SSL Certificate PKI-validation

I'm trying to install an SSL certificate on my SonicWall firewall so that I can resolve a vulnerability reported by CISA in their weekly scans. However, it seems that in order to get the cert installed the provider requires access to a PKI-validation file. I can understand how this works in IIS with a server file, but how do I get a validation/confirmation for the provider when there's only the SonicWall and no web server behind it?


Thanks!

Category: Entry Level Firewalls

Answers

  • MustafaA SonicWall Employee

    @billmayer if you are referring to the CA (Certificate Authority) as the provider, all you need is the CSR (Certificate Signing Request), which can be generated either on the firewall or with third-party tools such as OpenSSL, PowerShell, etc. If you are referring to something different, please clarify and share more details.

  • billmayer Newbie ✭

    Thanks for the quick response. Here are the vulnerabilities identified by CISA:

    What is your recommendation to resolve these related to SSL? Additionally thoughts on resolving the TLS vulnerability?

    Thanks again,

  • Arkwright All-Knowing Sage ✭✭✭✭



    But perhaps what would be even more secure than either of those would be to restrict access to the firewall so that it cannot be reached from the internet. There is definitely no need for management to be open to everywhere, but if you're using the SSLVPN service on the firewall then you cannot turn that off.

  • MustafaA SonicWall Employee

    Option 1:

    If you are not using either HTTPS or SSLVPN, then simply disable those services.

    Option 2:

    Don't leave access to the HTTPS Management and/or the SSLVPN ports wide open. Use a WAN to WAN Access Rule to limit access based on source IP addresses. If you have remote users utilizing SSLVPN and they have changing public IPs, you can use Dynamic DNS client applications to identify remote users' public IP addresses and still limit access with the WAN to WAN Access Rule based on the Dynamic DNS names of the remote users.

    Option 3:

    If you want to use HTTPS Management and/or SSLVPN Ports, and leave it wide open, then purchase a CA-signed certificate instead of using the self-signed certificate.

    On the firewall you have the option to disable TLS 1.1, and you can even select which ciphers to use/block under Cipher Control.

  • billmayer Newbie ✭

    Hello


    HTTPS and SSLVPN are not enabled on the WAN interface yet I'm still getting the errors identified by CISA as shown previously. Any other suggestions will be greatly appreciated.

  • MustafaA SonicWall Employee
    edited May 2023

    @billmayer, please check the scanned port that is associated with the report. Do you have any port forwarding for that? Also, please ensure the report is for the correct firewall. Trust me, I've seen such mistakes, and not just a few.

    Otherwise, create a web case and attach the Scan Report, TSR, and EXP files to be reviewed.
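
For the step of checking which scanned port the findings belong to, the following added example (not part of the thread and not SonicWall tooling) probes ports on your own WAN address and reports whether each one presents an untrusted certificate or still negotiates TLS 1.0/1.1. The function names are hypothetical, the numeric codes are OpenSSL's verify error codes, and the legacy probe assumes the local OpenSSL build still ships TLS 1.0/1.1.

```python
import socket
import ssl
import sys

# OpenSSL verify codes a scanner typically reports as an untrusted certificate.
UNTRUSTED = {10: "certificate has expired", 18: "self-signed certificate",
             19: "self-signed certificate in chain", 20: "issuer not in trust store"}

def cert_verify_code(host, port, timeout=5):
    """0 = chain trusted, >0 = OpenSSL verify error, None = no TLS service answered."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the scan targets an IP, so only the chain is judged
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return 0
    except ssl.SSLCertVerificationError as err:
        return err.verify_code
    except OSError:  # refused, timed out, or not speaking TLS 1.2+
        return None

def legacy_version(host, port, timeout=5):
    """Protocol negotiated when the client offers nothing newer than TLS 1.1, else None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the protocol version matters for this probe
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # assumption: local OpenSSL allows TLS 1.0/1.1
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ValueError):
        return None

def findings(verify_code, legacy):
    """Turn the two probe results into the findings a scan report would list."""
    if verify_code is None and legacy is None:
        return ["no TLS service on this port"]
    out = [UNTRUSTED.get(verify_code, f"verify error {verify_code}")] if verify_code else []
    if legacy:
        out.append(f"accepts {legacy}")
    return out or ["CA-trusted certificate, TLS 1.2 or newer only"]

if __name__ == "__main__":
    host = sys.argv[1]  # your own WAN IP, then the ports named in the scan report
    for port in map(int, sys.argv[2:]):
        print(port, findings(cert_verify_code(host, port), legacy_version(host, port)))
```

Run it from outside the network against the ports listed in the scan report; a port that answers while HTTPS management and SSLVPN are disabled on the WAN points to a port-forwarded internal host or a different device.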
