topic Re: Firepower GeoBlocking Not Working in Network Security

Firepower GeoBlocking Not Working

gpowlin — Sun, 01 Nov 2020 14:16:54 GMT

I have China geo-blocked, both as a source and destination (separate rules of course), yet still see Intrusion Event blocks for traffic originating in China. Is this working as designed? The intrusion event based block is based on a malware signature being matched, so is it possible traffic hits this filter first, but otherwise would would get blocked via the geo-block policy? Just want to be sure this is working/configured properly and hoping I'm just not clear on the order of operations, so to speak. Thx,

Re: Firepower GeoBlocking Not Working

Mohammed al Baqari — Sun, 01 Nov 2020 16:07:45 GMT

Hi,

If you are using GEO blocking, then you should see 'IP Block' instead of
Malware signature. It seems that your GEO is not working. When you see that
it originated from China was this location identified by FMC in the event
log or another method.

Do you have a scheduled task to update Geo-DB in FMC and are these updates
installed successfully. You should be able to see this from the FMC tasks.
Also, can you confirm that Geo-DB is updated successfully on FTD.

**** please remember to rate useful posts

Re: Firepower GeoBlocking Not Working

gpowlin — Sun, 01 Nov 2020 16:36:24 GMT

Mohammed, thanks for the response!

I tried a more refined search (which I should have done in the first place) and can see blacklist, IPS, and I think geo based blocks for China.

For "Reason" I see "IP Block" associated with addresses included in my Global-Blacklist, then <blank> for events that look to be geo-blocked, and then "Intrusion Block" for those events IPS (signature-based) blocked. And, I am getting the source location of "China" from the event log.

I do have a scheduled task to update the Geo-DB, so that looks to be good and it is current.

So, maybe it all is working, and I just wasn't filtering properly. Do you know if the IPS is triggered before geo-blocking?

Thx,

Re: Firepower GeoBlocking Not Working

Mohammed al Baqari — Sun, 01 Nov 2020 17:28:09 GMT

Hi,

Yes I agree it seems to be working. By default IPS isn't done before identifying traffic unless you have the option "Intrusion Policy used before Access Control rule is determined" is set. In this case, IPS is done before ACP. This can be checked In the access control policy editor, click Advanced, then click edit next to the Network Analysis and Intrusion Policies section.

**** please remember to rate useful posts