Karan0587
Explorer

VPN Access + Geo Location

Customer has the following requirement:

Block Remote Access from any country except the one they are part of.

Now, in R81, we have updatable objects for countries, which we can use in the source field of the unified access policy.

We are basically using an Access Role for Remote Access, and there is a field (specific networks), but I can't see how we can add the updatable object (country) there.

 

Is there something we can do about this?

 

  • Gaia R81
  • Smart Cloud Mgmt
2 Replies
PhoneBoy
Admin

The issue is that the actual encrypted VPN traffic is accepted on implied rules.
That means the updatable objects in the access policy won’t work for the VPN traffic unless those implied rules are disabled and explicit rules are created for that traffic in the access policy.

Normally that requires editing .def files on the management.
Since you’re using Smart-1 Cloud, that requires a TAC case since you don’t have access to do that.

Timothy_Hall
Legend

This limitation was discussed recently (Restrict VPN access by GEO location), and will probably need to be an RFE.  You can also try checking with the Solutions Center via your Check Point SE, they may have some custom code that can block/allow Remote Access VPN by country.

However after poking around there may be a way to do this:  (Edit: After further thought I don't think this will work as the allowed sources and destinations restriction is probably applied against the inner packet IP addresses (i.e. the assigned office mode address) and not the outer IPSec packet IP address that is part of the geographic country in question)

1) Prior to the introduction of Updatable Geo Objects in R80.20, @HeikoAnkenbrand created Dynamic Objects that represented certain countries and could be selected in a Security Policy as you can see here:  https://community.checkpoint.com/t5/API-CLI-Discussion/GEO-Location-Objects-in-Firewall-Policy-with-...

2) If these Geo Dynamic objects are present in your configuration, it looks like they can then be selected as an "Allowed Source" in the individual User Record (Geo Updatable objects introduced in R80.20 cannot be selected here though):

[Image: Allowed Source.png]

3) So what you could do here is import the Geo Dynamic Objects in Step 1, and then select the Geo Dynamic Object(s) for the countries you want to permit as Allowed Sources; all other sources will be denied (an allow list).  There is not a way to do a deny list of countries and allow all others for this user that I can see.

I haven't tested this but it looks like it should work, however the use of allowed sources and destinations in the User attributes instead of your policy layers has been controversial in the past, as it can be a bit confusing when the policy layers explicitly allow something but it gets denied anyway by a setting in the User attributes.

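As an added example, not code from this thread, from Check Point, or from either poster: a small Python model of the country allow-list check that the thread is trying to build. The country-to-prefix table is a constructed stand-in for a Geo/Dynamic object, the office-mode pool and the VPN sessions are invented, and the function names are assumptions for illustration. The point it demonstrates is the caveat in the reply above: a country restriction only means something when it is evaluated against the outer IPsec/IKE peer address. The inner office-mode address is handed out from the gateway's own pool, so it maps to no country and an allow list evaluated against it denies everyone.

```python
"""Model of a Remote Access VPN country allow list (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for per-country Geo/Dynamic objects. A real deployment
# populates these from Check Point's updatable objects feed, not from a table.
COUNTRY_PREFIXES = {
    "DE": ["203.0.113.0/25"],
    "FR": ["203.0.113.128/25"],
    "US": ["198.51.100.0/24"],
}

# Assumed office-mode pool: addresses the gateway assigns to connected clients.
OFFICE_MODE_POOL = ipaddress.ip_network("172.16.10.0/24")


@dataclass(frozen=True)
class VpnSession:
    user: str
    peer_ip: str         # outer IPsec/IKE source: the user's real public address
    office_mode_ip: str  # inner address assigned by the gateway from OFFICE_MODE_POOL


def country_of(ip: str):
    """Map an address to a country code via the constructed table; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for cc, prefixes in COUNTRY_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return cc
    return None


def allowed_by_country(ip: str, allowed: set) -> bool:
    """Allow-list semantics: permit only a mapped, allowed country; unknown -> deny."""
    cc = country_of(ip)
    return cc is not None and cc in allowed


def permitted_by_deny_list(ip: str, denied: set) -> bool:
    """Deny-list semantics: block listed countries, permit everything else (unknown -> permit)."""
    return country_of(ip) not in denied


def evaluate(sessions, allowed: set, use_inner: bool = False) -> dict:
    """Return {user: 'accept'|'drop'} for an allow list.

    use_inner=True mimics a restriction applied to the office-mode (inner)
    address instead of the outer peer address.
    """
    verdicts = {}
    for s in sessions:
        ip = s.office_mode_ip if use_inner else s.peer_ip
        verdicts[s.user] = "accept" if allowed_by_country(ip, allowed) else "drop"
    return verdicts


# Constructed sessions: two mapped peers and one peer with no country mapping.
SESSIONS = [
    VpnSession("alice", "203.0.113.10", "172.16.10.5"),
    VpnSession("bob", "198.51.100.77", "172.16.10.6"),
    VpnSession("carol", "192.0.2.9", "172.16.10.7"),
]

if __name__ == "__main__":
    print("outer address, allow DE:", evaluate(SESSIONS, {"DE"}))
    print("inner address, allow DE:", evaluate(SESSIONS, {"DE"}, use_inner=True))
    print("outer address, deny FR:", {
        s.user: permitted_by_deny_list(s.peer_ip, {"FR"}) for s in SESSIONS
    })
```

Run against the outer address, the allow list admits only the German peer and drops both the US peer and the unmapped one, which is the behaviour the original question asks for. Run against the inner address, every session is dropped, because no office-mode address falls inside any country prefix; that is why an allowed-sources restriction that matches on the assigned office-mode IP cannot implement a country policy. The deny-list helper is included to show the semantics the reply says the user record cannot express: unmapped addresses are permitted rather than dropped.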
