• SonicOS 7.1
• About SonicOS
  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
• About Firewall
  • Firewall Workflow
• Advanced
  • Changing Between SonicOS
    • Changing From Classic to Policy Mode
    • Changing From Policy to Classic Mode
  • Detection Prevention
  • Dynamic Ports
  • Source Routed Packets
  • Internal VLAN
  • Access Rule Options
  • IP and UDP Checksum Enforcement
  • Jumbo Frame
  • Connections
  • Control Plane Flood Protection
  • IPv6 Advanced Configuration
  • TCP
    • TCP Settings
    • Layer 3 SYN Flood Protection- SYN Proxy
    • Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting
    • WAN DDOS Protection (Non-TCP Floods)
    • TCP Traffic Statistics
  • UDP
    • UDP Settings
    • UDP Flood Protection
    • UDP Traffic Statistics
    • UDPV6 Traffic Statistics
  • ICMP
    • ICMP Flood Protection for IPv4 version
    • ICMP Traffic Statistics
    • ICMP Flood Protection for IPv6 version
    • ICMPv6 Traffic Statistics
• Flood Protection
• SSL Control
  • Key Features of SSL Control
  • Key Concepts to SSL Control
  • Caveats and Advisories
  • Configuring SSL Control
  • Custom List
  • Enabling SSL Control on Zones
  • SSL Control Events
• Cipher Control
  • TLS Ciphers
    • Blocking/Unblocking Ciphers
    • Filtering Ciphers
      • Selecting Display Options
      • Displaying Ciphers by Strength
      • Displaying Ciphers by Block/Unblock
      • Displaying Ciphers by CBC Mode
      • Displaying Ciphers by TLS Protocol Version
  • SSH Ciphers
• Real-Time Black List (RBL) Filter
  • Configuring the RBL Filter
    • Enabling RBL Blocking
    • Adding RBL Services
    • Configuring User-Defined SMTP Server Lists
      • Configuring a White List
      • Configuring a Black List
    • Testing SMTP IP Addresses
• Use cases

Use cases

How can I configure the SonicWall to mitigate DDoS attacks?

• Use case: How can I configure the SonicWall to mitigate DDoS attacks?

• Resolution: You can use the SonicOS 7.X firmware, and harden your network against DDoS Attacks at the firewall level. Enable the following to prevent your network.

  • Intrusion Prevention

  • Block unused Ports from the WAN to the Internal Network

  • Flood Protection: Proxy WAN Connections will cause External Users who trigger the Flood Protection feature to be blocked from connecting to internal resources. If there is a chance any user can generate a false positive for this feature it is recommended to leave TCP Flood Protection in Watch and Report mode.

  • Geo-IP Filter and Botnet Filter: Many DDoS attacks occur when infected machines under the control of few individuals are all directed to one target. Often these attacks come from certain countries and do not have their IP addresses obfuscated. By using the Geo-IP Filter and Botnet Filter on the SonicWall it is possible to drop these packets as they attempt to enter the network.

• Configuration:

  To enable Intrusion Prevention, do the following

  1. Go to Policy > Security Services > Intrusion Prevention.

  2. Under IPS Global Settings, activate Enable IPS.

     To enforce SonicWall IPS not only between each Network Zone and the WAN, but also between internal zones, you should also apply SonicWall IPS to zones on the Object > Match Object > Zones Page.

  3. Under Signature Groups enable the following:

     Group	Prevent All	Detect All
     High Priority Attacks	ᵡ	ᵡ
     Medium Priority Attacks	ᵡ	ᵡ
     Low Priority Attacks	-	-

  4. Click Accept.

  To block unused Ports from the WAN to the Internal Network, do the following

  1. Go to Policy > Rules and Policies > Access Rules.

  2. Check the WAN to LAN, WAN to DMZ, WAN to WLAN, and WAN to any Custom Zones access rules.

  3. Ensure that any Allow rules are specified by Service (Port) as well as Source IP if possible.

  To enable Flood Protection, do the following

  1. Go to Network > Firewall > Flood Protection.

  2. Enable UDP and ICMP Flood Protection.

  3. Go to TCP > Layer 3 SYN Flood Protection- SYN Proxy , in the SYN Flood Protection Mode drop‐down menu, select Proxy WAN Client Connections when attack is suspected.

