Most basic question regarding rules. In a sonicwall, if we have an interface/subnet that we do not want to have access to any other interfaces/subnets, do I need to set a deny rule for each one, or is the lack of an "allow" rule sufficient?
Another question. Does an IP Helper bypass firewall rules? For example, we have an interface/subnet for which I specified an IP Helper to an address in the "LAN" zone, but we also have a rule to deny all access from said interface to the "LAN" zone. I have an additional rule with higher priority to allow DHCP only to the LAN zone. I'm just curious because while DHCP is working, I don't see a hit counter increment on either of the rules. So basically we are using a DHCP server in the LAN zone rather than the SonicWall DHCP server.
BWC Cybersecurity Overlord ✭✭✭
@djhurt1 for the first question I would say it depends on the Zone settings you have configured. There are four settings per Zone definition which can auto-configure Rules between Zones. The first thing I do when I configure new appliances is to untick all of them. Only then are you safe to say that no traffic will be allowed between Interfaces (Zones) without Rules. Unless you defined Interface Trust and all Interfaces are in the same Zone :)
About the 2nd question, I'm not 100% certain, but I believe it'll bypass the filters, because the traffic is initiated by the Firewall and not from the original Endpoint to the Destination.
Re-asking the OP's question... yes, you can tick boxes to "auto-generate" rules, but all said and done, can I look at, say, the LAN to WAN rules and be confident that 1) it is the complete authoritative list of ALL auto-generated and custom rules in play and that 2) there is an implicit DENY for anything that is not explicitly ALLOWed?
I use the Zone to Zone selector matrix when viewing/managing rules, but often worry that beyond the shown rules there might be some other un-listed ALLOW activity based on the trust settings. With 5 LAN zones (risk bubbles) at home that should only be able to talk with the WAN rather than each other, I still end up defining 20 extra DENY rules just to be sure the LAN zones can't cross talk.
@siletzspey to the best of my knowledge, if you list Default & Custom Rules for a given Range (e.g. LAN - WAN) you'll see all Rules, and the only one missing is the implicit Drop All Rule at the end of the Ruleset.
In my early days with SNWL I tended to manually add a Clean Up Rule at the end, because it was needed on other solutions I worked with, a matter of habit. But I don't do this anymore, unless I need a Rule at the end to do some other tasks, like Packet Monitoring.
1) I have tested a lot of customer firewalls. The lack of an "allow" rule is sufficient.
2) The DHCP service is L2 level; a Firewall rule is L3 level. Packet processing goes from the lowest level to the highest level, so if you enable IP Helper, it will pass to the other networks.
The option "Auto-generate Access Rules to allow traffic between zones of the same trust level" is the type of thing I'm trying to look out for. I assume that this will create rules that allow traffic to other zones with the same security type?
@djhurt1 correct, let's assume you have LAN and VOIP Zones each with a "Trusted" trust level, they'll be able to talk to each other due to the Auto Rule.
My approach: browse through all zones and untick all of these Auto Create checkmarks for each and every appliance I'll put my hands on.
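To make the thread's two points concrete (the implicit Drop All at the end of the ruleset, and the allow rules that the same-trust-level auto-generate option silently adds), here is a small constructed model of zone-to-zone rule evaluation. It is an added example, not SonicWall's code; the zone names, trust levels and rule priorities are assumptions chosen to mirror the OP's scenario.

```python
from dataclasses import dataclass

# Constructed model of zone-to-zone access-rule evaluation; an assumption for
# illustration, not SonicWall's own rule engine.

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # "any" or a named service such as "dhcp"
    action: str    # "allow" or "deny"
    priority: int  # lower number is evaluated first

# Trust level per zone, as set on the Zone configuration page (constructed sample).
ZONE_TRUST = {"LAN": "Trusted", "VOIP": "Trusted", "IOT": "Public", "WAN": "Untrusted"}

def auto_rules(zone_trust, same_trust_enabled):
    """Emulate 'Auto-generate Access Rules to allow traffic between zones of the
    same trust level': one allow-any rule per ordered pair of zones sharing a level."""
    if not same_trust_enabled:
        return []
    return [Rule(a, b, "any", "allow", priority=1000)
            for a in zone_trust for b in zone_trust
            if a != b and zone_trust[a] == zone_trust[b]]

def evaluate(rules, src_zone, dst_zone, service):
    """First matching rule in priority order wins; no match falls through to the
    implicit Drop All at the end of the ruleset, so no clean-up deny is required."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.service in ("any", service)):
            return r.action
    return "implicit-drop"

# The OP's IOT -> LAN case: allow DHCP at higher priority, deny everything else.
CUSTOM = [Rule("IOT", "LAN", "dhcp", "allow", priority=5),
          Rule("IOT", "LAN", "any", "deny", priority=10)]

def decide(same_trust_enabled, src, dst, service, custom=CUSTOM):
    """Decision for one flow given the auto-generate checkbox state and custom rules."""
    return evaluate(custom + auto_rules(ZONE_TRUST, same_trust_enabled), src, dst, service)

if __name__ == "__main__":
    for flag in (True, False):
        print("same-trust auto rules:", flag,
              "| LAN->VOIP http:", decide(flag, "LAN", "VOIP", "http"),
              "| IOT->LAN http:", decide(flag, "IOT", "LAN", "http"),
              "| IOT->LAN dhcp:", decide(flag, "IOT", "LAN", "dhcp"))
```

With the checkbox ticked, LAN and VOIP (both "Trusted") reach each other through a rule that never appears in your custom list; with it unticked, the same flow hits the implicit drop.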