This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
casgrain
Participant
‎2023-03-22 08:10 AM
Jump to solution

Troubleshoot Geo policy after sk126172

Hi! 

We've recently moved our Geo policy on R81.10 to updatable objects as per sk126172 but as I'm running into what I believe is a false positive, I have a hard time troubleshooting the issue. Basically most Checkpoint SKs don't clarify if the steps are still valid for this new method or only for the old "host" method.

For example, the IP 199.49.20.6 is blocked by our policy. We allow traffic to USA, Canada and most European countries.

I check MaxMind DB and that IP is marked as USA... 
I check the IP on my gateway IpToCountry.csv (timestamps March 7) using sk94364 and it comes up within a USA range...
I check SmartConsole and the logs mark the IP as USA...

I proceed with this one-liner to update the management IpToCountry.csv file which now marks the IP as from Bermuda. Not in line with MaxMind but Bermuda would indeed be blocked by our policy.
I download the latest IpToCountry.csv as per sk84801 and now I see that 199.49.20.6 is indeed now from Bermuda in that latest file. I didn't update it on the gateway, just a download on my computer to compare with the file on my gateway. 

Clearly something doesn't add up here... 

So would I be correct to say that Management still uses the IpToCountry.csv file to assign the flags and that file needs to be manually updated so flags are correctly represented?
And also that the gateway does not use the IpToCountry.csv file anymore? I didn't update the IpToCountry.csv on my gateway so it should be flagged as USA but yet it's flagged as something else since it's being blocked (Bermuda presumably).
If that is true and like stated in sk126172 the information is grabbed from MaxMind instead, why does my gateway not return the same results as that DB? And where is that info stored if not the CSV anymore? Can I force an update? 

This is so confusing! Any guidance would be appreciated! 

Labels
0 Kudos
1 Solution

Accepted Solutions
Thomas_Eichelbu
Advisor
Advisor
2 weeks ago
In response to casgrain
Jump to solution

Hello folks, 

just did some updates to R82 HFA 41 and stumbled over the same issue, seems the GW, never did a successfull GW DB Update.
i had a wrong matching on the GEO DB and i saw this logs:

GEO_Fail.png


i searched quite a long time .. and found

https://support.checkpoint.com/results/sk/sk92823

solution was to extend the cached for the GEO DB in the kernel.
the lines of the update already reached the default threshold of 300000

fw ctl set -f int geo_max_ip_ranges 400000

this finally helped .... 

GEO_Win.png


seems good now 🙂

I mean CP says GEO Policy is outdated and even no longer supported with R81+ versions ...
but i like this easy feature to keep terror states out!


 

View solution in original post

10 Replies
PhoneBoy
Admin
Admin
‎2023-03-22 02:34 PM
Jump to solution

Management is still using the IpToCountry.csv file.
Gateways are blocking per the Updatable Objects for those countries.
It’s a different way to retrieve the same information from a different backend.
See: https://community.checkpoint.com/t5/Management/R80-20-Updatable-Domain-Objects-and-CLI-Commands/m-p/... 

Note in both cases, the data comes from MaxMind.

casgrain
Participant
‎2023-03-24 07:14 AM
In response to PhoneBoy
Jump to solution

Is there any method to check what country and IP is associated to? Similar to how it can be done with IpToCountry.csv

From your referred post all I get from domains_tool is more or less equivalent to nslookup reverse dns lookup. 

0 Kudos
the_rock
Legend
Legend
‎2023-03-24 08:22 AM
In response to casgrain
Jump to solution

Let me know please @casgrain if you find that out. I actuallt had customer ask that exact question to TAC person on the phone, but they never gotten back to us if its even possible.

Would be nice if there is a command to do it.

Andy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
2 weeks ago
In response to the_rock
Jump to solution

https://www.maxmind.com/en/geoip-web-services-demo

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend
Legend
2 weeks ago
In response to G_W_Albrecht
Jump to solution

O yes,  I use that site often 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-24 01:31 PM
In response to casgrain
Jump to solution

You can see the actual definitions downloaded to the gateway in a subdirectory of $CPDIR/database/downloads/ONLINE_SERVICES/1.0/

0 Kudos
the_rock
Legend
Legend
‎2023-03-22 03:48 PM
Jump to solution

I would check out below:

https://community.checkpoint.com/t5/API-CLI-Discussion/One-liner-to-update-IpToCountry-data-on-Secur...

Never mind, I realized after I posted it you did that already. Maybe get TAC case created and get this sorted out.

Andy

0 Kudos
casgrain
Participant
‎2023-03-24 07:16 AM
In response to the_rock
Jump to solution

I'll go down that path to clarify things. Especially if there's a method to check IP/Country association manually and how to verify/trigger updates of those mappings. I'll make sure to share the info afterwards. 

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
2 weeks ago
In response to casgrain
Jump to solution

Hello folks, 

just did some updates to R82 HFA 41 and stumbled over the same issue, seems the GW, never did a successfull GW DB Update.
i had a wrong matching on the GEO DB and i saw this logs:

GEO_Fail.png


i searched quite a long time .. and found

https://support.checkpoint.com/results/sk/sk92823

solution was to extend the cached for the GEO DB in the kernel.
the lines of the update already reached the default threshold of 300000

fw ctl set -f int geo_max_ip_ranges 400000

this finally helped .... 

GEO_Win.png


seems good now 🙂

I mean CP says GEO Policy is outdated and even no longer supported with R81+ versions ...
but i like this easy feature to keep terror states out!


 

the_rock
Legend
Legend
2 weeks ago
In response to Thomas_Eichelbu
Jump to solution

Great find @Thomas_Eichelbu !

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events