This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
MVP Gold
MVP Gold
‎2025-01-22 09:17 AM
Jump to solution

login attacks coming in with geo protection turned on

Does MAB / sslvpn not fall under the umbrella of geo protection?

I'm seeing DoS login failed attacks coming in from countries even though geo protection should be dropping them (NOT accept).  However I see Accept.   Maybe, sometimes the IPs don't fall under the right countries?

Also, I was looking for away to white list networks hitting sslvpn but I'm not seeing that as an option.

0 Kudos
2 Solutions

Accepted Solutions
Daniel_Kavan
MVP Gold
MVP Gold
‎2025-01-23 05:44 AM
In response to PhoneBoy
Jump to solution

Ah, that may be the issue.  Yeah, legacy.   We are switching to a unified policy soon, but right now it's a separate policy in MAB.  Actually, we do have a test gw with unified, does anyone see documentation RE: add a source geo location in the src column?   I don't see anythin the R81.20 admin guide or TP guide for geo location objects.  Ah, I found it sk126172 - Configuring Geo Policy using Updatable Objects  

 

thank you - the dos mitigation rules are working.

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-23 06:19 AM
In response to Daniel_Kavan
Jump to solution

No, but you can do it with Dos Mitigation rules, which can be geo-specific (not in R82 currently) and will apply before implied rules.
https://support.checkpoint.com/results/sk/sk112454 

View solution in original post

10 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-01-22 10:29 AM
Jump to solution

It probably used implied rules that are matched before the other rules in the policy.

Lesley
MVP Gold
MVP Gold
‎2025-01-22 10:54 AM
Jump to solution

Hi,

Traffic is allowed on implied rule. You can disable implied rules, then you can first make a drop rule with geo protection and then allow the rest. 

-------
Please press "Accept as Solution" if my post solved it 🙂
Daniel_Kavan
MVP Gold
MVP Gold
‎2025-01-22 12:27 PM
In response to Lesley
Jump to solution

The only Implied rule I see in global properties that looks relevant is: 

Remote Access Control Connections

Is that https traffic to the MAB portal?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-01-22 04:58 PM
In response to Daniel_Kavan
Jump to solution

Im thinking MAB.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-23 05:39 AM
In response to Daniel_Kavan
Jump to solution

Believe so, yes.
Are you using legacy Geo Protection or doing this in a policy layer?

Daniel_Kavan
MVP Gold
MVP Gold
‎2025-01-23 05:44 AM
In response to PhoneBoy
Jump to solution

Ah, that may be the issue.  Yeah, legacy.   We are switching to a unified policy soon, but right now it's a separate policy in MAB.  Actually, we do have a test gw with unified, does anyone see documentation RE: add a source geo location in the src column?   I don't see anythin the R81.20 admin guide or TP guide for geo location objects.  Ah, I found it sk126172 - Configuring Geo Policy using Updatable Objects  

 

thank you - the dos mitigation rules are working.

0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2025-01-23 06:16 AM
In response to PhoneBoy
Jump to solution

Do you think a geo location rule in the access policy will block attacks to sslvpn when using legacy vpn (not unified policy)?

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-23 06:19 AM
In response to Daniel_Kavan
Jump to solution

No, but you can do it with Dos Mitigation rules, which can be geo-specific (not in R82 currently) and will apply before implied rules.
https://support.checkpoint.com/results/sk/sk112454 

Daniel_Kavan
MVP Gold
MVP Gold
‎2025-01-23 06:30 AM
In response to PhoneBoy
Jump to solution

has anyone done it before to save me time?   For example, if you want to block IP address 94.154.35.24/32 with a dos mitigation rule.

I may try this one:

fwaccel dos rate add source cidr:94.154.35.24/32 https byte-rate 0

 

smartevent proections aren't stopping it either.  Brute force for example .

Update: the dos mitigation blocks are working.  Thank you.  Even the inline geo-location rule wasn't in my unified policy.

It's like wargames, they are trying other networks now.

 

0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2025-02-26 05:03 AM
In response to PhoneBoy
Jump to solution

Check Point came out with a fix for this in R82 and R81.20 JHF96 and it works.

BTW, I'm implementing a negation rule with US as the update-able geo protection object.  So, it should block everything that's NOT from the USA.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events