The Access > Rules page allows you to create Network Access Rules to customize your firewall security. The SonicWALL evaluates the source IP address, the destination IP address, and the service type when determining whether to allow or deny traffic. Custom rules take precedence over and override the SonicWALL default rules. By default, the SonicWALL blocks all traffic from the Internet to the LAN and allows all traffic from the LAN to the Internet. Custom rules can be created to modify the default rules. For example, rules can be created for the following purposes:
Allow traffic from the Internet to a mail server on the LAN.
Restrict users on the LAN from using a specified service.
Allow specified IP addresses on the Internet to access a sensitive server on the LAN.
Configure bandwidth management for individual services.
Alert!
Use extreme caution when creating or deleting Network Access Rules, as you can accidentally disable firewall protection or block access to the Internet.
Network Access Rules can be configured to apply to all users, authenticated users, the administrator, or on a per user basis.
The following lists the maximum number of rules supported by each SonicWALL Internet Security Appliance model.
GX Series: 300
PRO 300, PRO 330: 200
PRO 100, PRO 200, PRO 230: 100
TELE3, SOHO3: 100
TELE2, SOHO2, XPRS2, XPRS, PRO, PRO-VX: 100
It is important to fully consider the logic behind the new rule before it is added to the list. Use the following guidelines to help you evaluate the impact of a rule before adding it to the list:
State the intent of the rule. For example: "This rule restricts all IRC access from the LAN to the Internet."
Is the intent of the rule to allow or deny traffic?
What is the direction of the traffic? From the LAN to the WAN, or from the WAN to the LAN?
List the IP services affected by the rule.
List the computers on the LAN affected by the rule.
List the computers on the WAN affected by the rule. If allowing traffic from the WAN to the LAN, it is better to allow WAN traffic only to certain computers on the LAN.
Does the rule prevent users from accessing critical resources on the Internet?
Does the rule create any security vulnerabilities?
The rule hierarchy has two basic concepts:
Specific rules override general rules:
An individual service is more specific than the Default service.
A single Ethernet link, such as LAN or WAN, is more specific than * (all).
A single IP address is more specific than an IP address range.
Equally specific Deny rules override Allow rules.
Rules are displayed in the Current Network Access Rules list from the most specific to the least specific, and rules at the top override rules listed below.
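The following is an added example, not SonicWALL firmware code, that models the rule hierarchy above and the pre-add checklist (intent, direction, affected services and hosts, whether the rule disables protection or blocks Internet access). It assumes, beyond what the page states, that a rule is matched on service, source and destination interface, and source and destination address range; that specificity is weighed in the order the page lists the cases (service, then interface, then address); and that traffic no rule matches is denied. The rule set, hosts and addresses are constructed for the example.

```python
"""Model of Network Access Rule precedence plus a pre-add sanity check.

Added example, not SonicWALL code. Assumptions not stated on the page:
match fields are service, source/destination interface, source/destination
address range; specificity is scored lexicographically (service, interface,
address); unmatched traffic is denied.
"""
import ipaddress
from dataclasses import dataclass

ANY = "*"            # the Default service / all interfaces
ANY_NET = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    service: str         # e.g. "smtp", "irc", or "*" for the Default service
    src_iface: str       # "LAN", "WAN", "DMZ", or "*"
    dst_iface: str
    src_net: str = ANY_NET   # CIDR; a /32 is a single host, /0 is any address
    dst_net: str = ANY_NET
    enabled: bool = True


def specificity(r: Rule) -> tuple:
    """Sort key: larger tuples are more specific and are evaluated first.

    One element per statement of the rule hierarchy: an individual service
    beats the Default service, a single link beats *, a longer prefix (single
    host) beats a range, and on a full tie Deny beats Allow. Weighing service
    before interface before address is this model's assumption.
    """
    return (
        r.service != ANY,
        r.src_iface != ANY,
        r.dst_iface != ANY,
        ipaddress.ip_network(r.src_net).prefixlen,
        ipaddress.ip_network(r.dst_net).prefixlen,
        r.action == "deny",
    )


def ordered(rules):
    """Enabled rules from most specific to least, the order the rules table shows."""
    return sorted((r for r in rules if r.enabled), key=specificity, reverse=True)


def matches(r, service, src_iface, dst_iface, src_ip, dst_ip):
    return (r.service in (ANY, service)
            and r.src_iface in (ANY, src_iface)
            and r.dst_iface in (ANY, dst_iface)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.src_net)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r.dst_net))


def decide(rules, service, src_iface, dst_iface, src_ip, dst_ip):
    """First matching rule in precedence order wins; returns (action, rule)."""
    for r in ordered(rules):
        if matches(r, service, src_iface, dst_iface, src_ip, dst_ip):
            return r.action, r
    return "deny", None   # fail closed when nothing matches (model assumption)


def review_rule(r: Rule):
    """Warnings to raise before adding the rule, following the page's guidelines."""
    warnings = []
    dst_any = ipaddress.ip_network(r.dst_net).prefixlen == 0
    if r.action == "allow" and r.src_iface == "WAN" and r.dst_iface == "LAN":
        if r.service == ANY and dst_any:
            warnings.append("allows all Internet traffic to the whole LAN: disables firewall protection")
        elif dst_any:
            warnings.append("WAN->LAN allow should target specific LAN hosts, not the whole LAN")
    if r.action == "deny" and r.service == ANY and r.src_iface == "LAN" and r.dst_iface == "WAN":
        warnings.append("denies the Default service LAN->WAN: blocks all Internet access")
    return warnings


# Constructed rule set: the two default rules plus the page's example custom rules.
DEFAULT_RULES = [
    Rule("deny", ANY, "WAN", "LAN"),    # block all traffic from the Internet to the LAN
    Rule("allow", ANY, "LAN", "WAN"),   # allow all traffic from the LAN to the Internet
]
CUSTOM_RULES = [
    Rule("allow", "smtp", "WAN", "LAN", dst_net="192.168.1.25/32"),   # mail server on the LAN
    Rule("deny", "irc", "LAN", "WAN"),                                # restrict IRC from the LAN
    Rule("allow", "ssh", "WAN", "LAN", "203.0.113.7/32", "192.168.1.10/32"),  # one host to a sensitive server
]
RULES = DEFAULT_RULES + CUSTOM_RULES

if __name__ == "__main__":
    for r in ordered(RULES):
        print(r.action.upper(), r.service, r.src_iface, "->", r.dst_iface, r.src_net, "->", r.dst_net)
    print(decide(RULES, "smtp", "WAN", "LAN", "198.51.100.9", "192.168.1.25")[0])
    print(decide(RULES, "irc", "LAN", "WAN", "192.168.1.50", "198.51.100.9")[0])
    print(review_rule(Rule("allow", "http", "WAN", "LAN")))
```

Running the block prints the rules in evaluation order (the SSH rule with two single hosts first, the Default-service rules last), shows SMTP reaching the mail server while IRC from the LAN is refused, and flags an HTTP allow aimed at the whole LAN as a rule that should name specific hosts. The lint in review_rule is a starting point for the "Does the rule create any security vulnerabilities?" question, not a substitute for stating the rule's intent before adding it.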
The Current Network Access Rules table displays all the current rules in force on the SonicWALL. The following describes the columns in the Current Network Access Rules table:
Priority - the access rule priority over other access rules.
Action - whether the access rule denies or allows the specific service.
Users Allowed - the users affected by the access rule.
Service - the service impacted by the access rule.
Source - the network interface impacted by the access rule: LAN, WAN, or DMZ.
Destination - the destination of the traffic affected by the rule.
Time - the times the access is enabled, if other than the default always is used.
Day - the days the access rule is enabled, if other than the default always is used.
Enable - click to enable or disable the access rule.
Edit - click to edit the access rule settings.
Delete - click to delete the access rule.
Sort Rules - Click the Priority, Action, Users Allowed, Service, Source, Destination, Time, Day or Enable table column header to sort the Current Network Access Rules table by that column. You can sort in ascending or descending order. The arrow next to the column header indicates whether the sort is ascending or descending.
Edit a Rule - To edit a rule, click the Note Pad icon to the right of the rule in the Rules window. The Edit Rule window is displayed with the current configuration settings of the rule. Make the desired changes and click Update to update the rule.
Delete a Rule - To delete a rule, click the Trash Can icon to the right of the rule in the Rules window. A dialog box appears with the message "Do you want to remove this rule?". Click OK. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
Enable/Disable a Rule - To disable a rule without permanently removing it, clear the Enable check box to the right of the rule in the Rules window. To enable a disabled rule, select the Enable check box. The configuration is updated automatically, and a message confirming the update is displayed at the bottom of the browser window.
Clicking the Add New Rule button displays the Add Rule window for adding a new network access rule.
The SonicWALL default network access rules prevent malicious intrusions and attacks, block all inbound IP traffic and allow all outbound IP traffic. If the SonicWALL Network Access Rules have been modified or deleted, you can restore the default network access rules by clicking the Restore Rules to Defaults button. A message dialog appears. Click OK to erase all non-default network access rules; any custom rules, such as an allow rule for a mail server on the LAN, must then be re-created.