cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Policy according to geo location

hi,

how can i implement the policy in which single public server will get access from one country and deny from all other geo location. i am using standalone 5600 appliance with R77.30.02.

Regards,

Sagar Manandhar

0 Kudos
5 Replies

Re: Policy according to geo location

That is not how Geo Protection is designed to work.  I've had some customers (mainly local government municipalities) try to essentially "whitelist" North America and deny all other countries with Geo Protection in an attempt to protect themselves, under the reasoning that all their customers/constituents would be located in North America.  This setup causes major issues with all kinds of things and they always have to back it out. 

Geo Protection is designed to blacklist specified countries very early on and let the "allowed" countries continue on for policy evaluation as specified here:

sk110683: IPS Geo Protection drops the wrong traffic when it is configured as a whitelist

This limitation is definitely present in R77.30 and is also listed as a R80.10 known limitation. 

However I just noticed the above SK link referring to some kind of hotfix to permit Geo Protection whitelisting.  This must be a recent addition as I don't recall seeing it before.  Definitely worth investigation in your case.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Policy according to geo location

We have this configured for a customer already 3 years ago, and not had any issues with this. (on R77.20, even before this SK was created )

To do this, you have to create groups with all IP address that you do not want to be part of GEO protection, and exclude them in the IPS exclusions for the GEO protection signature  ( 2 rules, 1 as source, and 1 as destination to cover incomming and outgoing).

Next, you can configure the IPS GEO protection accordingly , to allow all outbound traffic and deny all incomming traffic from unwanted countries. As you have excluded all other IP addresses, this protection will only be relevant for that single IP.

For me, it is a missed opportunity to not have included GEO protection in the R80 'one policy' concept . I hope it is on the roadmap.

0 Kudos

Re: Policy according to geo location

that means we need to list out all the ip according to geo location and manually add the ip whenever the new ip are register to that location. may be it not feasible in my case.

0 Kudos

Re: Policy according to geo location

i'm sorry are we discussing Endpoint (R77.30.02) or maintrain Security Management (R77.30 / R80.10)?

0 Kudos

Re: Policy according to geo location

its  about security management R77.30 .

0 Kudos