Custom Geo-IP list to exclude a website from Geo-IP filter

05/18/2022 335 People found this article helpful 374,985 Views

Description

Geo-IP custom list is used for many reasons, of which the following are more prominent ones.

To allow an IP/subnet/range which is part of a blocked country
To block an IP/subnet/range which is part of an allowed country
If an IP address is classified as the wrong country - along with this, a location change request can be done : GEO-IP location change request

If you just need an exclusion for the hosts behind SonicWall, then follow this KB : How can I exclude hosts behind SonicWall from Geo-IP Filter using firewall access rules? and Using Geo-IP filtering to block connections coming to or from a geographic location

This article assumes the Geo-IP filter is already configured.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Login to SonicWall management interface and navigate to POLICY | Security Services | Geo-IP Filter | Settings
Enable the option "Enable custom list" and
1. Override Firewall countries by Custom list : Enabling a custom list can affect the country identification, for an IP address, in the following ways: • If "Enable Custom List" is not enabled, then during country identification, only firewall country database will be searched. If "Enable Custom List" is enabled, but "Override Firewall Countries By Custom List" is not enabled, then during country identification, then first firewall country database will be searched, if not resolved, then the custom country list will be searched. If "Enable Custom List" is enabled and "Override Firewall Countries By Custom List" is also enabled, then during country identification, first custom country list will be searched, if not resolved, then the firewall country database will be searched. Action will be taken accordingly
Accept to save the settings
Now, navigate to the Custom list and click Add
In the pop-up window, give the right address object (for the IP to be allowed) and mark this IP as part of any Allowed country. I have used US in my example below:

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Login to SonicWall management interface and navigate to Manage| Security Services | Geo-IP Filter | Settings
Enable the option "Enable custom list" and
1. Override Firewall countries by Custom list : Enabling a custom list can affect the country identification, for an IP address, in the following ways: • If "Enable Custom List" is not enabled, then during country identification, only the firewall country database will be searched. If "Enable Custom List" is enabled, but "Override Firewall Countries By Custom List" is not enabled, then during country identification, then first firewall country database will be searched, if not resolved, then the custom country list will be searched. If "Enable Custom List" is enabled and "Override Firewall Countries By Custom List" is also enabled, then during country identification, first custom country list will be searched, if not resolved, then the firewall country database will be searched. Action will be taken accordingly
Accept to save the settings
Now, navigate to the Custom list and click Add
In the pop-up window, give the right address object (for the IP to be allowed) and mark this IP as part of any Allowed country. I have used US in my example below: