Configure IP Blocking
The IP Blocking feature monitors network activities in real-time and blocks or allows connections between MBG and specific network blocks of IP addresses (netblocks) in CIDR format. Use the following procedures manage lists containing the netblocks, specify the order the lists are treated, and add the lists to MBG.
Managing CIDR Lists
CIDR lists are available on the internet that contain netblocks for entrie countries. You can obtain these files and modify them for your needs. You can also create your own CIDR lists from scratch.
Use a text editor to create CIDR lists according the following format:
# Block List Title
4.17.135.32/27 # Comment
4.17.143.0/28
- A list can be used to either block connections (block list) or allow connections (permit list).
- Enter addresses in IPv4 format with suffixes expressed in CIDR notation (for example, 4.17.135.32/27).
- Enter comments in shell style (behind a hash mark: #).
- Save the file in plain text format (with a .TXT extension).
Setting the Rules Mode
When you add a list, you must specify whether it is to block (to block connections) or permit (to allow connections). By selecting the rules mode, you determine which lists the MBG uses first, block or permit. This sets the blocking strategy for your enterprise.
To set the operating mode:
- On the MBG main page, click the Network tab and click IP blocking.
- In Status field, select one of the following:
- SIP UDP Only - to block all SIP UDP traffic only based on the CIDR list rules with respect to the Rule mode
- Off: No blocking.
- On: to block all traffic based on the CIDR list rules with respect to the Rules mode.
- In Rules mode, select either:
- Permit / Block / Allow: MBG first checks the permit lists and, if a match is found, allows the connection. If a match is not found, MBG then checks the blocklists and, if a match is found, denies the connection. If no matches are found, MBG allows the connection. You can use this mode to block connections from particular countries with exceptions made for branch offices located in those countries.
- Block / Permit / Deny (default): MBG first checks the blocklists and, if a match is found, denies the connection. If a match is not found, MBG then checks the permit lists and, if a match is found, allows the connection. If no matches are found, MBG denies the connection. You can use this mode to allow connections only from specific SIP trunk endpoints, from particular countries, or from particular countries but with some (threatening) networks blocked. For example, you could add a permit list that allows all connections from France plus a blocklist that denies some connections from Paris.
- Select Permit private networks check box to allow connections from private network IP addresses regardless of the Status and Rules mode settings. For example, traffic from:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/12
- Select Permit trunk endpoints check box to allow traffic from SIP trunk endpoints as programmed in SIP trunking forms regardless of the Status and Rules mode settings.
- On the MBG main page, click the Network tab and click IP blocking.
- In Status field, select one of the following:
- SIP UDP Only - to block all SIP UDP traffic only based on the CIDR list rules with respect to the Rule mode
- Off: No blocking.
- On: to block all traffic based on the CIDR list rules with respect to the Rules mode.
- In Rules mode, select either:
- Permit / Block / Allow: MBG first checks the permit lists and, if a match is found, allows the connection. If a match is not found, MBG then checks the block lists and, if a match is found, denies the connection. If no matches are found, MBG allows the connection. You can use this mode to block connections from particular countries with exceptions made for branch offices located in those countries.
- Block / Permit / Deny (default): MBG first checks the block lists and, if a match is found, denies the connection. If a match is not found, MBG then checks the permit lists and, if a match is found, allows the connection. If no matches are found, MBG denies the connection. You can use this mode to allow connections only from specific SIP trunk endpoints, from particular countries, or from particular countries but with some (threatening) networks blocked. For example, you could add a permit list that allows all connections from France plus a block list that denies some connections from Paris.
- Select Permit private networks check box to allow connections from private network IP addresses regardless of the Status and Rules mode settings. For example, traffic from:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/12
- Select Permit trunk endpoints check box to allow traffic from SIP trunk endpoints as programmed in SIP trunking forms regardless of the Status and Rules mode settings.
Managing the Lists
In addition to being able to add new “permit” and “block” lists, you can edit and delete existing lists.
To add a new IP blocking list:
- On the MBG main page, click the Network tab and click IP blocking.
- Click the
sign to display the Add IP blocking list dialog.
- Enter the Name for this list.
- Select the Mode, either Permit (allowed) or Block (blocked).
- Click Choose File, navigate to the location of the list, select the list and click Open.
- Click Save to upload the file.
The new list is activated and is now either allowing (permit) or blocking (block) IP addresses.
To edit an existing IP blocking list:
- On the MBG main page, click the Network tab and click IP blocking.
- Locate the list you want to edit and click
. The file is downloaded to your computer.
- Locate the file on your computer, edit it as required, and then save it.
- Return to the IP blocking screen, locate the file you wish to edit, and then click
.
- Enter the Name for this list.
- Select the Mode, either Permit (allowed) or Block (blocked).
- Click Choose File, navigate to the list you edited, select the list and click Open.
- Click Save to save your changes.
The edited list is activated and is now either allowing (permit) or blocking (block) IP addresses.
To delete an IP blocking list:
- On the MBG main page, click the Network tab and click IP blocking.
- Locate the list you wish to delete and click
.
- Click OK. The deletion is confirmed.