Avi Vantage includes a geolocation database for identifying the origin of clients. This is a fixed database based on the MaxMind IP-Country and IP-ASN data. The database is maintained on the Controllers, and incorporates database updates when the Controllers are upgraded.
The geolocation data is used in many locations, including:
- Client logs
- Policies, such as white lists or black lists
- Client insights
- Security page DDoS attacks
- Tier 2 objects, such as cache, compression, or logging eligibility
Note: Client IP is subject to the option
Use_True_Client_IP. Client IP might be equal to source IP from layer-3 header or equal to the fetched IP from user-defined HTTP header. For more information refer to True Client IP in L7 Security Features.
Starting with Avi Vantage version 21.1.1, there are various files within System-GeoDB as part of Geo DB implementation. You can use geo dB in HTTP policies, network policy, and so on, for more granular control. For instance, on region, there will be on city level too instead of only on the country level.
The following are the file objects located in
|System-LocationDB-File||Region, City, Latitude, Longitude||IPv4|
|System-CountryDB-File||Country, Continent Code, Name||IPv4|
|System_ISPDB-File||AS number, Name, ISP, Organisation Name||IPv4|
In these geo DB files, each supported column header is defined as a value of the
GeoMappingAttribute that can be further used in the policies.
The following is the snippet of
Country Code is defined as
Similarly, ISP Name in
System_ISPDB-File can be referenced as
ATTRIBUTE_ISP_NAME, and so on. These can be further used in policies as follows:
This is an example of a HTTP security policy.
For more details on HTTP security policy, refer to HTTP Security Policy guide.
Custom Geo DB Files
Along with the files mentioned above, the custom Geo DB files is supported for private IP addresses or for any other use cases. The Custom Geo DB files should follow one of the format/syntaxes shown as follows:
IP/prefix;ISP Name;Country Code;AS Number;Region Name;Custom 1;Custom 2 10.120.145.150/32;MYISP;US;100;Bangalore;user1;IT
IP/prefix;Custom 1;Custom 2;Custom 3;Custom 4;Custom 5;Custom 6;Custom 7;Custom 8;Custom 9 10.120.145.150/32;Large;Number;Of;Custom;Columns;And;We;Support;It
Custom file can be uploaded in
/var/lib/avi/other_files/<username> location using any application commands. The following is an instance of curl command,
curl -k --user <username> --location 'https://<controller-IP>/api/fileobject/upload'
--header 'X-Avi-Version: 21.1.1' -F type=GEO_DB -F compressed=true -F 'file=@<path of the file>'
- The argument -F type=GEO_DB specifies the filetype and is a required (mandatory) field.
- If the file is compressed with gzip (and therefore has the extension .csv.gz), then the additional argument -F compressed=true is required. If the file is not compressed (e.g. extension .csv), the argument -F compressed=true must be omitted.
Starting from Avi Vantage version 21.1.1, the grouping feature that maps multiple Geo values to a single result is added. It can be used to group similar entities in a bucket and then reference it in policies or DataScript.
You can map all APAC countries, and do a match on “APAC mapping” in Security policy or group Embargo countries etc.
The following is the CLI example for Match option in HTTP Security Policy:
Overriding the Database
The geolocation data may be overwritten or augmented by creating a custom IP group.
For instance, create a new IP group called “Internal” and add 10.0.0.0/8 and 192.168.0.0/16. Alternately, create a new IP group with Select by Country Code. In the example, the group is named North America and includes US, MX, and CA.
Note: A custom IP group will override only the geolocation database for the tenant in which the IP group was created.