
Country Blocking Not Working for a WAN > LAN Rule

Hi.  It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).

I have tested this with a proxy in the blocked countries.

I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it, basically ignoring it. The rule is never triggered, thus always showing In 0 B, Out 0 B. I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.



  • Hi BenVerschaeren,

    I am using SFOS 16.01.1 (upgraded last night) and seeing a lot of Intrusion attacks from the countries I blocked in previous version.

    I have the Firewall rule (Blocked countries) at the top.

    In the Reports -> Network & Threats (Intrusion Attacks 7.75k and growing, Attacks detected and allowed 7.75k).

    This definitely says the rule is not working.

    I found this thread while searching for this issue and I want to know how to create this rule.

    I want to know how to create a dummy loopback address.

    Thank you,

    Krishna

  • I look forward to seeing what everyone else's results are. I tested this on a few different XGs tonight. I see traffic is hitting the rule, but it didn't quite work as I expected (or maybe it did?). I put in the Country rule and tested access to a few servers using GeoPeeker. All of the countries were able to access the website with the Country Block rule up top. But if I add those countries to the Blocked Hosts on the Business rule of that server, it works and the countries on GeoPeeker were not able to access the site. So that's good, however it seems like putting the Country rule up top should have blocked it? Unsure.

    PS. Why does the traffic show as "Out"? Shouldn't it be "In"? Seems backwards?

    Thanks

  • Yes, it should be IN. But somehow it is showing both ways.

    This is the latest screenshot.

    How do I add the countries as blocked hosts in the Business rule?

    When I try to create a new Business rule, I am selecting the Application Template "DNAT/Full NAT/Load Balancing" and assigning a rule name.

    Source:
    Source Zone -> WAN
    Allowed Client Networks -> ??
    Blocked Client Networks -> Blocked countries

    Destination & Service:
    Destination Host/Network -> ??
    Forward Type -> ??
    Service Ports Forwarded -> I want to block everything, so not sure what ports I need to assign
    Protocol -> TCP or UDP

    Forward To:
    Protected Servers -> I want to protect everything
    Mapped Port Type -> ??
    Mapped Port ->
    Protected Zone -> I want to protect LAN, VPN & Wi-Fi

    I know I am asking a lot, but if you can give me what I need to select there it will be very helpful to me.

    Thank you,

    Krishna

  • So it doesn't look too far off, but the Business rules are just for opening up some ports to a particular device on the LAN (i.e. a server). So typically it would look like:

    Source Zone = WAN
    Allowed Client Networks = Any (or you could specify particular networks, e.g. if you just want a service provider to have access to this server)
    Blocked Client Networks = (I usually put the countries here)
    Destination Host/Network = outside IP object of the server/device, or if you don't have multiple IPs, just the WAN interface
    Forward Type = let's use a single "port" in this example
    Service Ports = let's say we're going to do RDP to this server, so you'd type 3389 here
    Protected Servers = inside IP object of the server
    Mapped Port = in this example it will just fill in 3389 for you, or you could change it
    Protected Zone = LAN
    Advanced = basically whatever you want down there

    So that example is to open ports to a specific host. I think your example/question is, like you said, that you don't want to open anything, you just want to block all countries from accessing anything on your LAN. In that case I think your rule would be how you do it, but I don't think it's quite working? Hopefully someone else can shed some more light on how to do Country Blocking.

    Thanks

  • Can you update us regarding the Country Blocking issue? Is it fixed?

    Thanks

  • I have rules the same as yours, but can only test the outgoing one.

    I recently reworked my country blocking rules and can confirm the outgoing version works. I tried to block lots of this junk mail offering all sorts of sex services, but they are randomly sourced.

    So, I found an actual RU site that is in the RU and used that to test my theory and rule making.

    What I found, and what has been pointed out in another thread, is that not all .xx domains are actually located in the .xx country. I found some .ru sites located in the US, which makes blocking very difficult.

    So, in summary, be very careful about stating that country blocking doesn't work; we need some other reference database to check the suffix rather than the physical IP address.
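To make the point in the post above concrete (a domain suffix says nothing about where the host is, and a country-block rule can only match on the geolocated IP), here is an added example that is not code from the thread or from Sophos. The prefix-to-country table and the DNS snapshot are constructed for illustration using documentation address ranges; a real check would resolve the name live and look the address up in a GeoIP database such as MaxMind GeoLite2.

```python
"""Geolocate a peer by IP prefix, not by domain suffix.

Added example, not code from the thread. GEO_TABLE and DNS_SNAPSHOT are
constructed for illustration; a real check would use a GeoIP database such
as MaxMind GeoLite2 and a live DNS resolver.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed prefix -> ISO country table using documentation ranges
# (RFC 5737 / RFC 3849); these are not real allocations. The /25 carved out
# of the RU /24 shows why the lookup must use longest-prefix match.
GEO_TABLE: List[Tuple[Network, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
    (ipaddress.ip_network("203.0.113.128/25"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "AU"),
    (ipaddress.ip_network("2001:db8::/32"), "RU"),
]

# Constructed DNS snapshot. "example.ru" is a .ru name hosted on a US
# prefix, which is the situation the post describes.
DNS_SNAPSHOT: Dict[str, str] = {
    "example.ru": "198.51.100.7",
    "other.ru": "203.0.113.45",
    "cdn.ru": "203.0.113.200",
    "shop.example.au": "192.0.2.9",
}


def country_for_ip(ip: str) -> Optional[str]:
    """Longest-prefix match of ip against GEO_TABLE; None when unlisted."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for net, cc in GEO_TABLE:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, cc)
    return best[1] if best else None


def country_for_tld(hostname: str) -> str:
    """The naive guess from the domain suffix, which the post warns against."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].upper()


def is_blocked(ip: str, blocked_countries: Set[str]) -> bool:
    """A country-block rule matches on the geolocated IP, never on the name."""
    return country_for_ip(ip) in blocked_countries


def evaluate(hostname: str, blocked_countries: Set[str]) -> Dict[str, object]:
    """Compare the suffix guess with the IP-based answer for one hostname."""
    ip = DNS_SNAPSHOT[hostname]
    return {
        "ip": ip,
        "tld_guess": country_for_tld(hostname),
        "geo": country_for_ip(ip),
        "blocked": is_blocked(ip, blocked_countries),
    }


if __name__ == "__main__":
    for host in DNS_SNAPSHOT:
        print(host, evaluate(host, {"RU"}))
```

Running it shows "example.ru" resolving to a US prefix and therefore passing a rule that blocks RU, while "cdn.ru" lands in the US /25 inside the RU /24 and also passes; only "other.ru" is actually blocked. When testing a country rule, pick the test host by where its IP geolocates, not by its TLD.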

  • Just letting you know I'm on 16.05 RC1 and WAN to LAN country blocking still showing 0 data in/out.

  • I can comfortably say it still does not work. I have web services on most continents from which I can ping my IP / access web services. The workaround still works but it's pretty janky. Sad; when I originally opened this thread I thought it would be resolved by now. I am running SFOS 16.01.2 and I can confirm it does not work.

  • I have tried out my rules with your settings and they fail, but when I change the destination to Any from WAN the rule works. At this stage I can only test the incoming.

    I added Australia to the destination with both WAN and ANY settings. With WAN I could reach AU sites without an issue, with ANY blocked no access to www.google.com.au or www.iinet.net.au.

    The logic I expect is that WAN is from your external interface, whereas ANY is from any source external to your XG.

    When I have a little more time, first thing New Year's Day, I will try accessing the XG from another network using the same settings for the Source as above for the Destination.