MSS FW Best Practices: Firewall Management

Description

CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples and caution should be exercised when making changes to your firewall as unplanned changed could result in downtime based on the complexity of the environment and/or configuration. 

MSS Recomended SonicWall Firewall Best Practices Index

Restricting WAN HTTPS Management

IMPORTANT

Doing this without having the correct public IPs specified will disconnect you from the unit.

If you are locked out of the WAN management side of the unit, you may still manage the unit locally.

  • You will need to have the public IPs that will be allowed to manage the firewall added as Address Objects.
  • If there are multiple public IPs, you will need to add them to an Address Object group.

ImageRestricting WAN HTTPS Management

  1. Go to Policies → Rules and Policies → Access Rules
  2. Change the View to WAN to WAN
    1. Here you will see default rules for HTTPS Management
    2. You only want to look for the HTTPS Management rules with the source of Any.
    3. There will be one for each WAN interface so if you only have 1 WAN interface, there will only be 1 matching rule.
    4. These are the rules we want to modify

Image

  1. Edit that/those rules and change the source to the Address Object/Group created above and click save

Image

Managing Firewalls without a Static Public IP Address

If a firewall is behind an ISP circuit without a static IP address, public access will be blocked by default by the ISP’s modem. There however are still a couple of ways that it can be managed.

Bridge Mode (Best/Preferred)

This is done by:

  1. Putting the ISP’s modem into “Bridge” or “Pass-Through” mode.

Pros

  • Disables all layer 3 functionality and allows the ISP’s modem to “pass-through” a public IP address which will be picked up by the firewall’s WAN interface.
  • This allows the firewall to sit directly on the internet (how God intended (smile) ) and does not require any additional port forwarding or other configuration.

Cons

  • Not always supported by the ISP.
  • Not always possible if the modem is providing other services.

DMZ (Better)

This is done by:

  1. Configuring a static private IP within the range of the ISP modem’s LAN subnet to the WAN interface of the firewall.
  2. Enabling the DMZ setting of the ISP’s modem for the private IP address configured on the firewall’s WAN interface in step 1 above.

Pros

  • The DMZ settings forwards all inbound traffic to the IP address specified in the DMZ settings.
  • This will allow all ports inbound to the firewall.

Cons

  • The firewall is in a “Double-NAT” state.
  • You will need to ensure that the static public IP configured on the firewall’s WAN interface is outside of the ISP Modem’s LAN DHCP scope.
  • Most modems lose this setting when rebooted so you will need to re-do this in those cases.

Port Forward (Last Resort)

This is done by:

  1. Configuring a static private IP within the range of the ISP modem’s LAN subnet to the WAN interface of the firewall.
  2. Creating individual port forwarding rules in the ISP’s modem for each needed service that needs to be opened to the firewall.

Pros

  • Good if you have no other option?

Cons

  • The firewall is in a “Double-NAT” state.
  • You will need to ensure that the static public IP configured on the firewall’s WAN interface is outside of the ISP Modem’s LAN DHCP scope.
  • There could potentially be many services needed which could result in needing to create many port forwarding rules.
  • Most modems lose this setting when rebooted so you will need to re-do this in those cases.

Related Articles

  • CS : Child CID Provisioning
    Read More
  • Cylance - Uninstalling Agent
    Read More
  • Cylance - Support Collection Tool
    Read More

Categories

Managed Security Services
Firewall Monitoring and Management
Firewall Configuration and Best Practices
not finding your answers?
Ask the Community
was this article helpful?
YesNo