Geolocation Region EU allowed bust Spain is denied

cancel
Showing results for 
Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Geolocation Region EU allowed bust Spain is denied

L3 Networker

Hi

 

we use the region as source adress in policies.

We allowed region EU but traffic from Spain was blocked. We had to add ES (Spain) to the allowed regions.

What am i missing? Spain should match the EU region. Any ideas?

 

If i enter the ip that was blocked in CLI with the "show location ip" command it shows Spain.

What does the EU region match? Do i also have to allow Italy, Austria and all the other EU countries separately?

If yes, what is the EU region used for?

 

TIA

Karsten

1 ACCEPTED SOLUTION

Accepted Solutions

L4 Transporter

Yes, the "EU" region does not seem to be treated as a region group, but is instead a generic standalone region. It seems to be a catch-all for lots of mixed use blocks. So for Europe you need to have both the specific country code and the catch-all EU code.

 

As an example, Velia.net 146.0.224.0/19 is marked as EU, though it is in Germany (seems to be a Godaddy datacenter block in Germany). Even though the entire /19 is marked EU, specific sub-allocations are all over the place:

147.0.227.0/28 - Safetyman Intl   Hong Kong

147.0.227.16/30 - CrossEngage Germany

147.0.227.32.0/30 - PetroLube Russia

147.0.227.36.0/31 - Superscanner Netherlands

147.0.227.96/29 - Admixer Ukraine

View solution in original post

6 REPLIES 6

L4 Transporter

Yes, the "EU" region does not seem to be treated as a region group, but is instead a generic standalone region. It seems to be a catch-all for lots of mixed use blocks. So for Europe you need to have both the specific country code and the catch-all EU code.

 

As an example, Velia.net 146.0.224.0/19 is marked as EU, though it is in Germany (seems to be a Godaddy datacenter block in Germany). Even though the entire /19 is marked EU, specific sub-allocations are all over the place:

147.0.227.0/28 - Safetyman Intl   Hong Kong

147.0.227.16/30 - CrossEngage Germany

147.0.227.32.0/30 - PetroLube Russia

147.0.227.36.0/31 - Superscanner Netherlands

147.0.227.96/29 - Admixer Ukraine

Thanks for the information. This helps alot.

How did you find this information? Is there any docu concerning the EU region and what it is catching up?

Any way to find out what is covered by EU, other than wait until something hits the logs and shows up as EU?

cu

 

Like you, I had allowed "EU" as a destination address in multiple rules and kept having failure to match that came up as Ireland/Germany/Spain/etc. So I found it by trial and error, adding those regions. I've had to wait for reports of blocked websites or scan the Traffic logs for potential matches: ( dstloc eq 'EU' )

 

I have not found any documentation concerning how PaloAlto has geolocated certain IP blocks. I originally thought it was based on the "country:" field of the IP whois field, but that is not always the case. You can override a region code by adding IPs/blocks in Objects -> Regions, but I haven't found any way to view all existing geolocations to see what might be miscategorized for your policy ruleset.

Ok, thanks for your help. Now i can be sure that EU does not match all EU countries.

Last question: Do you know if override a region with IPs just adds the manual IPs to the original region or does it replace the original region and only uses the manual added IPs?

I am not sure, but I think it just adds the manual IPs to the original region as an exception. I have not actually used it to add to existing region geolocations before, but I do have one custom region code "Hidden-Cobra" that has all the NK Hidden Cobra servers in it, redefining their region to one that is in a block-all-traffic policy rule.

 

There is this PA article on using the Objects->Regions to fix "How to resolve mismatch of country-IP mapping?":

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMt6CAG

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!