This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Country Blocking Exceptions

I have a customer who has implemented a pretty extensive geo blocking policy.

They have users who need to access both Skype (https://secure.skype.com) and ICQ (http://login.icq.com). Both are being blocked based on the country rules. I've attempted to add Country Blocking Exceptions for both, but they're still being blocked.

Created DNS Group network definitions for both, then Country Blocking Exceptions lists allowing traffic to all countries going to those two network definitions.

Web Policy Test still shows as blocked.

This thread was automatically locked due to age.

0 BAlfson over 11 years ago

Brian, what version are they on?  A related problem supposedly was fixed in 9.206 after breaking in 9.2.

Still, Exceptions probably aren't necessary.  I think many people misunderstand how Country Blocking and the connection tracker work together.  For example, if you block traffic From China, the hackers from there won't be able to penetrate your defenses.

If you then try to access Google or some other site hosted in China, you will have no problem.  Conntrack will see that the traffic is a response to an allowed request, and so will accept the packets before any firewall rules or GEOIP can block them.

If you block All, you won't be able to access websites in China.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 briancarmen over 11 years ago in reply to BAlfson

Looks like the update did the trick. As for blocking only traffic from those not so friendly locales, by allowing traffic TO them, you're still opening yourself up to all kinds of nastiness if your users go there. I know that ATP, IPS and EP are going to do a pretty good job of catching those things, but better safe than sorry. Particularly with China and former SSRs.
Cancel
Vote Up 0 Vote Down

Cancel