topic Re: GEO Location Objects in Firewall Policy (with Dynamic Objects) in API / CLI Discussion

GEO Location Objects in Firewall Policy (with Dynamic Objects)

HeikoAnkenbrand — Wed, 20 Mar 2019 20:16:32 GMT

Currently no regional settings can be used in the Firewall Policy.This only works in the „Geo Policy“ and has the disadvantage that no special settings are possible.

For example, no services like http can be specified.

This solution helps and creates Dynamic Objects with the IP ranges of the individual countries.

In the first step, a Dynamic Object is created on the gateway that contains all IP addresses of the appropriate country. To do this the script is executed on the gateway.

If the script is started the first time the country file is transferred from the management server to the gateway via scp.

All you have to do is enter the IP address, user name and password of the management server.

The current country list is displayed. Now only the appropriate country must be selected.

For example "WLF".

Afterwards dynamic object is created on the gateway with the following name „GEO_<country code>“.

For example "GEO_WLF".

Now create a Dynamic Object with the same name in the management under
„New>More>Network Objekts>Dynamic Objects >Dynamic Objekt“.
For example "GEO_WLF"

Now create a Firewall Policy with the Dynamic Objekt.

Install Policy

Important!

1) On a cluster the script must be executed on both gateways.

2) This is not a supported CheckPoint solution!

Script Version:

- 0.7a final version

- 0.7b bug fix (02.08.2018)

Regards,

Heiko

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

PhoneBoy — Wed, 25 Apr 2018 00:58:46 GMT

Nice one!

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

Alexander_Rodio — Thu, 26 Apr 2018 11:48:05 GMT

Is it possible to add all coutries as dynamic objects on one step?

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

HeikoAnkenbrand — Thu, 26 Apr 2018 13:51:19 GMT

In the next version I want to change the following:
1) Add all countries as dynamic object "GEO_xyz
2) Delete all "GEO_xyz" objects
3) Delete individual "GEO_xyz" objects

Regards,

Heiko

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

Ukko_Metsola — Thu, 26 Apr 2018 16:39:20 GMT

Nice Code

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

Dr__Chris_Murph — Sat, 28 Apr 2018 13:04:18 GMT

Hello Heiko,

I'm already using your script. Works well. Maybe you can add a download function for the country file from Check Point Update Server with „curl_cli“

Regards

Chris

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

HeikoAnkenbrand — Sat, 28 Apr 2018 20:12:56 GMT

That's a good idea!

Thank you

Heiko

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

HeikoAnkenbrand — Fri, 25 May 2018 12:47:36 GMT

I have almost finished the new version with the following features (beta):
1) Add all countries as dynamic object "GEO_xyz
2) Delete all "GEO_xyz" objects
3) Delete individual "GEO_xyz" objects

Give me a few more days.

Regards,

Heiko

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

Danny_Yang — Tue, 29 May 2018 15:48:13 GMT

Very nice!

It's a useful tool.

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

_Val_ — Tue, 09 Oct 2018 12:53:26 GMT

Just a note. R80.20 allows using so-called "Updatable objects" for cloud deployment and GEO (countries) objects. R80.20 MGMT + GW are required.

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

Timothy_Hall — Sun, 21 Oct 2018 13:46:24 GMT

The Gaia Embedded appliances 600-1400 do not support Geo Policy at all (or IPS/TP Packet Captures), but can the geo-dyn script technique illustrated by Heiko Ankenbrand‌ in this article be used to work around this limitation on the Gaia Embedded appliances running R77.20.XX? My guess is no but wanted to see if anyone has given this a try. Thanks!

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

HeikoAnkenbrand — Mon, 22 Oct 2018 08:47:20 GMT

See SK:

Geo Location objects as network objects in R80.20

Regards

Heiko

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

HeikoAnkenbrand — Mon, 22 Oct 2018 08:50:31 GMT

Hi Timothy,

I'll take a look at it in the next few days. Maybe this will work on the SMB appliancen as well.

Unfortunately, embeded GAIA does not support all CLI commands. This always leads to problems with scripts.

Regards

Heiko

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

Egor_Cherkasov — Fri, 01 Mar 2019 11:31:49 GMT

Thank you, it's a useful script.

But I don't know how to execute it, I always see the syntax error near unexpected token `('

As well rigths has been assigned to the script (chmod 777 <script_name>).

So could you please advise smth to run it?

Thank you anyway!

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

HristoGrigorov — Fri, 08 Mar 2019 05:27:00 GMT

'dynamic_objects' on SMB seems to support all the command line arguments used in the script. So very likely that will work. However 'scp' from management server (R80.20 here) gives the following error:

protocol error: illegal mode

Workaround is to transfer /opt/CPrt-R80/conf/ip2country.csv manually and then run the script. It will check that file already exists and skip the scp part.

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

HristoGrigorov — Sat, 09 Mar 2019 05:05:40 GMT

Btw, Tim, I have similar system on my SMBs that is using 'sim dropcfg' to reject traffic from countries and/or custom networks. I can upload it here if anyone is interested in it.

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

HristoGrigorov — Sat, 09 Mar 2019 05:38:23 GMT

On R80.20 the correct path is:

/opt/CPrt-R80.20/conf/ip2country.csv

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

Andy_Yap — Thu, 28 Mar 2019 00:04:36 GMT

Would this script work with VSX gateway or just purely applicable to discreet firewall?

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

Timothy_Hall — Thu, 28 Mar 2019 12:02:29 GMT

@HristoGrigorov would like to see how you are doing country enforcement with sim dropcfg on embedded Gaia...

Re: GEO Location Objects in Firewall Policy (with Dynamic Objects)

HristoGrigorov — Thu, 28 Mar 2019 13:06:45 GMT

Well, I do not pretend to be the most effective way but it works for me.

1. Linux box that downloads aggregated IP ranges for the different countries from http://www.ipdeny.com/ipblocks/data/aggregated/

2. Perl script that will generate simdrop.db file that contains:

- ports that are blocked from Internet (telnet, rdp, etc)

- custom IPs and networks that I want to blacklist

- IP ranges for countries I want to block

3. That file is placed on a web server running on that same box

4. There is a script running on SMBs that will download simdrop.db and use 'sim dropcfg ...' to apply it.

I am working on few improvements:

1. Use CheckPoint provided database as an alternative

2. Web interface similar to what is in SmartConsole to specify countries to block

3. Have SMB poll and auto-download and apply new database when such is published on the Web server (at the moment it is applied on boot and manually when needed)