  To enable Geo-IP Filter, do the following

  1. Go to Policy > Security Services > Geo-IP Filter.

  2. In the Settings tab, enable Block connections to/from countries.

  3. In the Countries tab, select the countries to be blocked.

     Enabling Geo-IP Filter blocks Outbound Connections to any device that has a Public IP Address associated with the selected country. If you'd like to setup Geo-IP Filter for a more granular block please reference How to configure SonicWall Geo-IP Filter using Firewall Access Rules.

  4. Click Accept.

  To enable Botnet Filter, do the following

  1. Go to Policy > Security Services > Botnet Filter.

  2. In the Settings tab, enable Block connections to/from Botnet Command and Control Servers.

     Botnet IP addresses are maintained by SonicWall for internal use. If you like to test a Domain/IP for possibly being flagged as a Botnet, navigate to Policy > Security Services > Botnet Filter > Diagnostics and enter the desired IP Address in the Lookup IP Tool.

     Enabling Botnet Filter blocks Outbound Connections to any device that has a Public IP Address associated with the selected country.

  3. Click Accept.

How to Block HTTPS access to Gmail using SSL Control

• Use case: How to Block HTTPS access to Gmail using SSL Control.
• Resolution: SSL Control provides visibility into the handshake of Secure Socket Layer (SSL) sessions, and a method for configuring policies to control the establishment of SSL sessions. One of the main features of SSL control is to specify which HTTPS certificates should be blocked. You can use SonicOS 7.x to block access to https://www.gmail.com using SSL Control from the LAN zone. Using this method blocks all websites with the Common Name (CN) www.google.com.
• Configuration:

  To block access to https://www.gmail.com using SSL Control, do the following

  1. Login to the SonicWall Management interface.

  2. Go to the Object > Zones page and click on edit on the LAN zone.

  3. Edit the LAN zone.

  4. In General settings, enable SSL Control.

  5. This affects all LAN users since SSL Control is enabled for LAN zone.

  6. Go to Network > Firewall > SSL Control and enable SSL Control.

  7. Under Configuration enable Blacklist.

  8. Click Custom list tab, under Blacklist click Add.

  9. Enter www.gmail.com in Certificate Common Name.

  10. Click OK.

To test the SSL control blocking https://www.gmail.com

1. Logout of the SonicWall Management interface.

2. Open an internet browser.

3. Try to open https://www.gmail.com or https://mail.gmail.com.

   A Connection Interrupted message is displayed.

How does RBL filter identify if a SMTP server is Blacklisted (possible SPAM)?

• Use case: How does RBL filter identify if a SMTP server is Blacklisted (possible SPAM)
• Resolution: The Real Time Blacklist (RBL) list providers publish their lists via DNS. Blacklisted IP addresses appear in the database of the list provider's DNS domain using inverted IP notation of the SMTP server in question as a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates some type of undesirability.

  For example: An SMTP server with IP address 1.2.3.4 has been blacklisted by RBL list provider sbl-xbl.spamhaus.org, and then a DNS query to 4.3.2.1.sbl-xbl.spamhaus.org will provide a 127.0.0.4 response, indicating that the server is a known source of spam, and the connection will be dropped.

  You can use SonicOS 7.x to block subsequent delivery attempts sent from hijacked or zombie machines running a thin SMTP server implementation using SonicWall RBL filter feature.

• Configuration:

  To configure RBL filter, do the following

  1. Login to the SonicWall Management Interface.

  2. Navigate to Network > RBL Filter.

  3. In the Real-time Black List Settings tab, enable Real-time Black List Blocking.

  4. Select Specify DNS Servers Manually or Inherit Settings from WAN Zone.

     The inbound connections from hosts on the WAN, or outbound connections to hosts on the WAN are checked against each enabled RBL service with a DNS request to the DNS servers configured.

  To configure add additional RBL Services, do the following

  1. Under Real-time Black List Services tab, click Add.

  2. In the Add Black-List Service window do the following:

     1. Enable RBL domain.

     2. Select the RBL Blocked Responses.

  The Block All Responses option is generally selected.

To configure User-Defined SMTP Server Lists, do the following

The User Defined SMTP Server Lists section allows for Address Objects to be used to construct a white-list (explicit allow) or black-list (explicit deny) of SMTP servers.

1. Under User Defined SMTP Server Lists, click Add.

2. In Add User-Defined SMTP Server, enter the Name, Zone Assignment, Type, and IP Address.

3. Click the edit icon on the RBL User White List row, and add the Address Object.

   The table will be updated, and that server will always be allowed to make SMTP exchanges.