
Tech Tips: Geo-IP And Botnet Filter Diagnostics Options

Hello Everyone,

Geo-IP and Botnet filters have been part of SonicWall's security services for quite some time. We have been using them, but when we need to troubleshoot any issue related to them, the diagnostics options can come in very handy.

Here are the configuration KBs for both features:

Geo-IP:

Botnet Filter:

This new KB regarding the Geo-IP and Botnet Filter Diagnostics Options will clarify some of the intricate details of the feature.

I hope you find this useful!

Thanks!!

Category: Firewall Security Services

Shipra Sahu

Technical Support Advisor, Premier Services

Comments

  • Larry Enthusiast ✭✭

    @shiprasahu93, thanks for this information because it is very informative.

    But I do have a scenario and question about the Geo-IP fencing. If I add a full country to the block list, sometimes I hear back from a client that they can't get to a site, and they've not received any notice from the TZ appliance. I then have to search through the log to see where the incident occurred. Invariably, I have to ask the client's staff member to retry accessing the site because the log doesn't go back far enough. Then I have to add the IP to the exclusion list. Is there any means of obtaining that IP information in a concise, say end-of-day, report/summary?

    Thanks!

  • shiprasahu93 Moderator

    @Larry,

    The reason why the firewall might not be showing any message could be that it is an HTTPS website and the DPI-SSL feature on the firewall is not turned ON. If it is, the error message should show up directly in the browser with the reason for the block, IP, country, etc.

    When this website gets blocked, we can see it in the packet capture or logs, but as you know they are real-time and might not be available later.

    If you have any monitoring tool like Analytics or GMS, the reports can be generated from there.

    Let me check a little bit on my end to see how those reports can be received from the monitoring tool.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • shiprasahu93 Moderator

    @Larry,

    So, this is how I tested it. I blocked the Russian Federation using Geo-IP and accessed the websites vk.com and government.ru, which both belong to that country.

    When I access them over HTTP, you can see that I get the blocked page that tells me why this is being blocked.

    Otherwise it just shows me a connection timeout for HTTPS. I can see the drops in the packet capture and logs, which tell me that this issue is related to Geo-IP and what IP needs to be excluded.

    This firewall is associated with CSC, so I could check what was being blocked under the session logs for blocked traffic.

    We can also schedule daily reports for blocked traffic, as below.

    On GMS, we have a separate section called Geo-IP and that gives initiator and responder IPs at one place specific to Geo-IP alone.

    I hope you find this information useful!

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Saravanan Moderator

    Hi @Larry,

    SonicWall appliances can only store logs for a limited period of time. This is because the GUI log cache is 30,000 bytes for all SonicWall appliances. Log messages stored in the cache use between 16 and 256 bytes depending on the content of the message. The cache typically stores approximately 600 messages, but this varies with the message composition.

    I have listed below the best ways for you to get historic events of your network activity, including the Geo-IP block/allow information. You can pick the one that best suits your environment.

    • The event log can be sent automatically to an Email address for convenience and archiving. Alerts from the  can also be sent via Email and can alert you about any security violation on your firewall. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
    • By default, these logs are sent to the Built-In Storage Module. With the help of Flexible Storage modules, the NSa firewalls can store Syslog and trace log entries there. Hence the logs will be saved in the flexible storage instead of the built-in storage, serving your purpose of revisiting the logs when needed.
    • Use SonicWall reporting tools such as SonicWall Analytics, SonicWall GMS or Capture Security Center for historic network events happening via the SonicWall firewall.

    Hope this answers your question.

    Have a better day!!!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
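The replies above boil down to one practical point: the on-box log cache is too small to answer "which IP did Geo-IP drop for my user this afternoon?", so the blocked-destination evidence has to come from an exported copy of the log (e-mailed event log, syslog to flexible storage or a collector, or Analytics/GMS/CSC reports). The script below is an added example, not code from the original thread or from SonicWall: it reads SonicWall-style key=value syslog lines and produces the end-of-day summary Larry asked for, grouping Geo-IP drops by blocked destination IP so the admin can decide which ones to add to the exclusion list. The sample log lines are constructed for the example; the exact wording of the Geo-IP drop message (`Geo-IP: Connection to <country> blocked`) and the absence of `m=`/`c=` fields are assumptions, so adjust `_COUNTRY` and `is_geoip_block()` to match what your own firewall actually emits.

```python
"""Summarize Geo-IP block events from an exported SonicWall-style syslog.

Added example, not from the original thread. Assumptions (not confirmed by
the thread): lines are space-separated key=value pairs, src/dst are
'ip:port:interface', free text sits in msg="...", and a Geo-IP drop can be
recognised by "Geo-IP" in the msg text. Run with a log file as argv[1], or
with no argument to use the constructed sample below.
"""
import re
import sys

# Constructed sample covering one day; not real firewall output.
SAMPLE_LOG = """\
id=firewall sn=0000000000 time="2021-03-01 09:12:01" fw=203.0.113.10 pri=1 msg="Geo-IP: Connection to Russian Federation blocked" src=10.0.0.25:51234:X0 dst=198.51.100.7:443:X1 proto=tcp/https
id=firewall sn=0000000000 time="2021-03-01 09:12:03" fw=203.0.113.10 pri=1 msg="Geo-IP: Connection to Russian Federation blocked" src=10.0.0.25:51235:X0 dst=198.51.100.7:443:X1 proto=tcp/https
id=firewall sn=0000000000 time="2021-03-01 09:13:44" fw=203.0.113.10 pri=6 msg="Connection Opened" src=10.0.0.25:51240:X0 dst=192.0.2.15:443:X1 proto=tcp/https
id=firewall sn=0000000000 time="2021-03-01 14:02:10" fw=203.0.113.10 pri=1 msg="Geo-IP: Connection to Russian Federation blocked" src=10.0.0.31:60001:X0 dst=198.51.100.22:80:X1 proto=tcp/http
id=firewall sn=0000000000 time="2021-03-01 16:45:09" fw=203.0.113.10 pri=1 msg="Geo-IP: Connection to Russian Federation blocked" src=10.0.0.25:51300:X0 dst=198.51.100.7:443:X1 proto=tcp/https
"""

# key=value, where the value is either "quoted text" or a run of non-spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed wording of the Geo-IP drop message; edit to match your firewall.
_COUNTRY = re.compile(r'Geo-IP:\s*Connection to (.+?) blocked', re.IGNORECASE)


def parse_line(line):
    """Parse one key=value syslog line into a dict (quoted values unquoted)."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def split_endpoint(value):
    """Split 'ip:port:iface' into (ip, port, iface); missing parts are ''.

    IPv4 only: an IPv6 address contains colons and would need a different split.
    """
    parts = (value or "").split(":")
    parts += [""] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_geoip_block(event):
    """True if the event's msg text identifies it as a Geo-IP drop (assumed marker)."""
    return "geo-ip" in event.get("msg", "").lower()


def summarize_geoip_blocks(log_text):
    """Group Geo-IP drops by blocked destination IP.

    Returns {dst_ip: {"hits", "country", "sources", "ports", "first", "last"}}.
    Timestamps are 'YYYY-MM-DD HH:MM:SS' strings, so min/max sort correctly.
    """
    summary = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if not is_geoip_block(event):
            continue
        dst_ip, dst_port, _ = split_endpoint(event.get("dst"))
        src_ip, _, _ = split_endpoint(event.get("src"))
        match = _COUNTRY.search(event.get("msg", ""))
        country = match.group(1) if match else "unknown"
        when = event.get("time", "")
        entry = summary.setdefault(dst_ip, {
            "hits": 0, "country": country, "sources": set(), "ports": set(),
            "first": when, "last": when,
        })
        entry["hits"] += 1
        entry["sources"].add(src_ip)
        entry["ports"].add(dst_port)
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return summary


def render_report(summary):
    """Plain-text end-of-day report, busiest blocked destination first."""
    lines = ["Geo-IP blocks by destination (candidates for the exclusion list):"]
    for ip, e in sorted(summary.items(), key=lambda kv: (-kv[1]["hits"], kv[0])):
        lines.append(
            f"{ip:<16} hits={e['hits']:<3} country={e['country']} "
            f"ports={','.join(sorted(e['ports']))} "
            f"sources={','.join(sorted(e['sources']))} "
            f"first={e['first']} last={e['last']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(render_report(summarize_geoip_blocks(text)))
```

Feed it the syslog archive or the e-mailed event log rather than the GUI log view, since the on-box cache described above rolls over after roughly 600 messages. Grouping by destination IP with the internal sources and ports attached is what makes the report actionable: a destination hit repeatedly from one workstation on 443 is the site the user complained about, while a one-off hit from many hosts is worth a second look before it is excluded, because adding an IP to the Geo-IP exclusion list removes that protection for every client behind the firewall.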
