

GeoIP

Is anybody having success using the GeoIP functionality? I am not, and I find it quite frustrating.

What have I done:
1. Created a country group, with for instance Romania in that group:

2. Created a Drop rule based on the country group:

3. Have been checking logs for a couple of weeks; today I saw that there were entries in the log showing me that traffic was allowed originating from a Romanian IP:

And this is only one example, my log is filled with more similar ones.
Any thoughts on this? Is my thinking wrong, was my execution poor or are my expectations not right?

Grtz, Peter-Paul



  • FormerMember
    0 FormerMember

    Hi All, 

    This issue is currently being investigated with internal ID NC-58436. I will update this post as soon as more information becomes available.

    Thank you  for providing support access to your firewall to collect detailed logs and packet capture. 

    Thanks,

  • FormerMember
    +1 FormerMember in reply to FormerMember

    Hi  

    This is known behavior when the traffic is destined for a local service on the XG. The firewall rules do not come into effect for the local system. To overcome this, create a DNAT rule with the source set to the country group, and follow the instructions outlined in this KB article: Sophos XG: Creating a blackhole DNAT.

    Thanks,
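    The gap described above (a GeoIP drop rule that never sees traffic addressed to the firewall's own services) is easiest to confirm from the logs. The following audit script is an added example, not code from the thread or from Sophos: it parses a constructed key=value log format (not the real SFOS log syntax), separates connections from a blocked country into "dropped", "allowed to the firewall itself" and "allowed to a host behind the firewall", and counts the local-service hits per source address and source port. The country codes, IP addresses and ports in the sample are constructed values.

```python
"""Audit firewall log lines for the GeoIP gap described in this thread:
connections from a country that a drop rule should have blocked, but that
were allowed because they were addressed to a service on the firewall itself
(the firewall rules are not applied to traffic destined for the local system).

Added example, not from the thread or from Sophos. The key=value log format
below is constructed for the demonstration and is not the real SFOS log syntax;
the country codes, IP addresses and ports are constructed sample values.
"""
import re
from collections import Counter

# Matches key=value pairs, allowing double-quoted values that contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one constructed key=value log line into a dict of strings."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event, blocked_countries, local_ips):
    """Classify a parsed event against the blocked-country set.

    Returns one of:
      "ignored"      - source country is not in the blocked set
      "dropped"      - the GeoIP drop rule did its job
      "local_gap"    - allowed, and aimed at the firewall's own address
                       (the case the firewall rule never sees)
      "forward_gap"  - allowed, and aimed at a host behind the firewall
                       (a rule ordering or group membership problem instead)
    """
    if event.get("src_country") not in blocked_countries:
        return "ignored"
    if event.get("action") != "allow":
        return "dropped"
    if event.get("dst_ip") in local_ips:
        return "local_gap"
    return "forward_gap"


def audit(lines, blocked_countries, local_ips):
    """Return (counts per class, Counter of (src_ip, src_port) for local gaps).

    The per-source counter surfaces the pattern reported later in the thread:
    many hits from one address reusing the same source port.
    """
    counts = Counter()
    local_sources = Counter()
    for line in lines:
        ev = parse_line(line)
        cls = classify(ev, blocked_countries, local_ips)
        counts[cls] += 1
        if cls == "local_gap":
            local_sources[(ev.get("src_ip"), ev.get("src_port"))] += 1
    return counts, local_sources


# Constructed sample log lines using documentation-range addresses.
# 198.51.100.5 plays the firewall's own WAN address, 192.0.2.0/24 the LAN.
SAMPLE_LOG = [
    'ts=2023-11-06T10:01:02 action=allow src_ip=203.0.113.10 src_port=40000 '
    'src_country=RO dst_ip=198.51.100.5 dst_port=443 proto=tcp msg="local service"',
    'ts=2023-11-06T10:01:05 action=drop src_ip=203.0.113.11 src_port=50001 '
    'src_country=RO dst_ip=192.0.2.20 dst_port=80 proto=tcp msg="geoip drop"',
    'ts=2023-11-06T10:01:09 action=allow src_ip=203.0.113.10 src_port=40000 '
    'src_country=RO dst_ip=198.51.100.5 dst_port=8443 proto=tcp msg="local service"',
    'ts=2023-11-06T10:01:12 action=allow src_ip=198.51.100.77 src_port=5555 '
    'src_country=NL dst_ip=198.51.100.5 dst_port=443 proto=tcp msg="not blocked"',
    'ts=2023-11-06T10:01:20 action=allow src_ip=203.0.113.12 src_port=60000 '
    'src_country=RO dst_ip=192.0.2.30 dst_port=443 proto=tcp msg="forwarded"',
]

if __name__ == "__main__":
    counts, sources = audit(SAMPLE_LOG, {"RO"}, {"198.51.100.5"})
    for cls, n in sorted(counts.items()):
        print(f"{cls:12s} {n}")
    for (ip, port), n in sources.most_common():
        print(f"local-service hits from {ip}:{port}: {n}")
```

    Any "local_gap" entries after the country drop rule is in place are the symptom the thread is about; once the blackhole DNAT is added, those connections should stop appearing as allowed. "forward_gap" entries point to a different cause (rule order or group membership) and are worth checking separately.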

  • The blackhole DNAT rule does the trick.
    Thank you very much for all you and Sophos staff did on this subject. Much appreciated.

    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Hi Peter,

    I tried to create a DNAT rule to block a country's access to my WAN Sophos interface, without success.

    Can you please share with us what you put in as parameters?

    Thanks in advance.

    Regards

  • Hi Peter,

     

    Never mind, found how to create it.

    Thanks.

  • Hi,

    I applied that rule to my v18 XG and ended up with 3 NAT rules, of which I deleted 2 because they were not showing any use.

    I knew my XG was being attacked, but just didn't realise how much: over 7000 in 6 hours, from the same IP address in Russia using the same source port.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I have the same problem. Is it like this (link)?

    Rule name: Enter a name
    Original source: Any
    Original destination: The WAN interface of your XG Firewall
    Original service: Select a service
    Translated source (SNAT): Original
    Translated destination (DNAT): A dummy IP address (a host that does not exist)
    Translated service (PAT): Original
    Inbound interface: Any
    Outbound interface: Any

  • FormerMember
    0 FormerMember in reply to Rijsbol

    Hi  

    Could you please provide the screenshot of your country blocking rule and let me know what service/port you still see traffic from the blocked countries? 

    Thanks,
