About our new Country-level Geoblocking Features
The Cerberus team is excited to share that blocking or allowing connections based on the country the connection originates from (geoblocking) and a new Firewall Controls Overview page are now available in Cerberus FTP Server 12.11.
Geoblocking by country leverages our existing geolocation integration with the commercial ipstack service to enable administrators to restrict connections by country in one of two modes:
- Allow only countries specified to connect
- Deny countries specified from connecting
How to use the New Country-level Geoblocking Features
The new country level connection restrictions are accessible from the Firewall Controls (previously known as the IP Manager) in Cerberus. In addition to the new country level restrictions, there’s now an Overviews page that provides an at-a-glance view of the server configuration for connection blocking. Settings like Geolocation, country level restrictions, and auto-blocking setting status, as well as a graph of recent changes to the IP list can be easily reviewed from this page. There’s also a new Connection Authorization Pipeline graphic, which visualizes how connections are authorized by Cerberus with the existing and new authorization capabilities.
You can access the new country restrictions features from the Country and IP Connection Restrictions page in the Firewall Controls section of the admin console:
Controlling how Country Restrictions Work
Administrators can operate the country restrictions controls in one of two ways:
- Deny Countries Listed
- Allow Only Countries Listed
Deny Countries Listed Mode
In Deny Countries Listed mode, any countries you add to the countries restrictions list will be rejected when they attempt to establish a connection with the server. Cerberus uses the ipstack service to geolocate connections as they connect and reject any that are from countries on the restricted list.
Allow Only Countries Listed Mode
The Allow Only Countries Listed option works in reverse – only allowing incoming connections from countries on an explicit country allow list. Connections from any countries not on the allow list are rejected.
We’ve tried to make country selection as easy as possible. Administrators can zoom in and select countries on the world map, or type a country into the country edit control to get a drop down list of available matching countries that they can easily select.
Now that the geolocation service is a key component of the connection authorization pipeline and not just an informational service, there are new options for determining what to do when geolocation fails. Administrators can decide to either always block or always allow all connections in those cases based on a toggle setting. You can easily access these and other geolocation settings by pressing the Configure button in the Geolocation Configuration section of the Country and IP Connection Restrictions tab.
As part of our geolocation and geoblocking changes, we’ve also made significant enhancements to our connection logging to provide administrators and auditors with additional context for troubleshooting and compliance. Initial connections are always logged with their country of origin (if geolocation is enabled and functioning), and any rejections based on IP blocks, country restrictions, or exceptions from allow-listed IP addresses, are now always logged along with the incoming connection request. Admins will now be able to more easily determine where a connection came from and why it was authorized or not authorized to connect.
Finally, we’ve also added support for HTTPS connections to the ipstack service. We previously only supported HTTP connections (NOTE: Using HTTPS currently requires a paid ipstack account. A free account is limited to HTTP only).
Availability and Feedback
These new improvements are available on Cerberus FTP version 12.11.
We will continue to refine and improve this capability as we receive feedback from customers, although we believe the initial release is quite full-featured and expect it will meet most customers’ needs. More information about the ipstack service is available on their homepage. Please note that you will need to sign up for a plan with ipstack to use the new geoblocking features. They have different service tiers depending upon your expected connection traffic. We are considering supporting other commercial geolocation service APIs in future releases (depending on feedback).