We have a server that runs a script to block traffic from certain non-US countries. Every night it emails a list of the connections it had to block.
We purchased FirePOWER and configured GeoBlocking to Block/Reset connections from those same countries; however, we're still seeing the server log connections that it had to drop.
Has anyone seen issues with GeoBlocking not working?
What exactly happens when the firewall does a Block/Reset?
This was a rather expensive purchase for something like this not to work as expected.
It works in my experience.
What happens with a block depends on whether you are running a dedicated FirePOWER appliance or a FirePOWER module in an ASA. The former will send a TCP reset directly to the client for the session at hand. The latter will send a message to the parent ASA directing it to do the same.
I think I found out that I had to put the GeoLocation blocking in a rule all by itself. So make sure your rule doesn't have other tabs of configured stuff, just geo. Then I put that rule at the top of my list to block them right away with reset.
This goes for all of the rules. It's not obvious, but there is a logical "and" for each of the tabs. So you cannot combine, for example, applications and URL filtering into one rule, because you have a logical "and" between them, which in most cases will never match. Because of this I have to have a lot of rules in the access control policy. I really wish there was an option to set the rule to "and" or "or" like some other vendors have.
I know this is an old thread, but if you add the rule to the very top, that's great. But then the issue occurs if you want to add a specific IP address to allow: you must insert it above that rule, and then your rule is no longer at the top.
Example: you GEO block the country of China and place that rule at the top. There is a specific IP address in China that you need to allow in. You must then place that rule above your GEO blocking rule.
If my GEO blocking rule is further down the list, then the logs state that the country is blocked. However, I run packet captures and I know 100% that the traffic is getting through from these countries to my server even though the FMC states otherwise.
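A small model of the two behaviours described in the posts above: conditions on different tabs are ANDed inside one rule, and the first matching rule wins, so an allow exception has to sit above the geo block. This is an added example, not Cisco's code or any poster's configuration; the GeoDB prefixes, country codes, rule names and flows are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample GeoDB (documentation prefixes, not real allocations).
GEO_DB = {ip_network("203.0.113.0/24"): "CN", ip_network("198.51.100.0/24"): "US"}

def country_of(ip):
    addr = ip_address(ip)
    return next((cc for net, cc in GEO_DB.items() if addr in net), "unknown")

@dataclass
class Rule:
    name: str
    action: str                                       # "allow" or "block_reset"
    networks: set = field(default_factory=set)        # Networks tab: IPs or country codes
    url_categories: set = field(default_factory=set)  # URLs tab
    applications: set = field(default_factory=set)    # Applications tab

    def matches(self, conn):
        # Entries within one tab are ORed; an empty tab means "any".
        if self.networks and not (conn["src_ip"] in self.networks
                                  or country_of(conn["src_ip"]) in self.networks):
            return False
        # Tabs are ANDed: a non-HTTP flow has no URL category, so a URL condition fails it.
        if self.url_categories and conn.get("url_category") not in self.url_categories:
            return False
        if self.applications and conn.get("app") not in self.applications:
            return False
        return True

def evaluate(policy, conn):
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in policy:
        if rule.matches(conn):
            return rule.name, rule.action
    return "default", "allow"

# Constructed flows: an SSH probe from a CN address, and a needed partner host in CN.
SSH_FROM_CN = {"src_ip": "203.0.113.50", "app": "SSH"}
PARTNER_IN_CN = {"src_ip": "203.0.113.7", "app": "HTTPS", "url_category": "Business"}

GEO_AND_URL = [Rule("geo+url", "block_reset", {"CN"}, url_categories={"Gambling"})]
GEO_ONLY = [Rule("geo", "block_reset", {"CN"})]
EXCEPTION_BELOW = GEO_ONLY + [Rule("partner", "allow", {"203.0.113.7"})]
EXCEPTION_ABOVE = [Rule("partner", "allow", {"203.0.113.7"})] + GEO_ONLY

if __name__ == "__main__":
    print("geo+url, SSH from CN  ->", evaluate(GEO_AND_URL, SSH_FROM_CN))     # falls to default
    print("geo only, SSH from CN ->", evaluate(GEO_ONLY, SSH_FROM_CN))        # blocked
    print("exception below geo   ->", evaluate(EXCEPTION_BELOW, PARTNER_IN_CN))  # partner blocked
    print("exception above geo   ->", evaluate(EXCEPTION_ABOVE, PARTNER_IN_CN))  # partner allowed
```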
I was having the same issue. I found that you cannot add the region (i.e. Asia, Africa) as the source network or you will still have traffic allowed through. I had to make rules and add the sub-entries of each region to get my block/resets to work right. I also had to make several rules because there is a limit of 50 entries for Source networks when creating a rule. Hopefully Cisco can get the regional blocks to work properly one day.
Having the same problem: we blocked a country as the source of traffic and are still seeing connections from that same originating country hitting our servers.
The devices we have are SFR 8350 managed from FMC.
Has anyone been able to respond to you? I created 3 global geolocation objects and used those defined in my access policy.
Access Policy, Networks, Geolocation: my 3 objects.
Block and reset all traffic from these locations going anywhere.
I still get FMC notifications that IPs in China are attempting connections. I have also updated my GEO DB.
FMC will notify you that the attempted connections from disallowed locations were dropped. That is normal and expected.