
Again on country block

Hello all,

I read the various threads that were started on country block and I know it's been a pain for a while but I also know that in the most current release it should not be a problem anymore.

I am on version SFOS 17.5.0 GA. I just started my XG a couple of days ago and created the user/network rule below (not as a business application rule). I placed it at the top of the firewall rule list, but surprisingly I still see zero traffic dropped:

The second drop rule blocks about 2000 IP addresses (two groups); however, it's plausible that there's no traffic on that one. The first rule, however, should show something other than zero.

Any thoughts? Did I miss some small detail?

  • Hi Marco,

    For the traffic to be logged it has to get into the firewall, not be bounced at the gate.

    I use country blocking on the outgoing side in case something does get hacked.

    Also, a little bit of trivia: not all country sites are located under the country suffix, e.g. there are some .ru sites hosted on US servers; those are the ones I have investigated.

    Ian

  • Got it.

    So I did a test: found a random newspaper in China. The URL is jlwb.njnews.cn (the IP, through a trace, is 61.132.73.251).

    GeoIP2/Maxmind tells me it's in China.

    If I go to the site I can see it... but shouldn't the response from that server be dropped because of the rule? Or am I seeing it due to the reflexive property of the firewall?

    I just don't have another XG to compare mine with, and I am trying to make sure the rule I set forth is working.

    Thanks for your help!

    Marco

  • Hi Marco,

    You are confusing yourself.

    The firewall will see the connection you started as being allowed traffic because you originated the conversation.

    Now, if the newspaper tried to start a connection with your PC, that connection would fail, appear in the log viewer, and count against the block firewall rule.

    Ian

  • Ian,

    Thanks for clarifying that. That's what I meant by reflexive: if I initiated the communication, the firewall will let the traffic through.

    I was thinking about setting a rule just like the one you mentioned, in the event a device on the LAN attempts, for example, to reach a foreign C2 (command and control) server.

    Would you be willing to share your outbound block rule? You can PM me too.
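The point Ian makes about established connections, and the outbound block Marco asks about at the end, as an added example that is not part of the thread and not SFOS code. It is a small Python model of a stateful firewall with country-based rules: the GeoIP table, the LAN range, the private host addresses and the rule names are constructed assumptions for illustration; only the mapping 61.132.73.251 -> CN comes from the thread. The model shows why a reply to a LAN-initiated connection never reaches the inbound block rule (so its counter stays at zero), why an unsolicited inbound connection from the same address does hit it, and how an outbound rule catches a LAN host calling out to a blocked country.

```python
"""
Constructed model of a stateful firewall with country-block rules.
Added example, not SFOS code. GEOIP, LAN, host addresses and rule
names are assumptions; 61.132.73.251 -> CN is the address from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed GeoIP table (constructed); a real firewall consults a GeoIP database.
GEOIP = {
    ip_network("61.132.0.0/16"): "CN",
    ip_network("203.0.113.0/24"): "US",
}
LAN = ip_network("192.168.1.0/24")   # assumed internal network

PC = "192.168.1.50"                  # assumed LAN client
NEWSPAPER = "61.132.73.251"          # jlwb.njnews.cn per the thread's trace
INFECTED = "192.168.1.77"            # assumed compromised LAN host
C2 = "61.132.9.9"                    # assumed C2 address inside the CN range


def country(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


@dataclass
class Packet:
    src: str
    dst: str

    @property
    def src_zone(self) -> str:
        return "LAN" if ip_address(self.src) in LAN else "WAN"

    @property
    def dst_zone(self) -> str:
        return "LAN" if ip_address(self.dst) in LAN else "WAN"


@dataclass
class Rule:
    name: str
    action: str                          # "drop" or "accept"
    src_zone: str                        # "LAN" or "WAN"
    dst_zone: str
    src_countries: frozenset = frozenset()   # empty = any country
    dst_countries: frozenset = frozenset()
    hits: int = 0                        # what the GUI counter would show

    def matches(self, pkt: Packet) -> bool:
        if (self.src_zone, self.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            return False
        if self.src_countries and country(pkt.src) not in self.src_countries:
            return False
        if self.dst_countries and country(pkt.dst) not in self.dst_countries:
            return False
        return True


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()           # (client, server) pairs with state

    def handle(self, pkt: Packet) -> str:
        # Established/related traffic is matched against the connection
        # table first; the rule list (and its counters) is never consulted.
        if (pkt.src, pkt.dst) in self.conntrack or (pkt.dst, pkt.src) in self.conntrack:
            return "accept (established)"
        # New connections walk the rule list top to bottom.
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                if rule.action == "accept":
                    self.conntrack.add((pkt.src, pkt.dst))
                return f"{rule.action} ({rule.name})"
        return "drop (implicit default)"


def inbound_only_ruleset():
    """Marco's setup: block from CN on the WAN->LAN side, allow LAN->WAN."""
    return [Rule("Block inbound from CN", "drop", "WAN", "LAN", src_countries=frozenset({"CN"})),
            Rule("LAN to WAN", "accept", "LAN", "WAN")]


def outbound_block_ruleset():
    """Ian's approach: also block LAN->WAN traffic destined for CN."""
    return [Rule("Block outbound to CN", "drop", "LAN", "WAN", dst_countries=frozenset({"CN"})),
            Rule("Block inbound from CN", "drop", "WAN", "LAN", src_countries=frozenset({"CN"})),
            Rule("LAN to WAN", "accept", "LAN", "WAN")]


def demo() -> dict:
    results = {}
    # 1. PC browses the newspaper: SYN out, reply back.
    fw = StatefulFirewall(inbound_only_ruleset())
    results["browse"] = (fw.handle(Packet(PC, NEWSPAPER)), fw.handle(Packet(NEWSPAPER, PC)))
    results["browse_inbound_hits"] = fw.rules[0].hits      # reply never touched the block rule
    # 2. Newspaper server opens a fresh connection to the PC (no prior state).
    fw = StatefulFirewall(inbound_only_ruleset())
    results["unsolicited"] = fw.handle(Packet(NEWSPAPER, PC))
    results["unsolicited_inbound_hits"] = fw.rules[0].hits
    # 3. Compromised LAN host calls out to a C2 in a blocked country.
    fw = StatefulFirewall(outbound_block_ruleset())
    results["c2_callout"] = fw.handle(Packet(INFECTED, C2))
    results["c2_outbound_hits"] = fw.rules[0].hits
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Scenario 1 is the test Marco ran: the outbound SYN is accepted by the LAN-to-WAN rule and creates state, and the reply is accepted from the connection table, so the inbound block rule's counter stays at zero even though the server is in China. Scenario 2 is the case Ian describes, where the server initiates and the block rule fires. Scenario 3 is the outbound rule Marco wants: a LAN host trying to reach a blocked country never gets its SYN out, and the drop is counted on that rule.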