SonicWALL TZ 190 manuel d'utilisation


A good user manual

The rules oblige the reseller to provide the buyer, together with the goods, with the SonicWALL TZ 190 user manual. A missing user manual or incorrect information supplied to the consumer are grounds for a complaint that the device does not conform to the contract. In accordance with the law, supplying the user manual in a form other than paper is permitted and is frequently done nowadays, including a graphic or electronic form of the SonicWALL TZ 190 manual or instructional videos for users. The condition is that it be legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", meaning to arrange. Thus the SonicWALL TZ 190 user manual describes the steps of a procedure. The purpose of the user manual is to instruct, to make it easier to start up and use the equipment or to perform specific actions. The user manual is a collection of information about the object/service, a guide.

Unfortunately, few users take the time to read the user manual, yet a good manual lets you not only learn about a number of additional features of the purchased device, but also avoid most failures.

So what should the perfect manual contain?

First of all, the SonicWALL TZ 190 user manual should contain:
- information on the technical characteristics of the SonicWALL TZ 190 device
- the manufacturer's name and the year of manufacture of the SonicWALL TZ 190
- instructions for use, adjustment and maintenance of the SonicWALL TZ 190 equipment
- safety markings and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and of certainty about the specific functionality of the purchased equipment. Unfortunately, simply connecting and starting the SonicWALL TZ 190 is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (even the products that should be used), possible SonicWALL TZ 190 faults and ways of resolving common problems during use. Finally, the manual contains the contact details of SonicWALL service for cases where the proposed solutions do not work. Nowadays, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, are very popular. This type of manual lets the user watch the whole instructional video without skipping the complicated specifications and technical descriptions of the SonicWALL TZ 190, as happens with the paper version.

Why read the user manual?

First of all, it contains the answers about the structure and capabilities of the SonicWALL TZ 190 device, the use of various accessories and a range of information for making full use of all its features and conveniences.

After a successful purchase of the equipment/device, take a moment to familiarize yourself with all parts of the SonicWALL TZ 190 user manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users, but also fulfil their basic function of informing and helping.

Table of contents of the user manual

  • Page 1

    COMPREHENSIVE INTERNET SECURITY SonicOS 4.0 Enhanced Administrator’s Guide SonicWALL Internet Security Appliances For the SonicWALL TZ 180 and TZ 190[...]

  • Page 2

    [...]

  • Page 3

    iii SonicOS Enhanced 4.0 Administrator Guide Table of Contents Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii Part 1: Introduction Chapter 1: Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Preface . . . . . . . . . . . . . . . . . [...]

  • Page 4

    iv SonicOS Enhanced 4.0 Administrator Guide Part 2: System Chapter 4: Viewing the SonicWALL Security Dashboard . . . . . . . . . . . 47 System > Security Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 SonicWALL Security Dashboard Overview . . . . . . . . . . . . . . . . . . . . 47 Using the SonicWALL Security Dashb[...]

  • Page 5

    v SonicOS Enhanced 4.0 Administrator Guide Chapter 8: Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 System > Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Digital Certificates Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Cert[...]

  • Page 6

    vi SonicOS Enhanced 4.0 Administrator Guide Chapter 13: Using Diagnostic Tools & Restarting the Appliance . . . . 125 System > Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Tech Support Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Diagnostic Tools . . . . .[...]

  • Page 7

    vii SonicOS Enhanced 4.0 Administrator Guide Configuring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Configuring the LAN and OPT Interfaces (Static) . . . . . . . . . . . . . . . 141 Configuring Advanced Settings for the Interface . . . . . . . . . . . . . . . 142 Configuring Interfaces in Transparent[...]

  • Page 8

    viii SonicOS Enhanced 4.0 Administrator Guide Chapter 17: Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Network > Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 How Zones Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Predefin[...]

  • Page 9

    ix SonicOS Enhanced 4.0 Administrator Guide Chapter 21: Configuring NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . 245 Network > NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 NAT Policies Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 NAT Policy[...]

  • Page 10

    x SonicOS Enhanced 4.0 Administrator Guide Chapter 25: Setting Up Web Proxy Forwarding . . . . . . . . . . . . . . . . . . 305 Network > Web Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Configuring Automatic Proxy Forwarding (Web Only) . . . . . . . . . . 305 Bypass Proxy Servers Upon Proxy Failure . . . [...]

  • Page 11

    xi SonicOS Enhanced 4.0 Administrator Guide Chapter 30: Configuring Advanced Wireless Settings . . . . . . . . . . . . . 339 Wireless > Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Beaconing & SSID Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Wireless Client Communic[...]

  • Page 12

    xii SonicOS Enhanced 4.0 Administrator Guide Part 5: WWAN Chapter 34: Configuring Wireless WAN (TZ 190 only) . . . . . . . . . . . . . 371 WWAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 Wireless WAN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 Wireless WAN[...]

  • Page 13

    xiii SonicOS Enhanced 4.0 Administrator Guide Chapter 40: Configuring Advanced Access Rule Settings . . . . . . . . . . 433 Firewall > Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 Detection Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Dynamic Ports . . . . .[...]

  • Page 14

    xiv SonicOS Enhanced 4.0 Administrator Guide Chapter 45: Managing Quality of Service . . . . . . . . . . . . . . . . . . . . . . . 467 Firewall > QoS Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 Marking . [...]

  • Page 15

    xv SonicOS Enhanced 4.0 Administrator Guide Chapter 50: Configuring DHCP Over VPN . . . . . . . . . . . . . . . . . . . . . . . 587 VPN > DHCP over VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587 DHCP Relay Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587 Configuring the Centr[...]

  • Page 16

    xvi SonicOS Enhanced 4.0 Administrator Guide Part 11: Security Services Chapter 54: Managing SonicWALL Security Services . . . . . . . . . . . . . 687 SonicWALL Security Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687 Security Services Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688 Managing Securi[...]

  • Page 17

    xvii SonicOS Enhanced 4.0 Administrator Guide Chapter 57: Managing SonicWALL Gateway Anti-Virus Service . . . . . 715 Security Services > Gateway Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . . 715 SonicWALL GAV Multi-Layered Approach . . . . . . . . . . . . . . . . . . . . 716 HTTP File Downloads . . . . . . . . . . . . . . . . . .[...]

  • Page 18

    xviii SonicOS Enhanced 4.0 Administrator Guide Chapter 59: Activating Anti-Spyware Service . . . . . . . . . . . . . . . . . . . . 745 Security Services > Anti-Spyware Service . . . . . . . . . . . . . . . . . . . . . . 745 SonicWALL Gateway Anti-Virus, Anti-Spyware, and IPS Activation 746 Creating a mySonicWALL.com Account . . . . . . . . . . [...]

  • Page 19

    xix SonicOS Enhanced 4.0 Administrator Guide Chapter 64: Configuring Syslog Settings . . . . . . . . . . . . . . . . . . . . . . . . 775 Log > Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775 Syslog Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776 [...]

  • Page 20

    xx SonicOS Enhanced 4.0 Administrator Guide Chapter 72: Configuring VPN Policies with the VPN Policy Wizard . . 827 Wizards > VPN Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827 Using the VPN Policy Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828 Connecting the Global VPN Clients . . . . [...]

  • Page 21

    SONICWALL SONICOS ENHANCED 4.0 ADMINISTRATOR’S GUIDE 21 PART 1 Introduction[...]

  • Page 22

    22 SONICWALL SONICOS ENHANCED 4.0 ADMINISTRATOR’S GUIDE[...]

  • Page 23

    23 SonicOS Enhanced 4.0 Administrator Guide CHAPTER 1 Chapter 1: Preface Preface Copyright Notice © 2007 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make[...]

  • Page 24

    About this Guide 24 SonicOS Enhanced 4.0 Administrator Guide Limited Warranty SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects[...]

  • Page 25

    About this Guide 25 SonicOS Enhanced 4.0 Administrator Guide Note Always check <http://www.sonicwall.com/services/documentation.html> for the latest version of this manual as well as other SonicWALL products and services documentation. Organization of this Guide The SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide organization is st[...]

  • Page 26

    About this Guide 26 SonicOS Enhanced 4.0 Administrator Guide • Dynamic DNS - configure the SonicWALL to dynamically register its WAN IP address with a DDNS service provider. Part 4 SonicPoint The part covers the configuration of the SonicWALL security appliance for provisioning and managing SonicWALL SonicPoints as part of a SonicWALL Distri[...]

  • Page 27

    About this Guide 27 SonicOS Enhanced 4.0 Administrator Guide Part 12 Log This part covers managing the SonicWALL security appliance’s enhanced logging, alerting, and reporting features. The SonicWALL security appliance’s logging features provide a comprehensive set of log categories for monitoring security and network activities. Part 13 Wiz[...]

  • Page 28

    About this Guide 28 SonicOS Enhanced 4.0 Administrator Guide Tip Useful information about security features and configurations on your SonicWALL. Note Important information on a feature that requires callout for special attention. SonicWALL Technical Support For timely resolution of technical support questions, visit SonicWALL on the Internet at h[...]

  • Page 29

    About this Guide 29 SonicOS Enhanced 4.0 Administrator Guide Current Documentation Check the SonicWALL documentation Web site for the latest versions of this manual and all other SonicWALL product documentation. http://www.sonicwall.com/us/Support.html[...]

  • Page 30

    About this Guide 30 SonicOS Enhanced 4.0 Administrator Guide[...]

  • Page 31

    31 SonicOS Enhanced 4.0 Administrator Guide CHAPTER 2 Chapter 2: Common Criteria Guide Common Criteria The purpose of this chapter is to define the Common Criteria-compliant operation of SonicWALL Internet Security Appliances. Common Criteria is an information technology (IT) validation scheme adopted by the National Information Assurance Partners[...]

  • Page 32

    Common Criteria 32 SonicOS Enhanced 4.0 Administrator Guide • GMS Remote Management • Syslog Logging • SonicPoint • Hardware Failover Before installing the SonicWALL Internet Security Appliance, the device should be examined for evidence of tampering. Each device includes a tamper-evident seal to prevent access to the inside of the unit. Ve[...]

  • Page 33

    Common Criteria 33 SonicOS Enhanced 4.0 Administrator Guide Related Documents Several other SonicWALL documents provide information relating to the Common Criteria evaluated configuration of SonicWALL Internet Security Appliances. Those documents are described here. SonicOS Log Events Reference Guide During the operation of a SonicWALL security[...]

  • Page 34

    Common Criteria 34 SonicOS Enhanced 4.0 Administrator Guide[...]

  • Page 35

    35 SonicOS Enhanced 4.0 Administrator Guide CHAPTER 3 Chapter 3: Introduction Introduction SonicOS Enhanced 4.0 is the most powerful SonicOS operating system designed for the SonicWALL PRO 4060, and the PRO 5060. What’s New in SonicOS Enhanced 4.0 SonicOS Enhanced 4.0 introduces these new features: • Strong SSL and TLS Encryption - The intern[...]

  • Page 36

    Introduction 36 SonicOS Enhanced 4.0 Administrator Guide appliances have been associated as a hardware failover pair on mysonicwall.com, you can enable this feature by selecting Enable Stateful Synchronization in the Hardware Failover > Advanced page. • Application Firewall - SonicOS Enhanced 4.0 introduces Application Firewall, which provide[...]

  • Page 37

    Introduction 37 SonicOS Enhanced 4.0 Administrator Guide CLI (SSH or serial console). For instance, if a CLI session goes to the config level, it will ask you if you want to preempt an administrator who is at config level in the GUI or an SSH session. • Multiple and Read-only Administrator Login - SonicOS Enhanced 4.0 introduces Multiple Admini[...]

  • Page 38

    Introduction 38 SonicOS Enhanced 4.0 Administrator Guide – Ad-Hoc station – Unassociated station – Wellenreiter attack – NetStumbler attack – EAPOL packet flood – Weak WEP IV • SMTP Authentication - SonicOS Enhanced 4.0 supports RFC 2554, which defines an SMTP service extension that allows the SMTP client to indicate an authentication[...]

  • Page 39

    Introduction 39 SonicOS Enhanced 4.0 Administrator Guide In SonicOS Enhanced 4.0, VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped[...]

  • Page 40

    Introduction 40 SonicOS Enhanced 4.0 Administrator Guide • BWM Rate Limiting - SonicOS Enhanced 4.0 enhances the Bandwidth Management feature to provide rate limiting functionality. You can now create traffic policies that specify maximum rates for Layer 2, 3, or 4 network traffic. This enables bandwidth management in cases where the primary WA[...]

  • Page 41

    Introduction 41 SonicOS Enhanced 4.0 Administrator Guide Navigating the Management Interface Navigating the SonicWALL management interface includes a hierarchy of menu buttons on the navigation bar (left side of your browser window). When you click a menu button, related management functions are displayed as submenu items in the navigation bar. [...]

  • Page 42

    Introduction 42 SonicOS Enhanced 4.0 Administrator Guide If the settings are contained in a secondary window within the management interface, when you click OK, the settings are automatically applied to the SonicWALL security appliance. Navigating Tables Navigate tables in the management interface with large number of entries by using the navigat[...]

  • Page 43

    Introduction 43 SonicOS Enhanced 4.0 Administrator Guide • Clicking on the edit icon displays a window for editing the settings. • Clicking on the delete icon deletes a table entry • Moving the pointer over the comment icon displays text from a Comment field entry. Getting Help Each SonicWALL security appliance includes Web-based on-line help[...]

  • Page 44

    Introduction 44 SonicOS Enhanced 4.0 Administrator Guide[...]

  • Page 45

    SONICWALL SONICOS ENHANCED 4.0 ADMINISTRATOR’S GUIDE 45 PART 2 System[...]

  • Page 46

    46 SONICWALL SONICOS ENHANCED 4.0 ADMINISTRATOR’S GUIDE[...]

  • Page 47

    47 SonicOS Enhanced 4.0 Administrator Guide CHAPTER 4 Chapter 4: Viewing the SonicWALL Security Dashboard System > Security Dashboard This chapter describes how to use the SonicWALL Security Dashboard feature on a SonicWALL security appliance. This chapter contains the following sections: • “SonicWALL Security Dashboard Overview” on page[...]

  • Page 48

    System > Security Dashboard 48 SonicOS Enhanced 4.0 Administrator Guide What is the Security Dashboard? The SonicWALL Security Dashboard provides reports of the latest threat protection data from a single SonicWALL appliance and aggregated threat protection data from SonicWALL security appliances deployed globally. The SonicWALL Security Dashb[...]

  • Page 49

    System > Security Dashboard 49 SonicOS Enhanced 4.0 Administrator Guide Benefits The Security Dashboard provides the latest threat protection information to keep you informed about potential threats being blocked by SonicWALL security appliances. If you subscribe to SonicWALL’s security services, including Gateway Anti-Virus, Gateway Anti-Sp[...]

  • Page 50

    System > Security Dashboard 50 SonicOS Enhanced 4.0 Administrator Guide How Does the Security Dashboard Work? The SonicWALL Security Dashboard provides global and appliance-level threat protection statistics. At the appliance level, threat protection data from your SonicWALL security appliance is displayed. At the global level, the SonicWALL S[...]

  • Page 51

    System > Security Dashboard 51 SonicOS Enhanced 4.0 Administrator Guide SonicWALL Security Dashboard Configuration Overview The SonicWALL Security Dashboard can be configured to display global or appliance-level statistics, to display statistics for different time periods, and to generate a custom PDF file. For information about purchasing Son[...]

  • Page 52

    System > Security Dashboard 52 SonicOS Enhanced 4.0 Administrator Guide Selecting Custom Time Interval The SonicWALL Security Dashboard reports default to a view of reports from the “Last 14 Days,” providing an aggregate view of threats blocked during that time period. You can configure each report to one of four optional time periods. Eac[...]

  • Page 53

    System > Security Dashboard 53 SonicOS Enhanced 4.0 Administrator Guide Note Your SonicWALL security appliance must be configured for Internet connectivity and must be connected to the Internet to use the Registration & License Wizard.[...]

  • Page 54

    System > Security Dashboard 54 SonicOS Enhanced 4.0 Administrator Guide To purchase SonicWALL security services using the SonicWALL Registration & License Wizard, perform the following steps: Step 1 Log in to the SonicWALL appliance management interface. Step 2 In the left-navigation menu, click Wizards . The Configuration Wizard displays. S[...]

  • Page 55

    System > Security Dashboard 55 SonicOS Enhanced 4.0 Administrator Guide Step 5 If you have a mysonicwall.com account, enter your username and password in the Username and Password fields. If you do not have a mysonicwall.com account, select the radio button next to Create a sonicwall.com account. Click Next. Step 6 If you selected Create a so[...]

  • Page 56

    System > Security Dashboard 56 SonicOS Enhanced 4.0 Administrator Guide Note If you used an existing mysonicwall.com account by providing your username and password, you will not see this page. Skip to the next step. Step 7 Select the checkbox next to the service you want to purchase and click Next. Step 8 A notice displays that a separate bro[...]

  • Page 57

    System > Security Dashboard 57 SonicOS Enhanced 4.0 Administrator Guide Step 9 The mysonicwall.com page is launched in a separate browser window. Follow the on-screen instructions to complete the purchase of SonicWALL security services. Step 10 After you have purchased the security services, return to the wizard window. The License Synchroni[...]

  • Page 58

    System > Security Dashboard 58 SonicOS Enhanced 4.0 Administrator Guide Step 11 The Congratulations page displays. You have successfully purchased and synchronized your security services. Click Close to close the wizard. To verify that the security services are licensed, navigate to Security Services > Summary in the left-hand menu and v[...]

  • Page 59

    System > Security Dashboard 59 SonicOS Enhanced 4.0 Administrator Guide Related Features SonicWALL Registration & License Wizard - Use the SonicWALL Registration & License Wizard to purchase SonicWALL security services directly from your SonicWALL security appliance management interface. SonicWALL Security Services - SonicWALL provides[...]

  • Page 60

    System > Security Dashboard 60 SonicOS Enhanced 4.0 Administrator Guide[...]

  • Page 61

    61 SonicOS Enhanced 4.0 Administrator Guide CHAPTER 5 Chapter 5: Viewing Status Information System > Status The System > Status page provides a comprehensive collection of information and links to help you manage your SonicWALL security appliance and SonicWALL Security Services licenses. It includes status information about your SonicWALL [...]

  • Page 62

    System > Status 62 SonicOS Enhanced 4.0 Administrator Guide • Setup Wizard - This wizard helps you quickly configure the SonicWALL security appliance to secure your Internet (WAN) and LAN connections. • Public Server Wizard - This wizard helps you quickly configure the SonicWALL security appliance to provide public access to an internal ser [...]

  • Page 63

    System > Status 63 SonicOS Enhanced 4.0 Administrator Guide Latest Alerts Any messages relating to system errors or attacks are displayed in this section. Attack messages include AV Alerts, forbidden e-mail attachments, fraudulent certificates, etc. System errors include WAN IP changed and encryption errors. Clicking the blue arrow display[...]

  • Page 64

    System > Status 64 SonicOS Enhanced 4.0 Administrator Guide Registering Your SonicWALL Security Appliance Once you have established your Internet connection, it is recommended you register your SonicWALL security appliance. Registering your SonicWALL security appliance provides the following benefits: • Try a FREE 30-day trial of SonicWALL I[...]

  • Page 65

    System > Status 65 SonicOS Enhanced 4.0 Administrator Guide To create a mySonicWALL.com account from the SonicWALL management interface: Step 1 In the Security Services section on the System > Status page, click the Register link in Your SonicWALL is not registered. Click here to Register your SonicWALL. Step 2 Click the here link in If yo[...]

  • Page 66

    System > Status 66 SonicOS Enhanced 4.0 Administrator Guide Registering Your SonicWALL Security Appliance If you already have a mySonicWALL.com account, follow these steps to register your security appliance: Step 1 In the Security Services section on the System > Status page, click the Register link in Your SonicWALL is not registered. Clic[...]

  • Page 67

    67 SonicOS Enhanced 4.0 Administrator Guide CHAPTER 6 Chapter 6: Managing SonicWALL Licenses System > Licenses The System > Licenses page provides links to activate, upgrade, or renew SonicWALL Security Services licenses. From this page in the SonicWALL Management Interface, you can manage all the SonicWALL Security Services licensed for [...]

  • Page 68

    System > Licenses 68 SonicOS Enhanced 4.0 Administrator Guide Excluding a Node When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group. To exclude a node: Step 1 Select the[...]

  • Page 69

    System > Licenses 69 SonicOS Enhanced 4.0 Administrator Guide Manage Security Services Online To activate, upgrade, or renew services, click the link in To Activate, Upgrade, or Renew services, click here. Click the link in To synchronize licenses with mySonicWALL.com click here to synchronize your mySonicWALL.com account with the Security Ser[...]

  • Page 70

    System > Licenses 70 SonicOS Enhanced 4.0 Administrator Guide Manual Upgrade Manual Upgrade allows you to activate your services by typing the service activation key supplied with the service subscription not activated on mySonicWALL.com. Type the activation key from the product into the Enter upgrade key field and click Submit. Manual Upgr[...]

  • Page 71

    System > Licenses 71 SonicOS Enhanced 4.0 Administrator Guide From the Management Interface of your SonicWALL Security Appliance Step 1 Make sure your SonicWALL security appliance is running SonicOS Standard or Enhanced 2.1 (or higher). Step 2 Paste (or type) the Keyset (from step 3) into the Keyset field in the Manual Upgrade section of t[...]

  • Page 72

    System > Licenses 72 SonicOS Enhanced 4.0 Administrator Guide[...]

  • Page 73

    73 SonicOS Enhanced 4.0 Administrator Guide CHAPTER 7 Chapter 7: Configuring Administration Settings System > Administration The System Administration page provides settings for the configuration of SonicWALL security appliance for secure and remote management. You can manage the SonicWALL using a variety of methods, including HTTPS, SNMP or S[...]

  • Page 74

    System > Administration 74 SonicOS Enhanced 4.0 Administrator Guide Changing the Administrator Password To set a new password for SonicWALL Management Interface access, type the old password in the Old Password field, and the new password in the New Password field. Type the new password again in the Confirm New Password field and click Apply. [...]

  • Page 75

    System > Administration 75 SonicOS Enhanced 4.0 Administrator Guide The Password must be changed every (days) setting requires users to change their passwords after the designated number of days has elapsed. When a user attempts to log in with an expired password, a pop-up window will prompt the user to enter a new password. The User Login Stat[...]

  • Page 76

    System > Administration 76 SonicOS Enhanced 4.0 Administrator Guide Multiple Administrators SonicOS Enhanced provides the ability for multiple administrators to access the SonicOS Management Interface simultaneously. For more information on Multiple Administrators, see the “Multiple Administrator Support Overview” section on page 590. The [...]

  • Page 77

    System > Administration 77 SonicOS Enhanced 4.0 Administrator Guide Web Management Settings The SonicWALL security appliance can be managed using HTTP or HTTPS and a Web browser. Both HTTP and HTTPS are enabled by default. The default port for HTTP is port 80, but you can configure access through another port. Type the number of the desired por[...]

  • Page 78

    System > Administration 78 SonicOS Enhanced 4.0 Administrator Guide SSH Management Settings If you use SSH to manage the SonicWALL appliance, you can change the SSH port for additional security. The default SSH port is 22. Advanced Management You can manage the SonicWALL security appliance using SNMP or SonicWALL Global Management System. Th[...]

  • Page 79

    System > Administration 79 SonicOS Enhanced 4.0 Administrator Guide To enable SNMP on the SonicWALL security appliance, log into the Management interface and click System, then Administration. Select the Enable SNMP checkbox, and then click Configure. The Configure SNMP window is displayed. Step 1 Type the host name of the SonicWALL securit[...]

  • Page 80

    System > Administration 80 SonicOS Enhanced 4.0 Administrator Guide Enable GMS Management You can configure the SonicWALL security appliance to be managed by SonicWALL Global Management System (SonicWALL GMS). To configure the SonicWALL security appliance for GMS management: Step 1 Select the Enable Management using GMS checkbox, then click Co[...]

  • Page 81

    System > Administration 81 SonicOS Enhanced 4.0 Administrator Guide the GMS installation, and enter the IP address in the NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window. • Existing Tunnel - If this option is selected, the GMS server and the SonicWALL security appl[...]

  • Page 82

    System > Administration 82 SonicOS Enhanced 4.0 Administrator Guide • HTTPS - If this option is selected, HTTPS management is allowed from two IP addresses: the GMS Primary Agent and the Standby Agent IP address. The SonicWALL security appliance also sends encrypted syslog packets and SNMP traps using 3DES and the SonicWALL security applianc[...]

  • Page 83

    System > Administration 83 SonicOS Enhanced 4.0 Administrator Guide The default URL http://help.mysonicwall.com/applications/vpnclient displays the SonicWALL Global VPN Client download site. You can point to any URL where you provide the SonicWALL Global VPN Client application. Selecting UI Language If your firmware contains other languages b[...]

  • Page 84

    System > Administration 84 SonicOS Enhanced 4.0 Administrator Guide[...]

  • Page 85

    85 SonicOS Enhanced 4.0 Administrator Guide Chapter 8: Managing Certificates System > Certificates To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL security appliance to v[...]

  • Page 86

    System > Certificates 86 SonicOS Enhanced 4.0 Administrator Guide • OpenSSL • VeriSign Certificates and Certificate Requests The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates. The View Style menu allows you to display your certificates in the Certificates and Certificate Reques[...]

  • Page 87

    System > Certificates 87 SonicOS Enhanced 4.0 Administrator Guide Certificate Details Clicking on the icon in the Details column of the Certificates and Certificate Requests table lists information about the certificate, which may include the following, depending on the type of certificate: • Certificate Issuer • Subject Distinguished Name[...]

  • Page 88

    System > Certificates 88 SonicOS Enhanced 4.0 Administrator Guide Importing a Certificate Authority Certificate To import a certificate from a certificate authority, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded fi[...]

  • Page 89

    System > Certificates 89 SonicOS Enhanced 4.0 Administrator Guide Importing a Local Certificate To import a local certificate, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Enter a certificate name in the Certificate Name field. Step 3 Enter the password used by your Certificate Authority to encry[...]

  • Page 90

    System > Certificates 90 SonicOS Enhanced 4.0 Administrator Guide Importing a CRL You can import the CRL by manually downloading the CRL and then importing it into the SonicWALL security appliance. Step 1 Click on the Import certificate revocation list icon. The Import CRL window is displayed. Step 2 You can import the CRL from the certificate [...]

  • Page 91

    System > Certificates 91 SonicOS Enhanced 4.0 Administrator Guide To generate a local certificate, follow these steps: Step 1 Click the New Signing Request button. The Certificate Signing Request window is displayed. Step 2 In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field[...]

  • Page 92

    System > Certificates 92 SonicOS Enhanced 4.0 Administrator Guide[...]

  • Page 93

    93 SonicOS Enhanced 4.0 Administrator Guide Chapter 9: Configuring Time Settings System > Time The System > Time page defines the time and date settings to time stamp log events, to automatically update SonicWALL Security Services, and for other internal purposes. By default, the SonicWALL security appliance uses an internal list[...]

  • Page 94

    System > Time 94 SonicOS Enhanced 4.0 Administrator Guide If you want to set your time manually, uncheck Set time automatically using NTP. Select the time in the 24-hour format using the Time (hh:mm:ss) menus and the date from the Date menus. Selecting Display UTC in logs (instead of local time) specifies the use of universal time (UTC) rather[...]

  • Page 95

    95 SonicOS Enhanced 4.0 Administrator Guide Chapter 10: Setting Schedules System > Schedules The System > Schedules page allows you to create and manage schedule objects for enforcing schedule times for a variety of SonicWALL security appliance features.[...]

  • Page 96

    System > Schedules 96 SonicOS Enhanced 4.0 Administrator Guide The Schedules table displays all your predefined and custom schedules. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the edit icon in the Configure column to display the Edi[...]

  • Page 97

    System > Schedules 97 SonicOS Enhanced 4.0 Administrator Guide Adding a Schedule To create schedules, click Add. The Add Schedule window is displayed. Step 1 Enter a name for the schedule in the Name field. Step 2 Select the days of the week to apply to the schedule or select All. Step 3 Enter the time of day for the schedule to begin in the [...]

  • Page 98

    System > Schedules 98 SonicOS Enhanced 4.0 Administrator Guide[...]

  • Page 99

    99 SonicOS Enhanced 4.0 Administrator Guide Chapter 11: Managing SonicWALL Security Appliance Firmware System > Settings This System > Settings page allows you to manage your SonicWALL security appliance’s SonicOS versions and preferences.[...]

  • Page 100

    System > Settings 100 SonicOS Enhanced 4.0 Administrator Guide Settings Import Settings To import a previously saved preferences file into the SonicWALL security appliance, follow these instructions: Step 1 Click Import Settings to import a previously exported preferences file into the SonicWALL security appliance. The Import Settings window i[...]

  • Page 101

    System > Settings 101 SonicOS Enhanced 4.0 Administrator Guide • Boot to your choice of firmware and system settings. • Manage system backups. • Easily return your SonicWALL security appliance to the previous system state. Note SonicWALL security appliance SafeMode, which uses the same settings used in Firmware Management, provides quick re[...]

  • Page 102

    System > Settings 102 SonicOS Enhanced 4.0 Administrator Guide – Uploaded Firmware - the latest uploaded version from mySonicWALL.com. – Uploaded Firmware with Factory Default Settings - the latest version uploaded with factory default settings. – Uploaded Firmware with Backup Settings - a firmware image created by clicking Create Backup.[...]

  • Page 103

    System > Settings 103 SonicOS Enhanced 4.0 Administrator Guide SafeMode - Rebooting the SonicWALL Security Appliance SafeMode allows easy firmware and preferences management as well as quick recovery from uncertain configuration states. It is no longer necessary to reset the firmware by pressing and holding the Reset button on the appliance. Pr[...]

  • Page 104

    System > Settings 104 SonicOS Enhanced 4.0 Administrator Guide Note Clicking Boot next to any firmware image overwrites the existing current firmware image making it the Current Firmware image. Click Boot in the firmware row of your choice to restart the SonicWALL security appliance. FIPS When operating in FIPS (Federal Information Processing [...]

  • Page 105

    105 SonicOS Enhanced 4.0 Administrator Guide Chapter 12: Using SonicWALL Packet Capture System > Packet Capture This chapter contains the following sections: • “Packet Capture Overview” on page 105 • “Using Packet Capture” on page 107 • “Verifying Packet Capture Activity” on page 120 • “Related Information” on[...]

  • Page 106

    System > Packet Capture 106 SonicOS Enhanced 4.0 Administrator Guide • PPP negotiations details You can configure the packet capture feature in the SonicOS Enhanced user interface (UI). The UI provides a way to configure the capture criteria, display settings, and file export settings, and displays the captured packets. Benefits The SonicOS En[...]

  • Page 107

    System > Packet Capture 107 SonicOS Enhanced 4.0 Administrator Guide Refer to the figure below to see a high level view of the packet capture subsystem. This shows the different filters and how they are applied. Figure 12:1 High level packet capture subsystem view Using Packet Capture This section contains the following subsections: • ?[...]

  • Page 108

    System > Packet Capture 108 SonicOS Enhanced 4.0 Administrator Guide Accessing Packet Capture in the UI This section describes how to access the packet capture tool in the SonicOS UI. There are two ways to access the Packet Capture screen. Step 1 Log in to the SonicOS UI as admin. Step 2 To go directly to the Packet Capture screen, in the lef[...]

  • Page 109

    System > Packet Capture 109 SonicOS Enhanced 4.0 Administrator Guide Starting packet capture Step 1 Navigate to the Packet Capture page in the UI. See “Accessing Packet Capture in the UI” on page 108. Step 2 Under Packet Capture, optionally click Reset. The Packet Capture page displays several lines of statistics above the Start and Stop[...]

  • Page 110

    System > Packet Capture 110 SonicOS Enhanced 4.0 Administrator Guide • Egress - The SonicWALL appliance interface on which the packet was captured when sent out – The subsystem type abbreviation is shown in parentheses. See the table above for definitions of subsystem type abbreviations • Source IP - The source IP address of the packet ?[...]

  • Page 111

    System > Packet Capture 111 SonicOS Enhanced 4.0 Administrator Guide About the Packet Detail Window When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select. About the Hex Dump Window When you click on a [...]

  • Page 112

    System > Packet Capture 112 SonicOS Enhanced 4.0 Administrator Guide • “Configuring Advanced Settings” on page 119 • “Restarting FTP logging” on page 120 Configuring General Settings This section describes how to configure packet capture general settings, including the number of bytes to capture per packet and the buffer wrap opt[...]

  • Page 113

    System > Packet Capture 113 SonicOS Enhanced 4.0 Administrator Guide You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported: ARP, IP, PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone. This option is not case-sensitive. For example, to capture all supported ty[...]

  • Page 114

    System > Packet Capture 114 SonicOS Enhanced 4.0 Administrator Guide To configure Packet Capture complete the following steps: Step 1 Navigate to the Packet Capture page in the UI. See “Accessing Packet Capture in the UI” on page 108. Step 2 Under Packet Capture, click Configure. Step 3 In the Packet Capture Configuration window, click th[...]

  • Page 115

    System > Packet Capture 115 SonicOS Enhanced 4.0 Administrator Guide Configuring Display Filter Settings This section describes how to configure packet capture display filter settings. The values that you provide here are compared to corresponding fields in the captured packets, and only those packets that match are displayed. Display filte[...]

  • Page 116

    System > Packet Capture 116 SonicOS Enhanced 4.0 Administrator Guide SonicOS Enhanced adds one of four possible packet status values to each captured packet: forwarded, generated, consumed, and dropped. You can select one or more of these status values to match when displaying packets. The status value shows the state of the packet with respe[...]

  • Page 117

    System > Packet Capture 117 SonicOS Enhanced 4.0 Administrator Guide Step 4 In the Interface Name(s) box, type the SonicWALL appliance interfaces for which to display packets, or use the negative format (!X0) to display packets captured from all interfaces except those specified. To display packets captured on all interfaces, leave blank. Step[...]

  • Page 118

    System > Packet Capture 118 SonicOS Enhanced 4.0 Administrator Guide If you configure automatic logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps. Step 1 [...]

  • Page 119

    System > Packet Capture 119 SonicOS Enhanced 4.0 Administrator Guide month, day, and year. For example, packet-log--3-22-08292006.cap. For HTML format, file names are in the form: “packet-log_h-<>.html”. An example of an HTML file name is: packet-log_h-3-22-08292006.html. Step 8 To enable automatic transfer of the capture file to th[...]

  • Page 120

    System > Packet Capture 120 SonicOS Enhanced 4.0 Administrator Guide Even when interfaces specified in the capture filters do not match, this option ensures that packets generated by the SonicWALL appliance are captured. This includes packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPOE, and routing protocols. Captured packets are marke[...]

  • Page 121

    System > Packet Capture 121 SonicOS Enhanced 4.0 Administrator Guide • Red: Capture is stopped • Green: Capture is running and the buffer is not full • Orange: Capture is running, but the buffer is full The UI also displays the buffer size, the number of packets captured, the percentage of buffer space used, and how much of the buffer has[...]

  • Page 122

    System > Packet Capture 122 SonicOS Enhanced 4.0 Administrator Guide Resetting the Status Information You can reset the displayed statistics for the capture buffer and FTP logging. If a capture is in progress, it is not interrupted when you reset the statistics display. Step 1 Navigate to the Packet Capture page in the UI. Step 2 Under Packet [...]

  • Page 123

    System > Packet Capture 123 SonicOS Enhanced 4.0 Administrator Guide HTML Format You can view the HTML format in a browser. The following is an example showing the header and part of the data for the first packet in the buffer.[...]

  • Page 124

    System > Packet Capture 124 SonicOS Enhanced 4.0 Administrator Guide Text File Format You can view the text format output in a text editor. The following is an example showing the header and part of the data for the first packet in the buffer.[...]

  • Page 125

    125 SonicOS Enhanced 4.0 Administrator Guide Chapter 13: Using Diagnostic Tools & Restarting the Appliance System > Diagnostics The System > Diagnostics page provides several diagnostic tools which help troubleshoot network problems as well as Active Connections, CPU and Process Monitors.[...]

  • Page 126

    System > Diagnostics 126 SonicOS Enhanced 4.0 Administrator Guide Tech Support Report The Tech Support Report generates a detailed report of the SonicWALL security appliance configuration and status, and saves it to the local hard disk using the Download Report button. This file can then be e-mailed to SonicWALL Technical Support to help assist[...]

  • Page 127

    System > Diagnostics 127 SonicOS Enhanced 4.0 Administrator Guide • “Active Connections Monitor” on page 127 • “CPU Monitor” on page 128 • “DNS Name Lookup” on page 129 • “Find Network Path” on page 129 • “Packet Capture” on page 130 • “Ping” on page 131 • “Process Monitor” on page 132 • “Real-Time B[...]

  • Page 128

    System > Diagnostics 128 SonicOS Enhanced 4.0 Administrator Guide The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string will look for connections matching: Source IP AND Destination IP Check the Group box next to any two or mo[...]

  • Page 129

    System > Diagnostics 129 SonicOS Enhanced 4.0 Administrator Guide DNS Name Lookup The SonicWALL security appliance has a DNS lookup tool that returns the IP address of a domain name. Or, if you enter an IP address, it returns the domain name for that address. Step 1 Enter the host name or IP address in the Look up name field. Do not add http [...]

  • Page 130

    System > Diagnostics 130 SonicOS Enhanced 4.0 Administrator Guide Packet Capture The Packet Capture tool tracks the status of a communications stream as it moves from source to destination. This is a useful tool to determine if a communications stream is being stopped at the SonicWALL security appliance, or is lost on the Internet. To interpre[...]

  • Page 131

    System > Diagnostics 131 SonicOS Enhanced 4.0 Administrator Guide Client sends a final ACK, and waits for start of data transfer. Step 6 TCP sent on WAN [ACK] From 207.88.211.116 / 1937 (00:40:10:0c:01:4e To 204.71.200.74 / 80 (02:00:cf:58:d3:6a) The SonicWALL security appliance forwards the client ACK to the remote host and waits for the data [...]

  • Page 132

    System > Diagnostics 132 SonicOS Enhanced 4.0 Administrator Guide Process Monitor Process Monitor shows individual system processes, their CPU utilization, and their system time. Real-Time Black List Lookup The Real-Time Black List Lookup tool allows you to test SMTP IP addresses, RBL services, or DNS servers. Enter an IP address in the IP Add[...]

  • Page 133

    System > Diagnostics 133 SonicOS Enhanced 4.0 Administrator Guide Trace Route Trace Route is a diagnostic utility to assist in diagnosing and troubleshooting router connections on the Internet. By using Internet Control Message Protocol (ICMP) echo packets similar to Ping packets, Trace Route can test interconnectivity with routers and other [...]

  • Page 134

    System > Restart 134 SonicOS Enhanced 4.0 Administrator Guide System > Restart The SonicWALL security appliance can be restarted from the Web Management interface. Click System > Restart to display the Restart page. Click Restart... and then click Yes to confirm the restart. The SonicWALL security appliance takes approximately 60 second[...]

  • Page 135

    SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide 135 PART 3 Network[...]

  • Page 136

    136 SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide[...]

  • Page 137

    137 SonicOS Enhanced 4.0 Administrator Guide Chapter 14: Configuring Interfaces Network > Interfaces The Network > Interfaces page includes interface objects that are directly linked to physical interfaces. The SonicOS Enhanced scheme of interface addressing works in conjunction with network zones and address objects. Physical in[...]

  • Page 138

    Network > Interfaces 138 SonicOS Enhanced 4.0 Administrator Guide Setup Wizard The Setup Wizard button accesses the Setup Wizard. The Setup Wizard walks you through the configuration of the SonicWALL security appliance for Internet connectivity. For Setup Wizard instructions, see “Wizards > Setup Wizard” section on page 793. Interf[...]

  • Page 139

    Network > Interfaces 139 SonicOS Enhanced 4.0 Administrator Guide Caution You cannot change the Zones in the Edit Interface window for the LAN, WAN, Modem, and WLAN interfaces. Interface Traffic Statistics The Interface Traffic Statistics table lists received and transmitted information for all configured interfaces. The following information[...]

  • Page 140

    Network > Interfaces 140 SonicOS Enhanced 4.0 Administrator Guide Physical Interfaces Physical interfaces must be assigned to a Zone to allow for configuration of Access Rules to govern inbound and outbound traffic. Security zones are bound to each physical interface where it acts as a conduit for inbound and outbound traffic. If there is no in[...]

  • Page 141

    Configuring Interfaces 141 SonicOS Enhanced 4.0 Administrator Guide Transparent Mode Transparent Mode in SonicOS Enhanced uses interfaces as the top level of the management hierarchy. Transparent Mode supports unique addressing and interface routing. Configuring Interfaces This section is divided into: • “Configuring the LAN and OPT Interfac[...]

  • Page 142

    Configuring Interfaces 142 SonicOS Enhanced 4.0 Administrator Guide Note The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance’s address. Configuring Advanced Settings for the Interface If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Et[...]

  • Page 143

    Configuring Interfaces 143 SonicOS Enhanced 4.0 Administrator Guide Configuring Interfaces in Transparent Mode Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface. You can configure the following interfaces in Transparent Mode: • TZ family and PRO 1260: Lan and Opt • PRO family: X0, X2[...]

  • Page 144

    Configuring Interfaces 144 SonicOS Enhanced 4.0 Administrator Guide • Range to specify a range of IP addresses by entering beginning and ending value of the range. • Network to specify a subnet by entering the beginning value and the subnet mask. The subnet must be within the WAN address range and cannot include the WAN interface IP address.[...]

  • Page 145

    Configuring Interfaces 145 SonicOS Enhanced 4.0 Administrator Guide Configuring Wireless Interfaces A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points. Step 1 Click on the Configure icon in the Configure column for the Interface you want to configure. The E[...]

  • Page 146

    Configuring Interfaces 146 SonicOS Enhanced 4.0 Administrator Guide Note The above table depicts the maximum subnet mask sizes allowed. You can still use classful subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces. You are encouraged to use a smaller subnet mask (e.g. 24-bit class C [...]

  • Page 147

    Configuring Interfaces 147 SonicOS Enhanced 4.0 Administrator Guide Caution If you select a specific Ethernet speed and duplex, you must force the connection speed and duplex from the Ethernet card to the SonicWALL security appliance as well. You can choose to override the Default MAC Address for the Interface by selecting Override Default MAC Addr[...]

  • Page 148

    Configuring Interfaces 148 SonicOS Enhanced 4.0 Administrator Guide • DHCP - configures the SonicWALL to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers. • PPPoE - uses Point to Point Protocol over Ethernet (PPPoE) to connect to the Internet. If des[...]

  • Page 149

    Configuring Interfaces 149 SonicOS Enhanced 4.0 Administrator Guide Ethernet Settings If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed bec[...]

  • Page 150

    Configuring Interfaces 150 SonicOS Enhanced 4.0 Administrator Guide Use the Bandwidth Management section of the Edit Interface screen to enable or disable the ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds. The Bandwidth Management sectio[...]

  • Page 151

    Configuring Interfaces 151 SonicOS Enhanced 4.0 Administrator Guide • Subnet Mask: 255.255.255.0 is the default Step 3 In the Switch Ports tab, choose which ports to add to the PortShield interface.[...]

  • Page 152

    Configuring Interfaces 152 SonicOS Enhanced 4.0 Administrator Guide Configuring the Wireless WAN Interface The SonicWALL TZ 190 security appliance introduces support for 3G (third generation) Wireless WAN connections that utilize data connections over 3G cellular networks. The Wireless WAN (WWAN) can be used for: • WAN Failover to a connection [...]

  • Page 153

    Configuring Interfaces 153 SonicOS Enhanced 4.0 Administrator Guide Managing WWAN Connections To initiate a WWAN connection, on the Network > Interfaces page, click on the Manage button in the WWAN interface line. The WWAN Connection window displays. Click the Connect button. The SonicWALL TZ 190 attempts to connect to the WWAN service provider[...]

  • Page 154

    Configuring Interfaces 154 SonicOS Enhanced 4.0 Administrator Guide For a detailed explanation of the behavior of the Ethernet with WWAN Failover setting refer to “Understanding Wireless WAN Connection Models” on page 274. Configuring Basic Wireless WAN Settings To configure basic WWAN interface settings, perform the following steps: Step 1 C[...]

  • Page 155

    Configuring Interfaces 155 SonicOS Enhanced 4.0 Administrator Guide Note To configure the SonicWALL TZ 190 for Connect on Data operation, you must select Dial on Data as the Dial Type for the Connection Profile. See “Configuring WWAN Connection Profiles” on page 283 in Chapter 32, Configuring Wireless WAN for more details. Step 3 Select which[...]

  • Page 156

    Configuring Interfaces 156 SonicOS Enhanced 4.0 Administrator Guide Configuring Remotely Triggered Dial-Out on the WWAN Before configuring the Remotely Triggered Dial-Out feature, ensure that your configuration meets the following prerequisites: • The WWAN profile is configured for dial-on-data. • The SonicWALL Security Appliance is configu[...]

  • Page 157

    Configuring Interfaces 157 SonicOS Enhanced 4.0 Administrator Guide Configuring the Maximum Allowed WWAN Connections To configure the maximum number of nodes allowed to connect to the WWAN interface, enter the maximum number of nodes in the Max Host field. Entering 0 in the Max Host field allows any number of nodes to connect. Creating a WLAN Subn[...]

  • Page 158

    Configuring Interfaces 158 SonicOS Enhanced 4.0 Administrator Guide • SonicPoint Limit: The maximum number of allowed SonicPoints is configured automatically. • Comment: Optionally enter a comment about the subnet. • Management: Select the appropriate protocols to allow remote management of the SonicWALL security appliance from this subn[...]

  • Page 159

    159 SonicOS Enhanced 4.0 Administrator Guide Chapter 15: Configuring PortShield Interfaces SonicWALL PortShield Interfaces SonicWALL PortShield is a feature of the SonicWALL TZ 180 and TZ 190 security appliances running SonicOS Enhanced 3.8 or newer. PortShield architecture enables you to configure some or all of the LAN switch ports [...]

  • Page 160

    SonicWALL PortShield Interfaces 160 SonicOS Enhanced 4.0 Administrator Guide Network > SwitchPorts The Network > SwitchPorts page allows you to manage the assignments of ports to PortShield interfaces. Overview A PortShield interface is a virtual interface with a set of ports assigned to it. There are two IP assignment methods you can deploy [...]

  • Page 161

    SonicWALL PortShield Interfaces 161 SonicOS Enhanced 4.0 Administrator Guide When you create a PortShield interface in Transparent Mode, you create a range of addresses to be applied to the PortShield interface. You include these addresses in one entity called an Address Object. Address Objects allow for entities to be defined one time and to be [...]

  • Page 162

    SonicWALL PortShield Interfaces 162 SonicOS Enhanced 4.0 Administrator Guide Creating a PortShield Interface from the Interfaces Area Before creating and adding a PortShield interface, think about why you are creating it and what role it will play in your network. To create and add a PortShield interface to the list of interfaces, perform the fol[...]

  • Page 163

    SonicWALL PortShield Interfaces 163 SonicOS Enhanced 4.0 Administrator Guide 6. Click the Add PortShield Interface button. The Add Port Shield dialog box displays. 7. Click the Zone list box and click on a zone type option to which you want to map the interface. Default zones are: – LAN – DMZ – WLAN – Unassigned If you want to create anothe[...]

  • Page 164

    SonicWALL PortShield Interfaces 164 SonicOS Enhanced 4.0 Administrator Guide 8. After you select a zone option, the management software displays a more expanded version of the PortShield Interface Settings dialog box. 9. Type a string in the PortShield Interface Name field. 10. Click on the IP Assignment list box and select either Static or Tra[...]

  • Page 165

    SonicWALL PortShield Interfaces 165 SonicOS Enhanced 4.0 Administrator Guide Note This option only appears when creating a PortShield interface, not when editing an existing PortShield interface. You can make changes to the interface’s DHCP settings after creating an interface from the DHCP Server environment ( Network > DHCP Server ). 16. C[...]

  • Page 166

    SonicWALL PortShield Interfaces 166 SonicOS Enhanced 4.0 Administrator Guide Creating a New Zone for the PortShield Interface You may want to create a zone for a PortShield interface that has different attributes to it than any of the default zones provide. To create a new zone for a PortShield interface, perform the following: 1. In the Add Port[...]

  • Page 167

    SonicWALL PortShield Interfaces 167 SonicOS Enhanced 4.0 Administrator Guide 4. After selecting the security level for the Port Shield interface, click on one of the following checkboxes that enables a security service for the zone: 5. Click OK . Refining the PortShield Interface You can refine a PortShield interface group in the Switch Ports env[...]

  • Page 168

    SonicWALL PortShield Interfaces 168 SonicOS Enhanced 4.0 Administrator Guide 4. Click the Configure button. The management software displays the Edit Multiple Switch Ports dialog box. You can refine your settings in this dialog box. The name of the PortShield interface group will be assigned by default. 5. Click on the Port Enable list box and clic[...]

  • Page 169

    SonicWALL PortShield Interfaces 169 SonicOS Enhanced 4.0 Administrator Guide Creating Transparent Mode PortShield Interfaces You may find it useful to create address objects to bundle addresses into address objects and reference these objects when creating a PortShield interface. Address objects allow for entities to be defined one time and to be r[...]

  • Page 170

7. Click on the Transparent Range list box and click on the Create new address object option. The management software displays the Add Address Object dialog box. 8. Fill out the fields as detailed in the next three sections to create the three different types of address ob[...]

  • Page 171

Creating a PortShield Using an Address Object Containing an Address Range. To assign a Range Address Object with addresses extending from 67.115.118.100 to 67.115.118.102 to portshield2, perform the following steps: 1. Type the name portshield2 in the Name field to identify[...]

  • Page 172

2. Click on the Add button in the Address Objects list in the window. SonicOS displays the Add Address Object dialog box as shown in the following figure. 3. Enter the name portshield3 in the Name field. 4. Select Network from the Type menu. 5. Enter 67.115.118.200 in th[...]

  • Page 173

To select ports and apply them to a previously configured interface, perform the following steps: 1. Create a PortShield interface following the steps in “Overview” on page 160, but do not map ports to it by going into the Switch Ports tab. 2. Click the Networks opti[...]

  • Page 174

6. Click on the PortShield Interface list box as shown in the following figure. Note that the list contains an entry called Accounting; this is the host address object you created. 7. Click on the Accounting entry. By selecting this entry, you mapped ports 3, 4, and 5 t[...]

  • Page 175

Note: The easiest way to configure this example is to use the PortShield Wizard. Configure it to have two PortShield interfaces, with three and two ports respectively. For more details on the PortShield Wizard, see Chapter 23, Configuring PortShield Interfaces Using the Setu[...]

  • Page 176

PortShield Interfaces. The small business example uses two PortShield interfaces.
• LAN: for office use
  – LAN zone
  – Ports 1 - 3. These ports are assigned to LAN by not assigning them to another PortShield interface.
  – 2 desktop workstations
  – 1 web and mail server[...]

  • Page 177

  – Name: Residents
  – Security Type: Wireless. Select Wireless so you can use the same context for both the individual wired connections and the SonicPoints.
  – Allow Interface Trust: Checked
  – Enforce Content Filtering Service: Checked
  – Enforce Client Ant[...]

  • Page 178

  – SonicPoint Provisioning Profile: Select the SonicPoint profile you configured. The settings in this profile are applied automatically to the SonicPoints you set up for wireless access.
• Guest Services tab settings:
  – Enable Wireless Guest Services: Check this[...]

  • Page 179

Configure the PortShield Interfaces with the PortShield Wizard. In this example, two ports are assigned to a Wireless PortShield interface for the SonicPoints and three ports are assigned to the LAN interface for the office. The easiest way to configure this is to use the [...]

  • Page 180

4. Uncheck the Enable Interface Trust for new PortShield Interface segments checkbox to prevent communication between the wireless segment and the office segment; with interface trust off, hosts on one segment can reach the other only through an Access Rule you add explicitly. If this level of isolation is not necessary, leave the checkbox checked. You can modify these settings on the F[...]

  • Page 181

Chapter 16: Setting Up WAN Failover and Load Balancing (Network > WAN Failover & Load Balancing). WAN Failover and Load Balancing allows you to designate one of the user-assigned interfaces as a Secondary or backup WAN port. The secondary WAN port can be used in a simple active/passiv[...]

  • Page 182

About Source and Destination IP Address Binding. When you establish a connection with a WAN, you can create multiple interfaces, dividing the task load over these interfaces. There are both Primary and Secondary WAN interfaces. This task distribution mo[...]

  • Page 183

Creating a NAT Policy for the Secondary WAN Port. You need to create a NAT policy on your SonicWALL for WAN Failover. Follow these steps to create a NAT policy on your SonicWALL using the OPT interface: Step 1 Select Network > NAT Policies. Step 2 Click [...]

  • Page 184

Activating WAN Failover and Selecting the Load Balancing Method. To configure the SonicWALL for WAN failover and load balancing, follow the steps below: Step 1 On the Network > WAN Failover & LB page, select Enable Load Balancing. Step 2 If there are m[...]

  • Page 185

– Basic Active/Passive Failover: When this setting is selected, the SonicWALL security appliance only sends traffic through the Secondary WAN interface if the Primary WAN interface has been marked inactive. The SonicWALL security appliance is set to use [...]

  • Page 186

entry box is required (percentage for Primary WAN). The management interface automatically populates the non-user-editable entry box with the remaining percentage assigned to the Secondary WAN interface. Please note this feature will be overridden by specif[...]

  • Page 187

upstream. If your ISP is experiencing problems in its routing infrastructure, a successful ICMP ping of their router causes the SonicWALL security appliance to believe the line is usable, when in fact it may not be able to pass traffic to and from the publi[...]

  • Page 188

Note: If there is a NAT device between the two devices sending and receiving TCP probes, the Any TCP-SYN to Port box must be checked, and the same port number must be configured here and in the Configure WAN Probe Monitoring window. Step 4 Click on the Co[...]

  • Page 189

Caution: Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings. Note: If the Probe Target is unable to contact the target device, the interface is deactivated and traffic is no longer sent to the primary WAN. W[...]
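
The probe monitoring described on the last few pages, modelled as an added example (this is not SonicOS code, and the appliance's own thresholds and internals are not shown on the page): a link is marked inactive after a configurable run of consecutive probe failures and active again after a run of consecutive successes, and the probe itself completes a TCP handshake with a host beyond the ISP's router rather than pinging that router. The class name, the threshold values and the outcome sequence are assumptions constructed for the illustration.

```python
"""WAN probe monitoring, modelled in Python (added example, not SonicOS code)."""
import socket
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class WanProbeMonitor:
    """Derives a WAN link's active/inactive state from consecutive probe results.
    The thresholds are assumptions standing in for the appliance's settings."""
    fail_threshold: int = 3      # consecutive failures before the link is marked inactive
    success_threshold: int = 3   # consecutive successes before it is marked active again
    active: bool = True
    consecutive_fails: int = 0
    consecutive_oks: int = 0
    history: List[bool] = field(default_factory=list)

    def record(self, ok: bool) -> bool:
        """Feed one probe result (True = reply received) and return the new link state."""
        self.history.append(ok)
        if ok:
            self.consecutive_oks += 1
            self.consecutive_fails = 0
            if not self.active and self.consecutive_oks >= self.success_threshold:
                self.active = True
        else:
            self.consecutive_fails += 1
            self.consecutive_oks = 0
            if self.active and self.consecutive_fails >= self.fail_threshold:
                self.active = False
        return self.active


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Probe by completing a TCP handshake with a host beyond the ISP's router.

    A completed handshake proves the path carries traffic end to end. A successful
    ICMP ping of the ISP's first-hop router does not: that router keeps answering
    while the ISP's routing behind it is broken, which is the false positive the
    guide warns about.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(monitor: WanProbeMonitor, probe: Callable[[], bool], rounds: int) -> List[bool]:
    """Run `rounds` probes through the monitor and return the link state after each."""
    return [monitor.record(probe()) for _ in range(rounds)]


def replay(monitor: WanProbeMonitor, results: List[bool]) -> List[bool]:
    """Replay a sequence of probe outcomes (here a constructed one) through the monitor."""
    return [monitor.record(r) for r in results]


if __name__ == "__main__":
    # Constructed outcome sequence: one reply, three timeouts, three replies.
    # The link goes inactive after the third timeout and active after the third reply.
    print(replay(WanProbeMonitor(), [True, False, False, False, True, True, True]))
```

Point `tcp_probe` at a host on the far side of the ISP (for example a public web server on port 443), not at the ISP's gateway, and, as the note above says, when a NAT device sits between the probe endpoints configure the same port on both sides. The hysteresis (separate fail and success thresholds) is what stops a flapping link from bouncing traffic between the primary and secondary WAN on every lost packet.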


  • Page 191

Chapter 17: Configuring Zones (Network > Zones). A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following a strict physical interface scheme. Zone-based securi[...]

  • Page 192

tunnels, which is a feature that users have long requested. SonicWALL security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zone. How Zones Work. An easy way to visualize how security zones wor[...]

  • Page 193

Predefined Zones. The predefined zones on your SonicWALL security appliance depend on the device. The following are all the SonicWALL security appliance's predefined security zones: The predefined security zones on the SonicWALL security appliance are not modifiable and are def[...]

  • Page 194

• Trusted: Trusted is a security type that provides the highest level of trust, meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN [...]

  • Page 195

• Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones. • Enforce Global Security Clients - Enforces security policies for Global Security Clients on multiple interfaces in the same Trusted, P[...]

  • Page 196

• Configure: Clicking the Notepad icon displays the Edit Zone window. Clicking the Trashcan icon deletes the zone. The Trashcan icon is dimmed for the predefined zones; you cannot delete these zones. Adding a New Zone. To add a new Zone, click Add under the Zone Settings table. The[...]

  • Page 197

– Enable Gateway Anti-Virus Service - Enforces gateway anti-virus protection on your SonicWALL security appliance for all clients connecting to this zone. SonicWALL Gateway Anti-Virus manages the anti-virus service on the SonicWALL appliance. – SonicWALL Intrusion Protection Serv[...]

  • Page 198

– Enforce Global Security Clients - Enforces security policies for Global Security Clients on multiple interfaces in the same Trusted, Public or WLAN zones. – Create Group VPN - Creates a GroupVPN policy for the Zone, which is displayed in the VPN Policies table on the VPN > Se[...]

  • Page 199

– X5 IP. Step 8 In the SSL-VPN Service list, select the service or group of services you want to allow for clients authenticated through the SSL-VPN. Step 9 Select WiFiSec Enforcement to require that all traffic that enters the WLAN Zone interface be either IPsec traffic, WPA t[...]

  • Page 200

– Enable Dynamic Address Translation (DAT) - Wireless Guest Services (WGS) provides spur-of-the-moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to authenticate and associate, obtain IP settings from the TZ 170 Wi[...]

  • Page 201

Chapter 18: Configuring DNS Settings (Network > DNS). The Domain Name System (DNS) is a distributed, hierarchical system that provides a method for identifying hosts on the Internet using alphanumeric names called fully qualified domain names (FQDNs) instead of difficult-to-remember n[...]

  • Page 202

To use the DNS Settings configured for the WAN zone, select Inherit DNS Settings Dynamically from the WAN Zone. Click Apply to save your changes.[...]

  • Page 203

Chapter 19: Configuring Address Objects (Network > Address Objects). Address Objects are one of four object classes (Address, User, Service, and Schedule) in SonicOS Enhanced. These Address Objects allow entities to be defined one time, and to be re-used in multiple referential instances [...]

  • Page 204

• MAC Address – MAC Address Objects allow a host to be identified by its hardware address or MAC (Media Access Control) address. (The address a host presents on the wire is set by its driver and can be changed by whoever controls the host, so a MAC Address Object selects a device for policy purposes and is not proof of its identity.) MAC addresses are uniquely assigned to every piece of wired or wireless networking device by their hardware manufacturers, and are[...]

  • Page 205

• All Address Objects - displays all configured Address Objects.
• Custom Address Objects - displays Address Objects with custom properties.
• Default Address Objects - displays Address Objects configured by default on the SonicWALL security appliance.
Sorting Address O[...]

  • Page 206

Default Address Objects and Groups. The Default Address Objects view displays the default Address Objects and Address Groups for your SonicWALL security appliance. The Default Address Objects entries cannot be modified or deleted; therefore, the Notepad (Edit) and Trashcan (de[...]

  • Page 207

Default Address Groups
• LAN Subnets
• Firewalled Subnets
• LAN Interface IP
• WAN Subnets
• WAN Interface IP
• DMZ Subnets
• DMZ Interface IP
• ALL WAN IP
• All Interface IP
• All X0 Management IP
• All X1 Management IP
• Custom Subnets
• Custom Int[...]

  • Page 208

• X4 Subnet
• X5 IP
• X5 Subnet
• Default Gateway
• Secondary Default Gateway
• WAN Remote Access Networks
• VPN DHCP Clients
• LAN Remote Access Networks
• SonicPoint
Default Address Groups
• LAN Subnets
• Firewalled Subnets
• WAN Subnets
• DMZ Subn[...]

  • Page 209

Adding an Address Object. To add an Address Object, click the Add button under the Address Objects table in the All Address Objects or Custom Address Objects view to display the Add Address Object window. Step 1 Enter a name for the Address Object in the Name field. Step 2 Selec[...]

  • Page 210

– If you selected MAC, enter the hardware address in the MAC Address field. – If you selected FQDN, enter the domain name for the individual site or range of sites (with a wildcard) in the FQDN field. Step 3 Select the zone to assign to the Address Ob[...]

  • Page 211

Creating Group Address Objects. As more and more Address Objects are added to the SonicWALL security appliance, you can simplify managing the addresses and access policies by creating groups of addresses. Changes made to the group are applied to each address in the group. To[...]

  • Page 212

Public Server Wizard. SonicOS Enhanced includes the Public Server Wizard to automate the process of configuring the SonicWALL security appliance for handling public servers. For example, if you have an e-mail and Web server on your network for access from users on the Intern[...]

  • Page 213

SonicOS Enhanced 3.5 redefined the operation of MAC AOs and introduces Fully Qualified Domain Name (FQDN) AOs: • MAC – SonicOS Enhanced 3.5 and higher resolves MAC AOs to an IP address by referring to the ARP cache on the SonicWALL. • FQDN – Fully Qualified Do[...]

  • Page 214

Feature: FQDN wildcard support. Benefit: FQDN Address Objects support wildcard entries, such as “*.somedomainname.com”, by first resolving the base domain name to all its defined host IP addresses, and then by constantly gleaning DNS responses as they pass through[...]
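
The two-step behaviour just described, written out as an added example (this is a model, not SonicOS code): a wildcard object starts from the base name's addresses and then learns more from A and CNAME answers it sees in transit, with the matching rule that `*.somedomainname.com` covers the base and anything below it but not a look-alike such as `evil-somedomainname.com`. The DNS message parser, the sample responses and every hostname and address here are constructed for the illustration.

```python
"""FQDN wildcard address objects fed by in-transit DNS responses (added example, not SonicOS code)."""
import ipaddress
import struct
from typing import List, Set, Tuple

A, CNAME = 1, 5


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname: str, answers: List[Tuple[str, int, str]]) -> bytes:
    """Constructed DNS response (not a capture). Owners equal to qname are
    written as a compression pointer to the question name at offset 12."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", A, 1)
    for owner, rtype, rdata in answers:
        msg += b"\xc0\x0c" if owner == qname else encode_name(owner)
        rd = ipaddress.IPv4Address(rdata).packed if rtype == A else encode_name(rdata)
        msg += struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return msg


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                           # refuse pointer loops
                raise ValueError("compression loop")
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii").lower())
        off += 1 + ln
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg: bytes) -> List[Tuple[str, int, str]]:
    """(owner, type, rdata) for each A and CNAME record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                    # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A and rdlen == 4:
            out.append((owner, A, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        elif rtype == CNAME:
            out.append((owner, CNAME, read_name(msg, off)[0]))
        off += rdlen
    return out


class FqdnAddressObject:
    def __init__(self, pattern: str, base_addresses=()):
        self.pattern = pattern.lower().rstrip(".")
        self.wildcard = self.pattern.startswith("*.")
        self.base = self.pattern[2:] if self.wildcard else self.pattern
        self.addresses: Set[str] = set(base_addresses)  # step 1: base name resolved up front
        self.aliases: Set[str] = set()                   # CNAME targets learned in transit

    def matches(self, name: str) -> bool:
        name = name.lower().rstrip(".")
        if name in self.aliases:
            return True
        if self.wildcard:   # the base and names below it, never "evil-<base>"
            return name == self.base or name.endswith("." + self.base)
        return name == self.pattern

    def glean(self, msg: bytes) -> Set[str]:
        """Step 2: learn addresses from a DNS response in transit; return the new ones."""
        new = set()
        for owner, rtype, rdata in parse_answers(msg):
            if not self.matches(owner):
                continue
            if rtype == CNAME:
                self.aliases.add(rdata)   # the alias's A records now belong to this object
            elif rdata not in self.addresses:
                self.addresses.add(rdata)
                new.add(rdata)
        return new

    def contains(self, ip: str) -> bool:
        return ip in self.addresses
```

Two caveats follow from the model. Gleaning trusts whatever answers transit the firewall, so the object is only as good as the resolver path it watches; and a CNAME to a third-party CDN pulls that CDN's addresses, which it may share with other customers, into the object, so a deny rule built on it can over-block and an allow rule can over-allow.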

  • Page 215

Enforcing the use of sanctioned servers on the network. Although not a requirement, it is recommended to enforce the use of authorized or sanctioned servers on the network. This practice can help to reduce illicit network activity, and will also serve to ensure the reliabili[...]

  • Page 216

• Create Address Object Groups of sanctioned servers (e.g. SMTP, DNS, etc.)
• Create Access Rules in the relevant Zones allowing only authorized SMTP servers on your network to communicate outbound SMTP; block all other outbound SMTP traffic to prevent intentional or un[...]
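
The sanctioned-server pattern from the two bullets above, as an added example (a model of the rule set, not SonicOS code): an allow rule for the sanctioned SMTP group, a deny for everyone else on the same service, and a default allow, evaluated top-down with first match winning, which is assumed here. The example also includes the check a practitioner wants after editing such a table, namely whether any rule is shadowed by a broader one above it, which is exactly what happens when the catch-all deny is placed above the exception. The relay addresses and zone names are constructed for the illustration.

```python
"""Zone access rules for sanctioned servers, evaluated in Python (added example, not SonicOS code).

Assumes top-down, first-match evaluation and deny when nothing matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    source: Tuple[str, ...]   # address objects as CIDR strings; ("any",) matches everything
    service: Optional[int]    # destination TCP port; None means any service
    action: str               # "allow" or "deny"
    comment: str = ""


def in_objects(ip: str, objects: Tuple[str, ...]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(o == "any" or addr in ipaddress.ip_network(o, strict=False) for o in objects)


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, src_ip: str, dst_port: int) -> Optional[Rule]:
    """Return the first rule whose zone pair, service and source all match the flow."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.service is not None and r.service != dst_port:
            continue
        if not in_objects(src_ip, r.source):
            continue
        return r
    return None


def decide(rules: List[Rule], src_zone: str, dst_zone: str, src_ip: str, dst_port: int) -> str:
    r = first_match(rules, src_zone, dst_zone, src_ip, dst_port)
    return r.action if r else "deny"


def _covers(broad: Tuple[str, ...], narrow: Tuple[str, ...]) -> bool:
    """True if every object in `narrow` lies inside some object in `broad`."""
    for n in narrow:
        if n == "any":
            if "any" not in broad:
                return False
            continue
        nn = ipaddress.ip_network(n, strict=False)
        if not any(b == "any" or nn.subnet_of(ipaddress.ip_network(b, strict=False)) for b in broad):
            return False
    return True


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule with the same
    zones, a matching service and a broader source sits above them."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            same_zones = (earlier.src_zone, earlier.dst_zone) == (r.src_zone, r.dst_zone)
            service_ok = earlier.service is None or earlier.service == r.service
            if same_zones and service_ok and _covers(earlier.source, r.source):
                out.append(i)
                break
    return out


# Constructed example: two mail relays are the only hosts allowed to speak SMTP outbound.
SANCTIONED_SMTP = ("192.168.10.25/32", "192.168.10.26/32")
RULES = [
    Rule("LAN", "WAN", SANCTIONED_SMTP, 25, "allow", "sanctioned mail relays"),
    Rule("LAN", "WAN", ("any",), 25, "deny", "block all other outbound SMTP"),
    Rule("LAN", "WAN", ("any",), None, "allow", "default LAN->WAN allow"),
]
MISORDERED = [RULES[1], RULES[0], RULES[2]]   # the deny placed above the exception
```

`shadowed_rules(RULES)` is empty, while `shadowed_rules(MISORDERED)` reports the relay allow as unreachable, and `decide(MISORDERED, ...)` indeed denies the sanctioned relay. Run the shadowing check whenever a rule table is edited; a shadowed allow is silent in production until the relay's mail queue backs up.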

  • Page 217

Blocking All Protocol Access to a Domain using FQDN DAOs. There might be instances where you wish to block all protocol access to a particular destination IP because of non-standard ports of operation, unknown protocol use, or intentional traffic obscuration through encrypti[...]

  • Page 218

Step 2 – Create the Firewall Access Rule • From the Firewall > Access Rules page, LAN->WAN Zone intersection, add an Access Rule as follows: Note: Rather than specifying ‘LAN Subnets’ as the source, a more specific source could be specified, as appropriate, so t[...]

  • Page 219

The following illustrates a packet dissection of a typical DNS dynamic update process, showing the dynamically configured host 10.50.165.249 registering its full hostname bohuymuth.moosifer.com with the (DHCP-provided) DNS server 10.50.165.3: In such environments, it could [...]

  • Page 220

Step 1 – Create the MAC Address Objects • From Network > Address Objects, select Add and create the following Address Object (multi-homing optional, as needed): • Once created, if the hosts were present in the SonicWALL's ARP cache, they will be resolved immediate[...]

  • Page 221

Bandwidth Managing Access to an Entire Domain. Streaming media is one of the most profligate consumers of network bandwidth. But trying to control access, or manage the bandwidth allotted to these sites, is difficult because most sites that serve streaming media tend to do so of[...]

  • Page 222

Step 2 – Create the Firewall Access Rule • From the Firewall > Access Rules page, LAN->WAN Zone intersection, add an Access Rule as follows: Note: If you do not see the Bandwidth tab, you can enable bandwidth management by declaring the bandwidth on your WAN interfac[...]

  • Page 223

• The BWM icon will appear within the Access Rule table indicating that BWM is active, and providing statistics: • Access to all *.youtube.com hosts, using any protocol, will now be cumulatively limited to 2% of your total available bandwidth for all user sessions.[...]


  • Page 225

Chapter 20: Configuring Routes (Network > Routing). If you have routers on your interfaces, you can configure static routes on the SonicWALL security appliance on the Network > Routing page. You can create static routing policies that create static routing entries that make decisions based[...]

  • Page 226

Route Advertisement. The SonicWALL security appliance uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL security appliance and remote VPN gateways are also reflected in the RIPv2[...]

  • Page 227

• RIPv2 Enabled (broadcast) - To send route advertisements using broadcasting (a single data packet to all nodes on the network). Step 3 In the Advertise Default Route menu, select Never, When WAN is up, or Always. Step 4 Enable Advertise Static Routes if you have static rou[...]

  • Page 228

A metric is a weighted cost assigned to static and dynamic routes. Metrics have a value between 0 and 255. Lower metrics are considered better and take precedence over higher costs. SonicOS Enhanced adheres to Cisco-defined metric values for directly connected interfaces, static[...]

  • Page 229

You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific routing policy. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the S[...]

  • Page 230

To test the Telnet policy-based route, telnet to route-server.exodus.net and, when logged in, issue the who command. It displays the IP address (or resolved FQDN) of the WAN IP address of the secondary WAN interface and not the primary WAN interface. Advanced Routing Services (OSPF a[...]

  • Page 231

• Protocol Type – Distance vector protocols such as RIP base routing metrics exclusively on hop counts, while link state protocols such as OSPF consider the state of the link when determining metrics. For example, OSPF determines interface metrics by dividing its reference bandw[...]

  • Page 232

OSPF does not have to impose a hop count limit because it does not advertise entire routing tables; rather, it generally only sends link state updates when changes occur. This is a significant advantage in larger networks in that it converges more quickly, produces less update tra[...]

  • Page 233

For example, if you had 8 class C networks, 192.168.0.0/24 through 192.168.7.0/24, rather than having a separate route statement for each of them, it would be possible to provide a single route to 192.168.0.0/21 which would encompass them all. This ability, in addition to pr[...]
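
The summarization above, as an added example (not SonicOS code) that also carries the check a practitioner wants before advertising a summary into OSPF or RIP: whether the summary covers exactly the networks behind it, or whether it also claims address blocks that nothing routes. A summary broader than the real networks attracts traffic for those unrouted destinations into this router, where it is dropped or sent on to the default route. The prefixes are the guide's own; the function names are this example's.

```python
"""Route summarization and over-summarization check (added example, not SonicOS code)."""
import ipaddress
from typing import Iterable, List


def summarize(prefixes: Iterable[str]) -> List[str]:
    """Collapse prefixes into the minimal set of prefixes covering exactly the same addresses."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_summary(prefixes: Iterable[str]) -> str:
    """Smallest single prefix covering every listed network; it may over-cover."""
    nets = sorted(ipaddress.ip_network(p, strict=False) for p in prefixes)
    net = nets[0]
    while not nets[-1].subnet_of(net):   # widen until the highest network fits too
        net = net.supernet()
    return str(net)


def uncovered(summary: str, prefixes: Iterable[str]) -> List[str]:
    """Address blocks inside `summary` that none of `prefixes` routes.
    An empty result means the summary is exact and safe to advertise."""
    remaining = [ipaddress.ip_network(summary, strict=False)]
    for p in (ipaddress.ip_network(x, strict=False) for x in prefixes):
        nxt = []
        for r in remaining:
            if p.subnet_of(r):
                nxt.extend(r.address_exclude(p))   # carve p out of r (nothing left if p == r)
            elif not r.subnet_of(p):
                nxt.append(r)                      # disjoint: keep r; r inside p: drop it
        remaining = nxt
    return sorted(str(n) for n in ipaddress.collapse_addresses(remaining))


EIGHT_CLASS_C = [f"192.168.{i}.0/24" for i in range(8)]   # the guide's example networks
```

With all eight /24s present, `single_summary` and `summarize` agree on 192.168.0.0/21 and `uncovered` is empty. Drop the last two networks and `single_summary` still returns the /21, but `uncovered` now reports 192.168.6.0/23, which is the block the summary would wrongly claim; `summarize` instead gives the two exact prefixes 192.168.0.0/22 and 192.168.4.0/23.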

  • Page 234

used, which is generally discouraged). Area assignment is interface specific on an OSPF router; in other words, a router with multiple interfaces can have those interfaces configured for the same or different areas. • Neighbors – OSPF routers on a common network segment have [...]

  • Page 235

LSAs are then exchanged within LSUs across these adjacencies rather than between each possible pairing of routers on the segment. Link state updates are sent by non-DR routers to the multicast address 224.0.0.6, the RFC 1583 assigned ‘OSPFIGP Designated Routers’[...]

  • Page 236

– Type 4 (ASBR Summary Link Advertisements) – Sent across areas by ABRs to describe the route to an ASBR located in another area (not the external networks themselves, which are carried in Type 5). Type 4 LSAs are not sent to Stub Areas. – Type 5 (AS External Link Advertisements) – Sent by ASBRs (Autonomous System Boundary Routers) to describe routes t[...]

  • Page 237

• Router Types – OSPF recognizes 4 types of routers, based on their roles: • IR (Internal Router) - A router whose interfaces are all contained within the same area. An internal router's LSDB only contains information about its own area. • ABR (Area Border Router) – A [...]

  • Page 238

By default, Advanced Routing Services are disabled, and must be enabled to be made available. At the top of the Network > Routing page is a checkbox, Use Advanced Routing. Toggling the state of this checkbox requires a reboot for the change to take effect. When the SonicWA[...]

  • Page 239

RIP Modes
• Disabled – RIP is disabled on this interface.
• Send and Receive – The RIP router on this interface will send updates and process received updates.
• Send Only – The RIP router on this interface will only send updates, and will not process received updates. Th[...]

  • Page 240

Redistribute Connected Networks - Enables or disables the advertising of locally connected networks into the RIP system. The metric can be explicitly set for this redistribution, or it can use the value (default) specified in the ‘Default Metric’ setting. Redistribute OSPF Route[...]

  • Page 241

The diagram illustrates an OSPF network where the backbone (area 0.0.0.0) comprises the X0 interface on the SonicWALL and the int1 interface on Router A. Two additional areas, 0.0.0.1 and 100.100.100.100, are connected, respectively, to the backbone via interface int2 on ABR Router[...]

  • Page 242

• Message Digest – A keyed MD5 hash (OSPF cryptographic authentication) over each OSPF packet authenticates the routers on this interface using a shared key; prefer it to Simple Password authentication, which carries the password in clear text. OSPF Area – The OSPF Area can be represented in either IP or decimal notation. For example, you may represent the area connected to X4:100 as either 100.100.100.100 or 168430090[...]

  • Page 243

Redistribute Static Routes – Enables or disables the advertising of static (Policy Based Routing) routes into the OSPF system. Redistribute Connected Networks - Enables or disables the advertising of locally connected networks into the OSPF system. Redistribute RIP Routes - Enabl[...]


  • Page 245

Chapter 21: Configuring NAT Policies (Network > NAT Policies)
• “NAT Policies Table” on page 246
• “NAT Policy Settings Explained” on page 248
• “NAT Policies Q&A” on page 249
The Network Address Translation (NAT) engine in SonicOS Enhanced allows users to define granula[...]

  • Page 246

NAT Policies Table. The NAT Policies table allows you to view your NAT Policies by Custom Policies, Default Policies, or All Policies.[...]

  • Page 247

Tip: Before configuring NAT Policies, be sure to create all Address Objects associated with the policy. For instance, if you are creating a One-to-One NAT policy, be sure you have Address Objects for your public and private IP addresses. Tip: By default, LAN to WAN has a NAT polic[...]

  • Page 248

NAT Policy Settings Explained. The following explains the settings used to create a NAT policy entry in the Add NAT Policy or Edit NAT Policy windows. Click the Add button in the Network > NAT Policies page to display the Add NAT Policy window to create a new NAT policy or cl[...]

  • Page 249

• Translated Service: This drop-down menu setting is what the SonicWALL security appliance translates the Original Service to as it exits the SonicWALL security appliance, whether it be to another interface, or into/out of VPN tunnels. You can use the default services in the[...]

  • Page 250

to translate all LAN systems to the WAN IP address, then create a policy saying that a specific system on that LAN uses a different IP address, and additionally create a policy saying that that specific system uses yet another IP address when using HTTP. Can I have multiple NAT policies for t[...]

  • Page 251

This document details how to configure the necessary NAT, load balancing, health check, logging, and firewall rules to allow systems from the public Internet to access a Virtual IP (VIP) that maps to one or more internal systems, such as Web servers, FTP servers, or SonicWAL[...]

  • Page 252

• Round Robin – Each new connection is sent to the next live load-balanced resource in turn. This method is best for equal load distribution when persistence is not required. • Block Remap/Symmetrical Remap – These two methods are useful when you know the source IP a[...]

  • Page 253

Details of Load Balancing Algorithms. This appendix describes how the SonicWALL security appliance applies the load balancing algorithms: • Round Robin - Source IP connects to Destination IP alternately • Random Distribution - Source IP connects to Destination IP randomly[...]
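
The selection methods listed on this page and the previous one (Round Robin, Random Distribution, Block Remap), modelled as an added example rather than SonicOS code. Round robin and random follow the descriptions above; the source-IP "sticky" hash is a common persistence method included for contrast, and the block-remap arithmetic here (client's last octet selects the server) is an assumption, since the page does not show SonicOS's exact mapping. The model also carries the health-check interaction: a server that fails its check leaves the candidate set, and when no server is live the selector returns nothing rather than forwarding to a dead host. Server and client addresses are constructed.

```python
"""NAT load-balancing target selection, modelled in Python (added example, not SonicOS code)."""
import hashlib
import random
from typing import List, Optional


class NatLoadBalancer:
    def __init__(self, pool: List[str], method: str = "round_robin", seed: int = 0):
        self.pool = list(pool)            # translated destinations (the real servers)
        self.method = method
        self.live = set(pool)             # maintained by the health check
        self._rr = 0
        self._rng = random.Random(seed)   # seeded so the example is reproducible

    def mark_down(self, ip: str) -> None:
        """Health check failed: stop handing out this server."""
        self.live.discard(ip)

    def mark_up(self, ip: str) -> None:
        if ip in self.pool:
            self.live.add(ip)

    def candidates(self) -> List[str]:
        return [ip for ip in self.pool if ip in self.live]

    def select(self, src_ip: str) -> Optional[str]:
        """Pick the translated destination for a new connection from src_ip.
        None means every server failed its health check; drop the connection."""
        cands = self.candidates()
        if not cands:
            return None
        if self.method == "round_robin":          # next live server in turn
            ip = cands[self._rr % len(cands)]
            self._rr += 1
            return ip
        if self.method == "random":               # uniform choice among live servers
            return self._rng.choice(cands)
        if self.method == "sticky_ip":            # same client, same server, while the live set is unchanged
            digest = hashlib.sha256(src_ip.encode("ascii")).digest()
            return cands[int.from_bytes(digest[:4], "big") % len(cands)]
        if self.method == "block_remap":          # assumption: contiguous source blocks map to
            last_octet = int(src_ip.rsplit(".", 1)[1])   # consecutive servers by last octet
            return cands[last_octet * len(cands) // 256]
        raise ValueError(f"unknown method {self.method}")
```

Note what the sticky method gives up under failover: because it hashes modulo the live set, one server dropping out remaps most clients, not just that server's. That is acceptable for the stateless services in this chapter's examples but matters for anything holding server-side session state.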

  • Page 254

Creating NAT Policies. NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address, and Destination Services. Policy-based NAT allows you to deploy different types of NAT simultaneo[...]

  • Page 255

• Original Service: Any
• Translated Service: Original
• Inbound Interface: Opt
• Outbound Interface: WAN
• Comment: Enter a short description
• Enable NAT Policy: Checked
• Create a reflective policy: Unchecked
When done, click on the OK button to add and a[...]

  • Page 256

You can test the dynamic mapping by installing several systems on the LAN interface at a spread-out range of addresses (for example, 192.168.10.10, 192.168.10.100, and 192.168.10.200) and accessing the public website http://www.whatismyip.com from each system. Each system sho[...]

  • Page 257

Creating a One-to-One NAT Policy for Inbound Traffic (Reflective). This is the mirror policy for the one created in the previous section when you check Create a reflective policy. It allows you to translate an external public IP address into an internal private IP address. Th[...]

  • Page 258

Figure 21:1 One-to-Many NAT Load Balancing Topology and Configuration. To configure One-to-Many NAT load balancing, first go to the Firewall > Access Rules page and choose the policy for WAN to LAN. Click on the Add… button to bring up the pop-up access policy screen.[...]

  • Page 259

  – IP Address: The network IP address for the devices to be load balanced (in the topology shown in Figure 21:1, this is 192.168.200.1)
• Original Service: HTTPS
• Translated Service: HTTPS
• Inbound Interface: Any
• Outbound Interface: Any
• Comment: Descriptiv[...]

Note: Make sure you choose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it is the correct setting (if you try to specify the interface, you get an error).

Step 3 When finished, click on the OK button [...]

3. Create two NAT entries to allow the two servers to initiate traffic to the public Internet.
4. Create two NAT entries to map the cust
om ports to the actual listening ports, and to map the private IP addresses to the SonicWALL's WAN IP address.
5. Create two access rule entries [...]

When finished, click on the OK button to add and activate the NAT policies. With these policies in place, the SonicWALL security appliance translates the servers' private IP addresses to the public IP address when they initiate traffic out the WAN interface.

Step 4 Go to the [...]

Note: With previous versions of firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS 2.0 Enhanced. If you write a rule to the private IP address, the rule does not work.

Go to the Firewall > Access Rules page and choose the [...]

Figure 1 NAT Load Balancing Topology

Prerequisites

The examples shown in the Tasklist section on the next few pages use IP addressing information from a demo setup; be sure to replace any IP addressing information shown in the examples with the correct addresses [...]

and activate the changes. For an example, see the screenshot below. Debug logs should only be used for initial configuration and troubleshooting; once setup is complete, set the logging level to one appropriate for your network environment. [...]

Step 2 Create Address Group -- Now create an address group named www_group and add the two internal server address objects you just created. [...]

Step 3 Create Inbound NAT Rule for Group -- Now create a NAT rule so that anyone attempting to access the VIP is translated to the address group you just created, using Sticky IP as the NAT method. For an example, see the screenshot below.

Note: Do not save the NAT rule just [...]

Note: Before you go any further, check the logs and the status page to see whether the resources have been detected and logged as online. If you do not see the two messages below (with your IP addresses), check the steps above.

Step 5 Create Outbound NAT Rule for LB Group [...]

Step 6 Create Firewall Rule for VIP -- Write a firewall rule to allow traffic from the outside to access the internal Web servers via the VIP.

Step 7 Test Your Work -- From a laptop outside the WAN, connect via HTTP to the VIP using a Web browser.

Note: If you wish to load balance [...]

You can also check the Network > NAT Policies page and mouse over the Statistics icon. If the policy is configured incorrectly, you will not see any Rx or Tx Bytes; if it is working, you will see these increment with each successful external access of the load balanced resource [...]
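The policy fields listed in this chapter (original and translated source, destination and service), the reflective mirror policy, and a One-to-Many group with Sticky IP are easier to reason about as a small model. The following block is an added example written for this edition, not SonicOS code. It assumes first-match policy order, uses RFC 5737 documentation addresses on the public side and the guide's demo layout on the private side, and uses rendezvous hashing as the sticky method, which the guide does not specify.

```python
"""Policy-based NAT lookup with One-to-Many (Sticky IP) load balancing.

Added example, not SonicOS code. A policy matches on original source,
destination and service and may rewrite any of the three; reflective()
builds the mirror of a one-to-one policy; a policy with members maps a
public VIP onto a server group, keeps each client on one server (Sticky
IP) and skips members whose probe failed. Rendezvous hashing as the
sticky method and all addresses are assumptions.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "any"
ORIGINAL = "original"


@dataclass
class Member:
    ip: str
    online: bool = True          # maintained by the probe, see mark_probe()


@dataclass
class NatPolicy:
    orig_src: str = ANY          # "any", a host address, or a CIDR block
    orig_dst: str = ANY
    orig_svc: str = ANY          # "proto/port", for example "tcp/443"
    trans_src: str = ORIGINAL    # "original" or the replacement address
    trans_dst: str = ORIGINAL
    trans_svc: str = ORIGINAL
    members: List[Member] = field(default_factory=list)  # One-to-Many group
    enabled: bool = True


def _match_addr(rule: str, value: str) -> bool:
    if rule == ANY:
        return True
    if "/" in rule:
        return ipaddress.ip_address(value) in ipaddress.ip_network(rule, strict=False)
    return rule == value


def reflective(p: NatPolicy) -> NatPolicy:
    """Mirror of an outbound one-to-one policy: the public address becomes
    the original destination and is translated back to the private host."""
    return NatPolicy(orig_dst=p.trans_src, orig_svc=p.orig_svc, trans_dst=p.orig_src)


def sticky_pick(client_ip: str, members: List[Member]) -> Optional[Member]:
    """Rendezvous hashing: the client scores every online member and takes the
    highest, so when one member goes offline only that member's clients move."""
    online = [m for m in members if m.online]
    if not online:
        return None

    def score(m: Member) -> int:
        h = hashlib.sha256(f"{client_ip}|{m.ip}".encode()).digest()
        return int.from_bytes(h[:8], "big")

    return max(online, key=score)


def translate(policies: List[NatPolicy], src: str, dst: str,
              svc: str) -> Tuple[str, str, str]:
    """First enabled matching policy wins; no match means no translation."""
    for p in policies:
        if not p.enabled:
            continue
        if not (_match_addr(p.orig_src, src) and _match_addr(p.orig_dst, dst)
                and p.orig_svc in (ANY, svc)):
            continue
        new_src = src if p.trans_src == ORIGINAL else p.trans_src
        new_svc = svc if p.trans_svc == ORIGINAL else p.trans_svc
        if p.members:
            m = sticky_pick(src, p.members)
            if m is None:   # whole group failed its probe: refuse, do not forward to a dead host
                raise LookupError(f"no online member behind VIP {dst}")
            new_dst = m.ip
        else:
            new_dst = dst if p.trans_dst == ORIGINAL else p.trans_dst
        return new_src, new_dst, new_svc
    return src, dst, svc


def mark_probe(policy: NatPolicy, member_ip: str, online: bool) -> None:
    """Record the result of a health probe for one group member."""
    for m in policy.members:
        if m.ip == member_ip:
            m.online = online


# Constructed demo configuration (RFC 5737 addresses on the public side).
OUTBOUND_1TO1 = NatPolicy(orig_src="192.168.10.50", trans_src="203.0.113.10")
INBOUND_1TO1 = reflective(OUTBOUND_1TO1)
# Custom public port 8443 mapped to the server's real listening port 443.
PORT_MAP = NatPolicy(orig_dst="203.0.113.11", orig_svc="tcp/8443",
                     trans_dst="192.168.10.51", trans_svc="tcp/443")
WWW_GROUP = [Member("192.168.200.1"), Member("192.168.200.2")]
LB_VIP = NatPolicy(orig_dst="203.0.113.20", orig_svc="tcp/443", members=WWW_GROUP)
POLICIES = [OUTBOUND_1TO1, INBOUND_1TO1, PORT_MAP, LB_VIP]

if __name__ == "__main__":
    print(translate(POLICIES, "192.168.10.50", "198.51.100.7", "tcp/80"))
    print(translate(POLICIES, "198.51.100.7", "203.0.113.10", "tcp/22"))
    print(translate(POLICIES, "198.51.100.7", "203.0.113.20", "tcp/443"))
```

Two properties are worth checking by hand: the reflective policy sends traffic for 203.0.113.10 back to 192.168.10.50 without anyone writing a second policy, and after mark_probe() takes 192.168.200.1 offline, only the clients that were pinned to it move to 192.168.200.2 while the others keep their server. If every member is offline the lookup raises rather than silently forwarding to a dead host, which is the behaviour the probe messages in the log are meant to warn you about.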

Chapter 22: Managing ARP Traffic

Network > ARP [...]

ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet. ARP is a broadcast protocol that can create excessive amounts of traffic on your network. To minimize the broadcast [...]

address on any other interface. It will also remove any dynamically cached references to that MAC address that might have been present, and it will prohibit additional (non-unique) static mappings of that MAC address.
• Update IP Address Dynamically - The Update IP Address Dynamically [...]

To support the above configuration, first create a published static ARP entry for 192.168.50.1, the address which will serve as the gateway for the secondary subnet, and associate it with the DMZ/OPT interface. From the Network > ARP page, select the Add button in the Static ARP Entries [...]

To allow the traffic to reach the 192.168.50.0/24 subnet, and to allow the 192.168.50.0/24 subnet to reach the hosts on the LAN, navigate to the Firewall > Access Rules page, and add the following Access Rule:

Navigating and Sorting the ARP Cache Table

The ARP Cache table provides easy [...]

Navigating and Sorting the ARP Cache Table Entries

The ARP Cache table provides easy pagination for viewing a large number of ARP entries. You can navigate a large number of ARP entries listed in the ARP Cache table by using the navigation control bar located at the top right of the ARP [...]
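The three static-entry options described in this chapter (Publish Entry, Bind MAC Address, Update IP Address Dynamically) each change how the appliance treats an ARP packet that disagrees with the cache, which is exactly the condition an ARP spoofing attempt produces. The block below is an added example, not SonicOS code: it models those rules as a small cache, feeds it constructed ARP traffic, and returns an alert for every packet that contradicts the configuration. Interface names, MAC addresses and the alert wording are assumptions.

```python
"""Static, bound and published ARP entries with conflict detection.

Added example, not SonicOS code. It models the Network > ARP behaviour
this chapter describes: a static entry pins an IP to a MAC on one
interface, Bind MAC Address makes that MAC unique (other mappings of it
are dropped or refused), Update IP Address Dynamically lets a bound MAC
move to a new IP, and Publish Entry makes the appliance answer ARP
requests for the address. The ARP traffic and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ArpEntry:
    ip: str
    mac: str
    iface: str
    static: bool = False
    bound: bool = False        # MAC tied to iface and unique in the cache
    publish: bool = False      # appliance answers ARP requests for ip
    update_ip: bool = False    # bound MAC may move to a new IP


class ArpCache:
    def __init__(self) -> None:
        self.by_ip: Dict[str, ArpEntry] = {}
        self.alerts: List[str] = []

    def _alert(self, msg: str) -> str:
        self.alerts.append(msg)
        return msg

    def add_static(self, e: ArpEntry) -> None:
        e.static = True
        if e.bound:
            for other in list(self.by_ip.values()):
                if other.mac == e.mac and other.ip != e.ip:
                    if other.static:
                        raise ValueError(f"{e.mac} is already statically mapped to {other.ip}")
                    del self.by_ip[other.ip]      # drop dynamic references
        self.by_ip[e.ip] = e

    def learn(self, ip: str, mac: str, iface: str) -> Optional[str]:
        """Process the sender IP/MAC of an ARP packet seen on iface. Returns
        an alert string when the packet contradicts the configuration."""
        cur = self.by_ip.get(ip)
        if cur and cur.static:
            if cur.mac != mac or cur.iface != iface:
                return self._alert(f"ARP conflict: {ip} claimed by {mac} on {iface}, "
                                   f"static entry is {cur.mac} on {cur.iface}")
            return None
        bound = next((e for e in self.by_ip.values() if e.bound and e.mac == mac), None)
        if bound:
            if bound.iface != iface:
                return self._alert(f"ARP conflict: bound MAC {mac} seen on {iface}, "
                                   f"bound to {bound.iface}")
            if bound.update_ip:          # follow the host to its new address
                del self.by_ip[bound.ip]
                bound.ip = ip
                self.by_ip[ip] = bound
                return None
            return self._alert(f"ARP conflict: bound MAC {mac} claims {ip}, "
                               f"not its bound address {bound.ip}")
        if cur and cur.mac != mac:       # dynamic entry changed: accept, but log it
            self.by_ip[ip] = ArpEntry(ip, mac, iface)
            return self._alert(f"ARP change: {ip} moved from {cur.mac} to {mac}")
        self.by_ip[ip] = ArpEntry(ip, mac, iface)
        return None

    def answer_request(self, target_ip: str, iface: str) -> Optional[str]:
        """Proxy ARP: the MAC to answer with for a published entry, else None."""
        e = self.by_ip.get(target_ip)
        return e.mac if e and e.publish and e.iface == iface else None


OPT_MAC = "00:06:b1:aa:bb:cc"          # constructed MAC of the OPT interface
HOST_MAC = "00:11:22:33:44:55"         # constructed MAC of a bound LAN host

ARP_PACKETS: List[Tuple[str, str, str]] = [   # (sender IP, sender MAC, interface)
    ("192.168.10.20", "00:aa:bb:cc:dd:01", "X0"),   # ordinary dynamic learn
    ("192.168.10.10", HOST_MAC, "X0"),              # matches its static entry
    ("192.168.10.10", "de:ad:be:ef:00:01", "X0"),   # someone spoofing the static host
    ("192.168.10.77", HOST_MAC, "X0"),              # bound host moved: update its IP
    ("192.168.10.77", HOST_MAC, "X2"),              # bound MAC on the wrong interface
    ("192.168.10.20", "de:ad:be:ef:00:02", "X0"),   # dynamic entry changed MAC
]


def run_demo() -> Tuple[List[Optional[str]], ArpCache]:
    cache = ArpCache()
    # gateway for the secondary subnet, published on the OPT interface
    cache.add_static(ArpEntry("192.168.50.1", OPT_MAC, "X2", publish=True))
    cache.add_static(ArpEntry("192.168.10.10", HOST_MAC, "X0", bound=True, update_ip=True))
    return [cache.learn(*pkt) for pkt in ARP_PACKETS], cache


if __name__ == "__main__":
    for verdict in run_demo()[0]:
        print(verdict or "ok")
```

The first, second and fourth packets are accepted silently; the third (a different MAC claiming a statically mapped address) and fifth (a bound MAC appearing on another interface) are refused with a conflict alert, and the last is accepted but logged, because a dynamic entry silently changing its MAC is the one symptom of gateway impersonation a cache can see on its own.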

Chapter 23: Setting Up the DHCP Server

Network > DHCP Server

This chapter contains the following sections:
• "DHCP Server Options Overview" on page 278
• "DHCP Server Persistence Overview" on page 279
• "Enabling the DHCP Server" on page 280
• "DHCP Server Lease Scopes [...]

The SonicWALL security appliance includes a DHCP (Dynamic Host Configuration Protocol) server to distribute IP addresses, subnet masks, gateway addresses, and DNS server addresses to your network clients. The Network > DHCP Server page includes settings for configuring the [...]

clients on the network, it provides vendor-specific configuration and service information. "DHCP Option Numbers" on page 294 provides a list of DHCP options by RFC-assigned option number.

Benefits

The SonicWALL DHCP server options feature provides a simple interface for [...]

How Does DHCP Server Persistence Work?

DHCP server persistence works by periodically storing DHCP lease information to flash memory. This ensures that users have predictable IP addresses and minimizes the risk of IP addressing conflicts after a reboot.

Enabling the DHCP Server [...]

Configuring DHCP Server for Dynamic Ranges

To configure the DHCP server for dynamic IP address ranges, follow these instructions:

Step 1 In the Network > DHCP Server page, at the bottom of the DHCP Server Lease Scopes table, click Add Dynamic. The Dynamic Ranges Configuration window [...]

DNS/WINS Settings

Step 9 Click the DNS/WINS tab to continue configuring the DHCP Server feature.
Step 10 If you have a domain name for the DNS server, type it in the Domain Name field.
Step 11 Inherit DNS Settings Dynamically using SonicWALL's DNS Settings automatically populates [...]

VoIP Settings

Step 14 Click on the VoIP Settings tab. The VoIP Settings tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network.
Step 15 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager [...]

General Settings

Step 2 In the General tab, make sure Enable this DHCP Entry is checked if you want to enable this range.
Step 3 Select the interface from the Interface menu. The IP addresses are in the same private subnet as the selected interface.
Step 4 Enter a name for the [...]

VoIP Settings

Step 15 Click on the VoIP Settings tab. The VoIP Settings tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network.
Step 16 Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager [...]

Configuring DHCP Option Objects

To configure DHCP option objects, perform the following steps:

Step 1 In the left-hand navigation panel, navigate to Network > DHCP Server.
Step 2 Under DHCP Server Lease Scopes, click the Option Objects button. The Option Objects page displays [...]

Step 4 Type a name for the option in the Option Name field.
Step 5 From the Option Number drop-down list, select the option number that corresponds to your DHCP option. For a list of option numbers and names, refer to "DHCP Option Numbers" on page 294. [...]

Step 6 Optionally check the Option Array box to allow entry of multiple option values in the Option Value field. [...]

Step 7 The option type displays in the Option Type drop-down menu. If only one option type is available, for example, for Option Number 2 (Time Offset), the drop-down menu is greyed out. If there are multiple option types available, for example, for Option Number 77 (User Class [...]

Configuring DHCP Option Groups

To configure DHCP option groups, perform the following steps:

Step 1 In the left-hand navigation panel, navigate to Network > DHCP Server.
Step 2 Under DHCP Server Lease Scopes, click Option Groups. The Option Groups page displays.
Step 3 Click [...]

Step 4 Enter a name for the group in the Name field.
Step 5 Select an option object from the left column and click the -> button to add it to the group. To select multiple option objects at the same time, hold the Ctrl key while selecting the option objects.
Step 6 Click OK [...]

Configuring DHCP Generic Options for DHCP Lease Scopes

Note: Before generic options for a DHCP lease scope can be configured, a static or dynamic DHCP server lease scope must be created.

To configure DHCP generic options for DHCP server lease scopes, perform the following tasks: [...]

Step 2 Select a DHCP option or option group in the DHCP Generic Option Group drop-down menu.
Step 3 To always use DHCP options for this DHCP server lease scope, check the box next to Send Generic options always.
Step 4 Click OK. [...]

Current DHCP Leases

The current DHCP lease information is displayed in the Current DHCP Leases table. Each binding entry displays the IP Address, the Ethernet Address, and the Type of binding (Dynamic, Dynamic BOOTP, or Static BOOTP). To delete a binding, which frees the IP address [...]

Option  Name  Description
23  Default IP TTL  Default IP time-to-live
24  Path MTU Aging Timeout  Path MTU aging timeout
25  MTU Plateau  Path MTU plateau table
26  Interface MTU Size  Interface MTU size
27  All Subnets Are Local  All subnets are local
28  Broadcast Address  Broadcast address
29  Perform Mask Discovery [...]

55  Parameter Request List  Parameter request list
56  Message  DHCP error message
57  DHCP Maximum Message Size  DHCP maximum message size
58  Renew Time Value  DHCP renewal (T1) time
59  Rebinding Time Value  DHCP rebinding (T2) time
60  Vendor Class Identifier  Vendor class identifier
61  Client Identifier [...]

84  Undefined  N/A
85  Novell Directory Servers  Novell Directory Services servers
86  Novell Directory Server Tree Name  Novell Directory Services server tree name
87  Novell Directory Server Context  Novell Directory Services server context
88  BCMCS Controller Domain Name List  BCMCS controller domain name list [...]

115  Undefined  N/A
116  Auto Configure  DHCP auto-configuration
117  Name Service Search  Name service search
118  Subnet Selection  Subnet selection
119  DNS Domain Search List  DNS domain search list
120  SIP Servers DHCP Option  SIP servers DHCP option
121  Classless Static Route Option [...]

147-149  Undefined  N/A
150  TFTP Server Address, Etherboot, GRUB Config  TFTP server address, Etherboot, GRUB configuration
151-157  Undefined  N/A
158 [...]

183-198  Undefined  N/A [...]

220  Subnet Allocation  Subnet allocation
221  Virtual Subnet Allocation  Virtual subnet selection
222-223  Undefined  N/A
224-229  Private Use  Private use [...]
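An option object as configured earlier in this chapter (option number, option type, optionally an option array of several values) is what ends up as one code/length/value element in the options field of a DHCP message. The block below is an added example, not SonicOS code: it encodes a handful of the options from the table above into that wire form, including the variable-length classless static route option 121, and decodes them back while refusing a length byte that runs past the buffer. The option set, addresses and domain name are constructed.

```python
"""DHCP options on the wire: the RFC 2132 code/length/value form.

Added example, not SonicOS code. Each option becomes code | length | value
after the magic cookie, ended by 255 (End). This block encodes and decodes
a few options from the table (3 Router, 6 DNS servers, 15 Domain Name,
51 lease time, 150 TFTP, 121 classless static routes), handles the
"option array" case for address lists, and rejects truncated input.
All values are constructed.
"""
import ipaddress
import struct
from typing import Any, Dict, List, Tuple

PAD, END = 0, 255
MAGIC_COOKIE = bytes([99, 130, 83, 99])
ADDR_LIST = {3, 6, 42, 150}     # one or more IPv4 addresses (option array)
STRING = {15}                   # text
U32 = {51}                      # seconds, 32-bit
CSR = 121                       # classless static routes, RFC 3442


def _enc_csr(routes: List[Tuple[str, str]]) -> bytes:
    """RFC 3442: prefix length, only the significant prefix bytes, then gateway."""
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.ip_network(dest)
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig] + ipaddress.IPv4Address(gw).packed
    return bytes(out)


def _dec_csr(b: bytes) -> List[Tuple[str, str]]:
    routes, i = [], 0
    while i < len(b):
        plen = b[i]
        if plen > 32:
            raise ValueError("bad prefix length in option 121")
        sig = (plen + 7) // 8
        chunk = b[i + 1:i + 1 + sig + 4]
        if len(chunk) != sig + 4:
            raise ValueError("truncated route in option 121")
        net = ipaddress.IPv4Address(chunk[:sig] + b"\x00" * (4 - sig))
        routes.append((f"{net}/{plen}", str(ipaddress.IPv4Address(chunk[sig:]))))
        i += 1 + sig + 4
    return routes


def encode_option(code: int, value: Any) -> bytes:
    if code in ADDR_LIST:
        vals = value if isinstance(value, list) else [value]
        body = b"".join(ipaddress.IPv4Address(v).packed for v in vals)
    elif code in STRING:
        body = value.encode("ascii")
    elif code in U32:
        body = struct.pack("!I", value)
    elif code == CSR:
        body = _enc_csr(value)
    else:
        raise ValueError(f"no encoder for option {code}")
    if not 0 < len(body) <= 255:             # a single length byte on the wire
        raise ValueError(f"option {code}: value length {len(body)} not in 1..255")
    return bytes([code, len(body)]) + body


def encode_options(opts: Dict[int, Any]) -> bytes:
    return MAGIC_COOKIE + b"".join(encode_option(c, v) for c, v in opts.items()) + bytes([END])


def decode_options(buf: bytes) -> Dict[int, Any]:
    if buf[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, out = 4, {}
    while i < len(buf):
        code, i = buf[i], i + 1
        if code == PAD:
            continue
        if code == END:
            return out
        if i >= len(buf):
            raise ValueError(f"option {code} has no length byte")
        ln, body = buf[i], buf[i + 1:i + 1 + buf[i]]
        i += 1 + ln
        if len(body) != ln:                   # never trust the length byte
            raise ValueError(f"option {code} truncated")
        if code in ADDR_LIST and ln % 4 == 0:
            out[code] = [str(ipaddress.IPv4Address(body[k:k + 4])) for k in range(0, ln, 4)]
        elif code in STRING:
            out[code] = body.decode("ascii")
        elif code in U32 and ln == 4:
            out[code] = struct.unpack("!I", body)[0]
        elif code == CSR:
            out[code] = _dec_csr(body)
        else:
            out[code] = body                  # unknown or malformed: keep raw bytes
    raise ValueError("options not terminated by End (255)")


# Constructed option set for a LAN scope.
SCOPE_OPTIONS: Dict[int, Any] = {
    3: "192.168.10.1",
    6: ["192.168.10.1", "192.168.10.2"],
    15: "corp.example",
    51: 86400,
    150: ["192.168.10.50"],
    121: [("10.20.20.0/24", "172.16.31.2"), ("0.0.0.0/0", "192.168.10.1")],
}

if __name__ == "__main__":
    wire = encode_options(SCOPE_OPTIONS)
    print(wire.hex())
    print(decode_options(wire))
```

Option 121 is the one to study: each route is a prefix length, then only as many prefix bytes as that length needs, then the gateway, so a /24 costs 8 bytes and a default route 5, and a parser that assumes fixed 8-byte routes will misread the second entry. The decoder checks the length byte against the remaining buffer before slicing, which is the check that matters when the options come from an untrusted client or from a DHCP server you did not configure.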

Chapter 24: Using IP Helper

Network > IP Helper

The IP Helper allows the SonicWALL security appliance to forward DHCP requests originating from its interfaces to a centralized DHCP server on behalf of the requesting client. IP Helper is used extensively [...]

• Enable NetBIOS Support - Enables NetBIOS broadcast forwarding with the DHCP requests. NetBIOS is required to allow Windows operating systems to browse for resources on a network.

IP Helper Policies

IP Helper Policies allow you to forward DHCP and NetBIOS broadcasts from one [...]

Chapter 25: Setting Up Web Proxy Forwarding

Network > Web Proxy

A Web proxy server intercepts HTTP requests and determines whether it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information [...]

To configure a Web proxy server, select the Network > Web Proxy page.

Step 1 Connect your Web proxy server to a hub, and connect the hub to the SonicWALL security appliance WAN port.
Step 2 Type the name or IP address of the proxy server in the Proxy Web Server (name or IP address) [...]

Chapter 26: Configuring Dynamic DNS

Network > Dynamic DNS

Dynamic DNS (DDNS) is a service provided by various companies and organizations that allows dynamically changing IP addresses to automatically update DNS records without manual intervention. This service allows for network access using [...]

• Dyndns.org http://www.dyndns.org - SonicOS requires a username, password, Mail Exchanger, and Backup MX to configure DDNS from Dyndns.org.
• Changeip.com http://www.changeip.com - A single, traditional Dynamic DNS service requiring only username, password, and domain name [...]

To configure Dynamic DNS on the SonicWALL security appliance, perform these steps:

Step 1 From the Network > Dynamic DNS page, click the Add button. The Add DDNS Profile window is displayed.
Step 2 If Enable this DDNS Profile is checked, the profile is administratively enabled [...]

– Static - A free DNS service for static IP addresses.
Step 9 When using DynDNS.org, you may optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Backup MX if this is the backup mail exchanger.
Step 10 Click the Advanced tab. You can [...]

Dynamic DNS Settings Table

The Dynamic DNS Settings table provides a table view of configured DDNS profiles. The Dynamic DNS Settings table includes the following columns:
• Profile Name - The name assigned to the DDNS entry during its creation. This can be any value, and is used [...]

• Online - When selected, this profile is administratively online. The setting can also be controlled using the Use Online Settings checkbox on the entry's Profile tab. Deselecting this checkbox while the profile is enabled will take the profile offline, and the SonicWALL [...]

PART 4: Wireless

Chapter 27: Viewing WLAN Settings, Statistics, and Station Status

Wireless Overview

The SonicWALL wireless security appliances support two wireless protocols, IEEE 802.11b and 802.11g, commonly known as Wi-Fi, and send data via radio transmissions. The SonicWALL wireless security appliance [...]

• VPN tunnel

Considerations for Using Wireless Connections
• Mobility - If the majority of your network is laptop computers, wireless is more portable than wired connections.
• Convenience - Wireless networks do not require cabling of individual computers or opening computer cases [...]

• Try to place the wireless security appliance in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
• Building construction can make a difference to wireless performance. Avoid placing the [...]

WiFiSec uses the easy provisioning capabilities of the SonicWALL Global VPN Client, making it easy for experienced and inexperienced administrators to implement on the network. The level of interaction between the Global VPN Client and the user depends on the WiFiSec options selected [...]

WLAN Settings

The WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table are hyperlinks to their respective pages for configuration. Enabled features are displayed in green, and disabled features are displayed [...]

WLAN Statistics

The WLAN Statistics table lists all of the traffic sent and received through the WLAN. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic.

WLAN Activities

The WLAN [...]

Station Status

The Station Status table displays information about wireless connections associated with the wireless security appliance.
• Station - The name of the connection used by the MAC address
• MAC Address - The wireless network card MAC address
• Authenticated - Status [...]

Chapter 28: Configuring Wireless Settings

Wireless > Settings

The Wireless > Settings page allows you to configure your wireless settings. On the Wireless > Settings page, you can enable or disable the WLAN port by selecting or clearing the Enable WLAN checkbox.

Wireless Radio Mode S[...]

Wireless Settings

Enable WLAN Radio: Check this checkbox to turn the radio on and enable wireless networking. Click Apply in the top right corner of the management interface to have this setting take effect.

Schedule: The schedule determines when the radio is on to send and receive [...]

mode. Operating in Wireless Bridge mode, the wireless security appliance connects to another wireless security appliance acting as an access point, and allows communications between the connected networks via the wireless bridge. Secure Wireless Bridging employs a WiFiSec VPN policy [...]

Configuring a Secure Wireless Bridge

When switching from Access Point mode to Wireless Bridge mode, all clients are disconnected, and the navigation panel on the left changes to reflect the new mode of operation. To configure a secure wireless bridge, follow these steps:

Step 1 C[...]

For example, in the previous network diagram, the wireless security appliances are configured as follows:
• The SSID on all three wireless security appliances is set to "myWLAN".
• WLAN addressing for all the wireless security appliances connected via Wireless Bridge must [...]

• Static routes must be entered on the Access Point TZ 170 Wireless to route back to the LAN subnets of the Bridge Mode TZ 170 Wireless units. Referring to the example network, TZ 170 Wireless 1 must have static routes to 10.20.20.x/24 via 172.16.31.2 and to 10.30.30.x/24 via 1[...]

• One policy to the Site_B address object at 10.30.30.0: [...]

Configuration for VPN Policies

Step 1 Click Network.
Step 2 Under Local Networks, select Choose local network from list and select LAN Interface IP.
Step 3 Under Destination Networks, select Choose destination network from list and select or create an address object for the destination [...]

Wireless Bridge VPN Policy Configuration

The Wireless Bridge VPN Policy is configured as follows:

Step 1 Click VPN, then Configure.
Step 2 Select IKE using Preshared Secret from the IPsec Keying Mode menu.
Step 3 Enter a name for the SA in the Name field.
Step 4 Type the IP address [...]

Chapter 29: Configuring WEP and WPA Security

Wireless > WEP/WPA Security

Note: When the SonicWALL wireless security appliance is configured in Access Point mode, this page is called Security. When the appliance is configured in Wireless Bridge mode, this page is called WEP Encryption.

Wir[...]

Authentication Overview

Below is a list of available authentication types with descriptive features and uses for each:

WEP
• Lower security (one static RC4 key shared by every client; the key can be recovered from captured traffic, so do not count on WEP against a determined attacker)
• For use with older legacy devices, PDAs, wireless printers

WPA
• Good security (uses TKIP, a per-packet keying scheme designed to run on WEP-era hardware; prefer WPA2 with AES wherever the clients support it)
• For use with trusted corporate [...]

WEP Encryption Keys

Step 1 Select the key number, 1, 2, 3, or 4, from the Default Key menu.
Step 2 Select the key type to be either Alphanumeric or Hexadecimal.
Step 3 Type your keys into each field.
Step 4 Click Apply.

WPA Encryption Settings

Both WPA and WPA2 support two [...]

WPA Settings
• Cypher Type: Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis.
• Group Key Update: Specifies when the wireless security appliance updates the group key. Select By Timeout [...]

• Radius Server 2 IP and Port: Enter the IP address and port number for your secondary RADIUS server, if you have one.
• Radius Server 2 Secret: Enter the shared secret for Radius Server 2.

Click Apply in the top right corner to apply your WPA settings.

WPA/WPA2 E[...]

Preshared Key Settings (PSK)
• Passphrase: Enter the passphrase from which the key is generated.

Click Apply in the top right corner to apply your WPA2 settings.

WPA2-EAP Settings

Encryption Mode: In the Authentication Type field, select WPA-EAP.

WPA Settings
• Cyphe[...]
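"The passphrase from which the key is generated" is the whole story of WPA-PSK security, so it is worth seeing the derivation. The block below is an added example, not SonicOS code: it computes the 256-bit PSK the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt), checks the passphrase against the standard's known test vector, and shows the other side of the same function, a guess loop of the kind run against a captured 4-way handshake. The candidate lists and the random-passphrase helper are assumptions; the "password"/"IEEE" vector is the one published in the standard.

```python
"""WPA/WPA2-PSK: how the passphrase becomes the 256-bit key.

Added example, not SonicOS code. Per IEEE 802.11i the Passphrase entered
above is not the key: the PSK is PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
4096 rounds, 32 bytes). Anyone who captures one client's 4-way handshake
can test candidate passphrases offline at one derivation each, which is
why the passphrase must be long and random. The "password"/"IEEE" pair is
the test vector from the standard; the other inputs are constructed.
"""
import hashlib
import secrets
import string
from typing import Iterable, Optional

PBKDF2_ROUNDS = 4096
PSK_LEN = 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    # 802.11i limits the passphrase to 8..63 printable ASCII characters;
    # a 64-character hex string is the raw PSK and is not derived at all.
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_LEN)


def psk_from_field(value: str, ssid: str) -> bytes:
    """What a Passphrase field accepts: 64 hex digits are the key itself,
    anything else is a passphrase to derive from."""
    if len(value) == 64 and all(c in string.hexdigits for c in value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


def offline_guess(psk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """The attacker's side after a captured handshake: derive each candidate
    and compare. Returns the matching passphrase or None."""
    for cand in candidates:
        try:
            if wpa_psk(cand, ssid) == psk:
                return cand
        except ValueError:       # candidate outside the legal length, skip it
            continue
    return None


def random_passphrase(length: int = 20) -> str:
    """A passphrase no wordlist contains: 20 alphanumerics is about 119 bits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())
    print(offline_guess(wpa_psk("password", "IEEE"), "IEEE", ["letmein1", "password"]))
```

Two consequences follow for the settings on this page. The SSID is the salt, so renaming the network changes the PSK even when the passphrase stays the same, and a common SSID lets an attacker reuse precomputed tables. And because the 4096 rounds are the only thing slowing a guess loop down, a passphrase drawn from a wordlist falls in minutes on ordinary hardware; a randomly generated one of the kind random_passphrase() produces does not.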

Chapter 30: Configuring Advanced Wireless Settings

Wireless > Advanced

To access Advanced configuration settings for the SonicWALL wireless security appliance, log into the SonicWALL, click Wireless, and then Advanced. The Wireless > Advanced page is only available when the SonicWALL is [...]

Beaconing & SSID Controls

1. Select Hide SSID in Beacon. Suppresses broadcasting of the SSID name and disables responses to probe requests. Checking this option keeps your wireless SSID out of casual scans by unauthorized wireless clients. It is not an access control: the SSID still travels in cleartext in the association frames of legitimate clients and can be read by anyone capturing on the channel.
2. Type a value in milliseconds [...]

• 2: Select 2 to restrict the wireless security appliance to use antenna 2 only. Facing the rear of the SonicPoint, antenna 2 is on the right, closest to the power supply. You can disconnect antenna 1 when using only antenna 2. [...]

Advanced Radio Settings

The following other advanced settings can be configured.

Step 1 Enable Short Slot Time: Select Enable Short Slot Time to increase performance if you only expect 802.11g traffic. 802.11b is not compatible with short slot time.
Step 2 Select High from the Tra[...]

overlapping SonicPoints. However, it can slow down performance. Auto is probably the best setting, as it will engage only in the case of overlapping SonicPoints.

Step 11 Protection Rate: The protection rate determines the data rate when protection is on. The slowest rate offers [...]

Chapter 31: Configuring MAC Filter List

Wireless > MAC Filter List

Wireless networking provides native MAC filtering capabilities which prevent wireless clients from authenticating and associating with the wireless security appliance. A client's MAC address is sent in the clear and can be set to any value by its owner, so treat the filter list as a convenience for keeping unconfigured devices off the WLAN and rely on WPA/WPA2 for actual access control. If you enforce MAC filtering on the WLAN, wireless clients [...]

The items in the list are address object groups: defined groups of objects that represent specific IP addresses or ranges of addresses that can be used throughout the management interface to specify network resources. An address object group can contain other address objects [...]

Chapter 32: Configuring Wireless IDS

Wireless > IDS

Wireless Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWALL wireless security appliances by enabling them to recognize and even take countermeasures against the most common types of illicit wireless [...]

Access Point IDS

When the Radio Role of the wireless security appliance is set to Access Point mode, all three types of WIDS services are available, but Rogue Access Point detection, by default, acts in a passive mode (passively listening to other Access Point Beacon frames only on the [...]

Enable Association Flood Detection is selected by default. The Association Flood Threshold is set to 5 association attempts within 5 seconds by default.

Intrusion Detection Settings

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. I[...]

Scanning for Access Points

Active scanning occurs when the wireless security appliance starts up, and at any time Scan Now is clicked at the bottom of the Discovered Access Points table. When the wireless security appliance is operating in Bridge Mode, the Scan Now feature does not [...]
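The two detections this chapter configures, association flooding (5 attempts within 5 seconds by default) and rogue access points found by scanning beacons, are simple enough to run over a handful of events and see every verdict. The block below is an added example, not SonicOS code: the threshold and window are the guide's defaults; the hold-down period, the event records, the authorized-BSSID list and the "evil twin" verdict for a foreign BSSID carrying our own SSID are assumptions.

```python
"""Association flood and rogue access point detection.

Added example, not SonicOS code. An association flood is a client MAC
reaching the threshold (guide default: 5 attempts within 5 seconds), after
which the client is ignored for a hold-down period; a rogue AP is a beacon
from a BSSID not on the authorized list, and a foreign BSSID advertising
one of our own SSIDs is flagged as an evil twin. The hold-down, the event
records and the authorized list are assumptions; all data is constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

ASSOC_THRESHOLD = 5        # attempts (guide default)
ASSOC_WINDOW = 5.0         # seconds (guide default)
BLOCK_SECONDS = 60.0       # assumed hold-down for a flooding client


class AssociationFloodDetector:
    def __init__(self, threshold: int = ASSOC_THRESHOLD,
                 window: float = ASSOC_WINDOW, block: float = BLOCK_SECONDS) -> None:
        self.threshold, self.window, self.block = threshold, window, block
        self.attempts: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def on_assoc_request(self, ts: float, mac: str) -> str:
        """Returns 'blocked', 'flood' (threshold reached on this request) or 'ok'."""
        if self.blocked_until.get(mac, float("-inf")) > ts:
            return "blocked"
        q = self.attempts[mac]
        q.append(ts)
        while q and ts - q[0] > self.window:     # slide the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[mac] = ts + self.block
            q.clear()
            return "flood"
        return "ok"


def classify_beacons(beacons: List[Tuple[str, str, int]],
                     authorized: Dict[str, str], our_ssids: Set[str]
                     ) -> List[Tuple[str, str, int, str]]:
    """Each distinct (BSSID, SSID) seen gets a verdict: authorized, evil-twin or rogue."""
    seen, out = set(), []
    for bssid, ssid, channel in beacons:
        if (bssid, ssid) in seen:
            continue
        seen.add((bssid, ssid))
        if authorized.get(bssid) == ssid:
            verdict = "authorized"
        elif ssid in our_ssids:
            verdict = "evil-twin"
        else:
            verdict = "rogue"
        out.append((bssid, ssid, channel, verdict))
    return out


# Constructed data.
AUTHORIZED = {"00:06:b1:10:20:30": "myWLAN"}   # our AP's BSSID -> SSID
ASSOC_EVENTS: List[Tuple[float, str]] = [      # (seconds, client MAC)
    (0.0, "aa:aa:aa:00:00:01"), (0.5, "bb:bb:bb:00:00:02"),
    (1.0, "aa:aa:aa:00:00:01"), (1.5, "bb:bb:bb:00:00:02"),
    (2.0, "bb:bb:bb:00:00:02"), (2.5, "bb:bb:bb:00:00:02"),
    (3.0, "bb:bb:bb:00:00:02"),   # 5th attempt in 3 s: flood
    (3.5, "bb:bb:bb:00:00:02"),   # still in hold-down
    (10.0, "aa:aa:aa:00:00:01"),  # earlier attempts aged out of the window
    (70.0, "bb:bb:bb:00:00:02"),  # hold-down expired
]
BEACONS: List[Tuple[str, str, int]] = [        # (BSSID, SSID, channel)
    ("00:06:b1:10:20:30", "myWLAN", 6),
    ("00:06:b1:10:20:30", "myWLAN", 6),        # repeated beacon
    ("d4:ca:6d:00:00:99", "CoffeeShop", 11),   # neighbour, not ours
    ("02:11:22:33:44:55", "myWLAN", 6),        # foreign radio using our SSID
]


def run_demo() -> Tuple[List[str], List[Tuple[str, str, int, str]]]:
    det = AssociationFloodDetector()
    verdicts = [det.on_assoc_request(ts, mac) for ts, mac in ASSOC_EVENTS]
    return verdicts, classify_beacons(BEACONS, AUTHORIZED, set(AUTHORIZED.values()))


if __name__ == "__main__":
    flood, aps = run_demo()
    print(flood)
    for ap in aps:
        print(ap)
</```

The flood detector keys on the client MAC, which is the only identity available before authentication, so an attacker who rotates source MACs per request is not caught by it; that is why the threshold is a per-client rate and not a total. On the rogue side, the list of authorized BSSIDs is what turns "an AP I can hear" into "an AP that should not be there", and the evil-twin case (our SSID, not our BSSID) is the one that threatens clients rather than the infrastructure.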

Chapter 33: Configuring Virtual Access Points

Wireless > Virtual Access Point

This chapter describes the Virtual Access Point feature and includes the following sections:
• "SonicPoint VAP Overview" section on page 352
  – "What Is a Virtual Access Point?" section on page 352 [...]

SonicPoint VAP Overview

This section provides an introduction to the Virtual Access Point feature. This section contains the following subsections:
• "What Is a Virtual Access Point?" section on page 352
• "What Is an SSID?" section on page 352
• "Wirel[...]

Wireless Roaming with ESSID

An ESSID (Extended Service Set IDentifier) is a collection of Access Points (or Virtual Access Points) sharing the same SSID. A typical wireless network comprises more than one AP for the purpose of covering geographic areas larger than c[...]

  • Page 354

    • “Virtual Access Points” section on page 363 • “Virtual Access Point Groups” section on page 364 VAP Configuration Overview The following are required areas of configuration for VAP deployment. This sequence of steps is designed specifically to honor depe[...]

  • Page 355

    A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. With the zone-based security, the administrator can group similar inte[...]

  • Page 356

    General (Feature: Description) Name: Create a name for your custom Zone. Security Type: Select Wireless in order to enable and access wireless security options. Allow Interface Trust: Select this option to automatically create access rules to allow traffic to flow between the[...]

  • Page 357

    Wireless (Feature: Description) Only allow traffic generated by a SonicPoint: Restricts traffic on this zone to SonicPoint-generated traffic only. SSL-VPN Enforcement: Redirects all traffic entering the Wireless Zone to a defined SonicWALL SSL-VPN appliance. This allows all[...]

  • Page 358

    Guest Services The Enable Wireless Guest Services option allows the following guest services to be applied to a zone (Feature: Description): Enable inter-guest communication: Allows guests connecting to SonicPoints in this Wireless Zone to communicate directly and wireles[...]

  • Page 359

    WLAN Subnets WLAN subnets are used to segment IP address space for use by Virtual Access Points (VAP). Each VAP must have a separate WLAN subnet, and you must create the WLAN subnet before creating the VAP. To create a WLAN subnet, complete the following steps. Step[...]

  • Page 360

    • Subnet Name: The name of the interface. • IP Address: The first IP address in the subnet. Make sure that the IP address subnet does not conflict with another address range. • Subnet Mask: 255.255.255.0 is the default. • SonicPoint Limit: The maximum number [...]

  • Page 361

    Virtual Access Point Profiles A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allow settings to be easily applied to new Virtual Access Points. Virtual Access Point Profiles are crea[...]

  • Page 362

    WPA-PSK / WPA2-PSK Encryption Settings Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key. WPA-EAP / WPA2-EAP Encryption Settings Extensible Authentication Protocol (EAP) is available when using WPA or WPA2. This solution uti[...]

  • Page 363

    Virtual Access Points Virtual Access Points are configured from the Wireless > Virtual Access Point page by clicking the Add... button in the Virtual Access Points section. General VAP Settings Advanced VAP Settings Advanced settings allow the administrator to con[...]

  • Page 364

    Virtual Access Point Groups The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to the integrated wireless radio of the SonicWALL security appliance. Virtual Access Point Groups are configured from the Wireless > Virtual A[...]

  • Page 365

    Thinking Critically About VAPs This section provides content to help determine what your VAP requirements are and how to apply these requirements to a useful VAP configuration. This section contains the following sub-sections: • “Determining Your VAP Needs” section [...]

  • Page 366

    Determining Security Configurations Understanding these requirements, you can then define the Zones (and interfaces) and VAPs that will provide wireless services to these users: • Corp Wireless – Highly trusted wireless Zone. Employs WPA2-AUTO-EAP security. WiFiSec (WPA[...]

  • Page 367

    (Questions / Examples / Solutions) Question: How many different types of users will I need to support? Example: Corporate wireless, guest access, visiting partners, wireless devices are all common user types, each requiring their own VAP. Solution: Plan out the number of different VAPs needed. Configure a Zon[...]

  • Page 368

    Question: What security services do I wish to apply to my users? Example: Corporate users who you want protected by the full SonicWALL security suite. Solution: Enable all SonicWALL security services. Example: Guest users who have no LAN access. Solution: Disable all SonicWALL security services. Your Configurations: Ques[...]

  • Page 369

    PART 5 WWAN[...]

  • Page 371

    Chapter 34: Configuring Wireless WAN (TZ 190 only) WWAN This chapter describes how to configure the Wireless WAN interface on the SonicWALL TZ 190 appliance. It contains the following sections: • “Wireless WAN Overview” on page 371 • “Wireless WAN Prerequisites” on page 376 • “[...]

  • Page 372

    • Primary WAN connection where wire-based connections are not available and 3G Cellular is. Wireless Wide Area Networks provide untethered remote network access through the use of mobile or cellular data networks. While legacy cellular networks, such as GSM, were only able to provide data rates [...]

  • Page 373

    Understanding WWAN Failover When the WAN Connection Model is set to Ethernet with WWAN Failover, the WAN (Ethernet) interface is the primary connection. If the WAN interface fails, the SonicWALL TZ 190 fails over to the WWAN interface. Note It is important to note that the WAN-to-WWAN failover [...]

  • Page 374

    If a secondary Ethernet WAN (the OPT port) is configured, the TZ190 will first fail over to the secondary Ethernet WAN before failing over to the WWAN. In this situation, WWAN failover will only occur when both the WAN and OPT paths are unavailable. 3. Reestablishing Primary Ethernet Connectivity Af[...]

  • Page 375

    Caution It is not recommended to configure a policy-based route that uses the WWAN connection when the WAN Connection Model is set for Ethernet with WWAN Failover. If a policy-based route is configured to use the WWAN connection, the connection will remain up until the Maximum Connection Time (i[...]

  • Page 376

    Wireless WAN PC Card Support To use the wireless WAN interface you must have a wireless WAN PC card and a contract with a wireless service provider. Because both GSM and CDMA provide virtually the same performance, a WWAN service provider should be selected based primarily on the availability of s[...]

  • Page 377

    Viewing the WWAN Status The WWAN > Status page displays the current status of WWAN on the SonicWALL TZ190. It indicates the status of the WWAN connection, the current active WAN interface, or the current backup WAN interface. It also displays IP address information, DNS server addresses, the cur[...]

  • Page 378

    • “Management/User Login” on page 379 • “WWAN Probe Settings” on page 379 Connect on Data The Connect on Data Categories settings allow you to configure the WWAN interface to automatically connect to the WWAN service provider when the SonicWALL TZ 190 detects specific types of traffic[...]

  • Page 379

    Management/User Login The Management/User Login section must be configured to enable remote management of the SonicWALL TZ 190 appliance over the WWAN interface. You can select any of the supported management protocol(s): HTTPS, Ping, and/or SNMP. You can also select HTTP for management traffic. H[...]

  • Page 380

    Configuring WWAN Advanced Settings The WWAN > Advanced page is used to configure the Remotely Triggered Dial-Out feature on the SonicWALL TZ 190. The Remotely Triggered Dial-Out feature enables network administrators to remotely initiate a WWAN connection from a SonicWALL TZ 190. Configuring Re[...]

  • Page 381

    Configuring WWAN Connection Profiles Use the WWAN > Connection Profiles page to configure WWAN connection profiles and set the primary and alternate profiles. Select the Primary WWAN connection profile in the Primary Profile pulldown menu. Optionally, you can select up to two alternate WWAN profiles[...]

  • Page 382

    3. Select the Service Provider that you have created an account with. Note that only service providers supported in the country you selected are displayed. 4. In the Plan Type window, select the WWAN plan you have subscribed to with the service provider. If your specific plan type is listed in the[...]

  • Page 383

    13. Select the Enable Inactivity Disconnect (minutes) checkbox and enter a number in the field to have the WWAN connection disconnected after the specified number of minutes of inactivity. Note that this option is not available if the Dial Type is Persistent Connection. 14. Select the Enable Max[...]

  • Page 384

    19. Click on the Data Limiting tab. Tip If your WWAN account has a monthly data or time limit, it is strongly recommended that you enable Data Usage Limiting. 20. Select the Enable Data Usage Limiting checkbox to have the WWAN interface become automatically disabled when the specified data or time[...]

  • Page 385

    To disconnect a WWAN connection, click on the Manage button. The WWAN Connection window displays. Click Disconnect. See “Configuring the Wireless WAN Interface” on page 152 for more information. Specifying the WAN Connection Model To configure the WAN connection model, navigate to the Network[...]

  • Page 386

    Note The Data Usage table is only an estimate of the current usage and should not be used to calculate actual charges. Contact your Service Provider for accurate billing information. The Session History table displays a summary of information about WWAN sessions. To view additional details about a sp[...]

  • Page 387

    GPRS has an additional advantage over GSM in that it is a packet-switched technology, meaning that stations only send data when there is data to send (rather than reserving the entire channel as occurs in GSM's circuit-switched networks), thus making more efficient use of available bandwidth. [...]

  • Page 388

    • W-CDMA - Wideband Code Division Multiple Access - The technology underlying UMTS, W-CDMA is an evolution of the GSM protocol. Referred to as Wideband because its carrier channels are four times wider than the original CDMA standard (5 MHz versus 1.25 MHz).[...]

  • Page 389

    PART 6 SonicPoint[...]

  • Page 391

    Chapter 35: Managing SonicPoints SonicPoint > SonicPoints SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL security appliances to provide wireless access throughout your enterprise. The SonicPoint section of the Management Interface lets you manag[...]

  • Page 392

    • Attach the SonicPoints to the interfaces in the Wireless zone. • Test SonicPoints SonicPoint Provisioning Profiles SonicPoint Provisioning Profiles provide a scalable and highly automated method of configuring and provisioning multiple SonicPoints across a Distributed W[...]

  • Page 393

    Configuring a SonicPoint Profile You can add any number of SonicPoint profiles. To configure a SonicPoint provisioning profile: Step 1 To add a new profile, click Add below the list of SonicPoint provisioning profiles. To edit an existing profile, select the profile and click t[...]

  • Page 394

    – Country Code: Select the country where you are operating the SonicPoints. The country code determines which regulatory domain the radio operation falls under. Step 3 In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio: – Enable 802.11[...]

  • Page 395

    – Default Key: Select which key in the list below is the default key, which will be tried first when trying to authenticate a user. – Key Entry: Select whether the key is alphanumeric or hexadecimal. – Key 1 - Key 4: Enter the encryption keys for WEP encryption. Ente[...]

  • Page 396

    – DTIM Interval: Enter the interval in milliseconds. – Fragmentation Threshold (bytes): Enter the number of bytes of fragmented data you want the network to allow. – RTS Threshold (bytes): Enter the number of bytes. – Maximum Client Associations: Enter the maximum[...]

  • Page 397

    that the SonicPoint can communicate with an authentication server for WPA-EAP support. SonicOS will then use the profile associated with the relevant Zone to configure the 2.4GHz and 5GHz radio settings. Modifications to profiles will not affect units that have already been[...]

  • Page 398

    The options on these tabs are the same as the Add SonicPoint Profile screen. See Configuring a SonicPoint Profile for instructions on configuring these settings. Step 3 Click OK to apply these settings. Synchronize SonicPoints Click Synchronize SonicPoints at the top of the[...]

  • Page 399

    Step 6 Click Apply. Caution It is imperative that you download the corresponding SonicPoint image for the SonicOS firmware version that is running on your SonicWALL. The mysonicwall.com Web site provides information about the corresponding versions. When upgrading your S[...]

  • Page 400

    • Operational – Once the SonicPoint has peered with a SonicOS device and has its configuration validated, it will enter into an operational state, and will be ready for clients. • Provisioning – If the SonicPoint configuration requires an update, the SonicOS device wil[...]

  • Page 401

    Chapter 36: Viewing Station Status SonicPoint > Station Status The SonicPoint > Station Status page reports on the statistics of each SonicPoint. The table lists entries for each wireless client connected to each SonicPoint. The sections of the table are divided by SonicPoint. Under ea[...]

  • Page 402

    Click on the Statistics icon to see a detailed report for an individual station. Each SonicPoint device reports for both radios, and for each station, the following information to its SonicOS peer: • MAC Address – The client’s (Station’s) hardware address. • S[...]

  • Page 403

    – Re-association request – Re-association response – Probe request – Probe response – Beacon frame – ATIM message – Disassociation – Authentication – De-authentication • Management Frames Transmitted – Total number of Management frames transmitted. •[...]

  • Page 405

    Chapter 37: Using and Configuring IDS SonicPoint > IDS You can have many wireless access points within reach of the signal of the SonicPoints on your network. The SonicPoint > IDS page reports on all access points the SonicWALL security appliance can find by scanning the 802.11a and 8[...]

  • Page 406

    Intrusion Detection Settings Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availabi[...]

  • Page 407

    Discovered Access Points The Discovered Access Points table displays information on every access point that can be detected by the SonicPoint radio: • SonicPoint: The SonicPoint that detected the access point. • MAC Address (BSSID): The MAC address of the radio interface of the de[...]

  • Page 409

    Chapter 38: Configuring RF Monitoring SonicPoint > RF Monitoring This chapter describes how to plan, design, implement, and maintain the RF Monitoring feature in SonicWALL SonicOS 4.0 Enhanced. This chapter contains the following sections: • “RF Monitoring Overview” section on page [...]

  • Page 410

    Why RF Monitoring? Radio Frequency (RF) technology used in today’s 802.11-based wireless networking devices poses an attractive target for intruders. If left un-managed, RF devices can leave your wireless (and wired) network open to a variety of outside threats, from Den[...]

  • Page 411

    Enabling RF Monitoring on SonicPoint(s) In order for RF Monitoring to be enforced, you must enable the RF Monitoring option on all available SonicPoint devices. The following section provides instructions to re-provision all available SonicPoints with RF Monitoring enabled[...]

  • Page 412

    RF Monitoring Interface Overview The top portion of the RF Monitoring interface allows you to: • View the number of threats logged for each group/signature • Select which RF signature types your SonicWALL looks for The bottom (Discovered RF Threat Stations) portion of[...]

  • Page 413

    Tip For a complete list of RF Threat types and their descriptions, see the “Types of RF Threat Detection” section on page 414 of this document. Viewing Discovered RF Threat Stations The RF Monitoring Discovered Threat Stations list allows you to view, sort and manage a l[...]

  • Page 414

    To add a station to the watch list: Step 1 In the SonicPoint > RF Monitoring page, navigate to the Discovered RF threat stations section. Step 2 Click the icon that corresponds to the threat station you wish to add to the watch list. Step 3 A confirmation screen will app[...]

  • Page 415

    • Ad-Hoc Station Detection - Ad-Hoc stations are nodes which provide access to wireless clients by acting as a bridge between the actual access point and the user. Wireless users are often tricked into connecting to an Ad-Hoc station instead of the actual access point,[...]

  • Page 416

    Timesaver For this section in particular (and as a good habit in general), you may find it helpful to keep a record of the locations and MAC addresses of your SonicPoint devices. Step 1 Navigate to the SonicPoint > RF Monitoring page in the SonicWALL Management Interfa[...]

  • Page 417

    Using RSSI to Determine RF Threat Proximity This section builds on what was learned in the “Using Sensor ID to Determine RF Threat Location” section on page 415. In the Discovered RF Threat Stations list, the Rssi field indicates the signal strength at which a particul[...]

  • Page 418

    A high Rssi usually indicates an RF threat that is closer to the SonicPoint. A low Rssi can indicate obstructions or a more distant RF threat. (Figure callouts: rssi identifies the signal strength of the RF threat, allowing for approximate distance gauging; rssi: 12 indicates a weak signal.) [...]

  • Page 419

    PART 7 Firewall[...]

  • Page 421

    Chapter 39: Configuring Access Rules Firewall > Access Rules This chapter provides an overview of your SonicWALL security appliance stateful packet inspection default access rules and configuration examples to customize your access rules to meet your business requirements. Access rules ar[...]

  • Page 422

    Stateful Packet Inspection Default Access Rules Overview By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are define[...]

  • Page 423

    The outbound SMTP traffic is guaranteed 20 percent of the available bandwidth and can get as much as 40 percent of available bandwidth. If this is the only access rule using bandwidth management, it has priority over all other access rules on the SonicWALL securit[...]

  • Page 424

    Tip You can also view access rules by Zones. Use the Option checkboxes in the From Zone and To Zone column. Select LAN, WAN, VPN, ALL from the From Zone column. And then select LAN, WAN, VPN, ALL from the To Zone column. Click OK to display the access rules. Each view dis[...]

  • Page 425

    You can change the priority ranking of an access rule by clicking the Arrows icon in the Priority column. The Change Priority window is displayed. Enter the new priority number (1-10) in the Priority field, and click OK. Tip If the Trashcan or Notepad icons are dimmed (unavai[...]

  • Page 426

    Adding Access Rules To add access rules to the SonicWALL security appliance, perform the following steps: Step 1 Click Add at the bottom of the Access Rules table. The Add Rule window is displayed. Step 2 In the General tab, select Allow | Deny | Discard from the Action list t[...]

  • Page 427

    Step 13 If you would like the access rule to time out after a period of TCP inactivity, set the amount of time, in minutes, in the TCP Connection Inactivity Timeout (minutes) field. The default value is 5 minutes. Step 14 If you would like the access rule to time out aft[...]

  • Page 428

    – None: DSCP values in packets are reset to 0. – Preserve: DSCP values in packets will remain unaltered. – Explicit: Set the DSCP value to the value you select in the Explicit DSCP Value field. This is a numeric value between 0 and 63. Some of the standard values are[...]

  • Page 429

    • 6 - Voice (<10ms latency) • 7 - Network control – Map: The QoS mapping settings on the Firewall > QoS Mapping page will be used. See “Firewall > QoS Mapping” section on page 467 for instructions on configuring the QoS Mapping. Step 20 Click OK to add the[...]

  • Page 430

    Coupled with IPS, this can be used to mitigate the spread of a certain class of malware as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda atte[...]

  • Page 431

    Enabling Ping This section provides a configuration example for an access rule to allow devices on the DMZ to send ping requests and receive ping responses from devices on the LAN. By default your SonicWALL security appliance does not allow traffic initiated from the DMZ to [...]

  • Page 433

    Chapter 40: Configuring Advanced Access Rule Settings Firewall > Advanced To configure advanced access rule options, select Firewall > Advanced under Firewall. The Advanced Rule Options page is displayed. The Advanced Rule Options include the following firewall configuration option gro[...]

  • Page 434

    • UDP Detection Prevention • Enable Stealth Mode - By default, the security appliance responds to incoming connection requests as either “blocked” or “open.” If you enable Stealth Mode, your security appliance does not respond to blocked inbound connection requests [...]

  • Page 435

    Access Rule Service Options Force inbound and outbound FTP data connections to use default port 20 - The default configuration allows FTP connections from port 20 but remaps outbound traffic to a port such as 1024. If the check box is selected, any FTP data connection through the [...]

  • Page 437

    Chapter 41: Configuring TCP Settings Firewall > TCP Settings The TCP Settings page lets you view statistics on TCP traffic through the security appliance and manage TCP traffic settings. The page is divided into three sections: • TCP Traffic Statistics • TCP Settings • SYN/RST/FIN Flood Pro[...]

  • Page 438

    – When the TCP SACK Permitted (Selective Acknowledgement, see RFC1072) option is encountered, but the calculated option length is incorrect. – When the TCP MSS (Maximum Segment Size) option is encountered, but the calculated option length is incorrect. – When the TCP SACK[...]

  • Page 439

    The TCP Settings section allows you to: • Enable TCP Stateful Inspection – Enabling TCP stateful inspection requires that all TCP connections rigidly adhere to the following TCP setup requirements: – TCP session establishment involves a three-way handshake between two ho[...]

  • Page 440

    A SYN Flood attack is considered to be in progress if the number of unanswered SYN/ACK packets sent by the SonicWALL (half-opened TCP connections) exceeds the threshold set in the “Flood rate until attack logged (unanswered SYN/ACK packets per second)” field. The default[...]

  • Page 441

    • SYN Blacklisting (Layer 2) – This mechanism blocks specific devices from generating or forwarding SYN flood attacks. You can enable SYN Blacklisting on any interface. Understanding SYN Watchlists The internal architecture of both SYN Flood protection mechanisms is based[...]

  • Page 442

    Each contains various types of SYN Flood Protection. The following sections describe these features. Working with SYN Flood Protection Modes A SYN Flood Protection mode is the level of protection that you can select to defend against half-opened TCP sessions and high-frequen[...]

  • Page 443

    To provide more control over the options sent to WAN clients when in SYN Proxy mode, you can configure the following two objects: SACK (Selective Acknowledgment) – This parameter controls whether or not Selective ACK is enabled. With SACK enabled, a packet or series of pa[...]

  • Page 444

    Never blacklist WAN machines – This checkbox ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended as leaving it unchecked may interrupt traffic to and from the firewall’s WAN ports. Always allow SonicWALL management traffic – T[...]

  • Page 445

    The following are SYN Flood statistics (Column: Description). Max Incomplete WAN Connections / sec: The maximum number of pending embryonic half-open connections recorded since the firewall has been up (or since the last time the TCP statistics were cleared). Average Incomplete WA[...]

  • Page 446

    Total FIN Blacklist Packets Rejected: The total number of packets dropped because of the FIN blacklist. Invalid SYN Flood Cookies Received: The total number of invalid SYN flood cookies received.[...]

  • Page 447

    Chapter 42: Configuring Firewall Services Firewall > Services SonicOS Enhanced supports an expanded set of IP protocols to allow users to create services and access rules based on these protocols. See “Supported Protocols” on page 449 for a complete listing of supported IP protocols. Serv[...]

  • Page 448

    Selecting All Services from View Style displays both Custom Services and Default Services. Default Services Overview The Default Services view displays the SonicWALL security appliance default services in the Services table and Service Groups table. The Service Groups table disp[...]

  • Page 449

    Firewall > Services Supported Protocols The following IP protocols are available for custom services: • ICMP (1)—(Internet Control Message Protocol) A TCP/IP protocol used to send error and control messages. • IGMP (2)—(Internet Group Management Protocol) The protocol that governs the ma[...]

  • Page 450

    Firewall > Services All custom services you create are listed in the Custom Services table. You can group custom services by creating a Custom Services Group for easy policy enforcement. If a protocol is not listed in the Default Services table, you can add it to the Custom Services table by clicking[...]

  • Page 451

    Firewall > Services Click the Enable Logging checkbox to disable or enable the logging of the service activities. Adding Custom IP Type Services Using only the predefined IP types, if the security appliance encounters traffic of any other IP Protocol type it drops it as unrecognized. However, the[...]

  • Page 452

    Firewall > Services Note Attempts to define a Custom IP Type Service Object for a pre-defined IP type will not be permitted, and will result in an error message. Step 5 Click OK Step 6 From the Firewall > Service Objects page, Service Group section, select Add Group. Step 7 Add a Service Group co[...]

  • Page 453

    Firewall > Services Note Select your Zones, Services and Address Objects accordingly. It may be necessary to create an Access Rule for bidirectional traffic; for example, an additional Access Rule from the LAN > WLAN allowing myServices from 10.50.165.26 to WLAN Subnets. Step 10 Click OK IP proto[...]

  • Page 454

    Firewall > Services Adding a Custom Services Group You can add custom services and then create groups of services, including default services, to apply the same policies to them. For instance, you can allow SMTP and POP3 traffic only during certain hours or days of the week by adding the two services[...]

  • Page 455

    Firewall > Services Deleting Custom Services Groups Click the Trashcan icon to delete the individual custom service group entry. You can delete all custom service groups by clicking the Delete button.[...]

  • Page 457

    Chapter 43: Configuring Multicast Settings Firewall > Multicast Multicasting, also called IP multicasting, is a method for sending one Internet Protocol (IP) packet simultaneously to multiple hosts. Multicast is suited to the rapidly growing segment of Internet traffic - multimedia presen[...]

  • Page 458

    Firewall > Multicast Multicast Snooping This section provides configuration tasks for Multicast Snooping. • Enable Multicast - This checkbox is disabled by default. Select this checkbox to support multicast traffic. • Require IGMP Membership reports for multicast data forwarding - This checkbox [...]

  • Page 459

    Firewall > Multicast To create a multicast address object: Step 1 In the Enable reception for the following multicast addresses list, select Create new multicast object. Step 2 In the Add Address Object window, configure: – Name: The name of the address object. – Zone Assignment: Select MULTICA[...]

  • Page 460

    Firewall > Multicast Enabling Multicast on LAN-Dedicated Interfaces Perform the following steps to enable multicast support on LAN-dedicated interfaces. Step 1 Enable multicast support on your SonicWALL security appliance. In the Firewall > Multicast setting, click on the Enable Multicast check[...]

  • Page 461

    Firewall > Multicast Enabling Multicast Through a VPN To enable multicast across the WAN through a VPN, follow these steps: Step 1 Enable multicast globally. On the Firewall > Multicast page, check the Enable Multicast checkbox, and click the Apply button for each security appliance. Step 2 Enable multicast su[...]

  • Page 462

    Firewall > Multicast Note Notice that the default WLAN > MULTICAST access rule for IGMP traffic is set to 'DENY'. This will need to be changed to 'ALLOW' on all participating appliances to enable multicast, if they have multicast clients on their WLAN zones. Step 5 Make sure t[...]

  • Page 463

    Chapter 44: Monitoring Active Connections Firewall > Connections Monitor The Firewall > Connections Monitor page displays details on all active connections to the security appliance.[...]

  • Page 464

    Firewall > Connections Monitor Viewing Connections The connections are listed in the Active Connections Monitor table. The table lists: • Source IP • Source Port • Destination IP • Destination Port • Protocol • Src Interface • Dst Interface • Tx Bytes • Rx Bytes Click on a column he[...]

  • Page 465

    Firewall > Connections Monitor Check the Group box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group next to Source IP and Destination IP, the search string will look for connections [...]

  • Page 467

    Chapter 45: Managing Quality of Service Firewall > QoS Mapping Quality of Service (QoS) refers to a diversity of methods intended to provide predictable network behavior and performance. This sort of predictability is vital to certain types of applications, such as Voice over IP (VoIP), [...]

  • Page 468

    Firewall > QoS Mapping But all is not lost. Once SonicOS Enhanced classifies the traffic, it can tag the traffic to communicate this classification to certain external systems that are capable of abiding by CoS tags; thus they too can participate in providing QoS. Note Many service providers do no[...]

  • Page 469

    Firewall > QoS Mapping section on page 479. SonicOS’s BWM is a perfectly effective solution for fully autonomous private networks with sufficient bandwidth, but can become somewhat less effective as more unknown external network elements and bandwidth contention are introduced. Refer to the Examp[...]

  • Page 470

    Firewall > QoS Mapping Enabling 802.1p SonicOS Enhanced supports layer 2 and layer 3 CoS methods for broad interoperability with external systems participating in QoS enabled environments. The layer 2 method is the IEEE 802.1p standard wherein 3 bits of an additional 16 bits inserted into the header[...]

  • Page 471

    Firewall > QoS Mapping Although Enable 802.1p tagging does not appear as an option on VLAN sub-interfaces on the PRO 4060 and PRO 5060, the 802.1p field is already present within the 802.1q tags of VLAN sub-interfaces. The behavior of the 802.1p field within these tags can be controlled by Access Ru[...]

  • Page 472

    Firewall > QoS Mapping Example Scenario In the scenario above, we have Remote Site 1 connected to ‘Main Site’ by an IPsec VPN. The company uses an internal 802.1p/DSCP capable VoIP phone system, with a private VoIP signaling server hosted at the Main Site. The Main Site has a mixed gigabit and Fa[...]

  • Page 473

    Firewall > QoS Mapping QoS Mapping is a feature which converts layer 2 802.1p tags to layer 3 DSCP tags so that they can safely traverse (in mapped form) 802.1p-incapable links; when the packet arrives for delivery to the next 802.1p-capable segment, QoS Mapping converts from DSCP back to 802.1p tag[...]

  • Page 474

    Firewall > QoS Mapping DSCP marking can be performed on traffic to/from any interface and to/from any zone type, without exception. DSCP marking is controlled by Access Rules, from the QoS tab, and can be used in conjunction with 802.1p marking, as well as with SonicOS’ internal bandwidth manage[...]

  • Page 475

    Firewall > QoS Mapping Configure for 802.1p CoS 4 – Controlled load If you want to change the inbound mapping of DSCP tag 15 from its default 802.1p mapping of 1 to an 802.1p mapping of 2, it would have to be done in two steps because mapping ranges cannot overlap. Attempting to assign an overlap[...]

  • Page 476

    Firewall > QoS Mapping Each of these mappings can be reconfigured. If you wanted to change the outbound mapping of 802.1p tag 4 from its default DSCP value of 32 to a DSCP value of 43, you can click the Configure icon for 4 – Controlled load and select the new To DSCP value from the drop-down box[...]

  • Page 477

    Firewall > QoS Mapping For example, refer to the following figure which provides a bi-directional DSCP tag action. HTTP access from a web-browser on 192.168.168.100 to the web-server on 10.50.165.2 will result in the tagging of the inner (payload) packet and the outer (encapsulating ESP) packets w[...]

  • Page 478

    Firewall > QoS Mapping One practical application for this behavior would be configuring an 802.1p marking rule for traffic destined for the VPN Zone. Although 802.1p tags cannot be sent across the VPN, reply packets coming back across the VPN can be 802.1p tagged on egress from the tunnel. This req[...]

  • Page 479

    Firewall > QoS Mapping To examine the effects of the second Access Rule (VPN>LAN), we’ll look at the Access Rules configured at the Main Site: VoIP traffic (as defined by the Service Group) arriving from Remote Site 1 Subnets across the VPN destined to LAN Subnets on the LAN zone at the Main [...]

  • Page 480

    Firewall > QoS Mapping configure BWM and QoS (i.e. layer 2 and/or layer 3 marking) settings on a single Access Rule. This allows those external systems to benefit from the classification performed on the SonicWALL even after it has already shaped the traffic. BWM configurations begin by enabling BWM o[...]

  • Page 481

    Firewall > QoS Mapping Once one or both BWM settings are enabled on the WAN interface and the available bandwidth has been declared, an Ethernet BWM tab will appear on Access Rules. The Bandwidth tab will present either Inbound settings, Outbound settings, or both, depending on what was enabled on th[...]

  • Page 482

    Firewall > QoS Mapping Outbound Bandwidth Management Bandwidth Management as employed by SonicOS Enhanced is based on an amalgamation of queue management and congestion avoidance techniques, but in empirical practice it most closely resembles Class Based Queuing (CBQ), as defined by Sally Floyd and Va[...]

  • Page 483

    Firewall > QoS Mapping to be processed. When Guaranteed queue credits are depleted, the next queue in that priority ring is processed. The same process is repeated for the remaining priority rings, and upon completing priority ring 7 begins again with priority ring 0. The scheduling for excess bandw[...]

  • Page 484

    Firewall > QoS Mapping Outbound BWM Packet Processing Path a. Determine that the packet is bound for the WAN Zone. b. Determine that the packet is classifiable as a Firewall packet. c. Match the packet to an Access Rule to determine BWM setting. d. Queue the packet in the appropriate rule queue. Gua[...]

  • Page 485

    Firewall > QoS Mapping Example of Outbound BWM The above diagram shows 4 policies configured for OBWM with a link capacity of 100 Kbps. This means that the link capacity is 12800 Bytes/sec. The table below gives the BWM values for each rule in Bytes per second. a. For GBW processing, we start with th[...]

  • Page 486

    Firewall > QoS Mapping f. Start off with the highest priority ring 0 and process all queues in this priority in a round robin fashion. H323 has Pkt3 of 500B which is sent since it can use up to max = 2560 (MBW-GBW). Now Link credit = 7500 and max = 2060. g. Move to the next queue in this priority rin[...]

  • Page 487

    Firewall > QoS Mapping Algorithm for Inbound Bandwidth Management IBWM maintains eight priority rings, where each priority ring has one queue for a rule that has IBWM enabled. The IBWM pool is processed from the highest to lowest priority ring further shaping the traffic. IBWM employs three key algor[...]

  • Page 488

    Firewall > QoS Mapping e. Record class credit as remaining credit. f. If remaining credit is greater than or equal to average rate, process the ACK packet and deduct average rate from remaining credit. g. Repeat g until remaining credit is not enough or the ingress ACK queue is empty. h. Repeat ste[...]

  • Page 489

    Firewall > QoS Mapping Glossary • 802.1p – IEEE 802.1p is a Layer 2 (MAC layer) Class of Service mechanism that tags packets by using 3 priority bits (for a total of 8 priority levels) within the additional 16 bits of an 802.1q header. 802.1p processing requires compatible equipment for tag gen[...]

  • Page 490

    Firewall > QoS Mapping – Weighted Random Early Detection (WRED) – An implementation of RED that factors DSCP markings into its discard decision process. • DSCP – (Differentiated Services Code Points) – The repurposing of the ToS field of an IP header as described by RFC2747. DSCP uses 64 Cod[...]

  • Page 491

    Firewall > QoS Mapping • Marking – Also known as tagging or coloring – The act of applying layer 2 (802.1p) or layer 3 (DSCP) information to a packet for the purpose of differentiation, so that it can be properly classified (recognized) and prioritized by network devices along the path to its [...]

  • Page 492

    Firewall > QoS Mapping • Shaping – An attempt by a QoS system to modify the rate of traffic flow, usually by employing some feedback mechanism to the sender. The most common example of this is TCP rate manipulation, where acknowledgements (ACKs) sent back to a TCP sender are queued and delayed [...]

  • Page 493

    Chapter 46: Configuring SSL Control Firewall > SSL Control This chapter describes how to plan, design, implement, and maintain the SSL Control feature. This chapter contains the following sections: • “Overview of SSL Control” section on page 493 – “Key Features of SSL Control” [...]

  • Page 494

    Firewall > SSL Control of TCP based network communications, with its most common and well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based endpoint identification, and cryptographic and digest-based confidentiality to network communications. An effect of the sec[...]

  • Page 495

    Firewall > SSL Control Key Features of SSL Control Feature Benefit Common-Name based White and Black Lists The administrator can define lists of explicitly allowed or denied certificate subject common names (described in Key Concepts). Entries will be matched on substrings, for example, a blacklist en[...]

  • Page 496

    Firewall > SSL Control Key Concepts to SSL Control • SSL - Secure Sockets Layer (SSL) is a network security mechanism introduced by Netscape in 1995. SSL was designed “to provide privacy between two communicating applications (a client and a server) and also to authenticate the server, and optio[...]

  • Page 497

    Firewall > SSL Control SSL is not limited to securing HTTP, but can also be used to secure other TCP protocols such as SMTP, POP3, IMAP, and LDAP. For more information, see http://wp.netscape.com/eng/security/SSL_2.html. SSL session establishment occurs as follows: • SSLv2 – The earliest vers[...]

  • Page 498

    Firewall > SSL Control – TLS – Transport Layer Security (version 1.0), also known as SSLv3.1, is very similar to SSLv3, but improves upon SSLv3 in the following ways: • MAC – A MAC (Message Authentication Code) is calculated by applying an algorithm (such as MD5 or SHA1) to data. The MAC is a[...]

  • Page 499

    Firewall > SSL Control mismatch elicits a browser alert, it is not always a sure sign of deception. For example, if a client browses to https://mysonicwall.com, which resolves to the same IP address as www.mysonicwall.com, the server will present its certificate bearing the subject CN of www.mysoni[...]

  • Page 500

    Firewall > SSL Control Caveats and Advisories 1. Self-signed and Untrusted CA enforcement – If enforcing either of these two options, it is strongly advised that you add the common names of any SSL secured network appliances within your organization to the whitelist to ensure that connectivity to[...]

  • Page 501

    Firewall > SSL Control SSL Control Configuration SSL Control is located on the Firewall panel, under the SSL Control folder. SSL Control has a global setting, as well as a per-zone setting. By default, SSL Control is not enabled at the global or zone level. The individual page controls are as follows (re[...]

  • Page 502

    Firewall > SSL Control • Detect Self-signed certificates – Controls the detection of certificates where both the issuer and the subject have the same common name. • Detect Certificates signed by an Untrusted CA – Controls the detection of certificates where the issuer’s certificate is not [...]

  • Page 503

    Firewall > SSL Control To configure the Whitelist and Blacklist, click the Configure button to bring up the following window. Entries can be added, edited and deleted with the buttons beneath each list window. Note List matching will be based on the subject common name in the certificate presented i[...]

  • Page 504

    Firewall > SSL Control sent in response for evaluation against the configured policy. Enabling SSL Control on the LAN Zone, for example, will inspect all SSL traffic initiated by clients on the LAN to any destination zone. Note If you are activating SSL Control on a zone (for example, the LAN zone)[...]

  • Page 505

    Firewall > SSL Control Log events will include the client’s username in the notes section (not shown) if the user logged in manually, or was identified through CIA/Single Sign On. If the user’s identity is not available, the note will indicate that the user is Unidentified.[...]

  • Page 507

    SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide 507 PART 8 VoIP[...]

  • Page 509

    Chapter 47: Configuring VoIP Support VoIP This chapter contains the following sections: • “VoIP Overview” on page 509 • “SonicWALL’s VoIP Capabilities” on page 512 • “Configuring SonicWALL VoIP Features” on page 520 • “VoIP Deployment Scenarios” on page 531 VoIP Overv[...]

  • Page 510

    VoIP VoIP Security Companies implementing VoIP technologies in an effort to cut communication costs and extend corporate voice services to a distributed workforce face security risks associated with the convergence of voice and data networks. VoIP security and network integrity are an essential part [...]

  • Page 511

    VoIP VoIP Protocols VoIP technologies are built on two primary protocols, H.323 and SIP. H.323 H.323 is a standard developed by the International Telecommunications Union (ITU). It’s a comprehensive suite of protocols for voice, video, and data communications between computers, terminals, network dev[...]

  • Page 512

    VoIP • Redirect Server - Responds to requests but does not forward requests. • Registration Server - Handles UA authentication and registration. SonicWALL’s VoIP Capabilities The following sections describe SonicWALL’s integrated VoIP service: • “VoIP Security” on page 512 • “VoIP Networ[...]

  • Page 513

    VoIP also provides proactive defense against newly discovered application and protocol vulnerabilities. Signature granularity allows SonicWALL IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives. VoIP Networ[...]

  • Page 514

    VoIP • Validation of headers for all media packets - SonicOS examines and monitors the headers within media packets to allow detection and discarding of out-of-sequence and retransmitted packets (beyond window). Also, by ensuring that a valid header exists, invalid media packets are detected and disca[...]

  • Page 515

    VoIP SIP SonicOS provides the following support for SIP: – Base SIP standard (both RFC 2543 and RFC 3261) – SIP INFO method (RFC 2976) – Reliability of provisional responses in SIP (RFC 3262) – SIP specific event notification (RFC 3265) – SIP UPDATE method (RFC 3311) – DHCP option for SIP s[...]

  • Page 516

    VoIP SonicWALL VoIP Vendor Interoperability The following is a partial list of devices from leading manufacturers with which SonicWALL VoIP interoperates. CODECs SonicOS supports media streams from any CODEC - Media streams carry audio and video signals that have been processed by a hardware/software CO[...]

  • Page 517

    VoIP • H.264, H.263, and H.261 for video • MPEG4, G.711, G.722, G.723, G.728, G.729 for audio VoIP Protocols that SonicOS Does Not Perform Deep Packet Inspection on SonicWALL security appliances do not currently support deep packet inspection for the following protocols; therefore, these protocol[...]

  • Page 518

    VoIP 1. Phone B registers with VoIP server - The SonicWALL security appliance builds a database of the accessible IP phones behind it by monitoring the outgoing VoIP registration requests. SonicOS translates between phone B’s private IP address and the firewall’s public IP address used in registrati[...]

  • Page 519

    VoIP Figure 47:2 Local VoIP Call Flow The following describes the sequence of events shown in Figure 42.2: 1. Phones A and B register with VoIP server - The SonicWALL security appliance builds a database of the accessible IP phones behind it by monitoring the outgoing VoIP registration requests. SonicO[...]

  • Page 520

    VoIP Configuring SonicWALL VoIP Features Configuring the SonicWALL security appliance for VoIP deployments builds on your basic network configuration in the SonicWALL management interface. This chapter assumes the SonicWALL security appliance is configured for your network environment. Supported Inter[...]

  • Page 521

    VoIP General VoIP Configuration SonicOS includes the VoIP configuration settings on the VoIP > Settings page. This page is divided into three configuration settings sections: General Settings, SIP Settings, and H.323 Settings. Configuring Consistent Network Address Translation (NAT) Consistent [...]

  • Page 522

    VoIP Configuring SIP Settings By default, SIP clients use their private IP address in the SIP Session Definition Protocol (SDP) messages that are sent to the SIP proxy. If your SIP proxy is located on the public (WAN) side of the SonicWALL security appliance and SIP clients are on the private (LAN) si[...]

  • Page 523

    VoIP The Additional SIP signaling port (UDP) for transformations setting allows you to specify a non-standard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VOIP services use different ports, such as 1560. Using[...]

  • Page 524

    VoIP Bandwidth Management SonicOS offers an integrated traffic shaping mechanism through its Egress (outbound) and Ingress (inbound) management interfaces. Outbound BWM can be applied to traffic sourced from Trusted and Public Zones (such as LAN and DMZ) destined to Untrusted and Encrypted Zones (such[...]

  • Page 525

    VoIP Configuring Bandwidth on the WAN Interface BWM configurations begin by enabling BWM on the relevant WAN interface, and specifying the interface’s available bandwidth in Kbps. This is performed from the Network > Interfaces page by selecting the Configure icon for the WAN interface, and navigat[...]

  • Page 526

    VoIP If you are defining VoIP access for clients to use a VoIP service provider from the WAN, you configure network access rules between source and destination interfaces or zones to enable clients behind the firewall to send and receive VoIP calls. If your SIP Proxy or H.323 Gateway is located behind [...]

  • Page 527

    VoIP • For SIP, select SIP Step 6 Select the source of the traffic affected by the access rule from the Source list. Selecting Create New Network displays the Add Address Object window. Step 7 If you want to define the source IP addresses that are affected by the access rule, such as restricting certa[...]

  • Page 528

    VoIP Tip Rules using Bandwidth Management take priority over rules without bandwidth management. Using the Public Server Wizard The SonicWALL Public Server Wizard provides an easy method for configuring firewall access rules for a SIP Proxy or H.323 Gatekeeper running on your network behind the firewall[...]

  • Page 529

    VoIP Note SonicWALL recommends NOT selecting VoIP from the Services menu. Selecting this option opens up more TCP/UDP ports than is required, potentially opening up unnecessary security vulnerabilities. Step 5 Enter the name of the server in the Server Name field. Step 6 Enter the private IP address of t[...]

  • Page 530

    VoIP Step 10 The Summary page displays a summary of all the configuration you have performed in the wizard. It should show: • Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned[...]

  • Page 531

    VoIP Configuring VoIP Logging You can enable the logging of VoIP events in the SonicWALL security appliance log in the Log > Categories page. Log entries are displayed on the Log > View page. To enable logging: Step 1 Select Log > Categories. Step 2 Select Expanded Categories from the View Sty[...]

  • Page 532

    VoIP Figure 47:3 Point-to-Point VoIP Service Topology This deployment does not require a VoIP server. The Public IP address of the SonicWALL security appliance is used as the main VoIP number for hosts on the network. This requires a static Public IP address or the use of a Dynamic DNS service to make[...]

  • Page 533

    VoIP Figure 47:4 Public VoIP Service Topology For VoIP clients that register with a server from the WAN, the SonicWALL security appliance automatically manages NAT policies and access rules. The SonicWALL security appliance performs stateful monitoring of registration and permits incoming calls for c[...]

  • Page 534

    VoIP Figure 47:5 Trusted VoIP Service Topology For VoIP clients that register with a server on the DMZ or LAN, the SonicWALL security appliance automatically manages NAT policies and access rules. The SonicWALL security appliance performs stateful monitoring of registration and permits incoming call[...]

  • Page 535

    SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide 535 PART 9 VPN[...]

  • Page 537

    Chapter 48: Configuring VPN Policies VPN > Settings The VPN > Settings page provides the SonicWALL features for configuring your VPN policies. You configure site-to-site VPN policies and GroupVPN policies from this page. VPN Overview A Virtual Private Network (VPN) provides a secure co[...]

  • Page 538

    VPN > Settings Prior to the invention of Internet Protocol Security (IPsec) and Secure Socket Layer (SSL), secure connections between remote computers or networks required a dedicated line or satellite link. This was both inflexible and expensive. A VPN creates a connection with similar reliability [...]

  • Page 539

    VPN > Settings One advantage of SSL VPN is that SSL is built into most Web Browsers. No special VPN client software or hardware is required. Note SonicWALL makes SSL-VPN devices that you can use in concert with or independently of a SonicWALL UTM appliance running SonicOS. For information on SonicW[...]

  • Page 540

    VPN > Settings Aggressive Mode: To reduce the number of messages exchanged during authentication by half, the negotiation of which cryptographic algorithm to use is eliminated. The initiator proposes one algorithm and the responder replies if it supports that algorithm: 1. The initiator proposes a[...]

  • Page 541

    VPN > Settings Note There is no restriction on nesting IKE v1 tunnels within an IKE v2 tunnel and vice versa. For example, if you are connecting to a wireless device using WiFiSec, which uses an IKE v1 tunnel, you can then connect over the internet to a corporate network using a site-to-site VPN tunn[...]

  • Page 542

• "VPN Auto-Added Access Rule Control" section on page 578. Configuring VPNs in SonicOS Enhanced: SonicWALL VPN, based on the industry-standard IPsec VPN implementation, provides an easy-to-setup, secure solution for connecting mobile users, telecommuters, remote offices and part[...]

  • Page 543

E-Mail ID Domain name. • Peer ID Filter if using 3rd party certificates. • IKE (Phase 1) Proposal: – DH Group: Group 1, Group 2, Group 5. Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 [...]

  • Page 544

Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5. – Life Time (seconds): (default 28800) • Enable Windows Networking (NetBIOS) Broadcast • Enable Multicast • Management via this SA: HTTP HTT[...]

  • Page 545

GSC only (Require Global Security Client checked on security appliance) • Shared secret, if selected on security appliance: • Certificate, if selected on security appliance: • User's user name and password if XAUTH is required on the security appliance. Site-to-Site VPN Plann[...]

  • Page 546

Choose local network from list (select an address object) • Local network obtains IP addresses using DHCP through this VPN Tunnel (not used with IKEv2) • Any address. • Destination Networks: Use this VPN Tunnel as default route for all Internet traffic • Destination network obtains IP addre[...]

  • Page 547

– AES-192 – AES-256 – Authentication: MD5, SHA1 – Enable Perfect Forward Secrecy – DH Group (if perfect forward secrecy is enabled): Group 1, Group 2, Group 5. Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are[...]

  • Page 548

On the Responder: The settings on the responder must be the same as on the initiator except: • Name of this VPN • IPsec Primary Gateway Name or Address: not required on the responder • IPsec Secondary Gateway Name or Address: not required on the responder • IKE Authentication[...]

  • Page 549

VPN Policy Wizard: The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN or site-to-site VPN policies on the SonicWALL security appliance. After completing the configuration, the wizard creates the necessary VPN settings for the selected policy. You can [...]

  • Page 550

VPN Policies: All existing VPN policies are displayed in the VPN Policies table. Each entry displays the following information: • Name: Displays the default name or user-defined VPN policy name. • Gateway: Displays the IP address of the remote SonicWALL. If 0.0.0.0 is used, no Ga[...]

  • Page 551

You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific VPN policy. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System >[...]

  • Page 552

• "Creating Site-to-Site VPN Policies" section on page 562 • "VPN Auto-Added Access Rule Control" section on page 578. Configuring GroupVPN Policies: SonicWALL GroupVPN facilitates the setup and deployment of multiple SonicWALL Global VPN Clients by the SonicWALL security ap[...]

  • Page 553

Configuring GroupVPN with IKE using Preshared Secret on the WAN Zone. To configure the WAN GroupVPN, follow these steps: Step 1 Click the edit icon for the WAN GroupVPN entry. The VPN Policy window is displayed. Step 2 In the General tab, IKE using Preshared Secret is the default setti[...]

  • Page 554

– Select the DH Group from the DH Group menu. Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5. – Select 3DES, AES-128, or AES-256 from the Encryption menu. – Select the desired authenticati[...]

  • Page 555

– Management via this SA: If using the VPN policy to manage the SonicWALL security appliance, select the management method, either HTTP or HTTPS. – Default Gateway: Allows the network administrator to specify the IP address of the default network route for incoming IPsec packe[...]

  • Page 556

• Always - Global VPN Client user is prompted for username and password only once when the connection is enabled. When prompted, the user will be given the option of caching the username and password. – Virtual Adapter Settings - The use of the Virtual Adapter by the Global VPN Client[...]

  • Page 557

Configuring GroupVPN with IKE using 3rd Party Certificates. To configure GroupVPN with IKE using 3rd Party Certificates, follow these steps: Caution: Before configuring GroupVPN with IKE using 3rd Party Certificates, your certificates must be installed on the SonicWALL. Step 1 In the VP[...]

  • Page 558

– Distinguished Name - based on the certificate's Subject Distinguished Name field, which is contained in all certificates by default. Valid entries for this field are based on country (c=), organization (o=), organization unit (ou=), and/or commonName (cn=). Up to three organizatio[...]

  • Page 559

traffic. For packets received via an IPsec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped. – En[...]

  • Page 560

• This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, then the I[...]

  • Page 561

Caution: The GroupVPN SA must be enabled on the SonicWALL to export a configuration file. Step 1 Click the Disk icon in the Configure column for the GroupVPN entry in the VPN Policies table. The Export VPN Client Policy window appears. Step 2 rcf format is required for SonicWALL Global[...]

  • Page 562

• Hub and Spoke Design - All SonicWALL VPN gateways are configured to connect to a central SonicWALL (hub), such as a corporate SonicWALL. The hub must have a static IP address, but the spokes can have dynamic IP addresses. If the spokes are dynamic, the hub must be a SonicWALL. •[...]

  • Page 563

Configuring a VPN Policy with IKE using Preshared Secret. To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below: Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed. Step 2 In the General tab, select IKE using Preshared Secret[...]

  • Page 564

Optionally, specify a Local IKE ID and a Peer IKE ID for this policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWALL Identifier (ID_USER_FQDN) is used for Aggressive Mode. Step 7 Click the Network tab. Step 8 Under Loc[...]

  • Page 565

Destination network obtains IP addresses using DHCP server through this tunnel. Alternatively, select Choose Destination network from list, and select the address object or group. Step 10 Click Proposals. Step 11 Under IKE (Phase 1) Proposal, select either Main Mode, Aggressive Mod[...]

  • Page 566

– If you selected Main Mode or Aggressive Mode in the Proposals tab: • Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both side[...]

  • Page 567

– If you selected IKEv2 in the Proposals tab: • Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, using Keepalives will allow for the automatic renegotiation of the tunnel once both sides become available aga[...]

  • Page 568

The term Trigger Packet refers to the use of initial Traffic Selector payloads populated with the IP addresses from the packet that caused SA negotiation to begin. It is recommended practice to include Trigger Packets to assist the IKEv2 Responder in selecting the correct protected IP[...]

  • Page 569

Configuring the Local SonicWALL Security Appliance. Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed. Step 2 In the General tab of the VPN Policy window, select Manual Key from the IPsec Keying Mode menu. The VPN Policy window displays the manual key op[...]

  • Page 570

Destination network from list, and select the address object or group. Step 7 Click on the Proposals tab. Step 8 Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcdef) and can range from 3 to 8 characters in length. Caution: Each Security Association mu[...]

  • Page 571

Tip: Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window. Step 12 Clic[...]

  • Page 572

Configuring the Remote SonicWALL Security Appliance. Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed. Step 2 In the General tab, select Manual Key from the IPsec Keying Mode menu. Step 3 Enter a name for the SA in the Name field. Step 4 Enter the host n[...]

  • Page 573

– Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network drop-down box. To t[...]

  • Page 574

To create a VPN SA using IKE and third party certificates, follow these steps: Step 1 In the VPN > Settings page, click Add. The VPN Policy window is displayed. Step 2 In the Authentication Method list in the General tab, select IKE using 3rd Party Certificates. The VPN Policy w[...]

  • Page 575

Up to three organizational units can be specified. The usage is c=*;o=*;ou=*;ou=*;ou=*;cn=*. The final entry does not need to contain a semi-colon. You must enter at least one entry, e.g. c=us. Step 7 Type an ID string in the Peer IKE ID field. Step 8 Click on the Network tab. Step 9 [...]
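The Peer ID filter described on pages 558 and 575 is the only thing that stops any certificate issued by the trusted CA from authenticating as a VPN peer, so it pays to understand exactly what a filter string accepts. The following is an added example, not SonicWALL code: it implements the documented filter syntax (c=*;o=*;ou=*;ou=*;ou=*;cn=*, at most three ou= entries, at least one entry, trailing semicolon optional) and checks a filter against a certificate Subject Distinguished Name. The matching semantics beyond what the guide states (case-insensitive comparison, `*` as the only wildcard, and each filter component having to be satisfied by a distinct subject RDN) are assumptions; the sample DNs are constructed.

```python
"""Peer ID filter matching for VPN policies using IKE with 3rd party
certificates. Added example, not SonicWALL code. Matching rules beyond
the guide's syntax description are assumptions (see lead-in)."""
from __future__ import annotations

import re

ALLOWED_ATTRIBUTES = {"c", "o", "ou", "cn"}
MAX_OU_ENTRIES = 3


def parse_filter(filter_str: str) -> list[tuple[str, str]]:
    """Parse 'c=us;o=Example;ou=*;cn=*' into [(attribute, pattern), ...].

    Enforces the documented rules: only c/o/ou/cn, at most three ou
    entries, at least one entry. A trailing semicolon is tolerated.
    """
    parts = [p.strip() for p in filter_str.split(";") if p.strip()]
    if not parts:
        raise ValueError("peer ID filter needs at least one entry, e.g. c=us")
    entries = []
    for part in parts:
        attribute, sep, pattern = part.partition("=")
        attribute = attribute.strip().lower()
        if not sep or attribute not in ALLOWED_ATTRIBUTES or not pattern.strip():
            raise ValueError(f"invalid filter component: {part!r}")
        entries.append((attribute, pattern.strip()))
    if sum(1 for a, _ in entries if a == "ou") > MAX_OU_ENTRIES:
        raise ValueError("at most three ou= entries are allowed")
    return entries


def parse_subject_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=vpn1,OU=Ops,O=Example,C=US' into [(attribute, value), ...].

    Backslash-escaped commas inside values are honoured; multi-valued
    RDNs joined with '+' are outside the scope of this example.
    """
    result = []
    for rdn in re.split(r"(?<!\\),", dn):
        attribute, _, value = rdn.partition("=")
        result.append((attribute.strip().lower(), value.strip().replace("\\,", ",")))
    return result


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; everything else is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def peer_matches(filter_str: str, subject_dn: str) -> bool:
    """True when every filter component is satisfied by a distinct RDN of
    the subject. A repeated ou= entry therefore needs a second ou value,
    and a filter naming an attribute the certificate lacks never matches.
    """
    unmatched = parse_subject_dn(subject_dn)
    for attribute, pattern in parse_filter(filter_str):
        for i, (s_attr, s_value) in enumerate(unmatched):
            if s_attr == attribute and wildcard_match(pattern, s_value):
                del unmatched[i]
                break
        else:
            return False
    return True
```

Note what the wildcards buy an attacker: a filter of cn=* alone accepts every certificate the CA has ever issued, so a site-to-site policy should pin at least o= and, where the CA is shared with other services, the cn= of the expected peer.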

  • Page 576

Destination network obtains IP addresses using DHCP server through this tunnel. Alternatively, select Choose Destination network from list, and select the address object or group. Step 11 Click the Proposals tab. Step 12 In the IKE (Phase 1) Proposal section, select the following sett[...]

  • Page 577

– Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours. Step 14 Click the Advanced tab. Select any optional configuration options you want to apply to your VPN policy: – Select Enable Keep Alive[...]

  • Page 578

– If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example, if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic, you should enter the IP address of your router into the Default[...]

  • Page 581

CHAPTER 49: Configuring Advanced VPN Settings. VPN > Advanced: The VPN > Advanced page includes optional settings that affect all VPN policies. Advanced VPN Settings: • Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the SonicWALL.[...]

  • Page 582

– Dead Peer Detection Interval - Enter the number of seconds between "heartbeats." The default value is 60 seconds. – Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection i[...]
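The two settings above interact: with the defaults, a peer that stops answering is declared dead roughly 3 x 60 seconds after its last reply, and a single reply resets the count. The following is an added example, not SonicWALL code, that models that timer so the effect of changing either value can be checked offline. The probe and reply names R-U-THERE / R-U-THERE-ACK come from the IKEv1 DPD specification (RFC 3706), not from the guide, and the exact instant at which a real appliance counts a heartbeat as missed is an assumption; the ACK timelines are constructed input.

```python
"""IKE Dead Peer Detection timer. Added example, not SonicWALL code.
Interval and trigger level mirror the VPN > Advanced settings; the
timing model and message names are assumptions (see lead-in)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DeadPeerDetector:
    interval: float = 60.0      # seconds between heartbeats
    trigger_level: int = 3      # missed heartbeats before the peer is declared dead
    outstanding: int = 0        # consecutive probes still waiting for an ACK
    next_probe: float = 0.0     # time at which the next heartbeat is due
    dead: bool = False

    def tick(self, now: float) -> Optional[str]:
        """Advance the clock. Returns 'R-U-THERE' when a heartbeat is sent,
        'DEAD' once the trigger level is reached, otherwise None."""
        if self.dead:
            return "DEAD"
        if now < self.next_probe:
            return None
        # A heartbeat is due. Every unanswered probe so far counts as one
        # missed heartbeat; compare that against the trigger level first.
        if self.outstanding >= self.trigger_level:
            self.dead = True
            return "DEAD"
        self.outstanding += 1
        self.next_probe = now + self.interval
        return "R-U-THERE"

    def ack(self) -> bool:
        """Peer replied with R-U-THERE-ACK. A reply clears the missed count;
        a late reply after the peer was declared dead is ignored, and the
        tunnel has to be renegotiated."""
        if self.dead:
            return False
        self.outstanding = 0
        return True


def run_timeline(ack_times: List[float], horizon: float,
                 interval: float = 60.0, trigger_level: int = 3,
                 step: float = 1.0) -> Tuple[Optional[float], int]:
    """Drive a detector from t=0 to horizon with ACKs arriving at ack_times
    (constructed sample input). Returns (time at which the peer was declared
    dead, or None; number of heartbeats sent)."""
    detector = DeadPeerDetector(interval=interval, trigger_level=trigger_level)
    pending = sorted(ack_times)
    probes = 0
    t = 0.0
    while t <= horizon:
        while pending and pending[0] <= t:
            pending.pop(0)
            detector.ack()
        event = detector.tick(t)
        if event == "R-U-THERE":
            probes += 1
        elif event == "DEAD":
            return t, probes
        t += step
    return None, probes
```

Running `run_timeline([], 600)` shows the default behaviour: three heartbeats at 0, 60 and 120 seconds and the peer declared dead at 180 seconds. Lowering the interval speeds up failover but turns transient packet loss into tunnel teardown; the trigger level is the knob that absorbs a few lost probes.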

  • Page 583

• IKEv2 Dynamic Client Proposal - SonicOS Enhanced 4.0 introduces IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Clicking the Configure button launches the Configure IKEv2 Dynamic Cli[...]

  • Page 584

Online Certificate Status Protocol determines the current status of a digital certificate without using a CRL. OCSP enables the client or application to directly determine the status of an identified digital certificate. This provides more timely information about the certificate tha[...]

  • Page 585

Using OCSP with VPN Policies: The SonicWALL OCSP settings can be configured on a policy level or globally. To configure OCSP checking for individual VPN policies, use the Advanced tab of the VPN Policy configuration page. Step 1 Select the radio button next to Enable OCSP Checking. St[...]

  • Page 587

CHAPTER 50: Configuring DHCP Over VPN. VPN > DHCP over VPN: The VPN > DHCP over VPN page allows you to configure a SonicWALL security appliance to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN [...]

  • Page 588

Configuring the Central Gateway for DHCP Over VPN. To configure DHCP over VPN for the Central Gateway, use the following steps: 1. Select VPN > DHCP over VPN. 2. Select Central Gateway from the DHCP Relay Mode menu. 3. Click Configure. The DHCP over VPN Configuration window is[...]

  • Page 589

2. Click Configure. The DHCP over VPN Configuration window is displayed. 3. In the General tab, the VPN policy name is automatically displayed in the Relay DHCP through this VPN Tunnel field if the VPN policy has the setting Local network obtains IP addresses using DHCP through t[...]

  • Page 590

Devices: 9. To configure devices on your LAN, click the Devices tab. 10. To configure Static Devices on the LAN, click Add to display the Add LAN Device Entry window, and type the IP address of the device in the IP Address field and then type the Ethernet address of the device in [...]

  • Page 591

Note: You must configure the local DHCP server on the remote SonicWALL security appliance to assign IP leases to these computers. Note: If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enable[...]

  • Page 593

CHAPTER 51: Configuring L2TP Server. VPN > L2TP Server: The SonicWALL security appliance can terminate L2TP-over-IPsec connections from incoming Microsoft Windows 2000 and Windows XP clients. In situations where running the SonicWALL Global VPN Client is not possible, you can use the SonicWA[...]

  • Page 594

Configuring the L2TP Server: The VPN > L2TP Server page provides the settings for configuring the SonicWALL security appliance as an L2TP Server. To configure the L2TP Server, follow these steps: 1. To enable L2TP Server functionality on the SonicWALL security appliance, select Ena[...]

  • Page 595

6. If the L2TP Server provides IP addresses, select Use the Local L2TP IP pool. Enter the range of private IP addresses in the Start IP and End IP fields. The private IP addresses should be a range of IP addresses on the LAN. 7. If you have configured a specific user group defined f[...]

  • Page 597

SonicWALL SonicOS Enhanced 4.0 Administrator's Guide 597 PART 10 User Management[...]

  • Page 599

CHAPTER 52: Managing Users and Authentication Settings. User Management: This chapter describes the user management capabilities of your SonicWALL security appliance for locally and remotely authenticated users. This chapter contains the following sections: • "Introduction to User Manageme[...]

  • Page 600

encrypted connection. The SonicWALL authenticates all users as soon as they attempt to access network resources in a different zone (such as WAN, VPN, WLAN, etc.), which causes the network traffic to pass through the SonicWALL. Users who log into a computer on the LAN, but perform only[...]

  • Page 601

Figure 52:2 Local Groups Authentication Flow Diagram. To apply Content Filtering Service (CFS) policies to users, the users must be members of local groups and the CFS policies are then applied to the groups. To use CFS, you cannot use LDAP or RADIUS without combining that method with lo[...]

  • Page 602

Using RADIUS for Authentication: Remote Authentication Dial In User Service (RADIUS) is a protocol used by SonicWALL security appliances to authenticate users who are attempting to access the network. The RADIUS server contains a database with user information, and checks a user's cred[...]

  • Page 603

Figure 52:4 LDAP User Group Authentication Flow Diagram. In addition to RADIUS and the local user database, SonicOS Enhanced supports LDAP, Microsoft Active Directory (AD), and Novell eDirectory directory services for user authentication. Microsoft Active Directory works with SonicWALL[...]

  • Page 604

LDAP Terms: The following terms are useful when working with LDAP and its variants: • Schema – The schema is the set of rules or the structure that defines the types of data that can be stored in a directory, and how that data can be stored. Data is stored in the form of 'entries'[...]

  • Page 605

• Samba SMB: Development information is available at http://us5.samba.org/samba/ • Novell eDirectory: LDAP integration information is available at http://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.html • User-defined sche[...]

  • Page 606

Users that are identified but lack the group memberships required by the configured policy rules are redirected to the Access Barred page. Benefits: SonicWALL SSO is a reliable and time-saving feature that utilizes a single login to provide access to multiple network resources based on a[...]

  • Page 607

• Net API or WMI. How Does Single Sign-On Work? SonicWALL SSO requires minimal administrator configuration and is transparent to the user. There are six steps involved in SonicWALL SSO authentication, as illustrated in Figure 52:5. Figure 52:5 SonicWALL Single Sign-On Process. The So[...]

  • Page 608

User names are returned from the authorization agent running the SSO Agent in the format <domain>/<user-name>. For locally configured user groups, the user name can be configured to be the full name returned from the authorization agent running the SSO Agent (configuring t[...]

  • Page 609

Figure 52:6 SonicWALL SSO Agent Process. The SonicWALL security appliance queries the SonicWALL SSO Agent over the default port 2258. The SSO Agent then communicates between the client and the SonicWALL security appliance to determine the client's user ID. The SonicWALL SSO Agent is po[...]

  • Page 610

• User login denied - SSO Agent agent name resolution failed: The SonicWALL SSO Agent is unable to resolve the user name. • SSO Agent returned user name too long: The user name is too long. • SSO Agent returned domain name too long: The domain name is too long. Note: The notes fiel[...]

  • Page 611

• "User Groups" section on page 612 • "Priority for Preempting Administrators" section on page 612 • "GMS and Multiple Administrator Support" section on page 613. Configuration Modes: In order to allow multiple concurrent administrators, while also preventing potential con[...]

  • Page 612

User Groups: The Multiple Administrators Support feature introduces two new default user groups: • SonicWALL Administrators - Members of this group have full administrator access to edit the configuration. • SonicWALL Read-Only Admins - Members of this group have read-only access t[...]

  • Page 613

GMS and Multiple Administrator Support: When using SonicWALL GMS to manage a SonicWALL security appliance, GMS frequently logs in to the appliance (for such activities as ensuring that GMS management IPSec tunnels have been created correctly). These frequent GMS log-ins can make local ad[...]

  • Page 614

Configuring Settings on Users > Settings: On this page, you can configure the authentication method required, global user settings, and an acceptable use policy that is displayed to users when logging onto your network. Configuration instructions for the settings on this page are pro[...]

  • Page 615

User Login Settings: In the Authentication method for login drop-down list, select the type of user account management your network uses: • Select Local Users to configure users in the local database in the SonicWALL appliance using the Users > Local Users and Users > Local Groups[...]

  • Page 616

Select Enforce login uniqueness to prevent the same user name from being used to log into the network from more than one location at a time. This setting applies to both local users and RADIUS/LDAP users. However, the login uniqueness setting does not apply to the default administrator [...]

  • Page 617

• Enable disconnected user detection: Causes the SonicWALL to detect when a user's connection is no longer valid and end the session. • Timeout on heartbeat from user's login status window (minutes): Sets the time needed without a reply from the heartbeat before ending the u[...]

  • Page 618

Acceptable use policy page content - Enter your Acceptable Use Policy text in the text box. You can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation. Click the Example Template button to populate the cont[...]

  • Page 619

See the following sections for configuration instructions: • "Viewing, Editing and Deleting Local Users" on page 619 • "Adding Local Users" on page 620 • "Editing Local Users" on page 621. Viewing, Editing and Deleting Local Users: You can view all the groups to which a [...]

  • Page 620

Adding Local Users: You can add local users to the internal database on the SonicWALL security appliance from the Users > Local Users page. To add local users to the database: Step 1 Click Add User. The Add User configuration window displays. Step 2 On the Settings tab, type the use[...]

  • Page 621

Step 9 Click OK to complete the user configuration. Editing Local Users: You can edit local users from the Users > Local Users screen. To edit a local user: Step 1 In the list of users, click the edit icon in the same line as the user you want to edit. Step 2 Configure the Settings, Groups[...]

  • Page 622

A default group, Everyone, is listed in the first row of the table. Click the Note pad icon in the Configure column to review or change the settings for Everyone. See the following sections for configuration instructions: • "Creating a Local Group" on page 623 • "Importing Lo[...]

  • Page 623

Creating a Local Group: Step 1 Click the Add Group button to display the Add Group window. Step 2 On the Settings tab, type a group name into the Name field. Step 3 On the Members tab, to add users and other groups to this group, select the user or group from the Non-Members Users and Grou[...]

  • Page 624

Note: You can create custom Content Filtering Service policies in the Security Services > Content Filter page. See "Security Services > Content Filter" section on page 695. Step 6 Click OK. Importing Local Groups from LDAP: You can configure local user groups on the SonicWAL[...]

  • Page 625

Configuring RADIUS Authentication: If you selected RADIUS or RADIUS + Local Users from the Authentication method for login drop-down list, the Configure button becomes available. Step 1 Click Configure to set up your RADIUS server settings on the SonicWALL. The RADIUS Configuration windo[...]

  • Page 626

RADIUS Servers: In the RADIUS Servers section, you can designate the primary and, optionally, the secondary RADIUS server. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network. Step 4 In the Primary Server section, type the host name or IP ad[...]

  • Page 627

RADIUS Users Settings: To configure the RADIUS user settings: Step 10 On the RADIUS Users tab, select Allow only users listed locally if only the users listed in the SonicWALL database are authenticated using RADIUS. Step 11 Select the mechanism used for setting user group memberships fo[...]

  • Page 628

Creating a New User Group for RADIUS Users: In the RADIUS User Settings screen, you can create a new group by choosing Create a new user group... from the Default user group to which all RADIUS users belong drop-down list: Step 1 Select Create a new user group... The Add Group window disp[...]

  • Page 629

Note: You can add any group as a member of another group except Everyone and All RADIUS Users. Be aware of the membership of the groups you add as members of another group. Step 4 In the VPN Access tab, select the network resources to which this group will have VPN Access by default. S[...]

  • Page 630

When Use LDAP to retrieve user group information is selected, after authenticating a user via RADIUS, his/her user group membership information will be looked up via LDAP in the directory on the LDAP/AD server. Clicking the Configure button launches the LDAP configuration window. Note th[...]

  • Page 631

• MSCHAPv2: Select this to use the Microsoft version 2 implementation of CHAP. MSCHAPv2 works for Windows 2000 and later versions of Windows. Step 9 Click the Test button. If the validation is successful, the Status message changes to Success. If the validation fails, the Status m[...]

  • Page 632

http://support.microsoft.com/kb/931125. Step 6 Launch the Domain Security Policy application: Navigate to Start > Run and run the command: dompol.msc. Step 7 Open Security Settings > Public Key Policies. Step 8 Right click Automatic Certificate Request Settings. Step 9 Select Ne[...]

  • Page 633

Configuring the SonicWALL Appliance for LDAP: The Users > Settings page in the administrative interface provides the settings for managing your LDAP integration: Step 1 In the SonicOS administrative interface, open the Users > Settings page. Step 2 In the Authentication method for l[...]

  • Page 634

    User Management: • Port Number – The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server, specify it here. • Server timeout – The amount of time, in seconds, that the SonicWALL will wait [...]

  • Page 635

    User Management: and location in the directory) as the login to the primary server. This may entail creating a special user in the directory for the SonicWALL login. Note that only read access to the directory is required. Step 6 On the Schema tab, configure the following fields: • LDAP Schema – [...]

  • Page 636

    User Management: • User group membership attribute – Select the attribute that contains information about the groups to which the user object belongs. This is memberOf in Microsoft Active Directory. The other pre-defined schemas store group membership information in the group object rather than the u[...]

  • Page 637

    User Management: Note AD has some built-in containers that do not conform (e.g. the DN for the top level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format. Orderi[...]

  • Page 638

    User Management: If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the Domain to search value accordingly and selecting Append to existing trees on each subsequent run. Step 8 On the LDAP Users tab, configure the following fields: • Allow only users list[...]

  • Page 639

    User Management: • Import user groups – You can click this button to configure user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import user groups button launches a dialog box containing the list of user group names available for import to the SonicWALL. In th[...]

  • Page 640

    User Management: The SonicWALL appliance can retrieve group memberships efficiently in the case of Active Directory by taking advantage of its unique trait of returning a ‘memberOf’ attribute for a user. Step 9 On the LDAP Relay tab, configure the following fields: The RADIUS to LDAP Relay feature [...]

  • Page 641

    User Management: Note The ‘Bypass filters’ and ‘Limited management capabilities’ privileges are returned based on membership to user groups named ‘Content Filtering Bypass’ and ‘Limited Administrators’ – these are not configurable. Step 10 Select the Test tab to test the configured L[...]

  • Page 642

    User Management: – “Configuring User Settings” section on page 669[...]

  • Page 643

    User Management: Installing the SonicWALL SSO Agent The SonicWALL SSO Agent is part of the SonicWALL Directory Connector. The SonicWALL SSO Agent must be installed on a workstation or server in the Windows domain that is accessible using VPN or IP. The SonicWALL SSO Agent must have access to your Soni[...]

  • Page 644

    User Management: Step 4 On the Customer Information page, enter your name in the User Name field and your organization name in the Organization field. Select to install the application for Anyone who uses this computer (all users) or Only for me. Click Next to continue. Step 5 Select the destination fo[...]

  • Page 645

    User Management: SonicWALL SSO Agent feature. Click Next. Step 7 Click Install to install SSO Agent. Step 8 To configure a common service account that the SSO Agent will use to log into a specified Windows domain, enter the username of an account with administrative privileges in the Username field, t[...]

  • Page 646

    User Management: Note This section can be configured at a later time. To skip this step and configure it later, click Skip. Step 9 Enter the IP address of your SonicWALL security appliance running SonicOS Enhanced 4.0 in the SonicWALL Appliance IP field. Type the port number for the same appliance in t[...]

  • Page 647

    User Management: The SonicWALL SSO Agent installs. The status bar displays. Step 10 When installation is complete, optionally check the Launch SonicWALL Directory Connector box to launch the SonicWALL Directory Connector, and click Finish.[...]

  • Page 648

    User Management: If you checked the Launch SonicWALL Directory Connector box, the SonicWALL Directory Connector will display. Configuring the SonicWALL SSO Agent The SonicWALL SSO Agent communicates with workstations using NetAPI or WMI, which both provide information about users that are logged in to a [...]

  • Page 649

    User Management: To configure the communication properties of the SonicWALL SSO Agent, perform the following tasks: Step 1 Launch the SonicWALL Configuration Tool by double-clicking the desktop shortcut or by navigating to Start > All Programs > SonicWALL > SonicWALL Directory Connector > Soni[...]

  • Page 650

    User Management: If the message SonicWALL SSO Agent service is not running. Please check the configuration and start the service displays, the SSO Agent service will be disabled by default. To enable the service, expand the SonicWALL Directory Connector Configuration Tool in the left navigation panel [...]

  • Page 651

    User Management: Note When Logging Level 2 is selected, the SSO Agent service will terminate if the Windows event log reaches its maximum capacity. Step 4 In the Refresh Time field, enter the frequency, in seconds, that the SSO Agent will refresh user login status. The default is 60 seconds. Step 5 From[...]

  • Page 652

    User Management: Note NetAPI will provide faster, though possibly slightly less accurate, performance. WMI will provide slower, though possibly more accurate, performance. WMI is pre-installed on Windows Server 2003, Windows XP, Windows Me, and Windows 2000. Both NetAPI and WMI can be manually downloaded[...]

  • Page 653

    User Management: Adding a SonicWALL Security Appliance Use these instructions to manually add a SonicWALL security appliance if you did not add one during installation, or to add additional SonicWALL security appliances. To add a SonicWALL security appliance, perform the following steps: Step 1 Launch[...]

  • Page 654

    User Management: Your appliance will display in the left-hand navigation panel under the SonicWALL Appliances tree. Editing Appliances in SonicWALL SSO Agent You can edit all settings on SonicWALL security appliances previously added in SonicWALL SSO Agent, including IP address, port number, friendly n[...]

  • Page 655

    User Management: Modifying Services in SonicWALL SSO Agent You can start, stop, and pause SonicWALL SSO Agent services to SonicWALL security appliances. To pause services for an appliance, select the appliance from the left-hand navigation panel and click the pause button. To stop services for an applia[...]

  • Page 656

    User Management: Step 4 Click Configure. The Authentication Agent Settings page displays. Step 5 In the Name or IP Address field, enter the name or IP Address of the workstation on which SonicWALL SSO Agent is installed. Step 6 In Port Number, enter the port number of the workstation on which SonicWALL[...]

  • Page 657

    User Management: Step 11 Check the box next to Allow only users listed locally to allow only users listed locally to be authenticated. Step 12 Check the box next to Simple user names in local database to use simple user names. This setting ignores the domain component of a user name. If this box is not c[...]

  • Page 658

    User Management: Note The Content Filter tab is only displayed if Premium CFS is enabled on the SonicWALL security appliance. Step 19 To bypass SSO for content filtering traffic and apply the default content filtering policy to the traffic, select the appropriate address object or address group from t[...]

  • Page 659

    User Management: This setting should be used where traffic that would be subject to content filtering can emanate from a device other than a user's workstation (such as an internal proxy web server). It prevents the SonicWALL from attempting to identify such a device as a network user in order to [...]

  • Page 660

    User Management: Step 22 Select the Check user radio button, enter the IP address of a workstation in the Workstation IP address field, then click Test. This will test if the agent is properly configured to identify the user logged into a workstation. Note Performing tests on this page applies any chan[...]

  • Page 661

    User Management: Advanced LDAP Configuration If you selected Use LDAP to retrieve user group information in step 14 of “Configuring Your SonicWALL Security Appliance” section on page 655, you must configure your LDAP settings. To configure LDAP settings, perform the following steps: Step 1 The Settin[...]

  • Page 662

    User Management: Note Use the user’s name in the Login user name field, not a username or login ID. For example, John Doe would login as John Doe, not jdoe. Step 6 Select the LDAP version from the Protocol version drop-down menu, either LDAP version 2 (LDAPv2) or LDAP version 3 (LDAPv3). Most implemen[...]

  • Page 663

    User Management: Note Only check the Send LDAP ‘Start TLS’ request box if your LDAP server uses the same port number for TLS and non-TLS. Step 9 Check the Require valid certificate from server to require a valid certificate from the server. Validates the certificate presented by the server during t[...]

  • Page 664

    User Management: Step 14 The Object class field defines which attribute represents the individual user account to which the next two fields apply. This will not be modifiable unless you select User defined. Step 15 The Login name attribute field defines which attribute is used for login authentication. [...]

  • Page 665

    User Management: Step 23 In the User tree for login to server field, specify the tree in which the user specified in the ‘Settings’ tab resides. For example, in AD the ‘administrator’ account’s default tree is the same as the user tree. Step 24 In the Trees containing users field, specify the[...]

  • Page 666

    User Management: If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the ‘Domain to search’ accordingly and selecting ‘Append to existing trees’ on each subsequent run. Step 27 Select the LDAP Users tab. Step 28 Check the Allow only users listed loca[...]

  • Page 667

    User Management: The SonicWALL security appliance can retrieve group memberships more efficiently in the case of Active Directory by taking advantage of its unique trait of returning a ‘memberOf’ attribute for a user. Step 31 Click the Import user groups button to import user groups from the LDAP serv[...]

  • Page 668

    User Management: – VPN Zone Step 35 In the RADIUS shared secret field, enter a shared secret common to all remote SonicWALL security appliances. Step 36 In the User groups for legacy users fields, define the user groups that correspond to the legacy ‘VPN users,’ ‘VPN client users,’ ‘L2TP user[...]

  • Page 669

    User Management: Configuring Firewall Access Rules Firewall access rules provide the administrator with the ability to control user access. Rules set under Firewall > Access Rules are checked against the user group memberships returned from a SSO LDAP query, and are applied automatically. Access rules[...]

  • Page 670

    User Management: The Enable login session limit and corresponding Login session limit (minutes) settings under User Session Settings apply to users logged in using SSO. SSO users will be logged out according to session limit settings, but will be automatically and transparently logged back in when the[...]

  • Page 671

    User Management: Configuring Additional Administrator User Profiles To configure additional administrator user profiles, perform the following steps: Step 1 While logged in as admin, navigate to the Users > Local Users page. Step 2 Click the Add User button. Step 3 Enter a Name and Password for the[...]

  • Page 672

    User Management: When using RADIUS or LDAP authentication, if you want to keep the configuration of administrative users local to the appliance whilst having those users authenticated by RADIUS/LDAP, perform these steps: Step 1 Navigate to the Users > Settings page. Step 2 Select either the RADIUS + [...]

  • Page 673

    User Management: Activating Configuration Mode When logging in as a user with full administrator rights (that is not the admin user), the User Login Status window is displayed. To go to the SonicWALL user interface, click the Manage button. You will be prompted to enter your password again. This is a saf[...]

  • Page 674

    User Management: To switch from non-config mode to full configuration mode, perform the following steps: Step 1 Navigate to the System > Administration page. Step 2 In the Web Management Settings section, click on the Configuration mode button. If there is not currently an administrator in configurat[...]

  • Page 675

    User Management: Verifying Multiple Administrators Support Configuration User accounts with administrator and read-only administrators can be viewed on the Users > Local Groups page. Administrators can determine which configuration mode they are in by looking at either the top right corner of the man[...]

  • Page 676

    User Management: When the administrator is in read-only mode, the top right corner of the interface displays Read-Only Mode. The status bar displays Read-only mode - no changes can be made. When the administrator is in non-config mode, the top right of the interface displays Non-Config Mode. Clicking[...]

  • Page 677

    Chapter 53: Managing Guest Services and Guest Accounts Users > Guest Services Guest accounts are temporary accounts set up for users to log into your network. You can create these accounts manually, as needed or generate them in batches. SonicOS includes profiles you can configure in adva[...]

  • Page 678

    Users > Guest Services: Global Guest Settings Check Show guest login status window with logout button to display a user login window on the user’s workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in the[...]

  • Page 679

    Users > Guest Accounts: – Auto-Prune Account: Check this to have the account removed from the database after its lifetime expires. – Enforce login uniqueness: Check this to allow only a single instance of an account to be used at any one time. By default, this feature is enabled when creating a [...]

  • Page 680

    Users > Guest Accounts: Viewing Guest Account Statistics To view statistics on a guest account, hover your mouse over the Statistics icon in the line of the guest account. The statistics window will display the cumulative total bytes and packets sent and received for all completed sessions. Currentl[...]

  • Page 681

    Users > Guest Accounts: – Enable Guest Services Privilege: Check this for the account to be enabled upon creation. – Enforce login uniqueness: Check this to allow only one instance of this account to log into the security appliance at one time. Leave it unchecked to allow multiple users to use t[...]

  • Page 682

    Users > Guest Accounts: – Comment: Enter a descriptive comment. Step 3 In the Guest Services tab, configure: – Enable Guest Services Privilege: Check this for the accounts to be enabled upon creation. – Enforce login uniqueness: Check this to allow only one instance of each generated account t[...]

  • Page 683

    Users > Guest Status: Printing Account Details. You can print a summary of a guest account. Click the print icon to launch a summary account report page and send that page to an active printer. Users > Guest Status The Guest Status page reports on all the guest accounts currently logged in to the se[...]

  • Page 684

    Users > Guest Status: • Session Expiration: The time when the current session expires. • Statistics: hover your mouse over the Statistics icon to view statistics for total received and sent bytes and packets for this guest user’s current session. • Logout: Click the Logout icon to log the gue[...]

  • Page 685

    SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide 685 PART 11 Security Services[...]


  • Page 687

    Chapter 54: Managing SonicWALL Security Services SonicWALL Security Services SonicWALL, Inc. offers a variety of subscription-based security services to provide layered security for your network. SonicWALL security services are designed to integrate seamlessly into your network to provide com[...]

  • Page 688

    SonicWALL Security Services: Note For more information on SonicWALL security services, please visit http://www.sonicwall.com. Note Complete product documentation for SonicWALL security services is available on the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html. Security S[...]

  • Page 689

    SonicWALL Security Services: If your SonicWALL security appliance is not registered, the Security Services > Summary page does not include the Services Summary table. Your SonicWALL security appliance must be registered to display the Services Summary table. mySonicWALL.com To activate SonicWALL Securi[...]

  • Page 690

    SonicWALL Security Services: Managing Security Services Online Clicking the Manage Licenses button displays the mySonicWALL.com Login page for accessing your MySonicWALL.com account licensing information. Enter your mySonicWALL.com username and password in the User Name and Password fields, and then clic[...]

  • Page 691

    SonicWALL Security Services: Security Services Information This section includes a brief overview of services available for your SonicWALL security appliance. Update Signature Manually The Manual Signature Update feature is intended for networks where reliable, broadband Internet connectivity is either n[...]

  • Page 692

    SonicWALL Security Services: To manually update signature files, complete the following steps: Step 1 On the Security Services > Summary page, scroll to the Update Signatures Manually heading at the bottom of the page. Note the Signature File ID for the device. Step 2 Log on to http://www.mysonicwall.[...]

  • Page 693

    SonicWALL Security Services: Note The signature file can only be used on SonicWALL security appliances that are registered to the mysonicwall.com account that downloaded the signature file. Step 3 Click on Download Signatures under the Downloads heading. Step 4 In the pull down window next to Signature [...]


  • Page 695

    Chapter 55: Configuring SonicWALL Content Filtering Service Security Services > Content Filter The Security Services > Content Filter page allows you to configure the SonicWALL Restrict Web Features and Trusted Domains settings, which are included with SonicOS Enhanced. You can activate[...]

  • Page 696

    Security Services > Content Filter: SonicWALL Content Filtering Service SonicWALL Content Filtering Service (CFS) enforces protection and productivity policies for businesses, schools and libraries to reduce legal and privacy risks while minimizing administration overhead. SonicWALL CFS utilizes a d[...]

  • Page 697

    Security Services > Content Filter: You can also access the SonicWALL CFS URL Rating Review Request form by clicking on the here link in If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here. If SonicWALL CFS is not activated, you must activate it. If you do[...]

  • Page 698

    Security Services > Content Filter: • SonicWALL CFS - Selecting SonicWALL CFS as the Content Filter Type allows you to use the SonicWALL Content Filtering Service that is available as an upgrade. You can obtain more information about SonicWALL Content Filtering Service at http://www.sonicwall.co[...]

  • Page 699

    Security Services > Content Filter: Trusted Domains Trusted Domains can be added to enable content from specific domains to be exempt from Restrict Web Features. If you trust content on specific domains and want them exempt from Restrict Web Features, follow these steps to add them: Step 1 Check the[...]

  • Page 700

    Security Services > Content Filter: Message to Display when Blocking You can enter your customized text to display to the user when access to a blocked site is attempted. The default message is This site is blocked by the SonicWALL Content Filter Service. Any message, including embedded HTML, up to 2[...]

  • Page 701

    Security Services > Content Filter: Warning Do not include the prefix “http://” in either the Allowed Domains or Forbidden Domains fields. All subdomains are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”. To remove a trusted or forbidde[...]

  • Page 702

    Security Services > Content Filter: the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field. When the default value of zero (0) is entered, this feature is disabled. • User Idle Timeout (minutes) - After a period of Web browser inactivity, th[...]

  • Page 703

    Security Services > Content Filter: Configuring N2H2 Internet Filtering N2H2 is a third party Internet filtering package that allows you to use Internet content filtering through the SonicWALL. Step 1 Select N2H2 from the Content Filter Type list. Step 2 Click Configure to display the N2H2 Properties[...]

  • Page 704

    Security Services > Content Filter: URL Cache • Cache Size (KB) - Configure the size of the URL Cache in KB for the SonicWALL. Tip! A larger URL Cache size can provide noticeable improvements in Internet browsing response times. Configuring SonicWALL Blocking Features Once you configure your se[...]

  • Page 705

    Security Services > Content Filter: Message to Display when Blocking You can enter your customized text in the Message to Display when Blocking text box that displays to the user when access to a blocked site is attempted. The default message is The site is blocked by the SonicWALL Content Filter Serv[...]

  • Page 706

    Security Services > Content Filter: – Block traffic to all Web sites - Selecting this option blocks traffic to all Web sites except Allowed Domains until the N2H2 server is available. – Allow traffic to all Web sites - Selecting this option allows traffic to all Web sites without Websense Enterpri[...]

  • Page 707

    Security Services > Content Filter: Trusted Domains Trusted Domains can be added in the Restrict Web Features section. If you trust content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL by clicking on Add. T[...]


  • Page 709

    Chapter 56: Activating SonicWALL Client Anti-Virus Security Services > Anti-Virus By their nature, anti-virus products typically require regular, active maintenance on every PC. When a new virus is discovered, all anti-virus software deployed within an organization must be updated with the [...]

  • Page 710

    Security Services > Anti-Virus: Activating SonicWALL Client Anti-Virus If SonicWALL Client Anti-Virus is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL Client Anti-Virus from a SonicWALL reseller or from your mySonicWALL.com account (limited [...]

  • Page 711

    Security Services > Anti-Virus: Note You must have a mySonicWALL.com account and your SonicWALL must be registered to activate SonicWALL Client Anti-Virus. Step 1 Click the SonicWALL Client Anti-Virus Subscription link on the Security Services > Anti-Virus page. The mySonicWALL.com Login page is[...]

  • Page 712

    Security Services > Anti-Virus: Activating a SonicWALL Client Anti-Virus FREE TRIAL You can try a FREE TRIAL of SonicWALL Client Anti-Virus by following these steps: Step 1 Click the FREE TRIAL link. The mySonicWALL.com Login page is displayed. Step 2 Enter your mySonicWALL.com account username and [...]

  • Page 713

    Security Services > Anti-Virus: – Low Risk - A virus that is not reported in the field and is considered unlikely to be found in the field in the future has a low risk. Even if such a virus includes a very serious or unforeseeable damage payload, its risk is still low. – Medium Risk - If a virus [...]

  • Page 714

    Security Services > E-mail Filter The E-Mail Filter allows the administrator to selectively delete or disable inbound e-mail attachments as they pass through the SonicWALL security appliance. This feature provides control over executable files and scripts, and[...]

  • Page 715

    Chapter 57: Managing SonicWALL Gateway Anti-Virus Service Security Services > Gateway Anti-Virus SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL’s IPS-Deep Packet Inspection v2.0 engine to inspect all traffic that trave[...]

  • Page 716

    Security Services > Gateway Anti-Virus: SonicWALL GAV delivers threat protection directly on the SonicWALL security appliance by matching downloaded or e-mailed files against an extensive and dynamically updated database of threat virus signatures. Virus attacks are caught and suppressed before they [...]

  • Page 717

    Security Services > Gateway Anti-Virus: Remote Site Protection Step 1 Users send typical e-mail and files between remote sites and the corporate office. Step 2 SonicWALL GAV scans and analyses files and e-mail messages on the SonicWALL security appliance. Step 3 Viruses are found and blocked before i[...]

  • Page 718

    Security Services > Gateway Anti-Virus: HTTP File Downloads Step 1 Client makes a request to download a file from the Web. Step 2 File is downloaded through the Internet. Step 3 File is analyzed by the SonicWALL GAV engine for malicious code and viruses. Step 4 If a virus is found, the file is discarded. Step 5 Viru[...]

  • Page 719

    Security Services > Gateway Anti-Virus: single-pass, per-packet basis. Reassembly-free virus scanning functionality of the SonicWALL GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream. Building o[...]

  • Page 720

    Security Services > Gateway Anti-Virus: Note If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security Appliance” on page 721. Step 1 Log into the SonicWALL security appliance management interface. Step 2 If the System > Status page is not displayed in the mana[...]

  • Page 721

    Security Services > Gateway Anti-Virus: Registering Your SonicWALL Security Appliance Step 1 Log into the SonicWALL security appliance management interface. Step 2 If the System > Status page is not displaying in the management interface, click System in the left-navigation menu, and then click Sta[...]

  • Page 722

    Security Services > Gateway Anti-Virus: If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services: Step 1 On the Security Services > Gateway Anti-Virus page, click the SonicWALL Gateway Anti[...]

  • Page 723

    Security Services > Gateway Anti-Virus: Activating FREE TRIALs You can try FREE TRIAL versions of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service. You must activate each service separately from the Manage Services Online table on the System > Licens[...]

  • Page 724

    Security Services > Gateway Anti-Virus 724 SonicOS Enhanced 4.0 Administrator Guide The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL GAV on your SonicWALL security appliance. Enabling SonicWALL GAV You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings sect[...]

  • Page 725

    Security Services > Gateway Anti-Virus 725 SonicOS Enhanced 4.0 Administrator Guide Applying SonicWALL GAV Protection on Zones You can enforce SonicWALL GAV not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and out[...]

  • Page 726

    Security Services > Gateway Anti-Virus 726 SonicOS Enhanced 4.0 Administrator Guide Note You also enable SonicWALL GAV protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window. Viewing SonicWALL GAV Status Information The Ga[...]

  • Page 727

    Security Services > Gateway Anti-Virus 727 SonicOS Enhanced 4.0 Administrator Guide Updating SonicWALL GAV Signatures By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for new signature updates. You can[...]

  • Page 728

    Security Services > Gateway Anti-Virus 728 SonicOS Enhanced 4.0 Administrator Guide The Enable Inbound Inspection protocol traffic handling represented as a table: Enabling Outbound SMTP Inspection The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that might be hosted on the DMZ. Enabling outbound i[...]

  • Page 729

    Security Services > Gateway Anti-Virus 729 SonicOS Enhanced 4.0 Administrator Guide • Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP) that are enabled for inspection. • Restrict Transfer of MS-[...]

  • Page 730

    Security Services > Gateway Anti-Virus 730 SonicOS Enhanced 4.0 Administrator Guide If you want to suppress the sending of e-mail messages (SMTP) to clients from SonicWALL GAV when a virus is detected in an e-mail or attachment, check the Disable SMTP Responses box. Configuring HTTP Clientless Notification The HTTP Clientless Notification feat[...]

  • Page 731

    Security Services > Gateway Anti-Virus 731 SonicOS Enhanced 4.0 Administrator Guide Optionally, you can configure the timeout for the HTTP Clientless Notification on the Security Services > Summary page under the Security Services Summary heading. Configuring a SonicWALL GAV Exclusion List Any IP addresses listed in the exclusion list bypass[...]

  • Page 732

    Security Services > Gateway Anti-Virus 732 SonicOS Enhanced 4.0 Administrator Guide Viewing SonicWALL GAV Signatures The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV signature database. All the entries displayed in the Gateway Anti-Virus Signatures table are from the SonicWALL GAV signature databa[...]

  • Page 733

    Security Services > Gateway Anti-Virus 733 SonicOS Enhanced 4.0 Administrator Guide Searching the Gateway Anti-Virus Signature Database You can search the signature database by entering a search string in the Lookup Signatures Containing String field, then clicking the edit (Notepad) icon. The signatures that match the specified string are dis[...]


  • Page 735

    735 SonicOS Enhanced 4.0 Administrator Guide Chapter 58: Activating Intrusion Prevention Service Security Services > Intrusion Prevention Service SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web,[...]

  • Page 736

    Security Services > Intrusion Prevention Service 736 SonicOS Enhanced 4.0 Administrator Guide How SonicWALL’s Deep Packet Inspection Works Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabil[...]

  • Page 737

    Security Services > Intrusion Prevention Service 737 SonicOS Enhanced 4.0 Administrator Guide • Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. •[...]

  • Page 738

    Security Services > Intrusion Prevention Service 738 SonicOS Enhanced 4.0 Administrator Guide Tip If your SonicWALL security appliance is connected to the Internet and registered at mySonicWALL.com, you can activate a 30-day FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service separate[...]

  • Page 739

    Security Services > Intrusion Prevention Service 739 SonicOS Enhanced 4.0 Administrator Guide Note Remember your username and password to access your mySonicWALL.com account. Step 6 Click Submit after completing the MySonicWALL Account form. Step 7 When the mySonicWALL.com server has finished processing your account, you will see a page saying[...]

  • Page 740

    Security Services > Intrusion Prevention Service 740 SonicOS Enhanced 4.0 Administrator Guide Note Clicking on the Continue button does not activate the FREE TRIAL versions of these SonicWALL Security Services. Step 6 At the top of the Product Survey page, enter a “friendly name” for your SonicWALL content security appliance in the Friendly[...]

  • Page 741

    Security Services > Intrusion Prevention Service 741 SonicOS Enhanced 4.0 Administrator Guide If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services: Step 1 On the Security Services > Intrusion Prevention page, click the SonicWALL [...]

  • Page 742

    Security Services > Intrusion Prevention Service 742 SonicOS Enhanced 4.0 Administrator Guide Setting Up SonicWALL Intrusion Prevention Service Protection Activating the SonicWALL Intrusion Prevention Service license on your SonicWALL security appliance does not automatically enable the protection. To configure SonicWALL Intrusion Prevention [...]

  • Page 743

    Security Services > Intrusion Prevention Service 743 SonicOS Enhanced 4.0 Administrator Guide information on configuring global signature groups, refer to “Configuring Global Signature Groups” in the SonicWALL Intrusion Prevention Service Administrator’s Guide available on the SonicWALL Resource CD or at <www.sonicwall.com/support/doc[...]


  • Page 745

    745 SonicOS Enhanced 4.0 Administrator Guide Chapter 59: Activating Anti-Spyware Service Security Services > Anti-Spyware Service SonicWALL Anti-Spyware is part of the SonicWALL Gateway Anti-Virus, Anti-Virus and Intrusion Prevention Service solution that provides comprehensive, real-time protection against viruses, worms, Trojans, s[...]

  • Page 746

    Security Services > Anti-Spyware Service 746 SonicOS Enhanced 4.0 Administrator Guide Note Refer to the SonicWALL Anti-Spyware Administrator’s Guide on the SonicWALL Web site: http://www.sonicwall.com/us/Support.html for complete product documentation. SonicWALL Deep Packet Inspection SonicWALL Gateway Anti-Virus, Anti-Spyware, and IPS Ac[...]

  • Page 747

    Security Services > Anti-Spyware Service 747 SonicOS Enhanced 4.0 Administrator Guide Creating a mySonicWALL.com Account Creating a mySonicWALL.com account is fast, simple, and FREE. Simply complete an online registration form in the SonicWALL security appliance management interface. Note If you already have a mysonicWALL.com account, go to “[...]

  • Page 748

    Security Services > Anti-Spyware Service 748 SonicOS Enhanced 4.0 Administrator Guide Registering Your SonicWALL Security Appliance Step 1 Log into the SonicWALL security appliance management interface. Step 2 If the System > Status page is not displaying in the management interface, click System in the left-navigation menu, and then click S[...]

  • Page 749

    Security Services > Anti-Spyware Service 749 SonicOS Enhanced 4.0 Administrator Guide To try a FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, or SonicWALL Intrusion Prevention Service, perform these steps: Step 1 Click the FREE TRIAL link on the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware[...]

  • Page 750

    Security Services > Anti-Spyware Service 750 SonicOS Enhanced 4.0 Administrator Guide If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, perform these steps to activate the combined services: Step 1 On the Security Services > Intrusion Prevention page, click the SonicWALL Intrusion[...]

  • Page 751

    Security Services > Anti-Spyware Service 751 SonicOS Enhanced 4.0 Administrator Guide Refer to the SonicWALL Anti-Spyware Administrator’s Guide on the SonicWALL Web site: http://www.sonicwall.com/us/Support.html for complete configuration instructions. Applying SonicWALL Anti-Spyware Protection on Zones If your SonicWALL security appliance[...]


  • Page 753

    753 SonicOS Enhanced 4.0 Administrator Guide Chapter 60: Configuring SonicWALL Real-Time Blacklist SMTP Real-Time Black List Filtering SMTP Real-time Black List (RBL) is a mechanism for publishing the IP addresses of SMTP servers from which or through which spammers operate. There are a number of organizations that compile this informat[...]

  • Page 754

    Security Services > RBL Filter 754 SonicOS Enhanced 4.0 Administrator Guide Note Most spam today is known to be sent from hijacked or zombie machines running a thin SMTP server implementation, unbeknownst to the host's operator. These zombie machines rarely attempt to retry failed delivery attempts, as would be the behavior of a legitimate SMTP [...]

  • Page 755

    Security Services > RBL Filter 755 SonicOS Enhanced 4.0 Administrator Guide To add an RBL service, click the Add button. In the Add RBL Domain window, you specify the RBL domain to be queried, enable it for use, and specify its expected response codes. Most RBL services list the responses they provide on their Web site, although selecting Block[...]


  • Page 757

    757 SonicOS Enhanced 4.0 Administrator Guide Chapter 61: Configuring SonicWALL Global Security Client Security Services > Global Security Client The SonicWALL Global Security Client combines gateway enforcement, central management, configuration flexibility and software deployment to deliver comprehensive desktop security for remote/[...]

  • Page 758

    Security Services > Global Security Client 758 SonicOS Enhanced 4.0 Administrator Guide gateway administrator automatically updates the Global Security Client with the latest security policies and software updates. No prompting or intervention is necessary by the administrator or the remote user - it’s completely seamless and transparent. G[...]

  • Page 759

    Security Services > Global Security Client 759 SonicOS Enhanced 4.0 Administrator Guide • Policy Management - enables network administrators to create, distribute and manage global security policies for remote and mobile users from a central location. Once a new policy is created, it is seamlessly distributed to every system on the netwo[...]

  • Page 760

    Security Services > Global Security Client 760 SonicOS Enhanced 4.0 Administrator Guide SonicWALL’s Distributed Enforcement Architecture (DEA) technology enables the policy enforcement capabilities that provide the framework for the Global Security Client’s complete security solution for all remote and network desktops. SonicWALL’s DEA t[...]

  • Page 761

    Security Services > Global Security Client 761 SonicOS Enhanced 4.0 Administrator Guide Configuring Security Policies for Global Security Clients The Security Services > Global Security Client page provides the settings for configuring the security policies for Global Security Clients.[...]


  • Page 763

    SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide 763 PART 12 Log[...]


  • Page 765

    765 SonicOS Enhanced 4.0 Administrator Guide Chapter 62: Managing Log Events Log > View The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving. The log is displa[...]

  • Page 766

    Log > View 766 SonicOS Enhanced 4.0 Administrator Guide Log View Table The log is displayed in a table and is sortable by column. The log table columns include: • Time - the date and time of the event. • Priority - the level of priority associated with your log event. Syslog uses eight categories to characterize messages – in descending[...]

  • Page 767

    Log > View 767 SonicOS Enhanced 4.0 Administrator Guide Clear Log To delete the contents of the log, click the Clear Log button near the top right corner of the page. Export Log To export the contents of the log to a defined destination, click the Export Log button below the filter table. You can export log content to two formats: • Plain text [...]

  • Page 768

    Log > View 768 SonicOS Enhanced 4.0 Administrator Guide Source interface AND Destination interface Step 3 Check the Group box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group next to Source IP and Destination IP, the search stri[...]

  • Page 769

    769 SonicOS Enhanced 4.0 Administrator Guide Chapter 63: Configuring Log Categories Log > Categories This chapter provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics. Note You can extend your SonicWALL security appliance[...]

  • Page 770

    Log > Categories 770 SonicOS Enhanced 4.0 Administrator Guide Log Priority This section provides information on configuring the level of priority at which log messages are captured and corresponding alert messages are sent through e-mail for notification. Logging Level The Logging Level control filters events by priority. Events of equal or greater pr[...]

  • Page 771

    Log > Categories 771 SonicOS Enhanced 4.0 Administrator Guide Log Categories SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As[...]

  • Page 772

    Log > Categories 772 SonicOS Enhanced 4.0 Administrator Guide
    • Firewall Logging (Extended) - Logs general events and errors
    • Firewall Rule (Extended) - Logs firewall rule modifications
    • GMS (Extended) - Logs GMS status event
    • High Availability (Extended) - Logs High Availability activity
    • IPcomp (Extended) - Logs IP compression activity
    • Intrusion Prevention (Extended) - Lo[...]

  • Page 773

    Log > Categories 773 SonicOS Enhanced 4.0 Administrator Guide Managing Log Categories The Log Categories table displays log category information organized into the following columns: • Category - Displays log category name. • Description - Provides description of the log category activity type. • Log - Provides checkbox for enabling/disab[...]


  • Page 775

    775 SonicOS Enhanced 4.0 Administrator Guide Chapter 64: Configuring Syslog Settings Log > Syslog In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP addre[...]

  • Page 776

    Log > Syslog 776 SonicOS Enhanced 4.0 Administrator Guide Syslog Settings Syslog Facility • Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol. Note See RFC 3164 - The BSD Syslog Protocol for more information. • Override Syslog Settings with ViewPoint Settings - Check this box t[...]

  • Page 777

    Log > Syslog 777 SonicOS Enhanced 4.0 Administrator Guide Syslog Servers Adding a Syslog Server To add syslog servers to the SonicWALL security appliance: Step 1 Click Add. The Add Syslog Server window is displayed. Step 2 Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance ar[...]


  • Page 779

    779 SonicOS Enhanced 4.0 Administrator Guide Chapter 65: Configuring Log Automation Log > Automation The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.[...]

  • Page 780

    Log > Automation 780 SonicOS Enhanced 4.0 Administrator Guide E-mail Log Automation • Send Log to E-mail address - Enter your e-mail address (username@mydomain.com) in this field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed. • Send Alerts t[...]

  • Page 781

    781 SonicOS Enhanced 4.0 Administrator Guide Chapter 66: Configuring Name Resolution Log > Name Resolution The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports. The security appliance uses a DNS server or NetBIOS to resolve all IP addre[...]

  • Page 782

    Log > Name Resolution 782 SonicOS Enhanced 4.0 Administrator Guide • None: The security appliance will not attempt to resolve IP addresses and Names in the log reports. • DNS: The security appliance will use the DNS server you specify to resolve addresses and names. • NetBios: The security appliance will use NetBIOS to resolve addresse[...]

  • Page 783

    783 SonicOS Enhanced 4.0 Administrator Guide Chapter 67: Generating Log Reports Log > Reports The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You [...]

  • Page 784

    Log > Reports 784 SonicOS Enhanced 4.0 Administrator Guide Data Collection The Reports window includes the following functions and commands: • Start Data Collection Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection . • Reset Data Click Reset Data to clear the rep[...]

  • Page 785

    Log > Reports 785 SonicOS Enhanced 4.0 Administrator Guide Bandwidth Usage by IP Address Selecting Bandwidth Usage by IP Address from the Report to view menu displays a table showing the IP Address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period. Bandwidth Usage by Service Select[...]


  • Page 787

    787 SonicOS Enhanced 4.0 Administrator Guide Chapter 68: Activating SonicWALL ViewPoint Log > ViewPoint SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activiti[...]

  • Page 788

    Log > ViewPoint 788 SonicOS Enhanced 4.0 Administrator Guide Activating ViewPoint The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods. If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Apply. Warn[...]

  • Page 789

    Log > ViewPoint 789 SonicOS Enhanced 4.0 Administrator Guide 3. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit. 4. If you activated SonicWALL ViewPoint at mySonicWALL.com, the SonicWALL ViewPoint activation is automatically enabl[...]


  • Page 791

    SonicWALL SonicOS Enhanced 4.0 Administrator’s Guide 791 PART 13 Wizards[...]


  • Page 793

    793 SonicOS Enhanced 4.0 Administrator Guide Chapter 69: Configuring Internet Connectivity Using the Setup Wizard Wizards > Setup Wizard The first time you log in to the SonicWALL, the Setup Wizard is launched automatically. To launch the Setup Wizard at any time from the Management Interface, log into the SonicWALL. Click Wizards and se[...]

  • Page 794

    Wizards > Setup Wizard 794 SonicOS Enhanced 4.0 Administrator Guide The Setup Wizard screens change depending on the choices you make. For example, if you choose Guest Internet Gateway, the Setup Wizard will display the screens for Modem, WAN, WLAN, and Wireless Guest Services setup. It will not display the screens for LAN and WiFiSec setup, be[...]

  • Page 795

    Wizards > Setup Wizard 795 SonicOS Enhanced 4.0 Administrator Guide Configuring a Static IP Address with NAT Enabled Using NAT to set up your SonicWALL eliminates the need for public IP addresses for all computers on your LAN. It is a way to conserve IP addresses available from the pool of IPv4 addresses for the Internet. NAT also allows you t[...]

  • Page 796

    Wizards > Setup Wizard 796 SonicOS Enhanced 4.0 Administrator Guide Note Your Web browser must be Java-enabled and support HTTP uploads in order to fully manage SonicWALL. Internet Explorer 5.0 and above as well as Netscape Navigator 4.0 and above meet these criteria. 1. Click the Setup Wizard button on the Network > Settings page. Read the [...]

  • Page 797

    Wizards > Setup Wizard 797 SonicOS Enhanced 4.0 Administrator Guide Change Time Zone 3. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. WAN Network Mode 4. Confirm that you have the proper network information necessary to configu[...]

  • Page 798

    Wizards > Setup Wizard 798 SonicOS Enhanced 4.0 Administrator Guide WAN Network Mode: NAT Enabled 6. Enter the public IP address provided by your ISP in the SonicWALL WAN IP Address, then fill in the rest of the fields: WAN/OPT/DMZ Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses. Click Next. LAN Settings 7. The LAN page[...]

  • Page 799

    Wizards > Setup Wizard 799 SonicOS Enhanced 4.0 Administrator Guide LAN DHCP Settings 8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select Enable DHCP Server, and specify the range of IP a[...]

  • Page 800

    Wizards > Setup Wizard 800 SonicOS Enhanced 4.0 Administrator Guide Setup Wizard Complete 10. The SonicWALL stores the network settings. 11. Click Close to return to the SonicWALL Management Interface. Configuring DHCP Networking Mode DHCP is a networking mode that allows you to obtain an IP address for a specific length of time from a DHCP ser[...]

  • Page 801

    Wizards > Setup Wizard 801 SonicOS Enhanced 4.0 Administrator Guide Change Password 3. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next. Tip It is very important to choose a password which cannot be easily guessed by others. Change Time Zone 4. Select the appropriate Time Zone from the T[...]

  • Page 802

    Wizards > Setup Wizard 802 SonicOS Enhanced 4.0 Administrator Guide WAN Network Mode 5. Select DHCP; the Obtain an IP address automatically window is displayed. Click Next. WAN Network Mode: NAT with DHCP Client 6. The Obtain an IP address automatically window states that the ISP dynamically assigns an IP address to the SonicWALL. To confirm [...]

  • Page 803

    Wizards > Setup Wizard 803 SonicOS Enhanced 4.0 Administrator Guide LAN Settings 7. The Fill in information about your LAN page allows the configuration of SonicWALL LAN IP Addresses and Subnet Masks. SonicWALL LAN IP Addresses are the private IP addresses assigned to the LAN of the SonicWALL. The LAN Subnet Mask defines the range of IP address[...]

  • Page 804

    Wizards > Setup Wizard 804 SonicOS Enhanced 4.0 Administrator Guide SonicWALL Configuration Summary 9. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next. Se[...]

  • Page 805

    Wizards > Setup Wizard 805 SonicOS Enhanced 4.0 Administrator Guide Configuring NAT Enabled with PPPoE NAT with PPPoE Client is a network protocol that uses Point to Point Protocol over Ethernet to connect with a remote site using various Remote Access Service products. This protocol is typically found when using a DSL modem with an ISP requiri[...]

  • Page 806

    Wizards > Setup Wizard 806 SonicOS Enhanced 4.0 Administrator Guide Change Password 3. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next. Tip It is very important to choose a password which cannot be easily guessed by others. Change Time Zone 4. Select the appropriate Time Zone from the Ti[...]

  • Page 807

    Wizards > Setup Wizard 807 SonicOS Enhanced 4.0 Administrator Guide WAN Network Mode 5. The SonicWALL automatically detects the presence of a PPPoE server on the WAN. If not, then select PPPoE: Your ISP provided you with desktop software, a user name and password. Click Next. WAN Network Mode: NAT with PPPoE Client 6. Select whether to use a[...]

  • Page 808

    Wizards > Setup Wizard 808 SonicOS Enhanced 4.0 Administrator Guide LAN Settings 7. The LAN Settings page allows the configuration of SonicWALL LAN IP Addresses and LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. [...]

  • Page 809

    Wizards > Setup Wizard 809 SonicOS Enhanced 4.0 Administrator Guide SonicWALL Configuration Summary 9. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next. Se[...]

  • Page 810

    Wizards > Setup Wizard 810 SonicOS Enhanced 4.0 Administrator Guide Configuring PPTP Network Mode NAT with PPTP Client mode uses Point to Point Tunneling Protocol (PPTP) to connect to a remote server. It supports older Microsoft implementations requiring tunneling connectivity. 1. Click the Setup Wizard button on the Network > Settings page.[...]

  • Page 811

    Wizards > Setup Wizard 811 SonicOS Enhanced 4.0 Administrator Guide Change Password 3. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next. Tip It is very important to choose a password which cannot be easily guessed by others. Change Time Zone Select the appropriate Time Zone from the Time[...]

  • Page 812

    Wizards > Setup Wizard 812 SonicOS Enhanced 4.0 Administrator Guide WAN Network Mode 4. Select PPTP: Provided you with a server IP address, a user name and password. Click Next. WAN Network Mode: NAT with PPTP Client 5. Enter the user name and password provided by your ISP into the User Name and Password fields. Click Next.[...]

  • Page 813

    Wizards > Setup Wizard 813 SonicOS Enhanced 4.0 Administrator Guide LAN Settings 6. The LAN Settings page allows the configuration of SonicWALL LAN IP Addresses and LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN.[...]

  • Page 814

    Wizards > Setup Wizard 814 SonicOS Enhanced 4.0 Administrator Guide SonicWALL Configuration Summary 8. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window. If the configuration is correct, click Next. Se[...]

  • Page 815

    815 SonicOS Enhanced 4.0 Administrator Guide Chapter 70: Using the Registration & License Wizard Wizards > Registration & License Wizard The SonicWALL Registration and License Wizard simplifies the process of registering your SonicWALL security appliance and obtaining licenses for additional security services. To use the Reg[...]

  • Page 816

    Wizards > Registration & License Wizard 816 SonicOS Enhanced 4.0 Administrator Guide Step 2 Select Registration and License Wizard and click Next. Step 3 A screen displays confirming that you are using the Registration and License Wizard. Click Next. Step 4 If you already have a mysonicwall.com account, enter your user name and passwor[...]

  • Page 817

    Wizards > Registration & License Wizard 817 SonicOS Enhanced 4.0 Administrator Guide Step 5 On the Choose security services page, select the security services you would like to purchase and click Next. Step 6 The Registration and License Wizard launches your mysonicwall.com shopping cart. Make sure that your pop-up blocker is turned off.[...]

  • Page 818

    Wizards > Registration & License Wizard 818 SonicOS Enhanced 4.0 Administrator Guide Step 7 Verify that the services you want to purchase are listed in the shopping cart. When you are finished selecting security services, click Checkout. Step 8 The mysonicwall.com checkout page displays. Enter your credit card and billing information an[...]

  • Page 819

    Wizards > Registration & License Wizard 819 SonicOS Enhanced 4.0 Administrator Guide Step 9 The Confirm page displays. Verify that your order is correct and click Confirm. You can now print a copy of your completed order. Step 10 Close the mysonicwall.com window and return to the Registration and License Wizard. Step 11 Click Next to synch[...]

  • Page 820

    Wizards > Registration & License Wizard 820 SonicOS Enhanced 4.0 Administrator Guide Step 12 Your new security services are now available on the SonicWALL security appliance. Click Close to close the wizard.[...]

  • Page 821

    CHAPTER 71 Chapter 71: Configuring a Public Server with the Wizard Wizards > Public Server Wizard 1. Start the wizard: In the navigator, click Wizards.[...]

  • Page 822

    2. Select Public Server Wizard and click Next. 3. Select the type of server from the Server Type list. Depending on the type you select, the available services change. Check the box for the services you are enabling on this server. Click Next. 4. Enter the name of the se[...]

  • Page 823

    6. Click Next. 7. Enter the public IP address of the server. The default is the WAN public IP address. If you enter a different IP, the Public Server Wizard will create an address object for that IP address and bind the address object to the WAN zone. 8. Click Next.[...]

  • Page 824

    9. The Summary page displays a summary of all the configuration you have performed in the wizard. It should show: • Server Address Objects The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP a[...]

  • Page 825

    10. Click Apply in the Public Server Configuration Summary page to complete the wizard and apply the configuration to your SonicWALL. Tip The new IP address used to access the new server, internally and externally, is displayed in the URL field of the Congratulations win[...]

  • Page 827

    CHAPTER 72 Chapter 72: Configuring VPN Policies with the VPN Policy Wizard Wizards > VPN Wizard The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN on the SonicWALL. After the configuration is completed, the wizard creates the necessary VPN settings for the selected VP[...]

  • Page 828

    Using the VPN Policy Wizard Step 1 In the top right corner of the VPN > Settings page, click on VPN Policy Wizard. Step 2 Click Next. Step 3 In the VPN Policy Type page, select WAN GroupVPN and click Next. Step 4 In the IKE Phase 1 Key Method page, you select the authentica[...]

  • Page 829

    – Default Key: If you choose the default key, all your Global VPN Clients and Global Security Clients will automatically use the default key generated by the SonicWALL to authenticate with the SonicWALL. – Use this Key: If you choose a custom preshared key, you must distr[...]

  • Page 830

    – Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encryp[...]

  • Page 831

    Note If you enable user authentication, the users must be entered in the SonicWALL database for authentication. Users are entered into the SonicWALL database on the Users > Local Users page, and then added to groups in the Users > Local Groups page. Step 9 Click Next. Step[...]

  • Page 832

    • The shared secret if you selected a custom preshared secret in the VPN Wizard. • The authentication username and password. Configuring a Site-to-Site VPN using the VPN Wizard You use the VPN Policy Wizard to create the site-to-site VPN policy.[...]

  • Page 833

    Using the VPN Wizard to Configure Preshared Secret Step 1 On the System > Status page, click on Wizards. Step 2 In the Welcome to the SonicWALL Configuration Wizard page, select VPN Wizard and click Next. Step 3 In the VPN Policy Type page, select Site-to-Site and click Next[...]

  • Page 834

    – Policy Name: Enter a name you can use to refer to the policy. For example, Boston Office. – Preshared Key: Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation. You can use the default SonicWALL generated Preshared Key. – I know my Remo[...]

  • Page 835

    If the object or group you want has not been created yet, select Create Object or Create Group. Create the new object or group in the dialog box that pops up. Then select the new object or group. For this example, select LAN Subnets. – Destination Networks: Select the networ[...]

  • Page 836

    – Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt. AES-256 is the most secure and takes the longest time to encryp[...]

  • Page 837

    Index Symbols 401, 793, 796–797, 800–803, 805–808, 811–813, 815, 821, 827–828 Numerics 802.11a 394 802.11g 315, 394 A acceptable use policy 617 access points SonicPoints 391 access rules advanced options 430 bandwidth management 422 examples 430 public server wizard 824 vie[...]

  • Page 838

    D deep packet inspection 718 DF bit 582 DH group 829 VPN policy wizard 835 DHCP relay mode 587 setup wizard 797 VPN central gateway 588 VPN remote gateway 588 DHCP over VPN leases 591 DHCP server 278 current leases 294 dynamic ranges 281 static entries 283 VoIP settings 285 diagnostics 125 active conne[...]

  • Page 839

    I IDS 405 authorizing access points 407 rogue access points 406 IEEE 802.11b 315 IEEE 802.11g 315 IKE DH group 829 phase 2 835 VPN policy wizard 835 IKE dead peer detection 581 inbound inspection 727 interclient communications 340 interface Ethernet settings 144 Internet traffic statistics 138 physica[...]

  • Page 840

    settings 248 translated destination 248 translated service 249 translated source 248 NAT policy loopback policy 824 outbound interface 249 public server wizard 824 reflective policy 249 NAT traversal 582 network anti-virus 709 activating 710 network settings setup wizard 796 O objects service group 82 [...]

  • Page 841

    LAN settings 798–799, 803–804, 808, 813–814 NAT with DHCP client 802 NAT with PPPoE 805 NAT with PPPoE client 807 NAT with PPTP 810 NAT with PPTP client 812 static IP address with NAT enabled 795 WAN Network mode 812 WAN network mode 797, 802, 807 shared key 334 signatures 727 manually u[...]

  • Page 842

    authentication 830, 836 configuration summary 836 connecting Global VPN Clients 831 destination networks 835 DH group 829, 835 encryption 830, 836 IKE phase 1 key method 828 IKE security settings 829, 835 lifetime 836 local networks 834 peer IP address 834 policy name 834 preshared key 834 site-[...]

  • Page 843

    © 2008 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without [...]