User / maintenance manual for product 5.8.1 from manufacturer SonicWALL
PROTECTION AT THE SPEED OF BUSINESS™ SonicOS 5.8.1 Administrator's Guide
Table of Contents (excerpt, pages iii to xxii)
Part 1: Introduction. Chapter 1: Preface
Packet Rate Monitor, 68. Packet Size Monitor
Chapter 8: Configuring Administration Settings, 107. System > Administration
Chapter 14: Using Diagnostic Tools & Restarting the Appliance, 165. System > Diagnostics
Chapter 17: Setting Up Failover and Load Balancing, 275. Network > Failover & Load Balancing
Creating NAT Policies, 356. Using NAT Load Balancing
Chapter 29: Configuring Dynamic DNS, 419. Network > Dynamic DNS
Chapter 35: Configuring Wireless Settings, 475. Wireless > Settings
VAP Issues, 535. Troubleshooting
Chapter 49: Configuring Application Control, 617. Application Control
Enabling Multicast on LAN-Dedicated Interfaces, 748. Enabling Multicast Through a VPN, 749. Chapter 54: Managing Quality of Service
How Does the Anti-Spam Service Work?, 835. Purchasing an Anti-Spam License
Part 14: SSL VPN. Chapter 64: SSL VPN, 931. SSL VPN
Users > Guest Status, 1129. Logging Accounts off the Appliance
Chapter 73: Managing SonicWALL Gateway Anti-Virus Service, 1223. Security Services > Gateway Anti-Virus, 1223. SonicWALL GAV Multi-Layered Approach
Chapter 76: Configuring SonicWALL Real-Time Blacklist, 1259. SMTP Real-Time Black List Filtering
Part 20: Log. Chapter 79: Managing Log Events, 1349. Log > View
Chapter 85: Generating Log Reports, 1389. Log > Reports
Part 22: Appendices. Appendix A: CLI Guide, 1431. Input Data Format Specification
Part 1: Introduction
Chapter 1: Preface. Copyright Notice: © 2011 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software describ.
Limited Warranty: SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days .
About this Guide: Welcome to the SonicOS Enhanced 5.8 Administrator's Guide. This manual provides the information you need to successfully activate, configure, and administer SonicOS Enhanced 5.
• WAN Failover and Load Balancing - configure one of the user-defined interfaces to act as a secondary WAN port for backup or load balancing. • Zones - configure security zones on your network.
Part 10 DPI-SSL: This part describes the Deep Packet Inspection Secure Socket Layer (DPI-SSL) feature to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic.
Part 18 Security Services: This part includes an overview of available SonicWALL Security Services as well as instructions for activating the service, including FREE trials.
Icons Used in this Manual: These special messages refer to noteworthy information, and include a symbol for quick identification: Caution - Important information that cautions about features affecting firewall performance, security features, or causing potential problems with your SonicWALL.
Switzerland: +44 193.257.3929 UK: +44 193.257.3929 More Information on SonicWALL Products: Contact SonicWALL, Inc. for information about SonicWALL products and services at: Web: http://www.sonicwall.
Chapter 2: Introduction. SonicOS Enhanced 5.8.1 is the most powerful SonicOS operating system for SonicWALL security appliances. This chapter contains the following sections: • "Key Features in SonicOS Enhanced 5.
Although the entire SonicOS interface is available in different languages, sometimes the administrator does not want to change the entire UI language to a specific local one.
Anti-virus exclusions which existed before the upgrade and which apply to hosts residing in custom zones will not be detected. IP address ranges not falling into the supported zones will default to the LAN zone.
• Wire/Tap Mode - Wire Mode is a deployment option where the SonicWALL appliance can be deployed as a "Bump in the Wire." It provides a least-intrusive way to deploy the appliance in a network.
Appliances newly registered and upgraded to SonicOS 5.8.0.0 or higher will receive a 30-day free trial license of App Visualization by default. Navigate to the Log > Flow Reporting page to manually enable the Flow Reporting and Visualization feature.
capable of utilizing DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Control, Packet Monitor and Packet Mirror. DPI-SSL is supported on SonicWALL NSA models 240 and higher.
increases the efficiency of your SonicWALL security appliance by providing you the ability to configure user view settings and filter junk messages before users see them in their inboxes. The following enhancements are now available with CASS 2.
• DHCP Scalability Enhancements - The DHCP server in SonicWALL appliances has been enhanced to provide between 2 to 4 times the number of leases previously supported.
features are capable of utilizing DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Firewall, Packet Capture and Packet Mirror. DPI-SSL is initially available on NSA-3500 and above hardware platforms.
• Virtual Access Points for SonicWALL TZ Wireless Platforms - The SonicWALL TZ 100w, TZ 200w and TZ 210w platforms now support Virtual Access Points (VAPs). VAPs enable users to segment different wireless groups by creating logical segmentation on a single wireless radio.
– Fully Customizable Block Page - The web page that is displayed when a user attempts to access a blocked site can now be fully customized. This enables organizations to brand the block page and display any organization-specific information.
connections. Once the primary and backup appliances have been associated as a high availability pair on mysonicwall.com, you can enable this feature by selecting Enable Stateful Synchronization in the High Availability > Advanced page.
• Multiple and Read-only Administrator Login - Multiple Administrator Login provides a way for multiple users to be given administration rights, either full or read-only, for the SonicOS security appliance.
– EAPOL packet flood – Weak WEP IV • SMTP Authentication - SonicOS Enhanced supports RFC 2554, which defines an SMTP service extension tha.
L2 Bridge Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent security appliance integration.
– Disabled: (Default) when the appliance reboots, the DHCP client performs a DHCP DISCOVERY query.
new page, you first click on the heading, and then click on the sub-folder page you want. This eliminates the delay and redundant page loading that occurred in previous versions of SonicOS when clicking on a heading automatically loaded the first sub-folder page.
Applying Changes: Click the Accept button at the top right corner of the SonicWALL management interface to save any configuration changes you made on the page.
The behavior of the Tooltips can be configured on the System > Administration page. Tooltips are enabled by default.
A number of tables now include an option to specify the number of items displayed per page. Many tables can now be re-sorted by clicking on the headings for the various columns. On tables that are sortable, a tooltip will pop up when you mouse over headings that states Click to sort by.
Several tables include a tooltip that displays the maximum number of entries that the SonicWALL security appliance supports. For example, the following image shows the maximum number of address groups the appliance supports.
Part 2: Dashboard
Chapter 4: Using the SonicOS Visualization Dashboard. Visualization Dashboard: The SonicWALL Visualization Dashboard offers administrators an effective .
Note: Several of the SonicWALL Visualization Dashboard pages now contain a blue pop-up button that will display the dashboard in a standalone browser window that allows for a wider display.
Step 3 Navigate to the Network > Interfaces page. Click the Configure icon for the interface you wish to enable flow reporting on. Step 4 In the Advanced tab, ensure that the Enable flow reporting checkbox is selected.
Dashboard > Real-Time Monitor: The Real-Time Monitor provides administrators an inclusive, multi-functional display with information about applications, bandwidth usage, packet rate, packet size, connection rate, connection count, multi-core monitoring, and memory usage.
This section contains the following subsections: • "Using the Toolbar" section on page 62 • "Applications Mo.
Using the Toolbar: The Real-Time Monitor Toolbar contains features to specify the refresh rate, export details, configure color palettes, change the amount of data displayed, and pause or play the data flow.
Applications Monitor: The Applications data flow provides a visual representation of the current applications accessing the network. Options are available to Display, Scale, and View the Application interface.
Available Formats: Administrators are able to view the Application flow charts in a bar graph format or flow chart format. The bar graph format displays applications individually, allowing administrators to compare applications.
The flow chart format displays overlapping application data. In this graph, the x-axis displays the current time and the y-axis displays the traffic for each application.
Ingress and Egress Bandwidth Flow: The Ingress and Egress Bandwidth data flow provides a visual representation of incoming and outgoing bandwidth traffic.
Options are available to customize the Display, Scale, and View of the Ingress and Egress Bandwidth interface. Tooltips: Rolling over the interfaces provides tooltips with information about the interface assigned zone, IP address, and current port status.
Note: The Bandwidth flow charts have no direct correlation to the Application flow charts. Packet Rate Monitor: The Packet Rate Monitor provides the administrator with information on the ingress and egress packet rate in packets per second (pps).
Packet Size Monitor: The Packet Size Monitor provides the administrator with information on the ingress and egress packet rate in kilobytes per second (Kps). This can be configured to show packet size by network interface.
Connection Count Monitor: The Connection Count data flow provides the administrator a visual representation of "current" total number of connections, "peak" number of connections, and maximum.
Dashboard > AppFlow Monitor: This section contains the following subsections: • "Filter Options" section on page 71 • "AppFlow Monitor Tabs" sectio.
AppFlow Monitor Tabs: The AppFlow Monitor Tabs contain details about incoming and outgoing network traffic.
AppFlow Monitor Toolbar: The AppFlow Toolbar allows for customization of the AppFlow Monitor interface. The ability to create rules and add items to filters allows for more application and user control.
Group Options: The Group option sorts data based on the specified group. Each tab contains different grouping options. • The Applications tab can be grouped by: – Application: Displays all traffic generated by individual applications.
• The VoIP tab can be grouped according to: – Media Type: Groups VoIP flows according to media type.
AppFlow Monitor Views: Three views are available for the AppFlow Monitor: Detailed, Pie Chart, and Flow Chart View. Each view provides the administrator a unique display of incoming, real-time data.
• Information pertaining to the category, threat level, type of technology the item falls under, and other additional information. • Application details are particularly useful when an Administrator does not recognize the name of an Application.
Using Filtering Options: Using filtering options allows administrators to reduce the amount of data seen in the AppFlow Monitor. By doing so, administrators can focus on points of interest without distraction from other applications.
Dashboard > Threat Reports: This section describes how to use the SonicWALL Threat Reports feature on a SonicWALL security appliance.
What Are Threat Reports? The SonicWALL Threat Reports provide reports of the latest threat protection data from a single SonicWALL appliance and aggregated threat protection data from SonicWALL security appliances deployed globally.
Each report includes a graph of threats blocked over time and a table of the top blocked threats. Reports, which are updated hourly, can be customized to display data for the last 12 hours, 14 days, 21 days, or 6 months.
The SonicWALL Threat Reports display automatically upon successful login to a SonicWALL security appliance. You can access the SonicWALL Threat Reports at any time by navigating to Dashboard > Threat Reports in the left-hand menu.
Switching to Global or Appliance-Level View: To view SonicWALL Threat Reports global reports, select the radio button next to Global at the top of the Dashboard > Threat Reports screen.
Dashboard > User Monitor: The Dashboard > User Monitor page displays details on all user connections to the SonicWALL security appliance.
Dashboard > BWM Monitor: The Dashboard > BWM Monitor page displays per-interface bandwidth management for ingress and egress network traffic. The BWM monitor graphs are available for real-time, highest, high, medium high, medium, medium low, low and lowest policy settings.
Dashboard > Connections Monitor. Viewing Connections: The connections are listed in the Connections Monitor table. Filtering Connections Viewed: You can filter the results to display only connections matching certain criteria.
Dashboard > Packet Monitor. Note: For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor.
The Dashboard > Packet Monitor page is shown below. For an explanation of the status indicators near the top of the page, see "Understanding Status Indicators" on page 159.
Step 5 To stop the packet capture, click Stop Capture. You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See "Viewing Captured Packets" on page 89.
• Egress - The SonicWALL appliance interface on which the packet was captured when sent out – The subsystem type abbreviation is shown in parentheses.
About the Packet Detail Window: When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select.
Part 3: System
Chapter 5: Viewing Status Information. System > Status: The System > Status page provides a comprehensive collection of information and links to help you manage your SonicWALL security appliance and SonicWALL Security Services licenses.
Wizards: The Wizards button on the System > Status page provides access to the SonicWALL Configuration Wizard, which allows you to easily.
• Connections - Displays the maximum number of network connections the SonicWALL security appliance can support, the peak number of concurrent connections, and the current number of connections.
the Arrow icon displays the System > Licenses page in the SonicWALL Web-based management interface. SonicWALL Security Services and SonicWALL security appliance registration is managed by mysonicwall.
Note: mysonicwall.com registration information is not sold or shared with any other company. You can also register your security appliance at the https://www.mysonicwall.com site by using the Serial Number and Authentication Code displayed in the Security Services section.
Registering Your SonicWALL Security Appliance: If you already have a mysonicwall.com account, follow these steps to register your security appliance: Step 1 In the Security Services section on the System > Status page, click the Register link in Your SonicWALL is not registered.
Chapter 6: Managing SonicWALL Licenses. System > Licenses: The System > Licenses page provides links to activate, upgrade, or renew SonicWALL Security Services licenses.
Excluding a Node: When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group.
Manage Security Services Online: To activate, upgrade, or renew services, click the link in To Activate, Upgrade, or Renew services, click here. Click the link in To synchronize licenses with mysonicwall.
Manual Upgrade for Closed Environments: If your SonicWALL security appliance is deployed in a high security environment that does not allow direct Internet connectivity from the SonicWALL security appliance, you can enter the encrypted license key information from http://www.
Chapter 7: Viewing Support Services. System > Support Services: The System > Support Services page displays a summary of the current status of support services for the SonicWALL security appliance.
Chapter 8: Configuring Administration Settings. System > Administration: The System Administration page provides settings for the configuration of SonicWALL security appliance for secure and remote management.
Changing the Administrator Password: To set a new password for SonicWALL Management Interface access, type the old password in the Old Password field, and the new password in the New Password field.
Internet Explorer, go to Tools > Internet Options, click on the Advanced tab, and scroll to the bottom of the Settings menu. In Firefox, go to Tools > Options, click on the Advanced tab, and then click on the Encryption tab.
Tip: If the Administrator Inactivity Timeout is extended beyond five minutes, you should end every management session by clicking Logout to prevent unauthorized access to the SonicWALL security appliance's Management Interface.
Web Management Settings: The SonicWALL security appliance can be managed using HTTP or HTTPS and a Web browser. HTTP web-based management is disabled by default. Use HTTPS to log into the SonicOS management interface with factory default settings.
Changing the Default Size for SonicWALL Management Interface Tables: The SonicWALL Management Interface allows you to control the display of large tables of information across all tables in the management Interface.
The behavior of the Tooltips can be configured on the System > Administration page.
Enabling SNMP Management: SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram Protocol (UDP) that a.
Configuring SNMP as a Service and Adding Rules: By default, SNMP is disabled on the SonicWALL security appliance. To enable SNMP you must first enable SNMP on the System > Administration page, and then enable it for individual interfaces.
the GMS installation, and enter the IP address in the NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window.
• HTTPS - If this option is selected, HTTPS management is allowed from two IP addresses: the GMS Primary Agent and the Standby Agent IP address.
not have Internet access, or has access only through a proxy server, you must manually specify a URL for the SonicPoint firmware. You do not need to include the http:// prefix, but you do need to include the filename at the end of the URL.
Chapter 9: Managing Certificates. System > Certificates: To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate from a third party CA service.
(DN), validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital signature.
• Details - the details of the certificate. Moving the pointer over the icon displays the details of the certificate. • Configure - Displays the edit and delete icons for editing or deleting a certificate entry.
Importing a Certificate Authority Certificate: To import a certificate from a certificate authority, perform these steps: Step 1 Click Import. The Import Certificate window is displayed.
Importing a Local Certificate: To import a local certificate, perform these steps: Step 1 Click Import. The Import Certificate window is displayed. Step 2 Enter a certificate name in the Certificate Name field.
To generate a local certificate, follow these steps: Step 1 Click the New Signing Request button. The Certificate Signing Request window is displayed. Step 2 In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field.
Configuring Simple Certificate Enrollment Protocol: The Simple Certificate Enrollment Protocol (SCEP) is designed to support the secure issuance of certificates to network devices in a scalable manner.
127 SonicOS 5.8.1 Administrator Guide CHAPTER 10 Chapter 10: Configuring Time Settings System > Time The System > Time p age defines the time and date settings to time st amp log event s, to automatically update SonicW ALL Security Services, and for other internal purposes.
System > Time 128 SonicOS 5.8.1 Administrator Guide If you want to set your time manually , uncheck Set time automatically using NTP . Select the time in the 24-hour format using the Time (hh:mm:ss) menus and the date from the Date menus.
129 SonicOS 5.8.1 Administrator Guide CHAPTER 11 Chapter 11: Setting Schedules System > Schedules The System > Schedules page allows you to create and manage schedule objects for enforcing schedule times for a variety of SonicW ALL security applian ce features.
System > Schedules 130 SonicOS 5.8.1 Administrator Guide The Schedules table displays all your predef ined and custom schedules. In the Schedules table, there are three default schedules: Work Hours , Af ter Hours , and Weekend Hours .
System > Sche dules 131 SonicOS 5.8.1 Administrator Guide Adding a Schedule T o create schedules, click Add . The Add Schedule window is displayed. Ste p 1 Enter a descriptive name for the schedule in the Name field.
System > Schedules 132 SonicOS 5.8.1 Administrator Guide Ste p 6 Under Recurring , type in the time of day for the schedule to begin in the Start field. The tim e must be in 24-hour format, for example, 17:00 for 5 p.m. Ste p 7 Under Recurring , type in the time of day for the schedule to stop in the Sto p field.
133 Chapter 12: Managing SonicWALL Security Appliance Firmware System > Settings The System > Settings page allows you to manage your SonicWALL security appliance's SonicOS versions and preferences.
System > Settings 134 Settings Import Settings To import a previously saved preferences file into the SonicWALL security appliance, follow these instructions: Step 1 Click Import Settings to import a previously exported preferences file into the SonicWALL security appliance.
System > Settings 135 Firmware Management The Firmware Management section provides settings that allow for easy firmware upgrade and preferences management. The Firmware Management section allows you to: • Upload and download firmware images and system settings.
System > Settings 136 • Size - the size of the firmware file in Mebibytes (MiB). • Download - clicking the icon saves the firmware file to a new location on your computer or network. Only uploaded firmware can be saved to a different location.
System > Settings 137 After the SonicWALL security appliance reboots, open your Web browser and enter the current IP address of the SonicWALL security appliance or the default IP address: 192.
System > Settings 138 Caution Only select the Boot with firmware diagnostics enabled (if available) option if instructed to by SonicWALL technical support.
139 Chapter 13: Using the Packet Monitor System > Packet Monitor Note For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor.
System > Packet Monitor 140 • Interface identification • MAC addresses • Ethernet type • Internet Protocol (IP) type • Source and destination IP addresse.
System > Packet Monitor 141 Default settings are provided so that you can start using packet monitor without configuring it first.
System > Packet Monitor 142 Refer to the figure below to see a high-level view of the packet monitor subsystem. This shows the different filters and how they are applied.
System > Packet Monitor 143 • Encapsulate the packet and send it to a remote SonicWALL appliance. • Send a copy to a physical port with a VLAN configured. Classification is performed on the Monitor Filter and Advanced Monitor Filter tabs of the Packet Monitor Configuration window.
System > Packet Monitor 144 Step 2 In the Packet Monitor Configuration window, click the Settings tab. Step 3 Under General Settings in the Number of Bytes To Capture (per packet) box, type the number of bytes to capture from each packet.
System > Packet Monitor 145 To configure the general settings, perform the following steps: Step 1 Navigate to the Firewall > Access Rules page and click the Configure icon for the rule(s) you wish to enable packet monitoring or flow reporting on.
System > Packet Monitor 146 Step 2 In the Packet Monitor Configuration window, click the Monitor Filter tab. Step 3 Choose Enable filter based on the firewall/app rule if you are using firewall rules to capture specific traffic.
System > Packet Monitor 147 specified; for example: !TCP, !UDP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See “Supported Packet Types” on page 162.
System > Packet Monitor 148 To configure Packet Monitor display filter settings, complete the following steps: Step 1 Navigate to the Dashboard > Packet Monitor page and click Configure. Step 2 In the Packet Monitor Configuration window, click the Display Filter tab.
System > Packet Monitor 149 Step 7 In the Source Port(s) box, type the port numbers from which you want to display packets, or use the negative format (!25) to display packets captured from all source ports except those specified.
System > Packet Monitor 150 Step 2 In the Packet Monitor Configuration window, click the Logging tab. Step 3 In the FTP Server IP Address box, type the IP address of the FTP server. Note Make sure that the FTP server IP address is reachable by the SonicWALL appliance.
System > Packet Monitor 151 Restarting FTP Logging If automatic FTP logging is off, either because of a failed connection or because it was simply disabled, you can restart it in Configure > Logging. Step 1 Navigate to the Dashboard > Packet Monitor page and click Configure.
System > Packet Monitor 152 Even when other monitor filters do not match, this option ensures that packets generated by the SonicWALL appliance are captured. This includes packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPoE, and routing protocols.
System > Packet Monitor 153 Configuring Mirror Settings This section describes how to configure Packet Monitor mirror settings. Mirror settings provide a way to send packets to a different physical port of the same firewall, or to send packets to, or receive them from, a remote SonicWALL firewall.
System > Packet Monitor 154 Step 7 In the Encrypt remote mirrored packets via IPSec (preshared key-IKE) field, type the pre-shared key to be used to encrypt traffic when sending mirrored packets to the remote SonicWALL.
System > Packet Monitor 155 The Dashboard > Packet Monitor page is shown below: For an explanation of the status indicators near the top of the page, see “Understanding Status Indicators” on page 159.
System > Packet Monitor 156 Step 5 To stop the packet capture, click Stop Capture. You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the screen. See “Viewing Captured Packets” on page 156.
System > Packet Monitor 157 • Egress - The SonicWALL appliance interface on which the packet was captured when sent out – The subsystem type abbreviation is shown in parentheses.
System > Packet Monitor 158 About the Packet Detail Window When you click on a packet in the Captured Packets window, the packet header fields are displayed in the Packet Detail window. The display will vary depending on the type of packet that you select.
System > Packet Monitor 159 Verifying Packet Monitor Activity This section describes how to tell if your packet monitor, mirroring, or FTP logging is working correctly according to the configuration.
System > Packet Monitor 160 Mirroring Status There are three status indicators for packet mirroring: Local mirroring – Packets sent to another physical interfa.
System > Packet Monitor 161 FTP Logging Status The FTP logging status indicator shows one of the following three conditions: • Red – Automatic FTP logging is o.
System > Packet Monitor 162 Related Information This section contains the following: • “Supported Packet Types” on page 162 • “File Formats for Export.
System > Packet Monitor 163 Examples of the HTML and Text formats are shown in the following sections: • “HTML Format” on page 163 • “Text File Format” on page 164 HTML Format You can view the HTML format in a browser.
System > Packet Monitor 164 Text File Format You can view the text format output in a text editor. The following is an example showing the header and part of the data for the first packet in the buffer.
165 Chapter 14: Using Diagnostic Tools & Restarting the Appliance System > Diagnostics The System > Diagnostics page provides several diagnostic tools that help troubleshoot network problems, as well as Active Connections, CPU and Process Monitors.
System > Diagnostics 166 Tech Support Report The Tech Support Report generates a detailed report of the SonicWALL security appliance configuration and status, and saves it to the local hard disk using the Download Report button.
System > Diagnostics 167 Diagnostic Tools You select the diagnostic tool from the Diagnostic Tool drop-down list in the Diagnostic Tool section of the System > Diagnostics page.
System > Diagnostics 168 Check Network Settings Check Network Settings is a diagnostic tool which automatically checks the network connectivity and service availa.
System > Diagnostics 169 The Check Network Settings tool is dependent on the Network Monitor feature available on the Network > Network Monitor page of the SonicOS management interface.
System > Diagnostics 170 Active Connections Monitor Settings You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Src Interface, and Dst Interface.
System > Diagnostics 171 Multi-Core Monitor The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the SonicWALL security appliances. Core 0 handles the control plane.
System > Diagnostics 172 Core Monitor The Core Monitor displays dynamically updated statistics on the utilization of a single specified core on the SonicWALL NSA E-Class series security appliances. The View Style provides a wide range of time intervals that can be displayed to review core usage.
System > Diagnostics 173 CPU Monitor The CPU Monitor diagnostic tool shows real-time CPU utilization in second, minute, hour, and day intervals (historical data does not persist across reboots). The CPU Monitor is only included on single-core SonicWALL security appliances.
System > Diagnostics 174 Link Monitor The Link Monitor displays bandwidth utilization for the interfaces on the SonicWALL security appliance.
System > Diagnostics 175 DNS Name Lookup The SonicWALL security appliance has a DNS lookup tool that returns the IP address of a domain name. Or, if you enter an IP address, it returns the domain name for that address.
System > Diagnostics 176 Core 0 Process Monitor The Core 0 Process Monitor shows the individual system processes on core 0, their CPU utilization, and their system time. The Core 0 Process Monitor is only available on the multi-core NSA E-Class appliances.
System > Diagnostics 177 Reverse Name Resolution The Reverse Name Resolution tool is similar to the DNS name lookup tool, except that it looks up a server name, given an IP address.
System > Diagnostics 178 the output is displayed under Result. The results include the domain name or IP address that you entered, the DNS server from your list.
System > Diagnostics 179 User Monitor The User Monitor tool displays details on all user connections to the SonicWALL security appliance.
System > Restart 180 • Show – Select whether to show All Users, Remote Users with GVC/L2TP Client, or Users Authenticated by Web Login. System > Restart The SonicWALL security appliance can be restarted from the Web Management interface.
181 Part 4: Network.
183 Chapter 15: Configuring Interfaces Network > Interfaces The Network > Interfaces page includes interface objects that are directly linked to physical interfaces. The SonicOS Enhanced scheme of interface addressing works in conjunction with network zones and address objects.
Network > Interfaces 184 • “IPS Sniffer Mode” on page 214 • “Configuring Interfaces” on page 219 • “Configuring Layer 2 Bridge Mode” on page 247.
Network > Interfaces 185 • Configure - click the Configure icon to display the Edit Interface window, which allows you to configure the settings for the specified interface.
Network > Interfaces 186 Physical Interfaces Physical interfaces must be assigned to a zone to allow for configuration of Access Rules to govern inbound and outbound traffic. Security zones are bound to each physical interface, where it acts as a conduit for inbound and outbound traffic.
Network > Interfaces 187 Subinterfaces VLAN support on SonicOS Enhanced is achieved by means of subinterfaces, which are logical interfaces nested beneath a physical interface. Every unique VLAN ID requires its own subinterface.
Network > Interfaces 188 Zones are the hierarchical apex of SonicOS Enhanced's secure objects architecture. SonicOS Enhanced includes predefined zones and also allows you to define your own zones. Predefined zones include LAN, DMZ, WAN, WLAN, and Custom.
Network > Interfaces 189 You can also use L2 Bridge Mode in a High Availability deployment. This scenario is explained in the “Layer 2 Bridge Mode with High Availability” section on page 209.
Network > Interfaces 190 Key Concepts to Configuring L2 Bridge Mode and Transparent Mode The following terms will be used when referring to the operation and confi.
Network > Interfaces 191 does not preclude an interface from conventional behavior; for example, if X1 is configured as a Primary Bridge Interface paired to X3 as.
Network > Interfaces 192 – Wireless services with SonicPoints, where communications will occur between wireless clients and hosts on the Bridge-Pair.
Network > Interfaces 193 interface or through a reboot. Once the router's ARP cache is cleared, it can then send a new ARP request for 192.168.0.100, to which the SonicWALL will respond with its X1 MAC 00:06:B1:10:10:11.
Network > Interfaces 194 Simple Transparent Mode Topology ARP in L2 Bridge Mode L2 Bridge Mode employs a learning bridge design where it will dynamically determine which hosts are on which interface of an L2 Bridge (referred to as a Bridge-Pair).
Network > Interfaces 195 VLAN Support in L2 Bridge Mode On SonicWALL NSA series appliances, L2 Bridge Mode provides fine control over 802.1Q VLAN traffic traversing an L2 Bridge. The default handling of VLANs is to allow and preserve all 802.
Network > Interfaces 196 – If the VLAN ID is allowed, the packet is de-capsulated, the VLAN ID is stored, and the inner packet (including the IP header) is passed through the full packet handler.
Network > Interfaces 197 Multiple Subnets in L2 Bridge Mode L2 Bridge Mode is capable of handling any number of subnets across the bridge, as described above. The default behavior is to allow all subnets, but Access Rules can be applied to control traffic as needed.
Network > Interfaces 198 Subnets supported Any number of subnets is supported. Firewall Access Rules can be written to control traffic to/from any of the subnets as needed.
Network > Interfaces 199 Benefits of Transparent Mode over L2 Bridge Mode The following are circumstances in which Transparent Mode might be preferable over L2 Bridge Mode: • Two interfaces are the maximum allowed in an L2 Bridge Pair.
Network > Interfaces 200 L2 Bridge Path Determination Packets received by the SonicWALL on Bridge-Pair interfaces must be forwarded along the appropriate and optimal path toward their destination, whether that path is the Bridge-Partner, some other physical or sub interface, or a VPN tunnel.
Network > Interfaces 201 L2 Bridge Interface Zone Selection Bridge-Pair interface zone assignment should be done according to your network's traffic flow requirements.
Network > Interfaces 202 Based on the source and destination, the packet's directionality is categorized as either Incoming or Outgoing (not to be confused with Inbound and Outbound), where the following criteria are used to make the determination: Table data is subject to change.
Network > Interfaces 203 Access Rule Defaults Default, zone-to-zone Access Rules. The default Access Rules should be considered, although they can be modified as needed.
Network > Interfaces 204 See the following sections: • “Wireless Layer 2 Bridge” on page 204 • “Inline Layer 2 Bridge Mode” on page 205 • “Perimete.
Network > Interfaces 205 To configure a WLAN to LAN Layer 2 interface bridge: Step 1 Navigate to the Network > Interfaces page in the SonicOS management interface. Step 2 Click the Configure icon for the wireless interface you wish to bridge.
Network > Interfaces 206 HP's ProCurve Manager Plus (PCM+) and HP Network Immunity Manager (NIM) server software packages can be used to manage the switches as well as some aspects of the SonicWALL UTM appliance.
Network > Interfaces 207 Perimeter Security The following diagram depicts a network where the SonicWALL is added to the perimeter for the purpose of providing security services (the network may or may not have an existing firewall between the SonicWALL and the router).
Network > Interfaces 208 Internal Security This diagram depicts a network where the SonicWALL will act as the perimeter security device and secure wireless platform.
Network > Interfaces 209 b. Security services directionality would be classified as Outgoing for traffic from the Workstations to the Server, since the traffic would have a Trusted source zone and a Public destination zone.
Network > Interfaces 210 When setting up this scenario, there are several things to take note of on both the SonicWALLs and the switches. On the SonicWALL appliances: • Do not enable the Virtual MAC option when configuring High Availability.
Network > Interfaces 211 On the Firewall > Access Rules page, click the Configure icon for the intersection of WAN to LAN traffic. Click the Configure icon next to the default rule that implicitly blocks uninitiated traffic from the WAN to the LAN.
Network > Interfaces 212 For the Management setting, select the HTTPS and Ping check boxes. Click OK to save and activate the changes. To configure the LAN interface settings, navigate to the Network > Interfaces page and click the Configure icon for the LAN interface.
Network > Interfaces 213 Click OK to save and activate the change. You may be automatically disconnected from the UTM appliance's management interface.
Network > Interfaces 214 Configure or verify settings From a management station inside your network, you should now be able to access the management interface on the UTM appliance using its WAN IP address. Make sure that all security services for the SonicWALL UTM appliance are enabled.
Network > Interfaces 215 The WAN interface of the SonicWALL is used to connect to the SonicWALL Data Center for signature updates or other data. In IPS Sniffer Mode, a Layer 2 Bridge is configured between two interfaces in the same zone on the SonicWALL, such as LAN-LAN or DMZ-DMZ.
Network > Interfaces 216 checkbox should also be selected for IPS Sniffer Mode to ensure that the traffic from the mirrored switch port is not sent back out onto the network. (The Never route traffic on this bridge-pair setting is known as Captive-Bridge Mode.
Network > Interfaces 217 Sample IPS Sniffer Mode Topology This section provides an example topology that uses SonicWALL IPS Sniffer Mode in a Hewlett Packard ProCurve switching environment.
Network > Interfaces 218 To configure this deployment, navigate to the Network > Interfaces page and click on the Configure icon for the X2 interface. On the X2 Settings page, set the IP Assignment to ‘Layer 2 Bridged Mode’ and set the Bridged To: interface to ‘X0’.
Network > Interfaces 219 Configuring Interfaces This section is divided into: • “Configuring the Static Interfaces” on page 219 • “Configuring Interfa.
Network > Interfaces 220 Note The administrator password is required to regenerate encryption keys after changing the SonicWALL security appliance's address. Configuring Advanced Settings for the Interface If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab.
Network > Interfaces 221 Configuring Interfaces in Transparent Mode Transparent Mode enables the SonicWALL security appliance to bridge the WAN subnet onto an internal interface.
Network > Interfaces 222 c. Enter the IP address of the host, the beginning and ending address of the range, or the IP address and subnet mask of the network. d. Click OK to create the address object and return to the Edit Interface window.
Network > Interfaces 223 Configuring Wireless Interfaces A Wireless interface is an interface that has been assigned to a Wireless zone and is used to support SonicWALL SonicPoint secure access points. Step 1 Click on the Configure icon in the Configure column for the Interface you want to configure.
Network > Interfaces 224 Note The above table depicts the maximum subnet mask sizes allowed. You can still use classful subnetting (class A, class B, or class C) or any variable length subnet mask that you wish on WLAN interfaces.
Network > Interfaces 225 On SonicWALL NSA series appliances, select the Enable 802.1p tagging checkbox to tag information passing through this interface with 802.1p priority information for Quality of Service (QoS) management.
Network > Interfaces 226 • L2TP - uses IPsec to connect a L2TP (Layer 2 Tunneling Protocol) server and encrypts all data transmitted from the client to the server. However, it does not encrypt network traffic to other destinations.
Network > Interfaces 227 Ethernet Settings If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL.
Network > Interfaces 228 Use the Bandwidth Management section of the Edit Interface screen to enable or disable ingress and egress bandwidth management. Egress and Ingress available link bandwidth can be used to configure the upstream and downstream connection speeds in kilobits per second.
Network > Interfaces 229 If you are using PPPoE, a Client Settings section displays in the Protocol tab: Step 3 If you want PPPoE to disconnect after a specific time period, click the Inactivity Disconnect checkbox and enter the time period (in minutes).
Network > Interfaces 230 Configuring the ADSL Expansion Module ADSL is an acronym for Asymmetric Digital Subscriber Line (or Loop). The line is asymmetric because, when connected to the ISP, the upstream and downstream speeds of transmission are different.
Network > Interfaces 231 The ADSL interface is never unassigned. When plugged in, it is always present in the WAN zone, and the zone assignment cannot be modified by the administrator. Click on the Configure icon to the right of the interface entry.
Network > Interfaces 232 When the ADSL module is first plugged in, it should be added to the WAN Load Balancing default group so that the ADSL module can be used to handle default route traffic. Go to the Failover and LB screen and click the Configure icon to edit the settings.
Network > Interfaces 233 On the General menu, add the ADSL interface to the Load Balancing group. If the default primary WAN, X1, is unused or unconfigured, it can be removed for a cleaner interface configuration.
Network > Interfaces 234 To configure the T1/E1 Module, perform the following tasks: Step 1 Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure. The Edit Interface window is displayed.
Network > Interfaces 235 If you want to enable remote management of the SonicWALL security appliance from this interface, select the supported management protocol(s): HTTP, HTTPS, SSH, Ping, SNMP, and/or SSH.
Network > Interfaces 236 Step 9 Line Build Out is available with T1. The options are: 0.0 dB, -7.5 dB, -15 dB, -22.5 dB. CRC is configured with an enable/disable check-box. When T1 is selected, the check-box is labeled CRC6; when E1 is selected, the check-box is labeled CRC4.
Network > Interfaces 237 Configuring the 2 Port SFP or 4 Port Gigabit Ethernet Modules (NSA 2400MX and NSA 250M) Step 1 Click on the Edit icon in the Configure column for the Interface of the expansion module you want to configure.
Network > Interfaces 238 Configuring the Advanced Settings for the Module Interface The Advanced tab includes settings for forcing an Ethernet speed and duplex, overriding the Default MAC address, enabling multicast support on the interface, and enabling 802.
Network > Interfaces 239 Link Aggregation Link Aggregation is used to increase the available bandwidth between the firewall and a switch by aggregating up to four interfaces into a single aggregate link, referred to as a Link Aggregation Group (LAG).
Network > Interfaces 240 2. Click on the Advanced tab. 3. In the Redundant/Aggregate Ports pulldown menu, select Link Aggregation. 4. The Aggregate Port option is displayed with a checkbox for each of the currently unassigned interfaces on the firewall.
Network > Interfaces 241 Port Redundancy Failover SonicWALL provides multiple methods for protecting against loss of connectivity in the case of a link failure, including High Availability (HA), Load Balancing Groups (LB Groups), and now Port Redundancy.
Network > Interfaces 242 Configuring Routed Mode Routed Mode provides an alternative to NAT for routing traffic between separate public IP address ranges. Consider the following topology where the firewall is routing traffic across two public IP address ranges: • 10.
Network > Interfaces 243 3. Under the Expert Mode Settings heading, select the Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation checkbox to enable Routed Mode for the interface.
Network > Interfaces 244 Configuring SonicWALL PortShield Interfaces PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well.
Network > Interfaces 245 To configure a PortShield interface, perform the following steps: Step 1 Click on the Network > Interfaces page. Step 2 Click the Configure button for the interface you want to configure.
Network > Interfaces 246 Note You can add PortShield interfaces only to Trusted, Public, and Wireless zones. Step 4 In the IP Assignment pulldown menu, select PortShield Switch Mode. Step 5 In the PortShield to pulldown menu, select the interface you want to map this port to.
Network > Interfaces 247 Step 6 Configure the subinterface network settings based on the zone you selected. See the interface configuration instructions earlier.
Network > Interfaces 248 • Apply security services to the appropriate zones Configuring the Common Settings for L2 Bridge Mode Deployments The following settings need to be configured on your SonicWALL UTM appliance prior to using it in most of the Layer 2 Bridge Mode topologies.
Network > Interfaces 249 Then, click the Configure button. On the SNMP Settings page, enter all the relevant information for your UTM appliance: the GET and TRAP SNMP community names that the SNMP server expects, and the IP address of the SNMP server.
Network > Interfaces 250 Enabling Syslog On the Log > Syslog page, click on the Add button and create an entry for the syslog server.
Network > Interfaces 251 An example of the Intrusion Prevention settings is shown below: An example of the Anti-Spyware settings is shown below:
Network > Interfaces 252 Creating Firewall Access Rules If you plan to manage the appliance from a different zone, or if you will be using a server such as the HP PCM+/NIM server for management, SNMP, or syslog services, create access rules for traffic between the zones.
Network > Interfaces 253 Configuring Wireless Zone Settings If you are using an HP PCM+/NIM system and it will be managing an HP ProCurve switch on an interface assigned to a WLAN/Wireless zone, you will need to deactivate two features; otherwise you will not be able to manage the switch.
Network > Interfaces 254 Configuring the Primary Bridge Interface Step 1 Select the Network tab, Interfaces folder from the navigation panel. Step 2 Click the Configure icon in the right column of the X1 (WAN) interface.
Network > Interfaces 255 Configuring the Secondary Bridge Interface Step 1 On the Network > Interfaces page, click the Configure icon in the right column of the X0 (LAN) interface. Step 2 In the IP Assignment drop-down list, select Layer 2 Bridged Mode.
Network > Interfaces 256 – Transformations and flow analysis (on SonicWALL NSA series appliances): H.323, SIP, RTSP, ILS/LDAP, FTP, Oracle, NetBIOS, Real Audio, TFTP – IPS and GAV At this point, if the packet has been validated as acceptable traffic, it is forwarded to its destination.
Network > Interfaces 257 When creating a zone (either as part of general administration, or as a step in creating a subinterface), a checkbox will be presented on the zone creation page to control the auto-creation of a GroupVPN for that zone.
Network > Interfaces 258 VPN Integration with Layer 2 Bridge Mode When configuring a VPN on an interface that is also configured for Layer 2 Bridge mode, you must configure an additional route to ensure that incoming VPN traffic properly traverses the SonicWALL security appliance.
Network > Interfaces 259 • Connect the mirrored port on the switch to either one of the interfaces in the Bridge-Pair • Connect and configure the WAN to allo.
Network > Interfaces 260 Step 3 In the Edit Interface dialog box on the General tab, select LAN from the Zone drop-down list. Note that you do not need to configure settings on the Advanced or VLAN Filtering tabs.
Network > Interfaces 261 To determine the traps that are possible when using IPS Sniffer Mode with Intrusion Prevention enabled, search for Intrusion in the table found in the Index of Log Event Messages section in the SonicOS Log Event Reference Guide.
Network > Interfaces 262 Configuring Security Services (Unified Threat Management) The settings that you enable in this section will control what type of malicious traffic you detect in IPS Sniffer Mode.
Network > Interfaces 263 Table 1 Wire Mode Settings Wire Mode Setting Description Bypass Mode Bypass Mode allows for the quick and relatively non-interruptive introduction of Wire Mode into a network. Upon selecting a point of insertion into a network (e.
Network > Interfaces 264 SonicOS 5.8.1 Administrator Guide Secure Mode Secure Mode is the progression of Inspect Mode, actively interposing the SonicW ALL security ap pliance’s multi-core processors into the packet processing p ath.
Network > Interfaces 265 SonicOS 5.8.1 Administrator Guide T o summarize the key functional dif ferences between modes of inte rface configuration: Note When operating in Wire-Mode, the Soni cW ALL security appliance’ s dedicated “Management” interface will be used for local management.
Network > Interfaces 266 SonicOS 5.8.1 Administrator Guide 3. T o configure the Interface for T ap Mode, in the Mode / IP Assig nment pulldown menu, select T ap Mode (1-Port T ap ) and click OK . 4. T o configure the Interface for Wire Mode, in the Mode / IP Assignment pulldown menu, select Wire Mode (2-Port Wire ).
Chapter 16: Configuring PortShield Interfaces
Network > PortShield Groups
PortShield architecture enables you to configure some or all of the LAN ports into separate security contexts, providing protection not only from the WAN and DMZ, but between devices inside your network as well.
The Network > PortShield Groups page allows you to manage the assignments of ports to PortShield interfaces.
Static Mode and Transparent Mode
A PortShield interface is a virtual interface with a set of ports assigned to it.
Note Make sure the IP address you assign to the PortShield interface is within the WAN subnetwork. When you create a PortShield interface in Transparent Mode, you create a range of addresses to be applied to the PortShield interface.
2. Click the Configure button for the interface you want to configure. The Edit Interface window displays.
3. In the Zone pulldown menu, select the zone type option to which you want to map the interface.
• Interfaces that are the same color (other than black or yellow) are part of a PortShield group, with the master interface having a white outline around the color.
• Interfaces that are greyed out cannot be added to a PortShield group.
Configuring PortShield Interfaces with the PortShield Wizard
The PortShield Wizard quickly and easily guides you through several common PortShield group configurations. To use the PortShield wizard, perform the following steps:
1.
• WAN/OPT/LAN Switch
• WAN/LAN/HA
Note In the WAN/LAN/HA scenario, when High Availability is not enabled, the X6 port is assigned to the LAN zone.
• WAN/LAN/LAN2 Switch
3.
Chapter 17: Setting Up Failover and Load Balancing
Network > Failover & Load Balancing
This chapter contains the following sections:
• "Fail
• Any TCP-SYN to Port — This option is available when the Respond to Probes option is enabled. When selected, the appliance will only respond to TCP probe request packets having the same packet destination address TCP port number as the configured value.
General Tab
To configure the Group Member Rank settings, click the Configure icon of the Group you wish to configure on the Network > Failover & LB page. The General tab screen displays.
Note The Interface Rank does not specify the operation that will be performed on the individual member. The operation that will be performed is specified by the Group Type.
• Tx Unicast
• Tx Bytes
• Throughput (KB/s)
• Throughput (Kbits/s)
In the Display Statistics for pulldown menu, select which LB group you want to view statistics for.
Routing the Default & Secondary Default Gateways
Because the gateway address objects previously associated with
DNS
When DNS name resolution issues are encountered with this firmware, you may need to select the Specify DNS Servers Manually option and set the servers to Public DNS Servers (ICANN or non-ICANN).
Chapter 18: Configuring Zones
Network > Zones
This section contains the following subsections:
• "How Zones Work" on page 284
• "The Zon
tunnels, which is a feature that users have long requested. SonicWALL security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zone.
doorperson can also elect to force people to put on a costume before traveling to another room, or to exit, or to another remote office. This hides the true identity of the person, masquerading the person as someone else.
• Public: A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side.
• Enable SSL Control – Requires inspection of all new SSL connections initiated from the zone. Note that SSL Control must first be enabled globally on the Firewall > SSL Control page. For more information, see "Firewall Settings > SSL Control" on page 777.
• Enforce Global Security Clients – A check mark indicates users on this zone are required to use the Global Security client for desktop security.
• Enable SSL Control – A check mark indicates inspection of all new SSL connections initiated from the zone is required.
To configure the zone, perform the following steps:
Step 1 Type a name for the new zone in the Name field.
Step 2 Select a security type (Trusted, Public or Wireless) from the Security Type menu.
Configuring a Zone for Guest Access
SonicWALL User Guest Services provides network administrators with an easy solution for creating wired and wireless guest passes and/or locked-down Internet-only network access for visitors or untrusted network nodes.
Step 3 Click the Guest Services tab.
Step 4 Choose from the following configuration options for Guest Services:
– Enable Guest Services - Enables guest services on the WLAN zone.
– Enable External Guest Authentication - Requires guests connecting from the device or network you select to authenticate before gaining access.
Configuring the WLAN Zone
Step 1 Click the Edit icon for the WLAN zone. The Edit Zone window is displayed.
Step 2 In the General tab, select the Allow Interface Trust setting to automate the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance.
– Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
– Create Group VPN - Creates a GroupVPN policy for the zone, which is displayed in the VPN Policies table on the VPN > Settings page.
Tip Uncheck Only allow traffic generated by a SonicPoint and use the zone on a wired interface to allow guest services on that interface.
Step 6 Select SSL VPN Enforcement to require that all traffic that enters into the WLAN zone be authenticated through a SonicWALL SSL VPN appliance.
Step 7 In the SSL VPN Server list, select an address object to direct traffic to the SonicWALL SSL VPN appliance.
Chapter 19: Configuring DNS Settings
Network > DNS
The Domain Name System (DNS) is a distributed, hierarchical system that provides a method for id
In the DNS Settings section, select Specify DNS Servers Manually and enter the IP address(es) into the DNS Server fields. Click Accept to save your changes. To use the DNS Settings configured for the WAN zone, select Inherit DNS Settings Dynamically from the WAN Zone.
Chapter 20: Configuring Address Objects
Network > Address Objects
Address Objects are one of four object classes (Address, User, Service, and Schedule) in SonicOS Enhanced.
• MAC Address – MAC Address Objects allow for the identification of a host by its hardware address or MAC (Media Access Control) address.
You can view Address Objects in the following ways using the View Style menu:
• All Address Objects - Displays all configured Address Objects.
• Custom Address Objects - Displays Address Objects with custom properties.
Adding an Address Object
To add an Address Object, click the Add button under the Address Objects table in the All Address Objects or Custom Address Objects views to display the Add Address Object window.
– If you selected MAC, enter the MAC address and netmask in the Network and MAC Address field.
– If you selected FQDN, enter the domain name for the individual site or range of sites (with a wildcard) in the FQDN field.
Creating Group Address Objects
As more and more Address Objects are added to the SonicWALL security appliance, you can simplify managing the addresses and access policies by creating groups of addresses.
See Part 21, Wizards for more information on configuring the SonicWALL security appliance using wizards.
Working with Dynamic Addresses
From its inception, SonicOS Enhanced has used Address Objects (AOs) to represent IP addresses in most areas throughout the user interface.
Key Features of Dynamic Address Objects
The term Dynamic Address Object (DAO) describes the underlying framework enabling MAC and FQDN AOs. By transforming AOs from static to dynamic structures, Firewall > Access Rules can automatically respond to changes in the network.
FQDN wildcard support
FQDN Address Objects support wildcard entries, such as "*.somedomainname.com", by first resolving the base domain name to all its defined host IP addresses, and then by constantly and actively gleaning DNS responses as they pass through the firewall.
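The wildcard FQDN behaviour described above, as an added example that is not SonicOS code: a small model of a dynamic address object that is seeded by resolving the base name, then kept current by gleaning DNS answers seen in transit, with each learned address expiring when its DNS TTL lapses. The domain names, addresses and TTLs are constructed for the demonstration.

```python
"""Added example (not SonicOS code): a wildcard FQDN Address Object that is seeded
from a base-name lookup and then kept current by gleaning DNS answers that cross
the firewall. Names, IPs and TTLs below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FqdnAddressObject:
    """A dynamic address object such as '*.somedomainname.com' (constructed name)."""
    pattern: str
    # ip -> absolute expiry time in seconds; an entry drops out when its DNS TTL lapses
    members: dict = field(default_factory=dict)

    def matches(self, name: str) -> bool:
        """True if `name` is the base domain or any label under it (for '*.' patterns)."""
        name = name.rstrip(".").lower()
        pat = self.pattern.lower()
        if pat.startswith("*."):
            base = pat[2:]
            return name == base or name.endswith("." + base)
        return name == pat

    def glean(self, answers, now: float) -> int:
        """Feed observed DNS A-record answers as (name, ip, ttl). Returns how many were kept."""
        kept = 0
        for name, ip, ttl in answers:
            if not self.matches(name):
                continue
            ipaddress.ip_address(ip)  # reject malformed addresses before caching them
            self.members[ip] = now + ttl
            kept += 1
        return kept

    def expire(self, now: float) -> None:
        """Drop every member whose TTL has run out."""
        for ip, expiry in list(self.members.items()):
            if expiry <= now:
                del self.members[ip]

    def contains(self, ip: str, now: float) -> bool:
        """Membership test as an access rule would apply it; expired entries never match."""
        self.expire(now)
        return ip in self.members


# Constructed sample data: the base-name resolution at t=0, then answers gleaned at t=10.
BASE_LOOKUP = [("somedomainname.com", "203.0.113.10", 300)]
GLEANED = [
    ("www.somedomainname.com", "203.0.113.20", 60),
    ("cdn.somedomainname.com", "198.51.100.5", 600),
    ("www.other-example.net", "192.0.2.99", 600),  # not under the wildcard, must be ignored
]


def build_demo_object():
    """Construct the object, seed it, and glean the sample answers."""
    ao = FqdnAddressObject("*.somedomainname.com")
    ao.glean(BASE_LOOKUP, now=0)
    ao.glean(GLEANED, now=10)
    return ao


if __name__ == "__main__":
    ao = build_demo_object()
    print(sorted(ao.members))          # the three in-scope addresses
    print(ao.contains("203.0.113.20", now=100))  # False: its 60 s TTL expired at t=70
```

Two properties of this model are the ones worth checking against the real feature: an answer for a name outside the wildcard is never cached, and an address stops matching once its TTL has lapsed, so a rule built on the object only ever permits addresses that DNS currently vouches for. Gleaning only sees DNS responses that actually traverse the firewall, which is why the later section on using an internal DNS server for FQDN-based access rules matters in DHCP environments.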
Enforcing the use of sanctioned servers on the network
Although not a requirement, it is recommended to enforce the use of authorized or sanctioned servers on the network.
• Create Access Rules in the relevant zones allowing only authorized SMTP servers on your network to communicate outbound SMTP; block all other outbound SMTP traffic to prevent intentional or unintentional outbound spamming.
Using MAC and FQDN Dynamic Address Objects
MAC and FQDN DAOs provide extensive Access Rule construction flexibility. MAC and FQDN AOs are configured in the same fashion as static Address Objects, that is, from the Network > Address Objects page.
Step 1 – Create the FQDN Address Object
• From Network > Address Objects, select Add and create the following Address Object:
• When first created, this entry will resolve only to the address for dyndns.
Using an Internal DNS Server for FQDN-based Access Rules
It is common for dynamically configured (DHCP) network environments to wo
to the 10.50.165.2 server, but to no other LAN resources. All other wireless clients should not be able to access the 10.50.165.2 server, but should have unrestricted access everywhere else.
Step 2 – Create the Firewall Access Rules
• To create access rules, navigate to the Firewall > Access Rules page, click on the All Rules radio button, scroll to the bottom of the page and click the Add button.
Step 2 – Create the Firewall Access Rule
• From the Firewall > Access Rules page, LAN->WAN zone intersection, add an Access Rule as follows:
Note If you do not see the Bandwidth tab, you can enable bandwidth management by declaring the bandwidth on your WAN interfaces.
Chapter 21: Configuring Firewall Services
Network > Services
SonicOS Enhanced supports an expanded set of IP protocols to allow users to create services and access rules based on these protocols. See "Supported Protocols" on page 318 for a complete listing of supported IP protocols.
Default Services Overview
The Default Services view displays the SonicWALL security appliance default services in the Services table and Service Groups table. The Service Groups table displays clusters of multiple default services as a single service object.
• ESP (50) — (Encapsulated Security Payload) A method of encapsulating an IP datagram inside of another datagram, employed as a flexible method of data transportation by IPsec.
All custom services you create are listed in the Custom Services table. You can group custom services by creating a Custom Services Group for easy policy enforcement.
Note The generic service Any will not handle Custom IP Type Service Objects. In other words, simply defining a Custom IP Type Service Object for IP Type 126 will not allow IP Type 126 traffic to pass through the default LAN > WAN Allow rule.
Step 8 Add a Service Group composed of the Custom IP Type Services.
Step 9 From Firewall > Access Rules > WLAN > LAN, select Add.
Step 10 Define an Access Rule allowing myServices from WLAN Subnets to the 10.
Adding a Custom Services Group
You can add custom services and then create groups of services, including default services, to apply the same policies to them.
Chapter 22: Configuring Routes
Network > Routing
If you have routers on your interfaces, you can configure static routes on the SonicWALL security appliance on the Network > Routing page.
Route Advertisement
The SonicWALL security appliance uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network.
Step 3 In the Advertise Default Route menu, select Never, When WAN is up, or Always.
Step 4 Enable Advertise Static Routes if you have static routes configured on the SonicWALL security appliance; enable this feature to exclude them from Route Advertisement.
Policy Based Routing
A simple static routing entry specifies how to handle traffic that matches specific criteria, such as destination address, destination mask, gateway to forward traffic to, the interface on which that gateway is located, and the route metric.
All Policies displays all the routing policies, including Custom Policies and Default Policies. Initially, only the Default Policies are displayed in the Route Policies table when you select All Policies from the View Style menu.
Step 7 Enter the Metric for the route. The default metric for static routes is one. For more information on metrics, see the "Policy Base
Network > WAN Failover & LB page. For this example, choose Per Connection Round-Robin as the load balancing method in the Network > WAN Failover & LB page. Click Accept to save your changes on the Network > WAN Failover & LB page.
Advanced Routing Services (OSPF and RIP)
In addition to Policy Based Routing and RIP advertising, SonicOS Enhanced offers the option of enabling Advanced Routing Services (ARS).
• Protocol Type – Distance Vector protocols such as RIP base routing metrics exclusively on hop counts, while Link State protocols such as OSPF consider the state of the link when determining metrics.
OSPF does not have to impose a hop count limit because it does not advertise entire routing tables; rather, it generally only sends link state updates when changes occur.
For example, if you had 8 class C networks, 192.168.0.0/24 through 192.168.7.0/24, rather than having to have a separate route statement to each of them, it would be possible to provide a single route to 192.
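Route summarization as described above, as an added example (not SonicOS code): the function computes the single summary prefix that covers a list of networks, and a second function reports any address space inside that summary which the original list did not contain. That second check is the one a practitioner wants before announcing a summary, because an over-wide summary attracts traffic for prefixes the router does not actually serve. The eight /24 networks are the ones quoted in the text; the six-network case is a constructed variant.

```python
"""Added example (not SonicOS code): summarize contiguous networks into one prefix and
flag any address space the summary would cover that was not in the original list."""
import ipaddress


def summarize(prefixes):
    """Return the smallest single network that contains every prefix in `prefixes`."""
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    summary = nets[0]
    # Widen the lowest network one bit at a time until every input fits inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def extra_space(prefixes, summary):
    """Networks inside `summary` that `prefixes` does not cover, as collapsed prefixes.

    Advertising the summary announces reachability for these too, so an empty result
    means the summary is exact and a non-empty one means it over-claims."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    remaining = [summary]
    for n in nets:
        carved = []
        for r in remaining:
            if n.subnet_of(r):
                # address_exclude yields the pieces of r left after removing n
                # (nothing when n == r).
                carved.extend(r.address_exclude(n))
            elif r.subnet_of(n):
                continue  # r is entirely inside n: fully covered, drop it
            else:
                carved.append(r)
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining))


# The eight class C networks from the text.
EIGHT_CLASS_C = [f"192.168.{i}.0/24" for i in range(8)]
# Constructed variant with only six of them, which a /21 summary would over-claim.
SIX_CLASS_C = [f"192.168.{i}.0/24" for i in range(6)]


def summary_report(prefixes):
    """Return (summary, over-claimed networks) as strings for easy inspection."""
    summary = summarize(prefixes)
    return str(summary), [str(x) for x in extra_space(prefixes, summary)]


if __name__ == "__main__":
    print(summary_report(EIGHT_CLASS_C))  # exact summary, nothing over-claimed
    print(summary_report(SIX_CLASS_C))    # same summary, but two /24s over-claimed
```

Note that `subnet_of` and `address_exclude` are standard-library `ipaddress` methods (Python 3.7 and later); no third-party package is assumed.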
used, which is generally discouraged). Area assignment is interface specific on an OSPF router; in other words, a router with multiple interfaces can have those interfaces configured for the same or different areas.
LSAs are then exchanged within LSUs across these adjacencies rather than between each possible pairing combination of routers on the segment. Link state updates are sent by non-DR routers to the multicast address 225.
– Type 5 (AS External Link Advertisements) – Sent by ASBRs (Autonomous System Boundary Routers) to describe routes to networks in a different AS. Type 5 LSAs are not sent to Stub Areas.
• ABR (Area Border Router) – A router with interfaces in multiple areas. An ABR maintains LSDBs for each area to which it is connected, one of which is typically the backbone.
• Backbone Router – A router with an interface connected to area 0, the backbone.
The operation of the RIP and OSPF routing protocols is interface dependent. Each interface and virtual subinterface can have RIP and OSPF settings configured separately, and each interface can run both RIP and OSPF routers.
Note Be sure the device sending RIPv2 updates uses multicast mode, or the updates will not be processed by the ars-rip router.
Send (Available in 'Send and Receive' and 'Send Only' modes)
• RIPv1 – Send broadcast RIPv1 packets.
Consider the following simple example network: The diagram illustrates an OSPF network where the backbone (area 0.0.0.0) comprises the X0 interface on the SonicWALL and the int1 interface on Router A.
OSPFv2 Setting
• Disabled – OSPF Router is disabled on this interface
• Enabled – OSPF Router is enabled on this interface
• Passiv
• IBM – For interoperating with IBM's ABR behavior, which expects the backbone to be configured before setting the ABR flag.
Configuring Advanced Routing for Tunnel Interfaces
In SonicOS versions 5.6 and higher, VPN Tunnel Interfaces can be configured for advanced routing. To do so, you must enable advanced routing for the tunnel interface on the Advanced tab of its configuration.
Guidelines for Configuring Tunnel Interfaces for Advanced Routing
The following guidelines will ensure success when configuring Tunnel Interfaces for advanced routing:
• The borrowed interface must have a static IP address assignment.
Chapter 23: Configuring NAT Policies
Network > NAT Policies
This chapter contains the following sections:
• "NAT Policies Table" on page 348
NAT Policies Table
The NAT Policies table allows you to view your NAT Policies by Custom Policies, Default Policies, or All Policies.
Tip Before configuring NAT Policies, be sure to create all Address Objects associated with the policy.
NAT Policy Settings Explained
The following explains the settings used to create a NAT policy entry in the Add NAT Policy or Edit NAT Policy windows.
• Translated Service: This drop-down menu setting is what the SonicWALL security appliance translates the Original Service to as it exits the SonicWALL security appliance, whether it be to another interface, or into/out of VPN tunnels.
NAT Policies Q&A
Why is it necessary to specify 'Any' as the destination interface for inbound 1-2-1 NAT policies? It may seem
Why Do I Have to Write Two Policies for 1-2-1 Traffic?
With the new NAT engine, it is necessary to write two policies – one to allow
NAT LB Mechanisms
NAT load balancing is configured on the Advanced tab of a NAT policy.
Note This tab can only be activated when a group is specified in one of the drop-down fields on the General tab of a NAT Policy.
Which NAT LB Method Should I Use?
Caveats
• The NAT Load Balancing feature is only available in SonicOS Enhanced 4.0 and higher.
• Only two health-check mechanisms at present (ICMP ping and TCP socket open).
Example one - Mapping to a network: 192.168.0.2 to 192.168.0.4 Translated Destination = 10.
Creating NAT Policies
NAT policies allow you the flexibility to control Network Address Translation based on matching combinations of Source IP address, Destination IP address, and Destination Services.
• Original Service: Any
• Translated Service: Original
• Inbound Interface: X2
• Outbound Interface: X1
• Comment: Ente
You can test the dynamic mapping by installing several systems on the LAN interface (by default, the X0 interface) at a spread-out range of addresses (for example, 192.168.10.10, 192.
Creating a One-to-One NAT Policy for Inbound Traffic (Reflective)
Note If "Translated Destination: Original" is selected in the NAT Policy Settings, this section does not apply because the "Create a reflective policy" checkbox is greyed out.
Configuring One-to-Many NAT Load Balancing
One-to-Many NAT policies can be used to persistently load balance the translated destination using the original source IP address as the key to persistence.
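The two NAT load-balancing points made above, source-IP persistence (this section) and the two health-check mechanisms listed under Caveats (ICMP ping and TCP socket open), as one added example that is not SonicOS code. The health checks are modelled as a pluggable callable over a constructed status table rather than real probes, so the block runs offline; the server addresses are constructed. What the model shows is the failure-mode behaviour a practitioner cares about: a client stays pinned to its server while that server is healthy, is moved only when the server fails its check, and is not moved back when the old server recovers.

```python
"""Added example (not SonicOS code): one-to-many NAT load balancing keyed on the original
source IP, with pluggable health checks. Server addresses are constructed sample data."""
import hashlib
import ipaddress


class NatLoadBalancer:
    """Pick a translated destination per source IP, persisting the choice while it is healthy."""

    def __init__(self, translated_group, health_check):
        # Validate the group up front; a typo here would black-hole a share of clients.
        self.group = [str(ipaddress.ip_address(a)) for a in translated_group]
        self.health_check = health_check  # callable(server_ip) -> bool
        self.sticky = {}                  # source IP -> chosen translated destination

    def healthy_members(self):
        return [s for s in self.group if self.health_check(s)]

    def translate(self, src_ip):
        """Return the translated destination for `src_ip`, or None if no member is healthy."""
        healthy = self.healthy_members()
        if not healthy:
            return None
        chosen = self.sticky.get(src_ip)
        if chosen in healthy:
            return chosen  # persistence: keep the client on its server while it is up
        # Deterministic pick from the hash of the source IP, so the same client lands on the
        # same member even after the table is cleared (e.g. a restart).
        digest = hashlib.sha256(src_ip.encode("ascii")).digest()
        chosen = healthy[int.from_bytes(digest[:4], "big") % len(healthy)]
        self.sticky[src_ip] = chosen
        return chosen


def make_health_check(kind, status_table):
    """Build a health-check callable of the given kind over a constructed status table.

    `status_table` maps server IP -> {"icmp": bool, "tcp": bool}, standing in for the
    result of a real ICMP ping or TCP socket open against that server."""
    if kind not in ("icmp", "tcp"):
        raise ValueError("health check kind must be 'icmp' or 'tcp'")
    return lambda server: status_table.get(server, {}).get(kind, False)


# Constructed sample: two internal web servers and their current probe results.
SERVERS = ["10.0.0.11", "10.0.0.12"]
STATUS = {
    "10.0.0.11": {"icmp": True, "tcp": True},
    "10.0.0.12": {"icmp": True, "tcp": True},
}


def build_demo_balancer(kind="tcp"):
    return NatLoadBalancer(SERVERS, make_health_check(kind, STATUS))


if __name__ == "__main__":
    lb = build_demo_balancer()
    client = "198.51.100.7"
    first = lb.translate(client)
    STATUS[first]["tcp"] = False          # the chosen server stops answering TCP
    moved = lb.translate(client)
    STATUS[first]["tcp"] = True           # it recovers; the client is not moved back
    print(first, moved, lb.translate(client))
```

A TCP socket-open check is the stricter of the two: a host that answers ping but whose service has died still passes an ICMP check and keeps receiving translated connections, which is why the check kind is a parameter here rather than a fixed choice.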
• Translated Destination: Select Create new address object... to bring up the Add Address Object screen.
Note Make sure you choose Any as the destination interface, and not the interface that the server is on. This may seem counter-intuitive, but it is actually the correct thing to do (if you try to specify the interface, you get an error).
In this section, we have five tasks to complete:
1. Create two custom service objects for the unique public ports the servers respond on.
2. Create two address objects for the servers' private IP addresses.
• Enable NAT Policy: Checked
• Create a reflective policy: Unchecked
When finished, click on the OK button to add and activate the NAT policies.
Note With previous versions of firmware, it was necessary to write rules to the private IP address. This has been changed as of SonicOS 2.0 Enhanced. If you write a rule to the private IP address, the rule does not work.
Using NAT Load Balancing
This section contains the following subsections:
• "NAT Load Balancing Topology" on page 366
• "Pr
Configuring NAT Load Balancing
To configure NAT load balancing, you must complete the following tasks:
1. Create address objects.
2. Create an address group.
3. Create an inbound NAT LB Policy.
Troubleshooting NAT Load Balancing
If the Web servers do not seem to be accessible, go to the Firewall > Access Rules page and mouse over the Statistics icon.
Chapter 24: Managing ARP Traffic
Network > ARP
ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC addresses) to enable communications between hosts residing on the same subnet.
Static ARP Entries
The Static ARP feature allows for static mappings to be created between layer 2 MAC addresses and layer 3 IP addresses, but
Adding a Secondary Subnet using the Static ARP Method
Step 1 Add a 'published' static ARP entry for the gateway address that will be used for the secondary subnet, assigning it the MAC address of the SonicWALL interface to which it will be connected.
The entry will appear in the table. Navigate to the Network > Routing page, and add a static route for the 192.168.50.0/24 network, with the 255.255.255.0 subnet mask on the X3 Interface. To allow the traffic to reach the 192.
You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific ARP entry. The default table configuration displays 50 entries per page.
Chapter 25: Configuring MAC-IP Anti-Spoof
Network > MAC-IP Anti-Spoof
This chapter describes how to plan, design, implement, and MAC-IP Anti-Spoof protection in SonicWALL SonicOS Enhanced.
• ARP packets; both ARP requests and responses
• Static ARP entries from user-created entries
• MAC-IP Anti-Spoof Cache
To configure settings for a particular interface, click the Configure icon for the desired interface. The Settings window is then displayed for the selected interface. In this window, the following settings can be enabled or disabled by clicking on the corresponding checkbox.
Once the settings have been adjusted, the interface's listing will be updated on the MAC-IP Anti-Spoof panel. The green circle with white check mark icons denote which settings have been enabled.
If you need to edit a static Anti-Spoof cache entry, select the checkbox to the left of the IP address, then click the pencil icon, under the "Configure" column, on the same line.
Spoof Detect List
The Spoof Detect List displays devices that failed to pass the ingress anti-spoof cache check. Entries on this list can be added as a static anti-spoof entry. To do this, click on the pencil icon, under the "Add" column, for the desired device.
Network > MAC-IP Anti-Spoof 381 SonicOS 5.8.1 Administrator Guide Operator Synt ax Options V alue with a type • Ip=1.1.1.1 or ip=1.1. 1.0/24 • Mac=00:01:02:03:04:05 • Iface=x1 St r i n g • X1 • 00:01 • T st-mc • 1.1. AND • Ip=1.1.1.
Network > MAC-IP Anti-Spo of 382 SonicOS 5.8.1 Administrator Guide Extension to IP Helper In order to support leases from the DHCP rela y subsystem of IP Helper , the following changes have been ma.
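The ingress anti-spoof cache check, the Spoof Detect List and the search operators described above, as an added Python model (not code from the guide or from SonicWALL). The precedence between cache sources, the handling of an address with no binding, and the exact search grammar are assumptions; all interface names, addresses and frames are constructed sample data.

```python
"""Added example, not code from the SonicOS guide or from SonicWALL.

Models the MAC-IP Anti-Spoof ingress check: per-interface IP-to-MAC
bindings are built from the sources the chapter lists (ARP requests and
replies, static ARP entries, static anti-spoof entries), ingress frames
are checked against them, and failures land on a Spoof Detect List that
can be searched with ip=/mac=/iface= terms, bare strings and AND.
Source precedence, unknown-address handling and the search grammar are
assumptions; names, addresses and frames are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Entry:
    iface: str
    ip: str
    mac: str


def _norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


class AntiSpoofCache:
    def __init__(self) -> None:
        self.enabled: set[str] = set()                  # interfaces enforcing
        self.bindings: dict[tuple[str, str], str] = {}  # (iface, ip) -> mac
        self.spoof_detect_list: list[Entry] = []

    def enable(self, iface: str) -> None:
        self.enabled.add(iface)

    def add_static(self, iface: str, ip: str, mac: str) -> None:
        """Static ARP / static anti-spoof entry: authoritative (assumption)."""
        self.bindings[(iface, str(ip_address(ip)))] = _norm_mac(mac)

    def learn_arp(self, iface: str, sender_ip: str, sender_mac: str) -> None:
        """Learn from an ARP request or reply.  Assumption: learning never
        overwrites an existing binding (static or first seen)."""
        self.bindings.setdefault((iface, str(ip_address(sender_ip))),
                                 _norm_mac(sender_mac))

    def check_ingress(self, iface: str, src_ip: str, src_mac: str) -> bool:
        """Return True if a frame's source MAC/IP pair passes the check."""
        if iface not in self.enabled:           # enforcement is per interface
            return True
        ip = str(ip_address(src_ip))
        expected = self.bindings.get((iface, ip))
        # Assumption: an address with no cache binding fails as well.
        if expected is not None and expected == _norm_mac(src_mac):
            return True
        entry = Entry(iface, ip, _norm_mac(src_mac))
        if entry not in self.spoof_detect_list:
            self.spoof_detect_list.append(entry)
        return False


def _match_term(entry: Entry, term: str) -> bool:
    """One search term: ip=A.B.C.D[/len], mac=..., iface=..., or a bare
    substring matched case-insensitively against every field."""
    key, sep, value = term.partition("=")
    key, value = key.strip().lower(), value.strip()
    if sep and key == "ip":
        return ip_address(entry.ip) in ip_network(value, strict=False)
    if sep and key == "mac":
        return entry.mac == _norm_mac(value)
    if sep and key == "iface":
        return entry.iface.lower() == value.lower()
    needle = term.strip().lower()
    return any(needle in f.lower() for f in (entry.iface, entry.ip, entry.mac))


def search(entries: list[Entry], query: str) -> list[Entry]:
    """AND together the terms of a query such as 'ip=1.1.1.0/24 AND iface=x1'."""
    terms = [t for t in query.split(" AND ") if t.strip()]
    return [e for e in entries if all(_match_term(e, t) for t in terms)]


def demo() -> tuple[AntiSpoofCache, list[bool]]:
    """Constructed scenario: interface x1 enforces anti-spoof, x2 does not."""
    cache = AntiSpoofCache()
    cache.enable("x1")
    cache.add_static("x1", "10.0.0.1", "00:01:02:03:04:05")    # gateway
    cache.learn_arp("x1", "10.0.0.20", "aa:bb:cc:dd:ee:20")    # ARP reply
    cache.learn_arp("x1", "10.0.0.1", "de:ad:be:ef:00:01")     # cannot displace
    results = [
        cache.check_ingress("x1", "10.0.0.20", "aa:bb:cc:dd:ee:20"),  # pass
        cache.check_ingress("x1", "10.0.0.20", "de:ad:be:ef:00:20"),  # MAC mismatch
        cache.check_ingress("x1", "10.0.0.1", "de:ad:be:ef:00:01"),   # gateway mismatch
        cache.check_ingress("x1", "10.0.0.99", "aa:bb:cc:dd:ee:99"),  # unknown
        cache.check_ingress("x2", "10.0.0.99", "aa:bb:cc:dd:ee:99"),  # not enforced
    ]
    return cache, results  # results == [True, False, False, False, True]
```

Running `search(cache.spoof_detect_list, "ip=10.0.0.0/24 AND de:ad")` on the demo returns the two entries whose MAC contains the string, the same shape as the operator table above.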
Chapter 26: Setting Up the DHCP Server
Network > DHCP Server
This chapter contains the following sections:
• “DHCP Server Options Overview” on.
The SonicWALL security appliance includes a DHCP (Dynamic Host Configuration Protocol) server to distribute IP addresses, subnet masks, gateway addresses, and DNS server addresses to your network clients.
clients on the network, it provides vendor-specific configuration and service information. The “DHCP Option Numbers” on page 400 provides a list of DHCP options by RFC-assigned option number.
Multiple Scopes for Group VPN – When using an internal DHCP server, a SonicWALL GVC client could be configured using scope ranges that differ from the LAN/DMZ subnet.
Figure 26:2 Trusted DHCP Relay Agents
Configuring the DHCP Server
If you want to use the SonicWALL security appliance's DHCP server, select Enable DHCP Server on the Network > DHCP Server page.
To configure Option Objects, Option Groups, and Trusted Agents, click the Advanced button. For detailed information on configuring these features, see “Configuring Advanced DHCP Server Options” on page 389.
Configuring Advanced DHCP Server Options
• “Configuring DHCP Option Objects” on page 389
• “Configuring DHCP Option Groups” o.
Step 5 From the Option Number drop-down list, select the option number that corresponds to your DHCP option. For a list of option numbers and names, refer to “DHCP Option Numbers” on page 400.
Step 5 Enter a name for the group in the Name field.
Step 6 Select an option object from the left column and click the -> button to add it to the group. To select multiple option objects at the same time, hold the Ctrl key while selecting the option objects.
Enabling Trusted DHCP Relay Agents
In the DHCP Advanced Settings page, you can enable the Trusted Relay Agent List option using the Default Trusted Relay Agent List Address Group or create another Address Group using existing Address Objects.
Configuring DHCP Server for Dynamic Ranges
Because SonicOS Enhanced allows multiple DHCP scopes per interface, there is no requirement that the subnet range is attached to the interface when configuring DHCP scopes.
BOOTP stands for bootstrap protocol, which is a TCP/IP protocol and service that allows diskless workstations to obtain their IP address, other TCP/IP configuration information, and their boot image file from a BOOTP server.
Advanced Settings
Step 14 Click on the Advanced tab. The Advanced tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network.
Configuring Static DHCP Entries
Static entries are IP addresses assigned to servers requiring permanent IP settings.
Step 7 To populate the Default Gateway and Subnet Mask fields with default values for a certain interface, select the Interface Pre-Populate checkbox near the bottom of the page and choose the interface from the drop-down list.
Advanced Settings
Step 15 Click on the Advanced tab. The Advanced tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network.
Configuring DHCP Generic Options for DHCP Lease Scopes
This section provides configuration tasks for DHCP generic options for lease scopes.
Note: Before generic options for a DHCP lease scope can be configured, a static or dynamic DHCP server lease scope must be created.
DHCP Option Numbers
This section provides a list of RFC-defined DHCP option numbers and descriptions:
Option Number / Name / Description
2 .
33  Static Routing Table  Static routing table
34  Trailer Encapsulation  Trailer encapsulation
35  ARP Cache Timeout  ARP cache timeo.
65  NIS+ V3 Server Address  NIS+ V3 server address
66  TFTP Server Name  TFTP server name
67  Boot File Name  Boot file name
68  Home Agent Addr.
94  Client Network Device Interface  Client network device interface
95  LDAP  Use Lightweight Directory Access Protocol
96  Undefined  N/A
97 .
124  Vendor-Identifying Vendor Class  Vendor-identifying vendor class
125  Vendor Identifying Vendor Specific  Vendor-identifying vend.
157–163  Undefined  N/A
164  Undefin.
194–207  Undefined  N/A
208  pxelinux.
230–233  Private Use  Private use
234  Private Use  Private u.
Chapter 27: Using IP Helper
Network > IP Helper
Many User Datagram Protocol (UDP) services rely on broadcast/multicast to find their respective server, usually requiring their servers to be present on the same broadcast subnet.
Caution: The SonicWALL DHCP Server feature must be disabled before you can enable DHCP Support on the IP Helper. The Enable DHCP Support checkbox is greyed out until the DHCP Server setting is disabled.
Adding an IP Helper Policy for NetBIOS
Step 1 Click the Add button under the IP Helper Policies table. The Add IP Helper Policy window is displayed.
Step 2 The policy is enabled by default.
• Raw Mode—Unidirectional forwarding that does not create an IP Helper cache. This is suitable for most of the user-defined protocols that are used for discovery, for example WOL/mDNS.
Adding User-Defined Protocols
Click the Add button on the lower left side of the protocol list table. The following fields must be configured in order to add a protocol.
• Name—Create a unique case-sensitive name.
Displaying IP Helper Cache from TSR
The TSR will show all the IP Helper caches, current policies, and protocols:
#IP_HELPER_START IP Helper.
mDNS Forwarding
In order to enable Apple support for iRemote, iTunes, and Apple TV, the mDNS protocol must be enabled.
To configure SonicOS to support mDNS, perform the following steps:
Step 1 Navigate to the Network > IP Helper page.
Step 2 Select the Enable IP Helper checkbox.
Step 3 In the Relay Protocols section, click the Enable checkbox for mDNS.
Chapter 28: Setting Up Web Proxy Forwarding
Network > Web Proxy
A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages.
Configuring Automatic Proxy Forwarding (Web Only)
Note: The proxy server must be located on the WAN or DMZ; it cannot be located on the LAN.
To configure a Proxy Web server, select the Network > Web Proxy page.
Chapter 29: Configuring Dynamic DNS
Network > Dynamic DNS
Dynamic DNS (DDNS) is a service provided by various companies and organizations that allows dynamically changing IP addresses to automatically update DNS records without manual intervention.
Supported DDNS Providers
Not all services and features from all providers are supported, and the list of supported providers is subject to change. SonicOS currently supports the following services from four Dynamic DNS providers:
• Dyndns.
To configure Dynamic DNS on the SonicWALL security appliance, perform these steps:
Step 1 From the Network > Dynamic DNS page, click the Add button. The Add DDNS Profile window is displayed.
– Static - A free DNS service for static IP addresses.
Step 10 When using DynDNS.org, you may optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field.
Dynamic DNS Settings Table
The Dynamic DNS Settings table provides a table view of configured DDNS profiles. The Dynamic DNS Settings table includes the following columns:
• Profile Name - The name assigned to the DDNS entry during its creation.
Chapter 30: Configuring Network Monitor
Network > Network Monitor
The Network > Network Monitor page provides a flexible mechanism for monitoring network path viability.
You can view details of the probe status by hovering your mouse over the green, red, or yellow light for a policy. The following information is displayed in the probe status:
• The percent of successful probes.
Adding a Network Monitor Policy
To add a network monitor policy on the SonicWALL security appliance, perform these steps:
Step 1 From the Network > Network Monitor page, click the Add button.
same interface within the Response Timeout time window. When a SYN/ACK is received, a RST is sent to close the connection.
Part 5: 3G/Modem
Chapter 31: 3G/Modem Selection
3G/Modem
SonicWALL UTM appliances with a USB extension port can support either an external 3G interface or analog modem interface. When the appliance does not detect an external interface, a 3G/Modem tab is displayed in the left-side navigation bar.
Selecting the 3G/Modem Status
By default, the SonicWALL UTM appliance will attempt to auto-detect whether a connected external device is a 3G interface or an analog modem interface. You can manually specify which type of interface you want to configure on the 3G/Modem > Settings page.
Chapter 32: Configuring 3G
3G
This chapter describes how to configure the 3G wireless WAN interface on the SonicWALL UTM appliance.
• Temporary networks where a pre-configured connection may not be available, such as trade shows and kiosks.
• Mobile networks, where the SonicWALL appliance is based in a vehicle.
• Primary WAN connection where wire-based connections are not available and 3G Cellular is.
Understanding 3G Failover
When the WAN Connection Model is set to Ethernet with 3G Failover, the WAN (Ethernet) interface is the primary connection. If the WAN interface fails, the SonicWALL appliance fails over to the 3G interface.
Persistent Connection 3G Failover
The following diagram depicts the sequence of events that occur when the WAN Ethernet connection fails and the 3G Connection Profile is configured for Persistent Connection.
Dial on Data 3G Failover
The following diagram depicts the sequence of events that occur when the WAN Ethernet connection fails and the 3G Connection Profile is configured for Dial on Data.
Manual Dial 3G Failover
The following diagram depicts the sequence of events that occur when the WAN Ethernet connection fails and the 3G Connection Profile is configured for Manual Dial.
3G Wireless WAN Service Provider Support
SonicOS Enhanced supports the following 3G Wireless network providers (this list is subject to change):
• Cingular W.
3G > Status
The 3G > Status page displays the current status of 3G on the SonicWALL appliance. It indicates the status of the 3G connection, the current active WAN interface, or the current backup WAN interface.
• Syslog traffic
To configure the SonicWALL appliance for Connect on Data operation, you must select Dial on Data as the Dial Type for the Connection Profile. See “3G > Connection Profiles” on page 444 for more details.
3. In the Probe Type menu, select one of the following options:
– Probe succeeds when either Main Target or Alternate Target responds
– Probe succeeds when both Main Target and Alternative Target respond
– Probe succeeds when Main Target responds
– Succeeds Always (no probing)
4.
• The SonicWALL Security Appliance is configured to be managed using HTTPS, so that the device can be accessed remotely.
• It is recommended that you enter a value in the Enable Max Connection Time (minutes) field.
3G > Connection Profiles
Use the 3G > Connection Profiles page to configure 3G connection profiles and set the primary and alternate profiles. Select the primary 3G connection profile in the Primary Profile pulldown menu.
General Tab
The General tab allows the administrator to configure general connection settings for the 3G service provider. After selecting your country, service provider, and plan type, the rest of the fields are automatically filled for most service providers.
Parameters Tab
The Parameters tab allows the administrator to configure under what conditions the 3G service connects.
7. Select the Disable VPN when Dialed checkbox to disable VPN connections over the 3G interface.
IP Addresses Tab
The IP Addresses tab allows the administrator to configure dynamic or static IP addressing for this interface.
Note: When this feature is enabled, if the checkbox for a day is not selected, 3G access will be denied for that entire day.
1. Click on the Schedule tab.
2. Select the Limit Times for Connection Profile checkbox to enable the scheduling feature for this interface.
2. Select the Enable Data Usage Limiting checkbox to have the 3G interface become automatically disabled when the specified data or time limit has been reached for the month.
3. Select the day of the month to start tracking the monthly data or time usage in the Billing Cycle Start Date pulldown menu.
3G > Data Usage
On the 3G > Data Usage page, you can monitor the amount of data transferred over the 3G interface in the Data Usage table and view details of 3G sessions in the Session History table.
Managing 3G Connections
To initiate a 3G connection, click on the Manage button in the 3G interface line on the Network > Interfaces page. The 3G Connection window displays. Click the Connect button.
• Generation - WWAN protocols are divided by generation, such as 2G, 2.5G, and 3G, where 1G would be the original analog cellular networks. Each generational advance is usually characterized by improvements in speed and capacity.
allow for a subscriber's identity to move from one GSM device to another. Many operators lock their devices to prevent the use of other operators' SIM cards, but operators will sometimes unlock their devices if certain conditions are met.
Chapter 33: Configuring Modem
Modem
The following sections describe how to configure and use the modem functionality on a SonicWALL UTM applian.
If the modem is inactive, the Status page displays a list of possible reasons that your modem is inactive.
The Connect on Data Categories include:
• NTP packets
• GMS Heartbeats
• System log e-mails
• AV Profile Updates
• SNMP Traps
• L.
3. The SonicWALL then initiates a modem connection to its dial-up ISP, based on the configured dial profile.
4. The network administrator accesses the SonicWALL web management interface to perform the required tasks.
2. Click the Enable Ingress Bandwidth Management checkbox to enable bandwidth management policy enforcement on inbound traffic.
Configuring a Profile
1. In the Modem > Connection Profiles page, click the Add button. The Modem Profile Configuration window is displayed for configuring a dialup profile. Once you create your profiles, you can then specify which profiles to use for WAN failover or Internet access.
8. Click the ISP Address tab.
9. In the ISP Address Setting section, select Obtain an IP Address Automatically if you do not have a permanent dialup IP address from your ISP.
applications such as AutoUpdate and Anti-Virus. If Enable WAN Failover is selected on the Modem > Failover page, the pings generated by the probe can trigger the modem to dial when no WAN Ethernet connection is detected.
21. Click the Schedule tab.
22. If you want to specify scheduled times the modem can connect, select Limit Times for Dialup Profile. Enter times for each day in 24-hour format that you want the modem to be able to make a connection.
The next line has OK as the expected string, and the interpreter waits for OK to be returned in response to the previous command, ATV1, before continuing the script. If OK is not returned within the default time period of 50 seconds, the chat interpreter aborts the script and the connection fails.
Part 6: Wireless
Chapter 34: Viewing WLAN Settings, Statistics, and Station Status
Wireless Overview
Note: The wireless features described apply only to SonicWALL appliances equipped with internal wireless hardware, such as the TZ series, the NSA 220W, and the NSA 250MW.
• VPN tunnel
Considerations for Using Wireless Connections
• Mobility - if the majority of your network is laptop computers, wireless is more portable than wired connections.
• Try to place the wireless security appliance in a direct line with other wireless components. Best performance is achieved when wireless components are in direct line of sight with each other.
Wireless > Status
The Wireless > Status page provides status information for the wireless network, including WLAN Settings, WLAN Statistics, WLAN Activities and Station Status.
WLAN Settings
The WLAN Settings table lists the configuration information for the built-in radio. All configurable settings in the WLAN Settings table are hyperlinks to their respective pages for configuration.
WLAN Statistics
The WLAN Statistics table lists all of the traffic sent and received through the WLAN. The Wireless Statistics column lists the kinds of traffic recorded, the Rx column lists received traffic, and the Tx column lists transmitted traffic.
Station Status
The Station Status table displays information about wireless connections associated with the wireless security appliance.
Chapter 35: Configuring Wireless Settings
Wireless > Settings
The Wireless > Settings page allows you to configure settings for the 802.
Wireless Radio Mode
The Radio Role allows you to configure the SonicWALL TZ wireless for one of two modes:
Note: Be aware that when switching between radio roles, the SonicWALL may require a restart.
Wireless Settings
Enable WLAN Radio: Check this checkbox to turn the radio on, and enable wireless networking. Click Apply in the top right corner of the management interface to have this setting take effect.
– Standard Channel - This pulldown menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity.
Chapter 36: Configuring Wireless Security
Wireless > Security
Note: When the SonicWALL wireless security appliance is configured in Access Point mode, this page is called Security. When the appliance is configured in Wireless Bridge mode, this page is called WEP Encryption.
• Transparent authentication with Windows log-in
• No client software needed in most cases
WPA2
• Best security (uses AES)
• For .
WPA2 and WPA PSK Settings
Encryption Mode: In the Authentication Type field, select either WPA-PSK, WPA2-PSK, or WPA2-Auto-PSK.
WPA Settings
• Cypher Type: select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis.
WPA2 and WPA EAP Settings
Encryption Mode: In the Authentication Type field, select either WPA-EAP, WPA2-EAP, or WPA2-AUTO-EAP.
WPA Settings
• Cypher Type: Select TKIP. Temporal Key Integrity Protocol (TKIP) is a protocol for enforcing key integrity on a per-packet basis.
• Both (Open System & Shared Key): The Default Key assignments are not important as long as the identical keys are used in each field. If Shared Key is selected, then the key assignment is important.
Chapter 37: Configuring Advanced Wireless Settings
Wireless > Advanced
To access Advanced configuration settings for the SonicWALL wireless security appliance, log into the SonicWALL, click Wireless, and then Advanced.
Beaconing & SSID Controls
1. Select Hide SSID in Beacon. Suppresses broadcasting of the SSID name and disables responses to probe requests. Checking this option helps prevent your wireless SSID from being seen by unauthorized wireless clients.
Step 8 The Association Timeout (seconds) is 300 seconds by default, and the allowed range is from 60 to 36000 seconds. If your network is very busy, you can increase the timeout by increasing the number of seconds in the Association Timeout (seconds) field.
Chapter 38: Configuring MAC Filter List
Wireless > MAC Filter List
Wireless networking provides native MAC filtering capabilities which prevent wireless clients from authenticating and associating with the wireless security appliance.
The items in the list are address object groups, defined groups of objects that represent specific IP addresses or ranges of addresses that can be used throughout the management interface to specify network resources.
Chapter 39: Configuring Wireless IDS
Wireless > IDS
Wireless Intrusion Detection Services (IDS) greatly increase the security capabilities of the S.
connectivity for associated wireless clients. While in Access Point mode, the Scan Now function should only be used if no clients are actively associated, or if the possibility of client interruption is acceptable.
Discovered Access Points
The Discovered Access Points table displays information on every access point that can be detected by all your SonicPoints or on an individual SonicPoint basis:
• MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
Chapter 40: Configuring Virtual Access Points with Internal Wireless Radio
Wireless > Virtual Access Point
This chapter describes the Virtual Acces.
to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.
Wireless VAP Configuration Overview
The following are required areas of configuration for VAP deployment:
Step 1 Zone - The zone is the backbone of your VAP configuration.
Network Zones
This section contains the following subsections:
• “The Wireless Zone” section on page 498
• “Custom .
General
Feature / Description
Name: Create a name for your custom zone
Security Type: Select Wireless in order to enable and access wireless security options.
Wireless
Feature / Description
Only allow traffic generated by a SonicPoint: Restricts traffic on this zone to internally-generated traffic only.
SSL VPN Enforcement: Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance.
Guest Services
The Enable Guest Services option allows the following guest services to be applied to a zone:
Feature / Descripti.
Wireless LAN Subnets
A Wireless LAN (WLAN) subnet allows you to split a single wireless radio interface (W0) into many virtual network connections, each carrying its own set of configurations.
DHCP Server Scope
The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”.
Virtual Access Point Profile Settings
The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings:
Feature / Description
Name: Choose a friendly name for this VAP Profile.
WPA-PSK / WPA2-PSK Encryption Settings
Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key.
WPA-EAP / WPA2-EAP Encryption Settings
Extensible Authentication Protocol (EAP) is available when using WPA or WPA2.
General VAP Settings
Advanced VAP Settings
Advanced settings allow the administrator to configure authentication and encryption settings for this connection. Choose a Profile Name to inherit these settings from a user-created profile.
Enabling the Virtual Access Point Group
After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio.
General Settings Tab
Step 1 In the General tab, enter a friendly name such as “WLAN_Faculty” in the Name field.
Step 2 Select Wireless from the Security Type drop-down menu.
Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface.
Creating the Wireless VAP
In this section, you will create and configure a new Virtual Access Point and associate it with the wireless subnet you created in the “Creating a New Wireless Subnet” section on page 509.
Deploying VAPs to the Wireless Radio
In the following section you will group and deploy your new VAPs, associating them with the internal wireless radio.
Wireless > Virtual Access Point 512 SonicOS 5.8.1 Administrator Guide.
SonicOS 5.8 . 1 A dm i ni st r at or Gu ide 513 PART 7 Part 7: SonicPoint.
514 S ONIC OS 5.8.1 A DMINISTRATOR G UIDE.
Chapter 41: Managing SonicPoints (SonicPoint > SonicPoints). SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL security appliances to provide wireless access throughout your enterprise.
Before Managing SonicPoints. Before you can manage SonicPoints in the Management Interface, you must first: • Verify that the SonicPoint image is downloaded to your SonicWALL security appliance.
Configuring a SonicPoint Profile. The SonicPoint profile configuration process for 802.11n is slightly different than for 802.11a or 802.11g. The following sections describe how to configure SonicPoint profiles: • “Configuring a SonicPointN Profile for 802.
– 802.11n Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPointNs to a VAP. This pulldown menu allows you to create a new VAP group.
• 5 GHz 802.11a Only - Select this mode if only 802.11a clients access your wireless network. – SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile.
Step 4: In the Wireless Security section of the 802.11n Radio tab, configure the following settings: – Authentication Type: Select the method of authentication for your wireless network.
– Schedule IDS Scan: Select a time when there are fewer demands on the wireless network to schedule an Intrusion Detection Service (IDS) scan, to minimize the inconvenience of dropped wireless connections.
Modifications to profiles will not affect units that have already been provisioned and are in an operational state.
– 802.11g Virtual AP Group and 802.11a Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPoints to a VAP. This pulldown menu allows you to create a new VAP group.
– WEP Key Mode: Select the size of the encryption key. – Default Key: Select which key in the list below is the default key, which will be tried first when trying to authenticate a user.
The SonicPoint-N wireless security appliance employs three antennas. The Antenna Diversity is set to Best by default; this is the only setting available for this appliance. • 1: Select 1 to restrict the SonicPoint to use antenna 1 only.
If the SonicPoint does locate, or is located by, a peer SonicOS device via the SonicWALL Discovery Protocol, an encrypted exchange.
Edit SonicPoint Settings. To edit the settings of an individual SonicPoint: Step 1: Under SonicPoint Settings, click the Edit icon in the same line as the SonicPoint you want to edit. Step 2: In the Edit SonicPoint screen, make the changes you want.
You can change the file name of the SonicPoint image, but you should keep the extension intact (ex: .bin.sig). Step 3: In the SonicOS user interface on your SonicWALL appliance, in the navigation pane, click System and then click Administration.
SonicPoint Deployment Best Practices
• Safemode – Safemode can be engaged by depressing the reset button, or from the SonicOS peer device. Placing a SonicPoint into Safemode returns its configuration to defaults, disables the radios, and disables SDP.
http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA1-9147ENUC.pdf Best practices information is provided in the following sections.
Layer 2 and Layer 3 Considerations for SonicPoints. SonicWALL uses two proprietary protocols (SDP and SSPP) and both *cannot* be routed across any layer 3 device.
(microwaves, CAT Scan equipment, etc…) In areas where a lot of electrical equipment is placed, also take a look at the cabling being used. In areas with a lot of electrical equipment UTP should not be used; FTP or STP is required.
• Intel PRO/Wireless 2200BG Network Connection • Intel PRO/Wireless 2915ABG Network Connection • Intel PRO/Wireless 394.
• Because of this, make sure each port can get 10 Watts guaranteed if possible, and set the PoE priority to critical or high. • One thing to be particularly careful to plan for is that not all PoE switches can provide the full 15.
Troubleshooting Older SonicPoints. If you have an older SonicPoint and it’s consistently port flapping, or doesn’t power.
• Note that SonicPoints have a ‘Standalone Mode’ which they will transition to if they can’t find a SonicWALL UTM appliance. If you have more than one SonicPoint, you may have issues as all of the SonicPoints will revert to the same default IP address of 192.
Sample Cisco Catalyst switch configuration. Any Cisco POE Switch: On the connecting interface/port, issue the command ‘Power inline static 10000’.
• no lldp enable • mdix on • mdix auto • no port storm-control broadcast enable. Sample D-Link switch configuration. The D-Link PoE switches do not have a CLI, so you will need to use their web GUI.
Chapter 42: Viewing Station Status (SonicPoint > Station Status). The SonicPoint > Station Status page reports on the statistics of each SonicPoint. The table lists entries for each wireless client connected to each SonicPoint.
Click on the Statistics icon to see a detailed report for an individual station. Each SonicPoint device reports for both radios, and for each station, the following information to its SonicOS peer: • MAC Address – The client’s (Station’s) hardware address.
• Management Frames Received – Total number of Management frames received. Management Frames include: – Association request.
Chapter 43: Using and Configuring IDS (SonicPoint > IDS). You can have many wireless access points within reach of the signal of the SonicPoints on your network. The SonicPoint > IDS page reports on all access points the SonicWALL security appliance can find by scanning the 802.
Intrusion Detection Settings. Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network.
Discovered Access Points. The Discovered Access Points table displays information on every access point that can be detected by the SonicPoint radio: • SonicPoint: The SonicPoint that detected the access point.
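As an added example (not SonicWALL's code), the following triages access points reported by a wireless IDS scan using this chapter's definition of a rogue AP (one not authorized for use on the network) and the guide's note that SSIDs are case-sensitive. Only the detecting SonicPoint column comes from the page; the other record fields, the allow list and the scan results are constructed.

```python
"""Added example, not SonicWALL's code: triage of access points reported by a
wireless IDS scan. An AP is rogue when it has not been authorized for use on
the network (the page's definition); SSID comparison is exact and
case-sensitive, as clients treat it. Record fields beyond the detecting
SonicPoint, the allow list and the scan results are all constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredAP:
    sonicpoint: str   # the SonicPoint that detected the AP (as on the IDS page)
    bssid: str        # assumed field: radio MAC address of the detected AP
    ssid: str         # assumed field: advertised network name
    channel: int      # assumed field


# Constructed allow list: BSSID -> the SSID that radio is authorized to advertise
AUTHORIZED = {
    "00:11:22:aa:bb:01": "Corp-WiFi",
    "00:11:22:aa:bb:02": "Corp-WiFi",
    "00:11:22:aa:bb:03": "Guest-WiFi",
}


def normalize_bssid(bssid: str) -> str:
    """Canonical MAC form so '00-11-22-AA-BB-01' and '00:11:22:aa:bb:01' compare equal."""
    return bssid.strip().replace("-", ":").lower()


def classify(ap: DiscoveredAP, authorized: dict = AUTHORIZED) -> str:
    """Classify one discovered AP:
    - 'authorized':    known radio advertising its expected SSID
    - 'misconfigured': known radio advertising a different SSID than expected
    - 'ssid-spoof':    unknown radio advertising one of our SSIDs (most urgent)
    - 'rogue':         unknown radio, unknown SSID (not authorized on this network)
    """
    bssid = normalize_bssid(ap.bssid)
    if bssid in authorized:
        return "authorized" if authorized[bssid] == ap.ssid else "misconfigured"
    if ap.ssid in set(authorized.values()):   # exact, case-sensitive match
        return "ssid-spoof"
    return "rogue"


def triage(discovered, authorized: dict = AUTHORIZED) -> dict:
    """Group scan results by classification; each entry keeps the detecting
    SonicPoint so a finding can be localised to the radio that heard it."""
    groups = {"authorized": [], "misconfigured": [], "ssid-spoof": [], "rogue": []}
    for ap in discovered:
        entry = (ap.sonicpoint, normalize_bssid(ap.bssid), ap.ssid, ap.channel)
        groups[classify(ap, authorized)].append(entry)
    return groups


# Constructed scan results, as the SonicPoint > IDS page would list them
SCAN = [
    DiscoveredAP("SP-Lobby", "00-11-22-AA-BB-01", "Corp-WiFi", 1),
    DiscoveredAP("SP-Lobby", "de:ad:be:ef:00:01", "Corp-WiFi", 6),
    DiscoveredAP("SP-Floor2", "de:ad:be:ef:00:02", "corp-wifi", 6),    # case differs
    DiscoveredAP("SP-Floor2", "00:11:22:aa:bb:03", "Corp-WiFi", 11),
    DiscoveredAP("SP-Warehouse", "c0:ff:ee:00:00:01", "CoffeeShop", 11),
]

if __name__ == "__main__":
    for kind, entries in triage(SCAN).items():
        for sp, bssid, ssid, ch in entries:
            print(f"{kind:13} {bssid} '{ssid}' ch{ch} heard by {sp}")
```

Note that the lowercase "corp-wifi" radio lands in "rogue" rather than "ssid-spoof": because SSIDs are case-sensitive, clients configured for "Corp-WiFi" will not join it, so it is unauthorized but not impersonating the corporate network.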
Chapter 44: Configuring Virtual Access Points (SonicPoint > Virtual Access Point). This chapter describes the Virtual Access Point feature and includ.
What Is a Virtual Access Point? A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points.
What Is an SSID? A Service Set IDentifier (SSID) is the name assigned to a wireless network. Wireless clients must use this same, case-sensitive SSID to communicate to the SonicPoint.
Benefits of Using Virtual APs. This section includes a list of benefits in using the Virtual AP feature: • Radio Channel Co.
Deployment Restrictions. When configuring your VAP setup, be aware of the following deployment restrictions: • Maximum SonicPoint restrictions apply and differ based on your SonicWALL security appliance.
must use the same set of WEP keys. Up to 4 keys can be defined per-SonicPoint, and WEP-enabled VAPs can use these 4 keys independently. WEP keys are configured on individual SonicPoints or on SonicPoint Profiles from the SonicPoint > SonicPoints page.
A network security zone is a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone.
General. Name: Create a name for your custom zone. Security Type: Select Wireless in order to enable and access wireless security options.
Wireless. Only allow traffic generated by a SonicPoint: Restricts traffic on this zone to SonicPoint-generated traffic only. SSL VPN Enforcement: Redirects all traffic entering the Wireless zone to a defined SonicWALL SSL VPN appliance.
Guest Services. The Enable Guest Services option allows the following guest services to be applied to a zone: Feature Descript.
VLAN Subinterfaces. A Virtual Local Area Network (VLAN) allows you to split your physical network connections (X2, X3, etc...) into many virtual network connections, each carrying its own set of configurations.
DHCP Server Scope. The DHCP server assigns leased IP addresses to users within specified ranges, known as “Scopes”.
Virtual Access Point Profile Settings. The table below lists configuration parameters and descriptions for Virtual Access Point Profile Settings: Name: Choose a friendly name for this VAP Profile.
WPA-PSK / WPA2-PSK Encryption Settings. Pre-Shared Key (PSK) is available when using WPA or WPA2. This solution utilizes a shared key. WPA-EAP / WPA2-EAP Encryption Settings. Extensible Authentication Protocol (EAP) is available when using WPA or WPA2.
Virtual Access Points. The VAP Settings feature allows for setup of general VAP settings. SSID and VLAN ID are configured through VAP Settings. Virtual Access Points are configured from the SonicPoint > Virtual Access Point page.
Virtual Access Point Groups. The Virtual Access Point Groups feature is available on SonicWALL NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your SonicPoint(s).
A Sample Network. The following is a sample VAP network configuration, describing four separate VAPs: • VAP #1, Corporat.
How many users will each VAP need to support? A corporate campus has 100 employees, all of whom have wireless capabilities T.
VAP Sample Configurations. This section provides configuration examples based on real-world wireless needs.
General Settings Tab. Step 1: In the General tab, enter a friendly name such as “VAP-Guest” in the Name field. Step 2: Select Wireless from the Security Type drop-down menu.
Guest Services Tab. Step 1: In the Guest Services tab, check the Enable Guest Services checkbox. Note: In the following example, steps 2 through 7 are optional; they only represent a typical guest VAP configuration using guest services.
Your new zone now appears at the bottom of the Network > Zones page, although you may notice it is not yet linked to a Member Interface.
Creating a VLAN Subinterface on the WLAN. In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the “Configuring a Zone” section on page 565.
Note: If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWALL.
Creating the SonicPoint VAP. In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in the “Creating a VLAN Subinterface on the WLAN” section on page 569.
Configuring a VAP for Corporate LAN Access. You can use a Corporate LAN VAP for a set of users who are commonly in the office, and who should be given full access to all network resources, provided that the connection is authenticated and secure.
Wireless Settings Tab. Step 1: In the Wireless tab, check the Only allow traffic generated by a SonicPoint checkbox. Step 2: Select the checkbox for WiFiSec Enforcement to enable WiFiSec security on this connection.
Creating a VLAN Subinterface on the WLAN. In this section you will create and configure a new VLAN subinterface on your current WLAN. This VLAN will be linked to the zone you created in the “Configuring a Zone” section on page 572.
Note: If the interface you created does not appear on the Network > DHCP Server page, it is possible that you have already exceeded the number of allowed DHCP leases for your SonicWALL.
Creating the SonicPoint VAP. In this section, you will create and configure a new Virtual Access Point and associate it with the VLAN you created in the “Creating a VLAN Subinterface on the WLAN” section on page 574.
Tip: Remember that more VAPs can always be added at a later time. New VAPs can then be deployed simultaneously to all of your SonicPoints by following the steps in the “Deploying VAPs to a SonicPoint” section on page 577.
Creating a SonicPoint Provisioning Profile. In this section, you will associate the group you created in the “Grouping Multiple VAPs” section on page 577 with a SonicPoint by creating a provisioning profile.
Associating a VAP Group with your SonicPoint. If you did not create a SonicPoint Provisioning Profile, you can provision your SonicPoint(s) manually. You may want to use this method if you have only one SonicPoint to provision.
Chapter 45: Configuring RF Management (SonicPoint > RF Management). This chapter describes how to plan, design, implement, and maintain the RF Management feature in SonicWALL SonicOS Enhanced.
RF Management Overview. The following section provides a brief overview of the RF Management feature found on SonicWALL security appliances running SonicOS Enhanced 5.0 or higher.
Enabling RF Management on SonicPoint(s). In order for RF Management to be enforced, you must enable the RF Management option on all available SonicPoint devices. The following section provides instructions to re-provision all available SonicPoints with RF Management enabled.
Using the RF Management Interface. The RF Management interface (SonicPoint > RF Management) provides a central location for selecting RF signature types, viewing discovered RF threat stations, and adding discovered threat stations to a watch list.
Selecting RF Signature Types. The RF Management interface allows you to select which types of RF threats your SonicWALL monitors and logs. Step 1: Navigate to SonicPoint > RF Management in the SonicWALL security appliance management interface.
Tip: Did you know? It is possible to find approximate locations of RF Threat devices by using logged threat statistics.
• Null Probe Response - When a wireless client sends out a probe request, the attacker sends back a response with a Null SSID. This response causes many popular wireless cards and devices to stop responding.
Before Reading this Section. When using RF data to locate threats, keep in mind that wireless signals are affected by many factors.
Using RSSI to Determine RF Threat Proximity. This section builds on what was learned in the “Using Sensor ID to Determine RF Threat Location” section on page 588.
Chapter 46: Using RF Analysis (SonicPoint > RF Analysis). This chapter describes how to use the RF Analysis feature in SonicWALL SonicOS Enhanced to help best utilize the wireless bandwidth with SonicPoint and SonicPoint-N appliances.
The RF Environment. The IEEE 802.11 standard specifies that devices use the ISM 2.4 GHz and 5 GHz bands, with most of the currently deployed wireless devices using the 2.4 GHz band. Because each channel occupies a 20 MHz wide spectrum, only three channels out of the 11 available are non-overlapping.
Channel Utilization Graphs and Information. To show how each channel is utilized across all connected SonicPoints, a channel utilization graph is displayed.
Making Sense of the RF Score. RF Score is a calculated number on a scale of 1-10 which is used to represent the overall condition for a channel. The higher the score, the better the RF environment is.
RFA Highly Interfered Channels. Not only APs working in the same channel create interference; APs working in adjacent channels (channel numbers less than 5 apart) will also interfere with each other.
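The two rules stated in this chapter (20 MHz wide channels, so only three of the 11 are non-overlapping; APs whose channel numbers are less than 5 apart interfere) are enough to check a channel plan. The following is an added example, not SonicWALL's code: the AP list is constructed, and the "interferer count" it uses is a plain tally, not the RF Score algorithm.

```python
"""Added example, not SonicWALL's code: 2.4 GHz channel-overlap checks built
from the rules this page states (each channel is 20 MHz wide; APs whose
channel numbers are less than 5 apart interfere). The AP list is constructed
for illustration; the scoring is a plain interferer count, not RF Score."""

from collections import defaultdict

CHANNELS_2_4GHZ = list(range(1, 12))   # the 11 channels the page refers to
MIN_SEPARATION = 5                     # channels fewer than 5 apart overlap


def channels_interfere(a: int, b: int) -> bool:
    """True when APs on channels a and b interfere (same or adjacent channel)."""
    return abs(a - b) < MIN_SEPARATION


def non_overlapping_set(channels=CHANNELS_2_4GHZ) -> list:
    """Greedily pick mutually non-interfering channels, lowest first."""
    chosen = []
    for c in channels:
        if all(not channels_interfere(c, x) for x in chosen):
            chosen.append(c)
    return chosen


def interference_report(ap_channels: dict) -> dict:
    """Map each AP name to the sorted names of the other APs interfering with it."""
    peers = defaultdict(list)
    names = sorted(ap_channels)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if channels_interfere(ap_channels[a], ap_channels[b]):
                peers[a].append(b)
                peers[b].append(a)
    return {n: sorted(peers[n]) for n in names}


def highly_interfered_channels(ap_channels: dict, threshold: int = 2) -> list:
    """Channels on which some AP sees at least `threshold` interfering peers."""
    report = interference_report(ap_channels)
    return sorted({ap_channels[n] for n, p in report.items() if len(p) >= threshold})


def least_interfered_channel(ap_channels: dict, channels=CHANNELS_2_4GHZ) -> int:
    """Channel with the fewest interfering APs (lowest number on ties), e.g. when
    placing a new SonicPoint among the APs already heard in a scan."""
    def interferers(c):
        return sum(1 for ch in ap_channels.values() if channels_interfere(c, ch))
    return min(channels, key=lambda c: (interferers(c), c))


# Constructed sample: four SonicPoints plus a neighbouring AP heard during a scan
SAMPLE_APS = {
    "SP-Lobby": 1,
    "SP-Floor2": 3,
    "SP-Floor3": 6,
    "SP-Warehouse": 11,
    "Neighbor-AP": 9,
}

if __name__ == "__main__":
    print("non-overlapping channels:", non_overlapping_set())
    for ap, peers in interference_report(SAMPLE_APS).items():
        print(f"{ap} (ch {SAMPLE_APS[ap]}): interfered by {peers or 'none'}")
    print("highly interfered channels:", highly_interfered_channels(SAMPLE_APS))
    print("best channel for a new AP:", least_interfered_channel(SAMPLE_APS))
```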
Chapter 47: SonicPoint FairNet (SonicPoint > FairNet). This chapter describes how to plan, design, and implement SonicPoint FairNet policies in SonicWALL SonicOS Enhanced to configure bandwidth limits for WLAN clients.
Configuring SonicPoint FairNet Bandwidth Limit Policies. To configure SonicPoint FairNet, perform the following tasks: 1. Navigate to the SonicPoint > FairNet page. 2. Select the Enable FairNet checkbox. 3.
8. In the Min Rate (kbps) field, enter the minimum bandwidth that clients will be guaranteed. 9. In the Max Rate (kbps) field, enter the maximum bandwidth that clients will be allowed. 10.
Part 8: Firewall
Chapter 48: Configuring Access Rules (Firewall > Access Rules). This chapter provides an overview of your SonicWALL security appliance’s stateful packet inspection default access rules, and configuration examples to customize your access rules to meet your business requirements.
Stateful Packet Inspection Default Access Rules Overview. By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet, and blocks all traffic to the LAN from the Internet.
Using Bandwidth Management with Access Rules Overview. Bandwidth management (BWM) allows you to assign guaranteed and maximum bandwidth to services and prioritize traffic on all BWM-enabled interfaces.
Tip: You must configure Bandwidth Management individually for each interface on the Network > Interfaces page. Click the Configure icon for the interface, and select the Advanced tab.
Each view displays a table of defined network access rules. For example, selecting All Rules displays all the network access rules for all zones.
Tip: If the Delete or Edit icons are dimmed (unavailable), the access rule cannot be changed or deleted from the list.
Step 8: From the Users Allowed menu, add the user or user group affected by the access rule. Step 9: Select a schedule from the Schedule menu. The default schedule is Always on. Step 10: Enter any comments to help identify the access rule in the Comments field.
Step 16: Select Create a reflexive rule if you want to create a matching access rule to this one in the opposite direction, from your destination zone or address object to your source zone or address object.
• 27 - Class 3, Silver (AF32) • 30 - Class 3, Bronze (AF33) • 32 - Class 4 • 34 - Class 4, Gold (AF41) • 36 - Class 4, Silve.
Editing an Access Rule. To display the Edit Rule window (which includes the same settings as the Add Rule window), click the Edit icon. Deleting an Access Rule. To delete an individual access rule, click on the Delete icon.
Note: The maximum number of connections a SonicWALL security appliance can support depends on the specific configuration, including.
Access Rule Configuration Examples. This section provides configuration examples on adding network access rules: • “Enabling Ping.
Allowing WAN Primary IP Access from the LAN Zone. By creating an access rule, it is possible to allow access to a management IP address in one zone from a different zone on the same SonicWALL appliance.
Enabling Bandwidth Management on an Access Rule. Bandwidth management can be applied on both ingress and egress traffic using access rules. Access rules displaying the Funnel icon are configured for bandwidth management.
Chapter 49: Configuring Application Control (Application Control). This chapter describes how to configure and manage the Application Control feature in SonicOS.
What is Application Control? Application Control provides a solution for setting policy rules for application signatures. Application Control policies include global App Control policies, and App Rules policies that are more targeted.
external network access based on various criteria. You can use Packet Monitor to take a deeper look at application traffic, and can select among various bandwidth management settings to reduce network bandwidth usage by an application.
• Administrators can use the Create Rule button to quickly apply bandwidth management or packet monitoring to an application that they notice while viewing the App Flow Monitor page, or can completely block the application.
• “App Rules Policy Creation” on page 630 • “Match Objects” on page 634 • “Application List Objects” on page 640 • “Ac.
bandwidth management provide a link to the Firewall Settings > BWM page so that you can easily configure global bandwidth management settings for the type and the guaranteed and maximum percentages allowed for each priority level.
your custom BWM action after a change from Type WAN to Global or back again. The values you set for Guaranteed Bandwidth and Maximum Bandwidth are converted in the action object to the guaranteed and maximum values set in the Global Priority Queue table for the selected priority level.
Figure 49:8 Bandwidth Management Type Global on Firewall Settings > BWM. Figure 49:9 shows the Bandwidth Priority selections in the Add/Edit Action Objects screen when the global Bandwidth Management Type is set to Global on the Firewall Settings > BWM page.
When the Bandwidth Management Type is set to WAN as in Figure 49:10, the Add/Edit Action Object screen provides Per Action or Per Policy Bandwidth Aggregation Method options, and you can specify values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority.
• Using the Per Action aggregation method, the downloads of executable files and traffic from P2P applications combined cannot exceed 500 Kbit/sec.
Figure 49:12 Packet Monitor - Monitor Filter Tab. To set up mirroring, go to the Mirror tab and pick an interface to which to send the mirrored traffic in the Mirror filtered packets to Interface (NSA platforms only) field under Local Mirroring Settings.
Figure 49:13 shows the Create Rule window displayed over the Dashboard > App Flow Monitor page. Figure 49:13 Dashboard > App Flow Monitor Page with Create Rule Window. The Create Rule feature is available from App Flow Monitor on the list view page setting.
BWM page, see the “Actions Using Bandwidth Management” section on page 621. The Bandwidth Manage options you see in the Create Rule window reflect the options that are enabled in the Global Priority Queue.
App Rules Policy Creation. You can use Application Control to create custom App Rules policies to control specific aspects of traffic on your network. A policy is a set of match objects, properties, and specific prevention actions.
The following table describes the characteristics of the available App Rules policy types. Policy Type, Description, Valid Source.
FTP Client File Download Request: An attempt to download a file over FTP (RETR command). Any / Any. FTP Control / FTP Control. Filename, file exte.
IPS Content: Policy using dynamic Intrusion Prevention related objects for any application layer protocol. N/A. N/A. IPS Signature Category List,.
Match Objects. Match objects represent the set of conditions which must be matched in order for actions to take place. This includes the object type, the match type (exact, partial, prefix, or suffix), the input representation (text or hexadecimal), and the actual content to match.
CFS Category List: Allows selection of one or more Content Filtering categories. N/A. No. A list of 64 categories is provided to choose from. Custom Object: Allows specification of an IPS-style custom set of conditions.
File Content: Allows specification of a pattern to match in the content of a file. The pattern will be matched even if the file is compressed. Partial. No. The ‘Disable attachment’ action should never be applied to this object.
HTTP Host Header: Content found inside of the HTTP Host header. Represents the hostname of the destination server in the HTTP request, such as www.
You can see the available types of match objects in a drop-down list in the Match Object Settings screen. In the Match Object screen, you can add multiple entries to create a list of content elements to match.
You can use the Load From File button to import content from predefined text files that contain multiple entries for a match object to match.
Application List Objects. The Firewall > Match Objects page also contains the Add Application List Object button, which opens the Create Match Object screen. This screen provides two tabs: • Application – You can create an application filter object on this tab.
As you select the applications for your filter, they appear in the Application Group field on the right. You can edit the list in this field by deleting individual items or by clicking the eraser to delete all items.
Category Filters. The Category tab provides a list of application categories for selection. You can select any combination of categories and then save your selections as a category filter object with a custom name.
levels of BWM are available. If the Bandwidth Management Type is set to WAN, the predefined actions list includes three levels of WAN BWM. For more information about BWM actions, see the “Actions Using Bandwidth Management” section on page 621.
The following table describes the available action types. Action Type, Description, Predefined or Custom. BWM Global-Realtime: Manages inbound a.
Bypass DPI: Bypasses the Deep Packet Inspection components IPS, GAV, Anti-Spyware and Application Control. This action persists for the duration of the entire connection as soon as it is triggered.
A priority setting of zero is the highest priority. Guaranteed bandwidth for all levels of BWM combined must not exceed 100%.
In the screenshot below, the settings exclude the support group from a policy that prevents executable files from being attached to outgoing email. You can use the email address object in either the MAIL FROM or RCPT TO fields of the SMTP client policy.
Note: Upon registration on MySonicWALL, or when you load SonicOS 5.8 onto a registered SonicWALL device, supported SonicWALL appliances begin an automatic 30-day trial license for App Visualization and App Control, and application signatures are downloaded to the appliance.
Application Control 649 SonicOS 5.8.1 Administrator Guide T o begin using App Control, you must enable it on the Firewall > App Control Advanced page. See the screenshot below . T o create policies using App Rules (included with the App Control license), select Enable App Rules on the Firewall > App Rule s page .
Firewall > App Control Advanced
Note If you disable Visualization in the SonicOS management interface, application signature updates are discontinued until the feature is enabled again.
App Control is a licensed service, and you must also enable it to activate the functionality. To enable App Control and configure the global settings: Step 1 To globally enable App Control, select the Enable App Control checkbox.
The Network > Zones page displays a green indicator in the App Control column for any zones that have the App Control service enabled. Step 4 You can configure a global exclusion list for App Control policies on the Firewall > App Control Advanced page.
Step 6 To use an address object for the exclusion list, select the Use Application Control Exclusion Address Object radio button, and then select an address object from the drop-down list.
Step 2 Under App Control Advanced, select an application category from the Category drop-down list. A Configure button appears to the right of the field as soon as a category is selected.
• SU-S 00:00 to 24:00 – Enable the policy at all times (Sunday through Saturday, 24 hours a day). • Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM.
default to the current settings of the category to which the application belongs. To retain this connection to the category settings for one or more fields, leave this selection in place for those fields.
• Weekend Hours – Enable the policy Friday at 5:00 PM through Monday at 8:00 AM. Step 12 To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field.
The default policy settings for the signature are set to the current settings for the application to which the signature belongs. To retain this connection to the application settings for one or more fields, leave this selection in place for those fields.
Firewall > App Rules
• M-T-W-T-F 00:00 to 08:00 – Enable the policy Monday through Friday, midnight to 8:00 AM. • M-T-W-T-F 17:00 to 24:00 – Enable the policy Monday through Friday, 5:00 PM to midnight.
You must enable App Rules to activate the functionality. App Rules is licensed as part of App Control, which is licensed on www.mysonicwall.com on the Service Management - Associated Products page under GATEWAY SERVICES.
For information about policies and policy types, see “App Rules Policy Creation” on page 630. To configure an App Rules policy, perform the following steps: Step 1 In the navigation pane on the left side, click Firewall, and then click App Rules.
Step 10 For Users/Groups, select from the drop-down lists for both Included and Excluded.
Using the Application Control Wizard. The Application Control wizard provides safe configuration of App Control policies for many common use cases, but not for everything.
• Do one of the following: Note If you selected a choice with the words except the ones specified in the previous step, content that you enter here will be the only content that does not cause the action to occur.
Firewall > Match Objects
The second Application Control Action Settings screen is only displayed when you selected an action in the previous step that requires additional text.
Step 3 In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object. Step 4 Select a Match Object Type from the drop-down list. Your selection here will affect the available options in this screen.
Step 2 Near the bottom of the page, click the Add Application List Object button. The Create Match Object page opens. You can control which applications are displayed by selecting one or more application categories, threat levels, and technologies.
Firewall > Action Objects
Step 7 Click the plus sign next to each application you want to add to your filter object.
Step 6 If HTTP Block Page was selected as the action, a Color drop-down list is displayed. Choose a background color for the block page from the Color drop-down list. Color choices are white, yellow, red, or blue.
Step 4 Do one or both of the following: • Under Bandwidth Management, to manage outbound bandwidth, select the Enable Egress Bandwidth Management checkbox, and optionally set the Available Interface Egress Bandwidth (Kbps) field to the maximum for the interface.
Step 5 In the Bandwidth Aggregation Method drop-down list, select one of the following: • Per Policy – When multiple poli.
Firewall > Address Objects. Note For increased convenience and accessibility, the Address Objects page can be accessed either from Network > Address Objects or Firewall > Address Objects.
Verifying App Control Configuration
Step 5 In the Content text box, type the content to match and then click Add.
Wireshark. Wireshark is a network protocol analyzer that you can use to capture packets from applications on your network.
Step 3 In the captured output, locate and click the HTTP GET command in the top pane, and view the source for it in the center pane. In the source code, locate the line beginning with User-Agent.
Step 5 Type the identifier into the Content text box in the Match Object Settings screen and click OK to create a match object that you can use in a policy.
Using the SonicWALL graphic as an example, you would take the following steps: Step 1 Start XVI32 and click File > Open to open the graphic image GIF file.
When the block is marked, it changes to red font. To unmark a block of characters, press Ctrl+U. Step 3 After you mark the block, click Edit > Clipboard > Copy As Hex String.
Step 12 Click Add. Step 13 Click OK. You now have a Match Object containing a unique identifier for the image. You can create an App Rules policy to block or log traffic that contains the image matched by this Match Object.
App Control Use Cases
App Control Use Cases. Application Control provides the functionality to handle several types of access control very efficiently.
The example below shows a match object targeted at LimeWire and Napster Peer to Peer sharing applications.
After creating a signature-based match object, create a new App Rules policy of type App Control Content that uses the match object. The example below shows a policy which uses the newly created “Napster/LimeWire P2P” match object to drop all Napster and LimeWire traffic.
When you configure the policy or policies for this purpose, you can select Direction > Basic > Outgoing to specifically apply your file transfer restrictions to outbound traffic.
Hosted Email Environments. A hosted email environment is one in which email is available on a user’s Internet Service Provider (ISP). Typically, POP3 is the protocol used for email transfer in this environment.
Web Browser Control. You can also use Application Control to protect your Web servers from undesirable browsers. Application Control supplies match object types for Netscape, MSIE, Firefox, Safari, and Chrome.
You can use this match object in a policy to block browsers that are not MSIE 6.0. For information about using Wireshark to find a Web browser identifier, see “Wireshark” on page 674. For information about negative matching, see “Negative Matching” on page 639.
Wireshark will jump to the first frame that contains the requested data. You should see something like the screen shown below.
Next, navigate to Firewall > App Rules and click Add New Policy. Create a policy like the one shown below. To test, use a browser to open the Post.htm document you created earlier. Type in your name and then click Submit.
Navigate to Firewall > Match Objects and click Add New Match Object. Create an object like the one shown below. Next, navigate to Firewall > Action Objects and click Add New Action Object.
To create a policy that uses this object and action, navigate to Firewall > App Rules and click Add New Policy.
Some ActiveX types and their classids are shown in the following table. The screenshot below shows an ActiveX type match object that is using the Macromedia Shockwave class ID.
You can look up the class ID for these ActiveX controls on the Internet, or you can view the source in your browser to find it. For example, the screenshot below shows a source file with the class ID for Macromedia Shockwave or Flash.
First, you would create a match object of type File Content that matches on keywords in files. Optionally, you can create a customized FTP notification action that sends a message to the client.
Blocking Outbound UTF-8 / UTF-16 Encoded Files. Native Unicode UTF-8 and UTF-16 support by Application Control allows encoded multi-byte characters, such as Chinese or Japanese characters, to be entered as match object content keywords using the alphanumeric input type.
Next, create a policy that references the match object, as shown below. This policy blocks the file transfer and resets the connection. Enable Logging is selected so that any attempt to transfer a file containing the UTF-16 encoded keyword is logged.
The first step is to create a match object that matches on the put command. Because the mput command is a variation of the put command, a match object that matches on the put command will also match on the mput command.
Next, you would create a policy that references this match object and action. If you prefer to simply block the put command and reset the connection, you can select the Reset/Drop action when you create the policy.
The first step is to enable bandwidth management on the interface that will handle the traffic. You can access this setting on the Network > Interfaces screen of the SonicOS management interface, shown below.
Next, you can create an application layer bandwidth management action that limits inbound transfers to 400 kbps. The Bandwidth Management Type on Firewall Settings > BWM must be set to WAN in order to do this in the Action Object Settings screen.
Now you are ready to create a policy that applies the bandwidth management action to the MP3 file extension object. Bypass DPI. You can use the Bypass DPI action to increase performance over the network if you know that the content being accessed is safe.
Only two steps are needed to create the policy. First, you can define a match object for the corporate video using a match object type of H.
Custom Signature. You can create a custom match object that matches any part of a packet if you want to control traffic that does not have a predefined object type in Application Control. This allows you to create a custom signature for any network protocol.
the first byte in the packet is counted as number one (not zero). Decimal numbers are used rather than hexadecimal to calculate offset and depth.
action or a default action such as Reset/Drop. For the Connection Side, select Client Side. You can also modify other settings. For more information about creating a policy, see “Configuring an App Rules Policy” on page 660.
Note Networks using unencrypted Telnet service must configure policies that exclude those servers’ IP addresses.
The hexadecimal data can be exported to a text file for trimming off the packet header, unneeded or variable parts and spaces. The relevant portion here is “Microsoft… reserved.” You can use the Wireshark hexadecimal payload export capability for this.
Defining the Policy. After creating the match objects, you can define a policy that uses them. The image below shows the other policy settings. This example as shown is specific for reverse shells in both the Policy Name and the Direction settings.
Glossary. Application layer: The seventh level of the 7-layer OSI model; examples of application layer protocols are AIM, DNS, FTP, HTTP, I.
Part 9: Firewall Settings
Chapter 50: Configuring Advanced Access Rule Settings. Firewall Settings > Advanced. To configure advanced access rule options, select Firewall Settings > Advanced under Firewall.
The Firewall Settings > Advanced page includes the following firewall configuration option groups: • “Detection Preventio.
b. On the Network > Services page, create a custom Service for the FTP Server with the following values: • Name: FTP Custom Port Control • Protocol: TCP(6) • Port Range: 2121 - 2121 c.
Connections. The Connections section provides the ability to fine-tune the performance of the appliance to prioritize either optimal performance or support for an increased number of simultaneous connections that are inspected by UTM services.
Apply firewall rules for intra-LAN traffic to/from the same interface - Applies firewall rules to traffic that is received on a LAN interface and that is destined for the same LAN interface.
Chapter 51: Configuring Bandwidth Management. Firewall Settings > BWM. Bandwidth management (BWM) is a means of allocating bandwidth resources to critical applications on a network.
Understanding Bandwidth Management. BWM is controlled by the SonicWALL Security Appliance on ingress and egress traffic.
Configuring the Firewall Settings > BWM Page. BWM works by first configuring the BWM type on the Firewall Settings > BWM page, then enabling BWM on an interface, and then allocating the available bandwidth for that interface on the ingress and egress traffic.
Note When you change the Bandwidth Management Type from Global to WAN, the default BWM actions that are in use in any App Rules policies will be automatically converted to WAN BWM Medium, no matter what level they were set to before the change.
Configuring Interfaces. To configure BWM per interface, perform the following steps: Step 1 Navigate to the Firewall Settings > BWM page. Step 2 Select Bandwidth Management Type: Global, WAN, or none, and then click Accept.
Step 4 Click the Configure icon in the Configure column for the interface for which you want to set BWM. The Edit Interface dialog is displayed. Note If using Bandwidth Management Type WAN, you can only enable BWM on a WAN interface.
Step 1 Navigate to the Firewall > Access Rules page. Step 2 Click the Configure icon for the rule you want to edit. The Edit Rule General tab dialog is displayed. Step 3 Click the Ethernet BWM tab.
Configuring Application Rules. Application layer BWM allows you to create policies that regulate bandwidth consumption by specific file types within a protocol, while allowing other file types to use unlimited bandwidth.
To configure BWM for a specific application, perform the following steps: Step 1 Navigate to the Firewall > App Rules page. Step 2 Under App Rules Policies, select the Action Type: Bandwidth Management.
Step 4 Change the Action Object to the desired BWM setting, and then click OK. Note All priorities will be displayed (Realtime – Lowest) regardless of whether all have been configured. Refer to the Firewall Settings > BWM page to determine which priorities are enabled.
The following table lists the predefined default actions that are available when adding a policy. Creating a New BWM Action or Policy. If you do not want to use the predefined BWM actions or policies, you have the option to create a new one that fits your needs.
To create a new BWM action or policy, perform the following steps: Step 1 Navigate to the Firewall > Action Objects page. Step 2 Click Add New Action Object at the bottom of the page.
In case of a BWM type of WAN, the configuration of these options is included in the following steps. Note All priorities will be displayed (0–7) regardless of whether all have been configured.
If you plan to use this custom action for rate limiting rather than guaranteeing bandwidth, you do not need to change the Guaranteed Bandwidth field. Step 7 To specify the Maximum Bandwidth, optionally enter a value either as a percentage or as kilobits per second.
To configure BWM using the App Flow Monitor, perform the following steps: Step 1 Navigate to the Dashboard > App Flow Monitor page. Step 2 Check the service-based applications or signature-based applications to which you want to apply global BWM.
Note Create rule for service-based applications will result in creating a firewall access rule, and create rule for signature-based applications will create an application control policy.
Step 6 Click OK. Step 7 Navigate to the Firewall > Access Rules page (for service-based applications) and Firewall > App Rules (for signature-based applications) to verify that the rule was created.
Guaranteed Bandwidth: A declared percentage of the total available bandwidth on an interface which will always be granted to a certain class of traffic. Applicable to both inbound and outbound BWM.
Chapter 52: Configuring Flood Protection. Firewall Settings > Flood Protection. The Firewall Settings > Flood Protection page lets you view statistics on TCP traffic through the security appliance and manage TCP traffic settings.
TCP Settings. The TCP Settings section allows you to: • Enforce strict TCP compliance with RFC 793 and RFC 1122 – Select to ensure strict compliance with several TCP timeout rules.
– Maximum value: 60 seconds. SYN Flood Protection Methods. SYN/RST/FIN Flood protection helps to protect hosts behind the.
Each watchlist entry contains a value called a hit count. The hit count value increments when the device receives an initial SYN packet from a corresponding device. The hit count decrements when the TCP three-way handshake completes.
A SYN Flood Protection mode is the level of protection that you can select to defend against half-opened TCP sessions and high-frequency SYN packet transmissions.
• SACK (Selective Acknowledgment) – This parameter controls whether or not Selective ACK is enabled.
The SYN/RST/FIN Blacklisting region contains the following options: • Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – The maximum number of SYN, RST, and FIN packets allowed per second.
• Invalid Flag Packets Dropped - Incremented under the following conditions: – When a non-SYN packet is received that cannot be located in the connection-cache (while SYN Flood protection is disabled).
Total SYN, RST, or FIN Floods Detected: The total number of events in which a forwarding device has exceeded the lower of either the SYN attack threshold or the SYN/RST/FIN flood blacklisting threshold.
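The watchlist hit count and the SYN/RST/FIN blacklisting threshold described above, modelled as detection logic over constructed packet events (an added example, not SonicOS code; the thresholds, addresses and packet sequence are made up, and the verdict names are this example's own):

```python
"""Model of the SYN flood watchlist: a per-source hit count that goes up on each
initial SYN and down when the three-way handshake completes, plus a per-second
SYN/RST/FIN counter checked against the blacklisting threshold.
Added example; thresholds and traffic below are constructed, not SonicOS values."""
from collections import defaultdict

SYN_ATTACK_THRESHOLD = 3    # constructed: half-open SYNs tolerated per source
SYN_RST_FIN_PER_SEC = 4     # constructed: SYN/RST/FIN packets allowed per second


class SynFloodWatchlist:
    def __init__(self, attack_threshold=SYN_ATTACK_THRESHOLD,
                 blacklist_rate=SYN_RST_FIN_PER_SEC):
        self.attack_threshold = attack_threshold
        self.blacklist_rate = blacklist_rate
        self.hit_count = defaultdict(int)   # source -> outstanding half-open SYNs
        self.flag_rate = defaultdict(int)   # (source, whole second) -> SYN/RST/FIN count
        self.half_open = set()              # (src, dst, sport, dport) awaiting final ACK
        self.floods_detected = 0            # "Total SYN, RST, or FIN Floods Detected"
        self.blacklisted = set()

    def packet(self, ts, src, dst, sport, dport, flags):
        """Feed one packet; returns "allow", "flood" or "blacklist" for this packet."""
        key = (src, dst, sport, dport)
        if "SYN" in flags and "ACK" not in flags:
            # initial SYN: a new half-open session charged to the source
            self.hit_count[src] += 1
            self.half_open.add(key)
        elif "ACK" in flags and key in self.half_open:
            # third packet of the handshake: the session is no longer half-open
            self.half_open.discard(key)
            self.hit_count[src] -= 1
        if flags & {"SYN", "RST", "FIN"}:
            self.flag_rate[(src, int(ts))] += 1

        verdict = "allow"
        if self.hit_count[src] > self.attack_threshold:
            self.floods_detected += 1
            verdict = "flood"
        if self.flag_rate[(src, int(ts))] > self.blacklist_rate:
            self.blacklisted.add(src)
        if src in self.blacklisted:
            verdict = "blacklist"
        return verdict


def replay(events, watch=None):
    """Run a list of (ts, src, dst, sport, dport, flags) through one watchlist."""
    watch = watch or SynFloodWatchlist()
    return [watch.packet(*e) for e in events], watch


# Constructed traffic: one legitimate client completes a handshake, then another
# source sends five bare SYNs to different ports within the same second.
CONSTRUCTED_EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10", 40000, 80, {"SYN"}),
    (0.1, "192.0.2.10", "10.0.0.5", 80, 40000, {"SYN", "ACK"}),
    (0.2, "10.0.0.5", "192.0.2.10", 40000, 80, {"ACK"}),
    (1.0, "203.0.113.9", "192.0.2.10", 50001, 80, {"SYN"}),
    (1.1, "203.0.113.9", "192.0.2.10", 50002, 80, {"SYN"}),
    (1.2, "203.0.113.9", "192.0.2.10", 50003, 80, {"SYN"}),
    (1.3, "203.0.113.9", "192.0.2.10", 50004, 80, {"SYN"}),
    (1.4, "203.0.113.9", "192.0.2.10", 50005, 80, {"SYN"}),
]

if __name__ == "__main__":
    verdicts, watch = replay(CONSTRUCTED_EVENTS)
    for event, verdict in zip(CONSTRUCTED_EVENTS, verdicts):
        print(f"t={event[0]:.1f} {event[1]} {sorted(event[5])}: {verdict}")
    print("half-open per source:", dict(watch.hit_count))
```

The fourth bare SYN from 203.0.113.9 pushes its hit count past the attack threshold, and the fifth, being the fifth SYN in that second, crosses the blacklisting rate; the legitimate client's count returns to zero once its handshake completes.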
Chapter 53: Configuring Multicast Settings. Firewall Settings > Multicast. Multicasting, also called IP multicasting, is a method for sending one Internet Protocol (IP) packet simultaneously to multiple hosts.
Multicast Snooping. This section provides configuration tasks for Multicast Snooping. • Enable Multicast - This checkbox is disabled by default. Select this checkbox to support multicast traffic.
To create a multicast address object: Step 1 In the Enable reception for the following multicast addresses list, select Create new multicast object. Step 2 In the Add Address Object window, configure: – Name: The name of the address object.
Enabling Multicast on LAN-Dedicated Interfaces. Perform the following steps to enable multicast support on LAN-dedicated interfaces. Step 1 Enable multicast support on your SonicWALL security appliance.
Enabling Multicast Through a VPN. To enable multicast across the WAN through a VPN, follow these steps: Step 1 Enable multicast globally. On the Firewall Settings > Multicast page, check the Enable Multicast checkbox, and click the Apply button for each security appliance.
Note Notice that the default WLAN > MULTICAST access rule for IGMP traffic is set to 'DENY'. This will need to be changed to 'ALLOW' on all participating appliances to enable multicast, if they have multicast clients on their WLAN zones.
751 SonicOS 5.8.1 Administrator Guide CHAPTER 54 Chapter 54: Managing Quality of Service Firewall Settings > QoS Mapping Quality of Service (QoS) refers to a divers ity of methods intended to provide predictable network behavior and performance.
Firewall Settings > QoS Mapping 752 SonicOS 5.8.1 Administrator Guide But all is not lost. Once SonicOS Enhanc ed classifies the traffic, it can tag the traffic to communicate this classification to certain exter nal systems that are capable of abiding by CoS tags; thus they too can p a rticipate in provid ing QoS.
Firewall Settings > QoS Mapping 753 SonicOS 5.8.1 Administrator Guide Conditioning The traffic can be conditioned ( or managed) using any of the many policing, queuing, and shaping methods available.
Firewall Settings > QoS Mapping 754 SonicOS 5.8.1 Administrator Guide such as DSCP . SonicOS Enhanced has the ability to DSCP mark traf fic afte r classification, as well as the ability to map 802.1p t ags to DSCP tags for external networ k traversal and CoS preservation.
Firewall Settings > QoS Mapping 755 SonicOS 5.8.1 Administrator Guide The behavior of the 802.1p field within these t ags can be controlled by Access Rules. The default 802.1p Access Rule action of None will reset existing 802.1p tags to 0 , unless othe rwise configured (see “Managing QoS Marking” section on page 760 for det ails).
Firewall Settings > QoS Mapping 756 SonicOS 5.8.1 Administrator Guide Example Scenario In the scenario above, we have Remote Site 1 connected to ‘Main Site’ by an IPsec VPN. The company uses an internal 802.1p/DSCP ca pabl e V oIP phone system, with a private V oIP signaling server hosted at the Main Site.
Firewall Settings > QoS Mapping 757 SonicOS 5.8.1 Administrator Guide prioritize the traffic. The Remot e Site switch would treat the V oIP traffic the same as the lower-priority file transfer because of the link saturation, introducing delay—maybe even dropped packet s—to the V oIP flow , r esu lting in call quality degradation.
Firewall Settings > QoS Mapping 758 SonicOS 5.8.1 Administrator Guide The following t able shows the commonly used c ode poin ts, as well as their mapping to the legacy Precedence and T oS settings. DSCP marking can be performed on tr affic to/from a ny interface and to/from any zone type, without exception.
If symptoms of such a scenario emerge (e.g. excessive retransmissions of low-priority traffic), it is recommended that you create a separate VPN policy for the high-priority and low-priority classes of traffic.

Note: Mapping will not occur until you assign Map as an action on the QoS tab of an Access Rule. The mapping table only defines the correspondence that will be employed by an Access Rule's Map action.

The following table describes the behavior of each action on both methods of marking:

Action: None
802.1p (layer 2 CoS): When packets matching this class of traffic (as defined by the Access Rule) are sent out the egress interface, no 802.
DSCP (layer 3):
Notes:

For example, refer to the following figure, which provides a bi-directional DSCP tag action.

The first Access Rule (governing LAN>VPN) would have the following effects:
• VoIP traffic (as defined by the Service Group) from LAN Primary Subnet destined to be sent across the VPN to Main Site Subnets would be evaluated for both DSCP and 802.

To examine the effects of the second Access Rule (VPN>LAN), we'll look at the Access Rules configured at the Main Site.

Bandwidth Management

Although bandwidth management (BWM) is a fully integrated QoS service, wherein classification and shaping.

Queue processing utilizes a time division scheme of approximately 1/256th of a second per time-slice.

• Web Sense
• Syslog
• NTP
• Security Services (AV, signature updates, license manager)

Outbound BWM Packet Processing Path
a. Determine that the packet is bound for the WAN zone.

Example of Outbound BWM

The above diagram shows 4 policies configured for OBWM with a link capacity of 100 Kbps. This means that the link capacity is 12800 Bytes/sec (100 × 1024 bits / 8). The table below gives the BWM values for each rule in Bytes per second.

e. Since all the queues have been processed for GBW, we now move on to use up the leftover link credit of 8000.
f. Start off with the highest priority, 0, and process all queues in this priority in a round-robin fashion.
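The outbound walk-through above (guaranteed bandwidth served first, then the leftover credit handed out from priority 0 downwards, round robin within a priority, and never beyond a rule's maximum) is the core of a two-pass credit scheduler. The Python below is an added example that implements that scheme in its plain form; it is not SonicOS's implementation and the four rules, their priorities, backlogs and the 100-byte round-robin quantum are constructed values chosen so that the guaranteed shares sum to 4800 bytes/sec and leave the 8000 bytes/sec of leftover credit the text mentions.

```python
from dataclasses import dataclass

SLICES_PER_SECOND = 256   # the guide's time slice: roughly 1/256th of a second
QUANTUM = 100             # bytes handed to a class per round-robin turn (illustrative choice)


def kbps_to_bytes_per_sec(kbps):
    """The guide's arithmetic treats 1 Kbps as 1024 bit/s: 100 Kbps -> 12800 bytes/sec."""
    return kbps * 1024 // 8


def per_slice_credit(kbps):
    """Link credit that becomes available in one 1/256 s slice."""
    return kbps_to_bytes_per_sec(kbps) / SLICES_PER_SECOND


@dataclass
class BwmClass:
    name: str
    priority: int     # 0 = highest, 7 = lowest
    guaranteed: int   # GBW, bytes/sec
    maximum: int      # MBW, bytes/sec
    backlog: int      # bytes queued for this class
    sent: int = 0


def schedule(classes, link_kbps):
    """One second of credit: pass 1 gives every class its GBW, pass 2 spends what is left by priority."""
    credit = kbps_to_bytes_per_sec(link_kbps)
    if sum(c.guaranteed for c in classes) > credit:
        # A practitioner's check: oversubscribed GBW means the 'guarantee' cannot be honoured.
        raise ValueError("guaranteed bandwidth exceeds link capacity")
    for c in classes:                       # pass 1: guaranteed share, capped by what is queued
        c.sent = min(c.guaranteed, c.backlog)
        credit -= c.sent
    for prio in range(8):                   # pass 2: leftover credit, priority 0 first
        group = [c for c in classes if c.priority == prio]
        while credit > 0:
            eligible = [c for c in group if c.sent < min(c.maximum, c.backlog)]
            if not eligible:
                break
            for c in eligible:              # round robin inside one priority level
                share = min(QUANTUM, credit, min(c.maximum, c.backlog) - c.sent)
                c.sent += share
                credit -= share
                if credit == 0:
                    break
    return {c.name: c.sent for c in classes}, credit


def sample_classes():
    """Constructed rules: GBW sums to 4800 B/s, leaving 8000 B/s of a 100 Kbps link to distribute."""
    return [
        BwmClass("VoIP", priority=0, guaranteed=2000, maximum=6000, backlog=5000),
        BwmClass("Web", priority=1, guaranteed=1600, maximum=12800, backlog=20000),
        BwmClass("Mail", priority=1, guaranteed=800, maximum=12800, backlog=20000),
        BwmClass("Bulk", priority=7, guaranteed=400, maximum=12800, backlog=20000),
    ]


if __name__ == "__main__":
    allocation, unused = schedule(sample_classes(), 100)
    print(allocation, "unused credit:", unused)
```

With these inputs VoIP takes its 2000 guaranteed bytes plus 3000 more (all it has queued), Web and Mail split the remaining 5000 evenly because they share priority 1, and the priority-7 Bulk rule never sees anything beyond its 400-byte guarantee. That last point is the practical lesson of the scheme: a low-priority class with a generous maximum is still starved whenever higher priorities have backlog, so a meaningful floor has to be expressed as guaranteed bandwidth.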
An ingress module monitors and records the ingress rate for each traffic class. It also monitors the egress ACKs and queues them if the ingress rate has to be reduced. According to ingress bandwidth availability and average rate, the ACKs will be released.

Process ACKs

This algorithm is used to update the bandwidth parameters per class according to the amount of bandwidth used in the previous time slice. The amount of bandwidth used is given by the total number of bytes received for the class in the previous time slice.

b. Row 2a shows an egress ACK for the class. Since the class credit is less than the rate, this packet is queued in the appropriate ingress queue, and it will not be processed until the class credit is at least equal to the rate.

include at a minimum Default, Assured Forwarding, and Expedited Forwarding. DiffServ is supported on SonicWALL NSA platforms. Refer to the “DSCP Marking” section on page 757 for more information.

limiting functionality. You can now create traffic policies that specify maximum rates for Layer 2, 3, or 4 network traffic. This enables bandwidth management in cases where the primary WAN link fails over to a secondary connection that cannot handle as much traffic.

– Token Based CBQ – An enhancement to CBQ that employs a token, or credit-based, system that helps to smooth or normalize link utilization, avoiding burstiness as well as under-utilization.

Chapter 55: Configuring SSL Control

Firewall Settings > SSL Control

This chapter describes how to plan, design, implement, and maintain the SSL Control feature.

well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based endpoint identification, cipher-based confidentiality, and digest-based (MAC) integrity protection for network communications.

simple Web-search. The challenge is not the ever-increasing number of such services, but rather their unpredictable nature. Since these services are often hosted on home networks using dynamically addressed DSL and cable modem connections, the targets are constantly moving.

Key Concepts to SSL Control

• SSL - Secure Sockets Layer (SSL) is a network security mechanism introduced by Netscape in 1995.

SSL is not limited to securing HTTP, but can also be used to secure other TCP protocols such as SMTP, POP3, IMAP, and LDAP. For more information, see http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.

– TLS – Transport Layer Security (version 1.0), also known as SSLv3.1, is very similar to SSLv3, but improves upon SSLv3 in the following ways:
• MAC – A MAC (Message Authentication Code) is calculated by applying a keyed hash algorithm (such as MD5 or SHA1) to the data together with a secret key, so that a party without the key cannot alter the data undetected.

mismatch elicits a browser alert, it is not always a sure sign of deception. For example, if a client browses to https://mysonicwall.com, which resolves to the same IP address as www.

Caveats and Advisories

1. Self-signed and Untrusted CA enforcement – If enforcing either of these two options, it is strong.

SSL Control Configuration

SSL Control is located on the Firewall panel, under the SSL Control folder. SSL Control has a global setting, as well as a per-zone setting. By default, SSL Control is not enabled at the global or zone level.

• Detect Weak Ciphers (<64 bits) – Controls the detection of SSL sessions negotiated with symmetric ciphers of less than 64 bits, commonly indicating export-cipher usage.
• Detect MD5 Digest – Controls the detection of certificates that were signed using an MD5 hash.

Entries can be added, edited and deleted with the buttons beneath each list window.

Note: List matching is based on the subject common name in the certificate presented in the SSL exchange, not on the URL (resource) requested by the client.

3 SSL Control: Self-signed certificate – The certificate is self-signed (the CN of the issuer and the subject match).
4 SSL Control: Untrusted CA – The certificate has been issued by a CA that is not in the System > Certificates store of the SonicWALL.
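The detections listed above operate on two things visible without decrypting anything: the cipher suite the server chose in its ServerHello, and the fields of the certificate it presented. The Python below is an added example, not SonicOS code, that parses a ServerHello record to recover the negotiated suite and its symmetric key strength, then applies the SSL Control checks (weak cipher below 64 bits, MD5-signed certificate, self-signed by issuer CN equal to subject CN, issuer not in the trusted store, CN whitelist/blacklist) to a session. The ServerHello bytes are constructed inline; the certificate is represented as already-decoded fields because ASN.1 parsing is outside the point being made; the cipher table is a small subset of the IANA registry, not SonicOS's own; and the treatment of a whitelisted CN as bypassing the other checks is an assumption.

```python
import struct

# Subset of the IANA TLS cipher suite registry: id -> (name, symmetric key bits).
CIPHER_SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 168),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}
WEAK_CIPHER_BITS = 64   # threshold from "Detect Weak Ciphers (<64 bits)"


def build_server_hello(cipher_suite, version=(3, 1)):
    """Constructed TLS 1.0 ServerHello record with an empty session ID (test input, not a capture)."""
    body = bytes(version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Extract protocol version and negotiated cipher suite from a ServerHello (TLS 1.0-1.2 layout)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 38:
        raise ValueError("ServerHello too short")
    pos = 35 + body[34]                       # skip version, 32-byte random, session id
    if len(body) < pos + 3:
        raise ValueError("ServerHello truncated")
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    name, bits = CIPHER_SUITES.get(suite, ("unknown", None))
    return {"version": (body[0], body[1]), "cipher_suite": suite, "cipher_name": name, "key_bits": bits}


def evaluate_ssl_control(record, cert, policy, requested_host=None):
    """Return the SSL Control events a session raises under `policy`.

    `cert` holds decoded certificate fields. `requested_host` is accepted but deliberately
    unused: list matching is on the certificate's subject CN, not on the URL the client asked for.
    """
    events = []
    cn = cert["subject_cn"]
    if cn in policy["whitelist"]:             # assumption: a whitelisted CN skips the other checks
        return events
    if cn in policy["blacklist"]:
        events.append("blacklisted CN")
    hello = parse_server_hello(record)
    bits = hello["key_bits"]
    if policy["detect_weak_ciphers"] and bits is not None and bits < WEAK_CIPHER_BITS:
        events.append(f"weak cipher ({hello['cipher_name']}, {bits}-bit)")
    if policy["detect_md5_digest"] and cert["signature_hash"].lower() == "md5":
        events.append("MD5 digest")
    if policy["detect_self_signed"] and cert["issuer_cn"] == cn:
        events.append("self-signed certificate")
    elif policy["detect_untrusted_ca"] and cert["issuer_cn"] not in policy["trusted_ca_cns"]:
        events.append("untrusted CA")
    return events


# Constructed policy and certificates for illustration.
POLICY = {"detect_weak_ciphers": True, "detect_md5_digest": True, "detect_self_signed": True,
          "detect_untrusted_ca": True, "trusted_ca_cns": {"Example Root CA"},
          "whitelist": {"intranet.example.com"}, "blacklist": {"proxy.example.net"}}
SELF_SIGNED = {"subject_cn": "proxy.example.net", "issuer_cn": "proxy.example.net", "signature_hash": "md5"}
PUBLIC_SITE = {"subject_cn": "www.example.com", "issuer_cn": "Example Root CA", "signature_hash": "sha256"}

if __name__ == "__main__":
    print(evaluate_ssl_control(build_server_hello(0x0003), SELF_SIGNED, POLICY, "www.example.com"))
    print(evaluate_ssl_control(build_server_hello(0x002F), PUBLIC_SITE, POLICY))
```

The `requested_host` parameter is the note above made concrete: a blacklist entry for a hostname does nothing if the server presents a certificate whose CN is something else, and a whitelist entry matches any session that presents that CN, whatever URL was typed.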
Part 10: DPI-SSL

Chapter 56: Configuring Client DPI-SSL Settings

DPI-SSL > Client SSL

This chapter contains the following sections:
• “DPI-SSL Overview” on pag.

The DPI-SSL feature is available in SonicOS Enhanced 5.6 and higher. The following table shows which platforms support DPI-SSL and the maximum number of concurrent connections on which the appliance can perform DPI-SSL inspection.

To enable Client DPI-SSL inspection, perform the following steps:
1. Navigate to the DPI-SSL > Client SSL page.

Common Name Exclusions

The Common Name Exclusions section is used to add domain names to the exclusion list. To add a domain name, type it in the text box and click Add. Click Apply at the top of the page to confirm the configuration.

Creating a PKCS-12 Formatted Certificate File

A PKCS-12 formatted certificate file can be created on a Linux system with OpenSSL. In order to create a PKCS-12 formatted certificate file, one needs to have the two main components of the certificate:
• Private key (typically a file with .
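The procedure the section introduces (private key plus certificate, bundled into one PKCS#12 file) comes down to three OpenSSL invocations. The Python below is an added example, not from the guide, that drives the `openssl` command-line tool to generate a private key and a self-signed CA certificate, bundle them with `openssl pkcs12 -export`, and read the bundle back to confirm it opens with the passphrase. The file names, the subject DN and the passphrase are placeholders; the script does nothing when `openssl` is not installed.

```python
import os
import shutil
import subprocess


def openssl_available():
    return shutil.which("openssl") is not None


def pkcs12_commands(key_path, cert_path, p12_path, passphrase, subject="/CN=DPI-SSL Example CA"):
    """The OpenSSL invocations, in order: private key, self-signed CA certificate, PKCS#12 bundle.

    The subject is a placeholder; a real deployment uses the organization's own DN.
    """
    return [
        ["openssl", "genrsa", "-out", key_path, "2048"],
        ["openssl", "req", "-new", "-x509", "-key", key_path, "-out", cert_path,
         "-days", "365", "-subj", subject],
        ["openssl", "pkcs12", "-export", "-inkey", key_path, "-in", cert_path,
         "-out", p12_path, "-passout", "pass:" + passphrase],
    ]


def verify_command(p12_path, passphrase):
    """Reads the bundle back; a wrong passphrase or a corrupt file makes openssl exit non-zero."""
    return ["openssl", "pkcs12", "-in", p12_path, "-info", "-noout", "-passin", "pass:" + passphrase]


def create_pkcs12(workdir, passphrase):
    """Run the commands in `workdir`; returns the .p12 path, or None when openssl is not installed."""
    if not openssl_available():
        return None
    key = os.path.join(workdir, "dpi-ssl-ca.key")
    cert = os.path.join(workdir, "dpi-ssl-ca.crt")
    p12 = os.path.join(workdir, "dpi-ssl-ca.p12")
    for cmd in pkcs12_commands(key, cert, p12, passphrase):
        subprocess.run(cmd, check=True, capture_output=True)
    subprocess.run(verify_command(p12, passphrase), check=True, capture_output=True)
    # This key can sign a certificate for any site the appliance inspects; restrict it to the owner.
    os.chmod(key, 0o600)
    os.chmod(p12, 0o600)
    return p12


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as workdir:
        print(create_pkcs12(workdir, "change-me"))
```

Two practical notes. The CA private key in this bundle lets its holder impersonate any HTTPS site for every client that trusts the certificate, so generate it on a trusted host, protect the `.p12` with a real passphrase, and delete the loose key file once the bundle is imported. And OpenSSL 3.x writes PKCS#12 files with AES-256-CBC and PBKDF2 by default; an importer that only understands the older RC2/3DES encodings needs the bundle created with the `-legacy` option on `openssl pkcs12`.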
Application Firewall

Enable the Application Firewall checkbox on the Client DPI-SSL screen and enable Application Firewall on the Application Firewall > Policies screen.
1. Navigate to the DPI-SSL > Client SSL page
2.

Chapter 57: Configuring Server DPI-SSL Settings

DPI-SSL > Server SSL

This chapter contains the following sections:
• “DPI-SSL Overview” on pag.

The DPI-SSL feature is available in SonicOS Enhanced 5.6 and higher. The following table shows which platforms support DPI-SSL and the maximum number of concurrent connections on which the appliance can perform DPI-SSL inspection.

Configuring General Server DPI-SSL Settings

To enable Server DPI-SSL inspection, perform the following steps:
1. Navigate to the DPI-SSL > Server SSL page.
2. Select the Enable SSL Inspection checkbox.

• On the User Object/Group line, select a user object or group from the Exclude pulldown menu to exempt it from DPI-SSL inspection.

Note: The Include pulldown menu can be used to fine-tune the specified exclusion list.

Part 11: VoIP

Chapter 58: Configuring VoIP Support

VoIP Overview

This section provides an overview of VoIP. It contains the following sections:
• “What is Vo.

The same security threats that plague data networks today are inherited by VoIP, but the addition of VoIP as an application on the network makes those threats even more dangerous. By adding VoIP components to your network, you're also adding new security requirements.

H.323

H.323 is a standard developed by the International Telecommunications Union (ITU). It is a comprehensive suite of protocols for voice, video, and data communications between computers, terminals, network devices, and network services.

SonicWALL's VoIP Capabilities

The following sections describe SonicWALL's integrated VoIP service:
• “VoIP Security” on page 808
• .

VoIP Network

• VoIP over Wireless LAN (WLAN) - SonicWALL extends complete VoIP security to attached wireless networks with its Distributed Wireless Solution.

• Configurable inactivity timeouts for signaling and media - In order to ensure that dropped VoIP connections do not stay open indefinitely, SonicOS monitors the usage of signaling and media streams associated with a VoIP session.

– SIP INFO method (RFC 2976)
– Reliability of provisional responses in SIP (RFC 3262)
– SIP-specific event notification (RFC 3265)
– SIP UP.

CODECs

SonicOS supports media streams from any CODEC - Media streams carry audio and video signals that have been processed by a hardware/software CODEC (COder/DECoder) within the VoIP device.

How SonicOS Handles VoIP Calls

SonicOS provides an efficient and secure solution for all VoIP call scenarios. The following are examples of how SonicOS handles VoIP call flows.

Incoming Calls

The following figure shows the sequence of events that occurs during an incoming call.

11. VoIP server returns phone B media IP information to phone A - Phone A now has enough information to begin exchanging media with Phone B. Phone A does not know that Phone B is behind a firewall, as it was given the public address of the firewall by the VoIP Server.

VoIP Settings

6. Phone A and phone B directly exchange audio/video/data - The SonicWALL security appliance routes traffic directly between the two phones over the LAN.

General VoIP Configuration

SonicOS includes the VoIP configuration settings on the VoIP > Settings page. This page is divided into three configuration settings sections: General Settings, SIP Settings, and H.

Configuring SIP Settings

By default, SIP clients use their private IP address in the Session Description Protocol (SDP) messages that are sent to the SIP proxy.

The Additional SIP signaling port (UDP) for transformations setting allows you to specify a non-standard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060.
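The SIP transformation the two preceding paragraphs refer to exists because SIP carries addresses in its payload: a phone behind NAT writes its private address into the Via and Contact headers and into the SDP body (the c= connection line and the m= media port), and the remote party cannot reach any of them. The Python below is an added example, not SonicOS's SIP transformation code, that shows what such a transformation does to an INVITE: it rewrites the private address and ports in exactly those places to the firewall's public address and NAT-mapped ports, recomputes Content-Length, and leaves Call-ID alone because it is an opaque dialog identifier, not an address. It also extracts the media endpoints from the SDP, which is the information a firewall needs to open only the RTP pinhole the call actually uses. The INVITE, the addresses and the port mapping are constructed.

```python
import re

PRIVATE_IP = "192.168.1.20"                  # constructed: the phone's LAN address
PUBLIC_IP = "203.0.113.10"                   # constructed: the firewall's WAN address
PORT_MAP = {5060: 5060, 49170: 20000}        # hypothetical NAT bindings, private port -> public port


def build_sample_invite():
    """Constructed SIP INVITE with an SDP offer, as a LAN phone would send it to an external proxy."""
    body = "\r\n".join([
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {PRIVATE_IP}",
        "s=-",
        f"c=IN IP4 {PRIVATE_IP}",
        "t=0 0",
        "m=audio 49170 RTP/AVP 0",
    ]) + "\r\n"
    headers = [
        "INVITE sip:bob@sip.example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@sip.example.net>;tag=1928301774",
        "To: <sip:bob@sip.example.net>",
        f"Call-ID: a84b4c76e66710@{PRIVATE_IP}",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:alice@{PRIVATE_IP}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def sdp_media_endpoints(body):
    """Return [(ip, port)] for every m= line, using the most recent c= line as its address."""
    connection, endpoints = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            connection = line.split()[2]
        elif line.startswith("m="):
            endpoints.append((connection, int(line.split()[1])))
    return endpoints


def transform_sip(message, private_ip, public_ip, port_map):
    """Rewrite private address/ports in Via, Contact and the SDP body; fix Content-Length."""
    head, _, body = message.partition("\r\n\r\n")

    def to_public(match):
        port = int(match.group(1))
        return f"{public_ip}:{port_map.get(port, port)}"

    headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].lower()
        if name in ("via", "contact"):        # Call-ID also holds the IP but must stay untouched
            line = re.sub(re.escape(private_ip) + r":(\d+)", to_public, line)
        headers.append(line)

    sdp = []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            parts = line.split()
            parts[1] = str(port_map.get(int(parts[1]), int(parts[1])))
            line = " ".join(parts)
        sdp.append(line)
    new_body = "\r\n".join(sdp)

    headers = [f"Content-Length: {len(new_body.encode())}" if h.lower().startswith("content-length:") else h
               for h in headers]
    return "\r\n".join(headers) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    print(transform_sip(build_sample_invite(), PRIVATE_IP, PUBLIC_IP, PORT_MAP))
```

The endpoint list is the part worth keeping in mind when reading the later advice not to select the broad VoIP service: a transformation that tracks c= and m= knows the one address and port pair a call needs, which is what lets the firewall open a single pinhole rather than a fixed range.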
Bandwidth Management

SonicOS offers an integrated traffic shaping mechanism through its Egress (outbound) and Ingress (inbound) management interfaces.

Configuring Bandwidth on the WAN Interface

BWM configurations begin by enabling BWM on the relevant WAN interface, and specifying the available bandwidth on the interface in Kbps.

To configure Bandwidth Management on the SonicWALL security appliance:
Step 1 Select Network > Interfaces.
Step 2 Click the Edit icon in the Configure column in the WAN (X1) line of the Interfaces table.

Note: You must select Bandwidth Management on the Network > Interfaces page for the WAN interface before you can configure bandwidth management for network access rules.

Step 13 Select Bandwidth Management, and enter the Guaranteed Bandwidth in Kbps.
Step 14 Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field.
Step 15 Assign a priority from 0 (highest) to 7 (lowest) in the Bandwidth Priority list.

Note: SonicWALL recommends NOT selecting VoIP from the Services menu. Selecting this option opens more TCP/UDP ports than are required, needlessly widening the exposed attack surface; select only the specific SIP or H.323 services the deployment uses.

• Server Address Objects - The wizard creates the address object for the new server. Because the IP address of the server added in the example is in the IP address range assigned to the LAN zone, the wizard binds the address object to the LAN zone.

Generic Deployment Scenario

All three of the following deployment scenarios begin with the following basic configuration procedure:
Step 1 Enable bandwidth management on the WAN interface on Network > Interfaces.

See the “Using the Public Server Wizard” section for information on configuring this deployment.

Deployment Scenario 2: Public VoIP Service

The Public VoIP Service deployment uses a VoIP service provider, which maintains the VoIP server (either a SIP Proxy Server or H.

VoIP Call Status

Deployment Scenario 3: Trusted VoIP Service

The organization deploys its own VoIP server on a DMZ or LAN to provide in-house VoIP services that are accessible to VoIP clients on the Internet or from local network users behind the security gateway.

• Called IP
• Caller-ID
• Protocol
• Bandwidth
• Time Started

Click Flush All to remove all VoIP call entries.

Part 12: Anti-Spam

Chapter 59: Configuring Anti-Spam

Anti-Spam

This chapter describes how to activate, configure, and manage the Comprehensive Anti-Spam Service on a SonicWALL UTM appliance.

What is Anti-Spam?

The Anti-Spam feature provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and anti-virus capabilities to your existing SonicWALL UTM appliance.

• Better protection for users from phishing attacks

How Does the Anti-Spam Service Work?

This section describes the Anti-Spam feature, including the SonicWALL GRID Network, and how it interacts with SonicOS as a whole.

Only if the IP address passes all of these tests does the SonicWALL UTM appliance allow that server to make a connection and transfer mail. If the IP address does not pass the tests, SonicOS answers the requesting server with a message indicating that there is no SMTP server.

Objects Created When the Anti-Spam Service Is Enabled

This section provides an example of the type of rules and objects generated automatically as Firewall Access Rules, NAT Policies and Service Objects.

Figure 59:16 Generated NAT Policies. The rows outlined in red are the policies generated when Anti-Spam is activated. The row outlined in green is the default policy that Anti-Spam creates if there are no existing mail server policies.

Purchasing an Anti-Spam License

• Anti-Spam License for the UTM
• One of the following Microsoft Windows Servers:
– Windows Server 2003 (32-bit)
– Windo.

Purchasing an Anti-Spam license for the firewall can be done directly through mySonicWALL.com or through your reseller.

Note: Your UTM appliance must be registered with mySonicWALL.com before use.

Anti-Spam > Status

The status page also includes the Email Stream Diagnostics Capture section. Start the capture to create an application-formatted report on the SMTP-related traffic passing through your SonicWALL UTM appliance.

Anti-Spam > Settings

Once you have registered Anti-Spam for UTM, activate it to start your UTM appliance-level protection from spam, phishing, and virus messages.
Step 1 Navigate to the Anti-Spam menu item in the navigation bar.

If you are using more than one domain, choose the Multiple Domains option and contact SonicWALL or your SonicWALL reseller for more information. User-defined Access Lists designate which clients are allowed to connect to deliver email.

Installing the Junk Store

Anti-Spam for UTM can create a Junk Store on your Microsoft Exchange Server. The Junk Store quarantines messages for end-user analysis and provides statistics.

Step 7 Navigate to the Anti-Spam > Status page and verify that the SonicWALL Junk Store is Operational. It typically takes about 15 minutes for the Junk Store to become operational.

Anti-Spam > Statistics

Anti-Spam > Real-Time Black List Filter

RBL list providers publish their lists using DNS. Blacklisted IP addresses appear in the database of the list provider's DNS domain, using the inverted (reversed-octet) IP address of the SMTP server in question as a prefix to the domain name.

When Enable Real-time Black List Blocking is enabled on the Anti-Spam > RBL Filter page, inbound connections from .

Adding RBL Services

You can add additional RBL services in the Real-time Black List Services section.
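The DNS mechanism the RBL section describes is standardized in RFC 5782: the connecting SMTP server's address is reversed, appended to the list's zone, and looked up as an A record; an answer inside 127.0.0.0/8 means "listed" (the low octet is provider-specific), and NXDOMAIN means "not listed". The Python below is an added example, not the appliance's own RBL code, that builds the query name for IPv4 and IPv6 addresses, interprets the answer, and performs the RFC 5782 sanity check a practitioner wants before trusting an added list: the zone must list the test address 127.0.0.2 and must not list 127.0.0.1, since a discontinued list that answers positively for everything would otherwise reject all inbound mail. The zone name `rbl.example.net` and its answers are constructed so the code runs offline; `live_resolver` does a real lookup when one is wanted.

```python
import ipaddress
import socket


def rbl_query_name(address, zone):
    """DNSBL lookup name: reversed octets (IPv4) or reversed nibbles (IPv6) under the list's zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def is_listed(answers):
    """Any A record inside 127.0.0.0/8 means 'listed'; the exact value is provider-defined."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def zone_is_sane(zone, resolver):
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (is_listed(resolver(rbl_query_name("127.0.0.2", zone)))
            and not is_listed(resolver(rbl_query_name("127.0.0.1", zone))))


def check_sender(address, zone, resolver):
    """Decide whether the connecting SMTP server `address` is listed in `zone`."""
    name = rbl_query_name(address, zone)
    answers = resolver(name)
    return {"query": name, "listed": is_listed(answers), "answers": answers}


def live_resolver(name):
    """Real DNS lookup; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed offline data: a hypothetical zone in which 1.2.3.4 is listed with return code 127.0.0.2.
SAMPLE_ZONE = "rbl.example.net"
SAMPLE_ANSWERS = {
    "4.3.2.1.rbl.example.net": ["127.0.0.2"],
    "2.0.0.127.rbl.example.net": ["127.0.0.2"],   # the RFC 5782 'must be listed' test entry
}


def offline_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    print("zone sane:", zone_is_sane(SAMPLE_ZONE, offline_resolver))
    print(check_sender("1.2.3.4", SAMPLE_ZONE, offline_resolver))
    print(check_sender("198.51.100.7", SAMPLE_ZONE, offline_resolver))
```

Swap `offline_resolver` for `live_resolver` to run the same check against a real list. Note that every lookup discloses the address of each connecting mail server to the list operator, and that the appliance's verdict depends entirely on the operator's data, which is why the sanity check and a review of each added provider belong in the change procedure.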
Anti-Spam > Junk Box Summary

The Junk Store sends an email message to users listing all the messages that have been placed in their Junk Box.

Anti-Spam > Junk Box View

On the Anti-Spam > Junk Box View page, you can view, search, and manage all email messages that are currently in the Junk Store on the Exchange or SMTP server.

Click the Go button to perform the search. The results are displayed in the bottom section of the page.

Anti-Spam > Junk Box Settings

The Junk Box Settings page allows the Administrator to set the length of time that messages are stored in the Junk Box before being deleted and the number of Junk Box messages to be displayed per page.

Anti-Spam > Address Books

Address Book

To allow users to see their own Address Book in the navigation toolbar, select the Address Books toolbar from the User View Setup section.

Allowed Lists

To add a sender to the Corporate Allowed List, navigate to the Allowed tab, then click the Add button. A dialog box is displayed where you select the list type: People, Companies, or Lists.

Blocked Lists

To add a sender to the Corporate Blocked List, navigate to the Blocked tab, then click the Add button. A dialog box is displayed where you select the list type: People or Companies.

Anti-Spam > Manage Users

The Users page allows the Administrator to add, remove, and manage all users, both on the Global and LDAP servers. For more information regarding LDAP configuration, refer to the “Anti-Spam > LDAP Configuration” section on page 857.

Adding Users

To add a user to the Global or LDAP Server, click the Add button. Enter the Primary Address of the user, select which server the user belongs to from the Using Source dropdown menu, then enter any Aliases.

Anti-Spam > LDAP Configuration

• Port Number — The port number of the LDAP Server. The default port number is 389. Port 389 carries LDAP in cleartext unless TLS is negotiated on it, so the bind credentials configured here travel unprotected unless the directory is reached over a protected channel.
• LDAP Server Type — Choose from the dropdown list of servers: Active Directory, Lotus Domino, Exchange 5.

• Directory Node to Begin Search — Specify a full LDAP directory path that points toward a node containing the information for all groups in the directory.
• Filter — Specify an LDAP filter to easily find and identify users and mailing lists on the server.

5. Add the NetBIOS domain name(s) to the Domains section, separating multiple domains with a comma.
6. Click Save Changes to finish.

Conversion Rules

On certain LDAP servers, such as Lotus Domino, some valid email addresses do not appear in the LDAP.

Anti-Spam > Advanced

The Advanced page allows the Administrator to download system or log files, as well as configure the log level.

Download System/Log Files

You can download log files or system configuration files from your SonicWALL Email Security server.

Anti-Spam > Downloads

The Downloads page allows the Administrator to download and install one of SonicWALL's latest spam-blocking buttons on your desktop.

Part 13: VPN

Chapter 60: Configuring VPN Policies

VPN > Settings

The VPN > Settings page provides the SonicWALL features for configuring your VPN policies. You can configure site-to-site VPN policies and GroupVPN policies from this page.

Prior to the invention of Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL), secure connections between remote computers or networks required a dedicated line or satellite link. This was both inflexible and expensive.

One advantage of SSL VPN is that SSL is built into most Web browsers. No special VPN client software or hardware is required.

Note: SonicWALL makes SSL VPN devices that you can use in concert with or independently of a SonicWALL UTM appliance running SonicOS.

Aggressive Mode: To reduce the number of messages exchanged during authentication by half, the negotiation of which cryptographic algorithm to use is eliminated. Because the peers' identities and authentication hashes are exchanged before the channel is encrypted, Aggressive Mode reveals more to an eavesdropper than Main Mode, which matters most when the peers authenticate with a preshared secret. The initiator proposes one algorithm and the responder replies if it supports that algorithm:
1.

Initialization and Authentication in IKEv2

IKEv2 initializes a VPN tunnel with a pair of message exchanges (two message/response pairs).

(DSL or cable) or dialup Internet access can securely and easily access your network resources with the SonicWALL Global VPN Client and SonicWALL GroupVPN on your SonicWALL.

– E-Mail ID
– Domain name.
• Peer ID Filter if using 3rd party certificates.
• IKE (Phase 1) Proposal:
– DH Group:
• Group 1
• Group 2
• Group 5

Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2.

Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2. They are incompatible with DH Groups 1 and 5.

• Certificate, if selected on the security appliance:
• User's user name and password if XAUTH is required on the security appliance.

Site-to-Site VPN Planning Checklist

On the Initiator

Typically, the request for an IKE VPN SA is made from the remote site.

• Domain name
• IP Address (IPv4)
– Peer IKE ID:
• Local Networks: Choose local network from list (select an address object): Local netw.

• AH
– Encryption:
• DES
• 3DES
• AES-128
• AES-192
• AES-256
• None
– Authentication:
• MD5
• SHA1
• None
– Enabl.

• Name of this VPN:
• IPsec Primary Gateway Name or Address: not required on the responder
• IPsec Secondary Gateway Name or Address: no.

VPN Policy Wizard

The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN or site-to-site VPN policies on the SonicWALL security appliance. After completing the configuration, the wizard creates the necessary VPN settings for the selected policy.

• Configure: Clicking the Edit icon allows you to edit the VPN policy. Clicking the Delete icon allows you to delete the VPN policy. The predefined GroupVPN policies cannot be deleted, so their Delete icons are dimmed.

• Packets Out: The number of packets sent out from this tunnel.
• Bytes In: The number of bytes received from this tunnel.
• Bytes Out: The number of bytes sent out from this tunnel.
• Fragmented Packets In: The number of fragmented packets received from this tunnel.

Configuring GroupVPN with IKE using Preshared Secret on the WAN Zone

To configure the WAN GroupVPN, follow these steps:
Step 1 Click the edit icon for the WAN GroupVPN entry. The VPN Policy window is displayed.

Step 4 In the IKE (Phase 1) Proposal section, use the following settings:
– Select the DH Group from the DH Group menu.

Note: The Windows 2000 L2TP client and Windows XP L2TP client can only work with DH Group 2.

– Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.

– Allow Unauthenticated VPN Client Access - Allows you to enable unauthenticated VPN client access. If you uncheck Require Authentication of VPN Clients via XAUTH, the Allow Unauthenticated VPN Client Access menu is activated.

• DHCP Lease - The Virtual Adapter will obtain its IP configuration from the DHCP Server only, as configured on the VPN > DHCP over VPN page.

Configuring GroupVPN with IKE using 3rd Party Certificates

To configure GroupVPN with IKE using 3rd Party Certificates, follow these steps:

Caution: Before configuring GroupVPN with IKE using 3rd Party Certificates, your certificates must be installed on the SonicWALL.

(L=), and vary with the issuing Certificate Authority. The actual Subject Distinguished Name field in an X.509 Certificate is a binary object which must be converted to a string for matching purposes.

compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPsec tunnel, the SonicWALL looks up a route for the LAN.

– Allow Connections to - Client network traffic matching destination networks of each gateway is sent through the VPN tunnel of that specific gateway.
• This Gateway Only - Allows a single connection to be enabled at a time.

Exporting a VPN Client Policy

If you want to export the Global VPN Client configuration settings to a file for users to import into their Global VPN Clients, follow these instructions:

Caution: The GroupVPN SA must be enabled on the SonicWALL to export a configuration file.

Site-to-Site VPN Configurations

When designing VPN connections, be sure to document all pertinent IP addressing information and create a network diagram to use as a reference. A sample planning sheet is provided on the next page.

Configuring a VPN Policy with IKE using Preshared Secret

To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below:
Step 1 Click Add on the VPN > Settings page. The VPN Policy window is displayed.

Optionally, specify a Local IKE ID and Peer IKE ID for this Policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWALL Identifier (ID_USER_FQDN) is used for Aggressive Mode.
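The identifiers named in the preceding paragraph, ID_IPV4_ADDR and ID_USER_FQDN, are ID types from the IKEv1 Identification payload (RFC 2408 section 3.8, types assigned in RFC 2407 section 4.6.2.1), and a Peer IKE ID setting is a policy about what that payload must contain when the remote side sends it. The Python below is an added example, not SonicOS code, that encodes and decodes that payload on the wire, picks the default local identity the page describes for each negotiation mode, and checks a received payload against a configured peer ID. Case-insensitive comparison of FQDN-style identities is an assumption of this example, and the addresses and names are placeholders.

```python
import ipaddress
import struct

# IKEv1 Identification Payload ID types (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQ DN_PLACEHOLDER = 1, 2, None  # noqa: placeholder removed below
```
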
Destination network obtains IP addresses using DHCP server through this tunnel. Alternatively, select Choose Destination network from list, and select the address object or group.
Step 10 Click Proposals.

– If you selected Main Mode or Aggressive Mode in the Proposals tab:
• Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel.

• If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet, for example, if you configured the .

• To manage the local SonicWALL through the VPN tunnel, select HTTP, HTTPS, or both from Management via this SA. Select HTTP, HTTPS, or both in User login via this SA to allow users to log in using the SA.

Step 5 Click the Network tab.
Step 6 Select a local network from Choose local network from list if a specific local network can access the VPN tunnel. If traffic can originate from any local network, select Any Address.

Note: The values for Protocol, Phase 2 Encryption, and Phase 2 Authentication must match the values on the remote SonicWALL.
Step 10 Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default value.

– If you have an IP address for a gateway, enter it into the Default LAN Gateway (optional) field.
– Select an interface from the VPN Policy bound to menu.
Step 13 Click OK.
Step 14 Click Accept on the VPN > Settings page to update the VPN Policies.

Tip: Valid hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f. 1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an incorrect encryption key, an error message is displayed at the bottom of the browser window. For a production tunnel, do not keep a default or example key: generate the key randomly, and where the remote peer supports it prefer a stronger algorithm than DES or ARCFour, both of which are considered weak by current standards.

Configuring a VPN Policy with IKE using a Third Party Certificate

Warning: You must have a valid certificate from a third party Certificate Authority installed on your SonicWALL before you can configure your VPN policy with IKE using a third party certificate.
VPN > Settings 902 SonicOS 5.8.1 Administrator Guide – Distinguished Name - Based on the certificates S ubject Distinguished Name field, which is contained in all certificates b y defaul t.
VPN > Settings 903 SonicOS 5.8.1 Administrator Guide Ste p 11 Click the Proposals tab. Step 12 In the IKE (Phase 1) Proposal section, select the following settings: – Select Main Mode or Aggressive Mode from the Exchange menu. – Select the desired DH Group from the DH Group menu.
VPN > Settings 904 SonicOS 5.8.1 Administrator Guide – Enter a value in the Life Time (seconds) field. The default setting of 28800 forces the tunnel to renegotiate and exchange keys every 8 hours.
VPN > Settings 905 SonicOS 5.8.1 Administrator Guide – T o manage the remote SonicW ALL through the VPN tunnel, select HTTP , HTTPS , or both from Management via this SA . Select HTTP , HTTPS , or both in the User login via this SA to allow user s to login using the SA.
VPN > Settings 906 SonicOS 5.8.1 Administrator Guide Not only does Route Based VPN make configuri ng and maint aining the VPN policy easier , a major advantage of the Route Based VPN feature is that it provides flex ibility on how traffic is routed.
VPN > Settings 907 SonicOS 5.8.1 Administrator Guide Ste p 3 Next, navigate to the Proposal tab and configure the IKE and IPSec proposals for the tunnel negotiation. Ste p 4 Navigate to the Advanced tab to configure the advanced proper ties for the T unnel Inter face.
VPN > Settings 908 SonicOS 5.8.1 Administrator Guide • Enable T ran sport Mode - Forces the IPsec negotiation to use Transport mode instead of T unnel Mode.
VPN > Settings 909 SonicOS 5.8.1 Administrator Guide Route Entries for Different Network Segments After a tunnel interface is created, multiple r oute entries can be confi gured to use the same tunnel interface for diff erent net works. This provides a mechanism to modify the n etwork topology without making any c hanges to the tunnel interface.
VPN > Settings 910 SonicOS 5.8.1 Administrator Guide Creating a Static Route for Drop Tunnel Interface T o add a static route for drop tunnel interface, navigate to Network > Routing > Routing Policies .
VPN > Settings 911 SonicOS 5.8.1 Administrator Guide are addresses using address spaces that can eas ily be supernetted. For example, assume we wanted to provide access to/from the LAN and DMZ at the hub site to one sub net at each of 2,000 remote sites, addressed as follows: remoteSubnet0=Network 10.
Chapter 61: Configuring Advanced VPN Settings
VPN > Advanced
The VPN > Advanced page includes optional settings that affect all VPN policies.
Advanced VPN Settings
• Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the SonicWALL.
– Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.
Note: Password updates can only be done by LDAP when using Active Directory with TLS and binding to it using an administrative account, or when using Novell eDirectory.
• IKEv2 Dynamic Client Proposal - SonicOS Enhanced firmware versions 4.
Online Certificate Status Protocol determines the current status of a digital certificate without using a CRL. OCSP enables the client or application to directly determine the status of an identified digital certificate.
Using OCSP with VPN Policies
The SonicWALL OCSP settings can be configured on a policy level or globally. To configure OCSP checking for individual VPN policies, use the Advanced tab of the VPN Policy configuration page.
Chapter 62: Configuring DHCP Over VPN
VPN > DHCP over VPN
The VPN > DHCP over VPN page allows you to configure a SonicWALL security appliance to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel.
Configuring the Central Gateway for DHCP Over VPN
To configure DHCP over VPN for the Central Gateway, use the following steps:
1. Select VPN > DHCP over VPN.
2. Select Central Gateway from the DHCP Relay Mode menu.
Configuring DHCP over VPN Remote Gateway
1. Select Remote Gateway from the DHCP Relay Mode menu.
Devices
9. To configure devices on your LAN, click the Devices tab.
10. To configure Static Devices on the LAN, click Add to display t.
Tip: If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, i.
Chapter 63: Configuring L2TP Server
VPN > L2TP Server
The SonicWALL security appliance can terminate L2TP-over-IPsec connections from incoming Microsoft Windows 2000 and Windows XP clients.
Configuring the L2TP Server
The VPN > L2TP Server page provides the settings for configuring the SonicWALL security appliance as an L2TP Server. To configure the L2TP Server, follow these steps:
1.
Currently Active L2TP Sessions
• User Name - The user name assigned in the local user database or the RADIUS user database.
• PPP IP - The source IP address of the connection.
• Zone - The zone used by the L2TP client.
Part 14: SSL VPN
Chapter 64: SSL VPN
SSL VPN
This chapter provides information on how to configure the SSL VPN features on the SonicWALL security appliance. SonicWALL's SSL VPN features provide secure remote access to the network using the NetExtender client.
SSL VPN NetExtender Overview
This section provides an introduction to the SonicOS Enhanced SSL VPN NetExtender feature.
Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender from their PC's Start > Programs menu and configure NetExtender to launch when Windows boots.
NetExtender provides three options for configuring proxy settings:
• Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically.
Configuring Users for SSL VPN Access
In order for users to be able to access SSL VPN services, they must be assigned to the SSL VPN Services group. Users who attempt to log in through the Virtual Office who do not belong to the SSL VPN Services group will be denied access.
Configuring SSL VPN Access for RADIUS Users
To configure RADIUS users for SSL VPN access, you must add the users to the SSL VPN Services user group. To do so, perform the following steps:
Step 1 Navigate to the Users > Settings page.
SSL VPN > Status
The SSL VPN > Status page displays a summary of active NetExtender sessions, including the name, the PPP IP address, the physical IP address, login time, length of time logged in and logout time.
SSL VPN > Server Settings
The SSL VPN > Server Settings page is used to configure details of the SonicWALL security appliance's behavior as an SSL VPN server. The following options can be configured on the SSL VPN > Server Settings page.
SSL VPN > Portal Settings
The SSL VPN > Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website that users log in to in order to launch NetExtender.
The Customized Logo field is used to display a logo other than the SonicWALL logo at the top of the Virtual Office portal. Enter the URL of the logo in the Customized Logo field. The logo must be in GIF format of size 155 x 36, and a transparent or light background is recommended.
Configuring the SSL VPN Client Address Range
The SSL VPN Client Address Range defines the IP address pool from which addresses will be assigned to remote users during NetExtender sessions.
Configuring NetExtender Client Settings
NetExtender client settings are configured on the bottom of the SSL VPN > Client Settings page. The following settings customize the behavior of NetExtender when users connect and disconnect.
SSL VPN > Client Routes
The SSL VPN > Client Routes page allows the administrator to control the network access allowed for SSL VPN users.
To configure SSL VPN NetExtender users and groups for Tunnel All Mode, perform the following steps.
Step 1 Navigate to the Users > Local Users or Users > Local Groups page.
Step 2 Click on the Configure button for an SSL VPN NetExtender user or group.
SSL VPN > Virtual Office
The SSL VPN > Virtual Office page displays the Virtual Office web portal inside of the SonicOS UI.
• One of the following browsers:
– Internet Explorer 6.0 and higher
– Mozilla Firefox 1.5 and higher
• To initially install the NetExtender client, the user must be logged in to the PC with administrative privileges.
• “Uninstalling NetExtender” section on page 963
• “Verifying NetExtender Operation from the System Tray” section on pa.
Installing NetExtender Using the Mozilla Firefox Browser
To use NetExtender for the first time using the Mozilla Firefox browser, perform the following:
Step 1 Navigate to the IP address of the SonicWALL security appliance.
Step 8 When NetExtender completes installing, the NetExtender Status window displays, indicating that NetExtender successfully connected.
Note: It may be necessary to restart your computer when installing NetExtender on Windows Vista.
Internet Explorer Prerequisites
It is recommended that you add the URL or domain name of your SonicWALL security appliance to Internet Explorer's trusted sites list.
Installing NetExtender from Internet Explorer
To install and launch NetExtender for the first time using the Internet Explorer browser, perform the following:
Step 1 Navigate to the IP address of the SonicWALL security appliance.
Step 4 Click Instructions to add SSL VPN server address into trusted sites for help.
Step 5 In Internet Explorer, go to Tools > Internet Options.
Step 6 Click on the Security tab.
Step 8 Enter the URL or domain name of your SonicWALL security appliance in the Add this Web site to the zone field and click Add.
Step 9 Click OK in the Trusted Sites and Internet Options windows.
Step 12 If a warning message that NetExtender has not passed Windows Logo testing is displayed, click Continue Anyway. SonicWALL testing has verified that NetExtender is fully compatible with Windows Vista, XP, 2000, and 2003.
Launching NetExtender Directly from Your Computer
After the first access and installation of NetExtender, you can launch NetExtender directly from your computer without first navigating to the SSL VPN portal.
Configuring NetExtender Preferences
Complete the following procedure to configure NetExtender preferences:
Step 1 Right click on the icon in the system tray and click on Preferences.
Step 5 To have NetExtender automatically connect when you start your computer, check the Automatically connect with Connection Profile checkbox and select the appropriate connection profile from the pulldown menu.
Configuring NetExtender Connection Scripts
SonicWALL SSL VPN provides users with the ability to run batch file scripts when NetExtender connects and disconnects.
Configuring Batch File Commands
NetExtender Connection Scripts can support any valid batch file commands. For more information on batch files, see the following Wikipedia entry: http://en.
Configuring Proxy Settings
SonicWALL SSL VPN supports NetExtender sessions using proxy configurations.
– Use proxy server - Select this option to enter the Address and Port of the proxy server. Optionally, you can enter an IP address or domain in the BypassProxy field to allow direct connections to those addresses that bypass the proxy server.
To save the log, either click the Export icon or go to Log > Export. To filter the log to display entries from a specific duration of time, go to the Filter menu and select the cutoff threshold.
Disconnecting NetExtender
To disconnect NetExtender, perform the following steps:
Step 1 Right click on the NetExtender icon in the system tray to display the NetExtender icon menu and click Disconnect.
Verifying NetExtender Operation from the System Tray
To view options in the NetExtender system tray, right click on the NetExtender icon in the system tray. The following are some tasks you can perform with the system tray.
Installing NetExtender on MacOS
SonicWALL SSL VPN supports NetExtender on MacOS. To use NetExtender on your MacOS system, your system must meet the following prerequisites:
• MacOS 10.
Step 5 When NetExtender is successfully installed and connected, the NetExtender status window displays.
Using NetExtender on MacOS
Step 1 To launch NetExtender, go to the Applications folder in the Finder and double click on NetExtender.
Step 7 When NetExtender is connected, the NetExtender icon is displayed in the status bar at the top right of your display. Click on the icon to display NetExtender options.
Step 8 To display a summary of your NetExtender session, click Connection Status.
Step 11 To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
Step 12 Click Save to save the diagnostic report using the default nx diag.
To install NetExtender on your Linux system, perform the following tasks:
Step 1 Navigate to the IP address of the SonicWALL security appliance. Click the link at the bottom of the Login page that says “Click here for sslvpn login.
Step 6 Launch the NetExtender .tgz file and follow the instructions in the NetExtender installer. The new netExtender directory contains a NetExtender shortcut that can be dragged to your desktop or toolbar.
Note: You must be logged in as root to install NetExtender, although many Linux systems will allow the sudo ./install command to be used if you are not logged in as root.
Step 10 To view the NetExtender routes, go to the NetExtender menu and select Routes.
Step 14 Click Add Bookmark. The Add Bookmark window displays. When user bookmarks are defined, the user will see the defined bookmarks from the SonicWALL SSL VPN Virtual Office home page.
Step 3 For the specific service you select from the Service drop-down list, additional fields may appear.
the RDP Java client on Windows is a native RDP client that supports Plugin DLLs by default. The Enable plugin DLLs option is not available for RDP - Java. See “Enabling Plugin DLLs” section on page 974.
Creating Bookmarks with Custom SSO Credentials
The administrator can configure custom Single Sign On (SSO) credentials for each user, group, or globally in RDP bookmarks.
• Themes
• Bitmap caching
If the Java client application is RDP 6, it also supports:
• Dual monitors
• Font smoothing
• Desktop composition
Note: RDP bookmarks can use a port designation if the service is not running on the default port.
Step 3 A window is displayed indicating that the Remote Desktop Client is loading. The remote desktop then loads in its own window. You can now access all of the applications and files on the remote computer.
Step 2 When the VNC client has loaded, you will be prompted to enter your password in the VNC Authentication window.
Step 3 To configure VNC options, click the Options button. The Options window is displayed.
Using Telnet Bookmarks
Step 1 Click on the Telnet bookmark.
Note: Telnet bookmarks can use a port designation for servers not running on the default port.
Step 2 Click OK to any warning messages that are displayed. A Java-based Telnet window launches.
Step 3 If the device you are Telnetting to is configured for authentication, enter your user name and password.
Tip: Some versions of the JRE may cause the SSH authentication window to pop up behind the SSH window.
Using SSHv2 Bookmarks
Note: SSH bookmarks can use a port designation for servers not running on the default port.
Step 3 Enter your password and click OK.
Step 4 The SSH terminal launches in a new screen.
Part 15: Virtual Assist
Chapter 65: Configuring Virtual Assist
Virtual Assist
This chapter contains the following sections:
• “Virtual Assist Overview” on page 985
•
The status of each customer includes whether the customer is currently receiving Virtual Assist support, or their position in the queue to receive support. The status screen can also provide a summary of each customer's issue, and the name of the assigned technician.
By setting a global assistance code for customers, you can restrict who enters the system to request help. The code can be a maximum of eight (8) characters, and can be entered in the Assistance Code field.
These variables can also be used in the “Invitation Message” field, where users can further customize the body of the invitation email by entering the desired text. The message can be a maximum length of 800 characters.
In the “Request Settings” screen section on the Virtual Assist > Settings screen, you can configure various settings related to support request limits.
Enter the “Source Address Type” and “IP Address” that you wish to deny support requests from. Click “OK” to submit the information. The newly blocked address will now appear in the “Deny Request From Defined Address” screen section.
The customer can download and install the VASAC from the customer login page if the option “Enable Support without Invitation” has been previously enabled by the administrator.
Once the technician has installed the VASAC, they can proceed to log in to Virtual Assist. The technician selects the “Technician” tab, fills in the required login parameters, and clicks the “Login” button.
Part 16: User Management
995 SonicOS 5.8.1 Administrator Guide CHAPTER 66 Chapter 66: Managing Users and Authentication Settings User Management This chapter describes the user management cap abilities of your SonicW ALL security appliance for locally and remotely authenticated us ers.
User Management 996 SonicOS 5.8.1 Administrator Guide SonicW ALL security appliances provide a mechanism for user level authentication that gives users access to the LAN from remote locations on the Internet as well as a means to enforce or bypass content filtering policies for LAN user s attempting to access the Internet.
User Management 997 SonicOS 5.8.1 Administrator Guide Creating entries for dozens of users and group s takes time, a lthough once the entries are in place they are not dif ficult to maintain. For networks with larg er numbers of users, user authentication using LDAP or RADIUS servers can be more efficient.
User Management 998 SonicOS 5.8.1 Administrator Guide Y ou can also add or edit local groups. The configur able settings for group s include the following: • Group settings - For administrator group s, you can configure SonicOS to allow login to the management interface without activa ting the login st atus popup window .
User Management 999 SonicOS 5.8.1 Administrator Guide Using LDAP / Active Director y / eDirectory Authentication Lightweight Directory Access Prot ocol (LDAP) defines a directory services structure for storing and managing information about elements in your netwo rk, such as user account s, user groups, hosts, and ser vers.
User Management 1000 SonicOS 5.8.1 Administrator Guide SonicOS Enhanced provides support for directory servers running the following protocols: • LDAPv2 (RFC3494) • LDAPv3 (RFC2251-2256, RFC3377) .
User Management 1001 SonicOS 5.8.1 Administrator Guide Further Information on LDAP Schemas • Microsof t Active Directory : Schema information is available at http://msdn.microsoft.com/ library/default.asp?url=/libra ry/en-us/adschema/adschema/ active_directory_schema.
User Management 1002 SonicOS 5.8.1 Administrator Guide Single Sign-On Overview This section provides an introduction to t he SonicWALL SonicOS Enhanced Single Sign-On feature.
User Management 1003 SonicOS 5.8.1 Administrator Guide Benefits of SonicWALL SSO SonicW ALL SSO is a reliable and time-saving f eature that utilizes a si ngle login to provide access to multiple network resources bas ed on administrator-configured group memberships and policy matching.
User Management 1004 SonicOS 5.8.1 Administrator Guide The SonicW ALL SSO feature supports LDAP and local database protocols. SonicW ALL SSO supports SonicW ALL Director y Connector . SonicW ALL SSO can also interwork with ADConnector in an installation that includes a SonicW ALL CSM, but Directory Connector is recommended.
User Management 1005 SonicOS 5.8.1 Administrator Guide How Does Single Sign-On Work? SonicW ALL SSO requires minimal administrator configuration and is transp arent to the user .
User Management 1006 SonicOS 5.8.1 Administrator Guide SonicWALL SSO Authenticat ion Using the SSO Agent For users on individual Windows workstations, the SSO Agent (on the SSO workst ation) handles the authentication request s from the SonicW ALL appliance.
User Management 1007 SonicOS 5.8.1 Administrator Guide SonicWALL SSO Authentication Using the Terminal Services Agent For users logged in from a T erminal Services or Citrix server , the SonicW ALL TSA takes the place of the SSO Agent in the authentication proces s.
User Management 1008 SonicOS 5.8.1 Administrator Guide SonicWALL SSO Authentication Usin g Browser NTLM Authentication For users who are browsing using Mozilla-based brow sers (including Internet Explorer , Firefox, Chrome and Safari) the SonicW ALL appliance supports identifying them via NTLM (NT LAN Manager) authentication.
User Management 1009 SonicOS 5.8.1 Administrator Guide Note The shared key is generated in the SSO Agent and the key entered in the Son icW ALL security appliance during SS O configuration must match the SSO Agent-generated key exactly . The SonicW ALL security appliance queries the SonicW ALL SSO Agent over the default port 2258.
User Management 1010 SonicOS 5.8.1 Administrator Guide • User login denied - SSO Agent agent timeout – Attempts to cont act the SonicWALL SSO Agent have timed out. • User login denied - SSO Agent configuration error – The SSO Agent is not properly configured to allow access for this user .
User Management 1011 SonicOS 5.8.1 Administrator Guide How Does So nicWALL Termin al Services Agent Work? The SonicW ALL TSA can be installed on any Windo ws Serve r machine with T erminal Services or Citrix installed.
User Management 1012 SonicOS 5.8.1 Administrator Guide Multiple TSA Support T o accommodate large inst allations with thous ands of users, SonicW ALL network security appliances are configurable for operation with multiple terminal services agents (one per terminal server).
User Management 1013 SonicOS 5.8.1 Administrator Guide Connections to Local Subnets The TSA dynamically learns network topol ogy based on information returned from the appliance and, once learned, it will not send notifications to the appliance for subsequent user connections that do not go through the appliance.
User Management 1014 SonicOS 5.8.1 Administrator Guide • User group memberships can be set locally by duplicating LDAP user names (set in the LDAP configuration and applicable when t he user group m.
User Management 1015 SonicOS 5.8.1 Administrator Guide • Browsers on Non-PC Platf orms – Non-PC platfo rms such as Linux and Mac can access resources in a Windows domain through Samba, but do not have the concept of “logging the PC into the domain” as Windows PCs do.
User Management 1016 SonicOS 5.8.1 Administrator Guide How Does Multiple Admini strators Support Work? The following sections describe how the Mult iple Administrators Support feature works: • “Co.
User Management 1017 SonicOS 5.8.1 Administrator Guide User Groups The Multiple Administrators Support feat ure introduces two new default user gr oups: • SonicW ALL Administrators - Members of this group have full administrator access to edit the configuration.
User Management 1018 SonicOS 5.8.1 Administrator Guide 3. A user that is a member of the Li mited Administrators user group can only preempt other members of the Limited Administrators group.
User Management 1019 SonicOS 5.8.1 Administrator Guide Configuring Settings on Users > Settings On this page, you can configure the authenticat ion method required, global user settings, and an acceptable user po licy that is displayed to users when loggi ng onto your network.
Configuration instructions for the settings on this page are provided in the following sections: • “User Login Settings” on page 1020 •.
• Select Browser NTLM authentication only if you want to authenticate Web users without using the SonicWALL SSO Agent or TSA.
• Enable login session limit: you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field.
Auto-Configuration of URLs to Bypass User Authentication You can use the Auto-Configure utility to temporarily allow traffic from a single specified IP address to bypass authentication.
Tip Windows Updates access some destinations via HTTPS, and those can only be tracked by IP address.
Acceptable use policy page content - Enter your Acceptable Use Policy text in the text box. You can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation.
Customize Login Pages SonicOS now provides the ability to customize the text of the login authentication pages that are presented to users. Administrators can translate the login-related pages with their own wording and apply the changes so that they take effect without rebooting.
Note The "var strXXX =" lines in the template pages are customized JavaScript Strings. You can change them into your preferred wording. Modifications should follow the JavaScript syntax.
• “Editing Local Users” on page 1031 • “Importing Local Users from LDAP” on page 1031 Configuring Local User Settings The following g.
• In the expanded view, click the remove icon under Configure to remove the user from a group. • Click the edit icon under Configure to edit the user. • Click the delete icon under Configure to delete the user or group in that row.
• If you select a limited lifetime, select the Prune account upon expiration checkbox to have the user account deleted after the lifetime expires. Disable this checkbox to have the account simply be disabled after the lifetime expires.
Note Users must be members of the SSL VPN Services group before you can configure Bookmarks for them. Step 12 Click OK to complete the user configuration. Editing Local Users You can edit local users from the Users > Local Users screen.
To import users from the LDAP server: Step 1 In the Users > Settings page, set the Authentication Method to LDAP or LDAP + Local Users. Step 2 In the Users > Local Users page, click Import from LDAP.
Step 3 In the LDAP Import Users dialog box, you can select individual users or select all users. To select all users in the list, select the Select/deselect all checkbox at the top of the list.
• To remove certain users from the list on the basis of their location in the LDAP directory, select the All users <field1> <field2> radio button. In the first field, select either at or at or under from the drop-down list.
A default group, Everyone, is listed in the table. Click the edit icon in the Configure column to review or change the settings for Everyone.
Note For one-time password capability, remote users can be controlled at the group level. LDAP users’ email addresses are retrieved from the server when original authentication is done.
Note You can configure SSL VPN Access Lists for numerous users at the group level. To do this, build an Address Object on the Network > Address Objects management interface, such as for a public file server that all users of a group need access to.
Importing Local Groups from LDAP You can configure local user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import from LDAP... button launches a dialog box containing the list of user group names available for import to the SonicWALL.
Step 3 In the LDAP Import User Groups dialog box, optionally select the checkbox for groups that you do not want to import, and then click Remove from list. Step 4 To undo all changes made to the list of groups, click Undo and then click OK in the confirmation dialog box.
• With L2TP, the relevant RADIUS protocol is automatically selected according to the PPP protocol being used. • With VPN including Global VPN Client, RADIUS MSCHAP/MSCHAPv2 mode can be forced to allow password updating.
RADIUS Servers In the RADIUS Servers section, you can designate the primary and, optionally, the secondary RADIUS server. An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network.
RADIUS Users Settings To configure the RADIUS user settings: Step 1 On the RADIUS Users tab, select Allow only users listed locally if only the users listed in the SonicWALL database are authenticated using RADIUS.
Step 3 In the Members tab, select the members of the group. Select the users or groups you want to add in the left column and click the -> button. Click Add All to add all users and groups. Note You can add any group as a member of another group except Everybody and All RADIUS Users.
RADIUS with LDAP for user groups When RADIUS is used for user authentication, there is an option on the RADIUS Users page in the RADIUS configura.
RADIUS Client Test In the RADIUS Configuration dialog box, you can test your RADIUS Client user name, password and other settings by typing in a valid user name and password and selecting one of the authentication choices for Test.
Configuring LDAP Integration in SonicOS Enhanced Integrating your SonicWALL appliance with an LDAP directory service requires configuring your .
Exporting the CA Certificate from the Active Directory Server To export the CA certificate from the AD server: Step 1 Launch the Certification Authority application: Start > Run > certsrv.
Step 5 On the Settings tab of the LDAP Configuration window, configure the following fields: • Name or IP Address – The FQDN or the IP address of the LDAP server against which you wish to authenticate.
• The domain components all use “dc=” If the “User tree for login to server” field is given as a dn, you can also select this option if the bind dn conforms to the first bullet above, but not to the second and/or the third bullet.
• Local certificate for TLS – Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (Active Directory does not return passwords).
• Login name attribute – Select one of the following to define the attribute that is used for login authentication: – sAMAccountName for M.
Step 7 On the Directory tab, configure the following fields: • Primary Domain – The user domain used by your LDAP implementation. For AD, this will be the Active Directory domain name, e.g. yourADdomain.
Note AD has some built-in containers that do not conform (e.g. the DN for the top level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format.
If using multiple LDAP/AD servers with referrals, this process can be repeated for each, replacing the Domain to search value accordingly and selecting Append to existing trees on each subsequent run.
Step 9 On the LDAP Users tab, configure the following fields: • Allow only users listed locally – Requires that LDAP users also be present in the SonicWALL local user database for logins to be allowed.
• Import users – You can click this button to configure local users on the SonicWALL by retrieving the user names from your LDAP server. The Import users button launches a window containing the list of user names available for import to the SonicWALL.
• Import user groups – You can click this button to configure user groups on the SonicWALL by retrieving the user group names from your LDAP server. The Import user groups button launches a window containing the list of user group names available for import to the SonicWALL.
Step 10 On the LDAP Relay tab, configure the following fields: The RADIUS to LDAP Relay feature is designed for use in a topology where there is .
• User groups for legacy users with Internet access – Defines the user group that corresponds to the legacy ‘Allow Internet access (when access is restricted)’ privileges.
This change in default authentication protocol order, combined with the iOS behavior of accepting the first supported authentication protocol, means that SonicOS and iOS devices will default to using RADIUS authentication (because Active Directory does not support CHAP, MS-CHAP, or MS-CHAPv2).
The following sections describe how to configure SSO: • “Installing the SonicWALL SSO Agent” on page 1062 • “Installing the SonicWAL.
Installing the SonicWALL SSO Agent The SonicWALL SSO Agent is part of the SonicWALL Directory Connector.
Step 5 Select the destination folder. To use the default folder, C:\Program Files\SonicWALL\DCON, click Next.
Note This section can be configured at a later time. To skip this step and configure it later, click Skip. Step 9 Enter the IP address of your SonicWALL security appliance in the SonicWALL Appliance IP field.
If you checked the Launch SonicWALL Directory Connector box, the SonicWALL Directory Connector will display. Installing the SonicWALL Terminal Services Agent Install the SonicWALL TSA on one or more terminal servers on your network within the Windows domain.
Step 5 On the Select Installation Folder window, select the destination folder. To use the default folder, C:\Program Files\SonicWALL\SonicWALL Terminal Services Agent, click Next. To specify a custom location, click Browse, select the folder, and click Next.
Configuring the SonicWALL SSO Agent The SonicWALL SSO Agent communicates with workstations using NetAPI or WMI, which both provide information about users that are logged in to a workstation, including domain users, local users, and Windows services.
If you clicked Yes, the message Successfully restored the old configuration will display. Click OK. If you clicked No, or if you clicked Yes but the default configuration is incorrect, the message SonicWALL SSO Agent service is not running.
Note When Logging Level 2 is selected, the SSO Agent service will terminate if the Windows event log reaches its maximum capacity. Step 4 In the Refresh Time field, enter the frequency, in seconds, that the SSO Agent will refresh user login status.
Step 5 From the Query Source pull-down menu, select the protocol that the SSO Agent will use to communicate with workstations, either NETAPI or WMI. Note NetAPI will provide faster, though possibly slightly less accurate, performance.
Step 6 In the Configuration File field, enter the path for the configuration file. The default path is C:\Program Files\SonicWALL\DCON\SSO\CIAConfig.xml. Step 7 Click Accept. Step 8 Click OK.
Adding a SonicWALL Security Appliance Use these instructions to manually add a SonicWALL security appliance if you did not add one during installation, or to add additional SonicWALL security appliances.
Step 3 Enter the appliance IP address for your SonicWALL security appliance in the Appliance IP field. Enter the port for the same appliance in the Appliance Port field. The default port is 2258.
Deleting Appliances in SonicWALL SSO Agent To delete a SonicWALL security appliance you previously added in SonicWALL SSO Agent, select the appliance from the left-hand navigation panel and click the delete icon above the left-hand navigation panel.
Adding a SonicWALL Network Security Appliance to SonicWALL TSA Settings Perform the following steps to add a SonicWALL appliance to the SonicWALL TSA: Step 1 Double-click the SonicWALL TSA desktop icon.
Perform the following steps to create a TSR for the SonicWALL TSA: Step 1 Double-click the SonicWALL TSA desktop icon. Step 2 The SonicWALL Terminal Services Agent window displays. Click the Reports tab.
Configuring Your SonicWALL Security Appliance for SonicWALL SSO Agent To use single sign-on, your SonicWALL security appliance must be configured to use either SonicWALL SSO Agent or Browser NTLM authentication only as the SSO method.
Step 4 On the Authentication Agent Settings page, click the Add button to add an agent. The page is updated to display a new row in the table at the top, and two new tabs and their input fields in the lower half of the page.
Step 12 Click the Users tab. The User Settings page displays. Step 13 Check the box next to Allow only users listed locally to allow only users listed locally on the appliance to be authenticated.
network may be blocking them. For example, if you have an Access Control List set on a router in your network to allow NetAPI from the agent’s IP address only, that ACL will block the probes to the NetAPI port from the appliance.
To edit a service account name, select the name, click Edit, make the desired changes in the Service User name dialog box, and then click OK. To remove service account names, select one or more names and then click Remove.
The second setting is appropriate for user traffic that does not need to be authenticated, and triggering SSO might cause an unacceptable delay for the service. SSO bypass settings do not apply when SSO is triggered by firewall access rules requiring user authentication.
As you type in values for the fields, the row at the top is updated in red to highlight the new information. Step 30 In the Port field, enter the port number of the workstation on which SonicWALL TSA is installed.
Step 35 Select one of the following choices from the Use NTLM to authenticate HTTP traffic pulldown list: • Never – Never use NTLM authentication. • Before attempting SSO via the agent – Try to authenticate users with NTLM before using the SonicWALL SSO agent.
Step 41 Click the Test tab. The Test Authentication Agent Settings page displays. You can test the connectivity between the appliance and an SSO agent or TSA. You can also test whether the SSO agent is properly configured to identify a user logged into a workstation.
Step 43 Select the Check agent connectivity radio button and then click the Test button. This will test communication with the authentication agent. If the SonicWALL security appliance can connect to the SSO agent, you will see the message Agent is ready.
Configuring Your SonicWALL Appliance for Browser NTLM Authentication To use single sign-on, your SonicWALL security appliance must be configured to use either SonicWALL SSO Agent or Browser NTLM authentication only as the SSO method.
Step 8 To use locally configured user group settings, select the Local configuration radio button.
To configure a Windows 7 or Vista machine to use NTLMv2 Session Security, perform the following steps: Step 1 To open Windows Group Policy, open the Control Panel and select Administrative Tools.
Advanced LDAP Configuration If you selected Use LDAP to retrieve user group information on the Users tab in step 19 of “Configuring Your SonicWALL Security Appliance for SonicWALL SSO Agent” on page 1077, you must configure your LDAP settings.
Select Give bind distinguished name to access the tree with the distinguished name. Step 7 To log in with a user’s name and password, enter the user’s name in the Login user name field and the password in the Login password field.
Step 14 Click the Schema tab. Step 15 From the LDAP Schema drop-down menu, select one of the following LDAP schemas. Selecting any of the predefined schemas will automatically populate the fields used by that schema with their correct values.
Step 19 The User group membership attribute field contains the information in the user object of which groups it belongs to.
Step 25 Select the Directory tab. Step 26 In the Primary Domain field, specify the user domain used by your LDAP implementation. For AD, this will be the Active Directory domain name, such as yourADdomain.
Note AD has some built-in containers that do not conform (for example, the DN for the top level Users container is formatted as “cn=Users,dc=…”, using ‘cn’ rather than ‘ou’) but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format.
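The note above, and the identical note under Step 7 of “Configuring LDAP Integration in SonicOS Enhanced”, describe a mapping the appliance performs for you: a tree typed in the simpler URL format (domain/container/subcontainer) becomes an LDAP DN, with AD's built-in containers getting a cn= RDN rather than ou=. The following is an added illustration of that mapping, written for this guide and not SonicWALL's own code. It assumes the standard set of AD built-in containers (the guide names only Users) and that built-ins sit directly under the domain; the function names url_tree_to_dn, dn_to_url_tree and domain_uses_dc are this example's own. domain_uses_dc implements the “domain components all use dc=” check that the LDAP Settings tab applies to a bind DN.

```python
"""Map SonicOS-style 'URL format' directory trees to LDAP DNs and back.

Added illustration, not SonicWALL code. The container list and the rule that
built-in containers sit directly under the domain are standard AD facts
assumed here; the guide itself mentions only the Users container.
"""
from __future__ import annotations

# AD built-in containers (objectClass 'container', so their RDN is cn=).
AD_BUILTIN_CONTAINERS = frozenset({
    "Users", "Computers", "Builtin", "ForeignSecurityPrincipals",
    "Program Data", "System", "Managed Service Accounts",
})

_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value as RFC 4514 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Undo escape_rdn_value (backslash-char pairs only, no hex pairs)."""
    out, escaped = [], False
    for ch in value:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings on unescaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def url_tree_to_dn(tree: str) -> str:
    """'example.com/Sales/Staff' -> 'ou=Staff,ou=Sales,dc=example,dc=com'.

    The first path component is the DNS domain (one dc= per label). Later
    components nest beneath it and appear leaf-first in the DN. A component
    directly under the domain that names a built-in container gets cn=;
    everything else is treated as an organizational unit (ou=).
    """
    parts = [p for p in tree.strip().strip("/").split("/") if p]
    if not parts or "." not in parts[0]:
        raise ValueError(f"tree must start with a DNS domain: {tree!r}")
    domain, path = parts[0], parts[1:]
    rdns = []
    for depth, name in enumerate(path):
        attr = "cn" if depth == 0 and name in AD_BUILTIN_CONTAINERS else "ou"
        rdns.append(f"{attr}={escape_rdn_value(name)}")
    rdns.reverse()
    rdns.extend(f"dc={escape_rdn_value(label)}" for label in domain.split("."))
    return ",".join(rdns)


def dn_to_url_tree(dn: str) -> str:
    """Inverse of url_tree_to_dn; cn= and ou= both become path components."""
    rdns = split_dn(dn)
    labels = [r.split("=", 1)[1] for r in rdns if r.lower().startswith("dc=")]
    if not labels:
        raise ValueError(f"DN has no dc= components: {dn!r}")
    others = [r for r in rdns if not r.lower().startswith("dc=")]
    path = [unescape_rdn_value(r.split("=", 1)[1]) for r in reversed(others)]
    return "/".join([".".join(labels)] + path)


def domain_uses_dc(dn: str) -> bool:
    """True when the DN's domain part is an unbroken trailing run of dc= RDNs.

    'o=Example,c=com' style suffixes, or a non-dc RDN inside the domain
    part, fail the check.
    """
    rdns = split_dn(dn)
    is_dc = [r.lower().startswith("dc=") for r in rdns]
    if not any(is_dc):
        return False
    return all(is_dc[is_dc.index(True):])
```

A practical use for a defender is verifying that the user trees and bind DN you are about to enter resolve to the container you expect before saving the LDAP configuration: a tree typed as yourADdomain/Users must come out as cn=Users, not ou=Users, or binds and group lookups against that container will fail.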
Step 31 Select the Referrals tab. Step 32 If multiple LDAP servers are in use in your network, LDAP referrals may be necessary. Select one or more of the following check boxes: • Allow referrals – Select when user information is located on an LDAP server other than the primary one.
Step 33 Select the LDAP Users tab. Step 34 Check the Allow only users listed locally box to require that LDAP users also be present in the SonicWALL security appliance local user database for logins to be allowed.
Step 38 Select the LDAP Relay tab. Step 39 Select the Enable RADIUS to LDAP Relay checkbox to enable RADIUS to LDAP relay.
Step 42 In the User groups for legacy users fields, define the user groups that correspond to the legacy ‘VPN users,’ ‘VPN client users,’ ‘L2TP users’ and ‘users with Internet access’ privileges.
Tuning Single Sign-On Advanced Settings This section provides detailed information to help you tune the advanced SSO settings on your SonicWALL appliance.
Statistics in the TSR” on page 1103 and “Viewing SSO Mouseover Statistics and Tooltips” on page 1101). Requests waiting on the ring buffer for too long could lead to slow response times in SSO authentication.
To view the statistics for all SSO activity on the appliance, hover your mouse pointer over the statistics icon at the bottom of the table, in the same row as the Add button. To close the statistics display, click close.
Using the Single Sign-On Statistics in the TSR A rich set of SSO performance and error statistics is included in the troubleshooting report (TSR). These can be used to gauge how well SSO is performing in your installation.
6. If using multiple agents, then also under SSO agent statistics look at the error and timeout rates reported for the different agents, and also their response times.
Configuring Firewall Access Rules Enabling SonicWALL SSO affects policies on the Firewall > Access Rules page of the SonicOS Enhanced management interface.
• To use SonicWALL SSO with Linux/Mac users, the SonicWALL SSO Agent must be configured to use NetAPI rather than WMI to get the user login information from the user's machine.
unauthenticated HTTP connections that match it will be directed straight to the login page. Typically, the Source field would be set to an address object containing the IP addresses of Mac and Linux systems.
White Listing IP Addresses to Bypass SSO and Authentication If you have IP addresses that should always be allowed access without requiring user authentication, they can be white-listed.
That can be done in one of two ways. The source zone is shown as LAN here, but can be any applicable zone(s): 1. Change Users Allowed in the default LAN -> WAN rule to Everyone or Trusted Users.
About Firewall Access Rules Firewall access rules provide the administrator with the ability to control user access. Rules set under Firewall > Access Rules are checked against the user group memberships returned from a SSO LDAP query, and are applied automatically.
• On a failure to identify a user due to communication problems with the TSA, an HTTP browser session is not redirected to the Web login page (as happens on a failure in the SSO case).
Viewing SSO and LDAP Messages with Packet Monitor In SonicOS Enhanced 5.6 and above, the Packet Monitor feature available on System > Packet Monitor provides two checkboxes to enable capture of decrypted messages to and from the SSO agent, and decrypted LDAP over TLS (LDAPS) messages.
Captured SSO messages are displayed fully decoded on the System > Packet Monitor screen. Capturing LDAP Over TLS Messages To capture decrypte.
The packets will be marked with (ldp) in the ingress/egress interface field. They will have dummy Ethernet, TCP, and IP headers, so some values in these fields may not be correct.
Configuring Additional Administrator User Profiles To configure additional administrator user profiles, perform the following steps: Step 1 While logged in as admin, navigate to the Users > Local Users page.
When using RADIUS or LDAP authentication, if you want to keep the configuration of administrative users local to the appliance whilst having those users authenticated by RADIUS/LDAP, perform these steps: Step 1 Navigate to the Users > Settings page.
Activating Configuration Mode When logging in as a user with administrator rights (that is not the admin user), the User Login Status popup window is displayed. To go to the SonicWALL user interface, click the Manage button.
If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but a.
To switch from non-config mode to full configuration mode, perform the following steps: Step 1 Navigate to the System > Administration page. Step 2 In the Web Management Settings section, click on the Configuration mode button.
Verifying Multiple Administrators Support Configuration User accounts with administrator and read-only administrator privileges can be viewed on the Users > Local Groups page.
The status bar displays Read-only mode - no changes can be made. When the administrator is in non-config mode, the top right of the interface displays Non-Config Mode. Clicking on this text links to the System > Administration page where you can enter full configuration mode.
Chapter 67: Managing Guest Services and Guest Accounts Users > Guest Services Guest accounts are temporary accounts set up for users to log into your network. You can create these accounts manually, as needed, or generate them in batches.
Global Guest Settings Check Show guest login status window with logout button to display a user login window on the user’s workstation whenever the user is logged in. Users must keep this window open during their login session.
– Account Lifetime: This setting defines how long an account remains on the security appliance before the account expires. If Auto-Prune is enabled, the account is deleted when it expires.
Adding Guest Accounts You can add guest accounts individually or generate multiple guest accounts automatically. To Add an Individual Account: Step 1 Under the list of accounts, click Add Guest.
– Session Lifetime: Defines how long a guest login session remains active after it has been activated. By default, activation occurs the first time a guest user logs into an account.
Users > Guest Status The Guest Status page reports on all the guest accounts currently logged in to the security appliance. The page lists: • Name: The name of the guest account.
Part 17: High Availability
Chapter 68: Setting Up High Availability High Availability This chapter describes how to configure and manage the High Availability feature on SonicWALL security appliances.
High Availability provides a way to share SonicWALL licenses between two SonicWALL security appliances when one is acting as a high availability system for the other. To use this feature, you must register the SonicWALL appliances on MySonicWALL as Associated Products.
How High Availability Works High Availability requires one SonicWALL device configured as the Primary SonicWALL, and an identical SonicWALL device configured as the Backup SonicWALL.
• Preempt - Applies to a post-failover condition in which the Primary unit has failed, and the Backup unit has assumed the Active role.
• “Benefits” on page 1137 • “How Does Stateful High Availability Work?” on page 1137 What is Stateful High Availability? Th.
The following table lists the information that is synchronized and information that is not currently synchronized by Stateful High Availability.
Stateful High Availability Example The following figure shows a sample Stateful High Availability network. In case of a failover, the following sequence of events occurs: 1. A PC user connects to the network, and the Primary SonicWALL security appliance creates a session for the user.
Active/Active DPI Overview This section provides an introduction to the Active/Active DPI feature. Active/Active DPI requires Stateful High Availability and is supported on SonicWALL E-Class NSA appliances.
High Availability License Synchronization Overview This section provides an introduction to the SonicWALL High Availability license synchronization feature.
• On SonicWALL appliances that support the PortShield feature (SonicWALL TZ series and NSA 240), High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances.
If you will not be using Primary/Backup WAN Management IP address, make sure each entry field is set to ‘0.0.0.0’ (in the High Availability > Monitoring page) – the SonicWALL will report an error if the field is left blank.
• Make sure the Primary SonicWALL and Backup SonicWALL security appliance’s LAN, WAN, and other interfaces are properly configured for seamless failover. • Connect the Primary SonicWALL and Backup SonicWALL appliances with a CAT5 or CAT6-rated crossover cable.
Perform the following steps: Step 1 Decide which interface to use for the additional connection between the appliances.
To use Stateful High Availability on SonicWALL NSA appliances, you must purchase a Stateful High Availability Upgrade license for the Primary unit. Stateful High Availability is a licensed service that must be activated for the Primary appliance on mysonicwall.
Associating an Appliance at First Registration To register a new SonicWALL security appliance and associate it as a Backup unit to an existing Primary unit so that it can use High Availability license synchronization, perform the following steps: Step 1 Login to MySonicWALL.
Step 6 If you clicked Continue without selecting a choice for HA Primary in the preceding step, click the radio button under Child Product Type to select a choice for HA Secondary (Backup unit), and then click Continue.
You can click HA Secondary to display the My Product - Associated Products page for the child/secondary/Backup unit. Note that you can also change the associated product (parent) for this child on this page.
Associating Pre-Registered Appliances To associate two already-registered SonicWALL security appliances so that they can use High Availability license synchronization, perform the following steps: Step 1 Login to MySonicWALL.
• If the existing unit is an HA Primary or an unassociated appliance, click HA Secondary. • If the existing unit is an HA Secondary appliance, click HA Primary.
Removing an HA Association You can remove the association between two SonicWALL security appliances on MySonicWALL at any time. You might need to remove an existing HA association if you replace an appliance or reconfigure your network.
Replacing a SonicWALL Security Appliance If your SonicWALL security appliance has a hardware failure while still under warranty, SonicWALL will replace it.
Configuring High Availability in SonicOS To configure High Availability, you must configure High Availability in the SonicOS management interface using the two SonicWALL appliances associated on MySonicWALL.
Disabling PortShield with the PortShield Wizard On SonicWALL appliances that support the PortShield feature, High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances.
Disabling PortShield Manually On SonicWALL appliances that support the PortShield feature, High Availability can only be enabled if PortShield is disabled on all interfaces of both the Primary and Backup appliances.
Step 3 Click the Configure button. Step 4 In the Switch Port Settings dialog box, select Unassigned in the PortShield Interface drop-down list. Step 5 Click OK. The Network > PortShield Groups page displays the interfaces as unassigned.
To configure the settings on the High Availability > Settings page: Step 1 Login as an administrator to the SonicOS user interface on the Primary SonicWALL. Step 2 In the left navigation pane, navigate to High Availability > Settings.
High Availability > Advanced Settings The configuration tasks on the High Availability > Advanced page are performed on the Primary unit and then are automatically synchronized to the Backup.
Note SonicWALL High Availability cannot be configured using the built-in wireless interface, nor can it be configured using Dynamic WAN interfaces.
the newly-Active appliance keeps the dynamic routes it had previously learned in its route table.
When using logical monitoring, the HA Pair will ping the specified Logical Probe IP address target from the Primary as well as from the Backup SonicWALL. The IP address set in the Primary IP Address or Backup IP Address field is used as the source IP address for the ping.
Step 5 In the Primary IP Address field, enter the unique LAN management IP address of the Primary unit. Step 6 In the Backup IP Address field, enter the unique LAN management IP address of the Backup unit.
Tip A compromise between the convenience of synchronizing Certificates and the added security of not synchronizing Certificates is to temporarily enable the Include Certificate/Keys setting and manually synchronize the settings, and then disable Include Certificate/Keys.
Applying Licenses to SonicWALL Security Appliances When your SonicWALL security appliances have Internet access, each appliance in a High Av.
Step 4 Click Submit. Step 5 On the Systems > Licenses page under Manage Security Services Online, verify the services listed in the Security Services Summary table. Step 6 Repeat this procedure for the other appliance in the HA Pair.
Copying the License Keyset from MySonicWALL You can follow the procedure in this section to view the license keyset on MySonicWALL and copy it to the SonicWALL security appliance.
This is the license keyset for the SonicWALL security appliance that you selected in Step 3. Step 6 To copy the license keyset to the clipboard, press Ctrl+C. Step 7 Log in to the SonicOS user interface by using the individual LAN management IP address.
Verifying High Availability Status There are several ways to view High Availability status in the SonicOS Enhanced management interface.
instead of HA. When the HA interfaces are not connected or the link is down, the field displays the status in the form X5 No Link. When High Availability is not enabled, the field displays Disabled.
– ERROR – Indicates that the Backup unit has reached an error condition. – REBOOT – Indicates that the Backup unit is rebooting. – NONE – When viewed on the Backup unit, NONE indicates that HA is not enabled on the Backup.
• “Responses to DPI UTM Matches” on page 1173 • “Logging” on page 1173 Comparing CPU Activity on Both Appliances As soon as Active/Active UTM is enabled on the Stateful HA pair, you can observe a change in CPU utilization on both appliances.
Additional Parameters in TSR You can tell that Active/Active UTM is correctly configured on your Stateful HA pair by generating a Tech Support Report on the System > Diagnostics page.
Part 18: Security Services
Chapter 70: Managing SonicWALL Security Services SonicWALL Security Services SonicWALL, Inc. offers a variety of subscription-based security services to provide layered security for your network.
Note For more information on SonicWALL security services, please visit http://www.sonicwall.com. Note Complete product documentation for SonicWALL security services is available on the SonicWALL documentation Web site http://www.
At the top of the list, you can click the link to the System > Licenses page to view license status and the available SonicWALL security services and upgrades for your SonicWALL security appliance and access mysonicwall.
• Purchase/Activate SonicWALL security service licenses • Receive SonicWALL firmware and security service updates and alerts • Manage your SonicWALL security services • Access SonicWALL Technical Support Your mysonicwall.
If you are already connected to your mysonicwall.com account from the management interface, the Security Services Summary table is displayed. Click Synchronize to update the licensing and subscription information on the SonicWALL security appliance from your mysonicwall.
• HTTP Clientless Notification Timeout for Gateway AntiVirus and AntiSpyware - Set the timeout duration after which the SonicWALL security appliance notifies users when GAV or Anti-Spyware detects an incoming threat from an HTTP server.
5. If the appliance has not been registered with mySonicWALL.com, two additional fields are displayed: – MySonicWALL Username - Enter the username for the MySonicWALL.com account that the appliance is to be registered to.
Note The remaining steps can be performed while disconnected from the Internet. Step 6 Return to the Security Services > Summary page on the SonicWALL security appliance GUI. Step 7 Click on the Import Signatures box.
Chapter 71: Configuring SonicWALL Content Filtering Service Security Services > Content Filter The Security Services > Content Filter page allows you to configure the Restrict Web Features and Trusted Domains settings, which are included with SonicOS Enhanced.
For complete SonicWALL Content Filtering Service documentation, see the SonicWALL Content Filtering Service Administrator’s Guide available at http://www.sonicwall.com/us/Support.
established by the administrator. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the SonicWALL security appliance informing the user that the site has been blocked according to policy.
The CFS App Control Policy Settings Screen There are multiple changes/additions to the CFS policy creation window when used in conjunction with Application Control. The table and image in this section provide information on the Application Control interface for CFS.
Feature: Policy Name. Function: A friendly name for the policy. If applying a single policy to multiple groups, it is often a good idea to include the group name in this field.
Choosing CFS Policy Management Type The choice of which policy management method to use – Via User and Zone Screens or Via Application Control – is made in the Security Services > Content Filter page.
Bandwidth Management Methods The Bandwidth Management feature can be implemented in two separate ways: • Per Policy Method.
Policies and Precedence: How Policies are Enforced This section provides an overview of the policy enforcement mechanism in CFS 3.0 to help the policy administrator create a streamlined set of rules without unnecessary redundancy or conflicting rule logic enforcement.
Create an Application Object Create an application object containing forbidden content: Step 1 Navigate to the Firewall > Match Objects page in the SonicOS management interface.
Create an Application Control Policy to Block Forbidden Content Create an Application Control policy to block content defined in the Application Object: Step 1 Navigate to the Firewall > App Rules page in the SonicOS management interface.
Bandwidth Managing Content To create a CFS Policy for applying BWM to non-productive content: • Create an Application O.
To create a new BWM action: Step 1 Navigate to the Firewall > Action Objects page in the SonicOS management interface. Step 2 Click the Add New Action Object button; the Add/Edit Action Object window displays.
Note If you chose not to create a custom BWM object, you may use one of the pre-defined BWM objects (BWM high, BWM medium, or BWM low). Step 7 Optionally, select from the dropdown list the Users/Groups for whom this policy is to be Included or Excluded.
Create a Group-Specific Application Control Policy Create an Application Control policy to block content defined in the Application Object: Step 1 Navigate to the Firewall > App Rules page in the SonicOS management interface.
Creating a Custom CFS Category This section details creating a custom CFS category entry. CFS allows the administrator not only to create custom Policies, but also allows for custom domain name entries to the existing CFS rating categories.
Note All subdomains of the domain entered are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com” and “my.yahoo.com”, hence it is not necessary to enter all FQDN entries for subdomains of a parent domain.
Content Filter Status If SonicWALL CFS is activated, the Content Filter Status section displays the status of the Content Filter Server, as well as the date and time that your subscription expires.
Content Filter Type There are three types of content filtering available on the SonicWALL security appliance. These options are available from the Content Filter Type menu.
If you trust content on specific domains and want them to be exempt from Restrict Web Features, follow these steps to add them: Step 1 Select the Do not block Java/ActiveX/Cookies to Trusted Domains checkbox.
Modifying or Temporarily Disabling the CFS Exclusion List To modify or temporarily disable the CFS Exclusion List, perfor.
Note SonicWALL recommends that you make the Default CFS Premium policy the most restrictive policy. Custom CFS policies are subject to content filter inheritance. This means that all custom CFS policies inherit the filters from the Default CFS policy.
• Enable IP based HTTPS Content Filtering - Select this checkbox to enable HTTPS content filtering.
Local Groups page. The Default CFS policy is always inherited by every user. A custom CFS policy allows you to modify the default CFS configuration to tailor content filtering policies for particular user groups on your network.
Step 5 Click the Settings tab. Step 6 Under Custom List Settings, select any of the following settings: – Disable Allowed Domains - select this setting to disable the allowed domains that are listed on the Custom List tab in the SonicWALL Filter Properties window.
Tip Time of Day restrictions only apply to the Content Filter List, Customized blocking and Keyword blocking. Consent and Restrict Web Features are not affected. Custom List You can customize your URL list to include Allowed Domains and Forbidden Domains.
To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete. Once the domain has been deleted, the Status bar displays Ready. To remove a keyword, select it from the list and click Delete.
– Enable Keyword Blocking - select this setting to enable keyword blocking for the URLs that are listed in the Keyword Blocking section on the Custom List tab. Step 2 Click OK.
Consent The Consent tab allows you to enforce content filtering on designated computers and provide optional filtering on other computers.
• Consent Accepted URL (filtering on) - When a user accepts the terms outlined in the Consent page and chooses to access the Internet with the protection of Content Filtering, they are shown a Web page confirming their selection.
Settings • Server Host Name or IP Address - Enter the Server Host Name or the IP address of the Websense Enterprise server used for the Content Filter List.
Chapter 72: Activating SonicWALL Client Anti-Virus Security Services > Client AV Enforcement By their nature, anti-virus products typically require regular, active maintenance on every PC.
SonicOS supports both McAfee and Kaspersky client anti-virus for client AV enforcement. These services are licensed separately, allowing you to purchase the desired number of each license for your deployment.
Your SonicWALL Client Anti-Virus subscription is activated on your SonicWALL security appliance. Step 4 When you activate SonicWALL Client Anti-Virus at www.mysonicwall.
Step 3 In the configuration window, select the Enable Client AV Enforcement Service checkbox. Step 4 Click OK. Configuring Client Anti-Virus Settings The Settings section provides basic policy and enforcement configuration.
Configuring Client Anti-Virus Policies The following features are available in the Client Anti-Virus Policies section: • Disable policing from Trusted to Public - Unchecked, this option enforces anti-virus policies on computers located on Trusted zones.
Step 2 In the Edit Address Object Group window, select the address groups for which McAfee should be enforced in the left box and click the right arrow to move them into the box on the right.
Step 12 To create another address group for enforcement exclusion, click the Add Entry (plus sign) button, and fill in the Name, Zone, Starting IP Address, and Ending IP Address for the range of clients in the Add Address Object window.
Chapter 73: Managing SonicWALL Gateway Anti-Virus Service Security Services > Gateway Anti-Virus SonicWALL GAV delivers real-time virus protection directly on the SonicWALL security appliance by using SonicWALL’s IPS-Deep Packet Inspection v2.
desktops. New signatures are created and added to the database by a combination of SonicWALL’s SonicAlert Team, third-party virus analysts, open source developers and other sources.
Remote Site Protection Step 1 Users send typical e-mail and files between remote sites and the corporate office. Step 2 SonicWALL GAV scans and analyses files and e-mail messages on the SonicWALL security appliance.
HTTP File Downloads Step 1 Client makes a request to download a file from the Web. Step 2 File is downloaded through the Internet. Step 3 File is analyzed by the SonicWALL GAV engine for malicious code and viruses.
single-pass, per-packet basis. Reassembly-free virus scanning functionality of the SonicWALL GAV engine is inherited from the Deep Packet Inspection engine, which is capable of scanning streams without ever buffering any of the bytes within the stream.
Note If you already have a mysonicWALL.com account, go to “Registering Your SonicWALL Security Appliance” on page 1229. Step 1 Log into the SonicWALL security appliance management interface.
Registering Your SonicWALL Security Appliance Step 1 Log into the SonicWALL security appliance management interface.
If you have an Activation Key for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, per.
Activating FREE TRIALs You can try FREE TRIAL versions of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service.
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL GAV on your SonicWALL security appliance.
Applying SonicWALL GAV Protection on Zones You can enforce SonicWALL GAV not only between each network zone and the WAN, but also between internal zones.
• Signature Database Timestamp displays the last update to the SonicWALL GAV signature database, not the last update to your SonicWALL security appliance.
Application-level awareness of the type of protocol that is transporting the violation allows SonicWALL GAV to perform specific actions within the context of the application to gracefully handle the rejection of the payload.
Restricting File Transfers For each protocol you can restrict the transfer of files with specific attributes by clicking on the Settings button under the protocol in the Gateway Anti-Virus Global Settings section.
Configuring Gateway AV Settings Clicking the Configure Gateway AV Settings button at the bottom of the Gateway Anti-Vi.
Tip The HTTP Clientless Notification feature is also available for SonicWALL Anti-Spyware. Optionally, you can configure the timeout for the HTTP Clientless Notification on the Security Services > Summary page under the Security Services Summary heading.
Optionally, certain cloud-signatures can be excluded from being enforced to alleviate false positive problems or to enable downloading specific virus files as necessary.
Viewing SonicWALL GAV Signatures The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL GAV signature database.
Navigating the Gateway Anti-Virus Signatures Table The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures table. The Items field displays the table number of the first signature.
Chapter 74: Activating Intrusion Prevention Service Security Services > Intrusion Prevention Service SonicWALL Intrusion Prevention Service (Soni.
How SonicWALL’s Deep Packet Inspection Works Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities.
SonicWALL IPS Terminology • Stateful Packet Inspection - looking at the header of the packet to control access based on port, protocol, and IP address. • Deep Packet Inspection - looking at the data portion of the packet.
Tip If your SonicWALL security appliance is connected to the Internet and registered at mysonicwall.
Step 5 In the mysonicwall Account page, enter your information in the Account Information, Personal Information and Preferences fields. All fields marked with an asterisk (*) are required fields.
Step 7 Please complete the Product Survey. SonicWALL uses this information to further tailor services to fit your needs. Step 8 Click Submit. Step 9 When the mysonicwall.
Step 4 Type in the Activation Key in the New License Key field and click Submit.
Note For complete instructions on setting up SonicWALL Intrusion Prevention Service, refer to the SonicWALL Intrusion Prevention Service Administrator’s Guide available on the SonicWALL documentation Web site http://www.
Applying SonicWALL IPS Protection on Zones You apply SonicWALL IPS to zones on the Network > Zones page to enforce SonicWALL IPS not only between each network zone and the WAN, but also between internal zones.
Chapter 75: Activating Anti-Spyware Service Security Services > Anti-Spyware Service SonicWALL Anti-Spyware is part of the SonicWALL Gateway An.
Note Refer to the SonicWALL Anti-Spyware Administrator’s Guide on the SonicWALL Web site: http://www.sonicwall.com/us/Support.html for complete product documentation.
Creating a mysonicwall.com Account Creating a mysonicwall.com account is fast, simple, and FREE. Simply complete an online registration form in the SonicWALL security appliance management interface.
Registering Your SonicWALL Security Appliance Step 1 Log into the SonicWALL security appliance management interface.
To try a FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, or SonicWALL Intrusion Preventi.
Step 5 Click on the Gateway Anti-Virus link. The child Activation Key is automatically entered in the New License Key field.
Chapter 76: Configuring SonicWALL Real-Time Blacklist SMTP Real-Time Black List Filtering The Security Services > RBL Filter page has been moved to Anti-Spam > RBL Filter.
Chapter 77: Configuring Geo-IP and Botnet Filters This chapter contains the following sections: • “Security Services > Geo-IP Filter” on pag.
Security Services > Geo-IP Filter The Geo-IP Filter feature allows administrators to block connections to or from a geographic location. The SonicWALL appliance uses the IP address to determine the location of the connection.
For this feature to work correctly, the country database must be downloaded to the appliance. The Status indicator at the top right of the page turns yellow if this download fails.
Security Services > Botnet Filter The Botnet Filtering feature allows administrators to block connections to or from Botnet command and control servers. To configure Botnet filtering, perform the following steps: 1.
Checking Geographic Location and Botnet Server Status The Botnet Filter also provides the ability to look up IP addresses to determine the domain name, DNS server, the country of origin, and whether or not it is classified as a Botnet server.
Note This Geo Location and Botnet Server status tool can also be accessed from the System > Diagnostics page.
Part 19: WAN Acceleration
Chapter 78: WAN Acceleration WAN Acceleration Overview This chapter provides an overview of the SonicWALL WXA series appliance, basic and advanced deployment scenarios, and configuration and verification examples.
What is WAN Acceleration? The SonicWALL WXA series appliances deployed in one-arm mode with SonicWALL NSA/TZ series appliances allow.
The three separate TCP connections are created between network devices that work together to accelerate traffic using TCP Acceleration. This reduces response time to packet losses and increases throughput.
Benefits The WFS Acceleration service provides the following benefits: • Increased data transfer speeds • Low latency • Advanced.
Step 3 The SonicWALL WXA at the data center is configured to share All Shares on the File Server. Step 4 The SonicWALL WXA at the remote site is configured to share All Shares on the WXA appliance located at the data center.
• It is recommended that the WXA appliance retrieve NTP updates from the Domain Controller. • It is recommended that the DNS server accept secure updates. • Configure the zone properties of an interface to which the WXA appliance is connected as a LAN zone.
Figure 4 WAN Acceleration > Status Page. Name: Action Items. Description: Provides the options to Refresh, Probe for WXA, Create static DHCP lease for WXA, and Apply Changes. See “Action Items” section on page 1276 for details.
Action Items; System Information Panel; Device Configuration Panel. Name: Refresh. Description: Refreshes the WAN Acceleration > Status page. The refresh interval can be entered in the text field.
TCP Acceleration Panel. WXA Interface: Displays the SonicWALL NSA/TZ series appliance interface that the SonicWALL WXA series appliance is connected to. WXA IP Address: Displays the IP address of the SonicWALL WXA series appliance.
WFS Acceleration Panel WAN Acceleration > TCP Acceleration The WAN Acceleration > TCP Acceleration page provides an overview of how to configure and monitor the TCP Acceleration service.
WAN Acceleration > TCP Acceleration 1279 SonicOS 5.8.1 Administrator Guide Name Description Configuration T ab En ab l e t he T C P Ac c e le r a ti o n se rvice and select s the mode, se rvice object, and exclude object s. The W AN Acceleration feature must be enabled before you can en able or con figure the TCP Accelera tion service.
WAN Acceleration > TCP Acceleration 1280 SonicOS 5.8.1 Administrator Guide Configuration Tab Figure 6 TCP Acceleration > Configuration Name Description Enable TCP Acceleration Enables or disables the TCP Acceleration service. This is selected by default.
WAN Acceleration > TCP Acceleration 1281 SonicOS 5.8.1 Administrator Guide Statistics Tab Figure 7 TC P Acceleration > Statistics Name Description Covering Period Click the Covering Period drop-down list and select the period of time the data displa ys on the S tatistics tab.
WAN Acceleration > TCP Acceleration 1282 SonicOS 5.8.1 Administrator Guide Connections Tab Figure 8 TCP Accelerat ion > Connections Name Description Remote Node Select the remote node that your SonicW ALL WXA ser ies appliance is associated with.
WAN Acceleration > WFS Acceleration
This section describes the entities that are present on the WAN Acceleration > WFS Acceleration page.
Configuration Tab
The Configuration tab allows you to enable the WFS Acceleration service and select a public IP address for the WXA series appliance.
Domain Details Tab
The Domain Details tab allows you to configure the SonicWALL WXA series appliance to match that of the Microsoft Windows Domain it is to join.
Figure 12 WFS Acceleration > Domain Details (Name Auto-discovered)
Action Buttons
Auto-discovered Do.
Hostname: Displays the hostname for the SonicWALL WXA series appliance. If an account is created on the domain using the SonicWALL WXA series appliance hostname, the SonicWALL WXA series appliance attempts to join the domain.
Figure 13 Configure Domain Pop-up Window
Join Domain: The SonicWALL WXA series appliance joins the domain (becomes part of the domain) that is identified in the FQDN. The Join Domain Pop-up Window is displayed, Figure 18 on page 1291.
Figure 14 Configure Hostname Pop-up Window
Note: If the device has already joined the domain, changing the hostname requires the device to rejoin the domain.
Figure 16 Time Synchronization Pop-up Window
Use the Domain Controller for Time Synchronization: Checkbox. When enabled (checked) the domain controller is used as the time synchronization source.
Figure 17 Advanced Options Pop-up Window
Figure 18 Join Domain Pop-up Window
Enter the username and password of the domain administrator account.
Shares Tab
The Shares tab configures the SonicWALL WXA series appliance to accelerate specific shares and servers.
Figure 19 WFS Acceleration > Shares
Add New Server.
Figure 20 Add Server and Edit Server Details Pop-up Windows
Remote Server Name: Text Field and Drop-down. The name of the remote server.
Figure 21 Add Share and Edit Share Details Pop-up Windows
Default Cache Read Ahead: Text Field (Add Server Pop-up only). The default size (measured in bytes) for read-ahead speed in the cache.
Statistics Tab
The Statistics tab displays performance statistics for the WFS Acceleration service.
Tools Tab
The Tools tab provides diagnostic tools for the WFS Acceleration service. The Diagnostic Tools drop-down provides the following selections:
• DNS Name Lookup — Performs a search on a specific Name or IP address, Figure 23.
Figure 23 DNS Name Lookup Panel
The DNS Name Lookup Panel displays the following information:
Primary DN.
Figure 24 Available Shares Panel
The Available Shares Panel provides the following configuration options:
Note: If the Son.
Figure 25 Test WFS Configuration Option
The Test WFS Configuration Panel provides the following configuration options:
WAN Acceleration > System
This section describes the entities that are present in the WAN Acceleration > System tabs.
System Status Tab
Figure 28 Advanced > System Status
System Information Panel (Read-only): Displays the following information:
• Model Number
• Serial Number
• Firmware Version.
Figure 29 Time Settings > Time Synchronization Pop-up Window
• Use the Domain Controller for Time Synchronization: Checkbox — Select this checkbox to use the domain controller as the time synchronization source.
Interface Status Tab
Figure 30 System > Interface Status
Refresh: Refreshes the Interface Status tab. The refresh interval can be entered in the text field. The interval can be increased to a maximum of 600 seconds.
Figure 31 Maximum Transmission Unit
• MTU: Text Field — The Maximum Transmission Unit (MTU).
• Apply Button — Applies all changes.
• Cancel Button — Cancels the operation.
Management Tab
Figure 32 System > Management
SNMP Panel: Enables the Simple Network Management Protocol (SNMP) server. Add read-only and read-write communities for a specific client IP or subnet, see Figure 33.
Figure 33 Add New Community Pop-Up Window
Settings Tab
Figure 34 System > Settings
Community Name: Enter the community name being used to communicate with the SNMP feature.
Firmware Tab
Figure 35 System > Firmware
Current Settings Panel: Allows you to download a copy of the current settings. Perform this before making any changes to the firmware.
WAN Acceleration > Logs
The WAN Acceleration > Log page provides a detailed list of the log event messages.
Configuring WAN Acceleration
This section includes procedures for configuring the SonicWALL WXA series appliance. All configuration procedures are performed on the SonicWALL NSA/TZ series appliance’s management interface.
The Interface Settings General Tab is displayed.
Step 9 Enter and do the following:
• Zone: Drop-down — LAN
• Mode/IP Assignment: Drop-down — Static IP Mode
• IP Address: Text Field — Enter the IP Address for the port.
Step 13 Under the DHCP Server Lease Scopes, click Add Dynamic. The Dynamic Range Configuration window is displayed.
Step 14 Do the following:
a. Select the Enable this DHCP Scope checkbox.
Step 16 Confirm that the SonicWALL NSA/TZ has a DHCP lease for the SonicWALL WXA.
Step 17 Navigate to the WAN Acceleration > Status page.
Step 18 Click Create static DHCP lease for WXA.
Step 19 Verify that the lease was created. Navigate to the Network > DHCP Server page.
Configuring TCP Acceleration
The TCP Acceleration service can be deployed in three different deployment scenarios: site-to-site VPN, routed mode, and layer 2 bridge mode.
The Configure VPN Policy pop-up window displays.
Figure 38 VPN Policy Advanced Configuration
Step 3 Select the Advanced tab.
Step 4 Select the checkbox for Permit TCP Acceleration.
Configuring TCP Acceleration on a Non-VPN (Routed Mode)
If you do not have a VPN configured on your network and you are using a custom routing policy, you need to add two routing policies on each site: one for outgoing traffic, and one for incoming traffic.
Configuring a Routing Policy for Outgoing Traffic
The steps in this section are configured from the Remote Site. Follow the same steps for configuring the Data Center.
Step 1 Navigate to the Network > Address Objects page.
Step 9 Navigate to the Network > Routing page.
Figure 42 Add Routing Policies
Step 10 Click the Add button.
The Route Policy Settings pop-up window displays.
Figure 43 Route Policy Settings
Step 11 Click the Source drop-down, select Any.
Step 12 Click the Destination drop-down, select the address object you created (Data Center.
Configuring a Routing Policy for Incoming Traffic
The steps in this section are configured from the Remote Site. Follow the same steps for configuring the Data Center.
Step 1 Navigate to the Network > Address Objects page.
Step 9 Navigate to the Network > Routing page.
Figure 46 Add Routing Policies
Step 10 Click the Add button. The Route Policy Settings pop-up window displays.
Figure 47 Route Policy Settings
Step 11 Click the Source drop-down, select Data Center.
Step 14 Click the Gateway drop-down, select (0.0.0.0).
Step 15 Click the Interface drop-down, select the X0 interface.
Step 16 Enter 1 in the Metric text field. This gives the route policy a high priority level.
Example 2
To configure acceleration of only the HTTP web traffic, follow the steps below:
Step 1 Navigate to WAN Acceleration > TCP Acceleration.
Step 2 Select the Configuration tab.
Example 3
To configure acceleration of everything except Microsoft SQL database traffic or traffic to the Guest Authentication Servers, follow the steps below:
Step 1 Navigate to WAN Acceleration > TCP Acceleration.
Configuring WFS Acceleration
This section provides details on configuring WFS Acceleration. The SonicWALL WXA series appliance must be connected to a SonicWALL NSA or TZ series appliance on a port other than X0 and X1.
Enabling WFS Acceleration
Once you have configured the network interface for the port that connects the SonicWALL WXA series appliance to the SonicWALL NSA or TZ series appliance, you can configure WFS Acceleration.
Joining the Domain
After you have configured the network interface, enabled WFS Acceleration, and created a DHCP Scope, you can configure the local and remote domains.
Step 3 Enter your settings, and then click Apply Changes. The page will be populated with the Configured Domain settings.
Step 4 Click Join Domain. The Join Domain pop-up window displays.
At the SonicWALL NSA/TZ security appliance nearest to the domain controller (data center site), perform the following steps:
Step 1 Login to the SonicWALL NSA/TZ security appliance at the data center.
At the SonicWALL NSA/TZ security appliance farthest from the domain controller (remote site), perform the following steps:
Step 1 Login to the NSA/TZ security appliance at your remote site.
Automatically Joining the Domain for WFS Acceleration
To auto-join the SonicWALL WXA series appliances, perform the following steps:
Step 1 Access the domain controller and create a computer account.
Step 4 Right-click on the computer account, go to Properties and select the setting Trusted for Delegation.
Step 5 Open a cmd.exe window.
Step 6 Set the password for the computer account, where ABCD-EFGH is the auth code.
At the SonicWALL NSA/TZ security appliance nearest to the domain controller (data center site), perform the following steps:
Step 1 Login to the SonicWALL NSA/TZ security appliance at the data center.
Step 6 Click Add New Server.... The Add Server Pop-up window is displayed.
• Remote Server Name: Text Field — Enter the host name of the DC/Share server.
Step 5 Make sure the Remote Server Name and the Local Device Name (from step 4 for the data center site) text fields match.
Step 6 Enter the information for this server, and then click Apply.
Configuring Reverse Lookup
After both WXA appliances are added to the domain, corresponding Computer Accounts for the WXA appliances, DNS Host names, and PTR records are automatically created on the DC and DNS servers.
Note: For WFS, you must access the share name that is mapped to the WXA appliance and not the actual file share. For example, //WXA-Test rather than //FileServer1.
Note: For adding/configuring shares for FileServer1, see “Joining the Domain” on page 1328.
Step 1 Add the WXA-4000-GMS hostname as the SPN for host WXA-4000.
setspn -A CIFS/WXA-4000-GMS WXA-4000
Step 2 Add the WXA-4000-GMS.utm.soniclab.us hostname as the SPN for host WXA-4000.
setspn -A CIFS/WXA-4000-GMS.
Step 9 Configure FileServer2 on the data center as follows: On the NSA/TZ security appliance, navigate to WAN Acceleration > WFS Acceleration, click the Shares tab, expand Shares in the Configuration column, and then click Add New Shares.
Note: The newly created hostname for the data center and remote office should be updated with the NAT IP of the X0 interface on the NSA/TZ security appliance that is located at the data center and remote office, respectively.
Figure 53 Remote Office.
Verifying WAN Acceleration Configurations
This section details how to verify that the TCP Acceleration and WFS Acceleration on your SonicWALL WXA series appliance are configured correctly.
Verifying the WFS Acceleration Configuration
After completing the step-by-step WFS Acceleration configuration procedures, verify that WFS Acceleration is working by two different methods:
• Click the Test Configuration button in the WFS Acceleration > Domain Details tab.
Verify Using the WFS Acceleration > Tools Tab
To verify that the WFS Acceleration service was successful using the WFS Acceleration > Tools tab, perform the following steps:
Step 1 Navigate to the WAN Acceleration > WFS Acceleration.
Troubleshooting WFS Acceleration
Problem: The Joined Domains checkbox is not selected in the Domain Details tab.
Solution: Click Join Domain at the bottom of the page. When the Join Domain pop-up window is displayed, leave the fields empty, and then click Apply.
Part 20: Log
Chapter 79: Managing Log Events
Log > View
The SonicWALL security appliance maintains an Event log for tracking potential security threats. This log can be viewed in the Log > View page, or it can be automatically sent to an e-mail address for convenience and archiving.
Log View Table
The log is displayed in a table and is sortable by column. The log table columns include:
• Time - the date and time of the event.
• Priority - the level of priority associated with your log event.
Clear Log
To delete the contents of the log, click the Clear Log button near the top right corner of the page.
Export Log
To export the contents of the log to a defined destination, click the Export Log button below the filter table.
Step 3 Check the Group Filters box next to any two or more criteria to combine them with a logical OR.
While data-recorders are good at recording data, they lack the sort of deep-packet inspection intelligence afforded by IPS/GAV/ASPY/AF.
6. The requested data will be presented to the client as a .cap file, and can be saved or viewed on the local machine.
Chapter 80: Configuring Log Categories
Log > Categories
This chapter provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWALL security appliance for troubleshooting and diagnostics.
Log Severity/Priority
This section provides information on configuring the priority level at which log messages are captured and corresponding alert messages are sent through e-mail for notification.
Log Categories
SonicWALL security appliances provide automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values.
Dropped TCP (Legacy) - Logs blocked incoming TCP connections
Dropped UDP (Legacy) - Logs blocked incoming UDP packets
Dynamic Address Objects - Extend.
Managing Log Categories
The Log Categories table displays log category information organized into the following columns:
• Category - Displays log category name.
• Description - Provides description of the log category activity type.
Chapter 81: Configuring Syslog Settings
Log > Syslog
In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server.
Syslog Settings
Syslog Facility
• Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
Note: See RFC 3164 - The BSD Syslog Protocol for more information.
Syslog Servers
Adding a Syslog Server
To add syslog servers to the SonicWALL security appliance:
Step 1 Click Add. The Add Syslog Server window is displayed.
Step 2 Type the Syslog server name or IP address in the Name or IP Address field.
Chapter 82: Configuring Log Automation
Log > Automation
The Log > Automation page includes settings for configuring the SonicWALL to send log files using e-mail and configuring mail server settings.
• Send Log - Determines the frequency of sending log files. The options are When Full, Weekly, or Daily. If the Weekly or Daily option is selected, then select the day of the week the log is sent in the every menu and the time of day in 24-hour format in the At field.
• Confirm Password - Confirm the password.
– Mask Password - Leave this enabled to send the password as encrypted text.
• DeepSee Base URL - Defines the format for the base URL for the DeepSee path.
Chapter 83: Configuring Flow Reporting
Log > Flow Reporting
The Log > Flow Reporting page includes settings for configuring the SonicWALL to view statistics based on Flow Reporting and Internal Reporting.
• “NetFlow Tables” on page 1381
External Flow Reporting Statistics
The External Flow Reporting Statistics apply to all external flows.
Internal App Flow Reporting Statistics
The App Flow Reporting Statistics apply to all internal flows.
• Top Apps — Displays the Applications graph.
• Bits per second — Displays the Bandwidth graph.
• Packets per second — Displays the Packet Rate graph.
• Average packet size — Displays the Packet Size graph.
• External Collector’s IP address — Type in the external collector IP address to which the appliance will generate flow reports. This IP address must be reachable from the firewall.
– URL ratings
– VPNs
– Devices
– SPAMs
– Locations
– VOIPs
• Include Following Additional Reports via IPFIX — Additional IPFIX reports can be generated from the firewall in IPFIX with extensions mode.
no rules have the flow reporting option enabled, no data will be reported to the AppFlow collector. This option is an additional way to control which flows are reported internally or externally.
• Include Following URL Types — Use this drop-down list to select the type of URLs to be reported.
User Configuration Tasks
Depending on the type of flows you are collecting, you will need to determine which type of reporting will work best with your setup and configuration.
Step 3 Select Netflow version-9 from the External Flow Reporting Format drop-down list.
Note: The above fields are the required fields for successful IPFIX configuration. All other configurable fields are optional.
IPFIX with Extensions Configuration Procedures
To configure IPFIX with extensions flow reporting, follow the steps listed below.
Step 13 Select the tables for which to receive dynamic flows from the Send Dynamic AppFlow For Following Tables drop-down list.
Step 14 Select any additional reports to be generated for a flow from the Include Following Additional Reports via IPFIX drop-down list.
Step 6 Select the tables for which to receive static flows from the Send Static AppFlow For Following Tables drop-down list. Then, click Accept.
Note: Currently, Scrutinizer supports Applications and Threats only.
Static Tables
Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to send just once.
• Connected Devices — This table reports the list of all devices connected through the SonicWALL appliance, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices.
NetFlow version 5 Flow Record Format
NetFlow version 9
An example of a NetFlow version 9 template is displayed below.
The following table details the NetFlow version 9 Template FlowSet Field Descriptions.
IPFIX (NetFlow version 10)
An example of an IPFIX (NetFlow version 10) template. The following table details the IPFIX Template FlowSet Field Descriptions.
The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates.
Chapter 84: Configuring Name Resolution
Log > Name Resolution
The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports.
• None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
• DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
Chapter 85: Generating Log Reports
Log > Reports
The SonicWALL security appliance can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth.
Data Collection
The Reports window includes the following functions and commands:
• Data Collection section: Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.
Chapter 86: Activating SonicWALL ViewPoint
Log > ViewPoint
SonicWALL ViewPoint is a Web-based graphical reporting tool that provides unprecedented security awareness and control over your network environment through detailed and comprehensive reports of your security and network activities.
Activating ViewPoint
The Log > ViewPoint page allows you to activate the ViewPoint license directly from the SonicWALL Management Interface using two methods. If you received a license activation key, enter the activation key in the Enter upgrade key field, and click Accept.
2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System > Licenses page is displayed. If your SonicWALL security appliance is already connected to your mysonicwall.
Note: The Override Syslog Settings with ViewPoint Settings control on the Log > Syslog page is automatically checked when you enable ViewPoint from the Log > ViewPoint page.
Part 21: Wizards
Chapter 87: Configuring Internet Connectivity on SonicWALL Appliances
Wizards > Setup Wizard
The first time you log into your SonicWALL appliance, the Setup Wizard is launched automatically.
Essentially, NAT translates the IP addresses in one network into those for a different network.
Change Password
4. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next.
Tip: It is very important to choose a password which cannot be easily guessed by others.
Configure 3G/Modem
6. If you are setting up a SonicWALL TZ series appliance that supports 3G devices for Wireless WAN connection ove.
10. Click Next.
Configure Modem
11. If you are setting up a SonicWALL TZ series appliance that supports analog modem devices for dial-up WAN connection, select how you will use the modem.
WAN Network Mode: NAT Enabled
17. Enter the public IP address provided by your ISP in the SonicWALL WAN IP Address field, then fill in the rest of the fields: WAN Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses.
WAN Network Mode: NAT with PPPoE Client
NAT with PPPoE Client is a network protocol that uses Point to Point Protocol over Ethernet to connect with a remote site using various Remote Access Service products.
LAN Settings
Note: On a SonicWALL TZ series appliance, the LAN Settings and LAN DHCP Server settings are only displayed if you selected the Office Gateway deployment scenario.
27. The LAN page allows the configuration of the SonicWALL LAN IP Addresses and the LAN Subnet Mask.
WLAN Radio Settings (SonicWALL wireless security appliances only)
Select whether or not you want to configure Wi-Fi Protected Access (WPA) security:
• WPA/WPA2 Mode - WPA is the security wireless protocol based on 802.
Ports Assignment
30. (SonicWALL TZ series and NSA 240 appliances only) Optionally, you can configure the initial PortShield group assignments for your appliance.
SonicWALL Configuration Summary
31. The Configuration Summary window displays the configuration defined using the Installation Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet window.
Chapter 88: Using the Registration & License Wizard
Wizards > Registration & License Wizard
The SonicWALL Registration and License Wizard simplifies the process of registering your SonicWALL security appliance and obtaining licenses for additional security services.
Step 6 The Registration and License Wizard launches your mysonicwall.com shopping cart. Make sure that your pop-up blocker is turned off.
Step 7 Verify that the services you want to purchase are listed in the shopping cart.
Step 11 Click Next to synchronize your newly purchased licenses. The SonicWALL security appliance synchronizes with mysonicwall.com.
Step 12 Your new security services are now available on the SonicWALL security appliance.
Chapter 89: Configuring a Public Server with the Wizard
Wizards > Public Server Wizard
1. Start the wizard: In the navigator, click Wizards.
3. Select the type of server from the Server Type list. Depending on the type you select, the available services change. Check the box for the services you are enabling on this server.
9. The Summary page displays a summary of the configuration you selected in the wizard.
Chapter 90: Configuring VPN Policies with the VPN Policy Wizard
Wizards > VPN Wizard
The VPN Policy Wizard walks you step-by-step through the configuration of GroupVPN on the SonicWALL.
Step 4 In the IKE Phase 1 Key Method page, you select the authentication key to use for this VPN policy:
– Default Key: If you choo.
– DH Group: The Diffie-Hellman (DH) group is the group of numbers used to create the key pair. Each subsequent group uses larger numbers to start with. You can choose Group 1, Group 2, or Group 5.
Note If you enable user authentication, the users must be entered in the SonicWALL database for authentication. Users are entered into the SonicWALL database on the Users > Local Users page, and then added to groups in the Users > Local Groups page.
Configuring a Site-to-Site VPN using the VPN Wizard
You use the VPN Policy Wizard to create the site-to-site VPN policy.
Using the VPN Wizard to Configure Preshared Secret
Step 1 On the System > Status page, click on Wizards.
– Policy Name: Enter a name you can use to refer to the policy. For example, Boston Office.
– Preshared Key: Enter a character string to use to authenticate traffic during IKE Phase 1 negotiation.
If the object or group you want has not been created yet, select Create Object or Create Group. Create the new object or group in the dialog box that pops up. Then select the new object or group.
– Encryption: This is the method for encrypting data through the VPN Tunnel. The methods are listed in order of security. DES is the least secure and takes the least amount of time to encrypt and decrypt.
Chapter 91: Using the Application Firewall Wizard
Wizards > Application Firewall Wizard
The Application Firewall wizard provides safe configuration for many common use cases, but not for everything.
Step 7 The screen displayed here will vary depending on your choice of policy rule in the previous step.
• Blocking Action - reset connection (Web Access, FTP)
• Blocking Action - add block message (FTP)
• Add Email Ba.
Part 22: Appendices
Appendix A: CLI Guide 1431 SonicOS Enhanced 5.6 Administrator’s Guide
Appendix A: CLI Guide
This appendix contains a categorized listing of Command Line Interface (CLI) commands for SonicOS Enhanced firmware. Each command is described, and where appropriate, an example of usage is included.
Text Conventions
Bold text indicates a command executed by interacting with the user interface.
Most configuration commands require completing all fields in the command. For commands with several possible completing commands, the Tab or ? key displays all options.
Configuration Security
SonicWALL Internet Security appliances allow easy, flexible configuration without compromising the security of their configuration or your network.
Passwords
The SonicWALL CLI currently uses the administrator’s password to obtain access.
Management Methods for the SonicWALL Network Security Appliance
You can configure the SonicWALL appliance using one of three methods:
• Using a serial connection and the configuration manager – An IP address assignment is not necessary for appliance management.
Initiating an SSH Management Session via Ethernet
Note This option works for customers administering a device that does not have a cable for console access to the CLI.
clear pp-stats Clears presentation protocol statistics
clear screen Clears the console screen, leaving a single prompt line.
language-override chinese Overrides current unit language setting, resets to Chinese
language-override english Override.
show ars rip Displays all ARS paths using Routing Information Protocol (RIP)
show baud Displays current baud rate
show buf-memz.
show mem-pools Displays unit’s current memory pool block allocation
show memory Displays system memory on the appliance
sho.
show sslvpn client settings Displays all current client settings associated with SSL-VPN connections to the unit shown on the .
show tsr dhcp-server Displays TSR data relating to DHCP server connections
show tsr dhcp-server-stat Displays TSR data rela.
show tsr mirror-state Displays TSR data relating to database mirror state statistics
show tsr msn Displays TSR data relating to.
show tsr time Displays TSR data relating to appliance’s time policy configuration
show tsr timers Displays the timers secti.
show vpn sa <string> ike Displays Internet Key Exchange data for a VPN security association, specified by a particular .
show zones Displays configurable zones on the appliance and interfaces associated with each zone
stacktrace Runs report of th.
Table 7 Configure Level Commands
Command Description
ACCESS RULES SUB-COMMANDS
access-rules <from-zone> <to-zo.
<modify> commands
<index> Modifies specific access rules index
action <allow | deny | discard> Mod.
ADDRESS GROUP/ADDRESS OBJECT SUB-COMMANDS
abort Exits to top-level menu and cancels changes where needed
[no] address.
GMS SUB-COMMANDS
<gms> algorithm <des-md5 | frd3-sha> Sets GMS encryption and authentication algorithm
[ .
NAT SUB-COMMANDS
nat Accesses sub-commands to configure NAT policies
<add> commands
orig-src <original source objec.
<modify> commands
<item-number> Allows modification of a specific NAT policy
[no] enable Enables/Disables a .
SERVICE SUB-COMMANDS
service Accesses sub-commands to configure individual services
<add> commands
<service name &.
SONICPOINT SUB-COMMANDS
<sonicpoint> <string> Configures a SonicPoint profile
sync Synchronizes configured Son.
radio-a authtype <both | open | psk | shared> Sets the method type for authentication to be both, open, WPA/PSK, or WE.
radio-a wpa interval <uvalue> Sets the length of time between re-keying the WPA key
radio-a wpa psk <string> Sets WiFi Protected Access Pre-shared key passphrase
[no] radio-g enable Enables or disables 802.
radio-g ofdm-power <uvalue> Sets the difference in radio transmit power allowed between 802.
SSH SUB-COMMANDS
ssh enable <interface> Enables SSH management for the specified interface
ssh genkey Creates a new ke.
[no] advanced multicast Enables IP multicasting traffic to pass through the VPN tunnel
[no] advanced netbios Enables or di.
proposal ipsec [<esp | ah>] [encr <des | triple-des | aes-128 | aes-192 | aes-256>] [auth <md5 | sha1 .
VPN SUB-COMMANDS (MANUAL KEY)
abort Exits to top-level menu and cancels changes where needed
[no] advanced apply-nat &.
proposal ipsec [<esp | ah>] [encr <des | triple-des | aes-128 | aes-192 | aes-256>] [auth <md5 | sha1 .
cert <certname> Selects a certificate for the SonicWALL
end Exits configuration mode
exit Exits menu and applies chang.
SSL VPN CLIENT SUB-COMMANDS
abort Exits to top-level menu without applying changes
address <start ip address> <e.
SSL VPN PORTAL SUB-COMMANDS
abort Exits to top-level menu without applying changes
[no] auto-launch Enables/Disables automa.
SSL VPN ROUTE SUB-COMMANDS
abort Exits to top-level menu without applying changes
add-routes <address object name> Ad.
Table 8 LAN Interface Configuration
Command Description
interface <x0 | x1 | x2 | x3 | x4 | x5> [<lan | wan | dm.
Table 9 WAN Interface Configuration
Command Description
<wan> auto Sets the interface to auto-negotiate
bandwidth-ma.
Mode DHCP WAN Interface Configuration
end Exits configuration mode
finished Exits configuration mode to top menu
help <co.
info Displays IP information about the interface
[no] ip <IP Address> Sets/Clears the IP address for the interface.
info Displays IP information about the interface
[no] lan-icmp Assigns/clears LAN-ICMP logging category
[no] lan-tcp Ass.
zone <wan|lan|dmz> Enters the zone configuration menu
end Exits configuration mode
finished Exits configuration mode to.
<guest services> SUB-COMMANDS
abort Exits to top-level menu and cancels changes where needed
bypass antivirus Con.
Configuring Site-to-Site VPN Using CLI
This section describes how to create a VPN policy using the Command Line Interface. You can configure all of the parameters using the CLI, and enable the VPN without using the Web management interface.
Configuration
In this example, a site-to-site VPN is configured between two TZ 200 appliances, with the following settings:
Local TZ 200 (home): WAN IP: 10.50.31.150 LAN subnet: 192.
4. Configure the Pre-Shared Key. In this example, the Pre-Shared Key is sonicwall:
(config-vpn[OfficeVPN])> pre-shared-secret sonicwall
5. Configure the IPSec gateway:
(config-vpn[OfficeVPN])> gw ip-address 10.
Set Default Route OFF, Apply VPN Access Control List OFF Require GSC OFF Use Default Key OFF Policy: OfficeVPN (Enabled) Key Mode: Pre-shared Primary GW: 10.50.31.104 Secondary GW: 0.
Lan Default GW: 0.0.0.0 Require XAUTH: OFF Bound To: Zone WAN
3. Type the command show vpn sa “name” to see the active SA:
(config[TZ200])> show vpn sa "OfficeVPN" Policy: OfficeVPN IKE SAs GW: 10.
-t 1 automatic detect setting; 2 configuration script; 3 proxy server
-s proxy address/URL of automatic configuration script.
-r filename Generate a diagnostic report.
-v Display NetExtender version information.
-h Display this usage information.
server: Specify the server either in FQDN or IP address.
Index
Symbols 1409, 1413, 1417–1418
Numerics 802.11a 516, 522 802.11b 467 802.11g 467, 516, 522 802.11n 467, 516–517
A acceptable use policy 1024.
application control action objects 642, 668 application list objects 640, 666 bandwidth management 621, 669 BWM actions, predefined 642 BWM policy precedence.
diagnostics 165 active connections monitor 169 check network settings 168 core monitor 172 CPU monitor 173 DNS name lookup 175 find network path 175 link monit.
high availability active/active UTM overview 1140 active/active UTM prerequisites 1154 applying licenses to each unit 1165 associating appliances on M.
log automation 57, 1365, 1369 DeepSee 1367 e-mail alert addresses 1365 e-mailing logs 1351 event message priority levels 1352 exporting 1351 generating re.
P packet monitor advanced filter settings 151 basic operation 87, 154 benefits 140 configuring 143 display filter 147 export file types 162 firewall rules ba.
security services licenses 102 managing online 1180 manual upgrade 103 manual upgrade for closed environments 104 manually update 1183 summary 1177 security ser.
syslog adding server 1363 event redundancy rate 1362 server settings 1362 syslog server 1361 system alerts 97 information 96 network interfaces 100 status 95.
WAN Acceleration 1269 advanced page 1300 configuration task list 1274 configuring 1309 configuring WFS acceleration 1326 deployment considerations 1273 logs 1308.
PROTECTION AT THE SPEED OF BUSINESS ™ SonicWALL, Inc. 1143 Borregas Avenue, Sunnyvale CA 94089-1306 T +1 408.745.9600 F +1 408.745.9300 www.sonicwall.com P/N: 232-000738-00 Rev E, 4/12 ©2012 descriptions subject to change without notice.