02-14-2017 12:57 PM
Yes... looks like this:
02-14-2017 01:09 PM
That looks like one over block for the entire firewall. Can you do the same thing on individual security policies?
02-14-2017 01:24 PM - edited 02-14-2017 01:27 PM
It's still an individual security policy, applied to the whole firewall. Yes, you could have multiple policies referencing specific countries.
You can also do something like "permit ssh except for china" (not to pick on China). In this case, for your source country you would choose the country/countries you want to exempt from this list, and then select the "negate" option. That looks like this:
02-14-2017 01:30 PM
Why not pick on China? They pick on us 🙂 That is exactly who I wish to block LOL
02-14-2017 01:53 PM
I work at a university and I do not know how practical it would be for us to block whole countries' access, since we have many international students. I think we could probably do it on an individual security policy level, to block access from certain countries to certain locations or devices or zones.
02-21-2017 06:26 AM
Some things to bear in mind.
Your inbound block policies will not prevent your students from browsing out to the affected region web sites.
You should be sure to include an inbound allow policy for smtp specifically before your inbound blocks so your student mail will still work (assuming you host the mail servers).
02-21-2017 01:23 PM
Hello All,
For the country blocks, we block both ways, inbound and outbound. Sometimes it's easier to just list the friendly countries and block the rest rather than blocking a huge list. But either way works. Also with the shortage of IPv4 addresses, we are running into issues where ISPs are buying from other countries and causing issues for some of our users. Just another weird thing going on.
Cheers!
02-21-2017 01:25 PM
So basically you are using it like a whitelist.
02-21-2017 01:27 PM
Exactly, a whitelist rather than a blacklist. But it all depends on your situation. I like to follow the less amount of work principle, where the least amount of effort on my part will grant me the results I need.
02-21-2017 01:33 PM
In my opinion, I would only block entire countries on inbound connections and only on certain applications. For example, if you host your own Exchange environment, then I would block some countries from sending email in, as long as your business requirements actually allow for this.
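The rule-ordering and "negate" points raised in this thread can be checked with a small model. The following is an added example, not code from any poster or from the firewall vendor: a simplified top-down, first-match evaluator in which the rule names, country codes and rulebases are constructed for illustration and unmatched traffic is assumed to be denied.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    countries: frozenset = frozenset()   # empty set = any source country
    negate: bool = False                 # match every country NOT in the set
    app: str = "any"

    def matches(self, country, app):
        if self.app not in ("any", app):
            return False
        if not self.countries:
            return True
        return (country in self.countries) != self.negate

def evaluate(rules, country, app):
    """Top-down, first match wins; assumed default is deny."""
    for rule in rules:
        if rule.matches(country, app):
            return rule.action, rule.name
    return "deny", "default-deny"

# Constructed inbound rulebases (hypothetical names and countries).
smtp_in = Rule("allow-smtp-in", "allow", app="smtp")
ssh_except_cn = Rule("ssh-except-cn", "allow", frozenset({"CN"}), negate=True, app="ssh")
geo_block = Rule("geo-block-in", "deny", frozenset({"CN", "RU"}))
web_in = Rule("allow-web-in", "allow", app="web-browsing")

# SMTP allow sits above the country block, as advised in the thread.
GOOD_ORDER = [smtp_in, ssh_except_cn, geo_block, web_in]
# Same rules with the country block first: mail from blocked countries is lost.
BAD_ORDER = [geo_block, smtp_in, ssh_except_cn, web_in]
# Whitelist style: deny every source that is NOT a listed friendly country.
WHITELIST = [smtp_in,
             Rule("deny-unfriendly", "deny", frozenset({"US", "CA"}), negate=True),
             web_in]

if __name__ == "__main__":
    for label, rb in (("good", GOOD_ORDER), ("bad", BAD_ORDER), ("whitelist", WHITELIST)):
        for country, app in (("CN", "smtp"), ("RU", "ssh"), ("DE", "web-browsing")):
            print(label, country, app, evaluate(rb, country, app))
```

Note that in `GOOD_ORDER` the negated SSH rule sits above the country block, so SSH from RU is allowed even though RU is in the block list; a negated allow rule only excludes the countries it names.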