This article refers to a version that is no longer current!
The article for the newest version is here.
A newer version of this article already exists, but it refers to a reseller preview.
Control configuration of access via Geo-IP on the UTM
Last adaptation to the version: 12.2.2
New:
  • New feature
This article refers to a reseller preview
  • IP addresses can be assigned to a country via the associated IP networks and the organisations and institutions to which they are assigned.

    For each country, a GeoIP exists on the UTM for this purpose, in which these assignments are stored.

    This database is updated regularly and independently of the firmware; the update takes place weekly.
    IPs that are not covered by the database are not taken into account by the rules.

    The GeoIPs are treated by the UTM as network objects in the zone external (for further zones, see "Setting up additional zones for GeoIP" below).

  • The actual location of a host may differ from the assignment or may not be visible, e.g. due to a VPN tunnel!

  • System-wide blocking

    Under Firewall → Implied Rules, regions can be blocked system-wide as source or destination.

    These settings apply system-wide in all zones and are applied before the port filter rules!

    Dialogue Implied Rules
    Active  Group/Rule       Description
    On      GeoIP            Activates the GeoIP settings for both sources and destinations.
    On      DropSource       Activates the GeoIP settings for rejected sources
    On      DropDestination  Activates the GeoIP settings for rejected destinations

    GeoIP settings
    Caption                            Value                 Description
    System-wide dropped sources:       ×BX (random example)  In the click box, countries can be selected that are to be blocked as sources.
    System-wide dropped destinations:  ×BX (random example)  In the click box, countries can be selected that are to be blocked as destinations.
    This prevents access via browsers as well as, for example, downloaded malicious code.


    GeoIP based port filter rules

  • GeoIPs have the zone external by default
  • Setting up additional zones for GeoIP

    If the interface with the Internet access is located in another zone, or if Internet access is available on several interfaces with further zones, GeoIP network objects must also be available there.

    This is done with a CLI command:
    node geoip generate zone <zone> name <prefix>

    The prefix name is optional; the zone must already exist.

    Example: node geoip generate zone external2 name EXT2_

    This command creates an additional network object in the external2 zone for each region.
    For Germany, this would then be called EXT2_GEOIP:DE
    Attention: This command creates approx. 250 new network objects

    Example: Blocking

    Certain regions are to be denied access to certain ports.
    Here: No mails from Antarctica

    Step 1: Create a network group
    Add a network group for the GeoIPs to be blocked in the Network Groups section with the Add Group button.
    Caption  Value              Description
    Name:    Geo-Blocking-Mail  Meaningful name for the network group
    Save

    Step 2: Add GeoIP
    Open the network group Geo-Blocking-Mail you have just created by clicking on it.
    Caption           Value     Description
    Network Objects:  ant       Search text for the desired country
    Add to group:     GEOIP:XY  Adds the region to the group; hovering over the icon shows the full name

    Step 3: Add port filter rules
    Create a new port filter rule under Firewall → Portfilter, tab Portfilter, with the Add rule button.
    Caption       Value               Description
    Source:       Geo-Blocking-Mail   Select the desired group in the drop-down menu in the GeoIP network objects section
    Destination:  external-interface  Interface on which the packets to be blocked arrive
    Service:      smtp                Service or service group to be blocked
    Action:       DROP                Discards the packets
    Logging:      SHORT               Select desired logging
    Group:        default             Select desired group
    Add and close

    Step 4: Update Rules
    Update Rules

    Example: Allow access

    Access to the OWA interface of an Exchange server should only be possible from Germany, Austria and Switzerland.
    Given is a configuration as described in the Wiki article on this.
    A port filter rule allows access from the Internet to the external interface with https.

    Step 1: Create a network group
    Add a network group for the GeoIPs to be given access in the Network Groups section with the Add Group button.
    Caption  Value      Description
    Name:    GeoIP-OWA  Meaningful name for the network group
    Save

    Step 2: Add GeoIP
    Open the network group GeoIP-OWA you have just created by clicking on it.
    Caption           Value     Description
    Network Objects:  sw        Search text for the desired country
    Add to group:     GEOIP:XY  Adds the region to the group; hovering over the icon shows the full name

    Step 3: Edit existing rules
    Edit the existing port filter rule under Firewall → Portfilter, tab Portfilter, using the corresponding button.
    Caption       Value               Description
    Source:       GeoIP-OWA           Select the desired group in the drop-down menu in the GeoIP network objects section
    Destination:  external-interface  Interface on which the packets arrive
    Service:      https               Service or service group the rule applies to
    Action:       ACCEPT              Lets the packets pass through
    Logging:      SHORT               Select desired logging
    Group:        default             Select desired group
    Save

    Step 4: Update Rules
    Update Rules
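    The following Python simulation is an added example, not code from the UTM or from this wiki: it walks through the two examples above (the Geo-Blocking-Mail DROP rule for smtp and the GeoIP-OWA ACCEPT rule for https) together with the system-wide dropped sources, in the order the page describes: implied rules first, then the port filter rules top to bottom, first match wins. The GeoIP table, the source addresses and the simplified rule shape are constructed for the example; the assumption that a generic smtp ACCEPT rule for the mail server sits below the new DROP rule is mine, as is the default DROP policy. It makes visible what "IPs that are not covered by the database are not taken into account by the rules" means in practice: an unmapped address matches no GEOIP object, so a GeoIP block rule does not catch it, and a GeoIP allow rule does not admit it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed GeoIP lookup table (CIDR -> ISO country code). The ranges are
# documentation prefixes invented for this example; they are NOT the UTM's database.
GEOIP_DB = {
    ipaddress.ip_network("203.0.113.0/25"): "DE",
    ipaddress.ip_network("203.0.113.128/26"): "AT",
    ipaddress.ip_network("203.0.113.192/26"): "CH",
    ipaddress.ip_network("198.51.100.0/24"): "AQ",  # Antarctica, as in the blocking example
    ipaddress.ip_network("192.0.2.0/24"): "BX",     # placeholder code the page uses for a dropped region
}


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code of the GEOIP object containing ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_DB.items():
        if addr in net:
            return cc
    return None  # not covered by the database: no GEOIP object matches


@dataclass(frozen=True)
class Rule:
    """Simplified port filter rule: source group of GEOIP objects (None = any source),
    the service it applies to, and the action."""
    source_countries: Optional[frozenset]
    service: str
    action: str  # "ACCEPT" or "DROP"

    def matches(self, country: Optional[str], service: str) -> bool:
        if service != self.service:
            return False
        if self.source_countries is None:
            return True  # an "any" source also matches unmapped IPs
        # A GeoIP group never matches an IP the database cannot assign to a country.
        return country is not None and country in self.source_countries


def evaluate(src_ip, service, dropped_sources, rules, default="DROP"):
    """Order documented on the page: system-wide implied rule (all zones) first,
    then port filter rules top to bottom, first match wins; otherwise the default policy."""
    country = lookup_country(src_ip)
    if country is not None and country in dropped_sources:
        return ("DROP", "implied: system-wide dropped source")
    for idx, rule in enumerate(rules):
        if rule.matches(country, service):
            return (rule.action, f"portfilter rule {idx}")
    return (default, "default policy")


# Example "Blocking": group Geo-Blocking-Mail = {GEOIP:AQ}, DROP smtp, placed above an
# assumed pre-existing rule that accepts smtp from anywhere for the mail server.
BLOCKING_RULES = [
    Rule(frozenset({"AQ"}), "smtp", "DROP"),
    Rule(None, "smtp", "ACCEPT"),
]

# Example "Allow access": group GeoIP-OWA = {DE, AT, CH}; the https rule's source is
# changed from "Internet" to that group, and nothing else accepts https.
ALLOW_RULES = [
    Rule(frozenset({"DE", "AT", "CH"}), "https", "ACCEPT"),
]

# Constructed value for "System-wide dropped sources" under Implied Rules.
SYSTEM_WIDE_DROPPED_SOURCES = frozenset({"BX"})


def run_examples():
    """Return the decision for a few constructed source addresses under both examples."""
    cases = {
        "blocking/AQ smtp": ("198.51.100.7", "smtp", BLOCKING_RULES),
        "blocking/DE smtp": ("203.0.113.10", "smtp", BLOCKING_RULES),
        "blocking/unmapped smtp": ("10.9.8.7", "smtp", BLOCKING_RULES),
        "blocking/BX smtp": ("192.0.2.5", "smtp", BLOCKING_RULES),
        "allow/CH https": ("203.0.113.200", "https", ALLOW_RULES),
        "allow/AQ https": ("198.51.100.7", "https", ALLOW_RULES),
        "allow/unmapped https": ("10.9.8.7", "https", ALLOW_RULES),
    }
    return {name: evaluate(ip, svc, SYSTEM_WIDE_DROPPED_SOURCES, rules)
            for name, (ip, svc, rules) in cases.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_examples().items():
        print(f"{name:24} -> {action:6} ({reason})")
```

    Two results are worth comparing: the unmapped address 10.9.8.7 is still accepted for smtp in the blocking example (the general rule below catches it), but is dropped by the default policy in the allow example, because the GeoIP-OWA group does not match it. A region entered under System-wide dropped sources is dropped before any port filter rule is consulted, even one that would accept it.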

    Block potentially dangerous IPs

    Regardless of the geographical assignment of an IP, IPs that have been identified as potentially threatening can be blocked via the Cyber Defence Cloud: activate this under Application → IDS/IPS, tab Cyber Defence Cloud, with the button Log and drop connections.

  • This setting is not activated by default, as the UTM does not perform any blocking that is not explicitly wanted!