Block GeoIP rule - DNAT Blackhole - WAF no longer working

Question

I found an earlier thread that GeoIP blocking was not working as the system take precedence over firewall rules and therfore are never hit. The Sophos advice was to create a DNAT Blackhole rule to a non existing IP adress. 
 So I tried creating a DNAT rules with source zones network any and exclusions the countries allowed. 
 It creates a DNAT rule under firewall rules and a NAT plus reflexive NAT rules under NAT rules. 
 However when I do this the allowed WAF calls also end up in the blackhole as the exclusion is not picked up by the NAT rule. The wizard does not create a linked NAT rule. 
 IS there a way to get this working? 
 TIA, 
 Fred

Prism · Accepted Answer

Hello, 
 Do you want to do GeoIP Filtering for WAF? 
 If so, on v18 you It's not possible anymore to use a Firewall Rule to do It; But instead, you will need to create a NAT Rule for It. (There's no need for a Firewall Rule anymore.) 
 You can look at this thread for more information: ip / country block does not work with waf - Discussions - XG Firewall - Sophos Community It also includes an example on how to do It. 
 Thanks!

Block GeoIP rule - DNAT Blackhole - WAF no longer working

Top Replies