How to fully block/drop packets from a malicious WAN address?

Question

Hi, 
 Since upgrading to V18 where NAT and Firewalls have been separated. How would I be sure to fully block and Drop a malicious WAN address traffic from hitting our web facing services? 
 I have written a drop rule containing a list of IP Addresses as sources from WAN zone and placed it at the top of my firewall rules, but I'm still seeing Allowed traffic against my Port Forwarding Rules (example shown) 
 
 Do I also need to write a specific NAT rule to block these malicious WAN IPs? If yes what would this look like? 
 Thanks, 
 Craig

Vishal_R · Accepted Answer

Hi CraigLloyd : Thanks for sharing the snapshot. With current XG architecture under certain circumstances, when there is a DNAT rule for port 443, but there is also a DROP rule for inbound traffic on port 443 from the WAN zone, the connection is being passed to awarrenhttp (web service ) to reflect or responds with a block page of Sophos.

So your traffic is dropped only by firewall but you are able to see this with action as in allowed in log viewer due to above behavior.

If you will check by generating traffic for any other port apart from 80 and 443 from outside IP by adding it in block list then you will get the expected result.

Currently this is known behavior and it is in scope of improvement in near future and probable fix version marked is V18 MR-5 as of now.

How to fully block/drop packets from a malicious WAN address?

Top Replies