Daniel_Kavan
MVP Gold

geo policy on website behind haproxy using sni

Hi All,

We want to set up geo protection for certain websites. However, there are many sites behind one IP address using SNI on haproxy. Is it possible to protect one or two URLs (names) with a geo policy? I know SNI is supported with HTTPS inspection. Or would every project hosted behind that one IP have to be on the policy?


Accepted Solutions
PhoneBoy
Admin

I assume this is possible since:

  • You can use a geography as a source in a rule
  • You can use a Custom Application/Site as a destination (which can be as above) in a rule

SNI doesn't require HTTPS Inspection, FYI. 

Daniel_Kavan
MVP Gold

Rule #12 using a geography as source (blocking Russia, for example) and a custom application as destination.

Rule #13 allows the IP. Sources from Russia wouldn't make it to rule #13; they would be blocked on #12.

Sounds good.

the_rock
MVP Gold

Hey Dan,

Can you send a screenshot?

Andy

Daniel_Kavan
MVP Gold

Thanks, the application/site object works great in the access policy. Now, moving on to the threat prevention exception policy.

Question of the day: Can a custom application/site object exist in the threat prevention Exceptions policy, sort of acting as a destination site? I was focused on adding a site object to the protected scope column (can't do it), but there is also the protections/site/file/blade column that I've only been using to add protection exceptions. IOW, when making an exception for an IP (and that IP can represent 100 sites), we just need an IPS exception for 1 of the 100 sites. Currently, the protected scope doesn't support application/site objects. However, I can and did simply add the site object to the column with the list of IPS protections the exception is for. IOW, I have 10 IPS protections and a site all in the same column. I mean, the column does say it's for Protections/site/file/blade. It just seems very unusual to have that mix of protections and a specific destination (site object/URLs) in the same column. Thinking... that might just work.

the_rock
MVP Gold

Yea, probably best idea Dan.

PhoneBoy
Admin

Let us know one way or the other.

the_rock
MVP Gold

Just use geo objects as @PhoneBoy said.

Andy
