Basilio_Alcant1
Contributor

Geo policy

Good Morning,

Is there a way to generate/extract the list of countries that we currently block under Geopolicy? We are running on R80.20.

Accepted Solutions
HeikoAnkenbrand
Champion

Hi @Basilio_Alcant1

Use this script on the management server to show countries and country IP lists.

This script lists all country entries from the file ip2country.csv and displays the countries sorted for R80.10+.
The country code can then be inserted. For the selected country all IP ranges are displayed.

So you can find all IP ranges which are blocked by GeoProtection for a country.

Bash script to show IP ranges for countrys from GeoProtection
or
GEO Location Objects in Firewall Policy (with Dynamic Objects)

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

0 Kudos
6 Replies
Danny
Champion

Do you have such a long list in your Geo Policy?

0 Kudos
Basilio_Alcant1
Contributor

Yes we do, it's a very long list.

0 Kudos
Timothy_Hall
Legend

Getting this Geo Policy country list does not seem possible through the SmartConsole GUI or the API from what I can see.

However this information can be pulled out of the compiled policy out on the gateway similarly to the antispoofing configuration.  The file to look at on the gateway is $FWDIR/state/local/FW1/local.set.  There is a section called block_by_countries_protection in that file that shows all the countries listed under "Policy for Specific Countries".  A fast way to access the list is the following command you can run on the gateway:

grep country_dispaly_name $FWDIR/state/local/FW1/local.set

(Note that I did not make a typo in the above command, it truly is country_dispaly_name in the file itself)

Obviously this one-liner does not show direction of enforcement and action (Drop/Accept) but if you know that all countries listed have an action of Drop this should be sufficient.

I sense an impending update to the ccc tool...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
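
Added example (not written by any poster in this thread and not Check Point code): a shell sketch that turns the grep one-liner above into a clean, de-duplicated country list and compares it with the list you expect to be blocked, which goes one step beyond the one-liner. The function names, the expected.txt file and the sample entries are hypothetical, and the assumed line format `:country_dispaly_name (Name)` should be checked against your own local.set.

```shell
#!/bin/sh
# Added example, not from the thread. ASSUMPTION: entries in local.set look like
#   :country_dispaly_name (Name)   or   :country_dispaly_name ("Name")

# Print the sorted, de-duplicated country names found in a local.set file.
geo_countries() {
    grep 'country_dispaly_name' "$1" \
        | sed -e 's/^[^(]*(//' -e 's/)[[:space:]]*$//' -e 's/^"//' -e 's/"$//' \
        | LC_ALL=C sort -u
}

# Compare the gateway's list with an expected list (one country per line).
# "+ name": on the gateway but not expected; "- name": expected but missing.
geo_drift() {
    gw_list=$(mktemp); want_list=$(mktemp)
    geo_countries "$1" > "$gw_list"
    LC_ALL=C sort -u "$2" > "$want_list"
    LC_ALL=C comm -23 "$gw_list" "$want_list" | sed 's/^/+ /'
    LC_ALL=C comm -13 "$gw_list" "$want_list" | sed 's/^/- /'
    rm -f "$gw_list" "$want_list"
}

# Write a constructed sample (placeholder country names, not real gateway data).
make_sample() {
    cat > "$1/local.set" <<'EOF'
:block_by_countries_protection (
    : (
        :country_dispaly_name ("Republic of Test")
    )
    : (
        :country_dispaly_name (Exampleland)
    )
    : (
        :country_dispaly_name ("Republic of Test")
    )
)
EOF
}

# Demo on the sample; on a gateway, pass $FWDIR/state/local/FW1/local.set instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
printf 'Exampleland\nTestonia\n' > "$demo_dir/expected.txt"
geo_countries "$demo_dir/local.set"
geo_drift "$demo_dir/local.set" "$demo_dir/expected.txt"
rm -rf "$demo_dir"
```

Like the one-liner, this lists names only and does not show direction of enforcement or action.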
Danny
Champion

@Timothy_Hall senses are powerful. Solution here: One-liner to show Geo Policy on gateways

ccc script updated.

Danny
Champion

@Basilio_Alcant1 looks for a list of countries, not IP ranges.

0 Kudos
