topic Re: Block Connections from Different Region in General Topics

Block Connections from Different Region

Sanjay_Ramaiah — Thu, 16 May 2024 05:37:54 GMT

Hi All,

We have a requirement to setup a Block rule for the users connecting to GlobalProtect from different countries. We need to allow users only from one particular region to connect to GlobalProtect.

In Prisma we can use the Specific Tag and Specific Name on the rule to achieve this. But I don’t find any related document that suggests this level of config on Firewalls.

Please help us with suggesting what would be the right way to achieve this. As it is Any location that needs to be blocked we are concerned for other traffic other than the GP connection traffic.

This Document below is for prisma.

Block Incoming Connections from Specific Countries (paloaltonetworks.com)

Re: Block Connections from Different Region

amanda2369weaver — Thu, 16 May 2024 09:00:54 GMT

To restrict GlobalProtect VPN access based on the user's country of origin, you can utilize various methods depending on your firewall platform. While Prisma offers specific features like Specific Tag and Specific Name for this purpose, other firewalls may have similar capabilities under different names or configurations. Here's a general approach you can take:

Geo-IP Filtering:

Many modern firewalls support Geo-IP filtering, allowing you to create rules based on the geographic location of IP addresses.
Check if your firewall platform supports this feature and how it can be configured.
Create a rule that denies access to GlobalProtect for IP addresses outside the desired region.

User Group or Role-Based Access:

Utilize user groups or roles within your firewall to differentiate between users based on their location.
Assign users connecting from the desired region to a specific group or role that is allowed access to GlobalProtect. For users outside this region, assign them to a group or role that is denied access.

Authentication and Authorization Policies:

Incorporate authentication and authorization policies that take into account the user's location.
During the authentication process, verify the user's country of origin and apply policies accordingly to allow or deny GlobalProtect access.

VPN Client Settings:

If your firewall allows, configure VPN client settings to restrict access based on location.
This may involve settings within the GlobalProtect client itself or configurations pushed from the firewall.

Integration with External Services:

Consider integrating your firewall with external services or threat intelligence platforms that provide geolocation data.
Use this data to dynamically update firewall rules or apply restrictions based on the user's country.

It's essential to consult your firewall's documentation or contact your firewall vendor's support for detailed guidance specific to your firewall model and software version. They can provide insights into the best practices and configurations for implementing country-based access controls for GlobalProtect or any VPN solution on your network.

Re: Block Connections from Different Region

reaper — Thu, 16 May 2024 12:59:21 GMT

on a regular firewall I use the following rule to allow ipsec, panos-global-protect and ssl from certain regions only:

followed by a drop rule

Re: Block Connections from Different Region

Brandon_Wertz — Thu, 16 May 2024 14:12:03 GMT

Specifically to accomplish what @reaper is mentioning in the Source or Destination tab you can select the country in the "Region" section of the address object:

Re: Block Connections from Different Region

Sanjay_Ramaiah — Thu, 16 May 2024 15:22:02 GMT

Thank you both for the help 🙂

So this will not even let the Portal authentication attempt as well.

Re: Block Connections from Different Region

Brandon_Wertz — Fri, 17 May 2024 01:39:53 GMT

@Sanjay_Ramaiah wrote:

Thank you both for the help 🙂

So this will not even let the Portal authentication attempt as well.

If you're wanting to block GP VPN access from these regions then I would use the region as the source and your GP portal/gateway IPs as the destination with a deny action. No need to call out any specific application. Doing this will prevent anyone from that IP space associated with that geographic region from reaching your environment.