Country blocking logging disabled - how to enable?

UTM 9.707

I recall at some point the firewall log did record the blocked country connection attempts.  It appears to not do so any more.

 cc set geoip log on

Returns

# cc set geoip log on
0
{
          'Nattrs' => [
                        'nodelist'
                      ],
          'attrs' => [],
          'check' => 'input',
          'datatype' => 'LISTPICK',
          'fatal' => 1,
          'format' => 'The %_N requires %_d.',
          'msgtype' => 'INCOMPATIBLE_DATA',
          'name' => 'The logging mode requires one of certain fixed strings.',
          'never_hide' => 0,
          'nodelist' => 'geoip->log',
          'value' => 'on'
        }

Clearly this pig ain't liking the lipstick..... I tried other variations such as 1, true, enable, etc.  No go.

Suggestions how to enable this?



This thread was automatically locked due to age.
  • I read this thread before - https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/41655/country-blocking-stop-logging , but didn't read carefully enough.

    "all, limited and off are the valid options (at least for 9.113)."

    I'm curious how he determined these were the valid options.

  • I should probably add my use case.  Trying to use the DNS servers from AdGuard (94.140.14.14), but was running into connectivity issues and for the life of me couldn't figure out why.  Nothing showing up in firewall log or web filtering.  Real head scratcher until I tried the IP in a browser and saw the country blocking message from UTM. Turns out Cyprus was blocked, which is where that IP destines to.

    I wonder what the limited option is.  The first two are self explanatory.  Would be nice if one could configure specific conditions when geoip logging is performed, i.e. outbound attempts to specific countries.

  • I always assumed that 'limited' meant that the logs wouldn't get filled up by logging every block from a specific IP within a certain amount of time.

    I recommend using "From" in Country Blocking instead of "All" and that would solve your original problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You're right.  All seems to result in a flood. It's amazing how many international IPs are trying to connect to my IP at a given moment.

    Unrelated, but wonder if this is considered billable data for those on fixed monthly bandwidth ISP packages. While not much data, there is the packet header overhead, even if dropped. It has to pass through the modem/gateway. Probably adds up to something over the course of a billing cycle.