
Understanding the Network Access Rules Hierarchy

To determine whether a packet is allowed through, the SonicWALL firewall appliance checks its source IP address, destination IP address, and port against the firewall rules.

 
Note
Firewall rules take precedence over the default Firewall functions. Because it is possible to disable all protection or block all access to the Internet, use caution when creating or deleting network access rules.

Network access rules do not disable protection from Denial of Service attacks such as SYN Flood, Ping of Death, and LAND. However, a rule that opens a service also exposes the application listening behind it, so it is possible to create vulnerabilities to attacks that exploit application weaknesses.

It is important to consider the purpose and ramifications of a rule before adding it to the firewall rule list. Use the following guidelines to determine the rule logic:

• What is the purpose of the rule? For example, “This rule will restrict all Internet Relay Chat (IRC) access from the LAN (WorkPort) to the Internet.” Or, “This rule will allow a remote Lotus Notes server to synchronize with our internal Notes server via the Internet.”
• Will the rule allow or deny traffic?
• What is the flow of the traffic: LAN (WorkPort) to Internet or Internet to LAN (WorkPort)?
• Which IP services will be affected?
• Which computers on the LAN (WorkPort) will be affected?
• Which computers on the Internet will be affected? Be as specific as possible. For example, if traffic is being allowed from the Internet to the LAN (WorkPort), it is better to allow only specific computers to access the LAN or WorkPort.

After determining the logic of the rule, consider the ramifications:

• Will this rule stop LAN (WorkPort) users from accessing important resources on the Internet? For example, if IRC is blocked, are there users who require this service?
• Can the rule be made more specific? For example, if IRC is blocked for all users, would a rule that blocks only certain users be more effective?
• Will this rule allow Internet users to access LAN or WorkPort resources in a way that makes the LAN vulnerable? For example, if the NetBIOS ports (UDP 137 and 138, TCP 139) are allowed from the Internet to the LAN, Internet users may be able to connect to PCs that have file sharing enabled.
• Does this rule conflict with other rules?

The rule hierarchy uses two basic concepts:

• Specific rules override general rules.
• Equally specific Deny rules override Allow rules.

For example: a rule defining a specific service is more specific than the Default rule; a defined Ethernet link, such as LAN (WorkPort), or WAN, is more specific than * (all); and a single IP address is more specific than an IP address range.

Rules are listed in the LAN (WorkPort) Interface window from most specific to the least specific, and rules at the top override rules listed below.

To illustrate this, consider the rules shown below:

 
Table 11 Sample Rules

#   Action   Service        Source                                Destination
1   Deny     Chat (IRC)     206.18.25.4 (LAN)                     148.178.90.55 (WAN)
2   Allow    Ping           199.2.23.0 - 199.2.23.255 (WAN)       206.18.25.4 (LAN)
3   Deny     Web (HTTP)     216.37.125.0 - 216.37.125.255 (WAN)   *
4   Allow    Lotus Notes    WAN                                   LAN (WorkPort)
5   Deny     News (NNTP)    LAN (WorkPort)                        *
6   Deny     Default        *                                     LAN (WorkPort)
7   Allow    Default        LAN (WorkPort)                        *

The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN (WorkPort) out to the WAN. However, Rule #5 blocks all NNTP traffic from the LAN (WorkPort).

The Default Deny Rule (#6) blocks traffic from the WAN to the LAN (WorkPort). However, Rule #4 overrides part of this rule by allowing Lotus Notes into the LAN (WorkPort) from the WAN.
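The rule hierarchy above, as an added example that is not part of the original documentation or of SonicWALL's own implementation: a small Python model of the seven rules in Table 11 that selects the most specific matching rule and lets Deny win ties. The numeric specificity score (one point for a named service, and 0/1/2/3 for any/interface/range/single host on each endpoint, summed), the implicit deny when nothing matches, the CIDR form of the address ranges and the shortened service names are modelling assumptions, not behaviour stated on the page.

```python
"""Model of the access-rule hierarchy in Table 11 (added example, not SonicWALL code).

Assumptions not stated on the page: specificity is scored numerically and
summed over service, source and destination; a packet matching no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Endpoint specificity, most general to most specific.
SPEC_ANY, SPEC_IFACE, SPEC_RANGE, SPEC_HOST = 0, 1, 2, 3


@dataclass(frozen=True)
class Endpoint:
    zone: str                                    # "LAN", "WAN" or "*" (all)
    net: Optional[ipaddress.IPv4Network] = None  # None = the whole zone

    def matches(self, zone: str, ip: str) -> bool:
        if self.zone != "*" and self.zone != zone:
            return False
        return self.net is None or ipaddress.ip_address(ip) in self.net

    def specificity(self) -> int:
        if self.net is None:
            return SPEC_ANY if self.zone == "*" else SPEC_IFACE
        return SPEC_HOST if self.net.num_addresses == 1 else SPEC_RANGE


@dataclass(frozen=True)
class Rule:
    number: int
    action: str    # "Allow" or "Deny"
    service: str   # a named service, or "Default" for any service
    src: Endpoint
    dst: Endpoint

    def matches(self, service, src_zone, src_ip, dst_zone, dst_ip) -> bool:
        return (self.service in ("Default", service)
                and self.src.matches(src_zone, src_ip)
                and self.dst.matches(dst_zone, dst_ip))

    def specificity(self) -> int:
        # A named service is more specific than Default (assumed: one point).
        return ((0 if self.service == "Default" else 1)
                + self.src.specificity() + self.dst.specificity())


def ep(zone: str, cidr: Optional[str] = None) -> Endpoint:
    return Endpoint(zone, ipaddress.ip_network(cidr) if cidr else None)


# Table 11, transcribed (ranges written as CIDR, service names shortened).
RULES = [
    Rule(1, "Deny", "IRC", ep("LAN", "206.18.25.4/32"), ep("WAN", "148.178.90.55/32")),
    Rule(2, "Allow", "Ping", ep("WAN", "199.2.23.0/24"), ep("LAN", "206.18.25.4/32")),
    Rule(3, "Deny", "HTTP", ep("WAN", "216.37.125.0/24"), ep("*")),
    Rule(4, "Allow", "Lotus Notes", ep("WAN"), ep("LAN")),
    Rule(5, "Deny", "NNTP", ep("LAN"), ep("*")),
    Rule(6, "Deny", "Default", ep("*"), ep("LAN")),
    Rule(7, "Allow", "Default", ep("LAN"), ep("*")),
]


def _rank(rule: Rule):
    # Highest specificity first; among equally specific rules, Deny before Allow.
    return (-rule.specificity(), rule.action != "Deny")


def ordered(rules) -> list:
    """Rule numbers in the order the interface window lists them."""
    return [r.number for r in sorted(rules, key=_rank)]


def decide(rules, service, src_zone, src_ip, dst_zone, dst_ip) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the winning rule, or ("Deny", None)
    when nothing matches (assumed implicit deny)."""
    matching = [r for r in rules if r.matches(service, src_zone, src_ip, dst_zone, dst_ip)]
    if not matching:
        return "Deny", None
    best = min(matching, key=_rank)
    return best.action, best.number


if __name__ == "__main__":
    print("listing order:", ordered(RULES))
    # The two cases discussed in the text: NNTP out of the LAN, Lotus Notes into it.
    print("NNTP LAN->WAN:", decide(RULES, "NNTP", "LAN", "206.18.25.7", "WAN", "203.0.113.9"))
    print("Notes WAN->LAN:", decide(RULES, "Lotus Notes", "WAN", "203.0.113.9", "LAN", "206.18.25.7"))
    # Equally specific Deny (#6) and Allow (#7) both match LAN->LAN traffic: Deny wins.
    print("HTTP LAN->LAN:", decide(RULES, "HTTP", "LAN", "206.18.25.4", "LAN", "206.18.25.9"))
```

With this scoring the seven rules sort into exactly the order Table 11 lists them, and the LAN-to-LAN case shows why the "equally specific Deny overrides Allow" tie-break matters: rules 6 and 7 score the same, and only the tie-break makes the outcome predictable.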

Configuring Firewall Settings in SonicOS Enhanced

The following sections describe how to configure Firewall settings in SonicOS Enhanced:

• “Configuring Firewall Rules in SonicOS Enhanced” section
• “Configuring Advanced Firewall Settings” section
• “Configuring Bandwidth Management” section
• “Configuring Multicast Settings” section
• “Configuring Voice over IP Settings” section
• “Configuring TCP Settings” section
• “Configuring Quality of Service Mapping” section
• “Configuring SSL Control” section

Configuring Firewall Rules in SonicOS Enhanced

To configure rules for SonicOS Enhanced, the service or service group that the rule will apply to must be defined first. If it is not, define the service or service group and then create one or more rules for it.

To create one or more rules for the service, refer to the “Configuring Access Rules” section.

To configure a service or service group, refer to the “Configuring Service Objects” section and the “Adding a Service Group” section.

Configuring Access Rules

The following procedure describes how to add, modify, reset to defaults, or delete firewall rules for SonicWALL firewall appliances running SonicOS Enhanced. For appliances running SonicOS Enhanced, GMS supports paginated navigation and sorting by column header on the Access Rules screen. In the Access Rules table, you can click the column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.

By hovering your mouse over entries on the Access Rules screen, you can display information about an object, such as an Address Object or Service.

To configure an access rule, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click Access Rules. The Access Rules page displays. The Firewall > Access Rules page enables you to select multiple views of Access Rules, including pull-down boxes, Matrix, and All Rules. The default view is the Matrix View, which provides a matrix of source and destination nodes between LAN, WAN, VPN, Multicast, and WLAN.
3. From the Matrix View, click the Edit icon for the source and destination interfaces for which you will configure a rule. The Access Rules table for that interface pair displays.
4. Below the Access Rules table, click Add Rule. The Add Rule dialog box displays.
5. Select whether access to this service will be allowed or denied.

Note
If a policy has a “No-Edit” policy action, the Action radio buttons will not be editable.

6. Select a service from the Service Name list box. If the service does not exist, refer to the “Configuring Service Objects” section.
7. Select the source Address Object from the Source list box.
8. Select the destination Address Object from the Destination list box.
9. Specify whether this rule applies to all users or to an individual user or group in the Users Allowed list box.
10. Specify when the rule will be applied by selecting a schedule or Schedule Group from the Schedule list box. If the rule will always be applied, select Always on. If the schedule does not exist, refer to the “Configuring Schedules” section.
11. To enable logging for this rule, select the Logging check box.
12. Select the Allow Fragmented Packets check box to allow fragmented packets.

Caution
Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. Enable the Allow Fragmented Packets check box only if users are experiencing problems accessing certain applications and the SonicWALL logs show many dropped fragmented packets.

13. Add any comments to the Comment field.
14. Click the Advanced tab.
15. In the TCP Connectivity Inactivity Timeout field, specify how long (in minutes) TCP connections may remain idle before the connection is terminated.
16. In the UDP Connectivity Inactivity Timeout field, specify how long (in seconds) UDP connections may remain idle before the connection is terminated.
17. In the Number of connections allowed (% of maximum connections) field, specify the percentage of the appliance's maximum connections that this rule is allowed to consume.
18. To limit the number of connections allowed per source IP address, select Enable connection limit for each Source IP Address and enter the value in the Threshold field (only available for Allow rules).
19. To limit the number of connections allowed per destination IP address, select Enable connection limit for each Destination IP Address and enter the value in the Threshold field (only available for Allow rules).
20. Click the QoS tab. For information on configuring the QoS tab, refer to the “Configuring Quality of Service Mapping” section.
21. Click the Bandwidth tab. The Bandwidth page displays. SonicWALL appliances can manage inbound and outbound traffic on the primary WAN interface using bandwidth management.
22. To enable outbound bandwidth management for this service, select the Enable Outbound Bandwidth Management check box, then set the following:

Enter the amount of bandwidth that will always be available to this service in the Guaranteed Bandwidth field, and select either % or Kbps in the pull-down list. Keep in mind that this bandwidth is permanently assigned to this service and is not available to other services, regardless of how much of it this service actually uses.

Enter the maximum amount of bandwidth that will be available to this service in the Maximum Bandwidth field.

Select the priority of this service from the Bandwidth Priority list box, from 0 (highest) to 7 (lowest).

23. To enable inbound bandwidth management for this service, select the Enable Inbound Bandwidth Management check box, then set Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority for the inbound direction in the same way as in the previous step.

Note
In order to configure bandwidth management for this service, bandwidth management must be enabled on the SonicWALL appliance. For information on configuring bandwidth management in SonicOS Standard, refer to the “Configuring Ethernet Settings” section. For SonicOS Enhanced, refer to the “Overview of Interfaces” section.

24. To track bandwidth usage for this service, select the Enable Tracking Bandwidth Usage check box.
25. To add this rule to the rule list, click OK. You are returned to the Access Rules page.
26. If the network access rules have been modified or deleted, you can restore the Default Rules, which block all inbound IP traffic from the WAN and allow all outbound IP traffic from the LAN. To restore the network access rules to their default settings, click Restore Rules to Defaults and then click Update. A task is scheduled to update the rules page for each selected SonicWALL appliance.
27. To modify a rule, click its Edit icon. The Add/Modify Rule dialog box displays. When you are finished making changes, click OK. SonicWALL GMS creates a task that modifies the rule for each selected SonicWALL appliance.
28. To enable logging for a rule, select its Logging check box.
29. To disable a rule without deleting it, deselect its Enable check box.
30. To delete a rule, click its trash can icon. SonicWALL GMS creates a task that deletes the rule for each selected SonicWALL appliance.
