Danny
Champion

ERROR: Wrong Geo Location for Russia - Customers are reporting issues

The last Geo Location update on Quantum Security Gateways appears to have an error.

[Expert@fw:0]# ls -la $CPDIR/database/downloads/ONLINE_SERVICES/1.0/150622030521/geo_location.C
Jun 14 17:02 /opt/CPshrd-R81/database/downloads/ONLINE_SERVICES/1.0/150622030521/geo_location.C

A newer update for updatable objects (sk121877) is currently not available.

Multiple customers report that regional IP addresses are blocked as they are wrongly located in Russia.
MaxMind correctly shows them as regional IP addresses in Germany but Check Point Quantum Security Gateways do not.

Example: 92.217.8.19

MaxMind shows: Munich, Germany

Check Point shows the IP within a big block for Russia within geo_location.C:

    :CP_GEO_RU (
                :parent ()
                :uuid ("909383a0-c34b-49ef-b423-c0168a37c37d")
                :display_name ("Russia")
                :icon ("@app/cp_geo_ru")
                :IPV4 (
                        : (
                                :from ("91.228.62.0")
                                :to ("92.228.64.255")
                                :type (ip_range)
                        )
[Expert@fw:0]# dynamic_objects -lo CP_GEO_RU | grep 92.228.
range : 91.228.62.0  -  92.228.64.255
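As an added example, not code from the post or from Check Point, the following Python script parses ip_range entries written in the geo_location.C syntax quoted above, lists every country object whose range contains a given address, and flags ranges that are implausibly large (the quoted RU range spans more than a whole /8). The sample text is constructed: the CP_GEO_RU range is the one from the post, the CP_GEO_DE entry and its range are hypothetical, and the size threshold is an assumption.

```python
import ipaddress
import re

# Constructed sample in the syntax of the geo_location.C excerpt quoted in the post.
# CP_GEO_RU carries the range from the post; the CP_GEO_DE entry and its range are hypothetical.
SAMPLE_GEO_LOCATION_C = """
:CP_GEO_DE (
        :display_name ("Germany")
        :IPV4 (
                : (
                        :from ("92.217.0.0")
                        :to ("92.217.255.255")
                        :type (ip_range)
                )
        )
)
:CP_GEO_RU (
        :parent ()
        :display_name ("Russia")
        :IPV4 (
                : (
                        :from ("91.228.62.0")
                        :to ("92.228.64.255")
                        :type (ip_range)
                )
        )
)
"""

OBJ_RE = re.compile(r'^\s*:(CP_GEO_\w+)\s*\(')
NAME_RE = re.compile(r':display_name\s*\("([^"]*)"\)')
FROM_RE = re.compile(r':from\s*\("([^"]*)"\)')
TO_RE = re.compile(r':to\s*\("([^"]*)"\)')


def load_geo(text):
    """Parse the flat, line-oriented subset of the geo_location.C syntax shown in the post.

    Returns (ranges, names): ranges is a list of (object, first, last) with
    IPv4Address bounds, names maps object name -> display_name.
    """
    ranges, names = [], {}
    obj = first = None
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:                      # a new country object starts
            obj, first = m.group(1), None
            continue
        m = NAME_RE.search(line)
        if m and obj:
            names[obj] = m.group(1)
            continue
        m = FROM_RE.search(line)
        if m and obj:
            first = ipaddress.IPv4Address(m.group(1))
            continue
        m = TO_RE.search(line)
        if m and obj and first is not None:
            last = ipaddress.IPv4Address(m.group(1))
            if last < first:       # a reversed range is a data error, not a valid entry
                raise ValueError(f"{obj}: range end {last} precedes start {first}")
            ranges.append((obj, first, last))
            first = None
    return ranges, names


def lookup(ranges, names, ip):
    """Every (object, display_name) whose range contains ip; more than one hit means overlapping data."""
    addr = ipaddress.IPv4Address(ip)
    hits = {(obj, names.get(obj, obj)) for obj, lo, hi in ranges if lo <= addr <= hi}
    return sorted(hits)


def oversized_ranges(ranges, max_size=2 ** 16):
    """Ranges spanning more than max_size addresses (the threshold is an assumption, not a Check Point rule)."""
    out = []
    for obj, lo, hi in ranges:
        size = int(hi) - int(lo) + 1
        if size > max_size:
            out.append((obj, str(lo), str(hi), size))
    return out


if __name__ == "__main__":
    ranges, names = load_geo(SAMPLE_GEO_LOCATION_C)
    print("92.217.8.19 matches:", lookup(ranges, names, "92.217.8.19"))
    for obj, lo, hi, size in oversized_ranges(ranges):
        print(f"suspicious: {obj} {lo}-{hi} covers {size} addresses")
```

On a gateway the same functions can be run over the real file at the revision path shown above (`load_geo(open(path).read())`); the parser only understands the flat IPv4 ip_range entries from the excerpt, not the full nested object syntax. For the sample data the address from the post matches both the hypothetical Germany entry and the Russia entry, and the Russia range is flagged because it spans 16,777,984 addresses.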

Accepted Solutions
Eitan_Gilad-Lug
Employee

Hello CheckMates,

We are working on a solution for this issue and aiming to release it today. Sorry for the inconvenience.

thanks

Eitan


ids
Employee

I would like to share an update on the ongoing Geo enforcement issue.

 For any customers who are using IPS Geo Protection, and not Geo Updatable Objects (R80.30 and above)

 Customers that applied the manual workaround should revert the change to get the new update.

 Please follow the steps below to manually deploy the change on demand, if waiting for the auto-update cycle is not an option.


  • Updatable Objects - a new release will be sent out at 1900 IL time today, while the FWs' update frequency is every 2 hours. That means without any manual intervention, all FWs should get the new update by 2100 IL time.
    1. To enforce an update on demand for Updatable Objects:

Per sk131852 > Troubleshooting: Run on your Gateway machine:

 # unified_dl UPDATE ONLINE_SERVICES

  • IPS Geo Protection (IP2country) - a fixed release was uploaded and the FWs should get this on their next update, which happens every 24 hours, without any manual intervention (maximum by tomorrow 1600 IL time).
    1. Check Point's recommendation is to use only Updatable Objects from FW R80.20 upwards instead of IPS Geo.
    2. To enforce an update on demand for IPS Geo Policy:
      1. Download the latest IpToCountry.csv file from this URL:
        1. http://downloads.checkpoint.com/fileserver/ID/11901/FILE/IpToCountry.csv.gz
      2. Transfer the IpToCountry.csv.gz file to the Security Gateway / each Cluster Member to some directory.
      3. Connect to the command line on the Security Gateway / each Cluster Member.
      4. Log in to the Expert mode.
      5. Go to the directory with the IpToCountry.csv.gz file.
      6. Unpack the IpToCountry.csv.gz file:
        $CPDIR/util/gzip -df IpToCountry.csv.gz
      7. Copy the file IpToCountry.csv to $FWDIR/tmp/geo_location_tmp/updates/ directory:
        cp -v IpToCountry.csv $FWDIR/tmp/geo_location_tmp/updates/
      8. In SmartConsole, install the Access Control policy on the Security Gateway / Cluster object.

 Thank you for your understanding and cooperation; we appreciate your patience.


14 Replies
AaronCP
Advisor

Hey @Danny,

We're having the exact same issue. Our gateway last updated the iptocountry.csv file at 10pm UK time last night. It seems that the URL referenced in SK120261 is no longer available (https://sc1.checkpoint.com/freud2/IpToCountry.csv.gz). I wonder if Check Point have pulled the file?

Do you know if it's possible to revert to a previous version of this file on the gateway? Our support provider have a ticket raised with TAC, but have said they're starting to get a lot of other customers reporting this issue.

Thanks,

Aaron.

Danny
Champion

It should be possible to revert to a previous revision by extracting it from a backup.

Example: tar -tzvf /var/log/CPbackup/backups/backup_filename.tgz | grep geo_location.C

Simply copy and paste the revision folder to $CPDIR/database/downloads/ONLINE_SERVICES/1.0/ and adjust $CPDIR/database/downloads/ONLINE_SERVICES/1.0/last_revision.xml to point to that revision.

Alternatively you can temp. unblock Russia in your security policy or configure Allow rules for the affected network ranges.

_Val_
Admin

@Danny please raise a TAC case for this, thanks

Danny
Champion

🙂 This is the first thing we did.

_Val_
Admin

Thank you

Customer_ckp
Explorer

Put that subject on top. This affects several clients in France too. TAC cases opened too.

G_W_Albrecht
Legend

MaxMind updates it daily, CP weekly only - so false positives happen every couple of weeks. I had three such cases with CP in the last 2 months...

But I am very suspicious concerning GeoIP.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Juan_
Collaborator

Customers from the UK are reporting it as well.

Geo-Policy is affected too. I suppose it feeds from the same source as Updatable Objects.


Danny
Champion

Thanks Mate!

skandshus
Advisor

Yep, I'm seeing the same issue today.

skandshus
Advisor

Today I'm seeing Danish IP addresses from Telia showing up as Swedish IP addresses... even RIPE has them shown as Danish.

_Val_
Admin

Please report via TAC case
