This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scottc98
Advisor
‎2020-12-31 11:59 AM

Geo Policy question: New deployment using geo objects only (R80.30)

My current company recently wanted to start implementing geo based updatable object rules following SK126172 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

During my PTO, our security team deployed a set of rules to one one country (Russia) and it looks to be working right now.   

I was checking logs and noticed that there were a few IP addresses that were being blocked but listed as another country:

Example:  85.209.0.186

1) Our gateway is blocking this thinking its in Russia

2) Our 'flag' from the smartconsole logs is showing this in "Saudi Arabia"

3) MaxMind site states this is in Country Code of "CZ" and Location of "Czechia,Europe"  (Using link: https://www.maxmind.com/en/geoip-demo)

I started to think that its possible that the ip list was not being updated from the gateways and stated to look at SK114216 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...)

Based on that SK, I looked at the 'in.geod' process and the file locations mentioned and none of the GWs have I have checked have this running nor have the files in place ($FWDIR/tmp/geo_location_tmp/updates/IpToCountry.csv)

Since this was a brand new geo deployment, the shared "Geo Policy" activation mode it still set to "inactive' (First screen shot) and I can't seem to find documentation on where having the activation is required (i.e. no mention on SK126172 and can't seem to find in deployment docs).

I have checked my 80.40 lab and I do see that when I set the geo policy to "Monitor Only" and leaving the rest as default. my lab gateway shows the daemon running and the updated file list within 24 hours like SK114216 mentions.

 

So my long question is this:   

  1.  Is there a Geo Policy activation requirement when using geo based updatable object rules following SK126172  
    1. I.E  setting to "monitor only" and using the updatable object method only in access rules

  2. If there is no requirement on the Geo Policy activation, how can I validate proper updates of the IP country list against the MaxMind DB since SK114216 shows no list updates?

     

Thank in advance.

 

 

 

 

 

 

 

 

 

 

 

 

Preview file
49 KB
0 Kudos
8 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events