Geo-IP Location
Hominis_Floridanus
Hello,
I have a TZ series with Geo IP filtering. Although I have blocked most IPs outside the US, I still receive failed login reports where the IP address attempting to log in is in a blocked country. I have checked the DB and it shows the IP is outside the US and I don't have any Geo-IP exclusions.
Any ideas?
Category: Firewall Security Services
Answers
Seen the same thing. I created a service request and the Sonicwall people want to call in and have a look at it. Now writing in English is quite different from speaking in English - I'm not good at that, especially when it gets technical, so I didn't follow up on it.
Thanks Simon,
If you hear back from them about what it could be, please post back.
-Miguel
@Hominis_Floridanus , can you please let me know if you have a Technical Support case with us? Also, can you share what firmware version you are using? Thanks in advance.
Hello Mustafa,
I don't have a support case and all my devices are running current versions. Since I posted a while back, I can't remember the specifics. I will see when it happens again and record the exact model, firmware version and more details.
Hello again Mustafa,
TZ-270, latest firmware SonicOS 7.0.1-5145. I have Geo-IP blocking set, "block all connections" radio button, no custom list enabled and "block all unknown countries" set. Yet traffic from some blocked countries is reaching some NATted hosts, because the software-based IDS/IPS on those hosts shows IP blocking in the logs.
Checking the IP address against the SonicWall Geo-IP database shows that Geo-IP has the correct country listed for the IP. I'm scratching my head as to why this is happening.
I think I finally solved the similar issues I was having by setting Geo-IP to "Per Access Rule" instead of "Global", and then I edited my WAN->WAN access rule and set the Geo-IP Allowed Countries (under the specific rule's Security Settings) to United States. Cut down nearly all of the issues I was having with other countries attempting to break into public facing services.
by setting Geo-IP to "Per Access Rule" instead of "Global"
OK, this setting is on the Security Settings page, Geo-IP Filter tab, Settings section. There you can set "Block connections to/from countries selected in the Countries tab" and select either "All Connections" or "Firewall Rule-based Connections".
I've got mine set as All Connections which, IMO, blocks all unlisted countries, overruling any policy. Just checked the manual and it confirms my thought.
The other setting, Firewall Rule-based Connections, applies the settings to a particular access rule. In that respect, it's pretty odd the latter works ok and the first doesn't?
Hello,
The host was on a separate zone. I enabled Gateway AV, Anti-Malware and IDS/IPS for the zone thinking maybe the security services have to be enabled on the zone for Geo-IP to work. I'll post back in a day or two to report, hopefully that change helps.
The recent change has not fixed the issue, I still get traffic from blocked countries. Here are two examples:
35.240.121.17 & 35.187.98.121: Geo-IP has them as being in Belgium, which I have blocked. My server's software-based IDS blocks traffic from them, but it should have been blocked at the gateway by Geo-IP.
Mostly traffic is blocked from blocked countries but I am puzzled as to why addresses like the ones listed above get through somehow.
If you're using "Default GEO-IP exclusion group" (selected under countries tab), go into the address group, by default it has "Firewalled Subnets" excluded. Remove that from the group and see if GEO-IP functions as it should, then.
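The triage the thread does by hand (pull the source IPs out of the host IDS log, look each one up in the Geo-IP database, check whether it falls inside an exclusion-group subnet) can be scripted so the check runs over a whole log instead of one address at a time. The following is an added example, not code from the thread or from SonicWall; the log lines, the country table, the blocked list and the exclusion subnet are all constructed stand-ins.

```python
import ipaddress
import re

# Constructed sample lines modelled on a host IDS log; not taken from the thread.
SAMPLE_LOG = """\
2023-05-01T03:12:44Z sshd failed login from 35.240.121.17 user=admin
2023-05-01T03:13:02Z sshd failed login from 35.187.98.121 user=root
2023-05-01T03:14:10Z sshd failed login from 203.0.113.9 user=admin
2023-05-01T03:15:31Z sshd failed login from 192.168.10.5 user=backup
"""

# Constructed stand-in for a Geo-IP database lookup (ISO country codes assumed).
GEO_DB = {
    "35.240.121.17": "BE",   # Belgium, as the thread reports for these two
    "35.187.98.121": "BE",
    "203.0.113.9": "US",
    "192.168.10.5": None,    # RFC 1918 address, no country
}

BLOCKED_COUNTRIES = {"BE"}  # assumed blocked list for this example

# Constructed exclusion group; a "Firewalled Subnets"-style entry is modelled
# here as the LAN range, so anything inside it would bypass Geo-IP blocking.
EXCLUSION_GROUP = [ipaddress.ip_network("192.168.10.0/24")]

IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

def parse_source_ips(log_text):
    """Return the source IPs found in the log, in first-seen order, de-duplicated."""
    seen = []
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def in_exclusion_group(ip):
    """True if the address falls inside any exclusion-group subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUSION_GROUP)

def find_geo_leaks(log_text, geo_db=GEO_DB, blocked=BLOCKED_COUNTRIES):
    """List (ip, country, excluded) for blocked-country sources that reached the host.
    'excluded' tells you whether an exclusion-group entry could explain the leak."""
    leaks = []
    for ip in parse_source_ips(log_text):
        country = geo_db.get(ip)
        if country in blocked:
            leaks.append((ip, country, in_exclusion_group(ip)))
    return leaks
```

Any hit with `excluded == False` is traffic that no exclusion explains and that the gateway policy should have dropped, which is the case worth raising in a support ticket.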