Forum Discussion

dgdv_171415
Sep 24, 2014

Country based ASM security policy

[ASM 11.5.1.HF4]

Hello,

I'm trying to setup ASM security policy based on client country geoip.

So my thought was to use the following iRule:

when HTTP_REQUEST {
    # Strip any client-supplied copy of the header so a client cannot spoof it,
    # then insert the lowercase country code looked up from the client address.
    HTTP::header remove "X-GEO-COUNTRY"
    HTTP::header insert "X-GEO-COUNTRY" [string tolower [whereis [IP::remote_addr] country]]
}

It just adds a custom HTTP header containing the GeoIP country code to the request (tested, works OK).

Then I put the following rule into the policy selection:

Conditions:

http-header all name X-GEO-COUNTRY not equals en

Actions:

asm enable policy not-en-policy

And finally I moved the (policy) rule before the last rule, which matches all other traffic. Unfortunately it doesn't work. There are no invocations on this rule; the last rule has all the invocations. I guess it's because the iRule header is added too late, after policy selection. Right? I don't want to select the security policy directly in the iRule. Is there any easy solution for this?

3 Replies

  • Hi,

    This should work; I have already done this kind of configuration without problem.

    Can you add a log action? With that we will know whether it's matched or not.

    Also, can you paste your policy configuration here?

  • Hi,

    Thanks for your answer.

    > Can you add a log action, with that we will know if it's matched or not.

    I added a log action and it's never matched (regardless of the country code provided in the rule). It's the same as the rule invocation statistics. The strange thing is, when I change the condition from:

    http-header all name X-GEO-COUNTRY not equals en (Value can be missing:true)

    to

    http-header all name X-GEO-COUNTRY not contains en (Value can be missing:true)

    then it's always matched (again, regardless of the country code provided).

    And finally, when 'Value can be missing' is not set, the results above are completely negated.

    >Also can you paste your policy configuration here ?

    I'm not sure if this is what you asked for:

    Strategy: first-match

    Requires: http

    Controls: asm

    Rules:

    rule1: "http-uri path starts-with /something1/" "asm enable policy /partition1/policy1"

    rule2: "http-uri path starts-with /something2/" "asm enable policy /partition1/policy2"

    rule3: "http-header all name X-GEO-COUNTRY not equals en (value can be missing:true)" "asm enable policy /partition1/untrusted-countries-policy"

    rule4: "" "asm enable policy /partition1/trusted-countries-policy"

    Rule1 and rule2 work OK. For other traffic only one rule is ever matched, for all requests: rule3 or rule4, depending on the equals/contains or 'value can/can't be missing' condition.

    And the iRule works OK; e.g. this is from an HTTP request logged by ASM:

    X-GEO-COUNTRY: us

  • Ok, I've got it: iRules are applied after your LTM policies.

    So you don't match rule n°3 and your traffic goes to rule 4, doesn't it?

    I'm searching for a solution on how to do it from your policy, but I'm not sure it's possible with the 11.5.x version.

    In the 11.6.0 version, you can do it directly from your policy (a geolocation condition, without inserting the information into a header).
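As an added example (not code from the thread's participants), the following iRule makes the country-based selection inside the iRule itself with ASM::enable, so it does not depend on the LTM policy being able to see a header that the iRule inserts. The policy paths and URI prefixes are taken from the posted LTM policy; the set of trusted country codes and the log line are assumptions for illustration. Note that whereis returns an ISO 3166 two-letter country code (US, GB, DE, ...), so the values compared against must be country codes; an empty result (address not in the GeoIP database) is deliberately routed to the stricter policy.

```tcl
# Added example, not from the original thread: choose the ASM policy in the
# iRule from the client's GeoIP country instead of via an LTM policy header match.
# Policy paths follow the posted LTM policy; the trusted-country list is assumed.
when HTTP_REQUEST {
    # whereis returns the ISO 3166 two-letter code, or "" when the address
    # cannot be resolved. Normalise to upper case for the comparisons below.
    set country [string toupper [whereis [IP::client_addr] country]]

    # Path-based selections, mirroring rule1 and rule2 of the posted LTM policy.
    if { [HTTP::path] starts_with "/something1/" } {
        ASM::enable /partition1/policy1
        return
    }
    if { [HTTP::path] starts_with "/something2/" } {
        ASM::enable /partition1/policy2
        return
    }

    # Country-based selection. Only an explicit match lands on the trusted
    # policy; unknown or untrusted countries (including "") get the strict one.
    switch -- $country {
        "US" -
        "GB" -
        "DE" {
            ASM::enable /partition1/trusted-countries-policy
        }
        default {
            ASM::enable /partition1/untrusted-countries-policy
        }
    }

    # Assumed diagnostic line; useful while verifying which branch is taken.
    log local0. "client [IP::client_addr] country '$country' path [HTTP::path]"
}
```

The virtual server still needs ASM enabled (for example by the existing LTM policy's "asm enable" action) for ASM::enable to take effect; treat that as a prerequisite to verify on your version rather than a guarantee. Because the decision is made from IP::client_addr, the policy choice cannot be influenced by a client-supplied header, which is also why the original iRule removes X-GEO-COUNTRY before inserting it.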