Best practices: SonicWall firewall TZ100 (latest OS)


I installed a SonicWall in my home network and see that my LAN has Internet access.

I would like to set up several things:
- remove Internet access, allowing it only via a proxy for most of my network devices
- set specific access to certain sites for specific devices (e.g. updates from a specific URL for the NAS)

Please advise on best practices: work with groups etc.?
Note that I want to move to VLANs, so I want to keep it as flexible as possible (I might need to change IPs).
For the proxy, I would install a proxy server and point it at the SonicWall, so that the users who enter the proxy IP in their IE settings have Internet access; deny LAN > WAN for all other PCs.
I would also create groups for all protocols/ports that a specific software update service uses, and then create one rule in the firewall from that machine's IP to the configured services.

Hope this helps
Syed_M_Usman, System Administrator, commented:
You have many options; they are drawn in the drawing below. [drawing: Best practises Sonicwall firewall tz100]
I don't understand the reason for using a proxy; you can achieve almost all of the above using SNA. You can use Content Filtering for URL filtering.

The SonicWall TZ100 offers great UTM; most likely you do not need a proxy unless you want caching of pages. SonicWall cannot do that, but as per the previous post you have a few options. Read about SSO; you may like it for giving access to specific users or user groups. It requires AD!

For the home network you can use static IPs on your home computers and build ACLs on the SonicWall allowing or denying access from LAN to WAN.

SonicWall supports only 5 VLANs; you will need an L2 switch that supports VLANs and trunking.
You are looking at another $300-$500.

It is difficult to provide "best practices" as I do not understand all the requirements. The good thing is that SonicWall is pretty flexible, and most likely you will be able to build a nice solution for the house.

Good luck!
janhoedt (Author) commented:
I'd need a proxy to connect remote VPN users to the Internet, or can I solve this differently? I'm not using the SonicWall VPN but OpenVPN, since I have more options (portable OpenVPN client etc.).

I do not think you need any proxy to connect remote VPN users to the Internet. They are usually already on the Internet when they connect to your head office. You may, however, give up split tunnel and have all traffic generated by them scanned by the SonicWall.

I do not know much about the OpenVPN client, as most of my customers are commercial institutions and cannot afford any security-related open technology. SonicWall offers IPsec VPN with GVC (Windows only), SSL VPN (Windows, Linux, Mac), Mobile Connect (SRA 1200) for tablets, etc., and L2TP for everything else. All this with the advantage of your gateway security services.

To the PROXY comment: unless you have a very poor Internet connection, the need for a caching proxy does not exist in modern IT. I do not remember when I last saw a proxy server, and I am 43 ;-) The UTM offers more features and deals with more protocols than any proxy server in the past. Take a look at SonicWall's Application Control and Visualization along with URL filtering; this is most likely what you are looking for. You will need an NSA 220 or up to have it.

Another thing your client will appreciate is reporting with Analyzer. You will be able to justify that the money was well spent.

I hope this answers your questions. If not, do not hesitate to contact me.

Good luck!
janhoedt (Author) commented:
Regarding the proxy: I'd be happy not to use it. However, when I want remote users to use the Internet of the remote location, NOT the one they are connected to through the Internet (and that IS what I want), I don't see another option than setting a proxy in Internet Explorer/the browser. If you have other suggestions to achieve this, please advise.
This is simple. Then kill your "split tunnel" and have them browse through the SonicWall at the head office. Keep in mind that you have to sort out your DNS and VPN -> WAN ports, so you limit their access. I had clients who got RBL'd because someone at home had a mass mailer and was using the office IP to blast spam. Also, this connection will put some overhead on your ISP link at the head office.

Otherwise it works out of the box.

Good luck!

janhoedt (Author) commented:
Not an option. I need the remote users to be able to choose between the remote location or the VPN location to surf. They should be able to surf both networks.
Then I guess you need your proxy server. You are looking at technology from M86, etc. Keep in mind that you will have to lock down the workstations so users cannot change the proxy settings in the browser or install any other browsers (portable apps).
I understand what you are trying to achieve. It is difficult, and it will cost some money and require a lot of work.
Perhaps you can look at Sophos AV; they offer some URL filtering for remote users. Nothing special, since it is the first version of the product with this feature, but it may work for you.

Let me know what you think about it.
janhoedt (Author) commented:
I installed a Squid proxy a long time ago and it works fine. Not that easy to configure, but it does work correctly. I just wanted to be sure/double-check that I really need the proxy.
Squid will work, but you need to know what you are doing, and this thing requires a lot of attention. If your client is willing to pay for it, then it makes sense. Also, keep in mind that threats are coming over other channels as well, and the AV / URL filtering may not be able to pick them up.
I am not sure how good the URL list on the Squid server is. I know that it uses some open-source thing. Usually you pay some money for it. Unless you use the SonicWall as your URL/AV filter for the Squid server.
Also, users will be able to run other browsers, circumventing your solution.

Anyway, good luck!
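The proxy-based design discussed throughout this thread (proxy-only egress for most LAN devices, one device allowed only to its vendor's update site, and remote OpenVPN users who opt in to surfing via the head office by pointing their browser at the proxy) can be expressed as a Squid access-control list. The squid.conf fragment below is an added example, not configuration posted by anyone in the thread; the proxy address 192.168.1.2, the LAN 192.168.1.0/24, the NAS address 192.168.1.20, the OpenVPN client pool 10.8.0.0/24 and the domain updates.nas-vendor.example are assumptions chosen for illustration.

```conf
# /etc/squid/squid.conf  (added example; all addresses and domains are assumptions)
# The proxy host is the only LAN address the firewall allows LAN > WAN (see the first answer).
http_port 192.168.1.2:3128

# Who may use the proxy at all
acl lan_clients src 192.168.1.0/24   # home LAN; devices must have the proxy set to get out
acl vpn_clients src 10.8.0.0/24      # assumed OpenVPN client pool; remote users opt in by setting the proxy

# The NAS from the question: allowed only to its vendor's update site
# (assumes the NAS update client honours a proxy setting)
acl nas         src 192.168.1.20
acl nas_updates dstdomain .updates.nas-vendor.example   # placeholder domain; leading dot matches subdomains

# Standard hygiene: only web ports, CONNECT (tunnelling) only to TLS
acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Order matters: the first matching http_access line wins
http_access allow nas nas_updates    # NAS -> its update site only (both ACLs must match)
http_access deny  nas                # ...and nothing else for the NAS
http_access allow lan_clients
http_access allow vpn_clients
http_access deny  all                # anything not listed above is refused

# Caching is not the goal here (as the thread notes); policy is
cache deny all

# The log is where you see which device tried to reach what
access_log /var/log/squid/access.log squid
```

This list only enforces anything if the firewall side matches the first answer: one LAN > WAN rule allowing the proxy host and a deny for every other device. Without that, a device that ignores the proxy setting, or a second browser without it, reaches the Internet directly, which is exactly the bypass the last answer warns about. Because split tunnel is kept, a remote user's traffic goes through the head office only from browsers pointed at the proxy; everything else still leaves locally, which is the behaviour the author asked for.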