User Tools

Site Tools


Integrate F5 LTM and AFM with CrowdSec IPS

With CrowdSec we now have a new way of handling bad actors on the Internet. The solution is in itself not revolutionary but the way they collect the IP's and how they make them available to everyone is a new thing. To understand how it works take a look at the FAQ.

Getting Started

The integration is based on a special bouncer called “Blocklist Mirror” which essentially is a web endpoint from where you can extract the current blocklist in a deterministic format.

This endpoint needs to be accessible from the F5 as my script is running directly on it. And of course you need to have the proper access to the F5 to have access to run the script and permissions to import the list.

Install Blocklist Mirror

You can find the instructions on how to install Blocklist Mirror here.

When the bouncer is installed you need to edit the configuration yaml file “/etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml”

In the file locate this parameter:


and change it to the IP of a specific interface or all:


Then restart the daemon to put the change into effect:

sudo service crowdsec-blocklist-mirror restart

You should now see this on the server:

sudo ss -nap|grep 41412
tcp    LISTEN  0        4096     *:41412   *:*   users:(("crowdsec-blockl",pid=89227,fd=7))                                 

If you point your browser towards the server on port 41412/tcp you should see this:

If you want to enable TLS you must supply certificate and key and adjust the configuration accordingly. You will also have to change the URL in the script from “http” to “https”.

Last step is to make sure the service starts at boot:

systemctl enable crowdsec-blocklist-mirror.service

Setup F5

For the F5 part it is very simple, all you need is to upload this script to the box and setup a scheduler. I have tried to put notes into the script, so you can see what each line does. Please reach out if you have any questions, comments or something I need to improve.

Upload the script to for example “/shared/script”, unzip it and give execution permissions:

scp root@
chmod +x

Next up is creating an icall script in tmsh:

# tmsh
(/Common)(tmos)# create sys icall script crowdsec

Inside the vi editor make it look like this:

create script crowdsec {
    app-service none
    definition {
        exec /shared/script/ > /var/log/crowdsec.log
    description none
    events none

Exit vi by typing “:wq”. When you exit vi you will be prompted by tmsh if you want to save it, type “y”:

Save changes? (y/n/e) 

Next up is to set a timer.

Be careful how often you want the script to run if you use the AFM address list. When the script imports into the address list the mcpd daemon gets quite busy and it can take 10-15 minutes for it to finish. If you run it too often you might loose access to the webui because mcpd can't respond in time.

You will not find the same limitation if you only import to the external data group, as it only takes a second or two to import.

This example runs the update script once an hour:

# tmsh create sys icall handler periodic crowdsec interval 3600 script crowdsec

“interval 3600” is how often it is executed in seconds.

By using an icall script it will be part of the F5 configuration and follow along when you do upgrades. If you use crontab you will need to remember to setup the cron job after the upgrade.

That's it!

It was a great challenge to make this integration work and I did learn a lot about automation. The funny thing was that it wasn't getting the logic working that took the time, it was not killing my lab F5 during import :-D

When you ingest 15000-16000 IP addresses into a running configuration in one big blob, you realize how much that really is. On one hand automation can get you in trouble but it is also automation which gets you out of it again. I is not humanly possible to maintain these kind of lists by hand, so automation is the only way. You just need to know what you are doing and stay in control.

Please provide me with feedback should you have any, just drop me a line at

howtos/integrate_f5_ltm_and_afm_with_crowdsec_ips.txt · Last modified: 20/07/2022 09:12 by domingo