
define many objects for ACL LAN->WAN - suggestion

AlbertoAlberto Enthusiast ✭✭
edited October 2020 in Mid Range Firewalls


Hi, I would like a suggestion for the following activity.


I need to create a LAN-> WAN ACL to allow a server to reach certain destinations.


Example:


security.ubuntu.com port 80 tcp

it.archive.ubuntu.com port 80 tcp

security.ubuntu.com port 443 tcp

it.archive.ubuntu.com port 443 tcp

keyserver.ubuntu.com port 11371 tcp


downloads-distro.mongodb.org 80 tcp

repo.mongodb.org 443


comped01.weblicman.com 443 tcp

*.multicertify.com 389 tcp


and many more.


How do you manage them? Do I have to put them all by hand?

Do you recommend putting them in via CLI? Can it be done?


Alberto

Category: Mid Range Firewalls

Answers

  • Hello @Alberto,

    You can either perform these tasks via CLI or SonicOS API. Please take a look at the following KBs.

    Once the objects/groups are added, the access rule is a single-step process. Most of the services are built-in; you can manually add any custom ones.

    I hope this helps!

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • AlbertoAlberto Enthusiast ✭✭

    which is the syntax to add an object of type fqdn ?

  • Hello @Alberto,

    From CLI, you can use the syntax

     address-object fqdn <Name_of_the_object> domain <Name_of_the_domain> zone WAN

    commit

    Eg: address-object fqdn Test domain www.google.com zone WAN

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • AlbertoAlberto Enthusiast ✭✭

    thanks !


    config(18B16953FB2C)# address-object fqdn Test domain www.google.com zone WAN

    (add-fqdn-address-object[Test])# commit

    % Applying changes...

    [AUDIT] ID=20, TransactionID=14, Index="Test", Description="Added 'FQDN Address Object' ", Old="", New="Test", auditPath="", User="admin", Session="SSH";

    [AUDIT] ID=21, TransactionID=14, Index="Test", Description=" 'FQDN Address Object Type' ", Old="", New="FQDN", auditPath="", User="admin", Session="SSH";

    [AUDIT] ID=22, TransactionID=14, Index="Test", Description=" 'FQDN Address Object Zone' ", Old="", New="WAN", auditPath="", User="admin", Session="SSH";

    [AUDIT] ID=23, TransactionID=14, Index="Test", Description=" 'FQDN Hostname' ", Old="", New="www.google.com", auditPath="", User="admin", Session="SSH";

    % Status returned processing command:

      commit

    % Changes made.

    (edit-fqdn-address-object[Test])# 

  • Perfect! You can similarly add all address objects, group them and then use in the access rule.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • AlbertoAlberto Enthusiast ✭✭

    thanks but for example:

    address-object fqdn medas_security.ubuntu.com domain security.ubuntu.com zone WAN

    address-object fqdn medas_it.archive.ubuntu.com domain it.archive.ubuntu.com zone WAN

    address-object fqdn medas_en.archive.ubuntu.com domain en.archive.ubuntu.com zone WAN

    address-object fqdn medas_keyserver.ubuntu.com domain keyserver.ubuntu.com zone WAN


    Can I define only "ubuntu.com"?

  • shiprasahu93shiprasahu93 Moderator
    edited October 2020

    @Alberto,

    Instead of just ubuntu.com, I would suggest using *.ubuntu.com as below:

    address-object fqdn Ubuntu domain *.ubuntu.com zone WAN

    This will include all subdomains of ubuntu.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Alberto

    If you wanna allow LDAP to all hosts in the domain *.multicertify.com you will be out of luck, this is where IP based Access Rules and name based requirements drift apart. The FQDN cannot hold the whole multicertify.com zone, you need to define all server names as one object or define a network object if they are in the same range.

    --Michael@BWC
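The advice above ("add all address objects, group them and then use in the access rule") plus Michael's point about wildcard FQDNs both come down to preparing the object list carefully before typing anything into the firewall. The script below is an added example, not code from SonicWall or from anyone in this thread: it turns a plain "host port proto" list like the one in the question into the `address-object fqdn ... zone WAN` / `commit` lines quoted earlier, creating one object per unique hostname (a host listed with several ports must not become several objects), rejecting malformed hostnames so no bad object name is committed, listing the distinct port/protocol pairs so you can check which service objects are built in, and reporting wildcard entries separately so you can decide, with the LDAP caveat above in mind, whether a wildcard object is appropriate. The `medas_` name prefix, the `any.` wildcard naming, the validation rules and the sample list are assumptions made for illustration; the address-group syntax is not on this page, so the group step stays manual.

```python
"""Generate SonicOS 'address-object fqdn' CLI lines from a destination list.

Added example, not SonicWall's code.  The only CLI syntax assumed is the
one quoted in the thread:
    address-object fqdn <Name> domain <Domain> zone WAN
    commit
Naming rules, validation and the sample input are assumptions.
"""
import re

# Constructed sample input, modelled on the list in the question.
# Format per line: host [port] <number> [tcp|udp]; protocol defaults to tcp.
DEST_LIST = """\
security.ubuntu.com port 80 tcp
it.archive.ubuntu.com port 80 tcp
security.ubuntu.com port 443 tcp
it.archive.ubuntu.com port 443 tcp
keyserver.ubuntu.com port 11371 tcp
downloads-distro.mongodb.org 80 tcp
repo.mongodb.org 443
comped01.weblicman.com 443 tcp
*.multicertify.com 389 tcp
"""

# Hostname check: dotted labels of letters, digits and hyphens, optionally
# with a single leading "*." wildcard label (assumed rule).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(\*\.)?(?:{_LABEL}\.)+{_LABEL}$")


def parse_targets(text):
    """Return [(host, port, proto), ...]; raise ValueError on bad input."""
    targets = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        host = tokens[0].lower()
        if not _HOST_RE.match(host):
            raise ValueError(f"bad hostname: {tokens[0]!r}")
        rest = [t for t in tokens[1:] if t.lower() != "port"]
        if not rest or not rest[0].isdigit() or not 0 < int(rest[0]) < 65536:
            raise ValueError(f"bad port in line: {raw!r}")
        proto = rest[1].lower() if len(rest) > 1 else "tcp"
        if proto not in ("tcp", "udp"):
            raise ValueError(f"bad protocol in line: {raw!r}")
        targets.append((host, int(rest[0]), proto))
    return targets


def object_name(host, prefix):
    """Name an object after its host, as the thread does (medas_<host>).
    A wildcard "*.zone" becomes "<prefix>any.zone" (assumed naming)."""
    if host.startswith("*."):
        return f"{prefix}any.{host[2:]}"
    return f"{prefix}{host}"


def fqdn_commands(targets, prefix="medas_", zone="WAN"):
    """Return (cli_lines, wildcard_hosts).

    One address-object per unique hostname, in first-seen order, then a
    single commit.  Wildcard hosts are also returned on their own so the
    operator can review them before committing."""
    hosts, wildcards = [], []
    for host, _port, _proto in targets:
        if host in hosts:
            continue
        hosts.append(host)
        if host.startswith("*."):
            wildcards.append(host)
    lines = [
        f"address-object fqdn {object_name(h, prefix)} domain {h} zone {zone}"
        for h in hosts
    ]
    lines.append("commit")
    return lines, wildcards


def services_needed(targets):
    """Distinct (proto, port) pairs the access rule must cover; compare
    these against the built-in service objects before creating custom ones."""
    return {(proto, port) for _host, port, proto in targets}


if __name__ == "__main__":
    tgts = parse_targets(DEST_LIST)
    cli, wild = fqdn_commands(tgts)
    print("\n".join(cli))
    print("# services to check:", sorted(services_needed(tgts)))
    print("# wildcard objects to review:", wild)
```

Paste the printed lines into the SSH session as in the transcript above, then build the address group and the LAN->WAN rule by hand; the printed service list tells you which custom service objects, if any, still need to be created.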
