Using F5 BIG-IP LTM/AFM and AWAF to block (OFAC) Sanctioned Countries
In follow on to my colleague MichaelatF5 's recent article on How to use F5 Distributed Cloud to block (OFAC) Sanctioned Countries there has been interest in providing a consolidated location for the various methods and functionality within BIG-IP.
Michael's article also links to external references to provide the list of countries if you need a reference.
Ensuring your geolocation database is up to date.
First and foremost, you will need to ensure your database is up to date. The BIG-IP platform does not ship with a database, but it is available and updated geolocation files are available on http://downloads.f5.com
This article walks you through validating that your database is up to date and how to upgrade if needed. The geolocation files are updated by a third party vendor largely by scanning the Internet. As IP address ranges can be transferred between organizations and countries, it's always good to update these on a regular basis if you have business logic that relies on them.
Blocking with the Local Traffic Manager (LTM)
The BIG-IP LTM has long been able to handle this request through iRules.
This K article contains 3 examples and the instructions for installing the geolocation files. The first iRule silently drops the TCP or UDP packet as it comes in to the BIG-IP listener as you would expect from a firewall. The second example drops after the 3-way handshake and the last one is commonly used when sitting behind a CDN network and drops based on the 'X-Forwarded-For' or any other configurable Layer 7 header. It also responds back with an HTTP 403 response code back through the CDN network to the client attempting to access your website. Responding with an HTTP 403 allows you to customize the response as well.
Blocking with Advanced Web Application Firewall (AWAF)
Advanced WAF has a built in functionality for blocking specified countries from accessing your web applications. The Advanced WAF policy can be set to trust the XFF header as part of the policy's general settings. Geolocation enforcement is simply part of the policy configuration.
Blocking with Advanced Firewall Manager (AFM)
And here we come to a section of my article where I don't have any external links. Why? Well, a firewall policy built with AFM is very straight forward. AFM will let you build firewall policies which specify the source (or destination) country even down to the state level. In the example below we specified a block at the country level (AF) and the state level (US:Krym) while allowing the rest of the country.
And that's it. Depending on your licensed options and implementation there are many flexible ways to go about blocking traffic from OFAC sanctioned countries; or any other way you want leverage the geolocation database to limit access to your applications.
Automating the geolocation updates via BIG-IQ.
Lastly BIG-IQ Centralized Manager can be leveraged to push out the geolocation updates and ensure that your configuration is up to date when IP addressing changes at the country level.
Let us know if this centralized reference is useful.