Block IP address

Question

Hi guys, 
 In my XG I see a lot of incomming tcp attempts from several IP addresses. Currently they are all blocked by rule 0. Is there a way I can create a rule that is the first in line in which I can define all the IP's I want blocked. Some sort of blacklist. 
 Thanks in advance.

shred · Accepted Answer

L Jeffrey Jaspers said: Hi guys,
 In my XG I see a lot of incomming tcp attempts from several IP addresses. Currently they are all blocked by rule 0. Is there a way I can create a rule that is the first in line in which I can define all the IP's I want blocked. Some sort of blacklist. 
 Thanks in advance. 
 
 You can create a “IP Host” under “Host and Services” with a list of IP addresses you’re trying to block. From there, create a firewall rule to “Drop” anything coming from the “WAN” source zone and add the IP Host you created to the “Source Networks and Devices”. The destination zone would be to whatever zones you’re using (I’m assuming LAN) and the destination networks set to “Any”. This will drop traffic coming from the WAN zone and the IPs you listed to anything trying to reach to your LAN zone. 
 That being said, Sophos XG is a stateful firewall that, by default, blocks all incoming traffic (rule 0) unless it’s 1) a connection that was initiated from within your network (I.e. the stateful aspect of the firewall) or 2) a specific firewall rule is allowing that incoming traffic. I personally don’t see the point in creating another rule for a rule that already exists unless you need it for logging purposes which the default hidden rule 0 already does. I guess the other purpose would be to explicitly drop the traffic even if the connection was initiated from within your network (i.e. a device on your network is compromised).