
Access rules sometimes don't work

Hi,


I'm using an NSA 2600 with SonicOS Enhanced 6.2.7.1-23n. (Sorry, this is an old version.)


I registered the following access rules. I'd like to create whitelists for accessing the WAN from the LAN.


  • Destination=FQDN Address object (e.g. api.github.com)
  • Action=allow
  • Service=Any

But "connection refused" occurs occasionally when I access the allowed FQDN. It looks like "connection refused" doesn't occur if I also permit the IP address of the FQDN.


Are there any configurations to try?

Category: Entry Level Firewalls

Answers

  • MitatOnge Cybersecurity Overlord ✭✭✭

    Hi @RikimaruHonjo


    Please follow the list below.

    1) Check that the access rule order is correct (WAN to LAN).

    2) Check for DNS resolution issues (does the DNS server resolve the IP properly?).

    3) Why do you use a WAN to LAN access rule on the network? Do you have an on-prem GitHub repository? If the inbound server has outbound access, this rule is not needed.

    4) Check the logs when access is blocked.

    5) Try packet capture tools for the problem, save the pcap file and, if possible, share it here.

  • Hi @MitatOnge,


    >1) Check that the access rule order is correct (WAN to LAN).

    >4) Check the logs when access is blocked.

    >5) Try packet capture tools for the problem, save the pcap file and, if possible, share it here.


    OK, I will confirm these points after this.


    >2) Check for DNS resolution issues (does the DNS server resolve the IP properly?).


    I use 8.8.8.8 and 8.8.4.4, and no DNS resolution issue occurs.


    >3) Why do you use a WAN to LAN access rule on the network? Do you have an on-prem GitHub repository? If the inbound server has outbound access, this rule is not needed.

    My company requires the following rules in my environment.

    • Basically deny all access to the WAN
    • Only allow access to specified hosts/FQDNs
  • Arkwright Enthusiast ✭✭

    Observe the notes there about how the firewall harvests DNS responses. If you make sure clients are using the same DNS servers as the SonicWall itself, then it is much more likely that both firewall and client will agree on what IP a hostname resolves to, and that the rule will then work as expected. This is really more relevant with hosted services that resolve to many different IP addresses.
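The mismatch Arkwright describes can be checked directly: resolve the FQDN against the firewall's DNS server and against the clients' DNS server, and list any address the client got that the firewall never learned (that address will fall through to the deny rule). This is an added diagnostic, not code from the thread or from SonicWall; it assumes the firewall populates the FQDN object from its own DNS lookups, and the script name, function names and the 192.0.2.x test addresses are constructed.

```python
import socket
import struct
import sys

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query (recursion desired) for the A records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data: bytes, off: int) -> int:
    # Return the offset just past a (possibly compressed) domain name.
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(data: bytes) -> set:
    """Collect the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def resolve_via(name: str, server: str, timeout: float = 2.0) -> set:
    # Ask one specific DNS server (UDP/53) for the A records of `name`.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)

def client_ips_unknown_to_firewall(firewall_ips: set, client_ips: set) -> set:
    # Addresses the client may connect to that the firewall's FQDN object never learned.
    return client_ips - firewall_ips

if __name__ == "__main__":  # usage: python dns_view_check.py api.github.com <firewall-dns> <client-dns>
    fqdn, fw_dns, client_dns = sys.argv[1:4]
    gap = client_ips_unknown_to_firewall(resolve_via(fqdn, fw_dns), resolve_via(fqdn, client_dns))
    print("IPs the client resolved but the firewall did not (these hit the deny):", sorted(gap) or "none")
```

Run it a few times against a service with many addresses; a non-empty result each run is the signature of the intermittent "connection refused" described in the question.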
