GeoIP

Is anybody having success in using the GeoIP functionality? I am not and I find it quite frustrating.

What I have done:
1. created a country group within that group f.i. Romania:

2. created a Drop rule based on the country group:

3. Have been checking logs for a couple of weeks, today I saw that there were entries in the log showing me that traffic was allowed originating from a Romanian IP:

And this is only one example, my log is filled with more similar ones.
Any thoughts on this? Is my thinking wrong, was my execution poor or are my expectations not right?

Grtz, Peter-Paul

  • Not based on any real knowledge about this, I'm curious what a source WAN zone versus Any would do?

  • In reply to Paul Warriner:

    Have tried that as well. In my experience with no difference.

  • In reply to Peter-Paul Gras:

    Just for the notes, I tested v18 GA and v17.5.9 on console and it shows the same lookup as Romania.

    What I do see is the GeoLite2 MaxMind database, if the XG is still using it somewhere, doesn't list the 185.100.87.x subnet.

    Wonder if IP address lookup and Country group matching are using different data stores?

  • Hi Peter-Paul Gras,

    Is traffic from the Romanian IP allowed from the same firewall rule that you have configured to block traffic based on GeoIP? Or is it allowed by a different rule?

    Thanks,

  • In reply to H_Patel:

    This Drop rule is the first FW rule in my firewall.

    I would expect it to block traffic coming from these blocked countries based on the fact that it is the first FW rule to be hit.
    BTW, no allow rules defined....

    Grtz

  • In reply to Peter-Paul Gras:

    Hi Peter-Paul Gras,

    Could you please share full traffic logs that show the ports involved? What is the UserPortal port configured on the firewall? Do you have HTTPS access allowed over WAN Zone?

    Thanks,

  • In reply to Peter-Paul Gras:

    Peter,

    What is the target of the traffic logged and allowed? I mean, does the traffic go to User portal, Web Admin or any local XG services?

    How did you try to simulate the traffic?

    Thanks

  • In reply to lferrara:

    Hey guys,

    He is not asking about specific ports or applications but that an IP address range is not blocked when using the XG country blocking and that IP range is registered against a country he has blocked.

    So, how does the database that XG uses get updated?

    Ian

  • In reply to rfcat_vk:

    Thank you Ian for explaining this.

    I was already puzzling on what was being asked from me and how to reply.
    But it is exactly what you said. I've countries I want to block and see every single IP address originating from these countries being allowed. Not a single one is being dropped, while the GeoIP drop rule is my first rule, all traffic should stumble over this one rule.

    My main question was: has anybody got this working? 

    Grtz, Peter-Paul

  • In reply to Peter-Paul Gras:

    Hi Peter-Paul,

    Yes, I have it working on outgoing. It will not work on incoming because the traffic needs to hit the firewall to be assessed. I do see a lot of access attempts from Romania and Russia at the moment on a range of ports but my firewall rule to drop incoming traffic from Russia never shows any activity. I put the block Russia there because my wife was being sent junk/attack email from Russia; since I put the block rule she hasn't received any more so I can only assume something is working.

    Ian  

  • In reply to rfcat_vk:

    Ok good to know it is working on outgoing traffic for you, but not on incoming.
    I need to block the incoming traffic. Will wait to see if any of the senior members here or Sophos Staff has a solution for this.

    Grtz, Peter-Paul

  • In reply to Peter-Paul Gras:

    Since we are holding, I'll place my bet on the GeoLite2 database (or a variant). :)

    Not that I am doing an exhaustive test, but I am finding IPs in GeoLite2 are blocked, and ones not in the table are allowed.
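
The comparison described in the reply above (addresses present in the country table versus addresses missing from it) can be run against the source IPs of allowed log entries. This is an added example, not part of the thread and not Sophos tooling; the simplified CSV layout, the documentation-range addresses and the function names are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample: simplified country table (network -> ISO code).
# Real GeoIP databases use their own column layout; this one is an assumption.
GEO_TABLE_CSV = """network,country_iso_code
198.51.100.0/24,RO
203.0.113.0/25,RO
192.0.2.0/24,NL
"""

# Constructed sample: source IPs copied from "allowed" firewall log entries.
ALLOWED_SOURCES = ["198.51.100.7", "203.0.113.200", "192.0.2.15"]
BLOCKED_COUNTRIES = {"RO"}


def load_table(text):
    """Parse the CSV into (network, country) pairs, most specific prefix first."""
    rows = csv.DictReader(io.StringIO(text))
    table = [(ipaddress.ip_network(r["network"]), r["country_iso_code"]) for r in rows]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def lookup(table, ip):
    """Return the country of the longest matching prefix, or None if uncovered."""
    addr = ipaddress.ip_address(ip)
    for net, country in table:
        if addr.version == net.version and addr in net:
            return country
    return None


def classify(table, sources, blocked):
    """Label each allowed source IP by what the country table says about it."""
    result = {}
    for ip in sources:
        country = lookup(table, ip)
        if country is None:
            result[ip] = "not in table: no country entry covers it"
        elif country in blocked:
            result[ip] = f"in table as {country}: rule should have dropped it"
        else:
            result[ip] = f"in table as {country}: not a blocked country"
    return result


if __name__ == "__main__":
    table = load_table(GEO_TABLE_CSV)
    for ip, verdict in classify(table, ALLOWED_SOURCES, BLOCKED_COUNTRIES).items():
        print(ip, "->", verdict)
```

Entries reported as "not in table" point at a coverage gap in the data; entries reported as "rule should have dropped it" point at rule matching instead.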

  • In reply to Peter-Paul Gras:

    Hi Peter-Paul Gras,

    I'm testing this issue in my LAB. I will update you with the findings as soon as possible. 

    Thanks,

     

  • Hi Peter-Paul Gras,

    I was able to replicate this issue in my LAB: traffic from the country that is supposed to be blocked by the country blocking rule did not trigger that block rule. I have reported this issue to the internal team. I will update this thread as soon as I get feedback on this issue.

    Thanks,

     

  • In reply to H_Patel:

    Thank you for letting us know and confirming the findings.

    Grtz, Peter-Paul