Solved: Re: FMC/FTD order of operations for GEOIP, ACL global, whitelist/blacklist

newbieftd · ‎01-13-2021

We want to enable our GEO-IP and use the whitelist/blacklist from connection events.

We have a White/Blacklist of GEO-IP objects, we'd like these in the GLOBAL ACP so they are applied everywhere.

No matter where I place the GEO-IP block rule, if it is enabled the "whitelist now" (IP or URL) does not take effect.

Default action on Global-ACP and individual-ACP's is set to "Block All Traffic"

With the default action set to block - should I use GEO-IP to whitelist only and let the default rule block?

I'd like to find documentation on the flow: SI rules, Mandatory-Global-ACP, FTD-ACP, Default-Global-ACP

Something like (copied from another discussion):

Marvin Rhoads · ‎01-13-2021

@newbieftd,

If you want to allow certain sites or addresses which are otherwise prohibited by your ACP entry with a Geolocation rule, then they must be accounted for in a preceding entry in the ACP (requiring a policy deploy).

SI whitelist alone will not do this and, indeed, should not be necessary (*unless the address was for some reason blocked by the TALOS SI feed - very uncommon but I did see it happen once for an RFC 1918 address!).

View solution in original post

Mohammed al Baqari · ‎01-13-2021

Hi,

If the whitelist rule is above blacklist rule, it should allow the IP/URL.
You need to check your rule to make sure that all conditions (if any) are
match such as port, domain, protocol, etc.

If its not matched, then the GEO classification is not able to classify
this IP/URL.

Use system support trace in CLI to see how the packets are processed in FTD
and whether your rule should matched or not.

***** please remember to rate useful posts

newbieftd · ‎01-13-2021

Thanks Mohammed,

From what I read, the Security Intelligence (SI) is processed first (and you cannot use their whitelist/blacklist in rules), the whitelist overrides blacklists. And these lists are modified using "whitelist now" in event correlator.

But in my testing, if I blocked a country in my ACP, it did not matter if I whitelisted the IP/URL - which is not what I read.

Marvin Rhoads · ‎01-13-2021

If you "whitelist now" the the SI stage will pass the traffic on to the ACP for further evaluation. At that point, the Geoblock ACP rule(s) would take effect.The SI Whitelist now is only to override what would have been otherwise blocked by SI - not to override your ACP rules.

You would need to put an allow rule in the ACP before the Geoblock rule to achieve the outcome I understand you to have described.

newbieftd · ‎01-13-2021

Thanks Marvin,

What is the best/proper way to incorporate GeoIP and whitelist/blacklists?

i.e. We block everything outside our home country via GeoIP (which must be added to an ACP rule - correct?) - then is the only way to poke a hole is to create a whitelist rule and place it before the GeoIP rule, and deploy - yes?

Is there any way to use the white/blacklists (SI objects) in an ACP rule (so you don't have to deploy)?

Marvin Rhoads · ‎01-13-2021

@newbieftd,

If you want to allow certain sites or addresses which are otherwise prohibited by your ACP entry with a Geolocation rule, then they must be accounted for in a preceding entry in the ACP (requiring a policy deploy).

SI whitelist alone will not do this and, indeed, should not be necessary (*unless the address was for some reason blocked by the TALOS SI feed - very uncommon but I did see it happen once for an RFC 1918 address!).