Blocking traffic from another country

cancel
Showing results for 
Search instead for 
Did you mean: 

Blocking traffic from another country

L1 Bithead

Hello,

We have an Extranet server which sits on our DMZ... http and https are allowed through the firewall so that outside users can access the web app on that server.  My server admin asked me if I can block all inbound traffic from China and Taiwan as he gets a ton of hack attempts coming from those countries.  Our web app doesn't serve anybody in those countries so it makes sense to me.  Does anybody know a reason why I should not do that?  And does anybody know how I would go about blocking traffic from those sources?

Thanks in advance for the help!

-Dave

5 REPLIES 5

L4 Transporter

Dave

With PAN-OS for 4.0, the security policies support specifying countries, in the source and destination fields of security policy. That will be the easiest and best option for you to block traffic from certian countries

Thank you

Jerish

Jerish,

Thanks for the reply.  That's exactly what I'm looking for... I just want to specify a country in the source field of my security policy.  I don't see how to add a country though... do I have to manually set up an object or something?  I know that IP source country is already defined and tracked somewhere as the Traffic Map under the Monitor tab shows traffic from different countries.  Can you point out what I'm missing?

Thanks for the help!

-Dave

As long as you are on 4.0.x, you can choose a source country when you add a security rule under the Policies tab.  The country list will appear in the drop down menu when you click "Add" under "Source Address" or in the drop down "Name" field under "Regions".

countries.png

Aaaah... got it... thanks!  I'm actually on 3.1.5 so that's where I was confused.  I'll check it out once we upgrade.

Thanks for the help!

I am slightly confused. Why would the external country be associated to a source address instead of a destination address? Our rules go from trust to untrust, (trust being internal IPs obviously). Therefore a user (source) hitting a chinese site (destination country block CN) should in theory be blocked but it isn't (IP confirmed to be registered in China).

Is the response from a chinese site then considered to be the "source" by PA?

Can someone elaborate a bit more on how this rule should work effectively?

To block CN, which would be the rule (or rule combo)?:

a) from Trust source (user) to Untrust destination (country block) action Deny? not working

or

b) from trust source (country block) to untrust source (user) action Deny? illogical to trust a blocked country

or

c) from Untrust source (country block) to Trust destination (user) action Deny?

or.....

Thanks,

Larry

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!