This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PhoneBoy
Admin
Admin
‎2023-02-24 03:40 PM
Jump to solution

Block VPN Traffic by Country

VPN traffic (Site to Site or Remote Access) is currently accepted by Implied Rules, meaning you cannot use Access Policy or legacy GeoProtection to block VPN access from specific countries.

@Aleksandr_Nosit pointed out to me that DOS Rate Limiting rules can be set by country, which will block all matched traffic (including VPN) before implied rules.
Here are a couple examples (see sk112454 for other possibilities)

Option 1: allow access from specific countries, block the rest

“X.X.X.X” – is gateway external interface IP address:

Bypass rules:

fwaccel dos rate add -a b source cc:EE
fwaccel dos rate add -a b source cc:LV
fwaccel dos rate add -a b source cc:FI
fwaccel dos rate add -a b source cc:SE
fwaccel dos rate add -a b source cc:DK

Block “rest of the world” rule :

fwaccel dos rate add -a d -l a service any source any destination cidr:X.X.X.X/32 pkt-rate 0

Option 2: block specific countries

This will block China while allowing other countries:

fwaccel dos rate add -a d -l a service any source cc:CC destination cidr:X.X.X.X/32 pkt-rate 0

1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
Monday
Jump to solution

One limitation of blocking all ports from a country, as shown above, is that if the outbound traffic is Hide NAT'd behind the gateway's main address, all communication of any kind with that country will be impossible.  The following statements block only the specific ports required for RAS IPSec VPN (and Mobile Access Blade) while still potentially allowing other communication with that country:

X.X.X.X - external gateway address
line 1 = IPSEC, line 2 = Site/Topology Download, line 3 = Visitor Mode/MAB, line 4=IKE, line 5 = NAT-T

fwaccel dos rate add -a d -l a service 50 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0
fwaccel dos rate add -a d -l a service 6/264 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0
fwaccel dos rate add -a d -l a service 6/443 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0
fwaccel dos rate add -a d -l a service 17/500 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0
fwaccel dos rate add -a d -l a service 17/4500 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

0 Kudos
21 Replies
Machine_Head
Advisor
Advisor
‎2023-03-01 07:28 AM
Jump to solution

Thanks!

Useful as some customers complain about implied rules

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-01 10:42 AM
In response to Machine_Head
Jump to solution

I can see this method being useful for "overriding" certain implied rules, particularly if the dos rules are very targeted.

0 Kudos
the_rock
Legend
Legend
‎2023-03-01 11:02 AM
Jump to solution

Thanks phoneboy, thats super useful info, for sure.

Andy

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2023-04-21 02:45 AM
Jump to solution

Hello PhoneBoy,

about the statement:

Block “rest of the world” rule :

fwaccel dos rate add -a d -l a service any source destination cidr:X.X.X.X./32 pkt-rate 0

Did you miss "any" after "source" ? or maybe you can avoid to specify "source" word for "any" because of it is default

 

 

another question, did this configuration survives to JHF/major upgrade installations ?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-04-21 08:34 AM
In response to CheckPointerXL
Jump to solution

You are correct, I was missing an "any" there and have fixed it in the original post.
If I remember correctly, fwaccel dos rules are persistent across reboots/upgrades.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-07-31 06:15 AM
Jump to solution

sk180527 & sk126172 will be helpful for anyone attempting similar using VSX.

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2024-01-05 09:45 AM
Jump to solution

@PhoneBoy So sorry to reply to this almost a year later, but just need to confirm something. Is there any limitation for this when you create VMSS CP fw on Azure? My colleague and I tested it with public IP assisnged and we blocked CA (country code for Canada) from your 2nd example to external IP of the fw, but we could still create and connect to VPN site.

Thanks in advance.

Best,

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-01-05 12:53 PM
In response to the_rock
Jump to solution

In Public Cloud, it's entirely possible we're not seeing the real source IP (depending on the exact configuration).
You should confirm precisely what IP the gateway is seeing with tcpdump or similar. 

0 Kudos
the_rock
Legend
Legend
‎2024-01-05 06:24 PM
In response to PhoneBoy
Jump to solution

I really have gut feeling its because even though ifconfig shows public IP, BUT, when I look at fw topology in smart console object, that IP is NOT listed there...I will talk to one of my colleagues next week who is way better with Azure than myself, but logically, thats what stands out to me.

