Solved

The best way to deny access to servers in Sonicwall SRA4200

Posted on 2011-02-17
17
Medium Priority
1,097 Views
Last Modified: 2012-05-11
Hi;

In Sonicwall SRA 4200, I have a group for users who need access to some servers in the LAN. I added a couple of policies to allow the servers or IPs that should be accessible, and I also set up a policy to deny all addresses. However, I found that once the deny-all-addresses policy is added, it blocks all the others too.

What is the best setup to let the users access some servers while blocking all others?
0
Comment
Question by:KANEWONG
17 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34919026
Is the block-all policy first in the list? It needs to be first; then the allow policy will only apply to the IP address you've specified in the allow policy.
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 34922662
This is what I tried, but I cannot ping all the other resources below that blocking policy after establishing a NetExtender session.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34923087
OK... I looked at my SSL VPN appliance. I have all the policies before the deny-all policy. It also doesn't look like I can move the policy up or down. If you do this, what results do you get?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34923110
Also, what does the deny-all rule look like? I think we talked about this in a previous question, so I think you have it right. Just in case, I have attached what my deny-all looks like.
greenshot-2011-02-17-21-34-07.jpg
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 34923182
Hello;

In my first try, I was using the network object in the policy setting; in this case the deny-all rule is the first rule in the policy, and that blocks everything even though I have my servers listed below it.

Then I tried using the IP address; in this case the DENY rule (like your snapshot example) is shown as the last rule in the policy.
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 34923186
Also, is it possible to set an account lockout in the SRA if a user who is using the local user database fails to sign on more than 3 times?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34923252
So, is it working? I don't think a lockout policy is possible. I've tried to do this in the past and I could never get it to work. You can configure a lockout policy through AD.
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 34923575
Yes, if using the IP address rather than the network object, it works, but it's weird. They should be the same.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34923607
Yes, I would agree with that. It does seem strange, but I don't think I'd ever considered using an object. I'll have to try that next week. Taking the family to the zoo tomorrow... yes, a whole day without EE!!
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 34923667
Hi;

Sorry, my test was wrong. If the BLOCK ALL ADDRESS rule is the last policy, I am still not able to access those resources above it.

My rules are configured like this:

Name                      Address                      Service               Action
Allow-OWA-by-IP           172.16.0.5                   Secure Web (HTTPS)    Allow
Allow-Sharepoint-by-IP    172.16.0.17                  Web (HTTP)            Allow
Allow-MMS-by-IP           172.16.0.16                  Telnet                Allow
Allow-TS-by-IP            172.16.0.11                  All Services          Allow
Deny All                  0.0.0.0-255.255.255.255      All Services          Deny

After bringing up my NetExtender, I am not able to access my 172.16.0.16 server via telnet. If there is no Deny All rule, I can.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34926715
Hey... I have just a moment to respond. If you take out the deny rule, are you able to ping other resources BESIDES the ones you've specified in the policies, or can you ONLY ping the resources specified in the policies?
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 34939824
Hi;

Yes, if I take out the deny rule, I can ping all resources in the LAN: not only the resources in the allow policy but also all other resources or IPs not in the policy. This is what I don't want. I just want to let them access those resources listed in the Allow policy; all others should be denied.

I don't know how to do it.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34948931
Under NetExtender > Client Routes, did you set up routes? I'm looking at an SSL-VPN 2000 unit, so I don't know if the settings are going to be different from the SRA2400.

OK, go to your group and review the policies. If you still have the deny-all rule you created, delete it. Then click Add, and in the Apply Policy To drop-down select All Addresses. Give the policy a name. Set the options based on the screenshot attached to this solution.

Let me know how it goes.
greenshot-2011-02-21-23-43-23.jpg
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 34973424
Yes, I have a route set up in NetExtender Client Setup, and tunnel-all mode is enabled.

If I add the above policy, I cannot access my server until I remove the policy.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34974981
I'm at a loss then. Are you running the latest firmware on your appliance?
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 35077669
Hi;

I called Sonicwall; they asked me to put the deny-all rule in the global policy and use the allow rules for the group policy only.

That solved my problem.
0
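The fix reported above (allow rules in the group policy, a single deny-all in the global policy) is easier to reason about with a small model of tiered policy evaluation. The following is an added example written for this page; it is not SonicWall code, and the evaluation order it assumes (group-tier policies consulted before global-tier ones, first match wins, and a request matching no policy at all is allowed, as the asker observed with no deny rule) is an assumption that models the vendor advice in the thread rather than documented SRA behaviour. The policy table is the one the asker posted; the `Policy`, `evaluate` and `blanket_denies` names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Tuple

# Service name used in the thread's policy table for "any service".
ALL_SERVICES = "All Services"


@dataclass(frozen=True)
class Policy:
    """One access policy: an IPv4 address or range, a service, and an action."""
    name: str
    first: IPv4Address
    last: IPv4Address
    service: str
    action: str  # "Allow" or "Deny"

    def matches(self, ip: IPv4Address, service: str) -> bool:
        in_range = self.first <= ip <= self.last
        service_ok = self.service == ALL_SERVICES or self.service == service
        return in_range and service_ok


def policy(name: str, address: str, service: str, action: str) -> Policy:
    """Build a Policy from a single IP ("172.16.0.5") or a range ("0.0.0.0-255.255.255.255")."""
    if "-" in address:
        first, last = address.split("-", 1)
    else:
        first = last = address
    p = Policy(name, IPv4Address(first), IPv4Address(last), service, action)
    if p.first > p.last:
        raise ValueError(f"{name}: range start is after range end")
    return p


# The asker's group policies, as posted in the thread.
GROUP_POLICIES: List[Policy] = [
    policy("Allow-OWA-by-IP", "172.16.0.5", "Secure Web (HTTPS)", "Allow"),
    policy("Allow-Sharepoint-by-IP", "172.16.0.17", "Web (HTTP)", "Allow"),
    policy("Allow-MMS-by-IP", "172.16.0.16", "Telnet", "Allow"),
    policy("Allow-TS-by-IP", "172.16.0.11", ALL_SERVICES, "Allow"),
]

# The deny-all rule, placed in the global tier as SonicWall support advised.
GLOBAL_POLICIES: List[Policy] = [
    policy("Deny All", "0.0.0.0-255.255.255.255", ALL_SERVICES, "Deny"),
]


def evaluate(ip: str, service: str,
             group: Iterable[Policy] = GROUP_POLICIES,
             global_: Iterable[Policy] = GLOBAL_POLICIES) -> Tuple[str, str]:
    """Return (action, "tier:policy-name") for a request.

    Assumed model (not taken from vendor documentation): the group tier is
    consulted before the global tier, the first matching policy wins, and a
    request that matches nothing is allowed, which is what the asker saw
    with no deny rule configured at all.
    """
    addr = IPv4Address(ip)
    for tier, policies in (("group", group), ("global", global_)):
        for p in policies:
            if p.matches(addr, service):
                return p.action, f"{tier}:{p.name}"
    return "Allow", "implicit"


def blanket_denies(policies: Iterable[Policy]) -> List[str]:
    """Names of Deny policies covering every IPv4 address and every service.

    Useful as a configuration check: in the thread, such a rule placed in the
    group tier blocked the group's own allow rules; it belongs in the global tier.
    """
    whole_space = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))
    return [p.name for p in policies
            if p.action == "Deny" and p.service == ALL_SERVICES
            and (p.first, p.last) == whole_space]


if __name__ == "__main__":
    for ip, svc in [("172.16.0.16", "Telnet"), ("172.16.0.16", "Web (HTTP)"),
                    ("172.16.0.11", "Web (HTTP)"), ("172.16.0.99", "Telnet")]:
        print(ip, svc, "->", evaluate(ip, svc))
    print("blanket denies in group tier:", blanket_denies(GROUP_POLICIES))
    print("blanket denies if Deny All is misplaced in the group tier:",
          blanket_denies(GROUP_POLICIES + GLOBAL_POLICIES))
```

Under this model, telnet to 172.16.0.16 is allowed by the group rule, HTTP to the same host falls through to the global deny, and any address not listed is denied; removing the global deny reproduces the "everything reachable" state the asker described. `blanket_denies` is the check to run over a group's policy list before saving it.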
 
LVL 33

Accepted Solution

by:
digitap earned 1000 total points
ID: 35078033
Isn't that where we were putting it, or were we putting it only in the group? I'm going to have to check my SSL VPN appliance and see where my rule is.
0
