(with all backup copies) may be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
CONTENTS
Software License Agreement for the SonicWALL Configuration Manager
Limited Warranty
Hardware Warranty
SonicWALL SSL-IA/SSL-R
About This Guide
SSL-IA/SSL-R Features
Released Platforms
Text Conventions
Notes, Cautions, and Warnings
Installation
Panel Description
Package Contents
Installing the Hardware
Text Conventions
Editing and Completion Features
Overview
Configuration Security
Methods to Manage the SonicWALL SSL Appliance
Initiating a Management Session
Using the Remote Configuration Manager
Top Level Command Set
Non-Privileged Command Set
U.S. Government export approval/licensing. Failure to strictly comply with this provision shall automatically invalidate this License. License Subject to and conditional upon the terms of this SLA, SonicWALL grants you a non-exclusive, nontransferable license to use the SOFTWARE PRODUCT only in conjunction with SonicWALL SSL and LB devices.
1160 Bordeaux Drive, Sunnyvale, California 94089. Limited Warranty Media. For a period of ninety (90) days from the date of license, SonicWALL warrants to you only that the media containing the SOFTWARE (but not the SOFTWARE itself) is free from physical defects. NO OTHER EXPRESS WARRANTIES ARE MADE OR AUTHORIZED WITH RESPECT TO THE MEDIA.
SOFTWARE PRODUCT, and shall continue until terminated. Without prejudice to any other rights, SonicWALL may terminate this SLA if you fail to comply with the terms and conditions of this SLA. In such event, you agree to return or destroy the SOFTWARE PRODUCT (including all related documents and components items as defined above) and any and all copies of same.
If there is a defect in the hardware, SonicWALL will replace the product at no charge, provided that it is returned to SonicWALL with transportation charges prepaid. A Return Materials Authorization (RMA) number must be displayed on the outside of the package for the product being returned for replacement or the product will be refused.
The SSL-IA/SSL-R are Secure Sockets Layer (SSL) offloading solutions that allow servers to provide both secure and non-secure services at the same high speeds. The SSL-IA is a small-footprint appliance; the SSL-R is a rack-mountable device. In this guide, the term “SSL appliance” refers to either device.
SSL version 2.0 and 3.0 support
Released Platforms
The SonicWALL configuration manager supports Linux Red Hat versions 5.2, 6.0, 6.1, 6.2, and 7.0; Windows NT 4.0; Windows 2000; and Solaris 2.6, 7, and 8 operating systems. The root directory of the CD-ROM includes a readme.txt file containing information that became available after this guide went to press.
Chapter 1 SonicWALL SSL-IA/SSL-R Additional text conventions, applicable to command line entry, are shown in Chapter C Command Summary. Notes, Cautions, and Warnings Throughout this manual you will see notes, cautions, and warnings drawing your attention to important information. An example of each is shown below.
Chapter 2 Installation INSTALLATION This chapter presents installation instructions for the SSL-IA/SSL-R hardware and software components. The products are referred to collectively as SonicWALL SSL appliances. This chapter also presents some examples for deploying SonicWALL SSL appliances. The Setup area of the SonicWALL website SSL Center contains helpful information, including: •...
Figures 2-2 and 2-3 show the front and back panels of the SSL-R, respectively. The location of the power LEDs and Ethernet interfaces is displayed.
[Figure 2-2. Panel labels: Power LED 1, Aux Port, Console Port, Server Interface, Network Interface, Power LED 2, Reset Switch, Test LED]
Web: <http://www.sonicwall.com/support/> Phone: (408) 745-9600. Installing the Hardware This section describes how to install the SSL-IA and SSL-R as free-standing and rack-mounted units, where applicable. Locating the SSL-IA (Free Standing) Place the SSL-IA on a level surface in an area with access to your network cabling. Allow at least an inch of space around the SSL-IA for adequate ventilation.
AC power outlet. If you are installing an SSL-R, ensure the power switches are in the “0” (off) position, attach the power cables to the power inputs on the appliance, and plug the other ends into AC power outlets.
If the connector does not disengage, press the tab down more firmly and pull again.
Note: If you are using the SonicWALL SSL appliance in two-port mode, you must connect the cables to the SSL appliance so client requests (inbound) and server traffic (outbound) move through different ports.
Deployment Examples This section contains several examples for deployment of SonicWALL SSL appliances. Additional deployment and setup information can be found at: <http://www.sonicwall.com/ssl-center/ssl-setup.html> Single Appliance Installation—Dual-Port Mode A single SSL device provides SSL offloading and processing for an entire server farm.
Single Appliance Installation—Single-Port Mode A single SSL device provides SSL offloading and processing for an entire server farm. This mode of operation is designed to be used in conjunction with Layer 7 switches. Additionally, the content switch must be configured to provide the filtering and security methods because the SSL appliance cannot prevent plain or clear text access to your server’s secure data while in this mode.
Load Balanced SonicWALL SSL appliances can be installed in front of or behind a load balancer. If the load balancer is using URL- or cookie-related load balancing, install the appliance in front of the load balancer. In this configuration, the load balancer receives clear text packets decrypted by the SSL device.
Respond to the following screen prompt, pressing Enter to install the software:
The following packages are available:
1. SNWLconfg SonicWALL Configuration Manager
Select package(s) you wish to process (or “all” to process all packages). (default: all) [?,??,q]
Type q to exit after installation.
Registering Your SonicWALL Product After you install the device, make sure to register the product at the MySonicWALL website: <http://www.mysonicwall.com> You can create a user account to activate and manage services for all of your SonicWALL products. Note: For the latest version of this manual and other SonicWALL documentation, go to http://www.sonicwall.com/products/documentation.html or...
• Access firmware and security service updates
• Get SonicWALL alerts on services, firmware, and products
• Check status of your SonicWALL services and upgrades linked to each registered SonicWALL device
• Manage (activate, change, or delete) your SonicWALL security services online
How do I Get Started with mySonicWALL.com?
This chapter presents a short introduction to basic SSL components and a description of how the components are used in configuring the SonicWALL SSL appliance. Instructions for using OpenSSL to generate keys and certificates are also included in this chapter.
Use 443 (generally used for SSL transactions) as the SSL TCP service port and 443 as the clear text port. Configure the server to not use SSL and to monitor port 443. TCP service port 80 requests are serviced normally. Page 26 SSL-IA/SSL-R User’s Guide...
Chapter 3 SSL Introduction • Use 443 as the SSL TCP service port and 81 (or another unused port) for the clear text port. Configure the server to monitor port 81. TCP service port 80 requests are serviced normally. All data sent on any other port is passed through transparently in both directions. See the remoteport and sslport commands in Chapter C Command Summary.
Internet Service Manager. Or you can open the Internet Service Manager in the Administrative Tools folder in the Control Panel. Right-click the web site object and click Properties in the shortcut menu. Click the Directory Security tab.
Click View Certificate in the Secure Communications panel. The Certificate Viewer appears. Click the Details tab. Click Copy to File. The Certificate Export Wizard appears. Click Next. The Export Private Key screen appears. Select the Yes, export the private key option. Click Next. The Export File Format screen appears.
Passwords SonicWALL SSL appliances use two levels of password protection: access- and enable-level. Access-level passwords control who can attach the configuration manager to the specific device and view statistics and other nonsensitive data. Enable-level passwords control who can view the same data available with access-level passwords as well as view sensitive data and configure the device.
(reloads) with factory default settings. Caution: All configuration is lost when using the factory default reset. SonicWALL SSL Configuration Components When you configure an appliance to perform SSL offloading you are actually setting up one or more logical secure servers whose SSL-related configurations reside in the appliance.
GUI. Security Policies SonicWALL SSL appliances can process a wide range of single and composite cryptography schemes. The following table shows a comparison of the individual schemes. If you configure the device to use the weak security policy, all schemes marked as “weak” are used.
Additionally you can create your own specialized security policies, assigning the cryptographic schemes you wish to use singly or in combination. Methods to Manage the SonicWALL SSL Appliance You can configure the SonicWALL SSL appliance using one of four methods, three of which use the command-line interface configuration manager. •...
URL or IP address Additionally, we provide a guided QuickStart wizard configuration method, available any time the configuration manager is used. To use this method of configuring the SonicWALL SSL appliance, see Chapter 4 QuickStart Wizard. Brief instructions are also included for initiating a management session using the configuration manager.
Telnet After you have assigned an IP address to the SonicWALL SSL appliance using the serial connection or remote configuration manager, you can attach to the appliance via telnet. Initiate a telnet session with the IP address previously assigned to the appliance.
Solaris. Enter inxcfg at a Unix shell prompt. Windows NT and Windows 2000 Software. To start the configuration manager, use the Start menu and point to Programs>SonicWALL Corporation and click SonicWALL Configuration Manager, or double-click the shortcut on the desktop.
“Network” port. Device types are networked SSL-IA, SSL-R, SSL-R3, and SSL-R6 devices and local SSL-PCI cards. For SSL-R3 and SSL-R6 devices, one instance is displayed in the device list for each SSL module (“Server”/“Network”...
(See Chapter 3 SSL Introduction for a discussion of port blocking.) You can abort the current clear text port designation and enter a different TCP service port, or approve using TCP service port 80 for clear text.
Chapter 4 QuickStart Wizard
You have completed TCP service port configuration of the logical secure server and are ready to specify the key to use.
CONFIGURE SSL-SERVER ‘myServer’ KEY
SSL-server name : myServer
Ip address : 10.1.2.3
Secure Port : 443
Clear Port : 80
Each ssl-server is associated with a key.
If you do not choose to re-enter the key and certificate, your choices are accepted, but the secure server is not configured correctly and will not function properly.
After the certificate has been properly loaded, you are shown a summary and asked to specify a security policy.
CONFIGURE SSL-SERVER ‘myServer’ SECURITY POLICY
SSL-server name : myServer
IP address : 10.1.2.3
Secure Port : 443
Clear Port : 80
Key name...
(enable) password for the device.
SETUP CONFIGURATION PASSWORD PROTECTION
Would you like to set a password to protect configuration of the SSL-R? (y/n):
Type y, and enter a password. Re-enter it to confirm. You must set a configuration password for the device to ensure its security. The password you enter is not displayed.
Certificates
*no certificate list entries*
Certificate groups
*no certificate group list entries*
Security Policies
------------------------------------------
Name Id RC Policy List
------------------------------------------
default ARC4-MD5,ARC4-SHA,EXP-ARC4-MD5,EXP-ARC4-SHA,EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,EXP1024-ARC4-SHA,NULL-MD5,NULL-SHA
weak EXP-ARC4-MD5,EXP-ARC4-SHA,EXP-ARC2-MD5,EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,EXP1024-DES-CBC-SHA,EXP1024-ARC4-SHA,NULL-MD5,NULL-SHA,EXP-DES-CBC-SHA
strong DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,ARC4-MD5,ARC4-SHA
DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,ARC4-MD5,ARC4-SHA,EXP-ARC4-MD5,EXP-ARC4-SHA,EXP-ARC2-MD5,EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,EXP1024-DES-CBC-SHA,EXP1024-ARC4-SHA,NULL-MD5,NULL-SHA,EXP-DES-CBC-SHA
SSL Servers...
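The following is an added example, not part of the SonicWALL guide or its software: a small audit of the cipher-scheme names in the security policy listing above, using the "weak" and "strong" lists as they appear there. The finding names, the BLOCKING set, and the function names are assumptions of this example.

```python
"""Audit the cipher-scheme names used in the appliance's security policies."""

# Cipher lists copied from the "weak" and "strong" rows of the policy listing
# on this page; the other rows can be added to this dict the same way.
POLICIES = {
    "weak": (
        "EXP-ARC4-MD5,EXP-ARC4-SHA,EXP-ARC2-MD5,"
        "EXP1024-ARC4-MD5,EXP1024-ARC2-CBC-MD5,"
        "EXP1024-DES-CBC-SHA,EXP1024-ARC4-SHA,NULL-MD5,"
        "NULL-SHA,EXP-DES-CBC-SHA"
    ),
    "strong": (
        "DES-CBC-MD5,DES-CBC-SHA,DES-CBC3-MD5,DES-CBC3-SHA,"
        "ARC4-MD5,ARC4-SHA"
    ),
}

# Finding labels (chosen for this example) and the general reason for each.
FINDINGS = {
    "no-encryption": "NULL cipher: integrity only, payload travels in the clear",
    "export-grade": "EXP/EXP1024: key strength cut to 40 or 56 bits",
    "single-des": "DES with a 56-bit key",
    "3des": "Triple DES: legacy 64-bit block cipher",
    "rc4": "ARC4 (RC4): prohibited in TLS by RFC 7465",
    "rc2": "ARC2 (RC2): obsolete 64-bit block cipher",
    "md5-mac": "MAC built on MD5",
    "unrecognized": "name does not follow the naming used in the listing",
}

# Assumption of this example: findings that rule a scheme out entirely.
BLOCKING = {"no-encryption", "export-grade", "single-des"}


def classify(scheme):
    """Return the sorted finding labels for one scheme name, e.g. 'EXP-ARC4-MD5'."""
    parts = scheme.strip().upper().split("-")
    found = set()
    if parts[0] in ("EXP", "EXP1024"):
        found.add("export-grade")
        parts = parts[1:]
    cipher = parts[0] if parts else ""
    if cipher == "NULL":
        found.add("no-encryption")
    elif cipher == "DES":
        # DES-CBC3-* is Triple DES; DES-CBC-* is single DES.
        found.add("3des" if "CBC3" in parts else "single-des")
    elif cipher == "ARC4":
        found.add("rc4")
    elif cipher == "ARC2":
        found.add("rc2")
    else:
        found.add("unrecognized")
    if parts and parts[-1] == "MD5":
        found.add("md5-mac")
    return sorted(found)


def audit(cipher_list):
    """Map each scheme in a comma-separated policy list to its findings."""
    return {s.strip(): classify(s) for s in cipher_list.split(",") if s.strip()}


def usable(cipher_list, blocking=BLOCKING):
    """Schemes in the list that carry none of the blocking findings."""
    return [s for s, f in audit(cipher_list).items() if not blocking & set(f)]


def report(policies):
    """Build a printable report, one header line per policy plus one per scheme."""
    lines = []
    for name, cipher_list in policies.items():
        results = audit(cipher_list)
        kept = usable(cipher_list)
        lines.append(f"policy {name}: {len(kept)} of {len(results)} schemes pass")
        for scheme, found in results.items():
            lines.append(f"  {scheme:22} {', '.join(found)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(POLICIES)))
```

Run against the listing, every scheme in "weak" is export-grade or NULL, and "strong" still contains two single-DES schemes; what remains after filtering is Triple DES and RC4 only.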
“Y” indicates the key and certificate match, “N” indicates the key and certificate do not match
PKey: The name of the private key assigned to the SSL server
Cert: The name of the certificate assigned to the SSL server
Using the QuickStart Wizard with a Configured Appliance If you wish to run the QuickStart wizard for a previously configured SonicWALL SSL appliance, follow these steps: Initiate a management session and start the configuration manager as described previously.
Refer to Chapter 3 SSL Introduction for a brief introduction to how the SonicWALL SSL appliance works with components of the SSL protocol and description of the information you need to begin configuration. If you have not installed the software, refer to Chapter 2 Installation for instructions.
DB9 connector marked “CONSOLE”. Attach the other end to a serial port on the configuring computer. SSL-R —Attach the included null modem cable to the appliance port marked “CONSOLE”. Attach the other end of the null modem cable to a serial port on the configuring computer.
SonicWALL Configuration Manager, or double-click the shortcut on the desktop. Using the Remote Configuration Manager Enter show device list to display a list of all SonicWALL SSL devices in the same broadcast domain as the configuring computer. Devices are listed in the following format:...
Chapter 5 Configuration Manager
For example, entering show device list returns the following list of unattached devices:
SSL-R sslDev1
SSL-R sslDev2
SSL-R myDevice
SSL-IA sslBox3
To attach the configuration manager to the device myDevice, enter this command:
on myDevice attach
The auto completer function can assist data entry.
Note: The remote configuration instructions in this example assume only one SonicWALL SSL device is available for configuration or that you have set the on-prefix to a single device. If you have more than one SSL device available for configuration, refer to section "Specifying Devices"...
If you wish to configure the server using the remote configuration manager, initiate a remote management session, attach to the appliance, and when prompted to use the QuickStart wizard, enter n. Go to step 3.
Note: For the remainder of these examples, system prompts are displayed as remote configuration prompts.
(_), hyphen (-), and period (.) characters. Security policy names must begin with an alphabetic character. Enter Server Configuration mode and create a server named myServer. Assign the IP address 10.1.2.4 and netmask 255.255.255.0. Assign port 443 for monitoring for SSL connections and port 81 for sending clear text. Assign the key association and security policies just created. Return to Privileged mode.
(config-ssl[myDevice])> server myServer create
(config-ssl-server[myServer])> ip address 10.1.2.4
(config-ssl-server[myServer])> sslport 443
(config-ssl-server[myServer])> remoteport 81
(config-ssl-server[myServer])>...
You must enter the discover command using the TCP service port as an argument. The following command tells the configuration manager to use port 8089 to look for SonicWALL SSL appliances.
inxcfg> discover port 8089
The device is listed following a show device list command.
Step-Up Certificates and Server-Gated Cryptography SonicWALL SSL devices support both Netscape International Step-Up Certificates and Microsoft Server-Gated Cryptography. No special configuration is needed for the device to function properly with these certificates. Load the certificate normally.
Supporting SNMP SonicWALL SSL appliances have basic support for SNMP functions. The device is shipped with SNMP disabled. This example demonstrates how to set basic SNMP data. EXAMPLE: Configuring SNMP Initiate a management session as described previously.
Supporting RIP SonicWALL SSL devices support Routing Information Protocol (RIP) versions 1 and 2. This example demonstrates how to enable RIP version 1 packet usage. EXAMPLE: Configuring RIP Initiate a management session as described previously.
Supporting Other Secure Protocols Along with SSL, SonicWALL SSL devices can support other secure protocols using TLS v1.0, SSL v2.0, and SSL v3.0. SFTP, IMAPS, POP3S, NNTPS, and LDAPS are some examples. The steps below show how to configure the SSL appliance for setting up a secure server to process only POP3S (S-POP) mail.
This chapter describes how to use the Graphical User Interface (GUI) to configure the SSL-IA and SSL-R. The GUI provides a convenient, web browser-based method of configuring SSL appliances. While most configuration options are available with the GUI, you must be aware of the following constraints: •...
The following examples demonstrate how to use the GUI to configure general appliance settings. Note: To save time, make all the changes you wish, then click Save Changes to write the configuration to the appliances’ flash memory.
Chapter 6 Graphical User Interface Reference
EXAMPLE: Setting the Device Name (Hostname) Click General to activate the General tabs. Click the Settings tab. Type the name you wish to assign to the appliance in the Device Name text box. Click Update. EXAMPLE: Resetting the IP Address Click Network to activate the Network tabs.
EXAMPLE: Configuring an Ethernet Interface In this example, the Network interface is set to 100 Mb, full duplex. Click Network to activate the Network tabs. Locate the Network Interface panel. Select “Full 100” from the list box.
The following examples demonstrate how to set up SSL configurations for the appliance. If necessary, refer to Chapter 3 SSL Introduction for information on how the SonicWALL SSL appliance works with SSL protocol information. EXAMPLE: Setting up a Secure Server In this example, the default SSL port (443) and remote port 81 are used.
Select “strong” from the Security Policy list box. Select “myCert” from the Certificate list box. Select “myKey” from the Private Key list box. Click OK to create the secure server in the appliance. EXAMPLE: Creating and Using Chained Certificates Click SSL to activate the SSL tabs.
Click the Certificate Groups tab. Click New Certificate Group. The Add Certificate Group window opens. Type the name for the group in the Name text box. Click and CTRL-click the certificates listed in the Member Certificates list box to add to the certificate group.
Appendix A Technical Specifications
The SSL-IA/SSL-R have the following specifications:
Specification SSL-IA SSL-R
Interfaces: RJ-45 10/100Base-T Ethernet ports
Serial Ports: 2 (on serial access cable) Mini-din9:
Power: Operating voltage 100-240 VAC, 50-60 Hz
Power: Consumption 25 W
Power Supply...
TROUBLESHOOTING GUIDE This chapter provides solutions for problems that you might encounter when using the SonicWALL Transaction Security appliance. If you are unable to solve your problem, please visit SonicWALL’s Technical Support Web site at <http://support.sonicwall.com>. There, you will find resources to help you resolve most technical issues, and instructions for contacting SonicWALL’s Technical Support engineers.
SonicWALL SSL appliance, enter the discover command to find new devices in the same broadcast domain. I cannot connect to the appliance using the GUI. • Use any of the configuration manager methods to ensure that web management is enabled. Attach to the appliance, if necessary, then use these commands:...
COMMAND SUMMARY This appendix contains a categorized listing of configuration manager commands for SonicWALL SSL devices. Each command is described and, where appropriate, an example of usage is included. Chapter 6 Graphical User Interface Reference contains instructions for using the GUI.
Most configuration commands require filling all fields in the command. You can use the Tab key to help you. For example, if you enter this: ip address Tab
Appendix C Command Summary
You’ll receive this prompt:
ip address <IP address> [netmask [netmask]]
Where:
<IP address> = a.b.c.d|0xhhhhhhhh
[netmask] = keyword
[Netmask address] = a.b.c.d|0xhhhhhhhh
(config-server)# ip address
Use the information displayed to help you enter the command with the correct syntax and data.
Caution: All configuration is lost when using the factory default reset. Methods to Manage the SonicWALL SSL Appliance You can configure the SonicWALL SSL appliance using one of four methods, three of which use the command-line interface configuration manager. •...
below create a device group named myGroup and add three devices to it and display the contents of the group.
inxcfg> group myGroup create
(group[myGroup])> device sslDev1
(group[myGroup])> device sslDev2
(group[myGroup])> device myDevice
(group[myGroup])> info
group name: myGroup
number of devices: 3
device: sslDev1
device: sslDev2...
Note: If you have forgotten the device’s access password, see Appliance Factory Default Reset Password on page 77.
Command: clear screen
Availability: Remote, Serial, Telnet
Description: Clears the display, leaving only one prompt line.
Command:
Availability: Remote, Serial, Telnet
Description: Clears the display, leaving only one prompt line.
Command: discover [port <portid>]
Availability: Remote
Description: Checks the network for new remote devices. Use the port option to specify a TCP service port to search for devices when using an alternate remote management port, where portid is the port number.
Press any key to stop displaying statistics. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the
Version MacAddr IPaddr
Device types are networked SSL-IA, SSL-R, SSL-R3, and SSL-R6 devices and local SSL-PCI cards. For SSL-R3 and SSL-R6 devices, one instance is displayed in the device list for each SSL module (“Server”/“Network” port pair) on the appliance.
Command: show ip domain-name on <devname|groupname|all>
show ip domain-name
Availability: Remote, Serial, Telnet
Description: Displays DNS configuration information for a single device. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
Command: show profile
Availability: Remote
Description: Displays current user preferences setting.
Command: show rack
Availability: Remote
Description: Displays a list of discovered SSL-R3 and SSL-R6 systems.
Command: show remote-management on <devname|groupname|all>
show remote-management
Availability: Remote, Serial, Telnet
Description: Displays remote management information for a single device. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
SSL System Write Broken Connection Errors to Client
SSLR SSL System Read Errors from Client
SSLRBC SSL System Read Broken Connection Errors from Client
SVRW System Write Errors to Remote Server
SVRWBC Broken Connection Write Errors to Remote Server
Error Description
SVRR System Read Errors from Remote Server
SVRRBC Broken Connection Read Errors from Remote Server
Command: show ssl key [<keyname>] on <devname|groupname|all>
show ssl key [<keyname>]
Availability: Remote, Serial, Telnet
Description: Displays summary data for the specified public/private key pair loaded on a single device, where keyname is the name of the key.
When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
Command: show terminal
Availability: Remote, Serial, Telnet
Description: Displays terminal setting information.
Command: show version
Availability: Remote, Serial, Telnet
Description: Displays configuration manager version information.
Command: [no] terminal history <length>
Availability: Remote, Serial, Telnet
Description: Sets the number of commands saved in the history buffer, where length is the number of commands.
Resets all SSL statistics for a single device. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
Remote Description: Uploads a SonicWALL image file to the device flash, where filename is the path and name of the file. You are prompted for the file name if you do not provide it on the command line. When using remote configuration, use the...
Command: copy to flash <url>
Availability: Serial, Telnet
Description: Uploads a SonicWALL image file to the device flash, where url is the URL of the file.
Command: copy to running-configuration [<filename>] on <devname|groupname|all>
copy to running-configuration [<filename>]...
name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.
Command: erase startup-configuration on <devname|groupname|all>
erase startup-configuration
Availability: Remote, Serial, Telnet
Description: Erases the startup configuration stored in flash on the device. You must specify a device unless only one device is attached.
Command: write network <url>
Availability: Serial, Telnet
Description: Writes the configuration of the device to a file on a remote host, where url is the URL of the file.
Command: write terminal on <devname|groupname|all>
write terminal
Availability: Remote, Serial, Telnet
Description:...
Description: Displays information for a specific command, where command is the name of the command. If no command is specified, help information is displayed for all Group Configuration commands.
Command: info
Availability: Remote
Description: Displays current information about the group being created or edited.
Configuration Command Set
Use Configuration mode commands to configure the Ethernet interface and SSL functions of the SSL device. Enter Configuration mode using the configure command in Privileged mode.
Command: [no] access-list <id> <permit | deny> <ipaddr> <mask>
Availability: Remote, Serial, Telnet
Description: Adds an access list entry to the end of the specified access list, where id is the list...
IP address. The metric flag is used to show the total number of hops to the destination IP address. Use the no flag to delete the specified static route entry from the device’s routing table.
Command: [no] ip route default <ipaddr>
Availability: Remote, Serial, Telnet
Description: Sets the default route for the current device, where ipaddr is the IP address of the default router to use. Use the no flag to clear the IP address for the default router.
Command: [no] keepalive-monitor <ipaddr>...
Sets the shared secret passphrase used for encryption, where passphrase is the shared secret. You are prompted for this passphrase the next time an attach attempt is made. Use the no form of the command to delete the passphrase.
Command: [no] rip [v1|v2]
Availability: Remote, Serial, Telnet
Description: Enables Routing Information Protocol (RIP) for the current device. You must specify either versions of the protocol. Using the no flag disables RIP completely if you do not specify a version to disable.
Example: no rip v2
The first command enables both RIP versions....
Enables generic SNMP traps. Use the no flag to disable generic SNMP traps.

Command: ssl
Availability: Remote, Serial, Telnet
Description: Enters the SSL Configuration mode for the current SSL device. See the section "SSL Configuration Command Set" for more information.
Command: [no] syslog <ipaddr>
Availability: Remote, Serial, Telnet
Description: Adds the specified IP address to the syslog list for the device, where ipaddr is the specified IP address. Using the no flag removes the specified IP address from the syslog list of the current device.
If you do not specify a command, help information is displayed for all Interface Configuration commands.

Command: speed <10|100>
Availability: Remote, Serial, Telnet
Description: Forces the speed of the current Ethernet interface to 10 Mbps or 100 Mbps.
SSL Configuration Command Set

Use these commands to set up and manage the SSL configuration for the current SSL device. Enter the SSL Configuration mode by using the configure command in the Privileged mode and the ssl command in Configuration mode.

Command: [no] cert <certname>...
The no flag is used to remove a server. You may have up to 255 servers configured. See the section "Server Configuration Command Set" for more information.
Certificate Configuration Command Set

Use Certificate Configuration commands to set up and manage certificate objects. Enter Certificate Configuration mode by using the configure command in Privileged mode, the ssl command in Configuration mode, and the cert command in SSL Configuration mode.

Command: binhex <value>]
Availability: Remote, Serial, Telnet...
After the command is entered, you are prompted to paste a certificate from the cut buffer. You can use a text editor to copy the certificate from a file. After the certificate is pasted, you must press Enter twice to complete the command.
Certificate Group Configuration Command Set

Use Certificate Group Configuration commands to set up and manage certificate groups utilized for chaining. Enter Certificate Group Configuration mode by using the configure command in Privileged mode, the ssl command in Configuration mode, and the certgroup command in SSL Configuration mode.
Availability: Remote, Serial, Telnet
Description: Loads a private key into the key entity, where key-filename is the name of the key file exported from IIS 4 only. You must enter a private key password. If you do not enter the file name, you are prompted for it. You must enter the path if the file is not located in the current directory.

Command: pem [<key-filename>]
Availability: Remote, Serial, Telnet
Description: Loads a PEM-encoded X509 private key into the key object, where key-filename is the path and name of the PEM-encoded key file.
Exits Security Policy Configuration mode, activates all changes, and returns to SSL Configuration mode.

Command: exit
Availability: Remote, Serial, Telnet
Description: Exits Security Policy Configuration mode, activates all changes, and returns to SSL Configuration mode.
Command: help [command>]
Availability: Remote, Serial, Telnet
Description: Displays help information for the specified command, where command is the name of the command. If you do not specify a command, help information is displayed for all Security Policy Configuration commands.

Command: info
Availability: Remote, Serial, Telnet...
Availability: Remote, Serial, Telnet
Description: Exits Server Configuration mode, activates all changes, and returns to SSL Configuration mode.

Command: exit
Availability: Remote, Serial, Telnet
Description: Exits Server Configuration mode, activates all changes, and returns to SSL Configuration mode.
Command: help [command]
Availability: Remote, Serial, Telnet
Description: Displays help information for the specified command, where command is the name of the command. If you do not specify a command, help information is displayed for all Server Configuration commands.

Command: info
Availability: Remote, Serial, Telnet...
Enables servers to function as a transparent proxy (default). The no flag is used to disable this behavior. When transparent proxy behavior is disabled, the device accepts connections on the device’s IP address rather than on the server’s address.
Appendix D Glossary

10Base-T
The IEEE standard for 10 Mbps CSMA/CD networking on twisted-pair cable.

100Base-T
The IEEE standard for 100 Mbps CSMA/CD networking over two pairs of Category 5 or packet signaling, on a cable. Access to the cable is based on CSMA/CD.

Certificate
Digital information that proves the identity of the server;...
To maintain compliance with the limits of a Class A digital device, SonicWALL requires that you use quality interface cables when connecting to this device. During testing for certification, SonicWALL used Category 5 cables.
VCCI

Canadian Radio Frequency Emissions Statement

This Class A digital apparatus complies with Canadian ICES-003.

Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
Appendix E Electromagnetic Compatibility

EC Declaration of Conformity—SSL-IA