Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Sonicwall Firewall Access Rule..

Posted on 2016-11-24
8
Medium Priority
?
48 Views
Last Modified: 2016-11-30
I created a 'firewall access rule' to allow IPP printing between our wireless zone and our LAN zone.

When the rule had Destination: Any the IPP printer could not be added.
any rule
The moment I changed it to Destination: LAN Subnets the printer could be added and users can print.
lansubnets rule
Sure Any includes LAN Subnets?

Just a bit confused...
0
Comment
Question by:matedwards
8 Comments
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 41900609
Hi, If the printer is on the LAN subnet then it should be the right rule. However you can you be more specific and add a address based rule by adding Printer IP as a address entry.

Hope this helps.
0
 

Author Comment

by:matedwards
ID: 41900699
Thanks Ram.. the printer is on the LAN.

But why doesn't 'any' work as a destination as well?
0
 
LVL 33

Expert Comment

by:masnrock
ID: 41905939
That's very dangerous as you even have it defined. As you've set it up, it is generic enough to even imply that parties outside the firewall could set up the printer. If someone opened the IPP port on the firewall and pointed it to any of your printers, you'd get a demonstration of what I mean.

You should have source being whatever the source zone is, and the destination being the specific LAN that has the printers. Allow rules should always be operating off of the idea of least privilege.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 41906313
Allow from ANY means anyone, anywhere.. some nefarious person on the internet could print 10,000 copies of a totally black page.  To Anywhere means that it will also print over the internet Again as recommended above, least priviledge
0
 

Author Comment

by:matedwards
ID: 41907116
Thanks for the heads up guys.. I shall lock it down for sure.

Just a couple of questions if I could:

1. So LAN Subnets is not part of 'any'?

2. I thought the rule was WLAN zone to LAN zone, so how could this rule apply to anyone on the internet (wan zone)?

Thanks again guys
0
 
LVL 33

Expert Comment

by:masnrock
ID: 41907240
Now that you've said that, it makes more sense. I figured that was your intent, but you know what they say about assuming...

Even then, the Any/Any rule would imply any WLAN to any LAN. However, the Sonicwall may have had a rule that is explicitly blocking access ahead of it. Remember with firewalls, the order the rules are processed in are just as important as the rules themselves.

I'd name out the specific WLAN and LAN within the rule you're creating, then it's also obvious to anyone who has to look at the rule set.
1
 
LVL 2

Accepted Solution

by:
Robert Holmes earned 2000 total points
ID: 41908030
Hi Matedwards,

What I have seen with firewalls is the concept of most specific rule overrules least specific rules, this is what could be happening here.

By being more specific in your rule (defining the LAN Subnet as the destination), the firewall will ensure the rule is delivered before any rules that are less specific (ones that have Any as the destination).

This will also depend on what type of zone is set for the WLAN zone. Different zone types in SonicWALL devices have different security levels and this may be affecting the Any destination rule.

As a general rule with developing firewall rules, the more specific or granular the better, it will provide more security and less time troubleshooting access issues.

Please reply if you have any questions or require clarification.
0
 

Author Comment

by:matedwards
ID: 41908264
Sorry mansrock, I missed your last post.
I will request to split the answer with your last comment and Roberts.
Many thanks to you both.
0

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Still wondering grappling over to strengthen your password, worry no more. Choose a Strong Passphrase instead though second factor is highly recommended. Read on more on the how-to and tips to enhance your "password" using easier to remember passphr…
Although free tools can be helpful to a limited extent, it’s better to stick to paid versions for business use.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question