User's Manual

ManualsBrandsSonicWALL ManualsHome Safety ProductTZ 180

COMPREHENSIVE INTERNET SECURITY

SonicOS 4.0 Enhanced

Administrator’s Guide

SonicWALL Internet Security Appliances

For the SonicWALL TZ 180 and TZ 190

Summary of content (843 pages)

PAGE 1
COMPREHENSIVE INTERNET SECURITY SonicWALL Internet Security Appliances SonicOS 4.
PAGE 2
PAGE 3
Table of Contents Table of Contents .........................................................................................iii Part 1: Introduction Chapter 1: Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23 Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23 Copyright Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23 Trademarks . . . . . . . . . . . . . . .
PAGE 4
Part 2: System Chapter 4: Viewing the SonicWALL Security Dashboard . . . . . . . . . . . System > Security Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SonicWALL Security Dashboard Overview . . . . . . . . . . . . . . . . . . . . Using the SonicWALL Security Dashboard . . . . . . . . . . . . . . . . . . . Related Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 47 47 50 59 Chapter 5: Viewing Status Information . . . . . . . . . . . . .
PAGE 5
Chapter 8: Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85 System > Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85 Digital Certificates Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85 Certificates and Certificate Requests . . . . . . . . . . . . . . . . . . . . . . . . .86 Certificate Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 6
Chapter 13: Using Diagnostic Tools & Restarting the Appliance . . . . System > Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tech Support Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Diagnostic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Active Connections Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CPU Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 7
Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141 Configuring the LAN and OPT Interfaces (Static) . . . . . . . . . . . . . . .141 Configuring Advanced Settings for the Interface . . . . . . . . . . . . . . .142 Configuring Interfaces in Transparent Mode . . . . . . . . . . . . . . . . . .143 Configuring Wireless Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . .145 Configuring a WAN Interface . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 8
Chapter 17: Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network > Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . How Zones Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Predefined Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Allow Interface Trust . . . . . . . . . . .
PAGE 9
Chapter 21: Configuring NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . .245 Network > NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245 NAT Policies Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246 NAT Policy Settings Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248 NAT Policies Q&A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249 NAT Load Balancing Overview . . . .
PAGE 10
Chapter 25: Setting Up Web Proxy Forwarding . . . . . . . . . . . . . . . . . . Network > Web Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Automatic Proxy Forwarding (Web Only) . . . . . . . . . . Bypass Proxy Servers Upon Proxy Failure . . . . . . . . . . . . . . . . . . . 305 305 305 306 Chapter 26: Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . 307 Network > Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 11
Chapter 30: Configuring Advanced Wireless Settings . . . . . . . . . . . . .339 Wireless > Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339 Beaconing & SSID Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340 Wireless Client Communications . . . . . . . . . . . . . . . . . . . . . . . . . . .340 Configurable Antenna Diversity . . . . . . . . . . . . . . . . . . . . . . . . . . . .340 Advanced Radio Settings . . . . . . . . . . . . . . . . . . .
PAGE 12
Part 5: WWAN Chapter 34: Configuring Wireless WAN (TZ 190 only) . . . . . . . . . . . . . WWAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireless WAN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireless WAN Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Viewing the WWAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Wireless WAN . . . . . . . . . . . . . . . . .
PAGE 13
Chapter 40: Configuring Advanced Access Rule Settings . . . . . . . . . .433 Firewall > Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433 Detection Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434 Dynamic Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434 Source Routed Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434 Connections . . . . . . . . . . . . . . . . .
PAGE 14
Chapter 45: Managing Quality of Service . . . . . . . . . . . . . . . . . . . . . . . Firewall > QoS Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Conditioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802.1p and DSCP QoS . . . . . . . .
PAGE 15
Chapter 50: Configuring DHCP Over VPN . . . . . . . . . . . . . . . . . . . . . . .587 VPN > DHCP over VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587 DHCP Relay Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .587 Configuring the Central Gateway for DHCP Over VPN . . . . . . . . . .588 Configuring DHCP over VPN Remote Gateway . . . . . . . . . . . . . . . .588 Current DHCP over VPN Leases . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 16
Part 11: Security Services Chapter 54: Managing SonicWALL Security Services . . . . . . . . . . . . . SonicWALL Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Services Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing Security Services Online . . . . . . . . . . . . . . . . . . . . . . . . Security Services Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Services Information . . . . . . . . . . . . . . . . .
PAGE 17
Chapter 57: Managing SonicWALL Gateway Anti-Virus Service . . . . .715 Security Services > Gateway Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . .715 SonicWALL GAV Multi-Layered Approach . . . . . . . . . . . . . . . . . . . .716 HTTP File Downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .718 SonicWALL GAV Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . .718 Creating a mySonicWALL.com Account . . . . . . . . . . . . . . . . . . . . . .
PAGE 18
Chapter 59: Activating Anti-Spyware Service . . . . . . . . . . . . . . . . . . . . Security Services > Anti-Spyware Service . . . . . . . . . . . . . . . . . . . . . . SonicWALL Gateway Anti-Virus, Anti-Spyware, and IPS Activation Creating a mySonicWALL.com Account . . . . . . . . . . . . . . . . . . . . . Registering Your SonicWALL Security Appliance . . . . . . . . . . . . . . Activating FREE TRIALs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 19
Chapter 64: Configuring Syslog Settings . . . . . . . . . . . . . . . . . . . . . . . .775 Log > Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .775 Syslog Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776 Syslog Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777 Chapter 65: Configuring Log Automation . . . . . . . . . . . . . . . . . . . . . . . .779 Log > Automation . . . .
PAGE 20
Chapter 72: Configuring VPN Policies with the VPN Policy Wizard . . Wizards > VPN Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using the VPN Policy Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Connecting the Global VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . Configuring a Site-to-Site VPN using the VPN Wizard . . . . . . . . . . 827 827 828 831 832 Index .................................................................................
PAGE 21
PART 1 Introduction SONICWALL SONICOS ENHANCED 4.
PAGE 22
SONICWALL SONICOS ENHANCED 4.
PAGE 23
CHAPTER 1 Chapter 1: Preface Preface Copyright Notice © 2007 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original.
PAGE 24
About this Guide Limited Warranty SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product.
PAGE 25
About this Guide Note Always check for the latest version of this manual as well as other SonicWALL products and services documentation. Organization of this Guide The SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide organization is structured into the following parts that follow the SonicWALL Web Management Interface structure. Within these parts, individual chapters correspond to SonicWALL security appliance management interface layout.
PAGE 26
About this Guide • Dynamic DNS - configure the SonicWALL to dynamically register its WAN IP address with a DDNS service provider. Part 4 SonicPoint The part covers the configuration of the SonicWALL security appliance for provisioning and managing SonicWALL SonicPoints as part of a SonicWALL Distributed Wireless Solution. Part 5 Firewall This part covers tools for managing how the SonicWALL security appliance handles traffic through the firewall.
PAGE 27
About this Guide Part 12 Log This part covers managing the SonicWALL security appliance’s enhanced logging, alerting, and reporting features. The SonicWALL security appliance’s logging features provide a comprehensive set of log categories for monitoring security and network activities.
PAGE 28
About this Guide Tip Useful information about security features and configurations on your SonicWALL. Note Important information on a feature that requires callout for special attention. SonicWALL Technical Support For timely resolution of technical support questions, visit SonicWALL on the Internet at http://www.sonicwall.com/us/Support.html. Web-based resources are available to help you resolve most technical issues or contact SonicWALL Technical Support.
PAGE 29
About this Guide Current Documentation Check the SonicWALL documentation Web site for that latest versions of this manual and all other SonicWALL product documentation. http://www.sonicwall.com/us/Support.html SonicOS Enhanced 4.
PAGE 30
About this Guide 30 SonicOS Enhanced 4.
PAGE 31
CHAPTER 2 Chapter 2: Common Criteria Guide Common Criteria The purpose of this chapter is to define the Common Criteria-compliant operation of SonicWALL Internet Security Appliances. Common Criteria is an information technology (IT) validation scheme adopted by the National Information Assurance Partnership (NIAP). NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).
PAGE 32
Common Criteria • GMS Remote Management • Syslog Logging • SonicPoint • Hardware Failover Before installing the SonicWALL Internet Security Appliance, the device should be examined for evidence of tampering. Each device includes a tamper-evident seal to prevent access to the inside of the unit. Verify that the tamper evident seal is intact. If there is a sign of tampering, contact SonicWALL Support Services by phone at 888.777.1476 or 408.752.7819.
PAGE 33
Common Criteria Related Documents Several other SonicWALL documents provide information relating to the Common Criteria evaluated configuration of SonicWALL Internet Security Appliances. Those documents are described here. SonicOS Log Events Reference Guide During the operation of a SonicWALL security appliance, SonicOS software sends log event messages to the console. Event logging automatically begins when the SonicWALL security appliance is powered on and configured.
PAGE 34
Common Criteria 34 SonicOS Enhanced 4.
PAGE 35
CHAPTER 3 Chapter 3: Introduction Introduction SonicOS Enhanced 4.0 is the most powerful SonicOS operating system designed for the SonicWALL PRO 4060, and the PRO 5060. What’s New in SonicOS Enhanced 4.0 SonicOS Enhanced 4.0 introduces these new features: • Tip Strong SSL and TLS Encryption - The internal SonicWALL Web server now only supports SSL version 3.0 and TLS with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.
PAGE 36
Introduction appliances have been associated as a hardware failover pair on mysonicwall.com, you can enable this feature by selecting Enable Stateful Synchronization in the Hardware Failover > Advanced page. • Application Firewall - SonicOS Enhanced 4.0 introduces Application Firewall, which provides a way to create application-specific policies to regulate Web browsing, file transfer, email, and email attachments.
PAGE 37
Introduction CLI (SSH or serial console). For instance, if a CLI session goes to the config level, it will ask you if you want to preempt an administrator who is at config level in the GUI or an SSH session. • Multiple and Read-only Administrator Login - SonicOS Enhanced 4.0 introduces Multiple Administrator Login, which provides a way for multiple users to be given administration rights, either full or read-only, for the SonicOS security appliance. Additionally, SonicOS Enhanced 4.
PAGE 38
Introduction – Ad-Hoc station – Unassociated station – Wellenreiter attack – NetStumbler attack – EAPOL packet flood – Weak WEP IV • SMTP Authentication - SonicOS Enhanced 4.0 supports RFC 2554, which defines an SMTP service extension that allows the SMTP client to indicate an authentication method to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions.
PAGE 39
Introduction In SonicOS Enhanced 4.0, VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical SonicPoint access points simultaneously. You can configure up to eight VAPs per SonicPoint access point. • Layer 2 Bridge Mode - SonicOS Enhanced 4.
PAGE 40
Introduction • BWM Rate Limiting - SonicOS Enhanced 4.0 enhances the Bandwidth Management feature to provide rate limiting functionality. You can now create traffic policies that specify maximum rates for Layer 2, 3, or 4 network traffic. This enables bandwidth management in cases where the primary WAN link fails over to a secondary connection that cannot handle as much traffic. • DHCP Client Reboot Behavior Control - In SonicOS Enhanced 4.
PAGE 41
Introduction Navigating the Management Interface Navigating the SonicWALL management interface includes a hierarchy of menu buttons on the navigation bar (left side of your browser window). When you click a menu button, related management functions are displayed as submenu items in the navigation bar. To navigate to a submenu page, click the link. When you click a menu button, the first submenu item page is displayed. The first submenu page is automatically displayed when you click the menu button.
PAGE 42
Introduction If the settings are contained in a secondary window within the management interface, when you click OK, the settings are automatically applied to the SonicWALL security appliance. Navigating Tables Navigate tables in the management interface with large number of entries by using the navigation buttons located on the upper right top corner of the table. The table navigation bar includes buttons for moving through table pages.
PAGE 43
Introduction • Clicking on the edit icon displays a window for editing the settings. • Clicking on the delete • Moving the pointer over the comment icon deletes a table entry icon displays text from a Comment field entry. Getting Help Each SonicWALL security appliance includes Web-based on-line help available from the management interface. Clicking the question mark ? button on the top-right corner of every page accesses the context-sensitive help for the page.
PAGE 44
Introduction 44 SonicOS Enhanced 4.
PAGE 45
PART 2 System SONICWALL SONICOS ENHANCED 4.
PAGE 46
SONICWALL SONICOS ENHANCED 4.
PAGE 47
CHAPTER 4 Chapter 4: Viewing the SonicWALL Security Dashboard System > Security Dashboard This chapter describes how to use the SonicWALL Security Dashboard feature on a SonicWALL security appliance.
PAGE 48
System > Security Dashboard What is the Security Dashboard? The SonicWALL Security Dashboard provides reports of the latest threat protection data from a single SonicWALL appliance and aggregated threat protection data from SonicWALL security appliances deployed globally. The SonicWALL Security Dashboard displays automatically upon successful authentication to a SonicWALL security appliance, and can be viewed at any time by navigating to the System > Security Dashboard menu in the left-hand menu.
PAGE 49
System > Security Dashboard Benefits The Security Dashboard provides the latest threat protection information to keep you informed about potential threats being blocked by SonicWALL security appliances. If you subscribe to SonicWALL’s security services, including Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention Service (IPS), and Content Filtering Service, you are automatically protected from the threats reported by the SonicWALL Security Dashboard.
PAGE 50
System > Security Dashboard How Does the Security Dashboard Work? The SonicWALL Security Dashboard provides global and appliance-level threat protection statistics. At the appliance level, threat protection data from your SonicWALL security appliance is displayed. At the global level, the SonicWALL Security Dashboard is updated hourly from the SonicWALL backend server with aggregated threat protection data from globally-deployed SonicWALL security appliances.
PAGE 51
System > Security Dashboard SonicWALL Security Dashboard Configuration Overview The SonicWALL Security Dashboard can be configured to display global or appliance-level statistics, to display statistics for different time periods, and to generate a custom PDF file. For information about purchasing SonicWALL security services that protect against the threats reported in the SonicWALL Security Dashboard, refer to “Purchasing Security Services” on page 52.
PAGE 52
System > Security Dashboard Selecting Custom Time Interval The SonicWALL Security Dashboard reports default to a view of reports from the “Last 14 Days,” providing an aggregate view of threats blocked during that time period. You can configure each report to one of four optional time periods. Each report can be configured to reflect a different time period.
PAGE 53
System > Security Dashboard Note Your SonicWALL security appliance must be configured for Internet connectivity and must be connected to the Internet to use the Registration & License Wizard. SonicOS Enhanced 4.
PAGE 54
System > Security Dashboard To purchase SonicWALL security services using the SonicWALL Registration & License Wizard, perform the following steps: Step 1 54 Log in to the SonicWALL appliance management interface. Step 2 In the left-navigation menu, click Wizards. The Configuration Wizard displays. Step 3 Select the radio button next to Registration & License Wizard and click Next. Step 4 The welcome screen displays. Click Next. SonicOS Enhanced 4.
PAGE 55
System > Security Dashboard Step 5 If you have a mysonicwall.com account, enter your username and password in the Username and Password fields. If you do not have a mysonicwall.com account, select the radio button next to Create a sonicwall.com account. Click Next. Step 6 If you selected Create a sonicwall.com account, the User Registration page displays. Provide the information requested in order to create your account, then click Next. SonicOS Enhanced 4.
PAGE 56
System > Security Dashboard Note 56 If you used an existing mysonicwall.com account by providing your username and password, you will not see this page. Skip to the next step. Step 7 Select the checkbox next to the service you want to purchase and click Next. Step 8 A notice displays that a separate browser window will be launched. Click OK. SonicOS Enhanced 4.
PAGE 57
System > Security Dashboard Step 9 The mysonicwall.com page is launched in a separate browser window. Follow the on-screen instructions to complete the purchase of SonicWALL security services. Step 10 After you have purchased the security services, return to the wizard window. The License Synchronization window will synchronize the new security services with the SonicWALL security appliance. Click Next to complete the synchronization. SonicOS Enhanced 4.
PAGE 58
System > Security Dashboard Step 11 The Congratulations page displays. You have successfully purchased and synchronized your security services. Click Close to close the wizard. To verify that the security services are licensed, navigate to Security Services > Summary in the left-hand menu and verify that the status of the services is Licensed. For information on advanced configuration for each service, refer to the SonicWALL Administrator’s Guides, available on the Web at: http://www.sonicwall.
PAGE 59
System > Security Dashboard Related Features SonicWALL Registration & License Wizard - Use the SonicWALL Registration & License Wizard to purchase SonicWALL security services directly from your SonicWALL security appliance management interface. SonicWALL Security Services - SonicWALL provides a comprehensive offering of security services that protect against the threats reported in the SonicWALL Security Dashboard. For a full list, visit the SonicWALL website at http://www.sonicwall.com/us/Support.html.
PAGE 60
System > Security Dashboard 60 SonicOS Enhanced 4.
PAGE 61
CHAPTER 5 Chapter 5: Viewing Status Information System > Status The System > Status page provides a comprehensive collection of information and links to help you manage your SonicWALL security appliance and SonicWALL Security Services licenses.
PAGE 62
System > Status • Setup Wizard - This wizard helps you quickly configure the SonicWALL security appliance to secure your Internet (WAN) and LAN connections. • Public Server Wizard - This wizard helps you quickly configure the SonicWALL security appliance to provide public access to an internal server, such as a Web or E-mail server. • VPN Wizard - This wizard helps you create a new site-to-site VPN Policy or configure the WAN GroupVPN to accept VPN connections from SonicWALL Global VPN Clients.
PAGE 63
System > Status Latest Alerts Any messages relating to system errors or attacks are displayed in this section. Attack messages include AV Alerts, forbidden e-mail attachments, fraudulent certificates, etc. System errors include WAN IP changed and encryption errors. Clicking the blue arrow displays the Log > Log View page. For more information on SonicWALL security appliance logging, see “Log” on page 763. Security Services If your SonicWALL security appliance is not registered at mySonicWALL.
PAGE 64
System > Status Registering Your SonicWALL Security Appliance Once you have established your Internet connection, it is recommended you register your SonicWALL security appliance.
PAGE 65
System > Status To create a mySonicWALL.com account from the SonicWALL management interface: Step 1 In the Security Services section on the System > Status page, click the Register link in Your SonicWALL is not registered. Click here to Register your SonicWALL. Step 2 Click the here link in If you do not have a mySonicWALL account, please click here to create one on the mySonicWALL Login page.
PAGE 66
System > Status Registering Your SonicWALL Security Appliance If you already have a mySonicWALL.com account, follow these steps to register your security appliance: Step 1 In the Security Services section on the System > Status page, click the Register link in Your SonicWALL is not registered. Click here to Register your SonicWALL. The mySonicWALL Login page is displayed. Step 2 In the mySonicWALL.com Login page, enter your mySonicWALL.
PAGE 67
CHAPTER 6 Chapter 6: Managing SonicWALL Licenses System > Licenses The System > Licenses page provides links to activate, upgrade, or renew SonicWALL Security Services licenses. From this page in the SonicWALL Management Interface, you can manage all the SonicWALL Security Services licensed for your SonicWALL security appliance. The information listed in the Security Services Summary table is updated from your mySonicWALL.com account.
PAGE 68
System > Licenses Excluding a Node When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group. To exclude a node: Step 1 Select the node you want to exclude in the Currently Licensed Nodes table on the System > Licenses page, and click the icon in the Exclude column for that node.
PAGE 69
System > Licenses Manage Security Services Online To activate, upgrade, or renew services, click the link in To Activate, Upgrade, or Renew services, click here. Click the link in To synchronize licenses with mySonicWALL.com click here to synchronize your mySonicWALL.com account with the Security Services Summary table. You can also get free trial subscriptions to SonicWALL Content Filter Service and Client AntiVirus by clicking the For Free Trials click here link.
PAGE 70
System > Licenses Manual Upgrade Manual Upgrade allows you to activate your services by typing the service activation key supplied with the service subscription not activated on mySonicWALL.com. Type the activation key from the product into the Enter upgrade key field and click Submit.
PAGE 71
System > Licenses From the Management Interface of your SonicWALL Security Appliance Step 1 Make sure your SonicWALL security appliance is running SonicOS Standard or Enhanced 2.1 (or higher). Step 2 Paste (or type) the Keyset (from the step 3) into the Keyset field in the Manual Upgrade section of the System > Licenses page (SonicOS). Step 3 Click the Submit or the Apply button to update your SonicWALL security appliance.
PAGE 72
System > Licenses 72 SonicOS Enhanced 4.
PAGE 73
CHAPTER 7 Chapter 7: Configuring Administration Settings System > Administration The System Administration page provides settings for the configuration of SonicWALL security appliance for secure and remote management. You can manage the SonicWALL using a variety of methods, including HTTPS, SNMP or SonicWALL Global Management System (SonicWALL GMS).
PAGE 74
System > Administration Changing the Administrator Password To set a new password for SonicWALL Management Interface access, type the old password in the Old Password field, and the new password in the New Password field. Type the new password again in the Confirm New Password field and click Apply. Once the SonicWALL security appliance has been updated, a message confirming the update is displayed at the bottom of the browser window.
PAGE 75
System > Administration The Password must be changed every (days) setting requires users to change their passwords after the designated number of days has elapsed. When a user attempts to login with an expired password, a pop-up window will prompt the user to enter a new password. The User Login Status window now includes a Change Password button so that users can change their passwords at any time.
PAGE 76
System > Administration Multiple Administrators SonicOS Enhanced provides the ability for multiple administrators to access the SonicOS Management Interface simultaneously. For more information on Multiple Administrators, see the “Multiple Administrator Support Overview” section on page 590. The System > Administration page contains a number of options to manage multiple administrators.
PAGE 77
System > Administration Web Management Settings The SonicWALL security appliance can be managed using HTTP or HTTPS and a Web browser. Both HTTP and HTTPS are enabled by default. The default port for HTTP is port 80, but you can configure access through another port. Type the number of the desired port in the Port field, and click Apply. However, if you configure another port for HTTP management, you must include the port number when you use the IP address to log into the SonicWALL security appliance.
PAGE 78
System > Administration SSH Management Settings If you use SSH to manage the SonicWALL appliance, you can change the SSH port for additional security. The default SSH port is 22. Advanced Management You can manage the SonicWALL security appliance using SNMP or SonicWALL Global Management System. The following sections explain how to configure the SonicWALL for management by these two options. For more information on SonicWALL Global Management System, go to http:// www.sonicwall.com.
PAGE 79
System > Administration To enable SNMP on the SonicWALL security appliance, log into the Management interface and click System, then Administration. Select the Enable SNMP checkbox, and then click Configure. The Configure SNMP window is displayed. Step 1 Type the host name of the SonicWALL security appliance in the System Name field. Step 2 Type the network administrator’s name in the System Contact field. Step 3 Type an e-mail address, telephone number, or pager number in the System Location field.
PAGE 80
System > Administration Enable GMS Management You can configure the SonicWALL security appliance to be managed by SonicWALL Global Management System (SonicWALL GMS). To configure the SonicWALL security appliance for GMS management: Step 1 Select the Enable Management using GMS checkbox, then click Configure. The Configure GMS Settings window is displayed. Step 2 Enter the host name or IP address of the GMS Console in the GMS Host Name or IP Address field.
PAGE 81
System > Administration the GMS installation, and enter the IP address in the NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window. • Existing Tunnel - If this option is selected, the GMS server and the SonicWALL security appliance already have an existing VPN tunnel over the connection. Enter the GMS host name or IP address in the GMS Host Name or IP Address field. Enter the port number in the Syslog Server Port field.
PAGE 82
System > Administration Step 7 • HTTPS - If this option is selected, HTTPS management is allowed from two IP addresses: the GMS Primary Agent and the Standby Agent IP address. The SonicWALL security appliance also sends encrypted syslog packets and SNMP traps using 3DES and the SonicWALL security appliance administrator’s password. The following configuration settings for HTTPS management mode are displayed: • Send Syslog Messages in Cleartext Format - Sends heartbeat messages as cleartext.
PAGE 83
System > Administration The default URL http://help.mysonicwall.com/applications/vpnclient displays the SonicWALL Global VPN Client download site. You can point to any URL where you provide the SonicWALL Global VPN Client application. Selecting UI Language If your firmware contains other languages besides English, they can be selected in the Language Selection pulldown menu. Note Changing the language of the SonicOS UI requires that the SonicWALL security appliance be rebooted. SonicOS Enhanced 4.
PAGE 84
System > Administration 84 SonicOS Enhanced 4.
PAGE 85
CHAPTER 8 Chapter 8: Managing Certificates System > Certificates To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL security appliance to validate your Local Certificates. You import the valid CA certificate into the SonicWALL security appliance using the System > Certificates page.
PAGE 86
System > Certificates • OpenSSL • VeriSign Certificates and Certificate Requests The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates. The View Style menu allows you to display your certificates in the Certificates and Certificate Requests table based on the following criteria: • All Certificates - displays all certificates and certificate requests.
PAGE 87
System > Certificates Certificate Details Clicking on the icon in the Details column of the Certificates and Certificate Requests table lists information about the certificate, which may include the following, depending on the type of certificate: • Certificate Issuer • Subject Distinguished Name • Certificate Serial Number • Valid from • Expires On • Status (for Pending requests and local certificates) • CRL Status (for Certificate Authority certificates) The details shown in the Details mou
PAGE 88
System > Certificates Importing a Certificate Authority Certificate To import a certificate from a certificate authority, perform these steps: 88 Step 1 Click Import. The Import Certificate window is displayed. Step 1 Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate window settings change.
PAGE 89
System > Certificates Importing a Local Certificate To import a local certificate, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Enter a certificate name in the Certificate Name field. Step 3 Enter the password used by your Certificate Authority to encrypt the PKCS#12 file in the Certificate Management Password field.
PAGE 90
System > Certificates Importing a CRL You can import the CRL by manually downloading the CRL and then importing it into the SonicWALL security appliance. Step 1 Click on the Import certificate revocation list icon. The Import CRL window is displayed. Step 2 You can import the CRL from the certificate file by selecting Import CRL directly from a PEM (.pem) or DER (.der or .
PAGE 91
System > Certificates To generate a local certificate, follow these steps: Step 1 Click the New Signing Request button. The Certificate Signing Request window is displayed. Step 2 In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field. Step 3 Select the Request field type from the menu, then enter information for the certificate in the Request fields.
PAGE 92
System > Certificates 92 SonicOS Enhanced 4.
PAGE 93
CHAPTER 9 Chapter 9: Configuring Time Settings System > Time The System > Time page defines the time and date settings to time stamp log events, to automatically update SonicWALL Security Services, and for other internal purposes. By default, the SonicWALL security appliance uses an internal list of public NTP servers to automatically update the time. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers.
PAGE 94
System > Time If you want to set your time manually, uncheck Set time automatically using NTP. Select the time in the 24-hour format using the Time (hh:mm:ss) menus and the date from the Date menus. Selecting Display UTC in logs (instead of local time) specifies the use universal time (UTC) rather than local time for log events. Selecting Display time in International format displays the date in International format, with the day preceding the month. After selecting your System Time settings, click Apply.
PAGE 95
CHAPTER 10 Chapter 10: Setting Schedules System > Schedules The System > Schedules page allows you to create and manage schedule objects for enforcing schedule times for a variety of SonicWALL security appliance features. SonicOS Enhanced 4.
PAGE 96
System > Schedules The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the edit icon in the Configure column to display the Edit Schedule window. Note You cannot delete the default Work Hours, After Hours, or Weekend Hours schedules. You apply schedule objects for the specific security feature.
PAGE 97
System > Schedules Adding a Schedule To create schedules, click Add. The Add Schedule window is displayed. Step 1 Enter a name for the schedule in the Name field. Step 2 Select the days of the week to apply to the schedule or select All. Step 3 Enter the time of day for the schedule to begin in the Start field. The time must be in 24-hour format, for example, 17:00 for 5 p.m. Step 4 Enter the time of day for the schedule to stop in the Stop field.
PAGE 98
System > Schedules 98 SonicOS Enhanced 4.
PAGE 99
CHAPTER 11 Chapter 11: Managing SonicWALL Security Appliance Firmware System > Settings This System > Settings page allows you to manage your SonicWALL security appliance’s SonicOS versions and preferences. SonicOS Enhanced 4.
PAGE 100
System > Settings Settings Import Settings To import a previously saved preferences file into the SonicWALL security appliance, follow these instructions: Step 1 Click Import Settings to import a previously exported preferences file into the SonicWALL security appliance. The Import Settings window is displayed. Step 2 Click Browse to locate the file which has a *.exp file name extension. Step 3 Select the preferences file. Step 4 Click Import, and restart the firewall.
PAGE 101
System > Settings Note • Boot to your choice of firmware and system settings. • Manage system backups. • Easily return your SonicWALL security appliance to the previous system state. SonicWALL security appliance SafeMode, which uses the same settings used Firmware Management, provides quick recovery from uncertain configuration states. Automatic Notification of New Firmware To receive automatic notification of new firmware, select the Notify me when new firmware is available check box.
PAGE 102
System > Settings – Uploaded Firmware - the latest uploaded version from mySonicWALL.com. – Uploaded Firmware with Factory Default Settings - the latest version uploaded with factory default settings. – Uploaded Firmware with Backup Settings - a firmware image created by clicking Create Backup. • Version - the firmware version. • Date - the day, date, and time of downloading the firmware. • Size - the size of the firmware file in Megabytes (MB).
PAGE 103
System > Settings SafeMode - Rebooting the SonicWALL Security Appliance SafeMode allows easy firmware and preferences management as well as quick recovery from uncertain configuration states. It is no longer necessary to reset the firmware by pressing and holding the Reset button on the appliance. Pressing the Reset button for one second launches the SonicWALL security appliance into SafeMode. SafeMode allows you to select the firmware version to load and reboot the SonicWALL security appliance.
PAGE 104
System > Settings Note Clicking Boot next to any firmware image overwrites the existing current firmware image making it the Current Firmware image. Click Boot in the firmware row of your choice to restart the SonicWALL security appliance. FIPS When operating in FIPS (Federal Information Processing Standard) Mode, the SonicWALL security appliance supports FIPS 140-2 Compliant security.
PAGE 105
CHAPTER 12 Chapter 12: Using SonicWALL Packet Capture System > Packet Capture This chapter contains the following sections: • “Packet Capture Overview” on page 105 • “Using Packet Capture” on page 107 • “Verifying Packet Capture Activity” on page 120 • “Related Information” on page 122 Packet Capture Overview This section provides an introduction to the SonicWALL SonicOS Enhanced packet capture feature.
PAGE 106
System > Packet Capture • PPP negotiations details You can configure the packet capture feature in the SonicOS Enhanced user interface (UI). The UI provides a way to configure the capture criteria, display settings, and file export settings, and displays the captured packets. Benefits The SonicOS Enhanced packet capture feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal).
PAGE 107
System > Packet Capture Refresh: Click Refresh to display new buffer data in the Captured Packets window. You can then click any packet in the window to display its header information and data in the Packet Detail and Hex Dump windows. Export As: Display or save a snapshot of the current buffer in the file format that you select from the drop-down list. Saved files are placed on your local management system (where the UI is running).
PAGE 108
System > Packet Capture Accessing Packet Capture in the UI This section describes how to access the packet capture tool in the SonicOS UI. There are two ways to access the Packet Capture screen. Step 1 Log in to the SonicOS UI as admin. Step 2 To go directly to the Packet Capture screen, in the left pane, under System, click Packet Capture. Step 3 Alternatively, to access packet capture from the Diagnostics screen, in the left pane, under System, click Diagnostics.
PAGE 109
System > Packet Capture Starting packet capture Step 1 Navigate to the Packet Capture page in the UI. See “Accessing Packet Capture in the UI” on page 108. Step 2 Under Packet Capture, optionally click Reset. The Packet Capture page displays several lines of statistics above the Start and Stop buttons. You can click Reset to set the statistics back to zero. Step 3 Under Packet Capture, click Start. Step 4 To refresh the packet display windows to show new buffer data, click Refresh.
PAGE 110
System > Packet Capture • Egress - The SonicWALL appliance interface on which the packet was captured when sent out – The subsystem type abbreviation is shown in parentheses.
PAGE 111
System > Packet Capture About the Packet Detail Window When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select. About the Hex Dump Window When you click on a packet in the Captured Packets window, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump window.
PAGE 112
System > Packet Capture • “Configuring Advanced Settings” on page 119 • “Restarting FTP logging” on page 120 Configuring General Settings This section describes how to configure packet capture general settings, including the number of bytes to capture per packet and the buffer wrap option. You can specify the number of bytes using either decimal or hexadecimal, with a minimum value of 14.
PAGE 113
System > Packet Capture You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported: ARP, IP, PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone. This option is not case-sensitive. For example, to capture all supported types, you could enter: ARP, IP, PPPOE. You can use one or more negative values to capture all Ethernet types except those specified; for example: !ARP, !PPPoE.
PAGE 114
System > Packet Capture To configure Packet Capture complete the following steps: Step 1 Navigate to the Packet Capture page in the UI. See “Accessing Packet Capture in the UI” on page 108. Step 2 Under Packet Capture, click Configure. Step 3 In the Packet Capture Configuration window, click the Capture Filter tab.
