FMC Geolocation errors

Lee Dress
Level 1

I'm using Firesight Management Center 6.1 and have set up some geolocation blocks to prevent data from suspicious locations in the world getting into my network.

Analyzing some of the data that has been blocked, I come across a few IP addresses that report to be in foreign countries, but when I do a whois on the IP address they report to be part of Microsoft's IP range.

For example:

40.96.13.146 reports in FMC to be Malaysia. The Whois data says Redmond, Washington.

40.96.47.50 reports in FMC to be Korea. The Whois data says Redmond, Washington. (Same subnet)

This basically makes the Geolocation block I want to do unusable. As of today (11-23-16) the geolocation update that is installed is 2016-11-14-002, and there are no updates available that are newer.

Any ideas on what can be done? 

1 Reply

Marvin Rhoads
Hall of Fame

They are part of supernets assigned to Microsoft, but I suspect the actual locations are in Microsoft data centers in the countries reported. Remember Microsoft, like many organizations, operates data centers around the world while they register their addresses from an office in their corporate headquarters.

I ran a traceroute to each and, while the last few hops are buried in the end network and not reported, some inspection of the DNS entries for the ones nearing the end is telling. Most ISPs use IATA airport codes in their router names. The one reported as Malaysia reports "KUL" (Kuala Lumpur, Malaysia) and the one reported as Korea reports "PUS" (Gimhae International Airport in Busan, Korea).

Also, checking a third party geolocation database confirms what FMC reports. Reference:

http://dev.maxmind.com/geoip/legacy/geolite/#Autonomous_System_Numbers
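
The traceroute check described in the reply, as an added example that is not part of the original thread: it parses traceroute output, looks for IATA airport codes in router hostnames and compares the country they suggest with the one the geolocation database reports. The airport table is a small constructed subset, the function names are hypothetical, and the sample hostnames and addresses are made up.

```python
import re

# Constructed subset of IATA airport codes; a real check needs the full list.
IATA_COUNTRY = {
    "KUL": "Malaysia", "PUS": "Korea", "ICN": "Korea", "SIN": "Singapore",
    "NRT": "Japan", "HKG": "Hong Kong", "SEA": "United States",
    "LHR": "United Kingdom", "FRA": "Germany",
}

# One traceroute line: hop number, then either "*" or "hostname (ip)".
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\*|(\S+)\s+\(([\d.]+)\))")

def parse_hops(text):
    """Return [(hop_no, hostname_or_None)] from traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops

def iata_codes(hostname):
    """IATA codes appearing as whole letter-runs in the host labels."""
    labels = hostname.lower().split(".")[:-2]      # ignore registered domain
    runs = re.findall(r"[a-z]+", " ".join(labels))
    return [r.upper() for r in runs if r.upper() in IATA_COUNTRY]

def last_hop_hint(hops):
    """Country suggested by the named hop closest to the destination."""
    for hop_no, host in reversed(hops):
        codes = iata_codes(host) if host else []
        if codes:
            return hop_no, codes[-1], IATA_COUNTRY[codes[-1]]
    return None   # every hop was silent or carried no known code

def assess(geo_db_country, hops):
    """Compare the geolocation database's country with the traceroute hint."""
    hint = last_hop_hint(hops)
    if hint is None:
        return "no-evidence"
    return "consistent" if hint[2] == geo_db_country else "conflict"

# Constructed traceroute output (hostnames and addresses are made up).
SAMPLE = """\
 1  gw.corp.example.com (192.0.2.1)  0.4 ms
 2  ae-3.cr1.sea2.transit.example.net (198.51.100.5)  2.1 ms
 3  xe-0-1.br2.sin1.transit.example.net (198.51.100.9)  168.0 ms
 4  be-10.ibr01.kul30.carrier.example.net (203.0.113.7)  175.3 ms
 5  * * *
"""
```

A match is a hint rather than proof: three-letter runs in router names can collide with airport codes, so treat "consistent" as corroboration of the geolocation database and "conflict" as a reason to look closer.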
