
Exceptions to country blocking

How do I add an exception to country blocking in the XG firewall? In UTM9 there was a separate tab for it, but I can't find anywhere in the XG UI.



  • I think I understand what you are asking? You need to build your own list of countries you want to block and then apply that list.

    Ian

  • Hey  

    Country-blocking for the XG is applied on a per-firewall rule basis, therefore you would need to create an allow firewall rule above your deny country-blocking rule in order to "except" your desired traffic:

    unlike the UTM where it is a global setting (where you would need to configure exceptions):


    Please see this KB article for reference for the XG.

    Regards,

  • Hey Flo,

    based on your answer, where in the firewall rule would you put the block country? Usually you want to block countries from the entire network, not just one rule. Also, the reference you refer to shows how to create a block country rule, not how to apply it to each rule?

    I would personally put a block country rule at the top of the rule list.

    Ian

  • rfcat_vk said:

    I think I understand what you are asking? You need to build your own list of countries you want to block and then apply that list.

    Ian


    No, I want to allow a specific range of IP addresses without unblocking the whole country.


    Paul

  • FloSupport said:

    Hey  

    Country-blocking for the XG is applied on a per-firewall rule basis, unlike the UTM where it is a global setting (where you would need to configure exceptions).

    Please see this KB article for reference.

    Regards,


    Hi,

    We already have a rule to block all other countries, but we need to make exceptions for specific IP addresses. This was possible in UTM9, but I can't see how to do it in XG - I can edit country groups or create a new one to change which countries are blocked, but there doesn't seem to be any way of editing the country definitions themselves, or any kind of global whitelist?

    Paul

  • Hey Paul.

    Create a rule above the country block rule allowing those specific IP addresses/ranges/networks. Since firewall rules are matched top-to-bottom, that should allow the traffic. I too come from the UTM world and sometimes it's hard to let go of old habits, but for XG we need to think very differently on how to set up things as they are both very, very different products.

    Regards,

    Giovani

  • giomoda said:

    Hey Paul.

    Create a rule above the country block rule allowing those specific IP addresses/ranges/networks. Since firewall rules are matched top-to-bottom, that should allow the traffic. I too come from the UTM world and sometimes it's hard to let go of old habits, but for XG we need to think very differently on how to set up things as they are both very, very different products.

    Regards,

    Giovani


    Hi,

    I've tried that, but it seems that the country block rule is still triggered as well as the rule to allow?

    Paul T

  • I've tried that, but it seems that the country block rule is still triggered as well as the rule to allow?

    Not seeing this here, Paul. For example, I created a rule blocking Hong Kong as a destination and fetched a random IP address from Hong Kong for testing - 103.5.198.214:

    Pinging the address fails when the rule is on:

    Now I added a rule above the previous rule, allowing only 103.5.198.214:

    Ping succeeds:

    I know you are probably doing this for incoming packets instead of outgoing, but the idea remains the same. Would you care to share some screenshots?

    Regards,

    Giovani
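    As an added illustration (not from this thread and not Sophos code), a first-match simulation of the ordering Giovani describes: the same allow-exception and country-block rules evaluated in both orders. The GeoIP table, addresses (TEST-NET ranges) and rule names are constructed, and "countries" stands in for an XG country-group object.

```python
from ipaddress import ip_address, ip_network

# Constructed GeoIP table: documentation ranges standing in for real country ranges.
GEOIP = {ip_network("203.0.113.0/24"): "HK", ip_network("198.51.100.0/24"): "US"}


def country_of(ip):
    """Country lookup that a rule's country-group match would perform."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEOIP.items() if addr in net), "??")


def rule(name, action, hosts=(), countries=()):
    """hosts: explicit host/network objects; countries: a country group."""
    return {"name": name, "action": action,
            "hosts": [ip_network(h) for h in hosts], "countries": set(countries)}


def matches(r, ip):
    """A rule matches if the address is in one of its hosts or its country group."""
    addr = ip_address(ip)
    if any(addr in net for net in r["hosts"]):
        return True
    return country_of(ip) in r["countries"]


def evaluate(rules, ip):
    """Rules are walked top-to-bottom and the first match decides; no match
    falls through to the implicit drop."""
    for r in rules:
        if matches(r, ip):
            return r["name"], r["action"]
    return "implicit", "drop"


ALLOW_PARTNER = rule("allow partner host", "accept", hosts=["203.0.113.10/32"])
BLOCK_HK = rule("block HK", "drop", countries=["HK"])

# Exception placed below the country block: never reached for an HK address.
WRONG_ORDER = [BLOCK_HK, ALLOW_PARTNER]
# Exception placed above the country block: the ordering advised in this thread.
RIGHT_ORDER = [ALLOW_PARTNER, BLOCK_HK]

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        for ip in ("203.0.113.10", "203.0.113.77", "198.51.100.5"):
            print(label, ip, evaluate(rules, ip))
```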

  • Paul Treadaway said:

    I've tried that, but it seems that the country block rule is still triggered as well as the rule to allow?

     

    Not seeing this here, Paul. For example, I created a rule blocking Hong Kong as a destination and fetched a random IP address from Hong Kong for testing - 103.5.198.214:

    Pinging the address fails when the rule is on:

    Now I added a rule above the previous rule, allowing only 103.5.198.214:

    Ping succeeds:

    I know you are probably doing this for incoming packets instead of outgoing, but the idea remains the same. Would you care to share some screenshots?

    Regards,

    Giovani


    OK, maybe I have got the config of the allow rule wrong - I'll have another look. Thanks!

    Paul T