A customer wants to completely block sites based on both regional domain extension and geolocation, because the Geolocation feature alone has not been sufficient.
Some regional sites are still reachable after blocking country extensions.
- To use GEO-IP blocking, make sure that your license includes the Intelligence Services add-on, which contains the Geolocation feature.
- Check under Proxy > Administration > Data & Cloud Services > Geolocation that the service is enabled and has fetched the latest updates.
- Go to Web VPM and create a new CPL Layer, or add the CPL code below to an existing one. Note that the rule must be placed according to Policy Order: if a previous rule allows access to sites whose destination is in a blocked GEO-IP country, those sites will remain accessible. It is recommended to put the CPL layer above any Web Access Layer so that this rule is enforced as a priority.
; ############ GEO Location Blocking rule #################
; List the exceptions that would be allowed to bypass GEO-IP restriction (remove the ; for rule to be effective)
; <proxy>
; ALLOW url.domain=//domain.name/
; Add the ISO 3166-1 destination country codes that should be blocked
<proxy>
supplier.allowed_countries[RU,PK,CN] (deny)
; ############ GEO Location Blocking rule end #############
PLEASE NOTE: The Geolocation feature relies on the MaxMind Geo IP database. ProxySG checks the DNS-resolved IP address of the destination against the Geo-IP database and, if the server is located in a restricted country, blocks access to it.
EXAMPLE:
- If a site with a country extension is still reachable, the server hosting that site is located in another country, so the request bypasses the GEO-IP restriction.
EXAMPLE: <domain>.ru, <domain>.cn, <domain>.pk (domains relate to the country chosen earlier)
- To prevent this, add a CPL rule for the domain extensions in addition to the rule created previously:
; #### BLOCK URL EXTENSIONS
<Proxy>
condition=blockurlextensions DENY
define condition blockurlextensions
url.domain=.ru
url.domain=.pk
url.domain=.cn
end
; #### BLOCK URL EXTENSIONS END
- Which rule a blocked site matched can be verified with a Policy Trace.
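
The following Python sketch is an added illustration, not part of the original article and not ProxySG code. It models how the geolocation rule and the URL-extension rule combine, using constructed hostnames and server countries; the function names and the exception entry are assumptions.

```python
BLOCKED_COUNTRIES = {"RU", "PK", "CN"}   # ISO 3166-1 codes from the geo rule
BLOCKED_TLDS = {"ru", "pk", "cn"}        # extensions from the URL rule
EXCEPTIONS = {"partner.example.cn"}      # constructed allow-list entry (assumption)


def normalize(host):
    """Lower-case the host and drop surrounding space and a trailing root dot."""
    return host.strip().lower().rstrip(".")


def domain_matches(host, domain):
    """True if host equals domain or is a subdomain of it (label boundary)."""
    return host == domain or host.endswith("." + domain)


def evaluate(host, server_country):
    """Return (verdict, reason); server_country is the geo lookup result or None."""
    host = normalize(host)
    if any(domain_matches(host, d) for d in EXCEPTIONS):
        return ("ALLOW", "exception")
    # Geo rule: looks only at where the resolved server IP is located.
    if server_country and server_country.upper() in BLOCKED_COUNTRIES:
        return ("DENY", "geo")
    # Extension rule: looks only at the last label of the hostname.
    if host.rsplit(".", 1)[-1] in BLOCKED_TLDS:
        return ("DENY", "extension")
    return ("ALLOW", "no match")


# Constructed samples: (host, country reported for the hosting server)
SAMPLES = [
    ("shop.example.ru", "RU"),     # hosted in-country: geo rule is enough
    ("news.example.ru", "DE"),     # ccTLD hosted abroad: only the extension rule fires
    ("cdn.example.com", "CN"),     # generic TLD hosted in a blocked country
    ("guru.example.com", "US"),    # contains "ru" but not as the extension
    ("partner.example.cn", "CN"),  # listed exception
    ("Mirror.Example.PK.", None),  # no geo answer, mixed case, trailing dot
]


def run():
    """Evaluate every constructed sample and return {host: (verdict, reason)}."""
    return {host: evaluate(host, country) for host, country in SAMPLES}


if __name__ == "__main__":
    for host, (verdict, reason) in run().items():
        print(f"{host:22} {verdict:5} {reason}")
```

The `news.example.ru` row is the case described above: the geo rule alone allows it, and only the extension rule denies it.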