796570686578
Collaborator

Best Practice to block traffic originating from anonymizers (R81.10)

Hey everyone,

I am looking for some suggestions to block traffic originating from anonymizer services like VPNs (NordVPN, ExpressVPN, ...), proxies, Tor exit nodes, etc. to a specific IP address in the customer's DMZ.

Gateway Version & Management are version R81.10 + Antivirus Blade

Our idea was to subscribe to a service like MaxMind or IP2Location, which offer .csv files with these IP addresses, and use them on the gateways to block access from these IPs.

But the more I read about all the different features this could be achieved with, the more confused I get.

External Custom Intelligence Feeds:

This article from the Admin Guide mentions how to import intelligence feeds in SmartConsole. Under "Limitations" it also mentions the following: 

  • IoC feeds are fetched on all connections and are not affected by Threat Prevention Policy.

Does that mean that the gateway checks every connection if it matches an IP from my feed and I cannot define a rule per se to only apply it to a specific destination host in the DMZ?

SK132193 describes how to configure feeds and mentions the following under "Known Limitations":

  • Inbound traffic to a host behind the gateway does not get blocked, e.g: IP that is on the feed, sends ICMP Request to a host behind the gateway. This traffic does not get blocked.

    In R81 and higher versions, this traffic is blocked.

I assume this matches the limitation from the Admin Guide, that the IoC is matched on every connection? These feeds have a few million entries. If every connection is checked, will there not be an immense performance drop?

SK103154 is an example on how to block traffic coming from Tor nodes.

  • R80.30+ with Anti Virus Blade recommends Custom Intelligence Feeds
  • R81+ without Anti Virus Blade recommends Generic Data Center Objects

Generic Data Center Objects have a few disadvantages, but also the advantage that they can be used in the rulebase.

Disadvantages:

What solution would you suggest?

Thank you!
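As an added illustration (not from the original post or from Check Point), this shows the pre-processing step such a feed needs before it reaches the gateway: keep only the anonymizer categories, convert single IPs and start-end ranges to prefixes, and collapse adjacent or overlapping prefixes so a multi-million-line CSV shrinks before it is loaded. The CSV column names are constructed, and the output keys (`version`, `objects`, `name`, `id`, `ranges`) are an assumption modelled on the Generic Data Center JSON feed format; verify them against the vendor documentation before use.

```python
import csv
import io
import ipaddress
import json

# Constructed sample feed in the style of a commercial anonymizer export:
# one network per row plus boolean category flags. Column names are assumed.
SAMPLE_CSV = """network,is_anonymous_vpn,is_public_proxy,is_tor_exit_node
198.51.100.0/25,1,0,0
198.51.100.128/25,1,0,0
203.0.113.10,0,0,1
203.0.113.0/24,0,1,0
203.0.113.200,0,0,0
192.0.2.5-192.0.2.9,0,1,0
2001:db8::/32,0,0,1
"""

ANON_FLAGS = ("is_anonymous_vpn", "is_public_proxy", "is_tor_exit_node")


def parse_entry(text):
    """Turn 'a.b.c.d', 'a.b.c.d/nn' or 'start-end' into a list of networks."""
    text = text.strip()
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(text, strict=False)]


def anonymizer_networks(csv_text, flags=ANON_FLAGS):
    """Return (ipv4, ipv6) lists of collapsed networks for rows flagged in any category."""
    v4, v6 = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not any(row.get(f, "0").strip() == "1" for f in flags):
            continue  # e.g. a hosting-only row: not an anonymizer, skip it
        for net in parse_entry(row["network"]):
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent and overlapping prefixes of one family;
    # IPv4 and IPv6 must be collapsed separately.
    return sorted(ipaddress.collapse_addresses(v4)), sorted(ipaddress.collapse_addresses(v6))


def to_data_center_json(name, obj_id, nets):
    """Emit one object in the assumed Generic Data Center feed layout."""
    obj = {"name": name, "id": obj_id, "description": "anonymizer feed (constructed)",
           "ranges": [str(n) for n in nets]}
    return json.dumps({"version": "1.0", "objects": [obj]}, indent=2)


if __name__ == "__main__":
    v4, v6 = anonymizer_networks(SAMPLE_CSV)
    print(to_data_center_json("anonymizers-v4", "anon-v4", v4))
```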
