7.1.1 SonicOSX (NSv and 15K Firewalls) Source-based restriction for management traffic has no effect on the VPN traffic.

Description

Even when a source address based restriction is configured on an interface of the firewall, VPN users can still access the firewall: the source restriction has no effect on management traffic that arrives over the VPN.

For example:

If you restrict management traffic to the X0 subnet only, SSLVPN and VPN users can still manage the firewall via HTTPS.



Source limiting of HTTPS, ping and SSH management works differently in SonicOS / SonicOSX 7.1.1 than in SonicOS / SonicOSX 7.0.1. The new behaviour works as designed: the source objects chosen under the Network Interfaces settings for these management services correctly allow only the specified sources from LAN to LAN, or from WAN to WAN, and block sources that are not allowed there. Any previously made customizations of Security Policies, from LAN to LAN, from WAN to WAN, etc., no longer have any effect.

In this sample I am trying to add a group from two different zones, a LAN and WAN address object group.




  NOTE: This is a known issue and we are actively working to address it.



 

Resolution

Create a security policy that denies HTTPS management traffic from the VPN remote subnets.
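To make the interaction concrete, the following is an added example (not SonicWall code) that models the behaviour this article describes and audits a policy list for the deny rule the Resolution asks for. Zone names, subnets, policy names and the default-allow behaviour when no policy matches are assumptions made for the illustration.

```python
"""Added example (not SonicWall's code): a small model of the behaviour
this article describes, plus a check for the deny policy the Resolution
asks for. Zone names, subnets and policy names are constructed."""
import ipaddress
from dataclasses import dataclass

MGMT_SERVICES = ("HTTPS", "SSH", "Ping")

@dataclass
class Policy:
    name: str
    src_zone: str   # zone the traffic arrives from, e.g. "LAN", "WAN", "SSLVPN"
    src_net: str    # source subnet in CIDR form
    service: str    # one of MGMT_SERVICES
    action: str     # "allow" or "deny"

def interface_restriction_applies(ingress_zone, interface_zone):
    # Per the article, the source restriction configured on an interface
    # only filters traffic staying within that zone (LAN to LAN, WAN to WAN).
    return ingress_zone == interface_zone

def management_allowed(src_ip, ingress_zone, service, policies,
                       iface_zone="LAN", allowed_src="192.168.168.0/24"):
    """Decide whether a management request reaches the firewall.
    Modelling assumption: when no security policy matches, the service stays
    reachable, which reproduces the symptom the article reports."""
    ip = ipaddress.ip_address(src_ip)
    if interface_restriction_applies(ingress_zone, iface_zone):
        return ip in ipaddress.ip_network(allowed_src)
    for p in policies:  # first matching policy wins
        if (p.src_zone == ingress_zone and p.service == service
                and ip in ipaddress.ip_network(p.src_net)):
            return p.action == "allow"
    return True

def missing_vpn_denies(policies, vpn_zones, vpn_subnets, services=MGMT_SERVICES):
    """List (zone, subnet, service) triples with no explicit deny policy,
    i.e. where the workaround from the Resolution has not been applied."""
    gaps = []
    for zone in vpn_zones:
        for subnet in vpn_subnets:
            net = ipaddress.ip_network(subnet)
            for svc in services:
                covered = any(p.action == "deny" and p.src_zone == zone
                              and p.service == svc
                              and net.subnet_of(ipaddress.ip_network(p.src_net))
                              for p in policies)
                if not covered:
                    gaps.append((zone, subnet, svc))
    return gaps
```

Feed `missing_vpn_denies` your real VPN zones and remote subnets to see which management services still lack an explicit deny after the change.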

