Monitor Geolocation Activity

Geolocation of Allowed Connections

In Fireware Web UI, you can use the Geolocation Dashboard to monitor the geographic location of connections allowed through the Firebox and to look up the geographic location of an IPv4 or IPv6 address. The Geolocation Dashboard does not show connections that were blocked based on the geographic location of the source or destination. For more information about the Geolocation Dashboard, go to Geolocation Dashboard.

Geolocation Statistics

From Fireware Web UI and Firebox System Manager, you can see Geolocation statistics, which include the total number of source and destination IP addresses that were scanned, and the number of connections blocked based on source or destination IP address. You can also see the version information of your Geolocation database and manually update the database to the latest version.

Select Dashboard > Subscription Services.

Screen shot of the Geolocation Blocking widget

Select the Subscription Services tab.

Screen shot of the Subscription Services tab > Geolocation Blocking statistics

For more information about these statistics, go to Geolocation Statistics.

Geolocation IP Address Lookup

From the Subscription Services tab in Firebox System Manager you can look up the country and continent of an IP address.

To look up the location of an IP address, from the Subscription Services tab:

  1. In the Geolocation section, click Look Up IP.
    The Geolocation IP Address Lookup dialog box appears.
  2. In the IP Address text box, type an IP address.
  3. Click Look Up.
    The results appear in the Recent Results section.

Screen shot of the Geolocation IP Address Lookup dialog box

You can also look up the location of an IP address from the Geolocation Dashboard in Fireware Web UI. For more information, go to Geolocation Dashboard.

Geolocation Log Messages

Your Firebox generates a log message when Geolocation blocks a connection based on the geographic location of the source or destination. Geolocation log messages indicate whether the connection was blocked based on the geographic location of the connection source or destination, and include the country abbreviation. For example, this log message shows a connection denied based on the geographic location of the destination:

2018-10-05 11:34:06 Deny 10.0.1.3 185.89.207.21 https/tcp 60183 443 1-Trusted 0-External blocked sites (geolocation destination) 52 127 (HTTPS-proxy-00) proc_id="firewall" rc="101" msg_id="3000-0173" tcp_info="offset 8 S 3686646637 win 8192" geo_dst="GBR" geo="geo_dst"

When you enable Geolocation, all traffic log messages show the destination or source of the connection external to the Firebox. This information can help you decide if you want to block connections to or from a geographic location.

The log rate you specify for Blocked Sites also controls the maximum frequency of Geolocation log messages. For more information about log rates, go to Set Logging and Notification Preferences.

In Traffic Monitor, you can filter the log messages for information about connections blocked by Geolocation.

  • To see log messages for all connections blocked by Geolocation, search for: geo=
  • To see log messages for connections blocked based on the source, search for: geo="geo_src"
  • To see log messages for connections blocked based on the destination, search for: geo="geo_dst"

For more information about how to see and filter log messages in Fireware Web UI, go to Traffic Monitor.

For more information about how to see and filter log messages in Firebox System Manager, go to Device Log Messages (Traffic Monitor).

Related Topics

About Geolocation

Configure Geolocation Exceptions

Configure the Geolocation Update Server