Sonicwall: Allow Ping from Only IP Range

partner1220 (Weaksauce, joined Aug 22, 2008, 75 messages)
Our new ISP requires us to allow ping from their IP range to our Sonicwall. I've tried a few ways, but can't seem to get it to work ONLY from that IP range. Seems to be all or nothing, so I assume I have an error in my rules.

Sonicwall Enhanced OS 5.8.1.5-46o
Right now, this is backup WAN until we are satisfied, then it will move to primary. It is connected to X2.

When I configure Network > Interfaces > WAN > Allow Ping, ping works. However, it works from ANY IP. I only want it allowed from x.x.x.1 through x.x.x.254.

I tried unchecking Ping, then creating the firewall rules as follows, but it then doesn't allow ping from anywhere, including the IP I've allowed.

Address Object created called 'ISP Monitoring' with the range x.x.x.0 through x.x.x.254

Access Rule:
From Zone: WAN
To Zone: LAN
Service: Ping
Source: ISP Monitoring
Destination: Any

Am I missing something or going about this the wrong way?

Thanks in advance! Let me know if I can provide any additional details.
 
You should add your ISP's IP range into an address book entry and then use that as the from address with the ping service.
 
Why do you block Ping anyway?

I know there's disagreement on this (blocking ping), but I've always tried to take the stance to allow only what's required.

Maybe this is just old/outdated best practice on my part. I'd still like to make this work, though.
 
It's called least privilege. I never enable ping on the WAN or any public zone.
 
It's usually a bad idea, and not just for yourself. Use rate-limiting if you need it, and be sure not to block all ICMP types, as you'll break a lot of things such as PMTU(D).
//Danne
 
Got it

I enabled Ping on the WAN interface, which as I mentioned, allows for all.

Then I modified the rule that was created (WAN>WAN) and changed the source to only my ISP's range.
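
A simplified model of why the WAN > LAN rule in the first post never matched while the narrowed WAN > WAN rule did, added here as an illustration and not part of the thread or of SonicOS itself. It assumes first-match zone-pair rules with a default drop; every address is a constructed documentation-range value standing in for the elided x.x.x range.

```python
import ipaddress

# Constructed lab values (RFC 5737 documentation ranges), not from the thread.
WAN_IF = ipaddress.ip_address("198.51.100.2")     # firewall's own WAN (X2) address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # network behind the firewall
ISP_FIRST = ipaddress.ip_address("203.0.113.1")   # stands in for x.x.x.1
ISP_LAST = ipaddress.ip_address("203.0.113.254")  # stands in for x.x.x.254


def in_isp_range(ip):
    """Source matcher for the 'ISP Monitoring' address object."""
    return ISP_FIRST <= ip <= ISP_LAST


def any_source(ip):
    """Source matcher for 'Any'."""
    return True


def dest_zone(dst):
    """Zone of the destination; the firewall's own WAN address is in WAN."""
    if dst == WAN_IF:
        return "WAN"
    return "LAN" if dst in LAN_NET else "WAN"


def ping_allowed(rules, src, dst=WAN_IF):
    """Evaluate a ping arriving on the WAN side; no matching rule means drop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for from_zone, to_zone, source_ok in rules:
        if (from_zone, to_zone) == ("WAN", dest_zone(dst)) and source_ok(src):
            return True
    return False


# Rules as (from zone, to zone, source matcher); service is always Ping here.
FIRST_ATTEMPT = [("WAN", "LAN", in_isp_range)]  # rule from the first post
ALLOW_PING_BOX = [("WAN", "WAN", any_source)]   # created by the Allow Ping checkbox
FINAL_FIX = [("WAN", "WAN", in_isp_range)]      # same rule, source narrowed

if __name__ == "__main__":
    cases = {"first attempt": FIRST_ATTEMPT, "checkbox": ALLOW_PING_BOX,
             "final fix": FINAL_FIX}
    for name, rules in cases.items():
        # One ISP monitor address and one unrelated internet host (constructed).
        result = {s: ping_allowed(rules, s) for s in ("203.0.113.10", "192.0.2.77")}
        print(f"{name:14} {result}")
```

The ping is addressed to the firewall's own WAN interface, so the matching zone pair is WAN > WAN; a WAN > LAN rule is never consulted for it.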
 