
Countryblock Rule does not match

Hello,

I created a Countryblock Rule as described here (https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/CreateFirewallSecurityRule.html) but this rule does not match.

My published web server must not be available outside my country (one in Europe).

On my Device Access / WAN zone there is nothing enabled and there is no ACL.

In my web server log I see many accesses from the USA, China and so on.

Why?

How can I fix it?

Sincerely,

Guenter

  • You need to create a black hole for all the countries you wish to block. The country list in XG is quite extensive and does work. I can’t provide details at the moment. There is a KBA on setting up black holes that only works in IPv4 rules.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Use a DNAT rule: use HTTPS + source the countries you do not want. NAT them to nowhere (translated destination).

    PS: Be sure, country blocking is not the holy grail of security and is easily avoidable.

    __________________________________________________________________________________________________________________

  • Hello,

    Thanks for your answer.

    Why does my rule not match?

  • Firewall rules are not prioritized if you have a WAF rule in place. The WAF rule will pick up the traffic first.

    __________________________________________________________________________________________________________________

  • Interesting.

    Then is this packet flow picture wrong?

    In this picture the WAF rules are behind all other rules.

    And on the other hand: in this case, is my rule order worthless? Why can WAF rules be placed between normal L3 rules when WAF is processed first?

    Please share a complete picture/list with processing priorities. This is very important for us.

    Guenter

  • The internal view of this packet flow is not sorted by prioritization. There are way more complex mechanisms going on in this picture than it is possible to reflect. Hence it lists a module about processing and what is covered by it. PS: The traffic flow is also different externally vs. internally.

    Your firewall rule is indeed not applied to any external traffic.

    Simply use a DNAT rule; that will do the job.

    __________________________________________________________________________________________________________________

  • Wow, that's heavy.

    L3 rule order does not matter. This makes no sense for us.

    But thank you for your honesty.

    Guenter

  • That's not my point.

    WAF is a priority item within the firewall rule set. It will grab all traffic before even the firewall is applied. It's like NAT.

    Think about WAF as a NAT + firewall rule. As it is a NAT rule (Business Application rule in v17.5), it will grab the traffic and allow it automatically. As this NAT rule is built in, it can only be excluded by a NAT rule of your own.

    The firewall rule at this point will never hit in any manner, as the NAT rule of WAF has already marked this traffic to be considered. And the NAT rule will fetch this with its own NAT rule.

    Generally speaking it's not an issue, as you can simply perform the same task with a NAT rule. It's just another screen.

    PS: Once again, country blocking is simply a low-level security feature. By no means is it secure to perform country blocking and rely on it. It's way too easy to simply use VPNs or hosted servers. There are way too many IPs not categorized today by any country (flexible IPs). Attackers simply bypass such country blocking rules. Scanners like Shodan simply show if country blocking is in place and tell you from which country you have to attack.

    __________________________________________________________________________________________________________________

  • FormerMember (in reply to LuCar Toni)

    Hi,

    As said, the services used within WAF/DNAT/ACL are called local services, and to block external traffic from specific countries to these services, you have to create a black hole DNAT rule.

    Create a black hole DNAT rule as per the following KBA and add the required countries in the source network: 

    Reference Community thread: GeoIP.

    Thanks,
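    The two posts above (LuCar Toni's explanation that the built-in WAF/NAT rule claims traffic before the L3 firewall table is consulted, and FormerMember's black-hole DNAT workaround) can be illustrated with a small model. This is an added example, not Sophos code and not the actual SFOS packet-processing engine: it assumes a simplified "NAT table first, then firewall table, first match wins" evaluation, a built-in WAF rule living in the NAT stage, and constructed two-letter country codes for packet sources. The rule names and the `ORIGINAL_RULES` / `FIXED_RULES` layouts are hypothetical; the point is that the country-block firewall rule never sees WAF traffic, whatever position it has in the UI, until a black-hole DNAT rule is placed above the WAF rule.

```python
# Added example, not Sophos code: a toy model of the rule precedence the
# thread describes. NAT-stage rules (the built-in WAF rule and any DNAT rule)
# are consulted before the L3 firewall table, so an L3 country-block rule never
# sees traffic the WAF has already claimed. A black-hole DNAT rule listed above
# the WAF rule in the NAT table is the workaround recommended in the thread.
from dataclasses import dataclass


@dataclass
class Packet:
    src_country: str   # constructed two-letter code, e.g. "US" (assumption)
    dst_port: int


@dataclass
class Rule:
    name: str
    table: str                               # "nat" or "firewall"
    action: str                              # "waf", "blackhole", "allow", "drop"
    ports: frozenset = frozenset()           # empty = any destination port
    src_countries: frozenset = frozenset()   # empty = any source country

    def matches(self, pkt: Packet) -> bool:
        return ((not self.ports or pkt.dst_port in self.ports) and
                (not self.src_countries or pkt.src_country in self.src_countries))


def evaluate(rules, pkt):
    """Return (verdict, matching_rule_name).

    Modelled assumption taken from the thread: the NAT table is walked first
    and the first match there decides. Only traffic that matched nothing in
    the NAT table ever reaches the L3 firewall rules, so where a firewall rule
    sits relative to the WAF rule in the UI is irrelevant.
    """
    verdicts = {"waf": "allowed-to-waf", "allow": "allowed",
                "blackhole": "dropped", "drop": "dropped"}
    for table in ("nat", "firewall"):
        for rule in rules:
            if rule.table == table and rule.matches(pkt):
                return verdicts[rule.action], rule.name
    return "dropped", "default-drop"


HTTPS = frozenset({443})
BLOCKED = frozenset({"US", "CN"})   # constructed list of unwanted sources

# Hypothetical original layout: a country-block firewall rule placed *above*
# the WAF rule in the UI. The WAF rule is modelled as a built-in NAT-stage rule.
ORIGINAL_RULES = [
    Rule("Countryblock", "firewall", "drop", HTTPS, BLOCKED),
    Rule("WAF-Webserver", "nat", "waf", HTTPS),
]

# Workaround from the thread: a black-hole DNAT rule for the unwanted countries,
# listed before the built-in WAF rule in the NAT table.
FIXED_RULES = [
    Rule("Blackhole-DNAT", "nat", "blackhole", HTTPS, BLOCKED),
    Rule("WAF-Webserver", "nat", "waf", HTTPS),
    Rule("Countryblock", "firewall", "drop", HTTPS, BLOCKED),
]


def verdict_for(rules, country, port=443):
    """Verdict only, for a single constructed source country and port."""
    return evaluate(rules, Packet(country, port))[0]


def audit(rules, samples):
    """Report, per constructed sample source, whether it still reaches the WAF."""
    return {country: verdict_for(rules, country) for country in samples}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(label, audit(rules, ["DE", "US", "CN"]))
```

    Running the block shows that with `ORIGINAL_RULES` every sample source, including the ones the country-block rule names, is handed to the WAF, while with `FIXED_RULES` the unwanted sources are dropped by the black-hole DNAT rule before the WAF ever sees them. Checking the web server log for hits from the blocked countries after the change is the corresponding real-world verification.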

  • Hi,

    You and LuCar Toni are right. The DNAT trick is a workaround that works.

    But this is not the jumping point.

    The jumping point is that the user interface allows ordering of rules. There is no hint that a WAF rule bypasses the L3 rule order!

    To any Sophos or iptables technician this may be clear.

    But a customer, in my case a Cisco ASA guy, grumbles about that. Because this is a big trap and suggests security that does not exist.

    Guenter