help with country blocking

Question

Hi, 
 
 I have gone through the various aging thread on country blocking and still have not been able to get it working on my side. I am using the latest Home XG. 
 
 I have setup a rule to block a bunch of regions as indicated in the images below. However, when I go to test out, I am still able to access these regions without issue. I have closed all Wan to Lan access for now, although when I know this is working, I will want to open up and exclude regions for incoming as well. 
 
 Any thoughts?

Thanks

sachingurung · Accepted Answer

Hi Luk, 
 Interestingly, if you check the IPlocation for the website www.Gov.uk here , it will resolve at the United States. Hence, the categorization in XG is correct. 
 I tested country blocking with my firewall at v15 and it works. PFA screenshot: 
 
 Logs FYI: 
 2016-10-19 14:13:59 0101021 IP 10.10.10.3.55576 > 151.101.100.144.80 : proto TCP: S 1846200904:1846200904(0) win 8192 checksum : 16737 0x0000: 4500 0030 529e 4000 3f06 d927 0a0a 0a03 E..0R.@.?..'.... 0x0010: 9765 6490 d918 0050 6e0a ca48 0000 0000 .ed....Pn..H.... 0x0020: 7002 2000 4161 0000 0204 05b4 0101 0402 p...Aa.......... Date=2016-10-19 Time=14:13:59 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Port2 inzone_id=1 outzone_id=2 source_mac=50:7b:9d:84:89:e9 dest_mac=00:1a:8c:43:c7:ec l3_protocol=IP source_ip=10.10.10.3 dest_ip=151.101.100.144 l4_protocol=TCP source_port=55576 dest_port=80 fw_rule_id=4 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3616447881541582848 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=2830145216 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A 
 console> show country-host ip2country ipaddress 151.101.100.144 151.101.100.144 belongs to country United States. 
 Hope that helps :)

sachingurung · Answer

Hi Luk, 
 That is what I addressed, I verified the IP location on www.iplocation.net which also resolves to US servers. 
 Thanks

lferrara · Answer

Thanks Sachin. Relying on one method/database is not so reliable. Let me know if you check the feature request internally or I have to open a feature request. 
 Thanks

rfcat_vk · Answer

Hi Luk, 
 country blocking doesn't work in XG as you tested and wrote about for a very simple reason, China could register with one site in the US and then China is no longer blocked. 
 I know it is a simplistic example, but makes the point.

lferrara · Answer

Gary, 
 as Sachingurung wrote, country blocking is using the IP Public information to determine the country. Use the "country-host ip2country ipaddress x.x.x.x" from console (cli > option 4) do determine the origin. 
 Some websites register their IP or buy the website from another country, so it can be difficult to track them. As I wrote gov.uk should be from UK but it registered to United States. 
 Hope that XG will improve the country blocking by double checking for example the .com/.co.uk/.it etc and the registered IP origin. 
 Thanks