dbaimakov
Oct 23, 2023

Exception for GeoBlocked Country. Without Allow-Listing a specific IP

We are geo-blocking users from China, but some users are trying to ship goods and need to access certain guidelines regarding the types of goods that are allowed.

The security policy that governs access to this application also applies to several other applications. I am concerned that allow-listing the specific IP addresses of those users could potentially open up a security loophole.

We are in a bit of a pickle and exploring the best way to address this issue without compromising security protocols. Any suggestions would be appreciated.

I tinkered and composed this iRule. I am uncertain about the last part... (ignore private.url as I don't want to post it publicly here)

 

when CLIENT_ACCEPTED {
    # Initialize a variable to hold the block status
    set blocked_ip 1
}

when HTTP_REQUEST {
    # Reset on every request: variables live for the whole connection, so a
    # match earlier on a keep-alive connection must not carry over
    set blocked_ip 1
    # Check if the request is for the specific full URL and the client is from China
    if { ([HTTP::host] equals "private.url") and
         ([HTTP::uri] equals "/substances-search/Substance?lang=en") and
         ([whereis [IP::client_addr] country] equals "CN") } {
        # Tentatively allow access, pending the ASM check
        set blocked_ip 0
    }
}

when ASM_REQUEST_DONE {
    # Check if the request is blocked by ASM
    if { [ASM::status] eq "blocked" } {
        # If it's due to geolocation and the specified conditions are met, unblock
        if { [ASM::violation names] contains "VIOLATION_ILLEGAL_GEOLOCATION" and
             $blocked_ip == 0 } {
            # ASM::unblock releases the whole request, including any other
            # violations reported alongside the geolocation one
            ASM::unblock
            log local0. "[ASM::violation_data] unblocked for [IP::client_addr]"
        } else {
            # For other violations, ensure the request remains blocked
            set blocked_ip 1
        }
    }
}

when HTTP_RESPONSE {
    # If the block status is true, respond with a 403 Forbidden
    # (the negation is parenthesised so that ! applies to the result of
    # "contains", not to the list of violation names)
    if { $blocked_ip == 1 and
         [ASM::status] eq "blocked" and
         !([ASM::violation names] contains "VIOLATION_SQL_INJECTION") } {
        HTTP::respond 403 content "Access denied" "Content-Type" "text/plain" "Connection" "close"
    }
}




  • Hi dbaimakov,

    You can use two WAF policies and disable the geolocation control in one policy.

  • dbaimakov From my understanding the only way around this would be to create an IP exception list since the IP database is grouped all together in country code CN.
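
The two-policy approach suggested in the replies, written out as an added iRule example that is not part of the thread. The policy names are hypothetical, the GET-only restriction is an added assumption, and it assumes application security is enabled on the virtual server so that `ASM::enable` can select a policy per request.

```tcl
# Added example, not code from the thread. Hypothetical names:
#   /Common/waf_shared        - the existing shared policy, geolocation enforced
#   /Common/waf_guidelines_cn - a copy of it with only geolocation enforcement off
#   "private.url"             - the placeholder host used in the original post
when HTTP_REQUEST {
    # Default for every request: the shared policy with geo-blocking on.
    # Chosen again on each request, so a keep-alive connection cannot carry
    # the exception over to a different URL.
    set policy "/Common/waf_shared"

    # Normalise the host: lower-case it and drop any :port suffix.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # The exception is limited to read-only requests for the one guidelines
    # URL, and only for clients that geolocate to CN.
    if { $host equals "private.url" and
         [HTTP::method] equals "GET" and
         [HTTP::uri] equals "/substances-search/Substance?lang=en" and
         [whereis [IP::client_addr] country] equals "CN" } {
        set policy "/Common/waf_guidelines_cn"
        log local0.info "geo exception: [IP::client_addr] -> $host[HTTP::uri]"
    }

    # Hand the request to the selected policy. All other signatures and
    # violations in the copy still block as they do in the shared policy.
    ASM::enable $policy
}
```

Because the second policy differs from the shared one only in its geolocation setting, the other applications keep their geo-block and no request is released after another violation has been raised.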
