help with country blocking

Hi,

 

I have gone through the various aging threads on country blocking and still have not been able to get it working on my side.  I am using the latest Home XG.

 

I have set up a rule to block a bunch of regions as indicated in the images below.   However, when I go to test it out, I am still able to access these regions without issue.  I have closed all Wan to Lan access for now, although when I know this is working, I will want to open up and exclude regions for incoming as well.

 

Any thoughts?

 

 

 

Thanks



  • Gary,

    I created a Network Rule to block Lan to Wan where Http/https to United Kingdom is blocked.....it does not work.

    What I have seen is that the Country Blocking engine is categorizing websites wrongly. Trying 2 websites, www.google.co.uk and www.gov.uk, and both are categorized as "United States".

    Go to Cli (option 4) and type the following command:

    show country-host ip2country ipaddress "url ip"

    It should be a bug!

  • Hi Luk,

    Interestingly, if you check the IPlocation for the website www.Gov.uk here, it will resolve to the United States. Hence, the categorization in XG is correct.

    I tested country blocking with my firewall at v15 and it works. PFA screenshot:

    Logs FYI:

    2016-10-19 14:13:59 0101021 IP 10.10.10.3.55576 > 151.101.100.144.80 : proto TCP: S 1846200904:1846200904(0) win 8192 checksum : 16737
    0x0000: 4500 0030 529e 4000 3f06 d927 0a0a 0a03 E..0R.@.?..'....
    0x0010: 9765 6490 d918 0050 6e0a ca48 0000 0000 .ed....Pn..H....
    0x0020: 7002 2000 4161 0000 0204 05b4 0101 0402 p...Aa..........
    Date=2016-10-19 Time=14:13:59 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Port2 inzone_id=1 outzone_id=2 source_mac=50:7b:9d:84:89:e9 dest_mac=00:1a:8c:43:c7:ec l3_protocol=IP source_ip=10.10.10.3 dest_ip=151.101.100.144 l4_protocol=TCP source_port=55576 dest_port=80 fw_rule_id=4 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3616447881541582848 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=2830145216 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    console> show country-host ip2country ipaddress 151.101.100.144
    151.101.100.144 belongs to country United States.

    Hope that helps :)
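
The key=value firewall record in the reply above can be checked mechanically. The following is an added example, not part of the original posts and not Sophos code: it parses records of that shape, keeps the `log_subtype=Denied` ones, groups destination IPs by `fw_rule_id`, and emits the console lookup command quoted in the thread for each IP. The sample records are constructed (the first is abbreviated from the posted log line, the second is invented), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input. Record 1 is abbreviated from the log line posted in
# the thread; record 2 is invented here to show an allowed connection.
SAMPLE_LOG = """\
Date=2016-10-19 Time=14:13:59 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied in_dev=Port1 out_dev=Port2 source_ip=10.10.10.3 dest_ip=151.101.100.144 l4_protocol=TCP dest_port=80 fw_rule_id=4
Date=2016-10-19 Time=14:14:02 log_type=Firewall log_component=Firewall_Rule log_subtype=Allowed in_dev=Port1 out_dev=Port2 source_ip=10.10.10.3 dest_ip=192.0.2.10 l4_protocol=TCP dest_port=443 fw_rule_id=5
"""

# key=value pairs; a value is either quoted or runs to the next whitespace.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one key=value log line into a dict (lines without pairs yield {})."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}


def denied_by_rule(log_text):
    """Map fw_rule_id -> sorted unique destination IPs that rule denied."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Packet-dump lines and non-firewall records are skipped here.
        if rec.get("log_type") != "Firewall" or rec.get("log_subtype") != "Denied":
            continue
        if "dest_ip" in rec:
            hits[rec.get("fw_rule_id", "unknown")].add(rec["dest_ip"])
    return {rule: sorted(ips) for rule, ips in hits.items()}


def console_checks(log_text):
    """Console commands (as used in the thread) to confirm each IP's country."""
    ips = sorted({ip for v in denied_by_rule(log_text).values() for ip in v})
    return [f"show country-host ip2country ipaddress {ip}" for ip in ips]


if __name__ == "__main__":
    for rule, ips in denied_by_rule(SAMPLE_LOG).items():
        print(f"fw_rule_id={rule} denied: {', '.join(ips)}")
    for cmd in console_checks(SAMPLE_LOG):
        print(cmd)
```

Comparing the rule ID in the output with the ID of the country-blocking rule shows whether that rule, rather than some other rule, produced the deny.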

  • Sachin,

    Gov.uk is a U.K. Address and not United States. Of course I used the command line to check where the ip comes from.

    I will check the ip even on Whois.

    Also, by command line we should be able to use the URL; otherwise we first need to ping the URL, copy the ip and paste it into the cli.

  • Hi Luk,

    That is what I addressed, I verified the IP location on www.iplocation.net which also resolves to US servers.

    Thanks

  • Thanks sachingurungu.

    Any plan to improve country blocking? I mean, looking at more databases? See the result for gov.uk on whois

    https://who.is/whois/gov.uk

    It can be useful to read Registrant information/addresses and compare or merge information obtained by iplocation.net?

    Mine is an idea.

    Thanks

  • Hi Luk,

    What I understand is that you are looking for a country blocking feature in a different way than how it is with XG. In XG, country blocking will explicitly work in relation with IP address location. I like your idea and it would be a great feature if that's possible to implement.

    Thanks

  • Thanks Sachin. Relying on one method/database is not so reliable. Let me know if you check the feature request internally or I have to open a feature request.

    Thanks

  • Hey folks, I do see that when I try some other sites in other countries that they are blocked, so functionally the blocking does appear to be working for me.  Going to still play around with it a bit though.  

  • Gary,

    as Sachingurung wrote, country blocking is using the IP Public information to determine the country. Use the "country-host ip2country ipaddress x.x.x.x" from console (cli > option 4) to determine the origin.

    Some websites register their IP or buy the website from another country, so it can be difficult to track them. As I wrote, gov.uk should be from UK but it is registered to United States.

    Hope that XG will improve the country blocking by double checking for example the .com/.co.uk/.it etc and the registered IP origin.

    Thanks

  • Hi Luk,

    country blocking doesn't work in XG as you tested and wrote about for a very simple reason: China could register with one site in the US and then China is no longer blocked.

    I know it is a simplistic example, but makes the point.