Sophos Central Firewall Manager (CFM) maintenance scheduled for Wednesday, July 8th starting at 06:30 GMT. Expected time to complete is 5 hours. Partners will be unable to access CFM during this period.


Is anybody having success in using the GeoIP functionality? I am not and i find it quite frustrating.

What have i done:
1. created a country group within that group f.i. Romania:

2. created a Drop rule based on the country group:

3. Have been checking logs for a couple of weeks, today i saw that there wher entries in the log showing me that traffic was allowed originating from a Romanian IP:

And this is only one example, my log is filled with more similar ones.
Any thoughts on this? Is my thinking wrong, was my execution poor or are my expectations not right?

Grtz, Peter-Paul

  • Hi All, 

    This issue is currently being investigated with internal ID NC-58436. I will update this post as soon as more information becomes available.

    Thank you  for providing support access to your firewall to collect detailed logs and packet capture. 


  • In reply to H_Patel:


    This is known behavior when the service is destined for the local service on the XG. The firewall rules do not come into effect for the local system. Thus to overcome this, creating a DNAT rule with source as the country group, and follow the instructions outlined in this KB Article : Sophos XG: Creating a blackhole DNAT.


  • In reply to H_Patel:

    The blackhole DNAT rule does the trick.
    Thank you very much for all you and Sophos staff did on this subject. Much appreciated.

  • In reply to Peter-Paul Gras:

    Hi Peter,


    I tried to create a DNAT rule to block a country access to my WAN Sophos interface without success.

    Can you please share with us what did put as parameters.


    Thanks in advance.



  • In reply to Peter-Paul Gras:

    Hi Peter,


    Never mind, found how to create it.


  • In reply to Oo-T:


    I applied that rule to my v18 XG and ended up with 3 NAT rules of which I deleted 2 because they were not showing any use. 

    I knew my XG was being attacked, but just didn't realise how much over 7000 in 6 hours, from the same IP address in Russia using the same source port.