Country blocking exception not working

I'm running Firmware version: 9.303-2. I have Country Blocking turned on for some countries, one of which is Netherlands.

When I try to go to: Yellow Bricks

I get this error:
Content blocked
While trying to retrieve the URL: Yellow Bricks
The content is blocked due to the following condition:
The URL you have requested matches a forbidden Country. If you think this is wrong, please contact your administrator.
Country: Netherlands

I went to "Country Blocking Exceptions" and created an exception called "Whitelist"

It says it's set to:

skip blocking of these countries:
    [Netherlands] Netherlands
for traffic going to these destination networks:
    Whitelist 1
    Whitelist 2
    Whitelist 3
Using these services:
    Any

For the three networks, I've tried three things:

Name: Whitelist 1
Type: DNS Host
Hostname: Yellow Bricks


Name: Whitelist 2
Type: DNS Host
Hostname: yellow-bricks.com


Name: Whitelist 3
Type: Network
IPV4 address: 109.237.219.143 /32


None of them work. 

If I tell the country blocking list to allow Netherlands, it lets me access the site.


Any ideas?

Thanks!

Arch


  • If I can keep him interested I will see who in the area sells Sophos. Do you really think sales will help with this issue?
  • It's your only option. Sometimes they will, sometimes not, depends on the money involved in the sale. Any salesperson will try as it is a commission for them. Whether or not the sale is worth the dev costs is a decision made elsewhere. If a promise is made to get it fixed by X if your friend signs on the dotted line, make certain that you get it in writing. Besides engaging a reseller, you can also call and ask to speak with a sales rep directly, https://www.sophos.com/en-us/company/contact.aspx.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • I am wondering if this workaround would work. I will try this later tonight or tomorrow, depending on my schedule. 

    There is a "do not proxy section" in the UTM.

    Web Protection\Filtering Options\Misc\transparent mode skip list.

    If I put that Block Exceptions group in there, it should be forced through the Firewall where I can make a Block Exceptions rule "allow". If the proxy skip list is executed before the country block, this should work. 

    Either way, if I am correct, the order of execution will be determined by testing this...

    -----------Update ------------

    It works! I tried going to another site in that same country and it is blocked, but not my block exception URL! (I only have one in there right now.) I did not even need a rule in the FW, since the FW is not the one blocking the country. W00T!

    Test data:

    Block Norway.
    Try going to https://urlvoid.net - blocked
    Make a definition for https://urlvoid.net. Put in the proxy skiplist. 
    Try going to https://urlvoid.net - Not blocked.
    Try going to www.norway.org - blocked by country block! 

    I hope this helps others.
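The evaluation order Coder68's test implies (transparent-mode skip list consulted before the web proxy's country check) and the exception rule shape Arch describes (skip countries, for destination networks, using services), as an added model in Python; this is not Sophos UTM code, and the GeoIP table and IPs other than 109.237.219.143 are constructed sample data.

```python
import ipaddress

# Constructed GeoIP table standing in for the UTM's MaxMind lookup (sample data, not real allocations).
GEOIP = {
    ipaddress.ip_network("109.237.219.0/24"): "Netherlands",
    ipaddress.ip_network("198.51.100.0/24"): "Norway",
    ipaddress.ip_network("192.0.2.0/24"): "United States",
}

def country_of(ip):
    """Return the country of an IP per the constructed table, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEOIP.items() if addr in net), None)

def exception_matches(exc, country, dst_ip, dst_port):
    """A Country Blocking Exception as the thread describes it: skip blocking of
    listed countries, for traffic to listed destination networks, using listed services."""
    dst = ipaddress.ip_address(dst_ip)
    return (country in exc["skip_countries"]
            and any(dst in ipaddress.ip_network(n) for n in exc["dest_networks"])
            and (exc["services"] == "Any" or dst_port in exc["services"]))

def web_request_verdict(dst_ip, dst_port, blocked_countries, exceptions, skip_list):
    """Model of the order Coder68's test implies: a destination on the transparent-mode
    skip list never reaches the proxy, so the proxy's country check is not applied to it."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in ipaddress.ip_network(n) for n in skip_list):
        return "allowed (proxy skipped)"
    country = country_of(dst_ip)
    if country in blocked_countries:
        if any(exception_matches(e, country, dst_ip, dst_port) for e in exceptions):
            return "allowed (exception)"
        return f"blocked (country: {country})"
    return "allowed"

if __name__ == "__main__":
    # Coder68's test data: block Norway, skip-list one destination, try another in the same country.
    skip = ["198.51.100.10/32"]                      # constructed stand-in for urlvoid.net
    print(web_request_verdict("198.51.100.10", 443, {"Norway"}, [], skip))  # allowed (proxy skipped)
    print(web_request_verdict("198.51.100.20", 443, {"Norway"}, [], skip))  # blocked (country: Norway)
    # Arch's "Whitelist 3": the rule matches on paper, so the failure is not in the rule's logic.
    arch = {"skip_countries": {"Netherlands"}, "dest_networks": ["109.237.219.143/32"], "services": "Any"}
    print(web_request_verdict("109.237.219.143", 443, {"Netherlands"}, [arch], []))  # allowed (exception)
```

Running the model against a live box's result is the useful check: if the rule evaluates as a match here but the UTM still reports a country block, the block is being applied at a stage the exception does not cover, which is what Sophos support later traced for Steve P.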
  • Coder68 - What's your recent experience with Country Blocking Exceptions? We were having heck with malicious botnets scanning our network for RDP connections. We eventually had to purchase RDP guard software (Windows protection is useless) for those few machines we had to have listening all the time, and turn the rest of the listening machines' NAT translations off, and only turn them back on when needed.

    So, I thought we'd just block all the countries in the list, and create specific country blocking exceptions to accept SMTP incoming traffic, which is the only thing we'd be interested in accepting from most foreign countries. However, later one of our suppliers whose email routes through Israel complained that their emails were getting rejected, and sure enough they were right. I had to turn off the country block for Israel to restore functionality for them, even though they were in the country blocking exception rules. I can open a support case, but I know it's going to be difficult for Sophos Techs to test this, and I don't want to make my supplier a guinea pig.


    Thanks,

    Steve P

  • Hi,

    I'm running 9.311-3 on an SG 230 and having this same problem. The workarounds didn't work in my case. Coder68's idea with the transparent skip list got closer though. Rather than a "country blocked" message from the page, the page timed out after a couple minutes.

    I also tried doing both a country exception AND a transparent proxy skip list.

    Now wondering if there'd be any point in submitting a support ticket since Sophos MUST know this is still an issue.

    Thanks,

    Jeff

  • Jeff - Sophos fixed this for me, after submitting an SR. They need to look at your particular setup. After looking at mine, they figured out where the blocking was taking place, and we were able to come up with an exception rule that worked.

    Thanks,

    Steve P

  • Country Blocking must be ON in FW. There is more powerful

    This exception worked for me:

    For all Requests- going to this Host/Network: (Dns host) yellow-bricks.com - using service:any allow

  • Don't CHECK anything, since the request is not coming......
    It is definitely not a bug

  • Well, I've been battling an inbound country blocking exception for days and I just found this topic.

    Synology support from Thailand needed to access my NAS over SSH, and HTTPS over port 5001. So, I built a DNAT with an auto FW rule to handle the SSH, and let my existing HTTPS/5001 web publishing rule handle the rest. I also built a country block exception for Taiwan from Synology's support IP addresses on destination ports 22 and 5001.

    I can connect just fine from a US address, which is allowed by country blocking along with Canada - in other words, these countries are switched "off." All other countries are set to block traffic "from" them, including Taiwan.

    But unfortunately, Synology support can't connect and the FW log stubbornly shows GEOIP blocks for the inbound traffic on both ports.

    Upon reinspection, the DNAT and auto FW rule looked to be correctly constructed, and the country block exception, also.

    I ran the source IPs through the MaxMind database and confirmed they were in the excepted country.

    I've now disabled Country Blocking and I'm waiting for Synology support to try again. It occurs to me that I could also switch Taiwan to "off" in Country Blocking, and achieve the same result.

    /sigh    ....sure would like this to work as designed.


    edited to add: In fact, Synology was able to access my appliance five times overnight, after I disabled Country Blocking altogether. I've since re-enabled Country Blocking, but switched Taiwan to "off," and I'm waiting to see a connection attempt.

  • Timothy, please have a ticket submitted to Sophos Support.  They won't fix it unless we complain when it doesn't work!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA