Google gets blocked by Country Blocking

  • Article ID: 120934
  • Rating:
  • 5 customers rated this article 1.0 out of 6
  • Updated: 18 May 2015

Issue

Though you have not blocked Google URLs, they are being blocked by country blocking.  Users see the block screen below with 'Country' shown as 'China':


  

A corresponding log entry will look like the following:

2014:04:28-12:00:00 UTM httpproxy[24773]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="CONNECT" srcip="192.168.0.10" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPCFFProfile (Default content filter profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3258" request="0x1d352ee0" url="https://www.google.de" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="5999" device="0" auth="0" country="China"

First seen in
Sophos UTM

Cause

On your Sophos UTM, you have Country Blocking enabled for China and Google has routed traffic through their servers located in China.  This is not a UTM-specific problem or unexpected behavior, as it is caused by accessing a service or host with an IP addresses located in China.

Note: All other Firewall manufactures which utilize Country Blocking are affected as well.  It also seems to be a problem with different GeoIP Providers, as some show the IP in China others in California.

What To Do

One solution is to disable Country blocking for China:

  1. Login to the WebAdmin.
  2. Go under Network Protection > Firewall > Country Blocking.
  3. Change China to 'Off': 
  4. Click on 'Apply' at the bottom.

Another solution is to add a Country Blocking Exception for the affected Google IP addresses:

  1. In WebAdmin, browse to Network Protection > Firewall > Country Blocking Exceptions.
  2. Click 'New Exception List...'
  3. Add a name.
  4. Under 'Skip blocking of these', do not select a country (in CBEs, as per the Live Help / Administrator Guide, countries to except should only be added for internal sites). 
  5. Under 'For all requests', select 'going to these', and add a network object for the Google IP ranges you want to except into the 'Hosts/Networks' box.
  6. Under 'Using these services', add Any or HTTP & HTTPS.
  7. Click Save.

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments