
GeoIP

Is anybody having success in using the GeoIP functionality? I am not and I find it quite frustrating.

What have I done:
1. created a country group within that group f.i. Romania:

2. created a Drop rule based on the country group:

3. Have been checking logs for a couple of weeks, today I saw that there were entries in the log showing me that traffic was allowed originating from a Romanian IP:

And this is only one example, my log is filled with more similar ones.
Any thoughts on this? Is my thinking wrong, was my execution poor or are my expectations not right?

Grtz, Peter-Paul



  • Ok good to know it is working on outgoing traffic for you, but not on incoming.
    I need to block the incoming traffic. Will wait to see if any of the senior members here or Sophos Staff has a solution for this.

    Grtz, Peter-Paul

     
    SFVH (SFOS 19.5.1 MR-1-Build278)  - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Since we are holding, I'll place my bet on the GeoLite2 database (or a variant). :)

    Not that I am doing an exhaustive test, but I am finding IPs in GeoLite2 are blocked, and ones not in the table are allowed.

  • FormerMember in reply to Peter-Paul Gras

    Hi Peter-Paul Gras,

    I'm testing this issue in my LAB. I will update you with the findings as soon as possible. 

    Thanks,

     

  • FormerMember

    Hi Peter-Paul Gras,

    I was able to replicate this issue in my LAB: traffic from the country that was supposed to be blocked by the country blocking rule did not trigger that block rule. I have reported this issue to the internal team. I will update this thread as soon as I get feedback on this issue.

    Thanks,

     

  • Thank you for letting us know and confirming the findings.

    Grtz, Peter-Paul

  • Hi,

    Is this issue also related to NC-51857 ?

    GeoIP works fine on v17.5.x, but not on v18. I've had this issue in v18 EAP 1.

     

    Thanks!


    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • FormerMember

    Hi Peter,

    Can you please check what is the destination? from the firewall logs?
    Is it the firewall IP or is it getting forwarded into your LAN?

    Have you tried WAN zone to LAN zone firewall rule with source country block?

  • Hello James,

    "Can you please check what is the destination? from the firewall logs?"
    I have two WAN interfaces in my SW appliance. 
    The destinations for these log messages are the IPv4 addresses of the WAN ports.

    "Have you tried WAN zone to LAN zone firewall rule with source country block?"
    Yes, I have been testing the following scenarios: WAN-ANY, ANY-ANY, WAN-LAN (the initial and current setup).
    All lead to the same result of not blocking traffic originating from the countries I want to block. Today 32 hits so far...

    Hope this answers your questions. If you have more questions I'll be more than happy to help.

    Grtz, Peter-Paul

  • Do you maybe know if this is fixed in latest release?

  • FormerMember in reply to Peter-Paul Gras

    Hi Peter,

    The firewall rules come into the picture only when traffic is intended to be FORWARDED from ANY ZONE to ANY ZONE.

    So, if the requests coming from the WAN are intended for the firewall's WAN IP, they will not be considered in the firewall rules at all. They will go to the 'Device access rules aka LOCAL_ACLS'.

    ADD a new rule in 'Administration > Device access > Local service ACL exception rule' for Romania and verify once again.
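As an added illustration of the point made in the last reply (example code, not from the thread or from Sophos), a small Python triage helper that sorts allowed log entries from a geo-blocked country by whether their destination was the firewall's own WAN IP (Device access / Local ACL path) or a forwarded host (firewall rule path). The WAN addresses, the country-to-prefix table and the log lines are constructed stand-ins.

```python
import ipaddress
# Constructed sample data (not taken from the thread): the appliance's own WAN
# addresses and a toy country-to-prefix table standing in for the GeoIP database.
WAN_IPS = {"203.0.113.10", "203.0.113.11"}
COUNTRY_PREFIXES = {
    "RO": [ipaddress.ip_network("192.0.2.0/25")],
    "NL": [ipaddress.ip_network("198.51.100.0/24")],
}

def country_of(ip):
    """Country code of an address, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in COUNTRY_PREFIXES.items():
        if any(addr in net for net in nets):
            return cc
    return None

def parse_log_line(line):
    """Split a key=value firewall log line into a dict (quotes stripped)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    return fields

def classify(line, blocked_countries):
    """Explain why an allowed flow from a geo-blocked country got past the rule."""
    fields = parse_log_line(line)
    cc = country_of(fields["src_ip"])
    if cc is None:
        return "unknown_country"      # not in the GeoIP table: no country group can match
    if cc not in blocked_countries:
        return "not_geo_blocked"
    if fields["dst_ip"] in WAN_IPS:
        return "local_acl_path"       # traffic to the appliance itself: Device access / Local ACL decides
    return "forward_rule_path"        # forwarded traffic: the WAN-to-LAN country drop rule should have hit

# Constructed log lines in a simplified key=value form.
SAMPLE_LOGS = [
    'log_type="Firewall" status="Allow" src_ip=192.0.2.7 dst_ip=203.0.113.10 dst_port=443',
    'log_type="Firewall" status="Allow" src_ip=192.0.2.9 dst_ip=10.0.0.25 dst_port=3389',
    'log_type="Firewall" status="Allow" src_ip=198.51.100.5 dst_ip=203.0.113.11 dst_port=22',
    'log_type="Firewall" status="Allow" src_ip=192.0.2.200 dst_ip=203.0.113.10 dst_port=80',
]

def triage(lines, blocked_countries=("RO",)):
    """Count verdicts over a set of log lines."""
    counts = {}
    for line in lines:
        verdict = classify(line, set(blocked_countries))
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Entries that land in `local_acl_path` are the ones a WAN-to-LAN country drop rule can never match, which is what the thread's WAN-port destinations point to.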