
Geo-IP Block and Access Rules question

I have Geo-IP block turned on, with a small list of "allowed" countries.


I have an Access Policy to allow incoming connections to an SBC for voice, and have it set as the US being the only "allowed" country. (see picture).


The SBC is getting hammered from countries not listed in the "Allowed" list. Makes me question all of the other inbound Access Policies I have as well.


What am I doing wrong here?


This is specifically on an NSa2700 HA pair, but I question if it's happening to my other locations with TZ670s/470s.

Category: Firewall Security Services

Answers

  • MustafaA SonicWall Employee

    @A_Elliott, are you indicating that the traffic is flowing to the SBC from countries not listed in the allowed list or is this finding based on the TCP handshake only, from those countries?

  • MustafaA SonicWall Employee

    Could this be related to the highlighted option available on the "diag" page?


  • A_Elliott Enthusiast ✭✭

    Inbound access rule is set to USA only, but the SBC had loads of connection attempts from other countries, verified on the SonicWall itself when looking up the IPs via "Diagnostics" in the Geo-IP filter settings sub page.



    I do have "Drop TCP handshake originating from blocked Country" already checked.

  • TKWITS Community Legend ✭✭✭✭✭

    I know it's not ideal but try using the Global option on the access rule rather than Custom. See if that actually applies the restrictions. I never use the Custom option.

    What firmware version are you running? Always provide that info in your posts.

  • A_Elliott Enthusiast ✭✭

    Global has a few dozen countries listed, and inbound only needs to be from our local area, so limiting to the US was the best course. In fact, Global has France listed, which we sometimes need outbound access to, but would never need an inbound connection.


    You're absolutely correct, my bad.

    Firmware 7.0.1-5111 and now 7.0.1-5119

  • A_Elliott Enthusiast ✭✭

    Bumping this up as it appears it is still happening. Access rule has USA as only listed allowed country, but getting hammered from UK, Canada, France, and more...

    When I look up the IPs in Diagnostics sub-tab of Geo-IP settings, each country seemingly is correct, aligned with a lookup on arin.net

    Now on version SonicOS 7.0.1-5145.


    Any thoughts?

  • A_Elliott Enthusiast ✭✭

    Update:

    I just switched to per-rule Geo-IP filtering, and added the allowed countries to the LAN->WAN list (and other internal networks). Now my WAN->DMZ rules that have USA only might work. We'll find out!

  • MarkD Cybersecurity Overlord ✭✭✭

    Are you using unified policy or classic? I had some similar anomalies.

  • A_Elliott Enthusiast ✭✭

    I had allowed countries set under the main Geo-IP settings, and then in my individual rules for incoming services were set to US only. I guess I didn't understand that those individual rule settings I had changed to "custom" instead of "global settings" and set to US did not in fact do anything at all until the main Geo-IP page was changed to "Per-rule" or whatever the wording is.


    Seems to be working now.
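
The misconfiguration resolved in this thread can be checked for mechanically. The following is an added example, not part of the original thread and not SonicWall code: it models the behaviour A_Elliott reported (a rule's "custom" country list is ignored unless the main Geo-IP setting is per-rule) and flags rules whose effective allow list is wider than intended. The config layout, field names, mode strings and country lists are constructed assumptions, not a SonicOS export format.

```python
# Constructed config model; field names and mode strings are hypothetical.
PER_RULE = "per-rule"            # main Geo-IP page set to per-rule filtering
ALL_CONNECTIONS = "global"       # main Geo-IP page applies one list to everything

SAMPLE = {
    "geo_ip": {"mode": ALL_CONNECTIONS, "allowed": ["US", "CA", "GB", "FR"]},
    "rules": [
        {"name": "WAN->DMZ SBC voice", "geo": "custom", "allowed": ["US"]},
        {"name": "LAN->WAN any", "geo": "global", "allowed": []},
    ],
}

def effective_allowed(rule, geo):
    """Countries a rule really admits, per the behaviour reported in the thread."""
    if geo["mode"] == PER_RULE and rule["geo"] == "custom":
        return set(rule["allowed"])
    # Assumption from the thread: outside per-rule mode the custom list does nothing,
    # so the global allow list is what actually applies.
    return set(geo["allowed"])

def audit(config):
    """Return (rule name, unintended countries) for every custom-list rule."""
    findings = []
    for rule in config["rules"]:
        if rule["geo"] != "custom":
            continue
        extra = effective_allowed(rule, config["geo_ip"]) - set(rule["allowed"])
        if extra:
            findings.append((rule["name"], sorted(extra)))
    return findings

def with_mode(config, mode):
    """Copy of config with the main Geo-IP mode changed (the fix from the thread)."""
    return {"geo_ip": {**config["geo_ip"], "mode": mode}, "rules": config["rules"]}

if __name__ == "__main__":
    for name, extra in audit(SAMPLE):
        print(f"{name}: custom list not enforced, also admits {', '.join(extra)}")
    print("after switching to per-rule:", audit(with_mode(SAMPLE, PER_RULE)))
```

As the last posts note, switching to per-rule mode also means the outbound rules (LAN->WAN and other internal networks) need their own allowed countries.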
