Forum Discussion
Rich_L
Nimbostratus
May 25, 2017
iRule to allow IP address that is being blocked by ASM Geo-location policy
We have an ASM security policy configured on our public facing Virtual Servers. We also enforce blocking access from countries that we do not allow in our Geo-Location policy. I am looking to allow...
Portallion_1480
Nimbostratus
Nov 02, 2018
I have tried for a while to get something like this to work, but for a URI. After much trial and error, I have the following iRule working. Basically, putting a statement before to block if there is an attack signature violation, then an elseif to not block if the violation is for geolocation. I tested, and I am allowed as expected, but if I attempt to do XSS or some other violation that matches an attack signature then I get a block page. Including the iRules for IP, single URI and Data Group for multiple URIs.
IP
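when ASM_REQUEST_DONE {
    # Attack signature matched: take no action, so ASM's block stands
    # (ASM::support_id only returns the request's support ID).
    if {[IP::client_addr] == "X.X.X.X" and [ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED"} {
        ASM::support_id
    } elseif {[ASM::violation names] contains "GEOLOCATION" and [IP::client_addr] == "X.X.X.X"} {
        # Geolocation violation from the allowed address: override the block.
        ASM::unblock
    }
}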
Single URI
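when ASM_REQUEST_DONE {
    # Attack signature matched on the exempted path: take no action, so ASM's block stands.
    if {[ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" and [HTTP::path] contains "/upload"} {
        ASM::support_id
    } elseif {[ASM::violation names] contains "GEOLOCATION" and [HTTP::path] contains "/upload"} {
        # Geolocation violation on the exempted path: override the block.
        ASM::unblock
    }
}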
Data Group
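when ASM_REQUEST_DONE {
    # Geo_URIs is a data group listing the URIs exempted from geolocation blocking.
    # Attack signature matched on a listed URI: take no action, so ASM's block stands.
    if {([ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED") and [class match [HTTP::uri] equals Geo_URIs]} {
        ASM::support_id
    } elseif {([ASM::violation names] contains "GEOLOCATION") and [class match [HTTP::uri] equals Geo_URIs]} {
        # Geolocation violation on a listed URI: override the block.
        ASM::unblock
    }
}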
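A variant of the iRules above that combines the IP and URI exemptions and unblocks only when geolocation is the sole violation on the request, so a request carrying any other violation stays blocked. This is an added example, not part of the original post; the address data group `Geo_Allowed_IPs` is hypothetical, and `Geo_URIs` is assumed here to hold path prefixes.

```tcl
# Added example, not from the original post.
# Assumptions: Geo_Allowed_IPs (address data group, hypothetical name) and
# Geo_URIs (string data group of path prefixes) exist on the BIG-IP.
when ASM_REQUEST_DONE {
    set violations [ASM::violation names]

    # Nothing to do unless ASM flagged the request for geolocation.
    if { !($violations contains "GEOLOCATION") } {
        return
    }

    # Exempt only an allowlisted source address or an allowlisted path.
    # HTTP::path is used so a query string cannot change the match.
    set exempt 0
    if { [class match [IP::client_addr] equals Geo_Allowed_IPs] } {
        set exempt 1
    } elseif { [class match [HTTP::path] starts_with Geo_URIs] } {
        set exempt 1
    }
    if { !$exempt } {
        return
    }

    # Override the block only when geolocation is the single violation.
    # Any additional violation (attack signature or otherwise) leaves
    # ASM's blocking decision untouched.
    if { [llength $violations] == 1 } {
        ASM::unblock
        log local0.info "geo exemption applied: client=[IP::client_addr] path=[HTTP::path] support_id=[ASM::support_id]"
    } else {
        log local0.warning "geo exemption skipped, other violations present: client=[IP::client_addr] violations=$violations support_id=[ASM::support_id]"
    }
}
```

The logged support ID lets each exemption decision be correlated with the matching ASM request log entry.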