bigip_firewall_dos_vector – Manage attack vector configuration in an AFM DoS profile
New in version 2.8.
Synopsis
- Manage attack vector configuration in an AFM DoS profile. In addition to the normal AFM DoS profile vectors, this module can manage the device-configuration vectors. See the module documentation for details about this method.
Requirements
The below requirements are needed on the host that executes this module.
- BIG-IP >= v13.0.0
Parameters
Parameter | Choices/Defaults | Comments
---|---|---
`allow_advertisement` (boolean) | | Specifies that addresses that are identified for blacklisting are advertised to BGP routers.
`attack_ceiling` (string) | | Specifies the absolute maximum allowable for packets of this type. This setting rate limits packets to the packets per second setting, when specified. To set no hard limit and allow automatic thresholds to manage all rate limiting, set this to
`attack_floor` (string) | | Specifies packets per second to identify an attack. These settings provide an absolute minimum of packets to allow before the attack is identified. As the automatic detection thresholds adjust to traffic and CPU usage on the system over time, this attack floor becomes less relevant. This value may not exceed the value in
`auto_blacklist` (boolean) | | Automatically blacklists detected bad actors. To enable this parameter, the This parameter is not supported by the
`bad_actor_detection` (boolean) | | Whether Bad Actor detection is enabled or disabled for a vector, if available. This parameter must be enabled to enable the This parameter is not supported by the
`blacklist_detection_seconds` (integer) | | Detection time, in seconds, before blacklisting occurs.
`blacklist_duration` (integer) | | Duration, in seconds, that the blacklist entry lasts.
`detection_threshold_eps` (string) | | Lists how many packets per second the system must discover in traffic in order to detect this attack.
`detection_threshold_percent` (string) | | Lists the threshold percent increase over time that the system must detect in traffic in order to detect this attack. The
`mitigation_threshold_eps` (string) | | Specifies the maximum number of this type of packet per second the system allows for a vector. The system drops packets once the traffic level exceeds the rate limit.
`name` (string) | | Specifies the name of the vector to modify. Vectors that ship with the device are "hard-coded", so to speak, in that the list of vectors is known to the system and users cannot add new vectors. Users only manipulate the existing vectors, all of which are disabled by default. When
`partition` (string) | Default: "Common" | Device partition to manage resources on.
`password` (string / required) | | The password for the user account used to connect to the BIG-IP. You may omit this option by setting the environment variable
`per_source_ip_detection_threshold` (string) | | Specifies the number of packets per second to identify an IP address as a bad actor.
`per_source_ip_mitigation_threshold` (string) | | Specifies the rate limit applied to a source IP that is identified as a bad actor.
`profile` (string / required) | | Specifies the name of the profile to manage vectors in. The name Vectors can be managed in either DoS Profiles or Device Configuration. By specifying a profile of 'device-config', this module will specifically tailor configuration of the provided vectors to the Device Configuration.
`provider` (dictionary, added in 2.5) | | A dict object containing connection details.
`provider` / `password` (string / required) | | The password for the user account used to connect to the BIG-IP. You may omit this option by setting the environment variable
`provider` / `server` (string / required) | | The BIG-IP host. You may omit this option by setting the environment variable
`provider` / `server_port` (integer) | Default: 443 | The BIG-IP server port. You may omit this option by setting the environment variable
`provider` / `ssh_keyfile` (path) | | Specifies the SSH keyfile to use to authenticate the connection to the remote device. This argument is only used for cli transports. You may omit this option by setting the environment variable
`provider` / `timeout` (integer) | Default: 10 | Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
`provider` / `transport` (string) | | Configures the transport connection to use when connecting to the remote device.
`provider` / `user` (string / required) | | The username to connect to the BIG-IP with. This user must have administrative privileges on the device. You may omit this option by setting the environment variable
`provider` / `validate_certs` (boolean) | | If You may omit this option by setting the environment variable
`server` (string / required) | | The BIG-IP host. You may omit this option by setting the environment variable
`server_port` (integer, added in 2.2) | Default: 443 | The BIG-IP server port. You may omit this option by setting the environment variable
`simulate_auto_threshold` (boolean) | | Specifies that results of the current automatic thresholds are logged, though manual thresholds are enforced, and no action is taken on automatic thresholds. The
`state` (string / required) | | When
`threshold_mode` (string) | | The
`user` (string / required) | | The username to connect to the BIG-IP with. This user must have administrative privileges on the device. You may omit this option by setting the environment variable
`validate_certs` (boolean, added in 2.0) | | If You may omit this option by setting the environment variable
Notes
- For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
- Requires BIG-IP software version >= 12.
- The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.
Examples
```yaml
- name: Enable DNS AAAA vector mitigation
  bigip_firewall_dos_vector:
    name: aaaa
    state: mitigate
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
```
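As an added example (not part of the module documentation above), the following playbook wires the related parameters together: `bad_actor_detection` is switched on before `auto_blacklist`, manual EPS thresholds are paired with `threshold_mode: manual` (assumed here to be a valid choice of that parameter), the same vector is applied both to a DoS profile and to the `device-config` pseudo-profile, and the running configuration is then saved with `bigip_config` as the notes require. The profile name `dos_dns` and the `vault_*` variables are placeholders.

```yaml
---
- name: Configure the DNS AAAA vector with bad-actor blacklisting
  hosts: localhost
  gather_facts: false
  vars:
    # Connection details; vault_* variables are placeholders for values kept in Ansible Vault
    bigip_provider:
      server: "{{ vault_bigip_server }}"
      user: "{{ vault_bigip_user }}"
      password: "{{ vault_bigip_password }}"
      validate_certs: true
  tasks:
    - name: Apply the vector to an AFM DoS profile and to the device configuration
      bigip_firewall_dos_vector:
        profile: "{{ item }}"
        name: aaaa
        state: mitigate
        threshold_mode: manual             # assumed valid choice; makes the EPS values below authoritative
        detection_threshold_eps: 1000      # flag an attack at 1000 AAAA queries/s ...
        detection_threshold_percent: 500   # ... or at a 500% rise over the learned baseline
        mitigation_threshold_eps: 5000     # drop traffic above 5000/s
        bad_actor_detection: true          # must be enabled before auto_blacklist has any effect
        per_source_ip_detection_threshold: 200   # a single source at 200/s is a bad actor
        per_source_ip_mitigation_threshold: 100  # rate limit applied to that source
        auto_blacklist: true
        blacklist_detection_seconds: 60    # sustained for 60 s before the source is blacklisted
        blacklist_duration: 14400          # blacklist entry expires after 4 hours
        allow_advertisement: false         # keep blacklisted addresses off the BGP advertisement
        provider: "{{ bigip_provider }}"
      loop:
        - dos_dns          # placeholder: an existing AFM DoS profile
        - device-config    # reserved name: the device-level vector configuration
      delegate_to: localhost

    - name: Persist the running configuration to disk
      bigip_config:
        save: true
        provider: "{{ bigip_provider }}"
      delegate_to: localhost
```

Running the play a second time should report no changes; a task that keeps reporting `changed` for the same values usually means a threshold was set outside the limits the device enforces and was silently adjusted.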
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description | Sample
---|---|---|---
`allow_advertisement` (boolean) | changed | The new Allow External Advertisement setting. | True
`attack_ceiling` (string) | changed | The new Attack Ceiling EPS setting. | infinite
`attack_floor` (string) | changed | The new Attack Floor EPS setting. | infinite
`auto_blacklist` (boolean) | changed | The new Auto Blacklist setting. |
`bad_actor_detection` (boolean) | changed | The new Bad Actor Detection setting. |
`blacklist_category` (string) | changed | The new Category Name setting. | /Common/cloud_provider_networks
`blacklist_detection_seconds` (integer) | changed | The new Sustained Attack Detection Time setting. | 60
`blacklist_duration` (integer) | changed | The new Category Duration Time setting. | 14400
`detection_threshold_eps` (string) | changed | The new Detection Threshold EPS setting. | infinite
`detection_threshold_percent` (string) | changed | The new Detection Threshold Percent setting. | infinite
`mitigation_threshold_eps` (string) | changed | The new Mitigation Threshold EPS setting. | infinite
`per_source_ip_detection_threshold` (string) | changed | The new Per Source IP Detection Threshold EPS setting. | 23
`per_source_ip_mitigation_threshold` (string) | changed | The new Per Source IP Mitigation Threshold EPS setting. | infinite
`simulate_auto_threshold` (boolean) | changed | The new Simulate Auto Threshold setting. |
`state` (string) | changed | The new state of the vector. | mitigate
`threshold_mode` (string) | changed | The new Mitigation Threshold EPS setting. | infinite
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by an Ansible Partner. [certified]
Authors
- Tim Rupp (@caphrim007)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/bigip_firewall_dos_vector_module.html