This iRules command returns a Tcl list of IP intelligence category names for a given IP address. It checks up to 3 (configured) IP intelligence policies - global policy, policy attached to virtual server and policy attached to route domain. If any of the policies use IP reputation database, it will also be checked. This command is an extention of the IP::reputation command, which checked only IP reputation database available from external source. This new command checks user defined IP classification configured in IP intelligence policies, which get their lists of IP addresses and categories from user defined feeds. Each policy can additionally use the legacy IP reputation database, but is not required to.
Note that the IP intelligence feature requires an add-on license. Contact your F5 or Partner salesperson for details on ordering the license.


IP::intelligence <IP address>

The requirements for using IP address intelligence are:
  • The system must have an IP Intelligence license.
  • The system must have an Internet connection either directly or through a proxy server.
  • The system must have DNS configured (go to System > Configuration > Device > DNS).


# This irule can be used to test IP Intelligence dwbl (feed lists).
# if a request comes in with a URI query:  ?ip=, it returns the intelligence record.
# if no query is supplied, it returns the intelligence file.  You can use this in the feed list configuration.

    set ip [URI::query [HTTP::uri] ip]
    if { $ip equals "" } {
        log local0. "Got a Feed List update request from [IP::client_addr]"
    HTTP::respond 200 content {,32,bl,spam_sources,,wl,botnets,,botnets,,,,,bl,
    } else {
        HTTP::respond 200 content "<html>Reputation of $ip is: [IP::intelligence $ip]</html>"