MSS FW Best Practices: 05 Firewall Management
12/10/2024
Description
CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples and caution should be exercised when making changes to your firewall as unplanned changes could result in downtime based on the complexity of the environment and/or configuration.
MSS Recommended SonicWall Firewall Best Practices Index
Restricting WAN HTTPS Management
IMPORTANT
Doing this without having the correct public IPs specified will disconnect you from the unit.
If you are locked out of the WAN management side of the unit, you may still manage the unit locally.
- You will need to have the public IPs that will be allowed to manage the firewall added as Address Objects.
- If there are multiple public IPs, you will need to add them to an Address Object group.
Restricting WAN HTTPS Management
- Go to Policies → Rules and Policies → Access Rules
- Change the View to WAN to WAN
- Here you will see default rules for HTTPS Management
- You only want to look for the HTTPS Management rules with the source of Any.
- There will be one for each WAN interface so if you only have 1 WAN interface, there will only be 1 matching rule.
- These are the rules we want to modify
- Edit that rule (or those rules), change the source to the Address Object/Group created above, and click Save.
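A pre-save check for the procedure above, added here as an example (not SonicWall code, and not its export format): it models the address objects, the group, and the WAN to WAN access-rule view as a constructed table, flags any HTTPS Management rule whose source is still Any, and confirms the admin's own public IP falls inside the group, which is the lockout case the IMPORTANT note warns about. Object, group and interface names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    zone_from: str
    zone_to: str
    service: str
    source: str     # address object/group name, or "Any"
    interface: str  # WAN interface the rule belongs to, e.g. "X1"

# Constructed sample address objects and group (hypothetical names).
ADDRESS_OBJECTS = {
    "MSS-NOC-Public": ["198.51.100.10/32"],
    "Partner-Office": ["203.0.113.0/28"],
}
ADDRESS_GROUPS = {"Mgmt-Allowed-Sources": ["MSS-NOC-Public", "Partner-Office"]}

# Constructed WAN-to-WAN view: X1 already restricted, X2 still open to Any.
SAMPLE_RULES = [
    Rule("WAN", "WAN", "HTTPS Management", "Mgmt-Allowed-Sources", "X1"),
    Rule("WAN", "WAN", "HTTPS Management", "Any", "X2"),
    Rule("LAN", "WAN", "HTTPS", "Any", "X0"),  # unrelated rule, must be ignored
]

def resolve(name):
    """Expand an address object or group name into ip_network objects."""
    if name in ADDRESS_GROUPS:
        return [n for member in ADDRESS_GROUPS[name] for n in resolve(member)]
    return [ipaddress.ip_network(n) for n in ADDRESS_OBJECTS[name]]

def audit_wan_mgmt(rules, admin_public_ip):
    """Return findings for WAN->WAN HTTPS Management rules: rules still
    open to Any, and rules whose source would lock the admin out."""
    admin = ipaddress.ip_address(admin_public_ip)
    findings = []
    for r in rules:
        if (r.zone_from, r.zone_to, r.service) != ("WAN", "WAN", "HTTPS Management"):
            continue
        if r.source == "Any":
            findings.append(f"{r.interface}: HTTPS Management still open to Any")
        elif not any(admin in net for net in resolve(r.source)):
            findings.append(f"{r.interface}: {r.source} does not include "
                            f"{admin_public_ip}; saving would lock you out")
    return findings

if __name__ == "__main__":
    for line in audit_wan_mgmt(SAMPLE_RULES, "198.51.100.10"):
        print(line)
```

Run it with the public IP you are managing from; an empty result means every WAN interface's HTTPS Management rule is restricted and still admits you.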
Managing Firewalls without a Static Public IP Address
If a firewall is behind an ISP circuit without a static IP address, public access will be blocked by default by the ISP’s modem. There are, however, still a couple of ways it can be managed.
Bridge Mode (Best/Preferred)
This is done by:
- Putting the ISP’s modem into “Bridge” or “Pass-Through” mode.
Pros
- Disables all layer 3 functionality and allows the ISP’s modem to “pass-through” a public IP address which will be picked up by the firewall’s WAN interface.
- This allows the firewall to sit directly on the internet (how God intended) and does not require any additional port forwarding or other configuration.
Cons
- Not always supported by the ISP.
- Not always possible if the modem is providing other services.
DMZ (Better)
This is done by:
- Configuring a static private IP within the range of the ISP modem’s LAN subnet to the WAN interface of the firewall.
- Enabling the DMZ setting of the ISP’s modem for the private IP address configured on the firewall’s WAN interface in step 1 above.
Pros
- The DMZ setting forwards all inbound traffic to the IP address specified in the DMZ settings.
- This will allow all ports inbound to the firewall.
Cons
- The firewall is in a “Double-NAT” state.
- You will need to ensure that the static private IP configured on the firewall’s WAN interface is outside of the ISP modem’s LAN DHCP scope.
- Most modems lose this setting when rebooted so you will need to re-do this in those cases.
Port Forward (Last Resort)
This is done by:
- Configuring a static private IP within the range of the ISP modem’s LAN subnet to the WAN interface of the firewall.
- Creating individual port forwarding rules in the ISP’s modem for each needed service that needs to be opened to the firewall.
Pros
- Good if you have no other option?
Cons
- The firewall is in a “Double-NAT” state.
- You will need to ensure that the static private IP configured on the firewall’s WAN interface is outside of the ISP modem’s LAN DHCP scope.
- There could potentially be many services needed which could result in needing to create many port forwarding rules.
- Most modems lose this setting when rebooted so you will need to re-do this in those cases.