Matt Hodge

Problem with outside attack on phone system - using Sonicwall TZ300

Hi - We have been having an issue lately where our phone system is randomly being attacked by different outside IP addresses. I've created an address object for that IP with the zone assignment WAN / Type HOST / and the IP address. Then created a DENY access rule:
From: WAN
To: LAN
Source Port: Any
Service: Any
Source: Any
Destination: (the address object I created)
Users: All

But yet, after running Wireshark, I'm still seeing this IP is STILL somehow connecting and causing an issue. Am I doing something wrong? Any suggestions would be appreciated!
ScriptAddict

The best thing to do is reach out to SonicWall support if you have access to them.  

Look for other rules that may have priority over the rule you created that are allowing access.  
I agree with contacting SonicWall, but shouldn't you be blocking that IP as the Source, not the Destination?

From: WAN
To: LAN
Source Port: Any
Service: Any
Source: (the address object I created)
Destination: Any
Users: All
"shouldn't you be blocking that IP as the Source, not the Destination"

@Paul MacDonald brought up a good point. For WAN -> LAN, your object should be set as "source", not Destination.

You will need to make sure the custom deny comes before any custom WAN->LAN allow rules.

Interestingly enough, unless you opened ports to the outside (WAN), WAN->LAN traffic is denied by default unless modified or otherwise allowed.
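
The points raised in the replies above (block on Source rather than Destination, place the deny ahead of any WAN->LAN allow, default deny otherwise) can be checked with a small first-match model. This is an added example, not part of the original thread and not SonicWall code; the addresses, rule names and the existence of an allow rule to the phone system are assumptions, and NAT is ignored.

```python
# Simplified top-down, first-match model of WAN->LAN access rules.
# Added illustration only; every address and rule name is constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
ATTACKER = "203.0.113.50"   # constructed outside address
PBX = "192.168.1.10"        # constructed phone system address

@dataclass
class Rule:
    name: str
    action: str               # "allow" or "deny"
    source: IPv4Network       # compared with the packet's source
    destination: IPv4Network  # compared with the packet's destination

def evaluate(rules, src, dst):
    """Return (action, rule name) for the first rule that matches.
    Traffic that matches nothing hits the default WAN->LAN deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if src in rule.source and dst in rule.destination:
            return rule.action, rule.name
    return "deny", "default WAN->LAN deny"

# Assumed existing rule that exposes the phone system to the WAN.
allow_pbx = Rule("allow-to-pbx", "allow", ANY, ip_network(PBX + "/32"))
# The rule as first posted: attacker address in the Destination field.
deny_as_dst = Rule("deny-attacker-as-destination", "deny", ANY, ip_network(ATTACKER + "/32"))
# The rule as suggested in the replies: attacker address in the Source field.
deny_as_src = Rule("deny-attacker-as-source", "deny", ip_network(ATTACKER + "/32"), ANY)

def scenarios():
    """Evaluate an attacker->PBX packet against each rule arrangement."""
    return {
        "attacker as Destination": evaluate([deny_as_dst, allow_pbx], ATTACKER, PBX),
        "attacker as Source, below allow": evaluate([allow_pbx, deny_as_src], ATTACKER, PBX),
        "attacker as Source, above allow": evaluate([deny_as_src, allow_pbx], ATTACKER, PBX),
        "no allow rule present": evaluate([], ATTACKER, PBX),
        "other caller, corrected rules": evaluate([deny_as_src, allow_pbx], "198.51.100.7", PBX),
    }

if __name__ == "__main__":
    for label, (action, rule) in scenarios().items():
        print(f"{label:34} -> {action:5} ({rule})")
```

Only the arrangement with the attacker as Source and the deny placed above the allow actually drops the packet; in the other two cases the inbound packet never matches the deny and falls through to the allow rule.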
Matt Hodge (ASKER)

This makes sense. Thank you for the response. One thing also to mention, the problem here is, this is the 3rd time this has happened in 2 months, and of course, all with different IP addresses. If it continues to happen, creating this deny rule will only be putting a band-aid on the problem without actually fixing it. After running Wireshark, we noticed that the attack was using the SIP protocol. Would it make sense to create a rule like:

DENY
From: WAN
To: LAN
Source Port: SIP
Service: Any
Source: Any
Destination: Any or address object of phone system

Any help would be appreciated!