How to restrict Ping to SonicWall WAN interfaces from specific public IP addresses

Description

This article explains how to restrict Ping on SonicWall WAN interfaces so that only specific public IP addresses outside the network can ping them.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


Feature:
Restrictions can be applied to WAN interfaces so that only a specific IP address or a range of IP addresses can ping the WAN interface from outside the network. This involves the following steps:
Step 1: Allowing Ping on the WAN interface.
Step 2: Creating an address object or address group containing the IP addresses that are allowed to Ping the interface.
Step 3: Modifying the Firewall Access Rule so that only that specific address or range of IP addresses can ping the interface.


Scenario:
The following scenario covers how to restrict the Ping on the X1 WAN interface so that only 1 public IP address (111.111.111.111) can ping the interface.


Procedure:

Step 1. Enabling the Ping on the X1 WAN interface:

Navigate to the Network | System | Interfaces tab, hover over the X1 WAN interface, click the "configure" button that appears, and enable Ping.


Step 2. Create an address object in the WAN zone containing the IP address (111.111.111.111) that is allowed to ping the interface. 

Navigate to Object | Match Objects | Addresses and create the address object.

Step 3: Modify the Firewall Access Rule so that only that specific address can ping the interface.
a. Go to Policy | Rules and Policies | Access Rules, click the "Matrix" radio button, and click the intersection from WAN to WAN zone.
b. Edit the rule that allows Ping to the X1 WAN interface by hovering over the rule in question and clicking the edit button.

c. Change the source to the address object we created at Step 2.

NOTE: If you are unable to modify the default access rule, you must first enable the ability to modify default access rules from the diag page. Make sure to disable that ability once you have finished making the changes, as leaving it permanently enabled is not recommended. See the following article for help:

How To Enable the Ability To Remove and Fully Edit Auto-added Access Rules


Now only the public IP address 111.111.111.111 will be allowed to ping the X1 WAN interface. 


Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


Feature:
Restrictions can be applied to WAN interfaces so that only a specific IP address or a range of IP addresses can ping the WAN interface from outside the network. This involves the following steps:
Step 1: Allowing Ping on the WAN interface.
Step 2: Creating an address object or address group containing the IP addresses that are allowed to Ping the interface.
Step 3: Modifying the Firewall Access Rule so that only that specific address or range of IP addresses can ping the interface.


Scenario:
The following scenario covers how to restrict the Ping on the X1 WAN interface so that only 1 public IP address (111.111.111.111) can ping the interface.


Procedure:

Step 1. Enabling the Ping on the X1 WAN interface:

Navigate to the Manage | Network | Interfaces tab, click the "configure" button on the right-hand side of the X1 WAN interface, and enable Ping.

Step 2. Create an address object in the WAN zone containing the IP address (111.111.111.111) that is allowed to ping the interface.

Navigate to Manage | Objects | Address Objects and create the address object.


Step 3: Modify the Firewall Access Rule so that only that specific address can ping the interface.
a. Go to Manage | Rules | Access Rules, click the "Matrix" radio button, and click the intersection from WAN to WAN zone.
b. Edit the rule that allows Ping to the X1 WAN interface by clicking the edit button located on the right-hand side.


c. Change the source to the address object we created at Step 2.

NOTE: If you are unable to modify the default access rule, you must first enable the ability to modify default access rules from the diag page. Make sure to disable that ability once you have finished making the changes, as leaving it permanently enabled is not recommended. See the following article for help:

How To Enable the Ability To Remove and Fully Edit Auto-added Access Rules


Now only the public IP address 111.111.111.111 will be allowed to ping the X1 WAN interface. 



Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.


Feature:

Restrictions can be applied to WAN interfaces so that only a specific IP address or a range of IP addresses can ping the interface. This involves the following steps:

Step 1: Allowing Ping on the WAN interface.
Step 2: Creating an address object or address group containing the IP addresses that are allowed to Ping the interface.
Step 3: Modifying the Firewall Access Rule so that only that specific address or range of IP addresses can ping the interface.



Scenario

The following scenario covers how to restrict Ping on the x1 interface so that only 1 public IP address (111.111.111.111) can ping the interface.


Procedure

Step 1. Enabling the Ping on the x1 WAN interface:

Enable Ping on the WAN interface by clicking the "configure" button located on the right-hand side of the x1 WAN interface and selecting the "Ping" checkbox.

Step 2. Create an address object in the WAN zone containing the IP address (111.111.111.111) that is allowed to ping the interface.

To do that, go to Firewall | Address Objects and create the address object.




Step 3: Modify the Firewall Access Rule so that only that specific address can ping the interface.
a. Go to "Firewall" > "Access Rules", click the "Matrix" radio button, and click the intersection FROM WAN TO WAN zone.
b. Edit the rule that allows Ping to the x1 WAN interface by clicking the edit button located on the right-hand side.
c. Change the source to the address object we created at Step 2.

Now only the public IP address 111.111.111.111 will be allowed to ping the x1 WAN interface. 
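
The three-step procedure produces the same policy on every SonicOS version covered above: Ping to the WAN interface is allowed only when the source falls inside the address object or group from Step 2. The following Python sketch is an added example, not SonicWall code; it models that match for host, range and network objects so a planned allow-list can be checked before the rule is edited. The 198.51.100.10-198.51.100.20 range, the 256-address threshold and all function names are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 space: not a public source, so it should not be in a WAN Ping allow-list.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def address_object(kind, a, b=None):
    """Return inclusive (first, last) IPv4 bounds for a host, range or network object."""
    if kind == "host":
        ip = ipaddress.IPv4Address(a)
        return ip, ip
    if kind == "range":
        first, last = ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)
        if first > last:
            raise ValueError(f"range start {a} is above range end {b}")
        return first, last
    if kind == "network":
        net = ipaddress.IPv4Network(a, strict=True)  # rejects host bits, e.g. 10.0.0.1/8
        return net[0], net[-1]
    raise ValueError(f"unknown object kind: {kind}")

def ping_allowed(source, group):
    """Model of the edited WAN-to-WAN Ping rule: match only sources inside the group."""
    ip = ipaddress.IPv4Address(source)
    return any(first <= ip <= last for first, last in group)

def review(group, max_addresses=256):
    """List entries worth questioning before the rule is changed."""
    findings = []
    for first, last in group:
        size = int(last) - int(first) + 1
        if size > max_addresses:
            findings.append(f"{first}-{last}: {size} addresses, wider than intended?")
        if any(first <= net[-1] and last >= net[0] for net in RFC1918):
            findings.append(f"{first}-{last}: overlaps RFC 1918 space, not a public source")
    return findings

# Constructed sample: the article's host plus a hypothetical monitoring range.
ALLOWED = [
    address_object("host", "111.111.111.111"),
    address_object("range", "198.51.100.10", "198.51.100.20"),
]

if __name__ == "__main__":
    for src in ("111.111.111.111", "111.111.111.112", "198.51.100.15"):
        print(src, "allow" if ping_allowed(src, ALLOWED) else "deny")
    for finding in review(ALLOWED + [address_object("network", "10.0.0.0/8")]):
        print("review:", finding)
```
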
