How do you add IPs to a whitelist on a SonicWall firewall?

I need to add one of our vendor's IPs to our SonicWall so they are not blocked.

How?
J.R. Sitman, IT Director, Asked:

Blue Street Tech, Last Knight, Commented:
Hi J.R.

In what security service are they being blocked, e.g. GAV, IPS, Geo-IP/Botnet Filtering, etc.?

In any case you need to create an Address Object with their WAN IP address. Then you can add it to the security service Exclusions List. I'd recommend creating an Address Object Group after you create the Address Object, then add the Address Object to the Group and make the Group the default Exclusions List object.

Let me know if you have any other questions!
0
J.R. Sitman, IT Director, Author Commented:
Can you give me step by step, please.   My Firewall support guy is on vacation.
0
Blue Street Tech, Last Knight, Commented:
What is the model and SonicOS version... both can be found once you log in on the Status page?

How are you seeing them being blocked...logs, someone telling you? You are going to have to provide a little more info than...Need to add IP address!
0
J.R. Sitman, IT Director, Author Commented:
TZ 215  OS 5.9.0.6-3o
0
Blue Street Tech, Last Knight, Commented:
OK, thanks but I'm going to need to know more info...like which network segment are they being blocked from? Which service is blocking them? How are they trying to gain access to your network? Does the vendor have more than one IP address? Is it dynamic or static?

Go to Network > Address Objects and click Add.

Name: <put in the vendor's name then WAN>
Zone Assignment: <WAN but not sure until you provide more info>
Type: FQDN (I changed this from Host based on your comment below)
IP Address: <Public IP address of your vendor>

I need answers to these questions to accurately instruct you!
0

J.R. Sitman, IT Director, Author Commented:
They are not being blocked.  It is our Payflow account.  See below for what they sent us.  

We announced earlier this year our plans to provide a more robust service by introducing additional IP addresses to the Payflow production and pilot environments. To minimize potential impact, we recommend that you use Domain Name Service (DNS) host names instead of hard-coding Payflow IP addresses.
However, if you must allow particular IP addresses through your firewall or proxy servers, please review our list of Payflow IP addresses to ensure that the appropriate IPs are configured in your firewall/proxy settings by January 10, 2018.

Please review our bulletin for additional information (including potential impacts) regarding this initiative. Any changes to the schedule will be updated on the bulletin.
0
Blue Street Tech, Last Knight, Commented:
Ok I changed my post above to reflect that (changed Type from Host to FQDN). So this is an application that requires inbound access to your network? Do you have the FQDNs? What port/services do they require open? What networks and servers does it need to reach?

There is a lot of info needed in order to do this and I'm not sure you have it all. But if you can answer these then we can set it up!
0
masnrock Commented:
It would be outbound traffic that would have to be worried about, and it also appears that the whitelisting revolves around CFS (content filter). While chances are that nothing will have to get done, it never hurts to get it over with either.

I second Blue's comment about whitelisting by FQDN rather than by IP address, which may require at some point getting rid of the IPs and substituting in the FQDNs. You should have an Address Group that has the appropriate FQDN Address Objects. Rather than type out all of the instructions, I'm going to present an article from Sonicwall's knowledgebase: https://www.sonicwall.com/en-us/support/knowledge-base/170504529577299
0
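The vendor notice quoted above and the replies both favour host names over hard-coded IP addresses. The sketch below is an added example, not part of the thread and not SonicWall or vendor code: it checks a static IP allowlist against what the vendor's host names currently resolve to. The host names, addresses and function names are constructed placeholders.

```python
import ipaddress
import socket

# Constructed sample data: .example hostnames and documentation-range addresses,
# standing in for a vendor's published names and a hard-coded firewall allowlist.
SAMPLE_ALLOWLIST = ["198.51.100.10", "198.51.100.11", "203.0.113.0/28"]
SAMPLE_DNS = {
    "payments.vendor.example": ["198.51.100.10", "198.51.100.12"],
    "reports.vendor.example": ["203.0.113.5"],
}

def resolve(hostname):
    """Live lookup: the set of addresses a hostname resolves to right now."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def sample_resolver(hostname):
    """Offline stand-in for resolve(), backed by the constructed table above."""
    return {ipaddress.ip_address(a) for a in SAMPLE_DNS[hostname]}

def audit_allowlist(allowlist, hostnames, resolver=resolve):
    """Compare a static IP/CIDR allowlist with what the hostnames resolve to.

    Returns (uncovered, stale): uncovered maps each hostname to resolved
    addresses that no allowlist entry covers (traffic to them would not match
    the rule); stale lists allowlist entries that matched no resolved address
    (candidates for removal so the rule is no wider than needed).
    """
    networks = {e: ipaddress.ip_network(e, strict=False) for e in allowlist}
    used, uncovered = set(), {}
    for host in hostnames:
        for addr in sorted(resolver(host), key=lambda a: (a.version, int(a))):
            hits = [e for e, net in networks.items()
                    if net.version == addr.version and addr in net]
            if hits:
                used.update(hits)
            else:
                uncovered.setdefault(host, []).append(str(addr))
    stale = [e for e in allowlist if e not in used]
    return uncovered, stale

if __name__ == "__main__":
    missing, unused = audit_allowlist(SAMPLE_ALLOWLIST, list(SAMPLE_DNS),
                                      resolver=sample_resolver)
    for host, addrs in missing.items():
        print(f"{host}: not covered by allowlist: {', '.join(addrs)}")
    print("allowlist entries matching no resolved address:", unused)
```

A single lookup may return only part of a rotating address pool, so repeat the check over time before removing an entry reported as stale.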
J.R. Sitman, IT Director, Author Commented:
I don't know why I never received notice that this post had been updated.  See attached for what is being required of us.

ip's
0
masnrock Commented:
I would use the domains in the URLs you were provided.
0
Blue Street Tech, Last Knight, Commented:
If nothing is being blocked then it is still unclear what you are trying to do with this vendor...

Please answer the questions from my earlier post:

  • So this is an application that requires inbound access to your network?
  • Do you have the FQDNs?
  • What port/services do they require open?
  • What networks and servers does it need to reach?
0
J.R. Sitman, IT Director, Author Commented:
@Blue Street Tech.  Yes, we used it to transmit and receive funds and run reports.
I only have their IPs that I listed.
They do not require a specific port.  They are asking us to "Whitelist" their IPs.
Needs to reach the IPs they provided.
0
Blue Street Tech, Last Knight, Commented:
These are the most vague instructions... you have to understand.

They are asking us to "Whitelist" their IPs
If we are talking about your mail server... this would not require any more info in order to achieve, but we are talking about a UTM (Unified Threat Management) device... it requires more info by default.

If nothing is being blocked why are you whitelisting anything? Are you wanting to preventatively whitelist your security services, e.g. Content Web Filtering, Gateway Antivirus, etc.? If so, do you have active licenses? You can check System > Licensing and screenshot that page. If you have the licensing I have already provided the steps to whitelist those IPs from your security services above.

If you don't know what ports need to be opened nor what internal servers need to communicate with this service you can't allow communication in your network. Outbound communication will occur by default unless you are filtering outbound traffic, in which case, again you'll need to know ports and internal servers.

Call your vendor; they aren't providing enough info.
0
J.R. Sitman, IT Director, Author Commented:
Thanks.  I reviewed both posts and believe I understand what needs to be done.
0