- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-22-2018 04:42 PM
Hello everyone,
Im trying to find out if its possible to block all countries except for two - United States and India easily. The only way we can see right now is to go country by country adding them into the list. Can someone please assist if theres an easier way to accomplish this?
Thanks,
James
01-22-2018 05:12 PM - edited 01-22-2018 05:26 PM
You have a couple alternatives.
One is to use two (or three) Security Policies, The first one allowing all traffic from (and/or a second rule for trafic *to*) US and India Regions, the next rule listed right after these rules, blocking destination any.
The second option is to use the Negate option. You would configure a Deny rule, and add US and India, then in the Source or Destination Address (depending on which direction of sessions you want to block, you may need to use separate rules for either direction) use the Negate checkbox, which will say, Deny everything 'except' these two Regions.
#1 Pros: Configuration is obvious to anyone reading it, especially if you need to add security profiles in the Actions tab.
#1 Cons: You need two (or three, to cover sessions in either direction) rules
#2 Pros: You need only one rule (or two, to cover sessions in either direction)
#2 Cons: Configuration may look awkward to someone who doesn't understand what the Negate option does, and it's also counter-intuitive to see Security Profiles configured in a Deny policy.
01-22-2018 05:12 PM - edited 01-22-2018 05:26 PM
You have a couple alternatives.
One is to use two (or three) Security Policies, The first one allowing all traffic from (and/or a second rule for trafic *to*) US and India Regions, the next rule listed right after these rules, blocking destination any.
The second option is to use the Negate option. You would configure a Deny rule, and add US and India, then in the Source or Destination Address (depending on which direction of sessions you want to block, you may need to use separate rules for either direction) use the Negate checkbox, which will say, Deny everything 'except' these two Regions.
#1 Pros: Configuration is obvious to anyone reading it, especially if you need to add security profiles in the Actions tab.
#1 Cons: You need two (or three, to cover sessions in either direction) rules
#2 Pros: You need only one rule (or two, to cover sessions in either direction)
#2 Cons: Configuration may look awkward to someone who doesn't understand what the Negate option does, and it's also counter-intuitive to see Security Profiles configured in a Deny policy.
01-22-2018 05:20 PM
Awesome, this makes sense, thank you very much
08-21-2018 09:50 AM
Thanks for the explanation. Just a quick question - In option 1 do we need 2 rules wouldnt the default deny take care of denying everything except the countries that are allowed?
08-21-2018 12:06 PM
Hello,
The use of the rules is one for inbound and the other for outbound traffic. While yes a DENY ALL at the end could suffice, it just saves the firewall to keep having to match the traffic to the whole policy list. It's always top to bottom and left ot right until a match is found.
Hope that clarifies things.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!