Understanding Geo-IP and Botnet Filter Diagnostics Options
04/19/2021
Description
The Geo-IP Filter feature allows you to block connections to or from a geographic location. The SonicWall firewall uses the IP address to determine the location of the connection. The GEO-IP Filter feature also allows you to create custom country lists that affect the identification of an IP address.
The MANAGE | Security Services | GEO-IP Filter page has a Diagnostics view with several tools:
• Show Resolved Locations
• Geo-IP Cache Statistics
• Custom Countries Statistics
• Check GEO Location Server Lookup
• Incorrectly Marked Address
The Botnet Filtering feature allows you to block connections to or from Botnet command and control servers and to make custom Botnet lists.
The MANAGE | Security Services | Botnet Filter page has a Diagnostics view with several tools:
• Show Resolved Botnet Locations
• Botnet Cache Statistics
• Botnets Statistics
• Check Botnet Server Lookup
• Incorrectly Marked Address
Resolution
Geo-IP:
Navigate to MANAGE | Security Services | GEO-IP Filter and Diagnostics tab.
- Show Resolved Locations
It shows the list of IP addresses and the corresponding country that they belong to.
- Geo-IP Cache Statistics
The Geo-IP Cache Statistics table contains this information:
• Location Server IP - Remote IP address of the Botnet Server (utmgbdata.global.sonicwall.com)
• Resolved Entries - Entries in the Location Table that have been checked against the Geo/Botnet DB for a result. This occurs for any IP that is looked up while the firewall has an internet connection and has downloaded the database.
• Unresolved Entries - Entries added to the Location Table that have not been checked against the Geo/Botnet DB for some reason, possibly due to loss of internet connection.
• Current Entry Count - Current number of IPs in the cache
• Max. Entry Count - Max cache count supported (e.g. TZ 300 – 10,000, TZ 500 – 15,000, NSa 2650 – 40,000, NSa 9650 – 50,000)
• Location Map Count - List of countries
- Custom Countries Statistics
The Custom Countries Statistics table contains this information about the number of entries in the list and the number of times lookups have occurred for the entries:
• No of Entries - Number of IPs added to the custom list
• No of Times Called - Refers to the number of IPs that were looked up in the feature’s database
• No of Times Not Looked-up - Refers to number of IPs that weren’t looked up against that particular database because the feature was disabled
• No of Times Resolved - Number of IPs that were successfully checked against the custom list
- Check GEO Location Server Lookup
The Geo-IP Filter also provides the ability to look up IP addresses to determine:
• Domain name or IP address
• The country of origin
NOTE: The Geo Location Lookup tool can also be accessed from the INVESTIGATE | Tools | System Diagnostics page.
- Incorrectly Marked Address
If you think an address is marked as part of a country incorrectly, you can report the issue by clicking on the Geo-IP Status Lookup link in the Note on the MANAGE | Security Configuration | Security Services | GEO-IP filter page.
The link displays the Submit IP for the Geolocation Review page.
Botnet Filter:
Navigate to MANAGE | Security Services | Botnet Filter and Diagnostics tab.
- Show Resolved Botnet Locations
Shows the list of botnet entries detected by the firewall that are currently present in the cache. The cache has a maximum count that depends on the device model; once it reaches that limit, the oldest entries are replaced with newer ones one at a time.
NOTE: The “show botnets” feature is intended for diagnostic use, not as a historical record. For reporting needs, it is best to use historical logging/reporting, such as GMS/Analytics or any other Syslog daemon. This information is also logged under the Event logs, but it refreshes too quickly to be viewed later and compared against the botnet hits.
- Botnet Cache Statistics
The Botnet Cache Statistics table contains this information:
• Location Server IP - Remote IP address of the Botnet Server (utmgbdata.global.sonicwall.com)
• Resolved Entries - Entries in the Location Table that have been checked against the Geo/Botnet DB for a result. This occurs for any IP that is looked up while the firewall has an internet connection and has downloaded the database.
• Unresolved Entries - Entries added to the Location Table that have not been checked against the Geo/Botnet DB for some reason, possibly due to loss of internet connection.
• Current Entry Count - Current number of IPs in the cache
• Max. Entry Count - Max cache count supported (e.g. TZ 300 – 10,000, TZ 500 – 15,000, NSa 2650 – 40,000, NSa 9650 – 50,000)
• Botnets Detected - Number of botnets detected since uptime (Increments only upon unique IP addresses as Botnet)
NOTE: It can be expected to see Botnet Cache Statistics showing a number of “Botnets Detected” while the “show botnets” list (the display of the current Location Table entries) shows nothing. It can also be expected to see the “show botnets” list displaying fewer items than the number of “Botnets Detected”.
EXAMPLE: You can see in the screenshots below that the statistics list 4 entries but the Show Botnets button shows only 1 entry. This means that the cache was cleared: the statistics count every entry detected as a botnet since uptime, while only 1 of those entries is present in the cache at the moment.
Also, the Geo-IP and Botnet use a single cache database. Clearing one would clear the other feature's database too.
- Botnets Statistics
The Diagnostics view displays statistics for both custom and dynamic Botnets. Both the Custom Botnets Statistics and Dynamic Botnet Statistics tables display the same information about the number of entries in the list and the number of times lookups have occurred for the entries:
• No of Entries - Number of IPs present in the database
• No of Times Called - Refers to the number of IPs that were looked up in the feature’s database
• No of Times Not Looked-up - Refers to the number of IPs that weren’t looked up against that particular database because the feature was disabled
• No of Times Resolved - Number of IPs that were successfully checked against the database
The order in which an IP is looked up is:
1. Cache
2. Custom Botnet Database
3. Dynamic Botnet Database
4. Default Botnet Database acquired from 3rd party.
TIP: If a particular IP is present in the custom and dynamic DB, and if the Dynamic botnet was disabled, then we will NOT increment the “not looked-up” counter for dynamic as it would have already matched. However, if the custom botnet was disabled, we would increment the “not looked-up” counter for custom botnet in this case.
NOTE: While using the Dynamic Botnet List server, whenever a new file gets downloaded, we clear the existing cache.
It is intended that the firewall should enforce this feature based on the new list and not on old data. So, when the cache is reset; the cache count/size is set to 0.
The statistics about the max size of the cache and the number of botnets blocked is still preserved.
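The lookup order, the “not looked-up” counter rule in the TIP, the bounded cache and the cache reset on a dynamic list download can be followed in a small model. The code below is an added illustration written for this article, not SonicWall firmware; the `DbStats` counters, the `max_entries` value and the meaning of “Resolved” as a hit in that database are assumptions of the model.

```python
from collections import OrderedDict
from dataclasses import dataclass

@dataclass
class DbStats:
    entries: set
    enabled: bool = True
    called: int = 0         # No of Times Called
    not_looked_up: int = 0  # No of Times Not Looked-up
    resolved: int = 0       # No of Times Resolved (assumed: a hit in this DB)

class BotnetLookup:
    # Lookup order from the article: 1. cache  2. custom DB  3. dynamic DB  4. default DB
    def __init__(self, custom, dynamic, default, max_entries=4):
        self.cache = OrderedDict()      # Location Table: ip -> (verdict, source)
        self.max_entries = max_entries  # per-model cache limit (constructed value)
        self.dbs = {"custom": DbStats(set(custom)),
                    "dynamic": DbStats(set(dynamic)),
                    "default": DbStats(set(default))}
        self.seen_botnets = set()       # unique botnet IPs since uptime

    def lookup(self, ip):
        if ip in self.cache:            # 1. cache hit: no DB counters move
            return self.cache[ip]
        verdict = ("clean", None)
        for name, db in self.dbs.items():  # 2..4 in order, stop at first match
            if not db.enabled:          # a disabled DB is only counted if reached
                db.not_looked_up += 1
                continue
            db.called += 1
            if ip in db.entries:
                db.resolved += 1
                verdict = ("botnet", name)
                break
        if len(self.cache) >= self.max_entries:
            self.cache.popitem(last=False)  # replace the oldest entry, one at a time
        self.cache[ip] = verdict
        if verdict[0] == "botnet":
            self.seen_botnets.add(ip)
        return verdict

    def reload_dynamic_list(self, new_entries):
        # New dynamic list downloaded: the cache is cleared, statistics are preserved
        self.dbs["dynamic"].entries = set(new_entries)
        self.cache.clear()

    def cache_stats(self):
        # Mirrors Current Entry Count, Max. Entry Count and Botnets Detected
        return {"current": len(self.cache), "max": self.max_entries,
                "detected": len(self.seen_botnets)}
```

Running the two TIP scenarios shows the dynamic counter staying at 0 when the custom list already matched, and the custom counter incrementing when the custom list is disabled; a reload followed by one lookup reproduces the “4 detected, 1 in cache” situation from the EXAMPLE above.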
- Check Botnet Server Lookup
The Botnet Filter also provides the ability to look up IP addresses to determine:
• Domain name or IP address
• Whether the server is classified as a Botnet server
NOTE: The Botnet Server Lookup tool can also be accessed from the INVESTIGATE | Tools | System Diagnostics page.
- Incorrectly Marked Address
If you believe that a certain address is marked as a Botnet incorrectly, or if you believe an address should be marked as a Botnet, report this issue at SonicWall Botnet IP Status Lookup by either clicking on the link in the Note in the MANAGE | Security Configuration | Security Services | Botnet Filter page or by going to http://botnet.global.sonicwall.com/