https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187294#M1016 <P>I would suggest using GEO policy to block the country, if you do not expect any connections coming from there.</P> Mon, 24 Jul 2023 07:37:54 GMT _Val_ 2023-07-24T07:37:54Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187281#M1015 <P>When checking the logs of my Harmony Connect VPN service I can see that there is a couple of IPs address coming from Ukraine that are generating 75% of my logs.</P><P><SPAN><FONT face="inherit">Are you </FONT>experiencing<FONT face="inherit">&nbsp;the same?</FONT></SPAN></P><P><SPAN>Last week I reported the same incident but from two different IPs as well from Ukraine and looks to me that the TAC people helped me out to block them. last IP:&nbsp;</SPAN><SPAN>109.207.200.44&nbsp;</SPAN></P><P>If you check your Harmony Connect VPN logs, can you see them too?&nbsp;&nbsp;</P><P>I understand the part of: they do not have the keys, or certificate and etc to break in, yeah, but those IPS are saturating Check Point logs and probably even degrading the service.&nbsp;</P><P>Does anyone know how to block them with involving TAC? I already added a policy that blocks any access from those IPs and nothing actually happened because I think it only applies to the valid traffic inside the VPN.&nbsp;</P><P>An email was sent today to the organization in Ukraine that are in charge of those IPs. nothing might happen!&nbsp;</P><P>Thoughts?&nbsp;</P><P>&nbsp;</P> Mon, 24 Jul 2023 05:34:19 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187281#M1015 ICSI 2023-07-24T05:34:19Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187294#M1016 <P>I would suggest using GEO policy to block the country, if you do not expect any connections coming from there.</P> Mon, 24 Jul 2023 07:37:54 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187294#M1016 _Val_ 2023-07-24T07:37:54Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187307#M1017 <P>Same, GEO protection and block the unwanted countries.&nbsp;</P><P>Here is the SK:</P><P><A href="https://support.checkpoint.com/results/sk/sk126172" target="_blank">https://support.checkpoint.com/results/sk/sk126172</A></P> Mon, 24 Jul 2023 08:53:05 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187307#M1017 Lesley 2023-07-24T08:53:05Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187344#M1018 <P>This (before encryption) traffic is accepted through implied rules.<BR />Short of changing the implied rules, the best way to block this traffic is using fwaccel dos rules:&nbsp;<A href="https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/Block-VPN-Traffic-by-Country/m-p/172695#M31396</A></P> Mon, 24 Jul 2023 13:02:23 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187344#M1018 PhoneBoy 2023-07-24T13:02:23Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187440#M1019 <P>I believe this is a result of bots/vulnarebility_scaneers&nbsp; activities.</P> <P>Based on topic you're using Harmony Connect Network Access client. Please raise ticket with TAC to block&nbsp; traffic&nbsp; from countries you don't want get traffic.</P> <P>&nbsp;</P> Tue, 25 Jul 2023 07:23:59 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Ukraine-IP-address-filling-75-of-my-VPN-Logs/m-p/187440#M1019 Andy_P 2023-07-25T07:23:59Z