GeoIP Transformations

Overview

Starting with Avi Vantage release 18.2.6, two new transformations are available in the ModSecurity (ModSec) language for the WAF feature.

  • t:IPtoCountryCode
  • t:IPtoASNumber

These transformations translate an IPv4 address into either the corresponding country code (CC) or the autonomous system number (ASN) of the address. Starting with Avi Vantage release 20.1.3, the GeoIP transformations also support IPv6 addresses.

Use Case Examples

  1. Blocking an IP when it is not from the US.

     SecRule REMOTE_ADDR "!@streq US" "phase:1,id:1,t:IPtoCountryCode,deny,msg:'IP address is not from the US'"

  2. Blocking an IP when it is not from the US (even if it comes through a US proxy).

     SecRule REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For "!@streq US" "phase:1,id:2,t:IPtoCountryCode,deny,msg:'IP address is not from the US'"

  3. Blocking an IP when it is from AS64496.

     SecRule REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For "@streq 64496" "phase:1,id:3,t:IPtoASNumber,deny,msg:'IP address is from AS64496'"

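To make the evaluation model of these rules concrete, the following Python simulation (an added example, not Avi code) shows how use cases 2 and 3 behave: the transformation is applied to every variable value (REMOTE_ADDR and, when present, X-Forwarded-For), @streq compares each result, and the rule denies if any value matches. It uses a constructed GeoIP table with documentation prefixes; the page does not describe how the real transformation treats an address it cannot resolve, so the simulation assumes such a value produces no match.

```python
import ipaddress

# Constructed GeoIP data standing in for the WAF's real tables (example values only:
# documentation prefixes from RFC 5737/RFC 3849 and documentation ASNs from RFC 5398).
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"),  "US", 64496),
    (ipaddress.ip_network("198.51.100.0/24"), "DE", 64497),
    (ipaddress.ip_network("2001:db8::/32"),   "JP", 64498),
]

def geo_lookup(ip_text, field):
    """Resolve an IPv4/IPv6 address to its country code ("CC") or AS number ("ASN").
    Returns None when the value is not a valid address or is not in the table."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for net, cc, asn in GEOIP_TABLE:
        if ip in net:
            return cc if field == "CC" else str(asn)
    return None

# The two transformations: each maps one variable value to the string @streq compares.
def t_ip_to_country_code(value): return geo_lookup(value, "CC")
def t_ip_to_as_number(value):    return geo_lookup(value, "ASN")

def sec_rule(values, transform, operand, negate):
    """Mimic 'SecRule VARS "[!]@streq operand" "t:<transform>,deny"': the transformation
    runs on every variable value, @streq compares each result, and the rule fires (deny)
    if any value matches. Assumption: an unresolvable address produces no match."""
    for value in values:
        transformed = transform(value)
        if transformed is None:
            continue
        if (transformed == operand) != negate:  # '!' inverts the operator result
            return True
    return False

def request_vars(remote_addr, x_forwarded_for=None):
    """REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For as the rule's variable list."""
    return [remote_addr] + ([x_forwarded_for] if x_forwarded_for else [])

def deny_not_us(remote_addr, x_forwarded_for=None):
    """Use case 2: deny when REMOTE_ADDR or X-Forwarded-For resolves outside the US."""
    return sec_rule(request_vars(remote_addr, x_forwarded_for), t_ip_to_country_code, "US", True)

def deny_as64496(remote_addr, x_forwarded_for=None):
    """Use case 3: deny when either address belongs to AS64496."""
    return sec_rule(request_vars(remote_addr, x_forwarded_for), t_ip_to_as_number, "64496", False)
```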

Relation with DataScript Geo Lookup Functions

The DataScript function avi.utils.get_geo_from_ip returns the country code of a given IP with avi.utils.get_geo_from_ip(IP, "COUNTRY") or its ASN with avi.utils.get_geo_from_ip(IP, "ASN").

It uses the same data and mappings as the WAF transformations.

Relation with ModSecurity @geoLookup Operator

ModSecurity also provides a @geoLookup operator and the GEO collection. Avi Vantage does not support these, for several reasons.

For example, a GEO rule set from ModSecurity may look like this:


# Configure geolocation database
SecGeoLookupDb /path/to/GeoLiteCity.dat
...
# Lookup IP address
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:155,nolog,pass"
 
# Block IP address when it is not from the US
SecRule GEO:COUNTRY_CODE "!@streq US" "phase:1,id:156,deny,msg:'IP address is not from the US'"

It can be replaced with the following rule, using the new transformation:


SecRule REMOTE_ADDR "!@streq US" "phase:1,id:4,t:IPtoCountryCode,deny,msg:'IP address is not from the US'"

Caveats

Memory Requirements

The tables for the transformations are loaded into memory only if additional shared memory is configured.

To use these transformations, at least 350MB of extra shared memory must be configured on the service engine (SE) group that uses them.

Configure extra_shared_config_memory, as shown below:


[admin:example-ctrl]: > configure serviceenginegroup Default-Group extra_shared_config_memory 100
[admin:example-ctrl]: serviceenginegroup > save