
Is there any way to restrict RA users per geolocation?

Simple as it gets: I need to allow remote access connections (with the VPN client and/or Capsule) to be established only from certain countries for some users. Is there any way to do it?

I know I could allow/deny https connections to the gateway from a country in the access control rulebase, but I can't do that, as some users may be connecting from different countries... But I need to be sure that other users can't connect from some other countries.

The location tab on the user properties only allows me to use network objects, so that also doesn't work for me. Nor does the Geo Policy offer the flexibility to do this.

Hope I was clear with my question, thanks!

Admin

Re: Is there any way to restrict RA users per geolocation?

Have you tried using a rule with source: countries, vpn: remote access, action: drop?

This implies R80.20.


Re: Is there any way to restrict RA users per geolocation?

Hi PhoneBoy, I owe you an answer but we had the platform migration in between.

I would try the rule as you said, but if I apply it as-is, would it be blocking *all* remote access connections for *all* users from that country?
I need to block from some countries, but only for some users at the same time.

P.S.: yes, the gateway involved is an R80.20
Jerry
Gold

Re: Is there any way to restrict RA users per geolocation?

Sounds like you want to eat a cake and have a cake; you need to be more specific, Santiago.

If you make a rule "before" the MAB rules dropping specific countries, then none of the users will be able to connect to your listening ports on the firewall.
Should you think about dropping the access per "users", I think you know the answer how to "deny" access for specific users, do you?
I believe, if I understand correctly, you want to drop specific users from specific countries - that won't be easy, even considering R80.30, as you have two aspects in place: country and username. YOU know well how to deny access to specific user(s), but country-wise I believe one drop rule above the MAB access rule and off you go.

Correct me if I'm wrong, but I think it isn't that complicated, right?

Cheers
Jerry

Re: Is there any way to restrict RA users per geolocation?

Hi Jerry, maybe my question appears to be complicated, but it is as easy as you said in your last paragraph. I think the problem is that the rule I need needs too much granularity.
Like you said, I know how to drop traffic from specific countries... And I know how to drop traffic from specific RA users... But as you said, I need both aspects in place and enforced in the same rule.

Maybe with an example the issue will be simpler to understand: I need to drop RA connections from USA for certain users (or user groups), but other RA users still have to be able to connect from USA.
If I do a drop rule for USA above the MAB/RA access rule, it will drop *all* RA connections incoming from USA, regardless of which user is the one trying to connect.

The granularity is the issue here: I need the cake, eat it and have it :P
