NSM & public WAN access
The recommendation has always been that firewall management is disabled on the WAN port, but cloud NSM requires this, as a VPN tunnel can't be created between endpoints.
Is the recommendation now to enable management access from the whole internet, or can restrictions be set up to allow only NSM but nothing else? For example, certificate-based authentication.
Best Answers
BWC Cybersecurity Overlord ✭✭✭
AFAIK it does not alter the WAN management access. ZeroTouch connects to the backend and a site-to-site tunnel gets created with some random IP addresses involved, hopefully not issuing an address conflict.
Over this tunnel the NSM connects back to your appliance.
I have modified HTTPS Management rules in place and it does not interfere.
--Michael@BWC
Saravanan Moderator
@SONICADMIN80 - I would suggest you ensure the below points are in place first.
- Let the Primary NSv be the Active Firewall when you want to acquire using NSM.
- If you are using the ZT feature, ensure TCP/UDP port 21021 is opened on the Firewall ISP side in both inbound and outbound directions (ZT communication happens on TCP/UDP 21021).
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Answers
Hi @SonicAdmin80
MGMT access does not have to be enabled on the WAN interface; CSC-MA/NSM is using a VPN tunnel for this, not the WAN IP.
If you need access from the Internet on the MGMT for other matters, I suggest editing the WAN-WAN HTTPS Management rule to allow only specific source address objects. Works great if you have static IP addresses or DynDNS objects.
If possible, never make the MGMT interface available in the open. Just my € .02.
--Michael@BWC
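As an added illustration of the two points raised in this thread (restricting the WAN-WAN HTTPS Management rule to named source address objects, and allowing TCP/UDP 21021 in both directions for ZeroTouch), here is a small rule audit. It is example code, not SonicWall's or NSM's own; the rule structure and the address object name `Admin_Office_IP` are constructed simplifications, not SonicWall's export format.

```python
"""Audit a simplified access-rule list for the two checks discussed in the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" (Internet -> firewall) or "outbound" (firewall -> Internet)
    source: str      # address object name, or "Any"
    service: str     # e.g. "HTTPS Management", "TCP 21021", "UDP 21021"
    action: str      # "Allow" or "Deny"


# ZeroTouch talks on TCP/UDP 21021 and must be allowed in both directions.
ZT_SERVICES = ("TCP 21021", "UDP 21021")


def audit(rules):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    # Check 1: HTTPS Management must not be allowed inbound from Any.
    for r in rules:
        if (r.direction == "inbound" and r.service == "HTTPS Management"
                and r.action == "Allow" and r.source == "Any"):
            findings.append("HTTPS Management allowed inbound from Any: "
                            "restrict the source to named address objects")
    # Check 2: an Allow rule for each ZT service in each direction.
    for svc in ZT_SERVICES:
        for direction in ("inbound", "outbound"):
            if not any(r.direction == direction and r.service == svc
                       and r.action == "Allow" for r in rules):
                findings.append(f"ZeroTouch: no Allow rule for {svc} {direction}")
    return findings


# Constructed sample rule sets: a weak one and a hardened one.
WEAK = [
    Rule("inbound", "Any", "HTTPS Management", "Allow"),
    Rule("outbound", "Any", "TCP 21021", "Allow"),
]
HARDENED = [
    Rule("inbound", "Admin_Office_IP", "HTTPS Management", "Allow"),
    Rule("inbound", "Any", "HTTPS Management", "Deny"),
    Rule("inbound", "Any", "TCP 21021", "Allow"),
    Rule("inbound", "Any", "UDP 21021", "Allow"),
    Rule("outbound", "Any", "TCP 21021", "Allow"),
    Rule("outbound", "Any", "UDP 21021", "Allow"),
]

if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(ruleset) or "OK")
```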
@BWC Does that mean that with cloud NSM the WAN access has to be open for long enough for NSM to acquire the device, then it sets up the VPN tunnel and disables the WAN management after that? Or how does it work exactly?
Hi @SonicAdmin80
No, this is done with the magic of ZeroTouch. This needs to be enabled (IMHO it is by default); the appliance phones home and gets automatically assigned to the NSM when "Managed by" is set to cloud on the details page of your appliance in MySonicWall.
I believe this was it, did it only once.
--Michael@BWC
I wonder how it works if I manually acquire a device already setup? I guess I find out when I do it.
It'll import the current settings; keeping them synced is something I'm struggling with, but it's probably me doing it wrong.
--Michael@BWC
Yes, I read about that, that local modifications aren't really recommended, which is a shame. But I wonder what manually acquiring does to the WAN management access and, if it disables it, how NSM communicates with the appliance.
Hi @SONICADMIN80,
The communication between the NSM and Firewall(s) happens as outlined below:
With Zero Touch enabled, the ZT client on the Firewall securely communicates to the ZT server (NSM) via MySonicWall. So, without WAN management enabled on the Firewall, the communication between NSM and Firewall becomes possible. This is because the Firewall establishes the communication to the NSM first, via the ZT client incorporated on it, and the NSM thereby learns the public IP address of the Firewall.
With Zero Touch disabled, the Firewall still establishes the communication to the NSM first, based on the NSM cloud address cloud.sonicwall.com defined in the Firewall GUI under Appliance | Base Settings | Advanced Management.
Hope this clarifies.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@BWC @Saravanan Ok great, so the acquisition should be quite seamless. I will be acquiring an NSv HA setup that has already been configured. Is there any risk that acquisition could cause connectivity issues?
Hi @SonicAdmin80
I wouldn't expect any connectivity issues.
Fingers crossed :)
--Michael@BWC
Cheers, I'll probably do it over the weekend just in case.
Cool @SONICADMIN80
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services