GeoIP Database

The GeoIP database provides location-based traffic control and security enforcement for the CNF Edge Firewall. Using the GeoIP database, users can create firewall rules in the F5BigFwPolicy and F5BigFwRulelist CRs to allow or block traffic based on the geographic location (e.g., country or region) of the source or destination IP address.

F5 updates the GeoIP database weekly, and the latest version is available for download from MyF5.

Procedure

Follow the steps below to download and transfer the GeoIP database to TMM pods:

1. Download the GeoIP Database

a. Log in to MyF5 using your credentials.

b. Navigate to Support Resources and click Downloads.

c. Review the End User License Agreement and Program Terms, check the box to accept, and click Next.

d. From the Select a Product Family Group drop-down menu, choose BIG-IP_Next.

e. In the Product Line drop-down menu, select GeoIP Updates.

f. Locate the latest GeoIP database ZIP file in the download list.

Note: The latest GeoIP database file is identified by the most recent date in its filename, which follows the format:
ip-geolocation-v3-<YYYYMMDD>.zip

h. Choose a download location, then click Download to begin the download.

2. Copy the GeoIP Database to the Downloader Pod

After downloading the GeoIP database zip file (also known as the Intrusion Metadata (IM) package), manually copy it to the following directory within the Downloader Pod:

/var/downloader-localfile-upload/

Notes:

  • This directory is backed by a persistent volume, which ensures the file remains available across container restarts.

  • If the Downloader pod is deleted and recreated, you must manually copy the files back to the persistent volume.

3. Automatic Validation and Extraction

Once the file is placed in the directory, the Downloader Pod automatically:

  • Extracts the contents of the zip file.

  • Validates the .dat file using the .sha512 checksum file included in the package.

Validation Messages:

  • If the validation fails (e.g., the IM package is corrupted or incorrect), the following error appears in the Downloader Pod logs:

    GeoIP extraction and verification failed: <error reason>
    
  • If the validation is successful, the following confirmation message appears in the Downloader Pod logs:

    GeoIP extraction and verification successful: /var/downloader-localfile-upload/<filename>.zip
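
To catch a corrupted download before it is copied into the pod, a comparable check can be run on the workstation. This is an added example, not F5's validator: the function names, the one-.dat/one-.sha512 archive layout, and the digest-as-first-token checksum format are assumptions, and the sample package is constructed in memory.

```python
import hashlib
import io
import re
import zipfile

# Filename format stated on the page: ip-geolocation-v3-<YYYYMMDD>.zip
NAME_RE = re.compile(r"ip-geolocation-v3-\d{8}\.zip")


def precheck_package(source, filename):
    """Return the verified .dat member name, or raise ValueError.
    Assumed layout (not on the page): one .dat and one .sha512 member; the
    first whitespace-separated token of the .sha512 file is the hex digest."""
    if not NAME_RE.fullmatch(filename):
        raise ValueError(f"unexpected package name: {filename}")
    try:
        archive = zipfile.ZipFile(source)  # accepts a path or a file object
    except zipfile.BadZipFile as exc:
        raise ValueError(f"not a valid zip: {exc}") from exc
    with archive:
        names = archive.namelist()
        dats = [n for n in names if n.endswith(".dat")]
        sums = [n for n in names if n.endswith(".sha512")]
        if len(dats) != 1 or len(sums) != 1:
            raise ValueError(f"expected one .dat and one .sha512, got {names}")
        tokens = archive.read(sums[0]).decode("ascii", "replace").split()
        expected = tokens[0].lower() if tokens else ""
        if not re.fullmatch(r"[0-9a-f]{128}", expected):
            raise ValueError("checksum file does not hold a SHA-512 hex digest")
        digest = hashlib.sha512()
        with archive.open(dats[0]) as member:  # streamed; nothing written to disk
            for chunk in iter(lambda: member.read(1 << 20), b""):
                digest.update(chunk)
    if digest.hexdigest() != expected:
        raise ValueError(f"SHA-512 mismatch for {dats[0]}")
    return dats[0]


def build_sample(dat, digest_of):
    """Constructed in-memory package for the demo (not a real F5 file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("geoip.dat", dat)
        z.writestr("geoip.dat.sha512", hashlib.sha512(digest_of).hexdigest() + "  geoip.dat\n")
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    print(precheck_package(build_sample(b"demo", b"demo"), "ip-geolocation-v3-20250101.zip"))
```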
    

4. Configure the F5BigDownloaderPolicy CR

Create a YAML file for the F5BigDownloaderPolicy CR to configure the geoip component in offline mode.

For more information on parameter description and details on the downloader policy, see F5BigDownloaderPolicy CR.

Example Configuration

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneDownloader
metadata:
  name: "cnf-downloader"
  namespace: "cnf-gateway"
spec:
  components:
    - type: "geoip"
      mode: "offline"
      pollInterval: "5m"

Note: The pollInterval is required for schema validation, but does not affect GeoIP database updates; files are transferred immediately after validation.

5. Apply the F5BigDownloaderPolicy CR

Apply the F5BigDownloaderPolicy CR that you have created.

oc apply -f cnf-download-geoip-cr.yaml

6. Automatic Transfer to TMM Pods

After the F5BigDownloaderPolicy CR is applied, the Downloader Pod automatically transfers the validated GeoIP database to all TMM Pods using TMM endpoint messages via the f5ingress service.

Note: When a TMM Pod restarts or scales out, the GeoIP database is automatically distributed to the new pods without requiring manual intervention.
