With the release of Sophos UTM version 9.1 the functionality of the blocking of network traffic to or from a particular continent/country/region has been enhanced. You can now:
- Regulate traffic and traffic direction for each country or continent.
- Create exceptions to block specific countries.
This article provides an overview of these new features.
Applies to the following Sophos product(s) and version(s)
9.1 or higher
Country Blocking - Enhancements
The country blocking feature works with geo-IPs and is available from the WebAdmin under: 'Network Protection' | 'Firewall' | 'County Blocking' tab.
You can use Country Blocking to:
- Prevent users from accessing countries or regions that you specify. This may be because you believe that those locations host webpages that you do not want your employees to access, for security or other reasons.
- Allow traffic to these locations, but block the traffic coming from them.
From the drop-down alongside each continent/region/country name you can choose one of the following options:
- Off: Country blocking is off (i.e., traffic is allowed in both directions).
- All: Block all traffic to and from that location.
- From: Block all traffic from that location.
- To: Block all traffic to that location.
Country blocking - Exceptions
The 'Country Blocking Exceptions' tab allows you to create exceptions for a region that you have blocked on the previous tab. For example, you can block all websites in the United States, with the exception of YouTube pages as shown in the screenshot below (click image for larger view).
Creating and configuring a new exception list
- Open the Sophos UTM WebAdmin interface and login.
- Go to 'Network Protection' | 'Firewall' | 'County Blocking Exceptions' tab.
- Click on the 'New Exception List' button.
- Enter a name for the exception and a descriptive comment.
- Under 'Skip blocking of these' configure the following options:
- Region: Use this drop-down list to narrow down the list displayed in the Countries box.
- Countries: Select the checkbox in front of the locations or countries you want to make the exception for. To select all countries at once, select the Select All checkbox.
- For all requests: Select the condition under which the country blocking should be skipped. You can choose between outgoing and incoming traffic - this will refer to the hosts/networks to be selected in the box below.
- Hosts/networks: Add or select the hosts/networks that should be allowed to send traffic to or receive traffic from, the selected countries - depending on the entry selected in the drop-down list above.
- Using these - services: Add the services that should be allowed between the selected hosts/networks and the selected countries/locations.
- Save the new exception and turn it on by switching the toggle.