GEO-IP Filtering through Access Policies on Multiple Interfaces

If I have an Access Policy with custom GEO-IP Filtering applied to the WAN interface that blocks most countries, but I have a second Access Policy with less restrictive custom GEO-IP Filtering applied to the LAN interface, will my user who occasionally has to connect to countries that we want to normally restrict, be allowed to access them?

Basically, if I have an allowed connection coming from the LAN, will the WAN block the inbound response anyway because of its generic rule?

I would appreciate it if there is someone who is familiar with this before I start making changes to a live environment.

Thanks for any assist.

Category: Firewall Security Services

Answers

  • dohagan Newbie ✭

    to continue the question…

    I assume that, if I apply GEO-IP filter access rules to the WAN interfaces as outlined above, if I have existing access rules in place to allow connections to public facing server, I assume I would need to edit those rules to apply the same GEO-IP filtering settings? Or will the access rules continue processing after the connection has matched one of them?

    i.e. Device in X country tries to connect to published Web server IP will presumably be allowed to connect, even if there is a separate rule that has the rules based GEO-IP filtering applied to it, simply because it matched the rule to allow access through to the server.

    thx

  • TKWITS Community Legend ✭✭✭✭✭
    edited June 27

    I'll try to help.

    Basically, if I have an allowed connection coming from the LAN, will the WAN block the inbound response anyway because of its generic rule? - No, the LAN to WAN rule will be the one allowing the traffic out, thus any WAN to LAN rules would not apply. It's not like old school ACLs where you need to allow traffic both ways. Firewalls have connection trackers to make this happen.

    if I have existing access rules in place to allow connections to public facing server, I assume I would need to edit those rules to apply the same GEO-IP filtering settings? - This depends on your GEOIP settings. If you are using the 'firewall rule-based' config you will need to enable GEOIP on each rule you want it applied on. If you are using the 'all connections' config, like it says, all connections will be filtered (even internal).
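
The two points in the answer above, connection tracking and per-rule Geo-IP, shown as a simplified model. This is an added example, not part of the thread and not SonicOS code; first-match rule evaluation, the zone names, the addresses and the country codes `XA`/`XB`/`XC` are all assumptions made for illustration.

```python
# Simplified model of a stateful firewall with rule-based Geo-IP filtering.
# Not SonicOS code: rule fields, zones, IPs and country codes are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_ip: Optional[str] = None           # None matches any destination
    geo_blocked: frozenset = frozenset()   # empty = Geo-IP not enabled on this rule

@dataclass
class Firewall:
    rules: list
    conns: set = field(default_factory=set)  # connection tracker

    def new_connection(self, src_zone, dst_zone, src_ip, dst_ip, remote_country):
        """Evaluate an initiating packet; the first matching rule decides (assumption)."""
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
                continue
            if rule.dst_ip not in (None, dst_ip):
                continue
            if remote_country in rule.geo_blocked:
                return "drop (geo-ip)"
            self.conns.add((src_ip, dst_ip))
            return "allow"
        return "drop (no rule)"

    def reply(self, src_ip, dst_ip):
        """Return traffic is matched against the tracker, never the rule list."""
        return "allow (established)" if (dst_ip, src_ip) in self.conns else "drop (no state)"

def demo():
    fw = Firewall(rules=[
        Rule("LAN", "WAN", geo_blocked=frozenset({"XA"})),              # less restrictive
        Rule("WAN", "DMZ", dst_ip="203.0.113.10"),                      # server rule, no Geo-IP
        Rule("WAN", "LAN", geo_blocked=frozenset({"XA", "XB", "XC"})),  # restrictive
    ])
    return {
        "lan_out_to_XB": fw.new_connection("LAN", "WAN", "192.168.1.20", "198.51.100.7", "XB"),
        "reply_from_XB": fw.reply("198.51.100.7", "192.168.1.20"),
        "unsolicited_from_XB": fw.new_connection("WAN", "LAN", "198.51.100.9", "192.168.1.20", "XB"),
        "XB_to_published_server": fw.new_connection("WAN", "DMZ", "198.51.100.9", "203.0.113.10", "XB"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In this model the published-server rule admits the `XB` client because Geo-IP is not enabled on that rule, which is the case the answer says needs the filter turned on per rule.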
