audit firewall
Hello community!
I am the new administrator of a company. Currently we have 5 WAN links, each one with its own use (VPN, mail server, etc.). We have a new connection (Colt), and we will need to terminate 3 of them.
I need to carry out a complete audit of the network and of these current links, to know how to move all the services they carry onto the new link. Could I have an approach on how to do this on a SonicWall?
Thank you!
I'm on SonicOS 7, NSa 2700.
Best Answer
Arkwright All-Knowing Sage ✭✭✭✭
This kind of question is really too vague to work as a forum discussion.
I would start with using the Connection Monitor and filtering on each WAN interface. Identify what traffic is on there. Move those services over to your new WAN. Keep watching for connections on your old WANs; you should see them reducing in number as your services are moved over. Eventually there will be so few connections that a packet capture would be required to spot what is left.
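The per-WAN inventory described in the answer above, as an added example that is not part of the original thread: it tallies the services seen on each WAN interface from a Connection Monitor export, then compares two snapshots so you can watch the old links empty out. The CSV column names are an assumption for this example (match them to the header of your own export), the interface names X1 to X4 and both sample exports are constructed, and the answer's caveat still holds: only allowed flows appear here, so an empty result is not proof that nothing is knocking.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample exports of the Connection Monitor, one before and one
# partway through the migration. The column names are an assumption for this
# example: match them to the header of your own export.
SNAPSHOT_BEFORE = """\
Src Interface,Dst Interface,Src IP,Src Port,Dst IP,Dst Port,Protocol
X0,X1,10.0.0.25,51234,203.0.113.10,443,TCP
X0,X1,10.0.0.31,51240,203.0.113.10,443,TCP
X2,X0,198.51.100.7,40000,10.0.0.5,25,TCP
X2,X0,198.51.100.9,40010,10.0.0.5,25,TCP
X3,X0,192.0.2.20,500,10.0.0.1,500,UDP
X0,X4,10.0.0.40,52000,203.0.113.50,53,UDP
"""

SNAPSHOT_AFTER = """\
Src Interface,Dst Interface,Src IP,Src Port,Dst IP,Dst Port,Protocol
X0,X1,10.0.0.25,51300,203.0.113.10,443,TCP
X1,X0,198.51.100.7,40100,10.0.0.5,25,TCP
X3,X0,192.0.2.20,500,10.0.0.1,500,UDP
X0,X1,10.0.0.40,52100,203.0.113.50,53,UDP
"""

NEW_WAN = "X1"                # assumed: the new Colt link
OLD_WANS = {"X2", "X3", "X4"}  # assumed: the links to be cancelled


def service_inventory(csv_text, wan_ifaces):
    """Map each WAN interface to a Counter of (direction, protocol, port).

    A flow whose source interface is a WAN is inbound: the destination port is
    a service we publish. A flow whose destination interface is a WAN is
    outbound: the destination port is a remote service we depend on.
    """
    inventory = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["Src Interface"], row["Dst Interface"]
        service = (row["Protocol"], int(row["Dst Port"]))
        if src in wan_ifaces:
            inventory[src][("in",) + service] += 1
        elif dst in wan_ifaces:
            inventory[dst][("out",) + service] += 1
    return dict(inventory)


def leftover_on_old_wans(csv_text, old_wans):
    """Services still seen on the links you intend to cancel (allowed traffic only)."""
    return {iface: dict(c) for iface, c in service_inventory(csv_text, old_wans).items()}


def migration_delta(before_csv, after_csv, old_wans):
    """Which services disappeared from the old links between two snapshots."""
    before = service_inventory(before_csv, old_wans)
    after = service_inventory(after_csv, old_wans)
    moved = {}
    for iface, services in before.items():
        gone = set(services) - set(after.get(iface, {}))
        if gone:
            moved[iface] = sorted(gone)
    return moved


if __name__ == "__main__":
    all_wans = OLD_WANS | {NEW_WAN}
    for iface, services in sorted(service_inventory(SNAPSHOT_BEFORE, all_wans).items()):
        print(iface, dict(services))
    print("moved off old links:", migration_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, OLD_WANS))
    print("still on old links:", leftover_on_old_wans(SNAPSHOT_AFTER, OLD_WANS))
```

Re-export and re-run the comparison over several days rather than once: a backup job or a vendor VPN rekey may only show up on a weekly schedule, and that is exactly the kind of thing the packet capture at the end of the answer is for.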
Answers
This isn't specific to SonicWalls, more of a general question, but nonetheless.
Hopefully you got either a static IP or a group of static IPs on the new WAN, otherwise this will be an exercise in futility.
For inbound connections: Assess the config, specifically publicly accessible services, by looking at WAN to LAN (or more appropriately DMZ) NAT and access rules. Set up the appropriate rules utilizing the new service, then after you've tested, migrate your public DNS A records to point to the appropriate IP of the new service (assuming you have proper DNS set up for your publicly accessible services).
Watch for overlapping services (same port number on same IP)!
As far as outbound connections: Add new WAN to load balancing / failover. Mimic any previous outbound NAT translations to new IPs. Adjust any IP-restricted services (Payroll, Azure, etc.) to allow access from the new IP(s).
Standard stuff.
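The inbound side of the answer above, as an added example that is not part of the original thread: given today's WAN-to-DMZ NAT policies and a public DNS zone export, it computes the rules to recreate on the new link, flags the overlap the answer warns about (same port on the same new public IP claimed by two different internal hosts), and lists the A records that must move. The IP blocks, hostnames, rules and the old-to-new IP mapping are constructed assumptions, and the BIND-style zone text is an assumption about what your DNS provider's export looks like.

```python
import ipaddress

# Constructed inputs: addresses, hostnames and rules are assumptions for this
# example, not the poster's real configuration.
OLD_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/29"),  # assumed: block on the link carrying mail
    ipaddress.ip_network("192.0.2.16/29"),    # assumed: block on the link carrying web and VPN
]

# Inbound NAT policies today: (public IP, protocol, public port, private host, private port)
NAT_RULES = [
    ("198.51.100.2", "TCP", 25,  "10.0.1.5",  25),
    ("198.51.100.2", "TCP", 443, "10.0.1.10", 443),
    ("192.0.2.18",   "TCP", 443, "10.0.1.20", 443),
    ("192.0.2.18",   "TCP", 22,  "10.0.1.20", 22),
]

# Which old public IP lands on which new one. 192.0.2.20 (the VPN endpoint) is
# deliberately left unmapped: its replacement has not been agreed with the peer yet.
IP_MAP = {
    "198.51.100.2": "203.0.113.66",
    "192.0.2.18":   "203.0.113.66",
}

# Constructed zone export in BIND text format (an assumption about the provider's export).
ZONE_EXPORT = """\
$ORIGIN example.com.
@    3600 IN MX 10 mail
mail 3600 IN A  198.51.100.2
www  3600 IN A  192.0.2.18
vpn  3600 IN A  192.0.2.20
ns1  3600 IN A  203.0.113.5
"""


def plan_nat_rules(rules, ip_map):
    """Rewrite each inbound NAT rule onto its new public IP.

    Returns (planned_rules, collisions). A collision is one (new IP, protocol,
    port) triple that two different internal hosts would both need, which is
    what consolidating several old IPs onto fewer new ones tends to produce.
    """
    planned, claimed, collisions = [], {}, []
    for pub_ip, proto, pub_port, priv_ip, priv_port in rules:
        new_ip = ip_map.get(pub_ip)
        if new_ip is None:
            continue  # not on a link being retired, or not mapped yet
        key = (new_ip, proto, pub_port)
        target = (priv_ip, priv_port)
        if key in claimed:
            if claimed[key] != target:
                collisions.append(key)
            continue  # identical duplicate or collision: either way do not emit it
        claimed[key] = target
        planned.append((new_ip, proto, pub_port, priv_ip, priv_port))
    return planned, collisions


def plan_dns_changes(zone_text, old_prefixes, ip_map):
    """List A records pointing into the old WAN blocks as (name, old IP, new IP).

    new IP is None when the record sits on a retiring link but has no
    replacement decided yet; those are the ones that block the cutover.
    """
    changes = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[-2] != "A":
            continue
        name, ip = parts[0], parts[-1]
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in old_prefixes):
            changes.append((name, ip, ip_map.get(ip)))
    return changes


if __name__ == "__main__":
    rules, clashes = plan_nat_rules(NAT_RULES, IP_MAP)
    print("rules to create on the new WAN:", rules)
    print("port overlaps to resolve first:", clashes)
    print("A records to move:", plan_dns_changes(ZONE_EXPORT, OLD_PREFIXES, IP_MAP))
```

Resolve every collision before touching DNS (give one of the two services its own address from the new static pool), and treat a `None` in the DNS list as an open action item with whoever runs the other end of that VPN.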
Thanks @TKWITS
Yes, of course, we have a pool of static IPs for this new link, and we manage our DNS zone with OVH. But as I am a newbie, I would like to know the best practices for switching all my other links over to this one without any blocking or unpleasant surprises, and I admit that I don't really master monitoring on SonicWalls.
"without having any blocking or unpleasant surprises"
Good luck with that. You have to expect at least one thing will be missed.
Hello @Arkwright! Thanks for your answer. I'm starting to use the Connection Monitor, and I admit that it helps me a lot.
Can you give me more tips on using the Connection Monitor?
Thanks
My biggest fear is the IP addresses that have been declared on the other side of the VPNs that we don't manage.
The less certain you are, the more overlap you will need between moving services to new WAN and cancelling old ones.
Regarding the connection monitor: only traffic that is allowed will ever appear in there. So don't take lack of a connection in the list to mean that nobody is trying. If something is trying and they are rejected, you will see that in the Packet Monitor.
Make sure you clearly communicate the change to the vendors that manage the other VPN endpoints, and give them a schedule to work from. Testing new connections can begin on date X, full cutover 2 weeks later. You have to force people's hands sometimes, and sometimes that means things won't work while people get their heads out of their butts.