PAGE 115
System > Packet Capture Configuring Display Filter Settings This section describes how to configure packet capture display filter settings. The values that you provide here are compared to corresponding fields in the captured packets, and only those packets that match are displayed. Display filter settings include the following: • Interface on your SonicWALL appliance You can specify up to ten interfaces separated by commas.
PAGE 116
System > Packet Capture SonicOS Enhanced adds one of four possible packet status values to each captured packet: forwarded, generated, consumed, and dropped. You can select one or more of these status values to match when displaying packets. The status value shows the state of the packet with respect to the firewall, as follows: – Forwarded - The packet arrived on one interface and the SonicWALL appliance sent it out on another interface.
PAGE 117
System > Packet Capture Step 4 In the Interface Name(s) box, type the SonicWALL appliance interfaces for which to display packets, or use the negative format (!X0) to display packets captured from all interfaces except those specified. To display packets captured on all interfaces, leave blank. Step 5 In the Ether Type(s) box, enter the Ethernet types for which you want to display packets, or use the negative format (!ARP) to display packets of all Ethernet types except those specified.
PAGE 118
System > Packet Capture If you configure automatic logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps. Step 1 Navigate to the Packet Capture page in the UI. See “Accessing Packet Capture in the UI” on page 108. Step 2 Under Packet Capture, click Configure.
PAGE 119
System > Packet Capture month, day, and year. For example, packet-log--3-22-08292006.cap. For HTML format, file names are in the form: “packet-log_h-<>.html”. An example of an HTML file name is: packetlog_h-3-22-08292006.html. Step 8 To enable automatic transfer of the capture file to the FTP server when the buffer is full, select the Log To FTP Server Automatically checkbox. Files are transferred in both libcap and HTML format.
PAGE 120
System > Packet Capture Even when interfaces specified in the capture filters do not match, this option ensures that packets generated by the SonicWALL appliance are captured. This includes packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPOE, and routing protocols. Captured packets are marked with ‘s’ in the incoming interface area when they are from the system stack. Otherwise, the incoming interface is not specified.
PAGE 121
System > Packet Capture • Red: Capture is stopped • Green: Capture is running and the buffer is not full • Orange: Capture is running, but the buffer is full The UI also displays the buffer size, the number of packets captured, the percentage of buffer space used, and how much of the buffer has been lost. Lost packets occur when automatic FTP logging is turned on, but the file transfer is slow for some reason.
PAGE 122
System > Packet Capture Resetting the Status Information You can reset the displayed statistics for the capture buffer and FTP logging. If a capture is in progress, it is not interrupted when you reset the statistics display. Step 1 Navigate to the Packet Capture page in the UI. Step 2 Under Packet Capture, click Reset.
PAGE 123
System > Packet Capture HTML Format You can view the HTML format in a browser. The following is an example showing the header and part of the data for the first packet in the buffer. SonicOS Enhanced 4.
PAGE 124
System > Packet Capture Text File Format You can view the text format output in a text editor. The following is an example showing the header and part of the data for the first packet in the buffer. 124 SonicOS Enhanced 4.
PAGE 125
CHAPTER 13 Chapter 13: Using Diagnostic Tools & Restarting the Appliance System > Diagnostics The System > Diagnostics page provides several diagnostic tools which help troubleshoot network problems as well as Active Connections, CPU and Process Monitors. SonicOS Enhanced 4.
PAGE 126
System > Diagnostics Tech Support Report The Tech Support Report generates a detailed report of the SonicWALL security appliance configuration and status, and saves it to the local hard disk using the Download Report button. This file can then be e-mailed to SonicWALL Technical Support to help assist with a problem. Tip You must register your SonicWALL security appliance on mySonicWALL.com to receive technical support.
PAGE 127
System > Diagnostics • “Active Connections Monitor” on page 127 • “CPU Monitor” on page 128 • “DNS Name Lookup” on page 129 • “Find Network Path” on page 129 • “Packet Capture” on page 130 • “Ping” on page 131 • “Process Monitor” on page 132 • “Real-Time Black List Lookup” on page 132 • “Reverse Name Resolution” on page 132 • “Trace Route” on page 133 • “Web Server Monitor” on page 133 Active Connections Monitor The Active Connections Monitor displays real-time, exportable (plain text
PAGE 128
System > Diagnostics The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string will look for connections matching: Source IP AND Destination IP Check the Group box next to any two or more criteria to combine them with a logical OR.
PAGE 129
System > Diagnostics DNS Name Lookup The SonicWALL security appliance has a DNS lookup tool that returns the IP address of a domain name. Or, if you enter an IP address, it returns the domain name for that address. Step 1 Enter the host name or IP address in the Look up name field. Do not add http to the host name. Step 2 The SonicWALL security appliance queries the DNS Server and displays the result in the Result section. It also displays the IP address of the DNS Server used to perform the query.
PAGE 130
System > Diagnostics Packet Capture The Packet Capture tool tracks the status of a communications stream as it moves from source to destination. This is a useful tool to determine if a communications stream is being stopped at the SonicWALL security appliance, or is lost on the Internet. To interpret this tool, it is necessary to understand the three-way handshake that occurs for every TCP connection.
PAGE 131
System > Diagnostics Client sends a final ACK, and waits for start of data transfer. Step 6 TCP sent on WAN [ACK] From 207.88.211.116 / 1937 (00:40:10:0c:01:4e To 204.71.200.74 / 80 (02:00:cf:58:d3:6a) The SonicWALL security appliance forwards the client ACK to the remote host and waits for the data transfer to begin. When using packet capture to isolate network connectivity problems, look for the location where the three-way handshake is breaking down.
PAGE 132
System > Diagnostics Process Monitor Process Monitor shows individual system processes, their CPU utilization, and their system time. Real-Time Black List Lookup The Real-Time Black List Lookup tool allows you to test SMTP IP addresses, RBL services, or DNS servers. Enter an IP address in the IP Address field, a FQDN for the RBL in the RBL Domain field and DNS server information in the DNS Server field. Click Go.
PAGE 133
System > Diagnostics Trace Route Trace Route is a diagnostic utility to assist in diagnosing and troubleshooting router connections on the Internet. By using Internet Connect Message Protocol (ICMP) echo packets similar to Ping packets, Trace Route can test interconnectivity with routers and other hosts that are farther and farther along the network path until the connection fails or until the remote host responds. Type the IP address or domain name of the destination host. For example, type yahoo.
PAGE 134
System > Restart System > Restart The SonicWALL security appliance can be restarted from the Web Management interface. Click System > Restart to display the Restart page. Click Restart... and then click Yes to confirm the restart. The SonicWALL security appliance takes approximately 60 seconds to restart, and the yellow Test light is lit during the restart. During the restart time, Internet access is momentarily interrupted on the LAN. 134 SonicOS Enhanced 4.
PAGE 135
PART 3 Network SONICWALL SONICOS ENHANCED 4.
PAGE 136
SONICWALL SONICOS ENHANCED 4.
PAGE 137
CHAPTER 14 Chapter 14: Configuring Interfaces Network > Interfaces The Network > Interfaces page includes interface objects that are directly linked to physical interfaces. The SonicOS Enhanced scheme of interface addressing works in conjunction with network zones and address objects. Physical interface objects include the LAN, WAN, and depending on which SonicWALL security appliance you have, OPT, Modem, WLAN, and WWAN ports in the SonicWALL security appliance. SonicOS Enhanced 4.
PAGE 138
Network > Interfaces Setup Wizard The Setup Wizard button accesses the Setup Wizard. The Setup Wizard walks you through the configuration of the SonicWALL security appliance for Internet connectivity. For Setup Wizard instructions, see “Wizards > Setup Wizard” section on page 793. Interface Settings The Interface Settings table lists the following information for each interface: • Name - Listed as LAN, WAN, WWAN, WLAN, or OPT depending on your SonicWALL security appliance model.
PAGE 139
Network > Interfaces Caution You cannot change the Zones in the Edit Interface window for the LAN, WAN, Modem, and WLAN interfaces. Interface Traffic Statistics The Interface Traffic Statistics table lists received and transmitted information for all configured interfaces. The following information is displayed for all SonicWALL security appliance interfaces: • Rx Unicast Packets - indicates the number of point-to-point communications received by the interface.
PAGE 140
Network > Interfaces Physical Interfaces Physical interfaces must be assigned to a Zone to allow for configuration of Access Rules to govern inbound and outbound traffic. Security zones are bound to each physical interface where it acts as a conduit for inbound and outbound traffic. If there is no interface, traffic cannot access the zone or exit the zone. For more information on zones, see “Network > Zones” on page 191.
PAGE 141
Configuring Interfaces Transparent Mode Transparent Mode in SonicOS Enhanced uses interfaces as the top level of the management hierarchy. Transparent Mode supports unique addressing and interface routing.
PAGE 142
Configuring Interfaces Note The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address. Configuring Advanced Settings for the Interface If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL.
PAGE 143
Configuring Interfaces Configuring Interfaces in Transparent Mode Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface. You can configure the following interfaces in Transparent Mode: Note • TZ family and PRO 1260: Lan and Opt • PRO family: X0, X2 - X9, F0 You cannot configure the X1 or WAN interface in Transparent mode.
PAGE 144
Configuring Interfaces • Range to specify a range of IP addresses by entering beginning and ending value of the range. • Network to specify a subnet by entering the beginning value and the subnet mask. The subnet must be within the WAN address range and cannot include the WAN interface IP address. c. Enter the IP address of the host, the beginning and ending address of the range, or the IP address and subnet mask of the network. d.
PAGE 145
Configuring Interfaces Configuring Wireless Interfaces A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points. Step 1 Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed. You can configure X2 through X9, Opt, a VLAN sub-interface or a PortShield interface. Step 2 In the Zone list, select WLAN or a custom Wireless zone.
PAGE 146
Configuring Interfaces Note The above table depicts the maximum subnet mask sizes allowed. You can still use classfull subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (e.g. 24bit class C - 255.255.255.0 - 254 total usable IPs), thus allocating more IP addressing space to clients if you have the need to support larger numbers of wireless clients.
PAGE 147
Configuring Interfaces Caution If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well. You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Address and entering the MAC Address in the field. Check Enable Multicast Support to allow multicast reception on this interface. Check Enable 802.
PAGE 148
Configuring Interfaces Note • DHCP - configures the SonicWALL to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers. • PPPoE - uses Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. If desktop software and a username and password is required by your ISP, select NAT with PPPoE. This protocol is typically found when using a DSL modem.
PAGE 149
Configuring Interfaces Ethernet Settings If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection.
PAGE 150
Configuring Interfaces Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds. The Bandwidth Management section allows you to specify the available outbound bandwidth for this interface in Kbps. • Enable Egress Bandwidth Management - Enables outbound bandwidth management.
PAGE 151
Configuring Interfaces • Step 3 Subnet Mask: 255.255.255.0 is the default In the Switch Ports tab, chose which ports to add to the PortShield interface. SonicOS Enhanced 4.
PAGE 152
Configuring Interfaces Configuring the Wireless WAN Interface The SonicWALL TZ 190 security appliance introduces support for 3G (third generation) Wireless WAN connections that utilize data connections over 3G cellular networks. The Wireless WAN (WWAN) can be used for: • WAN Failover to a connection that is not dependent on wire or cable. • Temporary networks where a pre-configured connection may not be available, such as trade-shows and kiosks.
PAGE 153
Configuring Interfaces Managing WWAN Connections To initiate a WWAN connection, on the Network > Interfaces page, click on the Manage button in the WWAN interface line. The WWAN Connection window displays. Click the Connect button. The SonicWALL TZ 190 attempts to connect to the WWAN service provider. To disconnect a WWAN connection, click on the Manage button. The WWAN Connection window displays. Click Disconnect.
PAGE 154
Configuring Interfaces For a detailed explanation of the behavior of the Ethernet with WWAN Failover setting refer to “Understanding Wireless WAN Connection Models” on page 274. Configuring Basic Wireless WAN Settings To configure basic WWAN interface settings, perform the following steps: 154 Step 1 Click the edit icon for the WWAN interface. The WWAN Settings window is displayed.
PAGE 155
Configuring Interfaces Note To configure the SonicWALL TZ 190 for Connect on Data operation, you must select Dial on Data as the Dial Type for the Connection Profile. See “Configuring WWAN Connection Profiles” on page 283 in Chapter 32, Configuring Wireless WAN for more details.
PAGE 156
Configuring Interfaces Configuring Remotely Triggered Dial-Out on the WWAN Before configuring the Remotely Triggered Dial-Out feature, ensure that your configuration meets the following prerequisites: • The WWAN profile is configured for dial-on-data. • The SonicWALL Security Appliance is configured to be managed using HTTPS, so that the device can be accessed remotely. • It is recommended that you enter a value in the Enable Max Connection Time (minutes) field.
PAGE 157
Configuring Interfaces Configuring the Maximum Allowed WWAN Connections To configure the maximum number of nodes allowed to connect to the WWAN interface, enter the maximum number of nodes in the Max Host field. Entering 0 in the Max Host fields allows any number of nodes to connect. Creating a WLAN Subnet WLAN subnets are used to segment IP address space for use by Virtual Access Points (VAP). Each VAP must have a separate WLAN subnet, and you must create the WLAN subnet before creating the VAP.
PAGE 158
Configuring Interfaces • SonicPoint Limit: The maximum number of allowed SonicPoints is configured automatically. • Comment: Optionally enter a comment about the subnet. • Management: Select the appropriate protocols to allow remote mangement of the SonicWALL security appliance from this subnet. • User Login: Select HTTP and/or HTTPS to allow users with limited management rights to log in to the SonicWALL security appliance.
PAGE 159
CHAPTER 15 Chapter 15: Configuring PortShield Interfaces SonicWALL PortShield Interfaces SonicWALL PortShield is a feature of the SonicWALL TZ 180 and TZ 190 security appliances running SonicOS Enhanced 3.8 or newer. PortShield architecture enables you to configure some or all of the LAN switch ports on the TZ 180 and TZ 190 into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well.
PAGE 160
SonicWALL PortShield Interfaces Network > SwitchPorts The Network > SwitchPorts page allows you to manage the assignments of ports to PortShield interfaces. Overview A PortShield interface is a virtual interface with a set of ports assigned to it. There are two IP assignment methods you can deploy to create PortShield interfaces. They are Static and Transparent modes. The following two sections describe each.
PAGE 161
SonicWALL PortShield Interfaces When you create a PortShield interface in Transparent Mode, you create a range of addresses to be applied to the PortShield interface. You include these addresses in one entity called an Address Object. Address Objects allow for entities to be defined one time and to be re-used in multiple referential instances throughout the SonicOS interface.
PAGE 162
SonicWALL PortShield Interfaces Creating a PortShield Interface from the Interfaces Area Before creating and adding a PortShield interface, think about why you are creating it and what role it will play in your network. To create and add a PortShield interface to the list of interfaces, perform the following steps: 162 4. Click on the Network > Interfaces page. 5. The interfaces in the list contain the following information: Column Description Name A string that identifies the interface.
PAGE 163
SonicWALL PortShield Interfaces 6. Click the Add PortShield Interface button. The Add Port Shield dialog box displays. 7. Click the Zone list box and click on a zone type option to which you want to map the interface. Default zones are: – LAN – DMZ – WLAN – Unassigned If you want to create another zone, go to the section “Creating a New Zone for the PortShield Interface” on page 166. Note You can add PortShield interfaces only to Trusted, Public, and Wireless zones. SonicOS Enhanced 4.
PAGE 164
SonicWALL PortShield Interfaces 8. After you select a zone option, the management software displays a more expanded version of the PortShield Interface Settings dialog box. 9. Type a string in the PortShield Interface Name field. 10. Click on the IP Assignment list box and select either Static or Transparent. Static indicates the interface obtains its IP address manually. Transparent mode allows for the WAN subnetwork to be shared by the current interface using Address Object assignments.
PAGE 165
SonicWALL PortShield Interfaces Note This option only appears when creating a PortShield interface, not when editing an existing PortShield interface. You can make changes to the interface’s DHCP settings after creating an interface from the DHCP Server environment (Network > DHCP Server). 16. Click on the Switch Ports tab. The management software displays the PortShield Interface dialog box. 17.
PAGE 166
SonicWALL PortShield Interfaces Creating a New Zone for the PortShield Interface You may want to create a zone for a PortShield interface that has different attributes to it than any of the default zones provide. To create a new zone for a PortShield interface, perform the following: 1. In the Add PortShield Interface window, click on the Zone list box and click on the Create New Zone option. The management software displays the General Settings dialog box. 2.
PAGE 167
SonicWALL PortShield Interfaces 4. After selecting the security level for the PortShield interface, click on one of the following checkboxes that enables a security service for the zone: Checkbox Description Allow Interface Trust Automates the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance.
PAGE 168
SonicWALL PortShield Interfaces 4. Click the Configure button. The management software displays the Edit Multiple Switch Ports dialog box. You can refine your settings in this dialog box. The name of the PortShield interface group will be assigned by default. 5. Click on the Port Enable list box and click on either the Enable or Disable option to either activate or deactivate the interfaces in the PortShield interface group. 6.
PAGE 169
SonicWALL PortShield Interfaces Creating Transparent Mode PortShield Interfaces You may find it useful to create address objects to bundle addresses into address objects and reference these objects when creating a PortShield interface. Address objects allow for entities to be defined one time and to be reused in multiple referential instances throughout SonicOS. The PortShield interface creation environment provides a convenient way to reference address objects.
PAGE 170
SonicWALL PortShield Interfaces 7. Click on the Transparent Range list box and click on the Create new address object option. The management software displays the Add Address Object dialog box. 8. Fill out the fields as detailed in the next three sections to create the three different types of address objects. The three examples use a subnetwork of 67.115.118.0. Creating a Transparent Mode PortShield Interface with a Host Address Object To assign the Host Address Object 67.115.118.
PAGE 171
SonicWALL PortShield Interfaces Creating a PortShield Using an Address Object Containing an Address Range To assign a Range Address Object with addresses extending from 67.115.118.100 to 67.115.118.102 to portshield2, perform the following steps: 1. Type the name portshield2 in the Name field to identify the address object. 2. Click the Zone Assignment list box and click the LAN option. 3. Click the Type list box and click the Range option to make the address object apply to a range of addresses.
PAGE 172
SonicWALL PortShield Interfaces 2. Click on the Add button in the Address Objects list in the window. SonicOS displays the Add Address Object dialog box as shown in the following figure: 3. Enter the name portshield3 in the Name field. 4. Select Network from the Type menu. 5. Enter 67.115.118.200 in the network IP address and 255.255.255.0 in the Netmask field. 6. Click on the Zone Assignment list box and click on LAN. 7. Click OK.
PAGE 173
SonicWALL PortShield Interfaces To select ports and apply them to a previously configured interface, perform the following steps: 1. Create a PortShield interface following the steps in “Overview” on page 160, but do not map ports to it by going into the Switch Ports tab. 2. Click the Networks option in the navigation pane and then click the Switch Ports option. SonicOS displays the Switch Ports window. 3. Note the color of the ports.
PAGE 174
PortShield Deployment Scenario 6. Click on the PortShield Interface list box as shown in the following figure. Note the list contains called the entry called Accounting. This is the host address object you created. 7. Click on the Accounting entry. By selecting this entry, you mapped ports 3, 4, and 5 to the Accounting entry. 8. Click OK. Wait a moment. SonicOS displays the Switch Ports dialog box, displaying the results of your session. 9. Verify the PortShield interface port mappings.
PAGE 175
PortShield Deployment Scenario Note The easiest way to configure this example is to use the PortShield Wizard. Configure it to have two PortShield interfaces, with three and two ports respectively. For more details on the PortShield Wizard, see Chapter 23, Configuring PortShield Interfaces Using the Setup Wizard. Office Internet Deployment Details This example uses the following zones and PortShield interfaces: Zones • LAN: Default LAN zone configuration. – Used for Office PortShield Group.
PAGE 176
PortShield Deployment Scenario PortShield Interfaces The small business example uses two PortShield interfaces. • LAN: for office use – LAN zone – Ports 1 - 3. These ports are assigned to LAN by not assigning them to another PortShield interface. – 2 desktop workstations – 1 web and mail server.
PAGE 177
PortShield Deployment Scenario – Name: Residents – Security Type: Wireless. Select Wireless so you can use the same context for the both the individual wired connections and the SonicPoints.
PAGE 178
PortShield Deployment Scenario – SonicPoint Provisioning Profile: Select the SonicPoint profile you configured. The settings in this profile will automatically be applied to the SonicPoints you set up for wireless access. • Guest Services tab settings: – Enable Wireless Guest Services: Check this option to enable access to the internet for guest users who do not have resident accounts.
PAGE 179
PortShield Deployment Scenario Configure the PortShield Interfaces with the PortShield Wizard In this example, two ports are assigned to a Wireless PortShield interface for the SonicPoints and three ports are assigned to the LAN interface for the Office. The easiest way to configure this is to use the PortShield Wizard and then modify the configuration. We will use the wizard to configure 2 PortShield interfaces with 3 and 2 ports respectively. 1.
PAGE 180
PortShield Deployment Scenario 4. Uncheck the Enable Interface Trust for new PortShield Interface segments checkbox to prevent communication between the wireless segment and the office segment. If this level of security is not necessary, leave the checkbox checked. You can modify these settings on the Firewall > Access Rules page. Click Next. 5. Click Apply to create the interfaces.
PAGE 181
CHAPTER 16 Chapter 16: Setting Up WAN Failover and Load Balancing Network > WAN Failover & Load Balancing WAN Failover and Load Balancing allows you to designate the one of the user-assigned interfaces as a Secondary or backup WAN port. The secondary WAN port can be used in a simple active/passive setup, where traffic is only routed through the secondary WAN port if the primary WAN port is down and/or unavailable. In this chapter, this feature is referred to as basic failover.
PAGE 182
Network > WAN Failover & Load Balancing About Source and Destination IP Address Binding When you establish a connection with a WAN, you can create multiple interfaces, dividing up the task load over these interfaces. There are both Primary and Secondary WAN interfaces. This task distribution model maintains high performance, ensuring that one interface does not become an impasse to the point where it blocks traffic from passing. This process is WAN Load Balancing.
PAGE 183
Network > WAN Failover & Load Balancing Creating a NAT Policy for the Secondary WAN Port You need to create a NAT policy on your SonicWALL for WAN Failover. Follow these steps to create a NAT policy on your SonicWALL using the OPT interface: Step 1 Select Network > NAT Policies. Step 2 Click Add. The Add NAT Policy window is displayed. Step 3 Select Any from the Original Source menu. Step 4 Select OPT IP from the Translated Source menu. Step 5 Select Any from the Original Destination menu.
PAGE 184
Network > WAN Failover & Load Balancing Activating WAN Failover and Selecting the Load Balancing Method To configure the SonicWALL for WAN failover and load balancing, follow the steps below: 184 Step 1 On Network > WAN Failover & LB page, select Enable Load Balancing. Step 2 If there are multiple possible secondary WAN interfaces, select an interface from the Secondary WAN Interface. Step 3 Select a load balancing method.
PAGE 185
Network > WAN Failover & Load Balancing – Basic Active/Passive Failover: When this setting is selected, the SonicWALL security appliance only sends traffic through the Secondary WAN interface if the Primary WAN interface has been marked inactive. The SonicWALL security appliance is set to use this as the default load balancing method. If the Primary WAN fails, then the SonicWALL security appliance reverts to this method instead of the ones described below.
PAGE 186
Network > WAN Failover & Load Balancing entry box is required (percentage for Primary WAN) The management interface automatically populates the non-user-editable entry box with the remaining percentage assigned to the Secondary WAN interface. Please note this feature will be overridden by specific static route entries.
PAGE 187
Network > WAN Failover & Load Balancing upstream. If your ISP is experiencing problems in its routing infrastructure, a successful ICMP ping of their router causes the SonicWALL security appliance to believe the line is usable, when in fact it may not be able to pass traffic to and from the public Internet at all. To perform reliable link monitoring, you can choose ICMP or TCP as monitoring method, and can specify up to two targets for each WAN port.
PAGE 188
Network > WAN Failover & Load Balancing Note If there is a NAT device between the two devices sending and receiving TCP probes, the Any TCP-SYN to Port box must be checked, and the same port number must be configured here and in the Configure WAN Probe Monitoring window. Step 4 Click on the Configure button. The Configure WAN Probe Monitoring window is displayed.
PAGE 189
Network > WAN Failover & Load Balancing Caution Note Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings. If the Probe Target is unable to contact the target device, the interface is deactivated and traffic is no longer sent to the primary WAN.
PAGE 190
Network > WAN Failover & Load Balancing 190 SonicOS Enhanced 4.
PAGE 191
CHAPTER 17 Chapter 17: Configuring Zones Network > Zones A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following strict physical interface scheme.
PAGE 192
Network > Zones tunnels, which is a feature that users have long requested. SonicWALL security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zone. How Zones Work An easy way to visualize how security zones work is to imagine a large new building, with several rooms inside the building, and a group of new employees that do not know their way around the building.
PAGE 193
Network > Zones Predefined Zones The predefined zones on your the SonicWALL security appliance depend on the device. The following are all the SonicWALL security appliance’s predefined security zones: The predefined security zones on the SonicWALL security appliance are not modifiable and are defined as follows: Note • WAN: This zone can consist of either one or two interfaces.
PAGE 194
Network > Zones • Trusted: Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted. • Encrypted: Encrypted is a security type used exclusively by the VPN Zone. All traffic to and from an Encrypted zone is encrypted.
PAGE 195
Network > Zones • Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones. • Enforce Global Security Clients - Enforces security policies for Global Security Clients on multiple interfaces in the same Trusted, Public or WLAN zones. • Create Group VPN - Creates a GroupVPN policy for the Zone, which is displayed in the VPN Policies table on the VPN > Settings page.
PAGE 196
Network > Zones • Configure: Clicking the Notepad icon displays the Edit Zone window. Clicking the Trashcan icon deletes the zone. The Trashcan icon is dimmed for the predefined zones. You cannot delete these zones. Adding a New Zone To add a new Zone, click Add under the Zone Settings table. The Add Zone window is displayed. Step 1 Type a name for the new zone in the Name field. Step 2 Select a security type Trusted, Public or Wireless from the Security Type menu.
PAGE 197
Network > Zones – Enable Gateway Anti-Virus Service - Enforces gateway anti-virus protection on your SonicWALL security appliance for all clients connecting to this zone. SonicWALL Gateway Anti-Virus manages the anti-virus service on the SonicWALL appliance. – SonicWALL Intrusion Protection Service (IPS) - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
PAGE 198
Network > Zones – Enforce Global Security Clients - Enforces security policies for Global Security Clients on multiple interfaces in the same Trusted, Public or WLAN zones. – Create Group VPN - creates a GroupVPN policy for the Zone, which is displayed in the VPN Policies table on the VPN > Settings page. You can customize the GroupVPN policy on the VPN > Settings page. If you uncheck Create Group VPN, the GroupVPN policy is removed from the VPN > Settings page. Step 4 Click the Wireless tab.
PAGE 199
Network > Zones – X5 IP Step 8 In the SSL-VPN Service list, select the service or group of services you want to allow for clients authenticated through the SSL-VPN. Step 9 Select WiFiSec Enforcement to require that all traffic that enters into the WLAN Zone interface be either IPsec traffic, WPA traffic, or both.
PAGE 200
Network > Zones – Enable Dynamic Address Translation (DAT) - Wireless Guest Services (WGS) provides spur of the moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the TZ 170 Wireless DHCP services, and authenticate using any webbrowser.
PAGE 201
CHAPTER 18 Chapter 18: Configuring DNS Settings Network > DNS The Domain Name System (DNS) is a distributed, hierarchical system that provides a method for identifying hosts on the Internet using alphanumeric names called fully qualified domain names (FQDNs) instead of using difficult to remember numeric IP addresses. The Network > DNS page allows you to manually configure your DNS settings, if necessary.
PAGE 202
Network > DNS To use the DNS Settings configured for the WAN zone, select Inherit DNS Settings Dynamically from the WAN Zone. Click Apply to save your changes. 202 SonicOS Enhanced 4.
PAGE 203
CHAPTER 19 Chapter 19: Configuring Address Objects Network > Address Objects Address Objects are one of four object classes (Address, User, Service, and Schedule) in SonicOS Enhanced. These Address Objects allow for entities to be defined one time, and to be re-used in multiple referential instances throughout the SonicOS interface. For example, take an internal Web-Server with an IP address of 67.115.118.80.
PAGE 204
Network > Address Objects • MAC Address – MAC Address Objects allow for the identification of a host by its hardware address or MAC (Media Access Control) address. MAC Addresses are uniquely assigned to every piece of wired or wireless networking device by their hardware manufacturers, and are intended to be immutable. MAC addresses are 48 bit values that are expressed in 6 byte hex-notation. For example “My Access Point” with a MAC address of “00:06:01:AB:02:CD”.
PAGE 205
Network > Address Objects • All Address Objects - displays all configured Address Objects. • Custom Address Objects - displays Address Objects with custom properties. • Default Address Objects - displays Address Objects configured by default on the SonicWALL security appliance. Sorting Address Objects allows you to quickly and easily locate Address Objects configured on the SonicWALL security appliance.
PAGE 206
Network > Address Objects Default Address Objects and Groups The Default Address Objects view displays the default Address Objects and Address Groups for your SonicWALL security appliance. The Default Address Objects entries cannot be modified or deleted. Therefore, the Notepad (Edit) and Trashcan (delete) icons are dimmed.
PAGE 207
Network > Address Objects Default Address Groups • LAN Subnets • Firewalled Subnets • LAN Interface IP • WAN Subnets • WAN Interface IP • DMZ Subnets • DMZ Interface IP • ALL WAN IP • All Interface IP • All X0 Management IP • All X1 Management IP • Custom Subnets • Custom Interface IP • All SonicPoints • All Authorized Access Points • WLAN Subnets • WLAN Interface IP • All SonicPoints • All Authorized Access Points • Node License Exclusion List • RBL User White List
PAGE 208
Network > Address Objects • X4 Subnet • X5 IP • X5 Subnet • Default Gateway • Secondary Default Gateway • WAN Remote Access Networks • VPN DHCP Clients • LAN Remote Access Networks • SonicPoint Default Address Groups 208 • LAN Subnets • Firewalled Subnets • WAN Subnets • DMZ Subnets • ALL WAN IP • All Interface IP • All X0 Management IP • All X1 Management IP • All SonicPoints • All Authorized Access Points • LAN Interface IP • WAN Interface IP • DMZ Interface I
PAGE 209
Network > Address Objects Adding an Address Object To add an Address Object, click Add button under the Address Objects table in the All Address Objects or Custom Address Objects views to display the Add Address Object window. Step 1 Enter a name for the Network Object in the Name field. Step 2 Select Host, Range, Network, MAC, or FQDN from the Type menu. – If you select Host, enter the IP address and netmask in the IP Address and Netmask fields.
PAGE 210
Network > Address Objects – If you selected MAC, enter the MAC address and netmask in the Network and MAC Address field. – If you selected FQDN, enter the domain name for the individual site or range of sites (with a wildcard) in the FQDN field. Step 3 Select the zone to assign to the Address Object from the Zone Assignment menu. Editing or Deleting an Address Object To edit an Address Object, click the edit icon in the Configure column in the Address Objects table.
PAGE 211
Network > Address Objects Creating Group Address Objects As more and more Address Objects are added to the SonicWALL security appliance, you can simplify managing the addresses and access policies by creating groups of addresses. Changes made to the group are applied to each address in the group. To add a Group of Address Objects, click Add Group to display the Add Address Object Group window. Step 1 Create a name for the group in the Name field.
PAGE 212
Network > Address Objects Public Server Wizard SonicOS Enhanced includes the Public Server Wizard to automate the process of configuring the SonicWALL security appliance for handling public servers. For example, if you have an email and Web server on your network for access from users on the Internet. The Public Server Wizard allows you to select or define the server type (HTTP, FTP, Mail), the private (external) address objects, and the public (internal) address objects.
PAGE 213
Network > Address Objects SonicOS Enhanced 3.5 redefined the operation of MAC AOs, and introduces Fully Qualified Domain Name (FQDN) AOs: • MAC – SonicOS Enhanced 3.5. and higher will resolve MAC AOs to an IP address by referring to the ARP cache on the SonicWALL. • FQDN – Fully Qualified Domain Names, such as ‘www.reallybadwebsite.com’, will be resolved to their IP address (or IP addresses) using the DNS server configured on the SonicWALL.
PAGE 214
Network > Address Objects Feature Benefit FQDN wildcard support FQDN Address Objects support wildcard entries, such as “*.somedomainname.com”, by first resolving the base domain name to all its defined host IP addresses, and then by constantly actively gleaning DNS responses as they pass through the firewall. For example, creating an FQDN AO for “*.myspace.com” will first use the DNS servers configured on the firewall to resolve “myspace.com” to 63.208.226.40, 63.208.226.41, 63.208.226.42, and 63.208.
