ASA Firepower - Testing GeoIP result

Is there a way to see what country the Firepower system thinks an IP is from?

I get that I can create a rule and test whether the packet is allowed or denied, but I'd like more feedback from Firepower regarding what country it believes the IP is from.


Dennis Perto

Unfortunately there is not at the moment. In Firepower 6.2 we are able to look up the URL category, but I have not seen anything about geolocation lookups yet. I hope to be able to do this in the future. :)


It may be that I misunderstand the question... but, for example, in Analysis -> Context Explorer I can see Geolocation information for connections. The same goes for Analysis -> Connection Events. Please see the attachments.

Also, we need to periodically update the geolocation database on FMC in System -> Updates -> Geolocation Updates.

I might have misunderstood the question as well. 

What I mean is that it is not possible to test the geolocation before actually creating a rule to either allow or block. 

But it is definitely possible to see the history of connection events, and where the geolocation resolved it to be. 

Got it, thanks for the update. You meant something like the Bulk URL lookup feature, but for geolocation.

That was my thought. But now I am not certain that I understand the question from the thread starter. 

Yes. The idea is to evaluate IPs prior to rule creation and without logged traffic. 

Mostly this is to evaluate IP blocks which have been assigned to the customer prior to implementing, especially where existing geographic-based rules already exist.

Cisco added this feature in FMC 6.1:

Analysis > Lookup > Geolocation

You can enter up to 250 IP addresses and get back the Country, Country Code and Continent.

Oh my. You are right. 

Why did I not see that!

I had forgotten it too, Dennis.

Earlier I was re-reading a presentation (BRKSEC-2050 from Cisco Live US 2016), saw the feature mentioned and was reminded of this thread.

