Forum Discussion

SanYang's avatar
SanYang
Icon for Cirrus rankCirrus
Oct 11, 2023

About IP intelligence

Hello,

I would like to ask about the difference between these two IP Intelligences.
1. In Policy

2. In Security ›› Network Firewall : IP Intelligence : Policies


Any Help is appraciate

 

 

  • Hi SanYang , 

    When I reviwed the AFM module , I found that I was wrong to say that there is not diffierence between IPI in AWAF and AFM. 
    Beside   Nikoolayy1 and Amine_Kadimi 
    IPI in AWAF : works per ASM policy also your appliance should be IPI licensed ( 1 Y or 3 Y .... etc ) , it's detectable in XFF headers as well. 

    IPI in AFM module : is very interesting , first it can work same as AWAF and your devices should be licensed for IPI 

    For your info ( License means : your Bigip able to get updates from a third party such as " brightCloud " , it updates its data base each 5 minutes with the latest bad reputation ips. ) 
    That's not all for AFM IPI, 

    you have another 2 functions can be used in AFM IPI ... 

    1- you can create IPI policy and assign it to Virtual server context or globally in bigip , this policy contains a defined Feed URL which enable your Bigip to get " Black listed or White listed " IPs information in a specific file format bigip ip can understand it , also you can define manually some IPs you want to drop or allow it with a defined duration for blocking if you need that. 

    Sample of the format that bigip gets from the defined feed in IPI policy: 10.0.0.2,32,bl,spam_sources 10.0.0.3,,wl, 10.10.0.12,,botnets 10.0.0.12,,, 10.0.0.13,,bl,

    For more info check this : https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/7.html

     

    2- You can use IPI shun : 
    briefly IPI shun works with AFM D(DoS) Vectors such as " Endpoint Sweep Vector " , if there is an IP exceeds a defined limits or thresholds of packets , AFM DDoS Sweep vector will be triggered and dynamically add this IP to IPI shun list which can be dropped furtherly very quickly without furher inspection, because AFM DDoS vector detected it as a malicious. 

    Also you can Configure something like Shun Black hole which means ( If bigip detedted bad actor or malicious IP , it advertise this ip to peer routers via BGP announcements , and these routers will be configured to send any trials of these bad ips which detected by AFM DDoS vectors to a black hole hop or drop these ips from the first layer in your network. " That's the Black hole and shun list role briefly " 

    Also you can configure scrubber instead of black hole which means bigip will send the malicious IPs trails to external scrubber such as " F5 server line/scrubber to clean or remove unwanted patterns in the packets from these Ips. 
    it follows the same mechanism of Black hole in advertising malicious IPs. 
    Both of Black hole and scrubber rely on ZebOS/BGP.


    you can review this : https://community.f5.com/t5/technical-articles/ip-intelligence-and-ip-shunning/ta-p/286783

     

    I hope my comment give you some insights 🙂 

  • Actually, there is an important difference: the ASM one is applied at layer 7, and the other is applied at layer 3 (earlier than L7) and can leverage PVA. The ASM one can also block based on XFF header value.

    You can check BIG-IP Life of A Packet - YouTube to know when each one is being exactly applied

  • Hi SanYang , 

    there is no difference , 

     you have to know that IP Inteligence is an independent function (it does not need a very specific module to work), you can use it with ltm, asm, afm, ...etc

    this function acts on the IP source in order defined IP classification configured in IP intelligence policies. F5 utilises the IP intelligence (reputation) database to drop traffic from source IP that match the threat categories from WebRoot. 

    look at this too : https://community.f5.com/t5/technical-forum/difference-between-asm-ip-address-intelligence-and-afm-ip/td-p/97107

     

  • Hi SanYang , 

    When I reviwed the AFM module , I found that I was wrong to say that there is not diffierence between IPI in AWAF and AFM. 
    Beside   Nikoolayy1 and Amine_Kadimi 
    IPI in AWAF : works per ASM policy also your appliance should be IPI licensed ( 1 Y or 3 Y .... etc ) , it's detectable in XFF headers as well. 

    IPI in AFM module : is very interesting , first it can work same as AWAF and your devices should be licensed for IPI 

    For your info ( License means : your Bigip able to get updates from a third party such as " brightCloud " , it updates its data base each 5 minutes with the latest bad reputation ips. ) 
    That's not all for AFM IPI, 

    you have another 2 functions can be used in AFM IPI ... 

    1- you can create IPI policy and assign it to Virtual server context or globally in bigip , this policy contains a defined Feed URL which enable your Bigip to get " Black listed or White listed " IPs information in a specific file format bigip ip can understand it , also you can define manually some IPs you want to drop or allow it with a defined duration for blocking if you need that. 

    Sample of the format that bigip gets from the defined feed in IPI policy: 10.0.0.2,32,bl,spam_sources 10.0.0.3,,wl, 10.10.0.12,,botnets 10.0.0.12,,, 10.0.0.13,,bl,

    For more info check this : https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-12-1-0/7.html

     

    2- You can use IPI shun : 
    briefly IPI shun works with AFM D(DoS) Vectors such as " Endpoint Sweep Vector " , if there is an IP exceeds a defined limits or thresholds of packets , AFM DDoS Sweep vector will be triggered and dynamically add this IP to IPI shun list which can be dropped furtherly very quickly without furher inspection, because AFM DDoS vector detected it as a malicious. 

    Also you can Configure something like Shun Black hole which means ( If bigip detedted bad actor or malicious IP , it advertise this ip to peer routers via BGP announcements , and these routers will be configured to send any trials of these bad ips which detected by AFM DDoS vectors to a black hole hop or drop these ips from the first layer in your network. " That's the Black hole and shun list role briefly " 

    Also you can configure scrubber instead of black hole which means bigip will send the malicious IPs trails to external scrubber such as " F5 server line/scrubber to clean or remove unwanted patterns in the packets from these Ips. 
    it follows the same mechanism of Black hole in advertising malicious IPs. 
    Both of Black hole and scrubber rely on ZebOS/BGP.


    you can review this : https://community.f5.com/t5/technical-articles/ip-intelligence-and-ip-shunning/ta-p/286783

     

    I hope my comment give you some insights 🙂