01-13-2021 03:09 AM
We want to enable our GEO-IP and use the whitelist/blacklist from connection events.
We have a White/Blacklist of GEO-IP objects, we'd like these in the GLOBAL ACP so they are applied everywhere.
No matter where I place the GEO-IP block rule, if it is enabled the "whitelist now" (IP or URL) does not take effect.
Default action on the Global ACP and the individual ACPs is set to "Block All Traffic"
With the default action set to block - should I use GEO-IP to whitelist only and let the default rule block?
I'd like to find documentation on the flow: SI rules, Mandatory-Global-ACP, FTD-ACP, Default-Global-ACP
Something like (copied from another discussion):
01-13-2021 08:34 AM
If you want to allow certain sites or addresses which are otherwise prohibited by your ACP entry with a Geolocation rule, then they must be accounted for in a preceding entry in the ACP (requiring a policy deploy).
SI whitelist alone will not do this and, indeed, should not be necessary (*unless the address was for some reason blocked by the TALOS SI feed - very uncommon but I did see it happen once for an RFC 1918 address!).
01-13-2021 04:15 AM
01-13-2021 04:35 AM
Thanks Mohammed,
From what I read, the Security Intelligence (SI) is processed first (and you cannot use their whitelist/blacklist in rules), the whitelist overrides blacklists. And these lists are modified using "whitelist now" in event correlator.
But in my testing, if I blocked a country in my ACP, it did not matter if I whitelisted the IP/URL - which is not what I read.
01-13-2021 04:43 AM
If you "whitelist now" the SI stage will pass the traffic on to the ACP for further evaluation. At that point, the Geoblock ACP rule(s) would take effect. The SI Whitelist now is only to override what would have been otherwise blocked by SI - not to override your ACP rules.
You would need to put an allow rule in the ACP before the Geoblock rule to achieve the outcome I understand you to have described.
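A toy model of the evaluation order described in this thread (Security Intelligence first, with the whitelist only cancelling an SI block; then ACP rules top-down in the mandatory-global, device-ACP, default-global order the question lists; then the ACP default action). This is an added illustration, not Cisco's code or documentation; the addresses, country mapping, rule names and the assumed concatenation of the three ACP sections are constructed.

```python
from dataclasses import dataclass, field

# Constructed geolocation lookup (documentation addresses, not real data).
GEO = {"192.0.2.10": "US", "198.51.100.7": "CN", "203.0.113.5": "CN"}

@dataclass
class Rule:
    name: str
    action: str                                      # "allow" or "block"
    src_ips: set = field(default_factory=set)        # empty = any source
    src_countries: set = field(default_factory=set)  # empty = any country

    def matches(self, ip: str) -> bool:
        if self.src_ips and ip not in self.src_ips:
            return False
        if self.src_countries and GEO.get(ip) not in self.src_countries:
            return False
        return True

@dataclass
class Policy:
    si_blacklist: set = field(default_factory=set)
    si_whitelist: set = field(default_factory=set)   # "whitelist now" adds here
    mandatory_global: list = field(default_factory=list)
    device_acp: list = field(default_factory=list)
    default_global: list = field(default_factory=list)
    default_action: str = "block"                    # "Block All Traffic"

    def evaluate(self, ip: str):
        # Stage 1: Security Intelligence. The whitelist only cancels an SI
        # block; it does not exempt the flow from the ACP that follows.
        if ip in self.si_blacklist and ip not in self.si_whitelist:
            return "block", "SI blacklist"
        # Stage 2: ACP rules top-down, in the order the question lists them
        # (assumed concatenation: mandatory-global, device ACP, default-global).
        for rule in self.mandatory_global + self.device_acp + self.default_global:
            if rule.matches(ip):
                return rule.action, rule.name
        return self.default_action, "ACP default action"

def whitelist_now_vs_allow_rule(ip: str = "198.51.100.7"):
    """Reproduce the poster's test, then apply the accepted answer's fix."""
    geoblock = Rule("Geo block", "block", src_countries={"CN"})
    pol = Policy(si_blacklist={ip}, mandatory_global=[geoblock])
    pol.si_whitelist.add(ip)           # "whitelist now": SI passes it to the ACP
    before = pol.evaluate(ip)          # still blocked by the Geo rule
    pol.mandatory_global.insert(0, Rule("Allow partner", "allow", src_ips={ip}))
    after = pol.evaluate(ip)           # allow rule precedes the Geo rule
    return before, after
```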
01-13-2021 06:01 AM