Many organizations receive production traffic from specific countries, specific business partners or specific network blocks. Yet attack traffic may originate from different regions worldwide, from hosting providers, residential proxy networks or abused ASNs. Making decisions based solely on the IP address or a simple blocklist ignores this context entirely.
Country-based access control can be critical especially for government, financial, healthcare and locally-scoped applications. If a service is designed for users in specific countries only, leaving it open to the entire world creates unnecessary attack surface. But tying that control to an external GeoIP service introduces both latency and a dependency on that service's availability and data.
ASN information is equally important. Traffic from residential users does not carry the same risk as traffic from large hosting networks, automation infrastructure or abused providers, even when both originate in the same country. Geographic filtering alone narrows the attack surface, but the picture of the source type remains incomplete without ASN context.
In multi-tenant and namespace-segmented deployments the problem compounds. Tenants do not necessarily share the same country policy; one tenant may want access only from Turkey while another permits Europe and specific partner networks. This requires country sets to be prepared separately per namespace, with unnecessary sets never loaded.
TR7 Geo/ASN Access Control resolves this by using local GeoIP database files, namespace-based country ipset synchronization, IPv4/IPv6 sets, L7 GeoIP visibility and WAAP log enrichment to turn an IP address into actionable access-decision context.
TR7 manages GeoIP and ASN decisions without dependency on external query services, using local databases and layered policy enforcement.
GeoLite2 Country, City and ASN databases are stored on TR7 under `/geoDB`. Country, city and ASN lookups happen on the device; no external internet service is required at decision time.
Country-based firewall rules are applied through IPv4 and IPv6 ipset structures. Specific country sets are prepared per namespace; traffic can be tied to a drop, reject or log decision at the earliest traffic layer.
Different vServices on the same platform can operate with different country and ASN risk policies. Country whitelist, blacklist, CAPTCHA, rate-limiting and WAAP log enrichment can be combined based on each service's requirements.
Rather than blindly loading all country sets into every namespace, TR7 prepares only the countries referenced by active rules. This reduces RAM usage, preparation time and unnecessary ipset overhead.
Geo/ASN Access Control combines local lookup, ipset-based country policy, caching, namespace isolation and WAAP visibility in a single integrated layer.
TR7 can produce a two-letter ISO 3166-1 country code, a geoname_id and continent information for a client IP address. This data is usable both in L3/L4 access decisions and in L7 log enrichment. For example, only traffic from specific countries can be allowed, or stricter policies can be applied for high-risk country groups. Because the lookup runs against a local MMDB file, there is no external service dependency.
The City database adds a city name and geoname_id context to an IP address. City information is most valuable on the analysis, reporting and incident-investigation side rather than in direct firewall decisions. WAAP events can show the country and city distribution of an attack in a more meaningful way. This context helps security teams understand the geographic profile of an attack wave more quickly.
The ASN lookup returns the autonomous system number, organization name and network CIDR for an IP address. This data helps determine whether traffic originates from a residential network, a hosting provider or an enterprise network. ASN information can be used for risk analysis inside WAAP logs and live monitoring dashboards.
RFC 1918, loopback and local addresses can be automatically placed in a private category. TR7 can report such sources with a local label such as `XX`; unmatched or unknown addresses can be shown with a `--` label. This separation prevents internal network traffic from mixing with real external source traffic. Audit reports show unknown, local and actual country codes as clearly distinct values.
Smart per-namespace sync builds only the country sets referenced by the relevant firewall rules for each namespace. For example, if a tenant uses rules only for TR, DE and US, only those sets are prepared. This approach eliminates the need to load data for 250+ countries into every namespace. In multi-tenant deployments, memory consumption, preparation time and operational complexity all decrease.
For each country, IPv4 and IPv6 sets are treated as separate but coordinated structures. This prevents the error of controlling only IPv4 traffic while leaving the IPv6 path open. When a country rule is defined, the relevant v4 and v6 scope is considered together. In modern dual-stack networks this distinction is critical for complete access control.
TR7 can use a cache profile with a 10,000-key capacity and a 600-second TTL for frequently seen IP addresses. Hot IPs are served without going back to the MMDB lookup on every request. This is especially useful in reducing latency for high-volume traffic from the same customer networks. Because the cache runs locally, no external query fees or internet access are needed.
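The lookup path described above (a prefix-length-aware country lookup, the `XX` label for RFC 1918/loopback/link-local sources, `--` for unmatched addresses, and a bounded TTL cache in front of the database) is illustrated by the following added example. It is not TR7 code: the country prefix table is a constructed stand-in for a local MMDB file, the private-range list is an assumption based on the categories the text names, and the `TTLCache`/`GeoResolver` names, the 10,000-key capacity and 600-second TTL defaults follow the figures in the text rather than any TR7 interface.

```python
import ipaddress
import time
from collections import OrderedDict

# Constructed stand-in for a local country MMDB: (network, ISO 3166-1 code).
# Documentation ranges only; a real deployment reads the GeoLite2 file instead.
COUNTRY_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "TR"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.128/25"), "US"),  # more specific than the DE /24
    (ipaddress.ip_network("2001:db8::/32"), "TR"),
]

# Assumed "private" category: RFC 1918, loopback and link-local for v4 and v6.
PRIVATE_PREFIXES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _longest_match(ip, table):
    """Return the (network, value) pair with the longest prefix containing ip, or None."""
    best = None
    for net, value in table:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, value)
    return best


def lookup_country(ip_str):
    """Prefix-length-aware lookup: returns (country_code, matched_prefix_length).
    Private sources are labelled 'XX'; addresses in no block are labelled '--'."""
    ip = ipaddress.ip_address(ip_str)
    private = _longest_match(ip, [(n, "XX") for n in PRIVATE_PREFIXES])
    if private is not None:
        return "XX", private[0].prefixlen
    hit = _longest_match(ip, COUNTRY_PREFIXES)
    if hit is None:
        return "--", 0
    return hit[1], hit[0].prefixlen


class TTLCache:
    """Bounded LRU cache with per-entry expiry; defaults mirror the 10,000-key / 600 s profile."""

    def __init__(self, capacity=10_000, ttl=600, clock=time.monotonic):
        self.capacity, self.ttl, self.clock = capacity, ttl, clock
        self._data = OrderedDict()  # key -> (value, expires_at)
        self.hits = self.misses = 0

    def get(self, key):
        entry = self._data.get(key)
        if entry is not None and entry[1] > self.clock():
            self._data.move_to_end(key)  # refresh LRU position on a hit
            self.hits += 1
            return entry[0]
        if entry is not None:
            del self._data[key]  # expired entry: evict and fall through to a miss
        self.misses += 1
        return None

    def put(self, key, value):
        self._data[key] = (value, self.clock() + self.ttl)
        self._data.move_to_end(key)
        while len(self._data) > self.capacity:
            self._data.popitem(last=False)  # drop least recently used


class GeoResolver:
    """Serves hot IPs from the cache and only falls back to the database lookup on a miss."""

    def __init__(self, cache=None):
        self.cache = cache if cache is not None else TTLCache()
        self.db_lookups = 0

    def resolve(self, ip_str):
        cached = self.cache.get(ip_str)
        if cached is not None:
            return cached
        self.db_lookups += 1
        result = lookup_country(ip_str)
        self.cache.put(ip_str, result)
        return result


if __name__ == "__main__":
    resolver = GeoResolver()
    for addr in ("10.1.2.3", "198.51.100.200", "198.51.100.5", "2001:db8::1", "192.0.2.1", "10.1.2.3"):
        print(addr, resolver.resolve(addr))
    print("database lookups:", resolver.db_lookups, "cache hits:", resolver.cache.hits)
```

The clock is injected so the expiry behaviour can be exercised deterministically; in production `time.monotonic` is the right choice because wall-clock adjustments must not extend or shorten an entry's lifetime. The `XX` result carries the prefix length of the matched private block, so audit output can still show which private range a local source fell into.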
GeoIP lookup is not limited to firewall drop decisions; country and city information can also be appended to WAAP event logs. Attack-country aggregation, event trends and SIEM reports all draw from this enrichment. Security teams can more easily see which countries are the source of which attack types. This visibility supports evidence-based policy tuning.
Country ipset data can be parsed and prepared from local files such as `/geoDB/countries.ipset`. Reputation or blacklist sets can also be managed via a separate file path. This design allows access control to function even in environments with restricted or no internet access. Update cycles can be planned around the organization's own maintenance windows.
In cluster deployments, ipsets and related GeoIP data must be transferred to the passive node. TR7 supports an operational model in which country sets and changes are synchronized to the passive side. When failover occurs, the newly active node continues serving traffic under the same country policy. GeoIP access control therefore does not depend on single-node behavior.
Geo/ASN access control is operated alongside the GeoIP reader model, cache profile, ipset file management, background restore, required-set extraction and force-mode updates.
TR7 uses GeoIP MMDB readers with prefix-length support for country, city and ASN lookups. The prefix-length-aware lookup determines which network block an IP address belongs to. The model works for both IPv4 and IPv6 addresses.
The cache profile can operate with a 10,000-key capacity, a 600-second standard TTL and a 120-second check period. Unnecessary object cloning overhead is eliminated. This configuration delivers fast responses under heavy, repetitive IP lookup loads.
Country sets can be managed from `/geoDB/countries.ipset`, while blacklist sets are managed from a separate blacklist file. Because both files are local, no off-device query is required. Update and rollback operations are planned through file management and the restore process.
The ipset fill process runs in the background so the UI flow is not unnecessarily blocked. Batch processing prepares sets in a controlled manner. For large country sets this approach makes the management experience noticeably smoother.
Firewall rules and the namespace security map are inspected to determine which country sets are needed per namespace. Smart sync operates against this derived list. As a result, unused country sets are never loaded into the relevant namespace.
When force mode is enabled, the parse and push operation runs again without consulting the cache. This mode is useful when a GeoIP data update, a rule change or suspected set inconsistency requires an immediate refresh. Under normal operation, cache and smart sync are preferred to avoid unnecessary reloads.
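The required-set extraction, the paired v4/v6 sets per country and the difference between a normal smart sync and a force-mode rebuild are shown together in the following added example. It is not TR7 code and not TR7's rule schema: the rule and namespace-map records, the `geo_<CC>_v4` / `geo_<CC>_v6` set names and the `plan_sync` function are constructed here to illustrate the logic the text describes.

```python
# Constructed firewall rule inventory; the field names are an assumption, not TR7's format.
FIREWALL_RULES = [
    {"namespace": "tenant-a", "action": "accept", "countries": ["TR"]},
    {"namespace": "tenant-a", "action": "drop", "countries": ["DE"]},
    {"namespace": "tenant-b", "action": "accept", "countries": ["TR", "DE", "US"]},
    {"namespace": "tenant-b", "action": "log", "countries": []},
    {"namespace": "tenant-c", "action": "accept", "countries": ["FR"]},
]

# Constructed namespace security map: only enabled namespaces get sets prepared.
NAMESPACE_MAP = {
    "tenant-a": {"enabled": True},
    "tenant-b": {"enabled": True},
    "tenant-c": {"enabled": False},
}


def required_sets(rules, ns_map):
    """Derive, per enabled namespace, the sorted list of country codes any rule references."""
    needed = {}
    for rule in rules:
        ns = rule["namespace"]
        if not ns_map.get(ns, {}).get("enabled", False):
            continue  # namespace not active in the security map: load nothing for it
        needed.setdefault(ns, set()).update(rule.get("countries", []))
    return {ns: sorted(codes) for ns, codes in needed.items()}


def ipset_names(country):
    """IPv4 and IPv6 sets for one country are always handled as a pair (assumed naming)."""
    return (f"geo_{country}_v4", f"geo_{country}_v6")


def plan_sync(required, loaded, force=False):
    """Compute create/remove actions per namespace.

    Normal mode creates only sets that are missing and removes sets no rule needs.
    Force mode re-creates every required set regardless of what is already loaded."""
    plan = {}
    for ns, countries in required.items():
        wanted = {name for cc in countries for name in ipset_names(cc)}
        present = set(loaded.get(ns, ()))
        plan[ns] = {
            "create": sorted(wanted if force else wanted - present),
            "remove": sorted(present - wanted),
        }
    return plan


def sets_saved(required, total_countries=250):
    """How many v4+v6 sets smart sync avoids loading versus preparing every country everywhere."""
    full = len(required) * total_countries * 2
    used = sum(len(codes) * 2 for codes in required.values())
    return full - used


if __name__ == "__main__":
    required = required_sets(FIREWALL_RULES, NAMESPACE_MAP)
    # Constructed snapshot of what is currently loaded in each namespace.
    loaded = {"tenant-a": ["geo_TR_v4", "geo_TR_v6", "geo_FR_v4", "geo_FR_v6"]}
    print("required:", required)
    print("smart sync:", plan_sync(required, loaded))
    print("force mode:", plan_sync(required, loaded, force=True))
    print("sets avoided:", sets_saved(required))
```

The removal step matters as much as the creation step: a set left behind after a rule is deleted still consumes memory and, if a stale rule references it, can keep enforcing a policy nobody expects. Force mode is deliberately the only path that re-creates sets already present, which is why normal operation should prefer the diff.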
A bank may want to allow only traffic from Turkey and specific European countries. TR7 ties the remaining countries to an early-layer drop or reject decision using country ipsets. Softer fallback policies can be added for customers who need roaming or exception handling.
A public portal can be configured to accept connections only from Turkey and local networks. The `XX` label separates local/private sources; real external country traffic is blocked via country sets. Audit trails can show which country traffic was dropped.
A SaaS application can monitor the ASN of traffic hitting a login endpoint inside WAAP logs. Unusual login attempts from hosting networks can be evaluated alongside CAPTCHA, rate-limiting or custom WAAP policies. ASN visibility provides richer risk context than country-only decisions.
When a traffic spike concentrates in specific countries, TR7 can switch to temporary drop, reject or stricter rate-limiting policies for those countries. Because country sets are already prepared, the decision is applied at the earliest traffic layer. Operations teams can monitor the attack wave alongside its source-country distribution.
Fully auditable access control backed by local GeoIP databases, namespace-based ipset sync and WAAP log enrichment. We can walk through a live setup in your own environment.