
How to cope with Geo-IP blocking and add exceptions now

Larry All-Knowing Sage ✭✭✭✭

I blocked Germany along with a number of other European countries from a client site based on the current situation.

It turns out they need to get to the Bosch and Miele websites (they are an appliance dealer). While those sites are US-based, their back-ends - apparently - are not.

There seems to be no effective mechanism to say, I don't want ANYTHING in Germany, but - oh, I need to go through this data center in Leipzig because Bosch/Miele uses it for some form of hosting.

Is there any way to keep my client's environment safe and still provide access to these vendor web sites?

Looking for fast, but thorough solutions.

Thanks!

Larry

Category: Entry Level Firewalls

Answers

  • MitatOnge Cybersecurity Overlord ✭✭✭

    Hi @Larry ,

    Actually, there is no easy way for backend servers. 3 ways come to my mind; I used two of these.

    1) A custom list is useful for static backend servers.

    2) An SMA proxy is useful for dynamic backend servers. I used it for universities' global library access for roaming students and academics.


    1) Custom List for backend servers

    I'm currently using the GEO-IP exception list for trusted IPs (I'm searching for and finding all connecting backend servers).

    a) Create an address object with a host IP or network range.

    b) Create and assign it to the "GEO-IP_Exception" group.

    c) Enable the Geo-IP Custom List.

    d) Add "GEO-IP_Exception" as a Trusted Country in the Custom List tab.


    2) SMA proxy in the cloud

    a) You should install SMA as a web proxy on a SaaS platform (Amazon, Azure, etc.).

    b) Create bookmarks for Web applications.

    c) Create an access rule on the firewall for the SMA WAN IP.

    d) Users will access only the SMA IP address. SMA can proxy all websites behind it to Germany.

  • Larry All-Knowing Sage ✭✭✭✭

    @MitatOnge appreciate the response; however, it is not at all applicable to the current situation.

    And I'm certainly not going to add another SonicWall device that has had a slew of problems as a "solution" to this.

  • TKWITS Community Legend ✭✭✭✭✭

    In the GEOIP Countries page there is the Exclusions section. I use the 'Default GEOIP and BOTNET Exclusions Group' as the exclusion object, then add FQDNs and IPs to the group as needed.

    Not sure if there was something else you were looking for.

  • Larry All-Knowing Sage ✭✭✭✭

    @TKWITS Yes, that is what I am using as well.

    However, when I create an FQDN for *.bosch.com and another for bosch.com and add them to an Address Group and then add that to Default Geo, it doesn't work. That's because Bosch uses other data centers in Germany. So the client doesn't get the pop-up window - the browser merely hangs or times out (and I have to search through the log to find the IP address at fault). Do that a couple of dozen times (which means countless IP Address Object entries) and I still can't get every single one covered.

    So I removed Germany from the list just to let them work, and now - I know this to be the case from looking at the logs - various groups are hammering away at the SonicWall and trying to get to the RDP server.

  • TKWITS Community Legend ✭✭✭✭✭
    edited February 16

    Don't forget, if you're using Gen7 with the latest firmware, it's a known bug that wildcard FQDNs don't resolve properly without a www address object created for the domain as well.

    Considering Bosch is fairly large they might be using a CDN or DDOS prevention service. I'd capture some packets while browsing the site to see where traffic is actually flowing to / from.
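Larry's pain point above is digging through the log by hand to find each blocked destination IP before it can be added to the exclusion group. The script below is an added example, not code from the thread or from SonicWall: it parses key=value syslog lines, keeps only the Geo-IP block events for one country, and counts the destination IPs so the most-hit ones can be turned into address objects first. The log lines and the message wording are constructed for illustration and only approximate the real format; the `GeoIP_Exc` naming prefix is a made-up convention.

```python
import re
from collections import Counter

# Constructed sample log lines in a SonicWall-like key=value syslog shape.
# The field layout and msg text are an assumption for illustration, not output from a real unit.
SAMPLE_LOG = """\
id=firewall time="2024-02-16 10:01:02" pri=1 c=32 m=1198 msg="Initiator from country blocked: Responder IP:198.51.100.7 Country Name:Germany" src=192.168.1.20:51123:X0 dst=198.51.100.7:443:X1 proto=tcp/https
id=firewall time="2024-02-16 10:01:03" pri=1 c=32 m=1198 msg="Initiator from country blocked: Responder IP:198.51.100.7 Country Name:Germany" src=192.168.1.20:51124:X0 dst=198.51.100.7:443:X1 proto=tcp/https
id=firewall time="2024-02-16 10:01:09" pri=1 c=32 m=1198 msg="Initiator from country blocked: Responder IP:198.51.100.44 Country Name:Germany" src=192.168.1.31:50211:X0 dst=198.51.100.44:443:X1 proto=tcp/https
id=firewall time="2024-02-16 10:02:15" pri=1 c=32 m=1198 msg="Initiator from country blocked: Responder IP:203.0.113.9 Country Name:France" src=192.168.1.20:51130:X0 dst=203.0.113.9:443:X1 proto=tcp/https
id=firewall time="2024-02-16 10:02:40" pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.1.20:51131:X0 dst=192.0.2.80:443:X1 proto=tcp/https
"""

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
COUNTRY_RE = re.compile(r"Country Name:(.+)$")


def parse_line(line):
    """Split one key=value syslog line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def geoip_blocked_destinations(log_text, country):
    """Count destination IPs that the Geo-IP filter blocked for one country.

    Returns a list of (ip, hit_count) tuples, highest hit count first, so the
    destinations that break the most sessions can be added to the exclusion group first.
    """
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        match = COUNTRY_RE.search(fields.get("msg", ""))
        if not match or match.group(1).strip().lower() != country.lower():
            continue  # not a Geo-IP block, or a block for a different country
        dst = fields.get("dst", "")
        ip = dst.split(":")[0]  # dst is "ip:port:iface"; assumes IPv4 in this field
        if ip:
            hits[ip] += 1
    return hits.most_common()


def address_object_names(log_text, country, prefix="GeoIP_Exc"):
    """Suggest one host address-object name per blocked IP (hypothetical naming convention)."""
    return [f"{prefix}_{country}_{ip}" for ip, _ in geoip_blocked_destinations(log_text, country)]
```

Feed it an exported log instead of SAMPLE_LOG and re-run after each round of browsing; IPs that keep reappearing across runs are the ones worth a permanent exception, while one-off hits are more likely CDN churn.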
