DEAG Implementation
I am endeavoring to implement DEAG (Dynamic External Access Groups) across most of our clients' SonicWalls, so we can build rules to allow access to Microsoft Update servers, ESET servers, RingCentral, Teams, etc.
I set up a dedicated website on AWS/Cloudfront (in part because of the CDN capability).
On that site, I created a "microsoft.txt" file that contains the list of subnets in CIDR format (xxx.xxx.xxx.xxx/xx), one per line. I set the protocol to HTTPS, and I can successfully load that file without errors from a browser (SSL passes, etc.).
When I attempt to load it, I get this on the stats icon:
Err: Connection Failure.
File format failure: "-"
The sonicwall log reports
Configuration failed: Download Dynamic Group Object, changed to [downloadDynGroup]
I figured that since it was HTTPS, and the documentation states that it would be a web page, I created an HTML-format file with only the html tags, body tags, and a BR at the end of each line.
That yields the same results.
I tried a smaller file with just plain IP addresses in it. No Dice.
SonicWall's documentation on the file is pretty sparse. Any guidance?
Best Answer
webbdj Newbie ✭
For anyone that finds this thread... here is where I landed on this one. SonicWall appliances apparently are unable to connect to the AWS CloudFront service over SSL. I tried importing certificates, lowering the TLS support level on the AWS instance, and numerous other techniques to no avail. In the end I moved my hosting over to a paid provider, and procured an SSL certificate from Sectigo. The text files are stored as plain txt, with hash tags in front of the comment fields, and host IP addresses or CIDR entries. Unfortunately SonicWall support was of no help in troubleshooting this problem. There does not appear to be any way to adequately troubleshoot SSL connection issues from the appliance itself.
Answers
As a further comment, I uploaded my txt file to an FTP server and set up a test DEAG using FTP.
It loaded without issues. Which tells me that the content of the file is ok.
I do not want to deploy this to 200+ SonicWalls using my FTP server though.
So what is the right way to do it with an HTTPS feed?
Thanks
Did you check packet monitor and error on it?
For HTTPS, do you have a valid certificate? Maybe it is an SSL cert untrust issue.
Here is a sample download list from GitHub, which clearly states that the firewall cannot read Chinese characters.
https://github.com/keqingrong/hosts/blob/master/docs/ip-blacklist.txt
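Since the thread's conclusion is that the feed must be plain text with `#` comments and one host IP or CIDR entry per line, and the GitHub sample above warns that the firewall cannot read Chinese (non-ASCII) characters, a small validator run over the file before publishing it catches both classes of mistake before the appliance reports a bare "File format failure". The following Python is an added example written for this thread; it is not SonicWall code, and the sample list it checks is constructed (documentation address ranges), not a real vendor feed. It also flags CIDR entries with host bits set (e.g. `10.0.0.1/8`), which is an assumed strictness, not a documented SonicWall rule.

```python
import ipaddress

# Constructed sample feed in the format the accepted answer describes:
# plain text, '#' comments, one host IP or CIDR entry per line.
SAMPLE_LIST = """\
# Example DEAG feed (constructed sample, not a real vendor list)
203.0.113.0/24      # documentation range, CIDR entry
198.51.100.7        # single host address
2001:db8::/32       # IPv6 CIDR entry
10.0.0.0/8 # trailing comment after the entry
"""


def parse_deag_list(text):
    """Parse a DEAG feed body.

    Returns (entries, problems): entries is a list of ipaddress network
    objects in file order; problems is a list of (line_number, message)
    for lines the firewall would likely reject.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Check the raw line first: the thread notes the firewall cannot
        # read non-ASCII (e.g. Chinese) characters, even inside comments.
        if not raw.isascii():
            problems.append((lineno, "non-ASCII characters present"))
            continue
        # Strip '#' comments (hash sign in front of the comment field).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank or comment-only line
        try:
            # Strict parse: a CIDR entry must not have host bits set.
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            try:
                ipaddress.ip_network(line, strict=False)
            except ValueError:
                # Not an IP address or CIDR at all (e.g. an HTML tag,
                # which is what the original HTML experiment would hit).
                problems.append((lineno, f"not an IP address or CIDR: {line!r}"))
            else:
                # Parses only when host bits are ignored (assumed-strict check).
                problems.append((lineno, f"host bits set in CIDR: {line!r}"))
            continue
        entries.append(net)
    return entries, problems


def is_valid_deag_list(text):
    """True when every non-comment line is an acceptable entry."""
    _, problems = parse_deag_list(text)
    return not problems


if __name__ == "__main__":
    entries, problems = parse_deag_list(SAMPLE_LIST)
    for net in entries:
        print("entry:", net)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```

Run this against the file you intend to publish (read it with `open(path, encoding="utf-8")` and pass the text in); an empty `problems` list means the content itself is fine, which, as the FTP test in this thread showed, leaves the TLS connection as the remaining suspect.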
On a further comment on the limitations of DEAG objects:
@webbdj
The number of supported DEAGs is based on the hardware model. You can find the info in your device's TSR.
Dynamic Group - Cloud calloc count : 6 Cloud free count: 0
Dynamic Address Runtime Info
-----------------------------
MAX Number of Dynamic External Address Objects : 256
MAX Number of Dynamic External Address Groups : 32
MAX Number of Dynamic External Address Objects(FQDN) : 512
Total Number of Dynamic External Address Objects : 0
Total Number of Dynamic External Address Groups : 2
Total Number of Dynamic External Address Objects(FQDN) : 5