
Block all service port exclude some service port

Fansa Newbie ✭
edited August 2021 in Mid Range Firewalls

Hi All,

I have 2 internal servers connected to a SonicWall TZ400 using VLANs. My goal is to block all service ports except some, such as 8080, 80 and 443, and for the excluded service ports I have already created a service group.


FYI, I have already created the configuration in the access rules as in the screenshot, where I created 2 rules each and had to set the priority too. But it still doesn't work well.


Need your help guys for this case.


Many Thanks,

Fansa


Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Fansa, if DC and DRC are in the same subnet, the packets between these two hosts will never touch the firewall because of subnet routing.

    --Michael@BWC

  • Fansa Newbie ✭

    Hi @BWC


    The topology is SonicWall - unmanaged switch - 2 servers. DRC uses VLAN 11 & DC uses VLAN 12 (trunk). Both VLANs are from the SonicWall.

    If this scenario doesn't work, do you have any suggestion?


    Thanks,

    Fansa

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Fansa, ok then, I guess you have Interface Trust enabled and have X0:V11 and X0:V12 (or any other interface) put into the LAN zone? If Interface Trust is enabled, all the traffic between these interfaces is allowed and your block rule does not catch it.

    Can you try disabling Interface Trust in the Zone settings for the LAN zone?

    --Michael@BWC

  • Fansa Newbie ✭
    edited August 2021

    Hi @BWC

    Here's what I configured on our interface.

    For disabling "interface trust zone", do you mean I have to create a new custom zone?

    Or just uncheck "Allow Interface Trust"?

    Because we can't change the "security type" on the LAN zone...


    Thanks,

    Fansa

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @Fansa, you can disable Interface Trust for the LAN zone if you wanna control traffic between these interfaces. Without disabling this option the firewall does not check the traffic between them. IMHO there is no need for a new custom zone, unless you have other interfaces bound to this zone as well that need Interface Trust. Then you have to create a new one.

    --Michael@BWC
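To make the behaviour discussed in this thread concrete, here is a small Python model of the scenario: two VLAN sub-interfaces (X0:V11 for DRC, X0:V12 for DC) in the LAN zone, one LAN-to-LAN allow rule for the service group {80, 443, 8080} and one LAN-to-LAN deny-all rule, evaluated with and without "Allow Interface Trust". This is an added illustration, not code from the thread or from SonicWall; the rule semantics it assumes (lower priority number evaluated first, first match wins, implicit deny, and the Interface Trust shortcut that lets same-zone traffic bypass the custom rules, as BWC describes) are modelled from the discussion, and the interface and zone names are taken from the posts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The poster's service group of ports that must stay reachable (from the thread).
ALLOWED_SERVICES: Set[int] = {80, 443, 8080}


@dataclass
class Rule:
    priority: int              # lower number = evaluated earlier (assumption)
    src_zone: str
    dst_zone: str
    ports: Optional[Set[int]]  # None means "any service"
    action: str                # "allow" or "deny"


@dataclass
class Zone:
    name: str
    interface_trust: bool      # the "Allow Interface Trust" checkbox


@dataclass
class Firewall:
    zones: Dict[str, Zone]
    iface_zone: Dict[str, str]  # sub-interface -> zone name
    rules: List[Rule]

    def evaluate(self, src_iface: str, dst_iface: str, dst_port: int) -> str:
        src_zone = self.iface_zone[src_iface]
        dst_zone = self.iface_zone[dst_iface]
        # Modelled shortcut from the thread: with Interface Trust on, traffic
        # between interfaces of the same zone is allowed without consulting
        # the custom rules, so a LAN->LAN deny rule never sees it.
        if src_zone == dst_zone and self.zones[src_zone].interface_trust:
            return "allow (interface trust)"
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
                continue
            if rule.ports is not None and dst_port not in rule.ports:
                continue
            return rule.action
        return "deny (implicit)"


def build_firewall(interface_trust: bool, allow_first: bool = True) -> Firewall:
    """X0:V11 (DRC) and X0:V12 (DC) in LAN, plus the two LAN->LAN rules the
    poster describes. allow_first controls which rule gets the higher priority."""
    lan = Zone("LAN", interface_trust)
    allow = Rule(1 if allow_first else 2, "LAN", "LAN", ALLOWED_SERVICES, "allow")
    deny = Rule(2 if allow_first else 1, "LAN", "LAN", None, "deny")
    return Firewall(
        zones={"LAN": lan},
        iface_zone={"X0:V11": "LAN", "X0:V12": "LAN"},
        rules=[allow, deny],
    )


def drc_to_dc(fw: Firewall, port: int) -> str:
    """Verdict for a packet from the DRC VLAN to the DC VLAN on dst_port."""
    return fw.evaluate("X0:V11", "X0:V12", port)


if __name__ == "__main__":
    for trust in (True, False):
        fw = build_firewall(interface_trust=trust)
        for port in (8080, 3389):
            print(f"trust={trust!s:5} port={port}: {drc_to_dc(fw, port)}")
    # Rule order matters once the trust shortcut is gone: a deny-all rule
    # placed above the allow rule swallows the allowed ports as well.
    print("deny first, port 8080:", drc_to_dc(build_firewall(False, allow_first=False), 8080))
```

With Interface Trust enabled every DRC-to-DC packet comes back as allowed regardless of the rules, which is the symptom in the original post; with it disabled, the allow rule must sit above the deny-all rule for 8080/80/443 to pass while everything else is dropped, which is why the priority of the two rules matters.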
