Locking Down SonicWall Management

This post is based on SonicWall UTM firmware 6.5+. Most of it applies to SonicWall appliances in general, but some of the features mentioned are only available on 6.5+.

To start this off, we first need to talk about a unique feature of the SonicWall: the Service Objects it uses to identify its own management services and separate them from any other port/service used in the rule sets. There is a service object for each management type: HTTP, HTTPS, SSH, Ping and SNMP.

These objects change along with the management port settings whenever you modify them anywhere in the appliance configuration. The only ones you cannot change are SNMP and Ping, because they follow the industry standard for those protocols.

When creating access rules, you must use these Service Objects; otherwise the rules will not affect management of the SonicWall.

Access Rule Lockdown

This is a simple method, but it can also be confusing at times if you do not understand the flow of traffic and how it works within the SonicWall.

The first one we will look at is the WAN lockdown rule.

Head on over to Access Rules and select WAN to WAN as the rule set to look at. You should see the rules for the management settings you have already enabled. They should look like this:

If you do not see these rules, then you do not have these management options enabled on your WAN interface(s).

All you need to do is change the Source object and assign whichever IP address(es) you would like to allow to manage the SonicWall from the WAN side.

TIP:

It is suggested that you use at least one DNS object here if you mainly manage your SonicWalls remotely. This allows a simple DNS change to regain access to the SonicWall if you ever lose access from that static address for some reason.

This method can be applied to any of the Access Rules you would like to lock down, ensuring that systems that should not have access to your SonicWall do not. For example, internally on your LAN, if your IT machines are assigned static IP addresses, you can create the rule on LAN to LAN to lock it down so that a random user cannot pull up the admin login page on the SonicWall.
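As an added example (not code from the original post or from SonicWall), here is a small Python audit of an access rule list that flags management rules still open to Any, and WAN rules with no DNS object to fall back on as the tip above recommends. The rule dictionaries, the "IT Workstations" and "admin-fallback.example.net" object names and the rule layout are constructed stand-ins, not the SonicOS export or API format; only the management service object names follow the post.

```python
# Added example, not from the post: audit a rule list for management exposure.
# The rule dicts are a constructed, simplified stand-in for what you would pull
# from the appliance; they are NOT the SonicOS export/API schema.

MANAGEMENT_SERVICES = {"HTTP Management", "HTTPS Management",
                       "SSH Management", "Ping", "SNMP"}

# Constructed sample rule set: three WAN-to-WAN management rules still at the
# default Any source, one LAN rule already restricted, and one generic HTTPS rule.
RULES = [
    {"from": "WAN", "to": "WAN", "source": ["Any"], "service": "HTTPS Management", "action": "Allow"},
    {"from": "WAN", "to": "WAN", "source": ["Any"], "service": "SSH Management", "action": "Allow"},
    {"from": "WAN", "to": "WAN", "source": ["Any"], "service": "Ping", "action": "Allow"},
    {"from": "LAN", "to": "LAN", "source": ["IT Workstations"], "service": "HTTPS Management", "action": "Allow"},
    {"from": "WAN", "to": "WAN", "source": ["Any"], "service": "HTTPS", "action": "Allow"},
]

# Constructed: names of the DNS-based (FQDN) address objects on the appliance.
FQDN_OBJECTS = {"admin-fallback.example.net"}

def management_rules(rules):
    """Only Allow rules that use a management service object govern management."""
    return [r for r in rules
            if r["service"] in MANAGEMENT_SERVICES and r["action"] == "Allow"]

def audit(rules, fqdn_objects):
    """Return (severity, message) findings: a source left at Any is HIGH; a WAN
    rule with no DNS object to fall back on (the tip above) is LOW."""
    findings = []
    for r in management_rules(rules):
        where = f"{r['from']}->{r['to']} {r['service']}"
        if "Any" in r["source"]:
            findings.append(("HIGH", f"{where}: source is Any, restrict it"))
        elif r["from"] == "WAN" and not set(r["source"]) & fqdn_objects:
            findings.append(("LOW", f"{where}: add a DNS object as a fallback"))
    return findings

def restrict_wan_sources(rules, allowed_sources):
    """Copy of the rules with every WAN-to-WAN management rule's source set to
    the given admin address objects (static IPs plus a DNS object)."""
    return [{**r, "source": list(allowed_sources)}
            if r["from"] == r["to"] == "WAN" and r["service"] in MANAGEMENT_SERVICES
            else r for r in rules]

if __name__ == "__main__":
    for sev, msg in audit(RULES, FQDN_OBJECTS):
        print(sev, msg)
```

Running it against the sample set reports the three WAN rules as HIGH; after restricting them to a static address object alone they drop to LOW until a DNS object is added to the source.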

Port Changing

Changing the ports goes along with the old-school security rule of “security by obscurity,” which really does not hold up anymore today: with all the scanning and fingerprinting tools out there, you cannot truly hide an open service like this. With that said, it is still generally best practice to change these ports, especially if you are allowing WAN management, so that the standard bots on the Internet are not finding your edge device.

Having WAN management enabled is not always the best idea, as it just exposes another port that, once found, brings someone directly to the admin login page.

Changing the management ports on the SonicWall when you first start configuring it is also a best practice, as leaving them on 80, 443 and 22 could interfere with any future NAT policies you implement that use the IP address of that WAN interface.

Certificate Authorization

This is something to implement if you would like to really restrict your management access and you have something like a CAC system in place. (I will go into more detail on this feature in a future post.)

One Time Password

Setting up and actually using the TOTP feature is highly effective at locking your system down if you are unable to lock down access by IP. Adding 2FA (two-factor authentication) adds that additional layer of security to whatever options you choose to implement.