This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2023-07-02 11:33 AM

Geo Policy VS Updateable rules

Hi,

We have Geo policy as below:

 

geo.JPG

The problem is that we still see logs with "Accept" from these countries! for example from China:

geo1.JPG

geo3.JPG

What I know is that if the Geo policy is set to drop, no one packet (from countries included) will go through the firewall, or do i miss something?

I tried to use a rule with an updateable object as:

geo2.JPG

As you can see this rule is not getting any hits! even if there are many rules that accepted traffic from China over this one like rule 25 and 35.

 

Should these two (Geo policy & a rule with Updateable objects) being used together or only one should be used?

As you can see in the rule i have included Indonesia only to test if I will get some hits from a country that is not included in the Geo policy, but I got nothing.

0 Kudos
6 Replies
Wolfgang
MVP Gold
MVP Gold
‎2023-07-02 01:03 PM

Sometimes some IP addresses are not correctly classified, you have to investigate with TAC. But most common error is an outdated geo location database on the SMS. Use Dannys script One-liner to update IpToCountry data on Security Managements   to update the database. Geo Protection logs show the wrong country flag 

Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-07-03 01:41 AM

Updatable Objects were introduced in R80.20 to replace Geo Policy. Geo Policy was removed (or hidden) starting R81. Therefore it is advised to use Updatable Objects.

https://support.checkpoint.com/results/sk/sk131852

 

Also please refer to sk120261 Geo Protection logs show the wrong country flag:

https://support.checkpoint.com/results/sk/sk120261 

Moudar
MVP Silver
MVP Silver
‎2023-07-03 02:10 AM
In response to Tal_Paz-Fridman

I have verion 81.10

I have now removed the countries from the Geo policy and added these countries to a rule with updateable objects.

It now shows drops from my rule.

The question now is: Should I create a new rule with updateable objects for every section? Because the rule I created would drop traffic headed only to one section but not other sections.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-03 01:05 PM
In response to Moudar

It depends on how you've structured your rulebase and what your precise objectives are.
But, yes, you may need to add these objects in other rules in other places.

Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-07-31 05:40 AM
In response to Moudar

For awareness. R81.10 JHF T110:

PRJ-44952,
PRHF-28082

IPS

UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.
CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-07-31 07:22 AM
In response to Moudar

The way I do this for every customer is like this...regardless if you have inline layers or multiple ordered layers, makes no difference. I create geo block as very FIRST rule in network policy and block whatever needs to be blocked, using updatable objects. 

Andy

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events