Exceptions to country blocking

How do I add an exception to country blocking in the XG firewall? In UTM9 there was a separate tab for it, but I can't find it anywhere in the XG UI.



This thread was automatically locked due to age.
  • Hey  

    Country-blocking for the XG is applied on a per-firewall rule basis, therefore you would need to create an allow firewall rule above your deny country-blocking rule in order to "except" your desired traffic:

    unlike the UTM where it is a global setting (where you would need to configure exceptions):

      

    Please see this KB article for reference for the XG.

    Regards,

  • FloSupport said:

    Hey  

    Country-blocking for the XG is applied on a per-firewall rule basis, unlike the UTM where it is a global setting (where you would need to configure exceptions).

    Please see this KB article for reference.

    Regards,

     

     

    Hi,

    We already have a rule to block all other countries, but we need to make exceptions for specific IP addresses. This was possible in UTM9, but I can't see how to do it in XG - I can edit country groups or create a new one, to change which countries are blocked, but there doesn't seem to be any way of editing the country definitions themselves, or any kind of global whitelist?

    Paul

  • Hey Paul.

    Create a rule above the country block rule allowing those specific IP addresses/ranges/networks. Since firewall rules are matched top-to-bottom, that should allow the traffic. I too come from the UTM world and sometimes it's hard to let go of old habits, but for XG we need to think very differently on how to set up things as they are both very, very different products.

    Regards,

    Giovani

  • giomoda said:

    Hey Paul.

    Create a rule above the country block rule allowing those specific IP addresses/ranges/networks. Since firewall rules are matched top-to-bottom, that should allow the traffic. I too come from the UTM world and sometimes it's hard to let go of old habits, but for XG we need to think very differently on how to set up things as they are both very, very different products.

    Regards,

    Giovani

     

    Hi,

    I've tried that, but it seems that the country block rule is still triggered as well as the rule to allow?

    Paul T

  • I've tried that, but it seems that the country block rule is still triggered as well as the rule to allow?

    Not seeing this here, Paul. For example, I created a rule blocking Hong Kong as a destination and fetched a random IP address from Hong Kong for testing - 103.5.198.214:

    Pinging the address fails when the rule is on:

    Now I added a rule above the previous rule, allowing only 103.5.198.214:

    Ping succeeds:

    I know you are probably doing this for incoming packets instead of outgoing, but the idea remains the same. Would you care to share some screenshots?

    Regards,

    Giovani
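
A simplified model of the top-to-bottom, first-match ordering described in the replies above, added here as an illustration and not taken from the thread or from Sophos. The `Rule` class, the rule names and the /24 assigned to Hong Kong are assumptions; only the address 103.5.198.214 comes from the thread. It also flags an exception that sits below the block rule, where it can never match.

```python
import ipaddress
from dataclasses import dataclass

# Constructed geo table: the thread says 103.5.198.214 is in Hong Kong;
# the /24 boundary is an assumption made for this model.
GEO = {"HK": [ipaddress.ip_network("103.5.198.0/24")]}

@dataclass
class Rule:
    name: str
    action: str   # "accept" or "drop"
    dst: str      # "any", a country code present in GEO, or a host/CIDR

    def networks(self):
        if self.dst == "any":
            return [ipaddress.ip_network("0.0.0.0/0")]
        if self.dst in GEO:
            return GEO[self.dst]
        return [ipaddress.ip_network(self.dst)]

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks())

def evaluate(rules, ip, default="drop"):
    """First match wins, scanning top to bottom: (rule name, action)."""
    for rule in rules:
        if rule.matches(ip):
            return rule.name, rule.action
    return "default", default

def shadowed_exceptions(rules):
    """Accept rules that can never fire because an earlier drop rule
    already covers every destination they list."""
    hits = []
    for i, rule in enumerate(rules):
        if rule.action != "accept":
            continue
        for earlier in rules[:i]:
            if earlier.action == "drop" and all(
                any(n.subnet_of(e) for e in earlier.networks())
                for n in rule.networks()
            ):
                hits.append((rule.name, earlier.name))
                break
    return hits

# Hypothetical rule set mirroring the test in the post above.
block_hk = Rule("block-hk", "drop", "HK")
allow_host = Rule("allow-host", "accept", "103.5.198.214")
lan_out = Rule("lan-to-wan", "accept", "any")
```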

  •  

     
    Paul Treadaway
    I've tried that, but it seems that the country block rule is still triggered as well as the rule to allow?

     

    Not seeing this here, Paul. For example, I created a rule blocking Hong Kong as a destination and fetched a random IP address from Hong Kong for testing - 103.5.198.214:

    Pinging the address fails when the rule is on:

    Now I added a rule above the previous rule, allowing only 103.5.198.214:

    Ping succeeds:

    I know you are probably doing this for incoming packets instead of outgoing, but the idea remains the same. Would you care to share some screenshots?

    Regards,

    Giovani

     

     

    OK, maybe I have got the config of the allow rule wrong - I'll have another look. Thanks!

    Paul T
