freshwater84
Participant

Block MobileAccess/VPN Client Access from unwanted countries

Dear Community,

I wonder if I can block Mobile Access/VPN Client access in general from unwanted countries, or just allow it from wanted countries.
I'm aware of the Geo-Blocking possibilities in rules, but it seems that VPN access over Mobile Access/VPN Client is already handled in the implied rules. I don't want to mess around there too much.

We have a quite strong security concept with Certificate+Username/Password for VPN dial-in, but if I could just whitelist the 3-4 countries which we need for VPN access, that would be extra security of course. Mainly in case there should be a 0-day exploit one day, which is rare but not impossible on Check Point...

6 Replies
the_rock
MVP Diamond

Hey @freshwater84 ,

See if this post I made almost 2 years ago helps. Btw, I did test this later on with a few different countries using my personal NordVPN account and it worked flawlessly.

https://community.checkpoint.com/t5/SASE-and-Remote-Access/Geo-VPN-blocking/m-p/214040

Best,
Andy
"Have a great day and if it's not, change it"
freshwater84
Participant

Hi Rock,

Thanks for the quick response. Is this parameter also applicable to the 3900 ARM series on R82.10?
When I check for the parameter on my 3920 R82.10, I get the following output:
# fw ctl get int fw_ignore_before_drop_rules -a
FW:
fw_ignore_before_drop_rules = 0
PPAK 0: Get failed.
Would the regular IPsec client (without the Mobile Access blade) also be affected, as this parameter only applies to 80/443 as far as I understood...?

the_rock
MVP Diamond

Not sure for the brand new version, sorry :-(

Might be worth verifying with TAC.

Best,
Andy
"Have a great day and if it's not, change it"
Lesley
MVP Gold

Just run it without the -a flag:

[Expert@cp0]# fw ctl get int fw_ignore_before_drop_rules
fw_ignore_before_drop_rules = 0
[Expert@cp:0]# fw ctl get int fw_ignore_before_drop_rules -a
FW:
fw_ignore_before_drop_rules = 0
PPAK 0: Get failed.
dmd_mgmt: Get param failed: Unknown parameter fw_ignore_before_drop_rules
dmd_worker: Get param failed: Unknown parameter fw_ignore_before_drop_rules

-------
Please press "Accept as Solution" if my post solved it 🙂
freshwater84
Participant

Hi Lesley,
Do you know if that is supported on R82.10 on the SG3900 series?

And how do I get it permanently into the kernel on R82.10?

Lesley
MVP Gold

To make it reboot proof, please follow:

https://support.checkpoint.com/results/sk/sk26202

More details regarding this parameter and support:

https://support.checkpoint.com/results/sk/sk105740

It does not show R82.10 but R82, but I cannot see why it should not work. You can just follow the steps.

-------
Please press "Accept as Solution" if my post solved it 🙂
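Added example (not code from the thread, from Check Point or from the linked SKs): two small POSIX shell helpers for the two steps discussed above, reading the current value of fw_ignore_before_drop_rules out of "fw ctl get int" output (including the "-a" form with its "Get failed" noise) and writing the setting once, idempotently, into a "param=value" file. The persistent-settings file format and the $FWDIR/boot/modules/fwkern.conf path in the comment are assumptions based on sk26202; the value to set is whatever the linked SK/post prescribes, not chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Expert mode shell on the
# gateway, GNU sed, and a fwkern.conf-style file ("param=value" per line,
# as sk26202 describes; path below is an assumption).

# Print the integer value for PARAM from captured "fw ctl get int" output
# read on stdin. Works for both the plain and the "-a" form: the first
# "PARAM = N" line wins, "Get failed"/"Unknown parameter" lines are ignored.
fw_param_value() {
    param="$1"
    sed -n "s/^[[:space:]]*${param}[[:space:]]*=[[:space:]]*\([0-9-]*\).*/\1/p" | head -n 1
}

# Ensure FILE contains exactly one "PARAM=VALUE" line. Safe to run
# repeatedly: an existing line for PARAM is replaced, not duplicated.
ensure_kernel_param() {
    file="$1"; param="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${param}=" "$file"; then
        sed -i "s/^${param}=.*/${param}=${value}/" "$file"
    else
        printf '%s=%s\n' "$param" "$value" >> "$file"
    fi
}

# Constructed sample: the "-a" output quoted earlier in the thread.
SAMPLE_OUTPUT='FW:
fw_ignore_before_drop_rules = 0
PPAK 0: Get failed.
dmd_mgmt: Get param failed: Unknown parameter fw_ignore_before_drop_rules'

if [ "${1:-}" = "demo" ]; then
    # Offline: parse the constructed sample (prints 0).
    printf '%s\n' "$SAMPLE_OUTPUT" | fw_param_value fw_ignore_before_drop_rules
    # On a real gateway the same helpers would be used as (assumed path):
    #   fw ctl get int fw_ignore_before_drop_rules | fw_param_value fw_ignore_before_drop_rules
    #   ensure_kernel_param "$FWDIR/boot/modules/fwkern.conf" fw_ignore_before_drop_rules <value per sk105740>
fi
```

Re-check the value after a reboot with the plain (no -a) command, as Lesley shows, to confirm the persistent setting was picked up.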