All things Palo Alto Networks
I have a Palo Alto with version 9.1.X. I would like to know how to block countries from accessing GlobalProtect VPN, for example country code ML something like
Hi Hulk Bulk!
This can be achieved by creating a security rule that uses "regions" in the source. Create a rule from untrust to untrust, add the regions you do not want to the source, set applications to ssl, ipsec and ike (or 'any') and set the action to drop.
Thank you so much. Now I need to allow GlobalProtect VPN access for some of the countries and want to block the rest of the countries, so I will create a policy allowing them to access the VPN by inserting source countries, then the action set to allow. I want to block the rest of the countries. Here is my question: should I create a second policy and keep the source country as all and the action set to deny, or will the implicit deny work here?
The implicit rule will allow (intrazone is allowed by default), so you want to create a second rule that blocks all other connections.
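
The behaviour described in the last reply, as an added example that is not part of the original thread: a simplified Python model of top-down, first-match rule evaluation with the `intrazone-default` and `interzone-default` rules at the bottom. The rule names and the allowed-country list (US, CA) are constructed for illustration, and the source region is assumed to be already resolved from the client IP.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source_regions: frozenset  # empty set means "any"
    applications: frozenset    # empty set means "any"
    action: str                # "allow" or "drop"

    def matches(self, from_zone, to_zone, region, app):
        return (self.from_zone == from_zone and self.to_zone == to_zone
                and (not self.source_regions or region in self.source_regions)
                and (not self.applications or app in self.applications))

def evaluate(rules, from_zone, to_zone, region, app):
    """Return (rule_name, action) of the first matching rule, top-down."""
    for rule in rules:
        if rule.matches(from_zone, to_zone, region, app):
            return rule.name, rule.action
    # Nothing matched: fall through to the default rules.
    if from_zone == to_zone:
        return "intrazone-default", "allow"   # untrust -> untrust lands here
    return "interzone-default", "deny"

GP_APPS = frozenset({"ssl", "ipsec", "ike"})  # applications named in the thread
ALLOWED = frozenset({"US", "CA"})             # constructed sample country list

# Hypothetical rule names; both rules are untrust -> untrust as in the thread.
allow_rule = Rule("gp-allow-countries", "untrust", "untrust", ALLOWED, GP_APPS, "allow")
block_rule = Rule("gp-block-rest", "untrust", "untrust", frozenset(), frozenset(), "drop")

def verdicts(rules):
    """Evaluate an SSL connection to the portal from an allowed and a blocked region."""
    return {region: evaluate(rules, "untrust", "untrust", region, "ssl")
            for region in ("US", "ML")}

if __name__ == "__main__":
    print("allow rule only:      ", verdicts([allow_rule]))
    print("allow + explicit drop:", verdicts([allow_rule, block_rule]))
```

With only the allow rule, the ML connection falls through to `intrazone-default` and is allowed; the explicit drop rule has to sit below the allow rule, because placing it above would drop the permitted countries as well.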