This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
‎2023-07-13 05:02 AM

Drop, updateable objects

Hi

I wonder why some traffic from China can cross my rules even if a rule that would drop the traffic is there!

 

china.JPG

The goal of the 8th rule is to drop any traffic from these countries

but looking at the logs:

china1.JPG

What do I miss here?

0 Kudos
5 Replies
the_rock
Legend
Legend
‎2023-07-13 05:10 AM

That is a bit odd. When did you notice this happen first? Rule order is 100% correct, so as long as Geo block rule comes first, no reason why it would not work.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-07-13 05:16 AM

Ok, now I know 100% why it works...look at below. Based on maxmind site, (which is what CP uses officially for geo location), that IP shows as belonging to Singapore, NOT China and thats why its allowed. Also, all the other IPs from same range belong to exact same ISP provider.

I would open TAC case and ask them to sort this out.

Andy

Screenshot_1.png

Moudar
Advisor
‎2023-07-13 05:50 AM
In response to the_rock

You are right, I will keep an eye on this and see if more flag errors are there

0 Kudos
the_rock
Legend
Legend
‎2023-07-13 05:53 AM
In response to Moudar

I think what @Timothy_Hall posted is perfect, maybe you should folllow that and see if it works for you.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-07-13 05:45 AM

The gateways and the SMS have their own separate update mechanisms for the MaxMind geo database, and when they get out of sync with each other things like this can happen.  This situation was covered in my updated R81.20 IPS/AV/ABOT Immersion Course:

geo_updates.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events