Vladimir
Champion

Geo Policy misidentifying countries in 80.40

While I've read the recommendations about using updatable dynamic objects in the access control policy for Geo Protection, I believe this should still work as advertised, or it'll have the same effect regardless of approach:

aGeo1.png

aGeo2.png

aGeo4.png

I am seeing it happening for multiple update services (Notepad++, MS, etc.).

Timothy_Hall
Champion

That 31.220.48.0-31.220.55.255 netblock is indeed associated with RIPE (Europe) as part of a larger block, but if you actually do a whois search at www.ripe.net itself the result appears to indicate that the block is actually associated with the United States:

ripe.png

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Vladimir
Champion

Very well, so it does identify it correctly by country. In that case, why is it being blocked?

Timothy_Hall
Champion

Hmm, interesting: Geo objects/protection are based on the MaxMind database (https://www.maxmind.com/en/geoip-demo), and it is saying that IP address is in Lithuania. Do you have that country blocked in your policy? It appears MaxMind is wrong, which is causing the block, but the display of the country name in the logs is actually correct based on RIPE? Huh?

Not sure what to make of this... paging @PhoneBoy for possible R&D assist...

maxmind.jpg


Vladimir
Champion

Anything except US and Israel is blocked in the sample policy.

PhoneBoy
Admin

When I look at the relevant CSV file on MY management, it shows the IP address as being in the US.
"534523904","534527999","iana","410227200","US","USA","United States"

That file is listed here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

To see what the Updatable Object says, we can leverage the fact that a Dynamic Object is created "under the hood" when used in the policy: dynamic_objects -uo_show
And it turns out that IP address is NOT listed among the ranges in CP_GEO_US (the dynamic object created for United States).

Theoretically, we should be using the same data source for both here, but clearly there is a difference.
Let me ask around internally.
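The two data sources in the thread can be compared mechanically. The script below is an added example (not from the thread, not Check Point code): it parses rows in the layout of the CSV line quoted above (integer start/end, registry, assignment date, country code, ISO3, name), converts the integers back to dotted addresses, and flags any IP where the CSV country and a list of dynamic-object ranges disagree. The second CSV row and the CP_GEO_US range list are constructed stand-ins; the real output format of dynamic_objects -uo_show is not shown in the thread.

```python
import csv
import io
import ipaddress

# Constructed sample in the layout of the row quoted in the thread:
# "start_int","end_int","registry","assigned","cc","cc3","country_name".
# First row is the one from the post; second row is constructed for contrast.
GEO_CSV = '''\
"534523904","534527999","iana","410227200","US","USA","United States"
"534528000","534532095","ripencc","1283212800","LT","LTU","Lithuania"
'''

# Constructed stand-in for the ranges found in the CP_GEO_US dynamic object.
# It deliberately omits 31.220.48.0-31.220.55.255 to mirror the thread's finding.
CP_GEO_US_RANGES = [("31.220.56.0", "31.220.63.255")]


def int_to_dotted(n):
    """Turn a CSV integer (e.g. 534523904) back into dotted form (31.220.48.0)."""
    return str(ipaddress.IPv4Address(n))


def load_geo_csv(text):
    """Parse CSV rows into (start_int, end_int, cc, country_name) tuples."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue  # skip comments or truncated lines
        rows.append((int(row[0]), int(row[1]), row[4], row[6]))
    return rows


def csv_country(ip, rows):
    """Country code the CSV assigns to ip, or None if no range covers it."""
    n = int(ipaddress.IPv4Address(ip))
    for start, end, cc, _name in rows:
        if start <= n <= end:
            return cc
    return None


def in_dynamic_object(ip, ranges):
    """True if ip lies inside any (first, last) dotted range of the object."""
    n = int(ipaddress.IPv4Address(ip))
    return any(int(ipaddress.IPv4Address(a)) <= n <= int(ipaddress.IPv4Address(b))
               for a, b in ranges)


def check_consistency(ip, rows, ranges, cc="US"):
    """Mismatch when the CSV says cc but the object lacks ip, or vice versa."""
    csv_cc = csv_country(ip, rows)
    in_obj = in_dynamic_object(ip, ranges)
    return {"ip": ip, "csv_cc": csv_cc, "in_dynamic_object": in_obj,
            "mismatch": (csv_cc == cc) != in_obj}
```

Running check_consistency over the IPs seen in the logs gives a quick list of addresses where the CSV and the updatable object disagree, which is the evidence to hand to support.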