SonicWALL SMA - End Point Control

To Next Page

To Previous Page

SonicWallSMAConnectTunnel12.0DeploymentPlanningGuide

PlanningYourVPN

DesignGuidelinesforAccessRules

Becausetheappliance processesyouraccesscontrolrulessequentially,theorderinwhichyouorganizethemis

significantintermsofwhetheraccessispermittedordenied.Carefullyreviewyoursecuritypolicysettingsto

avoidinadvertentlyplacingrulesinthewrongorder.

•Putyourmostspecificrulesatthetopof

thelist.Asageneralrule,itisbesttoputyourmostspecific

rulesatthetopofthelist.Puttingbroaderrulesthatgrantmorepermissionsatthetopofthelistmay

causetheappliancetofindamatchbeforeithasachancetoprocessyourmore

restrictiverules.

•BecarefulwithAnyrules.Ifyoucreatearulethatdoesnotrestrictaccesstoaparticularuseror

destinationresource,carefullyconsideritsimpactonpolicyrules.

• Optimizingperformance.Becausetheapplianceevaluatesrulesinsequentialorder,youcanoptimize

performancebyplacingthenetworkresources

thatareaccessedmostfrequentlyatthetopofthelist.

•Avoidresourceandaccessmethodincompatibilities.Insomeveryspecificcases,certaincombinations

ofresourcetypesandaccessmethodscancreateproblemswithyouraccesspolicy.AMCvalidatesyour

ruleandnotifiesyouofpotentialproblemswhenyousaveit.

Referto“SecurityAdministration”inthe

InstallationandAdministrationGuidefordetailsonresolvingincompatibilityissues.

EndPointControl

YoucanuseEndPointControltoclassify devicesastheyattempttoconnecttotheappliance.Whenadevice

matchesaprofilethatyouhavecreated,itisassignedtoanEPCzoneoftrust,wherethedeviceisgranteda

certainamountofaccess,quarantined,ordeniedaccessaltogether.

Inaddition,onceadeviceisclassifiedintoa

givenzone,youcankeepcheckingitatasetintervaltoseeifitmeetsyourEPCrequirements.

AnEPCzonecanreferenceoneormoredeviceprofiles.Multipledeviceprofilesareusefulifuserswithsimilar

VPNaccessneeds

usedifferentcomputerplatforms.Forexample,youcouldconfigureanEPCzonethat

referencesadeviceprofileforWindowscomputers,andanotherzoneforMacintoshcomputers.

Zonesareinturnreferencedinacommunity,whichdetermineswhatdataprotectionagentsaredeployed.

Optionally,youcanreferenceazoneinanaccess

controlruletodeterminewhichresourcesareavailableto

usersinthatzone.

EPCevaluationprocessillustratestheEPCevaluationprocessperformedbytheSMAappliancewhenauser

connectstoit.

EPCevaluationprocess

Related product manuals