topic Re: Geo Policy VS Updateable rules in General Topics

Geo Policy VS Updateable rules

Moudar — Sun, 02 Jul 2023 18:33:27 GMT

Hi,

We have Geo policy as below:

The problem is that we still see logs with "Accept" from these countries! for example from China:

What I know is that if the Geo policy is set to drop, no one packet (from countries included) will go through the firewall, or do i miss something?

I tried to use a rule with an updateable object as:

As you can see this rule is not getting any hits! even if there are many rules that accepted traffic from China over this one like rule 25 and 35.

Should these two (Geo policy & a rule with Updateable objects) being used together or only one should be used?

As you can see in the rule i have included Indonesia only to test if I will get some hits from a country that is not included in the Geo policy, but I got nothing.

Re: Geo Policy VS Updateable rules

Wolfgang — Sun, 02 Jul 2023 20:03:36 GMT

Sometimes some IP addresses are not correctly classified, you have to investigate with TAC. But most common error is an outdated geo location database on the SMS. Use Dannys script One-liner to update IpToCountry data on Security Managements to update the database. Geo Protection logs show the wrong country flag

Re: Geo Policy VS Updateable rules

Tal_Paz-Fridman — Mon, 03 Jul 2023 08:41:31 GMT

Updatable Objects were introduced in R80.20 to replace Geo Policy. Geo Policy was removed (or hidden) starting R81. Therefore it is advised to use Updatable Objects.

https://support.checkpoint.com/results/sk/sk131852

Also please refer to sk120261 Geo Protection logs show the wrong country flag:

https://support.checkpoint.com/results/sk/sk120261

Re: Geo Policy VS Updateable rules

Moudar — Mon, 03 Jul 2023 09:13:59 GMT

I have verion 81.10

I have now removed the countries from the Geo policy and added these countries to a rule with updateable objects.

It now shows drops from my rule.

The question now is: Should I create a new rule with updateable objects for every section? Because the rule I created would drop traffic headed only to one section but not other sections.

Re: Geo Policy VS Updateable rules

PhoneBoy — Mon, 03 Jul 2023 20:05:11 GMT

It depends on how you've structured your rulebase and what your precise objectives are.
But, yes, you may need to add these objects in other rules in other places.

Re: Geo Policy VS Updateable rules

Chris_Atkinson — Mon, 31 Jul 2023 12:40:47 GMT

For awareness. R81.10 JHF T110:

PRJ-44952,
PRHF-28082

IPS

UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.

Re: Geo Policy VS Updateable rules

the_rock — Mon, 31 Jul 2023 14:22:57 GMT

The way I do this for every customer is like this...regardless if you have inline layers or multiple ordered layers, makes no difference. I create geo block as very FIRST rule in network policy and block whatever needs to be blocked, using updatable objects.

Andy