Forum Discussion

dbaimakov's avatar
Icon for Altocumulus rankAltocumulus
Oct 23, 2023

Exception for GeoBlocked Country. Without Allow-Listing a specific IP

We are geo-blocking users from China, but some users are trying to ship goods and needs to see access certain guidelines regarding the types of goods that are allowed.

The security policy that governs access to this application also applies to several other applications. I am concerned that allow-listing the specific IP addresses of those users could potentially open up a security loophole.

We are in a bit of pickle and exploring the best way to address this issue without compromising security protocols. Any suggestions would be appriciated. 

I tinkered and composed this iRule. I am uncertain about the last part... (ignore private.url as I don't want to post it publcily here)



    # Initialize a variable to hold the block status

    set blocked_ip 1




    # Check if the request is for the specific full URL and the client is from China

    if { ([HTTP::host] equals "private.url") and

         ([HTTP::uri] equals "/substances-search/Substance?lang=en") and

         ([whereis [IP::client_addr] country] equals "CN") } {

        # Tentatively allow access, pending the ASM check

        set blocked_ip 0





    # Check if the request is blocked by ASM

    if { [ASM::status] eq "blocked" } {

        # If it's due to geolocation and the specified conditions are met, unblock

        if { [ASM::violation names] contains "VIOLATION_ILLEGAL_GEOLOCATION" and

             $blocked_ip == 0 } {


            log local0. "[ASM::violation_data] unblocked for [IP::client_addr]"

        } else {

            # For other violations, ensure the request remains blocked

            set blocked_ip 1






    # If the block status is true, respond with a 403 Forbidden

    if { $blocked_ip == 1 and

         [ASM::status] eq "blocked" and

         ![ASM::violation names] contains "VIOLATION_SQL_INJECTION" } {

        HTTP::respond 403 content "Access denied" "Content-Type" "text/plain" "Connection" "close"



  • Hi dbaimakov,

    You can use two waf policies and disable the geolocation control in one policy.

2 Replies

  • dbaimakov From my understanding the only way around this would be to create an IP exception list since the IP database is grouped all together in country code CN.

  • Hi dbaimakov,

    You can use two waf policies and disable the geolocation control in one policy.