
ip / country block does not work with waf

SFVH (SFOS 18.0.4 MR-4) 

Hello,

The block rule only works with DNAT.

I have created the "block country" rule and blocked my cell phone for testing purposes.

The DNAT rule is blocked correctly,

but all WAF rules are not blocked.

Do firewall rules not apply to WAF?
How do I set an IP / country block for WAF?



  • Hello,

    Drop/Reject firewall rules don't work with WAF since v18 EAP 1. I reported it back then but they never fixed it; in v17.5 it used to work as expected.

    If you want to open a support case for it, you can use NC-51857 as a reference.

    (Read post below.)

    Now you should create a DNAT Blackhole in order to do country filtering for WAF.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Isn't this known to be a restriction of the decoupling of NAT?

    If you create a NAT rule for unwanted destination countries, it should hit. The WAF rule will pick up and overwrite the Deny rule.

    https://community.sophos.com/xg-firewall/f/recommended-reads/122357/life-of-a-packet---sophos-xg-v18-0


  • The only answer I got from it was "No ETA for the fix".

    If you create a NAT rule for unwanted destination countries, it should hit.

    Apparently yes, I've just tried it out and it worked as expected; it just feels really strange to have a NAT rule doing this instead of a firewall rule.

    Thanks again



  • Can you show me your NAT rule?

  • Sure, here's the rule:

    Use the "Rule Position" at "Top".

    • Original Source: here you select the countries / continents you want to block.
    • Translated Source: leave as "Original".
    • Original Destination: mine is at #Port2 since it's where the WAF is currently located.
    • Translated Destination: here you create a dummy IP (blackhole IP); you can use any local IPv4 that isn't being used.
    • Original Service: HTTP and HTTPS, or if the WAF is located on another port you can create a new service there.

    Thanks!


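The ordering the thread relies on (a top-position DNAT to a blackhole IP is applied before the WAF rule sees the packet, and a linked NAT rule is consulted before ordinary ones) as a small constructed model; this is added illustration, not Sophos code, and the IPs, country codes and rule semantics are assumptions for the demo.

```python
# Constructed model of the DNAT-before-WAF ordering described in this thread (not Sophos code).
from dataclasses import dataclass
from typing import Optional

WAF_IP = "203.0.113.10"          # assumed: public IP on #Port2 where the WAF listens
BLACKHOLE_IP = "10.255.255.254"  # assumed: unused local IPv4 used as the dummy destination
WEB_PORTS = {80, 443}            # HTTP and HTTPS, as in the NAT rule above


@dataclass(frozen=True)
class Packet:
    src_country: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    countries: Optional[frozenset]  # None means "Any" source country
    translated_dst: str
    linked: bool = False  # linked NAT rules win over ordinary ones regardless of position


def apply_nat(pkt: Packet, rules: list) -> Packet:
    # Linked rules are consulted first, then ordinary rules in list (position) order.
    ordered = [r for r in rules if r.linked] + [r for r in rules if not r.linked]
    for rule in ordered:
        country_ok = rule.countries is None or pkt.src_country in rule.countries
        if country_ok and pkt.dst_ip == WAF_IP and pkt.dst_port in WEB_PORTS:
            return Packet(pkt.src_country, rule.translated_dst, pkt.dst_port)
    return pkt


def process(pkt: Packet, rules: list) -> str:
    # DNAT runs before the firewall/WAF lookup, so the WAF rule only sees the translated destination.
    pkt = apply_nat(pkt, rules)
    if pkt.dst_ip == WAF_IP and pkt.dst_port in WEB_PORTS:
        return "waf"         # WAF rule picks it up; a Drop firewall rule would not stop it here
    if pkt.dst_ip == BLACKHOLE_IP:
        return "blackholed"  # nothing answers on the dummy IP, so the connection goes nowhere
    return "no match"


# Constructed sample data: XA/XB are user-assigned codes standing in for blocked countries.
BLOCK_RULE = NatRule("Block countries", frozenset({"XA", "XB"}), BLACKHOLE_IP)
ALLOWED = Packet("XC", WAF_IP, 443)
BLOCKED = Packet("XA", WAF_IP, 443)

if __name__ == "__main__":
    print(process(BLOCKED, [BLOCK_RULE]), process(ALLOWED, [BLOCK_RULE]))
```

Adding a linked NAT rule for the WAF after the block rule shows Ian's caveat: it is evaluated first and the blocked client reaches the WAF anyway.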

  • That means I need 2 entries in the firewall: 1. a drop firewall rule, and a NAT rule to be sure?

    this is ***

  • Well, it's weird because for me IP/Country is working correctly. I've checked it from different VPNs and proxies, and all traffic is denied. I'm using WAF rules, and on top of all policies stands "deny countries" -> I did check the logs and the traffic is tagged as "denied".

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • Hi,

    Please remember that linked NAT rules take precedence over ordinary NAT rules even if you have the linked NAT rule lower down the processing order.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Those are mine.

    And I haven't been touching default settings ;) The FW rule is blocking the whole world except a specific hostname that is allowed to access VPN and other services ;) Please keep in mind that the dest FW rule is behind the blocking rule. The DNAT rule is FIRST, as you can see in the screenshot.
