Source Countries are not reported, displaying "Reserved" only

Hello qdrop,

Thank you for reaching out to the community, 

Source Country: Name of the country. Note that country association is not applicable to local hosts and Reserved is displayed in such cases.

Thank you for clarifying :-)

How can I report incoming traffic from source countries then? I have to other possibility to enable DPI on other firewall rules (as I have this single outbound rule with a linked SNAT rule).

In that case you can create a country base rule, where you can restrict/block certain countries...
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/FirewallRules/FirewallRulesCountryBasedRuleCreate/index.html

Thanks Vitek.

I already did this, allowing some protocols from Switzerland only:

Let's Encrypt (80 for HTTP challenge) for instance has to remain accessible from everywhere. These rules work as expected. Also, Rule #5 shows the correct traffic counters: Much more ingress than egress. So from a firewall perspective, everything works as expected. But the Source Countries are not resolved.

Thanks Vitek.

I already did this, allowing some protocols from Switzerland only:

Let's Encrypt (80 for HTTP challenge) for instance has to remain accessible from everywhere. These rules work as expected. Also, Rule #5 shows the correct traffic counters: Much more ingress than egress. So from a firewall perspective, everything works as expected. But the Source Countries are not resolved.

Any source using an internal address in the 10, 172.16 or 196.168 will always show as reserved. If you are using IPv6 all addresses are shown as reserved. You would have to be using the whole Swiss allocated IP address ranges which does not make sense also you are only authorising Swiss address which are not the same as your normal internal address ranges. Further your firewall is not very secure with the any zone as source.

ian

Hi ian.

I understand - but the source I'm talking about is the global internet: The local host requests a website, the website responds. All of this is NATed / MASQeraded - a pretty default setup. But I'm not able to see, where the Source Country traffic is originating and I'm not able to distinguish source and destination zones.

Just to confuse things XG reverses source and destination addresses.

I also suspect you have tried to put too much into one rule when two or more would help with debug and reporting.

reading your rules I am having trouble understanding what you are trying to achieve.

ian

hmm... I don't think my rules are complicated as these where automatically generated by Sophos and are unaltered. The other incoming firewall rules are just for port forwardings (as implied by the group name).

So basically I just don't get Sophos to properly report incoming masqueraded traffic. That's all and I don't know how to solve that.

Hey qdrop, 

You can refer the article - 
How to configure firewall rule and NAT rule on Sophos XG: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121919/how-to-configure-firewall-rule-and-nat-rule-on-sophos-xg-v18

Yes, my rules are configured accordingly and work as expected. The only issue I have is that the reports for Source Countries fail to display these and just show "Reserved" instead. Probably because the firewall rule is processed after de packets are rewritten by the NAT...?

Hi,

please take a step back from your existing rules. If your internal network has unique ip addresses not in the 10 or 172.16 or  192.168 ranges you do not need Nat rules.

ian

Well I use internal IPs: 192.168.X.X. So I have two NATs in place:

• The standard NAT, that allows communication from inside out and on the way back with MASQ (masquerading internal packets with the external IP and translating those on both directions).
• The incoming NAT, that allows to expose internal services (nginx, ssh, wireguard, etc...)

I can't operate that without NAT; how would that work?

You have one rule for outgoing traffic and another rule for incoming traffic I hope?
you do not need a rule for traffic that is answering a connection request from your lan.

ian