COMPREHENSIVE INTERNET SECURITY
SonicWALL Internet Security Appliances
SonicOS 4.
Table of Contents

Part 1: Introduction
Chapter 1: Preface 23
  Preface 23
  Copyright Notice 23
  Trademarks

Part 2: System
Chapter 4: Viewing the SonicWALL Security Dashboard 47
  System > Security Dashboard 47
  SonicWALL Security Dashboard Overview 47
  Using the SonicWALL Security Dashboard 50
  Related Features 59
Chapter 5: Viewing Status Information
Chapter 8: Managing Certificates 85
  System > Certificates 85
  Digital Certificates Overview 85
  Certificates and Certificate Requests 86
  Certificate Details
Chapter 13: Using Diagnostic Tools & Restarting the Appliance
  System > Diagnostics
  Tech Support Report
  Diagnostic Tools
  Active Connections Monitor
  CPU Monitor
Configuring Interfaces 141
  Configuring the LAN and OPT Interfaces (Static) 141
  Configuring Advanced Settings for the Interface 142
  Configuring Interfaces in Transparent Mode 143
  Configuring Wireless Interfaces 145
  Configuring a WAN Interface
Chapter 17: Configuring Zones
  Network > Zones
  How Zones Work
  Predefined Zones
  Security Types
  Allow Interface Trust
Chapter 21: Configuring NAT Policies 245
  Network > NAT Policies 245
  NAT Policies Table 246
  NAT Policy Settings Explained 248
  NAT Policies Q&A 249
  NAT Load Balancing Overview
Chapter 25: Setting Up Web Proxy Forwarding 305
  Network > Web Proxy 305
  Configuring Automatic Proxy Forwarding (Web Only) 305
  Bypass Proxy Servers Upon Proxy Failure 306
Chapter 26: Configuring Dynamic DNS 307
  Network > Dynamic DNS
Chapter 30: Configuring Advanced Wireless Settings 339
  Wireless > Advanced 339
  Beaconing & SSID Controls 340
  Wireless Client Communications 340
  Configurable Antenna Diversity 340
  Advanced Radio Settings

Part 5: WWAN
Chapter 34: Configuring Wireless WAN (TZ 190 only)
  WWAN
  Wireless WAN Overview
  Wireless WAN Prerequisites
  Viewing the WWAN Status
  Configuring Wireless WAN
Chapter 40: Configuring Advanced Access Rule Settings 433
  Firewall > Advanced 433
  Detection Prevention 434
  Dynamic Ports 434
  Source Routed Packets 434
  Connections
Chapter 45: Managing Quality of Service
  Firewall > QoS Mapping
  Classification
  Marking
  Conditioning
  802.1p and DSCP QoS
Chapter 50: Configuring DHCP Over VPN 587
  VPN > DHCP over VPN 587
  DHCP Relay Mode 587
  Configuring the Central Gateway for DHCP Over VPN 588
  Configuring DHCP over VPN Remote Gateway 588
  Current DHCP over VPN Leases

Part 11: Security Services
Chapter 54: Managing SonicWALL Security Services
  SonicWALL Security Services
  Security Services Summary
  Managing Security Services Online
  Security Services Settings
  Security Services Information
Chapter 57: Managing SonicWALL Gateway Anti-Virus Service 715
  Security Services > Gateway Anti-Virus 715
  SonicWALL GAV Multi-Layered Approach 716
  HTTP File Downloads 718
  SonicWALL GAV Architecture 718
  Creating a mySonicWALL.com Account
Chapter 59: Activating Anti-Spyware Service
  Security Services > Anti-Spyware Service
  SonicWALL Gateway Anti-Virus, Anti-Spyware, and IPS Activation
  Creating a mySonicWALL.com Account
  Registering Your SonicWALL Security Appliance
  Activating FREE TRIALs
Chapter 64: Configuring Syslog Settings 775
  Log > Syslog 775
  Syslog Settings 776
  Syslog Servers 777
Chapter 65: Configuring Log Automation 779
  Log > Automation
Chapter 72: Configuring VPN Policies with the VPN Policy Wizard 827
  Wizards > VPN Wizard 827
  Using the VPN Policy Wizard 828
  Connecting the Global VPN Clients 831
  Configuring a Site-to-Site VPN using the VPN Wizard 832
Index
PART 1: Introduction
Chapter 1: Preface
Copyright Notice
© 2007 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within cannot be copied, in whole or in part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original.
Limited Warranty
SonicWALL, Inc. warrants that, commencing from the delivery date to the Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL) and continuing for a period of twelve (12) months, the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product.
About this Guide
Note: Always check for the latest version of this manual as well as other SonicWALL products and services documentation.
Organization of this Guide
The SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide is organized into the following parts, which follow the structure of the SonicWALL Web Management Interface. Within these parts, individual chapters correspond to the layout of the SonicWALL security appliance management interface.
• Dynamic DNS - configure the SonicWALL to dynamically register its WAN IP address with a DDNS service provider.
Part 4 SonicPoint
This part covers the configuration of the SonicWALL security appliance for provisioning and managing SonicWALL SonicPoints as part of a SonicWALL Distributed Wireless Solution.
Part 5 Firewall
This part covers tools for managing how the SonicWALL security appliance handles traffic through the firewall.
Part 12 Log
This part covers managing the SonicWALL security appliance’s enhanced logging, alerting, and reporting features. The logging features provide a comprehensive set of log categories for monitoring security and network activities.
Tip: Useful information about security features and configurations on your SonicWALL.
Note: Important information about a feature that is called out for special attention.
SonicWALL Technical Support
For timely resolution of technical support questions, visit SonicWALL on the Internet at http://www.sonicwall.com/us/Support.html. Web-based resources are available to help you resolve most technical issues, or you can contact SonicWALL Technical Support.
Current Documentation
Check the SonicWALL documentation Web site for the latest versions of this manual and all other SonicWALL product documentation: http://www.sonicwall.com/us/Support.html
Chapter 2: Common Criteria Guide
Common Criteria
The purpose of this chapter is to define the Common Criteria-compliant operation of SonicWALL Internet Security Appliances. Common Criteria is an information technology (IT) validation scheme adopted by the National Information Assurance Partnership (NIAP). NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).
• GMS Remote Management
• Syslog Logging
• SonicPoint
• Hardware Failover
Before installing the SonicWALL Internet Security Appliance, examine the device for evidence of tampering. Each device includes a tamper-evident seal to prevent access to the inside of the unit. Verify that the tamper-evident seal is intact. If there is any sign of tampering, contact SonicWALL Support Services by phone at 888.777.1476 or 408.752.7819.
Related Documents
Several other SonicWALL documents provide information relating to the Common Criteria evaluated configuration of SonicWALL Internet Security Appliances. Those documents are described here.
SonicOS Log Events Reference Guide
During the operation of a SonicWALL security appliance, SonicOS sends log event messages to the console. Event logging begins automatically when the SonicWALL security appliance is powered on and configured.
Chapter 3: Introduction
Introduction
SonicOS Enhanced 4.0 is the most powerful SonicOS operating system, designed for the SonicWALL PRO 4060 and the PRO 5060.
What’s New in SonicOS Enhanced 4.0
SonicOS Enhanced 4.0 introduces these new features:
• Strong SSL and TLS Encryption - The internal SonicWALL Web server now supports only SSL version 3.0 and TLS with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.
appliances have been associated as a hardware failover pair on mysonicwall.com, you can enable this feature by selecting Enable Stateful Synchronization on the Hardware Failover > Advanced page.
• Application Firewall - SonicOS Enhanced 4.0 introduces Application Firewall, which provides a way to create application-specific policies to regulate Web browsing, file transfer, email, and email attachments.
CLI (SSH or serial console). For instance, if a CLI session goes to the config level, it asks whether you want to preempt an administrator who is at the config level in the GUI or in an SSH session.
• Multiple and Read-only Administrator Login - SonicOS Enhanced 4.0 introduces Multiple Administrator Login, which provides a way for multiple users to be given administration rights, either full or read-only, for the SonicOS security appliance. Additionally, SonicOS Enhanced 4.
– Ad-Hoc station
– Unassociated station
– Wellenreiter attack
– NetStumbler attack
– EAPOL packet flood
– Weak WEP IV
• SMTP Authentication - SonicOS Enhanced 4.0 supports RFC 2554, which defines an SMTP service extension that allows the SMTP client to indicate an authentication method to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions.
In SonicOS Enhanced 4.0, VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each custom configuration acts as a separate (virtual) access point, and can be grouped and enforced on one or more physical SonicPoint access points simultaneously. You can configure up to eight VAPs per SonicPoint access point.
• Layer 2 Bridge Mode - SonicOS Enhanced 4.
• BWM Rate Limiting - SonicOS Enhanced 4.0 enhances the Bandwidth Management feature to provide rate limiting. You can now create traffic policies that specify maximum rates for Layer 2, 3, or 4 network traffic. This enables bandwidth management in cases where the primary WAN link fails over to a secondary connection that cannot handle as much traffic.
• DHCP Client Reboot Behavior Control - In SonicOS Enhanced 4.
Navigating the Management Interface
The SonicWALL management interface is organized as a hierarchy of menu buttons on the navigation bar (left side of your browser window). When you click a menu button, related management functions are displayed as submenu items in the navigation bar, and the first submenu item page is displayed automatically. To navigate to another submenu page, click its link.
If the settings are contained in a secondary window within the management interface, the settings are applied to the SonicWALL security appliance automatically when you click OK.
Navigating Tables
Navigate tables with a large number of entries by using the navigation buttons located in the upper right corner of the table. The table navigation bar includes buttons for moving through table pages.
• Clicking the edit icon displays a window for editing the settings.
• Clicking the delete icon deletes a table entry.
• Moving the pointer over the comment icon displays the text from the Comment field entry.
Getting Help
Each SonicWALL security appliance includes Web-based online help available from the management interface. Clicking the question mark (?) button in the top-right corner of every page opens the context-sensitive help for that page.
PART 2: System
Chapter 4: Viewing the SonicWALL Security Dashboard
System > Security Dashboard
This chapter describes how to use the SonicWALL Security Dashboard feature on a SonicWALL security appliance.
What is the Security Dashboard?
The SonicWALL Security Dashboard provides reports of the latest threat protection data from a single SonicWALL appliance, as well as aggregated threat protection data from SonicWALL security appliances deployed globally. The Security Dashboard displays automatically upon successful authentication to a SonicWALL security appliance, and can be viewed at any time by navigating to System > Security Dashboard in the left-hand menu.
Benefits
The Security Dashboard provides the latest threat protection information to keep you informed about potential threats being blocked by SonicWALL security appliances. If you subscribe to SonicWALL’s security services, including Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention Service (IPS), and Content Filtering Service, you are automatically protected from the threats reported by the SonicWALL Security Dashboard.
How Does the Security Dashboard Work?
The SonicWALL Security Dashboard provides global and appliance-level threat protection statistics. At the appliance level, threat protection data from your own SonicWALL security appliance is displayed. At the global level, the Security Dashboard is updated hourly from the SonicWALL backend server with aggregated threat protection data from globally deployed SonicWALL security appliances.
SonicWALL Security Dashboard Configuration Overview
The SonicWALL Security Dashboard can be configured to display global or appliance-level statistics, to display statistics for different time periods, and to generate a custom PDF file. For information about purchasing SonicWALL security services that protect against the threats reported in the SonicWALL Security Dashboard, refer to “Purchasing Security Services” on page 52.
Selecting a Custom Time Interval
The SonicWALL Security Dashboard reports default to a “Last 14 Days” view, providing an aggregate view of threats blocked during that period. You can configure each report to one of four optional time periods, and each report can be set to a different time period.
Note: Your SonicWALL security appliance must be configured for Internet connectivity and must be connected to the Internet to use the Registration & License Wizard.
To purchase SonicWALL security services using the SonicWALL Registration & License Wizard, perform the following steps:
Step 1 Log in to the SonicWALL appliance management interface.
Step 2 In the left navigation menu, click Wizards. The Configuration Wizard displays.
Step 3 Select the radio button next to Registration & License Wizard and click Next.
Step 4 The welcome screen displays. Click Next.
Step 5 If you have a mysonicwall.com account, enter your username and password in the Username and Password fields. If you do not have a mysonicwall.com account, select the radio button next to Create a sonicwall.com account. Click Next.
Step 6 If you selected Create a sonicwall.com account, the User Registration page displays. Provide the information requested to create your account, then click Next.
Note: If you used an existing mysonicwall.com account by providing your username and password, you will not see this page. Skip to the next step.
Step 7 Select the checkbox next to the service you want to purchase and click Next.
Step 8 A notice displays that a separate browser window will be launched. Click OK.
Step 9 The mysonicwall.com page is launched in a separate browser window. Follow the on-screen instructions to complete the purchase of SonicWALL security services.
Step 10 After you have purchased the security services, return to the wizard window. The License Synchronization window synchronizes the new security services with the SonicWALL security appliance. Click Next to complete the synchronization.
Step 11 The Congratulations page displays. You have successfully purchased and synchronized your security services. Click Close to close the wizard.
To verify that the security services are licensed, navigate to Security Services > Summary in the left-hand menu and verify that the status of the services is Licensed. For information on advanced configuration for each service, refer to the SonicWALL Administrator’s Guides, available on the Web at: http://www.sonicwall.
Related Features
SonicWALL Registration & License Wizard - Use the SonicWALL Registration & License Wizard to purchase SonicWALL security services directly from your SonicWALL security appliance management interface.
SonicWALL Security Services - SonicWALL provides a comprehensive offering of security services that protect against the threats reported in the SonicWALL Security Dashboard. For a full list, visit the SonicWALL website at http://www.sonicwall.com/us/Support.html.
Chapter 5: Viewing Status Information
System > Status
The System > Status page provides a comprehensive collection of information and links to help you manage your SonicWALL security appliance and SonicWALL Security Services licenses.
• Setup Wizard - This wizard helps you quickly configure the SonicWALL security appliance to secure your Internet (WAN) and LAN connections.
• Public Server Wizard - This wizard helps you quickly configure the SonicWALL security appliance to provide public access to an internal server, such as a Web or E-mail server.
• VPN Wizard - This wizard helps you create a new site-to-site VPN Policy or configure the WAN GroupVPN to accept VPN connections from SonicWALL Global VPN Clients.
Latest Alerts
Any messages relating to system errors or attacks are displayed in this section. Attack messages include AV Alerts, forbidden e-mail attachments, fraudulent certificates, etc. System errors include WAN IP changed and encryption errors. Clicking the blue arrow displays the Log > Log View page. For more information on SonicWALL security appliance logging, see “Log” on page 763.
Security Services
If your SonicWALL security appliance is not registered at mySonicWALL.
Registering Your SonicWALL Security Appliance
Once you have established your Internet connection, it is recommended that you register your SonicWALL security appliance.
To create a mySonicWALL.com account from the SonicWALL management interface:
Step 1 In the Security Services section on the System > Status page, click the Register link in “Your SonicWALL is not registered. Click here to Register your SonicWALL.”
Step 2 On the mySonicWALL Login page, click the here link in “If you do not have a mySonicWALL account, please click here to create one.”
If you already have a mySonicWALL.com account, follow these steps to register your security appliance:
Step 1 In the Security Services section on the System > Status page, click the Register link in “Your SonicWALL is not registered. Click here to Register your SonicWALL.” The mySonicWALL Login page is displayed.
Step 2 On the mySonicWALL.com Login page, enter your mySonicWALL.
Chapter 6: Managing SonicWALL Licenses
System > Licenses
The System > Licenses page provides links to activate, upgrade, or renew SonicWALL Security Services licenses. From this page in the SonicWALL Management Interface, you can manage all the SonicWALL Security Services licensed for your SonicWALL security appliance. The information listed in the Security Services Summary table is updated from your mySonicWALL.com account.
Excluding a Node
When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group. To exclude a node:
Step 1 Select the node you want to exclude in the Currently Licensed Nodes table on the System > Licenses page, and click the icon in the Exclude column for that node.
Manage Security Services Online
To activate, upgrade, or renew services, click the link in “To Activate, Upgrade, or Renew services, click here.” To synchronize your mySonicWALL.com account with the Security Services Summary table, click the link in “To synchronize licenses with mySonicWALL.com click here.” You can also get free trial subscriptions to SonicWALL Content Filter Service and Client AntiVirus by clicking the “For Free Trials click here” link.
Manual Upgrade
Manual Upgrade allows you to activate your services by typing the service activation key supplied with a service subscription that has not been activated on mySonicWALL.com. Type the activation key from the product into the Enter upgrade key field and click Submit.
From the Management Interface of your SonicWALL Security Appliance
Step 1 Make sure your SonicWALL security appliance is running SonicOS Standard or Enhanced 2.1 (or higher).
Step 2 Paste (or type) the Keyset (from step 3) into the Keyset field in the Manual Upgrade section of the System > Licenses page (SonicOS).
Step 3 Click the Submit or Apply button to update your SonicWALL security appliance.
Chapter 7: Configuring Administration Settings
System > Administration
The System > Administration page provides settings for configuring the SonicWALL security appliance for secure and remote management. You can manage the SonicWALL using a variety of methods, including HTTPS, SNMP, or SonicWALL Global Management System (SonicWALL GMS).
Changing the Administrator Password
To set a new password for SonicWALL Management Interface access, type the old password in the Old Password field and the new password in the New Password field. Type the new password again in the Confirm New Password field and click Apply. Once the SonicWALL security appliance has been updated, a message confirming the update is displayed at the bottom of the browser window.
The Password must be changed every (days) setting requires users to change their passwords after the designated number of days has elapsed. When a user attempts to log in with an expired password, a pop-up window prompts the user to enter a new password. The User Login Status window now includes a Change Password button so that users can change their passwords at any time.
Multiple Administrators
SonicOS Enhanced allows multiple administrators to access the SonicOS Management Interface simultaneously. For more information on Multiple Administrators, see the “Multiple Administrator Support Overview” section on page 590. The System > Administration page contains a number of options for managing multiple administrators.
Web Management Settings
The SonicWALL security appliance can be managed using HTTP or HTTPS and a Web browser. Both HTTP and HTTPS are enabled by default. The default port for HTTP is port 80, but you can configure access through another port: type the number of the desired port in the Port field and click Apply. If you configure another port for HTTP management, you must include the port number when you use the IP address to log into the SonicWALL security appliance.
SSH Management Settings
If you use SSH to manage the SonicWALL appliance, you can change the SSH port for additional security. The default SSH port is 22.
Advanced Management
You can manage the SonicWALL security appliance using SNMP or SonicWALL Global Management System. The following sections explain how to configure the SonicWALL for management by these two options. For more information on SonicWALL Global Management System, go to http://www.sonicwall.com.
To enable SNMP on the SonicWALL security appliance, log into the Management Interface and click System, then Administration. Select the Enable SNMP checkbox, and then click Configure. The Configure SNMP window is displayed.
Step 1 Type the host name of the SonicWALL security appliance in the System Name field.
Step 2 Type the network administrator’s name in the System Contact field.
Step 3 Type an e-mail address, telephone number, or pager number in the System Location field.
Enable GMS Management
You can configure the SonicWALL security appliance to be managed by SonicWALL Global Management System (SonicWALL GMS). To configure the SonicWALL security appliance for GMS management:
Step 1 Select the Enable Management using GMS checkbox, then click Configure. The Configure GMS Settings window is displayed.
Step 2 Enter the host name or IP address of the GMS Console in the GMS Host Name or IP Address field.
the GMS installation, and enter the IP address in the NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window.
• Existing Tunnel - If this option is selected, the GMS server and the SonicWALL security appliance already have an existing VPN tunnel over the connection. Enter the GMS host name or IP address in the GMS Host Name or IP Address field. Enter the port number in the Syslog Server Port field.
Step 7
• HTTPS - If this option is selected, HTTPS management is allowed from two IP addresses: the GMS Primary Agent and the Standby Agent IP address. The SonicWALL security appliance also sends encrypted syslog packets and SNMP traps using 3DES and the SonicWALL security appliance administrator’s password. The following configuration settings for HTTPS management mode are displayed:
• Send Syslog Messages in Cleartext Format - Sends heartbeat messages as cleartext.
The default URL http://help.mysonicwall.com/applications/vpnclient displays the SonicWALL Global VPN Client download site. You can point to any URL where you provide the SonicWALL Global VPN Client application. Selecting UI Language If your firmware contains other languages besides English, they can be selected in the Language Selection pulldown menu. Note Changing the language of the SonicOS UI requires that the SonicWALL security appliance be rebooted.
Chapter 8: Managing Certificates System > Certificates To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL security appliance to validate your Local Certificates. You import the valid CA certificate into the SonicWALL security appliance using the System > Certificates page.
• OpenSSL • VeriSign Certificates and Certificate Requests The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates. The View Style menu allows you to display your certificates in the Certificates and Certificate Requests table based on the following criteria: • All Certificates - displays all certificates and certificate requests.
Certificate Details Clicking on the icon in the Details column of the Certificates and Certificate Requests table lists information about the certificate, which may include the following, depending on the type of certificate: • Certificate Issuer • Subject Distinguished Name • Certificate Serial Number • Valid from • Expires On • Status (for Pending requests and local certificates) • CRL Status (for Certificate Authority certificates) The details shown in the Details mou
Importing a Certificate Authority Certificate To import a certificate from a certificate authority, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate window settings change.
Importing a Local Certificate To import a local certificate, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Enter a certificate name in the Certificate Name field. Step 3 Enter the password used by your Certificate Authority to encrypt the PKCS#12 file in the Certificate Management Password field.
Importing a CRL You can import the CRL by manually downloading the CRL and then importing it into the SonicWALL security appliance. Step 1 Click on the Import certificate revocation list icon. The Import CRL window is displayed. Step 2 You can import the CRL from the certificate file by selecting Import CRL directly from a PEM (.pem) or DER (.der or .
To generate a local certificate, follow these steps: Step 1 Click the New Signing Request button. The Certificate Signing Request window is displayed. Step 2 In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field. Step 3 Select the Request field type from the menu, then enter information for the certificate in the Request fields.
Chapter 9: Configuring Time Settings System > Time The System > Time page defines the time and date settings to time stamp log events, to automatically update SonicWALL Security Services, and for other internal purposes. By default, the SonicWALL security appliance uses an internal list of public NTP servers to automatically update the time. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers.
If you want to set your time manually, uncheck Set time automatically using NTP. Select the time in the 24-hour format using the Time (hh:mm:ss) menus and the date from the Date menus. Selecting Display UTC in logs (instead of local time) specifies the use of universal time (UTC) rather than local time for log events. Selecting Display time in International format displays the date in International format, with the day preceding the month. After selecting your System Time settings, click Apply.
Chapter 10: Setting Schedules System > Schedules The System > Schedules page allows you to create and manage schedule objects for enforcing schedule times for a variety of SonicWALL security appliance features.
The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the edit icon in the Configure column to display the Edit Schedule window. Note You cannot delete the default Work Hours, After Hours, or Weekend Hours schedules. You apply schedule objects for the specific security feature.
Adding a Schedule To create schedules, click Add. The Add Schedule window is displayed. Step 1 Enter a name for the schedule in the Name field. Step 2 Select the days of the week to apply to the schedule or select All. Step 3 Enter the time of day for the schedule to begin in the Start field. The time must be in 24-hour format, for example, 17:00 for 5 p.m. Step 4 Enter the time of day for the schedule to stop in the Stop field.
Chapter 11: Managing SonicWALL Security Appliance Firmware System > Settings This System > Settings page allows you to manage your SonicWALL security appliance’s SonicOS versions and preferences.
Settings Import Settings To import a previously saved preferences file into the SonicWALL security appliance, follow these instructions: Step 1 Click Import Settings to import a previously exported preferences file into the SonicWALL security appliance. The Import Settings window is displayed. Step 2 Click Browse to locate the file which has a *.exp file name extension. Step 3 Select the preferences file. Step 4 Click Import, and restart the firewall.
• Boot to your choice of firmware and system settings. • Manage system backups. • Easily return your SonicWALL security appliance to the previous system state. SonicWALL security appliance SafeMode, which uses the same settings as Firmware Management, provides quick recovery from uncertain configuration states. Automatic Notification of New Firmware To receive automatic notification of new firmware, select the Notify me when new firmware is available check box.
– Uploaded Firmware - the latest uploaded version from mySonicWALL.com. – Uploaded Firmware with Factory Default Settings - the latest version uploaded with factory default settings. – Uploaded Firmware with Backup Settings - a firmware image created by clicking Create Backup. • Version - the firmware version. • Date - the day, date, and time of downloading the firmware. • Size - the size of the firmware file in Megabytes (MB).
SafeMode - Rebooting the SonicWALL Security Appliance SafeMode allows easy firmware and preferences management as well as quick recovery from uncertain configuration states. It is no longer necessary to reset the firmware by pressing and holding the Reset button on the appliance. Pressing the Reset button for one second launches the SonicWALL security appliance into SafeMode. SafeMode allows you to select the firmware version to load and reboot the SonicWALL security appliance.
Note Clicking Boot next to any firmware image overwrites the existing current firmware image, making it the Current Firmware image. Click Boot in the firmware row of your choice to restart the SonicWALL security appliance. FIPS When operating in FIPS (Federal Information Processing Standard) Mode, the SonicWALL security appliance supports FIPS 140-2 Compliant security.
Chapter 12: Using SonicWALL Packet Capture System > Packet Capture This chapter contains the following sections: • “Packet Capture Overview” on page 105 • “Using Packet Capture” on page 107 • “Verifying Packet Capture Activity” on page 120 • “Related Information” on page 122 Packet Capture Overview This section provides an introduction to the SonicWALL SonicOS Enhanced packet capture feature.
• PPP negotiations details You can configure the packet capture feature in the SonicOS Enhanced user interface (UI). The UI provides a way to configure the capture criteria, display settings, and file export settings, and displays the captured packets. Benefits The SonicOS Enhanced packet capture feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal).
Refresh: Click Refresh to display new buffer data in the Captured Packets window. You can then click any packet in the window to display its header information and data in the Packet Detail and Hex Dump windows. Export As: Display or save a snapshot of the current buffer in the file format that you select from the drop-down list. Saved files are placed on your local management system (where the UI is running).
Accessing Packet Capture in the UI This section describes how to access the packet capture tool in the SonicOS UI. There are two ways to access the Packet Capture screen. Step 1 Log in to the SonicOS UI as admin. Step 2 To go directly to the Packet Capture screen, in the left pane, under System, click Packet Capture. Step 3 Alternatively, to access packet capture from the Diagnostics screen, in the left pane, under System, click Diagnostics.
Starting packet capture Step 1 Navigate to the Packet Capture page in the UI. See “Accessing Packet Capture in the UI” on page 108. Step 2 Under Packet Capture, optionally click Reset. The Packet Capture page displays several lines of statistics above the Start and Stop buttons. You can click Reset to set the statistics back to zero. Step 3 Under Packet Capture, click Start. Step 4 To refresh the packet display windows to show new buffer data, click Refresh.
• Egress - The SonicWALL appliance interface on which the packet was captured when sent out – The subsystem type abbreviation is shown in parentheses.
About the Packet Detail Window When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select. About the Hex Dump Window When you click on a packet in the Captured Packets window, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump window.
• “Configuring Advanced Settings” on page 119 • “Restarting FTP logging” on page 120 Configuring General Settings This section describes how to configure packet capture general settings, including the number of bytes to capture per packet and the buffer wrap option. You can specify the number of bytes using either decimal or hexadecimal, with a minimum value of 14.
You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported: ARP, IP, PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone. This option is not case-sensitive. For example, to capture all supported types, you could enter: ARP, IP, PPPOE. You can use one or more negative values to capture all Ethernet types except those specified; for example: !ARP, !PPPoE.
To configure Packet Capture, complete the following steps: Step 1 Navigate to the Packet Capture page in the UI. See “Accessing Packet Capture in the UI” on page 108. Step 2 Under Packet Capture, click Configure. Step 3 In the Packet Capture Configuration window, click the Capture Filter tab.
Configuring Display Filter Settings This section describes how to configure packet capture display filter settings. The values that you provide here are compared to corresponding fields in the captured packets, and only those packets that match are displayed. Display filter settings include the following: • Interface on your SonicWALL appliance You can specify up to ten interfaces separated by commas.
SonicOS Enhanced adds one of four possible packet status values to each captured packet: forwarded, generated, consumed, and dropped. You can select one or more of these status values to match when displaying packets. The status value shows the state of the packet with respect to the firewall, as follows: – Forwarded - The packet arrived on one interface and the SonicWALL appliance sent it out on another interface.
Step 4 In the Interface Name(s) box, type the SonicWALL appliance interfaces for which to display packets, or use the negative format (!X0) to display packets captured from all interfaces except those specified. To display packets captured on all interfaces, leave blank. Step 5 In the Ether Type(s) box, enter the Ethernet types for which you want to display packets, or use the negative format (!ARP) to display packets of all Ethernet types except those specified.
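The capture-filter and display-filter syntax described above (comma-separated lists of up to ten values, case-insensitive, blank meaning "all", a leading ! negating the list, and PPPoE standing for both PPPoE-SES and PPPoE-DIS) can be reproduced to test a filter offline before applying it on the appliance. The following is an added example, not SonicOS code; the packet records and the behaviour for a list that mixes negated and plain values (rejected, since the page defines only all-positive or all-negative lists) are assumptions.

```python
"""Offline matcher for the SonicOS packet-capture filter syntax described on
this page. Added example, not SonicOS code; sample packets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_FILTER_VALUES = 10
# "PPPoE" alone stands for both supported PPPoE Ether types (page text).
PPPOE_ALIAS: Dict[str, Set[str]] = {"PPPOE": {"PPPOE-SES", "PPPOE-DIS"}}


class FilterError(ValueError):
    """Raised for filters the appliance would not accept."""


def _expand(value: str, aliases: Dict[str, Set[str]]) -> Set[str]:
    """Upper-case one filter value (matching is case-insensitive) and expand
    aliases such as PPPoE -> {PPPoE-SES, PPPoE-DIS}."""
    key = value.strip().upper()
    return set(aliases.get(key, {key}))


def parse_filter(text: str, aliases: Optional[Dict[str, Set[str]]] = None) -> Tuple[bool, Set[str]]:
    """Return (negated, values). A blank filter yields an empty set, which the
    caller treats as 'match everything'. Mixing '!' and plain values is
    rejected here (assumption: the page only shows all-or-nothing negation)."""
    aliases = aliases or {}
    if not text.strip():
        return False, set()
    parts = [p.strip() for p in text.split(",") if p.strip()]
    if len(parts) > MAX_FILTER_VALUES:
        raise FilterError(f"at most {MAX_FILTER_VALUES} values allowed, got {len(parts)}")
    negs = [p.startswith("!") for p in parts]
    if any(negs) and not all(negs):
        raise FilterError("cannot mix negative (!X) and positive values in one filter")
    values: Set[str] = set()
    for p in parts:
        values |= _expand(p.lstrip("!"), aliases)
    return all(negs), values


def matches(filter_text: str, field_value: str,
            aliases: Optional[Dict[str, Set[str]]] = None) -> bool:
    """True if a captured packet's field passes the filter."""
    negated, values = parse_filter(filter_text, aliases)
    if not values:                      # blank filter: everything matches
        return True
    hit = field_value.upper() in values
    return not hit if negated else hit


@dataclass
class Packet:
    interface: str
    ether_type: str
    status: str                         # forwarded/generated/consumed/dropped


def select_packets(packets: List[Packet], iface_filter: str, ether_filter: str) -> List[Packet]:
    """Apply the interface and Ether-type display filters; a packet must pass both."""
    return [p for p in packets
            if matches(iface_filter, p.interface)
            and matches(ether_filter, p.ether_type, PPPOE_ALIAS)]


# Constructed sample buffer, not real captured data.
SAMPLE: List[Packet] = [
    Packet("X0", "IP", "forwarded"),
    Packet("X1", "ARP", "consumed"),
    Packet("X1", "PPPoE-DIS", "generated"),
    Packet("X2", "IP", "dropped"),
]

if __name__ == "__main__":
    # Everything except interface X0, restricted to ARP and both PPPoE types.
    for pkt in select_packets(SAMPLE, "!X0", "ARP, pppoe"):
        print(pkt)
```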
If you configure automatic logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps. Step 1 Navigate to the Packet Capture page in the UI. See “Accessing Packet Capture in the UI” on page 108. Step 2 Under Packet Capture, click Configure.
month, day, and year. For example, packet-log--3-22-08292006.cap. For HTML format, file names are in the form: “packet-log_h-<>.html”. An example of an HTML file name is: packetlog_h-3-22-08292006.html. Step 8 To enable automatic transfer of the capture file to the FTP server when the buffer is full, select the Log To FTP Server Automatically checkbox. Files are transferred in both libpcap and HTML format.
Even when interfaces specified in the capture filters do not match, this option ensures that packets generated by the SonicWALL appliance are captured. This includes packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPOE, and routing protocols. Captured packets are marked with ‘s’ in the incoming interface area when they are from the system stack. Otherwise, the incoming interface is not specified.
• Red: Capture is stopped • Green: Capture is running and the buffer is not full • Orange: Capture is running, but the buffer is full The UI also displays the buffer size, the number of packets captured, the percentage of buffer space used, and how much of the buffer has been lost. Lost packets occur when automatic FTP logging is turned on, but the file transfer is slow for some reason.
Resetting the Status Information You can reset the displayed statistics for the capture buffer and FTP logging. If a capture is in progress, it is not interrupted when you reset the statistics display. Step 1 Navigate to the Packet Capture page in the UI. Step 2 Under Packet Capture, click Reset.
HTML Format You can view the HTML format in a browser. The following is an example showing the header and part of the data for the first packet in the buffer.
Text File Format You can view the text format output in a text editor. The following is an example showing the header and part of the data for the first packet in the buffer.
Chapter 13: Using Diagnostic Tools & Restarting the Appliance System > Diagnostics The System > Diagnostics page provides several diagnostic tools that help troubleshoot network problems, as well as the Active Connections, CPU, and Process Monitors.
Tech Support Report The Tech Support Report generates a detailed report of the SonicWALL security appliance configuration and status, and saves it to the local hard disk using the Download Report button. This file can then be e-mailed to SonicWALL Technical Support to help assist with a problem. Tip You must register your SonicWALL security appliance on mySonicWALL.com to receive technical support.
• “Active Connections Monitor” on page 127 • “CPU Monitor” on page 128 • “DNS Name Lookup” on page 129 • “Find Network Path” on page 129 • “Packet Capture” on page 130 • “Ping” on page 131 • “Process Monitor” on page 132 • “Real-Time Black List Lookup” on page 132 • “Reverse Name Resolution” on page 132 • “Trace Route” on page 133 • “Web Server Monitor” on page 133 Active Connections Monitor The Active Connections Monitor displays real-time, exportable (plain text
The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string will look for connections matching: Source IP AND Destination IP Check the Group box next to any two or more criteria to combine them with a logical OR.
DNS Name Lookup The SonicWALL security appliance has a DNS lookup tool that returns the IP address of a domain name. Or, if you enter an IP address, it returns the domain name for that address. Step 1 Enter the host name or IP address in the Look up name field. Do not add http to the host name. Step 2 The SonicWALL security appliance queries the DNS Server and displays the result in the Result section. It also displays the IP address of the DNS Server used to perform the query.
Packet Capture The Packet Capture tool tracks the status of a communications stream as it moves from source to destination. This is a useful tool to determine if a communications stream is being stopped at the SonicWALL security appliance, or is lost on the Internet. To interpret this tool, it is necessary to understand the three-way handshake that occurs for every TCP connection.
Client sends a final ACK, and waits for start of data transfer. Step 6 TCP sent on WAN [ACK] From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a) The SonicWALL security appliance forwards the client ACK to the remote host and waits for the data transfer to begin. When using packet capture to isolate network connectivity problems, look for the location where the three-way handshake is breaking down.
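Finding "where the handshake breaks down" can be automated over exported capture lines: for each TCP flow, record which of the six handshake events (client SYN in on LAN, SYN out on WAN, server SYN/ACK in on WAN, SYN/ACK out on LAN, client ACK in on LAN, ACK out on WAN) were seen and report the first one missing. The following is an added example, not SonicOS code. It assumes the line shape of the Step 6 line above, that inbound lines read "received on" rather than "sent on", that flags are comma-separated (SYN,ACK), and that addresses are not rewritten by NAT between the LAN and WAN lines; the sample lines are constructed with documentation-range addresses.

```python
"""Locate the step at which a TCP three-way handshake breaks down in
packet-capture output. Added example, not SonicOS code; the line format is
modeled on the single capture line shown on this page, and the 'received on'
wording, 'SYN,ACK' flag spelling and untranslated addresses are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^TCP (?P<dir>sent|received) on (?P<iface>\w+) \[(?P<flags>[A-Z,]+)\] "
    r"From (?P<sip>[\d.]+) / (?P<sport>\d+) \((?P<smac>[0-9a-f:]+)\) "
    r"To (?P<dip>[\d.]+) / (?P<dport>\d+) \((?P<dmac>[0-9a-f:]+)\)$"
)

# The six events a healthy handshake produces when the client is on the LAN
# and the server on the WAN: (direction, interface, flags).
HANDSHAKE_STEPS: List[Tuple[str, str, str]] = [
    ("received", "LAN", "SYN"),      # 1 client SYN arrives
    ("sent", "WAN", "SYN"),          # 2 firewall forwards SYN
    ("received", "WAN", "SYN,ACK"),  # 3 remote host answers
    ("sent", "LAN", "SYN,ACK"),      # 4 firewall forwards SYN/ACK
    ("received", "LAN", "ACK"),      # 5 client final ACK arrives
    ("sent", "WAN", "ACK"),          # 6 firewall forwards ACK (page's Step 6)
]

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def parse_line(line: str) -> Optional[Tuple[FlowKey, Tuple[str, str, str]]]:
    """Return (flow_key, (direction, interface, flags)) or None if the line is
    not a TCP capture line. The flow key is the unordered endpoint pair so
    that both directions of a connection land in the same bucket."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Normalise flag order so "ACK,SYN" and "SYN,ACK" compare equal.
    flags = ",".join(sorted(m["flags"].split(","), key=lambda f: f != "SYN"))
    a = (m["sip"], int(m["sport"]))
    b = (m["dip"], int(m["dport"]))
    key: FlowKey = tuple(sorted([a, b]))  # type: ignore[assignment]
    return key, (m["dir"], m["iface"], flags)


def diagnose(missing_step: Optional[int]) -> str:
    """Map the first missing step to the page's two troubleshooting outcomes:
    stopped at the appliance, or lost beyond it."""
    if missing_step is None:
        return "handshake completed"
    direction, iface, flags = HANDSHAKE_STEPS[missing_step - 1]
    if direction == "sent":
        return f"{flags} received but never sent on {iface}: stream stopped at the SonicWALL appliance"
    if iface == "WAN":
        return f"{flags} never received on WAN: remote host did not answer or reply lost on the Internet"
    return f"{flags} never received on LAN: client did not send it or it was lost on the LAN"


def analyze(lines: List[str]) -> Dict[FlowKey, dict]:
    """Per flow: the handshake steps observed, the first missing step (where
    the handshake breaks down) and a short diagnosis."""
    seen: Dict[FlowKey, set] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, event = parsed
        if event in HANDSHAKE_STEPS:          # data packets (PSH,ACK...) ignored
            seen.setdefault(key, set()).add(HANDSHAKE_STEPS.index(event) + 1)
    report: Dict[FlowKey, dict] = {}
    for key, steps in seen.items():
        missing = [n for n in range(1, 7) if n not in steps]
        first = missing[0] if missing else None
        report[key] = {"completed_steps": sorted(steps), "breaks_at": first,
                       "diagnosis": diagnose(first)}
    return report


# Constructed sample output (documentation-range addresses, made-up MACs):
# flow A completes, flow B is stopped at the firewall, flow C gets no reply.
C, F, S = "00:00:5e:00:53:01", "00:00:5e:00:53:fe", "00:00:5e:00:53:a0"
SAMPLE_LINES = [
    f"TCP received on LAN [SYN] From 192.0.2.10 / 1937 ({C}) To 198.51.100.7 / 80 ({F})",
    f"TCP sent on WAN [SYN] From 192.0.2.10 / 1937 ({F}) To 198.51.100.7 / 80 ({S})",
    f"TCP received on WAN [SYN,ACK] From 198.51.100.7 / 80 ({S}) To 192.0.2.10 / 1937 ({F})",
    f"TCP sent on LAN [SYN,ACK] From 198.51.100.7 / 80 ({F}) To 192.0.2.10 / 1937 ({C})",
    f"TCP received on LAN [ACK] From 192.0.2.10 / 1937 ({C}) To 198.51.100.7 / 80 ({F})",
    f"TCP sent on WAN [ACK] From 192.0.2.10 / 1937 ({F}) To 198.51.100.7 / 80 ({S})",
    f"TCP received on LAN [PSH,ACK] From 192.0.2.10 / 1937 ({C}) To 198.51.100.7 / 80 ({F})",
    f"TCP received on LAN [SYN] From 192.0.2.11 / 2001 ({C}) To 198.51.100.9 / 443 ({F})",
    f"TCP received on LAN [SYN] From 192.0.2.12 / 2002 ({C}) To 198.51.100.20 / 25 ({F})",
    f"TCP sent on WAN [SYN] From 192.0.2.12 / 2002 ({F}) To 198.51.100.20 / 25 ({S})",
    "ARP received on LAN who-has 192.0.2.1",   # not TCP: skipped by the parser
]

if __name__ == "__main__":
    for flow, info in analyze(SAMPLE_LINES).items():
        print(flow, info["completed_steps"], info["diagnosis"])
```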
Process Monitor Process Monitor shows individual system processes, their CPU utilization, and their system time. Real-Time Black List Lookup The Real-Time Black List Lookup tool allows you to test SMTP IP addresses, RBL services, or DNS servers. Enter an IP address in the IP Address field, a FQDN for the RBL in the RBL Domain field and DNS server information in the DNS Server field. Click Go.
Trace Route Trace Route is a diagnostic utility to assist in diagnosing and troubleshooting router connections on the Internet. By using Internet Control Message Protocol (ICMP) echo packets similar to Ping packets, Trace Route can test interconnectivity with routers and other hosts that are farther and farther along the network path until the connection fails or until the remote host responds. Type the IP address or domain name of the destination host. For example, type yahoo.
System > Restart The SonicWALL security appliance can be restarted from the Web Management interface. Click System > Restart to display the Restart page. Click Restart... and then click Yes to confirm the restart. The SonicWALL security appliance takes approximately 60 seconds to restart, and the yellow Test light is lit during the restart. During the restart time, Internet access is momentarily interrupted on the LAN.
Part 3: Network
Chapter 14: Configuring Interfaces Network > Interfaces The Network > Interfaces page includes interface objects that are directly linked to physical interfaces. The SonicOS Enhanced scheme of interface addressing works in conjunction with network zones and address objects. Physical interface objects include the LAN, WAN, and depending on which SonicWALL security appliance you have, OPT, Modem, WLAN, and WWAN ports in the SonicWALL security appliance.
Setup Wizard The Setup Wizard button accesses the Setup Wizard. The Setup Wizard walks you through the configuration of the SonicWALL security appliance for Internet connectivity. For Setup Wizard instructions, see “Wizards > Setup Wizard” section on page 793. Interface Settings The Interface Settings table lists the following information for each interface: • Name - Listed as LAN, WAN, WWAN, WLAN, or OPT depending on your SonicWALL security appliance model.
Caution You cannot change the Zones in the Edit Interface window for the LAN, WAN, Modem, and WLAN interfaces. Interface Traffic Statistics The Interface Traffic Statistics table lists received and transmitted information for all configured interfaces. The following information is displayed for all SonicWALL security appliance interfaces: • Rx Unicast Packets - indicates the number of point-to-point communications received by the interface.
Physical Interfaces Physical interfaces must be assigned to a Zone to allow for configuration of Access Rules to govern inbound and outbound traffic. Security zones are bound to each physical interface where it acts as a conduit for inbound and outbound traffic. If there is no interface, traffic cannot access the zone or exit the zone. For more information on zones, see “Network > Zones” on page 191.
Transparent Mode Transparent Mode in SonicOS Enhanced uses interfaces as the top level of the management hierarchy. Transparent Mode supports unique addressing and interface routing.
Note The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address. Configuring Advanced Settings for the Interface If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL.
Configuring Interfaces in Transparent Mode Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface. You can configure the following interfaces in Transparent Mode: • TZ family and PRO 1260: Lan and Opt • PRO family: X0, X2 - X9, F0 Note You cannot configure the X1 or WAN interface in Transparent mode.
• Range to specify a range of IP addresses by entering beginning and ending value of the range. • Network to specify a subnet by entering the beginning value and the subnet mask. The subnet must be within the WAN address range and cannot include the WAN interface IP address. c. Enter the IP address of the host, the beginning and ending address of the range, or the IP address and subnet mask of the network. d.
Configuring Wireless Interfaces A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points. Step 1 Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed. You can configure X2 through X9, Opt, a VLAN sub-interface or a PortShield interface. Step 2 In the Zone list, select WLAN or a custom Wireless zone.
Note The above table depicts the maximum subnet mask sizes allowed. You can still use classful subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (e.g. 24-bit class C - 255.255.255.0 - 254 total usable IPs), thus allocating more IP addressing space to clients if you have the need to support larger numbers of wireless clients.
Caution If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well. You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC Address in the field. Check Enable Multicast Support to allow multicast reception on this interface. Check Enable 802.
• DHCP - configures the SonicWALL to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers. • PPPoE - uses Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. If desktop software and a username and password is required by your ISP, select NAT with PPPoE. This protocol is typically found when using a DSL modem.
Ethernet Settings If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection.
Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds. The Bandwidth Management section allows you to specify the available outbound bandwidth for this interface in Kbps. • Enable Egress Bandwidth Management - Enables outbound bandwidth management.
• Subnet Mask: 255.255.255.0 is the default Step 3 In the Switch Ports tab, choose which ports to add to the PortShield interface.
Configuring the Wireless WAN Interface The SonicWALL TZ 190 security appliance introduces support for 3G (third generation) Wireless WAN connections that utilize data connections over 3G cellular networks. The Wireless WAN (WWAN) can be used for: • WAN Failover to a connection that is not dependent on wire or cable. • Temporary networks where a pre-configured connection may not be available, such as trade-shows and kiosks.
Managing WWAN Connections To initiate a WWAN connection, on the Network > Interfaces page, click on the Manage button in the WWAN interface line. The WWAN Connection window displays. Click the Connect button. The SonicWALL TZ 190 attempts to connect to the WWAN service provider. To disconnect a WWAN connection, click on the Manage button. The WWAN Connection window displays. Click Disconnect.
For a detailed explanation of the behavior of the Ethernet with WWAN Failover setting refer to “Understanding Wireless WAN Connection Models” on page 274. Configuring Basic Wireless WAN Settings To configure basic WWAN interface settings, perform the following steps: Step 1 Click the edit icon for the WWAN interface. The WWAN Settings window is displayed.
Note To configure the SonicWALL TZ 190 for Connect on Data operation, you must select Dial on Data as the Dial Type for the Connection Profile. See “Configuring WWAN Connection Profiles” on page 283 in Chapter 32, Configuring Wireless WAN for more details.
Configuring Remotely Triggered Dial-Out on the WWAN Before configuring the Remotely Triggered Dial-Out feature, ensure that your configuration meets the following prerequisites: • The WWAN profile is configured for dial-on-data. • The SonicWALL Security Appliance is configured to be managed using HTTPS, so that the device can be accessed remotely. • It is recommended that you enter a value in the Enable Max Connection Time (minutes) field.
Configuring the Maximum Allowed WWAN Connections To configure the maximum number of nodes allowed to connect to the WWAN interface, enter the maximum number of nodes in the Max Host field. Entering 0 in the Max Host field allows any number of nodes to connect. Creating a WLAN Subnet WLAN subnets are used to segment IP address space for use by Virtual Access Points (VAP). Each VAP must have a separate WLAN subnet, and you must create the WLAN subnet before creating the VAP.
• SonicPoint Limit: The maximum number of allowed SonicPoints is configured automatically. • Comment: Optionally enter a comment about the subnet. • Management: Select the appropriate protocols to allow remote management of the SonicWALL security appliance from this subnet. • User Login: Select HTTP and/or HTTPS to allow users with limited management rights to log in to the SonicWALL security appliance.
Chapter 15: Configuring PortShield Interfaces SonicWALL PortShield Interfaces SonicWALL PortShield is a feature of the SonicWALL TZ 180 and TZ 190 security appliances running SonicOS Enhanced 3.8 or newer. PortShield architecture enables you to configure some or all of the LAN switch ports on the TZ 180 and TZ 190 into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well.
Network > SwitchPorts The Network > SwitchPorts page allows you to manage the assignments of ports to PortShield interfaces. Overview A PortShield interface is a virtual interface with a set of ports assigned to it. There are two IP assignment methods you can deploy to create PortShield interfaces. They are Static and Transparent modes. The following two sections describe each.
When you create a PortShield interface in Transparent Mode, you create a range of addresses to be applied to the PortShield interface. You include these addresses in one entity called an Address Object. Address Objects allow for entities to be defined one time and to be re-used in multiple referential instances throughout the SonicOS interface.
Creating a PortShield Interface from the Interfaces Area Before creating and adding a PortShield interface, think about why you are creating it and what role it will play in your network. To create and add a PortShield interface to the list of interfaces, perform the following steps: 4. Click on the Network > Interfaces page. 5. The interfaces in the list contain the following information: Column Description Name A string that identifies the interface.
6. Click the Add PortShield Interface button. The Add Port Shield dialog box displays. 7. Click the Zone list box and click on a zone type option to which you want to map the interface. Default zones are: – LAN – DMZ – WLAN – Unassigned If you want to create another zone, go to the section “Creating a New Zone for the PortShield Interface” on page 166. Note You can add PortShield interfaces only to Trusted, Public, and Wireless zones.
8. After you select a zone option, the management software displays a more expanded version of the PortShield Interface Settings dialog box. 9. Type a string in the PortShield Interface Name field. 10. Click on the IP Assignment list box and select either Static or Transparent. Static indicates the interface obtains its IP address manually. Transparent mode allows for the WAN subnetwork to be shared by the current interface using Address Object assignments.
Note This option only appears when creating a PortShield interface, not when editing an existing PortShield interface. You can change the interface's DHCP settings after creating it from the DHCP Server page (Network > DHCP Server). 16. Click on the Switch Ports tab. The management software displays the PortShield Interface dialog box. 17.
Creating a New Zone for the PortShield Interface You may want to create a zone for a PortShield interface with attributes that none of the default zones provide. To create a new zone for a PortShield interface, perform the following: 1. In the Add PortShield Interface window, click on the Zone list box and click on the Create New Zone option. The management software displays the General Settings dialog box. 2.
4. After selecting the security level for the PortShield interface, click on one of the following checkboxes that enables a security service for the zone: Allow Interface Trust: automates the creation of Access Rules that allow traffic to flow between the interfaces of a zone instance. Leave it unchecked if PortShield segments placed in the same zone should not be able to reach each other; you can still add explicit rules later on the Firewall > Access Rules page.
4. Click the Configure button. The management software displays the Edit Multiple Switch Ports dialog box. You can refine your settings in this dialog box. The name of the PortShield interface group will be assigned by default. 5. Click on the Port Enable list box and click on either the Enable or Disable option to either activate or deactivate the interfaces in the PortShield interface group. 6.
Creating Transparent Mode PortShield Interfaces You may find it useful to bundle addresses into address objects and reference those objects when creating a PortShield interface. Address objects allow entities to be defined once and reused in multiple places throughout SonicOS. The PortShield interface creation environment provides a convenient way to reference address objects.
7. Click on the Transparent Range list box and click on the Create new address object option. The management software displays the Add Address Object dialog box. 8. Fill out the fields as detailed in the next three sections to create the three different types of address objects. The three examples use the 67.115.118.0 subnetwork. Creating a Transparent Mode PortShield Interface with a Host Address Object To assign the Host Address Object 67.115.118.
Creating a PortShield Using an Address Object Containing an Address Range To assign a Range Address Object with addresses extending from 67.115.118.100 to 67.115.118.102 to portshield2, perform the following steps: 1. Type the name portshield2 in the Name field to identify the address object. 2. Click the Zone Assignment list box and click the LAN option. 3. Click the Type list box and click the Range option to make the address object apply to a range of addresses.
2. Click on the Add button in the Address Objects list in the window. SonicOS displays the Add Address Object dialog box as shown in the following figure: 3. Enter the name portshield3 in the Name field. 4. Select Network from the Type menu. 5. Enter 67.115.118.200 in the network IP address and 255.255.255.0 in the Netmask field (a Network object with a 255.255.255.0 mask covers the entire 67.115.118.0/24 subnet, not just the .200 address). 6. Click on the Zone Assignment list box and click on LAN. 7. Click OK.
To select ports and apply them to a previously configured interface, perform the following steps: 1. Create a PortShield interface following the steps in “Overview” on page 160, but do not map ports to it by going into the Switch Ports tab. 2. Click the Networks option in the navigation pane and then click the Switch Ports option. SonicOS displays the Switch Ports window. 3. Note the color of the ports.
PortShield Deployment Scenario 6. Click on the PortShield Interface list box as shown in the following figure. Note that the list contains an entry called Accounting; this is the host address object you created. 7. Click on the Accounting entry. By selecting this entry, you map ports 3, 4, and 5 to the Accounting entry. 8. Click OK. Wait a moment. SonicOS displays the Switch Ports dialog box, displaying the results of your session. 9. Verify the PortShield interface port mappings.
Note The easiest way to configure this example is to use the PortShield Wizard. Configure it to have two PortShield interfaces, with three and two ports respectively. For more details on the PortShield Wizard, see Chapter 23, Configuring PortShield Interfaces Using the Setup Wizard. Office Internet Deployment Details This example uses the following zones and PortShield interfaces: Zones • LAN: Default LAN zone configuration. – Used for Office PortShield Group.
PortShield Interfaces The small business example uses two PortShield interfaces. • LAN: for office use – LAN zone – Ports 1 - 3. These ports are assigned to LAN by not assigning them to another PortShield interface. – 2 desktop workstations – 1 web and mail server.
– Name: Residents – Security Type: Wireless. Select Wireless so you can use the same context for both the individual wired connections and the SonicPoints.
– SonicPoint Provisioning Profile: Select the SonicPoint profile you configured. The settings in this profile will automatically be applied to the SonicPoints you set up for wireless access. • Guest Services tab settings: – Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have resident accounts.
Configure the PortShield Interfaces with the PortShield Wizard In this example, two ports are assigned to a Wireless PortShield interface for the SonicPoints and three ports are assigned to the LAN interface for the Office. The easiest way to configure this is to use the PortShield Wizard and then modify the configuration. We will use the wizard to configure 2 PortShield interfaces with 3 and 2 ports respectively. 1.
4. Uncheck the Enable Interface Trust for new PortShield Interface segments checkbox to prevent communication between the wireless segment and the office segment. If this level of security is not necessary, leave the checkbox checked. You can modify these settings on the Firewall > Access Rules page. Click Next. 5. Click Apply to create the interfaces.
CHAPTER 16 Chapter 16: Setting Up WAN Failover and Load Balancing Network > WAN Failover & Load Balancing WAN Failover and Load Balancing allows you to designate one of the user-assigned interfaces as a Secondary or backup WAN port. The secondary WAN port can be used in a simple active/passive setup, where traffic is only routed through the secondary WAN port if the primary WAN port is down or unavailable. In this chapter, this feature is referred to as basic failover.
Network > WAN Failover & Load Balancing About Source and Destination IP Address Binding When you establish a connection with a WAN, you can create multiple interfaces and divide the traffic load over them. There are both Primary and Secondary WAN interfaces. This distribution model maintains high performance by ensuring that no single interface becomes a bottleneck that blocks traffic. This process is WAN Load Balancing.
Creating a NAT Policy for the Secondary WAN Port You need to create a NAT policy on your SonicWALL for WAN Failover. Follow these steps to create a NAT policy on your SonicWALL using the OPT interface: Step 1 Select Network > NAT Policies. Step 2 Click Add. The Add NAT Policy window is displayed. Step 3 Select Any from the Original Source menu. Step 4 Select OPT IP from the Translated Source menu. Step 5 Select Any from the Original Destination menu.
Activating WAN Failover and Selecting the Load Balancing Method To configure the SonicWALL for WAN failover and load balancing, follow the steps below: Step 1 On the Network > WAN Failover & LB page, select Enable Load Balancing. Step 2 If there are multiple possible secondary WAN interfaces, select an interface from the Secondary WAN Interface menu. Step 3 Select a load balancing method.
– Basic Active/Passive Failover: When this setting is selected, the SonicWALL security appliance only sends traffic through the Secondary WAN interface if the Primary WAN interface has been marked inactive. The SonicWALL security appliance is set to use this as the default load balancing method. If the Primary WAN fails, then the SonicWALL security appliance reverts to this method instead of the ones described below.
entry box is required (percentage for Primary WAN). The management interface automatically populates the non-user-editable entry box with the remaining percentage assigned to the Secondary WAN interface. Please note this feature will be overridden by specific static route entries.
upstream. If your ISP is experiencing problems in its routing infrastructure, a successful ICMP ping of their router causes the SonicWALL security appliance to believe the line is usable, when in fact it may not be able to pass traffic to and from the public Internet at all. To perform reliable link monitoring, you can choose ICMP or TCP as the monitoring method and can specify up to two targets for each WAN port; choose targets beyond the ISP's first-hop router so that the probe exercises the whole path.
Note If there is a NAT device between the two devices sending and receiving TCP probes, the Any TCP-SYN to Port box must be checked, and the same port number must be configured here and in the Configure WAN Probe Monitoring window. Step 4 Click on the Configure button. The Configure WAN Probe Monitoring window is displayed.
Caution Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings. If the probe cannot contact its target, the interface is deactivated and traffic is no longer sent through the primary WAN.
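The probe-and-failover logic described in this chapter, as an added example that is not part of the original guide or of SonicOS itself: two probe targets per WAN port, a link counted as up when either target answers (or both, if you choose that rule), Basic Active/Passive selection, and a static route overriding the choice. The interface names X1/X2, the thresholds and the probe results are assumptions constructed for the example.

```python
"""WAN probe monitoring and Basic Active/Passive failover, modelled on the
text above: up to two probe targets per WAN port, ICMP or TCP probes, the
secondary WAN carrying traffic only while the primary is marked inactive,
and static routes overriding the choice. Added example, not SonicOS code;
the probe results are constructed rather than measured."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProbeTarget:
    host: str
    method: str                 # "icmp" or "tcp"
    port: Optional[int] = None  # TCP probes need a port (TCP-SYN to Port)

    def __post_init__(self):
        if self.method == "tcp" and self.port is None:
            raise ValueError("a TCP probe needs a port")


@dataclass
class WanInterface:
    name: str
    targets: List[ProbeTarget] = field(default_factory=list)
    fail_threshold: int = 3     # consecutive failed rounds before deactivation
    recover_threshold: int = 3  # consecutive good rounds before reactivation
    active: bool = True
    failures: int = 0
    successes: int = 0


def probe_round(iface: WanInterface, results: Dict[str, bool],
                require_all: bool = False) -> bool:
    """Apply one round of probe results (host -> answered?) to the interface.
    With require_all=False the link counts as up if either target answers;
    with require_all=True both must answer (assumption: the appliance lets
    you pick either rule). Returns the interface's new active state."""
    answers = [results.get(t.host, False) for t in iface.targets]
    up = all(answers) if require_all else any(answers)
    if up:
        iface.successes += 1
        iface.failures = 0
        if not iface.active and iface.successes >= iface.recover_threshold:
            iface.active = True
    else:
        iface.failures += 1
        iface.successes = 0
        if iface.active and iface.failures >= iface.fail_threshold:
            iface.active = False
    return iface.active


def select_wan(primary: WanInterface, secondary: WanInterface,
               static_route_iface: Optional[str] = None) -> Optional[str]:
    """Basic Active/Passive Failover: use the primary while it is active,
    the secondary only once the primary has been deactivated, and nothing
    if both are down. A static route that matches the destination wins
    before load balancing is consulted at all."""
    if static_route_iface is not None:
        return static_route_iface
    if primary.active:
        return primary.name
    if secondary.active:
        return secondary.name
    return None


def run_scenario() -> List[Optional[str]]:
    """Constructed scenario: one good round, three rounds in which both of
    the primary's targets stop answering, then three good rounds. The probe
    targets sit beyond the ISP router, as the text recommends, so a dead
    upstream is noticed even when the ISP's own router still answers pings."""
    primary = WanInterface("X1", [ProbeTarget("203.0.113.10", "tcp", 443),
                                  ProbeTarget("203.0.113.53", "icmp")])
    secondary = WanInterface("X2", [ProbeTarget("198.51.100.10", "tcp", 443)])
    good = {"203.0.113.10": True, "203.0.113.53": True, "198.51.100.10": True}
    bad = {"203.0.113.10": False, "203.0.113.53": False, "198.51.100.10": True}
    chosen = []
    for results in [good] + [bad] * 3 + [good] * 3:
        probe_round(primary, results)
        probe_round(secondary, results)
        chosen.append(select_wan(primary, secondary))
    return chosen


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the three-round hysteresis in both directions: traffic stays on X1 through the first two failed rounds, moves to X2 on the third, and only returns to X1 after three consecutive good rounds, which is what keeps a flapping link from bouncing sessions back and forth.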
CHAPTER 17 Chapter 17: Configuring Zones Network > Zones A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, simpler and more intuitive than following a strict physical-interface scheme.
Network > Zones tunnels, which is a feature that users have long requested. SonicWALL security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zone. How Zones Work An easy way to visualize how security zones work is to imagine a large new building, with several rooms inside the building, and a group of new employees that do not know their way around the building.
Predefined Zones The predefined zones on your SonicWALL security appliance depend on the model. The predefined security zones are not modifiable and are defined as follows: • WAN: This zone can consist of either one or two interfaces.
• Trusted: Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted. • Encrypted: Encrypted is a security type used exclusively by the VPN Zone. All traffic to and from an Encrypted zone is encrypted.
• Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones. • Enforce Global Security Clients - Enforces security policies for Global Security Clients on multiple interfaces in the same Trusted, Public or WLAN zones. • Create Group VPN - Creates a GroupVPN policy for the Zone, which is displayed in the VPN Policies table on the VPN > Settings page.
• Configure: Clicking the Notepad icon displays the Edit Zone window. Clicking the Trashcan icon deletes the zone. The Trashcan icon is dimmed for the predefined zones. You cannot delete these zones. Adding a New Zone To add a new Zone, click Add under the Zone Settings table. The Add Zone window is displayed. Step 1 Type a name for the new zone in the Name field. Step 2 Select a security type Trusted, Public or Wireless from the Security Type menu.
– Enable Gateway Anti-Virus Service - Enforces gateway anti-virus protection on your SonicWALL security appliance for all clients connecting to this zone. SonicWALL Gateway Anti-Virus manages the anti-virus service on the SonicWALL appliance. – SonicWALL Intrusion Protection Service (IPS) - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
– Enforce Global Security Clients - Enforces security policies for Global Security Clients on multiple interfaces in the same Trusted, Public or WLAN zones. – Create Group VPN - creates a GroupVPN policy for the Zone, which is displayed in the VPN Policies table on the VPN > Settings page. You can customize the GroupVPN policy on the VPN > Settings page. If you uncheck Create Group VPN, the GroupVPN policy is removed from the VPN > Settings page. Step 4 Click the Wireless tab.
– X5 IP Step 8 In the SSL-VPN Service list, select the service or group of services you want to allow for clients authenticated through the SSL-VPN. Step 9 Select WiFiSec Enforcement to require that all traffic that enters into the WLAN Zone interface be either IPsec traffic, WPA traffic, or both.
– Enable Dynamic Address Translation (DAT) - Wireless Guest Services (WGS) provides spur-of-the-moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the TZ 170 Wireless DHCP services, and authenticate using any web browser.
CHAPTER 18 Chapter 18: Configuring DNS Settings Network > DNS The Domain Name System (DNS) is a distributed, hierarchical system that provides a method for identifying hosts on the Internet using alphanumeric names called fully qualified domain names (FQDNs) instead of using difficult to remember numeric IP addresses. The Network > DNS page allows you to manually configure your DNS settings, if necessary.
Network > DNS To use the DNS Settings configured for the WAN zone, select Inherit DNS Settings Dynamically from the WAN Zone. Click Apply to save your changes.
CHAPTER 19 Chapter 19: Configuring Address Objects Network > Address Objects Address Objects are one of four object classes (Address, User, Service, and Schedule) in SonicOS Enhanced. These Address Objects allow for entities to be defined one time, and to be re-used in multiple referential instances throughout the SonicOS interface. For example, take an internal Web-Server with an IP address of 67.115.118.80.
Network > Address Objects • MAC Address – MAC Address Objects allow for the identification of a host by its hardware address or MAC (Media Access Control) address. MAC addresses are assigned to every wired or wireless network interface by its hardware manufacturer and are intended to be unique and immutable; in practice, though, most operating systems let a user change the address in software, so a MAC Address Object identifies a device but does not authenticate it. MAC addresses are 48-bit values expressed in 6-byte hex notation, for example “My Access Point” with a MAC address of “00:06:01:AB:02:CD”.
• All Address Objects - displays all configured Address Objects. • Custom Address Objects - displays Address Objects with custom properties. • Default Address Objects - displays Address Objects configured by default on the SonicWALL security appliance. Sorting Address Objects allows you to quickly and easily locate Address Objects configured on the SonicWALL security appliance.
Default Address Objects and Groups The Default Address Objects view displays the default Address Objects and Address Groups for your SonicWALL security appliance. The Default Address Objects entries cannot be modified or deleted. Therefore, the Notepad (Edit) and Trashcan (delete) icons are dimmed.
Default Address Groups • LAN Subnets • Firewalled Subnets • LAN Interface IP • WAN Subnets • WAN Interface IP • DMZ Subnets • DMZ Interface IP • ALL WAN IP • All Interface IP • All X0 Management IP • All X1 Management IP • Custom Subnets • Custom Interface IP • All SonicPoints • All Authorized Access Points • WLAN Subnets • WLAN Interface IP • Node License Exclusion List • RBL User White List
• X4 Subnet • X5 IP • X5 Subnet • Default Gateway • Secondary Default Gateway • WAN Remote Access Networks • VPN DHCP Clients • LAN Remote Access Networks • SonicPoint
Adding an Address Object To add an Address Object, click the Add button under the Address Objects table in the All Address Objects or Custom Address Objects views to display the Add Address Object window. Step 1 Enter a name for the Address Object in the Name field. Step 2 Select Host, Range, Network, MAC, or FQDN from the Type menu. – If you select Host, enter the IP address and netmask in the IP Address and Netmask fields.
– If you selected MAC, enter the hardware address in the MAC Address field. – If you selected FQDN, enter the domain name for the individual site or range of sites (with a wildcard) in the FQDN field. Step 3 Select the zone to assign to the Address Object from the Zone Assignment menu. Editing or Deleting an Address Object To edit an Address Object, click the edit icon in the Configure column in the Address Objects table.
Creating Group Address Objects As more and more Address Objects are added to the SonicWALL security appliance, you can simplify managing the addresses and access policies by creating groups of addresses. Changes made to the group are applied to each address in the group. To add a Group of Address Objects, click Add Group to display the Add Address Object Group window. Step 1 Create a name for the group in the Name field.
Public Server Wizard SonicOS Enhanced includes the Public Server Wizard to automate the process of configuring the SonicWALL security appliance for handling public servers, for example an email and Web server on your network that users on the Internet must reach. The Public Server Wizard allows you to select or define the server type (HTTP, FTP, Mail), the private (internal) address objects, and the public (external) address objects.
SonicOS Enhanced 3.5 redefined the operation of MAC AOs, and introduced Fully Qualified Domain Name (FQDN) AOs: • MAC – SonicOS Enhanced 3.5 and higher will resolve MAC AOs to an IP address by referring to the ARP cache on the SonicWALL. • FQDN – Fully Qualified Domain Names, such as ‘www.reallybadwebsite.com’, will be resolved to their IP address (or IP addresses) using the DNS server configured on the SonicWALL.
FQDN wildcard support: FQDN Address Objects support wildcard entries, such as “*.somedomainname.com”, by first resolving the base domain name to all its defined host IP addresses, and then by continuously gleaning DNS responses as they pass through the firewall. For example, creating an FQDN AO for “*.myspace.com” will first use the DNS servers configured on the firewall to resolve “myspace.com” to 63.208.226.40, 63.208.226.41, 63.208.226.42, and 63.208.
FQDN resolution using DNS: FQDN Address Objects are resolved using the DNS servers configured on the SonicWALL in the Network > DNS page. Since it is common for DNS entries to resolve to multiple IP addresses, the FQDN DAO resolution process retrieves all of the addresses to which a host name resolves, up to 256 entries per AO.
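The Address Object types used in the PortShield examples (Host, Range and Network on the 67.115.118.0 subnet) and the MAC and FQDN resolution rules described above, as an added example that is not part of the original guide or of SonicOS itself. The ARP cache, the DNS answers, the host address 67.115.118.10 and the object names are constructed for the example.

```python
"""Address Object types and how MAC and FQDN objects resolve, modelled on the
Host/Range/Network objects in the PortShield examples above and on the MAC
(ARP cache) and FQDN (DNS, wildcard, 256-entry cap) behaviour described in
this section. Added example, not SonicOS code; the ARP cache and DNS answers
are constructed."""
import fnmatch
import ipaddress
from typing import Dict, List, Set, Tuple

MAX_FQDN_ADDRS = 256  # the text states up to 256 addresses per FQDN object


class AddressObject:
    def __init__(self, name: str, kind: str, value: str, zone: str = "LAN"):
        self.name, self.kind, self.zone = name, kind, zone
        self.value = value
        self.resolved: Set[str] = set()  # addresses learned for MAC/FQDN objects
        if kind == "Host":
            self.net = ipaddress.ip_network(f"{value}/32")
        elif kind == "Range":
            lo, hi = (ipaddress.ip_address(v.strip()) for v in value.split("-"))
            if lo > hi:
                raise ValueError("range start is after range end")
            self.lo, self.hi = lo, hi
        elif kind == "Network":
            # strict=False: '67.115.118.200/255.255.255.0' is accepted and
            # normalised to 67.115.118.0/24, because a Network object always
            # covers the whole subnet, not the single address that was typed.
            self.net = ipaddress.ip_network(value, strict=False)
        elif kind == "MAC":
            self.value = value.lower()
        elif kind != "FQDN":
            raise ValueError(f"unknown Address Object type {kind!r}")

    def resolve_arp(self, arp_cache: Dict[str, str]) -> Set[str]:
        """A MAC object resolves to whichever IPs the ARP cache (IP -> MAC)
        currently maps to its hardware address; nothing until then."""
        if self.kind == "MAC":
            self.resolved = {ip for ip, mac in arp_cache.items()
                             if mac.lower() == self.value}
        return self.resolved

    def resolve_dns(self, answers: Dict[str, List[str]]) -> Set[str]:
        """An FQDN object resolves its name, or for a wildcard the base domain
        plus every matching name seen in DNS answers, capped at 256 entries."""
        if self.kind == "FQDN":
            pattern = self.value.lower()
            base = pattern.lstrip("*.")
            for qname, ips in answers.items():
                q = qname.lower().rstrip(".")
                if q == base or fnmatch.fnmatch(q, pattern):
                    self.resolved.update(ips)
            self.resolved = set(sorted(self.resolved)[:MAX_FQDN_ADDRS])
        return self.resolved

    def contains(self, ip: str) -> bool:
        """Membership test as an Access Rule would apply it."""
        addr = ipaddress.ip_address(ip)
        if self.kind in ("Host", "Network"):
            return addr in self.net
        if self.kind == "Range":
            return self.lo <= addr <= self.hi
        return ip in self.resolved  # MAC/FQDN: only resolved addresses match


def glean_dns_response(obj: AddressObject, qname: str, ips: List[str]) -> Set[str]:
    """Feed one DNS response passing through the firewall to a wildcard FQDN
    object; this is how such objects keep growing after the initial lookup."""
    return obj.resolve_dns({qname: ips})


def demo() -> Tuple[AddressObject, ...]:
    """Constructed objects: the three PortShield address objects from the
    examples above (host address chosen here), a MAC object resolved from a
    constructed ARP cache, and a wildcard FQDN object fed two DNS answers."""
    host = AddressObject("portshield1", "Host", "67.115.118.10")
    rng = AddressObject("portshield2", "Range", "67.115.118.100-67.115.118.102")
    net = AddressObject("portshield3", "Network", "67.115.118.200/255.255.255.0")
    mac = AddressObject("handheld1", "MAC", "00:06:01:AB:02:CD")
    fqdn = AddressObject("video_sites", "FQDN", "*.example.com", zone="WAN")
    mac.resolve_arp({"10.50.165.249": "00:06:01:ab:02:cd",
                     "10.50.165.3": "00:1b:21:00:00:01"})
    fqdn.resolve_dns({"example.com": ["192.0.2.10", "192.0.2.11"]})
    glean_dns_response(fqdn, "cdn.example.com", ["192.0.2.50"])
    return host, rng, net, mac, fqdn
```

Two points worth checking in your own rule sets fall out of this model: a MAC or FQDN object matches nothing until it has resolved, so a deny rule built on one is silently empty until ARP or DNS traffic populates it; and a wildcard only matches names under the base domain, so a look-alike such as evilexample.com is not swept in.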
• Create Address Object Groups of sanctioned servers (e.g. SMTP, DNS, etc.) • Create Access Rules in the relevant Zones allowing only authorized SMTP servers on your network to communicate outbound SMTP; block all other outbound SMTP traffic to prevent intentional or unintentional outbound spamming. • Create Access Rules in the relevant Zones allowing authorized DNS servers on your network to communicate with all destination hosts using DNS protocols (TCP/UDP 53).
Blocking All Protocol Access to a Domain using FQDN DAOs There might be instances where you wish to block all protocol access to a particular destination IP because of non-standard ports of operations, unknown protocol use, or intentional traffic obscuration through encryption, tunneling, or both.
Step 2 – Create the Firewall Access Rule • From the Firewall > Access Rules page, LAN->WAN Zone intersection, add an Access Rule as follows: Note Rather than specifying ‘LAN Subnets’ as the source, a more specific source could be specified, as appropriate, so that only certain hosts are denied access to the targets. • When a host behind the firewall attempts to resolve moosifer.dyndns.
The following illustrates a packet dissection of a typical DNS dynamic update process, showing the dynamically configured host 10.50.165.249 registering its full hostname bohuymuth.moosifer.com with the (DHCP provided) DNS server 10.50.165.3: In such environments, it could prove useful to employ FQDN AOs to control access by hostname.
Step 1 – Create the MAC Address Objects • From Network > Address Objects, select Add and create the following Address Object (multi-homing optional, as needed): • Once created, if the hosts were present in the SonicWALL’s ARP cache, they will be resolved immediately, otherwise they will appear in an unresolved state until they are activated and are discovered through ARP: • Create an Address Object Group comprising the Handheld devices: Step 2 – Create the Firewall Access Ru
Bandwidth Managing Access to an Entire Domain Streaming media is one of the most profligate consumers of network bandwidth. But trying to control access, or manage bandwidth allotted to these sites is difficult because most sites that serve streaming media tend to do so off of large server farms. Moreover, these sites frequently re-encode the media and deliver it over HTTP, making it even more difficult to classify and isolate.
Step 2 – Create the Firewall Access Rule • From the Firewall > Access Rules page, LAN->WAN Zone intersection, add an Access Rule as follows: Note If you do not see the Bandwidth tab, you can enable bandwidth management by declaring the bandwidth on your WAN interfaces. For more information on BWM, refer to the Configuring QoS and BWM document at: http://www.sonicwall.com/support/pdfs/configuring_qos_and_bwm.pdf
• The BWM icon will appear within the Access Rule table indicating that BWM is active, and providing statistics: • Access to all *.youtube.com hosts, using any protocol, will now be cumulatively limited to 2% of your total available bandwidth for all user sessions.
CHAPTER 20 Chapter 20: Configuring Routes Network > Routing If you have routers on your interfaces, you can configure static routes on the SonicWALL security appliance on the Network > Routing page. You can create static routing policies that create static routing entries that make decisions based upon source address, source netmask, destination address, destination netmask, service, interface, gateway and metric.
Network > Routing Route Advertisement The SonicWALL security appliance uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL security appliance and remote VPN gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 or RIPv2 based on your router’s capabilities or configuration.
• RIPv2 Enabled (broadcast) - To send route advertisements using broadcasting (a single data packet to all nodes on the network). Step 3 In the Advertise Default Route menu, select Never, When WAN is up, or Always. Step 4 Enable Advertise Static Routes if you have static routes configured on the SonicWALL security appliance and want them included in Route Advertisement. Step 5 Enable Advertise Remote VPN Networks if you want to advertise VPN networks.
A metric is a weighted cost assigned to static and dynamic routes. Metrics have a value between 0 and 255. Lower metrics are considered better and take precedence over higher costs. SonicOS Enhanced adheres to Cisco defined metric values for directly connected interfaces, statically encoded routes, and all dynamic IP routing protocols.
You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific routing policy. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page. You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order.
To test the Telnet policy-based route, telnet to route-server.exodus.net and when logged in, issue the who command. It displays the IP address (or resolved FQDN) of the WAN IP address of the secondary WAN interface and not the primary WAN interface. Advanced Routing Services (OSPF and RIP) In addition to Policy Based Routing and RIP advertising, SonicOS Enhanced offers the option of enabling Advanced Routing Services (ARS).
• Protocol Type – Distance Vector protocols such as RIP base routing metrics exclusively on hop counts, while Link state protocols such as OSPF consider the state of the link when determining metrics. For example, OSPF determines interface metrics by dividing its reference bandwidth (100mbits by default) by the interface speed – the faster the link, the lower the cost and the more preferable the path.
OSPF does not have to impose a hop count limit because it does not advertise entire routing tables, rather it generally only sends link state updates when changes occur. This is a significant advantage in larger networks in that it converges more quickly, produces less update traffic, and supports an unlimited number of hops.
For example, if you had 8 class C networks: 192.168.0.0/24 through 192.168.7.0/24, rather than having to have a separate route statement to each of them, it would be possible to provide a single route to 192.168.0.0/21 which would encompass them all. This ability, in addition to providing more efficient and flexible allocation of IP address space, also allows routing tables and routing updates to be kept smaller.
used, which is generally discouraged). Area assignment is interface specific on an OSPF router; in other words, a router with multiple interfaces can have those interfaces configured for the same or different areas. • Neighbors – OSPF routers on a common network segment have the potential to become neighbors by means of sending Hello packets.
LSAs are then exchanged within LSUs across these adjacencies rather than between each possible pairing combination of routers on the segment. Link state updates are sent by non-DR routers to the multicast address 224.0.0.6, the RFC 1583 assigned ‘OSPFIGP Designated Routers’ address. They are then flooded by the DR to the multicast address 224.0.0.5, ‘OSPFIGP All Routers’, so that every router on the segment receives the LSAs.
– Type 4 (ASBR Summary Link Advertisements) – Sent across areas by ABRs to describe the route to an ASBR, so that routers in other areas know which router originated the external routes. Type 4 LSAs are not sent to Stub Areas. – Type 5 (AS External Link Advertisements) – Sent by ASBRs (Autonomous System Boundary Routers) to describe routes to networks in a different AS. Type 5 LSAs are not sent to Stub Areas.
• Router Types – OSPF recognizes 4 types of routers, based on their roles: • IR (Internal Router) - A router whose interfaces are all contained within the same area. An internal router’s LSDB only contains information about its own area. • ABR (Area Border Router) – A router with interfaces in multiple areas. An ABR maintains LSDBs for each area to which it is connected, one of which is typically the backbone.
By default, Advanced Routing Services are disabled, and must be enabled to be made available. At the top of the Network > Routing page, is a checkbox Use Advanced Routing. Toggling the state of this checkbox will require a reboot for the changes to take effect. When the SonicWALL is running in Advanced Routing mode, the top of the Network > Routing page will look as follows: The operation of the RIP and OSPF routing protocols is interface dependent.
RIP Modes • Disabled – RIP is disabled on this interface • Send and Receive – The RIP router on this interface will send updates and process received updates. • Send Only – The RIP router on this interface will only send updates, and will not process received updates. This is similar to the basic routing implementation. • Receive Only – The RIP router on this interface will only process received updates.
Redistribute Connected Networks - Enables or disables the advertising of locally connected networks into the RIP system. The metric can be explicitly set for this redistribution, or it can use the value (default) specified in the ‘Default Metric’ setting. Redistribute OSPF Routes - Enables or disables the advertising of routes learned via OSPF into the RIP system.
The diagram illustrates an OSPF network where the backbone (area 0.0.0.0) comprises the X0 interface on the SonicWALL and the int1 interface on Router A. Two additional areas, 0.0.0.1 and 100.100.100.100 are connected, respectively, to the backbone via interface int2 on ABR Router A, and via the X4:100 VLAN sub-interface on the SonicWALL. To configure OSPF routing on the X0 and the X4:100 interfaces, select the (Configure) icon in the interface’s row under the “Configure OSPF” column.
• Message Digest – A keyed MD5 hash authenticates the OSPF packets on this interface, so a neighbor must hold the shared key before its LSAs are accepted; prefer it to simple-password authentication, which sends the password in clear text, and to no authentication, which lets any host on the segment inject routes. OSPF Area – The OSPF Area can be represented in either IP or decimal notation. For example, you may represent the area connected to X4:100 as either 100.100.100.100 or 1684300900. OSPFv2 Area Type – See the ‘OSPF Terms’ section above for a more detailed description of these settings. • Normal – Receives and sends all applicable LSA types.
Redistribute Static Routes – Enables or disables the advertising of static (Policy Based Routing) routes into the OSPF system. Redistribute Connected Networks - Enables or disables the advertising of locally connected networks into the OSPF system. Redistribute RIP Routes - Enables or disables the advertising of routes learned via RIP into the OSPF system. Redistribute Remote VPN Networks - Enables or disables the advertising of remote VPN networks into the OSPF system.
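The routing arithmetic in this chapter worked through: the OSPF cost formula (reference bandwidth divided by interface speed), the area ID 100.100.100.100 as the decimal 1684300900, the eight class C networks summarised to 192.168.0.0/21, and static-route selection by prefix length and metric (0 to 255). This is an added example, not the original guide's or SonicOS's own code; the sample routes and gateways are constructed.

```python
"""Routing arithmetic from this chapter worked through: OSPF interface cost
from the reference bandwidth, area IDs in dotted and decimal notation,
summarising the eight class C networks into one /21, and static-route
selection by prefix length and metric. Added example, not SonicOS code;
the sample routes are constructed."""
import ipaddress
from typing import Dict, List, Optional


def ospf_cost(interface_bps: int, reference_bps: int = 100_000_000) -> int:
    """cost = reference bandwidth / interface speed, never below 1. With the
    default 100 Mbit reference, every link of 100 Mbit or faster costs 1, so
    raise the reference if fast ethernet and gigabit links must differ."""
    return max(1, reference_bps // interface_bps)


def area_to_decimal(area: str) -> int:
    """'100.100.100.100' -> 1684300900: an OSPF area ID is a 32-bit number,
    and the dotted form is simply that number written like an IPv4 address."""
    return int(ipaddress.IPv4Address(area))


def area_to_dotted(area: int) -> str:
    return str(ipaddress.IPv4Address(area))


def summarize(networks: List[str]) -> List[str]:
    """Collapse contiguous, aligned networks into the fewest supernets.
    Non-contiguous networks are left as they are."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def best_route(routes: List[Dict], destination: str) -> Optional[str]:
    """Longest matching prefix first, then the lowest metric (0-255); returns
    the gateway to use. Mirrors how a default route (0.0.0.0/0) loses to any
    more specific static entry regardless of metric."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for r in routes:
        if not 0 <= r["metric"] <= 255:
            raise ValueError(f"metric out of range in route {r}")
        net = ipaddress.ip_network(r["net"], strict=False)
        if dst in net:
            candidates.append((net.prefixlen, -r["metric"], r["gateway"]))
    if not candidates:
        return None
    return max(candidates, key=lambda c: (c[0], c[1]))[2]


if __name__ == "__main__":
    print(ospf_cost(10_000_000), area_to_decimal("100.100.100.100"))
    print(summarize([f"192.168.{i}.0/24" for i in range(8)]))
```

The cost helper makes the practical point behind the OSPF discussion visible: with the default reference bandwidth a 100 Mbit and a 1 Gbit link both cost 1, so OSPF will happily balance across them unless the reference is raised consistently on every router in the area.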
Network > Routing 244 SonicOS Enhanced 4.
CHAPTER 21
Chapter 21: Configuring NAT Policies

Network > NAT Policies
• “NAT Policies Table” on page 246
• “NAT Policy Settings Explained” on page 248
• “NAT Policies Q&A” on page 249

The Network Address Translation (NAT) engine in SonicOS Enhanced allows users to define granular NAT policies for their incoming and outgoing traffic.
NAT Policies Table
The NAT Policies table allows you to view your NAT Policies by Custom Policies, Default Policies, or All Policies.
Tip: Before configuring NAT Policies, be sure to create all Address Objects associated with the policy. For instance, if you are creating a One-to-One NAT policy, be sure you have Address Objects for your public and private IP addresses.
Tip: By default, LAN to WAN has a NAT policy predefined on the SonicWALL.

Navigating and Sorting NAT Policy Entries
You can change the view of your policies in the NAT Policies table by selecting one of the view settings in the View Style menu.
NAT Policy Settings Explained
The following explains the settings used to create a NAT policy entry in the Add NAT Policy or Edit NAT Policy windows. Click the Add button in the Network > NAT Policies page to display the Add NAT Policy window to create a new NAT policy, or click the Edit icon in the Configure column for the NAT policy you want to edit to display the Edit NAT Policy window.
• Translated Service: This drop-down menu setting is what the SonicWALL security appliance translates the Original Service to as it exits the SonicWALL security appliance, whether it be to another interface, or into/out of VPN tunnels. You can use the default services in the SonicWALL security appliance, or you can create your own entries. For many NAT Policies, this field is set to Original, as the policy is only altering source or destination IP addresses.
to translate all LAN systems to the WAN IP Address, then create a policy saying that a specific system on that LAN uses a different IP address, and additionally, create a policy saying that the specific system uses another IP address when using HTTP.
Can I have multiple NAT policies for the same objects? Yes – please read the section above.
What are the NAT ‘System Policies’? On the Network > NAT Policies page, notice a radio button labeled System Policies.
This document details how to configure the necessary NAT, load balancing, health check, logging, and firewall rules to allow systems from the public Internet to access a Virtual IP (VIP) that maps to one or more internal systems, such as Web servers, FTP servers, or SonicWALL SSL-VPN appliances. This Virtual IP may be independent of the SonicWALL appliance or it may be shared, assuming the SonicWALL appliance itself is not using the port(s) in question.
• Round Robin – Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.
• Block Remap/Symmetrical Remap – These two methods are useful when you know the source IP addresses/networks (e.g. when you want to precisely control how traffic from one subnet is translated to another).
• Random Distribution – Source IP connects to Destination IP randomly.
Details of Load Balancing Algorithms
This appendix describes how the SonicWALL security appliance applies the load balancing algorithms:
• Round Robin – Source IP connects to Destination IP alternately
• Random Distribution – Source IP connects to Destination IP randomly
• Sticky IP – Source IP connects to same Destination IP
• Block Remap – Source network is divided by size of the Destination pool to create logical segments
• Symmetrical Remap – Source IP maps to Destination
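The five methods listed above, modelled in Python as an added example (this is not SonicOS code). The page does not describe the appliance's internals, so the SHA-256 hash used for Sticky IP, the equal-sized block split for Block Remap, and the same-offset mapping between equal-sized networks for Symmetrical Remap are assumptions chosen to make each described behaviour observable; the pool addresses and client addresses are constructed sample values.

```python
"""Model of the five NAT load-balancing methods described above.

Added example, not SonicOS code. Assumptions (the page does not document the
appliance's internals): Sticky IP hashes the source address with SHA-256,
Block Remap splits the source network into len(pool) equal blocks, and
Symmetrical Remap maps a source network onto an equal-sized destination
network at the same offset.
"""
import hashlib
import ipaddress
import itertools
import random
from collections import Counter


def round_robin(pool):
    """Each new connection goes to the next live member in turn."""
    cycle = itertools.cycle(pool)

    def pick(_src):
        return next(cycle)
    return pick


def random_distribution(pool, seed=None):
    """Each new connection goes to a randomly chosen live member."""
    rng = random.Random(seed)

    def pick(_src):
        return rng.choice(pool)
    return pick


def sticky_ip(pool):
    """The same source IP always lands on the same member (persistence)."""
    def pick(src):
        digest = hashlib.sha256(ipaddress.ip_address(src).packed).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)]
    return pick


def block_remap(src_net, pool):
    """The source network is divided by the pool size into contiguous blocks;
    every address in a block is translated to the same member."""
    net = ipaddress.ip_network(src_net)
    block = max(1, net.num_addresses // len(pool))

    def pick(src):
        addr = ipaddress.ip_address(src)
        if addr not in net:
            raise ValueError(f"{src} is outside {net}")
        offset = int(addr) - int(net.network_address)
        return pool[min(offset // block, len(pool) - 1)]
    return pick


def symmetrical_remap(src_net, dst_net):
    """Source IP maps one-to-one to the destination IP at the same offset, so
    the administrator knows exactly which translated address a host gets."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    if src.num_addresses != dst.num_addresses:
        raise ValueError("symmetrical remap needs equal-sized networks")

    def pick(s):
        addr = ipaddress.ip_address(s)
        if addr not in src:
            raise ValueError(f"{s} is outside {src}")
        return str(dst.network_address + (int(addr) - int(src.network_address)))
    return pick


def distribution(pick, sources):
    """Count how many of the given source IPs each pool member receives."""
    return Counter(pick(s) for s in sources)


if __name__ == "__main__":
    # Constructed sample values: two internal web servers behind one VIP.
    pool = ["192.168.200.10", "192.168.200.11"]
    clients = [f"203.0.113.{i}" for i in range(1, 9)]
    for name, pick in [("round robin", round_robin(pool)),
                       ("sticky ip", sticky_ip(pool)),
                       ("block remap", block_remap("203.0.113.0/24", pool))]:
        print(name, dict(distribution(pick, clients)))
```

Running the module shows why the page recommends Round Robin only when persistence is not required: it spreads the eight constructed clients evenly, while Sticky IP keeps each client on one member at the cost of an uneven split, and Block Remap assigns whole halves of the /24 to each member.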
Creating NAT Policies
NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address, and Destination Services. Policy-based NAT allows you to deploy different types of NAT simultaneously.
• Original Service: Any
• Translated Service: Original
• Inbound Interface: Opt
• Outbound Interface: WAN
• Comment: Enter a short description
• Enable NAT Policy: Checked
• Create a reflective policy: Unchecked
When done, click on the OK button to add and activate the NAT Policy.
You can test the dynamic mapping by installing several systems on the LAN interface at a spread-out range of addresses (for example, 192.168.10.10, 192.168.10.100, and 192.168.10.200) and accessing the public website http://www.whatismyip.com from each system. Each system should display a different IP address from the range we created and attached to the NAT policy.
Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)
This is the mirror policy for the one created in the previous section when you check Create a reflective policy. It allows you to translate an external public IP address into an internal private IP address.
Figure 21:1 One-to-Many NAT Load Balancing Topology and Configuration
To configure One-to-Many NAT load balancing, first go to the Firewall > Access Rules page and choose the policy for WAN to LAN. Click on the Add… button to bring up the pop-up access policy screen.
– IP Address: The network IP address for the devices to be load balanced (in the topology shown in Figure 18.1, this is 192.168.200.
Note: Make sure you choose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it’s actually the correct thing to do (if you try to specify the interface, you get an error).
Step 3 When finished, click on the OK button to add and activate the NAT Policy.
3. Create two NAT entries to allow the two servers to initiate traffic to the public Internet.
4. Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP addresses to the SonicWALL’s WAN IP address.
5. Create two access rule entries to allow any public user to connect to both servers via the SonicWALL’s WAN IP address and the servers’ respective unique custom ports.
Step 1 Create a custom service for the different port.
When finished, click on the OK button to add and activate the NAT policies. With these policies in place, the SonicWALL security appliance translates the servers’ private IP addresses to the public IP address when it initiates traffic out the WAN interface.
Step 4 Go to the Network > NAT Policies menu and click on the Add button. The Add NAT Policy window is displayed.
Note: With previous versions of firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS 2.0 Enhanced. If you write a rule to the private IP address, the rule does not work.
Go to the Firewall > Access Rules page and choose the policy for the ‘WAN’ to ‘Sales’ zone intersection (or whatever zone you put your servers in). Click on the ‘Add…’ button to bring up the pop-up window to create the policies.
Figure 1 NAT Load Balancing Topology
Prerequisites
The examples shown in the Tasklist section on the next few pages utilize IP addressing information from a demo setup – please make sure to replace any IP addressing information shown in the examples with the correct addressing information for your setup. Also note that the interface names may be different.
Note: It is strongly advised that you enable logging for all categories, and enable name resolution for logging.
and activate the changes. For an example, see the screenshot below. Debug logs should only be used for initial configuration and troubleshooting, and it is advised that once setup is complete, you set the logging level to a more appropriate level for your network environment.
Step 2 Create Address Group -- Now create an address group named www_group and add the two internal server address objects you just created.
Step 3 Create Inbound NAT Rule for Group -- Now create a NAT rule to allow anyone attempting to access the VIP to get translated to the address group you just created, using Sticky IP as the NAT method. For an example see the screenshot below.
Note: Do not save the NAT rule just yet.
Step 4
Note: Before you go any further, check the logs and the status page to see if the resources have been detected and have been logged as online. If you do not see the two messages below (with your IP addresses), check the steps above.
Step 5 Create Outbound NAT Rule for LB Group -- Write a NAT rule to allow the internal servers to get translated to the VIP when accessing resources out the WAN interface.
Step 6 Create Firewall Rule for VIP -- Write a firewall rule to allow traffic from the outside to access the internal Web servers via the VIP.
Step 7 Test Your Work -- From a laptop outside the WAN, connect via HTTP to the VIP using a Web browser.
Note: If you wish to load balance one or more SSL-VPN Appliances, repeat steps 1-7, using HTTPS instead as the allowed service.
You can also check the Firewall > NAT Policies page and mouse-over the Statistics icon. If the policy is configured incorrectly you will not see any Rx or Tx Bytes; if it is working, you will see these increment with each successful external access of the load balanced resources.
CHAPTER 22
Chapter 22: Managing ARP Traffic

Network > ARP
ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet. ARP is a broadcast protocol that can create excessive amounts of network traffic on your network. To minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned ARP information.
address on any other interface. It will also remove any dynamically cached references to that MAC address that might have been present, and it will prohibit additional (non-unique) static mappings of that MAC address.
• Update IP Address Dynamically – The Update IP Address Dynamically setting in the Add Static ARP window is a sub-feature of the Bind MAC Address option. This allows for a MAC address to be bound to an interface when DHCP is being used to dynamically allocate IP addressing.
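A small model of the Bind MAC Address behaviour described above, written as an added example (it is not SonicOS code): a bound MAC is accepted only on its own interface, dynamic cache entries for that MAC are flushed when the binding is created, and a second static mapping of the same MAC is refused. The class and method names, the table layout, and the interface and address values are assumptions constructed for the example.

```python
"""Model of an ARP cache that enforces the Bind MAC Address rule described
above. Added example, not SonicOS code: the data layout and method names are
assumptions; the three rules implemented are the ones the text states."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    interface: str
    static: bool


class ArpCache:
    def __init__(self):
        self._entries = {}   # ip -> ArpEntry
        self._bound = {}     # mac -> interface the MAC is bound to

    def learn(self, ip, mac, interface):
        """Dynamic learning from a received ARP reply. A MAC bound to another
        interface is rejected, so the bound address cannot be claimed from
        the wrong side of the firewall; static entries are never overwritten."""
        mac = mac.lower()
        bound_to = self._bound.get(mac)
        if bound_to is not None and bound_to != interface:
            return False
        current = self._entries.get(ip)
        if current is not None and current.static:
            return False
        self._entries[ip] = ArpEntry(ip, mac, interface, static=False)
        return True

    def add_static(self, ip, mac, interface, bind_mac=False):
        """Static entry. With bind_mac=True the MAC is pinned to the interface,
        dynamic references to it are removed, and any further static mapping
        of the same MAC is refused as non-unique."""
        mac = mac.lower()
        if mac in self._bound:
            raise ValueError(f"{mac} is already bound; non-unique static mapping refused")
        self._entries[ip] = ArpEntry(ip, mac, interface, static=True)
        if bind_mac:
            self._bound[mac] = interface
            stale = [e.ip for e in self._entries.values()
                     if e.mac == mac and not e.static]
            for ip_to_drop in stale:
                del self._entries[ip_to_drop]

    def lookup(self, ip):
        e = self._entries.get(ip)
        return None if e is None else (e.mac, e.interface, e.static)

    def dynamic_count(self):
        return sum(1 for e in self._entries.values() if not e.static)


if __name__ == "__main__":
    # Constructed sample: a gateway MAC seen dynamically on two interfaces,
    # then bound to X2 as a published static entry.
    cache = ArpCache()
    cache.learn("192.168.50.20", "00:11:22:33:44:55", "X2")
    cache.learn("10.0.0.9", "00:11:22:33:44:55", "X0")
    cache.add_static("192.168.50.1", "00:11:22:33:44:55", "X2", bind_mac=True)
    print("dynamic entries left:", cache.dynamic_count())
    print("relearn on X0 accepted:", cache.learn("10.0.0.9", "00:11:22:33:44:55", "X0"))
```

The point for a defender is the last line of the demo: once the binding exists, an ARP reply carrying that MAC from a different interface is simply not cached, which is what stops a host on another segment from impersonating the bound device.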
To support the above configuration, first create a published static ARP entry for 192.168.50.1, the address which will serve as the gateway for the secondary subnet, and associate it with the DMZ/OPT interface. From the Network > ARP page, select the Add button in the Static ARP Entries section, and add the following entry: The entry will appear in the table as follows: Navigate to the Network > Routing page, and add a static route for the 192.168.50.
To allow the traffic to reach the 192.168.50.0/24 subnet, and to allow the 192.168.50.0/24 subnet to reach the hosts on the LAN, navigate to the Firewall > Access Rules page, and add the following Access Rule:
Navigating and Sorting the ARP Cache Table Entries
The ARP Cache table provides easy pagination for viewing a large number of ARP entries. You can navigate a large number of ARP entries listed in the ARP Cache table by using the navigation control bar located at the top right of the ARP Cache table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page.
CHAPTER 23
Chapter 23: Setting Up the DHCP Server

Network > DHCP Server
This chapter contains the following sections:
• “DHCP Server Options Overview” on page 278
• “DHCP Server Persistence Overview” on page 279
• “Enabling the DHCP Server” on page 280
• “DHCP Server Lease Scopes” on page 280
• “Configuring DHCP Server for Dynamic Ranges” on page 281
• “Configuring Static DHCP Entries” on page 283
• “Configuring SonicWALL DHCP Server Options” on page 285
• “Current DHCP Leases” on page 294
The SonicWALL security appliance includes a DHCP (Dynamic Host Configuration Protocol) server to distribute IP addresses, subnet masks, gateway addresses, and DNS server addresses to your network clients. The Network > DHCP Server page includes settings for configuring the SonicWALL security appliance’s DHCP server. You can use the SonicWALL security appliance’s DHCP server or use existing DHCP servers on your network.
clients on the network, it provides vendor-specific configuration and service information. The “DHCP Option Numbers” on page 294 provides a list of DHCP options by RFC-assigned option number.
Benefits
The SonicWALL DHCP server options feature provides a simple interface for selecting DHCP options by number or name, making the DHCP configuration process quick, easy, and compliant with RFC-defined DHCP standards.
How Does DHCP Server Persistence Work?
DHCP server persistence works by storing DHCP lease information periodically to flash memory. This ensures that users have predictable IP addresses and minimizes the risk of IP addressing conflicts after a reboot.
Enabling the DHCP Server
If you want to use the SonicWALL security appliance’s DHCP server, select Enable DHCP Server on the Network > DHCP Server page.
Configuring DHCP Server for Dynamic Ranges
To configure DHCP server for dynamic IP address ranges, follow these instructions:
Step 1 In the Network > DHCP Server page, at the bottom of the DHCP Server Lease Scopes table, click Add Dynamic. The Dynamic Ranges Configuration window is displayed.
General Settings
Step 2 In the General page, make sure Enable this DHCP Range is checked, if you want to enable this range.
Step 3 Select the interface from the Interface menu.
DNS/WINS Settings
Step 9 Click the DNS/WINS tab to continue configuring the DHCP Server feature.
Step 10 If you have a domain name for the DNS server, type it in the Domain Name field.
Step 11 Inherit DNS Settings Dynamically using SonicWALL’s DNS Settings automatically populates the DNS and WINS settings with the settings in the Network > DNS page. This option is selected by default.
VoIP Settings
Step 14 Click on the VoIP Settings tab. The VoIP Settings tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network.
Step 15 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses.
Step 16 Click OK to add the settings to the SonicWALL security appliance.
General Settings
Step 2 In the General tab, make sure Enable this DHCP Entry is checked, if you want to enable this entry.
Step 3 Select the interface from the Interface menu. The IP addresses are in the same private subnet as the selected interface.
Step 4 Enter a name for the static DHCP entry in the Entry Name field.
Step 5 Type the device IP address in the Static IP Address field.
Step 6 Type the device Ethernet (MAC) address in the Ethernet Address field.
VoIP Settings
Step 15 Click on the VoIP Settings tab. The VoIP Settings tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network.
Step 16 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses.
Step 17 Click OK to add the settings to the SonicWALL.
Step 18 Click Apply for the settings to take effect on the SonicWALL.
Configuring DHCP Option Objects
To configure DHCP option objects, perform the following steps:
Step 1 In the left-hand navigation panel, navigate to Network > DHCP Server.
Step 2 Under DHCP Server Lease Scopes, click the Option Objects button. The Option Objects page displays.
Step 3 Click the Add Option button. The Add DHCP Option Objects page displays.
Step 4 Type a name for the option in the Option Name field.
Step 5 From the Option Number drop-down list, select the option number that corresponds to your DHCP option. For a list of option numbers and names, refer to “DHCP Option Numbers” on page 294.
Step 6 Optionally check the Option Array box to allow entry of multiple option values in the Option Value field.
Step 7 The option type displays in the Option Type drop-down menu. If only one option type is available, for example, for Option Number 2 (Time Offset), the drop-down menu will be greyed out. If there are multiple option types available, for example, for Option Number 77 (User Class Information), the drop-down menu will be functional.
Step 8 Type the option value, for example, an IP address, in the Option Value field.
Configuring DHCP Option Groups
To configure DHCP option groups, perform the following steps:
Step 1 In the left-hand navigation panel, navigate to Network > DHCP Server.
Step 2 Under DHCP Server Lease Scopes, click Option Groups. The Option Groups page displays.
Step 3 Click the Add Group button. The Add DHCP Option Group page displays.
Step 4 Enter a name for the group in the Name field.
Step 5 Select an option object from the left column and click the -> button to add it to the group. To select multiple option objects at the same time, hold the Ctrl key while selecting the option objects.
Step 6 Click OK. The group displays in the Option Groups list.
Configuring DHCP Generic Options for DHCP Lease Scopes
Note: Before generic options for a DHCP lease scope can be configured, a static or dynamic DHCP server lease scope must be created.
To configure DHCP generic options for DHCP server lease scopes, perform the following tasks:
Step 1 If modifying an existing DHCP lease scope, locate the lease scope under DHCP Server Lease Scopes on the Network > DHCP Server page and click the configure icon, then click the Advanced tab.
Step 2 Select a DHCP option or option group in the DHCP Generic Option Group drop-down menu.
Step 3 To always use DHCP options for this DHCP server lease scope, check the box next to Send Generic options always.
Step 4 Click OK.
Current DHCP Leases
The current DHCP lease information is displayed in the Current DHCP Leases table. Each binding entry displays the IP Address, the Ethernet Address, and the Type of binding (Dynamic, Dynamic BOOTP, or Static BOOTP). To delete a binding, which frees the IP address on the DHCP server, click the Delete icon next to the entry. For example, use the Delete icon to remove a host when it has been removed from the network, and you need to reuse its IP address.
Option Number | Name | Description
23 | Default IP TTL | Default IP time-to-live
24 | Path MTU Aging Timeout | Path MTU aging timeout
25 | MTU Plateau | Path MTU plateau table
26 | Interface MTU Size | Interface MTU size
27 | All Subnets Are Local | All subnets are local
28 | Broadcast Address | Broadcast address
29 | Perform Mask Discovery | Perform mask discovery
30 | Provide Mask to Others | Provide mask to others
31 | Perform Router Discovery | Perform router discovery
32 | Router Solicitation
55 | Parameter Request List | Parameter request list
56 | Message | DHCP error message
57 | DHCP Maximum Message Size | DHCP maximum message size
58 | Renew Time Value | DHCP renewal (T1) time
59 | Rebinding Time Value | DHCP rebinding (T2) time
60 | Client Identifier | Client identifier
61 | Client Identifier | Client identifier
62 | Netware/IP Domain Name | Netware/IP domain name
63 | Netware/IP sub Options | Netware/IP sub options
64 | NIS+ V3 Client Domai
84 | Undefined | N/A
85 | Novell Directory Servers | Novell Directory Services servers
86 | Novell Directory Server Tree Name | Novell Directory Services server tree name
87 | Novell Directory Server Context | Novell Directory Services server context
88 | BCMCS Controller Domain Name List | BCMCS controller domain name list
89 | BCMCS Controller IPv4 Address List | BCMCS controller IPv4 address list
90 | Authentication | Authentication
91 | Undefined | N/A
92 | U
115 | Undefined | N/A
116 | Auto Configure | DHCP auto-configuration
117 | Name Service Search | Name service search
118 | Subnet Collection | Subnet selection
119 | DNS Domain Search List | DNS domain search list
120 | SIP Servers DHCP Option | SIP servers DHCP option
121 | Classless Static Route Option | Classless static route option
122 | CCC, CableLabs Client Configuration | CableLabs client configuration
123 | GeoConf | GeoConf
124 | Vendor-Identifying
147 | Undefined | N/A
148 | Undefined | N/A
149 | Undefined | N/A
150 | TFTP Server Address, Etherboot, GRUB Config | TFTP server address, Etherboot, GRUB configuration
151 | Undefined |
152–164 | Undefined | N/A
16
183–203 | Undefined | N/A
204 | Undef
220 | Subnet Allocation | Subnet allocation
221 | Virtual Subnet Allocation | Virtual subnet selection
222 | Undefined | N/A
223 | Undefined | N/A
224–233 | Private Use | Private use
234
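An option object as configured in the steps above (option number, option type, optional array, value) is ultimately a type-length-value record in the DHCP options field (RFC 2132). The following Python, an added example and not SonicOS code, encodes a few options that way and parses them back: option 2 (Time Offset, a signed 32-bit value, as cited in the steps), option 121 (Classless Static Route from the table, whose variable-length route format follows RFC 3442), and, as standard RFC 2132 options not shown in this excerpt, option 6 (DNS servers as an IPv4 array) and option 15 (Domain Name as a string). The type names used for the `kind` parameter and all sample values are assumptions constructed for the example.

```python
"""Encode and decode DHCP options in RFC 2132 type-length-value form.

Added example, not SonicOS code. The 'kind' labels (int32, string, ip,
routes) are this example's own; SonicOS's Option Type names are not given
on the page. Option 121 follows RFC 3442: one octet of prefix length, only
the significant octets of the destination, then the 4-octet router.
"""
import ipaddress
import struct

END, PAD = 255, 0


def _encode_route(network, router):
    net = ipaddress.IPv4Network(network)
    significant = (net.prefixlen + 7) // 8          # octets actually needed
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(router).packed)


def encode_option(code, values, kind):
    """Build code|length|payload. 'values' is a list when the option is an
    array (the Option Array checkbox); a single value is also accepted."""
    if not isinstance(values, list):
        values = [values]
    if kind == "int32":
        payload = b"".join(struct.pack("!i", v) for v in values)
    elif kind == "string":
        payload = "".join(values).encode("ascii")
    elif kind == "ip":
        payload = b"".join(ipaddress.IPv4Address(v).packed for v in values)
    elif kind == "routes":
        payload = b"".join(_encode_route(n, r) for n, r in values)
    else:
        raise ValueError(f"unknown option kind {kind!r}")
    if len(payload) > 255:
        # A single option carries at most 255 bytes; longer payloads need the
        # RFC 3396 splitting procedure, which this example does not implement.
        raise ValueError("option payload exceeds 255 bytes")
    return bytes([code, len(payload)]) + payload


def decode_routes(payload):
    """Inverse of the option 121 encoding: list of (network/prefix, router)."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        significant = (plen + 7) // 8
        net_bytes = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        router = payload[i:i + 4]
        i += 4
        routes.append((f"{ipaddress.IPv4Address(net_bytes)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
    return routes


def parse_options(blob):
    """Walk a TLV options field into {code: payload}, skipping PAD and
    stopping at END. Length is honoured even when a payload is truncated."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        length = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


if __name__ == "__main__":
    # Constructed sample values for a lease scope handing out two DNS
    # servers and two classless routes.
    field = (encode_option(2, -18000, "int32")
             + encode_option(6, ["10.0.0.1", "10.0.0.2"], "ip")
             + encode_option(121, [("10.20.0.0/16", "192.168.1.254"),
                                   ("0.0.0.0/0", "192.168.1.1")], "routes")
             + bytes([END]))
    parsed = parse_options(field)
    print({code: payload.hex() for code, payload in parsed.items()})
    print(decode_routes(parsed[121]))
```

The decoder is deliberately length-driven rather than trusting the content, which is the property a DHCP client or relay needs when it parses options from an untrusted server on the segment.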
CHAPTER 24
Chapter 24: Using IP Helper

Network > IP Helper
The IP Helper allows the SonicWALL security appliance to forward DHCP requests originating from the interfaces on a SonicWALL security appliance to a centralized DHCP server on behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself.
• Enable NetBIOS Support – enables NetBIOS broadcast forwarding with the DHCP requests. NetBIOS is required to allow Windows operating systems to browse for resources on a network.
IP Helper Policies
IP Helper Policies allow you to forward DHCP and NetBIOS broadcasts from one interface to another interface.
Adding an IP Helper Policy
Step 1 Click the Add button under the IP Helper Policies table. The Add IP Helper Policy window is displayed.
CHAPTER 25
Chapter 25: Setting Up Web Proxy Forwarding

Network > Web Proxy
A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests.
To configure a proxy Web server, select the Network > Web Proxy page.
Step 1 Connect your Web proxy server to a hub, and connect the hub to the SonicWALL security appliance WAN port.
Step 2 Type the name or IP address of the proxy server in the Proxy Web Server (name or IP address) field.
Step 3 Type the proxy IP port in the Proxy Web Server Port field.
Step 4 To bypass the Proxy Servers if a failure occurs, select the Bypass Proxy Servers Upon Proxy Server Failure check box.
CHAPTER 26
Chapter 26: Configuring Dynamic DNS

Network > Dynamic DNS
Dynamic DNS (DDNS) is a service provided by various companies and organizations that allows dynamically changing IP addresses to automatically update DNS records without manual intervention. This service allows for network access using domain names rather than IP addresses, even when the target’s IP addresses change.
• Dyndns.org http://www.dyndns.org – SonicOS requires a username, password, Mail Exchanger, and Backup MX to configure DDNS from Dyndns.org.
• Changeip.com http://www.changeip.com – A single, traditional Dynamic DNS service requiring only username, password, and domain name for SonicOS configuration.
• No-ip.com http://www.no-ip.com – Dynamic DNS service requiring only username, password, and domain name for SonicOS configuration. Also supports hostname grouping.
• Yi.
To configure Dynamic DNS on the SonicWALL security appliance, perform these steps:
Step 1 From the Network > Dynamic DNS page, click the Add button. The Add DDNS Profile window is displayed.
Step 2 If Enable this DDNS Profile is checked, the profile is administratively enabled, and the SonicWALL security appliance takes the actions defined in the Online Settings section on the Advanced tab.
Step 3 If Use Online Settings is checked, the profile is administratively online.
– Static – A free DNS service for static IP addresses.
Step 9 When using DynDNS.org, you may optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Backup MX if this is the backup mail exchanger.
Step 10 Click the Advanced tab. You can typically leave the default settings on this page.
Step 11 The On-line Settings section provides control over what address is registered with the dynamic DNS provider.
Dynamic DNS Settings Table
The Dynamic DNS Settings table provides a table view of configured DDNS profiles. The Dynamic DNS Settings table includes the following columns:
• Profile Name – The name assigned to the DDNS entry during its creation. This can be any value, and is used only for identification.
• Domain – The fully qualified domain name (FQDN) of the DDNS entry.
• Provider – The DDNS provider with whom the entry is registered.
• Online – When selected, this profile is administratively online. The setting can also be controlled using the Use Online Settings checkbox on the entry's Profile tab. Deselecting this checkbox while the profile is enabled will take the profile offline, and the SonicWALL will take the Offline Settings action that is configured on the Advanced tab.
PART 4 Wireless • SONICWALL SONICOS ENHANCED 4.
CHAPTER 27
Chapter 27: Viewing WLAN Settings, Statistics, and Station Status

Wireless Overview
The SonicWALL Wireless security appliances support two wireless protocols called IEEE 802.11b and 802.11g, commonly known as Wi-Fi, and send data via radio transmissions.
• VPN tunnel
Considerations for Using Wireless Connections
• Mobility – if the majority of your network is laptop computers, wireless is more portable than wired connections.
• Convenience – wireless networks do not require cabling of individual computers or opening computer cases to install network cards.
• Speed – if network speed is important to you, you may want to consider using Ethernet connections rather than wireless connections.
• Try to place the wireless security appliance in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
• Building construction can make a difference on wireless performance. Avoid placing the wireless security appliance near walls, fireplaces, or other large solid objects.
WiFiSec uses the easy provisioning capabilities of the SonicWALL Global VPN Client, making it easy for experienced and inexperienced administrators to implement on the network. The level of interaction between the Global VPN Client and the user depends on the WiFiSec options selected by the administrator. WiFiSec IPsec terminates on the WLAN/LAN port, and is configured using the Group VPN Security Policy, including non-editable parameters specifically for wireless access.
WLAN Settings
The WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table are hyperlinks to their respective pages for configuration. Enabled features are displayed in green, and disabled features are displayed in red. Click on a setting to go to the page in the Management Interface where you can configure that setting.
WLAN Settings | Value
Radio Mode | Current power level of the radio signal transmission

WLAN Statistics
The WLAN Statistics table lists all of the traffic sent and received through the WLAN. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic.

Wireless Statistics | Rx/Tx
Good Packets | Number of allowed packets received and transmitted.
Station Status
The Station Status table displays information about wireless connections associated with the wireless security appliance.
• Station – the name of the connection used by the MAC address
• MAC Address – the wireless network card MAC address
• Authenticated – status of 802.11b authentication
• Associated – status of 802.
CHAPTER 28
Chapter 28: Configuring Wireless Settings

Wireless > Settings
The Wireless > Settings page allows you to configure your wireless settings. On the Wireless > Settings page, you can enable or disable the WLAN port by selecting or clearing the Enable WLAN checkbox.
Wireless Radio Mode
Select either Access Point to configure the SonicWALL as the default gateway on your network, or select Wireless Bridge from the Radio Role menu to configure the SonicWALL to act as an intermediary wireless device.
Wireless Settings
Enable WLAN Radio: Check this checkbox to turn the radio on, and enable wireless networking. Click Apply in the top right corner of the management interface to have this setting take effect.
Schedule: The schedule determines when the radio is on to send and receive data. The default value is Always on. The Schedule list displays the schedule objects you create and manage in the System > Schedule page.
mode. Operating in Wireless Bridge mode, the wireless security appliance connects to another wireless security appliance acting as an access point, and allows communications between the connected networks via the wireless bridge. Secure Wireless Bridging employs a WiFiSec VPN policy, providing security to all communications between the wireless networks. Previous bridging solutions offered no encryption, or at best, WEP encryption.
Configuring a Secure Wireless Bridge
When switching from Access Point mode to Wireless Bridge mode, all clients are disconnected, and the navigation panel on the left changes to reflect the new mode of operation. To configure a secure wireless bridge, follow these steps:
Step 1 Click Wireless, then Settings.
Step 2 In the Wireless Radio Mode section, select Wireless Bridge from the Radio Role menu. The wireless security appliance updates the interface.
For example, in the previous network diagram, the wireless security appliances are configured as follows:
• The SSID on all three wireless security appliances is set to “myWLAN”.
• WLAN addressing for all the wireless security appliances connected via Wireless Bridge must place the WLAN interfaces on the same subnet: 172.16.31.1 for TZ 170 Wireless1, 172.16.31.2 for TZ 170 Wireless2, and 172.16.31.3 for TZ 170 Wireless3.
• Static routes must be entered on the Access Point TZ 170 Wireless to route back to the LAN subnets of the Bridge Mode TZ 170 Wireless units. Referring to the example network, TZ 170 Wireless1 must have static routes to 10.20.20.0/24 via 172.16.31.2 and to 10.30.30.0/24 via 172.16.31.3.

Configuring VPN Policies for the Access Point and Wireless Bridge

Access Point Configuration

After Wireless Settings are defined, the WiFiSec connections (VPN Policies) must be configured.
• One policy to the Site_B address object at 10.30.30.0:
Configuration for VPN Policies

Step 1 Click Network.
Step 2 Under Local Networks, select Choose local network from list and select LAN Interface IP.
Step 3 Under Destination Networks, select Choose destination network from list and select or create an address object for the destination (Site_A - 10.20.20.0 or Site_B - 10.30.30.0 in the example).
Step 4 Click Advanced.
Step 5 Select Enable Keep Alive.
Step 6 Select Enable Windows Networking (NetBIOS) Broadcast.
Wireless Bridge VPN Policy Configuration

The Wireless Bridge VPN Policy is configured as follows:
Step 1 Click VPN, then Configure.
Step 2 Select IKE using Preshared Secret from the IPsec Keying Mode menu.
Step 3 Enter a name for the SA in the Name field.
Step 4 Type the IP address of the Access Point in the IPsec Gateway field. In our example network, the IP address is 172.16.31.1.
Chapter 29: Configuring WEP and WPA Security

Wireless > WEP/WPA Security

Note: When the SonicWALL wireless security appliance is configured in Access Point mode, this page is called Security. When the appliance is configured in Wireless Bridge mode, this page is called WEP Encryption.

Wired Equivalent Privacy (WEP) can be used to protect data as it is transmitted over the wireless network, but it provides no protection past the SonicWALL. WEP's RC4-based keying is also cryptographically broken: an attacker who passively captures enough traffic can recover the key, so WEP should be enabled only where legacy clients leave no alternative, and WPA2 used everywhere else.
Authentication Overview

Below is a list of available authentication types with descriptive features and uses for each:

WEP
• Lower security (the key can be recovered by a passive attacker)
• For use with older legacy devices, PDAs, wireless printers

WPA
• Good security (uses TKIP, a per-packet keying and integrity wrapper around the RC4 cipher; acceptable only for clients that cannot do WPA2)
• For use with trusted corporate wireless clients
• Transparent authentication with Windows log-in
• No client software needed in most cases

WPA2
• Best security (uses AES)
• For use with trusted corporate wireless clients
• Transpar
WEP Encryption Keys

Step 1 Select the key number, 1, 2, 3, or 4, from the Default Key menu.
Step 2 Select the key type to be either Alphanumeric or Hexadecimal. The required key length depends on the WEP mode:

Key type        WEP - 64-bit                  WEP - 128-bit
Alphanumeric    5 characters (0-9, A-Z)       13 characters (0-9, A-Z)
Hexadecimal     10 characters (0-9, A-F)      26 characters (0-9, A-F)

(The stated bit length includes the 24-bit IV; the secret key itself is 40 or 104 bits, that is 5 or 13 bytes.)

Step 3 Type your keys into each field.
Step 4 Click Apply.
WPA Settings

• Cypher Type: select TKIP. Temporal Key Integrity Protocol (TKIP) derives a fresh key for every packet and adds a message integrity check on top of the RC4 cipher.
• Group Key Update: Specifies when the wireless security appliance updates the group key. Select By Timeout to generate a new group key after an interval specified in seconds. Select By Packet to generate a new group key after a specific number of packets. Select Disabled to use a static key.
• Radius Server 2 IP and Port: Enter the IP address and port number for your secondary RADIUS server, if you have one.
• Radius Server 2 Secret: Enter the shared secret for the secondary RADIUS server.
Click Apply in the top right corner to apply your WPA settings.

WPA/WPA2 Encryption Settings

Like WPA, WPA2 supports two protocols for storing and generating keys:
• Pre-Shared Key (PSK): PSK allows WPA2 to generate keys from a pre-shared passphrase that you configure.
Preshared Key Settings (PSK)

• Passphrase: Enter the passphrase from which the key is generated. The passphrase is 8 to 63 ASCII characters. Anyone who captures one client's association handshake can test guesses against it offline, so use a long random passphrase rather than a dictionary word.
Click Apply in the top right corner to apply your WPA2 settings.

WPA2-EAP Settings

Encryption Mode: In the Authentication Type field, select WPA-EAP.

WPA Settings

• Cypher Type: select AES. The Advanced Encryption Standard (AES) block cipher, used in CCMP mode, provides both confidentiality and per-packet integrity for WPA2.
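The PSK derivation the two sections above refer to, as an added example that is not part of the original guide or of SonicOS: the passphrase and SSID are run through PBKDF2-HMAC-SHA1 (4096 iterations, 32-byte output) exactly as IEEE 802.11i specifies, and a second function shows why passphrase strength matters, by testing a constructed wordlist against a captured key the way an offline attacker would. The test vector (passphrase "password", SSID "IEEE") is the one published in the 802.11i standard; the wordlist is constructed for this example.

```python
import hashlib
import hmac

# IEEE 802.11i derivation of the Pairwise Master Key from a passphrase:
# PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations, 256-bit output.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK that a WPA/WPA2-PSK client and AP both compute."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not passphrase.isascii():
        raise ValueError("WPA passphrase must be ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def recover_passphrase(target_pmk: bytes, ssid: str, wordlist):
    """Offline dictionary attack against a PMK.

    An attacker who records one client's 4-way handshake can check each
    candidate PMK against the handshake MIC without talking to the AP, so
    only passphrase entropy limits this loop. Returns the match or None.
    """
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63 or not candidate.isascii():
            continue  # not a legal WPA passphrase, skip without hashing
        if hmac.compare_digest(derive_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


# Constructed wordlist for the demonstration below; not real captured data.
DEMO_WORDLIST = ["letmein1", "short", "Password1", "password", "corpwifi2008"]

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")  # IEEE 802.11i Annex H test vector
    print("PMK:", pmk.hex())
    print("recovered:", recover_passphrase(pmk, "IEEE", DEMO_WORDLIST))
```

Because the SSID is the only salt, an attacker can precompute PMKs for common SSIDs; a non-default SSID and a long random passphrase are the two settings that make this loop expensive.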
Chapter 30: Configuring Advanced Wireless Settings

Wireless > Advanced

To access Advanced configuration settings for the SonicWALL wireless security appliance, log into the SonicWALL, click Wireless, and then Advanced. The Wireless > Advanced page is only available when the SonicWALL is acting as an access point.
Beaconing & SSID Controls

1. Select Hide SSID in Beacon. Suppresses broadcasting of the SSID name and disables responses to probe requests. Checking this option keeps the SSID out of casual scans by unauthorized wireless clients, but it is not a security control: the SSID is still sent in cleartext in the probe and association frames of legitimate clients, so anyone with a wireless sniffer can learn it. Rely on WPA2 authentication, not on hiding the SSID.
2. Type a value in milliseconds for the Beacon Interval. Decreasing the interval time makes passive scanning more reliable and faster because Beacon frames announce the network to the wireless connection more frequently.
• 2: Select 2 to restrict the wireless security appliance to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the power supply. You can disconnect antenna 1 when using only antenna 2.
Advanced Radio Settings

The following other advanced settings can be configured.
Step 1 Enable Short Slot Time: Select Enable Short Slot Time to increase performance if you only expect 802.11g traffic. 802.11b is not compatible with short slot time.
Step 2 Select High from the Transmit Power menu to send the strongest signal on the WLAN. For example, select High if the signal is going from building to building.
overlapping SonicPoints. However, it can slow down performance. Auto is probably the best setting, as it will engage only in the case of overlapping SonicPoints.
Step 11 Protection Rate: The protection rate determines the data rate when protection is on. The slowest rate offers the greatest degree of protection but the slowest data transmission rate. Choose 1 Mbps, 2 Mbps, 5.5 Mbps, or 11 Mbps (the 802.11b rates).
Chapter 31: Configuring MAC Filter List

Wireless > MAC Filter List

Wireless networking provides native MAC filtering capabilities, which prevent wireless clients whose MAC addresses are not allowed from authenticating and associating with the wireless security appliance. If you enforce MAC filtering on the WLAN, wireless clients must provide you with the MAC address of their wireless networking card. Note that MAC filtering is an administrative control, not an authentication mechanism: MAC addresses are transmitted in the clear and a wireless card's address can be changed in software, so an attacker who observes an allowed client can impersonate it. Use MAC filtering alongside WPA2, never instead of it. To set up your MAC Filter List, log into the SonicWALL, and click Wireless, then MAC Filter List.
The items in the list are address object groups, defined groups of objects that represent specific IP addresses or ranges of addresses that can be used throughout the management interface to specify network resources. An address object group can contain other address object groups. The Allow List and Deny List are also address object groups.
Chapter 32: Configuring Wireless IDS

Wireless > IDS

Wireless Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWALL wireless security appliances by enabling them to recognize and even take countermeasures against the most common types of illicit wireless activity. WIDS consists of three types of services, namely, Sequence Number Analysis, Association Flood Detection, and Rogue Access Point Detection.
Access Point IDS

When the Radio Role of the wireless security appliance is set to Access Point mode, all three types of WIDS services are available, but Rogue Access Point detection, by default, acts in a passive mode (passively listening to other Access Point Beacon frames only on the selected channel of operation).
Enable Association Flood Detection is selected by default. The Association Flood Threshold is set to 5 Association attempts within 5 seconds by default.

Intrusion Detection Settings

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network.
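The association flood threshold above (5 attempts within 5 seconds) is a sliding-window count per client MAC. The following is an added example, not part of the original guide or of SonicOS, that implements that semantics and runs it over a constructed log of management frames; the "timestamp mac frame-type" line format and the sample MAC addresses are assumptions for the example, and the log must be time-ordered per MAC.

```python
from collections import defaultdict, deque

# Defaults stated on the page: 5 association attempts within 5 seconds.
DEFAULT_THRESHOLD = 5
DEFAULT_WINDOW_SECONDS = 5.0


class AssociationFloodDetector:
    """Sliding-window counter of association requests per client MAC."""

    def __init__(self, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._attempts = defaultdict(deque)  # mac -> timestamps still in window
        self.flagged = set()                 # MACs that tripped the threshold

    def observe(self, timestamp: float, mac: str) -> bool:
        """Record one association request; return True if it trips the threshold."""
        mac = mac.lower()
        window = self._attempts[mac]
        window.append(timestamp)
        # Discard attempts older than the window, measured from the newest one.
        while window and timestamp - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold:
            self.flagged.add(mac)
            return True
        return False


def parse_assoc_log(lines):
    """Yield (timestamp, mac) for association requests in constructed
    'timestamp mac frame_type' lines; other frame types are ignored."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash the detector
        ts, mac, frame_type = parts
        if frame_type == "assoc_req":
            yield float(ts), mac


def detect_floods(lines, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW_SECONDS):
    """Return the sorted list of MACs that exceeded the threshold in the log."""
    detector = AssociationFloodDetector(threshold, window)
    for ts, mac in parse_assoc_log(lines):
        detector.observe(ts, mac)
    return sorted(detector.flagged)


# Constructed sample: one client hammers the AP, one reconnects slowly.
SAMPLE_LOG = [
    "100.0 00:11:22:33:44:55 assoc_req",
    "100.0 aa:bb:cc:dd:ee:ff assoc_req",
    "100.2 aa:bb:cc:dd:ee:ff probe_req",
    "100.5 00:11:22:33:44:55 assoc_req",
    "101.0 00:11:22:33:44:55 assoc_req",
    "101.5 00:11:22:33:44:55 assoc_req",
    "102.0 00:11:22:33:44:55 assoc_req",  # fifth attempt in 2 s: flood
    "103.0 aa:bb:cc:dd:ee:ff assoc_req",
    "106.0 aa:bb:cc:dd:ee:ff assoc_req",
    "109.0 aa:bb:cc:dd:ee:ff assoc_req",
    "112.0 aa:bb:cc:dd:ee:ff assoc_req",  # five attempts, but spread over 12 s
]

if __name__ == "__main__":
    print("flooding clients:", detect_floods(SAMPLE_LOG))
```

A real flood usually comes from many spoofed source MACs rather than one, so a production detector also keeps a global counter across all MACs; the per-MAC window is the one the page's threshold describes.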
Scanning for Access Points

Active scanning occurs when the wireless security appliance starts up, and at any time Scan Now is clicked at the bottom of the Discovered Access Points table. When the wireless security appliance is operating in a Bridge Mode, the Scan Now feature does not cause any interruption to the bridged connectivity.
Chapter 33: Configuring Virtual Access Points

Wireless > Virtual Access Point

This chapter describes the Virtual Access Point feature and includes the following sections:
• “SonicPoint VAP Overview” section on page 352
– “What Is a Virtual Access Point?” section on page 352
– “What Is an SSID?” section on page 352
– “Wireless Roaming with ESSID” section on page 353
– “What Is a BSSID?” section on page 353
– “Benefits of Using Virtual APs” section on page 353
• “Virtual AP Configuration Task
SonicPoint VAP Overview

This section provides an introduction to the Virtual Access Point feature.
Wireless Roaming with ESSID

An ESSID (Extended Service Set IDentifier) is a collection of Access Points (or Virtual Access Points) sharing the same SSID. A typical wireless network comprises more than one AP for the purpose of covering geographic areas larger than can be serviced by a single AP.
• “Virtual Access Points” section on page 363
• “Virtual Access Point Groups” section on page 364

VAP Configuration Overview

The following are required areas of configuration for VAP deployment. This sequence of steps is designed specifically to honor dependencies, provide configuration task efficiency, and minimize the total number of required steps for VAP configuration.
1. Zone - The Zone is the backbone of your VAP configuration.
A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface.
General

Feature / Description
Name: Create a name for your custom Zone.
Security Type: Select Wireless in order to enable and access wireless security options.
Allow Interface Trust: Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Wireless Guest Services (WGS).
Wireless

Feature / Description
Only allow traffic generated by a SonicPoint: Restricts traffic on this zone to SonicPoint-generated traffic only.
SSL-VPN Enforcement: Redirects all traffic entering the Wireless Zone to a defined SonicWALL SSL-VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL-VPN, using, for example, NetExtender to tunnel all traffic.
Guest Services

The Enable Wireless Guest Services option allows the following guest services to be applied to a zone:

Feature / Description
Enable inter-guest communication: Allows guests connecting to SonicPoints in this Wireless Zone to communicate directly and wirelessly with each other.
Feature / Description
Redirect SMTP traffic to: Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
Deny Networks: Blocks traffic from the networks you specify. Select the subnet, address group, or IP address to block traffic from.
Pass Networks: Automatically allows traffic through the Wireless Zone from the networks you select.
• Subnet Name: The name of the interface.
• IP Address: The first IP address in the subnet. Make sure that the IP address subnet does not conflict with another address range.
• Subnet Mask: 255.255.255.0 is the default.
• SonicPoint Limit: The maximum number of allowed SonicPoints is configured automatically.
• Comment: Optionally enter a comment about the subnet.
Virtual Access Point Profiles

A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allow settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are created by clicking the Add... button in the Virtual Access Point Profiles section of the Wireless > Virtual Access Point page.
Feature / Description
Multicast Cipher: The multicast cipher will be automatically chosen based on the authentication type.
Maximum Clients: Choose the maximum number of concurrent client connections permissible for this virtual access point.

WPA-PSK / WPA2-PSK Encryption Settings

Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.
Virtual Access Points

Virtual Access Points are configured from the Wireless > Virtual Access Point page by clicking the Add... button in the Virtual Access Points section.

General VAP Settings

Feature / Description
SSID: Create a friendly name for your VAP.
Subnet name: Select the WLAN subnet that will be used for this VAP. The WLAN subnet must be created on the Network > Interfaces page before you can create the VAP.
Enable Virtual Access Point: Enables this VAP.
Virtual Access Point Groups

The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to the integrated wireless radio of the SonicWALL security appliance. Virtual Access Point Groups are configured from the Wireless > Virtual Access Point page. After you have created your VAPs, you must add them to the VAP group.
Step 1 Click the Configure icon next to the Virtual Access Point group, which is named Internal AP Group by default.
Thinking Critically About VAPs

This section provides content to help determine what your VAP requirements are and how to apply these requirements to a useful VAP configuration.
Determining Security Configurations

Understanding these requirements, you can then define the Zones (and interfaces) and VAPs that will provide wireless services to these users:
• Corp Wireless – Highly trusted wireless Zone. Employs WPA2-AUTO-EAP security. WiFiSec (WPA) Enforced.
• WEP & PSK – Moderate trust wireless Zone. Comprises two virtual APs and sub-interfaces, one for legacy WEP devices (e.g.
Questions: How many different types of users will I need to support? How many users will each VAP need to support?
Examples: Corporate wireless, guest access, visiting partners, and wireless devices are all common user types, each requiring their own VAP.
Solutions: Plan out the number of different VAPs needed.
Your Configurations:
Questions: What security services do I wish to apply to my users?
Examples: Corporate users who you want protected by the full SonicWALL security suite. Guest users who have no LAN access.
Solutions: Enable all SonicWALL security services. Disable all SonicWALL security services.
Your Configurations:

SonicOS Enhanced 4.0 Administrator Guide
Part 5: WWAN
Chapter 34: Configuring Wireless WAN (TZ 190 only)

WWAN

This chapter describes how to configure the Wireless WAN interface on the SonicWALL TZ 190 appliance.
• Primary WAN connection where wire-based connections are not available and 3G Cellular is.

Wireless Wide Area Networks provide untethered remote network access through the use of mobile or cellular data networks. While legacy cellular networks, such as GSM, were only able to provide data rates of about 14 Kbps, today's emerging WWAN technologies (such as UMTS and HSDPA) provide theoretical data rates of up to 10 Mbps, rivaling many wired technologies.
Understanding WWAN Failover

When the WAN Connection Model is set to Ethernet with WWAN Failover, the WAN (Ethernet) interface is the primary connection. If the WAN interface fails, the SonicWALL TZ 190 fails over to the WWAN interface.

Note: The WAN-to-WWAN failover process differs for the three WWAN Connection Profile dial types: Persistent, Dial on Data, and Manual Dial.
If a secondary Ethernet WAN (the OPT port) is configured, the TZ 190 will first fail over to the secondary Ethernet WAN before failing over to the WWAN. In this situation, WWAN failover will only occur when both the WAN and OPT paths are unavailable.
Caution: It is not recommended to configure a policy-based route that uses the WWAN connection when the WAN Connection Model is set for Ethernet with WWAN Failover. If a policy-based route is configured to use the WWAN connection, the connection will remain up until the Maximum Connection Time (if configured) is reached.
Wireless WAN PC Card Support

To use the wireless WAN interface you must have a wireless WAN PC card and a contract with a wireless service provider. Because both GSM and CDMA provide virtually the same performance, a WWAN service provider should be selected based primarily on the availability of supported hardware.
Viewing the WWAN Status

The WWAN > Status page displays the current status of WWAN on the SonicWALL TZ 190. It indicates the status of the WWAN connection, the current active WAN interface, or the current backup WAN interface. It also displays IP address information, DNS server addresses, the current active dial-up profile, and the current signal strength.
• “Management/User Login” on page 379
• “WWAN Probe Settings” on page 379

Connect on Data

The Connect on Data Categories settings allow you to configure the WWAN interface to automatically connect to the WWAN service provider when the SonicWALL TZ 190 detects specific types of traffic.
Management/User Login

The Management/User Login section must be configured to enable remote management of the SonicWALL TZ 190 appliance over the WWAN interface. You can select any of the supported management protocols: HTTPS, Ping, and/or SNMP. You can also select HTTP for management traffic. However, bear in mind that HTTP sends the administrator's credentials and session in cleartext across the cellular link, so HTTPS should be used for management wherever possible.
Configuring WWAN Advanced Settings

The WWAN > Advanced page is used to configure the Remotely Triggered Dial-Out feature on the SonicWALL TZ 190. The Remotely Triggered Dial-Out feature enables network administrators to remotely initiate a WWAN connection from a SonicWALL TZ 190.

Configuring Remotely Triggered Dial-Out

Before configuring the Remotely Triggered Dial-Out feature, ensure that your configuration meets the following prerequisites:
• The WWAN profile is configured for dial-on-data.
Configuring WWAN Connection Profiles

Use the WWAN > Connection Profiles page to configure WWAN connection profiles and set the primary and alternate profiles. Select the Primary WWAN connection profile in the Primary Profile pulldown menu. Optionally, you can select up to two alternate WWAN profiles. To create a WWAN connection profile, perform the following steps:
1. On the WWAN > Connection Profiles page, click on the Add button. The WWAN Profile Configuration window displays.
2.
3. Select the Service Provider that you have created an account with. Note that only service providers supported in the country you selected are displayed.
4. In the Plan Type window, select the WWAN plan you have subscribed to with the service provider. If your specific plan type is listed in the pulldown menu, the rest of the fields in the General tab are automatically provisioned. Verify that these fields are correct and click on the Parameters tab.
5.
13. Select the Enable Inactivity Disconnect (minutes) checkbox and enter a number in the field to have the WWAN connection disconnected after the specified number of minutes of inactivity. Note that this option is not available if the Dial Type is Persistent Connection.
14. Select the Enable Max Connection Time (minutes) checkbox and enter a number in the field to have the WWAN connection disconnected after the specified number of minutes, regardless of whether the session is inactive or not.
19. Click on the Data Limiting tab.
Tip: If your WWAN account has a monthly data or time limit, it is strongly recommended that you enable Data Usage Limiting.
20. Select the Enable Data Usage Limiting checkbox to have the WWAN interface become automatically disabled when the specified data or time limit has been reached for the month.
21. Select the day of the month to start tracking the monthly data or time usage in the Billing Cycle Start Date pulldown menu.
22.
To disconnect a WWAN connection, click on the Manage button. The WWAN Connection window displays. Click Disconnect. See “Configuring the Wireless WAN Interface” on page 152 for more information.

Specifying the WAN Connection Model

To configure the WAN connection model, navigate to the Network > Interfaces page and select one of the following options in the WAN Connection Model pulldown menu:
• WWAN only - The WAN interface is disabled and the WWAN interface is used exclusively.
Note: The Data Usage table is only an estimate of the current usage and should not be used to calculate actual charges. Contact your Service Provider for accurate billing information.

The Session History table displays a summary of information about WWAN sessions. To view additional details about a specific session, place your mouse cursor over the Properties balloon.
GPRS has an additional advantage over GSM in that it is a packet-switched technology, meaning that stations only send data when there is data to send (rather than reserving the entire channel as occurs in GSM's circuit-switched networks), thus making more efficient use of available bandwidth. The process of connecting to a GPRS network generally involves attachment to the network, followed by the construction and activation of a PDP context, as performed by a series of AT commands.
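The attach-then-PDP-context sequence described above, as an added example that is not part of the original guide or of SonicOS: it drives a scripted stand-in for the WWAN card with the 3GPP TS 27.007 commands AT+CGATT (attach), AT+CGDCONT (define the PDP context) and AT+CGACT (activate it), and stops at the first reply that is not OK. The FakeModem, the APN value "internet" and the bare "OK"/"ERROR" replies are assumptions for the example; a real card frames its replies with CR/LF and may return +CME ERROR codes instead.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


def parse_cgdcont(command: str) -> Tuple[int, str, str]:
    """Parse 'AT+CGDCONT=<cid>,"<PDP_type>","<APN>"' into (cid, pdp_type, apn)."""
    args = command[len("AT+CGDCONT="):].split(",")
    if len(args) < 3:
        raise ValueError("AT+CGDCONT needs cid, PDP type and APN")
    return int(args[0]), args[1].strip('"'), args[2].strip('"')


class FakeModem:
    """Scripted stand-in for a WWAN PC card (constructed for this example)."""

    def __init__(self, attach_ok: bool = True, apn_allowed=("internet",)):
        self.attach_ok = attach_ok            # does the network accept GPRS attach?
        self.apn_allowed = set(apn_allowed)   # APNs the subscription may activate
        self.attached = False
        self.contexts = {}                    # cid -> (pdp_type, apn)
        self.log = []                         # every command received, in order

    def send(self, command: str) -> str:
        self.log.append(command)
        if command == "AT":
            return "OK"
        if command == "AT+CGATT=1":
            if not self.attach_ok:
                return "ERROR"
            self.attached = True
            return "OK"
        if command.startswith("AT+CGDCONT="):
            cid, pdp_type, apn = parse_cgdcont(command)
            self.contexts[cid] = (pdp_type, apn)
            return "OK"
        if command.startswith("AT+CGACT=1,"):
            cid = int(command.split(",", 1)[1])
            ctx = self.contexts.get(cid)
            # Activation fails if not attached, context undefined, or APN refused.
            if not self.attached or ctx is None or ctx[1] not in self.apn_allowed:
                return "ERROR"
            return "OK"
        return "ERROR"


@dataclass
class PdpResult:
    ok: bool
    transcript: List[Tuple[str, str]] = field(default_factory=list)
    error: str = ""


def bring_up_pdp(modem, apn: str, cid: int = 1, pdp_type: str = "IP") -> PdpResult:
    """Attach, define and activate a PDP context; stop at the first failure."""
    steps = [
        ("AT", "modem not responding"),
        ("AT+CGATT=1", "GPRS attach rejected"),
        (f'AT+CGDCONT={cid},"{pdp_type}","{apn}"', "PDP context definition rejected"),
        (f"AT+CGACT=1,{cid}", "PDP context activation rejected"),
    ]
    result = PdpResult(ok=True)
    for command, failure in steps:
        reply = modem.send(command)
        result.transcript.append((command, reply))
        if reply != "OK":
            result.ok = False
            result.error = f"{failure}: {command!r} -> {reply!r}"
            break
    return result


if __name__ == "__main__":
    for apn in ("internet", "wrong.apn"):
        res = bring_up_pdp(FakeModem(), apn)
        print(apn, "->", "up" if res.ok else res.error)
```

Stopping at the first non-OK reply matters in practice: activating a context on a card that never attached, or retrying an APN the subscription rejects, is what leaves a WWAN profile looping in a dial-on-data configuration.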
• W-CDMA - Wideband Code Division Multiple Access - The technology underlying UMTS, W-CDMA is an evolution of the GSM protocol. Referred to as Wideband because its carrier channels are four times wider than the original CDMA standard (5 MHz versus 1.25 MHz).
Part 6: SonicPoint
Chapter 35: Managing SonicPoints

SonicPoint > SonicPoints

SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL security appliances to provide wireless access throughout your enterprise. The SonicPoint section of the Management Interface lets you manage the SonicPoints connected to your system.
• Attach the SonicPoints to the interfaces in the Wireless zone.
• Test SonicPoints

SonicPoint Provisioning Profiles

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation.
Configuring a SonicPoint Profile

You can add any number of SonicPoint profiles. To configure a SonicPoint provisioning profile:
Step 1 To add a new profile click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the edit icon in the same line as the profile you are editing.
– Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under.
Step 3 In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio:
– Enable 802.11g Radio: Check this to automatically enable the 802.11g radio bands on all SonicPoints provisioned with this profile.
– Select a schedule to determine when the radio is enabled. The default is Always on.
– Default Key: Select which key in the list below is the default key, which will be tried first when trying to authenticate a user.
– Key Entry: Select whether the key is alphanumeric or hexadecimal.
– Key 1 - Key 4: Enter the encryption keys for WEP encryption. Enter the key most likely to be used in the field you selected as the default key.
Step 4 In the 802.11g Advanced tab, configure the performance settings for the 802.11g radio. For most 802.
– DTIM Interval: Enter the interval in milliseconds.
– Fragmentation Threshold (bytes): Enter the number of bytes of fragmented data you want the network to allow.
– RTS Threshold (bytes): Enter the number of bytes.
– Maximum Client Associations: Enter the maximum number of clients you want the SonicPoint to support on this radio at one time.
– Preamble Length: Select the length of the preamble, the initial wireless communication sent when associating with a wireless host.
that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS will then use the profile associated with the relevant Zone to configure the 2.4GHz and 5GHz radio settings. Modifications to profiles will not affect units that have already been provisioned and are in an operational state.
The options on these tabs are the same as the Add SonicPoint Profile screen. See Configuring a SonicPoint Profile for instructions on configuring these settings.
Step 3 Click OK to apply these settings.

Synchronize SonicPoints

Click Synchronize SonicPoints at the top of the SonicPoint > SonicPoints page to update the settings for each SonicPoint reported on the page.
Step 6 Click Apply.

Caution: It is imperative that you download the corresponding SonicPoint image for the SonicOS firmware version that is running on your SonicWALL. The mysonicwall.com Web site provides information about the corresponding versions. When upgrading your SonicOS firmware, be sure to upgrade to the correct SonicPoint image.
• Operational – Once the SonicPoint has peered with a SonicOS device and has its configuration validated, it will enter an operational state and will be ready for clients.
• Provisioning – If the SonicPoint configuration requires an update, the SonicOS device will engage an SSPP channel to update the SonicPoint. During this brief process it will enter the provisioning state.
Chapter 36: Viewing Station Status

SonicPoint > Station Status

The SonicPoint > Station Status page reports on the statistics of each SonicPoint. The table lists entries for each wireless client connected to each SonicPoint. The sections of the table are divided by SonicPoint. Under each SonicPoint is the list of all clients currently connected to it. Click the Refresh button in the top right corner to refresh the list. By default, the page displays the first 50 entries found.
Click on the Statistics icon to see a detailed report for an individual station. Each SonicPoint device reports for both radios, and for each station, the following information to its SonicOS peer:
• MAC Address – The client’s (Station’s) hardware address.
• Station State – The state of the station. States can include:
– None – No state information yet exists for the station.
– Authenticated – The station has successfully authenticated.
– Re-association request
– Re-association response
– Probe request
– Probe response
– Beacon frame
– ATIM message
– Disassociation
– Authentication
– De-authentication
• Management Frames Transmitted – Total number of Management frames transmitted.
• Control Frames Received – Total number of Control frames received.
Chapter 37: Using and Configuring IDS

SonicPoint > IDS

You can have many wireless access points within reach of the signal of the SonicPoints on your network. The SonicPoint > IDS page reports on all access points the SonicWALL security appliance can find by scanning the 802.11a and 802.11g radio bands.
Intrusion Detection Settings

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue access points.
Discovered Access Points

The Discovered Access Points table displays information on every access point that can be detected by the SonicPoint radio:
• SonicPoint: The SonicPoint that detected the access point.
• MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
• SSID: The radio SSID of the access point.
• Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz.
• Channel: The radio channel used by the access point.
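Deciding which rows of the Discovered Access Points table are rogue is the administrator's job; the following added example, not part of the original guide or of SonicOS, shows the triage a practitioner typically scripts over an export of that table: every BSSID is checked against the list of BSSIDs you own, and any unknown BSSID that advertises one of your own SSIDs is flagged first, because that is the impersonation pattern ("evil twin") that catches clients. The rows, the authorized BSSID list and the managed SSIDs are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DiscoveredAP:
    """One row of the Discovered Access Points table (constructed sample data)."""
    sonicpoint: str   # SonicPoint that detected the access point
    bssid: str        # MAC address of the detected radio
    ssid: str         # advertised SSID, "" when the beacon hides it
    band: str         # "2.4 GHz" or "5 GHz"
    channel: int


@dataclass
class Finding:
    bssid: str
    ssid: str
    verdict: str
    seen_by: set = field(default_factory=set)    # SonicPoints that saw it
    channels: set = field(default_factory=set)


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def classify_access_points(discovered, authorized_bssids, managed_ssids):
    """Return {bssid: Finding} for every distinct BSSID in the scan."""
    authorized = {normalize_mac(m) for m in authorized_bssids}
    managed = set(managed_ssids)
    findings = {}
    for ap in discovered:
        bssid = normalize_mac(ap.bssid)
        if bssid in authorized:
            verdict = "authorized"
        elif ap.ssid in managed:
            verdict = "evil_twin"        # our SSID from a radio we do not own
        elif ap.ssid == "":
            verdict = "hidden_unknown"   # hidden SSID, cannot be matched by name
        else:
            verdict = "unknown"          # neighbour or rogue, needs a look
        finding = findings.setdefault(bssid, Finding(bssid, ap.ssid, verdict))
        finding.seen_by.add(ap.sonicpoint)
        finding.channels.add(ap.channel)
    return findings


def rogue_report(findings):
    """Non-authorized findings, evil twins first, then hidden, then unknown."""
    order = {"evil_twin": 0, "hidden_unknown": 1, "unknown": 2}
    rogue = [f for f in findings.values() if f.verdict != "authorized"]
    return sorted(rogue, key=lambda f: (order[f.verdict], f.bssid))


# Constructed scan export and inventory; none of these addresses are real.
SAMPLE_SCAN = [
    DiscoveredAP("SonicPoint-1", "00:06:B1:11:22:33", "CorpWiFi", "2.4 GHz", 6),
    DiscoveredAP("SonicPoint-2", "00:06:B1:11:22:33", "CorpWiFi", "2.4 GHz", 6),
    DiscoveredAP("SonicPoint-1", "02:1a:2b:3c:4d:5e", "CorpWiFi", "2.4 GHz", 11),
    DiscoveredAP("SonicPoint-2", "02:1a:2b:3c:4d:5e", "CorpWiFi", "2.4 GHz", 11),
    DiscoveredAP("SonicPoint-2", "00:1f:aa:bb:cc:dd", "NeighborNet", "5 GHz", 36),
    DiscoveredAP("SonicPoint-1", "00:1f:aa:bb:cc:ee", "", "2.4 GHz", 1),
]
AUTHORIZED_BSSIDS = {"00:06:b1:11:22:33"}
MANAGED_SSIDS = {"CorpWiFi", "Guest"}

if __name__ == "__main__":
    for f in rogue_report(classify_access_points(SAMPLE_SCAN, AUTHORIZED_BSSIDS, MANAGED_SSIDS)):
        print(f.verdict, f.bssid, repr(f.ssid), "seen by", sorted(f.seen_by))
```

Keying the inventory on BSSID rather than SSID is the point: the SSID is chosen by whoever runs the radio, so it is exactly the field an impersonator copies.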
Chapter 38: Configuring RF Monitoring

SonicPoint > RF Monitoring

This chapter describes how to plan, design, implement, and maintain the RF Monitoring feature in SonicWALL SonicOS 4.0 Enhanced.
Why RF Monitoring?

Radio Frequency (RF) technology used in today’s 802.11-based wireless networking devices poses an attractive target for intruders. If left unmanaged, RF devices can leave your wireless (and wired) network open to a variety of outside threats, from Denial of Service (DoS) to network security breaches. In order to help secure your SonicPoint Wireless Access Point (AP) stations, SonicWALL takes a closer look at these threats.
Enabling RF Monitoring on SonicPoint(s)

In order for RF Monitoring to be enforced, you must enable the RF Monitoring option on all available SonicPoint devices. The following section provides instructions to re-provision all available SonicPoints with RF Monitoring enabled.
Step 1 Navigate to SonicPoint > SonicPoints in the SonicWALL security appliance management interface.
Step 2 Click the Configure button corresponding to the desired SonicPoint Provisioning Profile.
RF Monitoring Interface Overview

The top portion of the RF Monitoring interface allows you to:
• View the number of threats logged for each group/signature
• Select which RF signature types your SonicWALL looks for
The bottom (Discovered RF Threat Stations) portion of the interface allows you to:
• View a detailed log of the most current threats
• Configure a watch list for discovered stations

Set the Measurement Interval

In the RF Monitoring Summary section, the Measurem
SonicPoint > RF Monitoring Tip For a complete list of RF Threat types and their descriptions, see the “Types of RF Threat Detection” section on page 414 of this document. Viewing Discovered RF Threat Stations The RF Monitoring Discovered Threat Stations list allows you to view, sort and manage a list of the most recent threats to your wireless network.
SonicPoint > RF Monitoring To add a station to the watch list: Step 1 In the SonicPoint > RF Monitoring page, navigate to the Discovered RF threat stations section. Step 2 Click the Step 3 A confirmation screen will appear. Click OK to add the station to the watch list. Step 4 If you have accidentally added a station to the watch list, or would otherwise like a station removed from the list, click the icon that corresponds to the threat station you wish to remove.
SonicPoint > RF Monitoring • Ad-Hoc Station Detection - Ad-Hoc stations are nodes which provide access to wireless clients by acting as a bridge between the actual access point and the user. Wireless users are often tricked into connecting to an Ad-Hoc station instead of the actual access point, as they may have the same SSID. This allows the Ad-Hoc station to intercept any wireless traffic that connected clients send to or receive from the access point.
SonicPoint > RF Monitoring Timesaver For this section in particular (and as a good habit in general), you may find it helpful to keep a record of the locations and MAC addresses of your SonicPoint devices. Step 1 Navigate to the SonicPoint > RF Monitoring page in the SonicWALL Management Interface. Step 2 In the Discovered RF Threat Stations table, locate the Sensor for the SonicPoint that is detecting the targeted RF threat and record the number. Step 3 Navigate to SonicPoint > SonicPoints.
SonicPoint > RF Monitoring Using RSSI to Determine RF Threat Proximity This section builds on what was learned in the “Using Sensor ID to Determine RF Threat Location” section on page 415. In the Discovered RF Threat Stations list, the Rssi field indicates the signal strength at which a particular Sonic Point is detecting an RF threat. The Rssi field allows you to easily determine the proximity of an RF threat to the SonicPoint that is detecting that threat.
SonicPoint > RF Monitoring A high Rssi usually indicates an RF threat that is closer to the SonicPoint. A low Rssi can indicate obstructions or a more distant RF threat. 20 SonicWALL PRO 5060 with RF Management enabled PRO 3060 rssi - Identifies signal strength of the RF threat, allowing for approximate distance gauging. SonicPoint Strong signal rssi: 33 Weak signal rssi: 12 418 SonicOS Enhanced 4.
Part 7: Firewall
Chapter 39: Configuring Access Rules
Firewall > Access Rules
This chapter provides an overview of your SonicWALL security appliance stateful packet inspection default access rules and configuration examples to customize your access rules to meet your business requirements. Access rules are network management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.
Stateful Packet Inspection Default Access Rules Overview
By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined by the “Default” stateful packet inspection access rule enabled in the SonicWALL security appliance:
• Allow all sessions originating from the LAN, WLAN to the WAN, DMZ, or OPT.
The outbound SMTP traffic is guaranteed 20 percent of the available bandwidth and can use as much as 40 percent of it. If this is the only access rule using bandwidth management, it has priority over all other access rules on the SonicWALL security appliance. Other access rules share the remaining bandwidth: the total minus the 20 percent guaranteed to SMTP, less any additional bandwidth (up to its 40 percent maximum) that the SMTP rule is actually consuming.
Tip You can also view access rules by Zones. Use the Option checkboxes in the From Zone and To Zone columns. Select LAN, WAN, VPN, or ALL from the From Zone column, then select LAN, WAN, VPN, or ALL from the To Zone column. Click OK to display the access rules.
Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.
You can change the priority ranking of an access rule by clicking the Arrows icon in the Priority column. The Change Priority window is displayed. Enter the new priority number (1-10) in the Priority field, and click OK.
Tip If the Trashcan or Notepad icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.
Adding Access Rules
To add access rules to the SonicWALL security appliance, perform the following steps:
Step 1 Click Add at the bottom of the Access Rules table. The Add Rule window is displayed.
Step 2 In the General tab, select Allow | Deny | Discard from the Action list to permit or block IP traffic.
Step 3 Select the from and to zones from the From Zone and To Zone menus.
Step 4 Select the service or group of services affected by the access rule from the Service list.
Step 13 If you want the access rule to time out after a period of TCP inactivity, set the amount of time, in minutes, in the TCP Connection Inactivity Timeout (minutes) field. The default value is 5 minutes.
Step 14 If you want the access rule to time out after a period of UDP inactivity, set the amount of time, in minutes, in the UDP Connection Inactivity Timeout (minutes) field. The default value is 30 minutes.
– None: DSCP values in packets are reset to 0.
– Preserve: DSCP values in packets will remain unaltered.
– Explicit: Set the DSCP value to the value you select in the Explicit DSCP Value field. This is a numeric value between 0 and 63.
• 6 - Voice (<10ms latency)
• 7 - Network control
– Map: The QoS mapping settings on the Firewall > QoS Mapping page will be used. See the “Firewall > QoS Mapping” section on page 467 for instructions on configuring the QoS Mapping.
Step 20 Click OK to add the rule.
Tip Although custom access rules can be created that allow inbound IP traffic, the SonicWALL security appliance does not disable protection from DoS attacks, such as the SYN Flood and Ping of Death attacks.
Coupled with IPS, this can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second.
Enabling Ping
This section provides a configuration example for an access rule to allow devices on the DMZ to send ping requests and receive ping responses from devices on the LAN. By default your SonicWALL security appliance does not allow traffic initiated from the DMZ to reach the LAN.
Chapter 40: Configuring Advanced Access Rule Settings
Firewall > Advanced
To configure advanced access rule options, select Firewall > Advanced under Firewall. The Advanced Rule Options page is displayed. The Advanced Rule Options page includes the following firewall configuration option groups:
• Detection Prevention
• Dynamic Ports
• Source Routed Packets
• Connections
• Access Rule Service Options
• IP and UDP Checksum Enforcement
• UDP
Detection Prevention
• Enable Stealth Mode - By default, the security appliance responds to incoming connection requests as either “blocked” or “open.” If you enable Stealth Mode, your security appliance does not respond to blocked inbound connection requests. Stealth Mode makes your security appliance essentially invisible to hackers.
Access Rule Service Options
Force inbound and outbound FTP data connections to use default port 20 - The default configuration allows FTP connections from port 20 but remaps outbound traffic to a port such as 1024. If the check box is selected, any FTP data connection through the security appliance must come from port 20 or the connection is dropped. The event is then logged on the security appliance.
Chapter 41: Configuring TCP Settings
Firewall > TCP Settings
The TCP Settings page lets you view statistics on TCP traffic through the security appliance and manage TCP traffic settings.
– When the TCP SACK Permitted (Selective Acknowledgement, see RFC1072) option is encountered, but the calculated option length is incorrect.
– When the TCP MSS (Maximum Segment Size) option is encountered, but the calculated option length is incorrect.
– When the TCP SACK option data is calculated to be either less than the minimum of 6 bytes, or not a multiple of the 4-byte block size.
– When the TCP option length is determined to be invalid.
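The four option-length conditions above, written out as a checker over a raw TCP options field. This is an added example, not SonicOS code; the option kind numbers come from the RFCs, and the sample option fields are constructed, not captured from an appliance.

```python
# TCP option kinds from RFC 793, RFC 1072 and RFC 2018
EOL, NOP, MSS, SACK_PERMITTED, SACK = 0, 1, 2, 4, 5


def validate_tcp_options(options: bytes) -> list:
    """Walk a TCP options field and return the list of violations found.

    The checks mirror the four conditions listed above: a SACK Permitted or
    MSS option whose length byte disagrees with the fixed size defined for
    it, SACK option data that is shorter than 6 bytes or not a multiple of
    the 4-byte block size, and any option whose length byte is invalid
    (below 2 or running past the end of the options field).
    An empty list means the options field passed every check.
    """
    violations = []
    i, n = 0, len(options)
    while i < n:
        kind = options[i]
        if kind == EOL:
            break                      # end of option list; rest is padding
        if kind == NOP:
            i += 1                     # single-byte option, no length field
            continue
        if i + 1 >= n:
            violations.append(f"kind {kind}: option length byte is missing")
            break
        length = options[i + 1]
        if length < 2 or i + length > n:
            violations.append(f"kind {kind}: invalid option length {length}")
            break                      # nothing after this byte can be trusted
        if kind == MSS and length != 4:
            violations.append(f"MSS: length {length}, expected 4")
        elif kind == SACK_PERMITTED and length != 2:
            violations.append(f"SACK Permitted: length {length}, expected 2")
        elif kind == SACK:
            data_len = length - 2      # bytes after the kind and length bytes
            if data_len < 6 or data_len % 4 != 0:
                violations.append(
                    f"SACK: data length {data_len} is below 6 bytes "
                    "or not a multiple of 4")
        i += length
    return violations


# Constructed sample options fields (hex), not captures from any device.
SAMPLES = {
    # MSS 1460, SACK Permitted, NOP, Window Scale 7: a well-formed SYN
    "well_formed_syn": bytes.fromhex("020405b4040201030307"),
    # MSS option claiming a 3-byte length
    "short_mss": bytes.fromhex("020305"),
    # SACK Permitted carrying two extra bytes (length 4)
    "long_sack_permitted": bytes.fromhex("0404ffff"),
    # SACK option with only 4 bytes of data (below the 6-byte minimum)
    "short_sack": bytes.fromhex("0506aabbccdd"),
    # Window Scale option whose length byte says 0
    "zero_length": bytes.fromhex("030007"),
}


def scan_samples() -> dict:
    """Return {sample name: violation list} for every constructed sample."""
    return {name: validate_tcp_options(opts) for name, opts in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:22s} -> {result or 'OK'}")
```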
The TCP Settings section allows you to:
• Enable TCP Stateful Inspection – Enabling TCP stateful inspection requires that all TCP connections rigidly adhere to the following TCP setup requirements:
– TCP session establishment involves a three-way handshake between two hosts and consists of the following:
• Initiator --> SYN --> Responder
• Initiator <-- SYN/ACK <-- Responder
• Initiator --> ACK --> Responder
• (Session established)
After the initial SYN, it is permissible
A SYN Flood attack is considered to be in progress if the number of unanswered SYN/ACK packets sent by the SonicWALL (half-opened TCP connections) exceeds the threshold set in the “Flood rate until attack logged (unanswered SYN/ACK packets per second)” field. The default value for the field is 20, the minimum is 5, and the maximum is 999,999.
• SYN Blacklisting (Layer 2) – This mechanism blocks specific devices from generating or forwarding SYN flood attacks. You can enable SYN Blacklisting on any interface.
Understanding SYN Watchlists
The internal architecture of both SYN Flood protection mechanisms is based on a single list of Ethernet addresses that are the most active devices sending initial SYN packets to the firewall. This list is called a SYN watchlist.
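The threshold test and the watchlist idea from the two passages above, as an added example that is not SonicOS code: it counts, per second, SYN/ACKs that never received the closing ACK and compares the count with the default of 20, and it ranks the Ethernet addresses that sent the most initial SYNs. The event stream is constructed; treating an ACK that arrives in a later second as unanswered is a simplification of the appliance's per-second sampling.

```python
from collections import Counter, defaultdict

# Default of the "Flood rate until attack logged" field described above
DEFAULT_FLOOD_THRESHOLD = 20


def detect_syn_flood(events, threshold=DEFAULT_FLOOD_THRESHOLD, watchlist_size=3):
    """Evaluate a stream of handshake events against the SYN Flood threshold.

    events: iterable of (second, src_mac, conn_id, kind), kind being "SYN"
    (the firewall answered with a SYN/ACK) or "ACK" (handshake completed).
    Returns (flood_seconds, watchlist): the seconds in which the number of
    SYN/ACKs left unanswered exceeded the threshold, and the most active
    SYN-sending Ethernet addresses, in the spirit of the SYN watchlist.
    """
    syns = defaultdict(set)   # second -> conn_ids that were sent a SYN/ACK
    acks = defaultdict(set)   # second -> conn_ids whose final ACK arrived
    syn_by_mac = Counter()    # initial SYNs seen per Ethernet address
    for second, src_mac, conn_id, kind in events:
        if kind == "SYN":
            syns[second].add(conn_id)
            syn_by_mac[src_mac] += 1
        elif kind == "ACK":
            acks[second].add(conn_id)
    flood_seconds = []
    for second in sorted(syns):
        unanswered = len(syns[second] - acks[second])   # half-open in that second
        if unanswered > threshold:
            flood_seconds.append(second)
    watchlist = syn_by_mac.most_common(watchlist_size)
    return flood_seconds, watchlist


def constructed_events():
    """Constructed sample: five normal handshakes in each of three seconds,
    plus one host that opens 30 connections in second 1 and completes none."""
    events = []
    normal_mac = "00:11:22:33:44:01"
    for second in range(3):
        for k in range(5):
            cid = f"normal-{second}-{k}"
            events.append((second, normal_mac, cid, "SYN"))
            events.append((second, normal_mac, cid, "ACK"))
    flooder_mac = "00:11:22:33:44:f1"
    for k in range(30):
        events.append((1, flooder_mac, f"flood-{k}", "SYN"))
    return events


if __name__ == "__main__":
    floods, watch = detect_syn_flood(constructed_events())
    print("seconds over threshold:", floods)
    print("SYN watchlist:", watch)
```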
Each contains various types of SYN Flood Protection. The following sections describe these features.
Working with SYN Flood Protection Modes
A SYN Flood Protection mode is the level of protection that you can select to defend against half-opened TCP sessions and high-frequency SYN packet transmissions.
To provide more control over the options sent to WAN clients when in SYN Proxy mode, you can configure the following two objects:
SACK (Selective Acknowledgment) – This parameter controls whether or not Selective ACK is enabled. With SACK enabled, a packet or series of packets can be dropped, and the receiver informs the sender which data has been received and where holes may exist in the data.
Never blacklist WAN machines – This checkbox ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended, as leaving it unchecked may interrupt traffic to and from the firewall’s WAN ports.
Always allow SonicWALL management traffic – This checkbox causes IP traffic from a blacklisted device targeting the firewall’s WAN IP addresses to not be filtered.
The following are SYN Flood statistics.
Column | Description
Max Incomplete WAN Connections / sec | The maximum number of pending embryonic half-open connections recorded since the firewall has been up (or since the last time the TCP statistics were cleared).
Average Incomplete WAN | The average number of pending embryonic half-open connections, based on the total number of samples since bootup (or the last TCP statistics reset).
Total FIN Blacklist Packets Rejected | The total number of packets dropped because of the FIN blacklist.
Invalid SYN Flood Cookies Received | The total number of invalid SYN flood cookies received.
Chapter 42: Configuring Firewall Services
Firewall > Services
SonicOS Enhanced provides expanded IP protocol support to allow users to create services and access rules based on these protocols. See “Supported Protocols” on page 449 for a complete listing of supported IP protocols. Services are used by the SonicWALL security appliance to configure network access rules for allowing or denying traffic to the network. The SonicWALL security appliance includes Default Services.
Selecting All Services from View Style displays both Custom Services and Default Services.
Default Services Overview
The Default Services view displays the SonicWALL security appliance default services in the Services table and Service Groups table. The Service Groups table displays clusters of multiple default services as a single service object. You cannot delete or edit these predefined services.
Supported Protocols
The following IP protocols are available for custom services:
• ICMP (1)—(Internet Control Message Protocol) A TCP/IP protocol used to send error and control messages.
• IGMP (2)—(Internet Group Management Protocol) The protocol that governs the management of multicast groups in a TCP/IP network.
• TCP (6)—(Transmission Control Protocol) The TCP part of TCP/IP. TCP is a transport protocol in TCP/IP.
Protocol | Number
GRE | 47
IPsec ESP | 50
IPsec AH | 51
IGMP | 2
EIGRP | 88
OSPF | 89
PIM SM | 103
L2TP | 115
All custom services you create are listed in the Custom Services table. You can group custom services by creating a Custom Services Group for easy policy enforcement. If a protocol is not listed in the Default Services table, you can add it to the Custom Services table by clicking Add.
Step 1 Enter the name of the service in the Name field.
Click the Enable Logging checkbox to enable or disable the logging of the service activities.
Adding Custom IP Type Services
Using only the predefined IP types, if the security appliance encounters traffic of any other IP Protocol type it drops it as unrecognized. However, there exists a large and expanding list of other registered IP types, as governed by IANA (Internet Assigned Numbers Authority): http://www.iana.
Note Attempts to define a Custom IP Type Service Object for a pre-defined IP type will not be permitted, and will result in an error message.
Step 5 Click OK
Step 6 From the Firewall > Service Objects page, Service Group section, select Add Group.
Step 7 Add a Service Group composed of the Custom IP Types Services.
Step 8 From Firewall > Access Rules > WLAN > LAN, select Add.
Step 9 Define an Access Rule allowing myServices from WLAN Subnets to the 10.50.165.
Note Select your Zones, Services and Address Objects accordingly. It may be necessary to create an Access Rule for bidirectional traffic; for example, an additional Access Rule from the LAN > WLAN allowing myServices from 10.50.165.26 to WLAN Subnets.
Step 10 Click OK
IP protocol 46 and 119 traffic will now be recognized, and will be allowed to pass from WLAN Subnets to 10.50.165.26.
Adding a Custom Services Group
You can add custom services and then create groups of services, including default services, to apply the same policies to them. For instance, you can allow SMTP and POP3 traffic only during certain hours or days of the week by adding the two services as a Custom Service Group. To create a Custom Services Group, click Add Group.
Step 1 Enter a name for the custom group in the name field.
Deleting Custom Services Groups
Click the Trashcan icon to delete the individual custom service group entry. You can delete all custom service groups by clicking the Delete button.
Chapter 43: Configuring Multicast Settings
Firewall > Multicast
Multicasting, also called IP multicasting, is a method for sending one Internet Protocol (IP) packet simultaneously to multiple hosts. Multicast is suited to the rapidly growing segment of Internet traffic - multimedia presentations and video conferencing. For example, a single host transmitting an audio or video stream and ten hosts that want to receive this stream.
Multicast Snooping
This section provides configuration tasks for Multicast Snooping.
• Enable Multicast - This checkbox is disabled by default. Select this checkbox to support multicast traffic.
• Require IGMP Membership reports for multicast data forwarding - This checkbox is enabled by default. Select this checkbox to improve performance by regulating multicast data to be forwarded only to interfaces joined into a multicast group address using IGMP.
To create a multicast address object:
Step 1 In the Enable reception for the following multicast addresses list, select Create new multicast object.
Step 2 In the Add Address Object window, configure:
– Name: The name of the address object.
– Zone Assignment: Select MULTICAST.
– Type: Select Host, Range, Network, or MAC.
– IP Address: If you selected Host or Network, the IP address of the host or network. The IP address must be in the range for multicast, 224.0.0.0 to 239.255.255.
Enabling Multicast on LAN-Dedicated Interfaces
Perform the following steps to enable multicast support on LAN-dedicated interfaces.
Step 1 Enable multicast support on your SonicWALL security appliance. On the Firewall > Multicast page, select the Enable Multicast checkbox, and in the Multicast Policy section select Enable the reception of all multicast addresses.
Step 2 Enable multicast support on LAN interfaces.
Enabling Multicast Through a VPN
To enable multicast across the WAN through a VPN, follow these steps:
Step 1 Enable multicast globally. On the Firewall > Multicast page, check the Enable Multicast checkbox, and click the Apply button for each security appliance.
Step 2 Enable multicast support on each individual interface that will be participating in the multicast network.
Note Notice that the default WLAN > MULTICAST access rule for IGMP traffic is set to DENY. This will need to be changed to ALLOW on all participating appliances to enable multicast, if they have multicast clients on their WLAN zones.
Step 5 Make sure the tunnels are active between the sites, and start the multicast server application and client applications. As multicast data is sent from the multicast server to the multicast group (224.0.0.0 through 239.255.255.
Chapter 44: Monitoring Active Connections
Firewall > Connections Monitor
The Firewall > Connections Monitor page displays details on all active connections to the security appliance.
Viewing Connections
The connections are listed in the Active Connections Monitor table. The table lists:
• Source IP
• Source Port
• Destination IP
• Destination Port
• Protocol
• Src Interface
• Dst Interface
• Tx Bytes
• Rx Bytes
Click on a column heading to sort by that column.
Filtering Connections Viewed
You can filter the results to display only connections matching certain criteria.
Check the Group box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group next to Source IP and Destination IP, the search string will look for connections matching:
(Source IP OR Destination IP) AND Protocol
Click Apply Filter to apply the filter immediately to the Active Connections table. Click Reset to clear the filter and display the unfiltered results again.
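The Group semantics above, (Source IP OR Destination IP) AND Protocol, implemented over a small connection table. This is an added example, not SonicOS code; the column names are the ones listed for the Active Connections Monitor, and the rows are constructed rather than taken from an appliance.

```python
from typing import Dict, Iterable, List

# Column names of the Active Connections Monitor table described above
COLUMNS = ("Source IP", "Source Port", "Destination IP", "Destination Port",
           "Protocol", "Src Interface", "Dst Interface", "Tx Bytes", "Rx Bytes")


def filter_connections(connections: Iterable[Dict], criteria: Dict[str, str],
                       grouped: Iterable[str] = ()) -> List[Dict]:
    """Apply the Connections Monitor filter semantics described above.

    criteria maps a column name to the value typed into its filter box.
    Columns named in `grouped` have their Group box checked and are
    combined with OR; every other criterion is ANDed with that result.
    """
    grouped = set(grouped)
    or_terms = {c: v for c, v in criteria.items() if c in grouped}
    and_terms = {c: v for c, v in criteria.items() if c not in grouped}

    def matches(conn: Dict) -> bool:
        # the grouped criteria must match on at least one column ...
        if or_terms and not any(str(conn.get(c)) == v for c, v in or_terms.items()):
            return False
        # ... and every ungrouped criterion must match as well
        return all(str(conn.get(c)) == v for c, v in and_terms.items())

    return [c for c in connections if matches(c)]


# Constructed sample table (not output from an appliance)
SAMPLE_CONNECTIONS = [
    dict(zip(COLUMNS, ("10.0.0.5", 49152, "192.0.2.10", 443, "TCP", "X0", "X1", 1200, 8800))),
    dict(zip(COLUMNS, ("10.0.0.7", 49153, "10.0.0.9", 22, "TCP", "X0", "X0", 300, 400))),
    dict(zip(COLUMNS, ("10.0.0.5", 5353, "224.0.0.251", 5353, "UDP", "X0", "X0", 90, 0))),
    dict(zip(COLUMNS, ("10.0.0.8", 51000, "10.0.0.9", 53, "UDP", "X0", "X0", 60, 120))),
]

EXAMPLE_CRITERIA = {"Source IP": "10.0.0.5", "Destination IP": "10.0.0.9", "Protocol": "TCP"}


def example_grouped_filter() -> List[str]:
    """Source IP 10.0.0.5 OR Destination IP 10.0.0.9, AND Protocol TCP.
    Returns the matching rows' source IPs in table order."""
    rows = filter_connections(SAMPLE_CONNECTIONS, EXAMPLE_CRITERIA,
                              grouped={"Source IP", "Destination IP"})
    return [r["Source IP"] for r in rows]


if __name__ == "__main__":
    print(example_grouped_filter())
```

With no Group box checked the same three criteria are all ANDed, which matches no row of the sample table because no TCP connection has both that source and that destination.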
Chapter 45: Managing Quality of Service
Firewall > QoS Mapping
Quality of Service (QoS) refers to a diversity of methods intended to provide predictable network behavior and performance. This sort of predictability is vital to certain types of applications, such as Voice over IP (VoIP), multimedia content, or business-critical applications such as order or credit-card processing.
But all is not lost. Once SonicOS Enhanced classifies the traffic, it can tag the traffic to communicate this classification to certain external systems that are capable of abiding by CoS tags; thus they too can participate in providing QoS.
Note Many service providers do not support CoS tags such as 802.1p or DSCP. Also, most network equipment with standard configurations will not be able to recognize 802.1p tags, and could drop tagged traffic.
section on page 479. SonicOS’s BWM is a perfectly effective solution for fully autonomous private networks with sufficient bandwidth, but can become somewhat less effective as more unknown external network elements and bandwidth contention are introduced. Refer to the Example Scenario in the “Example Scenario” section on page 472 for a description of contention issues.
Enabling 802.1p
SonicOS Enhanced supports layer 2 and layer 3 CoS methods for broad interoperability with external systems participating in QoS enabled environments. The layer 2 method is the IEEE 802.1p standard wherein 3 bits of an additional 16 bits inserted into the header of the Ethernet frame can be used to designate the priority of the frame, as illustrated in the following figure.
Although Enable 802.1p tagging does not appear as an option on VLAN sub-interfaces on the PRO 4060 and PRO 5060, the 802.1p field is already present within the 802.1q tags of VLAN sub-interfaces. The behavior of the 802.1p field within these tags can be controlled by Access Rules. The default 802.1p Access Rule action of None will reset existing 802.1p tags to 0, unless otherwise configured (see the “Managing QoS Marking” section on page 476 for details). Enabling 802.
Example Scenario
In the scenario above, we have Remote Site 1 connected to ‘Main Site’ by an IPsec VPN. The company uses an internal 802.1p/DSCP capable VoIP phone system, with a private VoIP signaling server hosted at the Main Site. The Main Site has a mixed gigabit and Fast-Ethernet infrastructure, while Remote Site 1 is all Fast Ethernet. Both sites employ 802.1p capable switches for prioritization of internal traffic. 1.
QoS Mapping is a feature which converts layer 2 802.1p tags to layer 3 DSCP tags so that they can safely traverse (in mapped form) 802.1p-incapable links; when the packet arrives for delivery to the next 802.1p-capable segment, QoS Mapping converts from DSCP back to 802.1p tags so that layer 2 QoS can be honored. In our above scenario, the firewall at the Main Site assigns a DSCP tag (e.g.
DSCP | DSCP Description | Legacy IP Precedence
26 | Class 3, gold (AF31) | 3 (Flash – 011)
27 | Class 3, silver (AF32) | 3 (Flash – 011)
30 | Class 3, bronze (AF33) | 3 (Flash – 011)
32 | Class 4 | 4 (Flash Override – 100)
34 | Class 4, gold (AF41) | 4 (Flash Override – 100)
36 | Class 4, silver (AF42) | 4 (Flash Override – 100)
38 | Class 4, bronze (AF43) | 4 (Flash Override – 100)
40 | Express forwarding | 5 (CRITIC/ECP – 101)
46 | Expedited forwarding (EF) | 5 (CRITIC/ECP – 101)
48 | Control | 6 (Internet Contr
56 | Control |
Configure for 802.1p CoS 4 – Controlled load
If you want to change the inbound mapping of DSCP tag 15 from its default 802.1p mapping of 1 to an 802.1p mapping of 2, it would have to be done in two steps because mapping ranges cannot overlap. Attempting to assign an overlapping mapping will give the error DSCP range already exists or overlaps with another range. First, you will have to remove 15 from its current end-range mapping to 802.
Each of these mappings can be reconfigured. If you wanted to change the outbound mapping of 802.1p tag 4 from its default DSCP value of 32 to a DSCP value of 43, you can click the Configure icon for 4 – Controlled load and select the new To DSCP value from the drop-down box:
802.1p CoS 1 end-range remap
802.1p CoS 2 start-range remap
You can restore the default mappings by clicking the Reset QoS Settings button.
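The two-step remap of DSCP 15 and the outbound change of 802.1p 4 from DSCP 32 to 43, modelled as an added example that is not SonicOS code. The default tables are constructed to agree with the two facts above (DSCP 15 ends the range mapped to 802.1p 1; 802.1p 4 maps outbound to DSCP 32) and are not SonicOS's shipped defaults; the overlap error text is the one quoted on this page.

```python
from typing import Dict, List, Tuple

OVERLAP_ERROR = "DSCP range already exists or overlaps with another range"


class QoSMapping:
    """Inbound DSCP-range -> 802.1p table and outbound 802.1p -> DSCP table."""

    def __init__(self):
        self.reset()

    def reset(self) -> None:
        """Constructed defaults: eight 8-wide DSCP ranges, CoS n -> DSCP 8n."""
        self.inbound: List[Tuple[int, int, int]] = [
            (cos * 8, cos * 8 + 7, cos) for cos in range(8)]   # (start, end, cos)
        self.outbound: Dict[int, int] = {cos: cos * 8 for cos in range(8)}

    def add_inbound(self, start: int, end: int, cos: int) -> None:
        """Add a DSCP range; refuse anything that overlaps an existing range."""
        if not (0 <= start <= end <= 63 and 0 <= cos <= 7):
            raise ValueError("DSCP must be 0-63 and 802.1p CoS 0-7")
        for s, e, _ in self.inbound:
            if start <= e and end >= s:          # closed intervals intersect
                raise ValueError(OVERLAP_ERROR)
        self.inbound.append((start, end, cos))
        self.inbound.sort()

    def set_inbound_range(self, cos: int, start: int, end: int) -> None:
        """Re-define the range mapped to `cos`; restore the old one on failure."""
        old = [r for r in self.inbound if r[2] == cos]
        self.inbound = [r for r in self.inbound if r[2] != cos]
        try:
            self.add_inbound(start, end, cos)
        except ValueError:
            self.inbound.extend(old)
            self.inbound.sort()
            raise

    def set_outbound(self, cos: int, dscp: int) -> None:
        if not (0 <= cos <= 7 and 0 <= dscp <= 63):
            raise ValueError("DSCP must be 0-63 and 802.1p CoS 0-7")
        self.outbound[cos] = dscp

    def dscp_to_cos(self, dscp: int) -> int:
        for s, e, cos in self.inbound:
            if s <= dscp <= e:
                return cos
        raise KeyError(f"DSCP {dscp} is not mapped")

    def cos_to_dscp(self, cos: int) -> int:
        return self.outbound[cos]


def remap_dscp_15_to_cos_2(m: QoSMapping) -> str:
    """The two-step change described above. A one-step attempt fails with the
    overlap error; then the CoS 1 end-range is shortened and the CoS 2
    start-range extended. Returns the error text from the failed attempt."""
    try:
        m.add_inbound(15, 15, 2)
        return "unexpectedly succeeded"
    except ValueError as exc:
        error = str(exc)
    m.set_inbound_range(1, 8, 14)    # 802.1p CoS 1 end-range remap
    m.set_inbound_range(2, 15, 23)   # 802.1p CoS 2 start-range remap
    return error


if __name__ == "__main__":
    m = QoSMapping()
    print(remap_dscp_15_to_cos_2(m), "-> DSCP 15 now maps to CoS", m.dscp_to_cos(15))
    m.set_outbound(4, 43)            # 4 - Controlled load: DSCP 32 -> 43
    print("CoS 4 outbound ->", m.cos_to_dscp(4))
```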
Action | 802.1p (layer 2 CoS) | DSCP (layer 3) | Notes
Explicit | An explicit 802.1p tag value can be assigned (0-7) from a drop-down menu that will be presented. | An explicit DSCP tag value can be assigned (0-63) from a drop-down menu that will be presented. | If either the 802.1p or the DSCP action is set to Explicit while the other is set to Map, the explicit assignment occurs first, and then the other is mapped according to that assignment.
One practical application for this behavior would be configuring an 802.1p marking rule for traffic destined for the VPN Zone. Although 802.1p tags cannot be sent across the VPN, reply packets coming back across the VPN can be 802.1p tagged on egress from the tunnel. This requires that 802.1p tagging is active on the physical egress interface, and that the [Zone] > VPN Access Rule has an 802.1p marking action other than None. After ensuring 802.
To examine the effects of the second Access Rule (VPN>LAN), we’ll look at the Access Rules configured at the Main Site: VoIP traffic (as defined by the Service Group) arriving from Remote Site 1 Subnets across the VPN destined to LAN Subnets on the LAN zone at the Main Site would hit the Access Rule for inbound VoIP calls. Traffic arriving at the VPN zone will not have any 802.1p tags, only DSCP tags.
– Traffic exiting the tunnel containing a DSCP tag (e.g.
configure BWM and QoS (i.e. layer 2 and/or layer 3 marking) settings on a single Access Rule. This allows those external systems to benefit from the classification performed on the SonicWALL even after it has already shaped the traffic. BWM configurations begin by enabling BWM on the relevant WAN interface, and declaring the interface’s available bandwidth in Kbps (Kilobits per second).
Once one or both BWM settings are enabled on the WAN interface and the available bandwidth has been declared, an Ethernet BWM tab will appear on Access Rules. The Bandwidth tab will present either Inbound settings, Outbound settings, or both, depending on what was enabled on the WAN interface: The configuration on the General tab will classify the traffic.
Outbound Bandwidth Management
Bandwidth Management as employed by SonicOS Enhanced is based on an amalgamation of queue management and congestion avoidance techniques, but in empirical practice it most closely resembles Class-Based Queueing (CBQ), as defined by Sally Floyd and Van Jacobson in Link-sharing and Resource Management Models for Packet Networks, while incorporating elements of RFC2309 Recommendations on Queue Management and Congestion Avoidance in the Internet and various cr
to be processed. When Guaranteed queue credits are depleted, the next queue in that priority ring is processed. The same process is repeated for the remaining priority rings, and upon completing priority ring 7 begins again with priority ring 0. The scheduling for excess bandwidth is strict priority, with per-packet round-robin within each priority.
Outbound BWM Packet Processing Path
a. Determine that the packet is bound for the WAN Zone.
b. Determine that the packet is classifiable as a Firewall packet.
c. Match the packet to an Access Rule to determine BWM setting.
d. Queue the packet in the appropriate rule queue.
Guaranteed Bandwidth Processing
This algorithm depicts how all the policies use up the GBW.
a. Start with a link credit equal to available link BW.
b. Initialize the class credit with configured GBW for the rule.
Example of Outbound BWM
The above diagram shows 4 policies configured for OBWM with a link capacity of 100 Kbps. This means that the link capacity is 12800 Bytes/sec. The table below gives the BWM values for each rule in Bytes per second.
BWM values | FTP | H323 | Yahoo Messenger | VNC
GBW | 1280 | 2560 | 640 | 2560
MBW | 2560 | 5120 | 1920 | 3200
a. For GBW processing, we start with the first queue in the rule queue list which is FTP. Link credit is 12800 and class credit is 1280.
f. Start off with the highest priority ring 0 and process all queues in this priority in a round robin fashion. H323 has Pkt3 of 500B which is sent since it can use up to max = 2560 (MBW-GBW). Now Link credit = 7500 and max = 2060.
g. Move to the next queue in this priority ring which is VNC queue. Pkt3 of 500B is sent out leaving link credit = 7000B and class max = 140 (MBW-GBW - 500).
h. Move to the next queue in this priority ring.
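The outbound BWM interval described above (a guaranteed-bandwidth pass over the rule queues, then strict-priority rings with per-packet round robin limited to MBW-GBW), run over the four rules from the table. This is an added simulation, not SonicOS code: the packet sizes are constructed, and while the page places H323 and VNC in ring 0, the ring assignments for FTP and Yahoo Messenger and the assumption that unused GBW credit does not carry into the excess pass are mine.

```python
from collections import deque
from typing import Dict, List

LINK_BYTES_PER_SEC = 12800   # 100 Kbps link capacity, as stated above


class RuleQueue:
    """One Access Rule queue with its GBW/MBW (bytes/sec) and priority ring."""

    def __init__(self, name: str, gbw: int, mbw: int, ring: int, packets: List[int]):
        self.name, self.gbw, self.mbw, self.ring = name, gbw, mbw, ring
        self.packets = deque(packets)   # queued packet sizes in bytes, head first
        self.sent: List[int] = []


def schedule_outbound(queues: List[RuleQueue], link_credit: int = LINK_BYTES_PER_SEC) -> int:
    """One scheduling interval of outbound BWM; returns the unused link credit.

    Pass 1 (guaranteed bandwidth): each rule queue, in list order, may send
    while both its class credit (initialised to its GBW) and the link credit
    cover the packet at the head of its queue.
    Pass 2 (excess bandwidth): strict priority across rings 0..7 and
    per-packet round robin within a ring, each queue capped at MBW - GBW.
    Assumption: leftover GBW credit is not carried into pass 2.
    """
    for q in queues:
        class_credit = q.gbw
        while q.packets and q.packets[0] <= min(class_credit, link_credit):
            size = q.packets.popleft()
            class_credit -= size
            link_credit -= size
            q.sent.append(size)
    for ring in range(8):
        ring_queues = [q for q in queues if q.ring == ring]
        excess = {q.name: q.mbw - q.gbw for q in ring_queues}   # class "max"
        progress = True
        while progress:
            progress = False
            for q in ring_queues:          # one packet per queue per turn
                if q.packets and q.packets[0] <= min(excess[q.name], link_credit):
                    size = q.packets.popleft()
                    excess[q.name] -= size
                    link_credit -= size
                    q.sent.append(size)
                    progress = True
    return link_credit


def constructed_interval() -> Dict[str, int]:
    """The four rules from the table above with constructed packet sizes.
    Rings: H323 and VNC in ring 0 (as on the page); FTP in ring 1 and
    Yahoo Messenger in ring 3 are assumptions. Returns bytes sent per rule."""
    queues = [
        RuleQueue("FTP", 1280, 2560, 1, [1000, 1000, 1000]),
        RuleQueue("H323", 2560, 5120, 0, [1500, 1500, 500, 500]),
        RuleQueue("Yahoo Messenger", 640, 1920, 3, [700]),
        RuleQueue("VNC", 2560, 3200, 0, [2000, 500, 500]),
    ]
    schedule_outbound(queues)
    return {q.name: sum(q.sent) for q in queues}


if __name__ == "__main__":
    for rule, total in constructed_interval().items():
        print(f"{rule:16s} {total:5d} bytes")
```

In the constructed run VNC's last 500-byte packet stays queued: after its guaranteed 2560 bytes and one excess packet, only 140 bytes of its MBW-GBW allowance remain, the same arithmetic the page shows for class max.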
Algorithm for Inbound Bandwidth Management
IBWM maintains eight priority rings, where each priority ring has one queue for a rule that has IBWM enabled. The IBWM pool is processed from the highest to lowest priority ring, further shaping the traffic. IBWM employs three key algorithms:
Ingress Rate Update
This algorithm processes each packet from the WAN and updates the ingress rate of the class to which it belongs. It also marks the traffic class if it has over utilized the link.
a.
e. Record class credit as remaining credit.
f. If remaining credit is greater than or equal to average rate, process the ACK packet and deduct average rate from remaining credit.
g. Repeat g until remaining credit is not enough or the ingress ACK queue is empty.
h. Repeat steps f through h for the next rule queue in the ring.
i. Repeat steps f through i for the next lowest priority ring.
Glossary
• 802.1p – IEEE 802.1p is a Layer 2 (MAC layer) Class of Service mechanism that tags packets by using 3 priority bits (for a total of 8 priority levels) within the additional 16 bits of an 802.1q header. 802.1p processing requires compatible equipment for tag generation, recognition and processing, and should only be employed on compatible networks.
• Bandwidth Management (BWM) – Refers to any of a variety of algorithms or methods used to shape traffic or police traffic.
– Weighted Random Early Detection (WRED) – An implementation of RED that factors DSCP markings into its discard decision process.
• DSCP – (Differentiated Services Code Points) – The repurposing of the ToS field of an IP header as described by RFC2747. DSCP uses 64 Code Point values to enable DiffServ (Differentiated Services). By marking traffic according to its class, each packet can be treated appropriately at every hop along the network.
• Marking – Also known as tagging or coloring – The act of applying layer 2 (802.1p) or layer 3 (DSCP) information to a packet for the purpose of differentiation, so that it can be properly classified (recognized) and prioritized by network devices along the path to its destination.
• MPLS - Multi Protocol Label Switching.
• Shaping – An attempt by a QoS system to modify the rate of traffic flow, usually by employing some feedback mechanism to the sender. The most common example of this is TCP rate manipulation, where acknowledgements (ACKs) sent back to a TCP sender are queued and delayed so as to increase the calculated round-trip time (RTT), leveraging the inherent behavior of TCP to force the sender to slow the rate at which it sends data.
Chapter 46: Configuring SSL Control

Firewall > SSL Control

This chapter describes how to plan, design, implement, and maintain the SSL Control feature.
of TCP-based network communications, with its most common and well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based endpoint identification, and cryptographic and digest-based confidentiality to network communications. An effect of the security provided by SSL is the obscuration of all payload, including the URL (Uniform Resource Locator, for example, https://www.mysonicwall.com) being requested by a client when establishing an HTTPS session.
Key Features of SSL Control

Feature: Common-Name based White and Black Lists
Benefit: The administrator can define lists of explicitly allowed or denied certificate subject common names (described in Key Concepts). Entries will be matched on substrings, for example, a blacklist entry for “prox” will match “www.megaproxy.com”, “www.proxify.com” and “proxify.net”.
Feature: SSL version, Cipher Strength, and Certificate Validity Control
Benefit: SSL Control provides additional management of SSL sessions based on characteristics of the negotiation, including the ability to disallow the potentially exploitable SSLv2, the ability to disallow weak encryption (ciphers less than 64 bits), and the ability to disallow SSL negotiations where a certificate’s date ranges are invalid.
SSL is not limited to securing HTTP, but can also be used to secure other TCP protocols such as SMTP, POP3, IMAP, and LDAP. For more information, see http://wp.netscape.com/eng/security/SSL_2.html. SSL session establishment occurs as follows:

• SSLv2 – The earliest version of SSL still in common use.
– TLS – Transport Layer Security (version 1.0), also known as SSLv3.
mismatch elicits a browser alert, it is not always a sure sign of deception. For example, if a client browses to https://mysonicwall.com, which resolves to the same IP address as www.mysonicwall.com, the server will present its certificate bearing the subject CN of www.mysonicwall.com. An alert will be presented to the client, despite the total legitimacy of the connection.
Caveats and Advisories

1. Self-signed and Untrusted CA enforcement – If enforcing either of these two options, it is strongly advised that you add the common names of any SSL secured network appliances within your organization to the whitelist to ensure that connectivity to these devices is not interrupted. For example, the default subject name of SonicWALL UTM appliances is “192.168.168.168”, and the default common name of SonicWALL SSL-VPN appliances is “192.168.200.1”.
SSL Control Configuration

SSL Control is located on the Firewall panel, under the SSL Control folder. SSL Control has a global setting, as well as a per-zone setting. By default, SSL Control is not enabled at the global or zone level. The individual page controls are as follows (refer to the Key Concepts for SSL Control section for more information on terms used below).

• Enable SSL Control – The global setting for SSL Control.
• Detect Self-signed certificates – Controls the detection of certificates where both the issuer and the subject have the same common name.
• Detect Certificates signed by an Untrusted CA – Controls the detection of certificates where the issuer’s certificate is not in the SonicWALL’s System > Certificates trusted store.
To configure the Whitelist and Blacklist, click the Configure button to bring up the following window. Entries can be added, edited and deleted with the buttons beneath each list window.

Note: List matching will be based on the subject common name in the certificate presented in the SSL exchange, not on the URL (resource) requested by the client.
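The policy logic described in this section, written out as an added example (this is not SonicOS code): a handshake already parsed into its negotiated version, cipher strength, certificate subject and issuer CNs, validity dates and issuer trust is checked against the SSL Control settings, with list matching done on substrings of the subject CN and never on the URL. The ordering (blacklist first, then a whitelist hit exempting the session from the remaining checks, as the Caveats section implies), case-insensitive matching, and treating every enabled detection as a block are assumptions.

```python
"""SSL Control policy evaluation (added example, not SonicOS code).

Assumptions: blacklist is checked before whitelist, a whitelist match exempts
the session from the other checks, CN matching is case-insensitive, and each
enabled detection blocks the session.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Handshake:
    version: str            # negotiated protocol, e.g. "SSLv2", "SSLv3", "TLSv1.0"
    cipher_bits: int        # symmetric key length of the negotiated cipher
    subject_cn: str         # certificate subject common name
    issuer_cn: str          # certificate issuer common name
    not_before: datetime
    not_after: datetime
    issuer_trusted: bool    # issuer present in the System > Certificates store


@dataclass
class SslControlPolicy:
    enabled: bool = True
    block_sslv2: bool = False
    block_weak_ciphers: bool = False     # ciphers weaker than 64 bits
    block_invalid_dates: bool = False
    detect_self_signed: bool = False
    detect_untrusted_ca: bool = False
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)


def list_match(cn, entries):
    """Substring match against the certificate subject CN, never the URL."""
    cn = cn.lower()
    return [e for e in entries if e.lower() in cn]


def evaluate(hs, policy, now):
    """Return (action, reason) for one handshake; action is 'allow' or 'block'."""
    if not policy.enabled:
        return "allow", "SSL Control disabled"
    if list_match(hs.subject_cn, policy.blacklist):
        return "block", f"subject CN {hs.subject_cn!r} matches blacklist"
    if list_match(hs.subject_cn, policy.whitelist):
        # Whitelisted appliances (e.g. a self-signed UTM at 192.168.168.168)
        # keep connectivity even when self-signed enforcement is on.
        return "allow", f"subject CN {hs.subject_cn!r} matches whitelist"
    if policy.block_sslv2 and hs.version == "SSLv2":
        return "block", "SSLv2 negotiation"
    if policy.block_weak_ciphers and hs.cipher_bits < 64:
        return "block", f"weak cipher ({hs.cipher_bits} bits)"
    if policy.block_invalid_dates and not (hs.not_before <= now <= hs.not_after):
        return "block", "certificate date range invalid"
    if policy.detect_self_signed and hs.subject_cn == hs.issuer_cn:
        return "block", "self-signed certificate"
    if policy.detect_untrusted_ca and not hs.issuer_trusted:
        return "block", "certificate signed by untrusted CA"
    return "allow", "no policy violation"


# Constructed sample handshakes and a policy that enforces every control.
POLICY = SslControlPolicy(
    block_sslv2=True, block_weak_ciphers=True, block_invalid_dates=True,
    detect_self_signed=True, detect_untrusted_ca=True,
    whitelist=["192.168.168.168", "192.168.200.1"],
    blacklist=["prox"],
)
NOW = datetime(2008, 6, 1)

APPLIANCE = Handshake("SSLv3", 128, "192.168.168.168", "192.168.168.168",
                      datetime(2007, 1, 1), datetime(2017, 1, 1), False)
PROXY = Handshake("TLSv1.0", 128, "www.megaproxy.com", "Example CA",
                  datetime(2008, 1, 1), datetime(2009, 1, 1), True)
LEGACY = Handshake("SSLv2", 40, "www.example.com", "Example CA",
                   datetime(2008, 1, 1), datetime(2009, 1, 1), True)
SELF_SIGNED = Handshake("TLSv1.0", 128, "10.0.0.5", "10.0.0.5",
                        datetime(2008, 1, 1), datetime(2009, 1, 1), False)

if __name__ == "__main__":
    for hs in (APPLIANCE, PROXY, LEGACY, SELF_SIGNED):
        print(hs.subject_cn, evaluate(hs, POLICY, NOW))
```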
sent in response for evaluation against the configured policy. Enabling SSL Control on the LAN Zone, for example, will inspect all SSL traffic initiated by clients on the LAN to any destination zone.
Log events will include the client’s username in the notes section (not shown) if the user logged in manually, or was identified through CIA/Single Sign On. If the user’s identity is not available, the note will indicate that the user is Unidentified.
Part 8: VoIP
Chapter 47: Configuring VoIP Support

VoIP

This chapter contains the following sections:
• “VoIP Overview” on page 509
• “SonicWALL’s VoIP Capabilities” on page 512
• “Configuring SonicWALL VoIP Features” on page 520
• “VoIP Deployment Scenarios” on page 531

VoIP Overview

This section provides an overview of VoIP.
VoIP Security

Companies implementing VoIP technologies in an effort to cut communication costs and extend corporate voice services to a distributed workforce face security risks associated with the convergence of voice and data networks. VoIP security and network integrity are an essential part of any VoIP deployment. The same security threats that plague data networks today are inherited by VoIP, but the addition of VoIP as an application on the network makes those threats even more dangerous.
VoIP Protocols

VoIP technologies are built on two primary protocols, H.323 and SIP.

H.323

H.323 is a standard developed by the International Telecommunications Union (ITU). It’s a comprehensive suite of protocols for voice, video, and data communications between computers, terminals, network devices, and network services. H.323 is designed to enable users to make point-to-point multimedia phone calls over connectionless packet-switching networks such as private IP networks and the Internet. H.
• Redirect Server - Responds to requests but does not forward them.
• Registration Server - Handles UA authentication and registration.
also provides proactive defense against newly discovered application and protocol vulnerabilities. Signature granularity allows SonicWALL IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.

VoIP Network

• Note: VoIP over Wireless LAN (WLAN) - SonicWALL extends complete VoIP security to attached wireless networks with its Distributed Wireless Solution.
• Validation of headers for all media packets - SonicOS examines and monitors the headers within media packets to allow detection and discarding of out-of-sequence and retransmitted packets (beyond window). Also, by ensuring that a valid header exists, invalid media packets are detected and discarded. By tracking the media streams as well as the signaling, SonicWALL provides protection for the entire VoIP session.
SIP

SonicOS provides the following support for SIP:
– Base SIP standard (both RFC 2543 and RFC 3261)
– SIP INFO method (RFC 2976)
– Reliability of provisional responses in SIP (RFC 3262)
– SIP specific event notification (RFC 3265)
– SIP UPDATE method (RFC 3311)
– DHCP option for SIP servers (RFC 3361)
– SIP extension for instant messaging (RFC 3428)
– SIP REFER method (RFC 3515)
– Extension to SIP for symmetric response routing (RFC 3581)
SonicWALL VoIP Vendor Interoperability

The following is a partial list of devices from leading manufacturers with which SonicWALL VoIP interoperates. H.
• H.264, H.263, and H.261 for video
• MPEG4, G.711, G.722, G.723, G.728, G.729 for audio

VoIP Protocols that SonicOS Does Not Perform Deep Packet Inspection on

SonicWALL security appliances do not currently support deep packet inspection for the following protocols; therefore, these protocols should only be used in non-NAT environments.
• Proprietary extensions to H.323 or SIP
• MGCP
• Megaco/H.
1. Phone B registers with VoIP server - The SonicWALL security appliance builds a database of the accessible IP phones behind it by monitoring the outgoing VoIP registration requests. SonicOS translates between phone B’s private IP address and the firewall’s public IP address used in registration messages. The VoIP server is unaware that phone B is behind a firewall and has a private IP address; it associates phone B with the firewall’s public IP address.
Figure 47:2 Local VoIP Call Flow

The following describes the sequence of events shown in Figure 47:2:
1. Phones A and B register with VoIP server - The SonicWALL security appliance builds a database of the accessible IP phones behind it by monitoring the outgoing VoIP registration requests. SonicOS translates between the phones’ private IP addresses and the firewall’s public IP address. The VoIP server is unaware that the phones are behind a firewall.
Configuring SonicWALL VoIP Features

Configuring the SonicWALL security appliance for VoIP deployments builds on your basic network configuration in the SonicWALL management interface. This chapter assumes the SonicWALL security appliance is configured for your network environment.
General VoIP Configuration

SonicOS includes the VoIP configuration settings on the VoIP > Settings page. This page is divided into three configuration settings sections: General Settings, SIP Settings, and H.323 Settings.

Configuring Consistent Network Address Translation (NAT)

Consistent NAT enhances standard NAT policy to provide greater compatibility with peer-to-peer applications that require a consistent IP address to connect to, such as VoIP.
Configuring SIP Settings

By default, SIP clients use their private IP address in the SIP Session Definition Protocol (SDP) messages that are sent to the SIP proxy. If your SIP proxy is located on the public (WAN) side of the SonicWALL security appliance and SIP clients are on the private (LAN) side behind the firewall, the SDP messages are not translated and the SIP proxy cannot reach the SIP clients.
The Additional SIP signaling port (UDP) for transformations setting allows you to specify a non-standard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VoIP services use different ports, such as 1560. Using this setting, the security appliance performs SIP transformation on these non-standard ports.

Tip: Vonage’s VoIP service uses UDP port 5061.

Configuring H.323 Transformations

Select Enable H.
Bandwidth Management

SonicOS offers an integrated traffic shaping mechanism through its Egress (outbound) and Ingress (inbound) management interfaces. Outbound BWM can be applied to traffic sourced from Trusted and Public Zones (such as LAN and DMZ) destined to Untrusted and Encrypted Zones (such as WAN and VPN). Inbound bandwidth management can be applied to traffic sourced from Untrusted and Encrypted Zones destined to Trusted and Public Zones.
Configuring Bandwidth on the WAN Interface

BWM configurations begin by enabling BWM on the relevant WAN interface, and specifying the interface’s available bandwidth in Kbps. This is performed from the Network > Interfaces page by selecting the Configure icon for the WAN interface, and navigating to the Advanced tab. Egress and Ingress BWM can be enabled jointly or separately on WAN interfaces. Different bandwidth values may be entered for outbound and inbound bandwidth to support asymmetric links.
If you are defining VoIP access for clients to use a VoIP service provider from the WAN, you configure network access rules between source and destination interfaces or zones to enable clients behind the firewall to send and receive VoIP calls. If your SIP Proxy or H.323 Gateway is located behind the firewall, you can use the SonicWALL Public Server Wizard to automatically configure access rules.
• For SIP, select SIP
Step 6 Select the source of the traffic affected by the access rule from the Source list. Selecting Create New Network displays the Add Address Object window.
Step 7 If you want to define the source IP addresses that are affected by the access rule, such as restricting certain users from accessing the Internet, select Range in the Type: pulldown menu. Then enter the lowest and highest IP addresses in the range in the Starting IP Address: and Ending IP Address fields.
Tip: Rules using Bandwidth Management take priority over rules without bandwidth management.

Using the Public Server Wizard

The SonicWALL Public Server Wizard provides an easy method for configuring firewall access rules for a SIP Proxy or H.323 Gatekeeper running on your network behind the firewall. Using this wizard performs all the configuration settings you need for VoIP clients to access your VoIP servers.
Step 1 Click Wizards on the SonicOS navigation bar.
Note: SonicWALL recommends NOT selecting VoIP from the Services menu. Selecting this option opens up more TCP/UDP ports than are required, potentially opening up unnecessary security vulnerabilities.
Step 5 Enter the name of the server in the Server Name field.
Step 6 Enter the private IP address of the server. Specify an IP address in the range of addresses assigned to the zone where the server is located.
Step 10 The Summary page displays a summary of all the configuration you have performed in the wizard. It should show:
• Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the LAN zone, the wizard binds the address object to the LAN zone.
• Server Service Group Object - The wizard creates a service group object for the services used by the new server.
Configuring VoIP Logging

You can enable the logging of VoIP events in the SonicWALL security appliance log in the Log > Categories page. Log entries are displayed on the Log > View page. To enable logging:
Step 1 Select Log > Categories.
Step 2 Select Expanded Categories from the View Style menu in the Log Categories section.
Step 3 Locate the VoIP (VOIP H.323/RAS, H.323/H.225, H.323/H.245 activity) entry in the table.
Figure 47:3 Point-to-Point VoIP Service Topology

This deployment does not require a VoIP server. The Public IP address of the SonicWALL security appliance is used as the main VoIP number for hosts on the network. This requires a static Public IP address or the use of a Dynamic DNS service to make the public address available to callers from the WAN. Incoming call requests are routed through the SonicWALL security appliance using NAT, DHCP Server, and network access rules.
Figure 47:4 Public VoIP Service Topology

For VoIP clients that register with a server from the WAN, the SonicWALL security appliance automatically manages NAT policies and access rules. The SonicWALL security appliance performs stateful monitoring of registration and permits incoming calls for clients while they remain registered. No configuration of clients is required. See the “Using the Public Server Wizard” section for information on configuring this deployment.
Figure 47:5 Trusted VoIP Service Topology

For VoIP clients that register with a server on the DMZ or LAN, the SonicWALL security appliance automatically manages NAT policies and access rules. The SonicWALL security appliance performs stateful monitoring of registration and permits incoming calls for clients while they remain registered. No configuration on the VoIP clients is required. To make a server on the LAN accessible to clients on the WAN:
Part 9: VPN
Chapter 48: Configuring VPN Policies

VPN > Settings

The VPN > Settings page provides the SonicWALL features for configuring your VPN policies. You configure site-to-site VPN policies and GroupVPN policies from this page.

VPN Overview

A Virtual Private Network (VPN) provides a secure connection between two or more computers or protected networks over the public internet. It provides authentication to ensure that the information is going to and from the correct parties.
Prior to the invention of Internet Protocol Security (IPsec) and Secure Socket Layer (SSL), secure connections between remote computers or networks required a dedicated line or satellite link. This was both inflexible and expensive. A VPN creates a connection with similar reliability and security by establishing a secure tunnel through the internet.
One advantage of SSL VPN is that SSL is built into most Web Browsers. No special VPN client software or hardware is required.

Note: SonicWALL makes SSL-VPN devices that you can use in concert with or independently of a SonicWALL UTM appliance running SonicOS. For information on SonicWALL SSL-VPN devices, see the SonicWALL Website: http://www.sonicwall.com/us/Secure_Remote_Access.
Aggressive Mode: To reduce the number of messages exchanged during authentication by half, the negotiation of which cryptographic algorithm to use is eliminated. The initiator proposes one algorithm and the responder replies if it supports that algorithm:
1. The initiator proposes a cryptographic algorithm to use and sends its public key.
2. The responder replies with a public key and identity proof.
3. The initiator sends an identification proof.
Note: There is no restriction on nesting IKE v1 tunnels within an IKE v2 tunnel and vice versa. For example, if you are connecting to a wireless device using WiFiSec, which uses an IKE v1 tunnel, you can then connect over the internet to a corporate network using a site-to-site VPN tunnel established with IKE v2.

Initialization and Authentication in IKE v2

IKE v2 initializes a VPN tunnel with a pair of message exchanges (two message/response pairs).
• “VPN Auto-Added Access Rule Control” section on page 578

Configuring VPNs in SonicOS Enhanced

SonicWALL VPN, based on the industry-standard IPsec VPN implementation, provides an easy-to-setup, secure solution for connecting mobile users, telecommuters, remote offices and partners via the Internet.
E-Mail ID Domain name.
• Peer ID Filter if using 3rd party certificates.
• IKE (Phase 1) Proposal:
– DH Group:
– Group 1
– Group 2
– Group 5
Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
GSC only (Require Global Security Client checked on security appliance)
• Shared secret, if selected on security appliance:
• Certificate, if selected on security appliance:
• User’s user name and password if XAUTH is required on the security appliance.

Site-to-Site VPN Planning Checklist

On the Initiator

Typically, the request for an IKE VPN SA is made from the remote site.
Choose local network from list (select an address object):
Local network obtains IP addresses using DHCP through this VPN Tunnel (not used with IKEv2)
Any address
• Destination Networks
Use this VPN Tunnel as default route for all Internet traffic
Destination network obtains IP addresses using DHCP through this VPN Tunnel
Choose destination network from list (select an address object):
• IKE (Phase 1) Proposal:
– Exchange:
– Main Mode
– Aggressive Mode
– IKEv2 Mode
– DH Group:
– AES-192
– AES-256
– Authentication:
– MD5
– SHA1
– Enable Perfect Forward Secrecy
– DH Group (if perfect forward secrecy is enabled):
– Group 1
– Group 2
– Group 5
Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
On the Responder

The settings on the responder must be the same as on the initiator except:
• Name of this VPN:
• IPsec Primary Gateway Name or Address: not required on the responder
• IPsec Secondary Gateway Name or Address: not required on the responder
• IKE Authentication for IKE using Preshared Secret:
– Local IKE ID: (must match Peer IKE ID on initiator)
– IP Address
– Domain Name
– Email Address
– SonicWALL Identifier
– Peer IKE ID: (must match Local IKE ID on initiator)
VPN Policy Wizard

The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN or site-to-site VPN policies on the SonicWALL security appliance. After completing the configuration, the wizard creates the necessary VPN settings for the selected policy. You can use the SonicWALL Management Interface for optional advanced configuration options.

Note: For step-by-step instructions on using the VPN Policy Wizard, see Chapter 50, Configuring VPNs with the VPN Policy Wizard.
VPN Policies

All existing VPN policies are displayed in the VPN Policies table. Each entry displays the following information:
• Name: Displays the default name or user-defined VPN policy name.
• Gateway: Displays the IP address of the remote SonicWALL. If 0.0.0.0 is used, no Gateway is displayed.
• Destinations: Displays the IP addresses of the destination networks.
• Crypto Suite: Displays the type of encryption used for the VPN policy.
You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific VPN policy. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page. You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order.
• “Creating Site-to-Site VPN Policies” section on page 562
• “VPN Auto-Added Access Rule Control” section on page 578

Configuring GroupVPN Policies

SonicWALL GroupVPN facilitates the setup and deployment of multiple SonicWALL Global VPN Clients by the SonicWALL security appliance administrator. GroupVPN is only available for SonicWALL Global VPN Clients, and it is recommended you use XAUTH/RADIUS or third party certificates in conjunction with the GroupVPN for added security.
Configuring GroupVPN with IKE using Preshared Secret on the WAN Zone

To configure the WAN GroupVPN, follow these steps:
Step 1 Click the edit icon for the WAN GroupVPN entry. The VPN Policy window is displayed.
Step 2 In the General tab, IKE using Preshared Secret is the default setting for Authentication Method. A Shared Secret is automatically generated by the SonicWALL security appliance in the Shared Secret field, or you can generate your own shared secret.
– Select the DH Group from the DH Group menu.
Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
– Select 3DES, AES-128, or AES-256 from the Encryption menu.
– Select the desired authentication method from the Authentication menu.
– Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
– Management via this SA - If using the VPN policy to manage the SonicWALL security appliance, select the management method, either HTTP or HTTPS.
– Default Gateway - Allows the network administrator to specify the IP address of the default network route for incoming IPsec packets for this VPN policy. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL security appliance.
• Always - Global VPN Client user prompted for username and password only once when connection is enabled. When prompted, the user will be given the option of caching the username and password.
– Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent upon a DHCP server, either the internal SonicOS or a specified external DHCP server, to allocate addresses to the Virtual Adapter.
Configuring GroupVPN with IKE using 3rd Party Certificates

To configure GroupVPN with IKE using 3rd Party Certificates, follow these steps:

Caution: Before configuring GroupVPN with IKE using 3rd Party Certificates, your certificates must be installed on the SonicWALL.

Step 1 In the VPN > Settings page click the edit icon under Configure. The VPN Policy window is displayed.
– Distinguished Name - based on the certificate’s Subject Distinguished Name field, which is contained in all certificates by default. Valid entries for this field are based on country (c=), organization (o=), organization unit (ou=), and/or commonName (cn=). Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon. You must enter at least one entry, for example c=us.
traffic. For packets received via an IPsec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
– Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status.
• This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
Caution: The GroupVPN SA must be enabled on the SonicWALL to export a configuration file.

Step 1 Click the Disk icon in the Configure column for the GroupVPN entry in the VPN Policies table. The Export VPN Client Policy window appears.
Step 2 The rcf format is required for SonicWALL Global VPN Clients option is selected by default. Files saved in the rcf format can be password encrypted. The SonicWALL provides a default file name for the configuration file, which you can change.
Step 3 Click Yes.
• Hub and Spoke Design - All SonicWALL VPN gateways are configured to connect to a central SonicWALL (hub), such as a corporate SonicWALL. The hub must have a static IP address, but the spokes can have dynamic IP addresses. If the spokes are dynamic, the hub must be a SonicWALL.
• Mesh Design - All sites connect to all other sites. All sites must have static IP addresses.
See “Planning Your VPN” on page 542 for a planning sheet to help you set up your VPN.
Configuring a VPN Policy with IKE using Preshared Secret

To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below:
Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed.
Step 2 In the General tab, select IKE using Preshared Secret from the Authentication Method menu.
Step 3 Enter a name for the policy in the Name field.
Optionally, specify a Local IKE ID and Peer IKE ID for this policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWALL Identifier (ID_USER_FQDN) is used for Aggressive Mode.
Step 7 Click the Network tab.
Step 8 Under Local Networks, select a local network from Choose local network from list if a specific local network can access the VPN tunnel.
Destination network obtains IP addresses using DHCP server through this tunnel. Alternatively, select Choose Destination network from list, and select the address object or group.
Step 10 Click Proposals.
Step 11 Under IKE (Phase 1) Proposal, select either Main Mode, Aggressive Mode, or IKEv2 from the Exchange menu. Aggressive Mode is generally used when WAN addressing is dynamically assigned.
– If you selected Main Mode or Aggressive Mode in the Proposals tab:
• Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.
– If you selected IKEv2 in the Proposals tab:
• Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.
The term Trigger Packet refers to the use of initial Traffic Selector payloads populated with the IP addresses from the packet that caused SA negotiation to begin. It is recommended practice to include Trigger Packets to assist the IKEv2 Responder in selecting the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it may be appropriate to disable the inclusion of Trigger Packets to some IKE peers.
Step 15 Click OK.
Configuring the Local SonicWALL Security Appliance

Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed.
Step 2 In the General tab of the VPN Policy window, select Manual Key from the IPsec Keying Mode menu. The VPN Policy window displays the manual key options.
Step 3 Enter a name for the policy in the Name field.
Step 4 Enter the host name or IP address of the remote connection in the IPsec Gateway Name or Address field.
Step 5 Click the Network tab.
Destination network from list, and select the address object or group.
Step 7 Click on the Proposals tab.
Step 8 Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcdef) and can range from 3 to 8 characters in length.

Caution: Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, each Security Association’s Incoming SPI can be the same as its Outgoing SPI.
Tip: Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window.

Step 12 Click the Advanced tab and select any of the following optional settings you want to apply to your VPN policy.
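The SPI and key rules from Step 8 and the Tip above, turned into a pre-commit check as an added example (not SonicOS code): SPIs must be 3 to 8 hexadecimal characters, no two Security Associations may share an SPI, one SA may reuse its own value for both directions, and a DES or ARCFour key is 16 hexadecimal characters. The ManualKeySa record and the algorithm labels are assumptions; key lengths for other algorithms are not checked.

```python
"""Manual Key VPN policy sanity checks (added example, not SonicOS code).

Assumptions: the ManualKeySa record shape and the "DES"/"ARCFour" labels;
only the 16-hex-character DES/ARCFour key rule from the text is enforced.
"""
import re
from dataclasses import dataclass

SPI_RE = re.compile(r"^[0-9a-fA-F]{3,8}$")      # 3 to 8 hex characters
KEY64_RE = re.compile(r"^[0-9a-fA-F]{16}$")     # 64-bit key as 16 hex characters
KEY64_ALGOS = ("DES", "ARCFour")


@dataclass
class ManualKeySa:
    name: str
    incoming_spi: str
    outgoing_spi: str
    encryption: str        # assumed labels: "DES", "ARCFour", ...
    encryption_key: str


def validate_sa(sa):
    """Return the problems found in one SA (an empty list means it is valid)."""
    problems = []
    for label, spi in (("Incoming SPI", sa.incoming_spi),
                       ("Outgoing SPI", sa.outgoing_spi)):
        if not SPI_RE.match(spi):
            problems.append(f"{sa.name}: {label} {spi!r} must be 3 to 8 hex characters")
    if sa.encryption in KEY64_ALGOS and not KEY64_RE.match(sa.encryption_key):
        problems.append(f"{sa.name}: {sa.encryption} key must be 16 hex characters")
    return problems


def validate_policies(sas):
    """Validate each SA and reject SPIs reused across different SAs."""
    problems = []
    owner = {}  # numeric SPI value -> name of the SA that first claimed it
    for sa in sas:
        problems.extend(validate_sa(sa))
        # One SA may use a single value for both directions, so collapse its
        # two SPIs to a set before comparing against the other SAs. Values are
        # compared numerically so that "001a2b" and "1a2b" count as the same SPI.
        spis = {int(s, 16) for s in (sa.incoming_spi, sa.outgoing_spi) if SPI_RE.match(s)}
        for spi in spis:
            if spi in owner and owner[spi] != sa.name:
                problems.append(f"{sa.name}: SPI {spi:x} is already used by {owner[spi]}")
            owner.setdefault(spi, sa.name)
    return problems


# Constructed policies: a valid pair, then one that reuses the first SA's SPI,
# has a non-hex outgoing SPI and a key of the wrong length.
GOOD = [
    ManualKeySa("to-branch", "1a2b", "1a2b", "DES", "1234567890abcdef"),
    ManualKeySa("to-partner", "3c4d5e", "6f7a8b", "ARCFour", "fedcba0987654321"),
]
BAD = GOOD + [
    ManualKeySa("to-vendor", "001a2b", "zz", "DES", "short"),
]

if __name__ == "__main__":
    print("GOOD:", validate_policies(GOOD))
    for problem in validate_policies(BAD):
        print("BAD:", problem)
```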
Configuring the Remote SonicWALL Security Appliance

Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed.
Step 2 In the General tab, select Manual Key from the IPsec Keying Mode menu.
Step 3 Enter a name for the SA in the Name field.
Step 4 Enter the host name or IP address of the local connection in the IPsec Gateway Name or Address field.
Step 5 Click the Network tab.
– Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network drop-down box. To translate the Remote Network, select or create an Address Object in the Translated Remote Network drop-down box.
To create a VPN SA using IKE and third party certificates, follow these steps:
Step 1 In the VPN > Settings page, click Add. The VPN Policy window is displayed.
Step 2 In the Authentication Method list in the General tab, select IKE using 3rd Party Certificates. The VPN Policy window displays the 3rd party certificate options.
Step 3 Type a Name for the Security Association in the Name field.
VPN > Settings Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon. You must enter at least one entry, i.e. c=us. Step 7 Type an ID string in the Peer IKE ID field. Step 8 Click on the Network tab. Step 9 Under Local Networks, select a local network from Choose local network from list if a specific local network can access the VPN tunnel.
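How a Peer IKE ID string of the form c=*;o=*;ou=*;cn=* is checked against a peer certificate subject, as an added example (not SonicOS code). It assumes that * is a glob wildcard, that matching is case-insensitive, and that each template entry consumes one subject attribute of the same type; the certificate subject is constructed sample input.

```python
import fnmatch

ALLOWED_ATTRS = ("c", "o", "ou", "cn")
MAX_OU = 3  # the manual allows up to three organizational units


def parse_peer_id(template):
    """Parse a Peer IKE ID string such as 'c=us;o=Example;ou=*;cn=*' into
    a list of (attribute, pattern) pairs. Raises ValueError for input the
    manual rules out (no entries, unknown attribute, more than three ou)."""
    # The final entry does not need a trailing semicolon, so drop empty pieces.
    entries = [e.strip() for e in template.split(";") if e.strip()]
    if not entries:
        raise ValueError("at least one entry (e.g. c=us) is required")
    parsed = []
    for entry in entries:
        attr, sep, pattern = entry.partition("=")
        attr = attr.strip().lower()
        if not sep or attr not in ALLOWED_ATTRS or not pattern.strip():
            raise ValueError(f"malformed entry {entry!r}")
        parsed.append((attr, pattern.strip()))
    if sum(1 for a, _ in parsed if a == "ou") > MAX_OU:
        raise ValueError("at most three ou entries may be specified")
    return parsed


def subject_matches(template, subject):
    """Return True if every template entry is satisfied by a distinct attribute
    of the peer certificate subject, given as [(attr, value), ...].

    Assumption: '*' is a glob wildcard and comparison is case-insensitive."""
    remaining = [(a.lower(), v.lower()) for a, v in subject]
    for attr, pattern in parse_peer_id(template):
        for i, (sa, sv) in enumerate(remaining):
            if sa == attr and fnmatch.fnmatchcase(sv, pattern.lower()):
                del remaining[i]  # each subject attribute satisfies one entry
                break
        else:
            return False  # no unused subject attribute matched this entry
    return True


# Constructed sample subject of a branch firewall's certificate.
BRANCH_SUBJECT = [
    ("C", "US"),
    ("O", "Example Corp"),
    ("OU", "Engineering"),
    ("OU", "VPN Gateways"),
    ("CN", "branch-fw.example.test"),
]

if __name__ == "__main__":
    print(subject_matches("c=us;o=*;ou=VPN*;cn=*", BRANCH_SUBJECT))  # True
```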
Destination network obtains IP addresses using DHCP server through this tunnel. Alternatively, select Choose Destination network from list, and select the address object or group. Step 11 Click the Proposals tab. Step 12 In the IKE (Phase 1) Proposal section, select the following settings: – Select Main Mode or Aggressive Mode from the Exchange menu. – Select the desired DH Group from the DH Group menu.
– Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours. Step 14 Click the Advanced tab. Select any optional configuration options you want to apply to your VPN policy: – Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel.
– If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example, if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, you should enter the IP address of your router into the Default LAN Gateway (optional) field. – Select an interface or Zone from the VPN Policy bound to menu.
Chapter 49: Configuring Advanced VPN Settings
VPN > Advanced
The VPN > Advanced page includes optional settings that affect all VPN policies. Advanced VPN Settings • Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the SonicWALL.
– Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The default value is 60 seconds. – Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the SonicWALL security appliance. The SonicWALL security appliance uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
• IKEv2 Dynamic Client Proposal - SonicOS Enhanced 4.0 introduces IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Clicking the Configure button launches the Configure IKEv2 Dynamic Client Proposal window. Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method.
Online Certificate Status Protocol determines the current status of a digital certificate without using a CRL. OCSP enables the client or application to directly determine the status of an identified digital certificate. This provides more timely information about the certificate than is possible with CRLs. In addition, each client typically only checks a few certificates and does not incur the overhead of downloading an entire CRL for only a few entries.
Using OCSP with VPN Policies The SonicWALL OCSP settings can be configured on a policy level or globally. To configure OCSP checking for individual VPN policies, use the Advanced tab of the VPN Policy configuration page. Step 1 Select the radio button next to Enable OCSP Checking. Step 2 Specify the OCSP Responder URL of the OCSP server, for example http://192.168.168.220:2560 where 192.168.168.
Chapter 50: Configuring DHCP Over VPN
VPN > DHCP over VPN
The VPN > DHCP over VPN page allows you to configure a SonicWALL security appliance to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one IP subnet address space. This facilitates IP address administration for the networks using VPN tunnels.
Configuring the Central Gateway for DHCP Over VPN To configure DHCP over VPN for the Central Gateway, use the following steps: 1. Select VPN > DHCP over VPN. 2. Select Central Gateway from the DHCP Relay Mode menu. 3. Click Configure. The DHCP over VPN Configuration window is displayed. 4. Select Use Internal DHCP Server to enable the SonicWALL Global VPN Client or a remote firewall or both to use an internal DHCP server to obtain IP addressing information.
2. Click Configure. The DHCP over VPN Configuration window is displayed. 3. In the General tab, the VPN policy name is automatically displayed in the Relay DHCP through this VPN Tunnel field if the VPN policy has the setting Local network obtains IP addresses using DHCP through this VPN Tunnel enabled. Only VPN policies using IKE can be used as VPN tunnels for DHCP. 4. Select the interface to which the DHCP lease is bound from the DHCP lease bound to menu. 5.
Devices 9. To configure devices on your LAN, click the Devices tab. 10. To configure Static Devices on the LAN, click Add to display the Add LAN Device Entry window, and type the IP address of the device in the IP Address field and then type the Ethernet address of the device in the Ethernet Address field. An example of a static device is a printer, as it cannot obtain an IP lease dynamically.
Note You must configure the local DHCP server on the remote SonicWALL security appliance to assign IP leases to these computers. Note If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enabled on the remote computer. Tip If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, i.e. two LANs.
Chapter 51: Configuring L2TP Server
VPN > L2TP Server
The SonicWALL security appliance can terminate L2TP-over-IPsec connections from incoming Microsoft Windows 2000 and Windows XP clients. In situations where running the SonicWALL Global VPN Client is not possible, you can use the SonicWALL L2TP Server to provide secure access to resources behind the SonicWALL security appliances. You can use Layer 2 Tunneling Protocol (L2TP) to create VPN over public networks such as the Internet.
Configuring the L2TP Server The VPN > L2TP Server page provides the settings for configuring the SonicWALL security appliance as an L2TP Server. To configure the L2TP Server, follow these steps: 1. To enable L2TP Server functionality on the SonicWALL security appliance, select Enable L2TP Server. Then click Configure to display the L2TP Server Configuration window. 2.
6. If the L2TP Server provides IP addresses, select Use the Local L2TP IP pool. Enter the range of private IP addresses in the Start IP and End IP fields. The private IP addresses should be a range of IP addresses on the LAN. 7. If you have configured a specific user group defined for using L2TP, select it from the User Group for L2TP users menu or use Everyone. 8. Click OK.
Part 10: User Management
Chapter 52: Managing Users and Authentication Settings
User Management
This chapter describes the user management capabilities of your SonicWALL security appliance for locally and remotely authenticated users.
encrypted connection. The SonicWALL authenticates all users as soon as they attempt to access network resources in a different zone (such as WAN, VPN, WLAN, etc.), which causes the network traffic to pass through the SonicWALL. Users who log into a computer on the LAN, but perform only local tasks, are not authenticated by the SonicWALL. User level authentication can be performed using a local user database, LDAP, RADIUS, or a combination of a local database with either LDAP or RADIUS.
Figure 52:2 Local Groups Authentication Flow Diagram (figure: the user's workstation attempts to access the web; the SonicWALL requires authentication of the user and redirects the workstation to authenticate; the user authenticates with credentials)
Using RADIUS for Authentication Remote Authentication Dial In User Service (RADIUS) is a protocol used by SonicWALL security appliances to authenticate users who are attempting to access the network. The RADIUS server contains a database with user information, and checks a user’s credentials using authentication schemes such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Microsoft CHAP (MSCHAP), or MSCHAPv2.
Figure 52:4 LDAP User Group Authentication Flow Diagram (figure: the user's workstation attempts to access the web)
LDAP Terms The following terms are useful when working with LDAP and its variants: • Schema – The schema is the set of rules or the structure that defines the types of data that can be stored in a directory, and how that data can be stored. Data is stored in the form of ‘entries’. • Active Directory (AD) – The Microsoft directory service, commonly used with Windows-based networking. Microsoft Active Directory is compatible with LDAP.
• Samba SMB: Development information is available at http://us5.samba.org/samba/ • Novell eDirectory: LDAP integration information is available at http://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.html • User-defined schemas: See the documentation for your LDAP installation. You can also see general information on LDAP at http://rfc.net/rfc1777.
Users that are identified but lack the group memberships required by the configured policy rules are redirected to the Access Barred page. Benefits SonicWALL SSO is a reliable and time-saving feature that utilizes a single login to provide access to multiple network resources based on administrator-configured group memberships and policy matching. SonicWALL SSO is transparent to end users and requires minimal administrator configuration.
• Net API or WMI
How Does Single Sign-On Work? SonicWALL SSO requires minimal administrator configuration and is transparent to the user. There are six steps involved in SonicWALL SSO authentication, as illustrated in Figure 52:5. Figure 52:5 SonicWALL Single Sign-On Process The SonicWALL SSO authentication process is initiated when user traffic passes through a SonicWALL security appliance, for example, when a user accesses the Internet.
User names are returned from the authorization agent running the SSO Agent in the format /. For locally configured user groups, the user name can be configured to be the full name returned from the authorization agent running the SSO Agent (configuring the names in the SonicWALL security appliance local user database to match) or a simple user name with the domain component stripped off (default).
Figure 52:6 SonicWALL SSO Agent Process The SonicWALL security appliance queries the SonicWALL SSO Agent over the default port 2258. The SSO Agent then communicates between the client and the SonicWALL security appliance to determine the client’s user ID. The SonicWALL SSO Agent is polled, at a rate that is configurable by the administrator, by the SonicWALL security appliance to continually confirm a user’s login status.
• User login denied - SSO Agent agent name resolution failed: The SonicWALL SSO Agent is unable to resolve the user name. • SSO Agent returned user name too long: The user name is too long. • SSO Agent returned domain name too long: The domain name is too long. The notes field of log messages specific to the SSO Agent will contain the text “, authentication by SSO Agent”.
• “User Groups” section on page 612 • “Priority for Preempting Administrators” section on page 612 • “GMS and Multiple Administrator Support” section on page 613 Configuration Modes In order to allow multiple concurrent administrators, while also preventing potential conflicts caused by multiple administrators making configuration changes at the same time, the following configuration modes have been defined: • Configuration mode - Administrator has full privileges to edit the
Function (columns: Full admin in config mode, Full admin in non-config mode, Read-only administrator, Limited administrator)
Renegotiate VPN tunnels: X X
Log users off: X X
Unlock locked-out users: X X
Clear log: X X
Filter logs: X X X X
Export log: X X X X
Email log: X X X
Configure log categories: X X X X (guest users only: X)
Configure log settings: X X
Generate log reports: X X
Browse the full UI: X X
Generate log reports: X X X X X
User Groups The Multiple Administrat
GMS and Multiple Administrator Support When using SonicWALL GMS to manage a SonicWALL security appliance, GMS frequently logs in to the appliance (for such activities as ensuring that GMS management IPSec tunnels have been created correctly). These frequent GMS log-ins can make local administration of the appliance difficult because the local administrator can be preempted by GMS. Viewing Status on Users > Status The Users > Status page displays Active User Sessions on the SonicWALL.
Configuring Settings on Users > Settings On this page, you can configure the authentication method required, global user settings, and an acceptable user policy that is displayed to users when logging onto your network.
User Login Settings In the Authentication method for login drop-down list, select the type of user account management your network uses: • Select Local Users to configure users in the local database in the SonicWALL appliance using the Users > Local Users and Users > Local Groups pages. For information about using the local database for authentication, see “Using Local Users and Groups for Authentication” on page 600.
Select Enforce login uniqueness to prevent the same user name from being used to log into the network from more than one location at a time. This setting applies to both local users and RADIUS/LDAP users. However, the login uniqueness setting does not apply to the default administrator with the username admin. Select Redirect users from HTTPS to HTTP on completion of login if you want users to be connected to the network through your SonicWALL appliance via HTTP after logging in via HTTPS.
• Enable disconnected user detection: Causes the SonicWALL to detect when a user’s connection is no longer valid and end the session. • Timeout on heartbeat from user's login status window (minutes): Sets the time needed without a reply from the heartbeat before ending the user session. Other Global User Settings • Allow these HTTP URLs to bypass users authentication access rules: Define a list of URLs users can connect to without authenticating.
Acceptable use policy page content - Enter your Acceptable Use Policy text in the text box. You can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation.
See the following sections for configuration instructions: • “Viewing, Editing and Deleting Local Users” on page 619 • “Adding Local Users” on page 620 • “Editing Local Users” on page 621 Viewing, Editing and Deleting Local Users You can view all the groups to which a user belongs on the Users > Local Users page. Click on the expand icon next to a user to view the group memberships for that user. The three columns to the right of the user’s name list the privileges that the user has.
Adding Local Users You can add local users to the internal database on the SonicWALL security appliance from the Users > Local Users page. To add local users to the database: Step 1 Click Add User. The Add User configuration window displays. Step 2 On the Settings tab, type the user name into the Name field. Step 3 In the Password field, type a password for the user.
Step 9 Click OK to complete the user configuration. Editing Local Users You can edit local users from the Users > Local Users screen. To edit a local user: Step 1 In the list of users, click the edit icon in the same line as the user you want to edit. Step 2 Configure the Settings, Groups, and VPN Access exactly as when adding a new user. See “Adding Local Users” on page 620. Configuring Local Groups Local groups are displayed in the Local Groups table.
A default group, Everyone, is listed in the first row of the table. Click the Notepad icon in the Configure column to review or change the settings for Everyone. See the following sections for configuration instructions: • “Creating a Local Group” on page 623 • “Importing Local Groups from LDAP” on page 624
Creating a Local Group Step 1 Click the Add Group button to display the Add Group window. Step 2 On the Settings tab, type a user name into the Name field. Step 3 On the Members tab, to add users and other groups to this group, select the user or group from the Non-Members Users and Groups list and click the right arrow button ->.
Note You can create custom Content Filtering Service policies in the Security Services > Content Filter page. See “Security Services > Content Filter” section on page 695. Step 6 Click OK. Importing Local Groups from LDAP You can configure local user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import from LDAP... button launches a dialog box containing the list of user group names available for import to the SonicWALL.
Configuring RADIUS Authentication If you selected RADIUS or RADIUS + Local Users from the Authentication method for login drop-down list, the Configure button becomes available. Step 1 Click Configure to set up your RADIUS server settings on the SonicWALL. The RADIUS Configuration window is displayed. Step 2 Under Global RADIUS Settings, type in a value for the RADIUS Server Timeout (seconds). The allowable range is 1-60 seconds with a default value of 5.
RADIUS Servers In the RADIUS Servers section, you can designate the primary and, optionally, the secondary RADIUS server. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network. Step 4 In the Primary Server section, type the host name or IP address of the RADIUS server in the Name or IP Address field. Step 5 Type the RADIUS server administrative password or “shared secret” in the Shared Secret field.
RADIUS Users Settings To configure the RADIUS user settings: Step 10 On the RADIUS Users tab, select Allow only users listed locally if only the users listed in the SonicWALL database are authenticated using RADIUS. Step 11 Select the mechanism used for setting user group memberships for RADIUS users from the following choices: • Select Use SonicWALL vendor-specific attribute on RADIUS server to apply a configured vendor-specific attribute from the RADIUS server.
Creating a New User Group for RADIUS Users In the RADIUS User Settings screen, you can create a new group by choosing Create a new user group... from the Default user group to which all RADIUS users belong drop-down list: Step 1 Select Create a new user group... The Add Group window displays. Step 2 In the Settings tab, enter a name for the group. You may enter a descriptive comment as well. Step 3 In the Members tab, select the members of the group.
Note You can add any group as a member of another group except Everybody and All RADIUS Users. Be aware of the membership of the groups you add as members of another group. Step 4 In the VPN Access tab, select the network resources to which this group will have VPN Access by default. Step 5 If you have Content Filtering Service (CFS) on your security appliance, you can configure the content filtering policy for this group on the CFS Policy tab.
When Use LDAP to retrieve user group information is selected, after authenticating a user via RADIUS, his/her user group membership information will be looked up via LDAP in the directory on the LDAP/AD server. Clicking the Configure button launches the LDAP configuration window.
• MSCHAPv2: Select this to use the Microsoft version 2 implementation of CHAP. MSCHAPv2 works for Windows 2000 and later versions of Windows. Step 9 Click the Test button. If the validation is successful, the Status message changes to Success. If the validation fails, the Status message changes to Failure. To complete the RADIUS configuration, click OK.
http://support.microsoft.com/kb/931125. Step 6 Launch the Domain Security Policy application: Navigate to Start > Run and run the command: dompol.msc. Step 7 Open Security Settings > Public Key Policies. Step 8 Right click Automatic Certificate Request Settings. Step 9 Select New > Automatic Certificate Request. Step 10 Step through the wizard, and select Domain Controller from the list.
Configuring the SonicWALL Appliance for LDAP The Users > Settings page in the administrative interface provides the settings for managing your LDAP integration: Step 1 In the SonicOS administrative interface, open the Users > Settings page. Step 2 In the Authentication method for login drop-down list, select either LDAP or LDAP + Local Users. Step 3 Click Configure.
• Port Number – The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server, specify it here. • Server timeout – The amount of time, in seconds, that the SonicWALL will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999 (in case you’re running your LDAP server on a VIC-20 located on the moon), with a default of 10 seconds.
and location in the directory) as the login to the primary server. This may entail creating a special user in the directory for the SonicWALL login. Note that only read access to the directory is required.
Step 7 • User group membership attribute – Select the attribute that contains information about the groups to which the user object belongs. This is memberOf in Microsoft Active Directory. The other pre-defined schemas store group membership information in the group object rather than the user object, and therefore do not use this field. • Framed IP address attribute – Select the attribute that can be used to retrieve a static IP address that is assigned to a user in the directory.
Note AD has some built-in containers that do not conform (e.g. the DN for the top level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format. Ordering is not critical, but since they are searched in the given order it is most efficient to place the most commonly used trees first in each list.
If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the Domain to search value accordingly and selecting Append to existing trees on each subsequent run. Step 8 On the LDAP Users tab, configure the following fields: • Allow only users listed locally – Requires that LDAP users also be present in the SonicWALL local user database for logins to be allowed.
• Import user groups – You can click this button to configure user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import user groups button launches a dialog box containing the list of user group names available for import to the SonicWALL. In the LDAP Import User Groups dialog box, select the checkbox for each group that you want to import into the SonicWALL, and then click Save.
The SonicWALL appliance can retrieve group memberships efficiently in the case of Active Directory by taking advantage of its unique trait of returning a ‘memberOf’ attribute for a user.
Note The ‘Bypass filters’ and ‘Limited management capabilities’ privileges are returned based on membership to user groups named ‘Content Filtering Bypass’ and ‘Limited Administrators’ – these are not configurable. Step 10 Select the Test tab to test the configured LDAP settings: The Test LDAP Settings page allows for the configured LDAP settings to be tested by attempting authentication with specified user and password credentials.
– “Configuring User Settings” section on page 669
Installing the SonicWALL SSO Agent The SonicWALL SSO Agent is part of the SonicWALL Directory Connector. The SonicWALL SSO Agent must be installed on a workstation or server in the Windows domain that is accessible using VPN or IP. The SonicWALL SSO Agent must have access to your SonicWALL security appliance running SonicOS 4.0 or higher. To install the SonicWALL SSO Agent, perform the following steps: Step 1 Locate the SonicWALL Directory Connector executable file and double click it.
Step 4 On the Customer Information page, enter your name in the User Name field and your organization name in the Organization field. Select to install the application for Anyone who uses this computer (all users) or Only for me. Click Next to continue. Step 5 Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next. To specify a custom location, click Browse, select the folder, and click Next.
SonicWALL SSO Agent feature. Click Next. Step 7 Click Install to install SSO Agent. Step 8 To configure a common service account that the SSO Agent will use to log into a specified Windows domain, enter the username of an account with administrative privileges in the Username field, the password for the account in the Password field, and the domain name of the account in the Domain Name field. Click Next.
Note This section can be configured at a later time. To skip this step and configure it later, click Skip. Step 9 Enter the IP address of your SonicWALL security appliance running SonicOS Enhanced 4.0 in the SonicWALL Appliance IP field. Type the port number for the same appliance in the SonicWALL Appliance Port field. Enter a shared key (a hexadecimal number from 1 to 16 digits in length) in the Shared Key field. Click Next to continue.
The SonicWALL SSO Agent installs. The status bar displays. Step 10 When installation is complete, optionally check the Launch SonicWALL Directory Connector box to launch the SonicWALL Directory Connector, and click Finish.
If you checked the Launch SonicWALL Directory Connector box, the SonicWALL Directory Connector will display. Configuring the SonicWALL SSO Agent The SonicWALL SSO Agent communicates with workstations using NetAPI or WMI, which both provide information about users that are logged into a workstation, including domain users, local users, and Windows services. WMI is pre-installed on Windows Server 2003, Windows XP, Windows ME, and Windows 2000. For other Windows versions, visit www.microsoft.
To configure the communication properties of the SonicWALL SSO Agent, perform the following tasks: Step 1 Launch the SonicWALL Configuration Tool by double-clicking the desktop shortcut or by navigating to Start > All Programs > SonicWALL > SonicWALL Directory Connector > SonicWALL Configuration Tool. Note If the IP address for a default SonicWALL security appliance was not configured, or if it was configured incorrectly, a pop up will display.
If the message SonicWALL SSO Agent service is not running. Please check the configuration and start the service displays, the SSO Agent service will be disabled by default. To enable the service, expand the SonicWALL Directory Connector Configuration Tool in the left navigation panel by clicking the + icon, highlight the SonicWALL SSO Agent underneath it, and click the button.
Note When Logging Level 2 is selected, the SSO Agent service will terminate if the Windows event log reaches its maximum capacity. Step 4 In the Refresh Time field, enter the frequency, in seconds, that the SSO Agent will refresh user log in status. The default is 60 seconds. Step 5 From the Query Source pull-down menu, select the protocol that the SSO Agent will use to communicate with workstations, either NETAPI or WMI.
Note NetAPI will provide faster, though possibly slightly less accurate, performance. WMI will provide slower, though possibly more accurate, performance. WMI is pre-installed on Windows Server 2003, Windows XP, Windows Me, and Windows 2000. Both NetAPI and WMI can be manually downloaded and installed. NetAPI and WMI provide information about users that are logged into a workstation, including domain users, local users, and Windows services.
Adding a SonicWALL Security Appliance Use these instructions to manually add a SonicWALL security appliance if you did not add one during installation, or to add additional SonicWALL security appliances. To add a SonicWALL security appliance, perform the following steps: Step 1 Launch the SonicWALL SSO Agent Configurator. Step 2 Expand the SonicWALL Directory Connector and SonicWALL SSO Agent trees in the left column by clicking the + button.
Your appliance will display in the left-hand navigation panel under the SonicWALL Appliances tree. Editing Appliances in SonicWALL SSO Agent You can edit all settings on SonicWALL security appliances previously added in SonicWALL SSO Agent, including IP address, port number, friendly name, and shared key. To edit a SonicWALL security appliance in SonicWALL SSO Agent, select the appliance from the left-hand navigation panel and click the edit icon above the left-hand navigation panel.
Modifying Services in SonicWALL SSO Agent You can start, stop, and pause SonicWALL SSO Agent services to SonicWALL security appliances. To pause services for an appliance, select the appliance from the left-hand navigation panel and click the pause button. To stop services for an appliance, select the appliance from the left-hand navigation panel and click the stop button. To resume services, click the start button.
Step 4 Click Configure. The Authentication Agent Settings page displays. Step 5 In the Name or IP Address field, enter the name or IP Address of the workstation on which SonicWALL SSO Agent is installed. Step 6 In Port Number, enter the port number of the workstation on which SonicWALL SSO Agent is installed. The default port is 2258. Step 7 In the Shared Key field, enter the shared key that you created or generated in the SonicWALL SSO Agent. The shared key must match exactly.
Step 11 Check the box next to Allow only users listed locally to allow only users listed locally to be authenticated. Step 12 Check the box next to Simple user names in local database to use simple user names. This setting ignores the domain component of a user name. If this box is not checked, user names in the local database must match exactly the full names returned from the agent, including the domain component.
User Management Note The Content Filter tab is only displayed if Premium CFS is enabled on the SonicWALL security appliance. Step 19 To bypass SSO for content filtering traffic and apply the default content filtering policy to the traffic, select the appropriate address object or address group from the pulldown menu. 658 SonicOS Enhanced 4.
User Management This setting should be used where traffic that would be subject to content filtering can emanate from a device other than a user's workstation (such as an internal proxy web server). It prevents the SonicWALL from attempting to identify such a device as a network user in order to select the content filtering policy to apply. The default content filtering policy will be used for all traffic from the selected IP addresses. Step 20 Click the Test tab.
User Management Step 22 Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test if the agent is property configured to identify the user logged into a workstation. Note Performing tests on this page applies any changes that have been made. Tip If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again. Step 23 When you are finished, click OK.
Advanced LDAP Configuration
If you selected Use LDAP to retrieve user group information in step 14 of the "Configuring Your SonicWALL Security Appliance" section on page 655, you must configure your LDAP settings. To configure LDAP settings, perform the following steps:
Step 1 The Settings tab displays. In the Name or IP address field, enter the name or IP address of your LDAP server.
Step 2 In the Port Number field, enter the port number of your LDAP server. The default port is 636.

Note Use the user's name in the Login user name field, not a username or login ID. For example, John Doe would log in as John Doe, not jdoe.
Step 6 Select the LDAP version from the Protocol version drop-down menu, either LDAP version 2 (LDAPv2) or LDAP version 3 (LDAPv3). Most implementations of LDAP, including AD, employ LDAPv3.
Step 7 Check the Use TLS (SSL) box to use Transport Layer Security (SSL) to log in to the LDAP server.

Note Only check the Send LDAP 'Start TLS' request box if your LDAP server uses the same port number for TLS and non-TLS.
Step 9 Check the Require valid certificate from server box to require a valid certificate from the server. This validates the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate.
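The following is an added illustration, not code from the SonicOS guide or the appliance, of what the Use TLS (SSL), Start TLS and Require valid certificate from server options amount to in a TLS client, written with Python's standard ssl module. The port constants, the function names and the sanity rules in plan_bind are this example's own assumptions drawn from the note above; nothing here contacts a real LDAP server.

```python
import ssl

# Port conventions assumed by this example (the page's default of 636 is LDAPS).
LDAPS_PORT = 636   # TLS is negotiated before any LDAP message is sent
LDAP_PORT = 389    # plaintext port; Start TLS upgrades an open session in place


def ldap_tls_context(require_valid_cert, ca_file=None):
    """Build the TLS client context for the LDAP connection.

    require_valid_cert=True mirrors 'Require valid certificate from server':
    the certificate must chain to a trusted CA (system store, or ca_file) and
    its subject/SAN must match the host name we connected to, which is why the
    Name field should hold a DNS name rather than an IP address.
    require_valid_cert=False is the weak setting: the session is encrypted,
    but any certificate is accepted, so the peer is never authenticated.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + name check
    if not require_valid_cert:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx):
    """True only if the context validates the chain and matches the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def plan_bind(port, use_tls, start_tls):
    """Work out how TLS will be established for a port/option combination.

    Returns (mode, warnings). Modes: 'plaintext', 'ldaps' (immediate TLS) or
    'starttls'. The warnings encode this example's reading of the note above:
    Start TLS belongs on a port shared by TLS and non-TLS traffic.
    """
    warnings = []
    if not use_tls:
        if start_tls:
            warnings.append("Start TLS only applies when Use TLS (SSL) is checked")
        return "plaintext", warnings
    if start_tls:
        if port == LDAPS_PORT:
            warnings.append("port 636 expects TLS from the first byte; only use "
                            "Start TLS when TLS and non-TLS share one port")
        return "starttls", warnings
    if port == LDAP_PORT:
        warnings.append("immediate TLS on port 389 will usually fail; servers "
                        "expect Start TLS on the plaintext port")
    return "ldaps", warnings
```

With the default port of 636 and Use TLS (SSL) checked, plan_bind reports 'ldaps' with no warnings; the context from ldap_tls_context(True) is the one to pair with it, since an unauthenticated TLS session still lets anyone on the path impersonate the directory server.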
Step 14 The Object class field defines which attribute represents the individual user account to which the next two fields apply. This will not be modifiable unless you select User defined.
Step 15 The Login name attribute field defines which attribute is used for login authentication. This will not be modifiable unless you select User defined.

Step 23 In the User tree for login to server field, specify the tree in which the user specified in the 'Settings' tab resides. For example, in AD the 'administrator' account's default tree is the same as the user tree.
Step 24 In the Trees containing users field, specify the trees where users commonly reside in the LDAP directory.

If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the 'Domain to search' accordingly and selecting 'Append to existing trees' on each subsequent run.
Step 27 Select the LDAP Users tab.
Step 28 Check the Allow only users listed locally box to require that LDAP users also be present in the SonicWALL security appliance local user database for logins to be allowed.

The SonicWALL security appliance can retrieve group memberships more efficiently in the case of Active Directory by taking advantage of its unique trait of returning a 'memberOf' attribute for a user.
Step 31 Click the Import user groups button to import user groups from the LDAP server. The names of user groups on the LDAP server need to be duplicated on the SonicWALL if they are to be used in policy rules, CFS policies, etc.
Step 32 Select the LDAP Relay tab.

– VPN Zone
Step 35 In the RADIUS shared secret field, enter a shared secret common to all remote SonicWALL security appliances.
Step 36 In the User groups for legacy users fields, define the user groups that correspond to the legacy 'VPN users,' 'VPN client users,' 'L2TP users' and 'users with Internet access' privileges.

Configuring Firewall Access Rules
Firewall access rules provide the administrator with the ability to control user access. Rules set under Firewall > Access Rules are checked against the user group memberships returned from an SSO LDAP query, and are applied automatically. Access rules are network management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.

The Enable login session limit and corresponding Login session limit (minutes) settings under User Session Settings apply to users logged in using SSO. SSO users will be logged out according to session limit settings, but will be automatically and transparently logged back in when they send further traffic.
Note Do not set the login session limit interval too low. This could potentially cause performance problems, especially for deployments with many users.

Configuring Additional Administrator User Profiles
To configure additional administrator user profiles, perform the following steps:
Step 1 While logged in as admin, navigate to the Users > Local Users page.
Step 2 Click the Add User button.
Step 3 Enter a Name and Password for the user.
Step 4 Click on the Group Membership tab.

When using RADIUS or LDAP authentication, if you want to keep the configuration of administrative users local to the appliance whilst having those users authenticated by RADIUS/LDAP, perform these steps:
Step 1 Navigate to the Users > Settings page.
Step 2 Select either the RADIUS + Local Users or LDAP + Local Users authentication method.
Step 3 Click the Configure button.

Activating Configuration Mode
When logging in as a user with full administrator rights (that is not the admin user), the User Login Status window is displayed. To go to the SonicWALL user interface, click the Manage button. You will be prompted to enter your password again. This is a safeguard to protect against unauthorized access when administrators are away from their computers and do not log out of their session.

To switch from non-config mode to full configuration mode, perform the following steps:
Step 1 Navigate to the System > Administration page.
Step 2 In the Web Management Settings section, click on the Configuration mode button. If there is not currently an administrator in configuration mode, you will automatically be entered into configuration mode.
Step 3 If another administrator is in configuration mode, the following message displays.

Verifying Multiple Administrators Support Configuration
User accounts with administrator and read-only administrator privileges can be viewed on the Users > Local Groups page. Administrators can determine which configuration mode they are in by looking at either the top right corner of the management interface or at the status bar of their browser. To display the status bar in Firefox and Internet Explorer, click on the View menu and enable the status bar. By default, Internet Explorer 7.

When the administrator is in read-only mode, the top right corner of the interface displays Read-Only Mode. The status bar displays Read-only mode - no changes can be made. When the administrator is in non-config mode, the top right of the interface displays Non-Config Mode. Clicking on this text links to the System > Administration page where you can enter full configuration mode. The status bar displays Non-config mode - configuration changes not allowed.
Chapter 53: Managing Guest Services and Guest Accounts

Users > Guest Services
Guest accounts are temporary accounts set up for users to log into your network. You can create these accounts manually, as needed, or generate them in batches. SonicOS includes profiles you can configure in advance to automate configuring guest accounts when you generate them. Guest accounts are typically limited to a predetermined life span. After their life span, by default, the accounts are removed.

Global Guest Settings
Check Show guest login status window with logout button to display a user login window on the user's workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.

Users > Guest Accounts
– Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires.
– Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to log in with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.

Viewing Guest Account Statistics
To view statistics on a guest account, hover your mouse over the Statistics icon in the line of the guest account. The statistics window will display the cumulative total bytes and packets sent and received for all completed sessions. Currently active sessions will not be added to the statistics until the guest user logs out.

Adding Guest Accounts
You can add guest accounts individually or generate multiple guest accounts automatically.

– Enable Guest Services Privilege: Check this for the account to be enabled upon creation.
– Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to use this account at once.
– Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.

– Comment: Enter a descriptive comment.
Step 3 In the Guest Services tab, configure:
– Enable Guest Services Privilege: Check this for the accounts to be enabled upon creation.
– Enforce login uniqueness: Check this to allow only one instance of each generated account to log into the security appliance at one time. Leave it unchecked to allow multiple users to use this account at once.

Printing Account Details
You can print a summary of a guest account. Click the print icon to launch a summary account report page and send that page to an active printer.

Users > Guest Status
The Guest Status page reports on all the guest accounts currently logged in to the security appliance. The page lists:
• Name: The name of the guest account.
• IP: The IP address the guest user is connecting to.

• Session Expiration: The time when the current session expires.
• Statistics: Hover your mouse over the Statistics icon to view statistics for total received and sent bytes and packets for this guest user's current session.
• Logout: Click the Logout icon to log the guest user off of the security appliance.
Click Refresh in the top right of the page at any time to update the information in the list.
Part 11: Security Services
Chapter 54: Managing SonicWALL Security Services

SonicWALL Security Services
SonicWALL, Inc. offers a variety of subscription-based security services to provide layered security for your network. SonicWALL security services are designed to integrate seamlessly into your network to provide complete protection.

Note For more information on SonicWALL security services, please visit http://www.sonicwall.com.
Note Complete product documentation for SonicWALL security services is available on the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html.

Security Services Summary
The Security Services > Summary page lists the available SonicWALL security services and upgrades for your SonicWALL security appliance and provides access to mySonicWALL.

If your SonicWALL security appliance is not registered, the Security Services > Summary page does not include the Services Summary table. Your SonicWALL security appliance must be registered to display the Services Summary table.

mySonicWALL.com
To activate SonicWALL Security Services, you need to have a mySonicWALL.com account and your SonicWALL security appliance must be registered. Creating a mySonicWALL.com account is easy and free. You can create a mySonicWALL.

Managing Security Services Online
Clicking the Manage Licenses button displays the mySonicWALL.com Login page for accessing your mySonicWALL.com account licensing information. Enter your mySonicWALL.com username and password in the User Name and Password fields, and then click Submit. The System > Licenses page is displayed with the Manage Services Online table. The information in the Manage Services Online table is updated from your mySonicWALL.com account.

Security Services Information
This section includes a brief overview of services available for your SonicWALL security appliance.

Update Signature Manually
The Manual Signature Update feature is intended for networks where reliable, broadband Internet connectivity is either not possible or not desirable (for security reasons). The Manual Signature Update feature provides a method to update the latest signatures at the network administrator's discretion.

To manually update signature files, complete the following steps:
Step 1 On the Security Services > Summary page, scroll to the Update Signatures Manually heading at the bottom of the page. Note the Signature File ID for the device.
Step 2 Log on to http://www.mysonicwall.com using the mysonicwall.com account that was used to register the SonicWALL security appliance.

Note The signature file can only be used on SonicWALL security appliances that are registered to the mysonicwall.com account that downloaded the signature file.
Step 3 Click on Download Signatures under the Downloads heading.
Step 4 In the pull-down window next to Signature ID:, select the appropriate SFID for your SonicWALL security appliance.
Step 5 Download the signature update file by clicking on Click here to download the Signature file.
Chapter 55: Configuring SonicWALL Content Filtering Service

Security Services > Content Filter
The Security Services > Content Filter page allows you to configure the SonicWALL Restrict Web Features and Trusted Domains settings, which are included with SonicOS Enhanced. You can activate and configure SonicWALL Content Filtering Service (SonicWALL CFS) as well as two third-party Content Filtering products from the Security Services > Content Filter page.

SonicWALL Content Filtering Service
SonicWALL Content Filtering Service (CFS) enforces protection and productivity policies for businesses, schools and libraries to reduce legal and privacy risks while minimizing administration overhead. SonicWALL CFS utilizes a dynamic database of millions of URLs, IP addresses and domains to block objectionable, inappropriate or unproductive Web content.

You can also access the SonicWALL CFS URL Rating Review Request form by clicking on the here link in "If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here." If SonicWALL CFS is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL CFS from a SonicWALL reseller or from your mySonicWALL.com account (limited to customers in the USA and Canada).

• SonicWALL CFS - Selecting SonicWALL CFS as the Content Filter Type allows you to use the SonicWALL Content Filtering Service that is available as an upgrade. You can obtain more information about SonicWALL Content Filtering Service at http://www.sonicwall.com/products/cfs.html
• N2H2 - N2H2 is a third-party content filter software package supported by the SonicWALL security appliance.

Trusted Domains
Trusted Domains can be added to enable content from specific domains to be exempt from Restrict Web Features. If you trust content on specific domains and want them exempt from Restrict Web Features, follow these steps to add them:
Step 1 Check the Don't block Java/ActiveX/Cookies to Trusted Domains checkbox.
Step 2 Click Add. The Add Trusted Domain Entry window is displayed.
Step 3 Enter the trusted domain name in the Domain Name field.

Message to Display when Blocking
You can enter your customized text to display to the user when access to a blocked site is attempted. The default message is This site is blocked by the SonicWALL Content Filter Service. Any message, including embedded HTML, up to 255 characters long, can be entered in this field.

Configuring SonicWALL Filter Properties
You can customize SonicWALL filter features included with SonicOS from the SonicWALL Filter Properties window.

Warning Do not include the prefix "http://" in either the Allowed Domains or Forbidden Domains fields. All subdomains are affected. For example, entering "yahoo.com" applies to "mail.yahoo.com" and "my.yahoo.com".
To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete. Once the domain has been deleted, the Status bar displays Ready.

Enable Keyword Blocking
To enable blocking using Keywords, select Enable Keyword Blocking.
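As an added example (not SonicWALL code and not a description of the appliance's internals), the following shows the domain-list semantics the warning above describes: list entries are bare domain names, an entry covers the domain itself and every subdomain on a label boundary, and keyword blocking is applied to the whole URL when it is enabled. The order in which Allowed Domains, Forbidden Domains and keywords are consulted is this example's assumption, and the helper names are its own.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Lowercase host name of a URL; tolerates a missing scheme and a port."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def normalize_domain(entry):
    """Reduce a list entry to a bare domain: drop a pasted scheme or path,
    lowercase it, and strip surrounding dots. The page says not to enter the
    http:// prefix; normalizing here makes that mistake harmless instead of
    silently producing an entry that never matches."""
    entry = entry.strip().lower()
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    return entry.split("/")[0].strip(".")


def domain_matches(host, entry):
    """True if host is the entry itself or any subdomain of it. The match is
    on a label boundary, so 'yahoo.com' covers 'mail.yahoo.com' but must not
    cover 'notyahoo.com'."""
    entry = normalize_domain(entry)
    if not entry:
        return False
    return host == entry or host.endswith("." + entry)


def classify_url(url, allowed_domains, forbidden_domains,
                 keywords=(), keyword_blocking=False):
    """Decide what happens to a request. Allowed Domains are checked first
    (an assumption of this example, not documented precedence), then
    Forbidden Domains, then keywords when keyword blocking is enabled."""
    host = host_of(url)
    if any(domain_matches(host, e) for e in allowed_domains):
        return "allow"
    if any(domain_matches(host, e) for e in forbidden_domains):
        return "block:forbidden-domain"
    if keyword_blocking:
        lowered = url.lower()
        for kw in keywords:
            if kw.strip() and kw.lower() in lowered:
                return "block:keyword"
    return "allow"
```

The label-boundary check in domain_matches is the detail worth copying: a plain suffix test would let "notyahoo.com" inherit whatever policy was set for "yahoo.com".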
the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field. When the default value of zero (0) is entered, this feature is disabled.
• User Idle Timeout (minutes) - After a period of Web browser inactivity, the SonicWALL security appliance requires the user to agree to the terms outlined in the Consent page before accessing the Internet again.

Configuring N2H2 Internet Filtering
N2H2 is a third-party Internet filtering package that allows you to use Internet content filtering through the SonicWALL.
Step 1 Select N2H2 from the Content Filter Type list.
Step 2 Click Configure to display the N2H2 Properties window.
Note You specify enforcement of content filtering on the Network > Zones page.

N2H2 Properties
The General page includes the following settings.

URL Cache
• Cache Size (KB) - Configure the size of the URL Cache in KB for the SonicWALL.
Tip A larger URL Cache size can provide noticeable improvements in Internet browsing response times.

Message to Display when Blocking
You can enter your customized text in the Message to Display when Blocking text box that displays to the user when access to a blocked site is attempted. The default message is The site is blocked by the SonicWALL Content Filter Service. Any message, including embedded HTML, up to 255 characters long, can be entered in this field.

– Block traffic to all Web sites - Selecting this option blocks traffic to all Web sites except Allowed Domains until the N2H2 server is available.
– Allow traffic to all Web sites - Selecting this option allows traffic to all Web sites without Websense Enterprise server filtering. However, Forbidden Domains and Keywords, if enabled, are still blocked.

URL Cache
• Cache Size (KB) - Configure the size of the URL Cache in KB.

Trusted Domains
Trusted Domains can be added in the Restrict Web Features section. If you trust content on specific domains, you can select Don't block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL by clicking on Add. The Add Trusted Domain Entry window appears for entering the trusted domain name.
Chapter 56: Activating SonicWALL Client Anti-Virus

Security Services > Anti-Virus
By their nature, anti-virus products typically require regular, active maintenance on every PC. When a new virus is discovered, all anti-virus software deployed within an organization must be updated with the latest virus definition files. Failure to do so severely limits the effectiveness of anti-virus software and disrupts productive work time.

Activating SonicWALL Client Anti-Virus
If SonicWALL Client Anti-Virus is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL Client Anti-Virus from a SonicWALL reseller or from your mySonicWALL.com account (limited to customers in the USA and Canada).
Note For complete SonicWALL Client Anti-Virus documentation, see the SonicWALL Client Anti-Virus Administrator's Guide available at http://www.sonicwall.com/us/Support.

Note You must have a mySonicWALL.com account and your SonicWALL must be registered to activate SonicWALL Client Anti-Virus.
Step 1 Click the SonicWALL Client Anti-Virus Subscription link on the Security Services > Anti-Virus page. The mySonicWALL.com Login page is displayed.
Step 2 Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed.

Activating a SonicWALL Client Anti-Virus FREE TRIAL
You can try a FREE TRIAL of SonicWALL Client Anti-Virus by following these steps:
Step 1 Click the FREE TRIAL link. The mySonicWALL.com Login page is displayed.
Step 2 Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mySonicWALL.

– Low Risk - A virus that is not reported in the field and is considered unlikely to be found in the field in the future has a low risk. Even if such a virus includes a very serious or unforeseeable damage payload, its risk is still low.
– Medium Risk - If a virus is found in the field, and if it uses a less common infection mechanism, it is considered to be medium risk. If its prevalence stays low and its payload is not serious, it can be downgraded to a low risk.

Security Services > E-mail Filter
The E-Mail Filter allows the administrator to selectively delete or disable inbound e-mail attachments as they pass through the SonicWALL security appliance. This feature provides control over executable files and scripts, and applications sent as e-mail attachments.
Note E-Mail Filter is included with the Client Anti-Virus service subscription. When you activate SonicWALL Client Anti-Virus, E-Mail Filter is automatically activated.
Chapter 57: Managing SonicWALL Gateway Anti-Virus Service

Security Services > Gateway Anti-Virus
SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL's IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWALL gateway. Building on SonicWALL's reassembly-free architecture, SonicWALL GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic.

SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching downloaded or e-mailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWALL's SonicAlert Team, third-party virus analysts, open source developers and other sources.

Remote Site Protection
Step 1 Users send typical e-mail and files between remote sites and the corporate office.
Step 2 SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security appliance.
Step 3 Viruses are found and blocked before infecting remote desktops.
Step 4 The virus is logged and an alert is sent to the administrator.

HTTP File Downloads
Step 1 Client makes a request to download a file from the Web.
Step 2 File is downloaded through the Internet.
Step 3 File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
Step 4 If a virus is found, the file is discarded.
Step 5 The virus is logged and an alert is sent to the administrator.
[Figure: HTTP file download protection. Labels: Web Server, HTTP Request, PRO 5060, Infected File, Virus Discarded, Alert Logged]

Server Protection
Step 1 Outside user sends an incoming e-mail.

single-pass, per-packet basis. Reassembly-free virus scanning functionality of the SonicWALL GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream.

Note If you already have a mySonicWALL.com account, go to "Registering Your SonicWALL Security Appliance" on page 721.
Step 1 Log into the SonicWALL security appliance management interface.
Step 2 If the System > Status page is not displayed in the management interface, click System in the left-navigation menu, and then click Status.

Registering Your SonicWALL Security Appliance
Step 1 Log into the SonicWALL security appliance management interface.
Step 2 If the System > Status page is not displayed in the management interface, click System in the left-navigation menu, and then click Status.
Step 3 On the System > Status page, in the Security Services section, click the Register link. The mySonicWALL.com Login page is displayed.
Step 4 Enter your mySonicWALL.

If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services:
Step 1 On the Security Services > Gateway Anti-Virus page, click the SonicWALL Gateway Anti-Virus Subscription link. The mySonicWALL.com Login page is displayed.
Step 2 Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit.

Activating FREE TRIALs
You can try FREE TRIAL versions of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service. You must activate each service separately from the Manage Services Online table on the System > Licenses page or by clicking the FREE TRIAL link on the respective Security Services page (i.e. Security Services > Gateway Anti-Virus).

The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL GAV on your SonicWALL security appliance.

Enabling SonicWALL GAV
You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings section to enable SonicWALL GAV on your SonicWALL security appliance. You must specify the zones on which you want SonicWALL GAV protection on the Network > Zones page.

Applying SonicWALL GAV Protection on Zones
You can enforce SonicWALL GAV not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing LAN traffic.

Note You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.

Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for new signature updates. You can also manually update your SonicWALL GAV database at any time by clicking the Update button located in the Gateway Anti-Virus Status section. SonicWALL GAV signature updates are secured.
Enable Inbound Inspection protocol traffic handling is represented as a table:

Enabling Outbound SMTP Inspection
The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the internally hosted SMTP server for viruses.

• Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP) that are enabled for inspection.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the transfer of any MS Office 97 and above files that contain VBA macros.
• Restrict Transfer of packed executable files (UPX, FSG, etc.
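To show what two of these restrictions have to recognize on the wire, here is an added, self-contained inspector in Python. It is not SonicWALL GAV code and does not describe how the appliance implements the options; it flags ZIP archives whose entries carry the encryption flag (the "password-protected Zip" case) and PE executables whose section names start with UPX (one common "packed executable" case). The sample archive and the PE-shaped byte string are constructed inline by the block's own helpers and contain no real executable code.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0: entry is encrypted
PE_SIG = b"PE\x00\x00"


def zip_encrypted_entries(data):
    """Return the names of entries whose local header has the encryption flag.
    Walks the local file headers directly rather than trusting the central
    directory, so a truncated archive still reports the entries it contains."""
    names, pos = [], 0
    while True:
        pos = data.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):      # 30 = fixed local header size
            break
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        comp_size = struct.unpack_from("<I", data, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        if flags & ZIP_FLAG_ENCRYPTED:
            names.append(name)
        pos += 30 + name_len + extra_len + comp_size
    return names


def pe_section_names(data):
    """Parse just enough of a PE image to list its section names ([] if not PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return []
    coff = e_lfanew + 4                                   # 20-byte COFF header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table start
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]     # 40-byte section header
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def is_upx_packed(data):
    """UPX names the sections it creates UPX0/UPX1/..., a cheap giveaway."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


def inspect_transfer(data):
    """Apply the two restrictions; returns the labels that fire (maybe none)."""
    findings = []
    if data.startswith(ZIP_LOCAL_SIG) and zip_encrypted_entries(data):
        findings.append("password-protected zip")
    if is_upx_packed(data):
        findings.append("packed executable")
    return findings


# Constructed samples: only the header bytes the parsers above read.

def build_sample_zip(encrypted):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption flag in the first local header (offset 6). The
        # payload stays in the clear; the detector only looks at the flag.
        flags = struct.unpack_from("<H", data, 6)[0] | ZIP_FLAG_ENCRYPTED
        struct.pack_into("<H", data, 6, flags)
    return bytes(data)


def build_sample_pe(section_names):
    """A PE-shaped byte string with the given section names; not runnable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32
                        for n in section_names)
    return bytes(dos) + PE_SIG + coff + sections
```

inspect_transfer(build_sample_zip(True)) returns the password-protected-zip label and inspect_transfer(build_sample_pe(["UPX0", "UPX1", ".rsrc"])) the packed-executable label. Two caveats a practitioner should keep in mind: a packer can rename its sections, so section names catch only the default UPX build (other packers such as FSG need their own heuristics), and a ZIP walker that follows the declared compressed size can be thrown off by an entry that uses a data descriptor, which is why the loop re-searches for the signature instead of assuming headers are contiguous.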
If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a virus is detected in an e-mail or attachment, check the Disable SMTP Responses box.

Configuring HTTP Clientless Notification
The HTTP Clientless Notification feature notifies users when GAV detects an incoming threat from an HTTP server.

Optionally, you can configure the timeout for the HTTP Clientless Notification on the Security Services > Summary page under the Security Services Summary heading.

Configuring a SonicWALL GAV Exclusion List
Any IP addresses listed in the exclusion list bypass virus scanning on their traffic. The Gateway AV Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded from SonicWALL GAV scanning.

Viewing SonicWALL GAV Signatures
The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the SonicWALL GAV signature database downloaded to your SonicWALL security appliance.
Note Signature entries in the database change over time in response to new threats.

Searching the Gateway Anti-Virus Signature Database
You can search the signature database by entering a search string in the Lookup Signatures Containing String field, then clicking the edit (Notepad) icon. The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table.
Chapter 58: Activating Intrusion Prevention Service

Security Services > Intrusion Prevention Service

SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, e-mail, file transfer, Windows services and DNS. SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and backdoor exploits.

How SonicWALL’s Deep Packet Inspection Works

Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWALL Intrusion Prevention Service.

• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities.
• Intrusion Detection - a process of identifying and flagging malicious activity aimed at information technology.
• False Positive - a falsely identified attack traffic pattern.

Tip If your SonicWALL security appliance is connected to the Internet and registered at mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL Gateway AntiVirus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service separately from the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware, and Security Services > Intrusion Prevention pages in the management interface.

Note Remember your username and password to access your mySonicWALL.com account.

Step 6 Click Submit after completing the MySonicWALL Account form.

Step 7 When the mySonicWALL.com server has finished processing your account, you will see a page saying that your account has been created. Click Continue. Congratulations. Your mySonicWALL.com account is activated. Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.

Note Clicking on the Continue button does not activate the FREE TRIAL versions of these SonicWALL Security Services.

Step 6 At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security appliance in the Friendly Name field. The friendly name allows you to easily identify your SonicWALL content security appliance in your mySonicWALL.com account.

Step 7 Please complete the Product Survey.

If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services:

Step 1 On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.

Step 2 Enter your mySonicWALL.

Setting Up SonicWALL Intrusion Prevention Service Protection

Activating the SonicWALL Intrusion Prevention Service license on your SonicWALL security appliance does not automatically enable the protection. To configure SonicWALL Intrusion Prevention Service to begin protecting your network, you need to perform the following steps:

Step 1 Enable SonicWALL Intrusion Prevention Service.

Step 2 Specify the Priority attack Groups.

information on configuring global signature groups, refer to “Configuring Global Signature Groups” in the SonicWALL Intrusion Prevention Service Administrator’s Guide available on the SonicWALL Resource CD or at
Chapter 59: Activating Anti-Spyware Service

Security Services > Anti-Spyware Service

SonicWALL Anti-Spyware is part of the SonicWALL Gateway Anti-Virus, Anti-Virus and Intrusion Prevention Service solution that provides comprehensive, real-time protection against viruses, worms, Trojans, spyware, and software vulnerabilities.

Note Refer to the SonicWALL Anti-Spyware Administrator’s Guide on the SonicWALL Web site: http://www.sonicwall.com/us/Support.html for complete product documentation.

Creating a mySonicWALL.com Account

Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online registration form in the SonicWALL security appliance management interface.

Note If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security Appliance” on page 748.

Step 1 Log into the SonicWALL security appliance management interface.

Registering Your SonicWALL Security Appliance

Step 1 Log into the SonicWALL security appliance management interface.

Step 2 If the System > Status page is not displaying in the management interface, click System in the left-navigation menu, and then click Status.

Step 3 On the System > Status page, in the Security Services section, click the Register link. The mySonicWALL.com Login page is displayed.

Step 4 Enter your mySonicWALL.

To try a FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, or SonicWALL Intrusion Prevention Service, perform these steps:

Step 1 Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware, or Security Services > Intrusion Prevention page. The mySonicWALL.com Login page is displayed.

Step 2 Enter your mySonicWALL.

If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services:

Step 1 On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion Prevention Service Subscription link. The mySonicWALL.com Login page is displayed.

Step 2 Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit.

Refer to the SonicWALL Anti-Spyware Administrator’s Guide on the SonicWALL Web site: http://www.sonicwall.com/us/Support.html for complete configuration instructions.
Chapter 60: Configuring SonicWALL Real-Time Blacklist

SMTP Real-Time Black List Filtering

SMTP Real-time Black List (RBL) is a mechanism for publishing the IP addresses of SMTP servers from which or through which spammers operate. There are a number of organizations that compile this information, both for free (http://www.spamhaus.org) and for profit (http://www.mail-abuse.com). A well maintained list of RBL services and their efficacy can be found at: http://www.sdsc.edu/~jeff/spam/cbc.

Note Most spam today is known to be sent from hijacked or zombie machines running a thin SMTP server implementation, unbeknownst to the host’s operator. These zombie machines rarely attempt to retry failed delivery attempts, as would be the behavior of a legitimate SMTP server. As such, once the delivery attempt is thwarted by the SonicWALL RBL filter, no subsequent delivery attempts for that same piece of spam will be made.

To add an RBL service, click the Add button. In the Add RBL Domain window, you specify the RBL domain to be queried, enable it for use, and specify its expected response codes. Most RBL services list the responses they provide on their Web site, although selecting Block All Responses is generally acceptable. Statistics are maintained for each RBL Service in the RBL Service table, and can be viewed with a mouse-over of the (statistics) icon to the right of the service entry.
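The decision an RBL check makes with the settings above (RBL domain, enabled flag, expected response codes or Block All Responses), as an added example that is not SonicWALL code. The RBL domain "rbl.example", the client addresses and the DNS answers are constructed so the example runs offline; the query-name construction (reversed IPv4 octets prepended to the RBL domain) is the standard DNSBL convention.

```python
# Added example, not SonicWALL code: how an SMTP RBL check decides to block.
# Models the Add RBL Domain settings: the RBL domain to query, an enabled flag,
# and either a set of expected response codes or "Block All Responses".
# DNS is replaced by a constructed in-memory table so the example runs offline.
# Per-service statistics are kept, as the RBL Service table does.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RblService:
    domain: str                      # the RBL domain entered in Add RBL Domain
    enabled: bool = True
    block_all_responses: bool = False
    expected_responses: set = field(default_factory=set)   # e.g. {"127.0.0.2"}
    stats: dict = field(default_factory=lambda: {"queries": 0, "hits": 0})


def dnsbl_query_name(client_ip: str, rbl_domain: str) -> str:
    """192.0.2.10 queried against rbl.example becomes 10.2.0.192.rbl.example."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain


# Constructed answers for the hypothetical RBL domain "rbl.example": a listed
# address resolves to a 127.0.0.0/8 response code, an unlisted one gets no answer.
CONSTRUCTED_DNS = {
    "10.2.0.192.rbl.example": ["127.0.0.2"],   # listed as a spam source
    "20.2.0.192.rbl.example": ["127.0.0.9"],   # listed, but with a code we did not expect
}


def resolve(name: str, dns=CONSTRUCTED_DNS):
    """Stand-in for a DNS A query; returns the answer list, or None for NXDOMAIN."""
    return dns.get(name)


def should_block(client_ip: str, services, dns=CONSTRUCTED_DNS):
    """Return (blocked, reason) for a connecting SMTP client.

    Only enabled services are queried.  A service lists the client when the
    query returns any answer; the connection is blocked when that service is
    set to Block All Responses or the answer is one of its expected codes.
    """
    for svc in services:
        if not svc.enabled:
            continue
        svc.stats["queries"] += 1
        answers = resolve(dnsbl_query_name(client_ip, svc.domain), dns)
        if not answers:
            continue                     # NXDOMAIN: not listed by this service
        if svc.block_all_responses or any(a in svc.expected_responses for a in answers):
            svc.stats["hits"] += 1
            return True, f"{svc.domain} answered {answers[0]}"
    return False, "not listed by any enabled RBL service"
```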
Chapter 61: Configuring SonicWALL Global Security Client

Security Services > Global Security Client

The SonicWALL Global Security Client combines gateway enforcement, central management, configuration flexibility and software deployment to deliver comprehensive desktop security for remote/mobile workers and corporate networks.

gateway administrator automatically updates the Global Security Client with the latest security policies and software updates. No prompting or intervention is necessary by the administrator or the remote user - it’s completely seamless and transparent.

• Policy Management - enables network administrators to create, distribute and manage global security policies for remote and mobile users from a central location. Once a new policy is created, it is seamlessly distributed to every system on the network with no end-user interaction required. Configuration options include specifying the minimum application version, policy levels and behavior for clients not in compliance.

SonicWALL’s Distributed Enforcement Architecture (DEA) technology enables the policy enforcement capabilities that provide the framework for the Global Security Client’s complete security solution for all remote and network desktops.

Configuring Security Policies for Global Security Clients

The Security Services > Global Security Client page provides the settings for configuring the security policies for Global Security Clients.
Part 12: Log
Chapter 62: Managing Log Events

Log > View

The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column. The SonicWALL security appliance can alert you of important events, such as an attack to the SonicWALL security appliance.

Log View Table

The log is displayed in a table and is sortable by column. The log table columns include:
• Time - the date and time of the event.
• Priority - the level of priority associated with your log event.

Clear Log

To delete the contents of the log, click the Clear Log button near the top right corner of the page.

Export Log

To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats:
• Plain text format - Used in log and alert e-mail.
• Comma-separated value (CSV) format - Used for importing into Excel or other presentation development applications.

Source interface AND Destination interface

Step 3 Check the Group box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group next to Source IP and Destination IP, the search string will look for connections matching:

(Source IP OR Destination IP) AND Protocol

Step 4 Click Apply Filter to apply the filter immediately to the Active Connections table.
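The filter combination rule from Steps 3 and 4, as an added example that is not SonicWALL code: criteria are ANDed, except that those with Group checked are ORed together first. The connection rows and the field names (src_ip, dst_ip, protocol, src_if, dst_if) are constructed for the example.

```python
# Added example, not SonicWALL code: the Group/AND filter rule from Steps 3-4.
# Every criterion entered is ANDed with the others, except that criteria whose
# Group box is checked are ORed together first, so grouping Source IP and
# Destination IP with Protocol ungrouped gives
# (Source IP OR Destination IP) AND Protocol.  Rows are constructed sample data.

LABELS = {"src_ip": "Source IP", "dst_ip": "Destination IP", "protocol": "Protocol",
          "src_if": "Source interface", "dst_if": "Destination interface"}

CONNECTIONS = [
    {"src_ip": "10.1.1.5",  "dst_ip": "203.0.113.7", "protocol": "TCP", "src_if": "X0", "dst_if": "X1"},
    {"src_ip": "10.1.1.9",  "dst_ip": "10.1.1.5",    "protocol": "UDP", "src_if": "X0", "dst_if": "X0"},
    {"src_ip": "10.1.1.9",  "dst_ip": "10.1.1.5",    "protocol": "TCP", "src_if": "X0", "dst_if": "X0"},
    {"src_ip": "10.1.1.22", "dst_ip": "192.0.2.1",   "protocol": "TCP", "src_if": "X0", "dst_if": "X1"},
]


def _split(criteria, grouped):
    """Split entered criteria into the ORed group and the ANDed remainder.

    Group only means something for two or more criteria; a single grouped
    field is treated like any other AND term.
    """
    or_fields = [f for f in criteria if f in grouped]
    and_fields = [f for f in criteria if f not in grouped]
    if len(or_fields) < 2:
        and_fields += or_fields
        or_fields = []
    return or_fields, and_fields


def describe(criteria, grouped=frozenset()):
    """Render the effective search expression, e.g. (Source IP OR Destination IP) AND Protocol."""
    or_fields, and_fields = _split(criteria, grouped)
    terms = []
    if or_fields:
        terms.append("(" + " OR ".join(LABELS[f] for f in or_fields) + ")")
    terms += [LABELS[f] for f in and_fields]
    return " AND ".join(terms)


def matches(conn, criteria, grouped=frozenset()):
    """criteria: {field: value} the user entered; grouped: fields with Group checked."""
    or_fields, and_fields = _split(criteria, grouped)
    if or_fields and not any(conn[f] == criteria[f] for f in or_fields):
        return False
    return all(conn[f] == criteria[f] for f in and_fields)


def apply_filter(conns, criteria, grouped=frozenset()):
    """Apply the filter to a list of connection rows, as Apply Filter does."""
    return [c for c in conns if matches(c, criteria, grouped)]
```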
Chapter 63: Configuring Log Categories

Log > Categories

This chapter provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.

Note You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a web-based graphical reporting tool for detailed and comprehensive reports.

Log Priority

This section provides information on configuring the level of priority at which log messages are captured and corresponding alert messages are sent through e-mail for notification.

Logging Level

The Logging Level control filters events by priority. Events of equal or greater priority are passed, and events of lower priority are dropped.

Log Categories

SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it’s become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.

Category              Log Type   Description
Firewall Logging      Extended   Logs general events and errors
Firewall Rule         Extended   Logs firewall rule modifications
GMS                   Extended   Logs GMS status event
High Availability     Extended   Logs High Availability activity
IPcomp                Extended   Logs IP compression activity
Intrusion Prevention  Extended   Logs intrusion prevention related activity
L2TP Client           Extended   Logs L2TP client activity
L2TP Server           Extended   Logs L2TP server activity
Multicast             Extended

Managing Log Categories

The Log Categories table displays log category information organized into the following columns:
• Category - Displays log category name.
• Description - Provides description of the log category activity type.
• Log - Provides checkbox for enabling/disabling the display of the log events on the Log > View page.
• Alerts - Provides checkbox for enabling/disabling the sending of alerts for the category.
Chapter 64: Configuring Syslog Settings

Log > Syslog

In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514.

Syslog Settings

Syslog Facility

Note See RFC 3164 - The BSD Syslog Protocol for more information.

• Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
• Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you’re using SonicWALL ViewPoint for your reporting solution. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.

Syslog Servers

Adding a Syslog Server

To add syslog servers to the SonicWALL security appliance:

Step 1 Click Add. The Add Syslog Server window is displayed.

Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.

Step 3 If your syslog is not using the default port of 514, type the port number in the Port Number field.

Step 4 Click OK.
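What the receiving end of this chapter's setup has to do with the RFC 3164 messages that arrive on UDP port 514, and how the facility/severity threshold of the Logging Level control in Log > Categories (equal or greater priority passes, lower is dropped) is applied to them, as an added example that is not SonicWALL code. The sample messages are constructed, and their text is not the appliance's log format; the facility and severity names are the RFC 3164 ones.

```python
# Added example, not SonicWALL code: decode the PRI field of RFC 3164 syslog
# messages received on UDP port 514 and apply a severity threshold that works
# like the Logging Level control (events of equal or greater priority pass,
# lower-priority events are dropped).  PRI = facility * 8 + severity, and a
# numerically smaller severity is a higher priority (0 = emergency).
# The sample messages below are constructed, not real appliance output.
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{i}" for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(raw: str):
    """Return (facility_name, severity_name, rest_of_message) for one RFC 3164 line."""
    m = _PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)


def passes_level(severity: str, logging_level: str) -> bool:
    """True when the event is at least as important as the configured level."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(logging_level)


def filter_messages(raw_lines, logging_level: str):
    """Keep only messages whose severity meets the threshold; skip malformed lines."""
    kept = []
    for line in raw_lines:
        try:
            facility, severity, text = parse_pri(line)
        except ValueError:
            continue                    # not a syslog line; a collector would count these
        if passes_level(severity, logging_level):
            kept.append((facility, severity, text))
    return kept


# Constructed sample input, as a collector on UDP 514 might receive it
# (facility local0 = 16, so PRI 134 = info, 131 = error, 129 = alert).
SAMPLE = [
    '<134>Oct 11 22:14:15 fw01 msg="Connection Opened"',
    '<131>Oct 11 22:14:16 fw01 msg="Packet dropped"',
    '<129>Oct 11 22:14:17 fw01 msg="Administrator login failed"',
    "garbage without a PRI",
]


def receive_loop(bind_addr="0.0.0.0", port=514, logging_level="notice"):
    """Minimal UDP 514 collector (binding a port below 1024 needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            datagram, peer = sock.recvfrom(65535)
            line = datagram.decode("utf-8", "replace")
            for fac, sev, text in filter_messages([line], logging_level):
                print(f"{peer[0]} {fac}.{sev} {text}")


if __name__ == "__main__":
    for entry in filter_messages(SAMPLE, "error"):
        print(entry)
```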
Chapter 65: Configuring Log Automation

Log > Automation

The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.

E-mail Log Automation

• Send Log to E-mail address - Enter your e-mail address (username@mydomain.com) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
• Send Alerts to E-mail address - Enter your e-mail address (username@mydomain.com) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur.
Chapter 66: Configuring Name Resolution

Log > Name Resolution

The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the names/address pairs in a cache, to assist with future lookups.

• None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
• DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
• NetBios: The security appliance will use NetBios to resolve addresses and names. If you select NetBios, no further configuration is necessary.
• DNS then NetBios: The security appliance will first use the DNS server you specify to resolve addresses and names.
Chapter 67: Generating Log Reports

Log > Reports

The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.

Note SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances.

Data Collection

The Reports window includes the following functions and commands:
• Start Data Collection - Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
• Reset Data - Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.

Bandwidth Usage by IP Address

Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table showing the IP Address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.

Bandwidth Usage by Service

Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc.
Chapter 68: Activating SonicWALL ViewPoint

Log > ViewPoint

SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities.

Activating ViewPoint

The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods. If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Apply.

Warning You must have a mySonicWALL.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALL security appliance.

1.

3. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit.
4. If you activated SonicWALL ViewPoint at mySonicWALL.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL.
Part 13: Wizards
Chapter 69: Configuring Internet Connectivity Using the Setup Wizard

Wizards > Setup Wizard

The first time you log into the SonicWALL, the Setup Wizard is launched automatically. To launch the Setup Wizard at any time from the Management Interface, log into the SonicWALL. Click Wizards and select Setup Wizard.

The Setup Wizard screens change depending on the choices you make. For example, if you choose Guest Internet Gateway, the Setup Wizard will display the screens for Modem, WAN, WLAN, and Wireless Guest Services setup. It will not display the screens for LAN and WiFiSec setup, because they do not apply in a Guest Internet Gateway deployment.

Configuring a Static IP Address with NAT Enabled

Using NAT to set up your SonicWALL eliminates the need for public IP addresses for all computers on your LAN. It is a way to conserve IP addresses available from the pool of IPv4 addresses for the Internet. NAT also allows you to conceal the addressing scheme of your network. If you do not have enough individual IP addresses for all computers on your network, you can use NAT for your network configuration.

Note Your Web browser must be Java-enabled and support HTTP uploads in order to fully manage SonicWALL. Internet Explorer 5.0 and above as well as Netscape Navigator 4.0 and above meet these criteria.

1. Click the Setup Wizard button on the Network > Settings page. Read the instructions on the Welcome window and click Next to continue.

Change Password

2. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next.

Tip It is very important to choose a password which cannot be easily guessed by others.

Change Time Zone

3. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next.

WAN Network Mode

4. Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet. Click the hyperlinks for definitions of the networking terms. You can choose:
• Static IP, if your ISP assigns you a specific IP address or group of addresses.

WAN Network Mode: NAT Enabled

6. Enter the public IP address provided by your ISP in the SonicWALL WAN IP Address field, then fill in the rest of the fields: WAN/OPT/DMZ Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses. Click Next.

7. The LAN page allows the configuration of the SonicWALL LAN IP Addresses and the LAN Subnet Mask. The SonicWALL LAN IP Addresses are the private IP address assigned to the LAN port of the SonicWALL.

LAN DHCP Settings

8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select Enable DHCP Server, and specify the range of IP addresses that are assigned to computers on the LAN. If Disable DHCP Server is selected, you must configure each computer on your network with a static IP address on your LAN. Click Next.
Setup Wizard Complete

10. The SonicWALL stores the network settings.
11. Click Close to return to the SonicWALL Management Interface.

Configuring DHCP Networking Mode

DHCP is a networking mode that allows you to obtain an IP address for a specific length of time from a DHCP server. The length of time is called a lease, which is renewed by the DHCP server typically after a few days. When the lease is ready to expire, the client contacts the server to renew the lease.

Change Password

3. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next.

Tip It is very important to choose a password which cannot be easily guessed by others.

Change Time Zone

4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next.

WAN Network Mode

5. Select DHCP; the Obtain an IP address automatically window is displayed. Click Next.

WAN Network Mode: NAT with DHCP Client

6. The Obtain an IP address automatically window states that the ISP dynamically assigns an IP address to the SonicWALL. To confirm this, click Next. DHCP-based configurations are most common with cable modem connections.

LAN Settings

7. The Fill in information about your LAN page allows the configuration of SonicWALL LAN IP Addresses and Subnet Masks. SonicWALL LAN IP Addresses are the private IP addresses assigned to the LAN of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the networks. The default values provided by the SonicWALL are useful for most networks. Click Next.

8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server.

SonicWALL Configuration Summary

9. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next.

Setup Wizard Complete

10. The SonicWALL stores the network settings.
11. Click Close to return to the SonicWALL Management Interface.
Configuring NAT Enabled with PPPoE

NAT with PPPoE Client is a network protocol that uses Point to Point Protocol over Ethernet to connect with a remote site using various Remote Access Service products. This protocol is typically found when using a DSL modem with an ISP requiring a user name and password to log into the remote server. The ISP may then allow you to obtain an IP address automatically or give you a specific IP address.

1.

Change Password

3. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next.

Tip It is very important to choose a password which cannot be easily guessed by others.

Change Time Zone

4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next.

WAN Network Mode

5. The SonicWALL automatically detects the presence of a PPPoE server on the WAN. If not, then select PPPoE: Your ISP provided you with desktop software, a user name and password. Click Next.

WAN Network Mode: NAT with PPPoE Client

6. Select whether to use a dynamic or static IP address, and enter the user name and password provided by your ISP into the User Name and Password fields. Click Next.

LAN Settings

7. The LAN Settings page allows the configuration of SonicWALL LAN IP Addresses and LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL are useful for most networks. If you do not use the default settings, enter your preferred IP addresses in the fields. Click Next.

8.

SonicWALL Configuration Summary

9. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next.

Setup Wizard Complete

10. The SonicWALL stores the network settings.
11. Click Close to return to the SonicWALL Management Interface.
Configuring PPTP Network Mode

NAT with PPTP Client mode uses Point to Point Tunneling Protocol (PPTP) to connect to a remote server. It supports older Microsoft implementations requiring tunneling connectivity.

1. Click the Setup Wizard button on the Network > Settings page.
2. Read the instructions on the Welcome window and click Next to continue.

Change Password

3. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next.

Tip It is very important to choose a password which cannot be easily guessed by others.

Change Time Zone

Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next.

WAN Network Mode

4. Select PPTP: Provided you with a server IP address, a user name and password. Click Next.

WAN Network Mode: NAT with PPTP Client

5. Enter the user name and password provided by your ISP into the User Name and Password fields. Click Next.

LAN Settings

6. The LAN Settings page allows the configuration of SonicWALL LAN IP Addresses and LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL are useful for most networks. If you do not use the default settings, enter your preferred IP addresses in the fields. Click Next.

7.

SonicWALL Configuration Summary

8. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next.

Setup Wizard Complete

9. The SonicWALL stores the network settings.
10. Click Close to return to the SonicWALL Management Interface.
Chapter 70: Using the Registration & License Wizard

Wizards > Registration & License Wizard

The SonicWALL Registration and License Wizard simplifies the process of registering your SonicWALL security appliance and obtaining licenses for additional security services. To use the Registration and License Wizard, complete the following steps:

Step 1 Launch the SonicWALL Configuration Wizard window by clicking Wizards in the left navigation panel.

Step 2 Select Registration and License Wizard and click Next.

Step 3 A screen displays confirming that you are using the Registration and License Wizard. Click Next.

Step 4 If you already have a mysonicwall.com account, enter your username and password. Click Next. If you do not have a mysonicwall.com account, select Create a sonicwall.com account and click Next. Complete the fields on the User Registration page to create a mysonicwall.

Step 5 On the Choose security services page, select the security services you would like to purchase and click Next.

Step 6 The Registration and License Wizard launches your mysonicwall.com shopping cart. Make sure that your pop-up blocker is turned off.

Step 7 Verify that the services you want to purchase are listed in the shopping cart. When you are finished selecting security services, click Checkout.

Step 8 The mysonicwall.com checkout page displays. Enter your credit card and billing information and click Confirm.

Step 9 The Confirm page displays. Verify that your order is correct and click Confirm. You can now print a copy of your completed order.

Step 10 Close the mysonicwall.com window and return to the Registration and License Wizard.

Step 11 Click Next to synchronize your newly purchased licenses. The SonicWALL security appliance synchronizes with mysonicwall.com.

Step 12 Your new security services are now available on the SonicWALL security appliance. Click Close to close the wizard.
CHAPTER 71 Chapter 71: Configuring a Public Server with the Wizard Wizards > Public Server Wizard 1. Start the wizard: In the navigator, click Wizards. SonicOS Enhanced 4.
Wizards > Public Server Wizard 822 2. Select Public Server Wizard and click Next. 3. Select the type of server from the Server Type list. Depending on the type you select, the available services change. Check the box for the services you are enabling on this server. Click Next 4. Enter the name of the server. 5. Enter the private IP address of the server. Specify an IP address in the range of addresses assigned to zone where you want to put this server.
Wizards > Public Server Wizard 6. Click Next. 7. Enter the public IP address of the server. The default is the WAN public IP address. If you enter a different IP, the Public Server Wizard will create an address object for that IP address and bind the address object to the WAN zone. 8. Click Next. SonicOS Enhanced 4.
9. The Summary page displays a summary of all the configuration you have performed in the wizard. It should show:

   • Server Address Objects: The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the DMZ, the wizard binds the address object to the DMZ zone. It names the object with the name you specified for the server plus “_private”.
10. Click Apply in the Public Server Configuration Summary page to complete the wizard and apply the configuration to your SonicWALL.

Tip The new IP address used to access the new server, internally and externally, is displayed in the URL field of the Congratulations window.

11. Click Close to close the wizard.
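The zone binding the wizard performs in step 9, modelled as an added example (this is not SonicOS code): the private address object is named with the "_private" suffix the guide describes and bound to the zone whose range contains the private IP, and a public IP that differs from the WAN address gets its own object bound to WAN. The zone ranges, the WAN address, and the "_public" suffix are assumptions of this example.

```python
"""Model of the address objects the Public Server Wizard creates (added
example, not SonicOS code). Zone subnets and addresses are constructed."""
import ipaddress

# Constructed zone ranges; on a real appliance these come from the interfaces.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.168.0/24"),
    "DMZ": ipaddress.ip_network("10.0.0.0/24"),
}
WAN_PUBLIC_IP = "203.0.113.10"  # constructed, documentation address range


def zone_for(ip_str, zones=ZONES):
    """Return the zone whose address range contains ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in zones.items():
        if ip in net:
            return name
    return None


def wizard_objects(server_name, private_ip, public_ip=None,
                   wan_ip=WAN_PUBLIC_IP, zones=ZONES):
    """Return the address objects the wizard would create as {name: (ip, zone)}.

    <server>_private follows the guide; it is bound to the zone containing the
    private IP, and an IP outside every zone is rejected, matching the wizard's
    instruction to pick an address from the target zone's range. A public IP
    that differs from the WAN address gets a WAN-bound object; the "_public"
    suffix is this example's assumption.
    """
    zone = zone_for(private_ip, zones)
    if zone is None:
        raise ValueError(f"{private_ip} is not in any zone's address range")
    objects = {f"{server_name}_private": (private_ip, zone)}
    if public_ip is not None and public_ip != wan_ip:
        objects[f"{server_name}_public"] = (public_ip, "WAN")
    return objects


if __name__ == "__main__":
    print(wizard_objects("webserver", "10.0.0.20"))
    print(wizard_objects("webserver", "10.0.0.20", public_ip="203.0.113.11"))
```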
Chapter 72: Configuring VPN Policies with the VPN Policy Wizard

Wizards > VPN Wizard

The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN on the SonicWALL. After the configuration is completed, the wizard creates the necessary VPN settings for the selected VPN policy. You can use the SonicWALL Management Interface for optional advanced configuration options.
Using the VPN Policy Wizard

Step 1 In the top right corner of the VPN > Settings page, click on VPN Policy Wizard.

Step 2 Click Next.

Step 3 In the VPN Policy Type page, select WAN GroupVPN and click Next.

Step 4 In the IKE Phase 1 Key Method page, you select the authentication key to use for this VPN policy:
– Default Key: If you choose the default key, all your Global VPN Clients and Global Security Clients will automatically use the default key generated by the SonicWALL to authenticate with the SonicWALL.

– Use this Key: If you choose a custom preshared key, you must distribute the key to every VPN Client because the user is prompted for this key when connecting to the SonicWALL.
– Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. You can choose DES, 3DES, AES-128, or AES-256. The VPN uses this for all data through the tunnel.
Step 9

Note: If you enable user authentication, the users must be entered in the SonicWALL database for authentication. Users are entered into the SonicWALL database on the Users > Local Users page, and then added to groups in the Users > Local Groups page.

Click Next.

Step 10 In the Configure Virtual IP Adapter page, select whether you want to use the SonicWALL’s internal DHCP server to assign each VPN client IP address from the LAN zone’s IP range.
• The shared secret if you selected a custom preshared secret in the VPN Wizard.

• The authentication username and password.

Configuring a Site-to-Site VPN using the VPN Wizard

You use the VPN Policy Wizard to create the site-to-site VPN policy.
Using the VPN Wizard to Configure Preshared Secret

Step 1 On the System > Status page, click on Wizards.

Step 2 In the Welcome to the SonicWALL Configuration Wizard page, select VPN Wizard and click Next.

Step 3 In the VPN Policy Type page, select Site-to-Site and click Next.

Step 4 In the Create Site-to-Site Policy page, enter the following information:
– Policy Name: Enter a name you can use to refer to the policy. For example, Boston Office.

– Preshared Key: Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation. You can use the default SonicWALL generated Preshared Key.

– I know my Remote Peer IP Address (or FQDN): If you check this option, this SonicWALL can initiate the contact with the named remote peer. If you do not check this option, the peer must initiate contact to create a VPN tunnel.
If the object or group you want has not been created yet, select Create Object or Create Group. Create the new object or group in the dialog box that pops up. Then select the new object or group. For this example, select LAN Subnets.

– Destination Networks: Select the network resources on the destination end of the VPN Tunnel. If the object or group does not exist, select Create new Address Object or Create new Address Group. For example:

   a. Select Create new Address Group.

   b.
– Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. You can choose DES, 3DES, AES-128, or AES-256.
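A review pass over site-to-site policies built with the fields above (Policy Name, Preshared Key, the remote-peer option, and the encryption choice), added here as an example and not SonicOS code. It ranks the encryption methods in the order of security the guide lists them and reports policies below AES-128, short preshared keys, and policies this side cannot initiate; the policy records, their field names, and the two thresholds are this example's own assumptions, not the appliance's export format.

```python
"""Review of site-to-site VPN policies as the VPN Policy Wizard creates them
(added example, not SonicOS code). Policy records below are constructed and
their field names are this example's own, not the appliance's format."""

# Encryption methods in the order of security the guide lists, weakest first.
ENCRYPTION_ORDER = ["DES", "3DES", "AES-128", "AES-256"]
MIN_ACCEPTABLE = "AES-128"   # review threshold chosen for this example
MIN_PSK_LENGTH = 16          # review threshold chosen for this example


def strength(method):
    """Rank of an encryption method; names the wizard does not offer rank below DES."""
    return ENCRYPTION_ORDER.index(method) if method in ENCRYPTION_ORDER else -1


def review_policy(policy):
    """Return the list of findings for one site-to-site policy dict."""
    findings = []
    if strength(policy["encryption"]) < strength(MIN_ACCEPTABLE):
        findings.append(
            f"encryption {policy['encryption']} is weaker than {MIN_ACCEPTABLE}")
    if len(policy["preshared_key"]) < MIN_PSK_LENGTH:
        findings.append(f"preshared key shorter than {MIN_PSK_LENGTH} characters")
    if not policy["peer_known"]:
        # Per the guide, without the remote peer IP/FQDN the peer must initiate.
        findings.append("remote peer IP/FQDN not set: this side cannot initiate")
    return findings


def review_all(policies):
    """Map each policy name to its findings (empty list means no findings)."""
    return {p["name"]: review_policy(p) for p in policies}


# Constructed sample policies mirroring the wizard's fields.
SAMPLE_POLICIES = [
    {"name": "Boston Office", "encryption": "AES-256",
     "preshared_key": "constructed-sample-key-0123", "peer_known": True},
    {"name": "Branch 2", "encryption": "3DES",
     "preshared_key": "secret12", "peer_known": False},
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_POLICIES).items():
        print(name, "->", findings or ["no findings"])
```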
SonicWALL, Inc., 1143 Borregas Avenue, Sunnyvale CA 94089-1306. T +1 408.745.9600, F +1 408.745.9300, www.sonicwall.com

PN: 232-001213-00 Rev A 06/08

©2008 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.