So I have a customer that gets hit a fair bit with intrusion attempts, etc. They only require external terminal server connections for, say, country "x".
I have created a Firepower control policy which blocks (with reset) all traffic originating externally with an internal destination on port 3389 from all countries except country "x". I created a geolocation object called "Geo_Restofworld" and selected all continents and countries except country "x".
So the policy only has one rule, which blocks "Geo_Restofworld" traffic to port 3389. The default action is Trust all traffic.
The rule appears to work really, really well. It does indeed block a LOT of traffic from outside of country "x"; however, there is a single IP that was allowed and logged. When I do a lookup on the IP address, I notice it is definitely from country "y", which is included in my "Geo_Restofworld" object.
So, is the Firepower GeoIP database not to be 100% trusted? I checked and I have the latest version installed (automatic updates). Is there any way to modify or update the current GeoIP database?