To add access rules to the SonicWALL security appliance, perform the following steps:
Step 1:
Step 2: In the General tab, select Allow | Deny | Discard from the Action list to permit or block IP traffic.
Step 3:
Step 4: Select the service or group of services affected by the access rule from the Service list. The Default service encompasses all IP services. If the service is not listed, you must define the service in the Add Service window. Select Create New Service or Create New Group to display the Add Service window or Add Service Group window.
Step 5: Select the source of the traffic affected by the access rule from the Source list. Selecting Create New Network displays the Add Address Object window.
Step 6: If you want to define the source IP addresses that are affected by the access rule, such as restricting certain users from accessing the Internet, type the starting IP address of the address range in the Address Range Begin field and the ending IP address in the Address Range End field. To include all IP addresses, type * in the Address Range Begin field.
Step 7: Select the destination of the traffic affected by the access rule from the Destination list. Selecting Create New Network displays the Add Address Object window.
Step 8: From the Users Allowed menu, add the user or user group affected by the access rule.
Step 9:
Step 10: Enter any comments to help identify the access rule in the Comments field.
Step 11: The Allow Fragmented Packets check box is enabled by default. Large IP packets are often divided into fragments before they are routed over the Internet and then reassembled at a destination host. One reason to disable this setting is that IP fragmentation can be exploited in Denial of Service (DoS) attacks.
Step 12: Click on the Advanced tab.
Step 13: If you would like the access rule to time out after a period of TCP inactivity, set the amount of time, in minutes, in the TCP Connection Inactivity Timeout (minutes) field. The default value is 5 minutes.
Step 14: If you would like the access rule to time out after a period of UDP inactivity, set the amount of time, in minutes, in the UDP Connection Inactivity Timeout (minutes) field. The default value is 30 minutes.
Step 15: Specify the number of connections allowed as a percentage of the maximum number of connections allowed by the SonicWALL security appliance in the Number of connections allowed (% of maximum connections) field. Refer to “Connection Limiting Overview” for more information on connection limiting.
Step 16: Select Create a reflexive rule if you want to create a matching access rule to this one in the opposite direction, that is, from your destination zone or address object to your source zone or address object.
Step 17: Click on the QoS tab if you want to apply DSCP or 802.1p Quality of Service management to traffic governed by this rule. See “802.1p and DSCP QoS” for more information on managing QoS marking in access rules.
Step 18: Under DSCP Marking Settings, select the DSCP Marking Action. You can select None, Preserve, Explicit, or Map. Preserve is the default.
– None: DSCP values in packets are reset to 0.
– Preserve: DSCP values in packets remain unaltered.
– Explicit: Set the DSCP value to the value you select in the Explicit DSCP Value field. This is a numeric value between 0 and 63. Some of the standard values are:
  • 0 - Best effort/Default (default)
  • 8 - Class 1
  • 10 - Class 1, Gold (AF11)
  • 12 - Class 1, Silver (AF12)
  • 14 - Class 1, Bronze (AF13)
  • 16 - Class 2
  • 18 - Class 2, Gold (AF21)
  • 20 - Class 2, Silver (AF22)
  • 22 - Class 2, Bronze (AF23)
  • 24 - Class 3
  • 26 - Class 3, Gold (AF31)
  • 27 - Class 3, Silver (AF32)
  • 30 - Class 3, Bronze (AF33)
  • 32 - Class 4
  • 34 - Class 4, Gold (AF41)
  • 36 - Class 4, Silver (AF42)
  • 38 - Class 4, Bronze (AF43)
  • 40 - Express Forwarding
  • 46 - Expedited Forwarding (EF)
  • 48 - Control
  • 56 - Control
– Map: The QoS mapping settings on the Firewall > QoS Mapping page are used. See “802.1p and DSCP QoS” for instructions on configuring the QoS Mapping. If you select Map, you can select Allow 802.1p Marking to override DSCP values.
Step 19: Under 802.1p Marking Settings, select the 802.1p Marking Action. You can select None, Preserve, Explicit, or Map. None is the default.
– None: No 802.1p tagging is added to the packets.
– Preserve: 802.1p values in packets remain unaltered.
– Explicit: Set the 802.1p value to the value you select in the Explicit 802.1p Value field. This is a numeric value between 0 and 7. The standard values are:
  • 0 - Best effort (default)
  • 1 - Background
  • 2 - Spare
  • 3 - Excellent effort
  • 4 - Controlled load
  • 5 - Video (<100ms latency)
  • 6 - Voice (<10ms latency)
  • 7 - Network control
– Map: The QoS mapping settings on the Firewall > QoS Mapping page are used. See “802.1p and DSCP QoS” for instructions on configuring the QoS Mapping.
Step 20: Click OK to add the rule.
Tip: Although custom access rules can be created that allow inbound IP traffic, the SonicWALL security appliance does not disable protection from DoS attacks, such as the SYN Flood and Ping of Death attacks.
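As an added illustration (not SonicOS code or the guide's own), the following Python shows what each of the four marking actions from Steps 18 and 19 does to a packet's DSCP or 802.1p value; the mapping tables and the direction of the Map lookup are assumptions standing in for whatever is configured on the Firewall > QoS Mapping page.

```python
# Added example (not SonicOS code): how the four marking actions from Steps 18 and 19
# change a packet's DSCP (6 bits) or 802.1p priority (3 bits). The mapping tables are
# constructed stand-ins for what the administrator configures on Firewall > QoS Mapping.
from enum import Enum

class MarkingAction(Enum):
    NONE = "None"
    PRESERVE = "Preserve"
    EXPLICIT = "Explicit"
    MAP = "Map"

# Constructed sample mappings (assumption; not SonicOS defaults).
SAMPLE_PCP_TO_DSCP = {0: 0, 1: 8, 2: 16, 3: 24, 4: 32, 5: 40, 6: 46, 7: 48}
SAMPLE_DSCP_TO_PCP = {0: 0, 8: 1, 10: 1, 16: 2, 24: 3, 32: 4, 40: 5, 46: 6, 48: 7, 56: 7}

def apply_dscp_action(tos_byte, action, explicit=None, pcp=None):
    """Return the new IPv4 TOS / IPv6 Traffic Class byte (0..255).

    DSCP is the upper 6 bits; the lower 2 ECN bits are left untouched, so
    the "None" action resets DSCP to 0 without clobbering ECN signalling.
    """
    ecn, dscp = tos_byte & 0b11, tos_byte >> 2
    if action is MarkingAction.PRESERVE:
        new = dscp
    elif action is MarkingAction.NONE:
        new = 0
    elif action is MarkingAction.EXPLICIT:
        if explicit is None or not 0 <= explicit <= 63:
            raise ValueError("Explicit DSCP Value must be 0..63")
        new = explicit
    else:  # MAP: assumption - derive DSCP from the frame's 802.1p priority
        if pcp not in SAMPLE_PCP_TO_DSCP:
            raise ValueError("Map needs an 802.1p priority (0..7) to look up")
        new = SAMPLE_PCP_TO_DSCP[pcp]
    return (new << 2) | ecn

def apply_pcp_action(pcp, action, explicit=None, dscp=None):
    """Return the 802.1p priority (0..7) to tag the frame with, or None for no tag."""
    if action is MarkingAction.NONE:
        return None  # no 802.1p tag is added to the frame
    if action is MarkingAction.PRESERVE:
        return pcp
    if action is MarkingAction.EXPLICIT:
        if explicit is None or not 0 <= explicit <= 7:
            raise ValueError("Explicit 802.1p Value must be 0..7")
        return explicit
    # MAP: assumption - unmapped DSCP code points fall back to best effort (0)
    return SAMPLE_DSCP_TO_PCP.get(dscp, 0)
```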
To display the Edit Rule window (which includes the same settings as the Add Rule window), click the Edit icon.
To delete an individual access rule, click the Delete icon. To delete all access rules selected with the checkboxes, click the Delete button.
To enable or disable an access rule, click the Enable checkbox.
To remove all end-user configured access rules for a zone, click the Default button. This restores the access rules for the selected zone to the default access rules initially set up on the SonicWALL security appliance.
Move your mouse pointer over the Graph icon to display the following access rule receive (Rx) and transmit (Tx) traffic statistics:
•
•
The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with such SonicOS features as SYN Cookies and Intrusion Prevention Services (IPS). Connection limiting provides a means of throttling connections through the SonicWALL using Access Rules as a classifier, and declaring the maximum percentage of the total available connection cache that can be allocated to that class of traffic.
Coupled with IPS, this can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted -> Untrusted traffic (i.e. LAN -> WAN). Malicious activity of this sort can consume all available connection-cache resources in a matter of seconds, particularly on smaller appliances.
The following table delineates the connection-cache size of currently available SonicWALL devices running SonicOS Enhanced with Unified Threat Management (UTM) security services enabled or disabled (numbers are subject to change):
| SonicWALL Security Appliance | | | |
In addition to mitigating the propagation of worms and viruses, connection limiting can be used to alleviate other types of connection-cache resource consumption issues, such as those posed by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to allow these services), or internal or external hosts using packet generators or scanning tools.
Finally, connection limiting can be used to protect publicly available servers (e.g. Web servers) by limiting the number of legitimate inbound connections permitted to the server (i.e. to protect the server against the Slashdot effect). This is different from SYN flood protection, which attempts to detect and prevent partially-open or spoofed TCP connections. This will be most applicable for Untrusted traffic, but it can be applied to any zone traffic as needed.
Connection limiting is applied by defining a percentage of the total maximum allowable connections that may be allocated to a particular type of traffic. The above figures show the default LAN -> WAN setting, where all available resources may be allocated to LAN -> WAN (any source, any destination, any service) traffic.
More specific rules can be constructed; for example, to limit the percentage of connections that can be consumed by a certain type of traffic (e.g. FTP traffic to any destination on the WAN), or to prioritize important traffic (e.g. HTTPS traffic to a critical server) by allowing 100% to that class of traffic, and limiting general traffic to a smaller percentage (minimum allowable value is 1%).
Note: It is not possible to use IPS signatures as a connection limiting classifier; only Access Rules (i.e. Address Objects and Service Objects) are permissible.
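The following Python is an added model of the connection-limiting behaviour described above (it is not SonicOS code): each access rule acts as a classifier with a percentage share of the connection cache, so a flood of LAN -> WAN connections from a worm-like host exhausts only its own share while HTTPS to a critical server, granted 100%, keeps getting through. The cache size, the rules, the traffic mix and first-match rule ordering are all constructed assumptions.

```python
# Added example (not SonicOS code): a minimal model of Connection Limiting as
# described above. Each access rule is a classifier (source zone, destination
# zone, service) plus the percentage of the appliance's connection cache that
# traffic matching it may occupy. Cache size, rules and traffic are constructed.
from dataclasses import dataclass

@dataclass
class AccessRule:
    src_zone: str
    dst_zone: str
    service: str        # "any" matches every service
    max_pct: int        # Number of connections allowed (% of maximum connections)

    def matches(self, src_zone, dst_zone, service):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.service in ("any", service))

class ConnectionCache:
    def __init__(self, capacity, rules):
        self.capacity = capacity
        self.rules = rules  # assumption: first matching rule wins, like ordered access rules
        self.per_rule = {id(r): 0 for r in rules}
        self.total = 0
        self.dropped = 0

    def admit(self, src_zone, dst_zone, service):
        """Return True if a new connection is admitted into the cache."""
        rule = next((r for r in self.rules if r.matches(src_zone, dst_zone, service)), None)
        if rule is None or self.total >= self.capacity:
            self.dropped += 1
            return False
        limit = self.capacity * max(rule.max_pct, 1) // 100  # minimum allowable value is 1%
        if self.per_rule[id(rule)] >= limit:
            self.dropped += 1  # this class has used its share; other classes are unaffected
            return False
        self.per_rule[id(rule)] += 1
        self.total += 1
        return True

def simulate(capacity=1000, worm_attempts=3000, https_attempts=50):
    """Worm-style LAN->WAN flood held to 20% while HTTPS to a critical server keeps 100%."""
    rules = [
        AccessRule("LAN", "WAN", "HTTPS", 100),  # critical server traffic, full share
        AccessRule("LAN", "WAN", "any", 20),     # general LAN->WAN, capped at 20%
    ]
    cache = ConnectionCache(capacity, rules)
    worm_ok = sum(cache.admit("LAN", "WAN", "SMB") for _ in range(worm_attempts))
    https_ok = sum(cache.admit("LAN", "WAN", "HTTPS") for _ in range(https_attempts))
    return {"worm": worm_ok, "https": https_ok, "dropped": cache.dropped, "in_cache": cache.total}
```

With the defaults, the flood is admitted only up to its 200-connection share (20% of 1000) and every HTTPS connection still succeeds.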
This section provides configuration examples on adding network access rules:
This section provides a configuration example for an access rule to allow devices on the DMZ to send ping requests and receive ping responses from devices on the LAN. By default your SonicWALL security appliance does not allow traffic initiated from the DMZ to reach the LAN. Once you have placed one of your interfaces into the DMZ zone, then from the Firewall > Access Rules window, perform the following steps to configure an access rule that allows devices in the DMZ to send ping requests and receive ping responses from devices in the LAN.
Step 1:
Step 2: Select the Allow radio button.
Step 3:
Step 4:
Step 5:
Step 6: Click OK.
This section provides a configuration example for an access rule blocking LAN access to NNTP servers on the Internet during business hours.
Perform the following steps to configure an access rule blocking LAN access to NNTP servers based on a schedule:
Step 1:
Step 2:
Step 3: Select NNTP from the Service menu. If the service is not listed, you must add it in the Add Service window.
Step 4:
Step 5:
Step 6: Select the schedule from the Schedule menu.
Step 7: Enter any comments in the Comment field.
Step 8: Click Add.
By creating an access rule, it is possible to allow access to a management IP address in one zone from a different zone on the same SonicWALL appliance. For example, you can allow HTTP/HTTPS management or ping to the WAN IP address from the LAN side. To do this, you must create an access rule to allow the relevant service between the zones, giving one or more explicit management IP addresses as the destination. Alternatively, you can provide an address group that includes single or multiple management addresses (e.g. WAN Primary IP, All WAN IP, All X1 Management IP) as the destination. This type of rule allows the HTTP Management, HTTPS Management, SSH Management, Ping, and SNMP services between zones.
Note: Access rules can only be set for inter-zone management. Intra-zone management is controlled per-interface by settings in the interface configuration.
To create a rule that allows access to the WAN Primary IP from the LAN zone:
Step 1: On the Firewall > Access Rules page, display the LAN > WAN access rules.
Step 2:
Step 3:
Step 4: Select one of the following services from the Service menu:
•
•
•
•
Step 5:
Step 6: Select an address group or address object containing one or more explicit WAN IP addresses from the Destination menu.
Note: Do not select an address group or object representing a subnet, such as WAN Primary Subnet. This would allow access to devices on the WAN subnet (already allowed by default), but not to the WAN management IP address.
Step 7: Select the user or group to have access from the Users Allowed menu.
Step 8: Select the schedule from the Schedule menu.
Step 9: Enter any comments in the Comment field.
Step 10: Click Add.
Bandwidth management can be applied on both ingress and egress traffic using access rules. Access rules displaying the Funnel icon are configured for bandwidth management.
Tip: Do not configure bandwidth management on multiple interfaces on a zone, where the configured guaranteed bandwidth for the zone is greater than the available bandwidth for the bound interface.
For more information on Bandwidth Management see “Bandwidth Management”.