PAGE 215
Network > Address Objects Feature Benefit FQDN resolution using DNS FQDN Address Objects are resolved using the DNS servers configured on the SonicWALL in the Network > DNS page. Since it is common for DNS entries to resolve to multiple IP addresses, the FQDN DAO resolution process will retrieve all of the addresses to which a host name resolves, up to 256 entries per AO.
PAGE 216
Network > Address Objects • Create Address Object Groups of sanctioned servers (e.g. SMTP, DNS, etc.) • Create Access Rules in the relevant Zones allowing only authorized SMTP servers on your network to communicate outbound SMTP; block all other outbound SMTP traffic to prevent intentional or unintentional outbound spamming. • Create Access Rules in the relevant Zones allowing authorized DNS servers on your network to communicate with all destination hosts using DNS protocols (TCP/UDP 53).
PAGE 217
Network > Address Objects Blocking All Protocol Access to a Domain using FQDN DAOs There might be instances where you wish to block all protocol access to a particular destination IP because of non-standard ports of operations, unknown protocol use, or intentional traffic obscuration through encryption, tunneling, or both.
PAGE 218
Network > Address Objects Step 2 – Create the Firewall Access Rule • Note From the Firewall > Access Rules page, LAN->WAN Zone intersection, Add an Access Rule as follows: Rather than specifying ‘LAN Subnets’ as the source, a more specific source could be specified, as appropriate, so that only certain hosts are denied access to the targets. • When a host behind the firewall attempts to resolve moosifer.dyndns.
PAGE 219
Network > Address Objects The following illustrates a packet dissection of a typical DNS dynamic update process, showing the dynamically configured host 10.50.165.249 registering its full hostname bohuymuth.moosifer.com with the (DHCP provided) DNS server 10.50.165.3: In such environments, it could prove useful to employ FQDN AOs to control access by hostname.
PAGE 220
Network > Address Objects Step 1 – Create the MAC Address Objects • From Network > Address Objects, select Add and create the following Address Object (multi-homing optional, as needed): • Once created, if the hosts were present in the SonicWALL’s ARP cache, they will be resolved immediately, otherwise they will appear in an unresolved state until they are activated and are discovered through ARP: • Create an Address Object Group comprising the Handheld devices: Step 2 – Create the Firewall Access Ru
PAGE 221
Network > Address Objects Bandwidth Managing Access to an Entire Domain Streaming media is one of the most profligate consumers of network bandwidth. But trying to control access, or manage bandwidth allotted to these sites is difficult because most sites that serve streaming media tend to do so off of large server farms. Moreover, these sites frequently re-encode the media and deliver it over HTTP, making it even more difficult to classify and isolate.
PAGE 222
Network > Address Objects Step 2 – Create the Firewall Access Rule • Note 222 From the Firewall > Access Rules page, LAN->WAN Zone intersection, add an Access Rule as follows: If you do not see the Bandwidth tab, you can enable bandwidth management by declaring the bandwidth on your WAN interfaces. For more information on BWM, refer to the Configuring QoS and BWM document at: http://www.sonicwall.com/support/pdfs/ configuring_qos_and_bwm.pdf SonicOS Enhanced 4.
PAGE 223
Network > Address Objects • The BWM icon will appear within the Access Rule table indicating that BWM is active, and providing statistics: • Access to all *.youtube.com hosts, using any protocol, will now be cumulatively limited to 2% of your total available bandwidth for all user sessions. SonicOS Enhanced 4.
PAGE 224
Network > Address Objects 224 SonicOS Enhanced 4.
PAGE 225
CHAPTER 20 Chapter 20: Configuring Routes Network > Routing If you have routers on your interfaces, you can configure static routes on the SonicWALL security appliance on the Network > Routing page. You can create static routing policies that create static routing entries that make decisions based upon source address, source netmask, destination address, destination netmask, service, interface, gateway and metric.
PAGE 226
Network > Routing Route Advertisement The SonicWALL security appliance uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL security appliance and remote VPN gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 or RIPv2 based on your router’s capabilities or configuration.
PAGE 227
Network > Routing • RIPv2 Enabled (broadcast) - To send route advertisements using broadcasting (a single data packet to all nodes on the network). Step 3 In the Advertise Default Route menu, select Never, or When WAN is up, or Always. Step 4 Enable Advertise Static Routes if you have static routes configured on the SonicWALL security appliance, enable this feature to exclude them from Route Advertisement. Step 5 Enable Advertise Remote VPN Networks if you want to advertise VPN networks.
PAGE 228
Network > Routing A metric is a weighted cost assigned to static and dynamic routes. Metrics have a value between 0 and 255. Lower metrics are considered better and take precedence over higher costs. SonicOS Enhanced adheres to Cisco defined metric values for directly connected interfaces, statically encoded routes, and all dynamic IP routing protocols.
PAGE 229
Network > Routing You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific routing policy. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page. You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order.
PAGE 230
Network > Routing To test the Telnet policy-based route, telnet to route-server.exodus.net and when logged in, issue the who command. It displays the IP address (or resolved FQDN) of the WAN IP address of the secondary WAN interface and not the primary WAN interface. Advanced Routing Services (OSPF and RIP) In addition to Policy Based Routing and RIP advertising, SonicOS Enhanced offers the option of enabling Advanced Routing Services (ARS).
PAGE 231
Network > Routing • Protocol Type – Distance Vector protocols such as RIP base routing metrics exclusively on hop counts, while Link state protocols such as OSPF consider the state of the link when determining metrics. For example, OSPF determines interface metrics by dividing its reference bandwidth (100mbits by default) by the interface speed – the faster the link, the lower the cost and the more preferable the path.
PAGE 232
Network > Routing OSPF does not have to impose a hop count limit because it does not advertise entire routing tables, rather it generally only sends link state updates when changes occur. This is a significant advantage in larger networks in that it converges more quickly, produces less update traffic, and supports an unlimited number of hops.
PAGE 233
Network > Routing For example, if you had 8 class C networks: 192.168.0.0/24 through 192.168.7.0/ 24, rather than having to have a separate route statement to each of them, it would be possible to provide a single route to 192.168.0.0/21 which would encompass them all. This ability, in addition to providing more efficient and flexible allocation of IP address space, also allows routing tables and routing updates to be kept smaller.
PAGE 234
Network > Routing used, which is generally discouraged). Area assignment is interface specific on an OSPF router; in other words, a router with multiple interfaces can have those interfaces configured for the same or different areas. • Neighbors – OSPF routers on a common network segment have the potential to become neighbors by means of sending Hello packets.
PAGE 235
Network > Routing LSA’s are then exchanged within LSU’s across these adjacencies rather than between each possible pairing combination of routers on the segment. Link state updates are sent by non-DR routers to the multicast address 224.0.0.6, the RFC1583 assigned ‘OSPFIGP Designated Routers’ address. They are also flooded by DR routers to the multicast address 224.0.0.5 ‘OSPFIGP All Routers’ for all routers to receives the LSA’s.
PAGE 236
Network > Routing – Type 4 (AS Summary Link Advertisements) – Sent across areas by ABR’s to describe networks within a different AS. Type 4 LSA’s are not sent to Stub Areas. – Type 5 (AS External Link Advertisements) – Sent by ASBR (Autonomous System Boundary Routers) to describe routes to networks in a different AS. Type 5 LSA’s are net sent to Stub Areas.
PAGE 237
Network > Routing • Router Types – OSPF recognizes 4 types of routers, based on their roles: • IR (Internal Router) - A router whose interfaces are all contained within the same area. An internal router’s LSDB only contains information about its own area. • ABR (Area Border Router) – A router with interfaces in multiple areas. An ABR maintains LSDB’s for each area to which it is connected, one of which is typically the backbone.
PAGE 238
Network > Routing By default, Advanced Routing Services are disabled, and must be enabled to be made available. At the top of the Network > Routing page, is a checkbox Use Advanced Routing. Toggling the state of this checkbox will require a reboot for the changes to take effect. When the SonicWALL is running in Advanced Routing mode, the top of the Network > Routing page will look as follows: The operation of the RIP and OSPF routing protocols is interface dependent.
PAGE 239
Network > Routing RIP Modes • Disabled – RIP is disabled on this interface • Send and Receive – The RIP router on this interface will send updates and process received updates. • Send Only – The RIP router on this interface will only send updates, and will not process received updates. This is similar to the basic routing implementation. • Receive Only – The RIP router on this interface will only process received updates.
PAGE 240
Network > Routing Redistribute Connected Networks - Enables or disables the advertising of locally connected networks into the RIP system. The metric can be explicitly set for this redistribution, or it can use the value (default) specified in the ‘Default Metric’ setting. Redistribute OSPF Routes - Enables or disables the advertising of routes learned via OSPF into the RIP system.
PAGE 241
Network > Routing The diagram illustrates an OSPF network where the backbone (area 0.0.0.0) comprises the X0 interface on the SonicWALL and the int1 interface on Router A. Two additional areas, 0.0.0.1 and 100.100.100.100 are connected, respectively, to the backbone via interface int2 on ABR Router A, and via the X4:100 VLAN sub-interface on the SonicWALL. To configure OSPF routing on the X0 and the X4:100 interfaces, select the (Configure) icon in the interface’s row under the “Configure OSPF” column.
PAGE 242
Network > Routing • Message Digest – An MD5 hash is used to securely identify the OSPF router on this interface. OSPF Area – The OSPF Area can be represented in either IP or decimal notation. For example, you may represent the area connected to X4:100 as either 100.100.100.100 or 1684300900. OSPFv2 Area Type – See the ‘OSPF Terms’ section above for a more detailed description of these settings. • Normal – Receives and sends all applicable LSA types.
PAGE 243
Network > Routing Redistribute Static Routes – Enables or disables the advertising of static (Policy Based Routing) routes into the OSPF system. Redistribute Connected Networks - Enables or disables the advertising of locally connected networks into the OSPF system. Redistribute RIP Routes - Enables or disables the advertising of routes learned via RIP into the OSPF system. Redistribute Remote VPN Networks - Enables or disables the advertising of static (Policy Based Routing) routes into the RIP system.
PAGE 244
Network > Routing 244 SonicOS Enhanced 4.
PAGE 245
CHAPTER 21 Chapter 21: Configuring NAT Policies Network > NAT Policies • “NAT Policies Table” on page 246 • “NAT Policy Settings Explained” on page 248 • “NAT Policies Q&A” on page 249 The Network Address Translation (NAT) engine in SonicOS Enhanced allows users to define granular NAT polices for their incoming and outgoing traffic.
PAGE 246
Network > NAT Policies NAT Policies Table The NAT Policies table allows you to view your NAT Policies by Custom Policies, Default Policies, or All Policies. 246 SonicOS Enhanced 4.
PAGE 247
Network > NAT Policies Tip Before configuring NAT Policies, be sure to create all Address Objects associated with the policy. For instance, if you are creating a One-to-One NAT policy, be sure you have Address Objects for your public and private IP addresses. Tip By default, LAN to WAN has a NAT policy predefined on the SonicWALL. Navigating and Sorting NAT Policy Entries You can change the view your route policies in the NAT Policies table by selecting one of the view settings in the View Style menu.
PAGE 248
Network > NAT Policies NAT Policy Settings Explained The following explains the settings used to create a NAT policy entry in the Add NAT Policy or Edit NAT Policy windows. Click the Add button in the Network > NAT Policies page to display the Add NAT Policy window to create a new NAT policy or click the Edit icon in the Configure column for the NAT policy you want to edit to display the Edit NAT Policy window.
PAGE 249
Network > NAT Policies • Translated Service: This drop-down menu setting is what the SonicWALL security appliance translates the Original Service to as it exits the SonicWALL security appliance, whether it be to another interface, or into/out-of VPN tunnels. You can use the default services in the SonicWALL security appliance, or you can create your own entries. For many NAT Policies, this field is set to Original, as the policy is only altering source or destination IP addresses.
PAGE 250
Network > NAT Policies to translate all LAN systems to the WAN IP Address, then create a policy saying that a specific system on that LAN use a different IP address, and additionally, create a policy saying that specific use another IP address when using HTTP. Can I have multiple NAT policies for the same objects? Yes – please read the section above. What are the NAT ‘System Polices’? On the Network > NAT Policies page, notice a radio button labeled System Polices.
PAGE 251
Network > NAT Policies This document details how to configure the necessary NAT, load balancing, health check, logging, and firewall rules to allow systems from the public Internet to access a Virtual IP (VIP) that maps to one or more internal systems, such as Web servers, FTP servers, or SonicWALL SSL-VPN appliances. This Virtual IP may be independent of the SonicWALL appliance or it may be shared, assuming the SonicWALL appliance itself is not using the port(s) in question.
PAGE 252
Network > NAT Policies • Round Robin – Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required. • Block Remap/Symmetrical Remap – These two methods are useful when you know the source IP addresses/networks (e.g. when you want to precisely control how traffic from one subnet is translated to another). • Random Distribution – Source IP connects to Destination IP randomly.
PAGE 253
Network > NAT Policies Details of Load Balancing Algorithms This appendix describes how the SonicWALL security appliance applies the load balancing algorithms: • Round Robin - Source IP connects to Destination IP alternately • Random Distribution - Source IP connects to Destination IP randomly • Sticky IP - Source IP connects to same Destination IP • Block Remap - Source network is divided by size of the Destination pool to create logical segments • Symmetrical Remap - Source IP maps to Destinatio
PAGE 254
Network > NAT Policies Creating NAT Policies NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address, and Destination Services. Policybased NAT allows you to deploy different types of NAT simultaneously.
PAGE 255
Network > NAT Policies • Original Service: Any • Translated Service: Original • Inbound Interface: Opt • Outbound Interface: WAN • Comment: Enter a short description • Enable NAT Policy: Checked • Create a reflective policy: Unchecked When done, click on the OK button to add and activate the NAT Policy.
PAGE 256
Network > NAT Policies You can test the dynamic mapping by installing several systems on the LAN interface at a spread-out range of addresses (for example, 192.168.10.10, 192.168.10.100, and 192.168.10.200) and accessing the public website http://www.whatismyip.com from each system. Each system should display a different IP address from the range we created and attached to the NAT policy.
PAGE 257
Network > NAT Policies Creating a One-to-One NAT Policy for Inbound Traffic (Reflective) This is the mirror policy for the one created in the previous section when you check Create a reflective policy. It allows you to translate an external public IP addresses into an internal private IP address.
PAGE 258
Network > NAT Policies Figure 21:1 One-to-Many NAT Load Balancing Topology and Configuration To configure One-to-Many NAT load balancing, first go to the Firewall > Access Rules page and choose the policy for WAN to LAN. Click on the Add… button to bring up the pop-up access policy screen.
PAGE 259
Network > NAT Policies – IP Address: The network IP address for the devices to be load balanced (in the topology shown in Figure 18.1, this is 192.168.200.
PAGE 260
Network > NAT Policies Note Step 3 Make sure you chose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it’s actually the correct thing to do (if you try to specify the interface, you get an error). When finished, click on the OK button to add and activate the NAT Policy.
PAGE 261
Network > NAT Policies 3. Create two NAT entries to allow the two servers to initiate traffic to the public Internet. 4. Create two NAT entries to map the custom ports to the actual listening ports, and to map the private IP addresses to the SonicWALL’s WAN IP address. 5. Create two access rule entries to allow any public user to connect to both servers via the SonicWALL’s WAN IP address and the servers’ respective unique custom ports. Step 1 Create a custom service for the different port.
PAGE 262
Network > NAT Policies When finished, click on the OK button to add and activate the NAT policies. With these policies in place, the SonicWALL security appliance translates the servers’ private IP addresses to the public IP address when it initiates traffic out the WAN interface. Step 4 Go to the Network > NAT Policies menu and click on the Add button. The Add NAT Policy window is displayed.
PAGE 263
Network > NAT Policies Note With previous versions of firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS 2.0 Enhanced. If you write a rule to the private IP address, the rule does not work. Go to the Firewall > Access Rules page and choose the policy for the ‘WAN’ to ‘Sales’ zone intersection (or, whatever zone you put your serves in). Click on the ‘Add…’ button to bring up the pop-up window to create the policies.
PAGE 264
Network > NAT Policies Figure 1 NAT Load Balancing Topology Prerequisites The examples shown in the Tasklist section on the next few pages utilize IP addressing information from a demo setup – please make sure and replace any IP addressing information shown in the examples with the correct addressing information for your setup. Also note that the interface names may be different. Note It is strongly advised that you enable logging for all categories, and enable name resolution for logging.
PAGE 265
Network > NAT Policies and activate the changes. For an example, see the screenshot below. Debug logs should only be used for initial configuration and troubleshooting, and it is advised that once setup is complete, you set the logging level to a more appropriate level for your network environment.
PAGE 266
Network > NAT Policies Step 2 266 Create Address Group -- Now create an address group named www_group and add the two internal server address objects you just created. SonicOS Enhanced 4.
PAGE 267
Network > NAT Policies Step 3 Note Step 4 Create Inbound NAT Rule for Group -- Now create a NAT rule to allow anyone attempting to access the VIP to get translated to the address group you just created, using Sticky IP as the NAT method. For an example see the screenshot below. Do not save the NAT rule just yet.
PAGE 268
Network > NAT Policies Note Step 5 268 Before you go any further, check the logs and the status page to see if the resources have been detected and have been logged as online. If you do not see the two messages below (with your IP addresses), check the steps above. Create Outbound NAT Rule for LB Group -- Write a NAT rule to allow the internal servers to get translated to the VIP when accessing resources out the WAN interface. SonicOS Enhanced 4.
PAGE 269
Network > NAT Policies Step 6 Create Firewall Rule for VIP -- Write a firewall rule to allow traffic from the outside to access the internal Web servers via the VIP. Step 7 Test Your Work – From a laptop outside the WAN, connect via HTTP to the VIP using a Web browser. Note If you wish to load balance one or more SSL-VPN Appliances, repeat steps 1-7, using HTTPS instead as the allowed service.
PAGE 270
Network > NAT Policies You can also check the Firewall > NAT Policies page and mouse-over the Statistics icon. If the policy is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these increment with each successful external access of the load balanced resources.
PAGE 271
CHAPTER 22 Chapter 22: Managing ARP Traffic Network > ARP SonicOS Enhanced 4.
PAGE 272
Network > ARP ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet. ARP is a broadcast protocol that can create excessive amounts of network traffic on your network. To minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned ARP information.
PAGE 273
Network > ARP address on any other interface. It will also remove any dynamically cached references to that MAC address that might have been present, and it will prohibit additional (non-unique) static mappings of that MAC address. • Update IP Address Dynamically - The Update IP Address Dynamically setting in the Add Static ARP window is a sub-feature of the Bind MAC Address option. This allows for a MAC address to be bound to an interface when DHCP is being used to dynamically allocate IP addressing.
PAGE 274
Network > ARP To support the above configuration, first create a published static ARP entry for 192.168.50.1, the address which will serve as the gateway for the secondary subnet, and associate it with the DMZ/OPT interface. From the Network > ARP page, select the Add button in the Static ARP Entries section, and add the following entry: The entry will appear in the table as follows: Navigate to the Network > Routing page, and add a static route for the 192.168.50.
PAGE 275
Network > ARP To allow the traffic to reach the 192.168.50.0/24 subnet, and to allow the 192.168.50.0/24 subnet to reach the hosts on the LAN, navigate to the Firewall > Access Rules page, and add the following Access Rule: Navigating and Sorting the ARP Cache Table The ARP Cache table provides easy pagination for viewing a large number of ARP entries.
PAGE 276
Network > ARP Navigating and Sorting the ARP Cache Table Entries The ARP Cache table provides easy pagination for viewing a large number of ARP entries. You can navigate a large number of ARP entries listed in the ARP Cache table by using the navigation control bar located at the top right of the ARP Cache table. Navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page.
PAGE 277
CHAPTER 23 Chapter 23: Setting Up the DHCP Server Network > DHCP Server This chapter contains the following sections: • “DHCP Server Options Overview” on page 278 • “DHCP Server Persistence Overview” on page 279 • “Enabling the DHCP Server” on page 280 • “DHCP Server Lease Scopes” on page 280 • “Configuring DHCP Server for Dynamic Ranges” on page 281 • “Configuring Static DHCP Entries” on page 283 • “Configuring SonicWALL DHCP Server Options” on page 285 • “Current DHCP Leases” on page 294
PAGE 278
Network > DHCP Server The SonicWALL security appliance includes a DHCP (Dynamic Host Configuration Protocol) server to distribute IP addresses, subnet masks, gateway addresses, and DNS server addresses to your network clients. The Network > DHCP Server page includes settings for configuring the SonicWALL security appliance’s DHCP server. You can use the SonicWALL security appliance’s DHCP server or use existing DHCP servers on your network.
PAGE 279
Network > DHCP Server clients on the network, it provides vendor-specific configuration and service information. The “DHCP Option Numbers” on page 294 provides a list of DHCP options by RFC-assigned option number. Benefits The SonicWALL DHCP server options feature provides a simple interface for selecting DHCP options by number or name, making the DHCP configuration process quick, easy, and compliant with RFC-defined DHCP standards.
PAGE 280
Network > DHCP Server How Does DHCP Server Persistence Work? DHCP server persistence works by storing DHCP lease information periodically to flash memory. This ensures that users have predicable IP addresses and minimizes the risk of IP addressing conflicts after a reboot. Enabling the DHCP Server If you want to use the SonicWALL security appliance’s DHCP server, select Enable DHCP Server on the Network > DHCP Server page.
PAGE 281
Network > DHCP Server Configuring DHCP Server for Dynamic Ranges To configure DHCP server for dynamic IP address ranges, follow these instructions: Step 1 In the Network > DHCP Server page, at the bottom of the DHCP Server Lease Scopes table, click Add Dynamic. The Dynamic Ranges Configuration window is displayed. General Settings Step 2 In the General page, make sure the Enable this DHCP Range is checked, if you want to enable this range. Step 3 Select the interface from the Interface menu.
PAGE 282
Network > DHCP Server DNS/WINS Settings Step 9 Click the DNS/WINS tab to continue configuring the DHCP Server feature. Step 10 If you have a domain name for the DNS server, type it in the Domain Name field. Step 11 Inherit DNS Settings Dynamically using SonicWALL’s DNS Settings automatically populates the DNS and WINS settings with the settings in the Network > DNS page. This option is selected by default.
PAGE 283
Network > DHCP Server VoIP Settings Step 14 Click on the VoIP Settings tab. The VoIP Settings tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network. Step 15 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses. Step 16 Click OK to add the settings to the SonicWALL security appliance.
PAGE 284
Network > DHCP Server General Settings Step 2 In the General tab, make sure the Enable this DHCP Entry is checked, if you want to enable this range. Step 3 Select the interface from the Interface menu. The IP addresses are in the same private subnet as the selected interface. Step 4 Enter a name for the static DNS entry in the Entry Name field. Step 5 Type the device IP address in the Static IP Address field. Step 6 Type the device Ethernet (MAC) address in the Ethernet Address field.
PAGE 285
Network > DHCP Server VoIP Settings Step 15 Click on the VoIP Settings tab. The VoIP Settings tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network. Step 16 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses. Step 17 Click OK to add the settings to the SonicWALL. Step 18 Click Apply for the settings to take effect on the SonicWALL.
PAGE 286
Network > DHCP Server Configuring DHCP Option Objects To configure DHCP option objects, perform the following steps: 286 Step 1 In the left-hand navigation panel, navigate to Network > DHCP Server. Step 2 Under DHCP Server Lease Scopes, click the Option Objects button. The Option Objects page displays. Step 3 Click the Add Option button. The Add DHCP Option Objects page displays. SonicOS Enhanced 4.
PAGE 287
Network > DHCP Server Step 4 Type a name for the option in the Option Name field. Step 5 From the Option Number drop-down list, select the option number that corresponds to your DHCP option. For a list of option numbers and names, refer to “DHCP Option Numbers” on page 294. SonicOS Enhanced 4.
PAGE 288
Network > DHCP Server Step 6 288 Optionally check the Option Array box to allow entry of multiple option values in the Option Value field. SonicOS Enhanced 4.
PAGE 289
Network > DHCP Server Step 7 The option type displays in the Option Type drop-down menu. If only one option type is available, for example, for Option Number 2 (Time Offset), the drop-down menu will be greyed out. If there are multiple option types available, for example, for Option Number 77 (User Class Information), the drop-down menu will be functional. Step 8 Type the option value, for example, an IP address, in the Option Value field.
PAGE 290
Network > DHCP Server Configuring DHCP Option Groups To configure DHCP option groups, perform the following steps: 290 Step 1 In the left-hand navigation panel, navigate to Network > DHCP Server. Step 2 Under DHCP Server Lease Scopes, click Option Groups. The Option Groups page displays. Step 3 Click the Add Group button. The Add DHCP Option Group page displays. SonicOS Enhanced 4.
PAGE 291
Network > DHCP Server Step 4 Enter a name for the group in the Name field. Step 5 Select an option object from the left column and click the -> button to add it to the group. To select multiple option objects at the same time, hold the Ctrl key while selecting the option objects. Step 6 Click OK. The group displays in the Option Groups list. SonicOS Enhanced 4.
PAGE 292
Network > DHCP Server Configuring DHCP Generic Options for DHCP Lease Scopes Note Before generic options for a DHCP lease scope can be configured, a static or dynamic DHCP server lease scope must be created. To configure DHCP generic options for DHCP server lease scopes, perform the following tasks: Step 1 292 If modifying an existing DHCP lease scope, locate the lease scope under DHCP Server Lease Scopes on the Network > DHCP Server page and click the configure icon, then click the Advanced tab.
PAGE 293
Network > DHCP Server Step 2 Select a DHCP option or option group in the DHCP Generic Option Group drop-down menu. Step 3 To always use DHCP options for this DHCP server lease scope, check the box next to Send Generic options always. Step 4 Click OK. SonicOS Enhanced 4.
PAGE 294
Network > DHCP Server Current DHCP Leases The current DHCP lease information is displayed in the Current DHCP Leases table. Each binding entry displays the IP Address, the Ethernet Address, and the Type of binding (Dynamic, Dynamic BOOTP, or Static BOOTP). To delete a binding, which frees the IP address on the DHCP server, click the Delete icon next to the entry. For example, use the Delete icon to remove a host when it has been removed from the network, and you need to reuse its IP address.
PAGE 295
Network > DHCP Server Option Number Name Description 23 Default IP TTL Default IP time-to-live 24 Path MTU Aging Timeout Path MTU aging timeout 25 MTU Plateau Path MTU plateau table 26 Interface MTU Size Interface MTU size 27 All Subnets Are Local All subnets are local 28 Broadcast Address Broadcast address 29 Perform Mask Discovery Perform mask discovery 30 Provide Mask to Others Provide mask to others 31 Perform Router Discovery Perform router discovery 32 Router Solicitation
PAGE 296
Network > DHCP Server Option Number Name 296 Description 55 Parameter Request List Parameter request list 56 Message DHCP error message 57 DHCP Maximum Message Size DHCP maximum message size 58 Renew Time Value DHCP renewal (T1) time 59 Rebinding Time Value DHCP rebinding (T2) time 60 Client Identifier Client identifier 61 Client Identifier Client identifier 62 Netware/IP Domain Name Netware/IP domain name 63 Netware/IP sub Options Netware/IP sub options 64 NIS+ V3 Client Domai
PAGE 297
Network > DHCP Server Option Number Name Description 84 Undefined N/A 85 Novell Directory Servers Novell Directory Services servers 86 Novell Directory Server Tree Name Novell Directory Services server tree name 87 Novell Directory Server Context Novell Directory Services server context 88 BCMCS Controller Domain Name List CMCS controller domain name list 89 BCMCS Controller IPv4 Address List BCMCS controller IPv4 address list 90 Authentication Authentication 91 Undefined N/A 92 U
PAGE 298
Network > DHCP Server 298 Option Number Name Description 115 Undefined N/A 116 Auto Configure DHCP auto-configuration 117 Name Service Search Name service search 118 Subnet Collection Subnet selection 119 DNS Domain Search List DNS domain search list 120 SIP Servers DHCP Option SIP servers DHCP option 121 Classless Static Route Option Classless static route option 122 CCC, CableLabs Client Configuration CableLabs client configuration 123 GeoConf GeoConf 124 Vendor-Identifying
PAGE 299
Network > DHCP Server Option Number Name Description 147 Undefined N/A 148 Undefined N/A 149 Undefined N/A 150 TFTP Server Address, Etherboot, GRUB Config TFTP server address, Etherboot, GRUB configuration 151 Undefined 152 Undefined N/A 153 Undefined N/A 154 Undefined N/A 155 Undefined N/A 156 Undefined N/A 157 Undefined N/A 158 Undefined N/A 159 Undefined N/A 160 Undefined N/A 161 Undefined N/A 162 Undefined N/A 163 Undefined N/A 164 Undefined N/A 16
PAGE 300
Network > DHCP Server 300 Option Number Name Description 183 Undefined N/A 184 Undefined N/A 185 Undefined N/A 186 Undefined N/A 187 Undefined N/A 188 Undefined N/A 189 Undefined N/A 190 Undefined N/A 191 Undefined N/A 192 Undefined N/A 193 Undefined N/A 194 Undefined N/A 195 Undefined N/A 196 Undefined N/A 197 Undefined N/A 198 Undefined N/A 199 Undefined N/A 200 Undefined N/A 201 Undefined N/A 202 Undefined N/A 203 Undefined N/A 204 Undef
PAGE 301
Network > DHCP Server Option Number Name Description 220 Subnet Allocation Subnet allocation 221 Virtual Subnet Allocation Virtual subnet selection 222 Undefined N/A 223 Undefined N/A 224 Private Use Private use 225 Private Use Private use 226 Private Use Private use 227 Private Use Private use 228 Private Use Private use 229 Private Use Private use 230 Private Use Private use 231 Private Use Private use 232 Private Use Private use 233 Private Use Private use 234
PAGE 302
Network > DHCP Server 302 SonicOS Enhanced 4.
PAGE 303
CHAPTER 24 Chapter 24: Using IP Helper Network > IP Helper The IP Helper allows the SonicWALL security appliance to forward DHCP requests originating from the interfaces on a SonicWALL security appliance to a centralized DHCP server on the behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself.
PAGE 304
Network > IP Helper • Enable NetBIOS Support - enables NetBIOS broadcast forwarding with the DHCP requests. NetBIOS is required to allow Windows operating systems to browse for resources on a network. IP Helper Policies IP Helper Policies allow you to forward DHCP and NetBIOS broadcasts from one interface to another interface. Adding an IP Helper Policy Step 1 Click the Add button under the IP Helper Policies table. The Add IP Helper Policy window is displayed.
PAGE 305
CHAPTER 25 Chapter 25: Setting Up Web Proxy Forwarding Network > Web Proxy A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests.
PAGE 306
Network > Web Proxy To configure a Proxy Web sever, select the Network > Web Proxy page. Step 1 Connect your Web proxy server to a hub, and connect the hub to the SonicWALL security appliance WAN port. Step 2 Type the name or IP address of the proxy server in the Proxy Web Server (name or IP address) field. Step 3 Type the proxy IP port in the Proxy Web Server Port field. Step 4 To bypass the Proxy Servers if a failure occurs, select the Bypass Proxy Servers Upon Proxy Server Failure check box.
PAGE 307
CHAPTER 26 Chapter 26: Configuring Dynamic DNS Network > Dynamic DNS Dynamic DNS (DDNS) is a service provided by various companies and organizations that allows for dynamic changing IP addresses to automatically update DNS records without manual intervention. This service allows for network access using domain names rather than IP addresses, even when the target’s IP addresses change.
PAGE 308
Network > Dynamic DNS • Dyndns.org http://www.dyndns.org - SonicOS requires a username, password, Mail Exchanger, and Backup MX to configure DDNS from Dyndns.org. • Changeip.com http://www.changeip.com - A single, traditional Dynamic DNS service requiring only username, password, and domain name for SonicOS configuration. • No-ip.com http://www.no-ip.com - Dynamic DNS service requiring only username, password, and domain name for SonicOS configuration. Also supports hostname grouping. • Yi.
PAGE 309
Network > Dynamic DNS To configure Dynamic DNS on the SonicWALL security appliance, perform these steps: Step 1 From the Network > Dynamic DNS page, click the Add button. The Add DDNS Profile window is displayed. Step 2 If Enable this DDNS Profile is checked, the profile is administratively enabled, and the SonicWALL security appliance takes the actions defined in the Online Settings section on the Advanced tab. Step 3 If Use Online Settings is checked, the profile is administratively online.
PAGE 310
Network > Dynamic DNS – Static - A free DNS service for static IP addresses. Step 9 When using DynDNS.org, you may optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Backup MX if this is the backup mail exchanger. Step 10 Click the Advanced tab. You can typically leave the default settings on this page. Step 11 The On-line Settings section provides control over what address is registered with the dynamic DNS provider.
