Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Program a Sonicwall TZ100...

Posted on 2011-09-06
Medium Priority
Last Modified: 2012-05-12
I had two Hotbrick hardware firewalls, they both failed and the company ceased to exist... The nice thing was how easy it was to set up a whitelist, just enter some numerical url's, declare them as whitelist and voila!! The entire internet was blocked off except for a few chosen commercial url's which I wanted my Windows machine to access. There was no need for any antivirus, antispyware, windows updates, etc, and the XP machine ran flawlessly all day every day... It would not accept url's with the :port tacked on the end, that would have been nicer... So I'm looking for alternatives. I REALLY don't want to mess with Linux so Smoothwall and DD-WRT are out.. so I had this SonicWall thingy sitting here, I decided to try to find out if it would do what I want without paying them for a subscription service... I got on their forum and got a sort of ambiguous reply so I'm asking here....

I'm looking for specific instructions for entering a list of url's and making them the only url's available to a single Windows computer on a SonicWall TZ100 hardware firewall... I'll want undetectibility and SPI also but I can probably suss that out...
Question by:FuturesTrader
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 17

Assisted Solution

OriNetworks earned 1000 total points
ID: 36495099
Most of the advanced filtering services from sonicwall are only available with paid licensing to activate those features. Other than that, you're stuck configuring firewall rules using ip addresses of the websites you want to access.

I wouldn't say you're secure by any means with this type of setup only blinded by what could happen although I certainly agree your scope of vulnerability is more limited which is good. First you want to make sure a few of the basic firewall rules are allowed. You could create address groups in its firewall for DNS Whitelist, HTTPWhitelist, HTTPSWhitelist then add your up addresses to that. This would be easier to maintain by just adding addresses to the group rather than creating new rules each time you want to whitelist a client.

LAN->LAN = source=all, destination=all, ports=all
LAN->WAN = source=LAN, destination=DNSWhitelist, ports=DNS
LAN->WAN = source=LAN, destination=HTTPWhitelist, ports=HTTP(80)
LAN->WAN = source=LAN, destination=HTTPSWhitelist, ports=HTTP(443)

Accepted Solution

amatson78 earned 1000 total points
ID: 36495561
Just remember the SonicWALL follows a top down order. Make the first lines with the destinations you want allowed and the deny statements at the bottom :) You can also group the ports (services) so you can have a list with one Firewall outbound rule instead of multiple for each port. This uses less resources on the SonicWALL.

Alan, SonicWALL CSSA
LVL 33

Expert Comment

ID: 36496559
@Alan :: I've noticed that SW has instituted allowed and forbidden domains globally and per CFS policy...finally. In the past, setting up a whitelist was impossible within the sonicwall and I've had to use something like CCProxy instead. With this new feature (and possibly others) is a whitelist possible or is that not something I should hold my breath for? Seems creating whitelist access to the Internet (as FuturesTrader has indicated) is the best way to curtail malicious infections on user's workstations (minus removing Internet access period). Thanks for the feedback!

Expert Comment

ID: 36500284
@Digitap, AFAIK They are not looking at implementing an import type solution. As of 5.8.1 it is still the enter one line at a time method or integrate with something 3rd party with a proxy such as Websense.
LVL 33

Expert Comment

ID: 36500379
@Alan :: That seems to fit what I've seen. Thanks for confirming.

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How does someone stay on the right and legal side of the hacking world?
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question