Download Print this page

Dell SonicWALL GX250 Manual

Hide thumbs

Advertisement

Quick Links

Table of Contents
CONTENTS
Preface .............................................................................................................. 5
Copyright Notice ................................................................................................. 5
About This Guide ................................................................................................ 6
SonicWALL Technical Support .............................................................................. 7
............................................................................................ 8
Your SonicWALL Internet Security Appliance ........................................................ 8
SonicWALL Internet Security Appliance Features ................................................... 9
The GX Series of SonicWALL Products .................................................................11
Features and Benefits of the SonicWALL GX Series ..............................................13
SonicWALL GX Specifications ..............................................................................15
...............................................................16
SonicWALL GX250 and GX650 Front Panel ...........................................................16
SonicWALL GX250 and GX650 Rear Panel ...........................................................19
..............................................................20
Inspecting the Package ......................................................................................20
Overview ..........................................................................................................20
Connecting the SonicWALL to the Network ..........................................................21
Performing the Initial Configuration ....................................................................23
.......................................................33
Log into the SonicWALL From a Web Browser .....................................................33
CLI Support and Remote Management ................................................................35
.........................................................................37
Standard Configuration ......................................................................................39
NAT Enabled Configuration ................................................................................40
Multiple LAN Subnet Mask Support .....................................................................42
NAT with DHCP Client Configuration ...................................................................43
NAT with PPPoE Configuration ............................................................................44
Setting the Time and Date .................................................................................46
NTP Settings .....................................................................................................46
Setting the Administrator Password ....................................................................48
Setting the Administrator Inactivity Timeout ........................................................48
.................................................................50
View Log ..........................................................................................................50
SonicWALL Log Messages ..................................................................................51
Log Settings ......................................................................................................52
Log Categories ..................................................................................................54
Alert/SNMP Traps ..............................................................................................55
Log Reports ......................................................................................................56
SonicWALL Internet Security Appliance Guide Page 1

Advertisement

Table of Contents
loading

  Summary of Contents for Dell SonicWALL GX250

  • Page 1: Table Of Contents

    The GX Series of SonicWALL Products ..............11 Features and Benefits of the SonicWALL GX Series ..........13 SonicWALL GX Specifications ................15 2 HARDWARE DESCRIPTION ...............16 SonicWALL GX250 and GX650 Front Panel ............16 SonicWALL GX250 and GX650 Rear Panel ............19 3 SonicWALL INSTALLATION ..............20 Inspecting the Package ..................20 Overview ......................20...
  • Page 2 Web Site Hits ....................57 Bandwidth Usage by IP Address .................57 Bandwidth Usage by Service ................57 7 CONTENT FILTERING AND BLOCKING .........58 Time of Day ......................60 Updating the Filter List ..................60 Customizing the Filter List ..................62 Blocking by Keyword ..................64 Consent Features ....................64 8 WEB MANAGEMENT TOOLS ..............68 Restarting the SonicWALL ..................68...
  • Page 3 12 SONICWALL VPN ................112 VPN Applications .....................113 VPN Feature Chart ...................113 The VPN Interface ...................114 Current IPSec Security Associations ..............114 SonicWALL VPN Client for Remote Access and Management .......115 VPN Advanced Settings ..................117 Enabling Group VPN on the SonicWALL .............120 Group VPN Client Configuration ................122 Manual Key Configuration for the VPN Client .............125 VPN between Two SonicWALLs ................132...
  • Page 4 APPENDIX B- CONFIGURING TCP/IP SETTINGS ..........191 APPENDIX C- ERASING THE FIRMWARE ............192 APPENDIX D- SECURING THE SONICWALL ............193 APPENDIX E- ELECTROMAGNETIC COMPATIBILITY ...........194 SonicWALL GX250 and SonicWALL GX650 ............194 NOTES ......................195 INDEX ......................196 WARNINGS AND NOTICES ................200 Page 4 CONTENTS...
  • Page 5: Preface

    Preface Copyright Notice © 2001 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, may not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original.
  • Page 6: About This Guide

    Local Area Network (LAN) from attacks and intrusions, filters objectional Web sites, provides private VPN connections to business partners and remote offices, and offers a centrally-managed defense against software viruses. This guide covers the installation and configuration of the SonicWALL GX250 and GX650. Organization of the Guide Chapter 1, Introduction, describes the features and applications of the SonicWALL.
  • Page 7: Sonicwall Technical Support

    Chapter 10, Advanced Features, describes advanced SonicWALL settings, such as One-to-One NAT, Automatic Web Proxying and DMZ addresses. Chapter 11, DHCP Server, describes the configuration and setup of the SonicWALL's DHCP server. Chapter 12, SonicWALL VPN, explains how to create a VPN tunnel between two SonicWALLs and from the VPN client to the SonicWALL.
  • Page 8: Introduction

    Web content and logs security threats. SonicWALL VPN provides secure, encrypted communications to business partners and branch offices. SonicWALL VPN is included with the SonicWALL GX250 and GX650. The SonicWALL uses stateful packet inspection to ensure secure firewall filtering. Stateful packet inspection is widely considered to be the most effective method of filtering IP traffic.
  • Page 9: Sonicwall Internet Security Appliance Features

    • DMZ Port SonicWALL GX250 and the SonicWALL GX650 include a DMZ port allowing users to access public servers, such as Web and FTP servers. While Internet users have unlimited access to the DMZ, the servers located on the DMZ are still protected against DoS attacks.
  • Page 10 • Content Filter List Updates (optional) Since content on the Internet is constantly changing, the SonicWALL automatically updates the Content Filter List every week to ensure that access restrictions to new and relocated sites are properly enforced. • Log and Block or Log Only You may configure the SonicWALL to log and block access to objectional Web sites, or to log inappropriate usage without blocking Web access.
  • Page 11: The Gx Series Of Sonicwall Products

