Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sagar_Manandhar
Advisor

Policy according to geo location

hi,

how can i implement the policy in which single public server will get access from one country and deny from all other geo location. i am using standalone 5600 appliance with R77.30.02.

Regards,

Sagar Manandhar

0 Kudos
5 Replies
Timothy_Hall
Legend Legend
Legend

That is not how Geo Protection is designed to work.  I've had some customers (mainly local government municipalities) try to essentially "whitelist" North America and deny all other countries with Geo Protection in an attempt to protect themselves, under the reasoning that all their customers/constituents would be located in North America.  This setup causes major issues with all kinds of things and they always have to back it out. 

Geo Protection is designed to blacklist specified countries very early on and let the "allowed" countries continue on for policy evaluation as specified here:

sk110683: IPS Geo Protection drops the wrong traffic when it is configured as a whitelist

This limitation is definitely present in R77.30 and is also listed as a R80.10 known limitation. 

However I just noticed the above SK link referring to some kind of hotfix to permit Geo Protection whitelisting.  This must be a recent addition as I don't recall seeing it before.  Definitely worth investigation in your case.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Kristof_Vermael
Contributor

We have this configured for a customer already 3 years ago, and not had any issues with this. (on R77.20, even before this SK was created )

To do this, you have to create groups with all IP address that you do not want to be part of GEO protection, and exclude them in the IPS exclusions for the GEO protection signature  ( 2 rules, 1 as source, and 1 as destination to cover incomming and outgoing).

Next, you can configure the IPS GEO protection accordingly , to allow all outbound traffic and deny all incomming traffic from unwanted countries. As you have excluded all other IP addresses, this protection will only be relevant for that single IP.

For me, it is a missed opportunity to not have included GEO protection in the R80 'one policy' concept . I hope it is on the roadmap.

0 Kudos
Sagar_Manandhar
Advisor

that means we need to list out all the ip according to geo location and manually add the ip whenever the new ip are register to that location. may be it not feasible in my case.

0 Kudos
Tomer_Sole
Mentor
Mentor

i'm sorry are we discussing Endpoint (R77.30.02) or maintrain Security Management (R77.30 / R80.10)?

0 Kudos
Sagar_Manandhar
Advisor

its  about security management R77.30 .

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events