xff and geolocation
If I want to create a dos l7 profile that needs to check the xff header as the source address (I will add an http+xff profile), and I want to exclude a country from the dosL7 policy using an LTM policy - can this be done with XFF? can the ltm policy recognise xff addresses' geolocations? If not with ltm policy, can this be done with an irule? thanks, Vered
iRule error - bad IP address format (line x)
I just deployed this irule: when HTTP_REQUEST { if { [HTTP::header exists "X-Forwarded-For"] } { set client_ip [HTTP::header value "X-Forwarded-For"] set fromCountry [whereis $client_ip country] if { ( [class match $fromCountry equals Blocked_Countries]) }{ drop } } } And I'm getting this error in /var/log/ltm: TCL error: /parition1/BlockedCoun_XFF <HTTP_REQUEST> - bad IP address format (line 2) invoked from within "whereis $client_ip country" TCL error: /parition1/BlockedCoun_XFF <HTTP_REQUEST> - bad IP address format (line 3) invoked from within "whereis $client_ip country" I saw this article but not sure enough how to implement it in my irule https://support.f5.com/csp/article/K15450552 Could you please advise on this? Thanks
Excluding google from geolocation with IRULE
Hi, I am interested in an irule that will exclude google IPs from geolocation blocking. Since Google's IP list is dynamic, I need a way to take this list and turn it into a data group on a regular basis. The list is here: https://developers.google.com/search/apis/ipranges/googlebot.json And the ranges are here: https://www.gstatic.com/ipranges/goog.json Any ideas? Anybody done this already? Thanks, Vered
platform migration carry over Geolocation data file and ASM signature data file
I am working on platform migration from i5600 to i7600 by backing up UCS file and restoring it back to the i7600. I am wondering if geolocation data file, ASM signature, and bot signature will be updated as well. Recently I restore UCS file but see the Geolocation data file is 2020 which is last year and causing customer complain. When I did the geoip_lookup, it points to /usr/share/GeoIP/v2/F5GeoIP.dat which mean that there is no Geolocation data file under /shared/GeoIP/v2/F5GeoIP.dat and use the default location. What is the best way for me to compare the settings and configuration before and after the platform migration. I thought that UCS backup and restore should cover all the settings but I still missing Geolocation data file.traffic flow between IPI, application security policy, bot detection, DoS protection, irule, and geolocation
I want to know how the traffic flow between IPI, application security policy, bot detection, DoS protection, irule, and Geolocation (using irule for Geolocation). I am using Global IPI (mean IPI does not attached to any VS) and have an irule for Geolocation and only have module ASM and LTM (No APM and AFM). I understand that irule can be arranged by the order. The application security policy, bot detection, DoS protection, irule are attached to VS. Here is what I understand the traffic flow. The traffic hits Global IPI -> reached VS for irules in order (including Geolocation, I always put Geolocation at first place) -> Application security policy -> DoS -> Bot detection. Is this correct? Or will application security policy , Dos, Bot detection happen at the same time? What is the best practice for Geolocation? Using an irule for Geolocation or using Geolocation in application security policy?
GTM/BIG IP DNS - Geolocation for a single URL/single country
Hello, So interesting thing came across my desk. Client wants to have a country be redirected to a datacenter for a single URL while leaving all other geolocation settings alone. I have multiple datacenters with two BIG IP DNS GTMs and this particular URL is load balanced via WideIP with Topology preference on the pool members. Currently traffic has 4 different datacenters it can go to, but due to how the geolocation is set, they feel that the traffic for this particular URL should go to another datacenter for latency reasons. They do not want to change geolocation for anything else, just this one URL dealing with this one country. I have seen some iRules that can be used for LTM and GTM stuff, but more for blocking, not redirecting. Is that something that can be done with the GTM? Guess the way to simplify it to the smallest form, Is there an iRule that can be placed on a WideIP that notices the country of origin and from that dictate what pool member it should send it to?Geolocation when LDNS in a different geography than user doing the lookup
I am wondering if anyone has clever thoughts on how to address the situation with Topology load-balancing on F5 DNS. If a user is in EMEA but their ISP DNS server is in the US, it will be that DNS server in the US whose IP is analyzed by the geolocation database on the F5 and the GTM will respond with the DNS entry appropriate for US IP addresses. This circumvents our geolocation intent. Is there anything anyone has come up with to do to address this?
Convert Geolocation Data From String to Degrees
Problem this snippet solves: The whereis command returns latitude and longitude as strings instead of floating points to save room in the geolation database. If you need degrees, you need to divide by 10000 to get them. This simple proc does the work for you.. How to use this snippet: Add the proc to your specific rule or to your library rule of procs, then "call" it as appropriate. Code : ### proc to convert integers to lat/lon degrees ### proc geoloc_mod {latitude longitude} { return [list [expr {$latitude / 10000.}] [expr {$longitude / 10000.}]] } ### example iRule taking advantage of the proc ### when HTTP_REQUEST { set lat [whereis [IP::client_addr] latitude] set lon [whereis [IP::client_addr] longitude] if { [string is integer $lat] && [string is integer $lon] } { #use proc to convert geolocation from strings to degrees, store in a list set geoloc_deg [call geoloc_mod $lat $lon] } log local0. "Latitude: [lindex $geoloc_deg 0], Longititude: [lindex $geoloc_deg 1]" } Tested this on version: 11.6
Allow search engines even though country is blocked by geolocation block
Hi! We have an issue where site disappear in search engines. We are forced to use geo based country blocking in ASM policy due to compliance. As side effect, we also block important search engine bots. It will be too cumbersome to whitelist all ip ranges used by these. There is a list of bot signatures including search engines in the ASM ddos profile settings. Is there any way to write an iRule that utilize this list and bypass the geolocation blocking? "This applies to Bot Signatures configured for blocking or reporting, and including Search Engines. Syntax BOTDEFENSE::reason" We cannot trust the user agent string since that can be manipulated by anyone. Reverse DNS lookup (and forward to verify) take a lot of network resources. Is there an easy way (iRule?) to bypas the geo blocking based on this list without using unnecessary resources? We are on version 12.1.2. Many thanks in advance.