Understanding Geo-IP and Botnet Filter Diagnostics Options

The Geo-IP Filter feature allows you to block connections to or from a geographic location. The SonicWall firewall uses the IP address to determine to the location of the connection. The GEO-IP Filter feature also allows you to create custom country lists that affect the identification of an IP address.
The MANAGE | Security Services | GEO-IP Filter page has a Diagnostics view with several tools:
• Show Resolved Locations
• Geo-IP Cache Statistics
• Custom Countries Statistics
• Check GEO Location Server Lookup
• Incorrectly Marked Address

The Botnet Filtering feature allows you to block connections to or from Botnet command and control servers and to make custom Botnet lists.
The MANAGE | Security Services | Botnet Filter page has a Diagnostics view with several tools:

• Show Resolved Botnet Locations
• Botnet Cache Statistics
• Botnets Statistics
• Check Botnet Server Lookup
• Incorrectly Marked Address

Geo-IP:

Navigate to MANAGE | Security Services | GEO-IP Filter and Diagnostics tab.

1. Show Resolved Locations
   It shows the list of IP addresses and the corresponding country that they belong to. 
   
   
2. Geo-IP Cache Statistics
   
   The Geo-IP Cache Statistics table contains this information:
   • Location Server IP - Remote IP address of the Botnet Server (utmgbdata.global.sonicwall.com)
   • Resolved Entries - Entries in the Location Table that have been checked against the Geo/Botnet DB for a result. This occurs for any IP that is looked up while the firewall has an internet connection and has downloaded the database.
   • Unresolved Entries - Entries added to the Location Table that have not been checked against the Geo/Botnet DB for some reason, possibly due to loss of internet connection. 
   • Current Entry Count - Current number of IPs in the cache
   • Max. Entry Count - Max cache count supported (Eg: TZ 300 – 10,000, TZ 500 – 15,000, NSa 2650 – 40,000, NSa 9650 – 50,000)
   • Location Map Count - List of countries
   
   
3. Custom Countries Statistics
   The Custom Countries Statistics table contains this information about the number of entries in the list and the number of times lookups have occurred for the entries:
   • No of Entries - Number of IPs added to the custom list
   • No of Times Called - Refers to the number of IPs that were looked up in the feature’s database
   • No of Times Not Looked-up - Refers to number of IPs that weren’t looked up against that particular database because the feature was disabled
   • No of Times Resolved - Number of IPs that were successfully checked against the custom list
   
   
   
4. Check GEO Location Server Lookup
   The Geo-IP Filter also provides the ability to lookup IP addresses to determine:
   • Domain name or IP address
   • The country of origin
   

   NOTE: The Geo Location Lookup tool can also be accessed from the INVESTIGATE | Tools | System Diagnostics page.
   
   
   

5. Incorrectly Marked Address
   If you think an address is marked as part of a country incorrectly, you can report the issue by clicking on the Geo-IP Status Lookup link in the Note on the MANAGE | Security Configuration | Security Services | GEO-IP filter page.
   
   The link displays the Submit IP for the Geolocation Review page.
   
   
   

Botnet Filter:

Navigate to MANAGE | Security Services | Botnet Filter and Diagnostics tab.

1. Show Resolved Botnet Locations
   Shows the list of botnets detected by the firewall present in the cache. The cache has a maximum count as per the device model, and we replace entries with newer ones one at a time once it reaches the max limit. 
   
   

   NOTE: The “show botnets” feature is not for historical use, but for diagnostic use. For reporting needs, it would best to use historical logging/reporting, such as GMS/Analytics or any other Syslog daemon. This information is also logged under the Event logs but it refreshes quite quickly to be viewed later and compared against the botnet hits.
   
   

2. Botnet Cache Statistics
   
   The Botnet Cache Statistics table contains this information:
   • Location Server IP - Remote IP address of the Botnet Server (utmgbdata.global.sonicwall.com)
   • Resolved Entries - Entries in the Location Table that have been checked against the Geo/Botnet DB for a result. This occurs for any IP that is looked up while the firewall has an internet connection and has downloaded the database.
   • Unresolved Entries - Entries added to the Location Table that has not been checked against the Geo/Botnet DB for some reason, possibly due to loss of internet connection. 
   • Current Entry Count - Current number of IPs in the cache
   • Max. Entry Count - Max cache count supported (Eg: TZ 300 – 10,000, TZ 500 – 15,000, NSa 2650 – 40,000, NSa 9650 – 50,000)
   • Botnets Detected - Number of botnets detected since uptime (Increments only upon unique IP addresses as Botnet)
   

   NOTE: t can be expected to see Botnet Cache Statistics showing the number of “Botnets Detected” while showing nothing in the “show botnets” list (display of the current locations table entries). It can also be expected to see the “show botnets” list displaying a number of items that is less than the number of “Detected Botnets”.
   
   

   EXAMPLE: You can see in the screenshots below that the statistics list 4 entries but the Show Botnets button shows only 1 entry. It means that the cache was cleared but the entries that were detected as botnets since uptime and only 1 is available at the moment.
   
   
   Also, the Geo-IP and Botnet use a single cache database. Clearing one would clear the other feature's database too.
   
   
   

3. Botnets Statistics
   The Diagnostics view displays statistics for both custom and dynamic Botnets. Both the Custom Botnets Statistics and Dynamic Botnet Statistics tables display the same information about the number of entries in the list and the number of times lookups have occurred for the entries:
   • No of Entries - Number of IPs present in the database
   • No of Times Called - Refers to the number of IPs that were looked up in the feature’s database
   • No of Times Not Looked-up - Refers to the number of IPs that weren’t looked up against that particular database because the feature was disabled
   • No of Times Resolved - Number of IPs that were successfully checked against the database
   
   
   The order in which an IP is looked up is
   1. Cache
   2. Custom Botnet Database
   3. Dynamic Botnet Database
   4. Default Botnet Database acquired from 3rd party.
   
   

   TIP: If a particular IP is present in the custom and dynamic DB, and if the Dynamic botnet was disabled, then we will NOT increment the “not looked-up” counter for dynamic as it would have already matched. However, if the custom botnet was disabled, we would increment the “not looked-up” counter for custom botnet in this case.

   NOTE: While using the Dynamic Botnet List server, whenever a new file gets downloaded, we clear the existing cache.
   It is intended that the firewall should enforce this feature based on the new list and not on old data. So, when the cache is reset; the cache count/size is set to 0.
   The statistics about the max size of the cache and the number of botnets blocked is still preserved.
   
   

4. Check Botnet Server Lookup
   The Botnet Filter also provides the ability to lookup IP addresses to determine:
   • Domain name or IP address
   • Whether the server is classified as a Botnet server
   

   NOTE: The Botnet Server Lookup tool can also be accessed from the INVESTIGATE | Tools | System Diagnostics page.
   
   
   

5. Incorrectly Marked Address
   If you believe that a certain address is marked as a Botnet incorrectly, or if you believe an address should be marked as a Botnet, report this issue at SonicWall Botnet IP Status Lookup by either clicking on the link in the Note in the MANAGE | Security Configuration | Security Services | Botnet Filter page or by going to http://botnet.global.sonicwall.com/