How to configure SonicWall Application Control
- Published 19 Oct 2024
- In this video I explain and configure Application Control and explain the difference between Application Control and Content Filtering. I also talk about DPI-SSL, as this is needed in many cases for Application Control to fully work. I'll also apply Application Control to an Active Directory group.
Here are the links:
How to configure SonicWall DPI-SSL: • How to configure Sonic...
How to configure SonicWall Active Directory integration: • How to configure Sonic...
How to configure SonicWall Single Sign On (SSO): • How to configure Sonic...
Jean-Pier, your videos have helped me a lot, so keep up the great work that you've been doing. As a wish-list item, it would be great if you could create a video tutorial about SonicWall switches and their integration with SonicWall firewalls. In all your videos I've seen that you use the firewall interfaces, but as you know, in the corporate world there are always switches involved. Configuring zone assignment, trunks, VLANs, etc. between switches and the firewall would be great to learn. The SonicWall documentation is vague about the integration (other than how to manage a switch from the firewall UI) and there are no videos (at least none that I know of) about it either.
Thanks Mario for the feedback!
Yes, I'll add SonicWall switches to my to-do list.
Hello Jean.
Thanks again for the content. That helps a lot.
Much appreciated for the knowledge🎉🎉,
I have one small doubt: to turn on App Control for each zone, is it necessary to turn on DPI-SSL? A few things I blocked, like downloading, games, YouTube downloader... the sites are still working at the workstation.
Thanks for this video!
My pleasure!
@@JeanPierTalbot It's always interesting to follow your videos; it lets us further improve our knowledge and compare our points of view on this or that technique to improve the security of our SonicWall clients a little more ;-)
Hi Jean-Pier!! First, thanks for sharing your knowledge with the community; please continue. I have a huge problem, which is blocking the AnyDesk remote access tool. I've tried through App Control, App Rules, and also via ACL. Any ideas on how to block it effectively? I know it would be possible with DPI-SSL, but I wouldn't want to deploy it in the client's environment because the box probably won't support it. Thanks.
Sorry, forgot to mention, the box is a TZ270.
Thanks for the feedback on the videos!
Yes, you might need to turn on DPI-SSL for App Control to work.
A quick Google search leads me to blocking DNS requests to anydesk.com and also blocking port 6568 TCP outbound.
Haven’t tried, but give it a try and let us know :-)
@@JeanPierTalbot Hello,
I blocked several AnyDesk URLs along with port 6568 through access rules. It got blocked for a day, but the next day it connected through another URL. From what I tested and researched, DPI-SSL should really be used in this case. Anyway, thanks, and keep sharing content because it's very important!
Hello JP. Thanks for this content. Regarding the BWM policy you proposed for mitigating BitTorrent usage on a reserved university network for BYOD devices: activating DPI-SSL could be cumbersome due to certificate deployment on unmanaged devices. Is it needed in this specific case for proper BWM shaping behaviour? Thanks.
Generally speaking, no need for DPI-SSL to identify the torrent protocol :-)
But yes, I would not advise DPI-SSL on BYOD networks.
Hello sir, hope you are fine. I have a question regarding this firewall: in the playlist there are 28 videos about the configuration setups, so if I learn all 28 videos, is it enough for me to say that I am an expert on SonicWall? Please don't take me wrong, it's just for my own satisfaction. Thanks for briefly explaining everything in the video regarding every topic.
If that makes you feel good, go for it!
Personally I believe you will be an expert when things don't work and you fix them in a few minutes. Also when you can get everything you want done without videos or KB articles. To each their own level of expertise :-)
@@JeanPierTalbot Thanks for your respectful answer.
Hi Jean!
I have some issues with exclusions for App Control. What's the best practice for using them?
Can I use an address object, or is it better to use a user group imported from Active Directory?
Is it better to set the exclusion by application category or by signature?
Thanks a lot.
All options are viable. It really depends on what you want to do. If the goal is to allow an app for a group of individuals, then do it in the app itself and tie it to an AD group.
Hi Jean,
Love your content. I was trying to figure out how to block all internet access and enable only Windows Updates with FQDNs. Is this possible?
It has been a while since I played with Windows Update, but back in the day they had WSUS to push updates to workstations. You could then allow only WSUS (or whatever its replacement is) to reach the internet and nothing for the others.
Great content! Can you do a video about Comprehensive Spam Service setup for Junk Store on a non-Exchange Server? There is a brief mention that it is possible, but there is no instruction (that I can find) available on SonicWall's support site. Thanks!
Hi Greg, unfortunately I don't think I'll ever cover that. I think you will agree that this setup is clearly not common. Most people's email is on Office 365 or G Suite, which I covered with Cloud Application Security.
Less and less common is an email server on-prem, like Exchange, and every day this setup is used less and less in favour of O365.
So a setup with on-prem email without Exchange is very rare. But I still miss GroupWise. It was THE best!
You can contact sonicwall support. They are not there to do it for you, but can definitely guide you if you can’t get it to work.
Hi JP! I saw that in the "WAN zone" there are no Security Services enabled... no box checked... Do I have to enable Gateway AV, SSL Control, IPS, Anti-Spyware... for this zone? Or just for my LAN zones? Thanks in advance.
As you want. If you have everything checked on LAN and WAN, it won't scan twice.
In my case I have many zones and wanted to be more granular about which zones get the services, simply because I have a couple of zones where I run viruses and I don't want the firewall to block my experiments...
@@JeanPierTalbot great! I´ll activate on both. Thanks so much.
Hi Jean!
Could I ask you a question?
How do I monitor which sites each user in my AD is browsing on the internet?
Hi Matheus,
You will need a few things:
1: Enable CFS so logs are generated for web site activity.
2: Turn on AD integration and SSO so you get logs/reports with the Active Directory username instead of IP addresses.
3: Get something for logging and reporting: SonicWall Analytics on-prem (a VM), SonicWall NSM Advanced (for cloud logging and reporting), or use anything that does syslog and see how you can generate reports yourself with that third-party syslog solution.
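One way to do step 3 yourself from a plain syslog feed, as an added example (not code from the video, the commenter, or SonicWall): a small Python script that parses SonicWall-style key=value syslog lines and tallies web-site hits per user. The log lines below are constructed for this example; the field names (m, msg, src, dst, dstname, usr, Category) follow SonicWall's syslog layout as I know it, so verify them against your own firewall's output before relying on the filter. It also shows what step 2 buys you: a line with no usr field (no SSO mapping) can only be reported by source IP.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in SonicWall's key=value style (example data,
# not taken from the page). m=97 is the "Web site access" event; the last line
# is a plain connection event and must be ignored by the web report.
SAMPLE_LOG = r"""
id=firewall sn=0017C5000000 time="2024-10-19 09:01:12 UTC" fw=203.0.113.10 pri=6 c=1024 m=97 msg="Web site access" src=10.1.1.20:51234:X0 dst=93.184.216.34:443:X1 proto=tcp/https dstname=example.com usr="CORP\jdoe" Category="Information Technology/Computers"
id=firewall sn=0017C5000000 time="2024-10-19 09:02:40 UTC" fw=203.0.113.10 pri=6 c=1024 m=97 msg="Web site access" src=10.1.1.20:51290:X0 dst=142.250.74.78:443:X1 proto=tcp/https dstname=www.youtube.com usr="CORP\jdoe" Category="Streaming Media"
id=firewall sn=0017C5000000 time="2024-10-19 09:03:05 UTC" fw=203.0.113.10 pri=6 c=1024 m=97 msg="Web site access" src=10.1.1.31:49152:X0 dst=93.184.216.34:443:X1 proto=tcp/https dstname=example.com usr="CORP\asmith" Category="Information Technology/Computers"
id=firewall sn=0017C5000000 time="2024-10-19 09:04:00 UTC" fw=203.0.113.10 pri=6 c=1024 m=97 msg="Web site access" src=10.1.1.45:50001:X0 dst=93.184.216.34:443:X1 proto=tcp/https dstname=example.com Category="Information Technology/Computers"
id=firewall sn=0017C5000000 time="2024-10-19 09:05:00 UTC" fw=203.0.113.10 pri=6 c=1024 m=41 msg="Connection Opened" src=10.1.1.20:51300:X0 dst=203.0.113.50:22:X1 proto=tcp/ssh usr="CORP\jdoe"
"""

# key=value pairs; a quoted value may contain spaces and backslash escapes
# (the backslash in DOMAIN\user is the common case).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the key/value fields of one syslog line as a dict (quotes stripped)."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def web_access_by_user(log_text):
    """Aggregate 'Web site access' events (m=97) into {user: {site: hits}}.

    Events without a usr field (no SSO/AD mapping) are keyed by source IP,
    which is exactly what the report degrades to without step 2."""
    report = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if f.get("m") != "97":  # skip everything that is not a web-site access event
            continue
        site = f.get("dstname") or f.get("dst", "?").split(":")[0]
        user = f.get("usr") or "(no SSO mapping) " + f.get("src", "?").split(":")[0]
        report[user][site] += 1
    return {user: dict(sites) for user, sites in report.items()}


def top_sites(report, user, n=5):
    """Most-visited sites for one user as a list of (site, hits), highest first."""
    sites = report.get(user, {})
    return sorted(sites.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    rep = web_access_by_user(SAMPLE_LOG)
    for user in sorted(rep):
        print(user)
        for site, hits in top_sites(rep, user):
            print(f"  {hits:4d}  {site}")
```

Point a real syslog collector at a file and feed its contents to web_access_by_user; the one thing to adjust is the m=97 filter if your firmware numbers the event differently.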
Allo JP,
I want to allow my "Servers" zone to access Webroot, Microsoft Update, N-able and Acronis but nothing else (of course: for the updates and functionality).
It's not really App Control (DPI-SSL) I need, but more DNS filtering to only allow their services.
On a client that had a Fortinet, I added "Internet Services" as the destination in a firewall rule with source = zone Servers.
But is there an equivalent with SonicWall?
tx!
Yes. But like in the Fortinet, you need to define the "internet services".
I would assume Webroot and the others will provide you with what needs to be open for their stuff to work. That's what you will put in access rules for things to work.
@@JeanPierTalbot What's practical is that there is no need to define them: you just select them and apply them to the rule, and with just that your servers can communicate with all the Windows Update servers.
I just leave the "Destination Ports" at Any.
Here are the details for this example:
Microsoft-Microsoft.Update
- Name: Microsoft-Microsoft.Update
- Type: Predefined
- Primary Internet Service ID: 327793
- Direction: Destination
- Total IP Ranges: 9,963
- Total IPs: 11,813
So Fortinet manages the IP lists of their servers and the rule permits my servers to reach their IPs.
A single user could never input and maintain that many IPs, so it's done for us.
Dear JP
Thanks for the video. I need some kind of assistance from you. My current firewall, a TZ400 model 12431, is unable to access selected websites. Sometimes I am able to get to the site but unable to log in, for instance on a bank website. Would you be able to assist me with this matter?
Hi,
Best would be to call SonicWall technical support. It's free (if you kept your licences current).
Hi sir, how are you? I have a SonicWall firewall and I'm facing an issue with it: I want to configure a site-to-site VPN between the SonicWall and a FortiGate firewall. Can you help, or can anyone help me with that?
Hi!
You can call SonicWall tech support. They are not there to set up the VPN for you (a consultant would do that at a price), but if your VPN is set up and does not work, support can help.