SonicOS 5.8.
Table of Contents

Table of Contents  iii

Part 1: Introduction
  Chapter 1: Preface  25
    Preface  25
      Copyright Notice

    Packet Rate Monitor  68
    Packet Size Monitor  69
    Connection Count Monitor  70
  Dashboard > AppFlow Monitor  70
    Filter Options

  Chapter 8: Configuring Administration Settings  107
    System > Administration  107
      Firewall Name  107
      Administrator Name & Password  107
      Login Security Settings

  Chapter 14: Using Diagnostic Tools & Restarting the Appliance  165
    System > Diagnostics  165
      Tech Support Report  166
      Diagnostic Tools  167
      Check Network Settings

  Chapter 17: Setting Up Failover and Load Balancing  275
    Network > Failover & Load Balancing  275
      Failover and Load Balancing  275
      Load Balancing Statistics  278
      Multiple WAN (MWAN)

      Creating NAT Policies  356
      Using NAT Load Balancing  366
  Chapter 24: Managing ARP Traffic  369
    Network > ARP  369
      Static ARP Entries

  Chapter 29: Configuring Dynamic DNS  419
    Network > Dynamic DNS  419
      Supported DDNS Providers  420
      Configuring Dynamic DNS  420
      Dynamic DNS Settings Table

  Chapter 35: Configuring Wireless Settings  475
    Wireless > Settings  475
      Wireless Radio Mode  476
      Wireless Settings

      VAP Issues  535
      Troubleshooting  535
      Resetting the SonicPoint  536
      Switch Programming Tips

  Chapter 49: Configuring Application Control  617
    Application Control  617
      Application Control Overview  617
      Licensing Application Control  647
    Firewall > App Control Advanced

      Enabling Multicast on LAN-Dedicated Interfaces  748
      Enabling Multicast Through a VPN  749
  Chapter 54: Managing Quality of Service  751
    Firewall Settings > QoS Mapping  751
      Classification

      How Does the Anti-Spam Service Work?  835
    Purchasing an Anti-Spam License  838
    Anti-Spam > Status  840
    Anti-Spam > Settings  842
      Configuring Anti-Spam for UTM

Part 14: SSL VPN
  Chapter 64: SSL VPN  931
    SSL VPN  931
      SSL VPN NetExtender Overview  932
      Configuring Users for SSL VPN Access  935
    SSL VPN > Status

    Users > Guest Status  1129
      Logging Accounts off the Appliance  1129

Part 17: High Availability
  Chapter 68: Setting Up High Availability  1133
    High Availability

  Chapter 73: Managing SonicWALL Gateway Anti-Virus Service  1223
    Security Services > Gateway Anti-Virus  1223
      SonicWALL GAV Multi-Layered Approach  1224
      HTTP File Downloads  1226
      SonicWALL GAV Architecture

  Chapter 76: Configuring SonicWALL Real-Time Blacklist  1259
    SMTP Real-Time Black List Filtering  1259
  Chapter 77: Configuring Geo-IP and Botnet Filters  1261
    Security Services > Geo-IP Filter  1262
    Security Services > Botnet Filter

Part 20: Log
  Chapter 79: Managing Log Events  1349
    Log > View  1349
      Log View Table  1350
      Refresh

  Chapter 85: Generating Log Reports  1389
    Log > Reports  1389
      Data Collection  1390
      View Data

Part 22: Appendices
  Appendix A: CLI Guide  1431
    Input Data Format Specification  1431
    Text Conventions  1432
    Editing and Completion Features  1432
    Command Hierarchy
Part 1: Introduction
Chapter 1: Preface

Copyright Notice

© 2011 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within cannot be copied, in whole or in part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original.
Limited Warranty

SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product.
About this Guide

Welcome to the SonicOS Enhanced 5.8 Administrator’s Guide. This manual provides the information you need to successfully activate, configure, and administer SonicOS Enhanced 5.8 for SonicWALL security appliances.

Note: Always check for the latest version of this manual as well as other SonicWALL products and services documentation.

Organization of this Guide

The SonicOS Enhanced 5.
• WAN Failover and Load Balancing - configure one of the user-defined interfaces to act as a secondary WAN port for backup or load balancing.
• Zones - configure security zones on your network.
• DNS - set up DNS servers for name resolution.
• Address Objects - configure host, network, and address range objects.
• Routing - view the Route Table and ARP Cache, and configure static and dynamic routing by interface.
Part 10 DPI-SSL

This part describes the Deep Packet Inspection Secure Socket Layer (DPI-SSL) feature, which allows for the inspection of encrypted HTTPS traffic and other SSL-based traffic. Client DPI-SSL is used to inspect HTTPS traffic when clients on the SonicWALL security appliance’s LAN access content located on the WAN. Server DPI-SSL is used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the SonicWALL security appliance’s LAN.
Part 18 Security Services

This part includes an overview of available SonicWALL Security Services as well as instructions for activating the services, including FREE trials. These subscription-based services include SonicWALL Gateway Anti-Virus, SonicWALL Intrusion Prevention Service, SonicWALL Content Filtering Service, and SonicWALL Client Anti-Virus, as well as other services.
Menu Item > Menu Item - Indicates a multiple-step Management Interface menu choice. For example, Security Services > Content Filter means select Security Services, then select Content Filter.

Icons Used in this Manual

These special messages refer to noteworthy information, and include a symbol for quick identification:

Caution: Important information that cautions about features affecting firewall performance, security features, or causing potential problems with your SonicWALL.
Switzerland: +44 193.257.3929
UK: +44 193.257.3929

More Information on SonicWALL Products

Contact SonicWALL, Inc. for information about SonicWALL products and services at:
Web: http://www.sonicwall.com
E-mail: sales@sonicwall.com
Phone: (408) 745-9600
Fax: (408) 745-9300
Chapter 2: Introduction

SonicOS Enhanced 5.8.1 is the most powerful SonicOS operating system for SonicWALL security appliances. This chapter contains the following sections:
• “Key Features in SonicOS Enhanced 5.8.1” on page 33
• “Key Features in SonicOS Enhanced 5.8” on page 36
• “Key Features in SonicOS Enhanced 5.6” on page 40
• “Key Features in SonicOS Enhanced 5.5” on page 42
• “Key Features in SonicOS Enhanced 5.3” on page 42
• “Key Features in SonicOS Enhanced 5.
Although the entire SonicOS interface is available in different languages, sometimes the administrator does not want to change the entire UI language to a specific local one. However, if the firewall requires authentication before users can access other networks, or enables external access services (e.g. VPN, SSL-VPN), those login-related pages usually should be localized to make them more usable for normal users.
Anti-virus exclusions which existed before the upgrade and which apply to hosts residing in custom zones will not be detected. IP address ranges not falling into the supported zones will default to the LAN zone. Conversion to the LAN zone occurs during the restart booting process. There is no message in the SonicOS management interface at login time regarding the conversion.
• SonicWALL Enforced Client Anti-Virus - SonicOS 5.8.1.0 supports a new SonicWALL Enforced Client Anti-Virus.
• Wire/Tap Mode - Wire Mode is a deployment option where the SonicWALL appliance can be deployed as a "Bump in the Wire." It provides a least-intrusive way to deploy the appliance in a network. Wire Mode is very well suited for deploying behind a pre-existing Stateful Packet Inspection (SPI) Firewall. Wire Mode is a simplified form of Layer 2 Bridge Mode. A Wire Mode interface does not take any IP address and it is typically configured as a bridge between a pair of interfaces.
Appliances newly registered and upgraded to SonicOS 5.8.0.0 or higher will receive a 30-day free trial license of App Visualization by default. Navigate to the Log > Flow Reporting page to manually enable the Flow Reporting and Visualization feature. You can then view real-time application traffic on the Dashboard > Real-Time Monitor page and application activity in other Dashboard pages for the configured flows from the SonicWALL application signature database.
capable of utilizing DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Control, Packet Monitor and Packet Mirror. DPI-SSL is supported on SonicWALL NSA models 240 and higher.
increases the efficiency of your SonicWALL security appliance by providing you the ability to configure user view settings and filter junk messages before users see them in their inboxes. The following enhancements are now available with CASS 2.0:
– The Email Security Junk Store application can now reside outside the Exchange Server system. Unlike in version 1.0, Junk Store can now be installed on another remote server.
– Dynamic discovery of Junk Store user interface pages has been added.
• DHCP Scalability Enhancements - The DHCP server in SonicWALL appliances has been enhanced to provide 2 to 4 times the number of leases previously supported. To enhance the security of the DHCP infrastructure, the SonicOS DHCP server now provides server-side conflict detection to ensure that no other device on the network is using the assigned IP address. Conflict detection is performed asynchronously to avoid delays when obtaining an address.
features are capable of utilizing DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Firewall, Packet Capture and Packet Mirror. DPI-SSL is initially available on NSA-3500 and above hardware platforms.
• Dynamic DNS per Interface - Provides the ability to assign a Dynamic DNS (DDNS) profile to a specific WAN interface.
• Virtual Access Points for SonicWALL TZ Wireless Platforms - The SonicWALL TZ 100w, TZ 200w and TZ 210w platforms now support Virtual Access Points (VAPs). VAPs enable users to segment different wireless groups by creating logical segmentation on a single wireless radio.
– Fully Customizable Block Page - The web page that is displayed when a user attempts to access a blocked site can now be fully customized. This enables organizations to brand the block page and display any organization-specific information.
– Safe Search Enforcement - Safe Search Enforcement allows you to force Web search sites like Google and Yahoo that have content restriction options to always use their strictest settings.
connections. Once the primary and backup appliances have been associated as a high availability pair on mysonicwall.com, you can enable this feature by selecting Enable Stateful Synchronization in the High Availability > Advanced page.
• Application Firewall - Application Firewall provides a way to create application-specific policies to regulate Web browsing, file transfer, email, and email attachments.
• Multiple and Read-only Administrator Login - Multiple Administrator Login provides a way for multiple users to be given administration rights, either full or read-only, for the SonicOS security appliance. Additionally, SonicOS Enhanced allows multiple users to concurrently manage the appliance, but only one user at a time can be in config mode with the ability to change configuration settings.
– EAPOL packet flood
– Weak WEP IV
• SMTP Authentication - SonicOS Enhanced supports RFC 2554, which defines an SMTP service extension that allows the SMTP client to indicate an authentication method to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions. This feature helps prevent viruses that attack the SMTP server on port 25.
L2 Bridge Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent security appliance integration. Using L2 Bridge Mode, a SonicWALL security appliance can be non-disruptively added to any Ethernet network to provide in-line deep-packet inspection for all traversing IPv4 TCP and UDP traffic. Unlike other transparent solutions, L2 Bridge Mode can pass all traffic types, including IEEE 802.
– Disabled: (Default) when the appliance reboots, the DHCP client performs a DHCP DISCOVERY query.
• Dynamic Route Metric Recalculation Based on Interface Availability - To better support redundant or multiple-path Advanced Routing configurations, when a default route's interface is unavailable (due to no link or a negative WAN LB probe response), that default route's metric will be changed to 255, and the route will be instantly disabled.
new page, you first click on the heading, and then click on the sub-folder page you want. This eliminates the delay and redundant page loading that occurred in previous versions of SonicOS when clicking on a heading automatically loaded the first sub-folder page. If the navigation bar continues below the bottom of your browser, an up-and-down arrow symbol appears in the bottom right corner of the navigation bar. Mouse over the up or down arrow to scroll the navigation bar up or down.
Applying Changes

Click the Accept button at the top right corner of the SonicWALL management interface to save any configuration changes you made on the page. If the settings are contained in a secondary window within the management interface, when you click OK, the settings are automatically applied to the SonicWALL security appliance.

Tooltips

SonicOS Enhanced 5.0 introduced embedded tool tips for many elements in the SonicOS UI.
The behavior of the Tooltips can be configured on the System > Administration page. Tooltips are enabled by default. To disable Tooltips, uncheck the Enable Tooltip checkbox. The duration of time before Tooltips display can be configured:
• Form Tooltip Delay - Duration in milliseconds before Tooltips display for forms (boxes where you enter text).
• Button Tooltip Delay - Duration in milliseconds before Tooltips display for radio buttons and checkboxes.
A number of tables now include an option to specify the number of items displayed per page. Many tables can now be re-sorted by clicking on the headings for the various columns. On tables that are sortable, a tooltip that states "Click to sort by" pops up when you mouse over the headings. When tables are sorted, entries with the same value for the column are grouped together with the common value shaded as a sub-heading.
Several tables include a tooltip that displays the maximum number of entries that the SonicWALL security appliance supports. For example, the following image shows the maximum number of address groups the appliance supports. Tables that display the maximum entry tooltip include NAT policies, access rules, address objects, and address groups.

Getting Help

Each SonicWALL security appliance includes Web-based online help available from the management interface.
Part 2
Chapter 4: Using the SonicOS Visualization Dashboard

Visualization Dashboard

The SonicWALL Visualization Dashboard offers administrators an effective and efficient interface to visually monitor their network in real time, providing effective flow charts of real-time data, customizable rules, and flexible interface settings.
Note: Several of the SonicWALL Visualization Dashboard pages now contain a blue pop-up button that will display the dashboard in a standalone browser window that allows for a wider display. Click on the blue pop-up icon to the right of the page name in the left-hand navigation bar to display a dashboard page as a standalone page.
Step 3 Navigate to the Network > Interfaces page. Click the Configure icon for the interface you wish to enable flow reporting on.
Step 4 In the Advanced tab, ensure that the Enable flow reporting checkbox is selected.
Step 5 Click the OK button to save your changes.
Step 6 Repeat steps 6 through 7 for each interface you wish to monitor.

For more detailed information on configuring Flow Reporting settings, refer to the “Log > Flow Reporting” section on page 1369.
Dashboard > Real-Time Monitor

The Real-Time Monitor provides administrators an inclusive, multi-functional display with information about applications, bandwidth usage, packet rate, packet size, connection rate, connection count, multi-core monitoring, and memory usage.
This section contains the following subsections:
• “Using the Toolbar” section on page 62
• “Applications Monitor” section on page 63
• “Ingress and Egress Bandwidth Flow” section on page 66
• “Packet Rate Monitor” section on page 68
• “Packet Size Monitor” section on page 69
• “Connection Count Monitor” section on page 70
Using the Toolbar

The Real-Time Monitor Toolbar contains features to specify the refresh rate, export details, configure color palettes, change the amount of data displayed, and pause or play the data flow. Changes made to the toolbar apply across all the data flows.

Option / Description:
• Refresh rate - Determines the frequency at which data is refreshed. An integer between 1 and 10 seconds is required. One second is the default.
Applications Monitor

The Applications data flow provides a visual representation of the current applications accessing the network. Options are available to Display, Scale, and View the Application interface.

Option / Description:
• Lock/Unlock Application Display - Locks the Display options for the Application interface. The lock and unlock option is available when you select “Most Frequent Apps.
• Scale - Allows for Auto Y-Scaling or customized scaling of the Application Flow Chart. The values for customized scaling must be a numeric integer. Specifying a unit is optional. If a unit is desired, these are the available options:
  – K for Kilo.
  – M for Mega.
  – G for Giga.
  – % for percentage.
  If a custom scale of 100Kbps is desired, then “100K” should be entered.
• View - Bar Graph or Flow Chart.
The flow chart format displays overlapping application data. In this graph, the x-axis displays the current time and the y-axis displays the traffic for each application. The following example is a “Bar Chart” view.
Ingress and Egress Bandwidth Flow

The Ingress and Egress Bandwidth data flow provides a visual representation of incoming and outgoing bandwidth traffic. The current percentage of total bandwidth used, average flow of bandwidth traffic, and the minimum and maximum amount of traffic that has gone through each interface is available in the display. Administrators are able to view the Ingress and Egress Bandwidth flow chart in a bar graph format or flow chart format.
Options are available to customize the Display, Scale, and View of the Ingress and Egress Bandwidth interface.

Option / Description:
• Interface Rate Display - Specifies which Interfaces are displayed in the Bandwidth Flow Chart. A drop-down menu provides the administrator with options to specify All Interfaces Rate, All Interfaces, and individual interfaces. The individual interfaces vary depending on the number of interfaces on the administrator’s network.
Note: The Bandwidth flow charts have no direct correlation to the Application flow charts.

Packet Rate Monitor

The Packet Rate Monitor provides the administrator with information on the ingress and egress packet rate in packets per second (pps). This can be configured to show packet rate by network interface. The graph shows the current average packet rate, minimum packet rate, and maximum packet rate for both ingress and egress network traffic.
Packet Size Monitor

The Packet Size Monitor provides the administrator with information on the ingress and egress packet rate in kilobytes per second (Kps). This can be configured to show packet size by network interface. The graph shows the current average packet size, minimum packet size, and maximum packet size for both ingress and egress network traffic.
Connection Count Monitor

The Connection Count data flow provides the administrator a visual representation of the “current” total number of connections, the “peak” number of connections, and the maximum. In this example, the y-axis displays the total number of connections from 0C (zero connections) to 1KC (one kilo connections).

Dashboard > AppFlow Monitor

The AppFlow Monitor provides administrators with real-time, incoming and outgoing network data.
This section contains the following subsections:
• “Filter Options” section on page 71
• “AppFlow Monitor Tabs” section on page 72
• “AppFlow Monitor Toolbar” section on page 73
• “Group Options” section on page 74
• “AppFlow Monitor Status” section on page 75
• “AppFlow Monitor Views” section on page 76

Filter Options

The AppFlow Monitor Filter Options allow the administrator to filter out incoming, real-time data.
AppFlow Monitor Tabs

The AppFlow Monitor Tabs contain details about incoming and outgoing network traffic. Each tab provides a faceted view of the network flow. The data is organized by Applications, Users, URLs, Initiators, Responders, Threats, VoIP, VPN, Devices, and Content.
• The Applications tab displays a list of Applications currently accessing the network.
• The Users tab displays a list of Users currently connected to the network.
AppFlow Monitor Toolbar

The AppFlow Toolbar allows for customization of the AppFlow Monitor interface. The ability to create rules and add items to filters allows for more application and user control. Different views, pause and play abilities, customizable data intervals and refresh rates are also available to aid in visualizing incoming, real-time data.

Option / Description:
• Filter View - Adds selected items to the filter.
• Refresh Rate - Rate at which data is refreshed. A numeric integer between 10 and 999 must be specified. If 300 is entered in the numeric field, the data flow will refresh every 300 seconds.
• Pause/Play - Freezes and unfreezes the data flow. Doing so gives the administrator flexibility when analyzing real-time data.

Group Options

The Group option sorts data based on the specified group. Each tab contains different grouping options.
• The VoIP tab can be grouped according to:
  – Media Type: Groups VoIP flows according to media type.
  – Caller ID: Groups VoIP flows according to caller ID.
• The VPN tab can be grouped according to:
  – Remote IP Address: Groups VPN flows according to the remote IP address.
  – Local IP Address: Groups VPN flows according to the local IP address.
  – Name: Groups VPN flows according to the tunnel name.
AppFlow Monitor Views

Three views are available for the AppFlow Monitor: Detailed, Pie Chart, and Flow Chart View. Each view provides the administrator a unique display of incoming, real-time data.

List View

In the List View, each AppFlow tab consists of columns displaying real-time data. These columns are organized into sortable categories.
• Check Box: Allows the administrator to select the line item for creation of filters.
• Information pertaining to the category, threat level, type of technology the item falls under, and other additional information.
• Application details are particularly useful when an Administrator does not recognize the name of an Application.

Graph View

The Graph View displays the top applications and the percentage of bandwidth used.
Using Filtering Options

Using filtering options allows administrators to reduce the amount of data seen in the AppFlow Monitor. By doing so, administrators can focus on points of interest without distraction from other applications. To use the Filtering Options:

Step 1 Log into the SonicWALL Network Security Appliance and go to Dashboard > AppFlow Monitor > Applications Tab. Then select the check boxes of the applications you wish to add to the filter.
Dashboard > Threat Reports

This section describes how to use the SonicWALL Threat Reports feature on a SonicWALL security appliance. This chapter contains the following sections:
• “SonicWALL Threat Reports Overview” on page 79
• “SonicWALL Threat Reports Configuration Tasks” on page 81

SonicWALL Threat Reports Overview

This section provides an introduction to the Threat Reports feature.
Dashboard > Threat Reports What Are Threat Reports? SonicWALL Threat Reports provide reports of the latest threat protection data from a single SonicWALL appliance and aggregated threat protection data from SonicWALL security appliances deployed globally. The SonicWALL Threat Reports display automatically upon successful authentication to a SonicWALL security appliance, and can be viewed at any time by navigating to Dashboard > Threat Reports in the left-hand menu.
Dashboard > Threat Reports Each report includes a graph of threats blocked over time and a table of the top blocked threats. Reports, which are updated hourly, can be customized to display data for the last 12 hours, 14 days, 21 days, or 6 months. For easier viewing, SonicWALL Threat Reports reports can be transformed into a PDF file format with the click of a button.
Dashboard > Threat Reports The SonicWALL Threat Reports displays automatically upon successful login to a SonicWALL security appliance. You can access the SonicWALL Threat Reports at any time by navigating to Dashboard > Threat Reports in the left-hand menu. You may see the introductory screen shown below while the appliance is gathering the latest threat data.
Dashboard > Threat Reports Switching to Global or Appliance-Level View To view SonicWALL Threat Reports global reports, select the radio button next to Global in the top of the Dashboard > Threat Reports screen. To view appliance-level reports, select the radio button next to the appliance serial number. Selecting Custom Time Interval The SonicWALL Threat Reports reports default to a view of reports from the “Last 14 Days,” providing an aggregate view of threats blocked during that time period.
Dashboard > User Monitor Dashboard > User Monitor The Dashboard > User Monitor page displays details on all user connections to the SonicWALL security appliance.
Dashboard > BWM Monitor Dashboard > BWM Monitor The Dashboard > BWM Monitor page displays per-interface bandwidth management for ingress and egress network traffic. The BWM monitor graphs are available for real-time, highest, high, medium high, medium, medium low, low and lowest policy settings. The view range is configurable in 60 seconds, 2 minutes, 5 minutes, and 10 minutes (default). The refresh interval rate is configurable from 3 to 30 seconds.
Dashboard > Connections Monitor Viewing Connections The connections are listed in the Connections Monitor table. Filtering Connections Viewed You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Src Interface, Dst Interface, and Protocol. Enter your filter criteria in the Connections Monitor Settings table. The fields you enter values into are combined into a search string with a logical AND.
Dashboard > Packet Monitor Dashboard > Packet Monitor Note For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which tab it is accessed through. For detailed overview and configuration information on Packet Monitor, refer to the “System > Packet Monitor” on page 139.
Dashboard > Packet Monitor The Dashboard > Packet Monitor page is shown below: For an explanation of the status indicators near the top of the page, see “Understanding Status Indicators” on page 159.
Dashboard > Packet Monitor Step 5 To stop the packet capture, click Stop Capture. You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See “Viewing Captured Packets” on page 89. Starting and Stopping Packet Mirror You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror. It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings.
Dashboard > Packet Monitor • Egress - The SonicWALL appliance interface on which the packet was captured when sent out – The subsystem type abbreviation is shown in parentheses.
Dashboard > Log Monitor About the Packet Detail Window When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select. About the Hex Dump Window When you click on a packet in the Captured Packets window, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump window.
PART 3 Part 3:
CHAPTER 5 Chapter 5: Viewing Status Information System > Status The System > Status page provides a comprehensive collection of information and links to help you manage your SonicWALL security appliance and SonicWALL Security Services licenses.
System > Status Wizards The Wizards button on the System > Status page provides access to the SonicWALL Configuration Wizard, which allows you to easily configure the SonicWALL security appliance using the following sub-wizards: • Setup Wizard - This wizard helps you quickly configure the SonicWALL security appliance to secure your Internet (WAN) and LAN connections.
System > Status • Connections - Displays the maximum number of network connections the SonicWALL security appliance can support, the peak number of concurrent connections, and the current number of connections. • Connection Usage - The percentage of the maximum number of connections that are currently established (i.e. this percentage is the current number of connections divided by the maximum number of connections).
System > Status the Arrow icon displays the System > Licenses page in the SonicWALL Web-based management interface. SonicWALL Security Services and SonicWALL security appliance registration is managed by mysonicwall.com. Refer to “Security Services” on page 1175 for more information on SonicWALL Security Services and activating them on the SonicWALL security appliance.
System > Status Note mysonicwall.com registration information is not sold or shared with any other company. You can also register your security appliance at the https://www.mysonicwall.com site by using the Serial Number and Authentication Code displayed in the Security Services section. Click the SonicWALL link to access your mysonicwall.com account. You will be given a registration code after you have registered your security appliance.
System > Status Registering Your SonicWALL Security Appliance If you already have a mysonicwall.com account, follow these steps to register your security appliance: Step 1 In the Security Services section on the System > Status page, click the Register link in Your SonicWALL is not registered. Click here to Register your SonicWALL. The mysonicwall Login page is displayed. Step 2 In the mysonicwall.com Login page, enter your mysonicwall.
CHAPTER 6 Chapter 6: Managing SonicWALL Licenses System > Licenses The System > Licenses page provides links to activate, upgrade, or renew SonicWALL Security Services licenses. From this page in the SonicWALL Management Interface, you can manage all the SonicWALL Security Services licensed for your SonicWALL security appliance. The information listed in the Security Services Summary table is updated from your mysonicwall.com account.
System > Licenses Excluding a Node When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group. To exclude a node: Step 1 In the Currently Licensed Nodes table, click the icon in the Exclude column for the node you want to exclude.
System > Licenses Manage Security Services Online To activate, upgrade, or renew services, click the link in To Activate, Upgrade, or Renew services, click here. Click the link in To synchronize licenses with mysonicwall.com click here to synchronize your mysonicwall.com account with the Security Services Summary table. You can also get free trial subscriptions to SonicWALL Content Filter Service and Client AntiVirus by clicking the For Free Trials click here link.
System > Licenses Manual Upgrade for Closed Environments If your SonicWALL security appliance is deployed in a high security environment that does not allow direct Internet connectivity from the SonicWALL security appliance, you can enter the encrypted license key information from http://www.mysonicwall.com manually on the System > Licenses page in the SonicWALL Management Interface. Note Manual upgrade of the encrypted License Keyset is only for Closed Environments.
CHAPTER 7 Chapter 7: Viewing Support Services System > Support Services The System > Support Services page displays a summary of the current status of support services for the SonicWALL security appliance. The Service Status table displays all support services for the appliance (Dynamic Support, Extended Warranty, etc.), their current status, and their expiration date.
CHAPTER 8 Chapter 8: Configuring Administration Settings System > Administration The System Administration page provides settings for the configuration of SonicWALL security appliance for secure and remote management. You can manage the SonicWALL using a variety of methods, including HTTPS, SNMP or SonicWALL Global Management System (SonicWALL GMS).
System > Administration Changing the Administrator Password To set a new password for SonicWALL Management Interface access, type the old password in the Old Password field, and the new password in the New Password field. Type the new password again in the Confirm New Password field and click Accept. Once the SonicWALL security appliance has been updated, a message confirming the update is displayed at the bottom of the browser window.
System > Administration Internet Explorer, go to Tools > Internet Options, click on the Advanced tab, and scroll to the bottom of the Settings menu. In Firefox, go to Tools > Options, click on the Advanced tab, and then click on the Encryption tab. SonicOS Enhanced 5.0 introduced password constraint enforcement, which can be configured to ensure that administrators and users are using secure passwords.
System > Administration Tip If the Administrator Inactivity Timeout is extended beyond five minutes, you should end every management session by clicking Logout to prevent unauthorized access to the SonicWALL security appliance’s Management Interface. The Enable administrator/user lockout setting locks administrators out of accessing the appliance after the specified number of incorrect login attempts.
System > Administration Web Management Settings The SonicWALL security appliance can be managed using HTTP or HTTPS and a Web browser. HTTP web-based management is disabled by default. Use HTTPS to log into the SonicOS management interface with factory default settings. If you wish to use HTTP management, an Allow management via HTTP checkbox is available to allow the administrator to enable/disable HTTP management globally: The default port for HTTPS management is 443.
System > Administration Changing the Default Size for SonicWALL Management Interface Tables The SonicWALL Management Interface allows you to control the display of large tables of information across all tables in the management Interface. You can change the default table page size in all tables displayed in the SonicWALL Management Interface from the default 50 items per page to any size ranging from 1 to 5,000 items.
System > Administration The behavior of the Tooltips can be configured on the System > Administration page. Tooltips are enabled by default. To disable Tooltips, uncheck the Enable Tooltip checkbox. The duration of time before Tooltips display can be configured: • Form Tooltip Delay - Duration in milliseconds before Tooltips display for forms (boxes where you enter text). • Button Tooltip Delay - Duration in milliseconds before Tooltips display for radio buttons and checkboxes.
System > Administration Enabling SNMP Management SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that allows network administrators to monitor the status of the SonicWALL security appliance and receive notification of critical events as they occur on the network. The SonicWALL security appliance supports SNMP v1/v2c and all relevant Management Information Base II (MIB) groups except egp and at. Note that SNMP v1 and v2c authenticate requests with a community string that travels in cleartext in every datagram, so restrict SNMP to trusted management interfaces and networks and choose a community string that cannot be guessed.
System > Administration Configuring SNMP as a Service and Adding Rules By default, SNMP is disabled on the SonicWALL security appliance. To enable SNMP you must first enable SNMP on the System > Administration page, and then enable it for individual interfaces. To do this, go to the Network > Interfaces page and click on the Configure button for the interface you want to enable SNMP on. For instructions on adding services and rules to the SonicWALL security appliance, see Part 5, Firewall.
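The following is an added example, not part of this guide or of SonicOS, that shows what an SNMPv2c poll of the appliance looks like on the wire and why the community string deserves the same care as a password. It builds a GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0, a standard MIB-II object) with a hand-written BER encoder, then parses the datagram the way a passive observer on the management path would, recovering the community string without any key. The community string "public" and request ID are constructed values for the example.

```python
"""SNMPv2c GetRequest: BER encoding and what an eavesdropper recovers.
Added example for this guide; not SonicOS code."""


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value wrapper used for every BER element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))  # continuation bit on all but the last octet
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


SNMP_V2C = 1  # version field: 0 = SNMPv1, 1 = SNMPv2c


def snmpv2c_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Full SNMPv2c message: version, community, GetRequest PDU (tag 0xA0)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # value is NULL in a request
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_integer(SNMP_V2C) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos; returns (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + length], pos + length


def community_from_datagram(datagram: bytes):
    """What anyone who captures one v1/v2c datagram learns: (version, community)."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, pos = read_tlv(body, 0)
    ctag, community, _ = read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected SNMP header layout")
    return int.from_bytes(version, "big", signed=True), community.decode()


if __name__ == "__main__":
    # Constructed example: poll sysDescr.0 with the community string "public".
    pkt = snmpv2c_get_request("public", "1.3.6.1.2.1.1.1.0", request_id=1)
    print(pkt.hex())
    print("observer recovers:", community_from_datagram(pkt))
```

To send the datagram to a real appliance you would write `pkt` to a UDP socket on port 161, which is the reason for the note above about restricting which interfaces accept SNMP: the only thing that gates the request is the string visible in `community_from_datagram`.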
System > Administration the GMS installation, and enter the IP address in the NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window. • Existing Tunnel - If this option is selected, the GMS server and the SonicWALL security appliance already have an existing VPN tunnel over the connection. Enter the GMS host name or IP address in the GMS Host Name or IP Address field. Enter the port number in the Syslog Server Port field.
System > Administration Step 7 • HTTPS - If this option is selected, HTTPS management is allowed from two IP addresses: the GMS Primary Agent and the Standby Agent IP address. The SonicWALL security appliance also sends encrypted syslog packets and SNMP traps using 3DES and the SonicWALL security appliance administrator’s password.
System > Administration not have Internet access, or has access only through a proxy server, you must manually specify a URL for the SonicPoint firmware. You do not need to include the http:// prefix, but you do need to include the filename at the end of the URL. The filename should have a .bin extension. Here are examples using an IP address and a domain name: 192.168.168.10/imagepath/sonicpoint.bin software.sonicwall.com/applications/sonicpoint/sonicpoint.
CHAPTER 9 Chapter 9: Managing Certificates System > Certificates To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL security appliance to validate your Local Certificates. You import the valid CA certificate into the SonicWALL security appliance using the System > Certificates page.
System > Certificates (DN), validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital signature. SonicWALL security appliances interoperate with any X.509v3-compliant provider of Certificates.
System > Certificates • Details - Moving the pointer over the icon displays the details of the certificate. • Configure - Displays the edit and delete icons for editing or deleting the certificate entry. – Also displays the Import icon to import either certificate revocation lists (for CA certificates) or signed certificates (for Pending requests).
System > Certificates Importing a Certificate Authority Certificate To import a certificate from a certificate authority, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate window settings change.
System > Certificates Importing a Local Certificate To import a local certificate, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Enter a certificate name in the Certificate Name field. Step 3 Enter the password used by your Certificate Authority to encrypt the PKCS#12 file in the Certificate Management Password field.
System > Certificates To generate a local certificate, follow these steps: Step 1 Click the New Signing Request button. The Certificate Signing Request window is displayed. Step 2 In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field. Step 3 Select the Request field type from the menu, then enter information for the certificate in the Request fields.
System > Certificates Configuring Simple Certificate Enrollment Protocol The Simple Certificate Enrollment Protocol (SCEP) is designed to support the secure issuance of certificates to network devices in a scalable manner. There are two enrollment scenarios for SCEP: • SCEP server CA automatically issues certificates • SCEP request is set to PENDING and the CA administrator manually issues the certificate. More information about SCEP can be found at: • http://tools.ietf.
CHAPTER 10 Chapter 10: Configuring Time Settings System > Time The System > Time page defines the time and date settings to time stamp log events, to automatically update SonicWALL Security Services, and for other internal purposes. By default, the SonicWALL security appliance uses an internal list of public NTP servers to automatically update the time. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers.
System > Time If you want to set your time manually, uncheck Set time automatically using NTP. Select the time in the 24-hour format using the Time (hh:mm:ss) menus and the date from the Date menus. Selecting Display UTC in logs (instead of local time) specifies the use universal time (UTC) rather than local time for log events. Selecting Display date in International format displays the date in International format, with the day preceding the month.
CHAPTER 11 Chapter 11: Setting Schedules System > Schedules The System > Schedules page allows you to create and manage schedule objects for enforcing schedule times for a variety of SonicWALL security appliance features.
System > Schedules The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the edit icon in the Configure column to display the Edit Schedule window. Note You cannot delete the default Work Hours, After Hours, or Weekend Hours schedules. You apply schedule objects for the specific security feature.
System > Schedules Adding a Schedule To create schedules, click Add. The Add Schedule window is displayed. Step 1 Enter a descriptive name for the schedule in the Name field. Step 2 Select one of the following radio buttons for Schedule type: • Once – For a one-time schedule between the configured Start and End times and dates. When selected, the fields under Once become active, and the fields under Recurring become inactive.
System > Schedules Step 6 Under Recurring, type in the time of day for the schedule to begin in the Start field. The time must be in 24-hour format, for example, 17:00 for 5 p.m. Step 7 Under Recurring, type in the time of day for the schedule to stop in the Stop field. The time must be in 24-hour format, for example, 17:00 for 5 p.m. Step 8 Click Add. Step 9 Click OK to add the schedule to the Schedule List.
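As an added example (not part of this guide or of SonicOS), the evaluator below applies the Once and Recurring semantics from the steps above to a timestamp and reports which schedule objects would enable a rule at that moment. The definitions given for Work Hours, After Hours and Weekend Hours, the "Patch window" schedule, the exclusive Stop time and the treatment of a window that runs past midnight as belonging to its start day are all assumptions made for the example; the guide does not state the appliance's actual default values.

```python
"""Evaluate schedule objects of the kind managed on System > Schedules.
Added example for this guide; not SonicOS code. Default schedule contents are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # datetime.weekday(): Monday == 0
WEEKDAYS = set(DAYS[:5])
WEEKEND = set(DAYS[5:])


def parse_hhmm(text: str) -> time:
    """Parse a 24-hour 'HH:MM' string (e.g. '17:00' for 5 p.m.); rejects out-of-range input."""
    hh, mm = text.strip().split(":")
    hour, minute = int(hh), int(mm)
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"not a valid 24-hour time: {text!r}")
    return time(hour, minute)


@dataclass
class Schedule:
    name: str
    # Once: a single (start, end) datetime window, inclusive at both ends.
    once: Optional[Tuple[datetime, datetime]] = None
    # Recurring: (days, start, stop) windows; start inclusive, stop exclusive (assumption).
    recurring: List[Tuple[Set[str], time, time]] = field(default_factory=list)

    def active_at(self, when: datetime) -> bool:
        if self.once is not None:
            start, end = self.once
            return start <= when <= end
        day = DAYS[when.weekday()]
        prev_day = DAYS[(when.weekday() - 1) % 7]
        now = when.time()
        for days, start, stop in self.recurring:
            if start < stop:  # window lies within one day
                if day in days and start <= now < stop:
                    return True
            else:  # window crosses midnight: belongs to the day it starts on (assumption)
                if day in days and now >= start:
                    return True
                if prev_day in days and now < stop:
                    return True
        return False


# Constructed schedule objects; the default-schedule contents are assumed for this example.
WORK_HOURS = Schedule("Work Hours", recurring=[(WEEKDAYS, parse_hhmm("08:00"), parse_hhmm("17:00"))])
AFTER_HOURS = Schedule("After Hours", recurring=[(WEEKDAYS, parse_hhmm("17:00"), parse_hhmm("08:00"))])
WEEKEND_HOURS = Schedule("Weekend Hours", recurring=[(WEEKEND, parse_hhmm("00:00"), parse_hhmm("23:59"))])
PATCH_WINDOW = Schedule("Patch window", once=(datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 2, 0)))
SCHEDULES = [WORK_HOURS, AFTER_HOURS, WEEKEND_HOURS, PATCH_WINDOW]


def active_schedules(when: datetime) -> List[str]:
    """Names of the schedule objects that would enable a rule at the given moment."""
    return [s.name for s in SCHEDULES if s.active_at(when)]


def active_schedules_at(stamp: str) -> List[str]:
    """Same as active_schedules, taking a 'YYYY-MM-DD HH:MM' string."""
    return active_schedules(datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    for stamp in ("2024-03-04 09:30", "2024-03-04 17:00", "2024-03-02 23:00", "2024-03-02 03:00"):
        print(stamp, active_schedules_at(stamp))
```

The 17:00 case is the one worth checking on a real rule: with an exclusive Stop, a rule scheduled for Work Hours stops matching at exactly 17:00 and an After Hours rule takes over in the same minute, so there is neither a gap nor an overlap between the two.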
CHAPTER 12 Chapter 12: Managing SonicWALL Security Appliance Firmware System > Settings This System > Settings page allows you to manage your SonicWALL security appliance’s SonicOS versions and preferences.
System > Settings Settings Import Settings To import a previously saved preferences file into the SonicWALL security appliance, follow these instructions: Step 1 Click Import Settings to import a previously exported preferences file into the SonicWALL security appliance. The Import Settings window is displayed. Step 2 Click Browse to locate the file which has a *.exp file name extension. Step 3 Select the preferences file. Step 4 Click Import, and restart the firewall.
System > Settings Firmware Management The Firmware Management section provides settings that allow for easy firmware upgrade and preferences management. The Firmware Management section allows you to: • Upload and download firmware images and system settings. • Boot to your choice of firmware and system settings. • Manage system backups. • Easily return your SonicWALL security appliance to the previous system state.
System > Settings • Size - the size of the firmware file in Mebibytes (MiB). • Download - clicking the icon saves the firmware file to a new location on your computer or network. Only uploaded firmware can be saved to a different location. • Boot - clicking the icon reboots the SonicWALL security appliance with the firmware version listed in the same row. Caution Clicking Boot next to any firmware image overwrites the existing current firmware image making it the Current Firmware image.
System > Settings After the SonicWALL security appliance reboots, open your Web browser and enter the current IP address of the SonicWALL security appliance or the default IP address: 192.168.168.168. The SafeMode page is displayed: SafeMode allows you to do any of the following: • Upload and download firmware images to the SonicWALL security appliance. • Upload and download system settings to the SonicWALL security appliance. • Boot to your choice of firmware options. • Create a system backup file.
System > Settings Caution Only select the Boot with firmware diagnostics enabled (if available) option if instructed to by SonicWALL technical support. Firmware Auto-Update SonicOS Enhanced 5.2 introduced the Firmware Auto-Update feature, which helps ensure that your SonicWALL security appliance has the latest firmware release. Firmware Auto-Update contains the following options: • Enable Firmware Auto-Update - Displays an Alert icon when a newer firmware release is available.
CHAPTER 13 Chapter 13: Using the Packet Monitor System > Packet Monitor Note For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which tab it is accessed through.
System > Packet Monitor • Interface identification • MAC addresses • Ethernet type • Internet Protocol (IP) type • Source and destination IP addresses • Port numbers • L2TP payload details • PPP negotiations details You can configure the packet monitor feature in the SonicOS Enhanced management interface. The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets.
System > Packet Monitor Default settings are provided so that you can start using packet monitor without configuring it first. The basic functionality is as follows: Start: Click Start Capture to begin capturing all packets except those used for communication between the SonicWALL appliance and the management interface on your console system. Stop: Click Stop Capture to stop the packet capture. Clear: Click Clear to clear the status counters that are displayed at the top of the Packet Monitor page.
System > Packet Monitor Refer to the figure below to see a high level view of the packet monitor subsystem. This shows the different filters and how they are applied. [Figure: packet monitor subsystem, showing the capture buffer, the management host, and the remote FTP server.] The monitor filter is applied before copying the packet into the capture buffer.
System > Packet Monitor • Encapsulate the packet and send it to a remote SonicWALL appliance. • Send a copy to a physical port with a VLAN configured. Classification is performed on the Monitor Filter and Advanced Monitor Filter tab of the Packet Monitor Configuration window. A local SonicWALL firewall can be configured to receive remotely mirrored traffic from a remote SonicWALL firewall.
System > Packet Monitor Step 2 In the Packet Monitor Configuration window, click the Settings tab. Step 3 Under General Settings in the Number of Bytes To Capture (per packet) box, type the number of bytes to capture from each packet. The minimum value is 64. Step 4 To continue capturing packets after the buffer fills up, select the Wrap Capture Buffer Once Full checkbox.
System > Packet Monitor To enable packet monitoring or flow reporting on an access rule, perform the following steps: Step 1 Navigate to the Firewall > Access Rules page and click the Configure icon for the rule(s) you wish to enable packet monitoring or flow reporting on. Step 2 Select the Enable packet monitor checkbox to send packet monitoring statistics for this rule. Step 3 Click the OK button to save your changes.
System > Packet Monitor Step 2 In the Packet Monitor Configuration window, click the Monitor Filter tab. Step 3 Choose to Enable filter based on the firewall/app rule if you are using firewall rules to capture specific traffic. Note Before the Enable filter based on the firewall/app rule option is selected, be certain you have selected one or more access rules on which to monitor packet traffic.
System > Packet Monitor specified; for example: !TCP, !UDP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See “Supported Packet Types” on page 162. Step 5 • Source IP Address(es) - You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2. You can use one or more negative values to capture packets from all but the specified addresses; for example: !10.3.3.3, !10.4.4.
System > Packet Monitor To configure Packet Monitor display filter settings, complete the following steps: Step 1 Navigate to the Dashboard > Packet Monitor page and click Configure. Step 2 In the Packet Monitor Configuration window, click the Display Filter tab. Step 3 In the Interface Name(s) box, type the SonicWALL appliance interfaces for which to display packets, or use the negative format (!X0) to display packets captured from all interfaces except those specified.
System > Packet Monitor Step 7 In the Source Port(s) box, type the port numbers from which you want to display packets, or use the negative format (!25) to display packets captured from all source ports except those specified. Step 8 In the Destination IP Address(es) box, type the IP addresses for which you want to display packets, or use the negative format (!10.1.2.3) to display packets with all destination addresses except those specified.
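The monitor and display filters above share one value syntax: comma-separated entries, a leading "!" to exclude, protocol types as acronyms or hex values, and the fields combined with a logical AND (the same combination rule the guide gives for the Connections Monitor filter). The following is an added example, not SonicOS code, that implements that syntax as a matcher and runs it over a few constructed packet records so the effect of each form can be checked offline. The mixed-list rule (a positive list acts as an allow-list and every negated entry is excluded from it), the ten-address limit applied to the IP fields, and the sample packets are assumptions for the example; the protocol-number table uses IANA assignments.

```python
"""Matcher for the Packet Monitor filter value syntax (monitor and display filters).
Added example for this guide; not SonicOS code."""
from typing import Callable, Dict, List, Set, Tuple

# IANA protocol numbers for the acronyms accepted here (hex values are always accepted).
IP_PROTO_NAMES = {"ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50, "AH": 51}


def proto_value(token: str) -> int:
    """Accept 'TCP', '0x6' or '6' and return the IP protocol number."""
    token = token.strip()
    if token.lower().startswith("0x"):
        return int(token, 16)
    if token.isdigit():
        return int(token)
    return IP_PROTO_NAMES[token.upper()]  # KeyError for an unknown acronym


def parse_field(text: str, convert: Callable[[str], object]) -> Tuple[Set[object], Set[object]]:
    """Split 'a, !b, c' into (include, exclude) sets; an empty field matches anything."""
    include: Set[object] = set()
    exclude: Set[object] = set()
    for raw in text.split(","):
        token = raw.strip()
        if not token:
            continue
        if token.startswith("!"):
            exclude.add(convert(token[1:].strip()))
        else:
            include.add(convert(token))
    return include, exclude


def field_matches(value: object, include: Set[object], exclude: Set[object]) -> bool:
    """Negated entries always exclude; positive entries, if any, form an allow-list (assumption)."""
    if value in exclude:
        return False
    return not include or value in include


class PacketFilter:
    """One filter tab: every configured field must match (logical AND)."""

    CONVERTERS: Dict[str, Callable[[str], object]] = {
        "interface": lambda t: t.strip().upper(),
        "ip_type": proto_value,
        "src_ip": str.strip,
        "dst_ip": str.strip,
        "src_port": int,
        "dst_port": int,
    }

    def __init__(self, **specs: str):
        self.rules: Dict[str, Tuple[Set[object], Set[object]]] = {}
        for name, text in specs.items():
            include, exclude = parse_field(text, self.CONVERTERS[name])
            if name.endswith("_ip") and len(include) + len(exclude) > 10:
                raise ValueError(f"{name}: at most ten IP addresses may be listed")
            self.rules[name] = (include, exclude)

    def matches(self, packet: Dict[str, object]) -> bool:
        return all(field_matches(packet[name], inc, exc) for name, (inc, exc) in self.rules.items())


def apply_filter(filt: PacketFilter, packets: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [p for p in packets if filt.matches(p)]


# Constructed packet records standing in for captured-packet metadata.
SAMPLE_PACKETS = [
    {"interface": "X0", "ip_type": 6, "src_ip": "10.1.1.1", "dst_ip": "192.2.2.2", "src_port": 51000, "dst_port": 443},
    {"interface": "X1", "ip_type": 17, "src_ip": "10.3.3.3", "dst_ip": "8.8.8.8", "src_port": 53000, "dst_port": 53},
    {"interface": "X0", "ip_type": 1, "src_ip": "10.4.4.4", "dst_ip": "192.2.2.2", "src_port": 0, "dst_port": 0},
]


def demo() -> List[str]:
    """Interface X0, TCP or ICMP (one acronym, one hex value), excluding two source addresses."""
    filt = PacketFilter(interface="X0", ip_type="TCP, 0x1", src_ip="!10.3.3.3, !10.4.4.4")
    return [str(p["src_ip"]) for p in apply_filter(filt, SAMPLE_PACKETS)]


if __name__ == "__main__":
    print(demo())
```

Because the fields are ANDed, a display filter that lists an interface and a negated port does not show "that interface or not that port": it shows packets on that interface whose port is not the one listed, which is the usual source of surprise when a capture looks emptier than expected.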
System > Packet Monitor Step 2 In the Packet Monitor Configuration window, click the Logging tab. Step 3 In the FTP Server IP Address box, type the IP address of the FTP server. Note Make sure that the FTP server IP address is reachable by the SonicWALL appliance. An IP address that is reachable only via a VPN tunnel is not supported. Step 4 In the Login ID box, type the login name that the SonicWALL appliance should use to connect to the FTP server.
System > Packet Monitor Restarting FTP Logging If automatic FTP logging is off, either because of a failed connection or simply disabled, you can restart it in Configure > Logging. Step 1 Navigate to the Dashboard > Packet Monitor page and click Configure. Step 2 In the Packet Monitor Configuration window, click the Logging tab. Step 3 Verify that the settings are correct for each item on the page. See “Configuring Logging Settings” on page 149.
System > Packet Monitor Even when other monitor filters do not match, this option ensures that packets generated by the SonicWALL appliance are captured. This includes packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPOE, and routing protocols. Captured packets are marked with ‘s’ in the incoming interface area when they are from the system stack. Otherwise, the incoming interface is not specified.
System > Packet Monitor Configuring Mirror Settings This section describes how to configure Packet Monitor mirror settings. Mirror settings provide a way to send packets to a different physical port of the same firewall or to send packets to, or receive them from, a remote SonicWALL firewall. To configure mirror settings, perform the following steps: Step 1 Navigate to the Dashboard > Packet Monitor page and click Configure. Step 2 In the Packet Monitor Configuration window, click the Mirror tab.
System > Packet Monitor Step 7 In the Encrypt remote mirrored packets via IPSec (preshared key-IKE) field, type the preshared key to be used to encrypt traffic when sending mirrored packets to the remote SonicWALL. Configuring this field enables an IPSec transport mode tunnel between this appliance and the remote SonicWALL. This pre-shared key is used by IKE to negotiate the IPSec keys. Note The Encrypt remote mirrored packets via IPSec (preshared key-IKE) option is inactive in SonicOS Enhanced 5.
System > Packet Monitor The Dashboard > Packet Monitor page is shown below: For an explanation of the status indicators near the top of the page, see “Understanding Status Indicators” on page 159.
System > Packet Monitor Step 5 To stop the packet capture, click Stop Capture. You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See “Viewing Captured Packets” on page 156. Starting and Stopping Packet Mirror You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror. It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings.
System > Packet Monitor • Egress - The SonicWALL appliance interface on which the packet was captured when sent out – The subsystem type abbreviation is shown in parentheses.
System > Packet Monitor About the Packet Detail Window When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select. About the Hex Dump Window When you click on a packet in the Captured Packets window, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump window.
System > Packet Monitor Verifying Packet Monitor Activity This section describes how to tell if your packet monitor, mirroring, or FTP logging is working correctly according to the configuration. It contains the following sections: • “Understanding Status Indicators” on page 159 • “Clearing the Status Information” on page 161 Understanding Status Indicators The main Packet Monitor page displays status indicators for packet capture, mirroring, and FTP logging.
System > Packet Monitor Mirroring Status There are three status indicators for packet mirroring: Local mirroring – Packets sent to another physical interface on the same SonicWALL For local mirroring, the status indicator shows one of the following three conditions: • Red – Mirroring is off • Green – Mirroring is on • Yellow – Mirroring is on but disabled because the local mirroring interface is not specified The local mirroring row also displays the following statistics: • Mirroring to interface –
System > Packet Monitor FTP Logging Status The FTP logging status indicator shows one of the following three conditions: • Red – Automatic FTP logging is off • Green – Automatic FTP logging is on • Yellow – The last attempt to contact the FTP server failed, and logging is now off To restart automatic FTP logging, see “Restarting FTP Logging” on page 151.
System > Packet Monitor Related Information This section contains the following: • “Supported Packet Types” on page 162 • “File Formats for Export As” on page 162 Supported Packet Types When specifying the Ethernet or IP packet types that you want to monitor or display, you can use either the standard acronym for the type, if supported, or the corresponding hexadecimal representation. To determine the hex value for a protocol, refer to the RFC for the number assigned to it by IANA.
Examples of the HTML and Text formats are shown in the following sections:
• “HTML Format” on page 163
• “Text File Format” on page 164

HTML Format
You can view the HTML format in a browser. The following is an example showing the header and part of the data for the first packet in the buffer.
Text File Format
You can view the text format output in a text editor. The following is an example showing the header and part of the data for the first packet in the buffer.
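The Packet Detail and Hex Dump windows described above decode the captured frame’s header fields and render its bytes as hex and ASCII. The following script is an added example (not SonicOS code or an actual Packet Monitor export) that does the same thing for an Ethernet II frame carrying IPv4, and shows the IANA hex values that the Supported Packet Types filters accept in place of acronyms. The frame it decodes is constructed inline (a UDP datagram from 192.168.0.200 to 192.168.0.1, addresses borrowed from the topology figures later in this guide), so it runs offline.

```python
"""Decode an Ethernet/IPv4 frame as the Packet Detail window does and render
its bytes like the Hex Dump window.

Added example, not SonicOS code. The frame is constructed inline so the
script runs offline.
"""
import struct

# IANA-assigned numbers; these are the hex values the Packet Monitor
# filters accept instead of the acronyms (a small subset for illustration).
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def mac(raw: bytes) -> str:
    return ":".join(f"{x:02X}" for x in raw)


def ip(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


def decode_frame(frame: bytes) -> dict:
    """Return the header fields for an Ethernet II frame; IPv4 fields if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = {
        "dst_mac": mac(dst),
        "src_mac": mac(src),
        "ethertype": f"0x{ethertype:04X}",
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }
    if ethertype != 0x0800:
        return fields  # non-IPv4 payload: only the Ethernet header is shown
    ihl = frame[14] & 0x0F
    if ihl < 5 or len(frame) < 14 + ihl * 4:
        raise ValueError("truncated or malformed IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    fields.update({
        "ip_version": ver_ihl >> 4,
        "ip_header_len": ihl * 4,
        "ip_total_len": total_len,
        "ttl": ttl,
        "protocol": f"0x{proto:02X}",
        "protocol_name": IP_PROTOCOLS.get(proto, "unknown"),
        "src_ip": ip(src_ip),
        "dst_ip": ip(dst_ip),
    })
    return fields


def hex_dump(data: bytes, width: int = 16) -> str:
    """Offset, hex bytes and printable ASCII, one row per `width` bytes."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart}  {asc}")
    return "\n".join(rows)


def build_sample_frame() -> bytes:
    """Constructed input: Ethernet II + IPv4 + UDP (port 53) carrying 'hello'."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         bytes([192, 168, 0, 200]), bytes([192, 168, 0, 1]))
    eth = (bytes.fromhex("0006B1101010") + bytes.fromhex("001122334455")
           + struct.pack("!H", 0x0800))
    return eth + ip_hdr + udp


if __name__ == "__main__":
    sample = build_sample_frame()
    for name, value in decode_frame(sample).items():
        print(f"{name:16} {value}")
    print(hex_dump(sample))
```

Checksums are left at zero because the frame is never transmitted; a real capture will show non-zero values and the decode is unaffected.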
Chapter 14: Using Diagnostic Tools & Restarting the Appliance

System > Diagnostics
The System > Diagnostics page provides several diagnostic tools that help troubleshoot network problems, as well as the Active Connections, CPU and Process Monitors.
Tech Support Report
The Tech Support Report generates a detailed report of the SonicWALL security appliance configuration and status, and saves it to the local hard disk using the Download Report button. This file can then be e-mailed to SonicWALL Technical Support to help assist with a problem.
Tip: You must register your SonicWALL security appliance on mysonicwall.com to receive technical support.
Diagnostic Tools
You select the diagnostic tool from the Diagnostic Tool drop-down list in the Diagnostic Tool section of the System > Diagnostics page.
Check Network Settings
Check Network Settings is a diagnostic tool that automatically checks the network connectivity and service availability of several pre-defined functional areas of SonicOS, returns the results, and attempts to describe the causes if any exceptions are detected. This tool helps administrators locate the problem area when users encounter a network problem.
The Check Network Settings tool depends on the Network Monitor feature available on the Network > Network Monitor page of the SonicOS management interface. Whenever the Check Network Settings tool is being executed (except during the Content Filter test), a corresponding Network Monitor Policy appears on the Network Monitor page, with a special diagnostic tool policy name in the form “diagTestPolicyAuto__0”.
Active Connections Monitor Settings
You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Src Interface, and Dst Interface. Enter your filter criteria in the Active Connections Monitor Settings table. The fields you enter values into are combined into a search string with a logical AND.
Multi-Core Monitor
The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the SonicWALL security appliance. Core 0 handles the control plane. The control plane processes all web server requests for the SonicOS UI as well as functions like FTP and VoIP control connections. Core 0 usage is displayed in green on the Multi-Core Monitor. The remaining cores handle the data plane.
Core Monitor
The Core Monitor displays dynamically updated statistics on the utilization of a single specified core on the SonicWALL NSA E-Class series security appliances. The View Style provides a wide range of time intervals that can be displayed to review core usage.
Note: High utilization on Core 0 is normal while browsing the Web management interface and applying changes. All Web management requests are processed by Core 0 and do not impact the other cores.
CPU Monitor
The CPU Monitor diagnostic tool shows real-time CPU utilization in second, minute, hour, and day intervals (historical data does not persist across reboots). The CPU Monitor is only included on single-core SonicWALL security appliances. The multi-core appliances display the Multi-Core Monitor instead.
Note: High CPU utilization is normal during Web-management page rendering, and while saving preferences to flash.
Link Monitor
The Link Monitor displays bandwidth utilization for the interfaces on the SonicWALL security appliance. Bandwidth utilization is shown as a percentage of total capacity. The Link Monitor can be configured to display inbound traffic, outbound traffic or both for each of the physical interfaces on the appliance.

Packet Size Monitor
The Packet Size Monitor displays sizes of packets on the interfaces on the SonicWALL security appliance.
DNS Name Lookup
The SonicWALL security appliance has a DNS lookup tool that returns the IP address of a domain name. Or, if you enter an IP address, it returns the domain name for that address.
Step 1 Enter the host name or IP address in the Look up name field. Do not add http:// to the host name.
Step 2 The SonicWALL security appliance queries the DNS Server and displays the result in the Result section. It also displays the IP address of the DNS Server used to perform the query.
Core 0 Process Monitor
The Core 0 Process Monitor shows the individual system processes on core 0, their CPU utilization, and their system time. The Core 0 Process Monitor is only available on the multi-core NSA E-Class appliances.

Real-Time Black List Lookup
The Real-Time Black List Lookup tool allows you to test SMTP IP addresses, RBL services, or DNS servers.
Reverse Name Resolution
The Reverse Name Resolution tool is similar to the DNS name lookup tool, except that it looks up a server name, given an IP address. Enter an IP address in the Reverse Lookup the IP Address field, and it checks all DNS servers configured for your security appliance to resolve the IP address into a server name.

Connection Limit TopX
The Connection Limit TopX tool lists the top 10 connections by the source and destination IP addresses.
the output is displayed under Result. The results include the domain name or IP address that you entered, the DNS server from your list that was used, the resolved email server domain name and/or IP address, and the banner received from the domain server or a message that the connection was refused. The contents of the banner depend on the server you are looking up.
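The Active Connections Monitor filter (populated fields ANDed together) and the Connection Limit TopX ranking described above are easy to reproduce offline against an exported connection table. The following script is an added example, not SonicOS code: the connection records are constructed (the interface names X0, X1, X3 and the addresses are taken from the topology examples later in this guide), and it adds a per-source count check of the kind a connection-limit rule would apply.

```python
"""Filter a connection table with ANDed criteria, as the Active Connections
Monitor does, and rank the busiest addresses like Connection Limit TopX.

Added example, not SonicOS code. The connection records are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    src_iface: str
    dst_iface: str


# Constructed sample table (not a real export).
SAMPLE = [
    Connection("192.168.0.200", 50001, "10.0.0.5", 443, "TCP", "X0", "X1"),
    Connection("192.168.0.200", 50002, "10.0.0.5", 80, "TCP", "X0", "X1"),
    Connection("192.168.0.200", 50003, "10.0.0.9", 53, "UDP", "X0", "X1"),
    Connection("192.168.0.201", 50010, "10.0.0.5", 443, "TCP", "X0", "X1"),
    Connection("192.168.0.201", 50011, "172.16.31.7", 22, "TCP", "X0", "X3"),
    Connection("172.16.31.7", 40000, "192.168.0.100", 25, "TCP", "X3", "X0"),
    Connection("192.168.0.202", 50020, "10.0.0.5", 443, "TCP", "X0", "X1"),
    Connection("192.168.0.202", 50021, "10.0.0.5", 443, "TCP", "X0", "X1"),
]


def filter_connections(conns: Iterable[Connection], *,
                       src_ip: Optional[str] = None, dst_ip: Optional[str] = None,
                       dst_port: Optional[int] = None, protocol: Optional[str] = None,
                       src_iface: Optional[str] = None, dst_iface: Optional[str] = None
                       ) -> List[Connection]:
    """Fields left as None are ignored; every supplied field must match (AND)."""
    wanted = {
        "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port,
        "protocol": protocol, "src_iface": src_iface, "dst_iface": dst_iface,
    }
    criteria = {k: v for k, v in wanted.items() if v is not None}
    return [c for c in conns
            if all(getattr(c, k) == v for k, v in criteria.items())]


def top_n(conns: Iterable[Connection], key: str, n: int = 10) -> List[Tuple[str, int]]:
    """Top N addresses by connection count; key is 'src_ip' or 'dst_ip'."""
    if key not in ("src_ip", "dst_ip"):
        raise ValueError("key must be 'src_ip' or 'dst_ip'")
    return Counter(getattr(c, key) for c in conns).most_common(n)


def sources_over_limit(conns: Iterable[Connection], limit: int) -> List[str]:
    """Source addresses holding more than `limit` connections, busiest first."""
    return [ip for ip, count in top_n(conns, "src_ip", n=None) if count > limit]


if __name__ == "__main__":
    for c in filter_connections(SAMPLE, dst_ip="10.0.0.5", dst_port=443):
        print(c)
    print(top_n(SAMPLE, "src_ip", 3))
    print(sources_over_limit(SAMPLE, 2))
```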
User Monitor
The User Monitor tool displays details on all user connections to the SonicWALL security appliance. The following options can be configured to modify the User Monitor display:
• View Style – Select whether to display the Last 30 Minutes, the Last 24 Hours, or the Last 30 Days.
• Vertical Axis – Select whether the scale of the vertical axis should be set for 500 Users or 50 Users.
• Show – Select whether to show All Users, Remote Users with GVC/L2TP Client, or Users Authenticated by Web Login.

System > Restart
The SonicWALL security appliance can be restarted from the Web Management interface. Click System > Restart to display the Restart page. Click Restart... and then click Yes to confirm the restart. The SonicWALL security appliance takes approximately 60 seconds to restart, and the yellow Test light is lit during the restart.
Part 4:
Chapter 15: Configuring Interfaces

Network > Interfaces
The Network > Interfaces page includes interface objects that are directly linked to physical interfaces. The SonicOS Enhanced scheme of interface addressing works in conjunction with network zones and address objects. The interfaces displayed on the Network > Interfaces page depend on the type of SonicWALL appliance. The page pictured below is for SonicWALL TZ 100 or 200 Wireless-N appliances.
• “IPS Sniffer Mode” on page 214
• “Configuring Interfaces” on page 219
• “Configuring Layer 2 Bridge Mode” on page 247
• “Configuring IPS Sniffer Mode” on page 258
• “Configuring Wire Mode” on page 262

Setup Wizard
The Setup Wizard button accesses the Setup Wizard. The Setup Wizard walks you through the configuration of the SonicWALL security appliance for Internet connectivity. For Setup Wizard instructions, see “Wizards > Setup Wizard” on page 1397.
• Configure – click the Configure icon to display the Edit Interface window, which allows you to configure the settings for the specified interface.

Interface Traffic Statistics
The Interface Traffic Statistics table lists received and transmitted information for all configured interfaces. The following information is displayed for all SonicWALL security appliance interfaces:
• Rx Unicast Packets – indicates the number of point-to-point communications received by the interface.
Physical Interfaces
Physical interfaces must be assigned to a zone to allow for configuration of Access Rules to govern inbound and outbound traffic. A security zone is bound to each physical interface, which acts as a conduit for inbound and outbound traffic. If a zone has no interface, traffic cannot enter or exit the zone. For more information on zones, see “Network > Zones” on page 283.
Subinterfaces
VLAN support on SonicOS Enhanced is achieved by means of subinterfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID requires its own subinterface. For reasons of security and control, SonicOS does not participate in any VLAN trunking protocols, but instead requires that each VLAN that is to be supported be configured and assigned appropriate security characteristics.
Zones are the hierarchical apex of SonicOS Enhanced’s secure objects architecture. SonicOS Enhanced includes predefined zones and also allows you to define your own zones. Predefined zones include LAN, DMZ, WAN, WLAN, and Custom. Zones can include multiple interfaces; however, the WAN zone is restricted to a total of two interfaces.
You can also use L2 Bridge Mode in a High Availability deployment. This scenario is explained in the “Layer 2 Bridge Mode with High Availability” section on page 209.
Feature: Mixed-Mode Operation
Benefit: L2 Bridge Mode can concurrently provide L2 Bridging and conventional security appliance services, such as routing, NAT, VPN, and wireless operations. This means it can be used as an L2 Bridge for one segment of the network, while providing a complete set of security services to the remainder of the network.
does not preclude an interface from conventional behavior; for example, if X1 is configured as a Primary Bridge Interface paired to X3 as a Secondary Bridge Interface, X1 can simultaneously operate in its traditional role as the Primary WAN, performing NAT for Internet-bound traffic through the Auto-added X1 Default NAT Policy.
• Primary Bridge Interface – A designation that is assigned to an interface once a Secondary Bridge Interface has been paired to it.
– Wireless services with SonicPoints, where communications will occur between wireless clients and hosts on the Bridge-Pair.
interface or through a reboot. Once the router’s ARP cache is cleared, it can then send a new ARP request for 192.168.0.100, to which the SonicWALL will respond with its X1 MAC 00:06:B1:10:10:11.

VLAN Support in Transparent Mode
While the network depicted in the above diagram is simple, it is not uncommon for larger networks to use VLANs for segmentation of traffic.
[Figure: Simple Transparent Mode Topology. A workstation (MAC 00:11:22:33:44:55) and a server (MAC 00:AA:BB:CC:DD:EE) on the LAN segment 192.168.0.x/24, default gateway 192.168.0.1, connect through a switch to the SonicWALL firewall’s X0 (LAN) interface, which is in Transparent Mode with a range starting at 192.168.0.100. Note: hosts on this segment resolve 192.168.0.1 to the X0 MAC 00:06:B1:10:10:10.]
VLAN Support in L2 Bridge Mode
On SonicWALL NSA series appliances, L2 Bridge Mode provides fine control over 802.1Q VLAN traffic traversing an L2 Bridge. The default handling of VLANs is to allow and preserve all 802.1Q VLAN tags as they pass through an L2 Bridge, while still applying all firewall rules, and stateful and deep-packet inspection to the encapsulated traffic. It is further possible to specify white/black lists for allowed/disallowed VLAN IDs through the L2 Bridge.
– If the VLAN ID is allowed, the packet is de-capsulated, the VLAN ID is stored, and the inner packet (including the IP header) is passed through the full packet handler.
3. Since any number of subnets is supported by L2 Bridging, no source IP spoof checking is performed on the source IP of the packet. It is possible to configure L2 Bridges to only support a certain subnet or subnets using Firewall Access Rules.
4. SYN Flood checking is performed.
5.
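The VLAN handling described in the two passages above (default pass-and-preserve of all 802.1Q tags, optional white/black lists of VLAN IDs, then de-capsulation of the allowed frame for the full packet handler) can be modelled in a few dozen lines. The following is an added example, not SonicOS code or its actual forwarding logic: the frames are constructed inline, the `BridgeVlanPolicy` and `handle_bridge_frame` names are this example’s own, and SYN-flood and Access Rule checks that follow in the real pipeline are out of scope here.

```python
"""Model of the 802.1Q handling an L2 Bridge applies to a frame: read the
VLAN ID, apply the allowed (white) or disallowed (black) list, then strip the
tag so the inner packet can go through the full packet handler.

Added example, not SonicOS code. Frames are constructed inline.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Set

ETHERTYPE_VLAN = 0x8100


@dataclass
class BridgeVlanPolicy:
    """Hypothetical policy object. With both lists None every tag is allowed
    and preserved, matching the documented default behaviour."""
    allowed: Optional[Set[int]] = None   # white list: only these IDs pass
    blocked: Optional[Set[int]] = None   # black list: these IDs are dropped

    def permits(self, vlan_id: int) -> bool:
        if self.allowed is not None and vlan_id not in self.allowed:
            return False
        if self.blocked is not None and vlan_id in self.blocked:
            return False
        return True


@dataclass
class BridgeResult:
    action: str                 # "pass" or "drop"
    vlan_id: Optional[int]      # None for untagged frames
    inner: Optional[bytes]      # frame handed on to the full packet handler


def handle_bridge_frame(frame: bytes, policy: BridgeVlanPolicy) -> BridgeResult:
    if len(frame) < 14:
        return BridgeResult("drop", None, None)          # not even an Ethernet header
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return BridgeResult("pass", None, frame)          # untagged: no VLAN check
    if len(frame) < 18:
        return BridgeResult("drop", None, None)          # truncated 802.1Q tag
    (tci,) = struct.unpack("!H", frame[14:16])
    vlan_id = tci & 0x0FFF                                # low 12 bits; PCP/DEI ignored
    if not policy.permits(vlan_id):
        return BridgeResult("drop", vlan_id, None)
    # De-capsulate: remove the 4-byte tag (TPID + TCI) so the inner
    # Ethernet/IP packet is inspected as if untagged. The VLAN ID is kept
    # in the result so the tag can be restored on the Bridge-Partner side.
    inner = frame[:12] + frame[16:]
    return BridgeResult("pass", vlan_id, inner)


def tagged_frame(vlan_id: int, pcp: int = 0, inner_type: int = 0x0800,
                 payload: bytes = b"\x45" + bytes(19)) -> bytes:
    """Constructed 802.1Q frame with a minimal IPv4-looking payload."""
    dst = bytes.fromhex("0006B1101010")
    src = bytes.fromhex("001122334455")
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, inner_type) + payload


def untagged_frame(payload: bytes = b"\x45" + bytes(19)) -> bytes:
    return (bytes.fromhex("0006B1101010") + bytes.fromhex("001122334455")
            + struct.pack("!H", 0x0800) + payload)


if __name__ == "__main__":
    policy = BridgeVlanPolicy(allowed={100, 200})
    for vid in (100, 300):
        print(vid, handle_bridge_frame(tagged_frame(vid), policy).action)
```

Restoring the tag when the frame leaves on the Bridge-Partner interface is the inverse operation: re-insert `struct.pack("!HH", 0x8100, tci)` after the source MAC.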
Multiple Subnets in L2 Bridge Mode
L2 Bridge Mode is capable of handling any number of subnets across the bridge, as described above. The default behavior is to allow all subnets, but Access Rules can be applied to control traffic as needed.

Non-IPv4 Traffic in L2 Bridge Mode
Unsupported traffic will, by default, be passed from one L2 Bridge interface to the Bridge-Partner interface.
Subnets supported
L2 Bridge Mode: Any number of subnets is supported. Firewall Access Rules can be written to control traffic to/from any of the subnets as needed.
Transparent Mode: In its default configuration, Transparent Mode only supports a single subnet (that which is assigned to, and spanned from, the Primary WAN). It is possible to manually add support for additional subnets through the use of ARP entries and routes.
Stateful Packet Inspection
L2 Bridge Mode: Full stateful packet inspection is applied to all IPv4 traffic traversing the L2 Bridge for all subnets, including VLAN traffic on SonicWALL NSA series appliances.
Transparent Mode: Full stateful packet inspection is applied to traffic from/to the subnets defined by Transparent Mode Address Object assignment.

Security services
L2 Bridge Mode: All security services (GAV, IPS, Anti-Spy, CFS) are fully supported for all regular IP traffic, as well as all 802.1Q encapsulated VLAN traffic.
L2 Bridge Path Determination
Packets received by the SonicWALL on Bridge-Pair interfaces must be forwarded along the appropriate and optimal path toward their destination, whether that path is the Bridge-Partner, some other physical or sub interface, or a VPN tunnel. Similarly, packets arriving from other paths (physical, virtual or VPN) bound for a host on a Bridge-Pair must be sent out over the correct Bridge-Pair interface.
L2 Bridge Interface Zone Selection
Bridge-Pair interface zone assignment should be done according to your network’s traffic flow requirements. Unlike Transparent Mode, which imposes a system of “more trusted to less trusted” by requiring that the source interface be the Primary WAN, and the transparent interface be Trusted or Public, L2 Bridge Mode allows for greater control of operational levels of trust.
Based on the source and destination, the packet’s directionality is categorized as either Incoming or Outgoing (not to be confused with Inbound and Outbound), where the following criteria are used to make the determination (source zone trust level down the left, destination zone trust level across the top):

Src \ Dest    Untrusted  Public     Wireless   Encrypted  Trusted    Multicast
Untrusted     Incoming   Incoming   Incoming   Incoming   Incoming   Incoming
Public        Outgoing   Outgoing   Outgoing   Incoming   Incoming   Incoming
Wireless      Outgoing   Outgoing   Trust      Trust      Trust      Incoming
Access Rule Defaults
Default, zone-to-zone Access Rules. The default Access Rules should be considered, although they can be modified as needed. The defaults are as follows:

WAN Connectivity
Internet (WAN) connectivity is required for stack communications, such as licensing, security services signature downloads, NTP (time synchronization), and CFS (Content Filtering Services). At present, these communications can only occur through the Primary WAN interface.
See the following sections:
• “Wireless Layer 2 Bridge” on page 204
• “Inline Layer 2 Bridge Mode” on page 205
• “Perimeter Security” on page 207
• “Internal Security” on page 208
• “Layer 2 Bridge Mode with High Availability” on page 209
• “Layer 2 Bridge Mode with SSL VPN” on page 210

Wireless Layer 2 Bridge
In wireless mode, after bridging the wireless (WLAN) interface to a LAN or DMZ zone, the WLAN zone becomes the secondary bridged interface, allowing wireless clients
To configure a WLAN to LAN Layer 2 interface bridge:
Step 1 Navigate to the Network > Interfaces page in the SonicOS management interface.
Step 2 Click the Configure icon for the wireless interface you wish to bridge. The Edit Interface window displays.
Step 3 Select Layer 2 Bridged Mode as the IP Assignment.
HP’s ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server software packages can be used to manage the switches as well as some aspects of the SonicWALL UTM appliance.
Perimeter Security
The following diagram depicts a network where the SonicWALL is added to the perimeter for the purpose of providing security services (the network may or may not have an existing firewall between the SonicWALL and the router).
[Figure: Perimeter Security topology. The SonicWALL firewall operates in L2 Bridge Mode in front of a workgroup switch carrying VLAN 100; a workstation 10.0.100.200/24 (gateway 10.0.100.1, MAC 00:11:55:66:77:88) and a server on the 10.0.100.x subnet sit behind the switch. X0 (LAN) is shown with MAC 00:06:B1:10:10:10.]
Internal Security
[Figure: Internal Security topology, SonicWALL firewall in mixed L2 Bridge Mode. A file server 192.168.0.101/24 (MAC 00:CC:AA:BB:EE:EE), a mail and DHCP server 192.168.0.100/24 (MAC 00:AA:BB:CC:DD:EE) and workstations 192.168.0.200/24, all with gateway 192.168.0.1, are served by X2 (LAN, 192.168.0.1/24, MAC 00:06:B1:10:10:12). X1 (WAN, MAC 00:06:B1:10:10:11) uses gateway 10.0.0.1; X3 (WLAN) is on 172.16.31.x.]
b. Security services directionality would be classified as Outgoing for traffic from the Workstations to the Server since the traffic would have a Trusted source zone and a Public destination zone. This might be sub-optimal since it would provide less scrutiny than the Incoming or (ideally) Trust classifications.
When setting up this scenario, there are several things to take note of on both the SonicWALLs and the switches.
On the SonicWALL appliances:
• Do not enable the Virtual MAC option when configuring High Availability. In a Layer 2 Bridge Mode configuration, this function is not useful.
• Enabling Preempt Mode is not recommended in an inline environment such as this.
On the Firewall > Access Rules page, click the Configure icon for the intersection of WAN to LAN traffic. Click the Configure icon next to the default rule that implicitly blocks uninitiated traffic from the WAN to the LAN. In the Edit Rule window, select Allow for the Action setting, and then click OK.
For the Management setting, select the HTTPS and Ping check boxes. Click OK to save and activate the changes.
To configure the LAN interface settings, navigate to the Network > Interfaces page and click the Configure icon for the LAN interface. For the IP Assignment setting, select Layer 2 Bridged Mode. For the Bridged to setting, select X1.
Click OK to save and activate the change. You may be automatically disconnected from the UTM appliance’s management interface. You can now disconnect your management laptop or desktop from the UTM appliance’s X0 interface and power the UTM appliance off before physically connecting it to your network.
Configure or verify settings
From a management station inside your network, you should now be able to access the management interface on the UTM appliance using its WAN IP address. Make sure that all security services for the SonicWALL UTM appliance are enabled. See “Licensing Services” on page 248 and “Activating UTM Services on Each Zone” on page 250.
The WAN interface of the SonicWALL is used to connect to the SonicWALL Data Center for signature updates or other data.
[Figure: IPS Sniffer Mode topology. Mirrored data from the main switch is fed to the E7500; the WAN port connects through the gateway for Data Center access.]
In IPS Sniffer Mode, a Layer 2 Bridge is configured between two interfaces in the same zone on the SonicWALL, such as LAN-LAN or DMZ-DMZ. You can also create a custom zone to use for the Layer 2 Bridge. Only the WAN zone is not appropriate for IPS Sniffer Mode.
checkbox should also be selected for IPS Sniffer Mode to ensure that the traffic from the mirrored switch port is not sent back out onto the network. (The Never route traffic on this bridge-pair setting is known as Captive-Bridge Mode.) For detailed instructions on configuring interfaces in IPS Sniffer Mode, see “Configuring IPS Sniffer Mode” on page 258.
Sample IPS Sniffer Mode Topology
This section provides an example topology that uses SonicWALL IPS Sniffer Mode in a Hewlett-Packard ProCurve switching environment. This scenario relies on the ability of HP’s ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server software packages to throttle or close ports from which threats are emanating.
To configure this deployment, navigate to the Network > Interfaces page and click on the configure icon for the X2 interface. On the X2 Settings page, set the IP Assignment to ‘Layer 2 Bridged Mode’ and set the Bridged To: interface to ‘X0’. Select the checkbox for Only sniff traffic on the bridge-pair. Click OK to save and activate the change.
Next, go to the Network > Interfaces page and click on the configure icon for the X1 WAN interface.
Configuring Interfaces
This section is divided into:
• “Configuring the Static Interfaces” on page 219
• “Configuring Interfaces in Transparent Mode” on page 221
• “Configuring Wireless Interfaces” on page 223
• “Configuring a WAN Interface” on page 225
• “Configuring the NSA Expansion Pack Module Interface (NSA 2400MX and 250M only)” on page 229
• “Configuring Link Aggregation and Port Redundancy” on page 238
• “Configuring Routed Mode” on page 242
• “Configuring the U0
Note: The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address.

Configuring Advanced Settings for the Interface
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL.
Configuring Interfaces in Transparent Mode
Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface. To configure an interface for transparent mode, complete the following steps:
Step 1 Click on the Configure icon in the Configure column for the Unassigned Interface you want to configure. The Edit Interface window is displayed.
Step 2 Select an interface.
• If you select a configurable interface, select LAN or DMZ for Zone.
c. Enter the IP address of the host, the beginning and ending address of the range, or the IP address and subnet mask of the network.
d. Click OK to create the address object and return to the Edit Interface window. See “Network > Address Objects” on page 299 for more information.
Step 5 Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
Configuring Wireless Interfaces
A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points.
Step 1 Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
Step 2 In the Zone list, select WLAN or a custom Wireless zone.
Step 3 Enter the IP address and subnet mask of the zone in the IP Address and Subnet Mask fields.
Note: The above table depicts the maximum subnet mask sizes allowed. You can still use classful subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (e.g. 24-bit class C, 255.255.255.0, 254 total usable IPs), thus allocating more IP addressing space to clients if you have the need to support larger numbers of wireless clients.
On SonicWALL NSA series appliances, select the Enable 802.1p tagging checkbox to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management. Packets sent through this interface are tagged with VLAN id=0 and carry 802.1p priority information. In order to make use of this priority information, devices connected to this interface should support priority frames.
• L2TP – uses IPsec to connect an L2TP (Layer 2 Tunneling Protocol) server and encrypts all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations.
Note: For Windows clients, L2TP is supported by Windows 2000 and Windows XP. If you are running other versions of Windows, you must use PPTP as your tunneling protocol.
Step 4
Ethernet Settings
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection.
Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second.
Note: The Bandwidth Management settings are applied to all interfaces in the WAN zone, not just to the interface being configured.
• Enable Egress Bandwidth Management – Enables outbound bandwidth management.
If you are using PPPoE, a Client Settings section displays in the Protocol tab:
Step 3 If you want PPPoE to disconnect after a specific time period, click the Inactivity Disconnect checkbox and enter the time period (in minutes).
Step 4 If you want to use LCP echo packets for server keep-alive, click the Strictly use LCP echo packets for server keep-alive checkbox.
Configuring the ADSL Expansion Module
ADSL is an acronym for Asymmetric Digital Subscriber Line (or Loop). The line is asymmetric because, when connected to the ISP, the upstream and downstream speeds of transmission are different. The DSL technology allows non-voice services (data) to be provided on regular single copper wire-pair POTS connections (such as your home phone line).
The ADSL interface is never unassigned. When plugged in, it is always present in the WAN zone, and the zone assignment cannot be modified by the administrator.
Click on the Configure icon to the right of the interface entry. You will see a menu with three tabs: General, Advanced, and DSL Settings. The DSL Settings tab allows you to configure ISP-specific settings for the ADSL connection.
When the ADSL module is first plugged in, it should be added to the WAN Load Balancing default group so that the ADSL module can be used to handle default route traffic. Go to the Failover and LB screen and click the Configure icon to edit the settings.
On the General menu, add the ADSL interface to the Load Balancing group. If the default primary WAN, X1, is unused or unconfigured, it can be removed for a cleaner interface configuration. When done, click OK, and the ADSL module will be added to the group.

Configuring the T1/E1 Module
The 1-port T1/E1 Module provides the connection of a T1 or E1 (digitally multiplexed telecommunications carrier system) circuit to a SonicWALL appliance using an RJ-45 jack.
To configure the T1/E1 Module, perform the following tasks:
Step 1 Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed. The General tab allows you to set up the type of encapsulation: PPP or HDLC, as well as the management interface type and level of user security login. The Zone setting is disabled.
Step 2 Select the desired type of encapsulation: PPP, HDLC, or Cisco HDLC.
If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP. You can select HTTP for management traffic; however, bear in mind that HTTP traffic is unencrypted and therefore less secure than HTTPS. You can also set the level of security (HTTP or HTTPS) at this time.
Step 4 Click on the Advanced tab. You will see two radio buttons, one for T1 and one for E1.
Step 9 Line Build Out is available with T1. The options are: 0.0 dB, -7.5 dB, -15 dB, -22.5 dB. CRC is configured with an enable/disable check-box. When T1 is selected, the check-box is labeled CRC6; when E1 is selected, the check-box is labeled CRC4. You can also choose to enable multicast.
Step 10 When finished with configuration, click OK.
Configuring the 2 Port SFP or 4 Port Gigabit Ethernet Modules (NSA 2400MX and NSA 250M)
Step 1 Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed.
Step 2 If you’re configuring an Unassigned Interface, you can select any zone from the Zone menu. LAN is already selected in the Zone menu. Select one of the following LAN Network Addressing Modes from the IP Assignment menu.
Configuring the Advanced Settings for the Module Interface
The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, enabling multicast support on the interface, and enabling 802.1p tagging. Packets sent out with 802.1p tagging are tagged VLAN id=0 and carry 802.1p priority information. Devices connected to this interface need to support priority frames.
Link Aggregation
Link Aggregation is used to increase the available bandwidth between the firewall and a switch by aggregating up to four interfaces into a single aggregate link, referred to as a Link Aggregation Group (LAG). All ports in an aggregate link must be connected to the same switch. The firewall uses a round-robin algorithm for load balancing traffic across the interfaces in a Link Aggregation Group.
2. Click on the Advanced tab.
3. In the Redundant/Aggregate Ports pulldown menu, select Link Aggregation.
4. The Aggregate Port option is displayed with a checkbox for each of the currently unassigned interfaces on the firewall. Select up to three other interfaces to assign to the LAG.
Note: After an interface is assigned to a Link Aggregation Group, its configuration is governed by the Link Aggregation master interface and it cannot be configured independently.
Port Redundancy Failover
SonicWALL provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Port Redundancy. If all three of these features are configured on a firewall, the following order of precedence is followed in the case of a link failure:
1. Port Redundancy
2. HA
3. LB Group
When Port Redundancy is used with HA, Port Redundancy takes precedence.
Network > Interfaces Configuring Routed Mode Routed Mode provides an alternative for NAT for routing traffic between separate public IP address ranges. Consider the following topology where the firewall is routing traffic across two public IP address ranges: • 10.50.26.0/24 • 172.16.6.0/24 By enabling Routed Mode on the interface for the 172.16.6.0 network, all inbound and outbound traffic will be routed to the WAN interface configured for the 10.50.26.0 network.
Network > Interfaces 3. Under the Expert Mode Settings heading, select the Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation checkbox to enable Routed Mode for the interface. 4. In the Set NAT Policy's outbound\inbound interface to pulldown menu, select the WAN interface that is to be used to route traffic for the interface. 5. Click OK. The firewall then creates two “No-NAT” policies for both the configured interface and the selected WAN interface.
Configuring SonicWALL PortShield Interfaces

PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed PortShield that enjoys the protection of a dedicated, deep packet inspection firewall. PortShield is supported on SonicWALL TZ Series and NSA 240 appliances.

To configure a PortShield interface, perform the following steps: Step 1 Click on the Network > Interfaces page. Step 2 Click the Configure button for the interface you want to configure. The Edit Interface window displays. Step 3 In the Zone pulldown menu, select the zone type option to which you want to map the interface.

Note: You can add PortShield interfaces only to Trusted, Public, and Wireless zones. Step 4 In the IP Assignment pulldown menu, select PortShield Switch Mode. Step 5 In the PortShield to pulldown menu, select the interface you want to map this port to. Only ports that match the zone you have selected are displayed.

Configuring VLAN Subinterfaces

VLAN subinterfaces are supported on SonicWALL NSA series appliances.

Step 6 Configure the subinterface network settings based on the zone you selected.

• Apply security services to the appropriate zones

Configuring the Common Settings for L2 Bridge Mode Deployments

The following settings need to be configured on your SonicWALL UTM appliance prior to using it in most of the Layer 2 Bridge Mode topologies.

Licensing Services

When the appliance is successfully registered, go to the System > Licenses page and click Synchronize under Manage Security Services Online.

Then, click the Configure button. On the SNMP Settings page, enter all the relevant information for your UTM appliance: the GET and TRAP SNMP community names that the SNMP server expects, and the IP address of the SNMP server. Click OK to save and activate the changes.

Enabling SNMP and HTTPS on the Interfaces

On the Network > Interfaces page, enable SNMP and HTTP/HTTPS on the interface through which you will be managing the appliance.

Enabling Syslog

On the Log > Syslog page, click on the Add button and create an entry for the syslog server. Click OK to save and activate the change.

Activating UTM Services on Each Zone

On the Network > Zones page, for each zone you will be using, make sure that the UTM services are activated. Then, on the Security Services page for each UTM service, activate and configure the settings that are most appropriate for your environment.

[Figures: an example of the Intrusion Prevention settings; an example of the Anti-Spyware settings]
Creating Firewall Access Rules

If you plan to manage the appliance from a different zone, or if you will be using a server such as the HP PCM+/NIM server for management, SNMP, or syslog services, create access rules for traffic between the zones. On the Firewall > Access Rules page, click on the icon for the intersection of the zone of the server and the zone that has users and servers (your environment may have more than one of these intersections).

Configuring Wireless Zone Settings

If you are using an HP PCM+/NIM system and it will be managing an HP ProCurve switch on an interface assigned to a WLAN/Wireless zone, you will need to deactivate two features; otherwise you will not be able to manage the switch. Go to the Network > Zones page and select your Wireless zone. On the Wireless tab, clear the checkboxes next to Only allow traffic generated by a SonicPoint and WiFiSec Enforcement.

Configuring the Primary Bridge Interface

Step 1 Select the Network tab, Interfaces folder from the navigation panel. Step 2 Click the Configure icon in the right column of the X1 (WAN) interface. Step 3 Configure the interface with a Static IP address (e.g. 192.168.0.12). Note: The Primary Bridge Interface must have a Static IP assignment. Step 4 Configure the default gateway. This is required for the security appliance itself to reach the Internet.

Configuring the Secondary Bridge Interface

Step 1 On the Network > Interfaces page, click the Configure icon in the right column of the X0 (LAN) interface. Step 2 In the IP Assignment drop-down list, select Layer 2 Bridged Mode. Step 3 In the Bridged to drop-down list, select the X1 interface. Step 4 Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).

– Transformations and flow analysis (on SonicWALL NSA series appliances): H.323, SIP, RTSP, ILS/LDAP, FTP, Oracle, NetBIOS, Real Audio, TFTP
– IPS and GAV
At this point, if the packet has been validated as acceptable traffic, it is forwarded to its destination.

When creating a zone (either as part of general administration, or as a step in creating a subinterface), a checkbox will be presented on the zone creation page to control the autocreation of a GroupVPN for that zone. By default, only newly created Wireless type zones will have ‘Create GroupVPN for this zone’ enabled, although the option can be enabled for other zone types by selecting the checkbox during creation.

VPN Integration with Layer 2 Bridge Mode

When configuring a VPN on an interface that is also configured for Layer 2 Bridge mode, you must configure an additional route to ensure that incoming VPN traffic properly traverses the SonicWALL security appliance. Navigate to the Network > Routing page, scroll to the bottom of the page, and click on the Add button.
• Connect the mirrored port on the switch to either one of the interfaces in the Bridge-Pair
• Connect and configure the WAN to allow access to dynamic signature data over the Internet

Configuring the Primary Bridge Interface

Step 1 Select the Network tab, Interfaces folder from the navigation panel. Step 2 Click the Configure icon in the right column of interface X2. Step 3 In the Edit Interface dialog box on the General tab, select LAN from the Zone drop-down list.

Step 3 In the Edit Interface dialog box on the General tab, select LAN from the Zone drop-down list. Note that you do not need to configure settings on the Advanced or VLAN Filtering tabs. Step 4 In the IP Assignment drop-down list, select Layer 2 Bridged Mode. Step 5 In the Bridged to drop-down list, select the X2 interface. Step 6 Do not enable the Block all non-IPv4 traffic setting if you want to monitor non-IPv4 traffic.

To determine the traps that are possible when using IPS Sniffer Mode with Intrusion Prevention enabled, search for Intrusion in the table found in the Index of Log Event Messages section in the SonicOS Log Event Reference Guide. The SNMP trap number, if available for that event, is printed in the SNMP Trap Type column of the table.

Configuring Security Services (Unified Threat Management)

The settings that you enable in this section will control what type of malicious traffic you detect in IPS Sniffer Mode. Typically you will want to enable Intrusion Prevention, but you may also want to enable other Security Services such as Gateway Anti-Virus or Anti-Spyware. To enable Security Services, your SonicWALL must be licensed for them and the signatures must be downloaded from the SonicWALL Data Center.

Table 1 Wire Mode Settings (Wire Mode Setting: Description)

Bypass Mode: Bypass Mode allows for the quick and relatively non-interruptive introduction of Wire Mode into a network. Upon selecting a point of insertion into a network (e.g. between a core switch and a perimeter firewall, in front of a VM server farm, at a transition point between data classification domains) the SonicWALL security appliance is inserted into the physical data path, requiring a very short maintenance window.

Secure Mode: Secure Mode is the progression of Inspect Mode, actively interposing the SonicWALL security appliance’s multi-core processors into the packet processing path. This unleashes the inspection and policy engines’ full set of capabilities, including Application Intelligence and Control, Intrusion Prevention Services, Gateway and Cloud-based AntiVirus, Anti-Spyware, and Content Filtering.

To summarize the key functional differences between modes of interface configuration:

Table 2 Functionality of the Different Wire Mode Settings
(columns: Bypass Mode | Inspect Mode | Secure Mode | Tap Mode | L2 Bridge, Transparent, NAT, Route Modes)
Active/Active Clustering (1)          | No  | No  | No  | No  | No
Application Control                   | No  | No  | Yes | No  | Yes
Application Visibility                | No  | Yes | Yes | Yes | Yes
[row label missing in source] (1)     | No  | No  | No  | No  | Yes
Comprehensive Anti-Spam Service (1)   | No  | No  | No  | No  | Yes
Content Filtering                     | No  | No  | Yes | No  |

3. To configure the Interface for Tap Mode, in the Mode / IP Assignment pulldown menu, select Tap Mode (1-Port Tap) and click OK. 4. To configure the Interface for Wire Mode, in the Mode / IP Assignment pulldown menu, select Wire Mode (2-Port Wire). 5. In the Wire Mode Type pulldown menu, select the appropriate mode:
– Bypass Mode (via Internal Switch / Relay)
– Inspect Mode (Passive DPI of Mirrored Traffic)
– Secure Mode (Active DPI of Inline Traffic)
6.
Chapter 16: Configuring PortShield Interfaces

Network > PortShield Groups

PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed PortShield that enjoys the protection of a dedicated, deep packet inspection firewall. PortShield is supported on SonicWALL TZ Series and NSA 240 appliances.

The Network > PortShield Groups page allows you to manage the assignments of ports to PortShield interfaces.

Static Mode and Transparent Mode

A PortShield interface is a virtual interface with a set of ports assigned to it. There are two IP assignment methods you can deploy to create PortShield interfaces. They are Static and Transparent modes. The following two sections describe each.

Note: Make sure the IP address you assign to the PortShield interface is within the WAN subnetwork. When you create a PortShield interface in Transparent Mode, you create a range of addresses to be applied to the PortShield interface. You include these addresses in one entity called an Address Object. Address Objects allow for entities to be defined one time and to be re-used in multiple referential instances throughout the SonicOS interface.

2. Click the Configure button for the interface you want to configure. The Edit Interface window displays. 3. In the Zone pulldown menu, select the zone type option to which you want to map the interface. Note: You can add PortShield interfaces only to Trusted, Public, and Wireless zones. 4. In the IP Assignment pulldown menu, select PortShield Switch Mode. 5. In the PortShield to pulldown menu, select the interface you want to map this port to.

• Interfaces that are the same color (other than black or yellow) are part of a PortShield group, with the master interface having a white outline around the color.
• Interfaces that are greyed out cannot be added to a PortShield group.
On the Network > PortShield Groups page, you can manually group ports together using the graphical PortShield Groups interface. Grouping ports allows them to share a common network subnet as well as common zone settings.

Configuring PortShield Interfaces with the PortShield Wizard

The PortShield Wizard quickly and easily guides you through several common PortShield group configurations. To use the PortShield wizard, perform the following steps: 1. Click the Wizards button on the top right of the SonicOS UI and select PortShield Interface Wizard. Click Next. Mousing over the i symbol displays a summary of the current port assignment. 2.

• WAN/OPT/LAN Switch
• WAN/LAN/HA
• WAN/LAN/LAN2 Switch
Note: In the WAN/LAN/HA scenario, when High Availability is not enabled, the X6 port is assigned to the LAN zone.
3. Click Next. 4. The wizard displays a summary of the configuration changes it is about to make. 5. Click Apply.
Chapter 17: Setting Up Failover and Load Balancing

Network > Failover & Load Balancing

This chapter contains the following sections:
• “Failover and Load Balancing” on page 275
• “Load Balancing Statistics” on page 278
• “Multiple WAN (MWAN)” on page 279

Failover and Load Balancing

For Failover & Load Balancing (LB), up to four WAN members are supported:
• Primary WAN Ethernet Interface
• Alternate WAN #1
• Alternate WAN #2
• Alternate WAN #3
The Primary WAN Ethernet Interface has

• Any TCP-SYN to Port—This option is available when the Respond to Probes option is enabled. When selected, the appliance will only respond to TCP probe request packets having the same packet destination address TCP port number as the configured value.

Load Balancing Members and Groups

LB Members added to a LB Group take on certain “roles.” A member can only work in one of the following roles:
• Primary—Only one member can be the Primary per Group.

General Tab

To configure the Group Member Rank settings, click the Configure icon of the Group you wish to configure on the Network > Failover & LB page. The General tab screen displays. The General tab allows the user to modify the following settings:
• Display name—Edit the display name of the Group
• Type (or method) of LB—Choose the type of LB from the dropdown list (Basic Active/Passive Failover, Round Robin, Spillover-Based, or Percentage-Based).

Note: The Interface Rank does not specify the operation that will be performed on the individual member. The operation that will be performed is specified by the Group Type.

Probing Tab

When Logical probing is enabled, test packets can be sent to remote probe targets to verify WAN path availability. A new option has been provided to allow probing through the additional WAN interfaces: Alternate WAN #3 and Alternate WAN #4.

• Tx Unicast
• Tx Bytes
• Throughput (KB/s)
• Throughput (Kbits/s)
In the Display Statistics for pulldown menu, select which LB group you want to view statistics for. Click the Clear Statistic button on the bottom right of the Network > Failover & LB page to clear information from the Load Balancing Statistics table.

Routing the Default & Secondary Default Gateways

Because the gateway address objects previously associated with the Primary WAN and Secondary WAN are now deprecated, user-configured Static Routes need to be re-created in order to use the correct gateway address objects associated with the WAN interfaces. This will have to be configured manually as part of the firmware upgrade procedure.

DNS

When DNS name resolution issues are encountered with this firmware, you may need to select the Specify DNS Servers Manually option and set the servers to Public DNS Servers (ICANN or non-ICANN). Note: Depending on your location, some DNS Servers may respond faster than others. Verify that these servers work correctly from your installation prior to using your SonicWALL appliance.
Chapter 18: Configuring Zones

Network > Zones

This section contains the following subsections:
• “How Zones Work” on page 284
• “The Zone Settings Table” on page 287
• “Adding and Configuring Zones” on page 288
• “Deleting a Zone” on page 289
• “Configuring a Zone for Guest Access” on page 290
• “Configuring the WLAN Zone” on page 293
A zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler

tunnels, which is a feature that users have long requested. SonicWALL security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zone.

How Zones Work

An easy way to visualize how security zones work is to imagine a large new building, with several rooms inside the building, and a group of new employees that do not know their way around the building.

doorperson can also elect to force people to put on a costume before traveling to another room, or to exit, or to another remote office. This hides the true identity of the person, masquerading the person as someone else. This process can be thought of as the NAT policy.

Predefined Zones

The predefined zones on your SonicWALL security appliance depend on the device.

• Public: A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default traffic from DMZ to LAN is denied. But traffic from LAN to ANY is allowed.

• Enable SSL Control – Requires inspection of all new SSL connections initiated from the zone. Note that SSL Control must first be enabled globally on the Firewall > SSL Control page. For more information, see “Firewall Settings > SSL Control” on page 777.
• Enable SSLVPN Access – Enables users to establish SSL VPN connections to this zone. For more information, see “SSL VPN” on page 931.

• Enforce Global Security Clients – A check mark indicates users on this zone are required to use the Global Security client for desktop security.
• Enable SSL Control – A check mark indicates inspection of all new SSL connections initiated from the zone is required.
• Enable SSLVPN Access – A check mark indicates SSL VPN access is enabled to this zone.
• Configure: Clicking the configure icon displays the Edit Zone window. Clicking the delete icon deletes the zone.

To configure the zone, perform the following steps: Step 1 Type a name for the new zone in the Name field. Step 2 Select a security type (Trusted, Public or Wireless) from the Security Type menu. Use Trusted for zones that you want to assign the highest level of trust, such as internal LAN segments. Use Public for zones with a lower level of trust requirements, such as a DMZ interface. Use Wireless for the WLAN interface.

Configuring a Zone for Guest Access

SonicWALL User Guest Services provides network administrators with an easy solution for creating wired and wireless guest passes and/or locked-down Internet-only network access for visitors or untrusted network nodes. This functionality can be extended to wireless or wired users on the WLAN, LAN, DMZ, or public/semi-public zone of your choice.

Step 3 Click the Guest Services tab. Step 4 Choose from the following configuration options for Guest Services:
– Enable Guest Services - Enables guest services on the WLAN zone.
– Enable inter-guest communication - Allows guests to communicate directly with other users who are connected to this zone.
– Bypass AV Check for Guests - Allows guest traffic to bypass Anti-Virus protection.

– Enable External Guest Authentication - Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access. Note: Refer to the SonicWALL Lightweight Hotspot Messaging Tech Note available at the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.

Configuring the WLAN Zone

Step 1 Click the Edit icon for the WLAN zone. The Edit Zone window is displayed. Step 2 In the General tab, select the Allow Interface Trust setting to automate the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance.

– Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
– Create Group VPN - Creates a GroupVPN policy for the zone, which is displayed in the VPN Policies table on the VPN > Settings page. You can customize the GroupVPN policy on the VPN > Settings page. If you uncheck Create Group VPN, the GroupVPN policy is removed from the VPN > Settings page.
Step 4 Click the Wireless tab.

Tip: Uncheck Only allow traffic generated by a SonicPoint and use the zone on a wired interface to allow guest services on that interface. Step 6 Select SSL VPN Enforcement to require that all traffic that enters into the WLAN zone be authenticated through a SonicWALL SSL VPN appliance.

Step 7 In the SSL VPN Server list, select an address object to direct traffic to the SonicWALL SSL VPN appliance. You can select:
– Create new address object...
– Default Gateway
– Secondary Default Gateway
– X0 IP
– X1 IP
– X2 IP
– X3 IP
– X4 IP
– X5 IP
Step 8 In the SSL VPN Service list, select the service or group of services you want to allow for clients authenticated through the SSL VPN.
Chapter 19: Configuring DNS Settings

Network > DNS

The Domain Name System (DNS) is a distributed, hierarchical system that provides a method for identifying hosts on the Internet using alphanumeric names called fully qualified domain names (FQDNs) instead of using difficult to remember numeric IP addresses. The Network > DNS page allows you to manually configure your DNS settings, if necessary.

In the DNS Settings section, select Specify DNS Servers Manually and enter the IP address(es) into the DNS Server fields. Click Accept to save your changes. To use the DNS Settings configured for the WAN zone, select Inherit DNS Settings Dynamically from the WAN Zone. Click Accept to save your changes.

DNS Rebinding Attack Prevention

DNS rebinding is a DNS-based attack on code embedded in web pages.
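The defence behind a DNS rebinding prevention feature is an inspection of DNS answers passing the firewall: a name resolved from the Internet should never be mapped into the protected network's own address space, because that is exactly what lets script in a web page reach internal hosts. The following is an added example of such a check, not SonicOS code and not a description of how SonicOS implements the feature; the protected ranges, the allow-listed internal domain and the sample answers are constructed, except for 67.115.118.80, which is the public address used in the Address Objects chapter of this guide.

```python
"""DNS rebinding prevention check (added example, not SonicOS code).

Inspects (query name, record type, rdata) answers and drops A/AAAA
records that map an external name into protected address space, unless
the name belongs to a domain the administrator has listed as internal.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Address space that a name resolved from the Internet should never point
# into. Constructed for this example; a deployment would add its own subnets.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed allow-list: domains that legitimately resolve to internal space
# (for example a split-horizon intranet zone served by the internal DNS).
INTERNAL_DOMAINS = ("corp.example.test",)

Answer = Tuple[str, str, str]   # (query name, record type, rdata)


def is_internal_name(qname: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True if the query name is the allow-listed domain or a name under it."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in internal_domains)


def is_rebinding_answer(qname: str, rdata: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when an external name is being mapped into protected address space."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False                      # not an address (CNAME, TXT, ...): nothing to check
    if is_internal_name(qname, internal_domains):
        return False
    # IPv4 addresses are never "in" an IPv6 network and vice versa; the
    # membership test simply returns False across address families.
    return any(addr in net for net in PROTECTED_NETWORKS)


def filter_answers(answers: Iterable[Answer],
                   internal_domains=INTERNAL_DOMAINS) -> Tuple[List[Answer], List[Answer]]:
    """Split a response's answers into (kept, dropped) records."""
    kept: List[Answer] = []
    dropped: List[Answer] = []
    for qname, rtype, rdata in answers:
        if rtype in ("A", "AAAA") and is_rebinding_answer(qname, rdata, internal_domains):
            dropped.append((qname, rtype, rdata))
        else:
            kept.append((qname, rtype, rdata))
    return kept, dropped


# Constructed sample answers, as a DNS response inspector would see them.
SAMPLE_ANSWERS: List[Answer] = [
    ("www.example.test", "A", "67.115.118.80"),          # public address (from the guide)
    ("rebind.example.test", "A", "192.168.1.1"),         # external name -> RFC 1918 space
    ("rebind.example.test", "AAAA", "::1"),              # external name -> loopback
    ("rebind.example.test", "A", "169.254.10.10"),       # external name -> link-local
    ("intranet.corp.example.test", "A", "10.0.0.5"),     # allow-listed internal domain
    ("www.example.test", "CNAME", "cdn.example.test"),   # non-address record passes through
]

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS)
    for rec in dropped:
        print("drop", rec)
    for rec in kept:
        print("keep", rec)
```

The allow-list is what keeps the check from breaking legitimate split-horizon DNS: without it, every internal hostname resolved through the firewall would be dropped as a rebinding attempt.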
Chapter 20: Configuring Address Objects

Network > Address Objects

Address Objects are one of four object classes (Address, User, Service, and Schedule) in SonicOS Enhanced. These Address Objects allow for entities to be defined one time, and to be re-used in multiple referential instances throughout the SonicOS interface. For example, take an internal Web-Server with an IP address of 67.115.118.80.

• MAC Address – MAC Address Objects allow for the identification of a host by its hardware address or MAC (Media Access Control) address. MAC addresses are uniquely assigned to every piece of wired or wireless networking device by their hardware manufacturers, and are intended to be immutable. MAC addresses are 48-bit values that are expressed in 6 byte hex-notation. For example, “My Access Point” with a MAC address of “00:06:01:AB:02:CD”.

You can view Address Objects in the following ways using the View Style menu:
• All Address Objects - displays all configured Address Objects.
• Custom Address Objects - displays Address Objects with custom properties.
• Default Address Objects - displays Address Objects configured by default on the SonicWALL security appliance.
Sorting Address Objects allows you to quickly and easily locate Address Objects configured on the SonicWALL security appliance.

Adding an Address Object

To add an Address Object, click the Add button under the Address Objects table in the All Address Objects or Custom Address Objects views to display the Add Address Object window. Step 1 Enter a name for the Network Object in the Name field. Step 2 Select Host, Range, Network, MAC, or FQDN from the Type menu.
– If you select Host, enter the IP address and netmask in the IP Address and Netmask fields.

– If you selected MAC, enter the MAC address and netmask in the Network and MAC Address field.
– If you selected FQDN, enter the domain name for the individual site or range of sites (with a wildcard) in the FQDN field.
Step 3 Select the zone to assign to the Address Object from the Zone Assignment menu.

Editing or Deleting an Address Object

To edit an Address Object, click the edit icon in the Configure column in the Address Objects table.

Creating Group Address Objects

As more and more Address Objects are added to the SonicWALL security appliance, you can simplify managing the addresses and access policies by creating groups of addresses. Changes made to the group are applied to each address in the group. To add a Group of Address Objects, complete the following steps: Step 1 Click Add Group to display the Add Address Object Group window. Step 2 Create a name for the group in the Name field.
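To make the object types concrete, here is an added example (not SonicOS code) that models Host, Range, Network and MAC Address Objects and an Address Object Group, each with a membership test a rule evaluator could call on a packet's source or destination address. The web server 67.115.118.80 and the “My Access Point” MAC come from the text above; the other names, addresses and zone labels are constructed.

```python
"""Address Object model (added example, not SonicOS code)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Union


def normalize_mac(mac: str) -> str:
    """Return a 48-bit MAC as lowercase colon-separated hex (6 bytes).

    Accepts the usual colon, dash and dotted forms; rejects anything that
    does not contain exactly 12 hex digits.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class HostObject:
    """A single IP address, such as the internal web server in the text."""
    name: str
    address: str
    zone: str = "LAN"

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) == ipaddress.ip_address(self.address)


@dataclass(frozen=True)
class RangeObject:
    """An inclusive start-end range of addresses."""
    name: str
    start: str
    end: str
    zone: str = "LAN"

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.start) <= addr <= ipaddress.ip_address(self.end)


@dataclass(frozen=True)
class NetworkObject:
    """A subnet in prefix notation; the netmask is derived from the prefix."""
    name: str
    network: str
    zone: str = "LAN"

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.network, strict=False)


@dataclass(frozen=True)
class MACObject:
    """Identifies a host by hardware address; it never matches on IP."""
    name: str
    mac: str
    zone: str = "LAN"

    def __post_init__(self) -> None:
        object.__setattr__(self, "mac", normalize_mac(self.mac))

    def contains(self, ip: str) -> bool:
        return False

    def matches_mac(self, mac: str) -> bool:
        return normalize_mac(mac) == self.mac


AddressObject = Union[HostObject, RangeObject, NetworkObject, MACObject, "AddressGroup"]


@dataclass
class AddressGroup:
    """A group: membership is the union of its members, and groups may nest."""
    name: str
    members: List[AddressObject] = field(default_factory=list)

    def contains(self, ip: str) -> bool:
        return any(m.contains(ip) for m in self.members)


def build_sample_objects() -> AddressGroup:
    """Constructed sample group of one host, one range, one subnet and one MAC object."""
    return AddressGroup("Servers", [
        HostObject("Web Server", "67.115.118.80", zone="DMZ"),      # from the text
        RangeObject("Printers", "10.50.165.200", "10.50.165.210"),  # constructed
        NetworkObject("Lab Subnet", "10.50.26.0/24"),               # constructed
        MACObject("My Access Point", "00:06:01:AB:02:CD", zone="WLAN"),  # from the text
    ])


if __name__ == "__main__":
    servers = build_sample_objects()
    for ip in ("67.115.118.80", "10.50.165.205", "10.50.26.77", "192.0.2.1"):
        print(f"{ip:>15} in {servers.name}: {servers.contains(ip)}")
```

Because a group's test is just the union of its members, editing one member (the “changes made to the group are applied to each address” behaviour) needs no change to the rules that reference the group.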
See Part 21, Wizards for more information on configuring the SonicWALL security appliance using wizards.

Working with Dynamic Addresses

From its inception, SonicOS Enhanced has used Address Objects (AOs) to represent IP addresses in most areas throughout the user interface. Address Objects come in the following varieties:
• Host – An individual IP address, netmask and zone association.
• MAC (original) – Media Access Control, or the unique hardware address of an Ethernet host.

Key Features of Dynamic Address Objects

The term Dynamic Address Object (DAO) describes the underlying framework enabling MAC and FQDN AOs. By transforming AOs from static to dynamic structures, Firewall > Access Rules can automatically respond to changes in the network. Note: Initially, SonicOS Enhanced versions 4.0, 5.0, and 5.1 will only support Dynamic Address Objects within Access Rules.

FQDN wildcard: FQDN Address Objects support wildcard entries, such as “*.somedomainname.com”, by first resolving the base domain name to all its defined host IP addresses, and then by constantly and actively gleaning DNS responses as they pass through the firewall. For example, creating an FQDN AO for “*.myspace.com” will first use the DNS servers configured on the firewall to resolve “myspace.com” to 63.208.226.40, 63.208.226.41, 63.208.226.42, and 63.208.226.

(Feature: Benefit)
FQDN entry caching: Resolved FQDN values will be cached in the event of resolution attempt failures subsequent to initial resolution. In other words, if “www.moosifer.com” resolves to 71.35.249.153 with a TTL of 300, but fails to resolve upon TTL expiry (for example, due to temporary DNS server unavailability), the 71.35.249.153 will be cached and used as valid until resolution succeeds, or until manually purged.
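The two FQDN behaviours described above (wildcard entries that resolve the base name and then glean matching answers from DNS responses in transit, and last-known-good caching when re-resolution fails after TTL expiry) can be modelled in a few dozen lines. The following is an added example, not SonicOS code; the resolver is a constructed stand-in for the firewall's configured DNS servers, and the domain names, addresses and TTLs are constructed. The stale flag is an addition for visibility and is not a SonicOS attribute.

```python
"""Dynamic FQDN Address Object: resolution, gleaning and failure caching.

Added example, not SonicOS code. Time is passed in explicitly so the
TTL behaviour can be exercised without waiting.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple


class ResolutionError(Exception):
    """Raised by the resolver when the DNS server cannot answer."""


# A resolver returns (addresses, ttl_seconds) for a name or raises ResolutionError.
Resolver = Callable[[str], Tuple[Set[str], int]]


@dataclass
class FQDNObject:
    pattern: str                                  # "www.example.test" or "*.example.test"
    resolved: Set[str] = field(default_factory=set)   # from resolving the base name
    gleaned: Set[str] = field(default_factory=set)    # learned from DNS responses in transit
    expires_at: float = 0.0                       # when the last good answer's TTL runs out
    stale: bool = False                           # serving cached values past TTL (added flag)

    @property
    def wildcard(self) -> bool:
        return self.pattern.startswith("*.")

    @property
    def base_name(self) -> str:
        return self.pattern[2:] if self.wildcard else self.pattern

    @property
    def addresses(self) -> Set[str]:
        return self.resolved | self.gleaned

    def matches_name(self, qname: str) -> bool:
        """Does a DNS query name fall under this entry?"""
        qname = qname.rstrip(".").lower()
        base = self.base_name.lower()
        if self.wildcard:
            return qname == base or qname.endswith("." + base)
        return qname == base

    def refresh(self, resolver: Resolver, now: float) -> bool:
        """Resolve the base name; on failure keep the cached set and mark it stale."""
        try:
            addrs, ttl = resolver(self.base_name)
        except ResolutionError:
            self.stale = bool(self.addresses)
            return False
        self.resolved = set(addrs)
        self.expires_at = now + ttl
        self.stale = False
        return True

    def glean(self, qname: str, answer_ip: str, now: float) -> bool:
        """Learn an address from a DNS answer seen in transit (wildcard entries only)."""
        if self.wildcard and self.matches_name(qname):
            self.gleaned.add(answer_ip)
            return True
        return False

    def contains(self, ip: str, now: float, resolver: Resolver) -> bool:
        """Membership test; re-resolves once the TTL has expired."""
        if now >= self.expires_at:
            self.refresh(resolver, now)
        return ip in self.addresses

    def purge(self) -> None:
        """Manual purge: drop everything, including the last-known-good cache."""
        self.resolved.clear()
        self.gleaned.clear()
        self.expires_at = 0.0
        self.stale = False


class FakeDNS:
    """Constructed stand-in for the firewall's configured DNS servers."""

    def __init__(self, table: Dict[str, Tuple[Set[str], int]]):
        self.table = table
        self.available = True          # flip to False to simulate server unavailability

    def __call__(self, name: str) -> Tuple[Set[str], int]:
        if not self.available or name not in self.table:
            raise ResolutionError(name)
        return self.table[name]


if __name__ == "__main__":
    dns = FakeDNS({"moosifer.test": ({"198.51.100.53"}, 300)})
    obj = FQDNObject("*.moosifer.test")
    obj.refresh(dns, now=0)
    obj.glean("www.moosifer.test", "198.51.100.54", now=10)
    dns.available = False
    print(obj.contains("198.51.100.53", now=301, resolver=dns), obj.stale)   # cached, stale
```

The important edge case is the failed refresh: the entry keeps matching the addresses it last learned instead of collapsing to an empty set, which would silently turn an allow rule into a deny (or, worse, a deny rule into an allow) whenever the DNS server hiccups.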
• Create Access Rules in the relevant zones allowing only authorized SMTP servers on your network to communicate outbound SMTP; block all other outbound SMTP traffic to prevent intentional or unintentional outbound spamming.
• Create Access Rules in the relevant zones allowing authorized DNS servers on your network to communicate with all destination hosts using DNS protocols (TCP/UDP 53).

Using MAC and FQDN Dynamic Address Objects

MAC and FQDN DAOs provide extensive Access Rule construction flexibility. MAC and FQDN AOs are configured in the same fashion as static Address Objects, that is from the Network > Address Objects page. Once created, their status can be viewed by a mouse-over of their appearance, and log events will record their addition and deletion. Dynamic Address Objects lend themselves to many applications.

Step 1 – Create the FQDN Address Object
• From Network > Address Objects, select Add and create the following Address Object:
• When first created, this entry will resolve only to the address for dyndns.org, e.g. 63.208.196.110.

Using an Internal DNS Server for FQDN-based Access Rules

It is common for dynamically configured (DHCP) network environments to work in combination with internal DNS servers for the purposes of dynamically registering internal hosts – a common example of this is Microsoft’s DHCP and DNS services.

to the 10.50.165.2 server, but to no other LAN resources. All other wireless clients should not be able to access the 10.50.165.2 server, but should have unrestricted access everywhere else.

Step 2 – Create the Firewall Access Rules
• To create access rules, navigate to the Firewall > Access Rules page, click on the All Rules radio button, and scroll to the bottom of the page and click the Add button.

Step 2 – Create the Firewall Access Rule
• From the Firewall > Access Rules page, LAN->WAN zone intersection, add an Access Rule as follows:
Note: If you do not see the Bandwidth tab, you can enable bandwidth management by declaring the bandwidth on your WAN interfaces. For more information on BWM, refer to the Configuring QoS and BWM document at: http://www.sonicwall.com/support/pdfs/configuring_qos_and_bwm.
CHAPTER 21 Chapter 21: Configuring Firewall Services Network > Services SonicOS Enhanced supports an expanded IP protocol support to allow users to create services and access rules based on these protocols. See “Supported Protocols” on page 318 for a complete listing of support IP protocols. Services are used by the SonicWALL security appliance to configure network access rules for allowing or denying traffic to the network. The SonicWALL security appliance includes Default Services.
Network > Services Default Services Overview The Default Services view displays the SonicWALL security appliance default services in the Services table and Service Groups table. The Service Groups table displays clusters of multiple default services as a single service object. You cannot delete or edit these predefined services. The Services table displays the following attributes of the services: • Name—The name of the service. • Protocol—The protocol of the service.
Network > Services • ESP (50)—(Encapsulated Security Payload) A method of encapsulating an IP datagram inside of another datagram employed as a flexible method of data transportation by IPsec. • AH (51)—(Authentication Header) A security protocol that provides data authentication and optional anti-relay services. AH is embedded in the data to be protected (a full IP datagram). • EIGRP (88)—(Enhanced Interior Gateway Routing Protocol) Advanced version of IGRP.
All custom services you create are listed in the Custom Services table. You can group custom services by creating a Custom Services Group for easy policy enforcement. If a protocol is not listed in the Default Services table, you can add it to the Custom Services table by clicking Add.
Step 1 Enter the name of the service in the Name field.
Step 2 Select the type of IP protocol from the Protocol pull-down menu.
Note The generic service Any will not handle Custom IP Type Service Objects. In other words, simply defining a Custom IP Type Service Object for IP Type 126 will not allow IP Type 126 traffic to pass through the default LAN > WAN Allow rule. It is necessary to create an Access Rule that specifically contains the Custom IP Type Service Object to provide for its recognition and handling, as illustrated below. Because a Custom IP Type service matches on the protocol number alone, with no port-level granularity, scope the source and destination Address Objects of that rule as tightly as the application allows.
Step 8 Add a Service Group composed of the Custom IP Type Services.
Step 9 From Firewall > Access Rules > WLAN > LAN, select Add.
Step 10 Define an Access Rule allowing myServices from WLAN Subnets to the 10.50.165.26 Address Object.
Note Select your zones, Services and Address Objects accordingly. It may be necessary to create an Access Rule for bidirectional traffic; for example, an additional Access Rule from the LAN > WLAN allowing myServices from 10.50.165.
Adding a Custom Services Group
You can add custom services and then create groups of services, including default services, to apply the same policies to them. For instance, you can allow SMTP and POP3 traffic only during certain hours or days of the week by adding the two services as a Custom Service Group. To create a Custom Services Group, click Add Group.
Step 1 Enter a name for the custom group in the name field.
Step 2 Select individual services from the list in the left column.
Chapter 22: Configuring Routes
Network > Routing
If you have routers on your interfaces, you can configure static routes on the SonicWALL security appliance on the Network > Routing page. You can create static routing policies whose entries make forwarding decisions based upon source address, source netmask, destination address, destination netmask, service, interface, gateway and metric.
Route Advertisement
The SonicWALL security appliance uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL security appliance and remote VPN gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 or RIPv2 based on your router’s capabilities or configuration. RIPv1 is classful, carries no subnet masks and offers no authentication of updates; RIPv2 carries subnet masks and supports authenticated updates, so prefer RIPv2 wherever the neighboring routers support it, and authenticate the updates so that a rogue host on the segment cannot inject routes.
Step 3 In the Advertise Default Route menu, select Never, When WAN is up, or Always.
Step 4 Enable Advertise Static Routes if you have static routes configured on the SonicWALL security appliance and want them included in Route Advertisement.
Step 5 Enable Advertise Remote VPN Networks if you want to advertise VPN networks.
Step 6 In the Route Change Damp Time (seconds) field, enter the number of seconds to wait between advertisements broadcast over the network.
Policy Based Routing
A simple static routing entry specifies how to handle traffic that matches specific criteria, such as destination address, destination mask, the gateway to forward traffic to, the interface on which that gateway is located, and the route metric. This method of static routing satisfies most static requirements, but is limited to forwarding based only on destination addressing.
All Policies displays all the routing policies, including Custom Policies and Default Policies. Initially, only the Default Policies are displayed in the Route Policies table when you select All Policies from the View Style menu. The Route Policies table provides easy pagination for viewing a large number of routing policies.
Step 7 Enter the Metric for the route. The default metric for static routes is one. For more information on metrics, see the “Policy Based Routing” section on page 328.
Step 8 (Optional) Select the Disable route when the interface is disconnected checkbox to have the route automatically disabled when the interface is disconnected.
Step 9 (Optional) The Allow VPN path to take precedence option allows you to create a backup route for a VPN tunnel.
Network > WAN Failover & LB page. For this example, choose Per Connection Round-Robin as the load balancing method in the Network > WAN Failover & LB page. Click Accept to save your changes on the Network > WAN Failover & LB page.
Step 1 Click the Add button under the Route Policies table. The Add Route Policy window is displayed.
Advanced Routing Services (OSPF and RIP)
In addition to Policy Based Routing and RIP advertising, SonicOS Enhanced offers the option of enabling Advanced Routing Services (ARS). Advanced Routing Services provides full advertising and listening support for the Routing Information Protocol, RIPv1 (RFC 1058) and RIPv2 (RFC 2453), and for Open Shortest Path First, OSPFv2 (RFC 2328).
• Protocol Type – Distance vector protocols such as RIP base routing metrics exclusively on hop counts, while link state protocols such as OSPF consider the state of the link when determining metrics. For example, OSPF determines interface metrics by dividing its reference bandwidth (100 Mbit/s by default) by the interface speed – the faster the link, the lower the cost and the more preferable the path.
OSPF does not have to impose a hop count limit because it does not advertise entire routing tables; rather, it generally only sends link state updates when changes occur. This is a significant advantage in larger networks in that it converges more quickly, produces less update traffic, and supports an unlimited number of hops.
For example, if you had 8 class C networks, 192.168.0.0/24 through 192.168.7.0/24, rather than having a separate route statement for each of them, it would be possible to provide a single route to 192.168.0.0/21 which would encompass them all. This ability, in addition to providing more efficient and flexible allocation of IP address space, also allows routing tables and routing updates to be kept smaller.
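The supernet in the paragraph above can be derived mechanically, and the derivation also exposes the caveat that comes with summarization: a summary route must not cover address space you do not actually route, or the advertising router attracts, and possibly black-holes, traffic for it. The following Python example is added here to show the computation; it is not part of the SonicOS documentation and touches no SonicOS interface. It generalizes the text's example to any list of IPv4 prefixes and reports whether the aggregate is exact.

```python
import ipaddress


def summarize(prefixes):
    """Return (aggregate, exact) for a list of IPv4 prefixes.

    `aggregate` is the single smallest prefix covering every input. `exact` is
    True only when that prefix covers precisely the inputs' address space; a
    False value means the summary route would also claim space that no more
    specific route serves, which is the thing to check before advertising it.
    """
    # collapse_addresses merges overlaps and adjacent blocks; sort for lo/hi.
    nets = sorted(ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes))
    lo = int(nets[0].network_address)
    hi = int(nets[-1].broadcast_address)
    # The aggregate keeps the leading bits lo and hi share; the position of
    # the first differing bit fixes the prefix length.
    plen = nets[0].max_prefixlen - (lo ^ hi).bit_length()
    aggregate = ipaddress.ip_network((lo, plen), strict=False)
    covered = sum(n.num_addresses for n in nets)
    return str(aggregate), covered == aggregate.num_addresses


if __name__ == "__main__":
    eight = [f"192.168.{i}.0/24" for i in range(8)]   # the text's example
    print(summarize(eight))      # ('192.168.0.0/21', True)
    print(summarize(eight[:6]))  # ('192.168.0.0/21', False): two /24s over-covered
```

For the eight /24s in the text the result is 192.168.0.0/21 with exact coverage. Drop two of them and the same /21 is still the smallest covering prefix, but it now claims 512 addresses that nothing behind the router serves; advertise the six /24s, or two summaries (192.168.0.0/22 and 192.168.4.0/23), instead.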
used, which is generally discouraged). Area assignment is interface-specific on an OSPF router; in other words, a router with multiple interfaces can have those interfaces configured for the same or different areas.
• Neighbors – OSPF routers on a common network segment have the potential to become neighbors by means of sending Hello packets.
LSAs are then exchanged within LSUs across these adjacencies rather than between each possible pairing combination of routers on the segment. Link state updates are sent by non-DR routers to the multicast address 224.0.0.6, the RFC 1583-assigned ‘OSPFIGP Designated Routers’ address. They are also flooded by DR routers to the multicast address 224.0.0.5, ‘OSPFIGP All Routers’, for all routers to receive the LSAs.
– Type 5 (AS External Link Advertisements) – Sent by ASBRs (Autonomous System Boundary Routers) to describe routes to networks in a different AS. Type 5 LSAs are not sent to Stub Areas. There are two types of External Link Advertisements:
• External Type 1 - Type 1 routes add the internal link cost to the external link cost when calculating a link’s metric. A Type 1 route is always preferred over a Type 2 route to the same destination.
• ABR (Area Border Router) – A router with interfaces in multiple areas. An ABR maintains LSDBs for each area to which it is connected, one of which is typically the backbone.
• Backbone Router – A router with an interface connected to area 0, the backbone.
• ASBR (Autonomous System Boundary Router) – A router with an interface connected to a non-OSPF AS (such as a RIP network) which advertises external routing information from that AS into the OSPF AS.
The operation of the RIP and OSPF routing protocols is interface dependent. Each interface and virtual subinterface can have RIP and OSPF settings configured separately, and each interface can run both RIP and OSPF routers. Configure RIP and OSPF for default routes received from Advanced Routing protocols as follows:
Configuring RIP
To configure RIP routing on an interface, select the (Configure) icon in the interface’s row under the “Configure RIP” column.
Note Be sure the device sending RIPv2 updates uses multicast mode, or the updates will not be processed by the ars-rip router.
Send (Available in ‘Send and Receive’ and ‘Send Only’ modes)
• RIPv1 – Send broadcast RIPv1 packets.
• RIPv2 - v1 compatible – Send multicast RIPv2 packets that are compatible with RIPv1.
• RIPv2 – Send multicast RIPv2 packets.
Consider the following simple example network: The diagram illustrates an OSPF network where the backbone (area 0.0.0.0) comprises the X0 interface on the SonicWALL and the int1 interface on Router A. Two additional areas, 0.0.0.1 and 100.100.100.100, are connected, respectively, to the backbone via interface int2 on ABR Router A, and via the X4:100 VLAN subinterface on the SonicWALL.
OSPFv2 Setting
• Disabled – OSPF Router is disabled on this interface
• Enabled – OSPF Router is enabled on this interface
• Passive – The OSPF router is enabled on this interface, but only advertises connected networks using type 1 LSAs (Router Link Advertisements) into the local area.
• IBM – For interoperating with IBM’s ABR behavior, which expects the backbone to be configured before setting the ABR flag.
• Shortcut – A ‘shortcut area’ enables traffic to go through the non-backbone area with a lower metric whether or not the ABR router is attached to area 0.
Default Metric – Used to specify the metric that will be used when redistributing routes from other (Default, Static, Connected, RIP, or VPN) routing information sources.
Configuring Advanced Routing for Tunnel Interfaces
In SonicOS versions 5.6 and higher, VPN Tunnel Interfaces can be configured for advanced routing. To do so, you must enable advanced routing for the tunnel interface on the Advanced tab of its configuration. See “Adding a Tunnel Interface” on page 906 for more information.
Guidelines for Configuring Tunnel Interfaces for Advanced Routing
The following guidelines will ensure success when configuring Tunnel Interfaces for advanced routing:
• The borrowed interface must have a static IP address assignment.
• The borrowed interface cannot have RIP or OSPF enabled on its configuration.
Tip SonicWALL recommends creating a VLAN interface that is dedicated solely for use as the borrowed interface. This avoids conflicts when using wired connected interfaces.
Chapter 23: Configuring NAT Policies
Network > NAT Policies
This chapter contains the following sections:
• “NAT Policies Table” on page 348
• “NAT Policy Settings Explained” on page 349
• “NAT Policies Q&A” on page 351
The Network Address Translation (NAT) engine in SonicOS Enhanced allows users to define granular NAT policies for their incoming and outgoing traffic.
NAT Policies Table
The NAT Policies table allows you to view your NAT Policies by Custom Policies, Default Policies, or All Policies.
Tip Before configuring NAT Policies, be sure to create all Address Objects associated with the policy. For instance, if you are creating a One-to-One NAT policy, be sure you have Address Objects for your public and private IP addresses.
Tip By default, LAN to WAN has a NAT policy predefined on the SonicWALL.
NAT Policy Settings Explained
The following explains the settings used to create a NAT policy entry in the Add NAT Policy or Edit NAT Policy windows. Click the Add button in the Network > NAT Policies page to display the Add NAT Policy window to create a new NAT policy, or click the Edit icon in the Configure column for the NAT policy you want to edit to display the Edit NAT Policy window.
• Translated Service: This drop-down menu setting is what the SonicWALL security appliance translates the Original Service to as it exits the SonicWALL security appliance, whether it be to another interface, or into/out of VPN tunnels. You can use the default services in the SonicWALL security appliance, or you can create your own entries. For many NAT Policies, this field is set to Original, as the policy is only altering source or destination IP addresses.
NAT Policies Q&A
Why is it necessary to specify ‘Any’ as the destination interface for inbound 1-2-1 NAT policies? It may seem counter-intuitive to do this, given that other types of NAT policies require you to specify the destination interface, but for this type of NAT policy, this is what is necessary.
Why Do I Have to Write Two Policies for 1-2-1 Traffic? With the new NAT engine, it is necessary to write two policies – one to allow incoming requests to the destination public IP address to reach the destination private IP address (uninitiated inbound), and one to allow the source private IP address to be remapped to the source public IP address (initiated outbound). It takes a bit more work, but it is a lot more flexible.
NAT LB Mechanisms
NAT load balancing is configured on the Advanced tab of a NAT policy.
Note This tab can only be activated when a group is specified in one of the drop-down fields on the General tab of a NAT Policy. Otherwise, the NAT policy defaults to Sticky IP as the NAT method.
SonicOS offers the following NAT methods:
• Sticky IP – Source IP always connects to the same Destination IP (assuming it is alive).
Which NAT LB Method Should I Use?
Requirement | Deployment Example | NAT LB Method
Distribute load on servers equally without need for persistence | External/Internal servers (i.e. Web, FTP, etc.) | Round Robin
Indiscriminate load balancing without need for persistence | External/Internal servers (i.e. Web, FTP, etc.
Example one - Mapping to a network: 192.168.0.2 to 192.168.0.4
Translated Destination = 10.50.165.0/30 (Network)
Packet Source IP = 192.168.0.2
192.168.0.2 = C0A80002 = 3232235522 = 11000000 10101000 00000000 00000010 (IP -> Hex -> Dec -> Binary)
Sticky IP Formula = Packet Src IP [modulo] TransDest Size = 3232235522 [modulo] 2 = 0 (2 divides the numerator evenly; there is no remainder, so the result is 0)
The Sticky IP formula yields an offset of 0, so the destination is remapped to 10.50.165.1, the first usable address of 10.50.165.0/30 (TransDest Size is 2 because the network and broadcast addresses of the /30 are not used).
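The modulo arithmetic above is simple enough to reproduce for every source address in a subnet, which is worth doing before relying on Sticky IP for persistence. The following Python example is an added illustration, not SonicOS code, of the formula as the text states it: the source IP taken as a 32-bit integer, modulo the size of the Translated Destination pool, gives the offset into the pool. The pool expansion (usable hosts of a network, excluding the network and broadcast addresses, or every address of an inclusive a-b range) is an assumption that matches the /30 having size 2 above; the 'a-b' range notation is likewise assumed for the example.

```python
import ipaddress


def translated_pool(translated_dest):
    """Expand a Translated Destination into the ordered list of candidate hosts.

    A Network contributes its usable hosts (network and broadcast addresses
    excluded, which is why 10.50.165.0/30 has size 2 in the text); an 'a-b'
    Range contributes every address from a to b inclusive. Both expansions are
    assumptions made for this example.
    """
    if "-" in translated_dest:
        first, last = (ipaddress.IPv4Address(s.strip())
                       for s in translated_dest.split("-", 1))
        return [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]
    return list(ipaddress.ip_network(translated_dest, strict=False).hosts())


def sticky_ip(src_ip, translated_dest):
    """Sticky IP as stated in the text: offset = (source IP as int) mod pool size."""
    pool = translated_pool(translated_dest)
    offset = int(ipaddress.IPv4Address(src_ip)) % len(pool)
    return str(pool[offset])


def distribution(src_ips, translated_dest):
    """Count how many of the given sources each pool member receives."""
    counts = {}
    for src in src_ips:
        dst = sticky_ip(src, translated_dest)
        counts[dst] = counts.get(dst, 0) + 1
    return counts


if __name__ == "__main__":
    for src in ("192.168.0.2", "192.168.0.3", "192.168.0.4"):  # the text's sources
        print(src, "->", sticky_ip(src, "10.50.165.0/30"))
    lan = [f"192.168.0.{i}" for i in range(1, 255)]
    print(distribution(lan, "10.50.165.0/30"))  # even last octet -> .1, odd -> .2
    print(distribution(lan, "10.50.165.0/29"))  # six hosts: residues of the source mod 6
```

Because 192.168.0.0 is divisible by 2, the /24 splits evenly: even last octets map to 10.50.165.1 and odd ones to 10.50.165.2. Two consequences follow from the formula being a plain modulus of the source address. First, with a pool whose size is a power of two only the low bits of the source matter, so every client behind one upstream NAT address shares a server, and the spread can be very uneven for real client populations. Second, the mapping is deterministic and public, so anyone who can choose source addresses can choose which server they hit; Sticky IP provides persistence, not protection against deliberately skewed load.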
Creating NAT Policies
NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address, and Destination Services. Policy-based NAT allows you to deploy different types of NAT simultaneously.
• Original Service: Any
• Translated Service: Original
• Inbound Interface: X2
• Outbound Interface: X1
• Comment: Enter a short description
• Enable NAT Policy: Checked
• Create a reflective policy: Unchecked
When done, click on the OK button to add and activate the NAT Policy.
You can test the dynamic mapping by installing several systems on the LAN interface (by default, the X0 interface) at a spread-out range of addresses (for example, 192.168.10.10, 192.168.10.100, and 192.168.10.200) and accessing the public Website http://www.whatismyip.com from each system. Each system should display a different IP address from the range we created and attached to the NAT policy.
Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)
Note If “Translated Destination: Original” is selected in the NAT Policy Settings, this section does not apply because the “Create a reflective policy” checkbox is greyed out.
This is the mirror policy for the one created in the previous section when you check Create a reflective policy. It allows you to translate an external public IP address into an internal private IP address.
Configuring One-to-Many NAT Load Balancing
One-to-Many NAT policies can be used to persistently load balance the translated destination using the original source IP address as the key to persistence. For example, SonicWALL security appliances can load balance multiple SonicWALL SSL VPN appliances, while still maintaining session persistence by always balancing clients to the correct destination SSL VPN. The following figure shows a sample topology and configuration.
• Translated Destination: Select Create new address object... to bring up the Add Address Object screen.
– Name: A descriptive name, such as mySSLVPN
– Zone assignment: LAN
– Type: Host
– IP Address: The IP addresses for the devices to be load balanced (in the topology shown above, these are 192.168.200.10, 192.168.200.20, and 192.168.200.30).
Note Make sure you chose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it is the correct thing to do (if you try to specify the interface, you get an error).
Step 3 When finished, click on the OK button to add and activate the NAT Policy.
In this section, we have five tasks to complete:
1. Create two custom service objects for the unique public ports the servers respond on.
2. Create two address objects for the servers’ private IP addresses.
3. Create two NAT entries to allow the two servers to initiate traffic to the public Internet.
4. Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP addresses to the SonicWALL’s WAN IP address.
5.
• Enable NAT Policy: Checked
• Create a reflective policy: Unchecked
When finished, click on the OK button to add and activate the NAT policies. With these policies in place, the SonicWALL security appliance translates the servers’ private IP addresses to the public IP address when it initiates traffic out the WAN interface (by default, the X1 interface).
Step 4 Go to the Network > NAT Policies menu and click on the Add button. The Add NAT Policy window is displayed.
Note With previous versions of firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS 2.0 Enhanced. If you write a rule to the private IP address, the rule does not work: write it to the public address that appears as the original destination, and restrict it to the custom service objects rather than Any so that only the published ports are reachable.
Go to the Firewall > Access Rules page and choose the policy for the ‘WAN’ to ‘Sales’ zone intersection (or whatever zone you put your servers in). Click on the ‘Add…’ button to bring up the pop-up window to create the policies.
Using NAT Load Balancing
This section contains the following subsections:
• “NAT Load Balancing Topology” on page 366
• “Prerequisites” on page 366
• “Configuring NAT Load Balancing” on page 367
• “Troubleshooting NAT Load Balancing” on page 368
NAT Load Balancing Topology
The following figure shows the topology for the NAT load balancing network.
[Figure: NAT load balancing topology. JASPER & DAISY NSA E7500 HA pair; X0 LAN: 192.168.25.10/24; X1 WAN: 204.180.153.102/27; X4 DMZ: 192.168.200. (remaining figure labels not recoverable)]
Configuring NAT Load Balancing
To configure NAT load balancing, you must complete the following tasks:
1. Create address objects.
2. Create an address group.
3. Create the inbound NAT LB policy.
4. Create the outbound NAT LB policy.
5. Create the firewall rule.
6. Verify and troubleshoot the network if necessary.
Troubleshooting NAT Load Balancing
If the Web servers do not seem to be accessible, go to the Firewall > Access Rules page and mouse over the Statistics icon. If the rule is configured incorrectly you will not see any Rx or Tx bytes; if it is working, you will see these increment with each successful external access of the load balanced resources. You can also check the Network > NAT Policies page and mouse over the Statistics icon.
Chapter 24: Managing ARP Traffic
Network > ARP
ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet. ARP is a broadcast protocol that can create excessive amounts of network traffic on your network. To minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned ARP information. ARP carries no authentication, so any host on the segment can answer a request or send an unsolicited reply; static ARP entries and the MAC-IP Anti-Spoof feature described in the next chapter exist to pin mappings that must not change.
Simplified NSA ARP Table (table text truncated): LAN IP 192.168.168.
Static ARP Entries
The Static ARP feature allows static mappings to be created between layer 2 MAC addresses and layer 3 IP addresses, and also provides the following capabilities:
• Publish Entry - Enabling the Publish Entry option in the Add Static ARP window causes the SonicWALL device to respond to ARP queries for the specified IP address with the specified MAC address. Because the appliance then answers on behalf of that address, double-check the IP before publishing it: a published entry for an address that a live host also uses will divert that host’s traffic.
Adding a Secondary Subnet using the Static ARP Method
Step 1 Add a 'published' static ARP entry for the gateway address that will be used for the secondary subnet, assigning it the MAC address of the SonicWALL interface to which it will be connected.
Step 2 Add a static route for that subnet, so that the SonicWALL regards it as valid traffic, and knows to which interface to route that subnet's traffic.
The entry will appear in the table. Navigate to the Network > Routing page, and add a static route for the 192.168.50.0/24 network, with the 255.255.255.0 subnet mask on the X3 Interface. To allow the traffic to reach the 192.168.50.0/24 subnet, and to allow the 192.168.50.0/24 subnet to reach the hosts on the LAN, navigate to the Firewall > Access Rules page, and add appropriate Access Rules to allow traffic to pass.
You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific ARP entry. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page. You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order.
Chapter 25: Configuring MAC-IP Anti-Spoof
Network > MAC-IP Anti-Spoof
This chapter describes how to plan, design, and implement MAC-IP Anti-Spoof protection in SonicWALL SonicOS Enhanced.
• ARP packets, both ARP requests and responses
• Static ARP entries from user-created entries
• MAC-IP Anti-Spoof Cache
The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so egress packets (packets exiting the network) are not spoofed by a bad device or by unwanted ARP packets. This prevents the firewall from routing a packet to an unintended device because of a poisoned mapping.
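The ingress and egress checks described above can be modeled in a few dozen lines, which makes the behavior concrete: which ARP replies a locked binding rejects, which packets land on the Spoof Detect List, and what happens to a host the cache has never seen. The Python class below is an added illustration of that logic, not SonicOS code; the cache keys, the strict_ingress switch for hosts without a binding, and the sample addresses and MACs are all assumptions made for the example.

```python
from collections import namedtuple

# One ingress IP packet: arrival interface, claimed source IP, source MAC.
Packet = namedtuple("Packet", "iface src_ip src_mac")


class MacIpAntiSpoof:
    """Model of the MAC-IP Anti-Spoof cache (illustration, not SonicOS code).

    Bindings learned from DHCP leases and static entries are authoritative and
    locked: an ARP reply that disagrees with them is ignored (egress control).
    Ingress packets are compared against the bindings and dropped when the
    source MAC does not match the one recorded for the source IP.
    """

    def __init__(self, strict_ingress=False):
        self.cache = {}          # (iface, ip) -> mac
        self.locked = set()      # (iface, ip) keys that ARP may not overwrite
        self.spoof_detect = []   # (iface, ip, mac) triples that failed a check
        # Assumption for the example: in strict mode a source IP with no
        # binding at all is dropped instead of passed.
        self.strict_ingress = strict_ingress

    def learn_binding(self, iface, ip, mac, lock=True):
        """Record a DHCP lease or static entry; locked unless told otherwise."""
        key = (iface, ip)
        self.cache[key] = mac.lower()
        if lock:
            self.locked.add(key)
        else:
            self.locked.discard(key)

    def learn_arp(self, iface, ip, mac):
        """Process an ARP reply seen on iface. Returns True if the cache changed.

        A reply that contradicts a locked binding is the classic poisoning
        attempt: the mapping is kept as-is and the offender is recorded.
        """
        key, mac = (iface, ip), mac.lower()
        if key in self.locked and self.cache[key] != mac:
            self.spoof_detect.append((iface, ip, mac))
            return False
        self.cache[key] = mac
        return True

    def ingress_check(self, pkt):
        """Return 'pass' or 'drop' for an IP packet arriving on pkt.iface."""
        expected = self.cache.get((pkt.iface, pkt.src_ip))
        if expected is None:
            return "drop" if self.strict_ingress else "pass"
        if expected != pkt.src_mac.lower():
            self.spoof_detect.append((pkt.iface, pkt.src_ip, pkt.src_mac.lower()))
            return "drop"
        return "pass"


if __name__ == "__main__":
    # Constructed traffic: a leased host, a spoofer claiming its IP, an unknown host.
    cache = MacIpAntiSpoof()
    cache.learn_binding("X0", "192.168.168.10", "00:11:22:33:44:55")
    for pkt in (Packet("X0", "192.168.168.10", "00:11:22:33:44:55"),
                Packet("X0", "192.168.168.10", "de:ad:be:ef:00:01"),
                Packet("X0", "192.168.168.99", "00:aa:bb:cc:dd:ee")):
        print(pkt, "->", cache.ingress_check(pkt))
    # A poisoned ARP reply for the locked binding is rejected.
    print("ARP accepted:", cache.learn_arp("X0", "192.168.168.10", "de:ad:be:ef:00:01"))
    print("Spoof Detect List:", cache.spoof_detect)
```

The unknown host case is the one to decide deliberately: passing it keeps unmanaged devices working but means the check only protects addresses with a lease or static entry, while dropping it turns the feature into an allow-list of known hosts.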
To configure settings for a particular interface, click the Configure icon for the desired interface. The Settings window is displayed for the selected interface. In this window, the following settings can be enabled or disabled by clicking on the corresponding checkbox. Once your setting selections for this interface are complete, click OK.
Once the settings have been adjusted, the interface’s listing will be updated on the MAC-IP Anti-Spoof panel. The green circle with white check mark icons denote which settings have been enabled.
Note The following interfaces are excluded from the MAC-IP Anti-Spoof list: non-Ethernet interfaces, PortShield member interfaces, Layer 2 bridge pair interfaces, high availability interfaces, and high availability data interfaces.
If you need to edit a static Anti-Spoof cache entry, select the checkbox to the left of the IP address, then click the pencil icon under the “Configure” column on the same line. Single or multiple static anti-spoof cache entries can be deleted. To do this, select the “delete checkbox” next to each entry, then click the “Delete” button. To clear cache statistics, select the desired devices, then click “Clear Stats”.
Spoof Detect List
The Spoof Detect List displays devices that failed to pass the ingress anti-spoof cache check. Entries on this list can be added as a static anti-spoof entry. To do this, click on the pencil icon under the “Add” column for the desired device. An alert message window will open, asking if you wish to add this static entry. Click “OK” to proceed, or “Cancel” to return to the Spoof Detect List. Before adding an entry from this list, confirm out of band that the MAC address belongs to the device that legitimately owns the IP address; adding a spoofer’s MAC as a static entry would permanently allow the attacker.
Operator | Syntax Options
Value with a type
• Ip=1.1.1.1 or ip=1.1.1.0/24
• Mac=00:01:02:03:04:05
• Iface=x1
String
• X1
• 00:01
• Tst-mc
• 1.1.
AND
• Ip=1.1.1.1;iface=x1
• Ip=1.1.1.0/24;iface=x1;just-string
OR
• Ip=1.1.1.1,2.2.2.2,3.3.3.0/24
• Iface=x1,x2,x3
Negative
• !ip=1.1.1.1;!just-string
• !iface=x1,x2
Mixed
• Ip=1.1.1.1,2.2.2.2;mac=00:01:02:03:04:05;just-string;!iface=x1,x2
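The search syntax in the table above is a small grammar: ';' joins AND terms, ',' lists OR alternatives inside one term, a leading '!' negates a term, and a term with no '=' is a bare string matched against every field. The Python parser below is an added example of applying that grammar to cache entries; it is not the appliance's own implementation, the sample entries are constructed, and the choices that an 'ip=' value may be a host or CIDR network, that typed terms compare case-insensitively, and that bare strings match as substrings are assumptions that fit the rows of the table.

```python
import ipaddress


def parse_filter(text):
    """Split a search string into (negated, field, values) terms.

    ';' separates terms (AND), ',' separates alternatives inside a term (OR),
    a leading '!' negates the term, and a term with no '=' is a bare string.
    """
    terms = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        if negated:
            raw = raw[1:].strip()
        if "=" in raw:
            field, _, values = raw.partition("=")
            terms.append((negated, field.strip().lower(),
                          [v.strip() for v in values.split(",") if v.strip()]))
        else:
            terms.append((negated, None, [raw]))
    return terms


def _ip_matches(ip, pattern):
    """An 'ip' value may be a single host or a CIDR network (assumption)."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False


def _term_matches(entry, field, values):
    if field is None:  # bare string: case-insensitive substring of any field
        needle = values[0].lower()
        return any(needle in str(v).lower() for v in entry.values())
    if field == "ip":
        return any(_ip_matches(entry.get("ip", ""), p) for p in values)
    actual = str(entry.get(field, "")).lower()
    return any(actual == p.lower() for p in values)


def apply_filter(entries, text):
    """Return the entries for which every term of the filter holds."""
    terms = parse_filter(text)
    return [e for e in entries
            if all(_term_matches(e, f, v) != neg for neg, f, v in terms)]


# Constructed anti-spoof cache entries, not taken from a real appliance.
SAMPLE_CACHE = [
    {"ip": "1.1.1.1", "mac": "00:01:02:03:04:05", "iface": "x1", "host": "tst-mc-01"},
    {"ip": "1.1.1.20", "mac": "00:01:aa:bb:cc:dd", "iface": "x1", "host": "printer"},
    {"ip": "2.2.2.2", "mac": "00:02:00:00:00:02", "iface": "x2", "host": "tst-mc-02"},
    {"ip": "3.3.3.9", "mac": "00:03:00:00:00:03", "iface": "x3", "host": "camera"},
]

if __name__ == "__main__":
    for query in ("ip=1.1.1.0/24", "Ip=1.1.1.1;iface=x1", "!iface=x1,x2", "00:01",
                  "Ip=1.1.1.1,2.2.2.2;mac=00:01:02:03:04:05;tst-mc;!iface=x1,x2"):
        hits = [e["ip"] for e in apply_filter(SAMPLE_CACHE, query)]
        print(f"{query!r:70} -> {hits}")
```

Negation binds to a whole term, so "!iface=x1,x2" reads as "interface is neither x1 nor x2", which is the reading the table's Negative row implies.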
Extension to IP Helper
In order to support leases from the DHCP relay subsystem of IP Helper, the following changes have been made in the IP Helper panel, located at Network > IP Helper:
• As part of the DHCP relay logic, IP Helper learns leases exchanged between clients and the DHCP server, then saves them into flash memory.
• These learned leases are synced to the idle firewall as part of the IP Helper state sync messages.
Chapter 26: Setting Up the DHCP Server
Network > DHCP Server
This chapter contains the following sections:
• “DHCP Server Options Overview” on page 384
• “Multiple DHCP Scopes per Interface” on page 385
• “Configuring the DHCP Server” on page 387
• “DHCP Server Lease Scopes” on page 388
• “Current DHCP Leases” on page 388
• “Configuring Advanced DHCP Server Options” on page 389
• “Configuring DHCP Server for Dynamic Ranges” on page 393
• “Configuring Static DHCP Entries” on page
The SonicWALL security appliance includes a DHCP (Dynamic Host Configuration Protocol) server to distribute IP addresses, subnet masks, gateway addresses, and DNS server addresses to your network clients. The Network > DHCP Server page includes settings for configuring the SonicWALL security appliance’s DHCP server. You can use the SonicWALL security appliance’s DHCP server or use existing DHCP servers on your network.
clients on the network, it provides vendor-specific configuration and service information. The “DHCP Option Numbers” on page 400 provides a list of DHCP options by RFC-assigned option number.
Benefits
The SonicWALL DHCP server options feature provides a simple interface for selecting DHCP options by number or name, making the DHCP configuration process quick, easy, and compliant with RFC-defined DHCP standards.
Multiple Scopes for Group VPN – When using an internal DHCP server, a SonicWALL GVC client could be configured using scope ranges that differ from the LAN/DMZ subnet. The scope range for the SonicWALL GVC client is decided by the “Relay IP Address (Optional)” set in the central gateway.
Compatible with Conflict Detection – Currently, the SonicWALL DHCP server performs server-side conflict detection when this feature is enabled.
Figure 26:2 Trusted DHCP Relay Agents
Configuring the DHCP Server
If you want to use the SonicWALL security appliance’s DHCP server, select Enable DHCP Server on the Network > DHCP Server page. The following DHCP server options can be configured:
• Select Enable Conflict Detection to turn on automatic DHCP scope conflict detection on each zone.
To configure Option Objects, Option Groups, and Trusted Agents, click the Advanced button. For detailed information on configuring these features, see “Configuring Advanced DHCP Server Options” on page 389.
Configuring DHCP Server Persistence
DHCP server persistence is the ability of the firewall to save DHCP lease information and to provide the client with a predictable IP address that does not conflict with another user on the network, even after a client reboot.
Configuring Advanced DHCP Server Options
• “Configuring DHCP Option Objects” on page 389
• “Configuring DHCP Option Groups” on page 390
• “Configuring a Trusted DHCP Relay Agent Address Group” on page 391
• “Enabling Trusted DHCP Relay Agents” on page 392
The “DHCP Option Numbers” on page 400 provides a list of DHCP options by RFC-assigned option number.
Step 5 From the Option Number drop-down list, select the option number that corresponds to your DHCP option. For a list of option numbers and names, refer to “DHCP Option Numbers” on page 400.
Step 6 Optionally check the Option Array box to allow entry of multiple option values in the Option Value field.
Step 7 The option type displays in the Option Type drop-down menu.
Step 5 Enter a name for the group in the Name field.
Step 6 Select an option object from the left column and click the -> button to add it to the group. To select multiple option objects at the same time, hold the Ctrl key while selecting the option objects.
Step 7 Click OK. The group displays in the Option Groups list.
Enabling Trusted DHCP Relay Agents
In the DHCP Advanced Settings page, you can enable the Trusted Relay Agent List option using the Default Trusted Relay Agent List Address Group or create another Address Group using existing Address Objects. To enable the Trusted Relay Agent List option and select the desired Address Group, perform the following steps:
Step 1 In the left-hand navigation panel, navigate to the Network > DHCP Server page.
Configuring DHCP Server for Dynamic Ranges
Because SonicOS Enhanced allows multiple DHCP scopes per interface, there is no requirement that the subnet range is attached to the interface when configuring DHCP scopes. To configure DHCP server for dynamic IP address ranges, follow these instructions:
Step 1 In the Network > DHCP Server page, at the bottom of the DHCP Server Lease Scopes table, click Add Dynamic. The Dynamic Ranges Configuration window is displayed.
BOOTP stands for bootstrap protocol, which is a TCP/IP protocol and service that allows diskless workstations to obtain their IP address, other TCP/IP configuration information, and their boot image file from a BOOTP server.
DNS/WINS Settings
Step 9 Click the DNS/WINS tab to continue configuring the DHCP Server feature.
Step 10 If you have a domain name for the DNS server, type it in the Domain Name field.
Advanced Settings
Step 14 Click on the Advanced tab. The Advanced tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network.
Step 15 Under VoIP Call Managers, enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses.
Configuring Static DHCP Entries
Static entries are IP addresses assigned to servers requiring permanent IP settings. Because SonicOS Enhanced allows multiple DHCP scopes per interface, there is no requirement that the subnet range is attached to the interface when configuring DHCP scopes. To configure static entries, follow these steps:
Step 1 In the Network > DHCP Server page, at the bottom of the DHCP Server Lease Scopes table, click Add Static.
Step 7 To populate the Default Gateway and Subnet Mask fields with default values for a certain interface, select the Interface Pre-Populate checkbox near the bottom of the page and choose the interface from the drop-down list. The populated IP addresses are in the same private subnet as the selected interface.
Note To select an interface from the Interface menu, it must first be fully configured and it must be of the zone type LAN, WLAN, or DMZ, or be a VLAN sub-interface.
Advanced Settings
Step 15 Click on the Advanced tab. The Advanced tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network.
Step 16 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses.
Configuring DHCP Generic Options for DHCP Lease Scopes
This section provides configuration tasks for DHCP generic options for lease scopes.
Note Before generic options for a DHCP lease scope can be configured, a static or dynamic DHCP server lease scope must be created. The “DHCP Option Numbers” section on page 400 provides a list of DHCP options by RFC-assigned option number.
DHCP Option Numbers
This section provides a list of RFC-defined DHCP option numbers and descriptions:

Option Number | Name | Description
2 | Time Offset | Time offset in seconds from UTC
3 | Router | N/4 router addresses
4 | Time Servers | N/4 time server addresses
5 | Name Servers | N/4 IEN-116 server addresses
6 | DNS Servers | N/4 DNS server addresses
7 | Log Servers | N/4 logging server addresses
8 | Cookie Servers | N/4 quote server addresses
9 | LPR Servers | N/4 printer server addre
[…]
33 | Static Routing Table | Static routing table
34 | Trailer Encapsulation | Trailer encapsulation
35 | ARP Cache Timeout | ARP cache timeout
36 | Ethernet Encapsulation | Ethernet encapsulation
37 | Default TCP Time to Live | Default TCP time to live
38 | TCP Keepalive Interval | TCP keepalive interval
39 | TCP Keepalive Garbage | TCP keepalive garbage
40 | NIS Domain Name | NIS domain name
41 | NIS Server Addresses | NIS server addresses
42 | NTP Servers Addre
[…]
65 | NIS+ V3 Server Address | NIS+ V3 server address
66 | TFTP Server Name | TFTP server name
67 | Boot File Name | Boot file name
68 | Home Agent Addresses | Home agent addresses
69 | Simple Mail Server Addresses | Simple mail server addresses
70 | Post Office Server Addresses | Post office server addresses
71 | Network News Server Addresses | Network news server addresses
72 | WWW Server Addresses | WWW server addresses
73 | Finger Server Addresses | Finger
[…]
94 | Client Network Device Interface | Client network device interface
95 | LDAP | Use Lightweight Directory Access Protocol
96 | Undefined | N/A
97 | UUID/GUID Based Client Identifier | UUID/GUID-based client identifier
98 | Open Group’s User Authentication | Open group’s user authentication
99–106 | Undefined | N/A
[…]
124 | Vendor-Identifying Vendor Class | Vendor-identifying vendor class
125 | Vendor Identifying Vendor Specific | Vendor-identifying vendor specific
126–127 | Undefined | N/A
128 | TFTP Server IP Address | TFTP server IP address for IP phone software load
129 | Call Server IP Address | Call server IP address
130 | Discrimination String | Discrimination string to identify vendor
131 | Remote Statistics Server IP Address | Remote statistics
[…]
157–174 | Undefined | N/A
175 | Ether Boot | Ether Boot
176 | IP Telephone | IP telephone
177 | Ether Boot
[…]
194–207 | Undefined | N/A
208 | pxelinux.magic (string) = 241.0.116.126 | pxelinux.magic (string) = 241.0.116.126
209 | pxelinux.configfile (text) | pxelinux.
[…]
230–243 | Private Use | Private use
244 | Private Use | Priv
Chapter 27: Using IP Helper

Network > IP Helper
Many UDP-based protocols rely on broadcast or multicast to find their respective servers, which usually requires the servers to be present on the same broadcast subnet as the clients. To support cases where servers lie on different subnets than clients, a mechanism is needed to forward these UDP broadcasts/multicasts to those subnets. This mechanism is referred to as UDP broadcast forwarding.
Caution The SonicWALL DHCP Server feature must be disabled before you can enable DHCP Support on the IP Helper. The Enable DHCP Support checkbox is greyed out until the DHCP Server setting is disabled.
• Enable NetBIOS Support - Enables NetBIOS broadcast forwarding. NetBIOS is required to allow Windows operating systems to browse for resources on a network.

IP Helper Policies
IP Helper Policies allow you to forward DHCP and NetBIOS broadcasts from one interface to another interface.
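To make the DHCP option table above and the IP Helper DHCP relay concrete, here is an added example (not SonicOS code) that encodes DHCP options as code/length/value, parses a DHCP message, and performs the client-to-server relay step a DHCP helper does: stamping giaddr with the relay interface address and incrementing hops. The packets, addresses and option names are constructed for illustration; the hop limit of 4 is RFC 1542's recommended default.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # RFC 2132 cookie that starts the options field
HEADER_FMT = "!BBBBIHH4s4s4s4s"          # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
HEADER_LEN = 236                         # 28 fixed bytes + chaddr(16) + sname(64) + file(128)

# A few entries from the chapter's RFC-assigned option number table (names only, for display)
OPTION_NAMES = {
    1: "Subnet Mask", 3: "Router", 6: "DNS Servers", 42: "NTP Servers", 53: "DHCP Message Type",
    66: "TFTP Server Name", 67: "Boot File Name", 128: "TFTP Server IP Address",
    129: "Call Server IP Address",
}


def encode_option(code: int, value) -> bytes:
    """Encode one generic option as code | length | data. Strings become ASCII, lists of dotted
    addresses become packed IPv4 addresses, anything else is taken as raw bytes."""
    if not 1 <= code <= 254:
        raise ValueError("option codes 0 (pad) and 255 (end) are reserved")
    if isinstance(value, str):
        data = value.encode("ascii")
    elif isinstance(value, list):
        data = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    else:
        data = bytes(value)
    if len(data) > 255:                   # the length field is a single byte
        raise ValueError("option %d: value longer than 255 bytes" % code)
    return bytes([code, len(data)]) + data


def build_dhcp(op: int, xid: int, chaddr: bytes, options, hops: int = 0) -> bytes:
    """Assemble a BOOTREQUEST (op=1) or BOOTREPLY (op=2) carrying the given options."""
    zero = b"\x00" * 4
    fixed = struct.pack(HEADER_FMT, op, 1, len(chaddr), hops, xid, 0, 0x8000, zero, zero, zero, zero)
    fixed += chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128
    assert len(fixed) == HEADER_LEN
    return fixed + MAGIC_COOKIE + b"".join(encode_option(c, v) for c, v in options) + b"\xff"


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed header and the TLV options; rejects truncated or non-DHCP input."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi = struct.unpack(HEADER_FMT, packet[:28])
    options, i = {}, HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:                     # pad byte
            i += 1
            continue
        if code == 255:                   # end marker
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d claims %d bytes but the packet ends early" % (code, length))
        options[code] = data
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "chaddr": packet[28:28 + hlen].hex(),
            "ciaddr": str(ipaddress.IPv4Address(ci)), "yiaddr": str(ipaddress.IPv4Address(yi)),
            "siaddr": str(ipaddress.IPv4Address(si)), "giaddr": str(ipaddress.IPv4Address(gi)),
            "options": options}


def describe_options(options: dict) -> list:
    """Map parsed option codes to the names in the chapter's table (unknown codes stay numeric)."""
    return [(code, OPTION_NAMES.get(code, "Option %d" % code)) for code in sorted(options)]


def relay_to_server(packet: bytes, relay_ip: str, max_hops: int = 4):
    """Client-to-server relay step: the first relay stamps giaddr with its own interface address
    (a later relay leaves it alone) and every relay increments hops. Returns None to signal a
    drop when hops already exceeds the limit, as RFC 1542 recommends (default threshold 4)."""
    hops = packet[3]
    if hops > max_hops:
        return None
    giaddr = packet[24:28]
    if giaddr == b"\x00" * 4:
        giaddr = ipaddress.IPv4Address(relay_ip).packed
    return packet[:3] + bytes([hops + 1]) + packet[4:24] + giaddr + packet[28:]


if __name__ == "__main__":
    # Constructed DHCPDISCOVER (option 53 = 1) from a client on the far side of the relay
    discover = build_dhcp(1, 0x3903F326, bytes.fromhex("001122334455"), [(53, b"\x01")])
    relayed = parse_dhcp(relay_to_server(discover, "192.168.168.1"))
    print("giaddr after relay:", relayed["giaddr"], "hops:", relayed["hops"])
```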
Adding an IP Helper Policy for NetBIOS
Step 1 Click the Add button under the IP Helper Policies table. The Add IP Helper Policy window is displayed.
Step 2 The policy is enabled by default. To configure the policy without enabling it, clear the Enabled check box.
Step 3 Select NetBIOS from the Protocol menu.
Step 4 Select a source Address Group or Address Object from the From menu. Select Create a new network to create a new Address Object.
• Raw Mode—Unidirectional forwarding that does not create an IP Helper cache. This is suitable for most of the user-defined protocols that are used for discovery, for example WOL/mDNS.
Figure 27:3 Enhanced IP Helper UI
Each protocol has the following configurable options:
• Name—The name of the protocol. Note that names are case sensitive and must be unique.
• Port 1/2—The unique UDP port number.
• Translate IP—Translation of the source IP while forwarding a packet.
Adding User-Defined Protocols
Click the Add button on the lower left side of the protocol list table. The following fields must be configured in order to add a protocol.
• Name—Create a unique case-sensitive name.
• Port 1/2—The unique UDP port numbers.
• Timeout—This is optional. IP Helper cache timeout in seconds, in increments of 10. If not specified, a default value of 30 seconds is selected.
Displaying IP Helper Cache from TSR
The TSR will show all the IP Helper caches, current policies, and protocols:
#IP_HELPER_START
IP Helper
-----IP Helper Global Run-time Data------
IP Helper is OFF
IP Helper - DHCP Relay is OFF
IP Helper - Netbios Relay is OFF
Total Number Of Fwded Packets :0
Total Number Of Dropped Packets :0
Total Number Of Passed Packets :0
Total Number Of Unknown Packets :0
Total Number Of record create failure :0
Total Number Of element create failure :0
mDNS Forwarding
In order to enable Apple support for iRemote, iTunes, and Apple TV, the mDNS protocol must be enabled. A policy is needed to forward these packets. The following graphic illustrates the process of how Enhanced IP Helper works with mDNS Forwarding:
To configure SonicOS to support mDNS, perform the following steps:
Step 1 Navigate to the Network > IP Helper page.
Step 2 Select the Enable IP Helper checkbox.
Step 3 In the Relay Protocols section, click the Enable checkbox for mDNS.
Step 4 In the Policies section, click the Add... button.
Step 5 Click the Protocol drop-down menu, then select mDNS.
Step 6 Click the From: drop-down menu, then select the source interface.
Chapter 28: Setting Up Web Proxy Forwarding

Network > Web Proxy
A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests.
Configuring Automatic Proxy Forwarding (Web Only)
Note The proxy server must be located on the WAN or DMZ; it cannot be located on the LAN.
To configure a proxy Web server, select the Network > Web Proxy page.
Step 1 Connect your Web proxy server to a hub, and connect the hub to the SonicWALL security appliance WAN or DMZ port.
Step 2 Type the name or IP address of the proxy server in the Proxy Web Server (name or IP address) field.
Chapter 29: Configuring Dynamic DNS

Network > Dynamic DNS
Dynamic DNS (DDNS) is a service provided by various companies and organizations that allows dynamically changing IP addresses to automatically update DNS records without manual intervention. This service allows for network access using domain names rather than IP addresses, even when the target’s IP addresses change.
Supported DDNS Providers
Not all services and features from all providers are supported, and the list of supported providers is subject to change. SonicOS currently supports the following services from four Dynamic DNS providers:
• Dyndns.org - SonicOS requires a username, password, Mail Exchanger, and Backup MX to configure DDNS from Dyndns.org.
• Changeip.com - A single, traditional Dynamic DNS service requiring only username, password, and domain name for SonicOS configuration.
To configure Dynamic DNS on the SonicWALL security appliance, perform these steps:
Step 1 From the Network > Dynamic DNS page, click the Add button. The Add DDNS Profile window is displayed.
Step 2 If Enable this DDNS Profile is checked, the profile is administratively enabled, and the SonicWALL security appliance takes the actions defined in the Online Settings section on the Advanced tab.
Step 3 If Use Online Settings is checked, the profile is administratively online.
– Static - A free DNS service for static IP addresses.
Step 10 When using DynDNS.org, you may optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Backup MX if this is the backup mail exchanger.
Step 11 Click the Advanced tab. You can typically leave the default settings on this page.
Step 12 The On-line Settings section provides control over what address is registered with the dynamic DNS provider.
Dynamic DNS Settings Table
The Dynamic DNS Settings table provides a table view of configured DDNS profiles. The Dynamic DNS Settings table includes the following columns:
• Profile Name - The name assigned to the DDNS entry during its creation. This can be any value, and is used only for identification.
• Domain - The fully qualified domain name (FQDN) of the DDNS entry.
• Provider - The DDNS provider with whom the entry is registered.
Chapter 30: Configuring Network Monitor

Network > Network Monitor
The Network > Network Monitor page provides a flexible mechanism for monitoring network path viability. The results and status of this monitoring are displayed dynamically on the Network Monitor page, and are also provided to affected client components and logged in the system log. Each custom NM policy defines a destination Address Object to be probed. This Address Object may be a Host, Group, Range, or FQDN.
You can view details of the probe status by hovering your mouse over the green, red, or yellow light for a policy. The following information is displayed in the probe status:
• The percent of successful probes.
• The number of resolved probe targets.
• The total number of probes sent.
• The total number of successful probe responses received.
• A list of resolved probe targets, and their status.
Adding a Network Monitor Policy
To add a network monitor policy on the SonicWALL security appliance, perform these steps:
Step 1 From the Network > Network Monitor page, click the Add button. The Add Network Monitor Policy window is displayed.
Step 2 Enter the following information to define the network monitor policy:
• Name - Enter a description of the Network Monitor policy.
• Probe Target - Select the Address Object or Address Group to be the target of the policy.
same interface within the Response Timeout time window. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned.
– Ping (ICMP) - Explicit Route - This probe bypasses the route table and uses the source IP address of the interface specified in the Outbound Interface pulldown menu to send a Ping to the targets.
Part 5:
Chapter 31: 3G/Modem Selection

3G/Modem
SonicWALL UTM appliances with a USB extension port can support either an external 3G interface or an analog modem interface. When the appliance does not detect an external interface, a 3G/Modem tab is displayed in the left-side navigation bar.
Selecting the 3G/Modem Status
By default, the SonicWALL UTM appliance will attempt to auto-detect whether a connected external device is a 3G interface or an analog modem interface. You can manually specify which type of interface you want to configure on the 3G/Modem > Settings page. The 3G/Modem Device Type pulldown menu provides the following options:
• Auto-detect - The appliance attempts to determine if the device is a 3G or analog modem.
Chapter 32: Configuring 3G

3G
This chapter describes how to configure the 3G wireless WAN interface on the SonicWALL UTM appliance. It contains the following sections:
• “3G Overview” on page 433
• “3G > Status” on page 440
• “3G > Settings” on page 440
• “3G > Advanced” on page 442
• “3G > Connection Profiles” on page 444
• “3G > Data Usage” on page 450
• “Other 3G Configuration Tasks” on page 450
• “3G Glossary” on page 451

3G Overview
This section provides an overview of 3G.
• Temporary networks where a pre-configured connection may not be available, such as trade shows and kiosks.
• Mobile networks, where the SonicWALL appliance is based in a vehicle.
• Primary WAN connection where wire-based connections are not available and 3G Cellular is.
Wireless Wide Area Networks provide untethered remote network access through the use of mobile or cellular data networks.
Understanding 3G Failover
When the WAN Connection Model is set to Ethernet with 3G Failover, the WAN (Ethernet) interface is the primary connection. If the WAN interface fails, the SonicWALL appliance fails over to the 3G interface.
Persistent Connection 3G Failover
The following diagram depicts the sequence of events that occur when the WAN Ethernet connection fails and the 3G Connection Profile is configured for Persistent Connection.
[Diagram: NSA 240 with Ethernet WAN and WWAN link; the primary Ethernet connection is re-established when successive pings succeed]
1. Primary Ethernet connection available – The Ethernet WAN interface is connected and used as the primary connection.
Dial on Data 3G Failover
The following diagram depicts the sequence of events that occur when the WAN Ethernet connection fails and the 3G Connection Profile is configured for Dial on Data.
[Diagram: a user/node attempts a LAN>WAN transfer with “qualified” data]
1. Primary Ethernet connection available – The Ethernet WAN interface is connected and used as the primary connection.
Manual Dial 3G Failover
The following diagram depicts the sequence of events that occur when the WAN Ethernet connection fails and the 3G Connection Profile is configured for Manual Dial.
Caution It is not recommended to use a Manual Dial 3G Connection Profile when the WAN Connection Model is set for Ethernet with 3G Failover. The Manual Dial 3G Connection Profile is only intended to be used when the device's WAN Connection Model is set to 3G Only in the Network > Interfaces page.
3G Wireless WAN Service Provider Support
SonicOS Enhanced supports the following 3G Wireless network providers (this list is subject to change):
• Cingular Wireless
• H3G
• Sprint PCS Wireless
• Verizon Wireless
• Vodafone
• Telecom Italia Mobile
• Telefonica
• T-Mobile
• TDC Song
• Orange

3G Prerequisites
Before configuring the 3G interface, you must complete the following prerequisites:
Note
• Purchase a 3G service plan from a supported third-party wireless provider
• Configur
3G > Status
The 3G > Status page displays the current status of 3G on the SonicWALL appliance. It indicates the status of the 3G connection, the current active WAN interface, or the current backup WAN interface. It also displays IP address information, DNS server addresses, the current active dial up profile, and the current signal strength.
• Syslog traffic
To configure the SonicWALL appliance for Connect on Data operation, you must select Dial on Data as the Dial Type for the Connection Profile. See “3G > Connection Profiles” on page 444 for more details.

Management/User Login
The Management/User Login section must be configured to enable remote management of the SonicWALL appliance over the 3G interface. You can select any of the supported management protocol(s): HTTPS, Ping, and/or SNMP.
3. In the Probe Type menu, select one of the following options:
– Probe succeeds when either Main Target or Alternate Target responds
– Probe succeeds when both Main Target and Alternative Target respond
– Probe succeeds when Main Target responds
– Succeeds Always (no probing)
4. For both the Main Target and, when applicable, the Alternate Target, configure the following:
a. Select Ping (ICMP) or TCP from the Probe Target menu.
b. Enter the IP address of the main target device in the IP Address field.
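The following added example (not SonicOS code) models the failover behaviour this chapter describes: the four Probe Type rules above, the three Dial Type behaviours (Persistent, Dial on Data with qualified traffic, Manual), and the Ethernet-to-3G failover with fail-back once successive probes succeed. The consecutive-probe thresholds and the category names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The four Probe Type choices listed above
EITHER, BOTH, MAIN_ONLY, ALWAYS = "either", "both", "main", "always"
# The three Dial Type choices for a 3G Connection Profile
PERSISTENT, DIAL_ON_DATA, MANUAL = "persistent", "dial_on_data", "manual"
# Connect on Data categories the chapter treats as "qualified" traffic (labels are assumed)
QUALIFIED_CATEGORIES = {"ntp", "gms_heartbeat", "syslog", "av_update", "snmp_trap",
                        "license_update", "firmware_update"}


def probe_succeeds(probe_type: str, main_ok: bool, alt_ok=None) -> bool:
    """Combine the Main Target and Alternate Target results exactly as the Probe Type options state."""
    if probe_type == ALWAYS:
        return True
    if probe_type == MAIN_ONLY:
        return main_ok
    if alt_ok is None:
        raise ValueError("probe type %r needs an Alternate Target result" % probe_type)
    if probe_type == EITHER:
        return main_ok or alt_ok
    if probe_type == BOTH:
        return main_ok and alt_ok
    raise ValueError("unknown probe type %r" % probe_type)


def should_dial(dial_type: str, category=None) -> bool:
    """Whether a failover brings the 3G link up now: Persistent dials immediately, Dial on Data
    waits for qualified traffic, and Manual never dials on its own (hence the caution above)."""
    if dial_type == PERSISTENT:
        return True
    if dial_type == DIAL_ON_DATA:
        return category in QUALIFIED_CATEGORIES
    if dial_type == MANUAL:
        return False
    raise ValueError("unknown dial type %r" % dial_type)


@dataclass
class FailoverMonitor:
    probe_type: str
    fail_threshold: int = 3       # consecutive failed probes before failing over (assumed value)
    recover_threshold: int = 3    # consecutive good probes before failing back ("successive pings succeed")
    active: str = "ethernet"
    failures: int = 0
    successes: int = 0
    events: list = field(default_factory=list)

    def observe(self, main_ok: bool, alt_ok=None) -> str:
        """Feed one probe round; returns the interface that is active afterwards."""
        if probe_succeeds(self.probe_type, main_ok, alt_ok):
            self.successes, self.failures = self.successes + 1, 0
        else:
            self.failures, self.successes = self.failures + 1, 0
        if self.active == "ethernet" and self.failures >= self.fail_threshold:
            self.active, self.failures = "3g", 0
            self.events.append("WAN probe failed %d times in a row: failover to 3G" % self.fail_threshold)
        elif self.active == "3g" and self.successes >= self.recover_threshold:
            self.active, self.successes = "ethernet", 0
            self.events.append("%d successive probes succeeded: back to Ethernet WAN" % self.recover_threshold)
        return self.active


if __name__ == "__main__":
    monitor = FailoverMonitor(EITHER)
    for main_ok, alt_ok in [(True, True), (False, False), (False, False), (False, False), (True, False)]:
        print(main_ok, alt_ok, "->", monitor.observe(main_ok, alt_ok))
    print(monitor.events)
```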
• The SonicWALL Security Appliance is configured to be managed using HTTPS, so that the device can be accessed remotely.
• It is recommended that you enter a value in the Enable Max Connection Time (minutes) field. This field is located in the 3G Profile Configuration window on the Parameters tab. See “3G > Connection Profiles” on page 444 for more information.
3G > Connection Profiles
Use the 3G > Connection Profiles page to configure 3G connection profiles and set the primary and alternate profiles. Select the primary 3G connection profile in the Primary Profile pulldown menu. Optionally, you can select up to two alternate 3G profiles.
General Tab
The General tab allows the administrator to configure general connection settings for the 3G service provider. After selecting your country, service provider, and plan type, the rest of the fields are automatically filled for most service providers.
1. On the 3G > Connection Profiles page, click on the Add button. The 3G Profile Configuration window displays.
2. Select the Country where the SonicWALL appliance is deployed.
3.
Parameters Tab
The Parameters tab allows the administrator to configure under what conditions the 3G service connects. The three connection types are Persistent, Connect on Data, and Manual. The mechanics of these connection types are described in the “Understanding 3G Connection Models” section on page 434.
1. Click on the Parameters tab.
2. In the Dial Type pulldown menu, select whether the connection profile is a Persistent Connection, Dial on Data, or Manual Dial.
7. Select the Disable VPN when Dialed checkbox to disable VPN connections over the 3G interface.

IP Addresses Tab
The IP Addresses tab allows the administrator to configure dynamic or static IP addressing for this interface. In most cases, this feature is set to Obtain an IP Address Automatically; however, it is possible to configure manual IP addresses for both your gateway IP address and one or more DNS server IP addresses if this is required by your service provider.
1.
Note When this feature is enabled, if the checkbox for a day is not selected, 3G access will be denied for that entire day.
1. Click on the Schedule tab.
2. Select the Limit Times for Connection Profile checkbox to enable the scheduling feature for this interface.
3. Select the checkbox for each Day of Week you wish to allow access on.
4. Enter the desired Start Time and End Time (in 24-hour format) for each day of the week.
2. Select the Enable Data Usage Limiting checkbox to have the 3G interface become automatically disabled when the specified data or time limit has been reached for the month.
3. Select the day of the month to start tracking the monthly data or time usage in the Billing Cycle Start Date pulldown menu.
4. Enter a value in the Limit field and select the appropriate limiting factor: GB, MB, KB, or minutes.
5. Click OK.
3G > Data Usage
On the 3G > Data Usage page, you can monitor the amount of data transferred over the 3G interface in the Data Usage table and view details of 3G sessions in the Session History table. The Data Usage table displays the current data usage and online time for the current Year, Month, Week, Day, and Billing Cycle. Billing cycle usage is only calculated if the Enable Data Usage Limiting option is enabled on the 3G Connection Profile.
Managing 3G Connections
To initiate a 3G connection, click on the Manage button in the 3G interface line on the Network > Interfaces page. The 3G Connection window displays. Click the Connect button. The SonicWALL appliance attempts to connect to the 3G service provider.
To disconnect a 3G connection, click on the Manage button. The 3G Connection window displays. Click Disconnect.
• Generation - WWAN protocols are divided by generation, such as 2G, 2.5G, and 3G, where 1G would be the original analog cellular networks. Each generational advance is usually characterized by improvements in speed and capacity. Although 3G is most commonly used to describe Wireless Wide Area Networking, 3G only refers to a single set of available protocols. A list of popular protocols by generation:
– 1G - Analog
– 2G - GSM
– 2.5G - GPRS
– 2.75G - EDGE, 1xRTT
– 3G - UMTS, 1xEV-DO
– 3.
allow for a subscriber's identity to move from one GSM device to another. Many operators lock their devices to prevent the use of other operators' SIM cards, but operators will sometimes unlock their devices if certain conditions are met.
• TDMA - Time Division Multiple Access - TDMA is used by most currently available GSM networks. It allows multiple stations concurrent access to a frequency by dividing it into time slots, where each station takes turns transmitting.
Chapter 33: Configuring Modem

Modem
The following sections describe how to configure and use the modem functionality on a SonicWALL UTM appliance:
• “Modem > Status” on page 455
• “Modem > Settings” on page 456
• “Modem > Advanced” on page 457
• “Modem > Connection Profiles” on page 459

Modem > Status
The Modem > Status page displays dialup connection information when the modem is active.
If the modem is inactive, the Status page displays a list of possible reasons that your modem is inactive. When the modem is active, the network settings from the ISP are used for WAN access.

Modem > Settings
The Modem > Settings page allows you to configure modem settings, specify Connect on Data categories, select management and user login options, and select the primary and alternate modem profiles.
The Connect on Data Categories include:
• NTP packets
• GMS Heartbeats
• System log e-mails
• AV Profile Updates
• SNMP Traps
• Licensed Updates
• Firmware Update requests
• Syslog traffic

Management/User Login
The Management/User Login section allows you to enable remote management of the SonicWALL security appliance or user login from the Modem interface. You can select any of the supported management protocol(s): HTTPS, Ping, SNMP and/or SSH.
3. The SonicWALL then initiates a modem connection to its dial-up ISP, based on the configured dial profile.
4. The network administrator accesses the SonicWALL web management interface to perform the required tasks.
If LAN-to-WAN traffic on the SonicWALL generates a dial-out request at the same time as a Remotely Triggered Dial-out session is being authenticated, the Remotely Triggered Dial-out session is terminated and the SonicWALL initiates its own dial-out session.
2. Click the Enable Ingress Bandwidth Management checkbox to enable bandwidth management policy enforcement on inbound traffic.
3. Select a Compression Multiplier from the drop-down list.

Connection Limit
The Connection Limit section allows the administrator to set a host/node limit on the modem connection. This feature is especially useful for deployments where the modem connection is used as an overflow or in load-balanced situations, to avoid over-taxing the connection.
Configuring a Profile
1. In the Modem > Connection Profiles page, click the Add button. The Modem Profile Configuration window is displayed for configuring a dialup profile. Once you create your profiles, you can then specify which profiles to use for WAN failover or Internet access. To configure your ISP settings, you must obtain your Internet information from your dial-up Internet Service Provider.
Tip!
1.
8. Click the ISP Address tab.
9. In the ISP Address Setting section, select Obtain an IP Address Automatically if you do not have a permanent dialup IP address from your ISP. If you have a permanent dialup IP address from your ISP, select Use the following IP Address and enter the IP address in the corresponding field.
10. If you obtain an IP address automatically for your DNS server(s), select Obtain an IP Address Automatically.
applications such as AutoUpdate and Anti-Virus. If Enable WAN Failover is selected on the Modem > Failover page, the pings generated by the probe can trigger the modem to dial when no WAN Ethernet connection is detected. If the Primary Profile cannot connect, the modem uses Alternate Profile 1 to dial an ISP.
Manual Connection - Selecting Manual Connection for a Primary Profile means that a modem connection does not automatically occur.
21. Click the Schedule tab.
22. If you want to specify scheduled times the modem can connect, select Limit Times for Dialup Profile. Enter times for each day in 24-hour format that you want the modem to be able to make a connection.
23. Click OK to add the dial-up profile to the SonicWALL security appliance. The Dialup Profile appears in the Connection Profiles table.

Chat Scripts
Some legacy servers can require company-specific chat scripts for logging onto the dial-up servers.
The next line has OK as the expected string, and the interpreter waits for OK to be returned in response to the previous command, ATV1, before continuing the script. If OK is not returned within the default time period of 50 seconds, the chat interpreter aborts the script and the connection fails. If OK is received, the prefix and phone number of the selected dial-up account are dialled. The \T command is replaced by the chat script interpreter with the prefix and phone number of the dial-up account.
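As an added illustration of the expect/send behaviour just described (example code, not the SonicWALL chat interpreter), the following minimal interpreter reads one expected string and one string to send per line, substitutes \T with the account's prefix and phone number, and aborts when the expected string does not arrive within the 50-second default. The script text, the line format and the modem stand-in are constructed for the example.

```python
DEFAULT_TIMEOUT = 50   # seconds, the default wait the chapter quotes

# Constructed sample script: <expect> <send> per line; "" means nothing expected / nothing sent
SAMPLE_SCRIPT = """\
# expect    send
""          ATZ
OK          ATV1
OK          ATDT\\T
CONNECT     ""
"""


class SimulatedModem:
    """Stand-in for a serial modem: maps each command to (response, seconds_until_response)."""

    def __init__(self, responses: dict):
        self.responses = responses
        self.sent = []

    def send(self, command: str):
        self.sent.append(command)
        return self.responses.get(command, ("ERROR", 1))


def run_chat(script: str, modem: SimulatedModem, prefix: str, number: str,
             timeout: int = DEFAULT_TIMEOUT):
    """Run the script against the modem; returns (connected, log). The script aborts, as the
    chapter describes, when an expected string is not returned in time or does not match."""
    log, pending = [], None       # pending = (response, seconds) of the last command sent
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            log.append("line %d: malformed, expected <expect> <send>" % lineno)
            return False, log
        expect, send = (p if p not in ('""', "''") else "" for p in parts)
        if expect:
            if pending is None:
                log.append("line %d: expecting %r but nothing was sent" % (lineno, expect))
                return False, log
            response, secs = pending
            if secs > timeout:
                log.append("line %d: no %r within %ds, aborting" % (lineno, expect, timeout))
                return False, log
            if expect not in response:
                log.append("line %d: expected %r, got %r, aborting" % (lineno, expect, response))
                return False, log
            log.append("line %d: got %r" % (lineno, response))
            pending = None
        if send:
            command = send.replace("\\T", prefix + number)   # the \T substitution from the chapter
            log.append("line %d: sent %r" % (lineno, command))
            pending = modem.send(command)
    return True, log


if __name__ == "__main__":
    modem = SimulatedModem({"ATZ": ("OK", 1), "ATV1": ("OK", 1), "ATDT9,5551234": ("CONNECT 56000", 20)})
    connected, log = run_chat(SAMPLE_SCRIPT, modem, "9,", "5551234")
    print("connected:", connected)
    print("\n".join(log))
```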
Part 6:
Chapter 34: Viewing WLAN Settings, Statistics, and Station Status

Wireless Overview
Note The wireless features described apply only to SonicWALL appliances equipped with internal wireless hardware, such as the TZ series, the NSA 220W, and the NSA 250MW.
The SonicWALL wireless security appliances support the IEEE 802.11b, 802.11g, and 802.11n wireless protocols, commonly known as Wi-Fi, and send data via radio transmissions.
• VPN tunnel

Considerations for Using Wireless Connections
• Mobility - if the majority of your network is laptop computers, wireless is more portable than wired connections.
• Convenience - wireless networks do not require cabling of individual computers or opening computer cases to install network cards.
• Speed - if network speed is important to you, you may want to consider using Ethernet connections rather than wireless connections.
• Try to place the wireless security appliance in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
• Building construction can make a difference on wireless performance. Avoid placing the wireless security appliance near walls, fireplaces, or other large solid objects.
Wireless > Status
The Wireless > Status page provides status information for the wireless network, including WLAN Settings, WLAN Statistics, WLAN Activities and Station Status. The Wireless > Status page has four tables:
• “WLAN Settings” on page 471
• “WLAN Statistics” on page 472
• “WLAN Activities” on page 472
• “Station Status” on page 473
WLAN Settings
The WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table are hyperlinks to their respective pages for configuration. Enabled features are displayed in green, and disabled features are displayed in red. Click on a setting to go to the page in the Management Interface where you can configure that setting.
WLAN Statistics
The WLAN Statistics table lists all of the traffic sent and received through the WLAN. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic.

Wireless Statistics | Rx/TX
Good Packets | Number of allowed packets received and transmitted.
Bad Packets | Number of received and transmitted packets that were dropped.
Good Bytes | Total number of bytes in the good packets.
Station Status
The Station Status table displays information about wireless connections associated with the wireless security appliance.
Chapter 35: Configuring Wireless Settings

Wireless > Settings
The Wireless > Settings page allows you to configure settings for the 802.11 wireless antenna.
Wireless Radio Mode
The Radio Role allows you to configure the SonicWALL TZ wireless for one of two modes:
Note Be aware that when switching between radio roles, the SonicWALL may require a restart.
Access Point - Configures the SonicWALL as an Internet/network gateway for wireless clients.
[Diagram: Wired LAN 10.10.20.x and Wireless LAN 10.10.50.]
Wireless Settings
Enable WLAN Radio: Check this checkbox to turn the radio on and enable wireless networking. Click Apply in the top right corner of the management interface to have this setting take effect.
Schedule: The schedule determines when the radio is on to send and receive data. The default value is Always on. The Schedule list displays the schedule objects you create and manage in the System > Schedule page.
– Standard Channel - This pulldown menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.
• Wide - 40 MHz Channel - Specifies that the 802.
Chapter 36: Configuring Wireless Security

Wireless > Security
Note When the SonicWALL wireless security appliance is configured in Access Point mode, this page is called Security. When the appliance is configured in Wireless Bridge mode, this page is called WEP Encryption.
Wired Equivalent Privacy (WEP) can be used to protect data as it is transmitted over the wireless network, but it provides no protection past the SonicWALL.
• Transparent authentication with Windows log-in • No client software needed in most cases WPA2 • Best security (uses AES) • For use with trusted corporate wireless clients • Transparent authentication with Windows log-in • Client software install may be necessary in some cases • Supports 802.11i “Fast Roaming” feature • No backend authentication needed after first log-in (allows for faster roaming) WPA2-AUTO • Tries to connect using WPA2 security.
WPA2 and WPA PSK Settings Encryption Mode: In the Authentication Type field, select either WPA-PSK, WPA2-PSK, or WPA2-Auto-PSK. WPA Settings • Cypher Type: Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis. • Group Key Update: Specifies when the SonicWALL security appliance updates the key. Select By Timeout to generate a new group key after an interval specified in seconds.
WPA2 and WPA EAP Settings Encryption Mode: In the Authentication Type field, select either WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP. WPA Settings • Cypher Type: Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis. • Group Key Interval: Enter the number of seconds before WPA automatically generates a new group key.
• Both (Open System & Shared Key): The Default Key assignments are not important as long as the identical keys are used in each field. If Shared Key is selected, then the key assignment is important. To configure wireless security on the SonicWALL, navigate to the Wireless > Security page and perform the following tasks: Step 1 Select the appropriate authentication type from the Authentication Type list.
Chapter 37: Configuring Advanced Wireless Settings Wireless > Advanced To access Advanced configuration settings for the SonicWALL wireless security appliance, log into the SonicWALL, click Wireless, and then Advanced. The Wireless > Advanced page is only available when the SonicWALL is acting as an access point.
Beaconing & SSID Controls 1. Select Hide SSID in Beacon. Suppresses broadcasting of the SSID name and disables responses to probe requests. Checking this option helps prevent your wireless SSID from being seen by unauthorized wireless clients. 2. Type a value in milliseconds for the Beacon Interval. Decreasing the interval time makes passive scanning more reliable and faster because Beacon frames announce the network to the wireless connection more frequently.
Step 8 The Association Timeout (seconds) is 300 seconds by default, and the allowed range is from 60 to 36000 seconds. If your network is very busy, you can increase the timeout by increasing the number of seconds in the Association Timeout (seconds) field. Step 9 Set the Maximum Client Associations to limit the number of stations that can connect wirelessly at one time. The default is 128. Step 10 Data Rate: Select the speed at which the data is transmitted and received.
Chapter 38: Configuring MAC Filter List Wireless > MAC Filter List Wireless networking provides native MAC filtering capabilities, which prevent unlisted wireless clients from authenticating and associating with the wireless security appliance. If you enforce MAC filtering on the WLAN, wireless clients must provide you with the MAC address of their wireless networking card. To set up your MAC Filter List, log into the SonicWALL, and click Wireless, then MAC Filter List.
The items in the list are address object groups, defined groups of objects that represent specific IP addresses or ranges of addresses that can be used throughout the management interface to specify network resources. An address object group can contain other address object groups. The Allow List and Deny List are also address object groups.
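Because the Allow List and Deny List are themselves address object groups that may contain other groups, a MAC filter decision requires flattening the nesting first. The following is an added example (not SonicOS code) that resolves constructed sample groups into flat MAC sets and checks a client against them; the rule that a Deny List match overrides the Allow List is an assumption of this example, not a documented SonicOS precedence.

```python
# Added example, not SonicOS code. Resolves nested address object groups
# (as used by the Wireless > MAC Filter List) into flat MAC sets and evaluates
# a wireless client against the Allow List and Deny List.


def normalize_mac(mac):
    """Canonical lower-case colon form so 00-1A-2B-... and 00:1a:2b:... compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def resolve_group(name, groups, _stack=()):
    """Flatten a group, which may contain other groups, into a set of MACs.
    A group referencing itself (directly or indirectly) is reported instead of recursing forever."""
    if name in _stack:
        raise ValueError("cycle in address object groups: " + " -> ".join(_stack + (name,)))
    members = set()
    for item in groups[name]:
        if item in groups:                       # a nested address object group
            members |= resolve_group(item, groups, _stack + (name,))
        else:                                    # a leaf entry: one client MAC
            members.add(normalize_mac(item))
    return members


def client_permitted(mac, groups):
    """True if the client may associate: it must be in the Allow List and
    not in the Deny List (deny-overrides is this example's assumption)."""
    mac = normalize_mac(mac)
    if mac in resolve_group("Deny List", groups):
        return False
    return mac in resolve_group("Allow List", groups)


# Constructed sample groups; the MACs are illustrative only.
SAMPLE_GROUPS = {
    "Faculty Laptops": ["00:1A:2B:3C:4D:01", "00-1a-2b-3c-4d-02"],
    "IT Staff": ["00:1a:2b:3c:4d:10", "Faculty Laptops"],   # contains another group
    "Allow List": ["IT Staff"],
    "Lost Devices": ["00:1a:2b:3c:4d:02"],                   # a laptop reported lost
    "Deny List": ["Lost Devices"],
}

if __name__ == "__main__":
    for client in ("00:1A:2B:3C:4D:01", "00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:99"):
        print(client, "permitted" if client_permitted(client, SAMPLE_GROUPS) else "blocked")
```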
Chapter 39: Configuring Wireless IDS Wireless > IDS Wireless Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWALL wireless security appliances by enabling them to recognize and even take countermeasures against the most common types of illicit wireless activity. WIDS consists of three types of services, namely, Sequence Number Analysis, Association Flood Detection, and Rogue Access Point Detection.
connectivity for associated wireless clients. While in Access Point mode, the Scan Now function should only be used if no clients are actively associated, or if the possibility of client interruption is acceptable. Intrusion Detection Settings Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network.
Discovered Access Points The Discovered Access Points table displays information on every access point that can be detected by all your SonicPoints or on an individual SonicPoint basis: • MAC Address (BSSID): The MAC address of the radio interface of the detected access point. • SSID: The radio SSID of the access point. • Channel: The radio channel used by the access point. • Manufacturer: The manufacturer of the access point.
Chapter 40: Configuring Virtual Access Points with Internal Wireless Radio Wireless > Virtual Access Point This chapter describes the Virtual Access Point feature and includes the following sections: • “Wireless VAP Overview” section on page 495 • “Wireless Virtual AP Configuration Task List” section on page 496 • “VAP Sample Configuration” section on page 507 Wireless VAP Overview This section provides an introduction to the Virtual Access Point feature for SonicWALL UTM appliances equip
to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer, each with a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID).
Wireless VAP Configuration Overview The following are required areas of configuration for VAP deployment: Step 1 Zone - The zone is the backbone of your VAP configuration. Each zone you create will have its own security and access control settings, and you can create and apply multiple zones to a single physical interface by way of Wireless Subnets.
Network Zones This section contains the following subsections: • “The Wireless Zone” section on page 498 • “Custom Wireless Zone Settings” section on page 498 A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone.
General
Name: Create a name for your custom zone.
Security Type: Select Wireless in order to enable and access wireless security options.
Allow Interface Trust: Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Guest Services.
Wireless
Only allow traffic generated by a SonicPoint: Restricts traffic on this zone to internally-generated traffic only.
SSL VPN Enforcement: Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL VPN, using, for example, NetExtender to tunnel all traffic.
Guest Services The Enable Guest Services option allows the following guest services to be applied to a zone:
Enable inter-guest communication: Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each other.
Pass Networks: Automatically allows traffic through the Wireless zone from the networks you select.
Max Guests: Specifies the maximum number of guest users allowed to connect to the Wireless zone. The default is 10.
Wireless LAN Subnets A Wireless LAN (WLAN) subnet allows you to split a single wireless radio interface (W0) into many virtual network connections, each carrying its own set of configurations.
User Login: Select the protocols you will make available to clients who access this subnet.
DHCP Server: Select the Create default DHCP Lease Scope option to enable DHCP on this subnet, along with the default number of available leases. Read the “DHCP Server Scope” section on page 503 for more information on DHCP lease requirements.
DHCP Server Scope The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”.
Virtual Access Point Profile Settings The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:
Name: Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember, as you will later apply this profile to new VAPs.
Type: Set to Wireless-Internal-Radio by default.
WPA-PSK / WPA2-PSK Encryption Settings Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.
Pass Phrase: The shared passphrase users will enter when connecting with PSK-based authentication.
Group Key Interval: The time period for which a Group Key is valid. The default value is 86400 seconds. Setting too low a value can cause connection issues.
General VAP Settings
SSID: Create a friendly name for your VAP.
Subnet Name: Select a subnet name to associate this VAP with. Settings for this VAP will be inherited from the subnet you select from this list.
Enable Virtual Access Point: Enables this VAP.
Enable SSID Suppress: Suppresses broadcasting of the SSID name and disables responses to probe requests.
Enabling the Virtual Access Point Group After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio. The default group is called Internal AP Group. After this selection has been made and applied. VAP Sample Configuration This section provides configuration examples based on real-world wireless needs.
General Settings Tab Step 1 In the General tab, enter a friendly name such as “WLAN_Faculty” in the Name field. Step 2 Select Wireless from the Security Type drop-down menu. Step 3 Select the Allow Interface Trust checkbox to allow communication between faculty users. Step 4 Select checkboxes for all of the security services you would normally apply to faculty on the wired LAN.
Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step. Creating a New Wireless Subnet In this section you will create and configure a new wireless subnet on your current WLAN. This wireless subnet will be linked to the zone you created in the “Configuring a Zone” section on page 507. Step 1 In the Network > Interfaces page, click the Add WLAN Subnet button.
Creating the Wireless VAP In this section, you will create and configure a new Virtual Access Point and associate it with the wireless subnet you created in the “Creating a New Wireless Subnet” section on page 509. General Tab Step 1 In the left-hand menu, navigate to the Wireless > Virtual Access Point page. Step 2 Click the Add... button in the Virtual Access Points section. Step 3 Enter a default name (SSID) for the VAP. In this case we chose Campus_Faculty.
Deploying VAPs to the Wireless Radio In the following section you will group and deploy your new VAPs, associating them with the internal wireless radio. Users will not be able to access your VAPs until you complete this process: • Grouping Multiple VAPs, page 511 • Associating a VAP Group with your Wireless Radio, page 511 Grouping Multiple VAPs In this section, you will group multiple VAPs into a single group to be associated with your SonicPoint(s).
Part 7
Chapter 41: Managing SonicPoints SonicPoint > SonicPoints SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL security appliances to provide wireless access throughout your enterprise. The SonicPoint section of the Management Interface lets you manage the SonicPoints connected to your system.
Before Managing SonicPoints Before you can manage SonicPoints in the Management Interface, you must first: • Verify that the SonicPoint image is downloaded to your SonicWALL security appliance. See “Updating SonicPoint Firmware” on page 527. • Configure your SonicPoint Provisioning Profiles. • Configure a Wireless zone. • Assign profiles to wireless zones. This step is optional.
[Default profile values, identical in each of the table's three profile columns:]
ACL Enforcement: Disabled
Authentication Type: WEP - Both (Open System & Shared Key)
Schedule IDS Scan: Disabled
Data Rate: Best
Antenna Diversity: Best
Configuring a SonicPoint
– 802.11n Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPointNs to a VAP. This pulldown menu allows you to create a new VAP group. For more information on VAPs, see “SonicPoint > Virtual Access Point” on page 547. Step 3 In the 802.11n tab, configure the radio settings for the 802.11n radio: – Enable Radio: Check this to automatically enable the 802.
• 5 GHz 802.11a Only - Select this mode if only 802.11a clients access your wireless network. – SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that will appear in clients’ lists of available wireless connections. Note: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
Step 4 In the Wireless Security section of the 802.11n Radio tab, configure the following settings: – Authentication Type: Select the method of authentication for your wireless network. You can select WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK, and WPA2-AUTO-EAP. WEP Configuration – WEP Key Mode: Select the size of the encryption key.
– Schedule IDS Scan: Select a time when there are fewer demands on the wireless network to schedule an Intrusion Detection Service (IDS) scan, to minimize the inconvenience of dropped wireless connections. – Data Rate: Select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate. – Transmit Power: Select the transmission power.
Modifications to profiles will not affect units that have already been provisioned and are in an operational state. Configuration changes to operational SonicPoint devices can occur in two ways: • Via manual configuration changes – Appropriate when a single change, or a small set of changes, is to be effected, particularly when that individual SonicPoint requires settings that are different from the profile assigned to its zone.
– 802.11g Virtual AP Group and 802.11a Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPoints to a VAP. This pulldown menu allows you to create a new VAP group. For more information on VAPs, see “SonicPoint > Virtual Access Point” on page 547. Step 3 In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio: – Enable 802.11g Radio: Check this to automatically enable the 802.
– WEP Key Mode: Select the size of the encryption key. – Default Key: Select which key in the list below is the default key, which will be tried first when trying to authenticate a user. – Key Entry: Select whether the key is alphanumeric or hexadecimal. – Key 1 - Key 4: Enter the encryption keys for WEP encryption. Enter the key most likely to be used in the field you selected as the default key. Step 4 In the 802.11g Advanced tab, configure the performance settings for the 802.
The SonicPoint-N wireless security appliance employs three antennas. The Antenna Diversity is set to Best by default; this is the only setting available for this appliance. • 1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the SonicPoint, antenna 1 is on the left, closest to the power supply. • 2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the console port.
If the SonicPoint does locate, or is located by, a peer SonicOS device via the SonicWALL Discovery Protocol, an encrypted exchange between the two units will ensue wherein the profile assigned to the relevant Wireless zone will be used to automatically configure (provision) the newly added SonicPoint unit.
Edit SonicPoint Settings To edit the settings of an individual SonicPoint: Step 1 Under SonicPoint Settings, click the Edit icon in the same line as the SonicPoint you want to edit. Step 2 In the Edit SonicPoint screen, make the changes you want. See “Configuring a SonicPoint Profile” on page 517 for instructions on configuring these settings. Step 3 Click OK to apply these settings.
You can change the file name of the SonicPoint image, but you should keep the extension intact (ex: .bin.sig). Step 3 In the SonicOS user interface on your SonicWALL appliance, in the navigation pane, click System and then click Administration. Step 4 In the System > Administration screen, under Download URL, click the Manually specify SonicPoint image URL checkbox to enable it. Step 5 In the text box, type the URL for the SonicPoint image file on your local Web server.
SonicPoint Deployment Best Practices • Safemode – Safemode can be engaged by depressing the reset button, or from the SonicOS peer device. Placing a SonicPoint into Safemode returns its configuration to defaults, disables the radios, and disables SDP. The SonicPoint must then be rebooted to enter either a stand-alone, or some other functional state. • Non-Responsive – If a SonicOS device loses communications with a previously peered SonicPoint, it will report its state as non-responsive.
http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA1-9147ENUC.
Layer 2 and Layer 3 Considerations for SonicPoints SonicWALL uses two proprietary protocols (SDP and SSPP) and both *cannot* be routed across any layer 3 device. Any SonicPoint that will be deployed must have an Ethernet connection back to the provisioning SonicWALL UTM appliance, in the same broadcast domain/network. The SonicWALL UTM appliance must have an interface or sub-interface in the same VLAN/broadcast domain as the SonicPoint.
(microwaves, CAT Scan equipment, etc…) In areas where a lot of electrical equipment is placed, also take a look at the cabling being used. In areas with a lot of electrical equipment UTP should not be used; FTP or STP is required. • Survey three dimensionally; wireless signals cross over to different floors. • Determine where you can locate APs based on power and cabling.
• Intel PRO/Wireless 2200BG Network Connection • Intel PRO/Wireless 2915ABG Network Connection • Intel PRO/Wireless 3945ABG Network Connection These wireless cards are provided to OEM laptop manufacturers and are often rebranded under the manufacturer's name – for example, both Dell and IBM use the above wireless cards but the drivers are branded under their own name.
• Because of this, make sure each port can get 10 Watts guaranteed if possible, and set the PoE priority to critical or high. • One thing to be particularly careful to plan for is that not all PoE switches can provide the full 15.4 watts of power to each of its PoE ports – it might have 24 ports but it can’t actually have all ports with PoE devices attached without the addition of an external redundant power supply.
Troubleshooting Older SonicPoints If you have an older SonicPoint and it’s consistently port flapping, or doesn’t power up at all, or is stuck reboot cycling, or reports in the GUI as stuck in provisioning, check to see if you are running a current version of firmware, and that the SonicWALL UTM appliance has public internet access. You may need to RMA for a newer SonicPoint.
• Note that SonicPoints have a ‘Standalone Mode’ which they will transition to if they can’t find a SonicWALL UTM appliance. If you have more than one SonicPoint, you may have issues as all of the SonicPoints will revert to the same default IP address of 192.168.1.20/24.
Sample Cisco Catalyst switch configuration Any Cisco POE Switch: On the connecting interface/port, issue the command ‘Power inline static 10000’. 2900/3500-series: 1. On the connecting interface/port, issue the command ‘spanning-tree portfast’, which will greatly reduce the time STP is performed on the interface/port. 2. If you are using a 2950 or 3550 switch, issue the command ‘switchport mode access’ to disable trunking on the interface/port. 3.
• no lldp enable • mdix on • mdix auto • no port storm-control broadcast enable Sample D-Link switch configuration The D-Link PoE switches do not have a CLI, so you will need to use their web GUI. Note that D-Link recommends upgrading to Firmware Version 1.20.09 if you are using multicast in your environment.
Chapter 42: Viewing Station Status SonicPoint > Station Status The SonicPoint > Station Status page reports on the statistics of each SonicPoint. The table lists entries for each wireless client connected to each SonicPoint. The sections of the table are divided by SonicPoint. Under each SonicPoint is the list of all clients currently connected to it. Click the Refresh button in the top left corner to refresh the list. By default, the page displays the first 50 entries found.
Click on the Statistics icon to see a detailed report for an individual station. Each SonicPoint device reports for both radios, and for each station, the following information to its SonicOS peer: • MAC Address – The client’s (Station’s) hardware address. • Station State – The state of the station. States can include: – None – No state information yet exists for the station. – Authenticated – The station has successfully authenticated.
• Management Frames Received – Total number of Management frames received. Management Frames include: – Association request – Association response – Re-association request – Re-association response – Probe request – Probe response – Beacon frame – ATIM message – Disassociation – Authentication – De-authentication • Management Frames Transmitted – Total number of Management frames transmitted. • Control Frames Received – Total number of Control frames received.
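The Management/Control/Data counters above correspond to the type and subtype bits of the 802.11 Frame Control field. The following added example (not SonicOS or SonicPoint code) builds constructed frames, tallies them per station into the same categories the Station Status page lists, and, as an illustration of the Association Flood Detection service described in Chapter 39, flags a station that sends an abnormal number of association requests; the flood threshold is an assumption of this example, not a SonicOS setting.

```python
# Added example, not SonicOS or SonicPoint code. Parses minimal 802.11 headers
# into the Management/Control/Data categories used by the Station Status counters.
import struct
from collections import Counter, defaultdict

# Management subtypes, named as in the Station Status list above.
MGMT_SUBTYPES = {
    0x0: "Association request",    0x1: "Association response",
    0x2: "Re-association request", 0x3: "Re-association response",
    0x4: "Probe request",          0x5: "Probe response",
    0x8: "Beacon frame",           0x9: "ATIM message",
    0xA: "Disassociation",         0xB: "Authentication",
    0xC: "De-authentication",
}
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(ftype, subtype, sender, receiver=BROADCAST, bssid=None, seq=0):
    """Construct a minimal 24-byte 802.11 MAC header (no body, no FCS).
    For management and data frames: addr1 = receiver, addr2 = sender, addr3 = BSSID."""
    fc = (ftype << 2) | (subtype << 4)          # protocol version 0, no flag bits
    return (struct.pack("<H", fc) + struct.pack("<H", 0)   # Frame Control, Duration
            + mac_to_bytes(receiver) + mac_to_bytes(sender)
            + mac_to_bytes(bssid or receiver)
            + struct.pack("<H", seq << 4))                  # Sequence Control


def classify(frame):
    """Return (sending station MAC, counter name) for one frame."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype not in FRAME_TYPES:
        return None, "Reserved"
    # CTS and ACK control frames carry only a receiver address; anything
    # long enough to hold addr2 is attributed to that sender.
    sender = bytes_to_mac(frame[10:16]) if len(frame) >= 16 else None
    if ftype == 0:
        return sender, MGMT_SUBTYPES.get(subtype, f"Management subtype {subtype}")
    return sender, FRAME_TYPES[ftype]


def station_counters(frames):
    """Per-station tally of received frames, keyed like the Station Status counters."""
    tally = defaultdict(Counter)
    for frame in frames:
        station, name = classify(frame)
        if station is not None:
            tally[station][name] += 1
    return tally


def association_flood_suspects(tally, threshold=10):
    """Stations whose (re-)association requests exceed the threshold.
    The threshold is illustrative; SonicOS does not expose this as a setting."""
    return sorted(mac for mac, c in tally.items()
                  if c["Association request"] + c["Re-association request"] > threshold)


def demo():
    """Constructed traffic: one well-behaved client and one flooding client."""
    ap = "00:11:22:33:44:55"                 # constructed SonicPoint BSSID
    legit = "aa:bb:cc:00:00:01"              # normal join: auth, assoc, then data
    flooder = "aa:bb:cc:00:00:02"            # 25 association requests, nothing else
    frames = [build_frame(0, 0xB, legit, ap, seq=1),
              build_frame(0, 0x0, legit, ap, seq=2),
              build_frame(2, 0x0, legit, ap, seq=3)]
    frames += [build_frame(0, 0x0, flooder, ap, seq=i) for i in range(25)]
    tally = station_counters(frames)
    return {"ap": ap, "legit": legit, "flooder": flooder,
            "tally": tally, "suspects": association_flood_suspects(tally)}


if __name__ == "__main__":
    result = demo()
    for station, counts in result["tally"].items():
        print(station, dict(counts))
    print("association flood suspects:", result["suspects"])
```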
Chapter 43: Using and Configuring IDS SonicPoint > IDS You can have many wireless access points within reach of the signal of the SonicPoints on your network. The SonicPoint > IDS page reports on all access points the SonicWALL security appliance can find by scanning the 802.11a and 802.11g radio bands.
Intrusion Detection Settings Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue access points.
Discovered Access Points The Discovered Access Points table displays information on every access point that can be detected by the SonicPoint radio: • SonicPoint: The SonicPoint that detected the access point. • MAC Address (BSSID): The MAC address of the radio interface of the detected access point. • SSID: The radio SSID of the access point. • Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz. • Channel: The radio channel used by the access point.
Chapter 44: Configuring Virtual Access Points SonicPoint > Virtual Access Point This chapter describes the Virtual Access Point feature and includes the following sections: • “SonicPoint VAP Overview” section on page 547 • “Prerequisites” section on page 550 • “Deployment Restrictions” section on page 551 • “SonicPoint Virtual AP Configuration Task List” section on page 551 • “Thinking Critically About VAPs” section on page 562 • “VAP Sample Configurations” section on page 565 Sonic
What Is a Virtual Access Point? A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP.
What Is an SSID? A Service Set IDentifier (SSID) is the name assigned to a wireless network. Wireless clients must use this same, case-sensitive SSID to communicate to the SonicPoint. The SSID consists of a text string up to 32 bytes long. Multiple SonicPoints on a network can use the same SSIDs. You can configure up to 8 unique SSIDs on SonicPoints and assign different configuration settings to each SSID.
Benefits of Using Virtual APs This section includes a list of benefits in using the Virtual AP feature: • Radio Channel Conservation—Prevents building overlapped infrastructures by allowing a single Physical Access Point to be used for multiple purposes, avoiding the channel collision problem. Channel conservation matters because multiple providers are becoming the norm within public spaces such as airports.
Deployment Restrictions When configuring your VAP setup, be aware of the following deployment restrictions: • Maximum SonicPoint restrictions apply and differ based on your SonicWALL security appliance. Review these restrictions in the “Custom VLAN Settings” section on page 557. SonicPoint Virtual AP Configuration Task List A SonicPoint VAP deployment requires several steps to configure.
must use the same set of WEP keys. Up to 4 keys can be defined per SonicPoint, and WEP-enabled VAPs can use these 4 keys independently. WEP keys are configured on individual SonicPoints or on SonicPoint Profiles from the SonicPoint > SonicPoints page.
A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface. Network zones are configured from the Network > Zones page.
General
Name: Create a name for your custom zone.
Security Type: Select Wireless in order to enable and access wireless security options.
Allow Interface Trust: Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Guest Services.
Wireless
Only allow traffic generated by a SonicPoint: Restricts traffic on this zone to SonicPoint-generated traffic only.
SSL VPN Enforcement: Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL VPN, using, for example, NetExtender to tunnel all traffic.
Guest Services The Enable Guest Services option allows the following guest services to be applied to a zone:
Enable inter-guest communication: Allows guests connecting to SonicPoints in this Wireless zone to communicate directly and wirelessly with each other.
Pass Networks: Automatically allows traffic through the Wireless zone from the networks you select.
Max Guests: Specifies the maximum number of guest users allowed to connect to the Wireless zone. The default is 10.
VLAN Subinterfaces A Virtual Local Area Network (VLAN) allows you to split your physical network connections (X2, X3, etc...) into many virtual network connections, each carrying its own set of configurations.
DHCP Server Scope The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”. The default ranges for DHCP scopes are often excessive for the needs of most SonicPoint deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.
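Checking a set of planned scopes against the client counts each VAP zone must serve catches both failure modes the paragraph describes: a scope that will be exhausted, and one that is wastefully large. The following added example (not SonicOS code) does that for a constructed plan; the 20% headroom and the 3x "oversized" factor are planning assumptions of this example, and the address ranges are invented.

```python
# Added example, not SonicOS code. Validates planned DHCP scopes for wireless
# subnets / VAP zones: enough leases for expected clients, not grossly oversized,
# and no two scopes handing out the same addresses.
import ipaddress
import math

HEADROOM = 0.20        # assumption: keep 20% spare leases for churn and roaming
EXCESS_FACTOR = 3      # assumption: flag scopes larger than 3x the expected client count


def scope_size(start, end):
    """Number of leasable addresses in an inclusive start..end range."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if b < a:
        raise ValueError(f"scope end {end} precedes start {start}")
    return int(b) - int(a) + 1


def required_leases(expected_clients):
    """Smallest scope that still leaves the planning headroom."""
    return math.ceil(expected_clients * (1 + HEADROOM))


def check_scopes(scopes):
    """scopes: list of dicts with name, start, end, expected_clients.
    Returns (scope name, finding) tuples; an empty list means the plan is sane."""
    findings, ranges = [], []
    for s in scopes:
        size = scope_size(s["start"], s["end"])
        need = required_leases(s["expected_clients"])
        if size < need:
            findings.append((s["name"], f"too small: {size} leases, need {need}"))
        elif size > s["expected_clients"] * EXCESS_FACTOR:
            findings.append((s["name"],
                             f"oversized: {size} leases for {s['expected_clients']} clients"))
        ranges.append((s["name"], int(ipaddress.IPv4Address(s["start"])),
                       int(ipaddress.IPv4Address(s["end"]))))
    # Two scopes covering the same addresses would lease one address to two clients.
    for i, (n1, a1, b1) in enumerate(ranges):
        for n2, a2, b2 in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                findings.append((n1, f"overlaps with {n2}"))
    return findings


# Constructed plan using the chapter's own figures: a 200-address scope for
# 30 clients, and a 25-address scope facing 100 clients.
SAMPLE_PLAN = [
    {"name": "Faculty", "start": "10.10.50.10", "end": "10.10.50.209", "expected_clients": 30},
    {"name": "Guest",   "start": "10.10.60.10", "end": "10.10.60.34",  "expected_clients": 100},
    {"name": "Campus",  "start": "10.10.60.20", "end": "10.10.60.139", "expected_clients": 100},
]

if __name__ == "__main__":
    for name, finding in check_scopes(SAMPLE_PLAN):
        print(f"{name}: {finding}")
```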
Virtual Access Point Profile Settings The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:
Name: Choose a friendly name for this VAP Profile. Choose something descriptive and easy to remember, as you will later apply this profile to new VAPs.
Type: Set to SonicPoint by default.
WPA-PSK / WPA2-PSK Encryption Settings Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.
Pass Phrase: The shared passphrase users will enter when connecting with PSK-based authentication.
Group Key Interval: The time period for which a Group Key is valid. The default value is 86400 seconds. Setting too low a value can cause connection issues.
Virtual Access Points The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Virtual Access Points are configured from the SonicPoint > Virtual Access Point page.
General VAP Settings
SSID: Create a friendly name for your VAP.
VLAN ID: When using platforms that support VLAN, you may optionally select a VLAN ID to associate this VAP with.
SonicPoint > Virtual Access Point Virtual Access Point Groups The Virtual Access Point Groups feature is available on SonicWALL NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s). Virtual Access Point Groups are configured from the SonicPoint > Virtual Access Point page.
SonicPoint > Virtual Access Point A Sample Network The following is a sample VAP network configuration, describing four separate VAPs: • VAP #1, Corporate Wireless Users – A set of users who are commonly in the office, and to whom should be given full access to all network resources, providing that the connection is authenticated and secure.
Questions / Examples / Solutions
How many users will each VAP need to support?
• Example: A corporate campus has 100 employees, all of whom have wireless capabilities. Solution: The DHCP scope for the visitor zone is set to provide at least 100 addresses.
• Example: A corporate campus often has a few dozen wireless capable visitors. Solution: The DHCP scope for the visitor zone is set to provide at least 25 addresses.
Your Configurations:
How do I want to secure different
A corporate user who has access to wirele
VAP Sample Configurations
This section provides configuration examples based on real-world wireless needs.

General Settings Tab
Step 1 In the General tab, enter a friendly name such as “VAP-Guest” in the Name field.
Step 2 Select Wireless from the Security Type drop-down menu.
Step 3 De-select the Allow Interface Trust checkbox to disallow communication between wireless guests.

Wireless Settings Tab
Step 1 In the Wireless tab, check the Only allow traffic generated by a SonicPoint checkbox.
Step 2 Uncheck all other options in this tab.

Guest Services Tab
Step 1 In the Guest Services tab, check the Enable Guest Services checkbox.
Note In the following example, steps 2 through 7 are optional; they only represent a typical guest VAP configuration using guest services. Steps 2 and 7, however, are recommended.
Step 2 Check the Enable Dynamic Address Translation (DAT) checkbox to allow guest users full communication with addresses outside the local network.

Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface. This is your next step.

Creating a Wireless LAN (WLAN) Interface
In this section you will configure one of your ports to act as a WLAN. If you already have a WLAN configured, skip to the “Creating a Wireless LAN (WLAN) Interface” section on page 568.

Creating a VLAN Subinterface on the WLAN
In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the “Configuring a Zone” section on page 565.
Step 1 In the Network > Interfaces page, click the Add Interface button.
Step 2 In the Zone drop-down menu, select the zone you created in “Configuring a Zone, page 565”. In this case, we have chosen VAP-Guest.

Note If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWALL. For more information on DHCP lease exhaustion, refer to the “DHCP Server Scope” section on page 558.
Step 3 Edit the Range Start and Range End fields to meet your deployment needs.
Step 4 Click the OK button to save these changes.

Creating the SonicPoint VAP
In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in the “Creating a VLAN Subinterface on the WLAN” section on page 569.
Step 1 In the left-hand menu, navigate to the SonicPoint > Virtual Access Point page.
Step 2 Click the Add... button in the Virtual Access Points section.
Step 3 Enter a default name (SSID) for the VAP.

Configuring a VAP for Corporate LAN Access
You can use a Corporate LAN VAP for a set of users who are commonly in the office, and who should be given full access to all network resources, provided that the connection is authenticated and secure. These users would already belong to the network’s Directory Service, Microsoft Active Directory, which provides an EAP interface through IAS – Internet Authentication Services.

Wireless Settings Tab
Step 1 In the Wireless tab, check the Only allow traffic generated by a SonicPoint checkbox.
Step 2 Select the checkbox for WiFiSec Enforcement to enable WiFiSec security on this connection.
Step 3 Select Trust WPA/WPA2 traffic as WiFiSec to allow WPA/WPA2 users access to this connection.
Step 4 Select a provisioning profile from the SonicPoint Provisioning Profile drop-down menu (if applicable).

Creating a VLAN Subinterface on the WLAN
In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the “Configuring a Zone” section on page 572.
Step 1 In the Network > Interfaces page, click the Add Interface button.
Step 2 In the Zone drop-down menu, select the zone you created in “Configuring a Zone, page 572”. In this case, we have chosen VAP-Corporate.

Note If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWALL. For more information on DHCP lease exhaustion, refer to the “DHCP Server Scope” section on page 558.
Step 3 Edit the Range Start and Range End fields to meet your deployment needs.
Step 4 Click the OK button to save these changes.

Creating the SonicPoint VAP
In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in the “Creating a VLAN Subinterface on the WLAN” section on page 574.
General Tab
Step 1 In the left-hand menu, navigate to the SonicPoint > Virtual Access Point page.
Step 2 Click the Add... button in the Virtual Access Points section.
Step 3 Enter a default name (SSID) for the VAP.

Tip Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously to all of your SonicPoints by following the steps in the “Deploying VAPs to a SonicPoint” section on page 577.

Deploying VAPs to a SonicPoint
In the following section you will group and deploy your new VAPs, associating them with one or more SonicPoint Radios.

Creating a SonicPoint Provisioning Profile
In this section, you will associate the group you created in the “Grouping Multiple VAPs” section on page 577 with a SonicPoint by creating a provisioning profile. This profile will allow you to provision settings from a group of VAPs to all of your SonicPoints.
Step 1 In the left-hand menu, navigate to the SonicPoint > SonicPoints page.
Step 2 Click the Add button in the SonicPoint Provisioning Profiles section.

Associating a VAP Group with your SonicPoint
If you did not create a SonicPoint Provisioning Profile, you can provision your SonicPoint(s) manually. You may want to use this method if you have only one SonicPoint to provision. This section is not necessary if you have created and provisioned your SonicPoints using a SonicPoint Profile.
Step 1 In the left-hand menu, navigate to the SonicPoint > SonicPoints page.
Chapter 45: Configuring RF Management
SonicPoint > RF Management
This chapter describes how to plan, design, implement, and maintain the RF Management feature in SonicWALL SonicOS Enhanced.

RF Management Overview
The following section provides a brief overview of the RF Management feature found on SonicWALL security appliances running SonicOS Enhanced 5.0 or higher. This section contains the following subsections:
• “Why RF Management?” section on page 582
• “Benefits” section on page 582

Why RF Management?
Radio Frequency (RF) technology used in today’s 802.11-based wireless networking devices poses an attractive target for intruders.

Enabling RF Management on SonicPoint(s)
In order for RF Management to be enforced, you must enable the RF Management option on all available SonicPoint devices. The following section provides instructions to re-provision all available SonicPoints with RF Management enabled.
Step 1 Navigate to SonicPoint > SonicPoints in the SonicWALL security appliance management interface.
Step 2 Click the Configure button corresponding to the desired SonicPoint Provisioning Profile.

Using The RF Management Interface
The RF Management interface (SonicPoint > RF Management) provides a central location for selecting RF signature types, viewing discovered RF threat stations, and adding discovered threat stations to a watch list.

Selecting RF Signature Types
The RF Management interface allows you to select which types of RF threats your SonicWALL monitors and logs.
Step 1 Navigate to SonicPoint > RF Management in the SonicWALL security appliance management interface. RF threat types are displayed, with a checkbox next to each.
Step 2 Click the checkbox next to the RF threat to enable/disable management of that threat. By default, all RF threats are checked as managed.

Tip Did you know? It is possible to find approximate locations of RF Threat devices by using logged threat statistics. For more practical tips and information on using the RF Management threat statistics, see the “Practical RF Management Field Applications” section on page 587.

Adding a Threat Station to the Watch List
The RF Management Discovered Threat Stations “Watch List” feature allows you to create a watch list of threats to your wireless network.

• Null Probe Response - When a wireless client sends out a probe request, the attacker sends back a response with a Null SSID. This response causes many popular wireless cards and devices to stop responding.
• Broadcasting De-Authentication - This DoS variation sends a flood of spoofed deauthentication frames to wireless clients, forcing them to constantly de-authenticate and subsequently re-authenticate with an access point.

Before Reading this Section
When using RF data to locate threats, keep in mind that wireless signals are affected by many factors. Before continuing, take note of the following:
• Signal strength is not always a good indicator of distance - Obstructions such as walls, wireless interference, device power output, and even ambient humidity and temperature can affect the signal strength of a wireless device.

Using RSSI to Determine RF Threat Proximity
This section builds on what was learned in the “Using Sensor ID to Determine RF Threat Location” section on page 588. In the Discovered RF Threat Stations list, the Rssi field indicates the signal strength at which a particular SonicPoint is detecting an RF threat. The Rssi field allows you to easily determine the proximity of an RF threat to the SonicPoint that is detecting that threat.
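The following is an added example, not part of the SonicOS guide, that applies the two preceding ideas to a constructed copy of the Discovered RF Threat Stations list: for each threat station it picks the SonicPoint (sensor) that hears it at the highest Rssi, and flags the result as ambiguous when a second sensor is nearly as strong, since the caveat above means a small Rssi difference says little about distance. The row layout, the MAC addresses, the sensor names and the assumption that a larger Rssi value means a stronger signal are all assumptions of the example.

```python
"""Added example (not SonicOS code): locate an RF threat by the sensor that hears
it most strongly, with an ambiguity flag for near-ties in Rssi."""
from collections import defaultdict

# Constructed rows shaped like the Discovered RF Threat Stations list:
# (threat station MAC, detecting SonicPoint sensor ID, Rssi). Not real data.
# Assumption: a larger Rssi value means a stronger received signal.
SAMPLE_THREATS = [
    ("00:11:22:33:44:55", "SonicPoint-1", 70),
    ("00:11:22:33:44:55", "SonicPoint-2", 45),
    ("00:11:22:33:44:55", "SonicPoint-3", 20),
    ("66:77:88:99:aa:bb", "SonicPoint-2", 52),
    ("66:77:88:99:aa:bb", "SonicPoint-3", 50),
]

# Rssi difference below which two sensors are treated as a tie; walls,
# transmit power and interference can easily account for this much spread.
CLOSE_CALL_MARGIN = 5


def nearest_sensor(rows, margin=CLOSE_CALL_MARGIN):
    """Map each threat MAC to (best sensor, best Rssi, ambiguous).

    `ambiguous` is True when another sensor reports an Rssi within `margin`
    of the best one, meaning the threat is roughly between those sensors
    rather than clearly nearest to one of them."""
    by_threat = defaultdict(list)
    for mac, sensor, rssi in rows:
        by_threat[mac].append((rssi, sensor))

    result = {}
    for mac, readings in by_threat.items():
        readings.sort(reverse=True)            # strongest reading first
        best_rssi, best_sensor = readings[0]
        ambiguous = len(readings) > 1 and (best_rssi - readings[1][0]) < margin
        result[mac] = (best_sensor, best_rssi, ambiguous)
    return result


if __name__ == "__main__":
    for mac, (sensor, rssi, ambiguous) in nearest_sensor(SAMPLE_THREATS).items():
        note = " (near-tie, check neighbouring sensors)" if ambiguous else ""
        print(f"{mac}: nearest {sensor} at Rssi {rssi}{note}")
```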
Chapter 46: Using RF Analysis
SonicPoint > RF Analysis
This chapter describes how to use the RF Analysis feature in SonicWALL SonicOS Enhanced to help make the best use of the wireless bandwidth with SonicPoint and SonicPoint-N appliances.

The RF Environment
IEEE 802.11 specifies that devices use the ISM 2.4 GHz and 5 GHz bands, with most of the currently deployed wireless devices using the 2.4 GHz band. Because each channel occupies 20 MHz of spectrum, only three channels out of the 11 available do not overlap. In the United States, channels 1, 6, and 11 are non-overlapping. In most cases, these are the three channels used when deploying a large number of SonicPoints.

Channel Utilization Graphs and Information
To show how each channel is utilized across all connected SonicPoints, RF Analysis displays a channel utilization graph.
Figure 46:2 RFA Channel Utilization
There are two color bars for each channel. The number on the top of each color bar indicates the number of SonicPoints that detect the particular issue in that channel.

Making Sense of the RF Score
RF Score is a calculated number on a scale of 1-10 which is used to represent the overall condition for a channel. The higher the score, the better the RF environment is. Low scores indicate that attention is needed by the administrator. The SonicWALL wireless driver reports signal strength as RSSI; this number is used in the equation below to get a raw score on a scale of 1 to 100.

RFA Highly Interfered Channels
Not only do APs working in the same channel create interference; APs working in adjacent channels (channel numbers less than 5 apart) also interfere with each other. RFA gives a warning when it detects that, around a certain SonicPoint, there are more than five active APs in channels that are less than five apart. No matter how strong their signal strength is, RFA marks the channel as highly interfered.
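As an added example that is not part of the SonicOS guide, the following code models the two rules stated above (the non-overlapping channel set 1, 6, 11 and the "more than five active APs in channels less than five apart" warning) on a constructed list of channels heard by one SonicPoint. It interprets the warning rule as counting, for each candidate channel, the neighbouring APs whose channel number differs from it by fewer than five; that reading, the sample data and the helper names are assumptions of the example, not SonicWALL's implementation.

```python
"""Added example (not SonicOS code): apply the RF Analysis adjacent-channel and
"highly interfered" rules from the text to a constructed neighbour survey."""

# The 11 US 2.4 GHz channels mentioned in the text.
CHANNELS_24GHZ = range(1, 12)

# Per the text, APs whose channel numbers are fewer than five apart interfere.
ADJACENT_SPAN = 5

# Per the text, more than five such APs around a SonicPoint marks the channel
# as highly interfered, regardless of their signal strength.
HIGH_INTERFERENCE_AP_COUNT = 5

# Per the text, the non-overlapping channels in the United States.
NON_OVERLAPPING_US = (1, 6, 11)


def channels_interfere(a: int, b: int) -> bool:
    """True when two channels interfere: the same channel or fewer than five apart."""
    return abs(a - b) < ADJACENT_SPAN


def interfering_ap_count(channel: int, neighbour_channels) -> int:
    """Count the neighbouring APs whose channel interferes with `channel`."""
    return sum(1 for c in neighbour_channels if channels_interfere(channel, c))


def highly_interfered_channels(neighbour_channels):
    """Return the set of channels RFA would flag as highly interfered around one
    SonicPoint, given the channels of the APs that SonicPoint can hear."""
    return {
        ch for ch in CHANNELS_24GHZ
        if interfering_ap_count(ch, neighbour_channels) > HIGH_INTERFERENCE_AP_COUNT
    }


def least_interfered_channel(neighbour_channels, candidates=NON_OVERLAPPING_US):
    """Pick the candidate channel (default: the non-overlapping 1, 6, 11) with the
    fewest interfering APs; ties go to the lowest channel number."""
    return min(candidates, key=lambda ch: (interfering_ap_count(ch, neighbour_channels), ch))


# Constructed sample: channels of the APs heard by one SonicPoint (not survey data).
SAMPLE_NEIGHBOURS = [1, 1, 2, 3, 4, 5, 6, 6, 11, 11, 11]

if __name__ == "__main__":
    flagged = sorted(highly_interfered_channels(SAMPLE_NEIGHBOURS))
    print("highly interfered channels:", flagged)
    print("least interfered of 1/6/11:", least_interfered_channel(SAMPLE_NEIGHBOURS))
```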
Chapter 47: SonicPoint FairNet
SonicPoint > FairNet
This chapter describes how to plan, design, and implement SonicPoint FairNet policies in SonicWALL SonicOS Enhanced to configure bandwidth limits for WLAN clients. This chapter contains the following sections:
• “SonicPoint FairNet Overview” section on page 597
• “Configuring SonicPoint FairNet Bandwidth Limit Policies” section on page 598

SonicPoint FairNet Overview
IEEE 802.

Configuring SonicPoint FairNet Bandwidth Limit Policies
To configure SonicPoint FairNet, perform the following tasks:
1. Navigate to the SonicPoint > FairNet page.
2. Select the Enable FairNet checkbox.
3. Click Accept at the top of the page.
4. Click the Add button to add a SonicPoint FairNet policy for an IP address or range of addresses. The Add FairNet Policy window displays.
5. By default the Enable Policy option is checked.

8. In the Min Rate(kbps) field, enter the minimum bandwidth that clients will be guaranteed.
9. In the Max Rate(kbps) field, enter the maximum bandwidth that clients will be allowed.
10. In the Interface pulldown menu, select the WLAN interface that corresponds to the IP address range you configured.
11. Click OK.
Part 8
Chapter 48: Configuring Access Rules
Firewall > Access Rules
This chapter provides an overview of your SonicWALL security appliance’s stateful packet inspection default access rules and configuration examples to customize your access rules to meet your business requirements. Access rules are network management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.

Stateful Packet Inspection Default Access Rules Overview
By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet.

Using Bandwidth Management with Access Rules Overview
Bandwidth management (BWM) allows you to assign guaranteed and maximum bandwidth to services and prioritize traffic on all BWM-enabled interfaces. Using access rules, BWM can be applied to specific network traffic. Packets belonging to a bandwidth management enabled policy will be queued in the corresponding priority queue before being sent on the bandwidth management-enabled interface.

Tip You must configure Bandwidth Management individually for each interface on the Network > Interfaces page. Click the Configure icon for the interface, and select the Advanced tab. Enter your available egress and ingress bandwidths in the Available interface Egress Bandwidth (Kbps) and Available interface Ingress Bandwidth (Kbps) fields, respectively. This applies when the Bandwidth Management Type on the Firewall Services > BWM page is set to either WAN or Global.

Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.

Configuring Access Rules for a Zone
To display the Access Rules for a specific zone, select a zone from the Matrix, Drop-down Boxes, or All Rules view. The access rules are sorted from the most specific at the top, to less specific at the bottom of the table. At the bottom of the table is the Any rule.

Tip If the Delete or Edit icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.

Adding Access Rules
To add access rules to the SonicWALL security appliance, perform the following steps:
Step 1 Click Add at the bottom of the Access Rules table. The Add Rule window is displayed.
Step 2 In the General tab, select Allow | Deny | Discard from the Action list to permit or block IP traffic.

Step 8 From the Users Allowed menu, add the user or user group affected by the access rule.
Step 9 Select a schedule from the Schedule menu. The default schedule is Always on.
Step 10 Enter any comments to help identify the access rule in the Comments field.
Step 11 The Allow Fragmented Packets check box is enabled by default. Large IP packets are often divided into fragments before they are routed over the Internet and then reassembled at a destination host.

Step 16 Select Create a reflexive rule if you want to create a matching access rule to this one in the opposite direction, from your destination zone or address object to your source zone or address object.
Step 17 Click on the QoS tab if you want to apply DSCP or 802.1p Quality of Service management to traffic governed by this rule. See “802.1p and DSCP QoS” on page 754 for more information on managing QoS marking in access rules.

• 27 - Class 3, Silver (AF32)
• 30 - Class 3, Bronze (AF33)
• 32 - Class 4
• 34 - Class 4, Gold (AF41)
• 36 - Class 4, Silver (AF42)
• 38 - Class 4, Bronze (AF43)
• 40 - Express Forwarding
• 46 - Expedited Forwarding (EF)
• 48 - Control
• 56 - Control
– Map: The QoS mapping settings on the Firewall > QoS Mapping page will be used. See “802.1p and DSCP QoS” on page 754 for instructions on configuring the QoS Mapping. If you select Map, you can select Allow 802.

Editing an Access Rule
To display the Edit Rule window (includes the same settings as the Add Rule window), click the Edit icon.

Deleting an Access Rule
To delete an individual access rule, click its Delete icon. To delete several access rules at once, select the checkbox of each rule and click the Delete button.

Enabling and Disabling an Access Rule
To enable or disable an access rule, click the Enable checkbox.

Note The maximum number of connections a SonicWALL security appliance can support depends on the specific configuration, including whether App Flow is enabled and if an external collector is configured, as well as the physical capabilities of the particular model of SonicWALL security appliance. For more information see the “Connections” section on page 714. Finally, connection limiting can be used to protect publicly available servers (e.g.

Access Rule Configuration Examples
This section provides configuration examples on adding network access rules:
• “Enabling Ping” on page 614
• “Blocking LAN Access for Specific Services” on page 614
• “Allowing WAN Primary IP Access from the LAN Zone” on page 615
• “Enabling Bandwidth Management on an Access Rule” on page 616

Enabling Ping
This section provides a configuration example for an access rule to allow devices on the DMZ to send ping requests and receive ping resp

Allowing WAN Primary IP Access from the LAN Zone
By creating an access rule, it is possible to allow access to a management IP address in one zone from a different zone on the same SonicWALL appliance. For example, you can allow HTTP/HTTPS management or ping to the WAN IP address from the LAN side. To do this, you must create an access rule to allow the relevant service between the zones, giving one or more explicit management IP addresses as the destination.

Enabling Bandwidth Management on an Access Rule
Bandwidth management can be applied to both ingress and egress traffic using access rules. Access rules displaying the Funnel icon are configured for bandwidth management.
Tip Do not configure bandwidth management on multiple interfaces on a zone where the configured guaranteed bandwidth for the zone is greater than the available bandwidth for the bound interface.
CHAPTER 49 Chapter 49: Configuring Application Control Application Control This chapter describes how to configure and manage the Application Control feature in SonicOS.
Application Control What is Application Control? Application Control provides a solution for setting policy rules for application signatures. Application Control policies include global App Control policies, and App Rules policies that are more targeted. Beginning in SonicOS 5.8.1, you can also create certain types of App Control policies on the fly directly from the Dashboard > App Flow Monitor page.
Application Control external network access based on various criteria. You can use Packet Monitor to take a deeper look at application traffic, and can select among various bandwidth management settings to reduce network bandwidth usage by an application. Based on SonicWALL’s Reassembly Free Deep Packet Inspection technology, Application Control also features intelligent prevention functionality which allows you to create custom, policy-based actions.
Application Control • Administrators can use the Create Rule button to quickly apply bandwidth management or packet monitoring to an application that they notice while viewing the App Flow Monitor page, or can completely block the application. • Administrators can configure policy settings for individual signatures without influencing other signatures of the same application.
Application Control • “App Rules Policy Creation” on page 630 • “Match Objects” on page 634 • “Application List Objects” on page 640 • “Action Objects” on page 642 • “Email Address Objects” on page 646 Actions Using Bandwidth Management Application layer bandwidth management (BWM) allows you to create policies that regulate bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth.
Application Control bandwidth management provide a link to the Firewall Settings > BWM page so that you can easily configure global bandwidth management settings for the type and the guaranteed and maximum percentages allowed for each priority level. Figure 49:5 Firewall Settings > BWM Page It is a best practice to configure Global Bandwidth Management settings before configuring App Control policies that use BWM.
Application Control your custom BWM action after a change from Type WAN to Global or back again. The values you set for Guaranteed Bandwidth and Maximum Bandwidth are converted in the action object to the guaranteed and maximum values set in the Global Priority Queue table for the selected priority level. When the Type changes back to WAN, the guaranteed and maximum settings are returned to their custom settings in the action object.
Application Control Figure 49:8 Bandwidth Management Type Global on Firewall Settings > BWM Figure 49:9 shows the Bandwidth Priority selections in the Add/Edit Action Objects screen when the global Bandwidth Management Type is set to Global on the Firewall Settings > BWM page. Figure 49:9 Add/Edit Action Objects Page with BWM Type Global Note 624 All priorities will be displayed (Realtime - Lowest) regardless if all have been configured.
Application Control When the Bandwidth Management Type is set to WAN as in Figure 49:10, the Add/Edit Action Object screen provides Per Action or Per Policy Bandwidth Aggregation Method options and you can specify values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority.
Application Control • Using the Per Action aggregation method, the downloads of executable files and traffic from P2P applications combined cannot exceed 500 Kbit/sec. • Using the Per Policy bandwidth aggregation method, a bandwidth of 500 Kbit/sec is allowed for executable file downloads while concurrent P2P traffic is also allowed a bandwidth of 500 Kbit/sec. The predefined BWM High, BWM Medium, and BWM Low actions are all Per Action. In releases previous to SonicOS 5.
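As an added example that is not SonicWALL code, the following models the difference between the Per Action and Per Policy aggregation methods on the 500 Kbit/sec executable-download and P2P scenario described above. The flow records, the policy and action names, and the proportional sharing of a cap among competing flows are assumptions of the example, not the appliance's scheduler.

```python
"""Added example (not SonicOS code): contrast Per Action and Per Policy
bandwidth aggregation for App Rules policies that share one BWM action."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    policy: str        # App Rules policy that matched this traffic
    action: str        # BWM action object referenced by that policy
    demand_kbps: int   # rate the flow would use if unconstrained


def admitted_rates(flows, max_kbps_by_action, method):
    """Return {flow: admitted kbps} for one aggregation method.

    Per Action: every flow referencing the same action object shares that
    action's Maximum Bandwidth, whichever policy matched it.
    Per Policy: each policy gets the action's maximum for itself, so two
    policies using the same action can each use the full amount at once.
    When demand exceeds a cap, the cap is split in proportion to demand
    (an assumption of this example, not the appliance's queueing)."""
    if method not in ("Per Action", "Per Policy"):
        raise ValueError(f"unknown aggregation method: {method}")

    # Group flows by the key the cap applies to.
    groups = {}
    for flow in flows:
        key = flow.action if method == "Per Action" else (flow.policy, flow.action)
        groups.setdefault(key, []).append(flow)

    rates = {}
    for key, members in groups.items():
        action = key if method == "Per Action" else key[1]
        cap = max_kbps_by_action[action]
        demand = sum(f.demand_kbps for f in members)
        for f in members:
            rates[f] = f.demand_kbps if demand <= cap else f.demand_kbps * cap // demand
    return rates


def total_admitted(rates):
    """Aggregate admitted bandwidth across all flows, in kbps."""
    return sum(rates.values())


# Constructed scenario: two policies reference the same 500 Kbit/sec action.
ACTION_MAX_KBPS = {"BWM Low": 500}
SAMPLE_FLOWS = [
    Flow(policy="Block-Large-EXE-Downloads", action="BWM Low", demand_kbps=400),
    Flow(policy="Limit-P2P", action="BWM Low", demand_kbps=400),
]

if __name__ == "__main__":
    for method in ("Per Action", "Per Policy"):
        rates = admitted_rates(SAMPLE_FLOWS, ACTION_MAX_KBPS, method)
        print(f"{method}: {total_admitted(rates)} kbps total",
              {f.policy: r for f, r in rates.items()})
```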
Application Control Figure 49:12 Packet Monitor - Monitor Filter Tab To set up mirroring, go to the Mirror tab and pick an interface to which to send the mirrored traffic in the Mirror filtered packets to Interface (NSA platforms only) field under Local Mirroring Settings. You can also configure one of the Remote settings. This allows you to mirror the application packets to another computer and store everything on the hard disk.
Application Control Figure 49:13 shows the Create Rule window displayed over the Dashboard > App Flow Monitor page. Figure 49:13 Dashboard > App Flow Monitor Page with Create Rule Window The Create Rule feature is available from App Flow Monitor on the list view page setting. The Create Rule button is visible, but disabled, on the pie chart and graphical monitoring views.
Application Control BWM page, see the “Actions Using Bandwidth Management” section on page 621. The Bandwidth Manage options you see in the Create Rule window reflect the options that are enabled in the Global Priority Queue.
Application Control App Rules Policy Creation You can use Application Control to create custom App Rules policies to control specific aspects of traffic on your network. A policy is a set of match objects, properties, and specific prevention actions.When you create a policy, you first create a match object, then select and optionally customize an action, then reference these when you create the policy.
Application Control The following table describes the characteristics of the available App Rules policy types.
Application Control Valid Source Service / Description Default Valid Destination Service / Valid Match Valid Action Default Object Type Type An attempt to download a file over FTP (RETR command) FTP Control Filename, / FTP file Control extension Reset/Drop, Client Side Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * FTP Data Data Any / Transfer transferred Any Policy over the FTP Data channel Any / Any Reset/Drop, Bypass DPI, Packet Monitor, No Action HTTP Client Policy which Any /
Application Control Valid Source Service / Description Default Valid Destination Service / Valid Match Valid Action Default Object Type Type IPS Content Policy using dynamic Intrusion Prevention related objects for any application layer protocol N/A IPS Signature Category List, IPS Signature List Reset/Drop, N/A Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM * POP3 Client Policy to Any / inspect Any traffic generated by a POP3 client; typically useful for a POP3 server admin POP3 (Re
Application Control Match Objects Match objects represent the set of conditions which must be matched in order for actions to take place. This includes the object type, the match type (exact, partial, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match. Match objects were referred to as application objects in previous releases.
Application Control Match Types Negative Matching Object Type Description Extra Properties CFS Category List Allows selection of N/A one or more Content Filtering categories No A list of 64 categories is provided to choose from Custom Object Allows specification of an IPS-style custom set of conditions.
Application Control 636 Description File Content Allows specification Partial of a pattern to match in the content of a file. The pattern will be matched even if the file is compressed. No ‘Disable attachment’ action should never be applied to this object. Filename In cases of email, Exact, Partial, this is an Prefix, Suffix attachment name. In cases of HTTP, this is a filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename of an uploaded or downloaded file.
Application Control Negative Matching Extra Properties Content found Exact, Partial, inside of the HTTP Prefix, Suffix Host header. Represents hostname of the destination server in the HTTP request, such as www.google.com. Yes None HTTP Referrer Header Allows specification Exact, Partial, of content of a Prefix, Suffix Referrer header sent by a browser – this can be useful to control or keep stats of which Web sites redirected a user to customer’s Web site.
Application Control Object Type Description Match Types Negative Matching Extra Properties IPS Signature Category List Allows selection of one or more IPS signature groups. Each group contains multiple pre-defined IPS signatures. N/A No None IPS Signature List Allows selection of N/A one or more specific IPS signatures for enhanced granularity. No None You can see the available types of match objects in a drop-down list in the Match Object Settings screen.
Application Control You can use the Load From File button to import content from predefined text files that contain multiple entries for a match object to match. Each entry in the file must be on its own line. The Load From File feature allows you to easily move Application Control settings from one SonicWALL security appliance to another. Multiple entries, either from a text file or entered manually, are displayed in the List area.
Application Control Application List Objects The Firewall > Match Objects page also contains the Add Application List Object button, which opens the Create Match Object screen. This screen provides two tabs: • Application – You can create an application filter object on this tab. This screen allows selection of the application category, threat level, type of technology, and attributes. After selections are made, the list of applications matching those criteria is displayed.
Application Control As you select the applications for your filter, they appear in the Application Group field on the right. You can edit the list in this field by deleting individual items or by clicking the eraser to delete all items. The image below shows several applications in the Application Group field. The selected applications are also marked with a green checkmark icon in the application list on the left side.
Application Control Category Filters The Category tab provides a list of application categories for selection. You can select any combination of categories and then save your selections as a category filter object with a custom name. The image below shows the screen with the description of the IM category displayed. You can hover your mouse pointer over each category in the list to see a description of it.
levels of BWM are available. If the Bandwidth Management Type is set to WAN, the predefined actions list includes three levels of WAN BWM. For more information about BWM actions, see the “Actions Using Bandwidth Management” section on page 621. The following table shows predefined default actions that are available when adding a policy.

The following table describes the available action types.

Action Type (Predefined or Custom) – Description

BWM Global-Realtime – Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of total available bandwidth, sets a priority of zero.

Bypass DPI (Predefined) – Bypasses the Deep Packet Inspection components IPS, GAV, Anti-Spyware and Application Control. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels, which are never bypassed for Application Control inspection. This action supports proper handling of the FTP data channel.

HTTP Redirect (Custom) – Provides HTTP Redirect functionality. For example, if someone would like to redirect people to the Google Web site, the customizable part will look like: http://www.google.com. If an HTTP Redirect is sent from Application Control to a browser that has a form open, the information in the form will be lost.

In the screenshot below, the settings exclude the support group from a policy that prevents executable files from being attached to outgoing email. You can use the email address object in either the MAIL FROM or RCPT TO fields of the SMTP client policy. The MAIL FROM field refers to the sender of the email. The RCPT TO field refers to the intended recipient.

Note Upon registration on MySonicWALL, or when you load SonicOS 5.8 onto a registered SonicWALL device, supported SonicWALL appliances begin an automatic 30-day trial license for App Visualization and App Control, and application signatures are downloaded to the appliance. A free 30-day trial is also available for the other security services in the bundle, but it is not automatically enabled as it is for App Visualization and App Control.

To begin using App Control, you must enable it on the Firewall > App Control Advanced page. See the screenshot below. To create policies using App Rules (included with the App Control license), select Enable App Rules on the Firewall > App Rules page. See the screenshot below.
Firewall > App Control Advanced

Note If you disable Visualization in the SonicOS management interface, application signature updates are discontinued until the feature is enabled again.

When High Availability is configured between two SonicWALL appliances, the appliances can share the Security Services license. To use this feature, you must register the SonicWALL appliances on MySonicWALL as Associated Products. Both appliances must be the same SonicWALL model.

App Control is a licensed service, and you must also enable it to activate the functionality. To enable App Control and configure the global settings:

Step 1 To globally enable App Control, select the Enable App Control checkbox.
Step 2 To enable App Control on a network zone, navigate to the Network > Zones page, and click the Configure icon for the desired zone.
Step 3 Select the Enable App Control Service checkbox, then click OK.

The Network > Zones page displays a green indicator in the App Control column for any zones that have the App Control service enabled.

Step 4 You can configure a global exclusion list for App Control policies on the Firewall > App Control Advanced page. To configure the exclusion list, click the Configure App Control Settings button. The App Control Exclusion List window opens.

Step 6 To use an address object for the exclusion list, select the Use Application Control Exclusion Address Object radio button, and then select an address object from the drop-down list.
Step 7 Click OK.
Step 8 To reset App Control settings and policy configuration to the factory default values, click the Reset App Control Settings & Policies button on the Firewall > App Control Advanced page, and then click OK in the confirmation dialog box.

Step 2 Under App Control Advanced, select an application category from the Category drop-down list. A Configure button appears to the right of the field as soon as a category is selected.
Step 3 Click the Configure button to open the App Control Category Settings window for the selected category.
Step 4 To block applications in this category, select Enable in the Block drop-down list.

• SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day).
• Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.

Step 11 To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field.
Step 12 Click OK.

default to the current settings of the category to which the application belongs. To retain this connection to the category settings for one or more fields, leave this selection in place for those fields.

Step 5 To block this application, select Enable in the Block drop-down list.
Step 6 To create a log entry when this application is detected, select Enable in the Log drop-down list.

• Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.

Step 12 To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field.
Step 13 To see detailed information about the application, click here in the Note at the bottom of the window.
Step 14 Click OK.

The default policy settings for the signature are set to the current settings for the application to which the signature belongs. To retain this connection to the application settings for one or more fields, leave this selection in place for those fields.

Step 6 To block this signature, select Enable in the Block drop-down list.
Step 7 To create a log entry when this signature is detected, select Enable in the Log drop-down list.
Firewall > App Rules

• M-T-W-T-F 00:00 to 08:00 – Enable the policy Monday through Friday, midnight to 8:00 AM.
• M-T-W-T-F 17:00 to 24:00 – Enable the policy Monday through Friday, 5:00 PM to midnight.
• SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day).
• Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.

You must enable App Rules to activate the functionality. App Rules is licensed as part of App Control, which is licensed on www.mysonicwall.com on the Service Management - Associated Products page under GATEWAY SERVICES. You can view the status of your license at the top of the Firewall > App Rules page, as shown below. To enable App Rules and configure the global settings:

Step 1 To enable App Rules, select the Enable App Rules checkbox.

For information about policies and policy types, see “App Rules Policy Creation” on page 630.

To configure an App Rules policy, perform the following steps:

Step 1 In the navigation pane on the left side, click Firewall, and then click App Rules.
Step 2 Below the App Rules Policies table, click Add New Policy.
Step 3 In the App Control Policies Settings window, type a descriptive name into the Policy Name field.
Step 4 Select a Policy Type from the drop-down list.

Step 10 For Users/Groups, select from the drop-down lists for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
Step 11 If the policy type is SMTP Client, select from the drop-down lists for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or group under Excluded will not be affected by the policy.
Step 12 For Schedule, select from the drop-down list.

Using the Application Control Wizard

The Application Control wizard provides safe configuration of App Control policies for many common use cases, but not for everything. If at any time during the wizard you are unable to find the options that you need, you can click Cancel and proceed using manual configuration.

• Do one of the following:

Note If you selected a choice with the words except the ones specified in the previous step, content that you enter here will be the only content that does not cause the action to occur. See “Negative Matching” on page 639.

– In the Content text box, type or paste a text or hexadecimal representation of the content to match, and then click Add. Repeat until all content is added to the List text box.

The second Application Control Action Settings screen is only displayed when you selected an action in the previous step that requires additional text. For a Web Access policy type, if you selected an action that redirects the user, you can type the new URL into the Content text box.

Step 10 In the Select Name for Application Control Policy screen, in the Policy Name text box, type a descriptive name for the policy, and then click Next.
Firewall > Match Objects

Step 3 In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object.
Step 4 Select a Match Object Type from the drop-down list. Your selection here will affect the available options in this screen. See “Match Objects” on page 634 for a description of match object types.
Step 5 Select a Match Type from the drop-down list. The available selections depend on the match object type.

Step 2 Near the bottom of the page, click the Add Application List Object button. The Create Match Object page opens. You can control which applications are displayed by selecting one or more application categories, threat levels, and technologies. When the application list is reduced to a list that is focused on your preferences, you can select the individual applications for your filter.

Step 7 Click the plus sign next to each application you want to add to your filter object. To display a description of the application, click its name in the Name column. As you select the applications for your filter, the plus sign icon becomes a green checkmark icon and the selected applications appear in the Application Group pane on the right. You can edit the list in this field by deleting individual items or by clicking the eraser to delete all items.
Firewall > Action Objects

Step 6 If HTTP Block Page was selected as the action, a Color drop-down list is displayed. Choose a background color for the block page from the Color drop-down list. Color choices are white, yellow, red, or blue.
Step 7 Click OK.

Configuring Application Layer Bandwidth Management

To use application layer bandwidth management, you must first enable bandwidth management on the interface that will handle the traffic.

Step 4 Do one or both of the following:

• Under Bandwidth Management, to manage outbound bandwidth, select the Enable Egress Bandwidth Management checkbox, and optionally set the Available Interface Egress Bandwidth (Kbps) field to the maximum for the interface.

Step 5 In the Bandwidth Aggregation Method drop-down list, select one of the following:

• Per Policy – When multiple policies are using the same Bandwidth Management action, each policy can consume up to the configured bandwidth even when the policies are active at the same time.
Firewall > Address Objects

Note For increased convenience and accessibility, the Address Objects page can be accessed either from Network > Address Objects or Firewall > Address Objects. The page is identical regardless of which tab it is accessed through. For information on configuring Address Objects, see “Network > Address Objects” on page 299.

Step 5 In the Content text box, type the content to match and then click Add. Repeat this step until you have added as many elements as you want. For example, to match on a domain, select Partial Match in the previous step and then type @ followed by the domain name in the Content field, for example: @sonicwall.com.
Verifying App Control Configuration

Wireshark

Wireshark is a network protocol analyzer that you can use to capture packets from applications on your network. You can examine the packets to determine the unique identifier for an application, which you can use to create a match object for use in an App Rules policy. Wireshark is freely available at: http://www.wireshark.org

The process of finding the unique identifier or signature of a Web browser is illustrated in the following packet capture sequence.

Step 3 In the captured output, locate and click the HTTP GET command in the top pane, and view the source for it in the center pane. In the source code, locate the line beginning with User-Agent.
Step 4 Scroll to the right to find the unique identifier for the browser. In this case it is Firefox/1.5.0.7.
Step 5 Type the identifier into the Content text box in the Match Objects Settings screen and click OK to create a match object that you can use in a policy.

Hex Editor

You can use a hexadecimal (hex) editor to view the hex representation of a file or a graphic image. One such hex editor is XVI32, developed by Christian Maas and available at no cost at the following URL: http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.

Using the SonicWALL graphic as an example, you would take the following steps:

Step 1 Start XVI32 and click File > Open to open the graphic image GIF file.
Step 2 In the left pane, mark the first 50 hex character block by selecting Edit > Block chars… and then select the decimal option and type 50 in the space provided. This will mark the first 50 characters in the file, which is sufficient to generate a unique thumbprint for use in a custom match object.

When the block is marked, it is displayed in red. To unmark a block of characters, press Ctrl+U.

Step 3 After you mark the block, click Edit > Clipboard > Copy As Hex String.
Step 4 In TextPad or another text editor, press Ctrl+V to paste the selection and then press Enter to end the line. This intermediary step is necessary to allow you to remove the spaces from the hex string.
Step 5 In TextPad, click Search > Replace to bring up the Replace dialog box.

Step 12 Click Add.
Step 13 Click OK.

You now have a Match Object containing a unique identifier for the image. You can create an App Rules policy to block or log traffic that contains the image matched by this Match Object. For information about creating a policy, see “Configuring an App Rules Policy” on page 660.
App Control Use Cases

Application Control provides the functionality to handle several types of access control very efficiently.

The example below shows a match object targeted at LimeWire and Napster Peer to Peer sharing applications.

After creating a signature-based match object, create a new App Rules policy of type App Control Content that uses the match object. The example below shows a policy which uses the newly created “Napster/LimeWire P2P” match object to drop all Napster and LimeWire traffic.

Logging Application Signature-Based Policies

As with other match object policy types, logging can be enabled on application content policies.

When you configure the policy or policies for this purpose, you can select Direction > Basic > Outgoing to specifically apply your file transfer restrictions to outbound traffic. Or, you can select Direction > Advanced and then specify the exact zones between which to prevent file transfer. For example, you can specify LAN to WAN, LAN to DMZ, or any other zones that you have defined.

Hosted Email Environments

A hosted email environment is one in which email is available on a user’s Internet Service Provider (ISP). Typically, POP3 is the protocol used for email transfer in this environment. Many small-business owners use this model, and would like to control email content as well as email attachments. Running Application Control on the gateway provides a solution for controlling POP3-based as well as SMTP-based email.
File Type – Common Extension
Microsoft Visio – vsd
Microsoft Visual Basic – vbp
Microsoft Word – doc
Microsoft Works – wps
Portable Document Format – pdf
Rich Text Format – rtf
SIT archives – sit
Text files – txt
WordPerfect – wpd
XML – xml
Tar archives (“tarballs”) – tar
ZIP archives – zip, gzip

Web Browser Control

You can also use Application Control to protect your Web servers from undesirable browsers.

You can use this match object in a policy to block browsers that are not MSIE 6.0. For information about using Wireshark to find a Web browser identifier, see “Wireshark” on page 674. For information about negative matching, see “Negative Matching” on page 639. Another example of a use case for controlling Web browser access is a small e-commerce site that is selling discounted goods that are salvaged from an overseas source.
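The User-Agent check with negative matching, as an added example in Python (not code from the SonicOS guide): it pulls the User-Agent value out of captured HTTP requests, the same header the Wireshark procedure points to, and evaluates a partial-match object with negation on and off. The requests are constructed, and the rule that a negated match fires when the header is absent is this example's own assumption.

```python
"""Model of a User-Agent match object with and without negative matching.

Added example, not SonicOS code. Assumed policy semantics: a partial
match succeeds when any Content string occurs in the User-Agent value;
with negative matching ("except the ones specified") the action fires
when the content does NOT match, which in this model includes requests
that carry no User-Agent header at all.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def user_agent(request: bytes) -> Optional[str]:
    """Return the User-Agent value of an HTTP request, or None if absent."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":   # header names are case-insensitive
            return value.strip().decode("latin-1", "replace")
    return None


@dataclass(frozen=True)
class UserAgentMatch:
    contents: Tuple[str, ...]   # partial-match strings typed into the Content list
    negate: bool = False        # True models "except the ones specified" (negative matching)

    def content_matches(self, ua: Optional[str]) -> bool:
        return ua is not None and any(c in ua for c in self.contents)

    def action_fires(self, request: bytes) -> bool:
        """True when the policy's action (block, log, ...) applies to this request."""
        matched = self.content_matches(user_agent(request))
        return (not matched) if self.negate else matched


# Constructed requests: the Firefox identifier from the Wireshark walkthrough,
# an MSIE 6.0 browser, and a client that sends no User-Agent at all.
FIREFOX = (b"GET / HTTP/1.1\r\nHost: shop.example.test\r\n"
           b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) "
           b"Gecko/20060909 Firefox/1.5.0.7\r\n\r\n")
MSIE6 = (b"GET / HTTP/1.1\r\nHost: shop.example.test\r\n"
         b"user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n")
NO_UA = b"GET / HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"

# "block browsers that are not MSIE 6.0": negative match on the MSIE 6.0 identifier
ONLY_MSIE6 = UserAgentMatch(contents=("MSIE 6.0",), negate=True)
# ordinary (positive) match on one identified browser version
BLOCK_OLD_FIREFOX = UserAgentMatch(contents=("Firefox/1.5",))

if __name__ == "__main__":
    for label, req in (("firefox", FIREFOX), ("msie6", MSIE6), ("no UA", NO_UA)):
        print(f"{label:8s} UA={user_agent(req)!r}")
        print(f"         only-MSIE6 blocks: {ONLY_MSIE6.action_fires(req)}  "
              f"old-Firefox blocks: {BLOCK_OLD_FIREFOX.action_fires(req)}")
```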
Wireshark will jump to the first frame that contains the requested data. You should see something like the screen shown below. This indicates that the HTTP POST method is transmitted immediately after the TCP header information and consists of the first four bytes (504f5354) of the TCP payload (HTTP application layer). You can use that information to create a custom match object that detects the HTTP POST method.
Next, navigate to Firewall > App Rules and click Add New Policy. Create a policy like the one shown below. To test, use a browser to open the Post.htm document you created earlier. Type in your name and then click Submit. The connection should be dropped this time and you should see an alert in the log similar to the one shown below.

Forbidden File Type Control

You can use Application Control to prevent risky or forbidden file types (e.g.

Navigate to Firewall > Match Objects and click Add New Match Object. Create an object like the one shown below. Next, navigate to Firewall > Action Objects and click Add New Action Object. Create an action like the one shown below.

To create a policy that uses this object and action, navigate to Firewall > App Rules and click Add New Policy. Create a policy like the one shown below. To test this policy, you can open a Web browser and try to download any of the file types specified in the match object (exe, vbs, scr). Below are a few URLs that you can try: http://download.skype.com/SkypeSetup.exe http://us.dl1.yimg.com/download.yahoo.com/dl/msgr8/us/msgr8us.exe http://g.msn.

Some ActiveX types and their classids are shown in the following table.

ActiveX Type – Classid
Apple QuickTime – 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B
Macromedia Flash v6, v7 – D27CDB6E-AE6D-11cf-96B8-444553540000
Macromedia Shockwave – D27CDB6E-AE6D-11cf-96B8-444553540000
Microsoft Windows Media Player v6.

You can look up the class ID for these ActiveX controls on the Internet, or you can view the source in your browser to find it. For example, the screenshot below shows a source file with the class ID for Macromedia Shockwave or Flash.

FTP Control

Application Control provides control over the FTP control channel and FTP uploads and downloads with the FTP Command and File Content match object types. Using these, you can regulate FTP usage very effectively.

First, you would create a match object of type File Content that matches on keywords in files. Optionally, you can create a customized FTP notification action that sends a message to the client. Next, you would create a policy that references this match object and action. If you prefer to simply block the file transfer and reset the connection, you can select the Reset/Drop action when you create the policy.
Blocking Outbound UTF-8 / UTF-16 Encoded Files

Native Unicode UTF-8 and UTF-16 support by Application Control allows encoded multi-byte characters, such as Chinese or Japanese characters, to be entered as match object content keywords using the alphanumeric input type. Application Control supports keyword matching of UTF-8 encoded content typically found in Web pages and email applications, and UTF-16 encoded content typically found in Windows OS / Microsoft Office based documents.

Next, create a policy that references the match object, as shown below. This policy blocks the file transfer and resets the connection. Enable Logging is selected so that any attempt to transfer a file containing the UTF-16 encoded keyword is logged. A log entry is generated after a connection Reset/Drop. An example of a log entry is shown below, including the Message stating that it is an Application Control Alert, displaying the Policy name and the Action Type of Reset/Drop.
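An added example in Python, not code from the guide, of why a keyword has to be checked in more than one encoding: the same keyword is looked up in its UTF-8 and UTF-16 byte forms inside constructed Web-page and Office-style documents, beside the UTF-8-only check that misses the Office document. It assumes exact byte matching; the keyword and the sample documents are constructed.

```python
"""Keyword matching across UTF-8 and UTF-16 encoded content.

Added example, not SonicOS code. A keyword typed in plain form has a
different byte representation in each encoding, so a File Content
check has to search for every form: UTF-8 for Web pages and mail,
UTF-16 (little- or big-endian) for Windows / Office documents.
Matching here is exact bytes, with no case folding.
"""
import codecs

# little-endian first: for ASCII keywords the UTF-16 LE and BE needles
# overlap by one byte, so the order decides which name is reported
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")


def keyword_encodings(keyword: str) -> dict:
    """Map each encoding name to the keyword's byte form in that encoding."""
    return {enc: keyword.encode(enc) for enc in ENCODINGS}


def find_keyword(data: bytes, keyword: str):
    """Name of the first encoding in which `keyword` occurs in `data`, or None."""
    for enc, needle in keyword_encodings(keyword).items():
        if needle in data:
            return enc
    return None


def naive_find(data: bytes, keyword: str) -> bool:
    """The check a UTF-8-only engine would perform."""
    return keyword.encode("utf-8") in data


# Constructed sample content. KEYWORD is Japanese for "confidential".
KEYWORD = "機密"
WEB_PAGE = b"<html><body>" + "社外秘: 機密 文書".encode("utf-8") + b"</body></html>"
OFFICE_DOC = codecs.BOM_UTF16_LE + "Internal memo - 機密 - do not forward".encode("utf-16-le")
UTF16_ASCII_DOC = codecs.BOM_UTF16_LE + "Project Confidential Plan".encode("utf-16-le")
CLEAN_DOC = "Quarterly newsletter".encode("utf-16-le")

if __name__ == "__main__":
    samples = (("web page", WEB_PAGE, KEYWORD), ("office doc", OFFICE_DOC, KEYWORD),
               ("ascii/utf16", UTF16_ASCII_DOC, "Confidential"), ("clean", CLEAN_DOC, KEYWORD))
    for label, doc, kw in samples:
        print(f"{label:12s} utf8-only={naive_find(doc, kw)!s:5s} "
              f"multi-encoding={find_keyword(doc, kw)}")
```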
The first step is to create a match object that matches on the put command. Because the mput command is a variation of the put command, a match object that matches on the put command will also match on the mput command. Optionally, you can create a customized FTP notification action that sends a message to the client. A customized action is shown in the screenshot below.

Next, you would create a policy that references this match object and action. If you prefer to simply block the put command and reset the connection, you can select the Reset/Drop action when you create the policy.

Bandwidth Management

You can use application layer bandwidth management to control the amount of network bandwidth that can be used to transfer certain file types. This allows you to discourage nonproductive traffic and encourage productive traffic on your network.

The first step is to enable bandwidth management on the interface that will handle the traffic. You can access this setting on the Network > Interfaces screen of the SonicOS management interface, shown below. For complete instructions, see “Configuring Application Layer Bandwidth Management” on page 669. Next, define a match object of type File Extension for the MP3 file extension.

Next, you can create an application layer bandwidth management action that limits inbound transfers to 400 kbps. The Bandwidth Management Type on Firewall Settings > BWM must be set to WAN in order to do this in the Action Object Settings screen. If the BWM Type is Global, go to the Firewall Settings > BWM page and adjust the Maximum/Burst setting there.

Now you are ready to create a policy that applies the bandwidth management action to the MP3 file extension object.

Bypass DPI

You can use the Bypass DPI action to increase performance over the network if you know that the content being accessed is safe. For example, this might be the case if your company has a corporate video that you want to stream to company employees over HTTP by having them access a URL on a Web server.

Only two steps are needed to create the policy. First, you can define a match object for the corporate video using a match object type of HTTP URI Content: Note that the leading slash (/) of the URL should always be included for Exact Match and Prefix Match types for URI Content match objects. You do not need to include the host header, such as “www.company.com”, in the Content field.

Custom Signature

You can create a custom match object that matches any part of a packet if you want to control traffic that does not have a predefined object type in Application Control. This allows you to create a custom signature for any network protocol. For instance, you can create a custom signature to match HTTP GET request packets. You might use this if you want to prevent Web browsing from your local area network.

the first byte in the packet is counted as number one (not zero). Decimal numbers are used rather than hexadecimal to calculate offset and depth. Offset and depth associated with a custom match object are calculated starting from the packet payload (the beginning of the TCP or UDP payload). In this case, the offset is 1 and the depth is 3. Now you can create a custom match object that uses this information.
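The offset and depth arithmetic above, together with the hex thumbprint produced by the Hex Editor procedure and the HTTP POST signature (504f5354) from the earlier use case, as an added example in Python rather than anything from the SonicOS guide. It assumes that the first payload byte is number one and that the content must lie entirely inside the window of Depth bytes starting at Offset; the request payloads and the GIF bytes are constructed for the example.

```python
"""Model of an Application Control custom-signature match object.

Added example, not SonicOS code. Assumed semantics, taken from the
text: the payload's first byte is number 1, and a match object with
Content (hex), Offset and Depth matches when the content lies entirely
inside the window of Depth bytes that begins at byte Offset of the
TCP/UDP payload. A file "thumbprint" (the first 50 bytes as a hex
string) is just such a signature with offset 1 and depth 50.
"""
import binascii
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomSignature:
    name: str
    content_hex: str   # hex representation, as typed into the Content field
    offset: int = 1    # 1-based position of the first payload byte to inspect
    depth: int = 3     # number of payload bytes, counted from offset, to search

    def __post_init__(self):
        if self.offset < 1:
            raise ValueError("offset is 1-based and must be at least 1")
        if len(self.content()) > self.depth:
            raise ValueError("depth must be large enough to hold the content")

    def content(self) -> bytes:
        # tolerate spaces so a hex dump pasted from Wireshark or XVI32 works
        return binascii.unhexlify(self.content_hex.replace(" ", ""))

    def matches(self, payload: bytes) -> bool:
        """True when the content occurs inside the offset/depth window."""
        start = self.offset - 1               # convert the 1-based offset to an index
        window = payload[start:start + self.depth]
        return self.content() in window


def hex_thumbprint(data: bytes, length: int = 50) -> str:
    """First `length` bytes of a file as an uppercase hex string without spaces,
    the form the Hex Editor procedure produces for a custom match object."""
    return binascii.hexlify(data[:length]).decode("ascii").upper()


def first_match(payload: bytes, signatures) -> str:
    """Name of the first signature that matches the payload, or 'no match'."""
    for sig in signatures:
        if sig.matches(payload):
            return sig.name
    return "no match"


# Signatures from the use cases: "GET" at offset 1, depth 3 and "POST"
# (50 4f 53 54) at offset 1, depth 4.
GET_SIG = CustomSignature("HTTP GET", "474554", offset=1, depth=3)
POST_SIG = CustomSignature("HTTP POST", "504f5354", offset=1, depth=4)

# Constructed payloads: two HTTP requests and a fake GIF file body.
GET_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
POST_REQUEST = b"POST /form.cgi HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
FAKE_GIF = b"GIF89a" + bytes(range(60))   # stand-in for the logo image
LOGO_SIG = CustomSignature("corporate logo", hex_thumbprint(FAKE_GIF), offset=1, depth=50)

if __name__ == "__main__":
    sigs = (GET_SIG, POST_SIG, LOGO_SIG)
    for label, payload in (("GET", GET_REQUEST), ("POST", POST_REQUEST),
                           ("GIF", FAKE_GIF), ("shifted", b" " + GET_REQUEST)):
        # "shifted" pushes GET past the 3-byte window, so no signature fires
        print(f"{label:8s} -> {first_match(payload, sigs)}")
```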
action or a default action such as Reset/Drop. For the Connection Side, select Client Side. You can also modify other settings. For more information about creating a policy, see “Configuring an App Rules Policy” on page 660.

Reverse Shell Exploit Prevention

The reverse shell exploit is an attack that you can prevent by using Application Control’s custom signature capability (See “Custom Signature” on page 702).

Note Networks using unencrypted Telnet service must configure policies that exclude those servers’ IP addresses.

While this use case refers to the specific case of reverse shell payloads (outbound connections), it is more secure to configure the policy to be effective also for inbound connections. This protects against a case where the executed payload spawns a listening shell onto the vulnerable host and the attacker connects to that service across misconfigured firewalls.

The hexadecimal data can be exported to a text file for trimming off the packet header, unneeded or variable parts and spaces. The relevant portion here is “Microsoft… reserved.” You can use the Wireshark hexadecimal payload export capability for this. For information about Wireshark, see “Wireshark” on page 674.

Defining the Policy

After creating the match objects, you can define a policy that uses them. The image below shows the other policy settings. This example as shown is specific for reverse shells in both the Policy Name and the Direction settings. As mentioned, it may also be tailored for a wider scope with the Direction setting changed to Both and a more generic name. A log entry with a Category of Network Access is generated after a connection Reset/Drop.

Glossary

Application layer: The seventh level of the 7-layer OSI model; examples of application layer protocols are AIM, DNS, FTP, HTTP, IMAP, MSN Messenger, POP3, SMTP, SNMP, TELNET, and Yahoo Messenger

Bandwidth management: The process of measuring and controlling the traffic on a network link to avoid network congestion and poor performance of the network

Client: Typically, the client (in a client-server architecture) is an application that runs on a personal computer or workstatio
Part 9:
Chapter 50: Configuring Advanced Access Rule Settings

Firewall Settings > Advanced

To configure advanced access rule options, select Firewall Settings > Advanced under Firewall.

The Firewall Settings > Advanced page includes the following firewall configuration option groups:

• “Detection Prevention” on page 712
• “Dynamic Ports” on page 712
• “Source Routed Packets” on page 713
• “Connections” on page 714
• “Access Rule Service Options” on page 714
• “IP and UDP Checksum Enforcement” on page 715
• “UDP” on page 715
• “Connection Limiting” on page 715

Detection Prevention

• Enable Stealth Mode - By default, the security appliance respo

b. On the Network > Services page, create a custom Service for the FTP Server with the following values:
• Name: FTP Custom Port Control
• Protocol: TCP(6)
• Port Range: 2121 - 2121
c. On the Network > NAT Policies page, create the following NAT Policy, and on the Firewall Settings > Advanced page, create the following Access Rule

Connections

The Connections section provides the ability to fine-tune the performance of the appliance to prioritize either optimal performance or support for an increased number of simultaneous connections that are inspected by UTM services. There is no change in the level of security protection provided by either of the DPI Connections settings below.

Apply firewall rules for intra-LAN traffic to/from the same interface - Applies firewall rules to traffic that is received on a LAN interface and that is destined for the same LAN interface. Typically, this is only necessary when secondary LAN subnets are configured.

IP and UDP Checksum Enforcement

• Enable IP header checksum enforcement - Select this to enforce IP header checksums.
• Enable UDP checksum enforcement - Select this to enforce UDP checksums.
Chapter 51: Configuring Bandwidth Management

Firewall Settings > BWM

Bandwidth management (BWM) is a means of allocating bandwidth resources to critical applications on a network. SonicOS Enhanced offers an integrated traffic shaping mechanism through its outbound (Egress) and inbound (Ingress) BWM interfaces. BWM can be applied to traffic to and from an interface with Ingress and Egress BWM enabled.

Understanding Bandwidth Management

BWM is controlled by the SonicWALL Security Appliance on ingress and egress traffic. It allows network administrators to guarantee minimum bandwidth and prioritize traffic based on access rules created in the Firewall > Access Rules page on the SonicWALL management interface.

Configuring the Firewall Settings > BWM Page

BWM works by first configuring the BWM type on the Firewall Settings > BWM page, then enabling BWM on an interface, and then allocating the available bandwidth for that interface on the ingress and egress traffic. It then assigns individual limits for each class of network traffic by adding firewall access rules or application policies and configuring the required guaranteed and maximum bandwidths for the specific traffic.

Note When you change the Bandwidth Management Type from Global to WAN, the default BWM actions that are in use in any App Rules policies will be automatically converted to WAN BWM Medium, no matter what level they were set to before the change. When you change the Type from WAN to Global, the default BWM actions are converted to BWM Global-Medium. The firewall does not store your previous action priority levels when you switch the Type back and forth.

Configuring Interfaces

To configure BWM per interface, perform the following steps:

Step 1 Navigate to the Firewall Settings > BWM page.
Step 2 Select Bandwidth Management Type: Global, WAN, or none, and then click Accept.
Step 3 Navigate to the Network > Interfaces page.
Step 4 Click the Configure icon in the Configure column for the interface for which you want to set BWM. The Edit Interface dialog is displayed.

Note If using Bandwidth Management Type WAN, you can only enable BWM on a WAN interface. If using Type: None, you cannot set the Ingress or Egress bandwidth.

Step 5 Click the Advanced tab.
Firewall Settings > BWM Step 1 Navigate to the Firewall > Access Rules page. Step 2 Click the Configure icon for the rule you want to edit. The Edit Rule General tab dialog is displayed. Step 3 Click the Ethernet BWM tab. Step 4 Select the checkboxes, select the Bandwidth Priority, and then click OK. Note Step 5 All priorities will be displayed (Realtime – Lowest) regardless if all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled.
Configuring Application Rules
Application layer BWM allows you to create policies that regulate bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same protocol.
To configure BWM for a specific application, perform the following steps:
Step 1 Navigate to the Firewall > App Rules page.
Step 2 Under App Rules Policies, select the Action Type Bandwidth Management. The page is sorted by Action Type Bandwidth Management.
Step 3 Click the Configure icon in the Configure column for the policy you want to change. The Edit App Control Policy window is displayed.
Step 4 Change the Action Object to the desired BWM setting, and then click OK.
Note: All priorities are displayed (Realtime – Lowest) regardless of whether all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled. If you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the Medium Priority (default).
The change takes effect when you return to the App Rules page.
The following table lists the predefined default actions that are available when adding a policy.
To create a new BWM action or policy, perform the following steps:
Step 1 Navigate to the Firewall > Action Objects page.
Step 2 Click Add New Action Object at the bottom of the page. The Add/Edit Action Object window is displayed.
Step 3 If the BWM type is Global, do the following:
• Action Name field: Enter a name for the policy.
• Action drop-down: Select Bandwidth Management.
• Check the Enable Outbound Bandwidth Management checkbox and select the Bandwidth Priority.
If the BWM type is WAN, the configuration of these options is included in the following steps.
Step 4
Step 5
Step 6
Note: All priorities are displayed (0–7) regardless of whether all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled. If you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the Medium Priority (default).
If you plan to use this custom action for rate limiting rather than guaranteeing bandwidth, you do not need to change the Guaranteed Bandwidth field.
Step 7 To specify the Maximum Bandwidth, optionally enter a value either as a percentage or as kilobits per second, and select either % or Kbps in the drop-down list. If you plan to use this custom action for guaranteeing bandwidth rather than rate limiting, you do not need to change the Maximum Bandwidth field.
To configure BWM using the App Flow Monitor, perform the following steps:
Step 1 Navigate to the Dashboard > App Flow Monitor page.
Step 2 Check the service-based applications or signature-based applications to which you want to apply global BWM.
Note: General applications cannot be selected. Service-based applications and signature-based applications cannot be mixed in a single rule.
Step 3 Click Create Rule. The Create Rule pop-up is displayed.
Note: Create Rule for service-based applications results in a firewall access rule; Create Rule for signature-based applications creates an application control policy.
(Figures: Service-based Application Options; Signature-based Applications Options)
Step 4 Select the Bandwidth Manage radio button, and then select a global BWM priority.
Step 5 Click Create Rule. A confirmation pop-up is displayed.
(Figures: Service-based Application Successful; Signature-based Applications Successful)
Step 6 Click OK.
Step 7 Navigate to the Firewall > Access Rules page (for service-based applications) or the Firewall > App Rules page (for signature-based applications) to verify that the rule was created.
Note: For service-based applications, the new rule is identified with a tack in the Comments column and a ~services= prefix in the Service column. For example, ~services=NTP&t=1306361297.
Guaranteed Bandwidth: A declared percentage of the total available bandwidth on an interface which will always be granted to a certain class of traffic. Applicable to both inbound and outbound BWM. The total Guaranteed Bandwidth across all BWM rules cannot exceed 100% of the total available bandwidth.
SonicOS Enhanced 5.0 and higher enhances the Bandwidth Management feature to provide rate limiting functionality.
Chapter 52: Configuring Flood Protection
Firewall Settings > Flood Protection
The Firewall Settings > Flood Protection page lets you view statistics on TCP traffic through the security appliance and manage TCP traffic settings.
TCP Settings
The TCP Settings section allows you to:
• Enforce strict TCP compliance with RFC 793 and RFC 1122 – Select to ensure strict compliance with several TCP timeout rules. This setting maximizes TCP security, but it may cause problems with the Window Scaling feature for Windows Vista users.
• Enable TCP handshake enforcement – Require a successful three-way TCP handshake for all TCP connections.
– Maximum value: 60 seconds
SYN Flood Protection Methods
SYN/RST/FIN Flood protection helps to protect hosts behind the SonicWALL from Denial of Service (DoS) or Distributed DoS attacks that attempt to consume the host’s available resources through one of the following attack mechanisms:
• Sending TCP SYN packets, RST packets, or FIN packets with invalid or spoofed IP addresses.
• Creating excessive numbers of half-opened TCP connections.
Each watchlist entry contains a value called a hit count. The hit count increments when the device receives an initial SYN packet from a corresponding device, and decrements when the TCP three-way handshake completes. The hit count for any particular device therefore generally equals the number of half-open connections pending since the last time the device reset the hit count. By default the device resets the hit count once a second.
A SYN Flood Protection mode is the level of protection that you can select to defend against half-opened TCP sessions and high-frequency SYN packet transmissions. This feature enables you to set three different levels of SYN Flood Protection:
• Watch and Report Possible SYN Floods – This option enables the device to monitor SYN traffic on all interfaces on the device and to log suspected SYN flood activity that exceeds a packet count threshold.
• SACK (Selective Acknowledgment) – This parameter controls whether or not Selective ACK is enabled. With SACK enabled, a packet or series of packets can be dropped, and the receiver informs the sender which data has been received and where holes may exist in the data.
• MSS (Minimum Segment Size) – This sets the threshold for the size of TCP segments, preventing a segment that is too large from being sent to the targeted server.
The SYN/RST/FIN Blacklisting region contains the following options:
• Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – The maximum number of SYN, RST, and FIN packets allowed per second. The default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
• Invalid Flag Packets Dropped – Incremented under the following conditions:
– When a non-SYN packet is received that cannot be located in the connection cache (while SYN Flood protection is disabled).
– When a packet with flags other than SYN, RST+ACK or SYN+ACK is received during session establishment (while SYN Flood protection is enabled).
• TCP XMAS Scan is logged if the packet has the FIN, URG, and PSH flags set.
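As an added example (not SonicOS code), the following Python models the watchlist hit count, the per-second SYN/RST/FIN blacklisting threshold, and the invalid-flag and XMAS checks described above, run over constructed traffic. The thresholds, addresses and event strings are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Flag combinations the page lists as legitimate during session establishment
HANDSHAKE_OK = {SYN, RST | ACK, SYN | ACK}


class FloodMonitor:
    """Per-source watchlist: hit count (half-open SYNs), SYN/RST/FIN rate,
    blacklist, an Invalid Flag Packets Dropped counter and an event log.
    Modelled on the behaviour described above; thresholds are constructed."""

    def __init__(self, attack_threshold=300, blacklist_threshold=1000):
        self.attack_threshold = attack_threshold        # watch-and-report hit count
        self.blacklist_threshold = blacklist_threshold  # SYN/RST/FIN packets per second
        self.hit_count = defaultdict(int)
        self.rate = defaultdict(int)
        self.blacklisted = set()
        self.invalid_flag_packets = 0
        self.floods_detected = 0
        self.events = []
        self._second = None

    def _tick(self, ts):
        """Hit counts and rate counters are reset once a second."""
        sec = int(ts)
        if self._second is not None and sec != self._second:
            self.hit_count.clear()
            self.rate.clear()
        self._second = sec

    def packet(self, ts, src, flags, establishing=True):
        """Feed one TCP packet from source `src`; returns "forward" or "drop"."""
        self._tick(ts)
        if src in self.blacklisted:
            self.events.append((ts, src, "dropped: source blacklisted"))
            return "drop"
        # XMAS scan: FIN, URG and PSH all set
        if (flags & (FIN | URG | PSH)) == (FIN | URG | PSH):
            self.events.append((ts, src, "TCP XMAS scan"))
        # During session establishment only SYN, RST+ACK and SYN+ACK are valid
        if establishing and flags not in HANDSHAKE_OK:
            self.invalid_flag_packets += 1
            self.events.append((ts, src, "invalid flag packet dropped"))
            return "drop"
        if flags & (SYN | RST | FIN):
            self.rate[src] += 1
        if flags == SYN:
            self.hit_count[src] += 1   # one more half-open connection
        self._evaluate(ts, src)
        return "drop" if src in self.blacklisted else "forward"

    def handshake_complete(self, ts, src):
        """Three-way handshake finished: one fewer half-open connection."""
        self._tick(ts)
        if self.hit_count[src] > 0:
            self.hit_count[src] -= 1

    def _evaluate(self, ts, src):
        # Blacklisting: SYN/RST/FIN rate over the per-second threshold
        if self.rate[src] > self.blacklist_threshold:
            self.blacklisted.add(src)
            self.floods_detected += 1
            self.events.append((ts, src, "SYN/RST/FIN flood: source blacklisted"))
        # Watch and report: half-open SYN count crossed the attack threshold
        elif self.hit_count[src] == self.attack_threshold + 1:
            self.floods_detected += 1
            self.events.append((ts, src, "possible SYN flood reported"))


def demo():
    """Constructed traffic within one second: a well-behaved client whose
    handshakes complete, a source whose SYNs never complete, and a single
    XMAS probe. Thresholds are lowered so the run stays short."""
    mon = FloodMonitor(attack_threshold=5, blacklist_threshold=20)
    for i in range(10):                       # legitimate client
        t = 1.0 + i * 0.01
        mon.packet(t, "10.0.0.5", SYN)
        mon.handshake_complete(t, "10.0.0.5")
    for i in range(30):                       # half-open SYN flood
        mon.packet(1.5 + i * 0.001, "198.51.100.9", SYN)
    mon.packet(1.9, "203.0.113.7", FIN | URG | PSH)   # XMAS probe
    return mon
```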
Column – Description
Total SYN, RST, or FIN Floods Detected – The total number of events in which a forwarding device has exceeded the lower of either the SYN attack threshold or the SYN/RST/FIN flood blacklisting threshold.
TCP Connection SYN-Proxy State (WAN only) – Indicates whether or not Proxy-Mode is currently on for the WAN interfaces.
Current SYN-Blacklisted Machines – The number of devices currently on the SYN blacklist.
Chapter 53: Configuring Multicast Settings
Firewall Settings > Multicast
Multicasting, also called IP multicasting, is a method for sending one Internet Protocol (IP) packet simultaneously to multiple hosts. Multicast is suited to the rapidly growing segment of Internet traffic consisting of multimedia presentations and video conferencing: for example, a single host transmitting an audio or video stream and ten hosts that want to receive this stream.
Multicast Snooping
This section provides configuration tasks for Multicast Snooping.
• Enable Multicast – This checkbox is disabled by default. Select this checkbox to support multicast traffic.
• Require IGMP Membership reports for multicast data forwarding – This checkbox is enabled by default. Select this checkbox to improve performance by forwarding multicast data only to interfaces that have joined a multicast group address using IGMP.
To create a multicast address object:
Step 1 In the Enable reception for the following multicast addresses list, select Create new multicast object.
Step 2 In the Add Address Object window, configure:
– Name: The name of the address object.
– Zone Assignment: Select MULTICAST.
– Type: Select Host, Range, Network, or MAC.
– IP Address: If you selected Host or Network, the IP address of the host or network. The IP address must be in the range for multicast, 224.0.0.
Enabling Multicast on LAN-Dedicated Interfaces
Perform the following steps to enable multicast support on LAN-dedicated interfaces.
Step 1 Enable multicast support on your SonicWALL security appliance. On the Firewall Settings > Multicast page, select the Enable Multicast checkbox, and in the Multicast Policy section select Enable the reception of all multicast addresses.
Step 2 Enable multicast support on LAN interfaces.
Enabling Multicast Through a VPN
To enable multicast across the WAN through a VPN, perform the following steps:
Step 1 Enable multicast globally. On the Firewall Settings > Multicast page, check the Enable Multicast checkbox, and click the Apply button on each security appliance.
Step 2 Enable multicast support on each individual interface that will be participating in the multicast network.
Note: The default WLAN > MULTICAST access rule for IGMP traffic is set to DENY. To enable multicast, this must be changed to ALLOW on all participating appliances that have multicast clients on their WLAN zones.
Step 5 Make sure the tunnels are active between the sites, and start the multicast server application and client applications. As multicast data is sent from the multicast server to the multicast group (224.0.0.0 through 239.255.255.
Chapter 54: Managing Quality of Service
Firewall Settings > QoS Mapping
Quality of Service (QoS) refers to a diversity of methods intended to provide predictable network behavior and performance. This sort of predictability is vital to certain types of applications, such as Voice over IP (VoIP), multimedia content, or business-critical applications such as order or credit-card processing.
But all is not lost. Once SonicOS Enhanced classifies the traffic, it can tag the traffic to communicate this classification to certain external systems that are capable of abiding by CoS tags, so that they too can participate in providing QoS.
Note: Many service providers do not support CoS tags such as 802.1p or DSCP. Also, most network equipment with standard configurations will not be able to recognize 802.1p tags, and could drop tagged traffic.
Conditioning
The traffic can be conditioned (or managed) using any of the many policing, queuing, and shaping methods available. SonicOS provides internal conditioning capabilities with its Egress and Ingress Bandwidth Management (BWM), detailed in the “Bandwidth Management” section on page 765.
such as DSCP. SonicOS Enhanced has the ability to DSCP mark traffic after classification, as well as the ability to map 802.1p tags to DSCP tags for external network traversal and CoS preservation. For VPN traffic, SonicOS can DSCP mark not only the internal (payload) packets, but the external (encapsulating) packets as well, so that QoS-capable service providers can offer QoS even on encrypted VPN traffic.
The behavior of the 802.1p field within these tags can be controlled by Access Rules. The default 802.1p Access Rule action of None resets existing 802.1p tags to 0, unless otherwise configured (see the “Managing QoS Marking” section on page 760 for details). Enabling 802.1p marking allows the target interface to recognize incoming 802.1p tags generated by 802.1p-capable network devices, and also allows the target interface to generate 802.
Example Scenario
(Figure: Example Scenario, showing the network security appliances at each site)
In the scenario above, we have Remote Site 1 connected to ‘Main Site’ by an IPsec VPN. The company uses an internal 802.1p/DSCP capable VoIP phone system, with a private VoIP signaling server hosted at the Main Site. The Main Site has a mixed gigabit and Fast-Ethernet infrastructure, while Remote Site 1 is all Fast Ethernet. Both sites employ 802.1p capable switches for prioritization of internal traffic.
1.
prioritize the traffic. The Remote Site switch would treat the VoIP traffic the same as the lower-priority file transfer because of the link saturation, introducing delay—maybe even dropped packets—to the VoIP flow, resulting in call quality degradation. So how can critical 802.1p priority information from the Main Site LAN persist across the VPN/WAN link to the Remote Site LAN? Through the use of QoS Mapping. QoS Mapping is a feature which converts layer 2 802.
The following table shows the commonly used code points, as well as their mapping to the legacy Precedence and ToS settings.
If symptoms of such a scenario emerge (e.g. excessive retransmissions of low-priority traffic), it is recommended that you create a separate VPN policy for the high-priority and low-priority classes of traffic. This is most easily accomplished by placing the high-priority hosts (e.g. the VoIP network) on their own subnet.
Configure for 802.1p CoS 4 – Controlled load
If you want to change the inbound mapping of DSCP tag 15 from its default 802.1p mapping of 1 to an 802.
Note: Mapping will not occur until you assign Map as an action on the QoS tab of an Access Rule. The mapping table only defines the correspondence that will be employed by an Access Rule’s Map action. For example, according to the default table, an 802.1p tag with a value of 2 will be outbound mapped to a DSCP value of 16, while a DSCP tag of 43 will be inbound mapped to an 802.1p value of 5. Each of these mappings can be reconfigured.
The following table describes the behavior of each action on both methods of marking:
Action – 802.1p (layer 2 CoS) – DSCP (layer 3)
None – When packets matching this class of traffic (as defined by the Access Rule) are sent out the egress interface, no 802.1p tag will be added. – The DSCP tag is explicitly set (or reset) to 0.
Preserve – Existing 802.1p tag will be preserved.
Explicit – An explicit 802.
For example, refer to the following figure, which shows a bi-directional DSCP tag action.
(Figure: bi-directional DSCP tag action, showing the 802.1p tag, the DSCP tag, the VoIP endpoints, the network security appliance, and a segment with no DSCP tag)
HTTP access from a Web browser on 192.168.168.100 to the Web server on 10.50.165.2 will result in the tagging of the inner (payload) packet and the outer (encapsulating ESP) packets with a DSCP value of 8.
Setting – Access Rule 1 – Access Rule 2
Destination – Main Site Subnets – LAN Primary Subnet
Users Allowed – All – All
Schedule – Always on – Always on
Enable Logging – Enabled – Enabled
Allow Fragmented Packets – Enabled – Enabled
DSCP Marking Action – Map – Map
Allow 802.1p Marking to override DSCP values – Enabled – Enabled
802.
To examine the effects of the second Access Rule (VPN > LAN), we’ll look at the Access Rules configured at the Main Site.
Bandwidth Management
Although bandwidth management (BWM) is a fully integrated QoS service, wherein classification and shaping are performed on the single SonicWALL appliance, effectively eliminating the dependency on external systems and thus obviating the need for marking, it is possible to concurrently configure BWM and QoS (layer 2 and/or layer 3 marking) settings on a single Access Rule.
Queue processing utilizes a time division scheme of approximately 1/256th of a second per time slice. Within a time slice, evaluation begins with priority 0 queues, and on a packet-by-packet basis transmission eligibility is determined by measuring the packet’s length against the queue credit pool. If sufficient credit is available, the packet is transmitted and the queue and link credit pools are decremented accordingly.
• Web Sense
• Syslog
• NTP
• Security Services (AV, signature updates, license manager)
Outbound BWM Packet Processing Path
a. Determine that the packet is bound for the WAN zone.
b. Determine that the packet is classifiable as a Firewall packet.
c. Match the packet to an Access Rule to determine the BWM setting.
d. Queue the packet in the appropriate rule queue.
Guaranteed Bandwidth Processing
This algorithm depicts how all the policies use up the GBW.
a.
Example of Outbound BWM
(Figure: BWM Queue Structure, showing Priority Rings 0 through 7 holding the Rule 1 through Rule 4 queues and the Default Queue)
The above diagram shows 4 policies configured for OBWM with a link capacity of 100 Kbps. This means that the link capacity is 12800 Bytes/sec. The table below gives the BWM values for each rule in Bytes per second.
e. Since all the queues have been processed for GBW, we now move on to using up the leftover link credit of 8000.
f. Start with the highest priority, 0, and process all queues in this priority in a round-robin fashion. H323 has Pkt3 of 500 B, which is sent since it can use up to max = 2560 (MBW – GBW). Now Link credit = 7500 and max = 2060.
g. Move to the next queue in this priority, which is the VNC queue.
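To make the two-phase credit scheme concrete, here is an added Python model (not SonicOS code) of one outbound time slice: guaranteed bandwidth first, then the leftover link credit handed out by priority ring, round-robin within a ring, up to each rule's MBW – GBW. The four rules, their GBW/MBW values and the queued packet sizes are constructed so that the totals match the worked example above (4800 bytes of GBW, 8000 bytes of leftover credit, 12800 bytes of link capacity).

```python
from collections import deque


class RuleQueue:
    """One BWM rule queue. gbw/mbw are bytes per time slice (constructed values)."""

    def __init__(self, name, priority, gbw, mbw, packets):
        self.name, self.priority = name, priority
        self.gbw, self.mbw = gbw, mbw
        self.queue = deque(packets)   # packet sizes in bytes, head of line first
        self.sent = 0
        self.extra = 0                # leftover-phase budget, set after the GBW phase


def schedule_slice(link_capacity, rules):
    """Run one outbound time slice. Returns (trace, leftover_link_credit);
    each trace entry is (phase, rule, packet_bytes, link_credit_after)."""
    trace = []
    link_credit = link_capacity

    # Phase 1: every queue may send up to its guaranteed bandwidth (GBW).
    # Eligibility is packet-by-packet: the head packet must fit the credit.
    for r in rules:
        credit = r.gbw
        while r.queue and r.queue[0] <= credit and r.queue[0] <= link_credit:
            pkt = r.queue.popleft()
            credit -= pkt
            link_credit -= pkt
            r.sent += pkt
            trace.append(("GBW", r.name, pkt, link_credit))
        # Budget for the leftover phase is MBW - GBW, as in the worked example
        r.extra = r.mbw - r.gbw

    # Phase 2: leftover link credit by priority ring, round-robin within a ring.
    for prio in range(8):
        ring = [r for r in rules if r.priority == prio]
        progress = True
        while progress and link_credit > 0:
            progress = False
            for r in ring:
                if r.queue and r.queue[0] <= r.extra and r.queue[0] <= link_credit:
                    pkt = r.queue.popleft()
                    r.extra -= pkt
                    link_credit -= pkt
                    r.sent += pkt
                    trace.append(("MBW", r.name, pkt, link_credit))
                    progress = True
    return trace, link_credit


def run_example():
    """Constructed rule set and queues; returns (bytes sent per rule, trace, leftover)."""
    rules = [
        RuleQueue("H323", 0, gbw=1280, mbw=3840, packets=[1000, 280, 500, 700]),
        RuleQueue("VNC", 0, gbw=640, mbw=1920, packets=[400, 240, 300, 2000]),
        RuleQueue("FTP", 6, gbw=1280, mbw=6400, packets=[1280, 1500, 1500, 1500, 1500]),
        RuleQueue("Default", 7, gbw=1600, mbw=12800, packets=[1000, 600, 1000, 1000]),
    ]
    trace, leftover = schedule_slice(12800, rules)
    return {r.name: r.sent for r in rules}, trace, leftover
```

The trace shows the same checkpoints as the text: 8000 bytes of link credit remain after the GBW phase, and H323's 500-byte Pkt3 is the first leftover-phase packet, leaving 7500.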
An ingress module monitors and records the ingress rate for each traffic class. It also monitors the egress ACKs and queues them if the ingress rate has to be reduced. According to ingress BW availability and average rate, the ACKs will be released.
Process ACKs
This algorithm is used to update the BW parameters per class according to the amount of BW usage in the previous time slice. The amount of BW usage is given by the total number of bytes received for the class in the previous time slice. The algorithm is also used to process the packets from the ingress module queues according to the available credit for the class.
b. Row 2a shows an egress ACK for the class. Since the class credit is less than the rate, this packet is queued in the appropriate ingress queue, and it will not be processed until the class credit is at least equal to the rate.
c. In the following time slices, the class credit accumulates until it matches the rate. Hence, after two time slices the class credit becomes 1900 (620 + 640 + 640). The queued ACK packet is processed from the ingress pool at this point.
include at a minimum Default, Assured Forwarding, and Expedited Forwarding. DiffServ is supported on SonicWALL NSA platforms. Refer to the “DSCP Marking” section on page 757 for more information.
• Discarding – A congestion avoidance mechanism that is employed by QoS systems in an attempt to predict when congestion might occur on a network, and to prevent the congestion by dropping over-limit traffic.
limiting functionality. You can now create traffic policies that specify maximum rates for Layer 2, 3, or 4 network traffic. This enables bandwidth management in cases where the primary WAN link fails over to a secondary connection that cannot handle as much traffic. The Maximum Bandwidth can be set to 0%, which will prevent all traffic.
• Outbound (Egress or OBWM) – Conditioning the rate at which traffic is sent out an interface.
– Token Based CBQ – An enhancement to CBQ that employs a token, or credit-based, system that helps to smooth or normalize link utilization, avoiding burstiness as well as under-utilization. Employed by SonicOS’ BWM.
• RSVP – Resource Reservation Protocol. An IntServ signaling protocol employed by some applications where the anticipated need for network behavior (e.g. delay and bandwidth) is requested so that it can be reserved along the network path.
Chapter 55: Configuring SSL Control
Firewall Settings > SSL Control
This chapter describes how to plan, design, implement, and maintain the SSL Control feature. This chapter contains the following sections:
• “Overview of SSL Control” section on page 777
• “SSL Control Configuration” section on page 785
• “Enabling SSL Control on Zones” section on page 787
• “SSL Control Events” section on page 787
Overview of SSL Control
This section provides an overview of SSL Control.
well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based endpoint identification, and cryptographic and digest-based confidentiality to network communications.
(Figure: exchange between the Client and the HTTPS Server)
1 Client browses to http://www.mysonicwall.com
2 DNS resolves target to 64.41.140.173
3 Client sends TCP SYN to 64.41.140.173 port 443.
simple Web search. The challenge is not the ever-increasing number of such services, but rather their unpredictable nature. Since these services are often hosted on home networks using dynamically addressed DSL and cable modem connections, the targets are constantly moving. Trying to block an unknown SSL target would require blocking all SSL traffic, which is practically infeasible.
Feature – Benefit
Untrusted Certificate Authority Control – Like the use of self-signed certificates, encountering a certificate issued by an untrusted CA is not an absolute indication of disreputable obscuration, but it does suggest questionable trust. SSL Control can compare the issuer of the certificate in SSL exchanges against the certificates in the SonicWALL’s certificate store.
SSL is not limited to securing HTTP, but can also be used to secure other TCP protocols such as SMTP, POP3, IMAP, and LDAP. For more information, see http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html. SSL session establishment occurs as follows:
• SSLv2 – The earliest version of SSL still in common use.
– TLS – Transport Layer Security (version 1.0), also known as SSLv3.
mismatch elicits a browser alert, it is not always a sure sign of deception. For example, if a client browses to https://mysonicwall.com, which resolves to the same IP address as www.mysonicwall.com, the server will present its certificate bearing the subject CN of www.mysonicwall.com. An alert will be presented to the client, despite the total legitimacy of the connection.
Caveats and Advisories
1. Self-signed and Untrusted CA enforcement – If enforcing either of these two options, it is strongly advised that you add the common names of any SSL secured network appliances within your organization to the whitelist to ensure that connectivity to these devices is not interrupted. For example, the default subject name of SonicWALL UTM appliances is “192.168.168.168”, and the default common name of SonicWALL SSL VPN appliances is “192.168.200.1”.
SSL Control Configuration
SSL Control is located on the Firewall panel, under the SSL Control folder. SSL Control has a global setting, as well as a per-zone setting. By default, SSL Control is not enabled at the global or zone level. The individual page controls are as follows (refer to the Key Concepts for SSL Control section for more information on the terms used below).
• Enable SSL Control – The global setting for SSL Control.
• Detect Weak Ciphers (<64 bits) – Controls the detection of SSL sessions negotiated with symmetric ciphers of less than 64 bits, commonly indicating export cipher usage.
• Detect MD5 Digest – Controls the detection of certificates that were created using an MD5 hash.
• Configure Blacklist and Whitelist – Allows the administrator to define strings for matching common names in SSL certificates.
Entries can be added, edited and deleted with the buttons beneath each list window.
Note: List matching is based on the subject common name in the certificate presented in the SSL exchange, not on the URL (resource) requested by the client. Changes to any of the SSL Control settings will not affect currently established connections; only new SSL exchanges that occur following the change commit will be inspected and affected.
# – Event Message – Conditions When it Occurs
3 – SSL Control: Self-signed certificate – The certificate is self-signed (the CN of the issuer and the subject match).
4 – SSL Control: Untrusted CA – The certificate has been issued by a CA that is not in the System > Certificates store of the SonicWALL.
5 – SSL Control: Website found in blacklist – The common name of the subject matched a pattern entered into the blacklist.
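As an added example (not SonicOS code), the following Python applies the checks described in this chapter to a handful of constructed SSL exchanges and returns the resulting SSL Control events. The event strings for rows 3 to 5 are taken from the table above; the weak-cipher and MD5 strings, the trust store contents, the sample certificates, and the rule that a whitelist match exempts the exchange from the remaining checks are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SslExchange:
    """The certificate and cipher details SSL Control sees in one handshake
    (constructed model, not the firewall's internal representation)."""
    subject_cn: str
    issuer_cn: str
    sig_hash: str      # digest used to sign the certificate, e.g. "sha256", "md5"
    cipher_bits: int   # symmetric key length negotiated for the session


@dataclass
class SslControlPolicy:
    trusted_cas: set                       # issuer CNs in the System > Certificates store
    blacklist: list = field(default_factory=list)
    whitelist: list = field(default_factory=list)
    detect_self_signed: bool = True
    detect_untrusted_ca: bool = True
    detect_weak_ciphers: bool = True       # <64-bit symmetric ciphers
    detect_md5: bool = True

    @staticmethod
    def _matches(cn, patterns):
        """List matching is on the subject CN of the certificate, not the URL."""
        cn = cn.lower()
        return any(p.lower() in cn for p in patterns)

    def inspect(self, x):
        """Return the SSL Control events raised for one exchange; [] means not flagged."""
        if self._matches(x.subject_cn, self.whitelist):
            # Assumption: a whitelist match exempts the exchange from the other checks,
            # which is what the caveat about whitelisting appliance CNs relies on.
            return ["SSL Control: Website found in whitelist"]
        events = []
        if self._matches(x.subject_cn, self.blacklist):
            events.append("SSL Control: Website found in blacklist")
        # Self-signed: issuer CN and subject CN match
        if self.detect_self_signed and x.issuer_cn == x.subject_cn:
            events.append("SSL Control: Self-signed certificate")
        # Untrusted CA: issuer not present in the certificate store
        elif self.detect_untrusted_ca and x.issuer_cn not in self.trusted_cas:
            events.append("SSL Control: Untrusted CA")
        if self.detect_weak_ciphers and x.cipher_bits < 64:
            events.append("SSL Control: Weak cipher (<64 bits)")   # assumed message text
        if self.detect_md5 and x.sig_hash.lower() == "md5":
            events.append("SSL Control: MD5 digest")              # assumed message text
        return events


def demo():
    """Constructed exchanges run through one policy; returns {subject_cn: events}."""
    policy = SslControlPolicy(
        trusted_cas={"Example Root CA"},
        blacklist=["proxy."],
        whitelist=["192.168.168.168"],   # default UTM appliance CN from the caveat above
    )
    exchanges = [
        SslExchange("www.example.com", "Example Root CA", "sha256", 128),
        SslExchange("192.168.168.168", "192.168.168.168", "sha1", 128),
        SslExchange("proxy.example.net", "Unknown CA Ltd", "sha256", 128),
        SslExchange("legacy.example.org", "Example Root CA", "md5", 40),
        SslExchange("10.0.0.9", "10.0.0.9", "sha256", 256),
    ]
    return {x.subject_cn: policy.inspect(x) for x in exchanges}
```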
Part 10:
Chapter 56: Configuring Client DPI-SSL Settings
DPI-SSL > Client SSL
This chapter contains the following sections:
• “DPI-SSL Overview” on page 793
• “Configuring Client DPI-SSL” on page 794
DPI-SSL Overview
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL’s Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic.
The DPI-SSL feature is available in SonicOS Enhanced 5.6 and higher. The following table shows which platforms support DPI-SSL and the maximum number of concurrent connections on which the appliance can perform DPI-SSL inspection.
To enable Client DPI-SSL inspection, perform the following steps:
1. Navigate to the DPI-SSL > Client SSL page.
2. Select the Enable SSL Inspection checkbox.
3. Select which of the following services to perform inspection with: Intrusion Prevent, Gateway Anti-Virus, Gateway Anti-Spyware, Application Firewall, and Content Filter.
4. Click Accept.
Configuring the Inclusion/Exclusion List
By default, DPI-SSL applies to all traffic on the appliance when it is enabled.
Common Name Exclusions
The Common Name Exclusions section is used to add domain names to the exclusion list. To add a domain name, type it in the text box and click Add. Click Apply at the top of the page to confirm the configuration.
Note: The maximum size of the Common Name Exclusion list is a total of 8192 bytes (or 8192 characters).
Tip: You can enter multiple entries at once by separating the entries with the ^ delimiter.
Creating a PKCS-12 Formatted Certificate File
A PKCS-12 formatted certificate file can be created on a Linux system with OpenSSL. To create one, you need the two main components of the certificate:
• Private key (typically a file with a .key extension or the word key in the filename)
• Certificate with a public key (typically a file with a .crt extension or the word cert as part of the filename).
Application Firewall
Enable the Application Firewall checkbox on the Client DPI-SSL screen and enable Application Firewall on the Application Firewall > Policies screen.
1. Navigate to the DPI-SSL > Client SSL page.
2. Select the Enable SSL Inspection checkbox and the Application Firewall checkbox.
3. Click Apply.
4. Navigate to the Application Firewall > Policies page.
5. Enable Application Firewall.
6. Configure an HTTP Client policy to block the Microsoft Internet Explorer browser.
Chapter 57: Configuring Server DPI-SSL Settings
DPI-SSL > Server SSL
This chapter contains the following sections:
• “DPI-SSL Overview” on page 799
• “Configuring Server DPI-SSL Settings” on page 800
DPI-SSL Overview
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL’s Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic.
The DPI-SSL feature is available in SonicOS Enhanced 5.6. The following table shows which platforms support DPI-SSL and the maximum number of concurrent connections on which the appliance can perform DPI-SSL inspection.
Configuring General Server DPI-SSL Settings
To enable Server DPI-SSL inspection, perform the following steps:
1. Navigate to the DPI-SSL > Server SSL page.
2. Select the Enable SSL Inspection checkbox.
3. Select which of the following services to perform inspection with: Intrusion Prevent, Gateway Anti-Virus, Gateway Anti-Spyware, and Application Firewall.
4. Click Apply.
5.
• On the User Object/Group line, select a user object or group from the Exclude pulldown menu to exempt it from DPI-SSL inspection.
Note: The Include pulldown menu can be used to fine-tune the specified exclusion list. For example, by selecting the Remote-office-California address object in the Exclude pulldown and the Remote-office-Oakland address object in the Include pulldown.
Part 11:
Chapter 58: Configuring VoIP Support
VoIP Overview
This section provides an overview of VoIP.
The same security threats that plague data networks today are inherited by VoIP, but the addition of VoIP as an application on the network makes those threats even more dangerous. By adding VoIP components to your network, you’re also adding new security requirements. VoIP encompasses a number of complex standards that leave the door open for bugs and vulnerabilities within the software implementation.
H.323
H.323 is a standard developed by the International Telecommunications Union (ITU). It is a comprehensive suite of protocols for voice, video, and data communications between computers, terminals, network devices, and network services. H.323 is designed to enable users to make point-to-point multimedia phone calls over connectionless packet-switching networks such as private IP networks and the Internet. H.
SonicWALL’s VoIP Capabilities
The following sections describe SonicWALL’s integrated VoIP service:
• “VoIP Security” on page 808
• “VoIP Network” on page 809
• “VoIP Network Interoperability” on page 809
• “Supported VoIP Protocols” on page 810
• “How SonicOS Handles VoIP Calls” on page 813
• Traffic legitimacy – Stateful inspection of every VoIP signaling and media packet traversing the firewall ensures all traffic is legitimate.
VoIP Overview VoIP Network • Note VoIP over Wireless LAN (WLAN) - SonicWALL extends complete VoIP security to attached wireless networks with its Distributed Wireless Solution. All of the security features provided to VoIP devices attached to a wired network behind a SonicWALL are also provided to VoIP devices using a wireless network. SonicWALL’s Secure Wireless Solution includes the network enablers to extend secure VoIP communications over wireless networks.
VoIP Overview • Configurable inactivity timeouts for signaling and media - In order to ensure that dropped VoIP connections do not stay open indefinitely, SonicOS monitors the usage of signaling and media streams associated with a VoIP session. Streams that are idle for more than the configured timeout are shut down to prevent potential security holes. • SonicOS allows the administrator to control incoming calls - By requiring that all incoming calls are authorized and authenticated by the H.
VoIP Overview – SIP INFO method (RFC 2976) – Reliability of provisional responses in SIP (RFC 3262) – SIP specific event notification (RFC 3265) – SIP UPDATE method (RFC 3311) – DHCP option for SIP servers (RFC 3361) – SIP extension for instant messaging (RFC 3428) – SIP REFER method (RFC 3515) – Extension to SIP for symmetric response routing (RFC 3581) SonicWALL VoIP Vendor Interoperability The following is a partial list of devices from leading manufacturers with which SonicWALL VoIP interoperates. H.
VoIP Overview CODECs SonicOS supports media streams from any CODEC - Media streams carry audio and video signals that have been processed by a hardware/software CODEC (COder/DECoder) within the VoIP device. CODECs use coding and compression techniques to reduce the amount of data required to represent audio/video signals. Some examples of CODECs are: • H.264, H.263, and H.261 for video • MPEG4, G.711, G.722, G.723, G.728, G.
VoIP Overview How SonicOS Handles VoIP Calls SonicOS provides an efficient and secure solution for all VoIP call scenarios. The following are examples of how SonicOS handles VoIP call flows. Incoming Calls The following figure shows the sequence of events that occurs during an incoming call. [Figure: incoming call flow between the VoIP Server and the Network Security Appliance] The following describes the sequence of events shown in the figure above: 7.
VoIP Overview 11. VoIP server returns phone B media IP information to phone A - Phone A now has enough information to begin exchanging media with Phone B. Phone A does not know that Phone B is behind a firewall, as it was given the public address of the firewall by the VoIP Server. 12. Phone A and phone B exchange audio/video/data through the VoIP server - Using the internal database, SonicOS ensures that media comes from only Phone A and is only using the specific media streams permitted by Phone B.
VoIP Settings 6. Phone A and phone B directly exchange audio/video/data - The SonicWALL security appliance routes traffic directly between the two phones over the LAN. Directly connecting the two phones reduces the bandwidth requirements for transmitting data to the VoIP server and eliminates the need for the SonicWALL security appliance to perform address translation.
VoIP Settings General VoIP Configuration SonicOS includes the VoIP configuration settings on the VoIP > Settings page. This page is divided into three configuration settings sections: General Settings, SIP Settings, and H.323 Settings. Configuring Consistent Network Address Translation (NAT) Consistent NAT enhances standard NAT policy to provide greater compatibility with peer-to-peer applications that require a consistent IP address to connect to, such as VoIP.
VoIP Settings Configuring SIP Settings By default, SIP clients use their private IP address in the Session Description Protocol (SDP) messages that are sent to the SIP proxy. If your SIP proxy is located on the public (WAN) side of the SonicWALL security appliance and SIP clients are on the private (LAN) side behind the firewall, the SDP messages are not translated and the SIP proxy cannot reach the SIP clients.
VoIP Settings The Additional SIP signaling port (UDP) for transformations setting allows you to specify a non-standard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VoIP services use different ports, such as 1560. Using this setting, the security appliance performs SIP transformation on these non-standard ports. Tip Vonage’s VoIP service uses UDP port 5061. Configuring H.323 Transformations Select Enable H.
VoIP Settings Bandwidth Management SonicOS offers an integrated traffic shaping mechanism through its Egress (outbound) and Ingress (inbound) management interfaces. Outbound BWM can be applied to traffic sourced from Trusted and Public zones (such as LAN and DMZ) destined to Untrusted and Encrypted zones (such as WAN and VPN). Inbound bandwidth management can be applied to traffic sourced from Untrusted and Encrypted zones destined to Trusted and Public zones.
VoIP Settings Configuring Bandwidth on the WAN Interface BWM configurations begin by enabling BWM on the relevant WAN interface, and specifying the available bandwidth on the interface in Kbps. This is performed from the Network > Interfaces page by selecting the Configure icon for the WAN interface, and navigating to the Advanced tab: Egress and Ingress BWM can be enabled jointly or separately on WAN interfaces.
VoIP Settings To configure Bandwidth Management on the SonicWALL security appliance: Step 1 Select Network > Interfaces. Step 2 Click the Edit icon in the Configure column in the WAN (X1) line of the Interfaces table. The Edit Interface window is displayed. Step 3 Click the Advanced tab. Step 4 Check Enable Egress (Outbound) Bandwidth Management and enter the total available WAN bandwidth in the Available Interface Egress Bandwidth Management field.
VoIP Settings Note You must select Bandwidth Management on the Network > Interfaces page for the WAN interface before you can configure bandwidth management for network access rules. To add access rules for VoIP traffic on the SonicWALL security appliance: Step 1 Go to the Firewall > Access Rules page, and under View Style click All Rules. Step 2 Click Add at the bottom of the Access Rules table. The Add Rule window is displayed.
VoIP Settings Step 13 Select Bandwidth Management, and enter the Guaranteed Bandwidth in Kbps. Step 14 Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field. Step 15 Assign a priority from 0 (highest) to 7 (lowest) in the Bandwidth Priority list. For higher VoIP call quality, ensure VoIP traffic receives HIGH priority. Tip Rules using Bandwidth Management take priority over rules without bandwidth management.
VoIP Settings Note SonicWALL recommends NOT selecting VoIP from the Services menu. Selecting this option opens up more TCP/UDP ports than are required, potentially opening up unnecessary security vulnerabilities. Step 5 Enter the name of the server in the Server Name field. Step 6 Enter the private IP address of the server. Specify an IP address in the range of addresses assigned to the zone where the server is located.
VoIP Settings • Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the LAN zone, the wizard binds the address object to the LAN zone. • Server Service Group Object - The wizard creates a service group object for the services used by the new server.
VoIP Settings Generic Deployment Scenario All three of the following deployment scenarios begin with the following basic configuration procedure: Step 1 Enable bandwidth management on the WAN interface on Network > Interfaces. Step 2 Configure SIP or H.323 transformations and inactivity settings on VoIP > Settings. Step 3 Configure the DHCP Server on the Network > DHCP Server page with static private IP address assignments to VoIP clients.
VoIP Settings See the “Using the Public Server Wizard” section for information on configuring this deployment. Deployment Scenario 2: Public VoIP Service The Public VoIP Service deployment uses a VoIP service provider, which maintains the VoIP server (either a SIP Proxy Server or H.323 Gatekeeper). The SonicWALL security appliance public IP address provides the connection from the SIP Proxy Server or H.323 Gatekeeper operated by the VoIP service provider.
VoIP Call Status Deployment Scenario 3: Trusted VoIP Service The organization deploys its own VoIP server on a DMZ or LAN to provide in-house VoIP services that are accessible to VoIP clients on the Internet or from local network users behind the security gateway. The following figure shows a trusted VoIP service topology. [Figure: trusted VoIP service topology with Public VoIP Clients]
VoIP Call Status • Called IP • Caller-ID • Protocol • Bandwidth • Time Started Click Flush All to remove all VoIP call entries.
Chapter 59: Configuring Anti-Spam Anti-Spam This chapter describes how to activate, configure, and manage the Comprehensive Anti-Spam Service on a SonicWALL UTM appliance.
Anti-Spam What is Anti-Spam? The Anti-Spam feature provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and anti-virus capabilities to your existing SonicWALL UTM appliance. In a typical configuration of Anti-Spam, the administrator chooses to add Anti-Spam capabilities by selecting it in the SonicOS interface and licensing it.
Anti-Spam • Better protection for users from phishing attacks How Does the Anti-Spam Service Work? This section describes the Anti-Spam feature, including the SonicWALL GRID Network, and how it interacts with SonicOS as a whole. The two points of significant connection with SonicOS are Address and Service Objects. You can use the address and service objects to configure the Anti-Spam feature to function smoothly with SonicOS.
Anti-Spam Evaluation Description Block-list This IP address is banned from connecting to the SonicWALL UTM appliance. Reputation-list If the IP address is not in the previous lists, the SonicWALL UTM appliance checks with the GRID Network to see if this IP address has a bad reputation. Defer-list Connections from this IP address are deferred. A set interval must pass before the connection is allowed.
Anti-Spam Objects Created When the Anti-Spam Service Is Enabled This section provides an example of the type of rules and objects generated automatically as Firewall Access Rules, NAT Policies and Service Objects. These objects are not editable and will be removed if the Anti-Spam service is disabled. The Firewall > Access Rules page shows the generated rules used for Anti-Spam. Figure 59:14 Generated Access Rules The rows outlined in red are the access rules generated when Anti-Spam is activated.
Purchasing an Anti-Spam License Figure 59:16 Generated NAT Policies The rows outlined in red are the policies generated when Anti-Spam is activated. The row outlined in green is the default policy that Anti-Spam creates if there are no existing mail server policies. Objects Created by the Wizard Objects created from an administrator’s interaction with the wizard can be edited and stay in the system even if the Anti-Spam service is disabled.
Purchasing an Anti-Spam License • Anti-Spam License for the UTM • One of the following Microsoft Windows Servers: – Windows Server 2003 (32-bit) – Windows SBS 2003 Server (32-bit) – Windows Server 2008 (32-bit, 64-bit) – Windows SBS 2008 Server (64-bit)
Anti-Spam > Status Purchasing an Anti-Spam license for the firewall can be done directly through mySonicWALL.com or through your reseller. Note Your UTM appliance must be registered with mySonicWALL.com before use. Refer to the SonicWALL UTM Getting Started Guide for further information on registering your appliance. Step 1 Open a Web browser on the computer you are using to manage the SonicWALL security appliance, and enter http://www.mySonicWALL.com in the location or address field.
Anti-Spam > Status The status page also includes the Email Stream Diagnostics Capture section. Start the capture to create an application-formatted report on the SMTP-related traffic passing through your SonicWALL UTM appliance. Stop the capture at any time. Download the data to view the information in another application. This report only contains inbound traffic.
Anti-Spam > Settings Anti-Spam > Settings Once you have registered Anti-Spam for UTM, activate it to start your UTM appliance-level protection from spam, phishing, and virus messages. Step 1 Navigate to the Anti-Spam menu item in the navigation bar. You are directed to the Settings submenu. Step 2 Click Enable Anti-Spam Service to activate the Anti-Spam for UTM feature. Step 3 Next, click the Junk Store Installer icon to install the junk store on your Windows server.
Anti-Spam > Settings Response Effect Store in Junk Box The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting. (default setting) Permanently Delete The email message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email.
Anti-Spam > Settings Installing the Junk Store Anti-Spam for UTM can create a Junk Store on your Microsoft Exchange Server. The Junk Store quarantines messages for end-user analysis and provides statistics. Log in to your Exchange system, then open a browser and log in to the SonicWALL Web management interface, and install the Junk Store. Note that while SonicWALL supports non-Exchange SMTP servers, such as Sendmail and Lotus Domino, it is not required to install the Junk Store on one of these servers.
Anti-Spam > Statistics Step 7 Navigate to the Anti-Spam > Status page and verify that the SonicWALL Junk Store is Operational. It typically takes about 15 minutes for the Junk Store to become operational. Anti-Spam > Statistics Use this page to view the statistics on how many messages are being blocked by your Anti-Spam for UTM feature. The type of message blocked and the number are listed.
Anti-Spam > Real-Time Black List Filter RBL list providers publish their lists using DNS. Blacklisted IP addresses appear in the database of the list provider's DNS domain using inverted IP notation of the SMTP server in question as a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates some type of undesirability: For example, if an SMTP server with IP address 1.2.3.4 has been blacklisted by RBL list provider sbl-xbl.spamhaus.org, then a DNS query to 4.3.2.1.sbl-xbl.spamhaus.
Anti-Spam > Real-Time Black List Filter When Enable Real-time Black List Blocking is enabled on the Anti-Spam > RBL Filter page, inbound connections from hosts on the WAN, or outbound connections to hosts on the WAN are checked against each enabled RBL service with a DNS request to the DNS servers configured under RBL DNS Servers. The RBL DNS Servers menu allows you to specify the DNS servers. You can choose Inherit Settings from WAN Zone or Specify DNS Servers Manually.
Anti-Spam > Real-Time Black List Filter Adding RBL Services You can add additional RBL services in the Real-time Black List Services section. To add an RBL service, click the Add button. In the Add RBL Domain window, you specify the RBL domain to be queried, enable it for use, and specify its expected response codes. Most RBL services list the responses they provide on their Web site, although selecting Block All Responses is generally acceptable.
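The RBL lookup described above (inverted-octet query name, 127.0.0.2 to 127.0.0.9 as listing codes, per-service expected response codes or Block All Responses) can be followed end to end in the added example below. It is illustrative code written for this page, not SonicOS code; the resolver is a constructed in-memory zone standing in for the configured RBL DNS Servers, and the rbl.example.test service is a hypothetical RBL used only to show a response outside the documented range.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Set

# Listing codes as documented on the page: an A record from 127.0.0.2 through
# 127.0.0.9 means the queried IP is listed; anything else counts as "not listed".
LISTED_LOW = ipaddress.IPv4Address("127.0.0.2")
LISTED_HIGH = ipaddress.IPv4Address("127.0.0.9")


def rbl_query_name(smtp_ip: str, rbl_domain: str) -> str:
    """Build the DNSBL query name: the SMTP server's octets reversed, prefixed to the RBL domain."""
    addr = ipaddress.IPv4Address(smtp_ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{rbl_domain.rstrip('.')}"


def is_listing_code(answer: str) -> bool:
    """True when an A-record answer falls in the documented 127.0.0.2-127.0.0.9 range."""
    try:
        code = ipaddress.IPv4Address(answer)
    except ValueError:
        return False  # NXDOMAIN text, garbage, or a non-IPv4 answer is never a listing
    return LISTED_LOW <= code <= LISTED_HIGH


def rbl_verdict(smtp_ip: str,
                services: Dict[str, Optional[Set[str]]],
                resolve: Callable[[str], Iterable[str]]) -> Optional[str]:
    """Check one connecting SMTP server against every enabled RBL service.

    services maps an RBL domain to the set of response codes the administrator
    accepts for it, or None for "Block All Responses". resolve(name) returns the
    A-record answers for a DNS name (an empty list when the name does not exist).
    Returns a short reason when the connection should be blocked, otherwise None.
    """
    for domain, accepted in services.items():
        for answer in resolve(rbl_query_name(smtp_ip, domain)):
            if not is_listing_code(answer):
                continue  # outside the listing range: ignore rather than block
            if accepted is None or answer in accepted:
                return f"blocked by {domain} ({answer})"
    return None


# Constructed stand-in for the RBL DNS servers; nothing here touches the network.
FAKE_ZONE = {
    "4.3.2.1.sbl-xbl.spamhaus.org": ["127.0.0.2"],   # the page's worked example
    "10.0.0.203.rbl.example.test": ["127.0.0.11"],   # hypothetical service, code outside the range
}


def fake_resolve(name: str):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    services = {"sbl-xbl.spamhaus.org": None, "rbl.example.test": None}
    for ip in ("1.2.3.4", "203.0.0.10", "198.51.100.7"):
        print(ip, "->", rbl_verdict(ip, services, fake_resolve) or "accepted")
```

Restricting a service to specific codes (for example {"127.0.0.3"}) is the equivalent of entering expected response codes in the Add RBL Domain window instead of selecting Block All Responses: a host listed under a different code is then not blocked by that service.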
Anti-Spam > Junk Box Summary Anti-Spam > Junk Box Summary The Junk Store sends an email message to users listing all the messages that have been placed in their Junk Box. The Junk Box Summary includes a number of blocked messages (per user) and a list of quarantined emails, with corresponding links to view and unjunk these messages. To manage the Junk Box summary: Step 1 Choose Frequency of Summaries from the drop-down box. Step 2 Choose the dates and times to receive email notification.
Anti-Spam > Junk Box View Anti-Spam > Junk Box View On the Anti-Spam > Junk Box View page, you can view, search, and manage all email messages that are currently in the Junk Store on the Exchange or SMTP server. This functionality is only available if the Junk Store is installed. Searching the Junk Store Search the Junk Store for a text string in any of the following email fields: • To • Subject • From • Date Or, select one or more email threat categories to search.
Anti-Spam > Junk Box View Click the Go button to perform the search. The results are displayed in the bottom section of the page. Managing the Junk Store in the Junk Box View Use the buttons at the top and bottom of the search results list to perform the following Junk Store management tasks on the Anti-Spam > Junk Box View page: Check All Select the checkbox for all lines on the page.
Anti-Spam > Junk Box Settings Anti-Spam > Junk Box Settings The Junk Box Settings page allows the Administrator to set the length of time that messages are stored in the Junk Box before being deleted and the number of Junk Box messages to be displayed per page. Anti-Spam > User View Setup The User View Setup page allows the Administrator to select and configure which settings will be visible for Users.
Anti-Spam > Address Books Address Book To allow users to see their own Address Book in the navigation toolbar, select the Address Books toolbar from the User View Setup section. User Download Settings Select the corresponding checkbox to Allow users to download the SonicWALL Junk Button for Outlook or Allow users to download SonicWALL Anti-Spam Desktop for Outlook and Outlook Express from the User View.
Anti-Spam > Address Books Allowed Lists To add a sender to the Corporate Allowed List, navigate to the Allowed tab, then click the Add button. A dialog box will display where you will need to select the list type between People, Companies, or Lists. After selecting one of these, you can then enter the email address(es) in the space provided. Click Add to finish. The email address(es) will be added to the list on the Allowed Address Books page.
Anti-Spam > Address Books Blocked Lists To add a sender to the Corporate Blocked List, navigate to the Blocked tab, then click the Add button. A dialog box will display where you will need to select the list type between People and Companies. After selecting one of these, you can then enter the email address(es) in the space provided. Click Add to finish. The email address(es) will be added to the list on the Blocked Address Books page.
Anti-Spam > Manage Users Anti-Spam > Manage Users The Users page allows the Administrator to add, remove, and manage all users, both on the Global and LDAP servers. For more information regarding LDAP Configuration, refer to “Anti-Spam > LDAP Configuration” section on page 857. User View Setup Using Source The Using Source field allows the administrator to select which server, or source, to view.
Anti-Spam > LDAP Configuration Adding Users To add a user to the Global or LDAP Server, click the Add button. Enter the Primary Address of the user, select which server the user belongs to from the Using Source dropdown menu, then enter any Aliases. Click Add to finish adding a user. Anti-Spam > LDAP Configuration The LDAP Configuration screen allows the Administrator to configure various settings specific to the LDAP server.
Anti-Spam > LDAP Configuration • Port Number—The port number of the LDAP Server. The default port number is 389. • LDAP Server Type—Choose from the dropdown list of servers: Active Directory, Lotus Domino, Exchange 5.5, Sun ONE iPlanet, or Other. • LDAP Page Size—The maximum page size on the LDAP Server to be queried. • Requires SSL—Selecting this enables the LDAP Server to require SSL. • Allow LDAP Referrals—Selecting this allows LDAP referrals.
Anti-Spam > LDAP Configuration • Directory Node to Begin Search—Specify a full LDAP directory path that points towards a node containing the information for all groups in the directory. • Filter—Specify an LDAP filter to easily find and identify users and mailing lists on the server. In this example, (&(|(objectClass=group)(objectClass=person)(objectClass=publicFolder))(mail=*)) • User Login Name Attribute—Specify the text attribute the user will use as their ‘login name.
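To make the example filter above concrete, the added code below parses an RFC 4515 search filter (the subset it uses: &, |, !, equality and presence tests) and evaluates it against a few constructed directory entries, showing which entries the filter on the page would select. This is an illustration written for this page, not the appliance's LDAP client; the entries are made up, and the evaluator does not handle escaped characters or substring, approximate and extensible matches.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]  # LDAP attributes are multi-valued


def parse_filter(text: str):
    """Parse an RFC 4515 filter into a tuple tree, e.g. ('and', [('eq', 'mail', 'x'), ...])."""
    s = text.strip()
    pos, node = _parse_item(s, 0)
    if pos != len(s):
        raise ValueError(f"unexpected trailing data at offset {pos}")
    return node


def _parse_item(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op = "and" if s[i] == "&" else "or"
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse_item(s, i)
            children.append(child)
        if not children or i >= len(s) or s[i] != ")":
            raise ValueError(f"malformed {op} filter near offset {i}")
        return i + 1, (op, children)
    if s[i] == "!":
        i, child = _parse_item(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"malformed not filter near offset {i}")
        return i + 1, ("not", child)
    end = s.find(")", i)
    if end < 0:
        raise ValueError(f"missing ')' after offset {i}")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    # "attr=*" is a presence test; anything else is an equality match
    return end + 1, (("present", attr) if value == "*" else ("eq", attr, value))


def _attribute_values(entry: Entry, attr: str) -> List[str]:
    # Attribute names are case-insensitive in LDAP.
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def matches(node, entry: Entry) -> bool:
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = _attribute_values(entry, node[1])
    if kind == "present":
        return bool(values)
    # equality: case-insensitive, as the common caseIgnoreMatch rule behaves
    return any(v.lower() == node[2].lower() for v in values)


def select(filter_text: str, directory: List[Entry]) -> List[str]:
    """Return the cn of every entry the filter matches, in directory order."""
    tree = parse_filter(filter_text)
    return [e["cn"][0] for e in directory if matches(tree, e)]


# The filter shown on the page.
PAGE_FILTER = "(&(|(objectClass=group)(objectClass=person)(objectClass=publicFolder))(mail=*))"

# Constructed directory entries (not from any real server).
DIRECTORY = [
    {"cn": ["Alice Example"], "objectClass": ["top", "person", "user"], "mail": ["alice@example.test"]},
    {"cn": ["Sales Team"], "objectClass": ["top", "group"], "mail": ["sales@example.test"]},
    {"cn": ["svc-backup"], "objectClass": ["top", "person", "user"]},           # no mailbox
    {"cn": ["FILESRV01"], "objectClass": ["top", "computer"], "mail": ["filesrv@example.test"]},
]

if __name__ == "__main__":
    print(select(PAGE_FILTER, DIRECTORY))  # users and groups that have a mail attribute
```

The (mail=*) presence test is what keeps mail-less accounts such as service users out of the result, and the objectClass alternatives are what exclude computer objects even when they carry a mail attribute.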
Anti-Spam > LDAP Configuration 5. Add the NetBIOS domain name(s) to the Domains section, separating multiple domains with a comma. 6. Click Save Changes to finish. Conversion Rules On certain LDAP servers, such as Lotus Domino, some valid email addresses do not appear in the LDAP. The Conversion Rules section changes the way the SonicWALL Email Security appliance interprets certain email addresses, providing a way to map the email address to the LDAP Server.
Anti-Spam > Advanced Anti-Spam > Advanced The Advanced page allows the Administrator to download system or log files, as well as configure the log level. Download System/Log Files You can download log files or system configuration files from your SonicWALL Email Security server. Select from the Type of file dropdown list to select the type of file to download. Then under the Choose specific files category, you can select one or more specific items.
Anti-Spam > Downloads Anti-Spam > Downloads The Downloads page allows the Administrator to download and install one of SonicWALL’s latest spam-blocking buttons on your desktop.
Chapter 60: Configuring VPN Policies VPN > Settings The VPN > Settings page provides the SonicWALL features for configuring your VPN policies. You can configure site-to-site VPN policies and GroupVPN policies from this page. VPN Overview A Virtual Private Network (VPN) provides a secure connection between two or more computers or protected networks over the public Internet. It provides authentication to ensure that the information is going to and from the correct parties.
VPN > Settings Prior to the invention of Internet Protocol Security (IPsec) and Secure Socket Layer (SSL), secure connections between remote computers or networks required a dedicated line or satellite link. This was both inflexible and expensive. A VPN creates a connection with similar reliability and security by establishing a secure tunnel through the Internet.
VPN > Settings One advantage of SSL VPN is that SSL is built into most Web browsers. No special VPN client software or hardware is required. Note SonicWALL makes SSL VPN devices that you can use in concert with or independently of a SonicWALL UTM appliance running SonicOS. For information on SonicWALL SSL VPN appliances, see the SonicWALL Website: http://www.sonicwall.com/us/products/Secure_Remote_Access
VPN > Settings Aggressive Mode: To reduce the number of messages exchanged during authentication by half, the negotiation of which cryptographic algorithm to use is eliminated. The initiator proposes one algorithm and the responder replies if it supports that algorithm: 1. The initiator proposes a cryptographic algorithm to use and sends its public key. 2. The responder replies with a public key and identity proof. 3. The initiator sends an identification proof.
VPN > Settings Initialization and Authentication in IKE v2 IKE v2 initializes a VPN tunnel with a pair of message exchanges (two message/response pairs). • Initialize communication: The first pair of messages (IKE_SA_INIT) negotiate cryptographic algorithms, exchange nonces (random values generated and sent to guard against repeated messages), and perform a public key exchange. a. Initiator sends a list of supported cryptographic algorithms, public keys, and a nonce. b.
VPN > Settings (DSL or cable) or dialup Internet access can securely and easily access your network resources with the SonicWALL Global VPN Client and SonicWALL GroupVPN on your SonicWALL. Remote office networks can securely connect to your network using site-to-site VPN connections that enable network-to-network VPN connections. Note For more information on the SonicWALL Global VPN Client, see the SonicWALL Global VPN Client Administrator’s Guide.
VPN > Settings – E-Mail ID – Domain name. • Peer ID Filter if using 3rd party certificates. • IKE (Phase 1) Proposal: – DH Group: • Group 1 • Group 2 • Group 5 Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
VPN > Settings • Certificate, if selected on security appliance: • User’s user name and password if XAUTH is required on the security appliance. Site-to-Site VPN Planning Checklist On the Initiator Typically, the request for an IKE VPN SA is made from the remote site.
VPN > Settings • Domain name • IP Address (IPV4) – Peer IKE ID: • Local Networks Choose local network from list (select an address object): Local network obtains IP addresses using DHCP through this VPN Tunnel (not used with IKEv2) Any address • Destination Networks Use this VPN Tunnel as default route for all Internet traffic Destination network obtains IP addresses using DHCP through this VPN Tunnel Choose destination network from list (select an address object): • IKE (Phase 1) Proposal: – Exch
VPN > Settings • AH – Encryption: • DES • 3DES • AES-128 • AES-192 • AES-256 • None – Authentication: • MD5 • SHA1 • None – Enable Perfect Forward Secrecy – Life Time (seconds): (default 28800) • Enable Keep Alive • Suppress automatic Access Rules creation for VPN Policy • Require authentication of VPN clients by XAUTH (not with IKEv2) – User Group for XAUTH users (the user group that will have access to this VPN if XAUTH is selected): • Enable Windows Networking (NetBIOS) Br
VPN > Settings • Name of this VPN: • IPsec Primary Gateway Name or Address: not required on the responder • IPsec Secondary Gateway Name or Address: not required on the responder • IKE Authentication for IKE using Preshared Secret: – Local IKE ID: (must match Peer IKE ID on initiator) • IP Address • Domain Name • Email Address • SonicWALL Identifier – Peer IKE ID: (must match Local IKE ID on initiator) • IP Address • Domain Name • Email Address • SonicWALL Identifier IKE Authenti
VPN > Settings VPN Policy Wizard The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN or site-to-site VPN policies on the SonicWALL security appliance. After completing the configuration, the wizard creates the necessary VPN settings for the selected policy. You can use the SonicWALL Management Interface for optional advanced configuration options. Note For step-by-step instructions on using the VPN Policy Wizard, see “Wizards > VPN Wizard” on page 1417.
VPN > Settings • Configure: Clicking the Edit icon allows you to edit the VPN policy. Clicking the Delete icon allows you to delete the VPN policy. The predefined GroupVPN policies cannot be deleted, so the Delete icons are dimmed. GroupVPN policies also have a Disk icon for exporting the VPN policy configuration as a file for local installation by SonicWALL Global VPN Clients. The number of VPN policies defined, policies enabled, and the maximum number of Policies allowed is displayed below the table.
VPN > Settings • Packets Out: The number of packets sent out from this tunnel. • Bytes In: The number of bytes received from this tunnel. • Bytes Out: The number of bytes sent out from this tunnel. • Fragmented Packets In: The number of fragmented packets received from this tunnel. • Fragmented Packets Out: The number of fragmented packets sent out from this tunnel.
VPN > Settings Configuring GroupVPN with IKE using Preshared Secret on the WAN Zone To configure the WAN GroupVPN, follow these steps: Step 1 Click the edit icon for the WAN GroupVPN entry. The VPN Policy window is displayed. Step 2 In the General tab, IKE using Preshared Secret is the default setting for Authentication Method. A Shared Secret is automatically generated by the SonicWALL security appliance in the Shared Secret field, or you can generate your own shared secret.
VPN > Settings Step 4 In the IKE (Phase 1) Proposal section, use the following settings: – Select the DH Group from the DH Group menu. Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5. – Select 3DES, AES-128, or AES-256 from the Encryption menu. – Select the desired authentication method from the Authentication menu. – Enter a value in the Life Time (seconds) field.
VPN > Settings – Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours. Step 6 Click the Advanced tab. Step 7 Select any of the following optional settings you want to apply to your GroupVPN policy: – Enable Windows Networking (NetBIOS) broadcast - Allows access to remote network resources by browsing the Windows® Network Neighborhood.
VPN > Settings – Allow Unauthenticated VPN Client Access - Allows you to enable unauthenticated VPN client access. If you uncheck Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated. Select an Address Object or Address Group from menu of predefined options, or select Create new address object or Create new address group to create a new one.
VPN > Settings • DHCP Lease - The Virtual Adapter will obtain its IP configuration from the DHCP Server only, as configured in the VPN > DHCP over VPN page. • DHCP Lease or Manual Configuration - When the GVC connects to the SonicWALL, the policy from the SonicWALL instructs the GVC to use a Virtual Adapter, but the DHCP messages are suppressed if the Virtual Adapter has been manually configured.
VPN > Settings Configuring GroupVPN with IKE using 3rd Party Certificates To configure GroupVPN with IKE using 3rd Party Certificates, follow these steps: Caution Before configuring GroupVPN with IKE using 3rd Party Certificates, your certificates must be installed on the SonicWALL. Step 1 In the VPN > Settings page click the edit icon under Configure. The VPN Policy window is displayed.
VPN > Settings (L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes. The fields are separated by the forward slash character, for example: /C=US/O=SonicWALL, Inc./OU=TechPubs/CN=Joe Pub Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon.
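The added example below renders a parsed Subject Name as the slash-separated string shown above and matches it against a c=*;o=*;ou=*;cn=* style pattern (up to three ou entries, trailing semicolon optional, "*" as a wildcard). It is illustrative code for this page, not the appliance's certificate matcher: the page does not define how multiple ou patterns pair with multiple OU values or how attributes absent from the pattern are treated, so this example's choices (ou patterns matched against OU values in order, attribute types not named in the pattern ignored, case-insensitive comparison) are assumptions.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("OU", "TechPubs")


def dn_to_string(rdns: List[RDN]) -> str:
    """Render a parsed Subject Name in the slash-separated form shown on the page."""
    return "".join(f"/{attr.upper()}={value}" for attr, value in rdns)


def parse_pattern(pattern: str) -> List[RDN]:
    """Parse 'c=*;o=*;ou=*;cn=*' into (TYPE, glob) pairs; a trailing ';' is tolerated."""
    parts: List[RDN] = []
    for item in pattern.split(";"):
        item = item.strip()
        if not item:
            continue  # empty trailing segment from an optional final semicolon
        attr, sep, glob = item.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad pattern item: {item!r}")
        parts.append((attr.strip().upper(), glob.strip()))
    if sum(1 for attr, _ in parts if attr == "OU") > 3:
        raise ValueError("at most three ou entries are supported")
    return parts


def subject_matches(rdns: List[RDN], pattern: str) -> bool:
    """True when every pattern entry is satisfied by the corresponding Subject attribute.

    Assumption (not from the page): repeated types such as OU are matched in order,
    a pattern entry with no remaining value of its type fails, and attribute types
    the pattern does not mention are ignored. Matching is case-insensitive.
    """
    wanted = parse_pattern(pattern)
    by_type: Dict[str, List[str]] = {}
    for attr, value in rdns:
        by_type.setdefault(attr.upper(), []).append(value)
    cursor: Dict[str, int] = {}
    for attr, glob in wanted:
        values = by_type.get(attr, [])
        idx = cursor.get(attr, 0)
        if idx >= len(values):
            return False  # pattern asks for a value the certificate does not carry
        if not fnmatchcase(values[idx].lower(), glob.lower()):
            return False
        cursor[attr] = idx + 1
    return True


# Constructed Subject Name, as the page's example would appear after decoding.
EXAMPLE_SUBJECT: List[RDN] = [
    ("C", "US"),
    ("O", "SonicWALL, Inc."),
    ("OU", "TechPubs"),
    ("CN", "Joe Pub"),
]

if __name__ == "__main__":
    print(dn_to_string(EXAMPLE_SUBJECT))
    for pat in ("c=US;o=SonicWALL, Inc.;ou=*;cn=*;", "c=US;o=*;ou=*;ou=*;cn=*"):
        print(pat, "->", subject_matches(EXAMPLE_SUBJECT, pat))
```

Because the O value in the example contains a comma, the pattern is split on semicolons only, which is why the page's syntax works for organization names such as "SonicWALL, Inc." without escaping.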
VPN > Settings compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPsec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
VPN > Settings – Allow Connections to - Client network traffic matching destination networks of each gateway is sent through the VPN tunnel of that specific gateway. • This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel.
VPN > Settings Exporting a VPN Client Policy If you want to export the Global VPN Client configuration settings to a file for users to import into their Global VPN Clients, follow these instructions: Caution The GroupVPN SA must be enabled on the SonicWALL to export a configuration file. Step 1 Click the Disk icon in the Configure column for the GroupVPN entry in the VPN Policies table. The Export VPN Client Policy window appears.
VPN > Settings Site-to-Site VPN Configurations When designing VPN connections, be sure to document all pertinent IP addressing information and create a network diagram to use as a reference. A sample planning sheet is provided on the next page. The SonicWALL must have a routable WAN IP address whether it is dynamic or static. In a VPN network with dynamic and static IP addresses, the VPN gateway with the dynamic address must initiate the VPN connection.
VPN > Settings Configuring a VPN Policy with IKE using Preshared Secret To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below: Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed. Step 2 In the General tab, select IKE using Preshared Secret from the Authentication Method menu. Step 3 Enter a name for the policy in the Name field.
VPN > Settings Optionally, specify a Local IKE ID (optional) and Peer IKE ID (optional) for this Policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWALL Identifier (ID_USER_FQDN) is used for Aggressive Mode. Step 7 Click the Network tab. Step 8 Under Local Networks, select a local network from Choose local network from list if a specific local network can access the VPN tunnel.
VPN > Settings Destination network obtains IP addresses using DHCP server through this tunnel. Alternatively, select Choose Destination network from list, and select the address object or group. Step 10 Click Proposals. Step 11 Under IKE (Phase 1) Proposal, select either Main Mode, Aggressive Mode, or IKEv2 from the Exchange menu. Aggressive Mode is generally used when WAN addressing is dynamically assigned.
– If you selected Main Mode or Aggressive Mode in the Proposals tab: • Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.
• If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example, if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, you should enter the IP address of your router into the Default LAN Gateway (optional) field. • Select an interface or zone from the VPN Policy bound to menu.
• To manage the local SonicWALL through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, HTTPS, or both in the User login via this SA to allow users to log in using the SA. • Enter the Default LAN Gateway if you have more than one gateway and you want this one always to be used first. • Select an interface or zone from the VPN Policy bound to menu.
Step 5 Click the Network tab. Step 6 Select a local network from Choose local network from list if a specific local network can access the VPN tunnel. If traffic can originate from any local network, select Any Address. Use this option if a peer has Use this VPN Tunnel as default route for all Internet traffic selected. You can only configure one SA to use this setting. Alternatively, select Choose Destination network from list, and select the address object or group.
Note The values for Protocol, Phase 2 Encryption, and Phase 2 Authentication must match the values on the remote SonicWALL. Step 10 Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default value. This encryption key is used to configure the remote SonicWALL encryption key; therefore, write it down to use when configuring the remote SonicWALL.
– If you have an IP address for a gateway, enter it into the Default LAN Gateway (optional) field. – Select an interface from the VPN Policy bound to menu. Step 13 Click OK. Step 14 Click Accept on the VPN > Settings page to update the VPN Policies. Configuring the Remote SonicWALL Security Appliance Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed. Step 2 In the General tab, select Manual Key from the IPsec Keying Mode menu.
Tip Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window.
Configuring a VPN Policy with IKE using a Third Party Certificate Warning You must have a valid certificate from a third party Certificate Authority installed on your SonicWALL before you can configure your VPN policy with IKE using a third party certificate. To create a VPN SA using IKE and third party certificates, follow these steps: Step 1 In the VPN > Settings page, click Add. The VPN Policy window is displayed.
– Distinguished Name - Based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. As with the E-Mail ID and Domain Name above, the entire Distinguished Name field must be entered for site-to-site VPNs. Wild card characters are not supported. The format of any Subject Distinguished Name is determined by the issuing Certificate Authority.
Step 11 Click the Proposals tab. Step 12 In the IKE (Phase 1) Proposal section, select the following settings: – Select Main Mode or Aggressive Mode from the Exchange menu. – Select the desired DH Group from the DH Group menu. Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5. – Select 3DES, AES-128, AES-192, or AES-256 from the Encryption menu.
– Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours. Step 14 Click the Advanced tab. Select any optional configuration options you want to apply to your VPN policy: – Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel.
– To manage the remote SonicWALL through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, HTTPS, or both in the User login via this SA to allow users to log in using the SA.
Not only does Route Based VPN make configuring and maintaining the VPN policy easier, a major advantage of the Route Based VPN feature is that it provides flexibility in how traffic is routed. With this feature, users can now define multiple paths for overlapping networks over a clear or redundant VPN. Using Route Based VPN Route Based VPN configuration is a two-step process. The first step involves creating a Tunnel Interface.
Step 3 Next, navigate to the Proposal tab and configure the IKE and IPsec proposals for the tunnel negotiation. Step 4 Navigate to the Advanced tab to configure the advanced properties for the Tunnel Interface. By default, Enable Keep Alive is enabled, so that the tunnel to the remote gateway is established proactively.
• Enable Transport Mode - Forces the IPsec negotiation to use Transport mode instead of Tunnel Mode. This has been introduced for compatibility with Nortel. When this option is enabled on the local firewall, it MUST be enabled on the remote firewall as well for the negotiation to succeed. • Require authentication of VPN clients by XAUTH - Requires that all inbound traffic on this VPN tunnel is from an authenticated user.
Route Entries for Different Network Segments After a tunnel interface is created, multiple route entries can be configured to use the same tunnel interface for different networks. This provides a mechanism to modify the network topology without making any changes to the tunnel interface.
Creating a Static Route for Drop Tunnel Interface To add a static route for the drop tunnel interface, navigate to Network > Routing > Routing Policies. Click the Add button. Similar to configuring a static route for a tunnel interface, configure the values for Source, Destination, and Service Objects. Under Interface, select “Drop_tunnelIf.” Once added, the route is enabled and displayed in the Route Policies.
are addresses using address spaces that can easily be supernetted. For example, assume we wanted to provide access to/from the LAN and DMZ at the hub site to one subnet at each of 2,000 remote sites, addressed as follows: remoteSubnet0=Network 10.0.0.0/24 (mask 255.255.255.0, range 10.0.0.0-10.0.0.255) remoteSubnet1=Network 10.0.1.0/24 (mask 255.255.255.0, range 10.0.1.0-10.0.1.255) remoteSubnet2=Network 10.0.2.0/24 (mask 255.255.255.0, range 10.0.2.0-10.0.2.255) remoteSubnet2000=10.7.207.
Chapter 61: Configuring Advanced VPN Settings
VPN > Advanced The VPN > Advanced page includes optional settings that affect all VPN policies.
Advanced VPN Settings • Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the SonicWALL. – Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The default value is 60 seconds. – Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the SonicWALL security appliance.
Note • Password updates can only be done by LDAP when using Active Directory with TLS and binding to it using an administrative account, or when using Novell eDirectory. IKEv2 Dynamic Client Proposal - SonicOS Enhanced firmware versions 4.0 and higher provide IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings.
Online Certificate Status Protocol determines the current status of a digital certificate without using a CRL. OCSP enables the client or application to directly determine the status of an identified digital certificate. This provides more timely information about the certificate than is possible with CRLs. In addition, each client typically only checks a few certificates and does not incur the overhead of downloading an entire CRL for only a few entries.
Using OCSP with VPN Policies The SonicWALL OCSP settings can be configured on a policy level or globally. To configure OCSP checking for individual VPN policies, use the Advanced tab of the VPN Policy configuration page. Step 1 Select the radio button next to Enable OCSP Checking. Step 2 Specify the OCSP Responder URL of the OCSP server, for example http:// 192.168.168.220:2560 where 192.168.168.
Chapter 62: Configuring DHCP Over VPN
VPN > DHCP over VPN The VPN > DHCP over VPN page allows you to configure a SonicWALL security appliance to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one IP subnet address space. This facilitates IP address administration for the networks using VPN tunnels.
Configuring the Central Gateway for DHCP Over VPN To configure DHCP over VPN for the Central Gateway, use the following steps: 1. Select VPN > DHCP over VPN. 2. Select Central Gateway from the DHCP Relay Mode menu. 3. Click Configure. The DHCP over VPN Configuration window is displayed. 4. Select Use Internal DHCP Server to enable the SonicWALL Global VPN Client or a remote firewall or both to use an internal DHCP server to obtain IP addressing information.
Configuring DHCP over VPN Remote Gateway Note 1. Select Remote Gateway from the DHCP Relay Mode menu. 2. Click Configure. The DHCP over VPN Configuration window is displayed. 3. In the General tab, the VPN policy name is automatically displayed in the Relay DHCP through this VPN Tunnel field if the VPN policy has the setting Local network obtains IP addresses using DHCP through this VPN Tunnel enabled. Only VPN policies using IKE can be used as VPN tunnels for DHCP.
Devices 9. To configure devices on your LAN, click the Devices tab. 10. To configure Static Devices on the LAN, click Add to display the Add LAN Device Entry window, and type the IP address of the device in the IP Address field and then type the Ethernet address of the device in the Ethernet Address field. An example of a static device is a printer, as it cannot obtain an IP lease dynamically.
Tip If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, i.e. two LANs. Current DHCP over VPN Leases The scrolling window shows the details on the current bindings: IP and Ethernet address of the bindings, along with the Lease Time, and Tunnel Name. To delete a binding, which frees the IP address in the DHCP server, select the binding from the list, and then click the Delete icon. The operation takes a few seconds to complete.
Chapter 63: Configuring L2TP Server
VPN > L2TP Server The SonicWALL security appliance can terminate L2TP-over-IPsec connections from incoming Microsoft Windows 2000 and Windows XP clients. In situations where running the SonicWALL Global VPN Client is not possible, you can use the SonicWALL L2TP Server to provide secure access to resources behind the SonicWALL security appliances. You can use Layer 2 Tunneling Protocol (L2TP) to create a VPN over public networks such as the Internet.
Configuring the L2TP Server The VPN > L2TP Server page provides the settings for configuring the SonicWALL security appliance as an L2TP Server. To configure the L2TP Server, follow these steps: 1. To enable L2TP Server functionality on the SonicWALL security appliance, select Enable L2TP Server. Then click Configure to display the L2TP Server Configuration window.
Currently Active L2TP Sessions Tip • User Name - The user name assigned in the local user database or the RADIUS user database. • PPP IP - The source IP address of the connection. • Zone - The zone used by the L2TP client. • Interface - The interface used to access the L2TP Server, whether it is a VPN client or another SonicWALL security appliance. • Authentication - Type of authentication used by the L2TP client.
Part 14
Chapter 64: SSL VPN
SSL VPN This chapter provides information on how to configure the SSL VPN features on the SonicWALL security appliance. SonicWALL’s SSL VPN features provide secure remote access to the network using the NetExtender client. NetExtender is an SSL VPN client for Windows, Mac, or Linux users that is downloaded transparently and that allows you to run any application securely on the company’s network. It uses Point-to-Point Protocol (PPP).
SSL VPN NetExtender Overview This section provides an introduction to the SonicOS Enhanced SSL VPN NetExtender feature. This section contains the following subsections: • “What is SSL VPN NetExtender?” on page 932 • “Benefits” on page 932 • “NetExtender Concepts” on page 932 What is SSL VPN NetExtender? SonicWALL’s SSL VPN NetExtender feature is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network.
Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.
NetExtender provides three options for configuring proxy settings: • Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically. • Use automatic configuration script - If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
Configuring Users for SSL VPN Access In order for users to be able to access SSL VPN services, they must be assigned to the SSLVPN Services group. Users who attempt to log in through the Virtual Office and do not belong to the SSLVPN Services group are denied access.
Configuring SSL VPN Access for RADIUS Users To configure RADIUS users for SSL VPN access, you must add the users to the SSLVPN Services user group. To do so, perform the following steps: Step 1 Navigate to the Users > Settings page. Step 2 In the Authentication Method for login pulldown menu, select RADIUS or RADIUS + Local Users. Step 3 Click the Configure button for Authentication Method for login. The RADIUS Configuration window displays. Step 4 Click on the RADIUS Users tab.
SSL VPN > Status The SSL VPN > Status page displays a summary of active NetExtender sessions, including the name, the PPP IP address, the physical IP address, login time, length of time logged in and logout time. The following table provides a description of the status items. • User Name - The user name. • Client Virtual IP - The IP address assigned to the user from the client IP address • Client WAN IP - The physical IP address of the user.
SSL VPN > Server Settings The SSL VPN > Server Settings page is used to configure details of the SonicWALL security appliance’s behavior as an SSL VPN server. The following options can be configured on the SSL VPN > Server Settings page. Note • SSL VPN Status on Zones: This displays the SSL VPN Access status on each Zone. Green indicates active SSL VPN status, while red indicates inactive SSL VPN status.
SSL VPN > Portal Settings The SSL VPN > Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website that users log in to in order to launch NetExtender. It can be customized to match any existing company website or design style. The following settings configure the appearance of the Virtual Office portal: • Portal Site Title - The text displayed in the top title of the web browser.
SSL VPN > Client Settings The Customized Logo field is used to display a logo other than the SonicWALL logo at the top of the Virtual Office portal. Enter the URL of the logo in the Customized Logo field. The logo must be in GIF format of size 155 x 36, and a transparent or light background is recommended.
Configuring the SSL VPN Client Address Range The SSL VPN Client Address Range defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support plus one (for example, the range for 15 users requires 16 addresses, such as 192.168.200.100 to 192.168.200.115).
Configuring NetExtender Client Settings NetExtender client settings are configured on the bottom of the SSL VPN > Client Settings page. The following settings customize the behavior of NetExtender when users connect and disconnect. • Default Session Timeout (minutes) - The default timeout value for client inactivity, after which the client’s session is terminated. • Enable NetBIOS Over SSLVPN - Allows NetExtender clients to broadcast NetBIOS to the SSL VPN subnet.
SSL VPN > Client Routes The SSL VPN > Client Routes page allows the administrator to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote users can access via the SSL VPN connection.
To configure SSL VPN NetExtender users and groups for Tunnel All Mode, perform the following steps. Step 1 Navigate to the Users > Local Users or Users > Local Groups page. Step 2 Click on the Configure button for an SSL VPN NetExtender user or group. Step 3 Click on the VPN Access tab. Step 4 Select the WAN RemoteAccess Networks address object and click the right arrow (->) button. Step 5 Click OK.
SSL VPN > Virtual Office The SSL VPN > Virtual Office page displays the Virtual Office web portal inside of the SonicOS UI.
• One of the following browsers: – Internet Explorer 6.0 and higher – Mozilla Firefox 1.5 and higher • To initially install the NetExtender client, the user must be logged in to the PC with administrative privileges. • Downloading and running scripted ActiveX files must be enabled on Internet Explorer.
• “Uninstalling NetExtender” section on page 963 • “Verifying NetExtender Operation from the System Tray” section on page 964 The following sections describe how to install and use NetExtender on a MacOS platform: • “Installing NetExtender on MacOS” section on page 965 • “Using NetExtender on MacOS” section on page 966 The following section describes how to install and use NetExtender on a Linux platform: • “Installing and Using NetExtender on Linux” section on page 968
Installing NetExtender Using the Mozilla Firefox Browser To use NetExtender for the first time using the Mozilla Firefox browser, perform the following: Step 1 Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.” Step 2 Click the NetExtender button.
Step 8 When NetExtender completes installing, the NetExtender Status window displays, indicating that NetExtender successfully connected. Closing the window (clicking on the x icon in the upper right corner of the window) will not close the NetExtender session, but will minimize it to the system tray for continued operation. Step 9 Review the following table to understand the fields in the NetExtender Status window.
Note It may be necessary to restart your computer when installing NetExtender on Windows Vista. Internet Explorer Prerequisites It is recommended that you add the URL or domain name of your SonicWALL security appliance to Internet Explorer’s trusted sites list. This will simplify the process of installing NetExtender and logging in, by reducing the number of security warnings you will receive.
Installing NetExtender from Internet Explorer To install and launch NetExtender for the first time using the Internet Explorer browser, perform the following: Step 1 Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.” Step 2 Click the NetExtender button. Step 3 The first time you launch NetExtender, you must first add the SSL VPN portal to your list of trusted sites.
Step 4 Click Instructions to add SSL VPN server address into trusted sites for help. Step 5 In Internet Explorer, go to Tools > Internet Options. Step 6 Click on the Security tab. Step 7 Click on the Trusted Sites icon and click on the Sites... button to open the Trusted sites window.
Step 8 Enter the URL or domain name of your SonicWALL security appliance in the Add this Web site to the zone field and click Add. Step 9 Click OK in the Trusted Sites and Internet Options windows. Step 10 Return to the SSL VPN portal and click on the NetExtender button. The portal will automatically install the NetExtender stand-alone application on your computer. The NetExtender installer window opens.
Step 12 If a warning message that NetExtender has not passed Windows Logo testing is displayed, click Continue Anyway. SonicWALL testing has verified that NetExtender is fully compatible with Windows Vista, XP, 2000, and 2003. Step 13 When NetExtender completes installing, the NetExtender Status window displays, indicating that NetExtender successfully connected.
Launching NetExtender Directly from Your Computer After the first access and installation of NetExtender, you can launch NetExtender directly from your computer without first navigating to the SSL VPN portal. To launch NetExtender, complete the following procedure: Step 1 Navigate to Start > All Programs. Step 2 Select the SonicWALL SSL VPN NetExtender folder, and then click on SonicWALL SSL VPN NetExtender. The NetExtender login window is displayed.
Configuring NetExtender Preferences Complete the following procedure to configure NetExtender preferences: Step 1 Right click on the icon in the system tray and click on Preferences... The NetExtender Preferences window is displayed. Step 2 The Connection Profiles tab displays the SSL VPN connection profiles you have used, including the IP address of the server, the domain, and the username.
Step 5 Note To have NetExtender automatically connect when you start your computer, check the Automatically connect with Connection Profile checkbox and select the appropriate connection profile from the pulldown menu. Only connection profiles that allow you to save your username and password can be set to automatically connect. Step 6 To have NetExtender launch when you log in to your computer, check the Automatically start NetExtender UI.
Configuring NetExtender Connection Scripts SonicWALL SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or websites. To configure NetExtender Connection Scripts, perform the following tasks. Step 1 Right click on the icon in the task bar and click on Preferences... The NetExtender Preferences window is displayed.
Configuring Batch File Commands NetExtender Connection Scripts can support any valid batch file commands. For more information on batch files, see the following Wikipedia entry: http://en.wikipedia.org/wiki/.bat. The following tasks provide an introduction to some commonly used batch file commands. Step 1 To configure the script that runs when NetExtender connects, click the Edit “NxConnect.bat” button. The NxConnect.bat file is displayed.
Configuring Proxy Settings SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. To manually configure NetExtender proxy settings, perform the following tasks. Step 1 Right click on the icon in the task bar and click on Preferences...
– Use proxy server - Select this option to enter the Address and Port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses that bypass the proxy server. If required, enter a User name and Password for the proxy server.
To save the log, either click the Export icon or go to Log > Export. To filter the log to display entries from a specific duration of time, go to the Filter menu and select the cutoff threshold. To filter the log by type of entry, go to Filter > Level and select one of the level categories. The available options are Fatal, Error, Warning, and Info, in descending order of severity. The log displays all entries that match or exceed the severity level.
Disconnecting NetExtender To disconnect NetExtender, perform the following steps: Step 1 Right click on the NetExtender icon in the system tray to display the NetExtender icon menu and click Disconnect. Step 2 Wait several seconds. The NetExtender session disconnects. You can also disconnect by double clicking on the NetExtender icon to open the NetExtender window and then clicking the Disconnect button.
Verifying NetExtender Operation from the System Tray To view options in the NetExtender system tray, right click on the NetExtender icon in the system tray. The following are some tasks you can perform with the system tray. Displaying Route Information To display the routes that NetExtender has installed on your system, click the Route Information option in the system tray menu. The system tray menu displays the default route and the associated subnet mask.
SSL VPN > Virtual Office Installing NetExtender on MacOS SonicWALL SSL VPN supports NetExtender on MacOS. To use NetExtender on your MacOS system, your system must meet the following prerequisites: • MacOS 10.4 and higher • Java 1.4 and higher • Both PowerPC and Intel Macs are supported. To install NetExtender on your MacOS system, perform the following tasks: Step 1 Navigate to the IP address of the SonicWALL security appliance.
SSL VPN > Virtual Office Step 5 When NetExtender is successfully installed and connected, the NetExtender status window displays. Using NetExtender on MacOS 966 Step 1 To launch NetExtender, go the Applications folder in the Finder and double click on NetExtender.app. Step 2 The first time you connect, you must enter the server name or IP address in the SSL VPN Server field. Step 3 Enter your username and password. Step 4 The first time you connect, you must enter the domain name.
SSL VPN > Virtual Office Step 7 When NetExtender is connected, the NetExtender icon is displayed in the status bar at the top right of your display. Click on the icon to display NetExtender options. Step 8 To display a summary of your NetExtender session, click Connection Status. Step 9 To view the routes that NetExtender has installed, go to the NetExtender menu and select Routes. Step 10 To view the NetExtender Log, go to Window > Log. SonicOS 5.8.
Step 11 To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
Step 12 Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.
Installing and Using NetExtender on Linux
SonicWALL SSL VPN supports NetExtender on Linux.
To install NetExtender on your Linux system, perform the following tasks:
Step 1 Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.”
Step 2 Click the NetExtender button. A pop-up window indicates that you have chosen to open the NetExtender.tgz file. Click OK to save it to your default download directory.
Step 6 Launch the NetExtender.tgz file and follow the instructions in the NetExtender installer. The new netExtender directory contains a NetExtender shortcut that can be dragged to your desktop or toolbar.
Step 7 The first time you connect, you must enter the server name or IP address in the SSL VPN Server field. NetExtender will remember the server name in the future.
Step 8 Enter your username and password.
Note You must be logged in as root to install NetExtender, although many Linux systems will allow the sudo ./install command to be used if you are not logged in as root.
Step 10 To view the NetExtender routes, go to the NetExtender menu and select Routes.
Step 11 To view the NetExtender Log, go to NetExtender > Log.
Step 12 To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
Step 14 Click Add Bookmark. The Add Bookmark window displays.
When user bookmarks are defined, the user will see the defined bookmarks from the SonicWALL SSL VPN Virtual Office home page. Individual user members are not able to delete or modify bookmarks created by the administrator.
Step 1 Type a descriptive name for the bookmark in the Bookmark Name field.
Step 3 For the specific service you select from the Service drop-down list, additional fields may appear. Fill in the information for the service you selected. Select one of the following service types from the Service drop-down list:
Terminal Services (RDP - ActiveX) or Terminal Services (RDP - Java)
Note If you select Terminal Services (RDP - ActiveX) while using a browser other than Internet Explorer, the selection is automatically switched to Terminal Services (RDP - Java).
the RDP Java client on Windows is a native RDP client that supports Plugin DLLs by default. The Enable plugin DLLs option is not available for RDP - Java. See the “Enabling Plugin DLLs” section on page 974.
– Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current SSL VPN session for login to the RDP server. Select Use custom credentials to enter a custom username, password, and domain for this bookmark.
Creating Bookmarks with Custom SSO Credentials
The administrator can configure custom Single Sign-On (SSO) credentials for each user, group, or globally in RDP bookmarks. This feature is used to access resources that need a domain prefix for SSO authentication. Users can log into SonicWALL SSL VPN as username, and click a customized bookmark to access a server with domain\username. Either plain text parameters or variables may be used for login credentials.
• Themes
• Bitmap caching
If the Java client application is RDP 6, it also supports:
• Dual monitors
• Font smoothing
• Desktop composition
Note RDP bookmarks can use a port designation if the service is not running on the default port.
Tip To terminate your remote desktop session, be sure to log off from the Terminal Server session.
Step 3 A window is displayed indicating that the Remote Desktop Client is loading. The remote desktop then loads in its own window. You can now access all of the applications and files on the remote computer.
Using VNC Bookmarks
Note VNC can have a port designation if the service is running on a different port.
Step 1 Click the VNC bookmark. The following window is displayed while the VNC client is loading.
Step 2 When the VNC client has loaded, you will be prompted to enter your password in the VNC Authentication window.
Step 3 To configure VNC options, click the Options button. The Options window is displayed. Table 2 describes the options that can be configured for VNC.
Table 2 VNC Options
Option: Encoding. Default: Tight. Description: Hextile is a good choice for fast networks, while Tight is better suited for low-bandwidth connections.
Option: Cursor shape updates. Default: Enable. Description: Cursor shape updates is a protocol extension used to handle remote cursor movements locally on the client side, saving bandwidth and eliminating delays in mouse pointer movement. Note that the current implementation of cursor shape updates does not allow a client to track the mouse cursor position at the server side.
Step 2 Click OK to any warning messages that are displayed. A Java-based Telnet window launches.
Step 3 If the device you are Telnetting to is configured for authentication, enter your username and password.
Using SSHv1 Bookmarks
Note SSH bookmarks can use a port designation for servers not running on the default port.
Step 1 Click on the SSHv1 bookmark. A Java-based SSH window is launched.
Step 2 Enter your username and password.
Tip Some versions of the JRE may cause the SSH authentication window to pop up behind the SSH window.
Using SSHv2 Bookmarks
Note SSH bookmarks can use a port designation for servers not running on the default port.
Step 1 Click on the SSHv2 bookmark. A Java-based SSH window displays. Type your user name in the Username field and click Login.
Step 2 A host key popup displays. Click Yes to accept and proceed with the login process.
Step 3 Enter your password and click OK.
Step 4 The SSH terminal launches in a new screen.
Part 15: Virtual Assist
Chapter 65: Configuring Virtual Assist
Virtual Assist
This chapter contains the following sections:
• “Virtual Assist Overview” on page 985
• “Virtual Assist > Status” on page 985
• “Virtual Assist > Settings” on page 986
• “Using Virtual Assist” on page 990
Virtual Assist Overview
Virtual Assist allows users to resolve customer technical issues without having to be on-site with the customer.
Virtual Assist > Settings
The status of each customer includes whether the customer is currently receiving Virtual Assist support, or their position in the queue to receive support. The status screen can also provide a summary of each customer’s issue, and the name of the assigned technician. The technician or administrator providing Virtual Assist must be located inside the local network of the appliance.
By setting a global assistance code for customers, you can restrict who enters the system to request help. The code can be a maximum of eight (8) characters, and can be entered in the Assistance Code field. Customers receive the code through an email provided by the technician or administrator. To allow customers to request Virtual Assist support without needing to provide a code, leave the Assistance Code field blank, and select the “Enable Support without invitation” checkbox.
These variables can also be used in the “Invitation Message” field, where users can further customize the body of the invitation email by entering the desired text. The message can be a maximum length of 800 characters. To utilize the email invitation capabilities of Virtual Assist, you must configure the appropriate Mail Server and Mail from Address settings on the Log > Automation screen within the SonicOS management interface.
In the “Request Settings” section of the Virtual Assist > Settings screen, you can configure various settings related to support request limits. The “Maximum Requests” field allows you to limit the number of customers that can be awaiting assistance in the queue at one time. The “Limit Message” field allows you to enter text to be displayed as a message to customers when there are currently no available spots in the queue because the maximum requests limit has been reached.
Using Virtual Assist
Enter the “Source Address Type” and “IP Address” that you wish to deny support requests from. Click “OK” to submit the information. The newly blocked address will now appear in the “Deny Request From Defined Address” screen section. Once you have completed all necessary adjustments to the Virtual Assist > Settings screen, click the “Accept” button to lock in your settings. Click “Cancel” to revert to the most recent settings.
The customer can download and install the VASAC from the customer login page if the option “Enable Support without Invitation” has been previously enabled by the administrator. If the option is disabled, customers must click the provided link from the invite email sent by the technician to download and launch the VASAC.
Once the technician has installed the VASAC, they can proceed to log in to Virtual Assist. The technician selects the “Technician” tab, fills in the required login parameters, and clicks the “Login” button. The main panel will then display for the technician. From this panel, the technician can double-click “Start” from the pop-up menu to initiate the support tunnel with the customer.
Part 16
Chapter 66: Managing Users and Authentication Settings
User Management
This chapter describes the user management capabilities of your SonicWALL security appliance for locally and remotely authenticated users.
SonicWALL security appliances provide a mechanism for user-level authentication that gives users access to the LAN from remote locations on the Internet, as well as a means to enforce or bypass content filtering policies for LAN users attempting to access the Internet. You can also permit only authenticated users to access VPN tunnels and send data across the encrypted connection.
Creating entries for dozens of users and groups takes time, although once the entries are in place they are not difficult to maintain. For networks with larger numbers of users, user authentication using LDAP or RADIUS servers can be more efficient.
[Figure: user authentication flow between the User Workstation, the Network Security Appliance E7500 and the Internet]
1 User attempts to access the web.
2 SNWL requires authentication of the User: redirects workstation to authenticate.
3 User authenticates with credentials.
You can also add or edit local groups. The configurable settings for groups include the following:
• Group settings - For administrator groups, you can configure SonicOS to allow login to the management interface without activating the login status popup window.
• Group members - Groups have members that can be local users or other local groups.
• VPN access - VPN access for groups is configured in the same way as VPN access for users.
Using LDAP / Active Directory / eDirectory Authentication
Lightweight Directory Access Protocol (LDAP) defines a directory services structure for storing and managing information about elements in your network, such as user accounts, user groups, hosts, and servers. Several different standards exist that use LDAP to manage user accounts, groups, and permissions. Some are proprietary systems, like Microsoft Active Directory, which you can manage using LDAP.
SonicOS Enhanced provides support for directory servers running the following protocols:
• LDAPv2 (RFC3494)
• LDAPv3 (RFC2251-2256, RFC3377)
• LDAPv3 over TLS (RFC2830)
• LDAPv3 with STARTTLS (RFC2830)
• LDAP Referrals (RFC2251)
LDAP Terms
The following terms are useful when working with LDAP and its variants:
• Schema – The schema is the set of rules or the structure that defines the types of data that can be stored in a directory, and how that data can be stored.
Further Information on LDAP Schemas
• Microsoft Active Directory: Schema information is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_reference.asp
• RFC2798 InetOrgPerson: Schema definition and development information is available at http://rfc.net/rfc2798.
Single Sign-On Overview
This section provides an introduction to the SonicWALL SonicOS Enhanced Single Sign-On feature.
Benefits of SonicWALL SSO
SonicWALL SSO is a reliable and time-saving feature that utilizes a single login to provide access to multiple network resources based on administrator-configured group memberships and policy matching. SonicWALL SSO is transparent to end users and requires minimal administrator configuration.
The SonicWALL SSO feature supports LDAP and local database protocols. SonicWALL SSO supports SonicWALL Directory Connector. SonicWALL SSO can also interwork with ADConnector in an installation that includes a SonicWALL CSM, but Directory Connector is recommended. For all features of SonicWALL SSO to work properly, SonicOS Enhanced 5.5 should be used with Directory Connector 3.1.7 or higher. To use SonicWALL SSO with Windows Terminal Services or Citrix, SonicOS Enhanced 5.
How Does Single Sign-On Work?
SonicWALL SSO requires minimal administrator configuration and is transparent to the user.
SonicWALL SSO Authentication Using the SSO Agent
For users on individual Windows workstations, the SSO Agent (on the SSO workstation) handles the authentication requests from the SonicWALL appliance. There are six steps involved in SonicWALL SSO authentication using the SSO Agent, as illustrated in the following figure.
SonicWALL SSO Authentication Using the Terminal Services Agent
For users logged in from a Terminal Services or Citrix server, the SonicWALL TSA takes the place of the SSO Agent in the authentication process. The process is different in several ways:
• The TSA runs on the same server that the user is logged into, and includes the user name and domain along with the server IP address in the initial notification to the SonicWALL appliance.
SonicWALL SSO Authentication Using Browser NTLM Authentication
For users who are browsing using Mozilla-based browsers (including Internet Explorer, Firefox, Chrome and Safari), the SonicWALL appliance supports identifying them via NTLM (NT LAN Manager) authentication. NTLM is part of a browser authentication suite known as “Integrated Windows Security” and is supported by all Mozilla-based browsers.
Note The shared key is generated in the SSO Agent, and the key entered in the SonicWALL security appliance during SSO configuration must match the SSO Agent-generated key exactly.
[Figure: SonicWALL SSO with SSO Agent. The SonicWALL UTM appliance (Network Security Appliance E7500) sits between the LAN and the Internet; the SSO Agent, default port 2258, is installed on any server with LAN access.]
1 A client logs into the network and attempts to access the Internet or other network resources.
• User login denied - SSO Agent timeout – Attempts to contact the SonicWALL SSO Agent have timed out.
• User login denied - SSO Agent configuration error – The SSO Agent is not properly configured to allow access for this user.
• User login denied - SSO Agent communication problem – There is a problem communicating with the workstation running the SonicWALL SSO Agent.
How Does SonicWALL Terminal Services Agent Work?
The SonicWALL TSA can be installed on any Windows Server machine with Terminal Services or Citrix installed. The server must belong to a Windows domain that can communicate with the SonicWALL security appliance directly using the IP address or using a path, such as VPN.
Multiple TSA Support
To accommodate large installations with thousands of users, SonicWALL network security appliances are configurable for operation with multiple terminal services agents (one per terminal server). The number of agents supported depends on the model, as shown in Table 3.
Connections to Local Subnets
The TSA dynamically learns network topology based on information returned from the appliance and, once learned, it will not send notifications to the appliance for subsequent user connections that do not go through the appliance. As there is no mechanism for the TSA to “unlearn” these local destinations, the TSA should be restarted if a subnet is moved between interfaces on the appliance.
• User group memberships can be set locally by duplicating LDAP user names (set in the LDAP configuration and applicable when the user group membership mechanism is LDAP)
• Polling rate
NTLM Authentication of Non-Domain Users
With NTLM, non-domain users could be users who are logged into their PC rather than into the domain, or could be users who were prompted to enter a user name and password and entered something other than their domain credentials.
• Browsers on Non-PC Platforms – Non-PC platforms such as Linux and Mac can access resources in a Windows domain through Samba, but do not have the concept of “logging the PC into the domain” as Windows PCs do. Hence, browsers on these platforms do not have access to the user’s domain credentials and cannot use them for NTLM.
How Does Multiple Administrators Support Work?
The following sections describe how the Multiple Administrators Support feature works:
• “Configuration Modes” section on page 1016
• “User Groups” section on page 1017
• “Priority for Preempting Administrators” section on page 1017
• “GMS and Multiple Administrator Support” section on page 1018
Configuration Modes
In order to allow multiple concurrent administrators, while also preventing potential conflicts caused by multiple adminis
Function Full admin Full admin in Read-only Limited in config mode non-config mode administrator administrator Configure network X Flush ARP cache X Setup DHCP Server X Renegotiate VPN tunnels X X Log users off X X Unlock locked-out users X X Clear log X X Filter logs X X X X Export log X X X X Email log X X X Configure log categories X X X X X X X guest users only X Configure log settings X X Generate log reports X X Browse the full UI X X
3. A user that is a member of the Limited Administrators user group can only preempt other members of the Limited Administrators group.
GMS and Multiple Administrator Support
When using SonicWALL GMS to manage a SonicWALL security appliance, GMS frequently logs in to the appliance (for such activities as ensuring that GMS management IPSec tunnels have been created correctly).
Configuring Settings on Users > Settings
On this page, you can configure the authentication method required, global user settings, and an acceptable use policy that is displayed to users when logging onto your network.
Configuration instructions for the settings on this page are provided in the following sections:
• “User Login Settings” on page 1020
• “User Session Settings” on page 1021
• “Other Global User Settings” on page 1022
• “Acceptable Use Policy” on page 1024
• “Customize Login Pages” on page 1026
User Login Settings
In the Authentication method for login drop-down list, select the type of user account management your network uses:
• Select Local Users to configure users in the local
• Select Browser NTLM authentication only if you want to authenticate Web users without using the SonicWALL SSO Agent or TSA. Users are identified as soon as they send HTTP traffic. NTLM requires RADIUS to be configured (in addition to LDAP, if using LDAP) for access to MSCHAP authentication. If LDAP is selected above, a separate Configure button for RADIUS appears here when NTLM is selected.
• Select None if not using SSO.
• Enable login session limit: you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field. The default value is 30 minutes.
• Show user login status window: causes a status window with a Log Out button to display during the user’s session. The user can click the Log Out button to log out of their session.
Auto-Configuration of URLs to Bypass User Authentication
You can use the Auto-Configure utility to temporarily allow traffic from a single specified IP address to bypass authentication. The destinations that traffic accesses are then recorded and used to allow that traffic to bypass user authentication. Typically this is used to allow traffic such as anti-virus updates and Windows updates.
Tip Windows Updates access some destinations via HTTPS, and those can only be tracked by IP address. However, the actual IP addresses accessed each time may vary, so rather than trying to set up a bypass for each such IP address, it may be better to use the Convert to network(s) option to allow bypass for HTTPS to all IP addresses in that network.
Step 6 When you have detected all of the necessary addresses, click Stop and then click Save Selected.
Acceptable use policy page content - Enter your Acceptable Use Policy text in the text box. You can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation.
Customize Login Pages
SonicOS now provides the ability to customize the text of the login authentication pages that are presented to users. Administrators can translate the login-related pages with their own wording and apply the changes so that they take effect without rebooting. Although the entire SonicOS interface is available in different languages, sometimes the administrator does not want to change the entire UI language to a specific local language.
Note The "var strXXX =" lines in the template pages are customized JavaScript strings. You can change them to your preferred wording. Modifications should follow the JavaScript syntax. You can also edit the wording in the HTML section.
5. Click Preview to preview how the customized page will look.
6. When you are finished editing the page, click Apply. Leave the Login Page Contents field blank and apply the change to revert to the default page for users.
• “Editing Local Users” on page 1031
• “Importing Local Users from LDAP” on page 1031
Configuring Local User Settings
The following global settings can be configured for all local users on the Users > Local Users page:
• Apply password constraints for all local users - Applies the password constraints that are specified on the System > Administration page to all local users. For more information on password constraints, see “Login Security Settings” on page 108.
• In the expanded view, click the remove icon under Configure to remove the user from a group.
• Click the edit icon under Configure to edit the user.
• Click the delete icon under Configure to delete the user or group in that row.
Adding Local Users
You can add local users to the internal database on the SonicWALL security appliance from the Users > Local Users page.
• If you select a limited lifetime, select the Prune account upon expiration checkbox to have the user account deleted after the lifetime expires. Disable this checkbox to have the account simply be disabled after the lifetime expires. The administrator can then re-enable the account by resetting the account lifetime.
Step 8 Optionally enter a comment in the Comment field.
Note Users must be members of the SSLVPN Services group before you can configure Bookmarks for them.
Step 12 Click OK to complete the user configuration.
Editing Local Users
You can edit local users from the Users > Local Users screen. To edit a local user:
Step 1 In the list of users, click the edit icon under Configure in the same line as the user you want to edit.
Step 2 Configure the Settings, Groups, VPN Access, and Bookmark tabs exactly as when adding a new user.
To import users from the LDAP server:
Step 1 In the Users > Settings page, set the Authentication Method to LDAP or LDAP + Local Users.
Step 2 In the Users > Local Users page, click Import from LDAP.
Step 3 In the LDAP Import Users dialog box, you can select individual users or select all users. To select all users in the list, select the Select/deselect all checkbox at the top of the list. To clear all selections, click it again.
• To remove certain users from the list on the basis of their location in the LDAP directory, select the All users radio button. In the first field, select either at or at or under from the drop-down list. In the second field, select the LDAP directory location from the drop-down list.
Note It is not necessary to remove users from the list in order not to import them. Doing so simply makes it easier to see those remaining in the list.
A default group, Everyone, is listed in the table. Click the edit icon in the Configure column to review or change the settings for Everyone.
See the following sections for configuration instructions:
• “Creating a Local Group” on page 1035
• “Importing Local Groups from LDAP” on page 1038
Creating a Local Group
This section describes how to create a local group, but also applies to editing existing local groups.
Step 3 On the Members tab, to add users and other groups to this group, select the user or group from the Non-Members Users and Groups list and click the right arrow button (->).
Step 4 The VPN Access tab configures which network resources VPN users (either GVC, NetExtender, or Virtual Office bookmarks) can access. On the VPN Access tab, select one or more networks from the Networks list and click the right arrow button (->) to move them to the Access List column.
Note You can configure SSL VPN Access Lists for numerous users at the group level. To do this, build an Address Object on the Network > Address Objects management interface, such as for a public file server that all users of a group need access to. This newly created object now appears on the VPN Access tab under “Networks,” so that you may assign groups by adding it to the Access List.
Importing Local Groups from LDAP
You can configure local user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import from LDAP... button launches a dialog box containing the list of user group names available for import to the SonicWALL. Having user groups on the SonicWALL with the same name as existing LDAP/AD user groups allows SonicWALL group memberships and privileges to be granted upon successful LDAP authentication.
Step 3 In the LDAP Import User Groups dialog box, optionally select the checkbox for groups that you do not want to import, and then click Remove from list.
Step 4 To undo all changes made to the list of groups, click Undo and then click OK in the confirmation dialog box.
Step 5 When finished pruning the list to a manageable size, select the checkbox for each group that you want to import into the SonicWALL, and then click Save selected.
• With L2TP, the relevant RADIUS protocol is automatically selected according to the PPP protocol being used.
• With VPN, including Global VPN Client, RADIUS MSCHAP/MSCHAPv2 mode can be forced to allow password updating. This can be selected in the VPN > Advanced page and the SSL VPN > Server Settings page.
• Other scenarios all involve authenticating internal users, and there is no need to provide a mechanism for password update (they can do it locally on their PCs).
RADIUS Servers
In the RADIUS Servers section, you can designate the primary and, optionally, the secondary RADIUS server. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network.
Step 1 In the Primary Server section, type the host name or IP address of the RADIUS server in the Name or IP Address field.
Step 2 Type the RADIUS server administrative password or “shared secret” in the Shared Secret field.
RADIUS Users Settings
To configure the RADIUS user settings:
Step 1 On the RADIUS Users tab, select Allow only users listed locally if only the users listed in the SonicWALL database are authenticated using RADIUS.
Step 2 Select the mechanism used for setting user group memberships for RADIUS users from the following choices:
• Select Use SonicWALL vendor-specific attribute on RADIUS server to apply a configured vendor-specific attribute from the RADIUS server.
Step 3 In the Members tab, select the members of the group. Select the users or groups you want to add in the left column and click the -> button. Click Add All to add all users and groups.
Note You can add any group as a member of another group except Everybody and All RADIUS Users.
Note Be aware of the membership of the groups you add as members of another group.
Step 4 In the VPN Access tab, select the network resources to which this group will have VPN Access by default.
RADIUS with LDAP for user groups
When RADIUS is used for user authentication, there is an option on the RADIUS Users page in the RADIUS configuration to allow LDAP to be selected as the mechanism for setting user group memberships for RADIUS users. When Use LDAP to retrieve user group information is selected, after authenticating a user via RADIUS, his/her user group membership information will be looked up via LDAP in the directory on the LDAP/AD server.
RADIUS Client Test
In the RADIUS Configuration dialog box, you can test your RADIUS client user name, password and other settings by typing in a valid user name and password and selecting one of the authentication choices for Test. Performing the test will apply any changes that you have made. To test your RADIUS settings:
Step 1 In the User field, type a valid RADIUS login name.
Step 2 In the Password field, type the password.
Configuring LDAP Integration in SonicOS Enhanced
Integrating your SonicWALL appliance with an LDAP directory service requires configuring your LDAP server for certificate management, installing the correct certificate on your SonicWALL appliance, and configuring the SonicWALL appliance to use the information from the LDAP server. For an introduction to LDAP, see “Using LDAP / Active Directory / eDirectory Authentication” on page 999.
Exporting the CA Certificate from the Active Directory Server
To export the CA certificate from the AD server:
Step 1 Launch the Certification Authority application: Start > Run > certsrv.msc.
Step 2 Right-click on the CA you created, and select Properties.
Step 3 On the General tab, click the View Certificate button.
Step 4 On the Details tab, select Copy to File.
Step 5 Step through the wizard, and select the Base-64 Encoded X.509 (.cer) format.
Step 5 On the Settings tab of the LDAP Configuration window, configure the following fields:
• Name or IP Address – The FQDN or the IP address of the LDAP server against which you wish to authenticate. If using a name, be certain that it can be resolved by your DNS server. Also, if using TLS with the ‘Require valid certificate from server’ option, the name provided here must match the name to which the server certificate was issued (i.e. the CN) or the TLS exchange will fail.
• The domain components all use “dc=”
If the “User tree for login to server” field is given as a dn, you can also select this option if the bind dn conforms to the first bullet above, but not to the second and/or the third bullet.
– Give bind distinguished name – Select this option if the bind dn does not conform to the first bullet above (if the first name component does not begin with “cn=”). This option can always be selected if the dn is known.
• Local certificate for TLS – Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (Active Directory does not return passwords). This setting is not required for Active Directory.
• Login name attribute – Select one of the following to define the attribute that is used for login authentication:
– sAMAccountName for Microsoft Active Directory
– inetOrgPerson for RFC2798 inetOrgPerson
– posixAccount for RFC2307 Network Information Service
– sambaSAMAccount for Samba SMB
– inetOrgPerson for Novell eDirectory
• Qualified login name attribute – Optionally select an attribute of a user object that sets an alternative login name for the user in name@domain format.
Step 7 On the Directory tab, configure the following fields:
• Primary Domain – The user domain used by your LDAP implementation. For AD, this will be the Active Directory domain name, e.g. yourADdomain.com. Changes to this field will, optionally, automatically update the tree information in the rest of the page. This is set to mydomain.com by default for all schemas except Novell eDirectory, for which it is set to o=mydomain.
Note AD has some built-in containers that do not conform (e.g. the DN for the top-level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’), but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format. Ordering is not critical, but since they are searched in the given order it is most efficient to place the most commonly used trees first in each list.
User Management If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the Domain to search value accordingly and selecting Append to existing trees on each subsequent run. Step 8 1054 On the Referrals tab, configure the following fields: • Allow referrals – Select this option any time that user information is located on an LDAP server other than the configured primary one.
Step 9 On the LDAP Users tab, configure the following fields:
• Allow only users listed locally – Requires that LDAP users also be present in the SonicWALL local user database for logins to be allowed.
• User group membership can be set locally by duplicating LDAP user names – Allows for group membership (and privileges) to be determined by the intersection of local user and LDAP user configurations.
• Import users – You can click this button to configure local users on the SonicWALL by retrieving the user names from your LDAP server. The Import users button launches a window containing the list of user names available for import to the SonicWALL. In the LDAP Import Users window, select the checkbox for each user that you want to import into the SonicWALL, and then click Save selected.
• Import user groups – You can click this button to configure user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import user groups button launches a window containing the list of user group names available for import to the SonicWALL. In the LDAP Import User Groups window, select the checkbox for each group that you want to import into the SonicWALL, and then click Save selected.
Step 10 On the LDAP Relay tab, configure the following fields:
The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL with remote satellite sites connected into it via low-end SonicWALL security appliances that may not support LDAP.
• User groups for legacy users with Internet access – Defines the user group that corresponds to the legacy ‘Allow Internet access (when access is restricted)’ privileges. When a user in this user group is authenticated, the remote SonicWALL is notified to give the user the relevant privileges.
This change in default authentication protocol order, combined with the iOS behavior of accepting the first supported authentication protocol, will default to SonicOS and iOS devices using RADIUS authentication (because Active Directory does not support CHAP, MS-CHAP, or MS-CHAPv2). To force L2TP connections from iOS devices to use LDAP instead of RADIUS, follow the steps outlined below.
1. Navigate to the VPN > L2TP Server page.
2. Click Configure.
3. Click on the PPP tab.
4.
The following sections describe how to configure SSO:
• “Installing the SonicWALL SSO Agent” on page 1062
• “Installing the SonicWALL Terminal Services Agent” on page 1065
• “Configuring the SonicWALL SSO Agent” on page 1067
– “Adding a SonicWALL Security Appliance” on page 1072
– “Editing Appliances in SonicWALL SSO Agent” on page 1073
– “Deleting Appliances in SonicWALL SSO Agent” on page 1074
– “Modifying Services in SonicWALL SSO Agent” on page 1074
• “Configuring the SonicWALL T

Installing the SonicWALL SSO Agent
The SonicWALL SSO Agent is part of the SonicWALL Directory Connector. The SonicWALL SSO Agent must be installed on at least one, and up to eight, workstations or servers in the Windows domain that have access to the Active Directory server using VPN or IP. The SonicWALL SSO Agent must have access to your SonicWALL security appliance.
Step 5 Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next. To specify a custom location, click Browse, select the folder, and click Next.
Step 6 On the Custom Setup page, the installation icon SonicWALL SSO Agent feature. Click Next.
Step 7 Click Install to install SSO Agent.
Step 9 Enter the IP address of your SonicWALL security appliance in the SonicWALL Appliance IP field. Type the port number for the same appliance in the SonicWALL Appliance Port field. Enter a shared key (a hexadecimal number from 1 to 16 digits in length) in the Shared Key field. Click Next to continue.
Note This section can be configured at a later time. To skip this step and configure it later, click Skip.
If you checked the Launch SonicWALL Directory Connector box, the SonicWALL Directory Connector will display.

Installing the SonicWALL Terminal Services Agent
Install the SonicWALL TSA on one or more terminal servers on your network within the Windows domain. The SonicWALL TSA must have access to your SonicWALL security appliance, and the appliance must have access to the TSA.
Step 5 On the Select Installation Folder window, select the destination folder. To use the default folder, C:\Program Files\SonicWALL\SonicWALL Terminal Services Agent\, click Next. To specify a custom location, click Browse, select the folder, and click Next.
Step 6 On the Confirm Installation window, click Next to start the installation.
Step 7 Wait while the SonicWALL Terminal Services Agent installs. The progress bar indicates the status.
Configuring the SonicWALL SSO Agent
The SonicWALL SSO Agent communicates with workstations using NetAPI or WMI, which both provide information about users that are logged into a workstation, including domain users, local users, and Windows services. WMI is pre-installed on Windows Server 2003, Windows XP, Windows ME, and Windows 2000. For other Windows versions, visit www.microsoft.com to download WMI. Verify that WMI or NetAPI is installed prior to configuring the SonicWALL SSO Agent.
If you clicked Yes, the message Successfully restored the old configuration will display. Click OK. If you clicked No, or if you clicked Yes but the default configuration is incorrect, the message SonicWALL SSO Agent service is not running. Please check the configuration and start the service. will display. Click OK. If the message SonicWALL SSO Agent service is not running. Please check the configuration and start the service displays, the SSO Agent service will be disabled by default.
Note When Logging Level 2 is selected, the SSO Agent service will terminate if the Windows event log reaches its maximum capacity.
Step 4 In the Refresh Time field, enter the frequency, in seconds, that the SSO Agent will refresh user login status. The default is 60 seconds.
Step 5 From the Query Source pull-down menu, select the protocol that the SSO Agent will use to communicate with workstations, either NETAPI or WMI. NetAPI will provide faster, though possibly slightly less accurate, performance. WMI will provide slower, though possibly more accurate, performance.
Note With NetAPI, Windows reports the last login to the workstation whether or not the user is still logged in.
Step 6 In the Configuration File field, enter the path for the configuration file. The default path is C:\Program Files\SonicWALL\DCON\SSO\CIAConfig.xml.
Step 7 Click Accept.
Step 8 Click OK.
Adding a SonicWALL Security Appliance
Use these instructions to manually add a SonicWALL security appliance if you did not add one during installation, or to add additional SonicWALL security appliances. To add a SonicWALL security appliance, perform the following steps:
Step 1 Launch the SonicWALL SSO Agent Configurator.
Step 2 Expand the SonicWALL Directory Connector and SonicWALL SSO Agent trees in the left column by clicking the + button.
Step 3 Enter the appliance IP address for your SonicWALL security appliance in the Appliance IP field. Enter the port for the same appliance in the Appliance Port field. The default port is 2258. Give your appliance a friendly name in the Friendly Name field. Enter a shared key in the Shared Key field or click Generate Key to generate a shared key. When you are finished, click OK. Your appliance will display in the left-hand navigation panel under the SonicWALL Appliances tree.

Deleting Appliances in SonicWALL SSO Agent
To delete a SonicWALL security appliance you previously added in SonicWALL SSO Agent, select the appliance from the left-hand navigation panel and click the delete icon above the left-hand navigation panel.

Modifying Services in SonicWALL SSO Agent
You can start, stop, and pause SonicWALL SSO Agent services to SonicWALL security appliances.
Adding a SonicWALL Network Security Appliance to SonicWALL TSA Settings
Perform the following steps to add a SonicWALL appliance to the SonicWALL TSA:
Step 1 Double-click the SonicWALL TSA desktop icon.
Step 2 The SonicWALL Terminal Services Agent window displays. On the Settings tab, type the IP address of the SonicWALL appliance into the Appliance IP field.
Step 3 Type the communication port into the Appliance Port field.
Perform the following steps to create a TSR for the SonicWALL TSA:
Step 1 Double-click the SonicWALL TSA desktop icon.
Step 2 The SonicWALL Terminal Services Agent window displays. Click the Reports tab.
Step 3 To generate the TSR and automatically email it to SonicWALL Technical Support, click Send.
Step 4 To generate the TSR and examine it in your default text editor, click View.
Step 5 To generate the TSR and save it as a text file, click Save As.

Configuring Your SonicWALL Security Appliance for SonicWALL SSO Agent
To use single sign-on, your SonicWALL security appliance must be configured to use either SonicWALL SSO Agent or Browser NTLM authentication only as the SSO method. SonicWALL SSO Agent is also the correct method to select when configuring the appliance to use the SonicWALL Terminal Services Agent. The following procedure describes how to configure your SonicWALL security appliance to use SonicWALL SSO Agent.
Step 4 On the Authentication Agent Settings page, click the Add button to add an agent. The page is updated to display a new row in the table at the top, and two new tabs and their input fields in the lower half of the page.
Step 5 In the Host Name or IP Address field, enter the name or IP address of the workstation on which SonicWALL SSO Agent is installed. As you type in values for the fields, the row at the top is updated in red to highlight the new information.
Step 12 Click the Users tab. The User Settings page displays.
Step 13 Check the box next to Allow only users listed locally to allow only users listed locally on the appliance to be authenticated.
Step 14 Check the box next to Simple user names in local database to use simple user names. When selected, the domain component of a user name will be ignored. User names returned from the authentication agent typically include a domain component, for example, domain1/user1.
network may be blocking them. For example, if you have an Access Control List set on a router in your network to allow NetAPI from the agent’s IP address only, that ACL will block the probes to the NetAPI port from the appliance. Probe test mode is useful for initial SSO deployment and troubleshooting.
To edit a service account name, select the name, click Edit, make the desired changes in the Service User name dialog box, and then click OK. To remove service account names, select one or more names and then click Remove.
Step 24 Click on the Enforcement tab if you want to either trigger SSO on traffic from a particular zone, or bypass SSO for traffic from non-user devices such as internal proxy web servers or IP phones.
The second setting is appropriate for user traffic that does not need to be authenticated, where triggering SSO might cause an unacceptable delay for the service. SSO bypass settings do not apply when SSO is triggered by firewall access rules requiring user authentication. To configure this type of SSO bypass, add access rules that do not require user authentication for the affected traffic. See “Adding Access Rules” on page 608 for more information on configuring access rules.
As you type in values for the fields, the row at the top is updated in red to highlight the new information.
Step 30 In the Port field, enter the port number of the workstation on which SonicWALL TSA is installed. The default port is 2259. Note that agents at different IP addresses can have the same port number.
Step 31 In the Shared Key field, enter the shared key that you created or generated in the SonicWALL TSA. The shared key must match exactly.
Step 35 Select one of the following choices from the Use NTLM to authenticate HTTP traffic pulldown list:
• Never – Never use NTLM authentication.
• Before attempting SSO via the agent – Try to authenticate users with NTLM before using the SonicWALL SSO agent.
• Only if SSO via the agent fails – Try to authenticate users via the SSO agent first; if that fails, try using NTLM.
Step 41 Click the Test tab. The Test Authentication Agent Settings page displays. You can test the connectivity between the appliance and an SSO agent or TSA. You can also test whether the SSO agent is properly configured to identify a user logged into a workstation.
Note Performing tests on this page applies any changes that have been made.
Step 42 If you have multiple agents configured, select the SSO agent or TSA to test from the Select agent to test drop-down list.
Step 43 Select the Check agent connectivity radio button and then click the Test button. This will test communication with the authentication agent. If the SonicWALL security appliance can connect to the SSO agent, you will see the message Agent is ready. If testing a TSA, the Test Status field displays the message, and the version and server IP address are displayed in the Information returned from the agent field.
Configuring Your SonicWALL Appliance for Browser NTLM Authentication
To use single sign-on, your SonicWALL security appliance must be configured to use either SonicWALL SSO Agent or Browser NTLM authentication only as the SSO method. The following procedure describes how to configure your SonicWALL security appliance to use Browser NTLM authentication only. Perform the following steps:
Step 1 Log in to your SonicWALL security appliance and navigate to Users > Settings.
Step 8 To use locally configured user group settings, select the Local configuration radio button.
Step 9 In the Polling rate (minutes) field, enter a polling interval, in minutes. The security appliance will poll the workstation running SSO Agent once every interval to verify that users are still logged on. The default is 1.
To configure a Windows 7 or Vista machine to use NTLMv2 Session Security, perform the following steps:
Step 1 To open Windows Group Policy, open the Control Panel and select Administrative Tools.
Step 2 Select Local Security Policy to open the Local Security Policy window.
Step 3 Expand Local Policies and click on Security Options.
Advanced LDAP Configuration
If you selected Use LDAP to retrieve user group information on the Users tab in step 19 of “Configuring Your SonicWALL Security Appliance for SonicWALL SSO Agent” on page 1077, you must configure your LDAP settings. To configure LDAP settings, perform the following steps:
Step 1 On the Users tab in the SSO Configure window, click the Configure button next to the Use LDAP to retrieve user group information option.
Step 2 The Settings tab displays.
Select Give bind distinguished name to access the tree with the distinguished name.
Step 7 To log in with a user’s name and password, enter the user’s name in the Login user name field and the password in the Login password field. The login name will automatically be presented to the LDAP server in full ‘dn’ notation.
Note Use the user’s name in the Login user name field, not a username or login ID. For example, John Doe would log in as John Doe, not jdoe.
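The following is an added example, not SonicOS code, covering both this step and the bind-dn bullets in the earlier LDAP Settings procedure: it builds the full ‘dn’ that a login user name such as John Doe becomes for a given user tree and Primary Domain, and checks a bind dn against the two rules the guide names (first component begins with “cn=”, domain components all use “dc=”). The domain, tree and user names in it are constructed samples, and the helper names are the example’s own.

```python
"""Added example, not SonicOS code: models two behaviours this section
describes for LDAP bind names: the full 'dn' built from a login user name
such as "John Doe" and a user tree, and the "cn=" / "dc=" conformance
checks behind the automatic bind-name options versus "Give bind
distinguished name". Domain and tree values below are constructed samples."""
import re


def parse_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs.

    Commas escaped with a backslash (RFC 4514) do not split the DN; values are
    otherwise left as written so they can be compared against the original."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def domain_to_dc(domain):
    """'mydomain.com' -> 'dc=mydomain,dc=com', the AD-style domain suffix."""
    labels = [label for label in domain.strip('.').split('.') if label]
    if not labels:
        raise ValueError("empty domain name")
    return ','.join(f'dc={label}' for label in labels)


def login_dn(user_name, user_tree, domain):
    """Full 'dn' presented to the server for a Login user name.

    user_tree is the container DN relative to the domain; for AD's built-in
    Users container that is 'cn=Users' (cn, not ou, as the guide notes)."""
    if '=' in user_name:
        raise ValueError("enter the user's name (e.g. 'John Doe'), not a DN or login ID")
    # Escape the characters RFC 4514 gives special meaning inside an RDN value.
    value = re.sub(r'([,+"\\<>;])', r'\\\1', user_name)
    return f'cn={value},{user_tree},{domain_to_dc(domain)}'


def bind_dn_conformance(bind_dn):
    """Evaluate the two rules the guide names for a bind dn.

    first_is_cn:   the first name component begins with 'cn='.
    domain_all_dc: the domain components (the trailing run of the DN) all use
                   'dc=' rather than, say, 'o=mydomain'.
    The guide lists a further rule not reproduced here, so True/True is
    necessary but not sufficient for the automatic options; 'Give bind
    distinguished name' is always usable when the dn is known."""
    rdns = parse_dn(bind_dn)
    first_is_cn = bool(rdns) and rdns[0][0] == 'cn'
    end = len(rdns)
    while end > 0 and rdns[end - 1][0] == 'dc':
        end -= 1
    trailing_dc = len(rdns) - end
    domain_all_dc = trailing_dc > 0 and all(attr != 'dc' for attr, _ in rdns[:end])
    return {
        'first_is_cn': first_is_cn,
        'domain_all_dc': domain_all_dc,
        'needs_bind_dn_option': not (first_is_cn and domain_all_dc),
    }


if __name__ == '__main__':
    dn = login_dn('John Doe', 'cn=Users', 'mydomain.com')
    print(dn, bind_dn_conformance(dn))
```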
Step 14 Click the Schema tab.
Step 15 From the LDAP Schema drop-down menu, select one of the following LDAP schemas. Selecting any of the predefined schemas will automatically populate the fields used by that schema with their correct values. Selecting ‘user-defined’ will allow you to specify your own values – use this only if you have a specific or proprietary LDAP schema configuration.
Step 19 The User group membership attribute field specifies the attribute in the user object that lists the groups it belongs to. This is memberOf in Microsoft Active Directory. The other predefined schemas store group membership information in the group object rather than the user object, and therefore do not use this field.
Step 20 In the Additional user group ID attribute field, enter the attribute that contains the user’s primary group ID.
Step 25 Select the Directory tab.
Step 26 In the Primary Domain field, specify the user domain used by your LDAP implementation. For AD, this will be the Active Directory domain name, such as yourADdomain.com. Changes to this field will, optionally, automatically update the tree information in the rest of the page. This is set to mydomain.com by default for all schemas except Novell eDirectory, for which it is set to o=mydomain.
Note AD has some built-in containers that do not conform (for example, the DN for the top level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format. Ordering is not critical, but since they are searched in the given order it is most efficient to place the most commonly used trees first in each list.
Step 31 Select the Referrals tab.
Step 32 If multiple LDAP servers are in use in your network, LDAP referrals may be necessary. Select one or more of the following check boxes:
• Allow referrals – Select when user information is located on an LDAP server other than the primary one.
• Allow continuation references during user authentication – Select when individual directory trees span multiple LDAP servers.
Step 33 Select the LDAP Users tab.
Step 34 Check the Allow only users listed locally box to require that LDAP users also be present in the SonicWALL security appliance local user database for logins to be allowed.
Step 35 Check the User group membership can be set locally by duplicating LDAP user names box to allow for group membership (and privileges) to be determined by the intersection of local user and LDAP user configurations.
Step 38 Select the LDAP Relay tab.
Step 39 Select the Enable RADIUS to LDAP Relay checkbox to enable RADIUS to LDAP relay. The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL security appliance with remote satellite sites connected into it using SonicWALL security appliances that may not support LDAP.
Step 42 In the User groups for legacy users fields, define the user groups that correspond to the legacy ‘VPN users,’ ‘VPN client users,’ ‘L2TP users’ and ‘users with Internet access’ privileges. When a user in one of the given user groups is authenticated, the remote SonicWALL security appliances will be informed that the user is to be given the relevant privilege.
Tuning Single Sign-On Advanced Settings
This section provides detailed information to help you tune the advanced SSO settings on your SonicWALL appliance.
Statistics in the TSR” on page 1103 and “Viewing SSO Mouseover Statistics and Tooltips” on page 1101). Requests waiting on the ring buffer for too long could lead to slow response times in SSO authentication. This setting works in conjunction with the automatically calculated number of user requests per message to the agent when polling to check the status of logged in users. The number of user requests per message is calculated based on recent polling response times.
To view the statistics for all SSO activity on the appliance, hover your mouse pointer over the statistics icon at the bottom of the table, in the same row as the Add button. To close the statistics display, click close. To clear all the displayed values, click Click to reset. To view the tooltips available for many fields in the SSO configuration screens, hover your mouse pointer over the triangular icon to the right of the field.
Using the Single Sign-On Statistics in the TSR
A rich set of SSO performance and error statistics is included in the troubleshooting report (TSR). These can be used to gauge how well SSO is performing in your installation. Download the TSR on the System > Diagnostics page and search for the title “SSO operation statistics”. The following are the counters to look at in particular:
1.
6. If using multiple agents, then also under SSO agent statistics look at the error and timeout rates reported for the different agents, and also their response times. Significant differences between agents could indicate a problem specific to one agent that could be addressed by upgrading or changing settings for that agent in particular.
7.
Configuring Firewall Access Rules
Enabling SonicWALL SSO affects policies on the Firewall > Access Rules page of the SonicOS Enhanced management interface. Rules set under Firewall > Access Rules are checked against the user group memberships returned from an SSO LDAP query, and are applied automatically.
• To use SonicWALL SSO with Linux/Mac users, the SonicWALL SSO Agent must be configured to use NetAPI rather than WMI to get the user login information from the user's machine.
• For Samba to receive and respond to the requests from the SonicWALL SSO Agent, it must be set up as a member of the domain and the Samba server must be running and properly configured to use domain authentication. These and other configuration details are described in the following technote: http://www.
unauthenticated HTTP connections that match it will be directed straight to the login page. Typically, the Source field would be set to an address object containing the IP addresses of Mac and Linux systems. In the case of CFS, a rule with this checkbox enabled can be added “in front of” CFS so that HTTP sessions from Mac and Linux systems are automatically redirected to log in, avoiding the need for these users to log in manually.
White Listing IP Addresses to Bypass SSO and Authentication
If you have IP addresses that should always be allowed access without requiring user authentication, they can be white-listed. To white-list IP addresses so that they do not require authentication and can bypass SSO:
Step 1 On the Network > Address Objects page, create an Address Group containing the IP addresses to be white-listed.
That can be done in one of two ways. The source zone is shown as LAN here, but can be any applicable zone(s):
1. Change Users Allowed in the default LAN -> WAN rule to Everyone or Trusted Users. These are authenticated users. Then add rules to allow out traffic that you do not want to be blocked for unidentified users (such as DNS, email, ...) with Users Allowed set to All.
2.

About Firewall Access Rules
Firewall access rules provide the administrator with the ability to control user access. Rules set under Firewall > Access Rules are checked against the user group memberships returned from an SSO LDAP query, and are applied automatically. Access rules are network management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.
• On a failure to identify a user due to communication problems with the TSA, an HTTP browser session is not redirected to the Web login page (as happens on a failure in the SSO case). Instead, it goes to a new page with the message “The destination that you were trying to reach is temporarily unavailable due to network problems.”

Viewing and Managing SSO User Sessions
This section provides information to help you manage SSO on your SonicWALL appliance.

Viewing SSO and LDAP Messages with Packet Monitor
In SonicOS Enhanced 5.6 and above, the Packet Monitor feature available on System > Packet Monitor provides two checkboxes to enable capture of decrypted messages to and from the SSO agent, and decrypted LDAP over TLS (LDAPS) messages. In SonicOS Enhanced 5.5, this functionality was introduced in the Packet Capture feature available on System > Packet Capture.
Captured SSO messages are displayed fully decoded on the System > Packet Monitor screen.

Capturing LDAP Over TLS Messages
To capture decrypted LDAP over TLS (LDAPS) packets, perform the following steps:
Step 1 Click the Configuration button in the System > Packet Monitor page.
Step 2 Click the Advanced Monitor Filter tab.
Step 3 Select the Monitor intermediate Packets checkbox.
Step 4 Select the Monitor intermediate decrypted LDAP over TLS packets checkbox.
Step 5 Click OK.
The packets will be marked with (ldp) in the ingress/egress interface field. They will have dummy Ethernet, TCP, and IP headers, so some values in these fields may not be correct. The LDAP server port will be set to 389 so that an external capture analysis program (such as Wireshark) will know to decode these packets as LDAP. Passwords in captured LDAP bind requests will be obfuscated.
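As an added example (not SonicOS code), the following minimal BER codec shows what obfuscating the password in a captured LDAP bind request involves: the simple-bind password is overwritten in place with ‘*’ bytes of equal length, so the message and the dummy headers around it keep their sizes while the bind DN stays decodable. The bind request is a constructed sample, and the function names are the example’s own.

```python
"""Added example, not SonicOS code: a minimal BER codec for LDAP BindRequest
messages that reproduces the obfuscation the guide describes for captured
LDAP bind requests: the simple-bind password is overwritten in place with
'*' bytes of the same length, so the message (and any dummy TCP/IP headers
around it) keeps its size, while the DN and version stay readable. The
bind request built below is a constructed sample, not a real capture."""

LDAPMESSAGE = 0x30      # SEQUENCE
INTEGER = 0x02
OCTET_STRING = 0x04
BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80      # authentication CHOICE: simple [0] OCTET STRING


def ber_length(n):
    """Encode a BER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value):
    """Non-negative INTEGER (enough for messageID and version)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), 'big')
    return tlv(INTEGER, body)


def bind_request(msg_id, name, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }."""
    op = ber_int(3) + tlv(OCTET_STRING, name.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(LDAPMESSAGE, ber_int(msg_id) + tlv(BIND_REQUEST, op))


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], 'big')
        pos += count
    return tag, pos, pos + length


def locate_bind_fields(msg):
    """Walk an LDAPMessage and return (msg_id, name slice, auth tag, auth slice)
    for a BindRequest, or None for any other or truncated message."""
    try:
        tag, pos, _ = read_tlv(msg, 0)
        if tag != LDAPMESSAGE:
            return None
        tag, s, e = read_tlv(msg, pos)
        if tag != INTEGER:
            return None
        msg_id = int.from_bytes(msg[s:e], 'big')
        tag, pos, _ = read_tlv(msg, e)
        if tag != BIND_REQUEST:
            return None
        _, _, pos = read_tlv(msg, pos)          # version INTEGER, skipped
        _, ns, ne = read_tlv(msg, pos)          # name LDAPDN
        auth_tag, as_, ae = read_tlv(msg, ne)   # authentication CHOICE
    except IndexError:
        return None                             # truncated capture
    return msg_id, (ns, ne), auth_tag, (as_, ae)


def parse_bind(msg):
    """Decode (messageID, name, password) from a simple BindRequest, else None."""
    found = locate_bind_fields(msg)
    if found is None or found[2] != SIMPLE_AUTH:
        return None                             # SASL binds carry no simple password
    msg_id, (ns, ne), _, (as_, ae) = found
    return msg_id, bytes(msg[ns:ne]).decode(), bytes(msg[as_:ae]).decode()


def obfuscate_simple_bind(msg):
    """Copy of msg with the simple-bind password replaced by '*' of equal length.
    Anything that is not a simple BindRequest is returned unchanged."""
    out = bytearray(msg)
    found = locate_bind_fields(out)
    if found is not None and found[2] == SIMPLE_AUTH:
        as_, ae = found[3]
        out[as_:ae] = b'*' * (ae - as_)
    return bytes(out)


if __name__ == '__main__':
    raw = bind_request(1, 'cn=Administrator,cn=Users,dc=mydomain,dc=com', 'Secret123')
    print(parse_bind(obfuscate_simple_bind(raw)))
```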
Configuring Additional Administrator User Profiles
To configure additional administrator user profiles, perform the following steps:
Step 1 While logged in as admin, navigate to the Users > Local Users page.
Step 2 Click the Add User button.
Step 3 Enter a Name and Password for the user.
Step 4 Click on the Group Membership tab.
When using RADIUS or LDAP authentication, if you want to keep the configuration of administrative users local to the appliance whilst having those users authenticated by RADIUS/LDAP, perform these steps:
Step 1 Navigate to the Users > Settings page.
Step 2 Select either the RADIUS + Local Users or LDAP + Local Users authentication method.
Step 3 Click the Configure button.

Activating Configuration Mode
When logging in as a user with administrator rights (that is not the admin user), the User Login Status popup window is displayed. To go to the SonicWALL user interface, click the Manage button. You will be prompted to enter your password again. This is a safeguard to protect against unauthorized access when administrators are away from their computers and do not log out of their session.
If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but also with the ability to administer it (that is, some go straight to the management interface on login, while others get the User Login Status popup window with a Manage button), this can be achieved as follows:
Step 1 Create a local group with the Members go straight to the management UI on web login checkbox selected.
To switch from non-config mode to full configuration mode, perform the following steps:
Step 1 Navigate to the System > Administration page.
Step 2 In the Web Management Settings section, click on the Configuration mode button. If there is not currently an administrator in configuration mode, you will automatically be entered into configuration mode.
Step 3 If another administrator is in configuration mode, the following message displays.

Verifying Multiple Administrators Support Configuration
User accounts with administrator and read-only administrator rights can be viewed on the Users > Local Groups page. Administrators can determine which configuration mode they are in by looking at either the top right corner of the management interface or at the status bar of their browser. To display the status bar in Firefox and Internet Explorer, click on the View menu and enable status bar. By default, Internet Explorer 7.
The status bar displays Read-only mode - no changes can be made. When the administrator is in non-config mode, the top right of the interface displays NonConfig Mode. Clicking on this text links to the System > Administration page where you can enter full configuration mode. The status bar displays Non-config mode - configuration changes not allowed.
Chapter 67: Managing Guest Services and Guest Accounts

Users > Guest Services
Guest accounts are temporary accounts set up for users to log into your network. You can create these accounts manually, as needed, or generate them in batches. SonicOS includes profiles you can configure in advance to automate configuring guest accounts when you generate them. Guest accounts are typically limited to a pre-determined life-span. After their life span, by default, the accounts are removed.

Global Guest Settings
Check Show guest login status window with logout button to display a user login window on the user’s workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.
Users > Guest Accounts
– Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list of guest accounts with an Expired status, allowing easy reactivation.
– Session Lifetime: Defines how long a guest login session remains active after it has been activated.

Adding Guest Accounts
You can add guest accounts individually or generate multiple guest accounts automatically.
To Add an Individual Account:
Step 1 Under the list of accounts, click Add Guest.
Step 2 In the Settings tab of the Add Guest Account window, configure:
– Profile: Select the Guest Profile to generate this account from.
– Name: Enter a name for the account or click Generate. The generated name is the prefix in the profile and a random two or three digit number.
– Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account. The Session Lifetime cannot exceed the value set in the Account Lifetime. This setting overrides the session lifetime setting in the profile.
– Idle Timeout: Defines the maximum period of time when no traffic is passed on an activated guest services session.
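The following added example (not SonicOS code) models how the guest account settings above interact: generated names, Account Lifetime, the per-account Session Lifetime that cannot exceed it, Idle Timeout, and Auto-Prune versus the Expired status. Profile values and times are constructed samples, and it assumes a session that reaches the Idle Timeout counts as ended until the guest logs in again.

```python
"""Added example, not SonicOS code: a small model of the guest-account
settings this section describes (generated names, Account Lifetime,
Session Lifetime, Idle Timeout and Auto-Prune) so the interaction between
them can be exercised. Times are seconds on a simple counter; the profile
values are constructed samples. Modelling choice (an assumption): a session
that hits the Idle Timeout counts as ended until the guest logs in again."""
from dataclasses import dataclass
import random


@dataclass
class GuestProfile:
    name_prefix: str
    account_lifetime: int      # seconds the account exists before it expires
    session_lifetime: int      # seconds a session stays active once activated
    idle_timeout: int          # seconds without traffic before the session ends
    auto_prune: bool = True    # delete expired accounts, or keep them as Expired

    def generate_name(self, rng=random):
        """The profile prefix plus a random two- or three-digit number."""
        return f"{self.name_prefix}{rng.randint(10, 999)}"


@dataclass
class GuestAccount:
    name: str
    profile: GuestProfile
    created_at: int
    session_lifetime: int = None   # per-account override of the profile value
    activated_at: int = None       # set on first login
    last_traffic_at: int = None

    def __post_init__(self):
        if self.session_lifetime is None:
            self.session_lifetime = self.profile.session_lifetime
        if self.session_lifetime > self.profile.account_lifetime:
            raise ValueError("Session Lifetime cannot exceed Account Lifetime")

    @property
    def expires_at(self):
        return self.created_at + self.profile.account_lifetime

    def status(self, now):
        return "Expired" if now >= self.expires_at else "Active"

    def login(self, now):
        """First login activates the session; later logins only refresh traffic."""
        if self.status(now) == "Expired":
            raise PermissionError(f"{self.name}: account expired")
        if self.activated_at is None:
            self.activated_at = now
        self.last_traffic_at = now
        return True

    def traffic(self, now):
        """Record guest traffic; it only counts while the session is active."""
        if self.session_active(now):
            self.last_traffic_at = now

    def session_active(self, now):
        if self.activated_at is None or now >= self.expires_at:
            return False                      # never activated, or account expired
        if now >= self.activated_at + self.session_lifetime:
            return False                      # Session Lifetime used up
        if now - self.last_traffic_at >= self.profile.idle_timeout:
            return False                      # Idle Timeout reached
        return True


def prune(accounts, now):
    """Auto-Prune: drop expired accounts whose profile enables it; otherwise keep
    them listed (status Expired) so they can be reactivated."""
    return [a for a in accounts
            if not (a.status(now) == "Expired" and a.profile.auto_prune)]


if __name__ == '__main__':
    profile = GuestProfile("guest", account_lifetime=3600, session_lifetime=1800, idle_timeout=300)
    acct = GuestAccount(profile.generate_name(), profile, created_at=0)
    acct.login(100)
    print(acct.name, acct.session_active(200), acct.status(3600), prune([acct], 3600))
```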
Users > Guest Status Users > Guest Status The Guest Status page reports on all the guest accounts currently logged in to the security appliance. The page lists: • Name: The name of the guest account. • IP: The IP address the guest user is connecting to. • Interface: The interface on the security appliance through which the user account is connecting to the appliance.
Part 17
Chapter 68: Setting Up High Availability

High Availability

This chapter describes how to configure and manage the High Availability feature on SonicWALL security appliances.
High Availability High Availability provides a way to share SonicWALL licenses between two SonicWALL security appliances when one is acting as a high availability system for the other. To use this feature, you must register the SonicWALL appliances on MySonicWALL as Associated Products. Both appliances must be the same SonicWALL model.
High Availability How High Availability Works High Availability requires one SonicWALL device configured as the Primary SonicWALL, and an identical SonicWALL device configured as the Backup SonicWALL. During normal operation, the Primary SonicWALL is in an Active state and the Backup SonicWALL in an Idle state.
High Availability • Preempt - Applies to a post-failover condition in which the Primary unit has failed, and the Backup unit has assumed the Active role. Enabling Preempt will cause the Primary unit to seize the Active role from the Backup after the Primary has been restored to a verified operational state. Virtual MAC Address The Virtual MAC address allows the High Availability pair to share the same MAC address, which dramatically reduces convergence time following a failover.
High Availability • “Benefits” on page 1137 • “How Does Stateful High Availability Work?” on page 1137 What is Stateful High Availability? The original version of SonicOS Enhanced provided a basic High Availability feature where a Backup firewall assumes the interface IP addresses of the configured interfaces when the Primary unit fails. Upon failover, layer 2 broadcasts are issued (ARP) to inform the network that the IP addresses are now owned by the Backup unit.
High Availability The following table lists the information that is synchronized and information that is not currently synchronized by Stateful High Availability.
High Availability Stateful High Availability Example The following figure shows a sample Stateful High Availability network. [Figure: SonicWALL NSA 1 and SonicWALL NSA 2 as a SonicWALL HA / Failover Pair joined by an HA Link, placed between the Internet and the Local Network.] In case of a failover, the following sequence of events occurs: 1. A PC user connects to the network, and the Primary SonicWALL security appliance creates a session for the user. 2. The Primary appliance synchronizes with the Backup appliance.
High Availability Active/Active DPI Overview This section provides an introduction to the Active/Active DPI feature. Active/Active DPI requires Stateful High Availability and is supported on SonicWALL E-Class NSA appliances.
High Availability High Availability License Synchronization Overview This section provides an introduction to the SonicWALL High Availability license synchronization feature.
High Availability • On SonicWALL appliances that support the PortShield feature (SonicWALL TZ series and NSA 240), High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances. • Both units must be registered and associated as a High Availability pair on MySonicWALL before physically connecting them. • The WAN virtual IP address and interfaces must use static IP addresses.
High Availability If you will not be using a Primary/Backup WAN Management IP address, make sure each entry field is set to ‘0.0.0.0’ (on the High Availability > Monitoring page); the SonicWALL will report an error if the field is left blank. Note If each SonicWALL has a Primary/Backup WAN Management IP address for remote management, the WAN IP addresses must be in the same subnet.
High Availability • Make sure Primary SonicWALL and Backup SonicWALL security appliance’s LAN, WAN, and other interfaces are properly configured for seamless failover. • Connect the Primary SonicWALL and Backup SonicWALL appliances with a CAT5 or CAT6-rated crossover cable. The Primary and Backup SonicWALL security appliances must have a dedicated connection between each other for High Availability.
High Availability Perform the following steps: Step 1 Decide which interface to use for the additional connection between the appliances. The same interface must be selected on each appliance. For example, you could connect X4 on the Primary unit to X4 on the Backup, in which case X4 would be the HA Data Interface. Step 2 In the SonicOS Enhanced management interface, navigate to the Network > Interfaces page and ensure that the Zone is Unassigned for the intended HA Data Interface.
High Availability To use Stateful High Availability on SonicWALL NSA appliances, you must purchase a Stateful High Availability Upgrade license for the Primary unit. Stateful High Availability is a licensed service that must be activated for the Primary appliance on mysonicwall.com. The license is shared with the Backup unit. License synchronization is used in a high availability deployment so that the Backup appliance can maintain the same level of network protection provided before the failover.
High Availability Associating an Appliance at First Registration To register a new SonicWALL security appliance and associate it as a Backup unit to an existing Primary unit so that it can use High Availability license synchronization, perform the following steps: Step 1 Log in to MySonicWALL. Step 2 On the main page, in the left pane, in the text box under Quick Register, type the appliance serial number and then press Enter or click the arrow button.
High Availability Step 6 If you clicked Continue without selecting a choice for HA Primary in the preceding step, click the radio button under Child Product Type to select a choice for HA Secondary (Backup unit), and then click Continue. Your new appliance will be the HA Primary unit for the device that you select.
High Availability You can click HA Secondary to display the My Product - Associated Products page for the child/secondary/Backup unit. Note that you can also change the associated product (parent) for this child on this page.
High Availability Associating Pre-Registered Appliances To associate two already-registered SonicWALL security appliances so that they can use High Availability license synchronization, perform the following steps: Step 1 Log in to MySonicWALL. Step 2 On the main page under Most Recently Registered Products, click View all registered products. Step 3 On the My Products page, under Registered Products, scroll down to find the appliance that you want to use as the parent, or Primary, unit.
High Availability • If the existing unit is an HA Primary or an unassociated appliance, click HA Secondary. • If the existing unit is an HA Secondary appliance, click HA Primary. Step 6 On the My Product - Associated Products page, in the text boxes under Associate New Products, type the serial number and the friendly name of the new appliance that you want to register as the associated unit. Step 7 Click Register.
High Availability Removing an HA Association You can remove the association between two SonicWALL security appliances on MySonicWALL at any time. You might need to remove an existing HA association if you replace an appliance or reconfigure your network. For example, if one of your SonicWALL security appliances fails, you will need to replace it. Or, you might need to switch the HA Primary appliance with the Backup, or HA Secondary, unit after a network reconfiguration.
High Availability Replacing a SonicWALL Security Appliance If your SonicWALL security appliance has a hardware failure while still under warranty, SonicWALL will replace it. In this case, you need to remove the HA association containing the failed appliance in MySonicWALL, and add a new HA association that includes the replacement. If you contact SonicWALL Technical Support to arrange the replacement (known as an RMA), Support will often take care of this for you.
High Availability Configuring High Availability in SonicOS To configure High Availability, you must configure High Availability in the SonicOS management interface using the two SonicWALL appliances associated on MySonicWALL. For information about associating two appliances, see “Associating Appliances on MySonicWALL for High Availability” on page 1145.
High Availability Disabling PortShield with the PortShield Wizard On SonicWALL appliances that support the PortShield feature, High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances. Perform the procedure for each of the appliances while logged into its individual management IP address.
High Availability Disabling PortShield Manually On SonicWALL appliances that support the PortShield feature, High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances. Perform the procedure for each of the appliances while logged into its individual management IP address.
High Availability Step 3 Click the Configure button. Step 4 In the Switch Port Settings dialog box, select Unassigned in the PortShield Interface dropdown list. Step 5 Click OK. The Network > PortShield Groups page displays the interfaces as unassigned. High Availability > Settings The configuration tasks on the High Availability > Settings page are performed on the Primary unit and then are automatically synchronized to the Backup.
High Availability To configure the settings on the High Availability > Settings page: Step 1 Log in as an administrator to the SonicOS user interface on the Primary SonicWALL. Step 2 In the left navigation pane, navigate to High Availability > Settings. See “Verifying High Availability Status” on page 1169 for a description of the fields listed in the High Availability Status table. Step 3 Select the Enable High Availability checkbox.
High Availability High Availability > Advanced Settings The configuration tasks on the High Availability > Advanced page are performed on the Primary unit and then are automatically synchronized to the Backup. To configure the settings on the High Availability > Advanced page, perform the following steps: Step 1 Log in as an administrator to the SonicOS user interface on the Primary SonicWALL. Step 2 In the left navigation pane, navigate to High Availability > Advanced.
High Availability Note SonicWALL High Availability cannot be configured using the built-in wireless interface, nor can it be configured using Dynamic WAN interfaces. The selected interface must be the same one that you physically connected as described in “Initial Active/Active DPI Setup” on page 1144. Step 7 To configure the High Availability Pair so that the Primary unit takes back the Primary role once it restarts after a failure, select Enable Preempt Mode.
High Availability the newly-Active appliance keeps the dynamic routes it had previously learned in its route table. During this time, the newly-Active appliance relearns the dynamic routes in the network. When the Dynamic Route Hold-Down Time duration expires, it deletes the old routes and implements the new routes it has learned from RIP or OSPF. The default value is 45 seconds. In large or complex networks, a larger value may improve network stability during a failover.
High Availability When using logical monitoring, the HA Pair will ping the specified Logical Probe IP address target from the Primary as well as from the Backup SonicWALL. The IP address set in the Primary IP Address or Backup IP Address field is used as the source IP address for the ping. If both units can successfully ping the target, no failover occurs.
High Availability Step 5 In the Primary IP Address field, enter the unique LAN management IP address of the Primary unit. Step 6 In the Backup IP Address field, enter the unique LAN management IP address of the Backup unit. Step 7 Select the Allow Management on Primary/Backup IP Address checkbox. When this option is enabled for an interface, a green icon appears in the interface’s Management column in the Monitoring Settings table on the High Availability > Monitoring page.
High Availability Tip A compromise between the convenience of synchronizing Certificates and the added security of not synchronizing Certificates is to temporarily enable the Include Certificate/Keys setting and manually synchronize the settings, and then disable Include Certificate/Keys. To verify that Primary and Backup SonicWALL security appliances are functioning correctly, wait a few minutes, then power off the Primary SonicWALL device.
High Availability Applying Licenses to SonicWALL Security Appliances When your SonicWALL security appliances have Internet access, each appliance in a High Availability Pair must be individually registered from the SonicOS management interface while the administrator is logged into the individual management IP address of each appliance. This allows the Backup unit to synchronize with the SonicWALL licensing server and share licenses with the associated Primary appliance.
High Availability Step 4 Click Submit. Step 5 On the Systems > Licenses page under Manage Security Services Online, verify the services listed in the Security Services Summary table. Step 6 Repeat this procedure for the other appliance in the HA Pair.
High Availability Copying the License Keyset from MySonicWALL You can follow the procedure in this section to view the license keyset on MySonicWALL and copy it to the SonicWALL security appliance. Perform the procedure for each of the appliances in a High Availability Pair while logged into its individual LAN management IP address. See “High Availability > Monitoring” on page 1161 to configure the individual IP addresses. Step 1 Log in to your MySonicWALL account at .
High Availability This is the license keyset for the SonicWALL security appliance that you selected in Step 3. Step 6 To copy the license keyset to the clipboard, press Ctrl+C. Step 7 Log in to the SonicOS user interface by using the individual LAN management IP address. Step 8 On the Systems > Licenses page under Manual Upgrade, press Ctrl+V to paste the license keyset into the Or enter keyset text box. Step 9 Click Submit. Step 10 Repeat this procedure for the other appliance in the HA Pair.
High Availability Verifying High Availability Status There are several ways to view High Availability status in the SonicOS Enhanced management interface.
High Availability instead of HA. When the HA interfaces are not connected or the link is down, the field displays the status in the form X5 No Link. When High Availability is not enabled, the field displays Disabled. • Found Backup - Indicates Yes if the Primary appliance has detected the Backup appliance, and No if there is no HA link or if the Backup is rebooting.
High Availability – ERROR – Indicates that the Backup unit has reached an error condition. – REBOOT – Indicates that the Backup unit is rebooting. – NONE – When viewed on the Backup unit, NONE indicates that HA is not enabled on the Backup. When viewed on the Primary unit, NONE indicates that the Primary unit is not receiving heartbeats from the Backup unit. • Active Up Time - Indicates how long the current Active firewall has been Active, since it last became Active.
High Availability • “Responses to DPI UTM Matches” on page 1173 • “Logging” on page 1173 Comparing CPU Activity on Both Appliances As soon as Active/Active UTM is enabled on the Stateful HA pair, you can observe a change in CPU utilization on both appliances. CPU activity goes down on the active unit, and goes up on the idle unit. To view and compare CPU activity: Step 1 In two browser windows, log into the Monitoring IP address of each unit, active and idle.
High Availability Additional Parameters in TSR You can tell that Active/Active UTM is correctly configured on your Stateful HA pair by generating a Tech Support Report on the System > Diagnostics page. The following configuration parameters should appear with their correct values in the Tech Support Report: • Enable Active/Active UTM • HA Data Interface configuration To generate a TSR for this purpose: Step 1 Log into the Stateful HA pair using the shared IP address.
Part 18
Chapter 70: Managing SonicWALL Security Services

SonicWALL Security Services

SonicWALL, Inc. offers a variety of subscription-based security services to provide layered security for your network. SonicWALL security services are designed to integrate seamlessly into your network to provide complete protection.
SonicWALL Security Services Note For more information on SonicWALL security services, please visit http://www.sonicwall.com. Note Complete product documentation for SonicWALL security services is available on the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html. Security Services Summary The top of the Security Services > Summary page provides a brief overview of services available for your SonicWALL security appliance.
SonicWALL Security Services At the top of the list, you can click the link to the System > Licenses page to view license status and the available SonicWALL security services and upgrades for your SonicWALL security appliance and access mysonicwall.com for activating services using Activation Keys. A list of currently available services is displayed in the Security Services Summary table. Subscribed services are displayed with Licensed in the Status column.
SonicWALL Security Services • Purchase/Activate SonicWALL security service licenses • Receive SonicWALL firmware and security service updates and alerts • Manage your SonicWALL security services • Access SonicWALL Technical Support Your mysonicwall.com account is accessible from any Internet connection with a Web browser using the HTTPS (Hypertext Transfer Protocol Secure) protocol to protect your sensitive information. You can also access mysonicwall.
SonicWALL Security Services If you are already connected to your mysonicwall.com account from the management interface, the Security Services Summary table is displayed. Click Synchronize to update the licensing and subscription information on the SonicWALL security appliance from your mysonicwall.com account.
SonicWALL Security Services • HTTP Clientless Notification Timeout for Gateway AntiVirus and AntiSpyware - Set the timeout duration after which the SonicWALL security appliance notifies users when GAV or Anti-Spyware detects an incoming threat from an HTTP server. The default timeout is one day (86400 seconds).
SonicWALL Security Services 5. If the appliance has not been registered with mySonicWALL.com, two additional fields are displayed: – MySonicWALL Username - Enter the username for the MySonicWALL.com account that the appliance is to be registered to. – MySonicWALL Password - Enter the MySonicWALL.com account password. 6. Click Accept at the top of the page.
SonicWALL Security Services Note The remaining steps can be performed while disconnected from the Internet. Step 6 Return to the Security Services > Summary page on the SonicWALL security appliance GUI. Step 7 Click on the Import Signatures box. Step 8 In the pop-up window that appears, click the browse button, and navigate to the location of the signature update file. Step 9 Click Import. The signatures are uploaded for the security services that are enabled on the SonicWALL security appliance.
Chapter 71: Configuring SonicWALL Content Filtering Service

Security Services > Content Filter

The Security Services > Content Filter page allows you to configure the Restrict Web Features and Trusted Domains settings, which are included with SonicOS Enhanced. You can activate and configure SonicWALL Content Filtering Service (SonicWALL CFS) as well as a third-party Content Filtering product from the Security Services > Content Filter page.
Security Services > Content Filter For complete SonicWALL Content Filtering Service documentation, see the SonicWALL Content Filtering Service Administrator’s Guide available at http://www.sonicwall.com/us/Support.html.
Security Services > Content Filter established by the administrator. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the SonicWALL security appliance informing the user that the site has been blocked according to policy. With SonicWALL CFS, network administrators have a flexible tool to provide comprehensive filtering based on keywords, time of day, trusted and forbidden domain designations, and file types such as Cookies, Java™ and ActiveX® for privacy.
Security Services > Content Filter The CFS App Control Policy Settings Screen There are multiple changes/additions to the CFS policy creation window when used in conjunction with Application Control. The table and image in this section provide information on the Application Control interface for CFS.
Security Services > Content Filter
• Policy Name - A friendly name for the policy. If applying a single policy to multiple groups, it is often a good idea to include the group name in this field.
• Policy Type - Select “CFS” to show the content filtering options.
• Address - Address or address group to which this policy is applied. The default value is “Any”, which is also the most common selection for CFS policies.
• Exclusion Address - Address or address group to exclude from this policy.
Security Services > Content Filter Choosing CFS Policy Management Type The choice of which policy management method to use – Via User and Zone Screens or Via Application Control – is made in the Security Services > Content Filter page. Note While the new Application Control method of CFS management offers more control and flexibility, the administrator can still choose the previous user/zone management method to perform content filtering.
Security Services > Content Filter Bandwidth Management Methods The Bandwidth Management feature can be implemented in two separate ways: • Per Policy Method – The bandwidth limit specified in a policy is applied individually to each policy – Example: two policies each have an independent limit of 500kb/s, so the total possible bandwidth between those two rules is 1000kb/s • Per Action Aggregate Method – The bandwidth limit action is applied (shared) across all policies to which it is applied – Example: two po
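As an added illustration that is not part of the SonicOS documentation, the following Python model computes what each policy receives under the Per Policy and Per Action Aggregate methods, using the 500kb/s figure from the text. How SonicOS divides a shared limit between competing policies is not documented here; the max-min (water-filling) split used below is an assumption for illustration only.

```python
"""Per Policy vs Per Action Aggregate bandwidth accounting (added example).

Assumption: when one BWM action object is shared across several policies, the
limit is divided max-min fairly among the policies that currently have demand.
SonicOS does not document how it splits a shared limit; this is a model only.
"""
from __future__ import annotations

PER_POLICY = "per_policy"
PER_ACTION_AGGREGATE = "per_action_aggregate"


def _max_min_share(limit_kbps: float, demands: dict[str, float]) -> dict[str, float]:
    """Water-filling: satisfy the smallest demands first, then split what is
    left equally among the policies that still want more."""
    remaining = float(limit_kbps)
    alloc = {name: 0.0 for name in demands}
    pending = sorted(demands.items(), key=lambda kv: kv[1])  # ascending demand
    while pending:
        share = remaining / len(pending)
        name, demand = pending.pop(0)
        got = min(demand, share)
        alloc[name] = got
        remaining -= got
    return alloc


def allocate(method: str, limit_kbps: float, demands: dict[str, float]) -> dict[str, float]:
    """Return the kb/s granted to each policy that references one BWM action
    object carrying limit_kbps, given each policy's offered load in kb/s."""
    if method == PER_POLICY:
        # Every policy gets its own independent copy of the limit, so the
        # aggregate across N policies can reach N * limit_kbps.
        return {name: min(demand, limit_kbps) for name, demand in demands.items()}
    if method == PER_ACTION_AGGREGATE:
        # One limit shared by all policies the action is attached to, so the
        # aggregate can never exceed limit_kbps regardless of policy count.
        return _max_min_share(limit_kbps, demands)
    raise ValueError(f"unknown aggregation method: {method}")


def total_kbps(alloc: dict[str, float]) -> float:
    """Aggregate throughput actually granted across all policies."""
    return sum(alloc.values())


if __name__ == "__main__":
    # Constructed demand: two policies, each wanting more than the 500kb/s limit.
    demands = {"policy_A": 800.0, "policy_B": 800.0}
    for method in (PER_POLICY, PER_ACTION_AGGREGATE):
        alloc = allocate(method, 500.0, demands)
        print(f"{method}: {alloc} total={total_kbps(alloc)} kb/s")
```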
Security Services > Content Filter Policies and Precedence: How Policies are Enforced This section provides an overview of the policy enforcement mechanism in CFS 3.0 to help the policy administrator create a streamlined set of rules without unnecessary redundancy or conflicting rule logic.
Security Services > Content Filter Create an Application Object Create an application object containing forbidden content: Step 1 Navigate to the Firewall > Match Objects page in the SonicOS management interface. Step 2 Click the Add New Match Object button; the Add/Edit Match Object window displays. Step 3 Enter a descriptive Object Name, such as ‘Forbidden Content’. Step 4 Select ‘CFS Category List’ from the Match Object Type dropdown list.
Security Services > Content Filter Create an Application Control Policy to Block Forbidden Content Create an Application Control policy to block content defined in the Application Object: Step 1 Navigate to the Firewall > App Rules page in the SonicOS management interface. Step 2 Click the Add Policy button; the Add/Edit Application Firewall Policy window displays. Step 3 Enter a descriptive name for this policy in the Policy Name field, such as ‘Block Forbidden Content’.
Security Services > Content Filter Bandwidth Managing Content To create a CFS Policy for applying BWM to non-productive content: • Create an Application Object — page 1193 • Create a Bandwidth Management Action Object — page 1195 • Create an Application Control Policy to Block Forbidden Content — page 1194 Create an Application Object for Non-Productive Content Create an application object containing non-productive content: Step 1 Navigate to the Firewall > Match Objects page in the SonicOS manageme
Security Services > Content Filter To create a new BWM action: Step 1 Navigate to the Firewall > Action Objects page in the SonicOS management interface. Step 2 Click the Add New Action Object button, the Add/Edit Action Object window displays. Step 3 Enter a descriptive Action Name for this action. Step 4 Select ‘Bandwidth Management’ from the Action dropdown list. Step 5 Select from the Bandwidth Aggregation Method dropdown list: a. Per Policy - to apply this limit to each individual policy.
Security Services > Content Filter Note If you chose not to create a custom BWM object, you may use one of the pre-defined BWM objects (BWM high, BWM medium, or BWM low). Step 7 Optionally, from the dropdown lists, select the Users/Groups to which this policy is to be applied (Included) or not applied (Excluded). Our example uses the defaults of including ‘all’ and excluding ‘none’. Step 8 Optionally, select a Schedule of days and times when this rule is to be enforced from the dropdown list.
Security Services > Content Filter Create a Group-Specific Application Control Policy Create an Application Control policy to block content defined in the Application Object: Step 1 Navigate to the Firewall > App Rules page in the SonicOS management interface. Step 2 Click the Add Policy button; the Add/Edit Application Firewall Policy window displays. Step 3 Enter a descriptive name for this policy in the Policy Name field.
Security Services > Content Filter Creating a Custom CFS Category This section details creating a custom CFS category entry. CFS allows the administrator not only to create custom Policies, but also allows for custom domain name entries to the existing CFS rating categories. This allows for insertion of custom CFS-managed content into the existing and very flexible category structure.
Security Services > Content Filter Note All subdomains of the domain entered are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”, so it is not necessary to enter FQDN entries for every subdomain of a parent domain. Step 5 Click the OK button to add this custom entry. Legacy Content Filtering Examples The following sections describe how to configure the settings on the Security Services > Content Filter page using legacy Content Filtering methods.
Security Services > Content Filter Content Filter Status If SonicWALL CFS is activated, the Content Filter Status section displays the status of the Content Filter Server, as well as the date and time that your subscription expires. The expiration date and time is displayed in Universal Time Code (UTC) format. You can also access the SonicWALL CFS URL Rating Review Request form by clicking the here link in the sentence “If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here.”
Security Services > Content Filter Content Filter Type There are three types of content filtering available on the SonicWALL security appliance. These options are available from the Content Filter Type menu. • SonicWALL CFS - Selecting SonicWALL CFS as the Content Filter Type allows you to access SonicWALL CFS functionality that is included with SonicOS Enhanced, and also to configure custom CFS Policies that are available only with a valid subscription.
Security Services > Content Filter If you trust content on specific domains and want them to be exempt from Restrict Web Features, follow these steps to add them: Step 1 Select the Do not block Java/ActiveX/Cookies to Trusted Domains checkbox. Step 2 Click Add. The Add Trusted Domain Entry window is displayed. Step 3 Enter the trusted domain name in the Domain Name field. Step 4 Click OK. The trusted domain entry is added to the Trusted Domains table.
Security Services > Content Filter Modifying or Temporarily Disabling the CFS Exclusion List To modify or temporarily disable the CFS Exclusion List, perform these tasks: Step 1 To keep the CFS Exclusion List entries but temporarily allow content filtering to be applied to these IP addresses, uncheck the Enable CFS Exclusion List checkbox.
Security Services > Content Filter Note SonicWALL recommends that you make the Default CFS Premium policy the most restrictive policy. Custom CFS policies are subject to content filter inheritance. This means that all custom CFS policies inherit the filters from the Default CFS policy.
Security Services > Content Filter • Enable IP based HTTPS Content Filtering - Select this checkbox to enable HTTPS content filtering. HTTPS content filtering is IP-based, and will not inspect the URL. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS filtered pages will be silently blocked. You must provide the IP address for any HTTPS Web sites to be filtered.
Security Services > Content Filter Local Groups page. The Default CFS policy is always inherited by every user. A custom CFS policy allows you to modify the default CFS configuration to tailor content filtering policies for particular user groups on your network. Note To ensure proper content filtering, the Default CFS policy should be configured to be the most restrictive policy, and then each custom policy should be configured to grant privileges that are otherwise restricted by the Default policy.
Security Services > Content Filter Step 5 Click the Settings tab. Step 6 Under Custom List Settings, select any of the following settings: – Disable Allowed Domains - select this setting to disable the allowed domains that are listed on the Custom List tab in the SonicWALL Filter Properties window. – Enable Forbidden Domains - select this setting to enable forbidden domains that are listed on the Custom List tab in the SonicWALL Filter Properties window.
Security Services > Content Filter Tip Time of Day restrictions only apply to the Content Filter List, Customized blocking and Keyword blocking. Consent and Restrict Web Features are not affected. Custom List You can customize your URL list to include Allowed Domains and Forbidden Domains. By customizing your URL list, you can specify domains that may be accessed, domains that are blocked, and keywords that cause sites to be blocked.
Security Services > Content Filter To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete. Once the domain has been deleted, the Status bar displays Ready. To remove a keyword, select it from the list and click Delete. Once the keyword has been removed, the Status bar displays Ready. Click OK when finished.
Security Services > Content Filter – Enable Keyword Blocking - select this setting to enable keyword blocking for the URLs that are listed in the Keyword Blocking section on the Custom List tab. Step 2 Click OK. Disable all Web traffic except for Allowed Domains Selecting the Disable Web traffic except for Allowed Domains check box causes the SonicWALL security appliance to allow Web access only to sites on the Allowed Domains list.
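To make the Custom List semantics concrete, here is an added Python model (not SonicOS code) of the Allowed Domains, Forbidden Domains and Keyword Blocking checks together with the Disable Web traffic except for Allowed Domains mode. It uses the label-boundary subdomain matching described under Creating a Custom CFS Category, so “yahoo.com” covers “mail.yahoo.com” but not a look-alike such as “notyahoo.com”; the evaluation order (forbidden, then allowed, then keywords) and the sample domains are assumptions.

```python
"""Model of CFS Custom List evaluation (added example, not SonicOS code).

Assumptions (not stated by the SonicOS guide): forbidden domains are checked
before allowed domains, keywords are matched against the full URL, and the
sample domains below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


def _normalize(domain: str) -> str:
    """Lower-case and strip surrounding whitespace and a trailing root dot."""
    return domain.strip().lower().rstrip(".")


def domain_matches(host: str, entry: str) -> bool:
    """True if host is entry itself or any subdomain of it.

    The match is anchored on a label boundary: "mail.yahoo.com" matches the
    entry "yahoo.com", but "notyahoo.com" and "yahoo.com.attacker.example"
    do not, which a naive endswith() check would get wrong.
    """
    host, entry = _normalize(host), _normalize(entry)
    return bool(entry) and (host == entry or host.endswith("." + entry))


@dataclass
class CustomList:
    """The per-policy Custom List tab: domain lists, keywords and toggles."""
    allowed_domains: list[str] = field(default_factory=list)
    forbidden_domains: list[str] = field(default_factory=list)
    keywords: list[str] = field(default_factory=list)
    enable_allowed: bool = True      # "Disable Allowed Domains" unchecked
    enable_forbidden: bool = True    # "Enable Forbidden Domains" checked
    enable_keywords: bool = True     # "Enable Keyword Blocking" checked
    allowed_only: bool = False       # "Disable Web traffic except for Allowed Domains"

    def evaluate(self, url: str) -> tuple[str, str]:
        """Return (verdict, reason) for one URL; verdict is 'allow' or 'block'."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = _normalize(parts.hostname or "")
        if self.enable_forbidden and any(domain_matches(host, d) for d in self.forbidden_domains):
            return "block", "forbidden domain"
        if self.enable_allowed and any(domain_matches(host, d) for d in self.allowed_domains):
            return "allow", "allowed domain"
        if self.allowed_only:
            # Allowed-only mode: anything not explicitly on the list is blocked.
            return "block", "not on allowed list"
        if self.enable_keywords:
            haystack = url.lower()
            for kw in self.keywords:
                if kw.lower() in haystack:
                    return "block", f"keyword '{kw}'"
        return "allow", "no custom-list match"


if __name__ == "__main__":
    # Constructed sample policy and URLs.
    policy = CustomList(allowed_domains=["intranet.example.com"],
                        forbidden_domains=["games.example.net"],
                        keywords=["casino"])
    for u in ("http://mail.intranet.example.com/inbox",
              "https://www.games.example.net/",
              "http://www.example.org/casino/lobby",
              "http://www.example.org/"):
        print(u, "->", policy.evaluate(u))
```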
Security Services > Content Filter Consent The Consent tab allows you to enforce content filtering on designated computers and provide optional filtering on other computers. Consent can be configured to require the user to agree to the terms outlined in an Acceptable Use Policy window before Web browsing is allowed. To enable the Consent properties, select Require Consent.
Security Services > Content Filter • Consent Accepted URL (filtering on) - When a user accepts the terms outlined in the Consent page and chooses to access the Internet with the protection of Content Filtering, they are shown a Web page confirming their selection. Enter the URL of this page in the Consent Accepted (filtering on) field. This page must reside on a Web server and be accessible as a URL by users on the network.
Settings

• Server Host Name or IP Address - Enter the Server Host Name or the IP address of the Websense Enterprise server used for the Content Filter List.
• Server Port - Enter the UDP port number on which the SonicWALL “listens” for the Websense Enterprise traffic. The default port number is 15868.
• User Name - To enable reporting of users and groups defined on the Websense Enterprise server, leave this field blank.
Chapter 72: Activating SonicWALL Client Anti-Virus

Security Services > Client AV Enforcement

By their nature, anti-virus products typically require regular, active maintenance on every PC. When a new virus is discovered, all anti-virus software deployed within an organization must be updated with the latest virus definition files. Failure to do so severely limits the effectiveness of anti-virus software and disrupts productive work time.
SonicOS supports both McAfee and Kaspersky client anti-virus for client AV enforcement. These services are licensed separately, allowing you to purchase the desired number of each license for your deployment.

Activating SonicWALL Client Anti-Virus

If SonicWALL Client Anti-Virus is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL Client Anti-Virus from a SonicWALL reseller or from your mysonicwall.
Your SonicWALL Client Anti-Virus subscription is activated on your SonicWALL security appliance.
Step 4 When you activate SonicWALL Client Anti-Virus at www.mysonicwall.com, the SonicWALL Client Anti-Virus activation is automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL security appliance.
Step 3 In the configuration window, select the Enable Client AV Enforcement Service checkbox.
Step 4 Click OK.

Configuring Client Anti-Virus Settings

The Settings section provides basic policy and enforcement configuration.
Configuring Client Anti-Virus Policies

The following features are available in the Client Anti-Virus Policies section:
• Disable policing from Trusted to Public - When unchecked, this option enforces anti-virus policies on computers located on Trusted zones. Checking it allows computers on a trusted zone (such as the LAN) to access computers on public zones (such as the DMZ), even if anti-virus software is not installed on the LAN computers.
Step 2 In the Edit Address Object Group window, select the address groups for which McAfee should be enforced in the left box and click the right arrow to move them into the box on the right.
Step 3 Click OK.
Step 4 To create another address group for McAfee enforcement, click the Add Entry (plus sign) button, and fill in the Name, Zone, Starting IP Address, and Ending IP Address for the range of clients in the Add Address Object window. Click OK.
Step 12 To create another address group for enforcement exclusion, click the Add Entry (plus sign) button, and fill in the Name, Zone, Starting IP Address, and Ending IP Address for the range of clients in the Add Address Object window. Click OK.
Step 13 For computers whose addresses do not fall in any of the above lists, select the default enforcement setting from the drop-down list below the Client Anti-Virus Enforcement section.
Chapter 73: Managing SonicWALL Gateway Anti-Virus Service

Security Services > Gateway Anti-Virus

SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic.
desktops. New signatures are created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts, open source developers and other sources. SonicWALL GAV can be configured to protect against internal threats as well as those originating outside the network.
Remote Site Protection
Step 1 Users send typical e-mail and files between remote sites and the corporate office.
Step 2 SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security appliance.
Step 3 Viruses are found and blocked before infecting remote desktops.
Step 4 The virus is logged and an alert is sent to the administrator.
HTTP File Downloads
Step 1 Client makes a request to download a file from the Web.
Step 2 File is downloaded through the Internet.
Step 3 File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
Step 4 If a virus is found, the file is discarded.
Step 5 The virus is logged and an alert is sent to the administrator.
(Figure labels: Infected File, Network Security Appliance, Virus Discarded, Alert Logged)

Server Protection
Step 1 Outside user sends an incoming e-mail.
single-pass, per-packet basis. The reassembly-free virus scanning functionality of the SonicWALL GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream.
Note If you already have a mysonicwall.com account, go to “Registering Your SonicWALL Security Appliance” on page 1229.
Step 1 Log into the SonicWALL security appliance management interface.
Step 2 If the System > Status page is not displayed in the management interface, click System in the left-navigation menu, and then click Status.
Registering Your SonicWALL Security Appliance
Step 1 Log into the SonicWALL security appliance management interface.
Step 2 If the System > Status page is not displayed in the management interface, click System in the left-navigation menu, and then click Status.
Step 3 On the System > Status page, in the Security Services section, click the Register link. The mysonicwall.com Login page is displayed.
Step 4 Enter your mysonicwall.
If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services:
Step 1 On the Security Services > Gateway Anti-Virus page, click the SonicWALL Gateway Anti-Virus Subscription link. The mysonicwall.com Login page is displayed.
Step 2 Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit.
Activating FREE TRIALs

You can try FREE TRIAL versions of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service. You must activate each service separately from the Manage Services Online table on the System > Licenses page or by clicking the FREE TRIAL link on the respective Security Services page (i.e. Security Services > Gateway Anti-Virus).
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL GAV on your SonicWALL security appliance.

Enabling SonicWALL GAV

You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings section to enable SonicWALL GAV on your SonicWALL security appliance. You must specify the zones on which you want SonicWALL GAV protection on the Network > Zones page.
Applying SonicWALL GAV Protection on Zones

You can enforce SonicWALL GAV not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing LAN traffic.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature database for updates. The SonicWALL security appliance automatically attempts to synchronize the database on startup, and once every hour.
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL GAV to perform specific actions within the context of the application to gracefully handle the rejection of the payload. By default, SonicWALL GAV inspects all inbound HTTP, FTP, IMAP, SMTP and POP3 traffic.
Restricting File Transfers

For each protocol you can restrict the transfer of files with specific attributes by clicking the Settings button under the protocol in the Gateway Anti-Virus Global Settings section. These restrict transfer settings include:
• Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected ZIP files over any enabled protocol. This option only functions on protocols (e.g.
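A password-protected ZIP file cannot be scanned for viruses, which is why the option above blocks it outright rather than letting it through unscanned. The attribute that identifies such a file is in the archive itself: every ZIP local file header carries a general-purpose flag word whose bit 0 marks the entry as encrypted. The parser below is an added example written for this guide, not SonicWALL code; it reads that header structure directly and reports whether any entry in an archive is encrypted. The two sample archives are constructed inline (Python's zipfile module cannot write encrypted entries, so the encrypted one is assembled by hand with dummy payload bytes).

```python
"""Added example (not SonicWALL code): detect a password-protected ZIP by
parsing ZIP local file headers. General-purpose bit 0 = entry is encrypted
(ZIP application note). Sample archives below are constructed for the demo."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"      # 30 fixed bytes before the file name
ENCRYPTED_FLAG = 0x0001                 # general-purpose bit 0


def local_headers(data: bytes):
    """Yield (file_name, flags) for every local file header in a ZIP byte string.
    Each header is parsed, then the scan skips past the name, extra field and
    compressed data. If an entry uses a data descriptor (bit 3) the size field
    is 0, so the search for the next signature simply resumes after the header."""
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        yield name, flags
        pos += 30 + name_len + extra_len + csize


def has_encrypted_entry(data: bytes) -> bool:
    """True if any entry in the archive has the encrypted bit set."""
    return any(flags & ENCRYPTED_FLAG for _name, flags in local_headers(data))


def make_plain_zip() -> bytes:
    """Constructed, unencrypted sample archive with one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample, not encrypted")
    return buf.getvalue()


def make_encrypted_stub_zip() -> bytes:
    """Constructed archive whose single entry has the encrypted bit set.
    The payload is dummy bytes (stored, method 0): 12 bytes standing in for the
    traditional PKWARE encryption header plus 5 bytes of 'data'. That is all
    the flag check needs; the entry is not a decryptable file."""
    name = b"secret.txt"
    payload = b"\x00" * 12 + b"dummy"
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, ENCRYPTED_FLAG,
                         0, 0, 0, 0, len(payload), len(payload) - 12, len(name), 0)
    return header + name + payload


if __name__ == "__main__":
    for label, blob in (("plain", make_plain_zip()), ("encrypted", make_encrypted_stub_zip())):
        print(label, [n for n, _ in local_headers(blob)], has_encrypted_entry(blob))
```

A real gateway check runs this kind of header test on the stream as it passes; the point of the example is that the decision needs only the 30-byte local header of each entry, not the archive contents, which is also why the option can act before the (unscannable) payload is delivered.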
Configuring Gateway AV Settings

Clicking the Configure Gateway AV Settings button at the bottom of the Gateway Anti-Virus Global Settings section displays the Gateway AV Settings window, which allows you to configure clientless notification alerts and create a SonicWALL GAV exclusion list.
Tip The HTTP Clientless Notification feature is also available for SonicWALL Anti-Spyware. Optionally, you can configure the timeout for the HTTP Clientless Notification on the Security Services > Summary page under the Security Services Summary heading.

Configuring a SonicWALL GAV Exclusion List

Any IP addresses listed in the exclusion list bypass virus scanning on their traffic.
Optionally, certain cloud signatures can be excluded from enforcement to alleviate false positive problems or to enable downloading specific virus files as necessary. To configure the exclusion list, click Cloud AV DB Exclusion Settings.
1. Enter the Cloud AV Signature ID. This must be a numeric value.
2. Click the Add button.
3. To view the latest information on a signature, select the signature ID in the list and click the Sig Info button.
Viewing SonicWALL GAV Signatures

The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note Signature entries in the database change over time in response to new threats.
Navigating the Gateway Anti-Virus Signatures Table

The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures table. The Items field displays the table number of the first signature. If you’re displaying the first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
Chapter 74: Activating Intrusion Prevention Service

Security Services > Intrusion Prevention Service

SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, e-mail, file transfer, Windows services and DNS. SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and backdoor exploits.
How SonicWALL’s Deep Packet Inspection Works

Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWALL Intrusion Prevention Service.
SonicWALL IPS Terminology
• Stateful Packet Inspection - looking at the header of the packet to control access based on port, protocol, and IP address.
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities.
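The two terms above, and the reassembly-free scanning that the Gateway Anti-Virus chapter attributes to the same Deep Packet Inspection engine, can be shown side by side in a few lines. The code below is an added example for this guide, not SonicWALL's engine: `stateful_allows` decides on header fields only, while `StreamScanner` runs a signature automaton over the payload bytes of a TCP stream and carries only its automaton position from one packet to the next, so a signature split across two packets is still detected without buffering any stream bytes. The packet class, the signature strings and the sample packets are constructed for the illustration.

```python
"""Added example (not SonicWALL code): stateful (header-only) inspection versus
deep packet inspection that matches a payload signature across packet
boundaries while keeping only automaton state, not stream bytes, between
packets. Packets and signatures below are constructed for the demo."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str
    src_port: int
    dst_port: int
    payload: bytes


def stateful_allows(pkt: Packet, allowed_services) -> bool:
    """Stateful packet inspection: the decision uses protocol and destination
    port only; the payload is never examined."""
    return (pkt.proto, pkt.dst_port) in allowed_services


def kmp_failure(pattern: bytes):
    """Failure table for a Knuth-Morris-Pratt matcher over bytes."""
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail


@dataclass
class StreamScanner:
    """Scans one TCP stream for a signature byte by byte. Between calls to
    feed() only `state` (how much of the signature has been seen) survives;
    previously seen bytes are never stored, which is the reassembly-free idea."""
    pattern: bytes
    state: int = 0
    fail: list = field(init=False)

    def __post_init__(self):
        self.fail = kmp_failure(self.pattern)

    def feed(self, chunk: bytes) -> bool:
        for b in chunk:
            while self.state and b != self.pattern[self.state]:
                self.state = self.fail[self.state - 1]
            if b == self.pattern[self.state]:
                self.state += 1
            if self.state == len(self.pattern):
                return True      # full signature seen; caller blocks the stream
        return False


def deep_inspect(packets, signature: bytes) -> int:
    """Deep packet inspection over a packet sequence of one stream. Returns the
    index of the packet in which the signature completes, or -1 if not found."""
    scanner = StreamScanner(signature)
    for i, pkt in enumerate(packets):
        if scanner.feed(pkt.payload):
            return i
    return -1


if __name__ == "__main__":
    # Constructed stream: the signature "EVIL-SIG-1" is split over two packets.
    stream = [Packet("tcp", 40000, 80, b"GET /index.html EVIL-S"),
              Packet("tcp", 40000, 80, b"IG-1 HTTP/1.0\r\n\r\n")]
    print([stateful_allows(p, {("tcp", 80)}) for p in stream])   # both pass
    print(deep_inspect(stream, b"EVIL-SIG-1"))                   # found in packet 1
```

Running the sample shows the gap between the two techniques: the header check admits both packets because they are ordinary HTTP to port 80, while the payload scanner reports the signature in the second packet even though neither packet contains it whole.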
Tip If your SonicWALL security appliance is connected to the Internet and registered at mysonicwall.com, you can activate a 30-day FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service separately from the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware, and Security Services > Intrusion Prevention pages in the management interface.
Step 5 In the mysonicwall Account page, enter your information in the Account Information, Personal Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Note Remember your username and password to access your mysonicwall.com account.
Step 6 Click Submit after completing the MySonicWALL Account form.
Step 7 When the mysonicwall.
Step 7 Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit your needs.
Step 8 Click Submit.
Step 9 When the mysonicwall.com server has finished processing your registration, a page is displayed informing you that the SonicWALL security appliance is registered. Click Continue, and the System > Licenses page is displayed showing you the available services.
Step 4 Type in the Activation Key in the New License Key field and click Submit. SonicWALL Intrusion Prevention Service is activated. The System > Licenses page is displayed with the Anti-Spyware and Gateway Anti-Virus links displayed at the bottom of the Manage Services Online table with the child Activation Keys.
Step 5 Click on the Gateway Anti-Virus link. The child Activation Key is automatically entered in the New License Key field.
Note For complete instructions on setting up SonicWALL Intrusion Prevention Service, refer to the SonicWALL Intrusion Prevention Service Administrator’s Guide available on the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html.

Selecting Security Services > Intrusion Prevention displays the configuration settings for SonicWALL IPS on your SonicWALL security appliance.
Applying SonicWALL IPS Protection on Zones

You apply SonicWALL IPS to zones on the Network > Zones page to enforce SonicWALL IPS not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL IPS on the LAN zone enforces SonicWALL IPS on all incoming and outgoing LAN traffic.
Chapter 75: Activating Anti-Spyware Service

Security Services > Anti-Spyware Service

SonicWALL Anti-Spyware is part of the SonicWALL Gateway Anti-Virus, Anti-Virus and Intrusion Prevention Service solution that provides comprehensive, real-time protection against viruses, worms, Trojans, spyware, and software vulnerabilities.
Note Refer to the SonicWALL Anti-Spyware Administrator’s Guide on the SonicWALL Web site (http://www.sonicwall.com/us/Support.html) for complete product documentation.
Creating a mysonicwall.com Account

Creating a mysonicwall.com account is fast, simple, and FREE. Simply complete an online registration form in the SonicWALL security appliance management interface.
Note If you already have a mysonicwall.com account, go to “Registering Your SonicWALL Security Appliance” on page 1256.
Step 1 Log into the SonicWALL security appliance management interface.
Registering Your SonicWALL Security Appliance
Step 1 Log into the SonicWALL security appliance management interface.
Step 2 If the System > Status page is not displayed in the management interface, click System in the left-navigation menu, and then click Status.
Step 3 On the System > Status page, in the Security Services section, click the Register link. The mysonicwall.com Login page is displayed.
Step 4 Enter your mysonicwall.
To try a FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, or SonicWALL Intrusion Prevention Service, perform these steps:
Step 1 Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware, or Security Services > Intrusion Prevention page. The mysonicwall.com Login page is displayed.
Step 2 Enter your mysonicwall.
Step 5 Click on the Gateway Anti-Virus link. The child Activation Key is automatically entered in the New License Key field. The child Activation Key is a different key than the parent key for the SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service.
Step 6 Click Submit.
Chapter 76: Configuring SonicWALL Real-Time Blacklist

SMTP Real-Time Black List Filtering

The Security Services > RBL Filter page has been moved to Anti-Spam > RBL Filter. Clicking the RBL Filter selection under Security Services in the left navigation pane opens the Anti-Spam > RBL Filter page.
Chapter 77: Configuring Geo-IP and Botnet Filters

This chapter contains the following sections:
• “Security Services > Geo-IP Filter” on page 1262
• “Security Services > Botnet Filter” on page 1264
Security Services > Geo-IP Filter

The Geo-IP Filter feature allows administrators to block connections to or from a geographic location. The SonicWALL appliance uses the IP address to determine the location of the connection. To configure Geo-IP Filtering, perform the following steps:
1. Enable Block connections to/from following countries to block all connections to and from specific countries.
2.
For this feature to work correctly, the country database must be downloaded to the appliance. The Status indicator at the top right of the page turns yellow if this download fails. Green status indicates that the database has been successfully downloaded. Click the Status button to display more information. In order for the country database to be downloaded, the appliance must be able to resolve the address "geodnsd.global.sonicwall.com".
Security Services > Botnet Filter

The Botnet Filtering feature allows administrators to block connections to or from Botnet command and control servers. To configure Botnet filtering, perform the following steps:
1. Enable Block connections to/from Botnet Command and Control Servers to block all servers that are designated as Botnet servers. Use the exclusion list below to exclude approved IP addresses.
2.
Checking Geographic Location and Botnet Server Status

The Botnet Filter also provides the ability to look up IP addresses to determine the domain name, DNS server, the country of origin, and whether or not it is classified as a Botnet server. To do so, perform the following steps:
1. Scroll to the bottom of the Security Services > Botnet Filter page.
2. Enter the IP address in the Lookup IP field and click Go.
Note This Geo Location and Botnet Server status tool can also be accessed from the System > Diagnostics page.
Part 19: SonicOS 5.
Chapter 78: WAN Acceleration

WAN Acceleration Overview

This chapter provides an overview of the SonicWALL WXA series appliance, basic and advanced deployment scenarios, and configuration and verification examples.
What is WAN Acceleration?

The SonicWALL WXA series appliances deployed in one-arm mode with SonicWALL NSA/TZ series appliances allow network administrators to accelerate WAN traffic using Transmission Control Protocol (TCP) and Windows File Sharing (WFS) between a data center and a remote site.
Three separate TCP connections are created between network devices that work together to accelerate traffic using TCP Acceleration. This reduces response time to packet losses and increases throughput. The three TCP connections are created independently, with the connection from the remote site’s PC to the remote site’s SonicWALL WXA series appliance being the initiator. If one of the sessions is not established, then the remaining connections are closed immediately.
Benefits

The WFS Acceleration service provides the following benefits:
• Increased data transfer speeds
• Low latency
• Advanced data security

How Does Windows File Sharing Acceleration Work?

WFS Acceleration reduces overall network congestion with techniques such as data compression and storing recurrent data patterns in a local cache.
Step 3 The SonicWALL WXA at the data center is configured to share All Shares on the File Server.
Step 4 The SonicWALL WXA at the remote site is configured to share All Shares on the WXA appliance located at the data center.
Steps 3 and 4 allow the domain users to access shares on the data center.
WAN Acceleration > Status

• It is recommended that the WXA appliance retrieve NTP updates from the Domain Controller.
• It is recommended that the DNS server accept secure updates.
• Configure the zone properties of an interface to which the WXA appliance is connected as a LAN zone.

Configuration Task List Overview

This section provides an overview of the SonicOS user interface for the SonicWALL WXA series appliance.
Figure 4 WAN Acceleration > Status Page
Action Items - Provides the options to Refresh, Probe for WXA, Create static DHCP lease for WXA, and Apply Changes. See “Action Items” section on page 1276 for details.
System Information Panel - Displays system details of the SonicWALL WXA series appliance. See “System Information Panel” section on page 1276 for details.
Device Configuration Panel - Enables and configures the SonicWALL WXA series appliance.
Action Items
Refresh - Refreshes the WAN Acceleration > Status page. The refresh interval can be entered in the text field. The interval can be increased to a maximum of 600 seconds. Click the Refresh symbol to manually update the Status page. Click the Pause button to stop updates on the page.
Probe for WXA - Checks for the presence of a SonicWALL WXA series appliance.
Create Static DHCP Lease for WXA
Apply Changes
WXA Interface - Displays the SonicWALL NSA/TZ series appliance interface that the SonicWALL WXA series appliance is connected to.
WXA IP Address - Displays the IP address of the SonicWALL WXA series appliance. Note: this field is read-only.
WAN Acceleration > TCP Acceleration

WFS Acceleration Panel
Enabled - This checkbox is selected by default and greyed out if the WAN Acceleration service is enabled. Disable WFS Acceleration by navigating to WAN Acceleration > WFS Acceleration.
Operational Status - The current status of the WFS Acceleration connection, displayed as a colored icon. • Green shows a ready status.
Windows Domain
Total Data Reduction (%)
WAN Capacity Increase Factor
Cache Size
Configuration Tab - Enables the TCP Acceleration service and selects the mode, service object, and exclude objects. The WAN Acceleration feature must be enabled before you can enable or configure the TCP Acceleration service. Enable WAN Acceleration in the WAN Acceleration > Status page. See “Configuration Tab” section on page 1280 for details.
Statistics Tab - Displays egress and ingress data for the TCP Acceleration service.
Configuration Tab

Figure 6 TCP Acceleration > Configuration
Enable TCP Acceleration - Enables or disables the TCP Acceleration service. This is selected by default.
TCP Acceleration Mode - Selects exceptions to the TCP Acceleration service.
TCP Acceleration Service Object - Selects service objects to exclude from the TCP Acceleration service. To add new service objects to the drop-down list, navigate to Network > Address Objects.
Statistics Tab

Figure 7 TCP Acceleration > Statistics
Covering Period - Click the Covering Period drop-down list and select the period of time the data displays on the Statistics tab.
Refresh Actions - Refreshes the WAN Acceleration > Statistics tab. The refresh interval can be entered in the text field. The interval can be increased to a maximum of 600 seconds. Click the Refresh symbol to manually update the Statistics tab.
Connections Tab

Figure 8 TCP Acceleration > Connections
Remote Node - Select the remote node that your SonicWALL WXA series appliance is associated with.
# Entries - Select the number of entries to display in the Connections tab.
Refresh Actions - Refreshes the WAN Acceleration > Connections tab. The refresh interval can be entered in the text field. The interval can be increased to a maximum of 600 seconds.
WAN Acceleration > WFS Acceleration

This section describes the entities that are present on the WAN Acceleration > WFS Acceleration page.

Figure 9 WAN Acceleration > WFS Acceleration
Configuration Tab - Enables WFS Acceleration and allows the user to choose the IP address to associate with the service. See “” section on page 1283 for details.
Domain Details Tab
Shares Tab
Statistics Tab
Tools Tab
Configuration Tab

The Configuration tab allows you to enable the WFS Acceleration service and select a public IP address for the WXA series appliance.

Figure 10 WFS Acceleration > Configuration
Enable WFS Acceleration Checkbox - Enables (checked) the WFS Acceleration service on the WXA series appliance. Enabled by default.
‘Public’ WFS Acceleration Address Drop-down
Apply Changes Button
Note
Domain Details Tab

The Domain Details tab allows you to configure the SonicWALL WXA series appliance to match the Microsoft Windows domain it is to join. The SonicWALL WXA series appliance may automatically discover the domain details if the DNS server configured on the SonicWALL NSA/TZ series appliance is a domain controller and the DNS server is correctly configured in the domain.
Figure 12 WFS Acceleration > Domain Details (Name Auto-discovered)
Auto-discovered Domain Panel
Fully Qualified Domain Name: - The fully qualified domain name (FQDN) of your Windows domain that the SonicWALL WXA series appliance will join. To change the FQDN, you must unjoin the domain. Click the Edit button to modify the FQDN (Figure 13 on page 1288).
Hostname: - Displays the hostname for the SonicWALL WXA series appliance. If an account is created on the domain using the SonicWALL WXA series appliance hostname, the SonicWALL WXA series appliance attempts to join the domain.
Join Domain - The SonicWALL WXA series appliance joins the domain (becomes part of the domain) that is identified in the FQDN. The Join Domain pop-up window is displayed (Figure 18 on page 1291). If the SonicWALL WXA series appliance has previously joined the domain, the Rejoin Domain button is displayed.
Removes all information about the current domain that the SonicWALL WXA series appliance has joined.
Tests the WFS Acceleration service.
Figure 14
Hostname: Text Field - Input the desired hostname or leave the input field blank to use the default hostname.
Apply Button - Applies all changes.
Cancel Button - Cancels the operation.
Note If the device has already joined the domain, changing the host name requires the device to rejoin the domain.
Figure 16 Time Synchronization Pop-up Window
Use the Domain Controller for Time Synchronization: Checkbox - When enabled (checked) the domain controller is used as the time synchronization source.
NTP Server: Text Field - Overrides the domain controller synchronization by specifying an NTP server in the required field.
Validate Button
Apply Button
Cancel Button
Figure 17 Advanced Options Pop-up Window
Client Signing: Drop-down - Identifies the server message block (SMB) signing between the SonicWALL WXA series appliance and the Windows client.
Server Signing: Drop-down - Identifies the SMB signing between the SonicWALL WXA series appliance and the server.
Max Transmit: Text Field - Sets the largest block of data that can be written at any one time.
Apply Button - Applies all changes.
Cancel Button
Figure 18
Shares Tab

The Shares tab configures the SonicWALL WXA series appliance to accelerate specific shares and servers.

Figure 19 WFS Acceleration > Shares
Add New Server... Link
Remote Server Name Column
Local Device Name Column
Default Cache Enabled Column
Default Cache Read Ahead Column
Configure Column
Add New Share...
Figure 20 Add Server and Edit Server Details Pop-up Windows
Remote Server Name: Text Field and Drop-down - The name of the remote server. If you do not remember the name, select a name from the drop-down, which displays a list of the detected servers (not always available).
Note The remote server can either be a Windows server or another SonicWALL WXA series appliance acting as a proxy server.
Local Device Name: Text Field and Drop-down
Default Cache Read Ahead: Text Field (Add Server Pop-up only) - The default size (measured in bytes) for read-ahead speed in the cache.
Add All Shares: Checkbox
Apply Button
Cancel Button

Figure 21 Add Share and Edit Share Details Pop-up Windows
All Shares Option
Share Name: Option with Text Field and Drop-down
Cache Enabled: Checkbox
Cache Read Ahead: Text Field
Apply Button
Cancel Button
Statistics Tab

The Statistics tab displays performance statistics for the WFS Acceleration service.

Figure 22 WFS Acceleration > Statistics
Covering Period Drop-down - The time interval of the displayed statistics.
Overview Table
Refresh Actions
Refresh Actions - Refreshes the current page. The refresh interval can be entered in the text field. The maximum time interval that can be set is 600 seconds. Click the Refresh symbol to manually update the page. Click the Pause symbol to stop updates on the page.
Egress Charts - Displays the egress (outgoing) traffic in Bytes and Packets reviewed.
Ingress Charts - Displays the ingress (incoming) traffic in Bytes and Packets reviewed.
Flush Cache Button
Figure 23 DNS Name Lookup Panel

The DNS Name Lookup Panel displays the following information:
Primary DNS (read-only): Displays the primary DNS which was configured on the SonicWALL NSA/TZ security appliance using the Network > DNS page or the Network > DHCP Server > Edit > DNS/WINS tab.
Figure 24 Available Shares Panel

The Available Shares Panel provides the following configuration options:
Note If the SonicWALL WXA series appliance has already joined the domain, you can use the SonicWALL WXA series appliance credentials and the username/password does not need to be entered.
Host: Text Field. The name of the server on which the shares reside.
Username: Text Field
Password: Text Field
Go Button
Figure 25 Test WFS Configuration Option

The Test WFS Configuration Panel provides the following configuration options:
Username: Text Field. The username for the user’s account.
Password: Text Field. The password for the user’s account.
Run WFS Configuration Tests Button

Figure 26
WAN Acceleration > System

This section describes the entities that are present in the WAN Acceleration > System tabs.

Figure 27 WAN Acceleration > System

System Status Tab: Displays the system details about the SonicWALL WXA series appliance including system information, time settings, and system statistics.
Interface Status Tab: Monitors the WAN Acceleration interfaces by displaying the status and statistics.
System Status Tab

Figure 28 Advanced > System Status

System Information Panel (Read-only): Displays the following information:
• Model Number
• Serial Number
• Firmware Version
Time Settings Panel: Configure the time synchronization source (Figure 29), refresh the UTC time, or view the local time on the client. The SonicWALL WXA series appliance is required to synchronize its time with the domain controller.
Diagnostics Report Button: Downloads a diagnostics report file. This file is sent to technical support and reviewed for diagnostic help.
Power Off Button: Shuts down the SonicWALL WXA series appliance.
Reboot Button: Reboots the SonicWALL WXA series appliance.
Set Time Button: Resets the time on the appliance. This synchronizes the SonicWALL WXA series appliance with the time on the domain controller.
Interface Status Tab

Figure 30 System > Interface Status

Refresh: Refreshes the Interface Status tab. The refresh interval can be entered in the text field. The interval can be increased to a maximum of 600 seconds. Click the Refresh button to manually update the Interface Status tab. Click the Pause button to stop updates on the page.
Statistics Panel: Displays the following (Read-Only) packet flow information for active flows:
• # Bytes
• Packet Count
• Packet Errors
• Dropped Packets
• Collisions
• Actual MTU
Ping Gateway: Sends a ping request to the SonicWALL WXA series appliance. The SonicWALL NSA/TZ series appliance uses Address Resolution Protocol (ARP) to ping the gateway.
Renew DHCP Lease: Renews the DHCP lease for the SonicWALL WXA series appliance.
Management Tab

Figure 32 System > Management

SNMP Panel: Enables the SNMP (Simple Network Management Protocol) server. Add read-only and read-write communities for a specific client IP or subnet, see Figure 33.
Syslog Server Panel: Sets the server IP address for sending log messages.
Apply Changes Button: Applies all changes.
Figure 33 Add New Community Pop-Up Window

Community Name: Enter the community name being used to communicate with the SNMP feature.
Access: Select none, read-only, or read-write.
Any Source: Select the Any Source checkbox to remove all source restrictions.
Source: Select the Source checkbox to enter a source manually.
Apply: Applies all changes.
Cancel: Cancels the operation.
Firmware Tab

Figure 35 System > Firmware

Current Settings Panel: Allows you to download a copy of the current settings. Perform this before making any changes to the firmware.
Firmware Upgrade Panel: Configures the SonicWALL WXA series appliance with the latest firmware. A step-by-step procedure walks you through the firmware upgrade process.
Factory Reset Panel: Restores the SonicWALL WXA series appliance to the factory default settings.
WAN Acceleration > Logs

The WAN Acceleration > Log page provides a detailed list of the log event messages. On this page, you can configure how the Logs are viewed.

Figure 36 WAN Acceleration > Log

Minimum Priority: Displays the log entries by minimum priority type.
Categories: Displays the log entries by categories.
# Entries: Selects the number of entries displayed in the logs list.
Refresh: Refreshes the WAN Acceleration > Logs page.
Configuring WAN Acceleration

This section includes procedures for configuring the SonicWALL WXA series appliance. All configuration procedures are performed on the SonicWALL NSA/TZ series appliance’s management interface. Refer to the “Configuration Task List Overview” section on page 1274 for details on the SonicWALL NSA/TZ management interface.
The Interface Settings General Tab is displayed.

Step 9 Enter and do the following:
• Zone: Drop-down — LAN
• Mode/IP Assignment: Drop-down — Static IP Mode
• IP Address: Text Field — Enter the IP Address for the port. This example uses 10.203.30.162.
• Subnet Mask: Text Field — Enter the subnet mask for the port.
• (Optional) Comment: Text Field — Enter text that describes the device. For example, WXA connection.
Step 13 Under the DHCP Server Lease Scopes, click Add Dynamic. The Dynamic Range Configuration window is displayed.
Step 14 Do the following:
a. Select the Enable this DHCP Scope checkbox.
b. Select the Interface Pre-Populate checkbox and then select port X5 in the drop-down. The information will be auto-populated.
c. Click OK.
Step 15 Connect an Ethernet cable from the SonicWALL WXA series appliance to the X5 port on the SonicWALL NSA/TZ security appliance.
Step 16 Confirm that the SonicWALL NSA/TZ has a DHCP lease for the SonicWALL WXA. Navigate to the Network > DHCP Server page.
Step 17 Navigate to the WAN Acceleration > Status page.
Step 18 Click Create static DHCP lease for WXA. A DHCP lease will be set for the SonicWALL WXA series appliance.
Step 19 Verify that the lease was created. Navigate to the Network > DHCP Server page. A dynamic range is set for the WXA appliance.
Configuring TCP Acceleration

The TCP Acceleration service can be deployed in three different deployment scenarios: site-to-site VPN, routed mode, and layer 2 bridge mode.
The Configure VPN Policy pop-up window displays.

Figure 38 VPN Policy Advanced Configuration

Step 3 Select the Advanced tab.
Step 4 Select the checkbox for Permit TCP Acceleration.
Step 5 Click the OK button. Your SonicWALL WXA series appliance is now configured to permit TCP Acceleration; see Configuring the TCP Acceleration Tab, page 1323, to finish configuring the TCP Acceleration service.
Configuring TCP Acceleration on a Non-VPN (Routed Mode)

If you do not have a VPN configured on your network and you are using a custom routing policy, you need to add two routing policies on each site: one for outgoing traffic and one for incoming traffic. Both routing policies are configured to permit TCP Acceleration. The illustration below displays the configuration between two non-VPN sites.
Configuring a Routing Policy for Outgoing Traffic

The steps in this section are configured from the Remote Site. Follow the same steps for configuring the Data Center.

Step 1 Navigate to the Network > Address Objects page.

Figure 40 Network > Address Objects

Step 2 Click the Add button. The Add Address Object Group pop-up window displays.

Figure 41 Add Address Object Group

Step 3 Enter a name (Data Center) for the address object in the Name text field.
Step 9 Navigate to the Network > Routing page.

Figure 42 Add Routing Policies

Step 10 Click the Add button.
The Route Policy Settings pop-up window displays.

Figure 43 Route Policy Settings

Step 11 Click the Source drop-down and select Any.
Step 12 Click the Destination drop-down and select the address object you created (Data Center).
Step 13 Click the Service drop-down and select Any.
Step 14 Click the Gateway drop-down and select the X1 Default Gateway.
Step 15 Click the Interface drop-down and select the X1 interface.
Step 16 Enter 1 in the Metric text field.
Configuring a Routing Policy for Incoming Traffic

The steps in this section are configured from the Remote Site. Follow the same steps for configuring the Data Center.

Step 1 Navigate to the Network > Address Objects page.

Figure 44 Network > Address Objects

Step 2 Click the Add button. The Add Address Object Group pop-up window displays.

Figure 45 Add Address Object Group

Step 3 Enter a name (Remote Site) for the address object in the Name text field.
Step 9 Navigate to the Network > Routing page.

Figure 46 Add Routing Policies

Step 10 Click the Add button. The Route Policy Settings pop-up window displays.

Figure 47 Route Policy Settings

Step 11 Click the Source drop-down and select Data Center.
Step 12 Click the Destination drop-down and select the address object you created (Remote Site).
Step 13 Click the Service drop-down and select Any.
Step 14 Click the Gateway drop-down and select (0.0.0.0).
Step 15 Click the Interface drop-down and select the X0 interface.
Step 16 Enter 1 in the Metric text field. This gives the route policy a high priority level. A larger metric number would have a lower priority.
Step 17 Select the Permit TCP Acceleration checkbox.
Step 18 Click the OK button.
Example 2

To configure acceleration of only HTTP web traffic, follow the steps below:
Step 1 Navigate to WAN Acceleration > TCP Acceleration.
Step 2 Select the Configuration tab.

Figure 49 Configuring TCP Acceleration Example 2

Step 3 Click the Enable TCP Acceleration checkbox.
Step 4 In the TCP Acceleration Mode drop-down, select Only TCP Services Specified in TCP Acceleration Service Object.
Example 3

To configure acceleration of everything except Microsoft SQL database traffic or traffic to the Guest Authentication Servers, follow the steps below:
Step 1 Navigate to WAN Acceleration > TCP Acceleration.
Step 2 Select the Configuration tab.

Figure 50 Configuring TCP Acceleration Example 3

Step 3 Select the Enable TCP Acceleration checkbox.
Configuring WFS Acceleration

This section provides details on configuring WFS Acceleration. The SonicWALL WXA series appliance must be connected to a SonicWALL NSA or TZ series appliance on a port other than X0 and X1. In this example, X5 is used as the connection to the SonicWALL WXA series appliance.
Enabling WFS Acceleration

Once you have configured the network interface for the port that connects the SonicWALL WXA series appliance to the SonicWALL NSA or TZ series appliance, you can configure WFS Acceleration. Before you choose how you want to join the SonicWALL WXA series appliance to the domain, you must enable WFS Acceleration on your SonicWALL NSA/TZ security appliance.
Joining the Domain

After you have configured the network interface, enabled WFS Acceleration, and created a DHCP Scope, you can configure the local and remote domains.
Step 3 Enter your settings, and then click Apply Changes. The page will be populated with the Configured Domain settings.
Step 4 Click Join Domain. The Join Domain pop-up window displays.
Step 5 Enter the username and password for the administrator of the domain. It will be an account on the domain controller. The WXA series appliance will create a computer account on the domain controller, using the hostname that was used in step 2.
At the SonicWALL NSA/TZ security appliance nearest to the domain controller (data center site), perform the following steps:
Step 1 Log in to the SonicWALL NSA/TZ security appliance at the data center.
Step 2 Navigate to the WAN Acceleration > WFS Acceleration page.
Step 3 Click the Shares tab.
Step 4 Click Add New Server.... The Add Server Pop-up window is displayed.
At the SonicWALL NSA/TZ security appliance farthest from the domain controller (remote site), perform the following steps:
Step 1 Log in to the NSA/TZ security appliance at your remote site.
Step 2 Navigate to the WAN Acceleration > WFS Acceleration page.
Step 3 Click the Shares tab.
Step 4 Click Add New Server....
Step 5 Make sure the Remote Server Name and the Local Device Name (from step 4 for the data center site) text fields match.
Automatically Joining the Domain for WFS Acceleration

To auto-join the SonicWALL WXA series appliances, perform the following steps:
Step 1 Access the domain controller and create a computer account. The computer account must use the default hostname or a hostname specified in the Domain Details tab (the name of the WXA series appliance). If a new hostname is entered in the Domain Details tab, it overrides the default hostname.
Step 4 Right-click on the computer account, go to Properties, and select the setting Trusted for Delegation.
Step 5 Open a cmd.exe window.
Step 6 Set the password for the computer account, where ABCD-EFGH is the auth code.
Note The password for the computer account must be the auth code found on the WAN Acceleration > Status page on the SonicWALL NSA/TZ security appliance.
At the SonicWALL NSA/TZ security appliance nearest to the domain controller (data center site), perform the following steps:
Step 1 Log in to the SonicWALL NSA/TZ security appliance at the data center.
Step 2 On the SonicWALL NSA/TZ security appliance, navigate to the WAN Acceleration > WFS Acceleration page.
Step 3 Navigate to the WAN Acceleration > WFS Acceleration page.
Step 4 Click Domain Details.
Step 6 Click Add New Server.... The Add Server Pop-up window is displayed.
• Remote Server Name: Text Field — Enter the host name of the DC/Share server.
• Local Device Name: Text Field — Enter the domain name of the SonicWALL WXA series appliance on the local site, or one of its SPN Aliases; it must resolve to the public WFS IP address. Alternatively, select a local device name from the drop-down list.
• Add All Shares: Checkbox. Select this checkbox; deselect it to add shares manually.
Step 5 Make sure the Remote Server Name and the Local Device Name (from step 4 for the data center site) text fields match.
Step 6 Enter the information for this server, and then click Apply.
Step 7 Explore the path \\fastbox\ on the PC located at the remote site.
Configuring Reverse Lookup

After both WXA appliances are added to the domain, corresponding Computer Accounts for the WXA appliances, DNS Host names, and PTR records are automatically created on the DC and DNS servers. For PTR records to be updated, relevant Reverse Lookup Zones must be configured on the DNS servers. The networks used for Reverse Lookup Zones depend on whether WFS acceleration is using NAT.
[Figure: network diagram with labels File Server, PC, WXA series appliance, Switch, Remote Site (A), NSA/TZ series appliance, Domain Controller, Data Center, Remote Site (B)]

Note For WFS, you must access the share name that is mapped to the WXA appliance and not the actual file share. For example, //WXA-Test rather than //FileServer1.
Note For adding/configuring shares for FileServer1, see “Joining the Domain” on page 1328.
Step 1 Add the WXA-4000-GMS hostname as the SPN for host WXA-4000.
setspn -A CIFS/WXA-4000-GMS WXA-4000
Step 2 Add the WXA-4000-GMS.utm.soniclab.us hostname as the SPN for host WXA-4000.
setspn -A CIFS/WXA-4000-GMS.utm.soniclab.us WXA-4000
Step 3 Confirm that the hostnames were added correctly.
setspn -L WXA-4000
Step 4 Add the WXA-2000-GMS hostname as the SPN for host WXA-2000.
setspn -A CIFS/WXA-2000-GMS WXA-2000
Step 5 Add WXA-2000-GMS.utm.soniclab.
Step 9 Configure FileServer2 on the data center as follows: On the NSA/TZ security appliance, navigate to the WAN Acceleration > WFS Acceleration page, click the Shares tab, expand Shares in the Configuration column, and then click Add New Shares.... The Add Server window appears.
Step 10 Enter and do the following:
a. Remote Server Name: GMSSERVER (FileServer1 name)
b. Local Device Name: WXA-4000-GMS (refers to FileServer2)
c. Click Apply.
Note The newly created hostnames for the data center and remote office should be updated with the NAT IP of the X0 interface on the NSA/TZ security appliance that is located at the data center and remote office, respectively.

[Figure: Data Center and Remote Office]

Step 6 Ping the IPs at the data center and remote offices to verify correct connectivity. The WXA-4000 will resolve to X.X.1.100 and the WXA-2000 will resolve to A.A.240.1.
Figure 53 Remote Office
Verifying WAN Acceleration Configurations

This section details how to verify that the TCP Acceleration and WFS Acceleration on your SonicWALL WXA series appliance are configured correctly.

Verifying the TCP Acceleration Configuration

After you complete the TCP Acceleration configuration procedures, verify that TCP Acceleration is working by checking the WAN Acceleration > Statistics Tab.
Verifying the WFS Acceleration Configuration

After completing the step-by-step WFS Acceleration configuration procedures, verify that WFS Acceleration is working by one of two methods:
• Click the Test Configuration button in the WFS Acceleration > Domain Details tab.
• Click the Run WFS Configuration Tests button in the WFS Acceleration > Tools tab.
Verify Using the WFS Acceleration > Tools Tab

To verify that the WFS Acceleration service was configured successfully using the WFS Acceleration > Tools tab, perform the following steps:
Step 1 Navigate to WAN Acceleration > WFS Acceleration.
Step 2 Click the Tools tab.
Step 3 In the Diagnostic Tools drop-down, select Test WFS Configuration.
Step 4 Click Run WFS Configuration Test. The results display when the test is complete.
Troubleshooting WFS Acceleration

Problem: The Joined Domains checkbox is not selected in the Domain Details tab.
Solution: Click Join Domain at the bottom of the page. When the Join Domain pop-up window is displayed, leave the fields empty, and then click Apply. This action will force the WXA series appliance to join the domain.
Part 20:
Chapter 79: Managing Log Events

Log > View

The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column. The SonicWALL security appliance can alert you of important events, such as an attack on the SonicWALL security appliance.
Log View Table

The log is displayed in a table and is sortable by column. The log table columns include:
• Time - the date and time of the event.
• Priority - the level of priority associated with your log event.
Clear Log

To delete the contents of the log, click the Clear Log button near the top right corner of the page.

Export Log

To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:
• Plain text format--Used in log and alert e-mail.
• Comma-separated value (CSV) format--Used for importing into Excel or other presentation development applications.
Step 3 Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:
(Source IP OR Destination IP) AND Protocol
Step 4 Click Apply Filter to apply the filter immediately to the Log View Settings table.
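The Group Filters logic just described, as an added example that is not part of the SonicOS guide: a small evaluator applies a set of Log View criteria to constructed sample entries, combining the grouped criteria with OR and the rest with AND. The column keys, the LogFilter class and the sample entries are assumptions made for this example.

```python
"""Log > View filter evaluation with Group Filters (added example, not SonicOS
code): criteria with Group Filters checked are ORed together and that clause
is ANDed with every other criterion."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Column labels as shown in the Log View filter table (assumed keys).
LABELS = {"source_ip": "Source IP", "destination_ip": "Destination IP",
          "protocol": "Protocol", "priority": "Priority"}

# Constructed sample log entries (not real appliance output).
SAMPLE_LOG: List[Dict[str, str]] = [
    {"time": "10:00:01", "priority": "Alert", "source_ip": "10.0.0.5",
     "destination_ip": "192.0.2.10", "protocol": "TCP"},
    {"time": "10:00:02", "priority": "Info", "source_ip": "10.0.0.7",
     "destination_ip": "192.0.2.10", "protocol": "UDP"},
    {"time": "10:00:03", "priority": "Notice", "source_ip": "10.0.0.9",
     "destination_ip": "192.0.2.20", "protocol": "TCP"},
    {"time": "10:00:04", "priority": "Info", "source_ip": "10.0.0.5",
     "destination_ip": "192.0.2.20", "protocol": "UDP"},
]


@dataclass
class LogFilter:
    """criteria: column -> required value; grouped: columns with Group Filters checked."""
    criteria: Dict[str, str]
    grouped: Set[str] = field(default_factory=set)

    def _or_columns(self) -> List[str]:
        # Group Filters needs two or more checked criteria to form an OR clause;
        # a single checked column is just an ordinary AND criterion.
        cols = [c for c in self.criteria if c in self.grouped]
        return cols if len(cols) >= 2 else []

    def expression(self) -> str:
        """Render the filter as the boolean string the page shows, e.g.
        '(Source IP OR Destination IP) AND Protocol'."""
        or_cols = self._or_columns()
        terms = []
        if or_cols:
            terms.append("(" + " OR ".join(LABELS.get(c, c) for c in or_cols) + ")")
        terms += [LABELS.get(c, c) for c in self.criteria if c not in or_cols]
        return " AND ".join(terms)

    def matches(self, entry: Dict[str, str]) -> bool:
        or_cols = self._or_columns()
        # The OR clause must match on at least one grouped column...
        if or_cols and not any(entry.get(c) == self.criteria[c] for c in or_cols):
            return False
        # ...and every remaining criterion must match (AND).
        return all(entry.get(c) == v for c, v in self.criteria.items() if c not in or_cols)

    def apply(self, log: List[Dict[str, str]]) -> List[Dict[str, str]]:
        return [e for e in log if self.matches(e)]


if __name__ == "__main__":
    f = LogFilter({"source_ip": "10.0.0.5", "destination_ip": "192.0.2.20", "protocol": "TCP"},
                  grouped={"source_ip", "destination_ip"})
    print(f.expression())
    for e in f.apply(SAMPLE_LOG):
        print(e["time"], e["source_ip"], "->", e["destination_ip"], e["protocol"])
```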
While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF. Consider the minimal requirements of effective data analysis:
• Reliable storage of data
• Effective indexing of data
• Classification of interesting content
Together, a UTM device (a SonicWALL appliance) and a data-recorder (a Solera Networks appliance) satisfy the requirements to offer outstanding forensic and data-leakage capabilities.
6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.

Methods of Access

The client and NPCS must be able to reach one another. Usually, this means the client and the NPCS will be in the same physical location, both connected to the SonicWALL appliance. In any case, the client will be able to directly reach the NPCS, or will be able to reach the NPCS through the SonicWALL.
Chapter 80: Configuring Log Categories

Log > Categories

This chapter provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.
Note You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a Web-based graphical reporting tool for detailed and comprehensive reports.
Log Severity/Priority

This section provides information on configuring the priority level at which log messages are captured and at which corresponding alert messages are sent through e-mail for notification.

Logging Level

The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped.
Log Categories

SonicWALL security appliances provide automatic attack protection against well-known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.
Log Type (Category): Description
Dropped TCP (Legacy): Logs blocked incoming TCP connections
Dropped UDP (Legacy): Logs blocked incoming UDP packets
Dynamic Address Objects (Extended): Logs Dynamic Address Object (DAO) activity
Firewall Event (Extended): Logs internal firewall activity
Firewall Hardware (Extended): Logs firewall hardware error events
Firewall Logging (Extended): Logs general events and errors
Firewall Rule (Extended): Logs firewall rule modifications
FTP (Extended): Logs FT
System Environment (Extended): Logs system environment activity
System Errors (Legacy): Logs problems with DNS or e-mail
System Maintenance (Legacy): Logs general system activity, such as system activations
User Activity (Legacy): Logs successful and unsuccessful log in attempts
VOIP (Extended): Logs VoIP H.323/RAS, H.323/H.225, and H.323/H.
Chapter 81: Configuring Syslog Settings

Log > Syslog

In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514.
Syslog Settings

• Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
Note See RFC 3164 - The BSD Syslog Protocol for more information.
• Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you’re using SonicWALL ViewPoint for your reporting solution. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
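An added example (not SonicOS code) covering the Syslog Facility setting here and the Logging Level control in the Log > Categories chapter: it encodes and decodes the RFC 3164 PRI value (facility * 8 + severity), rejects a missing or out-of-range PRI, and keeps only messages of equal or greater priority than a chosen level. The sample messages and function names are constructed for the example and do not reproduce the appliance's actual syslog message format.

```python
"""RFC 3164 PRI handling and a minimum-priority filter (added example, not
SonicOS code). Sample messages below are constructed, not appliance output."""
import re
from typing import Dict, List, Optional, Tuple

# RFC 3164 facility codes 0-23 and severity codes 0-7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
              "Informational", "Debug"]

# PRI is "<" + decimal number + ">" at the very start of the message; RFC 3164
# allows at most three digits, and the largest valid value is 191 (23 * 8 + 7).
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SAMPLE_MESSAGES = [
    "<134>Jan  1 10:00:01 fw sample: connection opened",   # local0, Informational
    "<129>Jan  1 10:00:02 fw sample: possible port scan",   # local0, Alert
    "<132>Jan  1 10:00:03 fw sample: admin login failed",   # local0, Warning
    "<135>Jan  1 10:00:04 fw sample: debug trace",          # local0, Debug
    "Jan  1 10:00:05 fw sample: line without a PRI",        # malformed, skipped
]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_message(line: str) -> Optional[Dict[str, object]]:
    """Return the decoded PRI and remaining text, or None if PRI is absent or invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "severity_code": pri % 8, "text": m.group(2)}


def filter_by_level(lines: List[str], logging_level: str) -> List[Dict[str, object]]:
    """Keep messages of equal or greater priority than logging_level. A lower
    severity code means higher priority, so 'Debug' passes everything and
    'Emergency' passes only emergencies."""
    threshold = SEVERITIES.index(logging_level)
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg["severity_code"] <= threshold:
            kept.append(msg)
    return kept


if __name__ == "__main__":
    for msg in filter_by_level(SAMPLE_MESSAGES, "Warning"):
        print(msg["facility"], msg["severity"], msg["text"])
```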
Syslog Servers

Adding a Syslog Server

To add syslog servers to the SonicWALL security appliance:
Step 1 Click Add. The Add Syslog Server window is displayed.
Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.
Step 3 If your syslog is not using the default port of 514, type the port number in the Port Number field.
Step 4 Click OK.
Chapter 82: Configuring Log Automation

Log > Automation

The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.

E-mail Log Automation

• Send Log to E-mail address - Enter your e-mail address (username@mydomain.com) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
• Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field.
• Email Format - Specifies whether log emails will be sent in Plain Text or HTML format.
• Confirm Password - Confirm the password.
– Mask Password - Leave this enabled to send the password as encrypted text.
• DeepSee Base URL - Defines the format for the base URL for the DeepSee path. In the actual URL, the special tokens are replaced with the actual values.
• PCAP Base URL - Defines the format for the base URL for the PCAP path. In the actual URL, the special tokens are replaced with the actual values.
Chapter 83: Configuring Flow Reporting

Log > Flow Reporting

The Log > Flow Reporting page includes settings for configuring the SonicWALL to view statistics based on Flow Reporting and Internal Reporting. From this screen, you can also configure settings for internal and external flow reporting.
• “NetFlow Tables” on page 1381

External Flow Reporting Statistics

The External Flow Reporting Statistics apply to all external flows. This section shows reports of the flows that are sent to the server, not collected, dropped, stored in and removed from memory, and reported and not reported to the server. This section also includes the number of NetFlow and IP Flow Information Export (IPFIX) templates sent and general static flows reported.
Internal App Flow Reporting Statistics

The App Flow Reporting Statistics apply to all internal flows. Similar to the Flow Reporting Statistics, this section shows reports of the flows that are sent to the server, not collected, dropped, stored in and removed from memory, and reported and not reported to the server. This section also includes the number of static flows removed from the queue, internal errors, and the total number of flows within the internal database.
• Top Apps—Displays the Applications graph.
• Bits per second—Displays the Bandwidth graph.
• Packets per second—Displays the Packet Rate graph.
• Average packet size—Displays the Packet Size graph.
• Connections per second—Displays the Connection Rate graph.
• Core utility—Displays the Core Utilization graph.

External Collector Settings

The External Collector Settings section has configurable options for AppFlow reporting to an IPFIX or other external collector.
• External Collector’s IP address—Type in the external collector IP address to which the appliance will generate flow reports. This IP address must be reachable from the firewall. If this IP address is over a VPN tunnel, then the source IP must also be specified.
• Source IP To Use For Collector On A VPN tunnel—If the collector specified in the previous field is reachable via a VPN tunnel, then type in the source IP address that matches the correct VPN policy.
– URL ratings
– VPNs
– Devices
– SPAMs
– Locations
– VOIPs
• Include Following Additional Reports via IPFIX—Additional IPFIX reports can be generated from the firewall in IPFIX with extensions mode. Select one or more reports from this drop-down list:
– Top 10 Apps—Generate information about the top ten applications seen.
– Interface Stats—Generate interface statistics such as interface name, interface bandwidth utilization, MAC address, link status.
no rules have the flow reporting option enabled, no data will be reported to the AppFlow collector. This option is an additional way to control which flows are reported internally or externally.
• Report On Connection OPEN—Select this checkbox to report flows when a connection is opened. This is typically when a connection is established. Enabled by default.
• Report On Connection CLOSE—Select this checkbox to report flows when a connection is closed. Enabled by default.
• Include Following URL Types—Use this drop-down list to select the type of URLs to be reported. To skip reporting for specific types of URLs, clear the associated checkbox. This option applies to both App Flow (internal) and external reporting when using IPFIX with extensions. Select from the following:
– Gifs
– Jpegs
– Pngs
– Js
– Xmls
– Jsons
– Css
– Htmls
– Aspx
– Cms
• Enable Geo-IP and Domain Resolution—Select this checkbox to enable Geo-IP and Domain resolution.
User Configuration Tasks

Depending on the type of flows you are collecting, you will need to determine which type of reporting will work best with your setup and configuration. This section includes configuration examples for each supported NetFlow solution, as well as a section on viewing reports in Scrutinizer.
Step 3 Select Netflow version-9 from the External Flow Reporting Format drop-down list.
Step 4 Specify the External Collector’s IP address in the provided field.
Step 5 For the Source IP to Use For Collector on a VPN tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Step 6 Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
Note The above fields are the required fields for successful IPFIX configuration. All other configurable fields are optional.

IPFIX with Extensions Configuration Procedures

To configure IPFIX with extensions flow reporting, follow the steps listed below.
Step 1 In Settings, select the checkbox to Enable AppFlow To Local Collector.
Step 13 Select the tables for which to receive dynamic flows from the Send Dynamic AppFlow For Following Tables drop-down list.
Step 14 Select any additional reports to be generated for a flow from the Include Following Additional Reports via IPFIX drop-down list.

Viewing IPFIX with Extensions Reports With Scrutinizer
One external flow reporting option that works with IPFIX with Extensions is the third-party collector called Plixer Scrutinizer.
Step 6 Select the tables for which to receive static flows from the Send Static AppFlow For Following Tables drop-down list. Then, click Accept.
Note: Currently, Scrutinizer supports Applications and Threats only. Future versions of Scrutinizer will support the following Static Flows: Location Map, Services, Rating Map, Table Map, and Column Map.
Step 7 Next, navigate to the Network > Interfaces screen.
Static Tables
Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to send just once. The following is a list of Static IPFIX tables that may be exported:
• Table Layout Map—This table reports SonicWALL's list of tables to be exported, including Table ID and Table Names.
• Connected Devices—This table reports the list of all devices connected through the SonicWALL appliance, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices.
• VPN Tunnels—This table reports all VPN tunnels established through the SonicWALL appliance.
• URL Rating—This table reports Rating IDs for all URLs accessed through the SonicWALL appliance.
NetFlow version 5 Flow Record Format

Bytes    Contents   Description
0-3      srcaddr    Source IP address
4-7      dstaddr    Destination IP address
8-11     nexthop    IP address of the next hop router
12-13    input      SNMP index of input interface
14-15    output     SNMP index of output interface
16-19    dPkts      Packets in the flow
20-23    dOctets    Total number of Layer 3 bytes in the packets of the flow
24-27    First      SysUptime at start of flow
28-31    Last       SysUptime at the time the last packet of the f
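The record layout above is what a collector has to decode when the appliance exports NetFlow version 5 to the UDP port configured earlier. The following parser is an added example and not code from the SonicOS guide or from SonicWALL: the fields srcaddr through Last follow the byte offsets in the table (dPkts at 16-19, the standard offset), and the remaining fields of the 48-byte v5 record (srcport, dstport, tcp_flags, prot, tos, AS numbers and masks) are taken from the standard NetFlow v5 layout rather than from the page. The sample datagram is constructed for the example, and the parser refuses a datagram shorter than the record count in its header announces, because a collector that trusts that count would otherwise read past the buffer.

```python
"""Parse a NetFlow version 5 export datagram into its header and flow records.

Added example, not code from the SonicOS guide. Field offsets srcaddr..Last
follow the table above; the remaining v5 record fields follow the standard
48-byte layout. The sample datagram is constructed for this example.
"""
import socket
import struct

# 24-byte v5 header: version, count, SysUptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 24

# 48-byte v5 flow record, network byte order, no implicit padding
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)          # 48
RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "First", "Last", "srcport", "dstport", "pad1", "tcp_flags", "prot",
    "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)


def parse_header(data):
    """Return the header as a dict; reject anything that is not version 5."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    names = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
             "flow_sequence", "engine_type", "engine_id", "sampling_interval")
    header = dict(zip(names, struct.unpack(HEADER_FMT, data[:HEADER_LEN])))
    if header["version"] != 5:
        raise ValueError("not a NetFlow v5 datagram (version=%d)" % header["version"])
    return header


def parse_record(chunk):
    """Decode one 48-byte record; addresses are rendered as dotted quads."""
    rec = dict(zip(RECORD_FIELDS, struct.unpack(RECORD_FMT, chunk)))
    for name in ("srcaddr", "dstaddr", "nexthop"):
        rec[name] = socket.inet_ntoa(rec[name])
    rec.pop("pad1")
    rec.pop("pad2")
    return rec


def parse_datagram(data):
    """Header plus exactly `count` records. A datagram shorter than the
    header announces is rejected rather than silently truncated."""
    header = parse_header(data)
    end = HEADER_LEN + header["count"] * RECORD_LEN
    if len(data) < end:
        raise ValueError("truncated datagram: header announces %d records"
                         % header["count"])
    records = [parse_record(data[off:off + RECORD_LEN])
               for off in range(HEADER_LEN, end, RECORD_LEN)]
    return header, records


def build_sample_datagram():
    """Constructed sample: two flows from LAN hosts to TEST-NET addresses."""
    flows = [
        # src, dst, nexthop, in, out, pkts, octets, first, last, sport, dport, flags, proto
        ("10.0.0.5", "203.0.113.10", "10.0.0.1", 1, 2, 12, 1480, 1000, 4500, 51234, 443, 0x18, 6),
        ("10.0.0.7", "198.51.100.53", "10.0.0.1", 1, 2, 1, 76, 2000, 2000, 51000, 53, 0x00, 17),
    ]
    out = struct.pack(HEADER_FMT, 5, len(flows), 5000, 1700000000, 0, 1, 0, 0, 0)
    for (s, d, nh, inp, outp, pkts, octets, first, last, sp, dp, flags, proto) in flows:
        out += struct.pack(RECORD_FMT,
                           socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton(nh),
                           inp, outp, pkts, octets, first, last, sp, dp,
                           0, flags, proto, 0,       # pad1, tcp_flags, prot, tos
                           0, 0, 24, 24, 0)          # src_as, dst_as, src_mask, dst_mask, pad2
    return out


def parse_sample():
    return parse_datagram(build_sample_datagram())


if __name__ == "__main__":
    header, records = parse_sample()
    print("NetFlow v%d, %d flows" % (header["version"], header["count"]))
    for r in records:
        print("%s:%d -> %s:%d proto=%d bytes=%d" % (
            r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"], r["prot"], r["dOctets"]))
```

Fields are decoded with a single `struct` format in network byte order, so the offsets in the table map one-to-one onto the format string; a collector that wants to verify the export is reaching it can feed the bytes of a received datagram to `parse_datagram` in place of the constructed sample.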
The following table details the NetFlow version 9 Template FlowSet Field Descriptions.

Field Name            Description
Template ID           The SonicWALL appliance generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.
Name                  The name of the NetFlow template.
Number of Elements    The number of fields listed in the NetFlow template.
Total Length          The total length in bytes of all reported fields in the NetFlow template.
The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates. The following template is an example of an IPFIX with extensions template.
Chapter 84: Configuring Name Resolution

Log > Name Resolution
The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the names/address pairs in a cache, to assist with future lookups.
• None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
• DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
• NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary.
• DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names.
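The four modes above differ only in which lookups are tried and in what order, and every mode sits behind the cache of name/address pairs the page mentions. The resolver below is an added example, not SonicOS code: it models that mode selection and cache. The DNS and NetBIOS lookups are injected callables so it runs offline; the lookup tables are constructed, and the cache lifetime and the caching of failed lookups are assumptions of this example rather than documented appliance behaviour.

```python
"""Resolve IP addresses in log reports to names, caching name/address pairs.

Added example, not SonicOS code. Modes mirror the Log > Name Resolution
choices (None, DNS, NetBIOS, DNS then NetBIOS). Lookup backends are injected;
the tables below are constructed for the example.
"""
import time


class LogNameResolver:
    MODES = ("None", "DNS", "NetBIOS", "DNS then NetBIOS")

    def __init__(self, mode, dns_lookup, netbios_lookup, cache_ttl=3600, clock=time.time):
        if mode not in self.MODES:
            raise ValueError("unknown mode %r" % (mode,))
        self.mode = mode
        self._dns = dns_lookup
        self._netbios = netbios_lookup
        self._ttl = cache_ttl          # assumption: cached pairs expire after this many seconds
        self._clock = clock
        self._cache = {}               # ip -> (name or None, expiry time)
        self.lookups = 0               # number of calls made to the backends

    def _backends(self):
        """Lookup functions in the order the selected mode tries them."""
        return {
            "None": (),
            "DNS": (self._dns,),
            "NetBIOS": (self._netbios,),
            "DNS then NetBIOS": (self._dns, self._netbios),
        }[self.mode]

    def resolve(self, ip):
        """Return a name for ip, or None. Cache hits never touch a backend."""
        now = self._clock()
        cached = self._cache.get(ip)
        if cached is not None and cached[1] > now:
            return cached[0]
        name = None
        for lookup in self._backends():
            self.lookups += 1
            name = lookup(ip)
            if name:
                break
        if self.mode != "None":
            # Assumption: failed lookups are cached too, so a report full of
            # unresolvable addresses does not re-query the servers per line.
            self._cache[ip] = (name, now + self._ttl)
        return name

    def annotate(self, ip):
        """Name with the raw address kept beside it: the address is what the
        firewall observed, the name is only what a name server answered."""
        name = self.resolve(ip)
        return "%s (%s)" % (name, ip) if name else ip


# Constructed tables standing in for a DNS reverse zone and NetBIOS replies.
DNS_PTR = {"10.0.0.5": "ws-05.corp.example", "10.0.0.9": "srv-09.corp.example"}
NETBIOS_NAMES = {"10.0.0.7": "LAPTOP-07", "10.0.0.9": "SRV09"}


def stub_dns(ip):
    return DNS_PTR.get(ip)


def stub_netbios(ip):
    return NETBIOS_NAMES.get(ip)


def make_resolver(mode, clock=time.time):
    return LogNameResolver(mode, stub_dns, stub_netbios, cache_ttl=60, clock=clock)


if __name__ == "__main__":
    r = make_resolver("DNS then NetBIOS")
    for ip in ("10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.99", "10.0.0.7"):
        print(r.annotate(ip))
    print("backend lookups:", r.lookups)
```

`annotate` deliberately keeps the address next to the resolved name: the name comes from whoever controls the reverse zone or answers the NetBIOS query, so in a report it is a label, not evidence, and the address the firewall actually saw should stay visible.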
Chapter 85: Generating Log Reports

Log > Reports
The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.
Note: SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances.
Data Collection
The Reports window includes the following functions and commands:
• Data Collection section: Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
• View Data section: Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.
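The three reports the page describes are all aggregations over the event log: a hit count per Web site, and byte totals per source address and per service, each cut to the top 25 and reset when a new sample period starts. The code below is an added example, not SonicOS code, that performs that rolling analysis over constructed log lines. The lines are only loosely modelled on key=value syslog output; the field names used (src, dst, dstname, proto, sent, rcvd) and the line format are assumptions of this example, not a specification of the appliance's syslog format.

```python
"""Rolling analysis of a firewall event log: most frequently accessed Web
sites, top bandwidth users by IP address, top bandwidth-consuming services.

Added example, not SonicOS code. The log lines and field names are
constructed for this example and are not the appliance's syslog format.
"""
import re
from collections import Counter

# key=value tokens; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

SAMPLE_LOG = """\
id=firewall time="2011-06-01 09:00:01" msg="Web site accessed" src=10.0.0.5:51234:X0 dst=198.51.100.20:80:X1 dstname=www.example.com proto=tcp/http
id=firewall time="2011-06-01 09:00:03" msg="Connection Closed" src=10.0.0.5:51234:X0 dst=198.51.100.20:80:X1 proto=tcp/http sent=1200 rcvd=45000
id=firewall time="2011-06-01 09:00:05" msg="Web site accessed" src=10.0.0.5:51240:X0 dst=198.51.100.21:443:X1 dstname=login.example.com proto=tcp/https
id=firewall time="2011-06-01 09:00:09" msg="Connection Closed" src=10.0.0.5:51240:X0 dst=198.51.100.21:443:X1 proto=tcp/https sent=800 rcvd=9000
id=firewall time="2011-06-01 09:01:00" msg="Web site accessed" src=10.0.0.7:50010:X0 dst=198.51.100.20:80:X1 dstname=WWW.EXAMPLE.COM proto=tcp/http
id=firewall time="2011-06-01 09:01:01" msg="Connection Closed" src=10.0.0.7:50011:X0 dst=10.0.0.1:53:X0 proto=udp/dns sent=76 rcvd=300
id=firewall time="2011-06-01 09:01:20" msg="Connection Closed" src=10.0.0.7:50012:X0 dst=203.0.113.10:443:X1 proto=tcp/https sent=500 rcvd=120000
id=firewall time="2011-06-01 09:02:00" msg="Administrator login allowed" usr=admin
"""


def parse_kv(line):
    """Split one log line into a dict of key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def endpoint_ip(value):
    """'10.0.0.5:51234:X0' -> '10.0.0.5' (port and interface are optional)."""
    return value.split(":")[0]


def to_int(value):
    """Byte counters are optional and untrusted text; treat anything odd as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


class RollingReport:
    TOP_N = 25

    def __init__(self):
        self.reset()

    def reset(self):
        """Clear the statistics and begin a new sample period."""
        self.events = 0
        self.site_hits = Counter()
        self.bytes_by_user = Counter()
        self.bytes_by_service = Counter()

    def ingest(self, line):
        """Fold one log line into the running totals. Returns False for lines
        that carry no connection information (logins, system events, noise)."""
        rec = parse_kv(line)
        if "src" not in rec:
            return False
        self.events += 1
        user_ip = endpoint_ip(rec["src"])
        if rec.get("dstname"):
            self.site_hits[rec["dstname"].lower()] += 1
        volume = to_int(rec.get("sent")) + to_int(rec.get("rcvd"))
        if volume > 0:
            self.bytes_by_user[user_ip] += volume
            self.bytes_by_service[rec.get("proto", "unknown")] += volume
        return True

    def top_sites(self, n=TOP_N):
        return self.site_hits.most_common(n)

    def top_users(self, n=TOP_N):
        return self.bytes_by_user.most_common(n)

    def top_services(self, n=TOP_N):
        return self.bytes_by_service.most_common(n)


def build_sample_report():
    report = RollingReport()
    for line in SAMPLE_LOG.splitlines():
        report.ingest(line)
    return report


if __name__ == "__main__":
    report = build_sample_report()
    print("events analysed:", report.events)
    print("top sites:", report.top_sites())
    print("top users by bytes:", report.top_users())
    print("top services by bytes:", report.top_services())
```

Host names are lower-cased before counting so that one site is not split across several rows by case, and bandwidth is attributed to the source address only from lines that carry byte counters, which is why the "Web site accessed" lines count as hits but add no volume.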
Chapter 86: Activating SonicWALL ViewPoint

Log > ViewPoint
SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities.
Activating ViewPoint
The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods. If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept.
Warning: You must have a mysonicwall.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALL security appliance.
1.
2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.com account, the System > Licenses page appears after you click the SonicWALL Content Filtering Subscription link.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table.
Note: The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page. The IP address or FQDN you entered in the Add Syslog Server window is also displayed on the Log > Syslog page as well as in the Syslog Servers table on the Log > ViewPoint page. Clicking the Edit icon displays the Add Syslog Server window for editing the ViewPoint server information.
Part 21
Chapter 87: Configuring Internet Connectivity on SonicWALL Appliances

Wizards > Setup Wizard
The first time you log into your SonicWALL appliance, the Setup Wizard is launched automatically. To launch the Setup Wizard at any time from the management interface, click the Wizards button in the top right corner, and select Setup Wizard.
Essentially, NAT translates the IP addresses in one network into those for a different network. As a form of packet filtering for firewalls, it protects a network from outside intrusion from hackers by replacing the internal (LAN) IP address on packets passing through a SonicWALL with a "fake" one from a fixed pool of addresses. The actual IP addresses of computers on the LAN are hidden from outside view. This section describes configuring the SonicWALL appliance in the NAT mode.
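The two properties the paragraph attributes to NAT mode, LAN addresses replaced by an address from a fixed pool and LAN hosts invisible from outside, both come from a translation table that is only populated by outbound traffic. The model below is an added example, not SonicOS code and not a description of the appliance's NAT implementation: the pool, the LAN hosts, the packets, and the port-allocation policy are all constructed assumptions, chosen to show that an inbound packet is only translated back to a LAN host when it matches a translation that an outbound packet created.

```python
"""Simplified model of NAT mode: outbound packets leave with an address from
a fixed public pool; inbound packets reach a LAN host only through an
existing translation.

Added example, not SonicOS code. Pool, hosts, packets and the round-robin
port allocation are constructed assumptions of this model.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatTable:
    def __init__(self, public_pool, first_port=1024):
        self._pool = itertools.cycle(public_pool)   # fixed pool, used round-robin
        self._next_port = first_port
        # (lan_ip, lan_port, remote_ip, remote_port, proto) -> (public_ip, public_port)
        self.outbound = {}
        # (public_ip, public_port, remote_ip, remote_port, proto) -> (lan_ip, lan_port)
        self.inbound = {}
        self.dropped = 0

    def translate_outbound(self, pkt):
        """Rewrite the LAN source with a pool address; reuse an existing
        translation for the same flow so replies keep matching."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self.outbound:
            public = (next(self._pool), self._next_port)
            self._next_port += 1
            self.outbound[key] = public
            self.inbound[(public[0], public[1], pkt.dst_ip, pkt.dst_port, pkt.proto)] = (
                pkt.src_ip, pkt.src_port)
        public_ip, public_port = self.outbound[key]
        return Packet(public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt):
        """Restore the LAN destination for a packet that matches a translation;
        anything else is dropped, which is what hides the LAN from outside."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        lan = self.inbound.get(key)
        if lan is None:
            self.dropped += 1
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1], pkt.proto)


def run_demo():
    """Two LAN hosts open connections; one reply matches, one packet does not."""
    nat = NatTable(["203.0.113.10", "203.0.113.11"])      # constructed public pool
    out1 = nat.translate_outbound(Packet("192.168.168.20", 51234, "198.51.100.80", 443))
    out2 = nat.translate_outbound(Packet("192.168.168.21", 51234, "198.51.100.80", 443))
    reply = nat.translate_inbound(Packet("198.51.100.80", 443, out1.src_ip, out1.src_port))
    # Same public address and port as out1, but from a different remote host:
    # the translation is per flow, so this does not reach the LAN.
    stray = nat.translate_inbound(Packet("198.51.100.99", 33333, out1.src_ip, out1.src_port))
    return nat, out1, out2, reply, stray


if __name__ == "__main__":
    nat, out1, out2, reply, stray = run_demo()
    print("outbound 1 leaves as", out1)
    print("outbound 2 leaves as", out2)
    print("reply delivered to", reply)
    print("unmatched inbound delivered to", stray, "dropped so far:", nat.dropped)
```

The two LAN hosts use the same source port, which is why the translation is keyed on the whole flow rather than on the LAN address alone; the appliance's own NAT policies are configured later in the wizard and on the Network pages, and this model does not reproduce them.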
Change Password
4. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next.
Tip: It is very important to choose a password which cannot be easily guessed by others.

Change Time Zone
5. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL's internal clock is set automatically by a Network Time Server on the Internet. Click Next.
Configure 3G/Modem
6. If you are setting up a SonicWALL TZ series appliance that supports 3G devices for Wireless WAN connection over cellular networks, or supports analog modem devices for dial-up WAN connection, select the type of device:
   – 3G/mobile
   – Analog Modem

Configure 3G
7. If you are setting up a SonicWALL TZ series appliance that supports 3G devices for Wireless WAN connection over cellular networks, select how you will use the 3G device.
10. Click Next.

Configure Modem
11. If you are setting up a SonicWALL TZ series appliance that supports analog modem devices for dial-up WAN connection, select how you will use the modem. You can choose to use the modem:
   – As a backup to your WAN
   – As your primary internet connection. Note: If you choose to use the modem as your primary connection, the Setup Wizard will not ask you to configure the WAN interface.
   – Not use the modem
12. Click Next.
13.
WAN Network Mode: NAT Enabled
17. Enter the public IP address provided by your ISP in the SonicWALL WAN IP Address, then fill in the rest of the fields: WAN Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses. Click Next.
18. Proceed to "LAN Settings" on page 1404.

WAN Network Mode: NAT with DHCP Client
DHCP is a networking mode that allows you to obtain an IP address for a specific length of time from a DHCP server.
WAN Network Mode: NAT with PPPoE Client
NAT with PPPoE Client is a network protocol that uses Point to Point Protocol over Ethernet to connect with a remote site using various Remote Access Service products. This protocol is typically found when using a DSL modem with an ISP requiring a user name and password to log into the remote server. The ISP may then allow you to obtain an IP address automatically or give you a specific IP address.
21.
LAN Settings
Note: On a SonicWALL TZ series appliance, the LAN Settings and LAN DHCP Server settings are only displayed if you selected the Office Gateway deployment scenario.
27. The LAN page allows the configuration of the SonicWALL LAN IP Addresses and the LAN Subnet Mask. The SonicWALL LAN IP Addresses are the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN.
WLAN Radio Settings (SonicWALL wireless security appliances only)
Select whether or not you want to configure WiFi Protected Access (WPA) security:
• WPA/WPA2 Mode - WPA is the security wireless protocol based on the 802.11i standard. It is the recommended protocol if your wireless clients also support WPA.
• Connectivity - Caution! This mode offers no encryption or access controls and allows unrestrained wireless access to the device.
Ports Assignment
30. (SonicWALL TZ series and NSA 240 appliances only) Optionally, you can configure the initial PortShield group assignments for your appliance. See "Configuring PortShield Interfaces with the PortShield Wizard" on page 272 for more information on the PortShield wizard. Click Next.
SonicWALL Configuration Summary
31. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next.
32. The SonicWALL stores the network settings.
33. Click Close to return to the SonicWALL Management Interface.
Chapter 88: Using the Registration & License Wizard

Wizards > Registration & License Wizard
The SonicWALL Registration and License Wizard simplifies the process of registering your SonicWALL security appliance and obtaining licenses for additional security services. To use the Registration and License Wizard, complete the following steps:
Step 1 Launch the SonicWALL Configuration Wizard window by clicking Wizards in the left navigation panel.
Step 6 The Registration and License Wizard launches your mysonicwall.com shopping cart. Make sure that your pop-up blocker is turned off.
Step 7 Verify that the services you want to purchase are listed in the shopping cart. When you are finished selecting security services, click Checkout.
Step 8 The mysonicwall.com checkout page displays. Enter your credit card and billing information and click Confirm.
Step 9 The Confirm page displays.
Step 11 Click Next to synchronize your newly purchased licenses. The SonicWALL security appliance synchronizes with mysonicwall.com.
Step 12 Your new security services are now available on the SonicWALL security appliance. Click Close to close the wizard.
Chapter 89: Configuring a Public Server with the Wizard

Wizards > Public Server Wizard
1. Start the wizard: In the navigator, click Wizards.
2. Select Public Server Wizard and click Next.
3. Select the type of server from the Server Type list. Depending on the type you select, the available services change. Check the box for the services you are enabling on this server. Click Next.
4. Enter the name of the server.
5. Enter the private IP address of the server. Specify an IP address in the range of addresses assigned to the zone where you want to put this server.
9. The Summary page displays a summary of the configuration you selected in the wizard.
• Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the DMZ, the wizard binds the address object to the DMZ zone. It gives the object a name of the name you specified for the server plus "_private".
Chapter 90: Configuring VPN Policies with the VPN Policy Wizard

Wizards > VPN Wizard
The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN on the SonicWALL. After the configuration is completed, the wizard creates the necessary VPN settings for the selected VPN policy. You can use the SonicWALL Management Interface for optional advanced configuration options.
Step 4 In the IKE Phase 1 Key Method page, you select the authentication key to use for this VPN policy:
   – Default Key: If you choose the default key, all your Global VPN Clients will automatically use the default key generated by the SonicWALL to authenticate with the SonicWALL.
   – Use this Key: If you choose a custom preshared key, you must distribute the key to every VPN Client because the user is prompted for this key when connecting to the SonicWALL.
   – DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create the key pair. Each subsequent group uses larger numbers to start with. You can choose Group 1, Group 2, or Group 5. The VPN uses this during IKE negotiation to create the key pair.
   – Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt.
Step 9 If you enable user authentication, the users must be entered in the SonicWALL database for authentication. Click Next.
Note: Users are entered into the SonicWALL database on the Users > Local Users page, and then added to groups in the Users > Local Groups page.
Step 10 In the Configure Virtual IP Adapter page, select whether you want to use the SonicWALL's internal DHCP server to assign each VPN client an IP address from the LAN zone's IP range.
Configuring a Site-to-Site VPN using the VPN Wizard
You use the VPN Policy Wizard to create the site-to-site VPN policy.

Using the VPN Wizard to Configure Preshared Secret
Step 1 On the System > Status page, click on Wizards.
Step 2 In the Welcome to the SonicWALL Configuration Wizard page, select VPN Wizard and click Next.
Step 3 In the VPN Policy Type page, select Site-to-Site and click Next.
   – Policy Name: Enter a name you can use to refer to the policy. For example, Boston Office.
   – Preshared Key: Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation. You can use the default SonicWALL generated Preshared Key.
   – I know my Remote Peer IP Address (or FQDN): If you check this option, this SonicWALL can initiate the contact with the named remote peer. If you do not check this option, the peer must initiate contact to create a VPN tunnel.
If the object or group you want has not been created yet, select Create Object or Create Group. Create the new object or group in the dialog box that pops up. Then select the new object or group. For this example, select LAN Subnets.
   – Destination Networks: Select the network resources on the destination end of the VPN Tunnel. If the object or group does not exist, select Create new Address Object or Create new Address Group. For example:
     a. Select Create new Address Group.
     b.
   – Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. You can choose DES, 3DES, AES-128, or AES-256.
Chapter 91: Using the Application Firewall Wizard

Wizards > Application Firewall Wizard
The Application Firewall wizard provides safe configuration for many common use cases, but not for everything. If at any time during the wizard you are unable to find the options that you need, you can click Cancel and proceed using manual configuration. See "Application Control" on page 617 for more information on manual configuration.
Step 7 The screen displayed here will vary depending on your choice of policy rule in the previous step. For the following policy rules, the wizard displays the Set Application Firewall Object Content screen on which you can select the traffic direction to scan, and the content or keywords to match.
• Blocking Action - reset connection (Web Access, FTP)
• Blocking Action - add block message (FTP)
• Add Email Banner (append text at the end of email) (SMTP)
• Log Only (SMTP, POP3, Web Access, FTP)
Step 9 In the Application Firewall Action Settings screen (if it is displayed), in the Content text box, type the text or URL that you want to use, and then click Next.
Part 22
Appendix A: CLI Guide
This appendix contains a categorized listing of Command Line Interface (CLI) commands for SonicOS Enhanced firmware. Each command is described, and where appropriate, an example of usage is included.
Data              Data Format
Integer Values    0xH
Integer Range     D-D

Text Conventions
Bold text indicates a command executed by interacting with the user interface. Courier bold text indicates commands and text entered using the CLI. Italic text indicates the first occurrence of a new term, as well as a book title, and also emphasized text. In this command summary, items presented in italics represent user-specified information. Items within angle brackets ("< >") are required information.
Key(s)        Function
Up Arrow      Displays the previous command in the command history
Down Arrow    Displays the next command in the command history

Most configuration commands require completing all fields in the command. For commands with several possible completing commands, the Tab or ? key display all options.
Configuration Security
SonicWALL Internet Security appliances allow easy, flexible configuration without compromising the security of their configuration or your network.

Passwords
The SonicWALL CLI currently uses the administrator's password to obtain access. SonicWALL devices are shipped with a default password of password. Setting passwords is important in order to access the SonicWALL and configure it over a network.
Management Methods for the SonicWALL Network Security Appliance
You can configure the SonicWALL appliance using one of three methods:
• Using a serial connection and the configuration manager
   – An IP address assignment is not necessary for appliance management.
   – A device must be managed while physically connected via a serial cable.
• Web browser-based User Interface
   – An IP address must have been assigned to the appliance for management, or use the default of 192.168.168.168.
Initiating an SSH Management Session via Ethernet
Note: This option works for customers administering a device that does not have a cable for console access to the CLI.
Follow the steps below to initiate an SSH management session through an Ethernet connection from a client to the appliance.
1. Attach an Ethernet cable to the interface port marked X0. Attach the other end of the Ethernet cable to an Ethernet port on the configuring computer.
2.
Appendix A: CLI Guide Command clear pp-stats clear screen clear ssh clear ssh clear ssh all cls configure exit export preferences export preferences ftp export trace all export trace all ftp export trace current export trace current ftp export trace last export trace last ftp export tsr export tsr ftp firmware boot current firmware boot current factory firmware boot uploaded firmware boot uploaded factory firmware download current firmware download uploaded firmware upload help impor
Appendix A: CLI Guide Command language-override chinese language-override english language-override french language-override german language-override italian language-override japanese language-override spanish logout monitor no nslookup ping remote-console restart restore safemode show access-rules show address-group show address-group show address-object show address-object show alerts show all show arp show ars all s
Command                      Description
show ars rip                 Displays all ARS paths using Routing Information Protocol (RIP)
show baud                    Displays current baud rate
show buf-memzone             Displays current available space in buffer memory zone
show build-info              Displays current OS build information
show continuous core-work    Displays continuous core work resources
show continuous core-work    specified by particular integer or hexadecimal input
show continuous interface    Displa
Appendix A: CLI Guide Command show mem-pools show memory show memzone show messages show multicore show nat show show show show netstat network pp-stats processes show processes show route show security-services show service show service-groups show service-groups show service show show show show show session sonicpoint sonicpoint sessions sonicpoint status ssh show sslvpn all show sslvpn clientRoutes show sslvpn clientRoutes 1440 Soni
Appendix A: CLI Guide Command show sslvpn client Settings show sslvpn connections show sslvpn portalSettings show status show syslog show system show show show show show show tech-support timeout tracelog all tracelog current tracelog last tsr access-rules show tsr active-utm show tsr address-objects show tsr all show tsr anti-spam show tsr arp-cache show tsr av show tsr buf-memzone show tsr bwm-rules show tsr cache-check show tsr content-filtering show tsr db-trace show tsr dhcp-client show tsr dhcp-
Command
show tsr dhcp-server
show tsr dhcp-server-stat
show tsr diag
show tsr dynamic-dns
show tsr ethernet
show tsr fdr
show tsr gav
show tsr gsc
show tsr guest-profile-objects
show tsr h323
show tsr ha
show tsr hypervisor
show tsr idp
show tsr interfaces
show tsr ip-helper
show tsr ip-reassembly
show tsr ipsec
show tsr l2tp-client
show tsr l2tp-server
show tsr ldap
show tsr license
show tsr log
show tsr management
show tsr mcast-igmp-config
show tsr memzone
Appendix A: CLI Guide Command show tsr mirror-state show tsr msn show tsr nat-policies show tsr network show tsr objects show tsr pki show tsr pppoe-client show tsr pptp-client show tsr pref-status show tsr product show tsr qos show tsr radius show tsr route-policies show tsr rtsp show tsr schedule-objects show tsr service-objects show tsr single-sign-on show tsr sip show tsr snmp show tsr sonicpoint show tsr ssl-control show tsr stateful-stats show tsr stateful-sync show tsr status Description Displays
Command
show tsr time
show tsr timers
show tsr update
show tsr user-objects
show tsr users
show tsr vx-net-stats
show tsr wireless (Available on UTM appliances with built in wireless interfaces)
show tsr wlan-zone
show tsr wlb
show tsr zone-objects
show vpn policy
show vpn policy
show vpn sa
show vpn sa detail
show vpn sa summary
show vpn sa ike
show vpn sa ike detail
show vpn sa ike summary
show vpn sa ipsec
show vpn sa ipsec detail
show vpn sa ipsec summary
show v
Command                    Description
show vpn sa ike            Displays Internet Key Exchange data for a VPN security association, specified by a particular string input
show vpn sa ike detail     Displays details for Internet Key Exchange data for a VPN security association, specified by a particular string input
show vpn sa ike summary    Displays a summary for Internet Key Exchange data for a VPN
Command
show zones
stacktrace
stacktrace
sync-prefs
synchronize-licenses
traceroute
Table 7 Configure Level Commands

ACCESS RULES SUB-COMMANDS
access-rules
commands:
action
advanced
[no] allow-fragments
comment
destination
info
[no] logging
maxconns
qos dscp []
qos 802.
Appendix A: CLI Guide Command commands action advanced [no] allow-fragments comment destination info [no] logging qos dscp [] qos 802.1p [] maxconns schedule service source tcptimeout udptimeout user show access-rules 1448 SonicOS Enhanced 5.
ADDRESS GROUP/ADDRESS OBJECT SUB-COMMANDS
Command                Description
abort                  Exits to top-level menu and cancels changes where needed
[no] address-object    Configures or modifies an address
Appendix A: CLI Guide Command GMS SUB-COMMANDS algorithm [no] authentication-key [no] behind-nat bound-interface [no] enable encryption-key end finished help info [no] nat-address [no] over-vpn [no] send-heartbeat [no] server [no] standby-managementsa syslog-port HIGH AVAILABILITY SUB-COMMAND ha 1450 SonicOS Enhanced 5.
Appendix A: CLI Guide Command NAT SUB-COMMANDS nat Description Accesses sub-commands to configure NAT policies commands orig-src trans-src orig-dst orig-svc trans-svc inbound-interface outbound-interface [no] enable [no] reflexive comment info commands delete Sets the original source obj
Appendix A: CLI Guide Command commands [no] enable [no] comment orig-src trans-src orig-dst trans-dst orig-svc trans-svc inbound-interface outbound-interface info ROUTE SUB-COMMANDS route ars-nsm route ars-ospf route ars-rip 1452 SonicOS Enhanced 5.
Appendix A: CLI Guide Command SERVICE SUB-COMMANDS service Description Accesses sub-commands to configure individual services commands [no] service ip-type port-begin port-end info subtype commands Allows configuration of a new service type to be associated to the appliance Allows configuration of a new service group name Allows/Removes configuration of service type Allows ip-type to be set for a particul
Appendix A: CLI Guide Command Description SONICPOINT SUB-COMMANDS sync country-code Configures a SonicPoint profile Synchronizes configured SonicPoints Sets applicable country code for a SonicPoint [no] delete Deletes an operational SonicPoint from a deployment [no] enable Enables or disables a configured SonicPoint end Exits configuration mode exit Exits menu and applies changes finished Exits to top-level and applies changes where needed info Displays information on a spe
Appendix A: CLI Guide Command radio-a authtype radio-a beacon-interval radio-a channel radio-a datarate <6|9|12|18|24|36|48|54| best> radio-a dtim radio-a frag-thresh [no] radio-a hide-ssid radio-a maxclients radio-a radio-mode radio-a rts-thresh radio-a sched-onoff radio-a sched-scan radio-a ssid radio-a txpower radio-a wep key-value <1-4>
Appendix A: CLI Guide Command 1456 Description radio-a wpa interval Sets the length of time between re-keying the WPA key radio-a wpa psk Sets WiFi Protected Access Pre-shared key passphrase [no] radio-g enable Enables or disables 802.11g radio band wireless connections [no] radio-g acl enable Enables or disables the Access Control List radio-g acl allow Adds a specific MAC address to the Access Control List (ACL) to allow 802.
Appendix A: CLI Guide Command radio-g ofdm-power [no] radio-g preamblelong radio-g protection mode radio-g protection rate <1|2|5|11> radio-g protection type radio-g radio-mode radio-g rts-thresh radio-g ssid radio-g sched-onoff radio-g sched-scan [no] radio-g short-slot radio-g txpower radius1 address radius1 port radius1 secret radius2 address
SSH SUB-COMMANDS
ssh enable
ssh genkey
ssh port
ssh restore
ssh terminate

SSL VPN SUB-COMMANDS
sslvpn client
sslvpn portal
sslvpn settings

TIMEOUT SUB-COMMAND
timeout

VPN SUB-COMMANDS
[no] vpn
[no] vpn policy [preshared|manual|cert]

VPN SUB-COMMANDS (PRE-SHARED SECRET)
abort
[no] advanced apply-nat
[no] advanced auto-addrule
advanced bound-to interface
Appendix A: CLI Guide Command [no] advanced multicast [no] advanced netbios [no] advanced use-xauth [no] advanced user-login http [no] advanced user-login https cancel end exit finished gw domain-name gw ip-address id local id remote info network local |any|dhcp> network remote
Appendix A: CLI Guide Command proposal ipsec [] [encr ] [auth ] [dh <1|2|5>] [lifetime ] sec-gw domain-name sec-gw ip-address 1460 SonicOS Enhanced 5.
Appendix A: CLI Guide Command VPN SUB-COMMANDS (MANUAL KEY) abort Description [no] advanced apply-nat [no] advanced auto-addrule advanced bound-to interface advanced bound-to zone [no] advanced keepalive [no] advanced management http [no] advanced managment https [no] advanced multicast [no] advanced netbios [no] advanced use-xauth [no] advanced user-login http [no] advanced user-login https cancel end exit finished gw domain-nam
Appendix A: CLI Guide Command proposal ipsec [] [encr ] [auth ] [dh <1|2|5>] [lifetime ] sa [in-spi ] [out-spi ] [encr-key ] [auth-key ] VPN SUB-COMMANDS (3rd PARTY CERTIFICATE) abort [no] advanced apply-nat [no] advanced auto-addrule advanced bound-to interface advanced bound-to zone [no] advanced defaultlan-gw [no] advanced keepalive [no] advan
Appendix A: CLI Guide Command cert end exit finished gw domain-name gw ip-address id remote info network local | any> network remote | any> proposal ike [] [encr ] [auth ] [dh <1|2|5>] [lifetime ] proposal ipsec [] [encr
SSL VPN CLIENT SUB-COMMANDS
Command                    Description
abort                      Exits to top-level menu without applying changes
address                    which NetExtender clients are assigned an IP address
[no] auto-update           Enables/Disables auto-update which assists users in updating their NetExtender client when a newer version is required to establish a connection
cache-username-password    Sets the user name and password
SSL VPN PORTAL SUB-COMMANDS
Command               Description
abort                 Exits to top-level menu without applying changes
[no] auto-launch      Enables/Disables automatic launch of NetExtender after a user logs into the portal
banner-title          Sets the portal banner title that displays next to the logo on the portal home page
[no] cache-control    Ena
cancel
custom logo
[no] default-logo
[no] display-cert
end
exit
finished
help
info
no
show
site-title
Appendix A: CLI Guide Command SSL VPN ROUTE SUB-COMMANDS abort add-routes
cancel delete-routes end exit finished help info no show [no] tunnel-all WEB MANAGEMENT SUB-COMMANDS [no] web-management otp enable 1466 SonicOS Enhanced 5.Appendix A: CLI Guide Table 8 LAN Interface Configuration Command interface [] auto comment Description Assigns zone and enters the configuration mode for the interface Sets the interface to auto negotiate Adds comment as part of the port configuration duplex Sets the interface duplex speed end Exits the configuration mode finished Exits configuration mode to the top menu help Displays the command and description [no] https-redirect Enables
Table 9 WAN Interface Configuration
Command                          Description
auto                             Sets the interface to auto-negotiate
bandwidth-management enable      Enables bandwidth management
bandwidth-management size        Sets the bandwidth management size
comment                          Adds comme
duplex
end
finished
fragment-packets
ignore-df-bit
help
[no] https-redirect enable
info
[no] management enable
[no] user-login
mode

Mode DHCP WAN Interface Configuration
Command                          Description
end                              Exits configuration mode
finished                         Exits configuration mode to top menu
help                             Displays help for given command
info                             Displays IP information about the interface
[no] hostname                    Sets the hostname for the interface
release                          Releases IP address information
renew                            Renews IP address information

Mode PPTP WAN Interface Configuration
[no] dynamic
end
finished
help
[no] hostname
[no] inactivity tim

Command                          Description
info                             Displays IP information about the interface
[no] ip                          Sets/Clears the IP address for the interface
[no] password                    Sets/Clears the L2TP password
[no] server ip                   Sets/Clears the L2TP server IP address
start
stop
[no] username                    Sets/Clears the L2TP username
mtu                              Sets the MTU of the interface
name                             Sets the name for the interface
speed <10|100>                   Sets the interface speed

Other Interface Configu

Command
info
[no] lan-icmp
[no] lan-tcp
[no] lan-udp
[no] maintenance
[no] mgmt-80211b
[no] modem-debug
[no] sys-env
[no] sys-err
[no] tcp
[no] udp
[no] user-activity
[no] vpn-stat
[no] vpn-tunnel-status
[no] log filter-time
log ordering [invert]
name
[no] route default
[no] route [metric ]
[no] web-management http enable
web-management http port

Command
zone
end
finished
[no] intrazone-communications
auto
bandwidth-management enable
bandwidth-management size
comment
duplex
end
finished
fragment-packets
ignore-df-bit
show zone all
[no] sslvpn-access

SUB-COMMANDS
Command                          Description
abort                            Exits to top-level menu and cancels changes w
bypass antivirus
bypass auth
custom header-text
custom header-type
deny
enable
end
exit
finished
help
info
maxguests
no
pass
post enable
post url
show
smtp-redirect
Configuring Site-to-Site VPN Using CLI

This section describes how to create a VPN policy using the Command Line Interface. You can configure all of the parameters using the CLI and enable the VPN without using the Web management interface.

Note: In this example, the VPN policy on the other end has already been created.

CLI Access

1. Use a DB9 to RJ45 connector to connect the serial port of your PC to the console port of your firewall.
2.

Configuration

In this example, a site-to-site VPN is configured between two TZ 200 appliances, with the following settings:

Local TZ 200 (home):
   WAN IP: 10.50.31.150
   LAN subnet: 192.168.61.0
   Mask: 255.255.255.0

Remote TZ 200 (office):
   WAN IP: 10.50.31.104
   LAN subnet: 192.168.15.0
   Mask: 255.255.255.

4. Configure the Pre-Shared Key. In this example, the Pre-Shared Key is sonicwall:
   (config-vpn[OfficeVPN])> pre-shared-secret sonicwall
5. Configure the IPSec gateway:
   (config-vpn[OfficeVPN])> gw ip-address 10.50.31.104
6. Define the local and the remote networks:
   (config-vpn[OfficeVPN])> network local address-object "LAN Primary Subnet"
   (config-vpn[OfficeVPN])> network remote address-object "OfficeLAN"
7.
   Set Default Route OFF, Apply VPN Access Control List OFF
   Require GSC OFF
   Use Default Key OFF
   Policy: OfficeVPN (Enabled)
   Key Mode: Pre-shared
   Primary GW: 10.50.31.104
   Secondary GW: 0.0.0.
   Lan Default GW: 0.0.0.0
   Require XAUTH: OFF
   Bound To: Zone WAN

3. Type the command show vpn sa "name" to see the active SA:

   (config[TZ200])> show vpn sa "OfficeVPN"
   Policy: OfficeVPN
   IKE SAs
   GW: 10.50.31.150:500 --> 10.50.31.104:500
   Main Mode, 3DES SHA, DH Group 2, Responder
   Cookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)
   Lifetime: 28800 seconds (28783 seconds remaining)
   IPsec SAs
   GW: 10.50.31.150:500 --> 10.50.31.104:500
   (192.168.61.0 - 192.168.61.255) --> (192.168.15.0 - 192.
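The IKE SA line printed by show vpn sa above is where a reviewer reads the negotiated crypto. The following is an added Python example, not part of this guide or of SonicOS, that parses a constructed copy of that output and flags settings below an assumed review baseline (the DES/3DES, MD5 and DH-group thresholds are the example's assumptions, not SonicOS defaults):

```python
import re

# Constructed sample modelled on the "show vpn sa" output in the example above;
# the IPsec selector line, truncated on the page, is left out here.
SAMPLE_SHOW_VPN_SA = """\
Policy: OfficeVPN
IKE SAs
GW: 10.50.31.150:500 --> 10.50.31.104:500
Main Mode, 3DES SHA, DH Group 2, Responder
Cookie: 0x0ac298b6328a670b (I), 0x28d5eec544c63690 (R)
Lifetime: 28800 seconds (28783 seconds remaining)
IPsec SAs
GW: 10.50.31.150:500 --> 10.50.31.104:500
"""

IKE_RE = re.compile(r"^(\w+) Mode, (\S+) (\S+), DH Group (\d+), (Initiator|Responder)$")
LIFE_RE = re.compile(r"^Lifetime: (\d+) seconds \((\d+) seconds remaining\)$")

# Assumed review baseline, not SonicOS defaults: DES/3DES and MD5 are deprecated
# and DH group 2 (1024-bit MODP) is below current key-size guidance.
WEAK_ENCR, WEAK_AUTH, MIN_DH_GROUP = {"DES", "3DES"}, {"MD5"}, 14

def parse_ike_sa(text):
    """Parse the 'IKE SAs' block of 'show vpn sa'; None if no IKE SA is up."""
    sa, in_ike = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Policy: "):
            sa["policy"] = line[len("Policy: "):]
        elif line == "IKE SAs":
            in_ike = True
        elif line == "IPsec SAs":
            break                       # child SAs are not reviewed here
        elif in_ike and (m := IKE_RE.match(line)):
            sa.update(mode=m[1], encr=m[2], auth=m[3], dh=int(m[4]), role=m[5])
        elif in_ike and (m := LIFE_RE.match(line)):
            sa.update(lifetime=int(m[1]), remaining=int(m[2]))
    return sa if "encr" in sa else None

def review_ike_sa(sa):
    """Return review findings for a parsed IKE SA; an empty list means clean."""
    findings = []
    if sa["mode"] != "Main":
        findings.append(f"{sa['mode']} Mode sends peer identities unencrypted")
    if sa["encr"] in WEAK_ENCR:
        findings.append(f"encryption {sa['encr']} is deprecated")
    if sa["auth"] in WEAK_AUTH:
        findings.append(f"hash {sa['auth']} is deprecated")
    if sa["dh"] < MIN_DH_GROUP:
        findings.append(f"DH Group {sa['dh']} is weaker than group {MIN_DH_GROUP}")
    return findings
```

Run against the sample, the parsed SA yields two findings (3DES and DH group 2); the proposal ike command in the VPN sub-command table is where the stronger encr/auth/dh values would be set.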
   -t          1 automatic detect setting; 2 configuration script; 3 proxy server
   -s          proxy address/URL of automatic configuration script
   -o          port
   -u          user name
   -p          password
   -b          bypass proxy
   -save
   queryproxy
   reconnect
   viewlog
   -profile servername: connect to server directly when password has been saved

Example:
   NECLI -version
   NECLI connect -s 10.103.62.208 -d LocalDomain -u admin -p password
   NECLI connect -s 10.103.62.

   -r filename    Generate a diagnostic report.
   -v             Display NetExtender version information.
   -h             Display this usage information.

server: Specify the server either in FQDN or IP address. The default port for server is 443 if not specified.

Example:
   netExtender -u u1 -p p1 -d LocalDomain sslvpn.company.com
   [root@linux]# netExtender -u demo sslvpn.demo.sonicwall.
Index

Symbols
   1409, 1413, 1417–1418

Numerics
   802.11a 516, 522
   802.11b 467
   802.11g 467, 516, 522
   802.

application control
   action objects 642, 668
   application list objects 640, 666
   bandwidth management 621, 669
   BWM actions, predefined 642
   BWM policy precedence 626
   components 620
   create rule from App Flow Monitor 627
   data leakage prevention 618
   email address objects 646, 672
   filter by application 640
   filter by category 642
   licensing 647
   load from file 639, 647
   match objects 634, 665
   negative matching 639
   packet monitor action 626
   per action vs per policy BWM 625
   use cases 680
   wizard 663
application flow monit

diagnostics 165
   active connections monitor 169
   check network settings 168
   core monitor 172
   CPU monitor 173
   DNS name lookup 175
   find network path 175
   link monitor 174
   multi-core monitor 171
   packet size monitor 174
   ping 175
   reverse name resolution 177
   tech support report 166
   trace route 178
   user monitor 179
   web server monitor 178
Diffie-Hellman, see DH group
Distributed Enforcement Architecture (DEA)
DNS
   configuring 297
   inherit settings dynamically 298
   rebinding attack prevention 298
   specify DNS servers manua

high availability
   active/active UTM overview 1140
   active/active UTM prerequisites 1154
   applying licenses to each unit 1165
   associating appliances on MySonicWALL
   configuring Active/Active UTM 1159
   configuring advanced settings 1159
   configuring in SonicOS 1154
   configuring monitoring 1161
   configuring settings 1157
   configuring Stateful HA 1159
   crash detection 1136
   disabling PortShield 1155
   forcing transitions 1164
   how active/active UTM works 1140
   how it works 1135
   how stateful HA works 1137
   initial active/activ

N
log
   automation 57, 1365, 1369
   DeepSee 1367
   e-mail alert addresses 1365
   e-mailing logs 1351
   event message priority levels
   exporting 1351
   generating reports 1389
   legacy attacks 1357
   log categories 1359
   mail server settings 1365
   name resolution 1387
   PCAP 1367
   redundancy filter 1356
   view table 1350
   viewing events 1349
login pages
   customize 1026
   recovery 1027
login status window 1124
logs
   priority, configuring 1356
loopback policy 1415
M 1352
   MAC address 471
   MAC filter list 469, 489
   Macintosh using Samba

P
Q
packet monitor
   advanced filter settings 151
   basic operation 87, 154
   benefits 140
   configuring 143
   display filter 147
   export file types 162
   firewall rules based 144
   FTP logging 151
   hex dump 91, 158
   logging 149
   mirror settings 153
   mirroring status 160
   monitor filter settings 145
   overview 139–140
   packet details 91, 158
   starting capture 88, 155
   starting mirror 89, 156
   status indicators 159
   supported packet types 162
   viewing packets 89, 156
packet size monitor 174
password
   setup wizard 1399
PCAP 1367
phase

security services
   licenses 102
   managing online 1180
   manual upgrade 103
   manual upgrade for closed environments
   manually update 1183
   summary 1177
security services settings
   maximum security 1181
   performance optimized 1181
server protection 1226
service group
   public server wizard 1415
services 317
   adding custom services 320
   adding custom services group 323
   default services 318
   supported protocols 318
settings
   users 1019
   VPN 865
setup wizard
   change password 1399
   change time zone 1399
   configuration summary 1407

V
syslog
   adding server 1363
   event redundancy rate 1362
   server settings 1362
syslog server 1361
system
   alerts 97
   information 96
   network interfaces 100
   status 95
T
tap mode 262
Terminal Server 976
testing URL for user view in junk box summary
time
   NTP settings 128
   setting 127
time zone
   setup wizard 1399
tooltips 50
transmit power 486
Transparent Mode 188, 190, 192
trusted domains 1202 849
U
URL cache size 1206
user authentication
   VPN policy wizard 1419
user monitor 179
users
   acceptable use policy 1024
   a

WAN Acceleration 1269
   advanced page 1300
   configuration task list 1274
   configuring 1309
   configuring WFS acceleration 1326
   deployment considerations 1273
   logs 1308
   non-VPN configuration 1317
   overview 1270
   prerequisites 1273
   status 1274
   TCP acceleration 1278
   verifying configuration 1343
   VPN configuration 1315
   WFS acceleration 1283
WAN failover
   statistics 278
web proxy 417
   bypass proxy servers 418
   configuring 418
WEP 520, 524
wire mode 262
wireless
   IDS 543
   SonicPoints 515
wireless encryption
   authentication type
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale CA 94089-1306
T +1 408.745.9600
F +1 408.745.9300
www.sonicwall.

P/N: 232-000738-00 Rev E, 4/12
©2012 descriptions subject to change without notice. 07/07 SW 145