Centinel AnalyticaF5 BIG-IP iRules
Deploy Centinel Analytica on F5 BIG-IP load balancers using iRules for bot detection.
Overview
The Centinel iRule runs on your F5 BIG-IP, calls the Centinel API for each request, and blocks or challenges traffic based on the response.
Prerequisites
- Centinel secret key (from your dashboard)
- F5 BIG-IP device with LTM module (v11.5+ recommended)
- SSH or TMSH access to the F5 device
- DNS servers configured in TMM (needed for API hostname resolution)
- Two iRule files (provided by Centinel support)
DNS configuration required
The iRule uses RESOLV::lookup to resolve validator.centinelanalytica.com. This runs in TMM (Traffic Management Microkernel) which requires DNS servers configured via tmsh sys dns.
Shell DNS (/etc/resolv.conf) and TMM DNS are separate systems. Even if curl works from the F5 shell, TMM won't resolve hostnames without proper DNS configuration.
Verify DNS is configured:
tmsh list sys dnsIf no name-servers are shown:
tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys configDownload required files
Download the Centinel F5 iRules package:
Centinel.tcl- Main iRule with API integrationCentinel-SSL-Helper.tcl- SSL connection handler
Download: centinel-f5-irules.zip
Install
Download the Centinel F5 iRules package:
# Download the package
curl -O https://docs.centinelanalytica.com/downloads/centinel-f5-irules.zip
# Extract files
unzip centinel-f5-irules.zip
# You should see:
# - Centinel.tcl
# - Centinel-SSL-Helper.tclOr download via browser: centinel-f5-irules.zip
Log into your F5 BIG-IP management interface and upload both iRule files:
Via Web UI:
- Navigate to Local Traffic → iRules → iRules List
- Click Create
- Enter name:
Centinel - Paste the contents of
Centinel.tcl - Click Finished
- Repeat for
Centinel-SSL-HelperwithCentinel-SSL-Helper.tcl
Via TMSH:
# Copy files to BIG-IP first
scp Centinel.tcl Centinel-SSL-Helper.tcl root@<bigip-mgmt-ip>:/var/tmp/
# Wrap and load each iRule
{ echo 'ltm rule Centinel {'; cat /var/tmp/Centinel.tcl; echo '}'; } > /var/tmp/Centinel.conf
tmsh load sys config merge file /var/tmp/Centinel.conf
{ echo 'ltm rule Centinel-SSL-Helper {'; cat /var/tmp/Centinel-SSL-Helper.tcl; echo '}'; } > /var/tmp/Centinel-SSL-Helper.conf
tmsh load sys config merge file /var/tmp/Centinel-SSL-Helper.confEdit the Centinel iRule and update the secret key on line 8:
# Replace with your actual API key
set static::CENTINEL_SECRET_KEY "sk_live_your_key_here"Via Web UI:
- Navigate to Local Traffic → iRules → iRules List
- Click on
Centinel - Click Edit
- Update line 8 with your secret key
- Click Finished
Via TMSH:
tmsh edit ltm rule Centinel
# Update the key, then save and exitCreate a virtual server for making outbound HTTPS calls to the Centinel API:
Via Web UI:
- Navigate to Local Traffic → Virtual Servers → Virtual Server List
- Click Create
- Configure:
- Name:
centinel_api_ssl_vs - Destination Address/Mask:
0.0.0.0/0(any) - Service Port:
443 - Protocol:
TCP - HTTP Profile (Client):
http - SSL Profile (Server):
serverssl-insecure-compatible - Source Address Translation:
Auto Map - Address Translation:
Enabled - Port Translation:
Enabled
- Name:
- Click Finished
Via TMSH:
tmsh create ltm virtual centinel_api_ssl_vs \
destination 0.0.0.0:443 \
ip-protocol tcp \
mask 0.0.0.0 \
profiles add { tcp http { context all } serverssl-insecure-compatible { context serverside } } \
source 0.0.0.0/0 \
source-address-translation { type automap } \
translate-address enabled \
translate-port enabledAttach the Centinel-SSL-Helper iRule to the API virtual server:
Via Web UI:
- Navigate to Local Traffic → Virtual Servers
- Click on
centinel_api_ssl_vs - Go to Resources tab
- Under iRules, click Manage
- Move
Centinel-SSL-Helperfrom Available to Enabled - Click Finished
Via TMSH:
tmsh modify ltm virtual centinel_api_ssl_vs rules { Centinel-SSL-Helper }Attach the Centinel iRule to your application's virtual server(s):
Via Web UI:
- Navigate to Local Traffic → Virtual Servers
- Click on your application virtual server (e.g.
www_vs) - Go to Resources tab
- Under iRules, click Manage
- Move
Centinelfrom Available to Enabled - Click Finished
Via TMSH:
tmsh modify ltm virtual your_application_vs rules { Centinel }The Centinel iRule can be applied to multiple virtual servers.
