Block countries

L4 Transporter

Can you block more than one country in a single security policy?

10 REPLIES 10

L7 Applicator

Yes... looks like this:

 

geo.png

That looks like one over block for the entire firewall. Can you do the same thing on individual security policies?

It's still an individual security policy, applied to the whole firewall.  Yes, you could have multiple policies referencing specific countries.  

 

You can also do something like "permit ssh except for china" (not to pick on China).  In this case, your source country you would choose the country/countries you want to exempt from this list, and then select the "negate" option.  That looks like this:

 

geoblock4.png

Why not pick on China, they pick on us 🙂 That is exactly who I wish to block LOL

I work at a university and I do not know how practical it would be for us to block whole countries' access, since we have many international students. I think we could probably do it on an individual security policy level, to block access from certain countries to certain locations or devices or zones.

Some things to bear in mind.

 

Your inbound block policies will not prevent your students from browsing out to the affected region web sites.

 

You should be sure to include an inbound allow policy for smtp specifically before your inbound blocks so your student mail will still work (assuming you host the mail servers).

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
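The two points made above (a single rule with the source negated, and an SMTP allow placed ahead of the country block) both depend on first-match, top-down rule evaluation. The sketch below is an added example, not part of the original posts and not PAN-OS code or syntax; the rule names, the country codes AA/BB/CC and the deny-by-default fallback are assumptions made for illustration.

```python
"""Toy first-match rulebase: a simplified model, not PAN-OS code or syntax."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    countries: frozenset   # source country codes; empty set means "any"
    app: str               # application name, or "any"
    action: str            # "allow" or "deny"
    negate: bool = False   # True: match every source country NOT listed

    def matches(self, country: str, app: str) -> bool:
        if self.app not in ("any", app):
            return False
        if not self.countries:
            return True
        return (country in self.countries) != self.negate

def evaluate(rules, country, app):
    """Return (action, rule name) for the first rule that matches, top down."""
    for rule in rules:
        if rule.matches(country, app):
            return rule.action, rule.name
    return "deny", "default"   # assumption: unmatched inbound traffic is denied

# Constructed placeholder codes: AA and BB are blocked, CC is not.
BLOCKED = frozenset({"AA", "BB"})

# "Permit ssh except for ..." as one rule with the negate option set.
SSH_NEGATED = [Rule("ssh-except-listed", BLOCKED, "ssh", "allow", negate=True)]

smtp_allow = Rule("allow-inbound-smtp", frozenset(), "smtp", "allow")
geo_block = Rule("block-countries", BLOCKED, "any", "deny")
SMTP_FIRST = [smtp_allow, geo_block]    # order recommended in the thread
BLOCK_FIRST = [geo_block, smtp_allow]   # mail from AA/BB never reaches the allow

if __name__ == "__main__":
    cases = [
        ("ssh negated", SSH_NEGATED, "AA", "ssh"),
        ("ssh negated", SSH_NEGATED, "CC", "ssh"),
        ("smtp first", SMTP_FIRST, "AA", "smtp"),
        ("block first", BLOCK_FIRST, "AA", "smtp"),
    ]
    for label, rules, country, app in cases:
        print(f"{label:12} {country} {app:5} -> {evaluate(rules, country, app)}")
```
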

Hello All,

For the country blocks, we block both ways, inbound and outbound. Sometimes it's easier to just list the friendly countries and block the rest rather than blocking a huge list. But either way works. Also with the shortage of IPv4 addresses, we are running into issues where ISPs are buying from other countries and causing issues for some of our users. Just another weird thing going on.

 

Cheers!

So basically you are using it like a whitelist.

Exactly, a whitelist rather than a blacklist. But it all depends on your situation. I like to follow the less amount of work principle, where the least amount of effort on my part will grant me the results I need.

In my opinion I would only block entire countries on inbound connections and only on certain applications. For example, if you host your own Exchange environment then I would block some countries from sending email in, as long as your business requirements actually allow for this.
