Thank you PhoneBoy for the update. I wanted to make sure nothing was missed during the deployment and if all we have to do is use the objects per SK126172.
I am wondering if there is a database of change records within MaxMind's DB that I can match to the log entry I see and validate whether it was flagged as "russia" at the timestamp it was blocked. Using the example IP in the post, if I can see that at that exact time we blocked it, it was flagged as "russia" even though our 'flag' in the logs showed "Saudi Arabia", I'll feel a little better 🙂
With the 80.40 lab I am using with Geo policy in 'monitor only', I am blocking more countries than our prod environment, and all of those blocks are indeed matching the countries I have in the rules with no need to make any update on the management server. While my lab will generate far less than our prod environment, it seemed odd that all of those logs matched the country flags while my prod environment did not.
That being said, I did check the file on the lab 80.40 management and it is old (Jan 2020):
[Expert@LAB-MGMT:0]# ls -l $INDEXERDIR/conf/ip2country.csv
-rw-r----- 1 admin bin 13142995 Jan 17 2020 /opt/CPrt-R80.40/log_indexer/conf/ip2country.csv
[Expert@LAB-MGMT:0]#
After running the script you mentioned, it's now updated:
[Expert@LAB-MGMT:0]# ls -l $INDEXERDIR/conf/ip2country.csv
-rwxrwx--- 1 admin root 12569389 Dec 31 12:46 /opt/CPrt-R80.40/log_indexer/conf/ip2country.csv
[Expert@LAB-MGMT:0]#
Are the missing flag logs in the management truly linked to the updating of this file on the management server, or is it related at all to DNS caching within SmartConsole?
Lastly, do you know if there are any plans to automate this update process in R81 or a future JHF for 80.40? I would have to agree that having to restart the service each time is not the ideal way, but I do appreciate the quick script to be able to update it from time to time 🙂