This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PhoneBoy
Admin
Admin
‎2023-02-24 03:40 PM

Block VPN Traffic by Country

VPN traffic (Site to Site or Remote Access) is currently accepted by Implied Rules, meaning you cannot use Access Policy or legacy GeoProtection to block VPN access from specific countries.

@Aleksandr_Nosit pointed out to me that DOS Rate Limiting rules can be set by country, which will block all matched traffic (including VPN) before implied rules.
Here are a couple examples (see sk112454 for other possibilities)

Option 1: allow access from specific countries, block the rest

“X.X.X.X” – is gateway external interface IP address:

Bypass rules:

fwaccel dos rate add -a b source cc:EE
fwaccel dos rate add -a b source cc:LV
fwaccel dos rate add -a b source cc:FI
fwaccel dos rate add -a b source cc:SE
fwaccel dos rate add -a b source cc:DK

Block “rest of the world” rule :

fwaccel dos rate add -a d -l a service any source any destination cidr:X.X.X.X/32 pkt-rate 0

Option 2: block specific countries

This will block China while allowing other countries:

fwaccel dos rate add -a d -l a service any source cc:CC destination cidr:X.X.X.X/32 pkt-rate 0

9 Replies
Gojira
Collaborator
Collaborator
‎2023-03-01 07:28 AM

Thanks!

Useful as some customers complain about implied rules

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-01 10:42 AM
In response to Gojira

I can see this method being useful for "overriding" certain implied rules, particularly if the dos rules are very targeted.

0 Kudos
the_rock
Legend
Legend
‎2023-03-01 11:02 AM

Thanks phoneboy, thats super useful info, for sure.

Andy

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2023-04-21 02:45 AM

Hello PhoneBoy,

about the statement:

Block “rest of the world” rule :

fwaccel dos rate add -a d -l a service any source destination cidr:X.X.X.X./32 pkt-rate 0

Did you miss "any" after "source" ? or maybe you can avoid to specify "source" word for "any" because of it is default

 

 

another question, did this configuration survives to JHF/major upgrade installations ?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-04-21 08:34 AM
In response to CheckPointerXL

You are correct, I was missing an "any" there and have fixed it in the original post.
If I remember correctly, fwaccel dos rules are persistent across reboots/upgrades.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-07-31 06:15 AM

sk180527 & sk126172 will be helpful for anyone attempting similar using VSX.

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2024-01-05 09:45 AM

@PhoneBoy So sorry to reply to this almost a year later, but just need to confirm something. Is there any limitation for this when you create VMSS CP fw on Azure? My colleague and I tested it with public IP assisnged and we blocked CA (country code for Canada) from your 2nd example to external IP of the fw, but we could still create and connect to VPN site.

Thanks in advance.

Best,

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-01-05 12:53 PM
In response to the_rock

In Public Cloud, it's entirely possible we're not seeing the real source IP (depending on the exact configuration).
You should confirm precisely what IP the gateway is seeing with tcpdump or similar. 

0 Kudos
the_rock
Legend
Legend
‎2024-01-05 06:24 PM
In response to PhoneBoy

I really have gut feeling its because even though ifconfig shows public IP, BUT, when I look at fw topology in smart console object, that IP is NOT listed there...I will talk to one of my colleagues next week who is way better with Azure than myself, but logically, thats what stands out to me.

Andy

 


eth0 Link encap:Ethernet HWaddr 00:0D:3A:F4:98:C4
inet addr:10.2.0.4 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::20d:3aff:fef4:98c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:604471 errors:0 dropped:0 overruns:0 frame:0
TX packets:598227 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:466812315 (445.1 MiB) TX bytes:142959965 (136.3 MiB)

eth0:1 Link encap:Ethernet HWaddr 00:0D:3A:F4:98:C4
inet addr:52.229.98.249 Bcast:52.229.98.249 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:0D:3A:F4:9E:31
inet addr:10.2.1.4 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::20d:3aff:fef4:9e31/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:2424 (2.3 KiB)

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events