blocking site with a simple Deny rule

Hello,

I'm trying to block a simple FQDN Network object, from LAN>WAN, making a simple Deny rule (1st position rule), and I can't block it.

For example FQDN Hostname = *.instagram.com

I made a Group for some forbidden sites, and I was trying to use that Group in my Deny rule Destination field, like detailed in some SW articles.

I am testing an old SonicWall TZ215W with Enhanced 5.9.1.10-1o, but same result over a SOHO Wireless with SonicOS Enhanced 6.5.4.7-83n.

What am I doing wrong? It seems to ignore the Deny rule, or maybe I am missing the FQDN definition...

Thanks for your time.

Category: Mid Range Firewalls

Answers

  • @SWuservpn,

    I would suggest using CFS to block domains. The FQDN address objects rely on DNS and the firewall might not have all the IP addresses mapped to the object and slowly gets that info for wildcard objects.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • SWuservpn Newbie ✭

    You are right, shiprasahu93, but I don't have that licensed in all my devices, and yes, it works fine where it is licensed.

    So, I should assume that there is no reliable way to deny an FQDN object via a simple deny rule... shouldn't I?

    Thanks!

  • TKWITS Cybersecurity Overlord ✭✭✭
    edited February 5

    You can deny traffic to/from websites via an access rule.

    You can create an Address Object for the FQDN/IP address that you want blocked. Then create a deny access rule with the destination of the appropriate address object. Be sure the deny rule's priority is before any allows in the table.

    It seems like that is what you've done but it isn't effective.

    Since major services use content delivery networks, blocking *.instagram.com likely won't work. You'd have to identify other domains used by Instagram and its content delivery networks. Then add those to your deny access rule.

    Hope that helps.

  • @TKWITS - you are so right about this. There might be five or ten domains serving content for a top site like IG.
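
A simplified model of the two failure modes described in the answers above, added here as an example; it is not part of the thread and not SonicWall code. It assumes a wildcard FQDN object learns addresses only from DNS answers the firewall observes; the class and function names are hypothetical, and every hostname other than `*.instagram.com` and every IP address is constructed.

```python
import fnmatch
import ipaddress

class WildcardFqdnObject:
    """Simplified model (assumption): IPs are learned only from observed DNS answers."""

    def __init__(self, pattern):
        self.pattern = pattern.lower()
        self.learned_ips = set()

    def matches(self, qname):
        return fnmatch.fnmatchcase(qname.lower().rstrip("."), self.pattern)

    def observe_dns_answer(self, qname, ips):
        # Addresses are added only when the queried name matches the wildcard.
        if self.matches(qname):
            self.learned_ips.update(ipaddress.ip_address(ip) for ip in ips)

def verdict(deny_object, dst_ip):
    """Deny rule in first position; anything it does not match falls through to allow."""
    return "deny" if ipaddress.ip_address(dst_ip) in deny_object.learned_ips else "allow"

def names_outside_object(deny_object, dns_log):
    """Names a client resolved that the wildcard does not cover (candidates to review)."""
    return sorted({q for q, _ in dns_log if not deny_object.matches(q)})

# Constructed DNS answers seen by the firewall (documentation IP ranges, made-up CDN name).
DNS_LOG = [
    ("www.instagram.com", ["192.0.2.10"]),
    ("static.cdn-provider.example", ["198.51.100.20"]),
]

def run_demo():
    blocked = WildcardFqdnObject("*.instagram.com")
    for qname, ips in DNS_LOG:
        blocked.observe_dns_answer(qname, ips)
    return {
        "192.0.2.10": verdict(blocked, "192.0.2.10"),        # learned from DNS
        "192.0.2.11": verdict(blocked, "192.0.2.11"),        # never seen in a DNS answer
        "198.51.100.20": verdict(blocked, "198.51.100.20"),  # CDN name outside the wildcard
    }, names_outside_object(blocked, DNS_LOG)

if __name__ == "__main__":
    print(run_demo())
```

Only the address learned from a matching DNS answer is denied; the unlearned address and the CDN address fall through to allow, and the second return value lists the names that would have to be reviewed and added to the deny rule.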
