How do you restrict specific countries from reaching/connecting/anything on an XG Firewall?

So in UTM 9.x, beautifully laid out under "Network Protection > Country Blocking > "List of Country", block From / To or ALL".

In SF-OS v18.0.4, no idea.  There is the "Hosts and Services > Country Groups", but literally no indicator to know what you should do with these Country Groups.

In review, community posts get very garbled in this discussion, but absolutely no clear guidance on what is the best practice unless I am missing something.  Can someone explain or point me in the direction of a very simple "How-To Block Countries in SF-OS" guide?

Thank you.



  • Thanks Fred, I guess I'm just a bit miffed about this since I've grown accustomed to the ease of use of UTM 9.x, but I'll give the Blackhole DNAT a shot, since there are no logs coming off the firewall rule I generated, so I can't verify. The only way I think I can say it is currently working is that I tried to access the firewall from a Bahamas IP address, and had it in the WAN > ANY > FROM: Bahamas rule, and couldn't access it. I have no Local ACL on the XG in Device Access either, so perhaps it is working, but it just doesn't tell you anything as to whether it is, like the UTM would.

    Thank you both for you inpu and

  • As the firewall rule is not logging anything (logging enabled in the rule) and you see no hits, then I assume it is a system rule that takes precedence.

    The blackhole DNAT and NAT rule will give you allowed results in the log but their endstation is a blackhole.