CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Geo Protection in R70.30 not updating

  1. #1
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Geo Protection in R70.30 not updating

    Although we finally got Geo Protection working, the updates are not and it's supposed to update daily by default. In GUIdbEdit we do see that

    update_countries_list = true

    but

    update_list_source_url is blank and has no default value. We're guessing it's not supposed to be.

    If you

    cd /opt/CPsuite-R70/fw1/tmp/geo_location_tmp/updates

    ls -al

    what do you see for a date stamp on IpToCountry.csv? Ours is June 16, 2010. The one in /var/opt/CPsuite-R70/fw1/conf is March 16, 2010.

    If you have a later date, would you please look in GUIdbEdit and post what you have for update_list_source_url ?

    Thanks,

    Ray
    Last edited by RayPesek; 2010-12-04 at 11:56.

  2. #2
    Join Date
    2008-11-23
    Location
    Atlanta, GA
    Posts
    542
    Rep Power
    12

    Default Re: Geo Protection in R70.30 not updating

    Ours isn't that date, but it's the install date with no updates since then. For the record it's July 29th.
    - boldin
    CISSP
    CCSE/R65

  3. #3
    Join Date
    2005-08-11
    Location
    San Francisco, CA
    Posts
    1,395
    Rep Power
    16

    Default Re: Geo Protection in R70.30 not updating

    Mine shows February 12th, 1984, but at least I can block East Germany if I wanted to!
    Barry J. Stiefel ("Stee-ful" or "Shtee-ful")
    B.S., MBA, CCSA/CCSE/CCSE+/CCSI
    Resilience RCSE/RCSI, Fortinet FCSE
    CISSP, MCSE, NSA ISM
    Founder of CPUG
    Founder of CPUG University

  4. #4
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Geo Protection in R70.30 not updating

    Kind of odd dates, eh? We actually uninstalled R70.30 this week as part of my other problem and reinstalled it. I do not know if those folders were deleted though. Tomorrow we're doing two more that have never had R70.20 or higher installed. I'll post what those dates are tomorrow.

    Thanks,

    Ray

  5. #5
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Geo Protection in R70.30 not updating

    The March 16th one is still March 16th. This was on a clean install; we had to blow the enforcement module away and install it from scratch.

    The other one has today's date. Both have a file size of 7050932

    We were only able to do one enforcement module today due to having to blow it away. The other one no doubt will be the same whenever we get around to doing it.

    Ray

  6. #6
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Geo Protection in R70.30 not updating

    The lack of responses is interesting. So which is it?

    a. Almost no one is using Geo Protection so this is not of interest.

    b. A lot of people are using Geo Protection but suddenly everyone has realized no one is receiving updates. I asked for a response if the dates were different, so almost no one has responded because they all have the same dates on the files.

    c. People find me annoying so they ignore me.

    d. All of the above.

    As an aside, the anti-spam feature has an IP Reputation feature and it, too, uses an IpToCountry.csv file. We're not licensed for it, so I'm wondering if the update mechanism is somehow messed up so it never updates unless you also have the anti-spam license. An IP Reputation feature that never has its core database updated seems somewhat useless.

    Ray

  7. #7
    Join Date
    2006-04-30
    Location
    Europe, Germany
    Posts
    433
    Rep Power
    15

    Default Re: Geo Protection in R70.30 not updating

    Quote Originally Posted by RayPesek View Post
    The lack of responses is interesting. So which is it?
    ...
    In my case it's A)

    At the moment I have absolutely no use case for GeoIP on the firewall level.
    I have used GeoIP for years in combination with other products, but mostly not for blocking.

    One thing is of interest to me, since you wrote that it is a simple CSV file.
    Can you post a few lines from the CSV file or compare it with the free ones provided by FREE IP to Country Database (IPV4 and IPV6)?

  8. #8
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Geo Protection in R70.30 not updating

    Dude! You rock! Not only is Check Point using it, they are shipping a version that is over a year old. <sigh>

    I wonder if I can just substitute the file. Excuse me while I go update my support case. :-)

    Thanks!

    Ray

    #
    # INFORMATION AND NOTES ON IpToCountry
    # ====================================
    #
    # ========================
    # A REQUEST From us to you
    # ========================
    #
    # It took a lot of work to put this database together and it takes even more to
    # maintain it. For this, we do not charge you anything. We would **really**
    # appreciate a link from your site back to us.
    #
    # It won't make you famous but it will earn you our gratitude :)
    #
    # ------------------------------------------------------------------------------
    # LICENSE
    # =======
    # This database is NOT freeware. It is licensed under the GENERAL PUBLIC LICENSE,
    # GPLv3 of June 29, 2009
    # See A Quick Guide to GPLv3 - GNU Project - Free Software Foundation (FSF) for details.
    # ------------------------------------------------------------------------------
    #
    # File Time Stamp : Wed Nov 4 06:40:01 2009 UTC.
    # Generator : ip.pl on webnet77 Low cost domain names, domain transfers, web hosting, email accounts, and so much more. (A Webnet77 Company)
    # Software Author : BRM
    # Software Version : 5.3.2
    # Contact : BibleForums Christian Message Board - Home
    # Download : FREE IP to Country Database (IPV4 and IPV6)
    # ################################################## ####################
    # BEFORE you send us questions, please see the FAQ:
    # GEO IP Database FAQ
    # ################################################## ####################
    #
    # ################################################## ####################
    # IMPORTANT !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
    # ################################################## ####################
    # PLEASE NOTE THIS DATABASE MOVED AT THE END OF JUNE 2009 TO
    # FREE IP to Country Database (IPV4 and IPV6)
    # THE OLD LINKS TO DOWNLOAD ARE CURRENTLY BEING REDIRECTED SO YOUR DOWNLOADS
    # WILL STILL WORK FOR NOW. BUT THIS WILL CHANGE EVENBTUALLY...
    #
    # YOU MUST EVENTUALLY UPDATE YOUR SOFTWARE TO USE THE CORRECT URL TO DOWNLOAD
    # THE DATABASE. PLEASE SEE 'AUTOMATIC DOWNLOADS' BELOW FOR DETAILS
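
The dates reported earlier in the thread are file modification times, which on these gateways tracked the install rather than the data. The header quoted in the post above carries the generator's own "File Time Stamp" and "Software Version", so freshness can be judged from the file itself. The following is an added example, not code from the thread or from Check Point; the sample data row, the 30-day threshold and the function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: comment header in the shape quoted in the post above,
# followed by one made-up data row so the parser has a place to stop.
SAMPLE = '''\
#
# INFORMATION AND NOTES ON IpToCountry
# File Time Stamp : Wed Nov 4 06:40:01 2009 UTC.
# Software Author : BRM
# Software Version : 5.3.2
"0","16777215","EXAMPLE","0","ZZ","ZZZ","Constructed row"
'''

FIELD_RE = re.compile(r"^#\s*(File Time Stamp|Software Version)\s*:\s*(.+?)\s*$")


def parse_header(text):
    """Extract the generator's own timestamp and version from the '#' header."""
    info = {"timestamp": None, "version": None}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            break  # first data row reached, header is over
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Software Version":
            info["version"] = value
            continue
        # "Wed Nov 4 06:40:01 2009 UTC." -> keep month, day, time, year only
        tokens = value.rstrip(".").split()
        try:
            stamp = datetime.strptime(" ".join(tokens[1:5]), "%b %d %H:%M:%S %Y")
            info["timestamp"] = stamp.replace(tzinfo=timezone.utc)
        except ValueError:
            pass  # malformed stamp: leave None so the caller treats it as unknown
    return info


def staleness(text, file_mtime, now, max_age_days=30):
    """Judge freshness from the header date; report the mtime only for contrast."""
    info = parse_header(text)
    mtime_age = (now - file_mtime).days
    if info["timestamp"] is None:
        # No usable header stamp: treat as stale rather than trusting the mtime.
        return {"version": info["version"], "data_age_days": None,
                "mtime_age_days": mtime_age, "stale": True}
    data_age = (now - info["timestamp"]).days
    return {"version": info["version"], "data_age_days": data_age,
            "mtime_age_days": mtime_age, "stale": data_age > max_age_days}


if __name__ == "__main__":
    utc = timezone.utc
    # Dates taken from the thread: mtime of June 16, 2010, checked on 2010-12-04.
    print(staleness(SAMPLE, datetime(2010, 6, 16, tzinfo=utc),
                    datetime(2010, 12, 4, tzinfo=utc)))
```

On a gateway the text would come from the first lines of IpToCountry.csv and `file_mtime` from `os.stat`; only the header date says how old the country data actually is.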

  9. #9
    Join Date
    2006-04-30
    Location
    Europe, Germany
    Posts
    433
    Rep Power
    15

    Default Re: Geo Protection in R70.30 not updating

    Quote Originally Posted by RayPesek View Post
    Dude! You rock! Not only is Check Point using it, they are shipping a version that is over a year old. <sigh>
    You gave me only the right information ;) In this case the keyword was
    uses an IpToCountry.csv file
    which I remember from this perl module Geo-IPfree - search.cpan.org

    If the format matches then I guess the file can be replaced with a fresh one, but I suspect there is a daemon/process to reload, since the database may be cached in memory for speed reasons.

  10. #10
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Geo Protection in R70.30 not updating

    I'm going to copy some posts I made at the CP forums here to complete the thread in case anyone is interested. It is confirmed as a bug present in at least R70.30. Briefly, the Geo Protection update feature must use a proxy server resolvable and reachable by the firewall even if the firewall is directly connected to the Internet. Our CSP configured a simple proxy at their location for us to use to get updates. CP confirmed a bug and will produce a hotfix.

    Ray
    ------------------------
    We just enabled Geo Protection debugging by using the command

    fw debug in.geod on TDERROR_ALL_ALL=5

    with

    fw debug in.geod off TDERROR_ALL_ALL=0

    to stop it when done. It will write to $FWDIR/log/geod.elg.
    -----------------------
    The IpToCountry.csv file on the gateway did not update this morning, but geod.elg has some interesting items.

    Note the URL in the very first line. It is a good link and allows me to download the current IpToCountry.csv file from a browser.

    A bit later there are some errors because it could not resolve some kind of proxy. There is no proxy needed because the enforcement module is directly connected to the Internet. There is also a note about an invalid password parameter.
    =====
    Before performing POST operation. url=https://updates.checkpoint.com/WebService/services/DownloadMetaDataService. cert path=/opt/CPsuite-R70/fw1/bin/ca-bundle.crt
    =====
    Note that there is a period at the end of DownloadMetaDataService . If I browse to that URL without the trailing period, it says
    -----
    DownloadMetaDataService

    Hi there, this is an AXIS service!
    Perhaps there will be a form for invoking the service here...
    -----
    If I add the trailing period to the browsed URL it says
    -----
    AXIS error

    No service is available at this URL
    -----
    If the log is accurately displaying what is going on, maybe it's the presence of the trailing period that is breaking things?

    I did search from GUIdbEdit for the main part of that URL but only found it with a "?wsdl" trailer in a field named download_center_address

    Interestingly, the very next field is named proxy_address and does have our internal proxy server set in it, but that's not resolvable from the gateway itself.

    Maybe the gateway is inadvertently trying to resolve the internal-only proxy we use for other IPS updates?

    Ray

    3:47:36] geo_location_update_geoip_dl: Downloading GEOIP file from 'http://sc1.checkpoint.com/fortune/IpToCountry.csv.gz'...
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] set_client: Client code was set to 35
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] geo_location_get_file:the client id is set
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] geo_location_get_file: phFilter created
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [NOTICE] http_client_create: CURL initialized successfully.
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [NOTICE] http_client_create: curl init finished successfully
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] http_client_set_opts: Recieved option 25
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] http_client_set_opts: Recieved option 1
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] http_client_set_opts: Recieved option 5
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] FDT_create: Getting the tderror log file handler
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [NOTICE] FDTparser_create: FDTParser created succesfully.
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] FDT_set_opts: Recieved option 20
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] http_client_set_opts: Recieved option 24
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] FDT_set_opts: Recieved option 16
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] http_client_set_opts: Recieved option 26
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] FDT_set_opts: Recieved option 11
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] http_client_set_opts: Recieved option 15
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] FDT_tderror_hide_password: called from create_info_soap
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] FDT_tderror_hide_password: invalid arguments
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] http_client_set_opts: Recieved option 10
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [INFO] http_client_apply_options: Setting ssl certificate verification to 2
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [NOTICE] http_client_get: Before performing POST operation. url=https://updates.checkpoint.com/WebService/services/DownloadMetaDataService. cert path=/opt/CPsuite-R70/fw1/bin/ca-bundle.crt
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [ERROR] http_client_get: Operation failed. Errorcode=5. Error String:couldnt resolve proxy
    Error Buffer=<NULL>
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [ERROR] FDT_get_data: Failed to get data from https://updates.checkpoint.com/WebSe...etaDataService
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] ==>geo_location_DataCB
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] geo_location_DataCB: FDT status not ok, returned 2
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] geo_location_get_file:get_data_results 2
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] geo_location_get_file: get_info: General Error
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] [NOTICE] http_client_destroy: Free HttpClient memory - Done.
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36] geo_location_update_geoip_dl: Failed to download file.
    [geod 16017 1857293232]@firewall[21 Dec 3:47:36]
    -------------------------------
    Hi Ray,

    It seems like one of the fixes is not included in Flo HFA. We will fix it.

    Thanks,
    Maya Maimon
    Check Point
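
A silent update failure like the one in the post above is easy to miss among the INFO and NOTICE lines of geod.elg. The following added example (not code from the thread or from Check Point) groups the log into download attempts and pulls out the error that explains each failure. The sample lines are constructed in the shape of the quoted excerpt, the function names are assumptions, and because the thread shows no success line, an attempt without a failure line is reported as "unknown".

```python
import re

# Constructed sample in the shape of the geod.elg excerpt quoted in the post above;
# the second attempt is cut off on purpose to exercise the "unknown" outcome.
_P1 = "[geod 16017 1857293232]@firewall[21 Dec 3:47:36] "
_P2 = "[geod 16017 1857293232]@firewall[22 Dec 3:47:36] "
_URL = "http://sc1.checkpoint.com/fortune/IpToCountry.csv.gz"
SAMPLE_LOG = "\n".join([
    _P1 + f"geo_location_update_geoip_dl: Downloading GEOIP file from '{_URL}'...",
    _P1 + "[NOTICE] http_client_create: CURL initialized successfully.",
    _P1 + "[ERROR] http_client_get: Operation failed. Errorcode=5. "
          "Error String:couldnt resolve proxy",
    "Error Buffer=<NULL>",
    _P1 + "[ERROR] FDT_get_data: Failed to get data from "
          "https://updates.checkpoint.com/WebSe...etaDataService",
    _P1 + "geo_location_update_geoip_dl: Failed to download file.",
    _P2 + f"geo_location_update_geoip_dl: Downloading GEOIP file from '{_URL}'...",
    _P2 + "[NOTICE] http_client_create: CURL initialized successfully.",
])

START_RE = re.compile(r"geo_location_update_geoip_dl: Downloading GEOIP file from '([^']+)'")
FAILED_RE = re.compile(r"geo_location_update_geoip_dl: Failed to download file")
ERROR_RE = re.compile(r"\[ERROR\] (\w+): (.*)")
CODE_RE = re.compile(r"Errorcode=(\d+)\. Error String:\s*(.*)")
STAMP_RE = re.compile(r"\[(\d{1,2} \w{3} \d{1,2}:\d{2}:\d{2})\]")


def parse_attempts(text):
    """Split the log into update attempts, each with its outcome and errors."""
    attempts, current = [], None
    for line in text.splitlines():
        start = START_RE.search(line)
        if start:
            stamp = STAMP_RE.search(line)  # may be missing on a truncated line
            current = {"when": stamp.group(1) if stamp else None,
                       "url": start.group(1), "outcome": "unknown", "errors": []}
            attempts.append(current)
            continue
        if current is None:
            continue  # lines outside any attempt
        err = ERROR_RE.search(line)
        if err:
            code = CODE_RE.search(err.group(2))
            current["errors"].append({
                "func": err.group(1),
                "code": int(code.group(1)) if code else None,
                "text": code.group(2) if code else err.group(2)})
        elif FAILED_RE.search(line):
            current["outcome"] = "failed"
            current = None
    return attempts


def diagnose(attempt):
    """Turn the errors of one attempt into operator hints."""
    hints = []
    for e in attempt["errors"]:
        if "resolve proxy" in e["text"]:
            hints.append("proxy name not resolvable from the gateway: "
                         "check the proxy_address value seen in GUIdbEdit")
    if attempt["outcome"] == "unknown":
        hints.append("no completion line logged for this attempt")
    return hints


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["when"], a["outcome"], diagnose(a))
```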

  11. #11
    Join Date
    2006-12-16
    Posts
    539
    Rep Power
    14

    Default Re: Geo Protection in R70.30 not updating

    Quote Originally Posted by RayPesek View Post
    I'm going to copy some posts I made at the CP forums here to complete the thread in case anyone is interested. It is confirmed as a bug present in at least R70.30. Briefly, the Geo Protection update feature must use a proxy server resolvable and reachable by the firewall even if the firewall is directly connected to the Internet. Our CSP configured a simple proxy at their location for us to use to get updates. CP confirmed a bug and will produce a hotfix.

    Excellent work Ray
    CCSA,CCSE,CCSE+,CCMSE+P1,CCMSE+VSX,CCMA #23

  12. #12
    Join Date
    2008-12-16
    Posts
    4
    Rep Power
    0

    Default Re: Geo Protection in R70.30 not updating

    Has anyone tried this in R71.10? (We had everything running great for months in R70.30)

    We have Geo Protection configured on 8 firewalls (UTMs to Power-1s) running R71.10. All 8 of them stop protecting and logging Geo Protections after a few hours. Geo Protection correctly restarts after a policy push and continues to work for the next several hours. Eventually it will stop logging and working. (Confirmed with relay proxy servers in source countries).

    We do know that the "in_geod" process is still running on the affected FWs and the PID does not go away, crash or restart. We even tracked the PID IDs for several weeks and they stay the same till a policy push gently restarts them.

    As this post states, we are configured to use the proxy server on each FW.

    Thanks
    mcatkinson

  13. #13
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    16

    Default Re: Geo Protection in R70.30 not updating

    Not us, but have you tried enabling debugging as per the previous post? That is what told us what was really going on. Maybe there will be a clue there.

    Ray

  14. #14
    Join Date
    2006-11-21
    Location
    Michigan
    Posts
    70
    Rep Power
    14

    Default Re: Geo Protection in R70.30 not updating

    https://forums.checkpoint.com/forums...art=0&start=15

    Update:

    I upgraded my enforcement points today to R71.2 from R70.3.

    I am still not using a proxy.

    The //opt/CPsuite-R71/fw1/tmp/geo_location_tmp/updates/IpToCountry.csv
    now shows version 5.6.0 updated today.

    So it looks like the need for a proxy to update Geo Protect has been fixed.
