https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340778#M1041333 Sorry I wasn't looking at an FMC.<BR /><BR />I meant under Security Intelligence (SI) add a DNS Policy with your domains in a DNS Whitelist.<BR /><BR /><BR /><BR />If you are not using SI you should review the features, they add additional levels of security at the benefit of the device because the SI Blacklist occurs before Rule 1 - no CPU wasted on inspection.<BR /><BR /><BR /><BR />Once you get the DNS whitelist working you can review the SI Category blocking for IP's and DNS and determine if it fits your needs.<BR /><BR /><BR /><BR />Cisco link:<BR /><BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/DNS_Policies.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/DNS_Policies.pdf</A><BR /><BR /><BR /><BR />popravak has good write-ups about Firepower features as well:<BR /><BR /><A href="https://popravak.wordpress.com/2016/03/22/sourcefire-security-intelligence-dns-policy/" target="_blank">https://popravak.wordpress.com/2016/03/22/sourcefire-security-intelligence-dns-policy/</A><BR /><BR /><BR /><BR />Regards<BR /> Thu, 01 Mar 2018 22:23:50 GMT John Telford 2018-03-01T22:23:50Z https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3339889#M1041328 <P>Hello,</P> <P>If you look at the below policy inspection by Firepower, You have allow and block permits, etc...Let's say, Rule number 3 also says block country South Korea from any source to any destination and under rule 2, I am allowing access to samsung.com. If I access samsung.com, I should be allowed to get through, right? well, not the case. It's still blocked, and reason? - Country blocked. Why? I thought, If I'm allowing the website at rule 2, I shouldn't even hit rule 3 and beyond, correct? Don't understand this. I checked with Cisco, they didn't really have an answer for me. Any ideas?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AccessControlPolicy.png" style="width: 571px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8156i5E7C39A8AD57C91A/image-dimensions/571x288?v=v2" width="571" height="288" role="button" title="AccessControlPolicy.png" alt="AccessControlPolicy.png" /></span></P> Fri, 21 Feb 2020 15:27:23 GMT https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3339889#M1041328 Hulk8647 2020-02-21T15:27:23Z https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340054#M1041329 <P>Hello,</P> <P>Yes that is the premise, what do your logged events indicate?</P> <P>Is the request to the URL logged in the Trust and then the IP blocked in the GEO blocking rule?</P> <P>&nbsp;</P> <P>Check direction for the rules.</P> <P>If the URL is trusted Source &gt; Destination and the GEO rule is blocking ANY-ANY then return traffic may be denied.</P> <P>&nbsp;</P> <P>When it comes to URL's it can get interesting.</P> <P>What method of URL filtering are you using? SI URL White list or URL filtering license?</P> <P>&nbsp;</P> <P>The requested URL may initially be allowed but if the site utilizes a CDN then some or all the traffic may <STRONG>not</STRONG> be coming from that URL/Domain or even the same country.</P> <P>&nbsp;</P> <P>The Event logs and a capture at the client of a working session should help with the mystery.</P> <P>&nbsp;</P> <P>Regards.</P> Wed, 28 Feb 2018 23:18:03 GMT https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340054#M1041329 John Telford 2018-02-28T23:18:03Z https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340554#M1041330 <P>Here is a part of the log, it says it was blocked by source country. But why? I included a screenshot of my policy. </P> <P>&nbsp;</P> <P>LOG:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Inked2018-03-01 10_27_57-Cisco Firepower Management Center 750 6.2.0.1 Build 59 (CiscoIPS.enlivant.com) -_LI.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8207i90BD97A772007C4B/image-size/large?v=v2&amp;px=999" role="button" title="Inked2018-03-01 10_27_57-Cisco Firepower Management Center 750 6.2.0.1 Build 59 (CiscoIPS.enlivant.com) -_LI.jpg" alt="Inked2018-03-01 10_27_57-Cisco Firepower Management Center 750 6.2.0.1 Build 59 (CiscoIPS.enlivant.com) -_LI.jpg" /></span></P> <P>POLICY</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2018-03-01 10_32_39-Document1 - Word.