Country Blocking Not Working for a WAN LAN Rule

Question

Hi. It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall). 
 I have tested this with a proxy in the blocked countries. 
 I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it, basically ignoring it. The rule is never triggered thus always stating in 0 B, out 0 B. I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.

AlanT · Answer

This fix was released in MR3, and I just double-checked my firewall, to confirm it's working. Check your zones in the block rule, as there's probably a mistake there. Test with zones set to ANY/ANY. You're defining the network source in the rule by specifying the country, so defining the zones also, is a bit redundant anyway.

Aditya Patel · Answer

HI , 
 Could you provide me an instance where you could verify if the issue is with the Country blocking or not . 
 on Console I have tested few sites , (impossible for all) and could verify that the host address points to the country address . 
 Eg: 8.8.8.8 
 show country-host ip2country ipaddres 8.8.8.8 
 Result > 8.8.8.8 belongs to country United States. 
 Could you verify the results and when you add the country , make sure the session is disconnected or delete the connection .

Aditya Patel · Answer

Hi All, 
 You may need to check the scenario, for instance, if you have created a DNAT rule a Business application Rule is needed not simple firewall rule. Additionally, you may check my taking a VPN connection and test from the address of another country and Allow/Block the country host . 
 In any instance, the issue occurs that the host is not blocked you may need to check the command mentioned earlier to verify the country reported on XG and verify with any third party website to validate . 
 There is an ongoing issue for Wrong Country Classification for IP address and need to confirm if that is the case here. Reference: NC-17519

rfcat_vk · Answer

Hi folks, 
 please build one of these firewall rules at the top of your rule list, I have and the amount of junk it blocks surprising. 
 https://community.sophos.com/kb/en-us/134380 
 I di d it slightly differently as per the screenshot below. 
 
 I forgot the NAT rule that is showing most hits, there are three of them created by the business rule.

Ian

Country Blocking Not Working for a WAN > LAN Rule