Sonicwall Admin User Not Allowed From Here


Miriam

Aug 5, 2024, 3:54:12 AM
to lewallibiz
Please consider the result of allowing remote administration of your SonicWall device.

You should be aware that allowing external admin access to the SonicWall could present a security risk.

If external administration is required, you may be better off setting up a VPN connection to your network and administering the firewall from the LAN side via the VPN.


Scenario 1. Error is generated while trying to manage the SonicWALL via VPN tunnel.

Scenario 2. If SonicWALL is configured to enforce users to enter a username and password before accessing Internet websites.

Ok. I cannot log in with the admin user to the web interface or the CLI. I don't know what happened. I am currently using it for testing some network changes we are doing (we have two SonicWalls, TZ500s). It had been unplugged for a few weeks; I just booted it back up today.


However, I can access SSH (but not web management) with a different account I created for myself, with admin rights. From the CLI, I can see that web management is enabled for HTTP and HTTPS on X0, which is what my machine is connected to. I also enabled it on X5 and tried it there with another machine, but no matter what, I get this error:


Is it possible to have access to the CLI/SSH but not to the web-management interface with the same user account? That seems to be the issue at hand. Could I add the web-management access role from the CLI for the user?


I was able to regain access by VPN connecting from my home machine, then accessing the SonicWall management interface (it auto-logged me in because I was VPN-authenticated). From there, I switched on user-login and that allowed me to login again from anywhere.


I guess your computer is connected on a different interface and you are trying to access the SonicWALL using a different interface's IP address; for example, if you are connected to the X2 interface and trying to hit the X0 IP, it won't allow you to log in (this works only if X2 is in PortShield mode with X0).


I am trying to make a few changes on a firewall by connecting remotely to a desktop at work. I need to make a change that I think may reset and change the LAN interface. I am worried about being kicked out and having to travel to work to reset it.


Now, to diagnose, I had a constant ping running. When I either disabled ping under Interfaces, or changed the source away from Any under Firewall, the ping stopped, so I am sure that this is where I need to make the change. However, I just can't seem to connect via SSH/HTTP/HTTPS.


All I can think of is that the WAN port is not a trusted interface, but surely by enabling management I override that setting? Is there something hidden somewhere I need to do to enable remote management?


If you have enabled the SSL VPN you will probably have changed the management port to something else, generally 8443, but you can check this in the System -> Administration menu. You should see the port setting in the HTTPS administration port setting.


Also check the logs of the firewall after trying to log in. If it's being denied it should tell you and hopefully give a useful reason why. If you still have problems, please post the logs and I will have a look.


I brought this to the attention of SonicWall/Dell and, after arguing with them for a long time that I was not trying to apply a broadcast IP/network IP to the interface and showing them RFC 3021, they finally admitted that the firewall does not support it.


Anyway, that was almost (if not longer than) a year ago, and we managed to do a workaround in that it applied the /31 fine via DHCP, and everything worked great until I wanted to do remote management!


GerryEgan was very helpful, but after he finished trying to help, I noticed that my computer was transmitting to the SonicWall but not receiving anything back; the statistics on the SonicWall for TX on the HTTPS rule were going up while RX remained still.


I just had an idea that maybe this /31 subnet goes much deeper in the firewall, and after changing the subnet from /31 to /30 I confirmed everything worked fine, so I confirmed that the issue is due to SonicWall not supporting /31 subnets, even if it successfully applies via DHCP.


I'm stuck away from work here in Liverpool due to heavy snow and can't get administrator access to any machine here, so I can't install the usual Sonicwall Global VPN client to connect to work!


I'm running Windows 7 64-bit; if anyone knows any way I could get connected, with or without the official SonicWall client and without administrator access, I'd be very much in your debt! (e.g. is there a portable version available?) Thanks, Sam ;)


Yes! Certainly this isn't limited to SonicWall, but here's a link to their browser-based VPN appliance. I could've sworn someone was pitching a separate license/service we could purchase for our existing firewall, but I may have misunderstood - I'm not finding a link. However, that would get around your non-admin access to the computers within reach.


You will not be able to install the VPN client through any clever tricks. The VPN adapter functions to windows similarly to a hardware network adapter - that is to say, you need permissions such that you'd be able to add "hardware" to the system. Blocking non-admins from this kind of access is a central part of the distinction between admin and user access.


Global sales of smartphones are increasing every year, and with that, the number of users accessing applications is increasing along with the use of web for office-related tasks. Network admins are also utilizing mobile devices to get work done: These devices allow them to extend their presence, enabling faster responses and easier network configuration and setup.


As part of our commitment to anytime, anywhere cybersecurity, users can use the SonicExpress mobile app to manage their SonicWall devices. The SonicExpress mobile app simplifies firewall onboarding with device registration, initial setup, basic configuration and monitoring for Gen 7 SonicWall next-generation firewalls (NGFWs). The application also simplifies the onboarding process for SonicWall Access Points and Switches. Designed for Apple and Android platforms, the SonicExpress app is now available for download from the Apple App Store and the Google Play Store.


The typical onboarding process involves device registration and several other steps that must be completed to get new SonicWall devices ready for configuration and use. With SonicExpress, onboarding of SonicWall devices can be completed with three simple steps.


Zero-touch deployments require firewalls to connect to the internet using a DHCP address on the WAN interface. However, in specific deployments, WAN interfaces are assigned static IP addresses or configured over a PPPoE interface. There is typically no internet connectivity for firewalls being set up for closed network deployments. SonicExpress helps with these deployments and other initial setup configurations by connecting the firewall using the USB interface.


The SonicExpress Setup Guide walks users through registering their firewalls and setting up specific deployment use cases. Alternatively, users can register the firewall without going through the entire setup process by simply scanning a QR code.


The SonicExpress app allows users to monitor SonicWall devices and Wireless Network Manager (WNM) for threat alerts, resource utilization and system status via an intuitive dashboard. It offers the flexibility of being able to check the health of your network from anywhere and the convenience of making easy, quick changes to ensure the security posture of your network.


While there are obviously other/better ways to accomplish this and I realize how silly this is, given the limited scope I'm presently working in, I need to find a way to replicate a feature they presently "require".


In Sonicwall world, a user outside the corporate network can browse to the WAN IP of the firewall and log in with their credentials to become a "Trusted User" on the firewall. A firewall rule applying only to "Trusted Users" then allows them to RDP to a different IP in their /28 which gets NAT-ed through to a Remote Desktop server on the inside. Kind of a "Captive Portal in reverse", I guess.


You can set up and customize a captive portal to direct user authentication by way of an authentication profile, an authentication sequence, or a client certificate profile. Captive portal can be used in conjunction with the User-ID Agent to extend user identification functions beyond the Active Directory domain. Users are directed to the portal and authenticated, thereby creating a user-to-IP address mapping.


Also, if the user cannot be identified based on login information, an established session or a client probe, the firewall can redirect any outbound HTTP requests and redirect the user to a web form. The web form can transparently authenticate the user through an NTLM challenge, which is automatically evaluated and answered by the web browser, or through an explicit login page.


If these users need to connect from the outside/internet, enabling CP on the WAN interface would be taxing for the firewall resources. The only alternative I can think of is using GlobalProtect configured with an External Gateway.
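The /31 problem described earlier in this thread (the firewall rejecting a point-to-point address that is valid under RFC 3021) comes down to how an interface-address validator treats the first and last address of a block. The script below is an added example, not SonicWall's or Dell's code, and all addresses are constructed from TEST-NET-1 (192.0.2.0/24). It puts a "classic" validator that always reserves a network and broadcast address beside an RFC 3021-aware one, so you can see why a /31 fails the first and passes the second while a /30 behaves the same under both.

```python
"""Host-address validation for /31 point-to-point links (RFC 3021).

Added example, not SonicWall or Dell code.  All addresses are constructed
from TEST-NET-1 (192.0.2.0/24).  A "classic" validator reserves the first
and last address of every block as network and broadcast; RFC 3021 removes
that reservation for /31, so the classic check rejects both addresses of a
/31 even though both are legitimate hosts.
"""
import ipaddress


def usable_hosts(addr: str, prefix: int, rfc3021: bool = True) -> list:
    """Return the host addresses of the block containing addr/prefix.

    rfc3021=False models a validator that always reserves the network and
    broadcast addresses, which is the behaviour the thread describes.
    """
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if prefix == 32:
        # A /32 is a single host; there is nothing to reserve.
        return [net.network_address]
    if prefix == 31 and rfc3021:
        # RFC 3021: both addresses of a /31 are hosts, no broadcast exists.
        return [net.network_address, net.broadcast_address]
    return [ip for ip in net
            if ip not in (net.network_address, net.broadcast_address)]


def is_valid_host(addr: str, prefix: int, rfc3021: bool = True) -> bool:
    """True if addr is assignable to an interface under the chosen rule."""
    return ipaddress.ip_address(addr) in usable_hosts(addr, prefix, rfc3021)


def peer_address(addr: str, prefix: int):
    """For a two-host block (/31 or /30) return the other host, else None."""
    ip = ipaddress.ip_address(addr)
    others = [h for h in usable_hosts(addr, prefix, rfc3021=True) if h != ip]
    return str(others[0]) if len(others) == 1 else None


def compare(addr: str, prefix: int) -> dict:
    """Side-by-side verdict of the classic and RFC 3021 validators."""
    return {
        "address": f"{addr}/{prefix}",
        "classic_ok": is_valid_host(addr, prefix, rfc3021=False),
        "rfc3021_ok": is_valid_host(addr, prefix, rfc3021=True),
        "peer": peer_address(addr, prefix),
    }


if __name__ == "__main__":
    for a, p in (("192.0.2.0", 31), ("192.0.2.1", 31),
                 ("192.0.2.5", 30), ("192.0.2.4", 30)):
        print(compare(a, p))
```

The practical check before committing a /31 on any device: run the address through `compare()`; if the device behaves like the classic validator, you will get exactly the symptom above (the address is accepted via DHCP but management traffic is never answered), and the workaround is a /30 with the peer given by `peer_address()`.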
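The "Trusted Users" pattern from the last part of the thread (a user logs in on the firewall's WAN address, which creates a user-to-IP mapping, and a rule for RDP to a NAT-ed address matches on that mapping) is easier to reason about as a small state machine. The following is an added example, not SonicWall or Palo Alto code; the public IP, user names, group membership, session lifetime and event sequence are all constructed for the demonstration.

```python
"""Model of the "Trusted Users" pattern: a web login on the firewall creates a
user-to-IP mapping, and a policy rule for RDP matches on that mapping.

Added example, not SonicWall or Palo Alto code.  The public IP, users, group
membership, session lifetime and event sequence are constructed.
"""
from dataclasses import dataclass, field

RDP_PORT = 3389
PUBLIC_RDP_IP = "198.51.100.20"      # constructed: the /28 address NAT-ed to the inside RDS host
SESSION_TTL = 3600                   # constructed: seconds a login stays trusted
TRUSTED_GROUP = {"alice", "bob"}     # constructed: group allowed to reach the RDS host


@dataclass
class UserIPMap:
    """src_ip -> (user, expiry).  This is the state the portal login creates."""
    entries: dict = field(default_factory=dict)

    def login(self, src_ip: str, user: str, now: int) -> None:
        self.entries[src_ip] = (user, now + SESSION_TTL)

    def logout(self, src_ip: str) -> None:
        self.entries.pop(src_ip, None)

    def user_for(self, src_ip: str, now: int):
        entry = self.entries.get(src_ip)
        if entry is None:
            return None
        user, expiry = entry
        if expiry <= now:            # expired mappings are removed lazily
            self.entries.pop(src_ip, None)
            return None
        return user


def allow_rdp(mapping: UserIPMap, src_ip: str, dst_ip: str, dst_port: int, now: int) -> bool:
    """The 'Trusted Users' rule: only RDP to the NAT-ed address, and only when the
    source IP currently maps to a user in the trusted group."""
    if dst_ip != PUBLIC_RDP_IP or dst_port != RDP_PORT:
        return False
    user = mapping.user_for(src_ip, now)
    return user is not None and user in TRUSTED_GROUP


def replay(events: list) -> list:
    """Run a constructed event list; return the verdict of every 'rdp' event in order."""
    mapping = UserIPMap()
    verdicts = []
    for ev in events:
        kind, now = ev[0], ev[1]
        if kind == "login":
            mapping.login(ev[2], ev[3], now)
        elif kind == "logout":
            mapping.logout(ev[2])
        elif kind == "rdp":
            verdicts.append(allow_rdp(mapping, ev[2], ev[3], ev[4], now))
    return verdicts


SAMPLE_EVENTS = [                     # constructed sequence, times in seconds
    ("rdp",   100, "203.0.113.7", PUBLIC_RDP_IP, RDP_PORT),   # no login yet -> deny
    ("login", 110, "203.0.113.7", "alice"),                   # alice authenticates on the portal
    ("rdp",   120, "203.0.113.7", PUBLIC_RDP_IP, RDP_PORT),   # trusted -> allow
    ("rdp",   121, "203.0.113.8", PUBLIC_RDP_IP, RDP_PORT),   # neighbour without login -> deny
    ("rdp",   122, "203.0.113.7", PUBLIC_RDP_IP, 22),         # wrong port -> deny
    ("login", 130, "203.0.113.9", "carol"),                   # authenticated but not in group
    ("rdp",   131, "203.0.113.9", PUBLIC_RDP_IP, RDP_PORT),   # deny
    ("rdp",   110 + SESSION_TTL, "203.0.113.7", PUBLIC_RDP_IP, RDP_PORT),  # session expired -> deny
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))   # [False, True, False, False, False, False]
```

The caveat the model makes visible: trust is keyed on the source IP, so anything else sitting behind the same address (a shared NAT, for instance) inherits the RDP permission until the mapping expires or is logged out. That, together with the portal being exposed on the WAN, is why the replies above steer toward a VPN client or GlobalProtect instead.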
