SonicWALL SonicOS Enhanced 2.2 Administrator's Manual

Sonicwall internet security appliance

COMPREHENSIVE INTERNET SECURITY
SonicWALL Internet Security Appliances
SonicOS Enhanced 2.2
Administrator's Guide


Summary of Contents for SonicWALL SonicOS Enhanced 2.2

  • Page 1 COMPREHENSIVE INTERNET SECURITY ™ SonicWALL Internet Security Appliances SonicOS Enhanced 2.2 Administrator's Guide...
  • Page 2: Table Of Contents

    SonicWALL Technical Support.............. 4 North America Telephone Support ..........4 International Telephone Support ..........4 More Information on SonicWALL Products and Services ..... 5 Initial Configuration Using the Wizards....7 Internet Connectivity Using the Setup Wizard........7 Configuring a Static IP Address with NAT Enabled ......7 Setup Wizard ................
  • Page 3 SonicWALL PRO 3060/PRO 4060..........35 SonicWALL TZ 170..............35 System>Licenses.................36 Security Services Summary ............36 Manage Security Services Online ..........36 Manual Upgrade................37 System>Administration ................38 Firewall Name ................38 Administrator Name & Password ...........38 Changing the Administrator Password........38 Page 2 SonicWALL SonicOS Standard Administrator’s Guide...
  • Page 4 Automatic Notification of New Firmware........44 Firmware Management Table........... 44 Updating Firmware Manually............ 45 Creating a Backup Firmware Image ......... 45 SafeMode - Rebooting the SonicWALL ......... 45 System Information..............46 Firmware Management............. 46 FIPS (PRO 3060/PRO 4060) ............47 System>Diagnostics................
  • Page 5 Route Advertisement ..............70 Route Advertisement Configuration ..........70 Routing Table .................71 Network > NAT Policies ...............72 The Default Many-to-One Outbound NAT Policy ......73 Configuring an Inbound Many-to-One NAT Policy ......74 Configuring a One-to-One NAT Policy ...........75...
  • Page 6 Creating an Outbound Traffic Policy......... 75 Creating an Inbound Traffic Policy ........... 75 Network>ARP..................76 Network>DHCP Server ............... 77 Enabling DHCP Server ..............77 Configuring DHCP Server for Dynamic Ranges ......78 General..................78 DNS/WINS................79 VoIP Settings................79 Configuring Static DHCP Entries ........... 80 General..................
  • Page 7 Deleting Custom Services Groups ..........96 VPN ..............97 VPN>Settings ..................97 VPN Global Settings...............97 VPN Policies...................98 Currently Active VPN Tunnels............98 Configuring Group VPN on the SonicWALL ........98 Configuring GroupVPN with IKE using Preshared Secret ....98 General ..................99 Proposals ..................99 Advanced ................100 Client ..................101 Configuring GroupVPN with IKE using 3rd Party Certificates ..101...
  • Page 8 General ..................122 L2TP Server Settings ............. 122 IP Address Settings ..............123 L2TP Users................123 Adding L2TP Clients to the SonicWALL ......... 123 Currently Active L2TP Sessions ..........123 Digital Certificates ................123 Overview of X.509 v3 Certificates ..........123 SonicWALL Third Party Digital Certificate Support ......
  • Page 9 Configuration Notes..............141 Monitoring Links.................142 Security Services..........143 Security Services>Summary..............144 Security Services Summary ............144 Manage Services Online ..............144 If Your SonicWALL is Not Registered ..........145 Security Services Settings............145 SonicWALL Content Filtering Service..........145 Security Services>Content Filter ............146 Content Filter Status..............146 Activating SonicWALL CFS ............147 Activating a SonicWALL CFS FREE TRIAL......147...
  • Page 10 Adding a New Address ............152 SonicWALL Network Anti-Virus ............152 Security Services>Anti-Virus ............. 153 Activating SonicWALL Network Anti-Virus........153 Activating a SonicWALL Network Anti-Virus FREE TRIAL ..153 Network Anti-Virus E-Mail Filter ............153 Intrusion Prevention Service ............. 154 SonicWALL IPS Features ............154 SonicWALL Deep Packet Inspection ...........
  • Page 11 SonicWALL Support Programs ............167 Warranty Support - North America and International ....167 Appendix B- Configuring the Management Station TCP/IP Settings .................168 Windows 98..................168 Windows NT .................169 Windows 2000 ................170 Windows XP .................171 Macintosh OS 10................171...
  • Page 12: Preface

    Specifications and descriptions subject to change without notice. Limited Warranty SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use.
  • Page 13 EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose.
  • Page 14: Introduction

    Thank you for purchasing the SonicWALL Internet Security Appliance. Organizations of all kinds face an array of security threats -- and must react quickly with limited IT resources. That means that SonicWALL offers security solutions for specific business applications such as networking, site-to-site communications, telecommuting, POS transactions, or secure web-sites.
  • Page 15: Navigating The Management Interface

    Applying Changes Click the Apply button at the top right corner of the SonicWALL Management Interface to save any configuration changes you made on the page. If the settings are contained in a secondary window within the Management Interface, when you click OK, the settings are automatically applied to the SonicWALL.
  • Page 16: Organization Of This Guide

    Chapter 4, Network - outlines configuring network settings manually for the SonicWALL as well as static routes and RIPv2 advertising on the network. Setting up the SonicWALL to act as the DHCP server on your network is also covered in this chapter.
  • Page 17: Icons Used In This Manual

    Important information on a feature that requires callout for special attention. SonicWALL Technical Support For timely resolution of technical support questions, visit SonicWALL on the Internet at <http://www.sonicwall.com/services/support.html>. Web-based resources are available to help you resolve most technical issues or contact SonicWALL Technical Support.
  • Page 18: More Information On Sonicwall Products And Services

    Note: Please visit <http://www.sonicwall.com/services/contact.html> for the latest technical support telephone numbers. More Information on SonicWALL Products and Services Contact SonicWALL, Inc. for information about SonicWALL products and services at: Web: http://www.sonicwall.com E-mail: sales@sonicwall.com Phone: (408) 745-9600 Fax: (408) 745-9300...
  • Page 20: Initial Configuration Using The Wizards

