LostBoY
Advisor

Geo Policy in R80.10


I have a requirement to allow traffic to a URL from only specific regions, such as India, the US and Russia; all other regions need to be blocked.

In the Geo Policy I can only see Country, Action and Direction, which can be blocked; there are no fields for destination/port. How can I selectively allow traffic from certain regions to the URL?

I am aware of the updatable objects in R80.40 and am going to upgrade to it soon, but in the meantime I need to do this in R80.10.


Accepted Solutions
Timothy_Hall
Champion

Because Updatable Geo Objects are not available in your R80.10 release, the only officially-supported way to do this is to block an entire country with Geo Policy, then specify exceptions utilizing IP addresses and port numbers to whatever server is hosting the URL; you can't specify URLs in Geo Policy exceptions. That is the best you can do "officially" unless you want to create & maintain static group objects matching all IP networks from the desired countries and match them in your policy, which is less than desirable to say the least.

If you still want to do this under R80.10, check out this workaround written by @HeikoAnkenbrand:

https://community.checkpoint.com/t5/API-CLI-Discussion/GEO-Location-Objects-in-Firewall-Policy-with-...


"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com

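The "static group objects" route mentioned above (one network object per prefix, grouped per country, matched by an access rule to the web server) is tedious by hand, but it is easy to script against the Management API. The following is an added example, not code from this thread, from Check Point or from the linked workaround. It assumes constructed sample prefix lists built from RFC 5737/RFC 2544 test ranges (not real country allocations), a host object named "Webserver", an Access Control layer named "Network", the predefined "https" service object, and a mgmt_cli session file "id.txt" created beforehand with mgmt_cli login; the generated commands are emitted as text for review rather than executed, and you still need a mgmt_cli publish afterwards.

```python
import ipaddress
import shlex

# Constructed sample data (RFC 5737 / RFC 2544 test ranges), NOT real country
# allocations.  In practice feed this from the RIR delegated-* files or a
# GeoIP CSV export and re-run it whenever the source changes: static lists
# go stale, which is exactly the maintenance burden the answer above warns about.
SAMPLE_PREFIXES = {
    "IN": ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"],
    "US": ["192.0.2.0/24", "192.0.2.0/25"],   # overlapping on purpose
    "RU": ["198.18.0.0/15"],
}

# Assumed names; adjust to the objects and layer in your own policy.
WEBSERVER_OBJECT = "Webserver"   # host object for the server behind the URL
LAYER = "Network"                # Access Control layer to add the rules to
SESSION_OPT = "-s id.txt"        # session file from: mgmt_cli login > id.txt


def collapse(prefixes):
    """Merge overlapping and adjacent prefixes so the group stays small."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def object_name(country, net):
    # '/' is not valid in a Check Point object name, so use '-' for the prefix length.
    return f"geo-{country}-{net.network_address}-{net.prefixlen}"


def mgmt_cli_commands(country, prefixes):
    """One 'add network' per collapsed prefix, then one 'add group' holding them."""
    cmds, names = [], []
    for net in collapse(prefixes):
        name = object_name(country, net)
        names.append(name)
        cmds.append(
            f"mgmt_cli {SESSION_OPT} add network name {shlex.quote(name)} "
            f"subnet {net.network_address} mask-length {net.prefixlen}"
        )
    members = " ".join(f"members.{i} {shlex.quote(n)}" for i, n in enumerate(names, 1))
    cmds.append(f"mgmt_cli {SESSION_OPT} add group name {shlex.quote('geo-' + country)} {members}")
    return cmds


def access_rule_commands(countries):
    """Accept each country group to the web server on HTTPS and drop everything
    else to it.  The drop is added first at 'position top' so that each accept,
    also added at the top, ends up above it; rule order is what enforces the
    'only these regions' requirement."""
    cmds = [
        f"mgmt_cli {SESSION_OPT} add access-rule layer {shlex.quote(LAYER)} position top "
        f"name drop-rest-to-web source Any destination {shlex.quote(WEBSERVER_OBJECT)} "
        f"service https action Drop track.type Log"
    ]
    for c in countries:
        cmds.append(
            f"mgmt_cli {SESSION_OPT} add access-rule layer {shlex.quote(LAYER)} position top "
            f"name {shlex.quote('allow-' + c + '-to-web')} source {shlex.quote('geo-' + c)} "
            f"destination {shlex.quote(WEBSERVER_OBJECT)} service https action Accept track.type Log"
        )
    return cmds


def allowed_source(ip, country_prefixes=SAMPLE_PREFIXES):
    """Return the country code whose list contains ip, or None.  Useful when a
    log shows an ACCEPT you did not expect: check the address against the
    lists you actually loaded, not against what you assume is in them."""
    addr = ipaddress.ip_address(ip)
    for country, prefixes in country_prefixes.items():
        if any(addr in net for net in collapse(prefixes)):
            return country
    return None


if __name__ == "__main__":
    for country, prefixes in SAMPLE_PREFIXES.items():
        print("\n".join(mgmt_cli_commands(country, prefixes)))
    print("\n".join(access_rule_commands(list(SAMPLE_PREFIXES))))
    print(f"mgmt_cli {SESSION_OPT} publish")
```

Pipe the output into a shell after reviewing it, or paste it into a mgmt_cli batch. Note that this only controls the access rule; a separate Geo Policy rule still applies independently and has no destination field, so keep the two mechanisms from contradicting each other.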

5 Replies

LostBoY
Advisor

One query here: after I have enabled the Geo Policy, where can I see logs for it? Is it in the normal logging window?
Timothy_Hall
Champion

Assuming Track is set to Log on your Geo Policy, yes, and the logs will be associated with the Firewall blade. On an R77.30 or earlier gateway, Geo Protection events were logged under the IPS blade.
LostBoY
Advisor

OK, I have set it to logging but am observing a strange behaviour.

I have a rule "Any" to Webserver allowed in the ACL.

I set up a Geo Policy to block from and to source 'China'.

However, 1 hour later I observed an "ACCEPT" log from src China via the configured ACL rule. As per my understanding, Geo Policy should take precedence and block this; it should never go to the ACL. I have the IPS, Anti-Bot and Antivirus blades enabled on the FW.
Timothy_Hall
Champion

Are you sure that the rule matching China in your Geo Policy is set to drop AND that the China rule is part of the Geo Policy profile that is actually applied to the gateway in question?

If so, double-check that the source IP address is actually in China according to https://www.maxmind.com/en/geoip-demo and by doing a whois lookup at www.apnic.net.