How To Drop Packets From Foreign Countries?


I have been asked to set up our firewall to drop any packets arriving at the external interface that originate from any country other than the US and US territories.  I created a GEO Location Network object and put every country except the US and US territories in it.  I then created a rule to drop packets on the external interface if the source endpoint matches anything in that GEO Location object.  This rule is the first rule in the list.  It does not appear to be working. I get email alerts all the time where foreign IPs are hitting ports like FTP etc.  This tells me the packets are not getting dropped.

Here is an example of an audit alert:

2013-06-26 00:22:52 -0700 f_ftp_proxy a_aclquery t_attackp_major
pid: 1724 logid: 0 cmd: 'pftp' hostname:MYFIREWALL
category: policy_violation event: ACL deny attackip:80.246.50.171
attackzone: external src_geo: DE srcip: 80.246.50.171srcport: 39642
srczone: external protocol: 6 dst_geo: US dstip:xxx.xxx.xxx.xxx dstport: 21
dstzone: external rule_name: Deny All cache_hit: 0
reason: Traffic denied by policy.

The firewall obviously can tell this originated from I believe Denmark.  I can tell it made it through all of the rules because it hit the last rule, the Deny All.  So I am not sure what I am doing wrong.  Any help is greatly appreciated.  Thanks!

Here is what my rule looks like:

Message was edited by: grinder on 6/27/13 12:27:53 PM CDT
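The audit record quoted above is exactly the evidence a defender wants to check automatically: a foreign source country (src_geo) that ends up at the catch-all rule instead of the geo-deny rule means the geo block did not match. The following is an added example, not code from the original thread or from McAfee. It parses records in the layout of the posted alert (a timestamp/proxy header followed by space-separated "key: value" pairs) and reports every foreign-source hit that some rule other than the geo rule handled. The allowed-country set, the geo rule name "Geo Block", and the second and third sample records are constructed assumptions; the first sample record is the one quoted in the post.

```python
"""Check firewall audit records for foreign-source traffic that a geo-block rule
should have stopped but did not.

Added example, not code from the original thread or from McAfee. The record
layout follows the audit alert posted above (a timestamp/header, then
space-separated "key: value" pairs). The allowed-country set, the geo rule name
"Geo Block" and the two extra sample records are constructed assumptions.
"""
import re

# Countries the geo-deny rule is meant to exempt (assumed: US plus territories).
ALLOWED_GEO = {"US", "PR", "GU", "VI", "AS", "MP"}
# rule_name the geo-deny rule would report if it actually matched (assumed).
GEO_RULE = "Geo Block"

# A key is a run of letters/underscores immediately followed by ':'.
# Scanning for keys rather than splitting on spaces copes with the missing
# space in "srcip: 80.246.50.171srcport: 39642" from the original alert.
_KEY = re.compile(r"([A-Za-z_]+):")


def parse_audit(record):
    """Turn one multi-line audit record into a dict of its fields.

    Everything before the first key (timestamp, proxy, event type) is kept
    under "header"; each value runs up to the next key.
    """
    text = " ".join(record.split())  # collapse line breaks and extra spaces
    keys = list(_KEY.finditer(text))
    if not keys:
        return {"header": text}
    fields = {"header": text[: keys[0].start()].strip()}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        fields[m.group(1)] = text[m.end() : end].strip()
    return fields


def geo_block_misses(records, allowed=ALLOWED_GEO, geo_rule=GEO_RULE):
    """Return the records whose source country is outside `allowed` but whose
    rule_name is not the geo rule: traffic that fell through the geo block and
    was handled (or allowed) by a later rule instead."""
    misses = []
    for rec in records:
        f = parse_audit(rec)
        geo = f.get("src_geo")
        if geo and geo not in allowed and f.get("rule_name") != geo_rule:
            misses.append({
                "src_geo": geo,
                "srcip": f.get("srcip"),
                "dstport": f.get("dstport"),
                "rule_name": f.get("rule_name"),
            })
    return misses


# Record 1 is the alert quoted in the thread; records 2 and 3 are constructed.
SAMPLE_RECORDS = [
    """2013-06-26 00:22:52 -0700 f_ftp_proxy a_aclquery t_attackp_major
pid: 1724 logid: 0 cmd: 'pftp' hostname:MYFIREWALL
category: policy_violation event: ACL deny attackip:80.246.50.171
attackzone: external src_geo: DE srcip: 80.246.50.171srcport: 39642
srczone: external protocol: 6 dst_geo: US dstip:xxx.xxx.xxx.xxx dstport: 21
dstzone: external rule_name: Deny All cache_hit: 0
reason: Traffic denied by policy.""",
    # constructed: foreign source correctly stopped by the geo rule
    """2013-06-26 00:30:10 -0700 f_ssh_proxy a_aclquery t_attackp_major
category: policy_violation event: ACL deny attackzone: external src_geo: CA
srcip: 192.0.2.10 srcport: 51000 dst_geo: US dstip:xxx.xxx.xxx.xxx dstport: 22
rule_name: Geo Block reason: Traffic denied by policy.""",
    # constructed: domestic source, expected to reach the ordinary rules
    """2013-06-26 00:31:45 -0700 f_ftp_proxy a_aclquery t_attackp_major
category: policy_violation event: ACL deny attackzone: external src_geo: US
srcip: 198.51.100.7 srcport: 40001 dst_geo: US dstip:xxx.xxx.xxx.xxx dstport: 21
rule_name: Deny All reason: Traffic denied by policy.""",
]

if __name__ == "__main__":
    for miss in geo_block_misses(SAMPLE_RECORDS):
        print("geo block missed:", miss)
```

Run against the three samples, only the quoted DE record is reported: its source country is outside the allowed set, yet rule_name is "Deny All" rather than the geo rule, which is the same symptom the post describes. Feeding real alert mail through this check gives a quick way to confirm whether a fix (such as the redirect workaround given in the reply) actually made the geo rule start matching.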

4 Replies
sliedl
Message 2 of 5

Re: How To Drop Packets From Foreign Countries?

Set the Redirect to the external IP of the FW (actually, any IP would do). That will tell the rule-compiler to Deny this traffic. This will be fixed very soon by an epatch.

Re: How To Drop Packets From Foreign Countries?

How can I find out when this patch is released or get notified of it?

sliedl
Message 4 of 5

Re: How To Drop Packets From Foreign Countries?

You can file a ticket with Support and we'll send you the patch.  This will be in 8.3.2 and in the next 8.2.1 release also.

Re: How To Drop Packets From Foreign Countries?

Thank You!
