Geo Policy
What can I do here?
In this window you can:
- Set the activation mode
- Create a traffic policy for specified countries
- Define a policy to accept or drop traffic for all other countries
Getting Here - Security Policies > Shared Policies > Geo Policy > Policy
Understanding Geo Policy
Note - This protection:
- Is enforced only by Gateways of version R70.20 and above.
- Requires a valid IPS contract and a Software Blade license for each Security Gateway that enforces Geo Protection, and for the Security Management Server.
Country information is derived from IP addresses in the packet by means of an IP-to-country database. Private IP addresses are always allowed unless the other side of the connection is explicitly blocked. Check Point control connections (such as between Security Gateways and the Security Management Server) are always allowed, regardless of the Geo Protection policy.
Geo Policy Options
- . Set the Geo Policy mode as active, monitor only, or inactive.
- . For countries that are not in this list, the applies.
- Configure settings that are specific to this country and are different than the .
- If From Country or To Country is selected, connections in the other direction are handled according to the .
- Either Accept or Drop.
- Any setting other than None generates a log for every connection that is tracked by this protection. If a connection matches two rules, the first rule is logged.
- .
- Applies to countries and directions for which no has been defined. This policy also applies to IP addresses that are not country-specific.
- Either Accept or Drop.
- Choose a tracking option that applies to all other countries.
- Turn log aggregation on or off for the Geo Policy enforcement. Geo Policy logs are aggregated by default. Turning off log aggregation may result in a significant increase in the number of generated logs, and in increased CPU utilization on the Security Gateway.
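The decision logic described under Understanding Geo Policy and in the options above, modelled as an added Python sketch (not Check Point code, and not part of the original page). The country codes AA and BB, the IP-to-country table, the direction labels "from", "to" and "both", and all function names are constructed for illustration. Two readings are assumptions: "explicitly blocked" is taken to mean a per-country Drop rule rather than the other-countries default, and between two public addresses a Drop verdict on either side drops the connection.

```python
import ipaddress

# Constructed sample data: documentation ranges stand in for real country allocations.
GEO_DB = {"198.51.100.0/24": "AA", "203.0.113.0/24": "BB"}
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Per-country rules: country -> (direction, action). Direction labels are this sketch's own.
RULES = {"AA": ("from", "drop"), "BB": ("to", "accept")}
OTHER_COUNTRIES = "accept"   # policy for countries and directions with no rule


def _in(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def classify(ip):
    """Return 'private', a country code, or None for a non-country-specific address."""
    if _in(ip, RFC1918):
        return "private"
    for net, country in GEO_DB.items():
        if _in(ip, [net]):
            return country
    return None


def endpoint_verdict(ip, role, rules, default):
    """Return (action, explicit) for one side; role is 'from' (source) or 'to' (destination)."""
    where = classify(ip)
    if where == "private":
        return ("accept", False)
    rule = rules.get(where)
    if rule and rule[0] in (role, "both"):
        return (rule[1], True)           # a country rule covers this direction
    return (default, False)              # other direction, other country, or unknown IP


def decide(src, dst, rules=RULES, default=OTHER_COUNTRIES):
    sides = [endpoint_verdict(src, "from", rules, default),
             endpoint_verdict(dst, "to", rules, default)]
    if ("drop", True) in sides:
        return "drop"                    # assumption: "explicitly blocked" = per-country Drop rule
    if "private" in (classify(src), classify(dst)):
        return "accept"                  # private addresses are otherwise always allowed
    # Assumption: with two public endpoints, a drop verdict on either side drops the connection.
    return "drop" if ("drop", False) in sides else "accept"
```

Running candidate rules through a model like this before installing the policy shows which direction a From Country or To Country rule leaves to the default policy.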