Article Applies To:
Affected SonicWALL Security Appliance Platforms:
Gen6 SM E10000 series: NSA E10800, NSA E10400, NSA E10200, NSA E10100
Gen6 SM 9000 series: NSA 9600, NSA 9400, NSA 9200
Gen6 NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600
Gen5 NSA Series: NSA E8510, NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W, TZ 200, TZ 200W, TZ 205, TZ 205W, TZ 210, TZ 210W, TZ 215, TZ 215W.
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless.
Firmware/Software Version: All SonicOS Enhanced versions.
Services: Firewall Access Rules
This technote shows users how to block specific ports with the SonicWALL. A lot of traffic on the Internet operates on well-known or static ports. Well-known ports are ports whose numbers are pre-assigned (http://www.iana.org/assignments/port-numbers) by the Internet Assigned Numbers Authority (IANA). Some examples are SSH (TCP port 22), TFTP (UDP port 69), and HTTP (TCP port 80). Ports are blocked to stop certain types of traffic (e.g. SSH, HTTP, or TFTP) from passing through the firewall.
This is useful to network administrators who want to disallow specific types of traffic on their network, such as Secure Shell (SSH) on TCP port 22. The ability to block ports is also important for containing the spread of viruses if your network is infected. Users can block ports between any two interfaces; LAN to WAN, LAN to DMZ, and LAN to VPN are the most common pairs to block ports between. Some traffic on the Internet operates on dynamic ports (e.g. Instant Messaging applications). For that case, SonicWALL offers the Intrusion Prevention Service (IPS), which can detect or block many types of traffic that use dynamic ports.
Customers with current service/software support contracts can obtain updated versions of SonicWALL firmware from the MySonicWALL customer portal at https://www.mysonicwall.com. Updated firmware is also freely available to customers who have registered the SonicWALL device on MySonicWALL for the first 90 days.
Before You Begin
1. The protocol type (UDP or TCP) of the traffic you want to block (e.g. HTTP traffic is TCP).
2. The port number of the traffic you want to block (e.g. HTTP traffic is port 80).
Example #1: Configure Port Blocking from LAN to WAN with a predefined service (FTP).
TIP: The following procedure also applies to blocking traffic from LAN zone to any other zone (e.g. LAN to VPN, LAN to DMZ, etc).
Step 1: Login to the SonicWALL Management Interface
Step 2: Select Firewall > Access Rules.
Step 3: Select the LAN to WAN (or LAN to VPN) edit icon. See below
See Also: Refer to KBID 7486 for more information about Address Objects.
Step 9: Click Add and close the window.
Step 10: Verify that the rule just created has a higher priority than the default rule for LAN to WAN.
See Also: Refer to KBID 3716 for more information about Priority settings.
Step 1: Login to SonicWALL Management Interface
Step 2: Select Firewall > Services
Step 3: Scroll to the bottom and Click Add in the Services Section
- Enter Name (e.g. DCOM RPC)
Step 4: Click Add and create a similar Service for TCP port 4444.
- Enter Name (e.g. Blaster)
- Enter Port Range (e.g. 4444 - 4444)
- Enter Protocol (e.g. TCP(6))
- Click OK
Step 5: Click Add Group on the Access Rules Screen
- Enter Name (e.g. Blaster Virus)
- Select Blaster from the list on the left, Click the right arrow
- Select DCOM RPC from the list on the left, Click the right arrow
- Select TFTP from the list on the left, Click the right arrow
- Click OK
Step 6: Select Firewall > Access Rules
Step 7: Select the LAN to WAN edit icon. See below
- Click Add
- Select Action (e.g. Deny)
- Select Service (e.g. Blaster Virus)
- Select Source (e.g. LAN Subnets)
- Select Destination (e.g. Any)
- Click OK
Step 8: Verify that the rule just created has a higher priority than the default rule for LAN to WAN
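The priority check in Step 8 (and Step 10 of Example #1) matters because SonicOS evaluates a zone's access rules top-down and applies the first rule that matches. The following added example, which is not SonicWALL code and not part of the original technote, is a small first-match evaluator built from constructed data: the Blaster (TCP 4444) and TFTP (UDP 69) services from the text, grouped as "Blaster Virus" (the DCOM RPC service is left out because the technote does not state its port), a Deny rule for that group from LAN Subnets to Any, and an assumed default LAN to WAN rule that allows everything. It shows that the same Deny rule is effective when placed above the default rule and silently useless when placed below it.

```python
"""First-match access-rule evaluation (added illustration, not SonicOS code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers, shown in the SonicOS UI as TCP(6) / UDP(17)


@dataclass(frozen=True)
class Service:
    """A Firewall > Services entry: protocol plus an inclusive port range."""
    name: str
    protocol: int
    port_lo: int
    port_hi: int

    def matches(self, protocol: int, port: int) -> bool:
        return protocol == self.protocol and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class Rule:
    """An access rule. An empty services tuple means the 'Any' service."""
    action: str                     # "Allow" or "Deny"
    services: Tuple[Service, ...]   # a Service Group is just a tuple of services
    source: str                     # e.g. "LAN Subnets" or "Any"
    destination: str                # e.g. "Any"

    def matches(self, source: str, protocol: int, port: int) -> bool:
        if self.source not in ("Any", source):
            return False
        if self.services and not any(s.matches(protocol, port) for s in self.services):
            return False
        return True


def evaluate(rules, source: str, protocol: int, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching rule, scanning top-down.

    The implicit verdict when no rule matches is assumed here to be Deny.
    """
    for index, rule in enumerate(rules):
        if rule.matches(source, protocol, port):
            return rule.action, index
    return "Deny", None


# Services from the technote (constructed objects, same values as the text).
BLASTER = Service("Blaster", TCP, 4444, 4444)
TFTP = Service("TFTP", UDP, 69, 69)
BLASTER_VIRUS_GROUP = (BLASTER, TFTP)

# Assumed default LAN to WAN rule: allow any service from any source.
DEFAULT_LAN_TO_WAN = Rule("Allow", (), "Any", "Any")
# The Deny rule built in Step 7.
DENY_BLASTER = Rule("Deny", BLASTER_VIRUS_GROUP, "LAN Subnets", "Any")


def rule_sets():
    """Two orderings of the same two rules: the correct one and the broken one."""
    return {
        "deny_above_default": [DENY_BLASTER, DEFAULT_LAN_TO_WAN],
        "deny_below_default": [DEFAULT_LAN_TO_WAN, DENY_BLASTER],
    }


def verdicts(ordering: str):
    """Verdicts for Blaster, TFTP and ordinary web traffic under one ordering."""
    rules = rule_sets()[ordering]
    return {
        "tcp/4444": evaluate(rules, "LAN Subnets", TCP, 4444),
        "udp/69": evaluate(rules, "LAN Subnets", UDP, 69),
        "tcp/80": evaluate(rules, "LAN Subnets", TCP, 80),
    }


if __name__ == "__main__":
    for ordering in rule_sets():
        print(ordering)
        for flow, (action, index) in verdicts(ordering).items():
            print(f"  {flow:9} -> {action} (rule #{index})")
```

With the Deny rule on top, TCP 4444 and UDP 69 from LAN Subnets hit rule #0 and are denied while TCP 80 falls through to the default Allow; with the Deny rule below the default, every flow matches the default Allow at rule #0 and the Deny rule is never consulted, which is exactly the misconfiguration the verification step guards against.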
SonicWALL NSA Series
4500, 3500, 2400, 240
SonicWALL E-Class NSA Series
E7500, E6500, E5500
SonicWALL TZ Series
210W, 210, 200W, 200, 100W, 100
SonicWALL PRO Series
5060, 4100, 4060, 3060, 2040, 1260
SonicWALL TZ Series (Gen4)
190W, 190, 180W, 180, 170
Created on: 6/1/2010
Last Update on: 9/3/2014