Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3544
Views
0
Helpful
6
Replies

Cisco Firepower policy question

Go to solution
Hulk8647
Level 1
Level 1

‎02-28-2018 11:52 AM - edited ‎02-21-2020 07:27 AM

Hello,

If you look at the below policy inspection by Firepower, You have allow and block permits, etc...Let's say, Rule number 3 also says block country South Korea from any source to any destination and under rule 2, I am allowing access to samsung.com. If I access samsung.com, I should be allowed to get through, right? well, not the case. It's still blocked, and reason? - Country blocked. Why? I thought, If I'm allowing the website at rule 2, I shouldn't even hit rule 3 and beyond, correct? Don't understand this. I checked with Cisco, they didn't really have an answer for me. Any ideas?

 

 

AccessControlPolicy.png

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
John Telford
Level 1
Level 1
In response to Hulk8647

‎03-01-2018 02:23 PM

Sorry I wasn't looking at an FMC.

I meant under Security Intelligence (SI) add a DNS Policy with your domains in a DNS Whitelist.



If you are not using SI you should review the features, they add additional levels of security at the benefit of the device because the SI Blacklist occurs before Rule 1 - no CPU wasted on inspection.



Once you get the DNS whitelist working you can review the SI Category blocking for IP's and DNS and determine if it fits your needs.



Cisco link:

https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/DNS_Policies.pdf



popravak has good write-ups about Firepower features as well:

https://popravak.wordpress.com/2016/03/22/sourcefire-security-intelligence-dns-policy/



Regards

View solution in original post

0 Helpful
6 Replies 6

Go to solution
John Telford
Level 1
Level 1

‎02-28-2018 03:18 PM

Hello,

Yes that is the premise, what do your logged events indicate?

Is the request to the URL logged in the Trust and then the IP blocked in the GEO blocking rule?

 

Check direction for the rules.

If the URL is trusted Source > Destination and the GEO rule is blocking ANY-ANY then return traffic may be denied.

 

When it comes to URL's it can get interesting.

What method of URL filtering are you using? SI URL White list or URL filtering license?

 

The requested URL may initially be allowed but if the site utilizes a CDN then some or all the traffic may not be coming from that URL/Domain or even the same country.

 

The Event logs and a capture at the client of a working session should help with the mystery.

 

Regards.

0 Helpful

Go to solution
Hulk8647
Level 1
Level 1
In response to John Telford

‎03-01-2018 08:35 AM

Here is a part of the log, it says it was blocked by source country. But why? I included a screenshot of my policy.

 

LOG:

Inked2018-03-01 10_27_57-Cisco Firepower Management Center 750 6.2.0.1 Build 59 (CiscoIPS.enlivant.com) -_LI.jpg

POLICY

2018-03-01 10_32_39-Document1 - Word.pngIf you look at the policy Rule number 4, it allows the website "anology.com"(not samsung, anology and anology resides in Thailand) Now, If I am allowing anology.com at the rule 3, why is it still hitting rule 10. Rule 10 states block Thailand from source and from destination.

0 Helpful

Go to solution
John Telford
Level 1
Level 1
In response to Hulk8647

‎03-01-2018 09:07 AM

Ahh,

The other fun part of URL filtering and trusts.

On the Blocked log the 'Client' is DNS.



It is not blocking the URL, it is blocking the Domain lookup. We can't see the source/dest IP addresses in your event but I assume the returned DNS server for site resides in your Geo Block or it returned the IP located in your Geo block. I'm not sure which the Geo blocking is acting on.



Try add the domains for your trusted URL's to the DNS whitelist on rule #4.



You may still have issues depending on how your DNS is set up and located (behind the IPS) if it is querying DNS servers globally.

You also may still have issues if content returned from trusted URLS comes from other sources with different url.



Regards
0 Helpful

Go to solution
Hulk8647
Level 1
Level 1
In response to John Telford

‎03-01-2018 01:03 PM

I see whats you're saying, I just not sure what you mean by this:

Try add the domains for your trusted URL's to the DNS whitelist on rule #4.

 

Can you explain?

 

Also, you're right, because when I added a rule 9 (thats why you dont see it there, I temporarily disabled it) I had my DNS servers allowed to THAILAND and that worked.

 

2018-03-01 15_02_36-Cisco Firepower Management Center 750 6.2.0.1 Build 59 (CiscoIPS.enlivant.com) -.png

0 Helpful

Go to solution
John Telford
Level 1
Level 1
In response to Hulk8647

‎03-01-2018 02:23 PM

Sorry I wasn't looking at an FMC.

I meant under Security Intelligence (SI) add a DNS Policy with your domains in a DNS Whitelist.



If you are not using SI you should review the features, they add additional levels of security at the benefit of the device because the SI Blacklist occurs before Rule 1 - no CPU wasted on inspection.



Once you get the DNS whitelist working you can review the SI Category blocking for IP's and DNS and determine if it fits your needs.



Cisco link:

https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/DNS_Policies.pdf



popravak has good write-ups about Firepower features as well:

https://popravak.wordpress.com/2016/03/22/sourcefire-security-intelligence-dns-policy/



Regards
0 Helpful

Go to solution
Hulk8647
Level 1
Level 1
In response to John Telford

‎03-02-2018 06:17 AM

thank you, I will review those!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card