Hi!
We've recently moved our Geo policy on R81.10 to updatable objects as per sk126172, but as I'm running into what I believe is a false positive, I have a hard time troubleshooting the issue. Basically, most Check Point SKs don't clarify whether the steps are still valid for this new method or only for the old "host" method.
For example, the IP 199.49.20.6 is blocked by our policy. We allow traffic to the USA, Canada and most European countries.
I check the MaxMind DB and that IP is marked as USA...
I check the IP in my gateway's IpToCountry.csv (timestamped March 7) using sk94364 and it comes up within a USA range...
I check SmartConsole and the logs mark the IP as USA...
I proceed with this one-liner to update the management IpToCountry.csv file, which now marks the IP as from Bermuda. That is not in line with MaxMind, but Bermuda would indeed be blocked by our policy.
I download the latest IpToCountry.csv as per sk84801 and now I see that 199.49.20.6 is indeed from Bermuda in that latest file. I didn't update it on the gateway; I just downloaded it to my computer to compare with the file on my gateway.
Clearly something doesn't add up here...
So would I be correct to say that Management still uses the IpToCountry.csv file to assign the flags, and that this file needs to be manually updated so the flags are correctly represented?
And also that the gateway does not use the IpToCountry.csv file anymore? I didn't update the IpToCountry.csv on my gateway, so it should be flagged as USA, yet it's flagged as something else since it's being blocked (Bermuda, presumably).
If that is true and, as stated in sk126172, the information is grabbed from MaxMind instead, why does my gateway not return the same results as that DB? And where is that info stored, if not in the CSV anymore? Can I force an update?
This is so confusing! Any guidance would be appreciated!
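The manual comparison described in the post (looking up one address in the gateway's IpToCountry.csv and again in a freshly downloaded copy) can be scripted so the two copies are checked the same way every time. The following is an added example, not code from the original post or from Check Point. It assumes the software77.net-style IpToCountry.csv layout that sk94364 refers to (quoted fields start, end, registry, assigned, ctry, cntry, country, with the bounds as unsigned 32-bit integers and '#' comment lines), and it runs on constructed sample rows: the US/BM split around 199.49.20.6 is made up to mirror the question and is not real allocation data.

```python
"""Resolve an IPv4 address against IpToCountry.csv-style range files and diff two copies.

Added example; not Check Point's code. Assumes the software77.net IpToCountry.csv
layout that sk94364 refers to:
  "start","end","registry","assigned","ctry","cntry","country"
with start/end as unsigned 32-bit integers and '#' comment lines.
"""
import bisect
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _row(first: str, last: str, registry: str, ctry: str, cntry: str, country: str) -> str:
    """Build one quoted CSV row from dotted-quad bounds (helper for the constructed samples)."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    return f'"{start}","{end}","{registry}","1262304000","{ctry}","{cntry}","{country}"'


# Constructed sample files. The allocations are invented to mirror the post
# (the older copy places 199.49.20.6 in a US block, the newer copy in a BM block);
# they are not real registry data.
GATEWAY_CSV = "\n".join([
    "# constructed sample: copy on the gateway",
    _row("199.49.0.0", "199.49.255.255", "arin", "US", "USA", "United States"),
    _row("199.50.0.0", "199.50.255.255", "arin", "CA", "CAN", "Canada"),
]) + "\n"

LATEST_CSV = "\n".join([
    "# constructed sample: freshly downloaded copy",
    _row("199.49.0.0", "199.49.19.255", "arin", "US", "USA", "United States"),
    _row("199.49.20.0", "199.49.20.255", "arin", "BM", "BMU", "Bermuda"),
    _row("199.49.21.0", "199.49.255.255", "arin", "US", "USA", "United States"),
    _row("199.50.0.0", "199.50.255.255", "arin", "CA", "CAN", "Canada"),
]) + "\n"


@dataclass(frozen=True)
class Block:
    start: int
    end: int
    registry: str
    ctry: str      # ISO 3166 alpha-2 code, the value a country-based policy keys on
    country: str


class IpToCountry:
    """Parsed range file with O(log n) lookups via bisect on sorted block starts."""

    def __init__(self, text: str):
        blocks = []
        for fields in csv.reader(io.StringIO(text)):
            if not fields or fields[0].startswith("#"):
                continue                          # skip blank and comment lines
            if len(fields) < 7:
                raise ValueError(f"malformed row: {fields!r}")
            start, end = int(fields[0]), int(fields[1])
            if not (0 <= start <= end <= 0xFFFFFFFF):
                raise ValueError(f"bad range: {fields[0]}-{fields[1]}")
            blocks.append(Block(start, end, fields[2], fields[4], fields[6]))
        blocks.sort(key=lambda b: b.start)
        for prev, cur in zip(blocks, blocks[1:]):  # a sane file has no overlapping blocks
            if cur.start <= prev.end:
                raise ValueError(f"overlapping ranges at {cur.start}")
        self.blocks = blocks
        self._starts = [b.start for b in blocks]

    def lookup(self, ip: str) -> Optional[Block]:
        """Return the block containing ip, or None if no range covers it."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and self.blocks[i].end >= n:
            return self.blocks[i]
        return None


def lookup_country(text: str, ip: str) -> Optional[str]:
    """Two-letter country code for ip in the given file text, or None if unassigned."""
    hit = IpToCountry(text).lookup(ip)
    return hit.ctry if hit else None


def compare_lookup(old_text: str, new_text: str, ip: str) -> dict:
    """Diff a single address across two copies of the file, as the post does by hand."""
    old_hit = IpToCountry(old_text).lookup(ip)
    new_hit = IpToCountry(new_text).lookup(ip)

    def describe(b: Optional[Block]) -> str:
        if b is None:
            return "unassigned"
        return f"{ipaddress.IPv4Address(b.start)}-{ipaddress.IPv4Address(b.end)} {b.ctry}"

    old_code = old_hit.ctry if old_hit else None
    new_code = new_hit.ctry if new_hit else None
    return {"ip": ip, "old": describe(old_hit), "new": describe(new_hit),
            "changed": old_code != new_code}


if __name__ == "__main__":
    print(compare_lookup(GATEWAY_CSV, LATEST_CSV, "199.49.20.6"))
```

To run this against real files, pass the contents of the gateway's copy and the downloaded copy to `compare_lookup` instead of the constructed strings. Note that this only tells you what each CSV says about the address; it says nothing about what the updatable-object feed resolves, which is the part of the question the CSV cannot answer.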