Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

Anyone experience problem with Botnet Exclusion Group?

LarryLarry All-Knowing Sage ✭✭✭✭
in Entry Level Firewalls

Command 'exclude group "Custom Default Geo-IP and Botnet Exclusion Group"' does not match

botnetfailure.JPG


Registered new firewall (5050), backed up settings, downloaded latest firmware and updated it (5095).

Enabling Security Services and Botnet Filter errors out with the above message when adding an Exclusion Group.

Removed my customization (two groups and two FQDNs) and it worked.

Turns out Gen 7 is treating my custom Address Groups as IPv6 and not mixed when they are added to this group.


image.png

When you look at the list of my custom AGs they show as mixed; yet within this group they show as IPv6.

image.png

While the custom group fails for Botnet, it works for Geo-IP exclusion.

I have opened a support case after spending an hour and 45 minutes on a call.

Of course, this device and another (with the same settings) need to be deployed before the end of January....

Category: Entry Level Firewalls
Reply

Best Answer

  • CORRECT ANSWER
    LarryLarry All-Knowing Sage ✭✭✭✭
    Answer ✓

    SonicWall Support came through with a Hotfix that corrects this problem. They had already tracked it as a problem.

    If you encountered this issue and need to resolve it now, you can contact Support to obtain it.

    On the other hand, if you can wait at least until the end of January, a new firmware revision (either 5095 or 5099), which contains this fix, should be available.

    Kudos to CSR Akeel for having such a good time working with me on this problem.

Answers

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    You want to put a group inside of a group! You're crazy Larry!

    Does it work if you put the contents of the sub-group as individual entries in the GEOIP and BOTNET Exclusion Group?

  • LarryLarry All-Knowing Sage ✭✭✭✭

    Yes, I've always done that - didn't know it was an aberrant behavior.

    image.png

    Works just fine for GAV exclusions (although I'm seeing that same ipv6 entry here instead of mixed).

    Only the Botnet seems to have a problem with it.

    I'll try the individual entries instead of the groups in a little while, but gosh that would be really annoying...

  • LarryLarry All-Knowing Sage ✭✭✭✭
    edited January 2023

    @TKWITS - Tim, I removed the two groups and added all the individual entries.

    Works just fine in the Geo-IP setting exclusion. Fails completely in the Botnet exclusion.

    Edited to say: It also works properly when you go into DIAG and revert the Gen 7 device to use the Gen 6 UI...

    Something is very wrong here and needs to be identified and corrected.

    - Larry

  • LarryLarry All-Knowing Sage ✭✭✭✭
    edited January 2023

    Further testing this morning shows that an exclusion Address Group with a Host Address Object works. An Address Group with a Host Address Object and a Range Address Object works. However, it fails when an Address Object of type FQDN is included.

    I validated this sequence in devices with firmware levels 5050 and 5095.

    Once again disappointed at discovering a flaw that should have easily been seen - and fixed! - in even the most trivial QA testing...

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    My sarcasm is frequently lost in translation.

    Well at least they have a ticket open for it. I'd refer them to this post if they want a detailed explanation.

    What if you just use the auto-created 'Default GEOIP and BOTNET Exclusion Group', not your custom one?

  • LarryLarry All-Knowing Sage ✭✭✭✭
    https://community.sonicwall.com/technology-and-support/discussion/comment/17125#Comment_17125

    The default exclusion group works just fine with the two Firewalled Subnet groups, which uses a third layering of groups (and I didn't think you could do that).

Sign In or Register to comment.