Solved

Sonicwall Firewall Access Rule..

Posted on 2016-11-24
8
32 Views
Last Modified: 2016-11-30
I created a 'firewall access rule' to allow IPP printing between our wireless zone and our LAN zone.

When the rule had Destination: Any the IPP printer could not be added.
any rule
The moment I changed it to Destination: LAN Subnets the printer could be added and users can print.
lansubnets rule
Sure Any includes LAN Subnets?

Just a bit confused...
0
Comment
Question by:matedwards
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 41900609
Hi, If the printer is on the LAN subnet then it should be the right rule. However you can you be more specific and add a address based rule by adding Printer IP as a address entry.

Hope this helps.
0
 

Author Comment

by:matedwards
ID: 41900699
Thanks Ram.. the printer is on the LAN.

But why doesn't 'any' work as a destination as well?
0
 
LVL 29

Expert Comment

by:masnrock
ID: 41905939
That's very dangerous as you even have it defined. As you've set it up, it is generic enough to even imply that parties outside the firewall could set up the printer. If someone opened the IPP port on the firewall and pointed it to any of your printers, you'd get a demonstration of what I mean.

You should have source being whatever the source zone is, and the destination being the specific LAN that has the printers. Allow rules should always be operating off of the idea of least privilege.
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41906313
Allow from ANY means anyone, anywhere.. some nefarious person on the internet could print 10,000 copies of a totally black page.  To Anywhere means that it will also print over the internet Again as recommended above, least priviledge
0
 

Author Comment

by:matedwards
ID: 41907116
Thanks for the heads up guys.. I shall lock it down for sure.

Just a couple of questions if I could:

1. So LAN Subnets is not part of 'any'?

2. I thought the rule was WLAN zone to LAN zone, so how could this rule apply to anyone on the internet (wan zone)?

Thanks again guys
0
 
LVL 29

Expert Comment

by:masnrock
ID: 41907240
Now that you've said that, it makes more sense. I figured that was your intent, but you know what they say about assuming...

Even then, the Any/Any rule would imply any WLAN to any LAN. However, the Sonicwall may have had a rule that is explicitly blocking access ahead of it. Remember with firewalls, the order the rules are processed in are just as important as the rules themselves.

I'd name out the specific WLAN and LAN within the rule you're creating, then it's also obvious to anyone who has to look at the rule set.
1
 
LVL 2

Accepted Solution

by:
Robert Holmes earned 500 total points
ID: 41908030
Hi Matedwards,

What I have seen with firewalls is the concept of most specific rule overrules least specific rules, this is what could be happening here.

By being more specific in your rule (defining the LAN Subnet as the destination), the firewall will ensure the rule is delivered before any rules that are less specific (ones that have Any as the destination).

This will also depend on what type of zone is set for the WLAN zone. Different zone types in SonicWALL devices have different security levels and this may be affecting the Any destination rule.

As a general rule with developing firewall rules, the more specific or granular the better, it will provide more security and less time troubleshooting access issues.

Please reply if you have any questions or require clarification.
0
 

Author Comment

by:matedwards
ID: 41908264
Sorry mansrock, I missed your last post.
I will request to split the answer with your last comment and Roberts.
Many thanks to you both.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question