Applies To:Show Versions
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Overview: Enforcing application use in certain geolocations
Geolocation software can identify the geographic location of a client or web application user. Geolocation refers either to the process of assessing the location, or to the actual assessed location.
For applications protected by Application Security Manager, you can use geolocation enforcement to restrict or allow application use in specific countries. You adjust the lists of which countries or locations are allowed or disallowed in a security policy. If an application user tries to access the web application from a location that is not allowed, the Access from disallowed GeoLocation violation occurs. By default, all locations are allowed, and the violation learn, alarm, and block flags are enabled.
Requests from certain locations, such as RFC-1918 addresses or unassigned global addresses, do not include a valid country code. The geolocation is shown as N/A in both the request, and the list of geolocations. You have the option to disallow N/A requests whose country of origination is unknown.
Enforcing application use in certain geolocations
- On the Main tab, click .
- In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
In the Geolocation List setting, use the move buttons to
adjust the lists of allowed and disallowed geolocations. To restrict traffic
from anonymous proxies, move Anonymous Proxy to the
disallowed geolocations list.
If no geolocations are assigned, the list displays the word
None. The screen shows the value
N/A in the list of geolocations for cases where a
user is in a location that cannot be identified, for example, if using RFC-1918
addresses or unassigned global addresses.
Tip: You can approach geolocation enforcement by specifying either which locations you want to disallow or which locations you want to allow.
- Click Save to save your settings.
- In the editing context area, click Apply Policy to put the changes into effect.
Setting up geolocation enforcement from a request
- On the Main tab, expand Application Security and click Reporting. The Requests screen opens and shows all illegal requests that have occurred for this security policy.
- In the Request List, click anywhere on a request. The screen displays details about the request including any violations associated with the request, and other details, such as the geolocation.
- In the Request Details area, next to Geolocation, the country is displayed, and if the country is not on the disallowed geolocation list, you see Disallow this Geolocation. The system asks you to verify that you want to disallow this geolocation. When you verify that you do, the system adds the country to the geolocation disallowed list.
- Apply the change to the security policy: on the Main tab, click Policy, and then click Apply Policy.
- On the menu bar, click Geolocation Enforcement. The Geolocation Enforcement screen opens, and you can see that the country was added to the disallowed geolocations list.
Now, if a user in a disallowed location attempts to access the web application, the security policy (if in blocking mode) blocks the user and displays the violation Access from disallowed Geolocation.