networksteamIMS
Contributor

Geo Policy failed to block a country

Hi mates,

I have an issue where the Geo Policy is not able to block a particular country, i.e. Ukraine; see the logs below.

image.png

image.png

See below: I have a geo policy configured to block Ukraine.

image.png

And there is no exception for Ukraine.

image.png

But almost all other blocked countries are blocked successfully, i.e.

image.png

I have also tried explicitly blocking it using Updatable Objects, but no luck.

image.png


Any thoughts guys?


Regards,

Bill.

15 Replies
_Val_
Admin

Version in use, details about FW appliances, configuration, policy, other than Geo protection?

WiliRGasparetto
MVP Diamond

Which rule is matching? Is it not matching any of the policies above that rule? What Gaia version are you running (R81, R81.10, R82)? And what hotfix/JHF version is installed on your firewall?

Lesley
MVP Gold

Hi,

Traffic matches an implied rule. You can start with this SK if you want to move away from implied rules.

https://support.checkpoint.com/results/sk/sk179346


-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Diamond

I would get rid of legacy geo policy and use updatable objects, which has been fully supported since R80.20, I believe.

Best,
Andy
"Have a great day and if it's not, change it"
Lesley
MVP Gold

Did not notice this! Indeed, move away from legacy geo. If you open a TAC case, it will be the first thing that is pointed out.

-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Diamond

100%, no doubt.

Best,
Andy
"Have a great day and if it's not, change it"
Lau
Contributor

I would suggest checking "fw ctl int get geo_max_ip_ranges". If it is at its default of 300k, that is too small for the current number of IPs in the list (IpToCountry.csv is currently at 346063). This will cause the gateway to not read the last addresses in the file, even though the management can resolve them in the logs.

The correct answer is to change away from legacy geo protection though.

EDIT: Should of course be "fw ctl get int geo_max_ip_ranges"

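The failure mode Lau describes (a gateway table sized at geo_max_ip_ranges that fills up before the end of the country list, so addresses in the trailing rows are never classified) can be reproduced with a small simulation. This is an added example, not code from this thread or from Check Point. The three-column CSV layout (integer start, integer end, country code) and the sample rows are constructed for illustration; the real IpToCountry.csv has more columns, and the real cutoff is the value printed by `fw ctl get int geo_max_ip_ranges`.

```python
"""Simulate a gateway that loads at most N country ranges from an
IpToCountry-style CSV and show which countries fall past the cutoff.
Added example; CSV layout and sample data are constructed assumptions."""
import csv
import io
import ipaddress

# Constructed sample: "start_int","end_int","country_code", sorted by start
# address like the real file. The 192.168/198.51.100/203.0.113 blocks are
# documentation/private ranges used only as placeholders.
SAMPLE_CSV = """\
"16777216","16777471","AU"
"16777472","16778239","CN"
"3232235520","3232301055","UA"
"3325256704","3325256959","DE"
"3405803776","3405804031","UA"
"""


def load_ranges(text, max_ranges=None):
    """Parse (start, end, country) rows, keeping at most max_ranges rows.
    A None limit loads everything (what the management server effectively
    does when it resolves the country shown in the log card)."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if max_ranges is not None and len(ranges) >= max_ranges:
            break  # table full: the rest of the file is silently ignored
        ranges.append((int(row[0]), int(row[1]), row[2]))
    return ranges


def lookup(ranges, ip):
    """Return the country code for an IPv4 address, or None if no loaded
    range covers it (the gateway then cannot apply a country-based block)."""
    n = int(ipaddress.IPv4Address(ip))
    for start, end, cc in ranges:
        if start <= n <= end:
            return cc
    return None


def unloaded_countries(text, max_ranges):
    """Countries with at least one range beyond the cutoff. Any address in
    those ranges is unclassified on the gateway even though the log card,
    resolved by management from the full file, still names the country."""
    full = load_ranges(text)
    loaded = load_ranges(text, max_ranges)
    return sorted({cc for _, _, cc in full[len(loaded):]})


def capacity_ok(num_ranges, geo_max_ip_ranges):
    """True when the kernel parameter can hold the whole list."""
    return num_ranges <= geo_max_ip_ranges


if __name__ == "__main__":
    full = load_ranges(SAMPLE_CSV)
    truncated = load_ranges(SAMPLE_CSV, max_ranges=3)
    print("management view  203.0.113.9 ->", lookup(full, "203.0.113.9"))
    print("gateway view     203.0.113.9 ->", lookup(truncated, "203.0.113.9"))
    print("countries past cutoff:", unloaded_countries(SAMPLE_CSV, 3))
    # Figures from the thread: default 300k parameter vs 346063 rows.
    print("300k holds 346063 rows?", capacity_ok(346063, 300000))
```

Running it shows the split view from the thread: the full table resolves the second UA range, the truncated table returns None for the same address, and the default limit of 300000 is reported as too small for 346063 rows. Against a real gateway the equivalent check is to compare the row count of the installed IpToCountry.csv with the value of `fw ctl get int geo_max_ip_ranges`; a count above the parameter means the trailing rows are not loaded.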
networksteamIMS
Contributor

Hi all,

@_Val_ My bad, I forgot to mention I'm running R81.20 Take 119.

@the_rock Yes, I am aware the legacy geo policy has to be got rid of, so I created a network policy with updatable objects as a pilot, as shown, but no luck.

@WiliRGasparetto From the log detail it's saying "Default Geo Policy", which my gateways are associated with.

@Lesley I can't find any rules related to Geo in the implied rules.

@Lau Yes, I'm on the default value of 300k while the CSV has 346063. I found a post replied to by @the_rock a few months back (https://community.checkpoint.com/t5/Firewall-and-Security-Management/Legacy-GeoProtection-Maximum-Ra... ) and reconfigured it to 500k to see if it helps. Do you think those Updatable Country Objects are referencing IPToCountry.csv as well?


Regards,

Bill.

the_rock
MVP Diamond

Hey Bill,

It shows the policy rule has 8k hits, so it definitely does work. Did you deactivate the legacy one?

Best,
Andy
"Have a great day and if it's not, change it"
networksteamIMS
Contributor

Oh yes, you got it; let me get rid of the geo policy completely.

Regards,

Bill.

the_rock
MVP Diamond

That would be the best thing to do, Bill.

Best,
Andy
"Have a great day and if it's not, change it"
the_rock
MVP Diamond

Hey Bill,

I recall a while ago a customer had the same situation: they added an updatable object policy for a specific country and it was still not working right, but as soon as they deactivated the legacy geo policy and installed, all worked fine afterwards.

Best,
Andy
"Have a great day and if it's not, change it"
Lesley
MVP Gold

Hi,

The traffic that is now allowed has the firewall itself as its destination, correct? (It is blurred out.)

-------
Please press "Accept as Solution" if my post solved it 🙂
networksteamIMS
Contributor

Yes, that's one of my public IPs.

Lesley
MVP Gold

Traffic towards the firewall itself is mostly allowed by rule 0 (implied rule). Geo protection kicks in after that. I think that is what happens here.

-------
Please press "Accept as Solution" if my post solved it 🙂