SonicOS 7.0 Objects
Controlling a Dynamic Host’s Network Access by MAC Address
Since DHCP is far more common than static addressing in most networks, it is sometimes difficult to predict the IP address of dynamically configured hosts, particularly in the absence of dynamic DNS updates or reliable hostnames. In these situations, it is possible to use MAC address objects to control a host’s access by its relatively immutable MAC (hardware) address.
Like most other methods of access control, this can be applied either inclusively, for example to deny access to or for a specific host or group of hosts, or exclusively, where only a specific host or group of hosts is granted access and all others are denied. This example illustrates the latter.
Example
Assume you have a set of DHCP-enabled wireless clients running a proprietary operating system that precludes any type of user-level authentication, and you want to allow these clients to access only an application-specific server (for example, 10.50.165.2) on your LAN. The WLAN segment uses WPA-PSK for security. This set of clients should have access to the 10.50.165.2 server but to no other LAN resources. All other wireless clients should not be able to access the 10.50.165.2 server, but should have unrestricted access everywhere else.
To control a dynamic host's network access by MAC address for the above example:
1. Create MAC Address Objects.
   - Navigate to OBJECT | Match Objects > Addresses > Address Objects.
   - Click the Add icon and create the following MAC address objects (multi-homing is optional).
   Once created, if the hosts are present in the firewall's ARP cache, they are resolved immediately; otherwise they appear in an unresolved state in the Address Objects table until they are activated and discovered through ARP.
2. Create an address group for the handheld devices according to Adding Address Groups.
3. Create an Access Rule or a Security Policy.
   - Classic Mode: Create an access rule on the POLICY | Rules and Policies > Access Rules page. For more information, refer to the Configuring Access Rules section in the SonicOS 7.0 Rules and Policies Administration Guide for Classic Mode.
   - Policy Mode: Create a security policy on the POLICY | Rules and Policies > Security Policy page. For more information, refer to the Security Policy section in the SonicOS 7.0 Rules and Policies Administration Guide for Policy Mode.
Sample access rules

| Setting | Access Rule 1 | Access Rule 2 | Access Rule 3 | Access Rule 4 |
|---|---|---|---|---|
| Allow / Deny | Allow | Deny | Allow | Deny |
| From Zone | WLAN | WLAN | WLAN | WLAN |
| To Zone | LAN | LAN | LAN | LAN |
| Service | MediaMoose Services | MediaMoose Services | Any | Any |
| Source | Handheld Devices | Any | Handheld Devices | Any |
| Destination | 10.50.165.2 | 10.50.165.2 | Any | Any |
| Users allowed | All | All | All | All |
| Schedule | Always on | Always on | Always on | Always on |

The MediaMoose Services service represents the specific application used by the handheld devices. Declaring a specific service is optional; use it as needed.
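As an added illustration (not SonicOS code or SonicWall's own), the following Python models how the pieces of this procedure fit together at evaluation time: MAC address objects that resolve to IPs only once the host appears in the ARP cache, a multi-homed object with several IPs, and first-match evaluation of the four sample rules in the order listed. It shows why a handheld that has not yet been discovered through ARP is treated like any other WLAN client until its MAC object resolves. The ARP cache contents, the handheld MAC addresses and the MediaMoose Services port (TCP 8443) are constructed assumptions.

```python
"""Added illustration (not SonicOS code) of MAC address object resolution and
first-match evaluation of the sample WLAN -> LAN access rules.

Constructed assumptions: the ARP cache contents, the handheld MAC addresses,
and "MediaMoose Services" being TCP port 8443.
"""
from dataclasses import dataclass

# Constructed ARP cache as the firewall might have learned it: MAC -> IP list.
# A multi-homed host (one MAC, several IPs) resolves to all of its addresses.
ARP_CACHE = {
    "00:11:22:33:44:01": ["10.50.170.11"],
    "00:11:22:33:44:02": ["10.50.170.12", "10.50.170.13"],  # multi-homed handheld
    "0a:bb:cc:dd:ee:ff": ["10.50.170.50"],                  # some other WLAN client
}

# The "Handheld Devices" address group: three MAC address objects. The third
# MAC has not been seen in the ARP cache yet, so it stays unresolved for now.
HANDHELD_DEVICES = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]

# Constructed service object: "MediaMoose Services" assumed to be TCP port 8443.
SERVICES = {"MediaMoose Services": {("tcp", 8443)}}


def resolve_mac_group(macs, arp_cache):
    """Resolve a group of MAC address objects against the ARP cache.

    Returns (resolved_ips, unresolved_macs). A MAC object contributes its IPs
    only once the host has been discovered through ARP, which is the
    resolved/unresolved behaviour described in the procedure above.
    """
    ips, unresolved = set(), []
    for mac in macs:
        mac = mac.lower()
        if mac in arp_cache:
            ips.update(arp_cache[mac])
        else:
            unresolved.append(mac)
    return ips, unresolved


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "Allow" or "Deny"
    service: str      # service object name, or "Any"
    source: str       # address group name, or "Any"
    destination: str  # destination IP, or "Any"


# The four WLAN -> LAN rules from the sample table, in evaluation order.
RULES = [
    Rule("Access Rule 1", "Allow", "MediaMoose Services", "Handheld Devices", "10.50.165.2"),
    Rule("Access Rule 2", "Deny",  "MediaMoose Services", "Any",              "10.50.165.2"),
    Rule("Access Rule 3", "Allow", "Any",                 "Handheld Devices", "Any"),
    Rule("Access Rule 4", "Deny",  "Any",                 "Any",              "Any"),
]


def evaluate(src_ip, dst_ip, proto, port, rules=RULES, arp_cache=ARP_CACHE):
    """Return (action, rule_name) for the first rule that matches a flow.

    The Source column is matched on the IPs the MAC group currently resolves
    to, so a handheld that is not yet in the ARP cache does not match
    "Handheld Devices" and falls through to the later, broader rules.
    """
    handheld_ips, _ = resolve_mac_group(HANDHELD_DEVICES, arp_cache)
    groups = {"Handheld Devices": handheld_ips}
    for rule in rules:
        if rule.service != "Any" and (proto, port) not in SERVICES[rule.service]:
            continue
        if rule.source != "Any" and src_ip not in groups[rule.source]:
            continue
        if rule.destination != "Any" and dst_ip != rule.destination:
            continue
        return rule.action, rule.name
    # Not reached while a final Any/Any rule is present in the table.
    return "Deny", "no matching rule"


if __name__ == "__main__":
    print(evaluate("10.50.170.11", "10.50.165.2", "tcp", 8443))  # handheld -> server
    print(evaluate("10.50.170.50", "10.50.165.2", "tcp", 8443))  # other client -> server
    print(resolve_mac_group(HANDHELD_DEVICES, ARP_CACHE)[1])     # MACs still unresolved
```

Running it shows the practical consequence of the resolution step: until the third handheld's MAC appears in the ARP cache, its traffic to 10.50.165.2 hits Access Rule 2 and is denied, and it is allowed by Access Rule 1 only after ARP discovery adds its IP to the group.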