
Sophos Firewall: Troubleshooting Country blocking issues.

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview:

This recommended read describes how to troubleshoot country-blocking issues in which traffic is not dropped (or allowed) as the country-based firewall rule is configured to do.

Scenario:

You have observed that country-based rules are not working as expected, so traffic from some IPs or countries is allowed or blocked contrary to the firewall rule's action.

What to do:

Step 1: Re-check the configuration against the documentation

Ensure that the country-blocking rule is configured as described in the guide.

As the guide notes, if any web application firewall (WAF) rules are active, a country-based firewall rule won't take effect. In that case, create a black hole DNAT rule and add the country you want to block as the original source. See Create a Black Hole DNAT Rule.

Step 2: Verify the matching rule

Check the traffic in Log viewer and confirm that it is matching the rule you created for country blocking (Log viewer shows the matched rule for each entry).

Review that rule (the one identified in Log viewer) to validate its "source network" and the action selected for it.

Note:

  • Sophos Firewall evaluates rules top to bottom and applies the first match, so make sure the rule sequence is correct.
  • Best practice is to keep the country-blocking rule at the top.

Step 3: Pattern updates

Verify that the patterns are up to date by navigating to System > Backup & Firmware > Pattern Updates.

Sophos Firewall uses a Geo-IP database for country-based classification. To confirm that the "Geoip ip2country DB" pattern is installed, check that the geo-ip files are present in the /content directory with the following command (run from the firewall's advanced shell):

SFVUNL_SO01_SFOS 19.0.0 GA-Build317# ls -larth /content/ | grep -i geoip
drwxr-xr-x    3 root     0           1.0K Sep 19 12:50 geoip_1.00
lrwxrwxrwx    1 root     0             27 Sep 19 12:50 geoip -> /content/geoip_1.00/2.0.013

Step 4: Geo-IP classification

If the configuration is correct and the traffic is matching the specified rule, verify the Geo-IP classification of the specific IP address, i.e. which country the firewall maps it to:

console> show country-host ip2country ipaddress 40.127.240.158

40.127.240.158 belongs to country Ireland.

Step 5: Contact Support

If the IP-to-country output is a misclassification, contact Sophos Support with all of the information gathered in the steps above.
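The following Python model is added here as an example; it is not part of the original article and is not SFOS code. It ties Steps 2 to 4 together: it models top-to-bottom, first-match evaluation of a rule table with a country-based source, uses a constructed stand-in for the ip2country database, and shows (a) a broader allow rule placed above the country-blocking rule taking the match, (b) the fix of moving the country rule to the top, and (c) the country rule silently failing to match when the Geo-IP database is absent, which is the Step 3 failure mode. The rule names, the prefix table and the 203.0.113.0/24 entry are assumptions; only 40.127.240.158 -> Ireland comes from the article.

```python
import ipaddress

# Constructed stand-in for the "Geoip ip2country DB" pattern. The real DB is
# far larger; only 40.127.240.158 -> Ireland is taken from the article, the
# 203.0.113.0/24 entry is an assumption using the RFC 5737 documentation range.
GEOIP_DB = {
    ipaddress.ip_network("40.127.240.0/24"): "Ireland",
    ipaddress.ip_network("203.0.113.0/24"): "Exampleland",
}


def ip2country(ip, db=GEOIP_DB):
    """Model of 'show country-host ip2country ipaddress <ip>' (Step 4).

    Returns the country name, or None when the address is not covered by the
    database, which is what happens when the Geo-IP pattern is missing or stale.
    """
    addr = ipaddress.ip_address(ip)
    for network, country in db.items():
        if addr in network:
            return country
    return None


def first_match(rules, src_ip, db=GEOIP_DB):
    """Top-to-bottom, first-match evaluation of a firewall rule table (Step 2).

    rules: list of (name, source, action) in display order. source is "Any",
    an ipaddress network object, or ("country", "<name>") for a country-based
    source. Returns (rule name, action); the rule name is what you would look
    for in Log viewer.
    """
    addr = ipaddress.ip_address(src_ip)
    country = ip2country(src_ip, db)
    for name, source, action in rules:
        if source == "Any":
            return name, action
        if isinstance(source, tuple) and source[0] == "country":
            if country is not None and country == source[1]:
                return name, action
            continue
        if addr in source:
            return name, action
    # Traffic matching no rule is dropped; modelled here as an implicit drop.
    return "implicit drop", "drop"


# Hypothetical rules, named as an admin might name them (assumptions).
BLOCK_IRELAND = ("Block Ireland", ("country", "Ireland"), "drop")
ALLOW_WAN_TO_DMZ = ("Allow WAN to DMZ", "Any", "accept")
SRC = "40.127.240.158"  # classified as Ireland in the article


def misordered():
    """Allow rule above the country rule: Log viewer shows the allow rule."""
    return first_match([ALLOW_WAN_TO_DMZ, BLOCK_IRELAND], SRC)


def corrected():
    """Country-blocking rule moved to the top, as the note recommends."""
    return first_match([BLOCK_IRELAND, ALLOW_WAN_TO_DMZ], SRC)


def missing_geoip_db():
    """Step 3 failure mode: with no Geo-IP data the country rule cannot match,
    even when it is first, so the traffic falls through to the allow rule."""
    return first_match([BLOCK_IRELAND, ALLOW_WAN_TO_DMZ], SRC, db={})


if __name__ == "__main__":
    for label, fn in (("misordered", misordered), ("corrected", corrected),
                      ("missing geo-ip db", missing_geoip_db)):
        name, action = fn()
        print(f"{label:18} -> rule '{name}' action {action}")
```

The practical reading: if Log viewer shows the allow rule's name for a source you expect to be blocked, the cause is either rule order (the misordered case) or a country lookup that returns nothing (the missing-database case); the two look identical in the log, so Step 3 and Step 4 are what separate them.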

[edited by: Erick Jan at 9:39 AM (GMT -7) on 17 Sep 2024]