How to block another country in the FMC

macgyver0099_1
Level 1

Hi,

How can I block a country from accessing the BitTorrent application in Firepower?  I tried several different ways, but when I attempt to deploy the rule, my FMC yields a warning that there are no interfaces in that zone.  I also tried to block a country straight up, but get the same warning.

1 Accepted Solution

Hi Everyone,

Thank you for all of your help.  It would appear the error was actually a warning and not an error.  The configuration could still be deployed.  The warning in question was complaining the security zone was not tied to an interface on some (but not all) of the firepowers in my domain.

You can add or remove interfaces to a Security Zone by clicking edit on it under the same path that was provided before, Objects > Object Management > Interfaces.  I did this and was able to proceed to blocking the country and the application.

If you want to block traffic TO the country, then the Inside Security Zone needs to be set as source zone of the traffic and the country as destination network. If you want to block traffic FROM the country, then the Inside Security Zone needs to be set as the destination zone of the traffic and the country as the source network.

Keep in mind that if you add both a country and an app component to a rule, it becomes an AND condition, meaning that both the country and the application need to match the traffic for the rule to trigger. It will not match if only the country matches but not the application, or if only the application matches but not the country.

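The zone direction and AND matching described in the accepted solution, as an added Python sketch (not part of the original post and not Cisco code). It is a simplified model: the field names, rule names, device and interface names, and the country codes `XX`, `AA` and `BB` are constructed for illustration.

```python
from dataclasses import dataclass, fields
from typing import Optional

# Simplified model for illustration; names are assumptions, not FMC's schema.
@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_country: str
    dst_country: str
    app: str

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    src_country: Optional[str] = None
    dst_country: Optional[str] = None
    app: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        # Every condition that is set must match (AND); unset means "any".
        return all(getattr(self, f.name) in (None, getattr(flow, f.name))
                   for f in fields(Flow))

def first_match(flow, rules):
    """Name of the first rule that matches the flow, or None."""
    return next((r.name for r in rules if r.matches(flow)), None)

def devices_missing_zone(rule, device_zones):
    """Devices where a zone used by the rule has no interface assigned."""
    zones = {z for z in (rule.src_zone, rule.dst_zone) if z}
    return sorted(d for d, zmap in device_zones.items()
                  if any(not zmap.get(z) for z in zones))

# Constructed sample data: "XX" is a placeholder country code.
RULES = [
    Rule("block-bt-to-XX", src_zone="Inside", dst_country="XX", app="BitTorrent"),
    Rule("block-bt-from-XX", dst_zone="Inside", src_country="XX", app="BitTorrent"),
]
DEVICE_ZONES = {"ftd-a": {"Inside": ["eth1"], "Outside": ["eth0"]},
                "ftd-b": {"Inside": [], "Outside": ["eth0"]}}  # Inside unbound

if __name__ == "__main__":
    for flow in (Flow("Inside", "Outside", "AA", "XX", "BitTorrent"),
                 Flow("Inside", "Outside", "AA", "XX", "HTTPS"),
                 Flow("Outside", "Inside", "XX", "AA", "BitTorrent")):
        print(flow, "->", first_match(flow, RULES))
    print("zone unbound on:", devices_missing_zone(RULES[0], DEVICE_ZONES))
```

The HTTPS flow to `XX` falls through both rules because the application condition fails, and `ftd-b` is the device on which the zone warning from the thread would apply.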

2 Replies

@macgyver0099_1 if it's complaining about zones without an interface, have you just defined the ACP rule with source/destination networks? Can you provide screenshots of your rules and error?
