Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 17 replies
  • Answers 1 answer
  • Subscribers 30 subscribers
  • Views 2930 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ip / country block does not work with waf

Andreas Lindl

SFVH (SFOS 18.0.4 MR-4) 

hello

the block rule only works with dnat

I have created the "block country" rule and blocked my cell phone for testing purposes

the dnat rule is blocked correctly

but all waf rules are not blocked

do firewall rules not apply to waf?
how to set ip / country block for waf?



This thread was automatically locked due to age.
Parents
  • 0

    Hello,

    Drop/Reject Firewall Rules doesn't work with WAF since v18 EAP 1, I've reported it back then but they never fixed It; In v17.5 It used to work as expected.

    If you want to open a support case for It, you can use the NC-51857 as reference.

    (Read post below.)

    Now you should create a DNAT Blackhole in order to do country filtering for WAF.

    Thanks!

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • 0 in reply to Prism

    Isnt this known to be a restriction to the decoupling of NAT? 

    If you create a NAT Rule for unwanted destination countries, it should hit. The WAF rule will pickup and overwrite the Deny rule. 

    https://community.sophos.com/xg-firewall/f/recommended-reads/122357/life-of-a-packet---sophos-xg-v18-0

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    The only answer I got from It has "No ETA for the fix".

    LuCar Toni said:
    If you create a NAT Rule for unwanted destination countries, it should hit.

    Apparently yes, I've just tried It out and worked as expected, just feels really strange to have a NAT Rule doing this instead of a Firewall Rule.

    Thanks again

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • 0 in reply to Prism

    can you show me your NAT rule?

  • +1 in reply to Andreas Lindl

    Sure, here's the Rule:

    Use the "Rule Position" at "Top".

    • Original Source: Here you will select the Countries / Continent you want to block.
    • Translated Source: Leave as "Original".
    • Original Destination: Mine is at #Port2 since It's where the WAF is currently located.
    • Translated Destination: Here you can create a Dummy IP (Blackhole IP), you can use any Local IPv4 that isn't being used.
    • Original Service: HTTP and HTTPS, or If the WAF is located on another port - you can then create a new Service in there.

    Thanks!

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

Reply
  • +1 in reply to Andreas Lindl

    Sure, here's the Rule:

    Use the "Rule Position" at "Top".

    • Original Source: Here you will select the Countries / Continent you want to block.
    • Translated Source: Leave as "Original".
    • Original Destination: Mine is at #Port2 since It's where the WAF is currently located.
    • Translated Destination: Here you can create a Dummy IP (Blackhole IP), you can use any Local IPv4 that isn't being used.
    • Original Service: HTTP and HTTPS, or If the WAF is located on another port - you can then create a new Service in there.

    Thanks!

    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

Children
Cookie Information Banner