SonicWALL Network Security Appliances NSA 5000/4500/3500 Getting Started Guide
SonicWALL NSA Getting Started Guide

This Getting Started Guide provides instructions for basic installation and configuration of the SonicWALL Network Security Appliance (NSA) 5000/4500/3500 running SonicOS Enhanced. After you complete this guide, computers on your Local Area Network (LAN) will have secure Internet access.

Document Contents

This document contains the following sections:
1 Pre-Configuration Tasks - page 3
2 Registering Your Appliance on mysonicwall.
SonicWALL NSA Series

(Front and back panel views of the Network Security Appliance NSA)

Form Factor: 1U rack-mountable
Dimensions: 17 x 13.25 x 1.75 in (43.18 x 33.65 x 4.44 cm)
Weight: 11.30 lbs / 5.14 kg
WEEE Weight: 11.30 lbs / 5.14 kg

Note: Always observe proper safety and regulatory guidelines when removing administrator-serviceable parts from the SonicWALL NSA appliance. Proper guidelines can be found in the Safety and Regulatory Information section, on page 66 of this guide.
1 Pre-Configuration Tasks

In this Section: This section provides pre-configuration information. Review this section before setting up your SonicWALL NSA Series appliance.
Check Package Contents

Before setting up your SonicWALL NSA appliance, verify that your package contains the following parts:
1 NSA Appliance
2 DB9 -> RJ45 (CLI) Cable
3 Standard Power Cord*
4 Ethernet Cable
5 Red Crossover Cable
6 Release Notes
7 Global Support Services Guide
8 Thank You Card
9 Getting Started Guide

Any Items Missing? If any items are missing from your package, please contact SonicWALL support. A listing of the most current support options is available online at:
Obtain Configuration Information

Please record and keep for future reference the following setup information:

Registration Information
Serial Number: Record the serial number found on the bottom panel of your SonicWALL appliance.
Authentication Code: Record the authentication code found on the bottom panel of your SonicWALL appliance.

Networking Information
LAN IP Address: ___.___.___.___
Subnet Mask: ___.___.___.___
Ethernet WAN IP Address: ___.___.___.___
The Front Panel

A - Console Port: Used to access the SonicOS Command Line Interface (CLI) via the DB9 -> RJ45 cable.
B - USB Ports (2): Future extension.
C - Reset Button: Press and hold the button for a few seconds to manually reset the appliance using SafeMode.
D - LEDs (from left to right):
  - Power LED: Indicates the SonicWALL NSA appliance is powered on.
  - Test LED: Flickering: Indicates the appliance is initializing.
The Back Panel

A - Fans (2): The SonicWALL NSA Series includes two fans for system temperature control.
B - Power Supply: The SonicWALL NSA Series power supply.
2 Registering Your Appliance on mysonicwall.com

In this Section: This section provides instructions for registering your SonicWALL NSA Series appliance.
• Before You Register - page 10
• Creating a mysonicwall.com Account - page 11
• Registering and Licensing Your Appliance on mysonicwall.
Before You Register

You need a mysonicwall.com account to register the SonicWALL NSA appliance. You can create a new mysonicwall.com account on www.mysonicwall.com or directly from the SonicWALL management interface. This section describes how to create an account by using the Web site. You can use mysonicwall.com to register your SonicWALL appliance and activate or purchase licenses for Security Services, ViewPoint Reporting and other services, support, or software before you even connect your device.
Creating a mysonicwall.com Account

To create a mysonicwall.com account, perform the following steps:
1. In your browser, navigate to www.mysonicwall.com.
2. In the login screen, if you are not a registered user, click Not a registered user?

Registering and Licensing Your Appliance on mysonicwall.
Licensing Security Services and Software

The Service Management - Associated Products page in www.mysonicwall.com lists security services, support options, and software such as ViewPoint that you can purchase or try with a free trial. For details, click the Info button. Your current licenses are indicated in the Status column with either a license key or an expiration date. You can purchase additional services now or at a later time.
To manage your licenses, perform the following tasks:
1. In the mysonicwall.com Service Management - Associated Products page, check the Applicable Services table for services that your SonicWALL appliance is already licensed for. Your initial purchase may have included security services or other software bundled with the appliance. These licenses are enabled on mysonicwall.com when the SonicWALL appliance is delivered to you.
Registering a Second Appliance as a Backup

To ensure that your network stays protected if your SonicWALL appliance has an unexpected failure, you can associate a second SonicWALL of the same model as the first in a high availability (HA) pair. You can associate the two appliances as part of the registration process on mysonicwall.com. This feature is enabled on the NSA 5000 and NSA 4500 appliances, but requires a separate license to be enabled on the NSA 3500.
3 Deployment Scenarios

In this Section: This section provides detailed overviews of advanced deployment scenarios as well as configuration instructions for connecting your SonicWALL NSA Series.
Selecting a Deployment Scenario

Before continuing, select a deployment scenario that best fits your network scheme. Reference the table below and the diagrams on the pages for help in choosing a scenario.

Current Gateway Configuration: No gateway appliance / Existing Internet gateway appliance / Existing SonicWALL gateway appliance

New Gateway Configuration -> Use Scenario:
- Single SonicWALL NSA as a primary gateway -> A - NAT/Route Mode Gateway
- Pair of SonicWALL NSA appliances for high availability.
Scenario A: NAT/Route Mode Gateway

For new network installations or installations where the SonicWALL NSA Series is replacing the existing network gateway. In this scenario, the SonicWALL NSA Series is configured in NAT/Route mode to operate as a single network gateway. Two Internet sources may be routed through the SonicWALL appliance for load balancing and failover purposes.
Scenario B: State Sync Pair in NAT/Route Mode

For network installations with two SonicWALL NSA Series appliances of the same model configured as a stateful synchronized pair for redundant high-availability networking. In this scenario, one SonicWALL NSA Series operates as the primary gateway device and the other SonicWALL NSA Series is in passive mode.
Scenario C: L2 Bridge Mode

For network installations where the SonicWALL NSA Series is running in tandem with an existing network gateway. In this scenario, the original gateway is maintained. The SonicWALL NSA Series is integrated seamlessly into the existing network, providing the benefits of deep packet inspection and comprehensive security services on all network traffic.
Initial Setup

This section provides initial configuration instructions for connecting your SonicWALL NSA Series. Follow these steps if you are setting up Scenario A, B, or C.

Accepted Browser - Browser Version Number
Internet Explorer - 6.0 or higher
Firefox - 2.0 or higher
Netscape - 9.0 or higher
Opera - 9.10 or higher for Windows
Safari - 2.0 or higher for MacOS

This section contains the following sub-sections:
Connecting the LAN Port

1. Plug in the SonicWALL NSA. The Power LEDs ... The Alarm ...
2. Connect one end of the provided Ethernet cable to the computer you are using to manage the SonicWALL NSA Series. Connect the other end of the cable to the X0 port on your SonicWALL NSA Series.
Accessing the Management Interface

The computer you use to manage the SonicWALL NSA Series must be set up to accept a dynamic IP address, or it must have an unused IP address on the 192.168.168.x/24 subnet, such as 192.168.168.20.

Accessing the Setup Wizard
Connecting to Your Network

(Illustration: SonicWALL NSA Network Security Appliance connected to the Internet)

The SonicWALL NSA Series ships with the internal DHCP server active on the LAN port. However, if a DHCP server is already active on your LAN, the SonicWALL will disable its own DHCP server to prevent conflicts. As shown in the illustration on this page, ports X1 and X0 are preconfigured as WAN and LAN respectively.

Testing Your Connection
Activating Licenses in SonicOS

After completing the registration process in SonicOS, you must perform the following tasks to activate your licenses and enable your licensed services from within the SonicOS user interface:
• Activate licenses
• Enable security services
• Apply services to network zones

This section describes how to activate your licenses.
Upgrading Firmware on Your SonicWALL

The following procedures are for upgrading an existing SonicOS Enhanced image to a newer version:

Saving a Backup Copy of Your Preferences

Before beginning the update process, make a system backup of your SonicWALL security appliance configuration settings.
Upgrading the Firmware with Current Settings

Perform the following steps to upload new firmware to your SonicWALL appliance and use your current configuration settings upon startup.

Tip: The appliance must be properly registered before it can be upgraded. Refer to Registering and Licensing Your Appliance on mysonicwall.

Upgrading the Firmware with Factory Defaults

Perform the following steps to upload new firmware to your SonicWALL appliance and start it up using the default configuration:
1.
To use SafeMode to upgrade firmware on the SonicWALL security appliance, perform the following steps:
1. Connect your computer to the X0 port on the SonicWALL appliance and configure your IP address with an address on the 192.168.168.0/24 subnet, such as 192.168.168.20.
2. Use a narrow, straight object, like a straightened paper clip or a toothpick, to press and hold the reset button on the front of the security appliance for one second. The reset button is in a small hole next to the USB ports.
Configuring a State Sync Pair in NAT/Route Mode

This section provides instructions for configuring a pair of SonicWALL NSA appliances for high availability (HA). This section is relevant to administrators following deployment scenario B.

This section contains the following sub-sections:

Initial High Availability Setup

Before you begin the configuration of HA on the Primary SonicWALL security appliance, perform the following setup:
1.
2.
Configuring High Availability

The first task in setting up HA after initial setup is configuring the High Availability > Settings page on the Primary SonicWALL security appliance. Once you configure HA on the Primary SonicWALL security appliance, it communicates the settings to the Backup SonicWALL security appliance.

Configuring Advanced HA Settings

1. Navigate to the High Availability > Advanced page.
2. To configure Stateful HA, select Enable Stateful Synchronization.
• Optionally adjust the Heartbeat Interval to control how often the two units communicate. The default is 5000 milliseconds; the minimum recommended value is 1000 milliseconds. A lower value may cause unnecessary failovers, especially when the SonicWALL is under a heavy load.
• Set the Probe Level for the interval in seconds between communication with upstream or downstream systems. SonicWALL recommends that you set the interval for at least 5 seconds.
Synchronizing Settings

Once you have configured the HA settings on the Primary SonicWALL security appliance, click the Synchronize Settings button. You should see an HA Peer Firewall has been updated message at the bottom of the management interface page. Also note that the management interface displays Logged Into: Primary SonicWALL Status: (green ball) Active in the upper right-hand corner. By default, the Include Certificate/Keys setting is enabled.
Adjusting High Availability Settings

On the High Availability > Settings page, there are four user-configurable timers that can be adjusted to suit your network's needs:

Synchronizing Firmware

Checking the Synchronize Firmware Upload and Reboot checkbox allows the Primary and Backup SonicWALL security appliances in HA mode to have firmware uploaded on both devices at once, in staggered sequence to ensure security is always maintained.
HA License Configuration Overview

You can configure HA license synchronization by associating two SonicWALL security appliances as HA Primary and HA Secondary on mysonicwall.com. Note that the Backup appliance of your HA pair is referred to as the HA Secondary unit on mysonicwall.com. You must purchase a single set of security services licenses for the HA Primary appliance. To use Stateful HA, you must first activate the Stateful High Availability Upgrade license for the primary unit in SonicOS.
Associating Pre-Registered Appliances

To associate two already-registered SonicWALL security appliances so that they can use HA license synchronization, perform the following steps:
1. Log in to mysonicwall.com.
2. In the left navigation bar, click My Products.
3. On the My Products page, under Registered Products, scroll down to find the appliance that you want to use as the parent, or primary, unit.
4. Click the product name or serial number.
Configuring L2 Bridge Mode

This section provides instructions to configure the SonicWALL NSA appliance in tandem with an existing Internet gateway device. This section is relevant to users following deployment scenario C.

Configuring the Primary Bridge Interface

The primary bridge interface is your existing Internet gateway device. The only step involved in setting up your primary bridge interface is to ensure that the WAN interface is configured for a static IP address.
Configuring the Secondary Bridge Interface

Complete the following steps to configure the SonicWALL appliance:
1. Navigate to the Network > Interfaces page from the navigation panel.
2. Click the Configure icon in the right column of the X0 (LAN) interface.
3. In the IP Assignment drop-down, select Layer 2 Bridged Mode.
4. In the Bridged to drop-down, select the X1 interface.
5. Configure management options (HTTP, HTTPS, Ping, SNMP, SSH, User logins, or HTTP redirects).
4 Additional Deployment Configuration

In this Section: This section provides basic configuration information to begin building network security policies for your deployment. This section also contains several SonicOS diagnostic tools and a deployment configuration reference checklist.
Creating Network Access Rules

A zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of access rules, a simpler and more intuitive process than following a strict physical interface scheme.

To create an access rule:
1. On the Firewall > Access Rules page in the matrix view, click the arrow connecting the two zones that need a rule.
2. On the Access Rules page, click Add.
3. In the Add Rule page in the General tab, select Allow | Deny | Discard from the Action list to permit or block IP traffic.
   • Select the from and to zones from the From Zone and To Zone menus.
   • Select the service or group of services affected by the access rule from the Service list. If the service is not listed, you must define the service in the Add Service window. Select Create New Service or Create New Group to display the Add Service window or Add Service Group window.
4. Click on the Advanced tab.
5. Click on the QoS tab if you want to apply DSCP or 802.1p Quality of Service coloring/marking to traffic governed by this rule. See the SonicOS Enhanced Administrator's Guide for more information on managing QoS marking in access rules.
6. Click OK to add the rule.
Before configuring NAT Policies, you must create all Address Objects associated with the policy. For instance, if you are creating a One-to-One NAT policy, first create Address Objects for your public and private IP addresses. Address Objects are one of four object classes (Address, User, Service and Schedule) in SonicOS Enhanced. These Address Objects allow for entities to be defined one time, and to be reused in multiple referential instances throughout the SonicOS interface.
Configuring Address Objects

The Network > Address Objects page allows you to create and manage your Address Objects. You can view Address Objects in the following ways using the View Style menu:
• All Address Objects - displays all configured Address Objects.
• Custom Address Objects - displays Address Objects with custom properties.
• Default Address Objects - displays Address Objects configured by default on the SonicWALL security appliance.

To add an Address Object:
1.
2.
3.
Configuring NAT Policies

NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address and Destination Services. Policy-based NAT allows you to deploy different types of NAT simultaneously.
Enabling Security Services in SonicOS

You must enable each security service individually in the SonicOS user interface. See the following procedures to enable and configure the three security services that must be enabled:

Enabling Gateway Anti-Virus

To enable Gateway Anti-Virus in SonicOS:
1. Navigate to the Security Services > Gateway Anti-Virus page. Select the Enable Gateway Anti-Virus checkbox.
2. Select the Enable Inbound Inspection checkboxes for the protocols to inspect.
3. The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the internally hosted SMTP server for viruses.
4. For each protocol you can restrict the transfer of files with specific attributes by clicking on the Settings button under the protocol.
7. Select Enable HTTP Clientless Notification Alerts and customize the message. This feature informs the user that GAV detected a threat from the HTTP server.
8. Select Enable Gateway AV Exclusion List and then click Add to define a range of IP addresses whose traffic will be excluded from SonicWALL GAV scanning.
9. When finished in the Add GAV Range dialog box, click OK.
10. In the Gateway AV Config View window, click OK.
11. In the Security Services > Gateway Anti-Virus page, click Accept.
Enabling Anti-Spyware

To enable Anti-Spyware in SonicOS:
1. Navigate to the Security Services > Anti-Spyware page. Select the Enable Anti-Spyware checkbox.
2. In the Signature Groups table, select the Prevent All and Detect All checkbox for each spyware danger level that you want to prevent.
3. To log all spyware attacks, leave the Log Redundancy Filter field set to zero. To enforce a delay between log entries for detections of the same attack, enter the number of seconds to delay.
4.
Applying Security Services to Network Zones

A network zone is a logical group of one or more interfaces to which you can apply security rules to regulate traffic passing from one zone to another zone.

4. On the Edit Zone page, select the checkboxes for the security services that you want to enable.
5. Click OK.
6. To enable security services on other zones, repeat steps 2 through 4 for each zone.
Deploying SonicPoints for Wireless Access

This section describes how to configure SonicPoints with the SonicWALL NSA Series.
1. To add a new profile, click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the Configure icon in the same line as the profile you are editing.
2. In the Add/Edit SonicPoint Profile window on the General tab:
   • Select Enable SonicPoint.
   • Enter a Name Prefix to be used as the first part of the name for each SonicPoint provisioned.
   • Select the Country Code for where the SonicPoints are operating.
3. In the 802.
• In the 802.11a Radio and 802.11a Adv tabs, configure the settings for the operation of the 802.11a radio bands. The SonicPoint has two separate radios built in. Therefore, it can send and receive on both the 802.11a and 802.11g bands at the same time. The settings in the 802.11a Radio and 802.11a Advanced tabs are similar to the settings in the 802.11g Radio and 802.11g Advanced tabs.
• When finished, click OK.
Assigning an Interface to the Wireless Zone

Note: If you have configured WPA2 as your authentication type, you do not need to enable WiFiSec.

• If you have enabled WiFiSec Enforcement, you can specify the following:
  • Select WiFiSec Exception Service to select services that are allowed to bypass the WiFiSec enforcement.
  • Select Require WiFiSec for Site-to-Site VPN Tunnel Traversal to require WiFiSec security for all wireless connections through the WLAN zone that are part of a Site-to-Site VPN.
Connecting the SonicPoint

When a SonicPoint unit is first connected and powered up, it will have a factory default configuration (IP Address 192.168.1.20, username: admin, password: password). Upon initializing, it will attempt to find a SonicOS device with which to peer. If it is unable to find a peer SonicOS device, it will enter into a standalone mode of operation with a separate stand-alone configuration allowing it to operate as a standard Access Point.
Troubleshooting Diagnostic Tools

SonicOS provides a number of diagnostic tools to help you maintain your network and troubleshoot problems. Several tools can be accessed on the System > Diagnostics page, and others are available on other screens.

Using Packet Capture

Packet Capture allows you to capture and examine the contents of individual data packets that traverse your SonicWALL firewall appliance. The captured packets contain both data and addressing information.
The SonicOS user interface provides three windows to display different views of the captured packets:
• Captured Packets
• Packet Detail
• Hex Dump

Click the Configure button to customize the settings for the capture:
• Display Filter - interfaces, packet types, source/destination
• Logging - automatic transfer of buffer to FTP server
• Advanced - generated packets, GMS, syslog, management

Using Ping

Ping is available on the System > Diagnostics page.
Using the Active Connections Monitor

The Active Connections Monitor displays real-time, exportable (plain text or CSV), filterable views of all connections to and through the SonicWALL security appliance. This tool is available on the System > Diagnostics page. You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Src Interface and Dst Interface.
Using Log > View

The SonicWALL security appliance maintains an Event log for tracking potential security threats. You can view the log in the Log > View page, or it can be automatically sent to an email address for convenience and archiving. The log is displayed in a table and can be sorted by column. You can filter the results to display only event logs matching certain criteria. You can filter by Priority, Category, Source (IP or Interface), and Destination (IP or Interface).
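The same filters the Active Connections Monitor and Log > View offer in the management interface can be applied offline to an exported table, which is useful when reviewing a CSV export after the fact. The following is an added example, not SonicWALL code: it assumes the exports use the filter criteria the guide lists as column names (Src IP, Dst IP, Dst Port, Protocol, Src Interface, Dst Interface; Priority, Category, Source, Destination) and that Source/Destination in the event log are written as ip:port:interface; every sample row is constructed.

```python
"""Offline filtering of exported SonicOS diagnostic tables (added example,
not SonicWALL code; column layouts are assumptions, all rows constructed)."""
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed sample of an Active Connections Monitor CSV export (assumed layout).
CONNECTIONS_CSV = """\
Src IP,Src Port,Dst IP,Dst Port,Protocol,Src Interface,Dst Interface
192.168.168.20,51234,203.0.113.10,443,TCP,X0,X1
192.168.168.31,49152,203.0.113.10,80,TCP,X0,X1
192.168.168.20,53001,198.51.100.5,53,UDP,X0,X1
203.0.113.77,40000,192.168.168.20,22,TCP,X1,X0
"""

# Constructed sample of a Log > View export (assumed layout). Source and
# Destination are ip:port:interface, so they can be filtered by IP or interface.
EVENTS_CSV = """\
Priority,Category,Source,Destination,Message
Alert,Intrusion Prevention,203.0.113.77:40000:X1,192.168.168.20:22:X0,Sample IPS alert
Notice,Network Access,192.168.168.20:51234:X0,203.0.113.10:443:X1,Connection opened
Info,System,,,Administrator login
"""

# Columns whose values are endpoints (an IP, optionally with port and interface).
ENDPOINT_COLUMNS = {"Src IP", "Dst IP", "Source", "Destination"}


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read a CSV export with a header row into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def match_endpoint(value: str, wanted: str) -> bool:
    """Match an 'ip[:port[:interface]]' field against an IP address, a CIDR
    block, or an interface name such as X0 or X1 (IPv4 fields assumed)."""
    parts = value.split(":")
    try:
        network = ipaddress.ip_network(wanted, strict=False)
    except ValueError:
        # Not an address: treat the criterion as an interface name.
        return len(parts) == 3 and parts[2] == wanted
    if not parts[0]:
        return False  # empty endpoint, e.g. a system event with no source
    try:
        return ipaddress.ip_address(parts[0]) in network
    except ValueError:
        return False


def filter_rows(rows: List[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Keep rows matching every criterion (logical AND), like the interface
    filters. Keyword names use '_' for spaces in the column name, so
    Src_Interface="X1" filters the 'Src Interface' column."""
    kept = []
    for row in rows:
        ok = True
        for key, wanted in criteria.items():
            column = key.replace("_", " ")
            value = row.get(column, "")
            if column in ENDPOINT_COLUMNS:
                ok = match_endpoint(value, wanted)
            else:
                ok = value.lower() == str(wanted).lower()
            if not ok:
                break
        if ok:
            kept.append(row)
    return kept


def inbound_to_lan(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Connections entering on the WAN (X1) and terminating on the LAN (X0):
    the ones to review first when no inbound service is intended."""
    return filter_rows(rows, Src_Interface="X1", Dst_Interface="X0")


if __name__ == "__main__":
    for row in inbound_to_lan(parse_export(CONNECTIONS_CSV)):
        print(f"{row['Src IP']} -> {row['Dst IP']}:{row['Dst Port']} ({row['Protocol']})")
    for row in filter_rows(parse_export(EVENTS_CSV), Priority="Alert"):
        print(row["Category"], "-", row["Message"])
```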
Deployment Configuration Reference Checklist

Use this checklist to find more information about various deployment tasks within the SonicOS Enhanced Administrator's Guide.

For this Task... | See this Chapter...
5 Support and Training Options

In this Section: This section provides overviews of customer support and training options for the SonicWALL NSA Series.
Customer Support

SonicWALL offers Web-based and telephone support to customers who have a valid Warranty or who purchased a Support Contract. Please review our Warranty Support Policy for product coverage.

Support Services

SonicWALL also offers a full range of consulting services to meet your needs, from our innovative implementation services to traditional statement of work-based services.
SonicWALL Live Product Demos

Get an interactive insight into SonicWALL security products and services with the following series of live product demos:
• Unified Threat Management Platform
• Secure Cellul

Knowledge Portal

The Knowledge Portal is a resource that allows users to search for SonicWALL documents, and set alerts when new content is available, based on the following types of search tools:
• Browse
• Bookmarks and alerts
• Search for keywords
• Full-text search
• Top 25 categories
User Forums

The SonicWALL User Forums are a resource that provides users the ability to communicate and discuss a variety of security and appliance subject matters.
Training

SonicWALL offers an extensive sales and technical training curriculum for Network Administrators, Security Experts and SonicWALL Medallion Partners who need to enhance their knowledge and maximize their investment in SonicWALL Products and Security Applications. SonicWALL Training provides the following resources for its customers:
• E-Training
• Instructor-Led Training
• Custom Training
• Technical Certification
• Authorized Training Partners

For further information, visit:
Related Documentation

See the following related documents for more information:
• SonicOS Enhanced Administrator's Guide
• SonicOS Enhanced Release Notes
• SonicOS Enhanced Feature Modules
  • Application Firewall
  • Dashboard
  • HF License Sync
  • Multiple Admin
  • NAT Load Balancing
  • Packet Capture
  • RF Management
  • Single Sign On
  • SSL Control
  • Virtual Access Points
• SonicWALL GVC 4.0 Administrator's Guide
• SonicWALL ViewPoint 4.1 Administrator's Guide
• SonicWALL GAV 2.
6 Product Safety and Regulatory Information

In this Section: This section provides regulatory information along with trademark and copyright information.
Safety and Regulatory Information

Regulatory Model/Type | Product Name
1RK13-051 | NSA 5000
1RK13-051 | NSA 4500
1RK13-052 | NSA 3500

Rack Mounting the SonicWALL

The above SonicWALL appliances are designed to be mounted in a standard 19-inch rack mount cabinet. The following conditions are required for proper installation:
• Use the mounting hardware recommended by the rack manufacturer and ensure that the rack is adequate for the application.
Safety and Regulatory Information in German

• Further notes on mounting: The SonicWALL models named above are designed to be mounted in a standard 19-inch rack. For proper mounting, observe the following notes:
  • Make sure that the rack is suitable for this device, and use the mounting accessories recommended by the rack manufacturer.
FCC Part 15 Class A Notice
CISPR 22 (EN 55022) Class A

NOTE: This equipment was tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy.
Copyright Notice

© 2008 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within cannot be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original.
SonicWALL, Inc.
1143 Borregas Avenue
Sunnyvale CA 94089-1306
T +1 408.745.9600
F +1 408.745.9300
www.sonicwall.com

P/N 232-001265-50 Rev A 01/08

©2008 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.