Geo Policy
I am trying to implement a Geo Policy which blocks traffic from a certain country from accessing a certain IP and port within our domain. I was told that I can actually use the Geo Policy in the negated way, e.g. add India to the Geo Policy list and set the action to Accept, and set the policy for other countries to Accept too. In the exception for the policy, set the destination to the IP and service port that I want to block. I was told that it will block the traffic to the exception list since the action on the Geo Policy is set to Accept. Is anyone able to confirm this solution will work?
The exceptions in Geo Policy cannot be used to explicitly block traffic. If you really want to do this with Geo Policy in SmartConsole it will be clumsy, but I'd suggest this:
1) Add the country you wish to block (India) to "Policy for Specific Countries", set for "From Country" with an action of Block.
2) In the Geo Policy exceptions, explicitly add exceptions for the Destinations and Services that you want the subject country to be able to access. Note that you can only do this using IP addresses and port numbers, not by country name.
As you can see, not ideal. What might be easier on an R80.10 gateway or earlier, if you have SecureXL enabled on your gateway, is to create a new fw samp rate-limiting rule matching the country, destination IP, and port number you wish to block and assign it an allowed packet rate of zero. This is done from the gateway command line in expert mode.
Better yet, if you have R80.20+ for both management and gateway, you can leverage the new Updatable Objects, which include Geo Country Objects. In that case you can use those Geo Objects directly in your main policy layers and explicitly permit or deny whatever traffic you want by country, which is much more flexible than clumsily trying to use Geo Policy for that purpose. With R80.20+ Geo Objects you could just add a rule right at the top of the Firewall/Network policy layer like this:
Src: India  Dst: Server(s)  Service: Port(s)  Action: Drop  Track: Log
CET (Europe) Timezone Course Scheduled for July 1-2
Hi
Can you post screenshots of the rules step by step? I added Geo rules but the object does not exist on the firewall 😞
I use R80.30
Here you go
On R80.30 I'd suggest using Geo Updatable Objects directly in your policy layers instead of the older Geo Policy. Here is an excerpt from the third edition of my book showing how to add these in:
Configuring GEO Updatable Objects
Configuration of GEO Updatable Objects is extremely straightforward; they are more or less treated like any other object in our Policy Layers. For our example we will add a policy rule blocking traffic from the country of North Korea. In the source of our new rule, click the “+” icon then “Import...Updatable Objects” as shown:
Expand the “GEO Locations..Asia” section and select the checkbox next to North Korea:
Click OK and the country of North Korea is added to the source of our rule:
That’s it. Other than the slightly longer procedure to access and place the GEO Updatable Object into our rule, they are treated the same as any other object in our policies. The sample configuration of the older Geo Policy in the next section is significantly more convoluted; use GEO Updatable Objects instead! For the latest updates see sk126172: Geo Location objects as network objects in R80.20.
Is it OK to use an inline rule with the Geo Updatable Objects? I have some countries blocked, but we need to allow port 443 traffic to some of our servers from one of the countries we have blocked (I have other exceptions I will need to create as well, but this is the most pressing). This is what I have created (but not installed). The Geo rule is up at the top of the rulebase. Is there a better way, or is this how the Updatable Objects and inline rules are intended to be used? Your thoughts are appreciated.
That config looks fine to me, although at least initially I'd advise setting the Track of rule 4.2 to "Log" in case troubleshooting is needed. Ideally you should log everything the firewall drops for ease of troubleshooting, especially when setting up new rules like this.
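As an added example (not code from this thread or from Check Point), here is a Management API script that builds the rulebase the two replies above describe: a Geo Updatable Object for the country in a rule at the top of the Network layer, sending that traffic into an inline layer whose first rule is the port-443 exception and whose last rule is a logged catch-all Drop. The host, credentials and object names (Web-Srv-1, Web-Srv-2, https, "Geo Exceptions") are assumptions. The command and field names (add-updatable-object, show-updatable-objects-repository-content, add-access-layer, add-access-rule with "Apply Layer"/"inline-layer") are as the R80.20+ Management API reference documents them to the best of my knowledge; confirm them against the API version on your management server before running push().

```python
"""Block one country with a Geo Updatable Object while carving out a logged
exception for a few servers, via the Check Point Management API (R80.20+).

Added example for this thread; host, credentials and object names are invented.
Command and field names follow the R80.20+ Management API reference as the
author recalls them: verify them against your server's API version.
"""
import json
import ssl
import urllib.request


def build_geo_block_plan(country, servers, service,
                         parent_layer="Network", inline_layer="Geo Exceptions"):
    """Return the ordered (command, payload) pairs that create this rulebase:

      <top of parent_layer>
      Geo block <country>  src=<country> dst=Any svc=Any  action=Apply Layer -> inline_layer
        .1  <country> -> servers : service   Accept  Log   (the exception)
        .2  Any       -> Any     : Any       Drop    Log   (catch-all, logged while new)

    The updatable object itself is imported in push(); rules reference it by name.
    """
    return [
        # Inline layer with no auto-added cleanup rule: we add our own, logged, Drop.
        ("add-access-layer", {"name": inline_layer, "add-default-rule": False}),
        # Parent rule at the very top so the country's traffic is classified first.
        ("add-access-rule", {
            "layer": parent_layer, "position": "top", "name": f"Geo block {country}",
            "source": [country], "destination": ["Any"], "service": ["Any"],
            "action": "Apply Layer", "inline-layer": inline_layer,
            "track": {"type": "Log"}}),
        # First match wins inside the layer, so the exception goes on top...
        ("add-access-rule", {
            "layer": inline_layer, "position": "top",
            "name": f"{country} allowed to {service}",
            "source": [country], "destination": list(servers), "service": [service],
            "action": "Accept", "track": {"type": "Log"}}),
        # ...and the catch-all Drop at the bottom, logged (the advice about rule 4.2).
        ("add-access-rule", {
            "layer": inline_layer, "position": "bottom", "name": f"{country} drop rest",
            "source": ["Any"], "destination": ["Any"], "service": ["Any"],
            "action": "Drop", "track": {"type": "Log"}}),
    ]


def check_plan(plan):
    """Sanity checks before pushing; returns a list of problems (empty == OK)."""
    problems = []
    layers = {p["name"] for c, p in plan if c == "add-access-layer"}
    rules = [p for c, p in plan if c == "add-access-rule"]
    for r in rules:
        if r["action"] == "Apply Layer" and r["inline-layer"] not in layers:
            problems.append(f"{r['name']}: inline layer {r['inline-layer']!r} not created by the plan")
        if r["action"] == "Drop" and r.get("track", {}).get("type") != "Log":
            problems.append(f"{r['name']}: drops should be logged while the rule is new")
    for layer in layers:
        in_layer = [r for r in rules if r["layer"] == layer]
        drops = [r for r in in_layer if r["action"] == "Drop"]
        if len(drops) != 1 or drops[0]["position"] != "bottom":
            problems.append(f"{layer}: expected exactly one catch-all Drop at the bottom")
        if any(r["position"] == "bottom" for r in in_layer if r["action"] != "Drop"):
            problems.append(f"{layer}: an exception placed at the bottom would sit below the Drop")
    return problems


def api_call(host, command, payload, sid=None, context=None):
    """POST one Management API command (https://<host>/web_api/<command>); return JSON."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"https://{host}/web_api/{command}",
                                 data=json.dumps(payload).encode(), headers=headers,
                                 method="POST")
    # Default context verifies the management server's certificate; pass your own
    # context only if you pin the server's CA instead.
    with urllib.request.urlopen(req, context=context or ssl.create_default_context()) as resp:
        return json.load(resp)


def push(host, user, password, country, plan, context=None):
    """Import the Geo object from the Updatable Objects repository, apply the plan, publish."""
    sid = api_call(host, "login", {"user": user, "password": password}, context=context)["sid"]
    try:
        repo = api_call(host, "show-updatable-objects-repository-content",
                        {"filter": country, "limit": 50}, sid, context)
        # Field names as in the R80.20+ API reference (assumption; verify on your version).
        match = next(o for o in repo["objects"]
                     if o["name-in-updatable-objects-repository"] == country)
        api_call(host, "add-updatable-object",
                 {"uid-in-updatable-objects-repository":
                  match["uid-in-updatable-objects-repository"]}, sid, context)
        for command, payload in plan:
            api_call(host, command, payload, sid, context)
        api_call(host, "publish", {}, sid, context)
    finally:
        api_call(host, "logout", {}, sid, context)


if __name__ == "__main__":
    plan = build_geo_block_plan("India", ["Web-Srv-1", "Web-Srv-2"], "https")
    print(check_plan(plan) or "plan OK")
    # push("mgmt.example.internal", "api_user", "secret", "India", plan)  # assumed host/creds
```

Run check_plan() before push(): it refuses a plan whose exception would land below the catch-all Drop or whose Drop is not logged, which are the two mistakes most likely to make the new rule hard to troubleshoot. Policy installation (install-policy) is left out on purpose so you can review the published rules in SmartConsole first.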
Thank you for checking it. Is this an OK way to use an inline rule? I wasn't sure if it was meant more for application layers or not.
That is fine, Geo Updatable Objects are just like any other object that can be used throughout your policy layers.
How could you create that rule?
