Remove Geolocation from BOVPN policy?

There doesn't seem to be a way to remove Geolocation from the managed DVCP-BOVPN policies. I had a unit where the subscription expired and couldn't remove it from those policies. I couldn't get into the geolocation screen to turn it off. Editing the policy doesn't let you save the changes. Not sure if it was causing problems or not but it seems like it might be an issue. Now that I do have a subscription, I still can't remove it from those policies unless I turn it off altogether. This is on T30 with Fireware 12.3.1 U1.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi phanaaekIT,

    The Geolocation feature will be ignored if the feature is globally turned off or disabled due to the license expiring. It's the same type of behavior as if you disabled a policy -- all of the checkbox states will be remembered should you ever turn it back on.

    By default, Geolocation turns on for these policies with no restriction to log the origin of non-RFC1918 IPs (Private IPs like 10.x.x.x, 172.16.x.x, and 192.168.x.x are ignored.) So it's intentional that this is on, but it would not block anything.

    The DVCP-BOVPN policies will only govern traffic that is being passed by those managed VPN tunnels. If you're concerned that traffic might be stopped, I'd suggest checking your traffic monitor logs for DENY traffic to/from the IPs that are associated with the VPN. Denied traffic will appear red with the DENY status.

    If you are running into an issue where traffic is being unexpectedly denied, I'd suggest opening a support case so that one of our Reps can take a closer look at the issue with you.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • > The Geolocation feature will be ignored if the feature is globally turned off or disabled due to the license expiring. It's the same type of behavior as if you disabled a policy -- all of the checkbox states will be remembered should you ever turn it back on.

    Thanks for the info. If a policy is disabled, it's greyed out; this isn't the case for the Globe icon when the subscription is expired so I wasn't sure if it was causing a problem or not. Couldn't find anything in the documentation stating that so might be something you'll want to put in there. I don't need Geolocation on my bovpn so I was simply trying to turn it off for better performance as well as troubleshoot the subscription issue.

  • Should a site at the end of a BOVPN have public IP addrs instead of private ones, why should there be any checks for Geolocation ever on that traffic?
