TZ670, SonicOS 7.0.0-R906: Geo-IP filter exclusion using wildcard FQDN does not work
I'm hoping someone can help me with setting up Geo-IP filter exclusion by using FQDN rather than IP addresses.
Our AV uses an agent which communicates with cloud services to log messages and alerts to our web console. The domains it communicates with are Akamaized so they may resolve to various IPs. A few of the IPs it uses quite often are located in Spain, which is set to be blocked through Geo-IP filter. We believe this causes the issue we have with the agents not communicating with our console.
The address object using a wildcard FQDN and placed in the exclusion group applied to the filter does not seem to work, as the IP addresses of the subdomains are still blocked and traffic is dropped by the FW, as seen in Monitor / System Logs.
This is what I have set up at the moment:
- Address Objects created with wildcard FQDN like so: *.domain-name.com and assigned to the zones where traffic originates from.
- Objects above added to the Address Group which is used as exclusion group under Policy / Security Services / Geo-IP Filter / Countries / GEO-IP EXCLUSION OBJECT
What I want to do:
I want to use the FQDN with a wildcard to make sure the exclusions are dynamic as IPs may resolve to various locations.
I found a post with a similar problem and a workaround proposed in the reply linked below. However, users reported the issue was resolved with a firmware patch in SonicOS version 6.x.x. I am using version 7 and would expect this to work in the newer version; however, it does not seem to. I suspect there is a configuration somewhere which would enable resolving FQDNs used in Address Objects.
The setting suggested in the post above is not enabled on my FW; would this (i.e. enabling the ENABLE DNS HOST NAME LOOKUP OVER TCP FOR FQDN option) be the correct way to enable exclusions which use FQDNs?
This is a FW which is in production; as most staff work remotely now, I can't do too much in terms of testing and messing about with various settings.
Screenshots with the config below. I have edited out some info which has internal setup details (IPs, etc.), but I left the important settings visible.
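An added example, not part of the original post and not SonicWall's code: a small Python model of why a static IP exclusion falls behind an Akamaized hostname while an FQDN-based exclusion keeps up, and why an FQDN address object that never resolves behaves like an empty one. The country table, hostnames, IPs and the simplified drop-log lines are all constructed for the example (not SonicWall's Geo-IP data or real log format), and whether *.domain covers the bare apex is modelled as a parameter rather than asserted about SonicOS.

```python
import ipaddress
import re

# Constructed country-to-prefix table (hypothetical; not SonicWall's Geo-IP database).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "ES",
    ipaddress.ip_network("192.0.2.0/24"): "ES",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}
BLOCKED_COUNTRIES = {"ES"}


def country_of(ip):
    """Look up the (constructed) country code for an IP; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def fqdn_matches(pattern, host, include_apex=True):
    """'*.example.com' covers every subdomain; include_apex also covers the bare
    'example.com'. Covering the apex is an assumption modelled on the thread's
    tracert result, not a statement of documented SonicOS behaviour."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return host.endswith("." + base) or (include_apex and host == base)
    return pattern == host


def decide(dst_ip, exclusions, dns_cache):
    """Return 'allow' or 'drop' for one outbound packet.
    exclusions: list of ('ip', '203.0.113.5') or ('fqdn', '*.example.com').
    dns_cache: {hostname: set(ips)} -- the addresses the firewall has resolved.
    An FQDN address object can only exclude IPs present in this cache, so an
    FQDN object that is never resolved excludes nothing."""
    for kind, value in exclusions:
        if kind == "ip" and value == dst_ip:
            return "allow"
        if kind == "fqdn":
            for host, ips in dns_cache.items():
                if fqdn_matches(value, host) and dst_ip in ips:
                    return "allow"
    return "drop" if country_of(dst_ip) in BLOCKED_COUNTRIES else "allow"


def simulate():
    """Contrast static IP exclusions with an FQDN exclusion as DNS answers change."""
    agent_host = "agent.example.com"        # hypothetical Akamaized hostname
    monday = {agent_host: {"198.51.100.10", "203.0.113.20"}}
    tuesday = {agent_host: {"192.0.2.30"}}   # CDN moved the record to a new Spanish IP
    static_excl = [("ip", ip) for ip in monday[agent_host]]
    fqdn_excl = [("fqdn", "*.example.com")]
    return {
        "static_monday": decide("198.51.100.10", static_excl, monday),
        "static_tuesday": decide("192.0.2.30", static_excl, tuesday),  # stale list: dropped
        "fqdn_tuesday": decide("192.0.2.30", fqdn_excl, tuesday),      # follows DNS: allowed
        "fqdn_unresolved": decide("192.0.2.30", fqdn_excl, {}),        # the thread's symptom
    }


# Constructed, simplified drop-log lines (not SonicWall's real log format).
SAMPLE_LOG = """\
Geo-IP Filter: packet dropped src=10.0.5.14 dst=198.51.100.10 country=ES
Geo-IP Filter: packet dropped src=10.0.5.14 dst=192.0.2.30 country=ES
Geo-IP Filter: packet dropped src=10.0.9.2 dst=198.51.100.77 country=ES
"""

DROP_RE = re.compile(r"Geo-IP Filter: packet dropped .*?dst=(\d+\.\d+\.\d+\.\d+)")


def drops_that_exclusion_should_cover(log_text, pattern, dns_cache):
    """IPs dropped by Geo-IP that belong to a host the wildcard exclusion matches.
    Any hit means the FQDN exclusion is not being applied to resolved addresses."""
    covered = {ip for host, ips in dns_cache.items()
               if fqdn_matches(pattern, host) for ip in ips}
    hits = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m and m.group(1) in covered:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print(simulate())
    cache = {"agent.example.com": {"198.51.100.10", "192.0.2.30"}}
    print(drops_that_exclusion_should_cover(SAMPLE_LOG, "*.example.com", cache))
```

To use the log check against a real firewall, replace SAMPLE_LOG with exported drop entries and dns_cache with the addresses the hostname currently resolves to from the firewall's own vantage point (the answer differs by location, as the thread shows); every IP the check returns is one the exclusion should have covered but did not.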
I would recommend going to Firmware version 22.214.171.124XX. It introduced many fixes and may include a fix for what you are describing.
Thanks for a reply. I was hoping there would be some configuration that I have maybe missed. It won't be easy to get the firewalls upgraded with everyone working remotely, it'll probably end up being a weekend job at some point.
I will look up release notes and see what has been fixed, maybe it is just a matter of upgrading the firmware.
Am I correct in assuming that the current settings should work fine for Geo-IP filter exclusion? Or is someone able to confirm that the filtering works on wildcard FQDNs too and not just IP addresses?
I have wildcard FQDN exclusions to many Microsoft domains, but most are hosted in the USA anyway. I have Address Objects in the Default GEOIP & BOTNET Exclusion group.
If you provide an address to test with I can report my findings (I am on a TZ570 w/ 126.96.36.199xx).
Thanks for the offer, I really appreciate it. Are you based in the USA? For me the domain resolves to an IP in Spain; it could be different for you based on location, as they have servers spread out across a few countries.
But either way, if you want to, try *.pandasecurity.com; I'm not sure where the IP address will be based for you. I also have this wildcard FQDN as an address object added to the default group, with a zone set to where the traffic is originating from, i.e. my hosts on various VLANs.
I am in the USA and the pandasecurity.com IP is identified as Spain by the SonicWall. The www.pandasecurity.com IP is identified as in the USA (Akamaized and geo-redundant).
I can browse to www.pandasecurity.com but it is relatively slow to load; currently unable to tracert to pandasecurity.com per our GeoIP rules.
I added *.pandasecurity.com as an FQDN Address Object, and the AO to the Default GEOIP & BOTNET Exclusion Group.
Retesting www.pandasecurity.com website performs much faster; able to tracert to pandasecurity.com.
Again this is on a TZ570 running 188.8.131.522.
Hope that helps.
Thank you so much, I really appreciate it. It seems like the firewalls may need an upgrade here; it looks like a bug in the version I am running.
I will update the thread once I've had a chance to do the upgrade and re-test. It will probably be in a couple of weeks or so. Got to do it over the weekend at some point.
Thank you again for your time and help.