Chapter 74: Configuring Geo-IP and Botnet Filters

This chapter contains the following sections:

Security Services > Geo-IP Filter

The Geo-IP Filter feature allows administrators to block connections to or from a geographic location. The SonicWALL appliance uses the IP address of the remote endpoint to determine the location of the connection.

To configure Geo-IP Filtering, perform the following steps:

  1. To block connections to and from specific countries, select the Block connections to/from countries listed in the table below option.
  2. Select one of the following two modes for Geo-IP Filtering:
  3. If you want to block all connections when the Geo-IP database is not downloaded, select the Block all connections to public IPs if GeoIP DB is not downloaded option.
  4. To log Geo-IP Filter-related events, select Enable logging.
  5. Under Countries, in the Blocked Country table, select the countries to be blocked.
  6. If you want to block any countries that are not listed, select the Block ALL UNKNOWN countries option.

Note: Optionally, you can configure an exclusion list to allow all connections to approved IP addresses. To do so, go to the Geo-IP Exclusion Object pulldown menu and select an address object or address group. All IP addresses in the address object or group will be allowed, even if they are from a blocked country.

For this feature to work correctly, the country database must be downloaded to the appliance. The Status indicator at the top right of the page turns yellow if this download fails. Green status indicates that the database has been successfully downloaded. Click the Status button to display more information.

In order for the country database to be downloaded, the appliance must be able to resolve the address, "geodnsd.global.sonicwall.com".

When a user attempts to access a web page hosted in a blocked country, a block page is displayed in the user’s web browser.

Note: If a connection to a blocked country is short-lived, and the firewall does not have a cache for the IP address, then the connection may not be blocked immediately. As a result, connections to blocked countries may occasionally appear in the App Flow Monitor. However, additional connections to the same IP address will be blocked immediately.

Geo-IP Filter Diagnostics

The Geo-IP Filter page has a Diagnostics section containing:

The Geo Location and Botnet Server Lookup tool can also be accessed from the System > Diagnostics page.

Security Services > Botnet Filter

The Botnet Filtering feature allows administrators to block connections to or from Botnet command and control servers.

To configure Botnet filtering, perform the following steps:

  1. To block all servers that are designated as Botnet servers, select the Block connections to/from Botnet Command and Control Servers option.
  2. Select one of the following two modes for Botnet Filtering:
  3. If you want to block all connections when the Botnet database is not downloaded, select the Block all connections to public IPs if BOTNET DB is not downloaded option.
  4. Select Enable logging to log Botnet Filter-related events.

Note: Optionally, you can configure an exclusion list to allow all connections to approved IP addresses. To do so, go to the Botnet Exclusion Object pulldown menu and select an address object or address group.

Note: If you believe that a certain address is incorrectly marked as a botnet server, or that an address should be marked as a botnet server, report this at the SonicWALL Botnet IP Status Lookup tool at: http://botnet.global.sonicwall.com/

Checking Geographic Location and Botnet Server Status

The Botnet Filter also provides the ability to look up IP addresses to determine the domain name, DNS server, the country of origin, and whether or not it is classified as a Botnet server. To do so, perform the following steps:

  1. Scroll to the bottom of the Security Services > Botnet Filter page.
  2. Enter the IP address in the Lookup IP field and click Go.

Details on the IP address are displayed below the Result heading.

Botnet Filter Diagnostics

The Botnet Filter page has a Diagnostics section containing:

The Geo Location and Botnet Server Lookup tool can also be accessed from the System > Diagnostics page.