Country blocking exception not working

Question

I'm running Firmware version: 9.303-2. I have Country Blocking turned on to some  countries, one of which is Netherlands.

When I try to go to: Yellow Bricks

I get this error:
Content blocked
While trying to retrieve the URL: Yellow Bricks
The content is blocked due to the following condition:
The URL you have requested matches a forbidden Country. If you think this is wrong, please contact your administrator.
Country: Netherlands

I went to "Country Blocking Exceptions" and created a an exception called "Whitelist"

It says its set to:

skip blocking of these countries:
    [Netherlands] Netherlands
for traffic going to these destination networks:
    Whitelist 1
    Whitelist 2
    Whitelist 3
Using these services:
    Any

For the three networks, I've tried three things:

Name: Whitelist 1
Type: DNS Host
Hostname: Yellow Bricks

Name: Whitelist 2
Type: DNS Host
Hostname: yellow-bricks.com

Name: Whitelist 3
Type: Network
IPV4 address: 109.237.219.143 /32

None of them work.

If I tell the country blocking list to allow Netherlands, it lets me access the site.

Any ideas?

Thanks!

Arch

This thread was automatically locked due to age.

GetParanoid · Answer

Update: This has been escalated for whatever that is worth. Bug ID29981 was assigned back on 9.1 with no workaround listed (for those of us who would like to track). The good news is after a couple of failed workaround attempts offered by dev to engineer to me, they have now figured out a workaround that actually "works"...  1. Definitions & Users -> Network Definitions -> create Host (IP) or DNS Host (Url) for desired exception  2. Network Protection -> Firewall -> Country Blocking Exceptions -> create your desired exception - must leave Skip blocking of these: BLANK  - must set For all request: going to these  - add your desired exception Host (IP) or DNS Host (Url) to Host/Networks - Save  3. Web Protection -> Filtering Options -> Misc -> Transparent mode skiplist -> add Host (IP) or DNS Host (Url) to Skip transparent mode destination hosts/nets -> Apply  UPDATED OBSERVATIONS 9.305-4! - After making above settings, sometimes exceptions don't "take" until you toggle that Country in Country Blocking to OFF (Apply) then back to ALL (Apply). I had to do this on a few of mine to get them to work. - Watch out when creating DNS Host, example.com might resolve to a different IP than it does with www added onto beginning or url.  ----------- The above is working for me in my scenario (transparent). There is also somewhere else on the client that must be set for those running standard mode, but I'm not familiar with that. If someone could chime in on clear instructions for that part it would be most appreciated. Here is that part of their instruction with portion I am unsure of marked in bold:  "Add site to proxy transparent destination bypass list & browser proxy exceptions list (if using standard mode) "

Coder68 · Answer

I am not a paid customer, so I guess I am out of luck.  Sad thing is, I was showing this to a friend that has a business and needs a new firewall. A company in town is trying to sell him the Palo Alto NGF, but he does not want to spend that much money. I suggested the Sophos. He liked what it had to offer, but when this failed to work, he seemed to lose interest. I will keep at him though.   That being said, do you know of any workaround for this issue?

Ol Deda · Answer

Don't CHECK anything, since the request is not coming...... It is definitely not a bug

DouglasFoster · Answer

The trick is that the country blocking excdpfion needs to include "http cache" service in addition to http and https. Juxt finishex a case on this with support. 
 An alternative is to disable url checking in a web filtering exception.