Control configuration of access via Geo-IP on the UTM
Last adaptation to the version: 12.2.2
This article refers to a Resellerpreview
IP addresses can be assigned to a country via the IP networks they belong to and the organisations and institutions to which those networks are registered.
For this purpose the UTM holds a GeoIP network object for each country in which these assignments are stored.
This database is updated weekly, independently of the firmware.
IPs that are not covered by the database are not matched by GeoIP rules.
The UTM treats the GeoIPs as network objects in the zone external (see "Setting up additional zones for GeoIP" below for further zones).
The actual location of a host may differ from the assignment or may not be visible at all, e.g. because of a VPN tunnel!
System-wide blocking
Under → Firewall → Implied Rules, regions can be blocked system-wide as source or destination.
These settings apply system-wide in all zones and are applied before the port filter rules!
Dialogue: Implied Rules
Active | Group/Rule | Description
On | GeoIP | Activates the GeoIP settings for both sources and destinations.
On | DropSource | Activates the GeoIP settings for dropped sources
On | DropDestination | Activates the GeoIP settings for dropped destinations
GeoIP settings
Caption | Value | Description
System-wide dropped sources: | ×BX (random example) | In the click box, countries can be selected that are to be blocked as sources.
System-wide dropped destinations: | ×BX (random example) | In the click box, countries can be selected that are to be blocked as destinations. This prevents, for example, browser access to those countries as well as connections made by downloaded malicious code.
GeoIP based port filter rules
GeoIP network objects can be used as source or destination of port filter rules, e.g. to deny certain regions access to certain ports (see the example below: no mails from Antarctica).
GeoIPs have the zone external by default.
Setting up additional zones for GeoIP
If the interface with Internet access is located in another zone, or if Internet access is available on several interfaces with further zones, GeoIP network objects must also be available in those zones.
This is done with a CLI command:
node geoip generate zone <zone> name <prefix>
The prefix name is optional; the zone must already exist.
Example: node geoip generate zone external2 name EXT2_
This command creates an additional network object in the external2 zone for each region. For Germany, this object would be called EXT2_GEOIP:DE.
Attention: This command creates approx. 250 new network objects.
Example: Blocking
Certain regions are to be denied access to certain ports. Here: no mails from Antarctica.
Step 1: Create a network group
Add a network group for the GeoIPs to be blocked in the Network Groups section with the Add Group button.
Caption | Value | Description
Name: | Geo-Blocking-Mail | Meaningful name for the network group
Save
Step 2: Add GeoIP
Open the network group you have just created (→ Geo-Blocking-Mail) by clicking on it.
Caption | Value | Description
Network Objects | ant | Search text for the desired country
Add to group | GEOIP:XY | Adds the region to the group; hovering over the icon shows the full name
Step 3: Add port filter rules
Create a new port filter rule under → Firewall → Portfilter, tab Portfilter, with the button Add rule.
Caption | Value | Description
Source: | Geo-Blocking-Mail | Select the desired group in the drop-down menu in the GeoIP network objects section
Destination: | external-interface | Interface on which the packets to be blocked arrive
Service: | smtp | Service or service group to be blocked
Action: | DROP | Discards the packets
Logging: | SHORT | Select the desired logging
Group: | default | Select the desired group
Add and close
Step 4: Update Rules
Apply the change with the Update Rules button.
Example: Allow access
Access to the OWA interface of an Exchange server should only be possible from Germany, Austria and Switzerland. The starting point is a configuration as described in the corresponding wiki article, in which a port filter rule allows access from the Internet to the external interface with https.
Step 1: Create a network group
Add a network group for the GeoIPs that are to be given access in the Network Groups section with the Add Group button.
Caption | Value | Description
Name: | GeoIP-OWA | Meaningful name for the network group
Save
Step 2: Add GeoIP
Open the network group you have just created (→ GeoIP-OWA) by clicking on it.
Caption | Value | Description
Network Objects | sw | Search text for the desired country
Add to group | GEOIP:XY | Adds the region to the group; hovering over the icon shows the full name
Step 3: Edit existing rules
Edit the existing port filter rule under → Firewall → Portfilter, tab Portfilter, with the edit button.
Caption | Value | Description
Source: | GeoIP-OWA | Select the desired group in the drop-down menu in the GeoIP network objects section
Destination: | external-interface | Interface on which the packets arrive
Service: | https | Service or service group the rule applies to
Action: | ACCEPT | Lets the packets pass through
Logging: | SHORT | Select the desired logging
Group: | default | Select the desired group
Save
Step 4: Update Rules
Apply the change with the Update Rules button.
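The following Python script is an added illustration and is not part of this article or of the UTM software: with a constructed mini GeoIP database it models the evaluation order described above (system-wide implied GeoIP drop first, then the port filter rules, then the implicit final drop) and shows what happens to an IP the database does not cover in the blocking example versus the allow example.

```python
# Added illustration, not Securepoint code: the two GeoIP rule styles from
# this article applied to sample IPs. Database and IP ranges are constructed.
import ipaddress

# Constructed mini GeoIP database: network -> ISO country code (a stand-in
# for the weekly updated database on the UTM; real assignments differ).
GEOIP_DB = {
    ipaddress.ip_network("203.0.113.0/25"): "DE",
    ipaddress.ip_network("203.0.113.128/26"): "AT",
    ipaddress.ip_network("198.51.100.0/24"): "CH",
    ipaddress.ip_network("192.0.2.0/24"): "AQ",
}

def lookup_country(ip):
    """Return the country code for ip, or None if the database has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_DB.items():
        if addr in net:
            return cc
    return None

def evaluate(src_ip, service, system_wide_drop, rules):
    """Mimic the article's evaluation order: the implied system-wide GeoIP
    drop runs first, then the port filter rules top to bottom, then an
    implicit final DROP. `rules` holds (countries, service, action) tuples;
    countries=None means 'any source'. An uncovered IP matches no GeoIP."""
    cc = lookup_country(src_ip)
    if cc is not None and cc in system_wide_drop:
        return "DROP (implied rule)"
    for countries, svc, action in rules:
        if svc != service:
            continue
        if countries is None or (cc is not None and cc in countries):
            return action
    return "DROP (default)"

# Blocking example: group Geo-Blocking-Mail = {AQ} drops smtp, rest allowed.
BLOCK_RULES = [({"AQ"}, "smtp", "DROP"), (None, "smtp", "ACCEPT")]
# Allow example: only group GeoIP-OWA = {DE, AT, CH} may reach https.
ALLOW_RULES = [({"DE", "AT", "CH"}, "https", "ACCEPT")]

def demo():
    # 203.0.113.200 lies outside every database entry above (uncovered IP).
    return {
        "smtp from AQ": evaluate("192.0.2.10", "smtp", set(), BLOCK_RULES),
        "smtp from uncovered IP": evaluate("203.0.113.200", "smtp", set(), BLOCK_RULES),
        "https from DE": evaluate("203.0.113.5", "https", set(), ALLOW_RULES),
        "https from uncovered IP": evaluate("203.0.113.200", "https", set(), ALLOW_RULES),
        "https from DE, DE dropped system-wide": evaluate("203.0.113.5", "https", {"DE"}, ALLOW_RULES),
    }
```

The output shows the practical difference: a block-list rule lets an uncovered IP through, while the allow-list rule denies it, and the implied rule wins over a later ACCEPT.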
Block potentially dangerous IPs
Regardless of the geographical assignment of an IP, IPs that have been identified as potentially threatening can be blocked via the Cyber Defence Cloud: under → Application → IDS/IPS, tab Cyber Defence Cloud, activate the button Log and drop connections.
This setting is not activated by default, as the UTM does not perform any blocking that is not explicitly wanted!