Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

DEAG Implementation

I am endeavoring to implement DEAG (Dynamic External Access Groups) across most of our client's sonicwalls, so we can build rules to allow access to Microsoft Update servers, ESET servers, RingCentral, Teams, etc....

I set up a dedicated website on AWS/Cloudfront (in part because of the CDN capability).

On that site, I created a "microsoft.txt" file that contains the list of subnets in CIDR format (xxx.xxx.xxx.xxx/xx), one per line. I set the protocol to HTTPS, and I can successfully load that file without errors from a browser. (SSL passes, etc).

When I attempt to load it, I get this on the stats icon:

Err: Connection Failure.

File format failure: "-"

The sonicwall log reports

Configuration failed: Download Dynamic Group Object, changed to [downloadDynGroup]

I figured that since it was HTTPs, and the documentation states that it would be a web page, I created an html format file with only the html tags, body tags, and a BR at the end of each line.

That yields the same results.

I tried a smaller file with just plain IP addresses in it. No Dice.

Sonicwall's documentation on the file is pretty sparse. Any guidance???

Category: Mid Range Firewalls
Reply

Best Answer

  • CORRECT ANSWER
    webbdjwebbdj Newbie ✭
    Accepted Answer

    For anyone that finds this thread... here is where I landed on this one. Sonicwall appliances apparently are unable to connect to the AWS cloudfront service over SSL. I tried importing certificates, lowering the TLS support level on the AWS instance, and numerous other techniques to no avail. In the end I moved my hosting over to a paid provider, and procured a SSL certificate from Sectigo. The text files are stored as plain txt, with hash tags in front of the comment fields, and host IP addresses or CIDR entries. Unfortunately Sonicwall support was of no help in troubleshooting this problem. There does not appear to be any way to adequately troubleshoot SSL connection issues from the appliance itself.

Answers

  • webbdjwebbdj Newbie ✭

    As a further comment, I uploaded my txt file to an ftp server, and setup a test DEAG using FTP.

    It loaded without issues. Which tells me that the content of the file is ok.

    I do not want to deploy this to 200+ sonicwalls using my ftp server though.

    So what is the right way to do it with an HTTPS feed?

    Thanks

  • NatNat Newbie

    Did you check packet monitor and error on it?

    For HTTPS, do you have a valid certificate? Maybe it SSL cert untrust issue.

    Here is a sample to download list from github which clearly stated that firewall cannot read chinese characters.

    https://github.com/keqingrong/hosts/blob/master/docs/ip-blacklist.txt

  • webbdjwebbdj Newbie ✭

    On a further comment on the limitations of DEAG objects:

    1. Sonicwall apparently does not like something about AWS hosting. I had to take my hosting of the DAG objects elsewhere.
    2. The number of address lines in the TXT file seem to have a limit somewhere around 100 or so. I haven't been able to determine exactly what that limit is yet, but I cannot load the entire list of Microsoft subnets, which is somewhere around 160-180 as of this date.
    3. There seems to be a limit (unpublished) of FIVE DEAG object entries on some of the TZ500 firewalls. I haven't had an opportunity to try other models yet, but that is very disappointing... My goal was to provide a central place to manage these common access lists, and between Microsoft, AKAMAI, Other CDN Networks, Voice providers (Vonage/RingCentral, etc), AV companies, 2FA/Auth Providers (DUO, DSO, Okta, etc), I have a need to publish more than just five DEAG lists to a given firewall. The percentage rule does not seem to apply... I tried it on a brand new TZ500 with no other groups added and it still stopped me at five...


  • NatNat Newbie

    @webbdj

    Number of supporting DEAG is based on hardware models. You can find info on your device TSR.

    Dynamic Group - Cloud calloc count : 6 Cloud free count: 0


    Dynamic Address Runtime Info

    -----------------------------

    MAX Number of Dynamic External Address Objects      : 256

    MAX Number of Dynamic External Address Groups       : 32

    MAX Number of Dynamic External Address Objects(FQDN)   : 512

    Total Number of Dynamic External Address Objects     : 0

    Total Number of Dynamic External Address Groups      : 2

    Total Number of Dynamic External Address Objects(FQDN)  : 5

Sign In or Register to comment.