Forum Discussion
waleed: Correct me if I'm wrong, but I think traffic passes through IPS before hitting any Cato firewall. So, even if there was a firewall rule, the geoblock would still be in effect. You would have to modify the IPS rule to only block inbound and then you'd have a bunch of traffic getting past IPS. It would probably work if IPS is modified, but it would introduce more risk than I'm willing to accept.
Ilya, modifying the IPS rule to only apply geo_restriction to inbound traffic does not bypass outbound traffic from IPS. It will simply not block outbound traffic based on the IPS signature of "geo_restriction". IPS will continue to scan all the traffic inbound and outbound.
- ilya, 2 months ago, Comet
waleed: Right, what I mean is, I still want the geoblock in effect for everything else going to India. Removing outbound for an entire country for one vendor isn't really the solution I was looking for. Cato can just update their product to whitelist a domain for geo_restrictions and we'll just put an RFE in for that. Why would you change such a large IPS behavior (i.e. removing outbound geo_restriction for a country) just for a single vendor choosing to send some of your traffic to India?
- waleed, 2 months ago, Comet
Domain/App bypass in the IPS GeoBlock would be great, agreed. However, even with the existing tool set, you can still accomplish what you are intending using the Internet Firewall rules for outbound geo restriction to India. You can essentially accomplish the same geoblock via the Internet Firewall.
Your 2 new Internet Firewall rules will look like this:
Rule#1: If traffic is Microsoft domain or all predefined MS apps AND country is India: Action Allow
Rule#2: All other traffic to country India: Action Block
At the end of the day, both the Inet FW and IPS will accomplish the same outbound geo restriction task.
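As an added example (not Cato's code and not from this thread), here is a small first-match evaluator for an ordered rule list shaped like the two Internet Firewall rules above. Top-down first-match evaluation with an implicit allow at the end is assumed, and the Microsoft domain list, country code and sample flows are constructed placeholders.

```python
# Added example: ordered, first-match rule evaluation for an outbound geo
# restriction with a vendor allowlist. Assumptions: rules are evaluated
# top-down, first match wins, and unmatched traffic falls through to "allow".
from dataclasses import dataclass, field

# Constructed stand-in for "Microsoft domain or all predefined MS apps".
MS_DOMAINS = ("microsoft.com", "office.com", "outlook.com")


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    countries: set = field(default_factory=set)   # empty set = any country
    domains: tuple = ()                           # empty tuple = any domain

    def matches(self, country: str, domain: str) -> bool:
        if self.countries and country not in self.countries:
            return False
        if self.domains:
            # Exact or proper-subdomain match only; "microsoft.com.attacker.example"
            # must NOT match, which a naive substring check would get wrong.
            ok = any(domain == d or domain.endswith("." + d) for d in self.domains)
            if not ok:
                return False
        return True


# Order is the whole point: the vendor allow must sit above the country block.
RULES = [
    Rule("Rule#1 MS apps to India", "allow", {"IN"}, MS_DOMAINS),
    Rule("Rule#2 block all other India", "block", {"IN"}),
]


def evaluate(rules, country: str, domain: str, default: str = "allow"):
    """Return (action, rule_name) of the first matching rule, else the default."""
    for r in rules:
        if r.matches(country, domain):
            return r.action, r.name
    return default, "implicit-default"


if __name__ == "__main__":
    # Constructed sample flows: destination country code and destination domain.
    for country, domain in [("IN", "outlook.office.com"), ("IN", "example.net"),
                            ("US", "example.net"), ("IN", "microsoft.com.attacker.example")]:
        print(country, domain, "->", evaluate(RULES, country, domain))
    # Reversing the order silently breaks the vendor exception.
    print("reversed:", evaluate(list(reversed(RULES)), "IN", "outlook.office.com"))
```

Running it with the rules reversed shows the vendor traffic being blocked, which is the ordering mistake to check for when building the two rules.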