I've been running Firepower (yes, I know) at a site in monitor-only mode for some time and decided to switch it to inline mode. I block all non-US traffic within Firepower and it has started dropping traffic it thinks is from abroad, as you might expect.
I know IP geolocation isn't particularly accurate sometimes, so I'm concerned about erroneously blocking legit traffic. I checked one of the IPs it was blocking and I get various results when I look it up. One site says it's in the US or Canada or Poland, which isn't particularly useful. Some others say US, one says Edmonton, CA. Traceroute seems to indicate it might be in New York, in which case it should not be dropped. The last 10 hops are not visible, though, so who knows where it goes.
The site www.countryipblocks.net says the IP is in the US but I don't have an account so the data could be up to 90 days old. I hope to register at some point.
I use several different Geo IP sites but they often disagree with each other and sometimes with themselves. I'd be interested if anyone has any IP location lookup sites they like.
The Firepower device downloads geolocation database updates from Cisco pretty regularly so I was hoping it might be accurate, but I'm not too sure at this point.
Just wondering if anyone has any thoughts on the subject. Do you do this kind of thing, and do you get complaints from users who should be able to access your site?
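One way to turn the manual cross-checking described above into a review queue before trusting inline drops, as an added example that is not part of the original post or of Firepower: it assumes you have exported blocked source IPs with drop counts and collected country answers from several lookup sources. The source names (`site_a` etc.), IPs (documentation ranges) and counts are constructed.

```python
from collections import Counter

ALLOWED = {"US"}  # policy from the post: drop everything that is not US

# Constructed sample data: blocked source IP -> number of drops observed.
BLOCKED = {"192.0.2.10": 42, "198.51.100.7": 3, "203.0.113.99": 17}

# Constructed lookup answers. Each source returns a *set* of candidate
# countries, because some sites answer "US or Canada or Poland".
LOOKUPS = {
    "192.0.2.10": {"site_a": {"US", "CA", "PL"}, "site_b": {"US"}, "site_c": {"CA"}},
    "198.51.100.7": {"site_a": {"PL"}, "site_b": {"PL"}, "site_c": {"PL"}},
    "203.0.113.99": {"site_a": {"US"}, "site_b": {"US"}, "site_c": {"US"}},
}

def classify(answers, allowed=ALLOWED):
    """Return (verdict, votes) for one IP from per-source country sets."""
    votes = Counter()
    for countries in answers.values():
        if not countries:
            votes["unknown"] += 1      # source had no answer
        elif countries <= allowed:
            votes["allowed"] += 1      # only allowed countries named
        elif countries & allowed:
            votes["ambiguous"] += 1    # allowed and foreign both named
        else:
            votes["foreign"] += 1      # only foreign countries named
    total = sum(votes.values())
    if total == 0 or votes["unknown"] == total:
        verdict = "no-data"
    elif votes["foreign"] == total:
        verdict = "block-consistent"       # every source agrees with the drop
    elif votes["allowed"] == total:
        verdict = "likely-false-positive"  # every source contradicts the drop
    else:
        verdict = "disputed"               # sources disagree, needs a human
    return verdict, dict(votes)

def review_queue(blocked, lookups):
    """Blocked IPs that are not unanimously foreign, busiest first."""
    rows = []
    for ip, hits in blocked.items():
        verdict, votes = classify(lookups.get(ip, {}))
        if verdict != "block-consistent":
            rows.append((ip, hits, verdict, votes))
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for row in review_queue(BLOCKED, LOOKUPS):
        print(*row)
```

Sorting by drop count puts the addresses most likely to generate user complaints at the top of the list.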