Geo-location map only shows US as the source of all security violations despite there being client IP addresses from other countries.


Travis Widener 2

Question

I had originally posted this in Citrix Application Delivery Management but did not get any responses so I'm reposting here.

Our Citrix ADM Security geo-location map only shows US as the source of all security violations despite there being client IP addresses from other countries, and the Location will be blank. I think this might be because the WAF geo-map is using the IP of the proxy servers in front of the ADC instead of the real client IP. I have enabled “HTTP X-Forwarded-For” under Analytics Configuration, which fixed the Web Insight geo-map; however, the Security Insight geo-map is still not functioning. How do I go about correcting this?

(screenshot)

(screenshot)

Citrix ADM Analytics settings

Citrix ADM Web Insight works correctly.

(screenshot)


ADM version 13.1 4.43

ADC version 13.0 52.24

ADC Static DB /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4

3 answers to this question

1 hour ago, Travis Widener 2 said:

What I find strange is that ADM Web Insight geo location works fine, however the Security Insight geo location does not. Do they use different geo location databases? Maybe Web Insight uses a database on the ADM and Security Insight uses one on the ADC?

First, my understanding is that they are not supposed to, BUT...

1) Security Insight is an ADM feature and I'm not sure why it would be handling this incorrectly unless the ADC was recording the wrong source IPs.

2) It might genuinely be a bug, and you would need to contact support since no one else on the forums has been able to give you an answer either. Security Insight might have slipped through the cracks, and so support might be needed to suss out what is going on between these two systems if everything else is correct.

I originally didn't respond because I thought the issue was purely an ADM reporting issue. Then when I looked back I realized there might be an issue on the ADC side too, which seems not to be the case if you think the ADC geo list is correct.

 

1 hour ago, Travis Widener 2 said:

Is there a way to get a more up-to-date geo location database?

https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-advanced-settings/retrieve-location-details-using-ip-address-from-geolocation-database.html

For ADC, the built-in geo location is supposed to be "current" enough after an appliance upgrade.

Custom maps, or more specific maps from other sources, can be imported on the ADC.

Example of converting MaxMind GeoLite2 to Citrix format here: https://docs.citrix.com/en-us/citrix-adc/current-release/global-server-load-balancing/configuring-static-proximity/add-a-location-file-create-static-proximity-db.html#script-to-convert-maxmind-geolite2-database-format-to-citrix-adc-database-format

I'm only finding MAS-related articles and not ADM-specific ones, so I think support may be the best follow up.
Sorry for a delayed response.

 

First, I would verify the AppFw feature on the ADC is grabbing the correct IP address for violation logging (which might be affecting the ADM Security Insight logging):

On your ADC, can you look at your syslog or appfw logs (if segregated out) for what it is reporting as the "source ip"?

Verify in the AppFw Global Engine Settings that you have logging in CEF format enabled along with Geo IP logging.

https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/logs.html#common-event-format-cef-logs

And if traffic is coming through proxies, configure the Logging Header name (x-forwarded-for, etc.) under the AppFw global engine settings:

https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/configuring-global-settings/engine-settings.html

If the ADC geo logging is correct, and the ADM Security Insight is still not logging, then the issue is likely on the ADM and you might need a tech support case.

If the ADC logs are incorrect, then the issue may be on the ADC first.

19 hours ago, Rhonda Rowland1709152125 said:

Sorry for a delayed response.

First, I would verify the AppFw feature on the ADC is grabbing the correct IP address for violation logging (which might be affecting the ADM Security Insight logging):

On your ADC, can you look at your syslog or appfw logs (if segregated out) for what it is reporting as the "source ip"?

Verify in the AppFw Global Engine Settings that you have logging in CEF format enabled along with Geo IP logging.

https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/logs.html#common-event-format-cef-logs

And if traffic is coming through proxies, configure the Logging Header name (x-forwarded-for, etc.) under the AppFw global engine settings:

https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/configuring-global-settings/engine-settings.html

If the ADC geo logging is correct, and the ADM Security Insight is still not logging, then the issue is likely on the ADM and you might need a tech support case.

If the ADC logs are incorrect, then the issue may be on the ADC first.

Thanks for replying.

I have verified the ADC syslog does show the correct source IP (the client IP and not the proxy IP), that both CEF Logging and Geo-Location are enabled, and that the Logging Header Name is set to X-Forwarded-For.

What I find strange is that ADM Web Insight geo location works fine, however the Security Insight geo location does not. Do they use different geo location databases? Maybe Web Insight uses a database on the ADM and Security Insight uses one on the ADC?

I also notice that the ADC geo location database is a bit off. I'm using the built-in Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4 one. If I SSH into the ADC and type the following from the shell:

root@VPX-ADC01# nsmap -d -t 79.124.8.3
79.124.8.3 79.124.8.0-79.124.8.255 "Europe"."GB"."England"."*"."London"."*" 0 east  52 north

If I query that same IP address via ip-api.com or whatsmyip.org, the IP location is in the Netherlands.

PS C:\> Invoke-RestMethod -Method Get -Uri "http://ip-api.com/json/79.124.8.3"

status      : success
country     : Netherlands
countryCode : NL
region      : FL
regionName  : Flevoland
city        : Lelystad
zip         : 8243
lat         : 52.5067
lon         : 5.4422
timezone    : Europe/Amsterdam
isp         : Maximilian Kutzner trading as HostSlick
org         : Makut Investments
as          : AS208046 HostSlick Germany
query       : 79.124.8.3

Is there a way to get a more up-to-date geo location database?
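The two checks discussed in this thread, whether the AppFw CEF records carry the real client address rather than the proxy's once a client IP logging header is configured, and whether the location database actually covers that address, can be scripted offline against exported log lines. The Python below is an added example written for this thread; it is not Citrix code and not code from either poster. It assumes CEF records of the shape shown in the Citrix docs (seven `|`-separated header fields, then space-separated `key=value` pairs with the client address in `src`), and it uses a constructed location table with the same fields as the nsmap output above (start IP, end IP, continent, country, region, city). The sample log lines, the table entries and the proxy address 10.20.30.40 are made up for the demonstration.

```python
"""Audit Citrix AppFw CEF violation records for the source address a geo
map would plot.  Added example for this thread; not Citrix code.

Assumptions (not taken from the thread):
  * each record is a CEF line: seven '|'-separated header fields, then an
    extension of space-separated key=value pairs with the client address
    in `src`;
  * the location table has the same fields as the nsmap output in the
    thread: start IP, end IP, continent, country, region, city.
"""
import ipaddress
import re
from collections import Counter

# Constructed location table (illustrative values, not a real GeoIP export).
LOCATION_DB = [
    ("79.124.8.0", "79.124.8.255", "Europe", "GB", "England", "London"),
    ("203.0.113.0", "203.0.113.255", "Asia", "JP", "Tokyo", "Tokyo"),
    ("198.51.100.0", "198.51.100.255", "North America", "US", "Virginia", "Ashburn"),
]


def _build_ranges(db):
    """Convert dotted-quad bounds to integers so a lookup is a plain comparison."""
    ranges = []
    for start, end, continent, country, region, city in db:
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end))
        ranges.append((lo, hi, {"continent": continent, "country": country,
                                "region": region, "city": city}))
    return sorted(ranges)


RANGES = _build_ranges(LOCATION_DB)


def lookup(ip):
    """Return the location record covering ip, or None when no range matches
    (the case where a geo map shows a blank Location)."""
    n = int(ipaddress.IPv4Address(ip))
    for lo, hi, rec in RANGES:
        if lo <= n <= hi:
            return rec
    return None


# A value runs until the next " key=" or end of line, so '=' characters
# inside a request URL do not split the field.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

_HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity"]


def parse_cef(line):
    """Split a CEF record into its seven header fields and an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line.split("|", 7)          # header is exactly seven '|'-delimited fields
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(_HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    ext = {k: v.strip() for k, v in _EXT_RE.findall(parts[7])}
    return header, ext


def audit(lines, proxy_ips):
    """Resolve the logged source of every violation.

    Returns (countries, findings): countries counts what a geo map would
    plot; findings lists records whose logged source is a known proxy
    address (the client IP header was not applied, so every hit would map
    to the proxy's location), is missing, or has no entry in the table."""
    countries = Counter()
    findings = []
    for line in lines:
        _header, ext = parse_cef(line)
        src = ext.get("src")
        if src is None:
            findings.append((None, "record has no src field"))
            continue
        if src in proxy_ips:
            findings.append((src, "logged source is a proxy address; client IP header not applied"))
            continue
        rec = lookup(src)
        if rec is None:
            findings.append((src, "no entry in location table; map would show a blank location"))
            continue
        countries[rec["country"]] += 1
    return countries, findings


# Constructed records in the AppFw CEF layout; addresses, host and URLs are made up.
SAMPLE_LOGS = [
    "CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_STARTURL|6|src=79.124.8.3 spt=51234 method=GET request=http://app.example.test/login?x=1 msg=Disallow Illegal URL. cn1=1 cn2=2",
    "CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_SQL|6|src=203.0.113.7 spt=40001 method=POST request=http://app.example.test/search?q=1%27 msg=SQL Keyword check failed cn1=3 cn2=4",
    "CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_STARTURL|6|src=10.20.30.40 spt=44200 method=GET request=http://app.example.test/admin msg=Disallow Illegal URL. cn1=5 cn2=6",
]

PROXY_IPS = {"10.20.30.40"}   # constructed address of the proxy in front of the ADC

if __name__ == "__main__":
    counts, issues = audit(SAMPLE_LOGS, PROXY_IPS)
    print("countries plotted:", dict(counts))
    for src, why in issues:
        print(f"{src}: {why}")
```

Run against a real export, a result where nearly every record lands in the proxy finding means the logging header is not taking effect on the ADC (the thread's first check); records that parse cleanly but return no table entry point at database coverage rather than at the header (the thread's second observation), and the two cases call for different fixes.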