ip / country block does not work with waf

Question

SFVH (SFOS 18.0.4 MR-4) 
 hello 
 the block rule only works with dnat 
 I have created the "block country" rule and blocked my cell phone for testing purposes

the dnat rule is blocked correctly

but all waf rules are not blocked

do firewall rules not apply to waf? how to set ip / country block for waf?

Prism · Accepted Answer

Sure, here's the Rule: 
 
 Use the "Rule Position" at "Top". 
 
 Original Source: Here you will select the Countries / Continent you want to block. 
 Translated Source: Leave as "Original". 
 Original Destination: Mine is at #Port2 since It's where the WAF is currently located. 
 Translated Destination: Here you can create a Dummy IP (Blackhole IP), you can use any Local IPv4 that isn't being used. 
 Original Service: HTTP and HTTPS, or If the WAF is located on another port - you can then create a new Service in there. 
 
 Thanks!

LuCar Toni · Answer

Isnt this known to be a restriction to the decoupling of NAT? 
 If you create a NAT Rule for unwanted destination countries, it should hit. The WAF rule will pickup and overwrite the Deny rule. 
 https://community.sophos.com/xg-firewall/f/recommended-reads/122357/life-of-a-packet---sophos-xg-v18-0

ip / country block does not work with waf

Top Replies