GEO IP location blocking IP (false positive)

Hello All,

I am new to the Sophos product. On my UTM, it is blocking an IP which belongs to the USA. Below are the logs:

2019:10:23-07:50:56 tci-utm ulogd[24705]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="vpc2.0" outitf="eth0" srcmac="12:ca:fa:e1:b3:54" dstmac="5e:e5:ce:cf:ae:57" srcip="10.103.2.184" dstip="104.98.167.67" proto="6" length="52" tos="0x02" prec="0x00" ttl="127" srcport="55316" dstport="443" tcpflags="SYN"

Kindly suggest.

Thank you



  • This may be a bit out of date; I don't keep up with recent UTM changes.

    UTM GeoIP database updates are published monthly, long history of being approximately the 12th of each month.

    zgrep Installing /var/log/up2date/201*/*/*.gz | grep geo

    Web tools can be nice, but what matters is what your UTM is using.

    geoiplookup -v 9.9.9.9

    (The IP does not matter here; the result should show the information for the GeoIP data files in /var/geoip/.)

    geoiplookup 1.1.1.1
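A small parser for the ulogd packetfilter line format posted in the question, added here as an example for this thread; it is not code from Sophos or from any poster. It rejoins the posted log line into the single line ulogd actually writes, pulls out the key="value" fields, and, for a "Packet dropped (GEOIP)" event, lists the address worth running geoiplookup against on the UTM itself: an RFC 1918 address such as the posted srcip 10.103.2.184 has no country in a GeoIP database, so the country decision can only have applied to the destination 104.98.167.67. The two extra log lines are constructed for the example (RFC 5737 documentation addresses stand in for public ones) and are not from the thread.

```python
"""Parse Sophos UTM ulogd packetfilter log lines and work out which address a
"Packet dropped (GEOIP)" event should be checked with geoiplookup.

Added example for this thread; not code from Sophos or from any poster.
"""
import ipaddress
import re
from typing import Dict, List

# The line posted in the thread, rejoined onto one line as ulogd writes it.
THREAD_LOG_LINE = (
    '2019:10:23-07:50:56 tci-utm ulogd[24705]: id="2021" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" '
    'action="drop" fwrule="60019" initf="vpc2.0" outitf="eth0" '
    'srcmac="12:ca:fa:e1:b3:54" dstmac="5e:e5:ce:cf:ae:57" '
    'srcip="10.103.2.184" dstip="104.98.167.67" proto="6" length="52" '
    'tos="0x02" prec="0x00" ttl="127" srcport="55316" dstport="443" '
    'tcpflags="SYN"'
)

# Constructed for this example (not from the thread): an inbound GEOIP drop and
# an ordinary non-GeoIP drop. RFC 5737 documentation addresses play "public".
CONSTRUCTED_LOG_LINES = [
    '2019:10:23-07:51:02 tci-utm ulogd[24705]: severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" '
    'initf="eth0" outitf="vpc2.0" srcip="198.51.100.23" dstip="10.103.2.10" '
    'proto="6" srcport="40001" dstport="443" tcpflags="SYN"',
    '2019:10:23-07:51:09 tci-utm ulogd[24705]: severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped" action="drop" initf="eth0" '
    'srcip="203.0.113.9" dstip="10.103.2.10" proto="6" srcport="50000" '
    'dstport="22" tcpflags="SYN"',
]

GEOIP_DROP_NAME = "Packet dropped (GEOIP)"  # the name= value seen in the posted line

RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# "<timestamp> <host> ulogd[<pid>]: " prefix, then key="value" pairs.
_HEAD = re.compile(r"^(\S+)\s+(\S+)\s+ulogd\[(\d+)\]:\s*")
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line: str) -> Dict[str, str]:
    """Split a ulogd line into its key="value" fields plus timestamp/host/pid.

    findall ignores line breaks, so a log line pasted across several lines
    (as in the question) parses the same as the original single line.
    """
    fields = dict(_KV.findall(line))
    head = _HEAD.match(line)
    if head:
        fields["timestamp"], fields["host"], fields["pid"] = head.groups()
    return fields


def is_rfc1918(addr: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16; such addresses have no GeoIP country."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def direction(event: Dict[str, str]) -> str:
    """Classify a drop by which side is private: outbound, inbound, internal or transit."""
    src_priv, dst_priv = is_rfc1918(event["srcip"]), is_rfc1918(event["dstip"])
    if src_priv and not dst_priv:
        return "outbound"
    if dst_priv and not src_priv:
        return "inbound"
    return "internal" if src_priv else "transit"


def geoip_lookup_targets(event: Dict[str, str]) -> List[str]:
    """Addresses whose country the GEOIP rule can have matched on.

    Only public addresses carry a country, so an outbound drop yields just the
    destination, an inbound drop just the source, and a transit drop both.
    Non-GeoIP events yield nothing.
    """
    if event.get("name") != GEOIP_DROP_NAME:
        return []
    return [ip for ip in (event["srcip"], event["dstip"]) if not is_rfc1918(ip)]


def geoiplookup_commands(lines: List[str]) -> List[str]:
    """Deduplicated geoiplookup invocations to run on the UTM for all GEOIP drops."""
    cmds = {f"geoiplookup {ip}"
            for line in lines
            for ip in geoip_lookup_targets(parse_ulogd(line))}
    return sorted(cmds)


if __name__ == "__main__":
    all_lines = [THREAD_LOG_LINE] + CONSTRUCTED_LOG_LINES
    for raw in all_lines:
        ev = parse_ulogd(raw)
        if ev.get("name") == GEOIP_DROP_NAME:
            print(f'{ev["timestamp"]} fwrule={ev.get("fwrule", "-")} {direction(ev)} '
                  f'{ev["srcip"]}:{ev["srcport"]} -> {ev["dstip"]}:{ev["dstport"]} '
                  f'lookup={",".join(geoip_lookup_targets(ev))}')
    print("\n".join(geoiplookup_commands(all_lines)))
```

Run on the UTM, the printed geoiplookup lines are exactly the checks the reply recommends, and they consult the database in /var/geoip/ rather than whatever a web lookup tool happens to have loaded.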

  • "UTM GeoIP database updates are published monthly, long history of being approximately the 12th of each month"

    Interesting - thanks!  When I did that, I found that there were occasional updates between the regular monthly ones.  Just guessing that it's only when a large subnet is sold to an entity in another country as opposed to error corrections.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA