GEO Location Objects in Firewall Policy (with Dynamic Objects)
Currently no regional settings can be used in the Firewall Policy. This only works in the "Geo Policy" and has the disadvantage that no special settings are possible.
For example, no services like http can be specified.
This solution helps and creates Dynamic Objects with the IP ranges of the individual countries.
In the first step, a Dynamic Object is created on the gateway that contains all IP addresses of the appropriate country. To do this, the script is executed on the gateway.
If the script is started for the first time, the country file is transferred from the management server to the gateway via scp.
All you have to do is enter the IP address, user name and password of the management server.
The current country list is displayed. Now only the appropriate country must be selected.
For example "WLF".
Afterwards, a dynamic object is created on the gateway with the following name: "GEO_<country code>".
For example "GEO_WLF".
Now create a Dynamic Object with the same name in the management under
"New > More > Network Objects > Dynamic Objects > Dynamic Object".
For example "GEO_WLF"
Now create a Firewall Policy with the Dynamic Object.
Install Policy.
Important!
1) On a cluster the script must be executed on both gateways.
2) This is not a supported CheckPoint solution!
Script Version:
- 0.7a final version
- 0.7b bug fix (02.08.2018)
Regards,
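The procedure above (copy ip2country.csv to the gateway, pick a country code, build the gateway-side object GEO_<country code>) can be expressed as a small shell script, shown here as an added example that is not Heiko's attached script and not Check Point code. It goes a little beyond the first post by also covering the "add all countries", "delete one" and "delete all" operations discussed later in the thread. Assumptions: the CSV is read as one range per line in the layout `start_ip,end_ip,country_code` (the real ip2country.csv layout may differ, so the awk field numbers are the part to adjust); the `dynamic_objects` CLI is used with `-n NAME` to create an object, `-o NAME -r FROM TO -a` to add a range and `-do NAME` to delete an object; the default file path and the R80.20 path are the ones quoted in this thread. The sample CSV rows are constructed so the script runs without a gateway.

```shell
#!/bin/sh
# Added example (not the thread's script): build Check Point gateway dynamic
# objects "GEO_<country code>" from an ip2country-style CSV.
# ASSUMPTION: CSV layout is  start_ip,end_ip,country_code  per line.
# ASSUMPTION: dynamic_objects syntax  -n NAME | -o NAME -r FROM TO -a | -do NAME.

# Path quoted in the thread; on R80.20 it is /opt/CPrt-R80.20/conf/ip2country.csv.
CSV="${GEO_CSV:-/opt/CPrt-R80/conf/ip2country.csv}"

# Constructed sample rows so the functions below can be exercised offline.
SAMPLE_CSV='1.0.0.0,1.0.0.255,AU
1.0.1.0,1.0.3.255,CN
41.0.0.0,41.0.255.255,WLF
193.0.0.0,193.0.0.255,WLF
'

# Print "from to" pairs for one country code, reading CSV text from stdin.
ranges_for() {
    awk -F, -v cc="$1" '$3 == cc { print $1, $2 }'
}

# Print every country code found in the CSV on stdin, one per line.
all_codes() {
    awk -F, 'NF >= 3 { print $3 }' | sort -u
}

# Print the dynamic_objects commands that rebuild GEO_<cc> from the CSV on stdin.
# Fails (exit 1) when the country code has no ranges, so a typo does not
# silently create an empty object that matches nothing.
build_cmds() {
    cc="$1"
    ranges=$(ranges_for "$cc")
    [ -n "$ranges" ] || { echo "no ranges for country $cc" >&2; return 1; }
    echo "dynamic_objects -do GEO_$cc"      # start clean; harmless if absent
    echo "dynamic_objects -n GEO_$cc"
    echo "$ranges" | while read -r from to; do
        echo "dynamic_objects -o GEO_$cc -r $from $to -a"
    done
}

# Execute commands from stdin on the gateway; only print them when DRY_RUN=1
# or when the dynamic_objects CLI is not present (e.g. on a workstation).
apply_cmds() {
    while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ] || ! command -v dynamic_objects >/dev/null 2>&1; then
            echo "[dry-run] $cmd"
        else
            $cmd || echo "warning: '$cmd' failed" >&2
        fi
    done
}

# Usage: sh geo_dynobj.sh add WLF | add-all | del WLF | del-all
# Run it on every cluster member: dynamic objects are local to each gateway.
main() {
    [ -r "$CSV" ] || { echo "$CSV not readable; copy ip2country.csv from the management server first" >&2; return 1; }
    case "$1" in
        add)     build_cmds "$2" < "$CSV" | apply_cmds ;;
        add-all) for cc in $(all_codes < "$CSV"); do build_cmds "$cc" < "$CSV"; done | apply_cmds ;;
        del)     echo "dynamic_objects -do GEO_$2" | apply_cmds ;;
        del-all) for cc in $(all_codes < "$CSV"); do echo "dynamic_objects -do GEO_$cc"; done | apply_cmds ;;
        *)       echo "usage: $0 add <CC> | add-all | del <CC> | del-all" >&2; return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The gateway-side object is only half of the setup: the management side still needs a Dynamic Object with the identical name (GEO_WLF in the example) referenced by the rule, and the policy must be installed, exactly as the first post describes. Running with `DRY_RUN=1` first lets you confirm the generated commands and the number of ranges before touching the gateway.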
Nice one!
Is it possible to add all countries as dynamic objects in one step?
In the next version I want to change the following:
1) Add all countries as dynamic object "GEO_xyz"
2) Delete all "GEO_xyz" objects
3) Delete individual "GEO_xyz" objects
Regards,
Nice Code
Hello Heiko,
I'm already using your script. Works well. Maybe you can add a download function for the country file from the Check Point Update Server with "curl_cli".
Regards
Chris
That's a good idea!
Thank you
Heiko
I have almost finished the new version with the following features (beta):
1) Add all countries as dynamic object "GEO_xyz"
2) Delete all "GEO_xyz" objects
3) Delete individual "GEO_xyz" objects
Give me a few more days.
Regards,
Very nice!
It's a useful tool.
Just a note. R80.20 allows using so-called "Updatable objects" for cloud deployment and GEO (countries) objects. R80.20 MGMT + GW are required.
The Gaia Embedded appliances 600-1400 do not support Geo Policy at all (or IPS/TP Packet Captures), but can the geo-dyn script technique illustrated by Heiko Ankenbrand in this article be used to work around this limitation on the Gaia Embedded appliances running R77.20.XX? My guess is no but wanted to see if anyone has given this a try. Thanks!
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
CET (Europe) Timezone Course Scheduled for July 1-2
See SK:
Geo Location objects as network objects in R80.20
Regards
Heiko
Hi Timothy,
I'll take a look at it in the next few days. Maybe this will work on the SMB appliances as well.
Unfortunately, embedded Gaia does not support all CLI commands. This always leads to problems with scripts.
Regards
Heiko
Thank you, it's a useful script.
But I don't know how to execute it; I always see the error "syntax error near unexpected token `('".
Rights have also been assigned to the script (chmod 777 <script_name>).
So could you please advise something to run it?
Thank you anyway!
'dynamic_objects' on SMB seems to support all the command line arguments used in the script. So very likely that will work. However 'scp' from management server (R80.20 here) gives the following error:
protocol error: illegal mode
Workaround is to transfer /opt/CPrt-R80/conf/ip2country.csv manually and then run the script. It will check that file already exists and skip the scp part.
Btw, Tim, I have a similar system on my SMBs that uses 'sim dropcfg' to reject traffic from countries and/or custom networks. I can upload it here if anyone is interested in it.
@HristoGrigorov would like to see how you are doing country enforcement with sim dropcfg on embedded Gaia...
Well, I do not pretend it is the most effective way, but it works for me.
1. Linux box that downloads aggregated IP ranges for the different countries from http://www.ipdeny.com/ipblocks/data/aggregated/
2. Perl script that will generate simdrop.db file that contains:
- ports that are blocked from Internet (telnet, rdp, etc)
- custom IPs and networks that I want to blacklist
- IP ranges for countries I want to block
3. That file is placed on a web server running on that same box
4. There is a script running on SMBs that will download simdrop.db and use 'sim dropcfg ...' to apply it.
I am working on a few improvements:
1. Use CheckPoint provided database as an alternative
2. Web interface similar to what is in SmartConsole to specify countries to block
3. Have SMB poll and auto-download and apply new database when such is published on the Web server (at the moment it is applied on boot and manually when needed)
On R80.20 the correct path is:
/opt/CPrt-R80.20/conf/ip2country.csv
Would this script work with a VSX gateway, or is it purely applicable to a discrete firewall?
If so, the script needs to run on VS-0 or on the specific VS (VS-1)?
How can I run this attached script on the management server?
Hi @Yatiraj_Panchal,
This script only runs on a gateway.
It modifies the dynamic objects on the gateway.
Regards
Heiko
