
SD-WAN - Default Access Rules

Hey there,

I think there is a massive malfunction in the automatic firewall rule creation of SDWAN.

It is the same behaviour in all SonicWall OS7x and I have no idea why it was programmed that way.

An "SDWAN Group" (e.g. with 2 tunnel interfaces) is built. Then a "Path Selection Profile". Everything is good so far. If you now create an SDWAN rule, e.g. from a secured zone (ITSec network) to the remote station (VPN network), TWO firewall rules are automatically created.

1. ITSec network to VPN network with Any allow (so far, OK)

2. VPN network to ITSec network with Any allow (this must not happen automatically).

The firewall rules are thus opened in both directions.

In the diag site I enabled the option "Enable the ability to remove and fully edit auto-added access rules" so I can delete the wrong direction. But if I change the SDWAN rule (just a sign in the comment), then both rules were created again.

For special SDWAN rules like ANY to VPN (default route, just like "tunnel all") it means that rules from VPN to ANY (VPN to WAN, VPN to LAN, VPN to DMZ…) were automatically created, too.

If I build a routing rule for the route type SD-WAN, I have the same behaviour. Two or more firewall rules were created.

Can someone explain this? Am I misunderstanding SDWAN in SonicWall firewalls?

Greetings from the sunny North of Germany,

Sebastian

Category: Mid Range Firewalls

Answers

  • TKWITS Community Legend ✭✭✭✭✭
    edited March 4

    Sonicwall will automatically create Access Rules based on settings in various locations (it is a Zone-based firewall). If you do not want Access Rules automatically created for certain Zones, edit the Zone (via Objects \ Match Objects \ Zone) and disable the 'auto-generate access rules…' options.

    There is also an option in Site to Site VPNs to disable automatic Access Rule creation. I know this doesn't apply to your situation but I want to be thorough.

  • Feit Newbie ✭

    Hey TKWITS,

    thanks for the answer and I can tell you that this is not the problem so far.

    I think there is a potentially high risk misprogramming in the SDWAN area.

    As I said there were one or more rules created in the wrong direction.

    for example:

    Add an SDWAN rule from Zone ITSec to VPN with any allow.

    Two instead of one automatic Access Rules were built:

    From Zone ITSec to VPN any allow

    and

    from Zone VPN to ITSec any allow.

    There is an ANY Allow rule automatically created from VPN to the security zone!

    ___

    If you create an SDWAN rule with source any to VPN clients network,

    a lot more firewall rules were automatically built:

    from LAN to VPN clients network

    from WAN to VPN clients network

    from DMZ to VPN clients network

    from "High security zones" to VPN clients network

    and from VPN clients network to all of these zones with any allow!

    VPN to LAN/WAN/DMZ/"High security zones"…

    Btw. I have been working with SonicWall firewalls for more than 15 years and I always disable the automatic rule creation in Zones and I always configure the VPN rules manually (Suppress automatic Access Rules). Both have nothing to do with this automatic SDWAN rule creation.

    Greetings from the sunny North of Germany,

    Sebastian
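A defender's audit of the behaviour Sebastian describes, added here as an example and not code from the thread or from SonicWall: the rule records are constructed sample data (no assumption is made about SonicWall's real export format), and the check lists every Any/Any allow rule leaving the SD-WAN remote zone whose mirror rule (zone -> remote zone) also exists, i.e. the unintended reverse direction.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One access rule; field names are a constructed, generic representation."""
    src_zone: str
    dst_zone: str
    src: str = "any"
    dst: str = "any"
    service: str = "any"
    action: str = "allow"
    auto_added: bool = False


def is_any_allow(rule: Rule) -> bool:
    return (rule.action == "allow" and rule.src == "any"
            and rule.dst == "any" and rule.service == "any")


def reverse_any_allow_rules(rules, remote_zone):
    """Any/Any allow rules whose source is the SD-WAN remote zone and whose
    mirror rule (dst_zone -> remote_zone) also exists: the second, reverse
    rule the thread reports being created automatically."""
    forward = {(r.src_zone, r.dst_zone) for r in rules if is_any_allow(r)}
    return [r for r in rules
            if is_any_allow(r) and r.src_zone == remote_zone
            and (r.dst_zone, r.src_zone) in forward]


# Constructed sample: the rule set after an SD-WAN rule "ITSec -> VPN" and
# one "any -> VPN", as described in the thread, plus two ordinary manual rules.
SAMPLE_RULES = [
    Rule("ITSec", "VPN", auto_added=True),
    Rule("VPN", "ITSec", auto_added=True),   # unintended reverse rule
    Rule("LAN", "VPN", auto_added=True),
    Rule("VPN", "LAN", auto_added=True),     # unintended reverse rule
    Rule("WAN", "VPN", auto_added=True),
    Rule("VPN", "WAN", auto_added=True),     # unintended reverse rule
    Rule("LAN", "WAN", src="10.0.0.0/24", service="HTTPS"),  # manual, fine
    Rule("VPN", "DMZ", service="HTTPS"),     # manual, not Any/Any: not flagged
]


def summarize(rules, remote_zone="VPN"):
    """Sorted 'src->dst' labels of the flagged reverse rules."""
    return sorted(f"{r.src_zone}->{r.dst_zone}"
                  for r in reverse_any_allow_rules(rules, remote_zone))


if __name__ == "__main__":
    for label in summarize(SAMPLE_RULES):
        print("unexpected reverse Any/Any allow:", label)
```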
