leonid1890
Contributor

Geo IP / Geo Policy

Hello,

 

Where can I find information regarding Geo IP / Geo Policy on Gaia Embedded (Local Management)?
What does it give and how do I configure it on the appliance?

0 Kudos
12 Replies
Lesley
Leader

Hi, what version are you running on the FW? In older versions, Geo protection is not supported.

In R81.10 it is supported, please see:

https://support.checkpoint.com/results/sk/sk178604

I think you have to import the updateable objects, please check if they are already present on the FW:

https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/show-updatable-objects-impor...

This topic also shows how to use them in the rules.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
leonid1890
Contributor

Thanks, 

I am using R81.

Is there also some documentation explaining what Geo protection is and how I should use it?

I am new to this feature.

0 Kudos
G_W_Albrecht
Legend

See sk126172: Configuring Geo Policy using Updatable Objects in R80.20 and higher

Also look into this discussion:

Multiple Geo Locations In Manual Policy

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee

The simplistic use case is using the country objects in the source or destination column of your security policy.

Navigate as follows:

Access Policy > Firewall > Policy > New > Top > Modify the Source or Destination Column > Import > Updatable Objects > Scroll down to the "GEO Locations" objects > Expand and pick the country of your choice > Apply > Finish defining your rule and click Apply again.

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend

GEO protection uses maps of IP address ranges to country. This can be used in different ways, e.g. restricting RA VPN connections to IPs from the customer's country only or denying web access to sites in Russia or China.

The drawback: IP address ranges are subject to change, often the IP mapping is temporarily wrong and only corrected after some days or on demand. So you cannot be sure that this method always works as expected...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
leonid1890
Contributor

Hello,

Let's assume, for example, that x.x.x.x/16 was Country-A's pool
and after two months it was purchased by Country-B.

1. How will my gateway know about this change?
2. What do I need to do in order to update my gateway regarding this change?

 

0 Kudos
G_W_Albrecht
Legend

1. By automatic updates - See sk95976: How the Geo Protection country file is updated

2. Make sure that the Security Gateway can fetch the updates from Check Point download center

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
leonid1890
Contributor

I read sk95976 and it says: "Currently, the Security Gateway should fetch the updates from Check Point download center"

My question: is there a way to check whether the Geo protection was actually updated?
Is there any log, or something in the GUI I can see?
How should I know if the gateway fetched the updates from the Check Point download center?

0 Kudos
the_rock
Legend

https://support.checkpoint.com/results/sk/sk83520

I could be wrong, but I don't believe the iptocountry.csv file is even present on the SMB gateway (at least it's not on regular Gaia fw)

Andy

0 Kudos
the_rock
Legend

Sorry, I take my last response back, I was 100% wrong. You can check below and then run the following.

Andy

[Expert@quantum-firewall:0]# find / -name IpToCountry*
/var/log/opt/CPsuite-R81.20/fw1/tmp/email_tmp/updates/IpToCountry.csv
/var/opt/CPsuite-R81.20/fw1/conf/IpToCountry.csv
[Expert@quantum-firewall:0]#

 

[Expert@quantum-firewall:0]# stat /var/log/opt/CPsuite-R81.20/fw1/tmp/email_tmp/updates/IpToCountry.csv
File: '/var/log/opt/CPsuite-R81.20/fw1/tmp/email_tmp/updates/IpToCountry.csv'
Size: 11600487 Blocks: 22664 IO Block: 4096 regular file
Device: fc00h/64512d Inode: 268578887 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ admin) Gid: ( 1/ bin)
Access: 2022-11-16 06:25:26.000000000 -0500
Modify: 2022-11-16 06:25:26.000000000 -0500
Change: 2022-12-28 13:16:06.155028136 -0500
Birth: -
[Expert@quantum-firewall:0]# stat /var/opt/CPsuite-R81.20/fw1/conf/IpToCountry.csv
File: '/var/opt/CPsuite-R81.20/fw1/conf/IpToCountry.csv'
Size: 11600487 Blocks: 22664 IO Block: 4096 regular file
Device: fc01h/64513d Inode: 1384643 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ admin) Gid: ( 1/ bin)
Access: 2023-03-24 11:20:13.187213100 -0400
Modify: 2022-11-16 06:25:26.000000000 -0500
Change: 2022-12-28 13:13:59.385021532 -0500
Birth: -
[Expert@quantum-firewall:0]#

0 Kudos
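Added example, not part of the thread or of any Check Point tooling: the `find` and `stat` steps from the post above turned into a repeatable freshness check that compares each copy's Modify time with a threshold. `MAX_AGE_DAYS` and both function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): freshness check for the Geo IP-to-country file.
# MAX_AGE_DAYS and both function names are assumptions, not Check Point settings.
MAX_AGE_DAYS="${MAX_AGE_DAYS:-30}"

# Print "<path> <age_days> FRESH|STALE" for one file.
# Returns 0 if fresh, 1 if older than MAX_AGE_DAYS, 2 if the file is missing.
# $2 (optional) overrides "now" as epoch seconds.
geo_file_status() {
    local path now mtime age
    path="$1"
    now="${2:-$(date +%s)}"
    [ -f "$path" ] || { echo "$path - MISSING"; return 2; }
    mtime=$(stat -c %Y "$path") || return 2   # the "Modify:" time, as epoch seconds
    age=$(( (now - mtime) / 86400 ))
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then
        echo "$path $age STALE"
        return 1
    fi
    echo "$path $age FRESH"
}

# Check every IpToCountry* copy under a directory tree (default /var, where the
# post found both copies). Returns 0 only if a copy exists and none is stale;
# returns 2 when nothing is found, so "no file" is never mistaken for "up to date".
# The pattern is quoted so the shell does not expand it against the current directory.
geo_check_tree() {
    local root now files rc f
    root="${1:-/var}"
    now="${2:-$(date +%s)}"
    rc=0
    files=$(find "$root" -type f -name 'IpToCountry*' 2>/dev/null)
    [ -n "$files" ] || { echo "no IpToCountry file under $root"; return 2; }
    while IFS= read -r f; do
        geo_file_status "$f" "$now" || rc=1
    done <<EOF
$files
EOF
    return "$rc"
}
```

After sourcing the file in Expert mode, `geo_check_tree /var` prints one line per copy, and its exit status can drive a cron alert.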
leonid1890
Contributor

This command doesn't show me anything: "find / -name IpToCountry*".

My Firewall Version:

fw ver
This is Check Point's 1570 Appliance R81.10.00 - Build 575

0 Kudos
the_rock
Legend

I would say what @G_W_Albrecht gave you is a very good reference. Since the device is locally managed, no need to worry about any updates on the management server.

Andy

0 Kudos
