Drop connection question

Hi Aresh,

Yes, creating a blackhole DNAT on top would be the best way as it is processed before your firewall rules. Automatic firewall rules are processed before manual firewall rules so there should be no need for the manual ones.

Here is a similar thread you can refer to: Blocking all traffic from IP address

Cheers,
Karlos

But the automatic rule dont allow me to reject/drop the in comeing connections! from those IPs!

My WAN nic have 5 public IPs how can I group them so I dont need to create 5 different DNAT for each of my public IPS.

But the automatic rule dont allow me to reject/drop the in comeing connections! from those IPs!

My WAN nic have 5 public IPs how can I group them so I dont need to create 5 different DNAT for each of my public IPS.

Hi Aresh,

In that case, yes go ahead and disable the automatic firewall rule and create a manual rule at the top that will drop the bad IP addresses. Make sure you enable logging in the firewall rule.

You can create two network groups (Definitions & Users > Network Definitions > New Network Definition > Type: Network Group). The first one for the "Bad IP addresses" to be blocked and another network group for the "5 public IPs."

You can then use these 2 groups for both your firewall and DNAT rule. 

Let me know if you have any more questions. Here's another helpful thread to read where the exact steps above were followed: https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/40628/dnat-and-firewall-rule-question

Thanks,
Karlos

Hi Karlos,

Thanks or the update,

Can we put the primery IP of the WAN also in the same group? all of the 5 IPs are assigned to the WAN int 

Thanks

Yes, include the Primary WAN IP in your Network Group

Hi Karlos,

Thanks for your update,

when creating the FW rule manually, we chose the source from the bad IPs, for service we chose Any, for the destenation should we chose the group od our Public IPs or the should we chose the none exsiting machine in internal network?

Also this solution will drop connections from NAT and WAG both right?

Update,

this is my rule:

FW rule:

when I did create the FW rule I said put it at the top, but it look like it put it only at the top of the manually created rules and not really at the top, I also used the FW public IPs group as the Destenation of the FW rule.

question,

Does the destnation of the FW correct?

Why the firewall rule is not at the top of all of the rules?

Thanks

Hi Aresh,

Your DNAT & Firewall Rule both look correct. Like I mentioned, Automatic Firewalls are processed BEFORE manually created ones. So even if you place it on top, it will still be processed after your automatic rules, hence why the checkbox for Automatic Firewall rules on your DNAT was disabled.

The best way to see how this process works is by conducting a test from an external network. Add that public IP temporarily to your Hackers Block Network group and attempt to access your UTM's WAN IP and see if you are able to access and how it appears on your firewall log.

Cheers,
Karlos

Thank you Karlos,

Somewhere I read that to get the manual Firewall rule on the top of other rules we should disable all of the DNAT rules and then first enable the manual rule.

I will test this and let you know the result.

Thanks again for your assistance.

Rather than getting rid of all of the automatic firewall rules in your DNATs, VPNs and proxies, I prefer a blackhole DNAT at the top of the list of NAT rules.  See #2 in Rulz.

Cheers - Bob

Hi Bob

I already done that and connections droping but I think the utm proces all incoming connetions from the bad ip groups, and if there are  200000 packegs that utm must proces then it is valuable device resources that are waisted

I open a new post regarding the reject vs drop.