• SonicOS 7 Rules and Policies
• Access Rules
  • Setting Firewall Access Rules
    • About Stateful Packet Inspection Default Access Rules
    • About Connection Limiting
    • Using Bandwidth Management with Access Rules
      • Enabling Bandwidth Management on an Access Rule
    • Configuring Access Rules
      • Configuring Access Rules for IPv6
      • Configuring Access Rules for NAT64
      • Access Rules for DNS Proxy
      • User Priority for Access Rules
      • Displaying Access Rules
        • By Zones
        • By Column
      • Configuring Access Rules for a Zone
    • Enabling and Disabling Access Rules
    • Editing Access Rules
    • Deleting Access Rules
    • Restoring Access Rules to Default Settings
    • Displaying Access Rule Traffic Statistics
  • Access Rule Configuration Examples
    • Enabling Ping
    • Blocking LAN Access for Specific Services
    • Allowing WAN Primary IP Access from the LAN Zone
• NAT Rules
  • About NAT in SonicOS
  • About NAT Load Balancing
    • Determining the NAT LB Method to Use
    • Caveats
    • How Load Balancing Algorithms are Applied
    • Sticky IP Algorithm Examples
      • Example One - Mapping to a Network
      • Example Two - Mapping to an IP Address Range
  • About NAT64
    • Use of Pref64::/n
  • About FQDN-based NAT
  • About Source MAC Address Override
  • Viewing NAT Policy Entries
    • Changing the Display
    • Filtering the Display
    • Displaying Information about Policies
  • Adding or Editing NAT or NAT64 Policies
  • Deleting NAT Policies
  • Creating NAT Rule Policies: Examples
    • Creating a One-to-One NAT Policy for Inbound Traffic
    • Creating a One-to-One NAT Policy for Outbound Traffic
    • Inbound Port Address Translation via One-to-One NAT Policy
    • Inbound Port Address Translation via WAN IP Address
    • Creating a Many-to-One NAT Policy
    • Creating a Many-to-Many NAT Policy
    • Creating a One-to-Many NAT Load Balancing Policy
    • Creating a NAT Load Balancing Policy for Two Web Servers
    • Creating a WAN-to-WAN Access Rule for a NAT64 Policy
    • DNS Doctoring
• Routing Rules
  • About Routing
    • About Metrics and Administrative Distance
      • About Metrics
      • About Administrative Distance
    • Route Advertisement
    • ECMP Routing
    • Policy-based Routing
    • Policy-based TOS Routing
    • PBR Metric-based Priority
    • Policy-based Routing and IPv6
    • OSPF and RIP Advanced Routing Services
      • About Routing Services
        • Protocol Type
        • Maximum Hops
        • Split-Horizon
        • Poison Reverse
        • Routing Table Updates
        • Subnet Sizes Supported
        • Autonomous System Topologies
      • OSPF Terms
    • Drop Tunnel Interface
    • App-based Routing
  • Rules and Policies > Routing Rules
    • Configuring Routing Rules
      • Adding Static Routes
      • Probe-Enabled Policy-based Routing Configuration
• Content Filter Rules
  • About Content Filtering Rules (CFS)
    • About Content Filter Rules
    • About UUIDs for CFS Policies
    • About Content Filter Objects
    • How CFS Works
  • Configuring CFS Policies
    • About the Content Filter Rule Table
      • Searching the Content Filter Rule Table
    • Adding a Content Filter Rule
    • Editing a Content Filter Rule
    • Deleting Content Filter Rules
• App Rules
  • About App Rules
    • What are App Rules?
      • About App Rules Policies
      • About App Rules Capabilities
    • Benefits of App Rules
    • How Does Application Control Work?
    • About App Rules Policy Creation
    • Licensing App Rules and App Control
    • Terminology
  • Rules and Policies > App Rules
    • Configuring an App Rules Policy
    • Using the App Rule Wizard
  • Verifying App Rules Configuration
    • Useful Tools
      • Wireshark
      • Hex Editor
  • App Rules Use Cases
    • Creating a Regular Expression in a Match Object
    • Policy-based Application Rules
    • Logging Application Signature-based Policies
    • Compliance Enforcement
    • Server Protection
    • Hosted Email Environments
    • Email Control
    • Web Browser Control
    • HTTP Post Control
    • Forbidden File Type Control
    • ActiveX Control
    • FTP Control
      • Blocking Outbound Proprietary Files Over FTP
      • Blocking Outbound UTF-8 / UTF-16 Encoded Files
      • Blocking FTP Commands
    • Bandwidth Management
    • Bypass DPI
    • Custom Signature
    • Reverse Shell Exploit Prevention
      • Generating the Network Activity
      • Capturing and Exporting the Payload to a Text File Using Wireshark
      • Creating a Match Object
      • Defining the Policy
• Endpoint Rules
• SonicWall Support
  • About This Document

