Manual Chapter :
Disallowing Application Use at Specific
Geolocations
Applies To:
Show VersionsBIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
Disallowing Application Use at Specific
Geolocations
Overview: Disallowing application use in
certain geolocations
Geolocation software can identify the geographic location of a client or web application user.
Geolocation
refers either to the process of assessing the location, or to the
actual assessed location.For applications protected by Application Security Manager™, you can use
geolocation enforcement to restrict or allow application use in specific countries. You adjust
the lists of which countries or locations are allowed or disallowed in a security policy. If an
application user tries to access the web application from a location that is not allowed, the
Access from disallowed GeoLocation
violation occurs. By default, all locations
are allowed, and the violation learn, alarm, and block flags are enabled. Requests from certain locations, such as RFC-1918 addresses or unassigned global addresses, do
not include a valid country code. The geolocation is shown as
N/A
in both
the request, and the list of geolocations. You have the option to disallow N/A requests whose
country of origination is unknown.Disallowing application use in certain
geolocations
Before you can set up geolocation enforcement, you need to create a security policy.
If the BIG-IPsystem is deployed behind a proxy, you might need to
set the
Trust XFF Header
option in the security policy
properties. Then the system identifies the location using the address from the XFF
header instead of the source IP address. You can set up a security policy to allow or disallow access to the web
application by users in specific countries, areas, or from anonymous proxies.
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- In theGeolocation Listsetting, use the move buttons to adjust the lists of allowed and disallowed geolocations. To restrict traffic from anonymous proxies, moveAnonymous Proxyto the disallowed geolocations list.If no geolocations are disallowed, the list displays the wordNone. The screen shows the valueN/Ain the list of geolocations for cases where a user is in a location that cannot be identified, for example, if using RFC-1918 addresses or unassigned global addresses.You can approach geolocation enforcement by specifying either which locations you want to disallow or which locations you want to allow.
- ClickSaveto save your settings.
- In the editing context area, clickApply Policyto put the changes into effect.
If a user in a disallowed location attempts to access the web application, the
security policy (if in blocking mode) blocks the user and displays the violation
Access from disallowed Geolocation
.Setting up geolocation enforcement from a request
You can restrict application use in certain geolocations by using the Requests
list. This is an easy way to restrict users in a certain country from accessing the web
application. By examining illegal request details, you can disallow the locations from
which frequent problems are originating.
- On the Main tab, click.The Requests screen opens and shows all illegal requests that have occurred for all security policies.
- Filter the Requests List to show the illegal requests for the security policy for which you want to disallow the geolocation causing the problem.
- In the Requests List, click anywhere on a request.The screen displays details about the request including any violations associated with the request, and other details, such as the geolocation.
- In the Request Details area, theGeolocationsetting displays the country, and if the country is not on the disallowed geolocation list, you seeDisallow this Geolocation. If you want to disallow that location, click it.The system asks you to verify that you want to disallow this geolocation. When you verify that you do, the system adds the country to the Disallowed Geolocations list for that policy.
- Apply the change to the security policy: on the Main tab, click, make sure it is the correct current edited policy, and then clickApply Policy.
If a user in a disallowed location attempts to access the web application, the
security policy (if in blocking mode) blocks the user and displays the violation
Access from disallowed Geolocation
.