This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Geolocation Region EU allowed bust Spain is denied

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Geolocation Region EU allowed bust Spain is denied

Go to solution
kbe
L3 Networker

‎02-25-2022 02:46 AM

Hi

 

we use the region as source adress in policies.

We allowed region EU but traffic from Spain was blocked. We had to add ES (Spain) to the allowed regions.

What am i missing? Spain should match the EU region. Any ideas?

 

If i enter the ip that was blocked in CLI with the "show location ip" command it shows Spain.

What does the EU region match? Do i also have to allow Italy, Austria and all the other EU countries separately?

If yes, what is the EU region used for?

 

TIA

Karsten

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Adrian_Jensen
L6 Presenter

‎02-25-2022 10:26 AM

Yes, the "EU" region does not seem to be treated as a region group, but is instead a generic standalone region. It seems to be a catch-all for lots of mixed use blocks. So for Europe you need to have both the specific country code and the catch-all EU code.

 

As an example, Velia.net 146.0.224.0/19 is marked as EU, though it is in Germany (seems to be a Godaddy datacenter block in Germany). Even though the entire /19 is marked EU, specific sub-allocations are all over the place:

147.0.227.0/28 - Safetyman Intl   Hong Kong

147.0.227.16/30 - CrossEngage Germany

147.0.227.32.0/30 - PetroLube Russia

147.0.227.36.0/31 - Superscanner Netherlands

147.0.227.96/29 - Admixer Ukraine

View solution in original post

6 REPLIES 6

Go to solution
Adrian_Jensen
L6 Presenter

‎02-25-2022 10:26 AM

Yes, the "EU" region does not seem to be treated as a region group, but is instead a generic standalone region. It seems to be a catch-all for lots of mixed use blocks. So for Europe you need to have both the specific country code and the catch-all EU code.

 

As an example, Velia.net 146.0.224.0/19 is marked as EU, though it is in Germany (seems to be a Godaddy datacenter block in Germany). Even though the entire /19 is marked EU, specific sub-allocations are all over the place:

147.0.227.0/28 - Safetyman Intl   Hong Kong

147.0.227.16/30 - CrossEngage Germany

147.0.227.32.0/30 - PetroLube Russia

147.0.227.36.0/31 - Superscanner Netherlands

147.0.227.96/29 - Admixer Ukraine

Go to solution
kbe
L3 Networker
In response to Adrian_Jensen

‎02-25-2022 11:20 AM

Thanks for the information. This helps alot.

How did you find this information? Is there any docu concerning the EU region and what it is catching up?

Any way to find out what is covered by EU, other than wait until something hits the logs and shows up as EU?

cu

 

0 Likes Likes

Go to solution
Adrian_Jensen
L6 Presenter
In response to kbe

‎02-25-2022 11:35 AM

Like you, I had allowed "EU" as a destination address in multiple rules and kept having failure to match that came up as Ireland/Germany/Spain/etc. So I found it by trial and error, adding those regions. I've had to wait for reports of blocked websites or scan the Traffic logs for potential matches: ( dstloc eq 'EU' )

 

I have not found any documentation concerning how PaloAlto has geolocated certain IP blocks. I originally thought it was based on the "country:" field of the IP whois field, but that is not always the case. You can override a region code by adding IPs/blocks in Objects -> Regions, but I haven't found any way to view all existing geolocations to see what might be miscategorized for your policy ruleset.

Go to solution
kbe
L3 Networker
In response to Adrian_Jensen

‎02-25-2022 11:48 AM

Ok, thanks for your help. Now i can be sure that EU does not match all EU countries.

Last question: Do you know if override a region with IPs just adds the manual IPs to the original region or does it replace the original region and only uses the manual added IPs?

0 Likes Likes

Go to solution
Adrian_Jensen
L6 Presenter
In response to kbe

‎02-25-2022 12:14 PM

I am not sure, but I think it just adds the manual IPs to the original region as an exception. I have not actually used it to add to existing region geolocations before, but I do have one custom region code "Hidden-Cobra" that has all the NK Hidden Cobra servers in it, redefining their region to one that is in a block-all-traffic policy rule.

 

There is this PA article on using the Objects->Regions to fix "How to resolve mismatch of country-IP mapping?":

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMt6CAG

Go to solution
YordanYordanov
L2 Linker
In response to kbe

‎06-09-2022 12:54 AM

Hi

i found some information here

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFFCA0

br

0 Likes Likes
  • 1 accepted solution
  • 4468 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks