Country Blocking Not Working for a WAN > LAN Rule

Hi.  It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).

I have tested this with a proxy in the blocked countries.

I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it, basically ignoring it.  The rule is never triggered thus always stating in 0 B, out 0 B.  I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.



This thread was automatically locked due to age.
  • Further testing today on the incoming rule, the results did surprise me.

    The following tests were tried - the incoming rule is now at the top of the rule list

    1/. using my existing incoming group of blocked countries - nothing blocked, not expected to because I didn't have any sites to remote from.

    2/. added Australia to the blocked list, no effect - www.iinet.net.au (one of the ISPs I use) or www.google.com.au

    3/. added America, result same as in 2.

    4/. changed the blocked list to ANY and I could not reach any external sites from within the XG protected network.

     

    So in summary, something is very wrong with external country blocking function.

    As Timothy has said, the incoming block country is broken and needs to be fixed urgently.

     

    Update - forgot to add, none of the settings stopped me accessing the external interface of my XG. I was able to make configuration changes using the external interface. Yes, I closed the session and started a new session using a different web browser.

  • This one seems to have been dropped like a hot potato by the 'Official' people who were going to test and report back.

    Maybe there is a secret fix being built?

  • This issue has been here for a long time now.

    An official JIRA should be available to us. , can you update all of us?

    Thanks

  • I hate to make a big issue out of everything XG, but this is exactly the reason I have moved back to UTM9. I tried my best to get along with XG but there are just too many little things that work perfectly in UTM9 that don't work as expected in XG. The underwhelming v16.5 update with broken categorization over the Christmas weekend was enough for me to turn off my XG and go back to UTM9... it just works.

    Country blocking while not perfect still offers protection to a certain degree. The feature is already available in XG and for the developers to completely disregard the issue for this long is really strange.

  • Months later and there is no solution and no due-date?
  • Just repeat after me,

    v17 will fix all the things that the partners and users are asking for. After v17 is released... v18 will fix all the things that the partners and users are asking for and so on [:'(]

  • Yea this still appears to not be working.  No matter how I set it up I can still ping my XG from any country I try from.

    Any update on this Sophos?

  • No feedback from Sophos yet so is it not a bug but a limitation or a feature not yet implemented on WAN to LAN side...

    In my opinion, if Sophos advised us like....

    "Sorry this feature is not yet implemented but it will be implemented on v17 MR-X" is much better. Silence is much worse!

  • This continues to be an issue in 16.05.2 MR-2.  It's also a little disappointing that it doesn't appear in the known issues list.  Don't have a lot of confidence we're going to see this one fixed any time soon...

  • Hi,

    Could you provide me an instance where you could verify if the issue is with the Country blocking or not.

    On Console I have tested a few sites (impossible for all) and could verify that the host address points to the country address.

    Eg: 8.8.8.8 

     show country-host ip2country ipaddress 8.8.8.8

    Result > 8.8.8.8 belongs to country United States.

    Could you verify the results, and when you add the country, make sure the session is disconnected or delete the connection.