geolocation
17 Topics

iRule error - bad IP address format (line x)
I just deployed this iRule:

    when HTTP_REQUEST {
        if { [HTTP::header exists "X-Forwarded-For"] } {
            set client_ip [HTTP::header value "X-Forwarded-For"]
            set fromCountry [whereis $client_ip country]
            if { ( [class match $fromCountry equals Blocked_Countries]) } {
                drop
            }
        }
    }

And I'm getting this error in /var/log/ltm:

    TCL error: /parition1/BlockedCoun_XFF <HTTP_REQUEST> - bad IP address format (line 2) invoked from within "whereis $client_ip country"
    TCL error: /parition1/BlockedCoun_XFF <HTTP_REQUEST> - bad IP address format (line 3) invoked from within "whereis $client_ip country"

I saw this article but I'm not sure how to implement it in my iRule: https://support.f5.com/csp/article/K15450552

Could you please advise on this? Thanks

1.4K Views, 0 likes, 5 Comments

traffic flow between IPI, application security policy, bot detection, DoS protection, irule, and geolocation
I want to know how traffic flows between IPI, application security policy, bot detection, DoS protection, iRule, and Geolocation (using an iRule for Geolocation). I am using Global IPI (meaning IPI is not attached to any VS), have an iRule for Geolocation, and only have the ASM and LTM modules (no APM and AFM). I understand that iRules can be arranged in order. The application security policy, bot detection, DoS protection, and iRule are attached to the VS.

Here is how I understand the traffic flow: the traffic hits Global IPI -> reaches the VS for iRules in order (including Geolocation, I always put Geolocation in first place) -> Application security policy -> DoS -> Bot detection. Is this correct? Or will application security policy, DoS, and Bot detection happen at the same time?

What is the best practice for Geolocation? Using an iRule for Geolocation or using Geolocation in the application security policy?

729 Views, 0 likes, 3 Comments

Geolocation accept per url path
Hello team! I'm very new to iRules, and I need to understand if it is possible to make an iRule that accepts geolocation traffic for a specific URL path, for example:

example.com/ (accept traffic only from US)
example.com/admin (accept traffic only from US, AUS, BRA)

Is there any way to do this via an iRule? Kind Regards!

Solved

704 Views, 1 like, 2 Comments

platform migration carry over Geolocation data file and ASM signature data file
I am working on a platform migration from i5600 to i7600 by backing up a UCS file and restoring it to the i7600. I am wondering if the geolocation data file, ASM signatures, and bot signatures will be updated as well. Recently I restored a UCS file but saw that the Geolocation data file is from 2020, which is last year, and this is causing customer complaints. When I did the geoip_lookup, it pointed to /usr/share/GeoIP/v2/F5GeoIP.dat, which means that there is no Geolocation data file under /shared/GeoIP/v2/F5GeoIP.dat and the default location is used. What is the best way for me to compare the settings and configuration before and after the platform migration? I thought that UCS backup and restore should cover all the settings, but I am still missing the Geolocation data file.

671 Views, 0 likes, 0 Comments

ASM IP Geo-location exemption
Hi,

Is it possible to create exemptions to Geo-location configurations? The use case is fairly obvious, and in our case: we're currently blocking all countries outside our own; however, a request has been raised to allow a single IP in a disallowed country. In newer iterations of ASM you can create an "IP Address Exception" configuration that gives you great flexibility in exempting a given IP from select ASM features. Geo-location seems to be a glaring omission from the available exemption options. Is there another way to create a Geo-location exception in a specific ASM Policy?

Thanks, Andrew

616 Views, 0 likes, 3 Comments

Geolocation when LDNS in a different geography than user doing the lookup
I am wondering if anyone has clever thoughts on how to address the situation with Topology load-balancing on F5 DNS. If a user is in EMEA but their ISP DNS server is in the US, it will be that DNS server in the US whose IP is analyzed by the geolocation database on the F5 and the GTM will respond with the DNS entry appropriate for US IP addresses. This circumvents our geolocation intent. Is there anything anyone has come up with to do to address this?

499 Views, 1 like, 2 Comments

GTM/BIG IP DNS - Geolocation for a single URL/single country
Hello,

So an interesting thing came across my desk. A client wants to have a country be redirected to a datacenter for a single URL while leaving all other geolocation settings alone. I have multiple datacenters with two BIG IP DNS GTMs, and this particular URL is load balanced via WideIP with Topology preference on the pool members. Currently traffic has 4 different datacenters it can go to, but due to how the geolocation is set, they feel that the traffic for this particular URL should go to another datacenter for latency reasons. They do not want to change geolocation for anything else, just this one URL dealing with this one country.

I have seen some iRules that can be used for LTM and GTM stuff, but more for blocking, not redirecting. Is that something that can be done with the GTM? I guess the way to simplify it to the smallest form: is there an iRule that can be placed on a WideIP that notices the country of origin and from that dictates what pool member it should send it to?

498 Views, 0 likes, 0 Comments

Excluding google from geolocation with IRULE
Hi,

I am interested in an iRule that will exclude Google IPs from geolocation blocking. Since Google's IP list is dynamic, I need a way to take this list and turn it into a data group on a regular basis.

The list is here: https://developers.google.com/search/apis/ipranges/googlebot.json
And the ranges are here: https://www.gstatic.com/ipranges/goog.json

Any ideas? Anybody done this already?

Thanks, Vered

460 Views, 0 likes, 1 Comment

APM geolocation - N/A, others, anonymous proxy available?
Hi

ASM's geolocation enforcement feature has (The BIG-IP Application Security Manager Part 7: Geolocation):

N/A for internal/reserved IPs
Others for external IPs not matching the geoDB
Anonymous Proxy

Is that available in APM too? Cannot find it in the documentation.

Thanks Alex

433 Views, 0 likes, 3 Comments

Allow search engines even though country is blocked by geolocation block
Hi! We have an issue where the site disappears from search engines. We are forced to use geo-based country blocking in the ASM policy due to compliance. As a side effect, we also block important search engine bots. It would be too cumbersome to whitelist all IP ranges used by these. There is a list of bot signatures including search engines in the ASM DDoS profile settings. Is there any way to write an iRule that utilizes this list and bypasses the geolocation blocking?

"This applies to Bot Signatures configured for blocking or reporting, and including Search Engines. Syntax BOTDEFENSE::reason"

We cannot trust the user agent string since that can be manipulated by anyone. Reverse DNS lookup (and forward to verify) takes a lot of network resources. Is there an easy way (iRule?) to bypass the geo blocking based on this list without using unnecessary resources? We are on version 12.1.2. Many thanks in advance.

406 Views, 0 likes, 2 Comments