topic Re: Firepower Module 6.4 - If I block traffic sourced by geolocation will it block returning traffic requested from inside the network? in Network Security

Firepower Module 6.4 - If I block traffic sourced by geolocation will it block returning traffic requested from inside the network?

N3t-Guy — Tue, 17 Nov 2020 21:17:26 GMT

Hello, I am wanting to set an access rule in my default policy that blocks traffic from certain geolocations. If I block traffic sourced by these geolocations to "any" will it drop web traffic initiated by my internal users? I know that returning traffic that is initiated from inside the network will normally be allowed but how will Firepower handle web traffic from my users destined to websites in these countries? Thank-you!

Re: Firepower Module 6.4 - If I block traffic sourced by geolocation will it block returning traffic requested from inside the network?

HQuest — Tue, 17 Nov 2020 22:06:17 GMT

A L3 access control is applied on the initial SYN packet of a brand new session; your return traffic is a SYN+ACK packet on an existing session, so no, the return traffic won't be dropped. For you to block, you need to place a restriction using these geolocations as "destination", which will match a SYN packet of a brand new session from your internal users.

Re: Firepower Module 6.4 - If I block traffic sourced by geolocation will it block returning traffic requested from inside the network?

N3t-Guy — Tue, 17 Nov 2020 23:50:48 GMT

Thank you. For now just want to block inbound but will eventually block outbound to prevent C2 to these locations so it sounds like just from source will work for now!