Hi. It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).
I have tested this with a proxy in the blocked countries.
I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it, basically ignoring it. The rule is never triggered, thus always stating in 0 B, out 0 B. I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.
I will reproduce the incident and update you. Meanwhile, can I know which firmware version your UTM resides on?
In reply to sachingurung:
I am using
In reply to TimothyStewart:
I came across a similar post and interestingly we have a solution. You can refer to this link to configure Country blocking on your device.
Hope that helps :)
Hi there. This does not address my concern. I have also posted in that same thread and was asked to create a new thread after the bug was confirmed. Please see my post in that thread and the response from a sales engineer. This is confirmed to be broken when trying to protect WAN>LAN. It works for protecting XG Firewall services though with a local ACL.
Oh! I missed it. I will check this personally and update you soon.
I have an answer in regards to this.
The problem you're experiencing is a known limitation and will be fixed in version two later this year. Here's a temporary fix, which I actually don't like but it works.
Create a NON-HTTP business application rule. As the source host, add your country that you want to block. Set the Source Zone to WAN and the hosted address to the WAN interface.
Then this is the part that I'm not fond of - add a dummy or loopback address as the protected server and opt to forward all ports and click save.
This will then ensure that all requests from the country you want to block are going to a "BlackHole".
In reply to BenVerschaeren:
BenVerschaeren, you win! That's too bad that this doesn't work out of the box; however, sending the packets off to Neverland is a decent workaround. Thanks for your help! I'll keep an eye out for v2. You were of great help both in the forums and PMs. You get 2 gold stars!
Do we know if this is fixed in MR2? Had some nasties try to get to my 2012 VPN server, it's fairly well protected but would rather stop them even getting the chance to get there. Would rather not put a workaround in and know the rule works. Have set it up but until they try and fail / succeed I have no other way of knowing it is working.
In reply to nicholasbooth:
I would also like to know if this has been fixed, because it does not appear to be working after the latest update. My country blocking rule shows zero in and zero out.
In reply to BrettZehr:
It's not, although we've introduced a really nice way to do this in version 16 due to be released shortly. Happy to upload a screenshot if it's of interest to you!
Do share please! Thanks
I am using SFOS 16.01.1 (upgraded last night) and seeing a lot of Intrusion attacks from the countries I blocked in the previous version.
I have the Firewall rule (Blocked countries) at the top.
In the Reports -> Network & Threats (Intrusion Attacks 7.75k and growing, Attacks detected and allowed 7.75k).
This definitely says the rule is not working.
I found this thread while searching for this issue and I want to know how to create this rule.
I want to know how to create a dummy loopback address.
In reply to AdelaideShores:
I look forward to seeing what everyone else's results are. I tested this on a few different XGs tonight. I see traffic is hitting the rule, but it didn't quite work as I expected (or maybe it did?). I put in the Country rule and tested access to a few servers using GeoPeeker. All of the countries were able to access the website with the Country Block rule up top. But if I add those Countries to the Blocked Hosts on the Business rule of that server, it works and the Countries on GeoPeeker were not able to access the site. So that's good, however it seems like by putting the Country rule up top that should have blocked it?? Unsure.
PS. Why does the traffic show as "Out"? Shouldn't it be "In"? Seems backwards?
In reply to DMR188:
Yes, it should be IN. But somehow it is showing both ways.
This is the latest screenshot.
How do I add the countries as blocked hosts in the Business rule?
When I try to create a new Business rule, I am selecting the Application Template as "DNAT/Full NAT/Load Balancing" and
assigning a rule name.
Source Zone -> WAN
Allowed Client Networks -> ??
Blocked Client Network -> Blocked countries
Destination & Service:
Destination Host/Network -> ??
Forward type -> ??
Service ports Forwarded -> I want to block everything, so not sure what ports I need to assign
Protocol -> TCP or UDP
Protected Servers -> I want to protect everything
Mapped Port Type -> ??
Mapped Port ->
Protected Zone -> I want to protect LAN, VPN & Wi-Fi
I know I am asking a lot, but if you can give me what I need to select there it will be very helpful to me.
So it doesn't look too far off, but as far as the Business rules, that would be just to open up some ports to a particular device on the LAN (i.e. Server). So typically it would look like:
Source Zone = WAN
Allowed Client Networks = Any (Or you could specify specific networks, like if you just want a service provider to have access to this server)
Blocked Client Networks = (I usually put the Countries here)
Destination Host/Network = Outside IP Object of the Server/Device - Or if you don't have multiple IPs, just the WAN Interface
Forward Type = Let's use a single "port" in this example
Service Ports = Let's say we're gonna do RDP to this server - So you'd type 3389 here
Protected Servers = Inside IP Object of the Server
Mapped Port = In this example it will just fill in 3389 for you - Or you could change it
Protected Zone = LAN
Advanced = Basically whatever you want down there
So that example is to open ports to a specific host. I think your example/question is like you said, you don't wanna open anything, you just want to block all Countries from accessing anything on your LAN. In that case I think your rule would be how you do it, but I don't think it's quite working? Hopefully someone else can shed some more light on how to do Country Blocking.