Protect SonicOS SSLVPN service and SSH/HTTPS management with botnet filtering

Description

This article covers how to use the SonicWall Botnet Filtering service to protect the firewall’s SSLVPN service and SSH/HTTPS Management services. It demonstrates how to enable Botnet Filtering and how to modify the firewall access rules for those services so that they are protected from Botnet Command and Control server addresses.

NOTE:
When implementing Botnet Filtering, ensure that you evaluate all dependent business applications. Blocking access to Botnet-listed addresses may impact dependent applications/processes.
 

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Option 1: Apply Botnet Filtering globally to block all connections to/from Botnet Command and Control servers.

Step 1: Click POLICY in the top navigation menu

Navigate to Security Services | Botnet Filter

  • Enable “Block connections to/from Botnet Command and Control Servers”.
  • Select “All Connections”.
  • Enable the “Enable Logging” option.
  • Click on ACCEPT to Save.


Option 2: Only apply Botnet Filtering based on firewall access rules.

Step 1: Click POLICY in the top navigation menu

Navigate to Security Services | Botnet Filter

  • Enable “Block connections to/from Botnet Command and Control Servers”.
  • Select “Firewall Rule-based Connections”.
  • Enable the “Enable Logging” option.
  • Click on ACCEPT to Save.


Step 2: Edit the system-created WAN to WAN Access Rule for each service that we want to apply the Botnet Filter service to.

SSLVPN:

  • Click POLICY in the top navigation menu
  • Navigate to Rules and Policies | Access Rules
  • Find the default access rule with the following configuration:
    • Source Zone: WAN
    • Destination Zone: WAN
    • Source Address: Any
    • Destination Address: WAN Interface IP
    • Destination Service: SSLVPN
  • Edit the access rule. Click on the Security Profiles tab
  • Enable the BotNet/CC option. Click Save

     


 

SSH Management:

  • Click POLICY in the top navigation menu
  • Navigate to Rules and Policies | Access Rules
  • Find the default access rule with the following configuration:
    • Source Zone: WAN
    • Destination Zone: WAN
    • Source Address: Any
    • Destination Address: All X1 Management IP
    • Destination Service: SSH Management
  • Edit the access rule. Click on the Security Profiles tab
  • Enable the BotNet/CC option. Click Save

     

HTTPS Management:

  • Click POLICY in the top navigation menu
  • Navigate to Rules and Policies | Access Rules
  • Find the default access rule with the following configuration:
    • Source Zone: WAN
    • Destination Zone: WAN
    • Source Address: Any
    • Destination Address: All X1 Management IP
    • Destination Service: HTTPS Management
  • Edit the access rule. Click on the Security Profiles tab
  • Enable the BotNet/CC option. Click Save

     

 

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Option 1: Apply Botnet Filtering globally to block all connections to/from Botnet Command and Control servers.

Step 1: Click MANAGE in the top navigation menu

Navigate to Security Services | Botnet Filter

  • Enable “Block connections to/from Botnet Command and Control Servers”.
  • Select “All Connections”.
  • Enable the “Enable Logging” option.
  • Click on ACCEPT to Save.

     


 

Option 2: Only apply Botnet Filtering based on firewall access rules.

Step 1: Click MANAGE in the top navigation menu

Navigate to Security Services | Botnet Filter

  • Enable “Block connections to/from Botnet Command and Control Servers”.
  • Select “Firewall Rule-based Connections”.
  • Enable the “Enable Logging” option.
  • Click on ACCEPT to Save.


Step 2: Edit the system-created WAN to WAN Access Rule that we want to apply the Botnet Filter service to.

SSLVPN:

  • Click MANAGE in the top navigation menu
  • Navigate to Policies | Rules > Access Rules
  • Find the default access rule with the following configuration:
    • Source Zone (From): WAN
    • Destination Zone (To): WAN
    • Source Address: Any
    • Destination Address: WAN Interface IP
    • Destination Service: SSLVPN
  • Edit the access rule.
  • Enable the Enable Botnet Filter option. Click OK.


SSH Management:

  • Click MANAGE in the top navigation menu
  • Navigate to Policies | Rules > Access Rules
  • Find the default access rule with the following configuration:
    • Source Zone (From): WAN
    • Destination Zone (To): WAN
    • Source Address: Any
    • Destination Address: All X1 Management IP
    • Destination Service: SSH Management
  • Edit the access rule.
  • Enable the Enable Botnet Filter option. Click OK.

HTTPS Management:

  • Click MANAGE in the top navigation menu
  • Navigate to Policies | Rules > Access Rules
  • Find the default access rule with the following configuration:
    • Source Zone (From): WAN
    • Destination Zone (To): WAN
    • Source Address: Any
    • Destination Address: All X1 Management IP
    • Destination Service: HTTPS Management
  • Edit the access rule.
  • Enable the Enable Botnet Filter option. Click OK.
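
With Option 2, a service is only covered if its own access rule has the Botnet option enabled, so it is worth checking all three rules after the change. The following check is an added example, not SonicWall code; the settings and rule dictionaries are a constructed layout (not a SonicOS export or API schema) that you fill in from the Botnet Filter and Access Rules pages.

```python
# Added example: audit the three WAN-to-WAN rules named in this article.
# The dict layout is constructed for illustration; it is NOT a SonicOS schema.

# Destination Service -> Destination Address, as listed in the article.
REQUIRED_RULES = {
    "SSLVPN": "WAN Interface IP",
    "SSH Management": "All X1 Management IP",
    "HTTPS Management": "All X1 Management IP",
}

def wan_rule(service, destination, botnet_filter):
    """Build one rule record in the constructed layout used by the audit."""
    return {"from": "WAN", "to": "WAN", "source": "Any",
            "destination": destination, "service": service,
            "botnet_filter": botnet_filter}

def audit_botnet_coverage(settings, rules):
    """Return {service: status} for each rule the article says to protect."""
    if settings["mode"] not in ("all", "rule-based"):
        raise ValueError("mode must be 'all' or 'rule-based'")
    report = {}
    for service, dest in REQUIRED_RULES.items():
        matches = [r for r in rules
                   if (r["from"], r["to"], r["source"]) == ("WAN", "WAN", "Any")
                   and r["destination"] == dest and r["service"] == service]
        if not settings["block_enabled"]:
            status = "unprotected: botnet blocking is disabled"
        elif settings["mode"] == "all":          # Option 1: All Connections
            status = "protected (All Connections)"
        elif not matches:                        # Option 2, rule missing
            status = "rule not found"
        elif all(r.get("botnet_filter", False) for r in matches):
            status = "protected (rule flag set)"
        else:
            status = "unprotected: rule flag not set"
        report[service] = status
    report["logging"] = "enabled" if settings.get("logging") else "disabled"
    return report

# Constructed sample: Option 2 selected, HTTPS Management rule was missed.
SAMPLE_SETTINGS = {"block_enabled": True, "mode": "rule-based", "logging": True}
SAMPLE_RULES = [
    wan_rule("SSLVPN", "WAN Interface IP", True),
    wan_rule("SSH Management", "All X1 Management IP", True),
    wan_rule("HTTPS Management", "All X1 Management IP", False),
]

if __name__ == "__main__":
    for name, status in audit_botnet_coverage(SAMPLE_SETTINGS, SAMPLE_RULES).items():
        print(f"{name}: {status}")
```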

 

 
