Solved

The best way to deny access to servers in Sonicwall SRA4200

Posted on 2011-02-17
17
1,086 Views
Last Modified: 2012-05-11
Hi;

In the Sonicwall SRA 4200, I have a group for users who need access to some servers in the LAN. I added a couple of policies to allow the servers or IPs that should be accessible, and I also set up a policy to deny all addresses. However, I found that once the deny-all-addresses policy is added, it blocks all the others too.

What is the best setup to let the users access some servers while blocking all others?
Question by: KANEWONG

17 Comments
 
Expert Comment by digitap (LVL 33)

Is the block-all policy first in the list? It needs to be first; then the allow policy will only apply to the IP address you've specified in the allow policy.
 
Author Comment by KANEWONG (LVL 1)

This is what I tried, but I cannot ping any other resource below that blocking policy after establishing a NetExtender connection.
 
Expert Comment by digitap (LVL 33)

OK... I looked at my SSL VPN appliance. I have all the policies before the deny-all policy. It also doesn't look like I can move the policy up or down. If you do this, what results do you get?
 
Expert Comment by digitap (LVL 33)

Also, what does the deny-all rule look like? I think we talked about this in a previous question, so I think you have it right. Just in case, I have attached what my deny-all looks like.

[Attachment: greenshot-2011-02-17-21-34-07.jpg]
 
Author Comment by KANEWONG (LVL 1)

Hello;

In my first try, I was using the network object in the policy setting; in this case the deny-all rule is the first rule in the policy, which blocks everything even though I have my servers listed below it.

Then I tried using IP addresses; in this case the DENY rule (like your snapshot example) is shown as the last rule in the policy.
 
Author Comment by KANEWONG (LVL 1)

Also, is it possible to set an account lockout in the SRA if a user who is using the local user database fails to sign on more than 3 times?
 
Expert Comment by digitap (LVL 33)

So, is it working? I don't think a lockout policy is possible. I've tried to do this in the past and I could never get it to work. You can configure a lockout policy through AD.
 
Author Comment by KANEWONG (LVL 1)

Yes, if using IP addresses, not a network object, it works, but it's weird. They should be the same.
 
Expert Comment by digitap (LVL 33)

Yes, I would agree with that. It does seem strange, but I don't think I'd ever considered using an object. I'll have to try that next week. Taking the family to the zoo tomorrow... yes, a whole day without EE!!
 
Author Comment by KANEWONG (LVL 1)

Hi;

Sorry, my test was wrong. If the BLOCK ALL ADDRESS rule is the last policy, I am still not able to access those resources above it.

My rules are configured like this:

Name                        Address                        Service               Action
Allow-OWA-by-IP             172.16.0.5                     Secure Web (HTTPS)    Allow
Allow-Sharepoint-by-IP      172.16.0.17                    Web (HTTP)            Allow
Allow-MMS-by-IP             172.16.0.16                    Telnet                Allow
Allow-TS-by-IP              172.16.0.11                    All Services          Allow
Deny All                    0.0.0.0-255.255.255.255        All Services          Deny

After bringing up my NetExtender, I am not able to access my 172.16.0.16 server via telnet. If there is no Deny All rule, I can.
 
Expert Comment by digitap (LVL 33)

Hey... I have just a moment to respond. If you take out the deny rule, are you able to ping other resources BESIDES the ones you've specified in the policies, or can you ONLY ping the resources specified in the policies?
 
Author Comment by KANEWONG (LVL 1)

Hi;

Yes, if I take out the deny rule, I can ping all resources in the LAN, not only the resources in the allow policy but also all other resources or IPs not in the policy. This is what I don't want. I just want to let them access those resources listed in the Allow policy; all others should be denied.

I don't know how to do it.
 
Expert Comment by digitap (LVL 33)

Under NetExtender > Client Routes, did you set up routes? I'm looking at an SSL-VPN 2000 unit, so I don't know if the settings are going to be different from the SRA2400.

OK, go to your group and review the policies. If you still have the deny-all rule you created, delete it. Then click Add, and in the Apply Policy To drop-down select All Addresses. Give the policy a name. Set the options based on the screenshot attached to this solution.

Let me know how it goes.

[Attachment: greenshot-2011-02-21-23-43-23.jpg]
 
Author Comment by KANEWONG (LVL 1)

Yes, I have a route set up in NetExtender Client Setup, and tunnel all mode is enabled.

If I add the above policy, I cannot access my server until I remove the policy.
 
Expert Comment by digitap (LVL 33)

I'm at a loss then. Are you running the latest firmware on your appliance?
 
Author Comment by KANEWONG (LVL 1)

Hi;

I called Sonicwall; they asked me to put the deny-all rule in the global policy and use the allow rules for the group policy only.

That solved my problem.
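To make the resolution above concrete, here is an added Python model of how a scope-ordered access-policy set evaluates a destination and service. It is an illustration written for this page, not SonicWall's code and not something either participant posted. It assumes, as the vendor's advice implies, that group-scope rules are consulted before the global scope and that rules within a scope match in list order; the rule set is constructed from the table KANEWONG posted, and the scope names, the `audit()` helper and the intent table are assumptions of this example. The audit is the check a practitioner wants before trusting the rule set: state which hosts and services should be reachable, and confirm the policy set produces exactly that and nothing more.

```python
"""Model of scope-ordered access-policy evaluation for an SSL VPN appliance.

Added illustration, not SonicWall code. Assumption: group-scope rules are
consulted before global-scope rules, and rules within a scope match in list
order (first match wins). Rule set constructed from the table in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Assumed precedence: most specific scope first.
SCOPE_ORDER = {"user": 0, "group": 1, "global": 2}


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str       # "user", "group" or "global"
    addresses: str   # single IPv4 address or "first-last" range
    service: str     # e.g. "Telnet"; "All Services" acts as a wildcard
    action: str      # "Allow" or "Deny"

    def address_range(self):
        first, _, last = self.addresses.partition("-")
        lo = IPv4Address(first.strip())
        hi = IPv4Address(last.strip()) if last else lo
        return lo, hi

    def matches(self, dst: str, service: str) -> bool:
        lo, hi = self.address_range()
        in_range = lo <= IPv4Address(dst) <= hi
        service_ok = self.service in ("All Services", service)
        return in_range and service_ok


def evaluate(policies, dst, service, default="Deny"):
    """Return (action, rule name) of the first matching rule, scanning scopes
    from most to least specific. sorted() is stable, so list order is kept
    inside each scope. No match at all fails closed."""
    for p in sorted(policies, key=lambda p: SCOPE_ORDER[p.scope]):
        if p.matches(dst, service):
            return p.action, p.name
    return default, None


# Constructed from the thread's rule table, laid out as SonicWall advised:
# allow rules in the group policy, deny-all in the global policy.
WORKING = [
    Policy("Allow-OWA-by-IP", "group", "172.16.0.5", "Secure Web (HTTPS)", "Allow"),
    Policy("Allow-Sharepoint-by-IP", "group", "172.16.0.17", "Web (HTTP)", "Allow"),
    Policy("Allow-MMS-by-IP", "group", "172.16.0.16", "Telnet", "Allow"),
    Policy("Allow-TS-by-IP", "group", "172.16.0.11", "All Services", "Allow"),
    Policy("Deny All", "global", "0.0.0.0-255.255.255.255", "All Services", "Deny"),
]

# The first layout KANEWONG described: deny-all sitting first in the group
# list, ahead of the allow rules. Under first-match it shadows all of them.
DENY_FIRST_IN_GROUP = [WORKING[4]._replace(scope="group") if hasattr(WORKING[4], "_replace")
                       else Policy("Deny All", "group", "0.0.0.0-255.255.255.255",
                                   "All Services", "Deny")] + WORKING[:4]

# Constructed intent table: what the administrator wants each probe to do.
INTENT = {
    ("172.16.0.16", "Telnet"): "Allow",            # MMS host, Telnet only
    ("172.16.0.16", "Web (HTTP)"): "Deny",         # HTTP was never granted on MMS
    ("172.16.0.11", "Web (HTTP)"): "Allow",        # TS host got All Services
    ("172.16.0.99", "Telnet"): "Deny",             # LAN host in no allow rule
    ("10.0.0.1", "Secure Web (HTTPS)"): "Deny",    # outside the LAN entirely
}


def audit(policies, expected):
    """Evaluate every (dst, service) in `expected` and return the list of
    (dst, service, wanted, got) mismatches; an empty list means the rule
    set enforces exactly the stated intent."""
    mismatches = []
    for (dst, service), wanted in expected.items():
        got, _ = evaluate(policies, dst, service)
        if got != wanted:
            mismatches.append((dst, service, wanted, got))
    return mismatches


if __name__ == "__main__":
    for (dst, svc), want in INTENT.items():
        print(f"{dst:12} {svc:20} want={want:5} got={evaluate(WORKING, dst, svc)}")
    print("working layout mismatches:", audit(WORKING, INTENT))
    print("deny-first-in-group mismatches:", audit(DENY_FIRST_IN_GROUP, INTENT))
```

Running the module prints one line per probe and then the two audit results: the working layout has no mismatches, while the deny-first-in-group layout fails the two probes that should have been allowed, which is the symptom KANEWONG reported for that arrangement.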
 
Accepted Solution by digitap (LVL 33), earned 250 total points

Isn't that where we were putting it, or were we putting it only in the group? I'm going to have to check my SSL VPN appliance and see where my rule is.