Whitelist Override Ip Intelligence

Hello

I want to know what is the best way to configure a whitelist for overriding the IP Intelligence function. I don't understand the feed lists very well. With AFM, is it possible to create a local list on the BIG-IP?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

IP intelligence uses multiple sources, which are aggregated. One is the feed list; the other is the service from Brightcloud. A feed is a simple comma-separated value (CSV) file. The file contains four comma-separated values per line. They are IP address, netmask, type and category. The last three are optional and will use defaults specified when you added the feed. Here is an example:

10.0.0.2,32,bl,spam_sources
10.0.0.3,,wl,
10.10.0.12,,botnets
10.0.0.12,,,
10.0.0.13,,bl,

In the first line we have the address 10.0.0.2 with a /32 netmask. This is a blacklist item as specified by "bl" and the category is spam_sources. This list format is plain text. Store the file on a webserver and refer to it using the full URL. I am not aware of an on-box IP intelligence whitelist for AFM in 11.6.0. More information can be found here.

Comments on this Answer
Comment made 15-Feb-2017 by John Beckmann

You can use the following iRule to create a feedlist on one of your VS:-

when RULE_INIT {
set static::MY_WL {
10.0.0.2,32,bl,spam_sources,
10.0.0.3,,wl,
10.10.0.12,,botnets,
10.0.0.12,,,
10.0.0.13,,bl,,}
}
when HTTP_REQUEST {
  if { [HTTP::uri] eq "/My_White_List.html" } {
    HTTP::respond 200 content $static::MY_WL
  }
}

You then just create a Feedlist:-

http(s)://My_White_List.html

Comment made 18-Apr-2017 by Paolo Di Liberto

Hi, this iRule allows you to have a dynamic feed list populated with datagroups (ipi_wl and ipi_wl in my case). So you can add/remove white(black)listed IPs/subnets. You have to add a new feed pointing to the VS that is hosting the feed (/whitelist.html) and (/blacklist.html). It is not optimized but it works:

when RULE_INIT {
    # Set data group names for whitelist and blacklist
    set static::dgroup_whitelist "ipi_wl"
    set static::dgroup_blacklist "ipi_bl"
}

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/whitelist*" {
            set class_name $static::dgroup_whitelist
            set id [class startsearch $class_name]
            set whitelist ""
            # Loop through the class row by row
            while {[class anymore $class_name $id]} {
                set element [class nextelement $class_name $id]
                # Split the "address/mask" key into its two parts
                set ipadd [lindex [split [lindex [split $element " "] 0] "/"] 0]
                set mask [lindex [split [lindex [split $element " "] 0] "/"] 1]
                # Feed line: address,netmask,type,category (type and category left to feed defaults)
                set entry [concat $ipadd,$mask,,]
                set whitelist [concat $whitelist\r\n$entry]
            }
            # Clean up the search
            class donesearch $class_name $id
            HTTP::respond 200 content $whitelist
        }
        "/blacklist*" {
            set class_name $static::dgroup_blacklist
            set id [class startsearch $class_name]
            set blacklist ""
            # Loop through the class row by row
            while {[class anymore $class_name $id]} {
                set element [class nextelement $class_name $id]
                # Split the "address/mask" key into its two parts
                set ipadd [lindex [split [lindex [split $element " "] 0] "/"] 0]
                set mask [lindex [split [lindex [split $element " "] 0] "/"] 1]
                # Feed line: address,netmask,type,category (type and category left to feed defaults)
                set entry [concat $ipadd,$mask,,]
                set blacklist [concat $blacklist\r\n$entry]
            }
            # Clean up the search
            class donesearch $class_name $id
            HTTP::respond 200 content $blacklist
        }
        default { HTTP::respond 200 content "IP Intelligence Feed List Virtual Server Available" }
    }
}
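A pre-publication check for a feed file in the four-field layout described in the accepted answer, as an added example that is not part of the original thread and not F5 code. The `parse_feed` name, the sample lines, the default type and category, and treating an empty netmask as a host entry are assumptions made for the illustration.

```python
import ipaddress

VALID_TYPES = {"bl", "wl"}  # the two type codes shown in the answer's example

def parse_feed(text, default_type="bl", default_category=""):
    """Check feed text laid out as address,netmask,type,category.

    Returns (entries, problems). The defaults stand in for the ones set on
    the feed itself; the values used here are assumptions."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) > 4:  # e.g. a trailing comma after the category
            problems.append((lineno, "more than four fields"))
            continue
        addr, mask, kind, category = fields + [""] * (4 - len(fields))
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append((lineno, "bad address"))
            continue
        width = ip.max_prefixlen  # 32 for IPv4, 128 for IPv6
        if mask and not (mask.isdecimal() and int(mask) <= width):
            problems.append((lineno, "bad netmask"))
            continue
        if kind and kind not in VALID_TYPES:  # category typed into the type column
            problems.append((lineno, "type is not bl or wl"))
            continue
        # Assumption: an empty netmask means a single host entry.
        entries.append((str(ip), int(mask) if mask else width,
                        kind or default_type, category or default_category))
    return entries, problems

# Constructed sample feed (documentation addresses), not from a real deployment.
SAMPLE = """\
192.0.2.10,32,wl,
192.0.2.11,,,
192.0.2.12,,botnets
192.0.2.13,24,bl,spam_sources,
192.0.2.14,33,wl,
"""

if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE)
    for entry in ok:
        print("ok  ", entry)
    for lineno, why in bad:
        print("line", lineno, why)
```

Running the check against the text a feed URL returns, before the feed is added, catches whitelist lines that do not fit the four-field layout.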