IP Country of Origin Inconsistent - Check Point Firewall
Good evening. I'm having a little bit of confusion with some of the data on my firewall.
In the GUI, it shows an attempted connection from the source 193.37.69.203 over port 3389 with a Russian Federation flag.
There are two things I found a bit confusing.
1.) One of my analyst colleagues at markup related to that IP, and it reads as:
"ip": 193.37.69.203
"country_name": Netherlands.
2.) Looking up the IP in arin.net shows it as having a registration in London.
https://search.arin.net/rdap/?query=193.37.69.203
Can anyone tell me what might be the source of the inconsistency? One thing we did look at was the IP in RiskIQ, and it appears that a few Russian Federation related URLs are associated with it, so I'm not sure if I'm not understanding what goes into the data that we're being presented.
Thank you!
CP uses MaxMind for those things, so if something is not consistent, maybe best to open a TAC case to have it sorted out.
Andy
Are you running R81.10 JHF T110 or higher?
PRJ-44952,PRHF-28082 - IPS - UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.
Even if not, you can update it manually using: https://community.checkpoint.com/t5/API-CLI-Discussion/One-liner-to-update-IpToCountry-data-on-Secur...
You can troubleshoot the data with: https://support.checkpoint.com/results/sk/sk114216
If an IP is incorrectly classified, you'll need to open a TAC case: https://help.checkpoint.com
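
An added example, not written by any poster in this thread and not Check Point code: the three lookups in the question come from different kinds of data, since the firewall flag is a geolocation-database entry while RDAP returns the registration record of whoever holds the address block. The sketch below lines the three answers up and parses an RDAP object for its country and registrant address. All inputs are constructed (the RDAP body follows the RFC 9083 layout but is not the registry's real response), and the names `rdap_registration` and `compare_sources` are hypothetical.

```python
import json

# Constructed inputs modelled on the three lookups in the question. The RDAP
# body is a made-up object in RFC 9083 layout, not the registry's real answer.
FIREWALL_LOG = {"src": "193.37.69.203", "port": 3389, "src_country": "Russian Federation"}
ANALYST_MARKUP = '{"ip": "193.37.69.203", "country_name": "Netherlands"}'
RDAP_BODY = json.dumps({
    "objectClassName": "ip network",
    "country": "GB",
    "entities": [{
        "roles": ["registrant"],
        "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Example Hosting Ltd"],  # placeholder holder name
            ["adr", {"label": "1 Example Street\nLondon\nUnited Kingdom"},
             "text", ["", "", "", "", "", "", ""]],
        ]],
    }],
})
COUNTRY_NAMES = {"GB": "United Kingdom", "NL": "Netherlands", "RU": "Russian Federation"}


def rdap_registration(body):
    """Return (country name, registrant postal address) from an RDAP ip network."""
    net = json.loads(body)
    code = net.get("country")
    address = None
    for entity in net.get("entities", []):
        for prop in entity.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "adr":  # jCard address: label parameter or structured parts
                parts = [p for p in prop[3] if isinstance(p, str) and p]
                address = prop[1].get("label") or ", ".join(parts)
    return COUNTRY_NAMES.get(code, code), address


def compare_sources(log, markup, rdap_body):
    """Collect each source's country answer and report whether they agree."""
    reg_country, reg_address = rdap_registration(rdap_body)
    answers = {
        "firewall log (geolocation database)": log["src_country"],
        "analyst markup": json.loads(markup)["country_name"],
        "RDAP (registration record)": reg_country,
    }
    return {"answers": answers, "registrant_address": reg_address,
            "consistent": len(set(answers.values())) == 1}


if __name__ == "__main__":
    print(json.dumps(compare_sources(FIREWALL_LOG, ANALYST_MARKUP, RDAP_BODY), indent=2))
```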
