
Geo policy


Good Morning,

Is there a way to generate/extract the list of countries that we currently block under Geopolicy? We are running on R80.20.

1 Solution

Accepted Solutions

Re: Geo policy


Hi @Basilio_Alcant1

Use this script on management server to show countries and country IP lists.

This script lists all country entries from the file ip2country.csv and displays the countries sorted for R80.10+.
The country code can then be inserted. For the selected country all IP ranges are displayed.

So you can find all IP ranges which are blocked by GeoProtection for a country.

Bash script to show IP ranges for countrys from GeoProtection
or
GEO Location Objects in Firewall Policy (with Dynamic Objects)

Regards

Heiko

6 Replies
Danny
Pearl

Re: Geo policy


Do you have such a long list in your Geo Policy?


Re: Geo policy


Yes we do, it's a very long list.


Re: Geo policy


Getting this Geo Policy country list does not seem possible through the SmartConsole GUI or the API from what I can see.

However this information can be pulled out of the compiled policy out on the gateway similarly to the antispoofing configuration.  The file to look at on the gateway is $FWDIR/state/local/FW1/local.set.  There is a section called block_by_countries_protection in that file that shows all the countries listed under "Policy for Specific Countries".  A fast way to access the list is the following command you can run on the gateway:

grep country_dispaly_name $FWDIR/state/local/FW1/local.set

(Note that I did not make a typo in the above command, it truly is country_dispaly_name in the file itself)

Obviously this one-liner does not show direction of enforcement and action (Drop/Accept) but if you know that all countries listed have an action of Drop this should be sufficient.

I sense an impending update to the ccc tool...

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
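
The lookup described in the reply above can be turned into a drift check that compares the compiled country list with a list you expect to be blocked. This is an added example, not code from the thread or from Check Point; the function names, the baseline file and the assumed entry layout `:country_dispaly_name (Name)` are assumptions, and only the field name itself comes from the reply.

```shell
#!/bin/bash
# Added example: audit the compiled Geo Policy country list against a baseline.
# ASSUMPTION: each entry in local.set looks like
#   :country_dispaly_name (Some Country)
# with the value in parentheses, optionally quoted. Check the real layout on
# your own gateway before relying on the output.

# Print the country names found in a compiled policy file, sorted and unique.
geo_countries() {
    grep 'country_dispaly_name' "$1" |
        sed -e 's/^.*country_dispaly_name[[:space:]]*(//' \
            -e 's/)[[:space:]]*$//' \
            -e 's/^"//' -e 's/"$//' |
        sort -u
}

# Compare the compiled list with a baseline file (one country per line).
# Prints "MISSING <name>" for baseline countries absent from the policy and
# "EXTRA <name>" for countries in the policy but not in the baseline.
# Returns 0 when both lists match, 1 on drift, 2 if no temp dir is available.
geo_drift() {
    policy_file=$1
    baseline_file=$2
    tmp_dir=$(mktemp -d) || return 2
    geo_countries "$policy_file" > "$tmp_dir/current"
    sort -u "$baseline_file" > "$tmp_dir/baseline"
    comm -23 "$tmp_dir/baseline" "$tmp_dir/current" | sed 's/^/MISSING /'
    comm -13 "$tmp_dir/baseline" "$tmp_dir/current" | sed 's/^/EXTRA /'
    if cmp -s "$tmp_dir/baseline" "$tmp_dir/current"; then rc=0; else rc=1; fi
    rm -rf "$tmp_dir"
    return "$rc"
}

# Constructed sample input (not taken from a real gateway).
write_sample() {
    cat > "$1" <<'EOF'
:block_by_countries_protection (
    : (
        :country_dispaly_name ("North Korea")
    )
    : (
        :country_dispaly_name (Iran)
    )
)
EOF
}
```

On a gateway the call would be `geo_drift $FWDIR/state/local/FW1/local.set baseline.txt`; like the one-liner, it says nothing about direction or action.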
Danny
Pearl

Re: Geo policy


@Timothy_Hall senses are powerful. Solution here: One-liner to show Geo Policy on gateways

ccc script updated.

Danny
Pearl

Re: Geo policy


@Basilio_Alcant1 looks for a list of countries, not IP ranges.
