SantiagoPlatero
Collaborator

Is there any way to restrict RA users per geolocation?

Simple as it gets: I need to only allow to establish remote access connections (with the VPN client and/or Capsule) from certain countries for some users. Is there any way to do it?

I know I could allow/deny HTTPS connections to the gateway from a country on the access control rulebase, but I can't do that as some users may be connecting from different countries... But I need to be sure that other users can't connect from some other countries.

The Location tab on the user properties only allows me to use network objects, so that also doesn't work for me. And neither does the Geo Policy offer the flexibility to do this.

Hope I was clear with my question, thanks!

0 Kudos
12 Replies
PhoneBoy
Admin

Have you tried using a rule with source: countries, vpn: remote access, action: drop?

This implies R80.20.

0 Kudos
SantiagoPlatero
Collaborator

Hi PhoneBoy, I owe you an answer but we had the platform migration in between.

I would try the rule as you said, but if I apply it as-is, would it block *all* remote access connections for *all* users from that country?
I need to block from some countries but only for some users at the same time.

P.S.: yes, the gateway involved is an R80.20
0 Kudos
Jerry
Leader

Sounds like you want to eat a cake and have a cake; you need to be more specific, Santiago.

If you make a rule "before" the MAB rules dropping specific countries, then none of the users will be able to connect to your listening ports on the Firewall.
Should you think about dropping the access per "users", I think you know the answer how to "deny" access for specific users, don't you?
I believe, if I understand correctly, you want to drop specific users from specific countries - that won't be easy, even considering R80.30, as you have two aspects in place: country and username. YOU know well how to deny access to specific user(s), but country-wise I believe one drop rule above the MAB access rule and off you go.

Correct me if I'm wrong, but I think it isn't that complicated, right?

Cheers
Jerry
0 Kudos
SantiagoPlatero
Collaborator

Hi Jerry, maybe my question appears to be complicated, but it is as easy as you said in your last paragraph. I think the problem is that the rule I need requires too much granularity.
Like you said, I know how to drop traffic from specific countries... And I know how to drop traffic from specific RA users... But as you said, I need both aspects in place and enforced in the same rule.

Maybe with an example the issue will be simpler to understand: I need to drop RA connections from the USA for certain users (or user groups), but other RA users still have to be able to connect from the USA.
If I do a drop rule for the USA above the MAB/RA access rule, it will drop *all* RA connections incoming from the USA, regardless of which user is the one trying to connect.

The granularity is the issue here: I need the cake, eat it and have it :P

0 Kudos
the_rock
Leader

You can block certain countries from the updatable objects list.

0 Kudos
PointOfChecking
Contributor

This doesn't work as you get the error: "Only user groups and access roles are supported as source in VPN and client authentication rules".

Also, implied rules take precedence, so the rule wouldn't apply even if we were allowed to use it.

0 Kudos
the_rock
Leader

Would you mind sending a screenshot of that rule, please? I want to see what it looks like, so I can try to mimic it in my lab.

Thanks!

0 Kudos
PointOfChecking
Contributor

Hi, I've attached it.

I've also got the error message in there too.

Thanks.

0 Kudos
Timothy_Hall
Champion

In order to block or allow RA VPN users by geo country, you would need the ability to add Updatable Objects to the Network screen of an Access Role object as matching criteria. This does not currently seem to be possible, probably because there is no mechanism to propagate Updatable Object changes on the fly into the IA User to IP Address cache (displayed with pdp monitor all).

You can try checking with the Solutions Center via your Check Point SE to see if they have some code that can enable this capability, otherwise you are probably looking at an RFE.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
PointOfChecking
Contributor

Hi Timothy,

Thanks for the reply. I can check with support.

However, your reply was talking about adding updatable objects to the Access Role object. As per my previous reply, the PNG attached does not include an Access Role.

We want to block anyone connecting to the VPN from outside the United Kingdom. Is there any way to get that to work, as both the_rock and PhoneBoy have suggested the same method of using updatable objects with the RemoteAccess VPN domain? I'm just surprised it doesn't work (they probably are too).

0 Kudos
PointOfChecking
Contributor

Hi PhoneBoy,

Old thread, but I tried your suggestion, and I get the below error:

"Only user groups and access roles are supported as source in VPN and client authentication rules"

Also, as implied rules are run first, packets are accepted even if I were able to use a rule like this.

Using R80.40

0 Kudos
Julian_Sanchez
Collaborator

I am finding the same. We need to block connections from outside Colombia, for example, so only the users of one country can connect.

0 Kudos