
Sophos UTM country blocking - blocking geo allowed IP

Greetings,

My UTM firewall is for some reason blocking a US-based Cloudflare IP for Discord. This started a couple days ago I think.

I of course don't have the US blocked in country blocking, but the country blocking rule is blocking it. Here is some data for this. I think this may be some sort of FP perhaps??

From the Shell:

geoiplookup 162.159.135.232
GeoIP Country Edition: US, United States

From the network logs:

2023:04:04-10:41:23 bouncerasg ulogd[13546]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="lag0" outitf="eth5" srcmac="" dstmac="" srcip="<mypc>" dstip="162.159.135.232" proto="17" length="1378" tos="0x00" prec="0x00" ttl="127" srcport="63248" dstport="443"

From the UI:

I know I can just exclude the IP, but why is the firewall doing this?!?!

Thanks,
Chris
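An added example, not part of the original post or of Sophos tooling: the manual comparison above (log line against `geoiplookup`) as a script that lists GEOIP drops per destination and flags destinations whose looked-up country is not among the blocked codes. The function names, the `GEOIP_CMD` override, the log path and the codes `CN RU` are assumptions.

```shell
#!/bin/sh
# Added example; names, log path and country codes are assumptions.

# geoip_drops: read packetfilter log lines on stdin and print
# "count dstip proto dstport fwrule" for every country-blocking drop.
geoip_drops() {
    awk '
    function field(line, key,    s) {
        # Pull the quoted value of key="..." out of one log line.
        if (!match(line, " " key "=\"[^\"]*\"")) return "-"
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    index($0, "name=\"Packet dropped (GEOIP)\"") {
        k = field($0, "dstip") " " field($0, "proto") " " \
            field($0, "dstport") " " field($0, "fwrule")
        n[k]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# country_of: two-letter code from geoiplookup output in the format shown above.
# GEOIP_CMD is a hypothetical override so the lookup can be stubbed off-box.
country_of() {
    ${GEOIP_CMD:-geoiplookup} "$1" |
        sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p'
}

# flag_mismatches BLOCKED...: read geoip_drops output on stdin and mark each
# destination whose looked-up country is not in the list of blocked codes.
flag_mismatches() {
    while read -r count ip proto port rule; do
        cc=$(country_of "$ip")
        verdict=MISMATCH
        [ -n "$cc" ] || verdict=UNKNOWN   # lookup failed or returned no code
        for b in "$@"; do
            if [ "$b" = "$cc" ]; then verdict=expected; fi
        done
        echo "$verdict $ip country=${cc:-unknown} proto=$proto dport=$port drops=$count fwrule=$rule"
    done
}

# On the UTM (log path is an assumption; blocked codes are placeholders):
#   geoip_drops < /var/log/packetfilter.log | flag_mismatches CN RU
```

A `MISMATCH` line means the local GeoIP database and the country-blocking rule disagree about that destination, which is the situation described in this post.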



  • This is the result of the command:

    loginuser@bouncerasg:/home/login > rpm -qa | egrep 'xtipv6'
    u2d-geoipxtipv6-9-259

    The first link that was provided by emmosophos is for a different Cloudflare range. So are you sure this is actually resolved? My issue is with a different IP range. What is strange is why should this really matter? If I exclude the IPs Discord is using, the issue doesn't go away, so there seems to be more going on here than just the IP range being falsely blocked. I will try to open a support case.

    Regards,

    Chris

  • Hi Raphael, I have opened support ticket 06431974. Thanks, Chris

  • I just wanted to report that I opened a support ticket up, and the support agent was fantastic. But, in the end, when we turned country blocking back on, the issue was no longer present. Today's pattern version must have included an additional whitelist for the Cloudflare IPs I was having an issue with. I will continue monitoring, but for now, all is well. I'll reply back here if the issue comes back.

  • What's your pattern version? I got 223399 today.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • That is what I have as well.