From 6544cef72c32a6e139a70bdf9f9f2d60a4a0c42f Mon Sep 17 00:00:00 2001 From: Rishabh Rana Date: Fri, 17 Apr 2026 08:17:38 +0000 Subject: [PATCH 1/3] NLB-7678: add documentation for IP Intelligence --- .../app-protect/ip-intelligence.md | 104 ++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 content/nginxaas-azure/app-protect/ip-intelligence.md diff --git a/content/nginxaas-azure/app-protect/ip-intelligence.md b/content/nginxaas-azure/app-protect/ip-intelligence.md new file mode 100644 index 0000000000..3284a07611 --- /dev/null +++ b/content/nginxaas-azure/app-protect/ip-intelligence.md 
@@ -0,0 +1,104 @@ +--- +title: IP Intelligence +weight: 350 +toc: true +url: /nginxaas/azure/app-protect/ip-intelligence/ +nd-content-type: concept +nd-product: NAZURE +--- + +## Overview + +F5 WAF for NGINX includes an IP Intelligence feature that allows you to customize enforcement based on the source IP address of a request. Using IP Intelligence, you can block or log requests from IP addresses associated with known threat categories such as botnets, scanners, and phishing proxies. + +IP Intelligence is available on NGINXaaS for Azure deployments with the **Standard v3** [plan]({{< ref "/nginxaas-azure/billing/overview.md/#standard-v3-plan" >}}). + +{{< call-out "note" >}} No additional license is required. F5's existing license with the BrightCloud threat intelligence provider covers all NGINXaaS deployments. The IP address database is automatically updated every 60 minutes. {{< /call-out >}} + +## Threat categories + +IP Intelligence classifies IP addresses into the following threat categories. 
Each category can be individually configured to block, alarm, or allow traffic: + +{{< table >}} +| Category | Description | +|----------------------|-----------------------------------------------------------------------------| +| Anonymous Proxy | IP addresses associated with anonymous proxy services | +| BotNets | IP addresses that are part of known botnet networks | +| Cloud-based Services | IP addresses from cloud providers often used for automated attacks | +| Denial of Service | IP addresses associated with denial-of-service attacks | +| Infected Sources | IP addresses from hosts known to be compromised | +| Mobile Threats | IP addresses associated with malicious mobile applications | +| Phishing Proxies | IP addresses used as proxies for phishing campaigns | +| Scanners | IP addresses associated with network and vulnerability scanners | +| Spam Sources | IP addresses identified as sources of spam | +| Tor Proxies | IP addresses of known Tor exit nodes | +| Web Attacks | IP addresses associated with web-based attacks | +| Windows Exploits | IP addresses associated with Windows-specific exploits | +{{< /table >}} + +Since the threat database is continuously updated, enforcement may change over time. IP addresses may be added, removed, or moved between categories based on their reported activity. + +## Add IP Intelligence to a WAF policy + +To use IP Intelligence, add the `ip-intelligence` section to a [custom WAF policy]({{< ref "/nginxaas-azure/app-protect/configure-waf.md#custom-policies" >}}). No additional setup or enablement steps are required. + +Your policy needs two additions: + +1. The `VIOL_MALICIOUS_IP` violation in `blocking-settings`. +2. The `ip-intelligence` section with the desired threat categories. 
+ +### Example policy + +The following policy enables IP Intelligence with all categories set to block and alarm: + +```json +{ + "policy": { + "name": "ip_intelligence_policy", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "blocking-settings": { + "violations": [ + { + "name": "VIOL_MALICIOUS_IP", + "alarm": true, + "block": true + } + ] + }, + "ip-intelligence": { + "enabled": true, + "ipIntelligenceCategories": [ + { "category": "Anonymous Proxy", "alarm": true, "block": true }, + { "category": "BotNets", "alarm": true, "block": true }, + { "category": "Cloud-based Services", "alarm": true, "block": true }, + { "category": "Denial of Service", "alarm": true, "block": true }, + { "category": "Infected Sources", "alarm": true, "block": true }, + { "category": "Mobile Threats", "alarm": true, "block": true }, + { "category": "Phishing Proxies", "alarm": true, "block": true }, + { "category": "Scanners", "alarm": true, "block": true }, + { "category": "Spam Sources", "alarm": true, "block": true }, + { "category": "Tor Proxies", "alarm": true, "block": true }, + { "category": "Web Attacks", "alarm": true, "block": true }, + { "category": "Windows Exploits", "alarm": true, "block": true } + ] + } + } +} +``` + +- `"block": true` rejects requests from matching IP addresses. +- `"alarm": true` logs matching requests in the security logs. + +You can customize each category independently — for example, blocking botnets while only alarming on scanners. + +Then reference this policy in your NGINX configuration using the `app_protect_policy_file` directive, as described in [Configure F5 WAF for NGINX]({{< ref "/nginxaas-azure/app-protect/configure-waf.md" >}}). + +For the full policy configuration reference, see the official [IP Intelligence documentation](https://docs.nginx.com/waf/policies/ip-intelligence/#configure-policies-for-ip-intelligence). 
+ +## What's next + +- [Enable F5 WAF for NGINX Logs]({{< ref "/nginxaas-azure/app-protect/enable-logging.md" >}}) to monitor IP Intelligence violations in your security logs. From e1ac31000c3c8a54077a7b3ab7c2ed58d7ac686a Mon Sep 17 00:00:00 2001 From: Rishabh Rana Date: Mon, 20 Apr 2026 04:54:48 +0000 Subject: [PATCH 2/3] NLB-7678: removed next section --- content/nginxaas-azure/app-protect/ip-intelligence.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/content/nginxaas-azure/app-protect/ip-intelligence.md b/content/nginxaas-azure/app-protect/ip-intelligence.md index 3284a07611..5206d0aeff 100644 --- a/content/nginxaas-azure/app-protect/ip-intelligence.md +++ b/content/nginxaas-azure/app-protect/ip-intelligence.md @@ -99,6 +99,3 @@ Then reference this policy in your NGINX configuration using the `app_protect_po For the full policy configuration reference, see the official [IP Intelligence documentation](https://docs.nginx.com/waf/policies/ip-intelligence/#configure-policies-for-ip-intelligence). -## What's next - -- [Enable F5 WAF for NGINX Logs]({{< ref "/nginxaas-azure/app-protect/enable-logging.md" >}}) to monitor IP Intelligence violations in your security logs. From bd7d9e07bd2995110c6b3ae10ff2c606e0e496c9 Mon Sep 17 00:00:00 2001 From: Rishabh Rana Date: Tue, 21 Apr 2026 07:05:04 +0000 Subject: [PATCH 3/3] NLB-7678: refine ip intelligence docs --- .../nginxaas-azure/app-protect/ip-intelligence.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/nginxaas-azure/app-protect/ip-intelligence.md b/content/nginxaas-azure/app-protect/ip-intelligence.md index 5206d0aeff..577fd390e3 100644 --- a/content/nginxaas-azure/app-protect/ip-intelligence.md +++ b/content/nginxaas-azure/app-protect/ip-intelligence.md 
@@ -13,11 +13,11 @@ F5 WAF for NGINX includes an IP Intelligence feature that allows you to customiz IP Intelligence is available on NGINXaaS for Azure deployments with the **Standard v3** [plan]({{< ref "/nginxaas-azure/billing/overview.md/#standard-v3-plan" >}}). -{{< call-out "note" >}} No additional license is required. F5's existing license with the BrightCloud threat intelligence provider covers all NGINXaaS deployments. The IP address database is automatically updated every 60 minutes. {{< /call-out >}} +{{< call-out "note" >}} IP Intelligence does not require an additional license. F5's existing license with the BrightCloud threat intelligence provider covers all NGINXaaS deployments. The IP address database is automatically updated every 60 minutes. {{< /call-out >}} ## Threat categories -IP Intelligence classifies IP addresses into the following threat categories. Each category can be individually configured to block, alarm, or allow traffic: +IP Intelligence classifies IP addresses into the following threat categories. You can individually configure each category to block, alarm, or allow traffic. {{< table >}} | Category | Description | 
@@ -40,16 +40,16 @@ Since the threat database is continuously updated, enforcement may change over t ## Add IP Intelligence to a WAF policy -To use IP Intelligence, add the `ip-intelligence` section to a [custom WAF policy]({{< ref "/nginxaas-azure/app-protect/configure-waf.md#custom-policies" >}}). No additional setup or enablement steps are required. +To use IP Intelligence, you must add the `ip-intelligence` section to a [custom WAF policy]({{< ref "/nginxaas-azure/app-protect/configure-waf.md#custom-policies" >}}). No additional setup or enablement steps are required. -Your policy needs two additions: +Your WAF policy needs two additions: 1. The `VIOL_MALICIOUS_IP` violation in `blocking-settings`. 2. The `ip-intelligence` section with the desired threat categories. ### Example policy -The following policy enables IP Intelligence with all categories set to block and alarm: +The following policy turns on IP Intelligence with all categories set to block and alarm. ```json { @@ -95,7 +95,7 @@ The following policy enables IP Intelligence with all categories set to block an You can customize each category independently — for example, blocking botnets while only alarming on scanners. -Then reference this policy in your NGINX configuration using the `app_protect_policy_file` directive, as described in [Configure F5 WAF for NGINX]({{< ref "/nginxaas-azure/app-protect/configure-waf.md" >}}). +You can reference this policy in your NGINX configuration using the `app_protect_policy_file` directive, as described in [Configure F5 WAF for NGINX]({{< ref "/nginxaas-azure/app-protect/configure-waf.md" >}}). For the full policy configuration reference, see the official [IP Intelligence documentation](https://docs.nginx.com/waf/policies/ip-intelligence/#configure-policies-for-ip-intelligence).
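Review bot: In PATCH 1/3 (`@@ -0,0 +1,104 @@`), the only example policy sets every category, including `Cloud-based Services` and `Tor Proxies`, to `"block": true` under `"enforcementMode": "blocking"`. The same page says the database is updated every 60 minutes and that addresses move between categories. A reader who copies the example starts rejecting traffic from cloud-hosted clients with no observation period. Suggest making the broad categories alarm-only in the example, or adding a second example with mixed settings to match the "blocking botnets while only alarming on scanners" sentence. Two smaller points in the same hunk: the Overview says enforcement is based on the source IP address but never says which address is evaluated when requests arrive through a proxy or load balancer, and the plan link is written `overview.md/#standard-v3-plan` while the other refs on the page use `file.md#anchor` with no slash.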
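Review bot: In PATCH 2/3 (`@@ -99,6 +99,3 @@`), deleting the "What's next" section removes the page's only link to `enable-logging.md`, yet the page still states that `"alarm": true` logs matching requests in the security logs. Without that link a reader who sets categories to alarm-only has no pointer to where those events appear or how to turn the logs on. Suggest keeping the link inline, for example on the `"alarm": true` bullet, and giving the reason for the removal in the commit message.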
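Review bot: In PATCH 3/3, first hunk (`@@ -13,11 +13,11 @@`), the reworded sentence still offers three outcomes, "block, alarm, or allow traffic", but the page defines only the `block` and `alarm` flags. Please state how "allow" is expressed in `ipIntelligenceCategories`, for example whether it means setting both flags to `false` or omitting the category, so a reader tuning the policy knows what an unlisted category does.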
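Review bot: In PATCH 3/3, second hunk (`@@ -40,16 +40,16 @@`), changing "Then reference this policy" to "You can reference this policy" makes a required step read as optional, in the same hunk that tightens the first step to "you must add". The policy is not applied until `app_protect_policy_file` points at it, so the imperative form fits better: "Reference this policy in your NGINX configuration using the `app_protect_policy_file` directive". The unchanged sentence "No additional setup or enablement steps are required" also sits awkwardly next to two required policy additions and the directive step; consider narrowing it to say no separate feature enablement is needed.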