    (LAN) IP address on packets passing through a SonicWALL with a “fake” one from a fixed pool of addresses. The actual IP addresses of computers on the LAN are hidden from outside view.
  • Page 21: Setup Wizard

    Note: Your Web browser must be Java-enabled and support HTTP uploads in order to fully manage SonicWALL. Internet Explorer 5.0 and above as well as Netscape Navigator 4.0 and above meet these criteria. 1. Click the Setup Wizard button on the Network>Settings page. Read the instructions on the Welcome window and click Next to continue.
  • Page 22: Step 2: Change Time Zone

    Step 2: Change Time Zone 3. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. Step 3: WAN Network Mode 4. Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet.
  • Page 23: Step 4: Wan Network Mode: Nat Enabled

    Step 4: WAN Network Mode: NAT Enabled 6. Enter the public IP address provided by your ISP in the SonicWALL WAN IP Address, then fill in the rest of the fields: WAN/OPT/DMZ Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses.
  • Page 24: Step 6: Lan Dhcp Settings

    8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select Enable DHCP Server, and specify the range of IP addresses that are assigned to computers on the LAN.
  • Page 25: Storing Sonicwall Configuration

    Setup Wizard Complete 10. The SonicWALL stores the network settings. 11. Click Restart to restart the SonicWALL. The SonicWALL takes approximately 90 seconds or longer to restart. During this time, the yellow Test LED is lit...
  • Page 26: Configuring Dhcp Networking Mode

    Configuring DHCP Networking Mode DHCP is a networking mode that allows you to obtain an IP address for a specific length of time from a DHCP server. The length of time is called a lease which is renewed by the DHCP server typically after a few days.
  • Page 27: Step 3: Wan Network Mode

    0.0.1 Step 2: Change Time Zone 4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. Step 3: WAN Network Mode 5. Select DHCP, the Obtain an IP address automatically window is displayed. Click Next.
  • Page 28: Step 4: Wan Network Mode: Nat With Dhcp Client

    Step 4: WAN Network Mode: NAT with DHCP Client 6. The Obtain an IP address automatically window states that the ISP dynamically assigns an IP address to the SonicWALL. To confirm this, click Next. DHCP-based configurations are most common with cable modem connections.
  • Page 29: Step 6: Dhcp Settings

    Addresses and Subnet Masks. SonicWALL LAN IP Addresses are the private IP addresses assigned to the LAN of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the networks. The default values provided by the SonicWALL are useful for most networks. Click Next.
  • Page 30: Storing Sonicwall Configuration

    Storing SonicWALL Configuration Setup Wizard Complete 10. Click Restart to restart the SonicWALL. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Tip! The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations window, is used to log in and manage the SonicWALL.
  • Page 31: Configuring Nat Enabled With Pppoe

    2. Read the instructions on the Welcome window and click Next to continue. Step 1: Change Password 3. To set the password, enter a new password in the New Password and Confirm New Password fields. Click Next...
  • Page 32: Step 2: Change Time Zone

    Step 2: Change Time Zone 4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. Step 3: WAN Network Mode 5. The SonicWALL automatically detects the presence of a PPPoE server on the WAN. If not, then select PPPoE: Your ISP provided you with desktop software, a user name and password.
  • Page 33: Step 4: Wan Network Mode: Nat With Pppoe Client

    SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL are useful for most networks. If you do not use the default settings, enter your preferred IP addresses in the fields. Click Next.
  • Page 34: Step 6: Dhcp Server

    8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically assigns IP settings to computers on the LAN. To enable the DHCP server, select Enable DHCP Server, and specify the range of IP addresses that are assigned to computers on the LAN.
  • Page 35: Storing Sonicwall Configuration

    SonicWALL. Setup Wizard Complete 10. Click Restart to restart the SonicWALL. 11. The SonicWALL takes approximately 90 seconds or longer to restart. During this time, the yellow Test LED is lit. Configuring PPTP Network Mode NAT with PPTP Client mode uses Point to Point Tunneling Protocol (PPTP) to connect to a remote server.
  • Page 36: Step 1: Change Password

    1. Click the Setup Wizard button on the Network>Settings page. 2. Read the instructions on the Welcome window and click Next to continue. Step 1: Change Password 3. To set the password, enter a new password in the New Password and Confirm New Password fields.
  • Page 37: Step 2: Change Time Zone

    Step 2: Change Time Zone 4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next. Step 3: WAN Network Mode 5. Select PPTP: Provided you with a server IP address, a user name and password. Click Next.
  • Page 38: Step 4: Wan Network Mode: Nat With Pptp Client

    SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN. The default values provided by the SonicWALL are useful for most networks. If you do not use the default settings, enter your preferred IP addresses in the fields. Click Next.
  • Page 39: Step 6: Dhcp Server

    8. The Optional-SonicWALL DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically assigns IP settings to computers on the LAN. To enable the DHCP server, select Enable DHCP Server, and specify the range of IP addresses that are assigned to computers on the LAN.
  • Page 40: Storing Sonicwall Configuration

    Storing SonicWALL Configuration Tip! The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations window, is used to log in and manage the SonicWALL. Setup Wizard Complete 10. Click Restart to restart the SonicWALL. The SonicWALL takes approximately 90 seconds or longer to restart.
  • Page 41: Create The Server With The Public Server Wizard

    Server Access Rules: The wizard creates an access policy allowing traffic from the WAN zone to the zone where the new server resides. Create the Server with the Public Server Wizard 1. Start wizard: In the navigator, click Wizards. 2. Select Public Server Wizard and click Next...
  • Page 42 3. Select the type of server from the Server Type list. Depending on the type you select, the available services change. Check the box for the services you are enabling on this server. Click Next 4. Enter the name of the server. 5.
  • Page 43 The wizard creates a NAT policy to translate the destination addresses of all incoming packets with one of the services in the new service group and addressed to the WAN address to the address of the...
  • Page 44 DMZ. 10.Click Apply in the Public Server Configuration Summary page to complete the wizard and apply the configuration to your SonicWALL. Tip! The new IP address used to access the new server, internally and externally is displayed in the URL field of the Congratulations window.
  • Page 46: System

