Feature suggest: update GeoIP DB at boot for firewall

mMontana Posts: 1,337  Guru Member
edited February 7 in Security

This is what happened to me…

My ISP is a phone provider operating in more than one country, mobile and not. It is currently offloading some public IPv4 addresses from one country to mine, and now I'm connected with one from "another country", now provided to mine.

I updated firmware in some appliances.
Some of the rules are for allowing VPN access only from my country.
After reboot, GeoIP rules blocked me from accessing the device.

This led to unwanted behaviour: the firewall working, but with a blocking (instead of useful) GeoIP firewall rule.

This could also happen simply by rebooting the device: the GeoIP DB provided with the firmware is dated… as the firmware pack (not even release).

IMVHO, within 5/10 minutes from boot time, the firewall should automatically trigger a GeoIP DB update. This could solve the issue in a "clean" and manageable way. Packing firmware still with (or without) a GeoIP DB available.
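
The stale-database lockout described in the post above, modelled as an added example (not part of the original post and not Zyxel code): it compares a firmware-bundled GeoIP snapshot with a newer one and lists the management addresses that a country allow-list would reject after a reboot. The snapshots, the country codes `XA`/`XB`, the version strings and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation IP ranges, user-assigned country
# codes (XA = "my country", XB = "another country"), made-up version dates.
BUNDLED_DB = {  # snapshot shipped inside the firmware image (older)
    "version": "2000-01-01",
    "ranges": {"198.51.100.0/24": "XB", "203.0.113.0/24": "XA"},
}
CURRENT_DB = {  # snapshot the update server would offer (newer)
    "version": "2000-06-01",
    "ranges": {"198.51.100.0/24": "XA", "203.0.113.0/24": "XA"},
}

def country_of(db, ip):
    """Longest-prefix match of ip against a snapshot; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, cc in db["ranges"].items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None

def lockout_risks(bundled, current, allowed, mgmt_ips):
    """Management IPs admitted with the current data but rejected with the
    bundled data, i.e. the ones locked out once a reboot restores it."""
    risks = []
    for ip in mgmt_ips:
        old, new = country_of(bundled, ip), country_of(current, ip)
        if new in allowed and old not in allowed:
            risks.append((ip, old, new))
    return risks

def should_update_at_boot(stored_version, available_version):
    """Download only if the offered snapshot is newer (ISO dates sort as text)."""
    return available_version > stored_version

if __name__ == "__main__":
    for ip, old, new in lockout_risks(BUNDLED_DB, CURRENT_DB, {"XA"},
                                      ["198.51.100.7", "203.0.113.9"]):
        print(f"{ip}: bundled DB says {old}, current DB says {new}")
```

Running such a check before a firmware upgrade shows which remote admin or VPN source addresses need a temporary non-GeoIP allow rule until the database has been refreshed.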

All Replies

  • lalaland
    lalaland Posts: 90  Ally Member

    The GEO IP database doesn't undergo frequent changes.
    If triggered for an update every time the system boots up, wouldn't it cause system busyness?

  • mMontana
    mMontana Posts: 1,337  Guru Member

    AFAIK there's a comparison between the one stored and the one available. Only after "acknowledging" a fresher DB should the download happen.

    The GeoIP DB is stored in the firmware.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,099  Zyxel Employee

    Hi @mMontana

    Many thanks for your valued suggestion. Currently, the Geo IP is a database-based design and can be updated manually or on a weekly schedule.

  • mMontana
    mMontana Posts: 1,337  Guru Member

    In this specific case, auto update was set up.

    However, without being allowed to connect due to the old GeoIP DB, I was not able to update manually.

    The usual chicken/egg problem, unfortunately.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,099  Zyxel Employee

    OK, noted it. Thank you for your update.

  • Mario
    Mario Posts: 104  Ally Member

    @mMontana

    I understand your point.
    An up-to-date version of all signatures should be supplied with at least every firmware release!
    After an update I always run an update of all signatures to reduce the attack surface.
    The firmware 5.73.2 from today delivers signatures from November 2023 😒

  • c777
    c777 Posts: 11

    Hello,

    With a usg20w-vpn, I had 1 to 2 updates per week. But since March 11, nothing.

    Personally, I would have set up a daily schedule, even if the updates were happening once a week.

  • mMontana
    mMontana Posts: 1,337  Guru Member

    Today I updated the DB. And now it's 29/03 (29th of March).

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,099  Zyxel Employee

    Hi @mMontana

    OK, thank you for your update.
