AnsweredAssumed Answered

IPS Geoblocking

Question asked by Basilio Alcantara on Mar 6, 2018
Latest reply on Mar 7, 2018 by Timothy Hall

Like • Show 2 Likes2
Comment • 4

I m currently dealing with something that was brought up to my attention regarding specific 80/443 traffic for countries we are geo-blocking.

For Example, we are currently geo-blocking China but we noticed that since we have firewall rules allowing any source to access web servers on 80/443 therefore the traffic gets allowed due to the firewall rule match and it never gets geo-block.

is this normal? shouldn't Geo-protection block this traffic regardless whether the firewall blade has a rule allowing it?

No one else has this question

Outcomes

4 Replies

Enis Dunic Mar 7, 2018 1:30 AM
Mark Correct
Correct Answer
Could it be that the country flag in a log is incorrect for the IP address that IANA has assigned for that country due to the file IpToCountry.csv is not updated automatically?
You can download the latest IpToCountry.csv file from https://sc1.checkpoint.com/freud/IpToCountry.csv.gz and check inside the csv file if the IP address is associated with China. The format used in the csv file is special so you have to convert the relevant IP address to the format used in IpToCountry.csv file. You can check sk94364 to figure out how you do that. Then search through the csv file to find the range that includes the relevant IP address.

You can also check the current country mapping of the IP address here: https://www.maxmind.com/en/geoip-demo
4 people found this helpful
Like • Show 0 Likes0
Actions
Gaurav Pandya Mar 7, 2018 1:46 AM
Mark Correct
Correct Answer
Hi,
For one particular blade, FW checks access from Top to bottom and then go to next blade so Blade check is from Left to Right.
Definitely first it checks Firewall access rule (First Blade) and then go to next blade but if it is blocked in next blade then it will drop the packet.

Kindly check if you have configured IPS Geo location restriction correctly as it is inbound as well as outbound.
Like • Show 0 Likes0
Actions
Gaurav Pandya Mar 7, 2018 1:48 AM
Mark Correct
Correct Answer
Yeah. If all things looks good then you can check the file what Enis has suggested to verify that IP.
Like • Show 0 Likes0
Actions
Timothy Hall Mar 7, 2018 5:06 AM
Mark Correct
Correct Answer
Gateway version? Geo Protection was part of the IPS blade in R77.30 and earlier, but was decoupled from IPS in R80.10 gateway, became part of the Access Policy, and was renamed Geo Policy.

First off as mentioned in my book, make sure that the country database has been updated as specified here: sk92823: Geo Protection fails to update.

Geo Policy enforcement is performed very early in firewall processing, well before the rulebase is ever consulted and can save lots of overhead imposed by the "background noise" of the Internet. As mentioned by another poster above, make sure you are blocking connections both from and to the country in question.

If using R80.10, make sure that the country restriction is associated with the correct Geo Policy Profile that is applied on the gateway. Under Geo Policy select Gateways to verify which Geo Policy profile is applied to your gateway, then make sure you are editing the right one. In R77.30 the Geo Protection settings are associated with the IPS profile assigned to the gateway.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
3 people found this helpful
Like • Show 1 Like1
Actions

IPS Geoblocking

Outcomes

Related Content

Recommended Content