Hi guys, we are trying to block China via a firewall rule, but some China IP blocks, for example 184.108.40.206/16, are able to pass. Is the China object in the NSM not up to date? How can I verify this?
Just checking, this is on an In-line connection and not a Span session?
What manager version are you using?
I found the following in the IPS Administration Guide, p. 692:
Country — The Country rule object enables you to allow or block traffic based on the source or
destination country. The Sensor identifies the traffic originating or destined to these countries
based on the CIDRs mapped to the countries. Country is relevant only for advanced Firewall
The country-to-CIDRs mapping information is sourced from the geolocation database of
MaxMind. You cannot modify or update this list of countries manually. McAfee updates this list of
country-to-CIDRs mapping through signature sets. Use the Status command in a Sensor's CLI
to check if the geolocation database is present in the Sensor.
In the Firewall rule you have created for China have you selected any other options?
Are you just using the China Rule object on its own or are you combining it with anything else?
Hello Peter, the sensor is deployed inline, not span. We are not combining any other object with China. Basically, the rule says that if the source is China, drop packets. Thanks for the information, by the way. It is helpful.
Probably best to just open a service request with support and ask them to confirm if the IP range is included in the current SigSet.
I have already opened the case. They said it was included. But we still see packets on our firewall. The IPS is supposed to drop packets before they reach the firewall. Anyway, thanks for your help.
We have seen issues with our Firewall Rules on 8.2 where occasionally the rules do not work; we see alerts generated for some traffic that should be ignored.
We have opened this issue with McAfee support a few times but as we are unable to replicate the issue we have not been able to troubleshoot it.
What manager version are you using? I'm hoping the issue won't occur in the 8.3 release.
We are using version 220.127.116.11.1. It is a hotfix version specifically for the NS5X series. The issue seems to be the same one you have. We have an ongoing case. I will let you know how it is solved.
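For the "How can I verify this?" question, an independent cross-check is possible against MaxMind's own country data. The following is an added example, not code from the thread or from McAfee. It assumes the GeoLite2 Country CSV layout, uses constructed sample rows on documentation address ranges, and its function names are hypothetical. Whether the Sensor's Country object keys on the located or the registered country is not stated in the thread, so the script reports both.

```python
import csv, io, ipaddress

# Constructed sample rows in the GeoLite2 Country CSV layout (documentation ranges, not real data).
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
1814991,en,AS,Asia,CN,China,0
6252001,en,NA,North America,US,United States,0
"""
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/24,1814991,1814991,,0,0
198.51.100.0/24,6252001,1814991,,0,0
203.0.113.0/24,6252001,6252001,,0,0
"""

def load_blocks(blocks_csv, locations_csv):
    """Return [(network, located_iso, registered_iso)] from the two CSV texts."""
    iso = {r["geoname_id"]: r["country_iso_code"]
           for r in csv.DictReader(io.StringIO(locations_csv))}
    return [(ipaddress.ip_network(r["network"]),
             iso.get(r["geoname_id"]),
             iso.get(r["registered_country_geoname_id"]))
            for r in csv.DictReader(io.StringIO(blocks_csv))]

def classify(ip, blocks, country="CN"):
    """Explain how one source IP relates to the country's CIDR list."""
    addr = ipaddress.ip_address(ip)
    matches = [b for b in blocks if addr in b[0]]
    if not matches:
        return "unmapped"            # no CIDR covers it: a country rule cannot match
    # Use the most specific covering network, as a longest-prefix lookup would.
    _net, located, registered = max(matches, key=lambda b: b[0].prefixlen)
    if located == country:
        return "located"             # should be dropped by a source-country rule
    if registered == country:
        return "registered-only"     # allocated to the country, geolocated elsewhere
    return "other:" + str(located)

def audit(passed_ips, blocks, country="CN"):
    """Classify every source IP that was seen getting past the rule."""
    return {ip: classify(ip, blocks, country) for ip in passed_ips}

if __name__ == "__main__":
    blocks = load_blocks(BLOCKS_CSV, LOCATIONS_CSV)
    seen = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "10.1.1.1"]  # constructed
    for ip, verdict in audit(seen, blocks).items():
        print(f"{ip:15} {verdict}")
```

Sources reported as "located" that still reach the firewall point to a rule-enforcement problem, while "registered-only" or "unmapped" sources point to a mapping difference worth raising in the support case.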