Solved

How can I bypass the sonicwall  content filter

Posted on 2015-01-08
9
687 Views
Last Modified: 2015-01-08
HI I have a sonicwall 2040 with content filter which is used to block all web access to the internet except from machines on an exclusion list. Our network uses 192.168.4.XXX for IP addresses.

Everything worked as planned until recently when we  setup a private VPN to Microsoft Azure and configured one of the servers to house an internal website and a source control server. To do this we first had to setup a network in Azure (10.0.0.0) and then the server IP addresses were 10.0.0.XXX

We can rdp to the machines in Azure and mount file systems with no problem. However, when we try to access a web page or the source control server from Visual Studio (which uses http) the content filter kicks in an blocks the access. I tried all the following which does not seem to work:
a) Added 10.0.0.4 to the trusted domain sites
b) Created a custom policy and added 10.0.0.4 to the Allowed Domains in the default and in the new policy

The only thing that seemed to work was to uncheck the "Not Rated" site in the URL list for the default policy. I am uncomfortable doing this because I do not want to allow access to a site just because it is not rated. There has to be a better way.

Any help to configure the sonic wall to allow access to all content on the 10.0.0.4 server is appreciated.
0
Comment
Question by:shenoya
  • 4
  • 3
  • 2
9 Comments
 
LVL 5

Expert Comment

by:CoSmismgr
ID: 40538471
I believe the CFS applies to zones. You should be able to just clear the checkbox to apply filtering to the VPN zone.
0
 

Author Comment

by:shenoya
ID: 40538520
If you are referring to the check boxes under Network > Zones there is nothing currently checked for VPN
0
 
LVL 5

Accepted Solution

by:
CoSmismgr earned 500 total points
ID: 40538537
To add a range of IP addresses to the CFS Exclusion List, follow these steps:

Step 1 Login to the SonicWALL Management Interface
Step 2 Go to Security Services > Content Filter
Step 3 Select the Enable CFS Exclusion List checkbox.
Step 4 Click Add. The Add CFS Range Entry window is displayed.
Step 5 Enter the first IP address in the range in the IP Address From: field and the last address in the IP Address To: field.
Step 6 Click OK.
Step 7 Click Accept on the Security Services > Content Filter page. The IP address range is added to the CFS Exclusion List.

from Here
0
 

Author Comment

by:shenoya
ID: 40538852
Thanks. I tried this and it works.

Just want to make sure that I am not opening up something else by putting that Azure machine on  "Exclusion List"

My understanding is that CFS exclusion  bypasses all web content filtering for anyone logged in to a machine that is on the exclusion list. I was not aware that it could also be used to view content originating from a server on the exclusion list ( 10.0.0.4 )

All the documentation suggests that this should be done using the policy settings in the content filter. What I need is a way to still enforce web content filtering for all machines on the local LAN but allow full access to  10.0.0.XXX network which is on the VPN . Please advise
thanks
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40538916
since the 10.x.x.x range is a non-routable private range it will not affect the previous content ratings settings.
0
 
LVL 5

Expert Comment

by:CoSmismgr
ID: 40538953
Just thought of something else. If I am understanding your scenario correctly, the traffic is http session from the servers public IP, so adding the private IP address to allowed domain will not work. You would need to add that servers public IP (or hostname)  to the allowed domain list, and apply the custom policy. This might be a better solution over adding to the exclusion list.
0
 

Author Comment

by:shenoya
ID: 40539043
Yes you are understanding the scenario correctly. Unfortunately ...

I don't have the public IP of the private Azure server. I only have the address of Azure Gateway IP which was given to me when I setup the Azure Virtual Network and configured the site to site VPN and created the gateway. I turned off direct internet access to the Virtual server using the Azure Configuration Manager so the private server is only accessible through the internal network / VPN

Already tried Adding the servers private IP in the allowed domain list - it  did not work
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40539423
Perhaps my statement wasn't clear enough. What you have changed will not screw up your web filtering
0
 
LVL 5

Expert Comment

by:CoSmismgr
ID: 40539443
It's okay to talk about something even though a solution has been found. ;)
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now