I do, in fact, log Geolocation and import it as a custom field in Web Reporter.
Sites that get blocked put the country name on the block page like this:
The logs look like this:
And Web Reporter can generate output like the attached PDF to this message.
Any chance you could put the templates and the rules that you are using for geolocation blocking and collecting that information in the logs. I have gotten it to block based on geolocation but right now only the two digit country code is listed and not the full name. Also, the location of geolocation country code to full name list would be helpful. I had it saved but screwed up and deleted the link.
Good stuff! With regards to your report, is that bytes sent? So geolocation info will only show up if you use real time GTI lookups, and not the local DB?
Attached are rules and pages.
The rules do a CloudOnly lookup and assign the results to a variable:
Enabled Rule Action Events Enabled Block sites in GeoBlacklist
1: URL.Geolocation<CloudOnly> is in list GeoLocationCodes
2: AND List.OfString.IsEmpty(GeoLocationNames) equals false
Continue Set User-Defined.Geolocation = URL.Geolocation<CloudOnly>
The condition "List.OfString.IsEmpty(GeoLocationNames) equals false" is used strictly for attaching the list of full country names to the ruleset for export/import and does not do anything by itself.
I have a list of countries I want to ban, and they will block if there is a match:
Enabled Block sites in GeoBlacklist
1: User-Defined.Geolocation is in list GeoBlacklist
I also included reputation checking in this rule set because we already are doing the lookup, so why not. It is optional.
Enabled Block Bad Reputation Sites
1: URL.ReputationString<CloudOnly> equals "High Risk"
2: OR URL.IsHighRisk<CloudOnly> equals true
The real meat is on the block page. It may not import exactly, but there are a list of images with the flags, each with it's country symbol. (US.gif, GB.gif, CA.gif, etc) Import those to the img/ folder.
Then, the HTML on the block page itself may or may not work as imported. You may have to adjust the references to the properties.
There is a section that displays the flag, you may have to adjust:
<img src='$Proxy.EndUserURL$/files/default/img/button_$String.ReplaceAll(URL.ReputationString<MostRecent >," ","")$.gif' />
When you add that property, make sure the Most Recently Used Settings is checked for URL.Reputation.
Then you want to display the full country name, you have to use:
Basically, it takes the 2-digit country and uses it as an index in the CountryNames list to get the full country name.
(I did not attach the logging rules. You must enter them yourself.)
And finally in the logs, I have a field in my access.log that appends the full country name to the Geolocation variable:
Enabled Lookup Geolocation
1: User-Defined.Geolocation does not equal "Unknown"
Continue Set User-Defined.Geolocation =
Set User-Defined.Geolocation = String.ReplaceIfEquals(User-Defined.Geolocation,"-Unknown","Unknown")
And print the Geolocation in the access log:
" "" +
"" " +
Web Reporter does Bytes from Server by default I think.
Geolocation only shows up with a CloudOnly lookup. We don't download and maintain the IP list for countries on box.
In practice, I might craft the overall rules to do a local lookup against categories that I want to block, then for uncategorized sites do the CloudLookup with Geolocation. That means You won't get countries in the logs for things in the local database, but will for the sites that are not local.
Does that make sense?
Still having problems in displaying the full country name in the block page. It is coming up as Geolocation: (two_letter_country_code) flag.img. I am missing something in somewhere.
When you view the source of the block page, the flag image should be substituted as:
You said ".img" nor ".gif" in your post.
is it possible to match the Connection.IP with the Geolocation Data. Eg. in a reverse proxy environment to block access from specific countries?