
Country blocking dropping unblocked countries.

I have country blocking enabled and find that I can't use some tools.

I have installed and running a v9.510-5.

When viewing the live log, I see some entries indicating a "Country blocked" for IP addresses which GEOLOCATE shows as being in the US, which is not blocked.
Example:

11:26:02 Country blocked TCP 192.168.0.58 : 57769→35.201.70.64 : 443 [SYN] len=60 ttl=63 tos=0x00 srcmac=a4:08:ea:28:6a:31 dstmac=34:97:f6:27:76:9f


All IP location tools I've tried indicate 32.201.70.64 as "Mountain view, CA"

I have "United States" set to "OFF" in the firewall Country Blocking tab, so why is this IP being blocked?

I also tried adding an exception as shown below, but this did not work. Am I doing it incorrectly?

Also, I tried adding an "exception" for this IP address, and this does not seem to work. I added a "host" exception with the



  • The easy part first. Yes, your exception is configured incorrectly. When the referenced object is remote (public IP), the country list must be left EMPTY. When the referenced object is internal (private IP), one or more countries are required in the list. The help attempts to explain this, but it does not do it well.

    You show a fragment from the packet filter live log. For the packet filter log only, the live log is abbreviated for performance reasons. Always check the archived version of the full log using the Log Search tab, the current day log view, or the archived log download. However, in this case it will not help. Unless something changed recently, the full packet log will not show the country name either.

    Since this is a web connection, I suggest enabling web logging, even if it is just in allow-all mode, because the web log will show the country name. It will also show whether the connection uses a host name or an IP address for the connection. This allows you to match the exception to the need, without allowing more than necessary.

    Outbound country blocking is not widely used, so it may not be rigorously exercised logic, and you may have found a bug. Equally likely, the country assignment may be incorrect. The matching logic is an imperfect science. If there is an IPv4 to IPv6 translation in the process, the detected location will be at the translation point rather than the point of origin.

    Inbound country blocking is pretty intuitive: "I am not travelling in Russia, so I don't want to allow remote access connections from Russia."

    Outbound country blocking is more nuanced: If a Russian company and a French company share a hosting service in Canada, which country name applies? Whichever country is chosen, does blocking that connection leave me better protected than if I did not block it? High usage websites are hosted on networks like Akamai, using servers all over the world. DNS is used to direct you to the data center that has spare capacity and is sufficiently close to your location. The actual destination can be different on different days.

    I say all this from experience and from conversations with product management. We use country blocking in both directions, but we are an exception.
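The reply above states two things that can be checked mechanically: the packet filter live log line only carries addresses and ports (no country name), and the shape of a Country Blocking exception depends on whether the referenced host is a public or a private address. The script below, an added illustration and not code from the thread or from Sophos, parses a constructed log line modelled on the one quoted above and reports which exception form applies to the blocked destination.

```python
import ipaddress
import re

# Constructed sample modelled on the abbreviated packet filter live log line
# quoted in the thread; not a capture from the poster's UTM.
SAMPLE_LOG = (
    "11:26:02 Country blocked TCP 192.168.0.58 : 57769\u219235.201.70.64 : 443 [SYN] "
    "len=60 ttl=63 tos=0x00 srcmac=a4:08:ea:28:6a:31 dstmac=34:97:f6:27:76:9f"
)

# Field layout assumed from the quoted line: time, action, protocol,
# "src : sport" + arrow + "dst : dport", then flags and packet details.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<action>.+?) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+) : (?P<sport>\d+)\u2192(?P<dst>[\d.]+) : (?P<dport>\d+)"
)


def parse_live_log(line):
    """Extract the fields of one live log entry, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def exception_shape(ip_text):
    """Which Country Blocking exception form fits the referenced host.

    Per the reply above: a remote (public) host needs an EMPTY country list,
    an internal (private) host needs one or more countries listed.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.is_private:
        return "internal host: list one or more countries"
    return "remote host: leave the country list empty"


def advise(line):
    """For a 'Country blocked' line, return the blocked destination and the
    exception form to use; None for lines that are not country blocks."""
    entry = parse_live_log(line)
    if entry is None or not entry["action"].startswith("Country blocked"):
        return None
    return {"dst": entry["dst"], "dport": entry["dport"],
            "exception": exception_shape(entry["dst"])}


if __name__ == "__main__":
    print(advise(SAMPLE_LOG))
```

The log line still says nothing about which country the firewall assigned; for that, the web log or the `geoiplookup` check shown later in the thread is needed.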

  • Thank you! Deselecting the country names worked!

    I would like to understand how to do the rest of what you suggest. I'm not clear on how to "enable web logging"; can you explain? I don't use web filtering and the live log of that shows nothing at all. Any detail you provide would be much appreciated!

    I use country blocking on the assumption that servers located in certain countries are not subject to any lawful supervision.  I'm less concerned with companies and legit websites and more concerned with wholesale uploading of data from my network, and/or hijacking of video traffic off webcams.

  • Web filter categorizes everything by category and reputation. So you block anything with suspicious or malicious reputation, and you block any category that you do not ever want (web ads, pornography, school cheating, etc.). Web filtering should be enabled; it is probably UTM's best feature.

    I have written rather extensively on the subject as I have learned how Web Filtering works and as I have worked through the best way to use UTM. Start with the Wiki articles -- they are relatively short and provide critical information that is not in any manual. Then read the "Web Filtering Lessons Learned" post, which is pinned to the top of the Web Filtering topic area, and "How To Troubleshoot Web Filtering". This reading order reflects the order in which they were written, but the topics also tended to get longer over time.

    If you get stuck, you can send me a P.M., but I have tried to document everything that I wish I knew from the beginning.  Hopefully it will have all that you need.

  • Mike, you can run geoiplookup at the command line on the UTM. Moments ago:

    secure:/home # geoiplookup 32.201.70.64
    GeoIP Country Edition: US, United States

    These kinds of errors and corrections occur often, so it's possible that your exception didn't come into play.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA