IPS Geo Protection Based on X-Forwarded-For HTTP Header

The IPSClosed Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). Geo protection filters and logs traffic based on the country, from each it arrives. This protection is applied to both the source address of the connection, as well as to any IPv4 address present in an 'X-Forwarded-For' HTTP header.

Notes:

  • The External Load Balancer does not hide the client's original IP address.

  • If an HTTP request goes through multiple proxies or Load Balancers, the X-Forwarded-For HTTP header is expected to contain multiple IP addresses.

  • All IPv4 addresses contained in the X-Forwarded-For HTTP header, are inspected by the IPS Geo protection.

  • Any IPv6 address in the X-Forwarded-For HTTP header is ignored.

For more information, see sk115532 on IPS Geo protection based on X-Forwarded-For HTTP header.

Use Case 1

  1. A user is located in Dallas (USA), and the client opens a direct connection to the External Load Balancer.

  2. The Load Balancer forwards the connection to one of the Check Point CloudGuard Network Security Gateways and leaves the source IP address unchanged.

  3. The IPS Geo protection on the CloudGuard Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. identifies the country of origin as the United States.

  4. The CloudGuard Security Gateway allows or drops the connection based on the policy.

Use Case 2

  1. A user is located in Dallas (USA), and the client opens a direct connection to the External Load Balancer.

    The Load Balancer forwards the UserA's connection to one of the Check Point CloudGuard Network Security Gateways and leaves the UserA's source IP address unchanged.

    The IPS Geo protection on the CloudGuard Security Gateway identifies the country of origin as the United States for the UserA's connection.

  2. UserB is also located in Dallas (USA), and the client uses a proxy server to connect to the External Load Balancer.

    The proxy adds an X-Forwarded-For HTTP header to the UserB's connection with the IP address of the UserB's client in Dallas.

    The Load Balancer forwards the connection to one of the Check Point CloudGuard Network Security Gateways.

    The IPS Geo protection on the CloudGuard Security Gateways identifies the country of origin as the United States for the UserB's connection.

  3. The CloudGuard Security Gateway allows or drops the connections based on the policy.