Drop connection question

Question

Hi, 
 We want to drop/reject connection from some IP address, these IPs shouldnt have access to anything not from WAF rules or from DNAT rules 
 from what I understand we should create a DNAT rule and point it to a machine that is not exsit and group the IPs that we want to block them to a group and add them as the source of new DNAT. 
 But this will still process the connections that comes to the utm. we want to drop the connection or reject connection from these IPs. 
 can we create the DNAT rule and put it on the possition 1 and also instead of creating the firewall rule automatically for the DNAT, create a firewall rule manually and use the drop or reject connection from there?

Thanks

Karlos · Accepted Answer

Hi Aresh, 
 Your DNAT & Firewall Rule both look correct. Like I mentioned, Automatic Firewalls are processed BEFORE manually created ones. So even if you place it on top, it will still be processed after your automatic rules, hence why the checkbox for Automatic Firewall rules on your DNAT was disabled. 
 The best way to see how this process works is by conducting a test from an external network. Add that public IP temporarily to your Hackers Block Network group and attempt to access your UTM's WAN IP and see if you are able to access and how it appears on your firewall log. 
 Cheers, Karlos

Karlos · Answer

Hi Aresh, 
 Yes, creating a blackhole DNAT on top would be the best way as it is processed before your firewall rules. Automatic firewall rules are processed before manual firewall rules so there should be no need for the manual ones. 
 Here is a similar thread you can refer to: Blocking all traffic from IP address 
 Cheers, Karlos

Karlos · Answer

Hi Aresh, 
 In that case, yes go ahead and disable the automatic firewall rule and create a manual rule at the top that will drop the bad IP addresses. Make sure you enable logging in the firewall rule. 
 You can create two network groups (Definitions & Users > Network Definitions > New Network Definition > Type: Network Group). The first one for the "Bad IP addresses" to be blocked and another network group for the "5 public IPs." 
 You can then use these 2 groups for both your firewall and DNAT rule. 
 Let me know if you have any more questions. Here's another helpful thread to read where the exact steps above were followed: https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/40628/dnat-and-firewall-rule-question 
 Thanks, Karlos