Solved

The best way to deny access to servers in Sonicwall SRA4200

Posted on 2011-02-17
Last Modified: 2012-05-11
Hi;

In the SonicWall SRA 4200, I have a group for users who need access to some servers in the LAN. I added a couple of policies to allow the servers or IPs they should be able to access, and I also set up a policy to deny all addresses. However, I found that once the deny-all-addresses policy is added, it blocks all the others too.

What is the best setup to let the users access some servers while blocking all others?
Question by:KANEWONG

Expert Comment by:digitap
ID: 34919026
Is the block-all policy first in the list? It needs to be first; then the allow policy will only apply to the IP address you've specified in the allow policy.

Author Comment by:KANEWONG
ID: 34922662
This is what I tried, but I cannot ping the other resources below that blocking policy after establishing a NetExtender session.

Expert Comment by:digitap
ID: 34923087
OK... I looked at my SSL VPN appliance. I have all the policies before the deny all policy. It also doesn't look like I can move a policy up or down. If you do this, what results do you get?

Expert Comment by:digitap
ID: 34923110
Also, what does the deny all rule look like? I think we talked about this in a previous question, so I think you have it right. Just in case, I have attached what my deny all looks like.
greenshot-2011-02-17-21-34-07.jpg

Author Comment by:KANEWONG
ID: 34923182
Hello;

In my first try, I was using a network object in the policy setting; in this case the deny-all rule is the first rule in the policy, and that blocks everything even though I have my server listed below it.

Then I tried using an IP address; in this case the DENY rule (like your snapshot example) is shown as the last rule in the policy.

Author Comment by:KANEWONG
ID: 34923186
Also, is it possible to set an account lockout in the SRA for a user who is using the local user database but has failed to sign on more than 3 times?

Expert Comment by:digitap
ID: 34923252
So, is it working? I don't think a lockout policy is possible. I've tried to do this in the past and I could never get it to work. You can configure a lockout policy if you authenticate through AD.

Author Comment by:KANEWONG
ID: 34923575
Yes, if I use an IP address, not a network object, it works, but it's weird. They should be the same.

Expert Comment by:digitap
ID: 34923607
Yes, I would agree with that. It does seem strange, but I don't think I'd ever considered using an object. I'll have to try that next week. Taking the family to the zoo tomorrow... yes, a whole day without EE!!

Author Comment by:KANEWONG
ID: 34923667
Hi;

Sorry, my test was wrong. If the BLOCK ALL ADDRESS rule is the last policy, I am still not able to access those resources above it.

My rules are configured like this:

Name                      Address                    Service               Action
Allow-OWA-by-IP           172.16.0.5                 Secure Web (HTTPS)    Allow
Allow-Sharepoint-by-IP    172.16.0.17                Web (HTTP)            Allow
Allow-MMS-by-IP           172.16.0.16                Telnet                Allow
Allow-TS-by-IP            172.16.0.11                All Services          Allow
Deny All                  0.0.0.0-255.255.255.255    All Services          Deny

After bringing up my NetExtender, I am not able to access my 172.16.0.16 server via telnet. If there is no Deny All rule, I can.

Expert Comment by:digitap
ID: 34926715
Hey... I have just a moment to respond. If you take out the deny rule, are you able to ping other resources BESIDES the ones you've specified in the policies, or can you ONLY ping the resources specified in the policies?

Author Comment by:KANEWONG
ID: 34939824
Hi;

Yes, if I take out the deny rule, I can ping all resources in the LAN: not only the resources in the allow policy but also all other resources or IPs not in the policy. This is what I don't want. I just want to let them access those resources listed in the Allow policy; all others should be denied.

I don't know how to do it.

Expert Comment by:digitap
ID: 34948931
Under NetExtender > Client Routes, did you set up routes? I'm looking at an SSL-VPN 2000 unit, so I don't know if the settings are going to be different from the SRA2400.

OK, go to your group and review the policies. If you still have the deny all rule you created, delete it. Then click Add, and in the Apply Policy To drop-down select All Addresses. Give the policy a name. Set the options based on the screenshot attached to this solution.

Let me know how it goes.
greenshot-2011-02-21-23-43-23.jpg

Author Comment by:KANEWONG
ID: 34973424
Yes, I have a route set up in NetExtender Client Setup, and tunnel all mode is enabled.

If I add the above policy, I cannot access my server until I remove the policy.

Expert Comment by:digitap
ID: 34974981
I'm at a loss then. Are you running the latest firmware on your appliance?

Author Comment by:KANEWONG
ID: 35077669
Hi;

I called SonicWall. They asked me to put the deny all rule in the global policy and use the allow rules in the group policy only.

That solved my problem.
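The fix the thread arrives at (Deny All at the global policy level, Allow rules only in the group policy) can be reasoned about with a small model of scoped policy evaluation. The following Python is an added example written for this page; it is not SonicWall code and is not taken from SonicWall documentation. It assumes three scopes (user, group, global) where the most specific scope that has a matching policy decides; that inside one scope a matching Deny beats a matching Allow, which reproduces what KANEWONG saw when Deny All sat in the group policy; and that a destination matched by no policy at all is reachable, as KANEWONG observed with no deny rule present. The policy names, addresses and services are the ones posted in the thread; the precedence rules are assumptions of the model.

```python
"""Model of scoped SSL-VPN access policies (constructed example, not SonicWall code).

Assumptions of this model (not taken from SonicWall documentation):
  * Policies live in one of three scopes: user, group, global.
  * The most specific scope that has a matching policy decides; less
    specific scopes are not consulted.
  * Inside one scope a matching Deny overrides a matching Allow, which
    reproduces the thread's observation that a Deny All in the group
    policy blocked that group's own Allow rules.
  * A destination/service matched by no policy anywhere is reachable,
    as the thread observed with no deny rule configured.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Sequence, Tuple

SCOPE_ORDER = ("user", "group", "global")  # most specific first


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str
    first: IPv4Address
    last: IPv4Address
    service: str  # "All Services" matches any service
    action: str   # "Allow" or "Deny"

    def matches(self, dst: IPv4Address, service: str) -> bool:
        in_range = self.first <= dst <= self.last
        svc_ok = self.service == "All Services" or self.service == service
        return in_range and svc_ok


def policy(name: str, scope: str, addr: str, service: str, action: str) -> Policy:
    """Build a Policy from a single IP ("172.16.0.5") or an "a-b" range string."""
    if "-" in addr:
        lo, hi = addr.split("-", 1)
    else:
        lo = hi = addr
    return Policy(name, scope, IPv4Address(lo), IPv4Address(hi), service, action)


def evaluate(policies: Sequence[Policy], dst: str, service: str) -> Tuple[str, str]:
    """Return (action, name of the deciding policy) for one destination/service pair."""
    target = IPv4Address(dst)
    for scope in SCOPE_ORDER:
        hits: List[Policy] = [p for p in policies
                              if p.scope == scope and p.matches(target, service)]
        if not hits:
            continue  # nothing in this scope applies; fall through to the next
        denies = [p for p in hits if p.action == "Deny"]
        chosen = denies[0] if denies else hits[0]  # Deny wins inside a scope
        return chosen.action, chosen.name
    return "Allow", "implicit"  # assumption: no policy matched, traffic passes


# The rules from the thread. The group-scope allows mirror KANEWONG's list.
GROUP_ALLOWS = [
    policy("Allow-OWA-by-IP", "group", "172.16.0.5", "Secure Web (HTTPS)", "Allow"),
    policy("Allow-Sharepoint-by-IP", "group", "172.16.0.17", "Web (HTTP)", "Allow"),
    policy("Allow-MMS-by-IP", "group", "172.16.0.16", "Telnet", "Allow"),
    policy("Allow-TS-by-IP", "group", "172.16.0.11", "All Services", "Allow"),
]
DENY_ALL_GROUP = policy("Deny All", "group", "0.0.0.0-255.255.255.255", "All Services", "Deny")
DENY_ALL_GLOBAL = policy("Deny All", "global", "0.0.0.0-255.255.255.255", "All Services", "Deny")

NO_DENY = list(GROUP_ALLOWS)                # everything reachable, the first symptom
BROKEN = GROUP_ALLOWS + [DENY_ALL_GROUP]    # Deny All in the group: allows are dead
FIXED = GROUP_ALLOWS + [DENY_ALL_GLOBAL]    # Deny All global, allows in the group

if __name__ == "__main__":
    checks = (("172.16.0.16", "Telnet"), ("172.16.0.16", "Web (HTTP)"),
              ("172.16.0.11", "Web (HTTP)"), ("172.16.0.99", "Telnet"))
    for label, ruleset in (("no-deny", NO_DENY), ("broken", BROKEN), ("fixed", FIXED)):
        for dst, svc in checks:
            print(f"{label:8} {dst:12} {svc:20} -> {evaluate(ruleset, dst, svc)}")
```

The same matrix is the check worth running against the real appliance after the change: from a NetExtender client, each allowed host/service pair from the group policy should connect, the allowed host on a service not listed for it (172.16.0.16 over HTTP here) should fail, and a LAN host that appears in no allow rule should fail as well. If the last one still answers, the deny is not where the evaluation order expects it.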

Accepted Solution by:digitap (earned 250 total points)
ID: 35078033
Isn't that where we were putting it, or were we putting it only in the group? I'm going to have to check my SSL VPN appliance and see where my rule is.