https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-GeoProtection-Maximum-Ranges-alert/m-p/261939#M51351 <P>Hi,</P><P>While reviewing the latest <STRONG>HCP report</STRONG>, I noticed the following alert:</P><BLOCKQUOTE><P><STRONG>Legacy GeoProtection Maximum Ranges</STRONG><BR /><STRONG>Description:</STRONG><BR />This test verifies if legacy GeoProtection will be able to update successfully based on the <EM>geo_max_ip_ranges</EM> kernel parameter.<BR /><STRONG>Finding:</STRONG><BR />The number of ranges in the current <EM>IpToCountry.csv</EM> exceeds the maximum allowed value in kernel parameter: geo_max_ip_ranges.<BR /><STRONG>Suggested Solution:</STRONG><BR />Increase the value of kernel parameter geo_max_ip_ranges to be higher than the current number of ranges in IpToCountry.csv (341359).</P></BLOCKQUOTE><P>I’m curious about this alert because it references a <STRONG>kernel-level parameter</STRONG> that seems to have a <STRONG>defined limit</STRONG>, and I’m not sure what the implications might be of modifying it.</P><P>So, I wanted to ask:</P><UL><LI><P>How safe is it to increase the value of the geo_max_ip_ranges parameter?</P></LI><LI><P>Would there be any noticeable performance or memory impact if we modify it?</P></LI><LI><P>Is there an alternative way to handle or suppress this alert?</P></LI></UL><P>Any guidance or experience with this specific HCP finding would be greatly appreciated.</P><P>Thanks in advance!</P> Thu, 06 Nov 2025 02:16:10 GMT jennyado 2025-11-06T02:16:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-GeoProtection-Maximum-Ranges-alert/m-p/261939#M51351 <P>Hi,</P><P>While reviewing the latest <STRONG>HCP report</STRONG>, I noticed the following alert:</P><BLOCKQUOTE><P><STRONG>Legacy GeoProtection Maximum Ranges</STRONG><BR /><STRONG>Description:</STRONG><BR />This test verifies if legacy GeoProtection will be able to update successfully based on the <EM>geo_max_ip_ranges</EM> kernel parameter.<BR /><STRONG>Finding:</STRONG><BR />The number of ranges in the current <EM>IpToCountry.csv</EM> exceeds the maximum allowed value in kernel parameter: geo_max_ip_ranges.<BR /><STRONG>Suggested Solution:</STRONG><BR />Increase the value of kernel parameter geo_max_ip_ranges to be higher than the current number of ranges in IpToCountry.csv (341359).</P></BLOCKQUOTE><P>I’m curious about this alert because it references a <STRONG>kernel-level parameter</STRONG> that seems to have a <STRONG>defined limit</STRONG>, and I’m not sure what the implications might be of modifying it.</P><P>So, I wanted to ask:</P><UL><LI><P>How safe is it to increase the value of the geo_max_ip_ranges parameter?</P></LI><LI><P>Would there be any noticeable performance or memory impact if we modify it?</P></LI><LI><P>Is there an alternative way to handle or suppress this alert?</P></LI></UL><P>Any guidance or experience with this specific HCP finding would be greatly appreciated.</P><P>Thanks in advance!</P> Thu, 06 Nov 2025 02:16:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-GeoProtection-Maximum-Ranges-alert/m-p/261939#M51351 jennyado 2025-11-06T02:16:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-GeoProtection-Maximum-Ranges-alert/m-p/261943#M51354 <P>Personally, and this is just me, I would not bother with any of that. Its simply refers to ip ranges, but truth be told, literally 99% of customers would simply add countries they wish to block, which you can use updatable objects for, thats it.</P> Thu, 06 Nov 2025 02:39:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-GeoProtection-Maximum-Ranges-alert/m-p/261943#M51354 the_rock 2025-11-06T02:39:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-GeoProtection-Maximum-Ranges-alert/m-p/262068#M51402 <P>Hi Jenn,</P> <P>I verified this with TAC and they confirmed that all that message says is that gateway's IPToCountry.csv file contains more ranges that what kernel parameter sllows, so its totally safe to change it to something higher, no issues.</P> <P>Here is an example in my lab:</P> <P>[Expert@CP-GW:0]# fw ctl get int geo_max_ip_ranges<BR />geo_max_ip_ranges = 300000<BR />[Expert@CP-GW:0]# fw ctl set -f int geo_max_ip_ranges 500000<BR />"fwkern.conf" was updated successfully<BR />[Expert@CP-GW:0]# more /opt/CPsuite-R82/fw1/boot/modules/fwkern.conf<BR />sip_forward_if_needed=1<BR />geo_max_ip_ranges=500000<BR />[Expert@CP-GW:0]#</P> Thu, 06 Nov 2025 20:50:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-GeoProtection-Maximum-Ranges-alert/m-p/262068#M51402 the_rock 2025-11-06T20:50:52Z