NSA2600: How to prevent filtering on one of my two WAN static IP addresses?
One of the static IP addresses is assigned to my primary WAN interface. The other is used exclusively for email. Both IP addresses are part of the same .248 subnet.
The NSA2600 uses:
- Comprehensive/Advanced Gateway Security Suite
- Gateway AV/Anti-Spyware/Intrusion Prevention/App Control/App Visualization
- Content Filtering: Premium Edition
All traffic on that interface is currently being filtered.
The issue is that I have an email scanner appliance that should process all email sent to the IP address assigned to email, but the firewall is blocking some of it.
How do I prevent all filtering on that one IP address?
Best Answer
kboyle
I now have a workaround. I believe all my SMTP email is now reaching the email scanner appliance.
I had to disable DPI on the access rule so that malware wouldn't be blocked and I had to completely disable RBL checking to prevent the firewall from dropping connections from blacklisted IPs. Whitelisting specific IP addresses or groups of IP addresses is not a workable solution and I am unable to find another solution other than completely disabling RBL checking.
Thank you for your help.
Answers
Hi @KBOYLE,
Welcome to SonicWall Community.
You can try to disable the DPI on the email service rule that you have built in SonicWall from WAN to LAN or DMZ. Please try the instructions as per below KB article as a reference.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hello @kboyle,
Welcome to SonicWall community.
I would suggest adding an access rule as per the right zones and disabling DPI on it, so that it can be bypassed from all security checks.
Please take a look at this KB:
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @kboyle
If the Firewall is filtering traffic due to one of the security services (Gateway AV, Application control, etc.) there is an exclusion option in all of them; just add your email scanner in it and you should be good to go. Usually I like to have only IPS activated for SMTP which is forwarded to an email appliance, all other services excluded.
e.g. GAV:
--Michael@BWC
@Saravanan. @shiprasahu93, @BWC
Thank you all for your responses. You have introduced me to configuration settings I have not yet explored.
The option that best suits my needs is to disable DPI on the advanced tab of the appliance access rule. That will not completely disable DPI scans for all traffic to that IP address and opens up additional possibilities. It may also resolve another issue I have where I'm experiencing timeouts due, I think, to high latencies.
There is still an issue preventing access to the appliance. Some email originates from blacklisted IP addresses and is being blocked. Obviously I can't create exceptions for specific IP addresses. I would like to disable blacklist checks for all incoming email or, if necessary, all traffic to the IP address associated with incoming SMTP traffic.
Any suggestions?
I would suggest looking at the RBL filter. That feature checks for blacklisted SMTP servers. It might be causing the interruptions that you see.
https://www.sonicwall.com/support/knowledge-base/configuring-smtp-real-time-black-list-rbl-filtering-on-the-sonicwall/170505557998744/
Also, you might need to check the logs and perform packet captures to see what exactly could be causing this issue.
I hope it helps!
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@shiprasahu93
I am quite familiar with how RBLs work and, yes, connections are being blocked because they are on an RBL.
I had already seen the knowledge-base article you provided. It explains how to create exceptions for specific IP addresses but that is not a workable solution. I need to disable it completely for incoming SMTP traffic or for all traffic destined for the one WAN IP address.
Another workaround I considered was to create a new interface for email but I got an error saying that I had two interfaces with overlapping subnets.
Kevin
@KBOYLE - The best method to get a workaround to your scenario is to find the logs on the SonicWall during the email traffic hit activity and we can see which specific feature blocks the traffic and what remedy can be done. Please check the logs and share it here and we can guide you.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@Saravanan
Thanks for the reply.
I know the sending IP address is blacklisted. That's what I am trying to circumvent.
I've temporarily disabled RBL on the firewall and am doing further testing.
Kevin
@kboyle - Understood. I think if the blacklisted IP addresses fall into a specific range, then you may whitelist the entire range or subnet in SonicWall's RBL filter. Please do further testing and let us know if you need any help.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services