GeoIP Transformations

Overview

Starting with Avi Vantage release 18.2.6, two new transformations are available in the ModSecurity (ModSec) rule language for the WAF feature.

  • t:IPtoCountryCode
  • t:IPtoASNumber

These transformations translate an IPv4 address into either the corresponding country code (CC) or the autonomous system number (ASN) of the address. Starting with Avi Vantage release 20.1.3, the GeoIP transformations support IPv6 addresses in addition to IPv4 addresses.

Use Case Examples

  1. Blocking an IP when the IP is not from the US.

     SecRule REMOTE_ADDR "!@streq US" "phase:1,id:1,t:IPtoCountryCode,deny,msg:'IP address is not from the US'"

  2. Blocking an IP when it is not from the US (even if it comes over a US proxy).

     SecRule REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For "!@streq US" "phase:1,id:2,t:IPtoCountryCode,deny,msg:'IP address is not from the US'"

  3. Blocking an IP when it is from AS64496.

     SecRule REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For "@streq 64496" "phase:1,id:3,t:IPtoASNumber,deny,msg:'IP address is from AS64496'"

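The rule semantics behind use cases 2 and 3, as an added Python model that is not Avi Vantage or ModSecurity code: it substitutes a constructed lookup table for the real GeoIP data, treats the leftmost X-Forwarded-For entry as the original client (an assumption), and shows why the negated @streq over REMOTE_ADDR|X-Forwarded-For denies a non-US client even when REMOTE_ADDR is a US proxy.

```python
import ipaddress

# Constructed lookup table (documentation ranges): network -> (country code, ASN).
# Illustrative values only; a real deployment uses the Avi GeoIP data.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): ("US", 64496),
    ipaddress.ip_network("203.0.113.0/24"): ("DE", 64497),
    ipaddress.ip_network("2001:db8::/32"): ("US", 64498),  # IPv6, supported from 20.1.3
}

def transform(ip_text, name):
    """Model t:IPtoCountryCode (name="IPtoCountryCode") and t:IPtoASNumber."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return ""  # not an address literal: assume the transformation yields nothing
    for net, (cc, asn) in GEO_TABLE.items():
        if ip in net:  # version mismatch (v4 vs v6) simply does not match
            return cc if name == "IPtoCountryCode" else str(asn)
    return ""  # unmapped address: assumed empty, so "!@streq US" fails closed

def evaluate(rule, request):
    """Return "deny" if any selected variable satisfies the (possibly negated)
    @streq after the transformation; ModSecurity evaluates each variable of
    REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For separately."""
    values = []
    if "REMOTE_ADDR" in rule["targets"]:
        values.append(request["REMOTE_ADDR"])
    if "REQUEST_HEADERS:X-Forwarded-For" in rule["targets"] and "X-Forwarded-For" in request:
        # assumption: the leftmost X-Forwarded-For entry is the original client
        values.append(request["X-Forwarded-For"].split(",")[0])
    for raw in values:
        matched = transform(raw, rule["t"]) == rule["value"]
        if matched != rule["negate"]:
            return "deny"
    return "pass"

# Use case 2: deny when the client is not from the US, even behind a US proxy.
RULE_NOT_US = {"targets": ["REMOTE_ADDR", "REQUEST_HEADERS:X-Forwarded-For"],
               "t": "IPtoCountryCode", "negate": True, "value": "US"}
# Use case 3: deny when the client is from AS64496.
RULE_AS64496 = {"targets": ["REMOTE_ADDR", "REQUEST_HEADERS:X-Forwarded-For"],
                "t": "IPtoASNumber", "negate": False, "value": "64496"}
```

Because X-Forwarded-For is client-controlled, a rule that inspects it can only add denials (a spoofed header cannot turn a deny into a pass here), which is why the header belongs in the target list for blocking rules but not for allow-listing.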
Relation with DataScript Geo Lookup Functions

The DataScript function get_geo_from_ip returns the country code of a given IP via avi.utils.get_geo_from_ip(IP, "COUNTRY") or its ASN via avi.utils.get_geo_from_ip(IP, "ASN").

It uses the same data and mapping as the WAF transformations.

Relation with ModSecurity @geoLookup Operator

ModSecurity includes a @geoLookup operator and the GEO collection. Avi Vantage does not support these, for different reasons.

For example, consider the following GEO rule from ModSecurity:

# Configure geolocation database
SecGeoLookupDb /path/to/GeoLiteCity.dat
...
# Lookup IP address
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:155,nolog,pass"

# Block IP address when it is not from the US
SecRule GEO:COUNTRY_CODE "!@streq US" "phase:1,id:156,deny,msg:'IP address is not from the US'"

It can be replaced with the following single rule, which uses the new transformation:

SecRule REMOTE_ADDR "!@streq US" "phase:1,id:4,t:IPtoCountryCode,deny,msg:'IP address is not from the US'"

Note: The client IP is subject to the Use_True_Client_IP option. It may be the source IP from the layer-3 header or the IP fetched from a user-defined HTTP header. For more information, refer to True Client IP in L7 Security Features.

Caveats

Additional Memory Requirements

The tables for the transformations are only loaded into memory if additional shared memory is configured. Refer to Extra Shared Memory to understand the additional memory requirements and to configure them.