F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Nishal_Rai's avatar
Nishal_Rai
Icon for Cirrocumulus rankCirrocumulus
Apr 24, 2024

Can iRule be used to perform exception of IPI category based on Geolocation

Hi Everyone, Can we configure iRule to perform exception on certain IPI category like "Spam Sources" based on Geolocation. For instance, I want to bypass the mitigation enforced on "Spam Sour...
security
spalande's avatar
spalande
Icon for Nacreous rankNacreous
May 02, 2024

My bad. Else condition is rejecting all traffic. Try below and I would suggest try on non-prod VIP first.

 

when HTTP_REQUEST { 
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    if {([$ip_reputation_categories contains "Spam Sources"]) and (!([[whereis [IP::client_addr] country] equals "NP"]))} {
	log local0. "IP from spam sources block: [IP::client_addr]"
	drop
	} else {
	#DO NOTHING
	}
  }

 

  • Nishal_Rai's avatar
    Nishal_Rai
    Icon for Cirrocumulus rankCirrocumulus
    May 09, 2024

    spalande


    Few lines were also added for the debugging purpose in the provided iRule as discussed before.

    when HTTP_REQUEST { 
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    if {([$ip_reputation_categories contains "Spam Sources"]) and (!([[whereis [IP::client_addr] country] equals "NP"]))} {
    log local0. "IP from spam sources block: [IP::client_addr]"
    drop
    } else {
    log local0. "IP from spam sources from Nepal, allow: [IP::client_addr]"
    #DO NOTHING
    }
  }



    However after few minutes of attaching the iRule on the virtual server, the application stopped working. 

    While the following error logs were found on the /var/log/ltm,

    May  8 13:07:06 waf.domain.com err tmm2[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
May  8 13:07:06 waf.domain.com err tmm[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
May  8 13:07:06 waf.domain.com err tmm1[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
May  8 13:07:06 waf.domain.com err tmm2[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
May  8 13:07:06 waf.domain.com err tmm3[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
May  8 13:07:06 waf.domain.com err tmm3[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
May  8 13:07:06 waf.domain.com err tmm1[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
May  8 13:07:06 waf.domain.com err tmm3[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
May  8 13:07:06 waf.domain.com err tmm2[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""



    It seems the iRule is still not valid to check the IPI category variable especially for the 

    [$ip_reputation_categories contains "Spam Sources"]