In this post we are going to see how we can use the Firepower geolocation feature in the access control policy. The Firepower geolocation feature comes in handy if you want to block traffic from or to one or more countries, or even one or more continents. The FMC has a geolocation database stored locally; this database can be updated manually or automatically from the Cisco support site. It is recommended to schedule the Firepower geolocation updates, which are published on a weekly basis.
The FMC stores the geolocation database in the /var/sf/geodb folder. Inside this folder there is a file called ipv4_country_code_map which contains all the countries' IP addresses. The content of this file is not very intuitive: if you look at it you will see a bunch of lines with IP addresses and some codes at the end of each line. Let's take the following line as an example:
The above line defines an IP range with the IP address 184.108.40.206 as the first IP and the IP address 220.127.116.11 as the last one in that range. Now, what is the number 380? This number is the country code that the FMC and the FTD use for the IP-to-country mapping. To find out which country that code belongs to we need to jump into the FTD and look for the geoDBInfo.csv file, which is located inside the /ngfw/var/sf/ngfw_GeoDB folder. Let's grep for the number 380 and see what we get:
admin@ftdv-01:/ngfw/var/sf/ngfw_GeoDB$ more geoDBInfo.csv | grep 380
"italy", "380", "eu", "5", "ita", "it"
As you can see, the number 380 is associated with Italy, and on the same line the continent Europe is associated with the number 5. This is how the FTD associates the geolocation IP addresses pushed by the FMC with their countries and continents. In our example above we now know that the IP range 18.104.22.168-22.214.171.124 belongs to Italy in the Europe region.
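To make the two-file mapping concrete, here is an added Python example (not from the original post and not Cisco's code) that resolves an IP address to a country and continent the same way: it loads a geoDBInfo.csv-style table (the "italy" line is the one grepped above; the second line is a made-up placeholder entry) and a range map whose exact column layout is an assumption, since the post does not reproduce the raw ipv4_country_code_map line. The IP ranges, the "exampleland" entry and its codes are constructed sample data; only 380 = Italy and continent 5 = Europe come from the page.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample of the FTD geoDBInfo.csv. The "italy" row is the one
# shown on the page; "exampleland" is a made-up placeholder row.
GEODB_INFO = '''"italy", "380", "eu", "5", "ita", "it"
"exampleland", "999", "xx", "9", "exl", "xl"
'''

# Constructed sample range map. The page describes each line as first IP,
# last IP and a country code; the whitespace-separated layout used here is
# an ASSUMPTION about /var/sf/geodb/ipv4_country_code_map, not a verified one.
RANGE_MAP = '''203.0.113.0 203.0.113.255 380
198.51.100.0 198.51.100.127 999
'''

# Continent code 5 -> Europe is stated on the page; other codes are not.
CONTINENTS = {"5": "Europe"}


def load_country_codes(text):
    """Map numeric country code -> (country name, continent code, ISO-2 code)."""
    codes = {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 6:
            continue  # skip blank or malformed rows
        name, code, _region, continent, _iso3, iso2 = (f.strip() for f in row[:6])
        codes[code] = (name, continent, iso2)
    return codes


def load_ranges(text):
    """Return a sorted list of (first, last, code) with IPs as integers."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        first = int(ipaddress.IPv4Address(parts[0]))
        last = int(ipaddress.IPv4Address(parts[1]))
        if first > last:
            raise ValueError(f"first IP after last IP in range: {line!r}")
        ranges.append((first, last, parts[2]))
    ranges.sort()
    return ranges


def build_db():
    """Load both constructed tables; returns (ranges, codes)."""
    return load_ranges(RANGE_MAP), load_country_codes(GEODB_INFO)


def lookup(ip, ranges, codes):
    """Return (country, continent) for ip, or None if no range covers it."""
    n = int(ipaddress.IPv4Address(ip))
    starts = [r[0] for r in ranges]
    # Binary search: the candidate range is the last one starting at or before n.
    i = bisect.bisect_right(starts, n) - 1
    if i < 0:
        return None
    first, last, code = ranges[i]
    if n > last:
        return None  # falls in a gap between ranges
    name, cont_code, _iso2 = codes.get(code, ("unknown", "?", "?"))
    return name, CONTINENTS.get(cont_code, f"continent code {cont_code}")


if __name__ == "__main__":
    ranges, codes = build_db()
    for ip in ("203.0.113.10", "198.51.100.5", "192.0.2.1"):
        print(ip, "->", lookup(ip, ranges, codes))
```

The lookup mirrors what the FTD does when it classifies a connection: find the range that contains the address, take the numeric code at the end of the line, then translate that code through geoDBInfo.csv into a country and continent. Checking a few addresses against the Analysis > Advanced > Geolocation page on the FMC is a quick way to confirm the local copy of the database is the one actually deployed.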
Now let's see a couple of examples of how we can use the Firepower geolocation feature in the FMC access control policy. First, let's update the geolocation database on the FMC. To do so, go to the cog icon at the top right > Update > Geolocation Updates, tick the Download and install geolocation update from the Support Site option and click Import as shown below.
For the sake of this lab, let's say we want to block any traffic from our network destined to Italy. We will do our tests with the website libero.it. Let's first verify that we can ping that website and open it in our browser.
And here we can see in the FMC connection events that the traffic destined to Italy is allowed.
We can go to Analysis > Advanced > Geolocation, type in the IP address we want to look up and see which country is associated with it. An alternative is to use the Talos website or any other similar site.
Now we need to go into our access control policy and create a new rule where we will define Italy as the destination country and block the traffic that will be matching that rule.
To select the destination country, go to Network > Geolocation, expand the Europe category, select Italy and click Add to Destination. Notice I selected the above rule 1 option to place this new rule at the top of our access control policy; otherwise, in our case, this rule would not be matched.
Here is how our access control policy looks after we save the new rule:
Now after we deployed our changes to the FTD, let's go ahead and see if we can reach the website libero.it after adding our new rule. Remember to clear your browser cache before trying to open up the website again.
As we can see, ping failed as the traffic destined to Italy is being blocked by the FTD, and also the browser failed to open up the libero.it website. Here we can also see the events logs confirming that the traffic was blocked by the FTD:
Now let's say we want to block the traffic destined to France alongside Italy. The steps required to do this are almost identical; however, in this example I want to show you how to leverage the Geolocation object, where you can add multiple countries or continents. Using Geolocation objects can become very important, as the FMC only supports up to 50 network objects per rule. This means you can't add more than 50 individual countries to a rule. You can still add the continents that contain those countries, though.
To create our Geolocation object, go to Objects > Object Management > Geolocation > Add Geolocation.
Before we go ahead and edit the rule we created before to add the new Geolocation object, let's pick up a random website, and do some reachability checks. In this example, we will use the sortiraparis.com website:
Now let's edit our rule and add the new Geolocation object:
Now that we have edited and saved the rule and deployed the new changes to our FTD, let's go ahead and test the reachability of the website in France again:
As expected, after adding France to our access control policy rule, the website sortiraparis.com is not reachable anymore. The last thing I want to show you in this post before we wrap it up is how to add all countries in the world with the exception of one. This is not a common thing to do, but let's do it for fun. In this example, we will only allow the traffic to the UK, blocking the traffic to any other country. The steps are very similar to the previous ones:
The FMC does not seem to add any check mark into the Europe continent checkbox to indicate that there are some countries selected inside, however, you can notice the numbers next to Countries Selected where it shows we have 53 countries selected out of 54. That's because we did not select the UK from the Europe countries list. Let's go ahead and edit our rule one more time, and add the new Geolocation object.
From the above connection events we can see that only the traffic destined to the UK is allowed, and traffic destined to any other country is blocked by our access control policy rule.
As you can see, the Firepower geolocation feature is a powerful one and can come in handy in different scenarios to filter out traffic based on countries or regions.
Thank You for reading!