The use of geolocation is fairly obvious in monitoring networks with Firepower Management Center. What may be less obvious is that Continents and Countries can also be specified as the source or destination of connections in an Access Control Policy. Basically, this geographical information becomes one more match criteria that can be used to identify traffic for a block or allow action.
To get to this capability, open the Access Control Policy that is in use by the Firepower device. Within the policy, open or create an applicable rule. On the network tab (where you configure the source and destination addresses) a Geolocation tab can also be found. Clicking on this tab exposes Continents and Countries. These can be added as sources and/or destinations.
Note to reader: All Firepower content can be accessed by clicking here (or choosing Firepower from the menu at the top of the page).
As can be seen in the diagram above, I am creating a rule to block traffic to France. Before I save and deploy the policy changes to the device, I will confirm reachability to an IP address that exists in that part of Europe.
Last login: Mon Jul 17 11:48:29 on ttys000 PAULS:~ pauls$ ping www.parisinfo.com PING www.parisinfo.com (188.8.131.52): 56 data bytes 64 bytes from 184.108.40.206: icmp_seq=0 ttl=237 time=115.456 ms 64 bytes from 220.127.116.11: icmp_seq=1 ttl=237 time=121.466 ms 64 bytes from 18.104.22.168: icmp_seq=2 ttl=237 time=126.173 ms 64 bytes from 22.214.171.124: icmp_seq=3 ttl=237 time=116.089 ms 64 bytes from 126.96.36.199: icmp_seq=4 ttl=237 time=118.776 ms 64 bytes from 188.8.131.52: icmp_seq=5 ttl=237 time=115.351 ms 64 bytes from 184.108.40.206: icmp_seq=6 ttl=237 time=114.532 ms ^C --- www.parisinfo.com ping statistics --- 7 packets transmitted, 7 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 114.532/118.263/126.173/3.930 ms
After saving the changes and applying the policy to the device, I will test to make sure the traffic is blocked.
PAULS:~ pauls$ ping en.parisinfo.com PING www.parisinfo.com (220.127.116.11): 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1 Request timeout for icmp_seq 2 Request timeout for icmp_seq 3 Request timeout for icmp_seq 4 ^C --- www.parisinfo.com ping statistics --- 6 packets transmitted, 0 packets received, 100.0% packet loss
Geolocation is a parameter that might not be an obvious option, but a useful addition to the match criteria of an Access Control Policy. I’m always curious to what extent others are using this feature and if any caveats have surfaced.
If you have feedback to share or other tips or tricks for maintaining and operating a Firepower solution, please share them by commenting below.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This
may or may does not reflect the position of past, present or future employers.