10-11-2021 07:25 AM
Dear Community,
We are currently using the Geolocation Blocking feature in our ACPs, blocking traffic to/from some specific countries. However, we have run into the occasional instance where we need to whitelist a single IP that resides in a specific blocked country because it was blocking legitimate traffic. Right now we are doing this by adding those IPs to a network object group, and then placing an allow rule above the blocking rule that is blocking traffic to the IP. So, in essence, we are creating exceptions for individual IPs that reside in otherwise blocked countries.
I was wondering, is there a more intelligent way to accomplish this besides waiting for a failure and playing "whack-a-mole" with the IP addresses? Is it possible to whitelist certain URLs that may have IP addresses that reside in a blocked country, allowing that traffic based on the URL instead?
Thank you.
10-11-2021 08:47 PM
Yes, your current approach is, while imperfect, the best you can do for now.
Some services like Microsoft 365 are now offering a dynamic feed which can be consumed in Firepower 7.0+ via the Cisco Secure Dynamic Attributes Connector (CSDAC). While offering some operational relief, that's far from widely available at this point.
10-11-2021 01:09 PM
Yes you can use FQDN objects in your rules.
However that can also be an elusive goal as sometimes a given user might not get the same IP for a given URL that Firepower does due to how Content Delivery Networks (CDNs) may use multiple IP addresses for a given site.
10-11-2021 01:28 PM
Thank you Marvin. I have also run into this issue with the ASA, where the ASA will resolve a URL to one or more IP addresses but the IP address the client machine resolved to was not any of the ones the ASA resolved to. This would cause intermittent connectivity due to the ASA sometimes blocking and sometimes permitting.
Is the solution I am using the best so far? Basically get the Public IP space of the service and whitelist it while all other IPs for the blocked country stay blocked?
Thanks.
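The approach discussed in this thread (a network object group built from a service's published IP space, placed in an allow rule above the geolocation block rule) can be modelled as first-match rule evaluation. The following is an added example, not code from the thread or from Cisco; the feed layout, the geolocation table and the default-allow action are constructed assumptions standing in for the real feed and the appliance's geo database.

```python
import ipaddress
import json

# Constructed sample in the shape of a published service IP feed
# (records carrying CIDR lists); not real vendor data.
SAMPLE_FEED = json.dumps([
    {"serviceArea": "Exchange", "ips": ["203.0.113.0/24", "2001:db8:10::/48"]},
    {"serviceArea": "SharePoint", "ips": ["198.51.100.0/25"]},
])

# Constructed geolocation table (stand-in for the appliance's geo DB):
# prefix -> country code. "XX" plays the role of a blocked country.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",
    ipaddress.ip_network("198.51.100.0/24"): "XX",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
BLOCKED_COUNTRIES = {"XX"}


def feed_to_object_group(feed_json):
    """Turn the feed's CIDRs into a summarised network object group."""
    nets = [ipaddress.ip_network(c) for rec in json.loads(feed_json) for c in rec["ips"]]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def country_of(ip):
    """Look the address up in the constructed geo table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_DB.items() if addr in net), None)


def build_policy(allow_group, exception_first=True):
    """Ordered ACP as (name, action, matcher) rules; first match wins."""
    allow = ("allow-service-exception", "allow",
             lambda ip: any(ipaddress.ip_address(ip) in n for n in allow_group))
    geo = ("block-geo", "block", lambda ip: country_of(ip) in BLOCKED_COUNTRIES)
    return [allow, geo] if exception_first else [geo, allow]


def evaluate(policy, ip):
    """Return (rule_name, action) of the first matching rule; assumed default allow."""
    for name, action, match in policy:
        if match(ip):
            return name, action
    return "default", "allow"
```

Swapping the rule order (`exception_first=False`) shows why the exception must sit above the geo rule: the same service address is then caught by the country block before the allow rule is ever consulted.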