We've deployed IP Intelligence in our organization and some questions arise:
Due to the nature of the dynamic IPs, the update of the database should also include the removal of those IPs no longer considered as bad reputation, right? The update details shows the "number of IP Addresses received in the last update" but it does not mention nothing about IPs removed.
Does IP Intelligence take place before any other protection? I mean, if a suspicious IP arrives, it is blocked by the IPI and not analysed by the DoS or web scrapping policies, correct?
Good question, I'm curious about it as well. I'm pretty sure it will drop any traffic from suspicious addresses right away.
you should look at this drawing:
Very interesting diagram, thanks. Based on it, only L2/3/4 DoS inspection takes place before IP Intelligence, and after ASM processing, that´s it L7 DoS.
Let´s see if someone can provide info about the removal of valid IP addresses. I want to make sure we are not blocking IPs that had bad reputation but no longer have.
contact your local F5 sales team, they are most likely able to provide a definite answer. do report back here please.