Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.
Best practises Sonicwall firewall tz100 (latest os)
Hi,
I installed a Sonicwall in my home-network and see my LAN network has Internet-access.
I would like to set different things:
-remove Internet-access but only via proxy for most of my network devices
-set specific access to certain sites for specific devices (f.e. update from specific url for NAS)
Please advise on best practises: work with groups etc?
Note that I want to move to VLAN so I want to keep it as flexible as possible (might need to change ip’s).
I installed a Sonicwall in my home-network and see my LAN network has Internet-access.
I would like to set different things:
-remove Internet-access but only via proxy for most of my network devices
-set specific access to certain sites for specific devices (f.e. update from specific url for NAS)
Please advise on best practises: work with groups etc?
Note that I want to move to VLAN so I want to keep it as flexible as possible (might need to change ip’s).
Asked:
5-
4
- +1
1 Solution
You have many option, below are drawed in the drawing
i dont understand the reason of using proxy? you can achive almost all above using SNA. you can use Content Filtering for URL filteration
i dont understand the reason of using proxy? you can achive almost all above using SNA. you can use Content Filtering for URL filteration
Sonicwall TZ100 offers great UTM most likely you do not need proxy unless you want caching of the pages. Sonicwall can not do it as as per previous post you have a few options. Read about SSO you may like it to give access to specific users or user groups. It requires AD!
For the home network you can use static IPs on your home computers and build ACL on the sonicwall allowing or denying access for LAN to WAN.
Soncwall supports only 5 VLANs you will need L2 switch that can support VLANs and trunking.
You are looking at another $300-$500.
It is difficult to provide "Best practices" as I do not understand all requirements. Good thing is that sonicwall is pretty flexible and most likely you will be able to build a nice solution for the house.
Good luck!
For the home network you can use static IPs on your home computers and build ACL on the sonicwall allowing or denying access for LAN to WAN.
Soncwall supports only 5 VLANs you will need L2 switch that can support VLANs and trunking.
You are looking at another $300-$500.
It is difficult to provide "Best practices" as I do not understand all requirements. Good thing is that sonicwall is pretty flexible and most likely you will be able to build a nice solution for the house.
Good luck!
I'd need a proxy to connect remote vpn-users to connect to Internet or can I solve this differently? I'm not using the Sonicwall VPN, but Openvpn since I have more option (portable Openvpn-client etc).
Hi,
I do not think you need any proxy to connect remote VPN users to internet. They are usually already on the Internet when they are connecting to your head office. You may however scan give up split tunnel and have all traffic generated by them scanned by sonicwall.
I do not know much about Openvpn-client as most of my customers are commercial institutions and can not afford any security related open technology. Sonicwall offers IPsec VPN with GVC - Windows only, SSLVPN - Windows, Linux, MAC. Mobile Connect (SRA1200) for tablets, etc and L2TP for everything else. All this with advantage of your gateway security services.
To the PROXY comment. Unless you have very poor internet connection the need for caching proxy does not exist in modern IT. I do not remember when I saw proxy server last time and I 43 ;-) The UTM offers more features and deals with more protocols than any proxy server in the past. Take a look at sonicwalls Application control and visualization along with URL filtering this is most likely what you are looking for. You will need NSA 220 or up to have it.
Another thing that your client will appreciate is reporting with Analyzer. You will be able to justify that the money was well spend.
I hope this answers your questions. If not do not hesitate to contact me.
Good luck!
I do not think you need any proxy to connect remote VPN users to internet. They are usually already on the Internet when they are connecting to your head office. You may however scan give up split tunnel and have all traffic generated by them scanned by sonicwall.
I do not know much about Openvpn-client as most of my customers are commercial institutions and can not afford any security related open technology. Sonicwall offers IPsec VPN with GVC - Windows only, SSLVPN - Windows, Linux, MAC. Mobile Connect (SRA1200) for tablets, etc and L2TP for everything else. All this with advantage of your gateway security services.
To the PROXY comment. Unless you have very poor internet connection the need for caching proxy does not exist in modern IT. I do not remember when I saw proxy server last time and I 43 ;-) The UTM offers more features and deals with more protocols than any proxy server in the past. Take a look at sonicwalls Application control and visualization along with URL filtering this is most likely what you are looking for. You will need NSA 220 or up to have it.
Another thing that your client will appreciate is reporting with Analyzer. You will be able to justify that the money was well spend.
I hope this answers your questions. If not do not hesitate to contact me.
Good luck!
Regarding the proxy: I'd be happy not to use it. However, when I want remote users to use the Internet of the remote location NOT the one they are connected with throught Internet (and that IS what I want), I don't see another option then setting proxy in Internet Explorer/browser. If you have other suggestions to achieve this, please advise.
This is simple. Then kill your "split tunnel" and have them brows through the sonicwall at the head office. Keep in mind that you have to sort out your DNS and VPN ->WAN ports. So you limit their access. I had the clients who got RBL'd because someone at home had a mass mailer and was using office IP to blast spam. Also, this connection will put some overhead on your ISP at the head office.
Otherwise it works out of the box.
Good luck!
Tom
Otherwise it works out of the box.
Good luck!
Tom
Not an option. I need the remote users to be able to choose between remote location or vpn location to surf. They should be able to surf both networks.
Then I guess you need your proxy server. You are looking at technology from M86, etc. Keep in mind that you will have to lock down the workstation so users can not change proxy settings on the browser or install any other browsers (portable apps).
I understand what you are trying to achieve. I is difficult and it will cost some money and require a lot of work.
Perhaps you can look at SOPHOS AV they offer some URL filtering for remote users. Nothing special since it is the first version of the product with this feature but it may work for you.
Let me know what you think about it.
I understand what you are trying to achieve. I is difficult and it will cost some money and require a lot of work.
Perhaps you can look at SOPHOS AV they offer some URL filtering for remote users. Nothing special since it is the first version of the product with this feature but it may work for you.
Let me know what you think about it.
Installed Squid proxy a long time ago and works fine. Not that easy to configure but it does work correctly. Just wanted to be sure/doublecheck that I really need the proxy.
The Squid will work but you need to know what you are doing and this thing requires a lot of attention. If your client is willing to pay for it, than it makes sense. Also, keep in mind that threads are coming over other channels as well and the AV / URL filtering may not be able to pick them up.
I am not sure how good it the URL list on the squid server. I know that it uses some open source thing. Usually you pay some money for it. Unless you use sonicwall as your URL.AV filter for Squid server.
Also, users will be able to run other browsers circumventing your solution.
Anyway, good luck!
I am not sure how good it the URL list on the squid server. I know that it uses some open source thing. Usually you pay some money for it. Unless you use sonicwall as your URL.AV filter for Squid server.
Also, users will be able to run other browsers circumventing your solution.
Anyway, good luck!
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
I would also create groups for all protocols / ports that a specific software update service uses and then create one rule in the firewall from that machines ip to the configure services.
Hope this helps