IP Address Exception Properties in ASM/AWAF
In BIG-IP ASM/AWAF, administrators can configure IP address exceptions to control how requests from specific source IP addresses are treated during security policy enforcement. These exceptions are used to manage trusted sources or special cases where the usual security measures should not apply. The key IP Address Exception Properties that can be configured are described below:
IP Address Exception Properties:
Policy Builder Trusted IP
Description: This option marks the IP address as trusted. Once an IP address is designated as trusted, ASM/AWAF will consider the traffic from this address safe and treat it with less scrutiny during security checks.
Effect: The IP is added to the list of trusted IP addresses, meaning it won't be subject to the same rigorous attack detection rules applied to other traffic sources.
Ignore in Anomaly Detection
Description: This property prevents traffic from the specified IP address from being considered in anomaly detection. Anomaly detection mechanisms, such as those used for detecting brute force attacks or web scraping, will not apply to traffic from this IP.
Effect: This IP is whitelisted for anomaly detection, so ASM/AWAF won't flag it for suspicious behavior or potential attacks that might typically trigger alerts.
Ignore in Learning Suggestions
Description: Traffic from the specified IP will not be included in the learning process. Learning suggestions are generated based on observed traffic to inform security policy updates, and this setting ensures that no learning suggestions are made from this IP address’s traffic.
Effect: Traffic from this IP is excluded from generating any learning suggestions, which can keep the learning process focused on the traffic that actually matters for the policy.
Never Block This IP Address
Description: Regardless of the security policy settings, traffic from this IP address will never be blocked. This is useful for ensuring that requests from trusted sources or critical services are never mistakenly blocked.
Effect: Requests from this IP will bypass any blocking actions that would normally be triggered by the security policy, even if the policy is set to block malicious or suspicious traffic.
Never Log Traffic From This IP Address
Description: This setting prevents any traffic from the specified IP address from being logged by the system. It means requests or responses from this IP will not appear in any security logs, which can be beneficial for reducing log noise or avoiding the logging of trusted or internal traffic.
Effect: Traffic from this IP will not be recorded in the security logs, so it is invisible to log-based analysis, alerting, and monitoring.
Ignore IP Address Intelligence
Description: This setting adds the specified IP address to the whitelist of the IP Address Intelligence feature. This feature typically uses external threat intelligence to flag malicious IPs. By adding an IP to this list, it is excluded from threat intelligence-based checks.
Effect: Traffic from this IP will not be assessed by the IP Address Intelligence engine, meaning it will not be flagged as potentially malicious based on external reputation data.
Use Cases for IP Address Exceptions:
Trusted Partners: If your organization has partners or clients that regularly access your application, marking their IP addresses as trusted or never blocked ensures that their traffic is treated with a lower level of scrutiny and doesn’t result in false positives.
Internal Systems: For internal applications or systems that should not be subject to anomaly detection or learning suggestions, configuring these IPs to ignore in anomaly detection and learning suggestions can improve the accuracy of security measures applied to external traffic.
Critical Services: For services or servers that are critical to operations (e.g., APIs or monitoring systems), you can ensure they are never blocked and never logged to avoid service interruptions or unnecessary logging.
Third-party Integrations: If you are integrating with external services, and you are confident that these services are legitimate, you can configure their IP addresses to ignore IP address intelligence to avoid unnecessary blocking based on external threat intelligence sources.
Summary of Effects on ASM/AWAF Behavior:
Property                          Effect
Policy Builder Trusted IP         Marks the IP as trusted; traffic from it is considered safe.
Ignore in Anomaly Detection       Excludes traffic from this IP from anomaly detection for brute force or web scraping.
Ignore in Learning Suggestions    Prevents traffic from this IP from generating learning suggestions.
Never Block This IP Address       Ensures traffic from this IP is never blocked, even if the security policy is set to block.
Never Log Traffic From This IP    Prevents traffic from this IP from being logged in any security logs.
Ignore IP Address Intelligence    Excludes the IP from assessment by IP Address Intelligence, bypassing external reputation checks.
These exception properties are designed to help fine-tune security settings by making allowances for specific traffic that should not be treated as part of the normal security enforcement process, whether due to internal trust, external integrations, or to prevent unnecessary alerts and blocks.
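Because Never Block removes enforcement and Never Log removes visibility, a practitioner reviewing a policy usually wants to know which exceptions combine those two, and which ones cover a wider range than a single host. The script below is an added example, not F5's code or anything from this page. It assumes the exceptions are available in the declarative policy JSON form (a "whitelist-ips" list whose entries carry fields named ipAddress, ipMask, blockRequests, neverLogRequests, neverLearnRequests, ignoreAnomalies, ignoreIpReputation and trustedByPolicyBuilder); those field names are recalled from memory and should be checked against a policy export from your own BIG-IP version. The sample entries are constructed for the example.

```python
"""Audit exported BIG-IP ASM/AWAF IP address exceptions for blind spots.

Added example, not F5 code. Field names (ipAddress, ipMask, blockRequests,
neverLogRequests, neverLearnRequests, ignoreAnomalies, ignoreIpReputation,
trustedByPolicyBuilder) are an assumption about the declarative policy JSON
form; verify them against your own policy export.
"""
import ipaddress
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, scope, message)

# Flags that relax detection without changing blocking or logging.
DETECTION_BYPASS_FLAGS = ("trustedByPolicyBuilder", "ignoreAnomalies", "ignoreIpReputation")

# Constructed sample input (RFC 5737 / RFC 1918 addresses), shaped like a
# "whitelist-ips" section of an exported policy.
SAMPLE_EXCEPTIONS: List[Dict] = [
    {"ipAddress": "203.0.113.10", "ipMask": "255.255.255.255",
     "description": "Partner API gateway",
     "trustedByPolicyBuilder": True, "blockRequests": "never"},
    {"ipAddress": "10.20.0.0", "ipMask": "255.255.0.0",
     "description": "Internal monitoring",
     "ignoreAnomalies": True, "neverLearnRequests": True,
     "neverLogRequests": True, "blockRequests": "never"},
    {"ipAddress": "0.0.0.0", "ipMask": "0.0.0.0",
     "description": "Mistyped exception",
     "ignoreIpReputation": True},
    {"ipAddress": "198.51.100.7", "ipMask": "255.255.255.255",
     "description": "Authorised scanner", "neverLearnRequests": True},
]


def exception_scope(entry: Dict) -> ipaddress.IPv4Network:
    """Turn the address/mask pair into a network so the range size is explicit."""
    return ipaddress.IPv4Network(f"{entry['ipAddress']}/{entry['ipMask']}", strict=False)


def audit_exception(entry: Dict) -> List[Finding]:
    """Return the findings for one exception entry (empty list if nothing stands out)."""
    net = exception_scope(entry)
    scope = str(net)
    never_block = entry.get("blockRequests") == "never"
    never_log = bool(entry.get("neverLogRequests"))
    detection_relaxed = any(entry.get(flag) for flag in DETECTION_BYPASS_FLAGS)
    findings: List[Finding] = []

    # Never Block + Never Log together: requests are neither enforced nor visible.
    if never_block and never_log:
        findings.append(("high", scope,
                         "never-block combined with never-log: traffic is neither enforced "
                         "nor visible in security logs"))
    elif never_block:
        findings.append(("medium", scope, "never-block: policy blocking decisions are bypassed"))
    elif never_log:
        findings.append(("medium", scope,
                         "never-log: traffic is invisible to log-based analysis and monitoring"))

    # Range checks: a mask of 0.0.0.0 matches every client; anything wider than a /24
    # with relaxed enforcement deserves a second look.
    if net.prefixlen == 0:
        findings.append(("high", scope, "mask 0.0.0.0 matches every source address"))
    elif net.prefixlen < 24 and (never_block or never_log or detection_relaxed):
        findings.append(("medium", scope,
                         f"enforcement relaxed for a /{net.prefixlen} range "
                         f"({net.num_addresses} addresses)"))
    return findings


def audit_policy(entries: List[Dict]) -> Dict[str, List[Finding]]:
    """Audit every exception; keyed by CIDR scope, entries with no findings are omitted."""
    report: Dict[str, List[Finding]] = {}
    for entry in entries:
        findings = audit_exception(entry)
        if findings:
            report[str(exception_scope(entry))] = findings
    return report


if __name__ == "__main__":
    for scope, findings in audit_policy(SAMPLE_EXCEPTIONS).items():
        for severity, _, message in findings:
            print(f"[{severity.upper():6}] {scope}: {message}")
```

Run against the constructed sample, the single-host partner entry is reported only for Never Block, the /16 internal range is reported as a blind spot (Never Block plus Never Log) and again for its width, the 0.0.0.0 mask is reported as matching every client, and the scanner entry that only opts out of learning suggestions produces no finding. Feeding it the "whitelist-ips" list from a real policy export, once the field names have been confirmed, gives the same review for a live policy.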