Geolocation Database

Database

Avi Vantage includes a geolocation database for identifying the origin of clients. This is a fixed database based on the MaxMind IP-Country and IP-ASN data. The database is maintained on the Controllers and is updated when the Controllers are upgraded.

Usage

The geolocation data is used in many locations, including:

  • Client logs
  • Policies, such as white lists or black lists
  • Client insights
  • Security page DDoS attacks
  • Tier 2 objects, such as cache, compression, or logging eligibility

Note: The client IP is subject to the Use_True_Client_IP option. The client IP may be the source IP from the layer-3 header or the IP fetched from a user-defined HTTP header. For more information, refer to True Client IP in L7 Security Features.

Starting with Avi Vantage version 21.1.1, System-GeoDB contains several files as part of the Geo DB implementation. You can use the Geo DB in HTTP policies, network policies, and so on, for more granular control. For instance, matching is available at the region and city level instead of only at the country level.

The following are the file objects located in /var/lib/avi/geo_db/admin:

File Objects               | Description                              | Version
System-LocationDB-File     | Region, City, Latitude, Longitude        | IPv4
System-CountryDB-File      | Country, Continent Code, Name            | IPv4
System_ISPDB-File          | AS number, Name, ISP, Organisation Name  | IPv4
System-LocationDB_v6-File  |                                          | IPv6
System-CountryDB_v6-File   |                                          | IPv6
System-ISPDB_v6-File       |                                          | IPv6

In these geo DB files, each supported column header is defined as a value of the GeoMappingAttribute that can be further used in the policies.

Example

The following is the snippet of System-CountryDB-File:

[Image: system-countrydb-file]

Country Code is defined as ATTRIBUTE_COUNTRY_CODE.

Similarly, ISP Name in System_ISPDB-File can be referenced as ATTRIBUTE_ISP_NAME, and so on. These can be further used in policies as follows:

[Image: http-security-policy-match-cli]

This is an example of an HTTP security policy.

For more details on HTTP security policy, refer to HTTP Security Policy guide.

Custom Geo DB Files

Along with the files mentioned above, custom Geo DB files are supported for private IP addresses or for any other use case. A custom Geo DB file should follow one of the formats shown below (header line followed by a sample row):

  • IP/prefix;ISP Name;Country Code;AS Number;Region Name;Custom 1;Custom 2
    10.120.145.150/32;MYISP;US;100;Bangalore;user1;IT

  • IP/prefix;Custom 1
    5.5.5.10/24;SomeData

  • IP/prefix;Custom 1;Custom 2;Custom 3;Custom 4;Custom 5;Custom 6;Custom 7;Custom 8;Custom 9
    10.120.145.150/32;Large;Number;Of;Custom;Columns;And;We;Support;It

A custom file can be uploaded to the /var/lib/avi/other_files/<username> location using any application command. The following is an example using curl:

curl -k --user <username> --location 'https://<controller-IP>/api/fileobject/upload' --header 'X-Avi-Version: 21.1.1' -F type=GEO_DB -F compressed=true -F 'file=@<path of the file>'

Notes:

  • The argument -F type=GEO_DB specifies the file type and is mandatory.
  • If the file is compressed with gzip (and therefore has the extension .csv.gz), then the additional argument -F compressed=true is required. If the file is not compressed (e.g. extension .csv), the argument -F compressed=true must be omitted.
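
Because these files feed policy matches, a malformed row can silently change which clients a rule applies to. The following pre-upload check for the semicolon-separated format above is an added example, not part of the original documentation or Avi's own tooling. The name lint_geo_db, the sample rows, and the Country Code and AS Number rules (two uppercase letters, digits only, inferred from the sample values US and 100) are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in the first custom format above; lines 4-6 are deliberately bad.
SAMPLE = """\
IP/prefix;ISP Name;Country Code;AS Number;Region Name;Custom 1;Custom 2
10.120.145.150/32;MYISP;US;100;Bangalore;user1;IT
5.5.5.10/24;MYISP;US;100;Bangalore;user2;IT
10.300.0.0/16;MYISP;US;100;Bangalore;user3;IT
192.168.1.0/24;MYISP;usa;abc;Bangalore;user4;IT
5.5.5.0/24;MYISP;US;100;Bangalore;user5;IT
"""

def lint_geo_db(text):
    """Return (line_number, message) problems found in a custom Geo DB file."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    rows = [(n, r) for n, r in enumerate(reader, 1) if r]  # skip blank lines
    if not rows:
        return [(0, "file is empty")]
    # Invisible characters (e.g. zero-width spaces from copy and paste) break matching
    bad = "non-printable or zero-width character in field"
    problems = [(n, bad) for n, r in rows if not all(f.isprintable() for f in r)]
    header = rows[0][1]
    if header[0] != "IP/prefix":
        problems.append((rows[0][0], "first column header must be IP/prefix"))
    seen = {}
    for n, row in rows[1:]:
        if len(row) != len(header):
            problems.append((n, f"expected {len(header)} fields, found {len(row)}"))
            continue
        rec = dict(zip(header, row))
        try:
            # strict=False: the page's own sample (5.5.5.10/24) has host bits set
            net = ipaddress.ip_network(row[0], strict=False)
        except ValueError:
            problems.append((n, f"invalid IP/prefix {row[0]!r}"))
            continue
        if net in seen:
            problems.append((n, f"{net} already defined on line {seen[net]}"))
        seen.setdefault(net, n)
        cc = rec.get("Country Code")
        # Assumption: country codes are two uppercase letters, as in the sample (US)
        if cc is not None and not (len(cc) == 2 and cc.isalpha() and cc.isupper()):
            problems.append((n, f"Country Code {cc!r} is not two uppercase letters"))
        asn = rec.get("AS Number")
        if asn is not None and not asn.isdigit():  # assumption: digits only (100)
            problems.append((n, f"AS Number {asn!r} is not numeric"))
    return problems
```

Calling lint_geo_db(SAMPLE) reports the invalid prefix on line 4, the two field errors on line 5, and on line 6 a prefix that duplicates line 3 once host bits are masked.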

User-Defined Mapping

Starting with Avi Vantage version 21.1.1, a grouping feature maps multiple Geo values to a single result. It can be used to group similar entities into a bucket and then reference that bucket in policies or DataScript.

Example

You can map all APAC countries to one group and match on “APAC mapping” in a security policy, or group embargoed countries, and so on.

[Image: user-defined]

The following is the CLI example for the Match option in an HTTP Security Policy:

[Image: http-security-policy-match-cli]

Overriding the Database

The geolocation data may be overwritten or augmented by creating a custom IP group.

For instance, create a new IP group called “Internal” and add 10.0.0.0/8 and 192.168.0.0/16. Alternatively, create a new IP group with Select by Country Code. In the example, the group is named North America and includes US, MX, and CA.

Note: A custom IP group will override only the geolocation database for the tenant in which the IP group was created.