Arkwright


Comments

  • Not really enough detail about the network topology to give much more advice than... do a packet capture on the Soho. Look for the traffic you are expecting. Does it hit the Soho at all? Is it dropped, or ???
  • How much is your time worth to you? If it's $0, then you are being paid $100 to accept a spare set of hardware :) You would have a cold-spare box with no services on it, ready for emergency use, or for "lab" testing. TZ670 has 2x power inlets so you'd have a second PSU. If you don't care about the time you'd spend on doing…
  • You need to configure logical probing on each interface. It's physical by default. Logical probing would mean that an interface is taken out of the group when the internet is unreachable through it. Physical means it's only withdrawn if the ethernet link is down. Better than nothing, I guess! Which LB strategy you use…
  • Create the relevant address objects. Add a NAT policy using those objects. When you add the policy, it should be pretty much self-explanatory what goes in each field.
  • It barely makes any difference which forum you put it in because the software and configuration options are almost identical from TZ270 to SM9700 [or whatever the biggest one is]. So TBH, the problem here is that the forums are split by subjective firewall size rather than what task you are trying to achieve! I assume you…
  • Yes, NAT policy.
  • I think it's supposed to be a security feature. If you don't decrement the TTL, you [hopefully] don't show up in a traceroute. I always enable it.
  • I agree LE support would be nice, but HTTP challenge mechanism requires 80/443 open from everywhere. That is the problem. For the sake of saving a small amount of money vs. a paid-for cert, it is simply not worth it. Sonicwall could implement the other challenge types.
  • Zones are apparently based on trust. Zones are groups of interfaces. The "trust level" is a shorthand for, "by default, should traffic from here to there be allowed or not?". You can tweak the default rules to taste. What good is that model if one of your trusted machines is compromised? How the firewall is managed won't…
  • You cannot assign user-based rules or manage traffic. Why is this? AFAIK the SSO functionality is based on L3 source address, not L2, right? I.e., the firewall asks SSO Agent "who is logged on to IP address 192.168.1.1?" when 192.168.1.1 makes a connection outbound; there is no conversation/knowledge about L2 address, so…
  • Is there a requirement to implement security services within the core for traffic, or would this be used to protect specific services within the network that are not externally exposed? The customer would like to protect inter-VLAN traffic, but he understands that this massively increases the capacity requirements of…
  • Look at Network tab in web developer tools.
  • Translated destination should be "Original" because you aren't translating the destination, right? I.e. the destination is already correct when the client sends the packet. It does seem a bit unusual to be NATing between clients and a server in this kind of arrangement. We would never NAT our clients to the server we host…
  • Your source subnet should be X0 not X2, because the X0 network is where the traffic of interest is originating from, right?