05-15-2024 10:37 PM
Hi All,
We have a requirement to set up a block rule for users connecting to GlobalProtect from different countries. We need to allow users only from one particular region to connect to GlobalProtect.
In Prisma we can use the Specific Tag and Specific Name on the rule to achieve this. But I don’t find any related document that suggests this level of config on Firewalls.
Please help us by suggesting the right way to achieve this. As it is Any location that needs to be blocked, we are concerned about traffic other than the GP connection traffic.
The document below is for Prisma.
Block Incoming Connections from Specific Countries (paloaltonetworks.com)
05-16-2024 05:59 AM
On a regular firewall I use the following rule to allow ipsec, panos-global-protect and ssl from certain regions only:
followed by a drop rule
05-16-2024 02:00 AM
To restrict GlobalProtect VPN access based on the user's country of origin, you can utilize various methods depending on your firewall platform. While Prisma offers specific features like Specific Tag and Specific Name for this purpose, other firewalls may have similar capabilities under different names or configurations. Here's a general approach you can take:
Geo-IP Filtering:
User Group or Role-Based Access:
Authentication and Authorization Policies:
VPN Client Settings:
Integration with External Services:
It's essential to consult your firewall's documentation or contact your firewall vendor's support for detailed guidance specific to your firewall model and software version. They can provide insights into the best practices and configurations for implementing country-based access controls for GlobalProtect or any VPN solution on your network.
05-16-2024 07:12 AM
Specifically to accomplish what @reaper is mentioning in the Source or Destination tab you can select the country in the "Region" section of the address object:
05-16-2024 08:22 AM
Thank you both for the help 🙂
So this will not even let the Portal authentication attempt as well.
05-16-2024 06:39 PM - edited 05-16-2024 06:39 PM
@Sanjay_Ramaiah wrote:
Thank you both for the help 🙂
So this will not even let the Portal authentication attempt as well.
If you're wanting to block GP VPN access from these regions then I would use the region as the source and your GP portal/gateway IPs as the destination with a deny action. No need to call out any specific application. Doing this will prevent anyone from that IP space associated with that geographic region from reaching your environment.
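The allow-then-drop pattern described in the replies above, written as PAN-OS set commands. This is an added example and not configuration posted by anyone in the thread. The zone name `untrust`, the address object `GP-Portal-Gateway`, its IP, the rule names, the region `US` and the `service` values are assumptions to replace with your own.

```text
# Added example, not from the thread. All names and addresses are placeholders.
# Lines starting with # are annotations; enter only the set commands in configure mode.

# Address object for the GlobalProtect portal/gateway public IP (constructed value).
set address GP-Portal-Gateway ip-netmask 203.0.113.10/32

# Rule 1: allow the GlobalProtect applications only from the permitted region.
# The region is selected as the source (country code), as described above.
set rulebase security rules GP-Allow-Region from untrust to untrust source US destination GP-Portal-Gateway application [ ipsec panos-global-protect ssl ] service application-default action allow

# Rule 2: drop everything else aimed at the portal/gateway address.
# The destination is limited to GP-Portal-Gateway, so traffic to other
# destinations is not matched by this rule.
set rulebase security rules GP-Drop-Other from untrust to untrust source any destination GP-Portal-Gateway application any service any action drop

# Place both rules above any broader rule that would match the same traffic,
# with the allow rule first.
move rulebase security rules GP-Allow-Region top
move rulebase security rules GP-Drop-Other after GP-Allow-Region
```

Because the drop rule matches on the portal/gateway destination only, connections from other regions are dropped before the portal login page is reached, while rules for other destinations are evaluated as before.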