origins26
Explorer

Configuring geo policies

This is my first time working with geo policies. I'm trying to implement a geo policy that blocks traffic from Russia. I have a 5000 appliance, R80.10.

Do I just have to configure it like this?

[Image: geo policy.png]

Thank you for your help.

0 Kudos
Accepted Solutions
Timothy_Hall
Champion

Yes, but normally if you are blocking a country you want to block "from and to" to drop both connections initiated from that country, and any "phone home" attempts to that country initiated by malware already inside your network. Also ensure that "Default Geo Policy" is applied to your firewall on the Gateways screen.

As PhoneBoy says, though, use of Geo Updatable Objects in the mainline Access Control policy in R80.20+ is much more flexible and easier to work with.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com

PhoneBoy
Admin
Should be able to.
However it might be better to upgrade to R80.20 or later and use the Updatable Objects for Russia in the access policy, which is far more flexible.
origins26
Explorer

Thank you all of you.

As of now I'm not able to upgrade to 80.20, so I'll be working with 80.10. As you said, I'm going to configure it to block "from and to Country". I verified, and Default Geo Policy is in the Gateways screen.

[Image: default.png]

0 Kudos
JT_Ohio
Explorer

I would like to add an additional question to this. We currently utilize updatable objects to block specific countries that love to send their packets to us. We are on R80.40. Looks like we have a customer in one of these blocked countries.

To create an exception, can I just add an ALLOW rule containing their network/IP above my country blocking rule? I don't know if there is additional logic or checks when implementing country blocking in the security rule set. I am not using a specific Geo policy on my gateway, just a block rule with updatable country objs at the top of my rule list.

Thank you!

JJ

0 Kudos
Timothy_Hall
Champion

Correct, if you are using Geo Updatable objects in a policy rule to block a certain country, just add an Accept rule above that one to implement the exception. You may want to double-check that you are not also blocking that country in the legacy Geo Policy configuration, because if you are, that block will be applied long before the rulebase gets evaluated.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
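
The evaluation order described in the reply above, as an added example that is not part of the original thread and is not Check Point code: a small Python model in which a legacy Geo Policy stage runs before a first-match rulebase, showing when an Accept exception placed above the country block takes effect. `CountryX`, the documentation address ranges, the customer network and the rule names are all constructed for illustration.

```python
import ipaddress

# Constructed data: a documentation range stands in for a country's address space.
COUNTRY_NETS = {"CountryX": [ipaddress.ip_network("203.0.113.0/24")]}
CUSTOMER_NET = ipaddress.ip_network("203.0.113.64/28")  # hypothetical customer


def country_of(ip):
    """Return the (constructed) country an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for country, nets in COUNTRY_NETS.items():
        if any(addr in net for net in nets):
            return country
    return None


def matches(spec, ip):
    """spec is 'any', a country name (geo object) or an ip_network object."""
    if spec == "any":
        return True
    if isinstance(spec, str):
        return country_of(ip) == spec
    return ipaddress.ip_address(ip) in spec


def evaluate(src, dst, rulebase, legacy_geo_block=frozenset()):
    """Decide a new connection from src to dst; returns (action, reason)."""
    # Stage 1: legacy Geo Policy, applied before the rulebase, "from and to".
    for ip in (src, dst):
        if country_of(ip) in legacy_geo_block:
            return ("drop", "legacy geo policy")
    # Stage 2: Access Control rulebase, first matching rule wins.
    for name, rule_src, rule_dst, action in rulebase:
        if matches(rule_src, src) and matches(rule_dst, dst):
            return (action, name)
    return ("drop", "cleanup")


# Exception rule sits above the two country rules, as suggested in the thread.
RULEBASE = [
    ("customer exception", CUSTOMER_NET, "any", "accept"),
    ("block from CountryX", "CountryX", "any", "drop"),
    ("block to CountryX", "any", "CountryX", "drop"),
    ("outbound", ipaddress.ip_network("10.0.0.0/8"), "any", "accept"),
]
```

With the same rulebase, passing `legacy_geo_block={"CountryX"}` makes the customer's connection drop at stage 1, which is the case the reply says to double-check.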
Magnus-Holmberg
Advisor
 

As said above, from R80.20 you can use updatable objects anywhere in the rulebase.

[Images: step1.png, step2.png, step3.png, step4.png]


https://www.youtube.com/c/MagnusHolmberg-NetSec