We created rules to block inbound and outbound traffic using a geolocation object. Both rules were at the top of the ACP, and were basically the inverse of each other. The rules were set up as follows:
------------------------------------------------------------------------------------------------------------
Name              | Source Zone | Destination Zone | Source Networks   | Destination Networks | any ... | Action
------------------------------------------------------------------------------------------------------------
inbound_geoblock  | internet_sz | any              | Geolocation_Block | Any                  | ...     | Block
------------------------------------------------------------------------------------------------------------
outbound_geoblock | any         | internet_sz      | any               | Geolocation_Block    | ...     | Block
------------------------------------------------------------------------------------------------------------
What we found was that all inbound traffic not in the Geolocation_Block group would hit the first rule and be sent to SNORT (Geoblock traffic was dropped). After that, the traffic would be evaluated by SNORT against the second rule (I think during pre-process). SNORT dropped any traffic that matched the second rule. On the remaining traffic, SNORT performed intrusion inspection and ultimately traffic not deemed malicious was allowed with no further analysis. In a nutshell, the two rules canceled each other out and all traffic not specifically blocked was allowed through the firewall.
This was an easy fix, but I would like to hear people's take on this.
*Added* - Having the inbound geolocation rule in place works as expected. One interesting thing I found is that the hit counts on rules later in the ACP do not increment on the FTD, but do in FMC.
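Added example (not code from the original post or from Cisco): a simplified first-match model of the two rules above, used to check which rule each sample flow hits and to make explicit that flows matching neither rule fall through to the policy's default action. It assumes the zone names from the post, constructed placeholder country codes for the Geolocation_Block object, and a plain top-down first-match evaluation rather than FTD's real prefilter/Snort pipeline.

```python
from dataclasses import dataclass

# Constructed placeholder country codes standing in for the Geolocation_Block object.
GEOLOCATION_BLOCK = {"XX", "YY"}
ANY = "any"


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_geo_blocked: bool  # True: source country must be in Geolocation_Block
    dst_geo_blocked: bool  # True: destination country must be in Geolocation_Block
    action: str


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_country: str
    dst_country: str


# The two rules from the post, in ACP order (top of the policy).
RULES = [
    Rule("inbound_geoblock", "internet_sz", ANY, True, False, "Block"),
    Rule("outbound_geoblock", ANY, "internet_sz", False, True, "Block"),
]


def _zone_matches(rule_zone: str, flow_zone: str) -> bool:
    return rule_zone == ANY or rule_zone == flow_zone


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only if every configured condition matches the flow."""
    if not _zone_matches(rule.src_zone, flow.src_zone):
        return False
    if not _zone_matches(rule.dst_zone, flow.dst_zone):
        return False
    if rule.src_geo_blocked and flow.src_country not in GEOLOCATION_BLOCK:
        return False
    if rule.dst_geo_blocked and flow.dst_country not in GEOLOCATION_BLOCK:
        return False
    return True


def evaluate(flow: Flow, rules=RULES, default_action="Allow"):
    """Return (rule name, action) of the first matching rule, else the default action."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "default", default_action
```

Running `evaluate` over inbound and outbound flows from both blocked and non-blocked countries shows each rule catching only its own direction, with everything else landing on the default action, which is why the result depends on what that default (and the inspection applied to it) is.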