Block non-US and/or non-Canada clients from vServers

set locationParameter -matchWildcardtoany YES

add locationFile /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4 -format netscaler

add audit messageaction Non_US_Drop WARNING "CLIENT.IP.SRC + \" was dropped because they are not in the US.  They are listed as \" + CLIENT.IP.SRC.LOCATION" -logtoNewnslog YES

add audit messageaction Non_US_Canada_Drop WARNING "CLIENT.IP.SRC + \" was dropped because they are not in US or Canada.  They are listed as \" + CLIENT.IP.SRC.LOCATION" -logtoNewnslog YES

add responder policy Drop_Non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT" DROP -logAction Non_US_Drop

add responder policy Drop_Non_US_and_Canada "(CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.CA.*.*.*.*\").NOT)" DROP -logAction Non_US_Canada_Drop

Paste the commands above into an SSH session on the ADC command line. Then enable the Responder feature if it is not already enabled, bind one of the two policies (not both, since Drop_Non_US would also drop Canadian clients) to the vServer you want to restrict, and test. Keep in mind that CLIENT.IP.SRC is the address of the TCP connection that reaches the ADC, so if a proxy or CDN sits in front of the vServer the policy will evaluate the proxy's location, not the end user's.
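The enable, bind and verification steps as one complete CLI sequence, added here as an example and not part of the original post. The vServer name lb_vs_web is a placeholder; everything else refers to the objects created by the commands above.

```nscli
# Added example (not the original author's config). lb_vs_web is a hypothetical
# load-balancing vServer name; replace it with your own.

# 1. Responder policies are only evaluated when the feature is enabled
enable ns feature Responder

# 2. Confirm the wildcard setting and the location database actually loaded;
#    a missing or unloaded database makes MATCHES_LOCATION fail for everyone
show locationParameter
show locationFile

# 3. Bind ONE of the two policies. Drop_Non_US already drops Canadian clients,
#    so binding both makes the US-and-Canada policy meaningless.
#    gotoPriorityExpression END stops further responder evaluation on a hit.
bind lb vserver lb_vs_web -policyName Drop_Non_US_and_Canada -priority 100 -gotoPriorityExpression END -type REQUEST

# 4. Check the binding, then send test traffic from a non-US/CA exit address
show lb vserver lb_vs_web

# 5. The policy hit counter tells you whether the drop is firing, and the
#    audit message action records who was dropped (visible in /var/log/ns.log
#    when local syslog logging is in effect, which is an assumption here)
show responder policy Drop_Non_US_and_Canada
show audit messageaction Non_US_Canada_Drop
shell tail -n 20 /var/log/ns.log

# 6. Persist the configuration across reboots
save ns config
```

Two caveats: the built-in database loaded above is the IPv4 file, so IPv6 client addresses are not covered by these policies, and a DROP action discards the request silently, so from the tester's side a blocked request looks like a hang rather than an error page. If you want the blocked user to see something, use a RESPOND WITH action instead of DROP.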

I recommend that engineers keep a private VPN account so they can route their traffic through various countries specifically to test features such as this.

If every request is being dropped, including requests from the allowed countries, make sure the * is configured as a wildcard. That is what the set locationParameter -matchWildcardtoany YES line above does, and the Citrix article below explains why it is required on 11.1 build 53.11 and later.

https://support.citrix.com/article/CTX232884/policies-with-gslb-wildcard-location-expressions-not-getting-a-hit-on-build-1115311-and-above
