Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

How to create wild card entries for GEO-IP exclusion

I have enabled GEO-IP, but I am finding myself having to add every single subdomain of a domain some are 192 entries of the same site, example. MITEL.COM , mitel has 192 subdomains. i tried building a address object of *.mitel.com as the FQDN, then putting that address object into a group, putting that group into the GEO-IP exclusion list , but mitel site still not accessible, If i put in www.mitel.com as FQDN it works, the problem is i have 192 unique XYZ.MITEL.COM FQDNs that need to be entered , this is ridiculous. why does it allow me to build a FQDN with an *.domain.com but not allow me to use that in GEO-IP ?

what makes matters worse, it SONICWALL provides no way for me to export all these entries from the firewall, now i have to duplicate 192 manual entries again in yet another firewall... HELP!!!!!!!!!!!

Category: Firewall Security Services
Reply

Answers

  • LarryLarry Cybersecurity Overlord ✭✭✭

    Agreed on both counts.

    However, I understand that the engine behind the scenes is probably trying to obtain the actual IP address to figure out if it is within - or without - the country block parameters. A wild card would present two levels for this to generate and sort through...

    But, just the same:

    RFE #1 - Adjust Geo block to use wildcard FQDN

    RFE #2 - Provide ability to import/export Address Objects and Groups

    Would also be helpful if the Moderator created a location for these kinds of things so that the community could vote on them

  • fmadiafmadia Moderator

    Hi @MPERU99,

    have you tried using .mitel.com instead of *.mitel.com as Address Object? However as far as I see we only support IPs as exclusion objects in the Geo-IP.

    I would suggest you doing something different as a test: create a new Access Rule from your source zone to your WAN (either allowing ANY source and as destination use an Address Object for "*.mitel.com") and then disable the Geo-IP from the access rule and make sure it has high priority.

  • MPERU99MPERU99 Newbie ✭

    you cannot use .mitel.com that is invalid, if you try to use ?.mitel.com , it complains that it is not a valid *.mitel.com wildcard, so it knows its needs to be *.mitel.com. As far as access rule, GEO-IP should override that, plus this is a production unit so i cannot do a lot of testing. There are several methods in GEO-IP for address objects, HOST(ip) RANGE, NETWORK, FQDN I have used them all in GEO , but its the FQDN that fails using wildcards, if its not supported there should be an error message indicating such when adding to GEO exclusion that tells you , that you cannot use wildcards. but that is not the case, it lets you add it successfully , which makes you assume it will work.

  • shiprasahu93shiprasahu93 Moderator

    Hello @MPERU99,

    In the background, we still depend on the IP resolution of the FQDN address object and then use the exclusion for Geo-IP service. So, this is not similar to CFS which filters based on the URI field of the HTTP packet itself and then takes decisions.

    Since address objects are part of the firewall prefs file, I am not sure if it will be possible to export the address objects itself. If you are familiar with SonicOS API, the following KB can be helpful to add multiple address objects at once.

    The same JSON file can be used to add these address objects across multiple firewalls.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • MPERU99MPERU99 Newbie ✭

    No I am just starting out, and been tasked to cleanup and fix a lot of the issues. I have use Untangle NG for a few years and thought for sure SONICWALL would be able to export /import objects/rules/ etc.. from the GUI , not having to learn a API, and not on a production environment. again, I understand its a ZONE based/IP based firewall, so are a lot of others. But wildcards are able to be used in most. and if not they at least give you an error indicating you cannot use the wildcard in the particular situation.

    So you gonna tell me that i have to first enable a feature that is not secure, (which probably requires a reboot of the firewall - thats not going to happen anytime soon) then to create a file, that i have no experience in creating that before , using some interface that i have no experience using, based on a few pics and some quick blrubs on how to do it . and they can only be IP's ?? and then have to figure out all those IPs to put into a group, in that little tiny window that your web interface provides? Heck CHROME don't even work anymore , though its the recommended browser. the framed windows are all jacked up, you cannot move things over, etc.. only seems that firefox is the one i can get all features of sonicwall to display properly. What is the sonicwall limitation of address objects? 1000? 65000? , just seems like a lot of work for simple tasks that really should be available to any admin from the GUI I could spend days finding out all the IP's , to all the subdomains, creating this odd file that only contains IPs and having to explain to the company why it takes so long.

  • LarryLarry Cybersecurity Overlord ✭✭✭

    @MPERU99

    I would like to offer some assistance, because you sound quite exasperated (and I definitely know that feeling).

