BWC Cybersecurity Overlord ✭✭✭


  • @pantom you cannot redirect the client, but you could create a NAT rule which translates Original Destination x.x.x.x to Translated Destination y.y.y.y. Maybe this causes trouble later on in case your client software somewhat a certificate for x.x.x.x etc, but it's worth a try. --Michael@BWC
  • Ok, due to the missing knowledge of any details take this as an example. X3 IP Address: X3 Subnet mask: X3 Default GW: As usual, if you wanna publish any service destined to X3 IP you would create a NAT Rule for X3 IP translated to your internal address. Access Rule has to be WAN to DMZ…
  • It's pretty straightforward, you need to head over to the signatures of the IPS Security Service. Use this for orientation, but you leave Detection enabled and add an Address Object for Excluded IP. --Michael@BWC
  • Because it's not needed, it can be accomplished with only NAT rules. --Michael@BWC
  • @ASIRWA you might disable logging for low prio events all along or you exclude the IP of your network monitor for the signatures ICMP PING and ICMP Echo Reply. --Michael@BWC
  • You get a drop message because of IP spoof (did you remove the static ARP entry?) or because of Access Rule? --Michael@BWC
  • What is the subnet mask of your X3 interface? I assume you checked that the secondary is neither network nor broadcast of that subnet? Did you do a packet monitor on X3 just for ARP to see if there are any ARP requests? If your CPE is not asking for your address it won't work. --Michael@BWC
  • @darkmen11 if X3 is your WAN Interface and WAN2 holds the secondary address I would assume that you don't need to change anything. If the rule does not get any hits from WAN then probably CPE is not doing the ARP request? How does your X3 get its address assigned, PPPoE, DHCP or static? --Michael@BWC
  • @darkmen11 is the secondary IP in the same subnet as your primary IP? If yes you don't need a secondary IP, it can be managed with NAT only. If it's in a different subnet you need an additional route from ANY to the Secondary Subnet to Interface X! (or whatever it is). --Michael@BWC
  • @Docwagner I would not rely only on the System Log, Packet Monitor is most helpful. I guess you have to wait until it is not working again, then do the Packet Monitor again and inspect the conversation between your client and server (which is hopefully unencrypted for the sake of diagnostics). EPSV was just a shot in the…
  • @PeterParker can you connect to the server address via Browser or is this not working either? You should see a LoginPage (if not disabled). If there is a MITM-Proxy for any reason you might see this as well in an unexpected certificate. --Michael@BWC
  • @Docwagner did you check the Packet Monitor for the IP of your webserver with no filtering on the ports? Is there any chance that EPSV is involved, which does not explain that it worked just days before. EPSV should work by now, but who knows. If FTP is unencrypted you can see the conversation between client and server…
  • @Docwagner do a Packet-Monitor limited to the address of your web server and start from there. If anything gets blocked we can search for a reason. Check the System Log as well to make sure nothing gets blocked by any Security Service. --Michael@BWC
  • @babayaga_122 you can't download the firmware without having a TZ 300 in your account. You should contact customer support and explain the situation and they'll provide a solution (if possible). --Michael@BWC
  • @dbdan22 long story short, sending packets to a MAC address does not work over Layer 3 (everything routed, such as VPN). Broadcast does not apply here, because you cannot send a broadcast packet into the SSLVPN which ends up in your LAN. I implemented something similar with SonicWall SMA, which comes with a WoL client that…