
Policy Configuration | GMS 8.3 Admin Guide | SonicWall

GMS 8.3 Admin Guide: Policy Configuration

Sections in this chapter:
• Introduction to Policy Management
• Configuring Firewall System Settings
• Configuring Firewall Network Settings
• Configuring PortShield Interfaces for Dell Networking X-Series Switches
• Configuring Firewall Dynamic Host Configuration Protocol
• Configuring Switching
• Viewing Firewall Diagnostic Information
• Configuring Firewall 3G/4G/Modem Options
• Configuring Firewall Wireless WAN Options
• Configuring Firewall SonicPoints
• Configuring Firewall Wireless Options
• Configuring Firewall Access Rules
• Configuring Firewall Appliance Settings
• Configuring Firewall DPI-SSL Settings
• Configuring the Firewall VoIP
• Configuring Firewall Anti-Spam Settings
• Configuring Firewall Virtual Private Networking
• Configuring Firewall SSL VPN Settings
• Configuring Virtual Assist
• Configuring Firewall User Settings
• Configuring Firewall High Availability
• Configuring Firewall Security Services
• Configuring Content Filtering Service
• Configuring WAN Acceleration
• Configuring Flow Activity
• Configuring Firewall Log Settings
• Configuring Firewall Events
• Registering and Upgrading SonicWall Firewall Appliances
• Managing SMA Policies
• Managing Email Security Appliances


Introduction to Policy Management

This section describes how to use SonicWall™ Global Management System (GMS) to configure policies on the full range of SonicWall platforms and includes the following:
• SonicWall GMS Policy Configuration Overview
• Introduction to Firewall Policies
• Introduction to SMA Policies
• Introduction to Email Security Policies

SonicWall GMS Policy Configuration Overview

The appliance panels enable administrators to add, delete, configure and view the various SonicWall appliance types managed by SonicWall GMS. The policy panels include:
• Firewall — For management and reporting on compatible firewall appliances.
• SMA — For management and reporting on SonicWall SMA and Aventail appliances.
• ES — For management of SonicWall Email Security appliances.

The policy panels are used to configure SonicWall appliances. From these pages, you can apply settings to all SonicWall appliances being managed by SonicWall GMS, to all SonicWall appliances within a group, or to individual SonicWall appliances.

Introduction to Firewall Policies

To open the Policies panel, click the Firewall tab at the top of the SonicWall GMS UI and then click Policies > System > Status. The Policies panel for the selected appliance appears.

System

This covers a variety of SonicWall firewall appliance controls for managing system status information, registering the SonicWall firewall appliance, activating and managing SonicWall Security Services licenses, configuring SonicWall firewall appliance local and remote management options, managing firmware versions and preferences, and using the included diagnostic tools for troubleshooting. It also describes how to use GMS to configure general System Policy settings on managed SonicWall appliances. The following describe how to configure the system settings:
• Status—Provides a comprehensive collection of information to help you manage your SonicWall security appliances and SonicWall Security Services licenses. It includes GMS status information on Firewall, Management, Subscription, and Firewall Models. Refer to Viewing System Status.
• Administrator—Describes how to change the administrator and password options for one or more SonicWall appliances. Refer to Configuring Administrator Settings.
• Management—Describes how to edit the remote management settings on SonicWall security appliances for management by GMS or VPN client. Refer to Editing Management Settings.
• SNMP—Describes how to configure Simple Network Management Protocol. Refer to Configuring SNMP.
• Certificates (Unit-level view only)—Describes how to configure both third-party Certificate Authority (CA) certificates and local certificates. Refer to Navigating the System > Certificates Page.
• Time—Describes how to change the time and time options for one or more SonicWall appliances. Refer to Configuring Time Settings.
• Schedules—Describes how to create and configure schedule groups, which are used to apply firewall rules for specified days and hours of the week. Refer to Configuring Schedules.
• Tools—Provides a set of common system configuration tasks for restarting an appliance, requesting diagnostic information, inheriting settings, system synchronization, and synchronizing the appliance with mysonicwall.com. Also includes options to generate a Tech Support Report (TSR) and to email the TSR. Refer to Using Configuration Tools.
• Info—Describes how to change contact information for one or more SonicWall appliances. Refer to Configuring Contact Information.
• Settings—Describes how to back up and save SonicWall appliance settings as well as restore them from preferences files. Refer to Configuring System Settings.
• Licensed Nodes (Unit-level view only)—Provides a Node License Status table listing the number of nodes your SonicWall security appliance is licensed to have connected at any one time, how many nodes are currently connected, and how many nodes you have in your Node License Exclusion List.

Network

This covers configuring the SonicWall firewall appliance for your network environment and describes how to configure network settings for SonicWall appliances. It is divided into sections for SonicWall security appliances running SonicOS Enhanced and SonicOS Standard.
• Overview of Interfaces
• Configuring Network Settings in SonicOS Enhanced
• Configuring Network Settings in SonicOS Standard

DHCP

This describes how to use the Global Management System (GMS) to configure SonicWall appliances as DHCP servers. Dynamic Host Configuration Protocol (DHCP) enables network administrators to automate the assignment of IP addresses from a centralized DHCP server. This conserves IP addresses and makes it easy for mobile users to move among different segments of the network without having to manually enter new IP addresses.
This includes the following:
• Configuring DHCP Over VPN
• Configuring DHCP Settings
• Configuring Dynamic DHCP IP Address Ranges
• Configuring Static IP Addresses
• Configuring DHCP Option Objects
• Configuring DHCP Option Groups
• Configuring General DHCP Settings
• Configuring Trusted DHCP Relay Agents

Switching

This describes how to configure switching on a SonicWall appliance. For GMS, switching is supported only on appliances running SonicOS 5.9 or higher. For an overview of switching and configuration procedures, refer to the following:
• Overview of Switching
• Configuring VLAN Trunking
• Configuring Rapid Spanning Tree
• Configuring Link Aggregation
• Configuring Port Mirroring
• Configuring Layer 2 QoS
• Configuring Rate Control
• Configuring Port Security

Diagnostics

SonicWall appliances store information about all devices with which they have communicated. When you generate diagnostic information, only one report can be generated at a time, and the information is maintained only during the current session. For example, if you run a firewall log report and then log off or generate another report, the firewall log report data is lost until you run the report again. This includes the following:
• Viewing Network Diagnostic Settings
• Viewing Connections Monitor
• Viewing CPU Monitor
• Viewing Process Monitor
• What is Packet Monitor?

3G/4G/Modem

NOTE: For information on configuring wireless WAN (WWAN) settings, see Configuring WWAN Settings.

This describes how to configure the dialup settings for SonicWall SmartPath (SP) and SmartPath ISDN (SPi) appliances. SonicWall SP appliances have a WAN Failover feature that enables automatic use of a built-in modem to establish Internet connectivity when the primary broadband connection becomes unavailable. This is ideal when the SonicWall appliance must remain connected to the Internet, regardless of network speed.
This contains the following:
• Configuring the Modem Profile
• Configuring Modem Settings
• Configuring Advanced Modem Settings

WWAN

This describes how to configure the Wireless Wide Area Network (WWAN) settings for SonicWall security appliances that use 3G and other Wireless WAN functionality to utilize data connections over cellular networks. This contains the following:
• About Wireless WAN
• Configuring the Connection Profile
• Configuring WWAN Settings
• Configuring Advanced Settings

SonicPoint

This describes how to configure SonicPoint managed secure wireless access points. This includes the following:
• Managing SonicPoints
• Viewing Station Status
• Using and Configuring SonicPoint IDS
• Using and Configuring Virtual Access Points
• Configuring the RF Monitor
• Configuring FairNet

Wireless

This describes how to configure wireless connectivity options for wireless SonicWall appliances. Included in this are the following:
• Configuring General Wireless Settings
• Configuring Wireless Security Settings
• Configuring Advanced Wireless Settings
• Configuring MAC Filter List Settings
• Configuring Intrusion Detection Settings
• Configuring Wireless Virtual Access Points

WGS

This describes how to configure Wireless Guest Services (WGS) enabled appliances running SonicOS Standard. For appliances running SonicOS Standard, these configuration options are available at the unit level. Wireless Guest Services allows the administrator to configure wireless access points for guest access. Wireless Guest Services is configured with optional custom login pages and user accounts, and is compatible with several different authentication methods, including those which require external authentication.

Firewall

This describes how to configure Access Rules and App Control policies for SonicWall firewalls from the GMS management interface.
This includes the following sections:
• Configuring Access Rules
• App Control Overview
• Configuring App Rules
• Configuring App Control Advanced Policies
• Configuring Address Objects
• Configuring Match Objects
• Configuring Action Objects
• Configuring Service Objects
• Configuring Email Address Objects
• Configuring Bandwidth Objects
• Configuring Content Filter Objects
• Use Cases

Firewall Settings

The Firewall settings in SonicWall GMS are different for SonicWall security appliances running SonicOS Enhanced and SonicOS Standard. The following describe how to configure Firewall settings for each of the operating systems:
• Understanding the Network Access Rules Hierarchy
• Configuring Firewall Settings in SonicOS Enhanced
• Configuring Firewall Settings in SonicOS Standard

DPI-SSL

This describes the Deep Packet Inspection Secure Sockets Layer (DPI-SSL) feature, which allows inspection of encrypted HTTPS traffic and other SSL/TLS-based traffic. Client DPI-SSL is used to inspect HTTPS traffic when clients on the SonicWall firewall appliance’s LAN access content located on the WAN. Server DPI-SSL is used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the SonicWall firewall appliance’s LAN. This contains the following:
• DPI-SSL Overview
• Configuring Client SSL
• Configuring Server SSL

Capture ATP

Capture Advanced Threat Protection (ATP) is sold as an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV). Capture ATP helps a firewall identify whether a file is malicious by transmitting the file to the cloud, where the SonicWall Capture ATP service analyzes the file to determine if it contains a virus or other malicious elements. Capture ATP then sends the results to the firewall. This is done in real time while the file is being processed by the firewall. This contains the following:
• About Capture ATP
• Viewing Capture ATP Status

VoIP

This describes the Voice over IP (VoIP) feature.
This contains the following:
• Configuring Voice over IP Settings

Anti-Spam

This provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and anti-virus capabilities to your SonicWall firewall appliance. There are two primary ways inbound messages are analyzed by the Anti-Spam feature: Advanced IP Reputation Management and Cloud-based Advanced Content Management. IP Address Reputation uses the GRID Network to identify the IP addresses of known spammers and reject any mail from those senders without even allowing a connection. GRID Network Sender IP Reputation Management checks the IP address of incoming connection requests against a series of lists and statistics to ensure that the connection has a probability of delivering valuable email. The lists are compiled using the collaborative intelligence of the SonicWall GRID Network. Known spammers are prevented from connecting to the SonicWall firewall appliance, and their junk email payloads never consume system resources on the targeted systems. This includes the following:
• Activating Anti-Spam
• Configuring Anti-Spam Settings
• Configuring Anti-Spam Real-Time Black List Filtering

VPN

This covers how to create VPN policies on the SonicWall firewall appliance to support SonicWall Global VPN Clients, as well as how to create site-to-site VPN policies for connecting remote offices running SonicWall firewall appliances. A VPN is a private data network that uses encryption technologies to operate over public networks. This contains the following:
• VPN SA Management Overview
• Viewing the VPN Summary
• Configuring VPN Settings
• Configuring VPNs in SonicOS Enhanced
• Configuring VPNs in SonicOS Standard
• Setting up the L2TP Server
• Monitoring VPN Connections
• Management of VPN Client Users
• VPN Terms and Concepts
• Using OCSP with SonicWall Security Appliances

SSL VPN

This provides information on how to configure the SMA features on SonicWall SMA appliances. SonicWall’s SMA features provide secure, seamless, remote access to resources on your local network using the NetExtender client. This contains the following:
• SSL VPN NetExtender Overview
• SSL VPN > Server Settings
• SSL VPN > Portal Settings
• SSL VPN > Client Settings
• SSL VPN > Client Routes
• Configuring Virtual Office
• Remote Access EPC

Virtual Assist

Virtual Assist allows support staff to resolve customer technical issues without having to be on-site with the customer. This capability is an immense time-saver for support personnel, while adding flexibility in how they can respond to support needs. This contains the following:
• Configuring Virtual Assist Settings

Users

This covers how to configure the SonicWall firewall appliances for user-level authentication as well as how to manage guest services, and describes how to use GMS to configure user and user access settings.
Included in this are the following:
• Configuring Users in SonicOS Enhanced
• Configuring Users in SonicOS Standard

Web Filters

SonicWall Content Security Manager (CSM) CF provides appliance-based Internet filtering that enhances security and employee productivity, optimizes network utilization, and mitigates legal liabilities by managing access to objectionable and unproductive Web content. This provides configuration tasks for deploying these services.

High Availability

This describes how to use GMS to configure High Availability, which allows the administrator to specify a primary and a secondary SonicWall appliance. If the connection to the primary device fails, connectivity transfers to the backup device. In addition, SonicWall GMS can use the same device-pairing technology to implement different forms of load balancing. Load balancing helps regulate the flow of network traffic by splitting that traffic between the primary and secondary SonicWall devices. This includes the following:
• About High Availability
• About Active/Standby HA
• About Stateful Synchronization
• About Active/Active DPI HA
• Active/Standby and Active/Active DPI Prerequisites
• About Active/Active Clustering
• Active/Active four-unit cluster
• Active/Active two-node cluster
• Configuring High Availability
• Configuring Advanced High Availability Settings
• Monitoring High Availability
• Verifying High Availability Status

Security Services

This includes an overview of available SonicWall Security Services as well as instructions for activating the services, including FREE trials. These subscription-based services include SonicWall Gateway Anti-Virus, SonicWall Intrusion Prevention Service, SonicWall Content Filtering Service, SonicWall Client Anti-Virus, as well as other services. SonicWall firewall appliances offer several services for protecting networks against viruses and attacks. This provides concept overviews and configuration tasks for deploying these services.
This contains the following:
• Configuring Security Services Settings
• Configuring SonicWall Network Anti-Virus
• Configuring the SonicWall Content Filter Service
• Configuring the SonicWall Intrusion Prevention Service
• Configuring the SonicWall RBL Filter
• Configuring the SonicWall Gateway Anti-Virus
• Configuring the SonicWall Anti-Spyware Service
• Configuring Geo-IP Filters
• Configuring Botnet Filters

Content Filter

This describes how to use GMS to configure content filtering options for one or more SonicWall appliances. This functionality can be used to deny access to material supplied by the active content filtering subscription, to specific domains, to domains by keyword, and to Web features such as ActiveX, Java, and cookies. This includes the following:
• Security Services > Content Filter
• About CFS 4.0
• Enabling CFS
• Configuring a Custom List
• Configuring Content Filtering Policies
• Configuring the CFS Exclusion List
• Configuring the CFS IP Address Range
• Configuring CFS Custom Category
• Blocking Web Features
• N2H2 and Websense Enterprise Content Filtering

WAN Acceleration

This describes how to view and configure the WAN Acceleration service.
• Viewing the WAN Acceleration Status
• Configuring TCP Acceleration
• Configuring WFS Acceleration
• Configuring the Web Cache

Flow Activity

This describes how to configure the Flow Activity feature and contains the following:
• Configuring Flow Activity

NOTE: This feature is only available for SonicWall security appliances running SonicOS 6.1 and higher firmware.

Log

This covers managing the SonicWall firewall appliance’s logging, alerting, and reporting features. The SonicWall firewall appliance’s logging features provide a comprehensive set of log categories for monitoring security and network activities. This describes how to use GMS to configure where the SonicWall appliance(s) send their logs, how often the logs are sent, and what information is included. This includes the following:
• Configuring Log Settings
• Configuring Log Categories
• Configuring Name Resolution

Register/Upgrades

This describes how to register and upgrade your SonicWall firewall appliances. This contains the following:
• Registering SonicWall Appliances
• Upgrading Firmware
• Upgrading Licenses
• Searching
• Creating License Sharing Groups
• Viewing Used Activation Codes

Events

This provides an introduction to the SonicOS Event Alerts feature. This contains the following:
• Adding Alerts
• Enabling/Disabling Alerts
• Deleting Alerts
• Editing Alerts
• Current Alerts

Introduction to SMA Policies

This provides instructions for modifying the general status and tools for SonicWall SMA platforms. To modify the general status and tools of an SMA appliance using SonicWall GMS, click the SMA tab at the top of the screen, then select the Policies subtab. In the center pane, select General. You will see the options Status, Tools, and Info.

System
• The System > Status section provides the current status of the SMA appliance and allows for an instant update of appliance information using Fetch Information.
• The System > Tools section provides the following options: Restart Appliance, Synchronize Now, and Synchronize the Appliance with mysonicwall.com. NOTE: The Restart Appliance option is not available for SonicWall Aventail SMA appliances.
• The System > Info section provides the ability to update the contact information for the SMA appliance.

Register/Upgrades
• The Register/Upgrades > Register SonicWalls screen provides the ability to register SMA appliances with your mysonicwall.com account. NOTE: Registering SonicWall Aventail SMA appliances from GMS is not supported.

Events
• The Events > Alert Settings screen allows you to add, edit, or delete a Unit Status alert for managed SMA appliances.
• The Events > Current Alerts screen displays all active alerts for this appliance.

Introduction to Email Security Policies

After a SonicWall Email Security appliance has been added to SonicWall GMS, the unit can be managed through the ES Policies panel.

System
• The System > Status window displays both general deployment status and individual appliance status for Email Security appliances.
• The System > Tools section provides options to force your SonicWall ES appliance to synchronize its license and subscription information with MySonicWall.com immediately.
• The System > Info screen allows you to edit Email Security appliance information at the global or unit level.

Register/Upgrades
• The Register/Upgrades > Register ESA screen provides the ability to register ESA appliances with your mysonicwall.com account.

Events
• The Events > Alert Settings screen allows you to add, edit, or delete a Unit Status alert for managed ES appliances.
• The Events > Current Alerts screen displays all active alerts for this appliance.

Configuring Firewall System Settings

This details the SonicWall™ Global Management System (GMS) management interface and configuration procedures for the Policies > System pages and includes the following:
• Viewing System Status
• Configuring Administrator Settings
• Editing Management Settings
• Configuring SNMP
• Configuring Time Settings
• Configuring Schedules
• Using Configuration Tools
• Configuring Contact Information
• Configuring System Settings

Viewing System Status

The System Status page provides a comprehensive collection of information to help you manage your SonicWall security appliances and SonicWall Security Services licenses. In the global view mode, it provides a summary of all of the devices that are managed by the SonicWall GMS, including the number of appliances, whether the appliances are up or down, and the number of security services subscriptions. To view a summary of all devices managed by the GMS, click the Change View icon at the top left and select GlobalView. Expand the System tree in the middle panel, and click on Status. The Status page displays.

At the individual appliance level, the Status page provides more details such as the serial number, firmware version, and information on management, reporting, and security service subscriptions. To view a summary of the status of an individual appliance, select the appliance in the left pane, and then click System > Status in the navigation pane. The Status page displays.

If tasks are pending for the selected unit, GMS provides a hyperlink that takes the user to the Tasks screen for that unit. Also in System > Status, GMS displays the Last Log Entry for the unit with a hyperlink that takes the user to the unit’s Logs screen. The links are provided only if the user actually has permissions to access those screens on the Console tab. In the Subscription section header, GMS provides a click here for details link that displays your current subscription details on the Register/Upgrades > Search screen. The search parameters are pre-populated to retrieve the subscription services that are currently active on the appliance(s); the search is executed and the results are sorted by Expiry Date for your convenience. This page provides a PDF icon that you can click to get a PDF file containing the same content as the Web page.

At the bottom of the status screen, GMS provides a way to retrieve dynamic information about the selected appliance, and also provides a link to the GMS Getting Started Guide. You can click the Fetch Information link to view the following dynamic information:
• Firewall UpTime since Last Reboot
• Last Modified Time and the user who last modified the appliance
• Modem speed and active profile used (only for dial-up appliances)

You can retrieve this information by clicking Fetch Information at the global, group, or unit level. The actual results, however, are displayed only at the unit level. To view the SonicWall GMS Getting Started Guide, click Open Getting Started Instructions In New Window.

Configuring Administrator Settings

System > Administrator

The System > Administrator page provides settings for the configuration of the SonicWall security appliance for secure local and remote management. These settings affect both GMS and other administrators. To change administrator settings on one or more SonicWall appliances, complete the following steps:

1 Expand the System tree and click Administrator. The Administrator page displays.

Firewall Name

2 The firewall name is displayed. This field is read-only and cannot be configured from GMS.
3 An option is available to Auto-Append HA/Clustering suffix to Firewall Name. To make the primary and secondary firewalls easier to recognize in the Log Monitor, this automatically appends an appropriate suffix to the firewall name in Dashboard > Log Monitor:
• Primary
• Secondary
• Primary Node
• Secondary Node
This option is not selected by default.
4 Enter the firewall’s Domain Name. It can be a private name for internal users or an externally registered domain name. This domain name is used in conjunction with the User Web Login Settings on the Users > Settings page for user-authentication redirects.

Administrator Name

5 Enter the login name for the administrator in the Administrator Login Name field.

Login Security

6 Specify the maximum number of days after which a password expires and must be updated in the Password must be changed every (days) field.
7 Specify the number of previous passwords that are remembered and that a new password cannot match in the Bar repeated passwords for this many changes field.
8 Select New password must contain 4 characters different from the old password to require that a changed password differ from the old one in at least four characters.
9 Specify the minimum password length in the Enforce a minimum password length of field.
10 Select the level of password complexity from the Enforce Password Complexity pull-down list. You can select one of the following:
• None
• Require both alphabetic and numeric characters
• Require alphabetic, numeric and symbolic characters
After the password complexity is chosen, enter the minimum number of each character class that a password must contain:
• Upper Case Characters
• Lower Case Characters
• Numeric Characters
• Symbolic Characters
The appliance password should comply with the selected password complexity. Otherwise, the appliance password has to be set manually from the appliance’s own web interface.
11 Select Administrators to apply these password constraints only to full and read-only administrators.
12 Select Other full administrators to apply these password constraints to all administrators with local passwords.
13 Select Limited administrators to apply these password constraints to all local users with limited administrator privileges.
14 Select Other local users to apply these password constraints only to non-administrator users.
15 Specify how long the SonicWall appliance(s) wait (in minutes) before logging out inactive administrators in the Log out the Administrator after inactivity of field.
16 To lock out the SonicWall appliance after user login failures, select Enable administrator/user lockout. Then, specify the number of failed login attempts that must occur before the user is locked out in the Failed login attempts per minute before lockout field, and how long the user is locked out in the Lockout Period field.
17 Indicate the Max login attempts through CLI. This specifies the number of incorrect login attempts from the command line interface (CLI) within a one-minute time frame that triggers a lockout. The minimum is 1, the maximum is 9999, and the default is 5.

Multiple Administrators

18 Under the Multiple Administrators section, the On preemption by another administrator setting configures what happens when one administrator preempts another administrator using the Multiple Administrators feature. The preempted administrator can either be converted to non-config mode or logged out. Configure the following options:
• Drop to non-config mode - Moves the preempted administrator to non-configuration mode.
• Log out - Logs out the preempted administrator. NOTE: Selecting Log Out disables Non-Config mode and prevents entering Non-Config mode manually.
• Allow preemption by a lower priority administrator after inactivity of (minutes) - Enter the number of minutes of inactivity by the current administrator after which a lower-priority administrator is allowed to preempt. The default is 10 minutes.
• Enable inter-administrator messaging - Select to allow administrators to send text messages through the management interface to other administrators logged into the appliance. The message appears in the browser’s status bar.
• Enable Multiple Administrator Roles – Enables access by System Administrators, Cryptographic (Crypto) Administrators, and Audit Administrators. This option is disabled by default. When this option is disabled, the three administrator roles cannot access the system, and all related user groups and information about them are hidden.
• Messaging polling interval (seconds) - Sets how often the administrator’s browser checks for inter-administrator messages. If multiple administrators are likely to need access to the appliance, set this to a reasonably short interval to ensure timely delivery of messages. The default is 10 seconds.

Enhanced Audit Logging Support

In the Enhanced Audit Logging Support section:
• Enable Enhanced Audit Logging – Enables logging of all configuration changes in the Log > Log Monitor page. Each log entry contains the parameter that was changed and the user name that changed it.

Web Management Settings

In the Web Management Settings section:
19 If you wish to use HTTP management, Allow management via HTTP lets the administrator enable or disable HTTP management globally. Plain HTTP carries the administrator login and session in the clear, so leave this option disabled unless you have a specific need for it and manage the appliance over HTTPS instead.
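As an added example, not from the SonicWall guide: a small Python model of the Login Security rules from steps 6 to 17 above (minimum length, complexity classes, password history, the four-characters-different rule, and the failed-attempts-per-minute lockout), so the effect of each setting can be checked against candidate passwords and login attempts before the settings are pushed to appliances. The class names and defaults, and the reading of "four characters different" as at least four characters in the new password that do not occur in the old one, are assumptions; the sample passwords and timestamps are constructed.

```python
"""Reference model of the Login Security settings on System > Administrator.

Added example, not SonicWall code. Class names, defaults, and the reading of
'four characters different' are assumptions; sample data is constructed.
"""
import string
from collections import defaultdict, deque

COMPLEXITY_NONE = "none"
COMPLEXITY_ALPHA_NUMERIC = "alphabetic+numeric"
COMPLEXITY_ALPHA_NUMERIC_SYMBOLIC = "alphabetic+numeric+symbolic"


class PasswordPolicy:
    def __init__(self, min_length=8, complexity=COMPLEXITY_ALPHA_NUMERIC_SYMBOLIC,
                 upper=1, lower=1, numeric=1, symbolic=1,
                 history=3, four_different=True):
        self.min_length = min_length            # Enforce a minimum password length of
        self.complexity = complexity            # Enforce Password Complexity
        self.required = {"upper": upper, "lower": lower,
                         "numeric": numeric, "symbolic": symbolic}
        self.history = history                  # Bar repeated passwords for this many changes
        self.four_different = four_different    # New password must contain 4 characters different

    @staticmethod
    def _counts(pw):
        return {"upper": sum(c.isupper() for c in pw),
                "lower": sum(c.islower() for c in pw),
                "numeric": sum(c.isdigit() for c in pw),
                "symbolic": sum(c in string.punctuation for c in pw)}

    def violations(self, new, old, previous=()):
        """Rules the candidate password breaks; an empty list means it is accepted.
        `previous` lists earlier passwords, oldest first (a real system would keep
        hashes rather than plaintext)."""
        v = []
        if len(new) < self.min_length:
            v.append("too short")
        n = self._counts(new)
        if self.complexity == COMPLEXITY_ALPHA_NUMERIC:
            if not (n["upper"] + n["lower"]) or not n["numeric"]:
                v.append("needs alphabetic and numeric characters")
        elif self.complexity == COMPLEXITY_ALPHA_NUMERIC_SYMBOLIC:
            for cls, need in self.required.items():
                if n[cls] < need:
                    v.append(f"needs at least {need} {cls} character(s)")
        recent = (list(previous) + [old])[-self.history:] if self.history else []
        if new in recent:
            v.append("matches a recent password")
        # Assumption: at least four characters of the new password must not occur in the old one.
        if self.four_different and len(set(new) - set(old)) < 4:
            v.append("fewer than 4 characters differ from the old password")
        return v


class LockoutTracker:
    """Per-account failed-login counter over a sliding one-minute window.
    `now` is a timestamp in seconds, passed in so the logic is deterministic."""

    def __init__(self, failures_per_minute=5, lockout_minutes=5):
        self.threshold = failures_per_minute    # Failed login attempts per minute before lockout
        self.lockout_seconds = lockout_minutes * 60   # Lockout Period
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Return True if the account is (now) locked out."""
        if self.is_locked(user, now):
            return True
        window = self._failures[user]
        window.append(now)
        while window and now - window[0] >= 60:   # drop attempts older than one minute
            window.popleft()
        if len(window) >= self.threshold:
            self._locked_until[user] = now + self.lockout_seconds
            window.clear()
            return True
        return False

    def record_success(self, user, now):
        """A successful login resets the counter but never unlocks a locked account."""
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        return True


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.violations("Password2!", "Password1!"))
    guard = LockoutTracker(failures_per_minute=3, lockout_minutes=1)
    print([guard.record_failure("admin", t) for t in (0, 10, 20)])
```

The same LockoutTracker, with failures_per_minute set to the Max login attempts through CLI value, models the CLI lockout of step 17, since the guide describes it as the same one-minute window.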

Managing Tooltips

GMS includes embedded tooltips for many elements in the GMS UI. These tooltips are small pop-up windows that are displayed when you hover your mouse over a UI element; they provide brief information describing the element. Tooltips are displayed for many forms, buttons, table headings and entries.

NOTE: Not all UI elements have tooltips. If a tooltip does not display after you hover your mouse over an element for a couple of seconds, you can safely conclude that it does not have an associated tooltip.

When applicable, tooltips display the minimum, maximum, and default values for form entries. These entries are generated directly from the GMS firmware, so the values are correct for the specific platform and firmware combination you are using. Tooltips are enabled by default. To disable tooltips, clear Enable Tooltip. You can configure the delay before tooltips display:
• Form Tooltip Delay - Duration in milliseconds before tooltips display for forms (boxes where you enter text). The default is 2000 ms.
• Button Tooltip Delay - Duration in milliseconds before tooltips display for radio buttons and checkboxes. The default is 3000 ms.
• Text Tooltip Delay - Duration in milliseconds before tooltips display for UI text. The default is 500 ms.

Enforcing TLS

GMS supports versions 1.1 and 1.2 of the Transport Layer Security (TLS) protocol. To enforce the use of TLS versions 1.1 and above, select Enforce TLS 1.1 and Above. Note that TLS 1.1 has since been deprecated (RFC 8996); use management clients that support TLS 1.2 so the connection is not negotiated down to TLS 1.1.

Client Certificate Check

20 On the System > Administration page, the Client Certificate Check section enables you to configure certificate verification with or without a Common Access Card (CAC).

About Common Access Card

A Common Access Card (CAC) is a United States Department of Defense (DoD) smart card used by military personnel and other government and non-government personnel who require highly secure access over the internet. A CAC uses PKI authentication and encryption.

NOTE: Using a CAC requires an external card reader connected on a USB port.

The Client Certificate Check was developed for use with a CAC; however, it is useful in any scenario that requires a client certificate on an HTTPS/SSL connection. CAC support is available for client certification only on HTTPS connections.

NOTE: CACs may not work with browsers other than Microsoft Internet Explorer.

Options

NOTE: By default, all options are disabled and unavailable.

• Enable Client Certificate Check – Enables or disables client certificate checking and CAC support on the SonicWall security appliance. If you enable this option, all other options become available.
• Enable Client Certificate Cache – Activates the certificate cache, which expires 24 hours after being enabled.
• User Name Field – Specifies the certificate field from which the user name is obtained:
  • Subject: Common Name (default)
  • Sub Alt: Email
  • Sub Alt: Microsoft Universal Principal Name
• Client Certificate Issuer – Lists the Certification Authority (CA) certificate issuers available to sign the client certificate. The default is ComSign CA.
NOTE: If the appropriate CA is not listed, you need to import that CA into the SonicWall security appliance.
• CAC user group memberships retrieve method – Select how to obtain the CAC user group membership and, thus, determine the correct user privilege:
  • Local Configured (default) – If selected, you should create local user groups with proper memberships.
  • From LDAP – If selected, you need to configure the LDAP server on the Users > Settings page.
• Enable OCSP Checking – Enables or disables the Online Certificate Status Protocol (OCSP) check for the client certificate, which verifies that the certificate is still valid and has not been revoked. When this option is enabled, the OCSP Responder URL field displays.
• OCSP Responder URL – Enter the URL of the OCSP server that verifies the status of the client certificate. The OCSP Responder URL is usually embedded inside the client certificate and does not need to be entered. If the client certificate does not have an OCSP link, you can enter the URL here. The link should point to the Common Gateway Interface (CGI) on the server side that processes the OCSP check. For example: http://10.103.63.251/ocsp.
• Enable periodic OCSP Check – Enables or disables a periodic OCSP check for the client certificate to verify that the certificate is still valid and has not been revoked.
• OCSP check interval 1~72 (in hours) – Enter the interval between OCSP checks, in hours. The minimum interval is 1 hour, the maximum is 72 hours, and the default is 24 hours.

Using the Client Certificate Check

If you use the Client Certificate Check without a CAC, you must manually import the client certificate into the browser. If you use the Client Certificate Check with a CAC, the client certificate is automatically installed on the browser by middleware.

When you begin a management session through HTTPS, the certificate selection window displays, asking you to confirm the certificate. After you select the client certificate from the drop-down menu, the HTTPS/SSL connection resumes, and the SonicWall security appliance checks the Client Certificate Issuer to verify that the client certificate is signed by the CA. If a match is found, the administrator login page displays. If no match is found, the browser displays a standard browser connection failure message, such as:
.....cannot display web page!

If OCSP is enabled, the browser performs an OCSP check before the administrator login page displays, and shows the following message while checking:
Client Certificate OCSP Checking.....

If a match is found, the administrator login page displays, and you can use your administrator credentials to continue managing the SonicWall security appliance. If no match is found, the browser displays the following message:
OCSP Checking fail! Please contact system administrator!

Troubleshooting User Lock Out

When using the client certificate feature, these situations can lock the user out of the SonicWall security appliance:
• Enable Client Certificate Check is checked, but no client certificate is installed on the browser.
• Enable Client Certificate Check is checked and a client certificate is installed on the browser, but either no Client Certificate Issuer is selected or the wrong Client Certificate Issuer is selected.
• Enable OCSP Checking is enabled, but either the OCSP server is not available or a network problem is preventing the SonicWall security appliance from accessing the OCSP server.

To restore access to a user who is locked out, the following CLI commands are provided:
• web-management client-cert disable
• web-management ocsp disable

Certificate expire checking settings

• Enable periodic certificate expiration check – Activates periodic checks of the certificate's expiration. When enabled, the Certificate expiration alert interval option becomes available.
• Certificate expiration alert interval: 1 - 168 (in hours) – Sets the interval between certificate checks, in hours. The minimum time is 1 hour, the maximum is 168 hours, and the default is 168.

Download URL

21 The Download URL section provides fields for specifying the URL of a site from which to download the SonicPoint images. SonicOS Enhanced 5.0 and higher does not contain an image of the SonicPoint firmware. If your SonicWall appliance has Internet connectivity, it automatically downloads the correct version of the SonicPoint image from the SonicWall server when you connect a SonicPoint device. If your SonicWall appliance does not have Internet access, or has access only through a proxy server, you must manually specify a URL for the SonicPoint firmware. You do not need to include the http:// prefix, but you do need to include the filename at the end of the URL. The filename should have a .bin extension.

CAUTION: It is imperative that you download the SonicPoint image that corresponds to the SonicOS firmware version running on your SonicWall network security appliance. The MySonicWall.com (www.MySonicWall.com) Web site provides information about the corresponding versions. When upgrading your SonicOS firmware, be sure to upgrade to the correct SonicPoint image.

22 Select the type of image or images to download by clicking the appropriate checkbox and entering the image download location in the associated field:
• Manually specify SonicPoint-N image URL (http://)
• Manually specify SonicPoint-Ni/Ne image URL (http://)
• Manually specify SonicPoint-NDR image URL (http://)
• Manually specify SonicPoint-ACe/ACi/N2 image URL (http://)

Change the Administrator Password

23 Select from the following options to change the SonicWall appliance password(s):
• If you are configuring a SonicWall appliance at the unit level, enter and reenter the new SonicWall password. Then, enter the GMS password and click Change Password. The password is changed.
• If you are configuring a SonicWall appliance at the group or global level, enter the GMS password and click Change Password. Each SonicWall appliance receives a unique, randomly generated password. This unique password is encrypted and recorded in the GMS database.
At the non-unit level, passwords can be configured in two ways:
• GMS can assign random passwords to the appliances (recommended for security purposes).
• The user can specify a single password that is assigned to all the appliances in the node (not recommended).
To have GMS assign random passwords, leave the New SonicWall Password and Confirm New SonicWall Password fields empty.
NOTE: The unique encrypted password is also written into a file in /etc/. The filename format is Prefs.pwd; each file contains the old and the new password for the SonicWall appliance. The file is overwritten every time the password for the SonicWall appliance is changed. The encryption is base64.
24 When you are finished, click Update. A task is spooled and, after it executes successfully, the settings are updated for the selected SonicWall appliances.
25 To clear all screen settings and start over, click Reset.

Editing Management Settings

To edit the remote management settings for a SonicWall security appliance, complete the following steps:
1 Expand the System tree and click System > Management. The Management page displays.

CAUTION: Changing the management parameters can cause units to be disconnected from GMS.
2 Enter the port number for HTTP connections in the HTTP Port field.
3 To enable HTTPS access to the appliance, select Enable HTTPS Access to the unit and enter the port number in the HTTPS Port field. For the SonicWall Aventail appliance, use port 8443 for HTTPS access.
4 The Certificate Common Name field defaults to the SonicWall LAN Address. This allows you to continue using a certificate without downloading a new one each time you log into the appliance.
NOTE: To change the HTTP or HTTPS ports for SonicOS Enhanced units, go to the Firewalls > Service Objects screen and edit the corresponding service object.
5 Specify whether the appliance is to be managed by GMS or a VPN client in the Enable Management Using pull-down menu.
6 Enter the IP address or host name of the GMS server in the GMS HostName or IPAddress field.
7 Enter the syslog server port (default: 514) in the GMS Syslog Server Port field.
8 If the GMS is behind a device doing Network Address Translation (NAT), select GMS behind NAT Device and enter the IP address in the NAT Device IP Address field.
9 If the appliance is managed over an existing VPN tunnel, select GMS on VPN (No SA Required).
10 Enable Out of Band Management on the management port to enable the automatic creation of a management interface address object for the MGMT interface, which works as an out-of-band interface, and to configure a route policy for the newly created address object.
NOTE: To avoid conflicts when deleting and creating route policies, updating this option to create a management interface address object and configure the route policy causes a system reboot.
This management interface provides a trusted interface to the management appliance. Network connections to this interface are very limited. If the NTP, DNS, and SYSLOG servers are configured in the MGMT subnet, the appliance uses the MGMT IP as the source IP and creates the MGMT address object and route policies automatically. All traffic from the management interface is routed by this policy. Created routes display on the Network > Routing page. The MGMT address object and route policies are created and updated for the IPv4 management IP. Because the IPv6 management IP address object is created by default, this feature does not apply to IPv6 management IP address object creation.
11 To minimize the amount of syslog traffic between the GMS and the SonicWall security appliance, select Send Heartbeat Status Messages Only. Use this option if you do not need the data to generate reports in GMS. When you check this setting, the unit only sends heartbeat (m=96) messages that tell GMS that the unit is alive. Click Change.
12 To allow users on the LAN interface to ping the appliance to verify that it is online, select Enable Ping from LAN/WorkPort to management interface. Click Change.
13 To allow GMS administrators to preempt users who are logged in directly to the SonicWall security appliance, select Allow GMS to preempt a logged in administrator.
14 If you have configured security associations on the appliance, the Security Association Information section displays at the bottom of the Management page. Enter the SA keys in the Encryption Key and Authentication Key fields and click Change Only SA Keys.

ONE-TOUCH CONFIGURATION OVERRIDES

The One-Touch Configuration Overrides feature is configured on the System > Management page. It can be thought of as a quick tune-up for your SonicWall network security appliance's security settings. With a single click, One-Touch Configuration Override applies over sixty configuration settings to implement SonicWall's recommended best practices. These settings ensure that your appliance is taking advantage of SonicWall's security features.

NOTE: A system restart is required for the updates to take full effect.

There is a set of One-Touch Configuration Overrides buttons:
• DPI and Stateful Firewall Security – For network environments with Deep Packet Inspection (DPI) security services enabled, such as Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, and App Rules.
• Stateful Firewall Security – For network environments that do not have DPI security services enabled, but still want to employ SonicWall's stateful firewall security best practices.

Both of the One-Touch Configuration Override deployments implement the following configurations:
• Configure Administrator security best practices
• Enforce HTTPS login and disable ping
• Configure DNS Rebinding
• Configure Access Rules best practices
• Configure Firewall Settings best practices
• Configure Firewall Flood Protection best practices
• Configure VPN Advanced settings best practices
• Configure Log levels
• Enable Flow Reporting and Visualization

The DPI and Stateful Firewall Security deployment also applies the following DPI-related configurations:
• Enable DPI services on all applicable zones
• Enable App Rules
• Configure Gateway Anti-Virus best practices
• Configure Intrusion Prevention best practices
• Configure Anti-Spyware best practices

To see exactly which settings are reconfigured, click the Preview applicable changes link next to each button. A page displays with a list of each setting and the value to which it will be set.

CAUTION: Be aware that the One-Touch Configuration Override may change the behavior of your SonicWall security appliance. Review the list of configurations before applying One-Touch Configuration Override. In particular, the following configurations may affect your experience:
• Administrator password requirements on the System > Administration page
• Requiring HTTPS management
• Disabling HTTP to HTTPS redirect
• Disabling Ping management

To apply One-Touch Configuration, complete the following steps:
1 Apply one-touch configuration overrides by clicking the DPI and Stateful Firewall Security or Stateful Firewall Security links. To view the changes that will be made for each link, click the Preview applicable changes link; a list of configuration changes displays. If you are currently connected using HTTP, you have to manually reconnect through HTTPS after the reboot.
2 When you have finished configuring remote management settings, click OK.

FIPS

When operating in FIPS (Federal Information Processing Standard) Mode, the SonicWall Security Appliance supports FIPS 140-2 compliant security. FIPS-compliant features of the SonicWall Security Appliance include a PRNG based on SHA-1, and only FIPS-approved algorithms are supported (DES, 3DES, and AES with SHA-1).

NOTE: FIPS in SonicOS 6.2.5.1 supports FIPS 2K certificate signing (112 bits of security strength; 2048-bit key) while maintaining backward compatibility with previous signature modes.

To enable FIPS and see a list of which of your current configurations are not allowed or are not present:
NOTE: The Enable FIPS Mode checkbox cannot be enabled at the same time as the Enable NDPP Mode checkbox, which is also on the Settings page.
1 Go to the Systems > Management page.
2 Scroll to the bottom to the FIPS section.
3 Select Enable FIPS Mode. The FIPS Mode Verification dialog appears with a list of your required and not allowed configurations.
4 If your SonicWall appliance:
• Complies with the checklist, go to Step 5.
• Does not comply with the checklist, manually change or disable settings to comply with the FIPS mode requirements.
TIP: Leave the checklist window open while you make the configuration changes. If you click OK before all required changes are complete, Enable FIPS Mode is cleared automatically upon closing the verification window. Select the checkbox again to see what configuration changes are still needed for FIPS compliance.
5 Click OK to reboot the security appliance in FIPS mode. A second warning displays.
6 Click Yes to continue rebooting.
To return to normal operation, clear Enable FIPS Mode and reboot the firewall in non-FIPS mode.
CAUTION: When using the SonicWall Security Appliance for FIPS-compliant operation, the tamper-evident sticker that is affixed to the SonicWall Security Appliance must remain in place and untouched.

NDPP

A SonicWall network security appliance can be enabled to be compliant with the Network Device Protection Profile (NDPP), but certain firewall configurations are not allowed or are required.

NOTE: NDPP is a part of Common Criteria (CC) certification. However, NDPP in GMS is not currently certified.

The security objectives for a device that claims compliance to a Protection Profile are defined as follows: Compliant TOEs (Targets Of Evaluation) will provide security functionality that addresses threats to the TOE and implement policies that are imposed by law or regulation. The security functionality provided includes protected communications to and between elements of the TOE; administrative access to the TOE and its configuration capabilities; system monitoring for detection of security-relevant events; control of resource availability; and the ability to verify the source of updates to the TOE.

You enable NDPP by selecting Enable NDPP Mode on the System > Settings page. Once you do this, a popup message displays with the NDPP mode setting compliance checklist. The checklist displays every setting in your current GMS configuration that violates NDPP compliance so that you can change these settings. You need to navigate around the GMS management interface to make the changes. The checklist for an appliance with factory default settings is shown in the following procedure.

To enable NDPP and see a list of which of your current configurations are not allowed or are not present:
NOTE: Enable NDPP Mode cannot be enabled at the same time as Enable FIPS Mode, which is also on the System > Settings page.
1 Go to the Systems > Management page.
2 Scroll to the bottom to the NDPP section.
3 Select Enable NDPP Mode. The NDPP Mode Setting Verification message appears with a list of your required and not allowed configurations.
4 If your SonicWall appliance:
• Complies with the checklist, go to Step 5.
• Does not comply with the checklist, manually change or disable settings to comply with the NDPP mode requirements.
TIP: Leave the checklist dialog open while you make the configuration changes. If you click OK before all required changes are complete, Enable NDPP Mode is cleared automatically upon closing the checklist dialog. Select the checkbox again to see what configuration changes are still needed for NDPP compliance.
5 Click OK or Cancel.

Configuring SNMP

This section describes how to configure Simple Network Management Protocol (SNMP) settings for one or more SonicWall appliances. The images in this section display the SonicOS 6.2.7 management interface. To configure the SNMP feature, refer to the following:
• SNMP
• Views Search
• Users and Groups Search
• Accesses Search

SNMP

To configure SNMP, complete the following steps:
1 Expand the System tree and click SNMP. The SNMP page displays.
2 Select Enable SNMP.
3 Click the Configure link.
4 Enter a name in the System Name field.
5 Enter the name of the administrator responsible for the SNMP server in the System Contact field.
6 Enter the location of the SNMP server in the System Location field.
7 Enter the asset number in the Asset Number text-field.
8 Enter the community name from which the SNMP server responds to Get requests in the Get Community Name field.
9 Enter the name of the administrator group that can view SNMP traps in the Trap Community Name field.
10 Enter the SNMP server IP addresses or hostnames in the Hosts 1-4 fields.
11 Click the Advanced tab.
12 If you wish to require SNMPv3 for your configuration, click Mandatorily Require SNMPv3. This disables SNMPv1/v2 and only allows access using SNMPv3, maximizing security for SNMP management.
13 Enter the Engine ID using hexadecimal characters.
14 When you are finished, click Update. A task is spooled and, after it executes successfully, the information is updated for each selected SonicWall appliance.
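Step 12 (Mandatorily Require SNMPv3) and step 13 (the hexadecimal Engine ID) are the two settings an operator most often wants to verify afterwards. The following Python script is an added example, not SonicWall or GMS code: it decodes only the outer BER layers of SNMP messages (the UDP/161 payloads from a packet capture) so that v1/v2c messages, whose community string travels in cleartext, and v3 messages below the authPriv level can be listed, and it checks that an Engine ID string is well-formed hexadecimal of 5 to 32 octets as RFC 3411 requires. The packets, the user name gmsmon and the Engine ID 80001f8880 are constructed for this example.

```python
"""Audit captured SNMP messages for community-based (v1/v2c) use.

Added example, not SonicWall or GMS code. It decodes only the outer BER
layers of an SNMP message: enough to report the version, the cleartext
community string of a v1/v2c message, or the security level of a v3
message. After enforcing "Mandatorily Require SNMPv3", running this over
the UDP/161 payloads of a capture confirms no v1/v2c traffic remains.
The packets and Engine ID below are constructed for this example.
"""


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("BER element runs past end of packet")
    return tag, value, pos + length


def _children(buf):
    """Decode every BER element held in a constructed value."""
    pos, items = 0, []
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        items.append((tag, value))
    return items


def classify_snmp(payload):
    """Describe one SNMP message (a UDP payload) and flag weak protection."""
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    fields = _children(body)
    if not fields or fields[0][0] != 0x02:
        raise ValueError("first field must be the INTEGER version")
    version = int.from_bytes(fields[0][1], "big", signed=True)
    if version in (0, 1):                       # SNMPv1 / SNMPv2c
        ctag, community = fields[1]
        if ctag != 0x04:
            raise ValueError("community field must be an OCTET STRING")
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("latin-1"),
                "level": "community",
                "weak": True}                   # community string travels in cleartext
    if version == 3:
        global_data = _children(fields[1][1])   # msgGlobalData SEQUENCE
        flags = global_data[2][1][0]            # msgFlags: bit0 auth, bit1 priv
        auth, priv = bool(flags & 0x01), bool(flags & 0x02)
        level = "authPriv" if auth and priv else "authNoPriv" if auth else "noAuthNoPriv"
        return {"version": "v3", "community": None, "level": level,
                "weak": level != "authPriv"}
    raise ValueError(f"unknown SNMP version {version}")


def audit_capture(payloads):
    """Return (index, version, level, community) for each message below SNMPv3 authPriv."""
    findings = []
    for index, payload in enumerate(payloads):
        info = classify_snmp(payload)
        if info["weak"]:
            findings.append((index, info["version"], info["level"], info["community"]))
    return findings


def engine_id_is_valid(hex_text):
    """Engine ID as typed into GMS: hex digits encoding 5 to 32 octets (RFC 3411)."""
    try:
        raw = bytes.fromhex(hex_text)
    except ValueError:
        return False
    return 5 <= len(raw) <= 32


# Constructed v2c GetRequest for sysDescr.0 with community "public".
SAMPLE_V2C = bytes.fromhex(
    "302902010104067075626c6963a01c02042b5d7f01020100020100"
    "300e300c06082b060102010101000500")
# Constructed v3 header: msgFlags 0x07 (auth + priv + reportable), USM user
# "gmsmon", Engine ID 80001f8880, followed by an opaque encrypted msgData.
SAMPLE_V3 = bytes.fromhex(
    "3036020103300e020101020300ffe3040107020103041b3019040580001f8880"
    "0201000201000406676d736d6f6e040004000404deadbeef")
# Same header with msgFlags 0x05 (auth + reportable, no privacy).
SAMPLE_V3_AUTHNOPRIV = SAMPLE_V3[:17] + b"\x05" + SAMPLE_V3[18:]

if __name__ == "__main__":
    for finding in audit_capture([SAMPLE_V3, SAMPLE_V2C, SAMPLE_V3_AUTHNOPRIV]):
        print("weak SNMP message:", finding)
```

The parser stops at the message header on purpose: the PDU and, for v3, the encrypted msgData are never interpreted, so the script can be run over a capture without any SNMP credentials. A v3 message at authNoPriv is still reported because its OID values cross the network unencrypted; only authPriv is treated as clean.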

VIEWS SEARCH

To search for and configure views, complete the following steps:
1 Click the Search drop-down list and select the search filters from the following:
• Name
• OID
• Equals
• Starts with
• Ends with
• Contains
2 Enter the criteria you wish to search for in the Views Search text-field.
3 Click Search. The results display in the Views Search list.
4 Click Add New View.
5 Enter a name for the new view in the View Name text-field.
6 Enter the OID that is associated with the new view in the text-field, then click Add OID. The new OID populates the OID list. To delete an OID, select it in the list and click Delete.
7 Click OK. The new View is added to the Views list.
8 Select or deselect Views from the list and edit them by clicking the Configure icon for the desired View. You can also delete views by selecting them from the list and then clicking the Delete Views link.

USERS AND GROUPS SEARCH

To search for and configure Users and Groups, complete the following steps:
1 Click the Search drop-down list and select the search filters from the following:
• Name
• Equals
• Starts with
• Ends with
• Contains
2 Enter the criteria you wish to search for in the User Groups Search text-field.
3 Click Search. The results display in the User Groups Search list.
4 Click the Add New Group link.
5 Enter a group name in the Group Name text-field.
6 Click OK. The new group is populated in the User/Group list.
7 Click the Add New User link.
8 Enter a new user name in the User Name text-field.
9 Select the desired security level from the Security Level drop-down menu:
• None
• Authentication Only
• Authentication and Privacy
10 Select the group type from the Group drop-down menu. There is a user group called "No Group"; this is not a physical group but a logical group that is used only to display the users in the management interface. This group cannot be used for operations such as searching and sorting.
11 Click OK. The new user is populated in the User/Group list.
12 Select or deselect users/groups from the list and edit them by clicking the Configure icon for the desired users/groups. You can also delete users/groups by selecting them from the list and then clicking the Delete Group(s) link.

ACCESSES SEARCH

To search for and configure Accesses, complete the following steps:
1 Click the Search drop-down list and select the search filters from the following:
• Name
• Read View
• Master Group
• Security Level
• Equals
• Starts with
• Ends with
• Contains
2 Enter the criteria you wish to search for in the Accesses Search text-field.
3 Click Search. The results display in the Accesses Search list.
4 Click the Add New Access link.
5 Enter a name for the new access in the Access Name text-field.
6 Click the Read View drop-down menu and select a view.
7 Click the Master SNMPv3 Group drop-down menu and select a group.
8 Click the Access Security Level drop-down menu and select the desired level:
• None
• Authentication Only
• Authentication and Privacy
9 Click OK. The new SNMP Access is populated in the Accesses list.
10 Select or deselect accesses from the list and edit them by clicking the Configure icon for the desired accesses. You can also delete accesses by selecting them from the list and then clicking the Delete Access(s) link.

Configuring Certificates

The Certificates dialog box displays details for Certificate Authority (CA) certificates and local certificates that you have imported or configured on your SonicWall appliance.

This section contains the following sub-sections:
• Navigating the System > Certificates Page
• About Certificates
• Configuring CA Certificates
• Importing New Local and CA Certificates
• Generating a Certificate Signing Request
• Configuring SCEP

NAVIGATING THE SYSTEM > CERTIFICATES PAGE

The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates.

View Style

The View Style menu allows you to choose which certificates are displayed. Options include:
• All Certificates – displays all certificates and certificate requests.
• Imported certificates and requests – displays all imported certificates and generated certificate requests.
• Built-in certificates – displays all certificates included with the SonicWall security appliance.
• Include expired and built-in certificates – displays all expired and built-in certificates.

Certificates and Certificate Requests

The Certificates and Certificate Requests table displays information about your certificates. Information and options include:
• Name – the name of the certificate.
• Type – the type of certificate, which can be CA or Local.
• Validated – the validation information.
• Expires – the date and time the certificate expires.
• Details – the details of the certificate. Moving the pointer over the MAGNIFYING GLASS icon displays the details of the certificate.
• Configure – Allows configuration with the following options:
  • Edit icon to make changes to the certificate
  • Delete icon to remove a certificate
  • Import icon to import either certificate revocation lists (for CA certificates) or signed certificates (for Pending requests)
• Import Certificate(s) – Import local end-user and CA certificates from specifically encoded files.
• New Signing Request – Create a new signing request directly from the GMS user interface.
• SCEP – Manage certificates using the Simple Certificate Enrollment Protocol (SCEP) standard.
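
The Expires column above is the value the periodic certificate expiration check (System > Administration, alert interval 1 to 168 hours, default 168) acts on. The following Python script is an added example, not GMS code, of that check applied to a list of certificates: it validates the alert interval against the stated 1 to 168 hour range, classifies each certificate as expired, inside the alert window, or fine, and orders the result so the most urgent certificate comes first. It assumes expiry dates are available in OpenSSL's text form ("Mar  2 00:00:00 2024 GMT"), which the standard library's ssl.cert_time_to_seconds() parses as UTC; the certificate names, dates and the fixed "now" are constructed for the example.

```python
"""Periodic certificate expiration check (added example, not GMS code).

Assumes each certificate's "Expires" value is available in OpenSSL's text
form ('%b %d %H:%M:%S %Y GMT'), which ssl.cert_time_to_seconds() parses as
UTC. The certificate names and dates below are constructed.
"""
import ssl

# Limits stated for "Certificate expiration alert interval: 1 - 168 (in hours)".
ALERT_INTERVAL_MIN_HOURS = 1
ALERT_INTERVAL_MAX_HOURS = 168
ALERT_INTERVAL_DEFAULT_HOURS = 168


def validate_alert_interval(hours):
    """Reject intervals outside the 1 to 168 hour range before using them."""
    if isinstance(hours, bool) or not isinstance(hours, int):
        raise ValueError("alert interval must be a whole number of hours")
    if not ALERT_INTERVAL_MIN_HOURS <= hours <= ALERT_INTERVAL_MAX_HOURS:
        raise ValueError(
            f"alert interval {hours} outside "
            f"{ALERT_INTERVAL_MIN_HOURS}-{ALERT_INTERVAL_MAX_HOURS} hours")
    return hours


def certificate_status(not_after, now, alert_hours=ALERT_INTERVAL_DEFAULT_HOURS):
    """Classify one certificate as 'expired', 'expiring' or 'ok'.

    Returns (status, hours_left); hours_left is negative once expired.
    """
    alert_hours = validate_alert_interval(alert_hours)
    hours_left = (ssl.cert_time_to_seconds(not_after) - now) / 3600
    if hours_left <= 0:
        return "expired", hours_left
    if hours_left <= alert_hours:
        return "expiring", hours_left
    return "ok", hours_left


def expiration_report(certs, now, alert_hours=ALERT_INTERVAL_DEFAULT_HOURS):
    """Return [(name, status, hours_left)] sorted so the most urgent comes first."""
    rows = [(name, *certificate_status(not_after, now, alert_hours))
            for name, not_after in certs.items()]
    return sorted(rows, key=lambda row: row[2])


def needs_attention(certs, now, alert_hours=ALERT_INTERVAL_DEFAULT_HOURS):
    """Names of certificates that are expired or inside the alert window."""
    return [name for name, status, _ in expiration_report(certs, now, alert_hours)
            if status != "ok"]


# Constructed sample: a fixed "now" and three certificates around it.
NOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2024 GMT")
SAMPLE_CERTS = {
    "gms-web-ui": "Mar  2 00:00:00 2024 GMT",     # 24 hours left
    "ldap-ca": "Feb 29 00:00:00 2024 GMT",        # expired a day ago
    "sonicpoint-ca": "Jun  1 00:00:00 2024 GMT",  # well outside the window
}

if __name__ == "__main__":
    for name, status, hours_left in expiration_report(SAMPLE_CERTS, NOW):
        print(f"{name:14} {status:8} {hours_left:8.1f} h")
```

The boolean exclusion in validate_alert_interval matters because True would otherwise pass as the integer 1; the sort on hours left puts already expired certificates (negative values) ahead of those merely inside the window.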

ABOUT CERTIFICATES

A digital certificate is an electronic means to verify identity by using a trusted third party known as a Certificate Authority (CA). SonicWall now supports third-party certificates in addition to the existing Authentication Service. SonicWall security appliances interoperate with any X.509v3-compliant provider of certificates. However, SonicWall security appliances have been tested with the following vendors of Certificate Authority certificates:
• Entrust
• Microsoft
• OpenCA
• OpenSSL and TLS
• VeriSign

CONFIGURING CA CERTIFICATES

To configure CA Certificates in this dialog box, complete the following steps:
1 From the Name list box, click a certificate.
2 Note the details, including the certificate name and subject, in the Details region.
3 Click Email Certificate if you want to send the certificate to a location by email.
4 Click Delete Certificate if you want to remove the certificate.
5 Specify the URL of the location of the Certificate Revocation List (CRL) in the CRL URL field. Then click CRL URL to launch the CRL.
6 To import a CRL, click Browse for the Import CRL field and navigate to the CRL. Then click Import CRL to import the CRL.
7 Click Invalidate Certificates and Security Association if CRL import or processing fails. This ensures safe cleanup of half-imported certificates when the CRL import process is interrupted.

IMPORTING NEW LOCAL AND CA CERTIFICATES

This option allows you to import pre-existing certificates stored locally. To import a certificate:
1 Click the Import Certificate link.
2 Choose between a local end-user certificate or a CA certificate.
3 (local only) Enter a name in the Certificate Name field.
4 (local only) Enter the password used to encrypt the certificate in the Certificate Management Password field.
5 Browse to the certificate location and Open the file.
6 Click Import to complete the process.

GENERATING A CERTIFICATE SIGNING REQUEST

NOTE: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.

To obtain a certificate, complete the following steps:
1 On the System > Certificates page, click the New Signing Request link.
2 Complete the information in the Generate Certificate Request section and click Generate Request. The request displays in the Current Certificate Requests section.
3 Click Export. You are prompted to save the file. It is saved in the PKCS 10 format.
4 Obtain a certificate from one of the approved certificate authorities using the PKCS 10 file.
5 After you receive the certificate file, locate and import the file by clicking Browse in the Import Certificate With Private Key section. Then click Import. The certificate appears in the Current Local Certificates section.

CONFIGURING SCEP

NOTE: SCEP configuration is supported at the appliance level.

The Simple Certificate Enrollment Protocol (SCEP) simplifies the process of issuing large numbers of certificates using an automatic enrollment technique. SCEP is supported for appliances running SonicOS Enhanced 5.5 or higher. To configure SCEP, complete the following steps:
1 On the System > Certificates page, click the SCEP link. The SCEP Configuration window displays.
2 Configure the following options for the SCEP configuration:
• CSR list – Select a certificate signing request (CSR) list if one has been uploaded.
• Challenge Password – (optional) Enter the password that is used to authenticate the enrollment request.
• CA URL – Enter the URL of the certificate authority.
• Request Count – The default is 256.
• Polling Interval(S) – The default is 30.
• Max Polling Time(S) – The default is 28800.
3 Click SCEP to apply the SCEP configuration.

Configuring Time Settings The Global Management System (GMS) user interface (UI) is similar to the standard SonicWall appliance UI. However, GMS offers the ability to push configuration settings to a single SonicWall appliance, a group of SonicWall appliances, or all SonicWall appliances being managed by the GMS. To change time settings on one or more SonicWall appliances, complete the following steps: 1 Expand the System tree and click Time. The Set Time page displays.

2 Select the Time Zone of the appliance(s) from the Time Zone field. 3 To configure the SonicWall(s) to automatically adjust their clocks for Daylight Savings Time, select Automatically Adjust Clock for Daylight Savings Changes. 4 To configure the SonicWall(s) to use Universal Time Coordinated (UTC) or Greenwich Mean Time (GMT) instead of local time, select Display UTC in Logs Instead of Local Time. 5 To configure the SonicWall(s) to display the time in the international time format, select Display Time in International Format. 6 To configure the SonicWall(s) to only use custom NTP servers, select Only use custom NTP servers. 7 Select from the following: • To manually configure the time and date, make sure Use NTP to set time automatically is deselected. The SonicWall appliance(s) automatically uses the time settings of the GMS agent. • To configure the SonicWall(s) to automatically set the local time using Network Time Protocol (NTP), select Use NTP to set time automatically, then set the update interval. 8 When you are finished, click Update. A task gets scheduled to apply the new settings for each selected appliance. 9 To clear all screen settings and start over, click Reset. NOTE: If you are not using NTP for the appliance, then GMS configures the time of the appliance to be identical to the time of the GMS Agent pushing the configuration to the appliance (after adjusting for any time zone differences). 10 If you do not want to use the SonicWall appliance's internal NTP list, you can add your own NTP list. To add an NTP server, click the Add NTP Server link. A pop-up window displays:

11 Enter the IP address or FQDN of the remote NTP server. A task is scheduled to add the NTP server to each selected SonicWall appliance.
12 From the NTP Server drop-down menu, select No Auth or MD5, depending on your deployment. If you selected an auth type, enter the trust key number, key number, and password.
13 Click OK. The newly added server is populated in the NTP Servers list. Multiple servers can be added by clicking Add NTP Server.
14 A search function is available for NTP Servers. Select your search criteria in the NTP Server Search section, then click Search. A list of servers that match your criteria displays. From here you can edit the server settings or delete unwanted servers from the list.

Configuring Schedules

You can configure schedule groups on the Policies panel, in System > Schedules. Schedule Groups are groups of schedules to which you can apply firewall rules. For example, you might want to block access to auction sites during business hours, but allow employees to access the sites after hours. You can apply rules to specific schedule times or to all schedules within a Schedule Group. For example, you might create an Engineering Work Hours group that runs from 11:00 AM to 9:00 PM, Monday through Friday, and 12:00 PM to 5:00 PM, Saturday and Sunday. After it is configured, you can apply specific firewall rules to the entire Engineering Work Hours Schedule Group or only to the weekday schedule.

To create a Schedule Group, complete the following steps:

1 Expand the System tree and click Schedules. The Schedules page displays.

2 To add a Schedule Group, click Add Schedule Group.

3 Enter the name of the Schedule Group in the Name field.
4 In the Schedule Type section, select whether the schedule occurs Once, Recurring, or Mixed.
NOTE: The one-time and mixed schedule types are only available for systems running SonicOS Enhanced 5.5 and newer.
5 For a schedule that occurs only once, select the year, month, date, hour, and minutes for the Start and End fields.
6 For recurring schedules, select the check boxes for each day the schedule applies.
7 Enter the start time for the recurring schedule in the Start Time field. Make sure to use the 24-hour format.
8 Enter the end time for the recurring schedule in the Stop Time field. Make sure to use the 24-hour format.
9 Click Add.
10 Repeat Step 4 through Step 9 for each schedule to add.
11 To delete a schedule, select the schedule and click Delete.
12 Click OK. The Schedule Group is added and configured.
13 To edit a Schedule Group, click its Edit icon. The Edit Schedule Group dialog box displays. Edit the Schedule Group details and click OK.
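The following Python models the Schedule Group described above, so that a rule can be checked against the whole Engineering Work Hours group or against only its weekday schedule. It is an added example, not SonicWall's code; the day abbreviations and "HH:MM" 24-hour times follow the schedule naming used in this guide, and the auction-site rule and sample timestamps are constructed.

```python
"""Schedule Group evaluation, modelled on the GMS System > Schedules page.

Added example, not SonicWall code. A Schedule Group holds one-time (Once)
and/or recurring schedules; a group mixing both is of type Mixed. Recurring
times use the 24-hour format the Start/Stop Time fields require, and
"24:00" is accepted as end of day. Sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Union

# Day abbreviations as used in schedule names such as "M-T-W-TH-F 08:00-17:00"
DAYS = {"M": 0, "T": 1, "W": 2, "TH": 3, "F": 4, "SA": 5, "SU": 6}


def parse_hhmm(text: str) -> int:
    """Convert 'HH:MM' (24-hour) to minutes since midnight; '24:00' -> 1440."""
    hours, minutes = text.split(":")
    total = int(hours) * 60 + int(minutes)
    if not (0 <= int(minutes) < 60 and 0 <= total <= 24 * 60):
        raise ValueError(f"not a 24-hour time: {text}")
    return total


def at(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (helper for the demo and tests)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


@dataclass(frozen=True)
class RecurringSchedule:
    days: frozenset      # weekday numbers, Monday == 0
    start: int           # minutes since midnight, inclusive
    stop: int            # minutes since midnight, exclusive

    @classmethod
    def parse(cls, spec: str) -> "RecurringSchedule":
        """Parse 'M-T-W-TH-F 08:00-17:00' style specs."""
        day_part, time_part = spec.split()
        start, stop = (parse_hhmm(t) for t in time_part.split("-"))
        if stop <= start:
            raise ValueError("Stop Time must be later than Start Time")
        return cls(frozenset(DAYS[d] for d in day_part.split("-")), start, stop)

    def contains(self, when: datetime) -> bool:
        minute = when.hour * 60 + when.minute
        return when.weekday() in self.days and self.start <= minute < self.stop


@dataclass(frozen=True)
class OnceSchedule:
    start: datetime
    end: datetime

    def contains(self, when: datetime) -> bool:
        return self.start <= when < self.end


Schedule = Union[RecurringSchedule, OnceSchedule]


@dataclass
class ScheduleGroup:
    name: str
    schedules: list

    def schedule_type(self) -> str:
        kinds = {type(s) for s in self.schedules}
        if kinds == {RecurringSchedule}:
            return "Recurring"
        if kinds == {OnceSchedule}:
            return "Once"
        return "Mixed"

    def is_active(self, when: datetime) -> bool:
        """A group is active whenever any of its member schedules is."""
        return any(s.contains(when) for s in self.schedules)


# The group from the text: 11:00-21:00 Mon-Fri and 12:00-17:00 Sat-Sun.
WEEKDAY_HOURS = RecurringSchedule.parse("M-T-W-TH-F 11:00-21:00")
WEEKEND_HOURS = RecurringSchedule.parse("SA-SU 12:00-17:00")
ENGINEERING_WORK_HOURS = ScheduleGroup(
    "Engineering Work Hours", [WEEKDAY_HOURS, WEEKEND_HOURS])


def auction_sites_allowed(when: datetime,
                          scope: Union[ScheduleGroup, Schedule] = ENGINEERING_WORK_HOURS) -> bool:
    """Constructed rule: block auction sites while the schedule is active.

    `scope` may be the whole group or one member schedule, mirroring the
    choice of applying a rule to the group or only to the weekday schedule.
    """
    if isinstance(scope, ScheduleGroup):
        active = scope.is_active(when)
    else:
        active = scope.contains(when)
    return not active


if __name__ == "__main__":
    for stamp in ("2024-01-15 12:00", "2024-01-15 22:00", "2024-01-20 13:00"):
        verdict = "allowed" if auction_sites_allowed(at(stamp)) else "blocked"
        print(stamp, verdict)
```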

Using Configuration Tools

This chapter describes how to use SonicWall tools to restart SonicWall appliances, request diagnostics, inherit settings from the group, and more. The following sections describe the options available in the GMS tools menu:
• Restarting SonicWall Appliances
• Requesting Diagnostics for SonicWall
• Inheriting Settings
• Synchronizing Appliances
• Synchronizing with MySonicWall.com
• Manually Uploading Signature Updates

RESTARTING SONICWALL APPLIANCES

Some GMS changes require the SonicWall appliance(s) to be restarted automatically after the changes are applied. However, there might be instances when you want to restart the SonicWall appliance(s) manually. To restart one or more SonicWall appliances, complete the following steps:

1 Expand the System tree and click Tools. The Tools page displays.

2 To restart the selected SonicWall appliance(s), click Restart SonicWall.
NOTE: We recommend restarting the SonicWall appliance(s) when network activity is low.

REQUESTING DIAGNOSTICS FOR SONICWALL

To request diagnostics for SonicWall appliances, complete the following steps:

1 Expand the System tree and click Tools. The Tools page displays.
2 To request diagnostics for the selected SonicWall appliance(s), click Request Diagnostics. GMS schedules a task to request diagnostics for the selected SonicWall appliances.
3 To view the diagnostics, navigate to Diagnostics > Snapshot Status on the Console tab.
4 In the Diagnostics Requested pull-down list, select the diagnostics that you want to review.
5 Click View SnapShot Data.

INHERITING SETTINGS

On the Policies panel, in the System > Tools screen, you can apply inheritance filters at a global, group, or appliance level. You can select an existing inheritance filter and customize which of its rules are actually inherited. You can do this on the fly, without the need to create an entirely separate filter. For more information on inheritance, refer to Configuring Inheritance Filters.

To apply the inheritance filters, complete the following steps:

1 Expand the System tree and click Tools. The Tools page displays.

2 Select the appropriate radio button for either forward or reverse inheritance. Use the Filter drop-down menu to select the desired filter to apply. Click Preview to proceed to the “Preview of Inheritance Settings” window.
NOTE: When configuring forward inheritance at the group level, all selected settings are pushed to all units in the group.

3 Review the settings to be inherited. You can continue with all of the default screens selected for inheritance, or select only specific screens for inheritance by checking the boxes next to the desired settings.
NOTE: The Preview panel footer states, “All referring objects should also be selected as part of the settings picked, to avoid any dependency errors while inheriting.” If you deselect dependent screen data, the settings do not inherit properly.
4 If you are performing forward inheritance, click “Update” to proceed. If you are performing reverse inheritance, an additional selection must be made at the bottom of the Preview panel: choose either to update the chosen settings on only the target parent node, or to update the target parent node along with all unit nodes under it. After making this selection, click “Update” to proceed, or “Reset” to edit your previous selections.

5 If you select to update the target parent node and all unit nodes, a “Modify Task Description and Schedule” panel opens in place of the Preview panel. (This panel does not appear if you select “Update only target parent node”.) In the “Modify Task Description and Schedule” panel, you can edit the task description in the “Description” field. You can also adjust the schedule for inheritance, or continue with the default scheduling. To edit the timing, click the arrow next to “Schedule”; a calendar expands in which you can select the radio button for “Immediate” execution, or select an alternate day and time for the inheritance to occur.
6 After you have completed any edits, select either “Accept” or “Cancel” to execute or cancel the scheduled inheritance, respectively.

After the inheritance operation begins, a progress bar appears, along with text stating the operation might take a few minutes, depending on the volume of data to be inherited. After the inheritance operation is complete, the desired settings from the unit or group node should now be updated and reflected in the parent node’s settings, as well as in the settings of all other units, if selected. NOTE: For the Access/Services and Access/Rules pages, by default, inheriting group settings overwrites the values at the unit level with the group values. If you wish for SonicWall GMS to append the group settings to the values at the unit level, you need to enable the Append Group Settings option on the General/GMS Settings page on the Console tab. For more information on inheritance, refer to Configuring Inheritance Filters (/Support/TechnicalDocumentation/GMS-8-3-Admin-Guide/Console#1030578).

SYNCHRONIZING APPLIANCES

If a change is made to the SonicWall appliance through any means other than GMS, GMS is notified of the change through the syslog data stream. You can configure an alert through the Granular Event Management framework to send an email notification when a local administrator makes changes to a SonicWall appliance through the local user interface rather than through GMS. After the syslog notification is received, GMS schedules a task to synchronize its database with the local change. After the task executes successfully, the current configuration (prefs) file is read from the SonicWall appliance and loaded into the database.

Auto-synchronization occurs automatically whenever GMS receives a local change notification status syslog message from a SonicWall appliance. You can also force a synchronization at any time for a SonicWall appliance or a group of SonicWall appliances. To do this, complete the following steps:

1 Expand the System tree and click Tools. The Tools page displays.
2 To synchronize the selected SonicWall appliance(s), click Synchronize Now. GMS schedules a task to synchronize the selected SonicWall appliances.
NOTE: The auto-synchronization feature can be disabled on the Console/Management Settings screen by unchecking Enable Auto Synchronization.

SYNCHRONIZING WITH MYSONICWALL.COM

SonicWall appliances check their licenses/subscriptions with MySonicWall.com (www.MySonicWall.com) once every 24 hours. Using Synchronize with mysonicwall.com Now, you can have an appliance synchronize this information with mysonicwall.com without waiting for the 24-hour schedule. To force the SonicWall to synchronize with mysonicwall.com now, complete the following steps:

1 Expand the System tree and click Tools. The Tools page displays.
2 To synchronize the selected SonicWall appliance(s), click Synchronize with mysonicwall.com Now. GMS schedules a task to synchronize the selected SonicWall appliances’ license information into GMS.

MANUALLY UPLOADING SIGNATURE UPDATES

For SonicWall appliances that do not have direct access to the Internet (for example, appliances in high-security environments), you can manually upload updates to security service signatures. To instruct GMS to download updates to security service signatures, complete the following steps:

1 Click the Console tab, expand the Management tree, and click Settings.
2 Select the check boxes for the Manage Signature Upload settings. Refer to Configuring Management Settings for more information.
3 Click the Policies tab, expand the System tree, and click Tools.
4 When there are updated signatures to upload, Upload Signatures Now is displayed. Click this button to manually upload the signatures.
NOTE: Upload Signatures Now is displayed only when GMS has downloaded updated signature files that are ready to be uploaded.

Configuring Contact Information

The System > Info page contains contact information for the SonicWall appliance. These settings are for informational purposes only and do not affect the operation of SonicWall appliances. To change informational settings on one or more SonicWall appliances, complete the following steps:

1 Expand the System tree and click Info. The Info page displays.

2 Enter appliance contact information for the SonicWall appliance(s).
3 After entering the street address, city, state, zip code, and country contact information, click Locate Geocode. This populates the GeoLocation field with the SonicWall appliance's latitude and longitude coordinates. Similarly, you can enter the latitude and longitude coordinates and click Locate Address to populate the address information fields. The location information enables your SonicWall appliance to display on the Dashboard Geographic Map. For more information on using the Dashboard Geographic Map to drag and drop the location of your unit, refer to Using the Universal Dashboard.
4 When you are finished, click Update. A task is spooled and, after it executes successfully, the information is updated for the selected SonicWall appliances.
5 To reset all screen settings and start over, click Reset.

Configuring System Settings

GMS enables you to save SonicWall appliance settings to the GMS database so that they can be used for restoration purposes. GMS can automatically take backups of the appliance configuration files on a regular schedule and store them in the database. The schedule is configured in the Console > Management > GMS Settings screen (Automatically save...). Here you can specify that a backup should never be taken, or that backups should be taken on a daily or weekly schedule. If the schedule is set to daily or weekly, backups are taken for all appliances for which Enable Prefs File Backup is selected in this screen. To purge older backups, you can specify how many of the latest prefs files should be stored in the database. The list box here displays all the prefs files backed up, along with the firmware version. In addition to automatic backups, you can manually force a prefs backup by selecting Store settings...

To save or apply SonicWall appliance settings, complete the following steps:

1 Expand the System tree and click Settings. The Settings page displays.

2 To apply settings to the SonicWall appliance directly from the GMS database, select the saved settings and click Restore the settings to the unit.
NOTE: The Restore the settings to the unit option is available only at the unit level, not at the group and global levels. This option was previously available at the group and global levels. GMS no longer displays the option at the group and global levels, to minimize the risk of writing a non-compatible prefs file to an incorrect firmware version running on a SonicWall appliance.
3 To store an external prefs file in the database, enter the path to the file and click Store settings from local file. The Store settings from local file button stores the prefs file from the local hard disk into the GMS database so that it displays in the list box of the Settings page. After it is stored in the database (and displays in the list box), you can click Restore the settings to the unit.
4 To delete the saved settings, click the Delete the settings link.
5 To save the settings of a SonicWall appliance to the GMS database, enter a name for the settings in the Name field and click Store settings read from unit. Then, if you want to save these settings to a local file, click Store the settings from local file. You can save multiple versions of settings for each SonicWall appliance to the GMS database and to different local files.
6 To automatically back up the preferences for the selected SonicWall appliance, select Enable Settings File Backup and click Update.
NOTE: The backed-up prefs file contains the configuration settings and the firmware version of the security appliance you are backing up.
7 Go to the Console > Management > GMS Settings page and update the values in the Automatically save prefs file section. This enables you to specify when and how frequently GMS backs up the prefs files.
8 If you want to automatically purge older backups, select the number of newer backup files you want to keep in the Number of newest Prefs Files to be preserved field. Enter 0 to prevent purging of older backups. Click Update.
9 Set the value in the Missed Reports Threshold field to the number of heartbeat messages GMS can miss before considering the unit to be down. Click Update. GMS relies on special syslogs called heartbeat messages to determine whether an appliance is up and running. By default, if GMS does not receive three successive heartbeat messages, it marks the appliance as “down”. You can customize this threshold to any number. If you set the value to “0”, GMS never marks this node as down.
10 To delete settings from the GMS database, select the saved settings and click Delete the settings.
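The heartbeat threshold behaviour described in step 9, as an added Python example that is not GMS code: a unit is marked down once it has missed the configured number of successive heartbeats, and a threshold of 0 disables down-marking. The one-line heartbeat format, the unit names and the one-minute reporting interval are constructed for the example.

```python
"""Heartbeat-based up/down tracking, modelled on the Missed Reports Threshold.

Added example, not GMS code. The guide states that GMS marks an appliance
"down" once it has missed the configured number of successive heartbeat
syslogs (default 3) and that a threshold of 0 means never mark it down.
The heartbeat line format, unit names and one-minute interval used here are
constructed for the example; real SonicWall heartbeat syslogs differ.
"""
from datetime import datetime, timedelta

HEARTBEAT_INTERVAL = timedelta(minutes=1)   # assumed appliance reporting interval
DEFAULT_THRESHOLD = 3                        # the guide's default Missed Reports Threshold


def at(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp (helper for the demo and tests)."""
    return datetime.fromisoformat(stamp)


class HeartbeatMonitor:
    def __init__(self, missed_reports_threshold: int = DEFAULT_THRESHOLD):
        if missed_reports_threshold < 0:
            raise ValueError("threshold must be 0 (never mark down) or positive")
        self.threshold = missed_reports_threshold
        self.last_seen = {}   # unit name -> datetime of its latest heartbeat
        self.status = {}      # unit name -> "up" or "down"

    def record(self, unit: str, when: datetime) -> None:
        """A heartbeat arriving from a unit always brings it back to 'up'."""
        self.last_seen[unit] = when
        self.status[unit] = "up"

    def missed(self, unit: str, now: datetime) -> int:
        """Number of expected heartbeats not received since the last one."""
        return int((now - self.last_seen[unit]) // HEARTBEAT_INTERVAL)

    def evaluate(self, now: datetime) -> dict:
        """Apply the threshold to every known unit and return a status snapshot."""
        if self.threshold > 0:                   # 0 disables down-marking entirely
            for unit in self.last_seen:
                if self.missed(unit, now) >= self.threshold:
                    self.status[unit] = "down"
        return dict(self.status)


def parse_heartbeat(line: str):
    """Parse a constructed '<ISO timestamp> <unit> heartbeat' line; None otherwise."""
    parts = line.split()
    if len(parts) != 3 or parts[2] != "heartbeat":
        return None
    try:
        return parts[1], datetime.fromisoformat(parts[0])
    except ValueError:
        return None


def unit_status(lines, now: datetime, threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Replay heartbeat lines (constructed format) and evaluate them at `now`."""
    monitor = HeartbeatMonitor(threshold)
    for line in lines:
        parsed = parse_heartbeat(line)
        if parsed:                              # unrelated syslog lines are ignored
            monitor.record(*parsed)
    return monitor.evaluate(now)


# Constructed sample syslog stream: two units, one of which stops reporting.
SAMPLE_LINES = [
    "2024-01-15T10:00:00 unit-A heartbeat",
    "2024-01-15T10:00:00 unit-B heartbeat",
    "2024-01-15T10:01:00 unit-A heartbeat",
    "2024-01-15T10:01:00 unit-B heartbeat",
    "2024-01-15T10:02:00 unit-B heartbeat",
    "2024-01-15T10:02:30 unit-B local configuration change",   # not a heartbeat
    "2024-01-15T10:03:00 unit-B heartbeat",
]

if __name__ == "__main__":
    now = at("2024-01-15T10:04:00")
    print(unit_status(SAMPLE_LINES, now))                # unit-A down, unit-B up
    print(unit_status(SAMPLE_LINES, now, threshold=0))   # nothing is ever marked down
```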

Configuring Firewall Network Settings

This chapter describes how to configure network settings for SonicWall appliances. It is divided into sections for SonicWall security appliances running SonicOS Enhanced and SonicOS Standard.
• Overview of Interfaces
• Configuring Network Settings in SonicOS Enhanced
• Configuring Network Settings in SonicOS Standard

Overview of Interfaces

You can configure the LAN interface in five different modes:
• Static IP—Uses a static IP address and acts as a gateway for devices on the LAN.
• Transparent Mode—Allows you to assign a single IP address to two physical interfaces, where each interface accesses an exclusive range of IP addresses in the shared subnet. Behaves as a proxy at Layer 3, intercepting ARPs and changing source MAC addresses of packets traversing the interface pair.
• Layer 2 Bridged Mode—Similar to Transparent Mode, but dynamically learns IP addresses on both interfaces so that you do not need to subdivide the subnet that is being bridged. Provides deep-packet inspection and application of policies before forwarding packets. Places the bridged interfaces into promiscuous mode and passes traffic between them with source and destination MAC addresses intact.
• Wired Mode—Adding to the broad collection of traditional modes of SonicOS interface operation, including all LAN modes (Static, NAT, Transparent Mode, L2 Bridge Mode, PortShield Switch Mode) and all WAN modes (Static, DHCP, PPPoE, PPTP, and L2TP), SonicOS 5.8 introduces Wire Mode, which provides four new methods of nondisruptive, incremental insertion into networks.
• Tap Mode—Provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream through a single switch port on the SonicWall security appliance, eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Like all other forms of Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps.

The Interfaces figure shows the basic interfaces for a SonicWall appliance. The WAN interface can use a static or dynamic IP address and can connect to the Internet through Transmission Control Protocol (TCP), Point-to-Point Protocol over Ethernet (PPPoE), Level 2 Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP). A SonicWall appliance might have one, many, or no optional interfaces. Optional interfaces can be configured for LAN, WAN, DMZ, WLAN, or Multicast connections, or they can be disabled.

Interfaces

VIRTUAL INTERFACES (VLAN)

On the SonicWall NSA Series and SonicWall PRO 2040/3060/4060/4100/5060 security appliances, virtual interfaces are sub-interfaces assigned to a physical interface. Virtual interfaces allow you to have more than one interface on one physical connection. Virtual interfaces provide many of the same features as physical interfaces, including Zone assignment, DHCP Server, and NAT and Access Rule controls. Selecting Layer 2 Bridged mode is not possible for a VLAN interface.

VLAN support on SonicOS Enhanced is achieved by means of sub-interfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID requires its own sub-interface. For reasons of security and control, SonicOS does not participate in any VLAN trunking protocols, but instead requires that each VLAN to be supported is configured and assigned appropriate security characteristics.

VLAN Interfaces

SonicOS Enhanced 4.0 and higher can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the WAN interface. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic. Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWall security appliance. Every packet destined for the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link, depending on the guaranteed bandwidth for the flow and the available link bandwidth.

Configuring Network Settings in SonicOS Enhanced

The following sections describe how to configure network settings in SonicOS Enhanced:
• Configuring Interface Settings
• WAN Failover and Load Balancing
• Configuring Zones
• Configuring the WLAN Zone
• Configuring DNS
• Configuring Dynamic DNS
• Configuring NAT Policies
• Configuring Web Proxy Forwarding Settings
• Configuring Routing in SonicOS Enhanced
• Configuring RIP in SonicOS Enhanced
• Configuring IP Helper
• Configuring ARP
• Configuring SwitchPorts
• Configuring PortShield Groups
• Configuring MAC-IP Anti-Spoof
• Configuring Network Monitor

CONFIGURING INTERFACE SETTINGS

Interface settings define the networks associated with the LAN, WAN, optional (OPT), and WWAN interfaces. This includes protocols, gateways, DNS servers, Virtual LANs, and management settings.
NOTE: Group-level interface edits are only available for SonicWall firewall appliances. For a WWAN interface, GMS navigates directly to the Network > WWAN > Settings screen. For configuration information, refer to Configuring WWAN Settings.

IPv4 and IPv6 addresses are accepted and displayed in the Network > Interfaces screens. To configure the network interface general settings for one or more SonicWall appliances, select the desired configuration from the following:
• Static Mode
• Transparent Mode
• Layer 2 Bridge Mode
• Layer 2 Bridge Bypass Relay Control
• Wired Mode (2-Port Wire)
• Tap Mode (1-Port Tap)
• Configuring WAN Settings
• Advanced Settings
• Configuring Link Aggregation (SonicOS 5.9 or higher)
• Port Redundancy (SonicOS 5.9 or higher)
• Configuring VLAN Sub-Interfaces
• WAN Connection Model
• Managing WWAN Connections
• Configuring MGMT Interfaces

Static Mode

Static means that you assign a fixed IP address to the interface.

1 Click the Configure icon in the Configure column for the interface you want to configure. The Edit Interface window is displayed.
• If you want to create a new zone, select Create new zone. The Add Zone window is displayed. See the Network > Zones page for instructions on adding a zone.
2 Select a zone to assign to the interface. You can select LAN, WAN, DMZ, WLAN, or a custom zone.
3 Select Static from the IP Assignment menu.
4 Enter the IP Address (Primary), the IP Address (Secondary) if high availability is enabled, and the Subnet Mask of the zone in the IP Address (Primary), IP Address (Secondary), and Subnet Mask fields.
NOTE: You cannot enter an IP address that is in the same subnet as another zone.
5 Enter an IP address for a Default Gateway (optional). This feature is not supported for WLAN and VPN zones.
6 Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
7 If you want to enable remote management of the SonicWall appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP.
8 If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
9 Click OK.

Transparent Mode

The following options are available when configuring an interface in Transparent Mode:

For LAN, DMZ, or Multicast interfaces, configure the following settings:
• For IP Assignment, select Static, Transparent Mode, or Layer 2 Bridged Mode. The display changes according to your selection. Configure the resulting fields as follows:
• Static—For static IP addresses, enter the IP Address for the interface and the Subnet Mask for the network.
• Transparent Mode—For transparent mode, select an address object that contains the range of IP addresses you want to have access through this interface in the Transparent Range menu.
• PortShield Switch Mode—For SonicWall TZ 210, TZ 210W and NSA 240 appliances, you can configure interfaces for PortShield switch mode, which manually groups ports together to share a common network subnet as well as common zone settings. For more information, refer to Configuring PortShield Groups.

Layer 2 Bridge Mode

NOTE: When configuring a zone for Layer 2 Bridge Mode, the only access rule automatically added is an allow rule between the bridge pair. Other necessary access rules must be added manually.

The following options are available when configuring an interface in Layer 2 Bridge Mode:
• Layer 2 Bridged Mode—On appliances running SonicOS Enhanced 3.5 and 4.0 or higher, you can select Layer 2 Bridged Mode for physical interfaces in either the LAN or the DMZ zone. On appliances running SonicOS Enhanced 5.5 or higher, you can select Layer 2 Bridge Mode for the WLAN zone.
• In the Bridged-to field, select a WAN, LAN, or DMZ interface with a static IP address.
• Select Block all non-IPv4 traffic to allow only IPv4 traffic on this bridge-pair.
• Select Never route traffic on this bridge-pair to prevent traffic from being routed to another interface.
• Select Only sniff traffic on this bridge-pair to allow the bridged interface to be connected to a mirrored port on a switch in a one-arm mode, to do intrusion detection by examining traffic going through the switch.
• Select Disable stateful-inspection on this bridge-pair to enable asymmetric routing on this interface.

Layer 2 Bridge Bypass Relay Control

The Engage physical bypass on malfunction option enables Layer 2 Bridge Bypass Relay Control, also known as “Fail to Wire.” The bypass relay option gives you the choice of avoiding disruption of network traffic by bypassing the firewall in the event of a malfunction. The bypass relay is closed for any unexpected anomaly (power failure, watchdog exception, fallback to safe mode).
NOTE: The Engage physical bypass on malfunction option is available only for SonicWall E7500 appliances running SonicOS Enhanced version 5.5 or higher, and only when the X0 interface is bridged to the X1 interface.

Selecting the Engage physical bypass on malfunction option automatically configures the other Layer 2 Bridge mode options as follows:
• Block all non-IPv4 traffic - Disabled
• Never route traffic - Enabled
• Only sniff traffic - Disabled
• Disable stateful-inspection - Not modified
• Comment—Enter any comments regarding the interface.
• Management—Select one or more of the following management options:
• HTTP—Allows HTTP management over the interface.
• HTTPS—Allows HTTPS management over the interface.
• Ping—The interface responds to ping requests.
• SNMP—The interface supports Simple Network Management Protocol (SNMP).
• SSH—The interface supports Secure Shell (SSH) for CLI-based administration.
• User Login—Select from the following user login options:
• HTTP—When selected, users are able to log in using HTTP.
• HTTPS—When selected, users are able to log in using HTTPS.
• Add rule to enable redirect from HTTP to HTTPS—Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.

Wired Mode (2-Port Wire)

NOTE: The Wire Mode feature is supported only on NSA and SuperMassive platforms. Wire Mode 2.0 can be configured on any zone (except wireless zones).

Wire Mode is a simplified form of Layer 2 Bridge Mode, and is configured as a pair of interfaces. In Wire Mode, the destination zone is the Paired Interface Zone. Access rules are applied to the Wire Mode pair based on the direction of traffic between the source Zone and its Paired Interface Zone. For example, if the source Zone is WAN and the Paired Interface Zone is LAN, then WAN to LAN and LAN to WAN rules are applied, depending on the direction of the traffic.

In Wire Mode, administrators can enable Link State Propagation, which propagates the link status of an interface to its paired interface. If an interface goes down, its paired interface is forced down to mirror the link status of the first interface. Both interfaces in a Wire Mode pair always have the same link status.

In Wire Mode, administrators can Disable Stateful Inspection. When Disable Stateful Inspection is selected, Stateful Packet Inspection (SPI) is turned off. When Disable Stateful Inspection is not selected, new connections can be established without enforcing a 3-way TCP handshake. Disable Stateful Inspection must be selected if asymmetrical routes are deployed.

When the Bypass when SonicOS is restarting or down option is selected and the Wire Mode Type is set to Secure, traffic continues to flow even when the SonicWall Security Appliance is rebooting or is down. The Bypass when SonicOS is restarting or down option is always enabled and is not editable when Disable Stateful Inspection is selected.

To configure Wire Mode 2.0:

1 Navigate to Network > Interfaces.
2 Click Add Interface, or click Configure for the interface you want to configure.
3 Under the General tab, in the IP Assignment list, select Wire Mode (2-Port Wire).
4 In the Zone list, select WAN.
5 In the Paired Interface Zone list, select LAN.
6 Select Enable Link State Propagation.
7 Select Disable Stateful Inspection.
8 Select Bypass when SonicOS is restarting or down.
9 Click OK.

Tap Mode (1-Port Tap)

To configure an interface for Tap Mode, complete the following steps:

1 On the Network > Interfaces page, click Configure for the interface you want to configure for Wire Mode.
2 In the Zone pull-down menu, select LAN.
3 To configure the interface for Tap Mode, in the Mode / IP Assignment pull-down menu, select Tap Mode (1-Port Tap) and click OK.
4 To configure the interface for Wire Mode, in the Mode / IP Assignment pull-down menu, select Wire Mode (2-Port Wire).
5 Click OK.

Configuring WAN Settings

To configure the WAN settings for the SonicWall appliance, complete the following steps:

1 Select how the WAN connects to the Internet from the IP Assignment list box:
• Static—Configure the following settings for static IP address interfaces:
• IP Address—Enter the IP address of the interface.
• Subnet Mask—Enter the subnet mask for the network.
• Default Gateway—IP address of the WAN gateway.
• DNS Server 1-3—IP addresses of the DNS servers.
• Comment—Enter any comments regarding the interface.
• DHCP—Configure the following settings if the WAN IP address will use DHCP:
• Host Name—Specifies the host name of the SonicWall device on the WAN interface.
• Comment—Enter any comments regarding the interface.
• IP Address, Subnet Mask, Gateway (Router) Address, and DNS Server 1-3—These settings are automatically filled in by DHCP.
• PPPoE—Configure the following client settings if the WAN interface uses PPPoE:

• Schedule—Select the schedule for when the interface is enabled. The default value is Always on. The available options can be customized in the System > Schedule page. The default choices are:
  Always On
  Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)
  M-T-W-TH-F 00:00-08:00
  After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)
  Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)
  AppFlow Report Hours or SU-M-T-W-TH-F-S 00:00-24:00
  TSR Report Hours
• User Name—Enter the username provided by the ISP.
• User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.
• Comment—Enter any comments regarding the interface.
• Service Name—Enter the name of a service that must be supported by PPPoE servers that respond to a client connection request. The service name can be up to 50 characters. Many installations use the system name as a service name, for example “sonicwall-server” or “redbackserver.” If the service name is left blank, the client connects to any service.
• Select from the following:
  To configure the SonicWall appliance(s) to dynamically obtain an IP address, select Obtain IP Address automatically.
  To configure the SonicWall appliance(s) to use a fixed IP address, select Specify IP Address and enter the IP address.
  To configure an unnumbered PPPoE interface,
• Select from the following:
  To configure the SonicWall appliance(s) to obtain the DNS server information automatically, select Obtain DNS Server Address Automatically.
  To specify DNS servers, select Specify DNS Servers and enter the DNS server IP addresses.
NOTE: For PPPoE interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.

To configure an Unnumbered PPPoE Interface, complete the following steps:

1 Click the Protocol tab.
2 For Zone, select LAN, DMZ, or create a new zone.
3 For Mode / IP Assignment, select IP Unnumbered.
4 For IP Address, enter the address provided by your ISP. Usually it is the second IP address assigned by the provider. The subnet mask is also assigned by the ISP.
NOTE: The default MTU of PPPoE is 1492.
NOTE: To change X3 to another mode when X2 unnumbered to X3 is configured, first terminate the relationship with X2 by changing X2 to another mode. Otherwise, if you change the IP address or mask of interface X3, X3 reconnects to the PPPoE server.
NOTE: If X3 is set as an unnumbered interface, other interfaces cannot connect to X3 using an L2 Bridge.
• View the settings for the acquired IP address, subnet mask, gateway address, and DNS server addresses.
• Inactivity Disconnect—Specify how long (in minutes) the SonicWall appliance waits before disconnecting from the Internet, and select the check box.
• Strictly use LCP echo packets for server keep-alive—Enable this check box when the client recognizes that the server relies on Link Control Protocol (LCP) echo requests for keeping the PPPoE connection alive.
• Disconnect the PPPoE client if the server does not send traffic for __ minutes—Select this check box and enter the number of minutes to wait without traffic before the connection is ended. When enabled, the PPPoE client monitors traffic from the server on the tunnel and disconnects when no traffic is seen for the specified time period.
5 If High Availability is enabled, High Availability > Settings is configured with Unnumbered PPPoE. A sample network topology is as follows:

In this topology, X2 is the PPPoE unnumbered interface and X3 is an unnumbered interface.

GMS adds two routes:

GMS also adds two NAT policies:

A manually added NAT policy would have settings such as:

   • PPTP—Configure the following settings if the WAN IP address will use PPTP:
      • Schedule—Select the schedule for when the interface is enabled. The default value is Always on. The available options can be customized in the System > Schedules page. The default choices are:
         Always on
         Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)
         M-T-W-TH-F 00:00-08:00
         After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)
         Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)
      • User Name—Enter the username provided by the ISP.
      • User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.
      • PPTP Server IP Address—This information is provided by your ISP.
      • PPTP (Client) Host Name—This information is provided by your ISP.
      • Comment—Enter any comments regarding the interface.
      • Inactivity Disconnect—Specify how long (in minutes) the SonicWall appliance waits before disconnecting from the Internet.
      • Select from the following from the PPTP IP Assignment list box:
         • To configure the SonicWall appliance(s) to dynamically obtain an IP address, select DHCP.
         • To configure the SonicWall appliance(s) to use a fixed IP address, select Static and enter the IP address, subnet mask, and gateway IP address.
      NOTE: For PPTP interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
   • L2TP—Configure the following settings if the WAN IP address uses L2TP:
      • Schedule—Select the schedule for when the interface is enabled. The default value is Always on. The available options can be customized in the System > Schedules page. The default choices are:
         Always on
         Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same schedules)
         M-T-W-TH-F 00:00-08:00
         After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same schedules)
         Weekend Hours or SA-SU 00:00-24:00 (these two options are the same schedules)
      • User Name—Enter the username provided by the ISP.
      • User Password—Enter the password used to authenticate the username with the ISP. This field is case-sensitive.
      • L2TP Server IP Address—This information is provided by your ISP.
      • L2TP (Client) Host Name—This information is provided by your ISP.
      • Comment—Enter any comments regarding the interface.
      • Inactivity Disconnect—Specify how long (in minutes) the SonicWall appliance waits before disconnecting from the Internet.
      • Select from the following from the L2TP IP Assignment list box:
         To configure the SonicWall appliance(s) to dynamically obtain an IP address, select DHCP.
         To configure the SonicWall appliance(s) to use a fixed IP address, select Static and enter the IP address, subnet mask, and gateway IP address.
      NOTE: For L2TP interfaces, a Protocol tab appears that displays the acquired IP address, subnet mask, gateway address, and DNS server addresses.
6 Select one or more of the following management options:
   • HTTP—When selected, allows HTTP management from the interface.
   • HTTPS—When selected, allows HTTPS management from the interface.
   • Ping—When selected, the interface responds to ping requests.
   • SNMP—When selected, the interface supports Simple Network Management Protocol (SNMP).
7 User Login—Select from the following user login options:
   • HTTP—When selected, you are able to log in using HTTP.
   • HTTPS—When selected, you are able to log in using HTTPS.
   • Add rule to enable redirect from HTTP to HTTPS—Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.
8 Click Update. The settings are saved.
To clear any changes and start over, click Reset.

Advanced Settings

1 Click the Advanced tab and configure the following Ethernet settings:
   • Link Speed—To configure the interface to automatically negotiate Ethernet settings, select Auto Negotiate. If you want to specify the forced Ethernet speed and duplex, select the appropriate setting.
   • Use Default MAC Address—Select to use the default MAC address.
   • Override Default MAC Address—Select to manually enter the MAC address.
   • Shutdown Port—Select to temporarily take this interface offline for maintenance or other reasons. If connected, the link will go down.
   • Enable flow reporting—Select to enable flow reporting on flows created for this interface. This check box is available on SonicWall appliances running 5.9 and higher firmware.
   • Enable Multicast Support—Select to enable multicast on the interface.
   • Interface MTU—Specify the size of the Maximum Transmission Unit (MTU) in octets (default: 1500).
   • Enable 802.1p tagging—QoS Marking is controlled per Access Rule from the Firewall > Access Rules page. Packets sent out this interface are tagged with VLAN id=0 and carry 802.1p priority information. Devices connected to this interface should support priority frames. This check box is available on SonicWall appliances running 5.9 and higher firmware.
   • Optionally, to exclude the interface from Route Advertisement, select Exclude from Route Advertisement (NSM, OSPF, BGP, RIP). This option is not selected by default.
   • Optionally, select Management Traffic Only to restrict traffic to only SonicWall management traffic and routing protocols. This option is not selected by default.
   • Optionally, enable Asymmetric Route Support on the interface by selecting Enable Asymmetric Route Support. If enabled, the traffic initialized from this interface supports asymmetric routes, that is, the initial packet or response packet can pass through from other interfaces. This check box is not selected by default.
   • Secondary IP Address—This can be used, for example, to have the firewall device reply for a secondary IP address on a particular interface by adding the address of the firewall.
   • Secondary Subnet Mask—Allows for secondary subnets to be added on other interfaces, and without the addition of automatic NAT rules.
   • To shut down the port, click Shutdown Port. A warning pop-up window displays, asking if you want to administratively shut down the port. This check box is only available for SuperMassive series appliances running SonicOS 6.1 and higher firmware images.
   • To fragment packets that are larger than this MTU, select Fragment non-VPN outbound packets larger than this Interface's MTU.
   • To block notifications that this interface can receive fragmented packets, select Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU.
   NOTE: If the maximum transmission unit (MTU) size is too large for a remote router, it might require more transmissions. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be processed.
   • To ignore Don’t Fragment (DF) bits from routers connected to the SonicWall appliance, select Ignore Don't Fragment (DF) Bit.

Expert Mode

2 Under the Expert Mode Settings heading, select Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation to enable Routed Mode for the interface. Routed Mode provides an alternative to NAT for routing traffic between separate public IP address ranges. NAT translations are automatically disabled for the interface, and all inbound and outbound traffic is routed to the WAN interface.
   • In the Set NAT Policy's outbound\inbound interface to pull-down menu, select the WAN interface that is to be used to route traffic for the interface.
3 Click OK.
4 The firewall then creates “no-NAT” policies for both the configured interface and the selected WAN interface. These policies override any more general M21 NAT policies that might be configured for the interfaces.

The availability of Expert Mode depends on the zone and IP address assignment configuration of the interface, as follows:
   • LAN & DMZ – Expert Mode is available for interfaces that are assigned a static IP address.
   • WAN – Expert Mode is not available.
   • WLAN – Expert Mode is available for all WLAN interfaces, regardless of IP assignment.

Bandwidth Management

Bandwidth Management (BWM) allows you to guarantee minimum bandwidth and prioritize traffic. BWM is enabled in the Firewall Settings > BWM page. By controlling the amount of bandwidth to an application or user, you can prevent a small number of applications or users from consuming all available bandwidth. Various types of bandwidth management can be enabled on the Firewall > BWM page:
   • Advanced—Enables you to configure maximum egress and ingress bandwidth limitations per interface, by configuring bandwidth objects, access rules, and application policies.
   • Global—Allows you to enable BWM settings globally and apply them to any interfaces.
   • None (default)—Disables BWM.

GMS can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the interfaces in the WAN zone. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP’s intrinsic behavior to control the traffic.

Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWall security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth. Balancing the bandwidth allocated to different network traffic and then assigning priorities to traffic improves network performance.

Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second.

NOTE: The Bandwidth Management settings are applied to all interfaces in the WAN zone, not just to the interface being configured.

Enabling Bandwidth Management

To enable or disable ingress and egress BWM:
1 Click the Edit icon of an interface. The Add/Edit Interface dialog displays.
2 Click the Advanced tab.

NOTE: Advanced Settings could differ, depending on your firewall model.



3 Scroll to the Bandwidth Management section.
4 Select Enable Interface Egress Bandwidth Limitation. This option is not selected by default. When this option is:
   • Selected, the maximum available egress BWM is defined, but as advanced BWM is policy based, the limitation is not enforced unless there is a corresponding Access Rule or App Rule.
   • Not selected, no bandwidth limitation is set at the interface level, but egress traffic can still be shaped using other options.
5 In the Maximum Interface Egress Bandwidth (kbps) field, enter the maximum egress bandwidth for the interface (in kilobytes per second). The default is 384.000000 Kbps.
6 Select Enable Interface Ingress Bandwidth Limitation. This option is not selected by default.
7 Click OK.
   • Enable Egress Bandwidth Management—Enables outbound bandwidth management.
   • Available Interface Egress Bandwidth (Kbps)—Specifies the available bandwidth for WAN interfaces in Kbps.
   • Enable Ingress Bandwidth Management—Enables inbound bandwidth management.
   • Available Interface Ingress Bandwidth (Kbps)—Specifies the available bandwidth for WAN interfaces in Kbps.
8 Click Update. The settings are saved.
9 To clear any changes and start over, click Reset.
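The two-phase CBQ behaviour described above (each class transmits its guaranteed share first, then spare link capacity is lent out by priority up to each class's maximum), as an added example that is not part of the SonicWall guide or its firmware; the class names, rates and packet sizes are constructed, and the queue model is a simplification.

```python
"""Added example, not SonicWall code: a simplified class-based queuing (CBQ)
egress scheduler of the kind the Bandwidth Management text describes.  Each
traffic class first transmits up to its guaranteed rate; spare link capacity
is then lent out in priority order up to each class's maximum.  The class
names, rates and packet sizes below are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class TrafficClass:
    name: str
    priority: int           # 0 is served first when spare capacity is lent out
    guaranteed_kbps: int    # rate the class may always use in an interval
    max_kbps: int           # ceiling the class may borrow up to
    queue: deque = field(default_factory=deque)   # queued packet sizes, bytes


def schedule_interval(classes, link_kbps, interval_ms=1000):
    """Run one scheduling interval and return {class name: bytes sent}.

    Packets that do not fit stay queued for the next interval; nothing is
    dropped here (a real shaper would also bound queue depth)."""

    def bits(kbps):
        return kbps * 1000 * interval_ms // 1000

    budget = bits(link_kbps)                     # link capacity this interval
    sent_bytes = {c.name: 0 for c in classes}
    used_bits = {c.name: 0 for c in classes}

    def drain(cls, allowance_bits):
        """Dequeue whole packets while both the class allowance and the
        shared link budget can absorb the next packet."""
        nonlocal budget
        taken = 0
        while cls.queue:
            pkt_bits = cls.queue[0] * 8
            if taken + pkt_bits > allowance_bits or pkt_bits > budget:
                break
            cls.queue.popleft()
            taken += pkt_bits
            budget -= pkt_bits
            sent_bytes[cls.name] += pkt_bits // 8
        used_bits[cls.name] += taken

    by_priority = sorted(classes, key=lambda c: c.priority)
    # Phase 1: every class gets its guaranteed share (high priority first,
    # which only matters if the guarantees oversubscribe the link).
    for cls in by_priority:
        drain(cls, bits(cls.guaranteed_kbps))
    # Phase 2: whatever is left is lent out by priority, capped by max_kbps.
    for cls in by_priority:
        drain(cls, bits(cls.max_kbps) - used_bits[cls.name])
    return sent_bytes


def demo():
    """Constructed scenario: a 1000 kbps WAN link shared by three classes.

    Returns (bytes sent per class, bulk packets still queued)."""
    voip = TrafficClass("voip", priority=0, guaranteed_kbps=200, max_kbps=300)
    web = TrafficClass("web", priority=1, guaranteed_kbps=300, max_kbps=1000)
    bulk = TrafficClass("bulk", priority=2, guaranteed_kbps=100, max_kbps=1000)
    voip.queue.extend([200] * 100)      # 160,000 bits offered
    web.queue.extend([1500] * 50)       # 600,000 bits offered
    bulk.queue.extend([1500] * 100)     # 1,200,000 bits offered
    sent = schedule_interval([voip, web, bulk], link_kbps=1000)
    return sent, len(bulk.queue)


if __name__ == "__main__":
    sent, backlog = demo()
    for name, nbytes in sent.items():
        print(f"{name:5s} sent {nbytes:6d} bytes ({nbytes * 8} bits)")
    print(f"bulk packets carried over: {backlog}")
```

In the constructed scenario the link is fully used: voip and web clear their queues, while bulk gets its 100 kbps guarantee plus only the capacity the higher-priority classes left over.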

Configuring Link Aggregation (SonicOS 5.9 or higher)

NOTE: The Link Aggregation features are supported only on NSA and SuperMassive platforms.

Link Aggregation groups up to four Ethernet interfaces together, forming a single logical link to support greater throughput than a single physical interface could support; this is referred to as a Link Aggregation Group (LAG). This provides the ability to send multi-gigabit traffic between two Ethernet domains. All ports in an aggregate link must be connected to the same switch. The firewall uses a round-robin algorithm for load balancing traffic across the interfaces in a Link Aggregation Group. Link Aggregation also provides a measure of redundancy, in that if one interface in the LAG goes down, the other interfaces remain connected. Link Aggregation is referred to using different terminology by different vendors, including Port Channel, Ether Channel, Trunk, and Port Grouping.

Link Aggregation failover

SonicWall provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Link Aggregation. If all three of these features are configured on a firewall, the following order of precedence is followed in the case of a link failure:
1 High Availability
2 Link Aggregation
3 Load Balancing Groups

HA takes precedence over Link Aggregation. Because each link in the LAG carries an equal share of the load, the loss of a link on the Active firewall forces a failover to the Idle firewall (if all of its links remain connected). Physical monitoring needs to be configured only on the primary aggregate port. When Link Aggregation is used with a LB Group, Link Aggregation takes precedence. LB takes over only if all the ports in the aggregate link are down.

Link Aggregation Configuration

To configure Link Aggregation, complete the following steps:
1 On the Network > Interfaces page, click the configure icon for the interface that is to be designated the master of the Link Aggregation Group. The Edit Interface window displays.
2 In the General tab, select a zone from the Zone pull-down menu.
3 Click on the Advanced tab.

4 In the Redundant/Aggregate Ports pull-down menu, select Link Aggregation.
5 The Aggregate Port option is displayed with a check box for each of the currently unassigned interfaces on the firewall. Select up to three other interfaces to assign to the LAG.
6 (Wire Mode only) The Paired Interface Aggregate Port option is displayed; select up to three paired interfaces.
   NOTE: After an interface is assigned to a Link Aggregation Group, its configuration is governed by the Link Aggregation master interface and it cannot be configured independently. In the Interface Settings table, the interface's zone is displayed as “Aggregate Port” and the configuration icon is removed.
7 Set the Link Speed for the interface to Auto-Negotiate.
8 Click OK.

NOTE: Link Aggregation requires a matching configuration on the switch. The switch's method of load balancing will vary depending on the vendor. Consult the documentation for the switch for information on configuring Link Aggregation. Remember that it might be referred to as Port Channel, Ether Channel, Trunk, or Port Grouping.

Port Redundancy (SonicOS 5.9 or higher)

NOTE: The Port Redundancy features are supported only on NSA and SuperMassive platforms.

Port Redundancy provides a simple method for configuring a redundant port for a physical Ethernet port. This is a valuable feature, particularly in high-end deployments, to protect against a switch failure being a single point of failure. When the primary interface is active, it processes all traffic to and from the interface. If the primary interface goes down, the secondary interface takes over all outgoing and incoming traffic. The secondary interface assumes the MAC address of the primary interface and sends the appropriate gratuitous ARP on a failover event. When the primary interface comes up again, it resumes responsibility for all traffic handling duties from the secondary interface.

In a typical Port Redundancy configuration, the primary and secondary interfaces are connected to different switches. This provides for a failover path in case the primary switch goes down. Both switches must be on the same Ethernet domain. Port Redundancy can also be configured with both interfaces connected to the same switch.

Port Redundancy Failover

SonicWall provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Port Redundancy. If all three of these features are configured on a firewall, the following order of precedence is followed in the case of a link failure:
1 Port Redundancy
2 HA
3 LB Group

When Port Redundancy is used with HA, Port Redundancy takes precedence. Typically an interface failover causes an HA failover to occur, but if a redundant port is available for that interface, then an interface failover occurs but not an HA failover. If both the primary and secondary redundant ports go down, then an HA failover occurs (assuming the secondary firewall has the corresponding port active).

When Port Redundancy is used with a LB Group, Port Redundancy again takes precedence. Any single port (primary or secondary) failure is handled by Port Redundancy just like with HA. When both ports are down, LB kicks in and tries to find an alternate interface.

Port Redundancy Configuration

To configure Port Redundancy, complete the following steps:
1 On the Network > Interfaces page, click the configure icon for the interface that is to be designated the master of the Link Aggregation Group. The Edit Interface window displays.
2 In the General tab, select a zone from the Zone pull-down menu.
3 Click on the Advanced tab.

4 In the Redundant/Aggregate Ports pull-down menu, select Port Redundancy.
5 The Redundant Port pull-down menu is displayed, with all of the currently unassigned interfaces available. Select one of the interfaces.
   NOTE: After an interface is selected as a Redundant Port, its configuration is governed by the primary interface and it cannot be configured independently. In the Interface Settings table, the interface's zone is displayed as “Redundant Port” and the configuration icon is removed.
6 Set the Link Speed for the interface to Auto-Negotiate.
7 Click OK.

Configuring VLAN Sub-Interfaces

When you add a VLAN sub-interface, you need to assign it to a Zone, assign it a VLAN Tag, and assign it to a physical interface. Based on your zone assignment, you configure the VLAN sub-interface the same way you configure a physical interface for the same zone.
1 At the bottom of the Network > Interfaces page, click Add VLAN Interface. The Add Interface window displays.

2 Select a Zone to assign to the interface. You can select LAN, DMZ, WLAN, or unassigned. The zone assignment does not have to be the same as the parent (physical) interface.
3 Enter a Portshield Interface Name for the sub-interface.
4 Declare the parent (physical) interface to which this sub-interface belongs. There is no per-interface limit to the number of sub-interfaces you can assign; you might assign sub-interfaces up to the system limit (in the hundreds).
5 For LAN and DMZ, select Static or Transparent for the IP Assignment. WLAN interfaces use static IP addresses:
   • For static IP addresses, enter the IP Address for the interface and Subnet Mask for the network.
   • For transparent mode, select an address object that contains the range of IP addresses you want to have access through this interface in the Transparent Range menu.
6 Management—Select from the following management options:
   • HTTP—When selected, allows HTTP management from the interface.
   • HTTPS—When selected, allows HTTPS management from the interface.
   • Ping—When selected, the interface responds to ping requests.
   • SNMP—When selected, the interface supports Simple Network Management Protocol (SNMP).
7 User Login—Select from the following user login options:
   • HTTP—When selected, you are able to log in using HTTP.
   • HTTPS—When selected, you are able to log in using HTTPS.
   • Add rule to enable redirect from HTTP to HTTPS—Redirects users to HTTPS when they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.
8 Check Create Default DHCP Lease Scope to indicate that the amount of time allowed for an IP address issued by DHCP will be the default.
9 Click OK. The Virtual interface displays in the VLAN Interfaces table below the Interfaces table.

WAN Connection Model

To configure the WAN connection model for a SonicWall appliance with WWAN capability running SonicOS Enhanced 3.6 or higher, navigate to the Network > Interfaces page and select one of the following options in the WAN Connection Model pull-down menu:
   • WWAN only—The WAN interface is disabled and the WWAN interface is used exclusively.
   • Ethernet only—The WWAN interface is disabled and the WAN interface is used exclusively.
   • Ethernet with WWAN Failover—The WAN interface is used as the primary interface and the WWAN interface is disabled. If the WAN connection fails, the WWAN interface is enabled and a WWAN connection is automatically initiated.
NOTE: The WAN Connection Model option does not apply to TZ200 through NSA240 units running SonicOS Enhanced 5.6 and above. For these devices, any WWAN interfaces are treated as a regular WAN interface and failover to the WWAN is configured as a secondary WAN interface. See Configuring Multiple WAN Interfaces on page 177 for more information.



Managing WWAN Connections

To initiate a WWAN connection, complete the following steps:
1 In the Interface Settings table, in the WWAN row, click Connect. The SonicWall appliance attempts to connect to the WWAN service provider.
2 To disconnect a WWAN connection, click Disconnect.

Configuring MGMT Interfaces

To configure an interface for Management (MGMT) mode, complete the following steps:
1 Click on the Configure icon in the Configure column for the Interface you want to configure. The Edit Interface window is displayed.
   NOTE: A MGMT interface cannot be added; it is a default interface present on the firewall, and can only be edited. MGMT interfaces are only supported on select SonicWall firewalls; check the SonicOS Release Notes for support information.
2 Enter the IP Address (Primary), and the IP Address (Secondary) if high availability is enabled, and the Subnet Mask of the zone in the IP Address (Primary), IP Address (Secondary), and Subnet Mask fields.
   NOTE: If Active/Active Clustering is enabled and the firewall is running SonicOS 6.1 or higher firmware, IP Address text fields for multiple nodes are available.

   NOTE: You cannot enter an IP address that is in the same subnet as another zone.
3 Enter an IP address for a Default Gateway (optional).
4 Enter any optional comment text in the Comment field. This text is displayed in the Comment column of the Interface table.
5 If you want to enable remote management of the SonicWall appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, and/or SNMP.
6 If you want to allow selected users with limited management rights to log in to the security appliance, select HTTP and/or HTTPS in User Login.
7 To add a rule to redirect from HTTP to HTTPS, click Add rule to enable redirect from HTTP to HTTPS. This option is only visible if Allow management via HTTP is enabled on the System > Administration page.
8 Click OK.

WAN FAILOVER AND LOAD BALANCING

WAN Failover enables you to configure one of the user-defined interfaces as a secondary WAN port. The secondary WAN port can be used in a simple “active/passive” setup to allow traffic to be routed through the secondary WAN port only if the Primary WAN port is unavailable. This allows the SonicWall to maintain a persistent connection for WAN port traffic by “failing over” to the secondary WAN port. For a SonicWall appliance with a WWAN interface, such as a TZ 190, you can configure failover using the WWAN interface. Failover between the Ethernet WAN (the WAN port, OPT port, or both) and the WWAN is supported through the WAN Connection Model setting.

This feature also allows you to do simple load balancing for the WAN traffic on the SonicWall. You can select a method of dividing the outbound WAN traffic between the two WAN ports and balance network traffic. Load balancing is currently only supported on Ethernet WAN interfaces, not on WWAN interfaces.

The SonicWall can monitor WAN traffic using Physical Monitoring, which detects if the link is unplugged or disconnected, or Physical and Logical Monitoring, which monitors traffic at a higher level, such as upstream connectivity interruptions.

NOTE: Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings.

To configure the WAN Failover for a SonicWall appliance, complete the following steps:
1 Expand the Network tree and click Failover & LB. The Failover & LB page displays.
2 Select Enable Load Balancing. This option must be enabled for the user to access the LB Groups and LB Statistics section of the Failover & Load Balancing configuration. If disabled, no options for Failover & Load Balancing are available to be configured.
3 Select Respond to Probes. When enabled, the appliance can reply to probe request packets that arrive on any of the appliance’s interfaces.
4 Select Any TCP-SYN to Port. This option is only available when the Respond to Probes option is enabled. When selected, the appliance only responds to TCP probe request packets having the same packet destination address TCP port number as the configured value.
5 Click Update.

To access the WAN Failover & Load Balancing Settings:
1 Click Configure and select the secondary interface(s) from the Secondary WAN Interface pull-down menu. If this is not configured, you need to configure a WAN interface from the Network > Interfaces page. Appliances running SonicOS Enhanced 5.5 can support up to three alternate WAN interfaces. For these appliances, the Secondary WAN Interface pull-down menu is replaced with up to three Alternate WAN pull-down menus. The pull-down menu contains all interfaces configured as WAN interfaces.
2 Specify how often the SonicWall appliance checks the interface (5-300 seconds) in the Check interface every field (default: 5 seconds).
3 Specify the number of times the SonicWall appliance tests the interface as inactive before failing over in the Deactive interface after field (default: 3). For example, if the SonicWall appliance tests the interface every five seconds and finds the interface inactive after three successive attempts, it fails over to the secondary interface after 15 seconds.
4 Specify the number of times the SonicWall appliance tests the interface as active before failing back to the primary interface in the Deactive interface after field (default: 3). For example, if the SonicWall appliance tests the interface every five seconds and finds the interface active after three successive attempts, it fails back to the primary interface after 15 seconds.

General tab

To configure the Group settings, complete the following steps:
1 Click Configure on the Group you wish to configure on the Network > Failover & LB page. The Edit LB Group dialog displays.

2 On the General tab, edit the display name of the Group in the Name field. The name of the default group cannot be changed.
3 From the Type drop-down menu, choose the type (or method) of LB; options change depending on the type selected:
   • Basic Failover—The four WAN interfaces use rank to determine the order of preemption when Preempt has been enabled. Only a higher-ranked interface can preempt an Active WAN interface. This is selected by default.
   • Round Robin—This option now allows you to re-order the WAN interfaces for Round Robin selection. The default order is:
      • Primary WAN
      • Alternate WAN #1
      • Alternate WAN #2
      • Alternate WAN #3
      The Round Robin then returns to the Primary WAN to continue the order.
   • Spill-over—The bandwidth threshold applies to the Primary WAN. When the threshold is exceeded, new traffic flows are allocated to the Alternates in a Round Robin manner. If the Primary WAN bandwidth goes below the configured threshold, Round Robin stops, and outbound new flows will again be sent out only through the Primary WAN.
      NOTE: Existing flows remain associated with the Alternates (as they are already cached) until they time out normally.
   • Ratio—A percentage can be set for each WAN in the LB group. To avoid problems associated with configuration errors, ensure that the percentage corresponds correctly to the WAN interface it indicates.
4 Depending on what you selected from the Type drop-down menu, one of these options displays:

Type drop-down options

Type selection: Basic Failover
   Option: Preempt and failback to preferred interfaces when possible
   Select to enable rank to determine the order of preemption. Selected by default.

Type selection: Spill-over
   Option: When bandwidth exceeds BandwidthLimit Kbit/s on PrimaryInterface, new flows will go to the alternate group members in Round Robin manner
   Specify the bandwidth for the Primary in the field. If this value is exceeded, new flows are then sent to alternate group members according to the order listed in the Selected column. The default value is 0.

Type selection: Round Robin, Spillover, and Ratio
   Option: Use Source and Destination IP Address binding
   The option is especially useful when using HTTP/HTTPS redirection or in a similar situation. For example, connection A and connection B need to be on the same WAN interface: the source and destination IP addresses in connection A are the same as those for connection B, but a different service is being used. In this case, source and destination IP address binding is required to keep both connections on the same WAN interface so that the transactions do not fail. This option is not selected by default.

5 Add, delete, and order member interfaces in the Group Members: Select here:/Selected lists. The use of the selected members in the Selected list depends on the Type selected:
   • Basic Failover: Interface Ordering:
   • Round Robin: Interface Pool:
   • Spill-over: Primary/Alt. Pool:
   • Ratio: Interface Distribution:
6 Add members by selecting a displayed interface from the Group Members: column, and then clicking Add>>.
7 You can order the entries in the Selected column by:
   a Selecting an entry
   b Clicking Up/Down.
   If you selected Ratio, instead of ordering the entries, you can specify the ratio of bandwidth for each interface. See Configuring Bandwidth as a Ratio.
   IMPORTANT: To avoid problems associated with configuration errors, ensure that the percentage corresponds correctly to the WAN interface it indicates.
   a Enter a percentage of bandwidth to be assigned to an interface in the percent (%) field. The total bandwidth for all interfaces should add up to 100%. The total percentage of bandwidth allocated is displayed. You can modify the ratio by clicking Modify Ratio or have the ratios adjusted automatically by clicking Auto Adjust.
   Delete members from the Selected: column by:
   a Selecting the displayed interface,
   b Clicking <
Configuring Bandwidth as a Ratio If Ratio is selected, the Add >> button is replaced by a percent (%) field and a Double Right Arrow button, and the Up/Down Arrow buttons are replaced with the Auto Adjust button. Enter a percentage of bandwidth to be assigned to the interface. The total percentage of bandwidth allocated is displayed. IMPORTANT: To avoid problems associated with configuration errors, ensure that the percentage corresponds correctly to the WAN interface it indicates. If multiple interfaces are selected, you can either: • Click Auto Adjust to distribute the bandwidth equally among the interfaces. • Enter a percentage of bandwidth to be assigned to each interface. To modify the bandwidth percentage for an interface: 1 Select the interface in the Selected column. 2 Click Modify Ratio. 3 Enter a new percentage in the percent (%) field. 4 Click Modify Ratio again. The percentage for the bandwidth and the total bandwidth allocated are updated.

Probing tab

When Logical probing is enabled, test packets can be sent to remote probe targets to verify WAN path availability. A new option has been provided to allow probing through the additional WAN interfaces: Alternate WAN #3 and Alternate WAN #4.

NOTE: VLANs for alternate WANs do not support QoS or VPN termination.
To configure the probing options for a specific group, complete the following steps:
1 Click the Configure icon of the Group you wish to configure on the Network > Failover & LB page. The Edit LB Group dialog displays.
2 Click the Probing tab.
3 Modify the following settings:
• Check Interface every: n sec—The interval of health checks in units of seconds. The default value is 5 seconds.
• Deactivate Interface after: n missed intervals—The number of failed health checks after which the interface sets to Failover. The default value is 6 seconds.
• Reactivate Interface after: n successful intervals—The number of successful health checks after which the interface sets to Available. The default value is 3 seconds.
• Probe responder.global.sonicwall.com on all interfaces in this group—Enable this check box to automatically set Logical/Probe Monitoring on all interfaces in the Group. When enabled, TCP probe packets are sent to the global SNWL host that responds to SNWL TCP packets, responder.global.sonicwall.com, using a target probe destination address of 204.212.170.23:50000. When this check box is selected, the rest of the probe configuration enables built-in settings automatically. The same probe is applied to all four WAN Ethernet interfaces.
NOTE: The Dialup WAN probe setting also defaults to the built-in settings.
4 Click OK.

Configuring Probe Settings

To configure the Group Member settings:
1 Click the Configure icon of the Group member you wish to configure on the Network > Failover & LB page. The Probe Settings dialog displays.
2 Select the type of probing to be done:
• Physical Monitoring Only (default; all other options are dimmed).
• Logical/Probe Monitoring enabled – all other options become available.
3 From the Logical/Probe Monitoring enabled drop-down menu, select when the probe succeeds:
• Probe succeeds when either Main Target or Alternate Target responds.
• Probe succeeds when both Main Target and Alternate Target respond.
• Probe succeeds when Main Target responds.
• Succeeds Always (no probing) – Default; all other options are dimmed.
4 From the Main Target drop-down menu, select:
• Ping (ICMP)
• TCP (default)
a In the Main Target Host field, enter the host name. The default is responder.global.sonicwall.com.
b In the Main Target Port field, enter the applicable port. The default is 50000.
5 From the Alternate Target drop-down menu, select:
NOTE: The Alternate Target options are available only when Probe succeeds when either Main Target or Alternate Target responds or Probe succeeds when both Main Target and Alternate Target respond is selected for Logical/Probe Monitoring enabled.
• Ping (ICMP)
• TCP (default)
a In the Alternate Target Host field, enter the host name. The default is responder.global.sonicwall.com.
b In the Alternate Target Port field, enter the applicable port. The default is 50000.
6 In the Default Target IP field, enter the IP address of the default target.
NOTE: This option is dimmed if Succeeds Always (no probing) is selected for Logical/Probe Monitoring enabled. An IP Address of 0.0.0.0 or a DNS resolution failure uses the configured Default Target IP.
7 Click OK.
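The probing behaviour described in the two procedures above, as an added example that is not GMS or SonicOS code: a small state machine that applies the deactivate/reactivate thresholds with the four success rules and the Default Target IP fallback. The names, the reading of the counters as consecutive intervals, and the sample outage sequence are assumptions made for illustration.

```python
"""WAN probe state machine for a Failover & LB group member.

Added example, not GMS or SonicOS code. One health check per interval;
the member goes to Failover after N consecutive missed checks and back to
Available after M consecutive successful checks, with probe success judged
by the rule chosen under Logical/Probe Monitoring enabled. Treating the
counters as consecutive intervals is an assumption.
"""
import ipaddress
from dataclasses import dataclass

# Probe success rules, named after the Logical/Probe Monitoring options
EITHER_TARGET = "either"   # Main Target or Alternate Target responds
BOTH_TARGETS = "both"      # Main Target and Alternate Target respond
MAIN_TARGET = "main"       # Main Target responds
ALWAYS = "always"          # Succeeds Always (no probing)


def probe_succeeded(rule, main_ok, alt_ok=False):
    """Return True if a single check passes under the given rule."""
    if rule == ALWAYS:
        return True
    if rule == MAIN_TARGET:
        return main_ok
    if rule == EITHER_TARGET:
        return main_ok or alt_ok
    if rule == BOTH_TARGETS:
        return main_ok and alt_ok
    raise ValueError(f"unknown probe rule: {rule}")


def resolve_probe_target(resolved_ip, default_target_ip):
    """Step 6 fallback: 0.0.0.0 or a DNS failure (None) uses the Default Target IP."""
    if resolved_ip is None or str(resolved_ip) == "0.0.0.0":
        return str(ipaddress.ip_address(default_target_ip))
    return str(ipaddress.ip_address(resolved_ip))


@dataclass
class MemberProbe:
    """Tracks one group member across health-check intervals."""
    rule: str = MAIN_TARGET
    deactivate_after: int = 6     # missed intervals before Failover (page default)
    reactivate_after: int = 3     # successful intervals before Available (page default)
    available: bool = True
    missed: int = 0
    succeeded: int = 0

    def observe(self, main_ok, alt_ok=False):
        """Record one check; return True if the member is Available afterwards."""
        if probe_succeeded(self.rule, main_ok, alt_ok):
            self.succeeded += 1
            self.missed = 0
            if not self.available and self.succeeded >= self.reactivate_after:
                self.available = True
        else:
            self.missed += 1
            self.succeeded = 0
            if self.available and self.missed >= self.deactivate_after:
                self.available = False
        return self.available


def simulate(outcomes, rule=MAIN_TARGET, deactivate_after=6, reactivate_after=3):
    """Replay (main_ok, alt_ok) probe outcomes; return the Available flag after each."""
    member = MemberProbe(rule, deactivate_after, reactivate_after)
    return [member.observe(m, a) for m, a in outcomes]


if __name__ == "__main__":
    # Constructed outage: seven missed checks, then three good ones
    outage = [(False, False)] * 7 + [(True, False)] * 3
    print(simulate(outage))  # Failover from check 6, Available again at check 10
```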

Configuring Multiple WAN Interfaces

The Multiple WAN (MWAN) feature allows the administrator to configure all but one of the appliance's interfaces for WAN network routing (one interface must remain configured for the LAN zone for local administration). All of the WAN interfaces can be probed using the SNWL Global Responder host. Multiple WAN is configured across the following sections of the UI.

Configuring Network Interfaces for Multiple WAN

The Network > Interfaces page allows more than two WAN interfaces to be configured for routing. It is possible to configure WAN interfaces in the Network Interfaces page, but not include them in the Failover & LB. Only the Primary WAN Ethernet Interface is required to be part of the LB group whenever LB has been enabled. Any WAN interface that does not belong to the LB group is not included in the LB function, but does normal WAN routing functions.
NOTE: A virtual WAN interface might belong to the LB group. However, prior to using it within the LB group, ensure that the virtual WAN network is fully routable like that of a physical WAN.

Routing the Default & Secondary Default Gateways for Multiple WAN

Because the gateway address objects previously associated with the Primary WAN and Secondary WAN are now deprecated, user-configured Static Routes need to be re-created in order to use the correct gateway address objects associated with the WAN interfaces. This must be configured manually as part of the firmware upgrade procedure on the Network > Routing page. The old address object, Default Gateway, corresponds to the default gateway associated with the Primary WAN in the LB group. The Secondary Default Gateway address object corresponds to the default gateway associated with Alternate WAN #1.
NOTE: After re-adding the routes, delete the old ones referring to the Default and Secondary Default Gateways.

Configuring DNS for Multiple WAN

If DNS name resolution issues are encountered with multiple WAN interfaces, you might need to select the Specify DNS Servers Manually option on the Network > DNS page and set the servers to Public DNS Servers (ICANN or non-ICANN). Depending on your location, some DNS Servers might respond faster than others. Verify that these servers work correctly from your installation prior to using your SonicWall appliance.

CONFIGURING ZONES

A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following a strict physical interface scheme. There are four fixed Zone types: Trusted, Untrusted, Public, and Encrypted. Trusted is associated with LAN Zones. These fixed Zone types cannot be modified or deleted. A Zone instance is created from a Zone type and named accordingly, such as Sales, Finance, and so on. Only the number of interfaces limits the number of Zone instances for Trusted and Untrusted Zone types. The Untrusted Zone type (such as the WAN) is restricted to two Zone instances. The Encrypted Zone type is a special system Zone comprising all VPN traffic and does not have any associated interfaces.

Trusted and Public Zone types offer an option, Interface Trust, to automate the creation of Access Rules to allow traffic to flow between the Interfaces of a Zone instance. For example, if the LAN Zone has interfaces X0, X3, and X5 assigned to it, checking Allow Interface Trust on the LAN Zone creates the necessary Access Rules to allow hosts on these Interfaces to communicate with each other.

To add or edit a Zone, complete the following steps:
1 Select the global icon, a group, or a SonicWall appliance.
2 Expand the Network tree and click Zones. The Zones page displays.
3 Click the Edit icon for a Zone or click Add New Zone. The Edit Zone or Add Zone dialog box displays.
4 If this is a new Zone, enter a name for the Zone.
5 Select the Security Type.
6 To configure the SonicWall appliance to automatically create the rules that allow data to freely flow between interfaces in the same Zone, select Allow Interface Trust.
7 To enforce content filtering on multiple interfaces in the same Trusted or Public Zones, select Enforce Content Filtering Service.
8 For appliances running SonicOS Enhanced 4.0 or above, if the selected node is a group or global node, or if the selected appliance is licensed for SonicWall CFS Premium, select a predefined CFS policy or the default policy from the CFS Policy pull-down list. The pull-down list is only populated if Enforce Content Filtering Service is enabled. It is not available for the WAN zone.
9 To enforce network anti-virus protection on multiple interfaces in the same Trusted or Public Zones, select Enforce Network Anti-Virus Service.
10 To enforce gateway anti-virus protection on multiple interfaces in the same Trusted or Public Zones, select Enable Gateway Anti-Virus Service.
11 To enforce Intrusion Prevention Services (IPS) on multiple interfaces in the same Trusted or Public Zones, select Enable IPS.
12 To enable Anti-Spyware on the zone, select Enable Anti-Spyware Service.
13 To enforce security policies for Global Security Clients on multiple interfaces in the same Trusted or Public Zones, select Enforce Global Security Clients.
14 To automatically create a GroupVPN policy for this zone, select Create Group VPN.
15 For appliances running SonicOS Enhanced 4.0 or above, select Enable SSL Control to allow SSL Control in this zone. This check box is not active for the VPN or Multicast zones.
16 For WLAN zones, see Configuring the WLAN Zone for information about configuring settings on the other tabs. For all other zones, click Update when you are finished. The Zone is modified or added for the selected SonicWall appliance. To clear all settings and start over, click Reset.

Configuring Guest Services on Non-Wireless Zones

Trusted and Public Zone types offer the ability to configure guest services. To configure Guest Services on a non-wireless zone, complete the following steps:
1 When the Security Type for a zone is selected as either Trusted or Public, the Guest Services tab displays.
2 Select Enable Guest Services.
3 Configure any of the following options:
– Enforce Guest Login over HTTPS—Requires guests to use HTTPS instead of HTTP to access the guest services.
– Enable inter-guest communication—Allows guests connecting to SonicPoints in this Zone to communicate directly and wirelessly with each other.
– Bypass AV Check for Guests—Allows guest traffic to bypass Anti-Virus protection.
– Enable External Guest Authentication—Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.
NOTE: Refer to the SonicWall Lightweight Hotspot Messaging tech note available at the SonicWall documentation Web site http://support.sonicwall.com/search?k=5447759 for complete configuration of the Enable External Guest Authentication feature.
– Custom Authentication Page—Redirects you to a custom authentication page when you first connect to the zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
– Post Authentication Page—Directs you to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
– Bypass Guest Authentication—Allows the appliance to integrate into environments already using some form of user-level authentication. This feature automates the Guest Services authentication process, allowing you to reach Guest Services resources without requiring authentication. This feature should only be used when unrestricted Guest Services access is desired, or when another device upstream of the appliance is enforcing authentication.
– Redirect SMTP traffic to—Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object from which to redirect traffic.
– Deny Networks—Blocks traffic from the networks you name. Select the subnet, address group, or IP address from which to block traffic.
– Pass Networks—Automatically allows traffic through the zone from the networks you select.
– Max Guests—Specifies the maximum number of guest users allowed to connect to the zone. The default is 10.
4 Click OK to apply these settings to the zone.

CONFIGURING THE WLAN ZONE

The Add Zone or Edit Zone screens for WLAN zones contain two tabs that are not available for other zones. This section describes the settings on the Wireless and Guest Services tabs of the Add or Edit Zone screens. For instructions about WLAN configuration settings on the General tab, see Configuring Zones.

To configure specific wireless-zone settings:
1 Select the global icon, a group, or a SonicWall appliance.
2 In the Network > Zones page, click Add New Zone or the Edit icon for the WLAN zone.
3 Configure the settings on the General tab as described for other zones. To expose the wireless-only tabs when adding a new zone, select Wireless for the Security Type.
4 Click the Wireless tab.
5 On the Wireless tab, select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWall SonicPoints to enter the WLAN Zone interface. This allows maximum security of your WLAN. Uncheck this option if you want to allow any traffic on your WLAN Zone regardless of whether or not it is from a wireless connection.
TIP: Uncheck Only allow traffic generated by a SonicPoint and use the zone on a wired interface to allow guest services on that interface.
6 Select SMA Enforcement to require that all traffic that enters into the WLAN Zone be authenticated through a SonicWall SMA appliance. If you select both SMA Enforcement and WiFiSec Enforcement, the Wireless zone allows traffic authenticated by either an SMA or an IPsec VPN.
7 In the SMA Server list, select an address object to direct traffic to the SonicWall SMA appliance.
8 In the SMA Service list, select the service or group of services you want to allow for clients authenticated through the SMA.
9 Select WiFiSec Enforcement to require that all traffic that enters into the WLAN Zone interface be either IPsec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled, all non-guest wireless clients connected to SonicPoints attached to an interface belonging to a Zone on which WiFiSec is enforced are required to use the strong security of IPsec. The VPN connection inherent in WiFiSec terminates at the “WLAN GroupVPN”, which you can configure independently of “WAN GroupVPN” or other Zone GroupVPN instances. If you select both WiFiSec Enforcement and SMA Enforcement, the Wireless zone allows traffic authenticated by either an SMA or an IPsec VPN.
10 If you have enabled WiFiSec Enforcement, you can specify services that are allowed to bypass the WiFiSec enforcement by checking WiFiSec Exception Service and then selecting the service you want to exempt from WiFiSec enforcement.
11 If you have enabled WiFiSec Enforcement, you can select Require WiFiSec for Site-to-Site VPN Tunnel Traversal to require WiFiSec security for all wireless connections through the WLAN zone that are part of a site-to-site VPN.
12 Select Trust WPA traffic as WiFiSec to accept WPA as an allowable alternative to IPsec. Both WPA-PSK (Pre-shared key) and WPA-EAP (Extensible Authentication Protocol using an external 802.1x/EAP capable RADIUS server) are supported on SonicPoints.
13 Under the SonicPoint Settings heading, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it is automatically provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
14 Click the Guest Services tab. You can choose from the following configuration options for Wireless Guest Services:
– Enable Wireless Guest Services—Enables guest services on the WLAN zone.
– Enforce Guest Login over HTTPS—Requires guests to use HTTPS instead of HTTP to access the guest services.
– Enable inter-guest communication—Allows guests connecting to SonicPoints in this WLAN Zone to communicate directly and wirelessly with each other.
– Bypass AV Check for Guests—Allows guest traffic to bypass Anti-Virus protection.
– Enable External Guest Authentication—Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and providing them parametrically bound network access.
NOTE: Refer to the SonicWall Lightweight Hotspot Messaging tech note available at the SonicWall documentation Web site http://support.sonicwall.com/search?k=5447759 for complete configuration of the Enable External Guest Authentication feature.
– Custom Authentication Page—Redirects you to a custom authentication page when you first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
– Post Authentication Page—Directs you to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
– Bypass Guest Authentication—Allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. This feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.
– Redirect SMTP traffic to—Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
– Deny Networks—Blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.
– Pass Networks—Automatically allows traffic through the WLAN zone from the networks you select.
– Max Guests—Specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.
– Enable Dynamic Address Translation (DAT)—Wireless Guest Services (WGS) provides spur-of-the-moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the SonicWall appliance Wireless DHCP services, and authenticate using any Web browser. Without DAT, if a WGS user is not a DHCP client, but instead has static IP settings incompatible with the Wireless WLAN network settings, network connectivity is prevented until the user’s settings change to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that allows the SonicWall Wireless to support any IP addressing scheme for WGS users. For example, the SonicWall Wireless WLAN interface is configured with an address of 172.16.31.1, one WGS client has a static IP address of 192.168.0.10 and a default gateway of 192.168.0.1, while another has a static IP address of 10.1.1.10 and a gateway of 10.1.1.1; DAT enables network communication for both of these clients.
15 Click OK to apply these settings to the WLAN zone.

CONFIGURING DNS

Domain Name System (DNS) is the Internet standard for locating domain names and translating them into IP addresses. By default, the SonicWall appliance inherits its DNS settings from the WAN Zone.
NOTE: Network > DNS is only available in appliances running SonicOS Enhanced.
To configure DNS, complete the following steps:
1 Expand the Network tree and click DNS. The DNS page displays.
2 Select the View IP Version:
• To view the IPv4 DNS settings, click IPv4.
• To view the IPv6 DNS settings, click IPv6.
3 Select from the following:
• To specify IP addresses manually, select Specify DNS Servers Manually and enter the IP addresses of the servers.
• To inherit the DNS settings from the WAN Zone configuration, select Inherit DNS Settings Dynamically from WAN Zone.
4 When you are finished, click Update. The settings are changed for the selected SonicWall appliance. To clear all screen settings and start over, click Reset.

DNS Rebinding Attack Prevention

DNS rebinding is a DNS-based attack on code embedded in web pages. Normally, requests from code embedded in web pages (JavaScript, Java, and Flash) are bound to the web site they originate from. DNS rebinding attackers register a domain that is delegated to a DNS server they control. The domains exploit very short TTL parameters to scan the attacked network and do other malicious activities.
To configure DNS Rebinding Attack Prevention, complete the following steps:
1 Select Enable DNS Rebinding Attack Prevention.
2 From the Action pull-down menu, select an action to take when a DNS rebinding attack is detected:
• Log Attack
• Log Attack & Return a Query Refused Reply
• Log Attack & Drop DNS Reply
3 (Optional) From the Allowed Domains pull-down menu, select an FQDN Address Object/Group containing allowed domain names (for example, *.sonicwall.com) for which locally connected/routed subnets should be considered legal responses.
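The detection rule behind these three settings, as an added example that is not GMS or SonicOS code: a DNS reply that resolves an external name to a locally connected or routed subnet is flagged unless the name matches an Allowed Domains pattern, and the selected action is applied. The local subnets, the allowed pattern, the reply format and the sample replies are constructed for illustration.

```python
"""DNS rebinding attack prevention check on a DNS reply.

Added example, not GMS or SonicOS code. A reply whose A/AAAA answers fall
inside a locally connected/routed subnet is treated as a rebinding attempt
unless the queried name matches an allowed-domain pattern; the configured
action then decides what is logged and what (if anything) is forwarded.
"""
import ipaddress
from fnmatch import fnmatchcase

# Actions, named as on the Action pull-down menu
LOG_ATTACK = "Log Attack"
LOG_AND_REFUSE = "Log Attack & Return a Query Refused Reply"
LOG_AND_DROP = "Log Attack & Drop DNS Reply"

# Constructed "locally connected/routed" subnets behind the appliance
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "192.168.1.0/24", "fd00::/8")]
# Constructed Allowed Domains object, using the wildcard form from the page
ALLOWED_DOMAINS = ["*.sonicwall.com"]


def name_allowed(qname, patterns):
    """True if the queried name matches an allowed-domain pattern (case-insensitive)."""
    name = qname.rstrip(".").lower()
    return any(fnmatchcase(name, p.lower()) for p in patterns)


def local_answers(answers, local_subnets):
    """Return (address, ttl) for A/AAAA answers that point into a local subnet."""
    hits = []
    for rtype, rdata, ttl in answers:
        if rtype not in ("A", "AAAA"):
            continue  # CNAME, MX, etc. carry no address to check
        addr = ipaddress.ip_address(rdata)
        if any(addr in net for net in local_subnets):
            hits.append((rdata, ttl))
    return hits


def inspect_reply(reply, action, local_subnets=LOCAL_SUBNETS, allowed=ALLOWED_DOMAINS):
    """Decide what happens to one DNS reply.

    reply: {"qname": str, "answers": [(rtype, rdata, ttl), ...]}
    Returns {"verdict": ..., "log": [...], "reply": forwarded reply or None}.
    """
    log = []
    if name_allowed(reply["qname"], allowed):
        return {"verdict": "allowed", "log": log, "reply": reply}
    hits = local_answers(reply["answers"], local_subnets)
    if not hits:
        return {"verdict": "clean", "log": log, "reply": reply}
    for rdata, ttl in hits:
        # The TTL is recorded because very short TTLs are characteristic of rebinding
        log.append(f"DNS rebinding: {reply['qname']} -> {rdata} ttl={ttl}s action={action}")
    if action == LOG_ATTACK:
        forwarded = reply                       # logged, but the reply still passes
    elif action == LOG_AND_REFUSE:
        forwarded = {"qname": reply["qname"], "rcode": "REFUSED", "answers": []}
    elif action == LOG_AND_DROP:
        forwarded = None                        # client sees a timeout instead
    else:
        raise ValueError(f"unknown action: {action}")
    return {"verdict": "attack", "log": log, "reply": forwarded}


if __name__ == "__main__":
    # Constructed reply: an outside name resolving to an internal host with a 1-second TTL
    sample = {"qname": "rebind.example.", "answers": [("A", "192.168.1.10", 1)]}
    print(inspect_reply(sample, LOG_AND_REFUSE))
```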

CONFIGURING DYNAMIC DNS

Dynamic DNS (DDNS) is a service provided by various companies and organizations that dynamically changes IP addresses to automatically update DNS records without manual intervention. This service allows for network access using domain names rather than IP addresses, even when the target’s IP addresses change. DDNS is supported for IPv6 as well as IPv4.

To configure Dynamic DNS on the SonicWall security appliance, complete these steps:
1 Expand the Network tree and click Dynamic DNS. The Dynamic DNS page displays.
2 Click Add Dynamic DNS Profile. The Add Dynamic DNS Profile window is displayed.
3 Select the Provider from the drop-down menu at the top of the page. DynDNS.org and changeip.com use HTTPS, while yi.org and no-ip.com use HTTP. This example uses DynDNS.org. DynDNS.org requires the selection of a service. This example assumes you have created a dynamic service record with dyndns.org.
4 Enter a name to assign to the DDNS entry in the Profile Name field. This can be any value used to identify the entry in the Dynamic DNS Settings table. The minimum length is 1 character, and the maximum length is 63 characters.
5 If Enable this profile is checked, the profile is administratively enabled, and the SonicWall security appliance takes the actions defined in the Online Settings section on the Advanced tab. This option is selected by default.
6 If Use Online Settings is checked, the profile is administratively online. This option is selected by default.
7 Enter your dyndns.org username and password in the User Name and Password fields. For user names, the minimum length is 1 character, and the maximum length is 63 characters. For passwords, the minimum length is 1 character, and the maximum length is 31 characters.
8 Enter the fully qualified domain name (FQDN) of the hostname you registered with dyndns.org in the Domain Name field. Make sure you provide the same hostname and domain as you configured. The minimum length is 1 character, and the maximum length is 63 characters.
9 Optionally, select a WAN interface in the Bound to pull-down menu to assign this DDNS profile to that specific WAN interface. This allows administrators who are configuring multiple-WAN load balancing to advertise a predictable IP address to the DDNS service. By default, this is set to ANY, which means the profile is free to use any of the WAN interfaces on the appliance.
10 When using dyndns.org, select the Service Type from the pull-down list that corresponds to your type of service through dyndns.org. The options are:
• Dynamic—A free Dynamic DNS service.
• Custom—A managed primary DNS solution that provides a unified primary/secondary DNS service and a web-based interface. Supports both dynamic and static IP addresses.
• Static—A free DNS service for static IP addresses.
11 When using DynDNS.org, you might optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Enable Backup MX if your DDNS provider allows for the specification of an alternative IP address for the MX record.
12 Click the Advanced tab. You can typically leave the default settings on this page.
13 The On-line Settings section provides control over what address is registered with the dynamic DNS provider. The options are:
• Let the server detect IP Address—The dynamic DNS provider determines the IP address based upon the source address of the connection. This is the most common setting.
• Automatically set IP Address to the Primary WAN Interface IP Address—This causes the SonicWall device to assert its WAN IP address as the registered IP address, overriding auto-detection by the dynamic DNS server. Useful if detection is not working correctly.
• Specify IP Address manually—Allows the IP address to be registered to be manually specified and asserted.
14 The Off-line Settings section controls what IP Address is registered with the dynamic DNS service provider if the dynamic DNS entry is taken off-line locally (disabled) on the SonicWall. The options are:
• Do nothing—The default setting. This allows the previously registered address to remain current with the dynamic DNS provider.
• Use the Off-Line IP Address previously configured at Providers site—If your provider supports manual configuration of Off-Line Settings, you can select this option to use those settings when this profile is taken administratively offline.
• Make Host Unknown—Unregisters the entry.
• Specify IP Address manually—Manually specify the IP address.
15 When you are finished, click Update. The settings are changed for the selected SonicWall appliance. To clear all screen settings and start over, click Reset.

CONFIGURING NAT POLICIES

NOTE: The NAT policies page is only supported in SonicOS Enhanced.
Topics:
• Network > NAT Policies
• About NAT in GMS
• NAT Policies Tab
• NAT Policy Settings
• NAT Load Balancing Overview
• Creating NAT Policies: Examples
• Using NAT Load Balancing

Network > NAT Policies

About NAT in GMS

IMPORTANT: Before configuring NAT Policies, be sure to create all Address Objects associated with the policy. For instance, if you are creating a One-to-One NAT policy, be sure you have Address Objects for your public and private IP addresses.

TIP: By default, LAN to WAN has a NAT policy predefined on the firewall.

The Network Address Translation (NAT) engine in SonicOS allows you to define granular NAT policies for your incoming and outgoing traffic. By default, the firewall has a preconfigured NAT policy to allow all systems connected to the X0 interface to perform Many-to-One NAT using the IP address of the X1 interface, and a policy to not perform NAT when traffic crosses between the other interfaces. This section explains how to set up the most common NAT policies.

Understanding how to use NAT policies starts with the construction of an IP packet. Every packet contains addressing information that allows the packet to get to its destination, and for the destination to respond to the original requester. The packet contains (among other things) the requester’s IP address, the protocol information of the requester, and the destination’s IP address. The NAT Policies engine in SonicOS can inspect the relevant portions of the packet and can dynamically rewrite the information in specified fields for incoming, as well as outgoing, traffic.

You can add up to 512 NAT Policies on a SonicWall Security Appliance running SonicOS, and they can be as granular as you need. It is also possible to create multiple NAT policies for the same object. For instance, you can specify that an internal server use one IP address when accessing Telnet servers, and use a totally different IP address for all other protocols. Because the NAT engine in SonicOS supports inbound port forwarding, it is possible to hide multiple internal servers off the WAN IP address of the firewall. The more granular the NAT Policy, the more precedence it takes.

The Maximum routes and NAT policies allowed per firewall model table below shows the maximum number of routes and NAT policies allowed for each network security appliance model.

Maximum routes and NAT policies allowed per firewall model

Model            Static Routes   Dynamic Routes   NAT Policies
SM 9600          3072            4096             2048
SM 9400          3072            4096             2048
SM 9200          3072            4096             2048
NSA 6600         2048            4096             2048
NSA 5600         2048            4096             2048
NSA 4600         1088            2048             1024
NSA 3600         1088            2048             1024
NSA 2600         1088            2048             1024
TZ600            256             1024             512
TZ500/TZ500 W    256             1024             512
TZ400/TZ400 W    256             1024             512
TZ300/TZ300 W    256             1024             512
SOHO W           256             1024             512

Topics:
• About NAT64
• Pref64::/n
• Glossary

About NAT64

Beginning with GMS 8.3, GMS supports the NAT64 feature that enables an IPv6-only client to contact an IPv4-only server through an IPv6-to-IPv4 translation device known as a NAT64 translator. NAT64 provides the ability to access legacy IPv4-only servers from IPv6 networks; a SonicWall with NAT64 is placed as the intermediary router. As a NAT64 translator, GMS allows an IPv6-only client from any zone to initiate communication to an IPv4-only server with proper route configuration. GMS maps IPv6 addresses to IPv4 addresses so IPv6 traffic changes to IPv4 traffic and vice versa. IPv6 address pools (represented as Address Objects) and IPv4 address pools are created to allow mapping by translating packet headers between IPv6 and IPv4. The IPv4 addresses of IPv4 hosts are translated to and from IPv6 addresses by using an IPv6 prefix configured in GMS.

The DNS64 translator enables NAT64. Either an IPv6 client must configure a DNS64 server, or the DNS server address the IPv6 client gets automatically from the gateway must be a DNS64 server. The DNS64 server of an IPv6-only client creates AAAA (IPv6) records from A (IPv4) records. GMS does not act as a DNS64 server.

IMPORTANT: Currently, NAT64:
• Only translates Unicast packets carrying TCP, UDP, and ICMP traffic.
• Supports FTP and TFTP application-layer protocol streams, but does not support H.323, MSN, Oracle, PPTP, RTSP, and RealAudio application-layer protocol streams.
• Does not support IPv4-initiated communications to a subset of the IPv6 hosts.
• Does not support High Availability.
For NAT64 traffic matches, two mixed connection caches are created. Thus, the capacity for NAT64 connection caches is half that for pure IPv4 or IPv6 connections.

Pref64::/n

The DNS64 server uses Pref64::/n to judge whether an IPv6 address is an IPv4-converted IPv6 address by comparing the first n bits with pref64::. DNS64 creates IPv4-converted IPv6 addresses by synthesizing pref64:: with IPv4 address records and sending a DNS response to IPv6-only clients. Pref64::/n defines a source network that can go from an IPv6-only client through NAT64 to an IPv4-only client. In GMS, a Network Address Object can be configured to represent all addresses within pref64::/n, that is, all IPv6 clients that can do NAT64. For configuring a Pref64::/n Address Object, see Default Pref64 Network Address Object.

Glossary

DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers
IPv4-converted IPv6 addresses: IPv6 addresses used to represent IPv4 nodes in an IPv6 network
IPv4-embedded IPv6 addresses: IPv6 addresses in which 32 bits contain an IPv4 address
NAT: Network Address Translation
NAT64: Stateful Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers
NATPT: Network Address Translation - Protocol Translation
PMTUD: Path MTU discovery
XLATs: IP/ICMP translators

NAT POLICIES TAB

The NAT Policies tab allows you to view and manage your NAT Policies.

VIEWING NAT POLICY ENTRIES

Topics:
• Changing the Display
• Filtering the Display
• Displaying Information about Policies
• Deleting Entries

Changing the Display

You can change the display of your NAT policies in the NAT Policies tab by selecting one of the Select radio buttons:

All Types: Displays all NAT policies, including Custom Policies and Default Policies. Initially, before you create any NAT policies, only the Default Policies are shown.

Default Policies: Displays only Default Policies.

Custom Policies: Displays only those NAT policies you configure.

Filtering the Display

You can enter the policy number (the number listed in the # column) in the Search field to display a specific NAT policy. You can also enter alphanumeric search patterns, such as WLAN, X1 IP, or Private, to display only those policies of interest.

Displaying Information about Policies

Moving your pointer over the Comment icon in the Configure column of the NAT Policies table displays the comments entered in the Comments field of the Add NAT Policy dialog for custom policies. Default policies have a brief description of the type of NAT policy, such as IKE NAT Policy or NAT Management Policy.

Moving your pointer over the Statistics icon in the Configure column of the NAT Policies table displays traffic statistics for the NAT policy.

Deleting Entries

Clicking the Delete icon deletes the NAT Policy entry. If the icon is dimmed, the NAT Policy is a default entry, and you cannot delete it. Selecting the checkboxes of specific custom policies makes the Delete button available. Clicking the button deletes the selected policies. Clicking Delete All deletes all custom policies.

SonicWall appliances support Network Address Translation (NAT). NAT is the automated translation of IP addresses between different networks. For example, a company might use private IP addresses on a LAN that are represented by a single IP address on the WAN side of the SonicWall appliance. SonicWall appliances support two types of NAT:
• Address-to-Address Translation—local addresses are matched to public IP addresses. For example, the private IP address 10.50.42.112 might be mapped to the public IP address 132.22.3.2.
• Port Translation or Network Address Port Translation (NAPT)—local addresses are dynamically matched to public IP address/port combinations (standard TCP ports). For example, the private IP address 192.168.102.12 might be mapped to the public IP address 48.12.11.1 using port 2302.

NOTE: IP address/port combinations are dynamic and not preserved for new connections. For example, the first connection for an IP address might use port 2302, but the second connection might use 2832.

IPv6 address objects display in the Original Source, Original Destination, Translated Source, and Translated Destination columns of the NAT Policies table. To add a NAT Policy, click the Add NAT Policy link. To edit an existing policy, click the Configure icon for the policy you want to edit. NAT policies for IPv6 are added and edited in the same way as for IPv4.

Common Types of Mapping

SonicWall supports several types of address mapping. These include:
• One-to-One Mapping—one local IP address is mapped to one public IP address using Address-to-Address translation.
• Many-to-One Mapping—many local IP addresses are mapped to a single public IP address using NAPT.
• Many-to-Many Mapping—many local IP addresses are mapped to many public IP addresses. If the number of public IP addresses is greater than or equal to the number of local IP addresses, the SonicWall appliance uses Address-to-Address translation. If the number of public IP addresses is less than the number of local IP addresses, the SonicWall appliance uses NAPT. For example, if there are 10 private IP addresses and 5 public IP addresses, two private IP addresses will be assigned to each public IP address using NAPT.

SonicWall NAT Policy Fields

When configuring a NAT Policy, you configure a group of settings that specifies how the IP address originates and how it will be translated. Additionally, you can apply a group of filters that allow you to apply different policies to specific services and interfaces.

• Original Source—used to remap IP addresses based on the source address, this field specifies an Address Object that can consist of an IP address or IP address range. NOTE: This field can also be used as a filter.
• Translated Source—specifies the IP address or IP address range to which the original source will be mapped. This drop-down menu setting is what the specified Original Source is translated to as it exits the firewall, whether it is to another interface, or into/out of VPN tunnels. You can:
  • Specify predefined Address Objects
  • Select Original
  • Create your own Address Object entries. These entries can be single host entries, address ranges, or IP subnets.
• Original Destination—used to remap IP addresses based on the destination address, this field specifies an Address Object that can consist of an IP address or IP address range. NOTE: This field can also be used as a filter. This drop-down menu setting is used to identify the destination IP address(es) in the packet crossing the firewall, whether it is across interfaces, or into/out of VPN tunnels. When creating outbound NAT policies, this entry is usually set to Any, as the destination of the packet is not being changed, but the source is. However, these Address Object entries can be single host entries, address ranges, or IP subnets.
• Translated Destination—specifies the IP address or IP address range to which the original destination will be mapped. This drop-down menu setting is what the firewall translates the specified Original Destination to as it exits the firewall, whether it is to another interface, or into/out of VPN tunnels. When creating outbound NAT policies, this entry is usually set to Original, as the destination of the packet is not being changed, but the source is. However, these Address Object entries can be single host entries, address ranges, or IP subnets.
• Original Service—used to filter destination addresses by service, this field specifies a Service Object that can be a single service or group of services. This drop-down menu setting is used to identify the IP service in the packet crossing the firewall, whether it is across interfaces, or into/out of VPN tunnels. You can use the predefined services on the firewall, or you can create your own entries. For many NAT policies, this field is set to Any, as the policy is only altering source or destination IP addresses.
• Translated Service—specifies the service or port to which the original service is remapped. This drop-down menu setting is what the firewall translates the Original Service to as it exits the firewall, whether it is to another interface, or into/out of VPN tunnels. You can use the predefined services in the firewall, or you can create your own entries. For many NAT Policies, this field is set to Original, as the policy is only altering source or destination IP addresses.
• Inbound Interface—filters source addresses by interface. This drop-down menu setting is used to specify the entry interface of the packet. When dealing with VPNs, this is usually set to Any, as VPN tunnels are not really interfaces.
• Outbound Interface—filters destination addresses by interface. This drop-down is used to specify the exit interface of the packet after the NAT policy has been applied. This field is mainly used for specifying to which WAN interface to apply the translation. IMPORTANT: Of all fields in a NAT policy, this one has the most potential for confusion.
• Enable NAT Policy—by default, this box is checked, meaning the new NAT policy is activated the moment it is saved. To create a NAT policy entry but not activate it immediately, clear this box.
• Comment—this field can be used to describe your NAT policy entry. The field has a 32-character limit, and once saved, can be viewed in the main Network > NAT Policies page by running the mouse over the text balloon next to the NAT policy entry. Your comment appears in a pop-up window as long as the mouse is over the text balloon.

Common NAT Configuration Types

The following sections describe common NAT configuration types:
• One-to-One Mapping
• Many-to-One Mapping
• Many-to-Many Mapping

One-to-One Mapping

To configure one-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP address in the Original Source field and the public IP address that is used to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

NOTE: If you map more than one private IP address to the same public IP address, the private IP addresses will automatically be configured for port mapping or NAPT.

To configure one-to-one mapping from the public network to the private network, select the Address Object that corresponds to the public network IP address in the Original Destination field and the private IP address that is used to reach the server in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.

NOTE: If you map one public IP address to more than one private IP address, the public IP address is mapped to the first private IP address. Load balancing is not supported. Additionally, you must set the Original Source to Any.

Many-to-One Mapping

To configure many-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP address that is used to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

NOTE: You can also specify Any in the Original Source field and the Address Object of the LAN interface in the Translated Source field.

Many-to-Many Mapping

To configure many-to-many mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP addresses to which they are mapped in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

NOTE: If the IP address range specified in the Original Source is larger than the Translated Source, the SonicWall appliance uses port mapping or NAPT. If the Translated Source is equal to or larger than the Original Source, addresses are individually mapped.

To configure many-to-many mapping from the public network to the private network, select the Address Object that corresponds to the public network IP addresses in the Original Destination field and the IP addresses on the private network in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.

NOTE: If the IP address range specified in the Original Destination is smaller than the Translated Destination, the addresses are individually mapped to the first IP addresses in the translated range. If the Translated Destination is equal to or smaller than the Original Destination, addresses are individually mapped.
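The following Python is an added example, not SonicWall or GMS code: it models how the NAT policy fields, the Any and Original keywords, and the mapping rules described in the preceding sections combine to match and translate a packet, including the many-to-many decision between Address-to-Address translation and NAPT. The packet fields, the NAPT port numbers and the way private hosts are spread over the public pool are constructed assumptions, not the appliance's algorithm.

```python
"""Added example (not SonicWall code) modelling the NAT policy fields above:
Original* and interface fields are filters ("Any" matches everything) and
Translated* fields give the result ("Original" keeps the field unchanged);
source translation follows the documented rule (more private addresses than
public ones means NAPT, otherwise Address-to-Address). Ports are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Tuple

ANY = "Any"            # filter keyword: matches every value
ORIGINAL = "Original"  # translation keyword: leave the field unchanged

def _addr_field(value):
    """Keep the keywords; parse anything else as an IPv4 network or range."""
    return value if value in (ANY, ORIGINAL) else IPv4Network(value)

@dataclass
class Packet:
    src: str
    dst: str
    src_port: int
    service: str = "HTTP"
    inbound_interface: str = "X0"
    outbound_interface: str = "X1"

    def __post_init__(self):
        self.src, self.dst = IPv4Address(self.src), IPv4Address(self.dst)

@dataclass
class NatPolicy:
    original_source: str = ANY
    translated_source: str = ORIGINAL
    original_destination: str = ANY
    translated_destination: str = ORIGINAL
    original_service: str = ANY
    inbound_interface: str = ANY
    outbound_interface: str = ANY
    enabled: bool = True
    next_port: Dict[IPv4Address, int] = field(default_factory=dict)  # NAPT

    def __post_init__(self):
        for name in ("original_source", "translated_source",
                     "original_destination", "translated_destination"):
            setattr(self, name, _addr_field(getattr(self, name)))

def _filter_ok(wanted, actual) -> bool:
    if wanted == ANY:
        return True
    if isinstance(wanted, IPv4Network):
        return actual in wanted
    return wanted == actual

def policy_matches(p: NatPolicy, pkt: Packet) -> bool:
    """A disabled policy never matches; every filter field must agree."""
    return p.enabled and all((
        _filter_ok(p.original_source, pkt.src),
        _filter_ok(p.original_destination, pkt.dst),
        _filter_ok(p.original_service, pkt.service),
        _filter_ok(p.inbound_interface, pkt.inbound_interface),
        _filter_ok(p.outbound_interface, pkt.outbound_interface)))

def source_mode(p: NatPolicy) -> str:
    """Translation type the many-to-many rule selects for the source."""
    if p.translated_source == ORIGINAL:
        return "none"
    if p.original_source == ANY:   # unbounded private side: always NAPT
        return "NAPT"
    if p.original_source.num_addresses > p.translated_source.num_addresses:
        return "NAPT"
    return "Address-to-Address"

def translate_source(p: NatPolicy, pkt: Packet) -> Tuple[IPv4Address, int]:
    """Return (public address, public port) for the packet's source."""
    mode = source_mode(p)
    if mode == "none":
        return pkt.src, pkt.src_port
    pool = list(p.translated_source)
    base = 0 if p.original_source == ANY else int(p.original_source.network_address)
    offset = int(pkt.src) - base
    if mode == "Address-to-Address":
        return pool[offset], pkt.src_port        # one-to-one, port kept
    # NAPT: private hosts are spread over the pool by offset (16 private over
    # 8 public gives two per public address); the port is not preserved.
    public = pool[offset % len(pool)]
    port = p.next_port.get(public, 2302)         # constructed base port
    p.next_port[public] = port + 1
    return public, port

def translate_destination(p: NatPolicy, pkt: Packet) -> IPv4Address:
    """Inbound mapping of a public destination onto the private side."""
    if p.translated_destination == ORIGINAL:
        return pkt.dst
    pool = list(p.translated_destination)
    offset = int(pkt.dst) - int(p.original_destination.network_address)
    if offset >= len(pool):
        raise ValueError("original destination range exceeds translated range")
    # One public address mapped onto several private ones lands on the first.
    return pool[offset]
```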



NAT Load Balancing and Probing

NAT load balancing provides the ability to balance incoming traffic across multiple, similar network resources. Load Balancing distributes traffic among similar network resources so that no single server becomes overwhelmed, allowing for reliability and redundancy. If one server becomes unavailable, traffic is routed to available resources, providing maximum uptime.

With probing enabled, the SonicWall uses one of two methods to probe the addresses in the load-balancing group: either a simple ICMP ping query to determine if the resource is alive, or a TCP socket open query to determine if the resource is alive. Per the configurable intervals, the SonicWall can direct traffic away from a non-responding resource, and return traffic to the resource after it has begun to respond again.

NAT Load Balancing Methods

NAT load balancing is configured on the Advanced tab of a NAT policy. SonicOS offers the following NAT methods:
• Sticky IP—Source IP always connects to the same Destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism, and is recommended for most deployments.
• Round Robin—Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.
• Block Remap/Symmetrical Remap—These two methods are useful when you know the source IP addresses/networks (for example, when you want to precisely control how traffic from one subnet is translated to another).
• Random Distribution—Source IP connects to Destination IP randomly. This method is useful when you wish to randomly spread traffic across internal resources.

For more information about NAT Load Balancing, see the SonicOS Enhanced 4.0 Administration Guide.

Configuring NAT Policies

To configure NAT Policies on a unit running SonicOS Enhanced, complete the following steps:

1 Expand the Network tree and click NAT Policies. The NAT Policies page displays.

2 To edit an existing policy, click its Edit icon. To add a new policy, click Add NAT Policy.

3 Configure the following:
• Original Source—used to remap IP addresses based on the source address, this field specifies an Address Object that can consist of an IP address or IP address range.
• Translated Source—specifies the IP address or IP address range to which the original source will be mapped.
• Original Destination—used to remap IP addresses based on the destination address, this field specifies an Address Object that can consist of an IP address or IP address range.
• Translated Destination—specifies the IP address or IP address range to which the original destination will be mapped.
• Original Service—used to filter source addresses by service, this field specifies a Service Object that can be a single service or group of services.
• Translated Service—used to filter destination addresses by service, this field specifies a Service Object that can be a single service or group of services.
• Inbound Interface—this drop-down menu setting specifies the entry interface of the packet. The default is Any. When dealing with VPNs, this is usually set to Any (the default), as VPN tunnels are not really interfaces.
• Outbound Interface—this drop-down menu specifies the exit interface of the packet after the NAT policy has been applied. This field is mainly used for specifying to which WAN interface to apply the translation. IMPORTANT: Of all fields in a NAT policy, this one has the most potential for confusion. When dealing with VPNs, this is usually set to Any (the default), as VPN tunnels are not really interfaces. Also, as noted in Configuring NAT Policies, when creating inbound 1-2-1 NAT Policies where the destination is being remapped from a public IP address to a private IP address, this field must be set to Any.

4 To enable the NAT policy, select Enable.

5 Add any comments to the Comments field.

6 If you selected an Address Group Object for any of the pull-down lists on the General tab, you can make changes on the Advanced tab. Click the Advanced tab.

NOTE: Except for Disable Source Port Remap, the options on this tab can only be activated when a group is specified in one of the drop-down menus on the General tab. Otherwise, the NAT policy defaults to Sticky IP as the NAT method.

7 Select the NAT method from the NAT Method pull-down list. For information on the available methods, see NAT Load Balancing Methods.

8 Optionally, to force the appliance to do only IP address translation and no port translation for this NAT policy, select Disable Source Port Remap. GMS then preserves the source port of the connection while executing other NAT mapping. This option is available when adding or editing a NAT policy if the source IP address is being translated. It is not selected by default.

NOTE: This option is unavailable and dimmed if the Translated Source (on the General tab) is set to Original.

9 Optionally, select Enable Probing and make the desired changes to the following fields:
• Probe host every ... seconds—indicates how often to probe the addresses in the load-balancing group
• Probe Type—specifies whether to use Ping (ICMP) or TCP (checks that a socket can be opened) for probing
• Port—specifies the port that the probe uses, such as TCP port 80 for a Web server
• Reply time out—specifies the number of seconds to wait for a reply to the probe
• Deactivate host after ... missed intervals—specifies the number of reply time outs before deciding that the host is unreachable
• Reactivate host after ... successful intervals—specifies the number of replies received before deciding that the host is available for load balancing again

10 RST Response Counts as Miss – Select to count RST responses as misses. The option is selected by default if Enable Port Probing is selected.

11 Enable Port Probing – Select to enable port probing for TCP. Selecting this option enhances NAT to also consider the port while load balancing. This option is disabled by default.

12 When you are finished, click Update. The policy is added and you are returned to the NAT Policies screen.
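As an added example (not SonicWall or GMS code), the following Python models a load-balancing group with the probe counters from step 9 (deactivate after N missed intervals, reactivate after M successful ones, RST counted as a miss) together with the Sticky IP and Round Robin methods described under NAT Load Balancing Methods. Probe results are fed in by hand rather than sent on the network, and the way a new sticky source is assigned a member is a constructed assumption.

```python
"""Added example (not SonicWall code): a NAT load-balancing group with the
probe settings from the Advanced tab. Each member keeps consecutive
missed/successful interval counters; a member is deactivated after
`deactivate_after` misses and reactivated after `reactivate_after`
successes. Sticky IP and Round Robin are modelled; the choice of member
for a new sticky source (address modulo live members) is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass
class Member:
    address: str
    alive: bool = True
    missed: int = 0      # consecutive missed intervals
    succeeded: int = 0   # consecutive successful intervals


@dataclass
class LoadBalancingGroup:
    members: List[Member]
    method: str = "Sticky IP"     # or "Round Robin"
    probe_type: str = "TCP"       # "Ping" or "TCP"; recorded, not sent here
    probe_port: int = 80
    probe_interval_s: int = 5     # "Probe host every ... seconds"
    reply_timeout_s: int = 3      # "Reply time out"
    deactivate_after: int = 3     # missed intervals
    reactivate_after: int = 3     # successful intervals
    rst_counts_as_miss: bool = True
    sticky: Dict[str, str] = field(default_factory=dict)
    rr_index: int = 0

    def _member(self, address: str) -> Member:
        return next(m for m in self.members if m.address == address)

    def is_alive(self, address: str) -> bool:
        return self._member(address).alive

    def record_probe(self, address: str, reply: Optional[str]) -> bool:
        """Feed one probe result: "ok", "rst", or None for a reply time out.
        Returns the member's alive state after the counters are applied."""
        m = self._member(address)
        miss = reply is None or (reply == "rst" and self.rst_counts_as_miss)
        if miss:
            m.missed, m.succeeded = m.missed + 1, 0
            if m.alive and m.missed >= self.deactivate_after:
                m.alive = False
        else:
            m.succeeded, m.missed = m.succeeded + 1, 0
            if not m.alive and m.succeeded >= self.reactivate_after:
                m.alive = True
        return m.alive

    def select(self, source_ip: str) -> Optional[str]:
        """Pick the destination for a new connection from source_ip, or
        None when no member is alive."""
        live = [m.address for m in self.members if m.alive]
        if not live:
            return None
        if self.method == "Round Robin":
            chosen = live[self.rr_index % len(live)]
            self.rr_index += 1
            return chosen
        # Sticky IP: a source keeps its destination while it is alive; a
        # dead destination is replaced and the replacement then sticks.
        chosen = self.sticky.get(source_ip)
        if chosen not in live:
            chosen = live[int(ip_address(source_ip)) % len(live)]
            self.sticky[source_ip] = chosen
        return chosen
```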

CONFIGURING WEB PROXY FORWARDING SETTINGS

A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests. Setting up a Web proxy server on a network can be cumbersome, because each computer on the network must be configured to direct Web requests to the server. If there is a proxy server on the SonicWall appliance’s network, you can move the SonicWall appliance between the network and the proxy server, and enable Web Proxy Forwarding. This forwards all WAN requests to the proxy server without requiring the computers to be individually configured.

Configuring Automatic Proxy Forwarding (Web Only)

NOTE: The proxy server must be located on the WAN or DMZ; it cannot be located on the LAN.

To configure a proxy Web server, select the Network > Web Proxy page.

1 Connect your Web proxy server to a hub, and connect the hub to the SonicWall appliance’s WAN or DMZ port.
2 Type the name or IP address of the proxy server in the Proxy Web Server (name or IP address) field.
3 Type the proxy IP port in the Proxy Web Server Port field.
4 To bypass the proxy servers if a failure occurs, select Bypass Proxy Servers Upon Proxy Server Failure.
5 Select Forward DMZ Client Requests to Proxy Server if you have clients configured on the DMZ.
6 Select Divert traffic to the WXA series appliance’s Web Cache if you would like to divert web traffic to a WXA series appliance.
7 For Client Inclusion Address Object, specify the appropriate client inclusion option from the pull-down. Select the Address Object or Group that represents those local subnets with web traffic that should be delivered through the WXA Web Cache. Alternatively, choose Any so that traffic from any source IP address is forwarded to the WXA.
8 For Server Exclusion Address Object, specify the appropriate server exclusion option from the pull-down. Select the Address Object or Group that contains the destination addresses of web servers for which traffic should not be diverted through the WXA Web Cache. By selecting None, no web server is excluded and all appropriate traffic is sent through the WXA.
9 Click Update.
10 Confirm the Description and Schedule and click Accept.
11 After the SonicWall appliance has been updated, a message confirming the update is displayed at the bottom of the browser window.

Bypass Proxy Servers Upon Proxy Failure

If a Web proxy server is specified on the Firewall > Web Proxy page, selecting Bypass Proxy Servers Upon Proxy Server Failure allows clients behind the SonicWall appliance to bypass the Web proxy server in the event it becomes unavailable. Instead, the client’s browser accesses the Internet directly as if a Web proxy server were not specified.

Adding a Proxy Server

To add a Web proxy server through which users’ web requests might come, complete the following steps:

1 In the User Proxy Settings section, click Add.
2 Enter a proxy server host name or IP address in the text-field, and then click OK. The new proxy server appears in the User Proxy Servers list. This list is fully configurable and includes edit, remove, and delete actions.
3 Click Update.

CONFIGURING ROUTING IN SONICOS ENHANCED

If you have routers on your interfaces, you can configure the SonicWall appliance to route network traffic to specific predefined destinations. Static routes must be defined if the network connected to an interface is segmented into subnets, either for size or practical considerations. For example, a subnet can be created to isolate a section of a company, such as finance, from network traffic on the rest of the LAN, DMZ, or WAN.

To add static routes, complete the following steps:

1 Expand the Network tree and click Routing. The Routing page displays.
2 Click Add Route Policy.
3 Select the source address object from the Source list box.
4 Select the destination address object from the Destination list box.
5 Specify the type of service that is routed from the Service list box.
6 Select the address object that acts as a gateway for packets matching these settings.
7 Select the interface through which these packets are routed from the Interface list box.
8 Specify the RIP metric in the Metric field.
9 Type a descriptive comment into the Comment field.
10 For appliances running SonicOS Enhanced 4.0 and above, optionally select Disable route when the interface is disconnected.
11 For appliances running SonicOS Enhanced 4.0 and above, select Allow VPN path to take precedence to allow a matching VPN network to take precedence over the static route when the VPN tunnel is up.
12 For appliances running SonicOS Enhanced 6.1 and above, select Permit TCP Acceleration to allow accelerated TCP traffic to pass through the SonicWall appliance.
13 Click the Probe drop-down menu and select a probe type.
14 Click Disable route when probe succeeds.
15 Click Probe default state is UP.
16 To configure the routing policy advanced settings, click the Advanced tab.
17 Enter the ToS hexadecimal value in the TOS text-field.
18 Enter the ToS Mask hexadecimal value in the TOS Mask text-field.
19 Enter a value for the Admin Distance, or select Auto for an automatically created Admin Distance.
20 When you are finished, click Update. The route settings are configured for the selected SonicWall appliance(s). To clear all screen settings and start over, click Reset.

Probe-Enabled Policy Based Routing Configuration

For appliances running SonicOS Enhanced 5.5 and above, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.

Policy Based Routing is fully supported for IPv6 by selecting IPv6 address objects and gateways for route policies on the Network > Routing page. IPv6 address objects are listed in the Source, Destination, and Gateway columns of the Route Policies table. Configuring routing policies for IPv6 is nearly identical to IPv4.

To configure a policy based route, complete the following steps:

1 In the Probe pull-down menu, select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object. For more information, see Configuring Network Monitor.
2 Typical configurations do not have Disable route when probe succeeds checked, because administrators typically want to disable a route when a probe to the route’s destination fails. This option is provided to give administrators added flexibility for defining routes and probes.
3 Select Probe default state is UP to have the route consider the probe to be successful (that is, in the “UP” state) when the attached Network Monitor policy is in the “UNKNOWN” state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from “IDLE” to “ACTIVE,” because this transition sets all Network Monitor policy states to “UNKNOWN.”
4 Click Update to apply the configuration.

Configuring RIP in SonicOS Enhanced

Routing Information Protocol (RIP) is a distance-vector routing protocol that is commonly used in small homogeneous networks. Using RIP, a router periodically sends its entire routing table to its closest neighbor, which passes the information to its next neighbor, and so on. Eventually, all routers within the network have the information about the routing paths. When attempting to route packets, a router checks the routing table and selects the path that requires the fewest hops.

SonicWall appliances support RIPv1 or RIPv2 to advertise their static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWall and remote VPN gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 or RIPv2 based on your router’s capabilities or configuration. RIPv1 is an earlier version of the protocol that has fewer features, and it also sends packets through broadcast instead of multicast. RIPv2 packets are backwards-compatible and can be accepted by some RIPv1 implementations that provide an option of listening for multicast packets. The RIPv2 Enabled (broadcast) selection broadcasts packets instead of multicasting packets, and is for heterogeneous networks with a mixture of RIPv1 and RIPv2 routers.

The images in this section show management interfaces running SonicOS 5.9 and higher firmware versions.

To configure RIP, refer to the following subsections:
• Route Advertisement
• Advanced Routing Services
• Global RIP Configuration
• Global OSPFv2 Configuration

ROUTE ADVERTISEMENT

To configure the Route Advertisement for RIP, complete the following steps:

1 Expand the Network tree and click RIP (ENH). The RIP (ENH) page displays. This screen displays both IPv4 and IPv6 interfaces for both RIP and OSPF.
2 Click the Edit icon for an interface. The Edit Route Advertising Settings dialog box displays.
3 Select the RIP type from the RIP drop-down menu:
• Disabled
• Send and Receive
• Send Only
• Receive Only
• Passive
4 Select the Receive type from the Receive drop-down menu:
• RIPv1 Enabled
• RIPv2 Enabled
5 Select a Send type from the Send drop-down menu:
• RIPv1
• RIPv2 - v1 Compatible
• RIPv2
6 Select or deselect the check boxes for Split Horizon, Poisoned Reverse, and (or) Use Password to meet your configuration requirements. If Use Password is selected, enter a password in the Password text-field.
7 Click Update.
8 Click the Edit icon for the OSPF status.
9 Click the OSPFv2 drop-down menu, and select Disable, Enable, or Passive.
10 Enter a numeric value for the OSPF Area.
11 Click the OSPFv2 Area Type drop-down menu, then select Normal, Stub Area, Totally Stubby Area, Not-so-Stubby Area, or Totally Stubby NSSA.
12 Enter the Dead Interval (1-65535).
13 Enter the Hello Interval (1-65535).
14 If desired for your configuration, enable Auto Cost. Configure the Auto Cost settings:
  a Enter the Interface Cost.
  b Enter the Router Priority.
  c Click the Authentication drop-down menu and select Disable, Simple Password, or Message Digest.
  d Provide a password.

ADVANCED ROUTING SERVICES

For appliances running SonicOS versions 5.6 and higher, VPN Tunnel Interfaces can be configured for advanced routing. To do so, you must enable advanced routing for the tunnel interface on the Advanced tab of its configuration. See Generic VPN Configuration in SonicOS Enhanced for more information.

After you have enabled advanced routing for a Tunnel Interface, it is displayed in the list with the other interfaces in the Advanced Routing table on the Network > RIP page. The RIP configurations for Tunnel Interfaces are very similar to the configurations for traditional interfaces, with the addition of two new options that are listed at the bottom of the RIP configuration window under a new Global Unnumbered Configuration heading.

When running SonicOS version 5.9 or higher, a BGP drop-down menu is available under the Advanced Routing Services heading. This menu gives you the options to enable or disable the BGP feature and is only available if Use Advanced Routing is selected.

Global Unnumbered Configuration

Because Tunnel Interfaces are not physical interfaces and have no inherent IP address, they must “borrow” the IP address of another interface. Therefore, the advanced routing configuration for a Tunnel Interface includes the following options for specifying the source and destination IP addresses for the tunnel:
• IP Address Borrowed From - The interface whose IP address is used as the source IP address for the Tunnel Interface. NOTE: The borrowed IP address must be a static IP address.
• Remote IP Address - The IP address of the remote peer to which the Tunnel Interface is connected. In the case of a SonicWall-to-SonicWall configuration with another Tunnel Interface, this should be the IP address of the borrowed interface of the Tunnel Interface on the remote peer.

NOTE: The IP Address Borrowed From and Remote IP Address values apply to both RIP for the Tunnel Interface.



Guidelines for Configuring Tunnel Interfaces for Advanced Routing

The following guidelines ensure success when configuring Tunnel Interfaces for advanced routing:
• The borrowed interface must have a static IP address assignment.
• The borrowed interface cannot have RIP enabled on its configuration. TIP: SonicWall recommends creating a VLAN interface that is dedicated solely for use as the borrowed interface. This avoids conflicts when using wired connected interfaces.
• The IP address of the borrowed interface should be from a private address space, and should be unique with respect to any remote Tunnel Interface endpoints.
• The Remote IP Address of the endpoint of the Tunnel Interface should be in the same network subnet as the borrowed interface.
• The same borrowed interface might be used for multiple Tunnel Interfaces, provided that the Tunnel Interfaces are all connected to different remote devices.
• When more than one Tunnel Interface on an appliance is connected to the same remote device, each Tunnel Interface must use a unique borrowed interface.

Depending on the specific circumstances of your network configuration, these guidelines might not be essential to ensure that the Tunnel Interface functions properly. But these guidelines are SonicWall best practices that will avoid potential network connectivity issues.

GLOBAL RIP CONFIGURATION

To configure the Global RIP settings, complete the following steps:

1 Select IPv4 or IPv6.
2 Enter a Default Metric (1-15).
3 Enter an Administrative Distance (1-255).
4 Select or deselect the desired check boxes and enter metrics for the following:
• Originate Default Route
• Redistribute Static Routes
• Redistribute Connected Networks
• Redistribute OSPF Routes
• Redistribute Remote VPN Networks
5 Click Update.

GLOBAL OSPFV2 CONFIGURATION

To configure the Global OSPFv2 settings, complete the following steps:

1 Select IPv4 or IPv6.
2 Enter the OSPF Router ID in the text field.
3 Enter the Default Metric in the text field (1-16777214).
4 Click the ABR Type drop-down menu and select Standard, Cisco, IBM, or Shortcut.
5 Enter the Auto-Cost Reference BW in Mb per second (1-4294967).
6 In the Originate Default Route menu, select Never, When WAN is up, or Always.
7 Select or deselect the check boxes and enter the Metric, Metric Type, and Tag for the Global OSPFv2 configuration:
• Redistribute Static Routes
• Redistribute Connected Networks
• Redistribute RIP Routes
• Redistribute Remote VPN Networks
8 When you are finished, click Update. The settings are changed for the SonicWall appliance. To clear all screen settings and start over, click Reset.

Configuring IP Helper The IP Helper allows the SonicWall to forward DHCP requests originating from the interfaces on a SonicWall to a centralized DHCP server on the behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer three routing mechanism is not capable of acting as a DHCP server itself. The IP Helper also allows NetBIOS broadcasts to be forwarded with DHCP client requests.

NOTE: IP Helper is only supported in SonicOS Enhanced.

To enable IP Helper and add an IP Helper policy, complete the following steps:

1 Expand the Network tree and click IP Helper. The IP Helper page displays.
2 Select Enable IP Helper.

For appliances running SonicOS Enhanced versions lower than 5.5, you can also configure DHCP and NetBIOS support:

3 To enable DHCP support, select Enable DHCP Support.
4 To enable NetBIOS support, select Enable NetBIOS Support.

Configuring Relay Protocols

Appliances running SonicOS Enhanced versions 5.5 and higher support Enhanced IP Helper that offers configurable Relay Protocols. Appliances running SonicOS Enhanced 6.1 and higher have default Relay Protocols available. The following built-in applications are included:

• DHCP—UDP port number 67/68
• Net-Bios NS—UDP port number 137
• Net-Bios Datagram—UDP port number 138
• DNS—UDP port number 53
• Time Service—UDP port number 37
• Wake on LAN (WOL)
• mDNS—UDP port number 5353; multicast address 224.0.0.251

To enable any of these protocols, select Enable and click Update. To configure additional protocols, complete the following steps:

1 Click Add Relay Protocol. The Add IP Helper Application window displays.
2 Configure the following options:
• Name—The name of the protocol. Note that names are case sensitive and must be unique.
• Port 1/2—The unique UDP port number.
• Translate IP—Translation of the source IP while forwarding a packet.
• Timeout—IP Helper cache timeout in seconds, in increments of 10.
• Raw Mode—Unidirectional forwarding that does not create an IP Helper cache. This is suitable for most of the user-defined protocols that are used for discovery, for example WOL/mDNS.
3 Click Update.

Configuring IP Helper Policies

1 To add an IP Helper Policy, click Add IP Helper Policy. The Add IP Helper dialog box displays.
2 The policy is enabled by default. To configure the policy without enabling it, clear Enabled.
3 Click the Protocol drop-down menu and select one of the following:
• DHCP
• NetBIOS
• DNS
• TIME
• WOL
• mDNS
• ss
4 Select a source Interface or Zone from the From menu.
5 Select a destination IP address or subnet from the To menu.
6 Enter an optional comment in the Comment field.
7 Click OK to add the policy to the IP Helper Policies table.
8 Repeat this procedure for each policy to add. To delete a policy, click the trash can icon next to the policy.
9 When you are finished, click Update. The settings are changed for the selected SonicWall appliance. To clear all screen settings and start over, click Reset.

CONFIGURING ARP

ARP (Address Resolution Protocol) maps layer three (IP addresses) to layer two (physical or MAC addresses) to enable communications between hosts residing on the same subnet. ARP is a broadcast protocol that can create excessive amounts of network traffic on your network. To minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously learned ARP information. To configure ARP, complete the following steps:

1 Expand the Network tree and click ARP. The ARP page displays.

Static ARP Entries

The Static ARP feature allows for static mappings to be created between layer two MAC addresses and layer three IP addresses, but also provides the following capabilities:

• Publish Entry—Enabling the Publish Entry option in the Add Static ARP window causes the SonicWall device to respond to ARP queries for the specified IP address with the specified MAC address. This can be used, for example, to have the SonicWall device reply for a secondary IP address on a particular interface by adding the MAC address of the SonicWall. See the Secondary Subnet section that follows.
• Bind MAC Address—Enabling the Bind MAC Address option in the Add Static ARP window binds the MAC address specified to the designated IP address and interface. This can be used to ensure that a particular workstation (as recognized by the network card's unique MAC address) can only be used on a specified interface on the SonicWall. After the MAC address is bound to an interface, the SonicWall will not respond to that MAC address on any other interface. It also removes any dynamically cached references to that MAC address that might have been present, and it prohibits additional (non-unique) static mappings of that MAC address.
• Update IP Address Dynamically—The Update IP Address Dynamically setting in the Add Static ARP window is a sub-feature of the Bind MAC Address option. This allows for a MAC address to be bound to an interface when DHCP is being used to dynamically allocate IP addressing. Enabling this option blurs the IP Address field, and populates the ARP Cache with the IP Address allocated by the SonicWall's internal DHCP server, or by the external DHCP server if IP Helper is in use.

Secondary Subnets with Static ARP

The Static ARP feature allows for secondary subnets to be added on other interfaces, and without the addition of automatic NAT rules.

Adding a Secondary Subnet using the Static ARP Method

1 Add a 'published' static ARP entry for the gateway address that is used for the secondary subnet, assigning it the MAC address of the SonicWall interface to which it is connected.
2 Add a static route for that subnet, so that the SonicWall regards it as valid traffic, and knows to which interface to route that subnet's traffic.
3 Add Access Rules to allow traffic destined for that subnet to traverse the correct network interface.
4 Optional: Add a static route on upstream device(s) so that they know which gateway IP to use to reach the secondary subnet.

Flushing the ARP Cache It is sometimes necessary to flush the ARP cache if the IP address has changed for a device on the network. Because the IP address is linked to a physical address, the IP address can change but still be associated with the physical address in the ARP Cache. Flushing the ARP Cache allows new information to be gathered and stored in the ARP Cache. Click Flush ARP Cache to clear the information. To configure a specific length of time for the entry to time out, enter a value in minutes in the ARP Cache entry time out (minutes) field.

Navigating and Sorting the ARP Cache Table Entries

To view ARP cache information, click Request ARP Cache display from unit(s). The ARP Cache table provides easy pagination for viewing a large number of ARP entries. You can navigate a large number of ARP entries listed in the ARP Cache table by using the navigation control bar located at the top right of the ARP Cache table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page, respectively. You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific ARP entry. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page. You can sort the entries in the table by clicking on the column header. The entries are sorted in ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates descending order.

CONFIGURING NEIGHBOR DISCOVERY

The Neighbor Discovery Protocol (NDP) is a messaging protocol that was created as part of IPv6 to complete a number of the tasks that ICMP and ARP accomplish in IPv4. Just like ARP, Neighbor Discovery builds a cache of dynamic entries, and the administrator can configure static Neighbor Discovery entries. The following table shows the IPv6 neighbor messages and functions that are analogous to the traditional IPv4 neighbor messages.

IPv6 neighbor messages and functions

IPv4 Neighbor message                    IPv6 Neighbor message
ARP request message                      Neighbor solicitation message
ARP reply message                        Neighbor advertisement message
ARP cache                                Neighbor cache
Gratuitous ARP                           Duplicate address detection
Router solicitation message (optional)   Router solicitation (required)
Router advertisement message (optional)  Router advertisement (required)
Redirect Message                         Redirect Message

NDP Objects

Use the NDP Object Search tool to find existing NDP objects. The search results display in the NDP Objects table. Each entry details the IP Address, MAC Address, and Interface of the NDP object. From this table you can add, edit, or delete NDP objects by clicking the Add New NDP Object or Delete NDP Object(s) links, or by clicking Configure for an existing object.

NDP Cache Request an NDP cache list by clicking the Request NDP Cache List from Firewall link located in the “Request NDP Cache List” section. The requested list displays in the NDP Cache Objects table, where information about the IP Address, Type, MAC Address, Interface, Timeout, and Flush is shown. To search for particular NDP cache lists, use the NDP Cache Search tool. The filtered results display in the NDP Cache Objects table. To flush the NDP cache, click the Flush NDP Cache link.

CONFIGURING SWITCHPORTS

The SwitchPorts page allows you to manage the assignments of ports to PortShield interfaces. A PortShield interface is a virtual interface with a set of ports assigned to it. To configure a SwitchPort, complete the following steps:

1 Expand the Network tree and click SwitchPorts. The SwitchPorts page displays.
2 Click the Edit icon for the SwitchPort you want to configure. The SwitchPort Configuration window displays. The name of the PortShield interface group is assigned by default.
3 Click the Port Enable list box and click either Enable or Disable to either activate or deactivate the interfaces in the PortShield interface group.
4 Click the PortShield interface list box and click the PortShield interface you created in the previous procedure.
5 Click the Link Speed list box and click the throughput speed you want to assign to the interface. The choices are:
• Auto negotiate
• 100Mbps Full Duplex
• 100Mbps Half Duplex
• 10Mbps Full Duplex
• 10Mbps Half Duplex
NOTE: Do not change this setting from the default of Auto negotiate unless your system requires you to do so. Also, note that for any setting involving the Full Duplex feature to work properly, be sure to configure Full Duplex on both ends of the link. If Full Duplex is not configured on both ends, a duplex mismatch occurs, causing throughput loss.
6 Click the Rate Limit option and select a value. The rate limit value enables you to throttle traffic coming into the switch. Remember, these values apply to inbound traffic only.
7 Click OK. Wait for a few seconds. The system then incorporates the changes you made to the PortShield interface group and adds it back to the switch ports list.

CONFIGURING PORTSHIELD GROUPS

NOTE: TZ series firewalls supported Dell Networking X-Series switches and the Dell Networking X-Series Solution, which expand the capability of the firewalls, especially for portshielding interfaces. Beginning in Release 8.3, SM and NSA series firewalls also support X-Series switches and the X-Series Solution. See Configuring PortShield Interfaces for Dell Networking X-Series Switches.

NOTE: The NSA2600 firewall does not support PortShield, and the SM 9800 and SOHO W firewalls do not support the X-Series Solution.

A PortShield interface is a virtual interface with a set of ports, including ports on Dell Networking X-Series, or extended, switches, assigned to it. PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well. In effect, each context has its own wire-speed PortShield that enjoys the protection of a dedicated, deep packet inspection firewall.

On the Network > PortShield Groups page, you can manually group ports together that allow them to share a common network subnet as well as common zone settings.

TIP: Zones can always be applied to multiple interfaces in the Network > Interfaces page, even without the use of PortShield groupings. These interfaces, however, do not share the same network subnet unless they are grouped using PortShield.

You can assign any combination of ports to a PortShield interface. All ports not assigned to a PortShield interface are assigned to the LAN interface.

NOTE: The PortShield Groups page is supported on appliances running SonicOS Enhanced versions 5.5 or higher.



To assign an interface to a PortShield group, complete the following steps:

1 Navigate to the Network > PortShield Groups page.
2 Click on the Configure icon for the interface you want to assign to a PortShield group. The Edit Switch Port window displays. NOTE: Interfaces must be configured before being grouped with PortShield.
3 In the Port Enabled pull-down menu, select whether you want to enable or disable the interface.
4 In the PortShield Interface pull-down menu, select which interface you want to assign as the master interface for the PortShield interface.
5 In the Link Speed pull-down menu, select the link speed for the interfaces.
6 Click OK.

CONFIGURING PORTSHIELD INTERFACES FOR DELL NETWORKING X-SERIES SWITCHES

NOTE: TZ series appliances support Dell Networking X-Series switches, which expand the capability of the appliances, especially for portshielding interfaces.

IMPORTANT: When an extended switch has been powered off and then the firewall is restarted (rebooted), it could take up to five minutes before the firewall discovers the extended switch and reports the Status of the switch as Connected.

When configuring extended switches in a PortShield group, it could take up to five minutes for the configuration to be displayed on the Network > PortShield Groups page.

CONFIGURING MAC-IP ANTI-SPOOF

MAC and IP address-based attacks are increasingly common in today’s network security environment. These types of attacks often target a Local Area Network (LAN) and can originate from either outside or inside a network. In fact, anywhere internal LANs are somewhat exposed, such as in office conference rooms, schools, or libraries, could provide an opening to these types of attacks. These attacks also go by various names: man-in-the-middle attacks, ARP poisoning, SPITS. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing administrators with different ways to control access to a network, and by eliminating spoofing attacks at OSI Layer 2/3.

The effectiveness of the MAC-IP Anti-Spoof feature focuses on two areas. The first is admission control, which allows administrators the ability to select which devices gain access to the network. The second area is the elimination of spoofing attacks, such as denial-of-service attacks, at Layer 2. To achieve these goals, two caches of information must be built: the MAC-IP Anti-Spoof Cache, and the ARP Cache.

The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to be allowed inside the network. An incoming packet’s source MAC and IP addresses are looked up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:

• DHCP Server-based leases (SonicWall’s DHCP Server)
• DHCP relay-based leases (SonicWall’s IP Helper)
• Static ARP entries
• User created static entries

The ARP Cache is built through the following subsystems:

• ARP packets; both ARP requests and responses
• Static ARP entries from user-created entries
• MAC-IP Anti-Spoof Cache

The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so egress packets (packets exiting the network) are not spoofed by a bad device or by unwanted ARP packets. This prevents a firewall from routing a packet to the unintended device, based on mapping. This also prevents man-in-the-middle attacks by refreshing a client’s own MAC address inside its ARP cache.

The following sections describe how to configure MAC-IP Anti-Spoof:

• Interface Settings
• Anti-Spoof Cache
• Spoof Detect List

Interface Settings To edit MAC-IP Anti-Spoof settings within the Network Security Appliance management interface, go to the Network > MAC-IP Anti-spoof page.

To configure settings for a particular interface, click the pencil icon in the Configure column for the desired interface. The Settings window is displayed for the selected interface.

In this window, the following settings can be enabled or disabled by clicking on the corresponding check box. After your setting selections for this interface are complete, click OK. The following options are available:

• Enable: Enables the MAC-IP Anti-Spoof subsystem on traffic through this interface
• Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries
• DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the SonicWall DHCP server
• DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases, from the DHCP relay, based on IP Helper
• ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.
• ARP Watch: Enables generation of unsolicited unicast ARP responses towards the client’s machine for every MAC-IP cache entry on the interface. This process helps prevent man-in-the-middle attacks.
• Enforce: Enables ingress control on the interface, blocking traffic from devices not listed in the MAC-IP Anti-Spoof cache.
• Spoof Detection: Logs all devices that fail to pass the Anti-Spoof cache check and lists them in the Spoof Detected List.
• Allow Management: Allows through all packets destined for the appliance’s IP address, even if coming from devices currently not listed in the Anti-Spoof cache.

After the settings have been adjusted, the interface’s listing is updated on the MAC-IP Anti-Spoof panel. The green circle with white check mark icons denote which settings have been enabled.

NOTE: The following interfaces are excluded from the MAC-IP Anti-Spoof list: Non-ethernet interfaces, port-shield member interfaces, Layer 2 bridge pair interfaces, high availability interfaces, and high availability data interfaces.



Anti-Spoof Cache

The MAC-IP Anti-Spoof Cache lists all the devices presently listed as “authorized” to access the network, and all devices marked as “blacklisted” (denied access) from the network. To add a device to the list, complete the following steps:

1 Click Add Anti-Spoof Cache.
2 Enter the IP address for the device.
3 Enter the MAC address for the device. Enter the information in the provided fields.
4 Check the a router setting to allow traffic coming from behind this device.
5 Check the a blacklisted device setting to block packets from this device, irrespective of its IP address.
6 Click OK.

If you need to edit a static Anti-Spoof cache entry, click the pencil icon, under the Configure column, on the same line. Single, or multiple, static anti-spoof cache entries can be deleted. To do this, select the “delete check box” next to each entry, then click Delete Anti-Spoof Cache(s). To clear cache statistics, select the desired devices, then click Clear Stats.

Some packet types are bypassed even though the MAC-IP Anti-Spoof feature is enabled:
1) Non-IP packets
2) DHCP packets with source IP as 0
3) Packets from a VPN tunnel
4) Packets with invalid unicast IPs as their source IPs
5) Packets from interfaces where the Management status is not enabled under anti-spoof settings

The Anti-Spoof Cache Search section provides the ability to search the entries in the cache. To search the MAC-IP Anti-Spoof Cache, complete the following steps:

7 In the search pull-down menu, select whether you want to search by IP address or Interface.
8 Select what type of search: Equals, Starts with, Ends with, or Contains.
9 Enter a search string in the text box.
10 Click Search. Matching entries in the MAC-IP Anti-Spoof cache are displayed.
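The ingress decision described above (source MAC/IP lookup in the Anti-Spoof cache, the a router and a blacklisted device entry settings, the Enforce, Spoof Detection and Allow Management interface options, and the five bypassed packet types) as an added Python model; this is not SonicWall's code and is not part of the guide. The class and field names, the reading of bypass item 5 as "anti-spoof not enabled on the interface", and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# One Anti-Spoof cache entry: the "a router" and "a blacklisted device"
# settings from the Add Anti-Spoof Cache dialog (constructed model).
@dataclass
class CacheEntry:
    ip: str
    mac: str
    router: bool = False        # allow traffic arriving from behind this device
    blacklisted: bool = False   # block this MAC irrespective of its IP address

# Subset of the per-interface settings on the Network > MAC-IP Anti-spoof page.
@dataclass
class InterfaceSettings:
    enable: bool = True
    enforce: bool = True            # ingress control: drop devices not in the cache
    spoof_detection: bool = True    # record failures in the Spoof Detected List
    allow_management: bool = False  # packets for the appliance IP pass regardless

# Minimal view of one ingress packet; src_ip=None models a non-IP frame.
@dataclass
class Packet:
    iface: str
    src_mac: str
    src_ip: Optional[str]
    dst_ip: Optional[str] = None
    is_dhcp: bool = False
    from_vpn: bool = False

class AntiSpoofIngress:
    def __init__(self, settings: Dict[str, InterfaceSettings], appliance_ip: str):
        self.settings = settings
        self.appliance_ip = appliance_ip
        self.cache: Dict[str, CacheEntry] = {}              # keyed by lower-case MAC
        self.spoof_detected: List[Tuple[str, str, str]] = []  # (iface, mac, ip)

    def add_entry(self, entry: CacheEntry) -> None:
        self.cache[entry.mac.lower()] = entry

    def _bypassed(self, pkt: Packet) -> bool:
        """The packet types the guide lists as bypassing the check entirely."""
        cfg = self.settings.get(pkt.iface)
        if cfg is None or not cfg.enable:              # 5) interface not under anti-spoof (assumption)
            return True
        if pkt.src_ip is None:                         # 1) non-IP packets
            return True
        if pkt.is_dhcp and pkt.src_ip == "0.0.0.0":    # 2) DHCP packets with source IP 0
            return True
        if pkt.from_vpn:                               # 3) packets from a VPN tunnel
            return True
        src = ipaddress.ip_address(pkt.src_ip)         # 4) invalid unicast source IPs
        return src.is_multicast or src.is_unspecified or src.is_reserved

    def check(self, pkt: Packet) -> str:
        """Return 'bypass', 'allow' or 'drop' for one ingress packet."""
        if self._bypassed(pkt):
            return "bypass"
        cfg = self.settings[pkt.iface]
        entry = self.cache.get(pkt.src_mac.lower())
        if entry is not None:
            if entry.blacklisted:
                return "drop"
            if entry.ip == pkt.src_ip or entry.router:
                return "allow"
        # The source MAC/IP pair is not authorised by the cache.
        if cfg.allow_management and pkt.dst_ip == self.appliance_ip:
            return "allow"
        if cfg.spoof_detection:
            self.spoof_detected.append((pkt.iface, pkt.src_mac, pkt.src_ip))
        return "drop" if cfg.enforce else "allow"

def demo() -> Dict[str, str]:
    """Constructed sample traffic on interface X0; returns each packet's verdict."""
    af = AntiSpoofIngress({"X0": InterfaceSettings()}, appliance_ip="10.0.0.1")
    af.add_entry(CacheEntry("10.0.0.20", "aa:bb:cc:00:00:01"))
    af.add_entry(CacheEntry("10.0.0.2", "aa:bb:cc:00:00:02", router=True))
    af.add_entry(CacheEntry("10.0.0.66", "aa:bb:cc:00:00:66", blacklisted=True))
    samples = {
        "known pair": Packet("X0", "aa:bb:cc:00:00:01", "10.0.0.20"),
        "known MAC, spoofed IP": Packet("X0", "aa:bb:cc:00:00:01", "10.0.0.99"),
        "behind router": Packet("X0", "aa:bb:cc:00:00:02", "192.168.5.7"),
        "blacklisted": Packet("X0", "aa:bb:cc:00:00:66", "10.0.0.66"),
        "dhcp discover": Packet("X0", "aa:bb:cc:00:00:09", "0.0.0.0", is_dhcp=True),
        "unknown device": Packet("X0", "aa:bb:cc:00:00:09", "10.0.0.77"),
    }
    return {name: af.check(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```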

Spoof Detect List NOTE: Spoof Detected List display is available only at the Unit level. The Spoof Detect List displays devices that failed to pass the ingress anti-spoof cache check. Entries on this list can be added as a static anti-spoof entry. To view the Spoof Detect List, click the Request Spoof Detected List from Firewall link.

To add an entry to the static anti-spoof list, click on the pencil icon under the “Add” column for the desired device. An alert message window opens, asking if you wish to add this static entry. Click OK to proceed. Entries can be flushed from the list by clicking Flush. The name of each device can also be resolved using NetBios, by clicking Resolve.

CONFIGURING NETWORK MONITOR This section describes how to configure the Network Monitor feature, which provides a flexible mechanism for monitoring network path viability. The results and status of this monitoring are displayed on the Network Monitor page, and are also provided to affected client components and logged in the system log. Each custom NM policy defines a destination Address Object to be probed. This Address Object might be a Host, Group, Range, or FQDN. When the destination Address Object is a Group, Range or FQDN with multiple resolved addresses, Network Monitor probes each probe target and derives the NM Policy state based on the results. GMS monitors any remote host status in the local or remote network. GMS now checks the availability of the traffic between the appliance and the target host in real time, thus ensuring the target host can receive network traffic. GMS also displays the status of the monitored host on the Network > Network Monitor page.

To add a network monitor policy on the SonicWall security appliance, complete these steps: 1 From the Network > Network Monitor page, click Add. The Add Network Monitor Policy window is displayed.

2 Enter the following information to define the network monitor policy:
• Name - Enter a description of the Network Monitor policy.
• Probe Target - Select the Address Object or Address Group to be the target of the policy. Address Objects might be Host, Group, Range, or FQDN objects. Objects within a Group object might be Host, Range, or FQDN Address Objects. You can dynamically create a new address object by selecting Create New Address Object.
• Next Hop Gateway - Manually specifies the next hop that is used from the outbound interface to reach the probe target. This option must be configured for Explicit Route policies. For non-Explicit Route policies, the probe uses the appliance’s route table to determine the egress interface to reach the probe target. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network.
• Local IP Address - Select the local IP address from the drop-down menu.
• Outbound Interface - Manually specifies which interface is used to send the probe. This option must be configured for Explicit Route policies. For non-Explicit Route policies, the probe uses the appliance’s route table to determine the egress interface to reach the probe target.
• Probe Type - Select the appropriate type of probe for the network monitor policy:
  • Ping (ICMP) - This probe uses the route table to find the egress interface and next-hop for the defined probe targets. A Ping echo-request is sent out the egress interface with the source IP address of the egress interface. An echo response must return on the same interface within the specified Response Timeout time limit for the ping to be counted as successful.
  • TCP - This probe uses the route table to find the egress interface and next-hop for the defined probe targets. A TCP SYN packet is sent to the probe target with the source IP address of the egress interface. A successful response is counted independently for each probe target when the target responds with either a SYN/ACK or RST through the same interface within the Response Timeout time window. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned.
  • Ping (ICMP) - Explicit Route - This probe bypasses the route table and uses the source IP address of the interface specified in the Outbound Interface pull-down menu to send a Ping to the targets. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network.
  • TCP - Explicit Route - This probe bypasses the route table and uses the source IP address of the interface specified in the Outbound Interface pull-down menu to send a TCP SYN packet to the targets. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned.
• Port - Specifies the destination port of target hosts for TCP probes. A port is not specified for Ping probes.
3 Optionally, you can adjust the following thresholds for the probes:
• Probe hosts every - The number of seconds between each probe. This number cannot be less than the Reply time out field.
• Reply time out - The number of seconds the Network Monitor waits for a response for each individual probe before a missed probe is counted for the specific probe target. The Reply time out cannot exceed the Probe hosts every field.
• Probe state is set to DOWN after - The number of consecutive missed probes that triggers a host state transition to DOWN.
• Probe state is set to UP after - The number of consecutive successful probes that triggers a host state transition to UP.
• All Hosts Must Respond - Selecting this check box specifies that all of the probe target Host States must be UP before the Policy State can transition to UP. If not checked, the Policy State is set to UP when any of the Host States are UP.
• RST Response Counts As Miss - Selecting this check box specifies that an RST response counts as a missed response.
4 Optionally, you can enter a descriptive comment about the policy in the Comment field.
5 Click Update to submit the Network Monitor policy. Then click Update on the Network > Network Monitor page.
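The host and policy state transitions described by the thresholds above (consecutive misses to DOWN, consecutive successes to UP, All Hosts Must Respond, RST Response Counts As Miss, and the Reply time out / Probe hosts every constraint), as an added Python model that is not SonicWall's code and not part of the guide. The class names, the string encoding of probe responses, and the probe timeline are assumptions constructed for the example; it also exposes the probe-enabled static route rule from the following section (route usable only while the policy is UP).

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Thresholds:
    """The probe thresholds from the Add Network Monitor Policy window."""
    probe_every_s: int = 3
    reply_timeout_s: int = 1
    down_after: int = 3          # consecutive misses before a host goes DOWN
    up_after: int = 3            # consecutive successes before a host goes UP
    all_hosts_must_respond: bool = False
    rst_counts_as_miss: bool = False

    def __post_init__(self) -> None:
        # Guide: the Reply time out cannot exceed the Probe hosts every field.
        if self.reply_timeout_s > self.probe_every_s:
            raise ValueError("Reply time out cannot exceed Probe hosts every")

@dataclass
class HostState:
    state: str = "UNKNOWN"       # UNKNOWN until one of the thresholds is reached
    hits: int = 0                # consecutive successful probes
    misses: int = 0              # consecutive missed probes

class NetworkMonitorPolicy:
    # Probe responses are modelled as strings (constructed for this example).
    HIT_RESPONSES = {"echo-reply", "syn-ack"}

    def __init__(self, name: str, probe_type: str, targets: List[str], th: Thresholds):
        self.name = name
        self.probe_type = probe_type   # "Ping (ICMP)" or "TCP"; explicit-route variants behave alike here
        self.th = th
        self.hosts: Dict[str, HostState] = {t: HostState() for t in targets}
        self.state = "UNKNOWN"

    def _is_hit(self, response: str) -> bool:
        if response in self.HIT_RESPONSES:
            return True
        if response == "rst" and self.probe_type.startswith("TCP"):
            # A RST is a valid TCP reply unless "RST Response Counts As Miss" is set.
            return not self.th.rst_counts_as_miss
        return False   # "timeout" (or a RST to a Ping probe) is a miss

    def record(self, target: str, response: str) -> str:
        """Apply one probe result for one target; return the derived policy state."""
        h = self.hosts[target]
        if self._is_hit(response):
            h.hits, h.misses = h.hits + 1, 0
            if h.hits >= self.th.up_after:
                h.state = "UP"
        else:
            h.misses, h.hits = h.misses + 1, 0
            if h.misses >= self.th.down_after:
                h.state = "DOWN"
        self.state = self._derive_policy_state()
        return self.state

    def _derive_policy_state(self) -> str:
        states = [h.state for h in self.hosts.values()]
        if self.th.all_hosts_must_respond:
            if all(s == "UP" for s in states):
                return "UP"
            return "DOWN" if any(s == "DOWN" for s in states) else "UNKNOWN"
        if any(s == "UP" for s in states):
            return "UP"
        return "DOWN" if all(s == "DOWN" for s in states) else "UNKNOWN"

    def static_route_enabled(self) -> bool:
        """A probe-enabled static route stays enabled only while its policy is UP."""
        return self.state == "UP"

def demo() -> List[str]:
    """Constructed TCP probe timeline for two targets; policy state after each probe."""
    pol = NetworkMonitorPolicy("isp-check", "TCP", ["203.0.113.10", "203.0.113.11"],
                               Thresholds(down_after=3, up_after=2))
    timeline = [("203.0.113.10", "syn-ack"), ("203.0.113.11", "timeout"),
                ("203.0.113.10", "syn-ack"), ("203.0.113.11", "timeout"),
                ("203.0.113.10", "rst"),     ("203.0.113.11", "timeout"),
                ("203.0.113.10", "timeout"), ("203.0.113.10", "timeout"),
                ("203.0.113.10", "timeout")]
    return [pol.record(t, r) for t, r in timeline]

if __name__ == "__main__":
    print(demo())
```

With the default "any host UP" rule the policy goes UP after the second success on the first target and only falls to DOWN once both targets have reached the down_after count.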

CONFIGURING PROBE-ENABLED POLICY BASED ROUTING

When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy. For more information, see Probe-Enabled Policy Based Routing Configuration.

Configuring Network Settings in SonicOS Standard

The following sections describe how to configure network settings in SonicOS Standard:

• Configuring Basic Network Settings in SonicOS Standard
• Configuring Web Proxy Forwarding
• Configuring Intranet Settings
• Configuring Routing in SonicOS Standard
• Configuring RIP in SonicOS Standard
• Configuring One-to-One NAT
• Configuring Ethernet Settings
• Configuring ARP

CONFIGURING BASIC NETWORK SETTINGS IN SONICOS STANDARD

The Network settings page is used to configure the network addressing mode, LAN settings, WAN settings, DMZ settings, and the DNS server address(es). SonicOS Standard supports six network addressing modes. For all of these modes, first configure the universal settings:

• LAN Settings for all Network Addressing Modes

LAN Settings for all Network Addressing Modes

For all six of the network addressing modes supported in SonicOS Standard, complete the following basic network settings:

1 Enter the IP address assigned to the LAN interface in the SonicWall LAN IP Address field and the subnet the IP address belongs to in the LAN Subnet Mask field.
2 To add an additional subnet, enter the IP address and subnet in the Network Gateway and Subnet Mask fields and click Add Subnet.
3 Enter the IP address of the router that provides Internet access to the SonicWall appliance in the WAN Gateway (Router) Address field. The SonicWall WAN IP Address and WAN Subnet Mask are automatically set to the SonicWall LAN IP Address and LAN Subnet Mask, respectively.

CONFIGURING DYNAMIC DNS

NOTE: Dynamic DNS forwarding settings are identical in SonicOS Standard and Enhanced. For configuration information, refer to Configuring Dynamic DNS in the SonicOS Enhanced section of this chapter.



CONFIGURING WEB PROXY FORWARDING NOTE: Web proxy forwarding settings are identical in SonicOS Standard and Enhanced. For configuration information, refer to Configuring Web Proxy Forwarding Settings in the SonicOS Enhanced section of this chapter.



CONFIGURING INTRANET SETTINGS

SonicWalls can be installed between LAN segments of intranets to prevent unauthorized access to certain resources. For example, if the administrative offices of a school are on the same network as the student computer lab, they can be separated by a SonicWall. Figure shows how a SonicWall appliance can be installed between two network segments on an Intranet.

SonicWall Intranet Configuration

NOTE: Devices connected to the WAN port do not have firewall or content filter protection. To protect these units, install another SonicWall appliance between the Internet and devices connected to the WAN port of the other SonicWall appliance.

Although the systems on the WAN and LAN links are separated, they are still on the same subnet. Consequently, you must make the systems on the larger network aware of the systems on the smaller network. To do this, complete the following steps:

1 Expand the Network tree and click Intranet. The Intranet page displays.
2 Select from the following:
• If the SonicWall is not used to separate LAN segments on the intranet, select SonicWall’s WAN link is connected to the Internet Router.
• If the smaller network is connected to the LAN, select Specified addresses are attached to the LAN link.
• If the smaller network is connected to the WAN, select Specified addresses are attached to the WAN link.
3 Enter the IP address or IP address range of a system or group of systems on the smaller network:
• To enter a single IP address, enter the IP address in the Addr Range Begin field.
• To enter a range of IP addresses, enter the starting IP address in the Addr Range Begin field and the ending IP address in the Addr Range End field.
• Click Add Range.
4 Repeat Step 3 for each IP address or IP address range on the smaller network.
5 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.
6 To define which services can be accessed from outside the restricted network segment, refer to Configuring Firewall Settings in SonicOS Standard.

CONFIGURING ROUTING IN SONICOS STANDARD

If the LAN(s) have internal routers, their addresses and network information must be entered into the SonicWall(s). To add an internal router, complete the following steps:

1 Expand the Network tree and click Routing. The Routing page displays.
2 Select whether the router is connected to the LAN (WorkPort), WAN, or OPT interface from the Link list box.
3 Enter the destination network IP address in the Destination Network and Subnet Mask fields.
4 Enter the IP address of the router in the Gateway field.
5 Click Add Route. Repeat Step 2 through Step 5 for each route that you want to add.
6 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

CONFIGURING RIP IN SONICOS STANDARD

RIP is a distance-vector routing protocol that is commonly used in small homogeneous networks. Using RIP, a router periodically sends its entire routing table to its directly connected neighbors, which pass the information on to their own neighbors, and so on, until every router in the network knows the available paths. When routing a packet, a router checks its routing table and selects the path that requires the fewest hops. RIP is not supported by all SonicWall appliances. To configure RIP, complete the following steps:

1 Expand the Network tree and click RIP. The RIP page displays.
2 Select the RIP version from the RIP Advertisements list box:
• RIPv1 Enabled—first version of RIP. RIPv1 carries no subnet masks and has no authentication mechanism.
• RIPv2 Enabled (multicast)—sends route advertisements using multicasting (a single data packet to specific nodes on the network).
• RIPv2 Enabled (broadcast)—sends route advertisements using broadcasting (a single data packet to all nodes on the network).
3 To advertise static routes that you specified on the Routing page, select Advertise Static Routes.
4 To set the amount of time between a VPN tunnel state change and the time the change is advertised, enter a value in the Route Change Damp Time field (default: 30 seconds).
5 To specify the number of advertisements that are sent after a route is deleted, enter a value in the Deleted Route Advertisements field (default: 5 advertisements).
6 By default, the connection between this router and its neighbor counts as one hop. To discourage or reduce the use of this route, you can add hops: enter the number of hops in the Route Metric field.
7 Optional. If RIPv2 is selected from the RIP Advertisements list box, you can enter a value in the RIPv2 Route Tag field. This value is implementation-dependent and provides a mechanism for routers to classify the originators of RIPv2 advertisements.
8 Optional. Select from the following RIPv2 Authentication options:
• User Defined—Enter four hex digits in the Authentication Type field and 32 hex digits in the Authentication Data field.
• Cleartext Password—Enter a password (16 characters or less) in the Authentication Password field. The password is carried unencrypted in every RIP update, so anyone who can capture traffic on the segment can read it and then inject routes of their own; it guards against accidental peering, not against an attacker.
• MD5 Digest—Enter a numerical value from 0-255 in the Authentication Key-Id field. Enter a 32 hex digit value for the Authentication Key field, or use the generated key. The key itself is never sent; each update carries a keyed digest that a receiver without the key cannot forge. Prefer this option whenever the neighboring routers support it.
9 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.
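The difference between the Cleartext Password and MD5 Digest options is easiest to see on the wire. The following is an added example, not SonicWall code or anything from the GMS interface: it builds the two kinds of RIPv2 update with Python's standard library (packet layouts per RFC 2453 for cleartext authentication type 2 and RFC 2082 for keyed-MD5 authentication type 3), then shows what a passive listener on the segment recovers from each and how a receiver validates the MD5 variant. The routes, password and 16-byte key are constructed sample values.

```python
"""RIPv2 authentication on the wire: the two modes offered on the RIP page.

Added example, not SonicWall code.  Layouts follow RFC 2453 (cleartext,
authentication type 2) and RFC 2082 (keyed MD5, type 3); the routes,
password and key below are constructed sample values."""
import hashlib
import struct

AFI_AUTH = 0xFFFF          # address-family value that marks an authentication entry
AUTH_CLEARTEXT = 2
AUTH_MD5 = 3
MD5_TRAILER_TYPE = 0x0001


def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def rip_header(command=2, version=2):
    # command 2 = response (a route advertisement); last two bytes must be zero
    return struct.pack("!BBH", command, version, 0)


def route_entry(network, mask, next_hop="0.0.0.0", metric=1, tag=0):
    # 20-byte RIPv2 route entry: AFI 2 (IP), route tag, address, mask, next hop, metric
    return struct.pack("!HH4s4s4sI", 2, tag, _ip(network), _ip(mask), _ip(next_hop), metric)


def build_cleartext(password, routes):
    """Cleartext Password mode: the password (<= 16 bytes, zero padded) is
    carried verbatim as the first entry of every update."""
    pw = password.encode()
    if len(pw) > 16:
        raise ValueError("RIPv2 cleartext password is limited to 16 bytes")
    return rip_header() + struct.pack("!HH16s", AFI_AUTH, AUTH_CLEARTEXT, pw) + b"".join(routes)


def build_md5(key, key_id, seq, routes):
    """MD5 Digest mode (RFC 2082): the 16-byte key (the guide's 32-hex-digit
    Authentication Key) never leaves the router; only a digest is sent."""
    if len(key) != 16:
        raise ValueError("RIPv2 MD5 key must be 16 bytes")
    body_len = 4 + 20 + 20 * len(routes)              # header + auth entry + routes
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, body_len, key_id, 20, seq)
    body = rip_header() + auth + b"".join(routes) + struct.pack("!HH", AFI_AUTH, MD5_TRAILER_TYPE)
    # The digest covers the packet with the key standing in for the trailing 16 bytes.
    return body + hashlib.md5(body + key).digest()


def secret_on_wire(packet):
    """What a passive listener learns from the first entry: the password for
    cleartext mode, nothing usable for MD5 mode or unauthenticated updates."""
    afi, atype = struct.unpack("!HH", packet[4:8])
    if afi != AFI_AUTH or atype == AUTH_MD5:
        return None
    if atype == AUTH_CLEARTEXT:
        return packet[8:24].rstrip(b"\x00").decode()
    raise ValueError(f"unknown authentication type {atype}")


def verify_md5(packet, key):
    """Recompute the RFC 2082 digest; False for a wrong key or altered routes."""
    afi, atype, body_len = struct.unpack("!HHH", packet[4:10])
    if afi != AFI_AUTH or atype != AUTH_MD5:
        return False
    body, digest = packet[:body_len + 4], packet[body_len + 4:body_len + 20]
    return hashlib.md5(body + key).digest() == digest


if __name__ == "__main__":
    routes = [route_entry("10.10.0.0", "255.255.0.0", metric=2)]
    clear = build_cleartext("s3cret", routes)
    print("cleartext update leaks:", secret_on_wire(clear))
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    signed = build_md5(key, key_id=1, seq=7, routes=routes)
    print("md5 update leaks:", secret_on_wire(signed), "verifies:", verify_md5(signed, key))
```

Running it prints the cleartext password straight out of the packet bytes, while the MD5 update yields only a digest that fails to verify once the key is wrong or a route metric is changed. Note that RFC 2082 is a plain keyed hash rather than an HMAC; it is still the stronger of the two options the page offers.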

CONFIGURING OPT ADDRESSES

SonicWall appliances protect users by preventing Internet users from accessing systems within the LAN (WorkPort). However, this protection also prevents outside users from reaching servers intended for public access, such as Web and mail servers. To allow these services, many SonicWall models have a special Demilitarized Zone (DMZ) port (also known as the HomePort) that is used for public servers. The DMZ sits between the LAN (WorkPort) and the Internet: servers on the DMZ are publicly accessible, but are protected from denial of service attacks such as SYN Flood and Ping of Death, and a compromised DMZ server is still separated from the LAN by the appliance. Although the DMZ port is optional, it is strongly recommended for public servers, which would otherwise have to be placed on the LAN or connected directly to the Internet where they are not protected.

NOTE: Some newer SonicWall appliances have one or more OPT ports that can be configured as a DMZ port. For more information, refer to Overview of Interfaces.

Each server on the DMZ port or HomePort requires a unique, publishable Internet IP address. The ISP that provides your Internet connection should be able to provide these addresses. To add OPT IP addresses, complete the following steps:

1 Expand the Network tree and click DMZ Addresses or HomePort Addresses. The DMZ/HomePort Addresses page displays.
2 Select from the following:
• If the devices on the DMZ or HomePort use fixed public IP addresses, select OPT in Standard Mode.
• If the devices on the DMZ or HomePort use NAT, select OPT in NAT Mode and complete the following:
  • Enter the private internal IP address assigned to the DMZ or HomePort interface in the OPT Private Address field.
  • Assign a subnet mask in the DMZ or HomePort Subnet Mask field. The LAN (WorkPort) and OPT can have the same subnet mask, but the subnets must not overlap. For instance, the LAN can be 192.168.0.1 with a subnet mask of 255.255.255.0, and the DMZ can be 172.16.18.1 with a subnet mask of 255.255.255.0.
  • Optional. To define a DMZ or HomePort public IP address that is used to access devices on the DMZ interface, enter an IP address in the OPT NAT Many to One Public Address field.
3 Enter the addresses of the devices on the DMZ or HomePort:
• To enter a single IP address, enter it in the Addr Range Begin field.
• To enter a range of IP addresses, enter the starting IP address in the Addr Range Begin field and the ending IP address in the Addr Range End field.
4 Click Add Range.
5 To enter additional IP addresses and IP address ranges, repeat Steps 3 and 4.
6 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

CONFIGURING ONE-TO-ONE NAT

One-to-One NAT maps valid external IP addresses to internal addresses hidden by NAT. With ordinary (many-to-one) NAT, most of your network stays hidden behind a single public address; One-to-One NAT lets you give specific internal machines, such as servers that must be reachable from outside, a dedicated public address while the rest stay hidden. A mapped machine is reachable from the Internet for whatever services your access rules permit, so map only the hosts that need it. To do this, assign a range of internal IP addresses to a range of external IP addresses of equal size. The first internal IP address corresponds to the first external IP address, the second internal IP address to the second external IP address, and so on. For example, if an ISP has assigned IP addresses 209.19.28.16 through 209.19.28.31 with 209.19.28.16 as the NAT public address, and the address range 192.168.168.1 through 192.168.168.255 is used on the LAN (WorkPort), the following table shows how the IP addresses are assigned.

One-to-One NAT Example

LAN Address        WAN Address      Accessed Via
192.168.168.1      209.19.28.16     Inaccessible, NAT public IP address
192.168.168.2      209.19.28.17     209.19.28.17
192.168.168.3      209.19.28.18     209.19.28.18
[...]              [...]            [...]
192.168.168.16     209.19.28.31     209.19.28.31
192.168.168.17     (none)           No corresponding IP address
[...]              [...]            [...]
192.168.168.255    (none)           No corresponding IP address

To configure One-to-One NAT, complete the following steps:

1 Expand the Network tree and click One-to-One NAT. The One-to-One NAT page displays. (Figure: One-to-One NAT Page)
2 Select Enable One-to-One NAT.
3 Enter the first IP address of the internal IP address range in the Private Range Begin field.
4 Enter the first corresponding external IP address in the Public Range Begin field.
NOTE: Do not include the NAT Public IP Address in a range.
5 Enter the number of IP addresses in the range in the Range Length field.
6 Click Add Range.
7 To add additional IP address ranges, repeat Step 3 through Step 6 for each range. When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.
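The three fields above (Private Range Begin, Public Range Begin, Range Length) fully determine the mapping, and the two rules the page states (equal-sized ranges mapped in order; the NAT public address never inside a range) are easy to get wrong when several ranges are entered. The following added example, not SonicWall code, plans such a configuration with Python's standard `ipaddress` module for the page's own figures (ISP block 209.19.28.16 through 209.19.28.31, NAT public address 209.19.28.16, LAN 192.168.168.0/24) and rebuilds the LAN Address / WAN Address / Accessed Via table from it. The entry list format is an assumption made for the example; it is not how GMS stores the setting.

```python
"""One-to-One NAT planning for the example above.

Added example, not SonicWall code.  Enforces the rules the page states:
equal-sized ranges mapped in order, the NAT public address never inside a
range, every public address inside the ISP-assigned block, and no address
mapped twice.  The entry tuple format is an assumption for this example."""
import ipaddress


def one_to_one_pairs(private_begin, public_begin, length, nat_public):
    """Ordered (private, public) address pairs for one range entry."""
    priv = ipaddress.ip_address(private_begin)
    pub = ipaddress.ip_address(public_begin)
    nat = ipaddress.ip_address(nat_public)
    if length < 1:
        raise ValueError("Range Length must be at least 1")
    # The page's NOTE: do not include the NAT Public IP Address in a range.
    if pub <= nat < pub + length:
        raise ValueError(f"NAT public address {nat} must not be inside the public range")
    return [(priv + i, pub + i) for i in range(length)]


def nat_table(lan_net, isp_block, nat_public, entries):
    """Build the LAN Address / WAN Address / Accessed Via rows for a LAN.

    entries: list of (private_begin, public_begin, length) as typed into the
    One-to-One NAT page."""
    block = ipaddress.ip_network(isp_block)
    mapping = {}
    used_public = set()
    for private_begin, public_begin, length in entries:
        for priv, pub in one_to_one_pairs(private_begin, public_begin, length, nat_public):
            if pub not in block:
                raise ValueError(f"{pub} is outside the ISP-assigned block {block}")
            if priv in mapping or pub in used_public:
                raise ValueError(f"{priv} or {pub} is mapped twice")
            mapping[priv] = pub
            used_public.add(pub)
    rows = []
    for host in ipaddress.ip_network(lan_net).hosts():
        if host in mapping:
            rows.append((str(host), str(mapping[host]), str(mapping[host])))
        else:
            rows.append((str(host), "", "No corresponding IP address"))
    return rows


if __name__ == "__main__":
    # The page's example: 15 usable public addresses after reserving .16 for NAT.
    plan = [("192.168.168.2", "209.19.28.17", 15)]
    for lan, wan, via in nat_table("192.168.168.0/24", "209.19.28.16/28", "209.19.28.16", plan)[:20]:
        print(f"{lan:<16} {wan:<14} {via}")
```

With the plan shown, 192.168.168.2 through 192.168.168.16 receive 209.19.28.17 through 209.19.28.31 and every other LAN host has no corresponding public address. Starting the public range at 209.19.28.16, or asking for 16 addresses from 209.19.28.17, is rejected before anything is pushed to the appliance.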

CONFIGURING ETHERNET SETTINGS

This section describes how to configure Ethernet settings on each port of the SonicWall appliance(s). The Ethernet Settings screen is only available on SonicWall 6.x.x.x firmware versions and SonicOS Standard firmware versions. To configure Ethernet settings, complete the following steps:

1 Expand the Network tree and click Ethernet. The Ethernet page displays.
2 Select from the following WAN Link Settings:
• To configure the WAN link to automatically negotiate Ethernet settings, select Auto Negotiate.
• To specify WAN link settings, select Force and select the speed and duplex settings.
3 Select from the following OPT Link Settings:
• To configure the OPT link to automatically negotiate Ethernet settings, select Auto Negotiate.
• To specify OPT link settings, select Force and select the speed and duplex settings.
4 Select from the following LAN Link Settings:
• To configure the LAN link to automatically negotiate Ethernet settings, select Auto Negotiate.
• To specify LAN link settings, select Force and select the speed and duplex settings.
5 If you are managing the SonicWall appliance from the LAN (WorkPort) side of your network, select Proxy Management Workstation Ethernet Address on WAN. The appliance takes the Ethernet (MAC) address of the computer that is managing it and proxies that address on its WAN port. If you are not managing the appliance from the LAN side of your network, the firmware looks for a random computer on the LAN, which can be a lengthy search.
6 To limit the size of packets sent over the Ethernet WAN interface, select Fragment Outbound Packets Larger than the WAN MTU and enter the maximum size in the WAN MTU field. If the maximum transmission unit (MTU) is larger than a remote router can handle, packets have to be fragmented and more transmissions are needed; if it is too small, header overhead and the number of acknowledgements to process increase. The default MTU is 1500 bytes.
7 To enable bandwidth management, select Enable and enter the bandwidth of the connection in the Available Bandwidth field.
8 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

CONFIGURING ARP

ARP settings are identical in SonicOS Standard and Enhanced. For configuration information, refer to Configuring ARP in the SonicOS Enhanced section of this chapter.

Configuring PortShield Interfaces for Dell Networking X-Series Switches

NOTE: TZ series firewalls support Dell Networking X-Series switches and the Dell Networking X-Series Solution, which expand the capability of the firewalls, especially for portshielding interfaces. SuperMassive and NSA series firewalls also support X-Series switches and the X-Series Solution.

IMPORTANT: When an extended switch has been powered off and the firewall is then restarted (rebooted), it can take up to five minutes before the firewall discovers the extended switch and reports its Status as Connected. When configuring extended switches in a PortShield group, it can take up to five minutes for the configuration to be displayed on the Network > PortShield Groups page.

NOTE: The NSA 2600 firewall does not support PortShield, and the SM 9800 and SOHO W firewalls do not support the X-Series Solution.

Topics: • About the Dell Networking X-Series Solution • GMS Support of X-Series Switches

About the Dell Networking X-Series Solution NOTE: The X-Series Solution is not supported on the SM 9800, NSA 2600, or SOHO W firewalls. Critical network elements, such as a firewall and switch, need to be managed, usually individually. GMS allows unified management of both the firewall and a Dell Networking X-Series switch using the firewall management interface (UI) and GMS.

GMS Support of X-Series Switches

The maximum number of interfaces available on the SonicWall firewalls varies depending on the model, as shown in the Interfaces per firewall table.

Interfaces per firewall

Firewall model   Available interfaces
SM 9600          20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1 GbE copper), 1 GbE Management, and 1 Console
SM 9400          20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1 GbE copper), 1 GbE Management, and 1 Console
SM 9200          20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1 GbE copper), 1 GbE Management, and 1 Console
NSA 6600         20 (4 10 GbE SFP+, 8 1 GbE SFP, 8 1 GbE copper), 1 GbE Management, and 1 Console
NSA 5600         18 (2 10 GbE SFP+, 4 1 GbE SFP, 12 1 GbE copper) and 1 Management
NSA 4600         18 (2 10 GbE SFP+, 4 1 GbE SFP, 12 1 GbE copper) and 1 Management
NSA 3600         18 (2 10 GbE SFP+, 4 1 GbE SFP, 12 1 GbE copper) and 1 Management
TZ600            10 GbE
TZ500 Series     8 GbE
TZ400 Series     7 GbE
TZ300 Series     5 GbE

In certain deployments, the number of ports required might easily exceed the maximum number of interfaces available on a firewall. With the X-Series Solution, ports on a Dell Networking X-Series switch are viewed as extended interfaces of the firewall, thereby increasing the number of interfaces available for use up to 192, depending on the X-Series switch. These extended ports can be portshielded and/or configured for high availability and treated as any other interface on the firewall.

NOTE: X-Series switch, X-Switch, external switch, and extended switch are used interchangeably.

Previously, the TZ Series firewalls supported a maximum of two X-Series switches. The SonicWall firewalls shown in X-Series switches supported by SonicWall firewalls support up to four of the listed X-Series switches.

X-Series Switches supported by SonicWall firewalls

These SonicWall firewalls:
• SuperMassive 9600, SuperMassive 9400, SuperMassive 9200
• NSA 6600, NSA 5600, NSA 4600, NSA 3600
• TZ600, TZ500/TZ500W, TZ400/TZ400W, TZ300/TZ300W

Support these X-Series switches (ports):
• X1008 (8 10/100/1000Base-T GbE)
• X1008P (8 10/100/1000Base-T GbE, 2 1GbE SFP fiber, 8 PoE up to 123 W total)
• X1018 (16 10/100/1000Base-T GbE, 2 1GbE SFP fiber)
• X1018P (16 10/100/1000Base-T GbE, 2 1GbE SFP fiber, 16 PoE up to 246 W total)
• X1026 (24 10/100/1000Base-T GbE, 2 1GbE SFP fiber)
• X1026P (24 10/100/1000Base-T GbE, 2 1GbE SFP fiber, 24 PoE/12 PoE+ up to 369 W total)
• X1052 (48 10/100/1000Base-T GbE, 2 10GbE SFP/SFP+ fiber)
• X1052P (48 10/100/1000Base-T GbE, 24 PoE/12 PoE+ up to 369 W total)
• X4012 (12 10GbE SFP/SFP+ fiber)

Topics: • Overview • Supported Topologies • Managing PortShield Groups with X-Series Switches

OVERVIEW

In certain deployments, the number of ports required might easily exceed the maximum number of interfaces available on the appliance. With the X-Series solution, ports on the Dell Networking X-Series switch can be viewed as extended interfaces of the firewall, thereby increasing the number of interfaces available for use up to 96 depending on the X-Series switch. These extended ports can be portshielded and treated as any other interface on the firewall.

NOTE: For complete information about X-Series switches and configuring them, see the Dell™ X-Series Solution Deployment Guide, the Dell™ Networking™ X1000 and X4000 Series Switches User Guide, and the Dell™ Networking™ X1000 and X4000 Series Switches Getting Started Guide.

Key features supported with X-Series switches are:
• Provisioning of an X-Series Switch as an extended switch
• PortShield functionality
• Configuration of Extended Switch Interface settings
• Manageability of basic Extended Switch Global Parameters
• Manageability of Extended Switch using GMS
• High Availability (HA) with PortShield functionality
• Diagnostics support for extended switch
• Support for VLANs in a common uplink with SPM configuration
• Support for VLANs in a dedicated uplink configuration
• PoE/PoE+ and SFP/SFP+ functionality for SonicWall firewalls by certain Dell Networking X-Series switches
• Batching configuration messages: to facilitate support of the X-Series switches, configuration messages can be batched before being sent to an X-Series switch.

Topics: • PortShield Functionality and X-Series Switches • Managing Extended Switches using GMS • About Links • About Uplink Interfaces • Logging and Syslog Support • Performance Requirements

PortShield Functionality and X-Series Switches PortShield architecture allows firewall ports to be configured into separate security zones, so that traffic between devices in different zones passes through the deep-packet-inspection firewall. For more information about PortShield functionality, see Configuring PortShield Groups. The Dell Networking X-Series Solution allows interfaces on the extended switch to be portshielded to firewall interfaces. X-Series switches are L2 switches, and by default all ports on the extended switch are configured as access ports of the default VLAN 1. When ports of the extended switch are portshielded to firewall interfaces, the ports are reconfigured as access ports of the VLAN corresponding to the PortShield VLAN, also known as the IDV VLAN of the PortShield host interface. Topics: • Different Traffic Scenarios with PortShield • Prerequisites for Portshielding X-Series Switches

Different Traffic Scenarios with PortShield

• Traffic between network devices connected to ports on the extended switch that are part of the same PortShield group is switched by the extended switch itself.
• Traffic between network devices connected to ports on the extended switch and devices connected to ports on the firewall that are part of the same PortShield group is switched by the internal switch on the firewall.
• Traffic from network devices connected to ports on the extended switch that is destined to firewall interfaces is handled by the data path in software. Such traffic may be subjected to firewall security services such as access rules, deep packet inspection, and intrusion prevention.
• Traffic between network devices connected to ports on the extended switch and devices connected to ports on the firewall that are in a different zone or a different PortShield group is forwarded by the data path in software. Such traffic is subjected to firewall security services in software.

In the first two cases the traffic never enters the firewall's data path, so access rules and deep packet inspection do not apply to it: membership of a PortShield group defines what is switched without inspection.
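The four scenarios above decide which conversations the firewall can actually see. The following added example, not SonicWall code, encodes them as a decision function and uses it to list every pair of ports whose traffic bypasses inspection. The port inventory, PortShield host names and zones are constructed for the example; the `ES1:n` naming follows the format the Port Configuration tab uses for extended-switch ports.

```python
"""Which traffic a firewall with X-Series switches actually inspects.

Added example, not SonicWall code.  Encodes the four PortShield traffic
scenarios as a decision function; the inventory below is constructed."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Port:
    name: str    # firewall port "X3", or extended-switch port "ES1:5" (switch 1, port 5)
    host: str    # PortShield host interface the port is shielded to, e.g. "X2"
    zone: str    # zone of that host interface (same host implies same zone)

    @property
    def on_extended_switch(self):
        return self.name.startswith("ES")


SWITCHED_ON_ESWITCH = "switched by the extended switch; not seen by the firewall"
SWITCHED_ON_FIREWALL = "switched by the firewall's internal switch; not inspected"
FIREWALL_DATA_PATH = "forwarded by the firewall data path; access rules, DPI and IPS apply"


def traffic_path(src, dst):
    """dst is another Port, or the name of a firewall interface when the frame
    is addressed to the firewall itself (for example, its management IP)."""
    if isinstance(dst, str):
        return FIREWALL_DATA_PATH                     # scenario 3
    if src.host != dst.host:
        return FIREWALL_DATA_PATH                     # scenario 4: other group or zone
    if src.on_extended_switch and dst.on_extended_switch:
        return SWITCHED_ON_ESWITCH                    # scenario 1
    return SWITCHED_ON_FIREWALL                       # scenario 2


def uninspected_pairs(ports):
    """Every pair of ports whose mutual traffic bypasses firewall inspection:
    the list to review before putting a less-trusted device in a PortShield group."""
    return [(a.name, b.name) for a, b in combinations(ports, 2)
            if traffic_path(a, b) != FIREWALL_DATA_PATH]


if __name__ == "__main__":
    inventory = [
        Port("ES1:1", "X2", "LAN"), Port("ES1:2", "X2", "LAN"),
        Port("X3", "X2", "LAN"),    Port("ES1:9", "X4", "DMZ"),
    ]
    for a, b in combinations(inventory, 2):
        print(f"{a.name:>6} <-> {b.name:<6} {traffic_path(a, b)}")
    print("uninspected:", uninspected_pairs(inventory))
```

For the sample inventory, the three pairs inside the X2 group are switched without inspection while every conversation with the DMZ port or with the firewall itself goes through the data path. Moving a device to its own PortShield group, or to another zone, is what brings its traffic under the access rules.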

Prerequisites for Portshielding X-Series Switches

IMPORTANT: If the topology has two or more X-Series switches, all X-Series switches must be connected directly to the firewall and not cascaded or daisy chained, that is, one X-Series switch cannot be connected to another X-Series switch that is connected to the firewall.

• X-Series switches (excluding X1052/X1052P models) are delivered from the factory in unmanaged mode to avoid unauthorized access to the switch. You need to put the switch into Managed mode by pressing the Mode button, near the power plug, for at least seven seconds. X1052/X1052P models are delivered from the factory in Managed mode by default. For further details, see the Dell Networking X1000 and X4000 Series Switches User Guide and the Dell X-Series Solution Deployment Guide. During the initial setup of the switch, to ensure that the X-Series switch’s IP address does not change dynamically when the DHCP server is enabled on the firewall interfaces, choose Static IP instead of Dynamic IP. For further information, see the Dell X-Series Solution Deployment Guide.
• Apart from the initial IP address and username/password configuration, which can be found on the switch, no other configuration should be performed on the X-Series switch directly through the switch’s GUI/console; doing so leaves the firewall out of sync with the configuration state of the X-Series switch. The initial setup is the point at which to replace the factory default username/password, because from then on the switch is reachable on the management subnet.
• To manage the X-Series switch from the firewall, one of the interfaces of the firewall must be in the same subnet as the X-Series switch. For example, to manage an X-Series switch with the default IP address 192.168.2.1, an interface of the firewall needs to be configured in the 192.168.2.0/24 subnet and connected to the X-Series switch.
• Ensure that the firewall can reach the X-Series switch by pinging it from the firewall before provisioning/managing the switch from the firewall.
• VLAN support:
  • Support for VLANs is available on shared and common uplinks. For example, VLANs can be configured under the firewall interface that is provisioned as the shared uplink for the X-Series switch.
  • For details on VLAN support, see the SonicWall X-Series Solution Deployment Guide.
  • Overlapping VLANs cannot exist under firewall interfaces configured as dedicated uplinks. For example, if X3 and X5 are configured for dedicated uplinks, VLAN 100 cannot be present under both X3 and X5. Such a configuration is rejected.

PoE/PoE+ and SFP/SFP+ Support

SonicWall firewalls do not support PoE/PoE+, but this functionality can be added with certain X-Series switches, as shown in X-Series switch PoE/PoE+ and SFP/SFP+ support. This additional functionality enhances SonicPoint usage by SonicWall firewalls, especially for newer SonicPoints supporting 802.11ac (up to 30 W maximum power; 802.11a/b/g/h SonicPoints draw up to 15.4 W maximum power). Some X-Series switches also support SFP/SFP+, as shown in the same table.

NOTE: Configuration of the PoE/PoE+ ports on the X-Series switch is managed from the UI of the X-Series switch and not from the Network > PortShield Groups page on the SonicWall firewall.

X-Series switch PoE/PoE+ and SFP/SFP+ support

This X-Series switch   Supports
X1008                  1 PoE PD port; by default, port 8 is the PD port
X1008P                 8 PoE ports, up to 123 W total; by default, ports 1 through 8 support PoE
X1018                  2 1 GbE SFP ports; by default, ports 17 and 18 support SFP
X1018P                 16 PoE ports, up to 246 W total; by default, ports 1 through 16 support PoE. 2 1 GbE SFP ports; by default, ports 17 and 18 support SFP
X1026                  2 1 GbE SFP ports; by default, ports 25 and 26 support SFP
X1026P                 24 PoE/12 PoE+ ports, up to 369 W total; by default, ports 1 through 12 support PoE+ and ports 13 through 24 support PoE. 2 1 GbE SFP ports; by default, ports 25 and 26 support SFP
X1052                  4 10 GbE SFP+ ports; by default, ports 49 through 52 support SFP+
X1052P                 24 PoE/12 PoE+ ports, up to 369 W total; by default, ports 1 through 12 support PoE+, ports 13 through 24 support PoE, and ports 25 through 48 support neither PoE nor PoE+. 4 10 GbE SFP+ ports; by default, ports 49 through 52 support SFP+
X4012                  12 10 GbE SFP+ ports; by default, ports 1 through 12 support SFP+

IMPORTANT: A SonicPoint AC without an external power source must be portshielded through ports 1 through 12 on an X1026P or X1052P X-Series switch. Any SonicPoint non-AC model without an external power source can be portshielded through ports 1 through 8 (X1008P), 1 through 16 (X1018P), or 1 through 24 (X1026P and X1052P). Any SonicPoint with an external power source can be portshielded to any Ethernet port.

X-Series Solution and SonicPoints Ports on an extended switch can be portshielded to the WLAN zone of the firewall, and SonicPoints can be connected to these ports. When connecting SonicPoints to an X-Series switch, it is important to consider the SonicPoint's power requirements. A SonicPoint ACe/ACi/N2 requires a minimum of 25.5 watts. If your X-Series switch model does not support PoE+, you must use a SonicPoint power injector. For which switches support PoE+, see PoE/PoE+ and SFP/SFP+ Support. For more information about managing SonicPoints, see the Knowledge Base article, SonicWall TZ Series and SonicWall X-Series Solution managing SonicPoint ACe/ACi/N2 access points (SW13970) (http://support.sonicwall.com/kb/SW13970).

Managing Extended Switches using GMS The X-Series switch integration feature allows unified management of both the firewall and the switch using the SonicOS management interface and SonicWall GMS. GMS supports all configuration operations, such as provisioning of an extended switch, configuration of extended switch interface settings, and manageability of extended switch global parameters.

Extended Switch Global Parameters The following global parameters are available on the extended switch: NOTE: For more information on these parameters, see Adding/Deleting an Extended Switch. • STP Mode – By default, STP mode is set to Rapid on the Extended Switch. • STP State – By default, STP is Enabled globally on the Extended Switch. NOTE: The following PoE options are available only on PoE-model extended switches. • PoE Alert Usage Threshold – By default, the threshold is set to 95% on the Extended Switch. • PoE Traps – By default, traps are disabled globally on the Extended Switch. • PoE Power Limit Mode – By default, the mode is set to Port limit (default).

About Links Management (MGMT) links carry only management traffic and cannot be portshielded. Data links carry all PortShield traffic. Data links that carry only data are called common links. In a few topologies, data links also carry management traffic, in which case they are called shared links. Common or shared links can carry all the portshielded groups. Dedicated links can carry only one portshielded group, and that group must be portshielded to the dedicated port on the firewall.

About Uplink Interfaces Uplink interfaces can be viewed as “trunk” ports set up to carry tagged/untagged traffic. When an extended switch is added with firewall uplink and X-Switch uplink options, the port on the firewall configured as the firewall uplink and the port on the extended switch configured as the switch uplink are set up automatically to receive/send tagged traffic for all IDV VLANs. The IDV VLAN of the tagged traffic allows the firmware to derive the PortShield host interface for the traffic.

Criteria for Configuring an Uplink Interface • The interface must be a physical interface; virtual interfaces are not allowed. • The interface must be a switch interface. (On some platforms, some firewall interfaces are not connected to the switch. Such interfaces are not allowed.) • The interface cannot be a PortShield host (some other firewall interface cannot be portshielded to it) or a PortShield group member (cannot be portshielded to another firewall interface). • The interface cannot be a bridge primary or bridge secondary interface. • The interface cannot have any children (it cannot be a parent interface for other child interfaces).

Logging and Syslog Support Support for logging critical configuration events such as addition/deletion of a switch, configuration of portshield on an extended switch port, and network events such as port coming up/going down is available.

Performance Requirements X-Series switch integration functionality has been extended from just TZ Series firewalls to also include both SM Series and NSA Series firewalls. A SonicWall firewall can now: • Be provisioned for a maximum of four X-Series switches. • Manage an increased number of ports. If multiple switches are provisioned, they must be connected directly to the firewall; they cannot be cascaded or daisy chained, that is, one switch connected to another switch, which is then connected to the firewall.

SUPPORTED TOPOLOGIES IMPORTANT: Before setting up the interface between the firewall and the XSeries switch, set up the switch as described in the SonicWall™ X-Series Solution Deployment Guide. NOTE: For details about provisioning and configuring these topologies, see the SonicWall™ X-Series Solution Deployment Guide. The key supported topologies for X-Series switch support are: • Common uplink configuration • Dedicated uplink configuration IMPORTANT: SonicPoints must be portshielded through the port that is part of the dedicated link. • Hybrid configuration with common and dedicated uplink(s) • Shared link configuration for both management and data traffic • Isolated links for management and data uplinks • HA and PortShield configurations with dedicated uplink(s) • HA and PortShield configurations with a common uplink • VLAN(s) with common uplinks through SPM configuration • VLAN(s) with dedicated uplink(s) configuration • Dedicated link for SonicPoint access

Managing Ports IMPORTANT: The SM 9800 and SOHO W firewalls do not support the X-Series Solution. Although all firewall ports are managed the same, the Network > PortShield Groups page is different for these firewalls; see Managing Ports on the SM 9800 or SOHO W Firewall.



The Network > PortShield Groups page allows you to manage the assignments of ports to PortShield interfaces through these tabs: • Port Graphics • Port Configuration • External Switch Configuration • External Switch Diagnostics Topics: • Viewing Interfaces (Ports) on the Port Graphics Tab • Viewing Status of and Editing PortShield Interfaces on the Port Configuration Tab • Viewing and Managing the External Switch Configuration • Monitoring External Switch Diagnostics and Managing Firmware • Managing Ports on the SM 9800 or SOHO W Firewall

VIEWING INTERFACES (PORTS) ON THE PORT GRAPHICS TAB

The Port Graphics tab displays the PortShield interfaces (ports) for the firewall. The large graphic represents the firewall’s interfaces. The interfaces are color coded to reflect their configuration:

Color code for interface configuration

This color                                                       Designates this type of interface
Black                                                            Unassigned, that is, not part of a PortShield group
Yellow                                                           Selected to be configured
Same color (other than black, yellow, or grey)                   Part of a PortShield group, with the master interface having a white outline around the color
Greyed out                                                       Cannot be assigned, that is, added to a PortShield group
Grey with a person graphic                                       Switch MGMT
Any color (other than black, yellow, or grey) with an up arrow   Uplink

Each port graphic is labeled with its associated port name: X0 - Xn. When you select an interface or interfaces, you can configure them as described in Configuring PortShield Groups.

When an Extended Switch is Configured

When one or more extended switches are provisioned, the Port Graphics tab displays the PortShield interfaces (ports) for both the firewall and the switch(es): • The first graphic displays the firewall’s ports and is not labelled. • The next graphic displays the ports for the first external switch, External Switch 1, which is labeled SwitchModel External Switch 1, for example, X1018P External Switch 1. • If more external switches are provisioned, subsequent graphics display the ports for the other external switches in order of their ID, that is, External Switch 2, External Switch 3, and External Switch 4. The color coding for external interfaces is the same as for the firewall; see Color code for interface configuration.

VIEWING STATUS OF AND EDITING PORTSHIELD INTERFACES ON THE PORT CONFIGURATION TAB

Figures: Port Configuration tab without an extended switch; Port Configuration tab with extended switches.

The Port Configuration tab consists of a table that lists information about the PortShield interfaces:

Port Configuration tab

Name
  Port name associated with the PortShield interface, such as X0 or X15. Ports for any external switches are shown in the format ESs:n, where s is the switch ID and n is the port number.
PortShield Interface
  Color-coded graphic reflecting the PortShield interface’s assignment and the PortShield group it belongs to. This graphic is a smaller version of the larger graphic(s) on the Port Graphics tab.
Type
  Type of port: Copper or Wireless.
Link Settings
  Link speed: Auto Negotiate; 1000 Mbps – Full Duplex; 100 Mbps – Full Duplex; 100 Mbps – Half Duplex; 10 Mbps – Full Duplex; 10 Mbps – Half Duplex.
Link Status
  Displays either the current link speed, in green (for example, 1000 Mbps – Full Duplex), or No link.
Enabled
  A checkmark graphic that is green if the interface is enabled and dimmed grey if the interface is disabled.
Comment
  Any comment entered when the interface was configured.
Configure
  Contains two icons:
  • Statistics: when clicked, displays a pop-up summary containing statistics about the interface. NOTE: To clear all statistics, click Clear Statistics at the top of the Network > PortShield Groups page.
  • Edit: when clicked, displays the Edit Switch Port dialog. For more information about this dialog, see the procedure in Configuring PortShield Interfaces on Network > Interfaces.

VIEWING AND MANAGING THE EXTERNAL SWITCH CONFIGURATION

The External Switch Configuration tab provides information about the external switches provisioned on the firewall and allows you to manage the switch. You can also configure or delete an extended switch. To configure an extended switch, see Configuring PortShield Groups; to delete an extended switch, see the SonicWall X-Series Solution Deployment Guide.

NOTE: This table displays No Entries if external switches have not been provisioned.

External Switch Configuration tab

• ID – ID number of the external switch: 1, 2, 3, or 4.
• Model – Model number of the extended switch. This column also contains a Comment icon for each switch that displays a popup summary with product details.
• Status – Status of the switch: A green Enabled icon indicates the switch is up and available. NOTE: When an extended switch has been powered off and then the firewall is restarted (rebooted), it may take up to five minutes before the firewall discovers the extended switch and reports the Status of the switch as up and available.
• IP Address – IP address of the extended switch.
• Switch Management – Switch port used for management traffic.
• Firewall Uplink – Port on the firewall configured as the firewall uplink. If no firewall port has been configured as the firewall uplink, the column displays None.
• Switch Uplink – Port on the extended switch configured as the switch uplink. If no switch port has been configured as the switch uplink, the column displays None.
• Configure – Contains the:
  • Edit icon – Click to display the Edit External Switch dialog.
  • Delete icon – Click to delete the switch entry.

MONITORING EXTERNAL SWITCH DIAGNOSTICS AND MANAGING FIRMWARE

NOTE: The tables display No Entries if external switches have not been provisioned.

The External Switch Diagnostics tab allows you to:
• Monitor statistics for the extended switch(es)
• Upload the firmware image and/or the boot image
• Restart the extended switch(es)

Topics:
• Changing the Display
• Monitoring Statistics
• Restarting the External Switch(es)
• Managing External Switch Firmware

Changing the Display

The External Switch Diagnostics tab displays statistics and other information about only one switch at a time. By default, the data for External Switch 1, ES1, is displayed. If you have two or more external switches, to display data about a different external switch, choose ES2, ES3, or ES4 from the Switch Name drop-down menu.

Monitoring Statistics

The Statistics table displays a running tally of all statistics. To restart statistics collection, click Clear to reset the counters.

Statistics

• Name – Port name, 1 – n.
• Status – Whether the port is Up or Down.
• Rx Unicast Packets – Number of Unicast packets received on the port.
• Rx Multicast Packets – Number of Multicast packets received on the port.
• Rx Broadcast Packets – Number of Broadcast packets received on the port.
• Rx Bytes – Number of bytes received on the port.
• Rx Errors – Number of packets with errors received on the port.
• Tx Unicast Packets – Number of Unicast packets transmitted on the port.
• Tx Multicast Packets – Number of Multicast packets transmitted on the port.
• Tx Broadcast Packets – Number of Broadcast packets transmitted on the port.
• Tx Bytes – Number of bytes transmitted on the port.
• FCS Errors – Number of packets with FCS (frame check sequence) errors received on the port.
• Single Collision Frames – Number of frame collisions detected on the port.
• Late Collisions – Number of frame collisions detected after the last frame bit was sent on the port.
• Excessive Collisions – Number of frame collisions detected that exceeded the number of retries on the port.
• Internal MAC Transmit Errors – Number of non-collision transmission errors detected on the port.
• Oversized Packets – Number of received packets larger than the port was expecting.
• Rx Pause Frames – Number of pause frames received by the port.
• Tx Pause Frames – Number of pause frames sent by the port.
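The counters in the Statistics table are most useful when something reads them regularly and flags ports that drift. The following is an added example, not SonicWall code: it takes per-port counters named after the columns above, as they could be copied from the GMS page, and applies simple rules that operators commonly use (late collisions as a duplex-mismatch symptom, an FCS error rate, pause frames as a congestion signal). The threshold value and the sample port data are constructed for illustration and are not vendor values.

```python
"""Triage external-switch port counters for signs of link trouble (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class PortStats:
    name: str
    status: str            # "Up" or "Down", as in the Status column
    rx_packets: int        # Rx Unicast + Rx Multicast + Rx Broadcast Packets
    fcs_errors: int        # FCS Errors
    late_collisions: int   # Late Collisions
    excessive_collisions: int
    oversized: int         # Oversized Packets
    rx_pause: int          # Rx Pause Frames
    tx_pause: int          # Tx Pause Frames


# Assumed threshold for this example: more than 1 FCS error per 10,000
# received frames is treated as a cabling/transceiver symptom.
FCS_ERROR_RATE = 1e-4


def port_findings(p: PortStats) -> list[str]:
    """Return human-readable findings for one port; an empty list means healthy."""
    findings: list[str] = []
    if p.status != "Up":
        return findings            # no traffic on a down port, nothing to judge
    if p.late_collisions:
        findings.append("late collisions: typical of a duplex mismatch, compare Link Settings on both ends")
    if p.excessive_collisions:
        findings.append("excessive collisions: frames dropped after the retry limit")
    if p.rx_packets and p.fcs_errors / p.rx_packets > FCS_ERROR_RATE:
        findings.append("FCS error rate above threshold: suspect cabling or transceiver")
    if p.oversized:
        findings.append("oversized frames received: MTU or jumbo-frame mismatch with the sender")
    if p.rx_pause or p.tx_pause:
        findings.append("pause frames seen: flow control active, look for congestion")
    return findings


def audit(ports: list[PortStats]) -> dict[str, list[str]]:
    """Map each port name that has at least one finding to its findings."""
    return {p.name: f for p in ports if (f := port_findings(p))}


def sample_ports() -> list[PortStats]:
    """Constructed counters, shaped like rows of the Statistics table."""
    return [
        PortStats("1", "Up", 1_000_000, 5, 0, 0, 0, 0, 0),     # healthy
        PortStats("2", "Up", 50_000, 20, 3, 0, 0, 0, 0),       # mismatch plus bad link
        PortStats("3", "Down", 0, 0, 0, 0, 0, 0, 0),           # down, ignored
        PortStats("4", "Up", 200_000, 0, 0, 0, 0, 12, 0),      # congestion
    ]


if __name__ == "__main__":
    for name, findings in audit(sample_ports()).items():
        print(f"ES1:{name}")
        for line in findings:
            print("  -", line)
```

Because the table is a running tally, compare two snapshots (before and after Clear, or a day apart) rather than judging the absolute counts of a port that has been up for months.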

Restarting the External Switch(es)

IMPORTANT: When an extended switch has been powered off and then the firewall is restarted (rebooted), it could take up to five minutes before the firewall discovers the extended switch and reports the Status of the switch as Connected.

To restart an external switch:
1 Navigate to Network > PortShield Groups.
2 Click the External Switch Diagnostics tab.
3 Select which external switch to restart from the Switch Name drop-down menu.
4 Scroll to the Restart: External Switch section.
5 Click Restart.

Managing External Switch Firmware

The Firmware Management: External Switch table displays information about the external switch’s firmware and boot code:

Firmware Management: External Switch

• Type – Either Firmware or Boot Code.
• Version – Version of firmware or boot code on the external switch.
• Date Created – Date the firmware or boot code was created.
• Time Created – Time the firmware or boot code was created.
• Upload – Upload icon.

To upload firmware or boot code:
1 Click Upload for either Firmware or Boot Code. The Upload External Switch Firmware or Upload External Switch Boot Code dialog displays.
2 Click Browse. The File Upload dialog displays.
3 Select the file.
4 Click Upload.

MANAGING PORTS ON THE SM 9800 OR SOHO W FIREWALL

The Network > PortShield Groups page for the SM 9800 or SOHO W firewall has a different look. The information on this page combines the information on the Port Graphics tab (see Viewing Interfaces (Ports) on the Port Graphics Tab) and Port Configuration tab (Viewing Status of and Editing PortShield Interfaces on the Port Configuration Tab).

You configure firewall interfaces as described in Configuring PortShield Groups.

Configuring PortShield Groups

PortShield groups can be configured on several different pages in the GMS management interface:
• Configuring PortShield Interfaces on Network > Interfaces
• Configuring PortShield Interfaces with the PortShield Interface Guide
• Configuring PortShield Interfaces on Network > PortShield Groups
• Configuring External Switch PortShield Groups from the Port Graphics Tab

CONFIGURING PORTSHIELD INTERFACES ON NETWORK > INTERFACES

IMPORTANT: For a port to be an interface, it must be configured with an IP address. Otherwise, the port is not listed in the PortShield Interface drop-down menu.

To configure a PortShield interface:
1 Navigate to the Network > Interfaces page.
2 In the Interface Settings table, click the Configure icon for the interface you want to configure. The Edit Interface dialog displays.
3 In the Zone drop-down menu, select the zone type to which you want to map the interface. More options display. NOTE: You can add PortShield interfaces only to Trusted, Public, and Wireless zones.
4 In the Mode / IP Assignment drop-down menu, select PortShield Switch Mode. The options change again.
5 From the PortShield to drop-down menu, select the interface to which you want to map this port. Only ports that match the zone you have selected are displayed.
6 Click OK.

Configuring PortShield Interfaces with the PortShield Interface Guide

You can configure PortShield interfaces through the PortShield Interface Guide. You can access the PortShield Interface Guide in these ways:
• Clicking Wizards in the upper right-hand corner of any UI page. The Configuration Guide displays; select the PortShield Interface Guide.
• On the Network > Interfaces page on a TZ Series or SOHO W firewall, click the PortShield Wizard button to display the PortShield Interface Guide.

Configuring PortShield Interfaces on Network > PortShield Groups

The Port Graphics tab (section for the SOHO W and SM 9800 firewalls) of the Network > PortShield Groups page displays a graphical representation of the current configuration of PortShield interfaces. For a description of the graphic display, see Viewing Interfaces (Ports) on the Port Graphics Tab.

You can manually group ports using the graphical PortShield Groups interface by clicking on the ports you want to group. Grouping ports allows them to share a common network subnet as well as common zone settings.

NOTE: Interfaces must be configured before being grouped with PortShield.

To configure PortShield groups:
1 In the port graphic, select the interface(s) you want to configure as part of a PortShield group. The interfaces turn yellow.
2 Click the Configure button. The Edit Switch Port dialog displays.
3 From the Port Enable drop-down menu, select whether you want to enable or disable the interfaces. The default is Enabled.
4 From the PortShield Interface drop-down menu, select which interface you want to assign as the master interface for these PortShield interfaces. The default is Unassigned.
5 From the Link Speed drop-down menu, select the link speed for the interfaces:
  • Auto Negotiate (default)
  • 1000 Mbps — Full Duplex
  • 100 Mbps — Full Duplex
  • 100 Mbps — Half Duplex
  • 10 Mbps — Full Duplex
  • 10 Mbps — Half Duplex
6 Click OK.

Configuring External Switch PortShield Groups from the Port Graphics Tab

IMPORTANT: When an extended switch has been powered off and then the firewall is restarted (rebooted), it could take up to five minutes before the firewall discovers the extended switch and reports the Status of the switch as Connected.

When configuring extended switches in a PortShield group, it could take up to five minutes for the configuration to be displayed on the Network > PortShield Groups page.

IMPORTANT: Interfaces must be configured before being grouped with PortShield.

NOTE: For how to configure PortShield groups for various topographies, see the SonicWall X-Series Solution Deployment Guide.

NOTE: Extended switches are not supported on the SM 9800 or SOHO W firewall.

The Network > PortShield Groups page displays a graphical representation of the current configuration of PortShield interfaces on both the firewall and the extended (external) switch(es). If there is one external switch, there are two graphics; for two external switches, there are three graphics, and so on. The switch graphics are labeled with the switch model and the external switch ID: 1, 2, 3, 4.

You can manually group ports on the firewall and switch(es) together using the graphical PortShield Groups interface by clicking on the ports you want to group. Grouping ports allows them to share a common network subnet as well as common zone settings.

To configure PortShield groups with external switches:
1 Configure the ports on the firewall by following the procedure in Configuring PortShield Interfaces on Network > Interfaces.
2 In the port graphic for the external switch, select the interface(s) you want to configure as part of the PortShield group. The interfaces turn yellow.
3 Click the Configure button. The Edit Multiple Switch Ports dialog displays. The Name field is dimmed and cannot be modified. It displays the names of both the firewall’s and external switch’s ports you selected (n is the selected port):
  • Firewall ports are named Xn.
  • External switch 1 ports are named ES1 : n.
  • External switch 2 ports are named ES2 : n.
  • External switch 3 ports are named ES3 : n.
  • External switch 4 ports are named ES4 : n.
4 From the Port Enable drop-down menu, select:
  • Disabled
  • Enabled
  • — Keep Current Settings — (default) — By default, all ports on the extended switch are enabled.
5 From the PortShield Interface drop-down menu, select which interface you want to assign as the master interface for these PortShield interfaces:
  • Unassigned
  • Port name. IMPORTANT: For a port to be an interface, it must be configured with an IP address. Otherwise, the port is not listed in the PortShield Interface drop-down menu.
  • —Keep Current Settings— (default)
  NOTE: PortShield options could be disabled for external switch ports. Ports that are portshielded here are configured automatically as access VLANs for the corresponding PortShield VLAN.
6 From the Link Speed drop-down menu, select the link speed for the interfaces:
  • Auto Negotiate
  • 1000 Mbps — Full Duplex
  • 100 Mbps — Full Duplex
  • 100 Mbps — Half Duplex
  • 10 Mbps — Full Duplex
  • 10 Mbps — Half Duplex
  • — Keep Current Settings — (default) — By default, the link speed for all ports on the extended switch is set to Auto Negotiate.
7 Click OK.

MANAGING PORTSHIELD GROUPS WITH X-SERIES SWITCHES

IMPORTANT: When an extended switch has been powered off and then the firewall is restarted (rebooted), it could take up to five minutes before the firewall discovers the extended switch and reports the Status of the switch as Connected.

When configuring extended switches in a PortShield group, it may take up to five minutes for the configuration to be displayed on the Network > PortShield Groups page.

The Network > PortShield Groups page displays two tabs:
• Port Config
• Switch Config

Topics:
• Viewing Status of and Editing PortShield Interfaces on the Port Config Tab
• Viewing and Managing the Switch Config Tab

Viewing Status of and Editing PortShield Interfaces on the Port Config Tab

Viewing status of and editing the PortShield interfaces for TZ series appliances with an X-Series switch is the same as for an NSA series or SM series appliance. The only difference is that the ports for the extended switch(es) are also displayed, with the port names for the first extended switch prefixed with ES1: and those for the second switch (if present) prefixed with ES2:.

Viewing and Managing the Switch Config Tab

Topics:
• External Switch Config Table
• Adding/Deleting an Extended Switch

External Switch Config Table

• ID – The ID number of the external switch: 1 or 2.
• Model – The model number of the extended switch.
• IP Address – The IP address of the extended switch.
• Switch Management – The switch port used for management traffic.
• Firewall Uplink – The port on the firewall configured as the firewall uplink. If no firewall port has been configured as the firewall uplink, the column displays None.
• Switch Uplink – The port on the extended switch configured as the switch uplink. If no switch port has been configured as the switch uplink, the column displays None.
• Configure – Contains the:
  • Edit icon – Click to display the Edit External Switch dialog.
  • Delete icon – Click to delete the switch entry.

Adding/Deleting an Extended Switch

See the SonicWall X-Series Solution Deployment Guide.

Configuring Firewall Dynamic Host Configuration Protocol

This section describes how to use the SonicWall™ Global Management System (GMS) to configure SonicWall appliances as DHCP servers. Dynamic Host Configuration Protocol (DHCP) enables network administrators to automate the assignment of IP addresses from a centralized DHCP server. This conserves IP addresses and makes it easy for mobile users to move among different segments of the network without having to manually enter new IP addresses. This section includes the following:
• Configuring DHCP Settings
• Configuring DHCP Over VPN
• Configuring Dynamic DHCP IP Address Ranges
• Configuring Static IP Addresses
• Configuring DHCP Option Objects
• Configuring DHCP Option Groups
• Configuring General DHCP Settings

DHCP Server Options Overview

For SonicWall appliances running SonicOS Enhanced 4.0 and above, the SonicWall DHCP server options feature provides support for DHCP options, also known as vendor extensions, as defined primarily in RFCs 2131 and 2132. DHCP options allow you to specify additional DHCP parameters in the form of pre-defined, vendor-specific information that is stored in the options field of a DHCP message. When the DHCP message is sent to clients on the network, it provides vendor-specific configuration and service information. The SonicOS Enhanced Administration Guide provides a list of DHCP options by RFC-assigned option number.

SonicWall GMS provides a way to define DHCP options using a drop-down list based on RFC-defined option numbers, allowing administrators to easily create DHCP objects and object groups, and configure DHCP generic options for dynamic and static DHCP lease scopes. Once defined, the DHCP option is included in the options field of the DHCP message, which is then passed to DHCP clients on the network, describing the network configuration and service(s) available.

Configuring DHCP Over VPN

NOTE: This screen is available at the unit/appliance level only.

DHCP over VPN enables clients of the SonicWall appliance to obtain IP addresses from a DHCP server at the other end of the VPN tunnel or a local DHCP server.

To configure DHCP over VPN, complete the following steps:
1 Select the global icon, a group, or a SonicWall appliance.
2 Expand the DHCP tree and click DHCP over VPN. The DHCP over VPN page displays.
3 Select from the following:
  • To configure the SonicWall appliance to forward DHCP requests through a VPN tunnel, select Remote Gateway from the DHCP Relay Mode list box and complete the following steps:
    • Select the security association (SA) through which the DHCP server resides from the Obtain using DHCP through this SA list box.
    • Enter the IP address that is inserted by the SonicWall appliance as the IP address of the DHCP Relay Agent in the Relay IP Address field.
    • To manage this SonicWall appliance remotely through the VPN tunnel from behind the Central Gateway, enter the management IP address in the Remote Management IP Address field.
    • If you enable Block traffic through tunnel when IP spoof detected, the SonicWall blocks any traffic across the VPN tunnel that is spoofing an authenticated user’s IP address. If you have any static devices, however, you must ensure that the correct Ethernet address is entered for the device.
    • If the VPN tunnel is disrupted, temporary DHCP leases can be obtained from the local SonicWall appliance. Once the tunnel is active again, it stops issuing leases. To enable this option, select Obtain temporary lease from local DHCP server if tunnel is down. When you enable this option, clients are able to obtain IP addresses if the tunnel is unavailable. To ensure that clients use the remote DHCP server shortly after it becomes available, enter a short lease time in the Temporary Lease Time field. The default value is two minutes. Make sure to enable DHCP and enter an IP address range on the DHCP Setup page. Otherwise, the SonicWall appliance is unable to act as a DHCP server.
    • To specify static IP addresses on the LAN (WorkPort), enter the IP address and MAC address and click Add. Repeat this step for each device that uses a static IP address.
    • To specify a device that is not allowed to obtain an IP address through the SA, enter its MAC address and click Add. Repeat this step for each device that is not allowed to obtain an IP address through the SA.
  • To configure the SonicWall appliance to forward DHCP requests to local servers, select Central Gateway from the DHCP Relay Mode list box and complete the following steps:
    • To configure the SonicWall appliance to send DHCP requests to specific DHCP servers, select Send DHCP requests to the server addresses listed below. Then, enter the IP address of a DHCP server and click Add. Repeat this step for each DHCP server that you want to add.
    • To configure the SonicWall appliance to broadcast DHCP requests, deselect Send DHCP requests to the server addresses listed below and leave the DHCP Servers field blank.
    • To use the DHCP server built into the SonicWall appliance for some clients, select Use Internal DHCP Server. To use the internal DHCP server for Global VPN clients, select For Global VPN Client. To use the internal DHCP server for remote firewalls, select For Remote Firewalls.
4 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

Configuring DHCP Settings

To configure the DHCP Server Settings, complete the following steps:
1 The DHCP > Settings page displays IPv4 and IPv6 radio buttons. Select a button to view the desired IP version.
2 Click Enable DHCP Server to enable the DHCP server. Or, if IPv6 is selected, click Enable DHCPv6 Server.
3 Select from the following options:
  • To enable conflict detection, click Enable Conflict Detection.
  • To enable DHCP server persistence, click Enable DHCP Server Persistence. When DHCP Server is enabled, this setting allows the current state of the DHCP leases in the network to be periodically written to flash. Upon reboot, the system restores the previous DHCP server network DHCP IP allocation knowledge, based upon the IP/Lease times stored in Flash.
  • Enter a value (in minutes) for DHCP Server Persistence Monitoring Interval. This setting controls how often changes in the network are examined, and if necessary, written to flash.
4 Click Update when finished.

Configuring Dynamic DHCP IP Address Ranges

NOTE: This screen is available at the unit/appliance level only. The images and steps that follow reflect the management interface of SonicWall appliances running SonicOS 5.9 and above firmware versions.

To configure one or more dynamic IP address ranges, complete the following steps:
1 Select a SonicWall appliance.
2 Expand the DHCP tree and click Dynamic Ranges. The Dynamic Ranges page displays.
3 To add or edit a dynamic range, do one of the following:
  • To add a dynamic range, click Add Dynamic Range.
  • To edit an existing dynamic range, click the icon in the Configure button in the Edit Dynamic Range column.
  The DHCP Setup dialog for Dynamic Ranges is displayed.
4 In the DHCP Setup dialog box, on the General tab, complete the following fields:
  • Select IPv4 or IPv6 from the IP Version drop-down list. The configuration procedures for IPv4 and IPv6 are nearly identical.
  • Select Enable this DHCP Scope to enable the DHCP range. Deselect it to disable the range.
  • Enter the start of the range in the Range Start field.
  • Enter the end of the range in the Range End field.
  • In the Lease Time field, type the number of minutes that an IP address is used before another IP address is issued (or the same one is re-issued). 1440 minutes (24 hours) is the default value.
  • Specify the IP address and subnet mask of the default gateway for this IP address range in the Default Gateway and Subnet Mask fields. By default, these fields use the settings on the Network Settings page.
  • Select Interface Pre-Populate, and then select an interface from the drop-down menu. NOTE: This check box is only available when adding a new DHCP Dynamic Range.
  • Select Allow BootP clients to use range if you have BootP clients on this network. BootP stands for bootstrap protocol, which is a TCP/IP protocol and service that allows diskless workstations to obtain their IP address, other TCP/IP configuration information, and their boot image file from a BootP server.
5 Click the DNS/WINS tab.
6 In the DHCP Setup dialog box, on the DNS/WINS tab, complete the following fields:
  • Optionally enter the domain name associated with this IP address range in the Domain Name field.
  • To configure one or more DNS servers for this range, do one of the following:
    • To use the DNS servers specified on the Network Settings page, select Set DNS Servers using SonicWall’s Network settings.
    • To specify the DNS servers manually for this IP address range, select Specify Manually and then type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
  • If you have WINS running on your network, type the WINS server IP address in the WINS Server 1 field. You can add an additional WINS server.
7 For units running SonicOS Enhanced 4.0 and above, click the Advanced tab. This tab allows you to configure the SonicWall DHCP server to send Cisco Call Manager information to VoIP clients on the network, and to configure DHCP generic options for lease scopes.
8 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses. For more information about configuring VoIP, refer to Configuring Voice over IP Settings.
9 To configure a DHCP lease scope, select a DHCP option or option group in the DHCP Generic Option Group pull-down menu.
10 To always use DHCP options for this DHCP server lease scope, select Send Generic options always.
11 When you are finished, click OK. The settings are saved. To clear all screen settings and start over, click Cancel.

Configuring Static IP Addresses

Static entries are IP addresses assigned to servers requiring permanent IP settings. The DHCP > Static Entries page displays IPv4 and IPv6 addresses. The configuration procedures for IPv6 are nearly identical to those for IPv4.

NOTE: This screen is available at the unit/appliance level only.

To configure one or more static IP addresses, complete the following steps:
1 Select a SonicWall appliance.
2 Expand the DHCP tree and click Static Entries. The Static Entries page displays.
3 Click the check box for the static entry you wish to enable, then click Update.
4 To add or edit a static entry, do one of the following:
  • To add a static entry, click Add Static Entry.
  • To edit an existing static entry, click the icon in the Edit Static Entry column.
  The DHCP Setup dialog for Static Entries is displayed.
5 In the DHCP Setup dialog box, on the General tab, complete the following fields:
  • Select IPv4 or IPv6 from the IP Version drop-down menu.
  • Select Enable this DHCP Scope to enable this static DHCP scope. Deselect it to disable the scope.
  • Type a descriptive name for this static DHCP entry in the Entry Name field.
  • Type the IP address of the device in the Static IP Address field.
  • Enter the Ethernet (MAC) address of the device in the Ethernet Address field.
  • In the Lease Time field, type the number of minutes that an IP address is used before it is re-issued. 1440 minutes (24 hours) is the default value.
  • Specify the IP address and subnet mask of the default gateway for this IP address in the Default Gateway and Subnet Mask fields. By default, these fields use the settings on the Network Settings page.
  • Select Interface Pre-Populate, and then select an interface from the drop-down menu. NOTE: This check box is only available when adding a new DHCP Static Entry.
6 To add a static IP address, click Add Static Entry and complete the following fields:
  • Specify the IP address and subnet mask of the default gateway for this IP address in the Default Gateway and Subnet Mask fields. By default, these fields use the settings on the Network Settings page.
  • Enter the lease time for this IP address in the Lease Time field.
7 Click the DNS/WINS tab.
8 In the DHCP Setup dialog box, on the DNS/WINS tab, complete the following fields:
  • If you have a domain name associated with this IP address, enter it in the Domain Name field.
  • To configure one or more DNS servers for this range, do one of the following:
    • To inherit DNS settings dynamically from the SonicWall appliance’s DNS settings, click Inherit DNS Settings Dynamically from the SonicWall’s DNS settings.
    • To specify the DNS servers manually for this IP address, select Specify Manually and then type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
  • If you have WINS running on your network, type the WINS server IP address in the WINS Server 1 field. You can add an additional WINS server.
9 For units running SonicOS Enhanced 4.0 and above, click the Advanced tab. This tab allows you to configure the SonicWall DHCP server to send Cisco Call Manager information to VoIP clients on the network, and to configure DHCP generic options for lease scopes.
10 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You can add two additional VoIP Call Manager addresses. For more information about configuring VoIP, refer to Configuring Voice over IP Settings.
11 Under Network Boot Settings, in the Next Server field, enter the IP address of the PXE boot server (TFTP server) that a PXE client uses during the next stage of the boot process. The fields under Network Boot Settings are used in a Pre-boot Execution Environment (PXE), in which the client boots up using files obtained over a network interface. The PXE client obtains the IP address and name of the PXE boot server, and the boot file name, from the DHCP server. When using these options, select PXE under DHCP Generic Options.
12 In the Boot File field, type in the name of the boot file that the PXE client can get over TFTP from the PXE boot server.
13 To configure a DHCP lease scope, select a DHCP option or option group in the DHCP Generic Option Group pull-down menu.
14 To always use DHCP options for this DHCP server lease scope, select Send Generic options always.
15 When you are finished, click OK. The settings are saved. To clear all screen settings and start over, click Cancel.
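The dialogs above accept any values, and a range that straddles its gateway, two ranges that overlap, or a static entry that sits inside a dynamic range all end in address conflicts that Enable Conflict Detection only discovers at lease time. The following is an added example, not SonicWall code: a pre-push check that models the Dynamic Ranges fields (Range Start/End, Default Gateway, Subnet Mask, Lease Time) and the Static Entries fields (Static IP Address, Ethernet Address) and reports those mistakes. The scope data is constructed for illustration.

```python
"""Sanity-check DHCP dynamic ranges and static entries before pushing them (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations


@dataclass
class DynamicRange:
    name: str
    range_start: str
    range_end: str
    default_gateway: str
    subnet_mask: str
    lease_minutes: int = 1440      # 24 hours, the default in the dialog
    enabled: bool = True


@dataclass
class StaticEntry:
    name: str
    static_ip: str
    ethernet_address: str
    enabled: bool = True


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or colon form; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad Ethernet address: {mac}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def validate(ranges: list[DynamicRange], statics: list[StaticEntry]) -> list[str]:
    """Return a list of problems; an empty list means the scopes are consistent."""
    problems: list[str] = []
    live = []   # (range, start, end) for every enabled range

    for r in ranges:
        if not r.enabled:
            continue
        start = ipaddress.IPv4Address(r.range_start)
        end = ipaddress.IPv4Address(r.range_end)
        gw = ipaddress.IPv4Address(r.default_gateway)
        net = ipaddress.IPv4Network(f"{r.default_gateway}/{r.subnet_mask}", strict=False)
        if start > end:
            problems.append(f"{r.name}: Range Start is after Range End")
        if start not in net or end not in net:
            problems.append(f"{r.name}: range is outside the gateway's subnet {net}")
        if start <= gw <= end:
            problems.append(f"{r.name}: Default Gateway {gw} lies inside the dynamic range")
        if r.lease_minutes <= 0:
            problems.append(f"{r.name}: Lease Time must be a positive number of minutes")
        live.append((r, start, end))

    # Two enabled ranges must never hand out the same addresses.
    for (a, a0, a1), (b, b0, b1) in combinations(live, 2):
        if a0 <= b1 and b0 <= a1:
            problems.append(f"{a.name} and {b.name}: dynamic ranges overlap")

    # A static lease inside a dynamic range is a conflict waiting to happen,
    # and one MAC must not be bound to two addresses.
    seen_macs: dict[str, str] = {}
    for s in statics:
        if not s.enabled:
            continue
        ip = ipaddress.IPv4Address(s.static_ip)
        for r, r0, r1 in live:
            if r0 <= ip <= r1:
                problems.append(f"{s.name}: static IP {ip} falls inside dynamic range {r.name}")
        mac = normalize_mac(s.ethernet_address)
        if mac in seen_macs:
            problems.append(f"{s.name}: Ethernet address {mac} already used by {seen_macs[mac]}")
        seen_macs[mac] = s.name
    return problems


def sample_config() -> tuple[list[DynamicRange], list[StaticEntry]]:
    """Constructed scopes: LAN is clean; Guest has its gateway inside the range;
    one static entry sits in the LAN range and one reuses a MAC."""
    ranges = [
        DynamicRange("LAN", "192.168.1.100", "192.168.1.200", "192.168.1.1", "255.255.255.0"),
        DynamicRange("Guest", "10.0.0.10", "10.0.0.50", "10.0.0.30", "255.255.255.0"),
    ]
    statics = [
        StaticEntry("nas", "192.168.1.20", "00-11-22-33-44-55"),
        StaticEntry("printer", "192.168.1.150", "00:11:22:33:44:66"),
        StaticEntry("nas-old", "192.168.1.21", "0011.2233.4455"),
    ]
    return ranges, statics


if __name__ == "__main__":
    for problem in validate(*sample_config()):
        print(problem)
```

Run the check against the values you intend to enter, and again after an edit to an existing range, since widening a range is the usual way a previously valid static entry ends up inside it.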

Configuring DHCP Option Objects

NOTE: This screen is available at the unit/appliance level only for units running SonicOS Enhanced 4.0 and above.

This section describes how to configure DHCP Option Objects. DHCP Option Objects can be used when setting DHCP Generic Options for DHCP Dynamic Ranges or Static Entries.

To configure DHCP Option Objects:
1 Expand the DHCP tree and click Option Objects.
2 Click Add New Object or the Configure icon for an existing object. The Add/Edit DHCP Option Objects page displays.
3 Type a name for the option in the Option Name field.
4 From the Option Number pull-down list, select the option number that corresponds to your DHCP option.
5 Optionally check Option Array to allow entry of multiple option values in the Option Value field.
6 The option type displays in the Option Type pull-down menu. The pull-down menu is functional only if multiple option numbers are available.
7 Type the option value, for example, an IP address, in the Option Value field. If Option Array is checked, multiple values can be entered, separated by a semi-colon (;).
8 Click OK. The object displays in the DHCP Option Object Settings list.
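The DHCP Server Options Overview above says an Option Object (option number, type, value, with several values separated by semicolons when Option Array is checked) ends up in the options field of the DHCP message as defined in RFC 2132. The following is an added example, not SonicWall code: it encodes such objects into the RFC 2132 type-length-value wire format, and parses an options field back with the length checks a server or client needs when the bytes come from an untrusted peer. The option-number table is an assumed subset of RFC 2132 chosen for the example, and the sample objects are constructed.

```python
"""Encode GMS-style DHCP Option Objects into an RFC 2132 options field and parse it back (added example)."""
from __future__ import annotations

import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # 99.130.83.99, RFC 2132 section 2
END, PAD = 255, 0

# Assumed subset of RFC 2132 option numbers and the type of their value.
OPTION_TYPES: dict[int, str] = {
    6: "ip",        # Domain Name Server
    15: "string",   # Domain Name
    42: "ip",       # NTP Servers
    51: "uint32",   # IP Address Lease Time (seconds)
    66: "string",   # TFTP Server Name
    67: "string",   # Bootfile Name
}


def encode_option(number: int, value: str, option_array: bool = False) -> bytes:
    """One TLV (code, length, data) from the Option Number / Value / Array fields."""
    kind = OPTION_TYPES[number]
    values = [v.strip() for v in value.split(";")] if option_array else [value]
    if kind == "ip":
        data = b"".join(ipaddress.IPv4Address(v).packed for v in values)
    elif kind == "uint32":
        data = b"".join(struct.pack("!I", int(v)) for v in values)
    else:
        if option_array:
            raise ValueError(f"option {number} is a string and cannot be an array")
        data = value.encode("ascii")
    if not 1 <= len(data) <= 255:                 # length is a single byte on the wire
        raise ValueError(f"option {number}: data length {len(data)} not in 1..255")
    return bytes([number, len(data)]) + data


def encode_options_field(objects: list[tuple[int, str, bool]]) -> bytes:
    """Whole options field: magic cookie, the TLVs of an Option Group, END."""
    return MAGIC_COOKIE + b"".join(encode_option(*o) for o in objects) + bytes([END])


def decode_options_field(buf: bytes) -> dict[int, list[str]]:
    """Parse an options field; raise ValueError on any malformed or truncated option."""
    if buf[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    out: dict[int, list[str]] = {}
    i = 4
    while i < len(buf):
        code = buf[i]
        if code == END:
            return out
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError(f"option {code}: length byte missing")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:                   # declared length exceeds the buffer: reject, never over-read
            raise ValueError(f"option {code}: declared {length} bytes, only {len(data)} present")
        i += 2 + length
        kind = OPTION_TYPES.get(code)
        if kind in ("ip", "uint32"):
            if length % 4:
                raise ValueError(f"option {code}: length {length} is not a multiple of 4")
            chunks = [data[j:j + 4] for j in range(0, length, 4)]
            if kind == "ip":
                out[code] = [str(ipaddress.IPv4Address(c)) for c in chunks]
            else:
                out[code] = [str(struct.unpack("!I", c)[0]) for c in chunks]
        elif kind == "string":
            out[code] = [data.decode("ascii", errors="replace")]
        else:
            out[code] = [data.hex()]              # unknown option: keep the raw bytes as hex
    raise ValueError("options field not terminated by END")


def is_well_formed(buf: bytes) -> bool:
    """True if the field parses cleanly, False on any ValueError."""
    try:
        decode_options_field(buf)
        return True
    except ValueError:
        return False


def sample_option_group() -> list[tuple[int, str, bool]]:
    """Constructed Option Objects as (Option Number, Option Value, Option Array)."""
    return [
        (6, "192.168.1.10; 192.168.1.11", True),   # two DNS servers, array form
        (15, "corp.example", False),
        (51, "86400", False),                      # lease time in seconds
    ]


if __name__ == "__main__":
    field = encode_options_field(sample_option_group())
    print(field.hex())
    print(decode_options_field(field))
```

The encoder shows why the dialog restricts arrays by type: an IP or integer array is just repeated fixed-size values, while a string option is one value whose length fits a single byte. The decoder's length check is the part that matters for anything listening on UDP 67/68, because a declared length larger than the remaining bytes is the classic way a DHCP parser is made to read past its buffer.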

Configuring DHCP Option Groups

NOTE: This screen is available at the unit/appliance level only for units running SonicOS Enhanced 4.0 and above.

This section describes how to configure DHCP Option Groups.

To configure DHCP Option Groups:
1 Expand the DHCP tree and click Option Groups.
2 Click Add New Group or the Configure icon for an existing group. The Add/Edit DHCP Option Group page displays.
3 Type a name for the group in the Name field.
4 To add DHCP Option Objects to the group, select one or more objects on the left side and click the arrow to move them to the right.
5 To remove DHCP Option Objects from the group, select one or more objects on the right side and click the arrow to move them to the left. Or, click Remove All to remove all objects from the group.
6 When finished, click OK.

Configuring General DHCP Settings

NOTE: This screen is available at the Group level only.

This section describes how to configure general DHCP settings for a group of appliances. The settings in the Policies > DHCP > Settings page apply to all appliances in the selected group, depending on their inheritance settings.

To configure general DHCP settings, complete the following steps:
1 Select the global icon or a group name.
2 Expand the DHCP tree and click Settings. The DHCP Server Settings page displays.
3 Select from the following:
  • To enable the DHCP server, select Enable DHCP Server.
  • To disable the DHCP server, deselect Enable DHCP Server.
  • To enable conflict detection, select Enable Conflict Detection.
  • To disable conflict detection, deselect Enable Conflict Detection.
  • To disable the DHCP server and configure computers on the LAN (WorkPort) to use a DHCP server outside the firewall, deselect Enable DHCP Server and select Allow DHCP Pass Through.
  • When Enable DHCP Server Persistence is selected, the setting allows the current state of the DHCP leases in the network to be periodically written to Flash. Upon reboot, the system restores the previous DHCP Server network DHCP IP allocation knowledge based upon the IP/Lease times stored in Flash.
4 When you are finished, click Update. The settings are saved. To clear all screen settings and start over, click Reset.

Configuring Trusted DHCP Relay Agents

This section describes how to configure trusted DHCP relay agents. The settings for this feature are configured in the Policies > DHCP > Trusted Agents page.

To configure a trusted DHCP relay agent, complete the following steps:
1 Navigate to the Policies > DHCP > Trusted Agents screen in the SonicWall GMS user interface.
2 Click Enable Trusted DHCP Relay Agent List to enable this feature.
3 Choose a Trusted Relay Agent List from the pull-down menu.
NOTE: The default selection for the trusted agent list is the “Default Trusted Relay Agent List” address group. The entries for this address group are defined in the Firewall > Address Objects page.
4 Click Update to confirm your changes.

Configuring Switching

This section describes how to configure advanced switching on a SonicWall appliance, which is different from managing a SonicWall X-Series switch from a TZ appliance. For SonicWall™ Global Management System (GMS), switching is supported only on appliances running SonicOS 5.9 or higher.

For an overview of switching and configuration procedures, refer to the following:
• Overview of Switching
• Configuring VLAN Trunking
• Configuring Rapid Spanning Tree
• Configuring Link Aggregation
• Configuring Port Mirroring
• Configuring Layer 2 QoS
• Configuring Rate Control
• Configuring Port Security
• Switching Glossary

Overview of Switching

NOTE: Switching is available on all products except the NSA 2600, TZ series, and SOHO W appliances.

NOTE: This section describes advanced switching in SonicOS, which is different from managing a SonicWall X-Series switch from a TZ appliance.

Select SonicWall appliances provide combined security and switching solutions. Layer 2 switching features enhance the deployment and interoperability of SonicWall devices within existing Layer-2 networks. The unique PortShield architecture provides flexible, intelligent switching capabilities, increased port density with 26 interfaces, and advanced switching features.

NOTE: The advanced switching features are supported only on NSA and SuperMassive platforms.

The advanced switching features on a network security appliance provide the following benefits:
• Increased port density – With one appliance providing 26 interfaces, including 24 switch ports, you can decrease the number of devices on your internal network.
• Increased security across multiple switch ports – The PortShield architecture provides the flexibility to configure all 26 LAN switch ports into separate security zones such as LANs, WLANs and DMZs, providing protection not only from the WAN and DMZ, but also between devices inside the LAN. Effectively, each security zone has its own wire-speed ‘mini-switch’ that benefits from the protection of a dedicated deep packet inspection firewall.

The switching features have their own menu group in the left navigation pane of the SonicOS management interface.

Some switching features operate on PortShield Groups and require preliminary configuration on the Network > PortShield Groups page. Some operate on existing Network > Interface configurations. The Port Security feature uses MAC address objects. For more information about configuring these related features in SonicOS, see the corresponding sections:
• Configuring Interface Settings
• Configuring PortShield Groups

Configuring VLAN Trunking

VLAN Trunking simplifies VLAN management and configuration by reducing the need to configure VLAN information on every switch. Unassigned switch ports can function as VLAN trunk ports.

You can enable or disable VLANs on the trunk ports, allowing the existing VLANs to be bridged to respective VLANs on another switch connected through the trunk port. 802.1Q encapsulation is supported on the trunk ports. A maximum of 25 VLANs can be enabled on each trunk port.

The VLAN trunking feature provides the following functions:
• Change VLAN IDs of existing PortShield groups
• Add/delete VLAN trunk ports
• Enable/disable VLANs on the trunk ports

The allowed VLAN ID range is 1-4094. Some VLAN IDs are reserved for PortShield use. The reserved range is displayed in the management interface. You can mark certain PortShield groups as “Trunked”. After the PortShield group is dismantled, the associated VLAN is automatically disabled on the trunk ports.

VLANs can exist locally in the form of PortShield groups or can be totally remote VLANs. You can change the VLAN ID of PortShield groups on the SonicWall appliance. This allows easy integration with existing VLAN numbering. Unlike traditional Layer 2 switches, SonicWall appliances do not allow changing port VLAN membership in an ad hoc manner. VLAN membership of a port must be configured through PortShield configuration. For more information about configuring PortShield groups, see Configuring PortShield Groups.

A virtual interface (called the VLAN Trunk Interface) is automatically created for remote VLANs. When the same remote VLAN is enabled on another trunk port, no new interface is created. All packets with the same VLAN tag ingressing on different trunk ports are handled by the same virtual interface. This is a key difference between VLAN sub-interfaces and VLAN trunk interfaces. The Network > Interfaces page displays the VLAN Trunk Interfaces for the VLAN trunks.

You can enable any VLAN, local or remote, on a VLAN trunk to allow bridging to respective VLANs on another switch.

The VLAN Table on the Switching > VLAN Trunking page displays the trunk port, after the VLAN is enabled on the VLAN trunk.

The diagram illustrates a VLAN trunk with two trunk ports, bridging the Sales, Engineering, QA, and Finance VLANs through an NSA 2400MX. Each remote VLAN was enabled on VLAN trunk port X20 initially, causing the creation of four virtual VLAN trunk interfaces. When these VLANs were also enabled on trunk port X21, no new virtual interfaces were created.

VLAN trunk with two trunk ports

VLAN trunking interoperates with Rapid Spanning Tree Protocol (RSTP), Link Aggregation and Port Mirroring features. A VLAN trunk port can be mirrored, but cannot act as a mirror port itself. You cannot enable Static port security on the VLAN trunk port. Ports configured as VLAN trunks cannot be used for any other function and are reserved for use in Layer 2 only. For example, you cannot configure an IP Address for the trunk ports. When a Trunk VLAN interface has been configured on a particular trunk port, that trunk port cannot be deleted until the VLAN interface is removed, even though the VLAN is enabled on multiple trunk ports. This is an implementation limitation and will be addressed in a future release.

Refer to the following for configuration procedures:
• Editing VLANs
• Adding a VLAN Trunk Port
• Deleting a VLAN Trunk Port
• Enabling a VLAN on a Trunk Port

EDITING VLANS

To edit a VLAN, complete the following steps:
1 On the Switching > VLAN Trunking page, click the Configure icon in the VLAN Table row for the VLAN ID you want to edit.
2 In the Edit Vlan for PortShield window, do one of the following:
• Type a different VLAN ID into the Vlan ID field. You can enter any VLAN ID except the original system-specified VLAN ID or any others in the Reserved VLAN IDs.
• Use the VLAN ID number in the Vlan ID field that matches the one for which you clicked the Configure icon.
3 To enable trunking for this VLAN, select Trunked. To disable trunking for this VLAN, clear the check box.
4 Click OK.

ADDING A VLAN TRUNK PORT

To add a VLAN trunk port, complete the following steps:
1 On the Switching > VLAN Trunking page under VLAN Trunks, click Add.
2 In the Add VLAN Trunk Port window, select the port to add from the Trunk Port drop-down list.
NOTE: This port cannot be a mirror port.
3 Click OK.

DELETING A VLAN TRUNK PORT

To delete one or more VLAN trunk ports, complete the following steps:
1 On the Switching > VLAN Trunking page under VLAN Trunks, select one or more check boxes for the VLAN trunk ports you want to delete.
2 Click the Delete link. You can also click the Trash icon to delete a single VLAN trunk port.
3 Click OK in the confirmation dialog box.

ENABLING A VLAN ON A TRUNK PORT

To enable a custom VLAN ID on a specific trunk port, complete the following steps:
1 On the Switching > VLAN Trunking page under VLAN Trunks, click Enable VLAN.
2 In the Enable VLAN window, select a trunked port from the Trunked Port drop-down list. This is the port that you want to use to trunk the VLAN ID indicated in the next field.
3 In the VLAN ID field, type in the VLAN ID to be trunked. This can be a VLAN ID on another switch.
4 Click OK.

Configuring Rapid Spanning Tree

Rapid Spanning Tree Protocol allows for redundancy in case a connection goes down, while preventing loops from being formed when switches or bridges are interconnected through multiple paths.

The Rapid Spanning Tree Protocol (RSTP) is implemented to support Layer 2 network designs with redundant paths. SonicWall’s RSTP implementation conforms to the IEEE 802.1D-2004 specification. The 802.1D specification is VLAN unaware and creates a common spanning tree (CST) that is applied to all VLANs present in the network. The RSTP implementation is backward compatible with the original 802.1D standard (STP).

RSTP supports configuration of the following objects:
• Bridge Priority
• Trunk ports on which RSTP is enabled/disabled
• Port Priority
• Port Cost
• Hello Time
• Forward Delay

Auto detection of non-edge ports is not supported. A non-edge port is one that is connected directly to an end-user computer such as a PC or laptop. You can enable/disable RSTP on VLAN trunk ports only. By default, RSTP is disabled on trunk ports. You should enable the RSTP before completing physical network connectivity between the SonicWall appliance and another switch. When the SonicWall appliance is booting up, ports are disabled until Spanning Tree configuration is applied. The appliance automatically soft-bridges the STP Bridge Protocol Data Units (BPDUs) between the ports to prevent loops when ports in the same VLAN (PortShield group or L2 Bridge mode) are connected to another switch. This allows the remote switch to detect that its ports are connected to another switch and it can automatically block certain ports.

You can view the following:
• Current port status (forwarding, discarding, blocking)
• Roles (root, designated, alternate, backup, disabled)
• Current Root Bridge ID, priority, and other information
• BPDU Rx/Tx counters

You can configure the following:
• Port Cost – Can be left in auto-mode, in which case the port cost is determined based on link speed.
• Port Priority – Defaults to interface number unless configured otherwise. A lower number means higher priority. Port priority is only important when ports are connected to the same switch and there is a possible loop. The port with the lower priority is blocked.

Refer to the following configuration procedures:
• Configuring Bridge Settings
• Configuring Port Settings

CONFIGURING BRIDGE SETTINGS

To configure the Bridge Settings on the Switching > Rapid Spanning Tree page, complete the following steps:
1 To specify the spanning tree protocol version to use, select one of the following from the Force Version drop-down list:
• RSTP Operation – Use Rapid Spanning Tree Protocol.
• STP Only – Use the original Spanning Tree Protocol.
2 To specify the priority of the root bridge, type the desired priority into the Bridge Priority field. The bridge priority has a maximum value of 61440, with the default value being 32768.
3 To specify the Hello time, type the desired number of seconds to allow into the Hello Time (secs) field. The Hello time is the time interval between transmission of BPDUs by the root bridge. The default is 3 and the range is 1 to 10 seconds. The Hello time is communicated to other switches by including it in the BPDU.
4 To specify the forward delay, type the desired number of seconds into the Forward Delay (secs) field. The forward delay is the time allowed for the listening and learning state. The default is 15 and the range is 4 to 30 seconds. The forward delay setting is communicated to other switches by including it in the BPDU.
5 When finished, click Apply.

CONFIGURING PORT SETTINGS

When port settings have been specified for an interface, the Port Settings table on the Switching > Rapid Spanning Tree page contains a row for that interface. A Configure icon is enabled for it unless Link Aggregation is enabled for the interface.

To configure the Port Settings on the Switching > Rapid Spanning Tree page, complete the following steps:
1 Under Port Settings, click the Configure icon in the row for the interface you want to edit.
2 In the Edit RSTP Settings window, select Enable RSTP to enable Rapid Spanning Tree Protocol for this interface. Clear the check box to disable RSTP on this interface.
3 To specify the path cost for the port, type the desired cost value (1-20000000) into the Port Path Cost field. If left in auto-mode, the port cost will be 200000. You can also assign an arbitrary cost value or base the cost on guidelines provided by the RSTP or STP specification. The cost is higher for lower bandwidth connections. According to some guidelines, the cost of a 1Gbps bandwidth connection would be 2, compared to the cost of 100 for a 10Mbps connection.
4 To specify the port priority, type the desired priority (0-15) into the Port Priority field. Your input is automatically multiplied by 16 when the settings are applied. A lower number indicates higher priority. Port priority is important when multiple ports are connected to the same switch and there is a possible loop. The port with the lower priority is blocked.

Configuring Link Aggregation

Aggregated ports provide increased performance through load balancing when connected to a switch that supports aggregation, and provide redundancy when connected to a switch or server that supports aggregation.

Link Aggregation allows port redundancy and load balancing in Layer 2 networks. Load balancing is controlled by the hardware, based on source and destination MAC address pairs. The Switching > Link Aggregation page provides information and statistics, and allows configuration of interfaces for aggregation. Static and Dynamic Link Aggregation are supported. Dynamic Link Aggregation is supported with the use of LACP (IEEE 802.1AX). Ports that are in the same VLAN (same PortShield Group) or are VLAN trunk ports are eligible for link aggregation. Up to four ports can be aggregated in a logical group and there can be four Logical Links (LAGs) configured.

Two main types of usage are enabled by this feature:
• Firewall to Server – This is implemented by enabling Link Aggregation on ports within the same VLAN (same PortShield Group). This configuration allows port redundancy, but does not support load balancing in the Firewall-to-Server direction because of a hardware limitation.
• Firewall to Switch – This is allowed by enabling Link Aggregation on VLAN trunk ports. Load balancing is automatically done by the hardware. The Firewall supports one load balancing algorithm based on source and destination MAC address pairs.

The diagram shows LAGs to a server and to a switch.

Similarly to PortShield configuration, you select an interface that represents the aggregated group. This port is called an aggregator. The aggregator port must be assigned a unique key. By default, the aggregator port key is the same as its interface number. Non-aggregator ports can be optionally configured with a key that can help prevent an erroneous LAG if the switch connections are wired incorrectly. Ports bond together if connected to the same link partner and their keys match. If there is no key configured for a port (if the port is in auto mode), it bonds with an aggregator that is connected to the same link partner. The link partner is discovered through LACP messages. A link partner cannot be discovered for Static link aggregation. In this case, ports aggregate based on keys alone. Like a PortShield host, the aggregator port cannot be removed from the LAG because it represents the LAG in the system.

NOTE: After link aggregation has been enabled on VLAN trunk ports, additional VLANs cannot be added or deleted on the LAG.

NOTE: If you need to enable RSTP on the LAG, first enable RSTP on the individual members and then enable link aggregation.

CREATING A LOGICAL LINK (LAG)

To create a Logical Link (LAG), complete the following steps:
1 On the Switching > Link Aggregation page, click Add.
2 In the Add LAG Port window, select the interface from the Port drop-down list.
3 To specify a key, clear Key and type the desired key into the text-field.
4 If this interface is the aggregator for the LAG, select Aggregator. Only one interface can be an aggregator for a LAG.
5 To enable LACP, select LACP Enable. Dynamic Link Aggregation is supported with the use of LACP. The link partner is discovered through LACP messages.
6 Click OK.
7 On the Switching > Link Aggregation page, click Add again.
8 In the Add LAG Port window, select the interface for the link partner from the Port drop-down list.
9 If you specified a key for the first interface (the aggregator), clear Key and type the same key into the text-field. If Auto-Detect was left enabled for the first interface, leave it enabled for this one as well.
10 Clear Aggregator. Only one interface can be an aggregator for a LAG.
11 Select LACP Enable.
12 Click OK.

Configuring Port Mirroring

Port Mirroring allows the administrator to easily monitor and inspect network traffic on one or more ports.

You can configure Port Mirroring on the SonicWall appliance to send a copy of network packets seen on one or more switch ports (or on a VLAN) to another switch port called the mirror port. By connecting to the mirror port, you can monitor the traffic passing through the mirrored port(s). A VLAN trunk port can be mirrored, but cannot act as a mirror port itself. The Switching > Port Mirroring page allows the administrator to assign mirror ports to mirror ingress, egress or bidirectional packets coming from a group of ports.

Refer to the following configuration procedures:
• Configuring a Port Mirroring Group
• Deleting a Port Mirroring Group

CONFIGURING A PORT MIRRORING GROUP

To create a new port mirroring group, complete the following steps:
1 On the Switching > Port Mirroring page, click New Group.
2 In the Add Mirror Group window, type a descriptive name for the group into the Interface Group Name field.
3 For the Direction, select one of the following:
• ingress – Select ingress to monitor traffic arriving on the mirrored port(s).
• egress – Select egress to monitor traffic being sent out on the mirrored port(s).
• both – Select both to monitor traffic in both directions on the mirrored port(s).
4 Select Enable to enable the port mirror.
5 In the All Interfaces list, select the port to mirror the traffic to and click the top right-arrow button to move it to the Mirror Port field. You must use an unassigned port as the mirror port.
6 In the All Interfaces list, select one or more ports to be monitored, and click the lower right-arrow button to move it/them to the Mirrored Ports field. You will be able to monitor traffic on the mirrored port(s) by connecting to the mirror port.
7 Click OK.

DELETING A PORT MIRRORING GROUP

To remove a port mirroring group, complete the following steps:
1 On the Switching > Port Mirroring page, select the check box next to the port mirroring group that you want to delete.
2 Click Ungroup. You can also click the Trash icon to delete a single group.
3 Click OK in the confirmation dialog box.

Configuring Layer 2 QoS

Layer 2 Quality of Service (QoS) allows for traffic prioritization and bandwidth management to minimize network delay using Class of Service (CoS) classification, and DSCP marking.

A SonicWall appliance can be configured to trust Class of Service (CoS) (IEEE 802.1p) and/or trust Differentiated Services Code Point (DSCP) per port and treat the frames appropriately. The Switching > Layer 2 QoS page allows the administrator to configure QoS settings per interface. The X1 interface on the NSA 2400MX cannot be configured for switching.

Four queues with different priority levels (low, normal, high, highest) are supported. These are mapped to the eight levels defined in IEEE 802.1p and cannot be changed:

Supported queues with different priority levels

User Priority   Traffic Type       Queue Priority
0               Best Effort        Normal
1               Background         Low
2               Spare              Low
3               Excellent Effort   Normal
4               Controlled Load    High
5               Video              High
6               Voice              Highest
7               Network Control    Highest

The DSCP mapping can be configured. Frames received on ports configured to trust CoS or DSCP are queued appropriately according to the mapping table. An option is provided to select the field to use when both the 802.1p tag field and the DSCP field are present in ingressing frames. For QoS settings, ports can be assigned a default priority. The default priority is used when Trust CoS or Trust DSCP is enabled, but the information is absent. When Fixed Priority is enabled, the 802.1p tag field and DSCP field are ignored and the default priority is used.

Refer to the following configuration procedures:
• Configuring the Scheduling Mechanism
• Configuring DSCP Mapping
• Configuring QoS Settings

CONFIGURING THE SCHEDULING MECHANISM

To configure Weighted Round-Robin or Strict Priority Queue as the output scheduling mechanism, complete the following steps:
1 On the Switching > Layer 2 QoS page, select one of the following from the Output Scheduling Mechanism drop-down list:
• Weighted Round-Robin – When Weighted Round-Robin is selected, the weighting factors are 8:4:2:1.
• Strict Priority Queue – When Strict Priority Queue is used, the 802.1p tag field and DSCP field are ignored and the default priority is used.
2 Click Apply.

CONFIGURING DSCP MAPPING

You can configure the DSCP mapping by setting the priority levels for DSCP values 0 through 63. The Switching > Layer 2 QoS page also provides a Reset DSCP Remap button to reset the priority levels back to the default, which is “Normal.”

To configure DSCP mapping, complete the following steps:
1 To show the DSCP Remap table, click Hide/Show next to the DSCP Remap Table heading. The priority settings for all DSCP values, 0 - 63, are displayed.
2 For each DSCP value (0 - 63) that you want to change, select one of the following from the Priority drop-down list:
• Low
• Normal
• High
• Highest
3 Click Apply. The DSCP Remap table is hidden, but if you show it again you will see the updated priority settings.
4 To reset all DSCP mapping back to the default, Normal, click Reset DSCP Remap and then click OK in the confirmation dialog box.

CONFIGURING QOS SETTINGS

The QoS Settings table on the Switching > Layer 2 QoS page lists all interfaces on the SonicWall appliance. You can configure the QoS settings for each interface individually or for multiple interfaces at the same time.

See the following procedures:
• Configuring QoS Settings for an Individual Interface
• Configuring QoS Settings for Multiple Interfaces

Configuring QoS Settings for an Individual Interface

To configure QoS settings for frames received on an individual interface, complete the following steps:
1 On the Switching > Layer 2 QoS page under QoS Settings, click the Configure icon in the row for the interface you want to configure. The Edit QoS Settings window opens.
2 In the Edit QoS Settings window, to enable fixed priority for frames arriving on this interface, select Fixed Priority. By default, Fixed Priority is deselected and all other check boxes are selected. When Fixed Priority is selected, the remaining check boxes are cleared and disabled (greyed out). The CoS 802.1p tag field and DSCP field are ignored and the ingress port’s default priority is always used.
3 To enable the use of the CoS 802.1p tag field settings for Quality of Service on this interface, select Trust CoS. Fixed Priority must be cleared before you can select any other check box.
4 To enable the use of the DSCP field settings for Quality of Service on this interface, select Trust DSCP. Fixed Priority must be cleared before you can select any other check box.
5 If both Trust CoS and Trust DSCP are selected, do one of the following:
• Select Prefer CoS to give preference to the CoS 802.1p tag field settings when both the 802.1p tag field and the DSCP field are present in ingressing frames.
• Clear Prefer CoS to give preference to the DSCP field settings when both the 802.1p tag field and the DSCP field are present in ingressing frames.
6 Select one of the following priority levels from the Default Priority drop-down list:
• Low
• Normal — this is the default setting
• High
• Highest
If ingressing frames do not contain either a CoS 802.1p tag field or a DSCP field, the default priority is used.
7 Click OK.

Configuring QoS Settings for Multiple Interfaces

To configure QoS settings for frames received on any of several interfaces, complete the following steps:
1 On the Switching > Layer 2 QoS page under QoS Settings, select the check boxes next to the interfaces you want to configure, and then click Configure at the bottom of the page. The Edit QoS Settings window opens.
2 Keep original QoS mode of each port is selected by default. When this check box is selected, each individual port’s QoS mode remains unchanged, and only the Default Priority setting is changed to the configured value (Step 7) for each port being configured. To activate the other check boxes in this window and make changes to the QoS settings of the selected interfaces, clear Keep original QoS mode of each port.
3 To enable fixed priority for frames arriving on these interfaces, select Fixed Priority. When Fixed Priority is selected, the subsequent check boxes are cleared and disabled (greyed out). The CoS 802.1p tag field and DSCP field are ignored and the ingress port’s default priority is always used.
4 To enable the use of the CoS 802.1p tag field settings for Quality of Service on these interfaces, select Trust CoS. Fixed Priority must be cleared before you can select this check box.
5 To enable the use of the DSCP field settings for Quality of Service on these interfaces, select Trust DSCP. Fixed Priority must be cleared before you can select this check box.
6 If both Trust CoS and Trust DSCP are selected, do one of the following:
• Select Prefer CoS to give preference to the CoS 802.1p tag field settings when both the 802.1p tag field and the DSCP field are present in ingressing frames.
• Clear Prefer CoS to give preference to the DSCP field settings when both the 802.1p tag field and the DSCP field are present in ingressing frames.
7 Select one of the following priority levels from the Default Priority drop-down list:
• Keep Original Settings – Choose this setting to allow each interface to default to its original individual QoS settings.
• Low
• Normal
• High
• Highest
If ingressing frames do not contain either a CoS 802.1p tag field or a DSCP field, the default priority is used.
8 Click OK.
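The classification described in the Layer 2 QoS overview and in the two Edit QoS Settings procedures above, as an added Python example that is not SonicWall code: it applies the fixed 802.1p table, a DSCP remap in its reset state (all Normal), the Fixed Priority / Trust CoS / Trust DSCP / Prefer CoS settings with the default-priority fallback, and one Weighted Round-Robin pass. One assumption: weight 8 goes to the Highest queue down to 1 for Low; the guide only gives the 8:4:2:1 ratio.

```python
"""Layer 2 QoS queue selection as described in the guide's Layer 2 QoS section.

Added example, not SonicWall code. Assumption: the 8:4:2:1 WRR weights are
assigned Highest:High:Normal:Low; the guide states only the ratio.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Fixed mapping of IEEE 802.1p user priority (0-7) to queue, from the guide's table.
COS_TO_QUEUE: Dict[int, str] = {
    0: "Normal",   # Best Effort
    1: "Low",      # Background
    2: "Low",      # Spare
    3: "Normal",   # Excellent Effort
    4: "High",     # Controlled Load
    5: "High",     # Video
    6: "Highest",  # Voice
    7: "Highest",  # Network Control
}

QUEUES = ("Highest", "High", "Normal", "Low")
WRR_WEIGHTS: Dict[str, int] = {"Highest": 8, "High": 4, "Normal": 2, "Low": 1}


def default_dscp_remap() -> Dict[int, str]:
    """The state after 'Reset DSCP Remap': all 64 DSCP values map to Normal."""
    return {dscp: "Normal" for dscp in range(64)}


@dataclass
class PortQoS:
    """Per-interface settings from the Edit QoS Settings window (guide defaults)."""
    fixed_priority: bool = False
    trust_cos: bool = True
    trust_dscp: bool = True
    prefer_cos: bool = True
    default_priority: str = "Normal"

    def __post_init__(self) -> None:
        if self.default_priority not in QUEUES:
            raise ValueError(f"unknown priority {self.default_priority!r}")
        # The UI greys out the trust/prefer boxes when Fixed Priority is set;
        # mirror that so the object cannot describe an impossible combination.
        if self.fixed_priority:
            self.trust_cos = self.trust_dscp = self.prefer_cos = False


def select_queue(port: PortQoS, cos: Optional[int], dscp: Optional[int],
                 dscp_remap: Dict[int, str]) -> str:
    """Return the queue for a frame that arrived on `port`.

    `cos` is the 802.1p user_priority (None if the frame is untagged) and
    `dscp` the IP DSCP value (None if there is no IP header).
    """
    if cos is not None and not 0 <= cos <= 7:
        raise ValueError("802.1p user priority is a 3-bit value")
    if dscp is not None and not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if port.fixed_priority:
        # Tag and DSCP fields are ignored; the port's default priority always wins.
        return port.default_priority
    have_cos = port.trust_cos and cos is not None
    have_dscp = port.trust_dscp and dscp is not None
    if have_cos and have_dscp:
        # Both trusted and both present: Prefer CoS decides which field wins.
        return COS_TO_QUEUE[cos] if port.prefer_cos else dscp_remap[dscp]
    if have_cos:
        return COS_TO_QUEUE[cos]
    if have_dscp:
        return dscp_remap[dscp]
    # Trusted field(s) absent from the frame: fall back to the default priority.
    return port.default_priority


def enqueue_frames(port: PortQoS, frames: Iterable[Tuple[str, Optional[int], Optional[int]]],
                   dscp_remap: Dict[int, str]) -> Dict[str, Deque[str]]:
    """Classify constructed (label, cos, dscp) frames into the four queues."""
    queues: Dict[str, Deque[str]] = {name: deque() for name in QUEUES}
    for label, cos, dscp in frames:
        queues[select_queue(port, cos, dscp, dscp_remap)].append(label)
    return queues


def wrr_round(queues: Dict[str, Deque[str]]) -> List[str]:
    """Dequeue one Weighted Round-Robin pass: up to 8 Highest, 4 High, 2 Normal, 1 Low."""
    sent: List[str] = []
    for name in QUEUES:
        q = queues[name]
        for _ in range(WRR_WEIGHTS[name]):
            if not q:
                break
            sent.append(q.popleft())
    return sent


if __name__ == "__main__":
    # Constructed sample on a port with the guide's default settings.
    remap = default_dscp_remap()
    remap[46] = "Highest"  # an administrator raising DSCP 46 in the remap table
    frames = [("voip", 6, 46), ("backup", 1, 0), ("web", None, 0), ("arp", None, None)]
    q = enqueue_frames(PortQoS(), frames, remap)
    print({name: list(items) for name, items in q.items()})
    print(wrr_round(q))
```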

Configuring Rate Control

The Switching > Rate Control page provides information and configuration of per-interface flow control.

Both the Rate Control and Flow Control features are controlled on a per port basis. The bandwidth of ingress frames can be tuned in four modes:
• Limit All Frames
• Limit just multicast and flooded unicast frames (including broadcast)
• Limit just multicast (including broadcast)
• Limit just broadcast frames

The rate limiting for egress frames can only be enabled or disabled, no mode can be selected. The ingress rate limit is rounded to the nearest increment, depending on the granularity available for that rate. The granularities are different depending on the range of rates:
• 128kbps ~ 1Mbps – increments of 64kbps
• 1Mbps ~ 100Mbps – increments of 1Mbps
• 100Mbps ~ 1000Mbps – increments of 10Mbps (for gigabit ports)

Back-pressure flow control on half-duplex ports and pause frame-based flow control on full-duplex ports are provided to support zero packet loss under temporary traffic congestion. Full-duplex flow control requires support from the peer end station. Full-duplex flow control works as follows: when a port’s free buffer space is almost empty, the devices send out a PAUSE frame with the maximum pause time to stop the remote node from sending more frames into the switch. The devices also respond to the pause command. After the PAUSE frame is detected, the port will stop transmission of new data for the amount of time defined in the pause time field of the received PAUSE frame. Half-duplex flow control is used to throttle the throughput rate of an end station to avoid dropping packets during network congestion.

RATE CONTROL SEARCH FUNCTION

The Switching > Rate Control page offers a Rate Control search function that can search for interfaces based on rate control features.

To complete a search, complete the following steps:
1 Click the Search drop-down, then select a rate control feature to search for:
• Ingress Mode
• Egress Mode
• Ingress Limit Mode
• Flow Control
2 Select a search operator:
• Equals
• Starts with
• Ends with
• Contains
3 Enter the search criteria in the text-field.
4 Click Search. The search results will populate below. To clear the search criteria, click Clear.

CONFIGURING RATE CONTROL SETTINGS FOR AN INTERFACE

To configure rate control settings or to enable flow control, complete the following steps:
1 On the Switching > Rate Control page, click the Configure icon in the row for the interface you want to configure. The Edit Rate Control Settings window opens.
2 To enable flow control on this interface, select Enable Flow Control. This check box is deselected by default.
3 To set the mode for limiting the bandwidth of ingressing frames, select one of the following from the Ingress Mode drop-down list:
• Limit All
• Limit Broadcast, Multicast and Flooded Unicast — this is the default mode
• Limit Broadcast and Multicast
• Limit Only Broadcast
4 Type the desired ingress rate limit in kilobits per second into the Ingress Rate field. The default ingress rate limit is 256Kbps. To turn off the ingress rate limit and allow unlimited traffic, type 0 (zero). The value you type will be rounded to the nearest increment, depending on the granularity available for that rate. The granularities are different depending on the range of rates:
• 128kbps ~ 1Mbps – increments of 64kbps
• 1Mbps ~ 100Mbps – increments of 1Mbps
• 100Mbps ~ 1000Mbps – increments of 10Mbps (for gigabit ports)
5 Type the desired egress rate limit in kilobits per second into the Egress Rate field. The default egress rate limit is 0Kbps. To turn off the egress rate limit and allow unlimited traffic, type 0 (zero). The value you type is rounded to the nearest increment, depending on the granularity available for that rate. The granularities are the same as for the ingress rate.
6 Click OK.
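The rate rounding and Ingress Mode behaviour described in the Rate Control overview and in the procedure above, as an added Python example that is not SonicWall code. Assumptions the guide does not state: the range bounds are lower-inclusive, values outside 128 kbps to 1000 Mbps are rejected, and multicast is recognised by the I/G bit of the first MAC octet.

```python
"""Rate Control behaviour from the Switching > Rate Control section.

Added example, not SonicWall code. round_rate_limit() applies the rounding
granularities the guide lists for ingress/egress limits; is_rate_limited()
decides whether a frame counts against the ingress limit under each Ingress
Mode. Assumptions: lower-inclusive range bounds, rejection of rates outside
128 kbps - 1000 Mbps, and multicast detection via the I/G bit.
"""
from typing import Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# (lower bound inclusive, upper bound exclusive, increment), all in kbps
GRANULARITY: Tuple[Tuple[int, int, int], ...] = (
    (128, 1_000, 64),              # 128 kbps ~ 1 Mbps: 64 kbps steps
    (1_000, 100_000, 1_000),       # 1 Mbps ~ 100 Mbps: 1 Mbps steps
    (100_000, 1_000_000, 10_000),  # 100 Mbps ~ 1000 Mbps: 10 Mbps steps (gigabit ports)
)

INGRESS_MODES = (
    "Limit All",
    "Limit Broadcast, Multicast and Flooded Unicast",  # the guide's default mode
    "Limit Broadcast and Multicast",
    "Limit Only Broadcast",
)


def granularity_for(kbps: int) -> int:
    """Increment applied to a rate; the 1000 Mbps top value uses the last range (assumption)."""
    if kbps == 1_000_000:
        return 10_000
    for low, high, step in GRANULARITY:
        if low <= kbps < high:
            return step
    raise ValueError(f"{kbps} kbps is outside the 128 kbps - 1000 Mbps range")


def round_rate_limit(kbps: int) -> int:
    """Round a requested limit to the nearest supported increment; 0 means unlimited."""
    if kbps == 0:
        return 0
    step = granularity_for(kbps)
    # Nearest multiple of the increment; a value exactly half-way rounds up.
    return ((kbps + step // 2) // step) * step


def mac_is_multicast(mac: str) -> bool:
    """True when the I/G bit (lowest bit of the first octet) is set; broadcast also sets it."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def is_rate_limited(mode: str, dst_mac: str, flooded: bool = False) -> bool:
    """Decide whether a frame to `dst_mac` counts against the ingress limit in `mode`.

    `flooded` marks a unicast frame whose destination MAC is unknown to the
    switch and is therefore flooded to every port of the VLAN.
    """
    if mode not in INGRESS_MODES:
        raise ValueError(f"unknown ingress mode {mode!r}")
    mac = dst_mac.lower()
    broadcast = mac == BROADCAST
    multicast = mac_is_multicast(mac) and not broadcast
    unicast = not (broadcast or multicast)
    if mode == "Limit All":
        return True
    if mode == "Limit Only Broadcast":
        return broadcast
    if mode == "Limit Broadcast and Multicast":
        return broadcast or multicast
    # Default mode: broadcast, multicast and flooded (unknown-destination) unicast.
    return broadcast or multicast or (unicast and flooded)


if __name__ == "__main__":
    for requested in (256, 300, 999, 1_500, 155_000):
        print(f"{requested:>7} kbps -> {round_rate_limit(requested)} kbps")
    # Constructed frames: (destination MAC, flooded?)
    frames = [(BROADCAST, False), ("01:00:5e:00:00:fb", False),
              ("00:11:22:33:44:55", True), ("00:11:22:33:44:55", False)]
    for mode in INGRESS_MODES:
        print(mode, [is_rate_limited(mode, m, f) for m, f in frames])
```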

Configuring Port Security

Port Security allows administrators to bind a trusted MAC address or multiple MAC addresses to a specific port to decrease unauthorized access on that port.

To configure secure ports, create MAC address objects for the trusted MAC addresses and bind them to specific ports. Frames whose source addresses are not contained in the table are dropped.

NOTE: Only static Port Security is supported.

NOTE: A secure port is meant to receive untagged frames. If a frame has a tag, it is discarded even when its Security Association (SA) is trusted.

A LACP Port or VLAN trunk port cannot also be a Secure Port at the same time. Each port can be configured to enable or disable the Discard Tagged option. When it is enabled, all frames with a LLDP 802.1AB tag are discarded. This prevents a non-trunk port from connecting to a trunk port.

Refer to the following configuration procedures:
• Adding MAC Addresses to an Interface
• Editing MAC Address Objects
• Deleting MAC Address Objects
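The drop decisions a static secure port makes, as an added Python example that is not SonicWall code: frames whose source MAC is not in the bound MAC address object are dropped, tagged frames are dropped on a secure port even from a trusted source, the Discard Tagged option drops tagged frames on any port, and a LACP member or VLAN trunk port is rejected as a secure port. The Port class, frame records and MAC values are constructed for this example.

```python
"""Static Port Security drop decisions from the Port Security section above.

Added example, not SonicWall code. The bound MAC address object is modelled
as a set of trusted source MACs; frames are (src_mac, tagged) records
constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DROP_DISCARD_TAGGED = "Discard Tagged is enabled"
DROP_SECURE_TAGGED = "secure port accepts untagged frames only"
DROP_UNTRUSTED_SA = "source MAC not in bound MAC address object"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-1A-2B-3C-4D-5E and 001a.2b3c.4d5e compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Port:
    name: str
    secure: bool = False
    trusted_macs: Set[str] = field(default_factory=set)  # the bound MAC address object
    discard_tagged: bool = False
    is_lacp_member: bool = False
    is_vlan_trunk: bool = False

    def __post_init__(self) -> None:
        # The guide forbids a LACP port or VLAN trunk port from also being a Secure Port.
        if self.secure and (self.is_lacp_member or self.is_vlan_trunk):
            raise ValueError(f"{self.name}: a LACP or VLAN trunk port cannot be a Secure Port")
        self.trusted_macs = {normalize_mac(m) for m in self.trusted_macs}


def filter_frame(port: Port, src_mac: str, tagged: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for one ingress frame on `port`."""
    src = normalize_mac(src_mac)
    if tagged and port.discard_tagged:
        return False, DROP_DISCARD_TAGGED
    if not port.secure:
        return True, "port not secured"
    if tagged:
        # Even a trusted source address does not get a tagged frame through a secure port.
        return False, DROP_SECURE_TAGGED
    if src not in port.trusted_macs:
        return False, DROP_UNTRUSTED_SA
    return True, "source MAC trusted"


def run_port_security(port: Port, frames: List[Tuple[str, bool]]) -> Dict[str, int]:
    """Apply the filter to (src_mac, tagged) frames and tally outcomes by reason."""
    tally: Dict[str, int] = {}
    for src, tagged in frames:
        accepted, reason = filter_frame(port, src, tagged)
        key = "accepted" if accepted else f"dropped: {reason}"
        tally[key] = tally.get(key, 0) + 1
    return tally


if __name__ == "__main__":
    # Constructed scenario: X2 secured to one trusted host.
    x2 = Port("X2", secure=True, trusted_macs={"00-1A-2B-3C-4D-5E"})
    frames = [("00:1a:2b:3c:4d:5e", False),  # trusted, untagged: accepted
              ("00:1a:2b:3c:4d:5e", True),   # trusted but tagged: dropped
              ("de:ad:be:ef:00:01", False),  # unknown source: dropped
              ("de:ad:be:ef:00:01", False)]
    for key, count in sorted(run_port_security(x2, frames).items()):
        print(f"{count}  {key}")
```

A rising count of "source MAC not in bound MAC address object" drops on one port is the signal worth alerting on, since it means a device other than the bound host is plugged into that port.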

ADDING MAC ADDRESSES TO AN INTERFACE

You must use a MAC address object to bind MAC address(es) to an interface. To add MAC addresses to an interface, complete the following steps:
1 On the Switching > Port Security page, click Add at the bottom of the page. The Add Static MAC Address window opens.
2 Select the desired interface from the Port drop-down list.
3 If the address object that contains the desired MAC addresses already exists, select it from the MAC Address drop-down list. If the MAC address object does not exist, create one, then select it from the drop-down list.

EDITING MAC ADDRESS OBJECTS

To edit a MAC address object for a secure port, complete the following steps:
1 Click the Configure icon in the row for the MAC address object you want to edit. The Edit Static MAC Address window opens.
2 Select a different address object or select Create new address object from the MAC Address drop-down list.
3 When finished, click OK.

DELETING MAC ADDRESS OBJECTS

To delete one or more MAC address objects, complete the following steps:
1 To delete a single MAC address object, click the Delete icon in the row for the MAC address object you want to delete.
2 To delete multiple MAC address objects, select the check boxes next to the MAC address objects you want to delete and then click Delete Static Mac Address(s) at the bottom of the page.
3 Click OK in the confirmation dialog box.

Switching Glossary

BPDU

Bridge Protocol Data Unit – Used in RSTP, BPDUs are special data frames used to exchange information about bridge IDs and root path costs. BPDUs are exchanged every few seconds to allow switches to keep track of network topology and start or stop port forwarding.

CoS

Class Of Service – CoS (IEEE 802.1p) defines eight different classes of service that are indicated in a 3-bit user_priority field in an IEEE 802.1Q header added to an Ethernet frame when using tagged frames on an 802.1 network.

DSCP

Differentiated Services Code Point – Also known as DiffServ, DSCP is a networking architecture that defines a simple, coarse-grained, class-based mechanism for classifying and managing network traffic and providing Quality of Service (QoS) guarantees on IP networks. RFC 2475, published in 1998 by the IETF, defines DSCP. DSCP operates by marking an 8-bit field in the IP packet header.

IETF

Internet Engineering Task Force – The IETF is an open standards organization that develops and promotes Internet standards.

L2

OSI Layer 2 (Ethernet) – Layer 2 of the seven layer OSI model is the Data Link Layer, on which the Ethernet protocol runs. Layer 2 is used to transfer data among network entities.

LACP

Link Aggregation Control Protocol – LACP is an IEEE specification that provides a way to combine multiple physical ports together to form a single logical channel. LACP allows load balancing by the connected devices.

LLDP

Link Layer Discovery Protocol (IEEE 802.1AB) – LLDP is a Layer 2 protocol used by network devices to communicate their identity, capabilities, and interconnections. This information is stored in a MIB database on each host, which can be queried with SNMP to determine the network topology. The information includes system name, port name, VLAN name, IP address, system capabilities (switching, routing), MAC address, link aggregation, and more.

LLTD

Link Layer Topology Discovery (Microsoft Standard) – LLTD is a Microsoft proprietary protocol with functionality similar to LLDP. It operates on wired or wireless networks (Ethernet 802.3 or wireless 802.11). LLTD is included on Windows Vista and Windows 7, and can be installed on Windows XP.

PDU

Protocol Data Unit – In the context of the Switching feature, the Layer 2 PDU is the frame. It contains the link layer header followed by the packet.

RSTP

Rapid Spanning Tree Protocol (IEEE 802.1D-2004) – RSTP was defined in 1998 as an improvement to Spanning Tree Protocol. It provides faster spanning tree convergence after a topology change.

Viewing Firewall Diagnostic Information

SonicWall appliances store information about all devices with which they have communicated. When you generate diagnostic information, only one report can be generated at a time and the information is only maintained during the current session. For example, if you run a firewall log report and then log off or generate another report, the firewall log report data is lost until you run the report again. This includes the following:
• Viewing Network Diagnostic Settings
• Viewing Connections Monitor
• Viewing CPU Monitor
• Viewing Process Monitor
• What is Packet Monitor?

Viewing Network Diagnostic Settings

To view network settings, complete the following steps:
1 In the left pane, select the global icon, a group, or a SonicWall appliance.
2 Click the Policies tab. In the center pane, navigate to Diagnostics > Network.
3 To refresh the diagnostic data, click Refresh Diagnostic Data display.
4 To delete the diagnostic data, click Delete Diagnostic Data display.
5 The Diagnostic Data section populates the data requests and is capable of displaying IPv4 and IPv6 data.
6 To view the log file for the selected SonicWall appliance(s), click Request Log file display from unit(s).
7 To test the RADIUS server, enter the username and password of a valid user in the User and Password fields and click Radius Client Test.
8 To complete a DNS lookup from the SonicWall appliance(s), enter a hostname or IP address in the Host field and click DNS Lookup.
9 To find a network path from the SonicWall appliance(s), enter an IP address in the Host field and click Find Network Path.
10 To ping a host from the SonicWall appliance(s), enter a hostname or IP address in the Host field. This can be an IPv4 or IPv6 address. Click the Interface drop-down list, then select Any or one of the listed interfaces. If you want to select an IPv6 address, click Prefer IPv6 networking.
11 To complete a Traceroute from the SonicWall appliance(s), enter a hostname or IP address in the Host field and click TraceRoute Lookup.
12 To view dynamic routing information, click Fetch Default Route Policies (SonicOS 2.5 Enhanced or later).
13 To complete a reverse name resolution, enter an IP address in the Reverse Lookup the IP Address field and click Reverse Name Resolution.
14 To complete a real-time black list lookup, enter an IP address in the IP Address field, a FQDN for the RBL in the RBL Domain field, and DNS server information in the DNS Server field. Click Real-time Black List Lookup.
15 Enable Path MTU Discovery.
16 Checking Geo Location and Botnet Server Lookup allows administrators to block connections to or from a geographic location based on IP address, and to or from Botnet command and control servers. Additional functionality for this feature is available on the Security Services > Geo-IP and Botnet Filter page.
17 Enabling MX Lookup and Banner Check allows you to look up a domain or IP address. Your configured DNS servers are displayed in the Log Resolution DNS Server 1/2/3 fields, but are not editable. After you type a domain name, such as google.com, into the Lookup Name or IP field and click Go, the output is displayed under Result. The results include the domain name or IP address that you entered, the DNS server from your list that was used, the resolved email server domain name and/or IP address, and the banner received from the domain server or a message that the connection was refused. The contents of the banner depend on the server you are looking up.
18 To generate a Tech Support Report, select any of the following report options:
• Sensitive Keys—Saves shared secrets, encryption, and authentication keys to the report.
• ARP Cache—Saves a table relating IP addresses to the corresponding MAC or physical addresses.
• DHCP Bindings—Saves entries from the SonicWall security appliance DHCP server.
• IKE Info—Saves current information about active IKE configurations.
• SonicPointN Diagnostics—A SonicPoint can collect critical runtime data and save it into persistent storage in the global SonicPoint Peer List. If the SonicPoint experiences a failure, the diagnostic enhancement feature allows the firewall managing appliance to retrieve the log data when the SonicPoint reboots. Then, this log data is incorporated into the Tech Support Report (TSR).
• List of current users—Lists all currently logged in active local and remote users. Selected by default. NOTE: For reporting maximum user information, select both List of current users and Detail of users checkboxes.
• Inactive users—Lists the users with inactive sessions. Selected by default.
• IPv6 NDP—This option is not selected by default.
• IPv6 DHCP—This option is not selected by default.
• Debug information in report—Specifies whether the downloaded TSR is to contain debug information. Selected by default. The TSR is organized in an easy-to-read format. You control whether to include debug information as a category, enclosed by the #Debug Information_START and #Debug Information_END tags, at the end of the report. Debug information contains miscellaneous information that is not used by the average support engineer, but can be useful in certain circumstances.
• Geo-IP/Botnet Cache—Saves the currently cached Geo-IP and Botnet information. This option is not selected by default.
• IP Stack Info—This option is not selected by default.
19 Click Fetch Tech Support Report. A report is generated with the options you selected.
20 Click Email Tech Support Report. A report is generated with the options you selected and sent to Tech Support.
21 To send the TSR, select Send TechSupport Report by FTP. This feature allows you to send configuration settings (prefs) and a tech support report (TSR) to a specified FTP server. You can configure a schedule for periodic backup of this information to the FTP server. An additional page opens.
• Select Send Settings by FTP to send prefs.
• Enter the required information for the FTP server.
• Click Set Schedule to define a start schedule.
• Click Apply.
22 To request a packet trace, enter the IP address of the remote host in the Host field, and click Start. You must enter an IP address in the Host field; do not enter a host name, such as “www.yahoo.com”. Click Stop to terminate the packet trace and Query to query the trace. To reset a host, enter the IP address in the Host field and click Reset.

Viewing Connections Monitor

The Connections Monitor displays real-time, configurable views of all connections to and through a SonicWall security appliance. To view connections monitor data, complete the following steps:
1 In the left pane, select the global icon, a group, or a SonicWall appliance.
2 Click the Policies tab. In the center pane, navigate to Diagnostics > Connections Monitor.
3 Select the filter values to sort by. You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Source Interface, and Destination Interface. Enter your filter criteria in the Active Connections Monitor Settings table. The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string looks for connections matching:
Source IP AND Destination IP
Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filter next to Source IP and Destination IP, the search string looks for connections matching:
(Source IP OR Destination IP) AND Protocol
4 Click Fetch Active Connections Monitor to apply the filter immediately to the Active Connections Monitor table. The scheduler displays.
5 Expand Schedule by clicking the plus icon.
6 Select Immediate or specify a future date and time.
7 Click Accept. The updated Connections Monitor page displays.
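The AND/OR combination in step 3 decides whether a filter shows one host's sessions or everything touching either of two hosts, so the following added example (not GMS code) models the rule: populated fields are ANDed, and two or more fields marked with Group Filters are ORed with one another before being ANDed with the rest. The field names are the six listed above; the connection records are constructed samples, and treating a single grouped field as an ordinary AND term is an assumption.

```python
"""Model of how the Connections Monitor combines filter fields.

Added example, not GMS code. Connection records are constructed samples.
"""
from typing import Dict, List, Set, Tuple

# Field names as listed on the Connections Monitor page
FIELDS = ("Source IP", "Destination IP", "Destination Port", "Protocol",
          "Source Interface", "Destination Interface")


def _split(criteria: Dict[str, str], grouped: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (or_group, and_fields) in page order.

    The page says Group Filters applies to "two or more criteria"; a lone grouped
    field is treated here as a plain AND term (assumption).
    """
    active = [f for f in FIELDS if f in criteria]
    group = [f for f in active if f in grouped]
    if len(group) < 2:
        group = []
    rest = [f for f in active if f not in group]
    return group, rest


def search_string(criteria: Dict[str, str], grouped: Set[str]) -> str:
    """Render the search string the page describes, e.g. '(A OR B) AND C'."""
    group, rest = _split(criteria, grouped)
    terms = (["(" + " OR ".join(group) + ")"] if group else []) + rest
    return " AND ".join(terms)


def connection_matches(conn: Dict[str, str], criteria: Dict[str, str],
                       grouped: Set[str]) -> bool:
    group, rest = _split(criteria, grouped)
    if group and not any(conn[f] == criteria[f] for f in group):
        return False  # none of the ORed fields matched
    return all(conn[f] == criteria[f] for f in rest)


def filter_connections(conns: List[Dict[str, str]], criteria: Dict[str, str],
                       grouped: Set[str]) -> List[Dict[str, str]]:
    return [c for c in conns if connection_matches(c, criteria, grouped)]


def _conn(src, dst, dport, proto, sif="X0", dif="X1") -> Dict[str, str]:
    return dict(zip(FIELDS, (src, dst, dport, proto, sif, dif)))


# Constructed sample of the Active Connections Monitor table
SAMPLE_CONNECTIONS = [
    _conn("10.0.0.5", "198.51.100.2", "443", "TCP"),
    _conn("10.0.0.7", "203.0.113.9", "53", "UDP"),
    _conn("10.0.0.7", "203.0.113.9", "80", "TCP"),
    _conn("10.0.0.5", "203.0.113.9", "22", "TCP"),
]

CRITERIA = {"Source IP": "10.0.0.5", "Destination IP": "203.0.113.9", "Protocol": "TCP"}

if __name__ == "__main__":
    for grouped in (set(), {"Source IP", "Destination IP"}):
        print(search_string(CRITERIA, grouped), "->",
              len(filter_connections(SAMPLE_CONNECTIONS, CRITERIA, grouped)), "connections")
```

With the same three values, the ungrouped filter returns only the one session between the two hosts, while grouping Source IP with Destination IP returns every TCP session that involves either host, which is usually what an analyst wants when scoping a suspect address.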

Viewing CPU Monitor

For GMS managed SonicWall firewall appliances running SonicOS 3.0 and higher, the CPU Monitor displays real-time CPU utilization in second, minute, hour, and day intervals. To view CPU utilization data, complete the following steps:
1 In the left pane, select the global icon, a group, or a SonicWall appliance.
2 Click the Policies tab. In the center pane, navigate to Diagnostics > CPU Monitor.
3 To refresh the CPU diagnostic display, click Refresh Diagnostic Data display.
4 To delete the CPU diagnostic display, click Delete Diagnostic Data display.
5 To modify the time period for the CPU data, select one of the following periods from the Chart for pull-down menu:
• CPU History for the last 60 seconds—Displays CPU history for the last minute.
• CPU History for the last 60 minutes—Displays CPU history for the last hour.
• CPU History for the last 24 hours—Displays CPU history for the last day.
• CPU History for the last 30 days—Displays CPU history for the last 30 days.
6 Click Fetch CPU Information to display CPU information from the SonicWall appliance. The scheduler displays.
7 Expand Schedule by clicking the plus icon.
8 Select Immediate or specify a future date and time.
9 Click Accept.

Viewing Process Monitor

For GMS managed SonicWall firewall appliances running SonicOS 3.0 and higher, the Process Monitor displays individual system processes, their CPU utilization, and their system time. To view diagnostic data, complete the following steps:
1 Select the global icon, a group, or a SonicWall appliance.
2 Expand the Diagnostics tree and click Process Monitor. The Process Monitor page displays.
3 To refresh the process diagnostic display, click Refresh Diagnostic Data display.
4 To delete the process diagnostic display, click Delete Diagnostic Data display.
5 Click Fetch Process Information to display Process Monitor information. The scheduler displays.
6 Expand Schedule by clicking the plus icon.
7 Select Immediate or specify a future date and time.
8 Click Accept.

What is Packet Monitor?

The Packet Monitor is a mechanism that allows you to monitor individual data packets that traverse your SonicWall firewall appliance. Packets can be either monitored or mirrored. The monitored packets contain both data and addressing information. Addressing information from the packet header includes the following:
• Interface identification
• MAC addresses
• Ethernet type
• Internet Protocol (IP) type
• Source and destination IP addresses
• Port numbers
• L2TP payload details
• PPP negotiations details
You can configure the packet monitor feature in the GMS Enhanced management interface. The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets. Current configurations are displayed on this page; hover over the tool tips to view the details.

Benefits of Packet Monitor

The GMS packet monitor feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal). Packet monitor includes the following features:
• Control mechanism with improved granularity for custom filtering (Monitor Filter)
• Display filter settings independent from monitor filter settings
• Packet status indicates if the packet was dropped, forwarded, generated, or consumed by the firewall
• Three output displays in the management interface:
  • List of packets
  • Decoded output of selected packet
  • Hexadecimal dump of selected packet
• Export capabilities include text or HTML format with hex dump of packets, plus CAP file formats, pcap and pcapNG
• Automatic export to FTP server when the buffer is full
• Bidirectional packet monitor based on IP address and port
• Configurable wrap-around of packet monitor buffer when full

How Does Packet Monitor Work?

As an administrator, you can configure the general settings, monitor filter, display filter, advanced filter settings, and FTP settings of the packet monitor tool. As network packets enter the packet monitor subsystem, the monitor filter settings are applied and the resulting packets are written to the capture buffer. The display filter settings are applied as you view the buffer contents in the management interface. You can log the capture buffer to view in the management interface, or you can configure automatic transfer to the FTP server when the buffer is full. Default settings are provided so that you can start using packet monitor without configuring it first. The basic functionality is listed in Packets: Basic Functionality.

Packets: Basic Functionality

Start:

Click Start Capture to begin capturing all packets except those used for communication between the firewall and the management interface on your console system.

Stop:

Click Stop Capture to stop the packet capture.

Clear:

Click Clear to clear the status counters that are displayed at the top of the Packet Monitor page.

Refresh:

Click Refresh to display new buffer data in the Captured Packets window. You can then click any packet in the window to display its header information and data in the Packet Detail and Hex Dump windows.

Export As:

Display or save a snapshot of the current buffer in the file format that you select from the drop-down menu. Exported files are placed on your local management system (where the management interface is running).
• PcapNG - Select to export a pcapNG (pcap Next Generation) file. A pcapNG file can be opened directly by Wireshark, which displays a new Packet comment section that contains useful diagnostic information. Selecting PcapNG simplifies generating a pcap file for diagnostics by eliminating the need to export HTML and text files along with the pcap file to determine the line number, in-interface, out-interface, and function name that acted on the packet.
• Libpcap - Select if you want to view the data with the Wireshark (formerly Ethereal) network protocol analyzer. This is also known as libcap or pcap format. A dialog allows you to open the buffer file with Wireshark or save it to your local hard drive with the extension .pcap.
• Html - Select to view the data with a browser. You can use File > Save As to save a copy of the buffer to your hard drive.
• Text - Select to view the data in a text editor. A dialog allows you to open the buffer file with the registered text editor, or save it to your local hard drive with the extension .wri.
• App Data - Select to view only application data contained in the packet. Packets containing no application data are skipped during the capture. Application data = captured packet minus L2, L3, and L4 headers.

Refer to Packet monitor subsystem showing filters for a high-level view of the packet monitor subsystem that shows the different filters and how they are applied.

Figure: Packet monitor subsystem showing filters

Configuring Packet Monitor

You can access the packet monitor tool on the Diagnostics > Packet Monitor page of the GMS management interface. There are six main areas of configuration for packet monitor, one of which is specifically for packet mirror. The following sections describe the configuration options, and provide procedures for accessing and configuring the filter settings, log settings, and mirror settings:
• Configuring General Settings
• Configuring the Monitor Filter
• Configuring Display Filter Settings
• Configuring Logging Settings
• Configuring Advanced Monitor Filter Settings
• Configuring Mirror Settings
• Using Packet Monitor and Packet Mirror

CONFIGURING GENERAL SETTINGS

This section describes how to configure packet monitor general settings, including the number of bytes to capture per packet and the buffer wrap option. You can specify the number of bytes using either decimal or hexadecimal, with a minimum value of 64. The buffer wrap option enables the packet capture to continue even when the buffer becomes full, by overwriting the buffer from the beginning. To configure the general settings, complete the following steps:
1 Navigate to the Diagnostics > Packet Monitor page and click Configure.
2 In the Packet Monitor Configuration window, click the Settings tab.
3 Under General Settings in the Number of Bytes To Capture (per packet) box, type the number of bytes to capture from each packet. The minimum value is 64 and the maximum value is 65535.
4 To continue capturing packets after the buffer fills up, select Wrap Capture Buffer Once Full. Selecting this option causes packet capture to start writing captured packets at the beginning of the buffer again after the buffer fills. This option has no effect if FTP server logging is enabled on the Logging tab, because the buffer is automatically wrapped when FTP is enabled.
5 Under Exclude Filter, select Exclude encrypted GMS traffic to prevent capturing or mirroring of encrypted management or syslog traffic to or from SonicWall GMS. This setting only affects encrypted traffic within a configured primary or secondary GMS tunnel. GMS management traffic is not excluded if it is sent through a separate tunnel.
6 Use the Exclude Management Traffic settings to prevent capturing or mirroring of management traffic to the appliance. Select the check box for each type of traffic (HTTP/HTTPS, SNMP, or SSH) to exclude. If management traffic is sent through a tunnel, the packets are not excluded.
7 Use the Exclude Syslog Traffic to settings to prevent capturing or mirroring of syslog traffic to the logging servers. Select the check box for each type of server (Syslog Servers or GMS Server) to exclude. If syslog traffic is sent through a tunnel, the packets are not excluded.
8 Use the Exclude Internal Traffic for settings to prevent capturing or mirroring of internal traffic between the SonicWall appliance and its High Availability partner or a connected SonicPoint. Select the check box for each type of traffic (HA or SonicPoint) to exclude.
9 To save your settings and exit the configuration window, click OK.

CONFIGURING THE MONITOR FILTER

All filters set on this page are applied to both packet capture and packet mirroring. To configure Monitor Filter settings, complete the following steps:
1 Navigate to the Diagnostics > Packet Monitor page and click Configure.
2 In the Packet Monitor Configuration window, click the Monitor Filter tab.
3 Choose to Enable filter based on the firewall/app rule if you are using firewall rules to capture specific traffic.
NOTE: Before the Enable filter based on the firewall rule option is selected, be certain you have selected one or more access rules on which to monitor packet traffic. This configuration is done from the Firewall > Access Rules page.
4 Specify how Packet Monitor will filter packets using these options:
• Interface Name(s) - You can specify up to ten interfaces separated by commas. Refer to the Network > Interfaces screen in the management interface for the available interface names. You can use a negative value to configure all interfaces except the one(s) specified; for example: !X0, or !LAN.
• Ether Type(s) - You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported: ARP, IP, PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone. This option is not case-sensitive. For example, to capture all supported types, you could enter: ARP, IP, PPPOE. You can use one or more negative values to capture all Ethernet types except those specified; for example: !ARP, !PPPoE. You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, IP. Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS Enhanced. See “Supported Packet Types” on page 1090.
• IP Type(s) - You can specify up to ten IP types separated by commas. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP. This option is not case-sensitive. You can use one or more negative values to capture all IP types except those specified; for example: !TCP, !UDP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See “Supported Packet Types” on page 1090.
• Source IP Address(es) - You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2. You can use one or more negative values to capture packets from all but the specified addresses; for example: !10.3.3.3, !10.4.4.4.
• Source Port(s) - You can specify up to ten TCP or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to capture packets from all but the specified ports; for example: !80, !8080.
• Destination IP Address(es) - You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2. You can use one or more negative values to capture packets destined for all but the specified addresses; for example: !10.3.3.3, !10.4.4.4.
• Destination Port(s) - You can specify up to ten TCP or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to capture packets destined for all but the specified ports; for example: !80, !8080.
• Bidirectional Address and Port Matching - When this option is selected, IP addresses and ports specified in the Source or Destination fields on this page are matched against both the source and destination fields in each packet.
• Forwarded packets only - Select this option to monitor any packets that are forwarded by the firewall.
• Consumed packets only - Select this option to monitor all packets that are consumed by internal sources within the firewall.
• Dropped packets only - Select this option to monitor all packets that are dropped at the perimeter.
NOTE: If a field is left blank, no filtering is done on that field. Packets are captured or mirrored without regard to the value contained in that field of their headers.
5 To save your settings and exit the configuration window, click OK.
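The field syntax in step 4 (comma-separated lists of up to ten entries, `!` negation, type names or hex values, blank fields matching everything, and bidirectional address/port matching) is worked through in the following added example. It is not SonicOS code: the parser and matcher are written here to show what a given set of field values selects. The EtherType and IP protocol numbers are the standard IANA assignments. Two points the page does not state are assumed: the fields are ANDed together, and when one field mixes positive and negative entries a packet must match some positive entry and no negative one. Addresses are compared as plain strings, so no CIDR or range syntax is modelled.

```python
"""Parser and matcher for the Packet Monitor field syntax described above.

Added example, not SonicOS code. Assumptions: fields are ANDed; a field mixing
positive and negative tokens requires a positive match and no negative match;
IP addresses are compared as plain strings.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

ETHER_TYPES = {"ARP": 0x0806, "IP": 0x0800, "PPPOE-DIS": 0x8863, "PPPOE-SES": 0x8864}
IP_TYPES = {"ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50, "AH": 51}
MAX_TOKENS = 10  # page: "up to ten ... separated by commas"


def _type_values(token: str, table: Dict[str, int]) -> Set[int]:
    """Resolve a case-insensitive type name or a hex literal to numeric values."""
    name = token.upper()
    if table is ETHER_TYPES and name == "PPPOE":  # PPPoE alone covers both PPPoE types
        return {ETHER_TYPES["PPPOE-DIS"], ETHER_TYPES["PPPOE-SES"]}
    if name in table:
        return {table[name]}
    if name.startswith("0X"):
        return {int(name, 16)}
    raise ValueError(f"unsupported type token {token!r}")


@dataclass
class FieldFilter:
    include: Set
    exclude: Set

    @classmethod
    def parse(cls, text: str, table: Optional[Dict[str, int]] = None,
              conv: Callable[[str], object] = str) -> "FieldFilter":
        tokens = [t.strip() for t in text.split(",") if t.strip()]
        if len(tokens) > MAX_TOKENS:
            raise ValueError(f"at most {MAX_TOKENS} entries per field")
        include, exclude = set(), set()
        for tok in tokens:
            negated = tok.startswith("!")
            raw = tok[1:].strip() if negated else tok
            values = _type_values(raw, table) if table is not None else {conv(raw)}
            (exclude if negated else include).update(values)
        return cls(include, exclude)

    def matches(self, *values) -> bool:
        """values: the packet field(s) to test; two are passed when bidirectional."""
        if not self.include and not self.exclude:
            return True  # blank field: no filtering on this field
        if any(v in self.exclude for v in values):
            return False
        return not self.include or any(v in self.include for v in values)


@dataclass
class Packet:
    interface: str
    ether_type: int
    ip_type: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class MonitorFilter:
    interfaces: FieldFilter
    ether_types: FieldFilter
    ip_types: FieldFilter
    src_ips: FieldFilter
    src_ports: FieldFilter
    dst_ips: FieldFilter
    dst_ports: FieldFilter
    bidirectional: bool = False

    @classmethod
    def parse(cls, interfaces="", ether_types="", ip_types="", src_ips="",
              src_ports="", dst_ips="", dst_ports="", bidirectional=False):
        return cls(
            FieldFilter.parse(interfaces, conv=str.upper),  # X0 / LAN, case-folded
            FieldFilter.parse(ether_types, table=ETHER_TYPES),
            FieldFilter.parse(ip_types, table=IP_TYPES),
            FieldFilter.parse(src_ips),
            FieldFilter.parse(src_ports, conv=int),
            FieldFilter.parse(dst_ips),
            FieldFilter.parse(dst_ports, conv=int),
            bidirectional,
        )

    def matches(self, pkt: Packet) -> bool:
        if not (self.interfaces.matches(pkt.interface.upper())
                and self.ether_types.matches(pkt.ether_type)
                and self.ip_types.matches(pkt.ip_type)):
            return False
        if self.bidirectional:
            # Source and Destination entries are checked against both packet fields.
            ips, ports = (pkt.src_ip, pkt.dst_ip), (pkt.src_port, pkt.dst_port)
            return (self.src_ips.matches(*ips) and self.dst_ips.matches(*ips)
                    and self.src_ports.matches(*ports) and self.dst_ports.matches(*ports))
        return (self.src_ips.matches(pkt.src_ip) and self.src_ports.matches(pkt.src_port)
                and self.dst_ips.matches(pkt.dst_ip) and self.dst_ports.matches(pkt.dst_port))
```

As a usage example, `MonitorFilter.parse(interfaces="!X0", ether_types="ARP, IP, PPPOE", ip_types="TCP, 0x11", dst_ports="!80, !8080")` captures TCP and UDP traffic on every interface except X0 while leaving out anything bound for ports 80 and 8080; turning on `bidirectional=True` with only `src_ips="10.1.1.1"` set selects both halves of that host's conversations, which is the usual way to capture a single suspect host without filling the buffer with unrelated traffic.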

CONFIGURING DISPLAY FILTER SETTINGS

This section describes how to configure packet monitor display filter settings. The values that you provide here are compared to corresponding fields in the captured packets, and only those packets that match are displayed. These settings apply only to the display of captured packets on the management interface, and do not affect packet mirroring. If a field is left blank, no filtering is done on that field. Packets are displayed without regard to the value contained in that field of their headers. To configure Packet Monitor display filter settings, complete the following steps:
1 Navigate to the Diagnostics > Packet Monitor page and click Configure.
2 In the Packet Monitor Configuration window, click the Display Filter tab.
3 In the Interface Name(s) box, type the SonicWall appliance interfaces for which to display packets, or use the negative format (!X0) to display packets captured from all interfaces except those specified. You can specify up to ten interfaces separated by commas. Refer to the Network > Interfaces screen in the management interface for the available interface names.
4 In the Ether Type(s) box, enter the Ethernet types for which you want to display packets, or use the negative format (!ARP) to display packets of all Ethernet types except those specified. You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported: ARP, IP, PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone. You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, IP. Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS Enhanced. See “Supported Packet Types” on page 1090.
5 In the IP Type(s) box, enter the IP packet types for which you want to display packets, or use the negative format (!UDP) to display packets of all IP types except those specified. You can specify up to ten IP types separated by commas. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See “Supported Packet Types” on page 1090. To display all IP types, leave blank.
6 In the Source IP Address(es) box, type the IP addresses from which you want to display packets, or use the negative format (!10.1.2.3) to display packets captured from all source addresses except those specified.
7 In the Source Port(s) box, type the port numbers from which you want to display packets, or use the negative format (!25) to display packets captured from all source ports except those specified.
8 In the Destination IP Address(es) box, type the IP addresses for which you want to display packets, or use the negative format (!10.1.2.3) to display packets with all destination addresses except those specified.
9 In the Destination Port(s) box, type the port numbers for which you want to display packets, or use the negative format (!80) to display packets with all destination ports except those specified.
10 To match the values in the source and destination fields against either the source or destination information in each captured packet, select Enable Bidirectional Address and Port Matching.
11 To display captured packets that the SonicWall appliance forwarded, select Forwarded.
12 To display captured packets that the SonicWall appliance generated, select Generated.
13 To display captured packets that the SonicWall appliance consumed, select Consumed.
14 To display captured packets that the SonicWall appliance dropped, select Dropped.
15 To save your settings and exit the configuration window, click OK.

CONFIGURING LOGGING SETTINGS

This section describes how to configure Packet Monitor logging settings. These settings provide a way to configure automatic logging of the capture buffer to an external FTP server. When the buffer fills up, the packets are transferred to the FTP server. The capture continues without interruption. If you configure automatic FTP logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps. To configure logging settings, complete the following steps:
1 Navigate to the Diagnostics > Packet Monitor page and click Configure.
2 In the Packet Monitor Configuration window, click the Logging tab.
3 In the FTP Server IP Address box, type the IP address of the FTP server.
NOTE: Make sure that the FTP server IP address is reachable by the SonicWall appliance. An IP address that is reachable only through a VPN tunnel is not supported.
4 In the Login ID box, type the login name that the SonicWall appliance should use to connect to the FTP server.
5 In the Password box, type the password that the SonicWall appliance should use to connect to the FTP server.
6 In the Directory Path box, type the directory location for the transferred files. The files are written to this location relative to the default FTP root directory. For libcap format, files are named “packet-log--<>.cap”, where the <> contains a run number and date including hour, month, day, and year. For example, packet-log--3-22-08292006.cap. For HTML format, file names are in the form “packet-log_h-<>.html”. For example, an HTML file name is: packet-log_h-3-22-08292006.html.
7 To enable automatic transfer of the capture file to the FTP server when the buffer is full, select Log To FTP Server Automatically. Files are transferred in both libcap and HTML format.
8 To enable transfer of the file in HTML format as well as libcap format, select Log HTML File Along With .cap File (FTP).
9 To test the connection to the FTP server and transfer the capture buffer contents to it, click Log Now. In this case the file name contains an ‘F’. For example, packet-log-F-3-22-08292006.cap or packet-log_h-F-3-22-08292006.html.
10 To save your settings and exit the configuration window, click OK.

CONFIGURING ADVANCED MONITOR FILTER SETTINGS

This section describes how to configure monitoring for packets generated by the SonicWall appliance and for intermediate traffic.
1 Navigate to the Diagnostics > Packet Monitor page and click Configure.
2 In the Packet Monitor Configuration window, click the Advanced Monitor Filter tab.

3 To monitor packets generated by the SonicWall appliance, select Monitor Firewall Generated Packets. Even when other monitor filters do not match, this option ensures that packets generated by the SonicWall appliance are captured. This includes packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPoE, and routing protocols. Captured packets are marked with 's' in the incoming interface area when they are from the system stack. Otherwise, the incoming interface is not specified.
4 To monitor intermediate packets generated by the SonicWall appliance, select Monitor Intermediate Packets. Selecting this check box enables, but does not select, the subsequent check boxes for monitoring specific types of intermediate traffic. Select the check box for any of the following options to monitor that type of intermediate traffic:
• Monitor intermediate multicast traffic – Capture or mirror replicated multicast traffic.
• Monitor intermediate IP helper traffic – Capture or mirror replicated IP Helper packets.
• Monitor intermediate reassembled traffic – Capture or mirror reassembled IP packets.
• Monitor intermediate fragmented traffic – Capture or mirror packets fragmented by the firewall.
• Monitor intermediate remote mirrored traffic – Capture or mirror remote mirrored packets after de-encapsulation.
• Monitor intermediate IPsec traffic – Capture or mirror IPsec packets after encryption and decryption.
• Monitor intermediate SSL decrypted traffic – Capture or mirror decrypted SSL packets. Certain IP and TCP header fields might not be accurate in the monitored packets, including IP and TCP checksums and TCP port numbers (remapped to port 80). DPI-SSL must be enabled to decrypt the packets.
• Monitor intermediate decrypted LDAP over TLS packets – Capture or mirror decrypted LDAPS packets. The packets are marked with "(ldp)" in the ingress/egress interface fields and have dummy Ethernet, IP, and TCP headers with some inaccurate fields. The LDAP server port is shown as 389. Passwords in captured LDAP bind requests are obfuscated.
• Monitor intermediate decrypted Single Sign On agent messages – Capture or mirror decrypted messages to or from the SSO Agent. The packets are marked with "(sso)" in the ingress/egress interface fields and have dummy Ethernet, IP, and TCP headers with some inaccurate fields.
NOTE: Monitor filters are still applied to all selected intermediate traffic types.
The decrypted SSL, LDAPS, and SSO options write plaintext that was protected on the wire into the capture buffer, and from there into any FTP log or mirror destination. Enable them only for the duration of a troubleshooting session and treat the resulting capture files as sensitive.
5 To save your settings and exit the configuration window, click OK.
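The file-naming convention from the logging section and the inaccurate-header caveat above both matter once the capture files are off the appliance. The following is an added example, not SonicWall code and not part of this guide: it parses the packet-log file names (run number, hour, date, and the 'F' that marks a Log Now transfer) and walks the libpcap records to verify each IPv4 header checksum, which is a simple way to separate packets the firewall injected for decrypted intermediate traffic from packets seen on the wire. The sample capture is constructed inline; the two frames, their addresses and the corruption method are this example's own assumptions.

```python
"""Check Packet Monitor log files pulled from the FTP server.

Added example for this guide, not SonicWall code: it parses the file names
the guide describes and verifies IPv4 header checksums in the libpcap
records, because packets the firewall injects for intermediate decrypted
SSL, LDAPS and SSO traffic carry dummy headers with inaccurate checksums.
The capture below is constructed inline so the script runs offline.
"""
import re
import struct
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Tuple

# packet-log--3-22-08292006.cap / packet-log-F-3-22-08292006.cap and the
# packet-log_h-... HTML variants: <run>-<hour>-<MMDDYYYY>, 'F' for "Log Now"
NAME_RE = re.compile(
    r"^packet-log(?P<html>_h)?-(?:(?P<flag>F)-)?-?"
    r"(?P<run>\d+)-(?P<hour>\d{1,2})-(?P<date>\d{8})\.(?P<ext>cap|html)$"
)

def parse_log_name(name: str) -> Optional[Dict]:
    """Return format, run number, timestamp and manual flag, or None if the
    name does not follow the Packet Monitor convention."""
    m = NAME_RE.match(name)
    if not m:
        return None
    when = datetime.strptime(m["date"] + m["hour"].zfill(2), "%m%d%Y%H")
    return {"format": "html" if m["html"] else "pcap", "manual": m["flag"] == "F",
            "run": int(m["run"]), "timestamp": when}

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of the header with its checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def iter_pcap(blob: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from an in-memory libpcap file with Ethernet link type."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if endian is None:
        raise ValueError("not a microsecond libpcap file: magic %r" % blob[:4])
    if struct.unpack(endian + "I", blob[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("unexpected link type")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if off + incl > len(blob):
            raise ValueError("truncated record at offset %d" % off)
        yield sec + usec / 1e6, blob[off:off + incl]
        off += incl

def inspect_capture(blob: bytes) -> List[Dict]:
    """Decode Ethernet/IPv4/TCP headers; checksum_ok is False for injected packets."""
    findings = []
    for idx, (_ts, pkt) in enumerate(iter_pcap(blob), start=1):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[14] >> 4 != 4:
            findings.append({"index": idx, "proto": "non-ipv4"})
            continue
        ihl = (pkt[14] & 0x0F) * 4
        ip = pkt[14:14 + ihl]
        entry = {"index": idx, "proto": ip[9],
                 "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                 "checksum_ok": struct.unpack("!H", ip[10:12])[0] == ipv4_checksum(ip)}
        if ip[9] == 6 and len(pkt) >= 14 + ihl + 4:  # TCP: shows the port 80 remap
            entry["sport"], entry["dport"] = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
        findings.append(entry)
    return findings

def build_frame(src: str, dst: str, sport: int, dport: int, corrupt: bool = False) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; corrupt=True mimics an injected packet."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    good = ipv4_checksum(ip)
    ip = ip[:10] + struct.pack("!H", (good + 1) & 0xFFFF if corrupt else good) + ip[12:]
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + tcp

def build_capture(frames: List[bytes]) -> bytes:
    """Constructed little-endian libpcap file wrapping the frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1156888800 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: a genuine TLS segment and a "decrypted" copy remapped to port 80
SAMPLE_CAPTURE = build_capture([
    build_frame("10.0.0.5", "203.0.113.10", 51000, 443),
    build_frame("10.0.0.5", "203.0.113.10", 51000, 80, corrupt=True),
])

if __name__ == "__main__":
    print(parse_log_name("packet-log-F-3-22-08292006.cap"))
    for entry in inspect_capture(SAMPLE_CAPTURE):
        print(entry)
```

Run it against a real file by replacing SAMPLE_CAPTURE with the bytes of a downloaded .cap; a packet whose checksum fails and whose TCP port reads 80 on a flow you know was TLS is the injected decrypted copy, not the original segment.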

CONFIGURING MIRROR SETTINGS

This section describes how to configure Packet Monitor mirror settings. Mirror settings provide a way to send packets to a different physical port of the same firewall, or to send packets to, or receive them from, a remote SonicWall firewall. To configure mirror settings, complete the following steps:
1 Navigate to the Diagnostics > Packet Monitor page and click Configure.
2 In the Packet Monitor Configuration window, click the Mirror tab.
3 Under Mirror Settings, type the desired maximum mirror rate into the Maximum mirror rate (in kilobits per second) field. If this rate is exceeded during mirroring, the excess packets are not mirrored and are counted as skipped packets. This rate applies to both local and remote mirroring. The default and minimum value is 100 kbps, and the maximum is 1 Gbps.
4 Select Mirror only IP packets to prevent mirroring of other Ethertype packets, such as ARP or PPPoE. If selected, this option overrides any non-IP Ethertypes selected on the Monitor Filter tab.
5 Under Local Mirror Settings, select the destination interface for locally mirrored packets in the Mirror filtered packets to Interface (NSA platforms only) drop-down list.
6 Under Remote Mirror Settings (Sender), in the Mirror filtered packets to remote SonicWall firewall (IP Address) field, type the IP address of the remote SonicWall to which mirrored packets are sent.
NOTE: The remote SonicWall must be configured to receive the mirrored packets.
7 In the Encrypt remote mirrored packets via IPSec (preshared key-IKE) field, type the pre-shared key to be used to encrypt traffic when sending mirrored packets to the remote SonicWall. Configuring this field enables an IPsec transport mode tunnel between this appliance and the remote SonicWall. This pre-shared key is used by IKE to negotiate the IPsec keys.
NOTE: The Encrypt remote mirrored packets through IPSec (preshared key-IKE) option is inactive in SonicOS Enhanced 5.6.
8 Under Remote Mirror Settings (Receiver), in the Receive mirrored packets from remote SonicWall firewall (IP Address) field, type the IP address of the remote SonicWall from which mirrored packets are received.
NOTE: The remote SonicWall must be configured to send the mirrored packets.
9 In the Decrypt remote mirrored packets via IPSec (preshared key-IKE) field, type the pre-shared key to be used to decrypt traffic when receiving mirrored packets from the remote SonicWall. Configuring this field enables an IPsec transport mode tunnel between this appliance and the remote SonicWall. This pre-shared key is used by IKE to negotiate the IPsec keys.
NOTE: The Decrypt remote mirrored packets through IPSec (preshared key-IKE) option is inactive in SonicOS Enhanced 5.6.
When the IPsec option is inactive or left blank, remote-mirrored packets, including any decrypted intermediate traffic selected on the Advanced Monitor Filter tab, travel between the two appliances unencrypted. Use a dedicated or otherwise trusted path for that traffic.
10 To mirror received packets to another interface on the local SonicWall, select the interface from the Send received remote mirrored packets to Interface (NSA platforms only) drop-down list.
11 To save received packets in the local capture buffer, select Send received remote mirrored packets to capture buffer. This option is independent of sending received packets to another interface, and both can be enabled.
12 To save your settings and exit the configuration window, click OK.

USING PACKET MONITOR AND PACKET MIRROR

In addition to Configure, the Packet Monitor page provides several buttons for general control of the packet monitor feature and display.

• Monitor All – Resets current monitor filter settings and advanced page settings so that traffic on all local interfaces is monitored. A confirmation dialog box displays when you click this button.
• Monitor Default – Resets current monitor filter settings and advanced page settings to factory default settings. A confirmation dialog box displays when you click this button.
• Clear – Clears the packet monitor queue and the displayed statistics for the capture buffer, mirroring, and FTP logging. A confirmation dialog box displays when you click this button.
The other buttons and displays on this page are described in the following sections:
• Starting and Stopping Packet Capture
• Starting and Stopping Packet Mirror

Starting and Stopping Packet Capture

You can start a packet capture that uses default settings without configuring specific criteria for packet capture, display, FTP export, and other settings. If you start a default packet capture, the SonicWall appliance captures all packets except those for internal communication, and stops when the buffer is full or when you click Stop Capture.
1 (Optional) Click Clear to set the statistics back to zero.
2 Under Packet Monitor, click Start Capture.
3 To stop the packet capture, click Stop Capture.

Starting and Stopping Packet Mirror

You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror. It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings. Packet mirroring stops when you click Stop Mirror.
1 Under Packet Monitor, click Start Mirror to start mirroring packets according to your configured settings.
2 To stop mirroring packets, click Stop Mirror.

Configuring Firewall 3G/4G/Modem Options

NOTE: For information on configuring wireless WAN (WWAN) settings, see Configuring Firewall Wireless WAN Options.

This chapter describes how to configure the dialup settings for SonicWall SmartPath (SP) and SmartPath ISDN (SPi) appliances. SonicWall SP appliances have a WAN Failover feature that enables automatic use of a built-in modem to establish Internet connectivity when the primary broadband connection becomes unavailable. This is ideal when the SonicWall appliance must remain connected to the Internet, regardless of network speed. This chapter contains the following subsections:
• Configuring the Modem Profile
• Configuring Modem Settings
• Configuring Advanced Modem Settings

Configuring the Modem Profile

NOTE: For information on configuring WWAN connection profiles, see Configuring the Connection Profile.

A profile is a list of dialup connection settings that can be used by a SonicWall SP or SonicWall SPi appliance. To configure a profile, complete the following steps:
1 In the left pane, select the SonicWall appliance to manage.
2 Click the Policies tab.
3 In the center pane, navigate to Modem > Connection Profiles. The profile configuration page displays.

4 To create a new profile, enter the name of the profile in the Profile Name field under ISP User Settings. To edit an existing profile or use an existing profile as a template, select a profile from the Current Profile pull-down menu.
NOTE: If you are editing an existing profile, the name in the Current Profile field must match the existing profile name. If there are no existing profiles, the Current Profile displays the static message No profiles available.
5 Enter the primary ISP phone number in the Primary Phone number field.
6 Enter the backup ISP phone number in the Secondary Phone number field.
7 Enter the user name associated with the account in the User Name field.
8 Enter the password associated with the account in the User Password and Confirm User Password fields.
9 Enter a chat script (optional).
10 Select one of the following IP address options:
• If the account obtains an IP address dynamically, select Obtain an IP Address Automatically.
• If the account uses a fixed IP address, select Use the following IP Address and type the IP address in the field.
11 Select from the following DNS server options:
• If the account obtains DNS server information from the ISP, select Obtain an IP Address Automatically.
• If the account uses specific DNS servers, select Use the following IP Address and type the IP address in the field.
12 For SPi appliances, you can configure MSN/EAZ and bandwidth on demand. To configure MSN/EAZ, enter a phone number in the MSN/EAZ field. To enable bandwidth on demand, click Bandwidth on Demand.
13 Select from the following connection options:
• If the SonicWall appliance(s) should remain connected to the Internet until the broadband connection is restored, select Persistent Connection.
• If the SonicWall appliance(s) should connect to the Internet only when data is being sent, select Dial On Data.
• If the SonicWall appliance(s) should connect to the Internet manually, select Manual Dial.
14 To enable the modem to disconnect after a period of inactivity, check Inactivity Disconnect and specify how long (in minutes) the modem waits before disconnecting from the Internet in the Inactivity Timeout field.
15 For SP appliances, specify a maximum connection speed by selecting the speed from the Max connection speed pull-down menu. The default is Auto.
16 To specify the maximum connection time, check the Max Connection Time box and enter the maximum connection time (in minutes) in the Max Connection Time field. To configure the SonicWall device to allow indefinite connections, enter '0'.
17 To specify a time (in minutes) before the connection reconnects, enter the number of minutes in the Delay Before Reconnect field.
18 For SP appliances, disable call waiting by checking the Disable Call Waiting box and selecting the radio button next to the touch tone disabling code. To enter a custom touch tone disabling code, select the radio button next to Other and specify the code.
19 To allow the modem to attempt a connection multiple times, check the Dial Retries per Phone Number box and specify the number of retries.
20 To specify how long the modem waits between retries, check Delay Between Retries and specify the delay (in seconds).
21 To disable VPN when dialed, check Disable VPN when dialed.
22 For SP appliances, enable the network modem by checking Enable Network Modem.
23 To specify the time periods when the modem can connect, check Limit Times for Dialup Profile and click Configure. The Edit Schedule String pop-up displays.

24 In the Edit Schedule String pop-up, check the box next to the day(s) on which you want to allow dial-up connections. Next to each selected day, enter the start and end times between which dial-up connections are allowed. Enter the hour and minute in 24-hour format.
25 Click Apply.
26 When you are finished, click Add Profile. The profile is added. To clear all screen settings and start over, click Reset.

Configuring Modem Settings

Select SonicWall appliances are equipped to use analog modem and/or wireless WAN (WWAN) devices for alternative or primary Internet connectivity.

NOTE: For information on configuring WWAN settings, see Configuring WWAN Settings.

To configure the modem settings for one or more SonicWall SP or SonicWall SPi appliances, complete the following steps:
1 In the left pane, select the SonicWall appliance to manage.
2 Click the Policies tab.
3 In the center pane, navigate to Modem > Settings.

4 For SP appliances, use the Speaker volume pull-down box to set the speaker volume On or Off.
5 For SP appliances, modem initialization has two options:
• To initialize the modem for use in a specific country, select the radio button next to Initialize Modem for use in and select the country in the pull-down menu.
• To initialize the modem using AT commands, select the radio button next to Initialize Modem using AT Command and enter the AT command(s) the modem needs to establish a connection in the text box.
6 For SPi appliances, you can specify the ISDN protocol by selecting the protocol from the ISDN Protocol pull-down menu. To connect or disconnect immediately, click Connect/Disconnect.
7 For appliances running SonicOS Enhanced, select the check boxes for any combination of the following dial on data categories:
• NTP packets
• GMS Heartbeats
• System log emails
• AV Profile Updates
• SNMP Traps
• Licensed Updates
• Firmware Update requests
• Syslog traffic
8 For appliances running SonicOS Enhanced, select the check boxes for any combination of the following Management methods:
• HTTP
• HTTPS
• Ping
• SNMP
• SSH
9 For appliances running SonicOS Enhanced, select the check boxes for any combination of the following User Login methods:
• HTTP
• HTTPS
• For HTTPS, check the box next to Add rule to enable redirect from HTTP to HTTPS to redirect an HTTP address to HTTPS.
10 Select a primary profile from the Primary Profile pull-down menu. Optionally, select alternate profiles from Alternate Profile 1 and, for SP appliances, Alternate Profile 2.
NOTE: To configure modem profiles, navigate to Modem > Connection Profiles (see Configuring the Modem Profile).



11 For non-SonicOS Enhanced appliances, you can configure the following modem failover settings:
• To enable dialup WAN failover, check Enable Dialup WAN Failover.
• To enable preempt mode, check Enable Preempt Mode.
• To enable probing, check Enable Probing.
• Select a method for probing using the Probe through pull-down menu.
• Enter the IP address that the SonicWall appliance uses to test Internet connectivity in the Probe Target (IP Address) field. We recommend using the IP address of the WAN Gateway.
• Select the Probe Type, either ICMP Probing or TCP Probing.
• Enter the TCP port for probing in the TCP Port for Probing field.
• Specify how often the IP address is tested (in seconds) in the Probe Interval field.
• Specify how many times the probe target must be unavailable before the SonicWall appliance fails over to the modem in the Failover Trigger Level field.
• Specify how many times the SonicWall appliance must successfully reach the probe target to reactivate the broadband connection in the Successful probes to reactivate Primary field.
12 When you are finished, click Update.
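The probe interval, failover trigger level and reactivation count above together decide how quickly an outage moves traffic to the modem and how quickly it moves back. The following is an added example, not SonicWall code and not a description of the appliance's internals: it models that decision logic so the effect of each setting can be seen on a constructed sequence of probe results. Preempt mode is modelled as "return to broadband automatically once the reactivation count is met"; the guide does not define the term, so that reading, the timing model (probe k completes at (k+1) x interval seconds) and the FailoverPolicy/FailoverState names are this example's assumptions.

```python
"""Dialup WAN failover decision logic.

Added example for this guide, not SonicWall code. Models the probe
parameters on the Modem > Settings page: a probe every `interval` seconds,
fail over after `trigger_level` consecutive failures, reactivate broadband
after `reactivate_level` consecutive successes. Preempt mode is assumed to
mean "return to broadband automatically". Probe results are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class FailoverPolicy:
    trigger_level: int = 3       # Failover Trigger Level
    reactivate_level: int = 5    # Successful probes to reactivate Primary
    interval: int = 5            # Probe Interval, seconds
    preempt: bool = True         # Enable Preempt Mode (assumed meaning)


@dataclass
class FailoverState:
    link: str = "broadband"
    failures: int = 0            # consecutive failed probes
    successes: int = 0           # consecutive successful probes
    events: List[Tuple[str, int]] = field(default_factory=list)  # (new link, seconds)


def apply_probe(policy: FailoverPolicy, state: FailoverState, ok: bool, now: int) -> FailoverState:
    """Feed one probe result. Counters reset whenever the outcome changes, so a
    single lost probe never flips the link by itself."""
    if ok:
        state.successes, state.failures = state.successes + 1, 0
    else:
        state.failures, state.successes = state.failures + 1, 0
    if state.link == "broadband" and state.failures >= policy.trigger_level:
        state.link = "modem"
        state.events.append(("modem", now))
        state.failures = 0
    elif state.link == "modem" and policy.preempt and state.successes >= policy.reactivate_level:
        state.link = "broadband"
        state.events.append(("broadband", now))
        state.successes = 0
    return state


def simulate(policy: FailoverPolicy, results: List[bool]) -> FailoverState:
    """Run a sequence of probe outcomes; probe k completes at (k+1)*interval seconds."""
    state = FailoverState()
    for k, ok in enumerate(results):
        apply_probe(policy, state, ok, (k + 1) * policy.interval)
    return state


def detection_time(policy: FailoverPolicy) -> int:
    """Seconds of continuous probe failure needed before failover triggers."""
    return policy.trigger_level * policy.interval


# Constructed probe history: a one-probe blip, a real outage, then recovery
PROBES = [True, False, False, True, False, False, False] + [True] * 6

if __name__ == "__main__":
    for preempt in (True, False):
        s = simulate(FailoverPolicy(preempt=preempt), PROBES)
        print("preempt=%s final=%s events=%s" % (preempt, s.link, s.events))
    print("failover after", detection_time(FailoverPolicy()), "s of failed probes")
```

With the defaults above the two-probe blip at the start is ignored, the three-probe outage fails over at 35 seconds, and broadband is reactivated at 60 seconds only when preempt is on; raising Failover Trigger Level or Probe Interval lengthens detection_time in proportion, which is the trade-off between flapping and outage duration.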

Configuring Advanced Modem Settings

To configure advanced modem settings, complete the following steps:
1 In the left pane, select the SonicWall appliance to manage.
2 Click the Policies tab.
3 In the center pane, navigate to Modem > Advanced.

4 To enable remotely triggered dial-out, check Enable Remotely Triggered Dial-out.
5 If your remotely triggered dial-out requires authentication, check Requires Authentication and enter your password in the Password and Confirm Password fields.
6 To enable RIP advertisements through the modem, check Enable LAN to WAN RIP during dialup.
7 When you are finished, click Update.
NOTE: For information on configuring WWAN settings, see Configuring Advanced Settings.

Configuring Firewall Wireless WAN Options

This chapter describes how to configure the Wireless Wide Area Network (WWAN) settings for SonicWall security appliances that use 3G and other Wireless WAN functionality to utilize data connections over cellular networks. For information about Wireless WAN configuration, see the following:
• About Wireless WAN
• Configuring the Connection Profile
• Configuring WWAN Settings
• Configuring Advanced Settings

About Wireless WAN

SonicWall appliances such as the TZ 190, TZ 200, and TZ 210 have a WWAN capability that can be used for the following:
• WAN Failover to a connection that is not dependent on wire or cable.
• Temporary networks where a pre-configured connection might not be available, such as trade shows and kiosks.
• Mobile networks, where the SonicWall appliance is based in a vehicle.
• Primary WAN connection where wire-based connections are not available and cellular is.
Wireless WAN support requires a wireless card and a contract with a wireless network provider. See the SonicWall documentation that comes with the security appliance for more information. GMS provides complete management of SonicWall security appliances that are WWAN/3G-capable and running SonicOS Enhanced 3.6 and above.

Configuring the Connection Profile

A profile is a list of connection settings that can be used by a SonicWall appliance. To configure a connection profile, complete the following steps:
1 In the TreeControl pane, select a group view or a SonicWall appliance to manage. The appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2 Click the Policies tab.
3 In the center pane, navigate to 3G/4G/Modem > Connection Profiles. The profile configuration page displays. For a group view, the page is slightly different to accommodate both Modem and WWAN settings.
4 Complete the following procedures to configure the Connection Configuration, General Settings, IP Address Settings, Parameters, and Data Usage Limiting sections in the 3G/Modem > Connection Profiles screen:
• To Configure the Connection Configuration and General settings:
• To Configure the IP Address Settings:
• To Configure Parameters:
• To Configure Data Usage Limiting:
5 Click Delete Profile to delete the profile specified in the Profile Name field.
6 Click RESET to clear all fields and start over.
7 Click UPDATE to save the settings to the specified connection profile.

To Configure the Connection Configuration and General settings:
1 To edit an existing profile or use an existing profile as a template, select a profile from the Current Profile pull-down menu.
NOTE: If you are editing an existing profile, the name in the Current Profile field must match the existing profile name. If there are no existing profiles, the Current Profile displays the static message No profiles available.
2 To create a new profile, enter the name of the profile in the Profile Name field.
3 In the Country pull-down list, select the country where the SonicWall appliance is deployed.
4 In the Service Provider pull-down list, select the service provider that you have a cellular account with. Only service providers supported in the country you selected are displayed in the pull-down list.
5 In the Plan Type pull-down menu, select the WWAN plan you have subscribed to with the service provider, or select Other. If your specific plan type is listed, the rest of the fields in the General section are provisioned automatically. Verify that these fields are correct and continue in the Parameters section.
6 Verify that the appropriate Connection Type is selected. This field is provisioned automatically for most service providers.
7 Verify that the Dialed Number is correct. The dialed number is *99# for most service providers.
8 Enter your user name and password in the User Name, User Password, and Confirm User Password fields, respectively.
9 Enter the Access Point Name in the APN field. APNs are required only by GPRS devices and are provided by the service provider.

To Configure the IP Address Settings:
1 Under IP Address Settings, select one of the following IP Address options:
• If the account obtains an IP address dynamically, select Obtain an IP Address Automatically. By default, WWAN connection profiles are configured to obtain IP addresses automatically.
• To specify a static IP address, select Use the following IP Address and type the IP address in the field.
2 Select from the following DNS Server options:
• If the account obtains DNS server information from the ISP, select Obtain an IP Address Automatically. By default, WWAN connection profiles are configured to obtain DNS server addresses automatically.
• If the account uses specific DNS servers, select Use the following IP Address and type the IP addresses of the primary and secondary DNS servers in the fields.

To Configure Parameters:
1 Select from the following Dial Type options:
• If the SonicWall appliance(s) should use the WWAN continuously to stay connected to the Internet, select Persistent Connection.
• If the SonicWall appliance(s) should connect to the Internet only when data is being sent, select Dial On Data. To configure the SonicWall appliance for remotely triggered dial-out, the Dial Type must be Dial on Data. Refer to Configuring Advanced Settings.
• If the SonicWall appliance(s) should connect to the Internet manually, select Manual Dial.
2 Select Enable Inactivity Disconnect and enter the number of minutes of inactivity after which the WWAN connection disconnects from the Internet. This option is not available if the Dial Type is Persistent Connection.
3 Select Enable Max Connection Time and enter the number of minutes after which the WWAN connection disconnects, regardless of whether the session is inactive or not. Enter a value in Delay Before Reconnect to have the SonicWall appliance reconnect automatically after the specified number of minutes.
4 Select Dial Retries per Phone Number and enter a number in the field to specify the number of times the SonicWall appliance can attempt to reconnect.
5 Select Delay Between Retries and enter a number in the field to specify the number of seconds between retry attempts.
6 Select Disable VPN when Dialed to disable VPN connections over the WWAN interface.
7 Select Force PAP Authentication to use PAP, rather than a challenge-based method, when the link authenticates to the provider. PAP sends the account password in the clear over the link, so select it only if the provider requires it.

To Configure Data Usage Limiting:
1 Select Enable Data Usage Limiting to have the WWAN interface disabled automatically when the specified data or time limit has been reached for the month.
TIP: If your WWAN account has a monthly data or time limit, it is strongly recommended that you enable Data Usage Limiting.
2 Select the day of the month on which to start tracking the monthly data or time usage in the Billing Cycle Start Date pull-down menu.
3 Enter a value in the Limit field and select the appropriate limiting factor: GB, MB, KB, or Minutes.
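The billing cycle start date and the limit with its unit are all the appliance needs to decide when to shut the interface, but the month boundary has an awkward case: a start date of 29, 30 or 31 does not exist in every month. The following is an added example, not SonicWall code, that works out the current cycle with that clamping, sums a constructed usage log over it and applies a limit in GB/MB/KB or Minutes. The binary unit sizes (1 GB = 1024^3 bytes), the record layout and the function names are this example's assumptions; the guide does not specify how the appliance counts.

```python
"""WWAN Data Usage Limiting, monthly billing cycle.

Added example for this guide, not SonicWall code. Given the Billing Cycle
Start Date and a Limit with its unit (GB, MB, KB or Minutes) it decides
whether the WWAN interface may still be used. Units are assumed binary
(1 GB = 1024^3 bytes); the guide does not say. Usage records are constructed.
"""
import calendar
from datetime import date
from typing import Dict, List

UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumed binary units


def parse_day(text: str) -> date:
    """ISO date string to date, for callers that do not want to import datetime."""
    return date.fromisoformat(text)


def cycle_start(today: date, billing_day: int) -> date:
    """Most recent occurrence of billing_day on or before today.

    A start date such as 31 is clamped to the last day of shorter months,
    so the cycle never silently skips a month."""
    if not 1 <= billing_day <= 31:
        raise ValueError("billing day must be 1..31")

    def clamped(year: int, month: int) -> date:
        return date(year, month, min(billing_day, calendar.monthrange(year, month)[1]))

    this_month = clamped(today.year, today.month)
    if this_month <= today:
        return this_month
    year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
    return clamped(year, month)


def usage_in_cycle(records: List[Dict], today: date, billing_day: int) -> Dict:
    """Sum bytes and minutes for records dated within the current cycle."""
    start = cycle_start(today, billing_day)
    in_cycle = [r for r in records if start <= r["day"] <= today]
    return {"cycle_start": start,
            "bytes": sum(r["bytes"] for r in in_cycle),
            "minutes": sum(r["minutes"] for r in in_cycle)}


def wwan_allowed(records: List[Dict], today: date, billing_day: int, limit: int, unit: str) -> bool:
    """False once the cycle's usage reaches the configured limit."""
    used = usage_in_cycle(records, today, billing_day)
    if unit == "Minutes":
        return used["minutes"] < limit
    if unit not in UNIT_BYTES:
        raise ValueError("unit must be GB, MB, KB or Minutes")
    return used["bytes"] < limit * UNIT_BYTES[unit]


# Constructed usage log for a unit whose plan bills on the 31st
RECORDS = [
    {"day": date(2023, 6, 30), "bytes": 2 * 1024 ** 3, "minutes": 600},
    {"day": date(2023, 7, 1), "bytes": 1 * 1024 ** 3, "minutes": 300},
    {"day": date(2023, 7, 10), "bytes": 512 * 1024 ** 2, "minutes": 90},
]

if __name__ == "__main__":
    today = date(2023, 7, 15)
    for day in (31, 1):
        print("billing day", day, usage_in_cycle(RECORDS, today, day),
              "allowed under 2 GB:", wwan_allowed(RECORDS, today, day, 2, "GB"))
```

Note how the same three records give a different answer for a billing day of 31 (the June 30 record falls inside the cycle, because June has no 31st) and of 1; if the appliance and the carrier disagree on that clamping, the limit will fire early or late by a day's usage.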

Configuring WWAN Settings

To configure the WWAN settings for one or more SonicWall appliances, complete the following steps:
1 In the left pane, select the SonicWall appliance to manage. The appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2 Click the Policies tab.
3 In the center pane, navigate to 3G/Modem > Settings.

4 In the Dial on Data Categories section, select the check boxes for any combination of the following dial on data categories:
• NTP packets
• GMS Heartbeats
• System log emails
• AV Profile Updates
• SNMP Traps
• Licensed Updates
• Firmware Update requests
• Syslog traffic
These settings allow you to configure the WWAN interface to connect automatically to the WWAN service provider when the SonicWall appliance detects specific types of traffic. To configure the SonicWall appliance for Connect on Data operation, you must select Dial on Data as the Dial Type for the Connection Profile. Refer to To Configure Parameters:.
5 In the Management/User Login section, select the check boxes for any combination of the following Management methods:
• HTTP
• HTTPS
• Ping
• SNMP
• SSH
6 Select the check boxes for any combination of the following User Login methods:
• HTTP
• HTTPS
• Select Add rule to enable redirect from HTTP to HTTPS to have the SonicWall automatically convert HTTP requests to HTTPS requests for added security.
The management and login methods selected here are reachable over the cellular interface. HTTP carries administrator and user credentials in the clear, so prefer HTTPS and SSH, and enable the HTTP-to-HTTPS redirect if HTTP must remain on.
7 Under Profile Settings, select a primary profile from the Primary Profile pull-down menu. Optionally, select alternate profiles from Alternate Profile 1 and Alternate Profile 2.
NOTE: To set up WWAN Interface Monitoring for this unit, go to the Network > Failover & LB screen.
8 To return all fields to their default settings and start over, click RESET.
9 To save settings, click UPDATE.

Configuring Advanced Settings

The 3G/Modem > Advanced page is used to configure the Remotely Triggered Dial-Out feature on the SonicWall appliance. The Remotely Triggered Dial-Out feature enables network administrators to remotely initiate a WWAN connection to a SonicWall appliance. Before configuring the Remotely Triggered Dial-Out feature, ensure that your configuration meets the following prerequisites:
• The WWAN profile is configured for dial-on-data.
• The SonicWall Security Appliance is configured to be managed using HTTPS, so that the device can be accessed remotely.
• It is recommended that you enter a value in the Enable Max Connection Time field. This field is located in the 3G/Modem > Connection Profiles screen in the Parameters section. Refer to To Configure Parameters: for more information. If you do not enter a value in this field, dial-out calls remain connected indefinitely, and you have to terminate sessions manually by clicking Disconnect.
To configure advanced WWAN settings, complete the following steps:
1 In the left pane, select the SonicWall appliance to manage. The appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2 Click the Policies tab.
3 In the center pane, navigate to 3G/Modem > Advanced.

4 To enable remotely triggered dial-out, check Enable Remotely Triggered Dial-out.
5 If your remotely triggered dial-out requires authentication, check Requires Authentication and enter your password in the Password and Confirm Password fields. Requiring authentication is advisable on metered cellular plans, because an unauthenticated trigger lets anyone able to send it start a billable connection.
6 In the Max Hosts field under WWAN Connection Limit, type the number of simultaneous connections that are allowed, or enter zero for no limit.
7 To return all fields to their default settings and start over, click RESET.
8 When you are finished, click UPDATE.

Configuring Firewall SonicPoints

This chapter describes how to configure SonicPoint managed secure wireless access points.

Wi-Fi Alliance Certification

NOTE: SonicPoint Dual Radio (SonicPoint NDR and SonicPoint ACe/ACi/N2) devices are Wi-Fi Certified by the Wi-Fi Alliance, which is designated by the Wi-Fi Certified logo. The Wi-Fi CERTIFIED Logo is a certification mark of the Wi-Fi Alliance, and indicates that the product has undergone rigorous testing by the Wi-Fi Alliance and has demonstrated interoperability with other products, including those from other companies that bear the Wi-Fi CERTIFIED Logo.

FCC U-NII New Rule Compliance

Beginning in SonicOS 6.2.5.1, FCC U-NII (Unlicensed National Information Infrastructure) New Rule (Report and Order ET Docket No. 13-49) is supported on SonicPo
int ACe/ACi/N2 running firmware version 9.0.1.0-2 or higher. To comply with FCC New Rules for Dynamic Frequency Selection (DFS), a SonicPoint detects and avoids interfering with radar signals in DFS bands.

NOTE: SonicPoint ACe/ACi/N2 wireless access points manufactured with FCC New Rule-compliant firmware are only supported with SonicOS 6.2.5.1 and higher. Older SonicPoint ACe/ACi/N2 access points are automatically updated to the FCC New Rule-compliant firmware when connected to a firewall running SonicOS 6.2.5.1 or higher.

Topics:
• Managing SonicPoints
• Viewing Station Status
• Using and Configuring SonicPoint IDS
• Using and Configuring Virtual Access Points
• Configuring the RF Monitor
• Configuring FairNet

Managing SonicPoints The SonicPoint section of GMS allows you to manage the SonicPoints connected to your managed firewalls.

BEFORE MANAGING SONICPOINTS

Before you can manage SonicPoints in GMS, you must first:
• Configure your SonicPoint Provisioning Profiles, or use the defaults
• Configure a Wireless zone
• Assign profiles to wireless zones. This step is optional. If you do not assign a default profile for a zone, SonicPoints in that zone use the first profile in the list.
• Assign an interface to the Wireless zone
• Attach the SonicPoints to the interfaces in the Wireless zone
• Test SonicPoints

SONICPOINT PROVISIONING PROFILES

When a SonicPoint unit is first connected and powered up, it has a factory default configuration (IP address 192.168.1.20, username: admin, password: password). Upon initializing, it attempts to find a SonicWall firewall with which to peer. If it is unable to find a peer device, it enters a standalone mode of operation with a separate standalone configuration that allows it to operate as a standard Access Point. Because those standalone defaults are published, a SonicPoint that has fallen back to standalone mode is an unmanaged access point with known credentials: change its password, or keep it off the network until it peers with a firewall. If the SonicPoint does locate, or is located by, a peer firewall through the SonicWall Discovery Protocol, an encrypted exchange between the two units occurs, and the profile assigned to the relevant Wireless zone is used to automatically configure (provision) the newly added SonicPoint unit.

As part of the provisioning process, SonicOS on the peer firewall assigns the discovered SonicPoint device a unique name, and records its MAC address and the interface and zone on which it was discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS then uses the profile associated with the relevant zone to configure the 2.4GHz and 5GHz radio settings.

SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture. SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint, such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation.

When a SonicPoint is initially connected to an interface, the firewall uses the provisioning profile associated with the zone of the interface to create a SonicPoint entry. It can take up to 5 minutes for the entry to be created. You can modify the SonicPoint entry to configure the access point name, radio frequency mode, authentication type, and other settings specific to the SonicPoint.

For deployments of multiple SonicPoints that need the same provisioning settings, you can create a custom provisioning profile in the upper section of the SonicPoint > SonicPoints page. In the Network > Zones page, you can edit the WLAN zone and specify this profile on the Wireless tab. Any SonicPoints connecting to an interface in the WLAN zone are then provisioned with the assigned profile. Each Wireless zone can be configured with one SonicPoint profile. Any profile can apply to any number of zones. SonicOS includes default provisioning profiles for SonicPoint AC, SonicPoint N, and SonicPoint NDR. You can modify these profiles or create new ones.
Modifications to profiles do not affect units that have already been provisioned and are in an operational state. Configuration changes to operational SonicPoint devices can occur in two ways:
• Via manual configuration changes to the SonicPoint entry. Appropriate when a single change, or a small set of changes, is to be made, particularly when that individual SonicPoint requires settings that differ from the profile assigned to its zone.
• Via un-provisioning. Deleting a SonicPoint unit effectively un-provisions the unit, that is, clears its configuration and places it into a state where it automatically engages the provisioning process anew with its peer device. This technique is useful when the profile for a zone is updated or changed and the change is to be propagated. It can be used to update firmware on SonicPoints, or simply to update multiple SonicPoint units automatically and in a controlled fashion, one or a few at a time, rather than changing all peered SonicPoints at once, which can cause service disruptions.
To configure SonicPoint profiles, see Configuring a SonicPoint Profile.

Default SonicPoint N Profile

Setting              802.11a Radio                            802.11g Radio                            802.11n Radio
Enable Radio         Yes - Always on                          Yes - Always on                          Yes - Always on
SSID                 sonicwall                                sonicwall                                sonicwallD790 (D790 is an example; the suffix is derived from the hardware address)
Radio Mode           54Mbps 802.11a                           2.4 GHz 54Mbps 802.11g                   2.4 GHz 802.11n/g/b Mixed
Channel              AutoChannel                              AutoChannel                              AutoChannel
ACL Enforcement      Disabled                                 Disabled                                 Disabled
Authentication Type  WEP - Both (Open System & Shared Key)    WEP - Both (Open System & Shared Key)    WEP - Both (Open System & Shared Key)
Schedule IDS Scan    Disabled                                 Disabled                                 Disabled
Data Rate            Best                                     Best                                     Best
Antenna Diversity    Best                                     Best                                     Best

Note that the default Authentication Type on every radio is WEP, which is cryptographically broken, and that Shared Key authentication additionally exposes the key to a trivial challenge/response attack. Change the authentication type to WPA2 (preferably WPA2-EAP against a RADIUS server) in the profile before any SonicPoint is provisioned with it, since units that are already operational do not pick up later profile changes.
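The provisioning semantics described above (one profile per zone, a configuration snapshot taken when a unit is discovered, profile edits that leave operational units untouched, and deletion that forces re-provisioning) as a small runnable model. This is an added example, not SonicWall code: the class and method names, the zone name, MAC addresses and profile values are invented for illustration. The weak_units check flags units still running the WEP default from the table above, and rolling_reprovision shows the "one at a time" un-provisioning approach.

```python
"""Toy model of SonicPoint provisioning semantics (added example, not SonicWall code).

Zone names, MAC addresses, profile values and all identifiers are made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


def is_weak(auth_type: str) -> bool:
    """WEP and open-system settings (the factory default) offer no real protection."""
    a = auth_type.upper()
    return a.startswith("WEP") or a.startswith("OPEN")


@dataclass(frozen=True)
class Profile:
    name: str
    ssid: str
    auth_type: str                  # e.g. "WPA2-EAP"
    name_prefix: str = "SonicPoint"


@dataclass
class SonicPointEntry:
    name: str
    mac: str
    interface: str
    zone: str
    config: Profile                 # snapshot of the zone profile at provisioning time
    state: str = "operational"


class Provisioner:
    """Assumed model of the firewall side of provisioning (hypothetical class)."""

    def __init__(self) -> None:
        self.zone_profiles: Dict[str, Profile] = {}    # exactly one profile per wireless zone
        self.entries: Dict[str, SonicPointEntry] = {}  # keyed by MAC address
        self._seq = 0

    def assign_profile(self, zone: str, profile: Profile) -> None:
        self.zone_profiles[zone] = profile              # one profile may serve many zones

    def discover(self, mac: str, interface: str, zone: str) -> SonicPointEntry:
        """Discovery of a new (or just deleted) unit: build its entry from the zone's profile."""
        profile = self.zone_profiles[zone]
        self._seq += 1
        entry = SonicPointEntry(f"{profile.name_prefix} {self._seq:06d}", mac, interface, zone, profile)
        self.entries[mac] = entry
        return entry

    def update_profile(self, zone: str, **changes) -> None:
        """Edit the zone's profile. Operational units keep their snapshot."""
        self.zone_profiles[zone] = replace(self.zone_profiles[zone], **changes)

    def configure_entry(self, mac: str, **changes) -> None:
        """Manual per-unit change; for a unit that must differ from its zone profile."""
        entry = self.entries[mac]
        entry.config = replace(entry.config, **changes)

    def unprovision(self, mac: str) -> Tuple[str, str, str]:
        """Deleting the entry clears the unit's configuration; it then re-enters discovery."""
        entry = self.entries.pop(mac)
        return entry.mac, entry.interface, entry.zone

    def rolling_reprovision(self, zone: str) -> List[str]:
        """Push an updated zone profile to its units one at a time, not all at once.

        In a live deployment you would wait for each unit to return to the
        operational state before deleting the next one."""
        done = []
        for mac in [m for m, e in self.entries.items() if e.zone == zone]:
            self.discover(*self.unprovision(mac))
            done.append(mac)
        return done

    def weak_units(self) -> List[str]:
        """Names of operational units still running a WEP/open profile."""
        return sorted(e.name for e in self.entries.values() if is_weak(e.config.auth_type))
```

Run weak_units() after every profile change: a unit provisioned before the profile was hardened keeps the old snapshot until it is deleted and re-discovered.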

CONFIGURING A SONICPOINT PROFILE

You can add any number of SonicPoint profiles. The SonicPoint profile configuration process varies slightly, depending on whether you are configuring a single-radio (SonicPoint N) or a dual-radio (SonicPoint NDR and SonicPoint AC) unit. The following sections describe how to configure SonicPoint profiles:
• Configuring a SonicPoint ACe, ACi, or N2 Profile
• Configuring a SonicPoint NDR Profile
• Configuring a SonicPointN Profile for 802.11n
• Configuring a SonicPoint Profile for 802.11a or 802.11g

Configuring a SonicPoint ACe, ACi, or N2 Profile

NOTE: SonicPoint ACi and N2 require 802.3at compliant Power over Ethernet (PoE/PoE+). SonicPoint ACe can also be powered by 802.3at compliant PoE/PoE+, or with the included power adaptor (input 120V-240V AC to output 12V DC).

You can add any number of SonicPoint AC profiles. The specifics of the configuration vary slightly depending on which protocols you select.

To configure a SonicPoint AC provisioning profile, complete the following steps:
1 Navigate to the SonicPoint > SonicPoints page.
2 To add a new SonicPoint AC profile, click Add a new SonicPoint ACe/ACi/N2 Profile.
or
To edit an existing AC profile, click the Configure icon on the same row as the profile you want to edit.
The Add/Edit SonicPoint Profile dialog appears. You can configure the SonicPoint AC through options on these tabs:
• General Tab
• Radio 0 Basic and Radio 1 Basic Tabs
• Radio 0 Advanced and Radio 1 Advanced Tabs
• Sensor Tab

General Tab

The Add/Edit SonicPoint Profile General tab.

In the General tab, configure the desired settings:
• SonicPoint Settings
• Virtual Access Point Settings
• L3 SSL VPN Tunnel Settings

SonicPoint Settings
1 Select Enable SonicPoint to enable each SonicPoint AC automatically when it is provisioned with this profile. This option is selected by default.
2 Optionally, select Retain Settings to have the SonicPoint ACs provisioned by this profile retain customized settings until system restart or reboot. This option is not selected by default. If you select this option, Edit becomes active and the Retain Settings window displays. To specify the settings to retain:
a If you are editing an existing SonicPoint AC profile, click Edit. The Retain Settings window displays.
b Do one of the following:
• Click Retain All Settings; all the other options become dimmed.
• Click the checkboxes of the individual settings to be retained.
c Click OK.
3 Optionally, select Enable RF Monitoring to enable wireless RF Threat Real Time Monitoring and Management. This option is not selected by default.
4 If you are configuring a:
• SonicPoint NDR profile, go to Step 5.
• SonicPoint AC profile, optionally check Enable LED (Ni/Ne) to enable or disable the SonicPoint AC LEDs. This option is not selected by default (LEDs are disabled).
5 Enter a prefix for the names of all SonicPoint ACs connected to this zone in the Name Prefix field. This prefix assists in identifying a SonicPoint AC on a zone. When each SonicPoint AC is provisioned, it is given a name that consists of the name prefix and a unique number, for example: SonicPoint AC 126008.
6 Select the country where you are operating the SonicPoint ACs from the Country Code drop-down menu. The country code determines which regulatory domain the radio operation falls under.
7 From the EAPOL Version drop-down menu, select the version of EAPoL (Extensible Authentication Protocol over LAN) to use: v1 or v2. The default is v1, but v2 provides better security.

Virtual Access Point Settings
1 Optionally, select a Virtual Access Point (VAP) group to assign these SonicPoint ACs to a VAP from the Radio 0 Basic Virtual AP Group and Radio 1 Basic Virtual AP Group drop-down menus. The drop-down menus also allow you to create a new VAP group. For more information on VAPs, see Using and Configuring Virtual Access Points.

L3 SSL VPN Tunnel Settings
1 In the SSL VPN Server field, enter the IP address of the SSL VPN server.
2 In the User Name field, enter the user name used to authenticate to the SSL VPN server.
3 In the Password field, enter the password for that user.
4 In the Domain field, enter the domain that the SSL VPN server is located in.
5 Select Auto-Reconnect for the SonicPoint to reconnect to the SSL VPN server automatically.
NOTE: To configure L3 SSL VPN, refer to the SonicOS Administrator Guide.



Radio 0 Basic and Radio 1 Basic Tabs

The Radio 0 Basic and Radio 1 Basic tabs are similar and have only a few differences, which are noted in the steps.
NOTE: The sections and options displayed on the Radio 0/1 Basic tabs change depending on whether you selected a VAP group in the Radio 0/1 Basic Virtual AP Group drop-down menus on the General tab, and on the mode you select in the Mode drop-down menu. These choices apply only to the radio for which they were selected.
1 Click the Radio 0 Basic or Radio 1 Basic tab.
2 Configure the settings for the 5GHz (Radio 0) and 2.4GHz (Radio 1) band radios:
• Radio 0 Basic Settings and Radio 1 Basic Settings
• Wireless Security
• Virtual Access Point Encryption Settings
• ACL Enforcement

Radio 0 Basic Settings and Radio 1 Basic Settings
NOTE: The options change depending on the mode you select.



1 Select Enable Radio to automatically enable the radios on all SonicPoint ACs provisioned with this profile. This option is selected by default.
• From the Enable Radio drop-down menu, select a schedule for when the radio is on, or create a new schedule by selecting Create new schedule; the default is Always on.
2 Select your preferred radio mode from the Mode drop-down menu. The wireless security appliance supports the following modes:

Radio mode choices

Radio 0 Basic (5GHz)                              Radio 1 Basic (2.4GHz)                                  Definition
5GHz 802.11n Only                                 2.4GHz 802.11n Only                                     Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
5GHz 802.11n/a Mixed                              2.4GHz 802.11n/g/b Mixed (SonicPoint AC/NDR default)    Supports 802.11a and 802.11n (Radio 0) or 802.11b, 802.11g, and 802.11n (Radio 1) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
5GHz 802.11a Only (SonicPoint NDR default)        (not available)                                         Select this mode if only 802.11a clients access your wireless network.
(not available)                                   2.4GHz 802.11g Only                                     If your wireless network consists only of 802.11g clients, you might select this mode for increased 802.11g performance. You might also select this mode if you wish to prevent 802.11b clients from associating.
5GHz 802.11ac Only                                (not available)                                         Allows only 802.11ac clients access to your wireless network. Other clients are unable to connect under this restricted radio mode.
5GHz 802.11ac/n/a Mixed (SonicPoint AC default)   (not available)                                         Supports 802.11ac, 802.11a, and 802.11n (Radio 0) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.

TIP: For 802.11n clients only, and for optimal throughput alone, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/g/b Mixed radio mode for compatibility with multiple kinds of wireless clients. Likewise, for optimal throughput with 802.11ac clients alone, SonicWall recommends the 802.11ac Only radio mode; use the 802.11ac/n/a Mixed radio mode for mixed-client compatibility.

NOTE: The available Radio 0/1 Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:
• Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel, Enable Short Guard Interval, and Enable Aggregation.
• Does not support 802.11n, only the Channel option is displayed.

3 If you are configuring a:
• SonicPoint AC, or a SonicPoint NDR without a VAP, go to Step 4.
• SonicPoint NDR with a VAP selected on the General tab, optionally select Enable DFS Channels to enable Dynamic Frequency Selection (DFS), which allows wireless devices to share the same spectrum with existing radar systems within the 5GHz band.
TIP: If you select this option, choose either Standard - 20MHz Channel or Wide - 40MHz Channel as the Radio Band. The Primary Channel and Standard Channel drop-down menus then list the available DFS channels.
NOTE: This option appears only on the 802.11n Radio 0 tab, because 802.11n Radio 1 operates in the 2.4GHz band, which has no DFS channels.

4 If you are configuring a:
• SonicPoint with a VAP, go to Step 5.
• SonicPoint without a VAP group, in the SSID field, enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that appears in clients' lists of available wireless connections.
TIP: If all SonicPoint ACs or NDRs in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint AC/NDR to another.

5 If the Mode you selected was:
• 5GHz 802.11a Only, go to Step 6.
• Any other mode, select a radio band from the Radio Band drop-down menu:
  • Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Both the Primary Channel and Secondary Channel are set to Auto also. This is the default setting.
  • Standard - 20MHz Channel - Specifies that the radio uses only the standard 20MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel options.
  • Wide - 40MHz Channel - Specifies that the radio uses only a wide (channel-bonded) channel. The 80MHz-wide channel is an 802.11ac feature and is available only when 5GHz 802.11ac/n/a Mixed or 5GHz 802.11ac Only is selected as the Mode. When this option is selected, only the Channel drop-down menu is active.

6 Select a channel from the Standard/Primary Channel drop-down menu. Depending on the Mode and Radio Band selections, a Secondary Channel drop-down menu displays.
• Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting for the Standard/Primary Channels. The Secondary Channel is set to Auto regardless of the setting of the Primary Channel.
• Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help to avoid interference with other wireless networks in the area. The available channels depend on which radio you are configuring (see the following table).
If you select Wide - 40MHz Channel for Radio Band, a Secondary Channel displays and is selected automatically by the selection of the Primary Channel.

Channel selecting

Radio 0: 802.11a Only      Radio 1: 802.11g Only
Auto                       Auto
Channel 36 (5180MHz)       Channel 1 (2412MHz)
Channel 40 (5200MHz)       Channel 2 (2417MHz)
Channel 44 (5220MHz)       Channel 3 (2422MHz)
Channel 48 (5240MHz)       Channel 4 (2427MHz)
Channel 149 (5745MHz)      Channel 5 (2432MHz)
Channel 153 (5765MHz)      Channel 6 (2437MHz)
Channel 157 (5785MHz)      Channel 7 (2442MHz)
Channel 161 (5805MHz)      Channel 8 (2447MHz)
                           Channel 9 (2452MHz)
                           Channel 10 (2457MHz)
                           Channel 11 (2462MHz)

7 Go to Step .

NOTE: When the wireless radio is configured for a mode that supports 802.11n, the following options are displayed.

8 (802.11n only) From the Radio Band drop-down menu, select the band for the 802.11n radio:
• Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Both the Primary Channel and Secondary Channel are set to Auto also. This is the default setting.
• Standard - 20MHz Channel - Specifies that the 802.11n radio uses only the standard 20MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel options.
  • Standard Channel - This drop-down menu displays only when the 20MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help to avoid interference with other wireless networks in the area. The available channels depend on which radio you are configuring:

Available channels

Radio 0    Same as for 802.11a in the Channel selecting table
Radio 1    Same as for 802.11g in the Channel selecting table

• Wide - 40MHz Channel - Specifies that the 802.11n radio uses only the wide 40MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are active:
  • Primary Channel - By default this is set to Auto. Optionally, you can specify a particular primary channel. The available channels are the same as for 802.11a in the Channel selecting table.
  • Secondary Channel - Is set to Auto regardless of the setting of the Primary Channel.

9 Select Enable Short Guard Interval to use the short guard interval of 400ns (as opposed to the standard guard interval of 800ns).
NOTE: This option is not available if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.
IMPORTANT: To avoid compatibility issues, ensure the wireless client also supports a short guard interval.
A guard interval is a set amount of time between transmissions that is designed to ensure distinct transmissions do not interfere with one another. It introduces immunity to propagation delays, echoes, and reflections: an access point treats any signal content received inside this interval as unwanted inter-symbol interference and rejects that data. The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling a short guard interval reduces idle time on each access point and so increases the 802.11n data rate. A short guard interval of 400 nanoseconds works in most office environments, where distances between points of reflection, and between clients, are short, so most reflections are received quickly. The shorter the guard interval, the more efficient the channel usage, but the greater the risk of interference. The long guard interval of 800ns becomes more important as areas become larger, such as in warehouses and outdoor environments, where reflections and echoes are more likely to continue after a short guard interval would be over.
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, and so on), these options could introduce transmission errors that eliminate any efficiency gains in throughput.

10 Select Enable Aggregation to enable 802.11n frame aggregation, which combines multiple data frames in a single transmission to reduce overhead and increase throughput.
NOTE: This option is not available if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.
IMPORTANT: To avoid compatibility issues, ensure the wireless client also supports aggregation.
Data over wireless networks are sent as a stream of packets known as data frames. Frame aggregation combines these packets into fewer, larger packets, thereby increasing overall performance. Frame aggregation was added to the 802.11n specification for this reason; only 802.11n clients can take advantage of it, as legacy systems cannot understand the format of the larger packets.

11 If you are configuring:
• SonicPoint AC:
  • Without a VAP, go to Wireless Security.
  • With a VAP, go to Virtual Access Point Encryption Settings.
• SonicPoint NDR, optionally select Enable MIMO. This option is selected by default.
The Enable MIMO option enables/disables MIMO (multiple-input multiple-output). Enabling this option increases 802.11n throughput by using multiple-input/multiple-output antennas. This option is enabled by default for all 802.11n modes and is dimmed to ensure it is not disabled. The option is activated and selected by default if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.
NOTE: Ensure the wireless client can also support these antennas to avoid compatibility issues. If the 802.11a or 802.11g client cannot support them, disable the option by deselecting it.

Wireless Security

NOTE: If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the General tab, this section is not available. Instead, the Virtual Access Point Encryption Settings section is displayed. Go to Virtual Access Point Encryption Settings.

The options change depending on the authentication type you select. The Wireless Security sections of both the Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Wireless Security settings, see Wireless Security.

Radius Server Settings
1 In Radius Server Settings, click Configure. The SonicPoint Radius Server Global Settings dialog displays.
2 In the appropriate fields, enter the RADIUS server settings that you want. See the following table.

WPA-EAP/WPA2-EAP encryption settings

Option                    Description
Radius Server Retries     The number of attempts made to contact the RADIUS server. If the RADIUS server does not respond within the specified number of retries, the connection is dropped.
Retry Interval (seconds)  The time, from 0 to 60 seconds, to wait between retries. 0 means no wait between retries.
Radius Server 1 IP        The IP address (name/location) of your primary RADIUS authentication server.
Radius Server 1 Port      The port on which your RADIUS authentication server communicates with clients and network devices. The default port is 1812.
Radius Server 1 Secret    The shared secret for your RADIUS authentication server.
Radius Server 2           The IP address (name/location) of your backup RADIUS authentication server.
Radius Server 2 Port      The port on which your backup RADIUS authentication server communicates with clients and network devices. The default port is 1812.
Radius Server 2 Secret    The shared secret for your backup RADIUS authentication server.

The shared secret is the only thing that authenticates replies from the RADIUS server to the access point (the RFC 2865 response authenticator is an MD5 hash keyed by it), so use a long, random value and give each RADIUS server its own.

3 Click OK.

Virtual Access Point Encryption Settings

NOTE: This section displays only if a VAP was selected from the Radio 0 Basic/1 Virtual AP Group drop-down menus in the Virtual Access Point Settings section of the General tab.

The Virtual Access Point Encryption Settings sections of both the Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure them, see Virtual Access Point Encryption Settings.

ACL Enforcement

The ACL Enforcement sections of both the Radio 0 Basic and Radio 1 Basic tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the ACL Enforcement settings, see ACL Enforcement.

Remote MAC Address Access Control Settings

Enforce 802.11n wireless access control based on a MAC-based authentication policy held in a remote RADIUS server. Because this option cannot be combined with IEEE 802.11i EAP (see the IMPORTANT note below), enabling it means the radio's clients are identified by MAC address alone; MAC addresses are sent in the clear and are trivial to spoof, so prefer WPA2-EAP wherever clients support it.

NOTE: If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the General tab, this section is not available; go to Radio 0 Advanced and Radio 1 Advanced Tabs.

The Remote MAC Address Access Control Settings sections of both the 802.11n Radio 0 and 802.11n Radio 1 tabs are the same as for the SonicPoint N 802.11n Radio tab.

IMPORTANT: You cannot enable the Remote MAC address access control option at the same time that IEEE 802.11i EAP is enabled. If you try to do so, you could receive the following error message: Remote MAC address access control can not be set when IEEE 802.11i EAP is enabled.

1 Select Enable Remote MAC Access Control. This option enforces radio wireless access control according to the MAC-based authentication policy in the remote RADIUS server. The Configure button becomes active.
2 Click Configure. The SonicPoint Radius Server Global Settings dialog displays.
3 In the appropriate fields, enter the RADIUS server settings that you want. See the WPA-EAP/WPA2-EAP encryption settings table.
4 Click OK.
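What the Radius Server Retries, Retry Interval, Server 1/Server 2 and Secret settings in the table above actually drive, shown as a minimal RADIUS Access-Request client. This is an added example and not SonicWall or SonicPoint code: the failover order (exhaust server 1's retries, then try server 2), the server addresses, secrets, user name and NAS identifier are all assumptions, and the in-process fake_server is a constructed stand-in so the exchange runs offline. The security-relevant part is verify_response: a reply whose response authenticator does not check out against the shared secret is discarded like a lost packet, which is why the secret must be strong.

```python
"""RADIUS Access-Request with reply authentication and primary/backup failover.

Added example, not SonicWall code. Server addresses, secrets, user names and
the NAS identifier are made-up values; the failover order is an assumption.
"""
import hashlib
import hmac
import os
import socket
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * ((-len(plain)) % 16 if plain else 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(plain[i:i + 16], pad))
        out, prev = out + block, block
    return out


def decrypt_password(cipher, secret, authenticator):
    """Inverse of encrypt_password (the server side); strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(ident, secret, username, password, nas_id):
    """Return (packet, request_authenticator); the authenticator is 16 random bytes."""
    auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth


def verify_response(packet, request_auth, secret):
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).

    A reply that fails this check was not produced by a holder of the shared
    secret, so the caller treats it exactly like a lost packet."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def udp_send(host, port, request, timeout=2.0):
    """Real transport: one datagram out, one reply back, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def authenticate(servers, username, password, nas_id, send=udp_send, retries=3, retry_interval=0):
    """Try server 1 up to `retries` times, then server 2 (assumed failover order).

    servers: [(host, port, secret), ...] with the primary first.
    Returns ("accept" | "reject", server_index), or (None, None) if nothing valid came back."""
    ident = os.urandom(1)[0]
    for idx, (host, port, secret) in enumerate(servers):
        request, req_auth = build_access_request(ident, secret, username, password, nas_id)
        for attempt in range(retries):
            reply = send(host, port, request)
            if reply is not None and verify_response(reply, req_auth, secret):
                return ("accept" if reply[0] == ACCESS_ACCEPT else "reject"), idx
            if retry_interval and attempt < retries - 1:
                time.sleep(retry_interval)   # Retry Interval (seconds); 0 means no wait
    return None, None


def fake_server(secret, accept=True, reachable=True):
    """Constructed in-process stand-in for a RADIUS server, for offline demonstration."""
    def handler(host, port, request):
        if not reachable:
            return None                       # behaves like a dropped datagram
        _, ident, _ = struct.unpack("!BBH", request[:4])
        body = struct.pack("!BBH", ACCESS_ACCEPT if accept else ACCESS_REJECT, ident, 20)
        return body + hashlib.md5(body + request[4:20] + secret).digest()
    return handler
```

With the real udp_send transport, a call such as authenticate([("10.0.0.1", 1812, b"secret1"), ("10.0.0.2", 1812, b"secret2")], "alice", "pw", "sonicpoint-1") exercises exactly the retry and failover behaviour the settings table describes; the User-Password encoding shown here is the legacy PAP form, whereas WPA-EAP carries EAP messages inside RADIUS instead, but the shared-secret reply authentication is the same.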

Radio 0 Advanced and Radio 1 Advanced Tabs

These settings affect the operation of the radio bands. The SonicPoint has two separate radios built in, so it can send and receive on both bands at the same time. The Radio 0 Advanced and Radio 1 Advanced tabs are quite similar: the options are the same except that Radio 0 Advanced has the Fragmentation Threshold (bytes) field.

To configure the Radio 0 Advanced and Radio 1 Advanced settings:
1 Select Hide SSID in Beacon to send null SSID beacons in place of advertising the wireless SSID name. Sending null SSID beacons forces wireless clients to know the SSID before connecting. By default, this option is unchecked. Note that this is not a security control: the SSID still appears in clients' probe requests and association frames, so anyone with a wireless sniffer can recover it.
2 From the Schedule IDS Scan drop-down menu, select a schedule for the IDS (Intrusion Detection Service) scan. Select a time when there are fewer demands on the wireless network to minimize the inconvenience of dropped wireless connections. You can disable the feature by selecting Disabled, the default.
NOTE: IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. This feature detects attacks against the WLAN infrastructure, which consists of authorized access points, the RF medium, and the wired network. An authorized or valid AP is defined as an access point that belongs to the WLAN infrastructure; it is either a SonicPoint or a third-party access point.
3 From the Data Rate drop-down menu, select the speed at which data is transmitted and received. Best (default) automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate, from a minimum of 1 Mbps to a maximum of 54 Mbps.
4 From the Transmit Power drop-down menu, select the transmission power. Transmission power affects the range of the SonicPoint.
• Full Power (default)
• Half (-3 dB)
• Quarter (-6 dB)
• Eighth (-9 dB)
• Minimum
5 From the Antenna Diversity drop-down menu, select the method that determines which antenna the SonicPoint uses to send and receive data.
• Best: This is the default setting. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
• 1: Select 1 to restrict the SonicPoint to antenna 1 only. Facing the rear of the SonicPoint, antenna 1 is on the left, closest to the power supply.
• 2: Select 2 to restrict the SonicPoint to antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the console port.
6 In the Beacon Interval (milliseconds) field, enter the number of milliseconds between wireless SSID beacons. The minimum interval is 100 milliseconds, the maximum is 1000 milliseconds, and the default is 100 milliseconds.
7 In the DTIM Interval field, enter the DTIM interval as a number of beacon frames. The minimum is 1, the maximum is 255, and the default is 1. For 802.11 power-save mode clients of incoming multicast packets, the Delivery Traffic Indication Message (DTIM) interval specifies the number of beacon frames to wait before sending a DTIM.
8 In the Fragmentation Threshold (bytes) field, enter the frame size, in bytes, above which frames are fragmented. Fragmenting wireless frames can increase reliability and throughput in areas with RF interference or poor wireless coverage; lower thresholds produce more fragments. The minimum threshold is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
9 In the RTS Threshold (bytes) field, enter the packet size, in bytes, at or above which a request to send (RTS) is sent before packet transmission. Sending an RTS helps avoid wireless collisions in situations where clients are in range of the same access point but might not be in range of each other. The minimum threshold is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
10 In the Maximum Client Associations field, enter the maximum number of clients you want each SonicPoint using this profile to support on this radio at one time. The minimum is 1, the maximum is 128, and the default is 32.
11 In the Station Inactivity Timeout (seconds) field, enter the maximum length of wireless client inactivity, in seconds, before the access point ages out the client. The minimum period is 60 seconds, the maximum is 36000 seconds, and the default is 300 seconds.
12 From the WMM (Wi-Fi Multimedia) drop-down menu, select whether a WMM profile is to be associated with this profile:
• Disabled (default)
• Create new WMM profile. If you select this, the Add Wlan WMM Profile window displays.
• A custom WLAN WMM profile
13 Select Enable Short Slot Time to allow clients to disassociate and reassociate more quickly. Specifying this option increases throughput on the 802.11n/g wireless band by shortening the time an access point waits before relaying packets to the LAN. By default, this option is not selected.
14 Select Does not allow Only 802.11b Clients to Connect if you are using Turbo G mode and, therefore, are not allowing 802.11b clients to connect. Specifying this option limits wireless connections to 802.11g clients only. By default, this option is not selected.
15 Select Enable Green AP to allow the SonicPoint ACe/ACi/N2 radio to go into sleep mode. This saves power when no clients are actively connected to the SonicPoint. The SonicPoint immediately returns to full power mode when any client attempts to connect to it. Green AP can be set on each radio independently, Radio 0 (5GHz) and Radio 1 (2.4GHz).
16 In the Green AP Timeout(s) field, enter the time in seconds that the access point waits with no active connections before it goes into sleep mode. The range is 10 to 600 seconds; the default is 20 seconds.

Sensor Tab

In the Sensor tab, enable or disable Wireless Intrusion Detection and Prevention (WIDP) mode.
NOTE: If this option is selected, Access Point or Virtual Access Point(s) functionality is disabled automatically.

1 Select Enable WIDP sensor to have the SonicPoint operate as a dedicated WIDP sensor. This option is not selected by default.
2 From the drop-down menu, select the schedule for when the SonicPoint operates as a WIDP sensor, or select Create new schedule… to specify a different time; the default is Always on.

Configuring a SonicPoint NDR Profile

For a SonicPoint overview, see Configuring Firewall SonicPoints. You can add any number of SonicPoint NDR profiles. The specifics of the configuration vary slightly depending on which 802.11 protocols you select.

To configure a SonicPoint NDR provisioning profile, complete the following steps:
1 Navigate to the SonicPoint > SonicPoints page.
2 To add a new SonicPoint NDR profile, click Add a new SonicPoint NDR Profile in the SonicPoint N Provisioning Profiles table.
or
To edit an existing NDR profile, select the profile and click Configure in the same line as the profile you want to edit.
The Add/Edit SonicPoint NDR Profile window displays. Configure the SonicPoint NDR with the options on these tabs:
• General Tab
• 802.11n Radio 0 and 802.11n Radio 1 Tabs
• Radio 0 Advanced and Radio 1 Advanced Tabs
• Sensor Tab
General Tab

The Add/Edit SonicPoint Profile General tab.

In the General tab, configure the desired settings:
• SonicPoint Settings
• Virtual Access Point Settings
• L3 SSL VPN Tunnel Settings

SonicPoint Settings
1 Check Enable SonicPoint to automatically enable each SonicPoint NDR when it is provisioned with this profile. This option is selected by default.
2 Optionally, check Retain Settings to have the SonicPoint NDRs provisioned by this profile retain customized settings until system restart or reboot. This option is not selected by default. If you select this option, Edit becomes active and the Retain Settings window displays. To specify the settings to retain:
a If you are editing an existing SonicPoint NDR profile, click Edit. The Retain Settings window displays.
b Do one of the following:
• Click Retain All Settings; all the other options become dimmed.
• Click the checkboxes of the individual settings to be retained.
c Click OK.
3 Optionally, check Enable RF Monitoring to enable wireless RF Threat Real Time Monitoring and Management. This option is not selected by default.
4 Enter a prefix for the names of all SonicPoint NDRs connected to this zone in the Name Prefix field. This prefix assists in identifying a SonicPoint NDR on a zone. When each SonicPoint NDR is provisioned, it is given a name that consists of the name prefix and a unique number, for example: SonicPoint NDR 126008.
5 Select the country where you are operating the SonicPoint NDRs from the Country Code drop-down menu. The country code determines which regulatory domain the radio operation falls under.
6 From the EAPOL Version drop-down menu, select the version of EAPoL (Extensible Authentication Protocol over LAN) to use: v1 or v2. The default is v1, but v2 provides better security.

Virtual Access Point Settings
1 Optionally, select an 802.11n Virtual Access Point (VAP) group to assign these SonicPoint NDRs to a VAP from the 802.11n Radio 0 Virtual AP Group and 802.11n Radio 1 Virtual AP Group drop-down menus. The drop-down menus also allow you to create a new VAP group. For more information on VAPs, see Using and Configuring Virtual Access Points.

L3 SSL VPN Tunnel Settings
1 In the SSL VPN Server field, enter the IP address of the SSL VPN server.
2 In the User Name field, enter the user name used to authenticate to the SSL VPN server.
3 In the Password field, enter the password for that user.
4 In the Domain field, enter the domain that the SSL VPN server is located in.
5 Select Auto-Reconnect for the SonicPoint to reconnect to the SSL VPN server automatically.

802.11n Radio 0 and 802.11n Radio 1 Tabs

The 802.11n Radio 0 and 802.11n Radio 1 tabs are similar; the few differences are noted in the steps.
NOTE: The sections and options displayed on the 802.11n Radio 0/1 tabs change depending on whether you selected a VAP group in the 802.11n Radio 0/1 Virtual AP Group drop-down menus on the General tab and on the mode you select in the Mode drop-down menu. These choices apply only to the radio for which they were selected.
1 Click the Radio 0 Basic or Radio 1 Basic tab.

2 Configure the settings for the 5GHz (Radio 0) and 2.4GHz (Radio 1) band radios:
• 802.11n Radio 0 Settings and 802.11n Radio 1 Settings
• Wireless Security
• Virtual Access Point Encryption Settings
• ACL Enforcement
• Remote MAC Address Access Control Settings

802.11n Radio 0 Settings and 802.11n Radio 1 Settings

NOTE: The options change depending on the mode selected.



1 Check Enable Radio to automatically enable the 802.11n radio on all SonicPoint NDRs provisioned with this profile.
• From the Enable Radio drop-down menu, select a schedule for when the 802.11n radio is on, or select Create new schedule to define one; the default is Always on.
2 Select your preferred radio mode from the Mode drop-down menu. The wireless security appliance supports the following modes:

Supported modes
• 5GHz 802.11n Only (Radio 0 Basic) / 2.4GHz 802.11n Only (Radio 1 Basic): Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
• 5GHz 802.11n/a Mixed (Radio 0 Basic) / 2.4GHz 802.11n/g/b Mixed (Radio 1 Basic): Supports 802.11a and 802.11n (Radio 0) or 802.11b, 802.11g, and 802.11n (Radio 1) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode. This is the default.
• 5GHz 802.11a Only (Radio 0 Basic): Select this mode if only 802.11a clients access your wireless network.
• 2.4GHz 802.11g Only (Radio 1 Basic): If your wireless network consists only of 802.11g clients, you might select this mode for increased 802.11g performance. You might also select this mode if you wish to prevent 802.11b clients from associating.

TIP: For optimal throughput when only 802.11n clients are present, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/g/b Mixed radio mode when a mix of client types must be able to associate.
NOTE: The available Radio 0/1 Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:
• Supports 802.11n, the following options are displayed: Radio Band, Primary Channel, Secondary Channel, Enable Short Guard Interval, and Enable Aggregation.
• Does not support 802.11n, only the Channel option is displayed.
3 Optionally, select Enable DFS Channels to enable Dynamic Frequency Selection (DFS), which allows wireless devices to share the same spectrum with existing radar systems within the 5GHz band.
NOTE: If you select this option, choose either Standard - 20MHz Channel or Wide - 40MHz Channel as the Radio Band. The Primary Channel and Standard Channel drop-down menus then also list the available DFS channels.
NOTE: This option only appears on the 802.11n Radio 0 tab, because the 802.11n Radio 1 operates only in the 2.4GHz band.
• In the SSID field, enter a recognizable string for the SSID of each SonicPoint NDR using this profile. This is the name that appears in clients' lists of available wireless connections.
NOTE: If all SonicPoint NDRs in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint NDR to another.
4 If you selected a mode that:
• Supports 802.11n, go to Step 5.
• Does not support 802.11n, select a channel from the Channel drop-down menu, then go to Step 7:
• Auto: Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting. Use Auto unless you have a specific reason to use or avoid specific channels.
• Specific channel: You can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.

Channel selection

Radio 0: 802.11a Only      Radio 1: 802.11g Only
Channel 36 (5180 MHz)      Channel 1 (2412 MHz)
Channel 40 (5200 MHz)      Channel 2 (2417 MHz)
Channel 44 (5220 MHz)      Channel 3 (2422 MHz)
Channel 48 (5240 MHz)      Channel 4 (2427 MHz)
Channel 149 (5745 MHz)     Channel 5 (2432 MHz)
Channel 153 (5765 MHz)     Channel 6 (2437 MHz)
Channel 157 (5785 MHz)     Channel 7 (2442 MHz)
Channel 161 (5805 MHz)     Channel 8 (2447 MHz)
                           Channel 9 (2452 MHz)
                           Channel 10 (2457 MHz)
                           Channel 11 (2462 MHz)

5 For a mode that supports 802.11n, from the Radio Band drop-down menu, select the band for the 802.11n radio:
• Auto: Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. Both the Primary Channel and Secondary Channel are set to Auto as well. This is the default setting.
• Standard - 20MHz Channel: Specifies that the 802.11n radio uses only the standard 20MHz channel. When this option is selected, the Standard Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel options.
• Standard Channel: This drop-down menu only displays when the 20MHz channel is selected. By default, it is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area. The available channels depend on which radio you are configuring: for Radio 0 they are the 802.11a channels, and for Radio 1 the 802.11g channels, listed in the Channel selection table in Step 4.
• Wide - 40MHz Channel: Specifies that the 802.11n radio uses only the wide 40MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are active:
• Primary Channel: By default this is set to Auto. Optionally, you can specify a primary channel. The available channels are the same as the 802.11a channels in the Channel selection table in Step 4.
• Secondary Channel: Is set to Auto regardless of the Primary Channel setting.
6 Optionally, select Enable Short Guard Interval to use the short guard interval of 400ns instead of the standard guard interval of 800ns.
NOTE: This option is not available if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.
A guard interval is a set amount of time between transmissions that ensures distinct transmissions do not interfere with one another; it gives immunity to propagation delays, echoes, and reflections. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference and rejects that data. The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling the short guard interval decreases network overhead by reducing idle time on each AP and increases the 802.11n data rate. A short guard interval of 400 nanoseconds (ns) works in most office environments, because distances between points of reflection, as well as between clients, are short and most reflections are received quickly. The shorter the guard interval, the more efficient the channel usage, but a shorter guard interval also increases the risk of interference. The long guard interval of 800ns becomes more important as areas become larger, such as in warehouses and outdoor environments, because reflections and echoes are more likely to continue after the short guard interval would be over. Ensure the wireless clients also support a short guard interval to avoid compatibility issues.
• Select Enable Aggregation to enable 802.11n frame aggregation, which combines multiple data frames in a single transmission to reduce overhead and increase throughput.
NOTE: This option is not available if 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.
Data over wireless networks are sent as a stream of packets known as data frames. Frame aggregation combines these packets into fewer, larger packets, thereby increasing overall performance. Frame aggregation was added to the 802.11n specification for this additional increase in performance. Only 802.11n clients can take advantage of it, because legacy systems cannot understand the format of the larger packets. Ensure the wireless clients also support aggregation to avoid compatibility issues.
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions, where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, and so on), these options might introduce transmission errors that eliminate any efficiency gains in throughput.
7 The Enable MIMO option enables or disables MIMO (multiple-input multiple-output). Enabling this option increases 802.11n throughput by using multiple-input/multiple-output antennas. This option is enabled by default for all 802.11n modes and is dimmed so that it cannot be disabled. If 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected, the option is still selected by default but becomes editable.
NOTE: Ensure the wireless clients also support multiple antennas to avoid compatibility issues. If an 802.11a or 802.11g client cannot, disable the option by deselecting it.

Wireless Security

NOTE: If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the General tab, this section is not available. Instead, the Virtual Access Point Encryption Settings section is displayed; go to Virtual Access Point Encryption Settings.
The options change depending on the authentication type you select. The Wireless Security sections of both the 802.11n Radio 0 and 802.11n Radio 1 tabs are the same as for the SonicPoint N 802.11n Radio tab. For how to configure the Wireless Security settings, see Wireless Security.

Virtual Access Point Encryption Settings

This section displays only if a VAP was selected from the 802.11n Radio 0/1 Virtual AP Group drop-down menus in the Virtual Access Point Settings section of the General tab. The Enable Remote MAC Access Control option is also available in the Add/Edit Virtual Access Point dialog and the Add/Edit Virtual Access Point Profile dialog, under the Remote MAC Address Access Control Settings panel, accessed from the SonicPoint > Virtual Access Point page. The Virtual Access Point Encryption Settings section of both the Radio 0 Basic and Radio 1 Basic tabs is the same as for the SonicPoint N 802.11n Radio tab. For how to configure these settings, see Virtual Access Point Encryption Settings.

ACL Enforcement

The ACL Enforcement section of both the Radio 0 Basic and Radio 1 Basic tabs is the same as for the SonicPoint N 802.11n Radio tab. For how to configure the ACL Enforcement settings, see ACL Enforcement.

Remote MAC Address Access Control Settings

Enable Remote MAC Access Control is available in the Add SonicPoint N Profile window and the Add SonicPoint NDR Profile window, accessed from the SonicPoint > SonicPoints page. For information about selecting this option, see 802.11n Radio 0 and 802.11n Radio 1 Tabs. If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the General tab, this section is not available; go to Radio 0 Advanced and Radio 1 Advanced Tabs.

The Remote MAC Address Access Control Settings section of both the 802.11n Radio 0 and 802.11n Radio 1 tabs is the same as for the SonicPoint N 802.11n Radio tab.
CAUTION: You cannot enable the Remote MAC address access control option while IEEE 802.11i EAP is enabled. If you try, you receive the following error message: Remote MAC address access control can not be set when IEEE 802.11i EAP is enabled.
NOTE: A MAC address allow list identifies a client's radio, not its user: MAC addresses travel in the clear in every frame and are trivially spoofed by anyone who can observe the channel. Treat Remote MAC access control as a convenience filter layered on top of WPA2, never as a substitute for it.

Radio 0 Advanced and Radio 1 Advanced Tabs

In the 802.11n Advanced tab, configure the performance settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance.
• Hide SSID in Beacon: Check this option to omit the SSID from the beacon frames the SonicPoint broadcasts. The network then does not appear in clients' scan lists, and clients must be configured with the SSID to connect. This is not a security control: the SSID is still sent in the clear in probe responses and in every client's association request, so rely on WPA2 authentication rather than on hiding the SSID.
• Schedule IDS Scan: Select a time when there are fewer demands on the wireless network to schedule an Intrusion Detection Service (IDS) scan, to minimize the inconvenience of dropped wireless connections.
• Data Rate: Select the speed at which data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate.
• Transmit Power: Select the transmission power. Transmission power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.
• Antenna Diversity: The Antenna Diversity setting determines which antenna the SonicPoint uses to send and receive data. You can select:
• Best: This is the default setting. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
• 1: Select 1 to restrict the SonicPoint to antenna 1 only. Facing the rear of the SonicPoint, antenna 1 is on the left, closest to the power supply.
• 2: Select 2 to restrict the SonicPoint to antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the console port.
• Beacon Interval (milliseconds): Enter the number of milliseconds between wireless beacons. The minimum interval is 100 milliseconds, the maximum is 1000 milliseconds, and the default is 100 milliseconds.
• DTIM Interval: Enter the interval at which 802.11 power-save-mode clients are alerted to incoming multicast packets. The Delivery Traffic Indication Message (DTIM) interval specifies the number of beacon frames to wait before sending a DTIM. The minimum is 1 frame, the maximum is 255 frames, and the default is 1 frame.
• Fragmentation Threshold (bytes): Enter the frame size, in bytes, above which frames are fragmented. Fragmented wireless frames increase reliability and throughput in areas with RF interference or poor wireless coverage. Lower threshold values produce more fragments. The minimum is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
• RTS Threshold (bytes): Enter the packet size, in bytes, at or above which a request to send (RTS) is sent before packet transmission. Sending an RTS avoids wireless collisions where clients are in range of the same access point but might not be in range of each other. The minimum is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
• Maximum Client Associations: Enter the maximum number of clients you want the SonicPoint to support on this radio at one time. The minimum is 1, the maximum is 128, and the default is 32.
• Station Inactivity Timeout (seconds): The number of seconds a station can be inactive before it times out. The minimum is 60 seconds, the maximum is 36000 seconds, and the default is 300 seconds.
• Preamble Length: Select the length of the preamble, the initial wireless communication sent when associating with a wireless host. You can select Long or Short.
• WMM (Wi-Fi Multimedia): Select whether a WMM profile is to be associated with this profile: Disabled (default) or Create new WMM profile. If you select Create new WMM profile, the Add Wlan WMM Profile window displays.

Radio 0 and Radio 1 Advanced Tabs

These settings affect the operation of the 802.11n radio bands. The SonicPoint has two separate radios built in, so it can send and receive on both bands at the same time. The Radio 0 Advanced and Radio 1 Advanced tabs are quite similar; the difference is that the Radio 1 Advanced tab has more options.

Sensor Tab

In the Sensor tab, you enable or disable Wireless Intrusion Detection and Prevention (WIDP) mode.
NOTE: If this option is selected, Access Point and Virtual Access Point functionality is automatically disabled.
1 Select Enable WIDP sensor to have the SonicPoint NDR operate as a dedicated WIDP sensor.
2 From the drop-down menu, select the schedule for when the SonicPoint NDR operates as a WIDP sensor, or select Create new schedule... to specify a different time; the default is Always on.

Configuring a SonicPointN Profile for 802.11n

You can add any number of SonicPoint profiles. The specifics of the configuration vary slightly depending on which 802.11 protocols you select. To configure a SonicPointN provisioning profile, complete the following tasks:
1 To add a new profile, click Add SonicPointN below the list of SonicPoint 802.11n provisioning profiles. To edit an existing profile, select the profile and click the Configure icon in the same line as the profile you are editing.

2 In the Settings tab of the Add Profile window, specify:
• Enable SonicPointN: Check this to automatically enable each SonicPoint when it is provisioned with this profile.
• Retain Settings: Check this to have the SonicPointNs provisioned by this profile retain these settings after they are deleted and re-synchronized. Click Edit to specify the categories of settings that are retained.

• Optionally, check Enable RF Monitoring to enable wireless RF Threat Real Time Monitoring and Management. This option is not selected by default.
• Optionally, check Enable LED (Ni/Ne) to turn SonicPointN LEDs on or off.
NOTE: This option applies only to the SonicPoint N models that have controllable LED hardware support.
• Name Prefix: Enter a prefix for the names of all SonicPointNs connected to this zone. When each SonicPointN is provisioned, it is given a name consisting of the prefix and a unique number, for example: "SonicPoint 126008".
• Country Code: Select the country where you are operating the SonicPointNs. The country code determines which regulatory domain the radio operation falls under.
• Virtual Access Point Group: (optional; on SonicWall NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPointNs to a VAP. This drop-down menu also allows you to create a new VAP group. For more information on VAPs, refer to Using and Configuring Virtual Access Points.

L3 SSL VPN Tunnel Settings

1 In the SSL VPN Server field, enter the IP address of the SSL VPN server.
2 In the User Name field, enter the user name the SonicPoint uses to log in to the SSL VPN server.
3 In the Password field, enter the password for that user.
4 In the Domain field, enter the domain that the SSL VPN server is located in.
5 Check Auto-Reconnect to have the SonicPoint reconnect to the SSL VPN server automatically.
NOTE: To configure L3 SSL VPN, refer to the SonicOS Administrator Guide.

SonicPoint Administrator Settings

1 In the User Name field, enter the user name for the network administrator. 2 In the Password field, enter the password for the network administrator.

802.11n Radio Tab

NOTE: The sections and options displayed on the 802.11n Radio tab change depending on whether you selected a VAP group in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab and on the mode you selected from the Mode drop-down menu.
In the 802.11n Radio tab, configure the radio settings for the 802.11n radio:

1 Enable Radio: Check this to automatically enable the 802.11n radio bands on all SonicPoints provisioned with this profile. This option is selected by default.
• From the Enable Radio drop-down menu, select the schedule for when the 802.11n radio is on. The default schedule is Always on.
2 Mode: Select your preferred radio mode from the Mode drop-down menu. The wireless security appliance supports the modes shown in the Radio mode choices table below.
NOTE: The available 802.11n Radio Settings options change depending on the mode selected. If the wireless radio is configured for a mode that:
• Supports 802.11n Only, the following options are displayed: Radio Band, Primary Channel, Secondary Channel.
• Does not support 802.11n, only the Channel option is displayed.
• Supports 5GHz 802.11n/a, the Enable DFS Channels option is displayed.
TIP: For optimal throughput when only 802.11n clients are present, SonicWall recommends the 802.11n Only radio mode. Use the 802.11n/g/b Mixed radio mode when a mix of client types must be able to associate.

Radio mode choices
• 2.4GHz 802.11n Only / 5GHz 802.11n Only: Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
• 2.4GHz 802.11n/g/b Mixed (this is the default) / 5GHz 802.11n/a Mixed: Supports 802.11b, 802.11g, and 802.11n (2.4GHz) or 802.11a and 802.11n (5GHz) clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
• 2.4GHz 802.11g Only: If your wireless network consists only of 802.11g clients, you might select this mode for increased 802.11g performance. You might also select this mode if you wish to prevent 802.11b clients from associating.
• 2.4GHz 802.11g/b Mixed: If your wireless network consists of both 802.11b and 802.11g clients, you might select this mode for increased performance.
• 5GHz 802.11a Only: Select this mode if only 802.11a clients access your wireless network.
• 5GHz 802.11n/a/ac Mixed: Supports 802.11a, 802.11ac, and 802.11n clients simultaneously. If your wireless network comprises multiple types of clients, select this mode.
• 5GHz 802.11ac Only: Select this mode if only 802.11ac clients access your wireless network.
3 If you chose 5GHz 802.11n Only, 5GHz 802.11n/a Mixed, or 5GHz 802.11a Only for Mode, optionally check Enable DFS Channels. Enabling Dynamic Frequency Selection (DFS) allows wireless devices to share spectrum with existing radar systems in the 5GHz band. This setting is not selected by default.
4 If you did not specify a VAP group on the Settings tab, in the SSID field, enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that appears in clients' lists of available wireless connections.
NOTE: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
5 If the mode you selected supports:
• 802.11g only or 802.11a only, go to Step 6.
• 802.11n only or 802.11n mixed, go to Step 8.
6 Only for 802.11a/g: Select the channel for the radio from the Channel drop-down menu:
• Auto: Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting. Use Auto unless you have a specific reason to use or avoid specific channels.
• Specific channel: Select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.

802.11g/802.11a channels

802.11g Channels           802.11a Channels
Channel 1 (2412 MHz)       Channel 36 (5180 MHz)
Channel 2 (2417 MHz)       Channel 40 (5200 MHz)
Channel 3 (2422 MHz)       Channel 44 (5220 MHz)
Channel 4 (2427 MHz)       Channel 48 (5240 MHz)
Channel 5 (2432 MHz)       Channel 149 (5745 MHz)
Channel 6 (2437 MHz)       Channel 153 (5765 MHz)
Channel 7 (2442 MHz)       Channel 157 (5785 MHz)
Channel 8 (2447 MHz)       Channel 161 (5805 MHz)
Channel 9 (2452 MHz)
Channel 10 (2457 MHz)
Channel 11 (2462 MHz)

7 If you selected 5GHz 802.11a Only or 2.4GHz 802.11g Only mode, go to Step 11.
8 For 802.11n only or 802.11n mixed: From the Radio Band drop-down menu, select the band for the 802.11n radio:
• Auto: Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting. The Primary Channel and Secondary Channel drop-down menus are set to Auto and cannot be changed.
• Standard - 20 MHz Channel: Specifies that the 802.11n radio uses only the standard 20 MHz channel. When this option is selected, the Channel drop-down menu is displayed instead of the Primary Channel and Secondary Channel drop-down menus.
• Channel: By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area. The available channels are the same as for 802.11g in Step 6.
• Wide - 40 MHz Channel: Specifies that the 802.11n radio uses only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel drop-down menus are displayed:
• Primary Channel: By default, this is set to Auto. Optionally, you can specify a primary channel. The available channels are the same as for 802.11a in Step 6.
• Secondary Channel: This drop-down menu is set to Auto regardless of the primary channel setting.
9 Optionally, select Enable Short Guard Interval to use a short guard interval of 400ns instead of the standard guard interval of 800ns. This setting is not selected by default.
NOTE: This option is not available if the 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.
A guard interval is a set amount of time between transmissions that ensures distinct transmissions do not interfere with one another; it gives immunity to propagation delays, echoes, and reflections. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference and rejects that data. The 802.11n standard specifies two guard intervals: 400ns (short) and 800ns (long). Enabling the short guard interval decreases network overhead by reducing idle time on each AP. A short guard interval of 400 nanoseconds (ns) works in most office environments, because distances between points of reflection, as well as between clients, are short and most reflections are received quickly. The shorter the guard interval, the more efficient the channel usage, but a shorter guard interval also increases the risk of interference. Some outdoor deployments may require the long guard interval of 800ns, which becomes more important as areas become larger, such as in warehouses and outdoor environments, because reflections and echoes are more likely to continue after the short guard interval would be over.
10 Optionally, to enable 802.11ac or 802.11n frame aggregation, which combines multiple frames to reduce overhead and increase throughput, select Enable Aggregation.
NOTE: This option is not available if the 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected.
Data over wireless networks are sent as a stream of packets known as data frames. Frame aggregation combines these packets into fewer, larger packets, thereby increasing overall performance. Frame aggregation was added to the 802.11n specification for this additional increase in performance. Only 802.11n clients can take advantage of it, because legacy systems cannot understand the format of the larger packets.
TIP: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions, where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, and so on), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
11 Select Enable MIMO to enable MIMO (multiple-input multiple-output). Enabling this option increases 802.11n throughput by using multiple-input/multiple-output antennas. This option is enabled by default for all 802.11n modes and is dimmed so that it cannot be disabled. If the 5GHz 802.11a Only or 2.4GHz 802.11g Only mode is selected, the option remains selected by default but becomes editable.
IMPORTANT: To avoid compatibility issues, ensure the 802.11a or 802.11g wireless client also supports multiple antennas. If it cannot, disable the option by deselecting it. Disabling MIMO may cause weaker signal strength and lower throughput for some wireless clients. If you do disable MIMO for compatibility, a confirmation message displays. Click OK to continue.
12 If you:
• Did not select a VAP, go to Wireless Security.
• Selected a VAP from the 802.11n Radio Virtual AP Group drop-down menu in the Virtual Access Point Settings section of the Settings tab, go to Virtual Access Point Encryption Settings.

Wireless Security

NOTE: If a VAP was selected in the 802.11n Radio Virtual AP Group drop-down menu on the Settings tab, this section is not available. Instead, the Virtual Access Point Encryption Settings section is displayed. Go to Virtual Access Point Encryption Settings.

1 In the Wireless Security section, select the method of authentication for your wireless network from the Authentication Type drop-down menu:
NOTE: The options available change with the type of configuration you select.

Authentication types
• WEP: WEP - Both (Open System & Shared Key); WEP - Open System; WEP - Shared Key. For WEP - Both (Open System & Shared Key) and WEP - Shared Key, go to WEP Configuration. For WEP - Open System, all options are dimmed, because the network carries no encryption at all; go to ACL Enforcement.
• WPA: WPA-PSK (the default); WPA-EAP. Go to WPA or WPA2 Configuration.
• WPA2: WPA2-PSK; WPA2-EAP; WPA2-AUTO-PSK; WPA2-AUTO-EAP. Go to WPA or WPA2 Configuration.

WEP Configuration

WEP (Wired Equivalent Privacy) is the original 802.11 encryption scheme. A WEP key is a shared secret that lets a group of devices on a local network exchange encoded messages while hiding their contents from casual viewing. You choose the WEP keys, and matching keys must be set on the access points and on every device connecting over Wi-Fi for them all to communicate.
CAUTION: WEP is cryptographically broken. Its RC4 keystream reuse lets an attacker who passively captures traffic recover the key in minutes with freely available tools, and Shared Key authentication additionally leaks keystream during the challenge exchange. Select WEP only for legacy clients that cannot be upgraded, isolate that SSID on its own zone with restricted access rules, and treat its traffic as unencrypted.
1 Select the size of the encryption key from the WEP Key Mode drop-down menu:
• None: Default for WEP - Both (Open System & Shared Key). If selected, the rest of the options in this section remain dimmed; go to ACL Enforcement.
• 64 bit
• 128 bit
• 152 bit: default for WEP - Shared Key
NOTE: The advertised key size includes the 24-bit initialization vector, so the secret you enter is shorter: 5 alphanumeric characters or 10 hexadecimal digits for 64 bit, 13 or 26 for 128 bit, and 16 or 32 for 152 bit.
2 From the Default Key drop-down menu, select which key is the default key, that is, the key that is tried first when authenticating a client:
• Key 1 (default)
• Key 2
• Key 3
• Key 4
3 From the Key Entry drop-down menu, select whether the key is:
• Alphanumeric (default)
• Hexadecimal (0-9, A-F)
4 In the Key 1 - Key 4 fields, enter up to four WEP encryption keys used when transferring encrypted wireless traffic. Enter the key most likely to be used in the field you selected as the default key.
NOTE: The length of each key is determined by the selected key type (alphanumeric or hexadecimal) and the WEP Key Mode (64, 128, or 152 bits).
• Key 1: First static WEP key associated with the key index.
• Key 2: Second static WEP key associated with the key index.
• Key 3: Third static WEP key associated with the key index.
• Key 4: Fourth static WEP key associated with the key index.
5 Go to ACL Enforcement.
WPA or WPA2 Configuration

NOTE: The options change depending on the authentication type selected.



1 From the EAPOL Version drop-down menu, select the version of EAPoL (Extensible Authentication Protocol over LAN) to use: v1 or v2. The default is v1, but v2 provides better security.
2 From the Cipher Type drop-down menu, select the cipher used to encrypt your wireless data:
• TKIP (older, more compatible): TKIP (Temporal Key Integrity Protocol) is not actually a cipher, but a set of security algorithms meant to improve the overall safety of WEP (Wired Equivalent Privacy) networks. WEP is widely known to have a host of serious security vulnerabilities. TKIP adds a few extra layers of protection to WEP.
• AES (newer, more secure; default): AES (Advanced Encryption Standard) is a set of ciphers designed to prevent attacks on wireless networks. AES is available in block ciphers of either 128, 192 or 256 bits depending on the hardware you intend to use with it. In the networking field, AES is considered to be among the most secure of all commonly installed encryption packages.
• Auto: the appliance chooses the cipher type automatically.
3 In the Group Key Interval (seconds) field, enter the period for which a Group Key is valid, that is, the time interval after which the encryption key is changed automatically for added security. The default value is 86400 seconds (24 hours). Setting too low a value can cause connection issues.
4 If, from the Authentication Type drop-down menu, you selected:
• a PSK authentication type, go to Step 5.
• an EAP authentication type, go to Radius Server Settings.
5 For PSK authentication types only, in the Passphrase field, enter the passphrase your network users must enter to gain network access.
NOTE: This option displays only if you configured WPA-PSK, WPA2-PSK, or WPA2-AUTO-PSK as your authentication type.
6 Go to ACL Enforcement.

Radius Server Settings

NOTE: This option displays only if you selected WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP as your authentication type.

Extensible Authentication Protocol (EAP) is available when using WPA or WPA2.
This solution uses an external 802.1X/EAP-capable RADIUS server for key generation. An EAP-compliant RADIUS server provides 802.1X authentication. The RADIUS server must be configured to support this authentication and all communications with the SonicWall.

1 In Radius Server Settings, click Configure. The SonicPoint Radius Server Global Settings dialog displays.
2 In the appropriate fields, enter the RADIUS server settings that you want. See Table .
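The following validator, an added example rather than GMS or SonicOS code, encodes the rules from the WEP Configuration, WPA or WPA2 Configuration and Radius Server Settings procedures above: which authentication types take a passphrase and which need a RADIUS server, the EAPOL version and cipher choices, and the dependency of WEP key length on key mode and entry type. The concrete key lengths (64 bit = 5 alphanumeric or 10 hex characters, 128 bit = 13 or 26, 152 bit = 16 or 32) and the 600-second "too low" threshold for the Group Key Interval are assumptions; the page only says the length depends on mode and entry type and that too low an interval causes connection issues.

```python
"""Validator for a SonicPoint radio security configuration (added example,
not GMS or SonicOS code). Option names follow the procedures above; the WEP
key-length table and the group-key sanity threshold are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

WEP_AUTH = {"WEP - Both (Open System & Shared Key)", "WEP - Open System", "WEP - Shared Key"}
PSK_AUTH = {"WPA-PSK", "WPA2-PSK", "WPA2-AUTO-PSK"}
EAP_AUTH = {"WPA-EAP", "WPA2-EAP", "WPA2-AUTO-EAP"}
# WEP Key Mode -> (alphanumeric length, hexadecimal length); assumed convention
WEP_KEY_LENGTHS = {"64 bit": (5, 10), "128 bit": (13, 26), "152 bit": (16, 32)}
MIN_SANE_GROUP_KEY_INTERVAL = 600  # assumed; the page gives only the 86400 s default


@dataclass
class RadioSecurity:
    auth_type: str
    wep_key_mode: str = "None"            # None, 64 bit, 128 bit, 152 bit
    default_key: int = 1                  # Key 1 .. Key 4
    key_entry: str = "Alphanumeric"       # or Hexadecimal
    wep_keys: List[Optional[str]] = field(default_factory=lambda: [None] * 4)
    eapol_version: str = "v1"             # v1 (default) or v2
    cipher: str = "AES"                   # TKIP, AES or Auto
    group_key_interval: int = 86400
    passphrase: Optional[str] = None      # PSK types only
    radius_server: Optional[str] = None   # EAP types only


def _check_wep(cfg: RadioSecurity, problems: List[str], warnings: List[str]) -> None:
    warnings.append("WEP has well-known serious weaknesses; prefer WPA2 with AES")
    if cfg.auth_type == "WEP - Open System" or cfg.wep_key_mode == "None":
        # No key material is configured for these combinations (options dimmed)
        if cfg.auth_type == "WEP - Shared Key":
            problems.append("WEP - Shared Key requires a WEP Key Mode of 64, 128 or 152 bit")
        return
    if cfg.wep_key_mode not in WEP_KEY_LENGTHS:
        problems.append(f"unknown WEP Key Mode {cfg.wep_key_mode!r}")
        return
    if not 1 <= cfg.default_key <= 4:
        problems.append("Default Key must be Key 1 .. Key 4")
        return
    if not cfg.wep_keys[cfg.default_key - 1]:
        problems.append(f"Key {cfg.default_key} is the default key but is empty")
    ascii_len, hex_len = WEP_KEY_LENGTHS[cfg.wep_key_mode]
    for idx, key in enumerate(cfg.wep_keys, start=1):
        if key is None:
            continue
        if cfg.key_entry == "Hexadecimal":
            if len(key) != hex_len or not re.fullmatch(r"[0-9A-Fa-f]+", key):
                problems.append(f"Key {idx}: expected {hex_len} hex digits for {cfg.wep_key_mode}")
        elif len(key) != ascii_len:
            problems.append(f"Key {idx}: expected {ascii_len} characters for {cfg.wep_key_mode}")


def _check_wpa(cfg: RadioSecurity, problems: List[str], warnings: List[str]) -> None:
    if cfg.eapol_version not in ("v1", "v2"):
        problems.append("EAPOL Version must be v1 or v2")
    elif cfg.eapol_version == "v1":
        warnings.append("EAPOL v1 is the default, but v2 provides better security")
    if cfg.cipher not in ("TKIP", "AES", "Auto"):
        problems.append("Cipher Type must be TKIP, AES or Auto")
    elif cfg.cipher != "AES":
        warnings.append(f"Cipher Type {cfg.cipher}: TKIP is a WEP-era option; AES is the secure default")
    if cfg.group_key_interval <= 0:
        problems.append("Group Key Interval must be a positive number of seconds")
    elif cfg.group_key_interval < MIN_SANE_GROUP_KEY_INTERVAL:
        warnings.append("Group Key Interval is very low; too low a value can cause connection issues")
    if cfg.auth_type in PSK_AUTH:
        if not cfg.passphrase:
            problems.append("PSK authentication requires a Passphrase")
        if cfg.radius_server:
            warnings.append("Radius Server Settings are not used for PSK authentication types")
    else:
        if not cfg.radius_server:
            problems.append("EAP authentication requires an 802.1X/EAP-capable RADIUS server")
        if cfg.passphrase:
            warnings.append("Passphrase is not used for EAP authentication types")


def validate(cfg: RadioSecurity):
    """Return (problems, warnings); no problems means the profile can be applied."""
    problems: List[str] = []
    warnings: List[str] = []
    if cfg.auth_type in WEP_AUTH:
        _check_wep(cfg, problems, warnings)
    elif cfg.auth_type in PSK_AUTH or cfg.auth_type in EAP_AUTH:
        _check_wpa(cfg, problems, warnings)
    else:
        problems.append(f"unknown Authentication Type {cfg.auth_type!r}")
    return problems, warnings
```

Run `validate()` over a profile before pushing it; anything in the warnings list (a WEP mode, TKIP, EAPOL v1) is a choice the page itself describes as the weaker option, so it is worth surfacing in a change review even though the profile is technically valid.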

Advanced tab

1 In the Advanced tab, configure the performance settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance.
NOTE: Except for two settings, the advanced settings are the same for both VAP and non-VAP profiles. The differences are noted in the procedure.

2 If you:
• Selected a VAP on the Settings tab, go to Step 3.
• Did not select a VAP on the Settings tab, optionally select Hide SSID in Beacon to have the SonicPoint send null SSID beacons in place of advertising the wireless SSID name. Sending null SSID beacons forces wireless clients to know the SSID in order to connect. This option is unchecked by default.
3 From the Schedule IDS Scan drop-down menu, select a schedule for the IDS (Intrusion Detection Service) scan. Select a time when there are fewer demands on the wireless network to schedule an IDS scan to minimize the inconvenience of dropped wireless connections. You can create your own schedule by selecting Create new schedule or disable the feature by selecting Disabled (default).
NOTE: IDS offers a wide selection of intrusion detection features to protect the network against wireless threats. This feature detects attacks against the WLAN infrastructure, which consists of authorized APs, the RF medium, and the wired network. An authorized or valid AP is defined as an AP that belongs to the WLAN infrastructure. The AP is either a SonicPoint or a third-party AP.
4 From the Data Rate drop-down menu, select the speed at which the data is transmitted and received (Table 2):
• Best (default)
• 6 Mbps
• 9 Mbps
• 12 Mbps
• 18 Mbps
• 24 Mbps
• 36 Mbps
• 48 Mbps
• 54 Mbps
Best automatically selects the best rate available in your area given interference and other factors. Best is the default and is the only choice if you selected a VAP on the Settings tab.
5 From the Transmit Power drop-down menu, select the transmission power, which affects the range of the SonicPoint:
• Full Power (default)
• Half (-3 dB)
• Quarter (-6 dB)
• Eighth (-9 dB)
• Minimum
6 From the Antenna Diversity drop-down menu, select Best, the default. The Antenna Diversity setting determines which antenna the SonicPoint uses to send and receive data. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal.
7 In the Beacon Interval (milliseconds) field, enter the number of milliseconds between wireless SSID beacon transmissions. Before a station enters power-save mode, it needs the beacon interval to know when to wake up to receive the beacon (and learn whether there are buffered frames at the access point). The minimum interval is 20 milliseconds, the maximum is 1000 milliseconds, and the default is 100 milliseconds.
8 In the DTIM Interval field, enter the interval, in milliseconds, between Delivery Traffic Indication Messages (DTIMs) in the beacon. This interval is the maximum number of beacon cycles before unacknowledged network broadcasts are flushed. When wireless clients use power management features to sleep, the client must wake at least once during the DTIM period to receive broadcasts. 802.11 power-save mode clients are alerted of incoming multicast packets. The minimum interval is 1 millisecond, the maximum is 255 milliseconds, and the default is 1 millisecond.
9 In the Fragmentation Threshold (bytes) field, enter the number of bytes of fragmented data you want the network to allow. The fragmentation threshold limits the maximum frame size. This reduces the time required to transmit the frame, and therefore reduces the probability that the frame will be corrupted (at the cost of more data overhead). Fragmented wireless frames increase reliability and throughput in areas with RF interference or poor wireless coverage. Lower threshold numbers produce more fragments. The minimum is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes.
10 In the RTS Threshold (bytes) field, enter the Request to Send (RTS) threshold in bytes. The RTS threshold specifies the frame size above which the transmitter must use RTS/CTS: wireless clients transmitting frames larger than this threshold must issue a Request to Send (RTS) and wait for the AP to respond with a Clear to Send (CTS). Fragmented wireless frames increase reliability and throughput in areas with RF interference or poor wireless coverage. This option not only avoids hidden node problems, but also helps prevent mid-air collisions between wireless clients that are in range of the same access point but not in range of each other, and so cannot detect when the other is transmitting. The minimum value is 256 bytes, the maximum is 2346 bytes, and the default is 2346 bytes (the default value used by many vendors). Lower threshold numbers produce more fragments.
11 In the Maximum Client Associations field, enter the maximum number of clients you want each SonicPoint using this profile to support on this radio at one time. The minimum is 1 client, the maximum is 128 clients, and the default is 32 clients.
12 In the Station Inactivity Timeout (seconds) field, enter the maximum length of wireless client inactivity, in seconds, before access points age out the wireless client. The minimum period is 60 seconds, the maximum is 36000 seconds, and the default is 300 seconds.
13 If you:
• Did not select a VAP on the Settings tab, go to Step 14.
• Selected a VAP on the Settings tab, from the Preamble Length drop-down menu, select the length of the preamble, the initial wireless communication sent when associating with a wireless host: Long or Short.
14 From the WMM (Wi-Fi Multimedia) drop-down menu, select whether a WMM profile is associated with this profile:
• Disabled (default)
• Create new WMM profile. The Add Wlan WMM Profile window displays.
• A configured WMM profile

When a SonicPoint unit is first connected and powered up, it has a factory default configuration (IP address 192.168.1.20, username: admin, password: password). Upon initializing, it attempts to find a SonicOS device with which to peer. If it is unable to find a peer SonicOS device, it enters a stand-alone mode of operation with a separate stand-alone configuration allowing it to operate as a standard Access Point. If the SonicPoint does locate, or is located by, a peer SonicOS device through the SonicWall Discovery Protocol, an encrypted exchange between the two units ensues wherein the profile assigned to the relevant Wireless zone is used to automatically configure (provision) the newly added SonicPoint unit. As part of the provisioning process, SonicOS assigns the discovered SonicPoint device a unique name, and it records its MAC address and the interface and zone on which it was discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS then uses the profile associated with the relevant zone to configure the 2.4GHz and 5GHz radio settings. Modifications to profiles do not affect units that have already been provisioned and are in an operational state.
Configuration changes to operational SonicPoint devices can occur in two ways:
• Via manual configuration changes – Appropriate when a single change, or a small set of changes, is to be effected, particularly when that individual SonicPoint requires settings that are different from the profile assigned to its zone.
• Via un-provisioning – Deleting a SonicPoint unit effectively un-provisions the unit, that is, clears its configuration and places it into a state where it automatically engages the provisioning process anew with its peer SonicOS device. This technique is useful when the profile for a zone is updated or changed, and the change is set for propagation. It can be used to update firmware on SonicPoints, or to simply and automatically update multiple SonicPoint units in a controlled fashion, rather than changing all peered SonicPoints at once, which can cause service disruptions.

Configuring a SonicPoint Profile for 802.11a or 802.11g

You can add any number of SonicPoint profiles. To configure a SonicPoint provisioning profile:
1 To add a new profile, click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click the edit icon in the same line as the profile you are editing.
2 In the General tab of the Add Profile window, specify:
• Enable SonicPoint: Check this to automatically enable each SonicPoint when it is provisioned with this profile.
• Retain Settings: Check this to have the SonicPointNs provisioned by this profile retain these settings after they are deleted and re-synchronized. Click Edit to specify the categories of settings that are retained.

• Enable RF Monitoring: Check this to enable RF monitoring on the SonicPoints.
• Name Prefix: Enter a prefix for the names of all SonicPoints connected to this zone. When each SonicPoint is provisioned it is given a name that consists of the name prefix and a unique number, for example: “SonicPoint 126008.”
• Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under.
• 802.11g Virtual AP Group and 802.11a Virtual AP Group: (optional; on SonicWall NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPoints to a VAP. This pull-down menu also allows you to create a new VAP group. For more information on VAPs, see Using and Configuring Virtual Access Points.
3 In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio:
• Enable 802.11g Radio: Check this to automatically enable the 802.11g radio bands on all SonicPoints provisioned with this profile.
• SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile. This is the name that appears in clients’ lists of available wireless connections.
NOTE: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
• Radio Mode: Select the speed of the wireless connection. You can choose 11Mbps - 802.11b, 54Mbps - 802.11g, or 108Mbps - Turbo G mode. If you choose Turbo mode, all users in your company must use wireless access cards that support turbo mode.
• Channel: Select the channel the radio operates on. The default is AutoChannel, which automatically selects the channel with the least interference. Use AutoChannel unless you have a specific reason to use or avoid specific channels.
• ACL Enforcement: Select this to enforce access control by allowing or denying traffic from specific devices. Select a MAC address group from the Allow List to automatically allow traffic from all devices with a MAC address in the group. Select a MAC address group from the Deny List to automatically deny traffic from all devices with a MAC address in the group. The Deny List is enforced before the Allow List.
• Authentication Type: Select the method of authentication for your wireless network. You can select WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK, or WPA2-AUTO-EAP.
• WEP Key Mode: Select the size of the encryption key.
• Default Key: Select which of the keys listed below is the default key, that is, the key tried first when authenticating a user.
• Key Entry: Select whether the key is alphanumeric or hexadecimal.
• Key 1 - Key 4: Enter the encryption keys for WEP encryption. Enter the key most likely to be used in the field you selected as the default key.
4 In the 802.11g Advanced tab, configure the performance settings for the 802.11g radio. For most 802.11g advanced options, the default settings give optimum performance.
• Hide SSID in Beacon: Check this option to have the SSID broadcast as part of the wireless beacon, rather than as a separate broadcast.
• Schedule IDS Scan: Select a time when there are fewer demands on the wireless network to schedule an Intrusion Detection Service (IDS) scan to minimize the inconvenience of dropped wireless connections.
• Data Rate: Select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate.
• Transmit Power: Select the transmission power. Transmission power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.
• Antenna Diversity: The Antenna Diversity setting determines which antenna the SonicPoint uses to send and receive data. You can select:
  • Best: This is the default setting. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
  • 1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the SonicPoint, antenna 1 is on the left, closest to the power supply.
  • 2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the console port.
• Beacon Interval (milliseconds): Enter the number of milliseconds between wireless beacon transmissions.
• DTIM Interval: Enter the interval in milliseconds.
• Fragmentation Threshold (bytes): Enter the number of bytes of fragmented data you want the network to allow.
• RTS Threshold (bytes): Enter the number of bytes.
• Maximum Client Associations: Enter the maximum number of clients you want the SonicPoint to support on this radio at one time.
• Preamble Length: Select the length of the preamble, the initial wireless communication sent when associating with a wireless host. You can select Long or Short.
• Protection Mode: Select the CTS or RTS protection. Select None, Always, or Auto. None is the default.
• Protection Rate: Select the speed for the CTS or RTS protection: 1 Mbps, 2 Mbps, 5 Mbps, or 11 Mbps.
• Protection Type: Select the type of protection, CTS-only or RTS-CTS.
• CCK OFDM Power Delta: Select the difference in radio transmit power you will allow between the 802.11b and 802.11g modes: 0 dBm, 1 dBm, or 2 dBm.
• Enable Short Slot Time: Allow clients to disassociate and reassociate more quickly.
• Allow Only 802.11g Clients to Connect: Use this if you are using Turbo G mode and therefore are not allowing 802.11b clients to connect.
5 Configure the settings in the 802.11a Radio and 802.11a Advanced tabs. These settings affect the operation of the 802.11a radio bands. The SonicPoint has two separate radios built in.
Therefore, it can send and receive on both the 802.11a and 802.11g bands at the same time. The settings in the 802.11a Radio and 802.11a Advanced tabs are similar to the settings in the 802.11g Radio and 802.11g Advanced tabs. Follow the instructions in step 3 and step 4 in this procedure to configure the 802.11a radio.
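The 802.11n Advanced tab procedure earlier in this section states a minimum, maximum and default for each numeric radio setting, and the 802.11g Advanced tab just above repeats the same fields without the limits. The validator below is an added example, not GMS or SonicOS code: it encodes those documented limits, the VAP-dependent rules (Data Rate locked to Best, Hide SSID in Beacon unavailable, Preamble Length only offered) and a helper that resets out-of-range values to the documented defaults. The attribute names are assumptions, not GUI labels or any GMS API.

```python
"""Range and dependency checks for a SonicPoint radio Advanced tab (added
example, not GMS or SonicOS code). Limits and defaults are the ones stated
in the 802.11n Advanced tab procedure; attribute names are assumptions."""
from dataclasses import dataclass, replace
from typing import List, Optional

# attribute -> (minimum, maximum, default), values from the 802.11n procedure
LIMITS = {
    "beacon_interval_ms": (20, 1000, 100),
    "dtim_interval": (1, 255, 1),
    "fragmentation_threshold": (256, 2346, 2346),
    "rts_threshold": (256, 2346, 2346),
    "max_client_associations": (1, 128, 32),
    "station_inactivity_timeout_s": (60, 36000, 300),
}
DATA_RATES = {"Best", "6 Mbps", "9 Mbps", "12 Mbps", "18 Mbps",
              "24 Mbps", "36 Mbps", "48 Mbps", "54 Mbps"}
TRANSMIT_POWER = {"Full Power", "Half (-3 dB)", "Quarter (-6 dB)", "Eighth (-9 dB)", "Minimum"}


@dataclass
class AdvancedRadio:
    vap_selected: bool = False             # a VAP was chosen on the Settings tab
    hide_ssid_in_beacon: bool = False      # non-VAP profiles only
    data_rate: str = "Best"                # must stay Best for VAP profiles
    transmit_power: str = "Full Power"
    preamble_length: Optional[str] = None  # Long or Short; VAP profiles only
    beacon_interval_ms: int = 100
    dtim_interval: int = 1
    fragmentation_threshold: int = 2346
    rts_threshold: int = 2346
    max_client_associations: int = 32
    station_inactivity_timeout_s: int = 300


def _out_of_range(value, low: int, high: int) -> bool:
    # bool is an int subclass, so reject it explicitly
    return not isinstance(value, int) or isinstance(value, bool) or not low <= value <= high


def validate_advanced(cfg: AdvancedRadio) -> List[str]:
    """Return a list of problems; empty means the profile is within documented limits."""
    problems: List[str] = []
    for name, (low, high, _default) in LIMITS.items():
        value = getattr(cfg, name)
        if _out_of_range(value, low, high):
            problems.append(f"{name}={value!r} is outside {low}..{high}")
    if cfg.data_rate not in DATA_RATES:
        problems.append(f"Data Rate {cfg.data_rate!r} is not a supported rate")
    elif cfg.vap_selected and cfg.data_rate != "Best":
        problems.append("Data Rate must be Best when a VAP is selected")
    if cfg.transmit_power not in TRANSMIT_POWER:
        problems.append(f"Transmit Power {cfg.transmit_power!r} is not a supported setting")
    if cfg.vap_selected and cfg.hide_ssid_in_beacon:
        problems.append("Hide SSID in Beacon is not available when a VAP is selected")
    if cfg.preamble_length is not None:
        if not cfg.vap_selected:
            problems.append("Preamble Length is only offered when a VAP is selected")
        elif cfg.preamble_length not in ("Long", "Short"):
            problems.append("Preamble Length must be Long or Short")
    return problems


def with_documented_defaults(cfg: AdvancedRadio) -> AdvancedRadio:
    """Copy cfg, resetting every numeric field that is out of range to its documented default."""
    fixes = {}
    for name, (low, high, default) in LIMITS.items():
        if _out_of_range(getattr(cfg, name), low, high):
            fixes[name] = default
    return replace(cfg, **fixes)
```

`with_documented_defaults` only touches the numeric fields, so a VAP profile with a non-Best data rate still fails `validate_advanced` afterwards; that is deliberate, since the choice of rate is a decision for the administrator rather than something to silently override.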

MANAGING SONICPOINTS

This section contains the following subsections:
• Modifying a SonicPoint Profile
• Updating SonicPoint Settings
• Updating SonicPoint Firmware
• SonicPoint N, SonicPoint NDR, SonicPoint AC States
• Automatic Provisioning (SDP & SSPP)
• Remote MAC Access Control for SonicPoints

Modifying a SonicPoint Profile

To modify (edit) a SonicPoint profile:
1 Navigate to the SonicPoint > SonicPoints page.
2 Click Edit for the SonicPoint N or SonicPoint NDR profile that you want to modify.
3 In the SonicPoint Profile Settings dialog, edit the profile settings as you wish.
4 Click OK. A warning message is displayed, informing you that all SonicPoint devices in the same zone are auto-provisioned.
5 Click OK.
6 After you click OK, all linked SonicPoint N devices are reprovisioned and rebooted.

Updating SonicPoint Settings

You can change the settings of any individual SonicPoint listed on the SonicPoint > SonicPoints page.

Topics:
• Synchronize SonicPoints
• Edit SonicPoint settings
• Enable and Disable Individual SonicPoints
• Disable All SonicPoints

Synchronize SonicPoints

Click Synchronize SonicPoints at the top of the SonicPoint > SonicPoints page to update the settings for each SonicPoint reported on the page. When you click Synchronize SonicPoints, GMS polls all connected SonicPoints and displays their updated settings on the page. GMS also attempts to detect newly connected SonicPoints that have not yet registered with the firewall.

Edit SonicPoint settings

To edit the settings of an individual SonicPoint:
1 Under SonicPoint Settings, click Edit in the same line as the SonicPoint you want to edit.
• In the Edit SonicPoint window, make the changes you want. For instructions on configuring these settings, see Configuring a SonicPoint ACe, ACi, or N2 Profile, Configuring a SonicPoint NDR Profile, or Configuring a SonicPointN Profile for 802.11n.
2 Click OK to apply these settings.

Enable and Disable Individual SonicPoints

You can enable or disable individual SonicPoints on the SonicPoint > SonicPoints page:
1 Check Enable to enable the SonicPoint; uncheck the box to disable it.
2 Click Apply at the top of the SonicPoint > SonicPoints page to apply this setting to the SonicPoint.
3 Click the SonicPoints option. GMS displays the SonicPoints dialog box.
4 Click Add. GMS displays the Add SonicPoint Profile dialog box containing a series of tabs.

Disable All SonicPoints

• Click Delete All above or below the table.

SONICPOINT WLAN SCHEDULING

GMS now supports scheduling activation of both 802.11a Radio and 802.11g Radio devices. To schedule these devices, complete the following steps:
1 Navigate to the Policies panel.
2 Select either a SonicPoint G or SonicPoint A device in the unit list.
3 In the Navigation Bar, click the SonicPoint menu to display SonicPoint options.
4 Click the SonicPoints option. GMS displays the SonicPoints dialog box.
5 Click on an existing SonicPoint device in the device list or click Add. GMS displays the SonicPoint Profile dialog box containing a series of tabs.
6 Click either the 802.11g Radio or 802.11a Radio tab, depending on which device you want to schedule.
7 Click on the Schedule list box at the top of the screen to the right of Enable. The following figure is an example of a scheduling list box (for 802.11g).

UPDATING SONICPOINT FIRMWARE

Not all GMS firmware contains an image of the SonicPoint firmware. To check, scroll to the bottom of the SonicPoint > SonicPoints page and look for the Synchronize link. If your SonicWall appliance has Internet connectivity, it automatically downloads the correct version of the SonicPoint image from the SonicWall server when you connect a SonicPoint device. If your SonicWall appliance does not have Internet access, or has access only through a proxy server, you must complete the following steps:
1 Download the SonicPoint image from http://www.mySonicWall.com (http://www.mysonicwall.com) to a local system with Internet access. You can download the SonicPoint image from one of the following locations:
• On the same page where you can download the GMS firmware
• On the Download Center page, by selecting SonicPoint in the Type drop-down menu
2 Load the SonicPoint image onto a local Web server that is reachable by your SonicWall appliance. You can change the file name of the SonicPoint image, but you should keep the extension intact (for example, .bin.sig).
3 In the GMS user interface on your SonicWall appliance, in the navigation pane, click System and then click Administration.
4 In the System > Administration screen, under Download URL, click Manually specify SonicPoint image URL to enable it.
5 In the text box, type the URL for the SonicPoint image file on your local Web server.
NOTE: When typing the URL for the SonicPoint image file, do NOT include “http://” in the text box.
6 Click Accept.

SonicPoint N, SonicPoint NDR, SonicPoint AC States

SonicPoint N, SonicPoint NDR, and SonicPoint AC devices can function in and report the following states (in all states listed as follows, SonicPoint refers to SonicPoint N, SonicPoint NDR, and SonicPoint AC devices):
• Initializing – The state when a SonicPoint starts up and advertises itself through SDP prior to entering an operational or stand-alone mode.
• Operational – After the SonicPoint has peered with a SonicOS device and has its configuration validated, it enters an operational state, and is ready for clients.
• Provisioning – If the SonicPoint configuration requires an update, the SonicOS device engages an SSPP channel to update the SonicPoint. During this brief process it enters the provisioning state.
• Safemode – Safemode can be engaged by depressing the reset button, or from the SonicOS peer device. Placing a SonicPoint into Safemode returns its configuration to defaults, disables the radios, and disables SDP. The SonicPoint must then be rebooted to enter either a stand-alone, or some other functional state.
• Non-Responsive – If a SonicOS device loses communications with a previously peered SonicPoint, it reports its state as non-responsive. It remains in this state until either communications are restored, or the SonicPoint is deleted from the SonicOS device’s table.
• Updating Firmware – If the SonicOS device detects that it has a firmware update available for a SonicPoint, it uses SSPP to update the SonicPoint’s firmware.
• Downloading Firmware – The SonicWall appliance is downloading new SonicPoint firmware from the configured URL, which can be customized by the administrator.
• Downloading Failed – The SonicWall appliance cannot download the SonicPoint firmware from the configured URL.
• Writing Firmware – While the SonicPoint is writing new firmware to its flash, the progress is displayed as a percentage in the SonicOS management interface in the SonicPoint status field.
• Over-Limit – By default, up to two SonicPoint devices can be attached to the Wireless zone interface. If more than two units are detected, the over-limit devices report an over-limit state, and do not enter an operational mode. The number can be reduced from two as needed.
• Rebooting – After a firmware or configuration update, the SonicPoint announces that it is about to reboot, and then does so.
• Firmware failed – If a firmware update fails, the SonicPoint reports the failure, and then reboots.
• Provision failed – In the unlikely event that a provision attempt from a SonicOS device fails, the SonicPoint reports the failure. So as not to enter into an endless loop, it can then be manually rebooted, manually reconfigured, or deleted and re-provisioned.
• Stand-alone Mode (not reported) – If a SonicPoint device cannot find or be found by a SonicOS device to peer with, it enters a stand-alone mode of operation. This engages the SonicPoint’s internal GUI (which is otherwise disabled) and allows it to be configured as a conventional Access Point. If at any time it is placed on the same layer 2 segment as a SonicOS device that is sending Discovery packets, it leaves stand-alone mode, and enters a managed mode. The stand-alone configuration is retained.

SONICPOINT AUTO PROVISIONING

Topics:
• Automatic Provisioning (SDP & SSPP)
• Enabling Auto Provisioning
• Enabling SonicPoint Auto-Provisioning for a WLAN Zone

Automatic Provisioning (SDP & SSPP)

The SonicWall Discovery Protocol (SDP) is a layer 2 protocol employed by SonicPoints and devices running SonicOS. SDP is the foundation for the automatic provisioning of SonicPoint units through the following messages:
• Advertisement – SonicPoint devices without a peer periodically and on startup announce or advertise themselves through a broadcast. The advertisement includes information that is used by the receiving SonicOS device to ascertain the state of the SonicPoint. The SonicOS device then reports the state of all peered SonicPoints, and takes configuration actions as needed.
• Discovery – SonicOS devices periodically send discovery request broadcasts to elicit responses from L2 connected SonicPoint units.
• Configure Directive – A unicast message from a SonicOS device to a specific SonicPoint unit to establish encryption keys for provisioning, and to set the parameters for and to engage configuration mode.
• Configure Acknowledgement – A unicast message from a SonicPoint to its peered SonicOS device acknowledging a Configure Directive.
• Keepalive – A unicast message from a SonicPoint to its peered SonicOS device used to validate the state of the SonicPoint.

If through the SDP exchange the SonicOS device ascertains that the SonicPoint requires provisioning or a configuration update (such as on calculating a checksum mismatch, or when a firmware update is available), the Configure Directive engages a 3DES encrypted, reliable TCP based SonicWall Simple Provisioning Protocol (SSPP) channel. The SonicOS device then sends the update to the SonicPoint through this channel, and the SonicPoint restarts with the updated configuration. State information is provided by the SonicPoint, and is viewable on the SonicOS device throughout the entire discovery and provisioning process.
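The states listed under SonicPoint N, SonicPoint NDR, SonicPoint AC States and the SDP messages above describe one controller-side state machine: an Advertisement (or a reply to Discovery) is compared against the zone profile and the held firmware image, a mismatch opens an SSPP update, and lost Keepalives end in Non-Responsive until the unit is deleted. The model below is an added example, not SonicOS or GMS code and not the SDP or SSPP wire format; the checksum and firmware strings, the keepalive miss limit and the `on_sspp_result` callback are constructed simplifications so the transitions the text describes can be exercised, and the default limit of two SonicPoints per zone is the one the states list gives.

```python
"""Controller-side state model of SonicPoint discovery (SDP) and
provisioning (SSPP). Added example: not SonicOS/GMS code and not the real
protocol encoding; checksums, firmware tags and the miss limit are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

PENDING = ("Initializing", "Over-Limit")  # not yet counted against the zone limit


@dataclass
class SonicPoint:
    mac: str
    state: str = "Initializing"
    config_checksum: str = ""   # reported in Advertisement/Keepalive (constructed)
    firmware: str = ""
    missed_keepalives: int = 0


@dataclass
class SonicOSPeer:
    profile_checksum: str          # checksum of the zone's provisioning profile
    firmware_available: str        # SonicPoint image the appliance holds
    max_sonicpoints: int = 2       # page: two per Wireless zone interface by default
    keepalive_miss_limit: int = 3  # assumed: misses before Non-Responsive
    points: Dict[str, SonicPoint] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _at_capacity(self) -> bool:
        active = sum(1 for p in self.points.values() if p.state not in PENDING)
        return active >= self.max_sonicpoints

    def _reconcile(self, sp: SonicPoint) -> str:
        # Decide whether a Configure Directive must open an SSPP channel
        if sp.firmware != self.firmware_available:
            sp.state = "Updating Firmware"
        elif sp.config_checksum != self.profile_checksum:
            sp.state = "Provisioning"
        else:
            sp.state = "Operational"
        self.log.append(f"{sp.mac}: {sp.state}")
        return sp.state

    def on_advertisement(self, mac: str, config_checksum: str, firmware: str) -> str:
        """SDP Advertisement (also what a Discovery broadcast elicits)."""
        sp = self.points.setdefault(mac, SonicPoint(mac))
        sp.config_checksum, sp.firmware, sp.missed_keepalives = config_checksum, firmware, 0
        if sp.state in PENDING and self._at_capacity():
            sp.state = "Over-Limit"   # detected, but never made operational
            return sp.state
        return self._reconcile(sp)

    def on_sspp_result(self, mac: str, success: bool) -> str:
        """Outcome of the SSPP update that the Configure Directive started."""
        sp = self.points[mac]
        if sp.state == "Updating Firmware":
            if success:
                sp.firmware, sp.state = self.firmware_available, "Rebooting"
            else:
                sp.state = "Firmware failed"
        elif sp.state == "Provisioning":
            if success:
                sp.config_checksum, sp.state = self.profile_checksum, "Rebooting"
            else:
                sp.state = "Provision failed"
        return sp.state

    def on_keepalive(self, mac: str, config_checksum: str) -> str:
        """Keepalive from a peered unit; a checksum mismatch re-triggers provisioning."""
        sp = self.points[mac]
        if sp.state == "Over-Limit":
            return sp.state            # not peered, so no keepalive is honoured
        sp.missed_keepalives = 0
        if sp.state == "Operational" and config_checksum == self.profile_checksum:
            return sp.state
        sp.config_checksum = config_checksum
        return self._reconcile(sp)

    def on_keepalive_missed(self, mac: str) -> str:
        sp = self.points[mac]
        sp.missed_keepalives += 1
        if sp.missed_keepalives >= self.keepalive_miss_limit:
            sp.state = "Non-Responsive"  # stays until communications resume or deletion
        return sp.state

    def delete(self, mac: str) -> None:
        """Un-provision: the unit re-enters discovery on its next Advertisement."""
        self.points.pop(mac, None)
```

Two details of the model follow the text directly: a Non-Responsive unit still counts against the zone limit until it is deleted, which is why deleting it is what lets an Over-Limit unit become Operational on its next Advertisement; and a profile change alone never touches an Operational unit, because reconciliation only happens when the unit reports a checksum that differs from the profile.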

Enabling Auto Provisioning

SonicPoint Auto Provisioning can be enabled to automatically provision the following wireless SonicPoint provisioning profiles:
• SonicPoint
• SonicPoint N
• SonicPoint NDR
• SonicPoint AC

Initial configuration of a wireless SonicPoint is provisioned from a SonicPoint profile that is attached to the wireless LAN managing zone. After a wireless SonicPoint is provisioned, the profile remains an offline configuration template that is not directly associated with any SonicPoint. So, modifying a profile does not automatically trigger a SonicPoint for reprovisioning. Before SonicPoint Auto Provisioning was introduced, administrators had to manually delete all SonicPoints, and then synchronize new SonicPoints to the profile, which was time consuming. To simplify configuration and ease management overhead, SonicPoint Auto Provisioning was introduced. Checkboxes to enable Auto Provisioning for each of the SonicPoint Provisioning Profiles are provided in the Network > Zones > Configure > Wireless configuration window. When the checkbox for a provisioning profile is checked and that profile is changed, all SonicPoint devices linked to that profile are reprovisioned and rebooted to the new operational state.

Topics:
• Enabling SonicPoint Auto-Provisioning for a WLAN Zone
• Remote MAC Access Control for SonicPoints

Enabling SonicPoint Auto-Provisioning for a WLAN Zone

To enable SonicPoint Auto Provisioning:
1 On the SonicWall Security Appliance, go to Network > Zones.
2 Click the Edit icon for a WLAN (or any other wireless) SonicPoint profile. The Edit Zone window displays.
3 Select the Wireless tab.
4 Under SonicPoint Settings, select Auto Provisioning for each of the SonicPoint Provisioning Profiles that you want to be auto provisioned.
5 Click OK.

Remote MAC Access Control for SonicPoints

CAUTION: You cannot enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled. If you try to enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled, you receive the following error message: Remote MAC address access control can not be set when IEEE 802.11i EAP is enabled.

Enable Remote MAC Access Control has been added for SonicPoints and for VAPs:

NOTE: Remote MAC Access Control is also supported for VAPs. See Remote MAC Access Control for SonicPoints. To enable Remote MAC Access Control on a SonicPoint: 1 Go to the SonicPoint > SonicPoints page. 2 Click one of the following buttons: • Add a new SonicPoint N Profile • Add a new SonicPoint NDR Profile • Add a new SonicPoint ACe/ACi/N2 Profile The Add/Edit SonicPoint Profile dialog appears. The Remote MAC Address Access Control Settings panel appears at the bottom of the dialog. SonicPoint N Profile Dialog

SonicPoint NDR and SonicPoint ACe/ACi/N2 Radio 0 Profile Dialog

SonicPoint NDR and SonicPoint ACe/ACi/N2 Radio 1 Profile Dialog

3 For SonicPoint N, click the 802.11n Radio tab. For SonicPoint NDR or SonicPoint ACe/ACi/N2, click the Radio 0 or Radio 1 tab.
4 Select Enable Remote MAC Access Control.
5 Click Configure. The Radius Server Settings appear.
6 In the appropriate fields, enter the RADIUS server settings that you want. For information on configuring the RADIUS server settings, see the SonicOS Administration Guide.
7 Click OK.

CAUTION: You cannot enable the Remote MAC address access control option at the same time that the IEEE 802.11i EAP is enabled. If you do, the following error message appears: Remote MAC address access control can not be set when IEEE 802.11i EAP is enabled.

Provisioning SSL VPN Server Information to SonicPoint N

To provision SSL VPN Server information to a SonicPoint N device:
1 Go to the SonicPoint > SonicPoints page.
2 Click one of the following buttons:
• Add a new SonicPoint N Profile
• Add a new SonicPoint NDR Profile
• Add a new SonicPoint ACe/ACi/N2 Profile
3 Under L3 SSLVPN Tunnel Settings, enter the SSL VPN Server, User Name, Password, and Domain.
4 Select the Auto Reconnect option.

To push the settings to the SonicPoint device, connect the SonicPoint device to SSL VPN Server through a Layer 2 connection.

Establishing an SSL VPN Tunnel to a Remote Network

If the remote network site supports DHCP, set the SonicPoint to the factory default settings and connect it to the network. The SonicPoint automatically gets the IP address and the Gateway from DHCP. The SSL VPN server information is saved when the factory default settings are in place. After the SonicPoint gets its DHCP lease, it connects to the remote SonicWall Gateway.

If the remote network site does not support DHCP, set the SonicPoint to the factory default settings and set the network parameters. Then the SonicPoint automatically connects to the remote SonicWall Gateway.

Viewing Station Status

Station Status allows the administrator to view status and individual statistics for all SonicPoint devices connected to the currently selected SonicWall firewall appliance.

EVENT AND STATISTICS REPORTING

The SonicPoint > Station Status page reports on the statistics of each SonicPoint. The table lists entries for each wireless client connected to each SonicPoint. The sections of the table are divided by SonicPoint. Under each SonicPoint is the list of all clients currently connected to it. Click Refresh in the top right corner to refresh the list. By default, the page displays the first 50 entries found. Click the First Page, Previous Page, Next Page, and Last Page icons to navigate if you need to view more than 50 entries.

Each SonicPoint device reports for both radios, and for each station, the following information to its SonicOS peer:
• MAC Address – The client’s (Station’s) hardware address.
• Station State – The state of the station. States can include:
  • None – No state information yet exists for the station.
  • Authenticated – The station has successfully authenticated.
  • Associated – The station is associated.
  • Joined – The station has joined the ESSID.
  • Connected – The station is connected (joined, authenticated or associated).
  • Up – An Access Point state, indicating that the Access Point is up and running.
  • Down – An Access Point state, indicating that the Access Point is not running.
• Associations – Total number of Associations since power up.
• Dis-Associations – Total number of Dis-Associations.
• Re-Associations – Total number of Re-Associations.
• Authentications – Number of Authentications.
• De-Authentications – Number of De-Authentications.
• Good Frames Received – Total number of good frames received.
• Good Frames Transmitted – Total number of good frames transmitted.
• Error in Receive Frames – Total number of error frames received.
• Error in Transmit Frames – Total number of error frames transmitted.
• Discarded Frames – Total number of frames discarded. Discarded frames are generally a sign of network congestion.
• Total Bytes Received – Total number of bytes received.
• Total Bytes Transmitted – Total number of bytes transmitted.
• Management Frames Received – Total number of Management frames received. Management Frames include:
  • Association request
  • Association response
  • Re-association request
  • Re-association response
  • Probe request
  • Probe response
  • Beacon frame
  • ATIM message
  • Disassociation
  • Authentication
  • De-authentication
• Management Frames Transmitted – Total number of Management frames transmitted.
• Control Frames Received – Total number of Control frames received. Control frames include:
  • RTS – Request to Send
  • CTS – Clear to Send
  • ACK – Positive Acknowledgement
• Control Frames Transmitted – Total number of Control frames transmitted.
• Data Frames Received – Total number of Data frames received.
• Data Frames Transmitted – Total number of Data frames transmitted.

Using and Configuring SonicPoint IDS

Intrusion Detection Services should be configured before using wireless access points.

DETECTING SONICPOINT ACCESS POINTS

You can have many wireless access points within reach of the signal of the SonicPoints on your network. The SonicPoint > IDS page reports on all access points the SonicWall security appliance can find by scanning the 802.11a and 802.11g radio bands.

WIRELESS INTRUSION DETECTION SERVICES

Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWall security appliance with SonicOS Enhanced by enabling it to recognize and even take countermeasures against the most common types of illicit wireless activity. IDS consists of three types of services, namely, Sequence Number Analysis, Association Flood Detection, and Rogue Access Point Detection. IDS logging and notification can be enabled under Log > Log Settings by selecting WLAN IDS under Log Categories and Alerts.

Intrusion Detection Settings

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this does not represent a deficiency in the security of a specific wireless device, it is a weakness in the overall security of wireless networks. The security appliance can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network. It accomplishes this in two ways: active scanning for access points on all 802.11a and 802.11g channels, and passive scanning (while in Access Point mode) for beaconing access points on a single channel of operation.

Scanning for Access Points

Active scanning occurs when the security appliance starts up, and at any time Scan Now is clicked on the SonicPoint > IDS page. When the security appliance executes a scan, a temporary interruption of wireless clients occurs for no more than a few seconds. This interruption manifests itself as follows:
• Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.
• Persistent connections (protocols such as FTP) are impaired or severed.
• WiFiSec connections should automatically re-establish and resume with no noticeable interruption to the client.

WARNING: If service disruption is a concern, it is recommended that the Scan Now feature not be used while the SonicWall security appliance is in Access Point mode until such a time that no clients are active, or the potential for disruption becomes acceptable.

Discovered Access Points

The Discovered Access Points table displays information on every access point that can be detected by the SonicPoint radio:

NOTE: This feature is only supported on SonicOS 5.8 or higher.

• SonicPoint: The SonicPoint that detected the access point.
• MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
• SSID: The radio SSID of the access point.
• Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz.
• Channel: The radio channel used by the access point.
• Manufacturer: The manufacturer of the access point. SonicPoints will show a manufacturer of either SonicWall or Senao.
• Signal Strength: The strength of the detected radio signal.
• Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.
• Authorize: Click the Authorize icon to add the access point to the address object group of authorized access points.

If you have more than one SonicPoint, you can select an individual device from the SonicPoint list to limit the Discovered Access Points table to display only scan results from that SonicPoint. Select All SonicPoints to display scan results from all SonicPoints.

Authorizing Access Points on Your Network

Access Points detected by the security appliance are regarded as rogues until they are identified to the security appliance as authorized for operation. To authorize an access point, it can be manually added to the Discovered Access Points list by clicking the Edit icon in the Authorize column and specifying its MAC address (BSSID) along with an optional comment. Alternatively, if an access point is discovered by the security appliance scanning feature, it can be added to the list by clicking the Authorize icon.

When a SonicPoint detects a non-SonicPoint access point, a table with the following information displays:

Discovered Access Points

• SonicPoint: The SonicPoint that detected the access point.
• MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
• SSID: The radio SSID of the access point.
• Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz.
• Channel: The radio channel used by the access point.
• Manufacturer: The manufacturer of the access point. SonicPoints will show a manufacturer of either SonicWall or Senao.
• Signal Strength: The strength of the detected radio signal.
• Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.
• Authorize: Adds the access point to the address object group of authorized access points.

Using and Configuring Virtual Access Points

A Virtual Access Point (VAP) is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when there is actually only a single physical AP.

Before Virtual AP feature support, wireless networks were relegated to a one-to-one relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. For example, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients. If Open or WPA-EAP were required, they would need to have been provided by separate, distinctly configured APs. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service.

With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer, each with a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This allows segmenting wireless network services within the single radio frequency footprint of a single physical access point device.

In SonicOS Enhanced 3.5, VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical SonicPoint access points simultaneously.

In GMS, you can configure VAPs on the Policies panel, SonicPoint > Virtual Access Point screen.

CONFIGURING VIRTUAL ACCESS POINT GROUPS

To add or configure VAP Groups:
1 On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2 Click Add Group. The Add Virtual Access Point Group dialog box displays.
3 Enter the VAP group name in the Virtual AP Group Name field.
4 In Available Virtual AP Objects, select the objects that should be in the VAP group, and then click the arrow button to move them to Member of Virtual AP Group.
5 To remove objects from the group, select them in the Member of Virtual AP Group field and then click the left arrow button to move them back to the Available list.
6 Click OK.
7 In the SonicPoint > Virtual Access Point screen, click Update.

CONFIGURING VIRTUAL ACCESS POINTS

To add or configure Virtual Access Points:
1 On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2 Click Add Virtual Access Point. The Add Virtual Access Point dialog box displays.
3 On the General tab, enter the SSID associated with the VAP. You can create a service set identifier (SSID) when creating a SonicPoint profile. Refer to SonicPoint Provisioning Profiles.
4 Select Enable Virtual Access Point. You can also deselect this check box to disable the VAP without deleting it completely.
5 To suppress the SSID, select Enable SSID Suppress.
6 Click the Advanced tab.
7 On the Advanced tab, configure the following:
• Profile Name: Select the VAP profile from the pull-down list.
• Radio Type: Select the radio type from the pull-down list.
• Authentication Type: Select the authentication type from the pull-down list.
• Unicast Cipher: Select the unicast cipher from the pull-down list.
• Multicast Cipher: Select the multicast cipher from the pull-down list.
• Maximum Clients: Enter the maximum number of clients.
8 Click OK.
9 In the SonicPoint > Virtual Access Point screen, click Update.

CONFIGURING VIRTUAL ACCESS POINT PROFILES

To add or configure VAP profiles:
1 On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2 Click Add Virtual Access Point Profile. The Add Virtual Access Point Profile dialog box displays.
3 Configure the following:
• Radio Type: Select the radio type from the pull-down list.
• Profile Name: Select the VAP profile from the pull-down list.
• Authentication Type: Select the authentication type from the pull-down list.
• Unicast Cipher: Select the unicast cipher from the pull-down list.
• Multicast Cipher: Select the multicast cipher from the pull-down list.
• Maximum Clients: Enter the maximum number of clients.
4 Click OK.
5 In the SonicPoint > Virtual Access Point screen, click Update.

Configuring the RF Monitor

Radio Frequency (RF) technology used in today’s 802.11-based wireless networking devices poses an attractive target for intruders. If left unmanaged, RF devices can leave your wireless (and wired) network open to a variety of outside threats, from Denial of Service (DoS) to network security breaches. To help secure your SonicPoint Wireless Access Point (AP) stations, SonicWall takes a closer look at these threats. By using direct RF monitoring, SonicWall helps detect threats without interrupting the current operation of your wireless or wired network.

SonicWall RF Monitoring provides real-time threat monitoring and management of SonicPoint radio frequency traffic. In addition to its real-time threat monitoring capabilities, SonicWall RF monitoring provides network administrators a system for centralized collection of RF threats and traffic statistics, offering a way to easily manage RF capabilities directly from the SonicWall security appliance gateway.

To configure the RF Monitor, complete the following steps:
1 Navigate to the SonicPoint > RF Monitoring page.
2 Enter an interval (in seconds) in the Management Interval text-field.
3 In the General Frame Settings, click Long Duration if a long monitoring duration is desired.
4 RF threat types are displayed, with a check box next to each. Click the check box next to the RF threat to enable/disable management of that threat:

Management Frame Settings

Clicking the check boxes enables/disables the following monitors.

Management Frame settings

• Total Management Threats: Displays the total number of management threats.
• Management Frame Flood: This variation on the DoS attack attempts to flood wireless access points with management frames (such as association or authentication requests), filling the management table with bogus requests.
• Null Probe Response: When a wireless client sends out a probe request, the attacker sends back a response with a Null SSID. This response causes many popular wireless cards and devices to stop responding.
• Broadcasting Deauthentication: This DoS variation sends a flood of spoofed deauthentication frames to wireless clients, forcing them to constantly de-authenticate and subsequently re-authenticate with an access point.
• Valid Station With Invalid SSID: In this attack, a rogue access point attempts to broadcast a trusted station ID (ESSID). Although the BSSID is often invalid, the station can still appear to clients as though it is a trusted access point. The goal of this attack is often to gain authentication information from a trusted client.
• Wellenreiter Detection: Wellenreiter and NetStumbler are two popular software applications used by attackers to retrieve information from surrounding wireless networks.
• Ad-Hoc Station Detection: Ad-Hoc stations are nodes which provide access to wireless clients by acting as a bridge between the actual access point and the user. Wireless users are often tricked into connecting to an Ad-Hoc station instead of the actual access point, as they might have the same SSID. This allows the Ad-Hoc station to intercept any wireless traffic that connected clients send to or receive from the access point.

Data Frame Settings

Clicking the check boxes enables/disables the following monitors.

Data Frame settings
• Total Data Threats: Displays the total number of data threats.
• Unassociated Station: When a wireless station attempts to authenticate prior to associating with an access point, the unassociated station can create a DoS by sending a flood of authentication requests to the access point while still unassociated.
• NetStumbler Detection: NetStumbler is typically used to locate both free Internet access and interesting networks. NetStumbler interfaces with a GPS receiver and mapping software to automatically map out locations of wireless networks.
• EAPOL Packet Flood: Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication mechanisms. Because these packets, like other authentication request packets, are received openly by wireless access points, a flood of these packets can result in DoS to your wireless network.
• Weak WEP IV: The WEP security mechanism uses your WEP key along with a randomly chosen 24-bit number known as an Initialization Vector (IV) to encrypt data. Network attackers often target this type of encryption because some of the random IV numbers are weaker than others, making it easier to recover your WEP key.

5 Click Update after you are finished configuring the RF Monitor settings.
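As an added example (not part of this guide or of GMS/SonicOS), the triage a defender applies to a Discovered Access Points scan from the IDS section: entries whose BSSID is in the authorized address object group are accepted, any other BSSID is a rogue, and a rogue that beacons one of your own SSIDs is flagged separately, since that is the Valid Station With Invalid SSID pattern from the Management Frame settings table. SonicPoint names, MAC addresses and SSIDs are constructed, and the row layout mirrors the table columns rather than any GMS export format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredAP:
    """One row of the Discovered Access Points table (constructed, not a GMS export format)."""
    sonicpoint: str        # the SonicPoint that detected the access point
    bssid: str             # MAC Address (BSSID) column
    ssid: str
    band: str              # Type column: "2.4 GHz" or "5 GHz"
    channel: int
    manufacturer: str
    signal_strength: int   # constructed unit (percent)
    max_rate_mbps: int


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_access_points(scan, authorized_bssids, trusted_ssids):
    """Split a scan into authorized, impersonating and rogue entries.

    authorized_bssids: the BSSIDs in the address object group of authorized
                       access points (what the Authorize icon adds to).
    trusted_ssids:     the SSIDs your own SonicPoints and VAPs advertise.
    An unauthorized BSSID advertising a trusted SSID is the evil-twin case the
    RF Monitor calls "Valid Station With Invalid SSID".
    """
    allowed = {norm_mac(m) for m in authorized_bssids}
    trusted = set(trusted_ssids)
    verdicts = {"authorized": [], "impersonating": [], "rogue": []}
    for ap in scan:
        if norm_mac(ap.bssid) in allowed:
            verdicts["authorized"].append(ap)
        elif ap.ssid in trusted:
            verdicts["impersonating"].append(ap)
        else:
            verdicts["rogue"].append(ap)
    return verdicts


def report(verdicts):
    """Human-readable lines, most urgent first, for a log entry or a ticket."""
    lines = []
    for kind in ("impersonating", "rogue", "authorized"):
        for ap in verdicts[kind]:
            lines.append(f"{kind:13} {norm_mac(ap.bssid)} ssid={ap.ssid!r} "
                         f"{ap.band} ch{ap.channel} seen by {ap.sonicpoint}")
    return lines


# Constructed scan: two of our SonicPoints, one twin of our SSID, one neighbour.
SAMPLE_SCAN = [
    DiscoveredAP("SP-Lobby", "02:17:C5:AA:BB:01", "CorpWiFi", "5 GHz", 36, "SonicWall", 90, 54),
    DiscoveredAP("SP-Lobby", "02:17:c5:aa:bb:02", "CorpWiFi", "2.4 GHz", 6, "SonicWall", 85, 54),
    DiscoveredAP("SP-Lobby", "02:de:ad:be:ef:01", "CorpWiFi", "2.4 GHz", 6, "Unknown", 40, 54),
    DiscoveredAP("SP-Lobby", "02:1a:2b:3c:4d:5e", "CoffeeShop", "2.4 GHz", 11, "Unknown", 20, 54),
]
AUTHORIZED_BSSIDS = ["02-17-C5-AA-BB-01", "02:17:c5:aa:bb:02"]   # constructed group
TRUSTED_SSIDS = {"CorpWiFi"}

if __name__ == "__main__":
    for line in report(classify_access_points(SAMPLE_SCAN, AUTHORIZED_BSSIDS, TRUSTED_SSIDS)):
        print(line)
```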

Configuring FairNet

The following sections describe SonicPoint FairNet policies in SonicWall SonicOS Enhanced to configure bandwidth limits for WLAN clients:
• SonicPoint FairNet Overview
• Configuring SonicPoint FairNet Bandwidth Limit Policies

SONICPOINT FAIRNET OVERVIEW

IEEE 802.11 wireless LAN is a half-duplex broadcast system, in which all wireless clients compete for the shared bandwidth. Ideally, wireless networks should provide fairness in bandwidth distribution to create a better user experience and maintain productivity and flexibility for all wireless traffic. With 802.11n technology, wireless LAN throughput can reach up to 300 Mbps to meet the high demand of performance and diversified timing-sensitive services. However, in 802.11n wireless LAN networks, wireless users still confront bandwidth issues when multiple users coexist. For example, because all bandwidth is shared by all associated wireless clients, a “bandwidth hog” (such as a VoIP or P2P user) might use most of the bandwidth and cause delays or network interruptions for low-bandwidth, HTTP users.

Given this, the SonicPoint FairNet feature is designed to provide an easy-to-use method for network administrators to control the bandwidth of associated wireless clients and ensure fairness among all of them. Administrators can configure SonicPoint FairNet bandwidth limits for all wireless users, for specific IP address ranges, or for individual clients to provide fairness as well as network efficiency.

SonicPoint FairNet is available for appliances running SonicOS 5.6 and higher.

CONFIGURING SONICPOINT FAIRNET BANDWIDTH LIMIT POLICIES

To configure SonicPoint FairNet, complete the following steps:
1 Navigate to the SonicPoint > FairNet page.
2 Select Enable FairNet.
3 Click Update at the left of the page.
4 Click Add New FairNet Policy to add a SonicPoint FairNet policy for an IP address or range of addresses. The Add FairNet Policy window displays.
5 By default the Enable Policy option is checked. Clear this check box to disable the FairNet policy.
6 In the Direction pull-down menu, select whether the bandwidth limits for the policy apply to clients uploading content, downloading content, or both directions:
• Both Directions
• Downlink (AP to Client)
• Uplink (Client to AP)
7 In the Start IP and End IP fields, specify the IP address range to which the policy applies.
TIP: The IP address range must be on a subnet that is configured for a WLAN interface.
8 In the Min Rate(kbps) field, enter the minimum bandwidth that clients are guaranteed.
9 In the Max Rate(kbps) field, enter the maximum bandwidth that clients are allowed.
10 In the Interface pull-down menu, select the WLAN interface that corresponds to the IP address range you configured. The menu lists all interfaces configured for the WLAN zone, except for W0.
11 Click OK.
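An added pre-flight check for the policy values entered in steps 6 to 10 (example code, not part of the guide or of GMS): it enforces the constraints the steps state, namely Start IP not above End IP, Min Rate not above Max Rate, an interface from the WLAN zone other than W0, and a range inside that interface's subnet as the TIP requires. The interface names and subnets in WLAN_INTERFACES are constructed, and the direction strings are the three menu entries from step 6.

```python
import ipaddress
from dataclasses import dataclass

# Constructed WLAN-zone interfaces (hypothetical names and subnets, not from the guide).
WLAN_INTERFACES = {
    "W0": ipaddress.ip_network("172.16.31.0/24"),
    "W0:V10": ipaddress.ip_network("172.16.32.0/24"),
    "X2": ipaddress.ip_network("10.20.0.0/23"),
}

# The Direction pull-down entries from step 6.
VALID_DIRECTIONS = {"Both Directions", "Downlink (AP to Client)", "Uplink (Client to AP)"}


@dataclass
class FairNetPolicy:
    """Fields of the Add FairNet Policy window, as typed by the administrator."""
    start_ip: str
    end_ip: str
    min_rate_kbps: int
    max_rate_kbps: int
    interface: str
    direction: str = "Both Directions"
    enabled: bool = True


def validate_fairnet_policy(policy, interfaces=WLAN_INTERFACES):
    """Return a list of problems; an empty list means the policy satisfies
    every constraint stated in the configuration steps."""
    problems = []
    if policy.direction not in VALID_DIRECTIONS:
        problems.append(f"unknown direction {policy.direction!r}")
    try:
        start = ipaddress.ip_address(policy.start_ip)
        end = ipaddress.ip_address(policy.end_ip)
    except ValueError as exc:
        return problems + [f"bad IP address: {exc}"]
    if start.version != end.version:
        return problems + ["Start IP and End IP are not the same IP version"]
    if start > end:
        problems.append("Start IP is greater than End IP")
    if policy.min_rate_kbps < 0 or policy.max_rate_kbps < 0:
        problems.append("rates must not be negative")
    if policy.min_rate_kbps > policy.max_rate_kbps:
        problems.append("Min Rate exceeds Max Rate")
    # Step 10: the Interface menu offers WLAN-zone interfaces except W0.
    if policy.interface == "W0":
        problems.append("W0 is not selectable as a FairNet interface")
    elif policy.interface not in interfaces:
        problems.append(f"{policy.interface} is not a WLAN zone interface")
    else:
        # TIP under step 7: the range must lie on the WLAN interface's subnet.
        subnet = interfaces[policy.interface]
        if start not in subnet or end not in subnet:
            problems.append(f"IP range is not within {policy.interface} subnet {subnet}")
    return problems


if __name__ == "__main__":
    # Constructed sample policies: one consistent, one with several mistakes.
    for p in (FairNetPolicy("172.16.32.10", "172.16.32.200", 256, 2048, "W0:V10"),
              FairNetPolicy("172.16.32.200", "172.16.32.10", 4096, 2048, "W0")):
        print(p, "->", validate_fairnet_policy(p) or "OK")
```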

Searching FairNet Policies

To search the configured FairNet policies, complete the following steps:
1 On the SonicPoint > FairNet page, go to the FairNet Policy Search section.
2 Select whether to search for the Start IP in the policy (the first IP address in the IP address range) or the End IP.
3 Select the type of search to complete: Equals, Starts with, Ends with, or Contains.
4 Enter an IP address or portion of an IP address to search for.
5 Click Search. FairNet policies that match the search are displayed.

Configuring Firewall Wireless Options

This section describes how to configure wireless connectivity options for wireless SonicWall appliances. It includes the following sections:
• Configuring General Wireless Settings
• Configuring Wireless Security Settings
• Configuring Advanced Wireless Settings
• Configuring MAC Filter List Settings
• Configuring Intrusion Detection Settings
• Configuring Wireless Virtual Access Points

Configuring General Wireless Settings

The Wireless > Settings page provides different options for SonicOS Enhanced and SonicOS Standard. The page for SonicOS Standard is shown in the following figure:

The page for SonicOS Enhanced is shown in the following figure:

The following sections describe how to configure general wireless settings:
• Configuring Access Point Radio Mode
• Configuring Wireless Client Bridge Radio Mode
• Wireless Radio Operating Schedule

CONFIGURING ACCESS POINT RADIO MODE

CAUTION: Changing the radio role from Access Point mode to Wireless Client Bridge mode disconnects any existing wireless clients.

To configure wireless settings for Access Point mode, complete the following steps:
1 Select a wireless SonicWall appliance.
2 Expand the Wireless tree and click Settings. The Settings page displays.
3 Select whether the SonicWall appliance will act as an Access Point or a Wireless Bridge from the Radio Role list box.
4 To enable wireless networking on this device, select Enable WLAN Radio.
5 For SonicOS Standard, configure Use Time Constraints to set hours of operation for this wireless device. For SonicOS Enhanced, select the schedule from the Schedule list box.
6 For SonicOS Standard only, optionally select SMA Enforcement and configure the Server Address and Server Port fields to add SMA enforcement to this wireless device.
7 For SonicOS Standard only, select WiFiSec Enforcement to enable WiFiSec security over this wireless device.
8 For SonicOS Standard only, if using WiFiSec Enforcement, you can choose to Require WiFiSec for Site-to-Site VPN Tunnel Traversal. This option is selected by default when enabling both SMA and WiFiSec simultaneously.
9 For SonicOS Standard only, if using WPA encryption, you can choose to Trust WPA traffic as WiFiSec.
10 For SonicOS Standard only, if using WiFiSec enforcement, you can choose Enable WiFiSec Service Exception List. With this check box selected, select a service from the list and click Add.
11 Enter the IP address and subnet mask of the Wireless LAN port in the WLAN IP Address and WLAN Subnet Mask fields.
12 Enter the Service Set Identifier (SSID) or wireless network name in the SSID field (maximum: 32 characters).
13 Select an applicable wireless Radio Mode from the list box.
14 Select an applicable Country Code from the list box.
15 Select a wireless channel to use from the Channel list box.
16 When you are finished, click Update.
The settings are changed for the selected SonicWall appliance. To clear all screen settings and start over, click Reset.

CONFIGURING WIRELESS CLIENT BRIDGE RADIO MODE

CAUTION: Changing the radio role from Access Point mode to Wireless Client Bridge mode disconnects any existing wireless clients.

To configure wireless settings for Wireless Client Bridge mode for SonicOS Standard, complete the following steps:
1 To enable wireless networking on this device, select Enable WLAN Radio.
2 For SonicOS Standard, configure Use Time Constraints to set hours of operation for this wireless device. For SonicOS Enhanced, select the schedule from the Schedule list box.
3 For SonicOS Standard only, select WiFiSec Enforcement to enable WiFiSec security over this wireless device.
4 Enter the Service Set Identifier (SSID) or wireless network name in the SSID field (maximum: 32 characters).
802.11d compliance is a regulatory domain update wherein physical and MAC layer signaling automatically behaves in accordance with geographic requirements for such settings as channels of operation and power. Access Points and wireless clients implement 802.11d differently. The Access Point can be thought of as the 802.11d provider: it either provides the 802.11d capability or not, and remains agnostic to the 802.11d capabilities of associated clients. The wireless client is in turn the 802.11d consumer: if the client is not 802.11d capable, it can associate with an Access Point regardless of the Access Point's 802.11d capabilities. If the client is 802.11d capable, it can generally operate in one of three 802.11d modes, which you can select from the 802.11d Compliance menu.
5 When you are finished, click Update.
The settings are changed for the selected SonicWall appliance. To clear all screen settings and start over, click Reset.

To configure wireless settings for Wireless Client Bridge mode in SonicOS Enhanced, complete the following steps:
1 Click the Radio Role drop-down menu, then select Wireless Client Bridge.
2 To enable wireless networking on this device, select Enable WLAN Radio.
3 Enter your Service Set Identifier (SSID) in the SSID text-field.
4 Click the Channel drop-down menu, then select the desired channel.
5 Select Enable Short Guard Interval to enable a higher Tx/Rx rate (if the client supports it). This option only applies to 802.11n mode.
6 Select Enable Aggregation to aggregate the wireless packets at Layer 2 for higher performance (if the client supports it). This option only applies to 802.11n mode.
7 Select Enable Wireless Client Connectivity Check and Auto Reconnect to periodically check the wireless client connectivity by pinging a user-defined IP address. If the connection is lost, the device reconnects automatically. Enter the target remote IP address to ping in the text-field.
8 Click the Antenna Diversity drop-down menu, then select one of the following:
• Best
• Antenna 1 (the antenna closest to the power supply)
• Antenna 2
9 Click the Transmit Power drop-down menu, then select one of the following:
• High
• Medium
• Low
• Lowest
10 Enter the desired fragmentation threshold (in bytes) in the Fragmentation Threshold text-field.
11 Enter the desired Request-to-Send (RTS) threshold (in bytes) in the RTS Threshold text-field.

WIRELESS RADIO OPERATING SCHEDULE

Wireless Schedule allows you to specify time periods of operation for the WLAN. This feature is available in the Wireless > Settings screen. In SonicOS Standard, it is available under the Use Time Constraints section; in SonicOS Enhanced, it is available as the Schedule pull-down list. At unit level, which of these is displayed depends on whether the unit runs SonicOS Standard or SonicOS Enhanced. At group level, both options are shown, with text in italics indicating which section applies to SonicOS Standard and which to SonicOS Enhanced.

Configuring Wireless Security Settings

This section describes how to configure wireless security settings. To configure the security settings, complete the following steps:
1 Select a wireless SonicWall appliance.
2 Expand the Wireless tree and click Security. The fields on this screen change depending on the Authentication Type you select.

WEP ENCRYPTION SETTINGS

Open-system authentication is the only method required by 802.11b. In open-system authentication, the SonicWall allows the wireless client access without verifying its identity. Shared-key authentication uses Wired Equivalent Privacy (WEP) and requires a shared key to be distributed to wireless clients before authentication is allowed. The SonicWall wireless security appliances provide the option of using Open System, Shared Key, or both when WEP is used to encrypt data. If Both Open System & Shared Key is selected, the Default Key assignments are not important as long as identical keys are used in each field. If Shared Key is selected, then the key assignment is important.

To configure WEP on the SonicWall, complete the following steps:
1 On the Policies panel, click Wireless, then Security.
2 Select a WEP authentication type from the Authentication Type list. Shared Key is selected by default.

WEP ENCRYPTION KEYS

If you selected Both (Open System & Shared Key) or Shared Key above, you must configure one or more keys and select the default. SonicOS supports the 802.11a and 802.11g standards, which include 64-bit, 128-bit, and 152-bit encryption for WEP. 1 Select the default key to use, 1, 2, 3, or 4, from the Default Key pull-down list. 2 Select the key type to be either Alphanumeric or Hexadecimal. The number of characters you enter is different for each because an alphanumeric (or ASCII) character contains 8 bits, and a hexadecimal character contains only 4 bits.

WEP Encryption Key Types

Key type        WEP - 64-bit                 WEP - 128-bit                WEP - 152-bit
Alphanumeric    5 characters (0-9, A-Z)      13 characters (0-9, A-Z)     16 characters (0-9, A-Z)
Hexadecimal     10 characters (0-9, A-F)     26 characters (0-9, A-F)     32 characters (0-9, A-F)

3 Type your keys into each field. 4 For each key, select 64-bit, 128-bit, or 152-bit from the pull-down list next to the Key field. 152-bit is the most secure. 5 Click Update.
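The character counts in the table follow from the 24-bit initialization vector that WEP prepends to the secret key: the nominal 64-, 128- and 152-bit sizes include that IV, so the secret you type is 40, 104 or 128 bits. The Python check below is an added example written for this guide, not GMS or SonicOS code; it derives the table from that accounting and validates a key entered in one of the key fields (the function names are this example's own, and case-insensitive hex is an assumption).

```python
import re

# 802.11 WEP prepends a 24-bit initialization vector (IV) to the secret key. The nominal
# "64-bit", "128-bit" and "152-bit" sizes count that IV, so the typed secret is 40, 104
# or 128 bits, which is what the character counts in the guide's table reflect.
WEP_IV_BITS = 24
WEP_KEY_SIZES = (64, 128, 152)

# Character sets as the guide lists them (hex is compared case-insensitively; assumption).
KEY_TYPE_ALPHABETS = {
    "alphanumeric": (8, re.compile(r"[0-9A-Z]+")),  # 8 bits per ASCII character
    "hexadecimal": (4, re.compile(r"[0-9A-F]+")),   # 4 bits per hex digit
}


def wep_key_lengths(bits):
    """Required key length in characters, per key type, for a nominal WEP key size."""
    if bits not in WEP_KEY_SIZES:
        raise ValueError(f"unsupported WEP key size: {bits}")
    secret_bits = bits - WEP_IV_BITS
    return {name: secret_bits // bits_per_char
            for name, (bits_per_char, _) in KEY_TYPE_ALPHABETS.items()}


def validate_wep_key(key, key_type, bits):
    """Return (ok, reason) for a key entered in one of the GMS key fields."""
    if key_type not in KEY_TYPE_ALPHABETS:
        return False, f"unknown key type {key_type!r}"
    bits_per_char, alphabet = KEY_TYPE_ALPHABETS[key_type]
    candidate = key.upper() if key_type == "hexadecimal" else key
    if not alphabet.fullmatch(candidate):
        return False, f"{key_type} key contains characters outside the allowed set"
    expected = wep_key_lengths(bits)[key_type]
    if len(candidate) != expected:
        return False, (f"{key_type} {bits}-bit key must be {expected} characters, "
                       f"got {len(candidate)}")
    return True, (f"{len(candidate) * bits_per_char}-bit secret plus "
                  f"{WEP_IV_BITS}-bit IV = {bits}-bit WEP")


if __name__ == "__main__":
    for size in WEP_KEY_SIZES:
        print(size, wep_key_lengths(size))
    print(validate_wep_key("0123456789abcdef0123456789", "hexadecimal", 128))
```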

WPA AND WPA2 ENCRYPTION SETTINGS

You can configure Wi-Fi Protected Access as WPA or WPA2 in GMS. Either of these provides better security than WEP. WPA and WPA2 support two protocols for storing and generating keys: • Extensible Authentication Protocol (EAP): EAP allows WPA/WPA2 to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework. • Pre-Shared Key (PSK): PSK allows WPA/WPA2 to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server. WPA EAP and WPA2 EAP support is only available in Access Point Mode. Bridge Mode supports WPA PSK and WPA2 PSK.

To configure WPA or WPA2 security on the SonicWall, complete the following steps: 1 On the Policies panel, click Wireless, then Security. 2 Under Encryption Mode, select a WPA or WPA2 authentication type from the Authentication Type list. You can choose from the following authentication types: • WPA-PSK • WPA-EAP • WPA2-PSK • WPA2-EAP • WPA2-AUTO-PSK • WPA2-AUTO-EAP The screen changes to display the configurable fields. The same configuration fields are displayed for all authentication types that employ PSK, and the same configuration fields are displayed for all authentication types that employ EAP.

WPA AND WPA2 SETTINGS For both PSK and EAP authentication types, the fields under WPA Settings are the same. To configure the WPA Settings fields: 1 Select which EAPOL Version to support. EAPOL is Extensible Authentication Protocol (EAP) over LAN. EAPOL Version v2 provides better security, but might not be supported by some wireless clients. 2 Select one of the following in the Cipher Type pull-down list: • TKIP - Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis. • AES - Advanced Encryption Standard (AES) is a block cipher adopted as an encryption standard in 2002. It is widely used in symmetric key cryptography. • Auto - Allows the SonicWall to automatically select either TKIP or AES. 3 Select one of the following to determine when to update the key in the Group Key Update pull-down list: • By Timeout - Generates a new group key after an interval specified in seconds. • Disabled - Uses a static key that is never regenerated. 4 If you selected By Timeout, enter the number of seconds before WPA or WPA2 automatically generates a new group key into the Interval field.

PRESHARED KEY SETTINGS (PSK) For all authentication types involving PSK, complete the following steps: 1 Type the passphrase from which the key is generated into the Passphrase field. 2 Do one of the following: • To apply the settings, click Update. • To clear all screen settings and start over, click Reset.

EXTENSIBLE AUTHENTICATION PROTOCOL (EAP) SETTINGS For all authentication types involving EAP, the lower part of the screen displays fields for RADIUS configuration.

For all authentication types involving EAP, complete the following steps: 1 Enter the desired number of RADIUS server retries in the Radius Server Retries text-field. 2 Enter the retry interval (in seconds) in the Retry Interval text-field. 3 Type the IP address of the primary RADIUS server into the Radius Server 1 IP field. 4 Type the port number used to communicate with the primary RADIUS server into the Port field. 5 Type the shared secret for access to the primary RADIUS server into the Radius Server 1 Secret field. 6 Type the IP address of the secondary RADIUS server into the Radius Server 2 IP field. 7 Type the port number used to communicate with the secondary RADIUS server into the Port field. 8 Type the shared secret for access to the secondary RADIUS server into the Radius Server 2 Secret field. 9 Do one of the following: • To apply the settings, click Update. • To clear all screen settings and start over, click Reset.

Configuring Advanced Wireless Settings NOTE: When the appliance is configured for Wireless Client Bridge mode, only a subset of the options on the Wireless > Advanced page are applicable. The other settings are inherited from the access point to which you are bridging. This section describes how to configure advanced wireless settings for both SonicOS Standard and SonicOS Enhanced. To do this, complete the following steps: 1 Select a wireless SonicWall appliance. 2 Expand the Wireless tree and click Advanced. The Advanced screen displays. NOTE: The Wireless > Advanced page provides different options for SonicOS Standard and SonicOS Enhanced. Also, SonicOS Standard 3.8 displays six more fields than earlier versions of SonicOS Standard. SonicOS Standard:

The SonicOS Enhanced page has different fields than those in SonicOS Standard.

3 Select Hide SSID in Beacon. If you select Hide SSID in Beacon, your wireless network is invisible to anyone who does not know your SSID. This is a good way to prevent “drive by hackers” from seeing your wireless connection. NOTE: This provides marginal security as Probe Responses and other 802.11 frames contain the SSID. 4 Enter how often (in milliseconds) a beacon will be sent in the Beacon Interval field. Decreasing the interval time makes passive scanning more reliable and faster because Beacon frames announce the network to the wireless connection more frequently. 5 To specify the maximum number of wireless clients, enter the limit in the Maximum Client Associations field. Wireless clients are devices that attempt to access the wireless SonicWall appliance. 6 Select the following Advanced Radio Settings: • The Antenna Diversity setting determines which antenna the SonicWall Wireless uses to send and receive data. You can select: • Best: This is the default setting. When Best is selected, the SonicWall Wireless automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting. • 1: Select 1 to restrict the SonicWall Wireless to use antenna 1 only. Facing the rear of the SonicWall, antenna 1 is on the left, closest to the console port. You can disconnect antenna 2 when using only antenna 1. • 2: Select 2 to restrict the SonicWall Wireless to use antenna 2 only. Facing the rear of the SonicWall, antenna 2 is on the right, closest to the power supply. You can disconnect antenna 1 when using only antenna 2. • Select Full Power from the Transmit Power menu to send the strongest signal on the WLAN. For example, select Full Power if the signal is going from building to building. Half is recommended for office to office within a building, and Quarter or Eighth is recommended for shorter distance communications. • Select Short or Long from the Preamble Length menu. 
Short is recommended for efficiency and improved throughput on the wireless network. • The Fragmentation Threshold (bytes) is 2346 by default. Increasing the value means that frames are delivered with less overhead but a lost or damaged frame must be discarded and retransmitted. • The RTS Threshold (bytes) is 2432 by default. If network throughput is slow or a large number of frame retransmissions is occurring, decrease the RTS threshold to enable RTS clearing. • The default value for the DTIM Interval is three. Increasing the DTIM Interval value allows you to conserve power more effectively. • The Association/Station Timeout (seconds) is 300 seconds by default. If your network is very busy, you can increase the timeout by increasing the number of seconds in this field. • For SonicOS Standard 3.8 and above, select the wireless transmission rate from the Data Rate pull-down list. You can select Best or a value between 1 and 54 megabits per second (Mbps). The default is Best. • For SonicOS Standard 3.8 and above, in the Protection Mode pull-down list, select None, Always or Auto. Use Always or Auto to prevent transmission frame collisions when you have multiple wireless nodes. • For SonicOS Standard 3.8 and above, in the Protection Rate pull-down list, select 1Mbps, 2Mbps, 5Mbps or 11Mbps. The Protection Rate specifies the transmission rate for the Request-To-Send (RTS) and Clear-To-Send (CTS) frames. The default is 11 Mbps. • For SonicOS Standard 3.8 and above, in the Protection Type pull-down list, select RTS-CTS or CTS-only. RTS-CTS is the mechanism used by the 802.11 wireless networking protocol to reduce frame collisions. The node wishing to transmit data sends an RTS frame. The destination node replies with a CTS frame. Other wireless nodes within range refrain from sending data for a specified time to avoid collisions. The default is CTS-only. • For SonicOS Standard 3.8 and above, select Enable Short Slot Time to minimize the time to wait before transmitting. 
Slot time is the time required for a transmission to reach the destination. The default is to enable a short slot time. 7 When you are finished, click Update. The settings are changed for the selected SonicWall appliance. To clear all screen settings and start over, click Reset.

Configuring MAC Filter List Settings Wireless SonicWall appliances can allow or block wireless devices based on their MAC addresses. To configure the MAC filter list, complete the following steps: 1 Select a wireless SonicWall appliance, a group, or the global icon. 2 Expand the Wireless tree and click MAC Filter List. The MAC Filter List screen displays. NOTE: The MAC Filter List provides different options in SonicOS Standard and SonicOS Enhanced.

SonicOS Enhanced provides pull-down lists for the Allow and Deny lists.

3 To enable the MAC filter list for the selected device(s), select Enable MAC Filter List. 4 For SonicOS Standard, to add a MAC address to the filter list, enter the address in the MAC Address List field, check either Allow or Block, and add any comments to the Comment field. 5 Click Add MAC Address. The scheduler displays. 6 Expand Schedule by clicking the plus icon. 7 Select Immediate or specify a future date and time. 8 Click Accept. 9 Repeat these steps for each MAC address that you want to add in SonicOS Standard. 10 When you are finished, click Update. The settings are changed for the selected SonicWall appliance(s). To clear all screen settings and start over, click Reset. 11 For SonicOS Enhanced only, select one of the options from the Allow List and Deny List list boxes. 12 Click Update. The scheduler displays. 13 Expand Schedule by clicking the plus icon. 14 Select Immediate or specify a future date and time. 15 Click Accept.

Configuring Intrusion Detection Settings The Intrusion Detection System (IDS) greatly increases the security capabilities of the SonicWall security appliance by enabling it to recognize and even take countermeasures against the most common types of illicit wireless activity. IDS consists of three types of services, namely, Sequence Number Analysis, Association Flood Detection, and Rogue Access Point Detection. This section describes how to configure group level and unit level intrusion detection settings (IDS) for wireless SonicWall appliances.

VIEWING THE WIRELESS > IDS PAGE The Wireless > IDS page can be viewed at a group or unit level, depending on the model or appliance selected in the left navigational management interface. Group Level View This view does not display the detected wireless access points, but offers a link to schedule a Rogue Access Point report. To access the group level view, select a group of appliances from the list.

Unit Level View This view displays all the wireless access points detected by the SonicWall security appliance and information about each discovered access point. To access the unit level view, select an appliance from the Model View list.

CONFIGURING WIRELESS INTRUSION DETECTION SYSTEM SETTINGS To configure the Wireless > IDS settings, complete the following steps: At Group level 1 Navigate to the Wireless > IDS page. 2 Select an appliance Group from the Model View list.

3 Select Enable Client Null Probing Detection to enable client null probe detection. 4 Select Enable Association Flood Detection. Hackers can cause a Denial-of-Service (DoS) attack by flooding a wireless network with association requests. The Enable Association Flood Detection option combats this. a The default association flood threshold is 10 association attempts within five seconds. To change this setting, enter new flood threshold values. b To block the MAC address of a computer or device attempting this attack, select the Block station's MAC address in response to an association flood field. At Unit level 1 Navigate to the Wireless > IDS page. 2 Select a Unit from the Model View list.

To access a network, hackers can set up a rogue access point that intercepts communications with legitimate users attempting to access a legitimate access point. This “man-in-the-middle” attack can expose passwords and other network resources. 3 To enable detection of Rogue Access Points, select Enable Rogue Access Point Detection. 4 Click the Authorized Access Points pull-down and select an access point from the list. 5 Click Update. To put the IDS settings back to default, click Reset. NOTE: IDS logging and notification can be enabled under Log > Log Settings by selecting the WLAN IDS check boxes under the Categories section.
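The association flood detection described above (default threshold of 10 association attempts within five seconds, with the option to block the offending station's MAC address) can be illustrated with a sliding-window detector run over association log lines. The Python below is an added example, not the appliance's implementation: per-station counting and the log line format are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Defaults stated in the guide: 10 association attempts within five seconds.
DEFAULT_THRESHOLD = 10
DEFAULT_WINDOW_SECONDS = 5.0


class AssociationFloodDetector:
    """Sliding-window counter of association requests per station.

    Per-station accounting is an assumption made here: the guide gives only the
    threshold and the countermeasure (blocking the station's MAC address).
    """

    def __init__(self, threshold=DEFAULT_THRESHOLD, window_seconds=DEFAULT_WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window_seconds
        self.attempts = defaultdict(deque)  # station MAC -> request timestamps still in window
        self.blocked = set()

    def observe(self, station, ts):
        """Record one association request at epoch time `ts`; return an alert dict or None."""
        if station in self.blocked:
            return None  # already blocked: further requests from this MAC are dropped
        q = self.attempts[station]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire requests older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(station)
            return {"station": station, "attempts": len(q), "window_s": self.window, "at": ts}
        return None


def parse_assoc_line(line):
    """Parse a constructed log line of the form '<ISO-8601 time> assoc_req sta=<mac>'."""
    parts = line.split()
    if len(parts) != 3 or parts[1] != "assoc_req" or not parts[2].startswith("sta="):
        return None
    return datetime.fromisoformat(parts[0]).timestamp(), parts[2][4:].lower()


def scan_log(lines, threshold=DEFAULT_THRESHOLD, window_seconds=DEFAULT_WINDOW_SECONDS):
    """Replay association log lines in time order; return (alerts, blocked station MACs)."""
    events = [e for e in map(parse_assoc_line, lines) if e is not None]
    events.sort()
    detector = AssociationFloodDetector(threshold, window_seconds)
    alerts = []
    for ts, station in events:
        alert = detector.observe(station, ts)
        if alert is not None:
            alerts.append(alert)
    return alerts, sorted(detector.blocked)


# Constructed sample log: one client associates normally; a second station sends
# twelve association requests 0.3 s apart. All addresses are made up.
SAMPLE_LOG = (
    ["2024-05-01T10:00:00.000 assoc_req sta=AA:BB:CC:00:00:01",
     "2024-05-01T10:00:03.000 assoc_req sta=AA:BB:CC:00:00:01",
     "2024-05-01T10:00:30.000 assoc_req sta=AA:BB:CC:00:00:01"]
    + [f"2024-05-01T10:00:{1.0 + 0.3 * i:06.3f} assoc_req sta=DE:AD:BE:EF:00:01"
       for i in range(12)]
)

if __name__ == "__main__":
    found, blocked = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"association flood from {a['station']}: "
              f"{a['attempts']} requests within {a['window_s']} s")
    print("blocked stations:", blocked)
```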

AUTHORIZED ACCESS POINTS In the Group level view, you can specify authorized access points for SonicOS Standard and Enhanced. To enter authorized access points, complete the following steps:

SonicOS Standard In SonicOS Standard only, to prevent rogue access points, you must specify each authorized access point within the network. 1 Enter the MAC address of an access point in the MAC Address (BSSID) field. 2 Enter a comment about the access point. 3 Click Add. The Modify Task Description and Schedule pop-up window displays.

4 Enter a Description. 5 Select a Schedule: • Default • Immediate • At: (select a custom date and time) 6 Click Update. To clear all screen settings and start over, click Reset. SonicOS Enhanced For SonicOS Enhanced only, to authorize access points: 1 Select one of the options from the Authorized Access Points pull-down list. 2 Click Update. To clear all screen settings and start over, click Reset.

DISCOVERING ACCESS POINTS

You can have many wireless access points within reach of the signal of the wireless appliance on your network. The Wireless > IDS page reports on all access points the SonicWall security appliance can find by scanning the 802.11a, 802.11g, and 802.11n radio bands. This section details the steps to configure your Discovered Access Point settings. NOTE: Wireless Discovered Access Points is supported on SonicOS Enhanced 5.6 or higher firmware.



Requesting Discovered Access Points You can use a wireless appliance to discover information about access points. 1 Navigate to the Wireless > IDS page.

2 Click the link for Request Discovered Access Points Information from Firewall. The Modify Task Description and Schedule pop-up window displays.

3 Enter a Description. 4 Select a Schedule: • Default • Immediate • At: (select a custom date and time) 5 Click Accept. The discovered access points populate in the Discovered Access Points list.

Searching for Discovered Access Points The Wireless > IDS page offers a search feature to filter the list of discovered access points. To search for a discovered access point, complete the following steps: NOTE: The search feature is only available at unit level.



1 Navigate to the Wireless > IDS page. 2 In the Discovered Access Points Search panel, complete the following steps:

a Click the Search pull-down lists. b Select MAC Address (BSSID), SSID, or Manufacturer. c Select Equals, Starts With, Ends With, or Contains. d Enter a value in the text-box. e Click Search.

Scanning Access Points Active scanning occurs when the security appliance starts up, and at any time Scan Now is clicked on the Wireless > IDS page. When the security appliance executes a scan, a temporary interruption of wireless clients occurs for no more than a few seconds. This interruption manifests itself as follows: • Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects. • Persistent connections (protocols such as FTP) are impaired or severed. • WiFiSec connections should automatically re-establish and resume with no noticeable interruption to the client. WARNING: If service disruption is a concern, it is recommended that the Scan Now feature not be used while the SonicWall security appliance is in Access Point mode until such a time that no clients are active, or the potential for disruption becomes acceptable. Scanning for Access Points 1 Navigate to the Wireless > IDS page.

2 Click Scan Now... A warning message displays.

3 Click OK. The Modify Task Description and Schedule pop-up window displays.

4 Enter a Description. 5 Select a Schedule: • Default • Immediate • At: (select a custom date and time) 6 Click Accept. Viewing the Discovered Access Points List The Discovered Access Points list displays information on every access point that is detected by the wireless radio:

Discovered Access Points

Column                 Description
MAC Address (BSSID)    The MAC address of the radio interface of the detected access point.
SSID                   The radio SSID of the access point.
Channel                The radio channel used by the access point.
Manufacturer           The manufacturer of the access point. SonicPoints will show a manufacturer of either SonicWall or Senao.
Signal Strength        The strength of the detected radio signal.
Secure                 This lock icon shows if the connection from the access point is secured or not. If the locked icon is present, the access point has a secured connection.
Max Rate               The strength of the detected radio signal.
Authorize              Adds the access point to the address object group of authorized access points.

Authorizing Access Points on Your Network Access Points detected by the security appliance are regarded as rogues until they are identified to the security appliance as authorized for operation. To authorize an access point, complete the following steps: 1 In the Discovered Access Points list, locate the desired Rogue Access Point and click the Edit icon in the Authorize column.

The Edit pop-up window displays.

2 Click OK. NOTE: To unauthorize an access point, remove it from the “Address Object Group of Authorized Access Points.”

SCHEDULING ROGUE ACCESS POINTS REPORTING Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this does not represent a deficiency in the security of a specific wireless device, it is a weakness to the overall security of wireless networks. The security appliance can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network. It accomplishes this in two ways: active scanning for access points on all 802.11a, 802.11g, and 802.11n channels, and passive scanning (while in Access Point mode) for beaconing access points on a single channel of operation. To schedule a Rogue Access Point report, click the Schedule Rogue Access Point Report link located at the bottom of the Wireless > IDS page. This redirects you to the Universal Scheduled Reports > Configuration Manager page, where you can schedule the Rogue Access Point report in the Policies tab. Rogue Access Point reporting is not supported at Global level, only Group and Unit levels. Refer to Using the Universal Scheduled Reports Application for details on configuring Universal Scheduled Reports. NOTE: Wireless Rogue Access Point Reporting is supported on SonicOS Enhanced 5.6 or higher firmware.
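The rule the guide states is simple: a discovered access point is a rogue until it is in the authorized list. The Python below is an added example, not the appliance's own logic, that applies that rule to rows shaped like the Discovered Access Points table and then ranks the rogues for a report; the sub-classification (an unauthorized AP advertising one of your own SSIDs is the man-in-the-middle case described above, an open rogue is the non-secure channel case) is this example's own refinement, and all sample values are constructed.

```python
from dataclasses import dataclass

# Severity order used to sort the rogue report (highest first).
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class DiscoveredAP:
    """One row of the Discovered Access Points list (columns as in the guide's table)."""
    bssid: str
    ssid: str
    channel: int
    manufacturer: str
    signal_strength: int  # percent; the unit is a constructed assumption
    secure: bool          # the lock icon in the guide's table
    max_rate: int         # Mbps; assumed


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so list membership ignores formatting."""
    return mac.strip().lower().replace("-", ":")


def classify_access_points(discovered, authorized_bssids, own_ssids):
    """Label each discovered AP. Anything outside the authorized list is a rogue (the
    guide's rule); the severity split among rogues is an added refinement."""
    authorized = {normalize_mac(m) for m in authorized_bssids}
    own = set(own_ssids)
    findings = []
    for ap in discovered:
        bssid = normalize_mac(ap.bssid)
        if bssid in authorized:
            verdict, severity = "authorized", "info"
        elif ap.ssid in own:
            # An unauthorized radio advertising our SSID is the man-in-the-middle case.
            verdict, severity = "rogue: advertises one of our SSIDs", "high"
        elif not ap.secure:
            # Open rogue: clients that join it send data over a non-secure channel.
            verdict, severity = "rogue: open network", "medium"
        else:
            verdict, severity = "rogue", "low"
        findings.append({"bssid": bssid, "ssid": ap.ssid, "channel": ap.channel,
                         "verdict": verdict, "severity": severity})
    return findings


def rogue_report(discovered, authorized_bssids, own_ssids):
    """Only the rogues, most severe first: what a scheduled report should lead with."""
    rogues = [f for f in classify_access_points(discovered, authorized_bssids, own_ssids)
              if f["severity"] != "info"]
    return sorted(rogues, key=lambda f: (SEVERITY_RANK[f["severity"]], f["bssid"]))


# Constructed scan results and authorized list; locally administered (02:...) addresses
# are used so that no real vendor prefix appears.
SAMPLE_SCAN = [
    DiscoveredAP("02:AA:00:00:00:01", "CORP-WLAN", 6, "SonicWall", 80, True, 54),
    DiscoveredAP("02:AA:00:00:00:02", "CORP-GUEST", 6, "SonicWall", 78, True, 54),
    DiscoveredAP("02:BB:00:00:00:01", "CORP-WLAN", 11, "Other", 65, True, 54),
    DiscoveredAP("02:CC:00:00:00:01", "FreeWifi", 1, "Other", 40, False, 11),
    DiscoveredAP("02:DD:00:00:00:01", "NeighborNet", 36, "Other", 20, True, 54),
]
AUTHORIZED_BSSIDS = ["02:aa:00:00:00:01", "02-AA-00-00-00-02"]  # mixed formats on purpose
OWN_SSIDS = ["CORP-WLAN", "CORP-GUEST"]

if __name__ == "__main__":
    for f in rogue_report(SAMPLE_SCAN, AUTHORIZED_BSSIDS, OWN_SSIDS):
        print(f"[{f['severity']:6}] {f['bssid']} ch{f['channel']:<3} "
              f"{f['ssid']!r}: {f['verdict']}")
```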



Configuring Wireless Virtual Access Points A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when in actuality there is only a single physical AP. The following are required areas of configuration for VAP deployment: 1 Zone - The zone is the backbone of your VAP configuration. Each zone you create has its own security and access control settings and you can create and apply multiple zones to a single physical interface by way of Wireless Subnets. 2 Wireless Interface - The W0 interface (and its WLAN subnets) represent the physical connections between the SonicWall firewall appliance and the internal wireless radio. Individual zone settings are applied to these interfaces and forwarded to the wireless radio. 3 DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes.” The default ranges for DHCP scopes are often excessive for the needs of most wireless deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted. 4 Virtual Access Point Profile - The VAP Profile feature allows for creation of wireless configuration profiles which can be easily applied to new wireless Virtual Access Points as needed. 5 Virtual Access Point - The VAP Objects feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings. 6 Virtual Access Point Group - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to a single internal wireless radio. 7 Assign VAP Group to Internal Wireless Radio - The VAP Group is applied to the internal wireless radio and made available to users through multiple SSIDs.

SEARCHING FOR VIRTUAL ACCESS POINT OBJECTS You can search the configured Virtual Access Point Objects in GMS using several attributes of the VAP configuration. To do so, complete the following steps: 1 Navigate to the Wireless > Virtual Access Points page. 2 In the Virtual Access Objects Search section, select the attribute for which you want to search: Attributes

Attribute         Search types
Name/SSID         Equals, Starts with, Ends with, Contains
Authentication    Equals
Cipher            Equals
Max Clients       =, >, >=, <, <=, !=
SSID Suppress?    = yes, = no
Enabled?          = yes, = no

3 Click Search. Any matching VAPs on the appliance are displayed.

CONFIGURING VIRTUAL ACCESS POINT GROUPS The Virtual Access Point Groups feature is available on SonicWall NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your internal wireless radio. Virtual Access Point Groups are configured from the Wireless > Virtual Access Point page. After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio. The default group is called Internal AP Group.

CONFIGURING VIRTUAL ACCESS POINTS To configure a Virtual Access Point, complete the following steps: 1 Navigate to the Wireless > Virtual Access Points page.

2 Click Add Virtual Access Point.

3 For the SSID, enter a friendly name for your VAP. 4 Select a Subnet Name to associate this VAP with. Settings for this VAP will be inherited from the subnet you select from this list. 5 Select Enable Virtual Access Point to enable the VAP. 6 Select Enable SSID Suppress to suppress broadcasting of the SSID name and disable responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients. Clients have to know the SSID name ahead of time and manually enter it to connect to the VAP. 7 Click on the Advanced tab to configure additional options.

8 Select the VAP Schedule Name to configure when the VAP is enabled. 9 The Radio Type is set to Wireless-Internal-Radio by default. Retain this default setting if using the internal radio for VAP access (currently the only supported radio type). 10 Enter a Profile Name to set a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs. 11 Select an Authentication Type. Below is a list of available authentication types with descriptive features and uses for each: • Open: In open-system authentication, the SonicWall allows the wireless client access without verifying its identity. • Shared: Uses WEP and requires a shared key to be distributed to wireless clients before authentication is allowed. • Both: (Open System & Shared Key.) The Default Key assignments are not important as long as the identical keys are used in each field. If Shared Key is selected, then the key assignment is important. • WPA-PSK: WPA is more secure than an open network, but not as secure as WPA2. PSK allows WPA to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server. • WPA-EAP: EAP allows WPA to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework. • WPA2-PSK: WPA2 is the strongest security. • WPA2-EAP: WPA2 with EAP. • WPA2-Auto-PSK: First attempts to connect using WPA2-PSK security, but defaults back to WPA-PSK if the client is not WPA2 capable. • WPA2-AUTO-EAP: First attempts to connect using WPA2-EAP security, but defaults back to WPA-PSK if the client is not WPA2 capable. 12 The Unicast Cipher is automatically chosen based on the authentication type. 
13 The Multicast Cipher is automatically chosen based on the authentication type. 14 Enter a value for Maximum Clients to set the maximum number of concurrent client connections permissible for this virtual access point. 15 Select whether to Allow 802.11b Clients to connect. 16 Select Enable MAC Filter List to filter which MAC addresses are or are not allowed to connect to the VAP. You have two options for configuring the MAC filter list: • Select Use Global ACL Settings, or • Select an Address Object Group for the Allow List and/or the Deny List. 17 Click OK.

Virtual Access Point Profiles A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allows settings to be easily applied to new Virtual Access Points. This feature is especially useful for quick setup in situations where multiple virtual access points share the same authentication methods. To configure a Virtual Access Point Profile, complete the following steps: 1 Navigate to the Wireless > Virtual Access Points page. 2 Click Add Virtual Access Point Profile.

3 Select the VAP Schedule Name to configure when the VAP is enabled. 4 The Radio Type is set to Wireless-Internal-Radio by default. Retain this default setting if using the internal radio for VAP access (currently the only supported radio type) 5 Enter a Profile Name to set a friendly name for this VAP Profile. Choose something descriptive and easy to remember as you will later apply this profile to new VAPs. 6 Select an Authentication Type. The following is a list of available authentication types with descriptive features and uses for each: • Open: In open-system authentication, the SonicWall allows the wireless client access without verifying its identity. • Shared: Uses WEP and requires a shared key to be distributed to wireless clients before authentication is allowed. • Both: (Open System & Shared Key.) The Default Key assignments are not important as long as the identical keys are used in each field. If Shared Key is selected, then the key assignment is important. • WPA-PSK: WPA is more secure than an open network, but not as secure as WPA2. PSK allows WPA to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server. • WPA-EAP: EAP allows WPA to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework. • WPA2-PSK: WPA2 is the strongest security. • WPA2-EAP: WPA2 with EAP. • WPA2-Auto-PSK: First attempts to connect using WPA2-PSK security, but defaults back to WPA-PSK if the client is not WPA2 capable. • WPA2-AUTO-EAP: First attempts to connect using WPA2-EAP security, but defaults back to WPA-PSK if the client is not WPA2 capable. 7 The Unicast Cipher is automatically chosen based on the authentication type. 
8 The Multicast Cipher is automatically chosen based on the authentication type. 9 Enter a value for Maximum Clients to set the maximum number of concurrent client connections permissible for this virtual access point. 10 Select whether to Allow 802.11b Clients to connect. 11 Select Enable MAC Filter List to filter which MAC addresses are or are not allowed to connect to the VAP. You have two options for configuring the MAC filter list: • Select Use Global ACL Settings, or • Select an Address Object Group for the Allow List and/or the Deny List. 12 Click OK.

Configuring Firewall Access Rules This describes how to configure Access Rules and App Control policies for SonicWall firewalls from SonicWall™ Global Management System (GMS). This includes the following: • Configuring Access Rules • App Control Overview • Configuring App Rules • Configuring App Control Advanced Policies • Configuring Address Objects • Configuring Match Objects • Configuring Action Objects • Configuring Service Objects • Configuring Bandwidth Objects • Configuring Email Address Objects • Configuring Content Filter Objects • Use Cases

Configuring Access Rules To configure rules for SonicOS Enhanced, the service or service group that the rule applies to must first be defined. If it is not, you can define the service or service group and then create one or more rules for it. The following procedure describes how to add, modify, reset to defaults, or delete firewall rules for GMS firewall appliances running SonicOS Enhanced. For appliances running SonicOS Enhanced, GMS supports paginated navigation and sorting by column header on the Access Rules screen. In the Access Rules table, you can click the column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table. By hovering your mouse over entries on the Access Rules screen, you can display information about an object, such as an Address Object or Service. IPv6 is supported for Access Rules. Search for IPv6 Access Rules in the Access Rules Search section. A list of results displays in a table.

From there you can click the Configure icon for the Access Rule you want to edit. The IPv6 configuration for Access Rules is almost identical to IPv4. To configure an access rule, complete the following steps: 1 Select the global icon, a group, or a GMS appliance. 2 Expand the Firewall tree and click Access Rules. The Access Rules page displays. The Firewall > Access Rules page enables you to select multiple views of Access Rules. 3 From the Access Rules View, click the Edit icon for the source and destination interfaces for which you will configure a rule. The Access Rules table for that interface pair displays. 4 From the Access Rules table, click Add. The Add Policy dialog box displays.

5 Click the Action tab.
6 Select whether access to this service is allowed or denied.
NOTE: If a policy has a “No-Edit” policy action, the Action radio buttons are not editable.
7 Click the Zone tab.
8 Select the Source and Destination zones from the Source and Destination menus.
9 Click the Service tab.
10 Select a service object from the Service list box. If the service does not exist, refer to Configuring Service Objects.
11 Click the Address tab.
12 Select the source network Address Object from the Source list box.
13 Select the destination network Address Object from the Destination list box.
14 Click the User tab.
15 Specify if this rule applies to all users or to an individual user or group in the Users Included list box.
16 Click the Schedule tab.
17 Specify when the rule will be applied by selecting a schedule or Schedule Group from the Schedule list box. If the rule is always applied, select Always on. If the schedule does not exist, refer to Configuring Schedules.
18 Click the Action tab.
19 To enable logging for this rule, select Enable Logging.
20 Check Allow Fragmented Packets to allow fragmented packets.
CAUTION: Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. You should only enable Allow Fragmented Packets if users are experiencing problems accessing certain applications and the SonicWall logs show many dropped fragmented packets.
21 Check Enable flow reporting to allow flow reporting.
22 Check Enable packet monitor to allow packets to be monitored.
23 (optional) Click Enable Management. If this option is enabled, both management and non-management traffic is allowed.
24 Add any comments to the Comment field.
25 Click the Advanced tab.

26 Specify how long (in minutes) TCP connections might remain idle before the connection is terminated in the TCP Connectivity Inactivity Timeout (minutes) field.
27 Specify how long (in seconds) UDP connections might remain idle before the connection is terminated in the UDP Connectivity Inactivity Timeout (seconds) field.
28 Specify the percentage of the maximum connections this rule is to allow in the Number of connections allowed (% of maximum connections) field.
29 Set a limit for the maximum number of connections allowed per source IP Address by selecting Enable connection limit for each Source IP Address and entering the value in the Threshold field. (Only available for Allow rules.)
30 To disable Deep Packet Inspection (DPI) scanning on a per-rule basis, select Disable DPI. This option is not selected by default.
31 Click the QoS tab. For information on configuring the QoS tab, refer to Configuring Quality of Service Mapping.
32 Click the Bandwidth tab. The Bandwidth page displays.

33 GMS appliances can manage inbound and outbound traffic on the primary WAN interface using bandwidth management.
34 To enable outbound bandwidth management for this service, select Enable Outbound Bandwidth Management.
a Enter the amount of bandwidth that is always available to this service in the Guaranteed Bandwidth field, and select either % or Kbps in the pull-down list. Keep in mind that this bandwidth is permanently assigned to this service and not available to other services, regardless of the amount of bandwidth this service does or does not use.
b Enter the maximum amount of bandwidth that is available to this service in the Maximum Bandwidth field.
c Select the priority of this service from the Bandwidth Priority list box. Select a priority from 0 (highest) to 7 (lowest).
35 To enable inbound bandwidth management for this service, select Enable Inbound Bandwidth Management.
a Enter the amount of bandwidth that is always available to this service in the Guaranteed Bandwidth field, and select either % or Kbps in the pull-down list. Keep in mind that this bandwidth is permanently assigned to this service and not available to other services, regardless of the amount of bandwidth this service does or does not use.
b Enter the maximum amount of bandwidth that is available to this service in the Maximum Bandwidth field.
c Select the priority of this service from the Bandwidth Priority list box. Select a priority from 0 (highest) to 7 (lowest).
NOTE: In order to configure bandwidth management for this service, bandwidth management must be enabled on the GMS appliance. For information on configuring bandwidth management in SonicOS Standard, refer to Configuring Ethernet Settings. For SonicOS Enhanced, refer to Overview of Interfaces.
36 To track bandwidth usage for this service, select Enable Tracking Bandwidth Usage.
37 To add this rule to the rule list, click OK. You are returned to the Access Rules page.
38 If the network access rules have been modified or deleted, you can restore the Default Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic and allow all outbound IP traffic. To restore the network access rules to their default settings, click Restore Rules to Defaults and then click Update. A task is scheduled to update the rules page for each selected GMS appliance.
39 To modify a rule, click its Edit icon. The Add/Modify Rule dialog box displays. When you are finished making changes, click OK. GMS creates a task that modifies the rule for each selected GMS appliance.
40 To enable logging for a rule, select Logging.
41 To disable a rule without deleting it, deselect Enable.
42 To delete a rule, click its trash can icon. GMS creates a task that deletes the rule for each selected GMS appliance.
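The access-rule procedure above names several settings that deserve review before a rule goes live: Allow Fragmented Packets (blocked by default because of DoS abuse), Disable DPI, logging left off, Enable Management, the per-source connection limit that only Allow rules offer, and the Bandwidth tab values (priority 0 to 7, % or Kbps, guaranteed bandwidth that stays reserved whether used or not). The following audit script is an added example, not GMS or SonicOS code; the rule dictionaries are a constructed stand-in for the Add Policy dialog fields, not an export format GMS produces, and the 100% over-commit check assumes the interface offers 100% in total.

```python
"""Audit a list of access rules for the risky or invalid settings the
Add Policy dialog exposes. Added example; the rule dictionaries below are a
constructed representation of the dialog's fields, not GMS data."""
from typing import Any, Dict, List

VALID_UNITS = {"%", "Kbps"}     # Guaranteed/Maximum bandwidth units
PRIORITY_RANGE = range(0, 8)    # Bandwidth Priority: 0 (highest) to 7 (lowest)


def audit_rule(rule: Dict[str, Any]) -> List[str]:
    """Return findings for one rule; an empty list means nothing to report."""
    findings: List[str] = []
    name = rule["name"]

    # Fragmented packets are blocked by default because some DoS attacks
    # use them; allowing them should be a deliberate, logged exception.
    if rule.get("allow_fragmented_packets"):
        findings.append(f"{name}: Allow Fragmented Packets is enabled")

    # Disable DPI removes application-layer inspection for matching traffic.
    if rule.get("disable_dpi"):
        findings.append(f"{name}: Disable DPI is set; traffic bypasses inspection")

    # A rule that is not logged leaves no record of what it matched.
    if not rule.get("enable_logging", False):
        findings.append(f"{name}: Enable Logging is off")

    # Enable Management lets management traffic through as well.
    if rule.get("enable_management"):
        findings.append(f"{name}: Enable Management permits management traffic")

    # Per-source connection limits are only available on Allow rules.
    limit = rule.get("connection_limit_per_source")
    if rule["action"] == "Allow" and limit is None:
        findings.append(f"{name}: Allow rule has no per-source connection limit")
    if rule["action"] == "Deny" and limit is not None:
        findings.append(f"{name}: connection limit is only valid on Allow rules")

    # The Default Rules block all inbound IP traffic, so an inbound Allow
    # rule is a deviation from the defaults worth reviewing.
    if rule["action"] == "Allow" and rule["source_zone"] == "WAN":
        findings.append(f"{name}: allows inbound traffic from WAN")

    # Bandwidth tab: validate units, priority range and guaranteed <= maximum.
    for direction in ("outbound_bwm", "inbound_bwm"):
        bwm = rule.get(direction)
        if not bwm:
            continue
        if bwm["unit"] not in VALID_UNITS:
            findings.append(f"{name}: {direction} unit must be % or Kbps")
        if bwm["priority"] not in PRIORITY_RANGE:
            findings.append(f"{name}: {direction} priority must be 0-7")
        if bwm["guaranteed"] > bwm["maximum"]:
            findings.append(f"{name}: {direction} guaranteed exceeds maximum")
    return findings


def audit_rules(rules: List[Dict[str, Any]]) -> List[str]:
    """Audit every rule, then check guaranteed bandwidth (in %) across rules.
    Assumption (not stated in the guide): the interface offers 100% in total,
    and because guaranteed bandwidth stays reserved whether or not the service
    uses it, the reservations must sum to at most 100% per direction."""
    findings: List[str] = []
    for rule in rules:
        findings.extend(audit_rule(rule))
    for direction in ("outbound_bwm", "inbound_bwm"):
        total = sum(r[direction]["guaranteed"] for r in rules
                    if r.get(direction) and r[direction]["unit"] == "%")
        if total > 100:
            findings.append(f"{direction}: guaranteed bandwidth over-committed ({total}%)")
    return findings


# Constructed sample rules (not taken from any real appliance).
SAMPLE_RULES = [
    {"name": "LAN->WAN web", "action": "Allow", "source_zone": "LAN",
     "dest_zone": "WAN", "service": "HTTP", "enable_logging": True,
     "connection_limit_per_source": 200,
     "outbound_bwm": {"guaranteed": 60, "maximum": 100, "unit": "%", "priority": 2}},
    {"name": "LAN->WAN voip", "action": "Allow", "source_zone": "LAN",
     "dest_zone": "WAN", "service": "SIP", "enable_logging": True,
     "connection_limit_per_source": 50, "allow_fragmented_packets": True,
     "outbound_bwm": {"guaranteed": 50, "maximum": 100, "unit": "%", "priority": 0}},
    {"name": "WAN->DMZ mail", "action": "Allow", "source_zone": "WAN",
     "dest_zone": "DMZ", "service": "SMTP", "enable_logging": False,
     "disable_dpi": True},
]

if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES):
        print(line)
```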

App Control Overview

App Control utilizes SonicOS Deep Packet Inspection to scan application layer network traffic as it passes through the gateway and locate content that matches configured applications. When a match is found, App Control does the configured action. App Control allows you to set policy rules for application signatures. As a set of application-specific policies, App Control gives you granular control over network traffic on the level of users, email users, schedules, and IP subnets. The primary functionality of this application-layer access control feature is to block, log, or manage bandwidth consumption of Web based applications, Web browsing, file transfer, email, and email attachments.

There are two ways to create App Control policies using SonicWall GMS. You can configure App Control policies on the Firewall > App Rules page or on Firewall > App Control Advanced.

• Firewall > App Rules – The App Rules page provides a way to create a targeted App Control policy using match objects, action objects, or email address objects. These objects allow you to be very specific about what to look for in the traffic and provide a number of ways to control it, including bandwidth management and custom actions. App Rules policies can define the type of applications to scan, the traffic direction, the content or keywords to match, the user or domain to match, and the action to complete. For ease of use, you can create App Rules policies for any of the categories, applications, or signatures that are also available on the Firewall > App Control Advanced page.
• Firewall > App Control Advanced – The Advanced page provides a simple and direct way of configuring global App Control policies. A Firewall > App Control Advanced policy defines whether to block or log an application, which users, groups, or IP address ranges to include or exclude, and a schedule for enforcement. You can quickly enable blocking or logging for a whole category of applications, or can just as easily locate and do the same for an individual application or individual signature. Once enabled, the category, application, or signature is blocked or logged globally without the need to create a policy on the App Rules page.

App Control is licensed together in a bundle with other security services, including SonicWall Gateway Anti-Virus (GAV), Anti-Spyware, and Intrusion Prevention Service (IPS). You must enable App Control before you can use it. Firewall > App Rules and Firewall > App Control Advanced are both enabled with global settings, and App Control must also be enabled on each network zone that you want to control.

SonicWall GMS supports App Control on SonicWall firewall appliances that are running SonicOS 5.9 firmware or higher. The units must be licensed for Gateway Anti-Virus. App Control is supported for Firewalls at the group level and unit level in SonicWall GMS. When a unit is selected that is running a version of SonicOS lower than 5.9, the App Control menu group is not visible in the middle panel. However, when the group level is selected, the App Control menu group is available and you can configure objects and policies, even if the group does not yet contain a unit running 5.9 or higher. This allows you to prepare the policy configuration prior to bringing a unit with 5.9 under GMS management.

Inheritance is supported for App Control policies and configurations. Inheritance in SonicWall GMS allows a node’s settings to be inherited to and from unit, group and parent nodes. For more information about inheritance, see Configuring Inheritance Filters (/Support/Technical-Documentation/GMS-8-3-AdminGuide/Console#1030578).

On SonicWall TZ 100 and 200 series appliances, the Security Services > Application Control screen in the SonicOS interface corresponds to the Firewall > App Control Advanced screen in SonicWall GMS. TZ 100 and 200 boxes do not support App Rules policies. This means that the App Rules, Match Objects, Action Objects, and Email Address Objects screens do not appear for these models. For related information and use case configurations, see Use Cases.

Configuring App Rules

The Firewall > App Rules page provides global settings, search functions, a policies view filter, and the list of App Rules policies. From here, you can add a new policy or delete a policy.

NOTE: Changing the Bandwidth Management Type on the Firewall > BWM page from Global to WAN, or from WAN to Global, automatically sets the Medium priority action object for any policies using predefined Global or WAN BWM action objects. If Bandwidth Management Type is set to None on the Firewall > BWM page, you have to change the action object of the policy manually to replace the predefined Global or WAN BWM action objects. See Configuring Application Layer Bandwidth Management for more information.

See the following sections for configuration information about the settings on this page:
• Configuring App Rules Global Settings
• Searching App Rules Policies
• Filtering the Policies View
• Sorting App Rules Policies
• Viewing Tooltips for App Rules Policies
• Adding or Editing App Rules Policies
• Enabling or Disabling App Rules Policies
• Deleting App Rules Policies
• Policy Type Reference

CONFIGURING APP RULES GLOBAL SETTINGS

The App Rules page provides global settings to enable use of App Rules policies and to control logging behavior.

To configure App Rules global settings:

1 In the TreeControl, select the unit or group to configure.
2 On the Policies tab, on the Firewall > App Rules page, select Enable App Rules to enable App Control on this unit or group.
3 Enter the minimum number of seconds between log entries for multiple matches of the same policy in the Global Log Redundancy Filter field. If set to zero, a log entry is created for each policy match. This global setting applies to all App Rules policies. You can also set custom log redundancy for an individual policy in the Add/Edit Policy screen. Per-policy settings override the global setting.
4 Click Update to apply changes in the global settings. Click Reset to clear all changes on the page and return fields to their default values.
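To see what the Global Log Redundancy Filter and its per-policy override do to a burst of matches, the simulation below is an added example, not GMS or SonicOS code: it applies the rules the step above states (a minimum number of seconds between log entries for the same policy, zero meaning every match is logged, and a per-policy value taking precedence over the global one) to a constructed list of match events, and reports which matches would produce log entries.

```python
"""Simulate the App Rules Log Redundancy Filter. Added example; the events
and policy settings are constructed, and the suppression logic illustrates
the behaviour the guide describes rather than the firewall's implementation."""
from typing import Dict, List, Optional, Tuple

# Constructed match stream: (timestamp in seconds, policy name).
# Policy "A" matches once a second for ten seconds; policy "B" matches twice
# within half a second.
SAMPLE_MATCHES: List[Tuple[float, str]] = (
    [(float(t), "A") for t in range(10)] + [(2.5, "B"), (3.0, "B")]
)


class LogRedundancyFilter:
    """Tracks the last logged match per policy and decides whether a new
    match is far enough from it to be logged again."""

    def __init__(self, global_seconds: int,
                 per_policy: Optional[Dict[str, int]] = None) -> None:
        if global_seconds < 0:
            raise ValueError("redundancy filter must be zero or positive")
        self.global_seconds = global_seconds
        # Policies absent from per_policy use "Global Settings".
        self.per_policy = per_policy or {}
        self._last_logged: Dict[str, float] = {}

    def interval_for(self, policy: str) -> int:
        """Per-policy value overrides the global one for that policy only."""
        return self.per_policy.get(policy, self.global_seconds)

    def should_log(self, ts: float, policy: str) -> bool:
        interval = self.interval_for(policy)
        last = self._last_logged.get(policy)
        # Zero disables suppression: every match is logged.
        if interval == 0 or last is None or ts - last >= interval:
            self._last_logged[policy] = ts
            return True
        return False


def filter_matches(matches: List[Tuple[float, str]], global_seconds: int,
                   per_policy: Optional[Dict[str, int]] = None) -> List[Tuple[float, str]]:
    """Return the subset of matches that would produce log entries."""
    f = LogRedundancyFilter(global_seconds, per_policy)
    return [(ts, p) for ts, p in sorted(matches) if f.should_log(ts, p)]


if __name__ == "__main__":
    print("global 0:", filter_matches(SAMPLE_MATCHES, 0))
    print("global 3:", filter_matches(SAMPLE_MATCHES, 3))
    print("global 3, B overrides to 0:", filter_matches(SAMPLE_MATCHES, 3, {"B": 0}))
```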

SEARCHING APP RULES POLICIES

You can search the list of App Rules policies using several different filters, each combined with one of several operators and a target value that you provide.

To complete a filtered search of App Rules policies:

1 In the TreeControl, select the unit or group on which to search.
2 On the Policies tab, on the Firewall > App Rules page, select one of the following search objects from the first Search pull-down list:
• Name – the full or partial name of the policy
• Object – the full or partial name of the match object in the policy
• Action – the full or partial name of the action object used in the policy
3 Select one of the following operators from the next pull-down list:
• Equals – search for any policy in which the search object exactly matches the target value
• Starts with – search for any policy in which the search object begins with the target value
• Ends with – search for any policy in which the search object ends with the target value
• Contains – search for any policy in which the search object contains the target value
4 In the text box, type in the target value that you are searching for in the Name, Object, or Action search object.
5 Click Search to search your policies for one or more matches. Click Clear to set the search fields back to defaults. The App Rules Policies list changes to display only the policies found by your search.

FILTERING THE POLICIES VIEW

The App Rules Policies View Style area provides two ways to filter the policies that are displayed on the Firewall > App Rules page. You can choose to display policies by the type of policy or by the type of action used in the policy. These filters can be combined, allowing you to display only policies of a specific type that use a particular type of action. Policies that do not match the selected filter settings are removed from the display.

To filter the display by a specific type of policy, select the desired type from the Policy Type pull-down list. The available selections include the same policy types that are available when creating a policy.

For example, after selecting App Control Content as the Policy Type, the display changes to show only policies of the App Control Content type.

To filter the display by a specific type of action used in the policy, select the desired type from the Action Type pull-down list.

For example, after selecting App Control Content as the Policy Type, you could select Reset/Drop as the Action Type. The display changes to show only App Control Content type policies that use a Reset/Drop action type.

To change the display back to the default showing all policies, either select All for both Policy Type and Action Type, or simply navigate away from the page and then back to it.

SORTING APP RULES POLICIES

You can sort the list of App Rules policies by clicking on any of the underlined column headings, including Name, Object, Action, and Enable. The first time you click one of these headings the policy list is sorted in descending alphabetical order from top to bottom, according to the first letter or symbol of the items in that column. For example, clicking the Name heading sorts the policies alphabetically by the first letter of the policy name, from ‘A’ at the top to ‘Z’ at the bottom. A small upward-pointing arrow is displayed next to the Name heading, indicating that, if the heading is clicked, it causes the list to be sorted in ascending order by name (Z to A).

To resort the list in ascending order, click the heading a second time. Names beginning with a symbol or number come before names beginning with any alphabetical character. When sorting by Object name, automatically created objects beginning with tilde (~) come before objects beginning with any alphabetical character. The same holds true if you use a symbol or number as the first letter when naming an object, action, or policy. When sorting by the Enable heading, the first click places all enabled policies at the top of the list. Clicking again puts disabled policies at the top.

VIEWING TOOLTIPS FOR APP RULES POLICIES

The App Rules main page provides mouse-over tooltips for the policy values. These tooltips display a number of details about the values. To display the tooltips, move your mouse pointer slowly over the elements within each policy. The tooltip automatically pops up with the available information. The following table lists some of the information that can be displayed for the elements under each heading. The type of information varies depending on the object type.

Tooltip Displays

Heading: Potential Settings Information in Tooltip
• Name: Status – Enabled or Disabled
• Policy Type: N/A
• Object: Object Properties – Type, Match Type, Input Type, Negative Matching, Content
• Action: Action Properties – Type, Content, BWM Inbound/Outbound Parameters
• Direction: N/A
• Comments: Comments – Source/Destination Address, To/From Service, Log, Log Redundancy Filter, Included/Excluded Users, Email Users, Schedule
• Enable: N/A

The actual information displayed depends on the settings configured for the policy or object.

ADDING OR EDITING APP RULES POLICIES

When you have created a match object, and optionally, an action or an email address object, you are ready to create a policy that uses them. Only a limited number of App Rules policies are allowed, depending on the SonicOS appliance model.

You can use App Control to create custom App Rules policies to control specific aspects of traffic on your network. A policy is a set of match objects, properties, and specific prevention actions. To create a policy, complete the following steps:
• Create a match object
• Select and optionally customize an action object
• Reference the match object and action when you create the policy

When you create a policy, you select a policy type. Each policy type specifies the values or value types that are valid for the source, destination, match object type, and action fields in the policy. You can further define the policy to include or exclude specific users or groups, select a schedule, turn on logging, and specify the connection side as well as basic or advanced direction types. A basic direction type simply indicates inbound or outbound. An advanced direction type allows zone to zone direction configuration, such as from the LAN to the WAN.

To configure an App Rules policy, complete the following steps:

1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > App Rules page on the Policies tab.
3 To edit an existing policy, click the pencil icon under Configure for it. To add a new policy, click Add New Policy. The App Control Policy Settings window displays.
4 In the App Control Policies Settings window, type a descriptive name into the Policy Name field.
5 Select a Policy Type from the pull-down list. Your selection here affects available options in the window. For information about available policy types, see Policy Type Reference.
6 Select a source and destination Address Group or Address Object from the Address pull-down lists. Only a single Address field is available for IPS Content, App Control Content, or CFS policy types.
7 Select the source or destination service from the Service pull-down lists. Some policy types do not provide a choice of service.
8 For Exclusion Address, optionally select an Address Group or Address Object from the pull-down list. This address is not affected by the policy.
9 For Match Object, select match objects to include and exclude from the drop-down menus. The menus contain the defined match objects that are applicable to the policy type.
10 For Action, select an action from the pull-down list. The list contains actions that are applicable to the policy type and the match object, and can include the predefined actions, plus any customized actions. For a log-only policy, select No Action.
11 For Users/Groups, select from the pull-down lists for both Included and Excluded. The selected users or groups under Excluded are not affected by the policy.
12 If the policy type is SMTP Client, select from the pull-down lists for MAIL FROM and RCPT TO, for both Included and Excluded. The selected users or groups under Excluded are not affected by the policy.
13 For Schedule, select from the pull-down list. The list provides a variety of schedules for the policy to be in effect.
14 Select Enable Flow Reporting to enable internal and external flow reporting based on data flows, connection related flows, non-connection related flows regarding applications, viruses, spyware, intrusions, and other information.
15 If you want the policy to create a log entry when a match is found, select Enable Logging.
16 To record more details in the log, select Log individual object content.
17 If the policy type is IPS Content, select Log using IPS message format to display the category in the log entry as “Intrusion Prevention” rather than “Application Control,” and to use a prefix such as “IPS Detection Alert” in the log message rather than “Application Control Alert.” This is useful if you want to use log filters to search for IPS alerts.
18 If the policy type is App Control Content, select Log using App Control message format to display the category in the log entry as “Application Control,” and to use a prefix such as “Application Control Detection Alert” in the log message. This is useful if you want to use log filters to search for Application Control alerts.
19 If the policy type is CFS, select Log using CFS message format to display the category in the log entry as “Network Access,” and to use a log message such as “Web site access denied” in the log message rather than no prefix. This is useful if you want to use log filters to search for content filtering alerts.
20 For Log Redundancy Filter, you can either select Global Settings to use the global value set on the Firewall > App Rules page, or you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
21 For Connection Side, select from the pull-down list. The available choices depend on the policy type and can include Client Side, Server Side, or Both, referring to the side where the traffic originates. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
22 For Direction, click either Basic or Advanced and select a direction from the pull-down list. Basic allows you to select Incoming, Outgoing, or Both. Advanced allows you to select between zones, such as LAN to WAN. IPS Content, App Control Content, or CFS policy types do not provide this configuration option.
23 If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone pull-down list. The policy is applied to this zone.
24 If the policy type is CFS, select an entry from the CFS Allow List pull-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry are not affected by the policy.
25 If the policy type is CFS, select an entry from the CFS Forbidden List pull-down list. The list contains any defined CFS Allow/Forbidden List type of match objects, and also provides None as a selection. The domains in the selected entry are denied access to matching content, instead of having the defined action applied.
26 If the policy type is CFS, select Enable Safe Search Enforcement to prevent safe search enforcement from being disabled on search engines such as Google, Yahoo, Bing, and others.
27 Click OK. The Modify Task Description and Schedule window displays.
28 A description is automatically added in the Description field. Optionally change the description.
29 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Activate this policy immediately
• At – Select the exact time to activate this policy using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
30 Click Accept to save the policy with this schedule. Click Cancel to exit without saving the policy. At the unit level, you might need to refresh the Firewall > App Rules page to see your new policy in the list.

ENABLING OR DISABLING APP RULES POLICIES

You can enable or disable existing App Rules policies directly on the Firewall > App Rules page. To enable or disable a policy, complete the following steps:

1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > App Rules page on the Policies tab.
3 To enable a policy, select the check box in the Enable column for that policy. To disable the policy, clear the check box.
4 Click Update. The Modify Task Description and Schedule window displays.
5 Select the Schedule settings, then click Accept to save the policy with this schedule. Click Cancel to exit without saving the policy.

DELETING APP RULES POLICIES

To delete one or more App Rules policies, complete the following steps:

1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > App Rules page on the Policies tab.
3 To delete a single policy, click the trash can icon under Configure for it, and then click OK in the confirmation dialog.
4 To delete one or more policies, select the check boxes for the ones to delete and click Delete Policy(s), and then click OK in the confirmation dialog.

POLICY TYPE REFERENCE

The following table describes the characteristics of the available App Rules policy types. For each policy type it lists the description, the valid source service / default, the valid destination service / default, the valid match object type, the valid action type, and the connection side.

Policy Types

App Control Content
  Description: Policy using dynamic Application Control related objects for any application layer protocol
  Valid Source Service / Default: N/A
  Valid Destination Service / Default: N/A
  Valid Match Object Type: Application Category List, Application List, Application Signature List
  Valid Action Type: Reset/Drop, No Action, Bypass DPI, Packet Monitor, BWM Global-*, WAN BWM *
  Connection Side: N/A

CFS
  Description: Policy for content filtering
  Valid Source Service / Default: N/A
  Valid Destination Service / Default: N/A
  Valid Match Object Type: CFS Category List, CFS Allow / Forbidden List
  Valid Action Type: CFS Block Page, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: N/A

Custom Policy
  Description: Policy using custom objects for any application layer protocol; can be used to create IPS-style custom signatures
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: Any / Any
  Valid Match Object Type: Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: Client Side, Server Side, Both

FTP Client
  Description: Any FTP command transferred over the FTP control channel
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: FTP Control / FTP Control
  Valid Match Object Type: FTP Command, FTP Command + Value, Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action
  Connection Side: Client Side

FTP Client File Upload
  Description: An attempt to upload a file over FTP (STOR command)
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: FTP Control / FTP Control
  Valid Match Object Type: Filename, file extension
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: Client Side

FTP Client File Download
  Description: An attempt to download a file over FTP (RETR command)
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: FTP Control / FTP Control
  Valid Match Object Type: Filename, file extension
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: Client Side

FTP Data Transfer
  Description: Data transferred over the FTP Data channel
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: Any / Any
  Valid Match Object Type: File Content Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action
  Connection Side: Both

HTTP Client
  Description: Policy which is applicable to Web browser traffic or any HTTP request that originates on the client
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: Any / HTTP (configurable)
  Valid Match Object Type: HTTP Host, HTTP Cookie, HTTP Referrer, HTTP Request Custom Header, HTTP URI Content, HTTP User Agent, Web Browser, File Name, File Extension, Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor (1), No Action, BWM Global-*, WAN BWM *
  Connection Side: Client Side

HTTP Server
  Description: Response originated by an HTTP Server
  Valid Source Service / Default: Any / HTTP (configurable)
  Valid Destination Service / Default: Any / Any
  Valid Match Object Type: ActiveX Class ID, HTTP Set Cookie, HTTP Response Custom Header, File Content Object, Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: Server Side

IPS Content
  Description: Policy using dynamic Intrusion Prevention related objects for any application layer protocol
  Valid Source Service / Default: N/A
  Valid Destination Service / Default: N/A
  Valid Match Object Type: IPS Signature Category List, IPS Signature List
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: N/A

POP3 Client
  Description: Policy to inspect traffic generated by a POP3 client; typically useful for a POP3 server admin
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: POP3 (Retrieve Email) / POP3 (Retrieve Email)
  Valid Match Object Type: Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action
  Connection Side: Client Side

POP3 Server
  Description: Policy to inspect email downloaded from a POP3 server to a POP3 client; used for email filtering
  Valid Source Service / Default: POP3 (Retrieve Email) / POP3 (Retrieve Email)
  Valid Destination Service / Default: Any / Any
  Valid Match Object Type: Email Body, Email CC, Email From, Email To, Email Subject, File Name, File Extension, MIME Custom Header
  Valid Action Type: Reset/Drop, Disable attachment, Bypass DPI, No action
  Connection Side: Server Side

SMTP Client
  Description: Policy applies to SMTP traffic that originates on the client
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: SMTP (Send Email) / SMTP (Send Email)
  Valid Match Object Type: Email Body, Email CC, Email From, Email To, Email Size, Email Subject, Custom Object, File Content, File Name, File Extension, MIME Custom Header
  Valid Action Type: Reset/Drop, Block SMTP Email Without Reply, Bypass DPI, Packet Monitor, No Action
  Connection Side: Client Side

(1) Packet Monitor action not supported for File Name or File Extension Custom Object.

Configuring App Control Advanced Policies

The Firewall > App Control Advanced page provides an alternate method of adding App Control policies. The configuration method on the Firewall > App Control Advanced page allows granular control of specific categories, applications, or signatures. This includes granular logging control, granular inclusion and exclusion of users, groups, or IP address ranges, and schedule configuration. The settings here are global policies and independent from any custom App Rules policy, and do not need to be added to an App Rules policy to take effect.

You can configure the following settings on this page:
• Select a category, an application, or a signature.
• Select blocking, logging, or both as the action.
• Specify users, groups, or IP address ranges to include in or exclude from the action.
• Set a schedule for enforcing the controls.

The Firewall > App Control Advanced screen provides application signatures management for all supported firewalls running SonicOS 5.9 or higher firmware. Only 50 rows can be displayed on this page. To view additional rows, use the pagination controls to the right of the Items field.

The Firewall > App Control Advanced page provides an App Control View Style section. When you select Application or Signature in the Viewed By field in this section, the listed items are displayed as links in the App Control Advanced section. You can click these links for more details about the application or signature. A summary is provided, as well as information from Wikipedia, if available.

NOTE: When All is selected in the Category pull-down list while Viewed By is set to Category, and then one of the category links is clicked, the View Style settings are changed to select that category in the Category pull-down list and set Viewed By to Application, displaying all the applications in that category.

See the following sections:
• Viewing App Control Advanced Status
• Enabling App Control on Network Zones
• Configuring App Control Advanced Global Settings
• Configuring Policies on Firewall > App Control Advanced
• Sorting App Control Advanced Items

VIEWING APP CONTROL ADVANCED STATUS

The App Control Status section at the top of the page displays the date of the most recent signature database available in MySonicWall.com (www.MySonicWall.com). This database contains thousands of signatures for application viruses and other malware being tracked by SonicWall. SonicWall appliances periodically synchronize with MySonicWall to download updates to the database.

The Status section also displays the expiration date of the App Control Service license. If the service expires, no new signatures are downloaded to the appliance from MySonicWall. A link to the Network > Zones page is provided next, for convenient navigation. You must enable App Control on each zone where you want it to inspect network traffic. If App Control is not enabled on any zones, a warning is displayed here. See Enabling App Control on Network Zones for a description of enabling App Control on a network zone.

ENABLING APP CONTROL ON NETWORK ZONES

You must enable App Control on each zone where you want to use App Control Advanced policies to inspect network traffic. A link to the Network > Zones page is provided on the Firewall > App Control Advanced page for convenient navigation.

NOTE: App Control policies are applied to traffic within a network zone only if you enable the App Control Service for that zone. App Rules policies are independent, and not affected by the App Control setting for network zones.

To enable App Control on a network zone:
1 In the TreeControl, select the unit or group to configure.
2 On the Policies tab, on the Firewall > App Control Advanced page, click Network > Zones in the App Control Status section at the top of the page.
3 On the Network > Zones page, click the Edit icon for the desired zone. The Edit Network Zone screen displays.
4 Select Enable App Control Service.
5 Click OK. The Modify Task Description and Schedule window displays.
6 A description is automatically added in the Description field. Optionally change the description.
7 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Enable the configuration immediately
• At – Select the exact time to enable the configuration by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
8 Click Accept to enable the configuration on this schedule. Click Cancel to exit without saving the configuration.

CONFIGURING APP CONTROL ADVANCED GLOBAL SETTINGS

App Control is a licensed service, and you must also enable it to activate the functionality. The Firewall > App Control Advanced page provides the following global settings:
• Enable App Control – Globally enable App Control
• Configure App Control Settings – Configure a global exclusion list for App Control
• Update App Control Signature Database – Synchronize signatures with MySonicWall
• Reset App Control Settings & Policies – Delete all App Control configuration and policies for the selected unit or for all units in the selected group

See the following sections:
• Enabling App Control Globally
• Configuring an App Control Advanced Exclusion List
• Synchronizing the Signature Database
• Resetting App Control to Factory Defaults

Enabling App Control Globally

To globally enable App Control Advanced policies:
1 In the TreeControl, select the unit or group to configure.
2 On the Policies tab, navigate to the Firewall > App Control Advanced page.
3 In the App Control Global Settings area, select Enable App Control to globally enable App Control. App Control policies are applied to traffic within a network zone only if you enable the App Control Service for that zone. See Enabling App Control on Network Zones for a description of enabling App Control on a network zone.
4 Click Update. The Modify Task Description and Schedule window displays.
5 A description is automatically added in the Description field. Optionally change the description.
6 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Enable App Control Advanced policies immediately
• At – Select the exact time to enable App Control Advanced policies by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
7 Click Accept to enable App Control Advanced policies on this schedule. Click Cancel to exit without saving the configuration.

Configuring an App Control Advanced Exclusion List

To configure an exclusion list for App Control Advanced policies:
1 In the TreeControl, select the unit or group to configure.
2 On the Policies tab, navigate to the Firewall > App Control Advanced page.
3 In the App Control Global Settings area, click Configure App Control Settings to bring up the App Control Exclusion List window.
4 Select Enable Application Control Exclusion List to activate the exclusion options in the window.
5 To use the IPS exclusion list, which can be configured on the Security Services > Intrusion Prevention page, select Use IPS Exclusion List.
6 To use an address object for the exclusion list, select Use Application Control Exclusion Address Object, and then select an address object from the pull-down list.
7 Click OK. The Modify Task Description and Schedule window displays.
8 A description is automatically added in the Description field. Optionally change the description.
9 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Enable the exclusion list immediately
• At – Select the exact time to enable the exclusion list by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
10 Click Accept to enable the exclusion list on this schedule. Click Cancel to exit without saving the configuration.

Synchronizing the Signature Database

To synchronize the signature database with MySonicWall:
1 In the TreeControl, select the unit or group to configure.
2 On the Policies tab, navigate to the Firewall > App Control Advanced page.
3 In the App Control Global Settings area, click Update App Control Signature Database. The Modify Task Description and Schedule window displays.
4 A description is automatically added in the Description field. Optionally change the description.
5 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Synchronize the database immediately
• At – Select the exact time to synchronize the database using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
6 Click Accept to synchronize the database on this schedule. Click Cancel to exit without saving the configuration.

Resetting App Control to Factory Defaults

To reset App Control settings and policy configuration to the factory default values for the selected unit or for all units in the selected group:
1 In the TreeControl, select the unit or group to configure.
2 On the Policies tab, navigate to the Firewall > App Control Advanced page.
3 In the App Control Global Settings area, click Reset App Control Settings & Policies.
4 Click OK in the confirmation dialog box. The Modify Task Description and Schedule window displays.
5 A description is automatically added in the Description field. Optionally change the description.
6 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Complete the reset immediately
• At – Select the exact time to do the reset using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
7 Click Accept to complete the reset on this schedule. Click Cancel to exit without saving the configuration.

CONFIGURING POLICIES ON FIREWALL > APP CONTROL ADVANCED

The Firewall > App Control Advanced page provides a way to configure global App Control policies to block or log categories, applications, and signatures. Policies configured on this page are independent from policies created on Firewall > App Rules, and do not need to be added to an App Rules policy to take effect.

You can configure the following settings on this page:
• Select a category, an application, or a signature.
• Select blocking, logging, or both as the action.
• Specify users, groups, or IP address ranges to include in or exclude from the action.
• Set a schedule for enforcing the controls.

While these application control settings are independent from App Rules policies, you can also create application match objects for any of the categories, applications, or signatures available here, and use those match objects in an App Rules policy.

See the following sections:
• Configuring App Control by Category
• Configuring App Control by Application
• Configuring App Control by Signature

Configuring App Control by Category

Category based configuration is the most broadly based method of policy configuration on the Firewall > App Control Advanced page. The list of categories is available in the Category pull-down list in the App Control View Style section.

To configure an App Control policy for an application category:
1 In the TreeControl, select the unit or group on which to search.
2 On the Policies tab, on the Firewall > App Control Advanced page in the App Control View Style section, select Category from the Viewed By pull-down list. The list of available categories is displayed in the App Control Advanced section. Each category has a Configure button in its row.
3 Click Configure in the row for the category you want to work with. The App Control Category Settings window opens.
4 Alternatively, select an application category from the Category pull-down list in the View Style area. Configure appears to the right of the field as soon as a category is selected. Click Configure to open the App Control Category Settings window for the selected category.
5 To block applications in this category, select Enable in the Block pull-down list.
6 To create a log entry when applications in this category are detected, select Enable in the Log pull-down list.
7 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups pull-down list. Select All to apply the policy to all users.
8 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups pull-down list. Select None to apply the policy to all users.
9 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range pull-down list. Select All to apply the policy to all IP addresses.
10 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range pull-down list. Select None to apply the policy to all IP addresses.
11 To enable this policy during specific days of the week and hours of the day, select one of the schedules from the Schedule pull-down list.
12 To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field.
13 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.
14 A description is automatically added in the Description field. Optionally change the description.
15 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Enable the policy immediately
• At – Select the exact time to enable the policy by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
16 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.

Configuring App Control by Application

Application based configuration is the middle level of policy configuration on the Firewall > App Control Advanced page, between the category based and signature based levels. The list of applications is available in the Application pull-down list in the App Control View Style section. With a category selected, the list contains applications within that category. If the category is set to All, applications for all categories are listed.

This configuration method allows you to create policy rules specific to a single application if you want to enforce the policy settings only on the signatures of this application without affecting other applications in the same category.

To configure an App Control policy for a specific application:
1 In the TreeControl, select the unit or group on which to search.
2 On the Policies tab, on the Firewall > App Control Advanced page in the App Control View Style area, first select a category from the Category pull-down list.
3 Next, select Application in the Viewed By pull-down list. The list of available applications in the selected category is displayed in the App Control Advanced section. Each application has a Configure button in its row.
4 Click Configure in the row for the application you want to work with. The App Control App Settings window opens.
5 Alternatively, select an application in this category from the Application pull-down list. Configure appears to the right of the field as soon as an application is selected. Click Configure to open the App Control App Settings window for the selected application.
6 The fields at the top of the window display the values for the App Category Name and App Name, and are not editable. In the other fields, the application configuration parameters default to the current settings of the category to which the application belongs. To retain this connection to the category settings for one or more fields, leave the selection in place for those fields.
7 To block this application, select Enable in the Block pull-down list.
8 To create a log entry when this application is detected, select Enable in the Log pull-down list.
9 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups pull-down list. Select All to apply the policy to all users.
10 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups pull-down list. Select None to apply the policy to all users.
11 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range pull-down list. Select All to apply the policy to all IP addresses.
12 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range pull-down list. Select None to apply the policy to all IP addresses.
13 To enable this policy during specific days of the week and hours of the day, select one of the schedules from the Schedule pull-down list.
14 To use the same Log Redundancy Filter settings that are set for the entire category, leave Use Category Settings selected. To specify a different delay between log entries for repetitive events, clear Use Category Settings and type the number of seconds for the delay into the Log Redundancy Filter field.
15 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.
16 A description is automatically added in the Description field. Optionally change the description.
17 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Enable the policy immediately
• At – Select the exact time to enable the policy by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
18 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.

Configuring App Control by Signature

Signature based configuration is the lowest, most specific, level of policy configuration on the Firewall > App Control Advanced page. Setting a policy based on a specific signature allows you to configure policy settings for the individual signature without influence on other signatures of the same application.

To configure an App Control policy for a specific signature:
1 In the TreeControl, select the unit or group on which to search.
2 On the Policies tab, on the Firewall > App Control Advanced page, first select a category from the Category pull-down list.
3 Next, select an application in this category from the Application pull-down list.
4 To display the specific signatures for this application, select Signature in the Viewed By pull-down list. The Farmville gaming application has three signatures.
5 Click Configure in the row for the signature you want to work with. The App Control Signature Settings window opens.
6 Alternatively, enter the Signature ID, shown in the ID column, into the Lookup Signature ID field and click Configure next to the field to open the App Control Signature Settings window.
7 In the App Control Signature Settings window, several fields at the top of the window are not editable. These fields display the values for the Signature Category, Signature Name, Signature ID, Application ID, Priority, and Direction of the traffic in which this signature can be detected. In the other fields, the default policy settings for the signature are set to the current settings for the application to which the signature belongs. To retain this connection to the application settings for one or more fields, leave the selection in place for those fields.
8 To block this signature, select Enable in the Block pull-down list.
9 To create a log entry when this signature is detected, select Enable in the Log pull-down list.
10 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups pull-down list. Select All to apply the policy to all users.
11 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups pull-down list. Select None to apply the policy to all users.
12 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range pull-down list. Select All to apply the policy to all IP addresses.
13 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range pull-down list. Select None to apply the policy to all IP addresses.
14 To enable this policy during specific days of the week and hours of the day, select one of the schedules from the Schedule pull-down list.
15 To use the same Log Redundancy Filter settings that are set for all signatures in the application, leave Use App Settings selected. To specify a different delay between log entries for repetitive events, clear Use App Settings and type the number of seconds for the delay into the Log Redundancy Filter field.
16 To view more details about the signature, click the Note: Click here for comprehensive information regarding this signature. The SonicWall Security Center page for the signature is displayed.
17 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.
18 A description is automatically added in the Description field. Optionally change the description.
19 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Enable the policy immediately
• At – Select the exact time to enable the policy by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
20 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.

If you have configured any settings for the Users/Groups, IP Address Range, or Schedule fields, icons are displayed in the Comments column for the entry on the Firewall > App Control Advanced page. You can hover your mouse pointer over the icons to display a tooltip with the configured settings.
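The three procedures above share one model: a signature inherits every field it does not override from its application, which in turn inherits from its category, and the Included/Excluded Users/Groups and IP Address Range fields narrow where the block or log action applies. The following Python is an added example, not SonicWall GMS code, that models that resolution, the scoping decision for a single flow, and the Log Redundancy Filter (the delay in seconds between log entries for repeated events). The category, application and signature settings, the user-to-group table and the addresses are all constructed.

```python
# Added example (not SonicWall GMS code): a model of how App Control Advanced
# settings resolve through the category -> application -> signature hierarchy,
# how the Included/Excluded Users and IP Address Range fields scope a policy,
# and how the Log Redundancy Filter suppresses repeated log entries.
# All policy values, users, groups and addresses below are constructed.
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

ALL = "All"    # default for Included Users/Groups and Included IP Address Range
NONE = "None"  # default for Excluded Users/Groups and Excluded IP Address Range

# Defaults for a category on which nothing has been configured.
CATEGORY_DEFAULTS = {
    "block": False,
    "log": False,
    "included_users": ALL,
    "excluded_users": NONE,
    "included_ips": ALL,
    "excluded_ips": NONE,
    "log_redundancy_filter": 0,  # seconds between log entries for repeats
}


def effective_policy(category: dict, application: Optional[dict] = None,
                     signature: Optional[dict] = None) -> dict:
    """Resolve the settings that apply to one signature.

    A field the administrator left at "Use Category Settings" (application
    window) or "Use App Settings" (signature window) is simply absent from
    that level's dict and falls through to the parent level.
    """
    policy = dict(CATEGORY_DEFAULTS)
    for level in (category, application or {}, signature or {}):
        policy.update(level)
    return policy


def _any_in_ranges(ip: str, ranges: Iterable[str]) -> bool:
    """True if ip falls inside any of the given networks (v4 or v6 CIDRs)."""
    addr = ip_address(ip)
    return any(addr in ip_network(r, strict=False) for r in ranges)


def policy_applies(policy: dict, user: str, src_ip: str,
                   groups_of: Dict[str, Iterable[str]]) -> bool:
    """Return True when the policy's block/log actions apply to a flow from
    `user` at `src_ip`. `groups_of` maps a user to its groups (a constructed
    stand-in for the appliance's user database). Inclusion narrows the
    scope; exclusion then removes matches from whatever is left."""
    principals = {user} | set(groups_of.get(user, ()))
    inc_users, exc_users = policy["included_users"], policy["excluded_users"]
    if inc_users != ALL and not principals & set(inc_users):
        return False
    if exc_users != NONE and principals & set(exc_users):
        return False
    inc_ips, exc_ips = policy["included_ips"], policy["excluded_ips"]
    if inc_ips != ALL and not _any_in_ranges(src_ip, inc_ips):
        return False
    if exc_ips != NONE and _any_in_ranges(src_ip, exc_ips):
        return False
    return True


class LogRedundancyFilter:
    """Suppress repeated log entries for the same event key until `delay`
    seconds have passed since the entry that was last written."""

    def __init__(self, delay_seconds: int):
        self.delay = delay_seconds
        self._last_logged: Dict[str, float] = {}

    def should_log(self, event_key: str, now: float) -> bool:
        last = self._last_logged.get(event_key)
        if last is not None and now - last < self.delay:
            return False  # a repeat inside the delay window: drop it
        self._last_logged[event_key] = now
        return True


if __name__ == "__main__":
    category = {"log": True, "log_redundancy_filter": 60}
    app = {"block": True}                    # other fields: Use Category Settings
    sig = {"included_ips": ["10.0.0.0/8"],   # narrow one signature to the LAN
           "log_redundancy_filter": 10}
    policy = effective_policy(category, app, sig)
    print(policy)
    groups = {"alice": ["Engineering"]}
    print(policy_applies(policy, "alice", "10.1.2.3", groups))
    print(policy_applies(policy, "alice", "192.0.2.7", groups))
```

The inheritance is modelled as dictionary merging in hierarchy order, so a value set at the signature level wins, and a Log Redundancy Filter of 0 means every event is logged.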

SORTING APP CONTROL ADVANCED ITEMS

You can sort the list of App Control Advanced items by clicking on several of the headings, including Category, Application, Name, and ID. The first time you click one of these headings the list is sorted in descending alphabetical order from top to bottom, according to the first letter or symbol of the items in that column.

For example, clicking the Application heading sorts all rows alphabetically by the first letter of the application name, from numbers at the top to ‘Z’ at the bottom. Names beginning with a symbol or number come before names beginning with any alphabetical character.

To resort the list in ascending order, click the heading a second time.

Configuring Address Objects

NOTE: Address objects are only supported in SonicOS Enhanced.

SonicOS Enhanced supports Address Objects, which can be a host, network, MAC or IP address range. An Address Object Group is a group of Address Objects or other Address Object Groups. Once defined, you can quickly establish NAT Policies, VPN Security Associations (SAs), firewall rules, and DHCP settings between Address Objects and Address Object Groups without individual configuration.

All SonicWall appliances come with a group of pre-defined default network objects. These include subnets for each interface, interface IP addresses for each interface, management IP addresses, and more.

For appliances running SonicOS Enhanced, GMS supports paginated navigation and sorting by column header on the Address Objects screen. In either of the tables, you can click a column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.

IPv6 Address Objects and Address Object Groups can be viewed and configured on the Firewall > Address Objects page. The configuration of IPv6 Address Objects is nearly identical to that of IPv4 Address Objects.

You can complete the following tasks from the Address Objects page:
• Creating an Address Object Group
• Creating an Address Object
• Deleting a Network Address Group or Object

CREATING AN ADDRESS OBJECT GROUP

To create an Address Object Group, complete the following steps:
1 Expand the Firewall tree and click Address Objects. The Address Objects page displays.
2 Scroll down and click Add New Group.
3 Enter a name for the Address Object Group in the Name field.
4 Select an object or group that is a part of the Address Object Group and click the right arrow. Repeat for each object or group to add.
5 When you are finished, click OK.

CREATING AN ADDRESS OBJECT

The Firewall > Address Objects page allows you to create address objects. You can create various kinds of address objects, including Host, Range, and Network. For a SonicWall appliance running SonicOS Enhanced 3.5 or 4.0 (or higher), you can create Fully Qualified Domain Name (FQDN) or MAC dynamic address objects. The FQDN and MAC address objects are available in the Address Objects pull-down lists in a number of other configuration screens, including Zones, SonicPoints, and Access Rules. These dynamic address objects are resolved to an IP address when used, either by the ARP cache or the DNS server of the SonicWall.

To create an address object, complete the following steps:
1 Scroll to the bottom of the Address Objects page and click Add New Address Object.
2 Enter a name for the Address Object in the Name field.
3 Select the zone to which this Address Object is assigned from the Zone Assignment list box.
4 Select from the following:
• To specify an individual IP address, select Host from the Type pull-down menu and enter the IP address.
• To specify an IP address range, select Range from the Type pull-down menu and enter the starting and ending IP addresses.
• To specify a network, select Network from the Type pull-down menu and enter the IP address and subnet mask.
• To specify a MAC address, select MAC from the Type pull-down menu and enter the MAC address.
• To specify a FQDN, select FQDN from the Type pull-down menu and enter the host name.
NOTE: IPv6 addresses can be entered for Firewalls that support IPv6.
5 When you are finished, click OK.
6 Repeat this procedure for each Address Object to add.
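The address object types listed above, and groups that nest other groups, determine whether a given IP address falls inside the scope of a rule that references them. The following Python is an added example, not SonicWall code, that models Host, Range, Network, MAC and FQDN objects and recursive group membership, for both IPv4 and IPv6. Because MAC and FQDN objects are resolved at use time by the ARP cache or DNS server, the example takes a constructed lookup table in their place so it runs offline; every object name, address and hostname is constructed.

```python
# Added example (not SonicWall code): a model of Address Objects (Host, Range,
# Network, MAC, FQDN) and Address Object Groups, which may contain objects or
# other groups. A constructed resolver table stands in for the appliance's
# ARP cache (MAC -> IP) and DNS server (FQDN -> IPs). Names are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Union


@dataclass
class AddressObject:
    name: str
    type: str       # "Host", "Range", "Network", "MAC" or "FQDN"
    value: str      # e.g. "10.0.0.5", "10.0.0.10-10.0.0.20", "10.0.0.0/24",
                    # a MAC address, or a host name
    zone: str = "LAN"   # Zone Assignment

    def contains(self, ip: str, resolver: Dict[str, List[str]]) -> bool:
        """True if ip is covered by this object. Dynamic objects (MAC, FQDN)
        are looked up in the resolver table each time they are evaluated."""
        addr = ip_address(ip)
        if self.type == "Host":
            return addr == ip_address(self.value)
        if self.type == "Range":
            start, end = (ip_address(p.strip()) for p in self.value.split("-"))
            if addr.version != start.version:
                return False        # an IPv6 address never falls in a v4 range
            return start <= addr <= end
        if self.type == "Network":
            return addr in ip_network(self.value, strict=False)
        if self.type in ("MAC", "FQDN"):
            resolved = resolver.get(self.value.lower(), [])
            return any(addr == ip_address(r) for r in resolved)
        raise ValueError(f"unknown address object type {self.type!r}")


@dataclass
class AddressObjectGroup:
    name: str
    members: List[Union[AddressObject, "AddressObjectGroup"]] = field(default_factory=list)

    def contains(self, ip: str, resolver: Dict[str, List[str]],
                 _seen: Optional[Set[str]] = None) -> bool:
        """True if any member object or nested group covers ip."""
        seen = _seen if _seen is not None else set()
        if self.name in seen:
            return False    # guard: a group that (indirectly) contains itself
        seen.add(self.name)
        for member in self.members:
            if isinstance(member, AddressObjectGroup):
                if member.contains(ip, resolver, seen):
                    return True
            elif member.contains(ip, resolver):
                return True
        return False


# Constructed stand-in for the ARP cache and DNS answers at evaluation time.
RESOLVER = {
    "intranet.example.com": ["10.0.0.42"],
    "00:11:22:33:44:55": ["10.0.0.77"],
}


def build_internal_group() -> AddressObjectGroup:
    """Constructed sample: a group of servers nested inside a wider group."""
    servers = AddressObjectGroup("servers", [
        AddressObject("mgmt-host", "Host", "10.0.0.5"),
        AddressObject("print-servers", "Range", "10.0.0.10-10.0.0.20"),
    ])
    return AddressObjectGroup("internal", [
        servers,
        AddressObject("lan-net", "Network", "192.168.1.0/24"),
        AddressObject("intranet", "FQDN", "intranet.example.com"),
        AddressObject("badge-reader", "MAC", "00:11:22:33:44:55"),
        AddressObject("lan-v6", "Network", "2001:db8::/32"),
    ])


if __name__ == "__main__":
    internal = build_internal_group()
    for probe in ("10.0.0.15", "10.0.0.42", "2001:db8::1", "10.0.0.99"):
        print(probe, internal.contains(probe, RESOLVER))
```

Membership of a nested group is evaluated recursively, so a rule bound to the outer group covers every object reachable through inner groups, which is why a cycle guard is worth having when groups can contain groups.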

MODIFYING A NETWORK ADDRESS GROUP OR OBJECT

To modify a network address group or object, complete the following steps:
1 Go to the Firewall > Address Objects page.
2 Click the Edit icon next to the selected address group or object.
3 Modify the settings and click OK.

DELETING A NETWORK ADDRESS GROUP OR OBJECT

GMS now enables you to delete a single address group or object more conveniently as well as select multiple objects at a time. To delete network address group objects, complete the following steps:
1 Go to the Firewall > Address Objects page.
2 Click on the Trash can icon of the selected address group or object.
3 Address

Configuring Match Objects

This section describes match objects and includes procedures for searching match objects and for adding, editing, or deleting a match object on the Firewall > Match Objects page. A limited number of match objects are allowed, depending on the appliance model.

See the following sections for configuration steps and information:
• Searching Match Objects
• Adding or Editing Match Objects
• Adding Application List Objects
• Sorting Match Objects
• Deleting Match Objects
• Match Object Type Reference

Match objects represent the set of conditions which must be matched in order for actions to take place. This includes the object type, the match type (exact, partial, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match. Hexadecimal input representation is used to match binary content such as executable files, while text input representation is used to match things like file or email content. You can also use hexadecimal input representation for binary content found in a graphic image. Text input representation could be used to match the same graphic if it contains a certain string in one of its properties fields.

The maximum size for a match object is 8192 (8K) bytes. Match objects do not provide matching for regular expressions on appliances running SonicOS 5.8.1.x. You can use a proxy server for this functionality.

The File Content match object type provides a way to match a pattern or keyword within a compressed (zip/gzip) file. This type of match object can only be used with FTP Data Transfer, HTTP Server, or SMTP Client policies.

NOTE: The Firewall > Match Objects page might not contain values in all columns for some types of match objects, when those fields are not applicable to those particular match object types.



SEARCHING MATCH OBJECTS

You can search the list of match objects using several different filters, each combined with an operator and a target value.

To complete a filtered search of match objects:
1 In the TreeControl, select the unit or group on which to search.
2 On the Policies tab, on the Firewall > Match Objects page, select one of the following search objects from the first Search pull-down list:
• Name – the full or partial name of the match object
• Object Type – the object type of the match object; see Match Object Types for the list of match object types
• Match Type – the match type, one of Exact, Partial, Prefix, Suffix, used in the match object
3 Select one of the following operators from the next pull-down list:
• Equals – search for any match object in which the name exactly matches the target value
• Starts with – search for any match object in which the name begins with the target value
• Ends with – search for any match object in which the name ends with the target value
• Contains – search for any match object in which the name contains the target value
• = (Equals sign) – search for any match object in which the object type or match type exactly matches the selected target value
4 When searching for a Name, a text box is displayed to the right of the operator. In the text box, type the target value that you are searching for in the match object name.
5 When searching for an Object Type or Match Type, select the target value from the pull-down list to the right of the operator.
6 Click Search to search your objects for one or more matches. Click Clear to set the search fields back to defaults. The Match Objects list changes to display only the match objects found by your search.

ADDING OR EDITING MATCH OBJECTS

To configure a match object, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Match Objects page on the Policies tab.
3 To edit an existing match object, click the pencil icon under Configure for it. To add a new match object, click Add New Match Object. The Match Object Settings window displays.
4 In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object.
5 Select a Match Object Type from the pull-down list. Your selection here affects available options in this screen. See Match Object Types for a description of Match Object Types.
6 Select a Match Type from the pull-down list. The available selections depend on the Match Object Type.
7 See the Extra Properties column in Match Object Types for a description of the additional fields and options that might appear on the page for different Match Object Types. Select the desired values for any additional fields or options.
8 For the Input Representation, click Alphanumeric to match a text pattern, or click Hexadecimal if you want to match binary content. You can use a hex editor or a network protocol analyzer like Wireshark to obtain hex format for binary files.
9 Enable Negative Matching might be available, depending on the Match Type. Select the check box to match anything except the pattern in the Content text box. See Negative Matching for more information about using this option.
10 In the Content text box, type the pattern to match, and then click Add. The content appears in the List text box. Repeat to add another element to match. You can add multiple entries to create a list of content elements to match. All content that you provide in a match object is case-insensitive for matching purposes. List entries are matched using the logical OR, so if any item in the list is matched, the action for the policy is executed.
11 Alternatively, you can click Load From File to import a list of elements from a text file. Each element in the file must be on a line by itself. The maximum file size is limited to 8192 bytes.
12 To remove an element from the list, select the element in the List box and then click Remove. To remove all elements, click Remove All.
13 Click OK. The Modify Task Description and Schedule window displays.
14 A description is automatically added in the Description field. Optionally change the description.
15 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Create the object immediately
• At – Select the exact time to activate this object using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
16 Click Accept to save the match object with this schedule. Click Cancel to exit without saving the match object. At the unit level, you might need to refresh the Firewall > Match Objects page to see your new match object in the list.

Negative Matching Negative matching provides an alternate way to specify which content to block. You can enable negative matching in a match object when you want to block everything except a particular type of content. When you use the object in a policy, the policy executes actions based on the absence of the content specified in the match object. Multiple list entries in a negative matching object are matched using the logical AND, meaning that the policy action is executed only when all specified negative matching entries are matched. Although all App Rules policies are DENY policies, you can simulate an ALLOW policy by using negative matching. For instance, you can allow email .txt attachments and block attachments of all other file types. Or you can allow a few types and block all others. Not all match object types can utilize negative matching. For those that can, Enable Negative Matching appears on the Match Object Settings screen.
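To make the OR-versus-AND semantics concrete, the following Python model is an added example and not SonicWall code. It assumes plain-string meanings for the Exact, Partial, Prefix and Suffix match types, applies the case-insensitive rule stated in the procedure above, enforces the 8192-byte Load From File limit, and replays the "allow only .txt attachments" case from this section as a negative Filename Extension object. The sample attachment extensions are constructed.

```python
"""Model of App Rules match-object list evaluation (added example, not
SonicWall code).  Positive lists are OR-ed, negative lists are AND-ed, and
all comparisons are case-insensitive, as the guide states.  The meaning
given to Exact/Partial/Prefix/Suffix here is an assumption of this model."""

MAX_LIST_FILE_BYTES = 8192  # Load From File limit stated in the guide


def entry_matches(content: str, entry: str, match_type: str) -> bool:
    """Compare one list entry against the content, case-insensitively."""
    c, e = content.lower(), entry.lower()
    if match_type == "Exact":
        return c == e
    if match_type == "Partial":
        return e in c
    if match_type == "Prefix":
        return c.startswith(e)
    if match_type == "Suffix":
        return c.endswith(e)
    raise ValueError(f"unsupported match type: {match_type}")


def policy_fires(content: str, entries: list, match_type: str,
                 negative: bool = False) -> bool:
    """Return True when the App Rules policy action would execute.

    Positive object: any entry matching (logical OR) fires the action.
    Negative object: the action fires only when every entry fails to match
    (logical AND of the negated entries).  Because every App Rules policy is
    a DENY, a negative object is how the listed content gets allowed while
    everything else is blocked.
    """
    hits = [entry_matches(content, e, match_type) for e in entries]
    if negative:
        return all(not h for h in hits)
    return any(hits)


def load_list_from_text(data: bytes) -> list:
    """Mimic Load From File: one element per line, file at most 8192 bytes."""
    if len(data) > MAX_LIST_FILE_BYTES:
        raise ValueError(f"list file is {len(data)} bytes; limit is {MAX_LIST_FILE_BYTES}")
    lines = data.decode("utf-8").splitlines()
    return [line.strip() for line in lines if line.strip()]


def filter_attachments(extensions: list, allowed_exts: list) -> dict:
    """Apply a negative Filename Extension object (match type Exact) to a set
    of attachments.  Returns extension -> 'blocked' or 'allowed'."""
    return {
        ext: "blocked" if policy_fires(ext, allowed_exts, "Exact", negative=True) else "allowed"
        for ext in extensions
    }


if __name__ == "__main__":
    # Constructed sample: attachment extensions seen on outbound mail.
    seen = ["txt", "TXT", "exe", "pdf", "docm"]
    print(filter_attachments(seen, ["txt"]))          # only txt/TXT allowed
    print(filter_attachments(seen, ["txt", "pdf"]))   # txt, TXT and pdf allowed
    # A positive Partial object on an HTTP Host header: OR across entries.
    print(policy_fires("Www.Example.COM", ["example", "other"], "Partial"))  # True
```

The second call to filter_attachments shows the AND rule: with two entries in the negative list, an attachment is blocked only when it matches neither entry.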

ADDING APPLICATION LIST OBJECTS The Firewall > Match Objects page also contains Add Application List Object, which opens the Add Application List Object screen. This screen provides another interface for creating an application list object and an application category list object, both of which are specific types of match objects. Two tabs are available:
• Application – You can create an application list object on this tab. This screen allows selection of the application category, threat level, and type of technology. After selections are made, the list of applications matching those criteria is displayed, and you can select one or more for the object.
• Category – You can create a category list object on this tab. A list of application categories and their descriptions is provided.

Application Tab The Application tab provides a list of applications for selection. Each application includes one or more signatures. You can control which applications are displayed by selecting one or more application categories, threat levels, and technologies. To select all application categories, threat levels, and technologies, click the green check mark below the Search button near the top right of the display. To search for a keyword in all application names and signatures, type it into the Search field and click Search. For example, type “bittorrent” into the Search field and click Search to find multiple applications with “bittorrent” (not case-sensitive) in the application name or in the name of a signature under the application. To display the signatures included by an application, click the arrow next to the application name to expand the details for it. When the application list is reduced to a list that is focused on your preferences, you can select the individual applications for your filter by clicking the Plus icon next to them, and then save your selections as an application filter object with a custom name or an automatically generated name.

To configure an application list object:
1 On the Firewall > Match Objects page, click Add Application List Object. The Add Application List Object screen displays.
2 On the Application tab, to name this object, clear Auto-generate match object name and then type a name for the object in the Match Object Name field. To use automatic naming, leave the field blank and leave Auto-generate match object name selected.
3 Clear specific category check boxes or clear Category to clear all category check boxes, then select the check boxes for the desired categories. Use the scroll bar in this section to view the entire category list. The list of applications in the lower panel changes as you clear and select categories.
4 Clear specific threat level check boxes or clear Threat Level to clear all threat level check boxes, then select the check boxes for the desired threat levels. The list of applications in the lower panel changes as you clear and select threat levels.
5 Clear specific technology check boxes or clear Technology to clear all technology check boxes, then select the check boxes for the desired technologies. The list of applications in the lower panel changes as you clear and select technologies.
6 In the application list, click the Plus to select the desired applications for your object. The Plus changes to a green check mark, and the application is added to the Application Group field on the right. You can edit the list in this field by deleting individual items or by clicking the X at the top to delete all items.
7 Click OK. The Modify Task Description and Schedule window displays.
8 A description is automatically added in the Description field. Optionally change the description.
9 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Create the object immediately
• At – Select the exact time to activate this object using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
10 Click Accept to save the match object with this schedule. Click Cancel to exit without saving the match object.
You will see the object name listed on the Firewall > Match Objects page with an object type of Application List. This object can then be selected when creating an App Rules policy. Match Objects created using the Auto-generate match object name option display a tilde (~) as the first character of the object name.

Category Tab The Category tab provides a list of application categories for selection. You can select any combination of categories and then save your selections as an application category list object with a custom or automatic name. By hovering your mouse pointer over a category in the list, you can see a description of it.

To configure an application category list object:
1 On the Firewall > Match Objects page, click Add Application List Object. The Add Application List Object screen displays.
2 Click the Category tab.
3 To name this object, clear Auto-generate match object name and then type a name for the object in the Match Object Name field. To use automatic naming, leave the field blank and leave Auto-generate match object name selected.
4 Clear specific category check boxes or clear Category to clear all category check boxes, then select the check boxes for the desired categories. Use the scrollbar in this section to view the entire category list.
5 Click OK. The Modify Task Description and Schedule window displays.
6 A description is automatically added in the Description field. Optionally change the description.
7 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Create the object immediately
• At – Select the exact time to activate this object using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
8 Click Accept to save the match object with this schedule. Click Cancel to exit without saving the match object.
You will see the object name listed on the Firewall > Match Objects page with an object type of Application Category List. This object can then be selected when creating an App Rules policy. Match Objects created using the Auto-generate match object name option display a tilde (~) as the first character of the object name.

SORTING MATCH OBJECTS You can sort the list of match objects by clicking on the Name column heading. The first time you click the heading, the match objects list is sorted in descending alphabetical order from top to bottom, according to the first letter or symbol of the items in that column. A small upward-pointing arrow is displayed next to the Name heading, indicating that, if the heading is clicked again, it causes the list to be sorted in ascending order by name (Z to A). Names beginning with a symbol or number come before names beginning with any alphabetical character. In descending order, automatically created objects beginning with tilde (~) are displayed before objects beginning with any alphabetical character. The same holds true if you use a symbol or number as the first letter when naming an object.

DELETING MATCH OBJECTS Match objects can be deleted unless they are in use by an App Rules policy. To delete one or more match objects, complete the following steps:
1 In the TreeControl select the unit or group to configure.
2 Navigate to the Firewall > Match Objects page on the Policies tab.
3 Do one of the following:
• To delete one or more match objects, select the check boxes for the ones to delete and click Delete Match Object(s).
• To delete a single match object, click the trash can icon under Configure for it, and then click OK in the confirmation dialog.
If any of the selected objects is currently in use by an App Rules policy, a popup message notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were selected for deletion and one of them is in use by a policy, none are deleted when Delete Match Object(s) is clicked.
4 In the confirmation dialog box, click OK.
5 In the Modify Task Description and Schedule window, select the Schedule settings for this task and then click Accept.

MATCH OBJECT TYPE REFERENCE The following table describes the supported match object types.

Match Object Types (columns: Object Type; Description; Match Types; Negative Matching; Extra Properties)

ActiveX ClassID
Description: Class ID of an Active-X component. For example, the ClassID of the Gator Active-X component is “c1fb8842-5281-45ce-a271-8fd5f117ba5f”.
Match Types: Exact
Negative Matching: No
Extra Properties: None

Application Category List
Description: Allows specification of application categories, such as Multimedia, P2P, or Social Networking.
Match Types: N/A
Negative Matching: No
Extra Properties: Application Categories – select the category from a pull-down list of application categories

Application List
Description: Allows specification of individual applications within the application category that you select.
Match Types: N/A
Negative Matching: No
Extra Properties: Application Categories – see above; Application – select the specific application from the pull-down list

Application Signature List
Description: Allows specification of individual signatures for the application and category that you select.
Match Types: N/A
Negative Matching: No
Extra Properties: Application Categories – see above; Application – see above; Application Signature – select the specific signature from the pull-down list

CFS Allow/Forbidden List
Description: Allows specification of allowed and forbidden domains for Content Filtering.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: No
Extra Properties: None

CFS Category List
Description: Allows selection of one or more Content Filtering categories.
Match Types: N/A
Negative Matching: No
Extra Properties: A list of 64 categories is provided to choose from

Custom Object
Description: Allows specification of an IPS-style custom set of conditions.
Match Types: Exact
Negative Matching: No
Extra Properties: There are 4 additional, optional parameters that can be set: Offset (describes from what byte in the packet payload we should start matching the pattern – starts with 1; helps minimize false positives in matching), Depth (describes at what byte in the packet payload we should stop matching the pattern – starts with 1), Payload Size – Minimum and Maximum size of data in a packet.

Email Body
Description: Any content in the body of an email.
Match Types: Partial
Negative Matching: No
Extra Properties: None

Email CC (MIME Header)
Description: Any content in the CC MIME Header.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Email From (MIME Header)
Description: Any content in the From MIME Header.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Email Size
Description: Allows specification of the maximum email size that can be sent.
Match Types: N/A
Negative Matching: No
Extra Properties: Email Size – the number of bytes in the email

Email Subject (MIME Header)
Description: Any content in the Subject MIME Header.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Email To (MIME Header)
Description: Any content in the To MIME Header.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

MIME Custom Header
Description: Allows for creation of MIME custom headers.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: A Custom header name needs to be specified.

File Content
Description: Allows specification of a pattern to match in the content of a file. The pattern will be matched even if the file is compressed.
Match Types: Partial
Negative Matching: No
Extra Properties: The ‘Disable attachment’ action should never be applied to this object.

Filename
Description: In cases of email, this is an attachment name. In cases of HTTP, this is a filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename of an uploaded or downloaded file.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Filename Extension
Description: In cases of email, this is an attachment filename extension. In cases of HTTP, this is a filename extension of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename extension of an uploaded or downloaded file.
Match Types: Exact
Negative Matching: Yes
Extra Properties: None

FTP Command
Description: Allows selection of specific FTP commands.
Match Types: N/A
Negative Matching: No
Extra Properties: Command – the FTP command, such as ABORT, DELETE, GET, PASSWORD, RESTART, QUIT, SIZE. Type HELP for the complete list of commands.

FTP Command + Value
Description: Allows selection of specific FTP commands and specification of their values.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: Command (see above); Argument – a value you type in, such as the filename to GET/PUT or the directory name used with MKDIR

HTTP Cookie Header
Description: Allows specification of a Cookie sent by a browser.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

HTTP Host Header
Description: Content found inside of the HTTP Host header. Represents the hostname of the destination server in the HTTP request, such as www.google.com.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

HTTP Referrer Header
Description: Allows specification of content of a Referrer header sent by a browser – this can be useful to control or keep stats of which Web sites redirected a user to the customer’s Web site.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

HTTP Request Custom Header
Description: Allows handling of custom HTTP Request headers.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: Custom Header Name – Specify a custom header name.

HTTP Response Custom Header
Description: Allows handling of custom HTTP Response headers.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: Custom Header Name – Specify a custom header name.

HTTP Set Cookie
Description: Set-Cookie headers. Provides a way to disallow certain cookies to be set in a browser.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

HTTP URI Content
Description: Any content found inside of the URI in the HTTP request.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: No
Extra Properties: None

HTTP URL
Description: Any HTTP URL that needs to be matched.
Match Types: Partial, Regex, Exact, Prefix, Suffix
Negative Matching: No
Extra Properties: None

HTTP User-Agent
Description: Any content inside of a User-Agent header. For example: User-Agent: Skype.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

MIME Custom Header
Description: Any content inside of a MIME header.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: Custom Header Name – Specify the MIME header name to match.

Web Browser
Description: Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari, Chrome).
Match Types: N/A
Negative Matching: Yes
Extra Properties: Browser – Specify the browser type; choose from MSIE, Netscape, Firefox, Safari, Chrome

IPS Signature Category List
Description: Allows selection of one or more IPS signature groups. Each group contains multiple predefined IPS signatures.
Match Types: N/A
Negative Matching: No
Extra Properties: IDP Categories – choose from a pull-down list of IPS attack categories, including ACTIVEX, EXPLOIT, JAVA, LDAP, MEDIAPLAYERS, SQLINJECTION, WEB-ATTACKS, and others

IPS Signature List
Description: Allows selection of one or more specific IPS signatures for enhanced granularity.
Match Types: N/A
Negative Matching: No
Extra Properties: IDP Category – (see above); IDP Signature – choose signatures from any IDP Category
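The Custom Object row above lists four optional parameters (Offset, Depth, Payload Size minimum and maximum) without showing how they narrow a match. The following Python model is an added example, not SonicWall code. It assumes Offset and Depth are 1-based, inclusive byte positions in the packet payload, that Hexadecimal content (see the Input Representation step earlier in this section) is compared byte-for-byte while Alphanumeric content is compared case-insensitively, and it uses constructed payloads rather than captured traffic.

```python
"""Model of a Custom Object match with its four optional parameters
(added example, not SonicWall code).  Assumptions: Offset and Depth are
1-based byte positions in the packet payload and Depth is inclusive;
Alphanumeric content is compared case-insensitively, Hexadecimal content
byte-for-byte."""


def parse_content(content: str, representation: str) -> bytes:
    """Convert the Content text box value according to Input Representation."""
    if representation == "Hexadecimal":
        return bytes.fromhex(content.replace(" ", ""))
    if representation == "Alphanumeric":
        return content.encode("latin-1")
    raise ValueError(f"unknown input representation: {representation}")


def custom_object_matches(payload: bytes, pattern: bytes, offset: int = 1,
                          depth: int = None, min_size: int = None,
                          max_size: int = None, alphanumeric: bool = False) -> bool:
    """Return True if the pattern occurs inside the [Offset, Depth] window
    and the payload size is within [min_size, max_size].

    Restricting the search window rather than scanning the whole payload is
    what the guide describes as the way to keep false positives down.
    """
    size = len(payload)
    if min_size is not None and size < min_size:
        return False
    if max_size is not None and size > max_size:
        return False
    if offset < 1:
        raise ValueError("Offset starts at 1")
    end = size if depth is None else min(depth, size)
    window = payload[offset - 1:end]
    if alphanumeric:
        return pattern.lower() in window.lower()
    return pattern in window


def executable_at_start(payload: bytes) -> bool:
    """Constructed detection object: the two bytes 'MZ' at payload bytes 1-2,
    only for payloads of at least 64 bytes (hypothetical thresholds)."""
    mz = parse_content("4D 5A", "Hexadecimal")  # hex for the ASCII bytes "MZ"
    return custom_object_matches(payload, mz, offset=1, depth=2, min_size=64)


if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    exe_like = b"MZ\x90\x00" + b"\x00" * 60   # 64 bytes, MZ at byte 1: match
    shifted = b"\x00MZ\x90" + b"\x00" * 60    # MZ at byte 2, outside the window
    tiny = b"MZ\x90\x00"                      # below the minimum payload size
    for name, p in [("exe_like", exe_like), ("shifted", shifted), ("tiny", tiny)]:
        print(name, executable_at_start(p))
```

The shifted payload is the case the Depth parameter exists for: the same bytes are present, but not where the object says they must be, so the object does not fire.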

Configuring Action Objects Action Objects define how the App Rules policy reacts to matching events. You can choose a customizable action or select one of the predefined actions. The predefined actions have no configurable settings and are displayed in the Firewall > Action Objects page. A number of BWM (bandwidth management) action options are available in the predefined action list. The BWM action options change depending on the Bandwidth Management Type setting on the Firewall > BWM page. If the Bandwidth Management Type is set to Global, all eight levels of BWM are available. If the Bandwidth Management Type is set to WAN, the predefined actions list includes three levels of WAN BWM. If the Bandwidth Management Type is set to None, the predefined actions list does not include any BWM actions. You can view the settings by mousing over the Content column of a BWM action on the Firewall > Action Objects page. For more information about BWM actions, see Configuring Application Layer Bandwidth Management. The Predefined Actions table lists the predefined actions available on the Firewall > Action Objects page. If BWM Type = None, no additional predefined BWM actions are available.

Predefined Actions

Always Available:
• Block SMTP E-Mail Without Reply
• Bypass DPI
• CFS Block Page
• No Action
• Packet Monitor
• Reset/Drop

If BWM Type = Global:
• BWM Global-High
• BWM Global-Highest
• BWM Global-Low
• BWM Global-Lowest
• BWM Global-Medium
• BWM Global-Medium High
• BWM Global-Medium Low
• BWM Global-Realtime

If BWM Type = WAN:
• WAN BWM High
• WAN BWM Medium
• WAN BWM Low

See the following sections:
• Searching Action Objects
• Adding or Editing Action Objects
• Configuring Application Layer Bandwidth Management
• Deleting Action Objects
• Action Type Reference

SEARCHING ACTION OBJECTS You can search the list of action objects using different filters, each combined with an operator and a target value.

To complete a filtered search of action objects:
1 In the TreeControl, select the unit or group on which to search.
2 On the Policies tab, on the Firewall > Action Objects page, select one of the following search objects from the first Search pull-down list:
• Name – the full or partial name of the action object
• Action Type – the action type of the action object; see Action Types for the list of action types
3 Select one of the following operators from the next pull-down list:
• Equals – search for any action object in which the name exactly matches the target value
• Starts with – search for any action object in which the name begins with the target value
• Ends with – search for any action object in which the name ends with the target value
• Contains – search for any action object in which the name contains the target value
• = (Equals sign) – search for any action object in which the action type exactly matches the selected target value
4 When searching for a Name, a text box is displayed to the right of the operator. In the text box, type the target value that you are searching for in the action object name.
5 When searching for an Action Type, select the target value from the pull-down list to the right of the operator.
6 Click Search to search your policies for one or more matches. Click Clear to set the search fields back to defaults.
The Action Objects list changes to display only the action objects found by your search.

ADDING OR EDITING ACTION OBJECTS If you do not want one of the predefined actions, you can add an action object that uses one of the configurable actions. The Action Objects Settings window provides a way to customize a configurable action with text or a URL, or custom bandwidth management settings if BWM Type is set to WAN on the Firewall > BWM page. The predefined actions plus any configurable actions that you have created are available for selection when you create an App Rules policy. A limited number of action objects are allowed, depending on the appliance model. To configure an action object, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Action Objects page on the Policies tab.
3 To edit an existing action object, click the pencil icon under Configure for it. To add a new action object, click Add New Action Object. The Action Object Settings window displays.
4 In the Action Name field, type a descriptive name for the action.
5 In the Action pull-down list, select the action that you want.
6 In the Content text box, type the text or URL to be used in the action.
7 If HTTP Block Page is selected as the action, a Color pull-down list is displayed. Choose a background color for the block page from the Color pull-down list. Color choices are white, yellow, red, or blue.
8 If Bandwidth Management is selected as the action, additional fields are displayed. Bandwidth management has some prerequisites; see Configuring Application Layer Bandwidth Management for configuration information.
9 Click OK. The Modify Task Description and Schedule window displays.
10 A description is automatically added in the Description field. Optionally change the description.
11 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Create the object immediately
• At – Select the exact time to activate this object using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
12 Click Accept to save the action object with this schedule. Click Cancel to exit without saving the action object. At the unit level, you might need to refresh the Firewall > Action Objects page to see your new action object in the list.

CONFIGURING APPLICATION LAYER BANDWIDTH MANAGEMENT Application layer bandwidth management (BWM) allows you to create policies that regulate bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth. This enables you to distinguish between desirable and undesirable traffic within the same protocol. Application layer bandwidth management is supported for all Application matches, as well as custom App Rules policies using HTTP client, HTTP Server, Custom, and FTP file transfer types. For details about policy types, see Policy Types.

If the Bandwidth Management Type on the Firewall > BWM page is set to Global, application layer bandwidth management functionality is supported with eight predefined, default BWM priority levels, available for selection on the Firewall > Action Objects page. There is also a customizable Bandwidth Management type action, available when adding a new action object.

NOTE: The maximum action objects allowed is the total of 17 default action objects plus the allowed number of custom action objects. Of the default action objects, 14 are Global type default actions and 3 are WAN type default actions.

All application bandwidth management is tied in with global bandwidth management, which is configured on the Firewall > BWM page. Two types of bandwidth management are available: WAN and Global. The None option allows you to specify no bandwidth management. When the type is set to WAN, bandwidth management is allowed only on interfaces in the WAN zone. With a type of Global, interfaces in all zones can be configured with bandwidth management. All App Control screens that offer an option for bandwidth management provide a link to the Firewall > BWM page so that you can easily configure global bandwidth management settings for the type and configure the guaranteed and maximum percentages allowed for each priority level. The Firewall > BWM page is shown in the following figure.

It is a best practice to configure global bandwidth management settings before configuring App Control policies that use BWM. Changing the Bandwidth Management Type on the Firewall > BWM page between WAN and Global causes BWM to be disabled in all Firewall Access Rules, while default BWM action objects in App Rules policies convert accordingly to correspond to the new bandwidth management type. When you change the Bandwidth Management Type from Global to WAN, the default BWM actions that are in use in any App Rules policies are automatically converted to WAN BWM Medium, no matter what level they were set to before the change. When you change the Type from WAN to Global, the default BWM actions are converted to BWM Global-Medium. The firewall does not store your previous action priority levels when you switch the Type back and forth. You can view the conversions on the Firewall > App Rules page.

Custom bandwidth management actions behave differently than the default BWM actions. Custom BWM actions are configured by adding a new action object from the Firewall > Action Objects page and selecting the Bandwidth Management action type. Custom bandwidth management actions and policies using them retain their priority level setting when the Bandwidth Management Type is changed from Global to WAN, and from WAN to Global.

When the Bandwidth Management Type is set to Global, the Add/Edit Action Object screen provides the Bandwidth Priority option, but uses the values that are specified in the Priority table on the Firewall > BWM page for Guaranteed Bandwidth and Maximum Bandwidth. The Per Action or Per Policy Bandwidth Aggregation Method options are not available for Action Objects when Bandwidth Management Type is set to Global.

NOTE: All priorities are displayed (Realtime through Lowest), regardless of whether all have been configured. Refer to the Firewall > BWM page to determine which priorities are enabled.

If the Bandwidth Management Type is set to Global and you select a Bandwidth Priority that is not enabled, the traffic is automatically mapped to the level 4 priority (Medium). For a BWM Type of WAN, the default priority is level 7 (Low). When the Bandwidth Management Type is set to WAN, the Add/Edit Action Object screen provides Per Action or Per Policy Bandwidth Aggregation Method options and you can specify values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority.

When configuring a Bandwidth Management action, you can select either Per Action or Per Policy. Per Policy means that when you create a limit of 10Mbps in an Action Object, and three different policies use the Action Object, then each policy can consume up to 10Mbps of bandwidth. Per Action means that the three policies combined can only use 10Mbps. When using Per Action, multiple policies are subject to a single aggregate bandwidth management setting when they share the same action. For example, consider the following two App Rules policies:
• One manages the bandwidth for downloading executable files
• Another manages the bandwidth for P2P applications traffic
If these two policies share the same bandwidth management Action (500Kbit/sec max bandwidth):
• Using the Per Action aggregation method, the downloads of executable files and traffic from P2P applications combined cannot exceed 500Kbit/sec.
• Using the Per Policy bandwidth aggregation method, a bandwidth of 500Kbit/sec is allowed for executable file downloads while concurrent P2P traffic is also allowed a bandwidth of 500Kbit/sec.
The predefined BWM High, BWM Medium, and BWM Low actions are all Per Action.

Application layer bandwidth management configuration is handled in the same way as the Ethernet bandwidth management configuration associated with Firewall > Access Rules. Both are tied in with the global bandwidth management settings. However, with App Control you can specify all content types, which you cannot do with access rules. When the Bandwidth Management Type on the Firewall > BWM page is set to WAN, bandwidth management policies defined with Firewall > Access Rules always have priority over application layer bandwidth management policies. Thus, if an access rule bandwidth management policy is applied to a certain connection, an application layer bandwidth management policy is never applied to that connection. When the Bandwidth Management Type is set to Global, the reverse is true, giving App Control bandwidth management policies priority over Firewall Access Rule bandwidth management policies.
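The Per Action versus Per Policy difference is easiest to see by replaying the executable-download and P2P example above against a shared 500Kbit/sec action. The following Python model is an added example, not SonicWall's implementation: it assumes a token bucket enforces the Maximum Bandwidth cap (the page does not describe the scheduler), keys that bucket either by action or by policy, and offers packets of a constructed size from each policy within one second. The effective_priority helper encodes the level 4 (Medium) and level 7 (Low) fallbacks stated above; the policy names and packet sizes are constructed.

```python
"""Per Action vs Per Policy bandwidth aggregation, modelled with a token
bucket (added example, not SonicWall code).  The bucket is an assumption used
to make the aggregation difference observable; the guide only states the cap."""


class TokenBucket:
    """Caps throughput at rate_kbps; the bucket holds one second of tokens (bits)."""

    def __init__(self, rate_kbps: float, now: float = 0.0):
        self.rate_bps = rate_kbps * 1000.0
        self.capacity = self.rate_bps
        self.tokens = self.capacity
        self.last = now

    def allow(self, bits: float, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bps)
        self.last = now
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


class BwmAction:
    """A Bandwidth Management action object with a Maximum Bandwidth cap."""

    def __init__(self, name: str, max_kbps: float, aggregation: str):
        if aggregation not in ("Per Action", "Per Policy"):
            raise ValueError("aggregation must be 'Per Action' or 'Per Policy'")
        self.name, self.max_kbps, self.aggregation = name, max_kbps, aggregation
        self._buckets = {}

    def admit(self, policy: str, nbytes: int, now: float) -> bool:
        # Per Action: every policy shares one bucket.  Per Policy: one bucket each.
        key = self.name if self.aggregation == "Per Action" else policy
        bucket = self._buckets.setdefault(key, TokenBucket(self.max_kbps, now))
        return bucket.allow(nbytes * 8, now)


def simulate_burst(aggregation: str, policies, max_kbps: float = 500,
                   packets_per_policy: int = 100, packet_bytes: int = 1250) -> dict:
    """Offer packets round-robin from each policy within one second and
    return the bits admitted per policy."""
    action = BwmAction("Shared-BWM", max_kbps, aggregation)
    admitted = {p: 0 for p in policies}
    for _ in range(packets_per_policy):
        for p in policies:
            if action.admit(p, packet_bytes, now=0.0):
                admitted[p] += packet_bytes * 8
    return admitted


def effective_priority(bwm_type: str, requested, enabled_levels) -> int:
    """Priority fallback as stated in the guide: under Global an unconfigured
    level maps to 4 (Medium); under WAN the default is 7 (Low).  Treating a
    missing WAN selection as 'use the default' is this model's assumption."""
    if bwm_type == "Global":
        return requested if requested in enabled_levels else 4
    if bwm_type == "WAN":
        return 7 if requested is None else requested
    raise ValueError("BWM type must be 'Global' or 'WAN'")


if __name__ == "__main__":
    policies = ["exe-downloads", "p2p"]   # constructed policy names
    for mode in ("Per Action", "Per Policy"):
        result = simulate_burst(mode, policies)
        print(mode, result, "total kbit:", sum(result.values()) / 1000)
```

With Per Policy each policy gets the full 500Kbit in the burst; with Per Action the two policies split one 500Kbit allowance, which is the "combined cannot exceed" rule from the text.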

Configuring Bandwidth Management Actions To use application layer bandwidth management, you must first enable bandwidth management on the interface that will handle the traffic. Once it is enabled, you can select Bandwidth Management in the Action pull-down list when creating an action object. If the global bandwidth management settings have the Bandwidth Management Type set to WAN on the Firewall > BWM page, then only interfaces in WAN zones can have assigned guaranteed and maximum bandwidth settings and have prioritized traffic. If the Bandwidth Management Type is set to Global, then all zones can have assigned guaranteed and maximum bandwidth settings and have prioritized traffic. See the following sections for configuration details:
• Configuring Bandwidth Management on an Interface
• Configuring a Bandwidth Management Action

Configuring Bandwidth Management on an Interface To enable bandwidth management on an interface, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Network > Interfaces page on the Policies tab.
3 In the Interface Settings table, click the icon under Edit for the desired interface.
4 In the Edit Interface window, click the Advanced tab.
5 Do one or both of the following:
• Under Bandwidth Management, to manage outbound bandwidth, select Enable Egress Bandwidth Management, and optionally set the Available Interface Egress Bandwidth (Kbps) field to the maximum for the interface. See the Maximum Interface Bandwidth Settings table.
• Under Bandwidth Management, to manage inbound bandwidth, select Enable Ingress Bandwidth Management and optionally set the Available Interface Ingress Bandwidth (Kbps) field to the maximum for the interface. See the Maximum Interface Bandwidth Settings table.

Maximum Interface Bandwidth Settings (Interface Rating – Max Bandwidth in Kilobits/second)
• 100 Megabits per second – 100,000
• 1 Gigabit per second – 1,000,000

6 Click OK.

Configuring a Bandwidth Management Action After bandwidth management is enabled on the interface, you can configure Bandwidth Management for an action object in App Control. To configure Bandwidth Management in an action object:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Action Objects page on the Policies tab.
3 To edit an existing action object, click the pencil icon under Configure for it. To add a new action object, click Add New Action Object. The Action Object Settings window displays.
4 In the Action Name field, type a descriptive name for the action. In the Action pull-down list, select Bandwidth Management.
If the Bandwidth Management Type is set to WAN on the Firewall > BWM page, the screen displays the following options that are not displayed if Bandwidth Management Type is set to Global:
• Bandwidth Aggregation Method
• Guaranteed Bandwidth
• Maximum Bandwidth
• Bandwidth Priority
• Enable Tracking Bandwidth Usage
When the BWM type is Global, the global values for these options are used for the action. In case of a BWM type of WAN, the configuration of these options is included in the following steps.
5 In the Bandwidth Aggregation Method pull-down list, select one of the following:
• Per Policy – When multiple policies are using the same Bandwidth Management action, each policy can consume up to the configured bandwidth even when the policies are active at the same time.
• Per Action – When multiple policies are using the same Bandwidth Management action, the total bandwidth is limited as configured for all policies combined if they are active at the same time.
6 To manage outbound bandwidth, select Enable Outbound Bandwidth Management.
7 To specify the Guaranteed Bandwidth, optionally enter a value either as a percentage or as kilobits per second. In the pull-down list, select either % or Kbps. If you plan to use this custom action for rate limiting rather than guaranteeing bandwidth, you do not need to change the Guaranteed Bandwidth field.
8 To specify the Maximum Bandwidth, optionally enter a value either as a percentage or as kilobits per second. In the pull-down list, select either % or Kbps. If you plan to use this custom action for guaranteeing bandwidth rather than rate limiting, you do not need to change the Maximum Bandwidth field.
9 For Bandwidth Priority, select a priority level from the pull-down list, where 0 is the highest and 7 is the lowest.
10 Optionally select Enable Tracking Bandwidth Usage to track the usage. When bandwidth usage tracking is enabled, you can view the usage in the Action Properties tooltip by mousing over the Action of a policy on the Firewall > App Rules page.
11 Click OK. The Modify Task Description and Schedule window displays.
12 A description is automatically added in the Description field. Optionally change the description.
13 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Activate the configuration immediately
• At – Select the exact time to activate this configuration using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
14 Click Accept to configure bandwidth settings with this schedule. Click Cancel to exit without saving the action object.
You can see the resulting action in the Action Objects screen.

SORTING ACTION OBJECTS

You can sort the list of action objects by clicking on the Name column heading. The first time you click the heading, the action objects list is sorted in descending alphabetical order from top to bottom, according to the first letter or symbol of the items in that column. The list of predefined action objects is sorted separately from the list of custom, configurable action objects. The sorted list of predefined action objects always appears on the first page, followed by the sorted list of configurable action objects. A small upward-pointing arrow is displayed next to the Name heading, indicating that, if the heading is clicked again, it will cause the predefined and configurable action object lists to be sorted in ascending order by name (Z to A). In descending order, names beginning with a symbol or number come before names beginning with any alphabetical character.

DELETING ACTION OBJECTS

Action objects created from one of the configurable actions can be deleted, unless they are in use by an App Rules policy. The predefined action objects cannot be deleted or edited.

To delete one or more action objects, complete the following steps:
1 In the TreeControl select the unit or group to configure.
2 Navigate to the Firewall > Action Objects page on the Policies tab.
3 Do one of the following:
• To delete one or more action objects, select the check boxes for the ones to delete and click Delete Action Object(s). The check boxes cannot be selected for predefined action objects.
• To delete a single action object, click the trash can icon under Configure for it, and then click OK in the confirmation dialog. The trash can icon is not enabled for predefined action objects.
If any of the selected objects is currently in use by an App Rules policy, a popup message notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were selected for deletion and one of them is in use by a policy, none are deleted when Delete Match Object(s) is clicked.
4 In the confirmation dialog box, click OK.
5 In the Modify Task Description and Schedule window, select the Schedule settings for this task and then click Accept.

ACTION TYPE REFERENCE

The Action Types table describes the available action types. You can view the settings by mousing over the Content column of a BWM action on the Firewall > Action Objects page.

Action Types
Action Type | Predefined or Custom | Description
BWM Global-Realtime | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of zero.
BWM Global-Highest | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of one.
BWM Global-High | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 30 percent) and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of two.
BWM Global-Medium High | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of three.
BWM Global-Medium | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 50 percent) and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of four.
BWM Global-Medium Low | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of five.
BWM Global-Low | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts (default is 20 percent) and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of six.
BWM Global-Lowest | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth, sets a priority of seven.
Block SMTP E-Mail Without Reply | Predefined | Blocks SMTP email and does not notify the sender.
Bypass DPI | Predefined | Bypasses the Deep Packet Inspection components IPS, GAV, Anti-Spyware and Application Control. This action persists for the duration of the entire connection as soon as it is triggered. Special handling is applied to FTP control channels, which are never bypassed for Application Control inspection. This action supports proper handling of the FTP data channel. Note that Bypass DPI does not stop filters that are enabled on the Firewall > SSL Control page.
WAN BWM High | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth.
WAN BWM Medium | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth.
WAN BWM Low | Predefined | Manages inbound and outbound bandwidth, can be configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100 percent of total available bandwidth.
Block SMTP Email Send Error Reply | Custom | Blocks SMTP email and notifies the sender with a customized error message.
Disable Email Attachment - Add Text | Custom | Disables the attachment inside of an email and adds customized text.
Email - Add Text | Custom | Appends custom text at the end of the email.
FTP Notification Reply | Custom | Sends text back to the client over the FTP control channel without terminating the connection.
HTTP Block Page | Custom | Allows a custom HTTP block page configuration with a choice of colors.
HTTP Redirect | Custom | Provides HTTP Redirect functionality. For example, if someone would like to redirect people to the Google Web site, the customizable part will look like: http://www.google.com If an HTTP Redirect is sent from Application Control to a browser that has a form open, the information in the form will be lost.
Bandwidth Management | Custom | Allows definition of bandwidth management constraints with the same semantics as Access Rule BWM policy definition.

Configuring Service Objects

A Service Object is a protocol/port range combination that defines a service. A Service Group is a group of services that, after defined, enable you to quickly establish firewall rules without manually configuring each service. By default, a large number of services are pre-defined.

GMS supports paginated navigation and sorting by column header in the Service Objects screen. In any of the tables, you can click the column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.

To add a service, complete the following steps:
1 Select the global icon, a group, or a SonicWall appliance running SonicOS Enhanced.
2 Expand the Firewall tree and click Service Objects.
3 To add a service in the Custom Services section, click Add Service.
4 Enter the name of the service in the Name field.
5 Select the type of protocol from the Protocol pull-down list.
6 Enter the starting and ending port for the service in the Port Range fields. For a service that uses a single port, type the port number into the first field.
7 Click OK. The service is added and appears in the Custom Services section.
NOTE: Although most default services cannot be edited or deleted, you can edit or delete custom services by clicking the Edit or Delete buttons that correspond to the desired custom service.

EDITING CUSTOM SERVICES

Click the Edit icon under Configure to edit the service in the Edit Service window, which includes the same configuration settings as the Add Service window.

DELETING CUSTOM SERVICES

Click the Trashcan icon to delete an individual custom service. You can delete all custom services by selecting the check boxes on the left side of the rows under Custom Services, and then clicking UPDATE.

ADDING A SERVICE GROUP

A Service Group is a group of services that can be used to quickly apply rules to large numbers of services without individually configuring each service. By default, many Service Groups are pre-defined.

To add a new Service Group, complete the following steps:
1 To add a service group, click Add Group on the Service Objects page. The Add Service Group dialog box displays.
2 Enter a name for the service group in the Name field.
3 To add a service, select it and click the right arrow button.
4 To remove a service, select it and click the left arrow button.
5 Click OK. The service group is added.
NOTE: Service Groups can be edited or deleted by clicking the Edit or Trashcan icons that correspond to the desired Service Group.

Editing Custom Services Groups

Click the Edit icon under Configure to edit the custom service group in the Edit Service Group window, which includes the same configuration settings as the Add Service Group window.

Deleting Custom Services Groups

Click the Trashcan icon to delete the individual custom service group entry. You can delete all custom service groups by selecting the check boxes on the left side of the rows under Custom Service Groups, and then clicking UPDATE.

Configuring Email Address Objects

App Control allows the creation of custom email address lists as email address objects. These email address objects can be used in an SMTP client policy configuration. Email address objects can represent either individual users or the entire domain. You can also create an email address object that represents a group by adding a list of individual addresses to the object. This provides a way to easily include or exclude a group of users when creating an App Rules policy of type SMTP Client. A limited number of email address objects are allowed, depending on the appliance model.

See the following sections:
• Searching Email Address Objects
• Adding or Editing Email Address Objects
• Sorting Email Address Objects
• Deleting Email Address Objects

SEARCHING EMAIL ADDRESS OBJECTS

You can search the list of email address objects using several different filters, each combined with an operator and a target value.

To complete a filtered search of email address objects:
1 In the TreeControl, select the unit or group on which to search.
2 On the Policies tab, on the Firewall > Email Address Objects page, select one of the following search objects from the first Search pull-down list:
• Name – the full or partial name of the email address object
• Match Type – the match type of the email address object, which can be either Exact Match or Partial Match
3 Select one of the following operators from the next pull-down list:
• Equals – search for any email address object in which the name exactly matches the target value
• Starts with – search for any email address object in which the name begins with the target value
• Ends with – search for any email address object in which the name ends with the target value
• Contains – search for any email address object in which the name contains the target value
• = (Equals sign) – search for any email address object in which the match type exactly matches the selected target value, which can be either Exact Match or Partial Match
4 When searching for a Name, a text box is displayed to the right of the operator. In the text box, type the target value that you are searching for in the match object name.
5 When searching for a Match Type, select the target value from the pull-down list to the right of the operator.
6 Click Search to search your policies for one or more matches. Click Clear to set the search fields back to defaults.
The Email Address Objects list changes to display only the email address objects found by your search.

ADDING OR EDITING EMAIL ADDRESS OBJECTS

You can create email address objects for use with SMTP Client policies. An email address object can be a list of user email addresses or an entire domain.

To configure email address object settings, complete the following steps:
1 In the TreeControl, select the unit or group to configure.
2 Navigate to the Firewall > Email Address Objects page on the Policies tab.
3 To edit an existing email address object, click the pencil icon under Configure for it. To add a new email address object, click Add New Email Address Object. The Email Address Object Settings window displays.
4 In the Email Address Object Name field, type a descriptive name for the action.
5 Select one of the following from the Match Type pull-down list:
• Exact Match – To match the email address exactly
• Partial Match – To match any part of the email address
6 In the Content text box, type the content to match and then click Add. Repeat this step until you have added as many elements as you want.
For example, to match on a domain, select Partial Match in the previous step and then type @ followed by the domain name in the Content field, for example, type: @sonicwall.com. To match on an individual user, select Exact Match in the previous step and then type the full email address in the Content field, for example: [email protected]
Alternatively, you can click Load From File to import a list of elements from a text file. Each element in the file must be on a line by itself. The maximum file size is 2048 bytes.
Although existing user groups cannot be specified during configuration, by defining an email address object with a list of users, you can use App Control to simulate groups.
7 Click OK. The Modify Task Description and Schedule window displays.
8 A description is automatically added in the Description field. Optionally change the description.
9 For Schedule, select one of the following radio buttons and set any associated fields:
• Default – Use the default schedule configured for the Agent that manages this unit
• Immediate – Create the object immediately
• At – Select the exact time to activate this object using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
10 Click Accept to save the email address object with the selected schedule. Click Cancel to exit without saving the email address object.
At the unit level, you might need to refresh the Firewall > Email Address Objects page to see your new email address object in the list.

SORTING EMAIL ADDRESS OBJECTS

You can sort the list of email address objects by clicking on the Name or Match Type column heading. The first time you click the Name heading, the email address objects list is sorted in descending alphabetical order (A to Z) from top to bottom, according to the first letter or symbol of the items in that column. Names beginning with a symbol or number come before names beginning with any alphabetical character. The first time you click the Match Type heading, the email address objects list is sorted to display objects using Exact Match at the top of the list, followed by those using Partial Match. This is descending order. A small upward-pointing arrow is displayed next to the heading, indicating that, if the heading is clicked again, it causes the list to be sorted in ascending order.

DELETING EMAIL ADDRESS OBJECTS

Email address objects can be deleted unless they are in use by an App Rules policy.

To delete one or more email address objects, complete the following steps:
1 In the TreeControl select the unit or group to configure.
2 Navigate to the Firewall > Email Address Objects page on the Policies tab.
3 Do one of the following:
• To delete one or more email address objects, select the check boxes for the ones to delete and click Delete Email Address Object(s).
• To delete a single email address object, click the trash can icon under Configure for it, and then click OK in the confirmation dialog.
If any of the selected objects is currently in use by an App Rules policy, a popup message notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were selected for deletion and one of them is in use by a policy, none are deleted when Delete Match Object(s) is clicked.
4 In the confirmation dialog box, click OK.
5 In the Modify Task Description and Schedule window, select the Schedule settings for this task and then click Accept.

Configuring Bandwidth Objects

NOTE: CFS Action Bandwidth Objects created on the Firewall > Content Filter Objects page are similar to, but not the same as, bandwidth objects. CFS Action BWM objects do not appear on the Firewall > Bandwidth Objects page, and BWM bandwidth objects do not appear on the Firewall > Content Filter Objects page.

Bandwidth management configuration is based on policies that specify bandwidth limitations for traffic classes. A complete bandwidth management policy consists of two parts: a classifier and a bandwidth rule. A classifier specifies the actual parameters, such as priority, guaranteed bandwidth, and maximum bandwidth, and is configured in a bandwidth object. Classifiers identify and organize packets into traffic classes by matching specific criteria. For information on using Bandwidth Objects in Access Rules, App Rules, and Action Objects, see Firewall Settings > BWM on page 908. This feature is available in SonicOS 6.1 and above.

The following configuration options are available in the Bandwidth Objects list:
• Select bandwidth objects using the check boxes next to the name of the objects. You can also select all objects by clicking the check box in the header.
• Edit bandwidth objects by clicking the Edit icon for that object.
• Delete a bandwidth object by clicking Delete for that object. You can also select multiple objects, then click Delete Bandwidth Object(s).
• Hover the pointer over the Comment icon to display comments about the bandwidth object.

This section contains the following subsections:
• Search for a Bandwidth Object
• Adding a Bandwidth Object

SEARCH FOR A BANDWIDTH OBJECT

1 Click the Search drop-down menus and select from the following search filters:

Search filters
Menu 1 | Menu 2
Name | Equals
Violation Action | Starts With
Per-IP | Ends With
Comment | Contains

2 Enter the search criteria (for the filters you selected) in the text field, and then click Search.

ADDING A BANDWIDTH OBJECT

1 Click the Add New Bandwidth Object link.
2 Enter a name for the new bandwidth object.
3 In the Guaranteed Bandwidth box, enter the amount of bandwidth that this bandwidth object will guarantee to provide for a traffic class (in kbps or Mbps).
4 In the Maximum Bandwidth box, enter the maximum amount of bandwidth that this bandwidth object provides for a traffic class.
5 The actual allocated bandwidth might be less than this value when multiple traffic classes compete for a shared bandwidth.
6 In the Traffic Priority box, enter the priority that this bandwidth object provides for a traffic class. The highest priority is 0. The lowest priority is 7.
7 When multiple traffic classes compete for shared bandwidth, classes with the highest priority are given precedence.
8 In the Violation Action box, enter the action that this bandwidth object provides (delay or drop) when traffic exceeds the maximum bandwidth setting.
9 Delay specifies that excess traffic packets are queued and sent when possible.
10 Drop specifies that excess traffic packets are dropped immediately.
11 In the Comment box, enter a text comment or description for this bandwidth object.
12 Click the Elemental tab.
13 If you want each individual IP address under its parent rule to be applied to the bandwidth management setting, click Enable Per-IP Bandwidth Management.
14 Enter the desired Maximum Bandwidth in Kbps or Mbps.

Configuring Content Filter Objects

• Firewall > Content Filter Objects
• About Content Filter Objects
• Managing URI List Objects
• Managing CFS Action Objects
• Managing CFS Profile Objects
• Applying Content Filter Objects

FIREWALL > CONTENT FILTER OBJECTS

The SonicWall™ Content Filtering Service (CFS) release 4.0 is supported in GMS 8.2 and above. CFS 4.0 delivers content filtering enforcement for educational institutions, businesses, libraries, and government agencies. With content filter objects, you can control the websites students and employees can access using their IT-issued computers while behind the organization’s firewall.

NOTE: For a more detailed description of the CFS release 4.0 as well as how to license and install it, see the SonicWall™ SonicOS 6.2.6.0 Release Notes, the SonicWall™ Content Filtering Service (CFS) 4.0 Feature Guide, and the SonicWall™ Content Filtering Service Upgrade Guide. Also, for applying these objects in CFS policies, see Configuring Content Filtering Service.

Topics:
• About Content Filter Objects
• Managing URI List Objects
• Managing CFS Action Objects
• Managing CFS Profile Objects
• Applying Content Filter Objects

About Content Filter Objects

CFS uses secure objects for filtering content. CFS uses these objects for content filtering:
• URI List Objects; see About URI List Objects
• CFS Action Objects; see About CFS Action Objects
• CFS Profile Objects; see About CFS Profile Objects
You can add or edit any object except the default CFS Action Object and CFS Profile Object created by GMS.

About URI List Objects

A URI List Object defines the list of URIs or domains that can be marked as allowed or forbidden.

Topics:
• Importing URI List Objects
• Matching URI List Objects
• Using URI List Objects

Importing URI List Objects

You can import a file containing a list of URIs. The file can be created manually.

Matching URI List Objects

The matching process for URI List Objects is based on tokens. A valid token sequence is composed of one or more tokens, joined by a specific character, like “.” or “/”. A URI represents a token sequence. For example, the URI www.example.com is a token sequence consisting of www, example, and com, joined by a “.”. Generally, if a URI contains one of the URIs in a URI List Object, then the URI List Object matches that URI.

Topics:
• Normal matching
• Wildcard matching
• IPv6 Address Matching
• IPv6 Wildcard Matching

Normal matching

If a list object contains a URI such as example.com, then that object matches URIs defined as: [(.|/)]example.com[(.|/)]
For example, the URI List Object matches any of the following URIs:
• example.com
• www.example.com
• example.com.uk
• www.example.com.uk
• example.com/path
The URI List Object does not match the URI specialexample.com, because specialexample is identified as a different token than example.

Wildcard matching

Wildcard matching is supported. An asterisk (*) is used as the wildcard character, and represents a valid sequence of tokens. If a list object contains a URI such as example.*.com, then that list object matches URIs defined as: [(.|/)]example.*.com[(.|/)]
For example, the URI List Object matches any of the following URIs:
• example.exam1.com
• example.exam1.exam2.com
• www.example.exam1.com/path
The URI List Object does not match the URI:
• example.com
This is because the wildcard character (*) represents a valid token sequence that is not present in example.com.

IPv6 Address Matching

IPv6 address string matching is also supported. While an IPv4 address can be handled as a normal token sequence, an IPv6 address string needs to be handled specially. If a URI List Object contains a URI such as [2001:2002::2008], then that URI List Object matches URIs defined as: [2001:2002::2008][/]
For example, the URI list object matches any of the following URIs:
• [2001:2002::2008]
• [2001:2002::2008]/path
• [2001:2002::2008]/path/abc.txt

IPv6 Wildcard Matching

Wildcard matching in the IPv6 address string is supported. If a list object contains a URI such as [2001:2002:*:2008]/*/abc.mp3, then that list object matches URIs defined as: [2001:2002:*:2008]/*/abc.mp3
For example, the URI list object matches any of the following URIs:
• [2001:2002:2003::2007:2008]/path/abc.txt
• [2001:2002:2003:2004:2005:2006:2007:2008]/path/path2/abc.txt

Using URI List Objects

Currently, URI List Objects can be used in these fields:
• Allowed URI List of a CFS profile
• Forbidden URI List of a CFS profile
• Web Excluded Domains of Websense
CFS URI List Objects are used in these fields differently. When used in an Allowed or Forbidden URI List of a CFS profile, the CFS URI List Object acts normally. For example, if the URI List Object contains a URI such as example.com/path/abc.txt, then that list object matches URIs defined as: [(.|/)]example.com/path/abc.txt[(.|/)]
When used by the Web Excluded Domains of Websense, only the host portion of the URI takes effect. For example, if the URI list object contains the same URI as above, example.com/path/abc.txt, then that list object matches all domains containing the token sequence example.com. The path portion in the URI is ignored.
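The token matching rules above (normal, wildcard, IPv6, and the host-only behaviour of the Websense Web Excluded Domains field), as an added illustrative implementation that is not SonicWall code. It assumes tokens compare case-insensitively, that a bracketed IPv6 host is a single token whose colon-separated groups are matched one by one (with "::" yielding an empty group), and it uses constructed sample URIs that mirror the ones listed above.

```python
"""Illustrative re-implementation of URI List Object matching as described in
the guide (normal, wildcard, IPv6 and host-only matching). Added example, not
SonicWall code."""
import re
from typing import Callable, List

_SEPARATORS = re.compile(r"[./]")  # the guide's token separators


def tokenize(uri: str) -> List[str]:
    """Split a URI into its token sequence on '.' and '/'. A bracketed IPv6
    host such as [2001:2002::2008] is kept whole as one token (assumption),
    so its ':' groups are never confused with ordinary tokens."""
    rest = uri.strip()
    tokens: List[str] = []
    if rest.startswith("["):
        end = rest.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 host in %r" % uri)
        tokens.append(rest[: end + 1])
        rest = rest[end + 1:]
    tokens.extend(t for t in _SEPARATORS.split(rest) if t)
    return tokens


def _seq_match(pattern: List[str], seq: List[str],
               eq: Callable[[str, str], bool], whole: bool) -> bool:
    """Match pattern against the start of seq; a '*' element consumes one or
    more consecutive elements of seq (never zero). With whole=True all of seq
    must be consumed, otherwise trailing elements of seq are ignored."""
    def rec(pi: int, si: int) -> bool:
        if pi == len(pattern):
            return si == len(seq) if whole else True
        if si == len(seq):
            return False
        if pattern[pi] == "*":
            return any(rec(pi + 1, k) for k in range(si + 1, len(seq) + 1))
        return eq(pattern[pi], seq[si]) and rec(pi + 1, si + 1)
    return rec(0, 0)


def _token_eq(p: str, t: str) -> bool:
    """Compare one list-entry token with one URI token. Two bracketed IPv6
    hosts are compared group by group ('::' splits into an empty group), so a
    '*' inside the brackets stands for one or more groups. Any other pair is
    compared case-insensitively (assumption: host names are not case-sensitive)."""
    if p.startswith("[") and t.startswith("["):
        return _seq_match(p[1:-1].split(":"), t[1:-1].split(":"),
                          lambda a, b: a == b, whole=True)
    return p.lower() == t.lower()


def uri_list_matches(entry: str, uri: str, host_only: bool = False) -> bool:
    """True if the URI List Object entry matches uri: the entry's token sequence
    must occur contiguously in the URI's token sequence, starting at a token
    boundary, with anything after it ('.xxx' or '/path') ignored. host_only
    mimics the Websense Web Excluded Domains field: only the host part of both
    the entry and the URI is considered, the path portion is ignored."""
    if host_only:
        entry, uri = entry.split("/", 1)[0], uri.split("/", 1)[0]
    pat, toks = tokenize(entry), tokenize(uri)
    if not pat:
        return False
    return any(_seq_match(pat, toks[i:], _token_eq, whole=False)
               for i in range(len(toks)))


if __name__ == "__main__":
    # Constructed checks mirroring the guide's examples.
    cases = [
        ("example.com", "www.example.com.uk"),
        ("example.com", "specialexample.com"),
        ("example.*.com", "www.example.exam1.com/path"),
        ("example.*.com", "example.com"),
        ("[2001:2002::2008]", "[2001:2002::2008]/path/abc.txt"),
        ("[2001:2002:*:2008]/*/abc.mp3",
         "[2001:2002:2003:2004:2005:2006:2007:2008]/path/path2/abc.mp3"),
    ]
    for entry, uri in cases:
        print("%-30s %-60s %s" % (entry, uri, uri_list_matches(entry, uri)))
```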

About CFS Action Objects

The CFS Action Object defines what happens after a packet is filtered by CFS and used by CFS Policy.

About CFS Profile Objects

A CFS Profile Object defines the action triggered for each HTTP/HTTPS connection.

About the Passphrase Feature

The passphrase feature, in conjunction with the Confirm feature, restricts web access based on a passphrase or password. You need to configure the passphrase operation for special URI categories or domains in the Forbidden URI List. To access the forbidden URIs, users have to submit the correct password or web access is blocked.

IMPORTANT: Passphrase only works for HTTP requests. HTTPS requests cannot be redirected to a Passphrase page.

How the Passphrase operation works:
1 The user attempts to access a restricted website.
2 A Passphrase page displays on the user’s browser.
3 The user must enter the passphrase or password and then submit it.
4 CFS validates the submitted passphrase/password against the website’s password:
• If the passphrase/password matches, web access is allowed. No further confirmations are needed, and users can continue to access websites of the same category for the Active Time period that is set for the Confirm feature. The default is 60 minutes.
• If the passphrase/password does not match, access is blocked, and a Block page is sent to the user.
NOTE: Users have three chances to enter the passphrase/password. The site is blocked if all chances fail. If the user selects Cancel, the site is blocked immediately.

About the Confirm Feature

The Confirm feature restricts web access by requiring a confirmation from the user before allowing access. You need to configure the Confirm operation for special URL categories or domains, and the users need to confirm the web request when they first visit the sites.

IMPORTANT: Confirm only works for HTTP requests. HTTPS requests cannot be redirected to a Confirm page.

How the Confirm operation works:
1 The user attempts to access a blocked website.
2 A popup dialog appears, requesting confirmation.
3 Users must select Continue or Close.
• If a user confirms that he will access this category of websites, he is redirected to the first confirmed website. No further confirmations are needed, and users can continue to access websites of the same category for the Active Time period that is set for the Confirm feature. The default is 60 minutes.
• If a user chooses Close, he is shown the Block page and is blocked from that category of website for the period of the Active Time setting.

MANAGING URI LIST OBJECTS

TIP: To display only the part of the Firewall > Content Filter Objects page that is of interest, click the Collapse icon for those tables not of interest. To redisplay a table, click its Expand icon.

Topics:
• About the URI List Objects Table
• Configuring URI List Objects
• Editing a URI List Object
• Deleting URI List Objects

About the URI List Objects Table

Table 1. URI List Objects table columns
Column | Description
Name | Name of the URI List Object.
URL List | Specifies the URIs in the URI List Object.
Configure | Contains the Edit and Delete icons for each entry in the table.

Configuring URI List Objects

To configure URI List Objects:
1 Navigate to Firewall > Content Filter Objects.
2 Under URI List Objects, click Add URI List Object. The Add CFS URI List Object dialog displays.
3 Enter a descriptive name for the URI List Object in the Name field.
4 You can either add the URIs or import them from a file. To:
• Add URIs, go to Step 5.
• Import URIs, go to Step 10.
5 Click Add. The Add URI dialog displays.
6 Enter a URI that follows these conditions:
• Up to 128 URI List Objects are allowed.
• Each URI List Object supports up to 5000 URIs. The minimum number is 1.
• Each URI can be up to 255 characters.
• The maximum combined length of all URIs in one URI list object is 131,072 (1024*128) characters, including one character for each new line (carriage return) between the URIs.
• By definition, a URI is a string containing host and path. Port and other content are currently not supported.
• The host portion of a URI can be an IPv4 or IPv6 address string.
• Each URI can contain up to 16 tokens. A token in a URI is a string composed of the characters: 0 through 9 a through z A through Z $ - _ + ! ' ( ) , .
• Each token can be up to 64 characters, including one character for each separator (. or /) surrounding the token.
• An asterisk (*) can be used as a wildcard representing a sequence of one or more valid tokens, not one or more characters.

Table 2. Examples of valid and invalid URIs
Examples of valid URIs:
• news.example.com
• news.example.com/path
• news.example.com/path/abc.txt
• news.*.com/*.txt
• 10.10.10.10
• 10.10.10.10/path
• [2001:2002::2003]/path
• [2001:2002::2003:*:2004]/path/*.txt
Examples of invalid URIs: Using the wildcard character (*) incorrectly can result in invalid URIs such as:
• example*.com
• exa*ple.com
• example.*.*.com
Note: The wildcard character represents a sequence of one or more tokens, not one or more characters.

7 Click Save.
8 Repeat Step 6 and Step 7 until you have added all the URIs for the list.
9 Go to Step 14.
10 Click Import. A confirmation message displays.

IMPORTANT: The file must follow the conditions stated in Step 6. URIs in the file can be separated by any of the following separators:

Table 3. URI file separators
Separator | Style
\r\n | Windows style, new line separator
\r | MAC OS style, new line separator
\n | UNIX style, new line separator

Only the first 2000 valid URIs in the file are imported. Invalid URIs are skipped and do not count toward the maximum of 2000 URIs per URI List Object.
11 Click OK.
12 The File Upload dialog displays.
13 Select the file and click Open. The URI List table is populated.
14 Click Add URI List Object. The URI List Objects table is populated.

Editing a URI List Object
To edit a URI List Object:
1 Click the Configure icon for the list object to be edited. The Edit URI List Object dialog displays.
2 To edit an entry, click its Configure icon. The Edit URI dialog displays.
a) Make changes to the URI.
b) Click Save. The URI List table is updated.
c) Repeat Step 2 for each change.
3 Click OK.

Deleting URI List Objects
To delete URI List Objects:
1 Do one of these:
• Click the Delete icon for the list object to be deleted.
• Click the checkbox for one or more list objects to be deleted. The Delete URI List Object(s) button becomes active; click it.
To delete all URI List Objects:
1 Select all list objects and click the Delete URI List Object(s) button.

MANAGING CFS ACTION OBJECTS
Topics:
• About the CFS Action Objects Table
• Configuring CFS Action Objects
• Editing a CFS Action Object
• Deleting CFS Action Objects

About the CFS Action Objects Table

Table 4. CFS Action Objects table columns

Name         Name of the CFS Action Object; the name of the default CFS Action Object is CFS Default Action. The default object can be edited, but not deleted.
Safe Search  Indicates whether the Enable Safe Search Enforcement option has been selected. For HTTPS sites, this option takes effect only when Client DPI-SSL with Content Filter is enabled.
Block        Indicates whether a block page has been Configured or Unconfigured.
Passphrase   Indicates whether a passphrase page has been Configured or Unconfigured.
Confirm      Indicates whether a confirm page has been Configured or Unconfigured.
BWM          Indicates whether bandwidth management (BWM) has been Configured or Unconfigured.
Configure    Contains the Edit and Delete icons for each entry in the table.

Configuring CFS Action Objects
A default CFS Action Object, CFS Default Action, is created by GMS. You can configure and edit this CFS Action Object, but you cannot delete it.
To configure CFS Action Objects:
1 Navigate to Firewall > Content Filter Objects.
2 Click the Add button for the CFS Action Objects table. The Add CFS Action Object dialog displays.
3 Enter the name of the CFS Action Object in the Name field.
4 To have cookies removed automatically to protect privacy, select Wipe Cookies. When this option and Client DPI-SSL Content Filter are both enabled, cookies for HTTPS sites are removed. This option is not selected by default.
IMPORTANT: Enabling this option may break the Safe Search Enforcement function of some search engines.
5 To send URI information to the AppFlow Monitor, select Enable Flow Reporting. This option is selected by default.
6 You can configure these pages, which display when a site is blocked:
NOTE: A default version of each of these pages has been created. You can use the default, modify it to meet your needs, or create a new page.
• Blocked site per company policy, go to Block Tab.
• Password-protected web page, go to Passphrase Tab.
• Restricted web page that requires confirmation before a user can view it, go to Confirm Tab.
7 You can allocate bandwidth resources as part of CFS Action Objects; go to the BWM Tab.
8 Click Add. The new CFS Action Object is added to the CFS Action Objects table.

Block Tab
To create a page that displays when a site is blocked:
1 Click the Block tab. A default page is defined already, but you can fully customize the web page that is displayed to the user when access to a blocked site is attempted, or you can create your own page.
2 To see a preview of the display, click Preview.
IMPORTANT: Because of the risk of script injection, scripting code (JavaScript) and HTML inline event attributes that invoke scripting code are not evaluated and might be disabled. Some of your preview pages may not render properly because of this limitation.
If you have not modified the provided code, clicking Preview displays the default web page. The Block policy, Client IP address, and the reason for the block are shown.
To remove all content from the Block Page field, click the Clear button. To revert to the default blocked page message, click the Default button.
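Because the preview neither evaluates script elements nor inline event attributes, it is useful to find those constructs in a custom template before uploading it, rather than discovering a broken page in preview. The Python audit below is an added example, not GMS code; it reports script elements, on* event attributes and javascript: URLs with their line numbers. The sample template is constructed for the example, is not the GMS default page, and its wording merely stands in for the block policy, client IP address and reason that GMS fills in.

```python
# Added example, not GMS code: finds the constructs that the block-page preview
# does not evaluate (<script> elements, inline on* event attributes and
# javascript: URLs) so they can be removed from a custom template before upload.
from html.parser import HTMLParser


class ScriptingAudit(HTMLParser):
    """Collects (line number, description) for every scripting construct seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):      # also reached for <img .../>
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append((line, "<script> element"))
        for name, value in attrs:               # HTMLParser lower-cases names
            if name.startswith("on"):
                self.findings.append((line, "inline event attribute %s on <%s>" % (name, tag)))
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript: URL in %s on <%s>" % (name, tag)))


def audit_block_page(html):
    """Return the findings for one template, in document order."""
    parser = ScriptingAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed template for the example; it is not the GMS default page and the
# placeholder wording stands in for the values GMS inserts (policy, client IP, reason).
SAMPLE_BLOCK_PAGE = """<html><body onload="init()">
<h1>Access blocked</h1>
<p>This site is blocked by company policy.</p>
<img src="logo.png" onerror="report()"/>
<a href="javascript:history.back()">Go back</a>
<script>document.title = "Blocked";</script>
</body></html>"""
```

audit_block_page(SAMPLE_BLOCK_PAGE) reports four findings on lines 1, 4, 5 and 6; a template that passes with an empty list contains nothing the preview would disable, and the "Go back" link in the sample is the common case that catches people out, since it works in a browser but relies on a javascript: URL.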

Passphrase Tab
NOTE: For information about the Passphrase feature, see About the Passphrase Feature.
To create a password-protected web page:
1 Click the Passphrase tab.
2 In the Enter Password field, enter the passphrase/password for the web site. The password can be up to 64 characters.
3 Enter it again in the Confirm Password field.
4 To have the password masked, select Mask Password. This option is selected by default.
IMPORTANT: If the option is deselected, the password is displayed in plain text and the Confirm Password field does not apply.
5 In the Active Time (minutes) field, enter the time, in minutes, for which a passphrase remains effective for a category or domain. The minimum time is 1 minute, the maximum is 9999, and the default is 60 minutes.
6 A default page is defined already, but you can fully customize the web page that is displayed to the user when access to a blocked site is attempted, or you can create your own page.
• To see a preview of the display, click Preview.
IMPORTANT: Because of the risk of script injection, scripting code (JavaScript) and HTML inline event attributes that invoke scripting code are not evaluated and might be disabled. Some of your preview pages may not render properly because of this limitation.
If you have not modified the provided code, clicking Preview displays the default web page. The web site URL, Client IP address, block policy, and the reason for the block are shown along with a field for entering the password.
• To remove all content from the Passphrase Page field, click Clear.
• To revert to the default blocked page message, click Default.

Confirm Tab

NOTE: Requiring confirmation (consent) only works for HTTP requests. HTTPS requests cannot be redirected to a Confirm page.
To create a restricted web page that requires confirmation before a user can view it:
1 Click the Confirm tab.
2 In the Active Time (minutes) field, enter the time, in minutes, for which a user's confirmation remains effective for a category or domain. The minimum time is 1 minute, the maximum is 9999, and the default is 60 minutes.
3 A default page is defined already, but you can fully customize the web page that is displayed to the user when access to a confirm site is attempted, or you can create your own page.
• To see a preview of the display, click Preview.
IMPORTANT: Because of the risk of script injection, scripting code (JavaScript) and HTML inline event attributes that invoke scripting code are not evaluated and might be disabled. Some of your preview pages may not render properly because of this limitation.
If you have not modified the provided code, clicking Preview displays the default web page. The web site URL, Client IP address, block policy, and the reason for the block are shown along with a field for entering the confirmation.
• To remove all content from the Confirm Page field, click Clear.
• To revert to the default blocked page message, click Default.

BWM Tab

IMPORTANT: CFS Action bandwidth objects are similar to, but not the same as, bandwidth objects created on the Firewall > Bandwidth Objects page. CFS Action BWM objects do not appear on the Firewall > Bandwidth Objects page, and BWM bandwidth objects do not appear on the Firewall > Content Filter Objects page.
NOTE: For information about bandwidth management, see Configuring Bandwidth Management Actions. For information about BWM objects, see Configuring Bandwidth Objects.
IMPORTANT: To create a CFS Action BWM object, BWM must be enabled.
To allocate bandwidth resources for content filtering:
1 Click the BWM tab.

2 From the Bandwidth Aggregation Method drop-down menu, choose how the BWM object is to be applied:
• Per Policy (default)
• Per Action
3 To enable BWM on outbound traffic, select Enable Egress Bandwidth Management. This option is not selected by default. The Bandwidth Object drop-down menu and Enable Tracking Bandwidth Usage become active.
4 From the Bandwidth Object drop-down menu, choose either:
• An existing BWM object.
• Create new Bandwidth Object. The Add Bandwidth Object dialog displays. For information on creating a new bandwidth object, see Configuring Bandwidth Objects.
5 To enable BWM on inbound traffic, select Enable Ingress Bandwidth Management. This option is not selected by default. The Bandwidth Object drop-down menu becomes active and, if Enable Egress Bandwidth Management has not been selected, so does Enable Tracking Bandwidth Usage.
6 From the Bandwidth Object drop-down menu, choose either:
• An existing BWM object.
• Create new Bandwidth Object. The Add Bandwidth Object dialog displays. For information on creating a new bandwidth object, see Configuring Bandwidth Objects.
7 To track bandwidth usage, select Enable Tracking Bandwidth Usage. This option is not selected by default.
NOTE: Enable Egress Bandwidth Management and/or Enable Ingress Bandwidth Management must also be selected.

Editing a CFS Action Object
To edit a CFS Action Object:
1 Click the Edit icon for the CFS Action Object to be edited. The Edit CFS Action Object dialog displays. This dialog is the same as the Add CFS Action Object dialog.
2 To make your changes, follow the appropriate procedures in Configuring CFS Action Objects.

Deleting CFS Action Objects
To delete CFS Action Objects:
1 Do one of these:
• Click the Delete icon for the action object to be deleted.
• Click the checkbox for one or more action objects to be deleted. The Delete button becomes active; click it.
To delete all CFS Action Objects:
1 Click all the checkboxes and then click the Delete Action Object(s) button. All CFS Action Objects are deleted except for the default object, CFS Default Action.

MANAGING CFS PROFILE OBJECTS
Topics:
• About the CFS Profile Objects Table
• Configuring CFS Profile Objects
• Editing a CFS Profile Object
• Deleting CFS Profile Objects

About the CFS Profile Objects Table

Table 5. CFS Profile Objects table columns

Name                   Name of the CFS Profile Object; the name of the default CFS Profile Object is CFS Default Profile. The default object can be edited, but not deleted.
Allowed URI List       Name of the URI List Object listed in the Allowed List.
Forbidden URI List     Name of the URI List Object listed in the Forbidden List.
Block Categories       Names of all the categories blocked by the CFS Profile Object.
Passphrase Categories  Names of all the categories requiring a passphrase by this CFS Profile Object.
Confirm Categories     Names of all the categories requiring confirmation by this CFS Profile Object.
BWM Categories         Names of all the categories governed by bandwidth management by this CFS Profile Object.
Allowed Categories     Names of all the categories allowed by the CFS Profile Object.
Configure              Contains the Edit and Delete icons for each entry in the table.

Configuring CFS Profile Objects
A default CFS Profile Object, CFS Default Profile, is created by GMS. You can configure and edit this CFS Profile Object, but you cannot delete it.
To configure CFS Profile Objects:
1 Navigate to Firewall > Content Filter Objects.
2 Click Add Profile Object for the CFS Profile Objects table. The Add CFS Profile Object dialog displays.
3 Enter the name of the CFS Profile Object in the Name field.
4 From the Allowed URI List drop-down menu, choose the URI List Object that contains URIs for which unrestricted access is allowed; treat this list as a white list:
• None (default).
• Name of a URI List Object. Accessing all URIs in this list is allowed.
5 From the Forbidden URI List drop-down menu, choose the URI List Object that contains URIs for which access is not allowed at all; treat this list as a black list:
• None (default).
• Name of a URI List Object. Accessing all URIs in this list is forbidden.
6 From the URI Searching Order drop-down menu, choose which URI list is searched first during filtering. The list searched first decides the outcome for a URI that matches entries in both lists, so an allowed entry that overlaps a forbidden one wins under the default order:
• Allowed URI List First (default)
• Forbidden URI List First
7 From the Operation for Forbidden URI drop-down menu, choose the action to be taken when a URI on the Forbidden List is encountered:

Table 6. Operations for a forbidden URI

Block (default)  The block page configured for the CFS Action Object is displayed to the user accessing the site.
Confirm          The confirm page configured for the CFS Action Object is displayed to the user accessing the site. The user must confirm access permission.
Passphrase       The passphrase page configured for the CFS Action Object is displayed to the user accessing the site. The user must enter a valid password to enter the site.

8 The Category Configuration table lists all the categories of URIs, such as Arts & Entertainment, Business, Education, Travel, Weapons, and Shopping. You can configure the action to be taken for all URIs in each category instead of individually. As you scroll down the list, choose the action from the drop-down menu for each category:

Table 7. Category actions
• Allow
• Block
• BWM
• Confirm
• Passphrase

NOTE: By default, Categories 1-12 and 59 are blocked; the remaining categories are allowed.
• To change all categories to the same action, click Allow All or Block All.
• To reset all the categories to their default actions, click Default.
9 To enable Smart Filtering and Safe Search options, click the Advanced tab. For how to configure this tab, go to Advanced tab.
10 To set up web usage consent, click the Consent tab. For how to configure this tab, go to Consent tab.
11 Click OK. The CFS Profile Objects table is updated.

Advanced tab
1 To detect the embedded URL inside Google Translate (http://translate.google.com) and filter the embedded URI, select Enable Smart Filtering for Embedded URI. This option is not selected by default.
IMPORTANT: This feature requires enabling Client DPI-SSL with content filter.
NOTE: This feature takes effect only on Google Translate, which works on currently rated embedded web sites.
2 To enforce Safe Search when searching on any of the following websites, select Enable Safe Search Enforcement (these options are not selected by default):
• www.yahoo.com
• www.ask.com
• www.dogpile.com
• www.lycos.com
NOTE: This enforcement cannot be configured at the policy level because the function uses DNS redirection to HTTPS sites. For HTTPS sites, Client DPI-SSL with content filter must be enabled.
3 To override the Safe Search option for Google inside each CFS Policy and its corresponding CFS Action, select Enable Google Force Safe Search. This option is not selected by default.
NOTE: Typically, Safe Search happens automatically and is powered by Google, but when this option is enabled, GMS rewrites the Google domain in the DNS response to the Google Safe Search virtual IP address.
NOTE: This feature takes effect only after the DNS cache of the client host is refreshed.
4 To access YouTube in Safety mode, select Enable YouTube Restrict Mode. This option is not selected by default.
NOTE: YouTube provides a feature to screen videos that may contain inappropriate content flagged by users and other signals. When this feature is enabled, GMS rewrites the DNS response for the YouTube domain to its Safe Search virtual IP address.
NOTE: This feature takes effect only after the DNS cache of the client host is refreshed.
5 To override the Safe Search option for Bing inside each CFS Policy and its corresponding CFS Action, select Enable Bing Force Safe Search. This option is not selected by default.
NOTE: When this feature is enabled, GMS rewrites the DNS response for the Bing domain to its Safe Search virtual IP address.
NOTE: This feature takes effect only after the DNS cache of the client host is refreshed.
NOTE: Because the Google, YouTube and Bing options work by rewriting DNS responses, they apply only to DNS queries that pass through the firewall. A client that resolves names through an encrypted resolver (DNS over HTTPS or DNS over TLS) or a resolver the firewall does not see receives the unmodified answer; this is a general property of DNS-based enforcement rather than a setting on this tab.

Consent tab
NOTE: Consent only works for HTTP requests. HTTPS requests cannot be redirected to a Confirm (consent) page.
1 To enable consent, which displays the Consent (Confirm) page when a user visits a site requiring consent before access, check Enable Consent. This option is not selected by default. When this option is selected, the other options become available.
2 To remind users that their time has expired by displaying the Consent page again, enter the idle-time duration in the User Idle Timeout (minutes) field. The minimum idle time is 1 minute, the maximum is 9999 minutes, and the default is 15 minutes.
3 In the Consent Page URL (optional filtering) field, enter the URL of the website where a user is redirected if they go to a website requiring consent. The Consent page must:
• Reside on a web server and be accessible as a URI by users on the network.
• Contain links to the following two pages in the SonicWall appliance, which, when selected, tell the firewall the type of access the user wishes to have:
  • Unfiltered access: /iAccept.html
  • Filtered access: /iAcceptFilter.html
4 In the Consent Page URL (mandatory filtering) field, enter the website URL where the user is redirected if they go to a website requiring mandatory filtering. The Consent page must:
• Reside on a web server and be accessible as a URI by users on the network.
• Contain a link to the /iAcceptFilter.html page in the SonicWall appliance, which tells the firewall that the user accepts filtered access.
5 From the Mandatory Filtering Address drop-down menu, choose an Address Object that contains the configured IP addresses requiring mandatory filtering.

Editing a CFS Profile Object To edit a CFS Profile Object: 1 Click the Edit icon for the CFS Profile Object to be edited. The Edit CFS Profile Object dialog displays. This dialog is the same as the Add CFS Profile Object dialog. 2 To make your changes, follow the appropriate procedures in Configuring CFS Profile Objects.

Deleting CFS Profile Objects To delete CFS Profile Objects: 1 Do one of these: • Click the Delete icon for the Profile object to be deleted. • Click the checkbox for one or more Profile objects to be deleted. The Delete button becomes active; click it. To delete all CFS Profile Objects: 1 Select all CFS Profile Objects. Click Delete Profile Object(s). All CFS Profile Objects are deleted except for the default object, CFS Default Profile.

Applying Content Filter Objects
After you finish configuring your Content Filter Objects, you need to apply them to Content Filter policies. Configuring Content Filters is done on the Security Services > Content Filter page (see Configuring the SonicWall Content Filter Service). For quick access to this page, there is a link below the CFS Profile Objects table.

Use Cases The following use cases are presented in this section: • Controlling Email Attachments • Controlling Risky Applications

CONTROLLING EMAIL ATTACHMENTS
App Control can be very effective for certain types of email control, especially when a blanket policy is desired. For example, you can prevent sending attachments of a given type, such as .exe, on a per-user basis, or for an entire domain. However, because the file name extension is being matched in this case, changing the extension before sending the attachment bypasses filtering. Note that you can also prevent attachments in this way on your email server if you have one. If not, then App Control provides the functionality.
Another way to control attachments is by creating a match object that scans for file content matching strings such as “confidential,” “internal use only,” and “proprietary.” A policy using such a match object implements basic controls over the transfer of proprietary data.
You can also create a policy that prevents email to or from a specific domain or a specific user. You can use App Control to limit email file size, but not to limit the number of attachments. App Control can also block files based on MIME type. App Control can scan email attachments that are text-based or are compressed to one level, but not encrypted.
In this example, we create a policy that blocks executable attachments except when they are sent by a member of the Support team. To do this we define an email address object containing the email addresses of the Support team, then define a match object to match file name extensions of executable files, then define an action object to strip the attachment and give the user a message, and finally define an App Rules policy that uses all these objects. See the following sections for the necessary procedures:
• Creating a Support Team Email Address Object
• Creating a Match Object for Executable File Extensions
• Creating an Action Object for Blocking the Email
• Creating an SMTP Client App Rules Policy

Creating a Support Team Email Address Object First, create an email address object for the Support team: 1 On the Firewall > Email Address Objects page, click Add New Email Address Object.

2 In the Email Address Object page, type a descriptive name for the object into the Email Address Object Name field, such as “Support team.”

3 Select Exact Match from the Match Type pull-down list. For an exact match, you must provide both the username and the domain parts of the email addresses to include in the object. 4 In the Content field, type in the first email address or alias used by the Support team, then click Add. The address is copied into the List box. 5 If more than one email address is used by the Support team, repeat Step 4 until all desired email addresses are included in the List box. 6 Click OK. The Modify Task Description and Schedule window displays.

7 To view all the options for Schedule, click the arrow to its right.

8 For this example, select Immediate to create the object immediately. 9 Click Accept to save the email address object with the selected schedule. The new object is listed on the Firewall > Email Address Objects page.

Creating a Match Object for Executable File Extensions
Next, create a match object that matches file names with extensions such as .exe, indicating that they are executable:
1 On the Firewall > Match Objects page, click Add New Match Object.
2 In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object, such as “Executable Files.”
3 Using the Match Object Type pull-down list, select File Extension.
4 The Match Type field is set to Exact Match; there are no other choices in this case.
5 For the Input Representation, click Alphanumeric.
6 Leave Enable Negative Matching cleared.
7 In the Content text box, type the executable file name extensions to match, and then click Add after each one. For this case, we add exe, vbs, bat, awk, and cgi. The extensions appear in the List text box.

8 Click OK. The Modify Task Description and Schedule window displays. 9 For the Schedule, select Immediate to create the object immediately. 10 Click Accept to save the match object with the selected schedule. The new object is listed on the Firewall > Match Objects page.

Creating an Action Object for Blocking the Email Now we need to create an action object that blocks the email when executable attachments are found. We could use the predefined Block SMTP E-Mail Without Reply action, but we will create a custom action object that provides an explanation of why the attachment was blocked. However, it would be more secure to use the predefined action in most situations. To create the action object: 1 On the Firewall > Action Objects page, click Add New Action Object. 2 In the Action Object Settings window, in the Action Name text box, type a descriptive name for the object, such as “Block email with executable.” 3 In the Action pull-down list, select Disable E-Mail Attachment - Add Text. 4 In the Content text box, type the explanation that you want users to see, such as “Executable attachments are not allowed.”

5 Click OK. The Modify Task Description and Schedule window displays. 6 For the Schedule, select Immediate to create the object immediately. 7 Click Accept to save the action object with the selected schedule. The new object is listed on the Firewall > Action Objects page.

Creating an SMTP Client App Rules Policy
The next step is to create an App Rules policy that uses our email address object and match object, and combines them with an action object to block executable attachments except in email from members of the Support team.
To create the App Rules policy:
1 On the Firewall > App Rules page, click Add New Policy.
2 In the App Control Policies Settings window, type a descriptive name such as “Block Executable Attachments” into the Policy Name field.
3 Select SMTP Client from the Policy Type pull-down list.
4 Leave Any as the source and destination in the Address pull-down lists.
5 The Service pull-down lists do not provide a choice of service. The Source is Any, and the Destination is SMTP (send E-Mail).
6 For Exclusion Address, select None from the pull-down list.
7 In the Match Object pull-down list, select the Executable Files match object that was just created.
8 In the Action pull-down list, select the Block email with executable action that was just created.
9 For Users/Groups, select All from the pull-down list under Included and select None in the Excluded pull-down list.
10 For MAIL FROM, select Any from the pull-down list under Included and select the Support team email address object in the Excluded pull-down list. Email from the Support team addresses is not affected by the policy. Note that MAIL FROM is the SMTP envelope sender supplied by the sending client, so this exclusion trusts whatever sender address the client claims.
11 For RCPT TO, select Any from the pull-down list under Included and select None in the Excluded pull-down list.
12 For Schedule, select Always on from the pull-down list.
13 Leave Enable Flow Reporting cleared.
14 If you want the policy to create a log entry when a match is found, select Enable Logging.
15 To record more details in the log, select Log individual object content.
16 For Log Redundancy Filter, select Use Global Settings to use the global value set on the Firewall > App Rules page.
17 For Connection Side, only Client Side is available in the pull-down list.
18 For Direction, select the Basic radio button and select Both in the pull-down list.
19 Click OK. The Modify Task Description and Schedule window displays.
20 For the Schedule, select Immediate to create the policy immediately.
21 Click Accept to save the policy with the selected schedule. The new policy is listed on the Firewall > App Rules page.
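The policy above matches on file name extension, so a renamed executable passes Step 7's match object; the section's own caveat says as much. The Python script below is an added example, not SonicWall code and not a description of how App Control is implemented. It reproduces the policy's logic (the extension list from the match object, the MAIL FROM exclusion for the Support team, and inspection one level into a compressed attachment, which the section says App Control performs) and adds a magic-byte check, which the guide does not describe, to show what an extension-only match misses. The Support team addresses, the message and its attachments are all constructed for the example.

```python
# Added example, not SonicWall code and not App Control's implementation. It
# mirrors the policy above (extension match, MAIL FROM exclusion for the Support
# team, one level of zip inspection) and adds a magic-byte check, which the guide
# does not describe, to show what an extension-only match misses.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SUPPORT_TEAM = {"support@example.com", "helpdesk@example.com"}   # constructed
BLOCKED_EXTENSIONS = {"exe", "vbs", "bat", "awk", "cgi"}         # the match object
ZIP_MAGIC = b"PK\x03\x04"
EXECUTABLE_MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable"}


def extension_of(name):
    """Lower-cased final extension, or '' when the name has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def sniff_executable(data):
    """Identify an executable by its leading bytes, whatever its file name."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_payload(name, data, depth=0):
    """Yield (name, reason) findings for one attachment; descends one zip level."""
    ext = extension_of(name)
    kind = sniff_executable(data)
    if ext in BLOCKED_EXTENSIONS:
        yield name, "blocked extension ." + ext
    elif kind:
        yield name, "%s renamed to .%s" % (kind, ext or "(none)")
    if depth == 0 and data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    for hit, why in inspect_payload(info.filename, zf.read(info), depth + 1):
                        yield "%s!%s" % (name, hit), why
        except (zipfile.BadZipFile, RuntimeError) as exc:  # RuntimeError: encrypted member
            yield name, "archive not inspectable: %s" % exc


def scan_message(raw):
    """Return all findings for the attachments of one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(inspect_payload(name, part.get_payload(decode=True) or b""))
    return findings


def policy_decision(mail_from, raw):
    """Apply the policy: MAIL FROM (the SMTP envelope sender, which the client
    chooses) in the Support team object is excluded; others block on any finding."""
    if mail_from.lower() in SUPPORT_TEAM:
        return "allow", []
    findings = scan_message(raw)
    return ("block" if findings else "allow"), findings


def build_sample_message():
    """Constructed message: a real .exe, the same bytes renamed to .txt, a zip
    holding setup.exe, and a harmless text file."""
    mz = b"MZ\x90\x00" + b"\x00" * 60                 # minimal DOS/PE header stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", mz)
        zf.writestr("readme.txt", "hello")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.org", "files"
    msg.set_content("see attached")
    msg.add_attachment(mz, maintype="application", subtype="octet-stream", filename="tool.exe")
    msg.add_attachment(mz, maintype="application", subtype="octet-stream", filename="tool.txt")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="bundle.zip")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```

scan_message(build_sample_message()) flags tool.exe by extension, tool.txt only because of the MZ header, and setup.exe inside bundle.zip; notes.txt produces nothing. policy_decision("support@example.com", raw) allows the same message untouched, which is the behaviour Step 10 configures, and also the reason the exclusion is only as trustworthy as the envelope sender.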

CONTROLLING RISKY APPLICATIONS The SonicWall application signature databases are part of the App Control feature, allowing very granular control over policy configuration and actions relating to them. These signature databases are used to protect users from application vulnerabilities as well as worms, Trojans, peer-to-peer transfers, spyware, and backdoor exploits. The extensible signature language used in the SonicWall Reassembly Free Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. App Control provides two ways to create policies for controlling applications. On the Firewall > App Control Advanced page, you can quickly create a policy for a specific category, application, or signature. You can select blocking, logging, or both to control the traffic. While a category includes many applications, this method does not allow you to control applications belonging to more than one category with a single policy. Similarly, while an application can include multiple signatures, you cannot include signatures from different applications in a policy, unless you create a policy for the whole category. By using the Add Application List Object feature on the Firewall > Match Objects page, you can achieve more granularity and select specific applications from different categories. Then, this object can be used in an App Rules policy. To include signatures from different applications in a single policy, you need to use the Add New Match Object feature with a Match Object Type of Application Signature List. This allows you to select any signature from the same database that is used for Firewall > App Control Advanced, no matter what category or application the signature belongs to, and add them into a single match object. You can then create an App Rules policy using this match object to control those specific signatures. 
Our example in this use case uses the Add Application List Object feature to create an object containing the riskiest applications in the database. We then create an App Rules policy using this object, and block the application traffic using the predefined Reset/Drop action. See the following sections: • Creating the Application List Object • Creating an App Control Content App Rules Policy

Creating the Application List Object This procedure shows how to select the riskiest applications in the database, and create a single object containing them. To create the application list object: 1 In the TreeControl, select the unit or group to configure. 2 Navigate to the Firewall > Match Objects page on the Policies tab. 3 Click Add Application List Object. The Add Application List Object screen displays.

4 On the Application tab, to name this object, clear Auto-generate match object name and then type a name such as “Riskiest apps” for the object in the Match Object Name field. 5 Leave all category check boxes selected under Category at the top left. 6 Under Threat Level, clear all threat level check boxes except for the one next to SEVERE. The list of applications in the lower panel changes as you clear the threat level check boxes. 7 Leave all technology check boxes selected under Technology. The screen now shows all applications that have a threat level of SEVERE.

If you want to see the signatures included by any of the applications, click the arrow next to the application name to expand the details for it.

8 In the application list where you see the names of all the SEVERE rated applications, click the Plus sign next to Name to select all of the listed applications for your object. A dialog box pops up to warn you that selecting the entire list might take awhile. In our case, it will not take too long because there are only a dozen or so applications in the list.

9 Click OK in the warning dialog box. All of the Plus signs change to green check marks, and the applications that are added to the Application Group field are on the right.

10 Click OK. The Modify Task Description and Schedule window displays. 11 For the Schedule, select Immediate to create the object immediately. 12 Click Accept to save the object with the selected schedule. The new object is listed on the Firewall > Match Objects page.

Creating an App Control Content App Rules Policy
The next step is to create an App Rules policy that uses our application list object and combines it with an action object to block these risky applications.
To create the App Rules policy:
1 On the Firewall > App Rules page, click Add New Policy.
2 In the App Control Policies Settings window, type a descriptive name such as “Block Risky Apps” into the Policy Name field.
3 Select App Control Content from the Policy Type pull-down list.
4 Leave Any in the Address pull-down list.
5 Leave None in the Exclusion Address pull-down list.
6 In the Match Object pull-down list, select the Riskiest apps match object that was just created.
7 In the Action pull-down list, select the Reset/Drop predefined action.
8 For Users/Groups, select All from the pull-down list under Included and select None in the Excluded pull-down list.
9 For Schedule, select Always on from the pull-down list.
10 Optionally select Enable Flow Reporting to enable internal and external flow reporting based on data flows, connection related flows, and non-connection related flows regarding applications, viruses, spyware, intrusions, and other information.
11 Select Enable Logging. This causes the policy to create a log entry when a match is found.
12 Optionally, to record more details in the log, select Log individual object content.
13 Select Log using App Control message format. This changes logging to display the category in the log entry as “Application Control,” and to use a prefix such as “Application Control Detection Alert” in the log message. This is useful if you want to use log filters to search for Application Control alerts.
14 For Log Redundancy Filter, select Global Settings. This uses the global value set on the Firewall > App Rules page. Alternatively, you can enter a number of seconds to delay between each log entry for this policy. The local setting overrides the global setting only for this policy; other policies are not affected.
15 Select Any from the Zone pull-down list to apply this policy to all zones.
16 Click OK. The Modify Task Description and Schedule window displays.
17 For the Schedule, select Immediate to create the policy immediately.
18 Click Accept to save the policy with the selected schedule. The new policy is listed on the Firewall > App Rules page.



Configuring Firewall Appliance Settings

The Firewall settings in SonicWall™ Global Management System (GMS) are different for SonicWall security appliances running SonicOS Enhanced and Standard. The following sections describe how to configure Firewall settings for each operating system:
• Understanding the Network Access Rules Hierarchy
• Configuring Firewall Settings in SonicOS Enhanced
• Configuring Firewall Settings in SonicOS Standard

Understanding the Network Access Rules Hierarchy

To determine whether packets are allowed through the SonicWall firewall appliance, each SonicWall checks the destination IP address, source IP address, and port against the firewall rules.

NOTE: Firewall rules take precedence over the default firewall functions. Because it is possible to disable all protection or block all access to the Internet, use caution when creating or deleting network access rules.

Network access rules do not disable protection from Denial of Service attacks such as SYN Flood, Ping of Death, LAND, and so on. However, it is possible to create vulnerabilities to attacks that exploit application weaknesses. It is important to consider the purpose and ramifications of a rule before adding it to the firewall rule list. Use the following guidelines to determine the rule logic:

• What is the purpose of the rule? For example, “This rule will restrict all Internet Relay Chat (IRC) access from the LAN (WorkPort) to the Internet.” Or, “This rule will allow a remote Lotus Notes server to synchronize with our internal Notes server through the Internet.”
• Does the rule allow or deny traffic?
• What is the flow of the traffic: LAN (WorkPort) to Internet or Internet to LAN (WorkPort)?
• Which IP services are affected?
• Which computers on the LAN (WorkPort) are affected?
• Which computers on the Internet are affected? Be as specific as possible. For example, if traffic is being allowed from the Internet to the LAN (WorkPort), it is better to allow only specific computers to access the LAN or WorkPort.

After determining the logic of the rule, consider the ramifications:

• Does this rule stop LAN (WorkPort) users from accessing important resources on the Internet? For example, if IRC is blocked, are there users who require this service?
• Can the rule be modified to be more specific? For example, if IRC is blocked for all users, is a rule that only blocks certain users more effective?
• Does this rule allow Internet users to access LAN or WorkPort resources in a way that makes the LAN vulnerable? For example, if the NetBIOS ports (UDP 137 and 138, TCP 139) are allowed from the Internet to the LAN, Internet users might be able to connect to PCs that have file sharing enabled.
• Does this rule conflict with other rules?

The rule hierarchy uses two basic concepts:

• Specific rules override general rules.
• Equally specific Deny rules override Allow rules.

For example: a rule defining a specific service is more specific than the Default rule; a defined Ethernet link, such as LAN (WorkPort) or WAN, is more specific than * (all); and a single IP address is more specific than an IP address range. Rules are listed in the LAN (WorkPort) Interface window from most specific to least specific, and rules at the top override rules listed below. To illustrate this, consider the rules shown below:

Sample Rules

#   Action   Service       Source                               Destination
1   Deny     Chat (IRC)    206.18.25.4 (LAN)                    148.178.90.55 (WAN)
2   Allow    Ping          199.2.23.0 - 199.2.23.255 (WAN)      206.18.25.4 (LAN)
3   Deny     Web (HTTP)    216.37.125.0 - 216.37.125.255 (WAN)  *
4   Allow    Lotus Notes   WAN                                  LAN (WorkPort)
5   Deny     News (NNTP)   LAN (WorkPort)                       *
6   Deny     Default       *                                    LAN (WorkPort)
7   Allow    Default       LAN (WorkPort)                       *

The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN (WorkPort) out to the WAN. However, Rule #5 blocks all NNTP traffic from the LAN (WorkPort). The Default Deny Rule (#6) blocks traffic from the WAN to the LAN (WorkPort). However, Rule #4 overrides part of this rule by allowing Lotus Notes into the LAN (WorkPort) from the WAN.
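The hierarchy described above can be checked mechanically. The following Python is an added example, not part of the GMS guide or of SonicOS itself: it encodes the seven sample rules as data, scores each address field by specificity (single host > range > interface > *) and the service field (named service > Default), and picks the most specific matching rule, letting Deny win ties. Mapping addresses to interfaces by treating 206.18.25.0/24 as the LAN (WorkPort) and everything else as WAN is an assumption of the example; a real appliance resolves the interface from its routing table.

```python
from ipaddress import ip_address, ip_network

# Constructed sample rules mirroring the "Sample Rules" table above (example data).
# Address fields: "*" (any), an interface name ("LAN" or "WAN"), a single
# IP address, or an inclusive range written "first-last".
SAMPLE_RULES = [
    (1, "Deny",  "Chat (IRC)",  "206.18.25.4",                 "148.178.90.55"),
    (2, "Allow", "Ping",        "199.2.23.0-199.2.23.255",     "206.18.25.4"),
    (3, "Deny",  "Web (HTTP)",  "216.37.125.0-216.37.125.255", "*"),
    (4, "Allow", "Lotus Notes", "WAN",                         "LAN"),
    (5, "Deny",  "News (NNTP)", "LAN",                         "*"),
    (6, "Deny",  "Default",     "*",                           "LAN"),
    (7, "Allow", "Default",     "LAN",                         "*"),
]

# Assumption for the example: the LAN (WorkPort) is 206.18.25.0/24 and every
# other address is reached through the WAN.
LAN_NETWORK = ip_network("206.18.25.0/24")


def interface_of(ip):
    return "LAN" if ip in LAN_NETWORK else "WAN"


def address_specificity(spec):
    """Rank an address field: single host > range > interface > * (all)."""
    if spec == "*":
        return 0
    if spec in ("LAN", "WAN"):
        return 1
    if "-" in spec:
        return 2
    return 3


def address_matches(spec, addr):
    ip = ip_address(addr)
    if spec == "*":
        return True
    if spec in ("LAN", "WAN"):
        return interface_of(ip) == spec
    if "-" in spec:
        first, last = (ip_address(p.strip()) for p in spec.split("-"))
        return first <= ip <= last
    return ip == ip_address(spec)


def evaluate(service, src, dst, rules=SAMPLE_RULES):
    """Return (rule number, action) of the rule that decides this packet, or (None, None)."""
    candidates = []
    for number, action, svc, s_spec, d_spec in rules:
        if svc not in ("Default", service):
            continue
        if not (address_matches(s_spec, src) and address_matches(d_spec, dst)):
            continue
        score = (svc != "Default") + address_specificity(s_spec) + address_specificity(d_spec)
        candidates.append((score, action == "Deny", number, action))
    if not candidates:
        return None, None
    # Most specific rule first; on equal specificity, Deny sorts before Allow.
    candidates.sort(key=lambda c: (-c[0], not c[1]))
    _, _, number, action = candidates[0]
    return number, action


if __name__ == "__main__":
    for svc, src, dst in [("News (NNTP)", "206.18.25.10", "8.8.8.8"),
                          ("Lotus Notes", "192.0.2.5", "206.18.25.20"),
                          ("Web (HTTP)", "206.18.25.10", "8.8.8.8")]:
        print(svc, src, "->", dst, evaluate(svc, src, dst))
```

NNTP from a LAN host is decided by rule 5 (score 2) rather than the Default Allow rule 7 (score 1), and Lotus Notes from the WAN is decided by rule 4 (score 3) rather than the Default Deny rule 6 (score 1), which is exactly the override behaviour the paragraph above describes.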

Configuring Firewall Settings in SonicOS Enhanced

The following sections describe how to configure Firewall settings in SonicOS Enhanced:
• Configuring Advanced Firewall Settings
• Configuring Bandwidth Management
• Flood Protection Settings
• Configuring Multicast Settings
• Configuring Quality of Service Mapping
• Configuring SSL Control

Configuring Advanced Firewall Settings

To configure advanced access settings, complete the following steps:

1 Select the global icon, a group, or a SonicWall appliance running SonicOS Enhanced.
2 Expand the Firewall tree and click Advanced. The Advanced page displays.
3 To enable stealth mode, select Enable Stealth Mode. During normal operation, SonicWall appliances respond to incoming connection requests as either “blocked” or “open.” During stealth operation, SonicWall appliances do not respond to inbound requests, making the appliances “invisible” to potential attackers.
4 To configure the SonicWall appliance(s) to generate random IP IDs, select Randomize IP ID. This prevents attackers from using detection tools to “fingerprint” IP ID sequences and detect the presence of a SonicWall appliance.
5 Select Decrement IP TTL for forwarded traffic to decrease the Time-to-live (TTL) value of packets that the appliance forwards. TTL is a value in an IP packet that tells a network router whether the packet has been in the network too long and should be discarded.
6 Select Never generate ICMP Time-Exceeded packets if you do not want the SonicWall appliance to generate these reporting packets. The SonicWall appliance generates Time-Exceeded packets to report when it has dropped a packet because its TTL value has decreased to zero.
7 Select the dynamic ports that are supported from the Dynamic Ports area:
• Enable support for Oracle (SQLNet) – Select if you have Oracle applications on your network.
• Enable support for Windows Messenger – Select this option to support the special SIP messaging used by Windows Messenger on Windows XP.
• Enable RTSP Transformations – Select this option to support on-demand delivery of real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an application-level protocol for control over delivery of data with real-time properties.
8 Drop Source Routed Packets is selected by default. Clear the check box only if you are testing traffic between two specific hosts and you are using source routing.

Connections Settings

9 The Connections section provides the ability to fine-tune the performance of the appliance to prioritize either optimal performance or support for an increased number of simultaneous connections that are inspected by Firewall services. For appliances running SonicOS 5.6.0 and above, select one of the following options:
• Maximum SPI Connections (DPI services disabled) – This option does not provide SonicWall DPI Security Services protection and optimizes the firewall for the maximum number of connections with only stateful packet inspection enabled. It should be used only by networks that require nothing more than stateful packet inspection, which is not recommended for most SonicWall network security appliance deployments.
• Maximum DPI Connections (DPI services enabled) – This is the default and recommended setting for most SonicWall network security appliance deployments.
• DPI Connections (DPI services enabled with additional performance optimization) – This option is intended for performance-critical deployments. It trades off the maximum number of DPI connections for increased DPI inspection throughput.
NOTE: When changing any Connections setting, the SonicWall security appliance must be restarted for the change to take effect.
• Disable Anti-Spyware, Gateway AV and IPS Engine (increases maximum SPI connections) – This option ensures that appliance performance is not degraded under high-traffic conditions. Firewall connections might be dropped to preserve performance.
• Enable ICMP Redirect on LAN zone – When selected, the appliance generates ICMP redirect packets on the LAN zone. This option is available at the group level for firewalls running version 6.2.4.3 and above, and is supported by both inheritance types.
10 To specify how long the SonicWall appliance(s) wait before closing inactive TCP connections outside the LAN, enter the amount of time in the Default Connection Timeout field (default: 25 minutes). The Connection Inactivity Timeout option closes connections outside the LAN that have been idle for the specified period of time. Without this timeout, connections can stay open indefinitely and create potential security holes.
11 Select Force inbound and outbound FTP data connections to use default port 20 to specify that any FTP data connection through the SonicWall must come from port 20, or the connection is dropped and logged. By default, FTP data connections from port 20 are allowed but remapped to outbound traffic ports such as 1024.
12 Select Apply firewall rules for intra-LAN traffic to/from the same interface to apply firewall rules to traffic that is received on a LAN interface and destined for the same LAN interface. Typically, this is only necessary when secondary LAN subnets are configured.
13 Under IP, UDP Checksum Enforcement, select one or both check boxes to force the SonicWall to verify the checksums on IP packet headers and on UDP packets. Packets with invalid checksums are dropped. This helps to prevent attacks that involve falsification of header fields that define important characteristics of the packet.
14 To specify how long the SonicWall appliance(s) wait before closing inactive UDP connections outside the LAN, enter the amount of time in the Default UDP Connection Timeout field.
15 Set a limit for the maximum number of connections allowed per source IP address by selecting Enable connection limit for each Source IP Address and entering the value in the Threshold field. (Only available for Allow rules.)
16 Set a limit for the maximum number of connections allowed per destination IP address by selecting Enable connection limit for each Destination IP Address and entering the value in the Threshold field. (Only available for Allow rules.)
17 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.
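The checksum enforcement of step 13 is easy to reproduce and worth understanding, because it is the only thing standing between a forged header field and the rest of the inspection path. The block below is an added example written for this page, not SonicWall code: it builds a small IPv4/UDP packet with correct checksums (RFC 791 header checksum, RFC 768 UDP checksum over the pseudo-header), then applies the same verification the appliance performs and drops a packet whose IP header or UDP checksum no longer matches the bytes. The addresses, ports and payload are constructed sample data.

```python
import struct
from socket import inet_aton


def ones_complement_sum(data):
    """16-bit one's-complement sum used by IPv4, UDP and TCP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # odd-length data is padded with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def build_udp_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4/UDP packet with correct checksums (example data)."""
    udp_len = 8 + len(payload)
    # UDP checksum covers a pseudo-header (addresses, zero, protocol 17, length) plus UDP header and data.
    pseudo = inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)
    udp_csum = checksum(pseudo + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_csum or 0xFFFF) + payload
    # IPv4 header: version/IHL, TOS, total length, ID, flags (DF), TTL, protocol, checksum, src, dst.
    fields = [0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0, inet_aton(src), inet_aton(dst)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + udp


def inspect(packet, enforce_ip=True, enforce_udp=True):
    """Apply IP header / UDP checksum enforcement and return the verdict."""
    ihl = (packet[0] & 0x0F) * 4
    # A header whose checksum is valid sums to 0xFFFF when the checksum field itself is included.
    if enforce_ip and ones_complement_sum(packet[:ihl]) != 0xFFFF:
        return "drop: invalid IP header checksum"
    if enforce_udp and packet[9] == 17:
        udp = packet[ihl:]
        udp_len = struct.unpack("!H", udp[4:6])[0]
        if udp[6:8] == b"\x00\x00":
            return "pass (no UDP checksum present)"   # RFC 768 permits an absent checksum over IPv4
        pseudo = packet[12:20] + struct.pack("!BBH", 0, 17, udp_len)
        if ones_complement_sum(pseudo + udp[:udp_len]) != 0xFFFF:
            return "drop: invalid UDP checksum"
    return "pass"


if __name__ == "__main__":
    pkt = build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 53, b"hello")
    tampered = bytearray(pkt)
    tampered[8] = 1                          # rewrite the TTL without fixing the header checksum
    print(inspect(pkt), "/", inspect(bytes(tampered)))
```

Note the asymmetry the two check boxes give you: changing the TTL only invalidates the IP header checksum, while changing a payload byte only invalidates the UDP checksum, so enabling one enforcement without the other still lets the other kind of tampering through.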

ADVANCED FIREWALL SETTINGS AND IPV6

IPv6 advanced configurations are available in the Firewall Settings > Advanced page.

• Drop IPv6 Routing Header type 0 packets – Select this to prevent a potential DoS attack that exploits IPv6 Routing Header type 0 (RH0) packets. When this setting is enabled, RH0 packets are dropped unless their destination is the SonicWall security appliance and their Segments Left value is 0. Segments Left specifies the number of route segments remaining before reaching the final destination. Enabled by default. For more information, see http://tools.ietf.org/html/rfc5095.
• Decrement IPv6 hop limit for forwarded traffic – Similar to IPv4 TTL; when selected, the hop limit of forwarded packets is decremented and the packet is dropped when the hop limit reaches 0. Disabled by default.
• Drop and log network packets whose source or destination address is reserved by RFC – Select this option to drop and log network packets whose source or destination address falls in a range reserved for future definition and use, as specified in RFC 4291 for IPv6. Disabled by default.
• Never generate IPv6 ICMP Time-Exceeded packets – By default, the SonicWall appliance generates IPv6 ICMP Time-Exceeded packets that report when the appliance drops packets due to the hop limit decrementing to 0. Select this option to disable this function; the SonicWall appliance will not generate these packets. This option is selected by default.
• Never generate IPv6 ICMP destination unreachable packets – By default, the SonicWall appliance generates IPv6 ICMP destination unreachable packets. Select this option to disable this function; the SonicWall appliance will not generate these packets. This option is selected by default.
• Never generate IPv6 ICMP redirect packets – By default, the SonicWall appliance generates redirect packets. Select this option to disable this function; the SonicWall appliance will not generate redirect packets. This option is selected by default.
• Never generate IPv6 ICMP parameter problem packets – By default, the SonicWall appliance generates IPv6 ICMP parameter problem packets. Select this option to disable this function; the SonicWall appliance will not generate these packets. This option is selected by default.
• Allow to use Site-Local-Unicast Address – By default, the SonicWall appliance allows Site-Local Unicast (SLU) addresses and this check box is selected. As defined, SLU addresses are ambiguous: the same address can refer to hosts in multiple sites (the address type was deprecated by RFC 3879 for this reason). The use of SLU addresses may adversely affect network security through leaks, ambiguity, and potential misrouting. To avoid the issue, clear the check box to prevent the appliance from using SLU addresses.
• Enforce IPv6 Extension Header Validation – Select this option if you want the SonicWall appliance to check the validity of IPv6 extension headers. By default, this option is disabled. When both this option and the Decrement IPv6 hop limit for forwarded traffic option are selected, the Enforce IPv6 Extension Header Order Check option becomes available. (You may need to refresh the page.)
• Enforce IPv6 Extension Header Order Check – Select this option to have the SonicWall appliance check the order of IPv6 extension headers. By default, this option is disabled.
• Enable NetBIOS name query response for ISATAP – Select this option if you want the SonicWall appliance to generate a NetBIOS name in response to a broadcast ISATAP query. By default, this option is disabled. NOTE: Select this option only when one ISATAP tunnel interface is configured.
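The RH0, hop-limit and extension-header-order options above amount to a few checks on the IPv6 extension header chain. The following Python is an added example, not the appliance's implementation: it walks the chain, drops RH0 packets except when the appliance itself is the destination and Segments Left is 0 (the RFC 5095 exception the option describes), optionally enforces the recommended header order from RFC 2460 section 4.1 (Hop-by-Hop first, Destination Options at most once before Routing and once before the upper layer, then Routing, Fragment, AH, ESP), and drops forwarded packets whose hop limit would reach 0. The appliance address 2001:db8::ff and the packets built by the helpers are constructed for the example.

```python
import struct
from ipaddress import IPv6Address

EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH", 60: "Destination Options"}
# Recommended order (RFC 2460 section 4.1); a second Destination Options header
# is allowed after the routing-related headers, just before the upper layer.
ORDER_RANK = {0: 0, 60: 1, 43: 2, 44: 3, 51: 4, 50: 5}


def parse_ipv6(packet):
    """Walk the extension header chain; ESP ends the walk because its contents are opaque."""
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    src, dst = IPv6Address(packet[8:24]), IPv6Address(packet[24:40])
    headers, offset = [], 40
    while next_header in EXT_HEADERS:
        entry = {"type": next_header}
        if next_header == 50:
            headers.append(entry)
            break
        if next_header == 44:                       # Fragment header is a fixed 8 octets
            length = 8
        elif next_header == 51:                     # AH length is in 4-octet units, minus 2
            length = (packet[offset + 1] + 2) * 4
        else:                                       # other headers: 8-octet units, not counting the first 8
            length = (packet[offset + 1] + 1) * 8
        if next_header == 43:
            entry["routing_type"] = packet[offset + 2]
            entry["segments_left"] = packet[offset + 3]
        headers.append(entry)
        next_header = packet[offset]
        offset += length
    return {"src": src, "dst": dst, "hop_limit": hop_limit, "headers": headers}


def filter_ipv6(packet, appliance_addrs, drop_rh0=True, order_check=False, decrement_hop_limit=True):
    p = parse_ipv6(packet)
    for h in p["headers"]:
        if drop_rh0 and h["type"] == 43 and h.get("routing_type") == 0:
            if not (p["dst"] in appliance_addrs and h["segments_left"] == 0):
                return "drop: RH0"
    if order_check:
        previous, past_routing = -1, False
        for i, h in enumerate(p["headers"]):
            rank = ORDER_RANK[h["type"]]
            if h["type"] == 0 and i != 0:
                return "drop: hop-by-hop header not first"
            if h["type"] == 60 and past_routing:
                rank = 6                            # the second Destination Options header
            if rank < previous:
                return "drop: extension header order"
            previous = rank
            past_routing = past_routing or h["type"] in (43, 44, 51, 50)
    if p["dst"] in appliance_addrs:
        return "deliver"
    if decrement_hop_limit and p["hop_limit"] <= 1:
        return "drop: hop limit exhausted"
    return "forward"


# Builders for constructed test packets. Each takes the Next Header value to write.
def opts_header(next_header):
    """Minimal 8-octet Hop-by-Hop or Destination Options header holding one PadN option."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04" + b"\x00" * 4


def fragment_header(next_header):
    return struct.pack("!BBHI", next_header, 0, 0, 0x12345678)


def routing_header(routing_type, addresses, segments_left):
    packed = b"".join(IPv6Address(a).packed for a in addresses)

    def build(next_header):
        return struct.pack("!BBBB", next_header, len(packed) // 8, routing_type, segments_left) + b"\x00" * 4 + packed
    return build


def build_ipv6(src, dst, chain, hop_limit=64):
    """chain: list of (header type, builder); the upper layer after the chain is UDP (17)."""
    types = [t for t, _ in chain] + [17]
    body = b"".join(builder(types[i + 1]) for i, (_, builder) in enumerate(chain))
    payload = body + b"\x00" * 8                    # placeholder UDP header
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), types[0], hop_limit)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + payload
```

The RH0 decision deliberately happens before the delivery check, so a packet addressed to the appliance with Segments Left greater than 0 is still dropped: with RH0 the appliance would otherwise be asked to forward it on to the remaining segments.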

CONFIGURING BANDWIDTH MANAGEMENT

Bandwidth management (BWM) is a means of allocating bandwidth resources to critical applications on a network. GMS offers an integrated traffic shaping mechanism through its outbound (Egress) and inbound (Ingress) BWM interfaces. Egress BWM can be applied to traffic sourced from Trusted and Public zones travelling to Untrusted and Encrypted zones. Ingress BWM can be applied to traffic sourced from Untrusted and Encrypted zones travelling to Trusted and Public zones.

The following sections describe SonicWall’s implementation of Bandwidth Management (BWM):
• Understanding Bandwidth Management
• Configuring Bandwidth Management

TIP: For more information on SonicWall Bandwidth Management, including configuration examples, see the SonicOS Administrator Guide.

Understanding Bandwidth Management

BWM is controlled by the SonicWall security appliance on ingress and egress traffic. It allows network administrators to guarantee minimum bandwidth and prioritize traffic based on access rules created in the Firewall > Access Rules page on the SonicWall management interface. By controlling the amount of bandwidth to an application or user, the network administrator can prevent a small number of applications or users from consuming all available bandwidth. Balancing the bandwidth allocated to different network traffic and then assigning priorities to traffic can improve network performance. BWM provides eight priority queues (0 – 7, or Realtime – Lowest). Three types of bandwidth management are available:

Bandwidth management types

BWM Type   Description
Advanced   Enables Advanced Bandwidth Management. Maximum egress and ingress bandwidth limitations can be configured on any interface, per interface, by configuring bandwidth objects, access rules, and application policies and attaching them to the interface.
Global     (Default) All zones can have guaranteed and maximum bandwidth assigned to services and have prioritized traffic. When global BWM is enabled on an interface, all of the traffic to and from that interface is bandwidth managed. Default Global BWM queues:
           2 — High
           4 — Medium: default priority for all traffic that is not managed by a BWM-enabled Firewall Access Rule or Application Control Policy.
           6 — Low
None       Disables BWM.

When global BWM is enabled on an interface, all of the traffic to and from that interface is bandwidth managed. For example, with bandwidth management type None, if three traffic types (1, 2, and 3) share an interface with a link capacity of 100Mbps, the cumulative capacity for all three types is 100Mbps. When bandwidth management type Global is then enabled on that interface and the available ingress and egress bandwidth are configured to 10Mbps, the following occurs: by default, all three traffic types are sent to the Medium (4) priority queue. This queue has, by default, a guaranteed percentage of 50 and a maximum percentage of 100, so with no BWM-enabled policies configured the three types share a cumulative capacity of 10Mbps, of which 5Mbps is guaranteed.

Packet Queuing

BWM rules each consume memory for packet queuing, so the number of allowed queued packets and rules on SonicOS Enhanced is limited by platform (values are subject to change):

Memory for packet queuing

Platform        Max Queued Packets   Max Total BWM Rules
TZ 170 Family   220                  40
PRO 1260        220                  40
PRO 2040        520                  50
PRO 3060        2080                 200
PRO 4060        2080                 200
PRO 5060        6240                 200
NSA 3500        2080                 100
NSA 4500        2080                 100
NSA 5000        2080                 100
NSA E5500       6420                 100
NSA E6500       6420                 100
NSA E7500       6420                 100

Configuring Bandwidth Management

BWM works by first enabling bandwidth management on the Firewall Settings > BWM page, then enabling BWM on an interface, firewall rule, or app rule, and finally allocating the available bandwidth for that interface on the ingress and egress traffic. Individual limits are then assigned to each class of network traffic. By assigning priorities to network traffic, applications requiring a quick response time, such as Telnet, can take precedence over traffic that is less sensitive to latency, such as FTP.

Configuring BWM is a three-step process:

1 Enable bandwidth management on the Firewall > BWM page.
2 Enable BWM on an interface, firewall rule, or app rule.
3 Allocate the available bandwidth for that interface on the ingress and egress traffic.

To configure bandwidth management, navigate to the Firewall > BWM page.

This page consists of the following entities:

NOTE: The defaults are set by SonicWall to provide BWM ease of use. It is recommended that you review the specific bandwidth needs and enter the values on this page accordingly.

• Bandwidth Management Type option:
  • Advanced – Any zone can have guaranteed and maximum bandwidth and prioritized traffic assigned per interface.
  • Global – All zones can have guaranteed and maximum bandwidth assigned to services and have prioritized traffic.
  • None – (Default) Disables BWM.
NOTE: When you change the Bandwidth Management Type from Global to WAN, the default BWM actions that are in use in any App Rules policies are automatically converted to WAN BWM Medium, no matter what level they were set to before the change. When you change the Type from WAN to Global, the default BWM actions are converted to BWM Global-Medium. The firewall does not store your previous action priority levels when you switch the Type back and forth. You can view the conversions on the Firewall > App Rules page.
• Priority column – Displays the priority number and name.
• Enable check box – When checked, the priority queue is enabled.
• Guaranteed text field – Sets the guaranteed rate, as a percentage, for the enabled priority. The configured bandwidth on an interface is used in calculating the absolute value. The corresponding Enable check box must be checked for the rate to take effect. By default, only these priorities and their guaranteed percentages are enabled:
  • 2 High 30%
  • 4 Medium 50%
  • 6 Low 20%
NOTE: You cannot disable priority 4 Medium, but you can change its percentage. The sum of all guaranteed bandwidth must not exceed 100%. If it exceeds 100%, the Total number turns red. Also, the guaranteed bandwidth must not be greater than the maximum bandwidth for the same queue.
• Maximum\Burst – Sets the maximum/burst rate, as a percentage, for the enabled priority. The corresponding Enable check box must be checked for the rate to take effect.
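The percentage rules above (priority 4 cannot be disabled, guaranteed percentages must total at most 100%, and guaranteed must not exceed maximum for any queue) and the conversion from percentages to an interface's absolute rates can be checked before a configuration is pushed to a group of appliances. The block below is an added example, not GMS code. The queue names for priorities other than 2, 4 and 6 follow SonicOS naming and are an assumption of the example, as is the 10 Mbps interface bandwidth used in the demonstration.

```python
# Priority queue names (0 Realtime through 7 Lowest); names for 0, 1, 3, 5 and 7 are assumed.
QUEUE_NAMES = {0: "Realtime", 1: "Highest", 2: "High", 3: "Medium High",
               4: "Medium", 5: "Medium Low", 6: "Low", 7: "Lowest"}


def default_global_queues():
    """Global BWM defaults from the page: only 2 High, 4 Medium and 6 Low enabled."""
    queues = {p: {"enabled": False, "guaranteed": 0, "maximum": 100} for p in QUEUE_NAMES}
    for priority, pct in ((2, 30), (4, 50), (6, 20)):
        queues[priority].update(enabled=True, guaranteed=pct)
    return queues


def validate_queues(queues):
    """Return the list of rule violations the BWM page would flag (empty when valid)."""
    errors = []
    if not queues[4]["enabled"]:
        errors.append("priority 4 Medium cannot be disabled (it carries all unmanaged traffic)")
    total = sum(q["guaranteed"] for q in queues.values() if q["enabled"])
    if total > 100:
        errors.append(f"guaranteed total {total}% exceeds 100%")
    for priority, q in sorted(queues.items()):
        if q["enabled"] and q["guaranteed"] > q["maximum"]:
            errors.append(f"priority {priority} {QUEUE_NAMES[priority]}: "
                          f"guaranteed {q['guaranteed']}% exceeds maximum {q['maximum']}%")
    return errors


def absolute_rates(queues, link_kbps):
    """Translate each enabled queue's percentages into (guaranteed, maximum) kbps for an interface."""
    return {p: (q["guaranteed"] * link_kbps // 100, q["maximum"] * link_kbps // 100)
            for p, q in queues.items() if q["enabled"]}


if __name__ == "__main__":
    q = default_global_queues()
    print(validate_queues(q), absolute_rates(q, 10_000))   # 10 Mbps interface (assumed)
    q[3].update(enabled=True, guaranteed=40, maximum=30)   # over-commit and invert a queue
    print(validate_queues(q))
```

With the defaults and a 10 Mbps interface the Medium queue works out to 5,000 kbps guaranteed and 10,000 kbps maximum, which is the 5Mbps-of-10Mbps figure from the Global BWM example earlier in this section.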

FLOOD PROTECTION SETTINGS

This section details the configuration procedures for the Flood Protection page and includes the following subsections:
• Configuring Flood Protection Settings
• UDP and UDPv6 Flood Protection
• ICMP Flood Protection

Configuring Flood Protection Settings

To configure Flood Protection settings, complete the following steps:

1 Select the global icon, a group, or a SonicWall appliance. At unit level, the TCP Settings screen is available only for SonicWall firewall appliances with SonicOS Enhanced firmware version 3.0 and higher.
2 Expand the Firewall tree and click Firewall Settings > Flood Protection. The TCP Settings page displays.

3 Select Enforce strict TCP compliance with RFC 793 and RFC 1122 to force TCP traffic to comply with RFC 793 (TCP) and RFC 1122 (Requirements for Internet Hosts, including the link and IP layers). This ensures strict compliance with several TCP timeout rules. This setting maximizes TCP security, but it may cause problems with the Window Scaling feature for Windows Vista users. This option is not selected by default.
4 Select TCP handshake enforcement to require a successful three-way TCP handshake for all TCP connections. This option is available only if Enforce strict TCP compliance with RFC 793 and RFC 1122 is selected, and is not selected by default.
5 Select Enable TCP Checksum enforcement to drop any packets with invalid TCP checksums. This option is not selected by default.
6 Select Enable TCP handshake timeout to enforce a timeout period (in seconds) for a three-way TCP handshake to complete. If the three-way TCP handshake does not complete within the timeout period, the connection is dropped.
7 For TCP Handshake Timeout (seconds), enter the maximum time a TCP handshake has to complete the connection. The default is 30 seconds.
8 Enter a value for the Default TCP Connection Timeout. This is the default time assigned to Access Rules for TCP traffic. If a TCP session is idle for a period in excess of this setting, the TCP connection is cleared by the SonicWall.
NOTE: Setting excessively long connection time-outs slows the reclamation of stale resources and, in extreme cases, could lead to exhaustion of the connection cache.
9 Specify the Maximum Segment Lifetime to set the number of seconds that any TCP packet is valid before it expires. This setting is also used to determine the amount of time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK exchange has occurred to cleanly close the TCP connection.
• Select Enable Half Open TCP Connections Threshold to deny new TCP connections when the high-water mark of TCP half-open connections has been reached. By default, half-open TCP connections are not monitored, so this option is not selected by default.
• Enter the Maximum Half Open TCP Connections to specify the maximum number of half-open TCP connections. The default maximum is half the number of maximum connection caches.
10 From the SYN Flood Protection Mode drop-down menu, select the type of protection mode:
• Watch and report possible SYN floods – Enables the device to monitor SYN traffic on all interfaces on the device and to log suspected SYN flood activity that exceeds a packet count threshold. This mode does not turn on the SYN Proxy, so the device forwards the TCP three-way handshake without modification. This is the least invasive level of SYN Flood protection. Select this option if your network is not in a high-risk environment.
• Proxy WAN client connections when attack is suspected – Enables the device to turn on the SYN Proxy feature on WAN interfaces when the number of incomplete connection attempts per second surpasses a specified threshold. This method ensures that the device continues to process valid traffic during the attack and that performance does not degrade. Proxy mode remains enabled until all WAN SYN flood attacks stop occurring or until the device blacklists all of them using the SYN Blacklisting feature. This is the intermediate level of SYN Flood protection. Select this option if your network experiences SYN Flood attacks from internal or external sources.
• Always proxy WAN client connections – Sets the device to always use SYN Proxy. This method blocks all spoofed SYN packets from passing through the device. This is an extreme security measure that directs the device to respond to port scans on all TCP ports, because the SYN Proxy feature forces the device to respond to all TCP SYN connection attempts. This can degrade performance and can generate false positives. Select this option only if your network is in a high-risk environment.
11 Select the SYN Attack Threshold configuration options to provide limits for SYN Flood activity before the device drops packets. The device gathers statistics on WAN TCP connections, keeping track of the maximum and average maximum incomplete WAN connections per second. From these statistics, the device suggests a value for the SYN flood threshold.
• Suggested value calculated from gathered statistics – The suggested attack threshold based on WAN TCP connection statistics.
• Attack Threshold (Incomplete Connection Attempts/Second) – Enables you to set the threshold for the number of incomplete connection attempts per second before the device drops packets, at any value between 5 and 200,000. The default is the Suggested value calculated from gathered statistics.
12 Select the SYN-Proxy options to provide more control over the options sent to WAN clients when in SYN Proxy mode.
NOTE: The options in this section are not selectable if Watch and report possible SYN floods is selected for SYN Flood Protection Mode.
13 When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply and waits for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN Flood packets do not respond to the SYN/ACK reply; the firewall identifies them by the lack of this response and blocks their spoofed connection attempts. Because SYN Proxy forces the firewall to manufacture a SYN/ACK response without knowing how the server will respond to the TCP options normally carried on SYN/ACK packets, the following options tell it what to send:
• All LAN/DMZ servers support the TCP SACK option – Enables SACK (Selective Acknowledgment), with which the receiving device indicates which segments it has received so that only the dropped segments are retransmitted. This option is not enabled by default. Enable this check box only when you know that all servers covered by the firewall and accessed from the WAN support the SACK option.
• Limit MSS sent to WAN clients (when connections are proxied) – Enables you to enter the maximum MSS (Maximum Segment Size) value. This sets the threshold for the size of TCP segments, preventing a segment that is too large from being sent to the targeted server. For example, if the server is an IPsec gateway, it may need to limit the MSS it receives to provide space for IPsec headers when tunneling traffic. The firewall cannot predict the MSS value the server would send when it responds to the SYN, because during the proxy sequence the firewall answers the SYN itself. Being able to control the size of a segment lets you control the manufactured MSS value sent to WAN clients. This option is not selected by default. If you specify an override value for the default of 1460, a segment of that size or smaller is sent to the client in the SYN/ACK cookie. Setting this value too low can decrease performance when the SYN Proxy is always enabled. Setting this value too high can break connections if the server responds with a smaller MSS value.
• Maximum TCP MSS sent to WAN clients – The value of the MSS. The default is 1460, the minimum value is 32, and the maximum is 1460.
NOTE: When using Proxy WAN client connections, remember to set these options conservatively, as they only affect connections while a SYN Flood is taking place. This ensures that legitimate connections can proceed during an attack.
• Always log SYN packets received – Logs all SYN packets received.



14 Configure the Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting options to configure how the appliance deals with devices that exceed the SYN, RST, and FIN blacklist attack threshold:
• Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – Specifies the maximum number of SYN, RST, and FIN packets allowed per second. The minimum is 10, the maximum is 800,000, and the default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
NOTE: This option cannot be modified unless Enable SYN/RST/FIN flood blacklisting on all interfaces is enabled.
• Enable SYN/RST/FIN flood blacklisting on all interfaces – Enables the blacklisting feature on all interfaces on the firewall. This option is not selected by default. When it is selected, these options become available:
• Never blacklist WAN machines – Ensures that systems on the WAN are never added to the SYN blacklist. This option is recommended, as leaving it cleared may interrupt traffic to and from the firewall’s WAN ports. This option is not selected by default.
• Always allow SonicWall management traffic – Causes IP traffic from a blacklisted device targeting the firewall’s WAN IP addresses not to be filtered. This allows management traffic and routing protocols to maintain connectivity through a blacklisted device. This option is not selected by default.
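The three SYN Flood Protection modes and the half-open threshold described in steps 9 through 13 amount to a small state machine over the TCP handshake. The following Python is an added example, not SonicOS code: it tracks half-open WAN connections, counts incomplete connection attempts per second, logs in watch mode, switches the proxy on and off in the intermediate mode, always proxies in the third mode, and enforces a Maximum Half Open TCP Connections cap. The traffic produced by simulate() is constructed (one legitimate handshake followed by 50 spoofed SYNs in half a second), and the deactivation rule, proxy switching off as soon as the one-second rate drops back under the threshold, is an assumption of the example since the page only says proxying stops when the attacks stop.

```python
class SynFloodMonitor:
    """Tracks WAN TCP handshakes and applies the three SYN Flood Protection modes."""

    MODES = ("watch", "proxy_when_suspected", "always_proxy")

    def __init__(self, mode="watch", attack_threshold=100, max_half_open=None, handshake_timeout=30.0):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode = mode
        self.attack_threshold = attack_threshold      # incomplete connection attempts per second
        self.max_half_open = max_half_open            # Maximum Half Open TCP Connections (None = unlimited)
        self.handshake_timeout = handshake_timeout    # TCP Handshake Timeout (seconds)
        self.half_open = {}                           # (src, sport, dst, dport) -> time of the SYN
        self.proxy_active = mode == "always_proxy"
        self.log = []

    def _expire(self, now):
        """Drop half-open entries whose handshake did not complete within the timeout."""
        for flow, started in list(self.half_open.items()):
            if now - started > self.handshake_timeout:
                del self.half_open[flow]
                self.log.append((now, "handshake timeout", flow))

    def _incomplete_rate(self, now):
        """Incomplete connection attempts seen in the last second."""
        return sum(1 for started in self.half_open.values() if now - started <= 1.0)

    def observe(self, now, src, sport, dst, dport, flags):
        """flags: "S" for a client SYN, "A" for the client's final handshake ACK."""
        flow = (src, sport, dst, dport)
        self._expire(now)
        if flags == "A":
            return "established" if self.half_open.pop(flow, None) is not None else "forward"
        if flags != "S":
            return "forward"
        if self.max_half_open is not None and len(self.half_open) >= self.max_half_open:
            self.log.append((now, "denied: half-open threshold reached", flow))
            return "deny"
        self.half_open[flow] = now
        rate = self._incomplete_rate(now)
        suspected = rate > self.attack_threshold
        if self.mode == "watch" and suspected:
            self.log.append((now, f"possible SYN flood: {rate} incomplete/s", flow))
        elif self.mode == "proxy_when_suspected" and suspected != self.proxy_active:
            # Assumption: the proxy is switched off again once the rate falls back under the threshold.
            self.proxy_active = suspected
            self.log.append((now, "SYN proxy " + ("enabled" if suspected else "disabled"), flow))
        # Under proxy the firewall answers the SYN itself and only contacts the server
        # after the client's ACK proves the source address is real.
        return "proxy" if self.proxy_active else "forward"


def simulate(mode, threshold=20):
    """Constructed traffic: one legitimate handshake, then 50 spoofed SYNs within half a second."""
    mon = SynFloodMonitor(mode=mode, attack_threshold=threshold)
    mon.observe(0.0, "198.51.100.7", 40000, "203.0.113.10", 443, "S")
    mon.observe(0.1, "198.51.100.7", 40000, "203.0.113.10", 443, "A")
    verdicts = [mon.observe(1.0 + i * 0.01, f"192.0.2.{i + 1}", 1024 + i, "203.0.113.10", 443, "S")
                for i in range(50)]
    return mon, verdicts


if __name__ == "__main__":
    for mode in SynFloodMonitor.MODES:
        mon, verdicts = simulate(mode)
        print(mode, verdicts.count("forward"), "forwarded,", verdicts.count("proxy"), "proxied,",
              len(mon.log), "log entries")
```

In watch mode every spoofed SYN is still forwarded and the only effect is the alerts; in the intermediate mode the 21st SYN within the second crosses the threshold of 20 and from then on SYNs are answered by the proxy, which is the behaviour the page describes as continuing to process valid traffic during the attack.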

WAN DDOS Protection (Non-TCP Floods) The WAN DDOS Protection (Non-TCP Floods) section is a deprecated feature that has been replaced by UDP and UDPv6 Flood Protection and ICMP Flood Protection. NOTE: SonicWall recommends that you do not use the WAN DDOS Protection feature, but that you use UDP Flood Protection and ICMP Flood Protection instead.



UDP and UDPv6 Flood Protection

UDP/UDPv6 flood attacks are a type of denial-of-service (DoS) attack. They are initiated by sending a large number of UDP/UDPv6 packets to random ports on a remote host. As a result, the victimized system’s resources are consumed handling the attacking packets, which eventually causes the system to become unreachable by other clients.

SonicWall UDP/UDPv6 Flood Protection defends against these attacks by using a “watch and block” method. The appliance monitors UDP/UDPv6 traffic to a specified destination. If the rate of UDP/UDPv6 packets per second exceeds the allowed threshold for a specified duration of time, the appliance drops subsequent UDP/UDPv6 packets to protect against a flood attack. UDP/UDPv6 packets that are DNS queries or responses to or from a DNS server configured on the appliance are allowed to pass, regardless of the state of UDP/UDPv6 Flood Protection.

The following settings configure UDP/UDPv6 Flood Protection:
• Enable UDP/UDPv6 Flood Protection – Enables UDP/UDPv6 Flood Protection.
• UDP/UDPv6 Flood Attack Threshold (UDP Packets / Sec) – The maximum number of UDP/UDPv6 packets per second allowed to be sent to a host, range, or subnet; exceeding this rate triggers UDP/UDPv6 Flood Protection. The minimum value is 50, the maximum value is 1000000, and the default value is 1000.
• UDP/UDPv6 Flood Attack Blocking Time (Sec) – After the appliance detects the rate of UDP/UDPv6 packets exceeding the attack threshold for this duration of time, UDP/UDPv6 Flood Protection is activated and the appliance begins dropping subsequent UDP/UDPv6 packets. The minimum time is 1 second, the maximum time is 120 seconds, and the default time is 2 seconds.
• UDP/UDPv6 Flood Attack Protected Destination List – The destination address object or address group that is protected from the UDP/UDPv6 flood attack. The default value is Any.
TIP: Select Any to apply the Attack Threshold to the sum of UDP/UDPv6 packets passing through the firewall.

ICMP Flood Protection

ICMP Flood Protection functions identically to UDP Flood Protection, except it monitors for ICMP Flood Attacks. The only difference is that there are no DNS queries that are allowed to bypass ICMP Flood Protection.

The following settings configure ICMP Flood Protection:
• Enable ICMP Flood Protection – Enables ICMP Flood Protection.
• ICMP Flood Attack Threshold (ICMP Packets / Sec) – The rate of ICMP packets per second sent to a host, range, or subnet that triggers ICMP Flood Protection.
• ICMP Flood Attack Blocking Time (Sec) – After the appliance detects the rate of ICMP packets exceeding the attack threshold for this duration of time, ICMP Flood Protection is activated, and the appliance begins dropping subsequent ICMP packets.
• ICMP Flood Attack Protected Destination List – The destination address object or address group that is protected from the ICMP Flood Attack.

TIP: Select Any to apply the Attack Threshold to the sum of ICMP packets passing through the firewall.

ICMPv6 Flood Protection

ICMPv6 Flood Protection functions identically to UDP Flood Protection, except it monitors for ICMPv6 Flood Attacks. The only difference is that there are no DNS queries that are allowed to bypass ICMPv6 Flood Protection.

The following settings configure ICMPv6 Flood Protection:
• Enable ICMPv6 Flood Protection – Enables ICMPv6 Flood Protection.
• ICMPv6 Flood Attack Threshold (ICMP Packets / Sec) – The rate of ICMPv6 packets per second sent to a host, range, or subnet that triggers ICMPv6 Flood Protection.
• ICMPv6 Flood Attack Blocking Time (Sec) – After the appliance detects the rate of ICMPv6 packets exceeding the attack threshold for this duration of time, ICMPv6 Flood Protection is activated, and the appliance begins dropping subsequent ICMPv6 packets.
• ICMPv6 Flood Attack Protected Destination List – The destination address object or address group that is protected from the ICMPv6 Flood Attack.

TIP: Select Any to apply the Attack Threshold to the sum of ICMPv6 packets passing through the firewall.
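As an added Python illustration (not SonicWall's implementation) of the watch-and-block mechanism shared by the UDP, ICMP and ICMPv6 sections above, the following models the threshold, blocking time, protected destination list and DNS exemption; the page does not say when a block is lifted, so the recovery rule and the sample traffic are assumptions.

```python
"""Watch-and-block flood protection modelled on the UDP/ICMP Flood Protection
settings described above. Constructed example; not SonicWall code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

DNS_PORT = 53


@dataclass
class _DestState:
    cur_sec: int = -1      # second currently being counted
    count: int = 0         # packets seen in cur_sec
    over: int = 0          # consecutive completed seconds above the threshold
    blocked: bool = False  # protection is active for this destination


class FloodProtection:
    """Rate watcher for one protocol (UDP, ICMP, ICMPv6).

    threshold_pps    Flood Attack Threshold (packets / sec), 50..1000000
    blocking_time_s  Flood Attack Blocking Time (sec), 1..120: the threshold must
                     be exceeded for this many consecutive seconds before drops start
    protected        Protected Destination List; None models "Any", where the
                     threshold applies to the sum of packets through the firewall
    dns_servers      DNS servers whose port-53 traffic bypasses UDP protection
                     (pass an empty set for ICMP, which has no such exemption)
    """

    def __init__(self, threshold_pps: int = 1000, blocking_time_s: int = 2,
                 protected: Optional[Iterable[str]] = None,
                 dns_servers: Iterable[str] = ()) -> None:
        if not 50 <= threshold_pps <= 1_000_000 or not 1 <= blocking_time_s <= 120:
            raise ValueError("threshold or blocking time outside the documented range")
        self.threshold = threshold_pps
        self.blocking_time = blocking_time_s
        self.protected = None if protected is None else set(protected)
        self.dns_servers = set(dns_servers)
        self.state: Dict[str, _DestState] = {}

    def _roll_second(self, st: _DestState, sec: int) -> None:
        """Close the previous one-second window when the clock moves on."""
        if st.cur_sec == sec:
            return
        if st.cur_sec >= 0 and sec == st.cur_sec + 1 and st.count > self.threshold:
            st.over += 1          # another consecutive second above the threshold
        else:
            # Assumption: a second at or below the threshold (or a gap with no
            # packets at all) ends the attack condition and lifts the block.
            st.over = 0
            st.blocked = False
        st.cur_sec, st.count = sec, 0

    def packet(self, ts: float, src: str, sport: Optional[int],
               dst: str, dport: Optional[int]) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        # DNS queries/responses to or from a configured DNS server always pass.
        if (dst in self.dns_servers and dport == DNS_PORT) or \
           (src in self.dns_servers and sport == DNS_PORT):
            return True
        if self.protected is None:
            key = "any"                       # one aggregate counter
        elif dst in self.protected:
            key = dst                         # one counter per protected destination
        else:
            return True                       # not a protected destination
        st = self.state.setdefault(key, _DestState())
        self._roll_second(st, int(ts))
        st.count += 1
        # Threshold exceeded in this second and in the blocking_time - 1 seconds
        # before it: activate protection and drop subsequent packets.
        if st.count > self.threshold and st.over + 1 >= self.blocking_time:
            st.blocked = True
        return not st.blocked


def run_scenario(rates_per_second: List[int], threshold: int = 1000,
                 blocking_time: int = 2) -> List[Tuple[int, int]]:
    """Replay a constructed UDP stream at the given per-second rates towards one
    host and return (forwarded, dropped) for each second."""
    fp = FloodProtection(threshold, blocking_time, dns_servers={"10.0.0.53"})
    result = []
    for sec, rate in enumerate(rates_per_second):
        fwd = drop = 0
        for i in range(rate):
            ts = sec + i / max(rate, 1)
            if fp.packet(ts, "198.51.100.7", 40000 + i % 1000, "203.0.113.10", 5060):
                fwd += 1
            else:
                drop += 1
        result.append((fwd, drop))
    return result


if __name__ == "__main__":
    # 1500 pps for three seconds against the default 1000 pps / 2 s policy, then quiet.
    print(run_scenario([1500, 1500, 1500, 10, 10]))
    # [(1500, 0), (1000, 500), (0, 1500), (0, 10), (10, 0)]
```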

Control Plane Flood Protection

When the Enable Control Plane Flood Protection option is enabled, if traffic on the Control Plane (Core 0) exceeds the threshold specified in Control Plane Flood Protection threshold (CPU %), the firewall forwards only control traffic destined to the firewall to the system Control Plane core. To give precedence to legitimate control traffic, excess data traffic is dropped. This restriction prevents too much data traffic from reaching the Control Plane core, which can cause slow system response and potential network connection drops. The percentage configured for control traffic is guaranteed.

To configure Control Plane Flood Protection:
1 Go to the Control Plane Flood Protection section of the Firewall Settings > Flood Protection page.
2 To enable Control Plane Flood Protection, select the Enable Control Plane Flood Protection check box. This option is not selected by default.
3 In the Control Plane Flood Protection Threshold (CPU %) field, specify the flood protection threshold as a percentage of the CPU for activating Control Plane Flood Protection. The minimum percentage is five percent of CPU, the maximum is 95 percent of CPU, and the default is 75 percent of CPU.

IMPORTANT: Adjust the Control Plane Flood Protection Threshold from its optimized default value only when control-plane packet drops are observed.

CONFIGURING MULTICAST SETTINGS

To configure multicast settings, complete the following steps:
1 Select the global icon, a group, or a SonicWall appliance. At unit level, the Multicast screen is available only for SonicWall firewall appliances with SonicOS Enhanced firmware version 2.5 and higher.
2 Expand the Firewall tree and click Multicast. The Multicast page displays.
3 To enable multicast, select Enable Multicast.
4 Configure the following options:
• Require IGMP Membership reports for multicast data forwarding—This check box is enabled by default. Select this check box to improve performance by forwarding multicast data only to interfaces that belong to an enabled multicast group address.
• Multicast state table entry timeout (minutes)—This field has a default of 5. The value range for this field is five to 60 (minutes). Increase the value if you have a client that is not sending reports periodically.
5 Select from the following:
• To receive all (class D) multicast addresses, select Enable reception of all multicast addresses. Receiving all multicast addresses might cause your network to experience performance degradation.
• To enable reception only for specific multicast addresses (the default), select Enable reception for the following multicast addresses and select Create a new multicast object or Create new multicast group from the list box.
6 To view the IGMP State Information, click Request IGMP State Information. The following information displays:
• Multicast Group Address—Provides the multicast group address the interface is joined to.
• Interface / VPN Tunnel—Provides the interface (such as X0) or the VPN policy.
• IGMP Version—Provides the IGMP version (such as V2 or V3).
• Time Remaining—Provides the remaining time left for the multicast session. This is calculated by subtracting the elapsed time since the multicast address was added from the “Multicast state table entry timeout (minutes)” value, which has a default of five minutes.
7 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

CONFIGURING QUALITY OF SERVICE MAPPING

Quality of Service (QoS) adds the ability to recognize, map, modify, and generate the industry-standard 802.1p and Differentiated Services Code Points (DSCP) Class of Service (CoS) designators. When used in combination with a QoS capable network infrastructure, SonicOS QoS features provide predictability that is vital for certain types of applications, such as Voice over IP (VoIP), multimedia content, or business-critical applications such as credit card processing. To centrally manage the 802.1p-DSCP Mappings Table, GMS now provides a new configuration found under the path Policies > Firewalls > QoS Mapping.

Even the highest amounts of bandwidth ultimately are used to capacity at some point by users on the network. Being able to manage bandwidth to obtain the most efficient use from it is essential. Only QoS, when configured and implemented correctly, properly manages traffic and guarantees the desired levels of network service.

Three concepts are central to the traffic management provided by QoS:
• Classification
• Marking
• Conditioning

The following sections describe how to understand and configure QoS:
• Working with Classification
• Working with Conditioning
• Working with 802.1p and DSCP QoS
• Working with DSCP Marking
• Configuring QoS
• Enabling 802.1p Tagging
• Creating a QoS Rule
• Configuring QoS Settings

Working with Classification

Classification is necessary as a first step to identify traffic that needs to be prioritized for optimal use. GMS uses access rules as the interface to classification of traffic. This provides fine control using a combination of Address Object, Service Object, and Schedule Object elements, allowing for classification criteria as general as all HTTP traffic and as specific as SSH traffic from HostA to ServerB on Wednesdays at 2:12am.

GMS provides the ability to recognize, map, modify, and generate the industry-standard external CoS designators, DSCP and 802.1p protocols. After traffic is identified, or classified, it can be managed. Management can be done internally by SonicWall BWM, which is effective as long as the network is a fully contained autonomous system. After external or intermediate elements are introduced, for example, foreign network infrastructures with unknown configurations, or other hosts contending for bandwidth, that predictability diminishes. As long as the endpoints of the network and all entities in between are within your management, BWM works exactly as configured. After external entities are introduced, the precision and efficacy of BWM configurations can begin to degrade.

After GMS classifies the traffic, it then tags it to communicate this classification to certain external systems that are capable of abiding by CoS tags. The external systems then can participate in providing QoS to traffic passing through them.

NOTE: Many service providers do not support CoS tags such as 802.1p or DSCP. Also, most network equipment with standard configurations is not able to recognize 802.1p tags, and could drop tagged traffic.

NOTE: If you wish to use 802.1p or DSCP marking on your network or your service provider’s network, you must first establish that these methods are supported. Verify that your internal network equipment can support CoS priority marking, and that it is correctly configured to do so. Check with your service provider - some offer fee-based support for QoS using these CoS methods.





Working with Marking

After the traffic has been classified, if it is to be handled by QoS capable external systems, it must be tagged to enable external systems to make use of the classification, and provide correct handling and Per Hop Behaviors (PHB). An example of a QoS capable external system is a CoS-aware switch or router that might be available on a premium service provider’s infrastructure, or on a private WAN.

Originally, this was attempted at the IP layer (layer 3) with RFC 791’s three precedence bits and the RFC 1394 ToS (type of service) field, but this was not widely used. Its successor, RFC 2474, introduced the more widely used DSCP (Differentiated Services Code Point), which offers up to 64 classifications, in addition to user-definable classes. DSCP was further enhanced by RFC 2598 (Expedited Forwarding, intended to provide leased-line behaviors) and RFC 2697 (Assured Forwarding levels within classes, also known as Gold, Silver, and Bronze levels). DSCP is a safe marking method for traffic that traverses public networks because there is no risk of incompatibility. At the very worst, a hop along the path might disregard or strip the DSCP tag, but it rarely mistreats or discards the packet.

The other prevalent method of CoS marking is IEEE 802.1p, which occurs at the MAC layer (layer 2) and is closely related to IEEE 802.1Q VLAN marking, sharing the same 16-bit field, although it is actually defined in the IEEE 802.1D standard. Unlike DSCP, 802.1p only works with 802.1p capable equipment, and is not universally interoperable. Additionally, 802.1p, because of its different packet structure, can rarely traverse wide area networks, even private WANs. Nonetheless, 802.1p is gaining wide support among Voice and Video over IP vendors, so a solution for supporting 802.1p across network boundaries (such as WAN links) was introduced in the form of 802.1p to DSCP mapping.

802.1p to DSCP mapping allows 802.1p tags from one LAN to be mapped to DSCP values by GMS, allowing the packets to safely traverse WAN links. When the packets arrive on the other side of the WAN or VPN, the receiving GMS appliance can then map the DSCP tags back to 802.1p tags for use on that LAN.

Working with Conditioning

Finally, the traffic can be conditioned or managed using any of the many policing, queueing, and shaping methods available. GMS provides internal conditioning capabilities with its Egress and Ingress Bandwidth Management (BWM). SonicWall BWM is a perfectly effective solution for fully autonomous private networks with sufficient bandwidth, but can become somewhat less effective as more unknown external network elements and bandwidth contention are introduced.

To provide end-to-end QoS, business-class service providers are increasingly offering traffic conditioning services on their IP networks. These services typically depend on the customer premises equipment to classify and tag the traffic, generally using a standard marking method such as DSCP. GMS has the ability to DSCP mark traffic after classification, as well as the ability to map 802.1p tags to DSCP tags for external network traversal and CoS preservation. For VPN traffic, GMS can DSCP mark not only the internal (payload) packets, but the external (encapsulating) packets as well, so that QoS capable service providers can offer QoS even on encrypted VPN traffic.

The actual conditioning method employed by service providers varies from one to the next, but it generally involves a class-based queueing method such as Weighted Fair Queuing for prioritizing traffic, in addition to a congestion avoidance method, such as tail-drop or Random Early Detection.

Working with 802.1p and DSCP QoS

The following sections detail the 802.1p standards and DSCP QoS. GMS supports layer 2 and layer 3 CoS methods for broad interoperability with external systems participating in QoS enabled environments. The layer 2 method is the IEEE 802.1p standard, wherein 3 bits of an additional 16 bits inserted into the header of the Ethernet frame can be used to designate the priority of the frame, as illustrated in the following figure.

• TPID: Tag Protocol Identifier begins at byte 12 (after the 6-byte destination and source fields), is 2 bytes long, and has an Ethertype of 0x8100 for tagged traffic.
• 802.1p: The first three bits of the TCI (Tag Control Information - beginning at byte 14, and spanning 2 bytes) define user priority, giving eight (2^3) priority levels. IEEE 802.1p defines the operation for these three user priority bits.
• CFI: Canonical Format Indicator is a single-bit flag, always set to zero for Ethernet switches. CFI is used for compatibility reasons between Ethernet networks and Token Ring networks. If a frame received at an Ethernet port has a CFI set to 1, then that frame should not be forwarded as it is to an untagged port.
• VLAN ID: VLAN ID (starts at bit 5 of byte 14) is the identification of the VLAN. It has 12 bits and allows for the identification of 4,096 (2^12) unique VLAN IDs. Of the 4,096 possible IDs, an ID of 0 is used to identify priority frames, and an ID of 4,095 (FFF) is reserved, so the maximum possible VLAN configurations are 4,094.

802.1p support begins by enabling 802.1p marking on the interfaces which you wish to have process 802.1p tags. 802.1p can be enabled on any Ethernet interface on any SonicWall appliance that supports VLANs, including the SonicWall NSA Series and PRO 2040, PRO 3060, PRO 4060, PRO 4100, and PRO 5060.

NOTE: 802.1p tagging is not currently supported on the SonicWall TZ Series or PRO 1260.

Although Enable 802.1p tagging does not appear as an option on VLAN sub-interfaces, it is related to the 802.1q tags of VLAN subinterfaces. The behavior of the 802.1p field within these tags can be controlled by firewall access rules. The default 802.1p capable network Access Rule action of None resets existing 802.1p tags to 0, unless otherwise configured.

Enabling 802.1p marking allows the target interface to recognize incoming 802.1p tags generated by 802.1p capable network devices, and it also allows the target interface to generate 802.1p tags, as controlled by Access Rules. Frames that have 802.1p tags inserted by GMS bear VLAN ID 0. 802.1p tags are inserted according to access rules, so enabling 802.1p marking on an interface will not, at its default setting, disrupt communications with 802.1p-incapable devices.

802.1p requires specific support by the networking devices with which you wish to use this method of prioritization. Many voice and video over IP devices provide support for 802.1p, but the feature must be enabled. Check your equipment’s documentation for information on 802.1p support if you are unsure. Similarly, many server and host network cards (NICs) have the ability to support 802.1p, but the feature is usually disabled by default.
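An added Python example (not GMS code) that parses and inserts the 802.1Q tag at the byte offsets listed above, including the VLAN ID 0 priority tag and the None/Preserve/Explicit 802.1p access-rule actions; the sample frame is constructed.

```python
"""Parsing and inserting 802.1Q/802.1p tags at the byte offsets given above.
Constructed example, not SonicWall code."""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100      # Ethertype announcing a tagged frame, at bytes 12-13
TAG_OFFSET = 12          # after the 6-byte destination and 6-byte source MACs
VID_PRIORITY_TAGGED = 0  # VLAN ID 0 marks a priority frame, as for tags GMS inserts
VID_RESERVED = 0xFFF     # 4095 is reserved and never assigned


def parse_tag(frame: bytes) -> Optional[Dict[str, int]]:
    """Return the tag fields of an 802.1Q-tagged frame, or None if untagged."""
    if len(frame) < TAG_OFFSET + 6:
        raise ValueError("frame too short for an Ethernet header")
    tpid, tci, ethertype = struct.unpack_from("!HHH", frame, TAG_OFFSET)
    if tpid != TPID_8021Q:
        return None
    return {
        "pcp": tci >> 13,            # 802.1p user priority: top 3 bits of the TCI
        "cfi": (tci >> 12) & 0x1,    # Canonical Format Indicator
        "vid": tci & 0x0FFF,         # 12-bit VLAN ID
        "ethertype": ethertype,      # encapsulated protocol that follows the tag
    }


def build_tci(pcp: int, vid: int = VID_PRIORITY_TAGGED, cfi: int = 0) -> int:
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must be 0..7")
    if not 0 <= vid < VID_RESERVED:
        raise ValueError("VLAN ID must be 0..4094 (4095 is reserved)")
    return (pcp << 13) | (cfi << 12) | vid


def insert_tag(frame: bytes, pcp: int, vid: int = VID_PRIORITY_TAGGED) -> bytes:
    """Tag an untagged frame; the default VID of 0 yields a priority-tagged frame."""
    if parse_tag(frame) is not None:
        raise ValueError("frame is already tagged")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(pcp, vid))
    return frame[:TAG_OFFSET] + tag + frame[TAG_OFFSET:]


def apply_8021p_action(frame: bytes, action: str, explicit: int = 0) -> bytes:
    """Model the access-rule 802.1p marking actions on an already-tagged frame:
    None resets the priority to 0, Preserve leaves it, Explicit sets a value.
    Map is not modelled here because it needs the 802.1p-DSCP mapping table."""
    tag = parse_tag(frame)
    if tag is None:
        return frame
    actions = {"None": 0, "Preserve": tag["pcp"], "Explicit": explicit}
    if action not in actions:
        raise ValueError(f"unsupported 802.1p action {action!r}")
    tci = build_tci(actions[action], tag["vid"], tag["cfi"])
    return frame[:TAG_OFFSET + 2] + struct.pack("!H", tci) + frame[TAG_OFFSET + 4:]


def forwardable_to_untagged_port(frame: bytes) -> bool:
    """A tagged frame with CFI set must not be forwarded as-is to an untagged port."""
    tag = parse_tag(frame)
    return tag is None or tag["cfi"] == 0


# Constructed untagged IPv4 frame: dst MAC, src MAC, Ethertype 0x0800, dummy payload.
UNTAGGED = (bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
            + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    voice = insert_tag(UNTAGGED, pcp=5, vid=100)
    print(voice[12:16].hex())                                 # 8100a064
    print(parse_tag(voice))  # {'pcp': 5, 'cfi': 0, 'vid': 100, 'ethertype': 2048}
    print(parse_tag(apply_8021p_action(voice, "None"))["pcp"])  # 0
```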

Working with DSCP Marking DSCP (Differentiated Services Code Point) marking uses six bits of the eight bit ToS field in the IP header to provide up to 64 classes (or code points) for traffic. Because DSCP is a layer 3 marking method, there is no concern about compatibility as there is with 802.1p marking. Devices that do not support DSCP simply ignore the tags, or at worst, they reset the tag value to 0.

The above diagram depicts an IP packet, with a close-up on the ToS portion of the header. The ToS bits were originally used for Precedence and ToS (delay, throughput, reliability, and cost) settings, but were later reused by RFC 2474 for the more versatile DSCP settings. The following table shows the commonly used code points as well as their mapping to the legacy Precedence and ToS settings.

Code Points

DSCP  DSCP Description           Legacy IP Precedence        Legacy IP ToS (D, T, R)
0     Best Effort                0 (Routine - 000)           -
8     Class 1                    1 (Priority - 001)          -
10    Class 1, Gold AF11         1 (Priority - 001)          T
12    Class 1, Silver AF12       1 (Priority - 001)          D
14    Class 1, Bronze AF13       1 (Priority - 001)          D, T
16    Class 2                    2 (Immediate - 010)         -
18    Class 2, Gold AF21         2 (Immediate - 010)         T
20    Class 2, Silver AF22       2 (Immediate - 010)         D
22    Class 2, Bronze AF23       2 (Immediate - 010)         D, T
24    Class 3                    3 (Flash - 011)             -
26    Class 3, Gold AF31         3 (Flash - 011)             T
27    Class 3, Silver AF32       3 (Flash - 011)             D
30    Class 3, Bronze AF33       3 (Flash - 011)             D, T
32    Class 4                    4 (Flash Override - 100)    -
34    Class 4, Gold AF41         4 (Flash Override - 100)    T
36    Class 4, Silver AF42       4 (Flash Override - 100)    D
38    Class 4, Bronze AF43       4 (Flash Override - 100)    D, T
40    Express Forwarding         5 (CRITIC/ECP - 101)        -
46    Expedited Forwarding (EF)  5 (CRITIC/ECP - 101)        D, T
48    Control                    6 (Internet Control - 110)  -
56    Control                    7 (Internet Control - 111)  -

DSCP marking can be done on traffic to and from any interface and to and from any zone type, without exception. DSCP marking is controlled by Access Rules, from the QoS tab, and can be used in conjunction with 802.1p marking, as well as with SonicOS internal bandwidth management.

DSCP Marking and Mixed VPN Traffic

Among the security measures and characteristics pertaining to them, IPSec VPNs employ anti-replay mechanisms based upon monotonically incrementing sequence numbers added to the ESP header. Packets with duplicate sequence numbers are dropped, as are packets that do not adhere to sequence criteria. One criterion governs the handling of out-of-order packets. GMS provides a replay window of 64 packets, such that if an ESP packet for a Security Association (SA) is delayed by more than 64 packets, the packet is dropped. This should be considered when using DSCP marking to provide layer 3 QoS to traffic traversing a VPN. If you have a VPN tunnel transporting a variety of traffic, some that is being DSCP tagged high priority (for example, VoIP) and some that is DSCP tagged low-priority or untagged/best-effort, QoS capable devices along the path prioritize the high-priority ESP packets over the best-effort ESP packets. Under certain traffic conditions, this can result in the best-effort packets being delayed for more than 64 packets, causing them to be dropped by the receiving SonicWall’s anti-replay defenses. If symptoms of such a scenario emerge (for example, excessive retransmissions of low-priority traffic), it is recommended that you create a separate VPN policy for the high-priority and low-priority classes of traffic. This is most easily accomplished by placing the high-priority hosts (for example, the VoIP network) on their own subnet.
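Added Python example, not SonicWall code, of a 64-packet anti-replay window in the style of RFC 4303, used to show the reordering effect described above; the exact boundary at which a delayed packet is rejected depends on the implementation, and the traffic pattern is constructed.

```python
"""Sliding ESP anti-replay window of the kind described above (64 packets),
used to show why QoS reordering inside one VPN tunnel can get best-effort ESP
packets dropped. Constructed example, not SonicWall code."""
from typing import List


class ReplayWindow:
    """RFC 4303-style receiver window: 'last' is the highest sequence number
    accepted; a bitmap records which of the previous 'size' numbers were seen."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.last = 0        # highest accepted sequence number (0 = none yet)
        self.bitmap = 0      # bit i set => sequence (last - i) was received

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it passes the anti-replay check."""
        if seq == 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.last:                    # new high-water mark: slide right
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        offset = self.last - seq
        if offset >= self.size:
            return False                       # too old: fell off the window
        if self.bitmap & (1 << offset):
            return False                       # duplicate sequence number
        self.bitmap |= 1 << offset
        return True


def delayed_packet_survives(delayed_seq: int, packets_ahead: int, window: int = 64) -> bool:
    """A best-effort ESP packet numbered delayed_seq is held back while
    packets_ahead higher-priority packets with consecutive higher numbers are
    delivered first; report whether the receiver still accepts it."""
    rx = ReplayWindow(window)
    for seq in range(1, delayed_seq):          # everything before it arrived in order
        rx.accept(seq)
    for seq in range(delayed_seq + 1, delayed_seq + 1 + packets_ahead):
        rx.accept(seq)                         # prioritised VoIP packets overtake it
    return rx.accept(delayed_seq)


def arrival_order_results(order: List[int], window: int = 64) -> List[bool]:
    """Accept/reject verdict for each sequence number in the given arrival order."""
    rx = ReplayWindow(window)
    return [rx.accept(seq) for seq in order]


if __name__ == "__main__":
    print(delayed_packet_survives(101, 63))     # True: still inside the window
    print(delayed_packet_survives(101, 65))     # False: delayed by more than 64 packets
    print(arrival_order_results([1, 2, 2, 3]))  # [True, True, False, True]
```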

Configuring QoS

To configure QoS, refer to the following sections to complete the following steps:
• Enabling 802.1p Tagging
• Creating a QoS Rule
• Configuring QoS Settings
• Adding a Service
• Creating Rules

Enabling 802.1p Tagging

Before you begin to complete any QoS configuration tasks, you first need to enable your device to accept QoS values. To do that you have to enable the IEEE 802.1p tagging protocol. You enable protocols at the WAN interface level. To enable 802.1p tagging, complete the following steps:
1 Click on the Interfaces option in the Network menu. GMS displays the Interfaces list.
2 Click on the Configuration icon for the WAN interface. GMS displays the Edit Interface dialog box.
3 Click on the Advanced Tab. GMS displays the Advanced Tab.
4 Click on Enable 802.1p tagging to place a check mark in the check box.
5 Click Update.

Creating a QoS Rule

The next step is to create a QoS rule for the WAN interface in the Access Rules dialog box. To configure a QoS rule, complete the following steps:
1 From the Firewall menu, click Access Rules. GMS displays the Access Rules dialog box that contains various interfaces for which you can create an access rule.
2 Select the LAN > WAN rule and click Add Rule. GMS displays the Add Rule dialog box.
3 Click the QoS tab. The QoS page displays.
4 Under DSCP Marking Settings, select the DSCP Marking Action. You can select None, Preserve, Explicit, or Map. Preserve is the default.
• None: DSCP values in packets are reset to 0.
• Preserve: DSCP values in packets remain unaltered.
• Explicit: Set the DSCP value to the value you select in the Explicit DSCP Value field. This is a numeric value between 0 and 63.
5 Under 802.1p Marking Settings, select the 802.1p Marking Action. You can select None, Preserve, Explicit, or Map. None is the default.
6 Click Ok. GMS configures your WAN interface to accept traffic shaping values.

Configuring QoS Settings

Now that you have enabled the 802.1p protocol and created a specific QoS rule, you can create your QoS settings. To create QoS settings, complete the following steps:
1 Click on the QoS Settings option in the Firewall Settings menu. GMS displays the QoS Mapping dialog box.
2 Click on the Configuration icon for any of the 802.1p Class of Service objects. GMS displays the class of service Edit QoS Mapping dialog box.
3 Configure the following 802.1p to DSCP conversion settings:
• To DSCP: Indicates the value of the DSCP marking value that indicates the priority of the traffic.
• From DSCP Begin: The lower limit of the range of values for marking that indicates the priority assigned to a packet traveling across the network.
• From DSCP End: The upper limit of the range of values for marking that indicates the priority assigned to a packet traveling across the network.
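Added Python example (not GMS code) that decodes a ToS byte into the DSCP, legacy Precedence and D/T/R columns of the code point table above and applies a set of To DSCP / From DSCP Begin / From DSCP End mapping rows in both directions; the default rows are an assumption, not values read from an appliance.

```python
"""ToS-byte decoding against the DSCP table above and an 802.1p <-> DSCP QoS
mapping with To DSCP / From DSCP Begin / From DSCP End entries. Constructed
example; the mapping rows are assumed defaults, not read from an appliance."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def af_codepoint(cls: int, drop_precedence: int) -> int:
    """Assured Forwarding AFxy: class x (1-4) in the top 3 bits, drop precedence
    y (1-3) in the next 2 bits, so DSCP = 8x + 2y (AF11 = 10, AF43 = 38)."""
    if not 1 <= cls <= 4 or not 1 <= drop_precedence <= 3:
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return cls * 8 + drop_precedence * 2


def decode_tos(tos: int) -> Tuple[int, int, str]:
    """Split an IP ToS byte into (DSCP, legacy precedence, legacy D/T/R flags)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte out of range")
    dscp = tos >> 2                 # six DSCP bits; the low two bits are ECN
    precedence = tos >> 5           # legacy 3-bit IP Precedence
    flags = [name for bit, name in ((0x10, "D"), (0x08, "T"), (0x04, "R")) if tos & bit]
    return dscp, precedence, ", ".join(flags) or "-"


def codepoint_name(dscp: int) -> str:
    """Name a code point the way the table above does: Best Effort, Class x (the
    class selectors, which the table lists as Control for 48 and 56), AFxy or EF."""
    if dscp == 46:
        return "EF"
    cls, low = divmod(dscp, 8)
    if low == 0:
        return "Best Effort" if cls == 0 else f"Class {cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    return f"DSCP {dscp}"


@dataclass(frozen=True)
class QosMapping:
    cos: int              # 802.1p Class of Service 0..7
    to_dscp: int          # DSCP written when mapping 802.1p -> DSCP
    from_dscp_begin: int  # inclusive DSCP range mapped back to this CoS
    from_dscp_end: int


# Assumed defaults: each CoS maps to its class selector and owns one block of eight.
DEFAULT_MAPPINGS: List[QosMapping] = [QosMapping(c, c * 8, c * 8, c * 8 + 7) for c in range(8)]


def validate(mappings: List[QosMapping]) -> None:
    """From DSCP ranges must be in 0..63 and must not overlap, or the reverse
    DSCP -> 802.1p mapping would be ambiguous."""
    for m in mappings:
        if not (0 <= m.from_dscp_begin <= m.from_dscp_end <= 63 and 0 <= m.to_dscp <= 63):
            raise ValueError(f"CoS {m.cos}: DSCP values must be 0..63 with begin <= end")
    spans = sorted((m.from_dscp_begin, m.from_dscp_end) for m in mappings)
    for (b1, e1), (b2, e2) in zip(spans, spans[1:]):
        if b2 <= e1:
            raise ValueError(f"overlapping From DSCP ranges {b1}-{e1} and {b2}-{e2}")


def dot1p_to_dscp(cos: int, mappings: List[QosMapping] = DEFAULT_MAPPINGS) -> int:
    """Leaving the LAN for a WAN link: carry the 802.1p priority as a DSCP value."""
    for m in mappings:
        if m.cos == cos:
            return m.to_dscp
    raise KeyError(f"no mapping row for CoS {cos}")


def dscp_to_dot1p(dscp: int, mappings: List[QosMapping] = DEFAULT_MAPPINGS) -> Optional[int]:
    """Arriving from the WAN: restore the 802.1p tag for the DSCP range it falls in."""
    for m in mappings:
        if m.from_dscp_begin <= dscp <= m.from_dscp_end:
            return m.cos
    return None


if __name__ == "__main__":
    validate(DEFAULT_MAPPINGS)
    print(decode_tos(0xB8))                     # (46, 5, 'D, T'): the EF row
    print(codepoint_name(af_codepoint(3, 2)))   # AF32
    print(dscp_to_dot1p(dot1p_to_dscp(5)))      # 5: survives the round trip
```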

CONFIGURING SSL CONTROL

SonicWall appliances running SonicOS Enhanced 4.0 and higher allow SSL Control, a system for providing visibility into the handshake of SSL sessions, and a method for constructing policies to control the establishment of SSL connections. SSL (Secure Sockets Layer) is the dominant standard for the encryption of TCP based network communications, with its most common and well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based endpoint identification, and cryptographic and digest-based confidentiality to network communications.

An effect of the security provided by SSL is the obscuration of all payload, including the URL (Uniform Resource Locator, for example, www.MySonicWall.com) being requested by a client when establishing an HTTPS session. This is because HTTP is transported within the encrypted SSL session when using HTTPS. It is not until the SSL session is established (step 14) that the actual target resource (www.MySonicWall.com) is requested by the client, but because the SSL session is already established, no inspection of the session data by the SonicWall firewall appliance or any other intermediate device is possible. As a result, URL based content filtering systems cannot consider the request to determine permissibility in any way other than by IP address. While IP address based filtering does not work well for unencrypted HTTP because of the efficiency and popularity of Host-header based virtual hosting (defined in Key Concepts below), IP filtering can work effectively for HTTPS because of the rarity of Host-header based HTTPS sites. But this trust relies on the integrity of the HTTPS server operator, and assumes that SSL is not being used for deceptive purposes. For the most part, SSL is employed legitimately, being used to secure sensitive communications, such as online shopping or banking, or any session where there is an exchange of personal or valuable information. The ever decreasing cost and complexity of SSL, however, has also spurred the growth of more dubious applications of SSL, designed primarily for the purposes of obfuscation or concealment rather than security. An increasingly common camouflage is the use of SSL encrypted Web-based proxy servers for the purpose of hiding browsing details, and bypassing content filters.
While it is simple to block well known HTTPS proxy services of this sort by their IP address, it is virtually impossible to block the thousands of privately-hosted proxy servers that are readily available through a simple Web-search. The challenge is not the ever-increasing number of such services, but rather their unpredictable nature. Because these services are often hosted on home networks using dynamically addressed DSL and cable modem connections, the targets are constantly moving. Trying to block an unknown SSL target would require blocking all SSL traffic, which is practically infeasible.

SSL Control provides a number of methods to address this challenge by arming the security administrator with the ability to dissect and apply policy based controls to SSL session establishment. While the current implementation does not decode the SSL application data, it does allow for gateway-based identification and disallowance of suspicious SSL traffic. For more information about SSL Control, see the SonicOS Enhanced 4.0 Administration Guide.

To configure SSL Control, complete the following steps:
1 Select the global icon, a group, or a SonicWall appliance running SonicOS Enhanced 4.0 or higher.
2 Expand the Firewall tree and click SSL Control. The SSL Control page displays.

3 Under General Settings, select Enable SSL Control to enable SSL Control for the selected group or appliance.
4 Under Action, select one of the following:
• Log the event—If an SSL policy violation, as defined within the Configuration section below, is detected, the event is logged, but the SSL connection is allowed to continue.
• Block the connection and log the event—In the event of a policy violation, the connection is blocked and the event is logged.
5 Under Configuration, select one or more of the following:
• Enable Blacklist—Controls detection of the entries in the blacklist, as configured in the Custom Lists section below.
• Enable Whitelist—Controls detection of the entries in the whitelist, as configured in the Custom Lists section below. Whitelisted entries take precedence over all other SSL control settings.
• Detect Expired Certificates—Controls detection of certificates whose start date is after the current system time, or whose end date is before the current system time. Date validation depends on the SonicWall’s System Time. Make sure your System Time is set correctly, preferably synchronized with NTP, on the System > Time page.
• Detect SSLv2—Controls detection of SSLv2 exchanges. SSLv2 is known to be susceptible to cipher downgrade attacks because it does not do integrity checking on the handshake. Best practices recommend using SSLv3 or TLS instead of SSLv2.
• Detect Self-Signed Certificates—Controls the detection of certificates where both the issuer and the subject have the same common name.
• Detect Certificate signed by an Untrusted CA—Controls the detection of certificates where the issuer’s certificate is not in the SonicWall’s System > Certificates trusted store.
• Detect Weak Ciphers (< 64 bits)—Controls the detection of SSL sessions negotiated with symmetric ciphers of less than 64 bits, commonly indicating export cipher usage.
6 Under Custom Lists, configure the Blacklist and Whitelist by defining strings for matching common names in SSL certificates. Entries are case-sensitive and are used with pattern-matching. For example, “sonicwall.com” matches “http://www.sonicwall.com” and “http://mysonicwall.com,” but not “http://www.sonicwall.de.”
a To add an entry to the Blacklist, type it into the Black List field and then click Add.
b To add an entry to the Whitelist, type it into the White List field and then click Add.
7 When finished, click Update. To return to default values and start over, click Reset.
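An added Python model (not SonicWall code) of how the detections, the case-sensitive custom-list matching and the whitelist precedence described above combine into a log-or-block decision; the handshake records and the policy are constructed.

```python
"""Policy evaluation in the spirit of the SSL Control options above, applied to
a handshake summary a gateway can observe without decrypting application data.
Constructed example, not SonicWall code."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set


@dataclass
class Handshake:
    """Constructed observation of one SSL/TLS session establishment."""
    version: str             # e.g. "SSLv2", "SSLv3", "TLSv1.2"
    cipher_bits: int         # symmetric key length negotiated
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime


@dataclass
class SslControlConfig:
    enabled: bool = True
    block: bool = True                 # False: log the event, allow the connection
    blacklist_enabled: bool = True
    whitelist_enabled: bool = True
    detect_expired: bool = True
    detect_sslv2: bool = True
    detect_self_signed: bool = True
    detect_untrusted_ca: bool = True
    detect_weak_ciphers: bool = True   # fewer than 64 bits
    blacklist: List[str] = field(default_factory=list)
    whitelist: List[str] = field(default_factory=list)
    trusted_ca_cns: Set[str] = field(default_factory=set)  # stands in for the trusted store


def list_match(entries: List[str], common_name: str) -> bool:
    """Custom-list matching as documented: case-sensitive substring match, so
    'sonicwall.com' matches 'www.sonicwall.com' but not 'www.sonicwall.de'."""
    return any(entry in common_name for entry in entries)


def evaluate(hs: Handshake, cfg: SslControlConfig, now: datetime) -> Dict[str, object]:
    """Return the violations found and whether the connection is allowed."""
    if not cfg.enabled:
        return {"violations": [], "allowed": True, "logged": False}
    # Whitelisted common names take precedence over every other setting.
    if cfg.whitelist_enabled and list_match(cfg.whitelist, hs.subject_cn):
        return {"violations": [], "allowed": True, "logged": False}
    violations: List[str] = []
    if cfg.blacklist_enabled and list_match(cfg.blacklist, hs.subject_cn):
        violations.append("blacklisted common name")
    if cfg.detect_expired and not (hs.not_before <= now <= hs.not_after):
        violations.append("certificate not yet valid or expired")
    if cfg.detect_sslv2 and hs.version == "SSLv2":
        violations.append("SSLv2 handshake")
    if cfg.detect_self_signed and hs.issuer_cn == hs.subject_cn:
        violations.append("self-signed certificate")
    elif cfg.detect_untrusted_ca and hs.issuer_cn not in cfg.trusted_ca_cns:
        violations.append("certificate signed by untrusted CA")
    if cfg.detect_weak_ciphers and hs.cipher_bits < 64:
        violations.append("weak cipher (< 64 bits)")
    if not violations:
        return {"violations": [], "allowed": True, "logged": False}
    # A violation is always logged; the Action setting decides whether it also blocks.
    return {"violations": violations, "allowed": not cfg.block, "logged": True}


# Constructed handshakes and policy used by the demonstration below.
NOW = datetime(2024, 6, 1)
CONFIG = SslControlConfig(blacklist=["proxy"], whitelist=["intranet.example"],
                          trusted_ca_cns={"Example Root CA"})
GOOD = Handshake("TLSv1.2", 128, "www.example.com", "Example Root CA",
                 datetime(2024, 1, 1), datetime(2025, 1, 1))
EXPIRED_PROXY = Handshake("TLSv1.2", 128, "proxy.example.net", "proxy.example.net",
                          datetime(2022, 1, 1), datetime(2023, 1, 1))

if __name__ == "__main__":
    print(evaluate(GOOD, CONFIG, NOW))                      # allowed, nothing logged
    print(evaluate(EXPIRED_PROXY, CONFIG, NOW)["violations"])  # three findings
```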

Configuring Firewall Settings in SonicOS Standard

The following sections describe how to configure firewall settings in SonicOS Standard:
• Configuring Rules in SonicOS Standard
• Configuring Advanced Firewall Settings in SonicOS Standard
• Configuring Voice over IP Settings

CONFIGURING RULES IN SONICOS STANDARD

To configure rules for SonicOS Standard, complete the following steps:
1 Determine whether the service for which you want to create a rule is defined. If not, define the service. Refer to Adding a Service.
2 Create one or more rules for the service. Refer to Creating Rules.
3 Repeat this procedure for each service for which you would like to define rules.

Adding a Service

By default, a large number of services are pre-defined. This section describes how to add a new or custom service. To add a service, complete the following steps:
1 Select the global icon, a group, or a SonicWall appliance.
2 Expand the Firewall tree and click Services. The Services page displays.

3 To add a known service (e.g., HTTP, FTP, News), select the service from the Service Name list box and click Add Known Service. Repeat this step for each service that you would like to add. A task is scheduled for each service for each selected SonicWall appliance.

NOTE: Features and services vary widely depending on the managed appliance’s firmware type and version. Some options, including Add Known Service, are only available when managing a Non-SonicOS device (such as a SonicWall TELE3 TZX).

4 To add a custom service, enter its name in the Service Name field, enter the port range it uses in the Port Begin and Port End fields, select the appropriate protocol check boxes, and click Add Custom Service. Repeat this step for each service that you would like to add. A task gets scheduled for each service for each selected SonicWall appliance.
5 To remove a service from the list, select its trash can check box and click Update. A task gets scheduled to update the services page for each selected SonicWall appliance.
6 To clear all screen settings and start over, click Reset.

Creating Rules

This section describes how to define rules for defined services in SonicOS Standard. To create a rule, complete the following steps:
1 Select the global icon, a group, or a SonicWall appliance.
2 Expand the Firewall tree and click Rules. The Rules page displays.

3 Click Add Rule. The Add Rule dialog box displays.
4 Select a service from the Service Name list box. If the service does not exist, refer to Adding a Service.
5 Select whether access to this service is allowed or denied.
6 Select the SonicWall interface to which this rule applies from the Source list box.
7 To apply the rule to a range of IP addresses, enter the first and last IP addresses of the range in the Addr. Begin and Addr. End fields, respectively. The rule applies to requests originating from IP addresses within this range. For all IP addresses, enter an asterisk (*).
8 Specify when the rule will be applied. By default, it is Always. To specify a time, enter the time of day (in 24-hour format) to begin and end enforcement. Then, enter the days of the week to begin and end rule enforcement.
9 Specify how long (in minutes) the connection might remain idle before the connection is terminated in the Inactivity Timeout field.

CAUTION: Fragmented packets are used in certain types of Denial of Service attacks and, by default, are blocked. You should only enable Allow Fragmented Packets if users are experiencing problems accessing certain applications and the SonicWall logs show many dropped fragmented packets.

10 SonicWall appliances can manage outbound traffic using bandwidth management. To enable bandwidth management for this service, select Enable Outbound Bandwidth Management.
a Enter the amount of bandwidth that is always available to this service in the Guaranteed Bandwidth field. Keep in mind that this bandwidth is permanently assigned to this service and not available to other services, regardless of the amount of bandwidth this service does or does not use.
b Enter the maximum amount of bandwidth that is available to this service in the Maximum Bandwidth field.
c Select the priority of this service from the Bandwidth Priority list box. Select a priority from 0 (highest) to 7 (lowest).

NOTE: In order to configure bandwidth management for this service, bandwidth management must be enabled on the SonicWall appliance. To configure bandwidth management in SonicOS Standard, refer to Configuring Ethernet Settings on page 234. For SonicOS Enhanced, refer to Overview of Interfaces on page 155.

11 To add this rule to the rule list, click Update. Repeat Step 3 through Step 11 for each rule that you want to add.
12 If the network access rules have been modified or deleted, you can restore the Default Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic, and allow all outbound IP traffic. To restore the network access rules to their default settings, click Restore Rules to Defaults and click Update. A task is scheduled to update the rules page for each selected SonicWall appliance.
13 If the network access rules for a SonicWall appliance need to be uniform with access rules for other SonicWall appliances in the same group, you can restore the group rules. To do this, click Restore Rules to Group Settings and click Update. A task is scheduled to overwrite the rules page for each selected SonicWall appliance. If you want to append the group rules to the current rules, make sure Append Services and Rules inherited from group is selected on the GMS Settings page of the Console tab.

NOTE: This option is not available at the group or global level.



14 To modify a rule, select its notepad icon. The Add/Modify Rule dialog box displays. When you are finished making changes, click Update. GMS creates a task that modifies the rule for each selected SonicWall appliance. 15 To disable a rule without deleting it, deselect Enable Rule. 16 To delete a rule, select its trash can icon and click Update. GMS creates a task that deletes the rule for each selected SonicWall appliance.

CONFIGURING ADVANCED FIREWALL SETTINGS IN SONICOS STANDARD

To configure advanced access settings, complete the following steps:

1 Select the global icon, a group, or a SonicWall appliance.
2 Expand the Firewall tree and click Advanced. The Advanced page displays.
3 Computers running Microsoft Windows communicate with each other through NetBIOS broadcast packets. By default, SonicWall appliances block these broadcasts. To allow NetBIOS packets to pass among the interfaces, select the appropriate check box in the Windows Networking (NetBIOS) Broadcast Pass Through section.
4 Detection prevention helps hide SonicWall appliances from potential attackers. Select from the following Detection Prevention options:
  • To enable stealth mode, select Enable Stealth Mode. During normal operation, SonicWall appliances respond to incoming connection requests as either "blocked" or "open." In stealth mode, SonicWall appliances do not respond to inbound requests, making the appliances "invisible" to potential attackers.
  • Attackers can use detection tools to "fingerprint" IP IDs and detect the presence of a SonicWall appliance. To configure the SonicWall appliance(s) to generate random IP IDs, select Randomize IP ID.
5 Select the dynamic ports that are supported in the Dynamic Ports area:
  • Enable support for Oracle (SQLNet): Select if you have Oracle applications on your network.
  • Enable support for Windows Messenger: Select this option to support the special SIP messaging used by Windows Messenger on Windows XP.
  • Enable RTSP Transformations: Select this option to support on-demand delivery of real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an application-level protocol for controlling the delivery of data with real-time properties.
6 Drop Source Routed Packets is selected by default. Clear the check box only if you are testing traffic between two specific hosts and you are using source routing.
7 Select Disable Anti-Spyware, Gateway AV and IPS Engine if you want to allow more connections at the expense of the Gateway Anti-Virus and Intrusion Prevention services. This is generally not recommended because it exposes the SonicWall security appliance to threats it would otherwise block.
8 The Connection Inactivity Timeout option closes connections outside the LAN if they are idle for a specified period of time. Without this timeout, connections can stay open indefinitely and create potential security holes. To specify how long the SonicWall appliance(s) wait before closing inactive connections outside the LAN, enter the amount of time in the Default Connection Timeout field (default: 25 minutes).
9 By default, FTP data connections from port 20 are allowed but remapped to outbound ports such as 1024. If you select Force inbound and outbound FTP data connections to use default port 20, any FTP data connection through the SonicWall must come from port 20, or the connection is dropped and logged.
NOTE: To enforce IP header, UDP, TCP, or ICMP checksums, select the appropriate option in the IP, UDP, TCP, ICMP Checksum Enforcement section.
10 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

CONFIGURING VOICE OVER IP SETTINGS

VoIP settings are identical in SonicOS Enhanced and SonicOS Standard. To configure VoIP, refer to Configuring Voice over IP Settings.

Configuring Firewall DPI-SSL Settings

This section describes the Deep Packet Inspection Secure Socket Layer (DPI-SSL) feature, which allows the inspection of encrypted HTTPS traffic and other SSL-based traffic. Client DPI-SSL is used to inspect HTTPS traffic when clients on the SonicWall firewall appliance's LAN access content located on the WAN. Server DPI-SSL is used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the SonicWall firewall appliance's LAN.

This section contains the following:
• DPI-SSL Overview
• Configuring Client SSL
• Configuring Server SSL

DPI-SSL Overview

NOTE: DPI-SSL is a separate, licensed feature that provides inspection of encrypted HTTPS traffic and other SSL-based traffic.

This section provides an introduction to the SonicOS Enhanced DPI-SSL feature as managed within GMS. Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats, and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for encrypted HTTPS and other SSL-based traffic.

Topics:
• Functionality
• Deployment Scenarios
• Customizing DPI-SSL

FUNCTIONALITY

Topics:
• Supported Features
• Security Services
• Proxy Deployment
• Connections per Appliance Model

Supported Features

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted (intercepted) transparently, scanned for threats, and then re-encrypted and, if no threats or vulnerabilities are found, sent along to its destination. DPI-SSL provides additional security, application control, and data-leakage prevention for encrypted HTTPS and other SSL-based traffic.

DPI-SSL supports:
• Transport Layer Security (TLS) Handshake Protocol 1.2 and earlier versions – TLS 1.2 is supported during SSL inspection/decryption between the firewall and the server in DPI-SSL deployments (previously, TLS 1.2 was only supported between the client and the firewall). GMS also supports TLS 1.2 in other areas.
• SHA-256 – All re-signed server certificates are signed with the SHA-256 hash algorithm.
• Perfect Forward Secrecy (PFS) – PFS-based ciphers and other stronger ciphers are prioritized over weak ciphers in the advertised cipher suite list. As a result, the client or server is not expected to negotiate a weak cipher unless it does not support a strong one.

DPI-SSL also supports application-level Bandwidth Management over SSL tunnels. App Rules HTTP bandwidth management policies also apply to content that is accessed over HTTPS when DPI-SSL is enabled for App Rules.

Security Services

The following security services and features are capable of utilizing DPI-SSL:
• Gateway Anti-Virus
• Gateway Anti-Spyware
• Intrusion Prevention
• Content Filtering
• Application Firewall
• Packet Capture
• Packet Mirror

DEPLOYMENT SCENARIOS

DPI-SSL has two main deployment scenarios:
• Client DPI-SSL: Used to inspect HTTPS traffic when clients on the SonicWall security appliance's LAN access content located on the WAN. Exclusions to DPI-SSL can be made on a common-name or category basis.
• Server DPI-SSL: Used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the SonicWall security appliance's LAN.

The DPI-SSL feature is available in SonicOS Enhanced 5.6 and higher.

Proxy Deployment

DPI-SSL supports proxy deployment, where all client browsers are configured to redirect to a proxy server and an appliance sits between the client browsers and the proxy server. All DPI-SSL features are supported in this scenario, including domain exclusions when the domain is part of a virtual hosting server or, in some cloud deployments, when the same server IP is used by multiple domains.

Additionally, typical data center server farms are fronted by a load balancer and/or reverse SSL proxy to offload SSL processing from the servers. When a load balancer in front of the servers does the decryption, the appliance usually sees only the IP of the load balancer; the load balancer decrypts the content and determines which server to assign the connection to. Because one IP can therefore serve many domains, an exclusion decision remembered per server IP would be wrong for the other domains behind that IP. DPI-SSL has a global policy option to disable the IP-based exclusion cache, and exclusions continue to work when the cache is off.

CUSTOMIZING DPI-SSL

IMPORTANT: Add the NetExtender SSL VPN gateway to the DPI-SSL IP address exclusion list. NetExtender traffic is PPP-encapsulated, so having DPI-SSL decrypt such traffic does not produce meaningful results.

In general, the policy of DPI-SSL is to inspect any and all traffic that flows through the appliance. This might or might not meet your security needs, so DPI-SSL allows you to customize what is processed. DPI-SSL comes with a list (database) of built-in (default) domains excluded from DPI processing. You can add to this list at any time, remove any entries you have added, and toggle built-in entries between exclusion from and inclusion in DPI processing.

DPI-SSL also allows you to exclude or include domains by common name or category (for example, banking or health care). Excluded sites, whether by common name or category, are a security risk: exploit kits delivered from an excluded site reach client machines without inspection, and a man-in-the-middle attacker can present a fake server certificate for an excluded name to an unsuspecting client. To reduce that risk, DPI-SSL allows excluded sites to be authenticated (their server certificate validated) before the exclusion takes effect.

As the percentage of HTTPS connections in your network increases and new HTTPS sites appear, even the latest SonicOS version cannot contain a complete list of built-in/default exclusions. Some HTTPS connections fail when DPI-SSL interception occurs because of how a new client application or the server is implemented, and these sites may need to be excluded on the appliance to provide a seamless user experience. SonicOS keeps a log of these failed connections that you can use to troubleshoot and to add trusted entries to the exclusion list.

In addition to excluding/including sites, DPI-SSL provides both a global authentication policy and a granular exception policy to the global one. For example, with a global policy to authenticate connections, some connections that are in essence safe may be blocked, such as those to servers with new trusted CA certificates or with the self-signed server certificate of a private (local-to-enterprise) secure cloud solution. The granular option allows you to exclude individual domains from the global authentication policy.

You can configure exclusions for a domain that is part of a list of domains served by the same server certificate. Some server certificates contain multiple domain names, and you may want to exclude just one of them without excluding every domain covered by that certificate. For example, you can exclude youtube.com without excluding any other domain such as google.com, even though *.google.com is the common name of the server certificate that lists youtube.com as an alternate domain in its Subject Alternative Name extension.
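The exclusion logic just described, as an added example that is not part of the SonicWall guide and is not SonicOS code: a small POSIX shell model, using OpenSSL to build two constructed test certificates, of how a common-name exclusion for youtube.com is decided per requested hostname (the SNI in the Client Hello) rather than per certificate, and why an excluded name is still inspected when the server's certificate does not actually cover it (the "authenticate before exclusion" idea above). The host names, file names and the exact decision rule are assumptions for illustration; the appliance's internal matching may differ.

```shell
#!/bin/sh
# Added example (not SonicWall code): model the DPI-SSL common-name exclusion
# decision. Exclusions are keyed on the name the client asked for (SNI), not on
# the certificate's Subject CN, and an excluded name is bypassed only when the
# server's certificate genuinely covers it. Host names are illustrative.
# Requires OpenSSL 1.1.1 or later.
set -euf   # -f keeps "*.google.com" from being glob-expanded
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# mkcert BASE CN SANLIST: constructed self-signed test certificate (not a real site cert)
mkcert() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\n' \
    "$2" "$3" > "$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
# The guide's scenario: one certificate with CN *.google.com and youtube.com in the SAN.
mkcert "$WORK/google" '*.google.com' 'DNS:*.google.com,DNS:youtube.com'
# A certificate that does not cover youtube.com at all (e.g. a spoofing server).
mkcert "$WORK/other"  'mail.example.net' 'DNS:mail.example.net'

# cert_names CERT: every DNS name the certificate is valid for (CN plus SAN entries)
cert_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p; s/.*DNS:\([^, ]*\).*/\1/p' \
    | sort -u
}

# name_matches HOST PATTERN: exact match, or a *.example.com wildcard matching
# exactly one extra label (*.google.com matches www.google.com, not google.com)
name_matches() {
  case "$2" in
    \*.*) case "$1" in *.*) [ "${1#*.}" = "${2#\*.}" ] ;; *) return 1 ;; esac ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# cert_covers CERT HOST: does the certificate authenticate HOST?
cert_covers() {
  for n in $(cert_names "$1"); do
    name_matches "$2" "$n" && return 0
  done
  return 1
}

# dpi_decision SNI CERT EXCLUSION...: "exclude" only when the requested name is on
# the exclusion list AND the presented certificate covers it; otherwise "inspect".
dpi_decision() {
  sni=$1; cert=$2; shift 2
  for ex in "$@"; do
    if name_matches "$sni" "$ex" && cert_covers "$cert" "$sni"; then
      echo exclude; return 0
    fi
  done
  echo inspect
}

echo "youtube.com    via Google cert: $(dpi_decision youtube.com    "$WORK/google.crt" youtube.com)"  # exclude
echo "www.google.com via same cert  : $(dpi_decision www.google.com "$WORK/google.crt" youtube.com)"  # inspect
echo "youtube.com    via other cert : $(dpi_decision youtube.com    "$WORK/other.crt"  youtube.com)"  # inspect
```

Running it prints exclude for youtube.com presented with the Google certificate, inspect for www.google.com over that same certificate (the exclusion does not leak to the other names in the SAN), and inspect for youtube.com presented with a certificate that does not name it, which is the man-in-the-middle case the guide warns about. The wildcard rule matches a single label, as browsers do.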

Connections per Appliance Model

The following table shows each platform and the maximum number of concurrent connections on which the appliance can perform Client DPI-SSL inspection.

Maximum concurrent connections per platform supported by Client DPI-SSL

Hardware Model   Max Concurrent DPI-SSL Connections   Hardware Model   Max Concurrent DPI-SSL Connections
SM 9600          12,000                               TZ600            250
SM 9400          10,000                               TZ500            250
SM 9200          8,000                                TZ500W           250
NSA 6600         6,000                                TZ400            250
NSA 5600         4,000                                TZ400W           250
NSA 4600         3,000                                TZ300            250
NSA 3600         2,000                                TZ300W           250
NSA 2600         1,000                                SOHO W           100

Configuring Client SSL

The Client DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN. In the Client DPI-SSL scenario, the SonicWall firewall appliance typically does not own the certificates and private keys for the content it is inspecting. After the appliance completes a DPI-SSL inspection, it rewrites the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration. By default, this is the SonicWall certificate authority (CA) certificate; a different certificate can be specified. Users should be instructed to add the re-signing CA certificate to their browser's trusted list to avoid certificate trust errors.

The following sections describe how to configure Client DPI-SSL:
• Configuring General Client DPI-SSL Settings
• Selecting the Re-Signing Certificate Authority
• Configuring the Inclusion/Exclusion List
• Application Firewall

SELECTING THE RE-SIGNING CERTIFICATE AUTHORITY

By default, DPI-SSL uses the Default SonicWall DPI-SSL CA Certificate to re-sign traffic that has been inspected. Optionally, you can specify that another certificate is used. To use a custom certificate, you must first import the certificate to the SonicWall firewall appliance:

1 Navigate to the System > Certificates page.
2 Click Manage Certificates.
3 Click Import.
4 Select Import a local end-user certificate with private key from a PKCS#12 (.p12 or .pfx) encoded file.
5 Enter the password that protects the file and click Import.

After the certificate has been imported, you must configure it on the Client DPI-SSL page:

1 Navigate to the DPI-SSL > Client SSL page.
2 Scroll down to the Certificate Re-Signing Authority section and select the certificate from the pull-down menu.
3 Click Update.

For help with creating PKCS-12 formatted files, see Creating PKCS-12 Formatted Certificate File.

CONFIGURING THE INCLUSION/EXCLUSION LIST

By default, DPI-SSL applies to all traffic on the appliance when it is enabled. You can configure an Inclusion/Exclusion list to customize which traffic DPI-SSL inspection applies to:
• Exclusion/Inclusion lists exclude/include specified objects and groups
• Common Name exclusions exclude specified host names
• CFS Category-based Exclusion/Inclusion excludes or includes specified categories based on CFS categories

This customization allows individual exclusion/inclusion of alternate names for a domain that is part of a list of domains covered by the same server certificate. In deployments that process a large amount of traffic, it can be useful to exclude trusted sources to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

NOTE: If DPI-SSL is enabled on the firewall when using Google Drive, Apple iTunes, or any other application with pinned certificates, the application may fail to connect to the server, because the re-signed certificate does not match the pin. To allow the application to connect, exclude the associated domains from DPI-SSL; for example, to allow Google Drive to work, exclude:
• .google.com
• .googleapis.com
• .gstatic.com
As Google uses one certificate for all its applications, excluding these domains allows Google applications to bypass DPI-SSL. Alternatively, exclude the client machines from DPI-SSL.

Topics:
• Excluding/Including Objects/Groups
• Excluding/Including by Common Name
• Specifying CFS Category-based Exclusions/Inclusions
• Adding Trust to the Browser
• Creating PKCS-12 Formatted Certificate File
• Application Firewall

Excluding/Including Objects/Groups

To customize DPI-SSL client inspection:

1 Click the Inclusion/Exclusion drop-downs on the DPI-SSL > Client SSL page.
2 From the Address Object/Group Exclude and Include drop-down menus, select an address object or group to exclude from or include in DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.
TIP: The Include drop-down menu can be used to fine-tune the specified exclusion list. For example, selecting the Remote-office-California address object in the Exclude drop-down menu and the Remote-office-Oakland address object in the Include drop-down menu excludes the California offices except Oakland, which is still inspected.
3 From the Service Object/Group Exclude and Include drop-down menus, select a service object or group to exclude from or include in DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.
4 From the User Object/Group Exclude and Include drop-down menus, select a user object or group to exclude from or include in DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.
5 Click Update.

Excluding/Including by Common Name

You can add trusted domain names to the exclusion list. Adding trusted domains to the built-in exclusion database reduces the CPU impact of DPI-SSL and helps prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

Topics:
• Excluding/Including Common Names
• Removing Custom Common Names
• Showing Connection Failures

Excluding/Including Common Names

To exclude/include entities by common name:

1 On the DPI-SSL > Client SSL page, scroll down to the Common Name: Exclusions/Inclusions section.
2 Select from the following options:
  • The Common Name Exclusions section is used to add domain names to the exclusion list. To add a domain name, type it in the text box and click Add.
  • The Common Name Inclusions section is used to add domain names to the inclusion list. To add a domain name, type it in the text box and click Add.
3 Click Update to confirm the configuration.

Removing Custom Common Names

To remove custom common names:

1 Do one of the following:
  • Click a custom common name's Remove icon in the Configure column.
  • Select the name in the Exclusions list, and then click Remove.
  • Click Remove All to delete all custom common names. A confirmation message displays. Click OK.
2 Click Update.

Showing Connection Failures

GMS keeps a list of recent DPI-SSL client-related connection failures. This feature:
• Lists DPI-SSL failed connections.
• Allows you to audit the failed connections.
• Provides a mechanism to exclude failing domains directly from the list.

The dialog displays the run-time connection failures. A connection can fail for any of the following reasons:
• Failure to handshake with the client
• Failure to handshake with the server
• Failure to validate the domain name in the Client Hello
• Failure to authenticate the server (the server certificate issuer is not trusted)

The failure list is only available at run-time. The number logged for each failure type is limited to ensure a single failure type does not overrun the entire buffer.

To use the connection failure list:

1 Click Show Connection Failures. Each entry in the list displays the:
  • Client Address
  • Server Address
  • Common Name – The common name of the failed connection's domain. You can edit this entry inline before adding it to the exclusion list.
  • Error Message – Provides contextual information about the failure that helps you decide whether excluding this domain is appropriate. A server-authentication failure (untrusted issuer) can indicate an interception attempt as well as a private CA, so confirm why the certificate is untrusted before excluding the domain.
2 To add an entry to the exclusion list:
  a Select the entry.
  b Make any edits to the entry.
  c Click Exclude.
3 To delete an entry:
  a Select it.
  b Click Clear.
4 To delete all entries, click Clear All.
5 When you have finished, click Close.

Specifying CFS Category-based Exclusions/Inclusions

You can exclude/include entities by content filter categories.

Content Filtering

To apply SonicWall Content Filtering to HTTPS and SSL-based traffic using DPI-SSL, complete the following steps:

1 Navigate to the DPI-SSL > Client SSL page.
2 Select Enable SSL Client Inspection and Content Filter.
3 Click Update.
4 Navigate to the Content Filter Category Inclusions/Exclusions page. The status of the list is shown at the top of the tab.
5 Select the appropriate categories to be blocked.
6 Click Update.
7 Navigate to a blocked site using the HTTPS protocol to verify that it is properly blocked.
NOTE: For content filtering over DPI-SSL, the first time HTTPS access is blocked a blank page is displayed. If the page is refreshed, the SonicWall block page appears.
8 Select whether you want to include or exclude the selected categories by clicking either the Include (default) or Exclude radio button. By default, all categories are deselected.
9 Select the categories to be included/excluded. To select all categories, click Select all Categories.
10 Optionally, repeat Step 8 and Step 9 to create the opposite list.
11 Optionally, to exclude a connection if the content filter category information for a domain is not available to DPI-SSL, select Exclude connection if Content Filter Category is not available. This option is not selected by default.
12 In most cases, category information for an HTTPS domain is available locally in the firewall cache. When the category information is not locally available, DPI-SSL obtains it from the cloud without blocking the client or server communication. In rare cases, the category information is not available for DPI-SSL to make a decision. By default, such sites are inspected by DPI-SSL; with the option in Step 11 selected, they bypass inspection instead, so leave it unselected unless the uncategorized sites in your environment are known to be trusted.
13 Click Update.

Adding Trust to the Browser

The previous sections described how to configure a re-signing certificate authority. For the re-signing CA to successfully re-sign certificates, browsers must trust it, which is established by importing the re-signing CA certificate into the browser's trusted CA list:
• Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard guides you through importing the certificate.
• Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure Trust this CA to identify websites is selected, and click OK.
• Mac: Double-click the certificate file, select the Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.
Distribute only the CA certificate (the public half) to browsers, never the PKCS-12 bundle that contains the private key; the key must exist only on the appliance.

Creating PKCS-12 Formatted Certificate File

A PKCS-12 formatted certificate file can be created on a Linux system with OpenSSL. To create a PKCS-12 formatted certificate file, you need the two main components of the certificate:
• A private key (typically a file with a .key extension or the word key in the filename)
• A certificate with a public key (typically a file with a .crt extension or the word cert in the filename)

For example, the Apache HTTP server on Linux has its private key and certificate in the following locations:
• /etc/httpd/conf/ssl.key/server.key
• /etc/httpd/conf/ssl.crt/server.crt

With these two files available, run the following command:

openssl pkcs12 -export -out out.p12 -inkey server.key -in server.crt

In this example, out.p12 becomes the PKCS-12 formatted certificate file, and server.key and server.crt are the PEM formatted private key and certificate file, respectively. After running the command, you are prompted for the password to protect/encrypt the file. After the password is chosen, the PKCS-12 formatted certificate file is complete and can be imported into the SonicWall firewall appliance.

Note that a certificate used as the Client DPI-SSL re-signing authority must be a CA certificate (basicConstraints CA:TRUE), because it issues the rewritten server certificates. A web server's own leaf certificate, such as the Apache server.crt above, is rejected as an issuer by standard certificate validation, so browsers will not trust what it re-signs. Use a dedicated private CA for re-signing and protect its key accordingly: anyone holding that key can impersonate any HTTPS site to your users.
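An added, end-to-end version of the procedure above (not from the SonicWall guide and not SonicOS code): it generates a dedicated re-signing CA with OpenSSL, exports it as a PKCS#12 bundle with the same pkcs12 command, reads the bundle back, and then shows that the CA can issue (re-sign) a server certificate that verifies against it, while a plain web-server certificate like the Apache server.crt cannot act as a CA. The organization name, file names and the P12_PASS variable are assumptions; requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not SonicWall code): build a DPI-SSL re-signing CA, export it as
# a PKCS#12 bundle as the guide describes, read the bundle back, and show which
# kind of certificate can actually act as a re-signing authority. Names, paths and
# the password variable are assumptions for illustration. Needs OpenSSL 1.1.1+.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
P12_PASS=${P12_PASS:-changeit}   # assumed export password; use a strong one in practice

# make_ca DIR: private key + self-signed certificate with basicConstraints CA:TRUE
# and keyCertSign, the properties that let it issue (re-sign) server certificates.
make_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = Example DPI-SSL Re-Signing CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
    -keyout "$1/dpi-ca.key" -out "$1/dpi-ca.crt" >/dev/null 2>&1
}

# make_server DIR: constructed web-server key and certificate standing in for the
# guide's Apache server.key/server.crt; a leaf certificate carries CA:FALSE.
make_server() {
  printf '[req]\ndistinguished_name = dn\nx509_extensions = leaf\nprompt = no\n[dn]\nCN = www.example.net\n[leaf]\nbasicConstraints = CA:FALSE\n' > "$1/srv.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/srv.cnf" \
    -keyout "$1/srv.key" -out "$1/srv.crt" >/dev/null 2>&1
}

# export_p12 DIR: the guide's pkcs12 command, with the password supplied non-interactively
export_p12() {
  openssl pkcs12 -export -out "$1/dpi-ca.p12" -inkey "$1/dpi-ca.key" -in "$1/dpi-ca.crt" \
    -passout "pass:$P12_PASS"
}

# p12_subject FILE: subject of the certificate inside the bundle (proves it reads back)
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject
}

# resign DIR SIGNER OUT: what DPI-SSL does per site, simplified: a fresh key pair and
# a certificate for the server's name, signed by SIGNER (dpi-ca or srv).
resign() {
  [ -f "$1/resign.csr" ] || openssl req -new -newkey rsa:2048 -nodes -config "$1/srv.cnf" \
    -keyout "$1/resign.key" -out "$1/resign.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/resign.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3" >/dev/null 2>&1
}

# is_ca CERT -> yes/no from basicConstraints
is_ca() {
  if openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
  then echo yes; else echo no; fi
}

# chain_ok TRUSTED CERT -> ok/fail: would a client that trusts TRUSTED accept CERT?
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_ca "$WORK"; make_server "$WORK"; export_p12 "$WORK"
resign "$WORK" dpi-ca resigned-by-ca.crt
resign "$WORK" srv    resigned-by-leaf.crt
echo "bundle holds     : $(p12_subject "$WORK/dpi-ca.p12")"
echo "dpi-ca.crt is CA : $(is_ca "$WORK/dpi-ca.crt")"                                # yes
echo "srv.crt is CA    : $(is_ca "$WORK/srv.crt")"                                   # no
echo "re-signed by CA  : $(chain_ok "$WORK/dpi-ca.crt" "$WORK/resigned-by-ca.crt")"  # ok
echo "re-signed by leaf: $(chain_ok "$WORK/srv.crt" "$WORK/resigned-by-leaf.crt")"   # fail
```

The last line is the point of the exercise: a certificate re-signed with the Apache-style leaf fails validation (OpenSSL reports an invalid CA certificate) even when that leaf is the trust anchor, so only dpi-ca.p12 is a usable import for the Certificate Re-Signing Authority. OpenSSL 3 protects the bundle with AES-256-CBC and PBKDF2 by default; if an importer only understands the older PKCS#12 encryption, re-export with -legacy (OpenSSL 3) or with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES.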

CLIENT DPI-SSL EXAMPLES

The following sections provide configuration examples:
• Application Firewall

Application Firewall

NOTE: Application Firewall is supported for appliances running SonicOS 5.8 and higher.

Enable Application Firewall on the Client DPI-SSL screen and on the Application Firewall > Policies screen:

1 Navigate to the DPI-SSL > Client SSL page.
2 Select Enable SSL Inspection and Application Firewall.
3 Click Update.
4 Navigate to the App Control > App Rules page.
5 Enable App Rules.
6 Configure an HTTP Client policy to block the Microsoft Internet Explorer browser.
7 Select block page as the action for the policy. Click Apply.
8 Access any website using the HTTPS protocol with Internet Explorer and verify that it is blocked.

DPI-SSL also supports application-level Bandwidth Management over SSL. Application Firewall HTTP bandwidth management policies also apply to content that is accessed over HTTPS when DPI-SSL is enabled for Application Firewall.

Configuring Server SSL

The Server DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the SonicWall security appliance's LAN. Server DPI-SSL allows you to configure pairings of an address object and a certificate. When the appliance detects SSL connections to the address object, it presents the paired certificate and negotiates SSL with the connecting client. Afterward, if the pairing defines the server to be cleartext, a standard TCP connection is made to the server on the original (post NAT remapping) port. If the pairing is not defined to be cleartext, an SSL connection to the server is negotiated. This allows for end-to-end encryption of the connection.

In this deployment scenario, the owner of the SonicWall firewall appliance also owns the certificates and private keys of the original content servers. The administrator must import the server's original certificate onto the SonicWall firewall appliance and create the appropriate server IP address to server certificate mappings in the Server DPI-SSL UI.

The following sections describe how to configure Server DPI-SSL:
• Configuring General Server DPI-SSL Settings
• Configuring the Exclusion List
• Configuring Server-to-Certificate Pairings
• SSL Offloading

CONFIGURING GENERAL SERVER DPI-SSL SETTINGS

To enable Server DPI-SSL inspection, complete the following steps:

1 Navigate to the DPI-SSL > Server SSL page. The DPI-SSL Status section displays the status of the DPI-SSL license for the appliance.
2 Select Enable SSL Server Inspection.
3 Select the services that inspect the decrypted traffic: Intrusion Prevention, Gateway Anti-Virus, Gateway Anti-Spyware, and Application Firewall.
4 Click Update.
5 Scroll down to the SSL Servers section to configure the server or servers to which DPI-SSL inspection is applied. See Configuring Server-to-Certificate Pairings.
NOTE: The SSL Servers section is available only at the unit level.



CONFIGURING THE EXCLUSION LIST

By default, DPI-SSL applies to all traffic on the appliance when it is enabled. You can configure an Inclusion/Exclusion list to customize which traffic DPI-SSL inspection applies to. The Inclusion/Exclusion list lets you specify certain objects, groups, or hostnames. In deployments that process a large amount of traffic, it can be useful to exclude trusted sources in order to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

The Inclusion/Exclusion section of the Server SSL page contains two options for specifying the exclusion list:
• On the Address Object/Group line, select an address object or group from the Exclude pull-down menu to exempt it from DPI-SSL inspection.
• On the User Object/Group line, select a user object or group from the Exclude pull-down menu to exempt it from DPI-SSL inspection.
NOTE: The Include pull-down menu can be used to fine-tune the specified exclusion list. For example, selecting the Remote-office-California address object in the Exclude pull-down and the Remote-office-Oakland address object in the Include pull-down excludes the California offices except Oakland, which is still inspected.

CONFIGURING SERVER-TO-CERTIFICATE PAIRINGS

Server DPI-SSL inspection requires that you specify which certificate is presented to clients for each server whose traffic is inspected. To configure a server-to-certificate pairing, complete the following steps:

1 Nav igate to the DPI-SSL > Server SSL page and scroll down to the SSL Servers section.
NOTE: The SSL Servers section is available only at the unit level, not at the group level.
2 Click Add.
3 In the Address Object/Group pull-down menu, select the address object or group for the server or servers that you want to apply DPI-SSL inspection to.
4 In the SSL Certificate pull-down menu, select the certificate (imported with its private key) that the appliance presents for the server. This should be the server's own certificate, so that clients see the name and issuer they expect. For information on importing a certificate to the appliance, see Selecting the Re-Signing Certificate Authority. For information on creating the PKCS-12 file, see Creating PKCS-12 Formatted Certificate File.
5 Select Cleartext to enable SSL offloading. See SSL Offloading for more information.
6 Click Add.

SSL OFFLOADING

When adding server-to-certificate pairs, a Cleartext option is available. This option indicates that the portion of the TCP connection between the SonicWall firewall appliance and the local server is in the clear, without the SSL layer, so SSL processing is offloaded from the server to the appliance. For such a configuration to work, a NAT policy must be created on the Network > NAT Policies page to map traffic destined for the offload server from an SSL port to a non-SSL port. For example, for HTTPS traffic with SSL offloading, an inbound NAT policy remapping traffic from port 443 to port 80 must be created. Because the appliance-to-server leg is then unencrypted, keep that path on a segment the appliance and server share rather than crossing untrusted networks.

Configuring Capture ATP

About Capture ATP

Capture Advanced Threat Protection (ATP) is sold as an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV). Capture ATP helps a firewall identify whether a file is malicious by transmitting the file to the cloud, where the SonicWall Capture ATP service analyzes the file to determine whether it contains a virus or other malicious elements. Capture ATP then sends the results to the firewall. This is done in real time while the file is being processed by the firewall.

The firewall is located at the customer premises, while the Capture ATP server and database are located at a SonicWall facility. The firewall creates a secure connection with the Capture ATP cloud service before transmitting data.

Before you can enable Capture ATP, you must first get a license and enable the Gateway Anti-Virus (GAV) service. The settings you choose for GAV, such as the protocols to scan for files or the IPs to exclude from scanning, also apply to the Capture ATP service.

All files that are submitted to Capture ATP for analysis are first subjected to preprocessing. Files can be rejected or passed based on preprocessing: if preprocessing determines a file to be malicious or benign, the file is not analyzed by Capture ATP. If the GAV service cannot determine during Capture preprocessing whether a file is malicious or benign, the file is submitted to Capture ATP for analysis.

The Block file download until a verdict is returned option ensures that no packets get through until the file is completely analyzed and determined to be either malicious or benign. This option only applies to HTTP/HTTPS downloads. The file is held until the last packet is analyzed. If the file has malware, the last packet is dropped and the file is blocked permanently. Once a file is blocked permanently, there is no way to recover it or analyze it again.
Capture ATP provides a file analysis report (threat report) with detailed threat behavior information. If the Block file download until a verdict is returned option is not enabled, the threat report provides the information necessary to respond to a threat or infection. When a file is determined to be malicious, the threat intelligence is incorporated into the other SonicWall security services, such as GAV and Cloud Anti-Virus, so that other firewalls benefit within 48 hours.

All files are sent to the Capture ATP cloud over an encrypted connection. SonicWall does not keep the files. All files, whether malicious or benign, are removed from the Capture ATP server after they are analyzed, except for executable files that contain malware. Executable files that are determined to be malicious are sent to the SonicWall threat research facility for further analysis, but they are also removed after a certain time period. The SonicWall privacy policy can be accessed at: http://www.mysonicwall.com/privacypolicy.aspx

NOTE: For App Rules policies, a new Bypass Capture ATP option is available as an Action Object. This option provides a way to skip the Capture ATP analysis in specific cases when you know the file is free of malware. This option does not prevent GAV and Cloud Anti-Virus from examining the file.

Capture ATP must be configured on each firewall individually. After the Capture ATP service license is activated, you can enable Capture ATP on the Capture ATP > Settings page.

Topics:
• Licensing Capture ATP
• Configuring Capture ATP settings
• Uploading a file for analysis

LICENSING CAPTURE ATP

This section describes how to license and activate the Capture ATP feature on your SonicWall appliance. The Capture ATP license requires that the Gateway Anti-Virus service is also licensed. You must enable Gateway Anti-Virus before you can enable Capture ATP.

Topics:
• Activating a Capture ATP license
• Enabling GMS services
• Disabling Gateway Anti-Virus or Cloud Anti-Virus

Activating a Capture ATP license

When the Capture ATP service license is activated, Capture ATP appears in the GMS left navigation panel below DPI-SSL. If Capture ATP is not licensed, it does not appear in the left nav at all. You can activate the license from the Register/Upgrades > Services Licenses page.

NOTE: Capture ATP requires the Gateway Anti-Virus service, which must also be licensed on the firewall.

There are several ways you can activate the Capture ATP service license. See the following sections:
• Activating the license from the firewall
• Licensing on MySonicWall directly
• Enabling GMS services

Activating the license from the firewall

You can activate the license from the firewall SonicOS System > License page.

To activate a Capture ATP license on your firewall:

1 Log in to the firewall SonicOS System > License page.

2 Click Manage Licenses to log in to MySonicWall.com (www.MySonicWall.com) and Activate, Upgrade, or Renew services with the click here link.

3 Enter your MySonicWall credentials in the login page that displays.

4 In MySonicWall on the Service Management page, scroll down to the Applicable Services section, locate the Capture Advanced Threat Protection service or a combined service that includes it, and click one of the following:
• Try - Click Try to get a 30-day free trial.
• Activate - Click Activate if you already have a license key from your SonicWall distributor or a previous transaction. Then:
  • Enter your license key in the Capture Advanced Threat Protection Activation Key field.
  • Select the nearest location from the Data Center nearest to you drop-down list.
  • Click Submit.

Upon completion, you are returned to the firewall SonicOS System > License page. The System > Status page also displays the updated license status.

5 The Capture ATP menu heading appears in the left navigation pane under DPI-SSL. Clicking on it displays a message to enable the service.

You are now ready to enable and use the Capture ATP service.

Licensing on MySonicWall directly

You can also purchase a Capture ATP service license from MySonicWall directly, without logging into your firewall first.

To purchase a Capture ATP service license from MySonicWall:

1 In a browser, go to MySonicWall.com (www.MySonicWall.com) and enter your credentials to log in.

2 In the left navigation pane, click My Products.

3 Click the name of the firewall that you want to license for Capture ATP.

4 In the Service Management page, scroll down to the Applicable Services section and locate the Capture Advanced Threat Protection service or a combined service that includes it.

5 In the Action column for that row, click one of the following:
• Buy - Click Buy to purchase the service.
• Try - Click Try to get a 30-day free trial.
• Activate - Click Activate if you already have a license key from your SonicWall distributor or a previous transaction.

6 Follow the prompts to complete the transaction and license activation. Your firewall will synchronize licenses with MySonicWall.

NOTE: Click Synchronize on the Console > Licenses > Product Licenses page if Capture ATP does not appear in the GMS left nav pane after the Capture ATP service license is activated.

Enabling GMS services

Before you can enable Capture ATP, the Gateway Anti-Virus service must be enabled in GMS.

To enable the Gateway Anti-Virus and Cloud Anti-Virus Database services:

1 In GMS, go to the Security Services > Gateway Anti-Virus page.

2 Ensure that the checkboxes for Enable Gateway Anti-Virus and Enable Cloud Anti-Virus Database are selected. You can also choose the protocols that are used to scan for malicious files. The GAV protocol settings apply to both the GAV and Capture ATP services. GAV settings are also used to select or define address objects to exclude from GAV and Capture ATP scanning. If a file is not determined to be either malicious or benign by GAV during preprocessing, the file is submitted to Capture ATP for analysis, and if Capture ATP successfully analyzes the file, it creates a detailed threat analysis report that can be accessed from the Capture ATP > Status page.

3 (Optional) To configure the GAV protocol inspection settings, click Configure Gateway AV Settings and select the settings you want in the Gateway AV Settings dialog.

4 (Optional) If you want to use an exclusion list to prevent certain items from being scanned, select the checkbox for Enable Gateway AV Exclusion List.

5 To exclude certain address objects from scanning, select the Use Address Object radio button and click on the drop-down menu to select the address objects you want to add to the Gateway AV Exclusion List.

6 (Optional) To exclude any items from Cloud Anti-Virus filtering, click Cloud AV DB Exclusion Settings in the main Gateway Anti-Virus page.
  a In the Cloud AV Exclusions List dialog, type or paste each signature ID to be excluded into the Cloud AV Signature ID field and then click Add to add it to the List.
  b Optionally adjust the List by using Update, Remove, or Remove All.
  c When finished, click OK.

Disabling Gateway Anti-Virus or Cloud Anti-Virus

You can disable the Gateway Anti-Virus or Cloud Anti-Virus services by clearing the checkboxes for them on the Security Services > Gateway Anti-Virus page. If you disable either service while Capture ATP is enabled, a popup message is displayed warning you that Capture ATP is also disabled.

Capture ATP stops working when either Gateway Anti-Virus or Cloud Anti-Virus is disabled. For example, if Gateway Anti-Virus is not enabled, the Capture ATP > Settings page shows You must enable Gateway AntiVirus for Capture ATP to function, along with a manage settings link that takes you to the Security Services > Gateway Anti-Virus page where you can enable GAV.

CONFIGURING CAPTURE ATP SETTINGS

Topics:
• Basic setup checklist
• Bandwidth management
• Custom blocking behavior

Basic setup checklist

The Capture ATP > Settings page can appear in either enabled or disabled mode. When Capture ATP is enabled, the Capture ATP > Settings page appears in enabled mode.

The Capture ATP > Settings page has three main sections:
• Basic Setup Checklist
• Bandwidth Management
• Custom Blocking Behavior (aka: Block file download until a verdict is returned)

When Capture ATP is disabled, the Capture ATP > Settings page appears in disabled mode. In disabled mode, the Basic Setup Checklist is visible, but the other sections are dimmed. The Basic Setup Checklist lists the setup tasks and displays any error states that may be present.

The Basic Setup Checklist is always visible and displays four setup tasks:
• Service Status
• Gateway Anti-Virus status
• Cloud Anti-Virus Database status
• Inspected protocols

If there are any red warning icons, Capture ATP does not run properly, and the Capture ATP > Settings page appears in disabled mode.

Service Status

The first line in the Basic Setup Checklist is the Service Status, which indicates the overall state of the service. The following table describes the messages that can appear in the Basic Setup Checklist.

Table 1. Service Status messages

Icon | Message | Link | Action
Green check | Capture ATP service is enabled until renewal_date. | disable it | Clicking the disable it link turns off Capture ATP and changes the page to disabled mode. This action does not require that the user press the Accept button to apply this change.
Red warning | Capture ATP subscription is valid until renewal_date but the service is not currently enabled. | enable it | Clicking the enable it link turns on Capture ATP and changes the page to enabled mode. This action does not require that the user press the Accept button to apply this change.
Red warning | Capture ATP subscription expired on renewal_date. | renew it | Clicking the renew it link takes the user to MySonicWall to renew the service.

Gateway Anti-Virus status

The second line in the Basic Setup Checklist is the Gateway Anti-Virus Status, which indicates the state of the Gateway Anti-Virus service.

Table 2. Gateway Anti-Virus status messages

Icon | Message | Link | Action
Green check | Gateway Anti-Virus is enabled. | manage settings | Clicking manage settings takes the user to the Security Services > Gateway Anti-Virus page.
Red warning | You must enable Gateway Anti-Virus for Capture ATP to function. | manage settings | Clicking manage settings takes the user to the Security Services > Gateway Anti-Virus page.

Cloud Anti-Virus Database status

Table 3. Cloud Anti-Virus Database status messages

Icon | Message | Link | Action
Green check | Cloud Anti-Virus Database is enabled. | manage settings | Clicking manage settings takes the user to the Security Services > Gateway Anti-Virus page.
Red warning | You must enable Cloud Anti-Virus Database for Capture ATP to function. | manage settings | Clicking manage settings takes the user to the Security Services > Gateway Anti-Virus page.

Inspected protocols

The Inspected Protocols element also provides a manage settings link that takes you to the Security Services > Gateway Anti-Virus page. There, you can enable or disable inspection of specific network traffic protocols, including HTTP, FTP, IMAP, SMTP, POP, CIFS, and TCP Stream. Each protocol can be managed separately for inbound and outbound traffic.

The table below Inspected protocols shows the direction and the type of protocol being inspected.
• A green checkmark icon indicates that the protocol is being inspected.
• A red X icon indicates that the protocol is not being inspected.
• N/A indicates that inspection is not applicable to this protocol in this direction.

Bandwidth management

The Bandwidth Management section enables you to select the types of files that can be submitted to Capture ATP and to specify the maximum file size that can be submitted to Capture ATP.

The default option for the maximum file size is Use the default file size specified by the Capture Service (10240 KB). This specifies a file size limit of 10 megabytes (10 MB). If you select Restrict to KB, you can enter your own custom value. This value must be a non-zero value and must not be greater than the default limit.

For Choose an Address Object to exclude from Capture ATP, optionally select an address object from the drop-down list, or select the option to create a new address object. Members of the selected address object are excluded from inspection by the Capture ATP service.

Custom blocking behavior

The Custom Blocking Behavior section allows you to select either the Allow all files by default or the Block all files until a verdict is returned feature.

NOTE: The Block file download until a verdict is returned option only applies to HTTP and HTTPS downloads.

The default option is Allow file download while awaiting a verdict. This setting allows files to be downloaded without delay. The Block file download until a verdict is returned option should only be enabled if the strictest controls are desired. You can set email alerts or check the firewall logs to find out if the Capture service analysis determines that the file is malicious. A warning message appears when the blocking behavior is changed from Allow file download while awaiting a verdict to Block file download until a verdict is returned.

Clicking I agree, apply the setting enables the Block file download until a verdict is returned option. You also must click Accept for the change to take effect. Clicking the Never mind, do not apply link closes the dialog and leaves Allow file download while awaiting a verdict selected.

Viewing Capture ATP Status

The Capture Advanced Threat Protection (ATP) reports provide details on whether a file is malicious or not. The firewall transmits the file to the cloud, where the SonicWall Capture ATP service analyzes it to determine whether it contains a virus or other malicious elements.

NOTE: A Capture ATP service license is required to use the Capture ATP features. Before you can enable Capture ATP, the Gateway Anti-Virus and Cloud Anti-Virus Database services must be enabled in Analyzer.

Topics:
• Viewing the graph and log table
• Filtering the log table

VIEWING THE GRAPH AND LOG TABLE

The Capture ATP > Status page displays a graph and a log table that provide information for each file that has been scanned. Files can be uploaded to Capture ATP for scanning from this page by clicking Upload a file. If GMS is managing your firewalls from the WAN side, then files uploaded from this screen are sent directly to the Capture ATP server for scanning. The table at the bottom of this page shows (uploaded) in the Submitted by column for the files that were manually uploaded and scanned, and shows the firewall serial number in the Submitted by column for files sent by managed firewalls. Note that other pages under Capture ATP only show results for scanned files uploaded by managed firewalls.

The graph shows the number of files scanned for each day. The X axis represents time and shows only the last 30 days. Each tick is one day. The Y axis represents the number of files scanned. The percentage of malicious files found is represented by the color of each bar in the graph. The key shows the percentage that each color represents. Zero means no malicious files were found. Below the graph, the log table shows information for each file that has been scanned. You can customize what is displayed in the log table, by clicking the Add filter… link. The graph, log table, and filters are bound, and any interactions on one will affect the others.

When you hover over a bar, a popup shows the actual numbers of files scanned and malicious files found.

You can click on a single bar in the graph to set the filter for the log table to show the details of that bar only.

The log table allows you to scroll through the list of scanned files. If a scan fails, that row is dimmed. If a malicious file is found, that row is bolded. Clicking on any row opens the threat report. For more information about threat reports, see Viewing Threat Reports.

The heading for this page is dynamic and may appear in two states:
• When no filters are applied - Viewing n files scanned.
• When filters are applied - Viewing n files of n total scanned.

The columns for the log table are:
• The STATUS column displays these states:
  • scan pending - the scan is still in progress
  • clean - the scan has completed, but no judgment is confirmed yet
  • scan failed - the scan has failed
  • MALICIOUS - the scan has completed, and the judgment is malicious (the word MALICIOUS is displayed in small caps in a red tag with a warning symbol)
• The Filename column displays the name of the file.
• The Date column displays the date that the file was scanned.
• The Submitted by column displays the serial number of the firewall that submitted the file to Capture ATP.
• The Src column displays the source IP address where the file originated.
• The Dest column displays the destination IP address where the file was sent.

The columns can be sorted as follows:

Currently, the Date column can be sorted in ascending or descending order. The default sort order is reverse chronological order with the most recent items on top. The heading for a sorted column has a black background with an arrow indicating the direction of the sort. Clicking the column heading sorts that column and toggles it in ascending or descending order. The selected sort order is persistent as filters are added or removed.

FILTERING THE LOG TABLE

You can filter the entries in the log table by adding a filter that only displays certain criteria for a certain column, such as the status, date, or src, and so on.

To add a filter to the log table:

1 On the Capture ATP > Status page, click the Add filter... link. The filter builder bar appears.

2 Select the criteria you want from the drop-down menus:
  a From the first drop-down menu, select the column name, such as Status.
  b From the second drop-down menu, select the operator: is or is not.
  c From the third drop-down menu, select the appropriate criteria for the selected column.

3 Click Add. The filter builder bar disappears, and a filter tag is created.

NOTE: Only one type of filter can be applied to the log table at a time. The Add Filter... link reappears after the filter is added and the table results are updated immediately. If you press X, the filter tag disappears and the filter is not applied to the log table.
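The log table behaviour described above (the STATUS/Filename/Date/Submitted by/Src/Dest columns, a single is / is not filter, the Date-only sort defaulting to reverse chronological order, and the dynamic "Viewing n files ..." heading) can be modelled in a few lines. The following is an added example written for this guide, not GMS code; the LogRow type, the function names and the sample rows (with placeholder serial numbers and documentation-range IP addresses) are constructed for the illustration.

```python
# Added example, not GMS code: models the Capture ATP > Status log table
# filter, sort and heading rules on constructed rows.
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple


@dataclass
class LogRow:
    status: str          # "scan pending", "clean", "scan failed" or "MALICIOUS"
    filename: str
    scanned_on: date     # the Date column
    submitted_by: str    # firewall serial number, or "(uploaded)" for manual uploads
    src: str
    dest: str


# Constructed sample rows; serial numbers and addresses are placeholders.
SAMPLE_ROWS = [
    LogRow("clean", "invoice.pdf", date(2017, 3, 1), "SERIAL-A", "203.0.113.10", "192.0.2.25"),
    LogRow("MALICIOUS", "update.exe", date(2017, 3, 3), "SERIAL-A", "198.51.100.7", "192.0.2.40"),
    LogRow("scan failed", "big.iso", date(2017, 3, 2), "(uploaded)", "", ""),
    LogRow("scan pending", "report.docx", date(2017, 3, 3), "SERIAL-B", "203.0.113.77", "192.0.2.12"),
]

# Column name shown in the filter builder -> LogRow attribute
COLUMNS = {
    "Status": "status",
    "Filename": "filename",
    "Date": "scanned_on",
    "Submitted by": "submitted_by",
    "Src": "src",
    "Dest": "dest",
}


def apply_filter(rows: List[LogRow], column: str, operator: str, value) -> List[LogRow]:
    """Apply one filter tag: <column> is / is not <value>."""
    if operator not in ("is", "is not"):
        raise ValueError("operator must be 'is' or 'is not'")
    attr = COLUMNS[column]
    keep: Callable[[LogRow], bool]
    if operator == "is":
        keep = lambda r: getattr(r, attr) == value
    else:
        keep = lambda r: getattr(r, attr) != value
    return [r for r in rows if keep(r)]


def sort_by_date(rows: List[LogRow], descending: bool = True) -> List[LogRow]:
    """Only the Date column is sortable; the default is most recent first.
    sorted() is stable, so rows scanned on the same day keep their order."""
    return sorted(rows, key=lambda r: r.scanned_on, reverse=descending)


def heading(shown: int, total: int) -> str:
    """The page heading, which changes once a filter is applied."""
    if shown == total:
        return f"Viewing {total} files scanned."
    return f"Viewing {shown} files of {total} total scanned."


def view(rows: List[LogRow], column: Optional[str] = None, operator: Optional[str] = None,
         value=None, descending: bool = True) -> Tuple[str, List[str]]:
    """Return the heading and the filenames in display order for one filter (or none)."""
    shown = rows if column is None else apply_filter(rows, column, operator, value)
    shown = sort_by_date(shown, descending)
    return heading(len(shown), len(rows)), [r.filename for r in shown]


if __name__ == "__main__":
    print(view(SAMPLE_ROWS))
    print(view(SAMPLE_ROWS, "Status", "is", "MALICIOUS"))
```

Because only one filter tag exists at a time, `view` takes a single column/operator/value triple; the sort order is applied after filtering, which is why it persists as filters are added or removed.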

UPLOADING A FILE FOR ANALYSIS

You can upload files to be scanned using Upload File on the Capture ATP > Upload Files page.

To upload a file for scanning:

1 On the Reports | Capture ATP > Status page, click Upload a file. The Upload a file to be scanned dialog appears.

2 Click Browse, locate, and select the file you want to scan. If the upload completes successfully, this message is shown:

If upload fails, an error message is displayed. If it fails because of file size limitations, an error message similar to this is shown:

VIEWING THREAT REPORTS

When you click on any row in the logs table on the Capture ATP > Status page, the Capture ATP threat report appears in a new browser window. The report format varies depending on whether a full analysis was performed or the judgment was based on preprocessing.

Topics:
• Launching the threat report from the logs table
• Viewing the threat report header
• Viewing the threat report footer
• Viewing the static file information
• Viewing threat reports from preprocessing
• Viewing threat reports from a full analysis

Launching the threat report from the logs table

You can launch a threat report by clicking on any row in the logs table on the Capture ATP > Status page. Hovering your mouse pointer over a row highlights it, and you can click anywhere in the row to launch the threat report in a new browser window. An exception exists for archives which do not contain any supported file types. In this case, no threat report is launched.

Viewing the threat report header

The report header is very similar among the various threat reports. This section describes the header components and variations.

Colored banner:
• The colored banner is red for a malicious file, and blue for a clean file.
• The top entry displays the date and time that the file was submitted to Capture ATP for analysis.
• Below the date and time, a summary of the result is displayed.

Lower banner:
• The lower part of the banner contains the connection information.
• On the left is the IP address (IPv4) and port number of the connection source. This is the address from which the file was sent.
• In the middle is the firewall identified by its serial number or friendly name.
• On the right is the IP address (IPv4) and port number of the connection destination. This is the address to which the file is being sent.

Viewing the threat report footer

The report footer is very similar among the various threat reports.

The File Identifiers are displayed at the left side of the footer. The following file identifiers are displayed, one per line:
• MD5
• SHA1
• SHA256

On the right side of the footer, the following information is displayed:
• Serial Number - This is the serial number of the firewall that sent the file. This is not displayed if the file was manually uploaded.
• Capture ATP Version - This is the software version number of the Capture ATP service running in the cloud.
• Report Generated - This is the timestamp in UTC format of when the report was generated.

Viewing the static file information

The static file information is displayed on the left side of the threat report, and is similar across all types of reports.

The file information includes:
• File size in kilobits (kb)
• File type
• File name as it was intercepted by the firewall

Viewing threat reports from preprocessing

There are varying amounts of data on a preprocessor threat report, based on whether the file was found to be malicious or clean.

Preprocessor threat report for a malicious file:

The above threat report format is seen when the virus scans reveal malware in the file.

Preprocessor threat report for a clean file:

A clean threat report like the one shown above is seen in either of the following two cases:

Case one:
• Virus scans are inconclusive or all good.
• The file matches domain or vendor allow lists.

Case two:
• Virus scans are inconclusive or all good.
• No embedded code is present in the file.

See the following topics for more information about preprocessor reports:
• Analysis summary and status boxes in preprocessor reports
• Malware names in preprocessor reports

Analysis summary and status boxes in preprocessor reports

Preprocessor threat reports contain an Analysis Summary section on the left side, which summarizes the findings based on the four phases of analysis during preprocessing.

The results from the four phases of preprocessing are displayed in the status boxes.

Each phase results in a true or false outcome. The following table shows what happens in the process depending on the result of each phase of the preprocessing.

Four areas of preprocessor analysis

Preprocessor phase result | Virus scanners detect malware? | Vendor reputation - on Allow list? | Domain reputation - on Allow list? | Embedded code found in the file?
True | Malicious | Non-malicious | Non-malicious | Continue analysis
False | Continue analysis | Continue analysis | Continue analysis | Non-malicious

Some phase results trigger an immediate judgment of either Malicious or Non-malicious, as indicated in the above table. Otherwise, that phase ends with the “Continue analysis” state. If all phases of preprocessing result in the “Continue analysis” state, the file is sent to the cloud for full analysis by Capture ATP.

NOTE: The vendor reputation filter is only applicable to PE files, and the domain reputation might not be available for files delivered over SMTP. In these cases, the “Continue analysis” state is the phase result.
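The decision table above is small enough to encode directly, which makes it easy to check how a given combination of phase results (including a phase that does not apply, per the NOTE) ends up as Malicious, Non-malicious, or a submission for full analysis. The following is an added example written for this guide, not SonicWall code. The Verdict and PreprocessResult names are assumptions, as is the rule that phases are evaluated in the order the table lists them and the first immediate judgment ends preprocessing (consistent with the malicious and clean report cases described earlier in this section).

```python
# Added example, not SonicWall code: a model of the preprocessing decision table.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Verdict(Enum):
    MALICIOUS = "Malicious"
    NON_MALICIOUS = "Non-malicious"
    CONTINUE = "Continue analysis"  # inconclusive phase result


@dataclass
class PreprocessResult:
    """Raw true/false results of the four preprocessing phases for one file.
    None models a phase that does not apply (vendor reputation for non-PE
    files, domain reputation for files delivered over SMTP)."""
    virus_scanners_detect_malware: Optional[bool]
    vendor_on_allow_list: Optional[bool]
    domain_on_allow_list: Optional[bool]
    embedded_code_found: Optional[bool]


# One entry per column of the table: (phase, verdict if True, verdict if False)
PHASE_TABLE = [
    ("Virus scanners detect malware?", Verdict.MALICIOUS, Verdict.CONTINUE),
    ("Vendor reputation - on Allow list?", Verdict.NON_MALICIOUS, Verdict.CONTINUE),
    ("Domain reputation - on Allow list?", Verdict.NON_MALICIOUS, Verdict.CONTINUE),
    ("Embedded code found in the file?", Verdict.CONTINUE, Verdict.NON_MALICIOUS),
]


def phase_verdicts(result: PreprocessResult) -> List[Tuple[str, Verdict]]:
    """Map each phase result to the True or False row of the table.
    A phase that does not apply (None) ends in Continue analysis, as the NOTE states."""
    values = [
        result.virus_scanners_detect_malware,
        result.vendor_on_allow_list,
        result.domain_on_allow_list,
        result.embedded_code_found,
    ]
    verdicts = []
    for (phase, if_true, if_false), value in zip(PHASE_TABLE, values):
        if value is None:
            verdicts.append((phase, Verdict.CONTINUE))
        else:
            verdicts.append((phase, if_true if value else if_false))
    return verdicts


def preprocess(result: PreprocessResult) -> str:
    """Return 'Malicious', 'Non-malicious', or 'Full analysis'. The last means
    all four phases ended in Continue analysis, so the file goes to the cloud."""
    for _phase, verdict in phase_verdicts(result):
        if verdict is not Verdict.CONTINUE:
            return verdict.value
    return "Full analysis"


if __name__ == "__main__":
    # Constructed sample: scanners clean, no allow-list match, embedded code present
    sample = PreprocessResult(False, False, False, True)
    for phase, verdict in phase_verdicts(sample):
        print(f"{phase:38} {verdict.value}")
    print("Outcome:", preprocess(sample))
```

The sample in the `__main__` block is the combination that produces a full analysis report: scans inconclusive, no allow-list match, and embedded code present. Flipping any one of the first three phases to True, or the fourth to False, yields an immediate judgment instead.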



Malware names in preprocessor reports

If the virus scanners detect known malware in the file, all virus names are listed in the content area of the report.

Viewing threat reports from a full analysis

Full analysis threat reports provide the same set of information for both malicious and non-malicious files, although the banner color is different.

This Threat Report format is used when the following conditions occur:
• Virus scans are inconclusive or all good.
• Embedded code is present in the file.
• The file does not match domain or vendor allow lists.

See the following topics for more information about full analysis reports:
• Why live detonations were needed
• Status boxes in a full analysis threat report
• Analysis engine results tables

Why live detonations were needed

The left side of the full analysis threat report displays a summary of the preprocessing results as an explanation of why live detonations were needed. The term live detonations is used to indicate that one or more analysis engines and multiple environments were used to analyze the file in the cloud servers. The set of preprocessing results which lead to full analysis of the file is shown below:

Status boxes in a full analysis threat report

The status boxes in full analysis threat reports display status from preprocessing results as well as information about the analysis performed in the cloud servers.

Virus scanners:
• This is the number of Anti-Virus vendors used, regardless of the judgment from each.
• SonicWall Gateway Anti-Virus and Cloud Anti-Virus each count as one.
• Additional virus scanners from many AV products and online scan engines are included in the total.

Reputation databases:
• One is the vendors allowed list.
• One is the domains allowed list.

Detonation engines:
• This is the number of analysis engines used to analyze the file.
• One is the SonicWall analysis engine.
• Additional analysis engines from third-party vendors are included in the count.

Live detonations:
• This is the total number of environments used across all analysis engines.
• The environment is comprised of the analysis engine and the operating system on which it was run.

Analysis engine results tables

Under the status boxes, the full analysis threat report displays multiple tables showing the results from each analysis engine.

The engines are designated by names from the Greek alphabet, such as Alpha, Beta, Gamma, and so on. Each row represents a separate environment, and indicates the operating system in which the engine was executed. The overall score from the analysis in each environment is displayed in a highlighted box to the left of the operating system. The color of the box indicates whether the score triggered a malicious or non-malicious judgment:
• A score in a red box indicates a malicious judgment
• A score in a grey box indicates a non-malicious judgment

For each environment, the columns provide the analysis duration and a summary of actions once detonated:
• Time - The time taken by the analysis, using 's' for seconds, 'm' for minutes, and timeout if the analysis did not complete.
• Libraries - Cumulative count of malware libraries that were read during the analysis.
• Files - Cumulative count of files that were created, read, updated or deleted during the analysis.
• Registries - Cumulative count of OS registries that were read during the analysis.
• Processes - Cumulative count of processes that were created during the analysis.
• Mutexes - Cumulative count of mutual exclusion objects that were used during the analysis to lock a resource for exclusive access.
• Functions - Cumulative count of functions executed during the analysis.
• Connection - Cumulative count of network connections that were created during the analysis.

You can click any cell in the Summary of actions table to jump to the full data available further down in the report. Blank cells are not clickable.

The last column provides access to the full details of the analysis by the different engines:
• XML - Clicking here lets you open or save an XML file which contains all the detailed data behind the above counts.
• Screenshots - Clicking here lets you open or save a zip file of all the screenshots produced by the analysis.
• PCAP - A packet capture file in pcapNG or libpcap format with details about the connections opened during the analysis.

Configuring the Firewall VoIP

This chapter includes the following sections:
• Configuring Voice over IP Settings

Configuring Voice over IP Settings

To configure Voice over IP (VoIP) settings, complete the following steps:

1 Select the global icon, a group, or a SonicWall appliance.

2 Expand the Firewall tree and click VoIP. The VoIP page displays.

3 To enable secure NAT, select Use secure NAT.

4 Select Enable SIP Transformations to support translation of Session Initiation Protocol (SIP) messages.

TIP: By default, NAT translates Layer 3 addresses, but does not translate Layer 5 SIP/SDP addresses. Unless there is another NAT traversal solution that requires this feature to be turned off, it is highly recommended to enable SIP transformations.

After enabling SIP transformations, configure the following options:
  a Select Permit non-SIP packets on signaling port to enable applications such as Apple iChat and MSN Messenger, which use the SIP signaling port for additional proprietary messages. Enabling this check box might open your network to malicious attacks caused by malformed or invalid SIP traffic. This check box is disabled by default.
  b (SonicOS Enhanced only) Select Enable SIP Back-to-Back User Agent (B2BUA) support when the SonicWall security appliance can see both legs of a voice call (for example, when a phone on the LAN calls another phone on the LAN). This setting should only be enabled when the SIP Proxy Server is being used as a B2BUA.

TIP: If there is no possibility of the SonicWall security appliance seeing both legs of voice calls (for example, when calls are only made to and received from phones on the WAN), the Enable SIP Back-to-Back User Agent (B2BUA) support setting should be disabled to avoid unnecessary CPU usage.

• SIP Signaling inactivity time out (seconds) - Specifies the period of time that must elapse before timing out an inactive SIP session if no SIP signaling occurs (default: 1800 seconds or 30 minutes).
• SIP Media inactivity time out (seconds) - Specifies the period of time that must elapse before timing out an inactive SIP session if no media transfer activity occurs (default: 120 seconds or two minutes).
• Additional SIP signaling port (UDP) for transformations - Allows you to specify a nonstandard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VoIP services use different ports, such as 1560. Using this setting, the security appliance executes SIP transformation on these non-standard ports.

TIP: Vonage’s VoIP service uses UDP port 5061.

5 Select Enable H.323 Transformations to allow stateful H.323 protocol-aware packet content inspection and modification by the SonicWall. The SonicWall executes any dynamic IP address and transport port mapping within the H.323 packets, which is necessary for communication between H.323 parties in trusted and untrusted networks/zones. Clear this check box to bypass the H.323 specific processing done by SonicWall.

After enabling H.323 transformations, configure the following options:
• Only accept incoming calls from Gatekeeper - When selected, only incoming calls from the specified Gatekeeper IP address are accepted.
• Enable LDAP ILS Support - When selected, the SonicWall appliance supports Lightweight Directory Access Protocol (LDAP) and Microsoft Netmeeting’s Internet Locator Service (ILS).
• H.323 Signaling/Media inactivity time out (seconds) - Specifies how long the SonicWall appliance waits before closing a connection when no activity is occurring.
• Default WAN/DMZ Gatekeeper IP Address - Specifies the IP address of the H.323 Gatekeeper that acts as a proxy server between clients on the private network and the Internet.

6 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

Configuring Firewall Anti-Spam Settings

The Anti-Spam feature provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and anti-virus capabilities to your SonicWall firewall appliance. There are two primary ways inbound messages are analyzed by the Anti-Spam feature: Advanced IP Reputation Management and Cloud-based Advanced Content Management.

IP Address Reputation uses the GRID Network to identify the IP addresses of known spammers and reject any mail from those senders without even allowing a connection. GRID Network Sender IP Reputation Management checks the IP address of incoming connection requests against a series of lists and statistics to ensure that the connection has a probability of delivering valuable email. The lists are compiled using the collaborative intelligence of the SonicWall GRID Network. Known spammers are prevented from connecting to the SonicWall firewall appliance, and their junk email payloads never consume system resources on the targeted systems.

This includes the following:
• Activating Anti-Spam
• Configuring Anti-Spam Settings
• Configuring Anti-Spam Real-Time Black List Filtering

Activating Anti-Spam

To activate the Comprehensive Anti-Spam Service, complete the following steps:

1 Navigate to the Policies > Anti-Spam > Settings page.

2 Select Enable Anti-Spam Service to activate the Anti-Spam service. The Comprehensive Anti-Spam Service is now activated.

Configuring Anti-Spam Settings

You can configure the Comprehensive Anti-Spam Service on the Anti-Spam > Settings page, including installing the Junk Store and configuring email threat categories. See the following sections:
• Configuring the Email Threat Categories
• Configuring Email Domains
• Configuring User Defined Access Lists
• Configuring Advanced Options

CONFIGURING THE EMAIL THREAT CATEGORIES

The Email Threat Categories section enables you to configure the settings for users' messages. Choose settings for messages that contain spam, phishing, and virus issues. The default settings are:
• Likely Spam – Store in Junk Box
• Definite Spam – Permanently Delete
• Likely Phishing – Tag with [LIKELY PHISHING]
• Definite Phishing – Store in Junk Box
• Likely Virus – Store in Junk Box
• Definite Virus – Permanently Delete

Use the pull-down options to choose how to handle messages in each threat category. Your options are:

Message handling options

Response: Effect

Filtering off: SonicWall Anti-Spam service does not scan and filter any email, so all email messages in this category are delivered to the recipients without modification.

Tag With: The email is tagged with a term in the subject line, for example, [JUNK] or [Possible Junk?]. Selecting this option allows the user to have control of the email and junk it if it is unwanted.

Store in Junk Box: The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions.

Reject Mail: The email message is returned to the sender with a message indicating that it was not deliverable.

Permanently Delete: The email message is permanently deleted. CAUTION: If you select this option, your organization risks losing wanted email.

CONFIGURING USER DEFINED ACCESS LISTS User-defined Access Lists designate which clients are allowed to connect to deliver email. You can also set clients to be automatically rejected.

CONFIGURING ADVANCED OPTIONS

Click the down-arrow next to Advanced Options to expand this section.

Advanced options allow you to set the following:

Advanced options

Setting: Description

Allow / Reject delivery of unprocessed mails when Comprehensive Anti-Spam Service is unavailable: If the Anti-Spam service is not enabled or is unavailable for some other reason, you can choose Allow to let all unprocessed emails go through. Spam messages are delivered to users, as well as good email. If the setting is Reject, no email is delivered until the Anti-Spam service is re-enabled.

Tag and Deliver / Reject / Delete emails when SonicWall Junk Store is unavailable: If the SonicWall Junk Store cannot accept spam messages, you can choose to delete them, reject them, or deliver them with cautionary subject lines such as "[Phishing] Please renew your account".

Probe Interval: Set the number of minutes between messages to the monitoring service.

Probe Timeout: Set the number of seconds after which a probe to the monitoring service times out.

Success Count Threshold: Set the number of successes required to report a success to the monitoring service.

Failure Count Threshold: Set the number of failures required to report a failure to the monitoring service.

Server Public IP Address: The IP address of the server that is available for external connections.

Server Private IP Address: The IP address of the server for internal traffic.

Inbound Email Port: The port your SonicWall firewall appliance has open to receive email from outside sources.

Enable Email System Detection: Enables the detection of other anti-spam solutions in the network perimeter.

Use Destination Mail Server Private Address as Junk Store Address: Select this check box to use the destination mail server's private IP address as the Junk Store IP address.

Junk Store IP Address: Manually specify the Junk Store IP address by entering the desired IP address in the text field.

Configuring Anti-Spam Real-Time Black List Filtering

The Policies > Anti-Spam > RBL Filter page only allows configuration of Real-Time Black List filtering if the Anti-Spam Service is not enabled.

SMTP Real-Time Black List (RBL) is a mechanism for publishing the IP addresses that SMTP spammers use. A number of organizations compile this information, both for free (http://www.spamhaus.org) and for profit (http://www.mail-abuse.com). A well-maintained list of RBL services and their efficacy can be found at http://www.sdsc.edu/~jeff/spam/cbc.html.

NOTE: SMTP RBL is an aggressive spam filtering technique that can be prone to false positives because it is based on lists compiled from reported spam activity. The SonicOS implementation of SMTP RBL filtering provides a number of fine-tuning mechanisms to help ensure filtering accuracy.

RBL list providers publish their lists using DNS. Blacklisted IP addresses appear in the database of the list provider's DNS domain using the inverted IP notation of the SMTP server in question as a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates some type of undesirability:
• 127.0.0.2 - Open Relay
• 127.0.0.3 - Dialup Spam Source
• 127.0.0.4 - Spam Source
• 127.0.0.5 - Smart Host
• 127.0.0.6 - Spamware Site
• 127.0.0.7 - Bad List Server
• 127.0.0.8 - Insecure Script
• 127.0.0.9 - Open Proxy Server

For example, if an SMTP server with IP address 1.2.3.4 has been blacklisted by RBL list provider sbl-xbl.spamhaus.org, then a DNS query to 4.3.2.1.sbl-xbl.spamhaus.org returns a 127.0.0.4 response, indicating that the server is a known source of spam, and the connection is dropped.

NOTE: Most spam today is known to be sent from hijacked or zombie machines running a thin SMTP server implementation. Unlike legitimate SMTP servers, these zombie machines rarely retry failed delivery attempts. After the delivery attempt is blocked by the SonicWall RBL filter, no subsequent delivery attempts for that same piece of spam are made.

When Enable Real-time Black List Blocking is enabled on the Anti-Spam > RBL Filter page, inbound connections from hosts on the WAN, or outbound connections to hosts on the WAN, are checked against each enabled RBL service with a DNS request to the DNS servers configured under RBL DNS Servers.

The RBL DNS Servers menu allows you to specify the DNS servers. You can choose Inherit Settings from WAN Zone or Specify DNS Servers Manually. If you select Specify DNS Servers Manually, enter the DNS server addresses in the DNS Server fields.

The DNS responses are collected and cached. If any of the queries result in a blacklisted response, the server is filtered. Responses are cached using their TTL values, and non-blacklisted responses are assigned a cache TTL of two hours. If the cache fills up, cache entries are discarded in a FIFO (first-in, first-out) fashion.

The IP address check uses the cache to determine whether a connection should be dropped. Initially, IP addresses are not in the cache and a DNS request must be made. In this case the IP address is assumed innocent until proven guilty, and the check results in the connection being allowed. A DNS request is made and the results are cached in a separate task. When subsequent packets from this IP address are checked, if the IP address is blacklisted, the connection is dropped.
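The lookup and caching behaviour described above, written out as an added example (this is not SonicWall or GMS code). It builds the reversed-octet query name, maps the 127.0.0.x answer codes listed on this page, caches verdicts with the answer's TTL (two hours for a not-listed answer), evicts FIFO when the cache is full, and allows the first packet from an unknown address while the lookup is pending. The DNS "server" is a constructed in-memory table (FAKE_DNS) so the example runs offline; the answer it holds for the page's 1.2.3.4 example is constructed, not the result of a live query.

```python
"""RBL (DNS-based blacklist) lookup and verdict cache.

Added example, not SonicWall code. Models the RBL check this section describes;
the resolver is a constructed offline stand-in for the configured RBL DNS servers.
"""
import ipaddress
import time
from collections import OrderedDict

# Response codes as listed on this page
RBL_RESPONSE_CODES = {
    "127.0.0.2": "Open Relay",
    "127.0.0.3": "Dialup Spam Source",
    "127.0.0.4": "Spam Source",
    "127.0.0.5": "Smart Host",
    "127.0.0.6": "Spamware Site",
    "127.0.0.7": "Bad List Server",
    "127.0.0.8": "Insecure Script",
    "127.0.0.9": "Open Proxy Server",
}

NOT_LISTED_TTL = 2 * 60 * 60  # non-blacklisted answers are cached for two hours


def rbl_query_name(ip, zone):
    """Build the query name: the IP's octets in reverse order, prefixed to the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed offline stand-in for the RBL DNS servers: name -> (answer, ttl in seconds)
FAKE_DNS = {
    "4.3.2.1.sbl-xbl.spamhaus.org": ("127.0.0.4", 300),
}


def fake_resolve(name):
    """Return (answer, ttl), or None for NXDOMAIN (address not listed)."""
    return FAKE_DNS.get(name)


class RblCache:
    """Per-IP verdicts with TTL expiry and FIFO eviction when the cache is full."""

    def __init__(self, zones, resolve=fake_resolve, max_entries=1000, clock=time.time):
        self.zones = zones
        self.resolve = resolve
        self.max_entries = max_entries
        self.clock = clock
        self.entries = OrderedDict()  # ip -> (verdict, reason, expires_at)

    def lookup(self, ip):
        """Query every enabled zone and cache the outcome.

        Returns ("blocked", reason) on the first blacklisted answer, else ("allowed", None).
        """
        for zone in self.zones:
            answer = self.resolve(rbl_query_name(ip, zone))
            if answer is not None:
                code, ttl = answer
                reason = zone + ": " + RBL_RESPONSE_CODES.get(code, "unknown code " + code)
                self._store(ip, ("blocked", reason, self.clock() + ttl))
                return "blocked", reason
        self._store(ip, ("allowed", None, self.clock() + NOT_LISTED_TTL))
        return "allowed", None

    def _store(self, ip, entry):
        if ip in self.entries:
            del self.entries[ip]
        elif len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)  # evict the oldest entry (FIFO)
        self.entries[ip] = entry

    def check_connection(self, ip):
        """Per-packet decision that consults the cache only.

        An IP with no live cache entry is innocent until proven guilty: the packet
        is allowed and a lookup is issued (the appliance does that in a separate
        task; here it runs inline). Later packets see the cached verdict.
        """
        entry = self.entries.get(ip)
        if entry is None or entry[2] <= self.clock():
            self.lookup(ip)
            return "allowed"
        return entry[0]
```

Running `RblCache(["sbl-xbl.spamhaus.org"]).check_connection("1.2.3.4")` twice shows the effect the text describes: the first call returns "allowed" and the second "blocked", because the verdict is only available once the lookup has completed.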

ADDING RBL SERVICES You can add additional RBL services in the Real-time Black List Services section. To add an RBL service, click Add. In the Add RBL Domain window, you specify the RBL domain to be queried, enable it for use, and specify its expected response codes. Most RBL services list the responses they provide on their Web site, although selecting Block All Responses is generally acceptable. Statistics are maintained for each RBL Service in the RBL Service table, and can be viewed with a mouseover of the (statistics) icon to the right on the service entry.

USER-DEFINED SMTP SERVER LISTS The User Defined SMTP Server Lists section allows for Address Objects to be used to construct a white-list (explicit allow) or black-list (explicit deny) of SMTP servers. Entries in this list bypass the RBL querying procedure. For example, to ensure that you always receive SMTP connections from a partner site's SMTP server, create an Address Object for the server using Add, click the edit icon in the Configure column of the RBL User White List row, and add the Address Object. The table will be updated, and that server will always be allowed to make SMTP exchanges. The System > Diagnostics page also provides a Real-time Black List Lookup feature that allows for SMTP IP addresses (or RBL services, or DNS servers) to be specifically tested.

Configuring Firewall Virtual Private Networking

A Virtual Private Network (VPN) is a private data network that uses encryption technologies to operate over public networks. This contains the following:
• Viewing the VPN Summary
• Configuring VPN Settings
• Configuring VPNs in SonicOS Enhanced
• Configuring VPNs in SonicOS Standard
• Setting up the L2TP Server
• Monitoring VPN Connections
• Management of VPN Client Users
• VPN Terms and Concepts
• Using OCSP with SonicWall Security Appliances

VPN SA Management Overview

Each node in a network can exchange data by establishing a VPN tunnel or a Security Association (SA) with one or more other nodes. After a tunnel is established, the SA uses encryption and authentication keys to ensure data security and integrity.

A security key string is an encryption key that is used to encrypt and decrypt secure data. Both nodes must have the key to exchange data. For example, the announcer of the Little Orphan Show used the same key to encode the secret messages that the kids used to decode the messages.

Although an encrypted message cannot be read, it can be tampered with externally. Using an authentication key prevents external tampering. An authentication key is a hash function that is applied to the message content and is checked by the message recipient to verify the message was not modified in transit.

In order to ensure message security, it is very important that the security and authentication keys are not discovered by outside parties. Otherwise, the messages could be read in transit.
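The distinction the overview draws between the security key and the authentication key, as an added example (not SonicWall code). The stream cipher is a toy built from SHA-256 purely for illustration and stands in for the tunnel's real cipher (an assumption); the authentication key is applied as an HMAC-SHA256 over the ciphertext, which is what lets the recipient detect a message altered in transit even though it could not read it.

```python
"""Security key (confidentiality) versus authentication key (integrity).

Added example, not SonicWall code. The keystream below is a toy, not a real
VPN cipher; the point is what the authentication key adds on top of encryption.
"""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(security_key, length):
    """Toy keystream: SHA-256 of key || counter, concatenated until long enough."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(security_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(security_key, data):
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(security_key, len(data))))


decrypt = encrypt


def protect(security_key, auth_key, message):
    """Encrypt, then append a tag computed with the authentication key."""
    ciphertext = encrypt(security_key, message)
    tag = hmac.new(auth_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unprotect(security_key, auth_key, packet):
    """Verify the tag before decrypting; return None if the packet was modified."""
    ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(auth_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(security_key, ciphertext)


def corrupt_first_byte(packet):
    """Simulate an in-transit modification of one ciphertext byte (XOR with 0x01)."""
    return bytes([packet[0] ^ 0x01]) + packet[1:]
```

Decrypting a corrupted packet without checking the tag yields a different plaintext and no error, which is the "can be tampered with externally" case; `unprotect` returns None for the same packet because the tag no longer matches.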

DEPLOYMENT CAVEATS

When managing one or more VPNs through GMS, be aware of the following caveats:
• Because of the individual nature of deployment, VPN SA configurations are not inheritable.
• If updates are completed at the group node, separate tasks must be created for each individual unit within that node.

AUTHENTICATION METHODS

SonicWall appliances can use the following methods to exchange security and authentication keys:
• SonicWall certificates—Each SonicWall appliance obtains a certificate from the SonicWall Certificate Authority (CA). Security and authentication keys are exchanged using public-key cryptography, and the authenticity of each node is verified by the SonicWall CA. After the SA expires, the SonicWall appliances reestablish an SA using the same public keys, but the security and authentication keys are different. If one set of security and authentication keys is compromised by an outside party, that party is unable to compromise the next set of keys.
• Third-party certificates—The SonicWall appliance and peer device obtain certificates from third-party certificate authorities. Security and authentication keys are exchanged using public-key cryptography, and the authenticity of each node is verified by the third-party CA. After the SA expires, the peers reestablish an SA using the same public keys, but do not use the same security and authentication keys.
• Pre-shared secret—Each SonicWall appliance has a shared secret that is used to establish an SA. After the SA expires, the SonicWall appliances reestablish an SA using the same public keys, but do not use the same security and authentication keys.
• Pre-exchanged security and authentication keys—Keys are exchanged in advance. The SA always uses the same encryption and authentication keys. If the keys are compromised by an outside party, they remain compromised until the keys are changed.

NOTE: For an explanation of VPN terms, refer to VPN Terms and Concepts.

NUMBERED VPN TUNNEL INTERFACES

Routing protocols can use a numbered tunnel interface to establish routing sessions. After a numbered tunnel interface is added to the interface list, a static route policy can use it as its interface for a static-route-based VPN. Routing protocols (OSPF, RIP, and BGP) can use it for a dynamic route-based VPN.

Viewing the VPN Summary

To view the VPN summary, complete the following steps:

1 Expand the VPN tree and click Summary. The VPN Summary page displays.

NOTE: If VPN is already configured for the SonicWall appliance, a list of current SAs displays. The unique firewall identifier also displays.

2 Note the improved navigation for managing VPNs through use of page navigation arrows within the Current IPSec Security Associations list. To navigate through the pages, click the navigation arrow buttons in the upper right corner of the VPN Summary page, as shown in the following figure.

When managing VPNs, the VPN Summary window can have too many VPNs listed for you to easily find the VPN entry you want to view. To make VPN searching and viewing easier, GMS provides a pagination feature in the VPN Summary screen that breaks the list of VPNs into multiple pages. Each page can display up to 50 VPNs. To display the next page of VPNs, click Next. GMS displays the succeeding page of the VPN Summary window.

Configuring VPN Settings

To configure VPN settings, complete the following steps:

1 Expand the VPN tree and click Settings. The VPN Settings page displays.

2 Under Global IPSec Settings, select Enable VPN.

3 To disable all NetBIOS broadcasts, select Disable all VPN Windows Networking (NetBIOS) broadcast.

4 To improve interoperability with other VPN gateways and applications that use a large data packet size, select Enable Fragmented Packet Handling. Packet fragmentation overburdens a network router by resending data packets and causes network traffic to slow down between networks. The Enable Fragmented Packet Handling option configures the SonicWall appliance to listen to the intermediate router and, if necessary, send Internet Control Message Protocol (ICMP) messages to the router to decrease the size of the data packets. Enabling this option is recommended if the VPN tunnel logs contain many "Fragmented IPSec packets dropped" messages.

5 To ignore Don't Fragment (DF) bits from routers connected to the SonicWall appliance, select Ignore DF Bit.

6 NAT Traversal is an Internet Engineering Task Force (IETF) draft standard that wraps an IPsec packet in a UDP/IP header, allowing NAT devices to change IP addresses without affecting the integrity of the IPsec packet. To enable NAT traversal, select Enable NAT Traversal.

7 Specify how often the SonicWall appliance issues a keepalive in the Keep alive time field.

8 To enable detection of a dead peer, select Enable IKE Dead peer detection. Then, specify how often the SonicWall appliance attempts to detect a peer in the Dead peer detection Interval field, and specify the number of failed attempts that must occur before the VPN tunnel is closed in the Failure Trigger Level field.

9 Select Enable Dead Peer Detection for Idle vpn sessions if you want idle VPN connections to be dropped by the SonicWall security appliance after the time value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field.

10 Select VPN Single Armed mode to use single-armed mode, allowing the appliance to act as a stand-alone VPN gateway, using the WAN port as the VPN tunnel termination point.

11 Select Clean up Active Tunnels when Peer Gateway DNS names resolves to a different IP address to break down SAs associated with old IP addresses and reconnect to the peer gateway.

12 Select Preserve IKE Port for Pass-Through Connections to preserve UDP 500/4500 source port and IP address information for pass-through VPN connections.

13 Select Enable OCSP Checking and enter the OCSP Responder URL to use Online Certificate Status Protocol (OCSP) to check VPN certificate status at the specified URL.

14 Select Send vpn tunnel traps only when tunnel status changes to send tunnel traps only when the tunnel status changes. By default, the firewall sends traps for VPN up/down status. To minimize email alerts based on VPN traps, select this check box.

15 Select Use RADIUS in, and then select either MSCHAP or MSCHAPv2 mode for XAUTH, to allow VPN client users to change expired passwords at login time.

16 Under IKEv2 Settings, select Send IKEv2 Cookie Notify to send cookies to IKEv2 peers as an authentication tool.

17 Use the IKEv2 Dynamic Client Proposal settings to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method. Appliances running SonicOS Enhanced 4.0 and higher can be configured with the following IKE Proposal settings:
• DH Group—Select Group 1, Group 2, Group 5, Group 14, 256-Bit Random ECP Group, 384-Bit Random ECP Group, 521-Bit Random ECP Group, 192-Bit Random ECP Group, or 224-Bit Random ECP Group from the pull-down list. This sets the DH group in the global IPsec policy for a zero (0.0.0.0) gateway, IKEv2 mode tunnel with dynamic peer gateways.
• Encryption—Select DES, 3DES, AES-128, AES-192, or AES-256 from the pull-down list. This sets the encryption algorithm in the global IPsec policy for a zero (0.0.0.0) gateway, IKEv2 mode tunnel with dynamic peer gateways whose IP addresses are not static.
• Authentication—Select MD5, SHA1, SHA256, SHA384, or SHA512 from the pull-down list. This sets the authentication algorithm in the global IPsec policy for a zero (0.0.0.0) gateway, IKEv2 mode tunnel with dynamic peer gateways whose IP addresses are not static.

If a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, you cannot configure these IKE Proposal settings on an individual policy basis. The VPN policy on the remote gateway must also be configured with the same settings.

18 When you are finished, click Update. To clear all screen settings and start over, click Reset.
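Why step 17 ends with the requirement that the remote gateway carry the same settings, shown as an added example (not SonicWall or GMS code). It validates a proposal against the DH group, encryption, and authentication values listed on this page, negotiates by taking the first local proposal the peer also offers (the assumption here is that list order expresses local preference), and, when nothing matches, reports which attribute never lines up so the operator knows which setting to change on one side.

```python
"""IKE proposal validation and matching between a local gateway and its peer.

Added example, not SonicWall or GMS code. Value lists come from this page;
proposal order is treated as local preference order (assumption).
"""
from dataclasses import dataclass

# Value lists as given on this page
DH_GROUPS = {
    "Group 1", "Group 2", "Group 5", "Group 14",
    "256-Bit Random ECP Group", "384-Bit Random ECP Group",
    "521-Bit Random ECP Group", "192-Bit Random ECP Group",
    "224-Bit Random ECP Group",
}
ENCRYPTION = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
AUTHENTICATION = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}


@dataclass(frozen=True)
class Proposal:
    dh_group: str
    encryption: str
    authentication: str

    def validate(self):
        """Return the names of attributes whose value is not one the page lists."""
        problems = []
        if self.dh_group not in DH_GROUPS:
            problems.append("dh_group")
        if self.encryption not in ENCRYPTION:
            problems.append("encryption")
        if self.authentication not in AUTHENTICATION:
            problems.append("authentication")
        return problems


# The default named on the page for appliances before SonicOS Enhanced 4.0
DEFAULT_PROPOSAL = Proposal("Group 2", "3DES", "SHA1")


def negotiate(local, peer):
    """Pick the first local proposal (in preference order) that the peer also offers.

    Returns None when the two sides share no proposal, i.e. no SA can be built.
    """
    peer_set = set(peer)
    for proposal in local:
        if proposal in peer_set:
            return proposal
    return None


def explain_mismatch(local, peer):
    """List the attributes for which the two sides share no value at all.

    Used when negotiate() returns None to pinpoint the setting to change.
    """
    fields = ("dh_group", "encryption", "authentication")
    return [
        f for f in fields
        if not {getattr(p, f) for p in local} & {getattr(p, f) for p in peer}
    ]
```

With the local side offering `Proposal("Group 14", "AES-256", "SHA256")` and the peer only `Proposal("Group 14", "AES-256", "SHA512")`, `negotiate` returns None and `explain_mismatch` names `authentication`, which is the one setting that has to be aligned.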

Configuring VPNs in SonicOS Enhanced

SonicOS uses Address Objects and Address Object Groups to simplify network configuration and interconnection. Address objects are network addresses or hosts. Address object groups are groups of address objects and/or address object groups. When you configure a VPN between Address Object Groups on two SonicWall appliances, GMS automatically establishes VPN connections between every network within those groups. This saves a lot of configuration time and dramatically simplifies VPN configuration.

Configuring VPNs is supported with IPv6. The configuration procedures for IPv6 and IPv4 are nearly identical; just enter IPv6 addresses in place of IPv4 addresses.

Select from the following:
• Configuring VPNs in Interconnected Mode—For VPNs between two SonicWall appliances.
• Configuring VPNs in Non-Interconnected Mode—For a VPN between a SonicWall appliance and another device.

When you have completed the interconnected or non-interconnected configuration procedure, continue on to the following section:
• Generic VPN Configuration in SonicOS Enhanced

CONFIGURING VPNS IN INTERCONNECTED MODE

Establishing a VPN between two SonicWall appliances that are being managed by GMS is easy. Because GMS is aware of the configuration settings, it automatically configures most of the VPN settings without any user intervention. To establish VPNs between two SonicWall appliances that are being managed by GMS, complete the following steps:

1 Expand the VPN tree and click Configure. The VPN Configure page displays with the General tab selected.

2 To establish a new SA, select Add New SA from the Security Association list box.

3 Select Interconnected.

4 To configure SonicWall GMS to convert the SAs to non-interconnected mode VPN tunnels, select Make SAs viewable in Non-Interconnected Mode.

NOTE: Making an SA viewable in Non-Interconnected mode is not reversible.

5 Select the destination SonicWall appliance by clicking Select Destination Node and selecting the node from the dialog box that displays.

6 To initially disable the SA upon creation, select Disable SA. This option can be unchecked at a later time.

7 Select one of the following keying modes from the IPSec Keying Mode list box:

NOTE: SonicWall GMS automatically creates a pre-shared key, SPI, encryption key, authentication key, or certificate information, as applicable, for each mode described as follows.

• Manual Key—Keys are exchanged in advance. The SA always uses the same encryption and authentication keys. If the keys are compromised by an outside party, they remain compromised until the keys are changed.
• IKE Using Pre-Shared Secret—Each SonicWall appliance has a shared secret that is used to establish an SA. After the SA expires, the SonicWall appliance reestablishes an SA using the same public keys, but does not use the same security and authentication keys. Configure the following:
  • Local IKE ID—Specifies whether the IP address or SonicWall Identifier is used as the IKE ID for the local SonicWall appliance.
  • Peer IKE ID—Specifies whether the IP address or SonicWall Identifier is used as the IKE ID for the peer SonicWall appliance.
• IKE Using 3rd Party Certificates—The SonicWall appliance and peer device obtain certificates from third-party certificate authorities. Security and authentication keys are exchanged using public-key cryptography, and the authenticity of each node is verified by the third-party CA. After the SA expires, the peers reestablish an SA using the same public keys, but do not use the same security and authentication keys.

8 Continue to Generic VPN Configuration in SonicOS Enhanced.

CONFIGURING VPNS IN NON-INTERCONNECTED MODE

To establish VPNs between two SonicWall appliances that are being managed by GMS, complete the following steps:

1 Expand the VPN tree and click Configure. The VPN Configure page displays with the General tab selected.

2 To establish a new SA, select Add New SA from the Security Association list box.

3 Deselect Interconnected.

4 Select Disable SA to initially disable the SA upon creation. This option can be unchecked at a later time.

5 Select one of the following keying modes from the IPSec Keying Mode list box:

• Manual Key—Keys are exchanged in advance. The SA always uses the same encryption and authentication keys. If the keys are compromised by an outside party, they remain compromised until the keys are changed. If you select this option, configure the following:
  • Name—Specifies the name of the SA.
  • IPSec Gateway Name or Address—Specifies the name or IP address of the gateway.
• IKE Using Pre-Shared Secret—Each SonicWall appliance has a shared secret that is used to establish an SA. After the SA expires, the SonicWall appliances reestablish an SA using the same public keys, but do not use the same security and authentication keys. Configure the following:
  • Name—Specifies the name of the SA.
  • IPSec Primary Gateway Name or Address—Specifies the name or IP address of the primary gateway.
  • IPSec Secondary Gateway Name or Address—Specifies the name or IP address of the secondary gateway.
  • Shared Secret—Specifies the shared secret used to negotiate the VPN tunnel.
  • Local IKE ID—Specifies whether the IP address or SonicWall Identifier is used as the IKE ID for the local SonicWall appliance.
  • Peer IKE ID—Specifies whether the IP address or SonicWall Identifier is used as the IKE ID for the peer SonicWall appliance.
• IKE Using 3rd Party Certificates—The SonicWall appliance and peer device obtain certificates from third-party certificate authorities. Security and authentication keys are exchanged using public-key cryptography, and the authenticity of each node is verified by the third-party CA. After the SA expires, the peers reestablish an SA using the same public keys, but do not use the same security and authentication keys. If you select this option, configure the following:
  • Name—Specifies the name of the SA.
  • IPSec Primary Gateway Name or Address—Specifies the name or IP address of the primary gateway.
  • IPSec Secondary Gateway Name or Address—Specifies the name or IP address of the secondary gateway.
  • Third-Party Certificate—Specifies the certificate used to establish the SAs.
  • Peer Certificate's ID Type—Specifies the ID type of the peer certificate.
  • ID string to match—Specifies the string used to establish the SAs.

GENERIC VPN CONFIGURATION IN SONICOS ENHANCED

To configure the additional options for VPNs in SonicOS Enhanced, complete the following steps: 1 Click the Network tab. Select which local networks are establishing VPN connections with the destination networks: • Choose local network from list—specifies an Address Object that contains one or more networks. For information on creating address objects, refer to the documentation that accompanied the SonicWall appliance. • Local network obtains IP addresses using DHCP through this VPN Tunnel—indicates that the computers on the local network obtain their IP addresses from the destination network. • Any address—configures all networks to establish VPN connections with the specified destination networks. 2 Select the destination networks with which the local network connects: • Use this VPN Tunnel as default route for all Internet traffic—configures all networks on the destination network to use this VPN for all Internet traffic. • Destination network obtains IP addresses using DHCP through this VPN Tunnel—indicates that the computers on the destination network obtain their IP addresses from the local network. • Choose destination network from list—specifies an Address Object that contains one or more networks. For information on creating address objects, refer to the documentation that accompanied the SonicWall appliance. 3 (Optional) Click the Proposals tab. 4 Select the IKE Phase 1 Proposal Options (Certificates and Pre-Shared Secret only): • Exchange—Select the exchange mode from the Exchange list box. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. Otherwise, select Main Mode. • DH Group—specifies the Diffie-Hellman group to use when the VPN devices are negotiating encryption and authentication keys. 
NOTE: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value. • Encryption—specifies the type of encryption key to use when the VPN devices are negotiating encryption keys. • Authentication—specifies the type of authentication key to use when the VPN devices are negotiating authentication keys. • MD5 • SHA1 • SHA256 • SHA384 • SHA512 • Life Time (seconds)—specifies how long a tunnel remains active before being renegotiated. We recommend a value of 28,800 seconds (eight hours). 5 Select the IKE Phase 2 Proposal Options: • Protocol—specifies the type of protocol to use for VPN communications (AH or ESP). • Encryption—specifies the type of encryption key to use when the VPN devices after negotiating encryption keys. • Authentication—specifies the type of authentication key to use when the VPN devices after negotiating authentication keys. • MD5 • SHA1 • SHA256 • SHA384 • SHA512 • AES-XCBC • Enable Perfect Forward Secrecy—when selected, this option prevents repeated compromises of the same security key when reestablishing a tunnel. • DH Group—specifies the Diffie-Hellman group to use when the VPN devices after negotiating encryption and authentication keys. • Life Time (seconds)—specifies how long a tunnel remains active before being renegotiated. We recommend a value of 28,800 seconds (eight hours). 6 (Optional) Click the Advanced tab. 7 Configure the following Advanced settings: • Enable Keep Alive—configures the VPN tunnel to remain open as long as there is network traffic on the SA. 
NOTE: The Allow Advanced Routing, Enable Transport Mode, and Enable Multicast options are available for VPN policies that are configured as follows: Policy Type: Tunnel Interface; IPSec Keying Mode: IKE using Preshared Secret or IKE using third-party certs.
• Allow Advanced Routing—Adds this Tunnel Interface to the list of interfaces in the Advanced Routing table on the Network > Routing page. Making this an optional setting avoids adding all Tunnel Interfaces to the Advanced Routing table, which helps streamline the routing configuration. (This option is supported for SonicOS versions 5.6 and higher.)
• Enable Transport Mode—Forces the IPsec negotiation to use Transport mode instead of Tunnel Mode. This has been introduced for compatibility with Nortel. When this option is enabled on the local firewall, it MUST be enabled on the remote firewall as well for the negotiation to succeed. (This option is supported for SonicOS versions 5.6 and higher.)
• Enable Windows Networking (NetBIOS) Broadcast—Enables NetBIOS broadcasts across the SA.
• Enable Multicast—Allows multicast traffic through the VPN tunnel.
• Permit Acceleration—Dedicates WXA clustered groups to a VPN and BPR policy.
• Accept Multiple Proposals for Clients—Enables the system to accept multiple proposals for clients. (This option is supported for SonicOS versions 6.1 and higher.)
• Enable IKE Mode Configuration—Enables you to configure the IKE Mode feature. (This option is supported for SonicOS versions 6.1 and higher.)
• IP Pool for Clients—Select an IP pool type from the drop-down menu.
• Address Expiry Time—Enter an expiration time (in seconds) for the address.
• Apply NAT Policies—Enables NAT for the selected networks.
• Enable Phase2 Dead Peer Detection—Select if you want inactive VPN tunnels to be dropped by the SonicWall.
• Dead Peer Detection Interval—Enter the number of seconds between “heartbeats.” The default value is 60 seconds.
• Failure Trigger Level (missed heartbeats)—Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the SonicWall appliance. The SonicWall appliance uses a UDP packet protected by encryption as the heartbeat.
• Management via this SA—Specifies which protocols can be used to manage the SonicWall appliance through this SA. In addition to HTTP, HTTPS, and SNMP, you can enable SSH management of the device through the IPsec tunnel. When SSH is selected in an IPsec Policy, an SSH session can be initiated to the device using the IPsec tunnel for the policy.
• User login via this SA—Specifies the protocols that users can use to log in to the SonicWall appliance through this SA.
• Default LAN Gateway—Specifies the default gateway when routing all traffic through this tunnel (required for Enhanced-to-Standard configuration, optional for Enhanced-to-Enhanced).
• Enable OCSP Checking—Enables checking of the Online Certificate Status Protocol. (This option is supported for SonicOS versions 6.1 and higher.)
• OCSP Responder URL—Enter the URL for the Online Certificate Status Protocol responder.
• VPN Policy bound to—Specifies the zone or interface at which the VPN tunnel terminates.
• Preempt Secondary Gateway—Enables preemption of a secondary gateway by the primary gateway in the IPsec policy. If a secondary gateway is configured in the IPsec Policy, an IPsec tunnel is established with the secondary gateway when the primary gateway is unreachable. If this option is enabled in the policy, a periodic discovery is attempted for the primary gateway and, if it is discovered successfully, tunnels are switched back to the primary gateway from the secondary gateway.
• Primary Gateway Detection Interval—Specifies the time interval in seconds for the discovery of the primary IPsec gateway if it is unreachable. The minimum value is 120 and the maximum value is 28800.
• Enable Windows Networking Broadcast—Enables NetBIOS broadcasts across the SA.
8 Click the Client tab (Group VPNs only).
9 Configure the following Client settings (supported for SonicOS versions 6.1 and higher):
• Username and Password—Select the settings for the username and password by clicking the drop-down menu and selecting Never, Single Session, or Always.
• Virtual Adapter Settings—Select the virtual adapter settings from the drop-down menu (None, DHCP Lease, DHCP Lease or Manual Configuration).
• Allow Connections to—Selects the allowed connections: Split Tunnels, This Gateway Only, or All Secure Gateways.
• Select Default Route as this Gateway—Select to set the default route as this gateway.
• Apply VPN Access Control List—Select to apply the VPN Access Control list.
• Client Initial Provisioning—Select to use the default key for simple client provisioning.
10 When you are finished, click OK. GMS begins establishing VPN tunnels between all specified networks.
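The Dead Peer Detection and Preempt Secondary Gateway options above describe a small state machine (missed heartbeats up to the trigger level, failover to the secondary, periodic rediscovery of the primary). The following is an added example that models that behaviour; it is not SonicWall code, and the class names, the once-per-interval tick model, the reachable() probe callback and the sample addresses are this example's own assumptions.

```python
"""Dead Peer Detection and secondary-gateway preemption, modelled on the option
descriptions in the guide. Added example, not SonicWall code: class names, the
tick-per-interval driving model and the reachable() callback are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class DpdConfig:
    interval: int = 60        # Dead Peer Detection Interval, seconds (guide default 60)
    trigger_level: int = 3    # Failure Trigger Level, missed heartbeats (guide default 3)


@dataclass
class GatewayConfig:
    primary: str
    secondary: Optional[str] = None
    preempt_secondary: bool = False         # "Preempt Secondary Gateway"
    primary_detection_interval: int = 120   # "Primary Gateway Detection Interval", seconds

    def __post_init__(self) -> None:
        # The guide bounds the detection interval to 120..28800 seconds.
        if not 120 <= self.primary_detection_interval <= 28800:
            raise ValueError("Primary Gateway Detection Interval must be 120..28800 seconds")


class IkeTunnel:
    """Tracks which gateway the tunnel is up with, drops it at the DPD trigger
    level, fails over to the secondary and, with preemption on, probes the
    primary at the detection interval to switch back."""

    def __init__(self, dpd: DpdConfig, gw: GatewayConfig,
                 reachable: Callable[[str], bool]) -> None:
        self.dpd = dpd
        self.gw = gw
        self.reachable = reachable   # stands in for the encrypted UDP heartbeat / discovery probe
        self.active = gw.primary
        self.up = reachable(gw.primary)
        self.missed = 0
        self.last_primary_probe = 0
        self.events: List[str] = []

    def on_heartbeat_interval(self, now: int) -> None:
        """Run once per Dead Peer Detection Interval with the current time in seconds."""
        if self.up:
            if self.reachable(self.active):
                self.missed = 0
            else:
                self.missed += 1
                if self.missed >= self.dpd.trigger_level:
                    self.events.append(f"{now}s: dropped tunnel to {self.active} "
                                       f"after {self.missed} missed heartbeats")
                    self.up = False
                    self.missed = 0
        if not self.up:
            self._reestablish(now)
        # Preemption: while on the secondary, rediscover the primary at the detection interval.
        if (self.up and self.gw.preempt_secondary and self.active == self.gw.secondary
                and now - self.last_primary_probe >= self.gw.primary_detection_interval):
            self.last_primary_probe = now
            if self.reachable(self.gw.primary):
                self.events.append(f"{now}s: primary {self.gw.primary} discovered, switching back")
                self.active = self.gw.primary

    def _reestablish(self, now: int) -> None:
        # The primary is tried first; the secondary is used only when the primary is unreachable.
        for candidate in (self.gw.primary, self.gw.secondary):
            if candidate and self.reachable(candidate):
                self.active = candidate
                self.up = True
                if candidate == self.gw.secondary:
                    self.last_primary_probe = now   # start the preemption timer at failover
                self.events.append(f"{now}s: tunnel established with {candidate}")
                return
        self.events.append(f"{now}s: no gateway reachable, tunnel stays down")


def run_failover_scenario() -> List[str]:
    """Constructed scenario: the primary stops answering, then returns at t=200s."""
    down: set = set()   # gateways that currently do not answer (constructed, documentation addresses)

    def reachable(gw: str) -> bool:
        return gw not in down

    tunnel = IkeTunnel(DpdConfig(), GatewayConfig("203.0.113.10", "203.0.113.20",
                                                 preempt_secondary=True), reachable)
    down.add("203.0.113.10")         # primary stops answering heartbeats
    for t in (60, 120, 180):         # three missed heartbeats: drop and fail over
        tunnel.on_heartbeat_interval(t)
    down.discard("203.0.113.10")     # primary is back
    for t in (240, 300):             # probed once 120 s have passed since failover
        tunnel.on_heartbeat_interval(t)
    return tunnel.events


if __name__ == "__main__":
    for event in run_failover_scenario():
        print(event)
```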

Configuring VPNs in SonicOS Standard
This section describes how to configure VPN version 1.0 for SonicOS Standard. To configure VPN for SonicOS Enhanced, refer to Configuring VPNs in SonicOS Enhanced.
GMS supports several methods for establishing and maintaining security associations (SAs). These include:
• IKE Using SonicWall Certificates
• IKE Using Third-Party Certificates
• IKE Using Pre-Shared Secret
• Manual Keying

IKE USING SONICWALL CERTIFICATES
The following sections describe how to configure SAs for Internet Key Exchange (IKE) using SonicWall certificates:
• When All Appliances are Managed by GMS
• When One Appliance Is Not Managed by GMS
NOTE: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known as a Certificate Authority (CA). SonicWall certificates are the easiest certificate solution for establishing the identity of peer VPN devices and users.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital signatures to authenticate peer devices before setting up security associations. Without digital signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices using digital signatures do not require configuration changes every time a new device is added to the network.
NOTE: Although SAs can be established with most IPSec-compliant devices, SonicWall Certificates can only be used between SonicWall appliances. This section describes how to establish SAs between SonicWall appliances that are managed by GMS and SonicWall appliances that are not managed by GMS.
NOTE: Before establishing SAs using SonicWall certificates, you must obtain a Public Key Infrastructure (PKI) administrator certificate and apply it to each SonicWall appliance.



When All Appliances are Managed by GMS
To enable VPN using certificates, complete the following steps:
1 Expand the VPN tree and click Configure. The VPN Configure page displays.
2 Select Use Interconnected Mode.
3 For the IPSec Keying Mode, select IKE using SonicWall Certificates.
4 Select from the following:
• To add a new SA, select Add a new Security Association.
• To delete an existing SA, select Delete an existing Security Association.
• To edit an existing SA, select Modify an existing Security Association.
5 Click Select Destination. A dialog box that contains all SonicWall appliances managed by this GMS displays.
6 Select the SonicWall appliance or group to which you will establish SAs and click Select. The name of the target displays in the Target SonicWall Group/Node field.
7 Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
8 Select the Diffie-Hellman (DH) group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
NOTE: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
9 Select the Diffie-Hellman group that is used when the VPN devices have established an SA from the Phase 2 DH Group list box.
10 Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
11 Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
12 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through this destination unit.
The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming Internet Protocol Security (IPSec) packets for this SA. Incoming packets are decoded by the SonicWall and compared to static routes configured in the SonicWall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWall looks up a route for the LAN. If no route is found, the SonicWall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
13 To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (eight hours).
14 To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.
15 To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select Enable Keep Alive.
16 To configure the SonicWall appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.
17 To disable this SA, select Disable This SA.
18 Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode, a feature that allows two or more physically separated networks to be joined using a secure wireless connection.
19 To enable NetBIOS broadcasts across the SA, select Enable Windows Networking Broadcast.
20 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to Configuring Routing in SonicOS Enhanced). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices through the corporate office.
NOTE: To create a “hub and spoke” network, make sure to select Forward Packets to Remote VPNs for each SA.
21 To force all network traffic to the WAN through a VPN to a central site, select Route all Internet traffic through destination unit. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
NOTE: Only one SA can have this option enabled.



22 Select one of the following VPN termination options:
• To configure the VPN tunnel to terminate at the LAN or WorkPort, select LAN. Users on the other side of the SA are able to access the LAN, but not the OPT.
• To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA are able to access the OPT, but not the LAN.
• To allow users on the other side of the SA to access both the LAN and DMZ, select LAN/OPT.
23 Select from the following NAT and Firewall Rules:
• To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.
• To enable NAT and firewall rules for the selected SonicWall appliance, select Source. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and network firewall rules are applied to all traffic on this SA.
• To enable NAT and firewall rules for the selected SonicWall appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and all traffic originating from its peer appears to originate from a single IP address. Network firewall rules are applied to all traffic on this SA.
NOTE: Applying firewall rules can dramatically affect services that run between the networks. For more information, refer to Understanding the Network Access Rules Hierarchy.
24 Select how local users are authenticated:
• To disable authentication for local users, select Disabled.
• To configure local users to be authenticated locally, either through the SonicWall device or the RADIUS server, select Source.
• To configure local users to be authenticated on the destination network, either through the SonicWall device or the RADIUS server, select Destination.
• To authenticate local users both locally and on the destination network, select Source and Destination.
25 Similarly, select how remote users are authenticated.
26 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.
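The routing rules this procedure describes (static LAN routes, then the Default LAN Gateway, else drop; Forward Packets to Remote VPNs for hub-and-spoke; Route all Internet traffic through destination unit, with its clear-text fallback when no SA matches) recur in each of the SonicOS Standard procedures in this section. The following added example models those decisions and checks the "only one SA" rule; it is not SonicWall code, and the class names, the order in which the route lookups are tried, and the sample networks and addresses are assumptions made for illustration.

```python
"""Model of the SonicOS Standard VPN routing decisions described in the guide
(Default LAN Gateway, Forward Packets to Remote VPNs, Route all Internet traffic
through destination unit). Added example, not SonicWall code; class names,
lookup order and sample addresses are assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class SecurityAssociation:
    name: str
    destination_networks: List[IPv4Network] = field(default_factory=list)
    route_all_internet_traffic: bool = False   # "Route all Internet traffic through destination unit"
    forward_to_remote_vpns: bool = False       # "Forward Packets to Remote VPNs"
    disabled: bool = False                     # "Disable This SA"


@dataclass
class StandardVpnConfig:
    sas: List[SecurityAssociation]
    lan_routes: List[IPv4Network]              # static routes to the local LAN
    default_lan_gateway: Optional[str] = None  # "Default LAN Gateway"

    def active_sas(self) -> List[SecurityAssociation]:
        return [sa for sa in self.sas if not sa.disabled]

    def validate(self) -> List[str]:
        """Configuration checks drawn from the guide's notes on the default-route option."""
        problems: List[str] = []
        default_route = [sa.name for sa in self.active_sas() if sa.route_all_internet_traffic]
        if len(default_route) > 1:
            problems.append("only one SA may have Route all Internet traffic enabled: "
                            + ", ".join(default_route))
        if not default_route:
            problems.append("no default-route SA: traffic matching no SA is forwarded "
                            "unencrypted to the WAN")
        return problems

    def match_sa(self, dst_ip: str) -> Optional[SecurityAssociation]:
        dst = ip_address(dst_ip)
        for sa in self.active_sas():
            if any(dst in net for net in sa.destination_networks):
                return sa
        return None

    def outbound(self, dst_ip: str) -> str:
        """Where a LAN packet goes: a matching SA, else the default-route SA, else clear-text WAN."""
        sa = self.match_sa(dst_ip)
        if sa is None:
            sa = next((s for s in self.active_sas() if s.route_all_internet_traffic), None)
        return f"encrypt:{sa.name}" if sa else "wan:unencrypted"

    def inbound(self, from_sa: str, dst_ip: str) -> str:
        """Where a packet decrypted from the SA named from_sa goes."""
        dst = ip_address(dst_ip)
        if any(dst in net for net in self.lan_routes):
            return "lan:static-route"
        sa = next(s for s in self.sas if s.name == from_sa)
        if sa.forward_to_remote_vpns:            # remote VPNs are in the routing table
            other = self.match_sa(dst_ip)
            if other is not None and other.name != from_sa:
                return f"encrypt:{other.name}"   # hub-and-spoke forwarding into another tunnel
        if self.default_lan_gateway:
            return f"lan:gateway:{self.default_lan_gateway}"
        return "drop"


def example_config(with_default_route: bool = True) -> StandardVpnConfig:
    """Constructed branch-office configuration: one SA to HQ, one to a partner site."""
    return StandardVpnConfig(
        sas=[
            SecurityAssociation("to-hq", [ip_network("172.16.0.0/12")],
                                route_all_internet_traffic=with_default_route,
                                forward_to_remote_vpns=True),
            SecurityAssociation("to-partner", [ip_network("10.9.0.0/16")]),
        ],
        lan_routes=[ip_network("192.168.50.0/24")],
        default_lan_gateway="192.168.50.1",
    )


if __name__ == "__main__":
    cfg = example_config(with_default_route=False)
    print(cfg.validate())                      # warns about the clear-text fallback
    print(cfg.outbound("198.51.100.7"))        # wan:unencrypted
    print(cfg.inbound("to-hq", "10.9.1.1"))    # encrypt:to-partner
```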

When One Appliance Is Not Managed by GMS
Although SAs can be established with most IPSec-compliant devices, certificates can only be used between SonicWall appliances. This section describes how to establish SonicWall certificate-based SAs between SonicWall appliances that are managed by GMS and SonicWall appliances that are not managed by GMS.
To create SAs using certificates, complete the following steps:
1 Expand the VPN tree and click Configure. The VPN Configure page displays.
2 Deselect Use Interconnected Mode.
3 Select IKE using SonicWall Certificates.
4 Select the appropriate option to add, delete or modify a Security Association.
5 Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.
6 Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches.
7 To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (eight hours).
8 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit.
The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWall and compared to static routes configured in the SonicWall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWall looks up a route for the LAN. If no route is found, the SonicWall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
9 To disable this SA, select Disable This SA.
10 To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.
11 Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode, a feature that allows two or more physically separated networks to be joined using a secure wireless connection.
12 To enable NetBIOS broadcasts across the SA, select Enable Windows Networking Broadcast.
13 To apply NAT and firewall rules to all traffic coming through this SA, select Apply NAT and firewall rules. This feature is useful for hiding the LAN subnet from the corporate site. All traffic appears to originate from a single IP address.
14 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. This enables the SonicWall appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
15 To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select Enable Keep Alive.
16 To configure the SonicWall appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.
17 To require local users to authenticate locally before accessing the SA, select Require authentication of local users.
18 To require remote users to authenticate with this SonicWall appliance or the local RADIUS server before accessing resources, select Require authentication of remote users.
19 Enter the serial number of the target SonicWall appliance in the Peer SonicWall Serial # field.
20 Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
21 Select the Diffie-Hellman group that is used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
NOTE: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
22 Select the Diffie-Hellman group that is used when the VPN devices have established an SA from the Phase 2 DH Group list box.
23 Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
24 Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
25 Specify the destination networks by selecting from the following:
• To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
• If the destination network receives its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.
• To specify destination networks, select Specify destination networks below. Then, click Add Networks and enter the destination network IP addresses and subnet masks.
26 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

IKE USING THIRD-PARTY CERTIFICATES

NOTE: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known as a Certificate Authority (CA). SonicWall now supports third-party certificates in addition to the existing Authentication Service. The difference between third-party certificates and the SonicWall Authentication Service is the ability to select the source for your CA certificate. Using Certificate Authority Certificates and Local Certificates is a more manual process than using the SonicWall Authentication Service; therefore, experience with implementing Public Key Infrastructure (PKI) is necessary to understand the key components of digital certificates.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital signatures to authenticate peer devices before setting up security associations. Without digital signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices using digital signatures do not require configuration changes every time a new device is added to the network.
SonicWall has implemented X.509v3 as its certificate form and CRLv2 for its certificate revocation list. SonicWall supports the following two vendors of Certificate Authority Certificates:
• VeriSign
• Entrust

Obtaining a Certificate
To obtain a certificate, refer to Generating a Certificate Signing Request. After you have obtained certificates for both devices, continue to configure the VPN:
• When All Appliances are Managed by GMS
• When One Appliance Is Not Managed by GMS

When All Appliances are Managed by GMS
Setting up a VPN tunnel between appliances requires you to configure several parameters on both appliances. When setting up VPN tunnels between SonicWall appliances managed by GMS, all selected appliances are automatically configured based on the settings that you entered.
To enable VPN using third-party certificates when both devices are managed by GMS, complete the following steps:
1 Expand the VPN tree and click Configure. The VPN Configure page displays.
2 Select Use Interconnected Mode.
3 Select IKE using 3rd Party Certificates.
NOTE: SonicWall GMS automatically creates a pre-shared key, SPI, encryption key, authentication key, or certificate information as applicable.
4 Select the appropriate option to add, delete, or modify a security association.
5 Click Select Destination. A dialog box that contains all SonicWall appliances managed by this GMS displays.
6 Select the SonicWall appliance or group to which you will establish SAs and click Select. The name of the target displays in the Target SonicWall Group/Node field.
7 Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
8 Select the Diffie-Hellman (DH) group that is used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
NOTE: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
9 Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.
10 Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
11 Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
12 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through this destination unit.
The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming Internet Protocol Security (IPSec) packets for this SA. Incoming packets are decoded by the SonicWall and compared to static routes configured in the SonicWall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWall looks up a route for the LAN. If no route is found, the SonicWall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
13 To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (eight hours).
14 To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.
15 To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select Enable Keep Alive.
16 To configure the SonicWall appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.
17 To enable wireless secure bridging, select Wireless Secure Bridging Mode.
18 To enable NetBIOS broadcasts across the SA, select Enable Windows Networking Broadcast.
19 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to Configuring Routing in SonicOS Enhanced). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices through the corporate office.
NOTE: To create a “hub and spoke” network, make sure to select Forward Packets to Remote VPNs for each SA.
20 To force all network traffic to the WAN through a VPN to a central site, select Route all Internet traffic through destination unit. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
NOTE: Only one SA can have this option enabled.



21 If the remote side of this VPN connection is to obtain its addressing from a DHCP server on this side of the tunnel, select Enable “Destination network obtains IP addresses using DHCP through this SA” on Target.
22 Select one of the following VPN termination options:
• To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of the SA are able to access the LAN, but not the DMZ.
• To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA are able to access the OPT, but not the LAN.
• To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
23 Select from the following NAT and Firewall Rules:
• To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.
• To enable NAT and firewall rules for the selected SonicWall appliance, select Source. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and network firewall rules are applied to all traffic on this SA.
• To enable NAT and firewall rules for the selected SonicWall appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and all traffic originating from its peer appears to originate from a single IP address. Network firewall rules are applied to all traffic on this SA.
NOTE: Applying firewall rules can dramatically affect services that run between the networks. For more information, refer to Understanding the Network Access Rules Hierarchy.
24 Select how local users are authenticated:
• To disable authentication for local users, select Disabled.
• To configure local users to be authenticated locally, either through the SonicWall device or the RADIUS server, select Source.
• To configure local users to be authenticated on the destination network, either through the SonicWall device or the RADIUS server, select Destination.
• To authenticate local users both locally and on the destination network, select Source and Destination.
25 Similarly, select how remote users are authenticated.
26 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

When One Appliance Is Not Managed by GMS
This section describes how to configure VPN when the target appliance is not managed by GMS. To create SAs using third-party certificates, complete the following steps:
1 Expand the VPN tree and click Configure. The VPN Configure page displays.
2 Deselect Use Interconnected Mode.
3 Select IKE using 3rd Party Certificates.
4 Select the appropriate option to add, delete or modify a security association.
5 Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.
6 Select the certificate to use from the Select Certificate list box.
7 Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and is the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches. Optionally, you can specify an IPSec Secondary Gateway Name or Address.
8 To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (eight hours).
9 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit.
The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWall and compared to static routes configured in the SonicWall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWall looks up a route for the LAN. If no route is found, the SonicWall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
10 To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.
11 To enable wireless secure bridging, select Wireless Secure Bridging Mode.
12 To enable NetBIOS broadcasts across the SA, select Enable Windows Networking Broadcast.
13 To apply NAT and firewall rules to all traffic coming through this SA, select Apply NAT and firewall rules. This feature is useful for hiding the LAN subnet from the corporate site. All traffic appears to originate from a single IP address.
14 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. This enables the SonicWall appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
15 To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select Enable Keep Alive.
16 To configure the SonicWall appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.
17 To require local users to authenticate locally before accessing the SA, select Require authentication of local users.
18 To require remote users to authenticate with this SonicWall appliance or the local RADIUS server before accessing resources, select Require authentication of remote users.
19 Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
20 Select the Diffie-Hellman group that is used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
NOTE: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
21 Select the Diffie-Hellman group that is used when the VPN devices have established an SA from the Phase 2 DH Group list box.
22 Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
23 Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
24 Select whether the peer device uses a distinguished name, email ID, or domain name as its certificate ID from the Peer Certificate’s ID list box.
25 Enter the peer device’s certificate ID in the Peer Certificate’s ID field.
26 Select from the following:
• To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
• If the destination network receives its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.
• To specify destination networks, select Specify destination networks below. Then, click Add Networks and enter the destination network IP addresses and subnet masks.
27 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.
NOTE: To disable this SA without deleting it, select Disable this SA and click Update.

IKE USING PRE-SHARED SECRET
When using IKE with a pre-shared secret, two VPN devices establish encryption and authentication keys using a shared secret. After the SA expires, the SonicWall appliances reestablish an SA using the same shared secret, but do not reuse the same security and authentication keys.
• When All Appliances are Managed by GMS
• When One Appliance Is Not Managed by GMS

When All Appliances are Managed by GMS
Setting up a VPN tunnel between appliances requires you to configure several parameters on both appliances. When setting up VPN tunnels between SonicWall appliances managed by GMS, all selected appliances are automatically configured based on the settings that you entered.
To configure an SA using IKE with pre-shared secrets, complete the following steps:
1 Expand the VPN tree and click Configure. The VPN Configure page displays.
2 Select Use Interconnected Mode.
3 Select IKE using Pre-shared Secret.
4 Select the appropriate option to add, delete, or modify a security association.
5 Click Select Destination. A dialog box that contains all SonicWall appliances managed by this GMS displays.
6 Select the SonicWall appliance or group to which you will establish SAs and click Select. The name of the target displays in the Target SonicWall Group/Node field.
7 Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
8 Select the Diffie-Hellman group that is used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
NOTE: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
9 Select the Diffie-Hellman group that is used when the VPN devices have established an SA from the Phase 2 DH Group list box.
10 Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
11 Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
12 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit.
The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWall and compared to static routes configured in the SonicWall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWall looks up a route for the LAN. If no route is found, the SonicWall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
13 To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (eight hours).
14 To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.
15 To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select Enable Keep Alive.
16 To configure the SonicWall appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.
17 To enable wireless secure bridging, select Wireless Secure Bridging Mode.
18 To enable NetBIOS broadcasts across the SA, select Enable Windows Networking Broadcast.
19 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to Configuring Routing in SonicOS Enhanced). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices through the corporate office.
NOTE: To create a “hub and spoke” network, make sure to select Forward Packets to Remote VPNs for each SA.
20 To force all network traffic to the WAN through a VPN to a central site, select Route all Internet traffic through destination unit. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
NOTE: Only one SA can have this option enabled.



21 If the remote side of this VPN connection is to obtain its addressing from a DHCP server on this side of the tunnel, select Enable “Destination network obtains IP addresses using DHCP through this SA” on Target.
22 Select one of the following VPN termination options:
• To configure the VPN tunnel to terminate at the LAN or WorkPort, select LAN. Users on the other side of the SA are able to access the LAN, but not the OPT.
• To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA are able to access the OPT, but not the LAN.
• To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
23 Select from the following NAT and Firewall Rules:
• To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.
• To enable NAT and firewall rules for the selected SonicWall appliance, select Source. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and network firewall rules are applied to all traffic on this SA.
• To enable NAT and firewall rules for the selected SonicWall appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and all traffic originating from its peer appears to originate from a single IP address. Network firewall rules are applied to all traffic on this SA.
NOTE: Applying firewall rules can dramatically affect services that run between the networks. For more information, refer to Understanding the Network Access Rules Hierarchy.
24 Select how local users are authenticated:
• To disable authentication for local users, select Disabled.
• To configure local users to be authenticated locally, either through the SonicWall device or the RADIUS server, select Source.
• To configure local users to be authenticated on the destination network, either through the SonicWall device or the RADIUS server, select Destination.
• To authenticate local users both locally and on the destination network, select Source and Destination.
25 Similarly, select how remote users are authenticated.
26 Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.
27 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.
NOTE: To disable this SA, select Disable this SA and click Update.
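The two forwarding decisions that steps 12 and 20 describe (which SA an outbound packet enters, and what happens to a packet that arrives through a tunnel when no static LAN route matches) are easiest to see as code. The following Python model is an added illustration, not SonicWall code or GMS logic: the SecurityAssociation class, its field names, and the sample networks are all constructed for this example. It generalises the text slightly by covering both directions in one place and by enforcing the "only one SA can route all Internet traffic" rule.

```python
"""Model of the SA-selection and Default LAN Gateway decisions described in the
VPN Configure steps.  Added illustration, not SonicWall code: class and field
names are assumptions, and the sample networks are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network


@dataclass
class SecurityAssociation:
    name: str
    destination_networks: List[Network] = field(default_factory=list)
    # Mirrors "Route all Internet traffic through destination unit".
    route_all_internet_traffic: bool = False


def select_outbound_sa(dst: str, sas: List[SecurityAssociation]) -> Tuple[str, Optional[str]]:
    """Return (action, sa_name): 'encrypt' through an SA, or 'cleartext-wan' if none matches."""
    ip = ipaddress.ip_address(dst)
    # A packet destined for an SA's network always goes into that SA.
    for sa in sas:
        if any(ip in net for net in sa.destination_networks):
            return "encrypt", sa.name
    # Otherwise the single "route all Internet traffic" SA, if any, takes it.
    default_route = [sa for sa in sas if sa.route_all_internet_traffic]
    if len(default_route) > 1:
        raise ValueError("only one SA may route all Internet traffic")
    if default_route:
        return "encrypt", default_route[0].name
    # Nothing matched: the appliance forwards the packet unencrypted to the WAN.
    return "cleartext-wan", None


def route_inbound_ipsec(dst: str, lan_routes: List[Tuple[Network, str]],
                        default_lan_gateway: Optional[str]) -> Optional[str]:
    """Next hop for a packet that arrived through a tunnel; None means the packet is dropped."""
    ip = ipaddress.ip_address(dst)
    for net, next_hop in lan_routes:        # static LAN routes are consulted first
        if ip in net:
            return next_hop
    return default_lan_gateway               # None when no gateway is configured -> drop


def run_demo() -> Dict[str, object]:
    """Constructed sample: a branch SA, a hub SA that also carries Internet traffic."""
    branch = SecurityAssociation("branch", [Network("10.2.0.0/16")])
    hq = SecurityAssociation("hq", [Network("10.1.0.0/16")], route_all_internet_traffic=True)
    lan_routes = [(Network("192.168.10.0/24"), "192.168.10.1")]
    try:
        select_outbound_sa("203.0.113.9",
                           [hq, SecurityAssociation("hq2", route_all_internet_traffic=True)])
        two_defaults = "accepted"
    except ValueError:
        two_defaults = "rejected"
    return {
        "to_branch": select_outbound_sa("10.2.5.7", [branch, hq]),
        "to_internet": select_outbound_sa("203.0.113.9", [branch, hq]),
        "to_internet_no_default": select_outbound_sa("203.0.113.9", [branch]),
        "two_defaults": two_defaults,
        "lan_route_hit": route_inbound_ipsec("192.168.10.40", lan_routes, "192.168.10.254"),
        "default_gw": route_inbound_ipsec("192.168.20.40", lan_routes, "192.168.10.254"),
        "dropped": route_inbound_ipsec("192.168.20.40", lan_routes, None),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:24s} {result}")
```

The "to_internet_no_default" case is the one to watch when auditing a deployment: with no SA marked to route all Internet traffic, anything outside the configured destination networks leaves the WAN in the clear.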



When One Appliance Is Not Managed by GMS
This section describes how to configure VPN when the target appliance is not managed by GMS. To enable VPN using IKE with a pre-shared secret, complete the following steps:
1 Expand the VPN tree and click Configure. The VPN Configure page displays.
2 Deselect Use Interconnected Mode.
3 Select IKE using Pre-Shared Secret in the IPSec Keying mode section.
4 Select the appropriate option to add, delete, or modify a security association.
5 Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.
6 Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and is the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches.
7 Enter the amount of time before an IKE SA is automatically negotiated (120 to 2,499,999 seconds) in SA Lifetime.
8 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWall and compared to static routes configured in the SonicWall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWall looks up a route for the LAN. If no route is found, the SonicWall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
9 To prevent repeated compromises of the same security key when reestablishing a tunnel, select Enable Perfect Forward Secrecy.
10 To enable wireless secure bridging, select Wireless Secure Bridging Mode.
11 To access remote resources within the Windows Network Neighborhood, select Enable Windows Networking (NetBIOS) Broadcast.
12 To apply NAT and firewall rules to all traffic coming through this SA, select Apply NAT and firewall rules. This feature is useful for hiding the LAN subnet from the corporate site. All traffic appears to originate from a single IP address.
13 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. This enables the SonicWall appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
14 To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select Enable Keep Alive.
15 To configure the SonicWall appliance to establish the VPN tunnel before users generate any VPN traffic, select Try to bring up all possible SAs.
16 To require local users to authenticate locally before accessing the SA, select Require authentication of local users.
17 To require remote users to authenticate with this SonicWall appliance or the local RADIUS server before accessing resources, select Require authentication of remote users.
18 Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.
NOTE: Only SonicWall VPN clients can authenticate to a RADIUS server. Users tunneling from another VPN gateway are not able to complete the VPN tunnel if this check box is selected.
19 Enter the shared secret in the Shared Secret field.
20 Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
21 Select the Diffie-Hellman group that is used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.
NOTE: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.
22 Select the Diffie-Hellman group that is used when the VPN devices have established an SA from the Phase 2 DH Group list box.
23 Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.
24 Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.
25 Select from the following:
• To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
• If the destination network receives its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.
• To specify destination networks, select Specify destination networks below. Then, click Add Network and enter the destination network IP addresses and subnet masks.
26 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.
27 Create an SA in the remote VPN device for each SonicWall appliance that you have configured.
NOTE: To disable this SA without deleting it, select Disable this SA and click Update.

MANUAL KEYING
Manual keying involves exchanging encryption and authentication keys in advance. Although this is the simplest method of establishing an SA between two VPN devices, the SA always uses the same encryption and authentication keys. If the keys are compromised by an outside party, they remain compromised until the keys are changed.
• When All Appliances are Managed by GMS
• When One Appliance Is Not Managed by GMS

When All Appliances are Managed by GMS
Setting up a VPN tunnel between appliances requires you to configure several parameters on both appliances. When setting up VPN tunnels between SonicWall appliances managed by GMS, all selected appliances are automatically configured based on the settings that you entered. To enable VPN using manual keying, complete the following steps:
1 Expand the VPN tree and click Configure. The VPN Configure page displays.
2 Select Use Interconnected Mode.
3 Select Manual Key.
4 Select the appropriate option to add, delete, or modify a security association.
5 Click Select Destination. A dialog box that contains all SonicWall appliances managed by this GMS displays.
6 Select the SonicWall appliance or group to which you will establish SAs and click Select. The name of the target displays in the Target SonicWall Group/Node field.
7 Select one of the encryption methods from the Encryption Method list box.
8 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWall and compared to static routes configured in the SonicWall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWall looks up a route for the LAN. If no route is found, the SonicWall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
9 To enable wireless secure bridging, select Wireless Secure Bridging Mode.
10 To enable NetBIOS broadcasts across the SA, select Enable Windows Networking (NetBIOS) Broadcast.
11 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to Configuring Routing in SonicOS Enhanced). This option enables you to create a “hub and spoke” network configuration where all traffic is routed among branch offices through the corporate office.
NOTE: To create a “hub and spoke” network, make sure to select Forward Packets to Remote VPNs for each SA.
12 To force all network traffic to the WAN through a VPN to a central site, select Route all Internet traffic through destination unit. When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.
13 Select one of the following VPN termination options:
• To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of the SA are able to access the LAN, but not the DMZ.
• To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA are able to access the OPT, but not the LAN.
• To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
14 Select from the following NAT and Firewall Rules:
• To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.
• To enable NAT and firewall rules for the selected SonicWall appliance, select Source. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and network firewall rules are applied to all traffic on this SA.
• To enable NAT and firewall rules for the selected SonicWall appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance appears to originate from a single IP address and all traffic originating from its peer appears to originate from a single IP address. Network firewall rules are applied to all traffic on this SA.
NOTE: Applying firewall rules can dramatically affect services that run between the networks. For more information, refer to Understanding the Network Access Rules Hierarchy.
15 Select how local users are authenticated:
• To disable authentication for local users, select Disabled.
• To configure local users to be authenticated locally, either through the SonicWall device or the RADIUS server, select Source.
• To configure local users to be authenticated on the destination network, either through the SonicWall device or the RADIUS server, select Destination.
• To authenticate local users both locally and on the destination network, select Source and Destination.
16 Similarly, select how remote users are authenticated.
17 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.

When One Appliance Is Not Managed by GMS
This section describes how to configure VPN when the target appliance is not managed by GMS. To enable VPN using manual keying, complete the following steps:
1 Expand the VPN tree and click Configure. The VPN Configure page displays.
2 Deselect Use Interconnected Mode.
3 Select Manual Key in the IPSec Keying mode section.
4 Select the appropriate option to add, delete, or modify a security association.
5 Enter a descriptive name for the SA in the Security Association Name field.
6 Enter the IP address of the remote firewall in the IPSec Gateway Address field. This address must be valid and is the public IP address if the remote LAN has NAT enabled.
7 To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field. A Default LAN Gateway is used at a central site in conjunction with a remote site using Route all Internet traffic through destination unit. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA. Incoming packets are decoded by the SonicWall and compared to static routes configured in the SonicWall. Because packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received through an IPSec tunnel, the SonicWall looks up a route for the LAN. If no route is found, the SonicWall checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
8 To enable wireless secure bridging, select Wireless Secure Bridging Mode.
9 To access remote resources within the Windows Network Neighborhood, select Enable Windows Networking (NetBIOS) Broadcast.
10 To apply NAT and firewall rules to all traffic coming through this SA, select Apply NAT and firewall rules. This feature is useful for hiding the LAN subnet from the corporate site. All traffic appears to originate from a single IP address.
11 To allow the remote VPN tunnel to be included in the routing table, select Forward Packets to Remote VPNs. This enables the SonicWall appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a “hub and spoke” network configuration by routing traffic among SAs. To do this, be sure to enable this option for all SAs.
12 To require local users to authenticate locally before accessing the SA, select Require authentication of local users.
13 To require remote users to authenticate with this SonicWall appliance or the local RADIUS server before accessing resources, select Require authentication of remote users.
14 Select one of the encryption methods from the Encryption Method list box.
15 Enter the key used for encryption in the Encryption Key field. The DES and ARCFour keys must be exactly 16 characters long and be composed of hexadecimal characters. Encryption keys shorter than 16 characters are not accepted; keys longer than 16 characters are truncated. Valid hexadecimal characters are “0” to “9” and “a” to “f” (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.” This key must match the encryption key of the remote VPN gateway or client. If encryption is not used, this field is ignored.
16 Enter the key used for authentication in the Authentication Key field. The authentication key must be exactly 32 characters long and be composed of hexadecimal characters. Authentication keys shorter than 32 characters are not accepted; keys longer than 32 characters are truncated. Valid hexadecimal characters are “0” to “9” and “a” to “f” (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef1234567890abcdef.” This key must match the authentication key of the remote VPN gateway or client. If authentication is not used, this field is ignored.
17 Enter the Security Parameter Index (SPI) that the remote location sends to identify the Security Association used for the VPN Tunnel in the Incoming SPI field. The SPI may be up to eight characters long and must be composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9” and “a” to “f” (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). The hexadecimal values “0” to “ff” inclusive are reserved by the Internet Engineering Task Force (IETF) and are not allowed for use as an SPI. For example, a valid SPI would be “1234abcd.” The SPI for an SA must be unique when compared to the SPIs of other SAs. However, the Incoming SPI can be the same as the Outgoing SPI on the same SA.
18 Enter the Security Parameter Index (SPI) that the local SonicWall VPN transmits to identify the Security Association used for the VPN Tunnel in the Outgoing SPI field.
19 Select from the following:
• To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.
• To specify destination networks, select Specify destination networks below. Then, click Modify and enter the destination network IP addresses and subnet masks.
20 When you are finished, click Update. The settings are changed for each selected SonicWall appliance. To clear all screen settings and start over, click Reset.
21 Create an SA in the remote VPN device for each SonicWall appliance that you have configured.
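Steps 15 through 18 state several constraints that are easy to get wrong when keys and SPIs are prepared by hand for both ends of a manually keyed tunnel: exact hexadecimal lengths, silent truncation of over-long keys, the IETF-reserved SPI range, and SPI uniqueness across SAs (with the incoming and outgoing SPI of the same SA allowed to match). The following validator is an added example, not SonicWall code: the ManualSA class, the message wording, and the sample SAs are constructed here, and the "truncated" flag reports what the guide says the appliance would do so that an operator can catch it before the tunnel is built with a different key than intended.

```python
"""Validator for the manual-key parameters described in steps 15-18: 16-hex-character
encryption keys, 32-hex-character authentication keys, and 1-8 hex-character SPIs
outside the IETF-reserved 0-ff range, unique across SAs.  Added example, not
SonicWall code; the ManualSA fields and the sample SAs are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEX_ONLY = re.compile(r"^[0-9a-f]+$")
SPI_RESERVED_MAX = 0xFF          # "0" to "ff" inclusive are reserved by the IETF
ENCRYPTION_KEY_LEN = 16          # DES / 3DES / ARCFour key length in hex characters
AUTHENTICATION_KEY_LEN = 32


@dataclass
class ManualSA:
    name: str
    encryption_key: str
    authentication_key: str
    incoming_spi: str
    outgoing_spi: str


def normalize_key(value: str, length: int) -> Tuple[str, bool]:
    """Return (key, truncated).  Short or non-hex keys are rejected; longer keys are
    cut to `length`, as the guide says the appliance does, so the flag lets a caller warn."""
    key = value.strip().lower()
    if not HEX_ONLY.match(key):
        raise ValueError("key must consist of hexadecimal characters 0-9 and a-f")
    if len(key) < length:
        raise ValueError(f"key must be exactly {length} hexadecimal characters (got {len(key)})")
    return key[:length], len(key) > length


def validate_spi(spi: str) -> str:
    """Return the normalised SPI or raise: 1-8 hex characters, above the reserved range."""
    spi = spi.strip().lower()
    if not 1 <= len(spi) <= 8 or not HEX_ONLY.match(spi):
        raise ValueError(f"SPI {spi!r} must be 1 to 8 hexadecimal characters")
    if int(spi, 16) <= SPI_RESERVED_MAX:
        raise ValueError(f"SPI {spi!r} lies in the IETF-reserved range 0-ff")
    return spi


def validate_sa_set(sas: List[ManualSA]) -> List[str]:
    """Return a list of problems across the SA set; an empty list means everything is valid."""
    problems: List[str] = []
    owner: Dict[str, str] = {}                      # SPI -> name of the SA that uses it
    for sa in sas:
        for label, value, length in (("encryption", sa.encryption_key, ENCRYPTION_KEY_LEN),
                                     ("authentication", sa.authentication_key, AUTHENTICATION_KEY_LEN)):
            try:
                _, truncated = normalize_key(value, length)
                if truncated:
                    problems.append(f"{sa.name}: {label} key longer than {length} characters would be truncated")
            except ValueError as exc:
                problems.append(f"{sa.name}: {label} key: {exc}")
        try:
            # A set: the incoming SPI may equal the outgoing SPI on the same SA.
            spis = {validate_spi(sa.incoming_spi), validate_spi(sa.outgoing_spi)}
        except ValueError as exc:
            problems.append(f"{sa.name}: {exc}")
            continue
        for spi in sorted(spis):
            if spi in owner and owner[spi] != sa.name:
                problems.append(f"{sa.name}: SPI {spi} is already used by SA {owner[spi]}")
            owner.setdefault(spi, sa.name)
    return problems


def sample_problems() -> List[str]:
    """Constructed SAs: one valid, one reusing another SA's SPI, one with a short key and a reserved SPI."""
    sas = [
        ManualSA("hq", "1234567890abcdef", "1234567890abcdef1234567890abcdef", "1234abcd", "1234abcd"),
        ManualSA("branch", "1234567890abcdef", "1234567890abcdef1234567890abcdef", "abcd0001", "1234abcd"),
        ManualSA("lab", "1234", "1234567890abcdef1234567890abcdef", "ff", "deadbeef"),
    ]
    return validate_sa_set(sas)


if __name__ == "__main__":
    for problem in sample_problems():
        print(problem)
```

Running the sample reports three problems: the branch SA reuses the hq SA's SPI, and the lab SA has both a four-character encryption key and an SPI inside the reserved range. The hq SA, whose incoming and outgoing SPI are identical, passes, as the guide permits.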

Setting up the L2TP Server
To support secure L2TP connections from remote clients, complete the following steps:
1 Expand the VPN tree and click L2TP. The L2TP page displays.
2 Select Enable L2TP Server.
3 Specify how often the SonicWall appliance issues a Keepalive in the Keep alive time (secs) field.
4 Enter the IP addresses of the DNS Servers in the DNS Server fields.
5 Enter the IP addresses of the WINS Servers in the WINS Server fields.
6 Select from the following:
• To assign IP addresses to L2TP clients that are provided by the RADIUS server, select IP address provided by RADIUS Server.
• To use IP addresses from a local L2TP IP address pool, select Use the Local L2TP IP pool and enter the starting and ending IP addresses in the Start IP and End IP fields.
7 Assign appropriate groups with the User group for L2TP users pull-down.
8 Enter PPP settings by clicking Add to input allowed authentication protocols. Use the arrows to reorder the protocols as you prefer. Click Remove to remove any unnecessary protocols.
9 When you are finished, click Update. To clear all screen settings and start over, click Reset.

Monitoring VPN Connections
To monitor VPN connections, complete the following steps:
1 Expand the VPN tree and click Monitor. The Monitor page displays.
2 Select the category of tunnels to display in the Display Options section and click Refresh. You can select Show Up Tunnels, Show Down Tunnels, or Show All Tunnels.
3 To synchronize the tunnel status information, click Synchronize Tunnel Status Information.
4 To refresh the statistics, click Refresh Selected Tunnel Statistics.
5 To view the tunnel statistics, select one or more tunnels and click View Selected Tunnel Statistics.
6 To renegotiate selected tunnels, select one or more tunnels and click Renegotiate Selected Tunnels.

Management of VPN Client Users
To configure VPN Clients on SonicWall appliances, see the following sections:
• Upgrading Licenses
• Enabling the VPN Client

ENABLING THE VPN CLIENT
After applying a VPN Client license to one or more SonicWall appliances, complete the following steps:
1 Navigate to Policies > VPN > Summary.
2 Click Export next to the SA.
3 To email the SPD file to the SonicWall GMS administrator or the VPN Client user, click Email SPD file. The file is attached to the email. A task is scheduled for each email.
NOTE: A copy of the SPD file is also stored in the SonicWall Agent's \etc directory.

DOWNLOADING VPN CLIENT SOFTWARE
To download the VPN Client software from mysonicwall.com, complete the following steps:
1 Click the Console tab at the top of the SonicWall GMS UI.
2 Expand the Licenses tree and click GMS License.
3 Click Login in a new window. This opens a new browser into the GMS account on www.MySonicWall.com.
4 Download the VPN Client software from mysonicwall.com to a local directory.
5 Copy the VPN Client software to the SonicWall Agent's \etc directory.
6 Rename the file to SWVpnClient.zip.

VPN Terms and Concepts
Before installing a SonicWall VPN, it is important to understand the following basic terms and concepts.
• Asymmetric vs. Symmetric Cryptography—Asymmetric and symmetric cryptography refer to the keys used to authenticate, or encrypt and decrypt the data. Asymmetric cryptography, or public key cryptography, uses two keys for verification. Organizations such as RSA Data Security and VeriSign support asymmetric cryptography. With symmetric cryptography, the same key is used to authenticate on both ends of the VPN. Symmetric cryptography, or secret key cryptography, is usually faster than asymmetric cryptography. Therefore symmetric algorithms are often used when large quantities of data need to be exchanged. SonicWall VPN uses symmetric cryptography. As a result, the key on both ends of the VPN tunnel must match exactly.
• ARCFour—ARCFour is used for communications with secure Web sites using the SSL protocol. Many banks use a 40-bit key ARCFour for online banking, while others use a 128-bit key. SonicWall VPN uses a 56-bit key for ARCFour. The ARCFour key must be exactly 16 characters long and is composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9” and “a” to “f” (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
• Authentication Header (AH)—The authentication header is a mechanism for providing strong integrity and authentication for IP packets. The Authentication Header does not offer confidentiality or protection from traffic analysis. The IP authentication header provides security by adding authentication information to an IP packet. This authentication information is calculated using all header and payload data in the IP packet. This provides significantly more security than is currently present in IP. Use of an AH increases the processing requirements of SonicWall VPN and also increases the communications latency. The increased latency is primarily because of the calculation of the authentication data by the sender and the calculation and comparison of the authentication data by the receiver for each IP packet.
• Data Encryption Standard (DES)—When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code. The SonicWall DES encryption algorithm uses a 56-bit key. The DES key must be exactly 16 characters long and is composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9” and “a” to “f” inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
• Encapsulating Security Payload (ESP)—ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets. Encryption might be in the form of ARCFour (similar to the popular RC4 encryption method), DES, and so on. The use of ESP typically increases the processing requirements and communications latency. The increased latency is primarily because of the encryption and decryption required for each IP packet containing an ESP. ESP typically involves encryption of the packet payload using standard encryption mechanisms, such as RC4, ARCFour, DES, or 3DES. ESP has no mechanism for providing strong integrity and authentication of the data.
• Encryption—Encryption is a mathematical operation that transforms data from “clear text” (something that a human or a program can interpret) to “cipher text” (something that cannot be interpreted). Usually the mathematical operation requires that an alphanumeric “key” be supplied along with the clear text. The key and clear text are processed by the encryption operation that leads to the data scrambling that makes encryption secure.
Decryption is the opposite of encryption: it is a mathematical operation that transforms cipher text to clear text. Decryption also requires a key.
• Shared Secret—A shared secret is a predefined field that the two endpoints of a VPN tunnel use to set up an IKE SA. This field can be any combination of alphanumeric characters with a minimum length of four characters and a maximum of 128 characters. Precautions should be taken when delivering/exchanging this shared secret to assure that a third party cannot compromise the security of a VPN tunnel.
• Internet Key Exchange (IKE)—IKE is a negotiation and key exchange protocol specified by the Internet Engineering Task Force (IETF). An IKE SA automatically negotiates encryption and authentication keys. With IKE, an initial exchange authenticates the VPN session and automatically negotiates keys that are used to pass IP traffic.
• Key—A key is an alphanumeric string that is used by the encryption operation to transform clear text into cipher text. A key is composed of hexadecimal characters (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). A valid key would be 1234567890abcdef. Keys used in VPN communications can vary in length, but are typically 16 or 32 characters. The longer the key, the more difficult it is to break the encryption. The reason for this is that most methods used to break encryption involve trying every possible combination of characters, similar to trying to find someone’s telephone number by dialing every possible combination of phone numbers.
• Manual Key—Manual keying allows the SonicWall administrator to specify the encryption and authentication keys. SonicWall VPN supports the ability to manually set up a security association as well as the ability to automatically negotiate an SA using IKE.
• Security Association (SA)—An SA is the group of security settings needed to create a VPN tunnel. All SAs require an encryption method, an IPSec gateway address, and a destination network address.
• IKE includes a shared secret.
• Manual keying includes two SPIs and an encryption and authentication key.
SonicWall PRO appliances support up to 100 SAs. SonicWall SOHO2 and SonicWall XPRS2 appliances support 10 and 25 SAs, respectively. Different SAs might be created to connect branch offices, allow secure remote management, and pass unsupported traffic.
• Security Parameter Index (SPI)—The SPI is used to establish a VPN tunnel. The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption, and key values that the administrator associated with the SPI to establish the tunnel. The SPI must be unique, is from one to eight characters long, and is composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9” and “a” to “f” (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, valid SPIs would be 999 or “1234abcd.”
• Triple Data Encryption Standard (3DES)—3DES is the same as DES, except that it applies three DES keys in succession and is significantly more secure. However, 3DES has significantly more processing requirements than DES. The 3DES key must be exactly 16 characters long and is composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9” and “a” to “f” inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
• VPN Tunnel—Tunneling is the encapsulation of point-to-point transmissions inside IP packets. A VPN Tunnel is a term that is used to describe a connection between two or more private nodes or LANs over a public network, typically the Internet. Encryption is often used to maintain the confidentiality of private data when traveling over the Internet.

Using OCSP with SonicWall Security Appliances
Online Certificate Status Protocol (OCSP) allows you to check VPN certificate status without CRLs. This allows timely updates regarding the status of the certificates used on your SonicWall.
OCSP is designed to augment or replace Certificate Revocation Lists (CRL) in your Public Key Infrastructure (PKI) or digital certificate system. The CRL is used to validate the digital certificates that make up the PKI. This allows the Certificate Authority (CA) to revoke certificates before their scheduled expiration date and is useful in protecting the PKI system against stolen or invalid certificates.
The main disadvantage of Certificate Revocation Lists is the need for frequent updates to keep the CRL of every client current. These frequent updates greatly increase network traffic when the complete CRL is downloaded by every client. Depending on the frequency of the CRL updates, a period of time can exist when a certificate is revoked by the CRL but the client has not received the CRL update and permits the certificate to be used.
Online Certificate Status Protocol determines the current status of a digital certificate without using a CRL. OCSP enables the client or application to directly determine the status of an identified digital certificate. This provides more timely information about the certificate than is possible with CRLs. In addition, each client typically only checks a few certificates and does not incur the overhead of downloading an entire CRL for only a few entries. This greatly reduces the network traffic associated with certificate validation.
OCSP transports messages over HTTP for maximum compatibility with existing networks. This requires careful configuration of any caching servers in the network to avoid receiving a cached copy of an OCSP response that might be out of date.
The OCSP client communicates with an OCSP responder. The OCSP responder can be a CA server or another server that communicates with the CA server to determine the certificate status. The OCSP client issues a status request to an OCSP responder and suspends the acceptance of the certificate until the responder provides a response. The client request includes data such as protocol version, service request, target certificate identification and optional extensions. These optional extensions might or might not be acknowledged by the OCSP responder.
The OCSP responder receives the request from the client and checks that the message is properly formed and whether the responder is able to respond to the service request. Then it checks whether the request contains the correct information needed for the service desired. If all conditions are satisfied, the responder returns a definitive response to the OCSP client. The OCSP responder is required to provide a basic response of GOOD, REVOKED, or UNKNOWN. If both the OCSP client and responder support the optional extensions, other responses are possible. The GOOD state is the desired response as it indicates the certificate has not been revoked. The REVOKED state indicates that the certificate has been revoked. The UNKNOWN state indicates the responder does not have information about the certificate in question.
OCSP servers typically work with a CA server in a push or pull setup. The CA server can be configured to push a CRL (revocation list) to the OCSP server. Additionally, the OCSP server can be configured to periodically download (pull) the CRL from the CA server. The OCSP server must also be configured with an OCSP response signing certificate issued by the CA server. The signing certificate must be properly formatted or the OCSP client does not accept the response from the OCSP server.

OPENCA OCSP RESPONDER
Using OCSP requires the OpenCA (OpenSource Certificate Authority) OCSP Responder, as it is the only supported OCSP responder. OpenCA OCSP Responder is available at http://www.openca.org/ocspd/. The OpenCA OCSP Responder is an RFC 2560 compliant OCSP responder that runs on a default port of 2560, in homage to being based on RFC 2560. NOTE: For SonicOS to act as an OCSP client to a responder, the CA certificate must be loaded onto the SonicWall system.



USING OCSP WITH VPN POLICIES
The SonicWall OCSP settings can be configured on a policy level or globally. To configure OCSP checking for individual VPN policies, click on the VPNs page, then:
1 Select the radio button next to Enable OCSP Check.
2 Specify the OCSP Responder URL of the OCSP server, for example http://192.168.168.220:2560, where 192.168.168.220 is the IP address of your OCSP server and 2560 is the default port of operation for the OpenCA OCSP responder service.
The responder URL is plain HTTP. The response is trusted because it is signed by the responder's certificate, not because of the transport, which is why the CA certificate must be loaded on the SonicWall before OCSP checking can work.
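The client/responder exchange described above, as an added example that is not part of the SonicWall guide: a self-contained OpenSSL script that builds a throw-away CA, issues three certificates, plays the responder from the CA's own revocation database, and then plays the client, verifying the responder's signature against the CA before reading the GOOD, REVOKED or UNKNOWN status. It stands in for the OpenCA responder; nothing touches the network. The CA name, host names and serial numbers are made up, and the script assumes the openssl command-line tool (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example (not SonicWall's or OpenCA's code): an offline OCSP round
# trip with the openssl CLI. Lab CA, names and serials are constructed.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A throw-away CA. It also signs the OCSP responses, which RFC 2560
#    allows because it is the issuer of the certificates being checked.
openssl ecparam -name prime256v1 -genkey -noout -out ca.key 2>/dev/null
openssl req -x509 -new -key ca.key -subj "/CN=Lab VPN CA" -days 3650 \
    -out ca.pem 2>/dev/null

# issue_cert NAME SERIAL_HEX -> NAME.pem, an end-entity cert from the lab CA
issue_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key \
        -set_serial "0x$2" -days 365 -out "$1.pem" 2>/dev/null
}
issue_cert vpn-peer 1001    # present and valid in the CA database
issue_cert old-peer 1002    # present but revoked
issue_cert stray    1003    # not in the database at all

# 2. The CA's database in openssl index.txt format (fields: status, expiry,
#    revocation date, serial, filename, subject). In a "pull" setup this is
#    what the responder fetches from the CA.
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=vpn-peer\n' > index.txt
printf 'R\t300101000000Z\t240101000000Z\t1002\tunknown\t/CN=old-peer\n' >> index.txt

# ocsp_status CERT.pem -> prints good | revoked | unknown
ocsp_status() {
    # Client: build a request identifying CERT by issuer hashes and serial.
    openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout req.der 2>/dev/null
    # Responder: look the serial up in the database and sign the answer.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der -no_nonce -noverify >/dev/null 2>&1
    # Client: verify the response signature against the CA, then read the
    # status. A response the CA did not sign makes this step fail instead.
    openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -respin resp.der \
        -CAfile ca.pem 2>/dev/null |
        awk -v c="$1" -F': ' '$1 == c { print $2; exit }'
}

ocsp_status vpn-peer.pem    # good
ocsp_status old-peer.pem    # revoked
ocsp_status stray.pem       # unknown
```

Against a live responder the client side collapses to one command, `openssl ocsp -issuer ca.pem -cert peer.pem -CAfile ca.pem -url http://192.168.168.220:2560`, which is a quick check that the responder the VPN policy points at answers and that its signing certificate chains to the CA you loaded on the SonicWall.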

Configuring Firewall SSL VPN Settings
This chapter provides information on how to configure the SSL VPN features on the SonicWall SMA appliances. SonicWall’s SSL VPN features provide secure, seamless, remote access to resources on your local network using the NetExtender client. This chapter contains the following sections:
• SSL VPN NetExtender Overview
• SSL VPN > Server Settings
• SSL VPN > Portal Settings
• SSL VPN > Client Settings
• SSL VPN > Client Routes
• Configuring Virtual Office
• Remote Access EPC

SSL VPN NetExtender Overview This section provides an introduction to the SonicOS SSL VPN NetExtender feature as managed within SonicWall™ Global Management System (GMS). This section contains the following subsections: • What is SSL VPN NetExtender? • Benefits • NetExtender Concepts

WHAT IS SSL VPN NETEXTENDER? SonicWall’s SSL VPN NetExtender feature is a transparent software application for Windows, Mac, and Linux users that enables remote users to securely connect to the remote network. With NetExtender, remote users can securely run any application on the remote network. Users can upload and download files, mount network drives, and access resources as if they were on the local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.

BENEFITS
NetExtender provides remote users with full access to your protected internal network. The experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender does not require any manual client installation. Instead, the NetExtender Windows client is automatically installed on a remote user’s PC by an ActiveX control when using the Internet Explorer browser, or with the XPCOM plug-in when using Firefox. On MacOS systems, supported browsers use Java controls to automatically install NetExtender from the Virtual Office portal. Linux systems can also install and use the NetExtender client. After installation, NetExtender automatically launches and connects a virtual adapter for secure SSL VPN point-to-point access to permitted hosts and subnets on the internal network.

NETEXTENDER CONCEPTS
The following sections describe advanced NetExtender concepts:
• Stand-Alone Client
• Client Routes
• Tunnel All Mode
• Connection Scripts
• Proxy Configuration

Stand-Alone Client NetExtender is a browser-installed lightweight application that provides comprehensive remote access without requiring users to manually download and install the application. The first time a user launches NetExtender, the NetExtender stand-alone client is automatically installed on the user’s PC or Mac. The installer creates a profile based on the user’s login information. The installer window then closes and automatically launches NetExtender. If the user has a legacy version of NetExtender installed, the installer first uninstalls the old NetExtender and installs the new version. After the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC’s Start > Programs menu and configure NetExtender to launch when Windows boots. Mac users can launch NetExtender from their system Applications folder, or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and KDE.

Client Routes NetExtender client routes are used to allow and deny access for SSL VPN users to various network resources. Address objects are used to easily and dynamically configure access to network resources.

Tunnel All Mode
Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

Tunnel All mode routes
IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0

The two entries with the 128.0.0.0 mask are 0.0.0.0/1 and 128.0.0.0/1. Together they cover the whole IPv4 address space and, being more specific than any existing default route (0.0.0.0/0), take precedence over it. NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured to take precedence over any existing routes, so that traffic destined for the local network is forced over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel. Tunnel All mode is configured on the SSL VPN > Client Routes page.

Connection Scripts SonicWall SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.

Proxy Configuration
SonicWall SSL VPN supports NetExtender sessions using proxy configurations. Currently, only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is already configured for proxy access, NetExtender automatically inherits the proxy settings. The proxy settings can also be manually configured in the NetExtender client preferences. NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy Auto Discovery (WPAD) protocol. NetExtender provides three options for configuring proxy settings:
• Automatically detect settings - To use this setting, the proxy server must support the Web Proxy Auto Discovery (WPAD) protocol, which pushes the proxy settings script to the client automatically.
• Use automatic configuration script - If you know the location of the proxy settings script, you can select this option and provide the URL of the script.
• Use proxy server - Use this option to specify the IP address and port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses, bypassing the proxy server. If required, you can enter a user name and password for the proxy server. If the proxy server requires a username and password but you do not specify them, a NetExtender pop-up window prompts you to enter them when you first connect.
When NetExtender connects using proxy settings, it establishes an HTTPS connection to the proxy server instead of connecting to the SonicWall security appliance directly. The proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the certificate negotiated by NetExtender, of which the proxy server has no knowledge. The connecting process is identical for proxy and non-proxy users.

SSL VPN > Server Settings
The SSL VPN > Server Settings page is used to configure details of the SonicWall security appliance’s behavior as an SSL VPN server. The server settings are configurable with IPv4 and IPv6 addresses. The configurations for both are nearly identical.

The following options can be configured on the SSL VPN > Server Settings page.
• SSL VPN Status on Zones: Displays the SSL VPN Access status on each zone. Green indicates active SSL VPN status, while red indicates inactive SSL VPN status. To enable or disable SSL VPN access on a zone, click the Network > Zones link to jump to the Edit Zone window.
• SSL VPN Port: Sets the SSL VPN port for the appliance. The default is 4433.
• Certificate Selection: Select the certificate that is used to authenticate SSL VPN users. All imported local certificates are available to be selected in the pull-down menu. To manage certificates, go to the System > Certificates page. NOTE: The Certificate Selection option is only available at the unit level, not at the group level.
• Enable Server Cipher Preference: Select to configure a preferred cipher method. The available ciphers are RC4_MD5, 3DES_SHA1, and AES256_SHA1. RC4 and 3DES are deprecated (RC4 is prohibited for TLS by RFC 7465), so if you enable this option, prefer AES256_SHA1.
• RADIUS User Settings: This option is only available when either RADIUS or LDAP is configured to authenticate SSL VPN users. Select Use RADIUS in MSCHAP mode or MSCHAPv2 mode to have RADIUS use MSCHAP (or MSCHAPv2). Enabling MSCHAP-mode RADIUS allows users to change expired passwords at login time. In LDAP, password updates can only be done when using either Novell eDirectory or Active Directory with TLS and binding to it using an administrative account. If LDAP is not configured that way, password updates for SSL VPN users are completed using MSCHAP-mode RADIUS after LDAP has been used to authenticate the user. NOTE: RADIUS must be enabled on the Users > RADIUS page. Click the link at the bottom of the SSL VPN > Server Settings page to go to Users > RADIUS to modify the configuration.



SSL VPN > Portal Settings
The Policies > SSL VPN > Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website that users log in to in order to launch NetExtender. It can be customized to match any existing company website or design style. IPv4 and IPv6 addresses are accepted and displayed in the Portal Settings screen.

The following settings configure the appearance of the Virtual Office portal:
• Portal Site Title - The text displayed in the top title of the web browser.
• Portal Banner Title - The text displayed next to the logo at the top of the page.
• Home Page Message - The HTML code that is displayed above the NetExtender icon.
• Login Message - The HTML code that is displayed when users are prompted to log in to the Virtual Office.
• Example Template - Resets the Home Page Message and Login Message fields to the default example template.
• Preview - Launches a pop-up window that displays the HTML code.
The following options customize the functionality of the Virtual Office portal:
• Launch NetExtender after login - Automatically launches NetExtender after a user logs in.
• Display Import Certificate - Displays Import Certificate on the Virtual Office page. This initiates the process of importing the SonicWall security appliance’s self-signed certificate into the web browser. This option only applies to the Internet Explorer browser on PCs running Windows 2000 or Windows XP.
• Enable HTTP meta tags for cache control - Inserts meta tags into the page that instruct the web browser not to cache the Virtual Office page. SonicWall recommends enabling this option.
The Customized Logo field is used to display a logo other than the SonicWall logo at the top of the Virtual Office portal. Enter the URL of the logo in the Customized Logo field. The logo must be in GIF format of size 155 x 36, and a transparent or light background is recommended.

SSL VPN > Client Settings The Policies > SSL VPN > Client Settings page allows the administrator to enable SSL VPN access on zones and configure the client address range information and NetExtender client settings. It also displays which zones have SSL VPN access enabled.

The following tasks are configured on the SSL VPN > Client Settings page: • Configuring Zones for SSL VPN Access • Configuring the SSL VPN Client Address Range • Configuring NetExtender Client Settings

CONFIGURING ZONES FOR SSL VPN ACCESS All of the zones on the SonicWall security appliance are displayed in the SSL VPN Status on Zones section of the SSL VPN > Client Settings page. SSL VPN access must be enabled on a zone before users can access the Virtual Office web portal. A green button to the left of the name of the zone indicates that SSL VPN access is enabled. A red button indicates that SSL VPN access is disabled. To change the SSL VPN access for a zone, simply click the name of the zone on the SSL VPN > Client Settings page. SSL VPN Access can also be configured on the Network > Zones page by clicking the configure icon for the zone. NOTE: WAN management must be enabled on the zone to terminate SSL VPN sessions. Even though the zone has SSL VPN enabled, if the management interface is disabled, SSL VPN does not work correctly.



CONFIGURING THE SSL VPN CLIENT ADDRESS RANGE
The SSL VPN Client Address Range defines the IP address pool from which addresses are assigned to remote users during NetExtender sessions. The range needs to be large enough to accommodate the maximum number of concurrent NetExtender users you wish to support plus one (for example, the range for 15 users requires 16 addresses, such as 192.168.200.100 to 192.168.200.115). NOTE: The range must fall within the same subnet as the interface to which the SMA appliance is connected, and in cases where there are other hosts on the same segment as the SMA appliance, it must not overlap or collide with any assigned addresses.
To configure the SSL VPN Client Address Range, complete the following steps:
1 Navigate to the SSL VPN > Client Settings page.
2 In the NetExtender Start IP field, enter the first IP address in the client address range.
3 In the NetExtender End IP field, enter the last IP address in the client address range.
4 In the DNS Server 1 field, enter the IP address of the primary DNS server, or click Default DNS Settings to use the default settings.
5 (Optional) In the DNS Server 2 field, enter the IP address of the backup DNS server.
6 (Optional) In the DNS Domain field, enter the domain name for the DNS servers.
7 In the User Domain field, enter the domain name for the users. The value of this field must match the domain field in the NetExtender client.
8 (Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.
9 (Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.
10 In the Interface pull-down menu, select the interface to be used for SSL VPN services. NOTE: The IP address range must be on the same subnet as the interface used for SSL VPN services.
11 Click the Zone name at the top of the page to enable SSL VPN access on it with these settings. The indicator should be green for the Zone you want to enable.
12 Click Accept.

CONFIGURING NETEXTENDER CLIENT SETTINGS

NetExtender client settings are configured at the bottom of the SSL VPN > Client Settings page. The following settings customize the behavior of NetExtender when users connect and disconnect.
• Default Session Timeout (minutes)—The default timeout value for client inactivity, after which the client’s session is terminated.
• Enable Web Management over SSLVPN—Allows NetExtender clients to execute web management tasks over the SSLVPN. This option is available in SonicOS 6.1 and above.
• Enable SSH Management over SSLVPN—Allows NetExtender clients to execute Secure Shell (SSH) management tasks over the SSLVPN. This option is available in SonicOS 6.1 and above.
• Enable NetBIOS Over SSLVPN—Allows NetExtender clients to broadcast NetBIOS to the SSL VPN subnet.
• Enable Client Autoupdate—The NetExtender client checks for updates every time it is launched.
• Exit Client After Disconnect—The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users must either return to the SSL VPN portal or launch NetExtender from their Programs menu.
• Uninstall Client After Disconnect—The NetExtender client automatically uninstalls when it becomes disconnected from the SSL VPN server. To reconnect, users must return to the SSL VPN portal.
• Create Client Connection Profile—The NetExtender client creates a connection profile recording the SSL VPN server name, the domain name, and optionally the username and password.
• Communication Between Clients—Enables NetExtender clients that are connected to the same server to communicate with each other.
• User Name & Password Caching—Provides flexibility in allowing users to cache their usernames and passwords in the NetExtender client. The three options are Allow saving of user name only, Allow saving of user name & password, and Prohibit saving of user name & password. These options let administrators balance security needs against ease of use; a cached password on a lost or shared device gives whoever holds it a VPN session, so the more restrictive options are the safer choice for unmanaged devices.

SSL VPN > Client Routes
The Policies > SSL VPN > Client Routes page allows the administrator to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote users can access through the SSL VPN connection.

The following tasks are configured on the SSL VPN > Client Routes page: • Configuring Tunnel All Mode • Adding Client Routes

CONFIGURING TUNNEL ALL MODE
Select Enabled from the Tunnel All Mode pull-down list to force all traffic for NetExtender users over the SSL VPN NetExtender tunnel—including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

Additional routes
IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured to take precedence over any existing routes, so that traffic destined for the local network is forced over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
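As an added illustration, not taken from the SonicWall guide, of how a client's route table resolves the Tunnel All routes listed in the two tables above (the overview under NetExtender Concepts and the configuration section here), the following shell script implements the longest-prefix-match rule that Windows and Linux both apply, with the metric only breaking ties between equal prefix lengths. The interface names, metrics and the 10.0.67.0/24 LAN are constructed. It shows that the two /1 routes beat any default route, and the last lookup shows the case worth checking on a real client: an on-link /24 is still more specific than the /16 from the guide's example, so confirm what NetExtender actually installed with route print (Windows) or ip route (Linux) after it connects.

```shell
#!/bin/sh
# Added example (not from the SonicWall guide): a small longest-prefix-match
# resolver for dotted-quad IPv4 routes. Hop names, metrics and the LAN used
# below are constructed for illustration.
set -eu

# ip2int 10.0.67.64 -> 167789376
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR NET LEN -> succeeds when ADDR lies inside NET/LEN
in_prefix() {
    [ "$3" -eq 0 ] && return 0            # a /0 matches everything
    a=$(( $(ip2int "$1") >> (32 - $3) ))
    n=$(( $(ip2int "$2") >> (32 - $3) ))
    [ "$a" -eq "$n" ]
}

# next_hop TABLE ADDR -> hop of the longest matching prefix; on a tie in
# prefix length the lowest metric wins. TABLE holds one route per line as
# "NET/LEN HOP METRIC".
next_hop() {
    best_len=-1; best_metric=0; best_hop=none
    while read -r prefix hop metric; do
        [ -n "$prefix" ] || continue
        in_prefix "$2" "${prefix%/*}" "${prefix#*/}" || continue
        len=${prefix#*/}
        if [ "$len" -gt "$best_len" ] ||
           { [ "$len" -eq "$best_len" ] && [ "$metric" -lt "$best_metric" ]; }; then
            best_len=$len; best_metric=$metric; best_hop=$hop
        fi
    done <<EOF
$1
EOF
    echo "$best_hop"
}

# Client table before connecting: a default route via the home router and
# the on-link route for the user's own LAN (10.0.67.0/24).
BEFORE="0.0.0.0/0 home-router 25
10.0.67.0/24 on-link 25"

# The same table after Tunnel All mode. In prefix notation the guide's rows
# are 0.0.0.0/0, 0.0.0.0/1 and 128.0.0.0/1; the 10.0.0.0/255.255.0.0 route
# is the local-network route from the guide's 10.0.67.64 example.
AFTER="$BEFORE
0.0.0.0/0 tun0 1
0.0.0.0/1 tun0 1
128.0.0.0/1 tun0 1
10.0.0.0/16 tun0 1"

next_hop "$BEFORE" 8.8.8.8      # home-router
next_hop "$AFTER"  8.8.8.8      # tun0: a /1 is longer than any /0
next_hop "$AFTER"  10.0.12.3    # tun0: covered by the added 10.0.0.0/16
next_hop "$AFTER"  10.0.67.5    # on-link: the /24 is still more specific
```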

ADDING CLIENT ROUTES The Add Client Routes pull-down menu is used to configure access to network resources for SSL VPN users. Select the address object to which you want to allow SSL VPN access. Select Create new address object to create a new address object. Creating client routes causes access rules to automatically be created to allow this access. Alternatively, you can manually configure access rules for the SSL VPN zone on the Firewall > Access Rules page. For more information, see Configuring Access Rules.

Configuring Virtual Office
To configure the SSL VPN > Virtual Office page, complete the following steps:
1 Click Add Bookmark. The Add Bookmark window displays. When user bookmarks are defined, the defined bookmarks are shown on the SonicWall SSL VPN Virtual Office home page. Individual members are not able to delete or modify bookmarks created by the administrator.
2 Type a descriptive name for the bookmark in the Bookmark Name field.
3 Enter the fully qualified domain name (FQDN) or the IPv4 address of a host machine on the LAN in the Name or IP Address field. In some environments you can enter the host name only, such as when creating a VNC bookmark in a Windows local network. Some services can run on non-standard ports, and some expect a path when connecting. Depending on the choice in the Service field, format the Name or IP Address field like one of the examples shown in the following table:

Name or IP Address field examples

Service Type      Format                        Example for Name or IP Address Field
RDP - ActiveX     IP Address                    10.20.30.4
RDP - Java        IP:Port (non-standard)        10.20.30.4:6818
                  FQDN                          JBJONES-PC.sv.us.sonicwall.com
                  Host name                     JBJONES-PC
VNC               IP Address                    10.20.30.4
                  IP:Port (mapped to session)   10.20.30.4:5901 (mapped to session 1)
                                                Note: Do not use 10.20.30.4:1; do not use the session or display number instead of the port.
                  FQDN                          JBJONES-PC.sv.us.sonicwall.com
                  Host name                     JBJONES-PC
                  Tip: For a bookmark to a Linux server, see the Tip below this table.
Telnet            IP Address                    10.20.30.4
                  IP:Port (non-standard)        10.20.30.4:6818
                  FQDN                          JBJONES-PC.sv.us.sonicwall.com
                  Host name                     JBJONES-PC
SSHv1             IP Address                    10.20.30.4
SSHv2             IP:Port (non-standard)        10.20.30.4:6818
                  FQDN                          JBJONES-PC.sv.us.sonicwall.com
                  Host name                     JBJONES-PC

TIP: When creating a Virtual Network Computing (VNC) bookmark to a Linux server, you must specify the port number and server number in addition to the Linux server IP address in the Name or IP Address field, in the form ipaddress:port:server. For example, if the Linux server IP address is 192.168.2.2, the port number is 5901, and the server number is 1, the value for the Name or IP Address field would be 192.168.2.2:5901:1.
4 For the specific service you select from the Service drop-down list, additional fields could appear. Fill in the information for the service you selected. Select one of the following service types from the Service drop-down list:
• Terminal Services (RDP - ActiveX) or Terminal Services (RDP - Java)
NOTE: If you select Terminal Services (RDP - ActiveX) while using a browser other than Internet Explorer, the selection is automatically switched to Terminal Services (RDP - Java). A pop-up dialog box notifies you of the switch.
• In the Screen Size drop-down list, select the default terminal services screen size to be used when users execute this bookmark. Because different computers support different screen sizes, when you use a remote desktop application, you should select the size of the screen on the computer from which you are running a remote desktop session. Additionally, you might want to provide a path to where your application resides on your remote computer by typing the path in the Application Path field.
• In the Colors drop-down list, select the default color depth for the terminal service screen when users execute this bookmark.
• Optionally enter the local path for this application in the Application and Path (optional) field.
• In the Start in the following folder field, optionally enter the local folder in which to execute application commands.
• Select Login as console/admin session to allow login as console or admin. Login as admin replaces login as console in RDC 6.1 and newer.
• For RDP - Java on Windows clients, or on Mac clients running Mac OS X 10.5 or above with RDC installed, expand Show advanced Windows options and select the check boxes for any of the following redirect options: Redirect Printers, Redirect Drives, Redirect Ports, Redirect SmartCards, Redirect clipboard, or Redirect plug and play devices to redirect those devices or features on the local network for use in this bookmark session. You can hover your mouse pointer over the Help icon next to certain options to display tooltips that indicate requirements. To see local printers show up on your remote machine (Start > Settings > Control Panel > Printers and Faxes), select Redirect Ports as well as Redirect Printers. Select the check boxes for any of the following additional features for use in this bookmark session: Display connection bar, Auto reconnection, Desktop background, Window drag, Menu/window animation, Themes, or Bitmap caching. If the client application is RDP 6 (Java), you can select any of the following options as well: Dual monitors, Font smoothing, Desktop composition, or Remote Application. Remote Application monitors server and client connection activity; to use it, you need to register remote applications in the Windows 2008 RemoteApp list. If Remote Application is selected, the Java Console displays messages regarding connectivity with the Terminal Server.
• For RDP - ActiveX on Windows clients, optionally select Enable plugin DLLs and enter the name(s) of client DLLs that need to be accessed by the remote desktop or terminal service. Multiple entries are separated by a comma with no spaces. Note that the RDP Java client on Windows is a native RDP client that supports Plugin DLLs by default. The Enable plugin DLLs option is not available for RDP - Java. See Enabling Plugin DLLs.
• Optionally select Automatically log in and select Use SSL VPN account credentials to forward credentials from the current SSL VPN session for login to the RDP server.
Select Use custom credentials to enter a custom username, password, and domain for this bookmark. For more information about custom credentials, see Creating Bookmarks with Custom SSO Credentials. • Virtual Network Computing (VNC) • No additional fields • Telnet • No additional fields • Secure Shell version 1 (SSHv1) • No additional fields • Secure Shell version 2 (SSHv2) • Optionally select Automatically accept host key. • If using an SSHv2 server without authentication, such as a SonicWall firewall, you can select Bypass username. 5 Click Add to update the configuration.

Enabling Plugin DLLs
The plugin DLLs feature is available for RDP (ActiveX or Java), and allows for the use of certain third-party programs such as print drivers on a remote machine. This feature requires RDP Client Control version 5 or higher. NOTE: The RDP Java client on Windows is a native RDP client that supports Plugin DLLs by default. No action (or check box) is necessary. To enable plugin DLLs for the RDP ActiveX client:
1 Navigate to Users > Local Users.
2 Click the configure icon corresponding to the user bookmark you wish to edit.
3 In the Bookmarks tab, click Add Bookmark.
4 Select Terminal Services (RDP - ActiveX) as the Service and configure as described in the section Configuring Virtual Office.
5 Enter the name(s) of client DLLs that need to be accessed by the remote desktop or terminal service. Multiple entries are separated by a comma with no spaces.
6 Ensure that any necessary DLLs are located on the individual client systems in %SYSTEMROOT% (for example: C:\Windows\system32).
NOTE: Ensure that your Windows system and RDP client are up-to-date prior to using the Plugin DLLs feature. This feature requires RDP 5 Client Control or higher.

Creating Bookmarks with Custom SSO Credentials
The administrator can configure custom Single Sign On (SSO) credentials for each user, group, or globally in RDP bookmarks. This feature is used to access resources that need a domain prefix for SSO authentication. Users can log in to SonicWall SSL VPN as username, and click a customized bookmark to access a server with domain\username. Either straight textual parameters or variables can be used for login credentials. To configure custom SSO credentials, complete the following steps:
1 Create or edit an RDP bookmark as described in Configuring Virtual Office.
2 In the Bookmarks tab, select Use Custom Credentials.
3 Enter the appropriate username and password, or use dynamic variables as follows:

Examples
Text Usage     Variable        Example Usage
Login Name     %USERNAME%      US\%USERNAME%
Domain Name    %USERDOMAIN%    %USERDOMAIN%\%USERNAME%
Group Name     %USERGROUP%     %USERGROUP%\%USERNAME%

4 Click Add.

Remote Access EPC
Traditional VPN solutions typically provide access only from the relative safety of a corporate laptop. These VPNs are primarily designed to prevent unauthorized network access, and they typically are not designed to verify that the user’s computer is secure. Corporate IT departments configure computers under their control with antivirus software, firewalls, and other safeguards designed to protect them from malicious software. Because SSL VPN solutions can provide network access from any web-enabled device—such as public computers at cafes, airports, or hotels—extra care must be taken to verify that the user’s environment is secure. These unmanaged computers can easily be infected by keystroke recorders, viruses, Trojan horses, and other hazards that can compromise your network. Remote Access End Point Control (EPC) verifies that remote users’ computers are secure before allowing network access. To configure Remote Access EPC, complete the following steps:
1 Navigate to the SSL VPN > Remote Access EPC page of the SonicWall GUI.

2 Select Enable Remote Access EPC. When EPC is disabled, only the Default Device Profile can be configured, and without the Security Attribute settings. The Remote Access EPC page is divided into the following sections:
• General Settings
• Device Profiles
• Device Profile Search
• Deny Device Profiles
• Allow Device Profiles
• Device Profile Fallback options
• Quarantine Device Profile
• Default Device Profile
3 SonicWall recommends beginning by configuring the Default Device Profile. Scroll to the bottom of the Remote Access EPC page and click the Configure icon. See Configuring Remote Access EPC Device Profiles for full instructions on configuring the Device Profile.
4 Click Add to configure additional Device Profiles. See Configuring Remote Access EPC Device Profiles for full instructions.
5 If you are supporting SSL VPN sessions from Linux or MacOS devices, click the appropriate button in the OS Type menu.
6 Click Configure to configure the Default Device Profile for Linux and/or MacOS. NOTE: SonicOS currently does not support Remote Access EPC Security Attributes for Linux or MacOS; but in order to support Linux and MacOS users, you must configure the network address and client routes for the Linux and MacOS Default Device Profile.
7 In the Device Profile Fallback options section, select how you want to treat users who do not match any of the Deny or Allow Device Profiles:
• Place into default device profile – Users are granted network access as defined in the Default Device Profile.
• Place into quarantine device profile – Users are not granted network access. A pop-up window displays an administrator-configurable message.
8 To configure the message that is displayed to quarantined users, click the configure icon for the Quarantine Device Profile.
9 Click the Example Template to auto-populate the Quarantine Message with formatted HTML text. The quarantine pop-up message is displayed in a window that is 500 pixels wide. Edit the text of the message and click Preview to view how it is displayed to quarantined users.

CONFIGURING REMOTE ACCESS EPC DEVICE PROFILES
Configuring a Remote Access EPC Device Profile is a four-part process:
1 Configuring Device Profile Settings (for all Device Profiles)
2 Configuring Security Attributes (for all Device Profiles)
3 Configuring Client Routes (only for Allow Device Profiles)
4 Configuring Client Settings (only for Allow Device Profiles)

Configuring Device Profile Settings
1 On the SSL VPN > Remote Access EPC page, click Add. The Edit Device Profile window displays.
Enter the following information on the Settings tab:
• Name – A brief name for the Device Profile.
• Description – (Optional) A description of the Device Profile.
• Action – Select whether it is an Allow Device Profile or Deny Device Profile.
• Zone – (Only for Allow Device Profiles) Select the zone that clients are assigned to when matching this Device Profile. Only zones with type “SSL VPN” can be selected.
• Network Address – (Only for Allow Device Profiles) Select the Address Object for the IP address pool for this device profile. Clients that match this profile are assigned an IP address from the pool. Only Address Objects for the zone selected above can be used for the Device Profile. Each Device Profile must use a unique Address Object.
• Select Create new network to create a new Address Object. For the Zone Assignment, select the same zone you selected above. For Type, select Range.
• Deny Message – (Only for Deny Device Profiles) Enter the HTML text for the message that is displayed to users who are denied access. Click the Example Template to auto-populate the Quarantine Message with formatted HTML text. The pop-up message is displayed in a window that is 500 pixels wide. Edit the text of the message and click Preview to view how it is displayed to users.

Configuring Security Attributes
1 Click on the Security Attributes tab.
2 In the Select Attribute(s) pulldown menu, select the appropriate type of attribute.
3 Complete the attribute-specific configuration (described in the following sections) and click Add to current attributes.
4 Repeat as needed to configure multiple attributes. When more than one Security Attribute is configured, the device must match all of them in order for it to match the Device Profile.
5 When finished, click the Client Routes tab and continue to Configuring Client Routes.

Configuring Client Routes
The Client Routes tab is used to govern the network access that is granted to SSL VPN users. Select Enabled from the Tunnel All Mode drop-down list to force all traffic for NetExtender users over the SSL VPN NetExtender tunnel, including traffic destined for the remote user’s local network. This is accomplished by adding the following routes to the remote client’s route table:

Added Routes
IP Address    Subnet mask
0.0.0.0       0.0.0.0
0.0.0.0       128.0.0.0
128.0.0.0     128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These routes are configured with higher metrics than any existing routes to force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
NOTE: In addition to configuring Tunnel All Mode, you must also configure the individual SSL VPN user accounts. See Configuring Users and Groups for Client Routes and Tunnel All Mode.
To configure client routes to grant SSL VPN users network access, complete the following steps:
1 Select the appropriate Address Object in the Networks list.
2 Click > to add it to the Client Routes list.
3 Repeat for any additional Address Objects.
4 When finished, click the Client Settings tab.
When you are finished with configuring the Device Profile, see the following section on how to configure SSL VPN users and groups for SSL VPN access.

Configuring Users and Groups for Client Routes and Tunnel All Mode
NOTE: After completing the Client Routes configuration in the Device Profile, you must also assign all SSL VPN users and groups access to these routes on the Users > Local Users or Users > Local Groups pages.
To configure SSL VPN NetExtender users and groups to access Client Routes, complete the following steps:
1 Navigate to the Users > Local Users or Users > Local Groups page.
2 Click Configure for the SSL VPN NetExtender user or group.
3 Click the VPN Access tab.
4 Select the address object for the Client Route, and click the right arrow (>) button.
5 Click OK.
6 Repeat steps 1 through 5 for all local users and groups that use SSL VPN NetExtender.
To configure SSL VPN users and groups for Tunnel All Mode, complete the following steps:
1 Navigate to the Users > Local Users or Users > Local Groups page.
2 Click Configure for an SSL VPN NetExtender user or group.
3 Click the VPN Access tab.
4 Select the WAN RemoteAccess Networks address object and click the right arrow (>) button.
5 Click OK.
6 Repeat steps 1 through 5 for all local users and groups that use SSL VPN NetExtender.
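The following Python script is an added example, not SonicWall or NetExtender code. It models a remote client's route table before and after the Tunnel All Mode routes from the table above are added, and resolves a few destinations with the usual longest-prefix-match rule, so you can see why the two /1 routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) capture all Internet traffic regardless of the existing default route, and why the local-network route needs a metric preference to win its tie with the on-link route. The adapter names "LAN" and "SSLVPN", the metric values and the tie-break rule (lower metric preferred, as Windows does) are constructed assumptions, not values from the guide.

```python
"""Longest-prefix-match walkthrough for the Tunnel All Mode route table.

Added example, not SonicWall or NetExtender code. It models a remote client's
route table before and after NetExtender adds the routes listed in the guide
and shows which adapter a destination would leave through. The adapter names
"LAN" and "SSLVPN", the metric values and the tie-break rule are constructed
assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str  # constructed adapter name
    metric: int     # constructed; lower is preferred on ties (assumption)


def route(net, iface, metric):
    """Build a Route from an 'address/netmask' string, as the guide writes them."""
    return Route(ipaddress.IPv4Network(net), iface, metric)


def lookup(table, destination):
    """Select the route a host stack would use for `destination`.

    Most specific prefix wins; among equal prefix lengths the lowest metric
    wins. Returns None when nothing matches.
    """
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def egress(table, destination):
    """Adapter name the destination leaves through, or None."""
    r = lookup(table, destination)
    return r.interface if r else None


# Constructed "before" table: the remote user at 10.0.67.64 on the
# 10.0.0.0/255.255.0.0 home network reaches the Internet via that LAN.
BEFORE = [
    route("0.0.0.0/0.0.0.0", "LAN", 25),        # default route via home gateway
    route("10.0.0.0/255.255.0.0", "LAN", 25),   # on-link home network
]

# Routes the guide lists for Tunnel All Mode, plus the route NetExtender adds
# for the client's local network. Metrics are placeholders, not guide values.
TUNNEL_ALL = [
    route("0.0.0.0/0.0.0.0", "SSLVPN", 30),
    route("0.0.0.0/128.0.0.0", "SSLVPN", 30),      # 0.0.0.0 - 127.255.255.255
    route("128.0.0.0/128.0.0.0", "SSLVPN", 30),    # 128.0.0.0 - 255.255.255.255
    route("10.0.0.0/255.255.0.0", "SSLVPN", 10),   # local network into the tunnel
]
AFTER = BEFORE + TUNNEL_ALL


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.9", "10.0.67.1"):
        chosen = lookup(AFTER, dst)
        print(f"{dst:>12}  before={egress(BEFORE, dst):7} after={chosen.interface:7} "
              f"via {chosen.network.with_netmask}")
```

Running it shows that every destination moves from LAN to SSLVPN once the tunnel routes are present: Internet addresses match one of the two /1 routes, which is more specific than any 0.0.0.0/0 default and therefore wins before metrics are even compared; the 10.0.67.1 case matches two /16 routes of equal length, so only the metric preference decides it, which is the part of the mechanism the guide's remark about metrics refers to.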

Configuring Client Settings
The Client Settings tab is used to configure the DNS settings for SSL VPN clients as well as several options for the NetExtender client. To configure Client Settings, complete the following steps:
1 Click the Default DNS Settings to use the default DNS settings of the SonicWall security appliance. The DNS and WINS configuration is auto-propagated.
2 Or you can manually configure the DNS information. In the DNS Server 1 field, enter the IP address of the primary DNS server, or click the Default DNS Settings to use the default settings.
3 (Optional) In the DNS Server 2 field, enter the IP address of the backup DNS server.
4 DNS Search List
5 (Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.
6 (Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.
7 Configure the following NetExtender client settings to customize the behavior of NetExtender when users connect and disconnect:
• Enable Client Autoupdate - The NetExtender client checks for updates every time it is launched.
• Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected from the SSL VPN server. To reconnect, users must either return to the SSL VPN portal or launch NetExtender from their Programs menu.
• Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when it becomes disconnected from the SSL VPN server. To reconnect, users must return to the SSL VPN portal.
• Create Client Connection Profile - The NetExtender client creates a connection profile recording the SSL VPN Server name, the Domain name, and optionally the username and password.
• User Name & Password Caching - Provide flexibility in allowing users to cache their usernames and passwords in the NetExtender client. The three options are Allow saving of user name only, Allow saving of user name & password, and Prohibit saving of user name & password. These options enable administrators to balance security needs against ease of use for users.
Click OK to complete the Device Profile configuration process.

Configuring Virtual Assist
Virtual Assist allows users to support customer technical issues without having to be on-site with the customer. This capability serves as an immense time-saver for support personnel, while adding flexibility in how they can respond to support needs. Users can allow or invite customers to join a “queue” to receive support, then virtually assist each customer by remotely taking control of a customer’s computer to diagnose and remedy technical issues. The chapter includes the following sections:
• Configuring Virtual Assist Settings

Configuring Virtual Assist Settings
Users wishing to maximize the flexibility of the Virtual Assist feature should take the time to properly adjust all of the available settings. To configure settings within the SonicWall™ Global Management System (GMS) management interface, go to the Firewall > Virtual Assist > Settings screen.
General Settings
The first decision you need to make is how to provide access for customers to gain support through Virtual Assist. There are two options: 1) provide an “Assistance Code” for customers to enter when accessing the portal after receiving an invitation, or 2) enable Virtual Assist support without the need for an invitation. By setting a global assistance code for customers, you can restrict who enters the system to request help. The code can be a maximum of eight (8) characters, and can be entered in the Assistance Code field. Customers receive the code through an email provided by the technician or administrator. To allow customers to request Virtual Assist support without needing to provide a code, leave the Assistance Code field blank, and select Enable Support without Invitation.

The Disclaimer field allows administrators to set a written message that customers must read and agree to prior to receiving support. If a disclaimer is set, it must be accepted by each customer before they can enter the Virtual Assist queue. The Customer Access Link field allows users to set a URL for customer access to your SSL-VPN appliance from outside your network. If no URL is entered, the support invitation to customers uses the same URL the technician uses to access the appliance.
NOTE: You should configure this URL if the SSL-VPN appliance is accessed through a different URL from outside your network.
If customers navigate to the technician login page, you have the option to display a link there to redirect them to the support login page. To do this, enable Display Virtual Assist link from Portal Login. Support without invitation should be enabled if you want customers to be able to request help from the login page.
Notification Settings
Under the “Notification Settings” screen section, you can customize various aspects of the invitation and technician notification settings. All email address entries in the “Technician Email List” field receive a notification email when a customer enters the support queue (uninvited). A maximum of 10 emails can be added to this list, with each separated by a semicolon.

Users can customize the subject line of support invitation emails by entering the desired text in the “Subject of Invitation” field. The following variables can be used within the “Subject of Invitation” field:
• Technician Name: %EXPERTNAME%
• Customer Message in the Invitation: %CUSTOMERMSG%
• Link for Support: %SUPPORTLINK%
• Link to SSL-VPN: %ACCESSLINK%
These variables can also be used in the “Invitation Message” field, where users can further customize the body of the invitation email by entering the desired text. The message can be a maximum length of 800 characters. To utilize the email invitation capabilities of Virtual Assist, you must configure the appropriate Mail Server and Mail from Address settings on the Log > Automation screen within the SonicOS management interface:

Request Settings
In the “Request Settings” screen section, on the Virtual Assist > Settings screen, you can configure various settings related to support request limits. The “Maximum Requests” field allows you to limit the number of customers that can be awaiting assistance in the queue at one time. The “Limit Message” field allows you to enter text to be displayed as a message to customers when there are currently no available spots in the queue because the maximum requests limit has been reached. You can also limit the number of requests coming from a single IP. This prevents the same customer from requesting Virtual Assist support multiple times at once. Enter the desired limit in the “Maximum Requests from One IP” field. Enter “0” for no limitation. To avoid customers waiting indefinitely for Virtual Assist support during high-volume periods, you can set a time limit (in minutes) for how long a customer can remain in the queue without receiving support. Set this limit by entering the desired number of minutes in the “Pending Request Expired” field. Enter “0” if you do not wish to set a limit.

Restriction Settings
If you encounter requests from unwanted or illegitimate sources, you can block requests from defined IP addresses. This can be done in the “Restriction Settings” screen section.

Click Add to add a source IP address to block. A new window displays.

Enter the Source Address Type and IP Address from which you wish to deny support requests. Click OK to submit the information. The newly blocked address now appears in the “Deny Request From Defined Address” screen section.
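To make the interaction between the Request Settings and Restriction Settings concrete, here is an added Python model of the queue admission rules they describe; it is example code, not SonicWall's implementation. The class and method names, the string return codes and the minute-based clock argument are constructed; the four knobs correspond to Maximum Requests, Maximum Requests from One IP (0 for no limit), Pending Request Expired in minutes (0 for no limit), and the denied source addresses. The sample customers and addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Admission control for a support queue, modelling the Virtual Assist
Request Settings and Restriction Settings described in the guide.

Added example, not SonicWall code. Class names, return strings and the
minute-based clock argument are constructed; the knobs mirror the guide's
fields: Maximum Requests, Maximum Requests from One IP (0 = no limit),
Pending Request Expired in minutes (0 = no limit) and the denied source
addresses. Sample addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Pending:
    customer: str
    source_ip: str
    enqueued_at: float  # minutes on the constructed clock


@dataclass
class SupportQueue:
    max_requests: int
    max_per_ip: int = 0              # 0 means unlimited, as in the guide
    pending_expiry_minutes: int = 0  # 0 means requests never expire
    deny_sources: List[str] = field(default_factory=list)  # hosts or networks
    queue: List[Pending] = field(default_factory=list)

    def denied(self, ip: str) -> bool:
        """True when the source falls in any Deny Request From Defined Address entry."""
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(src, strict=False)
                   for src in self.deny_sources)

    def expire(self, now: float) -> int:
        """Drop requests that waited at least the expiry; returns how many were dropped."""
        if self.pending_expiry_minutes == 0:
            return 0
        before = len(self.queue)
        self.queue = [p for p in self.queue
                      if now - p.enqueued_at < self.pending_expiry_minutes]
        return before - len(self.queue)

    def request(self, customer: str, source_ip: str, now: float) -> str:
        """Try to place a customer in the queue; returns 'queued' or the reason refused."""
        if self.denied(source_ip):
            return "denied_address"
        self.expire(now)  # free seats held by customers who waited too long
        if len(self.queue) >= self.max_requests:
            return "queue_full"   # the Limit Message would be shown here
        if self.max_per_ip and sum(
                p.source_ip == source_ip for p in self.queue) >= self.max_per_ip:
            return "ip_limit"
        self.queue.append(Pending(customer, source_ip, now))
        return "queued"

    def waiting(self) -> List[str]:
        return [p.customer for p in self.queue]


def demo():
    """Walk a constructed sequence of requests through one queue configuration."""
    q = SupportQueue(max_requests=2, max_per_ip=1, pending_expiry_minutes=30,
                     deny_sources=["203.0.113.0/24"])
    results = [
        q.request("alice", "198.51.100.10", now=0),        # queued
        q.request("alice-again", "198.51.100.10", now=1),  # ip_limit
        q.request("blocked", "203.0.113.7", now=2),        # denied_address
        q.request("bob", "198.51.100.20", now=3),          # queued
        q.request("carol", "198.51.100.30", now=4),        # queue_full
        q.request("carol", "198.51.100.30", now=35),       # queued: alice and bob expired
    ]
    return results, q.waiting()


if __name__ == "__main__":
    outcomes, still_waiting = demo()
    print(outcomes)
    print("waiting:", still_waiting)
```

The order of the checks is a design choice worth noting: the deny list is consulted first so a blocked source never consumes a queue slot or an expiry scan, expiry runs before the capacity check so that stale requests cannot keep "Maximum Requests" permanently exhausted during a busy period, and the per-IP limit is evaluated last against the live queue only.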

Configuring Firewall User Settings
This chapter describes how to use the SonicWall™ Global Management System (GMS) to configure user and user access settings. Included in this chapter are the following sections:
• Configuring Users in SonicOS Enhanced
• Configuring Users in SonicOS Standard

Configuring Users in SonicOS Enhanced
The following sections describe how to configure user settings in SonicOS Enhanced:
• Configuring Users Status
• Configuring User Settings
• Configuring LDAP and Active Directory
• Configuring Local Users
• Configuring Local Groups
• Configuring RADIUS for SonicOS Enhanced
• Configuring Single Sign-On
• Configuring Guest Services
• Configuring Guest Accounts

CONFIGURING USERS STATUS The Users > Status page displays the Active User Sessions on the firewall. The Active User Sessions panel lists the User Name, IP Address, Session Time, Time Remaining, Inactivity Remaining, Settings, and Logout. To log a user out, click the Logout icon at the end of the line for that user. You can search for active user sessions by selecting search options in the Active User Sessions Search section, then clicking Search. IPv4 and IPv6 IP addresses are accepted/displayed in the Users > Status screen.

CONFIGURING USER SETTINGS
In addition to the authentication methods available in SonicOS Standard, SonicOS Enhanced allows you to use Lightweight Directory Access Protocol (LDAP) to authenticate users. LDAP is compatible with Microsoft’s Active Directory. For SonicWall appliances running SonicOS Enhanced 4.0 and higher, you can select the SonicWall Single Sign-On Agent to provide Single Sign-On functionality. Single Sign-On (SSO) is a transparent user authentication mechanism that provides privileged access to multiple network resources with a single workstation login. SonicWall PRO and TZ series security appliances running SonicOS Enhanced 4.0 and higher provide SSO functionality using the SonicWall Single Sign-On Agent (SSO Agent) to identify user activity based on workstation IP address when Active Directory is being used for authentication. The SonicWall SSO Agent must be installed on a computer in the same domain as Active Directory. Refer to the following to configure user settings:
• User Login Settings
• One-Time Password Settings
• User Session Settings
• Acceptable Use Policy
• Other Global User Settings
• Customize Login Pages

User Login Settings To configure the user login settings, complete the following steps: 1 Navigate to the Users > Settings page. NOTE: The screen displayed below is from a SonicOS appliance running 5.9 or higher firmware. Depending on the firmware you are running, this screen might look different.

2 Select one of the following authentication methods from the Authentication method for login pull-down list:
• Local Users—To configure users in the local database using the Users > Local Users and Users > Local Groups pages. For information on configuring local users and groups, refer to Configuring Local Users and Configuring Local Groups.
• RADIUS—If you have more than 1,000 users or want to add an extra layer of security for authenticating the user to the SonicWall. If you select Use RADIUS for user authentication, users must log into the SonicWall using HTTPS in order to encrypt the password sent to the SonicWall. If a user attempts to log into the SonicWall using HTTP, the browser is automatically redirected to HTTPS. For information on configuring RADIUS, refer to Configuring RADIUS for SonicOS Enhanced.
• RADIUS + Local Users—If you want to use both RADIUS and the SonicWall local user database for authentication. For information on configuring RADIUS, refer to Configuring RADIUS for SonicOS Enhanced.
• LDAP—If you use a Lightweight Directory Access Protocol (LDAP) server or Microsoft Active Directory (AD) server to maintain all your user account data. For information about configuring LDAP, refer to Configuring LDAP and Active Directory.
• LDAP + Local Users—If you want to use both LDAP and the SonicWall local user database for authentication. For information about configuring LDAP, refer to Configuring LDAP and Active Directory.
3 The Single-sign-on method(s) field displays the status of the available method(s). You can enable/disable methods, or click the configure button to configure a single-sign-on method. The following methods are available:
• SSO Agent — Configure the SSO Agent if you are using Active Directory for authentication and the SonicWall SSO Agent is installed on a computer in the same domain.
• Terminal Services Agent — Configure the SSO Agent if you are using Terminal Services and the SonicWall Terminal Services Agent (TSA) is installed on a terminal server in the same domain.
• Browser NTLM Authentication — Configure Browser NTLM Authentication if you want to authenticate Web users without using the SonicWall SSO Agent or TSA. Users are identified as soon as they send HTTP traffic. NTLM requires RADIUS to be configured (in addition to LDAP, if using LDAP), for access to MSCHAP authentication.
• RADIUS Accounting — Configure RADIUS Accounting if you want a network access server (NAS) to send user login session accounting messages to an accounting server.
Refer to Configuring Single Sign-On for details.
4 To require that user names are treated as case-sensitive, select Case-sensitive user names.
5 To prevent a user from logging in from more than one location at a time, select Enforce login uniqueness.
6 In the Show user authentication page for (minutes) field, enter the number of minutes that users have to log in with their username and password before the login page times out. If it times out, a message displays informing them what they must do before attempting to log in again. The default time is 1 minute. While the login authentication page is displayed, it uses system resources. By setting a limit on how long a login can take before the login page is closed, you free up those resources.
7 From the Redirect the browser to this appliance via radio buttons, select one of the following options to determine how a user’s browser is initially redirected to the SonicWall appliance’s Web server:
• The interface IP address – Select this to redirect the browser to the IP address of the appliance Web server interface. This option is selected by default.
• Its domain name from a reverse DNS lookup of the interface IP address – Enables the Show Cache button which, when clicked, displays the appliance Web server’s Interface, IP Address, DNS Name, and TTL (in seconds). This option is not selected by default.
• Its configured domain name – Select to enable redirecting to a domain name configured on the System > Administration page.
NOTE: This option is available only if a domain name has been specified on the System > Administration page. Otherwise, this option is dimmed.
• The name from the administration certificate – Select to enable redirecting to a configured domain name with a properly signed certificate. Redirecting to the name from this administration certificate is allowed when an imported certificate has been selected for HTTP