06-01-2011 05:02 PM
Hello,
We have an Extranet server which sits on our DMZ... http and https are allowed through the firewall so that outside users can access the web app on that server. My server admin asked me if I can block all inbound traffic from China and Taiwan as he gets a ton of hack attempts coming from those countries. Our web app doesn't serve anybody in those countries so it makes sense to me. Does anybody know a reason why I should not do that? And does anybody know how I would go about blocking traffic from those sources?
Thanks in advance for the help!
-Dave
06-01-2011 05:44 PM
Dave
With PAN-OS for 4.0, the security policies support specifying countries, in the source and destination fields of security policy. That will be the easiest and best option for you to block traffic from certian countries
Thank you
Jerish
06-02-2011 03:59 PM
Jerish,
Thanks for the reply. That's exactly what I'm looking for... I just want to specify a country in the source field of my security policy. I don't see how to add a country though... do I have to manually set up an object or something? I know that IP source country is already defined and tracked somewhere as the Traffic Map under the Monitor tab shows traffic from different countries. Can you point out what I'm missing?
Thanks for the help!
-Dave
06-03-2011 10:02 AM
As long as you are on 4.0.x, you can choose a source country when you add a security rule under the Policies tab. The country list will appear in the drop down menu when you click "Add" under "Source Address" or in the drop down "Name" field under "Regions".
06-03-2011 10:42 AM
Aaaah... got it... thanks! I'm actually on 3.1.5 so that's where I was confused. I'll check it out once we upgrade.
Thanks for the help!
05-29-2012 01:33 PM
I am slightly confused. Why would the external country be associated to a source address instead of a destination address? Our rules go from trust to untrust, (trust being internal IPs obviously). Therefore a user (source) hitting a chinese site (destination country block CN) should in theory be blocked but it isn't (IP confirmed to be registered in China).
Is the response from a chinese site then considered to be the "source" by PA?
Can someone elaborate a bit more on how this rule should work effectively?
To block CN, which would be the rule (or rule combo)?:
a) from Trust source (user) to Untrust destination (country block) action Deny? not working
or
b) from trust source (country block) to untrust source (user) action Deny? illogical to trust a blocked country
or
c) from Untrust source (country block) to Trust destination (user) action Deny?
or.....
Thanks,
Larry
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