    3 System This chapter describes the configuration of the SonicWALL IP settings, time, and password as well as providing instructions to restart the SonicWALL, import and export settings, upload new firmware, and perform diagnostic tests. System>Status The Status page contains five sections: System Messages, System Information, Security Services, Latest Alerts, and Network Interfaces.
  • Page 47: Security Services

    2. Type your mySonicWALL.com username and password in the User Name and Password fields and click Submit. 3. Type in a “friendly name” for your SonicWALL in the Friendly Name field. A friendly name is used to help identify your SonicWALL, such as its location.
  • Page 48: Mysonicwall.com

    Access SonicWALL Technical Support Creating a mySonicWALL.com account is easy and free. Simply complete an online registration form. Once your account is created, you can register SonicWALL Internet Security Appliances and activate SonicWALL Security Services associated with the SonicWALL. Your mySonicWALL.com account is accessible from any Internet connection with a Web browser using the HTTPS (Hypertext Transfer Protocol Secure) protocol to protect your sensitive information.
  • Page 49: System>Licenses

    SonicWALL. The Security Service column lists all the available SonicWALL security services and upgrades available for the SonicWALL. The Status column indicates if the security service is activated (Licensed), available for activation (Not Licensed), or no longer active (Expired). The number of nodes/users allowed for the license is displayed in the Count column.
  • Page 50: Manual Upgrade

    You can also get free trial subscriptions to SonicWALL Content Filter Service and Network Anti-Virus by clicking the For Free Trials click here link. When you click these links, the mySonicWALL.com Login page is displayed. Enter your mySonicWALL.com account username and password in the User Name and Password fields and click Submit.
  • Page 51: System>Administration

    The Firewall Name uniquely identifies the SonicWALL and defaults to the serial number of the SonicWALL. The serial number is also the MAC address of the unit. To change the Firewall Name, type a unique alphanumeric name in the Firewall Name field. It must be at least 8 characters in length.
  • Page 52: Enable Administrator/User Lockout

    HTTP management, you must include the port number when you use the IP address to log into the SonicWALL. For example, if you configure the port to be 76, then you must type <LAN IP Address>:76 into the Web browser, i.e. <http://192.168.168.1:76>. The default port for HTTPS management is 443.
  • Page 53: Configuring Log/Log Settings For Snmp

    SonicWALL. If your SNMP management system supports discovery, the SonicWALL agent automatically discovers the SonicWALL appliance on the network. Otherwise, you must add the SonicWALL to the list of SNMP-managed devices on the SNMP management system.
  • Page 54: Enable Management Using Sonicwall Gms

    NAT Device IP Address field. The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window. Existing Tunnel - If this option is selected, the GMS server and the SonicWALL already have an existing VPN tunnel over the connection. Enter the GMS host name or IP address in the GMS Host Name or IP Address field.
  • Page 55: System>Time

    System>Time The SonicWALL uses the time and date settings to time stamp log events, to automatically update SonicWALL Security Services, and for other internal purposes. By default, the SonicWALL uses an internal list of public NTP servers to automatically update the time. Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of computers.
  • Page 56: Ntp Settings

    NTP server is optional. Select Use NTP to set time automatically if you want to use your local server to set the SonicWALL clock. You can also configure Update Interval (minutes) for the NTP server to update the SonicWALL.
  • Page 57: Export Settings

    1. Click Export Settings. 2. Click Export. 3. Click Save, and then select a location to save the file. The file is named “sonicwall.exp” but can be renamed. 4. Click Save. This process can take up to a minute. The exported preferences file can be imported into the SonicWALL if it is necessary to reset the firmware.
  • Page 58: Updating Firmware Manually

    Only uploaded firmware can be saved to a different location. • Boot - clicking the icon reboots the SonicWALL with the firmware version listed in the same row. Alert! Clicking Boot next to any firmware image overwrites the existing current firmware image making it the Current Firmware image.
  • Page 59: System Information

    1 second. After the SonicWALL reboots, open your Web browser and enter the current IP address of the SonicWALL or the default IP address: 192.168.168.168. The SafeMode page is displayed: SafeMode allows you to do any of the following: •...
  • Page 60: Fips (Pro 3060/Pro 4060)

    SHA-1 and only FIPS-approved algorithms are supported (DES, 3DES, and AES with SHA-1). Select Enable FIPS Mode to enable the SonicWALL to comply with FIPS. When you check this setting, a dialog box is displayed with the following message: Warning! Modifying the FIPS mode will disconnect all users and restart the device.
  • Page 61: Select Diagnostic Tool

    You can choose any of the following diagnostic tools from the Diagnostic Tool menu. DNS Name Lookup The SonicWALL has a DNS lookup tool that returns the IP address of a domain name. Or, if you type an IP address, it returns the domain name for that address.
  • Page 62: Captured Packets

    From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a) The SonicWALL forwards the client ACK to the remote host and waits for the data transfer to begin. When using packet traces to isolate network connectivity problems, look for the location where the three-way handshake is breaking down.
  • Page 63: Tech Support Report

    Tech Support Report The Tech Support Report generates a detailed report of the SonicWALL configuration and status, and saves it to the local hard disk. This file can then be e-mailed to SonicWALL Technical Support to help assist with a problem.
  • Page 64: System>Restart

    Management interface. Click Restart SonicWALL and then click Yes to confirm the restart. The SonicWALL takes approximately one minute to restart, and the yellow Test light is lit during the restart. During the restart time, Internet access is momentarily interrupted on the LAN.
  • Page 66: Network

    ARP - view the ARP settings and clear the ARP cache as well as configure ARP cache time. • DHCP Server - configure the SonicWALL as a DHCP Server on your network to dynamically assign IP addresses to computers on your LAN or DMZ zones.
  • Page 67: Physical Interfaces

    Interface Settings The Interface Settings table lists the following information for each interface: Name - listed as X0, X1, X2, X3, X4, and X5 or LAN, WAN, or OPT/DMZ depending on your SonicWALL model. Zone - LAN, DMZ/OPT and WAN are listed by default. As zones are configured, the names are listed in this column.
  • Page 68: Configuring The Dmz/Opt Or Lan Interface

