tymccoy

asked on

SonicWall dynamic block list

Can I set up SonicWall to use a dynamically generated block list, rather than going through the web-based configuration tools every time I need to block a new IP address?
SOLUTION
Blue Street Tech
tymccoy
ASKER
I'm talking about blocking inbound IP addresses. My users aren't trying to crash my servers. Some guy using China-based machines is whacking at us. Adding an IP address to the SonicWall block list is a manual process, so far as I can tell from Google searches. I want my applications to update a block file whenever they detect bad behavior.
ASKER CERTIFIED SOLUTION
tymccoy
ASKER
We need a way to automate updates to the SonicWall IP block list. SonicWall provides a web-based GUI for manually updating that list. We need an approach that enables automation.
tymccoy
ASKER
We can identify misbehavior. We can identify misbehaving IP addresses. All we want to do is block the IP address. Should be simple.
If SonicWall used a SQL database, we'd add a record to the database table. If SonicWall used a text .dat file or an XML file, we'd update that file with a new IP address.
What does the SonicWall have that we can update in real time with automation?
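The asker's pipeline above ("applications detect bad behavior, then update a block file") can be sketched as an added example; this is not code from the original thread or from SonicWall. The log format, the failure threshold, the never-block ranges and the output file name are all assumptions, and the example stops at producing the file: how a given firewall consumes it is not shown on this page. Two checks a practitioner would want are included: anything that does not parse as an IP address is dropped (a garbage log field must never become a firewall rule), and addresses inside your own management or internal ranges are never written out, so the automation cannot lock you out of the device.

```python
"""Turn application-side misbehaviour into a firewall-ready block list.

Added example with constructed input; the log format, threshold, allow-list
ranges and file name below are assumptions, not SonicWall's own format or API.
"""
import ipaddress
import os
import re
import tempfile
from collections import Counter
from typing import Iterable, List, Optional, Union

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
2016-08-03T10:00:01Z auth FAIL user=admin src=203.0.113.7
2016-08-03T10:00:02Z auth FAIL user=root src=203.0.113.7
2016-08-03T10:00:03Z auth FAIL user=test src=203.0.113.7
2016-08-03T10:00:04Z auth OK user=alice src=198.51.100.23
2016-08-03T10:00:05Z auth FAIL user=bob src=198.51.100.23
2016-08-03T10:01:00Z auth FAIL user=admin src=10.0.0.5
2016-08-03T10:01:01Z auth FAIL user=admin src=10.0.0.5
2016-08-03T10:01:02Z auth FAIL user=admin src=10.0.0.5
2016-08-03T10:02:00Z auth FAIL user=admin src=2001:db8::1
2016-08-03T10:02:01Z auth FAIL user=admin src=2001:db8::1
2016-08-03T10:02:02Z auth FAIL user=admin src=2001:db8::1
2016-08-03T10:03:00Z auth FAIL user=admin src=not-an-ip
2016-08-03T10:03:01Z auth FAIL user=admin src=not-an-ip
2016-08-03T10:03:02Z auth FAIL user=admin src=not-an-ip
"""

# Assumed log shape: a failed authentication line carries "src=<address>".
LINE_RE = re.compile(r"\bauth FAIL\b.*\bsrc=(?P<src>\S+)")
THRESHOLD = 3  # assumed policy: this many failures from one source earns a block

# Ranges that must never be blocked (assumed values): internal and management
# networks, so the automation cannot lock administrators out of the firewall.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def failures_by_source(lines: Iterable[str]) -> Counter:
    """Count failed-auth lines per raw source field (validated later)."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def blockable(src: str) -> Optional[IPAddr]:
    """Return the parsed address if it may go on the list, else None."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None  # unparsable field: never emit it as a firewall entry
    if any(ip in net for net in NEVER_BLOCK):
        return None  # our own ranges stay reachable no matter what the logs say
    return ip


def build_blocklist(lines: Iterable[str], existing: Iterable[str] = ()) -> List[str]:
    """Merge offenders above THRESHOLD into the existing list; sorted, deduplicated."""
    wanted = {ipaddress.ip_address(e) for e in existing}
    for src, n in failures_by_source(lines).items():
        if n >= THRESHOLD:
            ip = blockable(src)
            if ip is not None:
                wanted.add(ip)
    # v4 and v6 addresses are not mutually comparable, so sort by (version, value).
    return [str(ip) for ip in sorted(wanted, key=lambda a: (a.version, int(a)))]


def write_blocklist(path: str, entries: Iterable[str]) -> int:
    """Write one address per line, atomically, so a consumer never reads a half-written file."""
    entries = list(entries)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".blocklist-")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(entries) + ("\n" if entries else ""))
    os.replace(tmp, path)  # rename is atomic on POSIX filesystems
    return len(entries)


if __name__ == "__main__":
    new_entries = build_blocklist(SAMPLE_LOG.splitlines(), existing=["192.0.2.1"])
    count = write_blocklist("blocklist.txt", new_entries)
    print(f"wrote {count} entries: {new_entries}")
```

On the constructed input only 203.0.113.7 and 2001:db8::1 are written: 10.0.0.5 reaches the threshold but sits in a never-block range, 198.51.100.23 has a single failure, and the malformed `not-an-ip` entries are discarded. The approach is still reactive, which is the limitation the later reply in this thread raises; the allow-list and validation only keep the reaction from doing harm.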
Why not use region-based blocking and block all traffic from China? We have done this at our firewalls. The reason to do this is simple:
we don't have to be contacted by hosts from China.
Hi Benjamin,

I already suggested this in my previous comment (https:#a41717838); it's called Geo-IP filtering, and I also provided two better, secure ways of configuring open ports (limiting the source IPs and certificate-based auth). Even if you limit China via Geo-IP filtering, which is a good step (if you do not do business with them or indirectly use any of their datacenters via your vendors or others), you are still working on deprecated security principles: stateless packet inspection and blacklisting over whitelisting (meaning you allow everything in and blacklist specific IPs). Both are poor security practices. Conversely, the OP should be implementing DPI (Deep Packet Inspection), so that each packet's data is being inspected, and a whitelisting-over-blacklisting methodology (blocking everything; allowing only specifics in); otherwise the OP will never win this game, because inevitably the OP will set themselves up in a reactionary way instead of a proactive way. I can spoof and change IPs all day long and even encrypt my attacks. You'll never keep up and never know what is legitimate traffic and what is nefarious unless you are implementing what I have discussed (and, for the encrypted attack, setting up DPI-SSL); but a whitelisting-over-blacklisting methodology and/or cert-based auth, in the scenarios where you cannot limit the source IPs, will thwart this type of attack.