Configuring Access Rules

• Configuring Access Rules for IPv6
• Configuring Access Rules for NAT64
• Access Rules for DNS Proxy
• User Priority for Access Rules
• Displaying Access Rules
• Configuring Access Rules for a Zone

To configure rules, the service or service group that the rule applies to must first be defined. If it is not, you can define the service or service group and then create one or more rules for it.

The following procedure describes how to add, modify, reset to defaults, or delete firewall rules for firewall appliances running SonicOS. For appliances running SonicOS, paginated navigation and sorting by column header is supported on the Access Rules screen. In the Access Rules table, you can click the column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.

By hovering your mouse over entries on the Access Rules screen, you can display information about an object, such as an Address Object or Service.

IPv6 is supported for Access Rules. Filter for IPv6 Access Rules from the Access Rules Search drop-down menus. A list of results displays in a table.

From there you can click the Configure icon for the Access Rule you want to edit. The IPv6 configuration for Access Rules is almost identical to IPv4.

To configure an access rule

1. Navigate to POLICY | Rules and Policies > Access Rules. The Access Rules page displays. The Access Rules page enables you to see multiple views of any Access Rule by clicking the associated arrow on the left side of the Access Rule table.
2. From the default view, hover over the appropriate Access Rule and the Configure options appear on the right side. Click the Edit pencil icon to view the Source and Destination interfaces for which you are configuring the rule. The Editing Rule page for that interface pair displays.

3. Or from the Access Rules table, click +Add at the bottom of the table. The Adding Rule dialog box displays.

   

4. In the initial view, add or edit the My Rule Name.
5. You can provide a short description of your access rule in the Description area.

6. Select an Action, whether to Allow, Deny, or Discard access.

   • Allow - As long as the Enable option is selected, your access rule is active.

   • Deny - The firewall denies all connections matching this rule and blocks the page specified and the action profile is served for web traffic. The firewall also resets the connections on both sides.

   • Discard - Firewall silently drops any packets matching this rule.

7. Specify the IP Version, IPv4 or IPv6.
8. Set your access rule's Priority. You can choose to Auto Prioritize, Insert at the End, or a Manual priority for your access rule.

9. Specify when the rule is applied by selecting a schedule from the Schedule drop-down menu. If the rule is always applied On, select Always. If the schedule you want is not listed in the drop-down menu, click the pencil icon to the right of the menu and create a New Schedule Object. The Adding Schedule Object dialog appears.

   

10. Enter the specifics that meet your scheduling requirements. Additional options appear depending on your selections. Click Save. Your custom scheduling option appears in the Schedule drop-down menu already selected.

11. After you are satisfied with all Action settings, click the Enable option to activate the access rule.

Source / Destination

With the basis of the access rule established, you are now ready to assign specifics to your interface pair.

1. In the Source/Destination tab, select the desired Source and Destination Zone/Interface options from the appropriate drop-down menus.

• There are no default Zones or Interfaces. Any is supported for both Zone/Interface fields.

Select or create a Source network address object from the Address drop-down menu.

Select or create a Destination network address object from the Address drop-down menu.

For Port/Services, select or create a Service Object or Service Group in the Source column. When configured, the access rule filters traffic based on the source port defined in the selected Port/Services. The Port/Services selected must have the same protocol types as the ones selected in Destination Port/Services.

Click Show Diagram for a view of the connections you have created.

