Hi All,
I have been asked to look at implementing an IP blacklist on out Sophos UTM as this was a feature we had on our old appliance which the UTM replaced. I can see that there is no exact feature for this in the UTM but a my research leads me to believe that a Blackhole DNAT rule might accomplish what we are looking for. With that in mind i have put together the following plan which i am looking to implement. I just want to make sure my logic is sound before i put the change request in with my manager. What i am proposing is as follows:
- Create a new network group object that will contain all the IP we want to black list (lets call it IPBlacklist)
- Create another network group object (ExtAddresses) that contains all the Address Objects of our external IP addresses (we have 2 IP ranges connected to the UTM)
- Create a network host object as a "Blackhole address"
- Create a NAT rule like so
- Source Address = IPBlacklist
- Destination Port = any
- Destination address = ExtAddresses
- Translated address = "blackhole address"
- Translasted port = "blank"
- Automatic firewall disabled
- Logging enabled (To begin with to ensure the rule is working as expected)
I suppose what i am looking to get confirmation on is the following:
- The rule i have proposed will actually do what is intended (i.e. block traffic from the blacklisted IPs)?
- That a single rule will work using the group containing the interface address objects or will i have create a rule for each one?
Any help on this would be appreciated.
Thanks,
Andrew
This thread was automatically locked due to age.
