Geo Policy

What can I do here?

In this window you can:

  • Set the activation mode

  • Create a traffic policy for specified countries

  • Define a policy to accept or drop traffic for all other countries

Getting Here - Security PoliciesClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. > Shared Policies > Geo Policy > Policy

Understanding Geo Policy

Note - This protection:

Country information is derived from IP addresses in the packet by means of an IP-to-country database. Private IP addresses are always allowed unless the other side of the connection is explicitly blocked. Check Point control connections (such as between Security Gateways and the Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.) are always allowed, regardless of the Geo Protection policy.

Geo Policy Options

  • Activation Mode. Set the Geo Policy mode as active, monitor only, or inactive.

  • Policy for Specific Countries. For countries that are not in this list, the Policy for Other Countries applies.

  • Policy for other countries.

    • Policy for Other Countries: Applies to countries and directions for which no Policy for Specific Countries has been defined. This policy also applies to IP addresses that are not country-specific.

    • Action: Either Accept or Drop.

    • Track: Choose a tracking option that applies to all other countries.

    • Additional Settings: Turn log aggregation on or off for the Geo Policy enforcement. Geo Policy logs are aggregated by default. Turning off log aggregation may result in a significant increase in the number of generated logs, and in increased CPU utilization on the Security Gateway.