This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Abeja_huhuhu
Contributor
‎2019-07-06 07:03 PM
Jump to solution

How to block all other country and only accept destination service from specific country

Hi Guys,

 

i would like to know is it possible for us to create a rule that only accept connection coming from specific country for speficic services?

i believe the first portion can be done using clean up rule or spefic drop rule but then the most important part is to only allow access specific service from specific country for eg: singapore, as we are not able to list down all malaysia subnets inside this rules.

please advise.

1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2019-07-06 08:06 PM
Jump to solution

If you have an R80.20+ management and gateway, you can do that easily via Updatable Objects.  Updatable Objects representing countries can be used like any other object in your rule base.  If you have R80.10 or earlier, you could use the Geo Policy/Protection feature to block all traffic from a particular country then create an exception allowing a particular service from that country.  A bit roundabout but will work.

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

View solution in original post

5 Replies
Timothy_Hall
Legend Legend
Legend
‎2019-07-06 08:06 PM
Jump to solution

If you have an R80.20+ management and gateway, you can do that easily via Updatable Objects.  Updatable Objects representing countries can be used like any other object in your rule base.  If you have R80.10 or earlier, you could use the Geo Policy/Protection feature to block all traffic from a particular country then create an exception allowing a particular service from that country.  A bit roundabout but will work.

 

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
Blason_R
Leader
Leader
‎2019-07-06 10:02 PM
In response to Timothy_Hall
Jump to solution

Yes, that is the easiest option and it works perfectly fine. 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Abeja_huhuhu
Contributor
‎2019-08-30 10:06 AM
In response to Timothy_Hall
Jump to solution

Hi Timothy,

thanks for your advise. yes, it is working. we are using R80.20. so case close.
0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2019-08-30 08:14 PM
In response to Abeja_huhuhu
Jump to solution

Be careful with blocking everything else than my own country type of policy. The reason is simple. Today many cloud based services have servers in many countries without you knowing it. Blocking everything else except US for example might lead to connectivity problems if a DNS server happens to be in Germany.

chymmmy
Participant
‎2024-03-04 04:34 AM
In response to Lari_Luoma
Jump to solution

Following this thread, what is the best practice in checkpoint security policies allow the DNS service but securing that service.
We have an autorize server that it should be connect with the others DNS servers (cloudfare DNS, cisco DNS, google DNS, etc), so what can be done?

Are there a configuration more specific for that service that a simple rules as below ?
5 - deny countries (a few countries)
10 - allow our public IP DNS server -> any DNS service
15 - allow any -> our public IP DNS server DNS service

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top