So while enabling some new features on my NetScalers in my lab, I noticed I was getting just HAMMERED with attacks. I set up some basic IP Reputation blocks with logging so I could see the bad actors, and let me tell you, there were a lot. The configuration below is a simple security feature you can easily enable globally on your NetScalers with Platinum licensing. Pair it with my location-based blocking examples and you can effectively silo off your environment from unwanted visitors.
enable ns feature Rep AppFw RESPONDER
add policy dataset Allow_list1 ipv4
add policy dataset Block_list1 ipv4
add audit messageaction IPREP_OR_BLOCKLIST WARNING "CLIENT.IP.SRC + \" was dropped because they are listed in either the IPREP Database or on the NetScaler Blocklist\"" -logtoNewnslog YES
add appfw policy Ip_Rep_Policy "((CLIENT.IP.SRC.IPREP_IS_MALICIOUS || CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Block_list1\")) && ! (CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Allow_list1\")))" APPFW_BLOCK -logAction IPREP_OR_BLOCKLIST
bind appfw global Ip_Rep_Policy 100 END -type REQ_DEFAULT
Just PuTTY into your NetScalers and copy and paste the commands above to be secured. The policy also checks the two datasets, so you can block additional IP addresses, or relax connectivity for any address that might accidentally be on the Reputation Block List. I have seen that happen when customer subnets of Internet Service Providers get flagged as malicious because of viruses or botnets.
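As an added example (not part of the original post and not NetScaler tooling), this Python script reads log lines carrying the IPREP_OR_BLOCKLIST message above, tallies drops per source IP and per /24 so an ISP customer subnet stands out from a single noisy host, and emits the bind policy dataset commands for Block_list1 or Allow_list1. The sample log lines and their timestamp prefix are constructed, and the sequential -index numbering is an assumption.

```python
import re
import ipaddress
from collections import Counter

# Matches the exact text produced by the IPREP_OR_BLOCKLIST message action.
DROP_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}) was dropped because they are listed in either "
    r"the IPREP Database or on the NetScaler Blocklist")

# Constructed sample lines: the timestamp prefix is an assumption; only the
# message body comes from the audit messageaction on this page.
SAMPLE_LOG = """\
Tue Mar 05 10:01:12 2024 : 198.51.100.23 was dropped because they are listed in either the IPREP Database or on the NetScaler Blocklist
Tue Mar 05 10:01:15 2024 : 198.51.100.23 was dropped because they are listed in either the IPREP Database or on the NetScaler Blocklist
Tue Mar 05 10:02:40 2024 : 198.51.100.77 was dropped because they are listed in either the IPREP Database or on the NetScaler Blocklist
Tue Mar 05 10:03:01 2024 : 203.0.113.9 was dropped because they are listed in either the IPREP Database or on the NetScaler Blocklist
Tue Mar 05 10:03:05 2024 : some unrelated console message
"""

def parse_drops(log_text):
    """Count dropped requests per source IP from message-action log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def drops_by_subnet(counts, prefixlen=24):
    """Roll per-IP counts up to /prefixlen networks, busiest first. A busy
    residential ISP subnet is a candidate for Allow_list1 review; a single
    noisy host is a candidate for Block_list1."""
    nets = Counter()
    for ip, n in counts.items():
        nets[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += n
    return nets.most_common()

def dataset_bind_cmds(dataset, addrs, start_index=1):
    """Emit 'bind policy dataset' lines for an ipv4 dataset; invalid and
    duplicate addresses are skipped, indexes are assigned sequentially."""
    cmds, seen = [], set()
    for addr in addrs:
        try:
            ip = str(ipaddress.IPv4Address(addr))
        except ipaddress.AddressValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            cmds.append(f"bind policy dataset {dataset} {ip} -index {start_index + len(cmds)}")
    return cmds
```

Feed it the output of nsconmsg against newnslog (or the syslog lines if you also forward them) and paste the emitted bind lines into the same PuTTY session.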