Dell SMA 200 Administration Manual page 299

10 Select Track Per Remote Address to enforce rate limiting against rule chain matches coming from the
same IP address. Tracking per remote address uses the remote address as seen by the SMA/SRA
appliance. This covers the case where different clients sit behind a firewall with NAT enabled, causing
them to effectively send packets with the same source IP.
11 Select Track Per Session to enable rate limiting based on an attacker's browser session. This method
sets a cookie for each browser session. Tracking by user session is not as effective as tracking by remote
IP if the attacker initiates a new user session for each attack.
12 Click Accept to save the rule chain. A Rule Chain ID is automatically generated.
13 Next, add one or more rules to the rule chain. See Configuring Rules in a Rule Chain on page 300 for detailed information.

Cloning a Rule Chain
To clone a rule chain:
1 On the Web Application Firewall > Rules page, click its Clone Rule Chain icon under Configure.
2 Click OK in the confirmation dialog box.
You can now edit the rule chain to customize it. See Adding or Editing a Rule Chain on page 298.

Deleting a Rule Chain
NOTE: Deleting a rule chain also deletes all the associated rules.
To delete a rule chain:
1 On the Web Application Firewall > Rules page, click the Delete Rule Chain icon under Configure for the rule chain you want to delete.
2 Click OK in the confirmation dialog box.
3 Click Accept.

Correcting Misconfigured Rule Chains
Misconfigured rule chains are not automatically detected at the time of configuration. When a misconfiguration occurs, the administrator must log in and fix or delete the bad rules.

NOTE: If any rules or rule chains are misconfigured, the appliance does not enforce any custom rules or rule chains.

It is difficult to detect a false positive from a misconfigured rule chain unless a user runs into it and reports it to the administrator. If the rule chain has been set to PREVENT, the user sees the Web Application Firewall block page (as configured on the Web Application Firewall > Settings page). If not, a log message indicates that the "threat" has been detected.

Consider a scenario in which the administrator inadvertently creates a custom rule chain that blocks access to all portals of the SMA/SRA appliance. For example, the administrator might have wanted to enforce a rule for an Application Offloading portal, but forgot to add another rule that narrows the match criteria to requests for that portal, host or URL. If the first rule is too broad, the result is a denial of service for the appliance. Specifically, the administrator creates a rule chain to deny use of the GET HTTP method for a specific URL that expects a POST request.

For this, the administrator needs to create two rules:
1 The first rule is to match GET requests.
2 The second rule is to match a specific URL.
If the administrator forgets to create the second rule, access to the SMA/SRA appliance is denied, because the Secure Mobile Access web-based management interface depends on the GET method.
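
A pre-deployment check for the scenario above, as an added example that is not part of the manual and is not SMA/SRA code: it models a rule chain as a list of rules that must all match (an assumption drawn from the two-rule scenario) and replays constructed known-good requests against the chain before it is set to PREVENT. The hostnames, URLs and function names are hypothetical.

```python
# Added example: an offline model of a rule chain, not SMA/SRA appliance code.
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]  # constructed shape: method, host, url


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]


def chain_matches(rules: List[Rule], req: Request) -> bool:
    # Assumption: a chain fires only when every one of its rules matches.
    # An empty chain is treated as matching nothing.
    return bool(rules) and all(rule.matches(req) for rule in rules)


def review(rules: List[Rule], known_good: List[Request], target: Request) -> dict:
    """Check that the chain hits its intended target and no known-good request."""
    return {
        "hits_target": chain_matches(rules, target),
        "false_positives": [r for r in known_good if chain_matches(rules, r)],
    }


# Constructed sample traffic that must keep working (hypothetical hosts and URLs).
KNOWN_GOOD = [
    {"method": "GET", "host": "sma.example.test", "url": "/management/login"},
    {"method": "GET", "host": "portal.example.test", "url": "/portal/index"},
    {"method": "POST", "host": "app.example.test", "url": "/orders/submit"},
]
# The request the chain is meant to deny: GET to a URL that expects POST.
TARGET = {"method": "GET", "host": "app.example.test", "url": "/orders/submit"}

match_get = Rule("method is GET", lambda r: r["method"] == "GET")
match_url = Rule("URL is /orders/submit", lambda r: r["url"] == "/orders/submit")

BROAD_CHAIN = [match_get]              # second rule forgotten
NARROW_CHAIN = [match_get, match_url]  # both rules present

if __name__ == "__main__":
    for label, chain in (("broad", BROAD_CHAIN), ("narrow", NARROW_CHAIN)):
        result = review(chain, KNOWN_GOOD, TARGET)
        blocked = [f'{r["method"]} {r["host"]}{r["url"]}' for r in result["false_positives"]]
        print(f"{label}: hits_target={result['hits_target']} would_block={blocked}")
```

Both chains hit the intended target, so only the replay of known-good traffic separates the broad chain from the narrow one.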
Dell SonicWALL Secure Mobile Access 8.5 Administration Guide

This manual is also suitable for: SMA 400, SRA 1600, SRA 4600, SMA 500v
