I've deployed IPI only with AFM. I have both AFM and ASM modules, but IPI is only deployed for AFM.
If you are creating a whitelist within the feedlist, I used a FTP server inhouse to host the text file. I believe if you deployed IPI within ASM that it is built right into the GUI of the F5 to whitelist though.
This link will show the formatting of how you need to apply your whitelist on the "Feed list settings" section: https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-11-5-0/5.html
example: 10.0.0.3,,wl,
In order to see if a virtual server is showing blocks, you need to enable logging.
- Create a logging profile. Security > Event Logs > Logging Profile.
- Name is Local_IPI
- Enable Network Firewall
- Under the IPI, select local-db-publisher for your publisher. (You'll want to offload this else where later.
- Go to your virtual server and click on the security tab at the top > policy
- Make sure IP Intelligence profile is enabled and selected.
- Move Local_IPI you just created over to the selected section of Log Profile.
- Click the update button
- Your logs should now appear here: Security > Event Logs > Network > IP Intelligence
Give it a few minutes to a few hours depending on how much traffic this virtual server sees. I initially tested IPI on a very unpopular VS and didn't see any hits. As soon as I moved it to my most popular my logs went off the charts. Thus why it is not wise to keep these logs on the F5 themselves. I'd recommend pushing those logs to an external syslog server if you have one. My steps above also assume you have logging enabled on the IPI policy you created "Log blacklist category matches" if not, you'll need to do that too.
Nimbostratus
