Access rules sometimes don't work
RikimaruHonjo
Newbie ✭
Hi,
I'm using an NSA 2600 with SonicOS Enhanced 6.2.7.1-23n. (Sorry, this is an old version.)
I registered the following access rules. I'd like to create a whitelist for accessing the WAN from the LAN.
- Destination=FQDN Address object (e.g. api.github.com)
- Action=allow
- Service=Any
But "connection refused" occurs occasionally when I access the allowed FQDN. It looks like "connection refused" doesn't occur if I also permit the IP address of the FQDN.
Are there any configurations to try?
Category: Entry Level Firewalls
Answers
Hi @RikimaruHonjo
Please follow the list below.
1) Check that the access rule order is correct (WAN to LAN).
2) Check for DNS resolve issues: does the DNS server resolve the IP properly?
3) Why do you use a WAN to LAN access rule on the network? Do you have an on-prem GitHub repository? If the inbound server has outbound access, you don't need this rule.
4) Check the logs when access is blocked.
5) Try packet capture tools for the problem, save the pcap file and, if possible, share it here.
Hi @MitatOnge ,
>1) Check that the access rule order is correct (WAN to LAN).
>4) Check the logs when access is blocked.
>5) Try packet capture tools for the problem, save the pcap file and, if possible, share it here.
OK, I will confirm these points after this.
>2) Check for DNS resolve issues: does the DNS server resolve the IP properly?
I use 8.8.8.8 and 8.8.4.4, and DNS resolve issues don't occur.
>3) Why do you use a WAN to LAN access rule on the network? Do you have an on-prem GitHub repository? If the inbound server has outbound access, you don't need this rule.
My company requires the following rules for my environment.
Observe the notes there about how the firewall harvests DNS responses. If you make sure clients are using the same DNS servers as the SonicWall itself, then it is much more likely that both the firewall and the client will agree on which IP a hostname resolves to, and that the rule will then work as expected. This is really more relevant with hosted services that resolve to many different IP addresses.
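The following is an added simulation, written for this thread and not SonicWall's code, of the mechanism described in the answer above (and of point 2 of the checklist earlier in the thread): an FQDN address object only contains the addresses the firewall has learned from DNS answers, so a client that resolves the same hostname through a different DNS server can receive an address the object does not yet contain, and its connection intermittently misses the allow rule. The address pool uses constructed TEST-NET-1 addresses, the round-robin resolver is a toy, and it is an assumption of the model that the firewall harvests only answers served by its own configured DNS servers. The third scenario models the original poster's workaround of additionally permitting the IP addresses themselves.

```python
"""Constructed simulation (not SonicWall code) of an FQDN address object that is
populated from DNS answers the firewall sees, and of why clients that use a
different DNS server can intermittently miss an allow rule built on it."""

# Constructed pool: a hosted service answering with a rotating address from
# TEST-NET-1 (RFC 5737). Real CDN-hosted names rotate between many addresses.
ADDRESS_POOL = {
    "api.github.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"],
}


class Resolver:
    """Toy DNS server: each query for a host returns the next address in rotation."""

    def __init__(self, name, pool):
        self.name = name
        self.pool = pool
        self.cursor = {}  # host -> index of the next address to hand out

    def resolve(self, host):
        ips = self.pool[host]
        i = self.cursor.get(host, 0)
        self.cursor[host] = (i + 1) % len(ips)
        return ips[i]


class FqdnAddressObject:
    """Address object for one hostname: the set of IPs the firewall has learned so far."""

    def __init__(self, host):
        self.host = host
        self.learned = set()

    def harvest(self, host, ip):
        # Only answers for this object's own hostname populate it.
        if host == self.host:
            self.learned.add(ip)

    def matches(self, ip):
        return ip in self.learned


class Firewall:
    """Allow rule 'LAN -> WAN, destination = FQDN object', optionally plus static IP objects."""

    def __init__(self, host, own_resolver, static_allow=()):
        self.obj = FqdnAddressObject(host)
        self.own_resolver = own_resolver
        self.static_allow = set(static_allow)
        # The firewall resolves the FQDN itself through its configured DNS server.
        self.obj.harvest(host, own_resolver.resolve(host))

    def client_connect(self, host, client_resolver):
        """Client resolves `host` via `client_resolver` and connects; returns (ip, allowed)."""
        ip = client_resolver.resolve(host)
        # Assumption of this model: the firewall harvests a DNS answer only when
        # it was served by the firewall's own DNS server.
        if client_resolver is self.own_resolver:
            self.obj.harvest(host, ip)
        allowed = self.obj.matches(ip) or ip in self.static_allow
        return ip, allowed


def run(client_resolver, firewall, attempts=4):
    """Outcomes of repeated client connections as a list of (ip, allowed)."""
    return [firewall.client_connect("api.github.com", client_resolver) for _ in range(attempts)]


def scenario_different_dns():
    """Client uses 8.8.8.8-style public DNS, firewall uses another server: rotations disagree."""
    fw_dns = Resolver("firewall-dns", ADDRESS_POOL)
    client_dns = Resolver("client-dns", ADDRESS_POOL)
    client_dns.cursor["api.github.com"] = 2  # client's rotation starts at a different offset
    return run(client_dns, Firewall("api.github.com", fw_dns))


def scenario_same_dns():
    """Client and firewall share one DNS server: every client answer is harvested first."""
    shared_dns = Resolver("shared-dns", ADDRESS_POOL)
    return run(shared_dns, Firewall("api.github.com", shared_dns))


def scenario_static_ip_workaround():
    """Original poster's workaround: also permit the service's IP addresses directly."""
    fw_dns = Resolver("firewall-dns", ADDRESS_POOL)
    client_dns = Resolver("client-dns", ADDRESS_POOL)
    client_dns.cursor["api.github.com"] = 2
    fw = Firewall("api.github.com", fw_dns, static_allow=ADDRESS_POOL["api.github.com"])
    return run(client_dns, fw)


if __name__ == "__main__":
    for name, scenario in [("different DNS", scenario_different_dns),
                           ("same DNS", scenario_same_dns),
                           ("static IP workaround", scenario_static_ip_workaround)]:
        print(name, ["%s:%s" % (ip, "allow" if ok else "drop") for ip, ok in scenario()])
```

In the first scenario three of four connections are dropped even though the FQDN rule is correct, which is the "occasionally refused" symptom reported above; in the second the same rule passes every connection, because the firewall sees each answer before the client uses it. Comparing what the client's resolver and the firewall's resolver return for the hostname (checklist point 2) is the quickest way to tell which scenario a real deployment is in.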