topic Re: Geo Policy question: New deployment using geo objects only (R80.30) in Firewall and Security Management

Geo Policy question: New deployment using geo objects only (R80.30)

Scottc98 — Thu, 31 Dec 2020 19:59:13 GMT

My current company recently wanted to start implementing geo based updatable object rules following SK126172 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk126172&partition=Basic&product=Security)

During my PTO, our security team deployed a set of rules to one one country (Russia) and it looks to be working right now.

I was checking logs and noticed that there were a few IP addresses that were being blocked but listed as another country:

Example: 85.209.0.186

1) Our gateway is blocking this thinking its in Russia

2) Our 'flag' from the smartconsole logs is showing this in "Saudi Arabia"

3) MaxMind site states this is in Country Code of "CZ" and Location of "Czechia,Europe" (Using link: https://www.maxmind.com/en/geoip-demo)

I started to think that its possible that the ip list was not being updated from the gateways and stated to look at SK114216 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114216&partition=Advanced&product=IPS)

Based on that SK, I looked at the 'in.geod' process and the file locations mentioned and none of the GWs have I have checked have this running nor have the files in place ($FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv)

Since this was a brand new geo deployment, the shared "Geo Policy" activation mode it still set to "inactive' (First screen shot) and I can't seem to find documentation on where having the activation is required (i.e. no mention on SK126172 and can't seem to find in deployment docs).

I have checked my 80.40 lab and I do see that when I set the geo policy to "Monitor Only" and leaving the rest as default. my lab gateway shows the daemon running and the updated file list within 24 hours like SK114216 mentions.

So my long question is this:

Is there a Geo Policy activation requirement when using geo based updatable object rules following SK126172
1. I.E setting to "monitor only" and using the updatable object method only in access rules
If there is no requirement on the Geo Policy activation, how can I validate proper updates of the IP country list against the MaxMind DB since SK114216 shows no list updates?

Thank in advance.

Re: Geo Policy question: New deployment using geo objects only (R80.30)

PhoneBoy — Thu, 31 Dec 2020 20:15:08 GMT

First of all, for R80.20 and above, you should be using Updatable Objects in your regular access policy versus the legacy Geo Policy mechanism.
You can create a very granular policy in this manner (e.g. allow access to a specific website from anywhere but block all other access to/from a specific country).

The flags come from management which does NOT update its IP to Country mappings regularly.
This one liner should update it: https://community.checkpoint.com/t5/API-CLI-Discussion/One-liner-to-update-IpToCountry-data-on-Security-Managements/m-p/97922#M5202

Re: Geo Policy question: New deployment using geo objects only (R80.30)

Scottc98 — Thu, 31 Dec 2020 20:56:02 GMT

Thank you PhoneBoy for the update. I wanted to make sure nothing was missed during the deployment and if all we have to do is use the objects per SK126172.

I am wondering if there is a database of change records within MaxMinds DB that I can match the log entry I see and validate if it was flagged as "russia" at the timestamp it was blocked. Using the example IP in the post, if I can see that at that exact time we blocked it, it was flagged as "russia' even though our 'flag' in the logs showed "Saudi Arabia", I'll feel a little better 🙂

With the 80.40 lab I am using with Geo policy in 'monitor only', I am blocking more countries than our prod environment and all of those blocks are indeed matching the countries i have in the rules with no need to make any update on the management server. While my lab will generate far less than our prod environment, it seemed odd that all of those logs matched the country flags while my prod environment did not.

That being said, I did check the file on the lab 80.40 management and it is old (Jan 2020)

[Expert@LAB-MGMT:0]# ls -l $INDEXERDIR/conf/ip2country.csv

-rw-r----- 1 admin bin 13142995 Jan 17 2020 /opt/CPrt-R80.40/log_indexer/conf/ip2country.csv

[Expert@LAB-MGMT:0]#

After running the script you mentioned, it's now updated:

[Expert@LAB-MGMT:0]# ls -l $INDEXERDIR/conf/ip2country.csv

-rwxrwx--- 1 admin root 12569389 Dec 31 12:46 /opt/CPrt-R80.40/log_indexer/conf/ip2country.csv

[Expert@LAB-MGMT:0]#

Are the missing flag logs in the management truly linked to updating of this file on the management server or is it related at all to DNS caching within smartconsole?

lastly, do you know if this update process has any plans to be automated in R81 or a future JHF for 80.40? I would have to agree that having to restart service each time here it not the idea way but I do appreciate the quick script to be able to update it from time to time 🙂

Re: Geo Policy question: New deployment using geo objects only (R80.30)

PhoneBoy — Fri, 01 Jan 2021 00:10:23 GMT

Yes, the country in the logs in the management are truly based on that file in the management server.
I'm not aware of specific plans to automate the update of this file, but it is relatively straightforward to update it manually on a regular basis.
I do see the restart could be problematic.
@Tomer_Noy is this something we can look at for the future?

Re: Geo Policy question: New deployment using geo objects only (R80.30)

Tomer_Noy — Sun, 03 Jan 2021 07:03:33 GMT

Today, we have two mechanisms that refer to countries so in some cases it can create confusion. However, we are working to improve that.

The Updatable Objects rely on our cloud service to automatically update IPs for countries and common SaaS services. The gateway fetches the information regularly and the data is very accurate. This is used for enforcement. When a connection is matched on an Updatable Object, the gateway puts the name and flag of that object in special fields on the log. If you double-click a log, you will be able to see them.

The other mechanism, is our UI resolving for IPs to countries. This is based on a csv file that is brought with the version installation. The resolving is done upon querying the log server and will return information for any IP, even if not matched by the geo-protection / Updatable Objects.

Following previous feedback about confusion when the flags aren't accurate, or don't match with the Updatable Objects, we are planning the following improvements:

If a log was matched on an Updatable Object, we will show the icon from the Updatable Object, instead of resolving it from the csv. This will improve accuracy and consistency.
We plan to update the .csv file regularly on JHFs and not just on a major version.

Re: Geo Policy question: New deployment using geo objects only (R80.30)

David_C1 — Thu, 14 Jan 2021 13:53:10 GMT

Am I correct in assuming that the (possibly out of date) countries shown in the management logs are what would be forwarded to an external log server, e.g. if we Log Exporter to send our logs to Splunk?

Dave

Re: Geo Policy question: New deployment using geo objects only (R80.30)

Quentin_Antrim — Wed, 03 Aug 2022 17:07:20 GMT

Regarding the Updatable Objects using the cloud service to automatically update IPs, a couple of questions:

1) Does it still store the updated IPs for Geo Updatable Objects in the IpToCountry.csv on the gateway?

2) If not, how can I tell if my IPs for Geo Updatable Objects are up-to-date?

Thanks.

Re: Geo Policy question: New deployment using geo objects only (R80.30)

PhoneBoy — Wed, 03 Aug 2022 20:05:22 GMT

It's now downloaded via a different mechanism.
The Troubleshooting section of the following SK should tell you what you need to know: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk131852

Re: Geo Policy question: New deployment using geo objects only (R80.30)

Quentin_Antrim — Wed, 03 Aug 2022 20:34:26 GMT

Okay, thanks. So, to answer my original question based upon that SK, it looks like the IP to Country mapping is in the $CPDIR/database/downloads/ONLINE_SERVICES/1.0/latestversionnumber/geo_location.C file now, rather than in the original CSV file. Thanks for the tip on that. I needed to prove that my gateway did indeed have the latest mappings, and I see that I'm good.