Control configuration of access via Geo-IP on the UTM

Last adaptation to the version: 14.0.1 (01.2025)

New: This article refers to a Resellerpreview
Access: Firewall → Network objects


  • IP addresses can be assigned to a country via the IP networks they belong to and the organisations and institutions those networks are registered to.

    For each country, a GeoIP network object exists on the UTM for this purpose, in which these assignments are stored.

    This database is updated regularly, independently of the firmware.

    The UTM treats the GeoIPs as network objects in the zone external (see Setting up additional zones for GeoIP below).

  • The actual location of a host may differ from this assignment or may not be visible at all, e.g. because of a VPN tunnel!

    System-wide blocks

    Menu location moved and layout updated in v14.0.1

    Under Applications → IDS/IPS → Area System-wide blocks, IP addresses can be blocked system-wide.

    Individual IP addresses or entire GeoIP groups can be blocked as sources and/or destinations.
    These settings apply system-wide in all zones and are applied before the packet filter rules!
    Screenshot: Configuration for system-wide blocks

    IP addresses

    New as of v14.0.1
    Reject source addresses system-wide: Yes - Activates the rejection of IP addresses as sources
    Reject destination addresses system-wide: Yes - Activates the rejection of IP addresses as destinations
    IP addresses: 203.0.113.13 - IP addresses that are blocked system-wide on all interfaces
  • Corresponding log entries appear under All packet filter messages
  • Only individual IP addresses can be blocked, not ranges
    GeoIP sources

    Reject GeoIP sources system-wide: On - Activates the GeoIP settings for rejected sources
    System-wide dropped sources: BX (random example) - In the click box, countries can be selected that are to be blocked as sources.
    Group: All - Selection from preset groups, e.g. all countries of a continent.
    Add - Adds the regions from the selected group
    Remove - Removes the regions from the selected group
    Exceptions: IP address - Exceptions from the system-wide rejected sources can be defined here.

    GeoIP destinations

    Reject GeoIP destinations system-wide: On - Activates the GeoIP settings for rejected destinations
    System-wide dropped destinations: BX (random example) - In the click box, countries can be selected that are to be blocked as destinations.
    This prevents access via browsers as well as, for example, connections made by downloaded malicious code.
    Group: All - Selection from preset groups, e.g. all countries of a continent.
    Add - Adds the regions from the selected group
    Remove - Removes the regions from the selected group
    Exceptions: IP address - Exceptions from the system-wide rejected destinations can be defined here.

    GeoIP based packet filter rules

    GeoIP network objects can be used in packet filter rules to deny certain regions access to certain ports (worked through below: no mails from Antarctica).

    GeoIPs are in the zone external by default

    Setting up additional zones for GeoIP

    Screenshot: Dialog for network object GeoIP

    If the interface with the Internet access is located in another zone, or if Internet access is available on several interfaces with further zones, GeoIP network objects must also exist in those zones.

    Under Firewall → Network Objects → Add Object, a new network object of type GeoIP can be added. The zone in which these objects are to be located must be specified.
    A prefix is optionally possible.
    See also Wiki: Packet filter / Create network objects

    Alternatively, this is done with a CLI command.



    Example: Blocking

    Certain regions are to be denied access to certain ports.
    Here: No mails from Antarctica

    Step 1: Create a network group
    Screenshot: Add network group
    Add a network group for the GeoIPs to be blocked in the Network Groups section with the Add Group button.
    Name: Geo-Blocking-Mail - Meaningful name for the network group
    Network object: GEOIP:AQ (Antarctica) - Search text for the desired country
    + Add object - Opens the dialogue to add a network object
    Save and close - Saves the settings and closes the window

    Step 2: Overview Network Groups
    Screenshot: Overview network groups
    Edit - Opens the editing window again, e.g. to add more regions
    Delete - Deletes the network group
    Network object: GEOIP:AQ - Shows the network object on the right incl. address and zone

    Step 3: Add packet filter rules
    Screenshot: Add packet filter rule
    Create a new packet filter rule under Firewall → Packet filter → Add rule
    Source: Geo-Blocking-Mail - Select the desired group in the drop-down menu in the GeoIP network objects section
    Destination: external-interface - Interface on which the packets to be blocked arrive
    Service: smtp - Service or service group to be blocked
    Action: DROP - Discards the packets
    Logging: SHORT - Select the desired logging
    Group: default - Selection from preset groups, which selects e.g. all countries of a continent.
    Save and close - Saves the settings and closes the window

    Step 4: Update Rules
    Click Update Rules to apply the new rule


    Example: Allow access

    Access from abroad is to be restricted to selected countries.
    A packet filter rule allows access from the Internet to the external interface via https.
    For this, click the Add group button under Firewall → Network objects.

    Step 1: Create a network group
    Screenshot: Add network group
    Name: GeoIP-Test - Meaningful name for the network group
    Network object: GEOIP:AT (Austria), GEOIP:DE (Germany) - GeoIPs can already be selected here. Alternatively, the GeoIPs can be added in the following step.
    + Add object - Opens the dialogue to add a network object
    Save and close - Saves the settings and closes the window

    Step 2: Overview Network Groups
    Screenshot: Overview network groups
    Edit - Opens the editing window again, e.g. to add more regions
    Network object: GEOIP:AT GEOIP:DE - Shows the network objects on the right incl. address and zone
  • If the Outlook App for iOS or Android by Microsoft is to be used, access from other sources (currently: USA) may also have to be permitted here.

    Step 3: Edit existing rules
    Screenshot: Add packet filter rule
    Add a new rule under Firewall → Packet filter → Add rule, or edit an existing one
    Source: GeoIP-Test - Select the desired group in the drop-down menu in the GeoIP network objects section
    Destination: external-interface - Interface on which the packets to be allowed arrive
    Service: https - Service or service group to be allowed
    Action: ACCEPT - Lets the packets pass through
    Logging: SHORT - Select the desired logging
    Group: default - Selection from preset groups, which selects e.g. all countries of a continent.
    Save and close - Saves the settings and closes the window

    Step 4: Update Rules
    Click Update Rules to apply the changed rules

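The following is an added example (not part of the wiki or of the UTM) that models the processing order described above: system-wide blocks (IP list, GeoIP sources and destinations with their exceptions) are checked before the packet filter rules of the two examples. The GeoIP lookup is a constructed stub over documentation ranges, not the UTM's database, and first-match rule evaluation with an implicit DROP when no rule matches are assumptions.

```python
# Added example (not part of the wiki or of the UTM): system-wide blocks are
# evaluated before packet filter rules, using the settings from this page.
# GeoIP lookup is a constructed stub; first-match and implicit DROP are assumed.
from ipaddress import ip_address, ip_network

# Constructed stub standing in for the UTM's GeoIP database.
GEOIP_STUB = {"198.51.100.0/24": "AQ", "203.0.113.0/24": "BX", "192.0.2.0/24": "DE"}

def country_of(ip):
    """Country code for an address, '??' when the stub has no entry."""
    for net, cc in GEOIP_STUB.items():
        if ip_address(ip) in ip_network(net):
            return cc
    return "??"

# Applications -> IDS/IPS -> System-wide blocks, as configured above.
SYSTEM_WIDE = {
    "ips": {"203.0.113.13"},              # IP addresses tab (single hosts only)
    "src_countries": {"BX"},              # GeoIP sources tab
    "src_exceptions": {"203.0.113.7"},    # constructed exception entry
    "dst_countries": {"BX"},              # GeoIP destinations tab
    "dst_exceptions": set(),
}

# Packet filter rules from the two examples, matched on source country.
RULES = [
    {"src": {"AQ"}, "dst": "external-interface", "service": "smtp", "action": "DROP"},
    {"src": {"AT", "DE"}, "dst": "external-interface", "service": "https", "action": "ACCEPT"},
]

def evaluate(src_ip, dst_ip, dst_iface, service):
    """Return (verdict, stage) for one packet, stages in the UTM's order."""
    sw = SYSTEM_WIDE
    if src_ip in sw["ips"] or dst_ip in sw["ips"]:
        return "DROP", "system-wide IP block"
    if country_of(src_ip) in sw["src_countries"] and src_ip not in sw["src_exceptions"]:
        return "DROP", "system-wide GeoIP source block"
    if country_of(dst_ip) in sw["dst_countries"] and dst_ip not in sw["dst_exceptions"]:
        return "DROP", "system-wide GeoIP destination block"
    for rule in RULES:  # only reached when no system-wide block applied
        if country_of(src_ip) in rule["src"] and dst_iface == rule["dst"] and service == rule["service"]:
            return rule["action"], "packet filter rule"
    return "DROP", "packet filter default"  # assumption: implicit deny

if __name__ == "__main__":
    for pkt in [("198.51.100.5", "10.0.0.8", "external-interface", "smtp"),
                ("192.0.2.20", "10.0.0.8", "external-interface", "https")]:
        print(pkt, "->", evaluate(*pkt))
```

Note that a source listed under Exceptions falls through to the packet filter, where it is still only accepted if a rule matches it.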

    Database update via CLI

  • The system updates the Geo-IP databases automatically at regular intervals.
  • The status of the database can be queried with the command geolocation info:

    cli> geolocation info
    attribute          |value
    -------------------+-----
    IP4 Database Status|need update
    IP4 Last Update    |2023-02-14 09:36:22.060000000 +0100
    IP6 Database Status|need update
    IP6 Last Update    |2023-02-14 09:36:22.700000000 +0100

    The message need update appears when an update is available.

    The database is updated with the CLI command geolocation update.
    Attention: the status message appears with a small delay of a few seconds.

    cli> geolocation update
    OK
    cli> geolocation info
    attribute          |value
    -------------------+-----
    IP4 Database Status|ok   
    IP4 Last Update    |2023-03-26 07:54:29.339700632 +0200
    IP6 Database Status|ok   
    IP6 Last Update    |2023-03-26 07:54:29.899700632 +0200
    
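As an added example (not part of the wiki or of the UTM's tooling), the following parser reads the geolocation info table shown above and flags a database that the UTM reports as need update or whose last update is older than a threshold, so the check can be run from a monitoring script against captured CLI output. The 30-day threshold is an assumption.

```python
# Added example (not part of the wiki or of the UTM): parses `geolocation info`
# output as printed above and flags a stale GeoIP database. The 30-day
# threshold is an assumption.
from datetime import datetime, timedelta

# The table printed by the UTM in the first example above (captured output).
SAMPLE_INFO = """cli> geolocation info
attribute          |value
-------------------+-----
IP4 Database Status|need update
IP4 Last Update    |2023-02-14 09:36:22.060000000 +0100
IP6 Database Status|need update
IP6 Last Update    |2023-02-14 09:36:22.700000000 +0100
"""

def parse_geolocation_info(text):
    """Map 'attribute|value' rows to a dict; prompt, header and separator are skipped."""
    info = {}
    for line in text.splitlines():
        if "|" not in line or line.startswith("attribute") or set(line) <= set("-+"):
            continue
        key, value = line.split("|", 1)
        info[key.strip()] = value.strip()
    return info

def parse_utm_timestamp(value):
    """The UTM prints 9 fractional digits; strptime's %f takes at most 6, so truncate."""
    date, clock, tz = value.split()
    whole, frac = clock.split(".")
    return datetime.strptime(f"{date} {whole}.{frac[:6]} {tz}", "%Y-%m-%d %H:%M:%S.%f %z")

def check_geoip_db(text, now, max_age_days=30):
    """One finding per database family; stale if the UTM says 'need update'
    or the last update is older than max_age_days relative to `now`."""
    info = parse_geolocation_info(text)
    findings = []
    for fam in ("IP4", "IP6"):
        status = info.get(f"{fam} Database Status", "unknown")
        age = now - parse_utm_timestamp(info[f"{fam} Last Update"])
        stale = status != "ok" or age > timedelta(days=max_age_days)
        findings.append({"family": fam, "status": status, "age_days": age.days, "stale": stale})
    return findings

if __name__ == "__main__":
    now = datetime.now().astimezone()  # aware local time, comparable with the UTM's offsets
    for finding in check_geoip_db(SAMPLE_INFO, now):
        print(finding)
```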

    Block potentially dangerous IPs

    Regardless of the geographical assignment of an IP, IPs that have been identified as potentially threatening can be blocked via the Cyber Defence Cloud: activate under Applications → IDS/IPS → Area Cyber Defence Cloud → Log and drop connection: Yes

    This setting is not activated by default, as the UTM does not perform any blocking that is not explicitly wanted!