GeoIP

Is anybody having success in using the GeoIP functionality? I am not, and I find it quite frustrating.

What have I done:
1. Created a country group; within that group, f.i. Romania:

2. Created a Drop rule based on the country group:

3. Have been checking logs for a couple of weeks; today I saw that there were entries in the log showing me that traffic was allowed originating from a Romanian IP:

And this is only one example, my log is filled with more similar ones.
Any thoughts on this? Is my thinking wrong, was my execution poor or are my expectations not right?

Grtz, Peter-Paul



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi Peter,

    Can you please check what the destination is, from the firewall logs?
    Is it the firewall IP, or is it getting forwarded into your LAN?

    Have you tried a WAN zone to LAN zone firewall rule with a source country block?

  • Hello James,

    "Can you please check what the destination is, from the firewall logs?"
    I have two WAN interfaces in my SW appliance.
    The destinations for these log messages are the IPv4 addresses of the WAN ports.

    "Have you tried a WAN zone to LAN zone firewall rule with a source country block?"
    Yes, I have been testing the following scenarios: WAN-ANY, ANY-ANY, WAN-LAN (the initial and current set-up).
    All lead to the same result of not blocking traffic originating from the countries I want to block. Today 32 hits so far...

    Hope this answers your questions. If you have more questions, I'll be more than happy to help.

    Grtz, Peter-Paul

  • FormerMember
    0 FormerMember in reply to Peter-Paul Gras

    Hi Peter,

    The firewall rules only come into the picture when traffic is intended to be FORWARDED from ANY ZONE to ANY ZONE.

    So, if the requests coming from the WAN are intended for the firewall WAN IP, they will not be considered in the firewall rules at all. They will go to the 'Device access rules, aka LOCAL_ACLS'.

    ADD a new rule in 'Administration > Device access > Local service ACL exception rule' for Romania and verify once again.

  • Hello James,

    Just created the following exception rule (please evaluate):

    2 questions:

    1. Can I disable the FW rule (as I understand it, it doesn't do GeoIP blocking)?
    2. How/where do I check the logging for entries concerning the new Local service ACL exception rule?

    Grtz, Peter-Paul

  • FormerMember
    0 FormerMember in reply to Peter-Paul Gras

    Hi Peter,

    The rule looks fine.

    1. Yes, you can disable the firewall rule. It does do GeoIP blocking, in cases where the source and destination are not Sophos interface IPs.

    2. You can check the DROP logs at the same place: Log viewer > Firewall logs.

  • No luck. Incoming traffic from Romania is still not being dropped:

    Grtz, Peter-Paul

  • FormerMember
    0 FormerMember in reply to Peter-Paul Gras

    Hi Peter,

    Destination port 25 is the SMTP service, which is not part of the Local ACL rule.

    Try and initiate traffic for service ports that are dropped in that ACL like HTTPS or SSH.

    Or, if you want to test with port 25, check the firewall rule from which the traffic is passing, i.e. rule ID 2; it might be above the country block rule. The country block rule should be on the TOP.
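
The two rule planes and the rule-ordering point from the replies above, as an added example (not code from the thread or from Sophos): a small Python model that judges constructed connection records against the device-access plane when they are addressed to the firewall's own WAN IP, and otherwise against the firewall rule table top to bottom, first match wins. The WAN addresses, the assumption that port 25 on them is published to an internal mail server (so that traffic is forwarded), the ACL exception contents and the rule objects are constructed for illustration; only rule ID 2 sitting above the country block comes from the thread.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: two WAN IPs (TEST-NET-3 range) and the assumption
# that port 25 on them is published to an internal mail server, so that
# traffic is FORWARDED and judged by the firewall rule table, not the ACL.
WAN_IPS = {"203.0.113.10", "203.0.113.11"}
PUBLISHED_PORTS = {25}
# Local service ACL exception (constructed): source country -> services dropped.
LOCAL_ACL_DROP = {"RO": {443, 22}}

@dataclass(frozen=True)
class Conn:
    src_country: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                          # "accept" or "drop"
    countries: frozenset | None = None   # None = any source country
    ports: frozenset | None = None       # None = any service

    def matches(self, c: Conn) -> bool:
        return ((self.countries is None or c.src_country in self.countries)
                and (self.ports is None or c.dst_port in self.ports))

def evaluate(c: Conn, fw_rules: list[Rule]) -> str:
    """Return 'plane:verdict[:rule_id]' for one connection record."""
    if c.dst_ip in WAN_IPS and c.dst_port not in PUBLISHED_PORTS:
        # Device-access plane: the firewall rule table is never consulted.
        if c.dst_port in LOCAL_ACL_DROP.get(c.src_country, set()):
            return "local-acl:drop"
        return "local-acl:no-exception"    # the exception rule does not cover it
    for r in fw_rules:                      # forward plane: first match wins
        if r.matches(c):
            return f"firewall:{r.action}:{r.rule_id}"
    return "firewall:drop:default"

GEO_DROP = Rule(1, "drop", countries=frozenset({"RO"}))     # the country block rule
SMTP_IN = Rule(2, "accept", ports=frozenset({25}))          # e.g. a mail publishing rule

def leaked(conns: list[Conn], fw_rules: list[Rule], blocked=frozenset({"RO"})):
    """Connections from a blocked country that neither plane dropped."""
    return [(c, v) for c in conns
            if c.src_country in blocked and ":drop" not in (v := evaluate(c, fw_rules))]
```

With rule 2 ordered above the country block, an SMTP connection from RO is accepted by rule 2 while HTTPS to the WAN IP is dropped by the ACL exception; swapping the order makes the country block catch the SMTP connection as well.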

  • Yes, I can see traffic going to DST Port 443 being denied.

    But my aim is to minimize the attack surface, e.g. with the use of GeoIP blocking. And only being able to block certain traffic still imposes a risk.
    I simply want to block all traffic originating from certain countries. This seems not feasible.

    Thank you for your help.

    Grtz, Peter-Paul