Andy

 


eth0 Link encap:Ethernet HWaddr 00:0D:3A:F4:98:C4
inet addr:10.2.0.4 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::20d:3aff:fef4:98c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:604471 errors:0 dropped:0 overruns:0 frame:0
TX packets:598227 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:466812315 (445.1 MiB) TX bytes:142959965 (136.3 MiB)

eth0:1 Link encap:Ethernet HWaddr 00:0D:3A:F4:98:C4
inet addr:52.229.98.249 Bcast:52.229.98.249 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:0D:3A:F4:9E:31
inet addr:10.2.1.4 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::20d:3aff:fef4:9e31/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:2424 (2.3 KiB)

0 Kudos
VikingsFan
Advisor
‎2025-03-27 04:51 AM
Jump to solution

Wouldn't there be an Option 3, which we're doing currently: Disable the Implied Rule and manually build out your accept rules/block rules?  Might not be preferred by most but it gives us more granular control and able to do everything within the access layer instead of CLI.

0 Kudos
the_rock
Legend
Legend
‎2025-03-27 05:02 AM
In response to VikingsFan
Jump to solution

See if this post I made last year helps. I definitely validated it works 100%, but you know how it goes with Azure subscription, even when devices are powered off, they still charge you 🙂

Andy

https://community.checkpoint.com/t5/Remote-Access-VPN/Geo-VPN-blocking/m-p/214040#M10593

0 Kudos
the_rock
Legend
Legend
‎2025-03-27 05:07 AM
In response to VikingsFan
Jump to solution

FWIW, just my PERSONAL opinion, I would NOT be disabling implied rules. I had seen people do this before and more often than not, down the road, it can lead to more issues.

Thats just my experience...

Andy

VikingsFan
Advisor
‎2025-03-28 04:37 AM
In response to the_rock
Jump to solution

Agree.  We did have some bumps from disabling a handful of the implied rules but now have the ruleset pretty solid with no issues (to my knowledge). 🙂  Could always manually build out the rules from this list too, which is what I used for checking some of mine: https://support.checkpoint.com/results/sk/sk119497

The change to the Geo Blocking and removing it from Smart Console and not working with access rules was one of the driving factors to look at removing implied rules.  Can't remember exactly but even with setting that configuration you referenced we were seeing countries getting through for VPN activity.  I didn't disable ALL the rules but focused on the remote access ones and also some of the SMB ones which we don't service on this gateway.

The ones we disabled are attached if interested.

Preview file
117 KB
0 Kudos
the_rock
Legend
Legend
‎2025-03-28 04:47 AM
In response to VikingsFan
Jump to solution

Speaking of geo blocking, did post I made last year that I posted in previous response help? Not sure if makes sense, but definitely worked when I tested it.

Andy

0 Kudos
VikingsFan
Advisor
‎2025-03-28 05:07 AM
In response to the_rock
Jump to solution

It makes sense and unfortunately I did not find that during my testing last year when implementing the cluster.  Looked at my notes and I had found this SK: https://support.checkpoint.com/results/sk/sk180808 but don't believe it worked as expected which is why I started unchecking implied rules.  Things are stable now and don't think we'll revert anything but would have been great if I had seen your post.

the_rock
Legend
Legend
‎2025-03-28 05:13 AM
In response to VikingsFan
Jump to solution

Hey, no worries, all good, as long as things are stable.

Andy

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2025-03-28 05:11 AM
Jump to solution

i was able to control access by country into access policy after following https://support.checkpoint.com/results/sk/sk105740

 
0 Kudos
chethan_m
Collaborator
‎2025-06-02 10:02 PM
Jump to solution

Much needed.

Thank you!

0 Kudos
Timothy_Hall
Legend Legend
Legend
Monday
Jump to solution

The country code for China is CN, not CC in your Option 2 command.  The inhabitants of the Coco/Keeling Islands took offense.  🙂

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
Legend
Legend
Monday
In response to Timothy_Hall
Jump to solution

I recommend that place, people are so sweet! By the way, never thought about it, till I saw your post, but I probably met half the country there 🤣🤣

0 Kudos
Timothy_Hall
Legend Legend
Legend
Monday
Jump to solution

One limitation of blocking all ports from a country, as shown above, is that if the outbound traffic is Hide NAT'd behind the gateway's main address, all communication of any kind with that country will be impossible.  The following statements block only the specific ports required for RAS IPSec VPN (and Mobile Access Blade) while still potentially allowing other communication with that country:

X.X.X.X - external gateway address
line 1 = IPSEC, line 2 = Site/Topology Download, line 3 = Visitor Mode/MAB, line 4=IKE, line 5 = NAT-T

fwaccel dos rate add -a d -l a service 50 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0
fwaccel dos rate add -a d -l a service 6/264 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0
fwaccel dos rate add -a d -l a service 6/443 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0
fwaccel dos rate add -a d -l a service 17/500 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0
fwaccel dos rate add -a d -l a service 17/4500 source cc:CN destination cidr:X.X.X.X/32 pkt-rate 0

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events