TZ_210_GSG.book Page 10 Thursday, November 13, 2008 7:41 PM

Creating a MySonicWALL Account

A MySonicWALL account is required for product registration. If you already have an account, continue to the Registering and Licensing Your Appliance on MySonicWALL section. Perform the following steps to create a MySonicWALL account:
1. In your browser, navigate to www.mysonicwall.com.
2. In the login screen, click the Not a registered user? link.
Security Services and Software

The Service Management - Associated Products page in MySonicWALL lists security services, support options, and software, such as ViewPoint, that you can purchase or try with a free trial. For details, click the Info button.
Activating Security Services and Software

Trying or Purchasing Security Services

If you purchase a service subscription or upgrade from a sales representative, you will receive an activation key. This key is emailed to you after online purchases, or is printed on the front of the certificate that was included with your purchase. To try a free trial of a service, click Try in the Service Management page.
3  Enabling Security Services

In this Section:
Security services are an essential component of a secure network deployment. This section provides instructions for registering and enabling security services on your SonicWALL TZ 210 series appliance.
Enabling Security Services in SonicOS

After completing the registration process in SonicOS, perform the tasks listed below to activate your licenses and enable your licensed services from within the SonicOS user interface. SonicWALL security services are key components of threat management in SonicOS.

Verifying Licenses

Verify that your security services are licensed on the System > Status page before enabling them.
Enabling Gateway Anti-Virus

To enable Gateway Anti-Virus (GAV) in SonicOS:
1. Navigate to the Security Services > Gateway Anti-Virus page.
2. Select the Enable Gateway Anti-Virus checkbox and click Accept to apply changes.
Enabling Intrusion Prevention Services

To enable Intrusion Prevention (IPS) in SonicOS:
1. Navigate to the Security Services > Intrusion Prevention page.
2. Select the Enable Intrusion Prevention checkbox.

Intrusion Prevention contains other useful features, including:
• Exclusion Lists for network nodes where IPS enforcement is not necessary. Keep the list short and review it periodically; an excluded node receives no IPS inspection at all.
Enabling Anti-Spyware

To enable Anti-Spyware in SonicOS:
1. Navigate to the Security Services > Anti-Spyware page.
2. Select the Enable Anti-Spyware checkbox.

Anti-Spyware contains other useful features, including:
• Exclusion Lists exclude network nodes when Anti-Spyware enforcement is not necessary.
• Log Redundancy controls log size during high-volume attack attempts by enforcing a delay between log entries.
Enabling Content Filtering Service

To enable Content Filtering Service (CFS) in SonicOS:
1. Navigate to the Security Services > Content Filter page.
2. Select SonicWALL CFS in the Content Filter Type dropdown list and then click the Configure button.
Verifying Security Services on Zones

Security services such as Gateway Anti-Virus are applied automatically to the LAN and WAN zones only. Other zones, such as the DMZ or Wireless LAN (WLAN), are not inspected until you enable the security services on those zones (on the Network > Zones page, in the zone's configuration). For example, you can enable SonicWALL Intrusion Prevention Service for incoming and outgoing traffic on the WLAN zone to add more security for internal network traffic.
4  Advanced Network Configuration

In this Section:
This section provides detailed overviews of advanced deployment scenarios, as well as configuration instructions for connecting your SonicWALL TZ 210 series appliance to various network devices.
An Introduction to Zones and Interfaces

Zones split a network infrastructure into logical areas, each with its own set of usage rules, security services, and policies. Most networks include multiple definitions for zones, including those for trusted, untrusted, public, encrypted, and wireless traffic. Basic (default) zone types include LAN, WAN, DMZ, and WLAN. The X1 and X0 interfaces are preconfigured as WAN and LAN respectively.
SonicWALL Wireless Firewalling

When a wireless device uses an access point to communicate with a device on another subnet or on a completely different network, traffic between the devices is forced to traverse the network gateway. This traversal enables Unified Threat Management (UTM) services to be enforced at the gateway.
Configuring Interfaces

Interfaces, also known as ports, are physical network connections that can be configured to provide different networking and security features based on your network needs.
Note: If only the X0 and X1 interfaces are displayed in the Interfaces list, click the Show PortShield Interfaces button to show all interfaces.
Note: For more information on Zone types, see "An Introduction to Zones and Interfaces" on page 22.
PortShield Wizard

With PortShield, multiple ports can share the network settings of a single interface. The SonicWALL PortShield feature enables you to easily configure the ports on the SonicWALL TZ 210 series appliance into common deployments.

Selection | Port Assignment | Usage
WAN/LAN | X0, X2-X6: LAN; X1: WAN | Connect any local network device to X0 or X2-X6 for local and Internet connectivity.
Manual PortShield Configuration

You can also manually group ports together using the graphical PortShield Groups interface. Grouping ports allows them to share a common network subnet as well as common zone settings.
Note: Interfaces must be configured before being grouped with PortShield. For instructions, see the Configuring an Interface section, on page 24.
To manually configure a PortShield interface:
Creating Network Access Rules

A Zone is a logical grouping of one or more interfaces designed to make management a simpler and more intuitive process than following a strict physical interface scheme.
To create an access rule:
1. On the Firewall > Access Rules page in the matrix view, select the two zones that will be bridged by this new rule.
2. On the Access Rules page, click Add.
3. In the Add Rule page on the General tab, select Allow, Deny, or Discard from the Action list to permit or block IP traffic. Deny rejects the packet and sends a TCP reset or ICMP unreachable to the sender; Discard drops it silently, which reveals nothing about the rule to an external scanner.
4. Configure the other settings on the General tab as explained below:
• Select the service or group of services affected by the access rule from the Service drop-down list. If the service is not listed, you must define the service in the Add Service window.
5. Click on the Advanced tab.

Address Objects

Address Objects are one of four object classes (Address, User, Service, and Schedule) in SonicOS Enhanced. Once you define an Address Object, it becomes available for use wherever applicable throughout the SonicOS management interface. For example, consider an internal Web server with an IP address of 67.115.118.80.
3. In the Add Address Object dialog box, enter a name for the Address Object in the Name field.
4. Select the zone to assign to the Address Object from the Zone Assignment drop-down list.
5. Select Host, Range, Network, MAC, or FQDN from the Type menu.
   - For Host, enter the IP address in the IP Address field.
   - For Range, enter the starting and ending IP addresses in the Starting IP Address and Ending IP Address fields.
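The following Python model shows how the pieces defined in the two sections above fit together: Address Objects of each Type (Host, Range, Network, MAC, FQDN), and Access Rules evaluated per zone pair with the Allow, Deny and Discard actions. It is an added example written for this page, not SonicWALL code or an emulation of SonicOS internals. The object names, the rule set, the sample packets and the FQDN lookup table are constructed; FQDN objects resolve from that table instead of DNS so the script runs offline, and only IPv4 is handled.

```python
"""Model of SonicOS-style Address Objects and zone-to-zone Access Rules.

Added example, not SonicWALL code. Object and rule names are assumptions,
FQDN lookups come from a constructed table rather than live DNS so the
script runs offline, and only IPv4 is handled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS resolution of FQDN address objects.
FAKE_DNS = {"www.example.com": ["67.115.118.80"]}


@dataclass(frozen=True)
class AddressObject:
    name: str
    zone: str
    kind: str    # Host | Range | Network | MAC | FQDN (the Type menu)
    value: str   # "a.b.c.d", "start-end", "net/prefix", "aa:bb:..", or a hostname

    def contains(self, ip: str, mac: Optional[str] = None) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "Host":
            return addr == ipaddress.ip_address(self.value)
        if self.kind == "Range":
            lo, hi = (ipaddress.ip_address(x.strip()) for x in self.value.split("-"))
            return lo <= addr <= hi
        if self.kind == "Network":
            return addr in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "MAC":
            return mac is not None and mac.lower() == self.value.lower()
        if self.kind == "FQDN":
            return any(addr == ipaddress.ip_address(a) for a in FAKE_DNS.get(self.value, []))
        raise ValueError(f"unknown address object type: {self.kind}")


ANY = AddressObject("Any", "*", "Network", "0.0.0.0/0")


@dataclass(frozen=True)
class AccessRule:
    src_zone: str
    dst_zone: str
    action: str                     # Allow | Deny | Discard
    service: str = "Any"            # e.g. "HTTP"; "Any" matches every service
    source: AddressObject = ANY
    destination: AddressObject = ANY
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str
    src_mac: Optional[str] = None


def evaluate(rules, pkt: Packet) -> str:
    """Return the action for pkt.

    Rules are scanned in order within the (source zone, destination zone)
    cell of the matrix and the first match wins. A zone pair with no
    matching rule falls through to Deny: nothing crosses a zone boundary
    unless a rule explicitly permits it.
    """
    for r in rules:
        if not r.enabled or (r.src_zone, r.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            continue
        if r.service not in ("Any", pkt.service):
            continue
        if r.source.contains(pkt.src_ip, pkt.src_mac) and r.destination.contains(pkt.dst_ip):
            return r.action
    return "Deny"


# Constructed policy: publish the web server at the section's example
# address on HTTP only, silently drop everything else from the WAN into
# the DMZ, and let the LAN subnet out to the WAN.
WEB_SERVER = AddressObject("Web Server", "DMZ", "Host", "67.115.118.80")
LAN_SUBNET = AddressObject("LAN Subnet", "LAN", "Network", "192.168.168.0/24")
RULES = [
    AccessRule("WAN", "DMZ", "Allow", "HTTP", ANY, WEB_SERVER),
    AccessRule("WAN", "DMZ", "Discard"),
    AccessRule("LAN", "WAN", "Allow", "Any", LAN_SUBNET, ANY),
]


def demo() -> dict:
    """Evaluate a few constructed flows against RULES."""
    return {
        "web_http": evaluate(RULES, Packet("WAN", "DMZ", "198.51.100.7", "67.115.118.80", "HTTP")),
        "web_ssh": evaluate(RULES, Packet("WAN", "DMZ", "198.51.100.7", "67.115.118.80", "SSH")),
        "wan_to_lan": evaluate(RULES, Packet("WAN", "LAN", "198.51.100.7", "192.168.168.50", "HTTP")),
        "lan_out": evaluate(RULES, Packet("LAN", "WAN", "192.168.168.50", "198.51.100.7", "HTTPS")),
    }


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow:12} -> {action}")
```

The ordering matters: the specific Allow for HTTP to the Web Server object must precede the catch-all Discard in the same WAN > DMZ cell, otherwise nothing reaches the server. The WAN > LAN cell has no rule at all and therefore denies, which is the posture to keep when a server is moved from the LAN to the DMZ.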
Network Address Translation

Configuring NAT Policies

The Network Address Translation (NAT) engine in SonicOS Enhanced allows users to define granular NAT policies for their incoming and outgoing traffic. By default, the SonicWALL security appliance has a preconfigured NAT policy that performs Many-to-One NAT between the systems on the LAN and the IP address of the WAN interface.
This section describes how to configure a One-to-One NAT policy. One-to-One is the most common NAT policy used to route traffic to an internal server, such as a Web server. Most of the time, this means that incoming requests from external IP addresses have their destination translated from the IP address of the SonicWALL security appliance WAN port to the IP address of the internal Web server. A NAT policy only rewrites addresses; the translated traffic is still subject to the access rule for the zone pair, so the server is not reachable until a matching WAN access rule also permits it.
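To make the two policies from this section concrete, here is a small NAT policy engine: the default Many-to-One policy for LAN egress and a One-to-One pair that publishes an internal server on the WAN address in both directions. This is an added example written for this page, not SonicOS code. The WAN address (a TEST-NET-3 address), the interface names, the policy field names (chosen to mirror the Original/Translated Source and Destination and Inbound/Outbound Interface columns of the SonicOS NAT policy table) and the sample flows are all assumptions; only IPv4 is handled.

```python
"""NAT policy engine modelling the two policies this section describes:
the default Many-to-One policy for LAN egress and a One-to-One policy
that publishes an internal server on the WAN address.

Added example, not SonicOS code. The addresses, interface names and the
policy field names are assumptions chosen to mirror the columns of the
SonicOS NAT policy table. IPv4 only."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

WAN_IP = "203.0.113.10"          # assumed WAN interface address (TEST-NET-3)
WEB_SERVER = "192.168.168.123"   # internal server address from the wizard example
LAN_SUBNET = "192.168.168.0/24"  # assumed LAN subnet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    in_if: str    # interface the packet arrived on
    out_if: str   # interface it will leave on


def _match(want: str, have: str) -> bool:
    """'Any' matches everything, a CIDR matches by subnet, anything else exactly."""
    if want == "Any":
        return True
    if "/" in want:
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    return want == have


@dataclass(frozen=True)
class NatPolicy:
    comment: str
    orig_src: str = "Any"
    trans_src: str = "Original"
    orig_dst: str = "Any"
    trans_dst: str = "Original"
    in_if: str = "Any"
    out_if: str = "Any"

    def matches(self, f: Flow) -> bool:
        return (_match(self.orig_src, f.src) and _match(self.orig_dst, f.dst)
                and _match(self.in_if, f.in_if) and _match(self.out_if, f.out_if))

    def apply(self, f: Flow) -> Flow:
        return replace(
            f,
            src=f.src if self.trans_src == "Original" else self.trans_src,
            dst=f.dst if self.trans_dst == "Original" else self.trans_dst,
        )


# Constructed policy table, most specific first. The One-to-One pair comes
# before the catch-all Many-to-One policy so the server keeps its public
# identity in both directions. X1 is the WAN, X0 the LAN, X2 the DMZ.
POLICIES: List[NatPolicy] = [
    NatPolicy("1:1 inbound: WAN IP -> web server",
              orig_dst=WAN_IP, trans_dst=WEB_SERVER, in_if="X1"),
    NatPolicy("1:1 outbound: web server -> WAN IP",
              orig_src=WEB_SERVER, trans_src=WAN_IP, in_if="X2", out_if="X1"),
    NatPolicy("default many-to-one: LAN -> WAN IP",
              orig_src=LAN_SUBNET, trans_src=WAN_IP, out_if="X1"),
]


def translate(policies: List[NatPolicy], f: Flow) -> Tuple[Flow, Optional[str]]:
    """First matching policy wins; an unmatched flow is forwarded as-is.

    NAT only rewrites addresses. Whether the rewritten flow is permitted
    is decided separately by the access rule for the zone pair, so the
    One-to-One policy on its own does not expose the server.
    """
    for pol in policies:
        if pol.matches(f):
            return pol.apply(f), pol.comment
    return f, None


def demo() -> dict:
    """Run a few constructed flows through POLICIES."""
    flows = {
        "inbound": Flow("198.51.100.7", WAN_IP, "X1", "X2"),
        "reply": Flow(WEB_SERVER, "198.51.100.7", "X2", "X1"),
        "lan_egress": Flow("192.168.168.50", "198.51.100.7", "X0", "X1"),
        "lan_local": Flow("192.168.168.50", "192.168.168.60", "X0", "X0"),
    }
    return {name: translate(POLICIES, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (flow, why) in demo().items():
        print(f"{name:10} {flow.src} -> {flow.dst}  ({why or 'no policy'})")
```

Two points the run illustrates: the outbound One-to-One policy is what makes the server's own connections appear to come from the WAN address rather than from the shared Many-to-One address, and a LAN-to-LAN flow that never leaves X1 matches nothing and is not translated.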
5  Advanced Deployments

In this Section:
The advanced deployments contained in this chapter are based on the most common customer deployments and contain best-practice guidelines for deploying your SonicWALL TZ 210 series appliances. These deployments are designed as modular concepts to help in deploying your SonicWALL as a comprehensive security solution.
SonicPoints for Wireless Access

This section describes how to configure SonicPoints with the SonicWALL TZ 210 series appliance. SonicPoints can be used to add wireless features to a SonicWALL TZ 210 wired appliance, or to create a more robust distributed wireless network with a SonicWALL TZ 210 Wireless-N appliance.
Configuring Provisioning Profiles

SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation. Once you have defined a SonicPoint profile, you can apply it to a Wireless zone. Each Wireless zone can be configured with one SonicPoint profile.
• MAC addresses in the group. The Deny List is enforced before the Allow List, so an address present on both lists is denied.
• Under WEP/WPA Encryption, select the Authentication Type for your wireless network. SonicWALL recommends using WPA2 as the authentication type; WEP is cryptographically broken and should not be relied on to protect traffic. Fill in the fields specific to the authentication type that you selected. The remaining fields change depending on the selected authentication type.
In the 802.
necessary Access Rules to allow hosts on these interfaces to communicate with each other.
3. Click on the Wireless tab.
   • In the Wireless Settings section, select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN Zone interface. This provides maximum security on your WLAN.
Assigning an Interface to the Wireless Zone

Once the wireless zone is configured, you can assign an interface to it. This is the interface where you will connect the SonicPoint.
1. On the Network > Interfaces page, click the Configure icon on the row of the interface that you want to use, for example, X3. The interface must be unassigned.
Connecting the SonicPoint

When a SonicPoint unit is first connected and powered up, it attempts to find a SonicOS device with which to peer. If it is unable to find a peer SonicOS device, it enters a standalone mode of operation with a separate stand-alone configuration, allowing it to operate as a standard access point. A SonicPoint in standalone mode is not managed by the appliance and does not receive the provisioning profile, so check the SonicPoint > SonicPoints page to confirm the unit has peered before relying on it.
Internet Gateway with Public Server on DMZ

In this deployment, the SonicWALL TZ 210 is configured to operate as a network gateway with the following zones:
• WAN (X1)
• Local Network (LAN) - wired local client computers and servers
• Wireless (WLAN)* - wireless local client computers and devices
• DMZ - wired resources available to the public Internet, such as Web servers and Mail servers
Completing the Public Server Wizard

The Public Server Wizard guides you through a few simple steps, automatically creating address objects and rules to allow server access.
6. Enter a Server Comment (optional) and click Next.
7. Enter the Server Public IP Address in the field (normally your primary WAN IP address). This IP address is used to access your Web server from the Internet. Click Next and then click Apply to finish the wizard. Afterwards, review the access rule the wizard generated on the Firewall > Access Rules page and confirm it permits only the service you published.
Configuring a DMZ Zone

Since the public server is added to the LAN zone by default, configure a DMZ zone by performing the following steps:
1. In the Network > Interfaces panel, click the Configure button for the X2 interface. The Edit Interface window displays.
Tip: Since we used 192.168.168.123 in the example on page 42, use 192.168.168.1 as the DMZ interface IP. The DMZ subnet must not overlap the subnet of the LAN interface, or the configuration is rejected.
The newly created DMZ interface appears in the Interfaces list.
Editing the Firewall Access Rule

An access rule that allows traffic from the WAN zone to the server on the DMZ must be created, and the original WAN > LAN rule that was created by the Public Server Wizard should be deleted; leaving it in place keeps a WAN > LAN allow rule for an address that is no longer on the LAN.
Schedule: Always on, unless you choose to specify an uptime schedule such as "business hours only".
Comment: Leave a comment such as "Web server on DMZ".
High-Availability Mode

In this scenario, two SonicWALL TZ 210 series appliances are each configured with a single LAN zone and a High Availability (HA) zone, and linked to the LAN and WAN segments with a hub or switch.
About High Availability

Initial HA Setup

In this scenario, one SonicWALL TZ 210 series appliance operates as the Primary gateway device and the other acts as the Backup. Once configured for High Availability, the Backup SonicWALL contains a real-time mirrored configuration of the Primary SonicWALL via an Ethernet link between the designated HA interfaces on each appliance.
HA License Synchronization Overview

You can configure HA license synchronization by associating two SonicWALL security appliances as HA Primary and HA Secondary on MySonicWALL. Note that the Backup appliance of your HA pair is referred to as the HA Secondary unit on MySonicWALL. You need only purchase a single license for SonicOS Enhanced, a single Support subscription, and a single set of security services licenses for the HA Primary appliance.
Associating Pre-Registered Appliances

To associate two already-registered SonicWALL security appliances so that they can use HA license synchronization, perform the following steps:
1. Log in to MySonicWALL and click My Products.
2. On the My Products page, under Registered Products, scroll down to find the appliance that you want to use as the parent, or primary, unit.
3. Click the product name or serial number.
5. In the PortShield Wizard Complete screen, click Close.
6. Log into the management interface of the other appliance in the HA Pair, and repeat this procedure.

Configuring Advanced HA Settings
1. Navigate to the High Availability > Advanced page.
2. To configure the HA Pair so that the Primary SonicWALL resumes the Active role when coming back online after a failover, select Enable Preempt Mode. Note that preempting causes a second failover when the Primary returns; leave it disabled if a further brief interruption is unacceptable.