the_rock (Legend)

Geo VPN blocking

Hey boys and girls,

Happy Monday 🙂

Figured I would share this, though I'm sure some of you may already know it, but since there were lots of posts about it and even the TAC guy told me people constantly ask, here is the way to actually do geo VPN remote access blocking.

What you need to do is below.

First, change the kernel parameter to 1 on the fw itself, as per the sk below:

HTTP and HTTPS requests to external interfaces create implied rule 0 accepts in Logs & Monitor (chec...

You can leave the portal setting on all interfaces or according to policy (a custom port can be there for the web UI).

[image: Screenshot_1.png]

Then, you create a rule. In my case, since it hated me to test using the NordVPN service on my home laptop to connect from another country, I simply created a rule for Canada (which is where I live) to block access to the fw on ports 80 and 443. This stopped me from even creating the VPN site when the policy was pushed.

[image: Screenshot_2.png]

If any questions, let me know, happy to test. Once you disable/delete the rule I pointed out and apply policy, site creation will work as normal. Just to point out, in case anyone might be wondering, port 443 is key here, as that's what is needed for clients to connect; see the post below about it.

https://community.checkpoint.com/t5/Remote-Access-VPN/Remote-access-without-visitor-mode-enabled/td-...

Best,

Andy
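Added example, not part of Andy's post and not Check Point code: a small Python model of why the first step (the kernel parameter) matters. With the default behaviour the sk describes, HTTP/HTTPS to the gateway's own external interface is accepted by implied rule 0 before the rule base is consulted, so a geo rule blocking Canada to ports 80/443 never gets a chance to match; once that implied accept is switched off, the same rule drops the connection. The geo table, gateway address, rule names and connection records are all constructed placeholders.

```python
# Added example (constructed model, not Check Point's implementation) of the
# interaction between the implied HTTP/HTTPS accept and a geo-block rule
# protecting the gateway's own 80/443 (Remote Access VPN client ports).
import ipaddress

# Constructed geo lookup table: prefix -> country code (placeholder data,
# not a real GeoIP feed).
GEO_TABLE = {
    "203.0.113.0/24": "CA",
    "198.51.100.0/24": "US",
}

FW_EXTERNAL_IP = "192.0.2.1"  # constructed gateway external address

# Constructed rule base, in order: the geo block from the post first, then a
# rule that lets remote-access clients reach the gateway, then cleanup.
RULEBASE = [
    {"name": "geo-block-CA", "src_country": "CA", "dst": FW_EXTERNAL_IP,
     "dports": {80, 443}, "action": "drop"},
    {"name": "allow-ra-clients", "src_country": None, "dst": FW_EXTERNAL_IP,
     "dports": {80, 443}, "action": "accept"},
]


def country_of(ip):
    """Return the constructed country code for an IP, or '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def implied_rule_0(conn, fw_ip, implied_http_accept):
    """Model of the implied accept discussed in the sk: when the kernel
    parameter is at its default (implied_http_accept=True), HTTP/HTTPS to
    the gateway itself is accepted before the explicit rule base runs."""
    if implied_http_accept and conn["dst"] == fw_ip and conn["dport"] in (80, 443):
        return "accept"
    return None


def evaluate(conn, fw_ip=FW_EXTERNAL_IP, implied_http_accept=True):
    """Return (matching rule name, action) for a connection attempt."""
    verdict = implied_rule_0(conn, fw_ip, implied_http_accept)
    if verdict:
        return ("implied rule 0", verdict)
    cc = country_of(conn["src"])
    for rule in RULEBASE:
        country_ok = rule["src_country"] is None or rule["src_country"] == cc
        if country_ok and rule["dst"] == conn["dst"] and conn["dport"] in rule["dports"]:
            return (rule["name"], rule["action"])
    return ("cleanup", "drop")


if __name__ == "__main__":
    ca_client = {"src": "203.0.113.10", "dst": FW_EXTERNAL_IP, "dport": 443}
    us_client = {"src": "198.51.100.20", "dst": FW_EXTERNAL_IP, "dport": 443}
    # Default kernel setting: the geo rule is bypassed by the implied accept.
    print("CA, default:", evaluate(ca_client))
    # Kernel parameter set to 1: the geo rule now sees and drops the attempt.
    print("CA, param=1:", evaluate(ca_client, implied_http_accept=False))
    print("US, param=1:", evaluate(us_client, implied_http_accept=False))
```

The point the model makes visible in a log review: a blocked country still showing "accept" matched by rule 0 on port 443 means the kernel parameter step was skipped, not that the geo rule is wrong.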
