https://community.cisco.com/t5/network-security/fmc-does-packet-state-impact-access-control-policy-processing/m-p/4436795#M1082406 <P>For our first rule in our Access Control Policy, we've got a geolocation block on incoming traffic from country X. There is no corresponding rule for outgoiong traffic to country X, however.</P><P>&nbsp;</P><P>So, as I understand it, anyone in country X trying to initiate a new connection to us would have the packet dropped. However, someone trying to initiate a connection&nbsp;<EM>to</EM> country X from inside our network would be allowed through the firewall.</P><P>&nbsp;</P><P>What I'm not clear on is, in the latter case, would the response packet from country X, which would hit the firewall with state "ESTABLISHED" rather than "NEW," still get blocked by the geolocation rule?</P> Wed, 21 Jul 2021 16:32:08 GMT 00u1arh1c7Nbc5p2z5d7 2021-07-21T16:32:08Z https://community.cisco.com/t5/network-security/fmc-does-packet-state-impact-access-control-policy-processing/m-p/4436795#M1082406 <P>For our first rule in our Access Control Policy, we've got a geolocation block on incoming traffic from country X. There is no corresponding rule for outgoiong traffic to country X, however.</P><P>&nbsp;</P><P>So, as I understand it, anyone in country X trying to initiate a new connection to us would have the packet dropped. However, someone trying to initiate a connection&nbsp;<EM>to</EM> country X from inside our network would be allowed through the firewall.</P><P>&nbsp;</P><P>What I'm not clear on is, in the latter case, would the response packet from country X, which would hit the firewall with state "ESTABLISHED" rather than "NEW," still get blocked by the geolocation rule?</P> Wed, 21 Jul 2021 16:32:08 GMT https://community.cisco.com/t5/network-security/fmc-does-packet-state-impact-access-control-policy-processing/m-p/4436795#M1082406 00u1arh1c7Nbc5p2z5d7 2021-07-21T16:32:08Z https://community.cisco.com/t5/network-security/fmc-does-packet-state-impact-access-control-policy-processing/m-p/4436806#M1082407 <P>Since FW is statefull if the connection intiated from inside and allowed, the that should be ok.</P> <P>&nbsp;</P> <P>if the intiation from outside should be blocked, your understanding correct ?</P> <P>&nbsp;</P> <P>Do you see any issue, or is that just clarfication ?</P> <P>&nbsp;</P> Wed, 21 Jul 2021 16:49:53 GMT https://community.cisco.com/t5/network-security/fmc-does-packet-state-impact-access-control-policy-processing/m-p/4436806#M1082407 balaji.bandi 2021-07-21T16:49:53Z https://community.cisco.com/t5/network-security/fmc-does-packet-state-impact-access-control-policy-processing/m-p/4436844#M1082409 <P>Thanks, Balaji. I was just looking for clarification.</P> Wed, 21 Jul 2021 17:54:32 GMT https://community.cisco.com/t5/network-security/fmc-does-packet-state-impact-access-control-policy-processing/m-p/4436844#M1082409 00u1arh1c7Nbc5p2z5d7 2021-07-21T17:54:32Z