Jump to:navigation, search
Wiki





notempty
Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!

notempty
Der Artikel für die neueste Version steht hier

notempty
Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Reseller-Preview bezieht

























































| Add a network group for GeoIPs to be given access in the networkgroups section with the Add Group button. }}
















De.png
En.png
Fr.png






Control configuration of access via Geo-IP on the UTM
Last adaption: 12.4
New:
  • GeoIP now has its own tab
  • In the GeoIP settings there are now preset groups
notempty
This article refers to a Resellerpreview

12.3 12.2.3 12.2.2

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ Firewall →Portfilter


  • IP addresses can be assigned to a country via the associated IP networks and the organisations and institutions to which they are assigned.

    For each country, a GeoIP exists on the UTM for this purpose, in which these assignments are stored.

    This database is regularly updated independently of the firmware.
    IPs that are not covered by the database are not taken into account by the rules. The UTM checks weekly (or via CLI if required) whether a new database is available.
      

    The GeoIPs are treated by the UTM as network objects in the zone external. → further zones

  • The actual location of a host may differ from the assignment or may not be visible, e.g. due to a VPN tunnel!


  • System-wide blocking

    Under → Firewall →Implied Rules regions can be blocked system-wide as source or destination

    These settings apply system-wide in all zones and are applied before the port filter rules!





    notempty
    This article refers to a version that is no longer current!

    notempty
    The article for the latest version is here

    notempty
    There is already a newer version of this article, but it refers to a Reseller-Preview














































    Rules

    Rules
    Active Group/Rule Description UTM v12.4 Firewall Implizite Regeln GeoIP aktiviert-en.png
    Dialogue: Implied Rules
    On GeoIP Activates the GeoIP settings for both sources and destinations.
    On IPGeoBlockingSrc Activates the GeoIP settings for rejected sources
    On IPGeoBlockingDst Activates the GeoIP settings for rejected destinations

    GeoIP settings

    GeoIP settings
    Caption Value Description UTM v12.4 Firewall Implizite Regeln GeoIP Einstellungen-en.png
    Dialogue: GeoIP Settings
    System-wide dropped sources: ×BX (random example) In the click box, countries can be selected that are to be blocked as sources.
    New as of 12.4

    Group:
    All Selection from preset groups, which selects e.g. all countries of a continent.
    + Add Adds the regions from the selected group
    - Remove Removes the regions from the selected group
    Exceptions (sources): ×IP address Exceptions for system-wide rejected sources can be defined here.
    System-wide dropped destinations: ×BX (random example) In the click box, countries can be selected that are to be blocked as targets.
    This prevents access via browsers as well as, for example, downloaded malicious code.
    Exceptions (destinations): ×IP address Exceptions for system-wide rejected destinations can be defined here.


    GeoIP based port filter rules

    Certain regions are to be denied access to certain ports.
    Here: No mails from Antarctica

    GeoIPs have the zone external by default

    Setting up additional zones for GeoIP

    Dialog for network object GeoIP

    If the interface with the Internet access is located in another zone or if Internet access is available at several interfaces with further zones, GeoIP network objects must also be available there.


    Under → Firewall →PortfilterTab Network Objects Button Add Object o new network object of type GeoIP can be added. The zone in which these objects are to be located must be specified.
    A prefix is optionally possible.
    See also Wiki: Portfilter / Create network objects

    Alternatively, this is done with a CLI command.
    node geoip generate zone <zone> name <prefix>

    The prefix name is optional, the zone must already exist.

    Example: node geoip generate zone external2 name EXT2_

    This command creates an additional network object in the external2 zone for each region.
    For Germany, this would then be called EXT2_GEOIP:DE

  • Attention: This command creates approx. 250 new network objects


  • Example: Blocking

    Certain regions are to be denied access to certain ports.
    Here: No mails from Antarctica

