Showing results for 
Search instead for 
Did you mean: 
Create a Post

GeoProtection daily update problem today

Hello,I'm writing this post to let other Check Point customers know that their iptocountry.csv file used in GeoProtection may be corrupt, to confirm if others have experienced a similar problem today, as well as to vent 🙂We are running R80.30 and heavily utilize the GeoProtection feature of Threat Prevention (block about 180 of the 195 countries for To/From). We utilize a whitelist policy such that if a country isn't explicitly allowed, we drop/log the packet.This morning we were receiving complaints that uses' internet connection wasn't working. Upon inspection of our firewall logs, we noticed that 99% of traffic was being blocked due to GeoProtection. To get things up and running (as our risk tolerance leans heavily towards usability) we disabled GeoProtection prior to performing an RCA.As every block was related to GeoProtection, I theorized that the GeoProtection update (which occurs in the morning of every day) was a possible root cause. Sure enough, upon inspection of the iptocountry.csv file located at $FWDIR/tmp/geo_location_tmp/updates/, the timestamp of the file matched the first report of a user's inability to connect to the internet.Prior to contacting Check Point support, I pulled the file from the gateway in case they needed a copy for troubleshooting. But when I opened the file I noticed that it was much smaller than previous examinations. Indeed, the size of the file was only 22KB, whereas other times it's been closer to 7MB.Additionally, I examined a specific log entry for a blocked session destined to one of Apple's public IP addresses, 17.x.x.x, and using Check Point's conversion method (sk94364), I confirmed that the IP was not in the .csv file and by extension not identified as belonging to any particular country.Sidenote about GeoProtection up to R80.30; if an IP range is not included in the iptocountry.csv file (of which there are a handful, including,, and, SmartConsole will cosmetically identify the country as the United States but behaviorally treat the packet as belonging to an unknown country.So if a packet has an IP whose range is not in the iptocountry.csv file, then depending on your GeoPolicy being whitelist or blacklist two different things will happen.If your GeoPolicy is whitelist (and logically your action for 'other countries' would be to drop), then the packet would be dropped.If your GeoPolicy is blacklist (and logically your action for 'other countries' would be to allow), then the packet would be allowed.When I got on the phone with support, they were doing their traditional troubleshooting of break/fix by replacing the iptocountry.csv file on the gateway. However after mentioning that when attempting to download the same .csv file from Check Point's website (from this URL:, as mentioned in this Checkmates post:, it's the same 22KB sized file that was synced to our gateway.He reached out to his escalation team and they mentioned that other tickets were appearing for the same symptom.So heads up Checkmates!Fun morning 🙂-------------------Edit regarding blacklist vs whitelist: a few months ago we had a ticket open with Check Point support regarding GeoProtection, and were told that the best practice is to implement a whitelist, despite the fact that sk112249 mentions that Blacklisting (at least Application Control as mentioned in that article) is 'by far more common'.-------------------Update: CP support responded with this post about their RCA ( also received an email on July 11 from the TAC engineer assigned to the case saying that their CFG team has confirmed the issue has been resolved in the most recent Geo Protection update file. However, the URL for which I was downloading a copy of the iptocountry.csv file ( still only has the 22KB file, but I'm wondering if this is only the monthly update (not daily) as support wrote about in their aforementioned RCA post.

GeoProtection daily update issue from July 10th

Hi guys, I would like to share our root cause analysis for the Geo-location update issue from July 10th: On July 10th at 9:16 UTC our automatic geo-location update service issued an update package which included only small fraction of the geo-location information, resulting in Security Gateways around the world getting only partial information. This caused either allowing or disallowing more traffic than intended. Throughout July 10th we started receiving reports from customers about this issue and on July 11th we reverted the update to the July 9th version while investigating the issue. We have since then found the bug and know its root cause. This was not caused by a software update or a faulty deployment. For transparency we would like to share the details of the incident: In 2018, 9 years after creating the geo-location update service, we improved the service to become updated daily (instead of monthly updates as was until then). This was done to accommodate our customers’ wishes mostly in response to new US OFAC (Office of Foreign Assets Control) regulations. We created an algorithm to produce hybrid geo-location updates from two data sources – one that is more accurate but updates once a month, and another that is less detailed and possibly less accurate but updates once per day – taking the good parts from each data source and leaving the bad parts out. This algorithm proved itself – we saw a drastic decline in the number of complaints about geo-location misclassification and received positive feedback. Last week’s incident was caused by a daily update which assigned an IPv4 range to the country of Laos. Laos’s official name is “Lao People’s Democratic Republic”. Embarrassingly that name caused a sequence of events that caused our service to publish a valid but very partial geo-location package. Although this service is well monitored – the failure was in a blind spot and we did not get an alert prior to the service tickets. We are very sorry this happened, we realize this service means a lot to our customers. We are doing a full review of the script monitoring system to make sure no other blind spots exist and make sure this doesn’t happen again.

