I am curious about the countries or geolocations that are blocked by default when turning on this feature. A customer was asking why Chile is blocked (for example). The TLD is included in the geolocation default list (*.cl, Chile sites, or geolocation from Chile).
I understand there are many countries outside of the US that are known threat sources, Russia, China and some other well-known locations for security threats. It makes sense to blanket block those.
Is there a specific reason Chile is included by default?
Neither TLD- nor geolocation-blocking is active by default on Web Gateway. Are you talking about Web Gateway on premise or the Cloud Service? Do you have a custom ruleset policy?
The default ruleset for Web Gateway on premise has a Web Reputation and URL Category filter active; was the site blocked by one of them? You can check it with rule tracing.
That is correct, it is not turned on by default. But if you do turn it on, the list provided as standard for the Gateway by McAfee (Trellix, Skyhigh) has a list of included geolocations to block. In that list .CL is included.
Can you provide the list or the rule that you're referring to? Maybe a screenshot?
I don't have such a list 🙂
It can be US specific.
Do you mean Lists > add List > list content is managed remotely > Skyhigh Security Supplied list ?
OK, found it under Rule Set Library > URL Filter > Geolocation. This ruleset contains an empty list called "Geolocation: Blocked Countries" with the comment "This is an arbitrary list of blocked countries. Please enter the country code in ISO 3166 notation."
The list is empty. This is a fresh 12.0.0-42686 install. You may have an older version, or the ruleset comes from an older version.
Based on the comment, it seems like somebody at McAfee just chose some countries arbitrarily as an example.
See attached screenshot.
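The thread turns on the difference between a TLD rule (*.cl) and a geolocation rule keyed by ISO 3166-1 alpha-2 codes: a .cl site hosted in the US is caught by the first but not the second, and a .com site hosted in Chile the other way round. The following is an added example, not code from the thread or from the Skyhigh/Trellix product; the GeoIP table, the RFC 5737 address blocks and their country assignments are constructed for the example, and the functions (normalize_country_list, lookup_country, tld_blocked, geo_blocked, trace) are hypothetical names that only mimic what rule tracing reports.

```python
import ipaddress
from typing import Optional

# Constructed sample geolocation table: network -> ISO 3166-1 alpha-2 code.
# The address blocks are documentation ranges (RFC 5737); the country
# assignments are invented for this example and are not real allocations.
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "CL",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
}


def normalize_country_list(raw_entries):
    """Turn user-supplied entries into a set of ISO 3166-1 alpha-2 codes.

    Only the shape is checked (two ASCII letters); this does not verify that
    the code is actually assigned. Entries such as 'Chile' or '.cl' are
    rejected so a TLD does not silently end up in a geolocation list.
    """
    codes = set()
    for entry in raw_entries:
        code = entry.strip().upper()
        if len(code) != 2 or not code.isascii() or not code.isalpha():
            raise ValueError(f"not an ISO 3166-1 alpha-2 code: {entry!r}")
        codes.add(code)
    return codes


def lookup_country(ip: str) -> Optional[str]:
    """Return the alpha-2 code for the server IP, or None if not in GEO_DB."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEO_DB.items():
        if addr in net:
            return code
    return None


def tld_blocked(host: str, blocked_tlds) -> bool:
    """TLD rule: match on the label after the last dot of the hostname."""
    tld = host.rstrip(".").rsplit(".", 1)[-1].lower()
    return tld in {t.lstrip(".").lower() for t in blocked_tlds}


def geo_blocked(ip: str, blocked_countries, block_unknown: bool = False) -> bool:
    """Geolocation rule: match on the country of the server IP, not the TLD.

    An IP missing from the database has no country; whether that should
    block is a policy decision, so it is an explicit parameter here.
    """
    country = lookup_country(ip)
    if country is None:
        return block_unknown
    return country in blocked_countries


def trace(host: str, ip: str, blocked_tlds, blocked_countries) -> dict:
    """Rule-tracing style summary: which rule (if any) blocks the request."""
    by_tld = tld_blocked(host, blocked_tlds)
    by_geo = geo_blocked(ip, blocked_countries)
    return {
        "host": host,
        "server_ip": ip,
        "server_country": lookup_country(ip),
        "blocked_by_tld": by_tld,
        "blocked_by_geo": by_geo,
        "blocked": by_tld or by_geo,
    }


if __name__ == "__main__":
    geo_list = normalize_country_list(["cl", " RU "])
    tld_list = [".cl"]
    # A .cl site hosted in the US: caught by the TLD rule only.
    print(trace("www.example.cl", "198.51.100.10", tld_list, geo_list))
    # A .com site hosted in Chile: caught by the geolocation rule only.
    print(trace("www.example.com", "203.0.113.5", tld_list, geo_list))
    # A .com site at an address not in the table: neither rule fires.
    print(trace("www.example.com", "10.0.0.1", tld_list, geo_list))
```

The two things worth checking on a real deployment follow from this: whether the "Blocked Countries" list actually contains alpha-2 codes rather than TLDs or country names, and what the policy does for addresses the geolocation database cannot place, since that default decides whether unclassified traffic is allowed or blocked.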
Honestly, I do not think that the list is arbitrary. I believe it is based on data that at some point determined the included locations were significant threat sources. Russia, China, Côte d'Ivoire (419 scam phish origin) and many others in the list make great sense to block, as they continue to be high on the list of threat, malware, scam and other attack origins.
It sure would be great if someone from the Vendor provided some feedback on this.
But I appreciate your research.