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8210iC2BFF904B3DAF585/image-size/large?v=v2&amp;px=999" role="button" title="2018-03-01 10_32_39-Document1 - Word.png" alt="2018-03-01 10_32_39-Document1 - Word.png" /></span>If you look at the policy Rule number 4, it allows the website "anology.com"(not samsung, anology and anology resides in Thailand) Now, If I am allowing anology.com at the rule 3, why is it still hitting rule 10. Rule 10 states block Thailand from source and from destination.</P> Thu, 01 Mar 2018 16:35:26 GMT https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340554#M1041330 Hulk8647 2018-03-01T16:35:26Z https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340581#M1041331 Ahh,<BR /><BR />The other fun part of URL filtering and trusts.<BR /><BR />On the Blocked log the 'Client' is DNS.<BR /><BR /><BR /><BR />It is not blocking the URL, it is blocking the Domain lookup. We can't see the source/dest IP addresses in your event but I assume the returned DNS server for site resides in your Geo Block or it returned the IP located in your Geo block. I'm not sure which the Geo blocking is acting on.<BR /><BR /><BR /><BR />Try add the domains for your trusted URL's to the DNS whitelist on rule #4.<BR /><BR /><BR /><BR />You may still have issues depending on how your DNS is set up and located (behind the IPS) if it is querying DNS servers globally.<BR /><BR />You also may still have issues if content returned from trusted URLS comes from other sources with different url.<BR /><BR /><BR /><BR />Regards<BR /> Thu, 01 Mar 2018 17:07:50 GMT https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340581#M1041331 John Telford 2018-03-01T17:07:50Z https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340744#M1041332 <P>I see whats you're saying, I just not sure what you mean by this:</P> <P>Try add the domains for your trusted URL's to the DNS whitelist on rule #4.</P> <P>&nbsp;</P> <P>Can you explain?</P> <P>&nbsp;</P> <P>Also, you're right, because when I added a rule 9 (thats why you dont see it there, I temporarily disabled it) I had my DNS servers allowed to THAILAND and that worked.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2018-03-01 15_02_36-Cisco Firepower Management Center 750 6.2.0.1 Build 59 (CiscoIPS.enlivant.com) -.png" style="width: 898px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8220iD21315836302134D/image-size/large?v=v2&amp;px=999" role="button" title="2018-03-01 15_02_36-Cisco Firepower Management Center 750 6.2.0.1 Build 59 (CiscoIPS.enlivant.com) -.png" alt="2018-03-01 15_02_36-Cisco Firepower Management Center 750 6.2.0.1 Build 59 (CiscoIPS.enlivant.com) -.png" /></span></P> Thu, 01 Mar 2018 21:03:09 GMT https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340744#M1041332 Hulk8647 2018-03-01T21:03:09Z https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340778#M1041333 Sorry I wasn't looking at an FMC.<BR /><BR />I meant under Security Intelligence (SI) add a DNS Policy with your domains in a DNS Whitelist.<BR /><BR /><BR /><BR />If you are not using SI you should review the features, they add additional levels of security at the benefit of the device because the SI Blacklist occurs before Rule 1 - no CPU wasted on inspection.<BR /><BR /><BR /><BR />Once you get the DNS whitelist working you can review the SI Category blocking for IP's and DNS and determine if it fits your needs.<BR /><BR /><BR /><BR />Cisco link:<BR /><BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/DNS_Policies.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/DNS_Policies.pdf</A><BR /><BR /><BR /><BR />popravak has good write-ups about Firepower features as well:<BR /><BR /><A href="https://popravak.wordpress.com/2016/03/22/sourcefire-security-intelligence-dns-policy/" target="_blank">https://popravak.wordpress.com/2016/03/22/sourcefire-security-intelligence-dns-policy/</A><BR /><BR /><BR /><BR />Regards<BR /> Thu, 01 Mar 2018 22:23:50 GMT https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3340778#M1041333 John Telford 2018-03-01T22:23:50Z https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3341232#M1041334 thank you, I will review those! Fri, 02 Mar 2018 14:17:43 GMT https://community.cisco.com/t5/network-security/cisco-firepower-policy-question/m-p/3341232#M1041334 Hulk8647 2018-03-02T14:17:43Z