PAGE 311
Network > Dynamic DNS Dynamic DNS Settings Table The Dynamic DNS Settings table provides a table view of configured DDNS profiles. Dynamic DNS Settings table includes the following columns: • Profile Name - The name assigned to the DDNS entry during its creation. This can be any value, and is used only for identification. • Domain - The fully qualified domain name (FQDN) of the DDNS entry. • Provider - The DDNS provider with whom the entry is registered.
PAGE 312
Network > Dynamic DNS 312 • Online - When selected, this profile is administratively online. The setting can also be controlled using the Use Online Settings checkbox on the entry's Profile tab. Deselecting this checkbox while the profile is enabled will take the profile offline, and the SonicWALL will take the Offline Settings action that is configured on the Advanced tab.
PAGE 313
PART 4 Wireless • SONICWALL SONICOS ENHANCED 4.
PAGE 314
SONICWALL SONICOS ENHANCED 4.
PAGE 315
CHAPTER 27 Chapter 27: Viewing WLAN Settings, Statistics, and Station Status Wireless Overview The SonicWALL Wireless security appliances support two wireless protocols called IEEE 802.11b and 802.11g, commonly known as Wi-Fi, and send data via radio transmissions.
PAGE 316
Wireless Overview • VPN tunnel Considerations for Using Wireless Connections • Mobility - if the majority of your network is laptop computers, wireless is more portable than wired connections. • Convenience - wireless networks do not require cabling of individual computers or opening computer cases to install network cards. • Speed - if network speed is important to you, you may want to consider using Ethernet connections rather than wireless connections.
PAGE 317
Wireless Overview • Try to place the wireless security appliance in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other. • Building construction can make a difference on wireless performance. Avoid placing the wireless security appliance near walls, fireplaces, or other large solid objects.
PAGE 318
Wireless > Status WiFiSec uses the easy provisioning capabilities of the SonicWALL Global VPN client making it easy for experienced and inexperienced administrators to implement on the network. The level of interaction between the Global VPN Client and the user depends on the WiFiSec options selected by the administrator. WiFiSec IPsec terminates on the WLAN/LAN port, and is configured using the Group VPN Security Policy including noneditable parameters specifically for wireless access.
PAGE 319
Wireless > Status WLAN Settings The WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table are hyperlinks to their respective pages for configuration. Enabled features are displayed in green, and disabled features are displayed in red. Click on a setting to go the page in the Management Interface where you can configure that setting.
PAGE 320
Wireless > Status WLAN Settings Value Radio Mode Current power level of the radio signal transmission WLAN Statistics The WLAN Statistics table lists all of the traffic sent and received through the WLAN. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic. Wireless Statistics Rx/TX Good Packets Number of allowed packets received and transmitted.
PAGE 321
Wireless > Status Station Status The Station Status table displays information about wireless connections associated with the wireless security appliance. • Station - the name of the connection used by the MAC address • MAC Address - the wireless network card MAC address • Authenticated - status of 802.11b authentication • Associated - status of 802.
PAGE 322
Wireless > Status 322 SonicOS Enhanced 4.
PAGE 323
CHAPTER 28 Chapter 28: Configuring Wireless Settings Wireless > Settings The Wireless > Settings page allows you to configure your wireless settings. On the Wireless>Settings page, you can enable or disable the WLAN port by selecting or clearing the Enable WLAN checkbox. Wireless Radio Mode Select either Access Point to configure the SonicWALL as the default gateway on your network or select Wireless Bridge from the Radio Role menu to configure the SonicWALL to act as an intermediary wireless device.
PAGE 324
Wireless > Settings Wireless Settings Enable WLAN Radio: Check this checkbox to turn the radio on, and enable wireless networking. Click Apply in the top right corner of the management interface to have this setting take effect. Schedule: The schedule determines when the radio is on to send and receive data. The default value is Always on. The Schedule list displays the schedule objects you create and manage in the System > Schedule page.
PAGE 325
Wireless > Settings mode. Operating in Wireless Bridge mode, the wireless security appliance connects to another wireless security appliance acting as an access point, and allows communications between the connected networks via the wireless bridge. Secure Wireless Bridging employs a WiFiSec VPN policy, providing security to all communications between the wireless networks. Previous bridging solutions offered no encryption, or at best, WEP encryption. SonicOS Enhanced 4.
PAGE 326
Wireless > Settings Configuring a Secure Wireless Bridge When switching from Access Point mode to Wireless Bridge mode, all clients are disconnected, and the navigation panel on the left changes to reflect the new mode of operation. To configure a secure wireless bridge, follow these steps: Step 1 Click Wireless, then Settings. Step 2 In the Wireless Radio Mode section, select Wireless Bridge from the Radio Role menu. The wireless security appliance updates the interface.
PAGE 327
Wireless > Settings For example, in the previous network diagram, the wireless security appliance are configured as follows: • SSID on all three wireless security appliance are set to “myWLAN”. • WLAN addressing for all the wireless security appliance's connected via Wireless Bridge must place the WLAN interfaces on the same subnet: 172.16.31.1 for TZ 170 Wireless1, 172.16.31.2 for TZ 170 Wireless2, and 172.16.31.3 for TZ 170 Wireless3.
PAGE 328
Wireless > Settings • Static routes must be entered on the Access Point TZ 170 Wireless to route back to the LAN subnets of the Bridge Mode TZ 170 Wireless. Referring to the example network, TZ 170 Wireless1 must have static routes to 10.20.20.x/24 via 172.16.31.2 and to 10.30.30.x/24 via 172.16.31.3 Configuring VPN Policies for the Access Point and Wireless Bridge Access Point Configuration After Wireless Settings are defined, the WiFiSec connections (VPN Policies) must be configured.
PAGE 329
Wireless > Settings • One policy to the Site_B address object at 10.30.30.0: SonicOS Enhanced 4.
PAGE 330
Wireless > Settings Configuration for VPN Policies 330 Step 1 Click Network. Step 2 Under Local Networks, select Choose local network from list and select LAN Interface IP. Step 3 Under Destination Networks, select Choose destination network from list and select or create an address object for the destination (Site_A - 10.20.20.0 or Site_B - 10.30.30.0 in the example). Step 4 Click Advanced. Step 5 Select Enable Keep Alive. Step 6 Select Enable Windows Networking (NetBIOS) Broadcast.
PAGE 331
Wireless > Settings Wireless Bridge VPN Policy Configuration The Wireless Bridge VPN Policy is configured as follows: Step 1 Click VPN, then Configure. Step 2 Select IKE using Preshared Secret from the IPsec Keying Mode menu. Step 3 Enter a name for the SA in the Name field. Step 4 Type the IP address of the Access Point in the IPsec Gateway field. In our example network, the IP address is 172.16.31.1.
PAGE 332
Wireless > Settings 332 SonicOS Enhanced 4.
PAGE 333
CHAPTER 29 Chapter 29: Configuring WEP and WPA Security Wireless > WEP/WPA Security Note When the SonicWALL wireless security appliance is configured in Access Point mode, this page is called Security. When the appliance is configured in Wireless Bridge mode, this page is called WEP Encryption. Wired Equivalent Protocol (WEP) can be used to protect data as it is transmitted over the wireless network, but it provides no protection past the SonicWALL.
PAGE 334
Wireless > WEP/WPA Security Authentication Overview Below is a list of available authentication types with descriptive features and uses for each: WEP • Lower security • For use with older legacy devices, PDAs, wireless printers WPA • Good security (uses TKIP) • For use with trusted corporate wireless clients • Transparent authentication with Windows log-in • No client software needed in most cases WPA2 • Best security (uses AES) • For use with trusted corporate wireless clients • Transpar
PAGE 335
Wireless > WEP/WPA Security WEP Encryption Keys Step 1 Select the key number, 1,2,3, or 4, from the Default Key menu. Step 2 Select the key type to be either Alphanumeric or Hexadecimal. WEP - 64-bit WEP - 128-bit Alphanumeric - 5 characters (0-9, A-Z) Alphanumeric - 13 characters (0-9, A-Z) Hexadecimal - 10 characters (0-9, A-F) Hexadecimal - 26 characters (0-9, A-F) Step 3 Type your keys into each field. Step 4 Click Apply.
PAGE 336
Wireless > WEP/WPA Security WPA Settings • Cypher Type: select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis. • Group Key Update: Specifies when the SonicWALL Secure Anti-Virus Router 80 Wireless updates the key. Select By Timeout to generate a new group key after an interval specified in seconds. Select By Packet to generate a new group key after a specific number of packets. Select Disabled to use a static key.
PAGE 337
Wireless > WEP/WPA Security • Radius Server 2 IP and Port: Enter the IP address and port number for your secondary RADIUS server, if you have one. • Radius Server 2 Secret: Enter the password for access to Radius Server Click Apply in the top right corner to apply your WPA settings. WPA/WPA2 Encryption Settings Like WPA, WPA2 supports two protocols for storing and generating keys: Note • Pre-Shared Key (PSK): PSK allows WPA2 to generate keys from a pre-shared passphrase that you configure.
PAGE 338
Wireless > WEP/WPA Security Preshared Key Settings (PSK) • Passphrase: Enter the passphrase from which the key is generated. Click Apply in the top right corner to apply your WPA2 settings. WPA2-EAP Settings Encryption Mode: In the Authentication Type field, select WPA-EAP. WPA Settings • Cypher Type: select AES. Advanced Encryption Standard (AES) is an advanced block cipher protocol for enforcing key integrity.
PAGE 339
CHAPTER 30 Chapter 30: Configuring Advanced Wireless Settings Wireless > Advanced To access Advanced configuration settings for the SonicWALL wireless security appliance, log into the SonicWALL, click Wireless, and then Advanced. The Wireless > Advanced page is only available when the SonicWALL is acting as an access point. SonicOS Enhanced 4.
PAGE 340
Wireless > Advanced Beaconing & SSID Controls 1. Select Hide SSID in Beacon. Suppresses broadcasting of the SSID name and disables responses to probe requests. Checking this option helps prevent your wireless SSID from being seen by unauthorized wireless clients. 2. Type a value in milliseconds for the Beacon Interval. Decreasing the interval time makes passive scanning more reliable and faster because Beacon frames announce the network to the wireless connection more frequently.
PAGE 341
Wireless > Advanced • 2: Select 2 to restrict the wireless security appliance to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the power supply. You can disconnect antenna 1 when using only antenna 2. Antenna 1 Antenna 2 SonicOS Enhanced 4.
PAGE 342
Wireless > Advanced Advanced Radio Settings The following other advanced settings can be configured. Step 1 Enable Short Slot Time: Select Enable Short Slot Time to increase performance if you only expect 802.11g traffic. 802.11b is not compatible with short slot time. Step 2 Select High from the Transmit Power menu to send the strongest signal on the WLAN. For example, select High if the signal is going from building-to-building.
PAGE 343
Wireless > Advanced overlapping SonicPoints. However, it can slow down performance. Auto is probably the best setting, as it will engage only in the case of overlapping SonicPoints. Step 11 Protection Rate: The protection rate determines the data rate when protection is on. The slowest rate offers the greatest degree of protection but the slowest data transmission rate. Choose 1 Mbps, 2 Mbps, 5 Mbps, or 11 Mbps.
PAGE 344
Wireless > Advanced 344 SonicOS Enhanced 4.
PAGE 345
CHAPTER 31 Chapter 31: Configuring MAC Filter List Wireless > MAC Filter List Wireless networking provides native MAC filtering capabilities which prevents wireless clients from authenticating and associating with the wireless security appliance. If you enforce MAC filtering on the WLAN, wireless clients must provide you with the MAC address of their wireless networking card. To set up your MAC Filter List, log into the SonicWALL, and click Wireless, then MAC Filter List.
PAGE 346
Wireless > MAC Filter List The items in the list are address object groups, defined groups of objects that represent specific IP addresses or ranges of addresses that can be used throughout the management interface to specify network resources. An address object group can contain other address object groups. The Allow List and Deny List are also address object groups.
PAGE 347
CHAPTER 32 Chapter 32: Configuring Wireless IDS Wireless > IDS Wireless Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWALL wireless security appliances by enabling them to recognize and even take countermeasures against the most common types of illicit wireless activity. WIDS consists of three types of services, namely, Sequence Number Analysis, Association Flood Detection, and Rogue Access Point Detection.
PAGE 348
Wireless > IDS Access Point IDS When the Radio Role of the wireless security appliance is set to Access Point mode, all three types of WIDS services are available, but Rogue Access Point detection, by default, acts in a passive mode (passively listening to other Access Point Beacon frames only on the selected channel of operation).
PAGE 349
Wireless > IDS Enable Association Flood Detection is selected by default. The Association Flood Threshold is set to 5 Association attempts within 5 seconds by default. Intrusion Detection Settings Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network.
PAGE 350
Wireless > IDS Scanning for Access Points Active scanning occurs when the wireless security appliance starts up, and at any time Scan Now is clicked at the bottom of the Discovered Access Points table. When the wireless security appliance is operating in a Bridge Mode, the Scan Now feature does not cause any interruption to the bridged connectivity.
PAGE 351
CHAPTER 33 Chapter 33: Configuring Virtual Access Points Wireless > Virtual Access Point This chapter describes the Virtual Access Point feature and includes the following sections: • “SonicPoint VAP Overview” section on page 352 – “What Is a Virtual Access Point?” section on page 352 – “What Is an SSID?” section on page 352 – “Wireless Roaming with ESSID” section on page 353 – “What Is a BSSID?” section on page 353 – “Benefits of Using Virtual APs” section on page 353 • “Virtual AP Configuration Task
PAGE 352
Wireless > Virtual Access Point SonicPoint VAP Overview This section provides an introduction to the Virtual Access Point feature.
PAGE 353
Wireless > Virtual Access Point Wireless Roaming with ESSID An ESSID (Extended Service Set IDentifier) is a collection of Access Points (or Virtual Access Points) sharing the same SSID. A typical wireless network comprises more than one AP for the purpose of covering geographic areas larger than can be serviced by a single AP.
PAGE 354
Wireless > Virtual Access Point • “Virtual Access Points” section on page 363 • “Virtual Access Point Groups” section on page 364 VAP Configuration Overview The following are required areas of configuration for VAP deployment. This sequence of steps is designed specifically to honor dependencies, provide configuration task efficiency, and minimize the total number of required steps for VAP configuration. 1. Zone - The Zone is the backbone of your VAP configuration.
PAGE 355
Wireless > Virtual Access Point A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface.
PAGE 356
Wireless > Virtual Access Point General 356 Feature Description Name Create a name for your custom Zone Security Type Select Wireless in order to enable and access wireless security options. Allow Interface Trust Select this option to automatically create access rules to allow traffic to flow between the interfaces of a zone. This will effectively allow users on a wireless zone to communicate with each other. This option is often disabled when setting up Wireless Guest Services (WGS).
PAGE 357
Wireless > Virtual Access Point Wireless Feature Description Only allow traffic generated by a SonicPoint Restricts traffic on this zone to SonicPoint-generated traffic only. SSL-VPN Enforcement Redirects all traffic entering the Wireless Zone to a defined SonicWALL SSL-VPN appliance. This allows all wireless traffic to be authenticated and encrypted by the SSL-VPN, using, for example, NetExtender to tunnel all traffic.
PAGE 358
Wireless > Virtual Access Point Guest Services The Enable Wireless Guest Services option allows the following guest services to be applied to a zone: Feature Description Enable inter-guest communication Allows guests connecting to SonicPoints in this Wireless Zone to communicate directly and wirelessly with each other.
PAGE 359
Wireless > Virtual Access Point Feature Description Redirect SMTP traffic to Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to. Deny Networks Blocks traffic from the networks you specify. Select the subnet, address group, or IP address to block traffic from. Pass Networks Automatically allows traffic through the Wireless Zone from the networks you select.
PAGE 360
Wireless > Virtual Access Point • Subnet Name: The name of the interface. • IP Address: The first IP address in the subnet. Make sure that the IP address subnet does not conflict with another address range. • Subnet Mask: 255.255.255.0 is the default • SonicPoint Limit: The maximum number of allowed SonicPoints is configured automatically. • Comment: Optionally enter a comment about the subnet.
PAGE 361
Wireless > Virtual Access Point Virtual Access Points Profiles A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allows settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are created by clicking the Add... button in the Virtual Access Point Profiles section of the Wireless > Virtual Access Point page.
PAGE 362
Wireless > Virtual Access Point Feature Description Multicast Cipher The multicast cipher will be automatically chosen based on the authentication type. Maximum Clients Choose the maximum number of concurrent client connections permissible for this virtual access point. WPA-PSK / WPA2-PSK Encryption Settings Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.
PAGE 363
Wireless > Virtual Access Point Virtual Access Points Virtual Access Points are configured from the Wireless > Virtual Access Point page by clicking the Add... button in the Virtual Access Points section. General VAP Settings Feature Description SSID Create a friendly name for your VAP. Subnet name Select the WLAN subnet that will be used for this VAP. The WLAN subnet must be created on the Network > Interfaces page before you can create the VAP. Enable Virtual Access Point Enables this VAP.
PAGE 364
Wireless > Virtual Access Point Virtual Access Point Groups The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to the integrated wireless radio of the SonicWALL security appliance. Virtual Access Point Groups are configured from the Wireless > Virtual Access Point page. After you have created your VAPs, you must add them to the VAP group. 364 Step 1 Click the Configure icon next to the Virtual Access Point group, which is named Internal AP Group by default.
PAGE 365
Thinking Critically About VAPs Thinking Critically About VAPs This section provides content to help determine what your VAP requirements are and how to apply these requirements to a useful VAP configuration.
PAGE 366
Thinking Critically About VAPs Determining Security Configurations Understanding these requirements, you can then define the Zones (and interfaces) and VAPs that will provide wireless services to these users: • Corp Wireless – Highly trusted wireless Zone. Employs WPA2-AUTO-EAP security. WiFiSec (WPA) Enforced. • WEP & PSK – Moderate trust wireless Zone. Comprises two virtual APs and sub-interfaces, one for legacy WEP devices (e.g.
PAGE 367
Thinking Critically About VAPs Questions How many different types of users will I need to support? How many users will each VAP need to support? Examples Corporate wireless, guest access, visiting partners, wireless devices are all common user types, each requiring their own VAP Your Configurations: Solutions Plan out the number of different VAPs needed.
PAGE 368
Thinking Critically About VAPs Questions What security services to I wish to apply to my users? 368 Examples Corporate users who you want protected by the full SonicWALL security suite. Guest users who have no LAN access. Your Configurations: SonicOS Enhanced 4.0 Administrator Guide Solutions Enable all SonicWALL security services. Disable all SonicWALL security services.
PAGE 369
PART 5 WWAN SONICWALL SONICOS ENHANCED 4.
PAGE 370
SONICWALL SONICOS ENHANCED 4.
PAGE 371
CHAPTER 34 Chapter34: Configuring Wireless WAN (TZ 190 only) WWAN This chapter describes how to configure the Wireless WAN interface on the SonicWALL TZ 190 appliance.
PAGE 372
WWAN • Primary WAN connection where wire-based connections are not available and 3G Cellular is. Wireless Wide Area Networks provide untethered remote network access through the use of mobile or cellular data networks. While legacy cellular networks, such as GSM, were only able to provide data rates of about 14 Kbps, today's emerging WWAN technologies (such as UMTS and HSDPA) provide theoretical data rates of up to 10 Mbps, rivaling many wired technologies.
PAGE 373
WWAN Understanding WWAN Failover When the WAN Connection Model is set to Ethernet with WWAN Failover, the WAN (Ethernet) interface is the primary connection. If the WAN interface fails, the SonicWALL TZ 190 fails over to the WWAN interface. Note It is important to note that the WAN-to-WWAN failover process is different for the three different WWAN Connection Profile dial types: Persistent, Dial on Data, and Manual Dial.
PAGE 374
WWAN If a secondary Ethernet WAN (the OPT port) is configured, the TZ190 will first failover to the secondary Ethernet WAN before failing over to the WWAN. In this situation, WWAN failover will only occur when both the WAN and OPT paths are unavailable. 3.
PAGE 375
WWAN Caution It is not recommended to configure a policy-based route that uses the WWAN connection when the WAN Connection Model is set for Ethernet with WWAN Failover. If a policybased route is configured to use the WWAN connection, the connection will remain up until the Maximum Connection Time (if configured) is reached.
PAGE 376
WWAN Wireless WAN PC Card Support To use the wireless WAN interface you must have a wireless WAN PC card and a contract with a wireless service provider. Because both GSM and CDMA provide virtually the same performance, a WWAN service provider should be selected based primarily on the availability of supported hardware. SonicOS Enhanced 3.
PAGE 377
WWAN Viewing the WWAN Status The WWAN > Status page displays the current status of WWAN on the SonicWALL TZ190. It indicates the status of the WWAN connection, the current active WAN interface, or the current backup WAN interface. It also displays IP address information, DNS server addresses, the current active dial up profile, and the current signal strength.
PAGE 378
WWAN • “Management/User Login” on page 379 • “WWAN Probe Settings” on page 379 Connect on Data The Connect on Data Categories settings allow you to configure the WWAN interface to automatically connect to the WWAN service provider when the SonicWALL TZ 190 detects specific types of traffic.
PAGE 379
WWAN Management/User Login The Management/User Login section must be configure to enable remote management of the SonicWALL TZ 190 appliance over the WWAN interface. You can select any of the supported management protocol(s): HTTPS, Ping, and/or SNMP. You can also select HTTP for management traffic. However, bear in mind that HTTP traffic is less secure than HTTPS.
PAGE 380
WWAN Configuring WWAN Advanced Settings The WWAN > Advanced page is used to configure the Remotely Triggered Dial-Out feature on the SonicWALL TZ 190. The Remotely Triggered Dial-Out feature enables network administrators to remotely initiate a WWAN connection from a SonicWALL TZ 190. Configuring Remotely Triggered Dial-Out Before configuring the Remotely Triggered Dial-Out feature, ensure that your configuration meets the following prerequisites: • The WWAN profile is configured for dial-on-data.
PAGE 381
WWAN Configuring WWAN Connection Profiles Use the WWAN > Connection Profiles to configure WWAN connection profiles and set the primary and alternate profiles. Select the Primary WWAN connection profile in the Primary Profile pulldown menu. Optionally, you can select up to two alternate WWAN profiles. To create a WWAN connection profile, perform the following steps: 1. On the WWAN > Connection Profiles page, click on the Add button. The WWAN Profile Configuration window displays. 2.
PAGE 382
WWAN 3. Select the Service Provider that you have created an account with. Note that only service providers supported in the country you selected are displayed. 4. In the Plan Type window, select the WWAN plan you have subscribed to with the service provider. If your specific plan type is listed in the pulldown menu, the rest of the fields in the General tab are automatically provisioned. Verify that these fields are correct and click on the Parameters tab. 5.
PAGE 383
WWAN 13. Select the Enable Inactivity Disconnect (minutes) checkbox and enter a number in the field to have the WWAN connection disconnected after the specified number of minutes of inactivity. Note that this option is not available if the Dial Type is Persistent Connection. 14. Select the Enable Max Connection Time (minutes) checkbox and enter a number in the field to have the WWAN connection disconnected after the specified number of minutes, regardless if the session is inactive or not.
PAGE 384
WWAN 19. Click on the Data Limiting tab. Tip If your WWAN account has a monthly data or time limit, it is strongly recommended that you enable Data Usage Limiting. 20. Select the Enable Data Usage Limiting checkbox to have the WWAN interface become automatically disabled when the specified data or time limit has been reached for the month. 21. Select the day of the month to start tracking the monthly data or time usage in the Billing Cycle Start Date pulldown menu. 22.
PAGE 385
WWAN To disconnect a WWAN connection, click on the Manage button. The WWAN Connection window displays. Click Disconnect. See “Configuring the Wireless WAN Interface” on page 152 for more information. Specifying the WAN Connection Model To configure the WAN connection model, navigate to the Network > Interfaces page and select one of the following options in the WAN Connection Model pulldown menu: • WWAN only - The WAN interface is disabled and the WWAN interface is used exclusively.
PAGE 386
WWAN Note The Data Usage table is only estimate of the current usage and should not be used to calculate actual charges. Contact your Service Provider for accurate billing information. The Session History table displays a summary of information about WWAN sessions. To view additional details about a specific session, place your mouse cursor over the Properties balloon.
PAGE 387
WWAN GPRS has an additional advantage over GSM in that it is a packet-switched technology, meaning that stations only send data when there is data to send (rather than reserving the entire channel as occurs in GSM's circuit-switched networks) thus making more efficient use of available bandwidth. The process of connecting to a GPRS network generally involves attachment to the network, followed by the construction and activation of a PDP context, as performed by a series of AT commands.
PAGE 388
WWAN • 388 W-CDMA - Wideband Code Division Multiple Access - The technology underlying UMTS, W-CDMA is an evolution of the GSM protocol. Referred to a Wideband because its carrier channels are four times wider than then original CDMA standard (5 MHz versus 1.25 MHz). SonicOS Enhanced 4.
PAGE 389
PART 6 SonicPoint SONICWALL SONICOS ENHANCED 4.
PAGE 390
SONICWALL SONICOS ENHANCED 4.
PAGE 391
CHAPTER 35 Chapter 35: Managing SonicPoints SonicPoint > SonicPoints SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL security appliances to provide wireless access throughout your enterprise. The SonicPoint section of the Management Interface lets you manage the SonicPoints connected to your system.
PAGE 392
SonicPoint > SonicPoints • Attach the SonicPoints to the interfaces in the Wireless zone. • Test SonicPoints SonicPoint Provisioning Profiles SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSID’s, and channels of operation.
PAGE 393
SonicPoint > SonicPoints Configuring a SonicPoint Profile You can add any number of SonicPoint profiles. To configure a SonicPoint provisioning profile: Step 1 To add a new profile click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the edit icon in the same line as the profile you are editing.
PAGE 394
SonicPoint > SonicPoints – Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under. Step 3 In the 802.11g tab, Configure the radio settings for the 802.11g (2.4GHz band) radio: – Enable 802.11g Radio: Check this to automatically enable the 802.11g radio bands on all SonicPoints provisioned with this profile. – Select a schedule to determine when the radio is enabled. The default is Always on.
PAGE 395
SonicPoint > SonicPoints – Default Key: Select which key in the list below is the default key, which will be tried first when trying to authenticate a user. – Key Entry: Select whether the key is alphanumeric or hexadecimal. – Key 1 - Key 4: Enter the encryptions keys for WEP encryption. Enter the most likely to be used in the field you selected as the default key. Step 4 In the 802.11g Advanced tab, configure the performance settings for the 802.11g radio. For most 802.
PAGE 396
SonicPoint > SonicPoints – DTIM Interval: Enter the interval in milliseconds. – Fragmentation Threshold (bytes): Enter the number of bytes of fragmented data you want the network to allow. – RTS Threshold (bytes): Enter the number of bytes. – Maximum Client Associations: Enter the maximum number of clients you want the SonicPoint to support on this radio at one time. – Preamble Length: Select the length of the preamble--the initial wireless communication send when associating with a wireless host.
PAGE 397
SonicPoint > SonicPoints that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS will then use the profile associated with the relevant Zone to configure the 2.4GHz and 5GHz radio settings. Modifications to profiles will not affect units that have already been provisioned and are in an operational state.
PAGE 398
SonicPoint > SonicPoints The options on these tabs are the same as the Add SonicPoint Profile screen. See Configuring a SonicPoint Profile for instructions on configuring these settings. Step 3 Click OK to apply these settings. Synchronize SonicPoints Click Synchronize SonicPoints at the top of the SonicPoint > SonicPoints page to update the settings for each SonicPoint reported on the page.
PAGE 399
SonicPoint > SonicPoints Step 6 Caution Click Apply. It is imperative that you download the corresponding SonicPoint image for the SonicOS firmware version that is running on your SonicWALL. The mysonicwall.com Web site provides information about the corresponding versions. When upgrading your SonicOS firmware, be sure to upgrade to the correct SonicPoint image.
PAGE 400
SonicPoint > SonicPoints 400 • Operational – Once the SonicPoint has peered with a SonicOS device and has its configuration validated, it will enter into a operational state, and will be ready for clients. • Provisioning – If the SonicPoint configuration requires an update, the SonicOS device will engage an SSPP channel to update the SonicPoint. During this brief process it will enter the provisioning state.
PAGE 401
CHAPTER 36 Chapter 36: Viewing Station Status SonicPoint > Station Status The SonicPoint > Station Status page reports on the statistics of each SonicPoint. The table lists entries for each wireless client connected to each SonicPoint. The sections of the table are divided by SonicPoint. Under each SonicPoint, is the list of all clients currently connected to it. Click the Refresh button in the top right corner to refresh the list. By default, the page displays the first 50 entries found.
PAGE 402
SonicPoint > Station Status Click on the Statistics icon to see a detailed report for an individual station. Each SonicPoint device reports for both radios, and for each station, the following information to its SonicOS peer: • MAC Address – The client’s (Station’s) hardware address. • Station State – The state of the station. States can include: – None – No state information yet exists for the station. – Authenticated – The station has successfully authenticated.
PAGE 403
SonicPoint > Station Status – Re-association request – Re-association response – Probe request – Probe response – Beacon frame – ATIM message – Disassociation – Authentication – De-authentication • Management Frames Transmitted – Total number of Management frames transmitted. • Control Frames Received – Total number of Control frames received.
PAGE 404
SonicPoint > Station Status 404 SonicOS Enhanced 4.
PAGE 405
CHAPTER 37 Chapter 37: Using and Configuring IDS SonicPoint > IDS You can have many wireless access points within reach of the signal of the SonicPoints on your network. The SonicPoint > IDS page reports on all access points the SonicWALL security appliance can find by scanning the 802.11a and 802.11g radio bands.
PAGE 406
SonicPoint > IDS Intrusion Detection Settings Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network creates a easy environment for introducing rogue access points.
PAGE 407
SonicPoint > IDS Discovered Access Points The Discovered Access points displays information on every access point that can be detected by the SonicPoint radio: • SonicPoint: The SonicPoint that detected the access point. • MAC Address (BSSID): The MAC address of the radio interface of the detected access point. • SSID: The radio SSID of the access point. • Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz. • Channel: The radio channel used by the access point.
PAGE 408
SonicPoint > IDS 408 SonicOS Enhanced 4.
PAGE 409
CHAPTER 38 Chapter 38: Configuring RF Monitoring SonicPoint > RF Monitoring This chapter describes how to plan, design, implement, and maintain the RF Monitoring feature in SonicWALL SonicOS 4.0 Enhanced.
PAGE 410
SonicPoint > RF Monitoring Why RF Monitoring? Radio Frequency (RF) technology used in today’s 802.11-based wireless networking devices poses an attractive target for intruders. If left un-managed, RF devices can leave your wireless (and wired) network open to a variety of outside threats, from Denial of Service (DoS) to network security breaches. In order to help secure your SonicPoint Wireless Access Point (AP) stations, SonicWALL takes a closer look at these threats.
PAGE 411
SonicPoint > RF Monitoring Enabling RF Monitoring on SonicPoint(s) In order for RF Monitoring to be enforced, you must enable the RF Monitoring option on all available SonicPoint devices. The following section provides instructions to re-provision all available SonicPoints with RF Monitoring enabled. Step 1 Navigate to SonicPoint > SonicPoints in the SonicWALL security appliance management interface. Step 2 Click the Configure button corresponding to the desired SonicPoint Provisioning Profile.
PAGE 412
SonicPoint > RF Monitoring RF Monitoring Interface Overview The top portion of the RF Monitoring interface allows you to: • View the number of threats logged for each group/signature • Select which RF signature types your SonicWALL looks for The bottom (Discovered RF Threat Stations) portion of the interface allows you to: • View a detailed log of the most current threats • Configure a watch list for discovered stations Set the Measurement Interval In the RF Monitoring Summary section, the Measurem
PAGE 413
SonicPoint > RF Monitoring Tip For a complete list of RF Threat types and their descriptions, see the “Types of RF Threat Detection” section on page 414 of this document. Viewing Discovered RF Threat Stations The RF Monitoring Discovered Threat Stations list allows you to view, sort and manage a list of the most recent threats to your wireless network.
PAGE 414
SonicPoint > RF Monitoring To add a station to the watch list: Step 1 In the SonicPoint > RF Monitoring page, navigate to the Discovered RF threat stations section. Step 2 Click the Step 3 A confirmation screen will appear. Click OK to add the station to the watch list. Step 4 If you have accidentally added a station to the watch list, or would otherwise like a station removed from the list, click the icon that corresponds to the threat station you wish to remove.
PAGE 415
SonicPoint > RF Monitoring • Ad-Hoc Station Detection - Ad-Hoc stations are nodes which provide access to wireless clients by acting as a bridge between the actual access point and the user. Wireless users are often tricked into connecting to an Ad-Hoc station instead of the actual access point, as they may have the same SSID. This allows the Ad-Hoc station to intercept any wireless traffic that connected clients send to or receive from the access point.
