
Firewall > Access Rules

This chapter provides an overview on your SonicWALL security appliance stateful packet inspection default access rules and configuration examples to customize your access rules to meet your business requirements.

Access rules are network management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.

The SonicOS Firewall > Access Rules page provides a sortable access rule management interface. The subsequent sections provide high-level overviews on configuring access rules by zones and configuring bandwidth management using access rules.

Stateful Packet Inspection Default Access Rules Overview

By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined by the Default stateful packet inspection access rule enabled on the SonicWALL security appliance:

• Allow all sessions originating from the LAN or WLAN to the WAN or DMZ (except when the destination is the WAN interface IP address of the SonicWALL appliance itself).
• Allow all sessions originating from the DMZ to the WAN.
• Deny all sessions originating from the WAN to the DMZ.
• Deny all sessions originating from the WAN or DMZ to the LAN or WLAN.

Additional network access rules can be defined to extend or override the default access rules. For example, access rules can be created to allow access from the LAN zone to the WAN Primary IP address, to block certain types of traffic such as IRC from the LAN to the WAN, to allow certain types of traffic such as Lotus Notes database synchronization from specific hosts on the Internet to specific hosts on the LAN, or to restrict the use of protocols such as Telnet to authorized users on the LAN.

Custom access rules evaluate the source IP address, destination IP address and IP protocol type of network traffic and compare them against the access rules created on the SonicWALL security appliance. Network access rules take precedence over, and can override, the SonicWALL security appliance’s stateful packet inspection defaults. For example, an access rule that blocks IRC traffic takes precedence over the SonicWALL security appliance default setting of allowing this type of traffic.

Caution
The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.

Using Bandwidth Management with Access Rules Overview

Bandwidth management (BWM) allows you to assign guaranteed and maximum bandwidth to services and prioritize traffic on all BWM-enabled interfaces. Using access rules, BWM can be applied to specific network traffic. Packets belonging to a bandwidth management enabled policy are queued in the corresponding priority queue before being sent on the bandwidth management enabled interface. All other packets are queued in the default queue and sent in a First In, First Out (FIFO) manner (packets leave the queue in the order in which they arrived).

Example Scenario

If you create an access rule for outbound mail traffic (such as SMTP) and enable bandwidth management with the following parameters:

• Guaranteed bandwidth of 20%
• Maximum bandwidth of 40%
• Priority of 0 (zero)

The outbound SMTP traffic is guaranteed 20% of the available bandwidth and can get as much as 40% of the available bandwidth. If SMTP traffic is the only BWM-enabled rule:

• When SMTP traffic is using its maximum configured bandwidth (the 40% maximum described above), all other traffic gets the remaining 60% of bandwidth.
• When SMTP traffic is using less than its maximum configured bandwidth, all other traffic gets between 60% and 100% of the link bandwidth.

Now consider adding the following BWM-enabled rule for FTP:

• Guaranteed bandwidth of 60%
• Maximum bandwidth of 70%
• Priority of 1

When configured along with the previous SMTP rule, the traffic behaves as follows:

• 60% of total bandwidth is always reserved for FTP traffic (because of its guarantee). 20% of total bandwidth is always reserved for SMTP traffic (because of its guarantee).
• SMTP traffic can use up to 40% of total bandwidth (because it has a higher priority than FTP), which, when combined with FTP’s 60% guarantee, results in no other traffic being sent, because all 100% of the bandwidth is being used by higher priority traffic.
• If SMTP traffic reduces and only uses 10% of total bandwidth, then FTP can use up to 70% and all other traffic gets the remaining 20%.
• If SMTP traffic stops, FTP gets 70% and all other traffic gets the remaining 30% of bandwidth.
• If FTP traffic has stopped, SMTP gets 40% and all other traffic gets the remaining 60% of bandwidth.
Note
When the Bandwidth Management Type on the Firewall Services > BWM page is set to WAN, access rules using bandwidth management have a higher priority than access rules not using bandwidth management. Access rules without bandwidth management are given the lowest priority. When the Bandwidth Management Type is set to Global, the default priority is Medium (4).

Tip
You must configure Bandwidth Management individually for each interface on the Network > Interfaces page. Click the Configure icon for the interface, and select the Advanced tab. Enter your available egress and ingress bandwidths in the Available interface Egress Bandwidth (Kbps) and Available interface Ingress Bandwidth (Kbps) fields, respectively.

This applies when the Bandwidth Management Type on the Firewall Services > BWM page is set to either WAN or Global.
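The SMTP/FTP scenario above can be checked by hand, but the interaction of guarantees, maximums and priorities is easier to see when the sharing rule is written down. The following is an added example, not code from SonicWALL or from this guide: a small Python model of the behaviour the scenario describes (guarantees honoured first, leftover capacity handed out in priority order up to each rule's maximum, and the default FIFO queue taking whatever remains). The BwmRule class, the allocate function and the demand figures are constructed for this illustration; the model is not the appliance's actual scheduler, and it also accepts any number of rules rather than only the two on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BwmRule:
    """One BWM-enabled access rule (constructed for this example)."""
    name: str
    guaranteed: int   # percent of link bandwidth reserved whenever this traffic is present
    maximum: int      # percent of link bandwidth this traffic may never exceed
    priority: int     # 0 is the highest priority; lower numbers are served first


def allocate(rules, demand):
    """Share the link (100%) between BWM rules and the default queue.

    demand maps each rule name, plus "other" for traffic that matches no
    BWM rule, to the share of the link that traffic is trying to use.
    Returns the share each one actually gets.
    """
    # Sanity checks: guarantees cannot add up to more than the link,
    # and a rule's guarantee cannot exceed its own maximum.
    if sum(r.guaranteed for r in rules) > 100:
        raise ValueError("guarantees exceed the link capacity")
    for r in rules:
        if r.guaranteed > r.maximum or r.maximum > 100:
            raise ValueError(f"bad limits on rule {r.name}")

    remaining = 100
    given = {}
    # Step 1: every BWM rule's guarantee is honoured first, up to what it actually demands.
    for r in rules:
        given[r.name] = min(demand.get(r.name, 0), r.guaranteed)
        remaining -= given[r.name]
    # Step 2: leftover capacity goes to BWM rules in priority order, capped at each maximum.
    for r in sorted(rules, key=lambda rule: rule.priority):
        extra = min(demand.get(r.name, 0) - given[r.name],
                    r.maximum - given[r.name],
                    remaining)
        given[r.name] += extra
        remaining -= extra
    # Step 3: the default FIFO queue gets whatever is left.
    given["other"] = min(demand.get("other", 0), remaining)
    return given


# The two rules from the scenario on this page.
SMTP = BwmRule("SMTP", guaranteed=20, maximum=40, priority=0)
FTP = BwmRule("FTP", guaranteed=60, maximum=70, priority=1)

if __name__ == "__main__":
    # Every queue wants the whole link: SMTP 40, FTP 60, nothing left for other traffic.
    print(allocate([SMTP, FTP], {"SMTP": 100, "FTP": 100, "other": 100}))
    # SMTP drops to 10%: FTP rises to its 70% maximum and other traffic gets 20%.
    print(allocate([SMTP, FTP], {"SMTP": 10, "FTP": 100, "other": 100}))
```

Running the block reproduces each bullet of the scenario; changing a demand figure or adding a third BwmRule shows how much the default queue is left with, which is the number to check before turning on BWM for a new service.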

Configuration Task List

This section provides a list of the following configuration tasks:

• Displaying Access Rules with View Styles
• Configuring Access Rules for a Zone
• Adding Access Rules
• Editing an Access Rule
• Deleting an Access Rule
• Enabling and Disabling an Access Rule
• Restoring Access Rules to Default Zone Settings
• Displaying Access Rule Traffic Statistics
• Connection Limiting Overview
• Access Rule Configuration Examples

Displaying Access Rules with View Styles

Access rules can be displayed in multiple views using SonicOS Enhanced. You can select the type of view from the selections in the View Style section. The following View Styles are available:

• All Rules - Select All Rules to display all access rules configured on the SonicWALL security appliance.
• Matrix - Displays a From/To grid with LAN, WAN, VPN, or another interface in the From row, and LAN, WAN, VPN, or another interface in the To column. Select the Edit icon in a table cell to view the access rules for that zone pair.
• Drop-down Boxes - Displays two pull-down menus: From Zone and To Zone. Select an interface from the From Zone menu and an interface from the To Zone menu. Click OK to display the access rules defined for the two interfaces.

Tip
You can also view access rules by zones. Use the Option checkboxes in the From Zone and To Zone columns. Select LAN, WAN, VPN, or ALL from the From Zone column, then select LAN, WAN, VPN, or ALL from the To Zone column. Click OK to display the access rules.

Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.

Configuring Access Rules for a Zone

To display the Access Rules for a specific zone, select a zone from the Matrix, Drop-down Boxes, or All Rules view.

The access rules are sorted from the most specific at the top to the least specific at the bottom of the table. At the bottom of the table is the Any rule, the default access rule that covers all IP services not matched by a more specific rule listed on the Access Rules page. Access rules can be created to override the behavior of the Any rule; for example, the Any rule allows users on the LAN to access all Internet services, including NNTP News, and a more specific rule placed above it can block one of those services.

You can change the priority ranking of an access rule by clicking the Arrows icon in the Priority column. The Change Priority window is displayed. Enter the new priority number (1-10) in the Priority field, and click OK.

Tip
If the Delete or Edit icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.
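The two ideas this chapter relies on, the default zone-to-zone behaviours listed in the Stateful Packet Inspection Default Access Rules Overview and the first-match ordering described under Configuring Access Rules for a Zone, fit together in a short rule evaluator. The following is an added example written for this page, not SonicWALL code and not the appliance's real rule engine: it encodes the four default behaviours, checks custom rules ahead of them in table order, and falls through to an implicit deny. The Rule class, the session helper, the port numbers for the services the chapter names, the appliance WAN address 198.51.100.1 and the host addresses in the custom rules are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample value: the appliance's own WAN interface address.
APPLIANCE_WAN_IP = "198.51.100.1"

# Services the chapter mentions, as (protocol, port). Well-known ports, chosen for the example.
SERVICES = {
    "any": None,
    "IRC": ("tcp", 6667),
    "Telnet": ("tcp", 23),
    "SMTP": ("tcp", 25),
    "Lotus Notes": ("tcp", 1352),
}


@dataclass
class Rule:
    """One row of the access rule table (constructed model, not the SonicOS object)."""
    name: str
    src_zone: str
    dst_zone: str
    service: str = "any"
    action: str = "allow"
    src_net: str = "any"      # CIDR or "any"
    dst_net: str = "any"      # CIDR or "any"
    enabled: bool = True

    def matches(self, s):
        if not self.enabled or (self.src_zone, self.dst_zone) != (s["src_zone"], s["dst_zone"]):
            return False
        svc = SERVICES[self.service]
        if svc is not None and svc != (s["proto"], s["port"]):
            return False
        for net, ip in ((self.src_net, s["src_ip"]), (self.dst_net, s["dst_ip"])):
            if net != "any" and ip_address(ip) not in ip_network(net):
                return False
        return True


def session(src_zone, dst_zone, src_ip, dst_ip, proto, port):
    """A new session as the stateful engine would see its first packet."""
    return dict(src_zone=src_zone, dst_zone=dst_zone, src_ip=src_ip,
                dst_ip=dst_ip, proto=proto, port=port)


# The default behaviours from the overview. The first two rows are the stated exception:
# sessions to the appliance's own WAN address are not covered by the LAN/WLAN -> WAN allow.
DEFAULT_RULES = [
    Rule("default deny to appliance WAN IP", "LAN", "WAN", action="deny", dst_net=APPLIANCE_WAN_IP + "/32"),
    Rule("default deny to appliance WAN IP", "WLAN", "WAN", action="deny", dst_net=APPLIANCE_WAN_IP + "/32"),
    Rule("default LAN->WAN", "LAN", "WAN"), Rule("default LAN->DMZ", "LAN", "DMZ"),
    Rule("default WLAN->WAN", "WLAN", "WAN"), Rule("default WLAN->DMZ", "WLAN", "DMZ"),
    Rule("default DMZ->WAN", "DMZ", "WAN"),
    Rule("default WAN->DMZ", "WAN", "DMZ", action="deny"),
    Rule("default WAN->LAN", "WAN", "LAN", action="deny"),
    Rule("default WAN->WLAN", "WAN", "WLAN", action="deny"),
    Rule("default DMZ->LAN", "DMZ", "LAN", action="deny"),
    Rule("default DMZ->WLAN", "DMZ", "WLAN", action="deny"),
]

# Custom rules modelled on the chapter's examples, most specific first, as the table orders them.
CUSTOM_RULES = [
    Rule("block IRC LAN->WAN", "LAN", "WAN", "IRC", "deny"),
    Rule("allow Notes sync from partner host", "WAN", "LAN", "Lotus Notes", "allow",
         src_net="203.0.113.5/32", dst_net="192.168.1.20/32"),
    Rule("allow Telnet from admin hosts", "LAN", "WAN", "Telnet", "allow", src_net="192.168.1.0/28"),
    Rule("deny Telnet from rest of LAN", "LAN", "WAN", "Telnet", "deny"),
]


def evaluate(s, custom_rules=CUSTOM_RULES):
    """First match wins: custom rules in table order, then the defaults, then implicit deny."""
    for rule in list(custom_rules) + DEFAULT_RULES:
        if rule.matches(s):
            return rule.action, rule.name
    return "deny", "implicit deny"


if __name__ == "__main__":
    print(evaluate(session("LAN", "WAN", "192.168.1.10", "93.184.216.34", "tcp", 80)))
    print(evaluate(session("LAN", "WAN", "192.168.1.10", "93.184.216.34", "tcp", 6667)))
    print(evaluate(session("WAN", "LAN", "203.0.113.5", "192.168.1.20", "tcp", 1352)))
```

The Telnet pair shows why table order matters: swapping the two Telnet rows would make the broad deny match first and lock the admin hosts out as well. The caution earlier in the chapter can be reproduced the same way by passing a single LAN-to-WAN deny-any rule as custom_rules; it matches before the default allow and every outbound session is refused.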