Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Application Control Bypass

Hi, Running the new NSA 3700 on SonicOS 7.0.1-R1456

We have enabled Application Control on a number of applications and signatures one of which is Gmail. We also have an Address Group where the IP's of certain machines can bypass the application block. However we have noticed that for applications like Gmail, the requests (source) are coming from our Domain controller (DNS) server not the machine making the request and therefore the bypass is not taking effect. Adding the DNS server to the bypass is an absolute no no. Anyone else experienced this? Not sure if it is a bug in SonicOS 7.x or misconfiguration on my part.

Other applications work fine and the bypass seems to be effective.

thanks

Category: Firewall Security Services
Reply

Best Answer

  • CORRECT ANSWER
    shiprasahu93shiprasahu93 Moderator
    Answer ✓

    Hello @stevmorr,

    Welcome to the SonicWall community.

    If you using an internal DNS server on the machines that are connected to LAN, all DNS requests come to the firewall using the DNS server's IP address. This is expected behavior.

    I would request you to specifically unblock the DNS signature for Gmail (without any inclusions/exclusions) and keep all other signatures enabled. The firewall can then block the Gmail traffic using other signatures and apply the necessary inclusions/exclusions as the HTTP or other requests reach the firewall from the original client IP address.

    An easier solution will be using global DNS like 8.8.8.8 machines, but if it is a domain environment, it is possible you might not want it that way.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

Answers

  • stevmorrstevmorr Newbie ✭

    shiprasahu93,

    Thanks for your quick response and sorry for the delay in response. You are absolutely correct - when blocking Gmail at the 'application' level (instead of the individual 'signature' level) it includes DNS query. Allowing this and keeping the block enabled for the others works perfectly!

    Thanks again for your help. 😁

Sign In or Register to comment.