How-to create policy to block access to MX from all countries except local

Hi Jason,

does legitimate mail traffic only come from one source, if so add that your mail rule.

Ian

Hi Ian,

Thank you for the prompt reply.

With the current situation, travel is currently not allowed for staff, so yes.. traffic will only be from home country.

What you suggesting is to use the same policy for email and setup the countries to be blocked under "Block Client Network"?

Regards/Jason

Hi Jason,

I was thinking that you were talking about your server and limiting the access to your external mail provider assuming you only have one?

if you wish to block country address ranges you will need to build a dnat rule pointing at fictious address.

This thread might help.

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/118893/geoip?pi2151=2

Ian

Hi Ian,

As for now, my objective is to restrict access to my MX via port-443.. 

I saw the suggestion of using the "Local service ACL exception rule"

Do you think it will work if I setup as below?

Appreciate your advice.

Thanks/Jason