Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion

GEO Location Objects in Firewall Policy (with Dynamic Objects)

Currently no regional settings can be used in the Firewall Policy.This only works in the „Geo Policy“ and has the disadvantage that no special settings are possible.

For example, no services like http can be specified.

 

This solution helps and creates Dynamic Objects with the IP ranges of the individual countries.

 

In the first step, a Dynamic Object is created on the gateway that contains all IP addresses of the appropriate country. To do this the script is executed on the gateway.

 

If the script is started the first time the country file is transferred from the management server to the gateway via scp.

 

All you have to do is enter the IP address, user name and password of the management server.

The current country list is displayed. Now only the appropriate country must be selected. 

For example "WLF".

Afterwards dynamic object is created on the gateway with the following name „GEO_<country code>“.

For example "GEO_WLF".

 

Now create a Dynamic Object with the same name in the management under
„New>More>Network Objekts>Dynamic Objects >Dynamic Objekt“.
For example "GEO_WLF"

Now create a Firewall Policy with the Dynamic Objekt.

Install Policy

 

Important!

1) On a cluster the script must be executed on both gateways.

2) This is not a supported CheckPoint solution!

Script Version:

- 0.7a final version

- 0.7b bug fix (02.08.2018)

 

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
25 Replies
PhoneBoy
Admin
Admin

Nice one!

Alexander_Rodio
Participant

Is it possible to add all coutries as dynamic objects on one step?

HeikoAnkenbrand
Champion Champion
Champion

In the next version I want to change the following:
1) Add all countries as dynamic object "GEO_xyz
2) Delete all "GEO_xyz" objects
3) Delete individual "GEO_xyz" objects

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Ukko_Metsola
Participant

Nice Code

0 Kudos
Dr__Chris_Murph
Participant

Hello Heiko,

I'm already using your script. Works well. Maybe you can add a download function for the country file from Check Point Update Server with „curl_cli“

Regards

Chris

HeikoAnkenbrand
Champion Champion
Champion

That's a good idea!

Thank you

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion

I have almost finished the new version with the following features (beta):
1) Add all countries as dynamic object "GEO_xyz
2) Delete all "GEO_xyz" objects
3) Delete individual "GEO_xyz" objects

Give me a few more days.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Danny_Yang
Ambassador
Ambassador

Very nice!

It's a useful tool.

_Val_
Admin
Admin

Just a note. R80.20 allows using so-called "Updatable objects" for cloud deployment and GEO (countries) objects. R80.20 MGMT + GW are required.

Timothy_Hall
Legend Legend
Legend

The Gaia Embedded appliances 600-1400 do not support Geo Policy at all (or IPS/TP Packet Captures), but can the geo-dyn script technique illustrated by Heiko Ankenbrand‌ in this article be used to work around this limitation on the Gaia Embedded appliances running R77.20.XX?  My guess is no but wanted to see if anyone has given this a try.  Thanks!

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
HeikoAnkenbrand
Champion Champion
Champion

See SK:

Geo Location objects as network objects in R80.20 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion

Hi Timothy,

I'll take a look at it in the next few days. Maybe this will work on the SMB appliancen as well.

Unfortunately, embeded GAIA does not support all CLI commands. This always leads to problems with scripts.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Egor_Cherkasov
Contributor

Thank you, it's a useful script.

But I don't know how to execute it, I always see the syntax error near unexpected token `('

As well rigths has been assigned to the script (chmod 777 <script_name>).

So could you please advise smth to run it?

Thank you anyway!

0 Kudos
Maik1
Contributor

I had the same problem. I solved the problem with the  2nd line.  Also you have to find the line "scp $mng_admin@$mng_ip:/opt/CPrt-R80.40/conf/ip2country.csv ./ip2country.csv" Correct this line if your managemt version is not R80.40

0 Kudos
HristoGrigorov

'dynamic_objects' on SMB seems to support all the command line arguments used in the script. So very likely that will work. However 'scp' from management server (R80.20 here) gives the following error:

protocol error: illegal mode

Workaround is to transfer /opt/CPrt-R80/conf/ip2country.csv manually and then run the script. It will check that file already exists and skip the scp part.

HristoGrigorov

Btw, Tim, I have similar system on my SMBs that is using 'sim dropcfg' to reject traffic from countries and/or custom networks. I can upload it here if anyone is interested in it.

0 Kudos
Timothy_Hall
Legend Legend
Legend

@HristoGrigorov would like to see how you are doing country enforcement with sim dropcfg on embedded Gaia...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
HristoGrigorov

Well, I do not pretend to be the most effective way but it works for me. 

1. Linux box that downloads aggregated IP ranges for the different countries from http://www.ipdeny.com/ipblocks/data/aggregated/

2. Perl script that will generate simdrop.db file that contains:

- ports that are blocked from Internet (telnet, rdp, etc)

- custom IPs and networks that I want to blacklist

- IP ranges for countries I want to block

3. That file is placed on a web server running on that same box

4. There is a script running on SMBs that will download simdrop.db and use 'sim dropcfg ...' to apply it. 

 

I am working on few improvements:

1. Use CheckPoint provided database as an alternative

2. Web interface similar to what is in SmartConsole to specify countries to block

3. Have SMB poll and auto-download and apply new database when such is published on the Web server (at the moment it is applied on boot and manually when needed)

HristoGrigorov

On R80.20 the correct path is:

/opt/CPrt-R80.20/conf/ip2country.csv

0 Kudos
Andy_Yap
Explorer

Would this script work with VSX gateway or just purely applicable to discreet firewall? 

0 Kudos
Bechor
Employee Alumnus
Employee Alumnus

I'm also wondering is someone tried this script on a VSX env.
If so, the script needs to run on VS-0 or on the specific VS (VS-1)?
0 Kudos
Bruno_Duarte
Employee
Employee

You need to run the script in the specific VS (not in VS0)
0 Kudos
Bruno_Duarte
Employee
Employee

It works in VSX.
0 Kudos
Yatiraj_Panchal
Contributor

HI Heiko,

How can I run this attached script on management server.
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion

Hi @Yatiraj_Panchal,

This script only runs on a gateway.
It modifies the dynamic objects on the gateway.

Regards
Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events