User & TCP/UDP

1. Specify if this rule applies to all users or to an individual user or group of users in the Include drop-down menu. You can exclude users in the same way using the Exclude drop-down menu.
2. To have the access rule time out after a period of TCP inactivity, set the amount of time, in minutes, in the TCP Inactivity Timeout (minutes) field. The default value is 15 minutes.
3. To have the access rule time out after a period of UDP inactivity, set the amount of time, in minutes, in the UDP Inactivity Timeout (seconds) field. The default value is 30 seconds.
4. Click Show Diagram for a view of the connections you have created.

Security Profiles

In the Decryption Services section:

1. To disable Deep Packet Inspection (DPI) scanning on a per-rule basis, deselect DPI. This option is enabled by default.
2. To disable client-side DPI-SSL scanning of traffic matching this rule, deselect Client DPI-SSL. Client DPI-SSL scanning inspects HTTPS traffic when clients on the appliance’s LAN access content located on the WAN.
3. To disable server-side DPI-SSL scanning of traffic matching this rule, deselect Server DPI-SSL. Server DPI-SSL scanning inspects HTTPS traffic when remote clients connect over the WAN to access content located on the appliance’s LAN.

Botnet / CC

1. If you want to use the Botnet Filter, enable Botnet /CC. It is disabled by default.

Geo-IP Filter

To configure GeoIP settings

1. Enable Geo-IP Filter to apply a filter to traffic matching this rule.
2. For the Geo-IP Filter Mode, select Global to apply the entire Allowed Countries list for this rule, or select Custom to specify a customized Allowed Countries list for this rule. Enabling the Geo-IP Filter and the Custom Geo-IP Filter Mode enables the Allowed Countries and Blocked Countries fields.
   1. To select a country, click it in the Allowed Countries list and use the right arrow to move it to the Blocked Countries list.
   2. To remove a country from the Blocked Countries list, click it and use the left arrow to move it back to the Allowed Countries list.
3. Select Block Unknown Countries to block traffic matching no known country.
4. Click Show Diagram for a view of the connections you have created.

Traffic Shaping

Configure QoS (Quality of Service) if you want to apply DSCP Marking or 802.1p Marking Quality of Service management to all traffic governed by this rule.

1. Under DSCP Marking, select the DSCP Marking action from the drop-down menu:

   • None: DSCP values in packets are reset to 0.
   • Preserve (default): DSCP values in packets remain unaltered.
   • Explicit: The Explicit DSCP Value drop-down menu displays. Select a numeric value between 0 and 63. Some standard values are:

   • 0 - Best effort/Default (default)	20 - Class 2, Silver (AF22)	34 - Class 4, Gold (AF41)
     8 - Class 1	22 - Class 2, Bronze (AF23)	36 - Class 4, Silver (AF42)
     10 - Class 1, Gold (AF11)	24 - Class 3	38 - Class 4, Bronze (AF43)
     12 - Class 1, Silver (AF12)	26 - Class 3, Gold (AF31)	40 - Express Forwarding
     14 - Class 1, Bronze (AF13)	27 - Class 3, Silver (AF32)	46 - Expedited Forwarding (EF)
     16 - Class 2	30 - Class 3, Bronze (AF33)	48 - Control
     18 - Class 2, Gold (AF21)	32 - Class 4	56 - Control

   • Map: The page displays, “Note: The QoS Mapping Settings on the POLICY | Firewall > QoS Mapping page will be used.”
     • The Allow 802.1p Marking to override DSCP values checkbox displays. Select it to allow DSCP values to be overridden by 802.1p marking. This option is disabled by default.

2. Under 802.1p Marking select the 802.1p Marking action from the drop-down menu:

   • None (default): No 802.1p tagging is added to the packets.

   • Preserve: 802.1p values in packets remain unaltered.

   • Explicit: The Explicit 802.1p Value drop-down menu displays. Select a numeric value between 0 and 7:

   • 0 - Best effort (default)	4 - Controlled load
     1 - Background	5 - Video (<100ms latency)
     2 - Spare	6 - Voice (<10ms latency)
     3 - Excellent effort	7 - Network control

   • Map: The page displays, “Note: The QoS Mapping Settings on the POLICY | Firewall > QoS Mapping page will be used.”

