Country Blocking Not Working for a WAN > LAN Rule

Hi Timonthy,

Greetings. I will reproduce the incident and update you. Meanwhile, can I know which Firmware version does your UTM resides on?

Thank you! 

I am using 

Hi Timothy,

I have an answer in regards to this. 

The problem you're experiencing is a known limitation and will be fixed in version two later this year. Here's a temporary fix, which I actually don't like but it works.

Create a NON-HTTP business application rule. As the source host, add your country that you want to block. Set the Source Zone to WAN and the hosted address to the WAN interface.

Then this the part that I'm not fond of - add a dummy or loopback address as the protected server and opt to forward all ports and click save.

This will then ensure that all requests from the country you want to block are going to a "BlackHole".

BenVerschaeren, you win!  That's too bad that this doesn't work out of box however sending the packets of to Neverland is a decent workaround.  Thanks for your help!  I'll keep an eye out for v2.  You were of great help both in the forums and PMs.  You get 2 gold stars! [*][*]

Do we know if this is fixed in MR2? Had some nasties try to get to my 2012 VPN server, its fairly well protected but would rather stop them even getting the chance to get there. Would rather not put a workaround in and know the rule works. Have set it up but until they try and fail / succeed I have no other way of knowing it is working.

I would also like to know if this has been fixed, because it does not appear to be working after the latest update. My country blocking rule shows zero in and zero out. 

It's not although we've introduced a really nice way to do this in version 16 due to be released shortly. Happy to upload a screenshot if it's of interest to you!

Do share please! Thanks

Hi BenVerschaeren,

I am using SFOS 16.01.1 (upgraded last night) and seeing a lot of Intrusion attacks from the countries I blocked in previous version.

I got the Firewall rule (Blocked countries) on the Top.

In the Reports -> Network & Threats (Intrusion Attacks 7.75k and growing, Attacks detected and allowed 7.75k).

This definitely says the rule is not working.

I found this thread while searching for this issue and I want to know How to create this rule.

I want to know how to create a dummy loop back address.

Thank you,

Krishna

I look forward to seeing what everyone else's results are. I tested this on a few different XG's tonight.  I see traffic is hitting the rule, but didn't quite work as I expected (Or maybe it did?).  I put in the Country rule and tested access to a few servers using GeoPeeker.  All of the countries were able to access the website with the Country Block rule up top.  But if I add those Countries to the Blocked Hosts on the Business rule of that server, it works and the Countries on GeoPeeker were not able to access the site.  So thats good, however it seems like by putting the Country rule up top that should have blocked it??  Unsure.

PS.  Why does the traffic show as "Out"?  SHouldn't it be "In"?  Seems backwards?

Thanks

Yes, It should be IN. But some how it is showing both ways.

This is the latest screenshot.

How do I add the countries as blocked hosts in the Business rule.

When I try to create a New Business rule, I am selecting the Application Template as "DNAT/Full NAT/Load Balancing"

assigning a rule name.

Source:

Source Zone -> WAN

Allowed Client Networks -> ??

Blocked Client Network -> Blocked countries

Destination & Service:

Destination Host/Network -> ??

Forward type -> ??

Service ports Forwarded -> I want to block every thing So not sure what ports I need to assign

Protocol ->TCP or UDP

Forward To:

Protected Servers -> I Want to protect everything

Mapped Port Type -> ??

Mapped Port ->

Protected Zone -> I want to protect LAN, VPN & Wi-Fi

I know I am asking a Lot, But if you can give me what I need to select there it will be very helpful to me.

Thank you,

Krishna

So it doesn't look too far off, but as far as the Business rules, that would be just to open up some ports to a particular device on the LAN (i.e Server).  So typically it would look like:

Source Zone = WAN

Allowed Client Networks = Any (Or you could specify specific networks, like if you just want a service provider to have access to this server)

Blocked Client Networks = (I usually put the Countries here)

Destination Host/Network = Outside IP Object of the Server/Device - Or if you don't have multiple IP's, just the WAN Interface

Forward Type = Lets use a single "port" in this example 

Service Ports = Lets say we're gonna do RDP to this server - So you'd type 3389 here

Protected Servers = Inside IP Object of the Server

Mapped Port = In this example it will just fill in 3389 for you - Or you could change it

Protected Zone = LAN

Advanced = Basically whatever you want down there

So that example is to open ports to a specific host.  I think your example/question is like you said, you don't wanna open anything, you just want to block all Countries from accessing anything on your LAN.  In that case I think your rule would be how you do it, but I don't think its quite working?  Hopefully someone else can shed some more light on how to do Country Blocking.

Thanks

So it doesn't look too far off, but as far as the Business rules, that would be just to open up some ports to a particular device on the LAN (i.e Server).  So typically it would look like:

Source Zone = WAN

Allowed Client Networks = Any (Or you could specify specific networks, like if you just want a service provider to have access to this server)

Blocked Client Networks = (I usually put the Countries here)

Destination Host/Network = Outside IP Object of the Server/Device - Or if you don't have multiple IP's, just the WAN Interface

Forward Type = Lets use a single "port" in this example 

Service Ports = Lets say we're gonna do RDP to this server - So you'd type 3389 here

Protected Servers = Inside IP Object of the Server

Mapped Port = In this example it will just fill in 3389 for you - Or you could change it

Protected Zone = LAN

Advanced = Basically whatever you want down there

So that example is to open ports to a specific host.  I think your example/question is like you said, you don't wanna open anything, you just want to block all Countries from accessing anything on your LAN.  In that case I think your rule would be how you do it, but I don't think its quite working?  Hopefully someone else can shed some more light on how to do Country Blocking.

Thanks

sachingurung, Aditya Patel 

can you update us regarding Country Blocking issue? Is it fixed?

Thanks

Just letting you know I'm on 16.05 RC1 and WAN to LAN country blocking still showing 0 data in/out.