Sophos UTM country blocking - blocking geo allowed IP

Greetings,

My UTM firewall is for some reason blocking a US-based Cloudflare IP for Discord. This started a couple of days ago, I think.

I of course don't have the US blocked in country blocking, but the country blocking rule is blocking it. Here is some data for this. I think this may be some sort of FP perhaps??

From the Shell:

geoiplookup 162.159.135.232
GeoIP Country Edition: US, United States

From the network logs:

2023:04:04-10:41:23 bouncerasg ulogd[13546]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="lag0" outitf="eth5" srcmac="" dstmac="" srcip="<mypc>" dstip="162.159.135.232" proto="17" length="1378" tos="0x00" prec="0x00" ttl="127" srcport="63248" dstport="443"

From the UI:

I know I can just exclude the IP, but why is the firewall doing this?!?!

Thanks,
Chris



This thread was automatically locked due to age.
  • I would like to add that I've added all the IPs I am seeing from Cloudflare into a country block exception. This has not resolved the issue at all. If I turn off country blocking, the issue definitely goes away.


    I almost forgot, I am on Sophos version: 9.712-13

    I know I am a couple versions old. Is this list updated through pattern updates? That is currently: 223044

  • I'm on version 9.714-4.  I was unable to access hubspot.com, canva.com and downdetector.com.  I saw this thread, disabled Country Blocking and everything works now.  Hoping there is a fix soon!

  • +1 with this problem.


    Version 9.714-4, but also had it on the last Version, just upgraded to test if it's the version.

    Only disabling the whole Country Blocking helps.
    Setting the affected country to any value "all, from, to, off" does not make any difference.

  • Hello,

    This is related to Advisory: Sophos UTM - Cloudflare range (104.16.0.0/13) being blocked by Geo IP

    GES and DEV are currently investigating, and a workaround is available in the link above.

    Regards,

  • I tested this, and I see that my firewall is on 220394 for its pattern version. But when I enabled country blocking, even with the exception in place, I am still blocked. In your link, there is a subnet of 104.16.0.0/13. My issue is with the 162 network. Did the fix include 162.159.0.0/23??

  •   As a firewall expert you should know better than to post shortened URLs. I understand t.co is Twitter's shortened URL TLD, but to ensure security, all (or as many as I could identify) short URLs are blocked here at firewall level.

    In addition, wouldn't it be best to link to an announcement at *.sophos.com.....?

  • Hello Jay,

    Thank you for the feedback.

    I didn't realize I incorrectly linked the short URL instead of using the community to add the hyperlink using the original link for the external KB.

    Regards,

  • Just curious if there could be any update to this? I just tested country blocking, and I am STILL having this issue with Cloudflare IPs. I would REALLY like to keep this turned on. Excluding the IPs is NOT working. This is the first time I have ever needed to open a forum post up, or have had any real issues with this firewall. I have used this since the ASG days. I really hope that this experience is not normal with a slow response, and I have just gotten lucky all of these years with not needing any support.

  • Hello  ,

    I apologize that you have faced this issue. This issue should already be resolved. The RPM can be checked to confirm the UTM has updated its patterns on your device. u2d-geoipxtipv6-9-259 is the fixed version.

    To check, kindly enter this command in the advanced shell:

    rpm -qa | egrep 'xtipv6'

    If this issue still persists after you have confirmed the installed pattern is u2d-geoipxtipv6-9-259:

    - Kindly open a support ticket and please share the case ID with us.

    Many thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,
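
A way to triage the packetfilter log for this symptom, as an added example that is not part of the original thread and is not Sophos code: it pulls the `Packet dropped (GEOIP)` entries out of log lines in the format posted above, counts them per destination, and reports which of the two ranges named in the thread covers each address. The function names and the two extra sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges named in this thread: the advisory's /13 and the /23 a poster asked about.
THREAD_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "162.159.0.0/23")]
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_fields(line):
    """Turn the key="value" pairs of one packetfilter log line into a dict."""
    return dict(FIELD.findall(line))

def covering_range(addr, ranges=THREAD_RANGES):
    """Return the first listed network containing addr, or None (also for non-IP text)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # redacted or empty field such as "<mypc>"
        return None
    return next((net for net in ranges if ip in net), None)

def geoip_drop_summary(lines, ranges=THREAD_RANGES):
    """Count GEOIP drops per (dstip, proto, dstport) and attach the covering range."""
    counts = Counter()
    for line in lines:
        f = parse_fields(line)
        if f.get("name") == "Packet dropped (GEOIP)":
            counts[(f.get("dstip", ""), f.get("proto", ""), f.get("dstport", ""))] += 1
    rows = []
    for (dst, proto, port), n in counts.most_common():
        net = covering_range(dst, ranges)
        rows.append({"dstip": dst, "proto": proto, "dstport": port,
                     "drops": n, "range": str(net) if net else None})
    return rows

# First line is the one posted in the thread; the other two are constructed samples.
SAMPLE = [
    '2023:04:04-10:41:23 bouncerasg ulogd[13546]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="lag0" outitf="eth5" srcmac="" dstmac="" srcip="<mypc>" dstip="162.159.135.232" proto="17" length="1378" tos="0x00" prec="0x00" ttl="127" srcport="63248" dstport="443"',
    '2023:04:04-10:41:25 utm ulogd[1]: id="2021" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" srcip="10.0.0.5" dstip="104.16.1.1" proto="6" dstport="443"',
    '2023:04:04-10:41:26 utm ulogd[1]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="10.0.0.5" dstip="104.16.1.1" proto="6" dstport="25"',
]

if __name__ == "__main__":
    for row in geoip_drop_summary(SAMPLE):
        print(row)
```

On the line posted in the thread, 162.159.135.232 falls in neither range, since 162.159.0.0/23 ends at 162.159.1.255.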