<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Ah ok - yes the excluded zone in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/firepower-rules-geofiltering/m-p/3033154#M42991</link>
    <description>&lt;P&gt;Ah ok - yes the excluded zone was what I was referring to.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You're welcome.&lt;/P&gt;</description>
    <pubDate>Mon, 17 Apr 2017 06:31:22 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2017-04-17T06:31:22Z</dc:date>
    <item>
      <title>FirePOWER Rules/Geofiltering</title>
      <link>https://community.cisco.com/t5/network-security/firepower-rules-geofiltering/m-p/3033151#M42978</link>
      <description>&lt;P&gt;Hello all, I just had a few questions about Geofiltering on an ASA 5512-X with FirePOWER services managed through ASDM. I believe that I have the rules set up correctly as everything is functioning as it should. I have the rules set up so that any packet with a source or destination address that is not from the US will be blocked. Obviously there are a few cases where I will need to exempt IPs outside of the US. What is the best way to accomplish this? Currently I have added two rules, one for inbound and one for outbound, that are linked to a network object containing the addresses I want to whitelist. The point of this rule is to catch the traffic before it hits the block rule and specifically allow it. I also enabled the IPS filtering and file policy on this rule. If my understanding is correct, the traffic I exempt should be matching this rule (which it is) and then be filtered through IPS and file policy and then not be processed by any further rules. I will post a screenshot of my rules below. Everything is functional; I just want to make sure that there is not a better, perhaps more elegant way to accomplish the same thing. I also don't want to have anything processing multiple times and causing unnecessary hardware utilization.&lt;/P&gt;
&lt;P&gt;&lt;IMG src="https://community.cisco.com/legacyfs/online/media/capture_277.png" class="migrated-markup-image" /&gt;&lt;/P&gt;
&lt;P&gt;Rules 1 and 2 are the geofilter bypass rules (the names are cut off) and also IPS and file policy filtering for matching traffic, 3 and 4 are the inbound or outbound match rules, and 5 is the IPS and file policy filtering for any traffic that makes it that far. I matched rule number 5 to the inside and outside zone to avoid filtering on a specific interface that I cannot have filtered. Is it okay that I have the source and destination zones as the same zone for both?&lt;/P&gt;
&lt;P&gt;Any feedback would be greatly appreciated! &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 13:48:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firepower-rules-geofiltering/m-p/3033151#M42978</guid>
      <dc:creator>brandonbittinger</dc:creator>
      <dc:date>2019-03-10T13:48:51Z</dc:date>
    </item>
    <item>
      <title>That looks pretty much like</title>
      <link>https://community.cisco.com/t5/network-security/firepower-rules-geofiltering/m-p/3033152#M42980</link>
      <description>&lt;P&gt;That looks pretty much like how I would do it and how it's taught by Cisco.&lt;/P&gt;
&lt;P&gt;I would only leave out the zones as I don't think they add any granularity that's not already implicit in the rest of the rules. (Unless you have other zones that aren't mentioned in your posting.)&lt;/P&gt;</description>
      <pubDate>Sun, 16 Apr 2017 21:37:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firepower-rules-geofiltering/m-p/3033152#M42980</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2017-04-16T21:37:24Z</dc:date>
    </item>
    <item>
      <title>There is one other zone</title>
      <link>https://community.cisco.com/t5/network-security/firepower-rules-geofiltering/m-p/3033153#M42982</link>
      <description>&lt;P&gt;There is one other zone containing one interface that I need to exclude from the filtering. It connects to a partner network and FirePOWER causes some issues. Is that what you were referring to?&lt;/P&gt;
&lt;P&gt;Other than that thank you for the feedback!&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 16 Apr 2017 21:37:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firepower-rules-geofiltering/m-p/3033153#M42982</guid>
      <dc:creator>brandonbittinger</dc:creator>
      <dc:date>2017-04-16T21:37:25Z</dc:date>
    </item>
    <item>
      <title>Ah ok - yes the excluded zone</title>
      <link>https://community.cisco.com/t5/network-security/firepower-rules-geofiltering/m-p/3033154#M42991</link>
      <description>&lt;P&gt;Ah ok - yes the excluded zone was what I was referring to.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You're welcome.&lt;/P&gt;</description>
      <pubDate>Mon, 17 Apr 2017 06:31:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/firepower-rules-geofiltering/m-p/3033154#M42991</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2017-04-17T06:31:22Z</dc:date>
    </item>
  </channel>
</rss>