IPS Geo Protection drops the wrong traffic when it is configured as a whitelist
Symptoms
  • When IPS Geo Protection is configured as a whitelist, traffic that should have been accepted is blocked. A whitelist here means:

    • "Allow" rules are configured in the "Policy for Specific Countries" section
    • "Block" is configured in the "Policy for Other Countries" section

    Example:

Cause

Such a configuration ("whitelisting") is currently not fully supported by IPS Geo Protection.


Solution

This issue was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version.

If you do not wish to upgrade, contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing it.
For faster resolution and verification, please collect CPinfo files from the Security Management Server and the Security Gateways involved in the case.

Hotfix installation instructions:

  1. The Hotfix has to be installed on the Security Gateway.

    Note: In a cluster environment, this procedure must be performed on all members of the cluster.
  2. Procedure:

    • Using CPUSE - On Security Gateway running Gaia OS R75.40 and above:

      Make sure to install the latest build of the CPUSE Agent.

      Refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent):

      • Section "(4-A-c)" / "(4-A-d)" - refer to import instructions for Offline procedure
      • Section "(4-B-a)" - refer to installation instructions for Hotfixes

      You can also use the sk111158 - Central Deployment Tool (CDT) to install this hotfix on Security Gateways.

      Note: Reboot is required.

    • Using Legacy CLI - On VSX Gateway running Gaia OS R75.40VS - R77.30; On Security Gateway running SecurePlatform/Linux/IPSO OS:

      Note: You must be connected either over Console or over the LOM card (an SSH session might be disconnected during installation). On VSX versions R75.40VS - R77.30, the Gaia CPUSE does not support installation of hotfixes (refer to sk92449 - section "(2)" - "VSX Gateways").

      1. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).

      2. Unpack and install the hotfix package:

        [Expert@HostName]# cd /some_path_to_fix/
        [Expert@HostName]# tar -zxvf fw1_wrapper_<HOTFIX_NAME>.tgz
        [Expert@HostName]# ./fw1_wrapper_<HOTFIX_NAME>

        Note: The script will stop all Check Point services (cpstop) - read the output on the screen.
      3. Reboot the machine.


The following workaround is also available:

Configure a blacklist instead: create "Block" rules for the countries from which you want to block traffic, and set "Allow" in the "Policy for Other Countries" section.
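The following is an added example, not Check Point's code: it models the Geo Protection decision (a matching rule in "Policy for Specific Countries" wins, otherwise the "Policy for Other Countries" action applies), derives the Block rules the workaround needs from a whitelist, and checks that both configurations decide identically for every country in a constructed sample country list. It also shows the one place where they differ: any country outside that list falls to the "Other Countries" action, which is Block for the whitelist but Allow for the workaround.

```python
"""Model of the IPS Geo Protection decision and of the blacklist workaround.

Hypothetical helper, not Check Point code. A policy is a mapping of
country code -> "Allow"/"Block" for the "Policy for Specific Countries"
section plus one default action for "Policy for Other Countries".
"""
from dataclasses import dataclass, field

# Constructed sample country list; a real run would use the full list of
# countries the gateway's geo database knows about.
ALL_COUNTRIES = ["US", "CA", "GB", "DE", "FR", "CN", "RU", "BR", "IN", "JP"]


@dataclass
class GeoPolicy:
    specific: dict = field(default_factory=dict)  # "Policy for Specific Countries"
    other: str = "Allow"                           # "Policy for Other Countries"

    def decide(self, country: str) -> str:
        # A matching specific-country rule wins; otherwise the default applies.
        return self.specific.get(country, self.other)


def whitelist(allowed) -> GeoPolicy:
    """The configuration the article describes: Allow specific, Block others."""
    return GeoPolicy({c: "Allow" for c in allowed}, other="Block")


def blacklist_equivalent(allowed, universe=ALL_COUNTRIES) -> GeoPolicy:
    """Workaround: explicit Block rules for every other country, default Allow."""
    blocked = sorted(set(universe) - set(allowed))
    return GeoPolicy({c: "Block" for c in blocked}, other="Allow")


def same_decisions(p1: GeoPolicy, p2: GeoPolicy, universe=ALL_COUNTRIES) -> bool:
    """True when both policies decide identically for every country in universe."""
    return all(p1.decide(c) == p2.decide(c) for c in universe)


if __name__ == "__main__":
    allowed = ["US", "CA", "GB"]
    wl, bl = whitelist(allowed), blacklist_equivalent(allowed)
    print("Block rules needed for the workaround:", sorted(bl.specific))
    print("Same decisions on all known countries:", same_decisions(wl, bl))
    # A country absent from the rule set falls to the default, which differs.
    print("Unknown country 'ZZ':", wl.decide("ZZ"), "vs", bl.decide("ZZ"))
```

Before switching to the workaround, run the comparison against the full country list your gateway uses, and remember that anything not covered by an explicit Block rule is allowed under the workaround.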

For more information about Geo Protections, refer to the "Configuring Geo Protections" section in the IPS Administration Guide for R77 versions.

This solution has been verified for the specific scenario described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
Applies To:
  • 02199090 , 02570893 , 02573231 , 02335004
