Solved

Sonicwall Firewall Access Rule..

Posted on 2016-11-24
8
31 Views
Last Modified: 2016-11-30
I created a 'firewall access rule' to allow IPP printing between our wireless zone and our LAN zone.

When the rule had Destination: Any the IPP printer could not be added.
any rule
The moment I changed it to Destination: LAN Subnets the printer could be added and users can print.
lansubnets rule
Sure Any includes LAN Subnets?

Just a bit confused...
0
Comment
Question by:matedwards
8 Comments
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 41900609
Hi, If the printer is on the LAN subnet then it should be the right rule. However you can you be more specific and add a address based rule by adding Printer IP as a address entry.

Hope this helps.
0
 

Author Comment

by:matedwards
ID: 41900699
Thanks Ram.. the printer is on the LAN.

But why doesn't 'any' work as a destination as well?
0
 
LVL 27

Expert Comment

by:masnrock
ID: 41905939
That's very dangerous as you even have it defined. As you've set it up, it is generic enough to even imply that parties outside the firewall could set up the printer. If someone opened the IPP port on the firewall and pointed it to any of your printers, you'd get a demonstration of what I mean.

You should have source being whatever the source zone is, and the destination being the specific LAN that has the printers. Allow rules should always be operating off of the idea of least privilege.
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41906313
Allow from ANY means anyone, anywhere.. some nefarious person on the internet could print 10,000 copies of a totally black page.  To Anywhere means that it will also print over the internet Again as recommended above, least priviledge
0
 

Author Comment

by:matedwards
ID: 41907116
Thanks for the heads up guys.. I shall lock it down for sure.

Just a couple of questions if I could:

1. So LAN Subnets is not part of 'any'?

2. I thought the rule was WLAN zone to LAN zone, so how could this rule apply to anyone on the internet (wan zone)?

Thanks again guys
0
 
LVL 27

Expert Comment

by:masnrock
ID: 41907240
Now that you've said that, it makes more sense. I figured that was your intent, but you know what they say about assuming...

Even then, the Any/Any rule would imply any WLAN to any LAN. However, the Sonicwall may have had a rule that is explicitly blocking access ahead of it. Remember with firewalls, the order the rules are processed in are just as important as the rules themselves.

I'd name out the specific WLAN and LAN within the rule you're creating, then it's also obvious to anyone who has to look at the rule set.
1
 
LVL 2

Accepted Solution

by:
Robert Holmes earned 500 total points
ID: 41908030
Hi Matedwards,

What I have seen with firewalls is the concept of most specific rule overrules least specific rules, this is what could be happening here.

By being more specific in your rule (defining the LAN Subnet as the destination), the firewall will ensure the rule is delivered before any rules that are less specific (ones that have Any as the destination).

This will also depend on what type of zone is set for the WLAN zone. Different zone types in SonicWALL devices have different security levels and this may be affecting the Any destination rule.

As a general rule with developing firewall rules, the more specific or granular the better, it will provide more security and less time troubleshooting access issues.

Please reply if you have any questions or require clarification.
0
 

Author Comment

by:matedwards
ID: 41908264
Sorry mansrock, I missed your last post.
I will request to split the answer with your last comment and Roberts.
Many thanks to you both.
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question