Blocking Country Connections with IPS

Hi guys, we are trying to block China via a firewall rule, but some China IP blocks, for example 59.56.0.0/16, are able to pass. Is the China object in the NSM not up to date? How can I verify this?

9 Replies
Reliable Contributor
Message 2 of 10

Re: Blocking Country Connections with IPS

Hi Hüseyin,

Are you using an Advanced Firewall Policy?

Is your Signature set up to date?

Regards

Peter


Re: Blocking Country Connections with IPS

Yes we are using advanced firewall policy. We can see that some China IPs are blocked but some aren't. Sigset is up to date.


Re: Blocking Country Connections with IPS

By the way, the IP address is 59.56.77.6

Reliable Contributor
Message 5 of 10

Re: Blocking Country Connections with IPS

Hi Hüseyin,

Just checking, this is on an in-line connection and not a SPAN session?

What manager version are you using?

I found the following in the IPS Administration Guide, p. 692:

Country — The Country rule object enables you to allow or block traffic based on the source or destination country. The Sensor identifies the traffic originating from or destined to these countries based on the CIDRs mapped to the countries. Country is relevant only for advanced Firewall policies.

The country-to-CIDRs mapping information is sourced from the geolocation database of MaxMind. You cannot modify or update this list of countries manually. McAfee updates this list of country-to-CIDRs mapping through signature sets. Use the Status command in a Sensor's CLI to check if the geolocation database is present in the Sensor.

In the Firewall rule you have created for China, have you selected any other options?

Are you just using the China rule object on its own, or are you combining it with anything else?

Regards

Peter
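The guide excerpt above says the Sensor classifies traffic purely by a CIDR-to-country table that ships in the signature set, which is why "is 59.56.0.0/16 mapped to China?" is the right question. The following is an added example, not code from the thread or from McAfee, that emulates that kind of lookup so you can check a table offline. It reads a constructed sample in the column layout of MaxMind's GeoLite2-Country-Blocks-IPv4.csv; the rows are illustrative only: 59.56.0.0/16 is the block the poster names, 59.56.200.0/24 is a hypothetical more-specific entry inserted purely to show that a longer prefix wins over the /16, and 203.0.113.0/24 is RFC 5737 documentation space. The function names (`load_blocks`, `lookup_country`, `firewall_decision`, `classify_ranges`, `not_classified_as`) are my own.

```python
import csv
import io
import ipaddress

# Constructed sample in the column layout of MaxMind's GeoLite2-Country-Blocks-IPv4.csv.
# The rows are illustrative, not real data: 59.56.0.0/16 is the block the poster names,
# 59.56.200.0/24 is a hypothetical more-specific entry (labelled HK) added only to show
# that a longer prefix wins, and 203.0.113.0/24 is documentation space (RFC 5737).
SAMPLE_BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
59.56.0.0/16,1814991,1814991,,0,0
59.56.200.0/24,1819730,1819730,,0,0
203.0.113.0/24,6252001,6252001,,0,0
"""

# Constructed geoname_id -> ISO code map, standing in for GeoLite2-Country-Locations-en.csv.
SAMPLE_LOCATIONS = {1814991: "CN", 1819730: "HK", 6252001: "US"}


def load_blocks(csv_text, locations):
    """Parse the blocks CSV into (network, country) pairs, most specific prefix first."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["network"])
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        rows.append((net, locations.get(int(gid)) if gid else None))
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def lookup_country(ip, blocks):
    """Longest-prefix match, which is how a CIDR-keyed geolocation table classifies an address.

    Returns (network, country); (None, None) when no entry covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, cc in blocks:
        if addr in net:
            return net, cc
    return None, None


def firewall_decision(ip, blocks, blocked=("CN",)):
    """Emulate a 'source country in <set> -> drop' rule. Unmapped addresses are allowed,
    i.e. the rule fails open, which is the first thing to check when a block 'leaks'."""
    net, cc = lookup_country(ip, blocks)
    return ("DROP" if cc in blocked else "ALLOW"), net, cc


def classify_ranges(cidr, blocks):
    """Split cidr into maximal sub-ranges, each tagged with the country a longest-prefix
    lookup assigns to every address in it."""
    target = ipaddress.ip_network(cidr)
    # Country of the target as a whole: the most specific entry that contains all of it.
    outer = [cc for net, cc in blocks if target.subnet_of(net)]
    pieces = {target: outer[0] if outer else None}
    # Carve in the entries nested inside the target, widest first so deeper ones refine.
    inner = sorted(((n, cc) for n, cc in blocks if n != target and n.subnet_of(target)),
                   key=lambda r: r[0].prefixlen)
    for net, cc in inner:
        for piece in list(pieces):
            if net.subnet_of(piece):
                label = pieces.pop(piece)
                for rest in piece.address_exclude(net):
                    pieces[rest] = label
                pieces[net] = cc
                break
    return sorted(pieces.items())


def not_classified_as(cidr, blocks, expected_cc):
    """The verification the poster asks for: which parts of cidr would NOT be treated as
    expected_cc (either mapped to another country or not mapped at all)."""
    return [(net, cc) for net, cc in classify_ranges(cidr, blocks) if cc != expected_cc]


BLOCKS = load_blocks(SAMPLE_BLOCKS_CSV, SAMPLE_LOCATIONS)

if __name__ == "__main__":
    for ip in ("59.56.77.6", "59.56.200.9", "198.51.100.1"):
        print(ip, firewall_decision(ip, BLOCKS))
    for net, cc in not_classified_as("59.56.0.0/16", BLOCKS, "CN"):
        print("not CN:", net, cc)
```

Two things this makes visible that the /16 on its own does not: a more specific entry inside the block can carry a different country, and any address with no entry at all is allowed rather than dropped. Running `not_classified_as` over a whole CIDR (a /15 covering the /16 plus an unmapped neighbour, for instance) lists both kinds of hole. To check the real mapping you would point `load_blocks` at the actual GeoLite2 CSVs; this example never reaches out to MaxMind or the Sensor.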


Re: Blocking Country Connections with IPS

Hello Peter, the sensor is deployed inline, not SPAN. We are not combining any other object with China. Basically, the rule says that if the source is China, drop packets. Thanks for the information, by the way. It is helpful.

Reliable Contributor
Message 7 of 10

Re: Blocking Country Connections with IPS

Hi Hüseyin,

Probably best to just open a service request with support and ask them to confirm if the IP range is included in the current SigSet.

Regards

Peter


Re: Blocking Country Connections with IPS

Hi Peter,

I have already opened the case. They said it was included. But we still see packets on our firewall. The IPS is supposed to drop the packets before they reach the firewall. Anyway, thanks for your help.

Reliable Contributor
Message 9 of 10

Re: Blocking Country Connections with IPS

Hi Hüseyin,

We have seen issues with our Firewall Rules on 8.2 where occasionally the rules do not work; we see alerts generated for some traffic that should be ignored.

We have opened this issue with McAfee support a few times but as we are unable to replicate the issue we have not been able to troubleshoot it.

What manager version are you using? I'm hoping the issue won't occur in the 8.3 release.

Regards

Peter


Re: Blocking Country Connections with IPS

Hi Peter,

We are using version 8.3.7.29.1. It is a hotfix version specifically for the NS5X series. The issue seems to be the same as the one you have. We have an ongoing case. I will let you know how it is solved.
