ip / country block does not work with waf

Hello,

Drop/Reject Firewall Rules doesn't work with WAF since v18 EAP 1, I've reported it back then but they never fixed It; In v17.5 It used to work as expected.

If you want to open a support case for It, you can use the NC-51857 as reference.

(Read LuCar Toni post below.)

Now you should create a DNAT Blackhole in order to do country filtering for WAF.

Thanks!

Isnt this known to be a restriction to the decoupling of NAT? 

If you create a NAT Rule for unwanted destination countries, it should hit. The WAF rule will pickup and overwrite the Deny rule. 

https://community.sophos.com/xg-firewall/f/recommended-reads/122357/life-of-a-packet---sophos-xg-v18-0

The only answer I got from It has "No ETA for the fix".

LuCar Toni said:

If you create a NAT Rule for unwanted destination countries, it should hit.

Apparently yes, I've just tried It out and worked as expected, just feels really strange to have a NAT Rule doing this instead of a Firewall Rule.

Thanks again

can you show me your NAT rule?

Sure, here's the Rule:

Use the "Rule Position" at "Top".

• Original Source: Here you will select the Countries / Continent you want to block.
• Translated Source: Leave as "Original".
• Original Destination: Mine is at #Port2 since It's where the WAF is currently located.
• Translated Destination: Here you can create a Dummy IP (Blackhole IP), you can use any Local IPv4 that isn't being used.
• Original Service: HTTP and HTTPS, or If the WAF is located on another port - you can then create a new Service in there.

Thanks!

thank you, it works

that means i need 2 entries in the firewall. 1. drop rule firewall and nat rule to be sure?

this is ***

Well its weird cuz for me IP/Country is working correctly. Ive checked it from different VPNs, proxies And all traffic is denied.  Im using WAF rules And on the top of all policies stand "deny countries" -> I did check logs and the traffic is  tagged as "denied".

Hi,

please remember that linked NAT rules take precedence over ordinary NAT rules even if you have the linked NAT rule lower down the processing order.

Ian

Those are mine. 

And i havent been touhcong default settings ;)  FW rule is blocking whole world excpet specific hostname that is allow to access VPN and other services ;) pls keep in mind that dest FW rule is behind blocking rule. DNAT rule is FIRST as u can see in the screenshot.