
Drop connection question

Hi,

We want to drop/reject connections from some IP addresses; these IPs shouldn't have access to anything, neither via WAF rules nor via DNAT rules.

From what I understand, we should create a DNAT rule and point it to a machine that does not exist, group the IPs that we want to block into a group, and add that group as the source of the new DNAT.

But this will still process the connections that come to the UTM. We want to drop or reject the connections from these IPs.

Can we create the DNAT rule and put it in position 1, and also, instead of creating the firewall rule automatically for the DNAT, create a firewall rule manually and use drop or reject for the connections there?

Thanks

  • Hi Aresh,

    Yes, creating a blackhole DNAT on top would be the best way, as it is processed before your firewall rules. Automatic firewall rules are processed before manual firewall rules, so there should be no need for the manual ones.

    Here is a similar thread you can refer to: Blocking all traffic from IP address

    Cheers,
    Karlos

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • But the automatic rule doesn't allow me to reject/drop the incoming connections from those IPs!

    My WAN NIC has 5 public IPs. How can I group them so I don't need to create 5 different DNATs, one for each of my public IPs?

  • Hi Aresh,

    In that case, yes, go ahead and disable the automatic firewall rule and create a manual rule at the top that will drop the bad IP addresses. Make sure you enable logging in the firewall rule.

    You can create two network groups (Definitions & Users > Network Definitions > New Network Definition > Type: Network Group). The first one for the "Bad IP addresses" to be blocked and another network group for the "5 public IPs."

    You can then use these 2 groups for both your firewall and DNAT rule. 

    Let me know if you have any more questions. Here's another helpful thread to read where the exact steps above were followed: https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/40628/dnat-and-firewall-rule-question

    Thanks,
    Karlos

  • Hi Karlos,

    Thanks for the update,

    Can we put the primary IP of the WAN also in the same group? All of the 5 IPs are assigned to the WAN interface.

    Thanks

  • Yes, include the primary WAN IP in your network group.

  • Hi Karlos,

    Thanks for your update,

    When creating the FW rule manually, we chose the source from the bad IPs and for service we chose Any. For the destination, should we choose the group of our public IPs, or should we choose the non-existing machine in the internal network?

    Also, this solution will drop connections for both NAT and WAF, right?


    Update,

    this is my rule:

    FW rule:

    When I created the FW rule I said to put it at the top, but it looks like it put it only at the top of the manually created rules and not really at the top. I also used the FW public IPs group as the destination of the FW rule.

    Question,

    Is the destination of the FW rule correct?

    Why is the firewall rule not at the top of all of the rules?

    Thanks

  • Hi Aresh,

    Your DNAT and firewall rule both look correct. Like I mentioned, automatic firewall rules are processed BEFORE manually created ones. So even if you place it on top, it will still be processed after your automatic rules, hence why the checkbox for automatic firewall rules on your DNAT was disabled.

    The best way to see how this process works is by conducting a test from an external network. Add that public IP temporarily to your Hackers Block network group, attempt to access your UTM's WAN IP, and see whether you are able to access it and how it appears in your firewall log.

    Cheers,
    Karlos

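The external test suggested above only proves the rule works if you actually read the packetfilter log afterwards. The following is an added example, not code from the thread or from Sophos: it parses log lines modelled on the UTM's key="value" packetfilter log format (as written by ulogd, with action="drop"/"accept" and an fwrule id) and reports, for every packet whose source falls inside the blocklist network group, whether it was dropped and by which rule, flagging any that were accepted. The blocklist contents, the rule ids and the sample log lines are assumptions constructed for the example (RFC 5737 documentation addresses).

```python
"""Audit UTM-style packetfilter log lines against a blocklist network group.

The log format below is modelled on Sophos UTM's key="value" packetfilter
lines; every sample line, rule id and address here is constructed for
this example, not taken from a real device.
"""
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the thread's "Hackers Block" network group:
# a mix of a /24 and a single host, as a UTM Network Group could hold.
BAD_IP_GROUP = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.77/32"),
]

# Constructed sample log: two drops by the manual rule (id 60001 assumed),
# one unrelated accept, and one blocklisted source that slipped through
# an accept rule (the case the audit is meant to catch).
SAMPLE_LOG = """\
2019:03:01-10:00:01 utm ulogd[2345]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.5" dstip="192.0.2.10" proto="6" srcport="51000" dstport="443" tcpflags="SYN"
2019:03:01-10:00:02 utm ulogd[2345]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="192.0.2.200" dstip="192.0.2.10" proto="6" srcport="51001" dstport="443" tcpflags="SYN"
2019:03:01-10:00:03 utm ulogd[2345]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="4" initf="eth1" srcip="198.51.100.77" dstip="192.0.2.11" proto="17" srcport="40000" dstport="53"
2019:03:01-10:00:04 utm ulogd[2345]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.9" dstip="192.0.2.12" proto="1"
"""

# Matches each key="value" pair; values in this format never contain quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one packetfilter log line as a dict."""
    return dict(KV_RE.findall(line))


def in_group(ip, group=BAD_IP_GROUP):
    """True if ip falls inside any network of the group (host or prefix)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)


def audit(log_text, group=BAD_IP_GROUP):
    """Split blocklisted-source packets into dropped vs. leaked.

    Returns (dropped_by_rule, leaked): dropped_by_rule counts dropped
    packets per fwrule id, so you can confirm the intended rule is the
    one matching; leaked lists parsed records whose source is in the
    blocklist group but whose action was anything other than drop.
    """
    dropped_by_rule = Counter()
    leaked = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Skip non-packetfilter lines and records with no source address.
        if rec.get("sub") != "packetfilter" or "srcip" not in rec:
            continue
        if not in_group(rec["srcip"], group):
            continue
        if rec.get("action") == "drop":
            dropped_by_rule[rec.get("fwrule", "?")] += 1
        else:
            leaked.append(rec)
    return dropped_by_rule, leaked


if __name__ == "__main__":
    dropped, leaked = audit(SAMPLE_LOG)
    print("dropped per fwrule:", dict(dropped))
    for rec in leaked:
        print("LEAK: %s -> %s:%s accepted by rule %s"
              % (rec["srcip"], rec["dstip"], rec.get("dstport", "-"),
                 rec.get("fwrule", "?")))
```

Run it against an export of the packetfilter log taken while the external test host is in the blocklist group: an empty `leaked` list and all drops attributed to the expected rule id is the result you want; a leak points at a rule (automatic or manual) that is still matching ahead of the drop.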
  • Thank you Karlos,

    Somewhere I read that to get the manual firewall rule at the top of the other rules, we should disable all of the DNAT rules and then first enable the manual rule.

    I will test this and let you know the result.

    Thanks again for your assistance.
  • Rather than getting rid of all of the automatic firewall rules in your DNATs, VPNs and proxies, I prefer a blackhole DNAT at the top of the list of NAT rules. See #2 in Rulz.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    I have already done that and the connections are dropping, but I think the UTM processes all incoming connections from the bad IP group, and if there are 200,000 packets that the UTM must process, then that is valuable device resources being wasted.

    I have opened a new post regarding reject vs. drop.