https://community.cisco.com/t5/network-security/geodb-accuracy-and-expectations/m-p/2995348#M18463 <P>So I have a customer that gets hit a fair bit with intrusion attempts etc. They only require external terminal server connections for say country "x".</P> <P></P> <P>I have created a firepower control policy which blocks (with reset) all traffic originating externally with an internal destination on port 3389 from all countries except country "x". - I created a geolocation object called "Geo_Restofworld" and selected all continents and countries except country "x".</P> <P></P> <P>So the policy only has one rule, which blocks "Geo_Restofworld" traffic to port 3389. The default action is Trust all traffic.</P> <P></P> <P>The rule appears to work really really well. It does indeed block a LOT of traffic from outside of country "x", however; there is a single IP that was allowed and logged - which if I do a lookup on the IP address I notice it is definitely from country "y" which is included in my "Geo_Restofworld" object.</P> <P></P> <P>So, is the Firepower GeoIP database not to be 100% trusted? I checked and I have the latest version installed (automatic updates). Is there any way to modify or update the current GeoIP database?</P> Wed, 16 Nov 2016 01:10:41 GMT Ella Bella 2016-11-16T01:10:41Z https://community.cisco.com/t5/network-security/geodb-accuracy-and-expectations/m-p/2995348#M18463 <P>So I have a customer that gets hit a fair bit with intrusion attempts etc. They only require external terminal server connections for say country "x".</P> <P></P> <P>I have created a firepower control policy which blocks (with reset) all traffic originating externally with an internal destination on port 3389 from all countries except country "x". - I created a geolocation object called "Geo_Restofworld" and selected all continents and countries except country "x".</P> <P></P> <P>So the policy only has one rule, which blocks "Geo_Restofworld" traffic to port 3389. The default action is Trust all traffic.</P> <P></P> <P>The rule appears to work really really well. It does indeed block a LOT of traffic from outside of country "x", however; there is a single IP that was allowed and logged - which if I do a lookup on the IP address I notice it is definitely from country "y" which is included in my "Geo_Restofworld" object.</P> <P></P> <P>So, is the Firepower GeoIP database not to be 100% trusted? I checked and I have the latest version installed (automatic updates). Is there any way to modify or update the current GeoIP database?</P> Wed, 16 Nov 2016 01:10:41 GMT https://community.cisco.com/t5/network-security/geodb-accuracy-and-expectations/m-p/2995348#M18463 Ella Bella 2016-11-16T01:10:41Z https://community.cisco.com/t5/network-security/geodb-accuracy-and-expectations/m-p/2995349#M18477 <P>You will not achieve 100% accuracy using GeoIP. According to MaxMind (widely used GeoIP service provider) an accuracy of&nbsp;<SPAN>99.8% on country level is to be expected. GeoIP updates are released every week for firepower (~ 5-7 days) so a window for false-positives/negatives is definitely&nbsp;possible.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>There is no way to manually edit the geoip database but you could create a custom blacklist which you can automatically download every 30 minutes from a webserver to your FMC and attach to your access control policy</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>As every security mechanism nothing will ever protect you 100%. Stack various security mechanisms to achieve an acceptable protection rate, false positives and false negatives are to be expected.&nbsp;</SPAN></P> Sat, 26 Nov 2016 10:18:55 GMT https://community.cisco.com/t5/network-security/geodb-accuracy-and-expectations/m-p/2995349#M18477 Oliver Kaiser 2016-11-26T10:18:55Z