Alex_Mondol
Participant

With updatable objects do you still need Geo Policy?

Now that there have been Updatable Objects since R80.20, do we still need to deploy Geo Policy? Although Geo Policy is more on the NIC or ACL level BlockList vs processed by FW workers, what is the Check Point recommendation? Use both for a granular approach? Use Updatable Objects only? Use Geo Policy only? Does the use of both have any implications on each other? Check Point, please let me know what you recommend. Thanks

 

0 Kudos
6 Replies
PhoneBoy
Admin

The Geographic Dynamic Objects are meant to replace Geo Policy in R80.20 and above gateways.
From a performance perspective, they should operate identically.
From a flexibility perspective, the Dynamic Objects approach is the clear winner.
Alex_Mondol
Participant

So are you saying that for an organization that has not deployed either and has been given the go-ahead to deploy Geo Protection, should we install both Policy and Updatable Objects? Or only do Updatable Objects? Is Geo Policy truly faster since it's dropped at a NIC level like an ACL would be? Or should Updatable Objects be the only deployment advised?
0 Kudos
Alex_Mondol
Participant

Are there any advantages to deploying both Geo Policy and Updatable Objects? Or are we just complicating troubleshooting if we do both? Or is it not advised to do both?
0 Kudos
Timothy_Hall
Champion

If you have an existing Geo Policy setup, you can continue using it. However, for any new R80.20+ policies I would strongly advise using Geo Updatable Objects instead. There is a very slight performance edge for Geo Policy, as it is checked just after antispoofing, long before reaching the security policy where Geo Updatable Objects are located. However, Geo Updatable Objects are so much more flexible and easier to use and understand that I'd advise against using Geo Policy going forward despite its very slight performance edge.

 

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Alex_Mondol
Participant

 

geo.jpg

If our intent was to block externally sourced traffic from these foreign countries from coming in, would this be correct?

0 Kudos
PhoneBoy
Admin

That's the right idea.
0 Kudos