Centinel AnalyticaCentinel Analytica
Platforms

F5 BIG-IP iRules

Deploy Centinel Analytica on F5 BIG-IP load balancers using iRules for bot detection.

Overview

The Centinel iRule runs on your F5 BIG-IP, calls the Centinel API for each request, and blocks or challenges traffic based on the response.

Prerequisites

  • Centinel secret key (from your dashboard)
  • F5 BIG-IP device with LTM module (v11.5+ recommended)
  • SSH or TMSH access to the F5 device
  • DNS servers configured in TMM (needed for API hostname resolution)
  • Two iRule files (provided by Centinel support)

DNS configuration required

The iRule uses RESOLV::lookup to resolve validator.centinelanalytica.com. This runs in TMM (Traffic Management Microkernel) which requires DNS servers configured via tmsh sys dns.

Shell DNS (/etc/resolv.conf) and TMM DNS are separate systems. Even if curl works from the F5 shell, TMM won't resolve hostnames without proper DNS configuration.

Verify DNS is configured:

tmsh list sys dns

If no name-servers are shown:

tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys config

Download required files

Download the Centinel F5 iRules package:

  • Centinel.tcl - Main iRule with API integration
  • Centinel-SSL-Helper.tcl - SSL connection handler

Download: centinel-f5-irules.zip

Installation

Download and extract the iRule package

Download the Centinel F5 iRules package:

# Download the package
curl -O https://docs.centinelanalytica.com/downloads/centinel-f5-irules.zip

# Extract files
unzip centinel-f5-irules.zip

# You should see:
# - Centinel.tcl
# - Centinel-SSL-Helper.tcl

Or download via browser: centinel-f5-irules.zip

Upload the iRule files

Log into your F5 BIG-IP management interface and upload both iRule files:

Via Web UI:

  1. Navigate to Local Traffic → iRules → iRules List
  2. Click Create
  3. Enter name: Centinel
  4. Paste the contents of Centinel.tcl
  5. Click Finished
  6. Repeat for Centinel-SSL-Helper with Centinel-SSL-Helper.tcl

Via TMSH:

# Copy files to BIG-IP first
scp Centinel.tcl Centinel-SSL-Helper.tcl root@<bigip-mgmt-ip>:/var/tmp/

# Wrap and load each iRule
{ echo 'ltm rule Centinel {'; cat /var/tmp/Centinel.tcl; echo '}'; } > /var/tmp/Centinel.conf
tmsh load sys config merge file /var/tmp/Centinel.conf

{ echo 'ltm rule Centinel-SSL-Helper {'; cat /var/tmp/Centinel-SSL-Helper.tcl; echo '}'; } > /var/tmp/Centinel-SSL-Helper.conf
tmsh load sys config merge file /var/tmp/Centinel-SSL-Helper.conf
Configure your API key

Edit the Centinel iRule and update the secret key on line 8:

# Replace with your actual API key
set static::CENTINEL_SECRET_KEY "sk_live_your_key_here"

Via Web UI:

  1. Navigate to Local Traffic → iRules → iRules List
  2. Click on Centinel
  3. Click Edit
  4. Update line 8 with your secret key
  5. Click Finished

Via TMSH:

tmsh edit ltm rule Centinel
# Update the key, then save and exit
Create the API virtual server

Create a virtual server for making outbound HTTPS calls to the Centinel API:

Via Web UI:

  1. Navigate to Local Traffic → Virtual Servers → Virtual Server List
  2. Click Create
  3. Configure:
    • Name: centinel_api_ssl_vs
    • Destination Address/Mask: 0.0.0.0/0 (any)
    • Service Port: 443
    • Protocol: TCP
    • HTTP Profile (Client): http
    • SSL Profile (Server): serverssl-insecure-compatible
    • Source Address Translation: Auto Map
    • Address Translation: Enabled
    • Port Translation: Enabled
  4. Click Finished

Via TMSH:

tmsh create ltm virtual centinel_api_ssl_vs \
    destination 0.0.0.0:443 \
    ip-protocol tcp \
    mask 0.0.0.0 \
    profiles add { tcp http { context all } serverssl-insecure-compatible { context serverside } } \
    source 0.0.0.0/0 \
    source-address-translation { type automap } \
    translate-address enabled \
    translate-port enabled
Apply SSL helper to API virtual server

Attach the Centinel-SSL-Helper iRule to the API virtual server:

Via Web UI:

  1. Navigate to Local Traffic → Virtual Servers
  2. Click on centinel_api_ssl_vs
  3. Go to Resources tab
  4. Under iRules, click Manage
  5. Move Centinel-SSL-Helper from Available to Enabled
  6. Click Finished

Via TMSH:

tmsh modify ltm virtual centinel_api_ssl_vs rules { Centinel-SSL-Helper }
Apply main iRule to application virtual server

Attach the Centinel iRule to your application's virtual server(s):

Via Web UI:

  1. Navigate to Local Traffic → Virtual Servers
  2. Click on your application virtual server (e.g. www_vs)
  3. Go to Resources tab
  4. Under iRules, click Manage
  5. Move Centinel from Available to Enabled
  6. Click Finished

Via TMSH:

tmsh modify ltm virtual your_application_vs rules { Centinel }

The Centinel iRule can be applied to multiple virtual servers.

