Country Blocking

(Mike) #1

Curious if anyone has any experience or feedback on country based blocks. We are considering blocking traffic to Russia, China, Cuba, North Korea, etc. We don’t have offices in these countries. Has anyone else implemented this and if so do you have any best practices? Looking at our traffic over the past month, we definitely see a fair amount of transactions with China and Russia where the URL category is Internet Services so I’m concerned of any potential business impact due to any Internet infrastructure hosted there.

Follow up question. I’m doing my reporting in our SIEM but does Zscaler provide any native reporting on GEO IP?

(Yogi Chandiramani) #2


The country field is part of the firewall logs.
This would require the advanced firewall license.

(Nick Morgan) #3

From past experience overly aggressive country blocking within the Advanced Threat Protection section can have unintended impacts to business applications. A surprising amount of applications are hosted in countries you might not expect.

Certainly it could make sense to apply blocking to embargoed countries but I would be wary of widening too far because it is a very crude method for applying security, you may end up needing to apply lots of exceptions - which ends up bypassing security scanning for the URLs that you bypass from this feature…which is clearly a bad idea.

Better to trust in Zscaler’s ability to apply malware and advanced threat protection to the actual content of every web transaction where real threats can be picked up inline using multiple detection techniques. For example part of the advanced threat protection capability is the PageRisk calculation that is carried out on every transaction - if content is being hosted in more ‘risky’ countries this will increase the risk scoring…


(Pablo Smiraglia) #4

also notice that country blocks happen before whitelisting, so creating
exceptions for fqdns in a blocked country is a challenge. I had issues with
a customer that blocked a few countries and created hard to troubleshoot
problems with O365.


(Mike) #5

Good feedback. Thanks!

(Mike) #6

I’m not sure I follow. All the documentation I’ve read indicates that country base blocks occur later. Security Exceptions should be the first policy enforced.

(Nick Morgan) #7

Suspicious Destinations Protection (Country based blocking) within the
Policy > Web > Security > Advanced Threat Protection do occur very early on
(there is a GEO IP lookup on the destination). This only applies to
outbound web traffic.

Additionally ‘Security Exceptions’ (within the Security policy section)
which would be required to bypass any URLs from a country that had been
blocked by this feature also occur very early on.Placing a URL into a
whitelist ‘Allow’ within the Access Control > URL policy would not be
effective at bypassing this.

Country based blocking across all ports & protocols is also achievable
through the Advanced Firewall module (if you have subscribed to that).
Exception handling for firewall policies can be dealt with in a much more
granular fashion within the Advanced Firewall module so may well be
worthwhile considering here since these bypasses don’t necessarily prevent
security scanning from occurring (assuming it is a traffic protocol that
can be security scanned by Zscaler).

Does that clear things up?

(Mike) #8

I should have clarified that we are only using Z-App at this time so my questions are around functionality and issues related to web traffic.

Understood on the difference between setting the exceptions in the Security Policy section vs. Access Control.

(Nick Morgan) #9

Ok glad to have clarified that element.

For what it’s worth any traffic (including web or ZApp traffic) will be
subject to the your firewall policy…it’s just that web traffic gets a lot
of extra inspection :slight_smile:

From the link you provided earlier:

When the ZEN receives outbound web traffic from your organization to the Internet:
1. It sends the traffic to its web module for policy evaluation. If the traffic violates a web policy, it blocks the transaction.
2. If the traffic does not violate any web policies, it sends the traffic to the firewall module for policy evaluation.
3. If the traffic violates a firewall policy, it blocks the transaction. If the traffic does not violate any firewall policies, it allows the traffic to the Internet.

(Mike) #10

I thought that Firewall Control/policy was only applicable to locations that it had been enabled for? Since there isn’t a location associated with Z-App users, the firewall policy doesn’t apply?

(Nick Morgan) #11

You are correct the firewall policy will only be applied for traffic coming from office locations with firewall policy enabled - sorry for the confusion.

(Rodney Arthur) #12

I want the option to be able to able to block a country, but then allow specific access to specific sites. For example, if I wanted to block Belgium, but there was a site that the company wanted to access, there should be an option to create an exception list for those types of sites.

(Nick Morgan) #13

Hi RodA,
A colleague has highlighted an Enhancement Request that has been submitted to enhance the exception handling around country blocking. The ER number is: ER-4216

If you raise a support case and provide the details of your requirements your company name can be added to the ER.