    If you need to force an Ethernet speed, duplex and/or MAC address, click the Advanced tab. The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links...
  • Page 69: Configuring The Wan Interface

    Static - configures the SonicWALL for a network that uses static IP addresses. DHCP - configures the SonicWALL to request IP settings from a DHCP server on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL customers.
  • Page 70: Dhcp

    User Login DHCP Host Name Comment Management User Login Renew Release Refresh PPPoE User Name User Password Comment Management User Login Inactivity Disconnect (minutes) Obtain IP Address Automatically Specify IP Address Obtain DNS Server Address Automatically Specify DNS Server PPTP User Name User Password PPTP Server IP Address...
  • Page 71: L2Tp

    Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL. Auto Negotiate is selected by default as the Link Speed because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection. If you want to specify the forced Ethernet speed and duplex, select one of the following options from the Link Speed menu: •...
  • Page 72: Bandwidth Management

    WAN port traffic by “failing over” to the secondary WAN port. This feature also allows you to perform simple load balancing for the WAN traffic on the SonicWALL. You can select a method of dividing the outbound WAN traffic between the two WAN ports and balance network traffic.
  • Page 73: Wan Failover And Load Balancing Settings

    The SonicWALL can monitor WAN traffic using Physical Monitoring which detects if the link is unplugged or disconnected, or Physical and Logical Monitoring, which monitors traffic at a higher level, such as upstream connectivity interruptions. Alert! Before you begin, be sure you have configured a user-defined interface to mirror the WAN port settings.
  • Page 74: Configuring Wan Probe Settings

    Configuring WAN Probe Settings The SonicWALL sends probes to a target IP address of an “always available” target upstream device on the network, such as an ISP side router, to monitor connectivity. To configure WAN Probe Settings: 1. Select Ping (ICMP) or TCP from the Probe Target menu.
  • Page 75: Creating A Nat Policy For Wan Failover

    Creating a NAT Policy for WAN Failover You need to create a NAT policy on your SonicWALL for WAN Failover. Follow these steps to create a NAT policy on your SonicWALL using the X4 interface (PRO 3060/4060) or OPT interface (TZ 170): 1.
  • Page 76: Network > Zones

    Network > Zones A Zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following strict physical interface scheme. There are four fixed Zone types: Trusted, Untrusted, Public, and Encrypted. Trusted is associated with LAN Zones.
  • Page 77: Adding A New Zone

    5. If you want to allow intra-zone communications, select Allow Interface Trust. If not, select the Allow Interface Trust checkbox. 6. Click OK. The new zone is now added to the SonicWALL. Modifying a Zone To modify the Zone name, the virtual route, or comments, click the Notepad icon next to the Zone to display the Edit Zone window.
  • Page 78: Network > Dns

    Network > DNS Configure the SonicWALL DNS settings manually on this page if necessary. In the DNS Settings section, select Specify DNS Servers Manually and enter the IP address(es) into the DNS Server fields. To use the DNS Settings configured for the WAN Zone, select Inherit DNS Settings Dynamically from the WAN Zone.
  • Page 79: Default Address Objects And Groups

    Custom Address Objects - displays Address Objects with custom properties. • Default Address Objects - displays Address Objects configured by default on the SonicWALL. Sorting Address Objects allows you to quickly and easily locate Address Objects configured on the SonicWALL.
  • Page 80: Default Address Groups

    DMZ Subnets • All WAN IP • All Interface IP • All LAN Management IP • All WAN Management IP SonicWALL PRO 3060/4060 Default Address Objects • LAN Primary IP • LAN Primary Subnet • WAN Primary IP • WAN Primary Subnet •...
  • Page 81: Adding An Address Object

    LAN, WAN, DMZ, or VPN. Creating Group Address Objects As more and more Address Objects are added to the SonicWALL, you can simplify managing the addresses and access policies by creating groups of addresses. Changes made to the group are applied to each address in the group.
  • Page 82: Network>Routing

    The selected item moves from the right column to the left column. Network>Routing If you have routers on your interfaces, you can configure static routes on the SonicWALL. Static routing means configuring the SonicWALL to route network traffic to a specific, predefined destination.
  • Page 83: Route Advertisement

    You can configure up to 512 routes on the SonicWALL. Tip! If the SonicWALL has a NAT Policy on the WAN, the internal (LAN) router needs to have a route of last resort (i.e. gateway address) that is the SonicWALL LAN IP address.
  • Page 84: Routing Table

    3. In the Advertise Default Route menu, select Never, or When WAN is up, or Always. 4. Enable Advertise Static Routes if you have static routes configured on the SonicWALL, enable this feature to exclude them from Route Advertisement.
  • Page 85: Network > Nat Policies

    LAN and WAN network settings. The SonicWALL LAN and WAN IP addresses are displayed as permanently published at all times. Network > NAT Policies When two hosts communicate using TCP/IP on the internet, there are four parameters used in any TCP or UDP connection: Source (IP) Address, Source (TCP/UDP) Port, Destination (IP) Address, and Destination (TCP/UDP) Port.
  • Page 86: The Default Many-To-One Outbound Nat Policy

    IP addresses. Tip! By default, LAN to WAN has a NAT policy predefined on the SonicWALL. The Default Many-to-One Outbound NAT Policy The default Many-to-One Outbound NAT policy is visible as Any -> WAN Primary IP in either Custom Policies or All Policies.
  • Page 87: Configuring An Inbound Many-To-One Nat Policy

    (LAN or DMZ zone). This example is for a web server sitting on the X0 interface, with an address object name of 'WWWserver'. To configure this policy, follow these steps:...
  • Page 88: Configuring A One-To-One Nat Policy

    6. Select X1 from the Inbound Interface menu. 7. Select Any from the Outbound Interface menu. 8. Click OK to add the NAT policy to the SonicWALL. Note: The NAT policies window will not allow you to specify a destination interface when you translate the destination.
  • Page 89: Network>Arp

    7. Select Any from the Outbound Interface menu. 8. Click OK to add the NAT policy to the SonicWALL. Note: The NAT policies page does not allow you to specify a destination interface when you translate the destination. Tip! Enable is selected by default. Clear the checkbox to disable the policy after creating it.
  • Page 90: Network>Dhcp Server

