Block IP address

Hi guys,

In my XG I see a lot of incoming TCP attempts from several IP addresses. Currently they are all blocked by rule 0. Is there a way I can create a rule that is the first in line in which I can define all the IPs I want blocked? Some sort of blacklist.

Thanks in advance.

  • Hi Jeffrey,

    adding another rule at the top will not help much. You need to determine if they are from a specific country, then you can apply country blocking rules at the top.

    Are the failed attempts aimed at your internal devices or are they just denied connection notifications?

    Also what ACL features do you have enabled on your external interface?

    Ian

  • Hi Ian, thank you for the answer. I know what you mean by country blocking, but that is not the solution I'm looking for. In the past I applied this solution to a customer environment, but that seemed to block a bit more than it was meant to. Some regular websites could not be visited. Although this is my home environment now, it still doesn't feel like the right solution to me. Do you know an alternative maybe?

    The failed attempts are not aimed at any internal applications, but I see continuous connection attempts to (to me) random ports. It's like there is a port scanner active on my IP.

  • Jeffrey Jaspers said:
    Hi guys,

    In my XG I see a lot of incoming TCP attempts from several IP addresses. Currently they are all blocked by rule 0. Is there a way I can create a rule that is the first in line in which I can define all the IPs I want blocked? Some sort of blacklist.

    Thanks in advance.

    You can create an “IP Host” under “Hosts and Services” with a list of the IP addresses you’re trying to block. From there, create a firewall rule to “Drop” anything coming from the “WAN” source zone and add the IP Host you created to the “Source Networks and Devices”. The destination zone would be whatever zones you’re using (I’m assuming LAN) and the destination networks set to “Any”. This will drop traffic coming from the WAN zone and the IPs you listed to anything trying to reach your LAN zone.

    That being said, Sophos XG is a stateful firewall that, by default, blocks all incoming traffic (rule 0) unless it’s 1) a connection that was initiated from within your network (i.e. the stateful aspect of the firewall) or 2) a specific firewall rule is allowing that incoming traffic. I personally don’t see the point in creating another rule for a rule that already exists unless you need it for logging purposes, which the default hidden rule 0 already does. I guess the other purpose would be to explicitly drop the traffic even if the connection was initiated from within your network (i.e. a device on your network is compromised).
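As an added example (not code from anyone in this thread or from Sophos), here is a small script that picks candidates for that IP Host list out of the rule 0 denial logs Jeffrey describes: sources that were denied on many distinct destination ports, which is the port-scan-like pattern he is seeing. The log layout and field names are assumptions in a simplified Sophos-style key=value syslog form, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified key=value syslog layout. The field
# names are assumptions (not the exact XG format); fw_rule_id=0 stands for the
# hidden default-drop rule discussed in the thread.
SAMPLE_LOG = """\
log_type="Firewall" status="Deny" fw_rule_id=0 src_ip=203.0.113.10 dst_ip=192.0.2.1 dst_port=22
log_type="Firewall" status="Deny" fw_rule_id=0 src_ip=203.0.113.10 dst_ip=192.0.2.1 dst_port=23
log_type="Firewall" status="Deny" fw_rule_id=0 src_ip=203.0.113.10 dst_ip=192.0.2.1 dst_port=445
log_type="Firewall" status="Deny" fw_rule_id=0 src_ip=203.0.113.10 dst_ip=192.0.2.1 dst_port=3389
log_type="Firewall" status="Deny" fw_rule_id=0 src_ip=203.0.113.10 dst_ip=192.0.2.1 dst_port=8080
log_type="Firewall" status="Deny" fw_rule_id=0 src_ip=198.51.100.7 dst_ip=192.0.2.1 dst_port=443
log_type="Firewall" status="Deny" fw_rule_id=0 src_ip=198.51.100.7 dst_ip=192.0.2.1 dst_port=443
log_type="Firewall" status="Allow" fw_rule_id=3 src_ip=198.51.100.99 dst_ip=192.0.2.1 dst_port=443
"""

# key=value pairs; values are either "quoted" or a bare token
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return one log line's key=value pairs as a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def scan_sources(log_text, min_ports=5):
    """Source IPs denied by rule 0 on at least min_ports distinct destination ports.

    A single source repeatedly hitting one port (e.g. 443) is ordinary noise and
    is not reported; a source probing many different ports is the candidate for
    the explicit drop list.
    """
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("status") == "Deny" and f.get("fw_rule_id") == "0":
            ports_by_src[f["src_ip"]].add(int(f["dst_port"]))
    return sorted(ip for ip, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    # Prints the constructed candidate list: ['203.0.113.10']
    print(scan_sources(SAMPLE_LOG))
```

Feed a real syslog export instead of SAMPLE_LOG and adjust the field names to what your XG actually emits; the resulting addresses are what you would paste into the IP Host.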