IP reputation


The IP Reputation helps augment security posture by adding a dynamic IP reputation service to existing defenses. This service provides a real time feed of known malicious IP addresses broken down into 10 categories so IT security administrators can easily identify threats by type. These categories are: Windows Exploits, Web Attacks, Phishing, Botnets, Denial of Service, Scanners, Proxies, Reputation, Spam Sources, and Mobile Threats.

Security is increased with this service as the time required to identify new and existing IP threats is drastically reduced. Not only does the service decrease the time it takes to research IP addresses, it also provides visibility into the types of threats, as well as historical and geolocation data to help security admins make better threat decisions.


IP classification service helps in identifying the malicious IP addresses and the origin. With the reputation database, any inbound attack from these malicious end points can be stopped at the controller itself, thereby protecting the client devices behind the controller.

The geolocation database can provide granularity of the location of the IP address to the levels of country and city. It can provide powerful visualizations that can be used to demonstrate the top countries that originate malware/spyware traffic or top countries from where maximum DDOS attacks are received. This information can be used by customers to formulate geolocation firewall policies to protect the internal network resources and keep the network healthy.

            The current firewall policy enforcement in AOS relies on L3/L4-L7 information with DPI/WebCC support. This feature extends this by allowing customers to define new IP classification based firewall policies.


            The benefits of this feature include:

  1. Identify and prevent any attack from the malicious hosts.
  2. Identifying the geolocation of traffic originating from or destined to.
  3. Identifying the location from where maximum spyware/malware/DDOS attacks are originated from.
  4. Geolocation visibility information about the traffic flows.
  5. Ability to formulate firewall policies based on geolocation of IP address to permit/deny traffic.

Without this feature, the only way to prevent traffic coming from rogue nations is by knowing all the IP address ranges for each rogue nation and adding ACL rule for each range that needs to be blocked.


This feature once enabled will cause all L3 traffic to be classified. All the sessions shall be classified with reputation (either malicious or clean) and geolocation (as originating from a specific location, which can be either country or more specific city) information. This classification shall be done in the datapath by SP during session creation before user-role policy enforcement. Datapath maintains IP classification table holding the reputation/geolocation information for various IP addresses. This table is downloaded from the control plane once the feature is enabled and fetched from the Webroot server.


When a new session is received, the source and destination IP addresses are fetched and table lookup is done for both the IP addresses to get the reputation/location information of these IP addresses. If the table lookup succeeds, then the session is marked as classified and subjected to IP classification based firewall policies. If table lookup fails, IP classification query message is sent to the control plane web_cc daemon for cloud lookup. Once the cloud lookup is resolved, entry will be added to the datapath table.

Once a session is IP classified, the datapath subjects the session through IP classification based firewall policies. If a match is seen, the action shall determine whether the session should be permitted or denied. Else the session shall be subjected through default role-based firewall policies.


Aruba7210) (config) #firewall ?

ip-classification          Enable IP (reputation/geolocation) classification


Policy Configuration:

A new access-list type is defined for configuring IP geolocation based firewall policies.

(Aruba7210) (config) #ip access-list ?

eth                               Ethertype access list

extended                     Extended Access List

mac                              MAC access list

session                         Session Access List

standard                      Standard Access List

ip-geolocation             IP geolocation access list


 (Aruba7210) (config) #ip access-list ip-geolocation 


The syntax for location based firewall policies is as follows:

 (config-ip-geo-policy) #[permit | deny] [to | from] location

location can be any of the following:

any                              -           Match any location

country                       -           Match a single country

region                         -           Match a group of countries

anonymous-proxy     -           Match anonymous proxy


The reputation rules can be configured as:

(Aruba7210) (config) #ip-reputation deny ?

inbound                       connections originated from outside

outbound                     connections originated by the controller


Customers can exempt traffic from IP classification based firewall policies using whitelist rules which can be configured as follows:

(Aruba7220) (config) #ip-classification whitelist-db add

(Aruba7220) (config) #ip-classification whitelist-db add

(Aruba7220) (config) #ip-classification whitelist-db del

(Aruba7220) (config) #ip-classification whitelist-db purge


Show commands:

show ip-geolocation – displays the geolocation config

show ip-geolocation countries – List of countries

show ip-reputation - displays the reputation config

show ip-classification whitelist-db - Lists whitelist Ips

show firewall – displays the ip-classification config


Datapath Commands :

show datapath ip-geolocation – displays the geolocation DB

show datapath ip-geolocation counters - displays the session counters

show datapath ip-reputation – displays the geolocation DB

show datapath ip-reputation counters - displays the session counters

show datapath ip-reputation rtc - displays real time cache

show datapath dns-cache – displays dns cache

Show datapath session ip-classification


  1. show datapath ip-reputation table


Datapath IP Reputation Table Entries


ThreatMask: S - spam source, E - windows exploits, W - web attacks

            B - botnet, C - scanners, D - denial of service

            M - malware-infected, P - phishing, A - anonymous proxy

            O - cloud provider, I - malicious mobile apps


Idx      IP                       ThreatMask       Rep

-------- ------------------------ ---------------- -----

0           A                100

1           C                100

2            S                100

3           C                100

4            A                100

5            A                100

6           A                100

7           C                100

8           C                100

9            S                100

a            A                100

b            S                100

c           A                100

d           A                100

e           A                100

f           A                100

10           A                100

11           A                100

12            S                100

13               SI               100

14               SI               100



Version history
Revision #:
2 of 2
Last update:
‎03-26-2017 02:26 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: