The best way to deny access to servers in Sonicwall SRA4200

Hi;

In Sonicwall SRA 4200, I have a group for users who need access to some servers in LAN.  I added a couple policies to allow what servers or IP should be able to access, also I setup a policy to deny all address.  However, I found that once the deny all address is added, it blocked all other too.

What is the best setup to let the user access to some servers while blocking all others?
KANEWONG asked:
digitap Commented:
isn't that where  we were putting it or were we putting it only in the group? i'm going to have to check my sslvpn appliance and see where my rule is.
0
 
digitapCommented:
is the block all policy first in the list?  it needs to be first, then the allow policy will only apply to the ip address you've specified in the allow policy.
0
 
KANEWONGAuthor Commented:
this is what I tried, but I cannot ping any other resources below that blocking policy after establishing a NetExtender session.
0
digitapCommented:
OK...i looked at my sslvpn appliance.  i have all the policies before the deny all policy.  it also doesn't look like i can move the policy up or down.  if you do this, what results do you get?
0
 
digitapCommented:
also, what does the deny all rule look like?  i think we talked about this in a previous question so i think you have it right.  just in case, i have attached what my deny all looks like.
greenshot-2011-02-17-21-34-07.jpg
0
 
KANEWONGAuthor Commented:
Hello;

In my first try, I was using the network object in the Policy setting; in this case the deny-all rule is the first rule in the policy, and that blocks everything even though I have my server listed below it.

Then I tried using an IP address; in this case the DENY rule (like your snapshot example) is shown as the last rule in the policy.
0
 
KANEWONGAuthor Commented:
also, is it possible to set an account lockout in SRA for a user who is using the local user database but has failed to sign on more than 3 times?
0
 
digitapCommented:
so, is it working?  i don't think a lockout policy is possible.  i've tried to do this in the past and i could never get it to work.  you can configure a lockout policy if you go through AD.
0
 
KANEWONGAuthor Commented:
Yes, if using an IP address, not a network object, it works, but it's weird.  They should be the same.
0
 
digitapCommented:
yes, i would agree with that.  does seem strange, but i don't think i'd ever considered using an object.  i'll  have to try that next week.  taking the family to the zoo tomorrow...yes, a whole day without EE!!
0
 
KANEWONGAuthor Commented:
Hi;

Sorry, my test was wrong.  If the BLOCK ALL ADDRESS rule is the last policy, I am still not able to access those resources above it.

My rules are configured like this:

Name                      Address                      Service               Action
Allow-OWA-by-IP           172.16.0.5                   Secure Web (HTTPS)    Allow
Allow-Sharepoint-by-IP    172.16.0.17                  Web (HTTP)            Allow
Allow-MMS-by-IP           172.16.0.16                  Telnet                Allow
Allow-TS-by-IP            172.16.0.11                  All Services          Allow
Deny All                  0.0.0.0-255.255.255.255      All Services          Deny

After bringing up my NetExtender, I am not able to access my 172.16.0.16 server via telnet.  If there is no Deny All rule, I can.
0
 
digitapCommented:
hey...i have just a moment to respond.  if you take out the deny rule, are you able to ping other resources BESIDES the ones you've specified in the policies or can you ONLY ping the resources specified in the policies?
0
 
KANEWONGAuthor Commented:
Hi;

yes, if I take out the deny rule, I can ping all resources in the LAN: not only the resources in the allow policy but also all other resources or IPs not in the policy.  This is what I don't want.  I just want to let them access those resources listed in the Allow policy; all others should be denied.

Don't know how to do it.
0
 
digitapCommented:
under netextender > client routes, did you setup routes?  i'm looking at a ssl-vpn 2000 unit so i don't know if the settings are going to be different from the SRA2400.

ok, go to your group and review the policies.  if you still have the deny all rule you created, delete it.  then, click Add, and in the Apply Policy To drop-down select All Addresses.  give the policy a name.  set the options based on the screen shot attached to this solution.

let me know how it goes.
greenshot-2011-02-21-23-43-23.jpg
0
 
KANEWONGAuthor Commented:
yes, I have a route set up in NetExtender Client Setup, and tunnel all mode is enabled.

If I add the above policy, I cannot access my server until I remove the policy.
0
 
digitapCommented:
i'm at a loss then.  are you running the latest firmware on your appliance?
0
 
KANEWONGAuthor Commented:
Hi;

I called Sonicwall; they asked me to put the deny all rule in the global policy and use the allow rules in the group policy only.

That solved my problem.
0
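To make the layout SonicWall support recommended concrete, here is a small policy evaluator written for this thread; it is added example code, not anything from the thread participants or from SonicWall. It assumes a model in which the group-scoped policy list is consulted before the global list, the first matching rule within a scope wins, and a destination matched by no rule at all is allowed (the behaviour KANEWONG observed once the deny rule was removed). The rule names, addresses and services are the ones from the table posted above; the `audit_allowed` helper is a hypothetical addition that enumerates which host/service pairs a configuration still leaves reachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Policy:
    """One SRA-style access rule: an address range, a service, and an action."""
    name: str
    first_ip: str
    last_ip: str
    service: str   # a named service or "All Services"
    action: str    # "Allow" or "Deny"

    def matches(self, ip: str, service: str) -> bool:
        addr = ipaddress.ip_address(ip)
        in_range = (ipaddress.ip_address(self.first_ip) <= addr
                    <= ipaddress.ip_address(self.last_ip))
        service_ok = self.service == "All Services" or self.service == service
        return in_range and service_ok


# Group-scoped allow rules, copied from the table in the thread (constructed objects).
GROUP_POLICIES: List[Policy] = [
    Policy("Allow-OWA-by-IP", "172.16.0.5", "172.16.0.5", "Secure Web (HTTPS)", "Allow"),
    Policy("Allow-Sharepoint-by-IP", "172.16.0.17", "172.16.0.17", "Web (HTTP)", "Allow"),
    Policy("Allow-MMS-by-IP", "172.16.0.16", "172.16.0.16", "Telnet", "Allow"),
    Policy("Allow-TS-by-IP", "172.16.0.11", "172.16.0.11", "All Services", "Allow"),
]

# The catch-all deny, moved to the global scope as support advised.
GLOBAL_POLICIES: List[Policy] = [
    Policy("Deny All", "0.0.0.0", "255.255.255.255", "All Services", "Deny"),
]


def evaluate(ip: str, service: str,
             group_policies: List[Policy] = GROUP_POLICIES,
             global_policies: List[Policy] = GLOBAL_POLICIES) -> Tuple[str, str]:
    """Return (action, reason) for a connection to ip:service.

    Assumed model: group scope is consulted first, then global scope;
    the first matching rule in a scope decides.  With no match anywhere
    the result is an implicit Allow, as observed in the thread when the
    deny rule was absent.
    """
    for scope, policies in (("group", group_policies), ("global", global_policies)):
        for policy in policies:
            if policy.matches(ip, service):
                return policy.action, f"{scope}:{policy.name}"
    return "Allow", "implicit"


def audit_allowed(hosts: List[str], services: List[str],
                  group_policies: List[Policy] = GROUP_POLICIES,
                  global_policies: List[Policy] = GLOBAL_POLICIES) -> List[Tuple[str, str]]:
    """List every (host, service) pair the configuration leaves reachable.

    Useful as a quick check that a 'least privilege' group really only
    reaches the servers it was meant to.
    """
    reachable = []
    for host in hosts:
        for service in services:
            action, _ = evaluate(host, service, group_policies, global_policies)
            if action == "Allow":
                reachable.append((host, service))
    return reachable


if __name__ == "__main__":
    # Constructed sample: the four listed servers plus one host that is in no rule.
    hosts = ["172.16.0.5", "172.16.0.11", "172.16.0.16", "172.16.0.17", "172.16.0.99"]
    services = ["Secure Web (HTTPS)", "Web (HTTP)", "Telnet"]
    print("With global Deny All:", audit_allowed(hosts, services))
    print("Without any deny rule:", audit_allowed(hosts, services, GROUP_POLICIES, []))
```

Running the script shows the difference the thread describes: with the global deny in place only the four listed host/service combinations (and every service on 172.16.0.11) are reachable, while with no deny rule the audit returns every pair, including the unlisted 172.16.0.99.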