GEO IP location blocking IP (false positive)

Need to add  Country blocking is disable 

Hello Morris,

You can check in the console which country the IP Adrdress belongs

https://community.sophos.com/kb/en-us/130858

It looks like Sophos (old and not correct database) thinks the IP belongs to 

console> show country-host ip2country ipaddress 104.98.167.67
104.98.167.67 belongs to country Netherlands.

I had the same problem and created a support ticket, took a few month because they have to create a new firmware 

(thats what they told me)

If the IP is important you should also create a ticket and for time being create an exclusion.

All of this seems odd, because I thought UTM was based on Maxmind.   When I go to maxmind.com and use their test tool, it puts that IP address in the USA.

As per my finding I checked maxmind database available on https://dev.maxmind.com/geoip/geoip2/geolite2/ and it stated as USA for that particular IP range.

Looks like UTM updates its database with firmware upgrade only. Then wait for next upgrade to update other entries. I might be be incorrect. 

Thank you for the reply SGH and DouglasFoster 

i have created exception using kb: https://community.sophos.com/kb/en-us/119119

Hi Morris and welcome to the UTM Community!

The availability of a geoip update can be checked as often as every 15 minutes.  Check 'Pattern Download/Installation Interval' on the 'Configuration' tab in 'Management > Up2Date'.

I can't remember at the moment which geoip location service is used, but it is not maxmind.

If Country Blocking were disabled, there would be no GEOIP blocks in the Firewall log.

Good job finding that KB article  - that's the best "Band-Aid" you can use.

Cheers - Bob

Hi Morris and welcome to the UTM Community!

The availability of a geoip update can be checked as often as every 15 minutes.  Check 'Pattern Download/Installation Interval' on the 'Configuration' tab in 'Management > Up2Date'.

I can't remember at the moment which geoip location service is used, but it is not maxmind.

If Country Blocking were disabled, there would be no GEOIP blocks in the Firewall log.

Good job finding that KB article  - that's the best "Band-Aid" you can use.

Cheers - Bob

Sorry I have a XG firewall and there is no Management>Up2Date

With my Sophos service request they told me to check ip2location website

https://www.ip2location.com/104.98.167.67

This was there solution for XG box

This is regarding the service request number  7000724.
As discussed, we would need to install new Geodb binary into the XG box to resolve the reported issue

Morris do you have the Sophos UTM or XG?

I know this is the Sophos UTM group but just to be sure.

Hoi SGH,

I don't think IP2Location is used by the UTM.  Good to know that it's used by XG.

Cheers - Bob

I got UTM