This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sagar_Manandhar
Advisor
‎2017-08-07 03:21 AM

Policy according to geo location

hi,

how can i implement the policy in which single public server will get access from one country and deny from all other geo location. i am using standalone 5600 appliance with R77.30.02.

Regards,

Sagar Manandhar

0 Kudos
5 Replies
Timothy_Hall
Legend Legend
Legend
‎2017-08-07 05:25 AM

That is not how Geo Protection is designed to work.  I've had some customers (mainly local government municipalities) try to essentially "whitelist" North America and deny all other countries with Geo Protection in an attempt to protect themselves, under the reasoning that all their customers/constituents would be located in North America.  This setup causes major issues with all kinds of things and they always have to back it out. 

Geo Protection is designed to blacklist specified countries very early on and let the "allowed" countries continue on for policy evaluation as specified here:

sk110683: IPS Geo Protection drops the wrong traffic when it is configured as a whitelist

This limitation is definitely present in R77.30 and is also listed as a R80.10 known limitation. 

However I just noticed the above SK link referring to some kind of hotfix to permit Geo Protection whitelisting.  This must be a recent addition as I don't recall seeing it before.  Definitely worth investigation in your case.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Kristof_Vermael
Contributor
‎2017-08-07 07:20 AM

We have this configured for a customer already 3 years ago, and not had any issues with this. (on R77.20, even before this SK was created )

To do this, you have to create groups with all IP address that you do not want to be part of GEO protection, and exclude them in the IPS exclusions for the GEO protection signature  ( 2 rules, 1 as source, and 1 as destination to cover incomming and outgoing).

Next, you can configure the IPS GEO protection accordingly , to allow all outbound traffic and deny all incomming traffic from unwanted countries. As you have excluded all other IP addresses, this protection will only be relevant for that single IP.

For me, it is a missed opportunity to not have included GEO protection in the R80 'one policy' concept . I hope it is on the roadmap.

0 Kudos
Sagar_Manandhar
Advisor
‎2017-08-07 07:40 AM
In response to Kristof_Vermael

that means we need to list out all the ip according to geo location and manually add the ip whenever the new ip are register to that location. may be it not feasible in my case.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2017-08-07 08:10 AM

i'm sorry are we discussing Endpoint (R77.30.02) or maintrain Security Management (R77.30 / R80.10)?

0 Kudos
Sagar_Manandhar
Advisor
‎2017-08-07 08:18 AM
In response to Tomer_Sole

its  about security management R77.30 .

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events