I noticed that this topic doesn’t come up nearly as much for Sophos XG as it does for some other vendors, particularly SonicWALL, and I am betting that it is probably due to one of two reasons: 1) folks are not using GeoBlocking because it’s “one more thing to break”, or 2) they are unsure of how to do it on XG Firewalls.
Here we go!
Geo/Country Blocking in the Sophos XG is not as intuitive up front as it is on some other manufacturers’ firewalls. However, once you see how it is done, it will seem completely natural.
The purpose of GeoBlocking is to stop traffic from countries that are known sources of attacks, botnets, command-and-control (C&C) servers, and the like. Also, if you aren’t expecting traffic from those countries, why leave the screen door open for them?
- Log in to your XG firewall as an administrator (https://X.X.X.X:4444)
- Navigate to System > Hosts and Services
- Navigate to Country group (tab) > Add (button)
- Enter the following information on the next screen:
  - Name: Give it a descriptive name. I use the following: WAN-ADDRGrp-Blocked Countries. This tells us it is for WAN hosts, it is an Address Group, and what its purpose is.
  - Description: A description that is meaningful to you.
  - Select country: Press “Select all” and then uncheck United States. The easiest way to do this is to select all first and then search in the window for United States.
  - Press “Apply 248 selected items”.
- Press “Save”
- Go to Protect > Firewall. Click “Add firewall rule”
- Select “User/Network rule”
- Create a rule with the following information, or substitute your preferred naming:
  - Rule name: WAN-LAN-CountryBlocking. This tells us it is WAN to LAN and what it is for.
  - Rule group: Traffic to Internal Zone
  - Action: Drop (Reject would send a notice back to the originator; Drop silently discards the traffic)
  - Source zones: Any
  - Source networks and devices: WAN-ADDRGrp-Blocked Countries (the country group created above)
  - During schedule: All the time
  - Destination zones: Any
  - Destination networks: Any
  - Services: Any
  - Make sure “Match known users” is NOT checked.
  - Check “Log firewall traffic”
- Press “Save”
Voila! You have Country/GeoBlocking configured. To troubleshoot, you can now view matches for this rule under Log viewer > Firewall; because “Log firewall traffic” is checked, every drop by the rule is recorded there.
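As an added example (not part of the original post, and not Sophos code), the script below does the same check offline that you would do by eye in Log viewer > Firewall: it parses exported firewall log lines in the key=value / key="value" syslog style, counts how many connections the WAN-LAN-CountryBlocking rule dropped per source country, and flags any connection from a non-US country that some other rule *allowed*. The second check is the one worth having: if an allow rule sits above the blocking rule in the rule order, the block never fires for that traffic. The sample lines are constructed, and the field names used (log_type, status, fw_rule_name, src_ip, src_country_code, dst_port) are assumptions for this example; confirm them against the lines your own XG emits.

```python
import re
from collections import Counter

# Constructed sample log lines in the key=value / key="value" style of
# Sophos XG firewall syslog output. The field names are assumed for this
# example; verify them against your own Log viewer export before relying
# on this parser. IPs are documentation/benchmark ranges, not real hosts.
SAMPLE_LOGS = [
    'device="SFW" date=2024-01-10 time=10:15:01 log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" status="Deny" fw_rule_name="WAN-LAN-CountryBlocking" '
    'src_ip=203.0.113.10 src_country_code=CHN dst_ip=198.51.100.5 protocol="TCP" src_port=51234 dst_port=443',
    'device="SFW" date=2024-01-10 time=10:15:02 log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" status="Deny" fw_rule_name="WAN-LAN-CountryBlocking" '
    'src_ip=203.0.113.11 src_country_code=CHN dst_ip=198.51.100.5 protocol="TCP" src_port=51235 dst_port=22',
    'device="SFW" date=2024-01-10 time=10:15:03 log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" status="Deny" fw_rule_name="WAN-LAN-CountryBlocking" '
    'src_ip=198.18.0.7 src_country_code=RUS dst_ip=198.51.100.5 protocol="UDP" src_port=40000 dst_port=53',
    'device="SFW" date=2024-01-10 time=10:15:04 log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" fw_rule_name="WAN-LAN-WebServer" '
    'src_ip=192.0.2.44 src_country_code=USA dst_ip=198.51.100.5 protocol="TCP" src_port=50001 dst_port=443',
    # This one is the problem case: a non-US source that an allow rule let through.
    'device="SFW" date=2024-01-10 time=10:15:05 log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" fw_rule_name="WAN-LAN-WebServer" '
    'src_ip=203.0.113.99 src_country_code=CHN dst_ip=198.51.100.5 protocol="TCP" src_port=50002 dst_port=443',
]

# Matches key="quoted value" or key=bare_value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value / key="value" log line into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def summarize(lines, rule_name, allowed_countries=frozenset({"USA"})):
    """Return (drops_by_country, leaks) for the country-blocking rule.

    drops_by_country: Counter of src_country_code for events denied by
                      rule_name, i.e. evidence that the rule is matching.
    leaks: parsed events that were *allowed* from a country outside
           allowed_countries. In practice this usually means an allow rule
           sits above the blocking rule in the firewall rule order.
    """
    drops = Counter()
    leaks = []
    for line in lines:
        event = parse_line(line)
        if event.get("log_type") != "Firewall":
            continue  # ignore non-firewall events (web filter, IPS, ...)
        country = event.get("src_country_code", "UNKNOWN")
        if event.get("status") == "Deny" and event.get("fw_rule_name") == rule_name:
            drops[country] += 1
        elif event.get("status") == "Allow" and country not in allowed_countries:
            leaks.append(event)
    return drops, leaks


if __name__ == "__main__":
    dropped, leaked = summarize(SAMPLE_LOGS, "WAN-LAN-CountryBlocking")
    for country, count in dropped.most_common():
        print(f"{country}: {count} connection(s) dropped by the country-blocking rule")
    for event in leaked:
        print(f"LEAK: {event['src_ip']} ({event['src_country_code']}) allowed by "
              f"{event['fw_rule_name']} to port {event['dst_port']} - check rule order")
```

To use it against real data, export the firewall log from Log viewer (or point it at your syslog collector’s file) and feed the lines to `summarize()` in place of `SAMPLE_LOGS`. A non-empty `leaks` list means the country group is not being consulted for that traffic, which is the first thing to check when GeoBlocking “isn’t working”.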