Filter
Top Products
User Management
1110
SonicOS 5.8.1 Administrator Guide
About Firewall Access Rules
Firewall access rules provide the administrator with the ability to control user access. Rules set
under Firewall > Access Rules are checked against the user group memberships returned
from a SSO LDAP query, and are applied automatically. Access rules are network management
tools that allow you to define inbound and outbound access policy, configure user
authentication, and enable remote management of the SonicWALL security appliance. The
SonicOS Firewall > Access Rules page provides a sortable access rule management
interface.
Note More specific policy rules should be given higher priority than general policy rules. The
general specificity hierarchy is source, destination, service. User identification elements, for
example, user name and corresponding group permissions, are not included in defining the
specificity of a policy rule.
By default, SonicWALL security appliance’s stateful packet inspection allows all communication
from the LAN to the Internet, and blocks all traffic to the LAN from the Internet.
Additional network access rules can be defined to extend or override the default access rules.
For example, access rules can be created that block certain types of traffic such as IRC from
the LAN to the WAN, or allow certain types of traffic, such as Lotus Notes database
synchronization, from specific hosts on the Internet to specific hosts on the LAN, or restrict use
of certain protocols such as Telnet to authorized users on the LAN.
Note The ability to define network access rules is a powerful tool. Using custom access rules can
disable firewall protection or block all access to the Internet. Use caution when creating or
deleting network access rules.
For detailed information about access rules, see “Firewall > Access Rules” on page 603.
Managing SonicOS with HTTP Login from a Terminal Server
The SonicWALL appliance normally grants access through policies based on authentication
credentials supplied via HTTP login for one user at an IP address. For users on a terminal
server, this method of authenticating one user per IP address is not possible. However, HTTP
login is still allowed from a terminal server only for the purpose of administration of the
appliance, subject to the following limitations and requirements:
• Internet access from the terminal server is controlled from the TSA, and HTTP login does
not override that – a user on a terminal server is not granted any access through the
appliance based on credentials supplied via HTTP login.
• HTTP login from a terminal server is allowed only for the built-in admin account and other
user accounts with administrator privileges. An attempt to log in with a non-administrative
account will fail with the error “Not allowed from this location.”
• On successful HTTP login, an administrative user is taken straight to the management
interface. The small “User Login Status” page is not displayed.
• The administrative user account used for HTTP login from the terminal server does not
need to be the same user account that was used for login to the terminal server. It is shown
on the appliance as an entirely separate login session.
• Only one user at a time can manage the appliance from a given terminal server. If two users
attempt to do so simultaneously, the most recently logged in user takes precedence, and
the other user will see the error “This is not the browser most recently used to log in.”