Understanding Identity Sharing

The documents reviews the process of identity sharing between PDP and PEP instances and it is providing a short documentation about the related commands for monitoring and troubleshooting.

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) IntroductionThe IPS Analyzer Tool collects information about the IPS Protections usage. The IPS statistics information indicates which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. Analyzer tool processes the statistic outputs and produces a clear HTML report based on that output. The report indicates which IPS protections are causing critical, high or medium load on CPU and provides information regarding the load on Security Gateway per traffic type.The IPS Analyzer Tool is supported on R77 and above.(2) ProcedureCollect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".Compress the IPS statistics output folder on Security Gateway:[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/[Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from Security Gateway to your computer and unpack it.Run the IPS Analyzer Tool on the unpacked IPS statistics output folder:Open Windows Command PromptRun:C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"Review the output files:AnalyzerReport.html - Main report file, located in DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use Chrome or Firefox browser)analyzer.log - Log file*NOTE*The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:"Threat Prevention Protection – ID NUM"If a significant portion of these entries is found then the IPS Software Blade is not the only one impacting the gateway performance and the impact of other Software Blades should be considered.(3) IPS Analyzer Tool SurveyWe would like to receive your feedback in a short, up to 2 minutes survey. Your feedback will help us to improve the tool and the services we provide you. Click here to take the survey.For any question please

VRRP with R80.10 - Interfaces in backup mode

Hi Folks,I am facing a weird issue with R80.10 Cluster in VRRP.I have currently have only one firewall configured in VRRP cluster and management server is away one hop; that is on L3 switch. So my topology is INTERNET-----Firewall--> L3-->Mgmt server.I then upgraded the firewall to R80.30 however after upgradation obviously it came up with Initial Policy since it could not fetch the policy from Mgmt server however when I decided to install policy it couldnt connect to Mgmt server. When I investigated I found that all the interfaces [though its single appliance in cluster] were in backup mode. And since no policy was installed HA module wasnt started.I guess since being a single appliance it by default should come up as Primary, correct?Any clue or any other alternative by which appliance can load last installed policy?

How to configure Check Point as WAF?

Hi,We have heard that the Check Point can work as simple WAF.We are thinking that it is a part of IPS. Becasue there is no WAF blade.However we couldn't find any documents and information about it in SK or this check mate site.Could you inform me of how to configure Check Point as WAF?We know that OWASP Top 10 is renewed in 2017 as below.--------------------------------------------A1:2017-InjectionA2:2017-Broken AuthenticationA3:2017-Sensitive Data ExposureA4:2017-XML External Entities (XXE)A5:2017-Broken Access ControlA6:2017-Security MisconfigurationA7:2017-Cross-Site ScriptingA8:2017-Insecure DeserializationA9:2017-Using Components with Known VulnerabilitiesA10:2017-Insufficient Logging&Monitoring--------------------------------------------We are thinking that the above each item is corresponded to a signature of IPS.Regards,

VPN Tunnel Management per Gateway Pair and consequences when I have multiple other tunnels

Hi Folks,I have total around 12 VPN Tunnels running on 5900; all are Policy/Domains based VPN. I have been asked to move and see the possibiities one Tunnel out of those 12 to One VPN tunnel per Gateway Pair. Wondering what could be the consequences on other tunnels then? Since I know One VPN tunnel per Gateway pair means CP will start sending/accepting R

Meaning of CVE numbers in IPS signatures

Hi,we are currently running 77.30 and are going to upgrade to 80.x.Anyway we started using IPS now with the 77.30 and I'm wondering about the meaning of the CVE numbers in the IPS signatures.As an example I have the "Linux System Files Information Disclosure" going with CVE-2018-3948. The CVE number is about TP-Link devices.So we don't run TP-Link devices and I first thought I could deactivate this protection. But then I checked the logged events and saw common directory traversal attacks. I checked if there are other "Linux System Files Information Disclosure" protections but cannot find any.Is this signature just for TP-Link devices because of the CVE or is the CVE just an example for this attack pattern?Thank you for your help.

