The GeoIP transformations translate an IP address to either the corresponding country code (CC) or the autonomous system number (ASN) of the address. Both IPv4 and IPv6 addresses are supported.
Two new transformations are available in the ModSecurity (ModSec) language for the WAF feature.
t:IPtoCountryCode
t:IPtoASNumber
Use Case Examples
Block a client whose IP address is not from the US:
SecRule REMOTE_ADDR "!@streq US" "phase:1,id:1,t:IPtoCountryCode,deny,msg:'IP address is not from the US'"
Block a client whose IP address is not from the US, even if the request arrives through a US proxy. The rule tests both the connecting address and the address carried in X-Forwarded-For; because the variables are OR-ed, the rule fires if either value is not US. Since REMOTE_ADDR is always evaluated as well, a forged X-Forwarded-For header cannot be used to bypass this rule; it can only add values that are checked:
SecRule REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For "!@streq US" "phase:1,id:2,t:IPtoCountryCode,deny,msg:'IP address is not from the US'"
Block a client whose IP address is from AS64496:
SecRule REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For "@streq 64496" "phase:1,id:3,t:IPtoASNumber,deny,msg:'IP address is from AS64496'"
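To make the evaluation of the three rules above concrete, the following is an added Python model; it is not part of the product or of this page. It plays the role of t:IPtoCountryCode and t:IPtoASNumber over a small constructed lookup table and applies ModSecurity's any-variable-matches semantics to REMOTE_ADDR and X-Forwarded-For. The GeoIP table, the country and ASN assignments and the sample requests are made up for illustration. Whether the product splits a comma-separated X-Forwarded-For chain and tests each hop is an assumption of this model, not something the page states. The model shows two behaviours worth knowing: a forged X-Forwarded-For cannot bypass rule id:2 because REMOTE_ADDR is always tested too, and (in this model) an address missing from the table is denied by "!@streq US" rather than let through.

```python
import ipaddress

# Constructed sample GeoIP table for illustration only (not real GeoIP data):
# RFC 5737 / RFC 3849 documentation prefixes with arbitrary country codes, and
# ASNs from the RFC 5398 documentation range (AS64496 is the one the page blocks).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US", 64496),
    (ipaddress.ip_network("198.51.100.0/24"), "DE", 64497),
    (ipaddress.ip_network("203.0.113.0/24"), "US", 64498),
    (ipaddress.ip_network("2001:db8::/32"), "FR", 64499),
]


def lookup(ip):
    """Longest-prefix match of ip against GEO_TABLE.

    Returns (country_code, asn); (None, None) for unknown or malformed input."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None, None
    best = None
    for net, cc, asn in GEO_TABLE:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc, asn)
    return (best[1], best[2]) if best else (None, None)


def ip_to_country_code(ip):
    """Model of t:IPtoCountryCode: address -> country code (None if unknown)."""
    return lookup(ip)[0]


def ip_to_as_number(ip):
    """Model of t:IPtoASNumber: address -> ASN as a string, since @streq compares strings."""
    asn = lookup(ip)[1]
    return None if asn is None else str(asn)


def rule_variables(request, with_xff):
    """Expand REMOTE_ADDR (and optionally REQUEST_HEADERS:X-Forwarded-For).

    Assumption, not stated on the page: a comma-separated X-Forwarded-For chain
    is split so that every hop is transformed and tested individually."""
    values = [request["remote_addr"]]
    xff = request["headers"].get("X-Forwarded-For") if with_xff else None
    if xff:
        values.extend(hop.strip() for hop in xff.split(","))
    return values


def evaluate(request, transform, operator, with_xff):
    """ModSecurity semantics for a multi-variable target: the rule fires when
    ANY variable, after the transformation, satisfies the operator."""
    return any(operator(transform(v)) for v in rule_variables(request, with_xff))


# The three rules from the use-case examples. "!@streq US" also fires on an
# unknown address (the transformation yields None), so unknown origins are denied.
def deny_non_us_id1(request):
    return evaluate(request, ip_to_country_code, lambda cc: cc != "US", with_xff=False)


def deny_non_us_id2(request):
    return evaluate(request, ip_to_country_code, lambda cc: cc != "US", with_xff=True)


def deny_as64496_id3(request):
    return evaluate(request, ip_to_as_number, lambda asn: asn == "64496", with_xff=True)


# Constructed sample requests (hypothetical traffic, not captured data).
REQUESTS = {
    "us_direct": {"remote_addr": "203.0.113.10", "headers": {}},
    "de_direct": {"remote_addr": "198.51.100.7", "headers": {}},
    # German client behind an honest US proxy: only the XFF-aware rule catches it.
    "de_via_us_proxy": {"remote_addr": "203.0.113.10",
                        "headers": {"X-Forwarded-For": "198.51.100.7"}},
    # German client forging a US X-Forwarded-For: REMOTE_ADDR still denies it.
    "de_spoofing_xff": {"remote_addr": "198.51.100.7",
                        "headers": {"X-Forwarded-For": "203.0.113.10"}},
    # Multi-hop chain: FR client -> DE proxy -> US proxy.
    "chain": {"remote_addr": "203.0.113.10",
              "headers": {"X-Forwarded-For": "2001:db8::1, 198.51.100.7"}},
    "as64496_direct": {"remote_addr": "192.0.2.5", "headers": {}},
}


def decisions():
    """Run all three rules over every sample request: name -> (id1, id2, id3)."""
    return {name: (deny_non_us_id1(r), deny_non_us_id2(r), deny_as64496_id3(r))
            for name, r in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:16s} id1={verdict[0]!s:5s} id2={verdict[1]!s:5s} id3={verdict[2]}")
```

Running the block prints one verdict line per sample request; the de_via_us_proxy case is the one that distinguishes rule id:2 from id:1, and the de_spoofing_xff case shows why adding X-Forwarded-For to the variable list does not weaken the rule.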
Relation with DataScript Geo Lookup Functions
The DataScript function avi.utils.get_geo_from_ip returns the country code of a given IP with avi.utils.get_geo_from_ip(IP, "COUNTRY") or its ASN with avi.utils.get_geo_from_ip(IP, "ASN"). It uses the same data and mapping as the WAF transformations.
Relation with ModSecurity @geoLookup Operator
ModSecurity has a @geoLookup operator and a GEO collection. These are not supported by NSX Advanced Load Balancer. Consider, for example, the following GEO rule set from a ModSecurity configuration:
# Configure geolocation database
SecGeoLookupDb /path/to/GeoLiteCity.dat
...
# Lookup IP address
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:155,nolog,pass"
# Block IP address when it is not from the US
SecRule GEO:COUNTRY_CODE "!@streq US" "phase:1,id:156,deny,msg:'IP address is not from the US'"
This rule set can be replaced with a single rule using the new transformation; no SecGeoLookupDb directive is needed, because the GeoIP tables are built in (see Caveats for the memory requirement):
SecRule REMOTE_ADDR "!@streq US" "phase:1,id:4,t:IPtoCountryCode,deny,msg:'IP address is not from the US'"
The client IP that REMOTE_ADDR carries depends on the Use_True_Client_IP option: it is either the source IP from the layer-3 header or the IP fetched from a user-defined HTTP header. For more information, see True Client IP in the L7 Security Features topic in the VMware NSX Advanced Load Balancer Configuration Guide.
Caveats
- Additional Memory Requirements: The tables for the transformation are only loaded into memory if additional shared memory is configured. For more information on additional memory requirements and configuration details, see the Extra Shared Memory topic in the VMware NSX Advanced Load Balancer Configuration Guide.