
country blocking - block all then add exceptions??

New to Sophos UTM. Is it doable, and would it make sense/work, to block "from" all countries and have an exception allowing from my own country for IPSec VPN and WebAdmin services (for Any IP), which is the only traffic I would like to accept?

I'm assuming blocking traffic "from" a country is about blocking calls initiated by that country, i.e. it wouldn't block the *response* to a call initiated from my allowed country to the blocked country. Is that true?

The unit is remote right now, and I fear testing my theories could result in my losing access to the remote device and the people at that site losing all internet access...



This thread was automatically locked due to age.
  • We use some country blocking in both directions.

    Exception configuration trick:

    If the exception address is external (e.g. packets going to or from example.com), the country does not matter, so the country list MUST BE EMPTY.

    If the exception address is internal (e.g. packets from my PC at 10.10.10.10), the country list MUST BE CONFIGURED. (All is a possible option.)

    Logging

    As you noticed, country names only appear in the web filtering log. It can be useful to enable country blocking even if nothing is blocked, simply to get the country information in your web filter log files. You can use maxmind.com to look up a country name from an individual IP. You could marry IP addresses in the firewall log with IP addresses in the Web Filter log to get country names for a subset of the firewall log data.

    Protection Suggestions

    I would not under any circumstances enable WebAdmin access from the Internet. Since you must run WebAdmin remotely, log in using IPSec VPN or SSL VPN, and then connect to WebAdmin.

    User Portal is different from WebAdmin. In some configurations, you need to allow User Portal access from the internet.

    OTP (One Time Passwords) is a great feature. Use it for any of the remote access methods that you enable.

    If you have an internal mail server and a sophisticated spam filter, I suggest exempting country blocking from all sources for incoming traffic on port 25, then block unwanted senders in your spam filter. This gives better visibility to lost traffic than if it is blocked at the firewall. But it sounds like this does not apply to your specific situation.

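An added worked example (not code from this thread or from Sophos) of the log correlation the reply above suggests: the firewall log carries no country field, so remote IPs that the web filter has already labelled with a country are used to enrich the firewall's drop records, and everything else is left as "unknown" for a MaxMind lookup. The sample log lines are constructed; the key="value" layout and the field names srcip, dstip, action and country are assumptions about the UTM log format, as is the reading that the web filter's country field describes the remote (dstip) end.

```python
import re
from collections import Counter

# Constructed sample lines (not real UTM output). The key="value" layout and the
# field names srcip/dstip/action/country are assumptions about the UTM log format.
WEBFILTER_LOG = """\
2024:03:01-10:00:01 utm httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="10.10.10.10" dstip="198.51.100.7" url="http://example.com/" country="Germany"
2024:03:01-10:00:05 utm httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="10.10.10.11" dstip="203.0.113.80" url="http://example.org/" country="Brazil"
"""

FIREWALL_LOG = """\
2024:03:01-10:01:00 utm ulogd[2345]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" srcip="203.0.113.80" dstip="192.0.2.1" proto="6" dstport="500"
2024:03:01-10:01:02 utm ulogd[2345]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" srcip="198.51.100.7" dstip="192.0.2.1" proto="6" dstport="4444"
2024:03:01-10:01:03 utm ulogd[2345]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" srcip="192.0.2.99" dstip="192.0.2.1" proto="17" dstport="53"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line):
    """Extract the key="value" pairs of one log line into a dict; the timestamp
    and process prefix carry no quoted values and are ignored."""
    return dict(KV_RE.findall(line))


def build_country_map(webfilter_text):
    """Map remote IPs seen by the web filter to the country it logged for them.

    Assumption: the country field describes the remote (dstip) end, i.e. the
    web server the internal client talked to, not the internal client itself.
    """
    cmap = {}
    for line in webfilter_text.splitlines():
        rec = parse_kv(line)
        if rec.get("dstip") and rec.get("country"):
            cmap[rec["dstip"]] = rec["country"]
    return cmap


def enrich_firewall_log(firewall_text, cmap):
    """Attach a country to each firewall record whose remote IP the web filter saw.

    For an inbound drop the remote end is srcip, for an outbound one it is
    dstip, so both are tried. IPs the web filter never saw stay "unknown";
    those are the ones to look up at maxmind.com (or a local GeoIP database).
    """
    enriched = []
    for line in firewall_text.splitlines():
        rec = parse_kv(line)
        if not rec:
            continue
        rec["country"] = (cmap.get(rec.get("srcip"))
                          or cmap.get(rec.get("dstip"))
                          or "unknown")
        enriched.append(rec)
    return enriched


def drops_by_country(enriched):
    """Count dropped packets per country: the view the firewall log alone lacks."""
    return Counter(r["country"] for r in enriched if r.get("action") == "drop")


if __name__ == "__main__":
    cmap = build_country_map(WEBFILTER_LOG)
    rows = enrich_firewall_log(FIREWALL_LOG, cmap)
    for r in rows:
        print(f'{r["srcip"]:>15} -> {r["dstip"]:<12} '
              f'dport={r.get("dstport", "?"):<5} {r["action"]:<5} {r["country"]}')
    print(dict(drops_by_country(rows)))
```

Only IPs that an internal client has actually browsed to acquire a country this way, which is why the reply calls it a subset of the firewall log; the "unknown" bucket is where the per-IP MaxMind lookups go, and it is the inbound-only scanners and VPN probers, which never appear in the web filter log, that will land there.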
