Manual Chapter: Enforcing Application Use at Specific Geolocations

Overview: Enforcing application use in certain geolocations

Geolocation software can identify the geographic location of a client or web application user. Geolocation refers either to the process of assessing the location, or to the actual assessed location.

For applications protected by Application Security Manager™, you can use geolocation enforcement to restrict or allow application use in specific countries. You adjust the lists of which countries or locations are allowed or disallowed in a security policy. If an application user tries to access the web application from a location that is not allowed, the Access from disallowed GeoLocation violation occurs. By default, all locations are allowed, and the violation learn, alarm, and block flags are enabled.

Requests from certain locations, such as RFC-1918 addresses or unassigned global addresses, do not include a valid country code. The geolocation is shown as N/A in both the request and the list of geolocations. You have the option to disallow N/A requests, whose country of origination is unknown.

Enforcing application use in certain geolocations

Before you can set up geolocation enforcement, you need to create a security policy. If the BIG-IP® system is deployed behind a proxy, you might need to set the Trust XFF Header option in the security policy properties. Then the system identifies the location using the address from the XFF header instead of the source IP address.
You can set up a security policy to allow or disallow access to a web application by users in specific countries, areas, or from anonymous proxies.
  1. On the Main tab, click Security > Application Security > Geolocation Enforcement.
  2. In the Current edited policy list, verify that the edited security policy is the one you want to work on.
  3. In the Geolocation Enforcement area, use the Move buttons (<< and >>) to adjust the lists of allowed and disallowed geolocations.
    • The system displays None in the Disallowed Geolocations list if you do not assign any geolocations.
    • The system provides the N/A option in the Allowed Geolocations list for cases where users are in a location that cannot be identified, for example, if they are using RFC-1918 addresses or unassigned global addresses.
  4. To restrict traffic from anonymous proxies, move Anonymous Proxy to the Disallowed Geolocations list.
  5. Click Save.
  6. In the editing context area, click Apply Policy to immediately put the changes into effect.
If a user in a disallowed location attempts to access the web application, the security policy (if in blocking mode) blocks the user and displays the violation Access from disallowed Geolocation.
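
The following sketch is an added example, not F5 code. It models how the Trust XFF Header option, the N/A geolocation, and the disallowed list interact when the system sits behind a proxy. The geolocation table, country names, sample request, and the choice to read the last address in the header are all assumptions made for illustration.

```python
import ipaddress

# RFC-1918 private ranges carry no country code, so they resolve to N/A.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed geolocation table: documentation ranges, made-up countries.
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "Country A",
    ipaddress.ip_network("203.0.113.0/24"): "Country B",
}

def geolocate(addr):
    """Return a country name, or "N/A" when no country can be assigned."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "N/A"
    for net, country in GEO_DB.items():
        if ip in net:
            return country
    return "N/A"  # no table entry: modelled like an unassigned address

def client_address(source_ip, headers, trust_xff):
    """Pick the address to geolocate: XFF if trusted and valid, else source IP."""
    xff = headers.get("X-Forwarded-For", "")
    if trust_xff and xff.strip():
        # Assumption of this sketch: use the last address listed in the header.
        candidate = xff.split(",")[-1].strip()
        try:
            ipaddress.ip_address(candidate)
            return candidate
        except ValueError:
            pass  # malformed header value: fall back to the source IP
    return source_ip

def evaluate(source_ip, headers, trust_xff, disallowed):
    """Return (geolocation, violation name or None) for one request."""
    location = geolocate(client_address(source_ip, headers, trust_xff))
    violation = ("Access from disallowed Geolocation"
                 if location in disallowed else None)
    return location, violation

# Constructed request: client 203.0.113.7 arriving through a proxy at 10.0.0.5.
SRC, HDRS = "10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}

if __name__ == "__main__":
    for trust in (False, True):
        print("trust_xff =", trust, "->", evaluate(SRC, HDRS, trust, {"Country B"}))
```

With the option off, every proxied request geolocates to the proxy's private address and shows as N/A, so the disallowed-country entry never matches unless N/A itself is disallowed.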

Setting up geolocation enforcement from a request

You can restrict application use in certain geolocations by using the Requests list. This is an easy way to restrict users in a certain country from accessing the web application. By examining illegal request details, you can disallow the locations from which frequent problems are originating.
  1. On the Main tab, click Security > Event Logs > Application. The Requests screen opens.
  2. In the Request List, click anywhere on a request. The screen displays details about the request, including any violations associated with the request, and other details, such as the geolocation.
  3. On the Request Details tab, in the General details area, locate Geolocation. If the location that is displayed is not in the disallowed geolocation list, you see the Disallow this Geolocation button.
  4. Click the Disallow this Geolocation button. The system confirms that you want to disallow this geolocation.
  5. Click OK. The system adds the country to the Disallowed Geolocation list.
  6. On the Main tab, click Application Security > Geolocation Enforcement. The Geolocation Enforcement screen opens.
  7. In the editing context area, click Apply Policy to immediately put the changes into effect.

If a user in a disallowed location attempts to access the web application, the security policy (if in blocking mode) blocks the user and displays the violation Access from disallowed Geolocation.
