Solved

SonicWall - how to set up control port 20021 and data port range 25000-25500

Posted on 2014-11-13
Last Modified: 2014-11-17
We have a SonicWall TZ 210 and are installing FTP on a few of our workstations for our bank.

Our Bank tech support wants me to open the above Control port and data port range.

I normally run the Public Server Wizard for forwarding outside traffic like Security Cameras or HVAC controls but I think what they want is the Firewall to allow traffic WAN to LAN on the Control port and data port mentioned above.

Am I thinking about this in the right way?
13 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40442364
Yes, use the Public Server Wizard and then just edit the created service groups to have those ports.
 

Author Comment

by:azpete
ID: 40442465
I should have added more in the question.

We want to open the above control port and data range for the entire LAN (from WAN).

By default all LAN to WAN traffic and services are "ALLOW" and all WAN to LAN are "DENY".
Is it possible to modify the WAN to LAN to "ALLOW" that control port and data RANGE?
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40442500
That will only work if you have 1 to 1 WAN to LAN IP mapping.

 

Author Comment

by:azpete
ID: 40442538
Aaron, I understand and have done the 1 to 1 mapping via the Wizard many times for many clients on all models of SonicWalls.
If the bank said, "Hey firewall guy, set up a public SFTP PC on your LAN," the Public Server Wizard does that in 20 seconds. But that's not the case. We want to set up 5 or so PCs with SFTP software applications, and the bank just repeats the mantra "open your firewall's control port and data range" (to the numbers above). My assumption may be wrong, but shouldn't it be that you can say "Sure..., DENY all WAN to LAN services (that are not initiated by the LAN) BUT add a rule that says EXCEPT services for this control port and data range"???
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40442558
Yes, you can put an allow rule above the deny rule. They get processed in order. However, I would strongly suggest this is not a good idea.
 

Author Comment

by:azpete
ID: 40442654
I agree that the rule would be a big hole, but (besides the 1 to 1) how would you answer the bank's direction to "open the control port and that data range on the firewall, but not to a specific PC"?
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40442801
You can't; you can open it on all PCs with 1 to 1 NAT.
 

Author Comment

by:azpete
ID: 40442860
I don't know what that means: "open it on all PCs with 1 to 1 NAT". Can you explain?
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40443015
If you have 1 to 1 NAT, then each WAN IP maps to a LAN IP. So you can add a firewall rule that states: for those services from WAN to LAN, allow it. If that's not what they want, then I really don't understand their request.
 

Author Comment

by:azpete
ID: 40443124
I agree; either the bank tech support statement is incomplete or misleading, or my concept of opening WAN to LAN ports is too shallow. I will be in contact with the bank and see if I can get more information. They may simply want a public server but are unwilling to say so directly. Stand by and I will get more info.
 
LVL 27

Accepted Solution

by: masnrock (earned 500 total points)
ID: 40444350
Do you block outgoing communication? If not, then you have nothing to do. Some companies do, in which case it would be applicable to open ports for outbound communication.
 

Author Comment

by:azpete
ID: 40444415
By default, SonicWall has an "ALLOW all services from LAN to WAN" rule. I assume that means that a LAN PC can open communications on ANY port and ANY data range. Since the bank appears to be saying we are not setting up a public server, then I think we will be OK with no changes to the SonicWall.

I have sent such a statement to the bank's tech support folks and am looking forward to their reply.

I suspect that a Cisco PIX or other brands of firewalls default to DENY all services from LAN to WAN and the admin must specifically open the ones they want.
 
LVL 27

Expert Comment

by:masnrock
ID: 40444572
Exactly. Some companies also prefer to block everything and only allow what should be necessary for work. You are in the clear.
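An added example (not part of this thread) to illustrate the accepted answer: with the SonicWall's default LAN to WAN allow rule in place, the only thing left to verify from a workstation is that outbound connections to the bank's control port and passive data range succeed. It assumes the bank's service is passive-mode FTP (the "control port plus data port range" pattern in the question), parses the server's PASV reply, and checks that the announced data port falls inside 25000-25500; the host and the PASV reply below are constructed sample values.

```python
import re
import socket

# Ports as stated in the question: control 20021, passive data 25000-25500.
CONTROL_PORT = 20021
DATA_RANGE = range(25000, 25501)

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (ip, port) announced by a 227 PASV reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    octets = m.group(1, 2, 3, 4)
    p1, p2 = int(m.group(5)), int(m.group(6))
    if p1 > 255 or p2 > 255 or any(int(o) > 255 for o in octets):
        raise ValueError("octet out of range in PASV reply")
    return ".".join(octets), p1 * 256 + p2


def data_port_allowed(port: int, allowed=DATA_RANGE) -> bool:
    """True if the passive data port is inside the range the bank asked to be opened."""
    return port in allowed


def check_outbound(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if this workstation can open an outbound TCP connection to host:port.

    With the default LAN to WAN allow rule this should succeed for both the
    control port and every port in DATA_RANGE; a False here points at an
    egress filter somewhere on the path, not at a missing WAN to LAN rule.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample reply (not from the thread): 203.0.113.10, data port 25010.
    ip, port = parse_pasv("227 Entering Passive Mode (203,0,113,10,97,178).")
    print(f"PASV data endpoint {ip}:{port}, in allowed range: {data_port_allowed(port)}")
    print("control port reachable:", check_outbound(ip, CONTROL_PORT, timeout=1.0))
```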