SonicWALL Internet Security Appliances Administrator's Manual
COMPREHENSIVE INTERNET SECURITY
SonicWALL Internet Security Appliances
ADMINISTRATOR'S GUIDE


Summary of Contents for SonicWALL Internet Security Appliances

  • Page 1 COMPREHENSIVE INTERNET SECURITY ™ SonicWALL Internet Security Appliances ADMINISTRATOR’S GUIDE...
  • Page 2: Table Of Contents

    Firmware Version ...13 1 Introduction ... 14 SonicWALL Internet Security Appliance Features ...15 2 Configuring the Network Mode on the SonicWALL ... 18 Configuring the SonicWALL in Standard Mode ...19 Configuring the SonicWALL in NAT Enabled Mode ...20 Configuring NAT with PPPoE Client ...26 Configuring NAT with DHCP Client ...32...
  • Page 3 Configuring a Modem Profile for Manual Dial-Up ...66 Status ...69 Modem Status ...69 Chat Scripts ...70 Custom Chat Scripts ...71 5 Managing Your SonicWALL Internet Security Appliance ... 72 Status ...73 CLI Support and Remote Management ...75 6 General and Network Settings ... 76 Network Settings ...76 Network Addressing Mode ...76...
  • Page 4 Bandwidth Usage by IP Address ...97 Bandwidth Usage by Service ...97 SonicWALL ViewPoint ...98 8 Content Filtering and Blocking ... 99 Configuring SonicWALL Content Filtering ...100 Restrict Web Features ...100 URL List ...101 Customizing the Content Filtering List ...103 Consent ...105 Mandatory Filtered IP Addresses ...106...
  • Page 5 Add New Rule Examples ...136 Current Network Access Rules Table ...137 Users ...139 Global User Settings ...139 User Login ...142 RADIUS ...143 Management ...145 SonicWALL SNMP Support ...145 SonicWALL Management Protocol ...146 Additional Management ...146...
  • Page 6 Intranet ...150 Installation ...150 Intranet Configuration ...151 Intranet Settings ...151 VPN Single-Armed Mode (stand-alone VPN gateway) ...152 Configuring a SonicWALL for VPN Single Armed Mode ...153 Routes ...154 LAN Route Advertisement ...155 RIPv2 Authentication ...156 DMZ Route Advertisement ...156 DMZ Addresses ...156 DMZ in Standard Mode ...157...
  • Page 7 Configuring the Central Gateway for VPN over DHCP ...169 Configuring the Remote Gateway for VPN over DHCP ...169 DHCP Status ...172 DHCP Server on the SonicWALL TELE3 TZ and TZX ...173 Setup ...173 Allow DHCP Pass Through in Standard Mode ...173 Configuring the SonicWALL DHCP Server ...174...
  • Page 8 VPN Terminated at the LAN, DMZ, or LAN/DMZ ...190 Advanced Settings for VPN Configurations ...191 Configuring SonicWALL VPN ...192 Group VPN Configuration for the SonicWALL and VPN Client ...193 Configuring Group VPN on the SonicWALL ...193 Group VPN Client Setup ...195 Manual Key Configuration for the SonicWALL and VPN Client ...199...
  • Page 9 A computer on the LAN cannot access the Internet ...254 The SonicWALL does not establish authenticated sessions ...254 The SonicWALL does not save changes that you have made ...255 Duplicate IP address errors ...255 Machines on the WAN are not reachable ...255 VPN tunnel problems ...255...
  • Page 10: Copyright Notice

    Where liability can not be limited under applicable law, the SonicWALL liability shall be limited to the amount you paid for the Product. This warranty gives you specific legal rights, and you can have other rights which vary from state to state.
  • Page 11: About This Guide

    Chapter 9, Web Management Tools - provides directions to restart the SonicWALL, import and export settings, upload new firmware, and perform diagnostic tests. Chapter 10, Network Access Rules - explains how to permit and block traffic through the SonicWALL, set up servers, and enable remote management.
  • Page 12: SonicWALL Technical Support

    Appendix F, Basic VPN Terms and Concepts - covers VPN terminology and configuration concepts. Appendix G, Erasing the Firmware - describes the firmware erase procedure. Appendix H, Mounting the SonicWALL PRO 200 and PRO 300 - describes how to rack mount the SonicWALL appliance.
  • Page 13: Introduction

    LAN unless they are authorized remote users or Network Access Rules were created to allow inbound access. If the SonicWALL includes a DMZ port, users on the LAN and the Internet have access to the devices on the DMZ.
  • Page 14: SonicWALL Internet Security Appliance Features

    • DMZ Port The SonicWALL PRO 100, PRO 200, PRO 300, PRO 230, and the SonicWALL PRO 330 include a DMZ port allowing users to access public servers, such as Web and FTP servers. While Internet users have unlimited access to the DMZ, the servers on the DMZ are still protected against DoS attacks.
  • Page 15: Content Filtering

    Logging and Reporting • Log Categories You can select the information you wish to display in the SonicWALL event log. You can view the event log from the SonicWALL Web Management Interface or receive the log as an e-mail file. •...
  • Page 16 • DHCP over VPN DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks residing in one IP subnet address space. This facilitates address administration for the networks using VPN tunnels.
  • Page 17: Configuring The Network Mode On The SonicWALL

    Network Address Translation (NAT) Enabled Using NAT to set up your SonicWALL eliminates the need for separate IP addresses for all computers on your LAN. It is a way to conserve IP addresses available from the pool of IPv4 addresses for the Internet.
  • Page 18: Configuring The SonicWALL In Standard Mode

    If you have DSL or cable, your WAN router is typically located at your ISP. 9. Enter your DNS IP address(es) in the DNS Server fields. 10. Click Update. Once the SonicWALL is updated, you must restart the SonicWALL for the changes to take effect.
  • Page 19: Configuring The SonicWALL In NAT Enabled Mode

    (LAN) IP address on packets passing through a SonicWALL with a “fake” one from a fixed pool of addresses. The actual IP addresses of computers on the LAN are hidden from outside view. If you are assigned a single IP address by your ISP, follow the instructions below.
  • Page 20 SonicWALLs from a central location. For more information about SonicWALL GMS, contact SonicWALL Sales at (408) 745-9600. 3. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue.
  • Page 21 6. Select Assigned you a single static IP address, if your ISP has provided you with a single, valid IP address. You can configure the SonicWALL to use NAT with a single, static IP address. The advantages of Network Address Translation (NAT) are IP address conservation, and hiding your IP address from a public WAN such as the Internet.
  • Page 22 7. The Optional-Network Address Translation (NAT) page offers the ability to enable NAT. Select Don’t Use NAT, if there are enough static IP addresses for your SonicWALL, all PCs, and all network devices on your LAN. Selecting Don’t Use NAT enables the Standard mode. Select Use NAT, if valid IP addresses are in short supply or to hide all devices on your LAN behind the SonicWALL valid IP address.
  • Page 23 If you selected either NAT or Standard mode, the Getting to the Internet page is displayed. 8. Enter the IP address provided by your ISP in the SonicWALL WAN IP Address, WAN/DMZ Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses. Click Next to continue.
  • Page 24 If the configuration is correct, click Next to proceed to the Congratulations page. Congratulations Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations page, is used to log in and manage the SonicWALL. 11. Click Restart to restart the SonicWALL.
  • Page 25: Configuring NAT With PPPoE Client

    Alert The final page provides important information to help configure the computers on the LAN. Click Print this Page to print the window information. 12. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard.
  • Page 26 This window also displays the Use SonicWALL Global Management System check box. 2. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue. Setting the Time and Date 3.
  • Page 27 Selecting Your Internet Connection 5. Select Provided you with desktop software, a user name and password (PPPoE), if your ISP has provided you with desktop software, a user name and password information.
  • Page 28 Configuring LAN Network Settings 8. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN.
  • Page 29 9. The Optional-SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select the Enable DHCP Server check box, and specify the range of IP addresses that are assigned to computers on the LAN.
  • Page 30 Alert The final window provides important information to help configure the computers on the LAN. 12. Click Print this Page to print the window information. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard.
  • Page 31: Configuring NAT With DHCP Client

    This page also displays the Use SonicWALL Global Management System check box. 3. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue.
  • Page 32 Setting the Time and Date 4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next to continue. Connecting to the Internet The Connecting to the Internet page lists the information required to complete the installation.
  • Page 33 7. The Obtain an IP address automatically page is displayed. The Obtain an IP address automatically page states that the ISP dynamically assigns an IP address to the SonicWALL. To confirm this, click Next.
  • Page 34 Configuring LAN Network Settings 8. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP addresses on the LAN.
  • Page 35 If the configuration is correct, click Next to proceed to the Congratulations page. Congratulations Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations window, is used to log in and manage the SonicWALL.
  • Page 36: Configuring NAT With L2TP Client

    Tip The final window provides important information to help configure the computers on the LAN. Click Print this Page to print this information. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard.
  • Page 37: Configuring NAT With PPTP Client

    17. The L2TP settings are filled in once a connection is made to the L2TP settings. 18. Click Update. Once the SonicWALL is updated, you must restart the SonicWALL for the changes to take effect. Configuring NAT with PPTP Client The SonicWALL Installation Wizard simplifies the initial installation and configuration of the SonicWALL.
  • Page 38 1. To set the password, enter a new password in the New Password and Confirm New Password fields. 2. Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS. Click Next to continue.
  • Page 39 Tip Confirm that you have the necessary network information from your ISP before proceeding with the Connecting to the Internet pages. 4. Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet. Click the hyperlinks for definitions of the networking terms. Click Next to proceed to the next step.
  • Page 40 Setting the User Name and Password for PPTP. 6. The SonicWALL ISP Settings (PPTP) page is displayed. Enter the server IP address in the Server IP field, and your user name and password in the User Name and Password fields.
  • Page 41 8. The Optional-SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, select the Enable DHCP Server check box, and specify the range of IP addresses that are assigned to computers on the LAN.
  • Page 42 Tip The final window provides important information to help configure the computers on the LAN. Click Print this Page to print this information. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close to exit the SonicWALL Wizard.
  • Page 43: Logging Into The SonicWALL Management Interface

    Registration code - the registration code generated when the SonicWALL is registered at <http://www.mysonicwall.com>. • SonicWALL Active time - the length of time in days, hours and minutes that the SonicWALL is active. • Firmware version - shows the current version number of the firmware installed on the SonicWALL.
  • Page 44 Other SonicWALL general status information is displayed in this section relating to other features in the SonicWALL such as the type of network settings in use, log settings, content filter use, and if Stealth Mode is enabled on the SonicWALL.
  • Page 45: Registering At mySonicWALL.com

    3 Registering at mySonicWALL.com After you complete the initial installation and configuration of your SonicWALL, you should register your SonicWALL Internet Security Appliance at <http://www.mysonicwall.com>. MySonicWALL.com delivers a convenient, centralized way to register all your SonicWALL Internet Security appliances and Security Services. It eliminates the need to individually register SonicWALL appliances and upgrades to streamline the management of all your SonicWALL security services.
  • Page 46: Account Information

    Account Information 3. All fields marked with an * are required fields. Be sure to fill out the form completely before submitting it to the user database. Create a User Name and password for your mySonicWALL account. Confirm the password by typing it in the Confirm Password field. For your convenience, you can record the information below.
  • Page 47: Personal Information

    5. Complete the Personal Information section of the Registration form. Be sure to enter the correct e-mail address as the subscription code for your SonicWALL user account is e-mailed to you. The subscription code is necessary to activate your account.
  • Page 48 9. If all the information is correct, click OK. A confirmation message appears notifying you that your account must be activated within 72 hours of creating it. You also receive an e-mail with your subscription code in it. Write your subscription code below: Subscription code:_______________________________ Note: For security reasons, the subscriber name and part of the subscription code are masked.
  • Page 49 11. Enter the subscription code you received via e-mail into the Subscription Code field, and click Submit. 12. Your Account Management interface appears and you can now register SonicWALL Internet Security Appliances or Services. You can also delete or transfer appliances from your user account.
  • Page 50: Problems Creating A mySonicWALL.com User Account

    To register your SonicWALL Internet Security Appliance, click the hyperlink, Click Here, in the Registered SonicWALL Products section. Or to quickly register your appliance, enter the Activation Key of a service, or a SonicWALL Internet Security Appliance serial number into the field in the Quick Register section.
  • Page 51: Quick Registration

    Quick Registration To quickly register a SonicWALL Internet Security Appliance, enter the serial number in the field under the Quick Register section, and click Go. The serial number automatically appears in the Serial Number field. You can then create a Friendly Name for the appliance. If you enter the incorrect serial number into the Serial Number field, a message stating that the appliance is previously registered may be returned.
  • Page 52: Status And Options

    Status and Options Click Status and Options underneath the login information to search for the status and options relating to a particular SonicWALL appliance. Enter the SonicWALL serial number to search for the related information. Information displayed includes • Serial Number •...
  • Page 53: Managing Your SonicWALL

    Services Management. Renaming Your SonicWALL You can rename your SonicWALL at any time in order to manage your SonicWALLs. To rename your SonicWALL, click Rename in the Manage Products section. Enter the new name in the Friendly Name field, and click Submit.
  • Page 54: Transferring A SonicWALL Product

    You can transfer a SonicWALL to another mySonicWALL.com user at any time. Transferring a SonicWALL is necessary if you sell the appliance to another user, or if you want to transfer it to another person in your company. For example, the sales manager for the East Coast has left, and you were managing the services for his SonicWALL.
  • Page 55: Delete Product

    You can also delete a SonicWALL from your mySonicWALL.com user account. Click on the Friendly Name for the appliance, and then click Delete. A confirmation message appears in the next window, and you have successfully deleted a SonicWALL from your user account. You can add the SonicWALL back to your account at any time.
  • Page 56: Managing Services For SonicWALL Internet Security Appliances

    Managing Services for SonicWALL Internet Security Appliances In the Applicable Services section of mySonicWALL.com, a list of installed and inactivated services for your SonicWALL is displayed. Activated services are indicated by the Installed icon with a green check mark. Inactive services are indicated by the Activate icon with a red arrow.
  • Page 57: Activating Services Using mySonicWALL.com

    3. Enter the Activation Key into the Activation Key field, and select I have read and agreed to all of the above terms and conditions. Click Submit. 4. The Content Filter List subscription is now active, and you can download the Content Filter List through your SonicWALL appliance.
  • Page 59: Configuring The TELE3 SP Modem Connection

    To improve the operational availability of networks and ensure fast recovery from network failures, the SonicWALL has the capability of using a modem to dial a secondary network connection for the WAN. In the event that the WAN Ethernet connection is lost or failing, the modem dials an ISP using a preconfigured profile preventing a lengthy interruption in active network connectivity.
  • Page 60: Configuring Modem Profiles

    Configuring Modem Profiles You can configure modem profiles on the SonicWALL using your dial-up ISP information for the connection. Multiple modem profiles can be used when you have a different profile for individual ISPs. Click Profiles, and follow the instructions below to configure your Dial-up Configuration.
  • Page 61: ISP Settings

    AutoUpdate and Anti-Virus. Also, if Enable WAN Failover is selected, the pings generated by the Probe can trigger the modem to dial when no WAN Ethernet connection is detected. If the Primary Profile cannot connect, the modem uses the Secondary Profile to dial an ISP.
  • Page 62 If you do not see your command listed, select Other, and enter the command in the field. 8. If the phone number for your ISP is busy, you can configure the number of times that the SonicWALL modem attempts to connect in the Dial Retries per Phone Number field. The default value is zero (0).
  • Page 63: TELE3 SP Modem Configuration

    AT commands for modem initialization. To configure the SonicWALL modem settings, follow these steps: 1. Select the Primary Profile from the list of profiles that the SonicWALL uses to access the modem and dial the secondary connection. If you have enabled Manual Dial for the Primary Profile, the Secondary Profile is not used.
  • Page 64: Primary Interface

    SonicWALL is powered on. Because it can automatically detect the Ethernet connection, the Primary Interface is Ethernet. Failover Settings You can enable WAN failover for the SonicWALL by configuring settings in this section. Select Enable WAN Failover to use this feature on the SonicWALL. The Secondary Interface Setting defaults to Modem.
  • Page 65: Configuring A Modem Profile For Manual Dial-Up

    Successful Probes to Reactivate Primary field. The default value is five (5). By requiring a number of successful probes before the SonicWALL returns to its primary connection, you can prevent the SonicWALL from returning to the primary connection before the primary connection becomes stable.
  • Page 66 If you do not see your command listed, select Other, and enter the command in the field. 5. Configure the number of times that the SonicWALL modem attempts to connect if the dial-up connection is busy in the Dial Retries per Phone Number field. The default value is zero (0).
  • Page 67 9. Click Restart to enable the network settings on the TELE3 SP. Configuring the Modem Settings After your TELE3 SP has restarted, log into it using the SonicWALL LAN IP address. Click Modem, and configure the dial-up connection settings by creating a Modem Profile TELE3 SP. Refer to the Modem configuration steps in the section “Configuring Modem Profiles”...
  • Page 68: Status

    Status The Status tab displays dial-up connection information when the modem is active. Modem Status In the Modem Status section, the current active network information from your ISP is displayed when the modem is active: • WAN Gateway (Router) Address • WAN IP (NAT Public) Address • WAN Subnet Mask • DNS Server 1 • DNS Server 2...
  • Page 69: Chat Scripts

    PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) from the PPP suite. Once a PPP connection is established, it looks like any other network interface.
  • Page 70: Custom Chat Scripts

    Custom Chat Scripts Custom chat scripts can be used when the ISP dial-up server does not use PAP or CHAP as an authentication protocol to control access. Instead, the ISP requires a user to log onto the dial-up server by prompting for a user name and password before establishing the PPP connection. For the most part, this type of server is part of the legacy systems rooted in the dumb terminal login architecture.
  • Page 71: Managing Your SonicWALL Internet Security Appliance

    “password”. If you cannot log into the SonicWALL, a cached copy of the page is displayed instead of the correct page. Click Reload or Refresh on the Web browser and try again. Also, be sure to wait until the Java applet has finished loading before attempting to log in.
  • Page 72: Status

    Check the Status window after making changes to ensure that the SonicWALL is configured properly. To view the Status tab, log into your SonicWALL using your Web browser. Click General and then click the Status tab to display the Status window.
  • Page 73: Contents

    Other SonicWALL general status information is displayed in this section relating to other features in the SonicWALL such as the type of network settings in use, log settings, content filter use, and if Stealth Mode is enabled on the SonicWALL.
  • Page 74: CLI Support And Remote Management

    SonicWALL appliance. The only modem currently supported is the US Robotics v.90/v.92 modem. CLI communication requires the following modem settings: •...
  • Page 75: General And Network Settings

    • NAT Enabled mode translates the private IP addresses on the network to the single, valid IP address of the SonicWALL. Select NAT Enabled if your ISP assigned you only one or two valid IP addresses. •...
  • Page 76: LAN Settings

    Alert This feature does not replace or substitute configuring routes with the Routes tab in the Advanced section of the SonicWALL. If you have to define a subnet on the other side of a router, you must define a static route using the Routes tab in the Advanced section.
  • Page 77: WAN Settings

    • SonicWALL WAN IP Address The SonicWALL WAN IP Address is a valid IP address assigned to the WAN port of the SonicWALL. This address should be assigned by your ISP. If you select NAT Enabled mode, this is the only address seen by users on the Internet and all activity appears to originate from this address.
  • Page 78: Standard Configuration

    IP addresses to all computers and network devices on your LAN. 2. Enter a unique, valid IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for management of the SonicWALL.
  • Page 79 1. Select NAT Enabled from the Network Addressing Mode menu in the Network window. 2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for management of the SonicWALL.
  • Page 80: NAT With DHCP Client Configuration

    NAT with DHCP Client Configuration The SonicWALL can receive an IP address from a DHCP server on the Internet. If your ISP did not provide you with a valid IP address, and instructed you to set your network settings to obtain an IP address automatically, enable NAT with DHCP Client.
  • Page 81: NAT With PPPoE Configuration

    1. Select NAT with PPPoE from the Network Addressing Mode menu. 2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.
  • Page 82: Restarting The SonicWALL

    Restart the SonicWALL for these changes to take effect. Alert When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for computers on the LAN. When your SonicWALL has successfully established a PPPoE connection, the Network page displays the SonicWALL WAN IP settings.
  • Page 83: NAT With L2TP Client Configuration

    1. Select NAT with L2TP Client from the Network Addressing Mode menu. 2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.
  • Page 84: Restarting The SonicWALL

    Restart the SonicWALL for these changes to take effect. Alert When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for computers on the LAN. When your SonicWALL has successfully established an L2TP connection, the Network page displays the SonicWALL WAN IP settings.
  • Page 85: NAT With PPTP Client Configuration

    1. Select NAT with PPTP Client from the Network Addressing Mode menu. 2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL.
  • Page 86: Restarting The SonicWALL

    Restart the SonicWALL for these changes to take effect. Alert When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for computers on the LAN. When your SonicWALL has successfully established a PPTP connection, the Network page displays the SonicWALL WAN IP settings.
  • Page 87: Setting The Time And Date

    Select Use NTP to set time automatically if you want to use your local server to set the SonicWALL clock. You can also set the Update Interval for the NTP server to synchronize the time in the SonicWALL. The default value is 60 minutes. You can add NTP servers to the SonicWALL for time synchronization by entering in the IP address of an NTP server in the Add NTP Server field.
  • Page 88: Configuring The Administrator Settings

    To set the password, enter the old password in the Old Password field, and the new password in the New Password field. Enter the new password again in the Confirm New Password field and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
  • Page 89: Setting The Administrator Inactivity Timeout

    Lock out user after __ failed login attempts in a 1 minute period field. Enter the length of time that must elapse before the user attempts to log into the SonicWALL again in the Lockout Period (minutes) field.
  • Page 90: Logging And Alerts

    The log is displayed in a table and is sortable by column. The SonicWALL can alert you of important events, such as an attack to the SonicWALL. Alerts are immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.
  • Page 91: SonicWALL Log Messages

    • TCP, UDP, or ICMP packets dropped When IP packets are blocked by the SonicWALL, dropped TCP, UDP and ICMP messages are displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address. Log messages usually include the name of the service in quotation marks.
  • Page 92: Log Settings

    2. Send Log To - Enter your full e-mail address (username@mydomain.com) in the Send log to field to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If this field is left blank, the log is not e-mailed.
  • Page 93 5. Syslog Server - In addition to the standard event log, the SonicWALL can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514.
  • Page 94: Log Categories

    Log Categories You can define which log messages appear in the SonicWALL Event Log. All Log Categories are enabled by default except Network Debug. • System Maintenance Logs general system activity, such as administrator log ins, automatic downloads of the Content Filter Lists, and system activations.
  • Page 95: Alerts/SNMP Traps

    Reports The SonicWALL can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth.
  • Page 96: Web Site Hits

    • Reset Data Click Reset to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the SonicWALL is restarted. • View Data Select the desired report from the Report to view menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service.
  • Page 97: Sonicwall Viewpoint

    SonicWALL ViewPoint SonicWALL ViewPoint is a software solution that creates dynamic, Web-based reports of network activity. ViewPoint generates both real-time and historical reports to provide a complete view of all activity through your SonicWALL Internet Security Appliance. With SonicWALL ViewPoint, you are able to monitor network access, enhance network security and anticipate future bandwidth needs.
  • Page 98: Content Filtering And Blocking

    SonicWALL Content Filter List updates. • N2H2 - N2H2 is a third party content filter software package supported by SonicWALL. You can obtain more information on N2H2 at [http://www.n2h2.com]. If you select N2H2 from the list, an N2H2 tab is available to configure the location of the N2H2 server and other settings.
  • Page 99: Configuring Sonicwall Content Filtering

    Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL blocks the Web content and the files that use these fraudulent certificates. Known fraudulent certificates blocked by SonicWALL include two certificates issued on January 29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.
  • Page 100: Url List

    Don’t block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL using the Add Trusted Domain field. Java scripts, ActiveX, and cookies are not blocked from Trusted Domains if the checkbox is selected.
  • Page 101 Select Categories to Block Block all categories The SonicWALL uses a Content Filter List generated by CyberPatrol to block access to objectionable Web sites. CyberPatrol classifies objectionable Web sites based upon input from a wide range of social, political, and civic organizations. Select the Block all categories check box to block all of these categories.
  • Page 102: Customizing The Content Filtering List

    Customizing the Content Filtering List The Customize tab allows you to customize your URL List by manually entering domain names or keywords to be blocked or allowed. Custom Filter You can customize your URL list to include Allowed Domains, Forbidden Domains, and Keywords. By customizing your URL list, you can include specific domains to be allowed (accessed), forbidden (blocked), and include specific keywords to be used to block sites.
  • Page 103 • Log Only If this check box is selected, the SonicWALL logs and then allows access to all sites on the Content Filter, custom, and keyword lists. The Log Only check box allows you to monitor inappropriate usage without restricting access.
  • Page 104: Consent

    In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed. The SonicWALL can be used to remind users when their time has expired by displaying the page defined in the Consent page URL field. Enter the time limit, in minutes, in the Maximum Web usage field.
  • Page 105: Mandatory Filtered Ip Addresses

    This Web page must reside on a Web server and be accessible as a URL by users on the LAN. This page must also contain a link to a page contained in the SonicWALL that tells the SonicWALL that the user agrees to have filtering enabled. The link must be <192.168.168.168/iAcceptFilter.html>, where the SonicWALL LAN IP Address is used instead...
  • Page 106: Configuring N2H2 Internet Filtering

    Configuring N2H2 Internet Filtering N2H2 is a third party Internet filtering package that allows you to use Internet content filtering through the SonicWALL. When you select N2H2 as your Content Filter List, the N2H2 tab is available. Restrict Web Features...
  • Page 107 Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX, and cookies are not blocked from Trusted Domains if the checkbox is selected.
  • Page 108: Cache Size

    Reply Port Enter the UDP port number for the N2H2 server to send packets from the N2H2 client to the SonicWALL. The default port is 4005. User Name The User Name refers to a configuration of users, a group of users, or network defined within the...
  • Page 109: Configuring The Websense Enterprise Content Filter

    Websense is a third party software package that allows you to use Internet content filtering through the SonicWALL. Select Websense Enterprise from the Content Filter Type menu. Customization of the Content Filter List is not available if you select Websense as your source for content filtering.
  • Page 110 Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX, and cookies are not blocked from Trusted Domains if the checkbox is selected.
  • Page 111: Configuring The Websense Content Filter List

    To enable reporting of users and groups defined on the Websense Enterprise server, leave this field blank. To enable reporting by a specific user or group behind the SonicWALL, enter the User Name configured on the Websense Enterprise Server for the user or group. If using NT-based directories on the Websense Enterprise Server, the User Name is in this format, for example: NTLM:\\domainname\username.
  • Page 112: Url Cache

    If Server is unavailable for 5 secs: If the Websense Enterprise server becomes unavailable, select from the following two options: • Block traffic to all Web sites • Allow traffic to all Web sites URL Cache Configure the size of the URL Cache in KB. Model XPRS, PRO, SOHO2, TELE2, SOHO3, TELE3, and PRO-Vx...
  • Page 113: Web Management Tools

    The SonicWALL can be restarted from the Web Management Interface. Click Restart SonicWALL, and then click Yes to confirm the restart. The SonicWALL takes up to 90 seconds to restart, and the yellow Test LED is lit. During the restart time, Internet access for all users on the LAN is momentarily interrupted.
  • Page 114: Preferences

    Exporting the Settings File It is possible to save the SonicWALL configuration information as a file on your computer, and retrieve it for later use. Click Export in the Preferences tab. 1. Click Export again to download the settings file. Then choose the location to save the settings file.
  • Page 115: Importing The Settings File

    Explorer 5.0 and higher, as well as Netscape Navigator 4.0 and higher, are recommended. Restoring Factory Default Settings You can erase the SonicWALL configuration settings and restore the SonicWALL to its factory default state. 1. Click Restore on the Preferences tab to restore factory default settings.
  • Page 116: Updating Firmware

    To be automatically notified when new firmware is available, select the Notify me when new firmware is available check box. Then click Update. If you enable firmware notification, your SonicWALL sends a status message to SonicWALL, Inc. Firmware Server on a daily basis. The status message includes the following information: •...
  • Page 117: Updating Firmware Manually

    Explorer 5.0 and higher as well as Netscape Navigator 4.0 and higher are recommended. When firmware is uploaded, the SonicWALL settings can be erased. Before uploading new firmware, export and save the SonicWALL settings so that they can be restored later. Once the settings have been saved, click Yes.
  • Page 118: Upgrade Features

    Upgrade Features SonicWALL Internet Security Appliances can be upgraded to support new or optional features. Chapter 15, SonicWALL Options and Upgrades, provides a summary of the SonicWALL firmware upgrades, subscription services, and support offerings. You can contact SonicWALL or your local reseller for more information about SonicWALL options and upgrades.
  • Page 119: Diagnostic Tools

    Diagnostic tab. DNS Name Lookup The SonicWALL has a DNS lookup tool that returns the numerical IP address of a domain name, or, if you enter an IP address, it returns the domain name.
  • Page 120 SonicWALL is properly configured. For example, if the SonicWALL “thinks” that a computer on the Internet is located on the LAN, then the SonicWALL Network or Intranet settings can be misconfigured. Find Network Path shows if the target device is behind a router, and the Ethernet address of the target device.
  • Page 121: Ping

    The Ping test bounces a packet off a machine on the Internet and returns it to the sender. This test shows if the SonicWALL is able to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server, or another machine at the ISP location.
  • Page 122: Packet Trace

    From 207.88.211.116 / 1937 (00:40:10:0c:01:4e) To 204.71.200.74 / 80 (02:00:cf:58:d3:6a) The SonicWALL forwards the client ACK to the remote host and waits for the data transfer to begin. When using packet traces to isolate network connectivity problems, look for the location where the three-way handshake is breaking down.
  • Page 123 1. Select Packet Trace from the Choose a diagnostic tool menu. Tip Packet Trace requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP address of a host. 2. Enter the IP address of the remote host in the Trace on IP address field, and click Start. You must enter an IP address in the Trace on IP address field;...
  • Page 124 Generating a Tech Support Report 1. Select Tech Support Report from the Choose a diagnostic tool menu. 2. Select the Report Options to be included with your e-mail. 3. Click Save Report to save the file to your system. When you click Save Report, a warning message is displayed.
  • Page 125: Trace Route

    Enter the IP address or domain name of the destination host. For example, enter yahoo.com and click Go. A second window is displayed with each hop to the destination host. By following the route, you can diagnose where the connection fails between the SonicWALL and the destination.
  • Page 126: 10 Network Access Rules

    Custom rules evaluate the source IP address, destination IP address, and IP protocol type of network traffic, and compare that information to the rules created on the SonicWALL. Network Access Rules take precedence, and can override the SonicWALL’s stateful packet inspection. For example, a rule that blocks IRC traffic takes precedence over the SonicWALL default setting of allowing this type of traffic.
  • Page 127: Services

    DMZ. By default, DMZ In is selected. The DMZ In column does not appear in the Web Management Interface for the SonicWALL SOHO3 and TELE3, which do not have a separate DMZ port.
  • Page 128: Public Lan Server

    By default, the SonicWALL blocks these broadcasts. If you select From LAN to WAN, your SonicWALL allows NetBIOS broadcasts from LAN to DMZ or from LAN to WAN. Then, LAN users are able to view machines on the DMZ and the WAN in their Windows Network Neighborhood.
  • Page 129: Add Service

    3. Enter the beginning number of the IP port range and ending number of the IP port range in the Port Range fields. If the service only requires one IP port, enter the single port number in both Port Range fields. Tip Visit <http://www.ietf.org/rfc/rfc1700.txt> for a list of IP port numbers.
  • Page 130: Enable Logging

    Custom rules take precedence and override the SonicWALL default rules. By default, the SonicWALL blocks all traffic from the Internet to the LAN and allows all traffic from the LAN to the Internet. Custom rules can be created to modify the default rules. For example, rules can be created for the following purposes: •...
  • Page 131: Maximum Number Of Rules By Product

    Rules tab. Alert Use extreme caution when creating or deleting Network Access Rules, as you can accidentally disable firewall protection or block access to the Internet. (Table: Rules Available for / Maximum Rules)
  • Page 132: Network Access Rule Logic List

    9. Does the rule conflict with any existing rules? Bandwidth Management The SonicWALL can be configured to manage the bandwidth of outbound (WAN) network traffic, which allows network administrators to prioritize traffic. Each Service added via a Rule has a checkbox to enable bandwidth management for the Service.
  • Page 133: Add A New Rule

    8. If you want the rule to time out after a period of inactivity, set the amount of time, in minutes, in the Inactivity Timeout in Minutes field. The default value is 5 minutes.
  • Page 134 11. Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field. Assign a priority from 0 (highest) to 7 (lowest). 12. Click Update. Once the SonicWALL has been updated, the new rule appears in the list of Current Network Access Rules.
  • Page 135: Add New Rule Examples

    11. Click Update to add your new Rule. Enabling Ping By default, your SonicWALL does not respond to ping requests from the Internet. This Rule allows ping requests from your ISP servers to your SonicWALL. 1. Click Add New Rule in the Rules window to launch the "Add Network Access Rule" window.
  • Page 136: Current Network Access Rules Table

    7. Since the intent is to allow a ping only to the SonicWALL, enter the SonicWALL LAN IP Address in the Destination Addr Range Begin field. 8. Select Always from the Apply this rule menu to ensure continuous enforcement. 9. Click Update to add your new Rule.
  • Page 137 However, Rule #1 blocks IRC (Chat) traffic from a computer on the LAN to a server on the WAN. The Default Deny Rule (#6) blocks all traffic from the WAN to the LAN, however, Rule #2 overrides this rule by allowing Web traffic from the WAN to the LAN.
  • Page 138: Users

    Currently, when a VPN tunnel is established between two SonicWALL appliances, any user residing on the local LAN of each SonicWALL can send data across the VPN. In some cases, complete user access could be a security risk, and only authenticated users should be allowed to access the VPN tunnel and send data across the network.
  • Page 139 RADIUS server. If you select Use RADIUS, users must log into the SonicWALL using HTTPS in order to encrypt the password sent to the SonicWALL. If a user attempts to log into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS.
  • Page 140 Users Currently Locked Out After Login Failures A list of current users locked after failing to log into the SonicWALL correctly is displayed in this section. The table lists the User Name Tried, the IP Address, Lockout Time Remaining, and an Unlock icon.
  • Page 141: User Login

    Logging into the SonicWALL as the administrator automatically gives the user access to all VPN tunnels requiring authentication. Tip Authentication sessions create a log entry in the SonicWALL, but user activity is not logged.
  • Page 142: Radius

    To configure RADIUS settings, complete the following instructions. Click the RADIUS tab. 1. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped.
  • Page 143 You can select the default privileges for all RADIUS users in this section. • Remote Access - Enable this check box if the user accesses the SonicWALL from a remote computer. This option is only available in Standard mode.
  • Page 144: Management

    1. To enable the SNMP agent, select Enable SNMP. 2. Enter the System Name. This is the hostname of the SonicWALL appliance. 3. In the System Contact field, type in the name of the network administrator for the SonicWALL appliance.
  • Page 145: Sonicwall Management Protocol

    HTTP management, you must include the port number when you use the IP address to log into the SonicWALL. For example, if you configure the port to be 76, then you must enter <LAN IP Address>:76 into the Web browser.
  • Page 146 When remote management is enabled, a Management SA is automatically generated. The Management SA uses Manual Keying to set up a VPN tunnel between the SonicWALL and the VPN client. The Management SA also defines Inbound and Outbound Security Parameter Indices (SPIs) which match the last eight digits of the SonicWALL serial number.
  • Page 147: 11 Advanced Features

    If you have a proxy server on your network, instead of configuring each computer to point to the proxy server, you can move the server to the WAN and enable Web Proxy Forwarding. The SonicWALL automatically forwards all Web proxy requests to the proxy server without requiring all the computers on the network to be configured.
  • Page 148: Configuring Web Proxy Relay

    Configuring Web Proxy Relay 1. Connect your Web proxy server to a hub, and connect the hub to the SonicWALL WAN port. Alert The proxy server must be located on the WAN or the DMZ; it can not be located on the LAN.
  • Page 149: Intranet

    Installation 1. Connect the LAN Ethernet port on the back of the SonicWALL to the network segment to be protected against unauthorized access. Alert Devices connected to the WAN port do not have firewall protection. It is recommended that you use another SonicWALL Internet security appliance to protect computers on the WAN.
  • Page 150: Intranet Configuration

    Intranet Settings Select one of the following four options: • SonicWALL WAN link is connected directly to the Internet router - Select this option if the SonicWALL is protecting your entire network. This is the default setting. • Specified address ranges are attached to the LAN link - Select this option if it is easier to specify the devices on your LAN.
  • Page 151: Vpn Single-Armed Mode (Stand-Alone Vpn Gateway)

    IPSec gateway. An example of a deployment is to place the SonicWALL between the existing firewall and the router connected to the Internet. Traffic is sent in clear text to the SonicWALL, then encrypted and sent to the appropriate VPN Gateway.
  • Page 152: Configuring A Sonicwall For Vpn Single Armed Mode

    Subnet Mask: 255.255.255.0 LAN IP Address: 192.168.2.1 Subnet Mask: 255.255.255.0 To configure a SonicWALL in VPN Single Armed Mode in front of an existing SonicWALL, follow these steps. 1. Configure the Remote and Corporate SonicWALLs in your preferred networking mode.
  • Page 153: Routes

    SonicWALL. If your router is located on the SonicWALL LAN, the Gateway address should be in the same subnet as the SonicWALL LAN IP Address. 4. Select the port on the SonicWALL that the router is connected to (the LAN, the WAN, or the DMZ) from the Link list.
  • Page 154: Lan Route Advertisement

    Note: This feature is only available on the PRO 100, PRO 200, PRO 230, PRO 300, and PRO 330. The SonicWALL uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL and remote VPN gateways are also reflected in the RIPv2 advertisements.
  • Page 155: Ripv2 Authentication

    Route Advertisement configuration. DMZ Addresses Note: For the SonicWALL PRO 100, PRO 200, PRO 300, PRO 230, PRO 330, and GX series only. The SonicWALL provides security by preventing Internet users from accessing machines on the LAN. This security, however, also prevents users from reaching public servers, such as Web or e-mail servers.
  • Page 156: Dmz In Standard Mode

    Click Advanced on the left side of the browser window, and then click DMZ Addresses. Servers on the DMZ must have unique, valid IP addresses in the same subnet as the SonicWALL WAN IP Address. Your ISP should be able to provide these IP addresses, as well as information on setting up public servers.
  • Page 157: Delete A Dmz Address Range

    3. If you choose to use DMZ NAT Many to One Public Address (Optional), enter the DMZ public IP address which is on the same subnet as the WAN for access to devices on the DMZ interface. DMZ NAT Many to One Public Address is only available if your SonicWALL is configured in NAT Enabled networking mode.
  • Page 158: Homeport In Nat Mode

    HomePort IP address as the default gateway IP address. HomePort in NAT Mode The SonicWALL HomePort now has the ability to use private internal IP addresses rather than public IP addresses on the network. Since NAT hides the true IP addresses in use on the network, NAT on the HomePort is an additional security feature for the SonicWALL.
  • Page 159: One-To-One Nat

    3. Enter the beginning IP address of the valid address range being mapped in the Public Range Begin field. This address should be assigned by your ISP. Alert Do not include the SonicWALL WAN IP (NAT Public) Address or the WAN Gateway (Router) Address in this range.
  • Page 160: One-To-One Nat Configuration Example

    One-to-One NAT Configuration Example This example assumes that you have a SonicWALL running in the NAT-enabled mode, with IP addresses on the LAN in the range 192.168.1.1 - 192.168.1.254, and a WAN IP address of 208.1.2.2. Also, you own the IP addresses in the range 208.1.2.1 - 208.1.2.6.
  • Page 161: Ethernet

    Enable Bandwidth Management To enable Bandwidth Management on the SonicWALL, you must know the current bandwidth of your connection. Once you have this figure, you can select Enable Bandwidth Management on the Advanced/Ethernet page, and then enter the amount of available WAN bandwidth in Kbps. Click...
  • Page 162: Dmz/Workport Link Settings

    The SonicWALL appliance takes the Ethernet address of the computer managing the SonicWALL appliance and proxies that address onto the WAN port of the SonicWALL. If you are not managing the SonicWALL appliance from the LAN side, the firmware looks for a random computer on the LAN, creating a lengthy search process.
  • Page 163: Sonicwall Bandwidth Management

    VPN Configure tab, and then specifying the Guaranteed, Maximum, and priority of all VPN traffic through the SonicWALL. Alert Bandwidth management cannot be configured for individual VPN Security Associations. It can only be configured for all VPN traffic.
  • Page 164 Bandwidth Management Schema. Examples of Bandwidth Management Rules (table columns: Rule, Service, Priority, Guaranteed, Maximum): Allow SMTP, guaranteed 300 Kbps, maximum 1000 Kbps; Allow (service not legible), guaranteed 100 Kbps, maximum 200 Kbps; Allow HTTP, guaranteed 100 Kbps, maximum 200 Kbps. Priority values are not legible.
  • Page 165: 12 Dhcp Server

    The SonicWALL DHCP Server distributes IP addresses, gateway addresses and DNS server addresses to the computers on your LAN. To access the SonicWALL DHCP Setup window, click DHCP on the left side of the browser window. There are three tabs in the DHCP section: •...
  • Page 166: Configuring The Sonicwall Dhcp Server

    The length of time can range from 1 to 9999 minutes. 3. If configuring the DHCP server for the LAN, enter the gateway address used by LAN computers to access the Internet in the LAN Default Gateway field. Enter the SonicWALL LAN IP Address if NAT is enabled.
  • Page 167: Deleting Dynamic Ranges And Static Entries

    DHCP over VPN DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one IP subnet address space.
  • Page 168: Configuring The Central Gateway For Vpn Over Dhcp

    3. If you want to send DHCP requests to specific servers, enable the Send DHCP requests to the server addresses listed below check box. Enter the IP addresses of DHCP servers in the Add DHCP Server field, and click Update. The SonicWALL now directs DHCP requests to the specified servers.
  • Page 169 4. The Relay IP address is a static IP address from the pool of specific IP addresses on the Central Gateway. It should not be available in the scope of DHCP addresses. The SonicWALL can also be managed through the Relay IP address.
  • Page 170 Ethernet address of the device to configure this setting. The Ethernet address of a device can be determined by typing ipconfig/all into a Command Prompt window. Alert You must configure the local DHCP server on the remote SonicWALL to assign IP leases to these computers.
  • Page 171: Dhcp Status

    Click Refresh to reload the list of bindings. This can be necessary because Web pages are not automatically refreshed, and new bindings can have been issued since the page was first loaded.
  • Page 172: Dhcp Server On The Sonicwall Tele3 Tz And Tzx

    DHCP Server on the SonicWALL TELE3 TZ and TZX This section explains the configuration of the SonicWALL DHCP Server on the SonicWALL TELE3 TZ and TZX. DHCP, Dynamic Host Configuration Protocol, is a method to distribute TCP/IP settings from a centralized server to computers on a network.
  • Page 173: Configuring The Sonicwall Dhcp Server

    5. Enter the domain name registered for your network in the Domain Name field. An example of a domain name is "your-domain.com". If you do not have a domain name, leave this field blank. 6. Select Set DNS Servers using the SonicWALL Network settings to use the DNS servers that you specified in the SonicWALL Network section.
  • Page 174: Deleting Dynamic Ranges And Static Entries

    Web browser window. Continue this process until you have added all the desired static entries. Tip The SonicWALL DHCP server can assign a total of 254 dynamic and static IP addresses. Deleting Dynamic Ranges and Static Entries •...
  • Page 175: Dhcp Status

    Click Refresh to reload the list of bindings. This can be necessary because Web pages are not automatically refreshed, and new bindings can have been issued since the page was first loaded.
  • Page 176: 13 Sonicwall Vpn

    SonicWALL VPN provides secure, encrypted communication to business partners and remote offices at a fraction of the cost of dedicated leased lines. Using the SonicWALL intuitive Web Management Interface, you can quickly create a VPN Security Association to a remote site.
  • Page 177: Vpn Management Interface

    Global VPN Settings The Global VPN Settings section displays the following information: • Unique Firewall Identifier - the default value is the serial number of the SonicWALL appliance. You can change the Identifier, and use it for configuring VPN tunnels. •...
  • Page 178: Vpn Bandwidth Management

    Security Associations to use bandwidth management. VPN Policies This section displays all of the VPN configurations in the SonicWALL appliance. If you click the name of the security association, the security association settings are displayed. The Security Association, Group VPN, is a default setting.
  • Page 179: Sonicwall Nat Traversal Support

    Selecting Enable NAT Traversal in the Global VPN Settings section of the Summary tab allows VPN tunnels to support this protocol, and log messages are generated by the SonicWALL when an IPSec Security Gateway is detected behind a NAT/NAPT device. The following log messages are found on the View Log tab: •...
  • Page 180: Configure Tab

    The feature is useful if it is suspected that a remote VPN user connection has become unstable or insecure. It can also temporarily block access to the SonicWALL appliance if necessary. Disable the Security Association by checking the Disable this SA check box. Click Update for the change to take effect.
  • Page 181: Security Policy Settings

    Group VPN SA. The VPN Client does not support ARCFour encryption methods, and you cannot disable authentication in the VPN client. The following encryption methods are available for Group VPN and are listed in order from most secure to least secure: (Table: Group Descriptor / Prime Size (bits))
  • Page 182 Aggressive Mode a little faster when establishing the connection. Selecting Aggressive Mode forces the SonicWALL appliance to use Aggressive Mode to establish the VPN tunnel even if the SonicWALL has a static IP address. Aggressive Mode is useful when the SonicWALL is located behind another NAT device.
  • Page 183 HMAC MD5 authentication. 3DES is an extremely secure encryption method, and HMAC MD5 is used to verify integrity. This method significantly impacts the data throughput of the SonicWALL. - Strong Encrypt for Checkpoint (ESP 3DES) - interoperable with CheckPoint Firewall-1. In manual key mode, Encrypt for CheckPoint uses 168-bit DES to encrypt data.
  • Page 184 "a" to "f" inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). • Outgoing SPI - Enter the Security Parameter Index (SPI) that the local SonicWALL transmits to identify the Security Association used for the VPN Tunnel. The SPI may be up to eight characters long and is comprised of hexadecimal characters.
  • Page 185: Destination Networks

    To delete an SA, select it from the list and click the Delete This SA button. To modify an SA, select it from the list, make the desired changes, and click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the Web browser window. Click Update to enable the changes.
  • Page 186: Advanced Settings

    Interruption of the signal forces the tunnel to renegotiate the connection. Try to bring up all possible SAs If multiple SAs are configured on the SonicWALL, select this feature to have the SonicWALL renegotiate the tunnels if they lose communication with the SonicWALL.
  • Page 187: Require Authentication Of Local Users

    VPN tunnel. Normally, inbound traffic is decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the Routes tab located under the Advanced section.
  • Page 188: Route All Internet Traffic Through This Sa

    Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via the corporate office. Route all internet traffic through this SA Selecting this box allows a network administrator to force all WAN-destined traffic to go through a VPN tunnel to a central site.
  • Page 189: Vpn Terminated At The Lan, Dmz, Or Lan/Dmz

    LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped. VPN Terminated at the LAN, DMZ, or LAN/DMZ Selecting this option allows you to terminate a VPN tunnel on a specific destination instead of allowing the VPN tunnel to terminate on the SonicWALL network.
  • Page 190: Advanced Settings For Vpn Configurations

    Terminate VPN on the LAN, DMZ or LAN/DMZ *Default LAN Gateway and Forward Packets to Remote VPN are not configured for VPN Client to SonicWALL appliance connections using Manual Key Exchange. These parameters apply to both SonicWALL Certificates and Third Party Certificates.
  • Page 191: Configuring Sonicwall Vpn

    Configuring SonicWALL VPN This section covers the configuration of SonicWALL VPN for the SonicWALL Internet Security Appliance as well as the installation and configuration of the SonicWALL VPN client software. Group Configuration, Manual Key Configuration, and IKE Configuration (SonicWALL to SonicWALL) are described in this chapter.
  • Page 192: Group Vpn Configuration For The Sonicwall And Vpn Client

    Click VPN on the left side of the SonicWALL browser window, and then click Configure. The SonicWALL VPN tab defaults to a Group VPN setting. This feature facilitates the set up and deployment of multiple VPN clients by the administrator of the SonicWALL appliance. Security settings can now be exported to the remote client and imported into the remote VPN client settings.
  • Page 193 IP address of the default LAN route for incoming IPSec packets for this SA. Tip It is not necessary to configure the Advanced Settings to get the VPN connection working between the SonicWALL and the VPN client. You can configure the Advanced Settings later, and then re-import the SA into the VPN Client.
  • Page 194: Group Vpn Client Setup

    Group VPN Client Setup Installing the VPN Client Software 1. When you register your SonicWALL or SonicWALL VPN Upgrade, a unique VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed. 2. Unzip the SonicWALL VPN Client zip file.
  • Page 195 My Identity to view the settings. 5. Click Pre-Shared Key to enter the Pre-Shared Secret created in the Group VPN settings in the SonicWALL appliance. Click Enter Key and enter the pre-shared secret. Then click OK. Page 196 SonicWALL Internet Security Appliance Administrator’s Guide...
  • Page 196 Group VPN can also be configured using digital certificates in the Security Association settings. For more information on Group VPN configuration using digital certificates, refer to the Authentication Service User's Guide on the SonicWALL Website: <http://www.sonicwall.com/vpn-center/vpn-setup.html>.
  • Page 197 You can verify the connection by verifying the type of icon displayed in the system tray near the system clock. The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system. The icon changes to reflect the current status of your communication over the VPN tunnel.
  • Page 198: Manual Key Configuration For The Sonicwall And Vpn Client

    Manual Key Configuration for the SonicWALL and VPN Client Configuring the SonicWALL To configure the SonicWALL appliance, click VPN on the left side of the browser window, and select Enable VPN to allow the VPN connection. 1. Select Disable VPN Windows Networking (NetBIOS) broadcast. Leave the Enable Fragmented Packet Handling unselected until the SonicWALL logs show many fragmented packets transmitted.
  • Page 199: Configuring The Vpn Client

    1. When you register your SonicWALL VPN Upgrade at <http://www.mysonicwall.com>, a unique VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed. Alert: SonicWALL PRO 300 lists an additional 50 serial numbers on the back of the SonicWALL VPN Client certificate.
  • Page 200 Click My Connections, and right click to select Add > Connection at the top of the Security Policy Editor window. TIP! The security policy is renamed to match the SA name created in the SonicWALL. You can rename the security policy by highlighting New Connection in the Network Security Policy box and entering the security policy name.
  • Page 201 4. Select Use Manual Keys in the Select Phase 1 Negotiation Mode menu. 5. Click the + next to Security Policy, and select Key Exchange (Phase 2). Click the + next to Key Exchange (Phase 2), and select Proposal 1.
  • Page 202 4. Select the Encapsulation Protocol (ESP) check box. 5. Select DES from the Encryption Alg menu. 6. Select MD5 from the Hash Alg menu. 7. Select Tunnel from the Encapsulation menu. 8. Leave the Authentication Protocol (AH) check box unselected. DES with MD5 is the weakest combination offered; choose it only because this procedure requires it, and prefer 3DES with SHA1 (the guide's Strong Encrypt and Authenticate setting) wherever both ends support it.
  • Page 203 4. Select Binary in the Choose key format options. 5. Enter the SonicWALL 16-character Encryption Key in the ESP Encryption Key field. 6. Enter the SonicWALL 32-character Authentication Key in the ESP Authentication Key field, then click OK. Configuring Outbound VPN Client Keys 1.
  • Page 204 Verifying the VPN Client Icon in the System Tray The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system. The icon changes to reflect the current status of your communication over the VPN tunnel.
  • Page 205: Ike And Manual Key Configuration For Two Sonicwalls

    VPN tunnel between two SonicWALLs. Manual Key for Two SonicWALLs Click VPN on the left side of the SonicWALL browser window, and then click the Configure tab. 1. Select Manual Key from the IPSec Keying Mode menu. 2. Select -Add New SA- from the Security Association menu.
  • Page 206 6. Define an SPI that the local SonicWALL uses to identify the Security Association in the Outgoing SPI field.SPIs should range from 3 to 8 characters in length and include only hexadecimal characters. Alert Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs.
  • Page 207: Configuring The Second Sonicwall Appliance

    Widgit, Inc. wants to connect their main office with a branch office on the East Coast. Using a SonicWALL PRO 300 and a TELE3, they can configure a secure VPN tunnel between the two sites. The main office has the following network settings: •...
  • Page 208 VPN tunnel. 12. Click OK, and then click Update. Configuring the Remote SonicWALL To configure the remote SonicWALL, use the following steps: 1. Configure the network settings for the firewall using the Network tab located in the General section. 2. Click Update and restart the SonicWALL if necessary.
  • Page 209 SA. This is used in conjunction with the Route all internet traffic through this SA check box. VPN Terminated at LAN, DMZ, or LAN/DMZ: select one of the three terminating points for the VPN tunnel. 12. Click OK, and then click Update.
  • Page 210: Ike Configuration For Two Sonicwalls

    3. Enter a descriptive name for the Security Association, such as "Palo Alto Office" or "NY Headquarters", in the Name field. 4. Enter the IP address of the remote SonicWALL in the IPSec Gateway Address field. This address must be valid, and should be the NAT Public IP Address if the remote SonicWALL uses Network Address Translation (NAT).
  • Page 211 9. Select Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) from the Phase 2 Encryption/ Authentication menu. Enter an alphanumeric “secret” in the Shared Secret field. The Shared Secret must match the corresponding field in the remote SonicWALL. This field can range from 4 to 128 characters in length and is case sensitive.
  • Page 212: Example Of Ike Configuration For Two Sonicwalls

    Unique Firewall Identifier. Enter the TELE3 Unique Firewall Identifier in the Name field, in this example, "San Francisco Office." 5. Enter the WAN IP address of the remote SonicWALL in the IPSec Gateway Address field. In this example, the San Francisco SonicWALL TELE3 has a dynamic IP address, therefore enter "0.0.0.0"...
  • Page 213 4. Enter the SonicWALL PRO 200 Unique Firewall Identifier in the SonicWALL TELE3 Name field, in this example, "Chicago Office." 5. Enter the SonicWALL PRO 200 WAN IP Address in the IPSec Gateway Address field. This address must be valid, and is the SonicWALL PRO 200 NAT Public Address, or "216.0.0.20."...
  • Page 214 Francisco office Phase 2 Encryption/Authentication must match Chicago, so Encrypt and Authenticate (ESP 3DES HMAC SHA1) must be selected. 10. Enter the same Shared Secret used in the Chicago Office SonicWALL PRO 200 into the SonicWALL TELE3 Shared Secret field.
  • Page 215: Sonicwall Third Party Digital Certificate Support

    A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). SonicWALL now supports third party certificates in addition to the existing Authentication Service. The difference between third party certificates and the SonicWALL Authentication Service is the ability to select the source for your CA certificate.
  • Page 216: Overview Of Third Party Digital Certificate Support

    Importing CA Certificates into the SonicWALL After your CA service has validated your CA Certificate, you can import it into the SonicWALL and use it to validate Local Certificates for VPN Security Associations. To import your CA Certificate into the SonicWALL, use the following steps: 1.
  • Page 217 After a certificate is signed by the CA and returned to you, you can import the certificate into the SonicWALL to be used as a Local Certificate for a VPN Security Association. Use the following steps to import the certificate into the SonicWALL: 1.
  • Page 218: Creating A Certificate Signing Request

    Importing a Signed Local Certificate When the CA service returns the signed certificate request generated locally, import it into the SonicWALL using the following steps: 1. In the Current Certificates section of Local Certificates, select the corresponding request from the Certificates menu.
  • Page 219: Sonicwall Enhanced Vpn Logging

    SonicWALL Enhanced VPN Logging If Network Debug is selected in the Log Settings tab panel, detailed logs are kept of the VPN negotiations with the SonicWALL appliance. Enhanced VPN Logging is useful for troubleshooting VPN connections that fail to establish or drop unexpectedly.
  • Page 220: Testing A Vpn Tunnel Connection Using Ping

    2. Type ping, then the IP address of the host computer. Press Enter to begin the data communication. 3. A successful ping communication returns data packet information to you. An unsuccessful ping returns a message of Request Timed Out.
  • Page 221: Configuring Windows Networking

    1. Click Start, then Control Panel. Locate the Network icon and double-click it. 2. Select Client for Microsoft Networks from the list, and then click Properties. Networking, you are able to browse the remote network using Network...
  • Page 222 Windows NT domain text box. Select Quick Logon under Network logon options section. 4. Click on the Identification tab, and enter the domain name provided by your administrator in the Workgroup text box.
  • Page 223 Find tool in the Start menu. Type in the IP address into the Computer Named text box, and click Find Now. To access the computer remotely, double-click on the computer icon in the box.
  • Page 224: 14 High Availability

    All SonicWALL ports being used must be connected together with a hub or switch. Each SonicWALL must have a unique LAN IP Address on the same LAN subnet. If each SonicWALL has a unique WAN IP Address for remote management, the WAN IP Addresses must be in the same subnet.
  • Page 225: Configuring High Availability On The Primary Sonicwall

    • LAN IP Address - This is a unique IP address for accessing the primary SonicWALL from the LAN whether it is Active or Idle. Alert: This IP address is different from the IP address used to contact the SonicWALL in the General Network settings.
  • Page 226 • LAN IP Address - The unique LAN IP address used to access and manage the backup SonicWALL whether it is Active or Idle. Alert: This IP address is different from the IP address used to contact the SonicWALL in the General Network settings.
  • Page 227: Configuration Changes

    LAN IP address and confirm that it is the backup SonicWALL. If the primary SonicWALL fails to synchronize with the backup, an error message is displayed at the bottom of the screen. An error message also appears on the Status tab. To view the error message on the Status tab, click General on the left side of the browser and then Status at the top of the window.
  • Page 228: Synchronizing Changes Between The Primary And Backup Sonicwalls

    Alert: If you change the IP address of either SonicWALL, synchronization cannot occur between the two SonicWALLs without updating the changes manually in the High Availability configuration. Synchronizing Changes between the Primary and Backup SonicWALLs Changes made to the Primary or Backup firewall are synchronized automatically between the two firewalls.
  • Page 229: High Availability Status Window

    SonicWALL LAN IP Address. Click High Availability on the left side of the browser window and then click Configure at the top of the window. If the primary SonicWALL is active, the first line in the status window above indicates that the primary SonicWALL is currently Active.
  • Page 230: E-Mail Alerts Indicating Status Change

    The first line in the status window indicates that the backup SonicWALL is currently Active. It is also possible to check the status of the backup SonicWALL by logging into the LAN IP Address of the backup SonicWALL. If the primary SonicWALL is operating normally, the status window indicates that the backup SonicWALL is currently Idle.
  • Page 231: View Log

    SonicWALL Web Management Interface or it may be automatically sent to the administrator's E-mail address. To view the SonicWALL log, click Log on the left side of the browser window and then click on View Log at the top of the window.
  • Page 232: Configuration Notes

    To restart the active SonicWALL, log into the primary SonicWALL LAN IP Address and click Tools on the left side of the browser window and then click Restart at the top of the window. Click Restart SonicWALL, then Yes to confirm the restart. Once the active SonicWALL restarts, the other SonicWALL in the High Availability pair takes over operation.
  • Page 233: 15 Sonicwall Options And Upgrades

    In addition, the SonicWALL restricts access to the Internet if virus software is not detected on the client, enforcing virus protection. This strategy ensures that current virus software is installed and active on every computer on the network, preventing a rogue user from disabling virus protection and exposing the entire organization to an outbreak.
  • Page 234: Content Filter List Subscription

    Inappropriate online content can create an uncomfortable work environment, lead to harassment lawsuits, or expose children to pornography or racially intolerant sites. The SonicWALL Content Filter List subscription allows your organization to create and enforce Internet access policies tailored to the requirements of the organization.
  • Page 235: Sonicwall Viewpoint Reporting

    SonicWALL Global Management System SonicWALL Global Management System (GMS) is a scalable, cost-effective solution that extends the SonicWALL's ease of administration, giving you the tools to manage the security policies of remote, distributed networks. SonicWALL GMS lets you administer SonicWALLs at your corporate headquarters, branch offices and telecommuters from a central location.
  • Page 236: 16 Hardware Descriptions

    Note that the device connected to the SonicWALL must support the standard Link Integrity test • Activity Lights up when the SonicWALL transmits or receives a packet through the Twisted Pair port onto the network. • (3) Twisted Pair (10Base-T, 100Base-T) Ethernet Ports (3) Auto switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks.
  • Page 237 • Reset Switch Resets the SonicWALL PRO 200 or the SonicWALL PRO 300 to its factory clean state. This can be required if you forget the administrator password, or the SonicWALL firmware has become corrupt SonicWALL PRO 230 and PRO 330 Rear Panel Description...
  • Page 238: Sonicwall Pro 200 And Pro 300

    The SonicWALL PRO 200 front panel is shown below, followed by a description of each item. The SonicWALL PRO 300 is identical to the SonicWALL PRO 200 except for the PRO 300 label on the front panel and the inclusion of VPN accelerator hardware and an additional 8MB of RAM.
  • Page 239 SonicWALL PRO 200 and PRO 300 Back Panel The SonicWALL PRO 200 back panel is shown below, followed by a description of each item. The SonicWALL PRO 300 back panel is identical to the SonicWALL PRO 200. Cooling Vents 10Mbps/100Mbps...
  • Page 240: Sonicwall Pro 100

    SonicWALL PRO 100 Front Panel The SonicWALL PRO 100 front panel is shown below, followed by a description of each item. Power LED SonicWALL PRO 100 Front Panel Description • Power Lights up when power is applied to the SonicWALL PRO 100.
  • Page 241 SonicWALL PRO 100 Back Panel The SonicWALL PRO 100 back panel is shown below, followed by a description of each item. Cooling Vents Reset Switch Serial Port SonicWALL PRO 100 Back Panel Description • Reset Switch Erases the firmware and resets SonicWALL PRO 100 to its factory clean state. This can be necessary if the administrator password is forgotten, or the firmware has become corrupt.
  • Page 242: Sonicwall Tele3 Sp

    SonicWALL TELE3 SP Front Panel The SonicWALL TELE3 SP front panel is shown below, followed by a description of each item. Modem LED WAN Port LEDs Power LED Link, 100, Activity SonicWALL TELE3 SP Front Panel Description • Power Lights up when power is applied to the SonicWALL TELE3 SP.
  • Page 243: The Sonicwall Tele3 Sp Back Panel Description

    SonicWALL TELE3 SP Back Panel The SonicWALL TELE3 SP back panel is shown below, followed by a description of each item. Cooling Vents 5VDC,2A Power input Reset Switch The SonicWALL TELE3 SP Back Panel Description • Power Input Connects to the external power supply that is provided with the SonicWALL TELE3 SP. The use of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL TELE3 SP against damage or loss of data due to electrical storms, power failures, or power surges.
  • Page 244 SonicWALL TELE3 TZ Front Panel The SonicWALL TELE3 TZ front panel is shown below, followed by a description of each item. Power LED SonicWALL TELE3 TZ Front Panel Description • Power Lights up when power is applied to the SonicWALL TZ.
  • Page 245 • Power Input Connects to the external power supply that is provided with the SonicWALL TZ. The use of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL TZ against damage or loss of data due to electrical storms, power failures, or power surges.
  • Page 246: Sonicwall Tele3 Tzx

    SonicWALL TELE3 TZX Front Panel The SonicWALL TELE3 TZX front panel is shown below, followed by a description of each item. Power LED WAN Port LEDs Link, 100, Activity SonicWALL TELE3 TZX Front Panel Description • Power Lights up when power is applied to the SonicWALL TZX.
  • Page 247 • Power Input Connects to the external power supply that is provided with the SonicWALL TZX. The use of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL TZX against damage or loss of data due to electrical storms, power failures, or power surges.
  • Page 248: Sonicwall Soho3 And Tele3

    SonicWALL SOHO3 and TELE3 Front Panel The SonicWALL SOHO3 front panel is shown below, followed by a description of each item. The SonicWALL TELE3 is identical to the SonicWALL SOHO3 except for the TELE3 label on the front panel and the inclusion of SonicWALL VPN.
  • Page 249 SonicWALL SOHO3 and TELE3 Back Panel The SonicWALL SOHO3 back panel is shown below, followed by a description of each item. The SonicWALL TELE3 back panel is identical to the SonicWALL SOHO3. Cooling Vents Reset Switch Serial Port SonicWALL SOHO3 and TELE3 Back Panel Description •...
  • Page 250: Sonicwall Gx 250 And Gx 650

    The SonicWALL GX 250 front panel is shown below, followed by a description of each item. The SonicWALL GX 650 is identical to the SonicWALL GX250 except for the GX 650 label on the front panel and the types of network interfaces installed.
  • Page 251 The Link light is green when a twisted pair connection is made to another Ethernet device (usually a switch or a hub) on the port. Note that the device connected to the SonicWALL must support the standard link integrity test. The Link LED blinks, indicating Activity, when the SonicWALL transmits or receives a packet through the Twisted Pair port onto the network.
  • Page 252 SonicWALL GX 250 and GX 650 Back Panel Description • Power Inputs There are two power input receptacles to connect the SonicWALL to the AC power input. The unit comes standard with redundant hot swappable power supplies with active power function correction (100-240 VAC 50/60 Hz).
  • Page 253: 17 Troubleshooting Guide

    All computers on the LAN should be able to log into the SonicWALL Management Interface by typing the SonicWALL LAN IP Address into the Location or Go to field from a Web browser. If the SonicWALL authentication screen does not appear, check for Ethernet connectivity problems.
  • Page 254: The Sonicwall Does Not Save Changes That You Have Made

    The SonicWALL does not save changes that you have made • When configuring the SonicWALL, be sure to click Update before moving to another window or tab, or all changes will be lost. •...
  • Page 255: 18 Appendices

    8 oz (0.23 kg) 1.1 lbs (0.48 kg) Power 100V to 240V AC 100V to 240V AC Note: Specifications for the SonicWALL Internet security appliances are subject to change. Please verify the above specifications with product datasheets. Standards TCP/IP, UDP, ICMP, HTTP,...
  • Page 256: Appendix B - Sonicwall Support Solutions

    Internet Security Expertise Technical Support is only as good as the people providing it to you. SonicWALL support professionals are Certified Internet Security Administrators with years of experience in networking and Internet security. They are also supported by the best in class tools and processes that ensure a quick and accurate solution to your problem.
  • Page 257: Warranty

    • Access to SonicWALL’s electronic support and Knowledge Base systems All of SonicWALL Support Services offer a variety of support services to meet your unique needs including fast, responsive service, instant access to electronic support tools, and high quality technical support.
  • Page 258 SonicWALL provides technical assistance during standard coverage hours by telephone or through Web-based support tools for 90 days after the date of purchase. A SonicWALL technical specialist works with you to remotely diagnose and identify firmware and hardware not performing to documented specifications.
  • Page 259: Software/Firmware Updates

    Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and provides instructions for returning the hardware to SonicWALL. Upon receipt of the failed appliance, SonicWALL ships a fully functional appliance.
  • Page 260 SonicWALL Support 24X7 provides access to SonicWALL's Web-based support tools, including FAQs, documentation, and Knowledge Base systems. Availability SonicWALL Support 24X7 is an annual service available for sale at the time of product purchase or anytime before warranty expiration.
  • Page 261 SonicWALL Support 8X5 provides access to SonicWALL's Web-based support tools, including FAQs, documentation, and Knowledge Base systems. Availability SonicWALL Support 8X5 is an annual service available for sale at the time of product purchase or anytime before warranty expiration.
  • Page 262: Appendix C - Introduction To Networking

    This appendix provides a non-technical overview of the network protocols supported by the SonicWALL and includes a discussion of Internet Protocol (IP) addressing. It can be helpful to review a book on TCP/IP for an overview of protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol).
  • Page 263: Network Protocols

    DNS - Domain Name System (DNS) is a protocol that matches Internet computer names to their corresponding IP addresses. By using DNS, a user can type in a computer name, such as www.sonicwall.com, instead of an IP address, such as 192.168.168.168, to access a computer.
  • Page 264 IP Addressing To become part of an IP network, a network device must have an IP address. An IP address is a unique number that differentiates one device from another on the network to avoid confusion during communication. To help illustrate IP addresses, the following sections compare an IP address to the telephone numbering system, a system that is used every day.
  • Page 265: Network Address Translation (Nat)

    A node is a device, such as a PC or a printer, on a network with an IP address. The feature chart shows how many node licenses for PCs or printers are included with a SonicWALL Internet Security appliance. The TELE3 has a non-upgradeable 5-node license, but the SOHO3 can be upgraded to a 10-node, 50-node, or unlimited-node license.
  • Page 266 Internet until the appliance is rebooted. When a computer or other device connects to the LAN port of the SonicWALL, it is detected via broadcast and stores the computer or other device IP address in memory. If 5, 10, or 50 IP addresses have been stored in the SonicWALL, the SonicWALL does not permit any additional machines to access the Internet.
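    The node-license behaviour just described (hosts learned from their broadcasts, a fixed number of slots, and a table that is only cleared by a reboot) as an added example. This is illustrative code, not SonicWALL firmware; the LAN subnet, license limit and host addresses are constructed.

```python
"""Node-license table as the guide describes it (added example, not SonicWALL code).

A LAN host is learned when it is seen broadcasting, its address takes one of the
licensed slots (5, 10 or 50), and once the slots are full any further host is
refused Internet access. Slots are not released when a host leaves; only a
reboot clears the table. All addresses used here are constructed sample input.
"""
import ipaddress


class NodeLicenseTable:
    def __init__(self, limit: int, lan_subnet: str):
        self.limit = limit
        self.lan = ipaddress.ip_network(lan_subnet, strict=False)
        self.nodes = []  # learned LAN addresses, in order of first sighting

    def see_broadcast(self, src_ip: str) -> None:
        """Learn a LAN host from a broadcast it sends; non-LAN sources are ignored."""
        ip = ipaddress.ip_address(src_ip)
        if ip not in self.lan:
            return
        if str(ip) not in self.nodes and len(self.nodes) < self.limit:
            self.nodes.append(str(ip))

    def permits_internet(self, src_ip: str) -> bool:
        """A host gets out only if it holds a slot; a late arrival to a full table is denied."""
        self.see_broadcast(src_ip)
        return src_ip in self.nodes

    def slots_free(self) -> int:
        return self.limit - len(self.nodes)

    def reboot(self) -> None:
        """Only a reboot releases slots, including those of hosts that have since left."""
        self.nodes.clear()


if __name__ == "__main__":
    table = NodeLicenseTable(5, "192.168.168.0/24")     # TELE3-style 5-node license
    for host in range(10, 15):                           # five constructed LAN hosts
        print(f"192.168.168.{host}", table.permits_internet(f"192.168.168.{host}"))
    print("sixth host 192.168.168.99", table.permits_internet("192.168.168.99"))
    table.reboot()
    print("after reboot 192.168.168.99", table.permits_internet("192.168.168.99"))
```

    The operational consequence is that a replaced or retired PC keeps consuming a slot until the appliance is restarted, so an unexplained "cannot reach the Internet" from one new host on a small-license unit is worth checking against the node count before anything else.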
  • Page 267: Appendix D - Ip Port Numbers

    While the IANA cannot control the use of these ports, it lists their uses as a convenience. RFC 1700 places the Registered Ports in the range 1024-65535; current IANA practice narrows the registered range to 1024-49151 and treats 49152-65535 as dynamic or private ports. Visit <http://www.ietf.org/rfc/rfc1700.txt> for the list of IP port numbers this guide refers to.
  • Page 268: Appendix E - Configuring Tcp/Ip Settings

    The SonicWALL is pre-configured with the IP address “192.168.168.168". During the initial configuration, it is necessary to temporarily change the IP address of the Management Station to one in the same subnet as the SonicWALL. For initial configuration, set the IP address of the Management Station to "192.168.168.200".
  • Page 269 Windows NT 1. From the Start list, highlight Settings and then select Control Panel. 2. Double-click the Network icon in the Control Panel window. 3. Double-click TCP/IP in the TCP/IP Properties window. 4. Select the Specify an IP Address radio button.
  • Page 270 Windows 2000 1. In Windows 2000, click Start, then Settings. 2. Click Network and Dial-up Connections. Double-click the network connection name to open the Status window. 3.Click Status to open the Properties window. 4.Double-click Internet Protocol (TCP/IP) to open the TCP/IP properties window.
  • Page 271 Windows XP 1. Open the Local Area Connection Properties window. 2. Double-click Internet Protocol (TCP/IP) to open the Internet Protocol (TCP/IP) Properties window. 3. Select Use the following IP address and enter 192.168.168.200 in the IP address field.
  • Page 272 2. From the Configure list, choose Manually. 3. Enter "192.168.168.200" in the IP address field. 4. Enter the Subnet Mask address in the Subnet Mask field. 5. Click OK. Follow the SonicWALL Installation Wizard instructions to perform the initial setup of the SonicWALL.
  • Page 273: Appendix F - Basic Vpn Terms And Concepts

    Symmetric cryptography, or secret key cryptography, is usually faster than asymmetric cryptography. Therefore symmetric algorithms are often used when large quantities of data have to be exchanged. SonicWALL VPN uses Symmetric Cryptography. As a result, the key on both ends of the VPN tunnel must match exactly.
  • Page 274 IP packet containing an Encapsulating Security Payload. ESP typically involves encryption of the packet payload using standard encryption mechanisms, such as RC4 (also called ARCFour), DES, or 3DES. The SonicWALL supports 56-bit ARCFour, 56-bit DES and 168-bit 3DES. Of these, only 3DES still offers meaningful protection; 56-bit DES and RC4 are breakable with modest resources and should be selected only where a peer supports nothing stronger.
  • Page 275 The increased latency is primarily due to the calculation of the authentication data by the sender, and the calculation and comparison of the authentication data by the receiver for each IP packet containing an Authentication Header.
  • Page 276 ARCFour is used for communications with secure Web sites using the SSL protocol. Many banks use a 40 bit key ARCFour for online banking, while others use a 128 bit key. SonicWALL VPN uses a 56 bit key for ARCFour.
  • Page 277: Appendix G- Erasing The Firmware

    If your SonicWALL DMZ unit has a circular reset button that is recessed in the back of the unit, then it’s an older DMZ model and you should follow the procedure for locating the reset button inside the unit.
  • Page 278: Appendix H- Mounting The Sonicwall Pro 200 And Pro

    Appendix H- Mounting the SonicWALL PRO 200 and PRO 300 The SonicWALL PRO 200 and SonicWALL PRO 300 are designed to be mounted in a standard 19- inch rack mount cabinet. The following conditions are required for proper installation: •...
  • Page 279: Appendix I - Configuring Radius And Ace Servers

    6. Click RAS Clients, and select SonicWALL Firewall from the Make/Model list. Click Save. If there is no entry for SonicWALL Firewall, be sure that steps 2 and 3 were performed correctly.
  • Page 280: Configuring User Privileges

    3. Select the privilege to be set, and click Add. Repeat until all of the privileges are added for the user. Steel Belted RADIUS supports CHAP, so the user's password is not sent in clear text and authentication can take place even if HTTPS is not available when logging into the SonicWALL management interface. Select Allow PAP or CHAP when setting user passwords. ACE Server (RSA) The ACE Server, version 4.1, from RSA, configures RADIUS attributes into the profiles.
  • Page 281 The ACS server can still be used for authentication if the RADIUS users are configured globally on the SonicWALL to have the same privileges. Also, the ACS server supports CHAP, so it can be used if HTTPS is not available when logging into the SonicWALL management interface.
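    Why CHAP support on the RADIUS server matters when HTTPS is unavailable, shown as an added example with both authentication methods side by side. This is illustrative code, not Steel Belted RADIUS, ACE, ACS or SonicWALL code; the user database, challenge and passwords are constructed, and the CHAP computation is the one RFC 1994 defines.

```python
"""CHAP versus PAP on the wire (added example, not SonicWALL or RADIUS vendor code).

CHAP (RFC 1994): the authenticator sends an identifier and a random challenge;
the client answers with MD5(identifier || secret || challenge). The RADIUS
client forwards the challenge (CHAP-Challenge) and identifier+response
(CHAP-Password) to the server, which recomputes the value from its stored
password. The password itself never crosses the network. With PAP the
password is the credential sent, so without HTTPS it travels in clear text.
USERS below is a constructed stand-in for the RADIUS server's user store.
"""
import hashlib
import hmac
import os

USERS = {"alice": "Correct-Horse-42"}   # constructed sample account


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1 response value (16 bytes)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Fresh random challenge per login attempt, so a captured response cannot be replayed."""
    return os.urandom(length)


def client_login_chap(username: str, password: str, identifier: int, challenge: bytes) -> dict:
    """What the client sends: user name, identifier and response; no password field."""
    return {"user": username, "id": identifier,
            "chap_password": chap_response(identifier, password, challenge)}


def radius_verify_chap(msg: dict, challenge: bytes) -> bool:
    """Server side: recompute from the stored password and compare in constant time."""
    stored = USERS.get(msg["user"])
    if stored is None:
        return False
    expected = chap_response(msg["id"], stored, challenge)
    return hmac.compare_digest(expected, msg["chap_password"])


def client_login_pap(username: str, password: str) -> dict:
    """PAP: the password itself is transmitted."""
    return {"user": username, "password": password}


def radius_verify_pap(msg: dict) -> bool:
    stored = USERS.get(msg["user"])
    return stored is not None and hmac.compare_digest(stored.encode(), msg["password"].encode())


def wire_exposes_password(msg: dict, password: str) -> bool:
    """True if the clear-text password appears in any field of the transmitted message."""
    return any(value == password for value in msg.values())


if __name__ == "__main__":
    challenge = new_challenge()
    chap = client_login_chap("alice", "Correct-Horse-42", 7, challenge)
    pap = client_login_pap("alice", "Correct-Horse-42")
    print("CHAP verifies:", radius_verify_chap(chap, challenge),
          "| password on wire:", wire_exposes_password(chap, "Correct-Horse-42"))
    print("PAP verifies:", radius_verify_pap(pap),
          "| password on wire:", wire_exposes_password(pap, "Correct-Horse-42"))
```

    The trade-off a practitioner should know: CHAP keeps the password off the wire, but the RADIUS server must hold the password in a recoverable form to recompute the response, which is why some servers (the ACS note above is an instance) have to be configured explicitly to allow it.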
  • Page 282 RADIUS Attributes Dictionary The following is the RADIUS dictionary in the format used with Funk Software's Steel Belted RADIUS server.
  • Page 293 F: 408.745.9300 © 2002 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.