SonicOS 7.1 Firewall

Use cases

How can I configure the SonicWall to mitigate DDoS attacks?

  • Use case: How can I configure the SonicWall to mitigate DDoS attacks?
  • Resolution: You can use SonicOS 7.x firmware to harden your network against DDoS attacks at the firewall level. Enable the following to protect your network.

    • Intrusion Prevention

    • Block unused Ports from the WAN to the Internal Network

    • Flood Protection: Proxy WAN Connections will cause external users who trigger the Flood Protection feature to be blocked from connecting to internal resources. If there is a chance that any user could generate a false positive for this feature, it is recommended to leave TCP Flood Protection in Watch and Report mode.

    • Geo-IP Filter and Botnet Filter: Many DDoS attacks occur when infected machines under the control of a few individuals are all directed at one target. Often these attacks come from certain countries and do not have their IP addresses obfuscated. By using the Geo-IP Filter and Botnet Filter on the SonicWall it is possible to drop these packets as they attempt to enter the network.

  • Configuration:

    To enable Intrusion Prevention, do the following

    1. Go to Policy > Security Services > Intrusion Prevention.

    2. Under IPS Global Settings, activate Enable IPS.

      To enforce SonicWall IPS not only between each Network Zone and the WAN, but also between internal zones, you should also apply SonicWall IPS to zones on the Object > Match Object > Zones Page.

    3. Under Signature Groups enable the following:

      Group                     Prevent All   Detect All
      High Priority Attacks     Yes           Yes
      Medium Priority Attacks   Yes           Yes
      Low Priority Attacks      -             -

    4. Click Accept.

    To block unused Ports from the WAN to the Internal Network, do the following

    1. Go to Policy > Rules and Policies > Access Rules.

    2. Check the WAN to LAN, WAN to DMZ, WAN to WLAN, and WAN to any Custom Zones access rules.

    3. Ensure that any Allow rules are restricted by Service (Port) and, where possible, by Source IP as well.

    To enable Flood Protection, do the following

    1. Go to Network > Firewall > Flood Protection.

    2. Enable UDP and ICMP Flood Protection.

    3. Go to TCP > Layer 3 SYN Flood Protection - SYN Proxy. In the SYN Flood Protection Mode drop-down menu, select Proxy WAN Client Connections when attack is suspected.

    To enable Geo-IP Filter, do the following

    1. Go to Policy > Security Services > Geo-IP Filter.

    2. In the Settings tab, enable Block connections to/from countries.

    3. In the Countries tab, select the countries to be blocked.

      Enabling Geo-IP Filter blocks Outbound Connections to any device that has a Public IP Address associated with the selected country. If you'd like to set up Geo-IP Filter for a more granular block, please reference How to configure SonicWall Geo-IP Filter using Firewall Access Rules.

    4. Click Accept.

    To enable Botnet Filter, do the following

    1. Go to Policy > Security Services > Botnet Filter.

    2. In the Settings tab, enable Block connections to/from Botnet Command and Control Servers.

      Botnet IP addresses are maintained by SonicWall for internal use. If you would like to test whether a Domain/IP is flagged as a Botnet, navigate to Policy > Security Services > Botnet Filter > Diagnostics and enter the desired IP Address in the Lookup IP Tool.

      Enabling Botnet Filter blocks Outbound Connections to any device that has a Public IP Address associated with the selected country.

    3. Click Accept.
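Step 3 of "block unused Ports from the WAN to the Internal Network" is a review that is easy to script once the rule set is exported. The following is an added example, not SonicWall code and not a SonicOS export format: it models each access rule with a small hypothetical AccessRule record (field names are this example's own) and flags every WAN-to-internal Allow rule that is not restricted by Service and/or Source, which is the condition the step asks you to check by hand.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


# Hypothetical, minimal model of one row on the Policy > Rules and Policies >
# Access Rules page. These field names are this example's own invention.
@dataclass(frozen=True)
class AccessRule:
    name: str
    src_zone: str   # e.g. "WAN"
    dst_zone: str   # e.g. "LAN", "DMZ", "WLAN" or a custom zone
    action: str     # "Allow", "Deny" or "Discard"
    service: str    # service object name, or "Any"
    source: str     # source address object name, or "Any"


DEFAULT_INTERNAL_ZONES = frozenset({"LAN", "DMZ", "WLAN"})


def audit_wan_inbound_rules(rules: Iterable[AccessRule],
                            custom_zones: Iterable[str] = ()
                            ) -> List[Tuple[str, str, List[str]]]:
    """Return (rule name, severity, problems) for every WAN -> internal Allow
    rule that is not constrained by Service (port) and/or Source IP.
    Custom internal zones must be passed in, exactly as the page tells you
    to check "WAN to any Custom Zones" rules as well."""
    internal = set(DEFAULT_INTERNAL_ZONES) | set(custom_zones)
    findings = []
    for r in rules:
        # Only inbound Allow rules into internal zones matter for this check.
        if r.src_zone != "WAN" or r.dst_zone not in internal or r.action != "Allow":
            continue
        problems = []
        if r.service == "Any":
            problems.append("service is Any: rule is not restricted to a port")
        if r.source == "Any":
            problems.append("source is Any: rule is not restricted to a source IP")
        if not problems:
            continue
        # A rule open on both dimensions exposes the whole zone; one open
        # dimension (e.g. a public web server with source Any) is a lesser finding.
        severity = "high" if len(problems) == 2 else "medium"
        findings.append((r.name, severity, problems))
    return findings


def summarize(findings: List[Tuple[str, str, List[str]]]) -> Dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0}
    for _, sev, _ in findings:
        counts[sev] += 1
    return counts


# Constructed sample rule set; not taken from any real firewall.
SAMPLE_RULES = [
    AccessRule("web-to-dmz", "WAN", "DMZ", "Allow", "HTTPS", "Any"),
    AccessRule("partner-sftp", "WAN", "LAN", "Allow", "SSH", "PartnerNet"),
    AccessRule("legacy-any", "WAN", "LAN", "Allow", "Any", "Any"),
    AccessRule("vpn-mgmt", "WAN", "MGMT", "Allow", "Any", "Any"),   # custom zone
    AccessRule("default-deny", "WAN", "LAN", "Deny", "Any", "Any"),
    AccessRule("lan-out", "LAN", "WAN", "Allow", "Any", "Any"),     # outbound, ignored
]


if __name__ == "__main__":
    for name, sev, problems in audit_wan_inbound_rules(SAMPLE_RULES, custom_zones=["MGMT"]):
        print(f"[{sev}] {name}: " + "; ".join(problems))
```

Run against the constructed rules, the audit reports legacy-any and vpn-mgmt as high (open on both port and source) and web-to-dmz as medium (port-restricted, any source); the Deny rule and the outbound rule are skipped, and vpn-mgmt is only found when MGMT is passed as a custom zone.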

How to Block HTTPS access to Gmail using SSL Control

  • Use case: How to Block HTTPS access to Gmail using SSL Control.
  • Resolution: SSL Control provides visibility into the handshake of Secure Sockets Layer (SSL) sessions, and a method for configuring policies to control the establishment of SSL sessions. One of the main features of SSL Control is the ability to specify which HTTPS certificates should be blocked. You can use SonicOS 7.x to block access to https://www.gmail.com using SSL Control from the LAN zone. Using this method blocks all websites with the Common Name (CN) www.google.com.
  • Configuration:

    To block access to https://www.gmail.com using SSL Control, do the following

    1. Login to the SonicWall Management interface.

    2. Go to the Object > Zones page and click on edit on the LAN zone.

    3. Edit the LAN zone.

    4. In General settings, enable SSL Control.

    5. This affects all LAN users, since SSL Control is enabled for the LAN zone.

    6. Go to Network > Firewall > SSL Control and enable SSL Control.

    7. Under Configuration enable Blacklist.

    8. Click Custom list tab, under Blacklist click Add.

    9. Enter www.gmail.com in Certificate Common Name.

    10. Click OK.

  • To test SSL Control blocking https://www.gmail.com, do the following

    1. Log out of the SonicWall Management interface.

    2. Open an internet browser.

    3. Try to open https://www.gmail.com or https://mail.gmail.com.

      A Connection Interrupted message is displayed.

How does RBL filter identify if an SMTP server is Blacklisted (possible SPAM)?

  • Use case: How does RBL filter identify if an SMTP server is Blacklisted (possible SPAM)?
  • Resolution: Real-time Blacklist (RBL) list providers publish their lists via DNS. Blacklisted IP addresses appear in the list provider's DNS domain, using the inverted IP address of the SMTP server in question as a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates some type of undesirability.

    For example: an SMTP server with IP address 1.2.3.4 has been blacklisted by the RBL list provider sbl-xbl.spamhaus.org, so a DNS query for 4.3.2.1.sbl-xbl.spamhaus.org returns a 127.0.0.4 response, indicating that the server is a known source of spam, and the connection will be dropped.

    You can use the SonicWall RBL Filter feature in SonicOS 7.x to block subsequent delivery attempts sent from hijacked or zombie machines running a thin SMTP server implementation.

  • Configuration:

    To configure RBL filter, do the following

    1. Login to the SonicWall Management Interface.

    2. Navigate to Network > RBL Filter.

    3. In the Real-time Black List Settings tab, enable Real-time Black List Blocking.

    4. Select Specify DNS Servers Manually or Inherit Settings from WAN Zone.

      The inbound connections from hosts on the WAN, or outbound connections to hosts on the WAN are checked against each enabled RBL service with a DNS request to the DNS servers configured.

    To add additional RBL Services, do the following

    1. Under Real-time Black List Services tab, click Add.

    2. In the Add Black-List Service window, do the following:

      1. Enable RBL domain.

      2. Select the RBL Blocked Responses.

      The Block All Responses option is generally selected.

    To configure User-Defined SMTP Server Lists, do the following

    The User Defined SMTP Server Lists section allows for Address Objects to be used to construct a white-list (explicit allow) or black-list (explicit deny) of SMTP servers.

    1. Under User Defined SMTP Server Lists, click Add.

    2. In Add User-Defined SMTP Server, enter the Name, Zone Assignment, Type, and IP Address.

    3. Click the edit icon on the RBL User White List row, and add the Address Object.

      The table will be updated, and that server will always be allowed to make SMTP exchanges.
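The lookup described in the Resolution above (reverse the SMTP server's octets, prefix them to the provider's zone, treat a 127.0.0.2 to 127.0.0.9 answer as a listing) can be reproduced in a few lines. The following is an added example written for this page, not SonicWall code: it builds the query name, classifies the DNS answers, and applies the two configuration knobs from the procedure, a "Blocked Responses" selection (None standing in for Block All Responses) and a user white list of address ranges that bypasses the lookup. The DNS answers are constructed inline so the example runs offline; system_resolve() is provided for a live check and uses the host's resolver rather than the servers configured on the RBL Filter page. The page assigns no meaning to individual response codes, so the example only reports the code number.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Per the page, a 127.0.0.2 .. 127.0.0.9 answer means the address is listed.
RBL_CODE_MIN, RBL_CODE_MAX = 2, 9


def rbl_query_name(smtp_ip: str, rbl_zone: str) -> str:
    """Build the name an RBL lookup resolves: the SMTP server's IPv4 octets
    reversed and prefixed to the list provider's zone, so 1.2.3.4 checked
    against sbl-xbl.spamhaus.org becomes 4.3.2.1.sbl-xbl.spamhaus.org."""
    addr = ipaddress.IPv4Address(smtp_ip)          # rejects malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{rbl_zone}"


def listed_codes(answers: Iterable[str]) -> Set[int]:
    """Map the A records returned for an RBL query to response codes.
    No answers (NXDOMAIN) means not listed; an answer outside 127.0.0.2-9
    is ignored rather than treated as a listing."""
    codes: Set[int] = set()
    for ans in answers:
        packed = ipaddress.IPv4Address(ans).packed
        if packed[:3] == b"\x7f\x00\x00" and RBL_CODE_MIN <= packed[3] <= RBL_CODE_MAX:
            codes.add(packed[3])
    return codes


def system_resolve(name: str) -> List[str]:
    """Live resolver using this host's DNS servers (the firewall instead uses
    the servers selected on the RBL Filter page). Returns [] on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_smtp_server(smtp_ip: str,
                      rbl_zones: Iterable[str],
                      resolve: Callable[[str], List[str]],
                      blocked_codes: Optional[Set[int]] = None,
                      allow_list: Iterable[str] = ()
                      ) -> Tuple[str, Dict[str, List[int]]]:
    """Decide whether an SMTP connection from smtp_ip should be dropped.

    blocked_codes=None mirrors the Block All Responses option; a set such as
    {2, 4} blocks only those response codes. allow_list plays the role of the
    RBL User White List: matching servers are never queried."""
    addr = ipaddress.IPv4Address(smtp_ip)
    for net in allow_list:
        if addr in ipaddress.IPv4Network(net):
            return "allow", {"user-white-list": []}
    hits: Dict[str, List[int]] = {}
    for zone in rbl_zones:
        codes = listed_codes(resolve(rbl_query_name(smtp_ip, zone)))
        if blocked_codes is not None:
            codes &= blocked_codes
        if codes:
            hits[zone] = sorted(codes)
    return ("drop" if hits else "allow"), hits


# Constructed DNS answers standing in for the list provider (offline demo).
CONSTRUCTED_DNS = {
    "4.3.2.1.sbl-xbl.spamhaus.org": ["127.0.0.4"],   # the page's worked example
    "8.7.6.5.sbl-xbl.spamhaus.org": ["127.0.0.2"],
}


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for system_resolve() over the constructed answers."""
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    zones = ["sbl-xbl.spamhaus.org"]
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(ip, check_smtp_server(ip, zones, fake_resolve))
```

With the constructed answers, 1.2.3.4 is dropped with code 4 from sbl-xbl.spamhaus.org, 9.9.9.9 gets NXDOMAIN and is allowed, and restricting blocked_codes to {2} lets 1.2.3.4 through while still dropping 5.6.7.8, which is the difference between Block All Responses and a narrower Blocked Responses selection.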
