GEO-IP and "Europe" tag
RedNet
Hi,
For the first time I used the "Europe" tag on a GEO blocking rule - WAN to WAN.
However it still blocks Ireland and the UK... and probably more Euro continent countries if I left it applied longer.
Can you confirm what the "Europe" geo ip group contains, entire continent of Europe, mainland Europe, Eurozone EU... nothing?
TZ 500 on Firmware Version:SonicOS Enhanced 6.5.4.4-44n
Category: Firewall Security Services
Comments
@RedNet Hi !
On SMA the geofilter looks like Europe is a group of countries, but in the firewall, as you see, I think Europe stands for .eu only instead of the European member states.
-- Thomas
Hi guys,
I guess it depends on how the GeoIP provider (MaxMind, etc.) which is used by SNWL classified it. Or relying on the IP registry (RIPE etc.) whois information.
I checked 92.123.212.56 a minute ago, it was classified as EU and the whois information shows EU as country as well.
So EU is no group for that matter.
--Michael@BWC
But "Europe" on the firewall's Geo-IP table is an option, so what does it contain? One would assume it is the continent of Europe and groups all countries within. Obviously this is not the case, as in my example Ireland is being blocked.
I have a tech support ticket open to get clarification - they sent me a link to a KB article about requesting an IP location change.
My ticket was clearly described with nice screenshots, this query should be easy to answer... obviously they didn't bother reading it correctly.
@ThK Thanks for the response, but .eu sites would relate to CFS, not GEO-IP filters for access rules. Yes, I am asking what group of countries Europe is; it's clearly not one containing the EU and European continent country of Ireland, as in my example they are blocked when "Europe" is applied as a filter (even though the SonicWall geo-ip filter test identifies the IPs as Ireland).
Hi @RedNet
As mentioned before, my best guess is that the GeoIP-Filter just reflects what's provided in the IP registry database.
So no grouping at this point.
Or did I get it wrong and you blocked Europe and Ireland was blocked?
--Michael@BWC
Ah, I get what you are saying now, so for some IPs the country tag is marked as "Europe" in the registration DBs?
I only allowed Europe and my Ireland IP was blocked.
Why isn't it checking the continent code described here?
I cannot check MaxMind's DB but I can look at the continent code from whois using whois:
The IPs from Ireland which were blocked return the "EU" continent code using whois, one example.
An example of the same from one IP in your range does not state Europe either as country (Germany):
Hi @RedNet
I don't know what the GeoIP source for SNWL is using, maybe someone from SNWL can disclose this.
My example above was directly out of the RIPE database, maybe ipwhois does have more accurate information. iplocation.net for example showed UK as country.
But if you just block Europe on the SNWL then your addresses recognized as IE IMHO shouldn't match. If you double check on Manage -> Security Services -> GEO-IP Filter / Diagnostics (show resolved locations).
--Michael@BWC
No worries, thanks for the input. I had never seen "Europe" as a tag for the country field of an IP in the RIPE db. So, I'm sure you are correct and that's probably what it is. I just assumed SonicWALL had just created a GEO-IP group for all of the EU countries instead of having to add them all individually.
What was the conclusion to this?
My guess is that "Europe" is used where an IP is suspected to be in Europe but can't be more specifically located. I can't verify this though, because I've never been able to get an IP to come up as "Europe"!
Support have confirmed that's what this is. It should really have a different name to avoid confusion.
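
The behaviour the thread settles on, as an added example that is not part of the original posts and not SonicWall code: it reads the `country:` attribute from whois-style records and compares an allow rule under literal-label matching with the "group of countries" reading, listing the addresses where the two disagree. The label-to-code maps, the partial country group and the sample records (documentation IP ranges) are constructed assumptions.

```python
import re

# Constructed whois-style objects on documentation ranges; not real registry data.
SAMPLE_WHOIS = {
    "192.0.2.10": "inetnum: 192.0.2.0 - 192.0.2.127\nnetname: EXAMPLE-A\ncountry: IE\n",
    "198.51.100.7": "inetnum: 198.51.100.0 - 198.51.100.255\nnetname: EXAMPLE-B\ncountry: EU # region only\n",
    "203.0.113.5": "inetnum: 203.0.113.0 - 203.0.113.255\nnetname: EXAMPLE-C\nCountry:   de\n",
    "192.0.2.200": "inetnum: 192.0.2.128 - 192.0.2.255\nnetname: EXAMPLE-D\n",  # no country
}

# First "country:" attribute; [ \t]* keeps the match on the same line.
COUNTRY_RE = re.compile(r"^country:[ \t]*([A-Za-z]{2})\b", re.IGNORECASE | re.MULTILINE)

def registry_country(whois_text):
    """Return the upper-cased two-letter country attribute, or None if absent."""
    m = COUNTRY_RE.search(whois_text)
    return m.group(1).upper() if m else None

# Assumption from the thread: "Europe" is one location value ("EU"), not a group.
LITERAL_LABELS = {"Europe": {"EU"}, "Ireland": {"IE"}, "Germany": {"DE"}}
# Hypothetical reading the original poster expected (partial list, for illustration).
GROUP_LABELS = {**LITERAL_LABELS, "Europe": {"EU", "IE", "DE", "GB"}}

def decide(ip, allowed_labels, label_map=LITERAL_LABELS):
    """Allow-list verdict for one address; unknown locations are blocked."""
    allowed = set()
    for label in allowed_labels:
        allowed |= label_map.get(label, set())
    return "allow" if registry_country(SAMPLE_WHOIS[ip]) in allowed else "block"

def surprises(allowed_labels):
    """Addresses whose verdict differs between literal and group semantics."""
    return sorted(
        ip for ip in SAMPLE_WHOIS
        if decide(ip, allowed_labels) != decide(ip, allowed_labels, GROUP_LABELS)
    )

if __name__ == "__main__":
    for ip in SAMPLE_WHOIS:
        print(ip, registry_country(SAMPLE_WHOIS[ip]), decide(ip, ["Europe"]))
    print("differs from group reading:", surprises(["Europe"]))
```

Under the literal reading, an allow rule needs each required country listed alongside "Europe"; the Diagnostics check mentioned above shows which location the firewall itself resolves for a given address.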