This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
HeikoAnkenbrand
Champion
Champion
‎2018-04-23 08:38 AM

GEO Location Objects in Firewall Policy (with Dynamic Objects)

Currently no regional settings can be used in the Firewall Policy.This only works in the „Geo Policy“ and has the disadvantage that no special settings are possible.

For example, no services like http can be specified.

 

This solution helps and creates Dynamic Objects with the IP ranges of the individual countries.

 

In the first step, a Dynamic Object is created on the gateway that contains all IP addresses of the appropriate country. To do this the script is executed on the gateway.

 

If the script is started the first time the country file is transferred from the management server to the gateway via scp.

 

All you have to do is enter the IP address, user name and password of the management server.

The current country list is displayed. Now only the appropriate country must be selected. 

For example "WLF".

Afterwards dynamic object is created on the gateway with the following name „GEO_<country code>“.

For example "GEO_WLF".

 

Now create a Dynamic Object with the same name in the management under
„New>More>Network Objekts>Dynamic Objects >Dynamic Objekt“.
For example "GEO_WLF"

Now create a Firewall Policy with the Dynamic Objekt.

Install Policy

 

Important!

1) On a cluster the script must be executed on both gateways.

2) This is not a supported CheckPoint solution!

Script Version:

- 0.7a final version

- 0.7b bug fix (02.08.2018)

 

Regards,

Heiko

geo_dyn_0.7.txt.zip
Reply
25 Replies
PhoneBoy
Admin
Admin
‎2018-04-24 05:58 PM

Nice one!

Reply
Alexander_Rodio
Participant
‎2018-04-26 04:48 AM

Is it possible to add all coutries as dynamic objects on one step?

Reply
HeikoAnkenbrand
Champion
Champion
‎2018-04-26 06:51 AM

In the next version I want to change the following:
1) Add all countries as dynamic object "GEO_xyz
2) Delete all "GEO_xyz" objects
3) Delete individual "GEO_xyz" objects

Regards,

Heiko

Reply
Ukko_Metsola
Participant
‎2018-04-26 09:39 AM

Nice Code

0 Kudos
Reply
Dr__Chris_Murph
Participant
‎2018-04-28 06:04 AM

Hello Heiko,

I'm already using your script. Works well. Maybe you can add a download function for the country file from Check Point Update Server with „curl_cli“

Regards

Chris

Reply
HeikoAnkenbrand
Champion
Champion
‎2018-04-28 01:12 PM

That's a good idea!

Thank you

Heiko

Reply
HeikoAnkenbrand
Champion
Champion
‎2018-05-25 05:47 AM

I have almost finished the new version with the following features (beta):
1) Add all countries as dynamic object "GEO_xyz
2) Delete all "GEO_xyz" objects
3) Delete individual "GEO_xyz" objects

Give me a few more days.

Regards,

Heiko

Reply
Danny_Yang
Employee
Employee
‎2018-05-29 08:48 AM

Very nice!

It's a useful tool.

Reply
_Val_
Admin
Admin
‎2018-10-09 05:53 AM

Just a note. R80.20 allows using so-called "Updatable objects" for cloud deployment and GEO (countries) objects. R80.20 MGMT + GW are required.

Reply
Timothy_Hall
Champion
Champion
‎2018-10-21 06:46 AM

The Gaia Embedded appliances 600-1400 do not support Geo Policy at all (or IPS/TP Packet Captures), but can the geo-dyn script technique illustrated by Heiko Ankenbrand‌ in this article be used to work around this limitation on the Gaia Embedded appliances running R77.20.XX?  My guess is no but wanted to see if anyone has given this a try.  Thanks!

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
Reply
HeikoAnkenbrand
Champion
Champion
‎2018-10-22 01:47 AM

See SK:

Geo Location objects as network objects in R80.20 

Regards

Heiko

Reply
HeikoAnkenbrand
Champion
Champion
‎2018-10-22 01:50 AM

Hi Timothy,

I'll take a look at it in the next few days. Maybe this will work on the SMB appliancen as well.

Unfortunately, embeded GAIA does not support all CLI commands. This always leads to problems with scripts.