BWM (Bandwidth Management)

Bandwidth Management (BWM) is disabled for both inbound and outbound traffic. You can enable Bandwidth Management with a Profile Object at OBJECT | Profile Objects > Bandwidth.

To disable BWM for outbound (egress) and inbound (ingress) traffic

1. Select Egress BWM. This option is disabled by default.

   1. Select the bandwidth object from the drop-down menu.

2. To disable BWM for inbound traffic, select Ingress BWM. This option is disabled by default.

   1. Select a bandwidth object from the drop-down menu.

3. To track bandwidth usage, select Track Bandwidth Usage. This option is disabled by default. To select this option, you must enable either or both of the BWM options.

4. Click Show Diagram for a view of the connections you have created.

Logging

1. To disable logging for this rule, deselect Logging.
2. To enable Flow Reporting enable the slider to allow flow reporting.
3. Click Show Diagram for a view of the connections you have created.

Optional Settings

VoIP Transformations

1. To enable SIP transformation on traffic matching this access rule, slide on the SIP toggle. This option is not selected by default.

   By default, SIP clients use their private IP address in the SIP (Session Initiation Protocol) Session Definition Protocol (SDP) messages that are sent to the SIP proxy. If your SIP proxy is located on the public (WAN) side of the firewall and the SIP clients are located on the private (LAN) side of the firewall, the SDP messages are not translated and the SIP proxy cannot reach the SIP clients. Enabling SIP transformation solves this problem by having SonicOS transform SIP messages going from LAN to WAN by changing the private IP address and assigned port.

2. To enable H.323 transformation on traffic matching this access rule, slide on the H.323 toggle.

   H.323 is supported for both IPv4 and IPv6. However, H.323 does not function as a bridge between IPv4 and IPv6. If an ingress H.323 stream to the firewall is in IPv4 mode, on the egress side it stays in IPv4 mode. The same is true for IPv6 mode. The associated media sessions (like audio and video sessions) as hosted by the H.323 signaling stream has the same address mode as the H.323 signaling session. For example, if the H.323 signaling handshake is in IPv6 mode, all the RTP/RTCP streams generated from this H.323 signaling stream are in IPv6 mode as well.

TCP Options

Allow TCP Urgent Packets - Sets an action for TCP urgent packets. Enable to allow the packet, or clear the toggle to disallow the packet. The default is to clear the packet.

SonicOS tags urgent packets to indicate the packet contains information of higher priority than other data found within the stream. The exact interpretation of an urgent packet is vague, therefore, end systems handle these urgent offsets in different ways, which could make the firewall vulnerable to attacks. Use this feature cautiously.

Connection Thresholds

1. Specify the number of connections allowed as a percent of the maximum number of connections allowed by the appliance in the Number of Connections allowed (% of max connections) field. Refer to About Connection Limiting, for more information on connection limiting.
2. Select Enable Connection Threshold for each Source IP to define a Threshold for dropped packets. When this threshold is exceeded, connections and packets from the corresponding Source IP are dropped. The minimum number is 0, the maximum is 65535, and the default is 128.
3. Select Enable Connection Threshold for each Destination IP to define a Threshold for dropped packets. When this threshold is exceeded, connections and packets destined for the corresponding Destination IP are dropped. The minimum number is 0, the maximum is 65535, and the default is 128.

Others

1. Click Allow Management Traffic. If this option is enabled, both management and non-management traffic is allowed.
2. Check Allow Fragmented Packets to allow fragmented packets. Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. You should only enable Allow Fragmented Packets if users are experiencing problems accessing certain applications and the SonicWall logs show many dropped fragmented packets.
3. Check Enable Packet Monitor to allow packets to be monitored.
4. Check Create Reflexive Rule to automatically create a reflexive firewall rule for the protected host. The Reflexive Rule uses the same policies as those that are configured for the hosted server but instead of configuring the source zone to the destination zone, this rule is applicable on traffic from the destination zone to the source zone.
5. Click Show Diagram for a view of the connections you have created.