TZ370 is running SonicOS 7.0.1-R1262, which is the last available FW at mysonicwall.com. BTW, I was generous and gave the SMA a whopping 48 GB of disk space, but it seems it's hard wired to just use 20 GB out of it. Nothing is indicated in the release note on this subject. We recently bought a TZ270 and installed it on one of our test sites, and had problems with publishing the websites to the internet via NAT and IPsec site-to-site VPN. Apologize for the inconvenience. Gladly sshd is not started per default, which would make the unknown root password look a bit backdoorian; does not count for local console access though. So the basic functions do cause such issues? https://www.countryipblocks.net/country_selection.php is a good website for blocking on a country level. When a user attempts to access a web page that . I have reached out to SonicWall to get a quote for the Geo-IP filter but have not gotten a price. Several of the settings have (information) icons next to them that give screen tips about that setting. In order for the country database to be downloaded, the appliance must be able to resolve the, When a user attempts to access a web page that is from a blocked country, a block page is, If a connection to a blocked country is short-lived, and the firewall does not have a cache, The Botnet Filtering feature allows administrators to block connections to or from Botnet. Security Services > Geo-IP Filter - SonicWall Neither is wsdl.mysonicwall.com 204.212.170.212. For the country database to be downloaded, the appliance must be able to resolve the address. Some of the members on that table are unfortunately addresses from SNWL: this blockage will prevent all kinds of reply packets for license validation and GeoIP DB updates; they will be dropped. I'm not sure if I set those up right. In our case we had put in a source port in the NAT rule which wasn't needed.
We have locked down our firewalls but a few keep getting through from time to time. I must honestly admit I am not further impressed by the new SonicWall; granted, the new graphic design is nice, but what does it help when the stability lags or is completely lacking? While it has been rewarding, I want to move into something more advanced. and you'll get a list of all the countries, broken out by hostile or non-hostile hosts, and the details of the communication with those hosts. Because of the lack of shell access I cannot check what's eating up the space. Optionally, you can configure an exclusion list to allow connections to approved IP addresses. Thanks, as I have now noted below, it actually worked as set up - much to my surprise! Having USA blocked via GeoIP Filter immediately puts any host on the related ipset list denyIpset when a packet is entering the SMA, even reply packets (License Information Request, etc.). Downgrading the TZ370 to 7.0.0-R906 solved the issue for me. So I called support and they pointed me to an article about setting rules for their various server types which include Google, Amazon, and MS Azure. But it seems that GeoIP is blocked on iptables level and not just mod_geoip for restricting access to the underlying httpd. I do wonder if I will have to renew them; if so, it will be a hidden fee I didn't expect. @preston no not yet. https://community.sonicwall.com/technology-and-support/discussion/2885/i-have-a-tz370-that-says-policy-inactive-due-to-geo-ip-license, @abhits try the new firmware 5050, worked for me.
postDeviceStatistics failed: LicenseManager failed to connect host: soniclicense.global.sonicwall.com(204.212.170.68:443), It's so frustrating and it seems that Engineering is not aware of a Stateful Packet Filter with Connection Tracking or they just don't trust the 9-10 year old Linux Kernel. Have you looked through the several hundred thousand entries? Along with most of the other countries, I usually block the United States of America via GeoIP because I don't expect any remote access from it. I have seen this similar issue before and the issue needs real-time assistance. As Denis stated, GEO-IP is a great tool for blocking most that hits your interface. I would definitely go for the established/related approach, because whitelisting is way too static, IMHO. Is really no one having these issues? Policy inactive due to geo-IP license : r/sonicwall - Reddit [SOLVED] How do I allow Carbonite to work on server while Geo-IP filter What SonicWall service can we use to block suspicious IPs Network \ IPSec VPN \ Advanced \ IKEv2 Settings \ IKEv2 Dynamic Client Proposal. The Access Rules in SonicOS are management tools that allow you to define incoming and outgoing access policies with user authentication and enabling remote management of the firewall. You click on the countries that you want to block and it will even write a Cisco ACL for you. Is it normal to see nothing after uploading a SonicWall log in a .txt format? Thanks for all your help!
The same exact problem (only after upgrading from 300s to 370s) with the same exact resolution; the only difference is, I no longer have 300s in play and now, in less than a month, I'm dealing with another VPN tunnel that won't re-establish itself after one FW gets restarted (on purpose, by accident, unplugging or initiating a restart through the interface). Do you have Intrusion Prevention enabled in the SonicWall? I downloaded a TSR after reboot and log files showing some weird timestamp with date of tomorrow before jumping back to today, like in temp.db.log, [Tue Feb 2 02:40:25 2021] phonehome 1388: dbhGetInt: Can't fetch value: unknown error sql:SELECT value FROM Options WHERE key = 'windows'. Clicking on sections again, like the firewall policies, can help them load. Exported the config from TZ500 and migrated it with https://migratetool.global.sonicwall.com/ and then imported it to TZ370, no working VPN. Anyways, I stumble across this last entry, dated January 13, 2022, and what do I see? But the screenshot you sent is the same, everything. Lowering the MTU size in the WAN interface seems to resolve both issues. New TZ-370 and all of my inbound access rules for inbound NAT have the following status: "Policy inactive due to geo-IP license"; the rules are pretty simple - things like address and port restrictions. Is this already addressed in some form? Thanks for the post. Click the Status because @Micah or @Chris did not reply to my request I did some further digging in 10.2.0.6. displayed on the user's web browser. For this feature to work correctly, the country database must be downloaded to the appliance. @MartinMP if you search for older posts regarding OS7 your problem was already seen. They will send this issue to the development engineers. But I know SonicWall won't care about this.
