Skip to main content
Integrations with 3rd Party WAFs for Mitigation

Search

F5 IP filtering Integration

© 2024 Cequence Security. All Rights Reserved.

F5 IP filtering Integration

  • Updated on
  • ~ minute read
Download PDF

The F5 BIG-IP system supports IP filtering. You can integrate Cequence into an F5 IP filtering workflow by exporting a list of IPs to block from the Cequence Unified API Protection (UAP) platform to a data group used by an F5 iRule.

Integrating F5 IP filtering with the Cequence UAP platform enables you to block IP address or ranges that the UAP platform identifies as threats.

Deployment

To deploy the F5 IP filtering integration with the UAP platform, create a Data Group for an F5 iRule.

  1. In the F5 console, from Local Traffic > iRules, click the green plus (+) character next to Data Group List.
    The Create New Data Group page appears.
  2. In the Name field, type cequence-blockip-policy.
  3. From the Type drop-down, select Address.
  4. Click Update.

The data group is ready. Create an iRule for the data group to attach to.

  1. In the F5 console, from Local Traffic > iRules, click the green plus (+) character next to iRule list.
    The Create New iRule page appears.
  2. Type a name for the iRule.
  3. In the Definition field, type the following code. 
    when FLOW_INIT {
      if { [class match [IP::remote_addr] equals cequence-blockip-policy]} {
        log local0. "Attacker IP [IP::client_addr]"
        drop
      }
    }
  4. Click Finished.

The iRule is now ready to attach to a virtual server.

Configuration

The following procedure attaches the iRule that contains the IP blocklist data group to a virtual server.

  1. In the F5 console, from Local Traffic > Virtual Servers, select a virtual server.
  2. Select the Resource tab.
  3. Click Manage.
  4. From the Available list, select an iRule.
  5. Move the selected iRule to the Enabled list.
  6. Click Finished.

The virtual server is now using the iRule, and the Data Group attached to the iRule is ready to receive IP data from the UAP platform. Configure the UAP platform to send this data with the following procedure.

  1. Log in to the UAP management portal.
    The UAP dashboard appears.
  2. Select Integrations > Data Export.
  3. Click Add a new integration and select HTTP from the drop-down.
    The integration configuration pane appears.
  4. Type the following information at the Overview pane.
    Name: A name for the Data Export integration.
    HTTP URL: https://<F5 management IP>/mgmt/tm/ltm/data-group/internal/~Tenant_1~cequence-blockip-policy. In this URL, replace <F5 management IP> with the IPv4 address of the F5 management server, Tenant_1 with the F5 Partition / Path, and cequence-blockip-policy with the name of the Data Group.
    Method: PUT
    Basic Auth: Enable
    Username: “admin”
    Password: The management password for the F5 BIG-IP instance.
    Headers: Content-Type - application/json
    Batch Size: <As Applicable>
    Batch Interval: <As Applicable>
  5. In the integration configuration pane, click the Bot Detection Events tab.
    The bot detection events tab appears.
  6. In Event Criteria, add any relevant event criteria.
  7. In Export Fields, add Client IP: No Transformation.
  8. In Transformation Script, paste the following code. 
    var result = {:}; 
    result['name']= 'cequence-blockip-policy'; 
    result['type']='ip';
    result['records']= [];
    var ipList = [...];
    var ipSet = {};
    if (data.size() > 0) {
      for(var d: data){
      var ip = d['client_ip'];
      var ipAddress = {:};
      ipAddress['name']=ip;
      if(ip !~ ipSet)
        {
          ipList.add(ipAddress);
        }
          ipSet.add(ip);
        }
      } 
    result['records'] = ipList;
    return result;
  9. Click Save.

The UAP platform integration is ready to send IP blocklist information to F5.

Was this article helpful?
Japanese (Japan)