This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kevin_Orrison
Collaborator
‎2025-10-22 11:20 AM
Jump to solution

Geo Protection Updatable Objects

I'm looking to finally move to updatable objects off of the legacy geo protection policy. I'm looking for suggestions on the best way to do this. I'm not getting much guidance from support other than general information on updatable objects. The only info I can really find is the below SK. It just doesn't have a ton of info on the transition process. How did you all do this? Did you just use that command in the SK to hide the old shared geo policy and make a new access policy? How do I ensure the old policy isn't on or being enforced? Are you making a separate policy layer for geo protection or just adding rules to the top of your current access policy? Does anyone have any recommended geo policies they are willing to share as an example? 

https://support.checkpoint.com/results/sk/sk126172

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2025-10-22 12:10 PM
Jump to solution

Thats it...just use the sk and use geo updatable objects as source to dst any block and other way around (if needed). I always place geo rules on very top.

Push policy, done.

Best,
Andy

View solution in original post

6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-10-22 12:10 PM
Jump to solution

Thats it...just use the sk and use geo updatable objects as source to dst any block and other way around (if needed). I always place geo rules on very top.

Push policy, done.

Best,
Andy
Kevin_Orrison
Collaborator
‎2025-10-22 01:51 PM
In response to the_rock
Jump to solution

I'm guessing instead of the separate exception section, you just make a rule above your geo rules to allow an exception?

(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-10-22 05:18 PM
In response to Kevin_Orrison
Jump to solution

YES SIR!

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-25 11:41 AM
Jump to solution

Hey Kevin,

Just wanted to check if you were able to get this sorted out?

Best,
Andy
0 Kudos
Kevin_Orrison
Collaborator
‎2025-10-30 03:23 PM
In response to the_rock
Jump to solution

Mostly... I set the old geo policy under shared policies to inactive and pushed out some new rules at the top of my rule base to block unwanted countries. Then I tried running $FWDIR/scripts/reload_env_vars.sh -u "disableHiddenGeoPolicy" on my SMS per sk126172 to hide the old geo policy under shared policies. It didn't work. It's still there under shared policies. I'm working with support to figure out why. Nothing yet. Has anyone else run into this?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-30 03:25 PM
In response to Kevin_Orrison
Jump to solution

I think that sk has steps how to hide old geo legacy policy?

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events