How to exclude a device behind my internal network using GEOIP?

Description

GeoIP Exclusion Object is not excluding my internal device.

Cause

Geo-IP checking is applied to both the source and the destination IP address. The Geo-IP exclusion object, however, relates only to the Geo-IP address being blocked (that is, the external server on the WAN side); it does not exempt internal IPs from the Geo-IP feature.

For example: if a client PC's IP is added as an exclusion within the Geo-IP feature, its traffic will still be blocked, because the destination IP address still belongs to a blocked country. This is expected behavior on GEN6/GEN7 devices.

In this scenario we will allow one device behind the LAN network to access a Spanish website, while Spain remains blocked in the global Geo-IP setting.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.

As an example, the initial global Geo-IP settings below, using "All Connections" with "Spain" as the blocked country and INCORRECTLY setting the "Geo-IP exclusion" object to "My-Internal-PC" on the LAN, will still block the Geo-IP traffic.


The log event below shows an alert where the website is blocked by Geo-IP. The Geo-IP exclusion does not take effect with this configuration.


To resolve the issue:

  1. Enable "Firewall Rule-based Connections" under the Geo-IP Filter settings.
  2. Add an access rule from LAN to WAN (or the desired internal zone) whose source address is the client's internal IP address object "My-Internal-PC", and DISABLE "Geo-IP Filter" under Security Profiles for that rule.
  3. To keep blocking via Geo-IP for the rest of the LAN, add a second access rule LAN to WAN with Source Any and Destination Any, with the Geo-IP filter enabled and using the global setting.
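The following is an added, simplified model of the behaviour this article describes; it is constructed here and is not SonicOS code. It shows why an exclusion object containing the LAN host does not help in global mode (both addresses are checked, and the exclusion only matches the blocked foreign address), and how the rule-based configuration carves out one host while the rest of the LAN keeps Geo-IP filtering. All IP addresses and the GeoIP table are constructed sample values.

```python
# Added example: simplified model of global vs. rule-based Geo-IP filtering.
# Not SonicOS code; addresses and the country table are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GEOIP_DB = {"203.0.113.10": "ES", "198.51.100.7": "US"}  # constructed lookup table
BLOCKED_COUNTRIES = {"ES"}  # global setting: Spain blocked

def country(ip: str) -> Optional[str]:
    return GEOIP_DB.get(ip)  # internal (RFC 1918) addresses have no country entry

def global_geoip_blocks(src: str, dst: str, exclusions: set) -> bool:
    """Global mode ("All Connections"): both source and destination are
    checked; the exclusion object only applies to the address whose
    country is blocked, so excluding the LAN host changes nothing."""
    for ip in (src, dst):
        if country(ip) in BLOCKED_COUNTRIES and ip not in exclusions:
            return True
    return False

@dataclass
class AccessRule:
    source: str          # CIDR or host; "any" matches everything
    geoip_filter: bool   # per-rule "Geo-IP Filter" under Security Profiles

    def matches(self, src: str) -> bool:
        return self.source == "any" or ip_address(src) in ip_network(self.source)

def rule_based_blocks(src: str, dst: str, rules: list) -> bool:
    """Firewall Rule-based Connections: the first matching access rule decides
    whether the Geo-IP check runs for this flow at all."""
    for rule in rules:
        if rule.matches(src):
            return rule.geoip_filter and global_geoip_blocks(src, dst, set())
    return True  # no matching rule: treated as denied in this model

def demo() -> dict:
    pc, spain, us = "192.168.1.50", "203.0.113.10", "198.51.100.7"
    rules = [AccessRule(pc + "/32", geoip_filter=False),  # carve-out for one host
             AccessRule("any", geoip_filter=True)]        # rest of LAN keeps Geo-IP
    return {
        "global_with_pc_excluded": global_geoip_blocks(pc, spain, {pc}),     # True
        "global_other_country": global_geoip_blocks(pc, us, set()),          # False
        "rule_based_pc": rule_based_blocks(pc, spain, rules),                # False
        "rule_based_other_host": rule_based_blocks("192.168.1.99", spain, rules),  # True
    }

if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {'BLOCKED' if blocked else 'allowed'}")
```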

