Configure Geo-IP Filter Settings

To configure Geo-IP Filtering, complete the following steps:

1	Enable Block connections to/from following countries to block all connections to and from specific countries. Select one of the two modes of Geo-IP Filtering:

•	All — All connections to and from the specified countries are blocked.

•	Firewall Rule-Based — Only connections that match an access rule configured on the appliance are blocked.

2	Click Block all connections to public IPs if GeoIP DB is not downloaded to drop all connections to public IP addresses if the Geo IP database is not downloaded.

3	Click Enable logging to log Geo-IP Filter-related events.

4	Select the countries to be blocked in the table.

5	Click Block ALL UNKNOWN countries to drop all connections from unknown public IP addresses.

6

Optionally, you can configure an exclusion list to all connections to approved IP addresses. To do so, go to the Geo-IP Exclusion Object drop-down menu and select an address object or address group. All IP addresses in the address object or group are allowed, even if they are from a blocked country.

For this feature to work correctly, the country database must be downloaded to the appliance. In order for the country database to be downloaded, the appliance must be able to resolve the address, “geodnsd.global.sonicwall.com.”

When a user attempt to access a web page that is from a blocked country, a block page is displayed on the user’s web browser.

NOTE: If a connection to a blocked country is short-lived, and the firewall does not have a cache for the IP address, then the connection might not be blocked immediately. As a result, connections to blocked countries might occasionally appear in the App Flow Monitor. However, additional connections to the same IP address are blocked immediately.