In a past article, I explained how to auto-block hosts with a WatchGuard Firebox. Yesterday my logs showed over 100 IP addresses auto-blocked in a single day on a Firebox I use for testing, and the blocked-sites list held over 1000 addresses. The Firebox Web UI also displays only a limited number of blocked hosts, so the true total may be larger than what the UI shows.
If you are curious about the traffic in your firewall logs, you can look up which part of the world and which network is trying to reach your systems on blocked ports. To do that, look up the IP address in one of the five Regional Internet Registries (RIRs), which record which organization each block of address space has been allocated to in each part of the world. Each registry has a website with a “whois” search box for this information.
| Registry | Region | Website |
|---|---|---|
| AFRINIC | Africa | https://afrinic.net |
| APNIC | Asia Pacific | https://apnic.net |
| ARIN | North America and parts of the Caribbean | https://arin.net |
| LACNIC | Latin America and parts of the Caribbean | https://lacnic.net |
| RIPE NCC | Europe, the Middle East and Central Asia | https://ripe.net |
You can view the IP addresses that the Firebox auto-blocked by logging into the Fireware Web UI. Click on System Status and then Blocked Sites in the left menu.
Here is a random IP address that tried to connect to a blocked port on my firewall. Let’s see what information we can find out about it.
169.0.121.99
If you have no idea which registry holds the IP address, start with https://arin.net. Enter the IP address in the whois search box and click the arrow or press Enter. When the address belongs to another region, ARIN’s result refers you to the correct registry. (Most command-line whois clients do the same referral for you: whois 169.0.121.99.)
For 169.0.121.99, the ARIN results show that AFRINIC is the registry of record for this address and for the whole range 169.0.0.0 – 169.0.255.255.
If we go to https://afrinic.net and repeat the search, we see that the address falls in the range 169.0.0.0 – 169.0.255.255, which has the network name AFRIHOST-DYNAMIC. A network name ending in DYNAMIC suggests a pool of dynamically assigned customer addresses, so the host behind 169.0.121.99 today may be a different customer tomorrow; that is worth keeping in mind before blocking a single address from such a range for good.
The registry also displays address and contact information.
How is this information useful? A company could use the contact information in the record to ask the other network to stop the traffic. Contacting every network that sends unwanted traffic would be a time-consuming undertaking, given how much rogue traffic like this exists on the Internet. Alternatively, companies may choose to block networks or locations that send unwanted traffic, or proactively prevent some IP addresses from reaching all or part of the networks protected by the Firebox.
The inetnum value above, 169.0.0.0 – 169.0.255.255, is the range of IP addresses that belong to this network. The Firebox takes network blocks in CIDR notation, which is another way to write the same range, so the first step is to convert it. Online calculators can do this: enter the starting and ending IP address and click “calculate.”
https://www.ipaddressguide.com/cidr
The CIDR notation for this network is 169.0.0.0/16: the first two octets (16 bits) are fixed and the last two vary across the range, so the block covers 65,536 addresses. Blocking a range this large blocks every address in the pool, not just the one that probed the firewall. I can enter that block into the list of sites I want to block permanently in my Firebox by selecting Firewall, then Blocked Sites from the left menu.
Click the Add button at the bottom of the screen. Choose Network IPv4 (a network using Internet Protocol version 4) and enter the CIDR block we calculated above.
Click the OK button and, importantly, also click the Save button at the bottom of the list of blocked IP addresses before leaving the screen; the change takes effect only once it is saved. From then on, any connection to or from an address in that network is blocked immediately. You can also delete from the auto-blocked list the individual hosts that this permanent rule now covers.
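The range-to-CIDR conversion and the clean-up of the auto-blocked list described above, as an added example that is not part of the original article or of any WatchGuard tooling. It uses only the Python standard library. The whois excerpt and the list of auto-blocked addresses are constructed sample data (the 198.51.100.0/24 and 203.0.113.0/24 addresses are RFC 5737 documentation ranges standing in for unrelated hosts). It goes slightly beyond the article’s case by also handling a range that does not line up with a single CIDR block, where entering only the first block would leave part of the range unblocked.

```python
"""Turn a whois inetnum range into CIDR block(s) and consolidate auto-blocked hosts.

Added example, not from the original article. Standard library only.
The whois excerpt and the auto-blocked address list below are constructed sample data.
"""
import ipaddress
import re

# Constructed whois excerpt in the RIPE/AFRINIC object format. Only the inetnum
# line is parsed; the range and netname match what the article found.
WHOIS_EXCERPT = """\
inetnum:        169.0.0.0 - 169.0.255.255
netname:        AFRIHOST-DYNAMIC
descr:          Constructed sample record
country:        ZA
status:         ASSIGNED PA
"""

# Constructed list of addresses the Firebox auto-blocked (System Status > Blocked Sites).
AUTO_BLOCKED = [
    "169.0.121.99",
    "169.0.7.14",
    "203.0.113.77",   # RFC 5737 TEST-NET-3, stands in for an unrelated host
    "169.0.255.1",
    "198.51.100.23",  # RFC 5737 TEST-NET-2, stands in for an unrelated host
]

INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def parse_inetnum(whois_text):
    """Return (start, end) IPv4 addresses from the inetnum line of a whois record."""
    m = INETNUM_RE.search(whois_text)
    if not m:
        raise ValueError("no inetnum line found")
    start, end = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    if end < start:
        raise ValueError("inetnum end precedes start")
    return start, end


def range_to_cidrs(start, end):
    """Convert an inclusive address range to the minimal list of CIDR blocks.

    A range aligned to a power of two (169.0.0.0 - 169.0.255.255) becomes a single
    block. An unaligned range needs several blocks, and every one of them has to be
    entered in the Firebox or part of the range stays unblocked.
    """
    start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def covered_hosts(cidrs, hosts):
    """Return the auto-blocked hosts that a permanent block on `cidrs` already covers.

    These entries can be deleted from the auto-blocked list once the network block
    is saved; the remaining hosts still need their own rule or a closer look.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return sorted(
        (h for h in hosts if any(ipaddress.ip_address(h) in n for n in nets)),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    start, end = parse_inetnum(WHOIS_EXCERPT)
    cidrs = range_to_cidrs(start, end)
    print("inetnum", start, "-", end, "->", cidrs)        # ['169.0.0.0/16']
    print("auto-blocked hosts now covered:", covered_hosts(cidrs, AUTO_BLOCKED))
    # An unaligned range (constructed) needs two blocks, not one.
    print(range_to_cidrs("10.0.0.0", "10.0.5.255"))      # ['10.0.0.0/22', '10.0.4.0/23']
```

The second range in the script is the case the online calculator can mislead you on: 10.0.0.0 – 10.0.5.255 is 1,536 addresses, which is not a power of two, so it cannot be a single CIDR block and the Firebox needs both entries.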
What if your company never does business in Africa and you don’t want your employees visiting websites hosted there? You could look up all the address ranges allocated in Africa in the registries and block them one by one. Another approach is the WatchGuard Geolocation Service, which comes with the WatchGuard Total Security license and lets network administrators choose countries on a map or from a list to allow or deny traffic. Keep in mind that the mapping of IP addresses to countries is approximate and changes as address space is reassigned, so it is worth checking what a country block actually catches.
The most important thing is to monitor and understand what is happening in your environment. Know what is normal so you can spot things that are suspicious and investigate further. Use what you learn to create network rules to allow and disallow traffic appropriately. — Teri Radichel (@teriradichel)
Larry French says
Good luck getting a response from a foreign country operator.
Adrian says
The Geolocation tool and APT are the two best features of the WatchGuard Fireboxes. Geolocation has reduced my administration overhead and unsolicited incoming traffic considerably. However, there is one missing part in this article.
Most of my unsolicited traffic comes from China and the USA – almost nothing comes from Africa. Blocking China is easy for me, as my company does not do business with China. However, there are many USA-based companies that make use of content delivery and other services that are based in China. Microsoft is one of these organisations. The good news is that WatchGuard included an Exemptions tab within Geolocation. So you can add exemptions for sites that you need to access. Microsoft is very good as they provide a public list of their IP addresses. It is a little harder to get a complete list for smaller companies. While this sounds like lots of work, it is nothing compared to keeping track of all the Chinese IP addresses that you want to permanently block.
So big thumbs up for Geolocation from me!
Jim Pennington says
Geolocation is a great technology that is unfortunately really missing its potential.
In its current implementation, all that can be done is completely block *all* traffic *to* and *from* a country. With an all or nothing approach this is extremely limiting. Imagine if all our firewall policies were all or nothing? I haven’t been able to use Geolocation blocking because of this unilateral approach. Usually if I block a country it ends up blocking some other traffic that was needed. The countries that usually need to be blocked the most (like China) also sometimes need to be communicated with.
The Geolocation feature would be immensely useful if it was changed where I could block based on *policies*, not unilaterally. That way I could, for example, allow web traffic out to China but block all email and other login attempts from there.
I hope WatchGuard will implement this at some point to really make the feature useful.
Teri Radichel says
Good news! I just spoke with product management and this is on the road map, coming soon to a Firebox near you!