
Country Blocking WAF

Hi there,

In relation to these WAF country blocking threads:

community.sophos.com/.../enable-country-blocking-for-waf-rule
https://community.sophos.com/sophos-xg-firewall/f/discussions/126590/ip-country-block-does-not-work-with-waf

Is it true that, for now, country blocking can only be done using Blackhole NAT rules? Is this just a workaround? Will this be changed again in the future? As far as I could find out, this was implemented with v18... (with SD-WAN?)

Thanks.



  • Yes, it should, and it does. But do not forget: the DNAT and the firewall rule both need to match. DNAT will work and grab the traffic without a matching firewall rule, but the traffic will be dropped because of the missing firewall rule. Your firewall rule is not hitting.

  • The only difference between the settings (country blocking active/inactive) is that I enable or disable DNAT to make country blocking work. So without the activated NAT, the firewall rules are matching. So why shouldn't they match with NAT activated?

  • Again: please post screenshots of your rule.

  • OK, I forgot to point out that I was actually testing with the Userportal and not with the WAF. So my question is not about the WAF, but the Userportal. Sorry for the confusion.

    Here are my NAT rules. Of course there is no firewall rule for the Userportal.

  • You do not need an allow NAT.
    Please show the firewall rule matching NAT Rule 2.

  • There are multiple WAF rules that are matching. But as I said, my question was in regards to the Userportal.

    This is the "countryblock" NAT:

    This is an example WAF Rule:

  • NAT will redirect the traffic if the NAT rule hits.

    The firewall rule will allow the traffic.

    If the NAT rule hits and no firewall rule is available, it will not forward the traffic (= deny).

    Your firewall rule for the Blackhole NAT does not hit. Therefore you do not see the packet going out to the Blackhole host.

    OR: the Blackhole host is not reachable, therefore the ARP will not be resolved and the packet will not be sent.