Stop RFC1918 addresses from going to WAN (PCI DSS requirement)

Question

Is it possible to configure XG firewall to stop packets sourced from a private LAN and destined for RFC 1918 private IP address space going out to the Internet ? This is a PCI DSS requirement. Since Sophos does have articles talking about PCI compliance I presume it can do this, but have not found a detailed approach documented anywhere. Thanks 
 ...brian

KingChris · Accepted Answer

Hi Brian Cole 
 
 This is standard routing that happens on all network devices. If the XG does not have a route for that network that is being requested, it will send it out its default gateway. 
 Only way to stop this is by creating a drop rule as already advised. 
 Thanks!

Deepak Verma · Answer

Hi, 
 You can do it on the Sophos XG firewall same as the Cisco router or firewall. You can create a new Firewall User rule on the top (source LAN and Destination WAN) with an action of Drop. And Destination Subnet/Device must be only IP Subnets as defined in the RFC1918. It will drop the packets and will not move on the WAN. 
 10.0.0.0 - 10.255.255.255 (10/8 prefix)
 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)