Order of Geo-Protection Enforcement in R80.20

Scenario: an R80.20 gateway is assigned a Geo-Protection policy that allows access to/from the United States and to/from Israel, with a default action of Drop for all other countries.

An end user is traveling to the United Kingdom and needs access to a web server behind the gateway. An Access Policy rule is created using the new R80.20 Updatable Geo Object to allow United Kingdom access to the web server.

Question: Will the Geo-Protection policy drop the traffic from the United Kingdom BEFORE the access policy rule is hit?

Accepted Solutions

Re: Order of Geo-Protection Enforcement in R80.20

Geo Policy will always be enforced first, long before the rulebase is ever reached.  If Geo Policy specifies a drop (whether configured as a whitelist or a blacklist) the traffic will be killed very early in firewall processing.  If Geo Policy specifies an Accept, then the rulebase potentially using Geo Objects in R80.20 will be consulted.  From a performance optimization perspective, it is always preferable to drop traffic using the Geo Policy if possible but the Geo Objects in R80.20 do offer some additional policy flexibility.

Your question is quite timely for reasons that will be publicly announced soon.  🙂

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
6 Replies

Re: Order of Geo-Protection Enforcement in R80.20

I asked a similar question. I didn't get a direct answer.  

Re: Order of Geo-Protection Enforcement in R80.20

Actually, the answer you got is correct, but probably not clear enough.

As far as I am concerned, and as was also mentioned by Tim Hall, Geo Policy is enforced before Access rules. The comment made by Tomer says: if you have any concerns about the order of rules, use Unified Policy with inline layers, where you have more control over the order of things.

Now, in the example above the topic starter only allows USA and Israel traffic while dropping anything else. The answer to the question at the end is yes: rule 7 will not be matched, as Geo Policy drops all UK traffic before the Access rules are reached.
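The two-stage order described in the accepted answer and in the reply above, as an added example (not Check Point code, and not written by any poster in this thread): a toy evaluator in which Geo Policy is consulted first and the Access rulebase, including rules built on Updatable Geo Objects, only ever sees traffic that Geo Policy accepted. Everything in it is constructed for illustration: the address-to-country table, the web server address, the rule numbers (rule 7 stands for the UK rule the reply refers to), the "whitelist"/"blacklist" modelling of Geo Policy as accept-listed-countries versus drop-listed-countries, and the network-based exceptions list. None of it reflects how the product is implemented internally; it only reproduces the ordering the thread states.

```python
"""Toy model of the two-stage evaluation the thread describes: Geo Policy is
consulted first, and only traffic it accepts ever reaches the Access rulebase.
Added example; not Check Point code. Country data and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed IP-to-country table standing in for the real GeoIP database.
GEOIP = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "IL",
    ip_network("192.0.2.0/24"): "GB",
}
WEB_SERVER = "10.1.1.80"   # constructed address of the server behind the gateway


def country_of(ip: str) -> Optional[str]:
    """Look up the country code of an address; None for private/unknown space."""
    addr = ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return None


@dataclass(frozen=True)
class GeoPolicy:
    """Assumed model: 'whitelist' accepts only traffic to/from the listed
    countries (default drop); 'blacklist' drops traffic to/from the listed
    countries (default accept). Exceptions are networks that bypass the check."""
    mode: str
    countries: frozenset
    exceptions: tuple = ()

    def decide(self, src_ip: str, dst_ip: str) -> str:
        if any(ip_address(ip) in net for ip in (src_ip, dst_ip) for net in self.exceptions):
            return "accept"
        listed = {country_of(src_ip), country_of(dst_ip)} & self.countries
        if self.mode == "whitelist":
            return "accept" if listed else "drop"
        if self.mode == "blacklist":
            return "drop" if listed else "accept"
        raise ValueError(f"unknown Geo Policy mode: {self.mode}")


@dataclass(frozen=True)
class Rule:
    """An Access Policy rule whose source is an Updatable Geo Object (modelled
    as a set of country codes) and whose destination is a single host."""
    number: int
    src_countries: frozenset
    dst: str
    action: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return country_of(src_ip) in self.src_countries and dst_ip == self.dst


def evaluate(geo: GeoPolicy, rules, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (action, decided_by). Geo Policy runs first; a Geo drop is final
    and the rulebase is never consulted."""
    if geo.decide(src_ip, dst_ip) == "drop":
        return "drop", "geo-policy"
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, f"rule {rule.number}"
    return "drop", "cleanup"   # implicit cleanup rule at the end of the rulebase


# The scenario from the question: Geo Policy whitelists US and IL, default drop.
GEO_WHITELIST = GeoPolicy("whitelist", frozenset({"US", "IL"}))
# The same Geo Policy with a constructed exception for the traveller's UK network.
GEO_WITH_EXCEPTION = GeoPolicy("whitelist", frozenset({"US", "IL"}),
                               exceptions=(ip_network("192.0.2.0/24"),))
# Rule 7 is the UK rule referred to in the thread; rule 1 is constructed for contrast.
RULES = (
    Rule(1, frozenset({"US", "IL"}), WEB_SERVER, "accept"),
    Rule(7, frozenset({"GB"}), WEB_SERVER, "accept"),
)

if __name__ == "__main__":
    for label, geo in (("as configured", GEO_WHITELIST), ("with exception", GEO_WITH_EXCEPTION)):
        print(label, "US ->", evaluate(geo, RULES, "203.0.113.5", WEB_SERVER))
        print(label, "UK ->", evaluate(geo, RULES, "192.0.2.10", WEB_SERVER))
```

With the Geo Policy as configured, the UK traveller's traffic comes back as dropped by "geo-policy" and rule 7 is never evaluated; it is a dead rule, which is worth flagging in a policy review. Only when Geo Policy accepts the traffic (here through the constructed exception, or under a blacklist mode that does not list GB) does rule 7 get a chance to match.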

Re: Order of Geo-Protection Enforcement in R80.20

Thanks Tim for the clarification. Hopefully the big announcement is being able to select an Updatable Geo Object as a source or destination object in the Geo Policy Exceptions list. 🙂

Re: Order of Geo-Protection Enforcement in R80.20

Actually the announcement is that I will be kicking off the Tuesday CheckMates break-out sessions at CPX360 Vegas and Vienna with an in-depth discussion of "your secret weapon" Geo Policy/Objects.   

See the CPX360 schedule for details.


Re: Order of Geo-Protection Enforcement in R80.20

I added a check for the Geo Policy blade and its update status to our ccc script.