Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview:
This article describes the troubleshooting steps for country blocking issues where traffic is not dropped as the country blocking rule's configuration would require.
Scenario:
You have observed that country-based rules are not working as expected: traffic from some IPs or countries is allowed or blocked contrary to the action set in the firewall rule.
What to do:
Step 1: Re-align with the documentation manual
Please make sure that the country blocking rule is configured as described in the guide - https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/FirewallRules/FirewallRulesCountryBasedRuleCreate/index.html
As mentioned in the above article, if you have any active web application firewall (WAF) rules, the country-based firewall rule won't work. In this case, create a black hole DNAT rule and add the country you want to block as the original source. See "Create a black hole DNAT rule" in the documentation.
Step 2: Verify Traffic Rule
Check the traffic in the log viewer and confirm that it is matching the rule created for country blocking rather than another rule.
Review that specific rule (the one you found via the log viewer) to validate its "source network" and the action selected for it.
Note:
- Sophos Firewall evaluates rules top to bottom and applies the first match, so make sure the rule sequence is correct.
- Best practice is to keep the country blocking rule at the top.
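To make the ordering point concrete, the following added example (not Sophos code) models first-match evaluation with a constructed IP-to-country table and reports which country rules are shadowed by an earlier "Any" rule; the table and rule names are assumptions for illustration only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the firewall's Geo-IP database (example data, not the real DB).
IP2COUNTRY = {
    ipaddress.ip_network("40.127.240.0/24"): "Ireland",
    ipaddress.ip_network("203.0.113.0/24"): "ExampleLand",
}


def ip2country(ip: str) -> str:
    """Classify an address by the first matching network, like 'show country-host ip2country'."""
    addr = ipaddress.ip_address(ip)
    for net, country in IP2COUNTRY.items():
        if addr in net:
            return country
    return "Unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "accept" or "drop"
    src_countries: frozenset = frozenset()      # empty set means source "Any"


def first_match(rules, src_ip):
    """Top-to-bottom, first-match evaluation; returns (rule name, action)."""
    country = ip2country(src_ip)
    for rule in rules:
        if not rule.src_countries or country in rule.src_countries:
            return rule.name, rule.action
    return "default", "drop"                    # nothing matched: implicit drop


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers every source they cover."""
    shadowed = []
    for idx, rule in enumerate(rules):
        for earlier in rules[:idx]:
            covers_all = not earlier.src_countries or rule.src_countries <= earlier.src_countries
            if covers_all and rule.src_countries:
                shadowed.append(rule.name)
                break
    return shadowed


# Misordered: the "Any" accept rule sits above the country block, so the block never fires.
RULES_BAD = [Rule("Allow_Any", "accept"), Rule("Block_Ireland", "drop", frozenset({"Ireland"}))]
# Corrected: country block on top, as the note recommends.
RULES_GOOD = [Rule("Block_Ireland", "drop", frozenset({"Ireland"})), Rule("Allow_Any", "accept")]
```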
Step 3: Pattern Update
Please verify that the patterns are up to date by navigating to System > Backup & Firmware > Pattern Updates.
Sophos uses a Geo-IP service for country-based classification. To confirm that the pattern update for "Geoip ip2country DB" was installed successfully, check that the Geo-IP files are present in the "/content" directory using the command below:
SFVUNL_SO01_SFOS 19.0.0 GA-Build317# ls -larth /content/ | grep -i geoip
drwxr-xr-x 3 root 0 1.0K Sep 19 12:50 geoip_1.00
lrwxrwxrwx 1 root 0 27 Sep 19 12:50 geoip -> /content/geoip_1.00/2.0.013
Step 4: Geo-IP Classification
If the configuration is correct and the traffic is matching the specified rule, verify the Geo-IP classification of the specific IP against the expected country:
console> show country-host ip2country ipaddress 40.127.240.158
40.127.240.158 belongs to country Ireland.
Step 5: Contact Support
If the IP-to-country output is misclassified, please contact support and provide all of the information gathered above.
[edited by: Erick Jan at 10:03 AM (GMT -7) on 17 Apr 2023]