
Country Blocking Not Working for a WAN > LAN Rule

Hi. It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).

I have tested this with a proxy in the blocked countries.

I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it; it is basically ignored. The rule is never triggered, so it always shows in 0 B, out 0 B. I have tried every combination of Source/Destination/Zone/Network and it still doesn't work.



  • I have rules the same as yours, but can only test the outgoing one.

    I recently reworked my country blocking rules and can confirm the outgoing version works. I tried to block lots of this junk mail offering all sorts of sex services, but they are randomly sourced.

    So, I found an actual RU site that is in the RU and used that to test my theory and rule making.

    What I found, and what has been pointed out in another thread, is that not all .xx sites are actually located in the .xx country. I found some .ru sites located in the US, which makes blocking very difficult.

    So, in summary, be very careful about stating that country blocking doesn't work; we would need some other reference database to check the suffix rather than the physical IP address.
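    The point made above, that a ccTLD says nothing about where a host is actually located, is easy to check before concluding a country rule is broken. The following is an added example and not code from the original post or from Sophos: it does a longest-prefix GeoIP lookup on the resolved IP address and compares it with the country the hostname's suffix suggests. The prefix table, the hostnames and the DNS answers are all constructed for the example; in practice you would resolve the real host and query a real GeoIP database.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
# Documentation ranges only; the assignments are invented for this example.
GEO_PREFIXES: Dict[str, str] = {
    "203.0.113.0/24": "RU",
    "198.51.100.0/24": "US",
    "198.51.100.128/25": "US",   # overlapping, more specific entry to exercise longest match
    "192.0.2.0/24": "AU",
}

# Constructed DNS answers (hostname -> IPv4), standing in for a real resolver.
DNS: Dict[str, str] = {
    "shop.example.ru": "198.51.100.200",   # .ru name, but hosted in the US
    "news.example.ru": "203.0.113.10",     # .ru name hosted in RU
    "www.example.com.au": "192.0.2.5",     # .au name hosted in AU
}

# Sort most-specific prefix first so the first hit is the longest match.
_TABLE = sorted(
    ((ipaddress.ip_network(p), cc) for p, cc in GEO_PREFIXES.items()),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)


def country_of_ip(ip: str) -> Optional[str]:
    """Country of an address by longest-prefix match; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _TABLE:
        if addr in net:
            return cc
    return None


def country_by_tld(hostname: str) -> Optional[str]:
    """Country the hostname merely *suggests* via its two-letter ccTLD."""
    label = hostname.rstrip(".").rsplit(".", 1)[-1].upper()
    return label if len(label) == 2 else None


def geo_rule_blocks(hostname: str, blocked: Set[str]) -> Tuple[bool, Optional[str], Optional[str]]:
    """Simulate a country rule: decide on the IP's country, not the name.

    Returns (blocked?, country from GeoIP, country implied by TLD).
    """
    actual = country_of_ip(DNS[hostname])
    return (actual in blocked, actual, country_by_tld(hostname))


def tld_geo_mismatches() -> List[str]:
    """Hostnames whose suffix country differs from where they are hosted."""
    return [
        h for h in DNS
        if country_by_tld(h) is not None and country_by_tld(h) != country_of_ip(DNS[h])
    ]


if __name__ == "__main__":
    for host in DNS:
        print(host, geo_rule_blocks(host, {"RU"}))
    print("TLD/location mismatches:", tld_geo_mismatches())
```

    Run it and the .ru host on a US prefix comes back as not blocked by an RU rule, which is the expected behaviour of IP-based country blocking, while the .ru host on an RU prefix is blocked. Testing against a host from the mismatch list would wrongly suggest the rule is broken.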

  • I can comfortably say it still does not work. I have web services on most continents from which I can ping my IP / access web services. The workaround still works, but it's pretty janky. Sad; when I originally opened this thread I thought it would be resolved by now. I am running SFOS 16.01.2 and I can confirm it does not work.

  • I have tried out my rules with your settings and they fail, but when I change the destination to Any from WAN the rule works. At this stage I can only test the incoming.

    I added Australia to the destination with both WAN and ANY settings. With WAN I could reach AU sites without an issue; with ANY, access to www.google.com.au and www.iinet.net.au was blocked.

    The logic I expect is that WAN is from your external interface, whereas ANY is from any source external to your XG.

    When I have a little more time first thing New Year's day I will try accessing the XG from another network using the same settings for the source as above for the Destination.

  • Further testing today on the incoming rule, the results did surprise me.

    The following tests were tried; the incoming rule is now at the top of the rule list:

    1/. using my existing incoming group of blocked countries - nothing blocked, not expected to because I didn't have any sites to remote from.

    2/. added Australia to the blocked list, no effect on www.iinet.net.au (one of the ISPs I use) or www.google.com.au

    3/. added America, result same as in 2.

    4/. changed the blocked list to ANY and I could not reach any external sites from within the XG protected network.

     

    So in summary, something is very wrong with external country blocking function.

    As Timothy has said, the incoming block-country function is broken and needs to be fixed urgently.

     

    Update: forgot to add that none of the settings stopped me accessing the external interface of my XG. I was able to make configuration changes using the external interface. Yes, I closed the session and started a new session using a different web browser.

  • This one seems to have been dropped like a hot potato by the 'Official' people who were going to test and report back.

    Maybe there is a secret fix being built?

  • This issue is here since a long time now.

    An official JIRA should be available to us. Can you update all of us?

    Thanks

  • I hate to make a big issue out of everything XG, but this is exactly the reason I have moved back to UTM9. I tried my best to get along with XG, but there are just too many little things that work perfectly in UTM9 that don't work as expected in XG. The underwhelming v16.5 update with broken categorization over the Christmas weekend was enough for me to turn off my XG and go back to UTM9... it just works.

    Country blocking, while not perfect, still offers protection to a certain degree. The feature is already available in XG, and for the developers to completely disregard the issue for this long is really strange.

  • Months later and there is no solution and no due-date?
  • Just repeat after me,

    v17 will fix all the things that the partners and users are asking for. After v17 is released... v18 will fix all the things that the partners and users are asking for and so on [:'(]

  • No feedback from Sophos yet, so is it not a bug but a limitation, or a feature not yet implemented on the WAN to LAN side...

    In my opinion, if Sophos advised us like...

    "Sorry, this feature is not yet implemented but it will be implemented in v17 MR-X" it would be much better. Silence is much worse!