This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Patrick_Taphorn
Participant
‎2018-12-20 05:55 PM
Jump to solution

Order of Geo-Protection Enforcement in R80.20

Scenario: R80.20 gateway is assigned to Geo-Protection policy that Allows access To/From United States, To/From Isreal, and default action of Drop for all other countries.

End-user is traveling to United Kingdom and needs access web server behind gateway. An Access Policy rule is created using new R80.20 Updatable Geo Object to allow United Kingdom access to web Server.

Question: Will The Geo-Protection policy drop the traffic from the United Kingdom BEFORE the access policy rule is hit?

Labels
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2018-12-21 07:20 AM
Jump to solution

Geo Policy will always be enforced first, long before the rulebase is ever reached.  If Geo Policy specifies a drop (whether configured as a whitelist or a blacklist) the traffic will be killed very early in firewall processing.  If Geo Policy specifies an Accept, then the rulebase potentially using Geo Objects in R80.20 will be consulted.  From a performance optimization perspective, it is always preferable to drop traffic using the Geo Policy if possible but the Geo Objects in R80.20 do offer some additional policy flexibility.

Your question is quite timely for reasons that will be publicly announced soon.  🙂

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

6 Replies
Ryan_St__Germai
Advisor
‎2018-12-21 05:21 AM
Jump to solution

I asked a similar question. I didn't get a direct answer. https://community.checkpoint.com/thread/9888-do-geo-location-objects-trump-the-ips-geo-policy 

0 Kudos
_Val_
Admin
Admin
‎2018-12-21 06:05 AM
In response to Ryan_St__Germai
Jump to solution

Actually, the answer you got is correct, but probably not clear enough.

As far as I am concerned, and that was also mentioned by Tim Hall, Geo policy is enforced before Access rules. The comment done by Tomer is saying: if you have any concerns about order of rules, use Unified Policy with inline layers, where you have more control over the order of things. 

Now, in the example above the topic starter only allows USA and Israel traffic while dropping anything else. The answer to the question at the end is yes, rule 7 will not be matched, as Geo Policy drops all UK traffic before Access rules

Timothy_Hall
MVP Gold
MVP Gold
‎2018-12-21 07:20 AM
Jump to solution

Geo Policy will always be enforced first, long before the rulebase is ever reached.  If Geo Policy specifies a drop (whether configured as a whitelist or a blacklist) the traffic will be killed very early in firewall processing.  If Geo Policy specifies an Accept, then the rulebase potentially using Geo Objects in R80.20 will be consulted.  From a performance optimization perspective, it is always preferable to drop traffic using the Geo Policy if possible but the Geo Objects in R80.20 do offer some additional policy flexibility.

Your question is quite timely for reasons that will be publicly announced soon.  🙂

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Patrick_Taphorn
Participant
‎2018-12-21 07:43 AM
In response to Timothy_Hall
Jump to solution

Thanks Tim for the clarification.   Hopefully the big announcement is being able to select a Updatable Geo Object as a source or destination object in the Geo Policy Exceptions list. Smiley Happy

Timothy_Hall
MVP Gold
MVP Gold
‎2018-12-27 06:32 AM
In response to Patrick_Taphorn
Jump to solution

Actually the announcement is that I will be kicking off the Tuesday CheckMates break-out sessions at CPX360 Vegas and Vienna with an in-depth discussion of "your secret weapon" Geo Policy/Objects.   

See the CPX360 schedule for details.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Danny
MVP Platinum
MVP Platinum
‎2019-04-17 11:42 AM
In response to Timothy_Hall
Jump to solution

I added a check for Geo Policy Blade and it's update status to our ccc script.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events