Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

when is sonic osx7 on NSv*70 ready for use ?

We can buy a licence, we can install the machine, but we can´t Restrict Admin Access To The Device ...

So, we can´t sell the machine to customers.

Any idea when this confusion will be ended ?

rudik

Category: Virtual Firewall
Reply

Answers

  • Hi @RKRONENBERG,

    Thank you for visiting SonicWall community.

    Are you looking for restricting admin access to the NSv 7.0 based on the users or IP addresses?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hi,

    in former times we had:

    How can I restrict admin access to the device? | SonicWall

    but this does noct work on WAN/LAN so there is a strange security hole, so

  • Hi @RKRONENBERG,

    Yes, you are right. The KB mentioned by you is the right resource to restrict the admin access to the firewall appliance based on Source IP address(es).

    Have you tried building the rule from WAN to WAN or LAN to LAN zones? What is the error that's been reported by the SonicWall if any? Is the rule itself not getting created?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • TomChouTomChou Newbie ✭


    I have done a test on NSv270 SonicOSX 7.0.0-1128


    ZONE WAN to ZONE WAN security policy was created:


    SOURCE any DESTINATION X1 IP (or "All X1 Management IP" or "WAN Interface IP"  

    Action "Deny"


    Interface X1 MANAGEMENT option "HTTPS" ,"PING" and "SSH" was enabled


    I thought the security policy can limit access to firewall "HTTPS" ,"PING" and "SSH" on WAN IP.


    But the test results are anywhere can access firewall "HTTPS" ,"PING" and "SSH"


    The ZONE WAN to ZONE WAN security policy seems not work? 😕

  • Hi @TOMCHOU,

    If you are trying to restrict the WAN management for all users, please have the HTTPS management check box on the WAN interface disabled.

    If you are trying to restrict the web management for certain users based on IP addresses, please specify the source field on the access rule with allowed IPs with action set to allow.

    There is no direct deny rule can be enforced instead disabling the web management completely on the WAN interface.

    Hope this clarifies.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hi SARAVANAN ,

    >If you are trying to restrict the WAN management for all users, please have the HTTPS management check box on the WAN interface >disabled.

    >If you are trying to restrict the web management for certain users based on IP addresses, please specify the source field on the access >rule with allowed IPs with action set to allow.

    >There is no direct deny rule can be enforced instead disabling the web management completely on the WAN interface.

    >Hope this clarifies.

    did you tried this?

    or is this your hope ???

    I did not work, when the management is disabled then it is disabled !

    @TOMCHOU , please check:

    LAN an WAN the same, it did not work , using x7 as DMZ then there will the rule-management work as expected ...

    The device is sold since months and no one one as checked this ???

  • @RKRONENBERG - My comment is based on my recent testing.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • @SARAVANAN,

    i have SonicOSX 7.0.0-1128-31e37b64 on Vmware vsphere 6.5

    X0,X1 Management not useable, because not restrictable ...

    and this is a serious Problem

  • @RKRONENBERG - I understand. Please approach our support team and take further help as the issue needs real-time assistance.


    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • @SARAVANAN :

    for critical issues pls. open a ticket, give full tsr. and so and so on ...

    I think, it is very critical. So why a tsr ??? You can check it it in your own environment.

    Support told me: made by design ...

    There is already a case open, but we loose too much time while thinking about tsrs and so on ...

  • TomChouTomChou Newbie ✭

    Obviously, this issue is on any os7x security policy with DESTINATION is any interface IP

    on os6.x if any Interface MANAGEMENT option "HTTPS" ,"PING" and "SSH" was enabled

    The allow rules will be created automatically.

    Then we can change the SOURCE "any" to other address object to allow only particular IP addresses.


    Begin from os7x, The allow rules will not be created automatically.

    So If we want to limit access to interface IP we can only create policy manually.

    But unfortunately  any security policy with DESTINATION on any interface IP (ex. X0(LAN),X1(WAN)...) seems not work!

  • @TOMCHOU 

    when you hit the info-button in

    Policy / Rules and Policies / Security Policy / Configuration

    will get this Info: There are no system default rules. 

    Packets are dropped if failed to match a rule

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^

    That is wrong, because in syslog-output i can see:

    Jan 30 04:56:22 10.0.0.17  id=nsv270  sn=******** time="2021-01-30 04:56:22" fw=aaa.bbb.ccc.ddd pri=4 c=2 m=658 msg="IKE Responder: Proposed IKE ID mismatch" n=1 src=216.218.206.118:53926 dst=aaa.bbb.ccc.ddd:500 proto=udp/500 note="VPN policy does not exist for peer IP address: 

    216.218.206.118" fw_action="NA"

    That means: There was an IKE Request from "216.218.206.118" and there was not the right policy exixtent ...

    But we have no Security Policy to allow IKE from Wan to X1 IP !!!

  • TIJUTIJU Moderator

    hi @rkronenberg (Ruediger) We are checking this issue and do have a bug created for tracking this. Hi @Saravanan Can you make sure all these data is added to the open bug for WAN to WAN access not restricted issue. You can reahc out to me in case you are unable to find the open issue.

  • rkronenbergrkronenberg Newbie ✭

    Hi all,

    now with 7.0.1 on a NSv 270 in classic mode: Filtering htps/snmp/ssh access to the device ist working like expectet (as it was for very long time).

    But in policy mode it is not working !!!

    There is not possibility to restrict access to the device Wan-Port ...

    When will this be repaired ???

  • SbarrettSbarrett Newbie ✭

    Just Deployed an NSV270 in Azure and I also can't lock down the Management on the WAN interfaces - this is crazy. The Deny Rules are matching but the Traffic still flows. Pretty much the most basic function of a firewall and it doesn't work?!

Sign In or Register to comment.