Webserver Protection with DPI SSL Server and Contentfiltering

I have a web server inside a DMZ. A NAT policy and an access rule from WAN to DMZ make the web server accessible from the internet. Certain access rules from LAN to DMZ exist for management. I use a Let's Encrypt certificate and DPI-SSL Server with all features activated.

I have also created a set of URIs for a Content Filter profile, and this is where the trouble starts.

What I want:

Access should be denied if the server is reached via an incorrect URL. The correct URL would be DNS-Name/URLPath; if the web server is addressed via IP or with an incorrect URLPath, access should be denied.

What I did:

I created a Content Filter profile with:

Allowed URI List A-DNS-Name/URLPath

Forbidden URI List A-DNS-Name, IP-Address/*

So far the server is reachable via IP and on every URLPath, which is very unsettling.

Content Filter policy from WAN to Any Zone with the above profile.

What should I do to solve this problem?

Running NSa 2650 with SonicOS Enhanced 6.5.4.6-79n--HFGEN6-1285-3n

Category: Network Security Manager

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @VaFrance

    Content Filter is for client communication only, from LAN to WAN for example, and is not covered by DPI-SSL Server to be inspectable by CFS.

    Maybe you can work it out somehow with App Rules. I highly recommend doing this on the web server itself or having some form of offload in front of your web server, like an NGINX reverse proxy, a SonicWall SMA, etc.

    --Michael@BWC
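
The reverse-proxy option mentioned in the answer above, sketched as an NGINX configuration that refuses requests made by IP address, by an unlisted host name, or to any path other than the permitted one (an added example, not part of the original thread or either poster's setup). The host name `www.example.com`, the path `/app/`, the backend address `192.0.2.10:8080` and the certificate paths are placeholders; the fragment belongs inside the `http` context.

```nginx
# Added example; host name, path, backend and certificate paths are placeholders.

# Catch-all server: requests addressed by IP or with any unlisted Host/SNI land here.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # nginx 1.19.4+: abort the TLS handshake when the SNI matches no named server,
    # so no certificate is needed (or disclosed) for IP-based access.
    ssl_reject_handshake on;

    # Covers plain HTTP and requests whose Host header differs from a valid SNI:
    # close the connection without sending a response.
    return 444;
}

# The only host name that is served ("DNS-Name" in the question).
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    # The only path forwarded to the web server in the DMZ ("URLPath" in the question).
    location /app/ {
        proxy_pass http://192.0.2.10:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Any other path under the correct host name is refused.
    location / {
        return 403;
    }
}
```

Validate with `nginx -t` before reloading, then confirm from outside that a request to the bare IP address and a request to a non-listed path are both refused while the permitted URL still loads.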
