Cisco Firepower Threat Defense (FTD) can filter traffic based on the geolocation of the source IP address. A Geolocation database (GeoDB) is a database of geographic data (such as country, city and coordinates) and connection-related data (ISP, domain name and connection type).
The FMC downloads the Geolocation database (GeoDB) from the Cisco Cloud and updates it regularly; updates are either automatic, via a scheduled task on the FMC, or manual, by downloading the update from the Cisco website and uploading it to the FMC.
GUI location: System > Updates > Geolocation Updates
The FMC stores the GeoDB information in the location /var/sf/geodb/ipv4_country_code_map. This country code map is a database that associates an IP address range with a country.
The country code map lists the data in the format <Start IP Address>,<End IP Address>,<Country Code>
The FTD has a CSV file located in /ngfw/var/sf/ngfw_GeoDB/ called “geoDBInfo.csv” which contains the information about the country codes.
Run the command cat geoDBInfo.csv to read the contents of the file. The geoDBInfo.csv file has the following information: <Country Name>,<Country Code>,<Continent Code>,<Continent number ID>,<Country ISO code>,<Country ISO 3166 code>.
Use grep to find specific countries. In the screenshot below we have searched for France and the United States. The value “840” is the Country Code of the United States and “250” is the Country Code of France.
From the FMC GUI modify the Access Control Policy to filter either source or destination via Geolocation. In this example we will allow traffic only from France and the United States.
Once the policy has been configured in the FMC and pushed to the FTD, the FTD will create a file containing the IP address ranges that match the country codes specified in the ACP. The file is located at /var/sf/geodb/ipv4_country_code_map. Bear in mind, the FTD does NOT keep a full copy of the ipv4_country_code_map. In this scenario the FTD will have IP address ranges for the France (250) and United States (840) country codes only.
From the CLI of the FTD run the command show access-control-config to display the configured rules in the ACP. From the screenshot below we can see the configuration of the ‘Inbound’ rule we created to test Geolocation, with the source networks as “France” and “United States”.
For testing we simulate traffic generated from China, France and the United States by defining a couple of loopback interfaces with IP addresses from the different countries. The website https://www.whois.com/ can be used to confirm the IP address information is correct.
From the CLI of the FTD run the command system support firewall-engine-debug, filter on the server IP address (the destination) as permitted in the ACP.
Executing a ping from an IP address sourced from France (2.2.2.254) we can confirm that traffic matches the rule called ‘Inbound’ and the action is ‘allow’.
Executing a ping from an IP address sourced from China (1.1.3.254) we can confirm traffic does not match the ‘Inbound’ rule but matches the ‘Default Action’ rule which takes the ‘deny’ action.
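To make the two file formats and the resulting policy decision concrete, here is an added Python example (not code from the original post or from Cisco). It parses constructed sample rows in the geoDBInfo.csv layout and in the <Start IP>,<End IP>,<Country Code> layout of ipv4_country_code_map, reproduces the grep step of finding the codes for France and the United States, trims the map to only the countries referenced by the ACP (the FTD behaviour described above), and then evaluates the ‘Inbound’ allow rule plus deny Default Action for the test addresses used in the post. The sample IP ranges follow the loopback addresses of the test (2.2.2.254 for France, 1.1.3.254 for China) and are constructed, not real allocations; the continent number ID column is a placeholder value.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample in the geoDBInfo.csv layout:
# <Country Name>,<Country Code>,<Continent Code>,<Continent number ID>,<Country ISO code>,<Country ISO 3166 code>
# Only the first two columns are used below; the continent number ID is a placeholder (0).
GEODB_INFO_CSV = """\
China,156,AS,0,CN,CHN
France,250,EU,0,FR,FRA
United States,840,NA,0,US,USA
"""

# Constructed sample in the ipv4_country_code_map layout: <Start IP>,<End IP>,<Country Code>.
# Ranges are modelled on the post's loopback test addresses and are NOT real allocations.
COUNTRY_CODE_MAP = """\
1.1.3.0,1.1.3.255,156
2.2.2.0,2.2.2.255,250
3.3.3.0,3.3.3.255,840
"""

ALLOWED_CODES = {250, 840}  # source countries of the 'Inbound' rule: France, United States


def load_country_names(text):
    """Map numeric country code -> country name from geoDBInfo.csv rows."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue  # skip blank or malformed lines
        names[int(row[1])] = row[0]
    return names


def find_codes_by_name(names, *wanted):
    """Equivalent of grepping geoDBInfo.csv for country names: name -> code."""
    return {name: code for code, name in names.items() if name in wanted}


def load_country_map(text):
    """Parse <start>,<end>,<code> rows into (start, end, code) tuples sorted by start address."""
    ranges = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue
        start = int(ipaddress.IPv4Address(row[0]))
        end = int(ipaddress.IPv4Address(row[1]))
        if end < start:
            raise ValueError("range end precedes start: " + ",".join(row))
        ranges.append((start, end, int(row[2])))
    ranges.sort()
    return ranges


def lookup_country(ranges, ip):
    """Return the country code whose range contains ip, or None when no range matches."""
    addr = int(ipaddress.IPv4Address(ip))
    starts = [r[0] for r in ranges]
    i = bisect.bisect_right(starts, addr) - 1  # last range starting at or before addr
    if i >= 0 and ranges[i][0] <= addr <= ranges[i][1]:
        return ranges[i][2]
    return None


def filter_map_for_policy(ranges, allowed_codes):
    """Keep only ranges for countries referenced by the ACP, as the FTD does not hold the full map."""
    return [r for r in ranges if r[2] in allowed_codes]


def acp_decision(ranges, src_ip, allowed_codes):
    """'Inbound' rule allows the listed countries; everything else hits the deny Default Action."""
    code = lookup_country(ranges, src_ip)
    return "allow" if code in allowed_codes else "deny"


if __name__ == "__main__":
    names = load_country_names(GEODB_INFO_CSV)
    print(find_codes_by_name(names, "France", "United States"))
    full_map = load_country_map(COUNTRY_CODE_MAP)
    ftd_map = filter_map_for_policy(full_map, ALLOWED_CODES)
    for src in ("2.2.2.254", "1.1.3.254", "3.3.3.10"):
        code = lookup_country(ftd_map, src)
        print(src, names.get(code, "not in FTD map"), acp_decision(ftd_map, src, ALLOWED_CODES))
```

Note that once the map is trimmed to the policy's countries, a source such as 1.1.3.254 no longer resolves to any code at all, which is why it falls through to the Default Action rather than being matched as “China”; this matches what the firewall-engine-debug output shows.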
From the FMC dashboard, we can see in the screenshot below that traffic sourced from the networks identified as China is blocked, whereas traffic from the USA and France is allowed.