Add IP Intelligence

Overview

IP Intelligence incorporates external, intelligent services to enhance automated application delivery with better IP intelligence and stronger, context-based security. By identifying IP addresses and security categories associated with malicious activity, the IP Intelligence service can incorporate dynamic lists of threatening IP addresses into BIG-IP Next, adding context to policy decisions. The IP Intelligence service reduces risk and increases data center efficiency by eliminating the effort to process bad traffic.

With WAF, you can use IP Intelligence blocking in a security policy to block requests from IP addresses that have questionable reputations. IP Intelligence is enabled by default. IP addresses from which attacks or spam have originated are included in an IP intelligence database, along with the category describing the problem.

You can configure a security policy to alarm (log) and/or block requests from IP addresses of questionable reputation, and to perform different actions depending on the categories of problems.

Important: IP Intelligence requires external, third-party services to identify IP addresses and security categories associated with malicious activity. You must ensure that your BIG-IP Next Central Manager or instances have Licensing activated.

Prerequisites

  • Verify any attached application services to ensure proper security after changes are deployed.

  • You need to have a user role of Security Manager or Administrator to manage a WAF policy.

How to manage IP Intelligence

Enable or disable IP Intelligence

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. Use the toggle to change the IP Intelligence setting.

  5. Click Save to save your changes. If you would like to automatically deploy your changes to the BIG-IP Next instance, click Save & Deploy.

Manage IP Intelligence categories

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu click {:} Policy Editor.

    The panel displays an editor with the policy’s JSON declaration.

  5. Click within the editor and press Ctrl+F. This displays the search bar at the top of the editor. Search for ip-intelligence.

    See the sample ip-intelligence declaration in the snippet below.

  6. Change the alarm or block settings for a category. By default, both are true. Set alarm to false if you do not want the policy to log that category of IP address, or set block to false if you do not want the policy to mitigate it.

  7. Click Save to save your changes. If you would like to automatically deploy your changes to the BIG-IP Next instance, click Save & Deploy.

{
    "ip-intelligence": {
        "enabled": true,
        "ipIntelligenceCategories": [
            {
                "alarm": true,
                "block": true,
                "category": "Spam Sources",
                "description": "The Spam Sources category includes Tunneling Spam messages through proxy, anomalous SMTP activities, and Forum Spam activities."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Cloud-based Services",
                "description": "The Cloud-based Services category includes IP addresses and networks that are used by cloud providers."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Mobile Threats",
                "description": "The Mobile Threats category includes IP addresses of malicious and unwanted mobile applications."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Tor Proxies",
                "description": "The Tor Proxies category includes IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Windows Exploits",
                "description": "The Windows Exploits category includes active IP address offering or distributing malware, shell code, rootkits, worms, and viruses."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Web Attacks",
                "description": "The Web Attacks category includes cross site scripting, iFrame injection, SQL injection, cross domain injection, and domain password brute force."
            },
            {
                "alarm": true,
                "block": true,
                "category": "BotNets",
                "description": "The Botnets category includes Botnet C&C channels and an infected zombie machine controlled by a Bot master."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Scanners",
                "description": "The Scanners category includes all reconnaissance, such as probes, host scan, domain scan, and password brute force."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Denial of Service",
                "description": "The Denial of Services category includes DOS, DDOS, anomalous syn flood, and anomalous traffic detection."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Infected Sources",
                "description": "The Infected Sources category includes IP addresses currently known to be infected with malware, and IP addresses with an average low Reputation Index score. Enabling this category prevents access from sources identified to contact malware distribution points."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Phishing Proxies",
                "description": "The Phishing Proxies category includes IP addresses hosting phishing sites, and other kind of fraud activities such as Ad Click Fraud and Gaming fraud."
            },
            {
                "alarm": true,
                "block": true,
                "category": "Anonymous Proxy",
                "description": "The Anonymous Proxy category includes IP addresses that provide proxy and anonymizing services."
            }
        ]
    }
}
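As an added example (not F5's code and not the product's API), the following Python edits a declaration of the shape shown above offline: it switches one category from block to alarm-only, refuses a mistyped category name, and reports the resulting action per category. The sample declaration is a constructed three-category trim of the snippet, and the rule that "enabled": false overrides every per-category flag is an assumption.

```python
import copy
import json

# Constructed, trimmed-down declaration in the shape shown on this page
# (three of the twelve categories, so the sample stays short).
SAMPLE_POLICY = json.loads("""
{"ip-intelligence": {"enabled": true, "ipIntelligenceCategories": [
  {"alarm": true, "block": true, "category": "Spam Sources"},
  {"alarm": true, "block": true, "category": "Cloud-based Services"},
  {"alarm": true, "block": true, "category": "Tor Proxies"}]}}
""")

def _categories(policy):
    """Return the category list after checking that alarm/block are booleans."""
    cats = policy["ip-intelligence"]["ipIntelligenceCategories"]
    for c in cats:
        if not (isinstance(c.get("alarm"), bool) and isinstance(c.get("block"), bool)):
            raise ValueError(f"alarm/block must be booleans in {c.get('category')!r}")
    return cats

def set_category_action(policy, category, alarm=None, block=None):
    """Return a copy with one category's flags changed. An unknown category
    name raises instead of silently changing nothing (a typo in a hand edit)."""
    updated = copy.deepcopy(policy)
    for c in _categories(updated):
        if c["category"] == category:
            if alarm is not None:
                c["alarm"] = alarm
            if block is not None:
                c["block"] = block
            return updated
    raise KeyError(f"unknown IP Intelligence category: {category!r}")

def set_enabled(policy, enabled):
    """Return a copy with the top-level IP Intelligence toggle changed."""
    updated = copy.deepcopy(policy)
    updated["ip-intelligence"]["enabled"] = bool(enabled)
    return updated

def effective_actions(policy):
    """Map each category to what the policy does with matching source IPs
    (block = mitigate, alarm = log, per the page). Assumption: enabled=false
    turns the whole feature off regardless of the per-category flags."""
    cats = _categories(policy)
    if not policy["ip-intelligence"]["enabled"]:
        return {c["category"]: "off" for c in cats}
    labels = {(True, True): "block+log", (True, False): "block, no log",
              (False, True): "log only", (False, False): "none"}
    return {c["category"]: labels[(c["block"], c["alarm"])] for c in cats}
```

Run effective_actions on the edited copy before pasting it back into the Policy Editor, so a category that silently became "block, no log" or "none" is caught before Save & Deploy.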

Resources

IP Intelligence management using the Policy Editor

Edit the WAF policy JSON declaration directly through the WAF policy editor.