Patrick_Taphorn
Participant

Order of Geo-Protection Enforcement in R80.20

Scenario: R80.20 gateway is assigned to Geo-Protection policy that Allows access To/From United States, To/From Israel, and default action of Drop for all other countries.

End-user is traveling to the United Kingdom and needs access to a web server behind the gateway. An Access Policy rule is created using the new R80.20 Updatable Geo Object to allow United Kingdom access to the web server.

Question: Will The Geo-Protection policy drop the traffic from the United Kingdom BEFORE the access policy rule is hit?

Accepted Solutions
Timothy_Hall
Legend

Geo Policy will always be enforced first, long before the rulebase is ever reached.  If Geo Policy specifies a drop (whether configured as a whitelist or a blacklist) the traffic will be killed very early in firewall processing.  If Geo Policy specifies an Accept, then the rulebase potentially using Geo Objects in R80.20 will be consulted.  From a performance optimization perspective, it is always preferable to drop traffic using the Geo Policy if possible but the Geo Objects in R80.20 do offer some additional policy flexibility.

Your question is quite timely for reasons that will be publicly announced soon.  🙂

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com


6 Replies
Ryan_St__Germai
Advisor

I asked a similar question. I didn't get a direct answer. https://community.checkpoint.com/thread/9888-do-geo-location-objects-trump-the-ips-geo-policy 

_Val_
Admin

Actually, the answer you got is correct, but probably not clear enough.

As far as I am concerned, and that was also mentioned by Tim Hall, Geo policy is enforced before Access rules. The comment made by Tomer says: if you have any concerns about the order of rules, use Unified Policy with inline layers, where you have more control over the order of things.

Now, in the example above the topic starter only allows USA and Israel traffic while dropping anything else. The answer to the question at the end is yes: rule 7 will not be matched, as Geo Policy drops all UK traffic before Access rules.

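The evaluation order Tim describes, and the UK scenario Val walks through, as an added example that is not Check Point code and was not posted in this thread: a small Python model of a gateway that consults Geo Policy first and only passes surviving traffic to the Access Policy rulebase. The country codes, the web server's location (assumed to be in the US), the cleanup rule number and the "to/from" matching semantics (a drop on either the source or destination country wins) are constructed assumptions; only "rule 7" comes from the thread.

```python
"""Two-stage enforcement model: Geo Policy first, Access Policy rulebase second.

Constructed illustration of the order discussed in the thread, not a Check Point
implementation. Geo Policy can only drop a packet or pass it on; the rulebase
(which in R80.20 may reference Updatable Geo Objects) never sees geo-dropped traffic.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_country: str   # constructed ISO-style codes: "US", "IL", "GB"
    dst_country: str
    dst_port: int


@dataclass
class GeoPolicy:
    # Explicit per-country action ("accept"/"drop"); unlisted countries get default_action.
    country_actions: dict
    default_action: str  # "drop" => whitelist style, "accept" => blacklist style

    def evaluate(self, pkt: Packet) -> str:
        # Assumed "To/From" semantics: look at both ends, and a drop on either side wins.
        actions = {self.country_actions.get(c, self.default_action)
                   for c in (pkt.src_country, pkt.dst_country)}
        return "drop" if "drop" in actions else "accept"


@dataclass
class AccessRule:
    number: int
    name: str
    src_countries: Optional[set]   # None = Any; a set stands in for an Updatable Geo Object
    dst_countries: Optional[set]
    dst_port: Optional[int]
    action: str

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_countries is None or pkt.src_country in self.src_countries)
                and (self.dst_countries is None or pkt.dst_country in self.dst_countries)
                and (self.dst_port is None or pkt.dst_port == self.dst_port))


@dataclass
class Gateway:
    geo_policy: GeoPolicy
    rulebase: list

    def process(self, pkt: Packet):
        """Return (stage, action, rule_number) for the decision that ended processing."""
        if self.geo_policy.evaluate(pkt) == "drop":
            return ("geo_policy", "drop", None)          # rulebase never consulted
        for rule in self.rulebase:                       # first match wins
            if rule.matches(pkt):
                return ("access_policy", rule.action, rule.number)
        return ("access_policy", "drop", None)           # implicit cleanup


# Constructed scenario from the thread: allow US and Israel, drop everything else.
WHITELIST_GEO = GeoPolicy({"US": "accept", "IL": "accept"}, default_action="drop")
# Same whitelist with the UK added, i.e. what lets rule 7 become reachable.
WHITELIST_PLUS_UK = GeoPolicy({"US": "accept", "IL": "accept", "GB": "accept"}, default_action="drop")
# Blacklist-style policy; "XX" is a constructed placeholder for some blocked country.
BLACKLIST_GEO = GeoPolicy({"XX": "drop"}, default_action="accept")

RULEBASE = [
    AccessRule(7, "Allow UK to web server (Updatable Geo Object)", {"GB"}, {"US"}, 443, "accept"),
    AccessRule(8, "Cleanup", None, None, None, "drop"),   # rule number constructed
]

UK_TO_WEB = Packet("GB", "US", 443)   # traveller in the UK reaching the (assumed US) web server
US_TO_IL = Packet("US", "IL", 443)


def whitelist_result():
    return Gateway(WHITELIST_GEO, RULEBASE).process(UK_TO_WEB)


def whitelist_plus_uk_result():
    return Gateway(WHITELIST_PLUS_UK, RULEBASE).process(UK_TO_WEB)


def blacklist_result():
    return Gateway(BLACKLIST_GEO, RULEBASE).process(UK_TO_WEB)


def allowed_countries_result():
    return Gateway(WHITELIST_GEO, RULEBASE).process(US_TO_IL)


if __name__ == "__main__":
    print(whitelist_result())          # ('geo_policy', 'drop', None): rule 7 never reached
    print(whitelist_plus_uk_result())  # ('access_policy', 'accept', 7)
    print(blacklist_result())          # ('access_policy', 'accept', 7)
    print(allowed_countries_result())  # ('access_policy', 'drop', 8): passes geo, hits cleanup
```

The model makes the thread's point concrete: under the original whitelist the UK packet is decided at the Geo Policy stage with `rule_number` `None`, so rule 7 is irrelevant to it. Only when the Geo Policy itself admits UK traffic (or is blacklist-style and does not list the UK) does the Updatable Geo Object rule ever get a chance to match.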
Patrick_Taphorn
Participant

Thanks Tim for the clarification. Hopefully the big announcement is being able to select an Updatable Geo Object as a source or destination object in the Geo Policy Exceptions list. 🙂

Timothy_Hall
Legend

Actually the announcement is that I will be kicking off the Tuesday CheckMates break-out sessions at CPX360 Vegas and Vienna with an in-depth discussion of "your secret weapon" Geo Policy/Objects.

See the CPX360 schedule for details.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Danny
Champion

I added a check for the Geo Policy Blade and its update status to our ccc script.