PAGE 416
SonicPoint > RF Monitoring Timesaver For this section in particular (and as a good habit in general), you may find it helpful to keep a record of the locations and MAC addresses of your SonicPoint devices. Step 1 Navigate to the SonicPoint > RF Monitoring page in the SonicWALL Management Interface. Step 2 In the Discovered RF Threat Stations table, locate the Sensor for the SonicPoint that is detecting the targeted RF threat and record the number. Step 3 Navigate to SonicPoint > SonicPoints.
PAGE 417
SonicPoint > RF Monitoring Using RSSI to Determine RF Threat Proximity This section builds on what was learned in the “Using Sensor ID to Determine RF Threat Location” section on page 415. In the Discovered RF Threat Stations list, the Rssi field indicates the signal strength at which a particular Sonic Point is detecting an RF threat. The Rssi field allows you to easily determine the proximity of an RF threat to the SonicPoint that is detecting that threat.
PAGE 418
SonicPoint > RF Monitoring A high Rssi usually indicates an RF threat that is closer to the SonicPoint. A low Rssi can indicate obstructions or a more distant RF threat. 20 SonicWALL PRO 5060 with RF Management enabled PRO 3060 rssi - Identifies signal strength of the RF threat, allowing for approximate distance gauging. SonicPoint Strong signal rssi: 33 Weak signal rssi: 12 418 SonicOS Enhanced 4.
PAGE 419
PART 7 Firewall SONICWALL SONICOS ENHANCED 4.
PAGE 420
SONICWALL SONICOS ENHANCED 4.
PAGE 421
CHAPTER 39 Chapter 39: Configuring Access Rules Firewall > Access Rules This chapter provides an overview on your SonicWALL security appliance stateful packet inspection default access rules and configuration examples to customize your access rules to meet your business requirements. Access rules are network management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.
PAGE 422
Firewall > Access Rules Stateful Packet Inspection Default Access Rules Overview By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined by the “Default” stateful inspection packet access rule enabled in the SonicWALL security appliance: • Allow all sessions originating from the LAN, WLAN to the WAN, DMZ, or OPT.
PAGE 423
Firewall > Access Rules The outbound SMTP traffic is guaranteed 20 percent of available bandwidth available to it and can get as much as 40 percent of available bandwidth. If this is the only access rule using bandwidth management, it has priority over all other access rules on the SonicWALL security appliance. Other access rules use the remaining bandwidth (minus 20 percent of bandwidth, or greater than minus 20 percent and less than minus 40 percent of bandwidth).
PAGE 424
Firewall > Access Rules Tip You can also view access rules by Zones. Use the Option checkboxes in the From Zone and To Zone column. Select LAN, WAN, VPN, ALL from the From Zone column. And then select LAN, WAN, VPN, ALL from the To Zone column. Click OK to display the access rules. Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.
PAGE 425
Firewall > Access Rules You can change the priority ranking of an access rule by clicking the Arrows icon in the Priority column. The Change Priority window is displayed. Enter the new priority number (1-10) in the Priority field, and click OK. Tip If the Trashcan or Notepad icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list. SonicOS Enhanced 4.
PAGE 426
Firewall > Access Rules Adding Access Rules To add access rules to the SonicWALL security appliance, perform the following steps: Step 1 Click Add at the bottom of the Access Rules table. The Add Rule window is displayed. Step 2 In the General tab, select Allow | Deny | Discard from the Action list to permit or block IP traffic. Step 3 Select the from and to zones from the From Zone and To Zone menus. Step 4 Select the service or group of services affected by the access rule from the Service list.
PAGE 427
Firewall > Access Rules Step 13 If you would like for the access rule to timeout after a period of TCP inactivity, set the amount of time, in minutes, in the TCP Connection Inactivity Timeout (minutes) field. The default value is 5 minutes. Step 14 If you would like for the access rule to timeout after a period of UDP inactivity, set the amount of time, in minutes, in the UDP Connection Inactivity Timeout (minutes) field. The default value is 30 minutes.
PAGE 428
Firewall > Access Rules – None: DSCP values in packets are reset to 0. – Preserve: DSCP values in packets will remain unaltered. – Explicit: Set the DSCP value to the value you select in the Explicit DSCP Value field. This is a numeric value between 0 and 63.
PAGE 429
Firewall > Access Rules • 6 - Voice (<10ms latency) • 7 - Network control – Map: The QoS mapping settings on the Firewall > QoS Mapping page will be used. See “Firewall > QoS Mapping” section on page 467 for instructions on configuring the QoS Mapping. Step 20 Click OK to add the rule. Tip Although custom access rules can be created that allow inbound IP traffic, the SonicWALL security appliance does not disable protection from DoS attacks, such as the SYN Flood and Ping of Death attacks.
PAGE 430
Firewall > Access Rules Coupled with IPS, this can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second.
PAGE 431
Firewall > Access Rules Enabling Ping This sections provides a configuration example for an access rule to allow devices on the DMZ to send ping requests and receive ping responses from devices on the LAN. By default your SonicWALL security appliance does not allow traffic initiated from the DMZ to reach the LAN.
PAGE 432
Firewall > Access Rules 432 SonicOS Enhanced 4.
PAGE 433
CHAPTER 40 Chapter 40: Configuring Advanced Access Rule Settings Firewall > Advanced To configure advanced access rule options, select Firewall > Advanced under Firewall. The Advanced Rule Options page is displayed. The Advanced Rule Options includes the following firewall configuration option groups: • Detection Prevention • Dynamic Ports • Source Routed Packets • Connections • Access Rule Service Options • IP and UDP Checksum Enforcement SonicOS Enhanced 4.
PAGE 434
Firewall > Advanced • UDP Detection Prevention • Enable Stealth Mode - By default, the security appliance responds to incoming connection requests as either “blocked” or “open.” If you enable Stealth Mode, your security appliance does not respond to blocked inbound connection requests. Stealth Mode makes your security appliance essentially invisible to hackers.
PAGE 435
Firewall > Advanced Access Rule Service Options Force inbound and outbound FTP data connections to use default port 20 - The default configuration allows FTP connections from port 20 but remaps outbound traffic to a port such as 1024. If the check box is selected, any FTP data connection through the security appliance must come from port 20 or the connection is dropped. The event is then logged as a log event on the security appliance.
PAGE 436
Firewall > Advanced 436 SonicOS Enhanced 4.
PAGE 437
CHAPTER 41 Chapter 41: Configuring TCP Settings Firewall > TCP Settings The TCP Settings lets you view statistics on TCP Traffic through the security appliance and manage TCP traffic settings.
PAGE 438
Firewall > TCP Settings – When the TCP SACK Permitted (Selective Acknowledgement, see RFC1072) option is encountered, but the calculated option length is incorrect. – When the TCP MSS (Maximum Segment Size) option is encountered, but the calculated option length is incorrect. – When the TCP SACK option data is calculated to be either less than the minimum of 6 bytes, or modulo incongruent to the block size of 4 bytes. – When the TCP option length is determined to be invalid.
PAGE 439
Firewall > TCP Settings The TCP Settings section allows you to: • Enable TCP Stateful Inspection – Enabling TCP stateful inspection requires that all TCP connections rigidly adhere to the following TCP setup requirements: – TCP session establishment involves a three-way handshake between two hosts and consists of the following: • Initiator --> SYN --> Responder • Initiator <-- SYN/ACK <-- Responder • Initiator --> ACK --> Responder • (Session established) After the initial SYN, it is permissible
PAGE 440
Firewall > TCP Settings A SYN Flood attack is considered to be in progress if the number of unanswered SYN/ACK packets sent by the SonicWALL (half-opened TCP connections) exceeds the threshold set in the “Flood rate until attack logged (unanswered SYN/ACK packets per second)” field. The default value for the field is 20, the minimum is 5, and the maximum is 999,999.
PAGE 441
Firewall > TCP Settings • SYN Blacklisting (Layer 2) – This mechanism blocks specific devices from generating or forwarding SYN flood attacks. You can enable SYN Blacklisting on any interface. Understanding SYN Watchlists The internal architecture of both SYN Flood protection mechanisms is based on a single list of Ethernet addresses that are the most active devices sending initial SYN packets to the firewall. This list is called a SYN watchlist.
PAGE 442
Firewall > TCP Settings Each contains various types of SYN Flood Protection. The following sections describe these features. Working with SYN Flood Protection Modes A SYN Flood Protection mode is the level of protection that you can select to defend against half-opened TCP sessions and high-frequency SYN packet transmissions.
PAGE 443
Firewall > TCP Settings To provide more control over the options sent to WAN clients when in SYN Proxy mode, you can configure the following two objects: SACK (Selective Acknowledgment) – This parameter controls whether or not Selective ACK is enabled. With SACK enabled, a packet or series of packets can be dropped, and the received informs the sender which data has been received and where holes may exist in the data.
PAGE 444
Firewall > TCP Settings Never blacklist WAN machines – This checkbox ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended as leaving it unchecked may interrupt traffic to and from the firewall’s WAN ports. Always allow SonicWALL management traffic – This checkbox causes IP traffic from a blacklisted device targeting the firewall’s WAN IP addresses to not be filtered.
PAGE 445
Firewall > TCP Settings The following are SYN Flood statistics. Column Description Max Incomplete WAN Connections / sec The maximum number of pending embryonic half-open connections recorded since the firewall has been up (or since the last time the TCP statistics were cleared). The average number of pending embryonic half-open connections, based on Average Incomplete WAN the total number of samples since bootup (or the last TCP statistics reset).
PAGE 446
Firewall > TCP Settings Column Description Total FIN The total number of packets dropped because of the FIN blacklist. Blacklist Packets Rejected Invalid SYN Flood Cookies Received 446 The total number of invalid SYN flood cookies received. SonicOS Enhanced 4.
PAGE 447
CHAPTER 42 Chapter 42: Configuring Firewall Services Firewall > Services SonicOS Enhanced supports an expanded IP protocol support to allow users to create services and access rules based on these protocols. See “Supported Protocols” on page 449 for a complete listing of support IP protocols. Services are used by the SonicWALL security appliance to configure network access rules for allowing or denying traffic to the network. The SonicWALL security appliance includes Default Services.
PAGE 448
Firewall > Services Selecting All Services from View Style displays both Custom Services and Default Services. Default Services Overview The Default Services view displays the SonicWALL security appliance default services in the Services table and Service Groups table. The Service Groups table displays clusters of multiple default services as a single service object. You cannot delete or edit these predefined services.
PAGE 449
Firewall > Services Supported Protocols The following IP protocols are available for custom services: • ICMP (1)—(Internet Control Message Protocol) A TCP/IP protocol used to send error and control messages. • IGMP (2)—(Internet Group Management Protocol) The protocol that governs the management of multicast groups in a TCP/IP network. • TCP (6)—(Transmission Control Protocol) The TCP part of TCP/IP. TCP is a transport protocol in TCP/IP.
PAGE 450
Firewall > Services GRE 47 IPsec ESP 50 IPsec AH 51 IGMP 2 EIGRP 88 OSPF 89 PIM SM 103 L2T2 115 All custom services you create are listed in the Custom Services table. You can group custom services by creating a Custom Services Group for easy policy enforcement. If a protocol is not listed in the Default Services table, you can add it to the Custom Services table by clicking Add. Step 1 Enter the name of the service in the Name field.
PAGE 451
Firewall > Services Click the Enable Logging checkbox to disable or enable the logging of the service activities. Adding Custom IP Type Services Using only the predefined IP types, if the security appliance encounters traffic of any other IP Protocol type it drops it as unrecognized. However, there exists a large and expanding list of other registered IP types, as governed by IANA (Internet Assigned Numbers Authority): http:// www.iana.
PAGE 452
Firewall > Services Note 452 Attempts to define a Custom IP Type Service Object for a pre-defined IP type will not be permitted, and will result in an error message. Step 5 Click OK Step 6 From the Firewall > Service Objects page, Service Group section, select Add Group. Step 7 Add a Service Group composed of the Custom IP Types Services. Step 8 From Firewall > Access Rules > WLAN > LAN, select Add. Step 9 Define an Access Rules allowing myServices from WLAN Subnets to the 10.50.165.
PAGE 453
Firewall > Services Note Select your Zones, Services and Address Objects accordingly. It may be necessary to create an Access Rule for bidirectional traffic; for example, an additional Access Rule from the LAN > WLAN allowing myServices from 10.50.165.26 to WLAN Subnets. Step 10 Click OK IP protocol 46 and 119 traffic will now be recognized, and will be allowed to pass from WLAN Subnets to 10.50.165.26.
PAGE 454
Firewall > Services Adding a Custom Services Group You can add custom services and then create groups of services, including default services, to apply the same policies to them. For instance, you can allow SMTP and POP3 traffic only during certain hours or days of the week by adding the two services as a Custom Service Group. To create a Custom Services Group, click Add Group. Step 1 Enter a name for the custom group in the name field.
PAGE 455
Firewall > Services Deleting Custom Services Groups Click the Trashcan icon to delete the individual custom service group entry. You can delete all custom service groups by clicking the Delete button. SonicOS Enhanced 4.
PAGE 456
Firewall > Services 456 SonicOS Enhanced 4.
PAGE 457
CHAPTER 43 Chapter 43: Configuring Multicast Settings Firewall > Multicast Multicasting, also called IP multicasting, is a method for sending one Internet Protocol (IP) packet simultaneously to multiple hosts. Multicast is suited to the rapidly growing segment of Internet traffic - multimedia presentations and video conferencing. For example, a single host transmitting an audio or video stream and ten hosts that want to receive this stream.
PAGE 458
Firewall > Multicast Multicast Snooping This section provides configuration tasks for Multicast Snooping. • Enable Multicast - This checkbox is disabled by default. Select this checkbox to support multicast traffic. • Require IGMP Membership reports for multicast data forwarding - This checkbox is enabled by default. Select this checkbox to improve performance by regulating multicast data to be forwarded to only interfaces joined into a multicast group address using IGMP.
PAGE 459
Firewall > Multicast To create a multicast address object: Step 1 In the Enable reception for the following multicast addresses list, select Create new multicast object. Step 2 In the Add Address Object window, configure: – Name: The name of the address object. – Zone Assignment: Select MULTICAST. – Type: Select Host, Range, Network, or MAC. – IP Address: If you selected Host or Network, the IP address of the host or network. The IP address must be in the range for multicast, 224.0.0.0 to 239.255.255.
PAGE 460
Firewall > Multicast Enabling Multicast on LAN-Dedicated Interfaces Perform the following steps to enable multicast support on LAN-dedicated interfaces. Step 1 Enable multicast support on your SonicWALL security appliance. In the Firewall > Multicast setting, click on the Enable Multicast checkbox. And in the Multicast Policy section, select the Enable the reception of all multicast addresses. Step 2 Enable multicast support on LAN interfaces.
PAGE 461
Firewall > Multicast Enabling Multicast Through a VPN To enable multicast across the WAN through a VPN, follow: Step 1 Enable multicast globally. On the Firewall > Multicast page, check the Enable Multicast checkbox, and click the Apply button for each security appliance. Step 2 Enable multicast support on each individual interface that will be participating in the multicast network.
PAGE 462
Firewall > Multicast Note Step 5 Notice that the default WLAN'MULTICAST access rule for IGMP traffic is set to 'DENY'. This will need to be changed to 'ALLOW' on all participating appliances to enable multicast, if they have multicast clients on their WLAN zones. Make sure the tunnels are active between the sites, and start the multicast server application and client applications. As multicast data is sent from the multicast server to the multicast group (224.0.0.0 through 239.255.255.
PAGE 463
CHAPTER 44 Chapter 44: Monitoring Active Connections Firewall > Connections Monitor The Firewall > Connections Monitor page displays details on all active connections to the security appliance. SonicOS Enhanced 4.
PAGE 464
Firewall > Connections Monitor Viewing Connections The connections are listed in the Active Connections Monitor table. The table lists: • Source IP • Source Port • Destination IP • Destination Port • Protocol • Src Interface • Dst Interface • Tx Bytes • Rx Bytes Click on a column heading to sort by that column. Filtering Connections Viewed You can filter the results to display only connections matching certain criteria.
PAGE 465
Firewall > Connections Monitor Check the Group box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group next to Source IP and Destination IP, the search string will look for connections matching: (Source IP OR Destination IP) AND Protocol Click Apply Filter to apply the filter immediately to the Active Connections table. Click Reset to clear the filter and display the unfiltered results again.
PAGE 466
Firewall > Connections Monitor 466 SonicOS Enhanced 4.
PAGE 467
CHAPTER 45 Chapter 45: Managing Quality of Service Firewall > QoS Mapping Quality of Service (QoS) refers to a diversity of methods intended to provide predictable network behavior and performance. This sort of predictability is vital to certain types of applications, such as Voice over IP (VoIP), multimedia content, or business-critical applications such as order or credit-card processing.
PAGE 468
Firewall > QoS Mapping But all is not lost. Once SonicOS Enhanced classifies the traffic, it can tag the traffic to communicate this classification to certain external systems that are capable of abiding by CoS tags; thus they too can participate in providing QoS. Note Many service providers do not support CoS tags such as 802.1p or DSCP. Also, most network equipment with standard configurations will not be able to recognize 802.1p tags, and could drop tagged traffic.
PAGE 469
Firewall > QoS Mapping section on page 479. SonicOS’s BWM is a perfectly effective solution for fully autonomous private networks with sufficient bandwidth, but can become somewhat less effective as more unknown external network elements and bandwidth contention are introduced. Refer to the Example Scenario in the “Example Scenario” section on page 472 for a description of contention issues.
PAGE 470
Firewall > QoS Mapping Enabling 802.1p SonicOS Enhanced supports layer 2 and layer 3 CoS methods for broad interoperability with external systems participating in QoS enabled environments. The layer 2 method is the IEEE 802.1p standard wherein 3 bits of an additional 16 bits inserted into the header of the Ethernet frame can be used to designate the priority of the frame, as illustrated in the following figure: .
PAGE 471
Firewall > QoS Mapping Although Enable 802.1p tagging does not appear as an option on VLAN sub-interfaces on the PRO 4060 and PRO 5060, the 802.1p field is already present within the 802.1q tags of VLAN sub-interfaces. The behavior of the 802.1p field within these tags can be controlled by Access Rules. The default 802.1p Access Rule action of None will reset existing 802.1p tags to 0, unless otherwise configured (see “Managing QoS Marking” section on page 476 for details). Enabling 802.
PAGE 472
Firewall > QoS Mapping Example Scenario In the scenario above, we have Remote Site 1 connected to ‘Main Site’ by an IPsec VPN. The company uses an internal 802.1p/DSCP capable VoIP phone system, with a private VoIP signaling server hosted at the Main Site. The Main Site has a mixed gigabit and Fast-Ethernet infrastructure, while Remote Site 1 is all Fast Ethernet. Both sites employ 802.1p capable switches for prioritization of internal traffic. 1.
PAGE 473
Firewall > QoS Mapping QoS Mapping is a feature which converts layer 2 802.1p tags to layer 3 DSCP tags so that they can safely traverse (in mapped form) 802.1p-incapable links; when the packet arrives for delivery to the next 802.1p-capable segment, QoS Mapping converts from DSCP back to 802.1p tags so that layer 2 QoS can be honored. In our above scenario, the firewall at the Main Site assigns a DSCP tag (e.g.
PAGE 474
Firewall > QoS Mapping DSCP 26 27 30 32 34 36 38 40 46 48 56 DSCP Description Class 3, gold (AF31) Class 3, silver (AF32) Class 3, bronze (AF33) Class 4 Class 4, gold (AF41) Class 4, silver (AF42) Class 4, bronze (AF43) Express forwarding Expedited forwarding (EF) Control Control Legacy IP Precedence 3 (Flash – 011) 3 (Flash – 011) 3 (Flash – 011) 4 (Flash Override – 100) 4 (Flash Override – 100) 4 (Flash Override – 100) 4 (Flash Override – 100) 5 (CRITIC/ECP – 101) 5 (CRITIC/ECP – 101) 6 (Internet Contr
PAGE 475
Firewall > QoS Mapping Configure for 802.1p CoS 4 – Controlled load If you want to change the inbound mapping of DSCP tag 15 from its default 802.1p mapping of 1 to an 802.1p mapping of 2, it would have to be done in two steps because mapping ranges cannot overlap. Attempting to assign an overlapping mapping will give the error DSCP range already exists or overlaps with another range. First, you will have to remove 15 from its current end-range mapping to 802.
PAGE 476
Firewall > QoS Mapping Each of these mappings can be reconfigured. If you wanted to change the outbound mapping of 802.1p tag 4 from its default DSCP value of 32 to a DSCP value of 43, you can click the Configure icon for 4 – Controlled load and select the new To DSCP value from the drop-down box: 802.1p CoS 1 end-range remap 802.1p CoS 2 start-range remap You can restore the default mappings by clicking the Reset QoS Settings button.
PAGE 477
Firewall > QoS Mapping Action 802.1p (layer 2 CoS) DSCP (layer 3) Notes Explicit An explicit 802.1p tag An explicit DSCP tag value can be assigned (0-63) from a drop-down value can be assigned (0-7) from a menu that will be presented. drop-down menu that will be presented. If either the 802.1p or the DSCP action is set to Explicit while the other is set to Map, the explicit assignment occurs first, and then the other is mapped according to that assignment.
PAGE 478
Firewall > QoS Mapping One practical application for this behavior would be configuring an 802.1p marking rule for traffic destined for the VPN Zone. Although 802.1p tags cannot be sent across the VPN, reply packets coming back across the VPN can be 802.1p tagged on egress from the tunnel. This requires that 802.1p tagging is active of the physical egress interface, and that the [Zone] > VPN Access Rule has an 802.1p marking action other than None. After ensuring 802.
PAGE 479
Firewall > QoS Mapping To examine the effects of the second Access Rule (VPN>LAN), we’ll look at the Access Rules configured at the Main Site: VoIP traffic (as defined by the Service Group) arriving from Remote Site 1 Subnets across the VPN destined to LAN Subnets on the LAN zone at the Main Site would hit the Access Rule for inbound VoIP calls. Traffic arriving at the VPN zone will not have any 802.1p tags, only DSCP tags. – Traffic exiting the tunnel containing a DSCP tag (e.g.
PAGE 480
Firewall > QoS Mapping configure BWM and QoS (i.e. layer 2 and/or layer 3 marking) settings on a single Access Rule. This allows those external systems to benefit from the classification performed on the SonicWALL even after it has already shaped the traffic. BWM configurations begin by enabling BWM on the relevant WAN interface, and declaring the interface’s available bandwidth in Kbps (Kilobits per second).
PAGE 481
Firewall > QoS Mapping Once one or both BWM settings are enabled on the WAN interface and the available bandwidth has been declared, a Ethernet BWM tab will appear on Access Rules. The Bandwidth tab will present either Inbound settings, Outbound settings, or both, depending on what was enabled on the WAN interface: The configuration on the General tab will classify the traffic.
PAGE 482
Firewall > QoS Mapping Outbound Bandwidth Management Bandwidth Management as employed by SonicOS Enhanced is based on an amalgamation of queue management and congestion avoidance techniques, but in empirical practice it most closely resembles Class Base Queuing (CBQ), as defined by Sally Floyd and Van Jacobson in Link-sharing and Resource Management Models for Packet Networks, while incorporating elements of RFC2309 Recommendations on Queue Management and Congestion Avoidance in the Internet and various cr
PAGE 483
Firewall > QoS Mapping to be processed. When Guaranteed queue credits are depleted, the next queue in that priority ring is processed. The same process is repeated for the remaining priority rings, and upon completing priority ring 7 begins again with priority ring 0. The scheduling for excess bandwidth is strict priority, with per-packet round-robin within each priority.
PAGE 484
Firewall > QoS Mapping Outbound BWM Packet Processing Path a. Determine that the packet is bound for the WAN Zone. b. Determine that the packet is classifiable as a Firewall packet. c. Match the packet to an Access Rule to determine BWM setting. d. Queue the packet in the appropriate rule queue. Guaranteed Bandwidth Processing This algorithm depicts how all the policies use up the GBW. a. Start with a link credit equal to available link BW. b. Initialize the class credit with configured GBW for the rule.
PAGE 485
Firewall > QoS Mapping Example of Outbound BWM The above diagram shows 4 policies are configured for OBWM with a link capacity of 100 Kbps. This means that the link capacity is 12800 Bytes/sec. Below table gives the BWM values for each rule in Bytes per second. BWM values FTP GBW 1280 MBW 2560 H323 2560 5120 Yahoo Messenger 640 1920 VNC 2560 3200 a. For GBW processing, we start with the first queue in the rule queue list which is FTP. Link credit is 12800 and class credit is 1280.
PAGE 486
Firewall > QoS Mapping f. Start off with the highest priority ring 0 and process all queues in this priority in a round robin fashion. H323 has Pkt3 of 500B which is sent since it can use up to max = 2560 (MBW-GBW). Now Link credit = 7500 and max = 2060. g. Move to the next queue in this priority ring which is VNC queue. Pkt3 of 500B is sent out leaving link credit = 7000B and class max = 140 (MBW-GBW - 500). h. Move to the next queue in this priority ring.
PAGE 487
Firewall > QoS Mapping Algorithm for Inbound Bandwidth Management IBWM maintains eight priority rings, where each priority ring has one queue for a rule that has IBWM enabled. The IBWM pool is processed from the highest to lowest priority ring further shaping the traffic. IBWM employs three key algorithms: Ingress Rate Update This algorithm processes each packet from the WAN and updates the ingress rate of the class to which it belongs. It also marks the traffic class if it has over utilized the link. a.
PAGE 488
Firewall > QoS Mapping e. Record class credit as remaining credit. f. If remaining credit is greater than or equal to average rate, process the ACK packet and deduct average rate from remaining credit. g. Repeat g until remaining credit is not enough or the ingress ACK queue is empty. h. Repeat steps f through h for the next rule queue in the ring. i. Repeat steps f through i for the next lowest priority ring.
PAGE 489
Firewall > QoS Mapping Glossary • 802.1p – IEEE 802.1p is a Layer 2 (MAC layer) Class of Service mechanism that tags packets by using 3 priority bits (for a total of 8 priority levels) within the additional 16 bits of an 802.1q header. 802.1p processing requires compatible equipment for tag generation, recognition and processing, and should only be employed on compatible networks. • Bandwidth Management (BWM) – Refers to any of a variety of algorithms or methods used to shape traffic or police traffic.
PAGE 490
Firewall > QoS Mapping – Weighted Random Early Detection (WRED) – An implementation of RED that factors DSCP markings into its discard decision process. 490 • DSCP – (Differentiate Services Code Points) – The repurposing of the ToS field of an IP header as described by RFC2747. DSCP uses 64 Code Point values to enable DiffServ (Differentiated Services). By marking traffic according to its class, each packet can be treated appropriately at every hop along the network.
PAGE 491
Firewall > QoS Mapping • Marking – Also known as tagging or coloring – The act of applying layer 2 (802.1p) or layer 3 (DSCP) information to a packet for the purpose of differentiation, so that it can be properly classified (recognized) and prioritized by network devices along the path to its destination. • MPLS - Multi Protocol Label Switching.
PAGE 492
Firewall > QoS Mapping 492 • Shaping – An attempt by a QoS system to modify the rate of traffic flow, usually by employing some feedback mechanism to the sender. The most common example of this is TCP rate manipulation, where acknowledgements (ACKs) sent back to a TCP sender are queued and delayed so as to increase the calculated round-trip time (RTT), leveraging the inherent behavior of TCP to force the sender to slow the rate at which it sends data.
PAGE 493
CHAPTER 46 Chapter 46: Configuring SSL Control Firewall > SSL Control This chapter describes how to plan, design, implement, and maintain the SSL Control feature.
PAGE 494
Firewall > SSL Control of TCP based network communications, with its most common and well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based endpoint identification, and cryptographic and digest-based confidentiality to network communications. An effect of the security provided by SSL is the obscuration of all payload, including the URL (Uniform Resource Locator, for example, https://www.mysonicwall.com) being requested by a client when establishing an HTTPS session.
PAGE 495
Firewall > SSL Control Key Features of SSL Control Feature Benefit Common-Name based White and Black Lists The administrator can define lists of explicitly allowed or denied certificate subject common names (described in Key Concepts). Entries will be matched on substrings, for example, a blacklist entry for “prox” will match “www.megaproxy.com”, “www.proxify.com” and “proxify.net”.
PAGE 496
Firewall > SSL Control Feature Benefit SSL version, Cipher SSL Control provides additional management of SSL sessions Strength, and Certificate based on characteristics of the negotiation, including the ability to Validity Control disallow the potentially exploitable SSLv2, the ability to disallow weak encryption (ciphers less than 64 bits), and the ability to disallow SSL negotiations where a certificate’s date ranges are invalid.
PAGE 497
Firewall > SSL Control SSL is not limited to securing HTTP, but can also be used to secure other TCP protocols such as SMTP, POP3, IMAP, and LDAP. For more information, see http://wp.netscape.com/ eng/security/SSL_2.html. SSL session establishment occurs as follows: • SSLv2 – The earliest version of SSL still in common use.
PAGE 498
Firewall > SSL Control – TLS – Transport Layer Security (version 1.0), also known as SSLv3.
PAGE 499
Firewall > SSL Control mismatch elicits a browser alert, it is not always a sure sign of deception. For example, if a client browses to https://mysonicwall.com, which resolves to the same IP address as www.mysonicwall.com, the server will present its certificate bearing the subject CN of www.mysonicwall.com. An alert will be presented to the client, despite the total legitimacy of the connection.
PAGE 500
Firewall > SSL Control Caveats and Advisories 1. Self-signed and Untrusted CA enforcement – If enforcing either of these two options, it is strongly advised that you add the common names of any SSL secured network appliances within your organization to the whitelist to ensure that connectivity to these devices is not interrupted. For example, the default subject name of SonicWALL UTM appliances is “192.168.168.168”, and the default common name of SonicWALL SSL-VPN appliances is “192.168.200.1”. 2.
PAGE 501
Firewall > SSL Control SSL Control Configuration SSL Control is located on Firewall panel, under the SSL Control Folder. SSL Control has a global setting, as well as a per-zone setting. By default, SSL Control is not enabled at the global or zone level. The individual page controls are as follows (refer the Key Concepts for SSL Control section for more information on terms used below). • Enable SSL Control – The global setting for SSL Control.
PAGE 502
Firewall > SSL Control • Detect Self-signed certificates – Controls the detection of certificates where both the issuer and the subject have the same common name. • Detect Certificates signed by an Untrusted CA – Controls the detection of certificates where the issuer’s certificate is not in the SonicWALL’s System > Certificates trusted store.
PAGE 503
Firewall > SSL Control To configure the Whitelist and Blacklist, click the Configure button to bring up the following window. Entries can be added, edited and deleted with the buttons beneath each list window. Note List matching will be based on the subject common name in the certificate presented in the SSL exchange, not in the URL (resource) requested by the client.
PAGE 504
Firewall > SSL Control sent in response for evaluation against the configured policy. Enabling SSL Control on the LAN Zone, for example, will inspect all SSL traffic initiated by clients on the LAN to any destination zone.
PAGE 505
Firewall > SSL Control Log events will include the client’s username in the notes section (not shown) if the user logged in manually, or was identified through CIA/Single Sign On. If the user’s identity is not available, the note will indicate that the user is Unidentified. SonicOS Enhanced 4.
PAGE 506
Firewall > SSL Control 506 SonicOS Enhanced 4.
PAGE 507
PART 8 VoIP SONICWALL SONICOS ENHANCED 4.
PAGE 508
SONICWALL SONICOS ENHANCED 4.
PAGE 509
CHAPTER 47 Chapter 47: Configuring VoIP Support VoIP This chapter contains the following sections: • “VoIP Overview” on page 509 • “SonicWALL’s VoIP Capabilities” on page 512 • “Configuring SonicWALL VoIP Features” on page 520 • “VoIP Deployment Scenarios” on page 531 VoIP Overview This section provides an overview of VoIP.
PAGE 510
VoIP VoIP Security Companies implementing VoIP technologies in an effort to cut communication costs and extend corporate voice services to a distributed workforce face security risks associated with the convergence of voice and data networks. VoIP security and network integrity are an essential part of any VoIP deployment. The same security threats that plague data networks today are inherited by VoIP but the addition of VoIP as an application on the network makes those threats even more dangerous.
PAGE 511
VoIP VoIP Protocols VoIP technologies are built on two primary protocols, H.323 and SIP. H.323 H.323 is a standard developed by the International Telecommunications Union (ITU). It’s a comprehensive suite of protocols for voice, video, and data communications between computers, terminals, network devices, and network services. H.323 is designed to enable users to make point-to-point multimedia phone calls over connectionless packet-switching networks such as private IP networks and the Internet. H.
PAGE 512
VoIP • Redirect Server - Responds to request but does not forward requests. • Registration Server - Handles UA authentication and registration.
