GeoIP

Is anybody having success in using the GeoIP functionality? I am not, and I find it quite frustrating.

What have I done:
1. Created a country group, with, f.i., Romania in that group:

2. Created a Drop rule based on the country group:

3. Have been checking the logs for a couple of weeks; today I saw that there were entries in the log showing me that traffic was allowed originating from a Romanian IP:

And this is only one example, my log is filled with more similar ones.
Any thoughts on this? Is my thinking wrong, was my execution poor, or are my expectations not right?

Grtz, Peter-Paul

  • Hello James,

    Just created the following exception rule (please evaluate):

    2 questions:

    1. Can I disable the FW rule (as I understand it, it doesn't do GeoIP blocking)?
    2. How/where do I check the logging for entries concerning the new Local service ACL exception rule?

    Grtz, Peter-Paul 

    SFVH (SFOS 19.5.1 MR-1-Build278)  - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • FormerMember, in reply to Peter-Paul Gras

    Hi Peter,

    The rule looks fine.

    1. Yes, you can disable the firewall rule. It does do GeoIP blocking, in cases where the source and destination are not Sophos interface IPs.

    2. You can check the DROP logs at the same place: Log viewer > Firewall logs.

  • No luck. Incoming traffic from Romania is still not being dropped:

    Grtz, Peter-Paul

  • FormerMember, in reply to Peter-Paul Gras

    Hi Peter,

    The destination port 25 is the SMTP service, which is not part of the Local ACL rule.

    Try to initiate traffic for service ports that are dropped in that ACL, like HTTPS or SSH.

    Or, if you want to test with port 25, check the firewall rule from which the traffic is passing, i.e. rule ID 2; it might be above the country block rule. The country block rule should be on the TOP.
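
The two points above (a Local service ACL exception only covers the services listed in it, and a first-match rule base lets a broad accept rule placed above the country block win) can be shown with a small model of first-match rule evaluation. This is an added example, not SFOS code; the GeoIP prefixes, rule IDs and port sets are constructed assumptions.

```python
# Constructed model of first-match firewall evaluation (not SFOS code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed GeoIP table: prefix -> ISO country code (sample values only).
GEOIP = {ip_network("5.2.0.0/16"): "RO", ip_network("203.0.113.0/24"): "NL"}

def country_of(ip: str) -> str:
    """Return the country code for an address, '??' if not in the table."""
    addr = ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                               # "ACCEPT" or "DROP"
    src_countries: frozenset = frozenset()    # empty = any source country
    dst_ports: frozenset = frozenset()        # empty = any service

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.src_countries and country_of(src_ip) not in self.src_countries:
            return False
        return not self.dst_ports or dst_port in self.dst_ports

def evaluate(rules, src_ip, dst_port):
    """Return (action, rule_id) of the first rule that matches; implicit DROP."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action, rule.rule_id
    return "DROP", None

# Local service ACL exception as in the thread: drops only the listed services.
LOCAL_ACL = Rule(0, "DROP", frozenset({"RO"}), frozenset({443, 22}))
# Assumed rule ID 2: an accept rule for inbound SMTP (port 25 is not in the ACL).
RULE_2 = Rule(2, "ACCEPT", dst_ports=frozenset({25}))
# The country-group drop rule the original poster created.
COUNTRY_BLOCK = Rule(3, "DROP", frozenset({"RO"}))

BAD_ORDER = [LOCAL_ACL, RULE_2, COUNTRY_BLOCK]   # block rule below rule 2
GOOD_ORDER = [LOCAL_ACL, COUNTRY_BLOCK, RULE_2]  # block rule on top

if __name__ == "__main__":
    for name, rules in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        for port in (443, 25):
            print(name, port, evaluate(rules, "5.2.1.1", port))
```

With the block rule below rule 2, HTTPS from the Romanian address is dropped by the ACL but SMTP is accepted by rule 2, which is exactly the log pattern the thread describes; moving the block rule to the top drops both.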

  • Yes, I can see traffic going to DST Port 443 being denied.

    But my aim is to minimize the attack surface, e.g. with the use of GeoIP blocking, and only being able to block certain traffic still imposes a risk.
    I simply want to block all traffic originating from certain countries. This seems not to be feasible.

    Thank you for your help. 

    Grtz, Peter-Paul

  • No, they didn't fix it.

    The issue people are having on this thread is pretty much the same I reported on v18 EAP 1.

    I also thought it would have been fixed by now, since it has been reported since EAP 1. But, well...


    I hope it's fixed soon.


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • It is a long standing issue, not just in V18.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • I can be wrong, but this issue has never been present on >v17.5.6.

    I've always used geoip blocking on inbound/outbound and on WAF on v17.5.x, and never had any of those issues.

    The issue is currently only present in v18; it has been present since v18 EAP 1 came out.


  • Outbound has always worked in IPv4, but inbound was an issue, and neither works in IPv6.


  • The key difference, and what this thread discussion is about, is inbound GeoIP on IPv4: it always worked on v17.5, but doesn't work anymore on v18.

    GeoIP on IPv6 is a whole different story in XG.
