Is this how you are supposed to allow exceptions in GeoBlocking?
I'm hoping someone can either take this up with SonicWall higher-ups or set me straight on how I'm not doing things properly.
I have GeoBlocking turned on for my TZ appliance for a large part of the world that I don't believe should have access to the device, nor should I be visiting.
And yet, having this turned on "high" prevents me from getting to certain websites that are - surprisingly and mysteriously - hosted in other countries (despite listing a US address).
To find out what I have to enable, I log into the SonicWall device and go to Log - Log Monitor. I take note of the IP address and country being blocked. I then open up another browser window to double-check the IP address with UltraTools to ensure the IP and country match the log, then again to obtain the IP range and associated company (if needed).
Then it's back to the SonicWall, this time to Network - Address Objects - Address Objects to add this entry. And then to Address Groups to update the default GeoBlocking exclusion group.
I'm looking for a better, faster way to do this. As a Request for Enhancement, I'd dream of a one-click that would automatically ascertain the IP and add it to the GeoBlocking group.
But, more importantly, is this the "standard" or prescribed way of poking holes in a heightened secure zone?
GeoIP is a dilemma of its own, and due to routing, Anycast or whatnot wizardry the accuracy can sometimes be not so good.
I can't tell which database SNWL is using; opening a ticket for each "misplaced" Geo Location could be one option, but I'm not sure how SNWL handles these requests.
Excluding wrongly categorized addresses like you do is an option; using Custom Lists and putting the IP in the correct Country would be another way. But at the end of the day you have to maintain these lists. The best way to avoid having tons of objects in the firewall would probably be the use of Dynamic External Objects Groups (DEAG); you could create your own workflow to maintain these lists.
Interesting concept; however, just as much - if not more - work to maintain the list. And then there's the wait time for the update.
Thinking about this, though.
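
A sketch of the "own workflow" idea from the DEAG reply above, added here as an example and not taken from the thread or from SonicWall: it validates reviewed exception entries, rejects anything too broad to be a sensible GeoBlocking exclusion, and renders a deduplicated list for publishing as an external file. The one-entry-per-line output format, the /24 limit, and all addresses are assumptions or constructed values; check the appliance documentation for the file format it actually accepts.

```python
import ipaddress

# Constructed review entries: (address or CIDR, note from the log review).
CONSTRUCTED_ENTRIES = [
    ("203.0.113.10", "vendor portal, seen in Log Monitor"),
    ("203.0.113.20", "same vendor, second host"),
    ("198.51.100.0/25", "hosting range from the IP lookup"),
    ("198.51.100.128/25", "hosting range, other half"),
    ("203.0.113.10", "duplicate from a later review"),
    ("203.0.0.0/8", "whole allocation pasted by mistake"),
    ("not-an-ip", "paste error"),
]

MIN_PREFIX = 24  # assumption: never exclude anything wider than a /24


def build_exclusion_list(entries, min_prefix=MIN_PREFIX):
    """Return (lines, rejected) for a list of (text, note) entries.

    lines    -- sorted, deduplicated, collapsed IPv4 entries as strings
    rejected -- (text, reason) pairs that need a human to look again
    """
    accepted, rejected = [], []
    for raw, _note in entries:
        try:
            # strict=True refuses CIDRs with host bits set (likely typos).
            net = ipaddress.IPv4Network(raw.strip(), strict=True)
        except ValueError as exc:
            rejected.append((raw, f"invalid: {exc}"))
            continue
        if net.prefixlen < min_prefix:
            # A wide exclusion quietly undoes the country block.
            rejected.append((raw, f"too broad: /{net.prefixlen} < /{min_prefix}"))
            continue
        accepted.append(net)
    # collapse_addresses drops duplicates and merges adjacent ranges.
    collapsed = ipaddress.collapse_addresses(accepted)
    lines = [str(n.network_address) if n.prefixlen == 32 else str(n)
             for n in collapsed]
    return lines, rejected


if __name__ == "__main__":
    lines, rejected = build_exclusion_list(CONSTRUCTED_ENTRIES)
    print("\n".join(lines))
    for raw, reason in rejected:
        print(f"# REJECTED {raw}: {reason}")
```

Keeping the notes alongside each entry in the source list gives a record of why every hole in the GeoBlocking policy exists, which makes periodic pruning possible.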