Anyone experience problem with Botnet Exclusion Group?
Command 'exclude group "Custom Default Geo-IP and Botnet Exclusion Group"' does not match
Registered new firewall (5050), backed up settings, downloaded latest firmware and updated it (5095).
Enabling Security Services and Botnet Filter errors out with the above message when adding an Exclusion Group.
Removed my customization (two groups and two FQDNs) and it worked.
Turns out Gen 7 is treating my custom Address Groups as IPv6 and not mixed when they are added to this group.
When you look at the list of my custom AGs they show as mixed; yet within this group they show as IPv6.
While the custom group fails for Botnet, it works for Geo-IP exclusion.
I have opened a support case after spending an hour and 45 minutes on a call.
Of course, this device and another (with the same settings) need to be deployed before the end of January....
Best Answer
Larry All-Knowing Sage ✭✭✭✭
SonicWall Support came through with a Hotfix that corrects this problem. They had already tracked it as a problem.
If you encountered this issue and need to resolve it now, you can contact Support to obtain it.
On the other hand, if you can wait at least until the end of January, a new firmware revision (either 5095 or 5099), which contains this fix, should be available.
Kudos to CSR Akeel for having such a good time working with me on this problem.
Answers
You want to put a group inside of a group! You're crazy Larry!
Does it work if you put the contents of the sub-group as individual entries in the GEOIP and BOTNET Exclusion Group?
Yes, I've always done that - didn't know it was an aberrant behavior.
Works just fine for GAV exclusions (although I'm seeing that same ipv6 entry here instead of mixed).
Only the Botnet seems to have a problem with it.
I'll try the individual entries instead of the groups in a little while, but gosh that would be really annoying...
@TKWITS - Tim, I removed the two groups and added all the individual entries.
Works just fine in the Geo-IP setting exclusion. Fails completely in the Botnet exclusion.
Edited to say: It also works properly when you go into DIAG and revert the Gen 7 device to use the Gen 6 UI...
Something is very wrong here and needs to be identified and corrected.
- Larry
Further testing this morning shows that an exclusion Address Group with a Host Address Object works. An Address Group with a Host Address Object and a Range Address Object works. However, it fails when an Address Object of type FQDN is included.
I validated this sequence in devices with firmware levels 5050 and 5095.
Once again disappointed at discovering a flaw that should have easily been seen - and fixed! - in even the most trivial QA testing...
My sarcasm is frequently lost in translation.
Well at least they have a ticket open for it. I'd refer them to this post if they want a detailed explanation.
What if you just use the auto-created 'Default GEOIP and BOTNET Exclusion Group', not your custom one?
The default exclusion group works just fine with the two Firewalled Subnet groups, which use a third layering of groups (and I didn't think you could do that).
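As an added illustration (not from the original thread and not SonicWall code): a small Python pre-flight checker that walks a nested address-group definition the way the thread describes, flattens sub-groups (including a group inside a group inside a group), reports the address family of the flattened contents, and flags any FQDN address object, which is the member type Larry's testing found breaks the Gen 7 Botnet exclusion group while Host and Range objects work. The object and group names, the data model and the sample data are constructed for the example; SonicOS exposes no such Python API, so this runs against your own inventory of objects and groups rather than talking to the firewall.

```python
"""Pre-flight check for a SonicOS-style Botnet/Geo-IP exclusion address group.

Hypothetical data model: an address object is a host, range, network or FQDN;
an address group is a list of member names that may be objects or other groups.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AddressObject:
    name: str
    kind: str   # "host", "range", "network" or "fqdn"
    value: str  # "192.0.2.10", "192.0.2.20-192.0.2.29", "2001:db8:1::/64", "host.example.net"


@dataclass(frozen=True)
class AddressGroup:
    name: str
    members: tuple  # names of address objects or of other address groups


def resolve_group(name, objects, groups, _path=()):
    """Return (group path, leaf object) for every address object reachable from
    the named group, descending into nested groups in member order.
    Raises ValueError for an unknown member or a group that contains itself."""
    if name in _path:
        raise ValueError("group cycle: " + " > ".join(_path + (name,)))
    path = _path + (name,)
    leaves = []
    for member in groups[name].members:
        if member in groups:
            leaves.extend(resolve_group(member, objects, groups, path))
        elif member in objects:
            leaves.append((path, objects[member]))
        else:
            raise ValueError(f"unknown member {member!r} in group {name!r}")
    return leaves


def address_family(obj):
    """'ipv4' or 'ipv6' for literal objects; 'fqdn' for names, which only
    resolve to addresses at runtime, so their family is not knowable here."""
    if obj.kind == "fqdn":
        return "fqdn"
    literal = obj.value.split("-", 1)[0] if obj.kind == "range" else obj.value
    return "ipv6" if ipaddress.ip_network(literal, strict=False).version == 6 else "ipv4"


def group_family(name, objects, groups):
    """Family of the flattened group: 'ipv4', 'ipv6', 'mixed', or 'unresolved'
    when every member is an FQDN."""
    families = {address_family(obj) for _, obj in resolve_group(name, objects, groups)}
    literal = families - {"fqdn"}
    if not literal:
        return "unresolved"
    return literal.pop() if len(literal) == 1 else "mixed"


def botnet_exclusion_problems(name, objects, groups):
    """(group path, object name) for each FQDN member anywhere under the group,
    i.e. the members the thread reports as breaking the Gen 7 Botnet exclusion."""
    return [(" > ".join(path), obj.name)
            for path, obj in resolve_group(name, objects, groups)
            if obj.kind == "fqdn"]


# Constructed sample data mirroring the thread: two sub-groups plus two FQDNs.
OBJECTS = {o.name: o for o in [
    AddressObject("Mgmt Host", "host", "192.0.2.10"),
    AddressObject("Scanner Range", "range", "192.0.2.20-192.0.2.29"),
    AddressObject("Branch LAN v6", "network", "2001:db8:1::/64"),
    AddressObject("Update Server", "fqdn", "updates.example.net"),
    AddressObject("Mail Relay", "fqdn", "relay.example.net"),
]}
GROUPS = {g.name: g for g in [
    AddressGroup("Trusted Hosts", ("Mgmt Host", "Scanner Range")),
    AddressGroup("Branch Networks", ("Branch LAN v6",)),
    AddressGroup("Custom Default Geo-IP and Botnet Exclusion Group",
                 ("Trusted Hosts", "Branch Networks", "Update Server", "Mail Relay")),
]}

if __name__ == "__main__":
    for group in GROUPS:
        print(f"{group}: family={group_family(group, OBJECTS, GROUPS)}, "
              f"fqdn members={botnet_exclusion_problems(group, OBJECTS, GROUPS)}")
```

Run it against your exported object list before adding a custom group to the exclusion setting: an empty problem list means the group contains only the Host/Range/Network members the thread found to work, and a non-empty one tells you exactly which FQDN object sits where in the nesting so you can move it to a separate group or wait for the hotfix mentioned in the best answer.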