Thread Info
  • State Suggested Answer
  • +7 person also asked this people also asked this
  • Locked Locked
  • Replies 58 replies
  • Answers 4 answers
  • Subscribers 49 subscribers
  • Views 191201 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Country Blocking Not Working for a WAN > LAN Rule

Timothy Stewart

Hi.  It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).

I have tested this with a proxy in the blocked countries.

I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it, basically ignoring it.  The rule is never triggered thus always stating in 0 B, out 0 B.  I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.



This thread was automatically locked due to age.
Parents
  • 0

    I have read through this thread and forgive me if I missed it, but it wasn't clear to me whether or not this is a confirmed bug in the XG or not?  I've seen some various workarounds offered (thanks for those) but has Sophos confirmed this is a bug?  If they say its not a bug (I have no idea how that could be true) is there a feature request somewhere we can upvote?

  • 0 in reply to Bill Roland

    No, this issue has not been recognized here by anyone from Sophos.  It is also still missing from the known issues list.

    In his post on page 2, Aditya Patel demonstrated that the IP to country mappings are working correctly (which had already been proven in this thread).  But there has been no other information about the actual issue that blocking by source country in a Network Rule is broken in XG.

  • 0 in reply to JD MaC

    Hi All, 

    You may need to check the scenario, for instance, if you have created a DNAT rule a Business application Rule is needed not simple firewall rule. Additionally, you may check my taking a VPN connection and test from the address of another country and Allow/Block the country host . 

    In any instance, the issue occurs that the host is not blocked you may need to check the command mentioned earlier to verify the country reported on XG and verify with any third party website to validate . 

    There is an ongoing issue for Wrong Country Classification for IP address and need to confirm if that is the case here. Reference: NC-17519

  • 0 in reply to Aditya Patel

    Aditya,

    Just to remove any confusion, I am not seeing any issues with country classification.  If you see my example earlier in this thread, the Business Application Rule used as a workaround is using the same country definitions and is working correctly (although with the limitations I describe in that post).

     

    Here is the scenario I am trying to work through: I have several DNAT Business Application Rules doing port forwards.  I would like to prevent connections from specific countries from accessing these open ports.  I have created the Network Rule in my example above to attempt to prevent this.  If I am reading your reply correctly a reject Network Rule will not override a DNAT Business Application Rules?

     

    If that is the case, what is the correct method to apply country blocking to a series of DNAT rules?  I am assuming (hoping) that I do not need to use the Blocked Client Networks in every single DNAT rule instead of managing this centrally in a single blocking rule. 

  • 0 in reply to Aditya Patel

    , how is the status of Country blocking?

    It simply does not work on Wan to LAN Firewall rules. This is a bug and it is not even tracked. Users cannot use this features.

    Can you update us? We expect to see Reference NC soon.

    Thanks

  • 0 in reply to lferrara

    Hi

    I can see this thread has gone on for a while and there has been a lot of confusion.

    The issue that Aditya referenced above (NC-17519) relates to incorrect classification of IP address to country definition in certain cases, so I don't think that directly relates to the original issue in this thread. E.g Country blocking WAN to LAN simply not working at all.

    I'll try and setup some tests here to test this behaviour, as it isn't something i have come across before, and update you.

    In the meantime, if anyone has anyone support case references where this has been raised or "NC-" reference numbers that they have been given by Sophos Support in relation to these symptoms can you private message them to me?

    Thanks

    Greg

Reply
  • 0 in reply to lferrara

    Hi

    I can see this thread has gone on for a while and there has been a lot of confusion.

    The issue that Aditya referenced above (NC-17519) relates to incorrect classification of IP address to country definition in certain cases, so I don't think that directly relates to the original issue in this thread. E.g Country blocking WAN to LAN simply not working at all.

    I'll try and setup some tests here to test this behaviour, as it isn't something i have come across before, and update you.

    In the meantime, if anyone has anyone support case references where this has been raised or "NC-" reference numbers that they have been given by Sophos Support in relation to these symptoms can you private message them to me?

    Thanks

    Greg

Children
No Data