Skip to content

NLB-7678: add documentation for IP Intelligence #1856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rishabh-f5 wants to merge 4 commits into
base: main
Choose a base branch
from
+101 −0
Open

NLB-7678: add documentation for IP Intelligence #1856

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6544cef
NLB-7678: add documentation for IP Intelligence
rishabh-f5 Apr 17, 2026
e1ac310
NLB-7678: removed next section
rishabh-f5 Apr 20, 2026
bd7d9e0
NLB-7678: refine ip intelligence docs
rishabh-f5 Apr 21, 2026
88bfb9e
Merge branch 'main' into NLB-7678-ip-intelligence-section
rishabh-f5 Apr 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
101 changes: 101 additions & 0 deletions content/nginxaas-azure/app-protect/ip-intelligence.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
---
title: IP Intelligence
weight: 350
toc: true
url: /nginxaas/azure/app-protect/ip-intelligence/
nd-content-type: concept
nd-product: NAZURE
---

## Overview

F5 WAF for NGINX includes an IP Intelligence feature that allows you to customize enforcement based on the source IP address of a request. Using IP Intelligence, you can block or log requests from IP addresses associated with known threat categories such as botnets, scanners, and phishing proxies.

IP Intelligence is available on NGINXaaS for Azure deployments with the **Standard v3** [plan]({{< ref "/nginxaas-azure/billing/overview.md/#standard-v3-plan" >}}).

{{< call-out "note" >}} IP Intelligence does not require an additional license. F5's existing license with the BrightCloud threat intelligence provider covers all NGINXaaS deployments. The IP address database is automatically updated every 60 minutes. {{< /call-out >}}

## Threat categories

IP Intelligence classifies IP addresses into the following threat categories. You can individually configure each category to block, alarm, or allow traffic.

{{< table >}}
| Category | Description |
|----------------------|-----------------------------------------------------------------------------|
| Anonymous Proxy | IP addresses associated with anonymous proxy services |
| BotNets | IP addresses that are part of known botnet networks |
| Cloud-based Services | IP addresses from cloud providers often used for automated attacks |
| Denial of Service | IP addresses associated with denial-of-service attacks |
| Infected Sources | IP addresses from hosts known to be compromised |
| Mobile Threats | IP addresses associated with malicious mobile applications |
| Phishing Proxies | IP addresses used as proxies for phishing campaigns |
| Scanners | IP addresses associated with network and vulnerability scanners |
| Spam Sources | IP addresses identified as sources of spam |
| Tor Proxies | IP addresses of known Tor exit nodes |
| Web Attacks | IP addresses associated with web-based attacks |
| Windows Exploits | IP addresses associated with Windows-specific exploits |
{{< /table >}}

Since the threat database is continuously updated, enforcement may change over time. IP addresses may be added, removed, or moved between categories based on their reported activity.

## Add IP Intelligence to a WAF policy

To use IP Intelligence, you must add the `ip-intelligence` section to a [custom WAF policy]({{< ref "/nginxaas-azure/app-protect/configure-waf.md#custom-policies" >}}). No additional setup or enablement steps are required.

Your WAF policy needs two additions:

1. The `VIOL_MALICIOUS_IP` violation in `blocking-settings`.
2. The `ip-intelligence` section with the desired threat categories.

### Example policy

The following policy turns on IP Intelligence with all categories set to block and alarm.

```json
{
"policy": {
"name": "ip_intelligence_policy",
"template": {
"name": "POLICY_TEMPLATE_NGINX_BASE"
},
"applicationLanguage": "utf-8",
"enforcementMode": "blocking",
"blocking-settings": {
"violations": [
{
"name": "VIOL_MALICIOUS_IP",
"alarm": true,
"block": true
}
]
},
"ip-intelligence": {
"enabled": true,
"ipIntelligenceCategories": [
{ "category": "Anonymous Proxy", "alarm": true, "block": true },
{ "category": "BotNets", "alarm": true, "block": true },
{ "category": "Cloud-based Services", "alarm": true, "block": true },
{ "category": "Denial of Service", "alarm": true, "block": true },
{ "category": "Infected Sources", "alarm": true, "block": true },
{ "category": "Mobile Threats", "alarm": true, "block": true },
{ "category": "Phishing Proxies", "alarm": true, "block": true },
{ "category": "Scanners", "alarm": true, "block": true },
{ "category": "Spam Sources", "alarm": true, "block": true },
{ "category": "Tor Proxies", "alarm": true, "block": true },
{ "category": "Web Attacks", "alarm": true, "block": true },
{ "category": "Windows Exploits", "alarm": true, "block": true }
]
}
}
}
```

- `"block": true` rejects requests from matching IP addresses.
- `"alarm": true` logs matching requests in the security logs.

You can customize each category independently — for example, blocking botnets while only alarming on scanners.

You can reference this policy in your NGINX configuration using the `app_protect_policy_file` directive, as described in [Configure F5 WAF for NGINX]({{< ref "/nginxaas-azure/app-protect/configure-waf.md" >}}).

For the full policy configuration reference, see the official [IP Intelligence documentation](https://docs.nginx.com/waf/policies/ip-intelligence/#configure-policies-for-ip-intelligence).

Loading