F5 BIG-IP iRules

Deploy Centinel Analytica on F5 BIG-IP load balancers using iRules for bot detection.

Overview

The Centinel iRule runs on your F5 BIG-IP, calls the Centinel API for each request, and blocks or challenges traffic based on the response.

Prerequisites

Centinel secret key (from your dashboard)
F5 BIG-IP device with LTM module (v11.5+ recommended)
SSH or TMSH access to the F5 device
DNS servers configured in TMM (needed for API hostname resolution)
Two iRule files (provided by Centinel support)

DNS configuration required

The iRule uses RESOLV::lookup to resolve validator.centinelanalytica.com. This runs in TMM (Traffic Management Microkernel) which requires DNS servers configured via tmsh sys dns.

Shell DNS (/etc/resolv.conf) and TMM DNS are separate systems. Even if curl works from the F5 shell, TMM won't resolve hostnames without proper DNS configuration.

Verify DNS is configured:

tmsh list sys dns

If no name-servers are shown:

tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys config

Download required files

Download the Centinel F5 iRules package:

Centinel.tcl - Main iRule with API integration
Centinel-SSL-Helper.tcl - SSL connection handler

Download: centinel-f5-irules.zip

Installation

Download and extract the iRule package

Download the Centinel F5 iRules package:

# Download the package
curl -O https://docs.centinelanalytica.com/downloads/centinel-f5-irules.zip

# Extract files
unzip centinel-f5-irules.zip

# You should see:
# - Centinel.tcl
# - Centinel-SSL-Helper.tcl

Or download via browser: centinel-f5-irules.zip

Upload the iRule files

Log into your F5 BIG-IP management interface and upload both iRule files:

Via Web UI:

Navigate to Local Traffic → iRules → iRules List
Click Create
Enter name: Centinel
Paste the contents of Centinel.tcl
Click Finished
Repeat for Centinel-SSL-Helper with Centinel-SSL-Helper.tcl

Via TMSH:

# Copy files to BIG-IP first
scp Centinel.tcl Centinel-SSL-Helper.tcl root@<bigip-mgmt-ip>:/var/tmp/

# Wrap and load each iRule
{ echo 'ltm rule Centinel {'; cat /var/tmp/Centinel.tcl; echo '}'; } > /var/tmp/Centinel.conf
tmsh load sys config merge file /var/tmp/Centinel.conf

{ echo 'ltm rule Centinel-SSL-Helper {'; cat /var/tmp/Centinel-SSL-Helper.tcl; echo '}'; } > /var/tmp/Centinel-SSL-Helper.conf
tmsh load sys config merge file /var/tmp/Centinel-SSL-Helper.conf

Configure your API key

Edit the Centinel iRule and update the secret key on line 8:

# Replace with your actual API key
set static::CENTINEL_SECRET_KEY "sk_live_your_key_here"

Via Web UI:

Navigate to Local Traffic → iRules → iRules List
Click on Centinel
Click Edit
Update line 8 with your secret key
Click Finished

Via TMSH:

tmsh edit ltm rule Centinel
# Update the key, then save and exit

Create the API virtual server

Create a virtual server for making outbound HTTPS calls to the Centinel API:

Via Web UI:

Navigate to Local Traffic → Virtual Servers → Virtual Server List
Click Create
Configure:
- Name: centinel_api_ssl_vs
- Destination Address/Mask: 0.0.0.0/0 (any)
- Service Port: 443
- Protocol: TCP
- HTTP Profile (Client): http
- SSL Profile (Server): serverssl-insecure-compatible
- Source Address Translation: Auto Map
- Address Translation: Enabled
- Port Translation: Enabled
Click Finished

Via TMSH:

tmsh create ltm virtual centinel_api_ssl_vs \
    destination 0.0.0.0:443 \
    ip-protocol tcp \
    mask 0.0.0.0 \
    profiles add { tcp http { context all } serverssl-insecure-compatible { context serverside } } \
    source 0.0.0.0/0 \
    source-address-translation { type automap } \
    translate-address enabled \
    translate-port enabled

Apply SSL helper to API virtual server

Attach the Centinel-SSL-Helper iRule to the API virtual server:

Via Web UI:

Navigate to Local Traffic → Virtual Servers
Click on centinel_api_ssl_vs
Go to Resources tab
Under iRules, click Manage
Move Centinel-SSL-Helper from Available to Enabled
Click Finished

Via TMSH:

tmsh modify ltm virtual centinel_api_ssl_vs rules { Centinel-SSL-Helper }

Apply main iRule to application virtual server

Attach the Centinel iRule to your application's virtual server(s):

Via Web UI:

Navigate to Local Traffic → Virtual Servers
Click on your application virtual server (e.g. www_vs)
Go to Resources tab
Under iRules, click Manage
Move Centinel from Available to Enabled
Click Finished

Via TMSH:

tmsh modify ltm virtual your_application_vs rules { Centinel }

The Centinel iRule can be applied to multiple virtual servers.

Save configuration

Save your changes to persistent storage:

Via Web UI: Click System → Configuration → Save Configuration

Via TMSH:

tmsh save sys config

Verify DNS configuration

Make sure TMM has DNS servers configured (needed for RESOLV::lookup in the iRule):

tmsh list sys dns

Expected output:

sys dns {
    name-servers { 8.8.8.8 1.1.1.1 }
    search { example.com }
}

If no name-servers are shown, add DNS servers:

tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys config

Test DNS resolution:

run /util dig validator.centinelanalytica.com

You should see an ANSWER SECTION with IP addresses.

