Firewall > Access Rules

The Firewall>Access Rules page provides a sortable access rule management interface. Use this interface to configure access rules by zones and configuring bandwidth management using access rules.

Alert! The ability to define Network Access Rules is a very powerful tool. Using custom rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting Network Access Rules.

Tip! More information on Network Access Rules.

Note! The SonicWALL supports up to 300 Network Access Rules.

Displaying Access Rules with View Styles

Access rules can be displayed in multiple views using SonicOS Enhanced. You can select the type of view from the selections in the View Style section. The following View Styles are available:

Tip: You can also view access rules by Zones. Use the Option checkboxes in the From Zone and To Zone column. Select LAN, WAN, VPN, ALL from the From Zone column. And then select LAN, WAN, VPN, ALL from the To Zone column. Click OK to display the access rules.

Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.

Configuring Access Rules for a Zone

To display the Access Rules for a specific zone, select a zone from the Matrix, Drop-down Boxes, or All Rules view.

The access rules are sorted from the most specific at the top, to less specific at the bottom of the table. At the bottom of the table is the Any rule. The default access rule is all IP services except those listed in the Access Rules page. Access rules can be created to override the behavior of the Any rule; for example, the Any rule allows users on the LAN to access all Internet services, including NNTP News.

You can change the priority ranking of an access rule by clicking the Arrows icon in the Priority column. The Change Priority window is displayed. Enter the new priority number (1-10) in the Priority field, and click OK.

Tip: If the Trash can or Notepad icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.

Adding Access Rules

To add access rules to the SonicWALL security appliance, click the Add at the bottom of the Access Rules table. The Add Rule window is displayed.

Connection Limiting

The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with such SonicOS features as SYN Cookies and Intrusion Prevention Services (IPS). Connection limiting provides a means of throttling connections through the SonicWALL using Access Rules as a classifier, and declaring the maximum percentage of the total available connection cache that can be allocated to that class of traffic.

Coupled with IPS, this can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted ->Untrusted traffic (i.e. LAN->WAN). Malicious activity of this sort can consume all available connection-cache resources in a matter of seconds, particularly on smaller appliances.

The following table delineates the connection-cache size of currently available SonicWALL devices running SonicOS Enhanced (numbers are subject to change):

SonicWALL Security Appliance Connection Cache Maximum
SonicWALL Security Appliance Connection Cache Maximum
TZ 150 2,048
TZ 170 (all versions) 6,144
PRO 2040 32,768
PRO 3060 131,072
PRO 4060 524,288
PRO 5060 750,000

In addition to mitigating the propagation of worms and viruses, Connection limiting can be used to alleviate other types of connection-cache resource consumption issues, such as those posed by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to allow these services), or internal or external hosts using packet generators or scanning tools.

Finally, connection limiting can be used to protect publicly available servers (e.g. web-servers) by limiting the number of legitimate inbound connections permitted to the server (i.e. to protect the server against the Slashdot-effect). This is different from SYN flood protection which attempts to detect and prevent partially-open or spoofed TCP connection. This will be most applicable for Untrusted'Trusted traffic, but it can be applied to any Zone'Zone traffic as needed.

Connection limiting is applied by defining a percentage of the total maximum allowable connections that may be allocated to a particular type of traffic. The above figures show the default LAN ->WAN setting, where all available resources may be allocated to LAN->WAN (any source, any destination, any service) traffic.

More specific rules can be constructed; for example, to limit the percentage of connections that can be consumed by a certain type of traffic (e.g. FTP traffic to any destination on the WAN), or to prioritize important traffic (e.g. HTTPS traffic to a critical server) by allowing 100% to that class of traffic, and limiting general traffic to a smaller percentage (minimum allowable value is 1%).

It is not possible to use IPS signatures as a connection limiting classifier; only Access Rules (i.e. Address Objects and Service Objects) are permissible.

Configuring QoS and BWM in SonicOS Enhanced

Note: For complete QoS and BWM configuration intrustions refer to the SonicOS Enhanced 3.1 Administrator's Guide available on the SonicWALL Web site

SonicOS Enhanced 3.1 supports Quality of Service (QoS), which adds the ability to recognize, map, modify and generate the
industry-standard 802.1p and Differentiated Services Code Points (DSCP) Class of Service (CoS) designators. When used in combination with a Quality of Service (QoS) capable network infrastructure, SonicOS QoS features provide predictability that is vital for certain types of applications, such as Voice over IP (VoIP), multimedia content, or business-critical applications such as credit-card processing.

Note: 802.1p tagging is not supported on the SonicWALL PRO 1260.

SonicOS Enhanced also offers an integrated traffic shaping mechanism through its Egress (outbound) and Ingress (inbound) bandwidth management (BWM) interfaces. Outbound BWM can be applied to traffic sourced from Trusted and Public Zones (e.g. LAN and DMZ) destined to Untrusted and Encrypted Zones (e.g. WAN and VPN). Inbound BWM can be applied to traffic sourced from Untrusted and Encrypted Zones destined to Trusted and Public Zones.

Note: Although BWM is a fully integrated QoS system, wherein classification and shaping is performed on the single SonicWALL appliance, effectively eliminating the dependency on external systems and thus obviating the need for marking, it is possible to concurrently configure BWM and QoS (i.e. layer 2 and/or layer 3 marking) settings on a single Access Rule. This allows those external systems to benefit from the classification performed on the SonicWALL even after it has already shaped the traffic.

Help Table of Contents