Allow search engines even though country is blocked by geolocation block

Rasman_75397 · ‎10-May-2017

Hi!

We have an issue where site disappear in search engines. We are forced to use geo based country blocking in ASM policy due to compliance. As side effect, we also block important search engine bots. It will be too cumbersome to whitelist all ip ranges used by these.

There is a list of bot signatures including search engines in the ASM ddos profile settings. Is there any way to write an iRule that utilize this list and bypass the geolocation blocking?

"This applies to Bot Signatures configured for blocking or reporting, and including Search Engines.

Syntax

BOTDEFENSE::reason"

We cannot trust the user agent string since that can be manipulated by anyone. Reverse DNS lookup (and forward to verify) take a lot of network resources. Is there an easy way (iRule?) to bypas the geo blocking based on this list without using unnecessary resources? We are on version 12.1.2.

Many thanks in advance.

Rasman · ‎11-May-2017

Tried a simple iRule to direct search engine traffic to a VIP without ASM policy, but the Geo block is kicking in before the iRule logic 😞

when HTTP_REQUEST { if {[HTTP::header "User-Agent"] contains "Mozilla/5.0 (compatible; YandexWebmaster/2.0; +; }{ virtual "vip_without_asm_policy" log "http VIP user agent: [HTTP::header "User-Agent"]" } else { virtual "vip_with_asm_policy" log "https vip user agent: [HTTP::header "User-Agent"]" } }

Any ideas?

Jad_Tabbara__J1 · ‎11-May-2017

Hello,

Based on your irule and to prevent blocking, you can do it differently.

You can create a VS parent with two child VS_1 and VS_2

The parent VS will apply the irule and route the traffic based on the check your are making.

Then you will apply on VS_1 the blocking ASM profile with Geoloc and on VS_2 the blocking ASM without Geoloc.

Regards

DevCentral

Allow search engines even though country is blocked by geolocation block