Configuring Geo Policy using Updatable Objects in R80.20 and higher
Solution

Background

The Geo database is downloaded from MaxMind, a leading provider of IP Intelligence and online fraud prevention tools.
MaxMind provides mapping of location data for IP addresses. The server downloads the updated database from MaxMind on a weekly basis.

To check the current country mapping for an IP address, visit the GeoIP2 City Database Demo page.

In R80.10 and lower versions, customers who wish to restrict access to or from a specific country or continent based on IP addresses must add the addresses to the rule base as Host objects and install policy after every change.

Check Point Solution for R80.20 and higher

  • For each Country/Continent, Check Point provides an updatable object that can be imported into SmartConsole.
  • Each country/continent object matches a list of IP addresses according to the MaxMind database.
  • On every update to the MaxMind database, these objects are updated automatically on the managed Security Gateways and Clusters (no need to install policy).
  • When the source or destination IP address in traffic matches a Network object, the traffic is processed according to the action selected in the corresponding policy rule.

Procedure

  1. Connect with SmartConsole to the Management Server.
  2. From the left navigation panel, click Security Policies.
  3. In the Access Control section, click Policy.
  4. Click in the Source or Destination column > click the [+] in the cell.
  5. In the top right corner, click Import > Updatable Objects.
  6. In the Updatable Objects window, choose the relevant continent/country from the list of objects.
  7. Click OK.
  8. Publish the session.
  9. Install the Access Control policy.

[Screenshot: example of Geo updatable objects in the Source column (rule 3) and Destination column (rules 1 and 2)]

Geo Policy hidden from navigation pane

Starting from R81, Geo Policy is hidden from the navigation pane if no rules are configured in that window. Geo Policy is now supported through Updatable Objects in the Access Control Policy. Geo Policy rules can still be configured in Updatable Objects as described above.

If the Geo Policy window is needed, you can stop it from being hidden by setting the environment variable "disableHiddenGeoPolicy" to any value.
To set the environment variable:

    cd $FWDIR/scripts/
    ./reload_env_vars.sh -e "disableHiddenGeoPolicy=1"

To unset it:

    cd $FWDIR/scripts/
    ./reload_env_vars.sh -u "disableHiddenGeoPolicy=1"


This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
