Country Blocking Not Working for a WAN > LAN Rule

Hi.  It seems like country blocking is not working for WAN -> LAN (or any other protected network behind XG Firewall).

I have tested this with a proxy in the blocked countries.

I have this rule at the top of the list and network traffic still passes even though the rule shouldn't allow it, basically ignoring it.  The rule is never triggered thus always stating in 0 B, out 0 B.  I have tried every combination of Source/Destination/Zone/Network and still it doesn't work.

  • Hi Timonthy,

    Greetings.

    I will reproduce the incident and update you. Meanwhile, can I know which Firmware version does your UTM resides on.

    Thanks

    Sachin Gurung

  • In reply to sachingurung:

    Thank you! 

    I am using 

    SFOS 15.01.0 MR-1.1
  • In reply to TimothyStewart:

    Hi Timonthy,

    I came across a similar post and interestingly we have a solution. You can refer this link to configure Country blocking on your device.

    https://community.sophos.com/products/xg-firewall/f/125/t/75479

    Hope that helps :)

    Thanks

    Sachin Gurung

  • In reply to sachingurung:

    Hi there.  This does not address my concern.  I have also posted in that same thread and was asked to create a new thread after the bug was confirmed.   Please see my post in that thread and the response from a sales engineer.  This is confirmed to be broken when trying to protect WAN>LAN.  It works for protecting XG FIrewall services though with a local ACL.

  • In reply to TimothyStewart:

    Hi Timonthy,

    Oh! I missed it. I will check this personally and update you soon.

    Thanks

    Sachin Gurung

  • In reply to sachingurung:

    Hi Timothy,

    I have an answer in regards to this. 

    The problem you're experiencing is a known limitation and will be fixed in version two later this year. Here's a temporary fix, which I actually don't like but it works.

    Create a NON-HTTP business application rule. As the source host, add your country that you want to block. Set the Source Zone to WAN and the hosted address to the WAN interface.

    Then this the part that I'm not fond of - add a dummy or loopback address as the protected server and opt to forward all ports and click save.

    This will then ensure that all requests from the country you want to block are going to a "BlackHole".

  • In reply to BenVerschaeren:

    , you win!  That's too bad that this doesn't work out of box however sending the packets of to Neverland is a decent workaround.  Thanks for your help!  I'll keep an eye out for v2.  You were of great help both in the forums and PMs.  You get 2 gold stars! StarStar

  • In reply to BenVerschaeren:

    Do we know if this is fixed in MR2? Had some nasties try to get to my 2012 VPN server, its fairly well protected but would rather stop them even getting the chance to get there. Would rather not put a workaround in and know the rule works. Have set it up but until they try and fail / succeed I have no other way of knowing it is working.

  • In reply to nicholasbooth:

    I would also like to know if this has been fixed, because it does not appear to be working after the latest update. My country blocking rule shows zero in and zero out. 

  • In reply to BrettZehr:

    It's not although we've introduced a really nice way to do this in version 16 due to be released shortly. Happy to upload a screenshot if it's of interest to you!

  • In reply to BenVerschaeren:

    Do share please! Thanks

  • In reply to BenVerschaeren:

    Hi BenVerschaeren,

    I am using SFOS 16.01.1 (upgraded last night) and seeing a lot of Intrusion attacks from the countries I blocked in previous version.

    I got the Firewall rule (Blocked countries) on the Top.

     

    In the Reports -> Network & Threats (Intrusion Attacks 7.75k and growing, Attacks detected and allowed 7.75k).

    This definitely says the rule is not working.

    I found this thread while searching for this issue and I want to know How to create this rule.

    I want to know how to create a dummy loop back address.

     

    Thank you,

    Krishna

  • In reply to AdelaideShores:

    I look forward to seeing what everyone else's results are. I tested this on a few different XG's tonight.  I see traffic is hitting the rule, but didn't quite work as I expected (Or maybe it did?).  I put in the Country rule and tested access to a few servers using GeoPeeker.  All of the countries were able to access the website with the Country Block rule up top.  But if I add those Countries to the Blocked Hosts on the Business rule of that server, it works and the Countries on GeoPeeker were not able to access the site.  So thats good, however it seems like by putting the Country rule up top that should have blocked it??  Unsure.

     

    PS.  Why does the traffic show as "Out"?  SHouldn't it be "In"?  Seems backwards?

     

    Thanks

  • In reply to DMR188:

    Yes, It should be IN. But some how it is showing both ways.

    This is the latest screenshot.

     

    How do I add the countries as blocked hosts in the Business rule.

    When I try to create a New Business rule, I am selecting the Application Template as "DNAT/Full NAT/Load Balancing"

    assigning a rule name.

    Source:

    Source Zone -> WAN

    Allowed Client Networks -> ??

    Blocked Client Network -> Blocked countries

    Destination & Service:

    Destination Host/Network -> ??

    Forward type -> ??

    Service ports Forwarded -> I want to block every thing So not sure what ports I need to assign

    Protocol ->TCP or UDP

    Forward To:

    Protected Servers -> I Want to protect everything

    Mapped Port Type -> ??

    Mapped Port ->

    Protected Zone -> I want to protect LAN, VPN & Wi-Fi

     

    I know I am asking a Lot, But if you can give me what I need to select there it will be very helpful to me.

     

    Thank you,

    Krishna

  • In reply to AdelaideShores:

    So it doesn't look too far off, but as far as the Business rules, that would be just to open up some ports to a particular device on the LAN (i.e Server).  So typically it would look like:

     

    Source Zone = WAN

    Allowed Client Networks = Any (Or you could specify specific networks, like if you just want a service provider to have access to this server)

    Blocked Client Networks = (I usually put the Countries here)

    Destination Host/Network = Outside IP Object of the Server/Device - Or if you don't have multiple IP's, just the WAN Interface

    Forward Type = Lets use a single "port" in this example 

    Service Ports = Lets say we're gonna do RDP to this server - So you'd type 3389 here

    Protected Servers = Inside IP Object of the Server

    Mapped Port = In this example it will just fill in 3389 for you - Or you could change it

    Protected Zone = LAN

    Advanced = Basically whatever you want down there

     

     

    So that example is to open ports to a specific host.  I think your example/question is like you said, you don't wanna open anything, you just want to block all Countries from accessing anything on your LAN.  In that case I think your rule would be how you do it, but I don't think its quite working?  Hopefully someone else can shed some more light on how to do Country Blocking.

     

    Thanks