Geo IP & Botnet Filter > Settings
The Geo IP & Botnet Filter > Settings page is used to enable or disable the Geo IP & Botnet Filter, manage its cache, and add, edit, or delete access policies. The Geo IP & Botnet Filter > Settings page contains three tabs:
• General Settings
• Cache Management
• Access Policies
Use the General Settings section of the Geo IP & Botnet Filter > Settings page to globally enable or disable the Geo IP & Botnet Filter, which is disabled by default.
Note: To check manually whether a specific IP address is identified as a Botnet IP address, use the Botnet Test diagnostic tool on the System > Diagnostics page.
To enable the Geo IP & Botnet Filter:
1. Check the Enable Geo IP & Botnet Filter check box to enable this feature. When enabled, a Location column is added to the NetExtender > Status, Virtual Assist > Status, Virtual Meeting > Status, and User > Status pages that identifies the location of users’ source IP addresses. Mousing over an icon in the Location column displays the Region and Country of the source IP.
2. Click Accept.
When this feature is enabled, the General Settings section displays four sub-features that can be individually enabled or disabled:
• Logging of Geo IP – When Logging of Geo IP is enabled, the Geo IP & Botnet Filter > Log, End Point Control > Log, Web Application Firewall > Log, and Log > View pages display information identifying the geographical location of the source IP for each event log message. This sub-feature is enabled by default.
• Access Control of Geo IP – When Access Control of Geo IP is enabled, the Geo IP Policy is enforced. This sub-feature is enabled by default.
• Logging of Botnet Filter - When Logging of Botnet Filter is enabled, traffic from each IP address is logged at most once per second, whether it is denied or allowed. For example, if several packets from one IP address arrive within the same second, only a single log message is generated for that traffic. This sub-feature is disabled by default.
• Access Control of Botnet Filter - When Access Control of Botnet Filter is enabled, all traffic from Botnet IPs is denied, and the Botnet Policy is enforced. When disabled, all traffic from Botnet IPs is allowed and the Botnet Filter operates in Detect mode. This sub-feature is disabled by default. Because both Botnet Filter sub-features are disabled by default, enabling the Geo IP & Botnet Filter on its own neither logs nor blocks Botnet traffic; enable Logging of Botnet Filter first to see, in Detect mode, what Access Control would deny before turning it on.
Use the Cache Management section of the Geo IP & Botnet Filter > Settings page to configure how this feature behaves when the backend server is unreachable.
The Geo IP & Botnet Filter uses the Dell SonicWALL maintained backend server to identify the geographical location of an IP address and whether it is a known Botnet IP. For better performance, this information is cached temporarily on the SRA appliance, and the cached copy is also what the appliance falls back on when the backend server is unavailable. Use the Maximum Cache Lifetime setting to control how long cached data is used before it is refreshed from the backend server.
To configure Geo IP & Botnet Filter cached information:
1. Check the Enable Offline Mode check box to keep using expired cached Geo IP & Botnet data whenever the Dell SonicWALL backend server cannot be reached. If Offline Mode is not enabled, expired cached data is removed, and no verdict is available for that address until the backend server can be reached again. Note the trade-off: with Offline Mode, an address added to the Botnet database after its cache entry was stored is not recognized as a Botnet IP until the backend server is reachable again.
2. In the Maximum Cache Lifetime field, type the maximum hours that cached Geo IP & Botnet Filter data is retained. The default lifetime is 12 hours.
3. Click Accept.
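The cache behaviour described in the Cache Management steps above, as an added illustrative model (not SonicWALL SRA code). The GeoBotCache class, the backend callable that raises ConnectionError when the backend server is unreachable, the (country, is_botnet) record shape, and the injected clock are all assumptions made for the example; the sample backend answer is constructed.

```python
"""Model of the Geo IP & Botnet Filter cache with Offline Mode.

Added example for this page, not SonicWALL SRA code. The class, the
backend callable and the (country, is_botnet) record shape are assumptions.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Record = Tuple[str, bool]   # assumed shape: (country code, listed as Botnet IP)


@dataclass
class CacheEntry:
    record: Record
    stored_at: float        # seconds, read from the cache's clock


class GeoBotCache:
    def __init__(self, backend: Callable[[str], Record],
                 max_cache_lifetime_hours: float = 12.0,   # page default: 12 hours
                 offline_mode: bool = False,
                 clock: Callable[[], float] = time.time):
        self.backend = backend           # raises ConnectionError when unreachable
        self.max_lifetime = max_cache_lifetime_hours * 3600
        self.offline_mode = offline_mode
        self.clock = clock
        self.entries: Dict[str, CacheEntry] = {}

    def _expired(self, entry: CacheEntry) -> bool:
        return self.clock() - entry.stored_at > self.max_lifetime

    def lookup(self, ip: str) -> Optional[Record]:
        """Return the record for ip, or None when no verdict is available."""
        entry = self.entries.get(ip)
        if entry is not None and not self._expired(entry):
            return entry.record                      # fresh hit, backend not contacted
        try:
            fresh = self.backend(ip)                 # expired or missing: refresh
        except ConnectionError:
            fresh = None
        if fresh is not None:
            self.entries[ip] = CacheEntry(fresh, self.clock())
            return fresh
        if entry is not None and self.offline_mode:
            return entry.record                      # Offline Mode: keep using expired data
        self.entries.pop(ip, None)                   # otherwise expired data is removed
        return None


def demo() -> Dict[str, object]:
    """Drive two caches (Offline Mode off/on) through expiry and an outage."""
    now = [0.0]
    reachable = [True]
    calls = [0]
    data = {"203.0.113.7": ("CN", True)}             # constructed backend answer

    def backend(ip: str) -> Record:
        if not reachable[0]:
            raise ConnectionError("backend server unreachable")
        calls[0] += 1
        return data[ip]

    def clock() -> float:
        return now[0]

    strict = GeoBotCache(backend, 12, offline_mode=False, clock=clock)
    lenient = GeoBotCache(backend, 12, offline_mode=True, clock=clock)

    out: Dict[str, object] = {}
    out["first"] = (strict.lookup("203.0.113.7"), lenient.lookup("203.0.113.7"))
    out["repeat"] = (strict.lookup("203.0.113.7"), lenient.lookup("203.0.113.7"))
    out["backend_calls"] = calls[0]                  # one per cache; repeats served locally
    now[0] = 13 * 3600                               # past the 12 h Maximum Cache Lifetime
    reachable[0] = False                             # backend server goes away
    out["after_expiry_offline"] = (strict.lookup("203.0.113.7"),
                                   lenient.lookup("203.0.113.7"))
    out["strict_still_cached"] = "203.0.113.7" in strict.entries
    return out
```

With Offline Mode off, the expired entry is dropped as soon as the refresh fails and the appliance has no verdict for the address; with Offline Mode on, the stale record is still returned, including its possibly outdated Botnet status.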
Use the Access Policies section of the Geo IP & Botnet Filter > Settings page to view, add, edit, and delete Geo IP and Botnet Filter access policies. Up to a total of 64 Geo IP and Botnet Filter access policies can be created.
Each policy is automatically assigned a distinct priority, with 1 being the highest. Policies are enforced in priority order, and the list on the Settings page shows them in that order.
• Botnet Filter policies have a higher priority than Geo IP policies. Geo IP policies are prioritized by the time they were created with those created first having the higher priority.
• Botnet Filter policies defined for a single IP address have a higher priority than Botnet Filter policies defined for a subnet, and each type is then prioritized based on the time they were created with those created first having the higher priority.
• Custom policies are enforced before the SonicWALL Botnet Filter database is consulted. If an IP address is listed in the Botnet Filter database but the administrator defines an allow policy for that IP, access from the IP is allowed.
A policy can be modified by clicking the edit button in its row; the policy name cannot be changed.
A policy can be deleted by clicking the delete button in its row.
To create a new access policy, click the Add policy button on the Geo IP & Botnet Filter > Settings page. Two types of policies can be added:
• Geo IP Policy
A Geo IP policy allows or denies traffic from specified countries.
• Botnet Policy
A Botnet Policy allows or denies access from a specified IPv4 address or IPv4 subnet. The limit of 64 policies applies to Geo IP and Botnet policies combined.
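The priority rules above and the two policy types, as an added illustrative model of the enforcement order (not SonicWALL SRA code). The Policy class, the use of a creation counter in place of creation time, the two-letter country code as the Geo IP target, and the allow-by-default outcome when nothing matches are assumptions of the model; the policies and the Botnet database contents are constructed.

```python
"""Model of how Geo IP & Botnet Filter access policies are ordered and enforced.

Added example for this page, not SonicWALL SRA code. The class and function
names, the creation counter standing in for creation time, and the
allow-by-default fall-through are assumptions of the model.
"""
import ipaddress
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterable, List, Set, Tuple

_creation_order = count(1)   # monotonically increasing; stands in for creation time


@dataclass
class Policy:
    kind: str     # "botnet" or "geoip"
    action: str   # "allow" or "deny"
    target: str   # botnet: IPv4 host or subnet; geoip: country code (assumed format)
    created: int = field(default_factory=lambda: next(_creation_order))

    def matches(self, ip: str, country: str) -> bool:
        if self.kind == "geoip":
            return country == self.target
        net = ipaddress.ip_network(self.target, strict=False)
        return ipaddress.ip_address(ip) in net


def priority_key(p: Policy) -> Tuple[int, int, int]:
    """Lower tuple sorts first: Botnet before Geo IP, single host before subnet,
    then oldest first (the page: policies created first have higher priority)."""
    if p.kind == "botnet":
        is_host = ipaddress.ip_network(p.target, strict=False).prefixlen == 32
        return (0, 0 if is_host else 1, p.created)
    return (1, 0, p.created)


def prioritize(policies: Iterable[Policy]) -> List[Policy]:
    """Return policies in enforcement order; index 0 corresponds to priority 1."""
    ordered = sorted(policies, key=priority_key)
    if len(ordered) > 64:
        raise ValueError("at most 64 Geo IP and Botnet Filter policies in total")
    return ordered


def evaluate(ip: str, country: str, policies: Iterable[Policy], botnet_db: Set[str],
             botnet_access_control: bool = True,
             geoip_access_control: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason). Custom policies are consulted before the Botnet
    database; a sub-feature whose Access Control is disabled contributes nothing."""
    for p in prioritize(policies):
        if p.kind == "botnet" and not botnet_access_control:
            continue
        if p.kind == "geoip" and not geoip_access_control:
            continue
        if p.matches(ip, country):
            return p.action, f"{p.kind} policy {p.target} ({p.action})"
    if ip in botnet_db:
        if botnet_access_control:
            return "deny", "Botnet database"
        return "allow", "Botnet database (Detect mode, access control off)"
    return "allow", "no matching policy (assumed default)"


def demo() -> Tuple[List[str], Dict[str, Tuple[str, str]]]:
    policies = [
        Policy("geoip", "deny", "RU"),                # created 1st
        Policy("botnet", "deny", "203.0.113.0/24"),   # created 2nd (subnet)
        Policy("botnet", "allow", "203.0.113.7"),     # created 3rd (single host)
    ]
    botnet_db = {"198.51.100.9", "203.0.113.7"}       # constructed sample database
    order = [p.target for p in prioritize(policies)]
    results = {
        # host allow outranks the older subnet deny and the database listing
        "host_allow_wins": evaluate("203.0.113.7", "RU", policies, botnet_db),
        "subnet_deny": evaluate("203.0.113.8", "US", policies, botnet_db),
        "database_deny": evaluate("198.51.100.9", "US", policies, botnet_db),
        "detect_mode": evaluate("198.51.100.9", "US", policies, botnet_db,
                                botnet_access_control=False),
        "geoip_deny": evaluate("192.0.2.1", "RU", policies, botnet_db),
    }
    return order, results
```

The single-host allow policy was created last, yet it sorts to priority 1 and overrides both the older subnet deny and the database listing for 203.0.113.7, which is the behaviour the priority rules describe; with Access Control of Botnet Filter off, the same database hit is allowed in Detect mode.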