GEO-IP Filtering through Access Policies on Multiple Interfaces
dohagan
Newbie ✭
If I have an Access Policy with custom GEO-IP Filtering applied to the WAN interface that blocks most countries, but I have a second Access Policy with less restrictive custom GEO-IP Filtering applied to the LAN interface, will my user who occasionally has to connect to countries that we want to normally restrict, be allowed to access them?
Basically, if I have an allowed connection coming from the LAN, will the WAN block the inbound response anyway because of its generic rule?
I would appreciate it if there is someone who is familiar with this before I start making changes to a live environment.
Thanks for any assist.
Category: Firewall Security Services
Answers
to continue the question…
I assume that, if I apply GEO-IP filter access rules to the WAN interfaces as outlined above, and I have existing access rules in place to allow connections to a public-facing server, I would need to edit those rules to apply the same GEO-IP filtering settings? Or will the access rules continue processing after the connection has matched one of them?
i.e. a device in X country that tries to connect to the published web server IP will presumably be allowed to connect, even if there is a separate rule that has the rule-based GEO-IP filtering applied to it, simply because it matched the rule allowing access through to the server.
thx
I'll try to help.
Basically, if I have an allowed connection coming from the LAN, will the WAN block the inbound response anyway because of its generic rule? - No, the LAN to WAN rule will be the one allowing the traffic out, thus any WAN to LAN rules would not apply. It's not like old school ACLs where you need to allow traffic both ways. Firewalls have connection trackers to make this happen.
if I have existing access rules in place to allow connections to public facing server, I assume I would need to edit those rules to apply the same GEO-IP filtering settings? - This depends on your GEOIP settings. If you are using the 'firewall rule-based' config you will need to enable GEOIP on each rule you want it applied on. If you are using the 'all connections' config, like it says, all connections will be filtered (even internal).
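To make the two points in the answer concrete, here is an added toy model of a stateful, zone-based firewall with GeoIP filtering. It is constructed for this thread and is not SonicWall code or configuration; the zone names, the prefix-to-country table, the "rule-based" vs "all-connections" mode names and the "first matching rule wins" evaluation are all simplifying assumptions. It shows that a reply to a LAN-initiated connection is admitted by the connection tracker and never reaches the WAN-to-LAN rules, and that in rule-based mode an inbound allow rule for a published server lets a blocked country through unless the GeoIP flag is set on that rule, while all-connections mode filters every new connection regardless of which rule it matches.

```python
"""Toy stateful firewall with zone rules and GeoIP filtering (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed GeoIP table: prefix -> country code. Documentation ranges are
# used as stand-ins; "XX" plays the role of a country we normally block.
GEOIP_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "XX",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
# RFC 1918 space is treated as internal and never gets a country.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def lookup_country(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "LAN"
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return "UNKNOWN"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "allow" or "deny"
    dst_ip: Optional[str] = None     # None matches any destination
    geoip_filter: bool = False       # rule-based mode: GeoIP enabled on this rule

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

@dataclass
class Firewall:
    rules: list
    blocked_countries: set
    geoip_mode: str = "rule-based"   # or "all-connections"
    conntrack: set = field(default_factory=set)   # keys of allowed flows

    def _geo_blocked(self, p: Packet) -> bool:
        return (lookup_country(p.src_ip) in self.blocked_countries
                or lookup_country(p.dst_ip) in self.blocked_countries)

    def process(self, p: Packet) -> str:
        # 1. Reply to a tracked flow: admitted by state, zone rules not consulted.
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.conntrack:
            return "allow (established)"
        # 2. New flow in all-connections mode: GeoIP runs before any rule.
        if self.geoip_mode == "all-connections" and self._geo_blocked(p):
            return "deny (geoip)"
        # 3. First matching zone rule decides; later rules are not evaluated.
        for r in self.rules:
            if (r.src_zone, r.dst_zone) != (p.src_zone, p.dst_zone):
                continue
            if r.dst_ip is not None and r.dst_ip != p.dst_ip:
                continue
            if r.action == "deny":
                return "deny (rule)"
            if r.geoip_filter and self._geo_blocked(p):
                return "deny (geoip)"
            self.conntrack.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow (rule)"
        return "deny (default)"

def run_scenarios() -> dict:
    """Replay the thread's scenarios; all addresses and ports are constructed."""
    blocked = {"XX"}
    web_server = "192.0.2.10"       # published server in the DMZ zone
    permissive_lan = Rule("LAN", "WAN", "allow")
    publish_no_geo = Rule("WAN", "DMZ", "allow", dst_ip=web_server)
    publish_geo = Rule("WAN", "DMZ", "allow", dst_ip=web_server, geoip_filter=True)

    outbound = Packet("LAN", "WAN", "10.0.0.5", "203.0.113.7", 51000, 443)
    reply = Packet("WAN", "LAN", "203.0.113.7", "10.0.0.5", 443, 51000)
    inbound = Packet("WAN", "DMZ", "203.0.113.7", web_server, 40000, 443)

    fw = Firewall([permissive_lan, publish_no_geo], blocked, "rule-based")
    results = {
        "lan_to_blocked_country": fw.process(outbound),        # LAN rule allows it
        "reply_from_blocked_country": fw.process(reply),       # state, not WAN rules
        "inbound_rule_without_geoip": fw.process(inbound),     # slips past GeoIP
    }
    fw_flagged = Firewall([permissive_lan, publish_geo], blocked, "rule-based")
    results["inbound_rule_with_geoip"] = fw_flagged.process(inbound)
    fw_all = Firewall([permissive_lan, publish_no_geo], blocked, "all-connections")
    results["inbound_all_connections_mode"] = fw_all.process(inbound)
    results["lan_out_all_connections_mode"] = fw_all.process(outbound)
    return results

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32} {verdict}")
```

The model deliberately keeps the WAN-to-LAN side empty of allow rules: the reply in the first scenario is admitted purely because the outbound packet created a tracker entry, which is the behaviour the answer describes. The last two results show the trade-off between the modes: all-connections mode closes the gap on the published server, but it also blocks the LAN user's occasional outbound connection to the restricted country, which is exactly the case the original question wanted to keep working.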