Dell SonicWALL SRA 7.0 Geo IP & Botnet Filters




SRA Geo IP & Botnet Filters Feature Module

This document describes how to configure and use Geo IP locations and Botnet filters, introduced in Dell SonicWALL SRA 7.0. It contains the following sections:

- Feature Overview
- Licensing
- Configuring Geo IP & Botnet Filters
- Viewing Geo IP & Botnet Filter Activity
- Using the Log
- Troubleshooting
- Location Columns

Feature Overview

This section introduces the use of Geo IP and Botnet filters with the SRA appliance. It contains the following subsections:

- What is Geo IP?
- What are Botnet Filters?

What is Geo IP?

The Geo IP feature enables administrators to monitor remote users and enforce policies based on their geographical locations. In addition, users' Geo IP locations are displayed on several AMC pages. Geo IP is disabled by default on SRA appliances.

What are Botnet Filters?

A Botnet is a task-oriented network of Internet-connected programs that poses serious security risks, such as denial of service and data leakage. Botnets are hard to identify and control because their origins are transient. Botnet Filters provide a strong, anti-evasive defense against rogue activity from Botnets, using a dynamically updated database maintained by Dell SonicWALL, to:

- Block connections to and from known botnet control servers. The appliance watches for and stops attempts to connect to a botnet server. Built-in reporting also identifies which PC on the network has the bot installed so that it can be removed.
- Block connections to and from countries. This lets you prevent connections to and from servers outside your own country, controlling which servers your users can reach and blocking botnet servers that have not yet been discovered.

Botnet Filter lookup is asynchronous: the first few packets from an IP address are allowed through while the Botnet policy for that address is being looked up. Once the policy is cached, it is enforced for subsequent packets from that address. Bear this in mind when reading the log: a source that was later denied may still have produced a few initial packets. Botnet filters are disabled by default on SRA appliances.

Licensing

Geo IP & Botnet Filter is a subscription service that includes a free trial, which expires one year after the SRA 7.0 release date. The licensing status of the subscription is shown on the Geo IP & Botnet Filter > Licensing page. The Licensing page also includes a brief description of the feature and a link to the System > Licenses page, where you can activate, upgrade, and renew licenses.
Configuring Geo IP & Botnet Filters

To configure Geo IP and Botnet Filters on an SRA appliance, perform the following:

- Enable Geo IP & Botnet Filters
- Configure Cache Management
- Configure Access Policies

Note: If a firewall sits in front of the SRA appliance, it must allow:

1. HTTP requests and responses to and from geoipdata.global.sonicwall.com
2. DNS packets (at least DNS queries) for names with the suffix .geoipd.global.sonicwall.com

Enable Geo IP & Botnet Filters

Use the General Settings section of the Geo IP & Botnet Filter > Settings page to globally enable or disable the Geo IP & Botnet Filter, which is disabled by default. This section is also used to enable or disable Geo IP & Botnet Filter logging, described in Using the Log.

Note: An IP address can be checked manually against the Botnet database with the Botnet Test diagnostic tool on the System > Diagnostics page, as explained in Using the Diagnostic Tool.

To enable the Geo IP & Botnet Filter:

1. Check the Enable Geo IP & Botnet Filter check box. When enabled, a Location column is added to the NetExtender > Status, Virtual Assist > Status, Virtual Meeting > Status, and User > Status pages that identifies the location of each user's source IP address. Mousing over an icon in the Location column displays the Region and Country of the source IP.
2. Click Accept.

When this feature is enabled, the General Settings section displays four sub-features that can be individually enabled or disabled:

- Logging of Geo IP: When enabled, the Geo IP & Botnet Filter > Log, End Point Control > Log, Web Application Firewall > Log, and Log > View pages display the geographical location of the source IP for each event log message. Enabled by default.
- Access Control of Geo IP: When enabled, the Geo IP policies are enforced. Disabled by default.
- Logging of Botnet Filter: When enabled, traffic from each IP is logged only once per second, whether it is denied or allowed. For example, if several packets from an IP arrive within one second, only a single message is generated for that traffic. Enabled by default.
- Access Control of Botnet Filter: When enabled, all traffic from Botnet IPs is denied and the Botnet policies are enforced. When disabled, all traffic is allowed and the Botnet Filter operates in Detect mode, which logs but does not block. Disabled by default.

Note that with the default settings the filter only logs: nothing is blocked until Access Control of Geo IP or Access Control of Botnet Filter is turned on.

Configure Cache Management

The Geo IP & Botnet Filter uses a backend server maintained by Dell SonicWALL to identify the geographical location of an IP address and whether it is a Botnet address. For better performance, this information is cached temporarily on the SRA appliance, and the cache can also be used when the backend server is unavailable. Use Cache Management to govern how cached Geo IP and Botnet data is handled.

To configure Geo IP & Botnet Filter cached information:

1. Check the Enable Offline Mode check box to use expired cached Geo IP & Botnet data whenever the Dell SonicWALL backend server cannot be reached. If Offline Mode is not enabled, cached data is removed when it expires.
2. In the Maximum Cache Lifetime field, type the maximum number of hours that cached Geo IP & Botnet Filter data remains valid. The default lifetime is 12 hours. After this time, cached data is not used unless Offline Mode is enabled and the backend server is unreachable.
3. Click Accept.
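The cache rules above (Maximum Cache Lifetime, Offline Mode, Clear All) as an added Python example. This is not SonicWALL code and does not describe the appliance's implementation; the backend callable, the Entry type, and the behaviour when no usable data exists (the lookup returns None) are assumptions of the model.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Added example, not SonicWALL code: a model of the Cache Management settings
# (Maximum Cache Lifetime, Offline Mode). The backend is modelled as any
# callable that returns (country, is_botnet) for an IP or raises
# BackendUnreachable; on the appliance it is the Dell SonicWALL backend server.


class BackendUnreachable(Exception):
    """Raised by the backend callable when the lookup service cannot be reached."""


@dataclass
class Entry:
    country: str
    is_botnet: bool
    fetched_at: float  # seconds; compared against Maximum Cache Lifetime


class GeoBotnetCache:
    def __init__(self, backend: Callable[[str], Tuple[str, bool]],
                 max_lifetime_hours: float = 12.0,   # document default
                 offline_mode: bool = False):        # Enable Offline Mode
        self.backend = backend
        self.lifetime = max_lifetime_hours * 3600
        self.offline_mode = offline_mode
        self._entries: Dict[str, Entry] = {}

    def lookup(self, ip: str, now: Optional[float] = None) -> Optional[Entry]:
        """Return the cached or freshly fetched verdict for ip, or None when no
        usable data exists (backend down, cache expired, Offline Mode off).
        Returning None is an assumption of this model: the document only says
        expired data is not used unless Offline Mode is enabled."""
        now = time.time() if now is None else now
        entry = self._entries.get(ip)
        if entry is not None and now - entry.fetched_at <= self.lifetime:
            return entry                      # fresh: served from cache
        try:
            country, is_botnet = self.backend(ip)
        except BackendUnreachable:
            if entry is not None and self.offline_mode:
                return entry                  # expired data used only in Offline Mode
            self._entries.pop(ip, None)       # otherwise expired data is discarded
            return None
        entry = Entry(country, is_botnet, now)
        self._entries[ip] = entry             # a refreshed entry restarts the lifetime
        return entry

    def cache_count(self) -> int:
        """Equivalent of Cache Count on the General Status tab."""
        return len(self._entries)

    def clear_all(self) -> None:
        """Equivalent of the Clear All button."""
        self._entries.clear()
```

The model makes the operational trade-off visible: with Offline Mode off, a backend outage longer than the cache lifetime leaves the appliance with no verdict for any address, so check Server Status on the General Status tab before assuming a denied user was blocked by policy.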

Configure Access Policies

Use the Access Policies section of the Geo IP & Botnet Filter > Settings page to view, add, edit, and delete Geo IP and Botnet Filter access policies. Up to 64 Geo IP and Botnet Filter access policies can be created.

Consider the following when configuring access policies:

- Each policy is automatically assigned a distinct priority, with 1 being the highest. A policy's priority determines the order of enforcement, which is the order in which the policies are listed on the Settings page.
- Botnet Filter policies have a higher priority than Geo IP policies.
- Geo IP policies are prioritized by creation time, with those created first having the higher priority.
- Botnet Filter policies defined for a single IP address have a higher priority than Botnet Filter policies defined for a subnet, and within each type policies are prioritized by creation time, with those created first having the higher priority.
- Custom policies are enforced before the SonicWALL Botnet Filter database. If an IP address is listed in the database but an administrator defines an Allow policy for it, access from that IP is allowed. Be deliberate with Allow policies on address ranges for this reason.
- A policy can be modified by clicking its edit button, but a policy name cannot be changed. A policy can be deleted by clicking its delete button.

To add a Geo IP or Botnet policy:

Step 1 Expand the Access Policies section of the Geo IP & Botnet Filter > Settings page.
Step 2 Click the Add Policy button, which displays the Add Policy page.
Step 3 In the Policy Name field, type the name you want to use to identify the access policy.

Step 4 Select the Policy Type from the drop-down list:
- Select Geo IP Policy to allow or deny traffic from specified countries.
- Select Botnet Policy to allow or deny access from a specified IPv4 address or address range.
Step 5 If you selected Geo IP Policy as the Policy Type, in the Apply Policy To section either:
- Check the check box for each country to be included in the policy, OR
- Check the top check box to include all countries in the policy.
Step 6 If you selected Botnet Policy as the Policy Type, in the Apply Policy To section:
a. Use the Apply Policy To drop-down list to select whether the policy is enforced on a single IP address or a range of IP addresses.
b. If you chose a single IP address, type the IP address in the IP Address field.
c. If you chose a range of IP addresses, type the starting IP address in the IP Network Address field and the subnet mask in the Subnet Mask field.

d. In the Action drop-down list, select Allow to give traffic from all IP addresses identified in the policy access to the network, or select Deny to prohibit traffic from all IP addresses identified in the policy.
Step 7 Click Accept.

Viewing Geo IP & Botnet Filter Activity

Use the Geo IP & Botnet Filter > Status page to check information on Geo IP and Botnet activity. The Status page contains two tabs: General Status and Botnet Status.

General Status

The General Status tab displays general filter information and is used to clear the Geo IP and Botnet caches manually.

Note: Cache management is explained in Configure Cache Management.

When the Geo IP & Botnet Filter is enabled, the General Status tab provides the following information:

- Server Status shows whether the backend server is connected. An Offline status may indicate that the network settings need to be changed.
- Offline Mode identifies whether Offline Mode for cache management is enabled. When the backend server is unreachable, cached Geo IP & Botnet Filter data is used to provide the Geo IP & Botnet Filter functions.
- Cache Count shows the total number of Geo IP and Botnet cache entries. The cache can be cleared at any time by clicking the Clear All button.

- Last checked displays the timestamp of the most recent cache update.
- Service Expiration Date shows the license expiration date of the Geo IP & Botnet Filter service.
- License Status identifies whether the Geo IP & Botnet Filter service is licensed. The Geo IP & Botnet Filter is a subscription service that includes a free trial, which expires one year after the SRA 7.0 release date.

When the Geo IP & Botnet Filter is licensed but disabled, the Status page displays a warning that contains a link to the Settings page where the feature can be enabled.

Botnet Status

The Botnet Status tab shows traffic statistics for Botnet IP addresses for the current reporting period. Statistics are shown for the top 10 IP addresses detected by the Botnet Filter during the selected period. Note that if the location of an IP address changes, each location is shown as a separate entry and the statistics are split between them. Use the Monitoring Period drop-down list to select the reporting period: Last 12 Hours, Last 14 Days, Last 21 Days, Last 6 Months, or All recorded traffic data.
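The policy ordering rules from Configure Access Policies, modelled as an added Python example. This is not SonicWALL code. The Policy class, the helper names, the in_botnet_db flag standing in for the Dell SonicWALL database lookup, and the default Allow verdict when no policy matches are assumptions; the document does not say what happens to countries that no Geo IP policy names. The example goes slightly beyond the text by also exercising the two Access Control toggles (Detect mode).

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import count
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Added example, not SonicWALL code: a model of the priority and evaluation
# rules documented under Configure Access Policies. The botnet database is
# represented by a boolean per source IP. The default verdict when nothing
# matches (allow) is an assumption of this model.

MAX_POLICIES = 64
_creation_counter = count(1)  # later policies get a higher (lower-priority) number


@dataclass
class Policy:
    name: str
    kind: str                       # "botnet" or "geoip"
    action: str                     # "allow" or "deny"
    ip: Optional[str] = None        # botnet policy on a single IPv4 address
    network: Optional[str] = None   # botnet policy on a range, e.g. "203.0.113.0/255.255.255.0"
    countries: FrozenSet[str] = frozenset()  # geoip policy: country codes
    created: int = field(default_factory=lambda: next(_creation_counter))

    def matches(self, src_ip: str, country: str) -> bool:
        if self.kind == "botnet":
            addr = ipaddress.ip_address(src_ip)
            if self.ip is not None:
                return addr == ipaddress.ip_address(self.ip)
            if self.network is None:
                raise ValueError(f"botnet policy {self.name} has neither ip nor network")
            return addr in ipaddress.ip_network(self.network, strict=False)
        return country in self.countries


def priority_key(p: Policy) -> Tuple[int, int, int]:
    """Smaller sorts first: Botnet before Geo IP; single-IP botnet policies
    before subnet ones; then the earlier-created policy wins."""
    return (0 if p.kind == "botnet" else 1,
            0 if (p.kind == "botnet" and p.ip is not None) else 1,
            p.created)


def order_policies(policies: Iterable[Policy]) -> List[Policy]:
    """Policies in enforcement order; list index + 1 is the displayed priority."""
    ordered = sorted(policies, key=priority_key)
    if len(ordered) > MAX_POLICIES:
        raise ValueError(f"at most {MAX_POLICIES} access policies are supported")
    return ordered


def evaluate(policies: Iterable[Policy], src_ip: str, country: str,
             in_botnet_db: bool, enforce_botnet: bool = True,
             enforce_geoip: bool = True) -> Tuple[str, str]:
    """Return (action, reason). enforce_* mirror the Access Control of Botnet
    Filter / Access Control of Geo IP toggles; with enforcement off, the
    corresponding policies are skipped and the filter only detects."""
    for priority, p in enumerate(order_policies(policies), start=1):
        if p.kind == "botnet" and not enforce_botnet:
            continue
        if p.kind == "geoip" and not enforce_geoip:
            continue
        if p.matches(src_ip, country):
            return p.action, f"policy {p.name} (priority {priority})"
    # Custom policies are enforced first, so the database verdict is a fallback.
    if enforce_botnet and in_botnet_db:
        return "deny", "SonicWALL Botnet Filter database"
    return "allow", "no matching policy (assumed default)"
```

The case worth noting is an Allow policy on a subnet: because custom policies precede the database, a host inside that subnet that is listed as a botnet address is still admitted, and a Geo IP deny for its country never gets a chance to match.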

Using the Log

The Geo IP & Botnet Filter > Log page lists information detected by the Geo IP & Botnet Filter:

- Location information identifying the geographical location of the source IP for each event log message generated by Geo IP. Location information is also displayed on the applicable SRA log and status pages. If Geo IP Logging is disabled, this column contains a Not Logged icon. If a location or country flag is not available, this column contains an Unknown icon. Mousing over an icon in the Location field displays the Region and Country of the source IP.
- Traffic detected by the Botnet Filter. Traffic from each IP is logged only once per second, whether it is denied or allowed.

Several functions can be performed on this page, including a flexible search and the ability to export the log to a file or email it. Instructions for these functions follow. Clicking a log entry displays more information about the event, if available. Click any column heading to sort the log messages alphabetically by that column.

Searching the Log

Search for a value contained in a specific column of the log table, or search for log entries that do not contain the specified value. To view and search the log, perform the following steps:

Step 1 On the Geo IP & Botnet Filter > Log page, type the value to search for into the Search field. The search value is case sensitive.
Step 2 Select the column in which to search from the drop-down list to the right of the Search field.
Step 3 Do one of the following:
- To search for log entries containing the search value, click Search.
- To search for log entries that do not contain the search value, click Exclude.
- To clear the Search field and display the first page of log entries, click Reset.

Controlling the Log Pagination

To adjust the number of entries on the log page and display a different range of entries, perform the following steps:

Step 1 On the Geo IP & Botnet Filter > Log page, enter the number of log entries that you want on each page into the Items per Page field. The Log page changes to show the new number of entries.
Step 2 To view the log entries beginning at a certain number, type the starting number into the Item field and press Enter.
Step 3 To view the first page of log entries, click the left-most button in the arrow control pad.
Step 4 To view the previous page of log entries, click the left arrow in the arrow control pad.
Step 5 To view the next page of log entries, click the right arrow in the arrow control pad.
Step 6 To view the last page of log entries, click the right-most button in the arrow control pad.

Exporting and Emailing Log Files

You can export the current contents of the log to a file, or email the log contents, by using the buttons in the top right corner of the Geo IP & Botnet Filter > Log page. Exported files are saved with a .wri file name extension and open in WordPad by default. Emailed files are sent automatically to the address configured on the Log > Settings page of the SSL-VPN management interface. If no address is configured, the Status line at the bottom of the browser displays an error message when you click the E-Mail Log button.

To export or email the log, perform the following steps:

Step 1 To export the log contents, click the Export button in the top right corner of the Geo IP & Botnet Filter > Log page. The File Download dialog box is displayed.
Step 2 In the File Download dialog box, do one of the following:
- To open the file, click Open.
- To save the file, click Save, browse to the folder where you want to save the file, and click Save.
Step 3 To email the log contents, click the E-Mail Log button in the top right corner of the Geo IP & Botnet Filter > Log page. The log contents are emailed to the address specified on the Log > Settings page.

Clearing the Log

You can remove all entries from the log on the Geo IP & Botnet Filter > Log page. The entries on the page are removed, and any attempt to export or email the log while it is still empty displays a confirmation dialog box. To clear the log:

Step 1 In the top right corner of the Geo IP & Botnet Filter > Log page, click Clear.
Step 2 Click OK in the confirmation dialog box.

Troubleshooting

Use the following information to pinpoint questionable IP addresses and troubleshoot Botnet Filter problems.

Using Log Messages

The following log messages are useful for troubleshooting Botnet Filter problems:

All packets from <IP address> will be allowed
All packets from <IP address> will be denied

These messages indicate that a Geo IP & Botnet Filter policy has added the source IP address to the Allow or Deny list. For the duration of the cache lifetime, all packets from that source IP are allowed or denied as indicated. If a user cannot connect to the appliance, check the log to see whether the user was denied by the Geo IP & Botnet Filter.

Failed to reload Regions Database, no Regions information available
Failed to reload Regions Database

These messages indicate that the system could not load region data from the backend server. When the message includes "no Regions information available", no region data was found in the local database either. When the message does not include this text, a previous version of the region data was found and is being used. Check the network settings to confirm that the backend server is reachable.

Using the Diagnostic Tool

To check manually whether an IP address is a Botnet IP address, use the Botnet Test diagnostic tool. This tool is typically used when you suspect that an IP address is a Botnet address and want to confirm it before creating an access policy that denies access.

Step 1 Open the System > Diagnostics page.
Step 2 In the Diagnostic Tool drop-down list, select Botnet Test.
Step 3 In the IP Address field, type the IP address you want to check.
Step 4 Click Enter. The diagnostic result is displayed.

Location Columns

A Location column identifying where a user is located has been added to the tables on the following pages:

- Web Application Firewall > Log
- Log > View
- NetExtender > Status
- Virtual Assist > Status
- Virtual Meeting > Status
- User > Status
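Returning to the messages listed under Using Log Messages in Troubleshooting, the following added Python example (not SonicWALL code) scans exported log text for those messages and answers the two questions asked there: was a given user's source IP denied, and did the Regions Database fail to reload. The timestamps and addresses in SAMPLE_LOG are constructed sample input and the line layout is an assumption; the appliance's .wri export may differ, so only the message text itself is matched. Denied addresses it reports are the natural candidates for the Botnet Test tool.

```python
import re
from collections import Counter
from typing import Dict

# Added example, not SonicWALL code: scan exported Geo IP & Botnet Filter log
# text for the messages documented under Using Log Messages. SAMPLE_LOG is
# constructed input; the timestamp layout is an assumption, so the regexes
# match only the message text.

SAMPLE_LOG = """\
2013-05-01 10:02:11 All packets from 203.0.113.7 will be denied
2013-05-01 10:02:11 All packets from 198.51.100.20 will be allowed
2013-05-01 10:03:40 All packets from 203.0.113.7 will be denied
2013-05-01 10:05:02 Failed to reload Regions Database, no Regions information available
2013-05-01 10:06:15 All packets from 203.0.113.9 will be denied
2013-05-01 10:20:00 Failed to reload Regions Database
"""

VERDICT_RE = re.compile(r"All packets from (\S+) will be (allowed|denied)")
REGIONS_RE = re.compile(r"Failed to reload Regions Database(, no Regions information available)?")


def summarize(log_text: str) -> Dict[str, object]:
    """Count Allow/Deny verdicts per source IP and Regions Database failures."""
    denied: Counter = Counter()
    allowed: Counter = Counter()
    reload_failures = 0
    no_region_data = False
    for line in log_text.splitlines():
        m = VERDICT_RE.search(line)
        if m:
            (denied if m.group(2) == "denied" else allowed)[m.group(1)] += 1
            continue
        m = REGIONS_RE.search(line)
        if m:
            reload_failures += 1
            if m.group(1):
                no_region_data = True   # local database had no region data at all
    return {
        "denied": dict(denied),
        "allowed": dict(allowed),
        "reload_failures": reload_failures,
        "no_region_data": no_region_data,
        # any reload failure means the backend could not be reached: check network settings
        "check_backend_reachability": reload_failures > 0,
    }


def was_denied(log_text: str, ip: str) -> bool:
    """The check to run when a user reports they cannot connect to the appliance."""
    return ip in summarize(log_text)["denied"]
```

Because the appliance logs each IP at most once per second, repeated denied entries for one address mean repeated connection attempts across seconds, not packet counts.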

Tables can be sorted by the Location column. In addition, the Location column can be searched or excluded from searches.

2013 Dell Inc. Trademarks: Dell, the DELL logo, SonicWALL, and all other SonicWALL product and service names and slogans are trademarks of Dell Inc. Microsoft Windows 7, Windows Vista, Windows XP, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation. Firefox is a trademark of Mozilla. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

P/N 232-002184-00 Rev A 5/2013
