SD-WAN - Default Access Rules

Hey there,
I think there is a massive malfunction in the automatic firewall rule creation of SDWAN.
It is the same behavior in all SonicWall OS7x and I have no idea why it was programmed that way.
An "SDWAN Group" (e.g. with 2 tunnel interfaces) is built. Then a "Path Selection Profile". Everything is good so far. If you now create an SDWAN rule, e.g. from a secured zone (ITSec network) to the remote station (VPN network), TWO firewall rules are automatically created.
1. ITSec network to VPN network with Any allow (as far as OK)
2. VPN network to ITSec network with Any allow (this must not happen automatically).
The firewall rules are thus opened in both directions.
In the diag site I enabled the option "Enable the ability to remove and fully edit auto-added access rules" so I can delete the wrong direction. But if I change the SDWAN rule (just a sign in the comment) then both rules were created again.
For special SDWAN rules like ANY to VPN (default route just like "tunnel all") it means that automatically rules from VPN to ANY (VPN to WAN, VPN to LAN, VPN to DMZ…) were created, too.
If I build a routing rule for the route type SD-WAN I have the same behavior. Two or more firewall rules were created.
Can someone explain this? Am I misunderstanding SDWAN in SonicWall firewalls?
Greetings from the sunny North of Germany,
Sebastian
Answers
SonicWall will automatically create Access Rules based on settings in various locations (it is a Zone-based firewall). If you do not want Access Rules automatically created for certain Zones, edit the Zone (via Objects \ Match Objects \ Zone) and disable the 'auto-generate access rules…' options.
There is also an option in Site to Site VPNs to disable automatic Access Rule creation. I know this doesn't apply to your situation but I want to be thorough.