Security Services > Geo-IP Filter

The Geo-IP Filter feature allows administrators to block connections to or from a geographic location. The SonicWALL appliance uses the IP address to determine the location of the connection.

To configure Geo-IP Filtering, perform the following steps:

1. Enable Block connections to/from following countries to block all connections to and from specific countries.
2. Select one of the two modes of Geo-IP Filtering:
   All: All connections to and from the specified countries are blocked.
   Firewall Rule-Based: Only connections that match an access rule configured on the appliance will be blocked.
3. Select Enable logging to log Geo-IP Filter-related events.
4. Select the countries to be blocked in the table.
5. Optionally, you can configure an exclusion list to allow all connections to approved IP addresses. To do so, go to the Geo-IP Exclusion Object pulldown menu and select an address object or address group. All IP addresses in the address object or group will be allowed, even if they are from a blocked country.

For this feature to work correctly, the country database must be downloaded to the appliance. The Status indicator at the top right of the page turns yellow if this download fails. Green status indicates that the database has been successfully downloaded. Click the Status button to display more information.

In order for the country database to be downloaded, the appliance must be able to resolve the address, "geodnsd.global.sonicwall.com".

When a user attempts to access a web page that is from a blocked country, a block page is displayed in the user's web browser.

 
Note: If a connection to a blocked country is short-lived, and the firewall does not have a cache for the IP address, then the connection may not be blocked immediately. As a result, connections to blocked countries may occasionally appear in the App Flow Monitor. However, additional connections to the same IP address will be blocked immediately.
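
The note above and the exclusion list in step 5 are the two reasons an allowed connection to a blocked country can legitimately appear in flow data. The following added example (not SonicWALL code) separates those cases from repeat allows that deserve a closer look. The record layout, country codes and addresses are constructed, and it assumes the firewall's cache entry for an address persists for the whole sample.

```python
import ipaddress

# Constructed sample data. The record layout (time, remote IP, country, action)
# is an assumption for this example, not a SonicWALL log or export format.
BLOCKED = {"XA", "XB"}                                 # placeholder country codes
EXCLUSIONS = [ipaddress.ip_network("203.0.113.0/28")]  # stands in for the exclusion object
FLOWS = [
    (100, "198.51.100.7", "XA", "allow"),   # first contact, nothing cached yet
    (105, "198.51.100.7", "XA", "block"),   # follow-up connection, blocked
    (110, "203.0.113.5",  "XA", "allow"),   # address is in the exclusion list
    (120, "192.0.2.44",   "XB", "allow"),   # first contact
    (130, "192.0.2.44",   "XB", "allow"),   # allowed again: not explained by the note
    (140, "192.0.2.200",  "XC", "allow"),   # country is not blocked
]

def triage(flows, blocked, exclusions):
    """Label every allowed flow to a blocked country with a verdict."""
    seen = set()      # remote IPs the firewall has already had a chance to cache
    findings = []
    for ts, ip, country, action in sorted(flows):
        first_contact = ip not in seen
        seen.add(ip)
        if country not in blocked or action != "allow":
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in exclusions):
            verdict = "excluded"        # allowed by design (step 5)
        elif first_contact:
            verdict = "first-contact"   # expected per the note
        else:
            verdict = "investigate"     # repeat allow: check mode, rules, database status
        findings.append((ts, ip, verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(FLOWS, BLOCKED, EXCLUSIONS):
        print(*finding)
```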

Security Services > Botnet Filter

The Botnet Filtering feature allows administrators to block connections to or from Botnet command and control servers.

To configure Botnet filtering, perform the following steps:

1. Enable Block connections to/from Botnet Command and Control Servers to block all servers that are designated as Botnet servers. Use the exclusion list below to exclude approved IP addresses.
2. Select one of the two modes of Botnet Filtering:
   All: All connections to and from the specified countries are blocked.
   Firewall Rule-Based: Only connections that match an access rule configured on the appliance will be blocked.
3. Select Enable logging to log Botnet Filter-related events.
4. Optionally, you can configure an exclusion list to allow all connections to approved IP addresses. To do so, go to the Botnet Exclusion Object pulldown menu and select an address object or address group.
 
Note: If you believe that a certain address is marked as a botnet incorrectly, or if you believe an address should be marked as a botnet, report this issue using the SonicWALL Botnet IP Status Lookup tool at:
http://botnet.global.sonicwall.com/

Checking Geographic Location and Botnet Server Status

The Botnet Filter also provides the ability to look up IP addresses to determine the domain name, DNS server, the country of origin, and whether or not it is classified as a Botnet server. To do so, perform the following steps:

1. Scroll to the bottom of the Security Services > Botnet Filter page.
2. Enter the IP address in the Lookup IP field and click Go.

Details on the IP address are displayed below the Result heading.

 
Note: This Geo Location and Botnet Server status tool can also be accessed from the System > Diagnostics page.