02-25-2022 02:46 AM
Hi
We use the region as source address in policies.
We allowed region EU but traffic from Spain was blocked. We had to add ES (Spain) to the allowed regions.
What am I missing? Spain should match the EU region. Any ideas?
If I enter the IP that was blocked in CLI with the "show location ip" command it shows Spain.
What does the EU region match? Do I also have to allow Italy, Austria and all the other EU countries separately?
If yes, what is the EU region used for?
TIA
Karsten
02-25-2022 10:26 AM
Yes, the "EU" region does not seem to be treated as a region group, but is instead a generic standalone region. It seems to be a catch-all for lots of mixed use blocks. So for Europe you need to have both the specific country code and the catch-all EU code.
As an example, Velia.net 146.0.224.0/19 is marked as EU, though it is in Germany (seems to be a GoDaddy datacenter block in Germany). Even though the entire /19 is marked EU, specific sub-allocations are all over the place:
147.0.227.0/28 - Safetyman Intl Hong Kong
147.0.227.16/30 - CrossEngage Germany
147.0.227.32.0/30 - PetroLube Russia
147.0.227.36.0/31 - Superscanner Netherlands
147.0.227.96/29 - Admixer Ukraine
02-25-2022 11:20 AM
Thanks for the information. This helps a lot.
How did you find this information? Is there any documentation concerning the EU region and what it catches?
Is there any way to find out what is covered by EU, other than waiting until something hits the logs and shows up as EU?
cu
02-25-2022 11:35 AM
Like you, I had allowed "EU" as a destination address in multiple rules and kept having failures to match that came up as Ireland/Germany/Spain/etc. So I found it by trial and error, adding those regions. I've had to wait for reports of blocked websites or scan the Traffic logs for potential matches: ( dstloc eq 'EU' )
I have not found any documentation concerning how Palo Alto has geolocated certain IP blocks. I originally thought it was based on the "country:" field of the IP whois record, but that is not always the case. You can override a region code by adding IPs/blocks in Objects -> Regions, but I haven't found any way to view all existing geolocations to see what might be miscategorized for your policy ruleset.
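The log review described in the post above, as an added example that is not part of the original thread and is not Palo Alto code: it summarizes an exported traffic log to show which destination networks were labelled with the catch-all EU code and which country codes were denied because the rule listed only EU. The CSV column names, the sample rows and the function name are assumptions; adjust them to your own export.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows using documentation address ranges. The column
# names (src, dst, dstloc, action) are assumptions, not a vendor format.
SAMPLE_LOG = """\
src,dst,dstloc,action
10.1.1.5,192.0.2.10,EU,allow
10.1.1.5,192.0.2.77,EU,allow
10.1.1.9,198.51.100.4,EU,allow
10.1.1.7,203.0.113.20,ES,deny
10.1.1.7,203.0.113.21,ES,deny
10.1.1.8,203.0.113.130,DE,deny
10.1.1.8,203.0.113.200,US,allow
"""


def summarize_regions(log_text, allowed_regions, prefix_len=24):
    """Return (eu_networks, denied_regions) as two Counters.

    eu_networks: networks of size /prefix_len whose destination carried
        the standalone 'EU' label, i.e. what the catch-all really covers.
    denied_regions: region codes seen on denied rows that are missing
        from allowed_regions, i.e. candidates to add to the rule.
    """
    allowed = {code.upper() for code in allowed_regions}
    eu_networks = Counter()
    denied_regions = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        loc = row["dstloc"].strip().upper()
        if loc == "EU":
            # strict=False masks the host bits so the address maps to its network
            net = ipaddress.ip_network(f"{row['dst']}/{prefix_len}", strict=False)
            eu_networks[str(net)] += 1
        elif row["action"].strip().lower() == "deny" and loc not in allowed:
            denied_regions[loc] += 1
    return eu_networks, denied_regions


if __name__ == "__main__":
    eu, denied = summarize_regions(SAMPLE_LOG, {"EU"})
    print("Networks labelled EU:", dict(eu))
    print("Denied codes not in the rule:", dict(denied))
```
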
02-25-2022 11:48 AM
Ok, thanks for your help. Now I can be sure that EU does not match all EU countries.
Last question: Do you know if overriding a region with IPs just adds the manual IPs to the original region, or does it replace the original region and only use the manually added IPs?
02-25-2022 12:14 PM
I am not sure, but I think it just adds the manual IPs to the original region as an exception. I have not actually used it to add to existing region geolocations before, but I do have one custom region code "Hidden-Cobra" that has all the NK Hidden Cobra servers in it, redefining their region to one that is in a block-all-traffic policy rule.
There is this PA article on using the Objects->Regions to fix "How to resolve mismatch of country-IP mapping?":
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMt6CAG
06-09-2022 12:54 AM
Hi
I found some information here
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFFCA0
br