
Country Blocking of whitelisted Country

Hi,

I have a DNAT rule to blackhole for country blocking. I'm blocking almost every country except some in the EU. In the past it worked very well, but last weekend I had problems with access. I was using the WiFi of a holiday house with a German IP address. Using WiFi I was not able to access my server behind my Sophos. Without WiFi it worked. I already checked the IP using different GeoIP providers and also the Sophos Console. I always get the answer: IP belongs to Germany. IPs: 194.151.1.8 - 194.151.1.11

Does anyone have an idea what could be wrong?

In the log it even says src_country="DEU".

Thank you all!



  • Hello HerrTim,

    Thank you for contacting the Sophos Community!

    I am not understanding your problem correctly, so please clarify.

    You were trying to access your XG from an IP in Germany, however, you were not able to?

    Or you were expecting the IP from Germany to be blocked?

    Regards,

  • Hello Emmanuel,

    I'm using WAF to protect my server behind my XG. As country blocking as described in https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/CreateFirewallSecurityRule.html is not working, I'm using a blackhole solution: forward IPs from countries to a non-existent client in my network. Only IPs from Germany and 3 other EU countries are allowed to access my server. That worked fine in the past. But last weekend I used a WiFi in Germany and I was not able to access my server. The XG applied the blackhole rule although my IP was identified as DEU. Now I'm a bit confused and I want to understand the problem and prevent a similar problem in the future.

    To your questions: Yes and no :)

    I hope it is now a little bit clearer.

    Regards,

    Tim

  • Hello Herr,

    Thank you for the follow-up!

    Oh OK, I got confused with the Live Log. I'm not sure why it would have taken the DNAT rule for the black hole instead of the NAT rule for the WAF; my guess is that the Europe Continent still has Germany. I am not sure if you are able to test again, but can you go to System >> Hosts and Services >> Country Group >> Europe Continent, remove Germany from here, and try accessing again?

    Regards,

  • Hello Emmanuel,

    I think there is still a misunderstanding.

    1. DNAT rule for country blocking, Germany is allowed (not included in Europe Continent). That DNAT rule is used as a blackhole.

    2. WAF for my server

    That works fine. This way only clients with a German IP address can access my server. But as I already said, I now had the problem that a German IP address, which was also identified as src_country="DEU", was not able to access the server. I have no idea why that happened. If Germany were part of the EU country list, nobody could access the server. But Germany is not part of the country list EU.

    Regards

  • Hello Herr,

    Thank you for the follow-up!

    Thank you, I thought it was hitting the DNAT rule, but if it hit the WAF rule, I don't see that the rule blocked the packet, but rather allowed it. I think this might rather be a different module that blocked that request. Is there any way you can replicate this? By the con_event="Stop", I think it might have been the IPS.

    Regards,
