
Blocking Country Connections with IPS

Hi guys, we are trying to block China via a firewall rule, but some China IP blocks, for example 59.56.0.0/16, are able to pass. Is the China object in the NSM not up to date? How can I verify this?

9 Replies
Reliable Contributor petermason
Message 2 of 10

Re: Blocking Country Connections with IPS

Hi Hüseyin,

Are you using an Advanced Firewall Policy?

Is your Signature set up to date?

Regards

Peter

Re: Blocking Country Connections with IPS

Yes we are using advanced firewall policy. We can see that some China IPs are blocked but some aren't. Sigset is up to date.

Re: Blocking Country Connections with IPS

By the way, the IP address is 59.56.77.6

Reliable Contributor petermason
Message 5 of 10

Re: Blocking Country Connections with IPS

Hi Hüseyin,

Just checking, this is on an In-line connection and not a Span session?

What manager version are you using?

I found the following in the IPS Administration Guide, p. 692:

Country — The Country rule object enables you to allow or block traffic based on the source or destination country. The Sensor identifies the traffic originating or destined to these countries based on the CIDRs mapped to the countries. Country is relevant only for advanced Firewall policies.

The country-to-CIDRs mapping information is sourced from the geolocation database of MaxMind. You cannot modify or update this list of countries manually. McAfee updates this list of country-to-CIDRs mapping through signature sets. Use the Status command in a Sensor's CLI to check if the geolocation database is present in the Sensor.

In the Firewall rule you have created for China have you selected any other options?

Are you just using the China rule object on its own, or are you combining it with anything else?

Regards

Peter
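The guide excerpt above explains that the Country object is just a set of CIDRs, so the practical check is whether addresses seen on the firewall behind the in-line Sensor fall inside the blocked country's CIDRs. The script below is an added example and not from the thread, McAfee or MaxMind: it assumes a syslog-style firewall log format and a small constructed CIDR list (containing the 59.56.0.0/16 block mentioned in the thread plus a documentation range as a placeholder), parses the source addresses and reports every line whose source should have been dropped upstream, grouped per /16 so a whole misclassified block stands out.

```python
"""Check firewall log sources against a country CIDR list.

Added example, not the thread's or McAfee's own code. The log format and
the CIDR list are constructed assumptions; a real check would load the
country-to-CIDR mapping from the Sensor's geolocation data.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of a country-to-CIDR mapping (not MaxMind data).
# 59.56.0.0/16 is the block from the thread; 203.0.113.0/24 is the
# TEST-NET-3 documentation range used here as a placeholder.
COUNTRY_CIDRS = {
    "CN": [
        ipaddress.ip_network("59.56.0.0/16"),
        ipaddress.ip_network("203.0.113.0/24"),
    ],
}

# Constructed firewall log lines in a syslog-like format, not real output.
SAMPLE_LOG = """\
Mar 10 09:12:01 fw1 kernel: ACCEPT SRC=59.56.77.6 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 10 09:12:05 fw1 kernel: ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 10 09:12:09 fw1 kernel: DROP SRC=203.0.113.44 DST=192.0.2.10 PROTO=UDP DPT=53
Mar 10 09:12:12 fw1 kernel: ACCEPT SRC=59.56.200.1 DST=192.0.2.11 PROTO=TCP DPT=22
Mar 10 09:12:15 fw1 kernel: ACCEPT SRC=not-an-ip DST=192.0.2.11 PROTO=TCP DPT=22
"""

SRC_RE = re.compile(r"\bSRC=(\S+)")


def country_of(ip, cidrs=COUNTRY_CIDRS):
    """Return the country code whose CIDR list contains ip, or None.

    Malformed addresses return None rather than raising, so one bad log
    line does not abort a whole scan.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for code, nets in cidrs.items():
        if any(addr in net for net in nets):
            return code
    return None


def find_leaks(log_text, blocked_country="CN", cidrs=COUNTRY_CIDRS):
    """Return log lines whose source lies in blocked_country's CIDRs.

    Any hit, whatever the firewall's own verdict, means the packet reached
    the firewall at all, i.e. the in-line IPS country rule did not drop it.
    """
    leaks = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        if country_of(m.group(1), cidrs) == blocked_country:
            leaks.append(line)
    return leaks


def summarize(leaks):
    """Count leaked sources per /16 so a misclassified block stands out."""
    counts = Counter()
    for line in leaks:
        src = SRC_RE.search(line).group(1)
        net = ipaddress.ip_network(f"{src}/16", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_leaks(SAMPLE_LOG)
    for h in hits:
        print("leaked:", h)
    print(summarize(hits))
```

Run against a real export, a non-empty result for the blocked country is the evidence to attach to a support case: it shows concrete sources inside the mapped CIDRs that still arrived at the firewall, which is exactly the situation the thread describes.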

Re: Blocking Country Connections with IPS

Hello Peter, the sensor is deployed inline, not SPAN. We are not combining any other object with China. Basically, the rule says that if the source is China, drop packets. Thanks for the information, by the way. It is helpful.

Reliable Contributor petermason
Message 7 of 10

Re: Blocking Country Connections with IPS

Hi Hüseyin,

Probably best to just open a service request with support and ask them to confirm if the IP range is included in the current SigSet.

Regards

Peter

Re: Blocking Country Connections with IPS

Hi Peter,

I have already opened the case. They said it was included. But we still see packets on our firewall. The IPS is supposed to drop packets before they reach the firewall. Anyway, thanks for your help.

Reliable Contributor petermason
Message 9 of 10

Re: Blocking Country Connections with IPS

Hi Hüseyin,

We have seen issues with our Firewall Rules on 8.2 where occasionally the rules do not work; we see alerts generated for some traffic that should be ignored.

We have opened this issue with McAfee support a few times but as we are unable to replicate the issue we have not been able to troubleshoot it.

What manager version are you using? I'm hoping the issue won't occur in the 8.3 release.

Regards

Peter

Re: Blocking Country Connections with IPS

Hi Peter,

We are using version 8.3.7.29.1. It is a hotfix version specifically for the NS5X series. The issue seems to be the same as yours. We have an ongoing case. I will let you know how it is solved.
