topic IP Country of Origin Inconsistent - Chekpoint Firewall in General Topics

IP Country of Origin Inconsistent - Chekpoint Firewall

mikegemini — Fri, 22 Sep 2023 02:08:41 GMT

Good evening. I'm having a little bit of confusion with some of the data on my firewall.

In the GUI, it shows an attempted connection from the source 193.37.69.203 over port 3389 with a Russian Federation flag.

There are two things I found a bit confusing.

1.) One of my analysts colleagues at markup related to that IP, and it reads as:

"ip": 193.37.69.203
"country_name": Netherlands.

2.) Looking up the IP in arin.net, shows it as having a registration in London.

https://search.arin.net/rdap/?query=193.37.69.203

Can anyone tell me what might be the source of the inconsistency? One thing we did look at was the IP in RiskIQ, and it appears that a few Russian Federation related URLs are associated with it, so I'm not sure if I'm not understanding what goes into the data that we're being presented.

Thank you!

Re: IP Country of Origin Inconsistent - Chekpoint Firewall

the_rock — Fri, 22 Sep 2023 12:26:18 GMT

CP uses maxmind for those things, so if something is not consistent, maybe best to open TAC case to have it sorted out.

Andy

Re: IP Country of Origin Inconsistent - Chekpoint Firewall

Chris_Atkinson — Fri, 22 Sep 2023 13:01:27 GMT

Are you running R81.10 JHF T110 or higher?

PRJ-44952,PRHF-28082 - IPS - UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.

Re: IP Country of Origin Inconsistent - Chekpoint Firewall

PhoneBoy — Fri, 22 Sep 2023 23:14:31 GMT

Even if not, you can update it manually using: https://community.checkpoint.com/t5/API-CLI-Discussion/One-liner-to-update-IpToCountry-data-on-Security-Managements/m-p/97922
You can troubleshoot the data with: https://support.checkpoint.com/results/sk/sk114216
If an IP is incorrectly classified, you'll need to open a TAC case: https://help.checkpoint.com