Firepower Geoblocking Bypass

Dear Community,

We are currently using the Geolocation Blocking feature in our ACPs, blocking traffic to/from some specific countries. However, we have run into the occasional instance where we need to whitelist a single IP that resides in a specific blocked country because it was blocking legitimate traffic. Right now we are doing this by adding those IPs to a network object group, and then placing an allow rule above the blocking rule that is blocking traffic to the IP. So, in essence, we are creating exceptions for individual IPs that reside in otherwise blocked countries.

I was wondering, is there a more intelligent way to accomplish this besides waiting for a failure and playing "whack-a-mole" with the IP addresses? Is it possible to whitelist certain URLs that may have IP addresses that reside in a blocked country, allowing that traffic based on the URL instead?

Thank you.


3 Replies

Marvin Rhoads
Hall of Fame

Yes, you can use FQDN objects in your rules.

However that can also be an elusive goal as sometimes a given user might not get the same IP for a given URL that Firepower does due to how Content Delivery Networks (CDNs) may use multiple IP addresses for a given site.

Thank you Marvin. I have also run into this issue with the ASA, where the ASA will resolve a URL to one or more IP addresses but the IP address the client machine resolved to was not any of the ones the ASA resolved to. This would cause intermittent connectivity due to the ASA sometimes blocking and sometimes permitting.

Is the solution I am using the best so far? Basically get the public IP space of the service and whitelist it while all other IPs for the blocked country stay blocked?

Thanks.

Accepted Solution

Yes, your current approach is, while imperfect, the best you can do for now.

Some services like Microsoft 365 are now offering a dynamic feed which can be consumed in Firepower 7.0+ via the Cisco Secure Dynamic Attributes Connector (CSDAC). While offering some operational relief, that's far from widely available at this point.
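The feed-driven exception the answer above describes (a service's published IP space turned into a whitelist that sits above the geolocation block rule), as an added Python example that is not from this thread, from Cisco or from Microsoft. The feed entry shape, the prefix-to-country table and the first-match rule evaluation are constructed assumptions standing in for the real endpoint feed, the Firepower geolocation database and the ACP itself.

```python
import ipaddress
import json

# Constructed sample feed in the general shape of a service endpoint feed
# (entries carrying an "ips" list of CIDRs); this is assumed, not captured data.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "required": True,
     "ips": ["203.0.113.0/24", "2001:db8:10::/48"]},
    {"id": 2, "serviceArea": "Skype", "required": False,
     "ips": ["198.51.100.0/25"]},
])

# Constructed prefix-to-country table standing in for the geolocation database.
GEO_TABLE = {
    "203.0.113.0/24": "XX",   # blocked country, but hosts a needed service
    "198.51.100.0/24": "XX",
    "192.0.2.0/24": "YY",     # not blocked
}
BLOCKED_COUNTRIES = {"XX"}


def feed_prefixes(feed_json, required_only=True):
    """Collect the CIDRs that would populate the whitelist network object group."""
    nets = []
    for entry in json.loads(feed_json):
        if required_only and not entry.get("required", False):
            continue
        nets.extend(ipaddress.ip_network(c) for c in entry.get("ips", []))
    return nets


def country_of(ip):
    """Look the address up in the constructed geolocation table (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None


def evaluate(ip, whitelist):
    """First-match evaluation mirroring the ACP order: exception rule, geo block, default."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in whitelist):   # allow rule placed above the geo block
        return "allow (whitelist exception)"
    if country_of(ip) in BLOCKED_COUNTRIES:     # geolocation block rule
        return "block (geolocation)"
    return "allow (default)"
```

Because the whitelist comes from the feed rather than from observed failures, a prefix the service adds later is picked up on the next refresh instead of surfacing as a blocked connection first; an address in the blocked country that the feed does not list (the CDN case discussed above) is still blocked.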
