topic Re: Geo Policy block VPN traffic from blocked countries? in Firewall and Security Management

Geo Policy block VPN traffic from blocked countries?

seanmc12 — Sun, 10 Apr 2022 23:10:40 GMT

I am configuring Geo policy with updatable objects and am wondering if there will be any impact? If someone from one of the blocked countries, tries to access our VPN...and they are actually authorized, will they be allowed to connect if their country is on the dropped list?

Re: Geo Policy block VPN traffic from blocked countries?

Chris_Atkinson — Mon, 11 Apr 2022 00:14:40 GMT

If it's all enforced / terminating on a single Gateway you will likely find the implied rules allow the remote access traffic without incident. Refer:

https://community.checkpoint.com/t5/Security-Gateways/Restrict-VPN-access-by-GEO-location/m-p/117288

incident.

Re: Geo Policy block VPN traffic from blocked countries?

the_rock — Sun, 10 Apr 2022 23:32:35 GMT

I can tell you from my own experience that every time specific country is blocked, it gets enforced 100%, even for VPN.

Re: Geo Policy block VPN traffic from blocked countries?

Timothy_Hall — Mon, 11 Apr 2022 16:30:40 GMT

If you have a country defined as "block to and from" in Geo Policy (not Geo Updatable Objects) they will not be allowed to connect at all as @the_rock stated. This may have changed in later releases, but last time I looked Geo Policy enforcement is performed just after anti-spoofing enforcement and before any "First" implied rules allowing Remote Access VPN traffic are consulted. However if the newer Geo Updatable Objects are used, that enforcement will not happen until after the implied rules. So they will be able to at least connect in that case.

However Geo Policy was deprecated in R81 (hidden in some cases but still works) so there really isn't a long-term solution for completely blocking certain countries for Remote Access VPN before the implied rules are enforced. One possibility is using fw samp/fwaccel dos which allows the specification of a country code, then grant them a bandwidth/connection rate of zero (if that is possible).

The only other way I could think of to do this would be an RFE that allows specified countries to be blocked right on the topology page for any interface designated "External" in the Firewall's topology, along with perhaps a way to add exceptions or a "don't check packets from" to that enforcement on that same screen. Kind of a per interface Geo Policy similar to the per-interface Advanced...Multicast Restrictions feature.

Another RFE avenue for this functionality might be the ability to choose countries in a Gaia Policy Based Routing configuration and blackhole them. But the former SmartConsole-based approach would probably be easier to understand and troubleshoot.

Re: Geo Policy block VPN traffic from blocked countries?

seanmc12 — Mon, 11 Apr 2022 16:40:53 GMT

Thanks for the response. I have configured Geo updatable objects. So I was thinking I could put an exception just before the updatable objects rule and the user from say China, would be able to authenticate and use VPN, but any other traffic would be blocked at the GUO policy.

Re: Geo Policy block VPN traffic from blocked countries?

the_rock — Mon, 11 Apr 2022 16:43:00 GMT

Thats excellent idea...as long as that rule is BEFORE geo rule blocking the traffic from given country, you are good to go.

Andy

Re: Geo Policy block VPN traffic from blocked countries?

seanmc12 — Tue, 12 Apr 2022 16:33:34 GMT

Unfortunately, the only way this will work is if your remote individual comes into your network with a static IP address. With a dynamic IP, the firewall will block all of the data from the applicable country before it ever sees the user creds. I should have known that piece.

Re: Geo Policy block VPN traffic from blocked countries?

the_rock — Tue, 12 Apr 2022 17:08:11 GMT

For sure, 100%...it would have to be static IP, I agree. If its dynamic IP, there is no way for firewall to differentiate that if the country is say, Egypt, and its blocked in your GEO policy.

Andy