A newer version of this article already exists, but it refers to a reseller preview.
Setting up additional zones for GeoIP: Under → Firewall → Portfilter, tab Network Objects, button Add Object, a new network object of type GeoIP can be added. The zone in which these objects are to be located must be specified. A prefix is optional. See also Wiki: Portfilter / Create network objects
Activates the GeoIP settings for both sources and destinations.
IPGeoBlockingSrc: On. Activates the GeoIP settings for rejected sources.
IPGeoBlockingDst: On. Activates the GeoIP settings for rejected destinations.
GeoIP settings
Dialogue: GeoIP Settings (Caption: Value. Description)
System-wide dropped sources: ×BX (random example). In the click box, countries can be selected that are to be blocked as sources.
Group: All. Selection from preset groups, which selects e.g. all countries of a continent.
+Add: Adds the regions from the selected group.
-Remove: Removes the regions from the selected group.
Exceptions (sources): ×IP address. Exceptions for system-wide rejected sources can be defined here.
System-wide dropped destinations: ×BX (random example). In the click box, countries can be selected that are to be blocked as destinations. This prevents access by browsers as well as, for example, by malicious code that has already been downloaded.
Exceptions (destinations): ×IP address. Exceptions for system-wide rejected destinations can be defined here.
GeoIP based port filter rules
Certain regions are to be denied access to certain ports. Here: No mails from Antarctica
GeoIPs have the zone external by default
Setting up additional zones for GeoIP
Dialog for network object GeoIP
If the interface with the Internet access is located in another zone, or if Internet access is available on several interfaces with further zones, GeoIP network objects must also be available there.
New as of v.12.2.3
Alternatively, this is done with a CLI command:
node geoip generate zone <zone> name <prefix>
The prefix name is optional; the zone must already exist.
Example: node geoip generate zone external2 name EXT2_
This command creates an additional network object in the external2 zone for each region. For Germany, this would then be called EXT2_GEOIP:DE.
Attention: This command creates approx. 250 new network objects.
Example: Blocking
Certain regions are to be denied access to certain ports. Here: No mails from Antarctica
Step 1: Create a network group
Add a network group for GeoIPs to be blocked in the Network Groups section with the Add Group button.
Name: Geo-Blocking-Mail. Meaningful name for the network group.
Save
Step 2: Add GeoIP
→ Geo-Blocking-Mail: Open the network group you have just created by clicking on it.
Network Objects: ant. Search text for the desired country.
Add to group: GEOIP:XY. Adds the region to the group. Hovering over the icon shows the full name.
Step 3: Add portfilter rules
Create a new port filter rule under → Firewall → Portfilter, tab Portfilter, with the Add rule button.
Source: Geo-Blocking-Mail. Select the desired group in the drop-down menu in the GeoIP network objects section.
Destination: external-interface. Interface on which the packets to be blocked arrive.
Service: smtp. Service or service group to be blocked.
Action: DROP. Discards the packets.
Logging: SHORT. Select desired logging.
Group: default. Selection from preset groups, which selects e.g. all countries of a continent.
Add and close
Step 4: Update Rules
Update Rules
Example: Allow access
Access to the OWA interface of an Exchange server should only be possible from certain countries. The starting point is a configuration as described in the Wiki article on this: a port filter rule allows access from the Internet to the external interface via https.
Step 1: Create a network group
Add a network group for GeoIPs to be given access in the Network Groups section with the Add Group button.
Name: GeoIP-OWA. Meaningful name for the network group.
Save
Step 2: Add GeoIP
→ GeoIP-OWA: Open the network group you have just created by clicking on it.
Network Objects: sw. Search text for the desired country.
Add to group: GEOIP:XY. Adds the region to the group. Hovering over the icon shows the full name.
If the Outlook app for iOS or Android by Microsoft is to be used, access from other sources (currently: USA) may also have to be permitted here.
The Outlook app from Microsoft does not establish a direct connection, but routes all traffic via Microsoft servers. Their location is (as of 08.2022) in the USA.
That is also where the access data is stored!
Step 3: Edit existing rules
Add a new rule under → Firewall → Portfilter, tab Portfilter, with the Add rule button, or edit an existing one.
Source: GeoIP-OWA. Select the desired group in the drop-down menu in the GeoIP network objects section.
Destination: external-interface. Interface on which the packets to be allowed arrive.
Service: https. Service or service group to be allowed.
Action: ACCEPT. Lets the packets pass.
Logging: SHORT. Select desired logging.
Group: default. Selection from preset groups, which selects e.g. all countries of a continent.
Save
Step 4: Update Rules
Update Rules
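As an added illustration (not Securepoint code and not part of the wiki), the following Python model evaluates connection attempts against the GeoIP settings and the two port filter examples above (blocking smtp from Antarctica, allowing https to OWA only from selected countries). The evaluation order it assumes (system-wide GeoIP drops and their exception lists first, then port filter rules top-down with first match and an implicit drop) should be checked against the UTM's real behaviour; the IP-to-country table, the group contents, the generic "Mail-in" rule and the exception address are constructed for the example.

```python
"""Toy evaluator for the GeoIP filtering described on this page.

Added example, not Securepoint code. Assumed order of evaluation:
  1. system-wide dropped sources / destinations, unless the address is on
     the matching exception list;
  2. port filter rules top-down, first match wins;
  3. nothing matched -> DROP (implicit default).
The IP-to-country table is constructed from RFC 5737 documentation
ranges and is not real geolocation data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed lookup table; "BX" mirrors the page's "random example" code.
GEOIP_TABLE = {
    "192.0.2.0/24": "DE",
    "198.51.100.0/24": "AQ",   # Antarctica, as in the "no mails" example
    "203.0.113.0/25": "US",
    "203.0.113.128/25": "BX",
}


def country_of(ip: str) -> Optional[str]:
    """Toy lookup: the first prefix containing the address wins."""
    addr = ipaddress.ip_address(ip)
    for prefix, code in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return code
    return None  # region unknown, e.g. a private address


@dataclass
class Rule:
    name: str          # network group used as source, or a rule label
    sources: set       # country codes, or {"any"} for a generic rule
    destination: str   # interface on which the packets arrive
    service: str
    action: str        # "ACCEPT" or "DROP"


@dataclass
class GeoIPPolicy:
    dropped_sources: set = field(default_factory=set)
    source_exceptions: set = field(default_factory=set)       # exact IPs
    dropped_destinations: set = field(default_factory=set)
    destination_exceptions: set = field(default_factory=set)  # exact IPs
    rules: list = field(default_factory=list)

    def evaluate(self, src_ip, dst_ip, interface, service):
        """Return (action, reason) for one connection attempt."""
        src_cc = country_of(src_ip)
        dst_cc = country_of(dst_ip)
        # Stage 1: system-wide GeoIP settings; exceptions only restore
        # normal evaluation, they do not grant access by themselves.
        if src_cc in self.dropped_sources and src_ip not in self.source_exceptions:
            return "DROP", f"system-wide dropped source {src_cc}"
        if dst_cc in self.dropped_destinations and dst_ip not in self.destination_exceptions:
            return "DROP", f"system-wide dropped destination {dst_cc}"
        # Stage 2: port filter rules, first match wins.
        for rule in self.rules:
            if rule.destination != interface or rule.service != service:
                continue
            if "any" in rule.sources or src_cc in rule.sources:
                return rule.action, rule.name
        # Stage 3: implicit default.
        return "DROP", "no rule matched (implicit default)"


def page_policy() -> GeoIPPolicy:
    """The two worked examples from the page plus one system-wide block."""
    return GeoIPPolicy(
        dropped_sources={"BX"},
        source_exceptions={"203.0.113.130"},   # constructed exception entry
        rules=[
            # Example: Blocking. Must sit above the generic mail rule,
            # otherwise the generic ACCEPT would match first.
            Rule("Geo-Blocking-Mail", {"AQ"}, "external-interface", "smtp", "DROP"),
            Rule("Mail-in (assumed existing rule)", {"any"}, "external-interface", "smtp", "ACCEPT"),
            # Example: Allow access. Source replaced by the GeoIP-OWA group;
            # US added for the Outlook app, as the page notes.
            Rule("GeoIP-OWA", {"DE", "US"}, "external-interface", "https", "ACCEPT"),
        ],
    )


if __name__ == "__main__":
    policy = page_policy()
    for src in ("198.51.100.7", "192.0.2.9", "203.0.113.129", "203.0.113.130", "10.0.0.5"):
        for svc in ("smtp", "https"):
            print(src, svc, policy.evaluate(src, "192.0.2.1", "external-interface", svc))
```

Two points the model makes visible: the blocking rule only works because it is ordered above the generic mail ACCEPT, and an entry in the exceptions list merely lets an address past the system-wide block, after which it still has to match a port filter rule (the excepted BX address reaches the mail server but not OWA).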
Block potentially dangerous IPs
Regardless of the geographical assignment of an IP, IPs that have been identified as potentially threatening can be blocked via the Cyber Defence Cloud: activate under → Application → IDS/IPS, tab Cyber Defence Cloud, button Log and drop connections.
This setting is not activated by default, as the UTM does not perform any blocking that is not explicitly wanted.