How to block the client from accessing a certain country using Geo IP?

Zyxel_Jeff Posts: 1,083  Zyxel Employee
edited November 2023 in Security Service

Geo IP identifies the country an IP address belongs to, which lets you use a security policy to block clients from accessing a certain country.

When a user makes an HTTP or HTTPS request, the USG Flex H looks up the IP address in the cloud database, then takes action when it matches a blocked country in the security policy.

USG Flex H Geo IP Example:

Note: All network IP addresses and subnet masks are used as examples in this article. Please replace them with your actual network IP addresses and subnet masks. This example was tested using USG Flex 500H (Firmware Version: 1.10).

Set Up the Address Object with Geo IP on the USG Flex H

Navigate to Object > Address > Geo IP and add a Geo IP related object.

Navigate to Object > Address > Address to see the customized GEOGRAPHY address object.

Navigate to Object > Address > Address Group > Add Address Group Rule, and add all customized GEOGRAPHY addresses into the same Member object.

Set Up the Security Policy on the USG Flex H

Go to Security Policy > Policy Control and configure a Name to identify the Security Policy profile. Set it to deny Geo IP traffic from LAN to WAN (geo_block_policy in this example).

Test the Result

When the LAN PC tries to access a website that matches the blocked geographical location, it is unable to reach those sites. The situation is as follows:

To view the log message, go to USG Flex H Log & Report > Log / Events. You will find log messages similar to the following. Any traffic that matches the Geo IP policy will be blocked, and the details will be displayed in the Message field.
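
A simplified model of the match logic described in this post, as an added example that is not Zyxel code or part of the original post. It assumes a constructed Geo IP table (documentation IP ranges, made-up country codes XA and XB), a hypothetical default_allow rule and first-match policy ordering, and it shows that a destination missing from the database is not caught by geo_block_policy.

```python
import ipaddress

# Constructed Geo IP database: documentation ranges mapped to made-up
# country codes (XA, XB). A real device queries the vendor's cloud database.
GEO_DB = {
    ipaddress.ip_network("192.0.2.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
}

# Address group holding the GEOGRAPHY objects (contents are constructed).
GEO_BLOCK_GROUP = {"XA"}

# Ordered policy list, first match wins. default_allow is a hypothetical
# rule added so the model has something after geo_block_policy.
POLICIES = [
    {"name": "geo_block_policy", "from": "LAN", "to": "WAN",
     "dst_countries": GEO_BLOCK_GROUP, "action": "deny"},
    {"name": "default_allow", "from": "LAN", "to": "WAN",
     "dst_countries": None, "action": "allow"},
]


def lookup_country(ip):
    """Return the country code for ip, or None when the database has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_DB.items():
        if addr in net:
            return country
    return None


def evaluate(src_zone, dst_zone, dst_ip):
    """Return (action, policy_name, country) for one connection attempt."""
    country = lookup_country(dst_ip)
    for p in POLICIES:
        if (p["from"], p["to"]) != (src_zone, dst_zone):
            continue
        # dst_countries None means "any destination".
        if p["dst_countries"] is None or country in p["dst_countries"]:
            return p["action"], p["name"], country
    # Model assumption: traffic with no rule for its zone pair is denied.
    return "deny", "implicit_deny", country


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", evaluate("LAN", "WAN", ip))
```

The third address is in neither range, so its country lookup returns nothing and the flow falls through to the next rule; on a real deployment, check the log for destinations you expected to be blocked but that were allowed.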