Geolocation and IP ACL
Description
Discard a client connection or request based on the client's source IP address.
This use case can be configured using a DataScript, or a Network Security or HTTP Security policy. If a larger list of client IPs will be used, or the source IP addresses are derived from a geographic location, then the DataScript or policies should point to an IP group.
DataScript
A DataScript can be used to close the client's connection. This can be done using a TCP RST or a graceful TCP FIN, depending on a flag within the avi.http.close_conn command.
Example 1: This rule discards a statically defined IP address.
    if avi.vs.client_ip() == "10.1.1.1" then
        avi.http.close_conn()
    end
Example 2: This rule discards a list or group of IP addresses. This may be a list, a range, or a geographic location such as a number of countries. The IP list is defined within the IP Group and enforced through the DataScript.
    if avi.ipgroup.contains("Blacklist-IP-Group", avi.vs.client_ip()) then
        avi.http.close_conn()
    end
Policy
The Network Security and HTTP Security policies can be used to discard a client based on its IP address. The following illustrations show a configured policy rule that references an IP group named Blacklist. If this policy is triggered, a significant log will be generated indicating that the policy dropped this user. With enough frequency, it may incur a penalty in the health score's security row.
IP Group
The IP group is configured and maintained separately from the DataScript or policy referencing it. The group may contain lists of addresses or country codes. See the IP Group KB for more detail on this feature.
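Because the IP group is maintained separately from the rule that enforces it, it is worth checking a proposed block list against addresses that must stay reachable before attaching it. The following is an added example, not Avi code: a local Python model of the membership test, where the accepted entry forms (single address, CIDR prefix, "start-end" range), the function names and the sample data are assumptions; country codes are not modelled.

```python
import ipaddress

def parse_entry(entry):
    """Return (ip_version, first, last) integer bounds for one group entry.

    Entry forms assumed by this model: single address, CIDR prefix,
    or "start-end" range.
    """
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or int(start) > int(end):
            raise ValueError(f"bad range: {entry}")
        return start.version, int(start), int(end)
    # A bare address parses as a /32 (or /128) network.
    net = ipaddress.ip_network(entry, strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)

def group_contains(entries, client_ip):
    """Local stand-in for the membership test the DataScript performs."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        version, first, last = parse_entry(entry)
        if version == ip.version and first <= int(ip) <= last:
            return True
    return False

def blocked_allowlist_hits(entries, must_not_block):
    """Addresses that must stay reachable but would be dropped by the group."""
    return [ip for ip in must_not_block if group_contains(entries, ip)]

# Constructed sample data (private and documentation ranges, not from the page).
BLOCK_GROUP = ["10.1.1.1", "192.0.2.0/24", "198.51.100.10-198.51.100.20"]
MUST_NOT_BLOCK = ["10.1.1.2", "198.51.100.15", "203.0.113.5"]

if __name__ == "__main__":
    for ip in blocked_allowlist_hits(BLOCK_GROUP, MUST_NOT_BLOCK):
        print(f"WARNING: {ip} is covered by the block group")
```
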
Source: https://avinetworks.com/docs/17.1/geo-location-and-ip-acl/