Forum Discussion

AP's avatar
Icon for Nimbostratus rankNimbostratus
May 12, 2014

ASM IP Geo-location exemption



Is it possible to create exemptions to Geo-location configurations?


The use case is fairly obvious and in our case: We're currently blocking all countries outside our own however a request has been raised to allow a single IP in a disallowed country.


In newer iterations of ASM you can create an "IP Address Exception" configuration that gives you great flexibility in exempting a given IP from select ASM features. Geo-location seems to be a glaring omission from the available exemption options.


Is there another way to create a Geo-location exception in a specific ASM Policy?


Thanks, Andrew


3 Replies

  • Hi Andrew, you should be able to creat an IP Address exception for the single IP from the disallowed country. Go to Application Security:IP Addresses: IP Address Exceptions, and click create. Then add the allowed IP address and select the option to "Never block this IP address."


    Apply the change to the ASM security policy and you should be all set.


    Requests from that IP address will still be marked as illegal, because they still originate from a disallowed geolocation. But the exception flag will be an error because it is specified as an allowed address.


    Erik Novak


  • AP's avatar
    Icon for Nimbostratus rankNimbostratus

    Hi Erik,


    The aim is to implement an IP exception to the geolocation blocking policy only, not to all blocking policies. Setting an exception to "Never block this IP address" is really expanding the potential attack surface from that IP which I'm not keen to do.


    Thanks for your suggestion though, it seems to be the only option in the list that would actually do what I'm looking for however the cons are too severe in my opinion.