    Enabling DHCP Server To enable the DHCP Server feature on the SonicWALL, select Enable DHCP Server, and click Configure. The DHCP Server Configuration window is displayed. In the Dynamic Ranges table, the Range Start, Range End, and Interface information is displayed.
  • Page 91: Configuring Dhcp Server For Dynamic Ranges

    Other and type a different IP address for the gateway. 8. If you select the SonicWALL LAN IP address from the Gateway Preferences menu, the Default Gateway and Subnet Mask fields are unavailable. If you select Other, the fields are available for you to type the Default Gateway and Subnet Mask information into the fields.
  • Page 92: Dns/Wins

    12. Inherit DNS Settings Dynamically using SonicWALL’s DNS Settings is selected by default. 13. If you do not want to use the SonicWALL network settings, select Specify Manually, and type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
  • Page 93: Configuring Static Dhcp Entries

    Configuring Static DHCP Entries Click the Static tab to add static DHCP entries to the SonicWALL. Static entries are IP addresses assigned to servers requiring permanent IP settings. Note: Static DHCP entries should not be configured for computers with IP addresses configured in Network To configure static entries, follow these steps: 1.
  • Page 94: Dns/Wins

    When selected, the DNS Server IP fields are unavailable. 12. If you do not want to use the SonicWALL network settings, select Specify Manually, and type the IP address of your DNS Server in the DNS Server 1 field. You can specify two additional DNS servers.
  • Page 95: Current Dhcp Leases

    The IP Helper allows the SonicWALL to forward DHCP requests originating from the interfaces on a SonicWALL to a centralized DHCP server on the behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself.
  • Page 96: Adding An Ip Helper Policy

    WAN and enable Web Proxy Forwarding. The SonicWALL automatically forwards all Web proxy requests to the proxy server without requiring all the computers on the network to be configured.
  • Page 97: Configuring Automatic Proxy Forwarding (Web Only)

    To configure a Proxy Web server, select the Network>Web Proxy page. 1. Connect your Web proxy server to a hub, and connect the hub to the SonicWALL WAN port. 2. Type the name or IP address of the proxy server in the Proxy Web Server (name or IP address) field.
  • Page 98: Firewall

    20 percent of available bandwidth available to it and can get as much as 40 percent of available bandwidth. If this is the only rule using Bandwidth Management, it has priority over all other rules on the SonicWALL. Other rules use the leftover bandwidth minus 20 percent of bandwidth or minus 40 percent of bandwidth.
  • Page 99: Firewall>Access Rules

    Option Buttons - Select LAN, WAN, VPN, ALL from the From Zone column. Then select LAN, WAN, VPN, ALL from the To Zone column. Click OK to display the rules. • All Rules - selecting All Rules displays all rules configured on the SonicWALL...
  • Page 100: Zone Rules

    Each view displays a table of defined Network Access Rules. For example, selecting All Rules displays all the Network Access Rules for all Zones. Zone Rules Selecting a Zone from the Matrix, Drop-down Boxes, or Option Buttons view displays the Access Rules for the specific Zone.
  • Page 101: Adding Rules

    Adding Rules To add Access Rules to the SonicWALL, follow these steps: 1. Click Add at the bottom of the Access Rules table. The Add Rule window is displayed. 2. Select Allow, Deny, or Discard from the Action list depending upon whether the rule is intended to permit or block IP traffic.
  • Page 102: Adding New Rule Examples

    16. Click OK. Tip! Although custom rules can be created that allow inbound IP traffic, the SonicWALL does not disable protection from Denial of Service attacks, such as the SYN Flood and Ping of Death attacks. Adding New Rule Examples The following examples illustrate methods for creating Network Access Rules.
  • Page 103: Enabling Ping

    7. Enter any comments in the Comment field. 8. Click OK. Enabling Ping By default, your SonicWALL does not respond to ping requests from the Internet. This Rule allows ping requests from your ISP servers to your SonicWALL. 1. Click Add to launch the Add Rule window.
  • Page 104: Firewall > Advanced

    WAN (untrusted). You need to check this setting when you want the SonicWALL to do the SIP transformation. If your SIP proxy is located on the public (WAN) side of the SonicWALL and SIP clients are on the LAN side, the SIP clients by default embed/use their private IP address in the SIP/Session Definition Protocol (SDP) messages that are sent to the SIP proxy; hence these messages are not changed and the SIP proxy does not know how to get back to the client behind the SonicWALL.
  • Page 105: Source Routed Packets

    TCP Connection Inactivity Timeout If a connection to a remote server remains idle for more than five minutes, the SonicWALL closes the connection. Without this timeout, Internet connections could stay open indefinitely, creating potential security holes.
  • Page 106: Firewall > Schedules

    Firewall > Schedules Schedules The SonicWALL has the flexibility to create and add schedules for Access Rules or Access Rule Groups. In the Schedules table, there are three default schedules: Work Hours, After Hours, and Weekend Hours. You can modify these schedules by clicking on the Notepad icon in the Configure column.
  • Page 107: Deleting Schedules

    Web servers (HTTP) respond to requests from clients (browser software) for access to files and data. Services are used by the SonicWALL to configure network access rules for allowing or denying traffic to the network. The SonicWALL includes Default Services that are predefined services and also allows you to create Custom Services.
  • Page 108: Custom Services

    • Name - the name of the service. • Protocol - the protocol of the service (TCP, UDP, or ICMP). • Port Start - the starting port number for the service. • Port End - the ending port number for the service. •...
  • Page 109: Editing Custom Services Groups

    Add Service Group window. Deleting Custom Services Groups Click the Trashcan icon to delete the individual custom service group entry. You can delete all custom service groups by clicking the Delete button...
  • Page 110: Vpn>Settings

    Enable VPN must be selected to allow VPN policies through the SonicWALL. • Unique Firewall Identifier - the default value is the serial number of the SonicWALL. You can change the Identifier, and use it for configuring VPN tunnels...
  • Page 111: Vpn Policies

    • Name - user-defined name to identify the Security Association. • Gateway - the IP address of the remote SonicWALL. If 0.0.0.0 is used, no Gateway is displayed. • Destinations - the IP addresses of the destination networks. •...
  • Page 112: General