IPS Tags assigned to a IPS protection

I'm not sure this is a feature request or something I'm missing, but I'd like to see what IPS tags are applied to a single protection. For example, when I open protection "Adobe Acrobat and Reader Memory Corruption (APSB17-24; CVE-2017-11227)", I'd like it to display what tags are applied to it. This would be more useful in certain circumstances instead of filtering on a tag and seeing what protections have that tag. Am I missing something? Dave

Geo policy

Good Morning, Is there a way to generate/extract the list of countries that we currently block under Geopolicy? we are running on R80.20.

Policy Violation on MTA with Thread Emulation/Extraction

Hi mates!This is my very first post so i'll try to do my best.We are facing a strange issue where immedately after enabling the Thread Emulation and Thread Prevention blades (along with the MTA) on the checkpoint cluster, all mail traffic flow stops.Our mail flow setup consists of 2 Exchange 2010 Edge Transport servers in our DMZ, and 2 Exchange hub Transport servers in the internal security zone, all of them connected with a Edge Subscription. All security zones are connected via our 15400 two-node ClusterXL, on R80.10.The behavior is really strange because when we enable the blades and the MTA, all mail queues stop delivering and the Exchange queue viewer show a "POLICY VIOLATION" error.Please don't hesitate to ask for further information. Lot of thanks

Anti-spam blade don´t permit attachments and sends to spam

Anti-spam blade don´t permit attachments and sends to spamWhat can cause this problem??Here the capture.

Slow performance when Antivrus enabled.

I am looking for information on why performance of a java applet drops by a factor of 20 when I enable the antivirus blade and where I can look for the cause. The environment: I have replaced an existing cluster of 5200 appliances with a cluster of 5600 appliances. the 5200 cluster is running r77.30 and the 5600 cluster is running R80.20 They both have exactly the same features/blades enabled and the same policy is applied to both. When I run the java applet(jnlp) from the web page using the 5200 cluster, logon to the application takes under 5 seconds after entering my credentials. However when I replaced the cluster with the 5600 cluster running R80.20 logon takes >2 minutes. If I disable the antivirus blade logon goes back to sub 5 seconds. I set up a test environment where I can run the 5600 cluster in parallel with the 5200 cluster with the only traffic through the 5600 cluster being the one server that java applet connects to. I have exactly the same experience with the applet, <5sec logon with antivirus disabled and > 2 minutes with it enabled. To me this would indicate that it is not a capacity problem, but possibly something to do with the way R80.20 performs antivirus. I have checked the logs on the smartconsole but there are no antivirus logs recorded. Does anyone have any tips on how to see what the antivirus is doing and why it may be causing slow performance?

DNS protection in R80

Hi AllCan anyone tell me if R80 does any checking and blocking of DNS queries to malicious websites etc?Many thanksCarl

Finding those who want to steal or encrypt your data - Learn about Anti-Bot

In this short video you see how Anti-Bot Blade is playing a key role in the defense against ransomware and malware stealing data. Enjoy 😄 LITHIUM.OoyalaPlayer.addVideo('https:\/\/\/static\/v4\/production\/', 'lia-vid-pxZzg0aTE6AhE3UdqzNQiPa-6MgH-grww1600h900r402', 'pxZzg0aTE6AhE3UdqzNQiPa-6MgH-grw', {"pcode":"kxN24yOtRYkiJthl3FdL1eXcRmh_","playerBrandingId":"ODI0MmQ3NjNhYWVjODliZTgzY2ZkMDdi","width":"1600px","height":"900px"});(view in My Videos)