Support Center > Search Results > SecureKnowledge Details
Configuring Geo Policy using Updatable Objects in R80.20 and higher Technical Level



The Geo database is downloaded from MaxMind, a leading provider of IP Intelligence and online fraud prevention tools.
MaxMind provides mapping of location data for IP addresses. The server downloads the updated database from MaxMind on a weekly basis.

To check the current country mapping by testing the IP address, visit the GeoIP2 City Database Demo page.

In R80.10 and lower versions, customers who wished to restrict access to/from a specific country/continent based on IP addresses, had to add them to the rule base as Host objects and  install policy after every change.

Check Point Solution for R80.20 and higher

  • For each Country/Continent, Check Point provides an updatable object that can be imported into SmartConsole.
  • Each country/continent object matches a list of IP addresses according to the MaxMind database.
  • On every update in MaxMind database, these objects are updated automatically on the managed Security Gateways and Clusters (no need to install policy).
  • When the source or destination IP address in traffic matches a Network object, the traffic is processed according to the action selected in the corresponding policy rule.
  • This feature is only supported for R80.20 and higher gateways.


  1. Connect with SmartConsole to the Management Server.
  2. From the left navigation panel, click Security Policies.
  3. In the Access Control section, click Policy.
  4. Click in the Source or Destination column > click the [+] in the cell.
  5. In the top right corner, click Import > Updatable Objects.
  6. In the Updatable Objects window, choose the relevant continent/country from the list of objects.
  7. Click OK.
  8. Publish the session.
  9. Install the Access Control policy.

Note: Updatable objects support IPv6.

Example of Geo updatable objects in the Source column (rule 3) and Destination column (rules 1 and 2):

Geo Policy hidden from navigation pane

Starting from R81, Geo Policy is hidden from the navigation pane if no rules are configured in that window (the Geo Policy option is no longer available in SmartConsole > Security Policies > Shared Policies). Geo Policy is now supported through Updatable Objects in the Access Control Policy. You can still configure Geo Policy rules by using Updatable Objects as described above.

If you need the Geo Policy window, you can disable its hidden visibility by setting the environment variable "disableHiddenGeoPolicy" to any value.
Set the environment variable in the following way:

To set the environment variable:

  1. Connect to command line.
  2. Log in to the Expert mode.
  3. Run:
    cd $FWDIR/scripts/
    ./ -e "disableHiddenGeoPolicy=1"  
To unset the environment variable:
  1. Connect to command line.
  2. Log in to the Expert mode.
  3. Run:
    cd $FWDIR/scripts/  
     ./ -u "disableHiddenGeoPolicy"

Note - In a Multi-Domain environment, switch to the context of the Domain Management Server and apply the above steps.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document