topic Re: login attacks coming in with geo protection turned on in Endpoint

login attacks coming in with geo protection turned on

Daniel_Kavan — Wed, 22 Jan 2025 17:19:58 GMT

Does MAB / sslvpn not fall under the umbrella of geo protection?

I'm seeing DoS login failed attacks coming in from countries even though geo protection should be dropping them (NOT accept). However I see Accept. Maybe, sometimes the IPs don't fall under the right countries?

Also, I was looking for away to white list networks hitting sslvpn but I'm not seeing that as an option.

Re: login attacks coming in with geo protection turned on

Tal_Paz-Fridman — Wed, 22 Jan 2025 18:30:31 GMT

It probably used implied rules that are matched before the other rules in the policy.

Re: login attacks coming in with geo protection turned on

Lesley — Wed, 22 Jan 2025 18:54:34 GMT

Hi,

Traffic is allowed on implied rule. You can disable implied rules, then you can first make a drop rule with geo protection and then allow the rest.

Re: login attacks coming in with geo protection turned on

Daniel_Kavan — Wed, 22 Jan 2025 20:27:18 GMT

The only Implied rule I see in global properties that looks relevant is:

Remote Access Control Connections

Is that https traffic to the MAB portal?

Re: login attacks coming in with geo protection turned on

the_rock — Thu, 23 Jan 2025 00:58:17 GMT

Im thinking MAB.

Re: login attacks coming in with geo protection turned on

PhoneBoy — Thu, 23 Jan 2025 13:39:38 GMT

Believe so, yes.
Are you using legacy Geo Protection or doing this in a policy layer?

Re: login attacks coming in with geo protection turned on

Daniel_Kavan — Thu, 23 Jan 2025 15:06:09 GMT

Ah, that may be the issue. Yeah, legacy. We are switching to a unified policy soon, but right now it's a separate policy in MAB. Actually, we do have a test gw with unified, does anyone see documentation RE: add a source geo location in the src column? I don't see anythin the R81.20 admin guide or TP guide for geo location objects. Ah, I found it sk126172 - Configuring Geo Policy using Updatable Objects

thank you - the dos mitigation rules are working.

Re: login attacks coming in with geo protection turned on

Daniel_Kavan — Thu, 23 Jan 2025 14:16:18 GMT

Do you think a geo location rule in the access policy will block attacks to sslvpn when using legacy vpn (not unified policy)?

Re: login attacks coming in with geo protection turned on

PhoneBoy — Thu, 23 Jan 2025 14:19:13 GMT

No, but you can do it with Dos Mitigation rules, which can be geo-specific (not in R82 currently) and will apply before implied rules.
https://support.checkpoint.com/results/sk/sk112454

Re: login attacks coming in with geo protection turned on

Daniel_Kavan — Tue, 28 Jan 2025 15:03:17 GMT

has anyone done it before to save me time? For example, if you want to block IP address 94.154.35.24/32 with a dos mitigation rule.

I may try this one:

fwaccel dos rate add source cidr:94.154.35.24/32 https byte-rate 0

smartevent proections aren't stopping it either. Brute force for example .

Update: the dos mitigation blocks are working. Thank you. Even the inline geo-location rule wasn't in my unified policy.

It's like wargames, they are trying other networks now.

Re: login attacks coming in with geo protection turned on

Daniel_Kavan — Wed, 26 Feb 2025 13:03:18 GMT

Check Point came out with a fix for this in R82 and R81.20 JHF96 and it works.

BTW, I'm implementing a negation rule with US as the update-able geo protection object. So, it should block everything that's NOT from the USA.