topic Re: GeoPolicy not working in Firewall and Security Management

GeoPolicy not working

pfilipe — Fri, 08 Jul 2022 10:31:28 GMT

Hello guys,

So we have some rules to block all incoming and outgoing traffic to russia.

But after we see the logs we get a amount of Accepts coming from russia. Why is this happening and what should i do?

Best regards,

Re: GeoPolicy not working

Ruan_Kotze — Fri, 08 Jul 2022 10:57:57 GMT

Is it an implied rule accepting the traffic?

Re: GeoPolicy not working

pfilipe — Fri, 08 Jul 2022 11:06:10 GMT

There are some Logs with implied yes but there are more logs with other rules.

Re: GeoPolicy not working

Sorin_Gogean — Fri, 08 Jul 2022 11:18:00 GMT

hey,

your Russia drop rules are positioned where, compared with the Allow rules that you show in the screenshots ?

Ty,

Re: GeoPolicy not working

pfilipe — Fri, 08 Jul 2022 11:25:58 GMT

Hey,

My Geopolicy rules is number 2 and 3.

Re: GeoPolicy not working

Ruan_Kotze — Fri, 08 Jul 2022 11:38:55 GMT

OK, so first make sure that it isn't just a cosmetic issue as per sk120261. Check Point uses MaxMind for IP Geo-location, so doublecheck on their site as well.

If everything checks out then you still need to keep in mind that updateable objects won't block traffic allowed by implied rules. In order to work around that you can possibly do a rate-limiting SAM rule or use the "classic" geo policies.

For traffic that is not being blocked and you are confident that it is not due to rule order I would say a call to TAC is in order.

Re: GeoPolicy not working

the_rock — Fri, 08 Jul 2022 13:00:19 GMT

I would run below script on mgmt if you can execute cpstop afterwards:

https://community.checkpoint.com/t5/API-CLI-Discussion/One-liner-to-update-IpToCountry-data-on-Security-Managements/m-p/97922

I personally never experienced this issue myself, so hard to say for sure why those rules dont take full effect. As @Ruan_Kotze indicated, if all fails, then contacting TAC might be your best option.