Thursday, June 13, 2013

SonicWall - How to Block Everyone from the Gmail Website Using Firewall Access Rules

Introduction
At times, administrators may want to block a specific website from being accessed by any user behind their firewall.  In this article, we demonstrate how to block everyone from the Gmail website using the firewall access rules.
Prerequisites
  • SonicOS 5.8.0.2 or greater
  • One of the following SonicWALL Security Appliance Platforms:
    • TZ 215
    • NSA 220
    • NSA 240
    • NSA 250M
    • NSA 2400
    • NSA 3500
    • NSA 3600
    • NSA 4500
    • NSA 4600
    • NSA E5500
    • NSA 5600
    • NSA E6500
    • NSA 6600
    • NSA E7500
    • NSA E8500
    • NSA E8510
Components Used
The information in this document is based on the SonicOS 5.8.1.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Configure the Firewall
In this section, you are presented with the information to configure the Firewall to block everyone from the Gmail website using the firewall access rules.
About Access Rules
Access Rules are what traditionally define a firewall.  SonicWall Access Rules are similar to Access Control Lists that are seen in other vendors’ firewalls, but with added functionality.  
How Access Rules Are Used
Access Rules are used to Allow/Deny/Drop network packets between the SonicWall Firewall Zones.  Access Rules only look at the network packet header in order to determine whether to Allow/Deny/Drop the network packet.  The packet header contains the following information:
  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • Service
How Access Rules Work
The firewall uses the first policy that the packet matches, so rule order is very important.  Place rules in this order: most permissive first and most restrictive last, with the last rule denying everything.  This order allows you to restrict what traffic passes through the firewall.
Warning About Access Rules
For Next Generation Firewalls, Access Rules are NOT the recommended method of writing application firewall rules.  This is because Access Rules only look at the header of the packet and not the payload of the packet.  Next Generation firewalls use Deep Packet Inspection (DPI) to look at the header AND the payload of the packet in order to more securely scan the packet.  Therefore, using Application Control and Application Firewall Rules is the preferred method of writing firewall rules in SonicWall Firewalls.  
Configuration Stages
There are two stages to this configuration process:
  1. Stage I – Create Address Object
  2. Stage II – Create Access Rule
Other items included in this article:
  1. How to Test
  2. How to Troubleshoot
  3. Related Resources

Stage I - Create Address Object
Complete these steps in the SonicWall GUI in order to create an address object for the Gmail website.  The Gmail website is served from the hostname mail.google.com, so we need to create an address object for mail.google.com.

  1. Navigate to Firewall > Address Objects.
Note: The firewall does a DNS lookup on mail.google.com to find the IP addresses associated with that hostname and then compares the destination (To) address in the packet header to those addresses.


  2. Scroll down to the Address Objects section on the bottom half of the page, and then click on Add.


  3. On the Address Object page, select the following:
  • Name: Gmail Address Object (type this in)
  • Zone Assignment: WAN (Choose WAN because Gmail exists on the internet, which is part of the WAN zone)
  • Type: FQDN (Fully Qualified Domain Name)
  • FQDN Hostname: mail.google.com
Then click Add.
Note: “Type:” can be any of the following values:
  • Host – Single IP address of a single host on the network. For example: 192.168.1.27
  • Range – Range of IP addresses listing only the beginning and ending IP addresses.  For example: 10.1.1.50 – 10.1.1.100
  • MAC – MAC address of the single host.  For example: 00:06:01:AB:02:CD
  • Network – Range of IP addresses that are defined by a network and a subnet mask.  For example:  172.16.20.0 / 255.255.255.0
  • FQDN – Fully Qualified Domain Name of one or multiple IP addresses.  For example: mail.google.com is the FQDN of 74.125.227.213 and 74.125.227.214

  4. Verify that the Address Object was created by viewing it at the bottom of the page.

Stage II - Create Access Rule
Complete these steps in the SonicWall GUI in order to create an Access Rule to block the Gmail website.  The Access Rule will match the Address Object and then perform a Deny of that packet.
  1. Navigate to Firewall > Access Rules.


  2. Under View Style, click on Matrix.

Note:  The default view for the access rules lists all of the rules together on one page.  This can be confusing, so SonicWall created two additional views to better organize your firewall rules: Matrix view and Drop-down Boxes view.
  • All Rules – Lists all of the Access Rules on one page.
  • Matrix View – Organizes the Access Rules in a From/To grid and limits the rules that are seen to whatever From/To combination is picked.
  • Drop-down Boxes View – Reduces the user’s choices to two drop-down boxes: one box has the “From” zones while the other box has the “To” zones.

  3. In the Matrix view, click on the arrow where From: LAN intersects with To: WAN.


  4. Click on Add.

  5. Choose the following items:
  • Action: Deny (this will block the packet)
  • Service: Any (this will include all TCP/UDP ports)
  • Source: Any (this will include all source IP addresses)
  • Destination: Gmail Address Object (this is the address object that we created in the previous stage)
Then click Add.

  6. Verify that the Access Rule that you created is active by viewing it in the list of Access Rules.
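To make the two stages concrete, here is a small model of how the Stage I address object and the Stage II access rule decide a packet's fate under the first-match evaluation the article describes. This is an added illustration written for this article, not SonicWall code: the DNS answers (taken from the article's own FQDN example), the client and "other" IP addresses, and the default LAN-to-WAN allow-any rule are constructed assumptions, and the Host, Range and Network matchers go beyond the article's single FQDN case to cover the other address object types it lists.

```python
"""Model of a SonicOS address object and a first-match access rule.
Added illustration for this article, not SonicWall code; all IPs, DNS
answers and the default LAN-to-WAN allow rule are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for the firewall's own DNS lookup of an FQDN object.
# The two addresses are the ones the article quotes for mail.google.com.
FAKE_DNS = {"mail.google.com": ["74.125.227.213", "74.125.227.214"]}


@dataclass
class AddressObject:
    name: str
    zone: str
    kind: str          # Any | Host | Range | Network | FQDN (MAC is layer 2, not modelled)
    value: str = ""

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "Any":
            return True
        if self.kind == "Host":                  # e.g. 192.168.1.27
            return addr == ipaddress.ip_address(self.value)
        if self.kind == "Range":                 # e.g. 10.1.1.50 - 10.1.1.100 (hyphen or en dash)
            lo, hi = (ipaddress.ip_address(p) for p in re.split(r"\s*[-\u2013]\s*", self.value))
            return lo <= addr <= hi
        if self.kind == "Network":               # e.g. 172.16.20.0 / 255.255.255.0
            net, mask = (p.strip() for p in self.value.split("/"))
            return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if self.kind == "FQDN":                  # resolved to IPs, then compared by IP
            return any(addr == ipaddress.ip_address(a) for a in FAKE_DNS.get(self.value, []))
        raise ValueError(f"unsupported address object type: {self.kind}")


@dataclass
class AccessRule:
    from_zone: str
    to_zone: str
    action: str                # Allow | Deny | Drop
    service: str               # "Any" or "tcp/443"
    source: AddressObject
    destination: AddressObject

    def matches(self, pkt: dict) -> bool:
        # Only header fields are consulted, as the article states:
        # zones, service (protocol/port), source IP and destination IP.
        if (pkt["from_zone"], pkt["to_zone"]) != (self.from_zone, self.to_zone):
            return False
        if self.service != "Any" and self.service != f"{pkt['proto']}/{pkt['dport']}":
            return False
        return self.source.matches(pkt["src"]) and self.destination.matches(pkt["dst"])


def evaluate(rules: list, pkt: dict, default: str = "Deny") -> str:
    """First matching rule wins and nothing later is consulted.
    The end-of-list default is Deny here (assumption of this model)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The article's objects: the Stage I address object and the Stage II rule.
ANY = AddressObject("Any", "*", "Any")
GMAIL = AddressObject("Gmail Address Object", "WAN", "FQDN", "mail.google.com")
BLOCK_GMAIL = AccessRule("LAN", "WAN", "Deny", "Any", ANY, GMAIL)
# Assumed default LAN > WAN allow-any rule, as most deployments have one.
DEFAULT_LAN_TO_WAN = AccessRule("LAN", "WAN", "Allow", "Any", ANY, ANY)


def lan_to_wan(src: str, dst: str, proto: str = "tcp", dport: int = 443) -> dict:
    """Build a constructed LAN-to-WAN packet header."""
    return {"from_zone": "LAN", "to_zone": "WAN", "src": src, "dst": dst,
            "proto": proto, "dport": dport}


def demo() -> dict:
    gmail = lan_to_wan("192.168.1.27", "74.125.227.213")   # a resolved Gmail address
    other = lan_to_wan("192.168.1.27", "198.51.100.10")    # constructed non-Gmail address
    return {
        # Deny rule above the allow-any: Gmail is blocked, everything else passes.
        "gmail_deny_first": evaluate([BLOCK_GMAIL, DEFAULT_LAN_TO_WAN], gmail),
        "other_deny_first": evaluate([BLOCK_GMAIL, DEFAULT_LAN_TO_WAN], other),
        # Deny rule below the allow-any: the allow matches first and the Gmail
        # rule is never reached, which is the ordering check worth making.
        "gmail_allow_first": evaluate([DEFAULT_LAN_TO_WAN, BLOCK_GMAIL], gmail),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `gmail_allow_first` case is the one to remember when verifying the rule in step 6: on a first-match firewall a broader Allow rule listed above the Gmail Deny rule means the Deny is never evaluated, so check the rule's position in the LAN > WAN list, not only that it exists.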

How to Test
Complete these steps in order to test the Firewall Access Rules configuration.
  1. From a computer within the network, open a web browser and go to the following web page:

You should receive an error page like the one in this picture.  This means that your rule is working.


How to Troubleshoot
Check the following items in order to troubleshoot this configuration:

Symptom

Resolution
Related Resources
SonicWall OS 5.8.1 Administrator’s Guide

UTM: Using Firewall Access Rules to block incoming and outgoing traffic:  https://www.sonicwall.com/us/en/support/2213.html?fuzeurl=https://www.fuzeqna.com/sonicwallkb/ext/kb8110-utm-how-to-block-ports-using-firewall-access-rules-in-sonicos-enhanced
How to Block Ports in SonicWall: http://www.sonicwall.com/downloads/How_to_Block_Ports(1).pdf
Last Updated on 6/6/2013