Policy Object: Regions

Define regions to apply policy to specified countries or locations. Applying policy based on region is a great way to control traffic between branch offices.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Check for any license or role requirements for the products you're using.
Enhance your security posture by limiting exposure to potential threats from high-risk regions, bolster your defense against malicious activities such as cyberattacks or data breaches, and comply with regulatory frameworks that mandate restricted or monitored access to and from specific geographic areas.
In today's interconnected world, you might sometimes face distinct security challenges that vary based on the regions from which network traffic originates. The Region policy object provides a fine-grained control mechanism that aligns security measures with specific geographic regions or countries.
Use Region to define rules and restrictions based on the geographic source of traffic, enabling a more tailored approach to network security. This may include allowing or denying traffic from certain countries, regions, or continents based on your security requirements and regulatory compliance obligations.
Region is available as an option when specifying source and destination for security rules, decryption security rules, and DoS security rules. You can choose from a standard list of countries or use the region settings described in this section to define custom regions to include as options for Security rules.
Keep reading to learn how to add geographical regions for applying policy.

Add a Region

Add a Region (Strata Cloud Manager)

Define regions to apply policy to specified countries or locations. Applying policy based on region is a great way to control traffic between branch offices.
Regions, along with Addresses and Address Groups, allow you to group specific source or destination addresses that require the same policy enforcement. An address object can include an IPv4 or IPv6 address (single IP, range, or subnet), an IP wildcard address (IPv4 address/wildcard mask), or an FQDN. Alternatively, a region can be defined by latitude and longitude coordinates, or you can select a country and define an IP address or IP range. You can then group a collection of address objects to create an address group object. You can also use dynamic address groups to update IP addresses automatically in environments where host IP addresses change frequently.
Here, we're going to show you how to use Regions to get better control over the flow of traffic between your branches. Follow these steps to specify a geographical region to apply policy to.
  1. Go to Manage > Configuration > NGFW and Prisma Access > Objects > Address > Regions.
  2. Select Add Region to add a new region to apply policy to.
  3. Configure the settings in this table:
    Region Settings: Description
    • Name: Select a name that describes the region. This name appears in the address list when defining security rules. Type text into this field to narrow down the standard list of countries to choose from.
    • Geo Location: To specify latitude and longitude, select this option and specify the values (xxx.xxxxxx format). This information is used in the traffic and threat maps for App-Scope.
    • Addresses: Using any of the following formats, specify an IP address, range of IP addresses, or subnet to identify the region:
        x.x.x.x
        x.x.x.x-y.y.y.y
        x.x.x.x/n
  4. Save your configuration.

Add a Region (PAN-OS & Panorama)

Define regions to apply policy to specified countries or locations. Applying policy based on region is a great way to control traffic between branch offices.
Regions, along with Addresses and Address Groups, allow you to group specific source or destination addresses that require the same policy enforcement. An address object can include an IPv4 or IPv6 address (single IP, range, or subnet), an IP wildcard address (IPv4 address/wildcard mask), or an FQDN. Alternatively, a region can be defined by latitude and longitude coordinates, or you can select a country and define an IP address or IP range. You can then group a collection of address objects to create an address group object. You can also use dynamic address groups to update IP addresses automatically in environments where host IP addresses change frequently.
Here, we're going to show you how to use Regions to get better control over the flow of traffic between your branches. Follow these steps to specify a geographical region to apply policy to.
  1. Go to Objects > Regions.
  2. Select Add to add a new region to apply policy to.
  3. Configure the settings in this table:
    Region Settings: Description
    • Name: Select a name that describes the region. This name appears in the address list when defining security rules. Type text into this field to narrow down the standard list of countries to choose from.
    • Geo Location: To specify latitude and longitude, select this option and specify the values (xxx.xxxxxx format). This information is used in the traffic and threat maps for App-Scope.
    • Addresses: Using any of the following formats, specify an IP address, range of IP addresses, or subnet to identify the region:
        x.x.x.x
        x.x.x.x-y.y.y.y
        x.x.x.x/n
  4. Select OK to save your configuration.
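
Before entering Addresses values in either procedure above (Strata Cloud Manager or PAN-OS & Panorama), it helps to check them offline. The following Python script is an added example, not Palo Alto Networks code: it parses the three listed formats (IPv4 only), reports which custom regions contain a given IP, and flags addresses claimed by more than one region. The region names, addresses, and function names are constructed for illustration.

```python
import ipaddress

def parse_region_entry(entry):
    """Return (first, last) IPv4 bounds for one Addresses entry.

    Accepts the formats from the table: x.x.x.x, x.x.x.x-y.y.y.y, x.x.x.x/n.
    Raises ValueError for anything else.
    """
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry}")
        return lo, hi
    if "/" in entry:
        # strict=True rejects host bits (e.g. 10.1.2.3/24), which usually
        # signal a typo. This is the example's choice, not firewall behaviour.
        net = ipaddress.IPv4Network(entry, strict=True)
        return net[0], net[-1]
    addr = ipaddress.IPv4Address(entry)
    return addr, addr

def regions_for(ip, regions):
    """Names of every custom region whose entries contain ip."""
    ip = ipaddress.IPv4Address(ip)
    return sorted(
        name for name, entries in regions.items()
        if any(lo <= ip <= hi for lo, hi in map(parse_region_entry, entries))
    )

def overlaps(regions):
    """Pairs of different regions that share at least one address."""
    spans = [(n, *parse_region_entry(e)) for n, es in regions.items() for e in es]
    found = set()
    for i, (n1, lo1, hi1) in enumerate(spans):
        for n2, lo2, hi2 in spans[i + 1:]:
            if n1 != n2 and lo1 <= hi2 and lo2 <= hi1:
                found.add(tuple(sorted((n1, n2))))
    return sorted(found)

# Constructed sample: hypothetical custom regions for two branch offices.
REGIONS = {
    "Branch-East": ["10.10.0.0/16", "192.168.50.10"],
    "Branch-West": ["10.20.0.1-10.20.0.254", "10.10.200.0/24"],
}

if __name__ == "__main__":
    print(regions_for("10.10.200.5", REGIONS))
    print(overlaps(REGIONS))
```

An overlap such as the one in the sample means a rule written for one branch region also matches addresses entered under the other, so resolve it before referencing the regions in rules.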