    1. Click the Notepad icon in the Group VPN entry. The VPN Policy window is displayed. General 2. In the General tab, IKE using Preshared Secret is the default setting for IPSec Keying Mode. A Shared Secret is automatically generated in the Shared Secret field, or you can generate your own shared secret.
  • Page 113: Advanced

    For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway.
  • Page 114: Client

    SonicWALL Distributed Security Client, which provides policy enforced firewall protection before allowing a Global VPN Client connection. Note: For more information on the SonicWALL Global Security Client and Distributed Security Client, see the SonicWALL Global Security Client Administrator’s Guide. •...
  • Page 115: Proposals

    For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
  • Page 116: Client

    1. Click the Disk icon in the Configure column for the GroupVPN entry in the VPN Policies table. The Export VPN Client Policy window appears. 2. rcf format is required for SonicWALL Global Clients is selected by default. Files saved in the rcf format can be password encrypted. The SonicWALL provides a default file name for the configuration file, which you can change.
  • Page 117: Site To Site Vpn Configurations

    Site-to-Site VPN configurations can include the following options: • Branch Office (Gateway to Gateway) - A SonicWALL is configured to connect to another SonicWALL via a VPN tunnel. Or, a SonicWALL is configured to connect via IPSec to another manufacturer’s firewall. •...
  • Page 118: Vpn Planning Sheet For Site-To-Site Vpn Policies

    You need the information below before you begin configuring Site-to-Site VPN Policies. Site A Workstation LAN IP Address: ___.___.___.___ Subnet Mask: ___.___.___.___ Default Gateway: ___.___.___.___ SonicWALL LAN IP Address: ___.___.___.___ WAN IP Address: ___.___.___.___ Subnet Mask: ___.___.___.___ Default Gateway: ___.___.___.___ Router Internet Gateway WAN IP Address: ___.___.___.___...
  • Page 119: Creating Vpn Policies Using The Vpn Policy Window

    Tip! Use the VPN Planning Sheet for Site-to-Site VPN Policies to record your settings. These settings are necessary to configure the remote SonicWALL and create a successful VPN connection. Configuring a VPN Policy with IKE using Preshared Secret To configure a VPN Policy using Internet Key Exchange (IKE), follow the steps below: 1.
  • Page 120 Optionally, specify a Local IKE ID (optional) and Peer IKE ID (optional) for this Policy. By default, the IP Address (ID_IPv4_ADDR) is used for Main Mode negotiations, and the SonicWALL Identifier (ID_USER_FQDN) is used for Aggressive Mode. 7. Click the Network tab.
  • Page 121 Keep Alives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire...
  • Page 122: Configuring A Vpn Policy Using Manual Key

    17. Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood. 18. Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network menu.
  • Page 123 10. Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default value. This encryption key is used to configure the remote SonicWALL encryption key, therefore, write it down to use when configuring the SonicWALL.
  • Page 124 Select Enable Windows Networking (NetBIOS) broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood. Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network drop-down box.
  • Page 125: Remote Sonicwall

    Internet through this SA. You can only configure one SA to use this setting. Alternatively, select Choose Destination network from list, and select the address object or group. 7. Click the Proposals tab...
  • Page 126 10. Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default value. This encryption key is used to configure the remote SonicWALL encryption key, therefore, write it down to use when configuring the remote SonicWALL.
  • Page 127 Select Enable Windows Networking (NetBIOS) broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood. Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network drop-down box.
  • Page 128 3. Type a Name for the Security Association in the Name field. 4. Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWALL in the IPSec Primary Gateway Name or Address field. If you have a secondary remote SonicWALL, enter the IP address or Fully Qualified Domain Name (FQDN) in the IPSec Secondary Gateway Name or Address field.
  • Page 129 Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood. Select Apply NAT Policies if you want the SonicWALL to translate the Local, Remote or both networks communicating via this VPN tunnel. To perform Network Address Translation on the Local Network, select or create an Address Object in the Translated Local Network menu.
  • Page 130: Advanced Vpn Settings

    Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats in the Failure Trigger Level (missed heartbeats) field. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the SonicWALL. The SonicWALL uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
  • Page 131: Vpn>Dhcp Over Vpn

    VPN>DHCP over VPN DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one IP subnet address space.
  • Page 132: Configuring The Central Gateway For Dhcp Over Vpn

    6. Click Add. The IP Address window is displayed. 7. Type the IP addresses of DHCP servers in the IP Address field, and click OK. The SonicWALL now directs DHCP requests to the specified servers. 8. Type the IP address of a relay server in the Relay IP Address (Optional) field.
  • Page 133: Configuring Dhcp Over Vpn Remote Gateway

    4. The Relay IP address is a static IP address from the pool of specific IP addresses on the Central Gateway. It should not be available in the scope of DHCP addresses. The SonicWALL can also be managed through the Relay IP address.
  • Page 134: Current Dhcp Over Vpn Leases

    IP address used as the Relay IP Address. It is recommended to reserve a block of IP addresses to use as Relay IP addresses. Click Add, and type the Ethernet address in the Ethernet Address field. Alert! You must configure the local DHCP server on the remote SonicWALL to assign IP leases to these computers. Alert! If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that Deterministic Network Enhancer (DNE) is not enabled on the remote computer.
  • Page 135: Vpn>L2Tp Server

    VPN tunnel to provide additional security, and you can implement it with IPSec to provide a secure, encrypted VPN solution. General To enable L2TP Server functionality on the SonicWALL, select Enable L2TP Server. Then click Configure to display the L2TP Server Configuration window. L2TP Server Settings Configure the following settings:...
  • Page 136: Ip Address Settings

    A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows you to define extensions which you can include with your certificate. SonicWALL has implemented this standard in its third party certificate support.
  • Page 137: Sonicwall Third Party Digital Certificate Support

    To implement the use of certificates for VPN SAs, you must locate a source for a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL to validate your Local Certificates.
  • Page 138: Certificate Details

    Certificate Details To view details about the certificate, select the certificate from the Certificates menu in the Current Certificates section. The Certificate Details section lists the following information about the certificate: • Certificate Issuer • Subject Distinguished Name • Certificate Serial Number •...
  • Page 139: Vpn>Ca Certificates

