How to: Set IP Intelligence

In the following example, IP Intelligence is enabled and set to alarm on and block several common IP Intelligence categories. Because the client address often represents a downstream proxy device rather than the original requestor’s IP address, you also configure WAF (the `trustXff` setting under `general`) to prefer an X-Forwarded-For (or similar) header inserted into the request by a downstream proxy, in order to more accurately identify the actual originator of the request. Trust this header only when a proxy you control sets or overwrites it: the header is ordinary request data, so a value that arrives unmodified from the client is not a reliable basis for the IP Intelligence decision.

{
    "policy": {
        "name": "blocking_policy",
        "template": {
            "name": "POLICY_TEMPLATE_RATING_BASED"
        },
        "applicationLanguage": "utf-8",
        "enforcementMode": "blocking",
        "blocking-settings": {
            "violations": [
                {
                    "name": "VIOL_MALICIOUS_IP",
                    "alarm": true,
                    "block": true
                }
            ]
        },
        "general": {
            "customXffHeaders": [],
            "trustXff": true
        },
        "ip-intelligence": {
            "enabled": true,
            "ipIntelligenceCategories": [
                {
                    "alarm": true,
                    "block": true,
                    "category": "Anonymous Proxy"
                },
                {
                    "alarm": true,
                    "block": true,
                    "category": "BotNets"
                },
                {
                    "alarm": true,
                    "block": true,
                    "category": "Phishing Proxies"
                },
                {
                    "alarm": true,
                    "block": true,
                    "category": "Web Attacks"
                },
                {
                    "alarm": true,
                    "block": true,
                    "category": "Windows Exploits"
                },
                {
                    "alarm": true,
                    "block": true,
                    "category": "Denial of Service"
                },
                {
                    "category": "Tor Proxies",
                    "alarm": true,
                    "block": true
                },
                {
                    "category": "Spam Sources",
                    "alarm": true,
                    "block": true
                }
            ]
        }
    }
}