Best Of
Re: SSL VPN Can't Resolve DNS
DNS search list. You need to add corporate.local to it so that clients know how to form DNS requests.
Re: Help With SSLVPN - Allow by FQDN /IP
No, you don't need any custom rules for this, delete them. Deny is implicit and the Allow Rule is the Default (now modified with your source object).
I meant the default rules for management, you can limit them as well to only allow specific addresses, if this is possible in your scenario.
You can add Botnet and GeoIP Filtering as well, to block certain countries etc.
--Michael@BWC
Re: Help With SSLVPN - Allow by FQDN /IP
@stokie21 I'm sorry, I've only told you half of the story.
You have to enable the Option "Enable the ability to remove and fully edit auto-added access rules" on the internal settings page, then you can edit the default Access Rule.
Sorry for that.
--Michael@BWC
Re: Help With SSLVPN - Allow by FQDN /IP
You have to edit the SSLVPN Rule that's in the WAN-to-WAN selection, it's #13 in your latest screenshot.
If you're in the WAN-to-WAN rules anyways, you should check if you can limit the Management Rules (HTTP + HTTPS Management, SNMP and SSH) to avoid any access to your Firewall that is not wanted, just as precaution.
--Michael@BWC
Re: Help With SSLVPN - Allow by FQDN /IP
@stokie21 list custom & default rules (All Types), the default one is probably above your deny rule. Get rid of your two custom rules and set the Source of the default rule to your WAN_FQDN_HOME_WORKERS object.
--Michael@BWC
Re: Help With SSLVPN - Allow by FQDN /IP
You can add multiple FQDN address objects to an address object group, and use this group in the WAN>WAN rule for SSLVPN services.
Re: Advice for NSa3700 drops/ignores OSFP IPv4 routing
An OSPF issue appeared when another SonicWall pair was updated to SonicOS 7.1.1-7047-R5557.
After the upgrade, the SonicOS would not form a relationship with the OSPF DR and BDR. The OSPF DR and BDR routers were constantly in an EXCHANGE/DROTHER state.
10.1.xxx.xx    1    EXCHANGE/DROTHER    00:00:31    192.168.xxx.xx    GigabitEthernet0/0/1
- The effect was that the SonicWall IP addresses and default route were never advertised to the rest of the company.
- The only work around was to ‘clear ip ospf process’ on the OSPF DR router. Usually just 1 execution of the command was needed.
- FIX – Drop mtu-ignore
- Drop mtu-ignore in the SonicWall configuration
- Drop mtu-ignore in every running Cisco ISR router.
- The line is in the configuration of interface Gi 0/0/1, which connects to the internal network.
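Added example, not part of the post above: a small parser for Cisco IOS `show ip ospf neighbor` output, modelled on the line quoted in the post, that flags neighbors stuck in EXSTART or EXCHANGE (the state the post describes, and the usual sign of an MTU mismatch between the two ends of the adjacency). The sample output is constructed; the neighbor IDs, addresses and interface names are placeholders, not real devices.

```python
import re

# Constructed sample of `show ip ospf neighbor` output (placeholder addresses).
# Two neighbors are stuck before FULL, two are healthy.
SAMPLE_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.200.10       1   EXCHANGE/DROTHER 00:00:31   192.168.50.10   GigabitEthernet0/0/1
10.1.200.11       1   FULL/BDR         00:00:35   192.168.50.11   GigabitEthernet0/0/1
10.1.200.12       0   EXSTART/DROTHER  00:00:29   192.168.50.12   GigabitEthernet0/0/1
10.1.200.13     255   FULL/DR          00:00:38   192.168.50.13   GigabitEthernet0/0/1
"""

# One neighbor line: ID, priority, STATE/ROLE, dead timer, address, interface.
# The role may be "DROTHER", "BDR", "DR" or "-" (point-to-point links).
NEIGHBOR_RE = re.compile(
    r"^(?P<nbr_id>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z]+)/\s*(?P<role>[A-Z-]+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<iface>\S+)\s*$"
)

# A neighbor that stays in EXSTART or EXCHANGE has matched Hellos (area, timers,
# authentication agree) but cannot finish the database description exchange;
# an interface MTU mismatch is the first thing to check on both sides.
STUCK_STATES = {"EXSTART", "EXCHANGE"}


def parse_neighbors(text):
    """Return one dict per neighbor line; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pri"] = int(row["pri"])
            rows.append(row)
    return rows


def stuck_neighbors(text):
    """Neighbors whose adjacency has not reached FULL and sits in EXSTART/EXCHANGE."""
    return [n for n in parse_neighbors(text) if n["state"] in STUCK_STATES]


def report(text):
    """Human-readable findings, one line per stuck neighbor."""
    return [
        f"{n['nbr_id']} on {n['iface']} stuck in {n['state']}/{n['role']} "
        f"(dead timer {n['dead']}): compare interface MTU / mtu-ignore on both ends"
        for n in stuck_neighbors(text)
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE_OUTPUT):
        print(finding)
```

Feed it the output of `show ip ospf neighbor` captured from the DR or BDR at a few intervals; a neighbor that appears in the stuck list every time, rather than briefly while converging, is the case the post describes.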
Re: Default DNS Servers
@MikeSun this is part of the new DNS Security which came with SonicOS 7.1.1. It's powered by Vercara and might be their product UltraDNS used for DNS resolving. I'm not 100% sure if it's used for CFS 5.0 as well.
--Michael@BWC
Re: Site to Site IPSec VPN from TZ470 to Grandstream GWN7062 firewall
UPDATE: just to provide an update here - it would seem that there is a BUG in one or the other of the products in play here. But with the aid of SonicWall engineering we were able to find a configuration that worked, though not an explanation of why the other methods did not.
On the SonicWall side of the equation they have a bit more granularity with regards to the configuration of the IPSec VPN site-to-site setup. For the Peer and Local IKE ID they allow for the following:
I have always used the Firewall Identifier Mode ( MAC ADDRESS) and SonicWall to SonicWall it works.
On the GrandStream side - there is not that level of granularity - only the Local and Remote ID.
So I was trying the MAC address on both sides, we tried the IP address (even though the GS side is dynamic) and also simple strings. Finally we tried a domain name, flipping the granular field to "Domain Name" on the SonicWall and just putting the domain names in the GS fields. And that worked... no explanation as to why none of the other versions worked - but domain name did. SonicWall Engineering has taken this as a potential bug on their end, as it seems most likely that is where the issue is.
Thank you for your assistance; now we have a way to make it work if anyone else runs into the same situation.
Re: Can I use a TZ470 as a secondary DNS server in a Windows domain?
@Simon_Weel DNS on the Firewall is just a resolver (proxy) not an authoritative DNS, therefore it cannot be used as a slave.
--Michael@BWC