Regards

Heiko

0 Kudos
Reply
Egor_Cherkasov
Contributor
‎2019-03-01 03:31 AM

Thank you, it's a useful script.

But I don't know how to execute it, I always see the syntax error near unexpected token `('

As well rigths has been assigned to the script (chmod 777 <script_name>).

So could you please advise smth to run it?

Thank you anyway!

0 Kudos
Reply
Maik1
Participant
‎2020-12-16 06:02 AM
In response to Egor_Cherkasov

I had the same problem. I solved the problem with the  2nd line.  Also you have to find the line "scp $mng_admin@$mng_ip:/opt/CPrt-R80.40/conf/ip2country.csv ./ip2country.csv" Correct this line if your managemt version is not R80.40

geo_dyn_0.7.zip
0 Kudos
Reply
HristoGrigorov
Mentor
Mentor
‎2019-03-07 09:27 PM

'dynamic_objects' on SMB seems to support all the command line arguments used in the script. So very likely that will work. However 'scp' from management server (R80.20 here) gives the following error:

protocol error: illegal mode

Workaround is to transfer /opt/CPrt-R80/conf/ip2country.csv manually and then run the script. It will check that file already exists and skip the scp part.

Reply
HristoGrigorov
Mentor
Mentor
‎2019-03-08 09:05 PM

Btw, Tim, I have similar system on my SMBs that is using 'sim dropcfg' to reject traffic from countries and/or custom networks. I can upload it here if anyone is interested in it.

0 Kudos
Reply
Timothy_Hall
Champion
Champion
‎2019-03-28 05:02 AM
In response to HristoGrigorov

@HristoGrigorov would like to see how you are doing country enforcement with sim dropcfg on embedded Gaia...

 

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Reply
HristoGrigorov
Mentor
Mentor
‎2019-03-28 06:06 AM
In response to Timothy_Hall

Well, I do not pretend to be the most effective way but it works for me. 

1. Linux box that downloads aggregated IP ranges for the different countries from http://www.ipdeny.com/ipblocks/data/aggregated/

2. Perl script that will generate simdrop.db file that contains:

- ports that are blocked from Internet (telnet, rdp, etc)

- custom IPs and networks that I want to blacklist

- IP ranges for countries I want to block

3. That file is placed on a web server running on that same box

4. There is a script running on SMBs that will download simdrop.db and use 'sim dropcfg ...' to apply it. 

 

I am working on few improvements:

1. Use CheckPoint provided database as an alternative

2. Web interface similar to what is in SmartConsole to specify countries to block

3. Have SMB poll and auto-download and apply new database when such is published on the Web server (at the moment it is applied on boot and manually when needed)

Reply
HristoGrigorov
Mentor
Mentor
‎2019-03-08 09:38 PM

On R80.20 the correct path is:

/opt/CPrt-R80.20/conf/ip2country.csv

0 Kudos
Reply
Andy_Yap
Explorer
‎2019-03-27 05:04 PM

Would this script work with VSX gateway or just purely applicable to discreet firewall? 

0 Kudos
Reply
Bechor
Employee
Employee
‎2019-04-02 02:50 AM
In response to Andy_Yap

I'm also wondering is someone tried this script on a VSX env.
If so, the script needs to run on VS-0 or on the specific VS (VS-1)?
0 Kudos
Reply
Bruno_Duarte
Employee
Employee
‎2020-03-31 08:54 AM
In response to Bechor

You need to run the script in the specific VS (not in VS0)
0 Kudos
Reply
Bruno_Duarte
Employee
Employee
‎2020-03-31 08:54 AM
In response to Andy_Yap

It works in VSX.
0 Kudos
Reply
Yatiraj_Panchal
Contributor
‎2020-01-14 03:10 AM

HI Heiko,

How can I run this attached script on management server.
0 Kudos
Reply
HeikoAnkenbrand
Champion
Champion
‎2020-03-31 09:44 AM
In response to Yatiraj_Panchal

Hi @Yatiraj_Panchal,

This script only runs on a gateway.
It modifies the dynamic objects on the gateway.

Regards
Heiko

0 Kudos
Reply