Geo-ip filter on WAF rule

Hello,

Is it possible to put a geo-ip filter on the web-application-firewall rules? Or is this another 'awaiting' feature?

I can understand how to do it on a normal firewall rule for port forwarding etc.

Some of the web sites hosted on the firewall are only for a select few people to use, all in the UK, and I was looking to add that extra layer of security over the username / password on the site.

Thanks very much

Ian



This thread was automatically locked due to age.
  • Hi,

    we do not support country blocking for WAF (name in v15: HTTP based Business Application rule).

    We do support GeoIP blocking. Therefore, you have to create and select a Protection Policy with 'Block clients with bad reputation' enabled and mode 'reject'.

    Best,
     Sabine

  • Sabine,

    thanks for your reply. Is this behaviour going to change? A standard for both HTTP and not-HTTP will be nice and improve the management.

    Thanks

  • Hi,

    sorry, I'm not aware of any plans to change this.

    Sabine

  • This is still not supported, are there any plans to change this?

    It is a basic feature in any enterprise firewall.

  • Hi Sabine,

    Sorry to resurrect such an old post, but I was just researching if something was possible and this was the nearest find.

    My use-case simply is that I'd like to use geo-ip to block every country apart from UK being able to access my ssl vpn (i.e. I'd rather limit who my exposed ssl vpn port is open to). I have geo-ip restrictions in place for surfing - but as you'd expect I would want to surf to more countries than I expect to receive vpn connections from.

    Is this in any way possible via the geo-ip exceptions? (At first glance, this seems to work the reverse way to what I'm looking for.)

    UTM 9.701-6

    Thanks, Dave

  • For SSL VPN you can't do this.

    For WAF you can on XG, but only on v17.5; on v18 this method is broken. Being tracked by Sophos with NC-51857.

    For v18, when it's fixed you will be able to create a rule like this, on top of the WAF Rule.

    While #Port2 = The port WAF is listening for connections.

    I know, this rule is really bad since it doesn't give you a lot of control, but apparently Sophos will never support Geo-IP Blocking directly on the WAF Rule.

    So this is the only way right now...