
Geolocation and prefilter on FTD.

nwtimberlake75
Level 1

Is there any chance that Geolocation will ever be available for use in prefilter rules?

 

What I would like to do is have a prefilter rule that will exempt certain subnets from undesirable locations - just analyze the traffic and pass it on to the ACP, and a second rule with all of the locations that we want to block.

 

This can be done within the ACP, but the powers that be do not feel comfortable with using Geolocation in allow rules (replacing allow "any" with something like allow "obj-geolocation-allow and obj-geoblock-exclude" (this group is specific subnets included in locations not selected in obj-geolocation-allow)).


3 Replies

Marvin Rhoads
Hall of Fame

I haven't seen it on any Cisco roadmap so far.

We have also been hoping for Geolocation to be used in a control plane ACL to restrict remote access VPN users.

gpowlin
Level 1

I was recently told there is an enhancement request in with Cisco to add the Geolocation capability to the control plane, as you've suggested above. It's worrisome to see the VPN get hammered from all over the world. A regular control plane ACL via Flex Config helps, but it is whack-a-mole and seems best applied as an allow for known good sources. Hopefully the enhancement happens soon. Do you have any insight on that?

There is an open ENH that has been around for several years. If you ask to have your use case added to help bump the priority given, your Cisco account manager should be able to do that for you.
