Geo Policy
What can I do here?
In this window you can:
- Set the activation mode
- Create a traffic policy for specified countries
- Define a policy to accept or drop traffic for all other countries
Getting Here - Security Policies
Understanding Geo Policy
Note - This protection:
- Is enforced only by Gateways of version R70.20 and above.
- Requires a valid IPS contract and a Software Blade license for each Security Gateway that enforces Geo Protection, and for the Security Management Server.
Country information is derived from IP addresses in the packet by means of an IP-to-country database. Private IP addresses are always allowed unless the other side of the connection is explicitly blocked. Check Point control connections (such as between Security Gateways and the Security Management Server) are always allowed, regardless of the Geo Protection policy.
Geo Policy Options
- Activation Mode. Set the Geo Policy mode as active, monitor only, or inactive.
- Policy for Specific Countries. For countries that are not in this list, the Policy for Other Countries applies.
  - Country: Configure settings that are specific to this country and are different than the Policy for Other Countries.
  - Direction: If From Country or To Country is selected, connections in the other direction are handled according to the Policy for Other Countries.
  - Action: Either Accept or Drop.
  - Track: Any setting other than None generates a log for every connection that is tracked by this protection. If a connection matches two rules, the first rule is logged.
- Policy for other countries.
  - Policy for Other Countries: Applies to countries and directions for which no Policy for Specific Countries has been defined. This policy also applies to IP addresses that are not country-specific.
  - Action: Either Accept or Drop.
  - Track: Choose a tracking option that applies to all other countries.
- Additional Settings: Turn log aggregation on or off for the Geo Policy enforcement. Geo Policy logs are aggregated by default. Turning off log aggregation may result in a significant increase in the number of generated logs, and in increased CPU utilization on the Security Gateway.
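The decision flow described on this page, as a simplified Python model for reasoning about what a given rule list does to a connection. This is an added example, not Check Point code: the country codes, addresses and IP-to-country table are constructed, and the RFC 1918 reading of "private", the `both` direction value and the rule that the first match decides the action are assumptions.

```python
import ipaddress

# Constructed IP-to-country table using documentation ranges; "AA"/"BB" are placeholders.
GEO_DB = {"198.51.100.0/24": "AA", "203.0.113.0/24": "BB"}
# Assumption: "private" means the RFC 1918 ranges.
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Policy for Specific Countries, in rule order: (country, direction, action).
# direction is "from" or "to"; "both" is an assumed value for a rule covering both.
RULES = [("AA", "from", "drop"), ("BB", "to", "drop")]
OTHER = "accept"  # Policy for Other Countries


def country(ip):
    """Return a country code, "private", or None for an address that is not country-specific."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in PRIVATE):
        return "private"
    for net, cc in GEO_DB.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None


def evaluate(src, dst, rules=RULES, other=OTHER):
    """Return (action, index of the matched rule or None) for one connection."""
    s, d = country(src), country(dst)
    for i, (cc, direction, action) in enumerate(rules):
        if (direction in ("from", "both") and s == cc) or (direction in ("to", "both") and d == cc):
            return action, i  # assumption: the first matching rule decides and is the one logged
    if "private" in (s, d):
        return "accept", None  # private side allowed: the other side is not explicitly blocked
    return other, None  # no country rule matched, or the address is not country-specific


if __name__ == "__main__":
    for src, dst in [("198.51.100.7", "192.168.1.10"), ("192.168.1.10", "198.51.100.7"),
                     ("192.168.1.10", "203.0.113.5"), ("203.0.113.5", "192.0.2.1")]:
        print(src, "->", dst, evaluate(src, dst, other="drop"))
```

With the Policy for Other Countries set to Drop, the second sample connection is still accepted because one side is private and no rule blocks the other side in that direction.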