This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Geo Blocking problem

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Geo Blocking problem

Fraz_Mahmud
L1 Bithead

‎11-24-2020 08:01 AM

 
 

Hi, I am using Palo Alto (PA) firewalls hosting Software Version: 8.1.17 in AWS and need to configure Geo-Blocking so that only GB (United Kingdom) requests are permitted and all other requests denied. 

 

The infrastructure setup is as follows:

FQDN => Internet Load Balancer => Palo Alto => Internal Load Balancer => EC2 instance

 

I have set up "security" policy 1 under the "policies" tab with the 2 x source addresses which belong to the subnets attached to the internet load balancer. See below:

 

security policy source 1.PNG

 

I then set up a second security policy 2 with only "GB" in the source address and enabled the "negate" option (see below). I then placed policy 2 after policy 1 expecting all traffic other than GB to be blocked. This did not work because traffic permitted in rule 1 is obviously forwarding the load balancer IP and not that of the actual source address of the requestor.

 

security policy source 2.PNG

 

There is an x-forwarded for option (see below) but do I simply enable both checkboxes? Is there further configuration change required? Any help would be much appreciated.

 

PA_1.PNG

 

Thanks.

0 Likes Likes
5 REPLIES 5

MP18
Cyber Elite
Cyber Elite

‎11-24-2020 07:52 PM

@Fraz_Mahmud 

 

Regarding Security policy to allow traffic only from GB  you can configure this 

Source region GB  and destination address which you want and check they negate and then click on action as drop.

 

This will block traffic from all other countries other than GB for your destination address.

After this policy create another policy and put source IP which you want to allow and put the destination ip address which you want and

action as allow.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.
(1)

BPry
Cyber Elite
Cyber Elite

‎11-24-2020 08:19 PM

@Fraz_Mahmud,

You'll want to be running PAN-OS 10 and use the following feature to make this work as best as possible. 

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/identify-users-connected-through-a...

(1)

Fraz_Mahmud
L1 Bithead
In response to BPry

‎11-25-2020 06:13 AM - edited ‎11-25-2020 06:33 AM

 

Thanks for the info.

 

We've set up a dummy Palo Alto in a test environment with PAN-OS 10 to check out the options. See below.

 

image (3).pngimage (4).png


I was hoping I wouldn't have to upgrade the PAN-OS but looks like it may be the only solution. So by enabling the x-forwarded for security policy option, it will be at root level on the PA so may affect other rules. I will have to go through all other rules before making changes. It would have been great if you were able to specify explicit security rules to which the x-forwarded option could be explicitly applied.

 

Are you aware of any breaking changes upgrading from PAN-OS version 8 to 10?

 

Thanks

0 Likes Likes

Fraz_Mahmud
L1 Bithead
In response to BPry

‎11-25-2020 06:31 AM

@BPry that last response was meant for you. Thanks mate. I keep getting html errors when posting which is quite frustrating.

0 Likes Likes

Fraz_Mahmud
L1 Bithead
In response to MP18

‎11-25-2020 06:32 AM


@MP18

Thanks for the help. I'm not entirely sure this will work reflecting on it? The URL that incoming traffic is received via is DNSd to the AWS classic internet load balancer. So all traffic must come via the load balancer, then traverse the Palo Alto and then be blocked if non-GB. That's why the first rule allows all traffic via the load balancer and i set up the second rule to block all non-GB traffic. I may have misunderstood your suggestion so please feel free to correct me. I am in no way a network/firewall expert so open to all suggestions. It would have been easier if i could have blocked all traffic excluding GB at the load balancer.

0 Likes Likes
  • 4198 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks