11-17-2020 01:17 PM
Hello, I am wanting to set an access rule in my default policy that blocks traffic from certain geolocations. If I block traffic sourced by these geolocations to "any", will it drop web traffic initiated by my internal users? I know that returning traffic that is initiated from inside the network will normally be allowed, but how will Firepower handle web traffic from my users destined to websites in these countries? Thank you!
11-17-2020 02:06 PM
An L3 access control is applied on the initial SYN packet of a brand new session; your return traffic is a SYN+ACK packet on an existing session, so no, the return traffic won't be dropped. For you to block, you need to place a restriction using these geolocations as "destination", which will match a SYN packet of a brand new session from your internal users.
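To make the SYN-only evaluation concrete, here is an added Python model of a stateful L3 policy (example code, not Firepower's implementation): access rules are consulted only on the first SYN of a session, later packets are matched against a connection table, and the same scenario is run with the blocked geolocations set as source, as destination, or both. The addresses and the GEO lookup table are constructed assumptions, not real GeoIP data.

```python
from dataclasses import dataclass

# Constructed address-to-geolocation map (assumption, not real GeoIP data).
GEO = {"203.0.113.10": "XX", "10.0.0.7": "INTERNAL", "10.0.0.8": "INTERNAL"}
BLOCKED_GEOS = {"XX"}  # geolocations the policy should block (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool


class StatefulFirewall:
    """Minimal model: rules are checked on the initial SYN only; everything
    else is decided by the connection table (existing session or not)."""

    def __init__(self, match_on):
        assert match_on in ("source", "destination", "both")
        self.match_on = match_on
        self.sessions = set()  # (initiator, responder) pairs

    def _rule_blocks(self, pkt):
        src_geo, dst_geo = GEO.get(pkt.src), GEO.get(pkt.dst)
        if self.match_on in ("source", "both") and src_geo in BLOCKED_GEOS:
            return True
        return self.match_on in ("destination", "both") and dst_geo in BLOCKED_GEOS

    def process(self, pkt):
        # Return traffic on an established session never hits the access rules.
        if (pkt.src, pkt.dst) in self.sessions or (pkt.dst, pkt.src) in self.sessions:
            return "allow (existing session)"
        if pkt.syn and not pkt.ack:  # brand new session: evaluate the policy
            if self._rule_blocks(pkt):
                return "drop (access rule)"
            self.sessions.add((pkt.src, pkt.dst))
            return "allow (new session)"
        return "drop (no session)"  # e.g. a SYN+ACK for a session we never saw


def scenario(match_on):
    """Run an outbound web session to a server in geo XX, its SYN+ACK reply,
    and an unsolicited inbound connection attempt from XX to an internal host."""
    fw = StatefulFirewall(match_on)
    return {
        "outbound_syn": fw.process(Packet("10.0.0.7", "203.0.113.10", syn=True, ack=False)),
        "return_synack": fw.process(Packet("203.0.113.10", "10.0.0.7", syn=True, ack=True)),
        "inbound_syn": fw.process(Packet("203.0.113.10", "10.0.0.8", syn=True, ack=False)),
    }
```

With `match_on="source"` the outbound session and its SYN+ACK are allowed while the unsolicited inbound SYN is dropped; with `match_on="destination"` the outbound SYN is dropped but the inbound SYN is allowed, so blocking both directions needs both rules.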
11-17-2020 03:50 PM
Thank you. For now I just want to block inbound, but will eventually block outbound to prevent C2 to these locations, so it sounds like just from source will work for now!