Geo-blocking VPN

Hi All,

Is there a way to geo-block incoming connections to IKE and SSL VPN?

I tried putting it on the rule, but it seems to block outbound traffic from the VPN.

Comments

  • There is. Firstly, create your Geo-Action; usually for this purpose I create a separate inbound one, aggressive in the number of countries it blocks, then apply it to what I call the “connect” policy on MUVPN. There are two policies: the first (connect) is WatchGuard SSLVPN, which takes the default format of Any-External to Firebox. The second policy, Allow SSLVPN-Users, from SSL VPN users to Any (in its default state), is the “access” policy.

    You need to apply the Geo action to the "connect policy", i.e. the WatchGuard SSLVPN rule.

    For IKEv2, I am not sure in local management, as its connect policy isn’t created when you set up IKEv2 MUVPN: a hidden policy known as IKE to Firebox (which supports the IKEv2 MUVPN and BOVPN setup) already exists as a hidden rule, meaning I am not sure how you would achieve this with local management, as that rule is hidden.

    I am sure there is a way to do it; I have just not attempted it, so I am not 100% sure.
    Note I am referring to local management above; the options are a little different with cloud management.

  • @Devlin_R said:
    For IKEv2, I am not sure in local management, as its connect policy isn’t created when you set up IKEv2 MUVPN: a hidden policy known as IKE to Firebox (which supports the IKEv2 MUVPN and BOVPN setup) already exists as a hidden rule, meaning I am not sure how you would achieve this with local management, as that rule is hidden.

    I am sure there is a way to do it; I have just not attempted it, so I am not 100% sure.
    Note I am referring to local management above; the options are a little different with cloud management.

    For local management, with IKEv2 (note this impacts site-to-site BOVPNs as well), in Policy Manager disable the "Enable built-in IPSec policy" option in VPN > VPN Settings.
    Create an explicit inbound IPSec policy from "Any-External" (or your preferred interface if need be) to "Firebox" and apply the Geolocation action to the same policy.
