Geo IP Filter vs direct IP Filter
JanSkod
Newbie ✭
Hello, we have an NSA 6600. Some countries are blocked completely. Our data research shows that in some countries there are, of course, some specific IPs which perform massive requests.
So the question is: is it useful to directly block these IP addresses so that no Geo check must be performed and the utilization of the firewall can be decreased?
Best regards,
Jan
Category: High End Firewalls
Answers
Hi @JanSkod
I have no stressable data for you, but if you're seeing the same IPs over and over again causing many connections I guess it would be IMHO better to have them blocked before GeoIP checking them. I would probably block whole networks instead of single IPs if they are coming from the same block.
If you're doing long term monitoring of the utilization, you should see an immediate effect.
--Michael@BWC
Hello, thanks for the reply. With IP I of course also try IP blocks. We will go ahead. I would just be interested from the technical point of view. I guess country-blocked IPs which occur very often will not be checked by Geo all the time, as caching should be implemented.
So we have now blocked several IP address ranges. But the included IP addresses are still throwing an alert (country blocked). Does anyone know if Geo-Filtering is checked before the user-defined rules are checked? If so, it makes no sense to block addresses from blocked countries.
Hi @JanSkod a flow diagram or Judgement Order would be great to have, count me in.
If I get you right, you have an Access Rule which blocks from/to specific addresses and another Rule allowing from/to specific addresses?
The blocked packets also got blocked because of GeoIP? Did you configure your Allow Rule to consider GeoIP at all?
--Michael@BWC
Hello Michael. Yes, we created an object with an IP range and applied a discard access rule to it. This is valid for WAN to DMZ. As we discussed today, we found a problem in interpreting the behavior. In the access rule GeoIP was additionally enabled.
From my perspective it maybe does not make sense. All IPs from the given range should just be discarded. So what happens if Geo-IP is also activated? Does it again check for the country even if it should just be discarded?
To find out, I gave the command to turn Geo-IP enabled to off. So I can check later on if the alert messages for the given IP address range with the message "country blocked" don't occur any more.
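The open question in this thread is the evaluation order: whether a user-defined discard rule runs before or after the GeoIP check. The following is an added example (not SonicWall code, and it does not describe how SonicOS actually orders its checks) that models both orders with a small policy evaluator and counts how many GeoIP lookups each order performs and which verdict is logged. The deny ranges, the GeoIP table and the source addresses are constructed from documentation-reserved networks; the country codes are placeholders. It illustrates Michael's suggestion of blocking known ranges before the GeoIP stage, and why, if GeoIP ran first, the alerts would still read "country blocked" even though a matching discard rule exists.

```python
import ipaddress
from collections import Counter

# Constructed deny list: address ranges an administrator has chosen to discard outright.
DENY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed stand-in for a GeoIP database: network -> country code (placeholder codes).
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "XX",  # hypothetical blocked country
    ipaddress.ip_network("203.0.113.0/24"): "XX",
    ipaddress.ip_network("192.0.2.0/24"): "YY",     # hypothetical allowed country
}
BLOCKED_COUNTRIES = {"XX"}

# Constructed traffic sample: repeated hits from a few sources, as the thread describes.
SAMPLE_SOURCES = (
    ["198.51.100.7"] * 5        # inside a denied range and a blocked country
    + ["203.0.113.9"] * 3       # inside the denied /25 and a blocked country
    + ["203.0.113.200"] * 2     # blocked country, but outside the denied /25
    + ["192.0.2.5"] * 4         # allowed country, not denied
    + ["192.0.2.6"]
)


def geo_lookup(ip, stats):
    """Simulated GeoIP lookup; every call is counted as firewall work."""
    stats["geo_lookups"] += 1
    for net, country in GEO_DB.items():
        if ip in net:
            return country
    return None


def matches_deny_list(ip):
    """Cheap longest-prefix style check against the static deny ranges."""
    return any(ip in net for net in DENY_RANGES)


def evaluate(src, order, stats):
    """Apply the stages in the given order; the first stage that matches decides.

    Verdict strings mirror what a log line would report: which stage discarded the packet.
    """
    ip = ipaddress.ip_address(src)
    for stage in order:
        if stage == "acl" and matches_deny_list(ip):
            return "discard:acl"
        if stage == "geo" and geo_lookup(ip, stats) in BLOCKED_COUNTRIES:
            return "discard:country"
    return "allow"


def run(sources, order):
    """Return (verdict counts, number of GeoIP lookups performed) for one stage order."""
    stats = Counter()
    verdicts = Counter(evaluate(s, order, stats) for s in sources)
    return dict(verdicts), stats["geo_lookups"]


if __name__ == "__main__":
    for order in (("acl", "geo"), ("geo", "acl")):
        verdicts, lookups = run(SAMPLE_SOURCES, order)
        print(f"order={order}: verdicts={verdicts}, geo_lookups={lookups}")
```

With the deny list evaluated first, the eight packets from denied ranges never reach the GeoIP stage, so only seven lookups are made and the logs show "discard:acl" for them. With GeoIP first, all fifteen packets are looked up, every one from the blocked country is logged as "discard:country", and the deny rule never fires at all, which is the pattern the poster observed.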