Access rule error when using a destination address object meant for another zone

03/26/2020 9 People found this article helpful 490,073 Views

Description

Internal Hosts need to communicate with an internal Server which is located in another Customer Zone and in order to reach to that Publicly hosted service, internal hosts needs to access it over its WAN IP and then loop back policy will translated the destination to host on which the service is hosted.

To accomplish this task many "Access Rules" from each zone towards the destination host located in another custom zone will be required and this can be achieved quickly by adding one Access Rule using From ALL Zones builtin object but this method will not add the Access rule because the destination address object will be member of a WAN zone as the customer are trying to reach the host which is hosted on Firewall WAN interface.

When trying to add the Access Rule using the Add Access Rule Wizard for Loop back access wherein the destination address object (WAN Zone) doesn't match the destination Zone, a message pops up as show below:

Click OK to close and accept the above Webpage message, and wait for "Rule Action Done, please check rule table" status message to display. Screenshot below display the Rule Action done, but no "Access Rules" have been added from ALL Zones to Custom Zone DMZ_Public:

Cause

See message displayed after adding the Access Rule: Some rule may not be created since network object does not match related zone.

Resolution

Workaround

To Allow Loop back Access from Internal Hosts from various Zones towards public host which will be then translated to internal host per NAT Policy on SonicWall, follow the steps:

Note: It's highly recommend to export current SonicWall Firewall Settings, keep an up to date System Backup, and plan a maintenance window to perform the required changes.

Log in to the SonicWall with your admin account.
Select Network | Address Object | search for Address Object, for example "Web_Mail_Public" and click on the edit pencil icon under configure and change the Zone Assignment to DMZ_public custom Zone and Click OK. The screenshot below is now showing Zone Assignment as DMZ_Public.
Select Firewall | Access Rules | Under "Access Rules" choose View Style as Drop-down Boxes | From Zone select pull down option ALL and From To Zone select DMZ_Public and click OK.
Click Add and fill in the required fields as shown in the Add Access Rule Window shown in the screenshot below and then Click Add. A pop up will be displayed, read and accept the message, click OK, and wait for Access Rules to be added:
Click Add from above Access Rule displayed window after the Access Rule Window has returned the message "Rule action done, please check rule tables".
Check if the Access Rule table for selected Zones "(ALL > DMZ_Public)", five Access Rule have been added see screenshot below:
After verifying the newly added Access Rules, repeat step 2 from above and change the Zone membership of Address Object to WAN, as shown in the screenshot below:
Repeat step 6 from above to verify the Access Rule after changing the Address Object Zone Assignment to WAN, see screenshot below taken after changing the Address Object Zone Assignment to WAN showing 5 Access Rules: