SonicWALL UTM Appliance manual: SonicOS Options That Leverage Groups/Users

Page 17

If everything is working correctly, you should then see users authenticated on the Log>View page.

SonicOS Options That Leverage Groups/Users

Now that we have a means of authenticating users to the SonicWALL firewall, we can leverage the groups/users that are in LDAP/Active Directory for a myriad of options:

Create firewall rules for specific groups/users

Create different content filtering policies for different groups

Create Application Firewall policies for specific groups/users

Leverage IPS signatures for specific groups/users

Allow/deny VPN access for specific groups/users

Allow/deny access to specific internal networks via VPN for specific groups/users

Allow/deny access to WLAN resources for specific groups/users

Bandwidth-limit different groups/users with Application Firewall

Creating Firewall Rules with LDAP Groups/Users

Firewall rules are processed from the top down. As soon as a rule matches, further rule processing stops, so the more specific rule belongs at the top of the list and the more general rule below it. The default LAN > WAN rule in SonicOS allows ANY user, ANY service, from ANY source. This is a very unrestrictive rule, but it makes for an easy implementation. The recommendation is to change the default rule from ANY, ANY, ANY to deny. This creates more work for the network admin, because it then becomes necessary to create rules that allow traffic to leave the internal network; the flip side of that additional work is a more secure network. Your choice of default rule changes the way you create FW rules.
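The ordering point above is easy to get wrong in practice, so here is an added example (not SonicOS code, and not from this manual) of a minimal first-match rule evaluator that mirrors top-down processing: it shows that a specific deny placed below a general allow can never fire, and that the default rule decides everything no explicit rule covers. The rule names, the 192.168.10.0/24 network, the "Staff" and "Contractors" groups and the `shadowed_rules` helper are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    source: str = "any"              # CIDR or "any"
    service: str = "any"             # e.g. "tcp/443" or "any"
    users: frozenset = frozenset()   # empty = ANY user; otherwise group names

    def matches(self, src: str, service: str, groups: frozenset) -> bool:
        """True when this rule applies to the flow; every non-ANY field must match."""
        if self.source != "any" and ip_address(src) not in ip_network(self.source):
            return False
        if self.service != "any" and self.service != service:
            return False
        if self.users and not (self.users & groups):
            return False
        return True


def evaluate(rules, src, service, groups, default="deny"):
    """Walk the rule list top down; the first matching rule decides.
    Returns (action, rule name); the default rule decides when nothing matches."""
    groups = frozenset(groups)
    for rule in rules:
        if rule.matches(src, service, groups):
            return rule.action, rule.name
    return default, "default"


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every flow `later` could match is already matched by `earlier`."""
    src_ok = earlier.source == "any" or (
        later.source != "any"
        and ip_network(later.source).subnet_of(ip_network(earlier.source))
    )
    svc_ok = earlier.service == "any" or earlier.service == later.service
    usr_ok = not earlier.users or (bool(later.users) and later.users <= earlier.users)
    return src_ok and svc_ok and usr_ok


def shadowed_rules(rules):
    """Names of rules that can never fire because a rule above them covers them."""
    return [
        later.name
        for i, later in enumerate(rules)
        if any(covers(earlier, later) for earlier in rules[:i])
    ]


# Constructed LAN > WAN policy: the specific deny sits above the general allow.
LAN_WAN_RESTRICTIVE = [
    Rule("Block Contractors HTTPS", "deny", "192.168.10.0/24", "tcp/443",
         frozenset({"Contractors"})),
    Rule("Allow Staff web", "allow", "192.168.10.0/24", "tcp/443",
         frozenset({"Staff", "Contractors"})),
]

# Same two rules with the general allow first: the deny is unreachable.
LAN_WAN_MISORDERED = list(reversed(LAN_WAN_RESTRICTIVE))


if __name__ == "__main__":
    flow = ("192.168.10.5", "tcp/443", ["Contractors"])
    print("ordered   :", evaluate(LAN_WAN_RESTRICTIVE, *flow))
    print("misordered:", evaluate(LAN_WAN_MISORDERED, *flow))
    print("shadowed  :", shadowed_rules(LAN_WAN_MISORDERED))
    # With the default changed to deny, unlisted services are dropped.
    print("smtp      :", evaluate(LAN_WAN_RESTRICTIVE, "192.168.10.5", "tcp/25", ["Staff"]))
```

Running the block shows the contractor flow denied under the ordered policy and allowed under the misordered one, with `shadowed_rules` flagging the deny rule that can never match. The `default` argument models the ANY/ANY/ANY choice from the text: with `default="allow"` the unlisted SMTP flow passes, with `default="deny"` it is dropped and an explicit allow rule has to be written for it.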

So, can you create FW rules that leverage specific groups/users with desirable results? Possibly. The way FW rule processing works is as follows (as of SonicOS 5.2):

Rules are processed from top down
