SonicWall - How to best block a specific WAN address TZ 300 6.2.4.2

We have been notified by our Internet cable vendor that we have an infected machine that has the "SpySheriff" virus/malware running. The Internet vendor tech told me the address it was trying to talk with (54.149.139.199).
I could not quickly determine what PC was talking to that address, so I simply created a quick Address Object (WAN, Host) with that IP and created a DENY rule:
LAN to WAN, Source Any, Destination (IP object), Service Any, Action Deny.

If the above should be the other way around (WAN to LAN), let me know ASAP,
and if there is an efficient way to see what LAN address is talking to 54.149.139.199, that would be helpful.
azpeteAsked:

Brian MurphyIT ArchitectCommented:
So, are you using 192.168.x.x addressing internal?

The most efficient is www.wireshark.org?

If you can plug each PC into a hub first, and another PC into that same hub with Wireshark installed (free).

You can easily filter for that address tcp == 54.149.139.199

You can do this before it terminates into your Sonic Wall or after the patch panel for example.

This way you don't need a "Spanned Port" or "Mirrored Port" or expensive Port Aggregator.

Wireshark is most definitely your quick, easy and free option.
azpeteAuthor Commented:
I wish I could do that, but it's a 5 hour drive and reconnecting everyone from their switch to a hub (although their switch may be able to set a port on their switch to mirror everyone), and if it's a machine that's off, it would be best to leave my notebook with Wireshark running.
Anyway, I am pretty sure this latest-generation brand new SonicWall can handle all that and I just need a little direction on it. But thanks for the reminder about Wireshark.
Brian MurphyIT ArchitectCommented:
It does support it, depending on version. But you cannot mirror across a WAN unless you have some type of spanning that looks like one network.
https://support.software.dell.com/kb/sw12079
https://support.software.dell.com/kb/sw9916

You need Wireshark on a remote guest.  And you would have to mirror one port at a time unless it would let you see all the packets from every host.  Generally, mirrored port supports single PC.

But if you could get something on the other side of your IP facing
(www.whatsmyip.com)

You would see the traffic but not the Internal Host.  Get it?  At layer 2 everything is MAC (Arp Table).

That is why you must use a segment at a time.  You will only see the traffic for each segment at once although more than one PC can plug in to a single segment.

That is how you will find it.  And I know it works, I've done it.

I just happen to like Wireshark.  I am member of Wireshark University, read all their curriculum.  I collect pcapng files.  

I collect pcap from BSD (like Netscaler), Server 2008, Server 2012, Windows 7, 8, 10.

I study and memorize patterns.

I also have the Riverbed tool (www.wireshark.org). It cost a lot of money but allows me to find patterns quickly.
Brian MurphyIT ArchitectCommented:
This is good
• Increased security across multiple switch ports – The PortShield architecture provides the flexibility to configure all switch ports into separate security zones such as LANs, WLANs and DMZs, providing protection not only from the WAN and DMZ, but also between devices inside the LAN. Effectively, each security zone has its own wire-speed ‘mini-switch’ that benefits from the protection of a dedicated deep packet inspection firewall.

This allows you to see all Layer 2 across that switch for all ports.

That is what you want.

Still need a PC at the remote site.  The mirror port corresponds to that PC that has Wireshark and configured for spanned mirror.

Now, if the traffic were not exiting that site and using a WAN back to your home office (happens a lot) then you would have Wireshark at both ends just to confirm.

You need the full TCP SYN ACK traffic.  Once you find that first SYN for that IP.

Right click, "FOLLOW TCP STREAM"
Brian MurphyIT ArchitectCommented:
I think you stated this, but the easiest way to trap that traffic without losing the Layer 2 information is that SonicWall supports blocking IP addresses - you probably already know.

https://support.software.dell.com/kb/sw9982

Now, at this level you have logging at FW level of Sonic Wall.  But, it still may not give you the actual internal IP and hostname of the offending device.  It will probably just say "blocked....blocked...."

One mirrored port on one clean remote machine, RDP Client (MSTSC), install Wireshark in Promiscuous Mode.

Must be in that mode on Layer 2 Switch with mirroring or it sees another MAC and disrupts packet capture.
Brian MurphyIT ArchitectCommented:
There is also the aspect of that IP communicating somehow to your firewall.  Normally, this cannot happen unless you add hosts to DMZ facing.  But....

Now, if it were me - I would do ARIN / Whois lookup on that IP and find out where it originates.

I block all countries I can depending on the company.  I block the entire range assigned to Nigeria, China, et cetera.  I do immediate "packet drop" or TCP Reset.

I worked with SonicWall prior to Dell purchase.  I started out long time ago on Cisco PIX Firewall I think 15 years ago when I got my Cisco CCNA certifications.  I really liked PIX because everything was disabled.  And the syntax was reverse of Cisco IOS.

Sonic wall is probably something like
    Firewall > Access Rules
    Click Add rule
    Action - Deny
    From - LAN
    To - WAN \ Internet
    Destination > Create New Network
    Assign a Name for the IP/Site
    Zone Assignment - WAN
    Type - Host or network if you want to block the entire IP range, I prefer range
    Enter the IP of the site or network range
    Click OK and then click Add
azpeteAuthor Commented:
Looking SPECIFICALLY for an answer to how to solve this with my SONICWALL.
pgm554Commented:
I've managed a SonicWall in the past and, from what I remember, there was a screen on the management software that allowed you to see what node was talking to what Internet IP address.
azpeteAuthor Commented:
Understood, but I still would like a review and comment on my custom rule and specifics on the connection to that WAN address.
masnrockCommented:
I would do both WAN to LAN and LAN to WAN. That way any traffic flowing either way should get blocked. However, in terms of knowing exactly which machine, you could look through the logs that the Sonicwall keeps for that specific IP address because for at least a short while, you can sift for things like that. The better recommendation over time would be something like Wireshark, even though you could put the Sonicwall Analyzer on an available machine.
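One way to do the log sifting masnrock describes, as an added example that is not from any poster in this thread: a Python script over constructed SonicWall-style syslog lines (the src=IP:port:interface / dst=IP:port:interface field layout is assumed) that lists which internal hosts had connections to or from the suspect address, in either direction.

```python
import re
from collections import Counter

# Constructed sample lines in a SonicWall-style syslog layout (src=IP:port:iface dst=IP:port:iface).
# These are made-up entries for illustration, not logs from the original thread.
SAMPLE_LOG = """\
id=firewall sn=0017C5XXXXXX time="2016-03-01 10:02:11" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" n=1 src=192.168.1.23:51234:X0 dst=54.149.139.199:443:X1 proto=tcp/https
id=firewall sn=0017C5XXXXXX time="2016-03-01 10:02:15" fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" n=2 src=192.168.1.40:40112:X0 dst=93.184.216.34:80:X1 proto=tcp/http
id=firewall sn=0017C5XXXXXX time="2016-03-01 10:03:02" fw=203.0.113.10 pri=1 c=32 m=36 msg="TCP connection dropped" n=3 src=192.168.1.23:51240:X0 dst=54.149.139.199:80:X1 proto=tcp/http rule="LAN->WAN deny"
id=firewall sn=0017C5XXXXXX time="2016-03-01 10:04:20" fw=203.0.113.10 pri=1 c=32 m=36 msg="TCP connection dropped" n=4 src=192.168.1.77:33001:X0 dst=54.149.139.199:443:X1 proto=tcp/https rule="LAN->WAN deny"
id=firewall sn=0017C5XXXXXX time="2016-03-01 10:05:09" fw=203.0.113.10 pri=1 c=32 m=38 msg="UDP packet dropped" n=5 src=54.149.139.199:4444:X1 dst=192.168.1.23:445:X0 proto=udp/445
"""

# Pull the src= and dst= endpoints (IP, port, interface) out of one log line.
FIELD_RE = re.compile(r'\b(src|dst)=(\d{1,3}(?:\.\d{1,3}){3}):(\d+):(\w+)')


def find_internal_talkers(log_text: str, suspect_ip: str) -> dict:
    """Return {internal_ip: hit_count} for every line where suspect_ip is the src or the dst.

    Outbound lines (LAN host -> suspect) count the src as the internal host;
    inbound lines (suspect -> LAN host) count the dst, so a WAN->LAN attempt is not missed.
    """
    hits = Counter()
    for line in log_text.splitlines():
        ends = {role: (ip, port, iface) for role, ip, port, iface in FIELD_RE.findall(line)}
        if "src" not in ends or "dst" not in ends:
            continue  # not a connection record; skip it
        if ends["dst"][0] == suspect_ip:
            hits[ends["src"][0]] += 1
        elif ends["src"][0] == suspect_ip:
            hits[ends["dst"][0]] += 1
    return dict(hits)


if __name__ == "__main__":
    # Hosts talking to the address reported by the ISP, most active first.
    for host, count in sorted(find_internal_talkers(SAMPLE_LOG, "54.149.139.199").items(),
                              key=lambda kv: -kv[1]):
        print(f"{host}\t{count} connection(s)")
```

Hosts that only show up as "dropped" hits are still worth checking, since the deny rule stops the connection but not the process that keeps trying.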
azpeteAuthor Commented:
Understood, but what I am looking for is not the general idea but the specifics.
Aaron TomoskyDirector of Solutions ConsultingCommented:
Sonicwall has a built in realtime packet monitor. You can put the wan ip you are looking for and it should pop right up. However you may have to remove the lan to wan blocking rule to see it.

azpeteAuthor Commented:
AGREED, the Packet Monitor seems to be the perfect tool. I would like to see an example of how to fill out the "other" fields for a simple search. Can anyone provide a sample list?
Aaron TomoskyDirector of Solutions ConsultingCommented:
It's a filter; you don't need to fill in the other fields.
azpeteAuthor Commented:
Oh, that is cool, thank you, I did not realize that. I see that now; if you hover over "current configuration filter" it shows you that it fills in all the "other" fields like you said.
So that is a big part of my question answered, thanks!
Could you comment on my custom rule (does it sound reasonable?)
Aaron TomoskyDirector of Solutions ConsultingCommented:
The LAN->WAN rule will block computers from initiating a connection to that server; probably good enough just like that. If you want to be really safe, you can create a reflexive rule (both directions).