Forum Discussion

Rich_L (Nimbostratus), May 25, 2017

iRule to allow IP address that is being blocked by ASM Geo-location policy

We have an ASM security policy configured on our public facing Virtual Servers. We also enforce blocking access from countries that we do not allow in our Geo-Location policy. I am looking to allow access to the website / virtual server for one specific IP address which happens to be located in a country that is not allowed in our Geo-location. I have tried the following, but the user is still getting denied by the ASM with the following violation: Access from disallowed Geolocation.

My iRule is (this has a fake IP address for this post):

when ASM_REQUEST_DONE {
    log local0. "Detected Country IP"
    if { ([IP::client_addr] == "123.456.789.101") && ([ASM::violation details] contains "VIOLATION_ILLEGAL_GEOLOCATION") } {
        ASM::unblock
        log local0. "[ASM::violation_data]. unblocked for [IP::client_addr]"
    }
}

Has anybody ever run into this situation, and if so, were you able to create a working iRule that you can share? Thanks!

9 Replies

  • Anesh (Cirrostratus)

    Try below

    when CLIENT_ACCEPTED {
        if { [IP::client_addr] == "123.456.789.101" } {
            set disable_asm 1
        } else {
            set disable_asm 0
        }
    }

    when ASM_REQUEST_DONE {
        if { $disable_asm == 1 } {
            log local0. "[IP::client_addr]:[TCP::client_port]: unblocked for this request."
            ASM::unblock
        }
    }
    
  • Rich_L (Nimbostratus)

    Thank you for the response, ErkkiS. However, I believe "never block this IP address" would be the same as disabling the ASM security policies for that IP address.

    • Raj_Barre_35591 (Nimbostratus)

      Anesh,

      I tried this iRule. It seems like the block is still in place. Do we have to have IP exceptions applied as well, or is it just an iRule attached to the virtual server?

      Currently I have enabled an IP exception, but I don't want to go through this method as it completely disables the ASM for the incoming source traffic.

      Any guidance would really help.

      -Vas


  • Hi,

    Did you try it this way?

    when ASM_REQUEST_DONE {
        if { [ASM::status] eq "blocked" } {
            if { [IP::client_addr] == "123.456.789.101" && [ASM::violation names] eq "VIOLATION_ILLEGAL_GEOLOCATION" } {
                log local0. "[ASM::violation_data]. unblocked for [IP::client_addr]"
                ASM::unblock
            }
        }
    }

    So, requests from that origin that contain only the geolocation violation will be ignored.

    Regards.

  • David_Holmes_12 (Historic F5 Account)

    Re the update from 28-March. Wouldn't this iRule fail?

    The first violation would always be "ILLEGAL_GEOLOCATION". ASM::unblock would then turn off ASM for the session. No other violations would be seen. So if the second request contained an SQL injection, it wouldn't be seen because ASM was now being bypassed?

  • I have tried for a while to get something like this to work, but for a URI. After much trial and error, I have the following iRule working. Basically, I put a statement first to block if there is an attack signature violation, then an elseif to not block if the violation is for geolocation. I tested, and I am allowed as expected, but if I attempt XSS or some other violation that matches an attack signature, then I get a block page. Below are the iRules for an IP, a single URI, and a data group for multiple URIs.

    IP

    when ASM_REQUEST_DONE {
        if { [IP::client_addr] == "X.X.X.X" and [ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" } {
            ASM::support_id
        } elseif { [ASM::violation names] contains "GEOLOCATION" and [IP::client_addr] == "X.X.X.X" } {
            ASM::unblock
        }
    }

    Single URI

    when ASM_REQUEST_DONE {
        if { [ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" and [HTTP::path] contains "/upload" } {
            ASM::support_id
        } elseif { [ASM::violation names] contains "GEOLOCATION" and [HTTP::path] contains "/upload" } {
            ASM::unblock
        }
    }

    Data Group

    when ASM_REQUEST_DONE {
        if { ([ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED") and [class match [HTTP::uri] equals Geo_URIs] } {
            ASM::support_id
        } elseif { ([ASM::violation names] contains "GEOLOCATION") and [class match [HTTP::uri] equals Geo_URIs] } {
            ASM::unblock
        }
    }
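As an added example (not code from anyone in this thread), here is an iRule that combines the pieces discussed above in the tighter form David_Holmes_12's concern calls for: it only considers sources listed in an address data group, and it only unblocks when the geolocation violation is the sole violation on the request, so a request from an exempted source that also trips an attack signature stays blocked. The data group name `geo_exempt_ips` is an assumption; create it as an address-type data group.

```tcl
# Added example, not from the thread. Assumes an address-type data group
# named "geo_exempt_ips" holding the source IPs/subnets to exempt.
when ASM_REQUEST_DONE {
    # Nothing to do unless ASM decided to block this request
    if { [ASM::status] ne "blocked" } {
        return
    }

    # Only sources explicitly listed in the data group are candidates
    if { ![class match [IP::client_addr] equals geo_exempt_ips] } {
        return
    }

    # ASM::violation names returns a Tcl list of violation names
    set names [ASM::violation names]

    # Exempt only when the geolocation violation is the *only* violation.
    # A request that also matches an attack signature (XSS, SQLi, ...) stays blocked,
    # and the support id is logged so the decision can be traced in the ASM event log.
    if { [llength $names] == 1 && [lindex $names 0] eq "VIOLATION_ILLEGAL_GEOLOCATION" } {
        log local0. "geo-exempt: allowing [IP::client_addr] to [HTTP::uri] (support id [ASM::support_id])"
        ASM::unblock
    } else {
        log local0. "geo-exempt: [IP::client_addr] still blocked, violations: $names (support id [ASM::support_id])"
    }
}
```

Because the check is per request in ASM_REQUEST_DONE, each later request from the same source is evaluated again rather than the policy being switched off for the session.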