topic Re: Configuring geo policies in Firewall and Security Management

Configuring geo policies

origins26 — Tue, 30 Jun 2020 16:27:23 GMT

This is my first time working with geo policies, now I'm trying to implement a geo policy that blocks traffic from Russia, I have a 5000 appliance R80.10.

Do I just have to configured it like this?

Thank you for your help.

Re: Configuring geo policies

PhoneBoy — Sat, 04 Jul 2020 20:47:51 GMT

Should be able to.
However it might be better to upgrade to R80.20 or later and use the Updatable Objects for Russia in the access policy, which is far more flexible.

Re: Configuring geo policies

Timothy_Hall — Sun, 05 Jul 2020 14:12:03 GMT

Yes, but normally if you are blocking a country you want to block "from and to" to drop both connections initiated from that country, and any "phone home" attempts to that country initiated by malware already inside your network. Also ensure that "Default Geo Policy" is applied to your firewall on the Gateways screen.

As Phoneboy says though use of Geo Updatable Objects in the mainline Access Control policy in R80.20+ is much more flexible and easy to work with.

Re: Configuring geo policies

Magnus-Holmberg — Sun, 05 Jul 2020 22:45:10 GMT

As said above from R80.20 you can use updatable objects anywere in the rulebase.

Re: Configuring geo policies

origins26 — Mon, 06 Jul 2020 16:21:21 GMT

Thank you all of you.

As of now I'm not able to upgrade to 80.20, so I'll be working with 80.10, as you said I'm going to configure it to block "from and to Country". I verified and Default Geo policiy is in the gateways screen.

Re: Configuring geo policies

JT_Ohio — Wed, 14 Jul 2021 21:09:02 GMT

I would like to add an additional question to this. We currently utilize updatable objects to block specific countries that love to send their packets to us. We are on R80.40. Looks like we have a customer in one of these blocked countries.

To create an exception, can I just add an ALLOW rule containing their network/IP above my country blocking rule? I don't know if there is additional logic or checks when implementing country blocking in the security rule set. I am not using a specific Geo policy on my gateway, just a block rule with updatable country objs at the top of my rule list.

Thank you!

Re: Configuring geo policies

Timothy_Hall — Thu, 15 Jul 2021 12:04:48 GMT

Correct, if you are using Geo Updatable objects in a policy rule to block a certain country just add an Accept rule above that one to implement the exception. You may want to double-check that you are not also blocking that country in the legacy Geo Policy configuration, because if you are that block will be applied long before the rulebase gets evaluated.