PAGE 513
VoIP also provides proactive defense against newly discovered application and protocol vulnerabilities. Signature granularity allows SonicWALL IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives. VoIP Network • Note VoIP over Wireless LAN (WLAN) - SonicWALL extends complete VoIP security to attached wireless networks with its Distributed Wireless Solution.
PAGE 514
VoIP • Validation of headers for all media packets - SonicOS examines and monitors the headers within media packets to allow detection and discarding of out-of-sequence and retransmitted packets (beyond window). Also, by ensuring that a valid header exists, invalid media packets are detected and discarded. By tracking the media streams as well as the signaling, SonicWALL provides protection for the entire VoIP session.
PAGE 515
VoIP SIP SonicOS provides the following support for SIP: – Base SIP standard (both RFC 2543 and RFC 3261) – SIP INFO method (RFC 2976) – Reliability of provisional responses in SIP (RFC 3262) – SIP specific event notification (RFC 3265) – SIP UPDATE method (RFC 3311) – DHCP option for SIP servers (RFC 3361) – SIP extension for instant messaging (RFC 3428) – SIP REFER method (RFC 3515) – Extension to SIP for symmetric response routing (RFC 3581) SonicOS Enhanced 4.
PAGE 516
VoIP SonicWALL VoIP Vendor Interoperability The following is a partial list of devices from leading manufacturers with which SonicWALL VoIP interoperates. H.
PAGE 517
VoIP • H.264, H.263, and H.261 for video • MPEG4, G.711, G.722, G.723, G.728, G.729 for audio VoIP Protocols that SonicOS Does Not Perform Deep Packet Inspection on SonicWALL security appliances do not currently support deep packet inspection for the following protocols; therefore, these protocols should only be used in non-NAT environments. • Proprietary extensions to H.323 or SIP • MGCP • Megaco/H.
PAGE 518
VoIP 1. Phone B registers with VoIP server - The SonicWALL security appliance builds a database of the accessible IP phones behind it by monitoring the outgoing VoIP registration requests. SonicOS translates between phone B’s private IP address and the firewall’s public IP address used in registration messages. The VoIP server is unaware that phone B is behind a firewall and has a private IP address—it associates phone B with the firewall’s public IP address. 2.
PAGE 519
VoIP Figure 47:2 Local VoIP Call Flow The following describes the sequence of events shown in Figure 42.2: 1. Phones A and B register with VoIP server - The SonicWALL security appliance builds a database of the accessible IP phones behind it by monitoring the outgoing VoIP registration requests. SonicOS translates between the phones’ private IP addresses and the firewall’s public IP address. The VoIP server is unaware that the phones are behind a firewall.
PAGE 520
VoIP Configuring SonicWALL VoIP Features Configuring the SonicWALL security appliance for VoIP deployments builds on your basic network configuration in the SonicWALL management interface. This chapter assumes the SonicWALL security appliance is configured for your network environment.
PAGE 521
VoIP General VoIP Configuration SonicOS includes the VoIP configuration settings on the VoIP > Settings page. This page is divided into three configuration settings sections: General Settings, SIP Settings, and H.323 Settings. Configuring Consistent Network Address Translation (NAT) Consistent NAT enhances standard NAT policy to provide greater compatibility with peer-topeer applications that require a consistent IP address to connect to, such as VoIP.
PAGE 522
VoIP Configuring SIP Settings By default, SIP clients use their private IP address in the SIP Session Definition Protocol (SDP) messages that are sent to the SIP proxy. If your SIP proxy is located on the public (WAN) side of the SonicWALL security appliance and SIP clients are on the private (LAN) side behind the firewall, the SDP messages are not translated and the SIP proxy cannot reach the SIP clients.
PAGE 523
VoIP The Additional SIP signaling port (UDP) for transformations setting allows you to specify a non-standard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VOIP services use different ports, such as 1560. Using this setting, the security appliance performs SIP transformation on these non-standard ports. Tip Vonage’s VoIP service uses UDP port 5061. Configuring H.323 Transformations Select Enable H.
PAGE 524
VoIP Bandwidth Management SonicOS offers an integrated traffic shaping mechanism through its Egress (outbound) and Ingress (inbound) management interfaces. Outbound BWM can be applied to traffic sourced from Trusted and Public Zones (such as LAN and DMZ) destined to Untrusted and Encrypted Zones (such as WAN and VPN). Inbound bandwidth management can be applied to traffic sourced from Untrusted and Encrypted Zones destined to Trusted and Public Zones.
PAGE 525
VoIP Configuring Bandwidth on the WAN Interface BWM configurations begin by enabling BWM on the relevant WAN interface, and specifying the interface’s available bandwidth in Kbps. This is performed from the Network > Interfaces page by selecting the Configure icon for the WAN interface, and navigating to the Advanced tab: Egress and Ingress BWM can be enabled jointly or separately on WAN interfaces. Different bandwidth values may be entered for outbound and inbound bandwidth to support asymmetric links.
PAGE 526
VoIP If you are defining VoIP access for client to use a VoIP service provider from the WAN, you configure network access rules between source and destination interface or zones to enable clients behind the firewall to send and receive VoIP calls. If your SIP Proxy or H.323 Gateway is located behind the firewall, you can use the SonicWALL Public Server Wizard to automatically configure access rules.
PAGE 527
VoIP • For SIP, select SIP Step 6 Select the source of the traffic affected by the access rule from the Source list. Selecting Create New Network displays the Add Address Object window. Step 7 If you want to define the source IP addresses that are affected by the access rule, such as restricting certain users from accessing the Internet, select Range in the Type: pulldown menu. The enter the lowest and highest IP addresses in the range in the Starting IP Address: and Ending IP Address fields.
PAGE 528
VoIP Tip Rules using Bandwidth Management take priority over rules without bandwidth management. Using the Public Server Wizard The SonicWALL Public Server Wizard provides an easy method for configuring firewall access rules for a SIP Proxy or H.323 Gatekeeper running on your network behind the firewall. Using this wizard performs all the configuration settings you need for VoIP clients to access your VoIP servers. Step 1 Click Wizards on the SonicOS navigation bar.
PAGE 529
VoIP Note SonicWALL recommends NOT selecting VoIP from the Services menu. Selecting this option opens up more TCP/UDP ports than is required, potentially opening up unnecessary security vulnerabilities. Step 5 Enter the name of the server in the Server Name field. Step 6 Enter the private IP address of the server. Specify an IP address in the range of addresses assigned to the zone where the server is located.
PAGE 530
VoIP Step 10 The Summary page displays a summary of all the configuration you have performed in the wizard. It should show: • Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the LAN zone, the wizard binds the address object to the LAN zone. • Server Service Group Object - The wizard creates a service group object for the services used by the new server.
PAGE 531
VoIP Configuring VoIP Logging You can enable the logging of VoIP events in the SonicWALL security appliance log in the Log > Categories page. Log entries are displayed on the Log > View page. To enable logging: Step 1 Select Log > Categories. Step 2 Select Expanded Categories from the View Style menu in the Log Categories section. Step 3 Locate the VoIP (VOIP H.323/RAS, H.323/H.225, H.323/H.245 activity) entry in the table.
PAGE 532
VoIP Figure 47:3 Point-to-Point VoIP Service Topology This deployment does not require a VoIP server. The Public IP address of the SonicWALL security appliance is used as the main VoIP number for hosts on the network. This requires a static Public IP address or the use of a Dynamic DNS service to make the public address available to callers from the WAN. Incoming call requests are routed through the SonicWALL security appliance using NAT, DHCP Server, and network access rules.
PAGE 533
VoIP Figure 47:4 Public VoIP Service Topology For VoIP clients that register with a server from the WAN, the SonicWALL security appliance automatically manages NAT policies and access rules. The SonicWALL security appliance performs stateful monitoring of registration and permits incoming calls for clients while they remain registered. No configuration of clients is required. See the “Using the Public Server Wizard” section for information on configuring this deployment.
PAGE 534
VoIP Figure 47:5 Trusted VoIP Service Topology For VoIP clients that register with a server on the DMZ or LAN, the SonicWALL security appliance automatically manages NAT policies and access rules. The SonicWALL security appliance performs stateful monitoring of registration and permits incoming calls for clients while they remain registered. No configuration on the VoIP clients is required. To make a server on the LAN accessible to clients on the WAN: 7.
PAGE 535
PART 9 VPN SONICWALL SONICOS ENHANCED 4.
PAGE 536
SONICWALL SONICOS ENHANCED 4.
PAGE 537
CHAPTER 48 Chapter 48: Configuring VPN Policies VPN > Settings The VPN > Settings page provides the SonicWALL features for configuring your VPN policies. You configure site-to-site VPN policies and GroupVPN policies from this page. VPN Overview A Virtual Private Network (VPN) provides a secure connection between two or more computers or protected networks over the public internet. It provides authentication to ensure that the information is going to and from the correct parties.
PAGE 538
VPN > Settings Prior to the invention of Internet Protocol Security (IPsec) and Secure Socket Layer (SSL), secure connections between remote computers or networks required a dedicated line or satellite link. This was both inflexible and expensive. A VPN creates a connection with similar reliability and security by establishing a secure tunnel through the internet.
PAGE 539
VPN > Settings One advantage of SSL VPN is that SSL is built into most Web Browsers. No special VPN client software or hardware is required. Note SonicWALL makes SSL-VPN devices that you can use in concert with or independently of a SonicWALL UTM appliance running SonicOS. For information on SonicWALL SSL-VPN devices, see the SonicWALL Website :http://www.sonicwall.com/us/ Secure_Remote_Access.
PAGE 540
VPN > Settings Aggressive Mode: To reduce the number of messages exchanged during authentication by half, the negotiation of which cryptographic algorithm to use is eliminated. The initiator proposes one algorithm and the responder replies if it supports that algorithm: 1. The initiator proposes a cryptographic algorithms to use and sends its public key. 2. The responder replies with a public key and identity proof. 3. The initiator sends an identification proof.
PAGE 541
VPN > Settings Note There is no restriction on nesting IKE v1 tunnels within an IKE v2 tunnel and visa-versa. For example, if you are connecting to a wireless device using WiFiSec, which uses an IKE v1 tunnel, you can then connect over the internet to a corporate network using a site-to-site VPN tunnel established with IKE v2. Initialization and Authentication in IKE v2 IKE v2 initializes a VPN tunnel with a pair of message exchanges (two message/response pairs).
PAGE 542
VPN > Settings • “VPN Auto-Added Access Rule Control” section on page 578 Configuring VPNs in SonicOS Enhanced SonicWALL VPN, based on the industry-standard IPsec VPN implementation, provides a easyto-setup, secure solution for connecting mobile users, telecommuters, remote offices and partners via the Internet.
PAGE 543
VPN > Settings E-Mail ID Domain name. • Peer ID Filter if using 3rd party certificates. • IKE (Phase 1) Proposal: – DH Group: Note – Group 1 – Group 2 – Group 5 The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
PAGE 544
VPN > Settings Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
PAGE 545
VPN > Settings GSC only (Require Global Security Client checked on security appliance) • Shared secret, if selected on security appliance: • Certificate, if selected on security appliance: • User’s user name and password if XAUTH is required on the security appliance. Site-to-Site VPN Planning Checklist On the Initiator Typically, the request for an IKE VPN SA is made from the remote site.
PAGE 546
VPN > Settings Choose local network from list (select an address object): Local network obtains IP addresses using DHCP through this VPN Tunnel (not used with IKEv2) Any address • Destination Networks Use this VPN Tunnel as default route for all Internet traffic Destination network obtains IP addresses using DHCP through this VPN Tunnel Choose destination network from list (select an address object): • IKE (Phase 1) Proposal: – Exchange: – Main Mode – Aggressive Mode – IKEv2 Mode – DH Group: Note
PAGE 547
VPN > Settings – AES-192 – AES-256 – Authentication: – MD5 – SHA1 – Enable Perfect Forward Secrecy – DH Group (if perfect forward secrecy is enabled): Note – Group 1 – Group 2 – Group 5 The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.
PAGE 548
VPN > Settings On the Responder The settings on the responder must be the same as on the initiator except: • Name of this VPN: • IPsec Primary Gateway Name or Address: not required on the responder • IPsec Secondary Gateway Name or Address: not required on the responder • IKE Authentication for IKE using Preshared Secret: – Local IKE ID: (must match Peer IKE ID on initiator) – IP Address – Domain Name – Email Address – SonicWALL Identifier – Peer IKE ID: (must match Local IKE ID on initiato
PAGE 549
VPN > Settings VPN Policy Wizard The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN or siteto-site VPN policies on the SonicWALL security appliance. After completing the configuration, the wizard creates the necessary VPN settings for the selected policy. You can use the SonicWALL Management Interface for optional advanced configuration options. Note For step-by-step instructions on using the VPN Policy Wizard, see Chapter 50 Configuring VPNs with the VPN Policy Wizard.
PAGE 550
VPN > Settings VPN Policies All existing VPN policies are displayed in the VPN Policies table. Each entry displays the following information: • Name: Displays the default name or user-defined VPN policy name. • Gateway: Displays the IP address of the remote SonicWALL. If 0.0.0.0 is used, no Gateway is displayed. • Destinations: Displays the IP addresses of the destination networks. • Crypto Suite: Displays the type of encryption used for the VPN policy.
PAGE 551
VPN > Settings You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific VPN policy. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page. You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order.
PAGE 552
VPN > Settings • “Creating Site-to-Site VPN Policies” section on page 562 • “VPN Auto-Added Access Rule Control” section on page 578 Configuring GroupVPN Policies SonicWALL GroupVPN facilitates the set up and deployment of multiple SonicWALL Global VPN Clients by the SonicWALL security appliance administrator. GroupVPN is only available for SonicWALL Global VPN Clients and it is recommended you use XAUTH/RADIUS or third party certificates in conjunction with the Group VPNfor added security.
PAGE 553
VPN > Settings Configuring GroupVPN with IKE using Preshared Secret on the WAN Zone To configure the WAN GroupVPN, follow these steps: Step 1 Click the edit icon for the WAN GroupVPN entry. The VPN Policy window is displayed. Step 2 In the General tab, IKE using Preshared Secret is the default setting for Authentication Method. A Shared Secret is automatically generated by the SonicWALL security appliance in the Shared Secret field, or you can generate your own shared secret.
PAGE 554
VPN > Settings – Select the DH Group from the DH Group menu. Note The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5. – Select 3DES, AES-128, or AES-256 from the Encryption menu. – Select the desired authentication method from the Authentication menu. – Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
PAGE 555
VPN > Settings – Management via this SA: - If using the VPN policy to manage the SonicWALL security appliance, select the management method, either HTTP or HTTPS. – Default Gateway - Allows the network administrator to specify the IP address of the default network route for incoming IPsec packets for this VPN policy. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL security appliance.
PAGE 556
VPN > Settings • Always - Global VPN Client user prompted for username and password only once when connection is enabled. When prompted, the user will be given the option of caching the username and password. – Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client (GVC) is dependent upon a DHCP server, either the internal SonicOS or a specified external DHCP server, to allocate addresses to the Virtual Adapter.
PAGE 557
VPN > Settings Configuring GroupVPN with IKE using 3rd Party Certificates To configure GroupVPN with IKE using 3rd Party Certificates, follow these steps: Caution Before configuring GroupVPN with IKE using 3rd Party Certificates, your certificates must be installed on the SonicWALL. Step 1 In the VPN > Settings page click the edit icon under Configure. The VPN Policy window is displayed.
PAGE 558
VPN > Settings – Distinguished Name - based on the certificates Subject Distinguished Name field, which is contained in all certificates by default. Valid entries for this field are based on country (c=), organization (o=), organization unit (ou=), and /or commonName (cn=). Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon. You must enter at least one entry, i.e. c=us.
PAGE 559
VPN > Settings traffic. For packets received via an IPsec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped. – Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status.
PAGE 560
VPN > Settings • This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, then the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, then the Internet traffic is blocked.
PAGE 561
VPN > Settings Caution The GroupVPN SA must be enabled on the SonicWALL to export a configuration file. Step 1 Click the Disk icon in the Configure column for the GroupVPN entry in the VPN Policies table. The Export VPN Client Policy window appears. Step 2 rcf format is required for SonicWALL Global VPN Clients is selected by default. Files saved in the rcf format can be password encrypted. The SonicWALL provides a default file name for the configuration file, which you can change. Step 3 Click Yes.
PAGE 562
VPN > Settings • Hub and Spoke Design - All SonicWALL VPN gateways are configured to connect to a central SonicWALL (hub), such as a corporate SonicWALL. The hub must have a static IP address, but the spokes can have dynamic IP addresses. If the spokes are dynamic, the hub must be a SonicWALL. • Mesh Design - All sites connect to all other sites. All sites must have static IP addresses. See “Planning Your VPN” on page 542 for a planning sheet to help you set up your VPN.
PAGE 563
VPN > Settings Configuring a VPN Policy with IKE using Preshared Secret To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below: Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed. Step 2 In the General tab, select IKE using Preshared Secret from the Authentication Method menu. Step 3 Enter a name for the policy in the Name field.
PAGE 564
VPN > Settings Optionally, specify a Local IKE ID (optional) and Peer IKE ID (optional) for this Policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWALL Identifier (ID_USER_FQDN) is used for Aggressive Mode. Step 7 Click the Network tab. Step 8 Under Local Networks, select a local network from Choose local network from list if a specific local network can access the VPN tunnel.
PAGE 565
VPN > Settings Destination network obtains IP addresses using DHCP server through this tunnel. Alternatively, select Choose Destination network from list, and select the address object or group. Step 10 Click Proposals. Step 11 Under IKE (Phase 1) Proposal, select either Main Mode, Aggressive Mode, or IKEv2 from the Exchange menu. Aggressive Mode is generally used when WAN addressing is dynamically assigned.
PAGE 566
VPN > Settings – If you selected Main Mode or Aggressive Mode in the Proposals tab: 566 • Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.
PAGE 567
VPN > Settings – If you selected IKEv2 in the Proposals tab: • Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.
PAGE 568
VPN > Settings The term Trigger Packet refers to the use of initial Traffic Selector payloads populated with the IP addresses from the packet that caused SA negotiation to begin. It is recommended practice to include Trigger Packets to assist the IKEv2 Responder in selecting the correct protected IP address ranges from its Security Policy Database. Not all implementations support this feature, so it may be appropriate to disable the inclusion of Trigger Packets to some IKE peers. Step 15 Click OK.
PAGE 569
VPN > Settings Configuring the Local SonicWALL Security Appliance Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed. Step 2 In the General tab of the VPN Policy window, select Manual Key from the IPsec Keying Mode menu. The VPN Policy window displays the manual key options. Step 3 Enter a name for the policy in the Name field. Step 4 Enter the host name or IP address of the remote connection in the IPsec Gateway Name or Address field. Step 5 Click the Network tab.
PAGE 570
VPN > Settings Destination network from list, and select the address object or group. Step 7 Click on the Proposals tab. Step 8 Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcedf) and can range from 3 to 8 characters in length. Caution Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI.
PAGE 571
VPN > Settings Tip Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window. Step 12 Click the Advanced tab and select any of the following optional settings you want to apply to your VPN policy.
PAGE 572
VPN > Settings Configuring the Remote SonicWALL Security Appliance Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed. Step 2 In the General tab, select Manual Key from the IPsec Keying Mode menu. Step 3 Enter a name for the SA in the Name field. Step 4 Enter the host name or IP address of the local connection in the IPsec Gateway Name or Address field. Step 5 Click the Network tab.
PAGE 573
VPN > Settings – Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network drop-down box. To translate the Remote Network, select or create an Address Object in the Translated Remote Network drop-down box.
PAGE 574
VPN > Settings To create a VPN SA using IKE and third party certificates, follow these steps: Step 1 In the VPN > Settings page, click Add. The VPN Policy window is displayed. Step 2 In the Authentication Method list in the General tab, select IKE using 3rd Party Certificates.The VPN Policy window displays the 3rd party certificate options. Step 3 Type a Name for the Security Association in the Name field.
PAGE 575
VPN > Settings Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon. You must enter at least one entry, i.e. c=us. Step 7 Type an ID string in the Peer IKE ID field. Step 8 Click on the Network tab. Step 9 Under Local Networks, select a local network from Choose local network from list if a specific local network can access the VPN tunnel.
PAGE 576
VPN > Settings Destination network obtains IP addresses using DHCP server through this tunnel. Alternatively, select Choose Destination network from list, and select the address object or group. Step 11 Click the Proposals tab. Step 12 In the IKE (Phase 1) Proposal section, select the following settings: – Select Main Mode or Aggressive Mode from the Exchange menu. – Select the desired DH Group from the DH Group menu.
PAGE 577
VPN > Settings – Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours. Step 14 Click the Advanced tab. Select any optional configuration options you want to apply to your VPN policy: – Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel.
PAGE 578
VPN > Settings – If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example, if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, you should enter the IP address of your router into the Default LAN Gateway (optional) field. – Select an interface or Zone from the VPN Policy bound to menu.
PAGE 579
VPN > Settings SonicOS Enhanced 4.
PAGE 580
VPN > Settings 580 SonicOS Enhanced 4.
PAGE 581
CHAPTER 49 Chapter 49: Configuring Advanced VPN Settings VPN > Advanced The VPN > Advanced page includes optional settings that affect all VPN policies. Advanced VPN Settings • Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the SonicWALL. SonicOS Enhanced 4.
PAGE 582
VPN > Advanced – Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The default value is 60 seconds. – Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the SonicWALL security appliance. The SonicWALL security appliance uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
PAGE 583
VPN > Advanced • IKEv2 Dynamic Client Proposal - SonicOS Enhanced 4.0 introduces IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Clicking the Configure button launches the Configure IKEv2 Dynamic Client Proposal window. Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method.
PAGE 584
VPN > Advanced Online Certificate Status Protocol determines the current status of a digital certificate without using a CRL. OCSP enables the client or application to directly determine the status of an identified digital certificate. This provides more timely information about the certificate than is possible with CRLs. In addition, each client typically only checks a few certificates and does not incur the overhead of downloading an entire CRL for only a few entries.
PAGE 585
VPN > Advanced Using OCSP with VPN Policies The SonicWALL OCSP settings can be configured on a policy level or globally. To configure OCSP checking for individual VPN policies, use the Advanced tab of the VPN Policy configuration page. Step 1 Select the radio button next to Enable OCSP Checking. Step 2 Specify the OCSP Responder URL of the OCSP server, for example http:// 192.168.168.220:2560 where 192.168.168.
PAGE 586
VPN > Advanced 586 SonicOS Enhanced 4.
PAGE 587
CHAPTER 50 Chapter 50: Configuring DHCP Over VPN VPN > DHCP over VPN The VPN > DHCP over VPN page allows you to configure a SonicWALL security appliance to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one IP subnet address space. This facilitates IP address administration for the networks using VPN tunnels.
PAGE 588
VPN > DHCP over VPN Configuring the Central Gateway for DHCP Over VPN To configure DHCP over VPN for the Central Gateway, use the following steps: 1. Select VPN > DHCP over VPN. 2. Select Central Gateway from the DHCP Relay Mode menu. 3. Click Configure. The DHCP over VPN Configuration window is displayed. 4. Select Use Internal DHCP Server to enable the SonicWALL Global VPN Client or a remote firewall or both to use an internal DHCP server to obtain IP addressing information.
PAGE 589
VPN > DHCP over VPN Note 2. Click Configure. The DHCP over VPN Configuration window is displayed. 3. In the General tab, the VPN policy name is automatically displayed in the Relay DHCP through this VPN Tunnel filed if the VPN policy has the setting Local network obtains IP addresses using DHCP through this VPN Tunnel enabled. Only VPN policies using IKE can be used as VPN tunnels for DHCP. 4. Select the interface the DHCP lease is bound from the DHCP lease bound to menu. 5.
PAGE 590
VPN > DHCP over VPN Devices 9. To configure devices on your LAN, click the Devices tab. 10. To configure Static Devices on the LAN, click Add to display the Add LAN Device Entry window, and type the IP address of the device in the IP Address field and then type the Ethernet address of the device in the Ethernet Address field. An example of a static device is a printer as it cannot obtain an IP lease dynamically.
PAGE 591
VPN > DHCP over VPN Note You must configure the local DHCP server on the remote SonicWALL security appliance to assign IP leases to these computers. Note If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enabled on the remote computer. Tip If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, i.e. two LANs.
PAGE 592
VPN > DHCP over VPN 592 SonicOS Enhanced 4.
PAGE 593
CHAPTER 51 Chapter 51: Configuring L2TP Server VPN > L2TP Server The SonicWALL security appliance can terminate L2TP-over-IPsec connections from incoming Microsoft Windows 2000 and Windows XP clients. In situations where running the SonicWALL Global VPN Client is not possible, you can use the SonicWALL L2TP Server to provide secure access to resources behind the SonicWALL security appliances. You can use Layer 2 Tunneling Protocol (L2TP) to create VPN over public networks such as the Internet.
PAGE 594
VPN > L2TP Server Configuring the L2TP Server The VPN > L2TP Server page provides the settings for configuring the SonicWALL security appliance as a LT2P Server. To configure the L2TP Server, follow these steps: 594 1. To enable L2TP Server functionality on the SonicWALL security appliance, select Enable L2TP Server. Then click Configure to display the L2TP Server Configuration window. 2.
PAGE 595
VPN > L2TP Server 6. If the L2TP Server provides IP addresses, select Use the Local L2TP IP pool. Enter the range of private IP addresses in the Start IP and End IP fields. The private IP addresses should be a range of IP addresses on the LAN. 7. If you have configured a specific user group defined for using L2TP, select it from the User Group for L2TP users menu or use Everyone. 8. Click OK.
PAGE 596
VPN > L2TP Server 596 SonicOS Enhanced 4.
PAGE 597
PART 10 User Management SONICWALL SONICOS ENHANCED 4.
PAGE 598
SONICWALL SONICOS ENHANCED 4.
PAGE 599
CHAPTER 52 Chapter 52: Managing Users and Authentication Settings User Management This chapter describes the user management capabilities of your SonicWALL security appliance for locally and remotely authenticated users.
PAGE 600
User Management encrypted connection. The SonicWALL authenticates all users as soon as they attempt to access network resources in a different zone (such as WAN, VPN, WLAN, etc), which causes the network traffic to pass through the SonicWALL. Users who log into a computer on the LAN, but perform only local tasks are not authenticated by the SonicWALL.User level authentication can be performed using a local user database, LDAP, RADIUS, or a combination of a local database with either LDAP or RADIUS.
PAGE 601
User Management Figure 52:2 Local Groups Authentication Flow Diagram ,QWHUQHW 02/ 5SER 7ORKSTATION 5SER ATTEMPTS TO ACCESS THE WEB 3.7, REQUIRES AUTHENTICATION OF THE 5SER REDIRECTS WORKSTATION TO AUTHENTICATE 5SER AUTHENTICATES WITH CREDENTIALS 3.
PAGE 602
User Management Using RADIUS for Authentication Remote Authentication Dial In User Service (RADIUS) is a protocol used by SonicWALL security appliances to authenticate users who are attempting to access the network. The RADIUS server contains a database with user information, and checks a user’s credentials using authentication schemes such as Password Authentication Protocol (PAP), Challengehandshake authentication protocol (CHAP), Microsoft CHAP (MSCHAP), or MSCHAPv2.
PAGE 603
User Management Figure 52:4 LDAP User Group Authentication Flow Diagram ,QWHUQHW 5SER 7ORKSTATION 5SER ATTEMPTS TO ACCESS THE WEB 02/ 3.
PAGE 604
User Management LDAP Terms The following terms are useful when working with LDAP and its variants: • Schema – The schema is the set of rules or the structure that defines the types of data that can be stored in a directory, and how that data can be stored. Data is stored in the form of ‘entries’. • Active Directory (AD) – The Microsoft directory service, commonly used with Windowsbased networking. Microsoft Active Directory is compatible with LDAP.
PAGE 605
User Management • Samba SMB: Development information is available at http://us5.samba.org/samba/ • Novell eDirectory: LDAP integration information is available at http://www.novell.com/ documentation/edir873/index.html?page=/documentation/edir873/edir873/data/ h0000007.html • User-defined schemas: See the documentation for your LDAP installation. You can also see general information on LDAP at http://rfc.net/rfc1777.
PAGE 606
User Management Users that are identified but lack the group memberships required by the configured policy rules are redirected to the Access Barred page. Benefits SonicWALL SSO is a reliable and time-saving feature that utilizes a single login to provide access to multiple network resources based on administrator-configured group memberships and policy matching. SonicWALL SSO is transparent to end users and requires minimal administrator configuration.
PAGE 607
User Management • Net API or WMI How Does Single Sign-On Work? SonicWALL SSO requires minimal administrator configuration and is a transparent to the user. There are six steps involved in SonicWALL SSO authentication, as illustrated in Figure 52:5. Figure 52:5 SonicWALL Single Sign-On Process The SonicWALL SSO authentication process is initiated when user traffic passes through a SonicWALL security appliance, for example, when a user accesses the Internet.
PAGE 608
User Management User names are returned from the authorization agent running the SSO Agent in the format /. For locally configured user groups, the user name can be configured to be the full name returned from the authorization agent running the SSO Agent (configuring the names in the SonicWALL security appliance local user database to match) or a simple user name with the domain component stripped off (default).
PAGE 609
User Management Figure 52:6 SonicWALL SSO Agent Process The SonicWALL security appliance queries the SonicWALL SSO Agent over the default port 2258. The SSO Agent then communicates between the client and the SonicWALL security appliance to determine the client’s user ID. The SonicWALL SSO Agent is polled, at a rate that is configurable by the administrator, by the SonicWALL security appliance to continually confirm a user’s login status.
PAGE 610
User Management Note • User login denied - SSO Agent agent name resolution failed: The SonicWALL SSO Agent is unable to resolve the user name. • SSO Agent returned user name too long: The user name is too long. • SSO Agent returned domain name too long: The domain name is too long. The notes field of log messages specific to the SSO Agent will contain the text , authentication by SSO Agent.
PAGE 611
User Management • “User Groups” section on page 612 • “Priority for Preempting Administrators” section on page 612 • “GMS and Multiple Administrator Support” section on page 613 Configuration Modes In order to allow multiple concurrent administrators, while also preventing potential conflicts caused by multiple administrators making configuration changes at the same time, the following configuration modes have been defined: • Note Configuration mode - Administrator has full privileges to edit the
PAGE 612
User Management Function Full admin Full admin in Read-only Limited in config mode non-config mode administrator administrator Renegotiate VPN tunnels X X Log users off X X Unlock locked-out users X X Clear log X X Filter logs X X X X Export log X X X X Email log X X X Configure log categories X X X X guest users only X Configure log settings X X Generate log reports X X Browse the full UI X X Generate log reports X X X X X User Groups The Multiple Administrat
PAGE 613
User Management GMS and Multiple Administrator Support When using SonicWALL GMS to manage a SonicWALL security appliance, GMS frequently logs in to the appliance (for such activities as ensuring that GMS management IPSec tunnels have been created correctly). These frequent GMS log-ins can make local administration of the appliance difficult because the local administrator can be preempted by GMS. Viewing Status on Users > Status The Users > Status page displays Active User Sessions on the SonicWALL.
PAGE 614
User Management Configuring Settings on Users > Settings On this page, you can configure the authentication method required, global user settings, and an acceptable user policy that is displayed to users when logging onto your network.
PAGE 615
User Management User Login Settings In the Authentication method for login drop-down list, select the type of user account management your network uses: • Select Local Users to configure users in the local database in the SonicWALL appliance using the Users > Local Users and Users > Local Groups pages. For information about using the local database for authentication, see “Using Local Users and Groups for Authentication” on page 600.
PAGE 616
User Management Select Enforce login uniqueness to prevent the same user name from being used to log into the network from more than one location at a time. This setting applies to both local users and RADIUS/LDAP users. However the login uniqueness setting does not apply to the default administrator with the username admin. Select Redirect users from HTTPS to HTTP on completion of login if you want users to be connected to the network through your SonicWALL appliance via HTTP after logging in via HTTPS.
PAGE 617
User Management • Enable disconnected user detection: Causes the SonicWALL to detect when a user’s connection is no longer valid and end the session. • Timeout on heartbeat from user's login status window (minutes): Sets the time needed without a reply from the heartbeat before ending the user session. Other Global User Settings • Allow these HTTP URLs to bypass users authentication access rules: Define a list of URLs users can connect to without authenticating.
PAGE 618
User Management Acceptable use policy page content - Enter your Acceptable Use Policy text in the text box. You can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation.
PAGE 619
User Management See the following sections for configuration instructions: • “Viewing, Editing and Deleting Local Users” on page 619 • “Adding Local Users” on page 620 • “Editing Local Users” on page 621 Viewing, Editing and Deleting Local Users You can view all the groups to which a user belongs on the Users > Local Users page. Click on the expand icon next to a user to view the group memberships for that user. The three columns to the right of the user’s name list the privileges that the user has.
