About our new Country-level Geoblocking Features

The Cerberus team is excited to share that blocking or allowing connections based on the country the connection originates from (geoblocking) and a new Firewall Controls Overview page are now available in Cerberus FTP Server 12.11.  

Geoblocking by country leverages our existing geolocation integration with the commercial ipstack service to enable administrators to restrict connections by country in one of two modes: 

  • Allow only countries specified to connect
    -OR-
  • Deny countries specified from connecting

How to use the New Country-level Geoblocking Features

The new country-level connection restrictions are accessible from the Firewall Controls (previously known as the IP Manager) in Cerberus. In addition to the new country-level restrictions, there’s now an Overview page that provides an at-a-glance view of the server configuration for connection blocking. Geolocation settings, country-level restrictions, and auto-blocking status, as well as a graph of recent changes to the IP list, can be easily reviewed from this page. There’s also a new Connection Authorization Pipeline graphic, which visualizes how connections are authorized by Cerberus with the existing and new authorization capabilities.

The new Overview page of the Firewall Controls Manager

You can access the new country restrictions features from the Country and IP Connection Restrictions page in the Firewall Controls section of the admin console:

The Country and IP Connection Restrictions page of the Firewall Controls Manager

Controlling how Country Restrictions Work

Administrators can operate the country restrictions controls in one of two ways:

  • Deny Countries Listed
  • Allow Only Countries Listed

Deny Countries Listed Mode

In Deny Countries Listed mode, connections from any country you add to the country restrictions list are rejected when they attempt to connect to the server. Cerberus uses the ipstack service to geolocate connections as they connect and rejects any that are from countries on the restricted list.

Allow Only Countries Listed Mode

The Allow Only Countries Listed option works in reverse – only allowing incoming connections from countries on an explicit country allow list.  Connections from any countries not on the allow list are rejected.  

We’ve tried to make country selection as easy as possible. Administrators can zoom in and select countries on the world map, or type a country into the country edit control to get a drop-down list of matching countries to select from.

Now that the geolocation service is a key component of the connection authorization pipeline and not just an informational service, there are new options for determining what to do when geolocation fails.  Administrators can decide to either always block or always allow all connections in those cases based on a toggle setting. You can easily access these and other geolocation settings by pressing the Configure button in the Geolocation Configuration section of the Country and IP Connection Restrictions tab.
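A model of the decision logic described above, as an added example that is not Cerberus code: the check order (allow-listed IP, then IP block, then country), the names `Policy`, `authorize` and `sample_geolocate`, and the sample addresses are assumptions. It shows how the two country modes interact with the geolocation-failure toggle, and returns a reason with every decision so it can be logged.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

DENY_LISTED, ALLOW_ONLY_LISTED = "deny-listed", "allow-only-listed"

@dataclass(frozen=True)
class Policy:
    mode: str                       # DENY_LISTED or ALLOW_ONLY_LISTED
    countries: frozenset            # ISO 3166-1 alpha-2 codes
    allow_on_geo_failure: bool      # toggle: what to do when geolocation fails
    ip_allow_list: tuple = ()       # CIDR exceptions, assumed to bypass country rules
    ip_block_list: tuple = ()       # CIDR blocks

def _matches(ip, networks):
    return any(ip_address(ip) in ip_network(n) for n in networks)

def authorize(ip, policy, geolocate):
    """Return (allowed, reason) so each decision can be logged with its cause."""
    if _matches(ip, policy.ip_allow_list):
        return True, "allow-listed IP exception"
    if _matches(ip, policy.ip_block_list):
        return False, "IP block"
    try:
        country = geolocate(ip)     # None or an exception both count as failure
    except Exception:
        country = None
    if not country:
        if policy.allow_on_geo_failure:
            return True, "geolocation failed, toggle set to allow"
        return False, "geolocation failed, toggle set to block"
    listed = country.upper() in policy.countries
    if policy.mode == DENY_LISTED:
        return not listed, f"{country}: " + ("on deny list" if listed else "not on deny list")
    return listed, f"{country}: " + ("on allow list" if listed else "not on allow list")

# Constructed sample lookups using documentation address ranges (RFC 5737).
SAMPLE_GEO = {"192.0.2.10": "US", "198.51.100.7": "FR"}

def sample_geolocate(ip):
    if ip == "203.0.113.99":        # simulate the lookup service being unreachable
        raise TimeoutError("geolocation service timeout")
    return SAMPLE_GEO.get(ip)

if __name__ == "__main__":
    strict = Policy(ALLOW_ONLY_LISTED, frozenset({"US"}), allow_on_geo_failure=False)
    lax = replace(strict, allow_on_geo_failure=True)
    for name, pol in (("fail-closed", strict), ("fail-open", lax)):
        for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.99"):
            print(name, ip, authorize(ip, pol, sample_geolocate))
```

In this model, an Allow Only Countries Listed policy with the failure toggle set to allow admits any connection whose lookup fails, so the toggle choice matters most in that mode.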

Other Enhancements

As part of our geolocation and geoblocking changes, we’ve also made significant enhancements to our connection logging to provide administrators and auditors with additional context for troubleshooting and compliance. Initial connections are always logged with their country of origin (if geolocation is enabled and functioning), and any rejections based on IP blocks, country restrictions, or exceptions from allow-listed IP addresses are now always logged along with the incoming connection request. Admins can now more easily determine where a connection came from and why it was or was not authorized to connect.

Finally, we’ve also added support for HTTPS connections to the ipstack service.  We previously only supported HTTP connections (NOTE: Using HTTPS currently requires a paid ipstack account. A free account is limited to HTTP only).

Availability and Feedback

These new improvements are available on Cerberus FTP version 12.11.

We will continue to refine and improve this capability as we receive feedback from customers, although we believe the initial release is quite full-featured and expect it will meet most customers’ needs.  More information about the ipstack service is available on their homepage.  Please note that you will need to sign up for a plan with ipstack to use the new geoblocking features.  They have different service tiers depending upon your expected connection traffic.  We are considering supporting other commercial geolocation service APIs in future releases (depending on feedback).