Country Blocking on XG

Hi,

I need to test the country blocking feature in XG, but if I use the rule configuration described at this link https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/CreateFirewallSecurityRule.html the log viewer doesn't show any drop.

I want to know whether XG drops only the inbound traffic from the countries declared in Source Networks that is directed to the LAN resources, but not the traffic directed to XG itself, or whether the UTM blocks all traffic (to itself too), showing the related entries in the log viewer.

Watchguard, for example, blocks the inbound traffic from all the configured countries, including the traffic directed to the UTM.

Thank you in advance for your reply

Claudio

  • FormerMember

    Hi

    Thank you for reaching out to the Community!

    The XG firewall will block traffic from blocked countries on its public IP address. If you have DNAT rules or configured ACL exceptions, then you have to configure a blackhole DNAT rule with the countries that you would like to block. The services configured with the DNAT rule and ACL exceptions are considered local services; inbound traffic from blocked countries will not get through the country blocking rule. I would also suggest you enable log traffic on the firewall rule.

    Thanks,

  • Thank you H_Patel for your answer, and thank you to Peter-Paul Gras too.

    I find your arguments very interesting and useful.

    My question starts from the idea that if I apply a rule or a filter to one or more countries, to expand the surface of the inbound connection protection, I must apply this configuration in the simplest way.

    I explain that in my experience with Watchguard UTM, the way to drop traffic from some countries was very simple. In a dedicated interface I select the countries and then I save the configuration. So the UTM begins to drop inbound traffic from the selected countries.

    I know the logic behind Sophos UTM is different.

    I decided to begin testing this feature, because I found some invalid traffic in the Log Viewer of the XG. The firewall logs show invalid inbound TCP denied traffic, e.g. from Turkey, directed to a public address of one of my connections, on port 80. There is no IN or OUT interface description. The Message column says "Could not associate packet to any connection".

    So I think I can try the feature to block traffic, e.g. from Turkey, and in theory I should not see the drop associated with the preceding message, but one associated with the country filter.

    In Watchguard logs, when an IP address of a blocked country tried to reach the public IP of my ISP, I saw the drop action reported in the logs.

    I don't have any ACL exception or DNAT rules, and in accordance with the documentation I created a new rule at the top to block traffic from unwanted countries, but I don't see any log about this rule.