Geolocation and Geoblocking

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Community Team Member

Geolocation and GeoblockingGeolocation and Geoblocking

Palo Alto Networks dives into how your firewall can perform Geolocation and Geoblocking to help you keep your network safe in different regions. Learn how to set security policies, decryption policies, and DoS policies for your firewall. 

 

 

What are Geolocation and Geoblocking?

Geolocation is the estimation of the real-world geographic location of an object. In our specific use case, I am referring to the physical location of your PC, laptop, mobile device, or from the servers you are trying to reach.

 

Geoblocking is when you start restricting or allowing access to content based on the geolocation.

 

The next-generation firewall supports creation of policy rules that apply to specified countries or regions. The region is available as an option when specifying source and destination for security policies, decryption policies, and DoS policies. You can choose from a standard list of countries or use the region settings described in this section to define custom regions to include as options for security policy rules.

 

As a very simple example, let's assume you are located in the United States and would like to only allow access to addresses that are located in that country. First, you'll need to allow this access through a security rule.

 

You do this simply by adding the desired region or country to your security rule with an allow action.

 

Country Allow Security RuleCountry Allow Security Rule

 

 

Through geolocation, the firewall will identify that the IP address you are trying to access is located in the US, and the policy will grant you the access.

 

If you want to deny access to all other regions, then you can just let the default-deny rule handle it. Alternatively, if you want to catch it earlier, then you can add a rule that excludes all the US traffic and blocks it. The negate option is very useful in this specific use case. Any IP address that isn't part of the US region will hit this rule and follow the configure Action Setting (Deny for example).

 

Security Policy for NegateSecurity Policy for Negate

 

 

Sounds very simple doesn't it? It is indeed very easy to set up.

 

With that said, did you know that there's a way to trick certain devices into believing you are from a totally different region?

 

You can easily do this through online proxies and/or anonymizers. These are tools that are freely available online, and as the name indicates, proxies or anonymizers anonymize your traffic.

 

What happens is that you connect to these servers and they in turn make a connection in your name to the destination server. This destination server sees an incoming connection from the proxy server, not knowing the request is actually coming from you.

 

Often, these tools are used for shady practices or to hide what you're doing. Don't want your users to use these tools? Just block the access to them by blocking the URL-category 'proxy-avoidance-and-anonymizers'.

 

URL CategoryURL Category

 

NOTE: This URL-category is only useful for outbound sessions and will not protect you from inbound connections using these proxies. I recommend researching EDL (External Dynamic Lists) for this instead.

 

Check out the links below if you want to know more about geolocation or geoblocking on the Palo Alto Networks firewall!

 

Objects > Regions

How to Block Traffic Based Upon Countries

How to Verify PAN-OS IP Region Mapping

 

Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Kiwi out!

14 Comments
L0 Member

Nice post, thanks.

 

In the link

How to Verify PAN-OS IP Region Mapping

is given a site about ip to country relation, is this site used by PaloAlto ?

https://www.nirsoft.net/countryip/

 

I ask this because I am searching for a solution to what you explained what will not be blocked:

"

NOTE: This URL-category is only useful for outbound sessions and will not protect you from inbound connections using these proxies. I recommend researching EDL (External Dynamic Lists) for this instead.

"

Because then you need a website/partner that keeps track of the ip addresses that are given out by such anonymizer providers.

 

Hopefully you have a example about EDL which can be used.

 

Regards

Paul

 

L7 Applicator
L0 Member

Hello,

 

Nice article and I do like this GEO feature. What would it cost to add Regions to NAT rules ? I'm currently using a third party hardware with GEO capabilities to return different DNS resolution based on the client's IP address.

 

That would save me several DNS delegations if I could specify the incoming region of a request and determine the NATed IP destination address + possibily alternative destinations in case of unreachability of the NATed IP.

 

Best regards,

Fabien

L1 Bithead

does the country object include ipv6 or is it ipv4 only?

Community Team Member

@RobertRostek ,

 

The IPv6 Geo databases haven't been added yet.  Please reach out to your local SE and ask him to add your vote to feature request #2865 (IPv6 Country Geo Location).

 

Cheers !

-Kiwi.

 
L0 Member

hello,

can i do destination nat based on geolocation ? 

Example: i want to publish service with public ip 1 from US and with public ip 2 from UAE.

L0 Member

I am facing an issue where I have added the region object in the rule, but the traffic for one of the IP is not matching on that rule because as per the Palo Alto database, the IP is of the different region but as per the google database, it belongs to the same region which is part of the rule.

 

Like URL recategorization, Do we have any option where we can request them to address this kind of issues and re-map the IP to Geo location mapping ?

Community Team Member

Hi @gaurav_sanghavi , the IP database is pulled directly from the RIR (Regional Internet Registries) through content updates. First make sure you have the latest content. Check the respective RIR for that IP address (depending on the region) and if there's an inconsistency with what you see on your PA device then reach out to support to have it corrected.

 

As a workaround you can create a custom region with the correct location: HOW TO RESOLVE MISMATCH OF COUNTRY-IP MAPPING? 

 

These are the 5 RIRs:

AFRINIC

ARIN

APNIC

LACNIC

RIPE NCC

 

https://en.wikipedia.org/wiki/Regional_Internet_registry 

 

PAN-OS REPORTING INCORRECT GEOLOCATION OF IP ADDRESS 

 

Hope this helps,

-Kiwi.

L0 Member

We currently have the rule set to block all non-U.S. IP's. This is great but causes us an issue because cloud based applications may host outside the U.S. When we try to Whitelist the IP it will still block. Is there a rule that can be created for Whitelist of IP's based or hosted from Non-U.S. entities?

L0 Member

@kiwi 

 

Thanks for your article. 

 

I have some questions regarding the geolocation IPs. You mentioned in the comment that Palo Alto pull the IP data from RIRs. How could I get a complete IP list for a specific country, like United States. 

 

We got a list of US IP addresses from ISP and want to compare the it with Palo Alto's database. If PA's is accurate enough, we would prefer the integrated IP database, rather than using the ISP's list as external dynamic list.

 

Thank you!

Community Team Member

Hi @thqiang ,

 

Eeach RIR produces monthly reports of the allocations and assignments of IPv4, IPv6, and AS numbers within their region. You can use that data to provide an approximate mapping of the IP addresses to their original allocation location.

The data are a historical summary of the resources allocated, assigned, or reserved, including geographical information.

 

Allocation reports per region/RIR

 

APNIC
AFRINIC
ARIN
LACNIC
RIPE NCC

 

You can check the allocated pools per RIR at IANA: https://www.iana.org/numbers

 

Kind regards,

-Kiwi.

 

L0 Member

This is a great guide; but Palo is really lacking what I feel is a super important addition when doing GeoBlocking:  the ability to display a block page.  As cloud continues to expand, traffic to cloud hosted apps often goes to who knows where now.  It would be super helpful for users to know that their traffic was blocked by a geo rule so that when they call the help desk, it could get routed properly.

L1 Bithead

@kiwi 

 

Which Content updates is being used to pull the IP database ?

L4 Transporter

@manninegi1985 Sorry, what do you mean by which?  The IP Region mapping (geolocation - what is shown in the show ip location CLI command) is updated via Content Updates (in other words, the Applications and Threats section of Dynamic Updates).

  • 101333 Views
  • 14 comments
  • 14 Likes
Register or Sign-in
Labels