Blacklisted IP Address Object

tnywatkns

Greetings, one of my firewalls has been subject to numerous port scans from two IPs over the past several days. I intended to create an address object and block them following these instructions:

https://www.sonicwall.com/support/knowledge-base/using-firewall-access-rules-to-block-incoming-and-outgoing-traffic/170503532387172#Resolution2

However, creating a per entry per IP sounds cumbersome and I'd rather make an address group and then chuck the blocked address in there. Is this possible on SonicWall's? I am new to managing SonicWall appliances. I appreciate and help and direction.

Arkwright

Yes, groups are used instead of individual objects, when all members of the group should be treated the same. Which is not to say that blocking IPs that do ports scans is a worthwhile use of your time :D

tnywatkns

https://community.sonicwall.com/technology-and-support/discussion/comment/22456#Comment_22456

Looking at some other sites I'm seeing port scans are frequent. Along that same subject, where can I go to see which ports the firewall is listening on? Apologies for the likely 101 questions but I've taken over for place who hasn't had any IT for a few months with no documentation.

Arkwright

Management services are enabled per-interface [look at checkboxes]. Each one enabled then creates access rules in that zone [look at WAN→WAN access rules]

Other services:

• SSLVPN, this is enabled in the SSLVPN settings per-zone. Again, enabling creates rules as above.
• DNS proxy? I am not sure if it's possible to enable this on the WAN.

I can't think of any other services that the firewall listens on. There may be others.

Other inbound services to devices on your LAN can be enabled with custom NAT policies + and a matching zone→zone access rule.

To summarise the above - firewall doesn't listen for or allow in anything by default, it all has to be done manually [which is as it should be!].