4/10/23, 11:51 AM
Configuring Geo Policy using Updatable Objects in R80.20 and higher
Support Center > Search Results > SecureKnowledge Details
Search Support Center
Configuring Geo Policy using Updatable Objects in R80.20 and higher
Rate This
Solution ID
My Favorites
sk126172
Technical Level
Product
Quantum Security Gateways, VSX
Version
R80.20 (EOL), R80.30 (EOL), R80.40, R81, R81.10, R81.20
OS
Gaia
Date Created
06-Jun-2018
Last Modified
02-Jan-2023
Cause
Solution
Background
The Geo database is downloaded from MaxMind, a leading provider of IP Intelligence and online fraud prevention tools.
MaxMind provides mapping of location data for IP addresses. The server downloads the updated database from MaxMind on a weekly basis.
To check the current country mapping by testing the IP address, visit the GeoIP2 City Database Demo page.
In R80.10 and lower versions, customers who wished to restrict access to/from a specific country/continent based on IP addresses, had to add them to the rule base a
after every change.
Check Point Solution for R80.20 and higher
For each Country/Continent, Check Point provides an updatable object that can be imported into SmartConsole.
Each country/continent object matches a list of IP addresses according to the MaxMind database.
On every update in MaxMind database, these objects are updated automatically on the managed Security Gateways and Clusters (no need to install policy).
When the source or destination IP address in traffic matches a Network object, the traffic is processed according to the action selected in the corresponding po
This feature is only supported for R80.20 and higher gateways.
Procedure
1. Connect with SmartConsole to the Management Server.
2. From the left navigation panel, click Security Policies.
3. In the Access Control section, click Policy.
4. Click in the Source or Destination column > click the [+] in the cell.
5. In the top right corner, click Import > Updatable Objects.
6. In the Updatable Objects window, choose the relevant continent/country from the list of objects.
7. Click OK.
8. Publish the session.
9. Install the Access Control policy.
Note: Updatable objects support IPv6.
Example of Geo updatable objects in the Source column (rule 3) and Destination column (rules 1 and 2):
Geo Policy hidden from navigation pane
Starting from R81, Geo Policy is hidden from the navigation pane if no rules are configured in that window (the Geo Policy option is no longer available in SmartConsol
Policies). Geo Policy is now supported through Updatable Objects in the Access Control Policy. You can still configure Geo Policy rules by using Updatable Objects as d
If you need the Geo Policy window, you can disable its hidden visibility by setting the environment variable "disableHiddenGeoPolicy" to any value.
Set the environment variable in the following way:
To set the environment variable:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk126172
1/2
4/10/23, 11:51 AM
Configuring Geo Policy using Updatable Objects in R80.20 and higher
1. Connect to command line.
2. Log in to the Expert mode.
3. Run:
cd $FWDIR/scripts/
./reload_env_vars.sh -e "disableHiddenGeoPolicy=1"
To unset the environment variable:
1. Connect to command line.
2. Log in to the Expert mode.
3. Run:
cd $FWDIR/scripts/
./reload_env_vars.sh -u "disableHiddenGeoPolicy"
Note - In a Multi-Domain environment, switch to the context of the Domain Management Server and apply the above steps.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
Give us Feedback
Please rate this document
Comment
[1=Worst,5=Best]
Enter your comment here
SECURE YOUR EVERYTHING ™
Follow Us
   
©1994-2023 Check Point Software Technologies Ltd. All rights reserved.
Copyright | Privacy Policy
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk126172
2/2