Thank you PhoneBoy for the update.    I wanted to make sure nothing was missed during the deployment and if all we have to do is use the objects per SK126172.

I am wondering if there is a database of change records within MaxMinds DB that I can match the log entry I see and validate if it was flagged as "russia" at the timestamp it was blocked.    Using the example IP in the post, if I can see that at that exact time we blocked it, it was flagged as "russia' even though our 'flag' in the logs showed "Saudi Arabia", I'll feel a little better 🙂

With the 80.40 lab I am using with Geo policy in 'monitor only', I am blocking more countries than our prod environment and all of those blocks are indeed matching the countries i have in the rules with no need to make any update on the management server.     While my lab will generate far less than our prod environment, it seemed odd that all of those logs matched the country flags while my prod environment did not.  

That being said, I did check the file on the lab 80.40 management and it is old (Jan 2020)

[Expert@LAB-MGMT:0]# ls -l $INDEXERDIR/conf/ip2country.csv

-rw-r----- 1 admin bin 13142995 Jan 17  2020 /opt/CPrt-R80.40/log_indexer/conf/ip2country.csv

[Expert@LAB-MGMT:0]#

After running the script you mentioned, it's now updated:

[Expert@LAB-MGMT:0]# ls -l $INDEXERDIR/conf/ip2country.csv

-rwxrwx--- 1 admin root 12569389 Dec 31 12:46 /opt/CPrt-R80.40/log_indexer/conf/ip2country.csv

[Expert@LAB-MGMT:0]#

Are the missing flag logs in the management truly linked to updating of this file on the management server or is it related at all to DNS caching within smartconsole?  

lastly, do you know if this update process has any plans to be automated in R81 or a future JHF for 80.40?   I would have to agree that having to restart service each time here it not the idea way but I do appreciate the quick script to be able to update it from time to time 🙂

Yes, the country in the logs in the management are truly based on that file in the management server.
I'm not aware of specific plans to automate the update of this file, but it is relatively straightforward to update it manually on a regular basis. 
I do see the restart could be problematic.
@Tomer_Noy is this something we can look at for the future?

Today, we have two mechanisms that refer to countries so in some cases it can create confusion. However, we are working to improve that.

The Updatable Objects rely on our cloud service to automatically update IPs for countries and common SaaS services. The gateway fetches the information regularly and the data is very accurate. This is used for enforcement. When a connection is matched on an Updatable Object, the gateway puts the name and flag of that object in special fields on the log. If you double-click a log, you will be able to see them.

The other mechanism, is our UI resolving for IPs to countries. This is based on a csv file that is brought with the version installation. The resolving is done upon querying the log server and will return information for any IP, even if not matched by the geo-protection / Updatable Objects.

Following previous feedback about confusion when the flags aren't accurate, or don't match with the Updatable Objects, we are planning the following improvements:

1. If a log was matched on an Updatable Object, we will show the icon from the Updatable Object, instead of resolving it from the csv. This will improve accuracy and consistency.
2. We plan to update the .csv file regularly on JHFs and not just on a major version.

Regarding the Updatable Objects using the cloud service to  automatically update IPs, a couple of questions:

1)  Does it still store the updated IPs for Geo Updatable Objects in the IpToCountry.csv on the gateway?

2)  If not, how can I tell if my IPs for Geo Updatable Objects are  up-to-date?

Thanks.

Q

It's now downloaded via a different mechanism.
The Troubleshooting section of the following SK should tell you what you need to know: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Okay, thanks.  So, to answer my original question based upon that SK, it looks like the IP to Country mapping is in the $CPDIR/database/downloads/ONLINE_SERVICES/1.0/latestversionnumber/geo_location.C file now, rather than in the original CSV file.   Thanks for the tip on that.   I needed to prove that my gateway did indeed have the latest mappings, and I see that I'm good.

Am I correct in assuming that the (possibly out of date) countries shown in the management logs are what would be forwarded to an external log server, e.g. if we Log Exporter to send our logs to Splunk?

Dave