1. Click OK to close the window, and then click Apply for the settings to take effect on the SonicWALL.
Wireless Bridge VPN Policy
The Wireless Bridge VPN Policy is configured as follows:
1. Click VPN, then Configure.
2. Select IKE using Preshared Secret from the IPSec Keying Mode menu.
3. Enter a name for the SA in the Name field.
4. Type the IP address of the Access Point in the IPSec Gateway field. In our example network, the IP address is 172.16.31.1.
5. Select Use this VPN Tunnel as default route for all Internet traffic from the Destination Networks section.
To configure WEP on the SonicWALL, log into the SonicWALL and click Wireless, then WEP Encryption.
1. Select the authentication type from the Authentication Type list. Both (Open System & Shared Key) is selected by default.
2. Select 64-bit or 128-bit from the WEP Key Mode. 128-bit is considered more secure than 64-bit. This value is applied to all keys.
WEP Encryption Keys
3. Select the key number, 1, 2, 3, or 4, from the Default Key menu.
4. Select the key type to be either Alphanumeric or Hexadecimal.
Wireless>Advanced
To access Advanced configuration settings for the TZ 170 Wireless, log into the SonicWALL, click Wireless, and then Advanced.
Beaconing & SSID Controls
1. Select Hide SSID in Beacon. If you select Hide SSID in Beacon, your wireless network is invisible to anyone who does not know your SSID. This is a good way to prevent “drive by hackers” from seeing your wireless connection.
2. Type a value in milliseconds for the Beacon Interval.
receive antenna. As radio signals arrive at both antennas on the TZ 170 Wireless, the strength and integrity of the signals are evaluated, and the best received signal is used. The selection process between the two antennas is constant during operation to always provide the best possible signal. To allow for external (e.g. higher gain uni-directional) antennas to be used, antenna diversity can now be disabled from the Wireless > Advanced > Advanced Radio Settings section.
5. The Fragmentation Threshold (bytes) is 2346 by default. Increasing the value means that frames are delivered with less overhead, but a lost or damaged frame must be discarded and retransmitted.
6. The RTS Threshold (bytes) is 2432 by default. If network throughput is slow or a large number of frame retransmissions is occurring, decrease the RTS threshold to enable RTS clearing.
7. The default value for the DTIM Interval is 3.
Once the MAC address is added to the MAC Address List, you can select Allow or Block next to the entry. For example, if the user with the wireless card is not always in the office, you can select Block to deny access during the times the user is offsite. Click on the Notepad icon under Configure to edit the entry. Click on the Trashcan icon to delete the entry. To delete all entries, click Delete All.
Enable Client Null Probing
The control to block Null probes is not available on the 802.11g card built into the TZ170. Instead, enabling this setting allows the TZ 170 Wireless to detect and log Null Probes, such as those used by Netstumbler and other similar tools.
• Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill effects.
• Persistent connections (protocols such as FTP) are impaired or severed.
• WiFiSec connections should automatically re-establish and resume with no noticeable interruption to the client.
6 Wireless Guest Services
Wireless Guest Services allow you to manage wireless users’ access to your network. Wireless Guest Services are located under the WGS button in the left navigation pane.
Wireless Guest Services
Select Enable Wireless Guest Services to allow configured guest accounts access to the TZ 170 Wireless.
Bypass Guest Authentication
The Bypass Guest Authentication feature is designed to allow a TZ 170 Wireless running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication.
To disable a Guest Account, clear the Enable check box in the Guest Account entry line. To edit an existing Guest Account, click the Notepad icon under Configure. To delete a Guest Account, click the Trashcan icon under Configure. To delete all Guest Accounts, click Delete All.
URL Allow List
Selecting Enable URL Allow List for Unauthenticated Users allows you to create a list of URLs (HTTP and HTTPS only) that WGS users can visit even before they authenticate.
IP Deny List
Selecting IP Address Deny List for Authenticated Users allows you to specify IP addresses and subnet masks to which WGS users are explicitly denied access. Individual hosts can be entered using a 32-bit subnet mask (255.255.255.255), networks can be entered with the appropriate subnet mask, and network ranges can be aggregated using CIDR notation or supernetting (for example, entering 192.168.0.0/255.255.240.0 covers the individual class C networks 192.168.0.0/24 through 192.168.15.0/24).
1.
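As an added example (not part of the guide), the following Python checks a destination against deny-list entries written in the three forms described above and expands a supernet entry into the class C networks it covers; the entries themselves are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# Constructed deny-list entries in the three forms the guide describes:
# a single host (32-bit mask), a network with its own mask, and a supernet
# that aggregates sixteen class C networks.
DENY_LIST = [
    "10.1.2.3/255.255.255.255",
    "10.20.0.0/255.255.0.0",
    "192.168.0.0/255.255.240.0",
]

def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Accept address/dotted-mask or address/prefix-length; host bits are masked off."""
    return ipaddress.ip_network(entry, strict=False)

def load_deny_list(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [parse_entry(e) for e in entries]

def is_denied(dst_ip: str, deny: List[ipaddress.IPv4Network]) -> bool:
    """True if the destination falls inside any deny-list entry."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in deny)

def covered_class_c(net: ipaddress.IPv4Network) -> List[str]:
    """The /24 networks an entry spans; a host or anything smaller than a /24 maps to itself."""
    if net.prefixlen >= 24:
        return [str(net)]
    return [str(s) for s in net.subnets(new_prefix=24)]

def aggregate(networks: Iterable[str]) -> List[str]:
    """Supernet a list of networks into the fewest entries (the reverse of covered_class_c)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    deny = load_deny_list(DENY_LIST)
    for dst in ("192.168.15.200", "192.168.16.1", "10.1.2.3", "10.1.2.4"):
        print(dst, "denied" if is_denied(dst, deny) else "allowed")
    print(covered_class_c(parse_entry("192.168.0.0/255.255.240.0")))
```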
Configuring Wireless Guests
To configure new wireless guest accounts, click Add. The Add Guest Account window is displayed. By default, the following settings are selected:
Enable Account
When selected, the wireless guest account is automatically enabled. You can clear the checkbox to disable the account until necessary.
Auto-Prune Account
By default, newly created accounts are set to Auto-Prune, and are automatically deleted when they expire.
Session Lifetime
Defines how long a WGS session remains active after it has been activated. By default, activation occurs the first time a WGS user logs into an account. Alternatively, activation can occur at the time the account is created by clearing the Activate account upon first login checkbox. The Session Lifetime cannot exceed the value set in the Account Lifetime.
Idle Timeout
Defines the maximum period of time during which no traffic is passed on an activated WGS session.
clients, inhibiting crucial functions such as wireless print servers, Microsoft Outlook mail notification, or any other function requiring LAN-initiated communications to WLAN clients. Any LAN client attempting to resolve the IP address of a Global VPN Virtual Adapter receives a response from the TZ 170 Wireless LAN. This allows any client on the LAN to communicate directly with the WLAN client via the secure WiFiSec link, enabling configurations like the one below.
In the example above, the PRO 330 does not require a route to the 172.16.31.X network as long as the Virtual Adapter is used by all clients. To configure routing on the TZ 170 Wireless to support the above example, click Network and then Routing.
1. Under Default Route, click Configure. The Edit Default Route window is displayed.
2. Enter the IP address in the Default Gateway field, and then select LAN, WAN, or WLAN from the Interface menu. Click OK. The default gateway is now configured.
Prior to SonicOS 1.5.0.0, Wireless Guest Services were only available in default-route-on-WAN configurations. This scheme provided an automatic differentiation of destinations for WGS traffic. In other words, WGS traffic bound for the WAN was permitted, but WGS traffic attempting to reach the LAN (local traffic), to cross the LAN (to reach an adjacent network connected via a router), or to cross a VPN tunnel was dropped.
Page 134 SonicWALL SonicOS Standard Administrator’s Guide
7 Modem
The SonicWALL TZ 170 SP contains a built-in modem. You can use the modem as:
• A backup connection for the WAN connection. See Modem > Failover.
• The only Internet connection for the TZ 170 SP. See Modem > Settings.
Modem > Status
The Status page displays dialup connection information when the modem is active. You create modem dialup profiles in the Modem Profile Configuration window, which you access from the Modem > Dialup Profiles page.
Modem > Settings
The Modem > Settings page lets you select from a list of modem profiles, set the modem volume, and configure AT commands for modem initialization.
Configuring Profile and Modem Settings
To configure the SonicWALL modem settings, follow these steps:
1. From the Primary Profile menu, select the profile the SonicWALL uses to access the modem. If you have enabled Manual Dial for the Primary Profile, Alternate Profile 1 is not used.
Modem > Failover
To improve the operational availability of networks and ensure fast recovery from network failures, the Modem > Failover page allows you to configure the SonicWALL modem for use as a secondary WAN port. The secondary WAN port can be used in a simple "active/passive" setup, so that traffic is routed through the secondary WAN port only if the primary WAN port is unavailable.
Alert! The SonicWALL modem can only dial out. Dialing into the internal modem is not supported. However, an external modem can be connected to the Console port for remotely accessing the SonicWALL for out-of-band support.
Configuring Modem Failover
Use the following instructions to configure the Failover Settings:
1. Select Enable WAN Failover.
2.
Modem > Dialup Profiles
The Modem > Dialup Profiles page allows you to configure modem profiles on the SonicWALL using your dial-up ISP information for the connection. Multiple modem profiles can be used when you have a different profile for each ISP.
Tip! The SonicWALL supports a maximum of 10 configuration profiles.
Modem > Dialup Profiles > Modem Profile Configuration
The Modem Profile Configuration window allows you to configure your modem dial-up connections. Once you create your profiles, you can then specify which profiles to use for WAN failover or Internet access.
Configuring a Dialup Profile
To configure your ISP settings, you must obtain your Internet information from your dial-up Internet Service Provider.
1. In the ISP User page, enter a name for your dialup profile in the Profile Name field.
2.
8. Click the ISP Address tab.
9. In the ISP Address Setting section, select Obtain an IP Address Automatically if you do not have a permanent dialup IP address from your ISP. If you have a permanent dialup IP address from your ISP, select Use the following IP Address and enter the IP address in the corresponding field.
10. If you obtain an IP address automatically for your DNS server(s), select Obtain an IP Address Automatically.
• Dial on Data - Using Dial on Data requires that outbound data be detected before the modem dials the ISP. Outbound data does not need to originate from computers on the LAN; it can also be packets generated by SonicWALL internal applications such as AutoUpdate and Anti-Virus. If Enable WAN Failover is selected on the Modem > Failover page, the pings generated by the probe can trigger the modem to dial when no WAN Ethernet connection is detected.
Chat Scripts
Some legacy servers can require company-specific chat scripts for logging onto the dial-up servers. A chat script, like other types of scripts, automates the act of typing commands using a keyboard. It consists of commands and responses, made up of groups of expect-response pairs as well as additional control commands, used by the chat script interpreter on the TELE3 SP.
A custom chat script can look like the following script, written as one expect-send pair per line:

    ABORT 'NO CARRIER'
    ABORT 'NO DIALTONE'
    ABORT 'BUSY'
    '' ATQ0
    '' ATE0
    '' ATM1
    '' ATW2
    '' ATV1
    OK ATDT\T
    CONNECT ''
    sername: \L
    assword: \P

Tip! The first character of the username and password prompts (sername:, assword:) is ignored when matching the server's login prompts.
The script looks a lot like the previous script with the exception of the commands at the end. There is an empty string ('') after CONNECT which sends a carriage return command to the server.
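The script above, replayed against a constructed modem transcript so the expect-send flow and the ABORT handling can be seen end to end. This is an added Python example, not SonicWALL code: the tokenizer, the substitution of \T, \L and \P, and the modem responses are assumptions made for illustration.

```python
import re
from typing import List, Tuple

# The chat script shown above, in chat expect-send syntax. '' is the empty
# string; \T, \L and \P stand for the phone number, login and password.
CHAT_SCRIPT = (
    "ABORT 'NO CARRIER' ABORT 'NO DIALTONE' ABORT 'BUSY' "
    "'' ATQ0 '' ATE0 '' ATM1 '' ATW2 '' ATV1 OK ATDT\\T CONNECT '' "
    "sername: \\L assword: \\P"
)

def parse_chat(script: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a chat script into its ABORT strings and (expect, send) pairs."""
    tokens = [t[1:-1] if t.startswith("'") else t
              for t in re.findall(r"'[^']*'|\S+", script)]
    aborts, pairs, i = [], [], 0
    while i + 1 < len(tokens):
        if tokens[i] == "ABORT":
            aborts.append(tokens[i + 1])
        else:
            pairs.append((tokens[i], tokens[i + 1]))
        i += 2
    return aborts, pairs

def substitute(send: str, phone: str, login: str, password: str) -> str:
    """Fill in the dial-time placeholders used by the script."""
    return send.replace("\\T", phone).replace("\\L", login).replace("\\P", password)

def run_chat(script: str, modem_output: str, phone: str, login: str, password: str):
    """Replay the script against a modem transcript. Returns (connected, lines_sent, reason)."""
    aborts, pairs = parse_chat(script)
    pos, sent = 0, []
    for expect, send in pairs:
        if expect:  # a non-empty expect waits for that text from the modem
            hit = modem_output.find(expect, pos)
            for word in aborts:  # an ABORT string arriving first ends the dial
                ahit = modem_output.find(word, pos)
                if ahit != -1 and (hit == -1 or ahit < hit):
                    return False, sent, word
            if hit == -1:
                return False, sent, "timeout waiting for " + expect
            pos = hit + len(expect)
        sent.append(substitute(send, phone, login, password))  # '' sends a bare CR
    return True, sent, "connected"

# Constructed transcripts: a successful dial and a busy line.
GOOD_MODEM = "OK\r\nOK\r\nOK\r\nOK\r\nOK\r\nCONNECT 33600\r\nUsername: Password: "
BUSY_MODEM = "OK\r\nOK\r\nOK\r\nOK\r\nOK\r\nBUSY\r\n"
```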
8 Firewall
Network Access Rules are management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL. By default, the SonicWALL’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet.
Firewall>Access Rules
The Access Rules page displays a table of defined Network Access Rules. Rules are sorted from the most specific at the top to the least specific at the bottom of the table. At the bottom of the table is the Default rule, which covers all IP services except those addressed by the rules listed above it in the Access Rules page. Rules can be created to override the behavior of the Default rule; for example, the Default rule allows users on the LAN to access all Internet services, including NNTP News.
Adding Rules using the Network Access Rule Wizard
The Network Access Rule Wizard takes you step by step through the process of creating network access rules on the SonicWALL. To launch the Access Rules Wizard, click the Rule Wizard button at the top right of the Firewall>Access Rules page.
Note: The image on the left pane of the Network Access Rules Wizard changes according to the SonicWALL you’re using, but all the wizard pages are the same for the TZ170, PRO 2040, or PRO 3060.
1.
Configuring a Public Server Rule
Step 2: Public Server
3. Select the type of service for the rule from the Service menu. In this example, select Web (HTTP) to allow network traffic to a Web Server on your LAN.
4. Type the IP address of the server in the IP address field.
5. Select the destination of the network traffic from the Destination Interface menu. In this case, you are sending traffic to the LAN. Select LAN.
6. Click Next.
7.
Configuring a General Network Access Rule
To launch the Access Rules Wizard, select the System>Wizards page and click the Rule Wizard button. The Network Access Rule Wizard is displayed.
1. To continue, click Next.
Step 1: Access Rule Type
2. Select the type of network access rule you want to create, in this case General. Click Next.
Step 2: Access Rule Service
3. Select the type of service for the rule. If you do not see the service in the list, you must add it manually to the list of services on the Firewall>Services page. Click Next.
Step 3: Access Rule Action
4. Select Allow to allow the service to the network, or select Deny to disallow the service to the network.
5. Enter a value in minutes in the Inactivity Timeout (minutes) field. The default value is 5 minutes.
6. Click Next.
Step 4: Access Rule Source Interface and Address
7. If you have a range of IP addresses, enter the first one in the IP Address Begin field. If you do not want to specify an IP address, enter “*” in the IP Address Begin field. By typing * (asterisk) in the field, all traffic using the service is either allowed or denied to all computers on the network. Click Next.
8. Select the source of the service from the Interface menu. If you want to allow or deny the service from the Internet, select WAN.
Step 6: Access Rule Time
11. The rule is always active unless you specify a time period for the rule to be active. For instance, you can deny access to News (NNTP) between 8 a.m. and 5 p.m. Monday through Friday, but allow access after work hours and on weekends. Click Next.
Completing the Network Access Rule Wizard
12. Click Apply to save your new rule. The new rule is listed in the Access Rules table.
Adding Rules Using the Add Rule Window
To add Access Rules to the SonicWALL, click Add at the bottom of the Access Rules table. The Add Rule window is displayed.
1. Select Allow or Deny from the Action list depending upon whether the rule is intended to permit or block IP traffic.
2. Select the name of the service affected by the Rule from the Service list. If the service is not listed, you must define the service in the Add Service window. The Default service encompasses all IP services.
3.
10. Select from the Apply this Rule menu to define the specific time and day of week to enforce the rule. Enter the time of day (in 24-hour format) to begin and end enforcement. Then select the day of the week to begin and end enforcement.
Tip! If you want to enable the rule at different times depending on the day of the week, make additional rules for each time period.
11.
Enabling Ping
By default, your SonicWALL does not respond to ping requests from the Internet. This Rule allows ping requests from your ISP servers to your SonicWALL.
1. Click Add to launch the Add Rule window.
2. Select Allow from the Action menu.
3. Select Ping from the Service menu.
4. Select WAN from the Source Ethernet menu.
5. Enter the starting IP address of the ISP network in the Source Address Range Begin field and the ending IP address of the ISP network in the Source Address Range End field.
6.
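As an added example (not SonicWALL code), the following Python evaluates a rule table the way the Access Rules page orders it: most specific first, first match wins, Default rules last. The rule fields, the ISP address range and the timestamps are constructed to mirror the NNTP schedule and the ISP ping rule described above.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

@dataclass
class Rule:
    action: str                  # "Allow" or "Deny"
    service: str                 # "NNTP", "Ping", ... or "Default" (all IP services)
    src_iface: str               # source interface: "LAN", "WAN" or "WLAN"
    dst_iface: str               # destination interface
    src_begin: str = "*"         # "*" means any source address
    src_end: str = ""            # end of the source range; empty means a single host
    start: str = "00:00"         # enforcement window, 24-hour format
    end: str = "24:00"
    days: Tuple[int, ...] = (0, 1, 2, 3, 4, 5, 6)   # Monday=0 .. Sunday=6

    def matches(self, service, src_iface, dst_iface, src_ip, when: datetime) -> bool:
        if self.service not in ("Default", service):
            return False
        if (self.src_iface, self.dst_iface) != (src_iface, dst_iface):
            return False
        if self.src_begin != "*":
            lo = ipaddress.ip_address(self.src_begin)
            hi = ipaddress.ip_address(self.src_end or self.src_begin)
            if not lo <= ipaddress.ip_address(src_ip) <= hi:
                return False
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") < self.end

def evaluate(rules: List[Rule], service, src_iface, dst_iface, src_ip, when_iso: str) -> str:
    """Walk the table top to bottom; the first matching rule decides (when_iso: 'YYYY-MM-DDTHH:MM')."""
    when = datetime.fromisoformat(when_iso)
    for rule in rules:
        if rule.matches(service, src_iface, dst_iface, src_ip, when):
            return rule.action
    return "Deny"  # nothing matched: stateful inspection drops unsolicited traffic

# Constructed table: deny NNTP during office hours, let the ISP's (assumed)
# 203.0.113.0/24 range ping the firewall's own WAN address, then the Default
# rules (LAN to Internet allowed, Internet to LAN blocked).
RULES = [
    Rule("Deny", "NNTP", "LAN", "WAN", start="08:00", end="17:00", days=(0, 1, 2, 3, 4)),
    Rule("Allow", "Ping", "WAN", "WAN", "203.0.113.1", "203.0.113.254"),
    Rule("Allow", "Default", "LAN", "WAN"),
    Rule("Deny", "Default", "WAN", "LAN"),
]
```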