Forum Discussion

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Jan 16, 2024

F5 AFM IP intelligence whitelist content

We have F5 AFM IP intelligence and we dont use the AFM license so no external feed list but only the local categories on the system. it is licensed with IP intelligence, now the question.

How can we see the whitelist category content from CLI or GUI?

Security  ››  Network Firewall : IP Intelligence : Blacklist Categories whitelist

Here in the menu you have the option Add to gategory and delete from category but how can we see the content of the whitelist category? Hence then we know if this list is still accurate....

 

ipi
security

2 Replies

Sort By
  • Michael_Saleem's avatar
    Michael_Saleem
    Icon for MVP rankMVP
    Jan 16, 2024

    I do not believe it is possible to extract a full dump of the IP addresses currently contained within an IP Intelligence category; you can only check if a single IP address is in a category with the following command:

    show security ip-intelligence info address <IP ADDRESS>
    • Marvin's avatar
      Marvin
      Icon for Cirrocumulus rankCirrocumulus
      Jan 23, 2024

      Hi Michael, thanks for the reply we were facing an issue where an external IP is blacklisted as windows_exploit category so we created a custom category in the IP intelligence policy windows_exploit_bypass with action allow however while doing so the IP got recognized by both categories and still dropped.

      When finally requesting BRighcloud to whitelist this IP address they performed it and is now allowed. This IP however is not really trusted as behind these IP exist a guest network where attacker launch attacks frequently.

      So we should be able to bypass this locally as this is not a good security remediation. Other customers can now also be exposed to threats.

      The category whitelist embedded on the F5 system cant be used in IPI policy, what would you recommend to do in this situation?