IP addresses can be assigned to a country via the IP networks they belong to and the organisations and institutions to which those networks are allocated.
For this purpose, the UTM holds a GeoIP object for each country in which these assignments are stored.
This database is updated regularly, independently of the firmware.
IPs that are not covered by the database are not taken into account by the rules. The UTM checks weekly (or on demand via the CLI) whether a new database is available.
The UTM treats the GeoIPs as network objects in the zone external (see Setting up additional zones for GeoIP below).
The actual location of a host may differ from the assignment or may not be visible at all, e.g. because of a VPN tunnel!
System-wide blocking

Under Firewall → Implied Rules, regions can be blocked system-wide as source or destination.
These settings apply system-wide in all zones and are evaluated before the port filter rules!
Note: This article refers to a version that is no longer current! A newer version of this article exists, but it refers to a Reseller-Preview.
Rules

Dialogue: Implied Rules

Active | Group/Rule       | Description
On     | GeoIP            | Activates the GeoIP settings for both sources and destinations
On     | IPGeoBlockingSrc | Activates the GeoIP settings for rejected sources
On     | IPGeoBlockingDst | Activates the GeoIP settings for rejected destinations
GeoIP settings

Dialogue: GeoIP Settings

Caption                           | Value                | Description
System-wide dropped sources:      | ×BX (random example) | In the click box, countries can be selected that are to be blocked as sources.
Group: (new as of 12.4)           | All                  | Selection from preset groups, which selects e.g. all countries of a continent.
+Add                              |                      | Adds the regions of the selected group
-Remove                           |                      | Removes the regions of the selected group
Exceptions (sources):             | ×IP address          | Exceptions to the system-wide rejected sources can be defined here.
System-wide dropped destinations: | ×BX (random example) | In the click box, countries can be selected that are to be blocked as destinations. This prevents access via browsers as well as, for example, the download of malicious code from those regions.
Exceptions (destinations):        | ×IP address          | Exceptions to the system-wide rejected destinations can be defined here.
GeoIP based port filter rules

GeoIP network objects are located in the zone external by default.
Setting up additional zones for GeoIP

Dialogue: Network object GeoIP

If the Internet-facing interface is located in a different zone, or if Internet access exists on several interfaces in further zones, GeoIP network objects must also exist in those zones.
Under Firewall → Portfilter, tab Network Objects, button Add Object, a new network object of type GeoIP can be added. The zone in which these objects are to be located must be specified. A prefix is optional. See also Wiki: Portfilter / Create network objects.
Alternatively, this is done with a CLI command:

    node geoip generate zone <zone> name <prefix>

The prefix name is optional; the zone must already exist.
Example: node geoip generate zone external2 name EXT2_
This command creates an additional network object in the zone external2 for each region. For Germany, the object would then be called EXT2_GEOIP:DE.
Attention: This command creates approx. 250 new network objects.
Example: Blocking

Certain regions are to be denied access to certain ports. Here: no mail from Antarctica.

Step 1: Create a network group

Add a network group for the GeoIPs to be blocked in the Network Groups section with the Add Group button.

Caption          | Value                  | Description
Name:            | Geo-Blocking-Mail      | Meaningful name for the network group
Network Objects: | ×GEOIP:AQ (Antarctica) | Search text for the desired country
+Add object      |                        | Opens the dialogue to add a network object
Save             |                        | Saves the settings

Step 2: Overview Network Groups

Caption          | Value    | Description
Edit icon        |          | Opens the editing window again, e.g. to add more regions
Delete icon      |          | Deletes the network group
Network Objects: | GEOIP:AQ | Shows the network object on the right incl. address and zone

Step 3: Add port filter rules

Create a new port filter rule under Firewall → Portfilter, tab Portfilter, with the Add rule button.

Caption       | Value              | Description
Source:       | Geo-Blocking-Mail  | Select the desired group from the drop-down menu in the GeoIP network objects section
Destination:  | external-interface | Interface on which the packets to be blocked arrive
Service:      | smtp               | Service or service group to be blocked
Action:       | DROP               | Discards the packets
Logging:      | SHORT              | Select the desired logging
Group         | default            | Selection from preset groups, which selects e.g. all countries of a continent.
Add and close |                    | Saves the rule and closes the dialogue

Step 4: Update Rules

Apply the change with the Update Rules button.
Example: Allow access

Access from abroad is to be restricted to selected countries. A port filter rule allows access from the Internet to the external interface via https. For this, click the Add group button under Firewall → Portfilter, tab Network Objects.

Step 1: Create a network group

Caption          | Value                                      | Description
Name:            | GeoIP-Test                                 | Meaningful name for the network group
Network Objects: | ×GEOIP:AT (Austria) ×GEOIP:DE (Germany)    | GeoIPs can already be selected here. Alternatively, the GeoIPs can be added in the following step.
+Add object      |                                            | Opens the dialogue to add a network object
Save             |                                            | Saves the settings

Step 2: Overview Network Groups

Caption          | Value               | Description
Edit icon        |                     | Opens the editing window again, e.g. to add more regions
Delete icon      |                     | Deletes the network group
Network Objects: | GEOIP:AT, GEOIP:DE  | Shows the network objects on the right incl. address and zone

If the Outlook app for iOS or Android by Microsoft is to be used, access from other sources (currently: USA) may also have to be permitted here.
The Outlook app from Microsoft does not establish a direct connection but routes all traffic via Microsoft servers, which are located (as of 08.2022) in the USA. That is also where the access data is stored!

Step 3: Edit existing rules

Add a new rule under Firewall → Portfilter, tab Portfilter, with the Add rule button, or edit an existing one.

Caption      | Value              | Description
Source:      | GeoIP-Test         | Select the desired group from the drop-down menu in the GeoIP network objects section
Destination: | external-interface | Interface on which the packets to be allowed arrive
Service:     | https              | Service or service group to be allowed
Action:      | ACCEPT             | Lets the packets pass
Logging:     | SHORT              | Select the desired logging
Group        | default            | Selection from preset groups, which selects e.g. all countries of a continent.
Save         |                    | Saves the rule

Step 4: Update Rules

Apply the change with the Update Rules button.
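The following model, added here as an illustration and not Securepoint code, shows how the pieces described above fit together: the implied rules (system-wide dropped sources plus their exceptions) are evaluated first, then the port filter rules with the Geo-Blocking-Mail and GeoIP-Test groups from the two examples, and an IP the database does not cover never matches a GeoIP rule. The GeoIP table, the country code BX, the networks and the implicit deny at the end are constructed assumptions.

```python
import ipaddress

# Constructed GeoIP table standing in for the UTM's database (example data only,
# not real country assignments): network -> ISO country code.
GEOIP_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "AQ",   # Antarctica
    ipaddress.ip_network("198.51.100.0/24"): "DE",  # Germany
    ipaddress.ip_network("192.0.2.0/24"): "AT",     # Austria
    ipaddress.ip_network("100.64.0.0/24"): "BX",    # the article's "random example" code
}

def country_of(ip):
    """Country code for ip, or None when the database has no entry for it."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP_DB.items() if addr in net), None)

# Implied rules: system-wide, evaluated before the port filter.
IMPLIED_DROPPED_SOURCES = {"BX"}
IMPLIED_SOURCE_EXCEPTIONS = {ipaddress.ip_network("100.64.0.10/32")}

# Network groups of GeoIP objects as created in the two examples above.
GROUPS = {
    "Geo-Blocking-Mail": {"AQ"},
    "GeoIP-Test": {"AT", "DE"},
}

# Port filter rules in order: (source group, service, action). First match wins.
PORTFILTER = [
    ("Geo-Blocking-Mail", "smtp", "DROP"),
    ("GeoIP-Test", "https", "ACCEPT"),
]

def decide(src_ip, service):
    """Return '<ACTION>:<stage>' for a packet from src_ip to the external interface."""
    addr = ipaddress.ip_address(src_ip)
    cc = country_of(src_ip)
    # 1. Implied rules first. An IP unknown to the database has cc None and
    #    therefore never matches any GeoIP rule, system-wide or in the port filter.
    if cc in IMPLIED_DROPPED_SOURCES and not any(addr in n for n in IMPLIED_SOURCE_EXCEPTIONS):
        return "DROP:implied"
    # 2. Port filter rules in configured order.
    for group, svc, action in PORTFILTER:
        if svc == service and cc in GROUPS[group]:
            return f"{action}:portfilter"
    # 3. Nothing matched. Assumed here: implicit deny for traffic no rule allows.
    return "DROP:default"
```

Note that the exception IP 100.64.0.10 only escapes the system-wide drop; it is then still subject to the port filter like any other source.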
Database update via CLI

The system regularly updates the Geo-IP databases automatically.
The status of the database can be queried with the command geolocation info:

    cli> geolocation info
    attribute |value
    -------------------+-----
    IP4 Database Status|need update
    IP4 Last Update |2023-02-14 09:36:22.060000000 +0100
    IP6 Database Status|need update
    IP6 Last Update |2023-02-14 09:36:22.700000000 +0100

The message need update appears when an update is available.
The database is updated with the CLI command geolocation update. Attention: the status message changes only after a small delay of a few seconds.

    cli> geolocation update
    OK
    cli> geolocation info
    attribute |value
    -------------------+-----
    IP4 Database Status|ok
    IP4 Last Update |2023-03-26 07:54:29.339700632 +0200
    IP6 Database Status|ok
    IP6 Last Update |2023-03-26 07:54:29.899700632 +0200
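For monitoring, the output of geolocation info can be parsed to flag a database that reports need update or has not been updated for a while. The parser below is an added example, not a Securepoint tool; the sample output is constructed from the listing above, the reference time NOW is taken from the second listing, and the 7-day threshold is an assumption (the article only says the UTM checks weekly for a new database).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the `geolocation info` output shown above.
SAMPLE = """\
attribute |value
-------------------+-----
IP4 Database Status|need update
IP4 Last Update |2023-02-14 09:36:22.060000000 +0100
IP6 Database Status|ok
IP6 Last Update |2023-02-14 09:36:22.700000000 +0100
"""

# Constructed reference time: the moment of the second `geolocation info` run above.
NOW = datetime(2023, 3, 26, 7, 54, 29, tzinfo=timezone(timedelta(hours=2)))

def parse_geolocation_info(text):
    """Turn the attribute|value table into a dict, skipping header and rule lines."""
    info = {}
    for line in text.splitlines():
        if "|" not in line or set(line.strip()) <= set("-+"):
            continue
        key, _, value = line.partition("|")
        if key.strip() != "attribute":
            info[key.strip()] = value.strip()
    return info

def parse_timestamp(value):
    """Parse '2023-02-14 09:36:22.060000000 +0100'. strptime's %f accepts at most
    six fractional digits, so the nine-digit fraction is truncated first."""
    trimmed = re.sub(r"(\.\d{6})\d+", r"\1", value)
    return datetime.strptime(trimmed, "%Y-%m-%d %H:%M:%S.%f %z")

def databases_needing_attention(info, now, max_age_days=7):
    """Database families (IP4, IP6) whose status is not 'ok' or whose last update
    is older than max_age_days relative to now (assumed threshold)."""
    flagged = []
    for family in ("IP4", "IP6"):
        status = info.get(f"{family} Database Status", "unknown")
        age = now - parse_timestamp(info[f"{family} Last Update"])
        if status != "ok" or age > timedelta(days=max_age_days):
            flagged.append(family)
    return flagged
```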
Block potentially dangerous IPs

Regardless of the geographical assignment of an IP, IPs that have been identified as potentially threatening can be blocked via the Cyber Defence Cloud: activate this under Application → IDS/IPS, tab Cyber Defence Cloud, button Log and drop connections.
This setting is not activated by default, as the UTM does not perform any blocking that is not explicitly wanted!