Cyber Elite

@jleever,

This actually is an uncommon problem, because you're trying to fundamentally break how geoblocking actually works. Trying to have your cake and eat it too if you will. 

Fundamentally you can't allow BPry to access your GlobalProtect portal because the firewall is told to block all traffic from China. The firewall can't know that BPry is associated with that source IP in China unless I have a way to authenticate to the firewall (authentication policy, GlobalProtect, etc.), but you're telling it to not allow any traffic from China to even perform that process.


If we have employees abroad, all of my clients have a process of notifying us of the dates they will be abroad and in which country. We can then set up a security rulebase entry allowing GlobalProtect connections from that country with a schedule, so that traffic is allowed exactly as needed. We then configure GlobalProtect so that only that one single user/machine can connect from that country and is allocated a dedicated IP pool used solely for international travel that gives them extremely limited access to resources, and lock it down as much as possible.

You can bring this a step further by demanding they bring a loaner issued laptop with them while traveling (bonus points for certificate authentication) that can be freshly imaged prior to them leaving the country and immediately re-imaged upon their return. We don't allow any BYOD endpoint to connect abroad and we don't let them take their regular equipment with them. 
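The travel-exception pattern described in the post above, as an added illustration that is not part of the original reply and not Palo Alto firewall code: a first-match rulebase in which a scheduled allow rule for the GlobalProtect application from one country sits above the blanket geo-block, plus a portal-side check that admits only the pre-registered user and loaner-laptop certificate from that country and assigns the restricted travel IP pool. The GeoIP prefixes, user names, certificate CNs, pool names, rule names and trip dates are all constructed for the example.

```python
"""Constructed model of a scheduled geo-block exception for GlobalProtect.

Added example, not PAN-OS code. It shows why rule order matters (the scheduled
allow must sit above the geo-block deny) and why the portal must still refuse
anyone from the blocked country who is not on the travel authorization list.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed GeoIP table using documentation prefixes (not real allocations).
GEOIP = {
    ip_network("203.0.113.0/24"): "CN",
    ip_network("198.51.100.0/24"): "US",
}
GP_APP = "panos-global-protect"  # application identifier used for GlobalProtect traffic


def country_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"  # unknown location never matches a country-scoped rule


@dataclass
class Schedule:
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.end


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    src_countries: frozenset = frozenset()   # empty = any source country
    apps: frozenset = frozenset()            # empty = any application
    schedule: Optional[Schedule] = None      # None = always in effect

    def matches(self, country: str, app: str, now: datetime) -> bool:
        if self.src_countries and country not in self.src_countries:
            return False
        if self.apps and app not in self.apps:
            return False
        if self.schedule is not None and not self.schedule.active(now):
            return False  # outside the travel window the rule simply does not exist
        return True


def evaluate_rulebase(rulebase, src_ip, app, now):
    """First matching rule wins; nothing matching falls to the default deny."""
    country = country_of(src_ip)
    for rule in rulebase:
        if rule.matches(country, app, now):
            return rule.action, rule.name
    return "deny", "default-deny"


@dataclass
class TravelAuthorization:
    user: str
    machine_cn: str        # certificate CN of the freshly imaged loaner laptop
    country: str
    schedule: Schedule
    ip_pool: str           # dedicated, tightly restricted travel pool


def gp_admit(authorizations, geo_blocked, user, machine_cn, src_ip, now):
    """Return the IP pool to assign, or None if the portal should refuse."""
    country = country_of(src_ip)
    if country not in geo_blocked:
        return "corp-pool"  # normal users from normal locations get the standard pool
    for auth in authorizations:
        if (auth.user == user and auth.machine_cn == machine_cn
                and auth.country == country and auth.schedule.active(now)):
            return auth.ip_pool
    return None  # in the window but not the registered user/machine: refuse


def check_connection(rulebase, authorizations, geo_blocked, user, machine_cn, src_ip, now):
    """Combined verdict: ('allowed', pool) or ('denied', reason)."""
    action, rule_name = evaluate_rulebase(rulebase, src_ip, GP_APP, now)
    if action != "allow":
        return "denied", f"firewall:{rule_name}"
    pool = gp_admit(authorizations, geo_blocked, user, machine_cn, src_ip, now)
    if pool is None:
        return "denied", "globalprotect:no-travel-authorization"
    return "allowed", pool


# Constructed data: one approved trip to CN, 1 to 15 March 2024 (placeholder dates).
TRIP = Schedule(datetime(2024, 3, 1), datetime(2024, 3, 16))
GEO_BLOCKED = frozenset({"CN"})
RULEBASE = [
    Rule("Allow-GP-Travel-CN", "allow", frozenset({"CN"}), frozenset({GP_APP}), TRIP),
    Rule("Geo-Block-CN", "deny", frozenset({"CN"})),
    Rule("Allow-GP", "allow", frozenset(), frozenset({GP_APP})),
]
AUTHS = [TravelAuthorization("jleever", "travel-laptop-01", "CN", TRIP, "travel-pool")]


def verdict_on(user, machine_cn, src_ip, year, month, day):
    """Convenience wrapper over the constructed rulebase and authorizations."""
    return check_connection(RULEBASE, AUTHS, GEO_BLOCKED, user, machine_cn,
                            src_ip, datetime(year, month, day))


if __name__ == "__main__":
    print(verdict_on("jleever", "travel-laptop-01", "203.0.113.10", 2024, 3, 5))
    print(verdict_on("jleever", "travel-laptop-01", "203.0.113.10", 2024, 3, 20))
    print(verdict_on("bpry", "bpry-laptop", "203.0.113.11", 2024, 3, 5))
    print(verdict_on("alice", "alice-laptop", "198.51.100.7", 2024, 3, 5))
```

The four cases in the usage block cover the points made in the reply: the registered traveller on the loaner laptop is admitted to the travel pool only inside the window; the same person after the trip is stopped by the geo-block because the scheduled rule has expired; a second user from the same country during the window gets past the firewall rule but is refused by the portal; and a user from an unblocked country takes the ordinary GlobalProtect rule and pool. If the scheduled allow rule were placed below the geo-block, the first case would also be denied, which is the ordering mistake this model makes visible.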
