pfilipe
Contributor

GeoPolicy not working

Hello guys,

So we have some rules to block all incoming and outgoing traffic to Russia.

But when we look at the logs, we get a number of Accepts coming from Russia. Why is this happening and what should I do?

Best regards,

PF

0 Kudos
6 Replies
Ruan_Kotze
Advisor

Is it an implied rule accepting the traffic?

0 Kudos
pfilipe
Contributor

There are some logs with implied, yes, but there are more logs with other rules.

0 Kudos
Sorin_Gogean
Advisor

Hey,

Where are your Russia drop rules positioned, compared with the Allow rules that you show in the screenshots?

Ty,

0 Kudos
pfilipe
Contributor

Hey, 

My GeoPolicy rules are numbers 2 and 3.

Ty

0 Kudos
the_rock
Legend

I would run the script below on mgmt, if you can execute cpstop afterwards:

https://community.checkpoint.com/t5/API-CLI-Discussion/One-liner-to-update-IpToCountry-data-on-Secur...

I personally never experienced this issue myself, so it's hard to say for sure why those rules don't take full effect. As @Ruan_Kotze indicated, if all else fails, then contacting TAC might be your best option.

0 Kudos
Ruan_Kotze
Advisor

OK, so first make sure that it isn't just a cosmetic issue as per sk120261. Check Point uses MaxMind for IP Geo-location, so double-check on their site as well.

If everything checks out then you still need to keep in mind that updatable objects won't block traffic allowed by implied rules. In order to work around that you can possibly do a rate-limiting SAM rule or use the "classic" geo policies.

For traffic that is not being blocked and you are confident that it is not due to rule order I would say a call to TAC is in order.
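
A triage sketch for the checks discussed in this thread, added here as an example and not posted by any participant: it buckets Accept logs involving Russia by whether they matched an implied rule, a rule above the geo rules (positions 2 and 3, as stated in the thread), or a later rule. The CSV column names and the sample rows are constructed assumptions, not a Check Point export format.

```python
import csv
import io

GEO_RULES = (2, 3)  # positions of the geo drop rules, as stated in the thread

# Constructed sample export; column names are assumptions, not a vendor format.
SAMPLE_CSV = """src_country,dst_country,action,rule
Russia,Germany,Accept,implied
Russia,Germany,Accept,1
Russia,Germany,Drop,2
Germany,Russia,Drop,3
Russia,Germany,Accept,7
France,Germany,Accept,7
Russia,Germany,Accept,7
"""

def classify(row, geo_rules=GEO_RULES, country="Russia"):
    """Return a triage bucket for one log row, or None if it is not of interest."""
    if row["action"].strip().lower() != "accept":
        return None
    if country not in (row["src_country"], row["dst_country"]):
        return None
    rule = row["rule"].strip().lower()
    if rule == "implied":
        return "implied_rule"      # geo objects in the rulebase do not override these
    if not rule.isdigit():
        return "unknown_rule"
    if int(rule) < min(geo_rules):
        return "rule_above_geo"    # matched before the geo rules: a rule-order issue
    return "unexpected"            # matched at or below the geo rules: verify geo data, then escalate

def triage(csv_text):
    """Count Accept logs per triage bucket."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = classify(row)
        if bucket:
            counts[bucket] = counts.get(bucket, 0) + 1
    return counts

if __name__ == "__main__":
    for bucket, n in sorted(triage(SAMPLE_CSV).items()):
        print(f"{bucket}: {n}")
```

Rows in the `unexpected` bucket are the ones to compare against the geo-location data before opening a TAC case.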
