
Restrict SSLVPN access based on Source WAN IPs?

radersupport Newbie ✭

Hi, I'm wondering if there's a way for me to restrict access to the SSL VPN based on a group of whitelisted WAN IPs? The default access rule allows 0.0.0.0/0 access from SSLVPN to VPN, and I'm unable to edit that source group. So I thought maybe a WAN to SSLVPN deny/allow rule combo might work... but I get a 'rule overlap' error.

Any help would be appreciated.

Thanks

Category: SSL VPN
Answers

  • Saravanan Moderator
    edited July 3

    Hi @RADERSUPPORT,

    Thanks for reaching out to us on Community.

    We should be able to restrict the access to users based on their public IPs. Please check the default WAN to WAN SSLVPN rule, that is, "Any, WAN Interface IP, SSLVPN, Allow", and check if you have an option to change the Source field to a custom address object/group.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • radersupport Newbie ✭

    Thanks for the quick response @Saravanan

    I'm still having a bit of trouble - this WAN to WAN rule doesn't seem to allow much tweaking, and I'm unable to change it to 'deny'. Forgive my inexperience, but would you be a bit more explicit on the method? Thank you.


  • Saravanan Moderator

    @RADERSUPPORT - Thanks for your immediate response.

    Please try the steps below and you should be all set with the requirement.

    • Once logged into your firewall, replace the keyword main in the URL with diag (for example: https://ipaddress/diag.html) and hit enter.
    • Click on Internal Settings and search for the section Firewall Settings.
    • Enable the checkbox "Enable the ability to remove and fully edit auto-added access rules".
    • Click Accept.
    • Navigate to the Rules | Access Rules page and visit the WAN to WAN rules section.
    • Now, you should be able to change the rule's Source to any custom address objects/groups.
    • After modifying the access rule, please save the rule accordingly.

    You are all set then.

    Note: Once done with the rule changes, please revisit the diag page and deselect the option "Enable the ability to remove and fully edit auto-added access rules". Click Accept.

    The modified rule should remain the same even after disabling the option from the diag page.

    Hope this helps.

    I'm moving this topic to the QA category since your post is more of a question, and I do this for tracking purposes.

    Have a good day!!!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
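To make the effect of that edit concrete, here is a small Python model of first-match zone-to-zone rule evaluation. It is added here for illustration; it is not SonicOS code and not from the thread. It assumes the rule field layout from Saravanan's post ("Any, WAN Interface IP, SSLVPN, Allow") and uses constructed documentation ranges as the allow-list address group.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    """Simplified model of one zone-to-zone access rule (not SonicOS code)."""
    src_zone: str
    dst_zone: str
    service: str
    action: str                                   # "allow" or "deny"
    source: list = field(default_factory=lambda: ["0.0.0.0/0"])  # "Any"

    def matches(self, src_zone, dst_zone, service, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.service == service
                and any(ip in ipaddress.ip_network(n) for n in self.source))

def evaluate(rules, src_zone, dst_zone, service, src_ip):
    """First matching rule wins; no match means the implicit deny applies."""
    for r in rules:
        if r.matches(src_zone, dst_zone, service, src_ip):
            return r.action
    return "deny (implicit)"

# The auto-added rule from the thread: Any -> WAN Interface IP, SSLVPN, Allow.
DEFAULT_RULE = Rule("WAN", "WAN", "SSLVPN", "allow")

# The same rule after its Source is replaced by a custom address group.
# Both ranges are constructed sample values (RFC 5737 documentation space).
ALLOWED_OFFICES = ["198.51.100.0/24", "203.0.113.7/32"]
EDITED_RULE = Rule("WAN", "WAN", "SSLVPN", "allow", source=ALLOWED_OFFICES)

def sslvpn_decision(rule, src_ip):
    """Decision for an SSLVPN connection arriving on WAN from src_ip."""
    return evaluate([rule], "WAN", "WAN", "SSLVPN", src_ip)

if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.7", "192.0.2.99"):
        print(ip, "default:", sslvpn_decision(DEFAULT_RULE, ip),
              "| edited:", sslvpn_decision(EDITED_RULE, ip))
```

Addresses outside the group fall through to the implicit deny, which is the behaviour to confirm from an external address after saving the edited rule.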

  • radersupport Newbie ✭

    @Saravanan It doesn't look like I have that option in internal settings


  • Saravanan Moderator

    @RADERSUPPORT - Luckily we have a KB article on the default access rule edit. I have got it for your reference. This KB would be useful for you in such future scenarios 🙂


    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Saravanan Moderator

    @RADERSUPPORT - Please share your device model and firmware version on it.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • radersupport Newbie ✭

    It's a TZ 215 on firmware SonicOS Enhanced 5.9.1.13-5o

  • radersupport Newbie ✭

    Thanks for all of your help @Saravanan

  • Saravanan Moderator

    You are most welcome @RADERSUPPORT. Thanks for providing us an opportunity to serve you.

    Have a better day.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
