About Geolocation Policies
If your Web Security Service portal account has the Advanced Web Security with Risk Controls and Web Applications add-on license, the Source and Destinations constructs in the Content Filtering and Threat Protection policy editors contain the Geolocation construct. This allows you to create policy based on the country a content request comes from or the country it goes to.
Tip: Geolocations are supported with the Universal Policy Enforcement (UPE) solution if the on-premises ProxySG is also provisioned with the correct license.
Because of how the WSS determines the geolocation (country), this policy is best suited for the following connectivity methods.
- Explicit Proxy
- Mobile Devices (iOS, Android)
- WSS Agent and SEP clients
- Roaming Captive Portal authentication option
Be advised of the following details.
- Sources—If the connectivity method is Firewall/VPN or Proxy Forwarding, the WSS receives the IP address of the client system; therefore, the service cannot properly determine the geolocation. For these methods, define policy based on the fixed locations (as defined in Service mode > Network > Locations).
- Destinations—The WSS determines the geolocation based on a DNS resolution to an IP address. If the same URL resolves to a different destination IP address, a different policy result might occur.
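The Destinations caveat above can be checked before a rule is deployed. The following is an added example, not WSS code or Symantec's method: a small Python model that flags hostnames whose block/allow verdict depends on which IP address the DNS resolution returns. The IP-to-country table, the DNS answers and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges with made-up countries.
GEO_TABLE = {
    "192.0.2.0/24": "US",
    "198.51.100.0/24": "DE",
    "203.0.113.0/24": "SG",
}

# Constructed DNS answers: every address observed for each hostname over time.
DNS_ANSWERS = {
    "static.example.com": ["192.0.2.10", "192.0.2.11"],
    "cdn.example.net": ["192.0.2.20", "198.51.100.7", "203.0.113.9"],
    "app.example.org": ["198.51.100.30"],
}

def country_of(ip, table=GEO_TABLE):
    """Return the country for an IP, or UNKNOWN if no range matches."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in table.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return "UNKNOWN"

def verdicts(host, blocked, answers=DNS_ANSWERS):
    """Map each resolved IP of host to (country, 'block' or 'allow')."""
    out = {}
    for ip in answers.get(host, []):
        country = country_of(ip)
        out[ip] = (country, "block" if country in blocked else "allow")
    return out

def unstable_destinations(blocked, answers=DNS_ANSWERS):
    """Hosts whose verdict changes depending on the resolved IP address."""
    result = {}
    for host in answers:
        per_ip = verdicts(host, blocked, answers)
        if len({action for _, action in per_ip.values()}) > 1:
            result[host] = sorted({country for country, _ in per_ip.values()})
    return result

if __name__ == "__main__":
    # Hypothetical destination rule: block requests to SG.
    for host, countries in unstable_destinations({"SG"}).items():
        print(f"{host}: verdict varies, resolves into {countries}")
```

Hosts reported by this check are candidates for a URL- or category-based rule instead of a destination geolocation rule.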
The WSS provides pre-defined geolocation reports based on Sources only. You can create custom reports to see results based on Destinations.
When a client request triggers a policy rule, the WSS displays an exception page.
The exception details include the source (Client Geolocation).
Tip: To provide Server Geolocation, create a custom exception page. See Customize the User Notification Template.
The Error ID item tells you which policy rule triggered the exception.
- In the above example, Content Filtering (CF) rule G1 is the trigger.
- A TP-## indicates a Threat Protection rule.
The add-on license allows you to suppress personal information based on geolocation. See Suppress Personal Information From Access Logs.