topic Re: geo policy on website behind haproxy using sni in Firewall and Security Management

geo policy on website behind haproxy using sni

Daniel_Kavan — Fri, 12 Sep 2025 13:02:26 GMT

Hi All,

We want to set up geo protection for certain websites. However, there many sites behind one IP using SNI behind one IP address on haproxy. Is this possible to protect one or two URLs (name) with a geo policy? I know SNI is supported with https inspection. Or would every project hosted behind that one IP have to be on the policy?

Re: geo policy on website behind haproxy using sni

PhoneBoy — Fri, 12 Sep 2025 21:22:34 GMT

I assume this is possible since:

You can use a geography as a source in a rule
You can use a Custom Application/Site as a destination (which can be as above) in a rule

SNI doesn't require HTTPS Inspection, FYI.

Re: geo policy on website behind haproxy using sni

the_rock — Sun, 14 Sep 2025 01:44:20 GMT

Just use geo objects as @@PhoneBoy said.

Andy

Re: geo policy on website behind haproxy using sni

Daniel_Kavan — Sun, 14 Sep 2025 19:02:33 GMT

rule #12 using a geography as source (blocking Russia for example) and a custom application as destination

rule #13 allows the IP. Sources from Russia wouldn't make it to rule #13 they would be blocked on #12.

Sounds good.

Re: geo policy on website behind haproxy using sni

the_rock — Sun, 14 Sep 2025 21:40:53 GMT

Hey Dan,

Can you send screenshot?

Andy

Re: geo policy on website behind haproxy using sni

Daniel_Kavan — Thu, 18 Sep 2025 11:14:25 GMT

Thanks, the application/site object works great in the access policy. Now, moving on to the threat prevention exception policy.

La Question du jour: Can a custom application/site object exist in the threat prevention Exceptions policy sort of acting as a destination site? I was focused adding a site object to the protected scope column (can't do it), but there is also the protections/site/file/blade column that I've only been using to add protection exceptions. IOW, when making an exception for an IP (and that IP can represent 100 sites) We just need an IPS exception for 1 of the 100 sites. Currently, the protected scope doesn't support application/site objects. However, I can and did simply add the site object to the column with the list of IPS protections the exception is for. IOW, I have 10 IPS protections and a site all in the same column. I mean the column does say it's for Protections/site/file/blade. It just seems very unusual to have that mix of protections and a specific destination (site object/URLs) in the same column. Thinking... that might just work.

Re: geo policy on website behind haproxy using sni

the_rock — Thu, 18 Sep 2025 11:00:02 GMT

Yea, probably best idea Dan.

Re: geo policy on website behind haproxy using sni

PhoneBoy — Thu, 18 Sep 2025 23:06:04 GMT

Let us know one way or the other.