    VPN>CA Certificates Importing CA Certificates into the SonicWALL After your CA service has validated your CA Certificate, you can import it into the SonicWALL and use it to validate Local Certificates for VPN Security Associations. To import your CA Certificate into the SonicWALL, follow these steps: 1.
  • Page 140: Certificate Revocation List (Crl)

    4. Click Import to import the certificate into the SonicWALL. Automatic CRL Update To enable automatic CRL updates to the SonicWALL, type the URL of the CRL server for your CA service in the Enter CRL’s location (URL) for auto-import, then click Apply.
  • Page 142: Users

    User level authentication can be performed using a local user database, RADIUS, or a combination of the two applications. The local database on the SonicWALL can support up to 1000 users. If you have more than 1000 users, you must use RADIUS for authentication. Users>Status...
  • Page 143: User>Settings

    SonicWALL. If you select Use RADIUS for user authentication, users must log into the SonicWALL using HTTPS in order to encrypt the password sent to the SonicWALL. If a user attempts to log into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS.
  • Page 144: Radius Servers

    2. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds with a default value of 5. 3. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped.
  • Page 145: Radius Users

    • Enter duplicate RADIUS user names locally on the SonicWALL If you have previously configured User Groups on the SonicWALL, select the group from the Default user group to which all RADIUS user belong menu...
  • Page 146: Radius Client Test

    Enter the number of minutes in this field. • Enable login session limit - you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field.
  • Page 147: User>Local Users

    Acceptable Use Policies can use HTML formatting in the body of the message. User>Local Users Add local users to the SonicWALL internal database. Click Add User to display the Add User configuration window. Follow the steps below to add users locally.
  • Page 148: Groups

    Groups To add the user to a User Group, select one or more groups, and click ->. The user then becomes a member of the selected groups. To remove a group, select the group from the Member of column, and click <-.
  • Page 149: Users>Local Groups

    Web, News, Java, and ActiveX blocking. • Limited Management Capabilities - By enabling this check box, the user has limited local management access to the SonicWALL Management interface. The access is limited to the following pages: • General - Status, Network, Time •...
  • Page 150: Hardware Failover

    SonicWALL. • All SonicWALL ports being used must be connected together with a hub or switch. If each SonicWALL has a unique WAN IP Address for remote management, the WAN IP Addresses must be in the same subnet.
  • Page 151: Configuring Hardware Failover On The Primary Sonicwall

    1. Connect the primary SonicWALL and the backup SonicWALL to the network, but leave the power turned off on both units. 2. Turn on the primary SonicWALL unit and wait for the diagnostics cycle to complete. Configure all of the settings in the primary SonicWALL before enabling Hardware Failover.
  • Page 152: Sonicwall Address Settings

    Serial Number - The Primary SonicWALL serial number cannot be changed unless it is changed in System >Administration. • X0 (LAN) IP Address - This is a unique IP address for accessing the primary SonicWALL from the LAN whether it is Active or Idle. Alert! This IP address is different from the IP address used to contact the SonicWALL in the Network settings.
  • Page 153: Configuration Changes

    A label indicates which SonicWALL appliance is accessed. Alert! You can change the IP address of either SonicWALL for the X0 or X1 interfaces as long as they’re in the same subnet as the Primary and Backup Hardware Failover WAN/LAN IP address.
  • Page 154: Forcing Transitions

    Forcing Transitions In some cases, it may be necessary to force a transition from one active SonicWALL to another – for example, to force the primary SonicWALL to become active again after a failure when Preempt Mode has not been enabled, or to force the backup SonicWALL to become active in order to do preventive maintenance on the primary SonicWALL.
  • Page 155: Monitoring Links

    The Hardware Failover>Monitoring page allows you to enter the IP address of the router for Interfaces X0 to X4 to monitor the link. Enter the IP address for the router connected to the respective Interface in the Probe Address Settings section. Click Apply...
  • Page 156: Security Services

    Security Services>Content Filtering page that are included with SonicOS. Note: For complete product documentation for the SonicWALL Security Services in this chapter as well as all SonicWALL Security Services and Upgrades, visit the SonicWALL documentation site at www.sonicwall.com/services/documentation.
  • Page 157 Manage Services Online table is updated from your mySonicWALL.com account. Note: If you have activated SonicWALL Global Security Client on your SonicWALL, a Policy Editor button is displayed below the Manage Services Online table for configuring security policies. See the SonicWALL Global Security Client Administrator’s Guide for instructions on configuring the Policy...
  • Page 158: If Your Sonicwall Is Not Registered

    A rating is returned to the SonicWALL and then compared to the content filtering policy established by the administrator. Almost instantaneously, the Web site request is either allowed through or a Web page is generated by the SonicWALL informing the user that the site has been blocked according to policy.
  • Page 159: Security Services>Content Filter

    If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here. If SonicWALL CFS is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL CFS from a SonicWALL reseller or from your mySonicWALL.com account (limited...
  • Page 160: Activating Sonicwall Cfs

    SonicWALL Content Filtering Service that is available as an upgrade. You can obtain more information about SonicWALL Content Filtering Service at <http://www.sonicwall.com/products/cfs.html>. • N2H2 - N2H2 is a third party content filter software package supported by SonicWALL. You can obtain more information on N2H2 at <http://www.n2h2.com>. •...
  • Page 161: Restrict Web Features

    If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates. Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.
  • Page 162: Message To Display When Blocking

    You can enter your customized text to display to the user when access to a blocked site is attempted. The default message is This site is blocked by the SonicWALL Content Filter Service. Any message, including embedded HTML, up to 255 characters long, can be entered in this field.
  • Page 163: Disable All Web Traffic Except For Allowed Domains

    Disable all Web traffic except for Allowed Domains When the Disable Web traffic except for Allowed Domains check box is selected, the SonicWALL only allows Web access to sites on the Allowed Domains list. With careful screening, this can be nearly 100% effective at blocking pornography and other objectionable material.
  • Page 164: Consent

    Maximum Web Usage (minutes) - In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed. The SonicWALL can be used to remind users when their time has expired by displaying the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field.
  • Page 165: Mandatory Filtered Ip Addresses

