Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3607
Views
10
Helpful
3
Replies

Firepower GeoBlocking Not Working

Go to solution
gpowlin
Level 1
Level 1

‎11-01-2020 06:16 AM

I have China geo-blocked, both as a source and destination (separate rules of course), yet still see Intrusion Event blocks for traffic originating in China.  Is this working as designed?  The intrusion event based block is based on a malware signature being matched, so is it possible traffic hits this filter first, but otherwise would would get blocked via the geo-block policy?  Just want to be sure this is working/configured properly and hoping I'm just not clear on the order of operations, so to speak.  Thx, 

1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎11-01-2020 09:28 AM

Hi,

 

Yes I agree it seems to be working. By default IPS isn't done before identifying traffic unless you have the option "Intrusion Policy used before Access Control rule is determined" is set. In this case, IPS is done before ACP. This can be checked In the access control policy editor, click Advanced, then click edit next to the Network Analysis and Intrusion Policies section.

 

 

**** please remember to rate useful posts 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎11-01-2020 08:07 AM

Hi,

If you are using GEO blocking, then you should see 'IP Block' instead of
Malware signature. It seems that your GEO is not working. When you see that
it originated from China was this location identified by FMC in the event
log or another method.

Do you have a scheduled task to update Geo-DB in FMC and are these updates
installed successfully. You should be able to see this from the FMC tasks.
Also, can you confirm that Geo-DB is updated successfully on FTD.

**** please remember to rate useful posts

Go to solution
gpowlin
Level 1
Level 1
In response to Mohammed al Baqari

‎11-01-2020 08:36 AM

Mohammed, thanks for the response!

 

I tried a more refined search (which I should have done in the first place) and can see blacklist, IPS, and I think geo based blocks for China.

 

For "Reason" I see "IP Block" associated with addresses included in my Global-Blacklist, then <blank> for events that look to be geo-blocked, and then "Intrusion Block" for those events IPS (signature-based) blocked.  And, I am getting the source location of "China" from the event log.

 

I do have a scheduled task to update the Geo-DB, so that looks to be good and it is current.

 

So, maybe it all is working, and I just wasn't filtering properly.  Do you know if the IPS is triggered before geo-blocking?

 

Thx,

 

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎11-01-2020 09:28 AM

Hi,

 

Yes I agree it seems to be working. By default IPS isn't done before identifying traffic unless you have the option "Intrusion Policy used before Access Control rule is determined" is set. In this case, IPS is done before ACP. This can be checked In the access control policy editor, click Advanced, then click edit next to the Network Analysis and Intrusion Policies section.

 

 

**** please remember to rate useful posts 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top