Security_Services_GeoIP
Topics:
• Security Services > Geo-IP Filter
• Security Services > Botnet Filter
Security Services > Geo-IP Filter
The Geo-IP Filter feature allows you to block connections to or from a geographic location. The Dell/SonicWALL network security appliance uses the IP address to determine the location of the connection.
Topics:
• Configuring Geo-IP Filtering
To configure Geo-IP Filtering, perform the following steps:
1. Navigate to the Security Services > Geo-IP Filter page.
2. To block connections to and from specific countries, select the Block connections to/from countries listed in the table below option.
3. Select one of the following two modes for Geo-IP Filtering:
• All Connections: All connections to and from the firewall are filtered.
• Firewall Rule-Based Connections: Only connections that match an access rule configured on the firewall are filtered.
4. If you want to block all connections when the Geo-IP database is not downloaded, select the Block all connections to public IPs if Geo-IP DB is not downloaded option.
5. To log Geo-IP Filter-related events, select Enable logging.
6. Under Countries, in the Blocked Country table, select the countries to be blocked. Clicking the checkbox at the top of the table selects all countries, and then you can select countries to be included.
7. If you want to block any countries that are not listed, select the Block ALL UNKNOWN countries option.
8. Optionally, you can configure an exclusion list to allow all connections to approved IP addresses. To do so, go to the Geo-IP Exclusion Object pulldown menu and select an address object or address group. All IP addresses in the address object or group will be allowed, even if they are from a blocked country.
For this feature to work correctly, the country database must be downloaded to the appliance. The Status indicator at the top right of the page turns yellow if this download fails. Green status indicates that the database has been successfully downloaded. Click the Status button to display more information.
For the country database to be downloaded, the appliance must be able to resolve the address, "geodnsd.global.sonicwall.com".
When a user attempts to access a web page that is from a blocked country, a block page is displayed on the user’s web browser.
Note: If a connection to a blocked country is short-lived, and the firewall does not have a cache for the IP address, then the connection may not be blocked immediately. As a result, connections to blocked countries may occasionally appear in the App Flow Monitor. However, additional connections to the same IP address will be blocked immediately.
9. Click the Accept button at the top of the page to enable your changes.
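As an added illustration (not SonicWALL code), the following Python model shows how the options in steps 2 through 8 combine for a single remote address, including the exclusion object and the database-not-downloaded case. The evaluation order, the treatment of private ranges, and all names (`GeoIPPolicy`, `evaluate`, the sample database and its placeholder country codes) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 and loopback ranges treated as "not public" in this model (assumption).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class GeoIPPolicy:  # hypothetical container for the options on the Geo-IP Filter page
    blocked_countries: set = field(default_factory=set)  # Blocked Country table
    block_unknown: bool = False        # Block ALL UNKNOWN countries
    block_if_db_missing: bool = False  # Block all connections to public IPs if Geo-IP DB is not downloaded
    exclusions: list = field(default_factory=list)  # networks in the Geo-IP Exclusion Object

def evaluate(policy, ip, geo_db):
    """Return (action, reason) for one remote IP.

    geo_db is a list of (network, country_code) pairs, or None to model a
    country database that has not been downloaded.
    """
    addr = ipaddress.ip_address(ip)
    # Excluded addresses are allowed even if they are from a blocked country.
    if any(addr in net for net in policy.exclusions):
        return ("allow", "exclusion object")
    if any(addr in net for net in PRIVATE_NETS):
        return ("allow", "not a public IP")
    if geo_db is None:
        action = "block" if policy.block_if_db_missing else "allow"
        return (action, "country database not downloaded")
    country = next((code for net, code in geo_db if addr in net), None)
    if country is None:
        return ("block" if policy.block_unknown else "allow", "unknown country")
    if country in policy.blocked_countries:
        return ("block", "country " + country)
    return ("allow", "country " + country)

# Constructed sample data: documentation address ranges and placeholder country codes.
SAMPLE_DB = [(ipaddress.ip_network("203.0.113.0/24"), "AA"),
             (ipaddress.ip_network("198.51.100.0/24"), "ZZ")]
SAMPLE_POLICY = GeoIPPolicy(blocked_countries={"AA"}, block_unknown=True,
                            block_if_db_missing=True,
                            exclusions=[ipaddress.ip_network("203.0.113.10/32")])

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.5", "192.0.2.1", "10.0.0.5"):
        print(ip, evaluate(SAMPLE_POLICY, ip, SAMPLE_DB))
    # Same address with the database missing: the fail-closed option decides.
    print("198.51.100.5", evaluate(SAMPLE_POLICY, "198.51.100.5", None))
```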
The Geo-IP Filter page has a Diagnostics section containing the following:
• Check GEO Location Server Lookup
When you click on the Show Resolved Locations button, a table of IP addresses by country is displayed.
The Geo-IP Cache Statistics table contains this information:
• Location Server IP
• Resolved Entries
• Unresolved Entries
• Current Entry Count
• Max. Entry Count
• Location Max. Count
Check GEO Location Server Lookup
The Botnet Filter also provides the ability to look up IP addresses to determine the country of origin and whether or not it is classified as a Botnet server.
Note: The GEO Location Server Lookup tool can also be accessed from the System > Diagnostics page.
To look up a GEO server, perform the following steps:
1. Scroll to the Check GEO Location Server Lookup section at the bottom of the Security Services > Geo-IP Filter page.
2. Enter the IP address in the Lookup IP field and click Go.
Details on the IP address are displayed below the Result heading.
Security Services > Botnet Filter
The Botnet Filtering feature allows you to block connections to or from Botnet command and control servers.
Topics:
• Configuring Botnet Filtering
To configure Botnet Filtering, perform the following steps:
1. Navigate to the Security Services > Botnet Filter page.
2. To block all servers that are designated as Botnet servers, select the Block connections to/from Botnet Command and Control Servers option.
3. Select one of the following two modes for Botnet Filtering:
• All Connections: All connections to and from the firewall are filtered.
• Firewall Rule-based Connections: Only connections that match an access rule configured on the firewall are filtered.
4. If you want to block all connections when the Botnet database is not downloaded, select the Block all connections to public IPs if BOTNET DB is not downloaded option.
5. Select Enable logging to log Botnet Filter-related events.
6. Optionally, you can configure an exclusion list to allow all connections to approved IP addresses. To do so, go to the Botnet Exclusion Object pull-down menu and select an address object or address group.
7. Click the Accept button at the top of the page to enable your changes.
The Security Services > Botnet Filter page has a Diagnostics section containing:
When you click on the Show Resolved Locations button, a table of IP addresses is displayed, showing whether each address is a Botnet.
The Geo-IP Cache Statistics table contains this information:
• Location Server IP
• Resolved Entries
• Unresolved Entries
• Current Entry Count
• Max. Entry Count
• Location Max. Count
The Botnet Filter also provides the ability to look up IP addresses to determine the country of origin and whether or not it is classified as a Botnet server.
Note: The Botnet Server Lookup tool can also be accessed from the System > Diagnostics page.
To look up a Botnet server, perform the following steps:
1. Scroll to the Check BOTNET Server Lookup section at the bottom of the Security Services > Botnet Filter page.
2. Enter the IP address in the Lookup IP field and click Go.
Details on the IP address are displayed below the Result heading.
Note: If you believe that a certain address is marked as a Botnet server incorrectly, or if you believe an address should be marked as a Botnet server, report this issue at the SonicWALL Botnet IP Status Lookup tool at:
http://botnet.global.sonicwall.com/