PAGE 620
User Management Adding Local Users You can add local users to the internal database on the SonicWALL security appliance from the Users > Local Users page. To add local users to the database: 620 Step 1 Click Add User. The Add User configuration window displays. Step 2 On the Settings tab, type the user name into the Name field. Step 3 In the Password field, type a password for the user.
PAGE 621
User Management Step 9 Click OK to complete the user configuration. Editing Local Users You can edit local users from the Users > Local Users screen. To edit a local user: Step 1 In the list of users, click the edit icon in same line as the user you want to edit. Step 2 Configure the Settings, Groups, and VPN Access exactly as when adding a new user. See “Adding Local Users” on page 620. Configuring Local Groups Local groups are displayed in the Local Groups table.
PAGE 622
User Management A default group, Everyone, is listed in the first row of the table. Click the Notepad icon in the Configure column to review or change the settings for Everyone. See the following sections for configuration instructions: 622 • “Creating a Local Group” on page 623 • “Importing Local Groups from LDAP” on page 624 SonicOS Enhanced 4.
PAGE 623
User Management Creating a Local Group Step 1 Click the Add Group button to display the Add Group window. Step 2 On the Settings tab, type a user name into the Name field. Step 3 On the Members tab, to add users and other groups to this group, select the user or group from the Non-Members Users and Groups list and click the right arrow button ->.
PAGE 624
User Management Note Step 6 You can create custom Content Filtering Service policies in the Security Services > Content Filter page. See “Security Services > Content Filter” section on page 695. Click OK. Importing Local Groups from LDAP You can configure local user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import from LDAP... button launches a dialog box containing the list of user group names available for import to the SonicWALL.
PAGE 625
User Management Configuring RADIUS Authentication If you selected RADIUS or RADIUS + Local Users from the Authentication method for login drop-down list, the Configure button becomes available. Step 1 Click Configure to set up your RADIUS server settings on the SonicWALL. The RADIUS Configuration window is displayed. Step 2 Under Global RADIUS Settings, type in a value for the RADIUS Server Timeout (seconds). The allowable range is 1-60 seconds with a default value of 5.
PAGE 626
User Management RADIUS Servers In the RADIUS Servers section, you can designate the primary and optionally, the secondary RADIUS server. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network. Step 4 In the Primary Server section, type the host name or IP address of the RADIUS server in the Name or IP Address field. Step 5 Type the RADIUS server administrative password or “shared secret” in the Shared Secret field.
PAGE 627
User Management RADIUS Users Settings To configure the RADIUS user settings: Step 10 On the RADIUS Users tab, select Allow only users listed locally if only the users listed in the SonicWALL database are authenticated using RADIUS. Step 11 Select the mechanism used for setting user group memberships for RADIUS users from the following choices: • Select Use SonicWALL vendor-specific attribute on RADIUS server to apply a configured vendor-specific attribute from the RADIUS server.
PAGE 628
User Management Creating a New User Group for RADIUS Users In the RADIUS User Settings screen, you can create a new group by choosing Create a new user group... from the Default user group to which all RADIUS users belong drop-down list: 628 Step 1 Select Create a new user group... The Add Group window displays. Step 2 In the Settings tab, enter a name for the group. You may enter a descriptive comment as well. Step 3 In the Members tab, select the members of the group.
PAGE 629
User Management Note You can add any group as a member of another group except Everybody and All RADIUS Users. Be aware of the membership of the groups you add as members of another group. Step 4 In the VPN Access tab, select the network resources to which this group will have VPN Access by default. Step 5 If you have Content Filtering Service (CFS) on your security appliance, you can configure the content filtering policy for this group on the CFS Policy tab.
PAGE 630
User Management When Use LDAP to retrieve user group information is selected, after authenticating a user via RADIUS, his/her user group membership information will be looked up via LDAP in the directory on the LDAP/AD server. Clicking the Configure button launches the LDAP configuration window.
PAGE 631
User Management • Step 9 MSCHAPv2: Select this to use the Microsoft version 2 implementation of CHAP. MSCHAPv2 works for Windows 2000 and later versions of Windows. Click the Test button. If the validation is successful, the Status messages changes to Success. If the validation fails, the Status message changes to Failure. To complete the RADIUS configuration, click OK.
PAGE 632
User Management http://support.microsoft.com/kb/931125. Step 6 Launch the Domain Security Policy application: Navigate to Start > Run and run the command: dompol.msc. Step 7 Open Security Settings > Public Key Policies. Step 8 Right click Automatic Certificate Request Settings. Step 9 Select New > Automatic Certificate Request. Step 10 Step through the wizard, and select Domain Controller from the list.
PAGE 633
User Management Configuring the SonicWALL Appliance for LDAP The Users > Settings page in the administrative interface provides the settings for managing your LDAP integration: Step 1 In the SonicOS administrative interface, open the Users > Settings page. Step 2 In the Authentication method for login drop-down list, select either LDAP or LDAP + Local Users. Step 3 Click Configure.
PAGE 634
User Management • Port Number – The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server, specify it here. • Server timeout – The amount of time, in seconds, that the SonicWALL will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999 (in case you’re running your LDAP server on a VIC-20 located on the moon), with a default of 10 seconds.
PAGE 635
User Management and location in the directory) as the login to the primary server. This may entail creating a special user in the directory for the SonicWALL login. Note that only read access to the directory is required.
PAGE 636
User Management Step 7 • User group membership attribute – Select the attribute that contains information about the groups to which the user object belongs. This is memberOf in Microsoft Active Directory. The other pre-defined schemas store group membership information in the group object rather than the user object, and therefore do not use this field. • Framed IP address attribute – Select the attribute that can be used to retrieve a static IP address that is assigned to a user in the directory.
PAGE 637
User Management Note AD has some built-in containers that do not conform (e.g. the DN for the top level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format. Ordering is not critical, but since they are searched in the given order it is most efficient to place the most commonly used trees first in each list.
PAGE 638
User Management If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the Domain to search value accordingly and selecting Append to existing trees on each subsequent run. Step 8 638 On the LDAP Users tab, configure the following fields: • Allow only users listed locally – Requires that LDAP users also be present in the SonicWALL local user database for logins to be allowed.
PAGE 639
User Management • Import user groups – You can click this button to configure user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import user groups button launches a dialog box containing the list of user group names available for import to the SonicWALL. In the LDAP Import User Groups dialog box, select the checkbox for each group that you want to import into the SonicWALL, and then click Save.
PAGE 640
User Management The SonicWALL appliance can retrieve group memberships efficiently in the case of Active Directory by taking advantage of its unique trait of returning a ‘memberOf’ attribute for a user.
PAGE 641
User Management Note The ‘Bypass filters’ and ‘Limited management capabilities’ privileges are returned based on membership to user groups named ‘Content Filtering Bypass’ and ‘Limited Administrators’ – these are not configurable. Step 10 Select the Test tab to test the configured LDAP settings: The Test LDAP Settings page allows for the configured LDAP settings to be tested by attempting authentication with specified user and password credentials.
PAGE 642
User Management – “Configuring User Settings” section on page 669 642 SonicOS Enhanced 4.
PAGE 643
User Management Installing the SonicWALL SSO Agent The SonicWALL SSO Agent is part of the SonicWALL Directory Connector. The SonicWALL SSO Agent must be installed on a workstation or server in the Windows domain that is accessible using VPN or IP. The SonicWALL SSO Agent must have access to your SonicWALL security appliance running SonicOS 4.0 or higher. To install the SonicWALL SSO Agent, perform the following steps: Step 1 Locate the SonicWALL Directory Connector executable file and double click it.
PAGE 644
User Management 644 Step 4 On the Customer Information page, enter your name in the User Name field and your organization name in the Organization field. Select to install the application for Anyone who uses this computer (all users) or Only for me. Click Next to continue. Step 5 Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next. To specify a custom location, click Browse, select the folder, and click Next.
PAGE 645
User Management SonicWALL SSO Agent feature. Click Next. Step 7 Click Install to install SSO Agent. Step 8 To configure a common service account that the SSO Agent will use to log into a specified Windows domain, enter the username of an account with administrative privileges in the Username field, the password for the account in the Password field, and the domain name of the account in the Domain Name field. Click Next. SonicOS Enhanced 4.
PAGE 646
User Management Note Step 9 Note 646 This section can be configured at a later time. To skip this step and configure it later, click Skip. Enter the IP address of your SonicWALL security appliance running SonicOS Enhanced 4.0 in the SonicWALL Appliance IP field. Type the port number for the same appliance in the SonicWALL Appliance Port field. Enter a shared key (a hexadecimal number from 1 to 16 digits in length) in the Shared Key field. Click Next to continue.
PAGE 647
User Management The SonicWALL SSO Agent installs. The status bar displays. Step 10 When installation is complete, optionally check the Launch SonicWALL Directory Connector box to launch the SonicWALL Directory Connector, and click Finish. SonicOS Enhanced 4.
PAGE 648
User Management If you checked the Launch SonicWALL Directory Connector box, the SonicWALL Directory Connector will display. Configuring the SonicWALL SSO Agent The SonicWALL SSO Agent communicates with workstations using NetAPI or WMI, which both provide information about users that are logged into a workstation, including domain users, local users, and Windows services. WMI is pre-installed on Windows Server 2003, Windows XP, Windows ME, and Windows 2000. For other Windows versions, visit www.microsoft.
PAGE 649
User Management To configure the communication properties of the SonicWALL SSO Agent, perform the following tasks: Step 1 Launch the SonicWALL Configuration Tool by double-clicking the desktop shortcut or by navigating to Start > All Programs > SonicWALL > SonicWALL Directory Connector > SonicWALL Configuration Tool. Note If the IP address for a default SonicWALL security appliance was not configured, or if it was configured incorrectly, a pop up will display.
PAGE 650
User Management If the message SonicWALL SSO Agent service is not running. Please check the configuration and start the service displays, the SSO Agent service will be disabled by default. To enable the service, expand the SonicWALL Directory Connector Configuration Tool in the left navigation panel by clicking the + icon, highlight the SonicWALL SSO Agent underneath it, and click the button.
PAGE 651
User Management Note When Logging Level 2 is selected, the SSO Agent service will terminate if the Windows event log reaches its maximum capacity. Step 4 In the Refresh Time field, enter the frequency, in seconds, that the SSO Agent will refresh user log in status. The default is 60 seconds. Step 5 From the Query Source pull-down menu, select the protocol that the SSO Agent will use to communicate with workstations, either NETAPI or WMI. SonicOS Enhanced 4.
PAGE 652
User Management 652 Note NetAPI will provide faster, though possibly slightly less accurate, performance. WMI will provide slower, though possibly more accurate, performance. WMI is pre-installed on Windows Server 2003, Windows XP, Windows Me, and Windows 2000. Both NetAPI and WMI can be manually downloaded and installed. NetAPI and WMI provide information about users that are logged into a workstation, including domain users, local users, and Windows services.
PAGE 653
User Management Adding a SonicWALL Security Appliance Use these instructions to manually add a SonicWALL security appliance if you did not add one during installation, or to add additional SonicWALL security appliances. To add a SonicWALL security appliance, perform the following steps: Step 1 Launch the SonicWALL SSO Agent Configurator. Step 2 Expand the SonicWALL Directory Connector and SonicWALL SSO Agent trees in the left column by clicking the + button.
PAGE 654
User Management Your appliance will display in the left-hand navigation panel under the SonicWALL Appliances tree. Editing Appliances in SonicWALL SSO Agent You can edit all settings on SonicWALL security appliances previously added in SonicWALL SSO Agent, including IP address, port number, friendly name, and shared key. To edit a SonicWALL security appliance in SonicWALL SSO Agent, select the appliance from the lefthand navigation panel and click the edit icon above the left-hand navigation panel.
PAGE 655
User Management Modifying Services in SonicWALL SSO Agent You can start, stop, and pause SonicWALL SSO Agent services to SonicWALL security appliances. To pause services for an appliance, select the appliance from the left-hand navigation panel and click the pause button . To stop services for an appliance, select the appliance from the left-hand navigation panel and click the stop button . To resume services, click the start button .
PAGE 656
User Management Step 4 Click Configure.The Authentication Agent Settings page displays. Step 5 In the Name or IP Address field, enter the name or IP Address of the workstation on which SonicWALL SSO Agent is installed. Step 6 In Port Number, enter the port number of the workstation on which SonicWALL SSO Agent is installed. The default port is 2258. Step 7 In the Shared Key field, enter the shared key that you created or generated in the SonicWALL SSO Agent. The shared key must match exactly.
PAGE 657
User Management Step 11 Check the box next to Allow only users listed locally to allow only users listed locally to be authenticated. Step 12 Check the box next to Simple user names in local database to use simple user names. This setting ignores the domain component of a user name. If this box is not checked, user names in the local database must match exactly the full names returned from the agent, including the domain component.
PAGE 658
User Management Note The Content Filter tab is only displayed if Premium CFS is enabled on the SonicWALL security appliance. Step 19 To bypass SSO for content filtering traffic and apply the default content filtering policy to the traffic, select the appropriate address object or address group from the pulldown menu. 658 SonicOS Enhanced 4.
PAGE 659
User Management This setting should be used where traffic that would be subject to content filtering can emanate from a device other than a user's workstation (such as an internal proxy web server). It prevents the SonicWALL from attempting to identify such a device as a network user in order to select the content filtering policy to apply. The default content filtering policy will be used for all traffic from the selected IP addresses. Step 20 Click the Test tab.
PAGE 660
User Management Step 22 Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test if the agent is property configured to identify the user logged into a workstation. Note Performing tests on this page applies any changes that have been made. Tip If you receive the messages Agent is not responding or Configuration error, check your settings and perform these tests again. Step 23 When you are finished, click OK.
PAGE 661
User Management Advanced LDAP Configuration If you selected Use LDAP to retrieve user group information in step 14 of “Configuring Your SonicWALL Security Appliance” section on page 655, you must configure your LDAP settings. To configure LDAP settings, perform the following steps: Step 1 The Settings tab displays. In the Name or IP address field, enter the name or IP address of your LDAP server. Step 2 In the Port Number field, enter the port number of your LDAP server. The default port is 636.
PAGE 662
User Management Note 662 Use the user’s name in the Login user name field, not a username or login ID. For example, John Doe would login as John Doe, not jdoe. Step 6 Select the LDAP version from the Protocol version drop-down menu, either LDAP version 2 I (LDAPv2) or LDAP version 3 (LDAPv3). Most implementations of LDAP, including AD, employ LDAPv3. Step 7 Check the Use TLS (SSL) box to use Transport Layer Security (SSL) to login to the LDAP server.
PAGE 663
User Management Note Step 9 Only check the Send LDAP ‘Start TLS’ request box if your LDAP server uses the same port number for TLS and non-TLS. Check the Require valid certificate from server to require a valid certificate from the server. Validates the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate.
PAGE 664
User Management Step 14 The Object class field defines which attribute represents the individual user account to which the next two fields apply. This will not be modifiable unless you select User defined. Step 15 The Login name attribute field defines which attribute is used for login authentication. This will not be modifiable unless you select User defined.
PAGE 665
User Management Step 23 In the User tree for login to server field, specify the tree in which the user specified in the ‘Settings’ tab resides. For example, in AD the ‘administrator’ account’s default tree is the same as the user tree. Step 24 In the Trees containing users field, specify the trees where users commonly reside in the LDAP directory.
PAGE 666
User Management If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the ‘Domain to search’ accordingly and selecting ‘Append to existing trees’ on each subsequent run. Step 27 Select the LDAP Users tab. Step 28 Check the Allow only users listed locally box to require that LDAP users also be present in the SonicWALL security appliance local user database for logins to be allowed.
PAGE 667
User Management The SonicWALL security appliance can retrieve group memberships more efficiently in the case of Active Directory by taking advantage of its unique trait of returning a ‘memberOf’ attribute for a user. Step 31 Click the Import user groups button to import user groups from the LDAP server. The names of user groups on the LDAP server need to be duplicated on the SonicWALL if they are to be used in policy rules, CFS policies, etc. Step 32 Select the LDAP Relay tab.
PAGE 668
User Management – VPN Zone Step 35 In the RADIUS shared secret field, enter a shared secret common to all remote SonicWALL security appliances. Step 36 In the User groups for legacy users fields, define the user groups that correspond to the legacy ‘VPN users,’ ‘VPN client users,’ ‘L2TP users’ and ‘users with Internet access’ privileges.
PAGE 669
User Management Configuring Firewall Access Rules Firewall access rules provide the administrator with the ability to control user access. Rules set under Firewall > Access Rules are checked against the user group memberships returned from a SSO LDAP query, and are applied automatically. Access rules are network management tools that allow you to define inbound and outbound access policy, configure user authentication, and enable remote management of the SonicWALL security appliance.
PAGE 670
User Management The Enable login session limit and corresponding Login session limit (minutes) settings under User Session Settings apply to users logged in using SSO. SSO users will be logged out according to session limit settings, but will be automatically and transparently logged back in when they send further traffic. Note Do not set the login session limit interval too low. This could potentially cause performance problems, especially for deployments with many users.
PAGE 671
User Management Configuring Additional Administrator User Profiles To configure additional administrator user profiles, perform the following steps: Step 1 While logged in as admin, navigate to the Users > Local Users page. Step 2 Click the Add User button. Step 3 Enter a Name and Password for the user. Step 4 Click on the Group Membership tab.
PAGE 672
User Management When using RADIUS or LDAP authentication, if you want to keep the configuration of administrative users local to the appliance whilst having those users authenticated by RADIUS/ LDAP, perform these steps: Step 1 Navigate to the Users > Settings page. Step 2 Select either the RADIUS + Local Users or LDAP + Local Users authentication method. Step 3 Click the Configure button.
PAGE 673
User Management Activating Configuration Mode When logging in as a user with full administrator rights (that is not the admin user), the User Login Status window is displayed. To go to the SonicWALL user interface, click the Manage button. You will be prompted to enter your password again. This is a safeguard to protect against unauthorized access when administrators ar away from their computers and do not logout of their session. SonicOS Enhanced 4.
PAGE 674
User Management To switch from non-config mode to full configuration mode, perform the following steps: 674 Step 1 Navigate to the System > Administration page. Step 2 In the Web Management Settings section, click on the Configuration mode button. If there is not currently an administrator in configuration mode, you will automatically be entered into configuration mode. Step 3 If another administrator is in configuration mode, the following message displays.
PAGE 675
User Management Verifying Multiple Administrators Support Configuration User accounts with administrator and read-only administrators can be viewed on the Users > Local Groups page. Administrators can determine which configuration mode they are in by looking at either the top right corner of the management interface or at the status bar of their browser. To display the status bar in Firefox and Internet Explorer, click on the View menu and enable status bar. By default, Internet Explorer 7.
PAGE 676
User Management When the administrator is in read-only mode, the top right corner of the interface displays Read-Only Mode. The status bar displays Read-only mode - no changes can be made. When the administrator is in non-config mode, the top right of the interface displays NonConfig Mode. Clicking on this text links to the System > Administration page where you can enter full configuration mode. The status bar displays Non-config mode - configuration changes not allowed.
PAGE 677
CHAPTER 53 Chapter 53: Managing Guest Services and Guest Accounts Users > Guest Services Guest accounts are temporary accounts set up for users to log into your network. You can create these accounts manually, as needed or generate them in batches. SonicOS includes profiles you can configure in advance to automate configuring guest accounts when you generate them. Guest accounts are typically limited to a pre-determined life-span. After their life span, by default, the accounts are removed.
PAGE 678
Users > Guest Services Global Guest Settings Check Show guest login status window with logout button to display a user login window on the users’s workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out but clicking the Logout button in the login status window.
PAGE 679
Users > Guest Accounts – Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires. – Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a new guest account. If you want to allow multiple users to login with a single account, disable this enforcement by clearing the Enforce login uniqueness checkbox.
PAGE 680
Users > Guest Accounts Viewing Guest Account Statistics To view statistics on a guest account, hover your mouse over the Statistics icon in the line of the guest account. The statistics window will display the cumulative total bytes and packets sent and received for all completed sessions. Currently active sessions will not be added to the statistics until the guest user logs out. Adding Guest Accounts You can add guest accounts individually or generate multiple guest accounts automatically.
PAGE 681
Users > Guest Accounts – Enable Guest Services Privilege: Check this for the account to be enabled upon creation. – Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to use this account at once. – Automatically prune account upon account expiration: Check this to have the account removed from the database after its lifetime expires.
PAGE 682
Users > Guest Accounts – Comment: Enter a descriptive comment. Step 3 In the Guest Services tab, configure: – Enable Guest Services Privilege: Check this for the accounts to be enabled upon creation. – Enforce login uniqueness: Check this to allow only one instance of each generated account to log into the security appliance at one time. Leave it unchecked to allow multiple users to use this account at once.
PAGE 683
Users > Guest Status Printing Account Details. You can print a summary of a guest account. Click the print icon account report page and send that page to an active printer. to launch a summary Users > Guest Status The Guest Status page reports on all the guest accounts currently logged in to the security appliance. The page lists: • Name: The name of the guest account. • IP: The IP address the guest user is connecting to.
PAGE 684
Users > Guest Status • Session Expiration: The time when the current session expires. • Statistics: hover your mouse over the Statistics icon to view statistics for total received and sent bytes and packets for this guest user’s current session. • Logout: Click the Logout icon to log the guest user off of the security appliance. Click Refresh in the top right of the page at any time to update the information in the list.
PAGE 685
PART 11 Security Services SONICWALL SONICOS ENHANCED 4.
PAGE 686
SONICWALL SONICOS ENHANCED 4.
PAGE 687
CHAPTER 54 Chapter 54: Managing SonicWALL Security Services SonicWALL Security Services SonicWALL, Inc. offers a variety of subscription-based security services to provide layered security for your network. SonicWALL security services are designed to integrate seamlessly into your network to provide complete protection.
PAGE 688
SonicWALL Security Services Note For more information on SonicWALL security services, please visit http:// www.sonicwall.com. Note Complete product documentation for SonicWALL security services are available on the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html. Security Services Summary The Security Services > Summary page lists the available SonicWALL security services and upgrades for your SonicWALL security appliance and provides access to mySonicWALL.
PAGE 689
SonicWALL Security Services If your SonicWALL security appliance is not registered, the Security Services > Summary page does not include the Services Summary table. Your SonicWALL security appliance must be registered to display the Services Summary table. mySonicWALL.com To activate SonicWALL Security Services, you need to have a mySonicWALL.com account and your SonicWALL security appliance must be registered. Creating a mySonicWALL.com account is easy and free. You can create a mySonicWALL.
PAGE 690
SonicWALL Security Services Managing Security Services Online Clicking the Manage Licenses button displays the mySonicWALL.com Login page for accessing your MySonicWALL.com account licensing information. Enter your mySonicWALL.com username and password in the User Name and Password fields, and then click Submit. The System > Licenses page is displayed with the Manage Services Online table. The information in the Manage Services Online table is updated from your mysSonicWALL.com account.
PAGE 691
SonicWALL Security Services Security Services Information This section includes a brief overview of services available for your SonicWALL security appliance. Update Signature Manually The Manual Signature Update feature is intended for networks where reliable, broadband Internet connectivity is either not possible or not desirable (for security reasons). The Manual Signature Update feature provides a method to update the latest signatures at the network administrator’s discretion.
PAGE 692
SonicWALL Security Services To manually update signature files, complete the following steps: 692 Step 1 On the Security Services > Summary page, scroll to the Update Signatures Manually heading at the bottom of the page. Note the Signature File ID for the device. Step 2 Log on to http://www.mysonicwall.com using the mysonicwall.com account that was used to register the SonicWALL security appliance. SonicOS Enhanced 4.
PAGE 693
SonicWALL Security Services Note The signature file can only be used on SonicWALL security appliances that are registered to the mysonicwall.com account that downloaded the signature file. Step 3 Click on Download Signatures under the Downloads heading. Step 4 In the pull down window next to Signature ID:, select the appropriate SFID for your SonicWALL security appliance. Step 5 Download the signature update file by clicking on Click here to download the Signature file.
PAGE 694
SonicWALL Security Services 694 SonicOS Enhanced 4.
PAGE 695
CHAPTER 55 Chapter 55: Configuring SonicWALL Content Filtering Service Security Services > Content Filter The Security Services > Content Filter page allows you to configure the SonicWALL Restrict Web Features and Trusted Domains settings, which are included with SonicOS Enhanced. You can activate and configure SonicWALL Content Filtering Service (SonicWALL CFS) as well as two third-party Content Filtering products from the Security Services > Content Filter page.
PAGE 696
Security Services > Content Filter SonicWALL Content Filtering Service SonicWALL Content Filtering Service (CFS) enforces protection and productivity policies for businesses, schools and libraries to reduce legal and privacy risks while minimizing administration overhead. SonicWALL CFS utilizes a dynamic database of millions of URLs, IP addresses and domains to block objectionable, inappropriate or unproductive Web content.
PAGE 697
Security Services > Content Filter You can also access the SonicWALL CFS URL Rating Review Request form by clicking on the here link in If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here. If SonicWALL CFS is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL CFS from a SonicWALL reseller or from your mySonicWALL.com account (limited to customer in the USA and Canada).
PAGE 698
Security Services > Content Filter • SonicWALL CFS - Selecting SonicWALL CFS as the Content Filter Type allows you to use the SonicWALL Content Filtering Service that is available as an upgrade. You can obtain more information about SonicWALL Content Filtering Service at http://www.sonicwall.com/products/cfs.html • N2H2 - N2H2 is a third party content filter software package supported by SonicWALL security appliance.
PAGE 699
Security Services > Content Filter Trusted Domains Trusted Domains can be added to enable content from specific domains to be exempt from Restrict Web Features. If you trust content on specific domains and want them exempt from Restrict Web Features, follow these steps to add them: Step 1 Check the Don’t block Java/ActiveX/Cookies to Trusted Domains checkbox. Step 2 Click Add. The Add Trusted Domain Entry window is displayed. Step 3 Enter the trusted domain name in the Domain Name field.
PAGE 700
Security Services > Content Filter Message to Display when Blocking You can enter your customized text to display to the user when access to a blocked site is attempted. The default message is This site is blocked by the SonicWALL Content Filter Service. Any message, including embedded HTML, up to 255 characters long, can be entered in this field. Configuring SonicWALL Filter Properties You can customize SonicWALL filter features included with SonicOS from the SonicWALL Filter Properties window.
PAGE 701
Security Services > Content Filter Warning Do not include the prefix “http://” in either the Allowed Domains or Forbidden Domains the fields. All subdomains are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”. To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete. Once the domain has been deleted, the Status bar displays Ready. Enable Keyword Blocking To enable blocking using Keywords, select Enable Keyword Blocking.
PAGE 702
Security Services > Content Filter the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field. When the default value of zero (0) is entered, this feature is disabled. • User Idle Timeout (minutes) - After a period of Web browser inactivity, the SonicWALL security appliance requires the user to agree to the terms outlined in the Consent page before accessing the Internet again.
PAGE 703
Security Services > Content Filter Configuring N2H2 Internet Filtering N2H2 is a third party Internet filtering package that allows you to use Internet content filtering through the SonicWALL. Step 1 Select N2H2 from the Content Filter Type list. Step 2 Click Configure to display the N2H2 Properties window. Note Note! You specify enforcement of content filtering on the Network > Zones page. N2H2 Properties The General page includes the following settings.
PAGE 704
Security Services > Content Filter URL Cache • Tip Cache Size (KB) - Configure the size of the URL Cache in KB for the SonicWALL. Tip! A larger URL Cache size can provide noticeable improvements in Internet browsing response times.
PAGE 705
Security Services > Content Filter Message to Display when Blocking You can enter your customized text in the Message to Display when Blocking text box that displays to the user when access to a blocked site is attempted. The default message is The site is blocked by the SonicWALL Content Filter Service. Any message, including embedded HTML, up to 255 characters long, can be entered in this field.
PAGE 706
Security Services > Content Filter – Block traffic to all Web sites - Selecting this option blocks traffic to all Web sites except Allowed Domains until the N2H2 server is available. – Allow traffic to all Web sites - Selecting this option allows traffic to all Web sites without Websense Enterprise server filtering. However, Forbidden Domains and Keywords, if enabled, are still blocked. URL Cache • Tip Cache Size (KB) - Configure the size of the URL Cache in KB.
PAGE 707
Security Services > Content Filter Trusted Domains Trusted Domains can be added in the Restrict Web Features section. If you trust content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL by clicking on Add. The Add Trusted Domain Entry window appears for entering the trusted domain name.
PAGE 708
Security Services > Content Filter 708 SonicOS Enhanced 4.
PAGE 709
CHAPTER 56 Chapter 56: Activating SonicWALL Client Anti-Virus Security Services > Anti-Virus By their nature, anti-virus products typically require regular, active maintenance on every PC. When a new virus is discovered, all anti-virus software deployed within an organization must be updated with the latest virus definition files. Failure to do so severely limits the effectiveness of anti-virus software and disrupts productive work time.
PAGE 710
Security Services > Anti-Virus Activating SonicWALL Client Anti-Virus If Sonic WALL Client Anti-Virus is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL Client Anti-Virus from a SonicWALL reseller or from your mySonicWALL.com account (limited to customer in the USA and Canada). Note For complete SonicWALL Client Anti-Virus documentation, see the SonicWALL Client AntiVirus Administrator’s Guide available at http://www.sonicwall.com/us/Support.
PAGE 711
Security Services > Anti-Virus Note You must have a mySonicWALL.com account and your SonicWALL must be registered to activate SonicWALL Client Anti-Virus. Step 1 Click the SonicWALL Client Anti-Virus Subscription link on the Security Services > AntiVirus page. The mySonicWALL.com Login page is displayed. Step 2 Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed.
PAGE 712
Security Services > Anti-Virus Activating a SonicWALL Client Anti-Virus FREE TRIAL You can try a FREE TRIAL of SonicWALL Client Anti-Virus by following these steps: Step 1 Click the FREE TRIAL link. The mySonicWALL.com Login page is displayed. Step 2 Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mySonicWALL.
PAGE 713
Security Services > Anti-Virus – Low Risk - A virus that is not reported in the field and is considered unlikely to be found in the field in the future has a low risk. Even if such a virus includes a very serious or unforeseeable damage payload, its risk is still low. – Medium Risk - If a virus is found in the field, and if it uses a less common infection mechanism, it is considered to be medium risk. If its prevalence stays low and its payload is not serious, it can be downgraded to a low risk.
PAGE 714
Security Services > E-mail Filter Security Services > E-mail Filter The E-Mail Filter allows the administrator to selectively delete or disable inbound e-mail attachments as they pass through the SonicWALL security appliance. This feature provides control over executable files and scripts, and applications sent as e-mail attachments. Note E-Mail Filter is included with the Client Anti-Virus service subscription. When you activate SonicWALL Client Anti-Virus, E-Mail Filter is automatically activated.
PAGE 715
CHAPTER 57 Chapter 57: Managing SonicWALL Gateway AntiVirus Service Security Services > Gateway Anti-Virus SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that traverses the SonicWALL gateway. Building on SonicWALL’s reassembly-free architecture, SonicWALL GAV inspects multiple application protocols, as well as generic TCP streams, and compressed traffic.
PAGE 716
Security Services > Gateway Anti-Virus SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching downloaded or e-mailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they travel to desktops. New signatures are created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts, open source developers and other sources.
PAGE 717
Security Services > Gateway Anti-Virus Remote Site Protection Step 1 Users send typical e-mail and files between remote sites and the corporate office. Step 2 SonicWALL GAV scans and analyses files and e-mail messages on the SonicWALL security appliance. Step 3 Viruses are found and blocked before infecting remote desktop. Step 4 Virus is logged and alert is sent to administrator.
PAGE 718
Security Services > Gateway Anti-Virus HTTP File Downloads Step 1 Client makes a request to download a file from the Web. Step 2 File is downloaded through the Internet. Step 3 File is analyzed the SonicWALL GAV engine for malicious code and viruses. Step 4 If virus found, file discarded. Step 5 Virus is logged and alert sent to administrator. Infected FIle PRO 5060 HTTP Request Virus Discarded Web Server Alert Logged Server Protection Step 1 Outside user sends an incoming e-mail.
PAGE 719
Security Services > Gateway Anti-Virus single-pass, per-packet basis. Reassembly free virus scanning functionality of the SonicWALL GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream.
PAGE 720
Security Services > Gateway Anti-Virus Note If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security Appliance” on page 721. Step 1 Log into the SonicWALL security appliance management interface. Step 2 If the System > Status page is not displayed in the management interface, click System in the left-navigation menu, and then click Status.
PAGE 721
Security Services > Gateway Anti-Virus Registering Your SonicWALL Security Appliance Step 1 Log into the SonicWALL security appliance management interface. Step 2 If the System > Status page is not displaying in the management interface, click System in the left-navigation menu, and then click Status. Step 3 On the System > Status page, in the Security Services section, click the Register link. The mySonicWALL.com Login page is displayed. Step 4 Enter your mySonicWALL.
