Before a geoblock can be applied the firewall needs to see which source IPs your GP users actually come from. Check under Monitor > Logs > GlobalProtect with the filter
( stage eq 'login' ) and ( status eq 'success' )
Also
Network > GlobalProtect > Gateways, click the "Remote Users" link on the right to see who is currently connected and from where
There is also the option to create the NAT for the GP public IP only for the allowed geo locations, so traffic from everywhere else never gets translated
Have a general security rule with the geoblock: to/from the blocked regions, any zone, deny
Have a security rule that allows access to the GP public IP only from the approved countries
Set the countries up in the GP config (portal / gateway)
Configure the geoblock on any 2FA/MFA provider you might be using as well, as another line of defence
Enable the Palo Alto predefined EDL blocks (known malicious / high-risk IPs) and the dynamic threat updates, and use a strict IPS / vulnerability profile
***
GP allow initial IKE/IPsec connections (UDP 500 = IKE, UDP 4500 = NAT-T, UDP 4501 = GP IPsec)
You can geoblock by source here too (e.g. source IE), but be careful about your S2S VPNs: peers in other countries would be cut off, so put a rule for all S2S peer IPs in front of it
outside > outside
D: x.x.x.x (GP public IP)
service: UDP 500, UDP 4500, UDP 4501
action: allow

GP allow IE users
outside > outside
S: region IE (approved countries)
D: x.x.x.x (GP public IP)
apps: ike, ipsec-esp, ipsec-espudp, panos-global-protect, ssl, web-browsing
action: allow

Block everything else to the GP IP
outside > outside
S: any
D: x.x.x.x (GP public IP)
apps: any, service: any
action: deny
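To sanity-check the ordering above before committing it, here is a small first-match rule-base walk-through I added for this post. It is not Palo Alto code and not an export from the firewall; the IPs, the S2S peer list and the tiny GeoIP table are all constructed stand-ins for x.x.x.x, your real peers and the firewall's GeoIP database, and the App-ID names are taken as listed above. It shows the S2S caveat directly: with the peer IPs pinned in rule 1 a peer in a non-approved country still gets through, and with rule 1 geoblocked by source instead, the same peer drops to the deny rule.

```python
"""First-match walk-through of the three GP rules (added example, not firewall code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-ins: documentation ranges instead of the real x.x.x.x and real peers
GP_PUBLIC_IP = "203.0.113.10"
S2S_PEERS = {"198.51.100.7", "198.51.100.8"}
APPROVED_REGIONS = {"IE"}

# Constructed GeoIP table (the firewall uses its own GeoIP database for region objects)
GEO_TABLE = {
    "192.0.2.0/24": "IE",
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "GB",
}

# App-ID names as listed in the post; service ports for the first IKE/IPsec rule
GP_APPS = {"ike", "ipsec-esp", "ipsec-espudp", "panos-global-protect", "ssl", "web-browsing"}
IKE_SERVICES = {("udp", 500), ("udp", 4500), ("udp", 4501)}


def region_of(ip: str) -> str:
    """Country code for an address from the constructed table, 'unknown' if not listed."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "unknown"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int
    app: str     # App-ID the firewall has identified for the session


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    dst: Optional[Set[str]] = None           # None means any
    src_ips: Optional[Set[str]] = None
    src_regions: Optional[Set[str]] = None
    services: Optional[Set[Tuple[str, int]]] = None
    apps: Optional[Set[str]] = None

    def matches(self, pkt: Packet) -> bool:
        """Every populated field must match; unset fields mean 'any'."""
        if self.dst is not None and pkt.dst not in self.dst:
            return False
        if self.src_ips is not None and pkt.src not in self.src_ips:
            return False
        if self.src_regions is not None and region_of(pkt.src) not in self.src_regions:
            return False
        if self.services is not None and (pkt.proto, pkt.dport) not in self.services:
            return False
        if self.apps is not None and pkt.app not in self.apps:
            return False
        return True


RULEBASE = [
    # Rule 1: pinned to the S2S peer IPs, so a peer in a blocked country still works
    Rule("GP allow initial IKE/IPsec connections", "allow", dst={GP_PUBLIC_IP},
         src_ips=S2S_PEERS, services=IKE_SERVICES),
    # Rule 2: approved region(s) only, app-based
    Rule("GP allow IE users", "allow", dst={GP_PUBLIC_IP},
         src_regions=APPROVED_REGIONS, apps=GP_APPS),
    # Rule 3: everything else aimed at the GP IP
    Rule("Block everything else", "deny", dst={GP_PUBLIC_IP}),
]

# The caveat from the post: geoblocking rule 1 by source region instead of listing peers
RULEBASE_GEO_ON_RULE1 = [
    Rule("GP allow initial IKE/IPsec connections (geo)", "allow", dst={GP_PUBLIC_IP},
         src_regions=APPROVED_REGIONS, services=IKE_SERVICES),
] + RULEBASE[1:]


def evaluate(pkt: Packet, rulebase=RULEBASE) -> Tuple[str, str]:
    """Top-down first match; nothing matching falls to the interzone default deny."""
    for rule in rulebase:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "interzone-default", "deny"


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", GP_PUBLIC_IP, "udp", 500, "ike"),          # S2S peer, US
        Packet("198.51.100.9", GP_PUBLIC_IP, "udp", 500, "ike"),          # random US host
        Packet("192.0.2.5", GP_PUBLIC_IP, "tcp", 443, "panos-global-protect"),  # IE user
        Packet("203.0.113.50", GP_PUBLIC_IP, "tcp", 443, "ssl"),          # GB user
    ]
    for p in samples:
        print(p.src, region_of(p.src), evaluate(p), evaluate(p, RULEBASE_GEO_ON_RULE1))
```

The evaluator assumes the App-ID is already known for the session; on the real box the first packets of a session are matched on port/service until App-ID identifies the app, which is exactly why rule 1 is service-based and rule 2 is app-based.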