Categories
SonicWall

Automating SonicWall NetExtender

I just published to my GitHub a Python script that automates logging into NetExtender using PyAutoGUI.

The script takes static variable inputs, then tries launching NetExtender and logging in with the preset login information provided in the script. It also error checks to make sure the NetExtender service and the application are started; if they are not, it launches them.

Most of this is statically set, such as the username, password, server IP, domain, and the location of your NetExtender install.

The GitHub repo provides the images the script needs to run, so make sure you download those as well. The images may need to be updated if you are using a version other than SonicWall NetExtender 8.6.263.

Here is the repo: https://github.com/brd651/SonicWall-NetExtender-AutoLogin

How to hide Virtual office Download Links in SonicWall

Sometimes the SonicWall Virtual Office page does not have the latest or most stable version of NetExtender, so you may want to hide it to prevent users from downloading it. Here is a simple JavaScript way of doing so.

Default view

In the SonicWall, head on over to your Portal Settings page and, inside the Home Page Message box, put the following:

<html><head><script>
// Find the portal login form and hide the second and third divs inside it,
// which hold the NetExtender download links on this version of the page.
var x = document.querySelector("form");
var myDivs = x.querySelectorAll("div");
myDivs[1].style.display = "none";
myDivs[2].style.display = "none";
</script></head></html>

Now when you visit the page it will look something like this:

After applying the code
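
A more robust variant, added here as an example and not part of the original post: it hides a link's enclosing div by matching the link's href or text against an assumed pattern (NETEXTENDER_PATTERN) instead of relying on div positions, which shift whenever the portal layout changes.

```javascript
// Added example, not from the original post: hide the Virtual Office download
// links by matching the link itself rather than by div position, which breaks
// as soon as SonicWall changes the page layout. Hiding is cosmetic only; the
// installer is still served, so this does not stop a user who knows the URL.

// Assumed pattern for the download links; adjust to what your portal shows.
const NETEXTENDER_PATTERN = /netextender/i;

// Pure decision function so it can be tested outside a browser.
function shouldHide(href, text, pattern = NETEXTENDER_PATTERN) {
  return pattern.test(String(href || "")) || pattern.test(String(text || ""));
}

// Walk every <a> under root and hide the nearest enclosing <div> of each match.
// Returns how many containers were hidden so the result can be checked.
function hideDownloadLinks(root, pattern = NETEXTENDER_PATTERN) {
  let hidden = 0;
  for (const a of root.querySelectorAll("a")) {
    if (!shouldHide(a.getAttribute("href"), a.textContent, pattern)) continue;
    const container = a.closest("div") || a;
    if (container.style.display !== "none") {
      container.style.display = "none";
      hidden += 1;
    }
  }
  return hidden;
}

// When pasted into the Home Page Message box, run against the portal form.
if (typeof document !== "undefined") {
  const form = document.querySelector("form");
  if (form) hideDownloadLinks(form);
}
```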

Locking Down SonicWall Management

This post is based on SonicWall UTM firmware 6.5+. Most of it applies to SonicWalls in general, but some features mentioned may only be available on 6.5+.

To start this off, we first need to talk about a unique feature of the SonicWall: the Service Objects it uses to identify its own management services, which separate them from any other port/service used in the rule sets. There is a service object for each management type: HTTP, HTTPS, SSH, Ping and SNMP.

These objects change when you modify the corresponding setting in any of the appliance configurations. The only ones you cannot change are SNMP and Ping, because they follow the industry standard.

When creating access rules, these Service Objects need to be used, or else the access rules will not affect management of the SonicWall.

Access Rule Lockdown

This is a simple method, but it can also be confusing at times if you do not understand the flow of traffic and how it works within the SonicWall.

The first one we will look at is the WAN lockdown rule.

Head on over to Access Rules and select WAN to WAN as the rule set you are looking at. You should see the rules for the management settings you have already enabled. They should look like this:

If you do not see these rules, then you do not have these management options enabled on your WAN interface(s).

All you need to do is change the Source object and assign whatever IP address(es) you would like to allow to manage the SonicWall from the WAN side.

TIP:

It is suggested that you use at least one DNS object here if you mainly manage your SonicWalls remotely. This allows a simple DNS change to regain access to the SonicWall if for some reason you ever lose access from that static address.

This method can be applied to any of the Access Rules you would like to lock down, to ensure that systems that should not have access to your SonicWall do not. For example, internally on your LAN, if your IT machines are assigned static IP addresses, you create the rule on LAN to LAN to lock it down so that a random user cannot pull up the admin login page on the SonicWall.
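The lockdown procedure above is easy to apply once and forget, so here is a small audit script, added as an example and not part of the original post, that walks a rule set and flags management rules whose Source is still Any or, on the WAN, have no DNS fallback as the TIP recommends. The rule records are constructed, and the service object names (HTTP/HTTPS/SSH Management, Ping, SNMP) and field names are assumptions, not SonicOS's own export format.

```python
"""Added example, not from the original post: audit an exported rule set for
management rules whose Source is still Any or, on the WAN, lack the DNS fallback
the TIP above recommends. Rule records are constructed; service object names
(HTTP/HTTPS/SSH Management, Ping, SNMP) and field names are assumptions."""
import ipaddress
from dataclasses import dataclass, field
# Service objects SonicOS uses for its own management traffic (names assumed).
MANAGEMENT_SERVICES = {"HTTP Management", "HTTPS Management",
                       "SSH Management", "Ping", "SNMP"}

@dataclass
class AccessRule:
    name: str
    src_zone: str
    dst_zone: str
    service: str
    sources: list = field(default_factory=list)  # address objects: "Any", IP/CIDR, FQDN
    enabled: bool = True

def is_fqdn(obj: str) -> bool:
    """A source is a DNS/FQDN object if it is not Any and not an IP or CIDR."""
    if obj == "Any":
        return False
    try:
        ipaddress.ip_network(obj, strict=False)
        return False
    except ValueError:
        return True

def audit_management_rules(rules):
    """Return (rule name, finding) pairs for enabled rules on the management
    service objects that are open to Any or, from the WAN, have no FQDN fallback."""
    findings = []
    for r in rules:
        if not r.enabled or r.service not in MANAGEMENT_SERVICES:
            continue  # ordinary traffic rules do not govern management access
        if not r.sources or "Any" in r.sources:
            findings.append((r.name, "Source is Any: management reachable from anywhere"))
        elif r.src_zone == "WAN" and not any(is_fqdn(s) for s in r.sources):
            findings.append((r.name, "no DNS fallback source: losing the static IP locks you out"))
    return findings

# Constructed sample WAN > WAN rules, as they appear after enabling management.
SAMPLE_RULES = [
    AccessRule("Mgmt HTTPS", "WAN", "WAN", "HTTPS Management", ["Any"]),
    AccessRule("Mgmt SSH", "WAN", "WAN", "SSH Management", ["203.0.113.10/32"]),
    AccessRule("Mgmt Ping", "WAN", "WAN", "Ping", ["203.0.113.10/32", "admin-jump.example.com"]),
    AccessRule("Web NAT", "WAN", "LAN", "HTTPS", ["Any"]),  # not a management object
]
```

Running `audit_management_rules(SAMPLE_RULES)` on the constructed set flags only the HTTPS and SSH rules; the Ping rule passes because it carries both a static address and an FQDN fallback.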

Port Changing

Changing the ports goes along with the old school security rule of “security by obscurity”, which really does not hold true anymore today with all the scanning and fingerprinting tools out there; you cannot truly hide in the open like this. With that said, it is still generally best practice to change these ports, especially if you are allowing WAN management, so that the standard bots out on the Internet are not finding your edge device.

Having WAN management enabled is not always the best choice, as it just means another open port that can be found to bring someone directly to the admin login page.

Changing the management ports on the SonicWall when you first start configuring it is also a best practice, as using 80, 443 and 22 could interfere with any future NAT policies you may implement that use the IP address on that WAN interface.

Certificate Authorization

This is something to implement if you would like to really restrict your management and you have something like a CAC system in place. (I will go into more detail on this feature in a future post.)

One Time Password

Setting up and actually using the TOTP feature is highly effective at locking your system down if you are unable to lock down access by IP. Adding 2FA (two-factor authentication) adds an additional layer of security to whatever options you choose to implement.