Configure Geolocation
The Geolocation subscription service uses a database of IP addresses and countries to identify the geographic location of connections through the Firebox.
To use Geolocation, the Firebox must have a feature key that enables the RED subscription service. For more information, go to:
When you enable Geolocation or change the countries to block, the Firebox blocks new incoming and outgoing connections to or from sites located in the specified countries. The Geolocation settings apply only to new connections. If you block connections to a country, the Firebox does not drop existing connections to that country.
WARNING: If your internal network or FireCluster configuration uses IP addresses outside the reserved private IP address ranges defined in RFC 1918, RFC 5737, or RFC 8190, look up the geolocation of the IP addresses you use before you block a country.
Before you configure Geolocation to block a country, make sure to evaluate the geographic location of sites that users and servers on your network must connect to. A site that is hosted in one country may include content that is hosted elsewhere.
To look up the geolocation of an IP address, from Fireware Web UI select Dashboard > Geolocation > Lookup. For more information, go to Geolocation Dashboard.
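The warning above can be pre-screened before you block a country. This added example (not WatchGuard code) checks a list of internal subnets against the RFC 1918 and RFC 5737 blocks and returns the ones you should look up in Dashboard > Geolocation > Lookup. The INTERNAL inventory and the function names are constructed for illustration, and RFC 8190 registry entries are not enumerated, so any other range is flagged for a manual lookup.

```python
import ipaddress

# Reserved blocks named in the warning. RFC 1918 and RFC 5737 list these
# blocks explicitly. Assumption: RFC 8190 registry entries are not enumerated
# here, so anything outside this set is flagged for a manual lookup.
RESERVED = {
    "RFC 1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 5737": ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"],
}
_RESERVED_NETS = [
    (rfc, ipaddress.ip_network(block))
    for rfc, blocks in RESERVED.items()
    for block in blocks
]


def classify(cidr):
    """Return ('reserved', rfc), ('partial', rfc) or ('lookup', None)."""
    # strict=False accepts host-style input such as 192.168.50.1/24.
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return ("lookup", None)  # only IPv4 blocks are listed above
    for rfc, block in _RESERVED_NETS:
        if net.subnet_of(block):
            return ("reserved", rfc)  # wholly inside a reserved block
    for rfc, block in _RESERVED_NETS:
        if net.overlaps(block):
            return ("partial", rfc)  # mask too short: spills into public space
    return ("lookup", None)


def needs_lookup(cidrs):
    """Subnets to check in the Geolocation lookup before blocking a country."""
    return [c for c in cidrs if classify(c)[0] != "reserved"]


# Constructed sample inventory of internal and FireCluster subnets.
INTERNAL = [
    "10.20.0.0/16",     # reserved (RFC 1918)
    "172.16.0.0/11",    # /11 extends beyond 172.16.0.0/12
    "192.168.50.1/24",  # reserved (RFC 1918)
    "11.0.0.0/24",      # public address space used internally
    "198.51.100.0/25",  # reserved (RFC 5737)
]

if __name__ == "__main__":
    for cidr in INTERNAL:
        print(cidr, classify(cidr))
    print("Look up before blocking:", needs_lookup(INTERNAL))
```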
Enable Geolocation
When you enable the Geolocation subscription service, Geolocation is enabled automatically for all policies. In Fireware 12.3 or higher, all policies are initially configured to use the default Global action automatically.
When you enable Geolocation, a warning message appears if automatic updates are disabled for the Geolocation database. To configure automatic updates, go to Configure the Geolocation Update Server.
To enable Geolocation, from Fireware Web UI:
- Select Subscription Services > Geolocation.
The Geolocation page appears.
- Select the Enable Geolocation check box.
To enable Geolocation, from Policy Manager:
- Select Subscription Services > Geolocation.
The Geolocation dialog box appears.
- Select the Enable Geolocation check box.
- Click OK.
Configure Geolocation Actions
A Geolocation action is a set of settings that contains a list of blocked countries and exceptions that specify any sites you never want to block.
By default, all policies are initially configured to use the Global Geolocation action. If you want to use different Geolocation settings for different types of traffic, you can configure additional Geolocation actions and apply them to your policies. For example, you could configure an SMTP policy to use a Geolocation action that blocks fewer countries than the Geolocation action you use for other policies.
You can configure Geolocation actions in Fireware 12.3 or higher. In Fireware 12.2.x and lower, only one set of Geolocation settings is available.
Add or Edit Geolocation Actions
To add or edit Geolocation actions:
- Select Subscription Services > Geolocation.
- To create a new Geolocation action, click Add.
Or, to edit an action, select the action name and click Edit.
- If this is a new action, in the Name text box, type the name of the action.
- (Optional) In the Description text box, type a description of the action.
- On the Map or Country List tabs, select countries to block. For more information, go to Select Countries to Block.
- If there are sites you want to allow in the blocked countries, on the Exceptions tab, configure exceptions. For more information, go to Configure Geolocation Exceptions.
- Click Save (Fireware Web UI) or OK (Policy Manager).
Clone Geolocation Actions
To create a new Geolocation action that is similar to one that you have already created, you can clone (copy) an existing action.
To clone a Geolocation action:
- Select Subscription Services > Geolocation.
- Select the Geolocation action you want to clone.
- Click Clone.
- Edit the Geolocation action, as described in the previous section.
Remove Geolocation Actions
You can remove any user-defined Geolocation action that is not used in a policy. The Global Geolocation action is created by default and cannot be removed.
To remove a Geolocation action:
- Select Subscription Services > Geolocation.
- Select the Geolocation action you want to remove.
- Click Remove.
A confirmation message appears.
- Click Yes.
The action is removed from the list.
Select Countries to Block
In Geolocation actions, you can select the countries to block from a map or from a list of countries. If you want to block the same countries in multiple actions or on multiple Fireboxes, you can also import and export the list of blocked countries.
Select Countries to Block on a Map
On the Map tab, the currently blocked countries are shown in red. You can unlock the map to change the countries to block.
To select countries on the map, from Fireware Web UI:
- Add or edit a Geolocation action (Fireware 12.3 or higher).
- Select the Map tab.
A world map appears. Blocked countries are colored red.
- To unlock the map, click Edit.
The Edit button label changes to Lock.
- To interact with the map:
  - Use the mouse scroll wheel to zoom in and out.
  - Click and drag the map to reposition it in the window.
  - Point to a country to see its name.
- To block or unblock connections to or from a country, click the country on the map.
The country color changes to indicate whether connections to and from that country are blocked. Blocked countries are shown in red.
- To lock the map, click Lock.
- To save your changes, click Save below the map.
To select countries on the map, from Policy Manager:
- Add or edit a Geolocation action (Fireware 12.3 or higher).
- Select the Map tab.
A world map appears. Blocked countries are colored red.
- To unlock the map, click the lock icon.
- To interact with the map:
  - Use the mouse scroll wheel to zoom in and out.
  - Click and drag the map to reposition it in the window.
  - Point to a country to see its name.
- To block or unblock connections to or from a country, click the country on the map.
The country color changes to indicate whether connections to and from that country are blocked. Blocked countries are shown in red.
- To lock the map, click the Lock icon.
- Click OK.
Select Countries to Block from a List
The Country List tab shows a list of all countries, organized by continent. You can block or unblock individual countries or all countries on a continent.
To select countries from the list, from Fireware Web UI:
- Add or edit a Geolocation action (Fireware 12.3 or higher).
- Select the Country List tab.
A list of countries appears, separated into sections by continent.
- To see or hide the list of countries for a continent, click the continent name.
- Select the countries you want to block:
  - To select an individual country, select the check box next to its flag.
  - To block all countries in a continent, click Select All in the continent section header.
  - To unblock all countries in a continent, click Clear All in the continent section header.
- Click Save.
To select countries from the list, from Policy Manager:
- Add or edit a Geolocation action (Fireware 12.3 or higher).
- Select the Country List tab.
A list of countries appears, separated into sections by continent.
- Select the countries you want to block based on geographic location.
  - To select an individual country, click the adjacent text box.
  - To see or hide the list of countries for a continent, click the continent section header.
  - To select all countries in a continent, click Select All in the country list for that continent.
  - To clear the check boxes for all countries in a continent, click Clear All in the country list for that continent.
- Click OK.
Import and Export the Blocked Country List
You can export the list of blocked countries from one Geolocation action and import it to another action on the same or a different Firebox. This makes it easy to block connections to and from the same countries on all the Fireboxes you manage.
When you import blocked countries to a Geolocation action, you must specify whether to clear the existing list of countries first. If you choose not to clear the list, the imported countries are added to the existing list of countries.
To export the blocked country list, from Fireware Web UI:
- Add or edit a Geolocation action (Fireware 12.3 or higher).
- Select the Country List tab.
- Click Export.
The blocked country list is saved in the geoblocked_countries.txt file. In some browsers, the file is saved to your Downloads folder.
To export the blocked country list, from Policy Manager:
- Add or edit a Geolocation action (Fireware 12.3 or higher).
- Select the Country List tab.
- Click Export.
- Specify the file name and the location where you want to save the file.
The blocked country list is saved as a text file in the location you specified.
To import a blocked country list, from Fireware Web UI:
- Add or edit a Geolocation action (Fireware 12.3 or higher).
- Select the Country List tab.
- Click Import.
A confirmation message appears.
- Click Yes to remove the current blocked countries, or No to keep the current blocked countries.
- Select the file to import.
- Click Import.
The blocked countries from the file are added to the blocked countries list.
To import a blocked country list, from Policy Manager:
- Add or edit a Geolocation action (Fireware 12.3 or higher).
- Select the Country List tab.
- Click Import.
- Select the file to import.
A confirmation message appears.
- Click Yes to remove the current blocked countries, or No to keep the current blocked countries.
The blocked countries from the file are added to the blocked countries list.
Assign Geolocation Actions to Policies
By default, all policies are initially configured to use the Global Geolocation action. If you want to use different Geolocation settings, you can assign a different Geolocation action to one or more policies in the Geolocation page.
You can also enable Geolocation and assign an action when you edit a policy. For more information, go to Enable Geolocation in a Policy.
To assign Geolocation actions to policies, from Fireware Web UI:
- Select Subscription Services > Geolocation.
The Geolocation Actions page appears. The Geolocation Policies section shows the Geolocation action enabled for each policy.
- Select the check box next to the name of each policy you want to assign the Geolocation action to.
- From the Select Action drop-down list, select the Geolocation action to assign to the selected policies.
Or, to disable Geolocation for the selected policies, select None.
- Click Save.
To assign Geolocation actions to policies, from Policy Manager:
- Select Subscription Services > Geolocation.
The Geolocation dialog box appears.
- Select the Policies tab.
A list of configured policies appears. The Action column shows which Geolocation action is assigned to each policy.
- To change the action for one or more policies, select the policies in the list.
Use the Ctrl or Shift keys to select multiple policies at the same time.
- From the Select action drop-down list, select a Geolocation action to assign to the selected policies.
Or, to disable Geolocation for the selected policies, select None.
- Click OK.