Tech Tips: Geo-IP And Botnet Filter Diagnostics Options
shiprasahu93
Moderator
Hello Everyone,
Geo-IP and Botnet filters have been part of SonicWall's security services for quite some time. We have been using them, but when we need to troubleshoot any issue related to them, the diagnostics options can come in very handy.
Here are the configuration KBs for both features:
Geo-IP:
Botnet Filter:
This new KB regarding the Geo-IP And Botnet Filter Diagnostics Options will clarify some of those intricate details regarding the feature.
I hope you find this useful!
Thanks!!
Category: Firewall Security Services
Shipra Sahu
Technical Support Advisor, Premier Services
Comments
@shiprasahu93, thanks for this information because it is very informative.
But I do have a scenario and question about the Geo-IP fencing. If I add a full country to the block list sometimes I hear back from a client that they can't get to a site - and they've not received any notice from the TZ appliance. I then have to search through the log to see where the incident occurred. Invariably, I have to ask the client's staff member to re-try accessing the site because the log doesn't go back far enough. Then I have to add the IP to exclusion list. Is there any means of obtaining that IP information in a concise, say end-of-day report/summary?
Thanks!
@Larry,
The reason why the firewall might not be showing any message could be due to the fact that it is an HTTPS website and the DPI-SSL feature on the firewall is not turned ON. If it is, the error message should directly show up on the browser with the reason for the block, IP, country etc.
When this website gets blocked, we can see it in packet capture or logs but as you know they are real-time and might not be available later.
If you have any monitoring tool like Analytics or GMS, the reports can be generated from there.
Let me check a little bit on my end to see how those reports can be received from the monitoring tool.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@Larry ,
So, this is how I tested it. I blocked the Russian Federation using Geo-IP and accessed the websites vk.com and government.ru, which both belong to that country.
When I access them over HTTP, you can see that I get the blocked page that tells me why this is being blocked.
Otherwise it just shows me connection timed out for HTTPS. I can see the drops in packet capture and logs that tell me that this issue is related to Geo-IP and what IP needs to be excluded.
This firewall is associated with CSC, so I could check what was being blocked under session logs for blocked.
We can also schedule daily reports for blocked traffic as below.
On GMS, we have a separate section called Geo-IP and that gives initiator and responder IPs at one place specific to Geo-IP alone.
I hope you find this information useful!
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @Larry,
SonicWall logs have a limitation on storing logs over a period of time. This is because the GUI log cache is 30,000 bytes for all SonicWall appliances. Log messages stored in the cache use between 16 and 256 bytes depending on the content of the message. The cache typically stores approximately 600 messages, but this varies with the message composition.
I have listed the best ways for you to get historic events of your network activity including the Geo-IP block / allow information below. You can pick the one that best suits your environment.
Hope this answers your question.
Have a better day!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
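An added example, not from any post in this thread: a small Python script that builds the end-of-day summary asked about above from appliance logs that have been forwarded off the box, so the small on-box log cache no longer matters. The key=value record layout follows SonicWall's syslog style, but the message text, message IDs and addresses are constructed for the example, and matching Geo-IP blocks on the message text is an assumption to adjust against your own firmware's log entries.

```python
import re
from collections import defaultdict

# Constructed sample records in the key=value syslog style SonicWall appliances emit.
# Message text, message IDs and addresses are made up for this example, not captured output.
SAMPLE_LOG = """\
id=firewall time="2021-03-04 09:12:01 UTC" pri=1 m=1462 msg="Geo IP Blocked" src=10.0.0.21:51234:X0 dst=198.51.100.7:443:X1 proto=tcp/https country="Russian Federation"
id=firewall time="2021-03-04 09:12:04 UTC" pri=1 m=1462 msg="Geo IP Blocked" src=10.0.0.21:51240:X0 dst=198.51.100.7:443:X1 proto=tcp/https country="Russian Federation"
id=firewall time="2021-03-04 11:40:19 UTC" pri=1 m=1462 msg="Geo IP Blocked" src=10.0.0.35:60112:X0 dst=203.0.113.55:443:X1 proto=tcp/https country="Russian Federation"
id=firewall time="2021-03-04 11:41:02 UTC" pri=6 m=98 msg="Connection Opened" src=10.0.0.35:60113:X0 dst=192.0.2.80:443:X1 proto=tcp/https
id=firewall time="2021-03-03 17:05:00 UTC" pri=1 m=1462 msg="Geo IP Blocked" src=10.0.0.9:44321:X0 dst=198.51.100.7:443:X1 proto=tcp/https country="Russian Federation"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')        # key="quoted value" or key=value
GEOIP_BLOCK = re.compile(r"geo.?ip.*block", re.IGNORECASE)  # assumption: identify events by msg text

def parse_record(line):
    """Turn one key=value syslog line into a dict; quoted values keep their spaces."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def geoip_block_summary(log_text, day):
    """Aggregate Geo-IP block events for one calendar day (YYYY-MM-DD), keyed by destination IP."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "country": "", "first": "", "last": ""})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec.get("time", "").startswith(day) or not GEOIP_BLOCK.search(rec.get("msg", "")):
            continue
        dst_ip = rec["dst"].split(":")[0]          # dst=ip:port:interface
        entry = summary[dst_ip]
        entry["hits"] += 1
        entry["sources"].add(rec["src"].split(":")[0])
        entry["country"] = rec.get("country", "?")
        entry["first"] = entry["first"] or rec["time"]
        entry["last"] = rec["time"]
    return dict(summary)

def render_report(summary, day):
    """Plain-text end-of-day report, busiest destination first, for exclusion-list review."""
    lines = [f"Geo-IP blocks for {day}"]
    for dst, e in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(f"{dst:<16} {e['country']:<20} hits={e['hits']} "
                     f"clients={len(e['sources'])} {e['first']} .. {e['last']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(geoip_block_summary(SAMPLE_LOG, "2021-03-04"), "2021-03-04"))
```

Point it at the previous day's forwarded syslog file from a scheduled task and the report lists each blocked destination with how many internal clients hit it, which is the information needed to decide on an exclusion.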
Interesting thread. Any idea why, if DPI-SSL is configured correctly (browser certificates are showing SonicWall, and CFS is accurately reporting blocked HTTPS sites), the block screen still would not show correctly for Geo-IP on HTTPS sites?
For anyone else's benefit who encounters this, members over at Spiceworks have duplicated this and are seeing the exact same behavior, so we have a bug/bad firmware. I opened a ticket 4 days ago with SonicWall, but it has yet to even be assigned to anyone. Definitely not the pre-Dell SonicWall days when Level 3 was in Arizona.