
Country Blocking Not Working for a WAN > LAN Rule

Hi.  It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).

I have tested this with a proxy in the blocked countries.

I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it; the rule is basically ignored. The rule is never triggered, so it always shows in 0 B, out 0 B. I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.

  • This continues to be an issue in 16.05.2 MR-2.  It's also a little disappointing that it doesn't appear in the known issues list.  Don't have a lot of confidence we're going to see this one fixed any time soon...

  • Hi,

    Could you provide me an instance where you could verify whether the issue is with the country blocking or not?

    On the console I have tested a few sites (impossible for all) and could verify that the host address points to the country address.

    E.g. 8.8.8.8:

      show country-host ip2country ipaddres 8.8.8.8

    Result > 8.8.8.8 belongs to country United States.

    Could you verify the results, and when you add the country, make sure the session is disconnected or delete the connection.

  • Hi Aditya,

    The country blocking does not work even after a restart from power off. I am talking about incoming and outgoing. If, as I tested earlier, you block all countries, that works; but blocking specific countries does not work. Yes, I have the rule at the top.

  • Aditya,

    I have been testing using a public facing web site behind my firewall and the tools Geoscreenshot and Localbrowser to test.  I'm just looking for the site to be inaccessible from blocked countries.

    I have two country blocking rules in my configuration, but only one is enabled at a time. The first is a network rule. This rule does not work. When it is enabled (and the other rule disabled), Geoscreenshot and Localbrowser are able to load my site from blocked countries. I have not seen this type of rule block stop any traffic.

    This is the second rule. This rule uses the workaround that BenVerschaeren explained earlier in this thread. This rule works. When it is enabled (and the other rule disabled), Geoscreenshot and Localbrowser time out when trying to access the site from blocked countries. This workaround is a good band-aid, however it is not an ideal solution. With this rule, my network actually allows connections on all ports from blocked countries. The traffic is sent to a black hole address; it is not actually dropped. This results in additional interest from port scanners, which results in increased malicious traffic headed towards my network.
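As an added example (not from this thread, and not Sophos code), one way to check from firewall logs whether a country-block rule is actually doing anything: geolocate each source address the way the console ip2country lookup above does, count matches per rule so a rule stuck at zero hits (the symptom in the opening post) stands out, and flag connections that were allowed from a blocked country, which is also what the black-hole workaround leaves open. The prefix table, log format and rule ids are constructed placeholders; a real check would read the firewall's GeoIP database and its actual log format.

```python
import ipaddress
import re

# Constructed country-to-prefix table (placeholder data, not real allocations).
# A real check would consult the firewall's GeoIP database, as the console
# "show country-host ip2country" lookup earlier in the thread does.
COUNTRY_PREFIXES = {
    "US": ["8.8.8.0/24"],       # the thread's example address, 8.8.8.8
    "XX": ["203.0.113.0/24"],   # TEST-NET-3, standing in for a blocked country
    "YY": ["198.51.100.0/24"],  # TEST-NET-2, standing in for a blocked country
}
BLOCKED_COUNTRIES = {"XX", "YY"}
COUNTRY_RULE_ID = "1"  # hypothetical id of the country-block rule at the top of the list

# Constructed, simplified log lines (not the firewall's real log format).
SAMPLE_LOG = """\
status=Allow src_ip=203.0.113.7 dst_ip=10.0.0.5 dst_port=443 rule=2
status=Allow src_ip=8.8.8.8 dst_ip=10.0.0.5 dst_port=443 rule=2
status=Deny src_ip=198.51.100.9 dst_ip=10.0.0.5 dst_port=22 rule=3
status=Allow src_ip=198.51.100.20 dst_ip=10.0.0.5 dst_port=8080 rule=2
"""
LINE_RE = re.compile(r"status=(\w+) src_ip=(\S+) dst_ip=(\S+) dst_port=(\d+) rule=(\d+)")


def ip2country(ip):
    """First-match lookup of an address in the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for country, prefixes in COUNTRY_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return country
    return None


def audit_geo_block(log_text, blocked=BLOCKED_COUNTRIES):
    """Return (leaks, hits): connections allowed from a blocked country, and a
    per-rule match count so a rule stuck at zero hits stands out."""
    leaks, hits = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        status, src, dst, port, rule = m.groups()
        hits[rule] = hits.get(rule, 0) + 1
        country = ip2country(src)
        if status == "Allow" and country in blocked:
            leaks.append((src, country, dst, int(port), rule))
    return leaks, hits
```

A non-empty leak list with zero hits on the country rule reproduces the situation described in this thread: traffic from blocked countries is being accepted by a later rule.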