PAGE 722
Security Services > Gateway Anti-Virus If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services: Step 1 On the Security Services > Gateway Anti--Virus page, click the SonicWALL Gateway Anti-Virus Subscription link. The mySonicWALL.com Login page is displayed. Step 2 Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit.
PAGE 723
Security Services > Gateway Anti-Virus Activating FREE TRIALs You can try FREE TRIAL versions of SonicWALL Gateway Anti-Virus, SonicWALL AntiSpyware, and SonicWALL Intrusion Prevention Service. You must activate each service separately from the Manage Services Online table on the System > Licenses page or by clicking the FREE TRIAL link on the respective Security Services page (i.e. Security Services > Gateway Anti-Virus).
PAGE 724
Security Services > Gateway Anti-Virus The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL GAV on your SonicWALL security appliance. Enabling SonicWALL GAV You must select Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings section to enable SonicWALL GAV on your SonicWALL security appliance.You must specify the Zones you want SonicWALL GAV protection on the Network > Zones page.
PAGE 725
Security Services > Gateway Anti-Virus Applying SonicWALL GAV Protection on Zones You can enforce SonicWALL GAV not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing LAN traffic.
PAGE 726
Security Services > Gateway Anti-Virus Note You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.
PAGE 727
Security Services > Gateway Anti-Virus Updating SonicWALL GAV Signatures By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for new signature updates. You can also manually update your SonicWALL GAV database at any time by clicking the Update button located in the Gateway Anti-Virus Status section. SonicWALL GAV signature updates are secured.
PAGE 728
Security Services > Gateway Anti-Virus The Enable Inbound Inspection protocol traffic handling represented as a table: Enabling Outbound SMTP Inspection The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the internally hosted SMTP server for viruses.
PAGE 729
Security Services > Gateway Anti-Virus • Restrict Transfer of password-protected Zip files - Disables the transfer of password protected ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP) that are enabled for inspection. • Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) Disables the transfers of any MS Office 97 and above files that contain VBA macros. • Restrict Transfer of packed executable files (UPX, FSG, etc.
PAGE 730
Security Services > Gateway Anti-Virus If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a virus is detected in an e-mail or attachment, check the Disable SMTP Responses box. Configuring HTTP Clientless Notification The HTTP Clientless Notification feature notifies users when GAV detects an incoming threat from an HTTP server.
PAGE 731
Security Services > Gateway Anti-Virus Optionally, you can configure the timeout for the HTTP Clientless Notification on the Security Services > Summary page under the Security Services Summary heading. Configuring a SonicWALL GAV Exclusion List Any IP addresses listed in the exclusion list bypass virus scanning on their traffic.The Gateway AV Exclusion List section provides the ability to define a range of IP addresses whose traffic will be excluded from SonicWALL GAV scanning.
PAGE 732
Security Services > Gateway Anti-Virus Viewing SonicWALL GAV Signatures The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the SonicWALL GAV signature database downloaded to your SonicWALL security appliance. Note Signature entries in the database change over time in response to new threats.
PAGE 733
Security Services > Gateway Anti-Virus Searching the Gateway Anti-Virus Signature Database You can search the signature database by entering a search string in the Lookup Signatures Containing String field, then clicking the edit (Notepad) icon. The signatures that match the specified string are displayed in the Gateway Anti-Virus Signatures table. SonicOS Enhanced 4.
PAGE 734
Security Services > Gateway Anti-Virus 734 SonicOS Enhanced 4.
PAGE 735
CHAPTER 58 Chapter 58: Activating Intrusion Prevention Service Security Services > Intrusion Prevention Service SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, e-mail, file transfer, Windows services and DNS. SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and backdoor exploits.
PAGE 736
Security Services > Intrusion Prevention Service How SonicWALL’s Deep Packet Inspection Works Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWALL Intrusion Prevention Service.
PAGE 737
Security Services > Intrusion Prevention Service • Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. • Intrusion Detection - a process of identifying and flagging malicious activity aimed at information technology. • False Positive - a falsely identified attack traffic pattern.
PAGE 738
Security Services > Intrusion Prevention Service Tip If your SonicWALL security appliance is connected to the Internet and registered at mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL Gateway AntiVirus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service separately from the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware, and Security Services > Intrusion Prevention pages in the management interface.
PAGE 739
Security Services > Intrusion Prevention Service Note Remember your username and password to access your mySonicWALL.com account. Step 6 Click Submit after completing the MySonicWALL Account form. Step 7 When the mySonicWALL.com server has finished processing your account, you will see a page saying that your account has been created. Click Continue. Congratulations. Your mySonicWALL.com account is activated. Now you need to log into mySonicWALL.com to register your SonicWALL security appliance.
PAGE 740
Security Services > Intrusion Prevention Service Note Clicking on the Continue button does not activate the FREE TRIAL versions of these SonicWALL Security Services. Step 6 At the top of the Product Survey page, Enter a “friendly name” for your SonicWALL content security appliance in the Friendly Name field. The friendly name allows you to easily identify your SonicWALL content security appliance in your mySonicWALL.com account. Step 7 Please complete the Product Survey.
PAGE 741
Security Services > Intrusion Prevention Service If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services: Step 1 On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion Prevention Service Subscription link. The mySonicWALL.com Login page is displayed. Step 2 Enter your mySonicWALL.
PAGE 742
Security Services > Intrusion Prevention Service Setting Up SonicWALL Intrusion Prevention Service Protection Activating the SonicWALL Intrusion Prevention Service license on your SonicWALL security appliance does not automatically enable the protection. To configure SonicWALL Intrusion Prevention Service to begin protecting your network, you need to perform the following steps: Step 1 Enable SonicWALL Intrusion Prevention Service. Step 2 Specify the Priority attack Groups.
PAGE 743
Security Services > Intrusion Prevention Service information on configuring global signature groups, refer to “Configuring Global Signature Groups” in the SonicWALL Intrusion Prevention Service Administrator’s Guide available on the SonicWALL Resource CD or at
PAGE 744
Security Services > Intrusion Prevention Service 744 SonicOS Enhanced 4.
PAGE 745
CHAPTER 59 Chapter 59: Activating Anti-Spyware Service Security Services > Anti-Spyware Service SonicWALL Anti-Spyware is part of the SonicWALL Gateway Anti-Virus, Anti-Virus and Intrusion Prevention Service solution that provides comprehensive, real-time protection against viruses, worms, Trojans, spyware, and software vulnerabilities.
PAGE 746
Security Services > Anti-Spyware Service Note Refer to the SonicWALL Anti-Spyware Administrator’s Guide on the SonicWALL Web site: http://www.sonicwall.com/us/Support.html for complete product documentation.
PAGE 747
Security Services > Anti-Spyware Service Creating a mySonicWALL.com Account Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online registration form in the SonicWALL security appliance management interface. Note If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security Appliance” on page 748. Step 1 Log into the SonicWALL security appliance management interface.
PAGE 748
Security Services > Anti-Spyware Service Registering Your SonicWALL Security Appliance Step 1 Log into the SonicWALL security appliance management interface. Step 2 If the System > Status page is not displaying in the management interface, click System in the left-navigation menu, and then click Status. Step 3 On the System > Status page, in the Security Services section, click the Register link. The mySonicWALL.com Login page is displayed. Step 4 Enter your mySonicWALL.
PAGE 749
Security Services > Anti-Spyware Service To try a FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, or SonicWALL Intrusion Prevention Service, perform these steps: Step 1 Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware, or Security Services > Intrusion Prevention page. The mySonicWALL.com Login page is displayed. Step 2 Enter your mySonicWALL.
PAGE 750
Security Services > Anti-Spyware Service If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services: Step 1 On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion Prevention Service Subscription link. The mySonicWALL.com Login page is displayed. Step 2 Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit.
PAGE 751
Security Services > Anti-Spyware Service Refer to the SonicWALL Anti-Spyware Administrator’s Guide on the SonicWALL Web site: http://www.sonicwall.com/us/Support.html for complete configuration instructions.
PAGE 752
Security Services > Anti-Spyware Service 752 SonicOS Enhanced 4.
PAGE 753
CHAPTER 60 Chapter 60: Configuring SonicWALL Real-Time Blacklist SMTP Real-Time Black List Filtering SMTP Real-time Black List (RBL) is a mechanism for publishing the IP addresses of SMTP servers from which or through which spammers operate. There are a number of organizations that compile this information both for free http://www.spamhaus.org, and for profit http:// www.mail-abuse.com. A well maintained list of RBL services and their efficacy can be found at: http://www.sdsc.edu/~jeff/spam/cbc.
PAGE 754
Security Services > RBL Filter Note Most spam today is known to be sent from hijacked or zombie machines running a thin SMTP server implementation, unbeknownst to the hosts operator. These zombie machines rarely attempt to retry failed delivery attempts, as would be the behavior of a legitimate SMTP server. As such, once the delivery attempt is thwarted by the SonicWALL RBL filter, no subsequent delivery attempts for that same piece of spam will be made.
PAGE 755
Security Services > RBL Filter To add an RBL services, click the Add button. In the Add RBL Domain window, you specify the RBL domain to be queried, enable it for use, and specify its expected response codes. Most RBL services list the responses they provide on their Web site, although selecting Block All Responses is generally acceptable. Statistics are maintained for each RBL Service in the RBL Service table, and can be viewed with a mouse-over of the (statistics) icon to the right on the service entry.
PAGE 756
Security Services > RBL Filter 756 SonicOS Enhanced 4.
PAGE 757
CHAPTER 61 Chapter 61: Configuring SonicWALL Global Security Client Security Services > Global Security Client The SonicWALL Global Security Client combines gateway enforcement, central management, configuration flexibility and software deployment to deliver comprehensive desktop security for remote/mobile workers and corporate networks.
PAGE 758
Security Services > Global Security Client gateway administrator automatically updates the Global Security Client with the latest security policies and software updates. No prompting or intervention is necessary by the administrator or the remote user - it’s completely seamless and transparent.
PAGE 759
Security Services > Global Security Client • Policy Management - enables network administrator’s to create, distribute and manage global security policies for remote and mobile users from a central location. Once a new policy is created, it is seamlessly distributed to every system on the network with no end-user interaction required. Configuration options include specifying the minimum application version, policy levels and behavior for clients not in compliance.
PAGE 760
Security Services > Global Security Client SonicWALL’s Distributed Enforcement Architecture (DEA) technology enables the policy enforcement capabilities that provide the framework for the Global Security Client’s complete security solution for all remote and network desktops.
PAGE 761
Security Services > Global Security Client Configuring Security Policies for Global Security Clients The Security Services > Global Security Client page provides the settings for configuring the security policies for Global Security Clients. SonicOS Enhanced 4.
PAGE 762
Security Services > Global Security Client 762 SonicOS Enhanced 4.
PAGE 763
PART 12 Log SONICWALL SONICOS ENHANCED 4.
PAGE 764
SONICWALL SONICOS ENHANCED 4.
PAGE 765
CHAPTER 62 Chapter 62: Managing Log Events Log > View The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displayed in a table and can be sorted by column. The SonicWALL security appliance can alert you of important events, such as an attack to the SonicWALL security appliance.
PAGE 766
Log > View Log View Table The log is displayed in a table and is sortable by column. The log table columns include: • Time - the date and time of the event. • Priority - the level of priority associated with your log event.
PAGE 767
Log > View Clear Log To delete the contents of the log, click the Clear Log button near the top right corner of the page. Export Log To export the contents of the log to a defined destination, click the Export Log button below the filter table.You can export log content to two formats: • Plain text format--Used in log and alert e-mail. • Comma-separated value (CSV) format--Used for importing into Excel or other presentation development applications.
PAGE 768
Log > View Source interface AND Destination interface Step 3 Check the Group box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group next to Source IP and Destination IP, the search string will look for connections matching: (Source IP OR Destination IP) AND Protocol Step 4 Click Apply Filter to apply the filter immediately to the Active Connections table.
PAGE 769
CHAPTER 63 Chapter 63: Configuring Log Categories Log > Categories This chapter provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics. Note You can extend your SonicWALL security appliance log reporting capabilities by using SonicWALL ViewPoint. ViewPoint is a web-based graphical reporting tool for detailed and comprehensive reports.
PAGE 770
Log > Categories Log Priority This section provides information on configuring the level of priority log messages are captured and corresponding alert messages are sent through e-mail for notification. Logging Level The Logging Level control filters events by priority. Events of equal of greater priority are passed, and events of lower priority are dropped.
PAGE 771
Log > Categories Log Categories SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it’s become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.
PAGE 772
Log > Categories Log Type Category Description Firewall Logging Extended Logs general events and errors Firewall Rule Extended Logs firewall rule modifications GMS Extended Logs GMS status event High Availability Extended Logs High Availability activity IPcomp Extended Logs IP compression activity Intrusion Prevention Extended Logs intrusion prevention related activity L2TP Client Extended Logs L2TP client activity L2TP Server Extended Logs L2TP server activity Multicast Extended
PAGE 773
Log > Categories Managing Log Categories The Log Categories table displays log category information organized into the following columns: • Category - Displays log category name. • Description - Provides description of the log category activity type. • Log - Provides checkbox for enabling/disabling the display of the log events in on the Log > View page. • Alerts - Provides checkbox for enabling/disabling the sending of alerts for the category.
PAGE 774
Log > Categories 774 SonicOS Enhanced 4.
PAGE 775
CHAPTER 64 Chapter 64: Configuring Syslog Settings Log > Syslog In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514.
PAGE 776
Log > Syslog Syslog Settings Syslog Facility • Note See RCF 3164 - The BSD Syslog Protocol for more information. • Note Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol. Override Syslog Settings with ViewPoint Settings - Check this box to override Syslog settings, if you’re using SonicWALL ViewPoint for your reporting solution. For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
PAGE 777
Log > Syslog Syslog Servers Adding a Syslog Server To add syslog servers to the SonicWALL security appliance Step 1 Click Add. The Add Syslog Server window is displayed. Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers. Step 3 If your syslog is not using the default port of 514, type the port number in the Port Number field. Step 4 Click OK.
PAGE 778
Log > Syslog 778 SonicOS Enhanced 4.
PAGE 779
CHAPTER 65 Chapter 65: Configuring Log Automation Log > Automation The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings. SonicOS Enhanced 4.
PAGE 780
Log > Automation E-mail Log Automation • Send Log to E-mail address - Enter your e-mail address (username@mydomain.com) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed. • Send Alerts to E-mail address - Enter your e-mail address (username@mydomain.com) in the Send alerts to field to be immediately e-mailed when attacks or system errors occur.
PAGE 781
CHAPTER 66 Chapter 66: Configuring Name Resolution Log > Name Resolution The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the names/address pairs in a cache, to assist with future lookups.
PAGE 782
Log > Name Resolution • None: The security appliance will not attempt to resolve IP addresses and Names in the log reports. • DNS: The security appliance will use the DNS server you specify to resolve addresses and names. • NetBios: The security appliance will use NetBios to resolve addresses and names. If you select NetBios, no further configuration is necessary. • DNS then NetBios: The security appliance will first use the DNS server you specify to resolve addresses and names.
PAGE 783
CHAPTER 67 Chapter 67: Generating Log Reports Log > Reports The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page. Note SonicWALL ViewPoint provides a comprehensive Web-based reporting solution for SonicWALL security appliances.
PAGE 784
Log > Reports Data Collection The Reports window includes the following functions and commands: • Start Data Collection Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection. • Reset Data Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL security appliance is restarted.
PAGE 785
Log > Reports Bandwidth Usage by IP Address Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table showing the IP Address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period. Bandwidth Usage by Service Selecting Bandwidth Usage by Service from the Report to view menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc.
PAGE 786
Log > Reports 786 SonicOS Enhanced 4.
PAGE 787
CHAPTER 68 Chapter 68: Activating SonicWALL ViewPoint Log > ViewPoint SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities.
PAGE 788
Log > ViewPoint Activating ViewPoint The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods. If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Apply. Warning 788 You must have a mySonicWALL.com account and your SonicWALL security appliance must be registered to activate SonicWALL ViewPoint for your SonicWALl security appliance. 1.
PAGE 789
Log > ViewPoint 3. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit. 4. If you activated SonicWALL ViewPoint at mySonicWALL.com, the SonicWALL ViewPoint activation is automatically enabled on your SonicWALL within 24-hours or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL.
PAGE 790
Log > ViewPoint 790 SonicOS Enhanced 4.
PAGE 791
PART 13 Wizards SONICWALL SONICOS ENHANCED 4.
PAGE 792
SONICWALL SONICOS ENHANCED 4.
PAGE 793
CHAPTER 69 Chapter 69: Configuring Internet Connectivity Using the Setup Wizard Wizards > Setup Wizard The first time you log into the SonicWALL, the Setup Wizard is launched automatically. To launch the Setup Wizard at any from the Management Interface, log into the SonicWALL. Click Wizards and select Setup Wizard.
PAGE 794
Wizards > Setup Wizard The Setup Wizard screens change depending on the choices you make. For example, if you choose Guest Internet Gateway, The Setup Wizard will display the screens for Modem, WAN, WLAN, and Wireless Guest Services setup. It will not display the screens for LAN and WiFiSec setup, because they do not apply in a Guest Internet Gateway deployment. 794 SonicOS Enhanced 4.
PAGE 795
Wizards > Setup Wizard Configuring a Static IP Address with NAT Enabled Using NAT to set up your SonicWALL eliminates the need for public IP addresses for all computers on your LAN. It is a way to conserve IP addresses available from the pool of IPv4 addresses for the Internet. NAT also allows you to conceal the addressing scheme of your network. If you do not have enough individual IP addresses for all computers on your network, you can use NAT for your network configuration.
PAGE 796
Wizards > Setup Wizard Note Your Web browser must be Java-enabled and support HTTP uploads in order to fully manage SonicWALL. Internet Explorer 5.0 and above as well as Netscape Navigator 4.0 and above meet these criteria. 1. Click the Setup Wizard button on the Network > Settings page. Read the instructions on the Welcome window and click Next to continue. Change Password 2. Tip 796 To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next.
PAGE 797
Wizards > Setup Wizard Change Time Zone 3. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. WAN Network Mode 4. Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet. Click the hyperlinks for definitions of the networking terms. You can choose: • Static IP, if your ISP assigns you a specific IP address or group of addresses.
PAGE 798
Wizards > Setup Wizard WAN Network Mode: NAT Enabled 6. Enter the public IP address provided by your ISP in the SonicWALL WAN IP Address, then fill in the rest of the fields: WAN/OPT/DMZ Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses. Click Next. 7. The LAN page allows the configuration of the SonicWALL LAN IP Addresses and the LAN Subnet Mask.The SonicWALL LAN IP Addresses are the private IP address assigned to the LAN port of the SonicWALL.
PAGE 799
Wizards > Setup Wizard LAN DHCP Settings 8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select Enable DHCP Server, and specify the range of IP addresses that are assigned to computers on the LAN. If Disable DHCP Server is selected, you must configure each computer on your network with a static IP address on your LAN. Click Next.
PAGE 800
Wizards > Setup Wizard Setup Wizard Complete 10. The SonicWALL stores the network settings. 11. Click Close to return to the SonicWALL Management Interface. Configuring DHCP Networking Mode DHCP is a networking mode that allows you to obtain an IP address for a specific length of time from a DHCP server. The length of time is called a lease which is renewed by the DHCP server typically after a few days. When the lease is ready to expire, the client contacts the server to renew the lease.
PAGE 801
Wizards > Setup Wizard Change Password 3. Tip To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next. It is very important to choose a password which cannot be easily guessed by others. Change Time Zone 4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. SonicOS Enhanced 4.
PAGE 802
Wizards > Setup Wizard WAN Network Mode 5. Select DHCP, the Obtain an IP address automatically window is displayed. Click Next. WAN Network Mode: NAT with DHCP Client 6. 802 The Obtain an IP address automatically window states that the ISP dynamically assigns an IP address to the SonicWALL. To confirm this, click Next. DHCP-based configurations are most common with cable modem connections. SonicOS Enhanced 4.
PAGE 803
Wizards > Setup Wizard LAN Settings 7. The Fill in information about your LAN page allows the configuration of SonicWALL LAN IP Addresses and Subnet Masks. SonicWALL LAN IP Addresses are the private IP addresses assigned to the LAN of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the networks. The default values provided by the SonicWALL are useful for most networks. Click Next. 8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server.
PAGE 804
Wizards > Setup Wizard SonicWALL Configuration Summary 9. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next. Setup Wizard Complete 10. The SonicWALL stores the network settings. 11. Click Close to return to the SonicWALL Management Interface.
PAGE 805
Wizards > Setup Wizard Configuring NAT Enabled with PPPoE NAT with PPPoE Client is a network protocol that uses Point to Point Protocol over Ethernet to connect with a remote site using various Remote Access Service products. This protocol is typically found when using a DSL modem with an ISP requiring a user name and password to log into the remote server. The ISP may then allow you to obtain an IP address automatically or give you a specific IP address. 1.
PAGE 806
Wizards > Setup Wizard Change Password 3. Tip To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next. It is very important to choose a password which cannot be easily guessed by others. Change Time Zone 4. 806 Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. SonicOS Enhanced 4.
PAGE 807
Wizards > Setup Wizard WAN Network Mode 5. The SonicWALL automatically detects the presence of a PPPoE server on the WAN. If not, then select PPPoE: Your ISP provided you with desktop software, a user name and password. Click Next. WAN Network Mode: NAT with PPPoE Client 6. Select whether to use a dynamic or static IP address, and enter the user name and password provided by your ISP into the User Name and Password fields. Click Next. SonicOS Enhanced 4.
PAGE 808
Wizards > Setup Wizard LAN Settings 7. The LAN Settings page allows the configuration of SonicWALL LAN IP Addresses and LAN Subnet Mask.The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL are useful for most networks. If you do not use the default settings, enter your preferred IP addresses in the fields. Click Next. 8.
PAGE 809
Wizards > Setup Wizard SonicWALL Configuration Summary 9. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next. Setup Wizard Complete 10. The SonicWALL stores the network settings. 11. Click Close to return to the SonicWALL Management Interface. SonicOS Enhanced 4.
PAGE 810
Wizards > Setup Wizard Configuring PPTP Network Mode NAT with PPTP Client mode uses Point to Point Tunneling Protocol (PPTP) to connect to a remote server. It supports older Microsoft implementations requiring tunneling connectivity. 810 1. Click the Setup Wizard button on the Network > Settings page. 2. Read the instructions on the Welcome window and click Next to continue. SonicOS Enhanced 4.
PAGE 811
Wizards > Setup Wizard Change Password 3. Tip To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next. It is very important to choose a password which cannot be easily guessed by others. Change Time Zone Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. SonicOS Enhanced 4.
PAGE 812
Wizards > Setup Wizard WAN Network Mode 4. Select PPTP: Provided you with a server IP address, a user name and password. Click Next. WAN Network Mode: NAT with PPTP Client 5. 812 Enter the user name and password provided by your ISP into the User Name and Password fields. Click Next. SonicOS Enhanced 4.
PAGE 813
Wizards > Setup Wizard LAN Settings 6. The LAN Settings page allows the configuration of SonicWALL LAN IP Addresses and LAN Subnet Mask.The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL are useful for most networks. If you do not use the default settings, enter your preferred IP addresses in the fields. Click Next. 7.
PAGE 814
Wizards > Setup Wizard SonicWALL Configuration Summary 8. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next. Setup Wizard Complete 9. The SonicWALL stores the network settings. 10. Click Close to return to the SonicWALL Management Interface. 814 SonicOS Enhanced 4.
PAGE 815
CHAPTER 70 Chapter70: Using the Registration & License Wizard Wizards > Registration & License Wizard The SonicWALL Registration and License Wizard simplifies the process of registering your SonicWALL security appliance and obtaining licenses for additional security services. To use the Registration and License Wizard, complete the following steps: Step 1 Launch the SonicWALL Configuration Wizard window by clicking Wizards in the left navigation panel. SonicOS Enhanced 4.
PAGE 816
Wizards > Registration & License Wizard 816 Step 2 Select Registration and License Wizard and click Next. Step 3 A screen displays confirming that you are using the Registration and License Wizard. Click Next. Step 4 If you already have a mysonicwall.com account, enter your username and password. Click Next. If you do not have a mysonicwall.com account, select Create a sonicwall.com account and click Next. Complete the fields on the User Registration page to create a mysonicwall.
PAGE 817
Wizards > Registration & License Wizard Step 5 On the Choose security services page, select the security services you would like to purchase and click Next. Step 6 The Registration and License Wizard launches your mysonicwall.com shopping cart. Make sure that your pop-up blocker is turned off. SonicOS Enhanced 4.
PAGE 818
Wizards > Registration & License Wizard 818 Step 7 Verify that the services you want to purchase are listed in the shopping cart. When you are finished selecting security services, click Checkout. Step 8 The mysonicwall.com checkout page displays. Enter your credit card and billing information and click Confirm. SonicOS Enhanced 4.
PAGE 819
Wizards > Registration & License Wizard Step 9 The Confirm page displays. Verify that your order is correct and click Confirm. You can now print a copy of your completed order. Step 10 Close the mysonicwall.com window and return to the Registration and License Wizard. Step 11 Click Next to synchronize your newly purchased licenses. The SonicWALL security appliance synchronizes with mysonicwall.com. SonicOS Enhanced 4.
PAGE 820
Wizards > Registration & License Wizard Step 12 Your new security services are now available on the SonicWALL security appliance. Click Close to close the wizard. 820 SonicOS Enhanced 4.
PAGE 821
CHAPTER 71 Chapter 71: Configuring a Public Server with the Wizard Wizards > Public Server Wizard 1. Start the wizard: In the navigator, click Wizards. SonicOS Enhanced 4.
PAGE 822
Wizards > Public Server Wizard 822 2. Select Public Server Wizard and click Next. 3. Select the type of server from the Server Type list. Depending on the type you select, the available services change. Check the box for the services you are enabling on this server. Click Next 4. Enter the name of the server. 5. Enter the private IP address of the server. Specify an IP address in the range of addresses assigned to zone where you want to put this server.
PAGE 823
Wizards > Public Server Wizard 6. Click Next. 7. Enter the public IP address of the server. The default is the WAN public IP address. If you enter a different IP, the Public Server Wizard will create an address object for that IP address and bind the address object to the WAN zone. 8. Click Next. SonicOS Enhanced 4.
PAGE 824
Wizards > Public Server Wizard 9. • The Summary page displays a summary of all the configuration you have performed in the wizard. It should show: Server Address Objects The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the DMZ, the wizard binds the address object to the DMZ zone. It gives the object a name of the name you specified for the server plus “_private”.
PAGE 825
Wizards > Public Server Wizard 10. Click Apply in the Public Server Configuration Summary page to complete the wizard and apply the configuration to your SonicWALL. Tip The new IP address used to access the new server, internally and externally is displayed in the URL field of the Congratulations window. 11. Click Close to close the wizard. SonicOS Enhanced 4.
PAGE 826
Wizards > Public Server Wizard 826 SonicOS Enhanced 4.
PAGE 827
CHAPTER 72 Chapter 72: Configuring VPN Policies with the VPN Policy Wizard Wizards > VPN Wizard The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN on the SonicWALL. After the configuration is completed, the wizard creates the necessary VPN settings for the selected VPN policy. You can use the SonicWALL Management Interface for optional advanced configuration options. SonicOS Enhanced 4.
PAGE 828
Wizards > VPN Wizard Using the VPN Policy Wizard 828 Step 1 In the top right corner of the VPN > Settings page, click on VPN Policy Wizard. Step 2 Click Next. Step 3 In the VPN Policy Type page, select WAN GroupVPN and click Next. Step 4 In the IKE Phase 1 Key Method page, you select the authentication key to use for this VPN policy: SonicOS Enhanced 4.
PAGE 829
Wizards > VPN Wizard – Default Key: If you choose the default key, all your Global VPN Clients and Global Security Clients will automatically use the default key generated by the SonicWALL to authenticate with the SonicWALL. – Use this Key: If you choose a custom preshared key, you must distribute the key to every VPN Client because the user is prompted for this key when connecting to the SonicWALL.
PAGE 830
Wizards > VPN Wizard – Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and the and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. You can choose. DES, 3DES, AES-128, or AES256. The VPN uses this for all data through the tunnel.
PAGE 831
Wizards > VPN Wizard Note Step 9 If you enable user authentication, the users must be entered in the SonicWALL database for authentication. Users are entered into the SonicWALL database on the Users > Local Users page, and then added to groups in the Users > Local Groups page. Click Next. Step 10 In the Configure Virtual IP Adapter page, select whether you want to use the SonicWALL’s internal DHCP server to assign each VPN client IP address from the LAN zone’s IP range.
PAGE 832
Wizards > VPN Wizard • The shared secret if you selected a custom preshared secret in the VPN Wizard. • The authentication username and password. Configuring a Site-to-Site VPN using the VPN Wizard You use the VPN Policy Wizard to create the site-to-site VPN policy. 832 SonicOS Enhanced 4.
PAGE 833
Wizards > VPN Wizard Using the VPN Wizard to Configure Preshared Secret Step 1 On the System > Status page, click on Wizards. Step 2 In the Welcome to the SonicWALL Configuration Wizard page select VPN Wizard and click Next. Step 3 In the VPN Policy Type page, select Site-to-Site and click Next. Step 4 In the Create Site-to-Site Policy page, enter the following information: SonicOS Enhanced 4.
PAGE 834
Wizards > VPN Wizard – Policy Name: Enter a name you can use to refer to the policy. For example, Boston Office. – Preshared Key: Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation. You can use the default SonicWALL generated Preshared Key. – I know my Remote Peer IP Address (or FQDN): If you check this option, this SonicWALL can initiate the contact with the named remote peer. If you do not check this option, the peer must initiate contact to create a VPN tunnel.
PAGE 835
Wizards > VPN Wizard If the object or group you want has not been created yet, select Create Object or Create Group. Create the new object or group in the dialog box that pops up. Then select the new object or group. For this example, select LAN Subnets. – Destination Networks: Select the network resources on the destination end of the VPN Tunnel. If the object or group does not exist, select Create new Address Object or Create new Address Group. For example: a. Select Create new Address Group. b.
PAGE 836
Wizards > VPN Wizard – Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and the and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encrypt and decrypt. You can choose. DES, 3DES, AES-128, or AES256.
PAGE 837
Index Symbols 401, 793, 796–797, 800–803, 805–808, 811–813, 815, 821, 827–828 Numerics 802.11a 394 802.
PAGE 838
filter properties 700 FIPS 104 firmware management automatic notification 100–101 backup firmware image 102 booting firmware 102 export settings 100 import settings 100 safemode 103 updating firmware 102 fragmentation threshold 342 fragmented packet handling 582 D deep packet inspection 718 DF bit 582 DH group 829 VPN policy wizard 835 DHCP relay mode 587 setup wizard 797 VPN central gateway 588 VPN remote gateway 588 DHCP over VPN leases 591 DHCP server 278 current leases 294 dynamic ranges 281 static en
PAGE 839
I IDS authorizing access points 407 rogue access points 406 IEEE 802.11b 315 IEEE 802.
PAGE 840
settings 248 translated destination 248 translated service 249 translated source 248 NAT policy loopback policy 824 outbound interface 249 public server wizard 824 reflective policy 249 NAT traversal 582 network anti-virus 709 activating 710 network settings setup wizard 796 O objects service group 824 open system 334 outbound SMTP inspection 728 P packet capture advanced settings 119 basic operation 107 benefits 106 configuring 111 display filter 115 export as HTML 123 export as text 124 filter settings
PAGE 841
LAN settings 798–799, 803–804, 808, 813–814 NAT with DHCP client 802 NAT with PPPoE 805 NAT with PPPoE client 807 NAT with PPTP 810 NAT with PPTP client 812 static IP address with NAT enabled 795 WAN Network mode 812 WAN network mode 797, 802, 807 shared key 334 signatures 727 manually update 691 signatures table 732 SIP 511 media 522 signaling 522 transforming SIP messages 522 UDP port 523 site-to-site VPN policy name 834 VPN policy wizard 832 SMTP messages, suppressing 730 SonicPoint provisioning profiles
PAGE 842
authentication 830, 836 configuration summary 836 connecting Global VPN Clients 831 destination networks 835 DH group 829, 835 encryption 830, 836 IKE phase 1 key method 828 IKE security settings 829, 835 life time 836 local networks 834 peer IP address 834 policy name 834 preshared key 834 site-to-site VPN 832 user authentication 830 virtual IP adapter 831 VPN policy type 828 data limiting 384 failover 153, 372–375 glossary 386 GSM 372 maximum allowed connections 157 maximum connection time 383 monitoring
PAGE 843
SonicWALL, Inc. 1143 Borregas Avenue T +1 408.745.9600 Sunnyvale CA 94089-1306 F +1 408.745.9300 www.sonicwall.com PN: 232-001213-00 Rev A 06/08 ©2008 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/o r registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.