Beginner

FirePOWER Geo Blocking Not Working

We have a server that runs a script to block traffic from certain non-US countries.  Every night it emails a list of the connections it had to block. 

We purchased FirePOWER - and configured GeoBlocking - to Block/Reset connections from those same countries - however we're still seeing the server log connections that it had to drop. 

Has anyone seen issues w/ GeoBlocking not working? 

What exactly happens when the firewall does a Block/Reset? 

This was a rather expensive purchase for something like this not to work as expected.

9 REPLIES
Hall of Fame Master

It works in my experience.

What happens with a block depends on whether you are running a dedicated FirePOWER appliance or a FirePOWER module in an ASA. The former will send a tcp reset directly to the client for the session at hand. The latter will send a message to the parent ASA directing it to do the same.

Contributor

I think I found out that I

I think I found out that I had to put the GeoLocation blocking in a rule all by its own. So make sure your rule doesn't have other tabs of configured stuff, just geo. Then I put that rule at the top of my list to block them right away with reset.

Participant

Re: I think I found out that I

This goes for all of the rules. It's not obvious, but there is a logical "and" for each of the tabs. So you cannot combine, for example, applications and URL filtering into one rule, because you have a logical "and" between them, which in most cases will never match. Because of this I have to have a lot of rules in the access control policy. I really wish there was an option to set the rule to "and" or "or" like some other vendors have.
Dan.

Beginner

Re: I think I found out that I

I know this is an old thread but if you add the rule to the very top that's great. But then the issue occurs if you want to add a specific IP address to allow: you must insert it above that rule and then your rule is no longer at the top.

Example, you GEO block the country of China and place that rule at the top. There is a specific IP address in China that you need to allow in. You must then place that rule above your GEO blocking rule.

If my GEO blocking rule is further down the list then the logs state that the country is blocked. However, I run packet captures and I know 100% that the traffic is getting through from these countries to my server even though the FMC states otherwise.

- Mark
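A minimal model of the two points raised in the replies above (rules are evaluated top-down with the first match winning, and the conditions configured in one rule are ANDed together). This is an added example, not code from the thread or from Cisco; the IP-to-country table is a constructed stand-in for the geolocation database.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed lookup standing in for the geolocation DB (sample values only).
GEO_DB = {"203.0.113.0/24": "CN", "198.51.100.0/24": "US"}


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_DB.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None


@dataclass
class Rule:
    name: str
    action: str                                        # "allow" or "block_reset"
    src_ips: set = field(default_factory=set)          # network condition
    src_countries: set = field(default_factory=set)    # geolocation condition
    apps: set = field(default_factory=set)             # application condition

    def matches(self, src_ip: str, app: str) -> bool:
        # Every condition that has entries must match (logical AND);
        # a condition left empty matches anything.
        conds = []
        if self.src_ips:
            conds.append(src_ip in self.src_ips)
        if self.src_countries:
            conds.append(country_of(src_ip) in self.src_countries)
        if self.apps:
            conds.append(app in self.apps)
        return all(conds)


def evaluate(policy, src_ip: str, app: str, default: str = "allow"):
    # First matching rule wins; rules below it are never consulted.
    for rule in policy:
        if rule.matches(src_ip, app):
            return rule.name, rule.action
    return "default", default


if __name__ == "__main__":
    # Exception rule above the geo block, as in Mark's example.
    policy = [Rule("allow-partner", "allow", src_ips={"203.0.113.10"}),
              Rule("geo-block-cn", "block_reset", src_countries={"CN"})]
    print(evaluate(policy, "203.0.113.10", "HTTP"))  # allowed by exception
    print(evaluate(policy, "203.0.113.20", "HTTP"))  # blocked by geo rule
```

Note that a rule combining a geolocation condition with an application condition only fires when both hold, so traffic from a blocked country using any other application falls through to the rules below it.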

Beginner

Re: I think I found out that I

I was having the same issue. I found that you cannot add the region (i.e. Asia, Africa) as the source network or you will still have traffic allowed through. I had to make rules and add the sub-entries of each region to get my block/resets to work right. I also had to make several rules because there is a limit of 50 entries for Source networks when creating a rule. Hopefully Cisco can get the regional blocks to work properly one day.

Enthusiast

Re: I think I found out that I

Instead of making several rules, create a GEO object with all the countries that you wanted to block. Worked well for me.

Beginner

Re: FirePOWER Geo Blocking Not Working

Having the same problem. We blocked a country as source traffic and are still seeing connections from the same originating country hitting our servers.

Devices we have are SFR 8350 managed from FMC.

Beginner

Re: FirePOWER Geo Blocking Not Working

Has anyone been able to respond to you? I created 3 global geolocation objects and used those defined in my access policy.

Access Policy, Networks - Geolocation - my 3 objects

Block and reset all traffic from these locations going anywhere.

I still get FMC notifications that IPs in China are attempting connections. I have also updated my GEO DB.

Hall of Fame Master

Re: FirePOWER Geo Blocking Not Working

@albert_sze 

FMC will notify you that the attempted connections from disallowed locations were dropped. That is normal and expected.
