Customer's firewall configuration review (first pass)

  • Published on 22 Aug 2024
  • This is a technical video where I do a firewall config review of a customer's firewall. I picked that customer because that firewall has a very standard config, the kind of config I see very often. So I felt that maybe you guys will appreciate a video where I go through the config, spot weaknesses and provide recommendations. Because again, their config is the type of config I see very often, it might have many things in common with your actual config. So I hope you will learn a lot from this video.
    Many product overview and technical videos were referred to here.
    you will find all product reviews videos here: • SonicWall Products Ove...
    and tech training videos here: • Sonicwall Firewall tec...
    stay tuned for part 2 soon!

Comments • 39

  • @jb51010
    @jb51010 2 years ago +3

    Nice video, helped out a lot. Wish he had the new SonicWall 7, but still very informative. Love your videos; you explained everything clearly and that allowed me to move to the new SonicWall 7 last year when I was having doubts about configuration of a new unit! Keep it up!

  • @williamschellhaas8900
    @williamschellhaas8900 2 years ago +1

    Great Video. More like this. Always cool to see and comment on other's configs as opposed to just a quick rundown of how a technology works. You should do more of these.

    • @JeanPierTalbot
      @JeanPierTalbot 2 years ago

      Cool!
      I wasn't sure people would find it interesting. I took a guess. One day of stats and comments leads me to think it was a good idea!

  • @cwcole
    @cwcole 2 years ago +1

    Thanks for the settings review! Your explanations are concise and easy to understand.

  • @herozero2007
    @herozero2007 3 months ago

    I like your videos sir and the way you explain things and options.

  • @Bbill2k2
    @Bbill2k2 2 years ago

    Great video, I did wonder how come you never went over WAN > LAN rules? Only LAN > WAN.

    • @JeanPierTalbot
      @JeanPierTalbot 2 years ago

      Right. I could have looked at it. I usually do when I see very wide open and no une NAT policies. Cuz the WAN to LAN policies need a NAT rule for anything to work. So I tend to skip that when I see specific NAT policies. But you are right. Worth checking :-)

  • @Schnitzer325ci
    @Schnitzer325ci 2 years ago

    Nice haircut dude and happy new year albeit a bit late 😄👍🏽

    • @JeanPierTalbot
      @JeanPierTalbot 2 years ago

      Lol. Thanks. Girlfriend forced me

  • @michaelperugini4199
    @michaelperugini4199 2 years ago

    Ya, I used to do GEO-IP ALL CONNECTIONS, but the "exclusion list" gets out of hand x 7 firewalls, AND SONICWALL does not yet have a way to export/import IPs (address objects). I got tired of typing 1400 IPs in each firewall for vendors like SE or Microsoft. So the better option was to change to Firewall Rule based Connections and block all INBOUND foreign countries and ONLY certain countries OUTBOUND. Example: IRELAND is allowed on LAN->WAN connections but WAN>LAN it's blocked,
    because the initiator is what makes the connection possible (so a LAN>WAN initiator to Ireland will allow traffic both ways once the LAN PC has made that connection to an IRELAND server; then any GET request is returned by Ireland OK). ** Yes, I still have to do some exclusions, but it's WAY less than before.

    • @JeanPierTalbot
      @JeanPierTalbot 1 year ago

      Hi Michael,
      Have a look at my configuration migration video. In there I cover how to export/import stuff through the CLI. I believe the example I demoed was exactly what you asked (address objects).
      It's basically the good old Cisco way... have PuTTY save your SSH output to a file, issue "show address objects", then take the portion where it lists all address objects and paste that in the firewall.
      Have a look at the video, I actually do it in the video.

  • @schism8286
    @schism8286 6 months ago

    Sure hope this was the customer and not the admin, they really didn't know up from down when it comes to networks

  • @HerikSilva_tech
    @HerikSilva_tech 1 year ago

    Great video Jean!
    I have some doubts about segregating VoIP on a separate zone, because in most of the customer networks that I support, they use softphones like 3CX or Zoiper on computers located in LAN zones. In this case, what do you suggest?

    • @JeanPierTalbot
      @JeanPierTalbot 1 year ago

      In that case, make sure you are very specific between your employees' network and your VoIP network.
      Like only open the required ports to the 3CX server. The source of the access rule could be controlled using an AD group so unknown devices won't be able to access 3CX.

  • @randylane1568
    @randylane1568 2 years ago

    Hey JP, great video as always! Would you by chance have a video on configuring/using SonicWall logs for troubleshooting, particularly IPsec problems? I find the logs very confusing. I know the SonicWall KB has an admin reference guide, but I find it a bit confusing as well. Thanks JP...

    • @JeanPierTalbot
      @JeanPierTalbot 2 years ago

      Hi Randy!
      Thanks for the feedback!
      A troubleshooting video is already on my to-do list, but I haven't started it yet. If you need help, feel free to call SonicWall support. They are great and very quick to pick up the line (less than 5 minutes usually).

    • @randylane1568
      @randylane1568 2 years ago

      @@JeanPierTalbot Sounds good. I will be looking for anything new on the channel. A focus on logs would be fantastic. Thanks JP!

  • @herozero2007
    @herozero2007 3 months ago

    PortShield is one concept I don't understand. 😢

  • @szkl2jl97
    @szkl2jl97 2 years ago

    Thanks for the video.
    I have a few questions on firewall replacement.

    • @JeanPierTalbot
      @JeanPierTalbot 2 years ago

      Sure!
      Please reach out to your favorite SonicWall reseller. If you don't know any, reach out to your local SonicWall team. If you don't know them, email me. I'll introduce you to them.

    • @szkl2jl97
      @szkl2jl97 2 years ago

      @@JeanPierTalbot Replacing a Juniper FW with SonicWall. I am using the migration tool, but the VPN IS NOT able to use the tool.

  • @jorgitogaitan
    @jorgitogaitan 2 years ago

    Super interesting video! Love it. Is there a report I can generate off of my current firewall to see which services are used by who and where they are going? So I can then stop the any/any and create rules per service I do require.

    • @JeanPierTalbot
      @JeanPierTalbot 2 years ago +2

      Hi jrg,
      SonicWall sells a log and report solution called Analytics. That will give you the information you are looking for.
      You can also simply enable logging on the firewall, turn on the obvious access rules (21, 53, 80, 443) and have an ANY policy at the end that logs everything going through it. That should tell you who's doing what outside the standard ports.
      Hope that helps.

    • @williamschellhaas8900
      @williamschellhaas8900 2 years ago +1

      The other alternative is to create rules for services you know people use (80, 443, 53, etc.), then have an ANY ANY rule at the end of all that, but enable packet capture on it. Anything that didn't get stopped by a previous rule will come here. Once you collect all the services, determine if they are needed and add those to your allow rules; when all done, change the ANY ANY to deny. I learned this from a previous JP video.

    • @jorgitogaitan
      @jorgitogaitan 2 years ago

      @@williamschellhaas8900 The real MVP, JP for president. Thanks fellas!!!
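
The "explicit allow rules for known services, logging ANY rule at the end, then flip it to deny" method described by @JeanPierTalbot and @williamschellhaas8900 above leaves you with a pile of log lines to turn into a service list. The script below is an added example (not from the video, not SonicWall's tooling) that tallies what reached the catch-all rule, grouped by protocol and destination port, with the distinct sources and destinations per service, so the services can be reviewed and promoted to specific allow rules before the catch-all becomes a deny. The key=value log format, the rule name "catch-all-log", the sample IPs and the KNOWN_SERVICES set are all constructed assumptions; adjust LINE_RE to whatever your firewall actually emits.

```python
import re
from collections import defaultdict

# Constructed sample lines in an ASSUMED key=value syslog style. This is not
# SonicWall's real log format; only the fields src/dst/proto/dport/rule matter.
# The first two lines were matched by an explicit rule; the rest hit the
# logging catch-all placed at the end of the LAN->WAN policy.
SAMPLE_LOG = """\
time="2024-08-22 09:01:10" src=10.0.1.15 dst=203.0.113.10 proto=tcp dport=443 rule="allow-web"
time="2024-08-22 09:01:12" src=10.0.1.15 dst=203.0.113.10 proto=tcp dport=443 rule="allow-web"
time="2024-08-22 09:02:01" src=10.0.1.22 dst=198.51.100.5 proto=tcp dport=8443 rule="catch-all-log"
time="2024-08-22 09:02:05" src=10.0.1.22 dst=198.51.100.5 proto=tcp dport=8443 rule="catch-all-log"
time="2024-08-22 09:03:30" src=10.0.1.40 dst=198.51.100.7 proto=udp dport=123 rule="catch-all-log"
time="2024-08-22 09:04:00" src=10.0.1.15 dst=198.51.100.9 proto=tcp dport=5060 rule="catch-all-log"
time="2024-08-22 09:04:02" src=10.0.1.31 dst=198.51.100.9 proto=tcp dport=5060 rule="catch-all-log"
time="2024-08-22 09:05:11" src=10.0.1.40 dst=203.0.113.44 proto=tcp dport=3389 rule="catch-all-log"
time="2024-08-22 09:06:00" src=10.0.1.22 dst=198.51.100.7 proto=udp dport=123 rule="catch-all-log"
time="2024-08-22 09:07:45" src=10.0.1.50 dst=203.0.113.10 proto=tcp dport=80 rule="catch-all-log"
"""

# Assumed field layout; rewrite this pattern for your firewall's syslog format.
LINE_RE = re.compile(
    r'src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)'
    r'\s+dport=(?P<dport>\d+)\s+rule="(?P<rule>[^"]*)"'
)

# Services the explicit rules (21, 53, 80, 443) should already cover.
KNOWN_SERVICES = {("tcp", 21), ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)}
CATCH_ALL_RULE = "catch-all-log"  # assumed name of the logging ANY rule


def parse_log(text):
    """Yield one dict per parseable line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def summarize_catch_all(text, catch_all=CATCH_ALL_RULE, known=KNOWN_SERVICES):
    """Group traffic that reached the catch-all rule by (proto, dport).

    Returns {(proto, dport): {"hits": n, "sources": set(), "destinations": set()}}.
    Services in `known` are dropped: they are already covered by explicit rules,
    so they don't need a new allow rule (seeing them here is worth a look at
    rule ordering, but that is a separate question).
    """
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "destinations": set()})
    for rec in parse_log(text):
        if rec["rule"] != catch_all:
            continue
        key = (rec["proto"], rec["dport"])
        if key in known:
            continue
        entry = summary[key]
        entry["hits"] += 1
        entry["sources"].add(rec["src"])
        entry["destinations"].add(rec["dst"])
    return dict(summary)


def proposed_rules(summary):
    """Flatten the summary into a review list, busiest service first.

    Each item is (proto, dport, hits, sorted sources, sorted destinations).
    A human still decides which entries become allow rules (and how narrow
    the source/destination should be) before the catch-all is set to deny.
    """
    rows = (
        (proto, dport, v["hits"], sorted(v["sources"]), sorted(v["destinations"]))
        for (proto, dport), v in summary.items()
    )
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for proto, dport, hits, srcs, dsts in proposed_rules(summarize_catch_all(SAMPLE_LOG)):
        print(f"{proto}/{dport}: {hits} hits, from {', '.join(srcs)} to {', '.join(dsts)}")
```

Run it against an export of the catch-all rule's log entries rather than the constructed sample; the per-service source and destination sets are what let you write the replacement rules narrowly (for example, SIP from the phone subnet to the PBX only) instead of reproducing the any/any one port at a time.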

  • @rwburt9701
    @rwburt9701 2 years ago

    You should do consulting; my company would benefit from your review of the policies that I set up.

    • @JeanPierTalbot
      @JeanPierTalbot 2 years ago

      Actually, you should be able to find a local reseller able to perform such a review. If you don't know any, please reach out to your local SonicWall team; they will put you in touch with one.

  • @blackbhoza
    @blackbhoza 2 years ago

    Should inter-VLAN routing be performed on the firewall or the core switch? If on the firewall, which is more ideal: using different interfaces or sub-interfaces?

    • @JeanPierTalbot
      @JeanPierTalbot 2 years ago

      I personally prefer to do it on the firewall as it provides WAY more security features than a switch… WAY more! :-)

  • @johnrlhunter
    @johnrlhunter 2 years ago

    If you enable SSO on the SonicWall, would it conflict with the use of a 3rd party SSO solution such as Okta, which is used to authenticate with Office 365?

    • @JeanPierTalbot
      @JeanPierTalbot 2 years ago +1

      SSO with the firewall does not require any agent on workstations. The firewall sees an IP going to the web, and it asks the SSO agent installed on a server to learn who's logged in at that IP and its group membership. So I doubt it will affect Okta. But I would advise testing, as I never had the chance to play with Okta.
      I recently posted a video on SonicWall SSO. Hopefully that will answer some questions for you.

  • @sivamanidhinakaran8996
    @sivamanidhinakaran8996 9 months ago

    Does the TZ570 SonicWall support 400 users?
    Otherwise, could you please suggest another model?

    • @JeanPierTalbot
      @JeanPierTalbot 9 months ago

      No. That's way too many users for a TZ, IMO.
      I would advise an NSa4700 for 400 users.

  • @HerikSilva_tech
    @HerikSilva_tech 1 year ago

    Jean,
    One more doubt: how many employees can I have behind a TZ270 Gen7 using DPI-SSL?

    • @JeanPierTalbot
      @JeanPierTalbot 1 year ago

      Rule of thumb: 10-12 users.

    • @HerikSilva_tech
      @HerikSilva_tech 1 year ago

      @JeanPierTalbot
      Oh my god, I have around 80 authenticated users behind a TZ270 😄.
      What appliance do you recommend?

  • @davepete9537
    @davepete9537 3 months ago

    Hi @Jean-Pier Talbot, at 59:42 min of this video you mentioned that we can apply CFS policies per AD security group. Can you do a video on how to do that? Thanks!
    th-cam.com/video/8veTxrL-ql4/w-d-xo.html

  • @pramitthapa506
    @pramitthapa506 1 year ago

    I will not apply JP's tips blindly.

    • @JeanPierTalbot
      @JeanPierTalbot 1 year ago

      That's the most important part!
      Understand it and test it first!