How to exclude a client from GEO-IP

Description

This KB explains how to exclude a specific host/network from Geo-IP.

Cause

Geo-IP checking is applied to both the source and the destination IP address. However, the Geo-IP exclusion object applies only to the address being blocked, i.e. the external IP address on the WAN. It does not exclude internal IPs from the Geo-IP feature.

For example: if a Client-PC's IP is included as an exclusion within the Geo-IP feature, the traffic is still blocked, since the destination IP address belongs to a blocked country.

This is expected behavior for GEN6/GEN7 devices. 

Below is an initial Geo-IP Configuration:

Image

The LAN client is included in the Geo-IP exclusion as Address Object "CLIENT-192.168.168.12".

Image

However, the access to a blocked country is still blocked.

Image

If the IP 195.211.222.2 is added to the exclusion list, the website is accessible even though it belongs to a blocked country.

Image

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


How to exclude a client from Geo-IP

  1. Change the Geo-IP to Firewall rule-based connections
    Image

  2. Create an access rule from LAN to WAN including the Client IP in Source Address
    Image
  3. In the "Security Profiles" tab, enable the Geo-IP Filter.

    Image
    About Geo-IP Filter Mode
    1. If set to Global: the client is subject to the Global Geo-IP Configuration.
      In this example, the client can access the IP 195.211.222.2 because it is excluded in the global configuration, but it cannot access other IPs belonging to blocked countries.
    2. If set to Custom: the client can access only the Allowed Countries listed in the table.
    Image

  4. For the other clients, the default LAN to WAN rule can be edited to manage the Geo-IP rules.
    Image
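
The behavior described in the Cause section and the two filter modes above can be reasoned about with a small model. This is an added example, not SonicWall code: it is a simplified Python model of the decision logic as this article describes it, and it also flags exclusion entries that cannot have any effect. The country table, the placeholder country codes "XX"/"YY", the extra test addresses and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: a stub country table, not a real Geo-IP database.
# "XX" stands for a blocked country; the article does not name the real one.
GEO_DB = {"195.211.222.2": "XX", "203.0.113.10": "XX", "198.51.100.7": "YY"}
BLOCKED = {"XX"}

def country_of(ip):
    """Return the country code, or None for internal/unknown addresses."""
    return GEO_DB.get(ip)

def matches(ip, objects):
    """True if ip falls inside any address object (host or CIDR network)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(o, strict=False) for o in objects)

def global_allows(src, dst, exclusions):
    """Global configuration: both endpoints are checked, and an exclusion
    entry exempts only the address it matches, never the peer."""
    return not any(country_of(ip) in BLOCKED and not matches(ip, exclusions)
                   for ip in (src, dst))

def rule_allows(src, dst, rule, exclusions):
    """Rule-based mode: the access rule matched by the client decides.
    Assumption of this model: Custom consults only the allowed-country table."""
    if rule["mode"] == "custom":
        country = country_of(dst)
        return country is None or country in rule["allowed"]
    return global_allows(src, dst, exclusions)

def ineffective_exclusions(exclusions):
    """Audit helper: private (internal) entries can never match a blocked
    external address, so they do not change what Geo-IP blocks."""
    return [o for o in exclusions
            if ipaddress.ip_network(o, strict=False).is_private]

if __name__ == "__main__":
    client = "192.168.168.12"
    print("client excluded  :", global_allows(client, "195.211.222.2", [client]))
    print("dest IP excluded :", global_allows(client, "195.211.222.2",
                                              ["195.211.222.2"]))
    print("no-effect entries:", ineffective_exclusions([client, "195.211.222.2"]))
```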
