This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andy_Yap
Explorer
‎2019-03-26 05:38 PM

Geo Policy

I am trying to implement a Geo policy which block traffic from certain country from accessing certain IP ad port within our domain.  I was told that I can actually use the Geo Policy is the negate way e.g add India in the Geo policy list  and set action to accept and  set policy for other country to accept too. On the exemption for the policy  set the destination to the IP and service port that I want to block. I was told that it will block the traffic to the exemption list since the action on the Geo policy is set to accept. Is anyone able to confirm this solution will work?

10 Replies
Timothy_Hall
Legend Legend
Legend
‎2019-03-27 06:54 AM

The exceptions in Geo Policy cannot be used to explicitly block traffic.  If you really want to do this with Geo Policy in the SmartConsole it will be clumsy but I'd suggest this:

1) Add the country you wish to block (India) to Policy for Specific Countries set for "From Country" with an action of Block.

2) In the Geo Policy exceptions explicitly add exceptions for the Destinations and Services that you want the subject country to be able to access.  Note that you can only do this using IP addresses and port numbers, and not by country name.

As you can see, not ideal.  What might be easier on R80.10 gateway and earlier is if you have SecureXL enabled on your gateway, create a new fw samp rate-limiting rule matching the country, destination IP, and port number you wish to block and assign an allowed packet rate of zero.  This is done from the gateway command line in expert mode.

Better yet, if you have R80.20+ for both management and gateway, you can leverage the new Updatable Objects which include Geo Country Objects.  In that case you can leverage those Geo Objects directly in your main policy layers and explicitly permit or deny whatever traffic you want by country, which is much more flexible than clumsily trying to use Geo Policy for that purpose.  With R80.20+ Geo Objects you could just add a rule right at the top of the Firewall/Network policy layer like this:

Src: India   Dst: Server(s)   Service: Port(s)   Action: Drop   Track:Log

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
aleksander_wlad
Participant
‎2020-02-18 11:32 PM
In response to Timothy_Hall

Hi 

Can you post screen with rules step by setp . i add geo rules but object on firewall not exist 😞

I use R80.30

 

Timothy_Hall
Legend Legend
Legend
‎2020-02-19 06:49 AM
In response to aleksander_wlad

On R80.30 I'd suggest using Geo Updatable Objects directly in your policy layers instead of the older Geo Policy.  Here is an excerpt from the third edition of my book showing how to add these in:

 

 

Click to Expand

Configuring GEO Updatable Objects


Configuration of GEO Updatable Objects is extremely straightforward; they are more or less treated like any other object in our Policy Layers. For our example we will add a policy rule blocking traffic from the country of North Korea. In the source of our new rule, click the “+” icon then “Import...Updatable Objects” as shown:

geo_objects2.png

 

Expand the “GEO Locations..Asia” section and select the checkbox next to North Korea:

 

geo_objects1.png

 

Click OK and the country of North Korea is added to the source of our rule:

 

policy.png

That’s it. Other than the slightly longer procedure to access and place the GEO Updatable Object into our rule, they are treated the same as any other object in our policies. The sample configuration of the older Geo Policy in the next section is significantly more convoluted; use GEO Updatable Objects instead! For the latest updates see sk126172: Geo Location objects as network objects in R80.20.

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
Terri_Hawkins
Collaborator
‎2020-05-27 04:07 AM
In response to Timothy_Hall

Is it ok to use an inline rule with the Geo Updateable Objects. I have some countries blocked, but we need to allow port 443 traffic to some of our servers from one of the countries we have blocked (I have other exceptions I will need to create also, but this is the most pressing).  This is what I have created (but not installed). The Geo rule is up at the top of the rulebase. Is there a better way or is this how the updateable objects and inline rules are intended to be used? Your thoughts are appreciated.

georule.png

Timothy_Hall
Legend Legend
Legend
‎2020-05-27 06:00 AM
In response to Terri_Hawkins

That config looks fine to me, although at least initially I'd advise setting the Track of rule 4.2 to "Log" in case troubleshooting is needed.  Ideally you should log everything the firewall drops for ease of troubleshooting, especially when setting up new rules like this.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
Terri_Hawkins
Collaborator
‎2020-05-27 06:06 AM
In response to Timothy_Hall

Thank you for checking it. Is this an ok way to use an inline rule? I wasn't sure if it was more for application layers or not?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-05-27 06:59 AM
In response to Terri_Hawkins

That is fine, Geo Updatable Objects are just like any other object that can be used throughout your policy layers. 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
minarisk1
Explorer
‎2020-08-21 05:25 AM
In response to Terri_Hawkins

how could you create that policy ?
0 Kudos
minarisk1
Explorer
‎2020-08-21 05:26 AM
In response to Terri_Hawkins

how could you create that rule ?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top