Forum Discussion
Allow search engines even though country is blocked by geolocation block
Hi!
We have an issue where site disappear in search engines. We are forced to use geo based country blocking in ASM policy due to compliance. As side effect, we also block important search engine bots. It will be too cumbersome to whitelist all ip ranges used by these.
There is a list of bot signatures including search engines in the ASM ddos profile settings. Is there any way to write an iRule that utilize this list and bypass the geolocation blocking?
"This applies to Bot Signatures configured for blocking or reporting, and including Search Engines.
Syntax
BOTDEFENSE::reason"
We cannot trust the user agent string since that can be manipulated by anyone. Reverse DNS lookup (and forward to verify) take a lot of network resources. Is there an easy way (iRule?) to bypas the geo blocking based on this list without using unnecessary resources? We are on version 12.1.2.
Many thanks in advance.
- Jad_Tabbara__J1Cirrostratus
Hello,
Based on your irule and to prevent blocking, you can do it differently.
You can create a VS parent with two child VS_1 and VS_2
The parent VS will apply the irule and route the traffic based on the check your are making.
Then you will apply on VS_1 the blocking ASM profile with Geoloc and on VS_2 the blocking ASM without Geoloc.
Regards
- RasmanNimbostratus
Tried a simple iRule to direct search engine traffic to a VIP without ASM policy, but the Geo block is kicking in before the iRule logic :(
when HTTP_REQUEST { if {[HTTP::header "User-Agent"] contains "Mozilla/5.0 (compatible; YandexWebmaster/2.0; +; }{ virtual "vip_without_asm_policy" log "http VIP user agent: [HTTP::header "User-Agent"]" } else { virtual "vip_with_asm_policy" log "https vip user agent: [HTTP::header "User-Agent"]" } }
Any ideas?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com