GeoIP

Is anybody having success in using the GeoIP functionality? I am not and I find it quite frustrating.

What have I done:
1. created a country group within that group f.i. Romania:

2. created a Drop rule based on the country group:

3. Have been checking logs for a couple of weeks, today I saw that there were entries in the log showing me that traffic was allowed originating from a Romanian IP:

And this is only one example, my log is filled with more similar ones.
Any thoughts on this? Is my thinking wrong, was my execution poor or are my expectations not right?

Grtz, Peter-Paul



  • FormerMember
    0 FormerMember

    Hi Peter-Paul Gras,

    Is traffic from Romanian IP allowed from the same firewall rule that you have configured to block traffic based on GeoIP? Or is it allowed by a different rule?

    Thanks,

  • This Drop rule is the first FW rule in my firewall.

    I would expect it to block traffic coming from these blocked countries based on the fact that it is the first FW rule to be hit.
    BTW, no allow rules defined....

    Grtz

  • FormerMember
    0 FormerMember in reply to Peter-Paul Gras

    Hi Peter-Paul Gras,

    Could you please share full traffic logs that show the ports involved? What is the UserPortal port configured on the firewall? Do you have HTTPS access allowed over the WAN Zone?

    Thanks,

  • Peter,

    what is the target of the traffic logged and allowed? I mean, does the traffic go to User portal, Web Admin or any local XG services?

    How did you try to simulate the traffic?

    Thanks

  • Hey guys,

    he is not asking about specific ports or applications but that an IP address range is not blocked when using the XG country blocking and that IP range is registered against a country he has blocked.

    So, how does the database XG uses get updated?

    Ian

    edit - removed an odd word.

  • Thank you Ian for explaining this.

    I was already puzzling on what was being asked from me and how to reply.
    But it is exactly what you said. I have countries I want to block and see every single IP address originating from these countries being allowed. Not a single one is being dropped, while the GeoIP drop rule is my first rule, so all traffic should stumble over this one rule.

    My main question was: has anybody got this working? 

    Grtz, Peter-Paul

  • Hi Peter-Paul,

    yes, I have it working on outgoing. It will not work on incoming because the traffic needs to hit the firewall to be assessed. I do see a lot of access attempts from Romania and Russia at the moment on a range of ports, but my firewall rule to drop incoming traffic from Russia never shows any activity. I put the block Russia rule there because my wife was being sent junk/attack email from Russia; since I put the block rule in she hasn't received any more, so I can only assume something is working.

    Ian

  • Ok good to know it is working on outgoing traffic for you, but not on incoming.
    I need to block the incoming traffic. Will wait to see if any of the senior members here or Sophos Staff has a solution for this.

    Grtz, Peter-Paul

  • Since we are holding, I'll place my bet on the GeoLite2 database (or a variant). :)

    Not that I am doing an exhaustive test, but I am finding IPs in GeoLite2 are blocked, and ones not in the table are allowed.

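The last reply suggests a practical check: is the "allowed" source IP actually present in the GeoIP table the firewall consults, or does it fall into a gap that no country rule can match? The script below is an added example, not code from the thread or from Sophos. It audits constructed traffic-log lines against a small, constructed CIDR-to-country table that stands in for the real GeoIP database (the prefixes and country assignments are hypothetical, not real GeoLite2 data), and classifies each flow as blocked as expected, allowed despite a block (worth escalating), or unmapped (the firewall had no country to match against). The log line format (`src_ip=... dst_port=... action=...`) is likewise an assumption, not the XG log format.

```python
"""Audit firewall traffic logs against a GeoIP country-block policy.

Added example: the GeoIP table, block list and log lines below are all
constructed for illustration. Replace GEOIP_TABLE with a lookup against
the database the firewall really uses (e.g. GeoLite2) to audit real logs.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hypothetical CIDR -> ISO country code table (NOT real GeoIP assignments).
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "RO",
    ipaddress.ip_network("198.51.100.0/25"): "RU",
    ipaddress.ip_network("192.0.2.0/24"): "NL",
}

# Countries covered by the Drop rule, as in the thread (Romania, Russia).
BLOCKED_COUNTRIES = {"RO", "RU"}

# Assumed log format; adjust the regex to the firewall's actual field names.
LOG_RE = re.compile(
    r"src_ip=(?P<src>[0-9a-fA-F.:]+)\s+dst_port=(?P<port>\d+)\s+action=(?P<action>\w+)"
)


def lookup_country(ip_str: str, table=GEOIP_TABLE) -> Optional[str]:
    """Longest-prefix match of an IP against the country table, or None."""
    ip = ipaddress.ip_address(ip_str)
    best_net, best_cc = None, None
    for net, cc in table.items():
        if net.version == ip.version and ip in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_cc = net, cc
    return best_cc


@dataclass
class Finding:
    src: str
    port: int
    action: str
    country: Optional[str]
    verdict: str


def audit(log_lines: Iterable[str], blocked=BLOCKED_COUNTRIES, table=GEOIP_TABLE) -> List[Finding]:
    """Classify each parsable log line against the country-block policy."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not carry the fields we need
        src, port, action = m["src"], int(m["port"]), m["action"].lower()
        cc = lookup_country(src, table)
        if cc is None:
            # No country mapping: a country-group rule can never match this IP.
            verdict = "unmapped"
        elif cc in blocked and action == "allow":
            # Source is in a blocked country but got through: investigate rule order.
            verdict = "rule_bypassed"
        elif cc in blocked:
            verdict = "blocked_as_expected"
        else:
            verdict = "not_in_scope"
        findings.append(Finding(src, port, action, cc, verdict))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per verdict, so bypasses stand out at a glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample log lines (not real firewall output).
SAMPLE_LOGS = [
    "src_ip=203.0.113.45 dst_port=443 action=Allow",    # RO, allowed -> bypass
    "src_ip=198.51.100.9 dst_port=22 action=Drop",      # RU, dropped -> ok
    "src_ip=198.51.100.200 dst_port=22 action=Allow",   # outside /25 -> unmapped
    "src_ip=192.0.2.7 dst_port=8443 action=Allow",      # NL, not blocked
    "garbage line without the expected fields",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS):
        print(f"{f.src:16} port {f.port:5} {f.action:6} {f.country or '-':3} {f.verdict}")
    print(summarize(audit(SAMPLE_LOGS)))
```

An "unmapped" verdict on many allowed flows points at the database rather than the rule; a "rule_bypassed" verdict with the Drop rule at the top of the rule set points at the traffic reaching a path the rule does not cover (the replies above ask about User Portal, Web Admin and other local XG services for exactly that reason).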