Create a Post
Showing results for 
Search instead for 
Did you mean: 

Policy according to geo location


how can i implement the policy in which single public server will get access from one country and deny from all other geo location. i am using standalone 5600 appliance with R77.30.02.


Sagar Manandhar

0 Kudos
5 Replies
Champion Champion

That is not how Geo Protection is designed to work.  I've had some customers (mainly local government municipalities) try to essentially "whitelist" North America and deny all other countries with Geo Protection in an attempt to protect themselves, under the reasoning that all their customers/constituents would be located in North America.  This setup causes major issues with all kinds of things and they always have to back it out. 

Geo Protection is designed to blacklist specified countries very early on and let the "allowed" countries continue on for policy evaluation as specified here:

sk110683: IPS Geo Protection drops the wrong traffic when it is configured as a whitelist

This limitation is definitely present in R77.30 and is also listed as a R80.10 known limitation. 

However I just noticed the above SK link referring to some kind of hotfix to permit Geo Protection whitelisting.  This must be a recent addition as I don't recall seeing it before.  Definitely worth investigation in your case.

My book "Max Power: Check Point Firewall Performance Optimization"
now available via

Gateway Performance Optimization R81.20 Course
now available at

We have this configured for a customer already 3 years ago, and not had any issues with this. (on R77.20, even before this SK was created )

To do this, you have to create groups with all IP address that you do not want to be part of GEO protection, and exclude them in the IPS exclusions for the GEO protection signature  ( 2 rules, 1 as source, and 1 as destination to cover incomming and outgoing).

Next, you can configure the IPS GEO protection accordingly , to allow all outbound traffic and deny all incomming traffic from unwanted countries. As you have excluded all other IP addresses, this protection will only be relevant for that single IP.

For me, it is a missed opportunity to not have included GEO protection in the R80 'one policy' concept . I hope it is on the roadmap.

0 Kudos

that means we need to list out all the ip according to geo location and manually add the ip whenever the new ip are register to that location. may be it not feasible in my case.

0 Kudos

i'm sorry are we discussing Endpoint (R77.30.02) or maintrain Security Management (R77.30 / R80.10)?

0 Kudos

its  about security management R77.30 .

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events