The Enable Deny Page option for Geolocation on outgoing policies

What is the implication of having the "Enable Deny Page" option selected for policies which allow outgoing traffic?
Is this option ignored for outgoing traffic?
Does "inbound" below mean from an External interface?

From the docs:
In Fireware v12.8 or higher, you can choose whether inbound traffic that Geolocation denies receives a deny page.

Best Answer

  • james.carson (Moderator, WatchGuard Representative)

    Hi Bruce,

    This only works for inbound traffic (if you are bringing traffic in from a source other than an external zone, it'll just ignore it.)

    The only implication I can think of from the firewall itself is that the deny pages take resources to generate, so if you're having to generate an excessive number of deny pages it might be better to just not. Some customers may also consider it a security issue as it basically discloses what type of policy you're using to deny the user.

    -James Carson
    WatchGuard Customer Support
