CPUG: The Check Point User Group


Thread: How do you get Geo Protection to do anything?

  1. #1
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    15

    Default How do you get Geo Protection to do anything?

    We set some Geo Protection rules on an R70.30 SPLAT firewall that block inbound and outbound to most of RIPE and APNIC. I installed the policy on Friday. The firewall is using the Recommended Protection IPS Profile and the Geo Protection rules are set up on that profile as well. The Action is Prevent. "Track" is set to Log for both the rules and for the "Policy for other countries". In "Advanced" "aggregate" is un-checked.

    SmartView Tracker should be showing dozens of entries by now but it's showing zero. For example, we're blocking the Russian Federation but .ru traffic is being resolved in the logs. China.org.cn - China news, weather, business, travel & language courses on 202.130.245.33 is reachable but APNIC shows it's registered in China. Even APNIC - Home, which is registered in China, is reachable.

    SmartView Tracker is not showing any outbound traffic from the firewall except for the expected SMTP, DNS and NTP traffic. "Accept outgoing packets originating from Gateway" is checked and set to "Before Last". I would expect to see the periodic IP address table lookups occurring, at least even once, but there's nothing. "Log implied rules" is checked.

    Yes, we are using only blade licenses and we do have a valid IPS contract. :-)

    Any thoughts?

    Thanks,

    Ray

  2. #2
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    15

    Default Re: How do you get Geo Protection to do anything?

    Sorry, I'm in APNIC, my reply can't get through

  3. #3
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    15

    Default Re: How do you get Geo Protection to do anything?

    Actually your reply is proof positive that it doesn't work correctly. :-)

    Ray

  4. #4
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    15

    Default Re: How do you get Geo Protection to do anything?

    Interestingly, it started to work by itself with no indications. The best guess is that the country-to-IP database needs to be downloaded on some schedule.

    I used www.gov.hk as the test site and was looking at the logs for the two IP addresses it resolves to. It was logging fine and access was fine.

    I added a rule to block traffic to and from Hong Kong and to "Log" both the rule itself and to "Log" the "Policy for Other Countries". After I installed the policy I could no longer access www.gov.hk

    BUT absolutely nothing is logged. I cannot see any traffic from the gateway doing these country database downloads. Logging of the traffic to the two IP addresses associated with www.gov.hk stopped. It does not show up in All Records, nor in "IPS - All" nor in "IPS - Geo Protection".

    Having a firewall that blocks traffic and (apparently) downloads things from the Internet without logging it is not a good thing...

    Ray

  5. #5
    Join Date
    2010-07-17
    Posts
    37
    Rep Power
    0

    Default Re: How do you get Geo Protection to do anything?

    I'm new to this forum so I don't want to state the obvious, but my thoughts would be the obvious.

    I would guess you're not seeing anything showing in the logs as you might not be logging Implicit rules??

    Global Policy > Firewall, bottom of the window check the log Implicit rules??

    Also you said that you created a rule to block traffic to www.gov.uk or something like that, have you got that rule set to log?

    I'm sure these won't be the answers but I have to ask the obvious first to rule it out.

    I have a different problem with IPS and that is that the GEO protection is logging more than I want it to. Anyway, good luck I hope you find a fix.

  6. #6
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    15

    Default Re: How do you get Geo Protection to do anything?

    Thanks for the response. Sometimes the obvious isn't so obvious. Unfortunately we have always logged implied rules. Yes, everything is set to log.

    The country database updates once a day. There is an initial database installation on the first policy install but the rules I set may not have become active until the first daily download.

    Ray
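
The thread turns on two things: how a Geo Protection policy (per-country rules plus the "Policy for other countries", each with its own Track setting) decides and logs a connection, and what happens before the country-to-IP database has been downloaded. The following model is an added example written for this page; it is not Check Point code and makes no claim about how the gateway implements this internally. The country table is a constructed mapping of documentation prefixes to country codes, not real geolocation data, and the handling of the "no database loaded" state (fall through with an explicit log record) is an assumption of the model, included so that the silent gap Ray describes becomes visible in the output.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the gateway's daily-downloaded country database.
# These mappings are invented for the example (RFC 5737 documentation
# prefixes), not real geolocation data.
CONSTRUCTED_DB = [
    ("203.0.113.0/24", "CN"),
    ("192.0.2.0/24", "RU"),
    ("198.51.100.0/24", "US"),
]


@dataclass
class GeoRule:
    country: str        # ISO 3166 code the rule applies to
    direction: str      # "inbound", "outbound" or "both"
    action: str         # "Prevent" or "Accept"
    track: str = "Log"  # "Log" or "None"


@dataclass
class GeoPolicy:
    rules: List[GeoRule]
    other_countries_action: str        # the "Policy for other countries"
    other_countries_track: str = "Log"


@dataclass
class Decision:
    action: str
    matched: str                 # "rule:<CC>", "other-countries" or "no-country-data"
    country: Optional[str]
    log_line: Optional[str]      # None means nothing would reach SmartView Tracker


class CountryDB:
    """Longest-match is not needed here: the constructed prefixes do not overlap."""

    def __init__(self, entries):
        self.nets = [(ipaddress.ip_network(cidr), cc) for cidr, cc in entries]

    def lookup(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for net, cc in self.nets:
            if addr in net:
                return cc
        return None


def example_policy() -> GeoPolicy:
    """Block RU, CN and HK in both directions, log everything (mirrors the thread)."""
    return GeoPolicy(
        rules=[GeoRule("RU", "both", "Prevent"),
               GeoRule("CN", "both", "Prevent"),
               GeoRule("HK", "both", "Prevent")],
        other_countries_action="Accept",
    )


def evaluate(policy: GeoPolicy, db: Optional[CountryDB],
             src: str, dst: str, direction: str) -> Decision:
    """Classify the remote side of a connection and apply the geo policy."""
    remote = src if direction == "inbound" else dst
    if db is None or not db.nets:
        # Model assumption: with no country data nothing can be classified, so
        # no country rule can fire. Emit a record anyway so the gap is visible.
        line = f"geo: {direction} {src}->{dst} country=? action=Accept reason=no-country-data"
        return Decision("Accept", "no-country-data", None, line)
    country = db.lookup(remote)
    for rule in policy.rules:
        if rule.country == country and rule.direction in (direction, "both"):
            line = None
            if rule.track == "Log":
                line = (f"geo: {direction} {src}->{dst} country={country} "
                        f"rule={rule.country}/{rule.direction} action={rule.action}")
            return Decision(rule.action, f"rule:{rule.country}", country, line)
    line = None
    if policy.other_countries_track == "Log":
        line = (f"geo: {direction} {src}->{dst} country={country or '?'} "
                f"rule=other-countries action={policy.other_countries_action}")
    return Decision(policy.other_countries_action, "other-countries", country, line)


def unlogged_prevents(decisions: List[Decision]) -> List[Decision]:
    """Blocked connections with no log record: the condition the thread complains
    about (traffic stops, SmartView Tracker shows nothing)."""
    return [d for d in decisions if d.action == "Prevent" and d.log_line is None]


if __name__ == "__main__":
    db = CountryDB(CONSTRUCTED_DB)
    for src, dst, direction in [("10.0.0.5", "203.0.113.5", "outbound"),
                                ("198.51.100.7", "10.0.0.5", "inbound")]:
        print(evaluate(example_policy(), db, src, dst, direction).log_line)
    print(evaluate(example_policy(), CountryDB([]), "10.0.0.5", "203.0.113.5", "outbound").log_line)
```

Running the block prints one record per decision because aggregation is off, as in Ray's setup. The useful check for a practitioner is `unlogged_prevents`: if you replay a set of connections through your own rule set and any Prevent comes back without a log line, a rule (or the "Policy for other countries") has Track set to None; if every decision comes back as `no-country-data`, the country table has not been populated yet, which is the state Ray suspects between policy install and the first daily download.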

  7. #7
    Join Date
    2005-12-01
    Location
    Maryland
    Posts
    11
    Rep Power
    0

    Default Re: How do you get Geo Protection to do anything?

    Ray,

    You say that it updates once a day. How do you know that? My database appears to be 8 months old, and when I asked CP Support about it, they didn't know and are referring me to a CP SE.

    I may just not have something configured correctly, and that's why mine isn't updating.

  8. #8
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    15

    Default Re: How do you get Geo Protection to do anything?

    No, we have not gotten this working yet. There is a wealth of information on how this thing works here:

    https://forums.checkpoint.com/forums...10613&tstart=0

    including how to look at the actual files.

    Ray

  9. #9
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    15

    Default Re: How do you get Geo Protection to do anything?

    CP determined that if we did an upgrade_export, blew the thing away, installed R70 base, upgraded to R70.30 and did an upgrade_import that it should work. We did that on the combined SmartCenter/enforcement module and it did entirely fix the problem.

    We then rebuilt the standalone SmartCenter by creating an upgrade_export, installing R70 base and going to R70.30 and doing an upgrade_import.

    It did NOT fix it, unlike the combined SmartCenter/firewall. That told us it was an enforcement module issue.

    The only thing we could think of was the Sockstress hotfix, SK 42723. We downloaded it again and lo and behold, it is not the same one we applied. The one we applied has a patch file date of Sept 8, 2009 and is about 43MB in size. The current one in the SK article is dated Sept. 30, 2009 and is about 23MB in size.

    Ours had a file name of FW1_HOTFIX_FGC_HF_HA010_125_730125005_2

    The newer one has a file name of FW1_HOTFIX_FGC_HF_HA010_125_730125007_5.

    We uninstalled R70.30 on one enforcement module, rebooted, uninstalled the Sockstress hotfix, rebooted, installed R70.30 on top of R70.1, rebooted and everything is working fine. It looks like something in R70.30 did not overwrite something from the original Sockstress hotfix.

    We're going to do the other firewalls this weekend.

    I'd like to offer my thanks to the person at Check Point who decided to replace the hotfix and not notify people that there was an issue with it. Thanks for wasting five months of time and dozens of hours of work for us, our CSP and Check Point support.

    Ray
