WAF Restrict traffic from WAN

Hello There.

Is there any information on when SOPHOS will improve the WAF options on its own devices?

Why don't we have such a basic option to limit source traffic from the WAN to only specific countries?

So far we can only do IPs.
  • Hello,

    Thank you for reaching out to the community. As of now, we can only specify the IP addresses and networks that can connect to the hosted web server.

    As of now it would be an FR [Feature Request]; I'd recommend you reach out to your Account Manager, Sales Engineer, or Sales Representative so that they can enter this request into our system.

    Additionally, you can use the in-product feedback in the Sophos Firewall located in the Top Menu Bar.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

  • Thanks for the suggestion, but as far as I know this feature request has already been written. The community has requested a lot of FRs - maybe someday we will get what we requested xD. I'm a home user, so this is my small suggestion for a free product :) I hope that some day "our prayers will be heard" :D

    __________SETUP___________

    HP Small Form Factor: i5 4 cores, 8 GB of RAM.
    Intel network card, 5x Eth
    SSD: 256 GB

  • You could use a Blackhole DNAT. It works exactly like you want.

    See: https://support.sophos.com/support/s/article/KB-000042367?language=en_US

  • Can you explain why there is a rule for "From WAN to WAN"? What is the logic behind it? Is it some kind of loopback or something else?

    I already had a specific rule, but with a small exception - as destination I have 'ANY'. <--- Is that bad?

  • This should not be a problem. The reason is that you want to drop the traffic: if the firewall rule is not applied, it will be dropped; if the rule does apply, it will be dropped. The outcome is the same. Only the logging would not be there if the firewall rule does not apply. So if you see drops in your log viewer from your Blackhole rule, you are fine.

  • OK then, thanks for the help, it's working like a charm ^^ :)

  • Can you also explain why, after setting up the Blackhole DNAT rule, I can't see "Web server protection" logs anymore? I guess it's because it is caught by the "block country" FW rule where the NAS is linked?

    EDIT:
    So actually there was no need to create Blackhole NAT rules, because it was enough to just limit the source in the existing DNAT WAF policy. But you lose the WAF logs for that particular traffic, as it will not be caught by the WAF policy... pity.