Forum Discussion
Snl
Cirrostratus
Feb 25, 2018
ASM geo location iRule
Folks,
need some help with an ASM geo location iRule.
I want to allow IP addresses which contain country SG in the forwarder header, since I have only restricted my ASM geo location policy to allow only ...
JG
Cumulonimbus
Feb 26, 2018
when ASM_REQUEST_DONE {
    set xff_is_sg ""
    # Only inspect XFF when the connecting address itself is not in SG.
    if { [whereis [IP::client_addr] country] ne "SG" } {
        if { [HTTP::header exists "X-Forwarded-For"] } {
            # Strip spaces, then split the header into its comma-separated addresses.
            foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
                log local0. "Current XFF element: $xff"
                # Check if the current XFF IP is in SG:
                if { [whereis $xff country] eq "SG" } {
                    log local0. "$xff is from SG."
                    set xff_is_sg 1
                    break
                }
            }
            # Any SG address in XFF lifts the ASM block for this request.
            if { $xff_is_sg ne "" } {
                ASM::unblock
                return
            }
        }
    }
}
However, XFF can be spoofed. If you know which non-SG IP address range your users are forwarded from, then you can tighten up the rule by trusting that range only when processing XFF.
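
One way to apply that tightening, as an added example that is not part of the original reply: XFF is read only when the connecting address is in a trusted range, and the list is walked right to left so that entries supplied by the client on the left are never trusted on their own. The data group name trusted_forwarders_dg is hypothetical, and the rule assumes each forwarder appends the address it received the connection from.

```tcl
# Added example, not code from the thread.
# Assumption: trusted_forwarders_dg is a hypothetical address-type data group
# holding the non-SG ranges your users are forwarded from.
when ASM_REQUEST_DONE {
    # Direct SG clients already pass the ASM geolocation policy.
    if { [whereis [IP::client_addr] country] eq "SG" } { return }

    # XFF is only believable when the TCP peer is a known forwarder.
    if { ![class match [IP::client_addr] equals trusted_forwarders_dg] } { return }
    if { ![HTTP::header exists "X-Forwarded-For"] } { return }

    # Flatten every XFF header instance into one ordered list of hops.
    set hops [list]
    foreach value [HTTP::header values "X-Forwarded-For"] {
        foreach hop [split [string map [list " " ""] $value] ","] {
            lappend hops $hop
        }
    }

    # Walk right to left: entries on the right were appended by our own
    # forwarders; entries further left are whatever the client sent.
    # The first hop that is not a trusted forwarder is treated as the origin.
    set origin ""
    for { set i [expr {[llength $hops] - 1}] } { $i >= 0 } { incr i -1 } {
        set hop [lindex $hops $i]
        # If the lookup errors on a malformed entry, stop and leave the block in place.
        if { [catch { set known [class match $hop equals trusted_forwarders_dg] }] } { return }
        if { !$known } {
            set origin $hop
            break
        }
    }
    if { $origin eq "" } { return }

    # Unblock only when that single origin address geolocates to SG.
    if { [catch { set country [whereis $origin country] }] } { return }
    if { $country eq "SG" } {
        log local0. "XFF origin $origin via forwarder [IP::client_addr] is in SG, unblocking."
        ASM::unblock
    }
}
```

As in the rule above, ASM::unblock lifts the block for the whole request, so this is best paired with a policy where geolocation is the violation you expect to be overriding.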
