ASM geo location iRule

Folks,

Need some help with an ASM geo location iRule.

I want to allow IP addresses which contain country SG in the forwarder header. I have restricted my ASM geo location policy to allow only the SG country to access this application, but due to Google Play integration I am seeing a US IP address as the source, while the original IP is showing in the x forwarder.

when ASM_REQUEST_DONE {
    log local0. "Detected Country IP"
    if { ([whereris IP::client_addr] == "SG") && ( [ASM::violation details] contains "VIOLATION_ILLEGAL_GEOLOCATION") }{
        ASM::unblock
        log local0. "[ASM::violation_data]. unblocked for [IP::client_addr]"
    }
}

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You may try [whereis [IP::client_addr] country] https://devcentral.f5.com/wiki/iRules.whereis.ashx

Comments on this Answer
Comment made 25-Feb-2018 by Only1masterblaster 608

You may also check the accuracy of geo data: geoip_lookup

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
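when ASM_REQUEST_DONE {
    # Empty string means no SG address has been found in XFF yet.
    set xff_is_sg ""
    # Only look at XFF when the connecting address itself is not in SG.
    if { [whereis [IP::client_addr] country] ne "SG" } {
        if { [HTTP::header exists "X-Forwarded-For"] } {
            # Strip spaces, then walk the comma-separated XFF entries.
            foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
                log local0. "Current XFF element: $xff"
                # Check if the current XFF IP is in SG:
                if { [whereis $xff country] eq "SG" } {
                    log local0. "$xff is from SG."
                    set xff_is_sg 1
                    break
                }
            }
            # Any SG entry in XFF lifts the block for this request,
            # whichever violation ASM raised.
            if { $xff_is_sg ne "" } {
                ASM::unblock
                return
            }
        }
    }
}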

However, XFF can be spoofed. If you know which non-SG IP address range your users are forwarded from, then you can tighten up the rule by trusting that range only when processing XFF.

Comments on this Answer
Comment made 25-Feb-2018 by snl 511

Thank you both, I will test and confirm.
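
The tightening suggested in the accepted answer, as an added example that is not part of the original thread: X-Forwarded-For is honored only when the connection arrives from a trusted forwarder range. The data group name `trusted_xff_proxies`, the use of the right-most XFF entry, and the requirement that geolocation be the only violation are assumptions of this example.

```tcl
# Added example. Assumption: "trusted_xff_proxies" is a hypothetical
# address-type data group holding the forwarder ranges you trust.
when ASM_REQUEST_DONE {
    # Act only when the geolocation violation is the sole violation, so
    # other ASM findings on the same request stay blocked. The violation
    # name is the one used in the question's iRule.
    if { [ASM::violation names] ne "VIOLATION_ILLEGAL_GEOLOCATION" } {
        return
    }
    # An XFF header from an untrusted peer is client-controlled: ignore it.
    if { ![class match [IP::client_addr] equals trusted_xff_proxies] } {
        return
    }
    if { ![HTTP::header exists "X-Forwarded-For"] } {
        return
    }
    # Join repeated headers, then take the right-most entry: the address
    # the trusted forwarder itself saw. Entries further left were supplied
    # by the client and prove nothing.
    set xff_all [join [HTTP::header values "X-Forwarded-For"] ","]
    set origin [string trim [lindex [split $xff_all ","] end]]
    # Reject anything that does not parse as an IPv4 address
    # (an empty or malformed entry makes IP::addr raise an error).
    if { [catch { IP::addr $origin mask 255.255.255.255 }] } {
        log local0. "Ignoring malformed XFF entry from [IP::client_addr]"
        return
    }
    if { [whereis $origin country] eq "SG" } {
        log local0. "Geolocation unblock: $origin (SG) via [IP::client_addr]"
        ASM::unblock
    }
}
```

The XFF value is written to the log only after it has been validated as an address, which keeps client-supplied text out of the log stream.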
