Thank you so much! I was not aware of these objects, I am changing over to them ASAP. May I ask, it seems like this should be the very first rule in the rulebase, is that correct? To keep down on the traffic?

Thanks again! 🙂

Yes if you are using Geo Updatable Objects and looking to drop traffic it should happen very early in your Access Control policy, even before the Stealth Rule.  The third edition of my book released in early 2020 still covers the old Geo Policy, but strongly recommends moving to Geo Updatable Objects if using R80.20+ due to the enhanced flexibility, and covers exactly how to set it up.

As mentioned in the third edition of my book, the legacy Geo Policy is enforced very early by the gateway in the F2F path, right after the antispoofing check in fact.  Geo Updatable Objects are not referenced until later when the Network policy is being checked in F2F, but with the advent of Column-based Matching in R80.10, rulebase lookup overhead has been significantly reduced.  So while there is a very slight performance edge for the legacy Geo Policy, the Geo Updatable Objects are far more flexible, easier to understand, and more than make up for it.  Assuming you are using R80.20+ on your gateways, Geo Updatable objects are highly recommended over Geo Policy, at least in my opinion.

Code version?

I am using R80.10 with Jumbo Hotfix Accumulator GA Take 259 both on my management server and gateways.

Please provide a redacted screenshot of the log card showing this.  Geo Policy is part of the Access Control policy starting in R80.10, it should not be the IPS blade blocking it.

Here is a screen shot of a IP from Panama that made it through.  I have Panama set "Drop" and track "None" in the GEO policy for this security gateway.  I was watching these logs in real time so I quickly opened a terminal session to the gateway and did a "fw ctl zdebug drop | grep 141.98.80.204" and what I saw is below.  It appears the IP from Panama was indeed being blocked by GEO but also made it past in at least this instance.

[Expert@:0]# fw ctl zdebug drop | grep 141.98.80.204

;[cpu_4];[fw4_7];fw_log_drop_ex: Packet proto=6 141.98.80.204:44490 -> 165.x.x.x57 dropped by fw_handle_first_packet Reason: Geo Protection;

;[cpu_2];[fw4_11];fw_log_drop_ex: Packet proto=6 141.98.80.204:44490 -> 50.x.x.x                                                             5.238:16957 dropped by fw_handle_first_packet Reason: Geo Protection;

;[cpu_7];[fw4_1];fw_log_drop_ex: Packet proto=6 141.98.80.204:44490 -> 50.x.x.x                                                             .245:16957 dropped by fw_handle_first_packet Reason: Geo Protection;

;[cpu_3];[fw4_9];fw_log_drop_ex: Packet proto=6 141.98.80.204:44490 -> 50.x.x.x

Thank you Tim! That makes sense.  I wasn't aware that the sweep scan would be based off of GEO policy like that.  It makes perfect sense now.  

I'll admit the use of "Detect" as an action for a Sweep Scan is a bit misleading, and implies that something was Detected but not Prevented which is not the case.  But Sweep Scan is one of those dastardly 39 IPS "Core Protections" that walk proudly in "no-man's land" so I'm not surprised. 🙂

I hate to keep beating the subject to death, and I am guessing my answer to this is the same as the port sweep. I have traffic coming in from a blocked country on non http traffdic on http port, which is also one of the inspection settings. So it is actually being blocked right? just showing as detect for the same reason as the port scan?

The Core Protections that create additive alerts with a "Detect" action are:

Sweep Scan

Host Port Scan

These alerts are triggered by drops that have already occurred over a certain threshold, these protections do not directly drop or block anything.  There may be other additive alerts like these but I can't think of any.

ok, thanks. I'll try and figure out why this traffic was getting through then.