help with country blocking

Gary,

I created a Network Rule to block Lan to Wan where Http/https to United Kingdom is blocked.....it does not work.

What I have seen is that the Country Blocking engine is categorizing website wrongly. Trying 2 website www.google.co.uk and www.gov.uk and both are categorized as "United States".

Go to Cli (option 4) and type the following command:

show country-host ip2country ipaddress "url ip"

It should be a bug!

Hi Luk,

Interestingly, if you check the IPlocation for the website www.Gov.uk here, it will resolve at the United States. Hence, the categorization in XG is correct.

I tested country blocking with my firewall at v15 and it works. PFA screenshot:

Logs FYI:

2016-10-19 14:13:59 0101021 IP 10.10.10.3.55576 > 151.101.100.144.80 : proto TCP: S 1846200904:1846200904(0) win 8192 checksum : 16737
0x0000: 4500 0030 529e 4000 3f06 d927 0a0a 0a03 E..0R.@.?..'....
0x0010: 9765 6490 d918 0050 6e0a ca48 0000 0000 .ed....Pn..H....
0x0020: 7002 2000 4161 0000 0204 05b4 0101 0402 p...Aa..........
Date=2016-10-19 Time=14:13:59 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Port2 inzone_id=1 outzone_id=2 source_mac=50:7b:9d:84:89:e9 dest_mac=00:1a:8c:43:c7:ec l3_protocol=IP source_ip=10.10.10.3 dest_ip=151.101.100.144 l4_protocol=TCP source_port=55576 dest_port=80 fw_rule_id=4 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3616447881541582848 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=2830145216 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

console> show country-host ip2country ipaddress 151.101.100.144
151.101.100.144 belongs to country United States.

Hope that helps :)

Sachin,

Gov.uk is a U.K. Address and not United States. Of course I used the command line to check where the ip comes from.

I will check the ip even on Whois.

Also by command line we should be able to use URL otherwise we first need to ping the URL, copy the ip and paste into cli.

Sachin,

Gov.uk is a U.K. Address and not United States. Of course I used the command line to check where the ip comes from.

I will check the ip even on Whois.

Also by command line we should be able to use URL otherwise we first need to ping the URL, copy the ip and paste into cli.

Hi Luk,

That is what I addressed, I verified the IP location on www.iplocation.net which also resolves to US servers.

Thanks

Thanks sachingurungu.

Any plan to improve coutry blocking? I mean, looking at more databases? See the result for gov.uk on whois

https://who.is/whois/gov.uk

It can be useful to read Registrant information/addresses and compare or merge information obtained by iplocation.net?

Mine is an idea.

Thanks

Hi Luk,

What I understand is that you are looking for a country blocking feature in a different way than how it is with XG. In XG, country blocking will explicitly work in relation with IP address location. I like your idea and it would be a great feature if that's possible to implement.

Thanks

Thanks Sachin. Relying on one method/database is not so reliable. Let me know if you check the feature request internally or I have to open a feature request.

Thanks

Hey folks, I do see that when I try some other sites in other countries that they are blocked, so functionally the blocking does appear to be working for me.  Going to still play around with it a bit though.  

Gary,

as Sachingurung wrote, country blocking is using the IP Public information to determine the country. Use the "country-host ip2country ipaddress x.x.x.x" from console (cli > option 4) do determine the origin.

Some websites register their IP or buy the website from another country, so it can be difficult to track them. As I wrote gov.uk should be from UK but it registered to United States.

Hope that XG will improve the country blocking by double checking for example the .com/.co.uk/.it etc and the registered IP origin.

Thanks

Hi Luk,

country blocking doesn't work in XG as you tested and wrote about for a very simple reason, China could register with one site in the US and then China is no longer blocked.

I know it is a simplistic example, but makes the point.

So, I agree with you folks that Sophos should work to improve this feature.   I wanted to know if the type of country classification based on ip that XG is using is the same as the UTM 9.x?

XG uses a different technology than UTM9.

Maybe we need to open a feature request for that or maybe we need to wait from a Sophos Official reply where they say that Country Blocking on XG will be moved to UTM9 technology.

[:#]