TZ 600 When are Geo-IP Blocked Countries connections Blocked

I am reviewing logs that show almost every action taken by the TZ 600. What I see is that a connection from a blocked country is Accepted then Dropped in two separately logged items. When I do a search for an IP address I know should be blocked, there are two entries for every attempt.

Is this correct?

Does the firewall have to accept the connection on the WAN side before it can determine if it should be blocked?

Category: Entry Level Firewalls

Best Answer

  • CORRECT ANSWER
    Saravanan, Moderator
    Accepted Answer

    Hi @MATT,

    Thank you for visiting SonicWall Community.

    There may be a single log entry or multiple log entries depending upon the number of hits from the external IP. SonicWall would allow the connections after passing the traffic to all its security engines and verifying that the access is allowed. If the access is denied, it would just drop the packets before a successful connection is established. The Packet Monitor option on the SonicWall would be able to show any connection establishment and drop for better understanding.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

Answers

  • Matt, Newbie ✭

    Hello Saravanan,

    You wrote

    "SonicWall would allow the connections after passing the traffic to all its security engines and verifying that the access is allowed."

    I guess the definition of "allow the connections" is what I am getting at. It appears the SonicWall allows the connection to the firewall in order to review the full packet, but does not "allow the connections" to whichever internal device unless all the security tests are passed. If any of the tests fail, the connection to the firewall is dropped.

    If this is correct, then that makes sense. The full packet needs to be reviewed before all the tests can verify or not.

    For some reason I was thinking that packets from certain IP addresses (listed as bad or not on the Approved Geo-IP list) would not even be allowed to enter the firewall.

    I appreciate your quick response and I will do some packet monitoring to understand the process better.


    Thanks,

    Matt R.

  • Saravanan, Moderator

    Hi @MATT,

    You absolutely got my point. For the firewall to validate any traffic, it has to pass the traffic to the security engines and confirm if some suspicious stuff is happening or a block policy is hit, etc. It is also the responsibility of the firewall to report such events; otherwise the network admin wouldn't get to know.

    So, technically, SonicWall restricts the connection if any sort of violation or block policy is hit, and it is not allowed to pass through the network. On account of the connection failure, SonicWall reports the event in its logs.

    Hope this is clear. Please let me know for any questions. Happy to clarify.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
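
The Accepted/Dropped pairing discussed in this thread can be checked mechanically from exported logs. The following is an added example, not code from the thread or from SonicWall: it flags any accept from a blocked source that is not followed promptly by a drop for the same flow. The key=value log layout, the sample lines, the five-second window and the function names are all assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value layout (an assumption,
# not the TZ 600's real log format). Addresses are documentation ranges.
SAMPLE_LOG = """\
time=2024-01-01T10:00:00 src=203.0.113.7:40001 dst=192.0.2.10:443 action=accept
time=2024-01-01T10:00:00 src=203.0.113.7:40001 dst=192.0.2.10:443 action=drop
time=2024-01-01T10:00:05 src=198.51.100.9:51515 dst=192.0.2.10:443 action=accept
time=2024-01-01T10:00:09 src=203.0.113.8:40002 dst=192.0.2.10:22 action=accept
time=2024-01-01T10:00:30 src=203.0.113.8:40002 dst=192.0.2.10:22 action=drop
time=2024-01-01T10:01:00 src=203.0.113.9:40003 dst=192.0.2.10:443 action=accept
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Return (timestamp, source IP, flow key, action) or None for other lines."""
    f = dict(FIELD.findall(line))
    if not {"time", "src", "dst", "action"} <= f.keys():
        return None
    ip = ipaddress.ip_address(f["src"].rsplit(":", 1)[0])
    return datetime.fromisoformat(f["time"]), ip, (f["src"], f["dst"]), f["action"]


def unmatched_accepts(log_text, blocked_nets, window_s=5):
    """Accepts from blocked networks with no drop for the same flow in window_s."""
    nets = [ipaddress.ip_network(n) for n in blocked_nets]
    window = timedelta(seconds=window_s)
    pending = {}   # flow key -> time of an accept still waiting for its drop
    findings = []
    for ts, ip, flow, action in filter(None, map(parse, log_text.splitlines())):
        if not any(ip in n for n in nets):
            continue   # source is not on the blocked list; nothing to verify
        if action == "accept":
            if flow in pending:           # earlier accept never got its drop
                findings.append((pending[flow], flow))
            pending[flow] = ts
        elif action == "drop" and flow in pending:
            if ts - pending[flow] > window:
                findings.append((pending[flow], flow))   # drop came too late
            del pending[flow]
    findings.extend((ts, flow) for flow, ts in pending.items())
    return sorted(findings)


if __name__ == "__main__":
    print(unmatched_accepts(SAMPLE_LOG, ["203.0.113.0/24"]))
```

An empty result means every accept from a blocked source was paired with a drop, which is the behaviour described in the accepted answer; anything returned is worth a closer look with packet monitoring.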
