GEO-IP and "Europe" tag

Hi,

For the first time I used the "Europe" tag on a GEO blocking rule - WAN to WAN

However it still blocks Ireland and the UK... and probably more Euro continent countries if I left it applied longer.

Can you confirm what the "Europe" geo ip group contains, entire continent of Europe, mainland Europe, Eurozone EU... nothing?

TZ 500 on Firmware Version: SonicOS Enhanced 6.5.4.4-44n

Category: Firewall Security Services

Comments

  • ThK Cybersecurity Overlord ✭✭✭

    @RedNet Hi !

    On SMA the geofilter looks like Europe is a group of countries, but in the firewall, as you see, I think Europe stands for .eu only instead of the European member states.

    -- Thomas

  • BWC Cybersecurity Overlord ✭✭✭

    Hi guys,

    I guess it depends on how the GeoIP provider (MaxMind, etc.) used by SNWL classified it, or it relies on the IP registry (RIPE etc.) whois information.

    I checked 92.123.212.56 a minute ago, it was classified as EU and the whois information shows EU as country as well.

    So EU is no group for that matter.

    --Michael@BWC

  • RedNet Enthusiast ✭✭
    edited September 2020

    But "Europe" on the firewall's Geo-IP table is an option, so what does it contain? One would assume it is the continent of Europe and groups all countries within. Obviously this is not the case, as in my example Ireland is being blocked.

    I have a tech support ticket open to get clarification - they sent me a link to a KB article about requesting an IP location change.

    My ticket was clearly described with nice screenshots, this query should be easy to answer... obviously they didn't bother reading it correctly.

    @ThK Thanks for the response, but .eu sites would relate to CFS, not GEO-IP filters for access rules. Yes, I am asking what group of countries Europe is. It's clearly not one containing the EU and European continent country of Ireland, as in my example they are blocked when "Europe" is applied as a filter (even though the SonicWall geo-ip filter test identifies the IPs as Ireland).

  • BWC Cybersecurity Overlord ✭✭✭
    edited September 2020

    Hi @RedNet

    As mentioned before, my best guess is that the GeoIP-Filter just reflects what's provided in the IP registry database.

    So no grouping at this point.

    Or did I get it wrong and you blocked Europe and Ireland was blocked?

    --Michael@BWC

  • RedNet Enthusiast ✭✭
    edited September 2020

    Ah, I get what you are saying now, so for some IPs the country tag is marked as "Europe" in the registration DBs?

    I only allowed Europe and my Ireland IP was blocked.

    Why isn't it checking the continent code described here?

    I cannot check MaxMind's DB but I can look at the continent code from whois using whois:

    The IPs from Ireland which were blocked return the "EU" continent code using whois, one example.

     "ip": "37.228.239.10",
      "success": true,
      "type": "IPv4",
      "continent": "Europe",
      "continent_code": "EU",
      "country": "Ireland",
      "country_code": "IE",
    


    An example of the same from one IP in your range does not state Europe either as country (Germany):

     "ip": "92.123.212.1",
      "success": true,
      "type": "IPv4",
      "continent": "Europe",
      "continent_code": "EU",
      "country": "Germany",
      "country_code": "DE",
      "country_flag": "https://cdn.ipwhois.io/flags/de.svg",
      "country_capital": "Berlin",
    


  • BWC Cybersecurity Overlord ✭✭✭

    Hi @RedNet

    I don't know what the GeoIP source for SNWL is using, maybe someone from SNWL can disclose this.

    My example above was directly out of the RIPE database, maybe ipwhois does have more accurate information. iplocation.net for example showed UK as country.

    But if you just block Europe on the SNWL then your addresses recognized as IE IMHO shouldn't match. If you double check on Manage -> Security Services -> GEO-IP Filter / Diagnostics (show resolved locations).

    --Michael@BWC

  • RedNet Enthusiast ✭✭

    No worries, thanks for the input. I had never seen "Europe" as a tag for the country field of an IP in the RIPE db. So, I'm sure you are correct and that's probably what it is. I just assumed SonicWALL had just created a GEO-IP group for all of the EU countries instead of having to add them all individually.

  • Arkwright All-Knowing Sage ✭✭✭✭

    What was the conclusion to this?

    My guess is that "Europe" is used where an IP is suspected to be in Europe but can't be more specifically located. I can't verify this though, because I've never been able to get an IP to come up as "Europe"!

  • Arkwright All-Knowing Sage ✭✭✭✭

    Support have confirmed that's what this is. It should really have a different name to avoid confusion.
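
Added example (not part of the thread, and not SonicWall's code): a small model of a country-keyed allow list, showing why allowing only "Europe" still drops an address that resolves to Ireland, and which codes an allow list needs to cover the continent. The table rows, the /32 and /24 prefixes, the use of `EU` as the code for the catch-all entry and the country subset are assumptions made for the illustration.

```python
import ipaddress

# Constructed geo table modelling a country-keyed lookup. The first two rows
# use the country values reported in the thread; the other two are
# documentation ranges with made-up countries.
GEO_TABLE = [
    (ipaddress.ip_network("37.228.239.10/32"), "IE"),  # thread: resolves to Ireland
    (ipaddress.ip_network("92.123.212.56/32"), "EU"),  # thread: RIPE whois country "EU"
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),   # constructed
    (ipaddress.ip_network("203.0.113.0/24"), "US"),    # constructed
]

# Illustrative subset of European country codes, not a complete list.
EUROPE_COUNTRIES = frozenset({"IE", "GB", "DE", "FR", "NL"})
EUROPE_CATCH_ALL = "EU"  # region-only entry, not a group of countries


def lookup_country(ip):
    """Return the country code of the most specific matching row, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, code) for net, code in GEO_TABLE if addr in net]
    return max(hits)[1] if hits else None


def is_allowed(ip, allowed_codes):
    """Allow-list decision keyed on the single country code of the address."""
    return lookup_country(ip) in allowed_codes


def continent_allow_list():
    """Codes needed to admit the whole continent: every country plus the catch-all."""
    return EUROPE_COUNTRIES | {EUROPE_CATCH_ALL}


def unexpectedly_blocked(ips, allowed_codes):
    """European-country addresses that the given allow list still rejects."""
    return [ip for ip in ips
            if lookup_country(ip) in EUROPE_COUNTRIES
            and not is_allowed(ip, allowed_codes)]


if __name__ == "__main__":
    samples = ["37.228.239.10", "92.123.212.56", "198.51.100.7", "203.0.113.9"]
    print("Europe only:", unexpectedly_blocked(samples, {EUROPE_CATCH_ALL}))
    print("expanded   :", unexpectedly_blocked(samples, continent_allow_list()))
```

Running the same check against the addresses shown under GEO-IP Filter / Diagnostics is a quick way to confirm an allow rule covers the countries it is meant to.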
