Thread Info
  • State Suggested Answer
  • +7 person also asked this people also asked this
  • Locked Locked
  • Replies 58 replies
  • Answers 4 answers
  • Subscribers 49 subscribers
  • Views 191179 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Country Blocking Not Working for a WAN > LAN Rule

Timothy Stewart

Hi.  It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).

I have tested this with a proxy in the blocked countries.

I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it, basically ignoring it.  The rule is never triggered thus always stating in 0 B, out 0 B.  I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.



This thread was automatically locked due to age.
Parents
  • 0

    I have read through this thread and forgive me if I missed it, but it wasn't clear to me whether or not this is a confirmed bug in the XG or not?  I've seen some various workarounds offered (thanks for those) but has Sophos confirmed this is a bug?  If they say its not a bug (I have no idea how that could be true) is there a feature request somewhere we can upvote?

  • 0 in reply to Bill Roland

    No, this issue has not been recognized here by anyone from Sophos.  It is also still missing from the known issues list.

    In his post on page 2, Aditya Patel demonstrated that the IP to country mappings are working correctly (which had already been proven in this thread).  But there has been no other information about the actual issue that blocking by source country in a Network Rule is broken in XG.

  • 0 in reply to GregH

    GregH said:

    I can confirm that this is something that has been logged and the intention is to change how this behaves in v17 MR1. The reference for this change is NC-17413 in case anyone needs an update on the release version from Support. 

     

    Thanks for confirming.

    What is the expected timeframe for v17 MR1 release?

  • 0 in reply to GregH

    I see the NC-17413 was supposedly in MR-2.  Unless I am doing something drastically wrong, it still does not work at all (I am on MR3 now).  I even see a KB article posted about it on December 21st (https://community.sophos.com/kb/en-us/123007)and I followed it exactly and still it does not work.  At all.  It does nothing.  

    Look I don't mean to give you a hard time but this is a really simple feature that any firewall should be able to do out of the box in its sleep.  There were ways to accomplish this as far back as at least Microsoft ISA Server 2004.  I like XG and don't subscribe to the general bashing it receives but this one is legit and quite frankly the excuses are just that.

  • 0 in reply to Bill Roland

    Just to add a vote to this - I am getting hammered on ports 23 / 2323 / 1900 from a bunch of countries that we have no dealings with and I would like to block all of them and using a simple WAN to LAN rule with the countries seems easy - but like others say it doesnt work.

    I am also on v17 MR3

    Really need this as it gives us a much larger attack surface.

    Have any of you managed a work around?

  • +2 in reply to M8ey

    This fix was released in MR3, and I just double-checked my firewall, to confirm it's working. Check your zones in the block rule, as there's probably a mistake there. Test with zones set to ANY/ANY. You're defining the network source in the rule by specifying the country, so defining the zones also, is a bit redundant anyway. 

  • 0 in reply to AlanT

    AlanT said:

    This fix was released in MR3, and I just double-checked my firewall, to confirm it's working. Check your zones in the block rule, as there's probably a mistake there. Test with zones set to ANY/ANY. You're defining the network source in the rule by specifying the country, so defining the zones also, is a bit redundant anyway. 

     

    It seems for me the trick is it has to be set to Any/Any for the zones, once doing that it started working.  Thanks Alan!

     

    You may want to update this KB article here https://community.sophos.com/kb/en-us/123007, the settings show selecting WAN and LAN zones. 

  • 0 in reply to AlanT

    Hi folks,

    just added the country blocking into the firewall rules for the IPv4 rule set. Tried to add the same rules to the IPv6 rule set and there is no country selection available, minor bug?

    Ian

     

    And just to add my further 10c again, does not work. Try this site https://saharokstore.ru/

    Now while I understand some of these sites might not actually have an RU IP assigned address, they are still part of the blocked group.

     

    So as well as adding firewall rules we also must add country blocking exceptions in WEB access to block web sites with ru etc suffixes?

  • 0 in reply to rfcat_vk

    Any update on this issue?

    We're running 16.05.8 MR-8 and have no desire to move to v17 yet due to issues with IPSec and many other bugs that the community have reported.

    Could someone also explain the sending-traffic-to-black-hole method in more detail so I can replicate this instead for now?

    Thanks

  • 0 in reply to IT-Support-247

    Same with SFOS 18.0.0 GA-Build354.

    Should it be solved?

  • 0 in reply to dirkkotte

    We are having the same issue at the moment. Support is involved but so far it seems to go nowhere.

    When we have a WAF-Rule present the drop rule at the top does not work at all.

     

    It is a mystery to me why the "Access Permission" or "Blocked sources" tabs do not let you use country blocking there. We want to be able to restrict access to the hosted site to only clients from the DACH region (germany, austria, switzerland).

  • 0 in reply to FPTHE

    Hi folks,

    please build one of these firewall rules at the top of your rule list, I have and the amount of junk it blocks surprising.

    https://community.sophos.com/kb/en-us/134380

    I di d it slightly differently as per the screenshot below.

    I forgot the NAT rule that is showing most hits, there are three of them created by the business rule.

     

    Ian

Reply Children
No Data