How to Block Traffic Based Upon Countries

246644
Created On 09/25/18 19:38 PM - Last Modified 04/19/24 19:24 PM


Symptom


  • Traffic destined to or sourced from an entire country can be blocked on the Palo Alto Networks firewall.
  • This works because PAN-OS maps public IP addresses to regions by looking them up in an internal database.
  • This mapping is updated weekly through content updates, and the firewall keeps it in its local database.


Environment


  • PAN-OS 8.1 and above
  • Palo Alto Networks Firewall
  • Security Policy based on Geo-Location


Resolution


  1. Go to GUI: Policies > Security > Add. In the Source or Destination tab, click Add under the Address section. The Address, Address Group, and Regions options are shown.
  2. Select Regions, as shown in the example. This example uses the Destination Address.
[Screenshot: 2.JPG]
  3. All the countries in the world are now listed with their corresponding region codes, as shown below:
[Screenshot: 3.JPG]
  4. Select the country to block; the example below shows China (CN):
[Screenshot: 4.JPG]
  5. Specific public IP addresses from the country can also be added by clicking the Add button. The country is now referenced in the destination, as shown below:
[Screenshot: 5.JPG]
  6. The final configured security policy will look like the screenshot below. The configuration blocks all traffic sourced from or destined to that country, depending on whether the region is referenced in the Source or the Destination of the policy.
[Screenshot: 6.JPG]
  7. Regions can also be created under GUI: Objects > Regions, as shown below:
[Screenshot: 1.JPG]
  8. New regions can also be created using the GeoLocation feature, which is also used to create Traffic and Threat maps. This is done by specifying the exact coordinates of the region.
[Screenshot: 7.JPG]

Some regions, such as the EU regions, do not contain every EU country; the missing countries have to be added to the policy alongside the region.

Note: Region-based blocking currently works only for IPv4 addresses.
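As an added example (not from this article or from Palo Alto Networks), the same deny rule built for the PAN-OS XML API config "set" call, with a check that any custom region members are IPv4, per the note above. The rule name, the vsys name and the single-vsys xpath prefix are assumptions; adjust them for your firewall.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed for this example: single vsys "vsys1" and the default device entry.
VSYS = "vsys1"
RULE_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']"
    f"/vsys/entry[@name='{VSYS}']/rulebase/security/rules"
)


def validate_region_members(members):
    """Region-based blocking only matches IPv4, so refuse IPv6 members
    before they are added to a custom Region object."""
    for m in members:
        net = ipaddress.ip_network(m, strict=False)
        if net.version != 4:
            raise ValueError(f"region members must be IPv4, got {m}")
    return True


def geo_block_rule(name, regions, direction="destination"):
    """Build the <entry> for a deny rule whose source or destination is a
    list of region codes (e.g. 'CN'), mirroring the GUI steps above."""
    if direction not in ("source", "destination"):
        raise ValueError("direction must be 'source' or 'destination'")
    for code in regions:
        if not (len(code) == 2 and code.isalpha() and code.isupper()):
            raise ValueError(f"expected a two-letter region code, got {code!r}")
    entry = ET.Element("entry", name=name)
    fields = {
        "from": ["any"], "to": ["any"],
        "source": ["any"], "destination": ["any"],
        "source-user": ["any"], "category": ["any"],
        "application": ["any"], "service": ["any"],
    }
    fields[direction] = list(regions)  # region codes go straight in the address field
    for tag, members in fields.items():
        node = ET.SubElement(entry, tag)
        for m in members:
            ET.SubElement(node, "member").text = m
    ET.SubElement(entry, "action").text = "deny"
    ET.SubElement(entry, "log-end").text = "yes"  # log hits so blocks show in the traffic log
    return ET.tostring(entry, encoding="unicode")


def api_set_params(name, regions, direction="destination"):
    """Query parameters for the XML API call: type=config&action=set."""
    return {"type": "config", "action": "set", "xpath": RULE_XPATH,
            "element": geo_block_rule(name, regions, direction)}
```

Send the returned parameters (plus your API key) to /api/ on the firewall, then commit; the rule lands at the end of the rulebase, so move it above any broader allow rule.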


Additional Information


Region Object Not Working in Security Policy