    This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the SonicWALL that tells the SonicWALL that the user agrees to have filtering enabled.
  • Page 166: Security Services>Anti-Virus

    Security Services>Anti-Virus If SonicWALL Network Anti-Virus is not activated, you must activate it. If you do not have an Activation Key, you must purchase SonicWALL Network Anti-Virus from a SonicWALL reseller or from your mySonicWALL.com account (limited to customers in the USA and Canada).
  • Page 167: Intrusion Prevention Service

    SonicWALL’s industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWALL IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.
  • Page 168: Sonicwall Deep Packet Inspection

    This technology allows the administrator to detect and log intrusions that pass through the SonicWALL Security Appliance, as well as prevent them (i.e. dropping the packet or resetting the TCP connection). SonicWALL’s Deep Packet Inspection technology also correctly handles TCP fragmented byte stream inspection as if no TCP fragmentation has occurred.
  • Page 169: Sonicwall Ips Terminology

    Intrusion Prevention - finding anomalies and malicious activity in traffic and reacting to it. • Snort - an open source network intrusion detection system. SonicWALL IPS includes open-source Snort signatures, as well as signatures from other signature databases, and SonicWALL created signatures.
  • Page 170: Sonicwall Ips Activation

    SonicWALL IPS Activation If you do not have SonicWALL IPS activated on your SonicWALL, you must purchase SonicWALL IPS from a SonicWALL reseller or through your mySonicWALL.com account (limited to customers in the USA and Canada). If you do not have SonicWALL IPS installed on your SonicWALL, the Security Services>Intrusion Prevention page indicates an upgrade is required and includes a link to activate your IPS subscription from the SonicWALL Management Interface or to activate a FREE TRIAL of SonicWALL IPS.
  • Page 171: Activating The Sonicwall Ips Free Trial

    2. Enter your mySonicWALL.com account username and password in the User Name and Password fields, then click Submit. The System>Licenses page is displayed. If your SonicWALL is already connected to your mySonicWALL.com account, the System>Licenses page appears after you click the FREE TRIAL link.
  • Page 172: Log>View

    The log is displayed in a table and can be sorted by column. The SonicWALL can alert you of important events, such as an attack to the SonicWALL. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
  • Page 173: Log Table

    Clear Log Clicking Clear Log deletes the contents of the log. E-mail Log If you have configured the SonicWALL to e-mail log files, clicking E-mail Log sends the current log files to the e-mail address specified in the Log>Automation>E-mail section. Note: The SonicWALL can alert you of important events, such as an attack to the SonicWALL.
  • Page 174: Log>Categories

    Log>Categories You can define which log messages appear in the SonicWALL Event Log. All Log Categories are enabled by default except Network Debug and Denied LAN IP. Log Categories • Log all Categories Select Log all Categories to begin logging all event categories.
  • Page 175: Alerts & Snmp Traps

    System Environment Log entries categorized as System Environment generate alert messages. Once you have configured the Log Settings page, click Apply. Once the SonicWALL is updated, a message confirming the update is displayed at the bottom of the browser window.
  • Page 176: Log>Automation

    Send Log To - type your full e-mail address in the Send log to field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
  • Page 177: Adding A Syslog Server

    4. Click Apply to save all Syslog Server settings. Log>Reports The SonicWALL can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth.
  • Page 178: Data Collection

    • Reset Data Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL is restarted. • View Data Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service.
  • Page 179: Log>Viewpoint

    Log>ViewPoint SonicWALL ViewPoint SonicWALL ViewPoint is a software solution that creates dynamic, Web-based reports of network activity. ViewPoint generates both real-time and historical reports to provide a complete view of all activity through your SonicWALL Internet Security Appliance. With SonicWALL ViewPoint, you are able to monitor network access, enhance network security and anticipate future bandwidth needs.
  • Page 180: Appendices

    They are also supported by the best in class tools and processes that ensure a quick and accurate solution to your problem. SonicWALL Support Programs SonicWALL offers a variety of support programs designed to get the support you need when you need it. For more information on SonicWALL Support Services, please visit <http://www.sonicwall.com/products/supportservices.html>.
  • Page 181: Appendix B- Configuring The Management Station Tcp/Ip Settings

    TCP/IP Settings The following steps describe how to configure the Management Station TCP/IP settings in order to initially contact the SonicWALL. It is assumed that the Management Station can access the Internet through an existing connection. The SonicWALL is pre-configured with the IP address 192.168.168.168. During the initial configuration, it is necessary to temporarily change the IP address of the Management Station to one in the same subnet as the SonicWALL.
  • Page 182: Windows Nt

    Windows NT 1. From the Start list, highlight Settings and then select Control Panel. 2. Double-click the Network icon in the Control Panel window. 3. Double-click TCP/IP in the TCP/IP Properties window. 4. Select Specify an IP Address. 5. Type "192.168.168.200" in the IP Address field. 6. Type "255.255.255.0"...
  • Page 183: Windows 2000

    7. Type the DNS IP address in the Preferred DNS Server field. If you have more than one address, enter the second one in the Alternate DNS server field. 8. Click OK, then OK again. 9. Click Close to finish the network configuration...
  • Page 184: Windows Xp

    Windows XP 1. Open the Local Area Connection Properties window. 2. Double-click Internet Protocol (TCP/IP) to open the Internet Protocol (TCP/IP) Properties window. 3. Select Use the following IP address and type 192.168.168.200 in the IP address field. 4. Type 255.255.255.0 in the Subnet Mask field. 5. Type the DNS IP address in the Preferred DNS Server field.
  • Page 186 Scheduling Services GMS Management Viewing Granular Policy Management Zones Activating IPS FREE TRIAL Hardware Failover Address Objects Monitoring Links Primary SonicWALL Creating Groups Status Default Public Server Wizard Interface Administrator Name and Password Internet Traffic Statistics Application Control Interfaces Configuring LAN/DMZ/OPT Interfaces...
  • Page 187 Setup Wizard DHCP Mode WAN Failover and Load Balancing NAT with PPPoE Web Management Server NAT with PPTP Web Proxy Static IP Address with NAT Enabled Signature Zones Signature Database SNMP Management Snort...
  • Page 190 F: 408.745.9300 © 2002 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.
