IP intelligence
F5 WAF for NGINX has an IP intelligence feature which allows you to customize enforcement based on the source IP address of a request. This allows you to limit access from specific IP addresses.
It is disabled by default, requiring extra steps to enable and configure.
To complete this guide, you will need the following prerequisites:
- The host must have an active internet connection and working DNS
- The host must be able to access
vector.brightcloud.comover port 443 - The host must be configured properly if connecting through a forward proxy server
A proxy server can be configured in the file /etc/app_protect/tools/iprepd.cfg:
EnableProxy=True
ProxyHost=5.1.2.4
ProxyPort=8080
ProxyUsername=admin # Optional
ProxyPassword=admin # Optional
CACertPath=/etc/ssl/certs/ca-certificates.crt # Optional`After saving the changes, restart the client to apply the new settings:
/opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 &This section only applies to V4 packages.
To enable IP intelligence on a virtual machine or bare metal installation, you must install an extra package. You can install the extra package during or after set-up.
Review the virtual machine installation instructions for information on how to use the package manager for a specific operating system.
| Operating system | Package name |
|---|---|
| Alpine Linux | app-protect-ip-intelligence |
| Amazon Linux | app-protect-ip-intelligence |
| Debian | app-protect-ip-intelligence |
| Oracle Linux / RHEL / Rocky Linux 8 | app-protect-ip-intelligence |
| Ubuntu | app-protect-ip-intelligence |
| RHEL / Rocky Linux 9 | app-protect-ip-intelligence |
After installing the package, run the client:
/opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 &Then verify the client is populating the database:
tail -f iprepd.logOnce complete, you can now Configure policies for IP intelligence.
This section only applies to NGINX Open Source and NGINX Plus installations.
IP intelligence has its own Docker container for NGINX Open Source and NGINX Plus installations.
You can add it to the deployment in your Docker Compose file.
First, create the required directory:
sudo mkdir -p /var/IpRepThen set correct ownership of the directory:
sudo chown -R 101:101 /var/IpRepModify the original docker-compose.yml file to include the IP intelligence container, replacing image tags as appropriate:
services:
waf-enforcer:
container_name: waf-enforcer
image: waf-enforcer:5.7.0
environment:
- ENFORCER_PORT=50000
ports:
- "50000:50000"
volumes:
- /opt/app_protect/bd_config:/opt/app_protect/bd_config
networks:
- waf_network
restart: always
depends_on:
- waf-ip-intelligence
waf-config-mgr:
container_name: waf-config-mgr
image: waf-config-mgr:5.7.0
volumes:
- /opt/app_protect/bd_config:/opt/app_protect/bd_config
- /opt/app_protect/config:/opt/app_protect/config
- /etc/app_protect/conf:/etc/app_protect/conf
restart: always
network_mode: none
depends_on:
waf-enforcer:
condition: service_started
waf-ip-intelligence:
container_name: waf-ip-intelligence
image: waf-ip-intelligence:5.7.0
volumes:
- /var/IpRep:/var/IpRep
networks:
- waf_network
restart: always
networks:
waf_network:
driver: bridgeOnce complete, you can now Configure policies for IP intelligence.
Once the requirements for IP intelligence have been installed, you can enable it in two sections of your policy:
- In the violation list, assigning block and alarm values (
"name": "VIOL_MALICIOUS_IP") - In a new IP intelligence section, defining actions for each category (
"ip-intelligence": {"enabled": true})
The following policy shows examples of both, with all IP intelligence categories configure to block and alarm:
{
"policy": {
"name": "ip_intelligency_policy",
"template": {
"name": "POLICY_TEMPLATE_NGINX_BASE"
},
"applicationLanguage": "utf-8",
"caseInsensitive": false,
"enforcementMode": "blocking",
"blocking-settings": {
"violations": [
{
"name": "VIOL_MALICIOUS_IP",
"alarm": true,
"block": true
}
]
},
"ip-intelligence": {
"enabled": true,
"ipIntelligenceCategories": [
{
"category": "Anonymous Proxy",
"alarm": true,
"block": true
},
{
"category": "BotNets",
"alarm": true,
"block": true
},
{
"category": "Cloud-based Services",
"alarm": true,
"block": true
},
{
"category": "Denial of Service",
"alarm": true,
"block": true
},
{
"category": "Infected Sources",
"alarm": true,
"block": true
},
{
"category": "Mobile Threats",
"alarm": true,
"block": true
},
{
"category": "Phishing Proxies",
"alarm": true,
"block": true
},
{
"category": "Scanners",
"alarm": true,
"block": true
},
{
"category": "Spam Sources",
"alarm": true,
"block": true
},
{
"category": "Tor Proxies",
"alarm": true,
"block": true
},
{
"category": "Web Attacks",
"alarm": true,
"block": true
},
{
"category": "Windows Exploits",
"alarm": true,
"block": true
}
]
}
}
}This policy will block all IP addresses that are part of any threat category ("block": true) and add a log entry ("alarm": true) for the transaction.
The IP address database is managed by an external provider and is constantly updated (every 1 minute by default).
The database categorizes IP addresses into one or more threat categories. These are the same categories that can be configured individually in the IP intelligence section:
- Anonymous Proxy
- BotNets
- Cloud-based Services
- Denial of Service
- Infected Sources
- Mobile Threats
- Phishing Proxies
- Scanners
- Spam Sources
- Tor Proxies
- Web Attacks
- Windows Exploits
Since the IP address database is constantly updated, their enforcement may also change. Addresses may be added, removed, or moved from one category to another based on their reported activity.