I haven’t seen any discussion about this or anything in the documentation. I currently use geoip matching such as this:
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 action 'drop'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code 'us'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code 'ca'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip inverse-match
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 log
This works fine for catching traffic destined to locations outside of the US and Canada; however, it also catches RFC1918 IPs, which should have no fixed geolocation.
Any suggestions on how to get around this?
When checking db-ip.com (which I believe is where the GeoIP data comes from), this is the result for an RFC1918 IP:
{
  "ipAddress": "10.10.10.10",
  "countryCode": "ZZ",
  "isp": "Private network",
  "usageType": "reserved",
  "organization": "Rfc 1918"
}
But if I try to use country code “ZZ”, it isn’t accepted:
# set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code zz
Invalid value
Value validation failed
Set failed
[edit]
# set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination geoip country-code ZZ
Invalid value
Value validation failed
Set failed
[edit]
I tried excluding 10.0.0.0/8, but you can’t combine GeoIP with an address:
# set firewall ipv4 name XYZ-FORWARD-IPV4 rule 10 destination address !10.0.0.0/8
[edit]
# commit
Only one of address, fqdn or geoip can be specified
[[firewall]] failed
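Since a geoip rule cannot carry an address match, the usual way to keep private ranges out of an inverse geoip check is to match them in a lower-numbered rule that leaves the chain before rule 10 is evaluated. This is an added example, not configuration from the original post: the group name RFC1918, rule number 5 and the use of `return` are assumptions, and the existing rule 10 is left unchanged.

```shell
# Added example (not from the original post): define the RFC1918 ranges once
# as a network-group so the exclusion rule stays short and easy to audit.
set firewall group network-group RFC1918 network '10.0.0.0/8'
set firewall group network-group RFC1918 network '172.16.0.0/12'
set firewall group network-group RFC1918 network '192.168.0.0/16'

# Rule 5 runs before the geoip rule 10. 'return' hands control back to the
# chain that jumped into XYZ-FORWARD-IPV4, so private destinations never reach
# the inverse geoip match (which matches anything not in the US/CA sets,
# including addresses that have no country at all). Logging it makes the
# bypass visible in the firewall log, same as rule 10.
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 5 action 'return'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 5 destination group network-group 'RFC1918'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 5 description 'Skip geoip check for private destinations'
set firewall ipv4 name XYZ-FORWARD-IPV4 rule 5 log

# Rule 10 (the original inverse geoip drop) stays exactly as configured above.
```

If XYZ-FORWARD-IPV4 is not entered via a jump from another chain, 'return' has nothing to return to; in that case use 'accept' on rule 5, bearing in mind that this also skips any rules after 10 for those destinations.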