This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

GeoIP

Is anybody having success in using the GeoIP functionality? I am not and i find it quite frustrating.

What have i done:
1. created a country group within that group f.i. Romania:

2. created a Drop rule based on the country group:

3. Have been checking logs for a couple of weeks, today i saw that there wher entries in the log showing me that traffic was allowed originating from a Romanian IP:

And this is only one example, my log is filled with more similar ones.
Any thoughts on this? Is my thinking wrong, was my execution poor or are my expectations not right?

Grtz, Peter-Paul

This thread was automatically locked due to age.

Top Replies

Peter-Paul Gras over 4 years ago in reply to FormerMember +1

The blackhole DNAT rule does the trick. Thank you very much for all you and Sophos staff did on this subject. Much appreciated.

Parents

0 FormerMember over 4 years ago

Hi All,

This issue is currently being investigated with internal ID NC-58436. I will update this post as soon as more information becomes available.

Thank you Peter-Paul Gras for providing support access to your firewall to collect detailed logs and packet capture.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
+1 FormerMember over 4 years ago in reply to FormerMember

Hi Peter-Paul Gras

This is known behavior when the service is destined for the local service on the XG. The firewall rules do not come into effect for the local system. Thus to overcome this, creating a DNAT rule with source as the country group, and follow the instructions outlined in this KB Article : Sophos XG: Creating a blackhole DNAT.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 Peter-Paul Gras over 4 years ago in reply to FormerMember

The blackhole DNAT rule does the trick.
Thank you very much for all you and Sophos staff did on this subject. Much appreciated.

SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th 2023

Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports

[If any of my posts are helpful to you please use the 'Verify Answer' link]
Cancel
Vote Up +1 Vote Down

Cancel
0 Oo-T over 4 years ago in reply to Peter-Paul Gras

Hi Peter,

I tried to create a DNAT rule to block a country access to my WAN Sophos interface without success.

Can you please share with us what did put as parameters.

Thanks in advance.

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 Oo-T over 4 years ago in reply to Peter-Paul Gras

Hi Peter,

Never mind, found how to create it.

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Oo-T over 4 years ago in reply to Peter-Paul Gras

Hi Peter,

Never mind, found how to create it.

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 rfcat_vk over 4 years ago in reply to Oo-T

Hi,

I applied that rule to my v18 XG and ended up with 3 NAT rules of which I deleted 2 because they were not showing any use.

I knew my XG was being attacked, but just didn't realise how much over 7000 in 6 hours, from the same IP address in Russia using the same source port.

Ian

XG115W - v20.0.1 MR-1 - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

0 Rijsbol over 3 years ago in reply to Oo-T

I have the same problem. Is it like this (link)

Rule name	Enter a name
Original source	Any
Original destination	The WAN interface of your XG Firewall
Original service	Select a service
Translated source (SNAT)	Original
Translated destination (DNAT)	A dummy IP address (a host that does not exist)
Translated service (PAT)	Original
Inbound interface	Any
Outbound interface	Any

0 FormerMember over 3 years ago in reply to Rijsbol

Hi Rijsbol

Could you please provide the screenshot of your country blocking rule and let me know what service/port you still see traffic from the blocked countries?

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 Rijsbol over 3 years ago in reply to FormerMember

As requested:

NAT Rule

In the Source: BLOCK the country group with Ukraine included.
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to Rijsbol

Hi Rijsbol

Thank you for providing screenshots of your firewall rules.

Please change the destination to some other IP address that is not configured in your internal network. The IP address 1.2.3.4 is a magic IP address that is used for Sophos AP registration on the firewall. Also, consider creating a matched drop/reject firewall rule.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel