Restrict SSLVPN access based on source WAN IPs?
Hi, I'm wondering if there's a way for me to restrict access to the SSL VPN based on a group of whitelisted WAN IPs? The default access rule allows 0.0.0.0/0 access from SSLVPN to VPN, and I'm unable to edit that source group. So I thought maybe a WAN to SSLVPN deny/allow rule combo might work... but I get a 'rule overlap' error.
Any help would be appreciated.
Thanks
Best Answer
Saravanan (Moderator)
Hi @radersupport,
Unfortunately, Gen 5 and Gen 5.5 firewalls do not come with an option to tweak the default rules/policies, which is why we are not seeing the prescribed option on your TZ 215 (Gen 5.5) device. The feature is available from Gen 6 firewalls onward. The alternative way of accomplishing your requirement is to use a Geo-IP filter applied to an access rule. At least this way you should be able to control the source IPs to an extent. Please refer to the KB article below for instructions on configuring the Geo-IP filter feature using access rules.
Since we are applying Geo-IP based on an access rule, only the Geo-IP-enabled access rule is affected and other rules are not. We have two ways of achieving your requirement here:
- Block all countries in the WAN to WAN SSLVPN access rule and exclude only the SSLVPN users' public IP addresses in the Geo-IP filter. (or)
- Allow, in the WAN to WAN SSLVPN access rule, only the countries the SSLVPN users' public IP addresses belong to.
I understand that this is a rather long approach; we are taking it because the TZ 215 and other Gen 5 and 5.5 firewalls have a limitation with the easier configuration proposed previously.
If you are planning to move to Gen 6 firewalls, you can perform a product Secure Upgrade. Please see the web link below for more information.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
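To make the difference between the two options concrete, here is an added example (not SonicWall code and not from the moderator's answer) that models first-match access-rule evaluation for the WAN to WAN SSLVPN rule. It compares the Gen 6 approach (Source changed to a custom address object group) with the two Geo-IP variants described above. The address group members, the SSLVPN port (SonicOS default 4433) and the Geo-IP country table are constructed for the example; a real firewall uses the vendor Geo-IP database and its own rule engine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SSLVPN_PORT = 4433  # SonicOS default SSL VPN port (assumption for the example)

# Constructed Geo-IP table; real firewalls use a vendor country database.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
}


def country_of(ip: str) -> str:
    """Return the country code of an address from the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


@dataclass
class AddressGroup:
    """An address object group: members are networks (Host = /32) or (start, end) ranges."""
    name: str
    members: list

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for m in self.members:
            if isinstance(m, tuple):
                if m[0] <= addr <= m[1]:
                    return True
            elif addr in m:
                return True
        return False


@dataclass
class AccessRule:
    source: Optional[AddressGroup]          # None means Source = Any
    dst_port: int
    action: str                             # "allow" or "deny"
    geoip_allow: Optional[set] = None       # countries allowed on this rule only
    geoip_exclude: Optional[AddressGroup] = None  # addresses exempt from the Geo-IP check

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if dst_port != self.dst_port:
            return False
        return self.source is None or self.source.contains(src_ip)


def evaluate(rules: list, src_ip: str, dst_port: int) -> str:
    """First matching rule decides; no match falls through to the implicit deny."""
    for rule in rules:
        if not rule.matches(src_ip, dst_port):
            continue
        if rule.geoip_allow is not None:
            exempt = rule.geoip_exclude is not None and rule.geoip_exclude.contains(src_ip)
            if not exempt and country_of(src_ip) not in rule.geoip_allow:
                return "deny"  # Geo-IP filter blocks the connection on this rule
        return rule.action
    return "deny"


# Constructed allowlist: one host object and one range object.
SSLVPN_USERS = AddressGroup("SSLVPN_Users", [
    ipaddress.ip_network("203.0.113.10/32"),
    (ipaddress.ip_address("198.51.100.20"), ipaddress.ip_address("198.51.100.29")),
])

# The auto-added rule: Any -> WAN Interface IP, SSLVPN, Allow.
DEFAULT_POLICY = [AccessRule(source=None, dst_port=SSLVPN_PORT, action="allow")]


def gen6_policy() -> list:
    """Option A (Gen 6+): edit the auto-added rule and narrow its Source."""
    return [AccessRule(source=SSLVPN_USERS, dst_port=SSLVPN_PORT, action="allow")]


def gen5_block_all_except() -> list:
    """Option B1 (Gen 5/5.5): block all countries, exclude the users' public IPs."""
    return [AccessRule(source=None, dst_port=SSLVPN_PORT, action="allow",
                       geoip_allow=set(), geoip_exclude=SSLVPN_USERS)]


def gen5_allow_countries() -> list:
    """Option B2 (Gen 5/5.5): allow only the countries the users connect from."""
    return [AccessRule(source=None, dst_port=SSLVPN_PORT, action="allow",
                       geoip_allow={"US"})]
```

Running `evaluate` against each policy shows why the answer says Geo-IP controls sources only "to an extent": option B2 still admits 203.0.113.11, an unlisted address in an allowed country, whereas options A and B1 both reject it. A deny rule added after the default Any rule never changes the outcome under first-match evaluation, which is the same reason the firewall reports the overlap instead of silently accepting it.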
Hi @RADERSUPPORT,
Thanks for reaching out to us on Community.
We should be able to restrict access to users based on their public IPs. Please check the WAN to WAN default SSLVPN rule, that is, "Any, WAN Interface IP, SSLVPN, Allow", and check if you have an option to change the Source field to a custom address object/group.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thanks for the quick response @Saravanan
I'm still having a bit of trouble - this WAN to WAN rule doesn't seem to allow much tweaking, and I'm unable to change it to 'deny'. Forgive my inexperience, but would you be a bit more explicit on the method? Thank you.
@RADERSUPPORT - Thanks for your immediate response.
Please try the steps below and you should be all set with the requirement.
You are all set then.
Note: Once done with the rule changes, please revisit the diag page and deselect the option "Enable the ability to remove and fully edit auto-added access rules". Click Accept.
The modified rule should remain same even after disabling the option from diag page.
Hope this helps.
I'm moving this topic to QA category since your post is more of a question and I do this for tracking purpose.
Have a good day!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@Saravanan It doesn't look like I have that option in internal settings
@RADERSUPPORT - Luckily we have a KB article on editing the default access rules. I have attached it for your reference. This KB would be useful for you in such future scenarios 🙂
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@RADERSUPPORT - Please share your device model and firmware version on it.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
It's a TZ 215 on firmware SonicOS Enhanced 5.9.1.13-5o
Thanks for all of your help @Saravanan
You are Most Welcome @RADERSUPPORT. Thanks for providing us an opportunity to serve you.
Have a better day.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
I have a SonicWall TZ570 and I am not getting the main.html URL after logging into 192.168.1.1?