UTM on AWS, enabling Country Blocking, but it does not seem to evaluate the X-Forwarded-FOR headers

Hi, 

I have the below setup on AWS:

Internet  -->  External-ELB Classic --> Sophos UTM --> Internal-ELB (classic)--> ApplicationServers

The External and  Internal ELBs have been configured to listen on HTTPS (443). 

The Sophos UTM is configured with WebServer Protection WAF: Virtual WebServers & Real WebServers (with the SSL certificate uploaded to Sophos for the Virtual WebServers configuration). All the HTTPS traffic from the Internet is working and getting responses from the ApplicationServers. The ApplicationServers currently rely on the X-Forwarded-FOR headers to identify the original source IP of the requests. All is working perfectly from the application perspective.

I just recently enabled Country Blocking on Sophos UTM9, to block certain countries per my customer's requests. But upon testing by sending requests from the blocked countries, I found that the Sophos UTM 9 Country Blocking did not work at all: it just passes the HTTPS requests through from the Internet to my Application Servers.

I was hoping that when Country Blocking on Sophos UTM9 was enabled, it would stop the requests from blocked countries. I checked the WAF live logs and the Firewall logs: the traffic from blocked countries went through (I saw the entries in the WAF live logs, while nothing was recorded in the Firewall logs).

Has anyone experienced a similar issue with Country Blocking and X-Forwarded-FOR?

I also tried to enable the ProxyProtocol on the External ELB and Sophos UTM, but it ended up blocking all traffic (the requests never seem to arrive at the backend application servers, regardless of the source IP).

Thanks for any insights to this.

Regards,

Yo

  • Hi Yo and welcome to the UTM Community!

    Country Blocking just considers the sending IP.  It can't be used with your current network design.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
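
An added example, not part of the thread and not Sophos or AWS code: a sketch of how a backend behind this proxy chain could derive the original client address from X-Forwarded-For and apply a country decision itself, since the UTM only sees the ELB as the sending IP. The trusted proxy range, the address-to-country table and the codes `XA`/`XB` are constructed placeholders; a real deployment would use its own VPC ranges and a GeoIP database.

```python
import ipaddress

# Assumption: both ELBs and the UTM sit inside this VPC range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed stand-in for a GeoIP database (documentation address ranges,
# placeholder country codes).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "XB",
}
BLOCKED_COUNTRIES = {"XA"}


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Walk the hop list right to left and return the first address that is
    not one of our own proxies. Entries further left are client-supplied and
    therefore never trusted."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops.append(peer)  # the TCP peer is the nearest hop
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed
        if not is_trusted(ip):
            return ip
    return None  # only proxy addresses seen, no client address available


def country_of(ip):
    for net, code in GEO_TABLE.items():
        if ip in net:
            return code
    return None


def allow_request(peer, xff_header):
    ip = client_ip(peer, xff_header)
    if ip is None:
        return False
    return country_of(ip) not in BLOCKED_COUNTRIES
```

Reading the header from the right matters: each proxy appends the address it received the connection from, so a value the client injects itself always ends up to the left of the address the External ELB recorded.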