This tutorial will guide you through the Geo-IP function, which has been available since firmware v4.20!
Geo-IP allows you to block internet traffic coming in from specific countries. For example, you can block countries that are well known as the origin of malicious attacks. This becomes especially important in an ever more interconnected world that, at the same time, still carries multiple economically and politically motivated conflicts.
Note: The Geo-IP feature used to be part of the Content Filter and therefore required a license before use. Since firmware v5.02 (ATP / USG FLEX) and v4.65 (USG / ZyWall 110/310/1100), it is included as a free feature, so enjoy your newly gained security feature at no extra cost!
In the configuration example below, we show how to block traffic from a specific country. In our example, North Korea is the country we want to block.
- Log in to the unit by entering its IP address and the credentials of an admin account (by default, the username is “admin” and the password is “1234”)
- Navigate to Configuration > Object > Address/Geo IP and click “Add”
- Type in a descriptive name for the object, choose “GEOGRAPHY” as the Address Type, choose the required country and click “OK”
- On the “Geo IP” tab above you can update the Geo IP database, configure an automatic update schedule for the database, create your IPv4 to Geography rules and test individual IPs to see which country they belong to
- Navigate to Configuration > Security Policy > Policy Control and click “Add”
- Choose “From: any”, “To: any (Excluding ZyWall)”, select the Geo IP country object as the Source and click “OK”
- Choose "Action: Deny".
Once this firewall rule is active, requests from that country to your internal networks will be blocked. You can enable logging for the rule and review the matches under Monitor > Log.
Note: To also block access from that country to the ZyWall itself, you need to create a second firewall rule similar to the first one, with the destination set to “ZyWall”. Also note that a sophisticated attack routed through proxy servers may mask the country of origin, so the Geo-IP feature can only provide a certain level of security.
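To make the two-rule requirement concrete, here is an added example (not Zyxel code, and not the device's CLI) that models the policy logic described above in Python: a GEOGRAPHY address object is resolved against a constructed geo-IP table, and a deny rule with destination "any (Excluding ZyWall)" is evaluated against traffic to a LAN host and to the ZyWall itself. The IP ranges, the ZyWall address and the rule names are constructed placeholders, not real allocations.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed geo-IP table (documentation ranges, NOT real country allocations).
# A real unit resolves countries from its downloadable Geo IP database instead.
GEO_DB = {
    "KP": [ipaddress.ip_network("203.0.113.0/24")],   # placeholder "North Korea"
    "DE": [ipaddress.ip_network("198.51.100.0/24")],  # placeholder "Germany"
}

ZYWALL_ADDR = ipaddress.ip_address("192.0.2.1")  # assumed WAN address of the unit


def country_of(ip: str) -> Optional[str]:
    """Mimic the 'test IP' function on the Geo IP tab: map an address to a country code."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in GEO_DB.items():
        if any(addr in net for net in nets):
            return cc
    return None


@dataclass
class Rule:
    name: str
    src_country: str      # the GEOGRAPHY address object used as Source
    to_zywall: bool       # True: To "ZyWall"; False: To "any (Excluding ZyWall)"
    action: str = "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """First-match policy evaluation; traffic that matches no rule is allowed here."""
    dst_is_zywall = ipaddress.ip_address(dst_ip) == ZYWALL_ADDR
    src_cc = country_of(src_ip)
    for rule in rules:
        if rule.src_country == src_cc and rule.to_zywall == dst_is_zywall:
            return rule.action, rule.name
    return "allow", None


# Rule set after the tutorial steps: only traffic towards internal networks is covered.
RULES_LAN_ONLY = [Rule("Block_KP_to_LAN", "KP", to_zywall=False)]
# Rule set after adding the second rule from the note: the ZyWall itself is covered too.
RULES_FULL = RULES_LAN_ONLY + [Rule("Block_KP_to_ZyWall", "KP", to_zywall=True)]
```

Running `evaluate(RULES_LAN_ONLY, "203.0.113.5", "192.0.2.1")` shows the gap the note describes: the first rule alone does not deny traffic aimed at the ZyWall.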