SonicWall Management HTTPS traffic on non-standard port blocked by App Control Advanced

03/26/2020 9 11882

DESCRIPTION:
SonicWall Management HTTPS traffic on non-standard port blocked by App Control Advanced signature SID # 5, Encrypted Key Exchange -- TCP Random Encryption.

RESOLUTION:

When SonicWall HTTPS management is configured on a non-standard port (the default is the standard TCP port 443) and if the Application Control Advanced signature SID # 5 is enabled to block, attempting to login to a remote SonicWall management GUI over either WAN or VPN will be blocked.

SID # 5 is one of the critical signatures used to block traffic of such applications as UltraSurf, Skype or Emule. Due to the high importance of blocking such traffic, it is not recommended to disable this signature. Instead, we propose the following workaround of excluding the interface IP address of the destination SonicWall. 

1. Login to the SonicWall Management GUI.
2. Navigate to the Network | Address Objects page.
3. Scroll down to the Address Objects section and click on Add.
4. Enter a name for the address object.
5. Set Zone Assignment as either WAN or VPN as the case maybe.
6. Set Type as Host
7. Under IP Address, enter the IP address of the destination SonicWall's interface.
8. Click on Add to save.

NOTE: If the appliance is to be managed over VPN, create an address object of zone type VPN with IP address of the X0 interface. If there are multiple SonicWall appliances, create an address object for each and add them to a group under Add Group.

1. Navigate to the Firewall | App Control Advanced page. In Gen5 TZ devices this page is under Security Services | App Control
2. Under App Control Advanced, enter 5 under Lookup Signature ID to open the Edit App Control Signature window.
3. Within this window, from the drop-down in Excluded IP Address Range, select the address object or address group created earlier.
4. Click on OK to save the changes.