Use your organization's internal DNS servers instead of public DNS (8.8.8.8) for better performance and security.

Verify deployment

Test the integration:

Check logs: Monitor for Centinel activity
```
tail -f /var/log/ltm
```
Test normal traffic: Visit your application to confirm requests work normally
Check statistics: View iRule execution stats
```
tmsh show ltm rule Centinel
```
Monitor Centinel dashboard: Verify requests appear in your Centinel dashboard

Advanced configuration

URI path filtering

By default, static assets (images, CSS, JS, fonts) are excluded from validation for better performance.

Exclude additional paths

Edit CENTINEL_URI_REGEX_EXCLUSION (line 28) to skip more paths:

# Example: Exclude health checks and metrics
set static::CENTINEL_URI_REGEX_EXCLUSION {(?i)\.(avi|flv|mka|mkv|mov|mp4|mpeg|mpg|mp3|flac|ogg|ogm|opus|wav|webm|webp|bmp|gif|ico|jpeg|jpg|png|svg|svgz|swf|eot|otf|ttf|woff|woff2|css|less|js)$|^/health$|^/metrics$}

Protect only specific paths

Add CENTINEL_URI_REGEX to validate only certain paths (unset by default, meaning all paths are checked):

# Only protect paths starting with /api/ or /admin
set static::CENTINEL_URI_REGEX {^/(api|admin)/}

Timeout configuration

Adjust API timeout for your network. Default is 150ms.

set static::CENTINEL_timeout 300

Debug logging

Enable detailed logging for troubleshooting:

Edit the Centinel iRule and set these variables:

# Enable debug logging
set static::CENTINEL_LOG_REQUEST_HEADERS 1
set static::CENTINEL_LOG_RESPONSE_HEADERS 1
set static::CENTINEL_LOG_REQUEST_TIME 1

View logs:

# Real-time log monitoring
tail -f /var/log/ltm | grep CENTINEL

# Search for errors
grep "CENTINEL ERROR" /var/log/ltm

For high-traffic environments, use High-Speed Logging (HSL) to avoid flooding the local log:

set static::CENTINEL_LOG_PUBLISHER "/Common/remote_log_publisher"

Performance optimization

Connection pooling is automatic — the iRule reuses TLS connections to the Centinel API across requests. No configuration needed.

Raise the connection limit on the API virtual server if needed:

tmsh modify ltm virtual centinel_api_ssl_vs connection-limit 10000

Apply the iRule to multiple F5 devices in an HA pair or cluster — each device maintains its own connection pool.

Security decisions

The Centinel API returns one of four decisions:

Decision	Action	Description
`allow`	Request proceeds	Clean traffic, forward to origin
`block`	403 Forbidden	Malicious bot detected, request blocked
`redirect`	Challenge page	Suspicious traffic, present challenge
`not_matched`	Request proceeds	No rule matched, allow by default

Challenge flow (redirect decision)

When a redirect decision is returned:

F5 serves a base64-encoded HTML challenge page to the client
Browser executes JavaScript challenge
Challenge validation cookie is set
Client is redirected back to original URL
Subsequent request includes validation cookie
Centinel validates cookie and allows request

Configuration reference

Main iRule variables

Edit these in the Centinel iRule (inside when RULE_INIT):

Variable	Default	Description
`CENTINEL_SECRET_KEY`	(required)	Your API key from Centinel dashboard
`CENTINEL_MODULE_VERSION`	`1.1.0`	Module version (informational)
`CENTINEL_vs`	`/Common/centinel_api_ssl_vs`	Name of API virtual server
`CENTINEL_timeout`	`150`	API timeout in milliseconds
`CENTINEL_URI_REGEX_EXCLUSION`	(see code)	Regex pattern for paths to skip
`CENTINEL_HEADER_WHITELIST`	(see code)	List of HTTP headers sent to API (customizable)
`CENTINEL_LOG_REQUEST_HEADERS`	`0`	Log outbound request headers (0=off, 1=on)
`CENTINEL_LOG_RESPONSE_HEADERS`	`0`	Log API response headers (0=off, 1=on)
`CENTINEL_LOG_REQUEST_TIME`	`0`	Log request timing (0=off, 1=on)

API endpoint

The iRule connects to: https://validator.centinelanalytica.com/validate

This is hardcoded in the iRule.

The iRule uses RESOLV::lookup to resolve the API hostname at runtime. This requires DNS servers configured in TMM (tmsh sys dns) — shell DNS (/etc/resolv.conf) is a separate system and won't help. See the DNS callout in Prerequisites.

Network requirements:

DNS servers in TMM (tmsh sys dns)
Outbound HTTPS (port 443) from the F5 device
TLS 1.2+ (the serverssl-insecure-compatible profile handles this)

Troubleshooting

Most common causes:

TMM DNS not configured — run tmsh list sys dns to verify
API virtual server missing or misconfigured
SSL-Helper not attached to centinel_api_ssl_vs
Outbound port 443 blocked by firewall
Wrong API key in CENTINEL_SECRET_KEY

Enable debug logging to diagnose:

set static::CENTINEL_LOG_REQUEST_HEADERS 1
set static::CENTINEL_LOG_RESPONSE_HEADERS 1
set static::CENTINEL_LOG_REQUEST_TIME 1

tail -f /var/log/ltm | grep CENTINEL

Fail-open architecture

The integration uses fail-open behavior for maximum reliability:

API timeout → Request allowed
API unreachable → Request allowed
Network error → Request allowed
DNS failure → Request allowed
SSL error → Request allowed

Only when the API explicitly returns block is traffic blocked.

On this page