WAF Geo Restriction - False Positive IP Block



My organization recently obtained our own block of public IP addresses from ARIN. We are currently using one of these IPs as our outbound IP for all internet traffic.

We are seeing an increase in "403 Forbidden" errors for certain websites hosted on AWS. The responding server header for these errors is "awselb/2.0"

One software vendor we worked with said they had to manually add an exception for our IP address. That specific vendor said their AWS WAF was configured to only allow connections from certain countries (one of the countries being the US, where we are located).

I have verified that our geoIP information is accurate in Maxmind as well as other major providers. Also, our IP block is not listed in any major spam lists.

So my question is, why is AWS not seeing our IP as being in the US? Do they use a separate geoIP database, or are they just slow to refresh their database with other geoIP providers?

Unfortunately, my organization is not currently an AWS customer, so we have no access to AWS support. This forum is our only resort. Any help you can provide would be very much appreciated.


2 Answers


It would be helpful for the software vendor to check the AWS WAF logs to see where the service indicates that the traffic is coming from. Without additional information, there are a few possibilities: The WAF FAQ indicates that the accuracy of the GeoIP database varies by region and has an overall accuracy of 99.8% [1]. While unlikely, it is possible that the GeoIP database is simply incorrect. There is an internal issue with the WAF service. The routing of your on-premises configuration causes the IP address to appear to originate outside the US. This could be caused by using a proxy service, for instance. For more information about how WAF performs geo matching, please see [2]. Moreover. It would be the best if you could open a case using AWS support so that we can have a look at the configuration and examine the error logs.

[1] https://aws.amazon.com/waf/faqs/

[2] https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html

answered a year ago

Hello, do you know exactly why the blockage? normally the AWS policies within their preconfigured rules in AWSManagedRules are the ones that block such as "IPreputationList" or "AnonymousIpList", they have to open a ticket with AWS support, and explain the problem in detail I suggest you do labs with WAF and raising a page with CloudFront to find the exact problem, both with free trials).



If the problem is with other Rules delivered by external services, normally the rule delivered by GeoGuard blocked some IP range, if this is the case it is a simple process by emailing GeoGuard support and they will enter your prefix to a whit3list. They will I will leave the options to contact them:

ipintelligence@geoguard.com or https://geocomply.my.site.com/Portal/s/contactsupport

profile picture
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions