The FW needs to see the IP before geoblock can be applied
Under Monitor > Logs > GlobalProtect, filter on:
( stage eq 'login' ) and ( status eq 'success' )
Also
Network > Gateways, click on the "Remote Users" link on the right
There is also the option to create the NAT for the GP IP only for the allowed geolocations
Have a general security rule with geoblock to/from any, action deny
Have a security rule to allow access to the GP IP only from the approved countries
Set the countries up in the GP config (portal / gateway)
Configure the geoblock on any 2FA service you might be using as well, as another line of defence
Enable the Palo Alto EDL blocks, dynamic threats etc., and strict IPS
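
An added example, not part of the original notes: a Python check over an exported GlobalProtect log that applies the same login/success filter as above and flags logins from outside the approved countries, or from an address the firewall could not geolocate. The CSV column names, the approved-country set and the sample rows are constructed assumptions, not the exact PAN-OS export format.

```python
import csv
import io
import ipaddress

# Assumption: countries approved for GlobalProtect access (constructed values).
APPROVED = {"GB", "IE"}

# Source ranges with no usable geolocation: RFC 1918 and RFC 6598 (CGNAT).
# Seeing these means the firewall is not seeing the client's real public IP.
NON_GEO = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample export; column names are assumptions.
SAMPLE_LOG = """\
time,stage,status,user,public_ip,region
2024-05-01 08:01:12,login,success,alice,198.51.100.7,GB
2024-05-01 08:03:40,login,failure,bob,203.0.113.50,BR
2024-05-01 08:05:02,login,success,carol,203.0.113.99,BR
2024-05-01 08:07:31,login,success,dave,10.20.30.40,
2024-05-01 08:09:15,logout,success,alice,198.51.100.7,GB
2024-05-01 08:11:48,login,success,erin,198.51.100.23,ie
"""

def classify(row, approved=APPROVED):
    """Return 'ok', 'outside-approved' or 'no-geo' for one log row."""
    try:
        ip = ipaddress.ip_address(row["public_ip"].strip())
    except ValueError:
        return "no-geo"              # missing or malformed address
    if any(ip in net for net in NON_GEO):
        return "no-geo"              # private/CGNAT source, geoblock cannot apply
    region = row["region"].strip().upper()
    if not region:
        return "no-geo"
    return "ok" if region in approved else "outside-approved"

def audit(log_text, approved=APPROVED):
    """List (user, public_ip, verdict) for successful logins that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Same condition as: ( stage eq 'login' ) and ( status eq 'success' )
        if row["stage"] != "login" or row["status"] != "success":
            continue
        verdict = classify(row, approved)
        if verdict != "ok":
            findings.append((row["user"], row["public_ip"], verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```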