Configure Geolocation

The Geolocation subscription service uses a database of IP addresses and countries to identify the geographic location of connections through the Firebox.

To use Geolocation, the Firebox must run Fireware v11.12 or higher and must have a feature key that enables the RED subscription service. For more information, see:

When you enable Geolocation or change the countries to block, the Firebox blocks new incoming and outgoing connections to or from sites located in the specified countries. The Geolocation settings apply only to new connections. If you block connections to a country, the Firebox does not drop existing connections to that country.

If your internal network or FireCluster configuration uses IP addresses outside the reserved private IP address ranges defined in RFC 1918, RFC 5737, or RFC 8190, look up the geolocation of the IP addresses you use before you block a country.

Before you configure Geolocation to block a country, make sure to evaluate the geographic location of sites that users and servers on your network must connect to. A site that is hosted in one country may include content that is hosted elsewhere.

To look up the geolocation of an IP address, from Fireware Web UI select Dashboard > Geolocation > Lookup. For more information, see Geolocation Dashboard.
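To find which internal or FireCluster addresses need that lookup, the sketch below subtracts the reserved ranges from each network in an inventory and reports what is left. This is an added example, not WatchGuard code; the function names and the sample inventory are hypothetical, and it lists only the RFC 1918 and RFC 5737 ranges, so add any RFC 8190 registry ranges you rely on.

```python
import ipaddress

# RFC 1918 private ranges and RFC 5737 documentation ranges (IPv4 only).
# RFC 8190 updates the IANA special-purpose registries; those entries are
# not enumerated here and must be added by hand if you use them.
RESERVED = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # RFC 5737
)]

def outside_reserved(cidr):
    """Return the parts of `cidr` that are not covered by RESERVED."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    remaining = [net]
    for reserved in RESERVED:
        kept = []
        for piece in remaining:
            if piece.subnet_of(reserved):
                continue                      # fully inside a reserved range
            if reserved.subnet_of(piece):
                # Supernet that only partly overlaps: keep the uncovered part.
                kept.extend(piece.address_exclude(reserved))
            else:
                kept.append(piece)            # disjoint from this range
        remaining = kept
    return [str(n) for n in sorted(remaining)]

# Constructed sample inventory (labels and networks are illustrative).
SAMPLE_INVENTORY = {
    "trusted": "10.0.1.0/24",
    "dmz": "198.51.100.0/24",
    "legacy-lab": "11.0.0.0/24",      # public space reused internally
    "cluster-mgmt": "172.0.0.0/11",   # supernet wider than 172.16.0.0/12
}

def audit(inventory):
    """Map each label to the address space that needs a geolocation lookup."""
    findings = {}
    for label, cidr in inventory.items():
        outside = outside_reserved(cidr)
        if outside:
            findings[label] = outside
    return findings

if __name__ == "__main__":
    for label, nets in audit(SAMPLE_INVENTORY).items():
        print(f"{label}: look up {', '.join(nets)} before you block a country")
```

Any network the audit reports should be checked in Dashboard > Geolocation > Lookup before you block the country it resolves to.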

Enable Geolocation

When you enable the Geolocation subscription service, Geolocation is enabled automatically for all policies. In Fireware 12.3 or higher, all policies are initially configured to use the default Global action automatically.

When you enable Geolocation, a warning message appears if automatic updates are disabled for the Geolocation database. To configure automatic updates, see Configure the Geolocation Update Server.

Configure Geolocation Actions

A Geolocation action is a set of settings that contains a list of blocked countries and exceptions that specify any sites you never want to block.

By default, all policies are initially configured to use the Global Geolocation action. If you want to use different Geolocation settings for different types of traffic, you can configure additional Geolocation actions and apply them to your policies. For example, you could configure an SMTP policy to use a Geolocation action that blocks fewer countries than the Geolocation action you use for other policies.

You can configure Geolocation actions in Fireware 12.3 or higher. In Fireware 12.2.x and lower, only one set of Geolocation settings is available.

Add or Edit Geolocation Actions

To add or edit Geolocation actions:

  1. Select Subscription Services > Geolocation.
  2. To create a new Geolocation action, click Add.
    Or, to edit an action, select the action name and click Edit.

Geolocation action settings in Fireware Web UI

Geolocation action settings in Policy Manager

  3. If this is a new action, in the Name text box, type the name of the action.
  4. (Optional) In the Description text box, type a description of the action.
  5. On the Map or Country List tabs, select countries to block. For more information, see Select Countries to Block.
  6. If there are sites you want to allow in the blocked countries, on the Exceptions tab, configure exceptions. For more information, see Configure Geolocation Exceptions.
  7. Click Save (Fireware Web UI) or OK (Policy Manager).

Clone Geolocation Actions

To create a new Geolocation action that is similar to one that you have already created, you can clone (copy) an existing action.

To clone a Geolocation action:

  1. Select Subscription Services > Geolocation.
  2. Select the Geolocation action you want to clone.
  3. Click Clone.
  4. Edit the Geolocation action, as described in the previous section.

Remove Geolocation Actions

You can remove any user-defined Geolocation action that is not used in a policy. The Global Geolocation action is created by default and cannot be removed.

To remove a Geolocation action:

  1. Select Subscription Services > Geolocation.
  2. Select the Geolocation action you want to remove.
  3. Click Remove.
    A confirmation message appears.
  4. Click Yes.
    The action is removed from the list.

Select Countries to Block

In Geolocation actions, you can select the countries to block from a map or from a list of countries. If you want to block the same countries in multiple actions or on multiple Fireboxes, you can also import and export the list of blocked countries.

Select Countries to Block on a Map

On the Map tab, the currently blocked countries are shown in red. You can unlock the map to change the countries to block.

Select Countries to Block from a List

The Country List tab shows a list of all countries, organized by continent. You can block or unblock individual countries or all countries on a continent.

Import and Export the Blocked Country List

You can export the list of blocked countries from one Geolocation action and import it to another action on the same or a different Firebox. This makes it easy to block connections to and from the same countries on all the Fireboxes you manage.

When you import blocked countries to a Geolocation action, you must specify whether to clear the existing list of countries first. If you choose not to clear the list, the imported countries are added to the existing list of countries.

Assign Geolocation Actions to Policies

By default, all policies are initially configured to use the Global Geolocation action. If you want to use different Geolocation settings, you can assign a different Geolocation action to one or more policies on the Geolocation page.

You can also enable Geolocation and assign an action when you edit a policy. For more information, see Enable Geolocation in a Policy.

See Also

About Geolocation

Configure Geolocation Exceptions

Configure the Geolocation Update Server