This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wayne_Hammond
Collaborator
‎2025-06-02 02:16 PM
Jump to solution

Odd Thing After R82 Upgrade

Hi,

This evening I upgraded one of our FW's to R82 from R81.20

All went well, but then I noticed it was getting an odd message about couldn't contact Checkpoint and could not then find updates.

After various head scratching I looked in the logs and for some reason the Geo Policy now thinks my IP address is registered in BGR which is on our risk database, so blocked.

Long story short I have had to add an exception in the policy, but what on earth would cause this, and is there a reasonable fix or do i just leave me exception in place?

Thanks

Wayne - confused 🙂 

Preview file
15 KB
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Diamond
MVP Diamond
‎2025-06-03 03:38 AM
In response to Wayne_Hammond
Jump to solution

Here is what I always do with all customers.

Create whatever country exceptions you need on the top of the rulebase, then just below that, add all other countries as source (group them so it looks nicer), then dst as any, service any, action block, install policy, thats it. And you can also delete old legacy geo policy.

Andy

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

0 Kudos
10 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-06-02 03:41 PM
Jump to solution

Hey Wayne,

I hate assuming things, but let me take a wild guess...did you by any chance have old legacy geo policy in place? If so, this behavior would not surprise me. Since R80.20, updatable objects are recommended to use for geo blocking.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Wayne_Hammond
Collaborator
‎2025-06-02 11:01 PM
In response to the_rock
Jump to solution

Hi Andy, 

Yes I use the old Geo policy, I checked my IP on MaxMind and that says UK based.

Still a bit confused?

Cheers

Wayne

0 Kudos
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-06-02 11:22 PM
In response to Wayne_Hammond
Jump to solution

Please refer to https://support.checkpoint.com/results/sk/sk126172 and use Updatable Objects instead of the Geo Policy.

0 Kudos
Wayne_Hammond
Collaborator
‎2025-06-02 11:39 PM
In response to Tal_Paz-Fridman
Jump to solution

Hi Tal,

I will try converting to UO and see what happens

Cheers

Wayne

0 Kudos
Wayne_Hammond
Collaborator
‎2025-06-03 12:52 AM
In response to Wayne_Hammond
Jump to solution

Quick question, if I do use UO for Geo policy, what is the best way to have exceptions?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-06-03 03:38 AM
In response to Wayne_Hammond
Jump to solution

Here is what I always do with all customers.

Create whatever country exceptions you need on the top of the rulebase, then just below that, add all other countries as source (group them so it looks nicer), then dst as any, service any, action block, install policy, thats it. And you can also delete old legacy geo policy.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-06-03 03:37 AM
In response to Wayne_Hammond
Jump to solution

I get it, but I had seen it happen many times before with old geo policy, specially in new versions. As @Tal_Paz-Fridman suggested, that sk is best to follow.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Wayne_Hammond
Collaborator
‎2025-06-03 04:02 AM
In response to the_rock
Jump to solution

Thanks to both of you !!

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-06-03 04:08 AM
In response to Wayne_Hammond
Jump to solution

Glad we can help mate. I attached a screenshot from my lab. I did not even add any exceptions, as in my group, I did NOT add Canada and USA, everything else is there (just as an example)

Andy

 

Best,
Andy
"Have a great day and if its not, change it"
Preview file
160 KB
the_rock
MVP Diamond
MVP Diamond
‎2025-06-03 04:24 AM
In response to Wayne_Hammond
Jump to solution

Forgot to add something else, though this obviously will not apply to everyone out there, but I want to mention it to you Wayne. While back, I was working with a hospital and we determined they were having bunch of issues due to geo policy, until we addeed Israel and Japan as exceptions. Mind you, that should be easy to tell from the logs if you ever encounter such an issue.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events