Overview of Geolocation-Based Firewall Rules
Geolocation-based firewall rules let you allow or deny network traffic based on the source and destination locations you specify, rather than on individual IP addresses.
A third-party database provides the geolocation-to-IP-address mapping. Use the geo database update command to refresh the geolocation database periodically so that the latest changes are picked up.
After you configure a geolocation-based firewall rule by specifying source and destination locations in Cisco vManage, the geolocation database is enabled automatically in the CLI. Alternatively, you can enable the geolocation database with the geo database command.
For more information on the CLI commands, see Cisco IOS XE SD-WAN Qualified Command Reference.
This feature adds a new object group, geo, in which you specify countries and continents as objects for use in Access Control Lists (ACLs). The geo object group is then referenced in the ACL to enable geolocation-based firewall rules.
The geo object group is a collection of the following types of objects:
Three-letter country code objects
Two-letter continent code objects
An object group can contain a single object or multiple objects. You can nest other geolocation object groups using the group-object command.
You cannot configure nested geo object groups in Cisco vManage. You can configure nested geo object groups using only the CLI.
Data packets are classified using geolocation-based firewall rules instead of IP addresses. When a firewall rule that classifies a data packet has a geolocation-based filter, the packet's IP address is looked up in the geolocation database to determine which country or continent is associated with it.
Example: a client (192.168.11.10) in a local area network (LAN) initiates traffic over Dedicated Internet Access (DIA) to destination IP addresses belonging to France (FRA) and Germany (GBR). According to the security firewall policy, traffic to France should be inspected and traffic to Germany should be dropped.
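The following is an added example, not Cisco code and not the CLI syntax of the feature: a small Python model of the classification path described above, written to show how a geo object group (country codes, continent codes, and nested groups via group-object), a prefix-to-country geolocation database, and an ordered rule list combine to decide inspect or drop per packet. The prefixes, the country-to-continent table, the rule names, and the default-drop action are all constructed assumptions for illustration; they are not real allocations or real policy. The scenario uses the codes FRA and GBR exactly as the page gives them.

```python
"""Constructed model of geolocation-based firewall classification.

Not Cisco code: the geo database contents, continent table, rule names and
default action below are made up for illustration only.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed geo database: prefix -> three-letter country code. A real
# database is far larger and is refreshed with the geo database update command.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "FRA",
    ipaddress.ip_network("198.51.100.0/24"): "GBR",
    ipaddress.ip_network("192.0.2.0/24"): "USA",
}
# Constructed country -> two-letter continent code table.
COUNTRY_TO_CONTINENT = {"FRA": "EU", "GBR": "EU", "USA": "NA"}


def lookup_country(ip: str):
    """Longest-prefix match of ip against the geo database; None if the address is unmapped."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in GEO_DB if addr in net]
    if not matches:
        return None
    return GEO_DB[max(matches, key=lambda n: n.prefixlen)]


@dataclass
class GeoObjectGroup:
    """Collection of country codes, continent codes and nested groups (group-object)."""
    name: str
    countries: set = field(default_factory=set)
    continents: set = field(default_factory=set)
    nested: list = field(default_factory=list)

    def matches(self, country):
        """True if the country is in this group directly, via its continent, or via a nested group."""
        if country is None:
            return False
        if country in self.countries:
            return True
        if COUNTRY_TO_CONTINENT.get(country) in self.continents:
            return True
        return any(g.matches(country) for g in self.nested)


@dataclass
class Rule:
    name: str
    dst_group: GeoObjectGroup
    action: str  # "inspect" or "drop"


def classify(dst_ip: str, rules, default: str = "drop"):
    """First-match evaluation over the rule list; returns (rule_name, action)."""
    country = lookup_country(dst_ip)
    for rule in rules:
        if rule.dst_group.matches(country):
            return rule.name, rule.action
    return "default", default


# Scenario from the text: inspect traffic to FRA, drop traffic to GBR.
FRA_GROUP = GeoObjectGroup("geo-fra", countries={"FRA"})
GBR_GROUP = GeoObjectGroup("geo-gbr", countries={"GBR"})
# A continent-level group and a nested group (nesting is CLI-only per the text).
EU_GROUP = GeoObjectGroup("geo-eu", continents={"EU"})
WESTERN_EUROPE = GeoObjectGroup("geo-west-eu", nested=[FRA_GROUP, GBR_GROUP])

RULES = [
    Rule("inspect-fra", FRA_GROUP, "inspect"),
    Rule("drop-gbr", GBR_GROUP, "drop"),
]


def scenario():
    """Classify three constructed destinations; unmapped addresses fall to the default."""
    return {
        "to_fra": classify("203.0.113.7", RULES),
        "to_gbr": classify("198.51.100.9", RULES),
        "to_usa": classify("192.0.2.1", RULES),
        "unmapped": classify("10.0.0.1", RULES),
    }


def group_update_propagates():
    """Rules reference the group object, so editing the group changes every rule using it."""
    before = classify("192.0.2.1", RULES)
    FRA_GROUP.countries.add("USA")  # update the geo object group in place
    after = classify("192.0.2.1", RULES)
    FRA_GROUP.countries.discard("USA")  # restore for other callers
    return before, after


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
    print("group update:", group_update_propagates())
```

Two points the model makes explicit: an address the database cannot map matches no geo group and falls through to the policy's default action, so the database refresh cadence directly affects coverage; and because rules hold a reference to the group rather than a copy of its members, a change to the group is visible to every policy that uses it, which is the behaviour the text describes for updated geo object groups.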
Benefits of Geolocation-Based Firewall Rules
You can restrict access to particular countries without needing to know the associated IP addresses for those countries.
A geolocation can be a country, a continent, or a list containing both continents and countries.
After you choose a continent in a security firewall rule, all IP addresses that map to that continent code are matched by that rule.
You can add multiple geolocation lists or geolocations using a single policy.
When you update a geo object group, all the policies that use that geo object group are automatically updated.