This section explains how to configure a Network Security Policy that denies connection attempts from IP addresses with a bad reputation. With this policy in place, the NSX Advanced Load Balancer drops TCP SYN packets originating from those addresses, so the client's connection attempts time out. The configuration steps are given for both the NSX Advanced Load Balancer UI and the CLI, followed by a description of IP reputation checks through DataScripts.

Using NSX Advanced Load Balancer UI

  • Navigate to Applications > Virtual Services and click Edit.

  • Click Policies in the Edit Virtual Service popup window.

  • Select System-IP reputation-Webroot-DB from the IP Reputation DB drop-down menu under Network Security.

  • Click the + icon to create a rule, or choose an existing one.

  • Select IP Reputation from the Add New Match drop-down menu to create the matching rule to filter the request.

  • Choose an option from the IP Reputation Type drop-down menu.

  • Set the Action to Allow, Deny or Rate Limit for requests whose client IP reputation matches the rule.

  • Click Save Rule.

Using NSX Advanced Load Balancer CLI

A virtual service on NSX Advanced Load Balancer is configured with a Layer 4 Network Security Policy so that the IP reputation service can block, or take another configured action on, connections from malicious IP addresses. In particular, the virtual service can be configured to reject connections from the listed bad IP addresses.

The following describes the packet flow for the Network Security Policy:

  1. All the configured Network Security Policies are evaluated when a client connects to the virtual service.

  2. The corresponding action for the policy is executed when both of the following conditions are met:

    1. The Network Security Policy matches, that is, the IP address of the client is present in the IP reputation database.

    2. The configured match target matches the IP reputation type listed for the client IP address.

[admin:controller]: > configure albservicesconfig
Updating an existing object. Currently, the object is:
+-----------------------------------------------+------------------------------------+
| Field                                         | Value                              |
+-----------------------------------------------+------------------------------------+
| uuid                                          | default                            |
| portal_url                                    | https://portal.avinetworks.com     |
| polling_interval                              | 10                                 |
| asset_contact                                 |                                    |
|   name                                        | John Doe                           |
|   email                                       | xxxxxxxxx                          |
|   phone                                       | (xxxxxx)                           |
| feature_opt_in_status                         |                                    |
|   enable_auto_download_waf_signatures         | False                              |
|   enable_waf_signatures_notifications         | True                               |
|   enable_auto_case_creation_on_system_failure | False                              |
|   enable_auto_case_creation_on_se_failure     | False                              |
|   enable_ip_reputation                        | False                              |
| proactive_support_defaults                    |                                    |
|   attach_tech_support                         | True                               |
|   case_severity                               | Severity 5                         |
|   attach_core_dump                            | False                              |
| use_split_proxy                               | False                              |
| ip_reputation_config                          |                                    |
|   ip_reputation_sync_interval                 | 60 min                             |
|   ip_reputation_file_object_expiry_duration   | 3 days                             |
+-----------------------------------------------+------------------------------------+

The default sync interval is 60 minutes and can be changed to any value between 2 and 60 minutes. Use the ip_reputation_sync_interval option to change the sync interval.

[admin:controller]: albservicesconfig> ip_reputation_config
[admin:controller]: albservicesconfig:ip_reputation_config> ip_reputation_sync_interval 10

Note:

If the IP reputation service is enabled on an NSX Advanced Load Balancer Controller, the Webroot’s IP reputation database is available by default.

IP Reputation in HTTP Policies

You can use the IP reputation database in the HTTP Security policy and the HTTP Request policy. These are configured in the same way as described in Configuring the Network Security Policy.

IP Reputation in DataScript

You can use the database for IP reputation checks in an L7 DataScript through the following Lua function:

is_good, reputation_type = avi.utils.get_ip_reputation(ip_addr)

  • The first return value, is_good, is true or false and indicates whether the given IP address has a good reputation.

  • The second return value is a bitmap of IP reputation types and is valid only when is_good is false. For instance, the value 1 indicates Spam Source (bit 0 set), and the value 17 indicates Spam Source and Scanner (bits 0 and 4 set).

For more information, see the IP reputation table in IP Reputation Types.

The function uses the IP reputation database configured for a VSDataScriptSet.

Note:

You can use the API or the CLI to configure the VSDataScriptSet to use an IPReputationDB.

The Lua function accepts both IPv4 and IPv6 addresses. However, it always returns true for IPv6 addresses because the IP reputation database currently contains only IPv4 address information.

The ip_addr parameter is expected in the same format as returned by avi.vs.client_ip(), that is, presentation format, for example 1.2.3.4.
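As an added example that is not from the NSX Advanced Load Balancer documentation, the following HTTP request event DataScript applies the lookup described above: it skips IPv6 clients (where the lookup reports good regardless), decodes the reputation bitmap for the log line, and closes connections whose reputation type includes Spam Source or Scanner. avi.vs.log() and avi.http.close_conn() are assumed DataScript API names; verify them against your release.

```lua
-- Added example, not from the product documentation. Assumed API names
-- (verify against your release): avi.vs.log(), avi.http.close_conn().
-- avi.vs.client_ip() and avi.utils.get_ip_reputation() are described above.

-- Reputation bits this script treats as deny-worthy. Bit 0 (Spam Source)
-- and bit 4 (Scanner) are the two the text names; other bits are listed in
-- the IP Reputation Types table.
local SPAM_SOURCE = 1      -- bit 0
local SCANNER     = 16     -- bit 4
local DENY_MASK   = SPAM_SOURCE + SCANNER

-- Portable bitwise AND (no dependency on a bit library): returns a & b.
local function band(a, b)
  local result, bitval = 0, 1
  while a > 0 and b > 0 do
    if a % 2 == 1 and b % 2 == 1 then result = result + bitval end
    a, b, bitval = math.floor(a / 2), math.floor(b / 2), bitval * 2
  end
  return result
end

-- Lists the bit positions set in the bitmap for the log line, e.g.
-- "0,4" for the value 17 (Spam Source and Scanner).
local function set_bits(bitmap)
  local bits, pos = {}, 0
  while bitmap > 0 do
    if bitmap % 2 == 1 then bits[#bits + 1] = pos end
    bitmap, pos = math.floor(bitmap / 2), pos + 1
  end
  return table.concat(bits, ",")
end

local ip = avi.vs.client_ip()

-- The database holds only IPv4 entries, so the lookup always reports an
-- IPv6 client as good. Record that no check took place instead.
if string.find(ip, ":", 1, true) then
  avi.vs.log("ip_reputation: skipped (IPv6 not in DB) client=" .. ip)
  return
end

local is_good, rep_type = avi.utils.get_ip_reputation(ip)
if not is_good and band(rep_type, DENY_MASK) ~= 0 then
  avi.vs.log("ip_reputation: deny client=" .. ip .. " type=" .. rep_type ..
             " bits=" .. set_bits(rep_type))
  avi.http.close_conn()
end
```

The VSDataScriptSet that carries this script must reference an IPReputationDB, otherwise the lookup has no database to consult.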

message VSDataScriptSet {
  ...
  optional string ip_reputation_db_uuid = 58 [
    (refers_to) = "IPReputationDB",
    ...
  ]
  ...
}

Configuration Workflow

When a DataScript uses the avi.utils.get_ip_reputation(ip_addr) function, an IPReputationDB must be configured at the VSDataScriptSet level.