Explorer

Geo Policy

I am trying to implement a Geo policy which blocks traffic from a certain country from accessing a certain IP and port within our domain.  I was told that I can actually use the Geo Policy in the negated way, e.g. add India to the Geo policy list and set the action to accept, and set the policy for other countries to accept too. In the exemption for the policy, set the destination to the IP and service port that I want to block. I was told that it will block the traffic to the exemption list since the action on the Geo policy is set to accept. Is anyone able to confirm this solution will work?

10 Replies
Champion

The exceptions in Geo Policy cannot be used to explicitly block traffic.  If you really want to do this with Geo Policy in the SmartConsole it will be clumsy but I'd suggest this:

1) Add the country you wish to block (India) to Policy for Specific Countries set for "From Country" with an action of Block.

2) In the Geo Policy exceptions explicitly add exceptions for the Destinations and Services that you want the subject country to be able to access.  Note that you can only do this using IP addresses and port numbers, and not by country name.

As you can see, not ideal.  What might be easier on R80.10 gateway and earlier is if you have SecureXL enabled on your gateway, create a new fw samp rate-limiting rule matching the country, destination IP, and port number you wish to block and assign an allowed packet rate of zero.  This is done from the gateway command line in expert mode.

Better yet, if you have R80.20+ for both management and gateway, you can leverage the new Updatable Objects which include Geo Country Objects.  In that case you can leverage those Geo Objects directly in your main policy layers and explicitly permit or deny whatever traffic you want by country, which is much more flexible than clumsily trying to use Geo Policy for that purpose.  With R80.20+ Geo Objects you could just add a rule right at the top of the Firewall/Network policy layer like this:

Src: India   Dst: Server(s)   Service: Port(s)   Action: Drop   Track:Log

 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Participant

Hi 

Can you post a screenshot with the rules step by step? I add geo rules but the object on the firewall does not exist 😞

I use R80.30

 

Advisor

Here you go

Screenshot_1.png, Screenshot_2.png

Champion

On R80.30 I'd suggest using Geo Updatable Objects directly in your policy layers instead of the older Geo Policy.  Here is an excerpt from the third edition of my book showing how to add these in:

 

 


Configuring GEO Updatable Objects


Configuration of GEO Updatable Objects is extremely straightforward; they are more or less treated like any other object in our Policy Layers. For our example we will add a policy rule blocking traffic from the country of North Korea. In the source of our new rule, click the “+” icon then “Import...Updatable Objects” as shown:

geo_objects2.png

 

Expand the “GEO Locations..Asia” section and select the checkbox next to North Korea:

 

geo_objects1.png

 

Click OK and the country of North Korea is added to the source of our rule:

 

policy.png

That’s it. Other than the slightly longer procedure to access and place the GEO Updatable Object into our rule, they are treated the same as any other object in our policies. The sample configuration of the older Geo Policy in the next section is significantly more convoluted; use GEO Updatable Objects instead! For the latest updates see sk126172: Geo Location objects as network objects in R80.20.

 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Contributor

Is it ok to use an inline rule with the Geo Updatable Objects? I have some countries blocked, but we need to allow port 443 traffic to some of our servers from one of the countries we have blocked (I have other exceptions I will need to create also, but this is the most pressing).  This is what I have created (but not installed). The Geo rule is up at the top of the rulebase. Is there a better way, or is this how the updatable objects and inline rules are intended to be used? Your thoughts are appreciated.

georule.png

Champion

That config looks fine to me, although at least initially I'd advise setting the Track of rule 4.2 to "Log" in case troubleshooting is needed.  Ideally you should log everything the firewall drops for ease of troubleshooting, especially when setting up new rules like this.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
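To make the first-match semantics of the rulebase discussed above concrete (Geo rule at the top with an inline layer, sub-rule 4.1 accepting TCP/443 to specific servers, sub-rule 4.2 dropping and logging everything else from the blocked country, then the ordinary rules), here is a small added model. It is example code, not Check Point's implementation; the IP-to-country table, server addresses and rule numbers are constructed stand-ins for the Updatable Object feed and the poster's screenshot.

```python
"""Toy first-match rulebase model (added example, not Check Point code)."""
from dataclasses import dataclass, field

GEO = {"203.0.113.10": "India", "198.51.100.7": "Germany"}  # constructed, not GeoIP
SERVERS = {"192.0.2.10", "192.0.2.11"}                       # constructed web servers

@dataclass
class Rule:
    name: str
    src: str         # country name or "Any"
    dst: object      # set of IPs or "Any"
    service: object  # TCP port or "Any"
    action: str      # "Accept", "Drop" or "Inline"
    log: bool = False
    sub_rules: list = field(default_factory=list)

def matches(rule, src_ip, dst_ip, port):
    return ((rule.src == "Any" or GEO.get(src_ip) == rule.src)
            and (rule.dst == "Any" or dst_ip in rule.dst)
            and (rule.service == "Any" or rule.service == port))

def evaluate(layer, src_ip, dst_ip, port, log):
    """First match wins. An inline layer is evaluated recursively; if none of
    its sub-rules match, the layer's implicit cleanup rule drops."""
    for rule in layer:
        if not matches(rule, src_ip, dst_ip, port):
            continue
        if rule.action == "Inline":
            return (evaluate(rule.sub_rules, src_ip, dst_ip, port, log)
                    or ("Drop", rule.name + " implicit cleanup"))
        if rule.log:
            log.append(f"rule {rule.name}: {rule.action} {src_ip}->{dst_ip}:{port}")
        return rule.action, rule.name
    return None  # nothing in this layer matched

RULEBASE = [
    Rule("4", "India", "Any", "Any", "Inline", sub_rules=[
        Rule("4.1", "Any", SERVERS, 443, "Accept"),          # the 443 exception
        Rule("4.2", "Any", "Any", "Any", "Drop", log=True),  # Track: Log, as advised
    ]),
    Rule("5", "Any", SERVERS, 443, "Accept"),
    Rule("6", "Any", "Any", "Any", "Drop", log=True),        # explicit cleanup rule
]

def decide(src_ip, dst_ip, port, log=None):
    """Return (action, matched rule) for one connection; logged hits go to `log`."""
    return evaluate(RULEBASE, src_ip, dst_ip, port, [] if log is None else log)
```

Running `decide` on India to a listed server on 443 hits 4.1, while India to the same server on 22 (or to an unlisted server on 443) hits 4.2 and produces the log line that makes troubleshooting possible.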
Contributor

Thank you for checking it. Is this an ok way to use an inline rule? I wasn't sure if it was more for application layers or not?

Champion

That is fine, Geo Updatable Objects are just like any other object that can be used throughout your policy layers. 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Explorer

How could you create that policy?
Explorer

How could you create that rule?