Geolocation objects in the firewall policy rules let you filter external IPv4 and external IPv6 traffic based on specific geographic locations or regions.
You can apply rules with geolocation objects to ingress and egress traffic. Based on the direction of the traffic, the IP addresses associated with the country codes are matched against the source or destination of the traffic.
You can configure geolocation objects for hierarchical firewall policies, global network firewall policies, and regional network firewall policies.
To add geolocations to the firewall policy rules, use the two-letter country or region codes as defined in the ISO 3166 alpha-2 country codes.
For example, if you want to allow incoming traffic only from the US into the network, create an ingress firewall policy rule with the source country code set to US and the action set to allow. Similarly, if you want to allow outbound traffic only to the US, configure an egress firewall policy rule with the destination country code set to US and the action set to allow. An allow rule by itself only permits the matching traffic; to enforce "only", pair it with a lower-priority deny rule for the same direction that covers all other traffic.

Cloud NGFW also lets you configure firewall rules for the following territories, which are subject to comprehensive US sanctions. These territories have no ISO 3166 alpha-2 code of their own, so Cloud NGFW uses the following assigned codes:

- Crimea: XC
- So-called Donetsk People's Republic and Luhansk People's Republic: XD

If a single firewall rule includes duplicate country codes, only one entry for that country code is retained and the duplicates are removed. For example, the country code list ca,us,us is stored as ca,us.

Google maintains a database of IP address to country code mappings. Google Cloud firewalls use this database to map the source and destination IP addresses of traffic to country codes, and then apply the matching firewall policy rule that contains geolocation objects.
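The following is an added example, not code from the Google Cloud documentation. It wraps the "only from/to the US" rules above in a small Python helper that validates and de-duplicates country codes (ca,us,us becomes CA,US), picks the source or destination flag from the rule direction, and backs each allow rule with a lower-priority deny so that "only" is actually enforced. The flag names are those of `gcloud compute network-firewall-policies rules create`; the function names, the policy name `geo-policy`, the priorities and the port are illustrative assumptions.

```python
import re
import shlex
import subprocess
from typing import Iterable, List, Optional

# Two-letter codes as described on the page: ISO 3166 alpha-2, plus the Cloud NGFW
# assigned codes XC and XD, which are also two letters and so pass the same check.
_TWO_LETTER = re.compile(r"^[A-Z]{2}$")


def normalize_region_codes(codes: Iterable[str]) -> List[str]:
    """Upper-case, validate and de-duplicate country codes, keeping first-seen order.

    Mirrors the documented behaviour that duplicates in one rule are dropped
    (ca,us,us becomes CA,US) and rejects anything that is not a two-letter code
    before it reaches gcloud.
    """
    kept: List[str] = []
    for raw in codes:
        code = raw.strip().upper()
        if not _TWO_LETTER.match(code):
            raise ValueError(f"not a two-letter country code: {raw!r}")
        if code not in kept:
            kept.append(code)
    return kept


def rule_argv(policy: str, priority: int, direction: str, action: str,
              codes: Optional[Iterable[str]] = None,
              ip_ranges: Optional[Iterable[str]] = None,
              layer4: str = "all") -> List[str]:
    """Build the argv for one global network firewall policy rule (hypothetical helper).

    The direction decides which side the filters apply to: ingress rules match
    the source (--src-region-codes / --src-ip-ranges), egress rules match the
    destination (--dest-region-codes / --dest-ip-ranges).
    """
    direction = direction.upper()
    if direction not in ("INGRESS", "EGRESS"):
        raise ValueError("direction must be INGRESS or EGRESS")
    if action not in ("allow", "deny", "goto_next"):
        raise ValueError(f"unsupported action: {action!r}")
    codes = list(codes or [])
    ip_ranges = list(ip_ranges or [])
    if not codes and not ip_ranges:
        raise ValueError("a rule needs at least one source or destination filter")
    side = "src" if direction == "INGRESS" else "dest"
    argv = [
        "gcloud", "compute", "network-firewall-policies", "rules", "create", str(priority),
        f"--firewall-policy={policy}", "--global-firewall-policy",
        f"--direction={direction}", f"--action={action}", f"--layer4-configs={layer4}",
    ]
    if codes:
        argv.append(f"--{side}-region-codes={','.join(normalize_region_codes(codes))}")
    if ip_ranges:
        argv.append(f"--{side}-ip-ranges={','.join(ip_ranges)}")
    return argv


def us_only_ruleset(policy: str) -> List[List[str]]:
    """The page's 'only from/to the US' example, each allow backed by a lower-priority
    (higher number) deny-all so that traffic to or from other countries is blocked."""
    everything = ["0.0.0.0/0", "::/0"]
    return [
        rule_argv(policy, 1000, "INGRESS", "allow", codes=["us"], layer4="tcp:443"),
        rule_argv(policy, 2000, "INGRESS", "deny", ip_ranges=everything),
        rule_argv(policy, 1000, "EGRESS", "allow", codes=["us"]),
        rule_argv(policy, 2000, "EGRESS", "deny", ip_ranges=everything),
    ]


def apply_ruleset(ruleset: List[List[str]], dry_run: bool = True) -> List[str]:
    """Print each command (dry run) or execute it; returns the rendered command lines."""
    rendered = [shlex.join(argv) for argv in ruleset]
    for argv, line in zip(ruleset, rendered):
        print(line)
        if not dry_run:
            subprocess.run(argv, check=True)  # needs an authenticated gcloud and an existing policy
    return rendered


if __name__ == "__main__":
    apply_ruleset(us_only_ruleset("geo-policy"), dry_run=True)
```

Run it as-is to review the four commands; set `dry_run=False` only after `gcloud auth` and after the policy named in `us_only_ruleset` exists. The explicit ingress deny-all duplicates the VPC implied deny, but keeping it in the policy makes the intent auditable next to the allow rule.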
Sometimes, IP address assignments and country codes change due to the following conditions:
- IP address movement across geographic locations
- Updates to the ISO 3166 alpha-2 country codes standard
Because these changes take some time to be reflected in Google's database, you might see traffic disruptions or changes in behavior, such as traffic that was previously allowed being blocked, or previously blocked traffic being allowed. Keep in mind that geolocation matching depends only on the current mapping of the IP address; it does not establish where the peer actually is, so traffic relayed through a proxy, VPN, or cloud provider located in an allowed country matches that country's code.
Use geolocation objects with other firewall policy rule filters
You can use geolocation objects along with other source or destination filters, such as IP address ranges. Depending on the rule direction, the firewall policy rule applies to the incoming or outgoing traffic that matches the union of all the specified filters: a packet needs to match only one of the filters, not all of them, for the rule to apply.
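To make the union semantics concrete, here is an added Python model of rule evaluation; it is not Google's implementation. A rule carries both an IP-range filter and a geolocation filter, and it matches when either one hits. The IP-to-country table, the addresses and the rules are constructed for the example, and the fallback for packets that match no rule (deny for ingress, allow for egress, mirroring the VPC implied rules) is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for Google's IP-to-country database (not real data).
# The real mapping is much larger and changes over time, as the page notes.
GEO_DB = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "CA",
    "2001:db8:1::/48": "DE",
}


def lookup_country(ip: str) -> Optional[str]:
    """Map an address to a country code, or None if the address is unmapped."""
    addr = ipaddress.ip_address(ip)
    for prefix, code in GEO_DB.items():
        if addr in ipaddress.ip_network(prefix):
            return code
    return None


@dataclass
class Rule:
    priority: int
    direction: str                       # "INGRESS" matches on source, "EGRESS" on destination
    action: str                          # "allow" or "deny"
    region_codes: List[str] = field(default_factory=list)
    ip_ranges: List[str] = field(default_factory=list)

    def matches(self, src: str, dst: str) -> bool:
        ip = src if self.direction == "INGRESS" else dst
        addr = ipaddress.ip_address(ip)
        # Filter 1: explicit IP ranges (a v4 address never falls in a v6 range and vice versa).
        in_ranges = any(addr in ipaddress.ip_network(r) for r in self.ip_ranges)
        # Filter 2: geolocation object; an address with no mapping never matches it.
        code = lookup_country(ip)
        in_geo = code is not None and code in self.region_codes
        # Union semantics: the rule applies when ANY configured filter matches.
        return in_ranges or in_geo


def evaluate(rules: List[Rule], direction: str, src: str, dst: str) -> str:
    """First matching rule by priority wins; unmatched traffic falls back to the
    assumed implied rules (deny ingress, allow egress)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction == direction and rule.matches(src, dst):
            return rule.action
    return "deny" if direction == "INGRESS" else "allow"


# Constructed rule sets: allow US (by geolocation) or a partner range (by IP), deny the rest.
INGRESS_RULES = [
    Rule(1000, "INGRESS", "allow", region_codes=["US"], ip_ranges=["192.0.2.0/24"]),
    Rule(2000, "INGRESS", "deny", ip_ranges=["0.0.0.0/0", "::/0"]),
]
EGRESS_RULES = [
    Rule(1000, "EGRESS", "allow", region_codes=["US"]),
    Rule(2000, "EGRESS", "deny", ip_ranges=["0.0.0.0/0", "::/0"]),
]

if __name__ == "__main__":
    for src in ("203.0.113.7", "192.0.2.9", "198.51.100.3", "2001:db8:1::1"):
        print(f"ingress from {src} ({lookup_country(src)}): {evaluate(INGRESS_RULES, 'INGRESS', src, '10.0.0.5')}")
```

Note that 192.0.2.9 has no entry in the table, so it cannot match the geolocation filter, yet the ingress rule still allows it because the IP-range filter matches; that is the union in action, and it is why a partner range added to a geo-restricted allow rule widens the rule rather than narrowing it.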
For information about how geolocation objects work with other source filters in the ingress rules, see Sources for ingress rules.
For information about how geolocation objects work with other destination filters in the egress rules, see Destinations for egress rules.