How to Configure Access Rules | SonicWall Gotta love going back to a firmware revision that exists by way of this new series introduction as being the solution; what's the point in releasing new firmware if the previous and the previous to that and that and that doesn't fix anything? I have had this message pop up for one of my old clients I still do support for and I am still the Admin for on their 365 system. We are also using GeoIP Filter and blocking some countries including the US, but it is an SMA200. I have told all of this time SonicWall must transition to the new GUI and Unified Policy Management like OSX7, however this transition is very, very bad. Maybe I'll open yet another ticket, seeing how the last one I opened (unable to remove "non-existent" gold image and configuration from a 370 that was acquired by the secure upgrade program) went; I won't hold my breath that these so-called engineers can resolve my BIG problem. When a user attempts to access a web page that is from a blocked country, a block page is displayed on the user's web browser. https://migratetool.global.sonicwall.com/, https://www.sonicwall.com/support/contact-support/, https://community.sonicwall.com/technology-and-support/discussion/2330/first-impressions-of-gen-7-interface, https://community.sonicwall.com/technology-and-support/discussion/2202/tz370-strange-behavior-traffic-flow-becomes-inconsistent-shortly-after-install, https://community.sonicwall.com/technology-and-support/discussion/comment/8623#Comment_8623, https://community.sonicwall.com/technology-and-support/discussion/comment/8625#Comment_8625, https://community.sonicwall.com/technology-and-support/discussion/comment/8629#Comment_8629, https://community.sonicwall.com/technology-and-support/discussion/comment/8659#Comment_8659, https://community.sonicwall.com/technology-and-support/discussion/comment/13067#Comment_13067.
Users from blocked countries are not getting disconnected from the SRA appliance when a new GeoIP policy is created and applied. We have been getting the AlienVault messages through SpiceWorks that suspicious IPs are attempting to or have connected to machines in our company. Just add one of the following and we should be good to go, IMHO; both commands got accepted and added to the rule set: Hopefully some PM is reading this, because tackling this with support wouldn't be fun. As per your description, it looks to be an issue on the TZ 370. :) Anyone else run into this? Once it was changed to "Any" our issue disappeared. This is going to be a losing battle. SonicWall Support Geo-IP The Settings page in POLICY | Rules and Policies > Settings > GEO-IP > Settings provides a group of settings that can be configured for Geo-IP Filtering. I tried creating an address object with *.azure-devices.net. If this is not fixable the one and only solution seems to be deploying a new instance and importing the settings, which is annoying but not a big deal. The ipset in question looks like this at the moment, which is unfortunate, because it holds licensemanager.sonicwall.com :). No, you should see some data. Did a factory reset on TZ370 and set up everything from scratch, but still no working VPN. Before version 7 SonicWall was using VxWorks. They changed the High Availability infrastructure, and packet stream processes are different than in version 6. Anyway, I hope SonicWall fixes these faults immediately. I agree that GeoIP blocking the US should not render the SMA unusable. Our users fortunately stay in the States and Canada so I can block the whole world except the US and Canada if I have to.
To configure Geo-IP Filtering, perform the following steps: For this feature to work correctly, the country database must be downloaded to the appliance. The VPN did not work. I provided a solution, but no one cares. TZ 370 IPSec Site2Site VPN not working - SonicWall Community I assume that all kinds of license checks, updates, phonehome etc. are initiated on the SMA and therefore outbound (OUTPUT chain). Well, another 6 months gone without any progress; 10.2.1.3 (which got pulled) is still struggling when the US gets blocked via GeoIP. My GeoIP Blocking Status went from Active to Offline today, which raised some concerns. As a result, connections to blocked countries may occasionally appear in the App Flow Monitor. While investigating some ongoing issues on the SMA (500v) it seems it might be related to a suspicion I had in the past about the usage of GeoIP blocking. Like one guy said - we should buy another 1 or 2 year license for Gen6. Created up-to-date AVAST emergency recovery/scanner drive You can click on a country and then drill down to a specific IP address for more details, including any files that were sent to that IP address. But wait, doing so breaks the VPN tunnel. The list holds the locally configured DNS resolvers and a couple of addresses on Amazon AWS etc., but also these: Are these entries newly added in 10.2.0.6? Because this would be an explanation why the 204.212.170.21 got blocked above. After turning Geo-IP blocking back on, backups failed. The firmware version is SonicOS 7.0.0-R906 and it says it is current. address, "geodnsd.global.sonicwall.com". The geoBotD.log in the TSR reveals that the disk storage gets filled up. I have a TZ370 that says "policy inactive due to GEO-IP license".
In case someone faces the same problem, I ended up re-deploying the SMA because I wasn't able to figure out what caused the lack of free disk space. Geo-IP filtering is supported on TZ300 and higher appliances. We verified the IKE phase 1 and phase 2 settings. It seems that there is something really bad in the software. The Botnet Filtering feature allows administrators to block connections to or from Botnet Finally, I rolled back the firmware image from 7.0.1-R1262.bin.sig to 7.0.0-R906.bin.sig. That fixed the VPN.