F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs
Hello to All,
I was thinking of using the iRule tables command to write when a user ip/device id makes too many violations for a time perioud and to get blocked for some time but I see that the F5 ASM has correlation logs that trigger incidents but there is not a lot info if this can be used in iRules or to block user ip addresses / deviceid.
https://support.f5.com/csp/article/K92532922
To answer your question regarding the required license - yes, IP I is a subscription feature of AdvWAF. You need to spend money on that one.
For the table command, I don't have a lot experience. Hence I would also not make any suggestion how an iRule could look like.
Interesting question would be: If you block a client based on its source IP for 5 minutes, what will happen if that client makes a new violation after 4:50 minutes? Will the block be released after 5 minutes or after 4:50 + 5 more minutes?
This kind of "business logic" must be solved in all soltions - IP Intelligence feed, BIG-IQ and Ansible.