TZ470W - how to validate configuration?
So another exclusion problem. We use the 'ADP Payroll' service. If you try to log on to that service, the firewall will block the site: IPS Prevention Alert: INFO Obfuscated VBScript/JavaScript Code 31, SID: 13660. So created an address object for *.adp.com and added that to the list for IPS exceptions. And it doesn't work - site is still blocked with the same message. Now the System Log doesn't list the FQDN - it lists the IP-address: 195.200.254.251. So created an address object for this and also added it to the IPS exception list. Still no luck. Well, maybe I should leave out the asterisk in the address object for the FQDN, so I changed that to adp.com. Doesn't make a difference. Still blocked with the same message.
There are issues with exclusions on other fronts as well. So I wonder if there's a configuration problem. When I set up the TZ470, I imported the settings from our TZ400 appliance. Don't know if that's a cause for problems, but I wonder if there's a way to validate the configuration?
Best Answer
Larry All-Knowing Sage ✭✭✭✭
The TSR contains useful information. The upside is that all your modifications are there. The downside is that it contains all the default stuff from SonicWall - and wading through that is a chore.
I'm taking the dual screen approach to manually rebuilding. On one screen I've got the existing TZ Gen 6.5 device. On another screen I'm remotely connected to a laptop linked to the Gen 7 device. I set both devices to use the "classic" menu mode and I scroll down the left-hand side menu topic-by-topic and then screen-by-screen, switching between the two devices as needed.
Note: I have previously documented all of the expected and standardized Address Objects and Groups, so that makes things easier for me.
I'm also reconfiguring the networks at these sites, so using the Migration Tool would have propagated stuff I would have to delete and re-work. I've also decided NOT to check the automatic creation of firewall rules. Instead, I'm building the explicit ones I need so as not to have more clutter than necessary (e.g., DMZ rules when no DMZ zone is in use at either site).
Hope that helps.
Answers
@Simon_Weel Regarding your statement: "I imported the settings from our TZ400 appliance"
See my comment in this thread: https://community.sonicwall.com/technology-and-support/discussion/4800/new-tz350-cant-upload-firmware-update#latest
Forgot to mention - I did use the Migration Tool.
Well, that's a major difference.
Note that this SID (13660) is Low Priority. Do you happen to have Prevent enabled or not in your settings? And how do the Gen 7 settings compare with your previous device?
The only way I know to "validate" this stuff is to push out a TSR from each device - one from the old, and one from the new immediately after migration and compare them. It's awful, awkward work, but sometimes it pays off.
Or, as many have already pointed out to me: Build the Gen 7 from scratch (which is the approach I'm taking with two new TZ670 devices for clients).
As for IPS - I have set to block Low Priority Attacks as well. I'll see what happens if I switch that off.
Comparing the settings between both models is no longer an option, I think, since there have been so many changes.
I was thinking along the lines of rebuilding the thing, but I wonder if that will fix the problems - I guess we have to experience that. As for a rebuild, what's the best way to gather all current settings? Does a TSR churn out all settings?
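The TSR-to-TSR comparison suggested in the thread, sketched as an added example (not code from the posters or from SonicWall): it splits two exported reports into sections and returns only the sections that differ, so default content that is identical on both devices drops out. The `_START`/`_END` section markers, the volatile-line list and the sample text are assumptions constructed for illustration; adjust them to the actual exports.

```python
import difflib
import re

# Assumed section marker, e.g. "#Security Services : IPS_START" (hypothetical).
SECTION_RE = re.compile(r"^#(?P<name>.+)_START\s*$")
# Lines that differ between any two devices and only add noise (constructed).
VOLATILE_RE = re.compile(r"^(Up Time|Serial Number)\b", re.I)

def split_sections(text):
    """Return {section name: [stripped lines]} for one exported report."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group("name").strip()
            sections.setdefault(current, [])
        elif line and not line.endswith("_END") and not VOLATILE_RE.match(line):
            sections.setdefault(current, []).append(line)
    return sections

def compare_reports(old_text, new_text):
    """Return {section: [+/- lines]} for sections that differ between reports."""
    old, new = split_sections(old_text), split_sections(new_text)
    report = {}
    for name in sorted(set(old) | set(new)):
        a, b = old.get(name, []), new.get(name, [])
        if a != b:
            # Drop the two file-header lines and the "@@" hunk markers.
            diff = list(difflib.unified_diff(a, b, lineterm="", n=0))[2:]
            report[name] = [d for d in diff if not d.startswith("@@")]
    return report

# Constructed sample text, not real TSR output.
OLD_SAMPLE = """\
#System : Status_START
Up Time: 12 Days
#System : Status_END
#Security Services : IPS_START
Prevent Low Priority Attacks: Off
IPS Exclusion Group: ADP-Exclusions
#Security Services : IPS_END
#Network : Address Objects_START
ADP-FQDN  FQDN  *.adp.com  WAN
#Network : Address Objects_END
"""
NEW_SAMPLE = (OLD_SAMPLE.replace("12 Days", "0 Days").replace(": Off", ": On")
              .replace("Group: ADP-Exclusions", "Group: (none)"))
if __name__ == "__main__":
    for section, lines in compare_reports(OLD_SAMPLE, NEW_SAMPLE).items():
        print(f"[{section}]", *lines, sep="\n  ")
```

On the constructed sample only the IPS section is reported; the uptime line is filtered out and the unchanged address-object section is skipped.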