Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
the_rock
Leader
Leader

R81 geo policy

Hey everyone,

 

I know that sk126172 says to use updatable objects and thats fine, but at the bottom if the article, it gives the procedure on how to unhide default geo policy tab in dashboard. Funny enough, customer has cloud instance, so we can do that, but, I thought based on reading the article that command is ran on gateway itself? Regardless, tried it and did not do anything...

 

By the way, I had 2 R81 labs (one standalone and one distributed) and when I ran the commands, it messed something up that I had to disable IPS blade to get policy working again. Just sounds too coincidental that issue would happen literally 15 mins after running the script from the sk.

Anyone experienced something similar? 

 

Andy

0 Kudos
23 Replies
PhoneBoy
Admin
Admin

The mechanism is still there, we just hide it in the management UI in R81.

And yes the legacy method is tied to IPS.
Believe it operates similar to Core IPS protections (ie requires an Access Policy install to make changes).

0 Kudos
Danny
Champion
Champion

It's hidden for a reason. I'm following Check Point's recommendation. No issues with updatable objects so far.

image.png

0 Kudos
the_rock
Leader
Leader

Thanks for the responses guys, but that does not answer my question at all. I know I can use updatable objects, but had few customers where there was an issue...say specific country is blocked and just randomly, traffic is being allowed for no reason and TAC never found an explanation why. When we switched to default geo policy, worked fine. So again, seems like sk I indicated is not very useful, as it does not give the right procedure. Its highly unlikely commands are correct, considering I did it in 2 lab R81 setups and it failed in both...makes no sense.

 

Andy

0 Kudos
Danny
Champion
Champion

That might just be a visual issue which tricks you to think that traffic is accepted for a blocked country because you probably din't update the ip2country.csv on your SmartCenter every night. I've created a One-liner that solves this.

0 Kudos
D_TK
Contributor

Danny  - off topic, but it looks like in your screenshot, rule 2, is the source a group of updatable objects?  Every time I've tried to group updatable geo objects, i receive a "field network object group members ...." error. so unfortunately i have ~100 objects in my geo rules.  R80.40

0 Kudos
the_rock
Leader
Leader

Thats easy to fix...you say add countries to block via updatable objects and then allow all continents in the rule below. That actually works for the most part.

0 Kudos
D_TK
Contributor

right, but in my block rule i have about 100 updatable country objects listed (which looks messy) because smartconsole won't let me create a group with updatable objects.

0 Kudos
the_rock
Leader
Leader

Tell me about it :). I still recall similar things even back in R55 lol

0 Kudos
the_rock
Leader
Leader

But, in all seriousness, Im not joking now, you CAN do that. Here is how...super easy peasy. Highlight all those countries in the rule, then right click and select "group objects", give it a name, done. You are welcome : )

0 Kudos
D_TK
Contributor

Doesn't work for me with updatable objects.  receive this error every time.

 

Screenshot 2021-02-12 192045.jpg

0 Kudos
the_rock
Leader
Leader

Yes, you are right...I know this worked for me in R80.10, but I see it fails now in R80.40. Ah, Check Point...man, always something : ). Ok, let me test this tomorrow morning and I will update you.

Happy weekend!

Andy

0 Kudos
Dorit_Dor
Employee
Employee

1. The functionality is there. However the “legacy” ui was so front end in the ui, the product actually mis-guided the user to use the wrong thing. So we hidden the ui by default if you dont use it. 


2. If you are fresh user, you will now be directed to use the right way and if you used the legacy, and dont want to migrate, we dont force you

3. Please use the new way if you can because its the right way. In addition,  updateable objects are necessary for good use of the  product in modern scenarios. If updateable objects dont work in good way, we are not aware and we need to fix it. So please assume that we expect them to work and if there are issues, open TAC case so that we can handle them 

0 Kudos
the_rock
Leader
Leader

I never quite logically understand why Check Point does things like that. Arent customers entitled to know if a feature is broken or something could be wrong with it? I asked TAC person the other night specifically, point blank, what would be the reason that you guys would remove default geo policy in R81? He took few minutes, came back and said that he found some internal notes, but is not allowed to share them with customers. Imagine how uncomfortable that must feel for an engineer...they know the reason, but are not allowed to share it. I dont personally see how is that a good business practise.

 

Anyway, all Im trying to figure out is why the sk I attempted fails and no one in TAC seems to know or is willing to test. The best answer I got is "Well, it is a new product"...to which I respond "Well, you are making money off people selling it to them, so it would be honest thing to try and make it work"

0 Kudos
Dorit_Dor
Employee
Employee

Thank you for the feedback

The change was not supposed to be secret or hidden and it was not supposed to be hard to get answers on “why”

Therefore, we appreciate the report and will use it to learn what went wrong, improve documentation and improve the process going forward

Dorit

0 Kudos
the_rock
Leader
Leader

Hi Dorit,

 

Im happy to give you my honest feedback offline, if you really care to know about it (you are more than welcome to message me privately offline). All I will say is this...there is RIGHT way of doing this and there is WRONG way of doing thigs. Sadly, my experience with lots of SKs and procedures in them, as well as way TAC does things, has not been a positive one and I can assure you, I am not the only one that says that.

 

Cheers,

Andy

0 Kudos
the_rock
Leader
Leader

Sorry to say this, but I dont think its possible...maybe if someone from escalations or R&D sees this thread, they can confirm, but I tried everything I can think of and no dice, apologies.

 

Andy

0 Kudos
Dorit_Dor
Employee
Employee

1. sk126172  stated that Starting from R81, Geo Policy is hidden from the navigation pane if no rules are configured in that window. Geo Policy is now supported through Updatable Objects in the Access Control Policy. Geo Policy rules can still be configured in Updatable Objects as described above.

We are having offline discussion to learn why the communication went wrong and we will improve it 

2. The other point here is that grouping (needed to manage large number of geographies) does not work. There is indeed issue w specific grouping of updateable objects (UI validation on grouping that is too strong). The issue was already raised by others and grouping is supported in R81.10  (join the EA soon). Until then you can continue to use the old geo policy 

We appreciate the product feedback. 

0 Kudos
Vladimir
Champion
Champion

FYI: the sk126172 to unset Geo in R81 392 (had to enable it temporary to remove Geo logging) results in:

"Failed to reload Env variables to CPM. Check /opt/CPsuite-R81/fw1/log/cpm.elg for errors."
The error is:
invalid format in line [unset disableHiddenGeoPolicy=1] in file [/opt/CPsuite-R81/fw1/conf/dynamic_system_env]

CPIshai
Employee
Employee

Hi @Vladimir, thanks for bringing the issue to our attention, of course you are right and in the SK instead of:

 ./reload_env_vars.sh -u "disableHiddenGeoPolicy=1"

It should have been  

./reload_env_vars.sh -u "disableHiddenGeoPolicy"

I'll make sure to fix the SK as well. 

Vladimir
Champion
Champion

@CPIshai , you are quite welcome and thank you for the prompt response and correction.

0 Kudos
Vladimir
Champion
Champion

Apologies fro removing your reply from being a solution, as it does not address the original post's concerns.

It was a solution to a different, but related issue.

the_rock
Leader
Leader

Thats great it will be corrected, because I suspected something was wrong with that command in the sk.

CPIshai
Employee
Employee

@Vladimir @the_rock the SK commands seem to be fine now.