Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Block Connections from Different Region

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Block Connections from Different Region

L4 Transporter

Hi All,

We have a requirement to setup a Block rule for the users connecting to GlobalProtect from different countries. We need to allow users only from one particular region to connect to GlobalProtect.

 

In Prisma we can use the Specific Tag and Specific Name on the rule to achieve this. But I don’t find any related document that suggests this level of config on Firewalls.

 

Please help us with suggesting what would be the right way to achieve this. As it is Any location that needs to be blocked we are concerned for other traffic other than the GP connection traffic.

 

This Document below is for prisma.

Block Incoming Connections from Specific Countries (paloaltonetworks.com)

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

on a regular firewall I use the following rule to allow ipsec, panos-global-protect and ssl from certain regions only:

reaper_0-1715864288237.png

followed by a drop rule

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

5 REPLIES 5

To restrict GlobalProtect VPN access based on the user's country of origin, you can utilize various methods depending on your firewall platform. While Prisma offers specific features like Specific Tag and Specific Name for this purpose, other firewalls may have similar capabilities under different names or configurations. Here's a general approach you can take:

 

Geo-IP Filtering:

 

  • Many modern firewalls support Geo-IP filtering, allowing you to create rules based on the geographic location of IP addresses.
  • Check if your firewall platform supports this feature and how it can be configured.
  • Create a rule that denies access to GlobalProtect for IP addresses outside the desired region.


User Group or Role-Based Access:

 

  • Utilize user groups or roles within your firewall to differentiate between users based on their location.
  • Assign users connecting from the desired region to a specific group or role that is allowed access to GlobalProtect. For users outside this region, assign them to a group or role that is denied access.


Authentication and Authorization Policies:

 

  • Incorporate authentication and authorization policies that take into account the user's location.
  • During the authentication process, verify the user's country of origin and apply policies accordingly to allow or deny GlobalProtect access.


VPN Client Settings:

 

  • If your firewall allows, configure VPN client settings to restrict access based on location.
  • This may involve settings within the GlobalProtect client itself or configurations pushed from the firewall.


Integration with External Services:

 

  • Consider integrating your firewall with external services or threat intelligence platforms that provide geolocation data.
  • Use this data to dynamically update firewall rules or apply restrictions based on the user's country.


It's essential to consult your firewall's documentation or contact your firewall vendor's support for detailed guidance specific to your firewall model and software version. They can provide insights into the best practices and configurations for implementing country-based access controls for GlobalProtect or any VPN solution on your network.

Cyber Elite
Cyber Elite

on a regular firewall I use the following rule to allow ipsec, panos-global-protect and ssl from certain regions only:

reaper_0-1715864288237.png

followed by a drop rule

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L6 Presenter

Specifically to accomplish what @reaper is mentioning in the Source or Destination tab you can select the country in the "Region" section of the address object:

Brandon_Wertz_0-1715868675088.png

 

Brandon_Wertz_1-1715868716281.png

 



Thank you both for the help 🙂

So this will not even let the Portal authentication attempt as well.

 


@Sanjay_Ramaiah wrote:

Thank you both for the help 🙂

So this will not even let the Portal authentication attempt as well.

 


If you're wanting to block GP VPN access from these regions then I would use the region as the source and your GP portal/gateway IPs as the destination with a deny action.  No need to call out any specific application.  Doing this will prevent anyone from that IP space associated with that geographic region from reaching your environment. 

  • 1 accepted solution
  • 2830 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!