I'm currently dealing with something that was brought to my attention regarding specific 80/443 traffic from countries we are geo-blocking.
For example, we are currently geo-blocking China, but we noticed that since we have firewall rules allowing any source to access web servers on 80/443, the traffic gets allowed due to the firewall rule match and it never gets geo-blocked.
Is this normal? Shouldn't Geo-protection block this traffic regardless of whether the firewall blade has a rule allowing it?
Could it be that the country flag in a log is incorrect for the IP address that IANA has assigned to that country, because the file IpToCountry.csv is not updated automatically?
You can download the latest IpToCountry.csv file from https://sc1.checkpoint.com/freud/IpToCountry.csv.gz and check inside the CSV file whether the IP address is associated with China. The format used in the CSV file is special, so you have to convert the relevant IP address to the format used in the IpToCountry.csv file. You can check sk94364 to figure out how to do that. Then search through the CSV file to find the range that includes the relevant IP address.
You can also check the current country mapping of the IP address here: https://www.maxmind.com/en/geoip-demo
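The lookup described in the answer above (convert the address, then find the CSV range that contains it), written out as an added example; this is not code from the thread or from Check Point. It assumes the common layout for this kind of file, where each row carries the start and end of a range as 32-bit integers followed by the country fields, and the sample rows below are constructed, not taken from the real file. If the real file differs in column order, adjust the indices in `load_ranges`.

```python
import bisect
import csv
import gzip
import io
import ipaddress

# Constructed sample rows in the assumed IpToCountry.csv layout:
# "START","END","REGISTRY","ASSIGNED","CTRY","CNTRY","COUNTRY"
# START/END are the 32-bit integer form of the first and last address.
SAMPLE_CSV = """\
# constructed sample, not real allocation data
"16777216","16777471","apnic","1313020800","AU","AUS","Australia"
"16777472","16778239","apnic","1403712000","CN","CHN","China"
"167772160","184549375","iana","0","ZZ","ZZZ","Reserved"
"""


def ip_to_int(ip: str) -> int:
    """Convert a dotted-quad IPv4 address to the 32-bit integer used in the CSV."""
    return int(ipaddress.IPv4Address(ip))


def load_ranges(text: str):
    """Parse CSV text into a sorted list of (start, end, iso2, country_name)."""
    rows = (line for line in io.StringIO(text)
            if line.strip() and not line.startswith("#"))
    ranges = []
    for row in csv.reader(rows):
        start, end = int(row[0]), int(row[1])
        ranges.append((start, end, row[4], row[6]))
    ranges.sort()  # binary search below relies on ascending start values
    return ranges


def load_ranges_from_gz(path: str):
    """Read the downloaded .gz file (assumed path) with the same parser."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return load_ranges(fh.read())


def lookup(ranges, ip: str):
    """Return (iso2, country_name) for the range containing ip, or None."""
    n = ip_to_int(ip)
    starts = [r[0] for r in ranges]
    idx = bisect.bisect_right(starts, n) - 1  # last range starting at or before n
    if idx >= 0 and ranges[idx][1] >= n:
        return ranges[idx][2], ranges[idx][3]
    return None


if __name__ == "__main__":
    table = load_ranges(SAMPLE_CSV)
    for addr in ("1.0.0.5", "1.0.1.7", "8.8.8.8"):
        print(addr, ip_to_int(addr), lookup(table, addr))
```

Compare the country this returns with what the gateway logged for the same address; if the two differ, the local IpToCountry.csv is the first thing to refresh.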