ip / country block does not work with waf

Hello,

Drop/Reject Firewall Rules doesn't work with WAF since v18 EAP 1, I've reported it back then but they never fixed It; In v17.5 It used to work as expected.

If you want to open a support case for It, you can use the NC-51857 as reference.

(Read LuCar Toni post below.)

Now you should create a DNAT Blackhole in order to do country filtering for WAF.

Thanks!

Hello,

Drop/Reject Firewall Rules doesn't work with WAF since v18 EAP 1, I've reported it back then but they never fixed It; In v17.5 It used to work as expected.

If you want to open a support case for It, you can use the NC-51857 as reference.

(Read LuCar Toni post below.)

Now you should create a DNAT Blackhole in order to do country filtering for WAF.

Thanks!

Isnt this known to be a restriction to the decoupling of NAT? 

If you create a NAT Rule for unwanted destination countries, it should hit. The WAF rule will pickup and overwrite the Deny rule. 

https://community.sophos.com/xg-firewall/f/recommended-reads/122357/life-of-a-packet---sophos-xg-v18-0

The only answer I got from It has "No ETA for the fix".

LuCar Toni said:

If you create a NAT Rule for unwanted destination countries, it should hit.

Apparently yes, I've just tried It out and worked as expected, just feels really strange to have a NAT Rule doing this instead of a Firewall Rule.

Thanks again

can you show me your NAT rule?

Sure, here's the Rule:

Use the "Rule Position" at "Top".

• Original Source: Here you will select the Countries / Continent you want to block.
• Translated Source: Leave as "Original".
• Original Destination: Mine is at #Port2 since It's where the WAF is currently located.
• Translated Destination: Here you can create a Dummy IP (Blackhole IP), you can use any Local IPv4 that isn't being used.
• Original Service: HTTP and HTTPS, or If the WAF is located on another port - you can then create a new Service in there.

Thanks!

thank you, it works

that means i need 2 entries in the firewall. 1. drop rule firewall and nat rule to be sure?

this is ***

I have seen in my environment that MR5 does NOT fix this issue. Very disappointing especially since it took a lot of work to get the maint window approved.

On top of that, I actually had to also roll back to MR4 because development also took "nc" out of the OS which breaks my custom reverse proxy logging solution.

This will not be resolved and is documented in the online help: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/FirewallRulesCountryBasedRuleCreate.html?hl=blocking

I understand that, and I have also crafted the blackhole dnat. That's all fine and well but this also affected the ability to do Outbound country blocking as well.  How can this be resolved? Everything drops fine but HTTP/HTTPS. 

What do you actually want to Archive? The DNAT Rule will pickup the traffic in front of the WAF, therefore it will also drop the traffic coming from those countries and reroute it. That should work for MR5 and MR4.