Save configuration

Save your changes to persistent storage:

Via Web UI: Click System → Configuration → Save Configuration

Via TMSH:

tmsh save sys config
Verify DNS configuration

Make sure TMM has DNS servers configured (needed for RESOLV::lookup in the iRule):

tmsh list sys dns

Expected output:

sys dns {
    name-servers { 8.8.8.8 1.1.1.1 }
    search { example.com }
}

If no name-servers are shown, add DNS servers:

tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys config

Test DNS resolution:

run /util dig validator.centinelanalytica.com

You should see an ANSWER SECTION with IP addresses.

Use your organization's internal DNS servers instead of public DNS (8.8.8.8) for better performance and security.

Verify deployment

Test the integration:

  1. Check logs: Monitor for Centinel activity

    tail -f /var/log/ltm

  2. Test normal traffic: Visit your application to confirm requests work normally

  3. Check statistics: View iRule execution stats

    tmsh show ltm rule Centinel

  4. Monitor Centinel dashboard: Verify requests appear in your Centinel dashboard

Advanced configuration

URI path filtering

By default, static assets (images, CSS, JS, fonts) are excluded from validation for better performance.

Exclude additional paths

Edit CENTINEL_URI_REGEX_EXCLUSION (line 28) to skip more paths:

# Example: Exclude health checks and metrics
set static::CENTINEL_URI_REGEX_EXCLUSION {(?i)\.(avi|flv|mka|mkv|mov|mp4|mpeg|mpg|mp3|flac|ogg|ogm|opus|wav|webm|webp|bmp|gif|ico|jpeg|jpg|png|svg|svgz|swf|eot|otf|ttf|woff|woff2|css|less|js)$|^/health$|^/metrics$}

Protect only specific paths

Add CENTINEL_URI_REGEX to validate only certain paths (unset by default, meaning all paths are checked):

# Only protect paths starting with /api/ or /admin
set static::CENTINEL_URI_REGEX {^/(api|admin)/}

Timeout configuration

Adjust API timeout for your network. Default is 150ms.

set static::CENTINEL_timeout 300

Debug logging

Enable detailed logging for troubleshooting:

Edit the Centinel iRule and set these variables:

# Enable debug logging
set static::CENTINEL_LOG_REQUEST_HEADERS 1
set static::CENTINEL_LOG_RESPONSE_HEADERS 1
set static::CENTINEL_LOG_REQUEST_TIME 1

View logs:

# Real-time log monitoring
tail -f /var/log/ltm | grep CENTINEL

# Search for errors
grep "CENTINEL ERROR" /var/log/ltm

For high-traffic environments, use High-Speed Logging (HSL) to avoid flooding the local log:

set static::CENTINEL_LOG_PUBLISHER "/Common/remote_log_publisher"

Performance optimization

  1. Connection pooling is automatic — the iRule reuses TLS connections to the Centinel API across requests. No configuration needed.

  2. Raise the connection limit on the API virtual server if needed:

    tmsh modify ltm virtual centinel_api_ssl_vs connection-limit 10000

  3. Apply the iRule to multiple F5 devices in an HA pair or cluster — each device maintains its own connection pool.

Configuration reference

Main iRule variables

Edit these in the Centinel iRule (inside when RULE_INIT):

VariableDefaultDescription
CENTINEL_SECRET_KEY(required)Your API key from Centinel dashboard
CENTINEL_MODULE_VERSION1.1.1Module version (informational)
CENTINEL_vs/Common/centinel_api_ssl_vsName of API virtual server
CENTINEL_timeout150API timeout in milliseconds
CENTINEL_URI_REGEX_EXCLUSION(see code)Regex pattern for paths to skip
CENTINEL_HEADER_WHITELIST(see code)List of HTTP headers sent to API (customizable)
CENTINEL_LOG_REQUEST_HEADERS0Log outbound request headers (0=off, 1=on)
CENTINEL_LOG_RESPONSE_HEADERS0Log API response headers (0=off, 1=on)
CENTINEL_LOG_REQUEST_TIME0Log request timing (0=off, 1=on)

Changelog

v1.1.1

  • Removed unused duplicate procedures to fix F5 string limit compliance (81K → 48K chars).

v1.1.0

  • 5 CPU performance optimizations: header whitelist, pre-compiled regex, optimized JSON construction, renamed sideband proc, XFF truncation.
  • New configurable CENTINEL_HEADER_WHITELIST variable.

v1.0.5

  • Send all request headers in JSON payload.

v1.0.3

  • TLS connection reuse for reduced latency.

v1.0.2

  • Eliminated dict usage for TCL 8.4 / F5 v11.5+ compatibility.

v1.0.0

  • Initial release.

Drupal 8+

Add Centinel Analytica to your Drupal 8+ website.

Fastly Compute (Rust)

Add Centinel Analytica bot protection to your Fastly Compute service using the Rust SDK.

On this page

InstallationAdvanced configurationURI path filteringExclude additional pathsProtect only specific pathsTimeout configurationDebug loggingPerformance optimizationConfiguration referenceMain iRule variablesChangelogv1.1.1v1.1.0v1.0.5v1.0.3v1.0.2v1.0.0