Scottc98
Participant

Geo Policy question: New deployment using geo objects only (R80.30)

My current company recently wanted to start implementing geo-based updatable object rules following SK126172 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

During my PTO, our security team deployed a set of rules for one country (Russia) and it looks to be working right now.

I was checking logs and noticed that there were a few IP addresses that were being blocked but listed as another country:

Example:  85.209.0.186

1) Our gateway is blocking this thinking it's in Russia

2) Our 'flag' from the smartconsole logs is showing this in "Saudi Arabia"

3) MaxMind site states this is in Country Code of "CZ" and Location of "Czechia,Europe"  (Using link: https://www.maxmind.com/en/geoip-demo)

I started to think that it's possible that the IP list was not being updated from the gateways and started to look at SK114216 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

Based on that SK, I looked at the 'in.geod' process and the file locations mentioned, and none of the GWs I have checked have this running, nor do they have the files in place ($FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv).

Since this was a brand new geo deployment, the shared "Geo Policy" activation mode is still set to "inactive" (first screenshot) and I can't seem to find documentation on whether activation is required (i.e. no mention in SK126172 and I can't seem to find it in the deployment docs).

I have checked my 80.40 lab and I do see that when I set the geo policy to "Monitor Only" and leave the rest as default, my lab gateway shows the daemon running and the updated file list within 24 hours, as SK114216 mentions.

 

So my long question is this:

  1. Is there a Geo Policy activation requirement when using geo-based updatable object rules following SK126172?
    1. I.e. setting it to "monitor only" and using the updatable object method only in access rules
  2. If there is no requirement on the Geo Policy activation, how can I validate proper updates of the IP country list against the MaxMind DB, since SK114216 shows no list updates?

     

Thanks in advance.
5 Replies
PhoneBoy
Admin

First of all, for R80.20 and above, you should be using Updatable Objects in your regular access policy versus the legacy Geo Policy mechanism.
You can create a very granular policy in this manner (e.g. allow access to a specific website from anywhere but block all other access to/from a specific country).

The flags come from management which does NOT update its IP to Country mappings regularly.
This one liner should update it: https://community.checkpoint.com/t5/API-CLI-Discussion/One-liner-to-update-IpToCountry-data-on-Secur...

Scottc98
Participant

Thank you PhoneBoy for the update. I wanted to make sure nothing was missed during the deployment and that all we have to do is use the objects per SK126172.

I am wondering if there is a database of change records within MaxMind's DB that I can match against the log entry I see and validate whether it was flagged as "Russia" at the timestamp it was blocked. Using the example IP in the post, if I can see that at the exact time we blocked it, it was flagged as "Russia" even though our 'flag' in the logs showed "Saudi Arabia", I'll feel a little better 🙂

 

With the 80.40 lab I am using with Geo Policy in 'monitor only', I am blocking more countries than in our prod environment, and all of those blocks are indeed matching the countries I have in the rules with no need to make any update on the management server. While my lab will generate far less than our prod environment, it seemed odd that all of those logs matched the country flags while my prod environment did not.

That being said, I did check the file on the lab 80.40 management and it is old (Jan 2020)

[Expert@LAB-MGMT:0]# ls -l $INDEXERDIR/conf/ip2country.csv
-rw-r----- 1 admin bin 13142995 Jan 17  2020 /opt/CPrt-R80.40/log_indexer/conf/ip2country.csv
[Expert@LAB-MGMT:0]#

After running the script you mentioned, it's now updated:

[Expert@LAB-MGMT:0]# ls -l $INDEXERDIR/conf/ip2country.csv
-rwxrwx--- 1 admin root 12569389 Dec 31 12:46 /opt/CPrt-R80.40/log_indexer/conf/ip2country.csv
[Expert@LAB-MGMT:0]#

Are the mismatched flag logs in the management truly linked to the updating of this file on the management server, or is it related at all to DNS caching within SmartConsole?

Lastly, do you know if this update process has any plans to be automated in R81 or a future JHF for 80.40? I would have to agree that having to restart the service each time is not the ideal way, but I do appreciate the quick script to be able to update it from time to time 🙂
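The second question in the thread (how to check what an IP-to-country table actually says for a given address, and whether the table on the box is stale) can be answered offline with a small script. The following is an added example written for this page; it is not Check Point's code and not from the thread. It assumes a CSV of inclusive IPv4 ranges with the columns `start,end,cc`; the sample table, including the country assignments for 85.209.0.186 and its neighbours, is constructed here to mirror the discrepancy described above and is not real geolocation data. Before pointing it at `$INDEXERDIR/conf/ip2country.csv` or `IpToCountry.csv`, check that file's actual layout with `head`, since the real column order and encoding may differ from the assumed one.

```python
"""Offline lookup of an IPv4 address in an IP-to-country range table, plus a
freshness check on the table file.

Added example for this thread; not Check Point code. Assumed CSV layout:
inclusive ranges 'start,end,cc' (dotted-quad start/end, ISO country code).
"""
import bisect
import csv
import io
import ipaddress
import os
import time

# Constructed sample data, NOT real geolocation data. The ranges mirror the
# three answers seen in the thread for 85.209.0.186 (SA / CZ / RU).
SAMPLE_CSV = """start,end,cc
85.208.0.0,85.208.255.255,SA
85.209.0.0,85.209.0.255,CZ
85.209.1.0,85.209.255.255,RU
"""


class RangeTable:
    """Sorted, non-overlapping IPv4 ranges with O(log n) lookup."""

    def __init__(self, rows):
        rows = sorted(rows)
        # Refuse overlapping ranges: a single bisect cannot resolve them and
        # a silently wrong answer is exactly what we are trying to detect.
        for (s1, e1, _), (s2, _, _) in zip(rows, rows[1:]):
            if s2 <= e1:
                raise ValueError(f"overlapping ranges at {ipaddress.IPv4Address(s2)}")
        self.rows = rows
        self.starts = [s for s, _, _ in rows]

    @classmethod
    def from_csv(cls, text):
        rows = []
        for rec in csv.DictReader(io.StringIO(text)):
            start = int(ipaddress.IPv4Address(rec["start"].strip()))
            end = int(ipaddress.IPv4Address(rec["end"].strip()))
            if end < start:
                raise ValueError(f"range end before start: {rec}")
            rows.append((start, end, rec["cc"].strip().upper()))
        return cls(rows)

    @classmethod
    def from_file(cls, path, encoding="utf-8"):
        with open(path, encoding=encoding, newline="") as fh:
            return cls.from_csv(fh.read())

    def lookup(self, ip):
        """Return the country code for ip, or None if no range covers it."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0:
            start, end, cc = self.rows[i]
            if start <= n <= end:
                return cc
        return None


def compare(table, ip, expected_cc):
    """Compare the table's answer with a reference (e.g. the MaxMind demo or
    the gateway's Updatable Object match). Returns (table_cc, expected_cc, ok)."""
    got = table.lookup(ip)
    exp = expected_cc.strip().upper() if expected_cc else None
    return got, exp, got == exp


def file_age_days(path, now=None):
    """Age of the table file in days, or None if it does not exist."""
    try:
        mtime = os.stat(path).st_mtime
    except FileNotFoundError:
        return None
    now = time.time() if now is None else now
    return (now - mtime) / 86400.0


def is_stale(path, max_days=90):
    """True when the file is missing or older than max_days."""
    age = file_age_days(path)
    return age is None or age > max_days


if __name__ == "__main__":
    table = RangeTable.from_csv(SAMPLE_CSV)
    ip = "85.209.0.186"
    print(ip, "->", table.lookup(ip))                  # constructed table says CZ
    print("matches MaxMind (CZ)?", compare(table, ip, "CZ")[2])
    print("matches gateway (RU)?", compare(table, ip, "RU")[2])
    path = os.path.expandvars("$INDEXERDIR/conf/ip2country.csv")
    print("table age (days):", file_age_days(path), "stale:", is_stale(path))
```

Running it against a real export means replacing `SAMPLE_CSV` with `RangeTable.from_file(path)` after confirming the column names; the overlap check in the constructor will also flag a malformed or doubly-appended table, which is the kind of defect a manual update can introduce.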
PhoneBoy
Admin

Yes, the country in the logs in the management are truly based on that file in the management server.
I'm not aware of specific plans to automate the update of this file, but it is relatively straightforward to update it manually on a regular basis. 
I do see the restart could be problematic.
@Tomer_Noy is this something we can look at for the future?

Tomer_Noy
Employee

Today, we have two mechanisms that refer to countries, so in some cases it can create confusion. However, we are working to improve that.

The Updatable Objects rely on our cloud service to automatically update IPs for countries and common SaaS services. The gateway fetches the information regularly and the data is very accurate. This is used for enforcement. When a connection is matched on an Updatable Object, the gateway puts the name and flag of that object in special fields on the log. If you double-click a log, you will be able to see them.

The other mechanism is our UI resolving IPs to countries. This is based on a csv file that is shipped with the version installation. The resolving is done upon querying the log server and will return information for any IP, even if not matched by the geo-protection / Updatable Objects.

Following previous feedback about confusion when the flags aren't accurate, or don't match with the Updatable Objects, we are planning the following improvements:

  1. If a log was matched on an Updatable Object, we will show the icon from the Updatable Object, instead of resolving it from the csv. This will improve accuracy and consistency.
  2. We plan to update the .csv file regularly on JHFs and not just on a major version.
David_Charnon
Collaborator

Am I correct in assuming that the (possibly out of date) countries shown in the management logs are what would be forwarded to an external log server, e.g. if we Log Exporter to send our logs to Splunk?

Dave