    Step 1: Create a network group
    Step 1: Create a network group
    Caption Value Description UTM v12.4 Firewall Potfilter Netzwerkobjekte Gruppe hinzufügen Geo-Mail-Blocking-en.png
    Add a network group for GeoIPs to be blocked in the Network Groups section with the Add Group button.
    Name: Geo-Blocking-Mail Meaningful name for the network group
    Network Objects: ×GEOIP:AQ (Antarktis) Search text for desired country
    + Add object Opens the dialogue to add a network object
    Save Saves the settings
    Step 2: Overview Network Groups
    Step 2: Overview Network Groups
    Opens the editing window again and more regions can be added, for example. UTM v12.4 Firewall Potfilter Netzwerkobjekte AQ angezeigt-en.png
    Deletes the network group
    Network Objects: GEOIP:AQ Shows the network object on the right incl. address and zone.
    Step 3: Add portfilter rules
    Step 3: Add portfilter rules
    Create a new port filter rule under → Firewall →PortfilterTab Portfilter with Button Add rule UTM v12.2.2 Portfilteregel Block-en.png
    Source: Map-marked-alt-custom-multiple.svg Geo-Blocking-Mail Select the desired group in the drop-down menu in the GeoIP network objects section
    Destination: Interface.svg external-interface Interface on which the packets to be blocked arrive
    Service: Tcp.svg smtp Service or service group to be blocked
    Action: DROP Discards the packages
    Logging: SHORT Select desired logging
    Group default Selection from preset groups, which selects e.g. all countries of a continent.
    Add and close
    Step 4: Update Rules
    Step 4: Update Rules
    Update Rules


    Example: Allow access

    Access from abroad is to be restricted to selected countries.
    A port filter rule allows access from the Internet to the external interface with https.
    For this, the button Add group must be clicked under → Firewall →Port filterTab Network objects.

    Step 1: Create a network group
    Step 1: Create a network group
    Caption Value Description UTM v12.3.5 Firewall Portfilter Netzwerkgruppe hinzufügen GeoIP-en.png
    Name: GeoIP-Test Meaningful name for the network group
    Network Objects: ×GEOIP:AT (Österreich)
    ×GEOIP:DE (Deutschland)
    GeoIPs can now already be selected. Alternatively, the GeoIPs can also be added in the following step.
    + Add object Opens the dialogue to add a network object
    Save Saves the settings
    Step 2: Overview Network Groups
    Step 2: Overview Network Groups
    Opens the editing window again and more regions can be added, for example. UTM v12.4 Firewall Potfilter Netzwerkobjekte GeoIP Übersicht AT angezeigt-en.png
    Deletes the network group
    Network Objects: GEOIP:AT GEOIP:DE Shows the network object on the right incl. address and zone.
    If the Outlook App for iOS or Android by Microsoft is to be used, access from other sources (currently:USA) may also have to be permitted here.
    The Outlook app from Microsoft does not establish a direct connection, but routes all traffic via Microsoft servers. Their location is ( as at 08.2022) in the USA.
    That's also where the access data is stored!
      
    Step 3: Edit existing rules
    Step 3: Edit existing rules
    Add a new rule under → Firewall →PortfilterTab Portfilter with Button Add rule or edit an existing one UTM v12.3.5 Firewall Portfilterregel hinzufügen GeoIP-en.png
    Source: Map-marked-alt-custom-multiple.svg GeoIP-Test Select the desired group in the drop-down menu in the GeoIP network objects section
    Destination: Interface.svg external-interface Interface on which the packets to be allowed arrive
    Service: Tcp.svg https Service or service group to be allowed
    Action: ACCEPT Lets the packets pass through
    Logging: SHORT Select desired logging
    Group default Selection from preset groups, which selects e.g. all countries of a continent.
    Save
    Step 4: Update Rules
    Step 4: Update Rules
    Update Rules


    Database update via CLI

  • The system regularly updates the Geo-IP databases automatically.
  • The status of the database can be queried with the command:
    geolocation info

    cli> geolocation info
    attribute          |value
    -------------------+-----
    IP4 Database Status|need update
    IP4 Last Update    |2023-02-14 09:36:22.060000000 +0100
    IP6 Database Status|need update
    IP6 Last Update    |2023-02-14 09:36:22.700000000 +0100
    

    The message need update appears when an update is available.

    An update of the database is done with the CLI command:
    geolocation update. Attention: The status message occurs with a small delay of a few seconds.

    cli> geolocation update
    OK
    cli> geolocation info
    attribute          |value
    -------------------+-----
    IP4 Database Status|ok   
    IP4 Last Update    |2023-03-26 07:54:29.339700632 +0200
    IP6 Database Status|ok   
    IP6 Last Update    |2023-03-26 07:54:29.899700632 +0200
    

    Block potentially dangerous IPs

    Regardless of the geographical assignment of an IP, IPs that have been identified as potentially threatening can be blocked via the Cyber Defence Cloud: Activate under → Application →IDS/IPSTab Cyber Defence Cloud Button Log and drop connections

    This setting is not activated by default, as the UTM does not perform any blocking that is not explicitly wanted!