IP::intelligence¶
Description¶
This iRules command returns a Tcl list of IP intelligence category
names for a given IP address. It checks up to 3 (configured) IP
intelligence policies - global policy, policy attached to virtual
server and policy attached to route domain. If any of the policies use
IP reputation database, it will also be checked. This command is an
extention of the IP::reputation command,
which checked only IP reputation database available from external
source. This new command checks user defined IP classification
configured in IP intelligence policies, which get their lists of IP
addresses and categories from user defined feeds. Each policy can
additionally use the legacy IP reputation database, but is not
required to.
Note that the IP intelligence feature requires an add-on license.
Contact your F5 or Partner salesperson
for details on ordering the license.
Syntax¶
IP::intelligence <IP address>
The requirements for using IP address intelligence are:
- The system must have an IP Intelligence license.
- The system must have an Internet connection either directly or through a proxy server.
- The system must have DNS configured (go to System > Configuration > Device > DNS).
Examples¶
# This irule can be used to test IP Intelligence dwbl (feed lists).
# if a request comes in with a URI query: ?ip=10.0.0.2, it returns the intelligence record.
# if no query is supplied, it returns the intelligence file. You can use this in the feed list configuration.
when HTTP_REQUEST {
set ip [URI::query [HTTP::uri] ip]
if { $ip equals "" } {
log local0. "Got a Feed List update request from [IP::client_addr]"
HTTP::respond 200 content {10.0.0.2,32,bl,spam_sources
10.0.0.3,,wl,botnets
10.10.0.12,,botnets
10.0.0.12,,,
10.0.0.13,,bl,
}
} else {
HTTP::respond 200 content "<html>Reputation of $ip is: [IP::intelligence $ip]</html>"
}
}