Controlling Application use by Geolocations
Overview
Geolocation software can identify the geographic location of a client or web application user. Geolocation refers either to the process of assessing the location, or to the actual assessed location.
For applications protected by WAF, you can use geolocation enforcement to restrict or allow application use in specific countries. You adjust the lists of which countries or locations are allowed or disallowed in a security policy. If an application user tries to access the web application from a location that is not allowed, the Access from disallowed GeoLocation violation occurs. By default, all locations are allowed, and the violation learn, alarm, and block flags are enabled.
Requests from certain locations, such as RFC-1918 addresses or unassigned global addresses, do not include a valid country code. The geolocation is shown as N/A in both the request and the list of geolocations. You have the option to disallow N/A requests, whose country of origin is unknown.
If BIG-IP Next is deployed behind a proxy, you might need to set the Trust XFF Header option in the security policy properties. The system then identifies the location using the address from the X-Forwarded-For (XFF) header instead of the source IP address.
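The following Python model is an added example, not F5 code or part of the original documentation. It shows how the evaluated address changes with Trust XFF Header and how N/A requests are treated. The geolocation table, the country codes AA and BB, the function names, and the choice of the last XFF entry are assumptions made for illustration.

```python
import ipaddress

# Constructed geolocation table (documentation ranges, not real assignments).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "AA",
    ipaddress.ip_network("203.0.113.0/24"): "BB",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def country_of(addr):
    """Return a country code, or "N/A" when the address has no valid one."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "N/A"
    for net, code in GEO_TABLE.items():
        if ip in net:
            return code
    return "N/A"  # unknown to the table: modelled like an unassigned address


def client_address(source_ip, xff, trust_xff):
    """Pick the address to geolocate. Assumption: the last XFF entry is used."""
    if trust_xff and xff:
        candidate = xff.split(",")[-1].strip()
        try:
            ipaddress.ip_address(candidate)
            return candidate
        except ValueError:
            pass  # malformed header value: fall back to the source address
    return source_ip


def evaluate(source_ip, xff, trust_xff, disallowed, disallow_na=False):
    """Return (country, violation name or None) for one request."""
    country = country_of(client_address(source_ip, xff, trust_xff))
    blocked = country in disallowed or (country == "N/A" and disallow_na)
    return country, "Access from disallowed GeoLocation" if blocked else None


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 reaches the WAF via proxy 10.0.0.5.
    for trust in (False, True):
        print(trust, evaluate("10.0.0.5", "203.0.113.7", trust, {"BB"}))
```

With the option off, the request behind the proxy resolves to N/A because the proxy's RFC-1918 address is evaluated, so the disallowed list never matches.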
Prerequisites
Verify any attached application services to ensure proper security after changes are deployed.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
How to manage policy geolocations
Modify the allowed and disallowed geolocations for the policy. By default, all countries are allowed. Traffic that originates from the countries assigned to the Disallowed Geolocations list is restricted.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the Basic Settings opens.
Toggle the Advanced View button at the top right of the Basic Settings panel.
In the Allowed Geolocations and Disallowed Geolocations lists, select one or more countries from a list and use the arrow key to move the selection to the other list.
Select Select All and use the arrow key to move the entire country list from one status to another.
Click Save to save your changes. If you would like to automatically deploy your changes to the BIG-IP Next instance, click Save & Deploy.
If you deployed your changes to an application, traffic from countries in the Disallowed Geolocations list will be restricted from accessing your application.
Geolocation management using the policy Editor
Edit the WAF policy JSON declaration directly through the WAF policy editor.