ilya
Comet
2 months ago

IPS Whitelist GEO_RESTRICTION using domain name

Is there going to be an option in the future to whitelist geoblock IPS using a domain name? Currently only IP addresses affect geo_restriction, so, whitelisting all Microsoft servers in India is a bit like playing whack-a-mole. You can add a domain, but it throws an error (see screenshot below).

 

  • Hi ilya,

    This is an interesting point.
    Would you share the reason to whitelist the domain from geoblock IPS?
    Are you whitelisting the access of the domain (microsoft[dot]com) for certain/selected countries?

    Thank you and Happy Holidays.

    • ilya
      Comet

      The reason is because the alternative would be to create subnet lists for every CIDR block that Microsoft has because they don't separate their CIDR blocks by country. The IP Ranges would just keep growing with every CIDR block discovered (see my screenshot list of IP Ranges below). Is there a better way to do this since geoblock requires specific IP addresses/IP address ranges?

       

      • michaelsaw
        Cato Employee

        Hi ilya, 

        I see.
        Do you mean you want to only allow/whitelist Microsoft IP addresses from India?
        And block/blacklist Microsoft traffic to/from other countries/regions, such as US, Europe, Asia?

        Thank you

  • Hi Ilya,

    If you intend to whitelist outbound traffic, a better strategy would be to use the internet firewall for outbound geo-restriction while using the IPS for inbound geo-restriction. You could create a rule with all the Microsoft Apps AND country India while another rule could allow/block outbound traffic to other countries. 

    Thanks

  • waleed, correct me if I'm wrong, but I think traffic passes through IPS before hitting any Cato firewall. So, even if there was a firewall rule, the geoblock would still be in effect. You would have to modify the IPS rule to only block inbound and then you'd have a bunch of traffic getting past IPS. It would probably work if IPS is modified, but it would introduce more risk than I'm willing to accept.

    • waleed
      Comet

      Ilya, modifying the IPS rule to only apply geo_restriction to inbound traffic does not bypass outbound traffic from IPS. It will simply not block outbound traffic based on the IPS signature of "geo_restriction". IPS will continue to scan all the traffic inbound and outbound.

      • ilya
        Comet

        waleed, right, what I mean is, I still want the geoblock in effect for everything else going to India. Removing outbound for an entire country for one vendor isn't really the solution I was looking for. Cato can just update their product to whitelist a domain for geo_restrictions and we'll just put an RFE in for that. Why would you change such a large IPS behavior (i.e. removing outbound geo_restriction for a country) just for a single vendor choosing to send some of your traffic to India?