Snl
Feb 25, 2018

ASM geo location iRule

Folks,

Need some help with an ASM geo location iRule.

I want to allow IP addresses which contain country SG in the X-Forwarded-For header, since I have restricted my ASM geo location policy to allow only the SG country to access this application, but due to Google Play integration I am seeing a US IP address as the source while the original IP is shown in X-Forwarded-For.

when ASM_REQUEST_DONE {
    log local0. "Detected Country IP"
    if { ([whereris IP::client_addr] == "SG") && ( [ASM::violation details] contains "VIOLATION_ILLEGAL_GEOLOCATION") }{
        ASM::unblock
        log local0. "[ASM::violation_data]. unblocked for [IP::client_addr]"
    }
}

2 Replies

  • JG
    when ASM_REQUEST_DONE {
        set xff_is_sg ""
        if { [whereis [IP::client_addr] country] ne "SG" } {
            if { [HTTP::header exists "X-Forwarded-For"] } {
                foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
                    log local0. "Current XFF element: $xff"
                    # Check if the current XFF IP is in SG:
                    if { [whereis $xff country] eq "SG" } {
                        log local0. "$xff is from SG."
                        set xff_is_sg 1
                        break
                    }
                }
                if { $xff_is_sg ne "" } {
                    ASM::unblock
                    return
                }
            }
        }
    }   
    

    However, XFF can be spoofed. If you know which non-SG IP address range your users are forwarded from, then you can tighten up the rule by trusting that range only when processing XFF.
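
One way to tighten the rule along the lines of the caveat above, as an added example that is not part of the original thread: it honours X-Forwarded-For only when the connecting address is in a trusted range, reads only the last XFF element, and unblocks only when geolocation is the sole violation. The data group name `trusted_xff_sources` is hypothetical, and the rule assumes the forwarder appends the address it received the request from and that `ASM::violation names` reports the violation under the name used in the question.

```tcl
# Added example, not from the original thread.
# Assumption: trusted_xff_sources is an address-type data group you create,
# holding only the non-SG ranges your users are legitimately forwarded from.
when ASM_REQUEST_DONE {
    # Act only when geolocation is the sole violation, so a request that
    # also tripped another check stays blocked.
    set names [ASM::violation names]
    if { [llength $names] != 1 || [lindex $names 0] ne "VIOLATION_ILLEGAL_GEOLOCATION" } {
        return
    }

    # Honour X-Forwarded-For only when the connecting peer is a trusted forwarder.
    if { ![class match [IP::client_addr] equals trusted_xff_sources] } {
        return
    }
    if { ![HTTP::header exists "X-Forwarded-For"] } {
        return
    }

    # Assumption: the trusted forwarder appends the address it saw, so only
    # the last element is its own statement; earlier elements are
    # client-supplied and can be forged.
    set hops [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","]
    set xff [lindex $hops end]

    # Reject anything that does not parse as an IPv4 address, and do not
    # echo the raw value into the log.
    if { [catch { IP::addr $xff mask 255.255.255.255 }] } {
        log local0. "Ignoring malformed XFF element from [IP::client_addr]"
        return
    }

    if { [whereis $xff country] eq "SG" } {
        log local0. "Unblocking: forwarder [IP::client_addr], original client $xff (SG)"
        ASM::unblock
    }
}
```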