Configuring Geo-IP Filtering

The Settings page gives a group of settings that can be configured for Geo-IP Filtering. Several of the settings have (information) icons next to them that give screen tips about that setting.

• Block connections to/from countries selected in the Countries tab - This option is selected by default. If this option is enabled, all connections to/from the selected list of countries are blocked. You can specify an exclusion list to exclude blocking for selected IPs. When this option is selected, the next two options become available.
  • All Connections - This selects one of the two modes of Geo-Filter. All connections to and from the firewall are filtered. This option is selected by default.
  • Firewall Rule-Based Connections - With this selection only connections that match an access rule configured on the firewall are filtered for blocking.
• Block all connections to public IPs if GeoIP DB is not downloaded - This option is not selected by default. If the Geo-IP database is not downloaded, this selection drops all attempted connections from public IP addresses.
• Enable Custom List - This option is not selected by default. Custom lists are sometimes used to correct a false country assignment for an IP address. If the checkbox is selected, the Override Firewall Countries by Custom List is made available.
• Override Firewall Countries by Custom List - This selection is only available if Enable Custom List is clicked. It allows your custom list to override the firewall list where there are differences. Unless you select this Override, the firewall list takes precedence, even when you have enabled a custom list.
• Enable Logging -This option is not selected by default. It enables logging of filter events.

The Countries page gives a group of settings that can be configured for Geo-IP Filtering to block specific countries.

• Blocked Country table - Click the checkbox for the countries to be blocked. By default, no countries are blocked. By clicking on the checkbox at the top of the table, you can select all countries, then exclude countries from blocking by clicking on them separately.
• Block All Unknown countries - Select this option to block any countries that are not listed. All connections to unknown public IPs are blocked. This option is not selected by default.

• Geo-IP Exclusion Object - This setting allows you to configure an exclusion list of all connections to approved IP addresses.

  Select an address group from the list. The default is Default Geo-IP and Botnet Exclusion Group.

  The Geo-IP Exclusion Object is a network address object group that specifies a group or a range of IP addresses to be excluded from the Geo-IP filter blocking. All IP addresses in the address object or group are allowed, even if they are from a blocked country.

  For example, if all IP addresses coming from Country A are set to be blocked and an IP address from Country A is detected, but it is in the Geo-IP Exclusion Object list, then traffic to and from this IP address is allowed to pass.

  For this feature to work correctly, the country database must be downloaded to the firewall. The Status indicator at the top right of the page turns yellow if this download fails. Green status indicates that the database has been successfully downloaded.

  For the country database to be downloaded, the firewall must be able to resolve the address geodnsd.global.SonicWall.com.

  When a user attempts to access a web page that is from a blocked country, a block page message is displayed on the user’s web browser.

  If a connection to a blocked country is short-lived and the firewall does not have a cache for the IP address, then the connection might not be blocked immediately. As a result, connections to blocked countries might occasionally appear in the App Flow Monitor. However, additional connections to the same IP address are blocked immediately.

Click:

• Accept to confirm your changes.
• Reset to cancel your changes.