This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Block Connections from Different Region

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block Connections from Different Region

Sanjay_Ramaiah
L4 Transporter

‎05-15-2024 10:37 PM

Hi All,

We have a requirement to setup a Block rule for the users connecting to GlobalProtect from different countries. We need to allow users only from one particular region to connect to GlobalProtect.

 

In Prisma we can use the Specific Tag and Specific Name on the rule to achieve this. But I don’t find any related document that suggests this level of config on Firewalls.

 

Please help us with suggesting what would be the right way to achieve this. As it is Any location that needs to be blocked we are concerned for other traffic other than the GP connection traffic.

 

This Document below is for prisma.

Block Incoming Connections from Specific Countries (paloaltonetworks.com)

0 Likes Likes
5 REPLIES 5

amanda2369weaver
L0 Member

‎05-16-2024 02:00 AM

To restrict GlobalProtect VPN access based on the user's country of origin, you can utilize various methods depending on your firewall platform. While Prisma offers specific features like Specific Tag and Specific Name for this purpose, other firewalls may have similar capabilities under different names or configurations. Here's a general approach you can take:

 

Geo-IP Filtering:

 

  • Many modern firewalls support Geo-IP filtering, allowing you to create rules based on the geographic location of IP addresses.
  • Check if your firewall platform supports this feature and how it can be configured.
  • Create a rule that denies access to GlobalProtect for IP addresses outside the desired region.


User Group or Role-Based Access:

 

  • Utilize user groups or roles within your firewall to differentiate between users based on their location.
  • Assign users connecting from the desired region to a specific group or role that is allowed access to GlobalProtect. For users outside this region, assign them to a group or role that is denied access.


Authentication and Authorization Policies:

 

  • Incorporate authentication and authorization policies that take into account the user's location.
  • During the authentication process, verify the user's country of origin and apply policies accordingly to allow or deny GlobalProtect access.


VPN Client Settings:

 

  • If your firewall allows, configure VPN client settings to restrict access based on location.
  • This may involve settings within the GlobalProtect client itself or configurations pushed from the firewall.


Integration with External Services:

 

  • Consider integrating your firewall with external services or threat intelligence platforms that provide geolocation data.
  • Use this data to dynamically update firewall rules or apply restrictions based on the user's country.


It's essential to consult your firewall's documentation or contact your firewall vendor's support for detailed guidance specific to your firewall model and software version. They can provide insights into the best practices and configurations for implementing country-based access controls for GlobalProtect or any VPN solution on your network.

0 Likes Likes

reaper
Cyber Elite
Cyber Elite

‎05-16-2024 05:59 AM

on a regular firewall I use the following rule to allow ipsec, panos-global-protect and ssl from certain regions only:

reaper_0-1715864288237.png

followed by a drop rule

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Brandon_Wertz
L6 Presenter

‎05-16-2024 07:12 AM

Specifically to accomplish what @reaper is mentioning in the Source or Destination tab you can select the country in the "Region" section of the address object:

Brandon_Wertz_0-1715868675088.png

 

Brandon_Wertz_1-1715868716281.png

 



Sanjay_Ramaiah
L4 Transporter
In response to Brandon_Wertz

‎05-16-2024 08:22 AM

Thank you both for the help 🙂

So this will not even let the Portal authentication attempt as well.

 

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to Sanjay_Ramaiah

‎05-16-2024 06:39 PM - edited ‎05-16-2024 06:39 PM

@Sanjay_Ramaiah wrote:

Thank you both for the help 🙂

So this will not even let the Portal authentication attempt as well.

 

If you're wanting to block GP VPN access from these regions then I would use the region as the source and your GP portal/gateway IPs as the destination with a deny action.  No need to call out any specific application.  Doing this will prevent anyone from that IP space associated with that geographic region from reaching your environment. 

0 Likes Likes
  • 861 Views
  • 5 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks