Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Abeja_huhuhu
Contributor
Jump to solution

How to block all other country and only accept destination service from specific country

Hi Guys,

 

i would like to know is it possible for us to create a rule that only accept connection coming from specific country for speficic services?

i believe the first portion can be done using clean up rule or spefic drop rule but then the most important part is to only allow access specific service from specific country for eg: singapore, as we are not able to list down all malaysia subnets inside this rules.

please advise.

1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend

If you have an R80.20+ management and gateway, you can do that easily via Updatable Objects.  Updatable Objects representing countries can be used like any other object in your rule base.  If you have R80.10 or earlier, you could use the Geo Policy/Protection feature to block all traffic from a particular country then create an exception allowing a particular service from that country.  A bit roundabout but will work.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

5 Replies
Timothy_Hall
Legend Legend
Legend

If you have an R80.20+ management and gateway, you can do that easily via Updatable Objects.  Updatable Objects representing countries can be used like any other object in your rule base.  If you have R80.10 or earlier, you could use the Geo Policy/Protection feature to block all traffic from a particular country then create an exception allowing a particular service from that country.  A bit roundabout but will work.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Blason_R
Leader
Leader

Yes, that is the easiest option and it works perfectly fine. 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Abeja_huhuhu
Contributor
Hi Timothy,

thanks for your advise. yes, it is working. we are using R80.20. so case close.
0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador

Be careful with blocking everything else than my own country type of policy. The reason is simple. Today many cloud based services have servers in many countries without you knowing it. Blocking everything else except US for example might lead to connectivity problems if a DNS server happens to be in Germany.

chymmmy
Participant

Following this thread, what is the best practice in checkpoint security policies allow the DNS service but securing that service.
We have an autorize server that it should be connect with the others DNS servers (cloudfare DNS, cisco DNS, google DNS, etc), so what can be done?

Are there a configuration more specific for that service that a simple rules as below ?
5 - deny countries (a few countries)
10 - allow our public IP DNS server -> any DNS service
15 - allow any -> our public IP DNS server DNS service

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events