
GeoIP

Is anybody having success in using the GeoIP functionality? I am not, and I find it quite frustrating.

What have I done:
1. Created a country group, with in that group f.i. Romania:

2. Created a Drop rule based on the country group:

3. Have been checking logs for a couple of weeks; today I saw that there were entries in the log showing me that traffic was allowed originating from a Romanian IP:

And this is only one example, my log is filled with more similar ones.
Any thoughts on this? Is my thinking wrong, was my execution poor or are my expectations not right?

Grtz, Peter-Paul



  • Not based on any real knowledge about this, I'm curious what a source WAN zone versus Any would do?

  • Have tried that as well. In my experience, with no difference.

    SFVH (SFOS 19.5.1 MR-1-Build278)  - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Just for the notes, I tested v18 GA and v17.5.9 on the console and it shows the same lookup as Romania.

    What I do see is the GeoLite2 MaxMind database, if the XG is still using it somewhere, doesn't list the 185.100.87.x subnet.

    Wonder if IP address lookup and Country group matching are using different data stores?
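The log review Peter-Paul describes in the opening post, and the question above about whether the 185.100.87.x subnet is in the same data store the country group uses, can be turned into a repeatable cross-check. The script below is an added example, not code from the original thread or from Sophos: it parses constructed firewall log lines and flags allowed connections whose source address falls in a prefix the administrator maps to a blocked country. The prefix table and the key="value" log layout are assumptions; a real run would load the GeoLite2 CSV export and the firewall's actual log format.

```python
import ipaddress
import re

# Constructed stand-in for the GeoIP database (assumption: placeholder prefixes;
# a real check would load the MaxMind GeoLite2 country CSV instead).
BLOCKED_COUNTRIES = {"RO"}
COUNTRY_PREFIXES = {
    "RO": ["185.100.87.0/24"],   # the subnet discussed in the thread
    "NL": ["192.0.2.0/24"],      # documentation range used as a harmless control
}

# Constructed log lines in a simplified key="value" layout (assumption: the real
# SFOS log fields differ; only src_ip and action are consulted here).
SAMPLE_LOG = """\
log_type="Firewall" action="Drop" src_ip="185.100.87.10" dst_port="443"
log_type="Firewall" action="Allow" src_ip="185.100.87.25" dst_port="8443"
log_type="Firewall" action="Allow" src_ip="192.0.2.7" dst_port="443"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def build_networks(prefixes):
    """Flatten {country: [cidr, ...]} into [(ip_network, country), ...]."""
    return [(ipaddress.ip_network(c), cc) for cc, cidrs in prefixes.items() for c in cidrs]


def country_of(ip, nets):
    """Longest-prefix is not needed here; first matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    for net, cc in nets:
        if addr in net:
            return cc
    return None


def parse_line(line):
    return dict(FIELD.findall(line))


def find_leaks(log_text, blocked=BLOCKED_COUNTRIES, prefixes=COUNTRY_PREFIXES):
    """Return (src_ip, country) for every allowed entry from a blocked country."""
    nets = build_networks(prefixes)
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "Allow" or "src_ip" not in rec:
            continue
        cc = country_of(rec["src_ip"], nets)
        if cc in blocked:
            leaks.append((rec["src_ip"], cc))
    return leaks


if __name__ == "__main__":
    for ip, cc in find_leaks(SAMPLE_LOG):
        print(f"allowed despite GeoIP block: {ip} ({cc})")
```

If the script reports hits while the firewall's own IP lookup agrees on the country, the two features are evidently not consulting the same data, which is the question raised above.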

  • FormerMember:

    Hi Peter-Paul Gras,

    Is traffic from the Romanian IP allowed by the same firewall rule that you have configured to block traffic based on GeoIP, or is it allowed by a different rule?

    Thanks,

  • This Drop rule is the first FW rule in my firewall.

    I would expect it to block traffic coming from these blocked countries, based on the fact that it is the first FW rule to be hit.
    BTW, no allow rules defined....

    Grtz

  • FormerMember (in reply to Peter-Paul Gras):

    Hi Peter-Paul Gras,

    Could you please share full traffic logs that show the ports involved? What is the User Portal port configured on the firewall? Do you have HTTPS access allowed over the WAN zone?

    Thanks,

  • Peter,

    what is the target of the traffic logged and allowed? I mean, does the traffic go to the User Portal, Web Admin or any local XG services?

    How did you try to simulate the traffic?

    Thanks

  • Hey guys,

    he is not asking about specific ports or applications, but that an IP address range is not blocked when using the XG country blocking, and that IP range is registered against a country he has blocked.

    So, how does the database XG uses get updated?

    Ian

    edit - removed an odd word.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you Ian for explaining this.

    I was already puzzling over what was being asked of me and how to reply.
    But it is exactly what you said. I've got countries I want to block and see every single IP address originating from these countries being allowed. Not a single one is being dropped, while the GeoIP drop rule is my first rule; all traffic should stumble over this one rule.

    My main question was: has anybody got this working?

    Grtz, Peter-Paul

  • Hi Peter-Paul,

    yes, I have it working on outgoing. It will not work on incoming because the traffic needs to hit the firewall to be assessed. I do see a lot of access attempts from Romania and Russia at the moment on a range of ports, but my firewall rule to drop incoming traffic from Russia never shows any activity. I put the block Russia rule there because my wife was being sent junk/attack email from Russia; since I put the block rule in she hasn't received any more, so I can only assume something is working.

    Ian
