radersupport Newbie ✭
July 2020 in SSL VPN
Hi, I'm wondering if there's a way for me to restrict access to the SSL VPN based on a group of whitelisted WAN IPs? The default access rule allows 0.0.0.0/0 access from SSLVPN to VPN, and I'm unable to edit that source group. So I thought maybe a WAN to SSLVPN deny/allow rule combo might work... but I get a 'rule overlap' error.
Any help would be appreciated.
Thanks
Category: SSL VPN
-
CORRECT ANSWER
Saravanan Moderator
July 2020 Answer ✓
Hi @radersupport,
Unfortunately, Gen 5 and Gen 5.5 firewalls do not include an option to tweak the default rules/policies, and hence we do not see the prescribed option on your TZ 215 (Gen 5.5) device. The embedded feature is available from Gen 6 firewalls onwards. The alternate way of accomplishing your requirement is to use the Geo-IP filter on an access rule. At least this way you should be able to control the source IPs to an extent. Please refer to the KB article below for instructions on configuring the Geo-IP filter feature using access rules.
https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-sonicwall-geo-ip-filter-using-firewall-access-rules/170505480197552/
Since we are applying Geo-IP on an access rule, only the Geo-IP enabled access rule is affected and the other rules are not. There are two ways of achieving your requirement here:
- Block all countries in the WAN to WAN SSLVPN access rule and exclude only the SSLVPN users public IP addresses in Geo-IP filter. (or)
- Allow the countries in the WAN to WAN SSLVPN access rule meant for the SSLVPN users public IP addresses.
I can really understand that this is kind of a long approach we are trying, because of a limitation of the TZ 215 and other Gen 5 and 5.5 firewalls compared with the easier configuration proposed previously.
If you are planning to move to Gen 6 firewalls, you can perform a product Secure Upgrade. Please see the link below for more information.
https://www.sonicwall.com/customers/loyalty-trade-in-program/secure-upgrade-plus/
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
5
Answers
-
Saravanan Moderator
July 2020 edited July 2020
Hi @RADERSUPPORT,
Thanks for reaching out to us on Community.
We should be able to restrict access to users based on their public IPs. Please check the WAN to WAN default SSLVPN rule, that is, "Any, WAN Interface IP, SSLVPN, Allow", and check if you have an option to change the Source field to a custom address object/group.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
-
radersupport Newbie ✭
July 2020
Thanks for the quick response @Saravanan
I'm still having a bit of trouble - this WAN to WAN rule doesn't seem to allow much tweaking, and I'm unable to change it to 'deny'. Forgive my inexperience, but would you be a bit more explicit on the method? Thank you.
-
Saravanan Moderator
July 2020
@RADERSUPPORT- Thanks for your immediate response.
Please try below steps and you should be all set with the requirement.
- Once logged into your firewall, replace the keyword main in the URL with diag (for example, https://ipaddress/diag.html) and hit Enter.
- Click on Internal Settings and search for the section Firewall Settings.
- Enable the checkbox "Enable the ability to remove and fully edit auto-added access rules".
- Click Accept.
- Navigate to Rules | Access Rules page and visit WAN to WAN rules section.
- Now you should be able to change the rule's Source to any custom address object/group.
- After modifying the access rule, please save the rule accordingly.
You are all set then.
Note: Once done with the rule changes, please revisit the diag page and deselect the option "Enable the ability to remove and fully edit auto-added access rules". Click Accept.
The modified rule should remain the same even after disabling the option on the diag page.
Hope this helps.
I'm moving this topic to the QA category since your post is more of a question, and I do this for tracking purposes.
Have a good day!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
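Both approaches in this thread (editing the auto-added WAN to WAN SSLVPN rule's Source to an address group once the diag option is enabled, or leaving the Source as Any and applying a Geo-IP filter with exclusions) come down to how the firewall's first-match access rules decide on a given public source IP. The toy model below is an added example, not SonicWall code or output: the Rule fields, the Geo-IP lookup table and the addresses (RFC 5737 documentation ranges) are constructed assumptions. It shows the 'rule overlap' the original poster hit, the whitelist result after editing the rule's Source, and why the Geo-IP "allow the users' countries" variant only restricts sources "to an extent".

```python
"""Toy model of first-match access-rule evaluation for the SSL VPN
whitelist scenario in this thread.  Added example, not SonicWall code:
the Rule fields, the GEO lookup table and the addresses are simplified
assumptions, using RFC 5737 documentation ranges as constructed input."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    sources: list                   # CIDR strings: the Source address object/group
    geo_blocked: set = field(default_factory=set)       # country codes blocked on this rule
    geo_exclusions: list = field(default_factory=list)  # CIDRs exempt from the Geo-IP check

    def networks(self):
        return [ipaddress.ip_network(s) for s in self.sources]


# Constructed Geo-IP table standing in for the firewall's country database.
GEO = {
    "203.0.113.0/24": "US",   # assumed: the SSL VPN users' ISP range
    "198.51.100.0/24": "NL",  # assumed: a country with no SSL VPN users
}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"   # unmapped address


def matches(addr, cidrs):
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate(rules, src_ip):
    """First rule whose Source matches decides; nothing matching is denied.
    A rule carrying a Geo-IP block list still denies a matching source from a
    blocked country unless that source is listed in the rule's exclusions."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if not matches(addr, r.sources):
            continue
        if r.geo_blocked and country_of(src_ip) in r.geo_blocked \
                and not matches(addr, r.geo_exclusions):
            return "deny", f"{r.name} [geo]"
        return r.action, r.name
    return "deny", "implicit"


def overlaps(a, b):
    """Why the poster's extra 'deny' rule was rejected: two rules for the same
    zone pair and service whose Source ranges intersect are an overlap."""
    return any(x.overlaps(y) for x in a.networks() for y in b.networks())


WHITELIST = ["203.0.113.10/32", "203.0.113.11/32"]   # constructed user IPs

# The auto-added rule the poster could not edit on the Gen 5.5 box.
DEFAULT = [Rule("WAN>WAN SSLVPN auto-added", "allow", ["0.0.0.0/0"])]

# After enabling the diag option: Source changed to the whitelist group.
EDITED = [Rule("WAN>WAN SSLVPN source=VPN_Users", "allow", WHITELIST)]

# Geo-IP variant 1: block every country on the rule, exclude the users' IPs.
GEO_BLOCK_ALL = [Rule("WAN>WAN SSLVPN geo", "allow", ["0.0.0.0/0"],
                      geo_blocked={"US", "NL", "??"}, geo_exclusions=WHITELIST)]

# Geo-IP variant 2: allow only the countries the users sit in (here US).
GEO_ALLOW_US = [Rule("WAN>WAN SSLVPN geo", "allow", ["0.0.0.0/0"],
                     geo_blocked={"NL", "??"})]


def report(rules, ips=("203.0.113.10", "203.0.113.99", "198.51.100.7")):
    """Decision per constructed source IP: a whitelisted user, a stranger in
    the users' country, and a stranger abroad."""
    return {ip: evaluate(rules, ip)[0] for ip in ips}


if __name__ == "__main__":
    for label, rules in [("default", DEFAULT), ("edited", EDITED),
                         ("geo block-all", GEO_BLOCK_ALL),
                         ("geo allow-US", GEO_ALLOW_US)]:
        print(f"{label:14s} {report(rules)}")
    deny = Rule("WAN>SSLVPN deny attempt", "deny", ["0.0.0.0/0"])
    print("overlap with auto-added rule:", overlaps(deny, DEFAULT[0]))
```

The "geo allow-US" row is the caveat: a non-whitelisted address in the same country as the users still gets through, so on a Gen 5.5 box the block-all-countries-plus-exclusions form is the closer substitute for a true source whitelist, and editing the rule's Source (where the diag option exists) is the only one of the three that denies both strangers.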
-
radersupport Newbie ✭
July 2020
@Saravanan It doesn't look like I have that option in internal settings
-
Saravanan Moderator
July 2020
@RADERSUPPORT - Luckily we have a KB article on editing the default access rules. I have got it here for your reference. This KB would be useful for you in such future scenarios 🙂
https://www.sonicwall.com/support/knowledge-base/how-to-enable-the-ability-to-remove-and-fully-edit-auto-added-access-rules/170505477737822/
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
-
Saravanan Moderator
July 2020
@RADERSUPPORT - Please share your device model and firmware version on it.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
-
radersupport Newbie ✭
July 2020
It's a TZ 215 on firmware SonicOS Enhanced 5.9.1.13-5o
-
radersupport Newbie ✭
July 2020
Thanks for all of your help @Saravanan
1
-
Saravanan Moderator
July 2020
You are most welcome @RADERSUPPORT. Thanks for providing us an opportunity to serve you.
Have a better day.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
1
-
NirajSojitra Newbie ✭
June 2021
I have a SonicWall TZ570 and I am not getting the main.html URL after logging into 192.168.1.1?