Geolocation Database
Database
Avi Vantage includes a geolocation database for identifying the origin of clients. This is a fixed database based on the MaxMind IP-Country and IP-ASN data. The database is maintained on the Controllers and is updated when the Controllers are upgraded.
Usage
The geolocation data is used in many locations, including:
- Client logs
- Policies, such as white lists or black lists
- Client insights
- Security page DDoS attacks
- Tier 2 objects, such as cache, compression, or logging eligibility
Note: Client IP is subject to the option Use_True_Client_IP. The client IP may be the source IP from the layer-3 header or the IP fetched from a user-defined HTTP header. For more information, refer to True Client IP in L7 Security Features.
Starting with Avi Vantage version 21.1.1, the Geo DB is implemented as a set of files within System-GeoDB. You can use the geo DB in HTTP policies, network policies, and so on, for more granular control: for instance, matching on region or city rather than only on country.
The following file objects are located in /var/lib/avi/geo_db/admin:
File Object | Description | IP Version
---|---|---
System-LocationDB-File | Region, City, Latitude, Longitude | IPv4
System-CountryDB-File | Country, Continent Code, Name | IPv4
System_ISPDB-File | AS number, Name, ISP, Organisation Name | IPv4
System-LocationDB_v6-File | IPv6 counterpart of System-LocationDB-File | IPv6
System-CountryDB_v6-File | IPv6 counterpart of System-CountryDB-File | IPv6
System-ISPDB_v6-File | IPv6 counterpart of System_ISPDB-File | IPv6
In these geo DB files, each supported column header is defined as a value of GeoMappingAttribute, which can then be referenced in policies.
Example
The following is a snippet of System-CountryDB-File:
Country Code is defined as ATTRIBUTE_COUNTRY_CODE.
Similarly, ISP Name in System_ISPDB-File can be referenced as ATTRIBUTE_ISP_NAME, and so on. These can be used in policies as follows:
This is an example of an HTTP security policy.
For more details on HTTP security policy, refer to HTTP Security Policy guide.
Custom Geo DB Files
Along with the files listed above, custom Geo DB files are supported for private IP addresses or for any other use case. A custom Geo DB file is a semicolon-separated text file whose first row names the columns, and it must follow one of the formats shown below (header row followed by a sample data row):
- IP/prefix with the standard attribute columns plus custom columns:
  IP/prefix;ISP Name;Country Code;AS Number;Region Name;Custom 1;Custom 2
  10.120.145.150/32;MYISP;US;100;Bangalore;user1;IT
- IP/prefix with a single custom column:
  IP/prefix;Custom 1
  5.5.5.10/24;SomeData
- IP/prefix with many custom columns:
  IP/prefix;Custom 1;Custom 2;Custom 3;Custom 4;Custom 5;Custom 6;Custom 7;Custom 8;Custom 9
  10.120.145.150/32;Large;Number;Of;Custom;Columns;And;We;Support;It
Custom files can be uploaded to /var/lib/avi/other_files/<username> through the file object upload API using any HTTP client. The following is an example curl command (the trailing backslash continues the command onto the second line):
curl -k --user <username> --location 'https://<controller-IP>/api/fileobject/upload' \
  --header 'X-Avi-Version: 21.1.1' -F type=GEO_DB -F compressed=true -F 'file=@<path of the file>'
Notes:
- The argument -F type=GEO_DB specifies the file type and is a required (mandatory) field.
- If the file is compressed with gzip (and therefore has the extension .csv.gz), then the additional argument -F compressed=true is required. If the file is not compressed (e.g. extension .csv), the argument -F compressed=true must be omitted.
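To make the custom file format and the upload rules above concrete, here is an added example in Python (not Avi Vantage code) that validates a custom Geo DB file before it is uploaded: it checks that the first column is IP/prefix, that every row has as many fields as the header, and that every prefix parses; it then resolves a client IP to the most specific matching prefix, and derives the upload form fields (type=GEO_DB always, compressed=true only for .csv.gz). The sample file contents are constructed for this example; the function names are assumptions, not part of the product.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[Network, Dict[str, str]]

# Constructed sample in the first custom format: header row, then one row per prefix.
SAMPLE_FULL = """IP/prefix;ISP Name;Country Code;AS Number;Region Name;Custom 1;Custom 2
10.120.145.150/32;MYISP;US;100;Bangalore;user1;IT
10.0.0.0/8;CORPNET;US;100;Internal;;
"""

# Constructed sample in the single-custom-column format. The prefix has host bits
# set (5.5.5.10/24), exactly as in the format description, so parsing must be lenient.
SAMPLE_SINGLE = """IP/prefix;Custom 1
5.5.5.10/24;SomeData
"""


def parse_custom_geo_db(text: str) -> List[Entry]:
    """Parse a semicolon-separated custom Geo DB file into (network, attributes) pairs.

    Raises ValueError with the offending line number on any structural problem,
    so a malformed file is rejected here rather than producing wrong policy matches.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty file")
    header = lines[0].split(";")
    if header[0] != "IP/prefix":
        raise ValueError("first column must be IP/prefix")
    entries: List[Entry] = []
    for lineno, line in enumerate(lines[1:], start=2):
        fields = line.split(";")
        if len(fields) != len(header):
            raise ValueError(f"line {lineno}: expected {len(header)} fields, got {len(fields)}")
        try:
            # strict=False masks host bits, so 5.5.5.10/24 becomes 5.5.5.0/24.
            network = ipaddress.ip_network(fields[0], strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad prefix {fields[0]!r}: {exc}") from exc
        entries.append((network, dict(zip(header[1:], fields[1:]))))
    return entries


def check_custom_geo_db(text: str) -> Optional[str]:
    """Return None if the file is well-formed, otherwise the validation error message."""
    try:
        parse_custom_geo_db(text)
    except ValueError as exc:
        return str(exc)
    return None


def lookup(entries: List[Entry], client_ip: str) -> Optional[Dict[str, str]]:
    """Return the attributes of the most specific (longest) prefix containing client_ip."""
    addr = ipaddress.ip_address(client_ip)
    best: Optional[Entry] = None
    for network, attrs in entries:
        if addr.version != network.version or addr not in network:
            continue
        if best is None or network.prefixlen > best[0].prefixlen:
            best = (network, attrs)
    return best[1] if best else None


def upload_form_fields(filename: str) -> Dict[str, str]:
    """Multipart form fields for the fileobject upload call.

    type=GEO_DB is mandatory; compressed=true is added only for gzip-compressed
    (.csv.gz) files and must be absent for plain .csv files.
    """
    fields = {"type": "GEO_DB"}
    if filename.endswith(".csv.gz"):
        fields["compressed"] = "true"
    elif not filename.endswith(".csv"):
        raise ValueError("expected a .csv or .csv.gz file")
    return fields


if __name__ == "__main__":
    db = parse_custom_geo_db(SAMPLE_FULL)
    print(lookup(db, "10.120.145.150"))   # the /32 row, not the /8 row
    print(lookup(db, "10.5.5.5"))         # falls back to the /8 row
    print(check_custom_geo_db("IP/prefix;Custom 1\n10.0.0.0/8\n"))
    print(upload_form_fields("custom.csv.gz"))
```

The longest-prefix rule in lookup is what makes a /32 entry take precedence over a broader /8 entry for the same client, which is the property to rely on when a custom file carries both site-wide and host-specific rows.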
User-Defined Mapping
Starting with Avi Vantage version 21.1.1, a grouping feature that maps multiple Geo values to a single result is available. It can be used to group similar entities into a bucket and then reference that bucket in policies or DataScripts.
Example
For example, you can map all APAC countries and then match on "APAC mapping" in a security policy, or group embargoed countries, and so on.
The following is the CLI example for the Match option in an HTTP Security Policy:
Overriding the Database
The geolocation data may be overridden or augmented by creating a custom IP group.
For instance, create a new IP group called "Internal" and add 10.0.0.0/8 and 192.168.0.0/16. Alternatively, create a new IP group using Select by Country Code; in the example, the group is named North America and includes US, MX, and CA.
Note: A custom IP group overrides the geolocation database only for the tenant in which the IP group was created.