    Here's a resource for you: https://www.ultratools.com/tools/ipWhoisLookup

    If you enter mitel.com and click Go, you'll find that it has taken up the following IP address range: 104.16.0.0-104.31.255.255

    If you put THAT address object in your Geo-IP exclusion list, you should be good.

    Now, I don't know where you are located nor what countries you've set to block, but this IP range is located in the US....

    Hope that helps!

  • MPERU99MPERU99 Newbie ✭

    Larry,

    I do appreciate the help, i really do, but unfortunately I have used that tool, and its a great tool, however that only provides the block of IPs that www.mitel.com uses and not the 192 unique subdomains associated with mitel.com, you have to use other tools like https://www.nmmapper.com/sys/tools/subdomainfinder/ to find all the subdomains of [domain.com] my guys could not get into miaccess.mitel.com with just those range of IP's that utlratools website only provides, and because miaccess.mitel.com has several other associated links from all over the world all 192 unique subdomains had to be entered manually. This is why i am complaining and hoping there is a smoother option that having to crack open the API to do it.. I am exasperated, after having to manual put in 192 unique subdomains because i simply cannot enter *.domain.com , wait let me rephrase that, i can enter *.domain.com as address object and it successfully accepts it, and even lets me add it to the exclusion list without ERROR, but will not function. Thats the frustrating part. It does not indicate and ERROR or warning that it cannot be used in a exclusion list it just allows you to enter it. nor does sonicwall provide a easy and friendly way of importing each subdomain. I havent even begun to start on the other firewall yet because it is such a pain.

  • MPERU99MPERU99 Newbie ✭

    I believe i found a way around this. It seems i can now use *.domain.com in the GEO-IP exclusion.

    fix: I went to NETWORK / DNS and scrolled down to the bottom , I checked the box for "ENABLE DNS HOST NAME LOOKUP OVER TCP FOR FQDN" and saved, after that i added *.somesite.com as an address object, for example: I created a address object called ACTi.com FQDN with SD (the with SD means with subdomains) as the name and placed it in the WAN zone Assignment and FQDN as *.ACTi.com and then went over to address groups and created a group called "NG-ACTi Grouped Networks" and added the address object ACTi.com FQDN with SD to that group. Next I edited the default GEO-IP exclusion address group and found the group NT-ACTi grouped Networks not the address object , and placed that group into the GEO IP exclusion group. and saved.

    Now when you do this, go to monitor and view multi-core monitor, I would actually go click on that first , that way you only have to click on the MONITOR button at the top, and will put you back into multi-monitor immediately. So when you click save on the address object go to the multi-monitor view and you will see core 1 or (0) to out at 100% on the control plane. this is to be expected as it is configuring and also now resolving all for *.acti.com you can now access the site without a BLOCKED NOTIFICATION you can also verify this by going into SECURITY CONFIGURATION / SECURITY SERVICES / GEO-IP Filter and going to DIAGNOSTICS button and running SHOW RESOLVED LOCATIONS.

    It will take sometime but will give you a listing of all resolved locations and I found majority of the IPs of ACTi.com including the subdomains of ACTi.com. (* only the ones that were called upon when i accessed the webpage were showing, probably because it only requested those associated to what i was viewing)

  • prestonpreston Enthusiast ✭✭

    This hotfix 6.5.4.5-53n--HF223391-1n fixed it for me, I was having the same issues with DPI-SSL exclusions using Wildcard FQDN address objects, after the hotfix it resolves the subdomains also, you might want to lower the FQDN cache timeouts in the Diag page though otherwise it causes high CPU usage

  • MPERU99MPERU99 Newbie ✭

    where do i lower the cache, i am in the diag page i see 'show resolved and GEOiP lookup but nothing i can configure.

  • prestonpreston Enthusiast ✭✭

    Hi it's under the FQDN part, the offset and the Maximum retry threshold


  • MPERU99MPERU99 Newbie ✭

    Hello,

    I would love to tell you I found it, but Im telling you I don't have that option. What model do you have ? what OS are you running?

    I am on a NSA 4600 with SonicOS Enhanced 6.5.1.5-6n

  • prestonpreston Enthusiast ✭✭

    TZ500 6.5.4.5-53n,

  • MPERU99MPERU99 Newbie ✭

    What is your Navigation Hierarchy to get to your setting? ex MANAGE-> NETOWORK -> DNS

  • MichAdaMichAda Newbie ✭

    Not a fan of reviving an old thread, but felt bad seeing no response the last question.

    In the browser address window, replace "/main.html" w/ "/diag.html"

    SW does not recommend to go in there without specific direction from support though.

Sign In or Register to comment.