- CheckMates
- :
- Products
- :
- Quantum
- :
- Threat Prevention
- :
- Geo policy
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Geo policy
Good Morning,
Is there a way to generate/extract the list of countries that we currently block under Geopolicy? we are running on R80.20.
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this script on management server to show countries and country IP lists.
This script lists all country entries from the file ip2country. csv and displays the countries sorted for R80.10+.
The country code can then be insert. For the selected country all IP Ranges are displayed.
So you can find all IP range, which are blocked by GeoProtection for a country.
Bash script to show IP ranges for countrys from GeoProtection
or
GEO Location Objects in Firewall Policy (with Dynamic Objects)
Regards
Heiko
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have such a long list in your Geo Policy?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes we do, it s a very long list.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting this Geo Policy country list does not seem possible through the SmartConsole GUI or the API from what I can see.
However this information can be pulled out of the compiled policy out on the gateway similarly to the antispoofing configuration. The file to look at on the gateway is $FWDIR/state/local/FW1/local.set. There is a section called block_by_countries_protection in that file that shows all the countries listed under "Policy for Specific Countries". A fast way to access the list is the following command you can run on the gateway:
grep country_dispaly_name $FWDIR/state/local/FW1/local.set
(Note that I did not make a typo in the above command, it truly is country_dispaly_name in the file itself)
Obviously this one-liner does not show direction of enforcement and action (Drop/Accept) but if you know that all countries listed have an action of Drop this should be sufficient.
I sense an impending update to the ccc tool...
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Timothy_Hall senses are powerful. Solution here: One-liner to show Geo Policy on gateways
ccc script updated.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this script on management server to show countries and country IP lists.
This script lists all country entries from the file ip2country. csv and displays the countries sorted for R80.10+.
The country code can then be insert. For the selected country all IP Ranges are displayed.
So you can find all IP range, which are blocked by GeoProtection for a country.
Bash script to show IP ranges for countrys from GeoProtection
or
GEO Location Objects in Firewall Policy (with Dynamic Objects)
Regards
Heiko
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Basilio_Alcant1 looks for a list of countries, not IP ranges.
![](/skins/images/AB448BCC84439713A9D8F01A2EF46C82/responsive_peak/images/icon_anonymous_message.png)