This chapter provides an overview on your SonicWALL security appliance stateful packet inspection default access rules and configuration examples to customize your access rules to meet your business requirements.
Access rules are network management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.
The SonicOS Firewall > Access Rules page provides a sortable access rule management interface. The subsequent sections provide high-level overviews on configuring access rules by zones and configuring bandwidth management using access rules.
By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined by the “Default” stateful inspection packet access rule enabled in the SonicWALL security appliance:
|
•
|
Allow all sessions originating from the LAN, WLAN to the WAN, or DMZ (except when the
destination WAN IP address is the WAN interface of the SonicWALL appliance itself)
|
Additional network access rules can be defined to extend or override the default access rules. For example, access rules can be created that allow access from the LAN zone to the WAN Primary IP address, or block certain types of traffic such as IRC from the LAN to the WAN, or allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized users on the LAN.
Custom access rules evaluate network traffic source IP addresses, destination IP addresses, IP protocol types, and compare the information to access rules created on the SonicWALL security appliance. Network access rules take precedence, and can override the SonicWALL security appliance’s stateful packet inspection. For example, an access rule that blocks IRC traffic takes precedence over the SonicWALL security appliance default setting of allowing this type of traffic.
|
Caution
|
The ability to define network access rules is a very powerful tool. Using custom access rules
can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.
|
Bandwidth management allows you to assign guaranteed and maximum bandwidth to services and prioritize traffic on all WAN zones. Using access rules, bandwidth management can be enabled on a per-interface basis. Packets belonging to a bandwidth management enabled policy will be queued in the corresponding priority queue before being sent on the bandwidth management-enabled WAN interface. All other packets will be queued in the default queue and will be sent in a First In and First Out (FIFO) manner (a storage method that retrieves the item stored for the longest time).
If you create an access rule for outbound mail traffic (such as SMTP) and enable bandwidth management with the following parameters:
The outbound SMTP traffic is guaranteed 20 percent of available bandwidth available to it and can get as much as 40 percent of available bandwidth. If this is the only access rule using bandwidth management, it has priority over all other access rules on the SonicWALL security appliance. Other access rules use the remaining bandwidth (which is at least 60 percent of available bandwidth and up to 80 percent of available bandwidth if SMTP traffic does not exceed the 20 percent threshold.)
|
Note
|
Note:
Access rules using bandwidth management have a higher priority than access rules
not using bandwidth management. Access rules without bandwidth management are given
lowest priority.
|
|
Tip
|
You must select Bandwidth Management on the
WAN > Ethernet
page. Navigate to the Network > Interfaces
, click the Configure
icon for the WAN
interface, and select the Advanced
tab. Enter your available egress and ingress bandwidths in the Available
interface Egress Bandwidth
(Kbps
) and Available interface Ingress Bandwidth
(Kbps
) fields, respectively.
|
This section provides a list of the following configuration tasks:
Access rules can be displayed in multiple views using SonicOS Enhanced. You can select the type of view from the selections in the View Style section. The following View Styles are available:
|
•
|
All Rules
- Select All Rules
to display all access rules configured on the SonicWALL security appliance.
|
|
•
|
Matrix
- Displays as From/To
with LAN
, WAN
, VPN
, or other interface in the From
row, and LAN
, WAN
, VPN
, or other interface in the To
column. Select the Edit
icon
 in the table cell to view the access rules. |
|
•
|
Drop-down Boxes
- Displays two pull-down menus: From Zone
and To Zone
. Select an interface from the From Zone
menu and select an interface from the To Zone
menu. Click OK
and access rules defined for the two interfaces are displayed.
|
|
Tip
|
You can also view access rules by zones. Use the Option checkboxes in the
From Zone
and To Zone
column. Select LAN
, WAN
, VPN
, ALL
from the From Zone
column. And then select LAN, WAN, VPN, ALL from the To Zone
column. Click OK
to display the access rules.
|
Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.
To display the Access Rules for a specific zone, select a zone from the Matrix , Drop-down Boxes , or All Rules view.
The access rules are sorted from the most specific at the top, to less specific at the bottom of the table. At the bottom of the table is the Any rule. The default access rule is all IP services except those listed in the Access Rules page. Access rules can be created to override the behavior of the Any rule; for example, the Any rule allows users on the LAN to access all Internet services, including NNTP News.
You can change the priority ranking of an access rule by clicking the Arrows icon in the Priority column. The Change Priority window is displayed. Enter the new priority number (1-10) in the Priority field, and click OK .
|
Tip
|
If the
Delete
or Edit
icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.
|