I have been asked to set up our firewall to drop any packets arriving at the external interface that originate from any country other than the US and US territories. I created a GEO Location Network object and put every country except the US and US territories in it. I then created a rule to drop packets on the external interface if the source endpoint matches anything in that GEO Location object. This rule is the first rule in the list. It does not appear to be working. I get email alerts all the time where foreign IPs are hitting ports like FTP etc. This tells me the packets are not getting dropped.
Here is an example of an audit alert:
2013-06-26 00:22:52 -0700 f_ftp_proxy a_aclquery t_attackp_major
pid: 1724 logid: 0 cmd: 'pftp' hostname:MYFIREWALL
category: policy_violation event: ACL deny attackip:22.214.171.124
attackzone: external src_geo: DE srcip: 126.96.36.199 srcport: 39642
srczone: external protocol: 6 dst_geo: US dstip:xxx.xxx.xxx.xxx dstport: 21
dstzone: external rule_name: Deny All cache_hit: 0
reason: Traffic denied by policy.
The firewall obviously can tell this originated from I believe Denmark. I can tell it made it through all of the rules because it hit the last rule, the Deny All. So I am not sure what I am doing wrong. Any help is greatly appreciated. Thanks!
Here is what my rule looks like:
Message was edited by: grinder on 6/27/13 12:27:53 PM CDT
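An added example, not from the original post or from the firewall vendor: it parses audit records in the format quoted above and lists every non-US source that was handled by a rule other than the geo-block rule, which is exactly the symptom described (a DE source reaching the final Deny All). The allow-list of country codes, the rule name `Block Non-US` and the sample records (RFC 5737 documentation addresses) are assumptions.

```python
import re

# US plus its territories (ISO 3166-1 alpha-2); this allow-list is an assumption.
ALLOWED_GEO = {"US", "PR", "GU", "VI", "AS", "MP", "UM"}
# Hypothetical name of the first-in-list geo-block rule.
GEO_BLOCK_RULE = "Block Non-US"

# Field names seen in the audit record. A key may be followed by ": " or just ":"
# (hostname:MYFIREWALL), so the parser keys on known names, not on whitespace.
KEYS = ("pid", "logid", "cmd", "hostname", "category", "event", "attackip", "attackzone",
        "src_geo", "srcip", "srcport", "srczone", "protocol", "dst_geo", "dstip",
        "dstport", "dstzone", "rule_name", "cache_hit", "reason")
KEY_ALT = "|".join(KEYS)
# Lazy value that stops at the next known key or end of record, so "Deny All" survives.
FIELD_RE = re.compile(rf"(?P<key>{KEY_ALT}):\s*(?P<val>.*?)\s*(?=(?:{KEY_ALT}):|\Z)", re.S)

def parse_audit(record: str) -> dict:
    """Return {field: value} for one audit record; quotes around cmd are dropped."""
    return {m.group("key"): m.group("val").strip("'") for m in FIELD_RE.finditer(record)}

def geo_rule_gaps(records, allowed=ALLOWED_GEO, geo_rule=GEO_BLOCK_RULE):
    """Records with a non-allowed src_geo that some rule other than the geo rule
    handled: each one shows the geo-block rule did not match that packet."""
    gaps = []
    for rec in records:
        f = parse_audit(rec)
        if f.get("src_geo") and f["src_geo"] not in allowed and f.get("rule_name") != geo_rule:
            gaps.append(f)
    return gaps

# Constructed sample records using RFC 5737 documentation addresses, not real hosts.
SAMPLE_RECORDS = [
    # Non-US source that fell through to the final Deny All: the geo rule missed it.
    "2013-06-26 00:22:52 -0700 f_ftp_proxy a_aclquery t_attackp_major\n"
    "pid: 1724 logid: 0 cmd: 'pftp' hostname:MYFIREWALL\n"
    "category: policy_violation event: ACL deny attackip:198.51.100.23\n"
    "attackzone: external src_geo: DE srcip: 198.51.100.23 srcport: 39642\n"
    "srczone: external protocol: 6 dst_geo: US dstip:203.0.113.5 dstport: 21\n"
    "dstzone: external rule_name: Deny All cache_hit: 0\n"
    "reason: Traffic denied by policy.\n",
    # Non-US source stopped by the geo rule itself: working as intended.
    "pid: 1724 logid: 0 cmd: 'pftp' hostname:MYFIREWALL category: policy_violation event: ACL deny\n"
    "src_geo: CN srcip: 198.51.100.77 srcport: 51000 dst_geo: US dstip:203.0.113.5 dstport: 21 rule_name: Block Non-US\n",
    # US source hitting Deny All: expected, not a geo-rule gap.
    "pid: 1724 logid: 0 cmd: 'pftp' hostname:MYFIREWALL category: policy_violation event: ACL deny\n"
    "src_geo: US srcip: 192.0.2.10 srcport: 40001 dst_geo: US dstip:203.0.113.5 dstport: 21 rule_name: Deny All\n",
]
if __name__ == "__main__":
    for g in geo_rule_gaps(SAMPLE_RECORDS):
        print(f"{g['src_geo']} {g['srcip']}:{g['srcport']} -> dstport {g['dstport']} hit '{g['rule_name']}', not the geo rule")
```

Feed it the firewall's exported audit records: any line it prints is a packet the first rule should have dropped but did not, which is the evidence to take to the vendor alongside the rule screenshot.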
Set the Redirect to the external IP of the FW (actually, any IP would do). That will tell the rule-compiler to Deny this traffic. This will be fixed very soon by an epatch.