Access Rule Configuration Examples

This section provides configuration examples on adding network access rules:
Enabling Ping
Blocking LAN Access for Specific Services
Allowing WAN Primary IP Access from the LAN Zone
Enabling Bandwidth Management on an Access Rule
Enabling Ping

This section provides a configuration example for an access rule to allow devices on the DMZ to send ping requests and receive ping responses from devices on the LAN. By default your SonicWALL security appliance does not allow traffic initiated from the DMZ to reach the LAN. Once you have placed one of your interfaces into the DMZ zone, then from the Firewall > Access Rules window, perform the following steps to configure an access rule that allow devices in the DMZ to send ping requests and receive ping responses from devices in the LAN.

To enable Ping:
1
Click Add to launch the Add Rule dialog.
2
Select the Allow radio button.
3
From the Service menu, select Ping.
4
From the Source menu, select DMZ Subnets.
5
From the Destination menu, select LAN Subnets.
6
Click OK.
Blocking LAN Access for Specific Services

This section provides a configuration example for an access rule blocking LAN access to NNTP servers on the Internet during business hours.

To configure an access rule blocking LAN access to NNTP servers based on a schedule:
1
Click Add to launch the Add dialog.
2
Select Deny from the Action settings.
3
Select NNTP from the Service menu. If the service is not listed in the list, you must to add it in the Add Service dialog.
4
Select Any from the Source menu.
5
Select WAN from the Destination menu.
6
Select the schedule from the Schedule menu.
7
Enter any comments in the Comment field.
8
Click Add.
Allowing WAN Primary IP Access from the LAN Zone

By creating an access rule, it is possible to allow access to a management IP address in one zone from a different zone on the same SonicWALL appliance. For example, you can allow HTTP/HTTPS management or ping to the WAN IP address from the LAN side. To do this, you must create an access rule to allow the relevant service between the zones, giving one or more explicit management IP addresses as the destination. Alternatively, you can provide an address group that includes single or multiple management addresses (for example, WAN Primary IP, All WAN IP, All X1 Management IP) as the destination. This type of rule allows the HTTP Management, HTTPS Management, SSH Management, Ping, and SNMP services between zones.

* 
NOTE: Access rules can only be set for inter-zone management. Intra-zone management is controlled per-interface by settings in the interface configuration
To create a rule that allows access to the WAN Primary IP from the LAN zone:
1
On the Firewall > Access Rules page, display the LAN > WAN access rules.
2
Click Add to launch the Add dialog.
3
Select Allow from the Action settings.
4
Select one of the following services from the Service menu:
HTTP
HTTPS
SSH Management
Ping
SNMP
5
Select Any from the Source menu.
6
Select an address group or address object containing one or more explicit WAN IP addresses from the Destination menu.
* 
NOTE: Do not select an address group or object representing a subnet, such as WAN Primary Subnet. This would allow access to devices on the WAN subnet (already allowed by default), but not to the WAN management IP address.
7
Select the user or group to have access from the Users Allowed menu.
8
Select the schedule from the Schedule menu.
9
Enter any comments in the Comment field.
10
Click Add.
Enabling Bandwidth Management on an Access Rule

Bandwidth management can be applied on both ingress and egress traffic using access rules. Access rules displaying the Funnel icon are configured for bandwidth management.

* 
TIP: Do not configure bandwidth management on multiple interfaces on a zone, where the configured guaranteed bandwidth for the zone is greater than the available bandwidth for the bound interface.

For information on configuring Bandwidth Management see Bandwidth Management Overview.