Sonicwall Rule to only allow specific IP addresses (host based) through firewall

Hi Guys,

I would like to create a rule on my firewall to only allow a range of specific IP addresses to visit a website which is being hosted by one of my internal web servers. I know I can use built-in host-based security on Apache, however I would also like to block at the firewall level. Can you please provide a step-by-step guide on how I can accomplish this? I already have a rule set up to open up the website to the internet, however the site is open to all IP addresses through my firewall and I want my Sonicwall to only allow a small limited range of IP addresses through.
Tbalz Asked:
Blue Street TechLast KnightCommented:
Hi Tbalz,

What model is your SonicWALL?
What is the SonicOS version?
Which zone is the server located in e.g. DMZ, LAN, etc?
What type is the range of specific IP addresses:
a network like 25.25.x.0/24 or
a group of different IP addresses e.g. 25.25.x.x, 89.89.x.x, etc. or
a range e.g. 36.34.x.10-36.34.x.60?

If everything is working, meaning you can access the website without issues from outside your network, then it should be very straight forward. Follow below:

1. Create the Address Object(s) for external IP addresses
Go to Network > Address Objects.
Click on View Style & click Custom Address Objects.
Under the Address Objects section, click Add...

Name: {whatever you want to identify the object}
Zone Assignment: select WAN
Type: select either Host (single IP address), Range (starting & ending IP), or Network (e.g. 24.x.x.0, 255.255.255.192)
Click Add.

NOTE: If you use Host as your Type or you have multiple Ranges or Networks simply create as many as you need. You can name them External Host 01, External Host 02, and so on or however you like. If you need to create multiple Address Objects follow the steps below to create an Address Object Group, which will be a single object including all the other objects.

1.a. Create the Address Object Group for external IP addresses
Go to Network > Address Objects.
Click on View Style & click Custom Address Objects.
Under Address Groups section, click Add Group...

Name: {whatever you want to identify the object group}
Select all the newly created Address Objects above and click the -> button to move them over to the new column
Click OK.

2. Limit the Inbound Firewall Rule for already allowing access.
Go to Firewall > Access Rules
Click on the rule you already created to allow anyone to access the server.
Click on the Source and select your newly created Address Object or Address Object Group above. (if you created an Address Object Group then use that).
Click OK.

Let me know if you have any questions!
2

Tbalz Author Commented:
Hi, thank you so much for this wonderful information. I will try it out and let you know if it is working correctly. The name of the sonicwall is the NSA 240 by the way.
0
Blue Street TechLast KnightCommented:
You're welcome. Thanks for the update.

What version is your SonicOS (System > Status > Firmware Version:)? This is necessary for the instruction to apply here. For example, if you have a Standard firmware version or an older version the prompts may be slightly different.
0
Tbalz Author Commented:
Hi, thanks for checking up. I have firmware version SonicOS Enhanced 5.5.0.0-37o

Would this change anything?
0
Blue Street TechLast KnightCommented:
Nope! What I provided is specific to that: it is the Enhanced version and it's 5.x, which is the newer firmware version.

Have at it and let me know how it goes!
0
Tbalz Author Commented:
Thanks so much! I'm confused about the rules. Do I need to put in a Deny all rule under an accept rule for the firewall? I'm also wondering how I would know if something is blocked by the firewall? Would it be a specific message?

I'm also confused because I put in a host that I know to deny just to test, however it blocks all IP addresses when I put that one rule in? Is there a priority order I have to put in an allow or deny rule?
0
Blue Street TechLast KnightCommented:
A deny rule should be at the bottom (lowest priority) by default of your inbound Zones e.g. WAN>LAN, WAN>WLAN, etc. There should not be a need to add or re-prioritize these unless someone has modified or removed these default rules.

You will know explicitly if something is blocked in the Logs. Under Logs > Categories place a check next to Log at the very top of the column thereby selecting all categories under Log. Then click OK. Now you will see everything. Regardless if there is something being blocked by your firewall rules you will see a note next to the line item in the Logs stating which rule blocked the traffic with a link to it.

Deny Rules should always have the lowest priority over the service they are blocking. So if you are blocking all traffic to a zone then you should see the deny rule at the very bottom of the list. If it isn't you can click on the priority to change it. In your case where you are explicitly allowing Ping to a set of IPs, you are essentially creating a deny rule too by only specifying those select IPs to gain access to Ping, everything else will be blocked by the default deny rule therefore you do not need to create a specific deny rule for specific IPs trying to access Ping. The default deny rule denies all services for everyone.

Make sense?
0
Tbalz Author Commented:
It's a little confusing, but it's working for me now and everything seems to be working like I want it to. I have a specific IP address getting access to my webserver, which is great; it's given priority 7 and then under it I have another rule blocking all traffic to my webserver with priority 8. Would this be the correct way of doing things? I have attached an image for you to take a look at.
ee.PNG
0
Blue Street TechLast KnightCommented:
That would be correct in the sense of prioritization but not in the execution of the deny rule. Change the services and users to all and any. That will do it...assuming there is no other deny rule in this zone.

Are those the only rules you have?
0
Tbalz Author Commented:
Yes, just one rule now to let one IP address pass through for testing purposes. It is working as intended, so I'm not sure why I would change the allow rule to all and any?

Thanks again so much!
0
Blue Street TechLast KnightCommented:
I'm glad I could help. You're welcome.

You are correct, don't change the allow rule; it's set up as I specified. With regards to the "deny" rule, in order to have it function as a firewall it must be set as follows:

WAN > LAN
Source: Any
Destination: Any
Service: Any

Action: Deny or Discard
Users: All

So just change your Destination to "Any" and your Service to "Any". This is what will block all access except that which is explicitly allowed e.g. your allow rule we created. Otherwise there is no reason to have a firewall.
0
Tbalz Author Commented:
Oh I understand. What this rule is doing is denying specific access to the webserver group. I don't want it to deny anything other than this. There are a lot of other services going in and out of the firewall and this is just a small one I'm in charge of. Would this be ok?
0
Blue Street TechLast KnightCommented:
Exactly!

It's up to you, but if you don't have the "deny" rule that I specified above (https:#a39450560) at the very bottom of the WAN>LAN access rules, then there is no reason to have a firewall. Malicious traffic will be allowed in all the time on every service from every source using any protocol available. This sole deny rule is the key principle to making any firewall truly a firewall. That is why I said without it there is no point to having a firewall, because everything will be wide open.

You have to understand that in network security the proper setup is to block everything inbound generally. This still allows all sorts of traffic to "come in" because the requests are actually being sent from the LAN, WLAN or DMZ (all behind the firewall); therefore, to have HTTP access, email (Exchange), Lync, VoIP, etc. you don't need to specify inbound rules, because all those services and ports are being initiated on the LAN, WLAN, DMZ zones respectively.

There are isolated cases where you need to actually set up inbound rules, like for an Exchange server/OWA, a web server, or in your case where you want to allow specific hosts to access a server.

See now?
0
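To show in evaluation terms what the priority discussion and the bottom "Source: Any / Destination: Any / Service: Any / Deny" rule in this thread mean, here is an added, constructed first-match rule evaluator in Python; it is not SonicWALL code, and the addresses, rule names and service labels are made up for the example. It models the three SonicOS address object types (Host, Range, Network) plus an Address Object Group, then compares the narrowed deny rule from the thread with the bottom deny-all rule and a mis-ordered rule set.

```python
import ipaddress

# Address-object matchers modelled on the three SonicOS types (Host, Range,
# Network) plus an Address Object Group. Constructed example, not SonicWALL code.
def host(ip):
    target = ipaddress.ip_address(ip)
    return lambda a: a == target

def ip_range(first, last):
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda a: lo <= a <= hi

def network(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda a: a in net

def group(*objects):
    return lambda a: any(match(a) for match in objects)

def any_address(a):
    return True

def evaluate(rules, src, dst, service):
    """First-match, top-down: the list is in priority order (index 0 = 1).
    Each rule is (name, src_match, dst_match, service, action). A packet that
    matches no rule falls through to the firewall's default; on a SonicWALL
    whose default WAN>LAN deny rule is intact that is a Deny, so 'NoMatch'
    here shows exactly where a narrowed deny rule leaves a gap."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_match, dst_match, svc, action in rules:
        if src_match(s) and dst_match(d) and svc in ("Any", service):
            return name, action
    return "no rule", "NoMatch"

# Constructed sample addresses (documentation ranges, not real hosts).
WEB_SERVER = host("192.0.2.10")
ALLOWED = group(host("198.51.100.7"),
                ip_range("198.51.100.20", "198.51.100.40"),
                network("198.51.100.64/26"))

# The thread's narrowed deny rule: only HTTP to the web server is denied.
NARROWED = [("allow-web", ALLOWED,     WEB_SERVER,  "HTTP", "Allow"),
            ("deny-web",  any_address, WEB_SERVER,  "HTTP", "Deny")]

# The corrected bottom rule: Source Any, Destination Any, Service Any, Deny.
DEFAULT_DENY = [("allow-web", ALLOWED,     WEB_SERVER,  "HTTP", "Allow"),
                ("deny-all",  any_address, any_address, "Any",  "Deny")]

# Mis-ordered: the deny placed above the allow blocks even the permitted range.
MISORDERED = DEFAULT_DENY[::-1]
```

With the narrowed rule, traffic to any other service on the server, or to any other host, matches nothing and depends entirely on the default deny rule still being in place.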
Blue Street TechLast KnightCommented:
Any update on this? How's it going?
0
Tbalz Author Commented:
This was the best help I ever received!
0
Blue Street TechLast KnightCommented:
Wow thank you! It was a pleasure working with you. I'm glad I could help & thanks for the points.
0
Jayesh Bhandari IT Manager Commented:
In FQDN for LAN to WAN, what will work? Will *.xyz.com work? (subdomain)
0
Blue Street TechLast KnightCommented:
This is off topic & if you require further help then I'd suggest you ask a separate question and I'd be glad to help in a deeper capacity.

Alas, wildcarding FQDNs will most certainly work, but it depends where in the SonicWALL you are trying to do this; some areas of the UTM will only accept IP addresses for security reasons. In general it is a best practice to use IP addresses instead of FQDNs where possible because of DNS poisoning attacks, etc. For DNS resolution of wildcards, it depends on where you have pointed your DNS (internally or externally). For example, if you point to an external DNS server then any wildcard for your domain may not resolve, depending on your public DNS settings; regardless, the results will be different than intended.
0