mengler_136249
May 11, 2017

Geoblocking/Redirects

Summary

 

Today we do geoblocking within AFM to only allow specific countries to connect to our virtual servers. I have a request for one specific virtual server to no longer drop the connection, but instead re-direct them to a different website (externally hosted).

 

My question:

 

Is AFM the best place to do this? I see within each rule of an AFM policy, there is a spot to call on an iRule. Should I perform the re-direct there or is there a better spot to handle this requirement?

 

6 Replies

  • You'll have to use an iRule (LTM) for this. No other ways exist as of now.

     

    Do you keep your GeoIP database up to date? I suppose you do, but if not yet, this will be one additional must-do admin routine.

     

    Rgds

     

  • Yeah - we regularly check for updates on the GeoIP DB.

     

    Just to be clear though - you agree with my initial approach? To do this within AFM and call on an LTM iRule within the specific match statement? Or are you suggesting to not do this within AFM and only do it within LTM's iRules - which, unless I'm mistaken, would mean I also need to write the logic to check source country into the iRule instead of letting AFM do that.

     

    Thanks for the very quick response!

     

  • Sure, but I think if you initiate that iRule call from AFM, you will need to write the logic too. There's no escape from writing a bit of TCL for what you want to do. The difference will be in visibility, and as far as I'm aware, purely down to personal preference. Do you prefer your Geolocation redirect iRule linked to VS (resources tab), or do you prefer having it un-linked but triggered from AFM?

     

    I posted one GeoIP iRule for your ref.

     

  • This is the GeoIP iRule ref. The code below will redirect any clients from China to a dedicated .cn web site. Modify as needed. You will need to use the 2-letter country code as the identifier. You may look up the codes for each country here: http://www.nationsonline.org/oneworld/country_code_list.htm (ISO Alpha2 Code)

     

    when HTTP_REQUEST {
        if { [whereis [IP::client_addr] country] eq "CN" } {
            HTTP::respond 302 Location "https://www.site.cn" Connection Close
            event disable
        }
    }

    Requires an HTTP profile attached to the Virtual Server.

     

    Warning: Written in notepad and untested.
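
Added example, not part of the original posts: the same redirect turned into an allow-list, which matches the original requirement (only specific countries are served, everyone else is redirected rather than dropped). The data group name `geo_allowed_countries` and the target `https://blocked.example.com/` are placeholders assumed for illustration; like the rule above, it needs an HTTP profile on the virtual server.

```tcl
# Added example (not from the thread).
# Assumptions: a string data group named "geo_allowed_countries" holds the
# permitted ISO alpha-2 codes (e.g. "US"), and the redirect target below is
# a placeholder for the externally hosted site.
when HTTP_REQUEST {
    # Look up the client's country once per request.
    set cc [whereis [IP::client_addr] country]

    # Fail closed: an empty result (address not found in the GeoIP
    # database, e.g. private ranges) is treated like a non-allowed country.
    if { $cc eq "" || ![class match -- $cc equals geo_allowed_countries] } {
        # Record the decision so redirects can be audited and tuned.
        log local0. "geo-redirect: client=[IP::client_addr] country='$cc' host=[HTTP::host]"

        # Send the client to the external site instead of dropping it.
        HTTP::respond 302 noserver Location "https://blocked.example.com/" Connection Close

        # Stop other iRules on this virtual server from handling this event.
        event disable
        return
    }
}
```

Keeping the country list in a data group means the allowed set can be changed without editing the iRule.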

     

  • Thanks. I think I would like to have the iRule only within AFM. That way I can let AFM handle the logic for the source address based on country. Then the iRule should only need to contain the logic for the re-direct and not the logic for checking the source country. If they come from the US (where we are based) then the iRule won't run since it won't match the ACL on the AFM policy.