Forum Discussion
Country based ASM security policy
[ASM 11.5.1.HF4]
Hello,
I'm trying to set up an ASM security policy based on the client's GeoIP country.
So my thought was to use the following iRule:
when HTTP_REQUEST {
    # Drop any client-supplied copy of the header so it cannot be spoofed
    HTTP::header remove "X-GEO-COUNTRY"
    # Insert the lower-cased country code from the built-in geolocation database
    HTTP::header insert "X-GEO-COUNTRY" [string tolower [whereis [IP::remote_addr] country]]
}
It just adds a custom HTTP header containing the GeoIP country to the request (tested, works OK).
Then I put the following rule into the policy selection:
Conditions:
http-header all name X-GEO-COUNTRY not equals en
Actions:
asm enable policy not-en-policy
And finally I moved the (policy) rule before the last rule, which matches all other traffic. Unfortunately it doesn't work. There are no invocations on this rule; the last rule has all the invocations. I guess it's because the iRule header is added too late, after policy selection. Right? I don't want to select the security policy directly in an iRule. Is there any easy solution for this?
3 Replies
- Thomas_Gobet
Nimbostratus
Hi,
This should work; I have already done this kind of configuration without problems.
Can you add a log action? With that we will know whether it's matched or not. Also, can you paste your policy configuration here?
- dgdv_171415
Nimbostratus
Hi,
Thanks for your answer.
> Can you add a log action, with that we will know if it's matched or not.
I added a log action and it's never matched (regardless of the country code provided in the rule). It's the same as the rule invocation statistics. The strange thing is, when I change the Condition from:
http-header all name X-GEO-COUNTRY not equals en (Value can be missing:true)
to
http-header all name X-GEO-COUNTRY not contains en (Value can be missing:true)
then it's always matched (again regardless of the country code provided).
And finally, when 'Value can be missing' is not set, the results above are completely negated.
>Also can you paste your policy configuration here ?
I'm not sure if this is what you asked for:
Strategy: first-match
Requires: http
Controls: asm
Rules:
rule1: "http-uri path starts-with /something1/" "asm enable policy /partition1/policy1"
rule2: "http-uri path starts-with /something2/" "asm enable policy /partition1/policy2"
rule3: "http-header all name X-GEO-COUNTRY not equals en (value can be missing:true)" "asm enable policy /partition1/untrusted-countries-policy"
rule4: "" "asm enable policy /partition1/trusted-countries-policy"
Rule1 and rule2 work OK. For other traffic, always only one rule is matched for all requests: rule3 or rule4, depending on the equals/contains or 'value can/can't be missing' condition.
And the iRule works OK, i.e. this is from an HTTP request logged by ASM:
X-GEO-COUNTRY: us
- Thomas_Gobet
Nimbostratus
OK, I've got it: iRules are applied after your LTM policies.
So you don't match rule n°3 and your traffic goes to rule 4, right?
I'm searching for a solution on how to do it from your policy but I'm not sure it's possible with the 11.5.x version.
In the 11.6.0 version, you can do it directly from your policy (geolocation condition without inserting information into the header).
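The ordering point raised above means the header-based LTM policy rule can never see the value the iRule inserts in the same HTTP_REQUEST event. On 11.5.x the usual workaround is to do the country lookup and the ASM policy selection in the same iRule with ASM::enable, so there is no ordering dependency at all. The following is an added example, not code from the thread; it assumes ASM is already active on the virtual server (on 11.x that still means an LTM policy with Controls: asm attached), that the policy names match those in the policy configuration posted above, and that a string data group named trusted_countries holds the lower-cased ISO 3166-1 alpha-2 codes of the trusted countries. Note that whereis returns those two-letter country codes (for example "us" or "de" after lowering), so the comparison values in any rule or data group must be country codes of that form.

```tcl
# Added example: select the ASM policy inside the iRule instead of via an
# LTM policy header condition. Lookup and ASM::enable run in the same
# HTTP_REQUEST event, so the "policy evaluated before the iRule" problem
# does not apply. Policy names and the trusted_countries data group are
# assumptions for illustration.
when HTTP_REQUEST {
    # whereis returns the ISO 3166-1 alpha-2 code (e.g. "US"), or "" if the
    # address cannot be resolved in the geolocation database.
    set country [string tolower [whereis [IP::remote_addr] country]]

    # Keep the header for ASM request logging, as in the original iRule.
    HTTP::header remove "X-GEO-COUNTRY"
    HTTP::header insert "X-GEO-COUNTRY" $country

    # Path-based selection first, mirroring rule1 and rule2 of the LTM policy.
    if { [HTTP::path] starts_with "/something1/" } {
        ASM::enable /partition1/policy1
    } elseif { [HTTP::path] starts_with "/something2/" } {
        ASM::enable /partition1/policy2
    } elseif { $country ne "" && [class match $country equals trusted_countries] } {
        ASM::enable /partition1/trusted-countries-policy
    } else {
        # Unresolved ("") or untrusted countries fall through to the stricter
        # policy, so a failed lookup never relaxes enforcement.
        ASM::enable /partition1/untrusted-countries-policy
    }
}
```

The explicit check for an empty country code is deliberate: a client whose address is not in the geolocation database should land on the restrictive policy rather than accidentally matching a permissive rule, which is the same fail-closed choice a "value can be missing" condition in an LTM policy has to make for you.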