
Country Blocking Not Working for a WAN > LAN Rule

Hi.  It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).

I have tested this with a proxy in the blocked countries.

I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it, basically ignoring it.  The rule is never triggered thus always stating in 0 B, out 0 B.  I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.



This thread was automatically locked due to age.
  • Thanks for your reply and info. What is strange and unacceptable is that Sophos took more than one year to give us an official answer and a NC number.

    This should never happen!

    Many users have forgotten this feature or even explained to customers that the feature Country Blocking is half working (not in all areas).

    Really disappointing thing![:@]

  • Hi Luk,

    I agree this thread has become a little confused with discussion of the IP classifications which hasn't helped the communication, which is why I wanted to try and clear this up.

    The advice we would always give to get an official answer on potential bugs or changes to the product is to log a case with Sophos Support, they will then be able to provide the correct information along with the reference IDs where applicable. I can see support cases have been logged for this particular issue and the correct information provided to the customers logging those cases, but that hasn't filtered down to this thread.

    This thread was brought to my attention via a support case that was logged earlier this week.

    By the way, on an unrelated note, thanks for all the posts and information you contribute on this forum, it is appreciated.

    Greg

  • Hi Luk,

    As Greg mentioned, the issue is not completely related to the Country Blocking module but it affects the discussed feature. I understand your concern towards the delay in creating the NC-ID but looking at the issue there was a working workaround to blackhole the IP addresses and meanwhile, there were a lot of bug fixes during this time. Please be assured that we are continuously working on the XG firewall and the accountability of bug fixes is considered on the basis of the criticality of the issue.

    Thanks

  • Silence and sometime in the future are quite different periods of time and they have different meanings. If there is SW code there are bugs and no one complains about that. What we are not happy about and really angry about here is the silence for a long time and then...pooof someone from Sophos reported the NC and gave even an expected release version.

    So be sure to properly report time and NC most efficiently here and to all users. Another issue that is around the forum is bookmarks. There is an NC number but it does not cover all issues (I guess).

    Taking a year to have an answer is more than a lot. Be sure to at least inform us that it is a bug, you are investigating, or whatever phase you are in, but the silence is the worst phase users accept.

    Silence means poor quality!

    Kind Regards

  • We understand the concerns but the NC-# was not created until v16-MR1 and the JIRA was not directly referenced to the country blocking issue, which is one of the reasons my team was not sure to reference it. We were already discussing this internally but we were not able to get a solid case reference on this issue. The cases were mostly resolved configuring a blackhole business rule and it is an accepted solution as we see.

    We work as a tangent team between the Support and a Customer hence we can only report and expedite the NC-# if they are already created & reported but we cannot emphasize on creating one of the NC#. The reason we were not able to provide an update on this issue is because the workaround was accepted and the cases were never reported in the escalations or went cold.

    I will take the responsibilities of such unresolved threads, please PM me and I will make sure they are immediately looked upon by us and the support team.

    Sincerely,

  • Sachin,

    I have sent a PM to you.

    Regards

  • Hi.  I created the original issue and I want to make sure it is not getting diluted with other issues and workarounds.  The issue still stands.  My steps to reproduce are in the first post.  A workaround of a blackhole is just that, a workaround and not a fix.  Will this issue be fixed?  Is it being addressed?  The feature clearly does not work.

  • Thanks Timothy.

    Sophos has recognized the issue/design limitation. It should be fixed in v17 MR1 as reported by . NC-17413

    So they are going to change the behaviour and fix the Country Blocking at the same time.

    Finally!!!!

  • GregH said:

    I can confirm that this is something that has been logged and the intention is to change how this behaves in v17 MR1. The reference for this change is NC-17413 in case anyone needs an update on the release version from Support. 

     

    Thanks for confirming.

    What is the expected timeframe for v17 MR1 release?

  • I see the NC-17413 was supposedly in MR-2.  Unless I am doing something drastically wrong, it still does not work at all (I am on MR3 now).  I even see a KB article posted about it on December 21st (https://community.sophos.com/kb/en-us/123007) and I followed it exactly and still it does not work.  At all.  It does nothing.

    Look I don't mean to give you a hard time but this is a really simple feature that any firewall should be able to do out of the box in its sleep.  There were ways to accomplish this as far back as at least Microsoft ISA Server 2004.  I like XG and don't subscribe to the general bashing it receives but this one is legit and quite frankly the excuses are just that.