Save your changes to persistent storage:
Via Web UI: Click System → Configuration → Save Configuration
Via TMSH:
tmsh save sys configConfigure
Advanced configuration
URI path filtering
By default, static assets (images, CSS, JS, fonts) are excluded from validation for better performance.
Exclude additional paths
Edit CENTINEL_URI_REGEX_EXCLUSION (line 28) to skip more paths:
# Example: Exclude health checks and metrics
set static::CENTINEL_URI_REGEX_EXCLUSION {(?i)\.(avi|flv|mka|mkv|mov|mp4|mpeg|mpg|mp3|flac|ogg|ogm|opus|wav|webm|webp|bmp|gif|ico|jpeg|jpg|png|svg|svgz|swf|eot|otf|ttf|woff|woff2|css|less|js)$|^/health$|^/metrics$}Protect only specific paths
Add CENTINEL_URI_REGEX to validate only certain paths (unset by default, meaning all paths are checked):
# Only protect paths starting with /api/ or /admin
set static::CENTINEL_URI_REGEX {^/(api|admin)/}Timeout configuration
Adjust API timeout for your network. Default is 150ms.
set static::CENTINEL_timeout 300Debug logging
Enable detailed logging for troubleshooting:
Edit the Centinel iRule and set these variables:
# Enable debug logging
set static::CENTINEL_LOG_REQUEST_HEADERS 1
set static::CENTINEL_LOG_RESPONSE_HEADERS 1
set static::CENTINEL_LOG_REQUEST_TIME 1View logs:
# Real-time log monitoring
tail -f /var/log/ltm | grep CENTINEL
# Search for errors
grep "CENTINEL ERROR" /var/log/ltmFor high-traffic environments, use High-Speed Logging (HSL) to avoid flooding the local log:
set static::CENTINEL_LOG_PUBLISHER "/Common/remote_log_publisher"Performance optimization
-
Connection pooling is automatic — the iRule reuses TLS connections to the Centinel API across requests. No configuration needed.
-
Raise the connection limit on the API virtual server if needed:
tmsh modify ltm virtual centinel_api_ssl_vs connection-limit 10000 -
Apply the iRule to multiple F5 devices in an HA pair or cluster — each device maintains its own connection pool.
Configuration reference
Main iRule variables
Edit these in the Centinel iRule (inside when RULE_INIT):
| Variable | Default | Description |
|---|---|---|
CENTINEL_SECRET_KEY | (required) | Your API key from Centinel dashboard |
CENTINEL_MODULE_VERSION | 1.1.1 | Module version (informational) |
CENTINEL_vs | /Common/centinel_api_ssl_vs | Name of API virtual server |
CENTINEL_timeout | 150 | API timeout in milliseconds |
CENTINEL_URI_REGEX_EXCLUSION | (see code) | Regex pattern for paths to skip |
CENTINEL_HEADER_WHITELIST | (see code) | List of HTTP headers sent to API (customizable) |
CENTINEL_LOG_REQUEST_HEADERS | 0 | Log outbound request headers (0=off, 1=on) |
CENTINEL_LOG_RESPONSE_HEADERS | 0 | Log API response headers (0=off, 1=on) |
CENTINEL_LOG_REQUEST_TIME | 0 | Log request timing (0=off, 1=on) |
Verify
Make sure TMM has DNS servers configured (needed for RESOLV::lookup in the iRule):
tmsh list sys dnsExpected output:
sys dns {
name-servers { 8.8.8.8 1.1.1.1 }
search { example.com }
}If no name-servers are shown, add DNS servers:
tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys configTest DNS resolution:
run /util dig validator.centinelanalytica.comYou should see an ANSWER SECTION with IP addresses.
Use your organization's internal DNS servers instead of public DNS (8.8.8.8) for better performance and security.
-
Check logs: Monitor for Centinel activity
tail -f /var/log/ltm -
Test normal traffic: Visit your application to confirm requests work normally
-
Check statistics: View iRule execution stats
tmsh show ltm rule Centinel -
Monitor Centinel dashboard: Verify requests appear in your Centinel dashboard
Changelog
- v1.1.1 — F5 string limit fix
- v1.1.0 — Performance optimizations
- v1.0.5 — Send all headers
- v1.0.3 — TLS connection reuse
- v1.0.2 — TCL 8.4 compatibility
- v1.0.0 — Initial release