How to block login attempts from specific countries or regions in Prisma Access

Created On 06/10/23 02:38 AM - Last Modified 02/13/26 20:27 PM


Objective


  • To block certain countries or regions from attempting to log in to Prisma Access when the configured Geo Location rule is not working.
  • A normal Geo Location based rule does not work for the initial login attempts of mobile user connections because pre-defined rules allow that traffic, subject to the user fulfilling the authentication criteria configured by the administrator.
  • The normal Geo Location based rule will still work for users after the login is done (if allowed) for access to resources.


Environment


  • Prisma Access for Users 3.1 or above.
  • Prisma Access for Networks 3.1 or above. 
  • Geo Location Rules


Procedure


      The above information is documented at Features in Prisma Access 3.1 documentation.


      Additional Information


      • The rule name should be exactly as defined in the document.
      • The Tag is also mandatory; the rule will not work as intended if the Tag PA_predefined_embargo_rule is not added to the rule.
      • The rule doesn't have to be moved to the top (although it is recommended for sanity), as the Tag will cause the rule to be placed on top of the rule stack in Prisma Access SPN.
      • Rule examples

      PANORAMA

      Rule example for Panorama managed Prisma Access

      STRATA CLOUD MANAGER

      Rule example for cloud managed Prisma Access

