Geolocation, which identifies the geographic location from which
requests originate, can help you configure the application firewall for the
optimal level of security. To bypass security implementations such as rate
limiting, which rely on the IP addresses of the clients, malware or rogue
computers can keep changing the source IP address in requests. Identifying the
specific region from where requests are coming can help determine whether the
requests are from a valid user or a device attempting to launch cyberattacks.
For example, if an excessively large number of requests are received from a
specific area, it is easy to determine whether they are being sent by users or
a rogue machine. Geolocation analysis of the received traffic can be very
useful in deflecting attacks such as denial of service (DoS) attacks.

The application firewall offers you the convenience of using the
built-in NetScaler database for identifying the locations corresponding to the
IP addresses from which malicious requests are originating. You can then
enforce a higher level of security for requests from those locations. Citrix
default syntax (PI) expressions give you the flexibility to configure
location-based policies that can be used in conjunction with the built-in location
database to customize firewall protection, bolstering your defense against
coordinated attacks launched from rogue clients in a specific region.

You can use the NetScaler built-in database, or you can use any
other database. If the database does not have any location information for the
particular client IP address, the CEF log shows the geolocation as Unknown.

Note: Geolocation logging uses the Common Event Format (CEF).
By default, CEF logging and GeoLocationLogging are OFF. You must explicitly
enable both parameters.

Example of a CEF log message showing geolocation information:
June 8 00:21:09 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|
spt=18655 method=GET request=http://aaron.stratum8.net/FFC/login.html
msg=Disallow Illegal URL. cn1=77 cn2=1547 cs1=test_pr_adv cs2=PPE1
cs3=KDynjg1pbFtfhC/nt0rBU1o/Tyg0001 cs4=ALERT cs5=2015 act=not blocked

Example of a log message showing geolocation=Unknown:
June 9 23:50:53 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|
APPFW|APPFW_STARTURL|6|src=10.217.30.251 geolocation=Unknown spt=5086
method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL.
cn1=74 cn2=1576 cs1=test_pr_adv cs2=PPE2 cs3=PyR0eOEM4gf6GJiTyauiHByL88E0002
cs4=ALERT cs5=2015 act=not blocked
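
The following added example (not part of the Citrix documentation) parses CEF lines of the shape shown above and counts logged violations per geolocation value, keeping geolocation=Unknown separate from records that carry no geolocation key because GeoLocationLogging is OFF. The sample lines, their source IP addresses and location strings are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the page's CEF examples; the source IPs
# (documentation ranges), geolocation strings and ports are made up.
HDR = "June 9 23:50:53 <local0.info> 10.217.31.98 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|"
TAIL = " method=GET request=http://example.test/login.html?next=/a msg=Disallow Illegal URL. cs4=ALERT act=not blocked"
SAMPLE = [
    HDR + "src=192.0.2.10 geolocation=Region1.CountryA spt=5086" + TAIL,
    HDR + "src=192.0.2.11 geolocation=Region1.CountryA spt=5087" + TAIL,
    HDR + "src=192.0.2.12 geolocation=Region1.CountryA spt=5088" + TAIL,
    HDR + "src=198.51.100.7 geolocation=Unknown spt=5089" + TAIL,
    HDR + "src=203.0.113.5 spt=5090" + TAIL,  # GeoLocationLogging OFF: no key
    "June 9 23:50:54 <local0.info> 10.217.31.98 not a CEF record",
]

# key=value pairs; a value runs until the next " key=" or end of line, so
# values containing spaces ("msg=Disallow Illegal URL.") stay intact.
PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def parse_cef(line):
    """Return the extension fields of one CEF line, or None if malformed."""
    _, sep, cef = line.partition("CEF:")
    parts = cef.split("|", 7)  # 7 header fields + extension
    if not sep or len(parts) != 8:
        return None
    fields = dict(PAIR.findall(parts[7]))
    fields["name"] = parts[5]  # violation name, e.g. APPFW_STARTURL
    return fields

def geo_counts(lines):
    """Count violations per geolocation; '<absent>' means the key was not logged."""
    counts = Counter()
    for line in lines:
        rec = parse_cef(line)
        if rec is not None:
            counts[rec.get("geolocation", "<absent>")] += 1
    return counts

def hot_locations(lines, threshold):
    """Resolved locations with at least `threshold` logged violations."""
    return sorted(loc for loc, n in geo_counts(lines).items()
                  if n >= threshold and loc not in ("Unknown", "<absent>"))

if __name__ == "__main__":
    print(geo_counts(SAMPLE))
    print(hot_locations(SAMPLE, threshold=3))
```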