Google gets blocked by Country Blocking

  Updated: 18 May 2015


Although you have not blocked any Google URLs, they are being blocked by Country Blocking. Users see a block screen with 'Country' shown as 'China'.


A corresponding log entry will look like the following:

2014:04:28-12:00:00 UTM httpproxy[24773]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="CONNECT" srcip="" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPCFFProfile (Default content filter profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3258" request="0x1d352ee0" url="" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="5999" device="0" auth="0" country="China"

First seen in
Sophos UTM


You have Country Blocking enabled for China on your Sophos UTM, and Google has routed traffic through its servers located in China. This is neither a UTM-specific problem nor unexpected behavior: it is caused by accessing a service or host with an IP address located in China.

Note: All other firewall manufacturers that use Country Blocking are affected as well. It also appears to vary between GeoIP providers, as some show the IP in China and others in California.

What To Do

One solution is to disable Country blocking for China:

  1. Log in to WebAdmin.
  2. Go to Network Protection > Firewall > Country Blocking.
  3. Change China to 'Off'.
  4. Click on 'Apply' at the bottom.

Another solution is to add a Country Blocking Exception for the affected Google IP addresses:

  1. In WebAdmin, browse to Network Protection > Firewall > Country Blocking Exceptions.
  2. Click 'New Exception List...'
  3. Add a name.
  4. Under 'Skip blocking of these', do not select a country (in CBEs, as per the Live Help / Administrator Guide, countries to except should only be added for internal sites). 
  5. Under 'For all requests', select 'going to these', and add a network object for the Google IP ranges you want to except into the 'Hosts/Networks' box.
  6. Under 'Using these services', add Any or HTTP & HTTPS.
  7. Click Save.
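
To decide which addresses the network object in step 5 has to cover, the country-block entries can be pulled out of the web proxy log and grouped by destination. The following is an added example, not Sophos code; the function names, the shortened sample lines and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in httpproxy lines
BLOCK_NAME = "web request blocked, connection to forbidden country"

def country_blocks(lines):
    """Yield the fields of every country-blocking entry as a dict."""
    for line in lines:
        fields = dict(KV.findall(line))
        if fields.get("action") == "block" and fields.get("name") == BLOCK_NAME:
            yield fields

def blocked_destinations(lines, country):
    """Count blocked requests per destination IP for one country."""
    hits = Counter()
    for f in country_blocks(lines):
        # Entries with an empty dstip cannot be turned into an exception.
        if f.get("country") == country and f.get("dstip"):
            hits[f["dstip"]] += 1
    return hits

def not_covered(hits, exception_networks):
    """Return blocked IPs that fall outside every exception network."""
    nets = [ipaddress.ip_network(n) for n in exception_networks]
    return sorted(ip for ip in hits
                  if not any(ipaddress.ip_address(ip) in n for n in nets))

# Constructed sample lines, shortened from the format shown above.
_BLOCK = ('2014:04:28-12:00:0%d UTM httpproxy[24773]: id="0067" '
          'name="web request blocked, connection to forbidden country" '
          'action="block" method="CONNECT" dstip="%s" statuscode="403" '
          'country="China"')
SAMPLE_LOG = [
    _BLOCK % (0, "203.0.113.10"),
    _BLOCK % (1, "203.0.113.10"),
    _BLOCK % (2, "198.51.100.7"),
    _BLOCK % (3, ""),
    '2014:04:28-12:00:04 UTM httpproxy[24773]: id="0001" name="http access" '
    'action="pass" method="GET" dstip="192.0.2.5" statuscode="200" '
    'country="United States"',
]

if __name__ == "__main__":
    hits = blocked_destinations(SAMPLE_LOG, "China")
    for ip, count in hits.most_common():
        print(f"{ip}\t{count} blocked request(s)")
    # Candidate exception range (constructed) and what it would still miss.
    print("still blocked:", not_covered(hits, ["203.0.113.0/24"]))
```

Run it over the real web filtering log lines instead of SAMPLE_LOG, and again after saving the exception, to confirm the range covers every destination that was being blocked.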

If you need more information or guidance, then please contact technical support.

