Geolocation and geoblocking

by 3 weeks ago - last edited 3 weeks ago

Geolocation is the estimation of the real-world geographic location of an object. In our specific use case, I mean the physical location of your PC, laptop or mobile device, or of the servers you are trying to reach.


Geoblocking is when you start restricting or allowing access to content based on the geolocation.


The firewall supports creation of policy rules that apply to specified countries or other regions.  The region is available as an option when specifying source and destination for security policies, decryption policies, and DoS policies. You can choose from a standard list of countries or use the region settings described in this section to define custom regions to include as options for Security policy rules.

As a very simple example, let's assume you are located in the US and would like to only allow access to addresses that are located in the US.  First, you'll need to allow this access through a security rule. 


You do this simply by adding the desired region or country to your security rule with an allow action:

[Screenshot: 2017-11-27_13-39-20.png]


Through geolocation, the firewall will identify that the IP address you are trying to access is located in the US and the policy will grant you the access.


If you want to deny access to all other regions, you can simply let the default-deny rule handle it.  Alternatively, if you want to catch it earlier, you can add a rule that matches everything except US traffic and blocks it.  The Negate option is very useful in this specific use case!  Any IP address that isn't part of the US region will hit this rule and follow the configured Action setting (Deny, for example).

[Screenshot: Negate option]
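As an added illustration (not code from the original post or from PAN-OS itself), the Python below models how a top-down, first-match rulebase with region objects and the Negate option evaluates a destination address. The region-to-prefix table is constructed for the example and stands in for the firewall's real geolocation database.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed stand-in for the firewall's built-in IP-to-region database.
# These prefixes are made up for the example and carry no real geolocation.
REGION_PREFIXES = {
    "US": [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/25")],
    "DE": [ip_network("203.0.113.128/25")],
}

def region_of(ip: str) -> Optional[str]:
    """Return the region an address maps to, or None if it is unmapped."""
    addr = ip_address(ip)
    for region, nets in REGION_PREFIXES.items():
        if any(addr in net for net in nets):
            return region
    return None

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    dst_regions: Set[str] = field(default_factory=set)  # empty set = any destination
    negate_dst: bool = False    # Negate option: match everything NOT in dst_regions

    def matches(self, dst_ip: str) -> bool:
        if not self.dst_regions:
            return True
        in_region = region_of(dst_ip) in self.dst_regions
        return not in_region if self.negate_dst else in_region

def evaluate(rules: List[Rule], dst_ip: str) -> Tuple[str, str]:
    """Top-down, first-match evaluation; unmatched traffic falls to default-deny."""
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.name, rule.action
    return "default-deny", "deny"

# The two rules from the article: allow US destinations, then catch all
# non-US destinations early with a negated region match.
RULEBASE = [
    Rule("allow-us", "allow", {"US"}),
    Rule("block-non-us", "deny", {"US"}, negate_dst=True),
]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.200", "192.0.2.1"):
        print(ip, region_of(ip), evaluate(RULEBASE, ip))
```

Note the third address: one the database cannot map belongs to no region object, so it is caught by the negated rule (and would hit default-deny anyway), which is why verifying the region mapping for addresses you care about matters.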


Sounds very simple, doesn't it? It is indeed very easy to set up.

That said, did you know that there's a way to trick certain devices into believing you are from a totally different region?

You can easily do this through online proxies and/or anonymizers.  These are tools that are freely available online and, as the name indicates, they proxy or anonymize your traffic.


What happens is that you connect to these servers and they in turn make a connection on your behalf to the destination server.  This destination server sees an incoming connection from the proxy server, not knowing the request is actually coming from you.


Often, these tools are used for shady practices or to hide what you're doing.  Don't want your users to use these tools? Just block access to them by blocking the URL category 'proxy-avoidance-and-anonymizers'.

Note that this URL category is only useful for outbound sessions and will not protect you from inbound connections coming through these proxies.  I recommend researching EBL (External Block List) for this instead.


Check out the links below if you want to know more about geolocation or geoblocking on the Palo Alto Networks firewall!


Objects-Regions

How to Block Traffic Based Upon Countries

How to Verify PAN-OS IP Region Mapping


Thanks for reading, and as always, feedback, questions and comments are most welcome!


-Kiwi out!
