SonicWALL Technical Support ... 4
North America Telephone Support ... 4
International Telephone Support ... 4
More Information on SonicWALL Products and Services ... 5
Initial Configuration Using the Wizards ... 7
Internet Connectivity Using the Setup Wizard ... 7
Configuring a Static IP Address with NAT Enabled ... 7
Setup Wizard ...
SonicWALL PRO 3060/PRO 4060 ... 35
SonicWALL TZ 170 ... 35
System>Licenses ... 36
Security Services Summary ... 36
Manage Security Services Online ... 36
Manual Upgrade ... 37
System>Administration ... 38
Firewall Name ... 38
Administrator Name & Password ... 38
Changing the Administrator Password ... 38
Page 2 SonicWALL SonicOS Standard Administrator’s Guide
Automatic Notification of New Firmware ... 44
Firmware Management Table ... 44
Updating Firmware Manually ... 45
Creating a Backup Firmware Image ... 45
SafeMode - Rebooting the SonicWALL ... 45
System Information ... 46
Firmware Management ... 46
FIPS (PRO 3060/PRO 4060) ... 47
System>Diagnostics ...
Creating an Outbound Traffic Policy ... 75
Creating an Inbound Traffic Policy ... 75
Network>ARP ... 76
Network>DHCP Server ... 77
Enabling DHCP Server ... 77
Configuring DHCP Server for Dynamic Ranges ... 78
General ... 78
DNS/WINS ... 79
VoIP Settings ... 79
Configuring Static DHCP Entries ... 80
General ...
Deleting Custom Services Groups ... 96
VPN ... 97
VPN>Settings ... 97
VPN Global Settings ... 97
VPN Policies ... 98
Currently Active VPN Tunnels ... 98
Configuring Group VPN on the SonicWALL ... 98
Configuring GroupVPN with IKE using Preshared Secret ... 98
General ... 99
Proposals ... 99
Advanced ... 100
Client ... 101
Configuring GroupVPN with IKE using 3rd Party Certificates ... 101
General ... 122
L2TP Server Settings ... 122
IP Address Settings ... 123
L2TP Users ... 123
Adding L2TP Clients to the SonicWALL ... 123
Currently Active L2TP Sessions ... 123
Digital Certificates ... 123
Overview of X.509 v3 Certificates ... 123
SonicWALL Third Party Digital Certificate Support ...
Configuration Notes ... 141
Monitoring Links ... 142
Security Services ... 143
Security Services>Summary ... 144
Security Services Summary ... 144
Manage Services Online ... 144
If Your SonicWALL is Not Registered ... 145
Security Services Settings ... 145
SonicWALL Content Filtering Service ... 145
Security Services>Content Filter ... 146
Content Filter Status ... 146
Activating SonicWALL CFS ... 147
Activating a SonicWALL CFS FREE TRIAL ... 147
Adding a New Address ... 152
SonicWALL Network Anti-Virus ... 152
Security Services>Anti-Virus ... 153
Activating SonicWALL Network Anti-Virus ... 153
Activating a SonicWALL Network Anti-Virus FREE TRIAL ... 153
Network Anti-Virus E-Mail Filter ... 153
Intrusion Prevention Service ... 154
SonicWALL IPS Features ... 154
SonicWALL Deep Packet Inspection ...
SonicWALL Support Programs ... 167
Warranty Support - North America and International ... 167
Appendix B - Configuring the Management Station TCP/IP Settings ... 168
Windows 98 ... 168
Windows NT ... 169
Windows 2000 ... 170
Windows XP ... 171
Macintosh OS 10 ... 171
Specifications and descriptions subject to change without notice. Limited Warranty SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use.
EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose.
Thank you for purchasing the SonicWALL Internet Security Appliance. Organizations of all kinds face an array of security threats and must react quickly with limited IT resources. SonicWALL offers security solutions for specific business applications such as networking, site-to-site communications, telecommuting, POS transactions, and secure web sites.
Applying Changes Click the Apply button at the top right corner of the SonicWALL Management Interface to save any configuration changes you made on the page. If the settings are contained in a secondary window within the Management Interface, when you click OK, the settings are automatically applied to the SonicWALL.
Chapter 4, Network - outlines configuring network settings manually for the SonicWALL as well as static routes and RIPv2 advertising on the network. Setting up the SonicWALL to act as the DHCP server on your network is also covered in this chapter.
Important information on a feature that requires callout for special attention. SonicWALL Technical Support For timely resolution of technical support questions, visit SonicWALL on the Internet at <http://www.sonicwall.com/services/support.html>. Web-based resources are available to help you resolve most technical issues or contact SonicWALL Technical Support.
Note: Please visit <http://www.sonicwall.com/services/contact.html> for the latest technical support telephone numbers. More Information on SonicWALL Products and Services Contact SonicWALL, Inc. for information about SonicWALL products and services at: Web: http://www.sonicwall.com E-mail: sales@sonicwall.com Phone: (408) 745-9600 Fax: (408) 745-9300
(LAN) IP address on packets passing through a SonicWALL with a “fake” one from a fixed pool of addresses. The actual IP addresses of computers on the LAN are hidden from outside view.
Note: Your Web browser must be Java-enabled and support HTTP uploads in order to fully manage SonicWALL. Internet Explorer 5.0 and above as well as Netscape Navigator 4.0 and above meet these criteria. 1. Click the Setup Wizard button on the Network>Settings page. Read the instructions on the Welcome window and click Next to continue.
Step 2: Change Time Zone 3. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. Step 3: WAN Network Mode 4. Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet.
Step 4: WAN Network Mode: NAT Enabled 6. Enter the public IP address provided by your ISP in the SonicWALL WAN IP Address field, then fill in the rest of the fields: WAN/OPT/DMZ Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses.
8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select Enable DHCP Server, and specify the range of IP addresses that are assigned to computers on the LAN.
Setup Wizard Complete 10. The SonicWALL stores the network settings. 11. Click Restart to restart the SonicWALL. The SonicWALL takes approximately 90 seconds or longer to restart. During this time, the yellow Test LED is lit.
Configuring DHCP Networking Mode DHCP is a networking mode that allows the SonicWALL to obtain its WAN IP address from a DHCP server for a specific length of time. The length of time is called a lease, which the DHCP client renews with the server before it expires, typically every few days.
Step 2: Change Time Zone 4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. Step 3: WAN Network Mode 5. Select DHCP; the Obtain an IP address automatically window is displayed. Click Next.
Step 4: WAN Network Mode: NAT with DHCP Client 6. The Obtain an IP address automatically window states that the ISP dynamically assigns an IP address to the SonicWALL. To confirm this, click Next. DHCP-based configurations are most common with cable modem connections.
Addresses and Subnet Masks. SonicWALL LAN IP Addresses are the private IP addresses assigned to the LAN of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL are useful for most networks. Click Next.
Storing SonicWALL Configuration Setup Wizard Complete 10. Click Restart to restart the SonicWALL. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Tip! The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations window, is used to log in and manage the SonicWALL.
2. Read the instructions on the Welcome window and click Next to continue. Step 1: Change Password 3. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next.
Step 2: Change Time Zone 4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. Step 3: WAN Network Mode 5. The SonicWALL automatically detects the presence of a PPPoE server on the WAN. If it does not, select PPPoE: Your ISP provided you with desktop software, a user name and password.
SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL are useful for most networks. If you do not use the default settings, enter your preferred IP addresses in the fields. Click Next.
8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically assigns IP settings to computers on the LAN. To enable the DHCP server, select Enable DHCP Server, and specify the range of IP addresses that are assigned to computers on the LAN.
SonicWALL. Setup Wizard Complete 10. Click Restart to restart the SonicWALL. 11. The SonicWALL takes approximately 90 seconds or longer to restart. During this time, the yellow Test LED is lit. Configuring PPTP Network Mode NAT with PPTP Client mode uses Point to Point Tunneling Protocol (PPTP) to connect to a remote server.
1. Click the Setup Wizard button on the Network>Settings page. 2. Read the instructions on the Welcome window and click Next to continue. Step 1: Change Password 3. To set the password, enter a new password in the New Password and Confirm New Password fields.
Step 2: Change Time Zone 4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. Step 3: WAN Network Mode 5. Select PPTP: Provided you with a server IP address, a user name and password. Click Next.
SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL are useful for most networks. If you do not use the default settings, enter your preferred IP addresses in the fields. Click Next.
8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically assigns IP settings to computers on the LAN. To enable the DHCP server, select Enable DHCP Server, and specify the range of IP addresses that are assigned to computers on the LAN.
Storing SonicWALL Configuration Tip! The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations window, is used to log in and manage the SonicWALL. Setup Wizard Complete 10. Click Restart to restart the SonicWALL. The SonicWALL takes approximately 90 seconds or longer to restart.
Server Access Rules: The wizard creates an access policy allowing traffic from the WAN zone to the zone where the new server resides. Create the Server with the Public Server Wizard 1. Start wizard: In the navigator, click Wizards. 2. Select Public Server Wizard and click Next.
3. Select the type of server from the Server Type list. Depending on the type you select, the available services change. Check the box for the services you are enabling on this server. Click Next. 4. Enter the name of the server. 5.
The wizard creates a NAT policy to translate the destination addresses of all incoming packets with one of the services in the new service group and addressed to the WAN address to the address of the
DMZ. 10. Click Apply in the Public Server Configuration Summary page to complete the wizard and apply the configuration to your SonicWALL. Tip! The new IP address used to access the new server, internally and externally is displayed in the URL field of the Congratulations window.
3 System This chapter describes the configuration of the SonicWALL IP settings, time, and password as well as providing instructions to restart the SonicWALL, import and export settings, upload new firmware, and perform diagnostic tests. System>Status The Status page contains five sections: System Messages, System Information, Security Services, Latest Alerts, and Network Interfaces.
2. Type your mySonicWALL.com username and password in the User Name and Password fields and click Submit. 3. Type in a “friendly name” for your SonicWALL in the Friendly Name field. A friendly name is used to help identify your SonicWALL, such as its location.
Access SonicWALL Technical Support Creating a mySonicWALL.com account is easy and free. Simply complete an online registration form. Once your account is created, you can register SonicWALL Internet Security Appliances and activate SonicWALL Security Services associated with the SonicWALL. Your mySonicWALL.com account is accessible from any Internet connection with a Web browser using the HTTPS (Hypertext Transfer Protocol Secure) protocol to protect your sensitive information.
SonicWALL. The Security Service column lists all the available SonicWALL security services and upgrades available for the SonicWALL. The Status column indicates whether the security service is activated (Licensed), available for activation (Not Licensed), or no longer active (Expired). The number of nodes/users allowed for the license is displayed in the Count column.
You can also get free trial subscriptions to SonicWALL Content Filter Service and Network Anti-Virus by clicking the For Free Trials click here link. When you click these links, the mySonicWALL.com Login page is displayed. Enter your mySonicWALL.com account username and password in the User Name and Password fields and click Submit.
The Firewall Name uniquely identifies the SonicWALL and defaults to the serial number of the SonicWALL. The serial number is also the MAC address of the unit. To change the Firewall Name, type a unique alphanumeric name in the Firewall Name field. It must be at least 8 characters in length.
HTTP management, you must include the port number when you use the IP address to log into the SonicWALL. For example, if you configure the port to be 76, then you must type <LAN IP Address>:76 into the Web browser, i.e. <http://192.168.168.1:76>. The default port for HTTPS management is 443.
SonicWALL. If your SNMP management system supports discovery, the SonicWALL agent is automatically discovered on the network. Otherwise, you must add the SonicWALL to the list of SNMP-managed devices on the SNMP management system.
NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window. Existing Tunnel - If this option is selected, the GMS server and the SonicWALL already have an existing VPN tunnel over the connection. Enter the GMS host name or IP address in the GMS Host Name or IP Address field.
System>Time The SonicWALL uses the time and date settings to time stamp log events, to automatically update SonicWALL Security Services, and for other internal purposes. By default, the SonicWALL uses an internal list of public NTP servers to automatically update the time. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers.
NTP server is optional. Select Use NTP to set time automatically if you want to use your local server to set the SonicWALL clock. You can also configure Update Interval (minutes) for the NTP server to update the SonicWALL.
1. Click Export Settings. 2. Click Export. 3. Click Save, and then select a location to save the file. The file is named “sonicwall.exp” but can be renamed. 4. Click Save. This process can take up to a minute. The exported preferences file can be imported into the SonicWALL if it is necessary to reset the firmware.
Only uploaded firmware can be saved to a different location. • Boot - clicking the icon reboots the SonicWALL with the firmware version listed in the same row. Alert! Clicking Boot next to any firmware image overwrites the existing current firmware image making it the Current Firmware image.
1 second. After the SonicWALL reboots, open your Web browser and enter the current IP address of the SonicWALL or the default IP address: 192.168.168.168. The SafeMode page is displayed: SafeMode allows you to do any of the following: •...
SHA-1 and only FIPS-approved algorithms are supported (DES, 3DES, and AES with SHA-1). Select Enable FIPS Mode to enable the SonicWALL to comply with FIPS. When you check this setting, a dialog box is displayed with the following message: Warning! Modifying the FIPS mode will disconnect all users and restart the device. Note that single DES has since been withdrawn as a FIPS-approved algorithm (FIPS 46-3 was withdrawn in 2005), so 3DES or AES should be used in any new proposal.
You can choose any of the following diagnostic tools from the Diagnostic Tool menu. DNS Name Lookup The SonicWALL has a DNS lookup tool that returns the IP address of a domain name. Or, if you type an IP address, it returns the domain name for that address.
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
The SonicWALL forwards the client ACK to the remote host and waits for the data transfer to begin. When using packet traces to isolate network connectivity problems, look for the location where the three-way handshake is breaking down.
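The following is an added example (not part of the SonicWALL guide) that applies the advice above to a packet trace. It reads trace lines in a simplified, constructed rendering of the appliance's "From <ip> / <port> To <ip> / <port>" output, tracks each connection through the six events of a three-way handshake crossing the firewall (each segment received on one interface and forwarded on the other), and reports at which step the handshake stopped. The Received/Forwarded labels, the sample traces and the diagnosis wording are assumptions made for the example; a MAC address in parentheses after a port, as in the guide's trace line, is tolerated and ignored.

```python
import re
from collections import OrderedDict

# Constructed line format: "<Received|Forwarded> <FLAGS> From <ip> / <port> To <ip> / <port>".
# This is a simplified rendering of the appliance's trace output, not its exact format.
LINE_RE = re.compile(
    r"^(Received|Forwarded)\s+([A-Z,]+)\s+From\s+(\S+)\s*/\s*(\d+)(?:\s*\([^)]*\))?"
    r"\s+To\s+(\S+)\s*/\s*(\d+)"
)

# The six events a successful three-way handshake produces as it crosses the firewall.
HANDSHAKE = [
    ("Received", "SYN"), ("Forwarded", "SYN"),
    ("Received", "SYN,ACK"), ("Forwarded", "SYN,ACK"),
    ("Received", "ACK"), ("Forwarded", "ACK"),
]

# What it means when a flow stops after N of those events.
DIAGNOSIS = {
    0: "no SYN seen from the client",
    1: "client SYN received but not forwarded: dropped by the SonicWALL (check access and NAT rules)",
    2: "SYN forwarded but no SYN,ACK came back: the server or the upstream path is not answering",
    3: "SYN,ACK received but not forwarded: return traffic dropped by the SonicWALL",
    4: "SYN,ACK forwarded but the client never sent its ACK",
    5: "client ACK received but not forwarded",
    6: "handshake complete; look at the data transfer that follows",
}


def parse(trace):
    """Yield (direction, flags, src, sport, dst, dport) for each trace line that parses."""
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            direction, flags, src, sport, dst, dport = m.groups()
            yield direction, flags, src, int(sport), dst, int(dport)


def analyse(trace):
    """Map each flow (client_ip, client_port, server_ip, server_port) to where its handshake stopped."""
    stages = OrderedDict()
    for direction, flags, src, sport, dst, dport in parse(trace):
        # SYN,ACK travels server->client, so key every event by the client side.
        flow = (dst, dport, src, sport) if flags == "SYN,ACK" else (src, sport, dst, dport)
        stage = stages.setdefault(flow, 0)
        if stage < len(HANDSHAKE) and HANDSHAKE[stage] == (direction, flags):
            stages[flow] = stage + 1
    return {flow: DIAGNOSIS[stage] for flow, stage in stages.items()}


# Constructed sample traces (not captured from a real appliance).
GOOD_TRACE = """\
Received  SYN      From 207.88.211.116 / 1937 To 204.71.200.74 / 80
Forwarded SYN      From 207.88.211.116 / 1937 To 204.71.200.74 / 80
Received  SYN,ACK  From 204.71.200.74 / 80 To 207.88.211.116 / 1937
Forwarded SYN,ACK  From 204.71.200.74 / 80 To 207.88.211.116 / 1937
Received  ACK      From 207.88.211.116 / 1937 To 204.71.200.74 / 80
Forwarded ACK      From 207.88.211.116 / 1937 To 204.71.200.74 / 80
"""

# The SYN leaves the firewall but nothing returns: an upstream problem, not a rule.
NO_REPLY_TRACE = """\
Received  SYN      From 192.168.168.10 / 2048 To 204.71.200.74 / 80
Forwarded SYN      From 192.168.168.10 / 2048 To 204.71.200.74 / 80
"""

# The SYN never leaves: the firewall itself dropped it.
DROPPED_TRACE = """\
Received  SYN      From 192.168.168.10 / 2049 To 204.71.200.74 / 23
"""

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("no reply", NO_REPLY_TRACE), ("dropped", DROPPED_TRACE)):
        for (cip, cport, sip, sport), verdict in analyse(trace).items():
            print(f"{name}: {cip}:{cport} -> {sip}:{sport}: {verdict}")
```

The point of keying on the client side is that a trace taken on a busy interface interleaves many flows; diagnosing each one separately is what lets you see that, for example, the SYN was forwarded out the WAN and the silence is upstream rather than a rule on the SonicWALL.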
Tech Support Report The Tech Support Report generates a detailed report of the SonicWALL configuration and status, and saves it to the local hard disk. This file can then be e-mailed to SonicWALL Technical Support to help assist with a problem.
Management interface. Click Restart SonicWALL and then click Yes to confirm the restart. The SonicWALL takes approximately one minute to restart, and the yellow Test light is lit during the restart. During the restart time, Internet access is momentarily interrupted on the LAN.
• ARP - view the ARP settings and clear the ARP cache as well as configure ARP cache time.
• DHCP Server - configure the SonicWALL as a DHCP Server on your network to dynamically assign IP addresses to computers on your LAN or DMZ zones.
Interface Settings The Interface Settings table lists the following information for each interface: Name - listed as X0, X1, X2, X3, X4, and X5 or LAN, WAN, or OPT/DMZ depending on your SonicWALL model. Zone - LAN, DMZ/OPT and WAN are listed by default. As zones are configured, the names are listed in this column.
If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links
Static - configures the SonicWALL for a network that uses static IP addresses. DHCP - configures the SonicWALL to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers.
User Login
DHCP: Host Name, Comment, Management (User Login), Renew / Release / Refresh
PPPoE: User Name, User Password, Comment, Management (User Login), Inactivity Disconnect (minutes), Obtain IP Address Automatically / Specify IP Address, Obtain DNS Server Address Automatically / Specify DNS Server
PPTP: User Name, User Password, PPTP Server IP Address...
Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu: •...
WAN port traffic by “failing over” to the secondary WAN port. This feature also allows you to perform simple load balancing for the WAN traffic on the SonicWALL. You can select a method of dividing the outbound WAN traffic between the two WAN ports and balance network traffic.
The SonicWALL can monitor WAN traffic using Physical Monitoring which detects if the link is unplugged or disconnected, or Physical and Logical Monitoring, which monitors traffic at a higher level, such as upstream connectivity interruptions. Alert! Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings.
Configuring WAN Probe Settings The SonicWALL sends probes to a target IP address of an “always available” target upstream device on the network, such as an ISP side router, to monitor connectivity. To configure WAN Probe Settings: 1. Select Ping (ICMP) or TCP from the Probe Target menu.
Creating a NAT Policy for WAN Failover You need to create a NAT policy on your SonicWALL for WAN Failover. Follow these steps to create a NAT policy on your SonicWALL using the X4 interface (PRO 3060/4060) or OPT interface (TZ 170): 1.
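As an added illustration of the failover and load-balancing behaviour described above (example code, not from the guide), the following models a WAN port under Physical and Logical Monitoring: an unplugged link fails immediately, a probed link fails only after a run of consecutive failed probes to the upstream target and recovers after a run of successes, and new connections are split between the two WAN ports by percentage while both are up. The thresholds (three probes), the interface names X1 and X4 and the share-based balancing method are assumptions; the guide does not state the appliance's own thresholds or algorithm.

```python
class WanLink:
    """One WAN port under Physical and Logical Monitoring."""

    def __init__(self, name, fail_threshold=3, recover_threshold=3):
        self.name = name
        self.fail_threshold = fail_threshold        # consecutive failed probes before the link is down (assumed)
        self.recover_threshold = recover_threshold  # consecutive good probes before it is up again (assumed)
        self.physical_up = True
        self.logical_up = True
        self._failures = 0
        self._successes = 0

    def physical(self, up):
        """Physical Monitoring: an unplugged or disconnected cable fails the link at once."""
        self.physical_up = up
        if not up:
            self.logical_up = False
            self._failures = self._successes = 0

    def probe(self, ok):
        """Logical Monitoring: record one Ping (ICMP) or TCP probe result to the upstream target."""
        if not self.physical_up:
            return
        if ok:
            self._successes += 1
            self._failures = 0
            if not self.logical_up and self._successes >= self.recover_threshold:
                self.logical_up = True
        else:
            self._failures += 1
            self._successes = 0
            if self.logical_up and self._failures >= self.fail_threshold:
                self.logical_up = False

    @property
    def up(self):
        return self.physical_up and self.logical_up


class WanFailover:
    """Chooses the WAN port for each new outbound connection."""

    def __init__(self, primary, secondary, primary_share=100):
        self.primary = primary
        self.secondary = secondary
        self.primary_share = primary_share   # percent of new connections on the primary while both are up
        self._count = 0

    def pick(self):
        """Return the WanLink to use, or None when both WAN ports are down."""
        if self.primary.up and self.secondary.up:
            self._count += 1
            return self.primary if self._count % 100 < self.primary_share else self.secondary
        if self.primary.up:
            return self.primary
        if self.secondary.up:
            return self.secondary
        return None


if __name__ == "__main__":
    primary, secondary = WanLink("X1"), WanLink("X4")
    fo = WanFailover(primary, secondary)
    for result in (False, False, False):
        primary.probe(result)
    print("after three failed probes:", fo.pick().name)
```

Requiring several consecutive failures before failing over, and several successes before failing back, is what keeps a single lost probe from flapping traffic between the two ISPs; a replugged cable still has to pass the probes before it carries traffic again.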
Network > Zones A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following strict physical interface scheme. There are four fixed Zone types: Trusted, Untrusted, Public, and Encrypted. Trusted is associated with LAN Zones.
5. If you want to allow intra-zone communications, select Allow Interface Trust. If not, clear the Allow Interface Trust checkbox. 6. Click OK. The new zone is now added to the SonicWALL. Modifying a Zone To modify the Zone name, the virtual route, or comments, click the Notepad icon next to the Zone to display the Edit Zone window.
Network > DNS Configure the SonicWALL DNS settings manually on this page if necessary. In the DNS Settings section, select Specify DNS Servers Manually and enter the IP address(es) into the DNS Server fields. To use the DNS Settings configured for the WAN Zone, select Inherit DNS Settings Dynamically from the WAN Zone.
• Custom Address Objects - displays Address Objects with custom properties.
• Default Address Objects - displays Address Objects configured by default on the SonicWALL.
Sorting Address Objects allows you to quickly and easily locate Address Objects configured on the SonicWALL.
• DMZ Subnets
• All WAN IP
• All Interface IP
• All LAN Management IP
• All WAN Management IP
SonicWALL PRO 3060/4060 Default Address Objects
• LAN Primary IP
• LAN Primary Subnet
• WAN Primary IP
• WAN Primary Subnet
•
LAN, WAN, DMZ, or VPN. Creating Group Address Objects As more and more Address Objects are added to the SonicWALL, you can simplify managing the addresses and access policies by creating groups of addresses. Changes made to the group are applied to each address in the group.
The selected item moves from the right column to the left column. Network>Routing If you have routers on your interfaces, you can configure static routes on the SonicWALL. Static routing means configuring the SonicWALL to route network traffic to a specific, predefined destination.
You can configure up to 512 routes on the SonicWALL. Tip! If the SonicWALL has a NAT Policy on the WAN, the internal (LAN) router needs to have a route of last resort (i.e. gateway address) that is the SonicWALL LAN IP address.
3. In the Advertise Default Route menu, select Never, When WAN is up, or Always. 4. If you have static routes configured on the SonicWALL, select Advertise Static Routes to include them in Route Advertisement.
LAN and WAN network settings. The SonicWALL LAN and WAN IP addresses are displayed as permanently published at all times. Network > NAT Policies When two hosts communicate using TCP/IP on the internet, there are four parameters used in any TCP or UDP connection: Source (IP) Address, Source (TCP/UDP) Port, Destination (IP) Address, and Destination (TCP/UDP) Port.
IP addresses. Tip! By default, LAN to WAN has a NAT policy predefined on the SonicWALL. The Default Many-to-One Outbound NAT Policy The default Many-to-One Outbound NAT policy is visible as Any -> WAN Primary IP in either Custom Policies or All Policies.
(LAN or DMZ zone). This example is for a web server sitting on the X0 interface, with an address object name of 'WWWserver'. To configure this policy, follow these steps:
6. Select X1 from the Inbound Interface menu. 7. Select Any from the Outbound Interface menu. 8. Click OK to add the NAT policy to the SonicWALL. Note: The NAT policies window will not allow you to specify a destination interface when you translate the destination.
7. Select Any from the Outbound Interface menu. 8. Click OK to add the NAT policy to the SonicWALL. Note: The NAT policies page does not allow you to specify a destination interface when you translate the destination. Tip! Enable is selected by default. Clear the checkbox to disable the policy after creating it.
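The example below, added here and not taken from the guide, models the two policies just described: the default Many-to-One Outbound policy (Any -> WAN Primary IP, with a fresh source port per connection) and the inbound policy that translates the WAN Primary IP on TCP port 80 to the 'WWWserver' object on X0. The WAN Primary IP (203.0.113.2), the WWWserver address (192.168.168.10) and the source-port range are assumed values. As the note above says, a destination-translating policy is keyed on the inbound interface only, so policies here match on inbound interface, and each translated session is remembered so that the reply is mapped back before the outbound policies are consulted again.

```python
import ipaddress
from dataclasses import dataclass
from itertools import count
from typing import Optional, Tuple

# Addresses assumed for this example; the guide names the address objects
# 'WWWserver' and 'WAN Primary IP' but not their values.
WAN_PRIMARY_IP = "203.0.113.2"
WWWSERVER = "192.168.168.10"
ANY = "Any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatPolicy:
    name: str
    inbound_if: str                     # interface the packet arrives on, or ANY
    orig_src: object                    # ip_network, address string, or ANY
    trans_src: Optional[str]            # new source address, or None to leave it alone
    orig_dst: object
    trans_dst: Optional[str]
    service: Optional[Tuple[str, int]]  # (proto, destination port), or None for any service


def addr_match(spec, ip):
    if spec == ANY:
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return ipaddress.ip_address(ip) in spec
    return spec == ip


def policy_matches(p, pkt, inbound_if):
    return (p.inbound_if in (ANY, inbound_if)
            and addr_match(p.orig_src, pkt.src)
            and addr_match(p.orig_dst, pkt.dst)
            and (p.service is None or p.service == (pkt.proto, pkt.dport)))


class NatTable:
    def __init__(self, policies):
        self.policies = policies        # checked in order; custom policies sit before the default one
        self.sessions = {}              # 5-tuple of the expected reply -> the original packet
        self._pat_ports = count(61000)  # source ports handed out for many-to-one NAT (range assumed)

    def translate(self, pkt, inbound_if):
        """Return the packet as it leaves the SonicWALL."""
        # A reply to a session already translated is rewritten straight back,
        # so the web server's answer never hits the outbound policy a second time.
        original = self.sessions.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is not None:
            return Packet(pkt.proto, original.dst, original.dport, original.src, original.sport)
        for p in self.policies:
            if not policy_matches(p, pkt, inbound_if):
                continue
            new_src = p.trans_src or pkt.src
            new_sport = next(self._pat_ports) if p.trans_src else pkt.sport
            out = Packet(pkt.proto, new_src, new_sport, p.trans_dst or pkt.dst, pkt.dport)
            # Remember what the reply will look like so it can be mapped back.
            self.sessions[(pkt.proto, out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        return pkt   # no policy matched: forwarded untranslated


POLICIES = [
    # Inbound one-to-one policy for the web server on X0 (the 'WWWserver' example above).
    NatPolicy("Inbound HTTP to WWWserver", "X1", ANY, None, WAN_PRIMARY_IP, WWWSERVER, ("TCP", 80)),
    # The default Many-to-One Outbound policy: Any -> WAN Primary IP.
    NatPolicy("Default outbound", "X0", ANY, WAN_PRIMARY_IP, ANY, None, None),
]

if __name__ == "__main__":
    nat = NatTable(POLICIES)
    print(nat.translate(Packet("TCP", "192.168.168.50", 1937, "204.71.200.74", 80), "X0"))
    print(nat.translate(Packet("TCP", "198.51.100.7", 40000, WAN_PRIMARY_IP, 80), "X1"))
```

Two things to notice when reading the output: the outbound client keeps its destination but leaves with the WAN Primary IP and a port from the translation range, and the inbound HTTP request keeps its source but is delivered to the private server address; in both cases the reply is recognised from the session table rather than from a policy.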
Enabling DHCP Server To enable the DHCP Server feature on the SonicWALL, select Enable DHCP Server, and click Configure. The DHCP Server Configuration window is displayed. In the Dynamic Ranges table, the Range Start, Range End, and Interface information is displayed.
Other and type a different IP address for the gateway. 8. If you select the SonicWALL LAN IP address from the Gateway Preferences menu, the Default Gateway and Subnet Mask fields are unavailable. If you select Other, the fields are available for you to type the Default Gateway and Subnet Mask information into the fields.
12. Inherit DNS Settings Dynamically using SonicWALL’s DNS Settings is selected by default. 13. If you do not want to use the SonicWALL network settings, select Specify Manually, and type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
Configuring Static DHCP Entries
Click the Static tab to add static DHCP entries to the SonicWALL. Static entries are IP addresses assigned to servers requiring permanent IP settings.
Note: Static DHCP entries should not be configured for computers with IP addresses configured in Network
To configure static entries, follow these steps: 1.
When selected, the DNS Server IP fields are unavailable. 12. If you do not want to use the SonicWALL network settings, select Specify Manually, and type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
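To show how the DHCP Server settings described above fit together, here is an added example (not from the guide) of a lease allocator: it hands out addresses from a Dynamic Range, never hands out an address held by a Static entry, returns the SonicWALL LAN IP as gateway unless Other is specified, inherits the SonicWALL's DNS settings unless servers are specified manually, lets a client that renews before expiry keep its address, and returns expired addresses to the pool. The three-day lease length, the 255.255.255.0 mask and the MAC addresses in the demo are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

SONICWALL_LAN_IP = "192.168.168.168"   # the default LAN IP address named in the guide
LAN_SUBNET_MASK = "255.255.255.0"      # assumed


class DhcpServer:
    """A Dynamic Range plus Static entries, with the gateway and DNS preferences from the configuration pages."""

    def __init__(self, range_start, range_end, lease_time=timedelta(days=3), gateway=None, dns_servers=None):
        first = int(ipaddress.ip_address(range_start))
        last = int(ipaddress.ip_address(range_end))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.lease_time = lease_time                      # assumed length
        self.gateway = gateway or SONICWALL_LAN_IP        # Gateway Preferences: SonicWALL LAN IP unless Other
        self.dns_servers = tuple(dns_servers) if dns_servers else (SONICWALL_LAN_IP,)  # inherit unless specified
        self.static = {}     # MAC -> fixed address (Static tab)
        self.leases = {}     # MAC -> (address, expiry)

    def add_static(self, mac, ip):
        self.static[mac] = ip

    def _addresses_in_use(self, now):
        """Static addresses and unexpired leases; expired leases go back to the pool."""
        used = set(self.static.values())
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
            else:
                used.add(ip)
        return used

    def request(self, mac, now):
        """Settings handed to the client identified by mac, or None if the range is exhausted."""
        used = self._addresses_in_use(now)
        if mac in self.static:
            return self._settings(self.static[mac], None)
        if mac in self.leases:
            ip = self.leases[mac][0]           # a renewal before expiry keeps the same address
        else:
            free = [ip for ip in self.pool if ip not in used]
            if not free:
                return None
            ip = free[0]
        expiry = now + self.lease_time
        self.leases[mac] = (ip, expiry)
        return self._settings(ip, expiry)

    def _settings(self, ip, expiry):
        return {"ip": ip, "mask": LAN_SUBNET_MASK, "gateway": self.gateway,
                "dns": self.dns_servers, "lease_expires": expiry}


def demo():
    """Constructed sequence: a three-address range, one static entry, a renewal and an expiry."""
    t0 = datetime(2004, 6, 8, 9, 0)
    srv = DhcpServer("192.168.168.10", "192.168.168.12")
    srv.add_static("00:11:22:33:44:55", "192.168.168.11")   # constructed MAC for the example
    out = {}
    out["first client"] = srv.request("aa:aa:aa:aa:aa:01", t0)["ip"]
    out["static host"] = srv.request("00:11:22:33:44:55", t0)["ip"]
    out["second client"] = srv.request("aa:aa:aa:aa:aa:02", t0)["ip"]      # skips the static address
    out["pool exhausted"] = srv.request("aa:aa:aa:aa:aa:03", t0)
    out["renewal keeps address"] = srv.request("aa:aa:aa:aa:aa:01", t0 + timedelta(days=1))["ip"]
    out["after leases expire"] = srv.request("aa:aa:aa:aa:aa:03", t0 + timedelta(days=4))["ip"]
    return out


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The static address sits inside the dynamic range on purpose here, to show that it is simply skipped; the guide's note about not creating static entries for hosts that already have fixed settings elsewhere is a separate concern about conflicting addresses.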
The IP Helper allows the SonicWALL to forward DHCP requests originating from the interfaces on a SonicWALL to a centralized DHCP server on the behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself.
WAN and enable Web Proxy Forwarding. The SonicWALL automatically forwards all Web proxy requests to the proxy server without requiring all the computers on the network to be configured.
To configure a Proxy Web server, select the Network>Web Proxy page. 1. Connect your Web proxy server to a hub, and connect the hub to the SonicWALL WAN port. 2. Type the name or IP address of the proxy server in the Proxy Web Server (name or IP address) field.
20 percent of available bandwidth and can get as much as 40 percent of available bandwidth. If this is the only rule using Bandwidth Management, it has priority over all other rules on the SonicWALL. Other rules use the leftover bandwidth: the available bandwidth minus the 20 percent guaranteed to this rule, or minus up to 40 percent while this rule is using its maximum.
Option Buttons - Select LAN, WAN, VPN, ALL from the From Zone column. Then select LAN, WAN, VPN, ALL from the To Zone column. Click OK to display the rules. • All Rules - selecting All Rules displays all rules configured on the SonicWALL.
Each view displays a table of defined Network Access Rules. For example, selecting All Rules displays all the Network Access Rules for all Zones. Zone Rules Selecting a Zone from the Matrix, Drop-down Boxes, or Option Buttons view displays the Access Rules for the specific Zone.
Adding Rules To add Access Rules to the SonicWALL, follow these steps: 1. Click Add at the bottom of the Access Rules table. The Add Rule window is displayed. 2. Select Allow, Deny, or Discard from the Action list depending upon whether the rule is intended to permit or block IP traffic.
16. Click OK. Tip! Although custom rules can be created that allow inbound IP traffic, the SonicWALL does not disable protection from Denial of Service attacks, such as the SYN Flood and Ping of Death attacks. Adding New Rule Examples The following examples illustrate methods for creating Network Access Rules.
7. Enter any comments in the Comment field. 8. Click OK. Enabling Ping By default, your SonicWALL does not respond to ping requests from the Internet. This Rule allows ping requests from your ISP servers to your SonicWALL. 1. Click Add to launch the Add Rule window.
WAN (untrusted). You need to check this setting when you want the SonicWALL to do the SIP transformation. If your SIP proxy is located on the public (WAN) side of the SonicWALL and SIP clients are on the LAN side, the SIP clients by default embed their private IP address in the SIP/Session Description Protocol (SDP) messages that are sent to the SIP proxy. Unless the SonicWALL rewrites these messages, the SIP proxy does not know how to get back to the client behind the SonicWALL.
TCP Connection Inactivity Timeout If a connection to a remote server remains idle for more than five minutes, the SonicWALL closes the connection. Without this timeout, Internet connections could stay open indefinitely, creating potential security holes.
Firewall > Schedules Schedules The SonicWALL has the flexibility to create and add schedules for Access Rules or Access Rule Groups. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the Notepad icon in the Configure column.
Web servers (HTTP) respond to requests from clients (browser software) for access to files and data. Services are used by the SonicWALL to configure network access rules for allowing or denying traffic to the network. The SonicWALL includes Default Services that are predefined services and also allows you to create Custom Services.
• Name - the name of the service.
• Protocol - the protocol of the service (TCP, UDP, or ICMP).
• Port Start - the starting port number for the service.
• Port End - the ending port number for the service.
•...
Add Service Group window.
Deleting Custom Services Groups
Click the Trashcan icon to delete the individual custom service group entry. You can delete all custom service groups by clicking the Delete button.
Enable VPN must be selected to allow VPN policies through the SonicWALL.
• Unique Firewall Identifier - the default value is the serial number of the SonicWALL. You can change the Identifier, and use it for configuring VPN tunnels.
• Name - user-defined name to identify the Security Association.
• Gateway - the IP address of the remote SonicWALL. If 0.0.0.0 is used, no Gateway is displayed.
• Destinations - the IP addresses of the destination networks.
•...
1. Click the Notepad icon in the Group VPN entry. The VPN Policy window is displayed. General 2. In the General tab, IKE using Preshared Secret is the default setting for IPSec Keying Mode. A Shared Secret is automatically generated in the Shared Secret field, or you can generate your own shared secret.
SonicWALL Distributed Security Client, which provides policy-enforced firewall protection before allowing a Global VPN Client connection. Note: For more information on the SonicWALL Global Security Client and Distributed Security Client, see the SonicWALL Global Security Client Administrator’s Guide.
•...
For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
1. Click the Disk icon in the Configure column for the GroupVPN entry in the VPN Policies table. The Export VPN Client Policy window appears.
2. The rcf format is required for SonicWALL Global Clients option is selected by default. Files saved in the rcf format can be password encrypted. The SonicWALL provides a default file name for the configuration file, which you can change.
Site-to-Site VPN configurations can include the following options:
• Branch Office (Gateway to Gateway) - A SonicWALL is configured to connect to another SonicWALL via a VPN tunnel. Or, a SonicWALL is configured to connect via IPSec to another manufacturer’s firewall.
•...
You need the information below before you begin configuring Site-to-Site VPN Policies.
Site A
Workstation
LAN IP Address: ___.___.___.___
Subnet Mask: ___.___.___.___
Default Gateway: ___.___.___.___
SonicWALL
LAN IP Address: ___.___.___.___
WAN IP Address: ___.___.___.___
Subnet Mask: ___.___.___.___
Default Gateway: ___.___.___.___
Router Internet Gateway
WAN IP Address: ___.___.___.___...
Tip! Use the VPN Planning Sheet for Site-to-Site VPN Policies to record your settings. These settings are necessary to configure the remote SonicWALL and create a successful VPN connection. Configuring a VPN Policy with IKE using Preshared Secret To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below: 1.
Optionally, specify a Local IKE ID and Peer IKE ID for this Policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWALL Identifier (ID_USER_FQDN) is used for Aggressive Mode.
7. Click the Network tab.
Keep Alives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.
17. Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood. 18. Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network menu.
10. Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default value. This encryption key is used to configure the remote SonicWALL encryption key, therefore, write it down to use when configuring the SonicWALL.
Select Enable Windows Networking (NetBIOS) broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood. Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network drop-down box.
Internet through this SA. You can only configure one SA to use this setting. Alternatively, select Choose Destination network from list, and select the address object or group.
7. Click the Proposals tab.
10. Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default value. This encryption key is used to configure the remote SonicWALL encryption key, therefore, write it down to use when configuring the remote SonicWALL.
Select Enable Windows Networking (NetBIOS) broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood. Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network drop-down box.
3. Type a Name for the Security Association in the Name field. 4. Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWALL in the IPSec Primary Gateway Name or Address field. If you have a secondary remote SonicWALL, enter the IP address or Fully Qualified Domain Name (FQDN) in the IPSec Secondary Gateway Name or Address field.
Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood. Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network menu.
Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats in the Failure Trigger Level (missed heartbeats) field. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the SonicWALL. The SonicWALL uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
VPN>DHCP over VPN
DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one IP subnet address space.
6. Click Add. The IP Address window is displayed. 7. Type the IP addresses of DHCP servers in the IP Address field, and click OK. The SonicWALL now directs DHCP requests to the specified servers. 8. Type the IP address of a relay server in the Relay IP Address (Optional) field.
4. The Relay IP address is a static IP address from the pool of specific IP addresses on the Central Gateway. It should not be available in the scope of DHCP addresses. The SonicWALL can also be managed through the Relay IP address.
IP address used as the Relay IP Address. It is recommended to reserve a block of IP addresses to use as Relay IP addresses. Click Add, and type the Ethernet address in the Ethernet Address field. Alert! You must configure the local DHCP server on the remote SonicWALL to assign IP leases to these computers. Alert! If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enabled on the remote computer.
VPN tunnel to provide additional security, and you can implement it with IPSec to provide a secure, encrypted VPN solution.
General
To enable L2TP Server functionality on the SonicWALL, select Enable L2TP Server. Then click Configure to display the L2TP Server Configuration window.
L2TP Server Settings
Configure the following settings:
A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). The X.509 v3 certificate standard is a specification for cryptographic certificates and allows you to define extensions which you can include with your certificate. SonicWALL has implemented this standard in its third party certificate support.
To implement the use of certificates for VPN SAs, you must locate a source for a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL to validate your Local Certificates.
Certificate Details
To view details about the certificate, select the certificate from the Certificates menu in the Current Certificates section. The Certificate Details section lists the following information about the certificate:
• Certificate Issuer
• Subject Distinguished Name
• Certificate Serial Number
•...
VPN>CA Certificates Importing CA Certificates into the SonicWALL After your CA service has validated your CA Certificate, you can import it into the SonicWALL and use it to validate Local Certificates for VPN Security Associations. To import your CA Certificate into the SonicWALL, follow these steps: 1.
4. Click Import to import the certificate into the SonicWALL. Automatic CRL Update To enable automatic CRL updates to the SonicWALL, type the URL of the CRL server for your CA service in the Enter CRL’s location (URL) for auto-import, then click Apply.
User level authentication can be performed using a local user database, RADIUS, or a combination of the two. The local database on the SonicWALL can support up to 1000 users. If you have more than 1000 users, you must use RADIUS for authentication.
Users>Status...
SonicWALL. If you select Use RADIUS for user authentication, users must log into the SonicWALL using HTTPS in order to encrypt the password sent to the SonicWALL. If a user attempts to log into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS.
2. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds with a default value of 5. 3. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped.
• Enter duplicate RADIUS user names locally on the SonicWALL
If you have previously configured User Groups on the SonicWALL, select the group from the Default user group to which all RADIUS users belong menu.
Enter the number of minutes in this field. • Enable login session limit - you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field.
Acceptable Use Policies can use HTML formatting in the body of the message. User>Local Users Add local users to the SonicWALL internal database. Click Add User to display the Add User configuration window. Follow the steps below to add users locally.
Groups To add the user to a User Group, select one or more groups, and click ->. The user then becomes a member of the selected groups. To remove a group, select the group from the Member of column, and click <-.
Web, News, Java, and ActiveX blocking.
• Limited Management Capabilities - By enabling this check box, the user has limited local management access to the SonicWALL Management interface. The access is limited to the following pages:
• General - Status, Network, Time
•...
SonicWALL.
• All SonicWALL ports being used must be connected together with a hub or switch. If each SonicWALL has a unique WAN IP Address for remote management, the WAN IP Addresses must be in the same subnet.
1. Connect the primary SonicWALL and the backup SonicWALL to the network, but leave the power turned off on both units. 2. Turn on the primary SonicWALL unit and wait for the diagnostics cycle to complete. Configure all of the settings in the primary SonicWALL before enabling Hardware Failover.
Serial Number - The Primary SonicWALL serial number cannot be changed unless it is changed in System >Administration. • X0 (LAN) IP Address - This is a unique IP address for accessing the primary SonicWALL from the LAN whether it is Active or Idle. Alert! This IP address is different from the IP address used to contact the SonicWALL in the Network settings.
A label indicates which SonicWALL appliance is accessed. Alert! You can change the IP address of either SonicWALL for the X0 or X1 interfaces as long as they’re in the same subnet as the Primary and Backup Hardware Failover WAN/LAN IP address.
Forcing Transitions In some cases, it may be necessary to force a transition from one active SonicWALL to another – for example, to force the primary SonicWALL to become active again after a failure when Preempt Mode has not been enabled, or to force the backup SonicWALL to become active in order to do preventive maintenance on the primary SonicWALL.
The Hardware Failover>Monitoring page allows you to enter the IP address of the router for Interfaces X0 to X4 to monitor the link. Enter the IP address for the router connected to the respective Interface in the Probe Address Settings section. Click Apply.
Security Services>Content Filtering page that are included with SonicOS. Note: For complete product documentation for the SonicWALL Security Services in this chapter as well as all SonicWALL Security Services and Upgrades, visit the SonicWALL documentation site at www.sonicwall.com/services/documentation.
Manage Services Online table is updated from your mySonicWALL.com account. Note: If you have activated SonicWALL Global Security Client on your SonicWALL, a Policy Editor button is displayed below the Manage Services Online table for configuring security policies. See the SonicWALL Global Security Client Administrator’s Guide for instructions on configuring the Policy...
A rating is returned to the SonicWALL and then compared to the content filtering policy established by the administrator. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the SonicWALL informing the user that the site has been blocked according to policy.
If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here. If SonicWALL CFS is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL CFS from a SonicWALL reseller or from your mySonicWALL.com account (limited...
SonicWALL Content Filtering Service that is available as an upgrade. You can obtain more information about SonicWALL Content Filtering Service at <http://www.sonicwall.com/products/cfs.html>.
• N2H2 - N2H2 is a third party content filter software package supported by SonicWALL. You can obtain more information on N2H2 at <http://www.n2h2.com>.
•...
If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates. Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.
You can enter your customized text to display to the user when access to a blocked site is attempted. The default message is This site is blocked by the SonicWALL Content Filter Service. Any message, including embedded HTML, up to 255 characters long, can be entered in this field.
Disable all Web traffic except for Allowed Domains When the Disable Web traffic except for Allowed Domains check box is selected, the SonicWALL only allows Web access to sites on the Allowed Domains list. With careful screening, this can be nearly 100% effective at blocking pornography and other objectionable material.
Maximum Web Usage (minutes) - In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed. The SonicWALL can be used to remind users when their time has expired by displaying the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field.
This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the SonicWALL that tells the SonicWALL that the user agrees to have filtering enabled.
Security Services>Anti-Virus
If SonicWALL Network Anti-Virus is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL Network Anti-Virus from a SonicWALL reseller or from your mySonicWALL.com account (limited to customers in the USA and Canada).
SonicWALL’s industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWALL IPS to detect and prevent attacks based on a global, attack group, or per- signature basis to provide maximum flexibility and control false positives.
This technology allows the administrator to detect and log intrusions that pass through the SonicWALL Security Appliance, as well as prevent them (i.e. dropping the packet or resetting the TCP connection). SonicWALL’s Deep Packet Inspection technology also correctly handles TCP fragmented byte stream inspection as if no TCP fragmentation has occurred.
Intrusion Prevention - finding anomalies and malicious activity in traffic and reacting to it. • Snort - an open source network intrusion detection system. SonicWALL IPS includes open-source Snort signatures, as well as signatures from other signature databases, and SonicWALL created signatures.
SonicWALL IPS Activation If you do not have SonicWALL IPS activated on your SonicWALL, you must purchase SonicWALL IPS from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers in the USA and Canada). If you do not have SonicWALL IPS installed on your SonicWALL, the Security Services>Intrusion Prevention page indicates an upgrade is required and includes a link to activate your IPS subscription from the SonicWALL Management Interface or to activate a FREE TRIAL of SonicWALL IPS.
2. Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit. The System>Licenses page is displayed. If your SonicWALL is already connected to your mySonicWALL.com account, the System>Licenses page appears after you click the FREE TRIAL link.
The log is displayed in a table and can be sorted by column. The SonicWALL can alert you of important events, such as an attack to the SonicWALL. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
Clear Log Clicking Clear Log deletes the contents of the log. E-mail Log If you have configured the SonicWALL to e-mail log files, clicking E-mail Log sends the current log files to the e-mail address specified in the Log>Automation>E-mail section. Note: The SonicWALL can alert you of important events, such as an attack to the SonicWALL.
Log>Categories You can define which log messages appear in the SonicWALL Event Log. All Log Categories are enabled by default except Network Debug and Denied LAN IP. Log Categories • Log all Categories Select Log all Categories to begin logging all event categories.
System Environment Log entries categorized as System Environment generate alert messages. Once you have configured the Log Settings page, click Apply. Once the SonicWALL is updated, a message confirming the update is displayed at the bottom of the browser window.
Send Log To - type your full e-mail address in the Send log to field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
4. Click Apply to save all Syslog Server settings. Log>Reports The SonicWALL can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth.
• Reset Data Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL is restarted. • View Data Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service.
Log>ViewPoint SonicWALL ViewPoint SonicWALL ViewPoint is a software solution that creates dynamic, Web-based reports of network activity. ViewPoint generates both real-time and historical reports to provide a complete view of all activity through your SonicWALL Internet Security Appliance. With SonicWALL ViewPoint, you are able to monitor network access, enhance network security and anticipate future bandwidth needs.
They are also supported by the best in class tools and processes that ensure a quick and accurate solution to your problem.
SonicWALL Support Programs
SonicWALL offers a variety of support programs designed to get the support you need when you need it. For more information on SonicWALL Support Services, please visit <http://www.sonicwall.com/products/supportservices.html>.
TCP/IP Settings The following steps describe how to configure the Management Station TCP/IP settings in order to initially contact the SonicWALL. It is assumed that the Management Station can access the Internet through an existing connection. The SonicWALL is pre-configured with the IP address 192.168.168.168. During the initial configuration, it is necessary to temporarily change the IP address of the Management Station to one in the same subnet as the SonicWALL.
Windows NT
1. From the Start list, highlight Settings and then select Control Panel.
2. Double-click the Network icon in the Control Panel window.
3. Double-click TCP/IP in the TCP/IP Properties window.
4. Select Specify an IP Address.
5. Type "192.168.168.200" in the IP Address field.
6. Type "255.255.255.0"...
7. Type the DNS IP address in the Preferred DNS Server field. If you have more than one address, enter the second one in the Alternate DNS server field.
8. Click OK, then OK again.
9. Click Close to finish the network configuration.
Windows XP
1. Open the Local Area Connection Properties window.
2. Double-click Internet Protocol (TCP/IP) to open the Internet Protocol (TCP/IP) Properties window.
3. Select Use the following IP address and type 192.168.168.200 in the IP address field.
4. Type 255.255.255.0 in the Subnet Mask field.
5. Type the DNS IP address in the Preferred DNS Server field.