Nice feature and great explanation as always.
Thank you! :)
From R81 it's actually possible to use the dynamic objects like this within NAT rules as well.
World IT Security Admins 😊
Sweden IT Security Admins ☠
Just kidding. Thanks for these great videos man!
Glad you like them!
I can see that this new approach using updatable objects can be far more flexible, with better control of exceptions by using layered rules etc.
But how is the performance compared to the "old" way of doing geo policy? As I understand it, one of the advantages of using geo policy is that it is checked much earlier than the security policy.
I have adopted this updatable objects approach for one of the environments I am managing due to a bug in the traditional way on my system.
And I am now contemplating changing from the old way on a new environment I'm in the process of building, even though this is not affected by the same bug.
What's your two cents?
If it's just minor differences in performance, I can see the advantages of updatable objects outweighing the disadvantage of a slight performance decrease.
When it comes to geoblocking I agree the old way is better in pure performance.
As you say, the rule order for geo policy is much higher; geo policy will be checked before the firewall starts to process normal rules.
So the traffic will be killed a lot earlier than by the normal firewall rules, so for performance that's better.
One big difference is that the old way did require the IPS blade to be activated. I am not sure if it still does. IPS takes performance as well.
The updatable objects do not require IPS or an IPS license, and they give much more flexibility.
If you don't need that flexibility, just want to drop traffic to/from specific origins, and already use IPS, the old way is better.
Thanks for watching and commenting, always nice to get some feedback :)
Regards,
Magnus
Hi Magnus,
I didn't find the shared policy tab for geo policy on my SmartConsole. Does it require something to be enabled?
What version are you running today? In older versions IPS was used for geo blocking.
Excellent Magnus 👍👍👍.
Please make a video on management and gateway cluster configuration.
It's included in the CCSA playlist :)
@MagnusHolmberg-NetSec Thanks for your response 🙏🙏🙏
Hello, Magnus.
Excellent video. Congratulations on it.
One query, please. It is the first time that I need to implement a GEO POLICY for a team that we have in production. Is it advisable to do this through the SHARED POLICIES -> GEO POLICY section itself, or is it better to do it through ACCESS CONTROL -> POLICY? In the video, I understood that those were the 2 ways we had to implement this type of service. Which of the two would you recommend?
Because I am right now trying to block connections to and from CHINA, but even in my SmartCenter I still see that there are attempts to connect to my computer. I have a distributed environment (SMARTCENTER + GATEWAY), and I am trying directly from the GEO POLICY section.
Would you have any recommendation to give me, please?
Thanks for your videos.
Regards.
To use the new way (Access Control -> Policy) you do need to have R80.20 or higher on the GW.
But the benefit of this one is that you no longer need a license for geo blocking.
The old way (geo policy) you do need to enable IPS, and you do need a license for IPS to use it.
I would use the new way as it gives more flexibility and doesn't require a license etc. for it.
@MagnusHolmberg-NetSec
Thanks for your reply, my friend.
I enabled my configuration using GEO POLICY, and while I could see that it blocks many incoming connections from the country of CHINA, I still see "several connection attempts" that "pass" as allowed.
Do you think that this small security "breach" will be corrected if I use the new method, doing it through a security rule?
Thank you very much for all your help.
I would recommend checking this post on the CheckMates community.
community.checkpoint.com/t5/Management/GEO-policy-don-t-work/td-p/83954