Geo-ip filter on WAF rule

Ian,

You can apply Waf rule using country filter by adding only UK under source network as you do on dnat or network firewall rule.

Regards

Thanks very much, just had a look at that and it doesn't seem to be working,.

On the business application rule I can set the access permission and allowed client networks,  it it doesn't show any of the country filters included in a basic firewall rule.

Running XG v16.1.0.2

Thanks again

Ian

Ian make sure you are on v16 as firmware. Also inside the source network make sure to show all.

Thanks

Im on v16 firmware and there is not option to add Country to allowed/blocked network...

Hi Dejan,

I am curious to know what happens when you add other countries in the blocked client network box and keep Italy in the allowed box.

Thanks

Im sorry but I don't understand what you mean?

In HTTP Bussines Rule is not possible add any Country or Country Group.

Normal Non HTTP Bussines Rule have option to add Country:

But HTTP Bussines Rule don't have(Picture from my previous post)...

Hi,

we do not support country blocking for WAF (name in v15: HTTP based Business Application rule).

We do support GeoIP blocking. Therefore, you have to create and select a Protection Policy with 'Block clients with bad reputation' enabled and mode 'reject'.

Best,
 Sabine

Sabine,

thanks for your reply. Is this behaviour going to change? A standard for both HTTP and not-HTTP will be nice and improve the management.

Thanks

Hi,

sorry, I'm not aware of any plans to change this.

Sabine

This is still not supported, are there any plans to change this?

Is a basic feature in any enterprise firewall.

Hi Sabine,

Sorry to resurrect such an old post, but I was just researching if something was possible and this was the nearest find.

My use-case simply is that i'd like to use geo-ip to block every country apart from UK being able to access my ssl vpn (i.e. i'd rather limit who my exposed ssl vpn port is open to).  I have geo-ip restrictions in place for surfing - but as you'd expect i would want to surf to more countries than i expect to receive vpn connections from.

Is this in any way possible via the geo-ip exceptions ?  (at first glance, this seems to work the reverse way to what i'm looking for)

UTM 9.701-6

Thanks, Dave

For SSL VPN you can't do this.

For WAF you can on XG, but only on v17.5, on v18 this method is broken. Being tracked by Sophos with NC-51857.

For v18, when It's fixed you will be able to create a rule like this, on top of the WAF Rule.

While #Port2 = The port WAF is listening for connections.

I know, this rule is really bad since It doesn't give you a lot of control, but apparently Sophos will never support Geo-IP Blocking directly on the WAF Rule.

So this is the only way right now...

For SSL VPN you can't do this.

For WAF you can on XG, but only on v17.5, on v18 this method is broken. Being tracked by Sophos with NC-51857.

For v18, when It's fixed you will be able to create a rule like this, on top of the WAF Rule.

While #Port2 = The port WAF is listening for connections.

I know, this rule is really bad since It doesn't give you a lot of control, but apparently Sophos will never support Geo-IP Blocking directly on the WAF Rule.

So this is the only way right now...