seanmc12
Participant

Geo Policy block VPN traffic from blocked countries?

I am configuring Geo policy with updatable objects and am wondering if there will be any impact. If someone from one of the blocked countries tries to access our VPN, and they are actually authorized, will they be allowed to connect if their country is on the dropped list?

7 Replies
Chris_Atkinson
Employee

If it's all enforced / terminating on a single Gateway you will likely find the implied rules allow the remote access traffic without incident. Refer:

https://community.checkpoint.com/t5/Security-Gateways/Restrict-VPN-access-by-GEO-location/m-p/117288


the_rock
Champion

I can tell you from my own experience that every time a specific country is blocked, it gets enforced 100%, even for VPN.

Timothy_Hall
Champion

If you have a country defined as "block to and from" in Geo Policy (not Geo Updatable Objects) they will not be allowed to connect at all as @the_rock stated.  This may have changed in later releases, but last time I looked Geo Policy enforcement is performed just after anti-spoofing enforcement and before any "First" implied rules allowing Remote Access VPN traffic are consulted.  However if the newer Geo Updatable Objects are used, that enforcement will not happen until after the implied rules.  So they will be able to at least connect in that case.

However Geo Policy was deprecated in R81 (hidden in some cases but still works) so there really isn't a long-term solution for completely blocking certain countries for Remote Access VPN before the implied rules are enforced.  One possibility is using fw samp/fwaccel dos which allows the specification of a country code, then grant them a bandwidth/connection rate of zero (if that is possible).

The only other way I could think of to do this would be an RFE that allows specified countries to be blocked right on the topology page for any interface designated "External" in the Firewall's topology, along with perhaps a way to add exceptions or a "don't check packets from" to that enforcement on that same screen.  Kind of a per interface Geo Policy similar to the per-interface Advanced...Multicast Restrictions feature. 

Another RFE avenue for this functionality might be the ability to choose countries in a Gaia Policy Based Routing configuration and blackhole them.  But the former SmartConsole-based approach would probably be easier to understand and troubleshoot.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
seanmc12
Participant

Thanks for the response. I have configured Geo updatable objects. So I was thinking I could put an exception just before the updatable objects rule, and the user from, say, China would be able to authenticate and use VPN, but any other traffic would be blocked at the GUO policy.

the_rock
Champion

That's an excellent idea. As long as that rule is BEFORE the geo rule blocking the traffic from the given country, you are good to go.

Andy

seanmc12
Participant

Unfortunately, the only way this will work is if your remote individual comes into your network with a static IP address. With a dynamic IP, the firewall will block all of the data from the applicable country before it ever sees the user creds. I should have known that piece.

the_rock
Champion

For sure, 100%. It would have to be a static IP, I agree. If it's a dynamic IP, there is no way for the firewall to differentiate that if the country is, say, Egypt, and it's blocked in your GEO policy.

Andy

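The enforcement order Timothy_Hall describes (anti-spoofing, then legacy Geo Policy, then the "First" implied rules, then the explicit rulebase with the GUO rule) and the static-IP exception idea from the later posts, as an added Python model that is not part of this thread and not Check Point's engine. The GeoIP prefixes, rule names and service names are constructed for illustration.

```python
import ipaddress

# Constructed GeoIP lookup table (sample prefixes, not real geolocation data)
GEOIP = {"203.0.113.0/24": "CN", "198.51.100.0/24": "US"}
BLOCKED = {"CN"}                                   # countries set to "block to and from"
RA_VPN_SERVICES = {"IKE", "IKE_NAT_T", "SSL_VPN"}  # accepted by the "First" implied rules


def country_of(src_ip):
    """Map a source address to a country code via the constructed table."""
    addr = ipaddress.ip_address(src_ip)
    return next((cc for net, cc in GEOIP.items()
                 if addr in ipaddress.ip_network(net)), None)


def match(rule, src_ip):
    """An explicit rule matches either a literal source IP or a source country."""
    if "src_ip" in rule:
        return src_ip == rule["src_ip"]
    return country_of(src_ip) in rule["src_country"]


def evaluate(src_ip, service, rulebase, legacy_geo_policy=False):
    """Return (action, reason) for one connection.

    legacy_geo_policy=True models the old Geo Policy, enforced before the
    implied rules; False models Geo Updatable Objects, which only appear
    as an ordinary rule inside the explicit rulebase.
    """
    cc = country_of(src_ip)
    if legacy_geo_policy and cc in BLOCKED:
        return "drop", f"Geo Policy: {cc} blocked before implied rules"
    if service in RA_VPN_SERVICES:
        return "accept", "implied rule: Remote Access VPN"
    for rule in rulebase:                 # first match wins, so order matters
        if match(rule, src_ip):
            return rule["action"], rule["name"]
    return "drop", "cleanup rule"


# Hypothetical rulebase: a static-IP exception placed before the GUO block rule
GUO_BLOCK = {"name": "GUO block", "src_country": BLOCKED, "action": "drop"}
EXCEPTION = {"name": "exception static IP", "src_ip": "203.0.113.10", "action": "accept"}
RULEBASE = [EXCEPTION, GUO_BLOCK]

if __name__ == "__main__":
    for ip, svc in [("203.0.113.10", "IKE"), ("203.0.113.10", "HTTP"),
                    ("203.0.113.77", "HTTP")]:          # .77 = same country, dynamic IP
        print(ip, svc, evaluate(ip, svc, RULEBASE, legacy_geo_policy=True),
              evaluate(ip, svc, RULEBASE))
```

Swapping the two rules in RULEBASE shows why the exception has to sit before the GUO rule, and the `.77` case shows why a dynamically addressed user in the blocked country never reaches the exception.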