    By encrypting data, SonicWALL VPN provides private communications between two or more sites without the expense of leased site-to-site lines. SonicWALL VPN comes standard with the SonicWALL the SonicWALL GX250 and the SonicWALL GX650. • VPN Client Software for Windows Mobile users with dial-up Internet accounts may securely access remote network resources with the SonicWALL VPN Client.
  • Page 12 designed for the demands of high-bandwidth environments. Security solutions for these sites must meet today's bandwidth requirements as well as provide scalability for future growth. Internet Security Solution for Enterprises and Data Centers The SonicWALL GX Series extends SonicWALL's award-winning Internet security solutions to meet the intensive demands of enterprises and data centers.
  • Page 13: Features And Benefits Of The Sonicwall Gx Series

    Features and Benefits of the SonicWALL GX Series The GX Series Feature Chart Model GX250 GX650 Standard Interfaces (3) 10/100Base-TX (3) 1000Base-SX Scalable, Upgradeable 20 interfaces 20 interfaces Design Firewall Throughput 100 Mbps 1 Gbps 3DES VPN Throughput 100 Mbps 260 Mbps Simultaneous 250,000...
  • Page 14 • ViewPoint. SonicWALL ViewPoint is a software application that creates dynamic, Web-based network reports. SonicWALL ViewPoint generates both real-time and historical reports to offer a complete view of all activity through your SonicWALL Internet security appliance. • SonicWALL GMS. SonicWALL GX models include SonicWALL Global Management System (GMS) to enable network administrators to manage their security net- works.
  • Page 15: Sonicwall Gx Specifications

    SonicWALL GX Specifications GX250 GX650 Speeds Firewall: 100 Mbps Firewall: 1.0 Gbps VPN: 100 Mbps VPN: 260 Mbps Maximum Simultaneous 5,000 10,000 Connections - VPN Security Associations Maximum Simultaneous Three (3) 10/100Base-T Three (3) 1000Base-SX or Connections (RJ-45) Two (2) expansion 1000Base-T slots available for Optional Expansion Cards...
  • Page 16: Hardware Description

    SonicWALL Internet Security Appliances. SonicWALL GX250 and GX650 Front Panel The SonicWALL GX250 front panel is shown below, followed by a description of each item. The SonicWALL GX650 is identical to the SonicWALL GX250 except for the GX650 label on the front panel and the types of network interfaces installed.
  • Page 17 • Serial Port DB-9 RS-232 Serial port for a modem or null-modem cable to support Command Line Interface Management. There are three network interfaces on the GX250 and GX650 from left to right: • • • The GX250 includes three Fast Ethernet network interfaces. The GX650 includes either 1000Base-SX over Fiber or Gigabit Ethernet over Copper network interfaces.
  • Page 18 Mbps connection is obtained, the LED is yellow. Reset Switch Resets the SonicWALL GX250 or the SonicWALL GX650 to its factory clean state. This may be required if you forget the administrator password, or the SonicWALL firmware has become corrupt. Please go to Appendix C for instructions on erasing the SonicWALL firmware.
  • Page 19: Sonicwall Gx250 And Gx650 Rear Panel

    SonicWALL GX250 and GX650 Rear Panel The SonicWALL GX250 back panel is shown below, followed by a description of each The SonicWALL GX650 back panel is identical to the SonicWALL GX250. item. Power Input Cooling Fan Alarm Reset Power Button...
  • Page 20: Sonicwall Installation

    The LAN Ethernet port should be connected to a network hub or switch on the internal, protected network. • The DMZ Ethernet port, included with the SonicWALL GX250 and GX650, should be connected to publicly accessible servers, such as Web and Mail servers. •...
  • Page 21: Connecting The Sonicwall To The Network

    Power. Use the power adapter supplied with the SonicWALL, do not use another power supply. Note: If you are installing a SonicWALL GX250 or a SonicWALLGX650, connect the SonicWALL to an AC power outlet using a power cable. Then press the power switch to the On position.
  • Page 22 SonicWALL Installation Checklist The SonicWALL requires information about the IP address scheme of your network. Your Internet Service Provider (ISP) should be able to provide this information. • SonicWALL LAN IP Address The SonicWALL LAN IP address is the address assigned to the SonicWALL LAN port and is used to manage the SonicWALL.
  • Page 23: Performing The Initial Configuration

    Performing the Initial Configuration Setting up your Management Station All management functions on the SonicWALL are performed from a Web browser. Management can be performed from any computer connected to the LAN port of the SonicWALL. The computer used for management is referred to as the Management Station.
  • Page 24 instructions for setting the administrator password and configuring the settings necessary to access the Internet. Note: To bypass the Wizard, click Cancel. Then log into the SonicWALL's Management Interface by entering the User Name "admin" and the Password "password". To configure your SonicWALL appliance, read the instructions on the Wizard’s Welcome window and click Next to continue.
  • Page 25 Setting the Time and Date 4. From the pull-down menu, select the appropriate Time Zone. The SonicWALL internal clock is set automatically by a Network Time Server on the Internet. Click Next to continue. Confirming Network Information 5. Confirm that you have the proper network information needed to configure the SonicWALL to access the Internet.
  • Page 26 Selecting Your Internet Connection The SonicWALL supports four network addressing modes: NAT Enabled, Standard, NAT with PPPoE, and NAT with DHCP Client. Select the appropriate option in the Connecting to the Internet window. 6. Select the first option if your ISP has provided you with a single, valid IP address. If you select the first option, your SonicWALL enables NAT.
  • Page 27 The Use Network Address Translation (NAT) window verifies that the SonicWALL has a registered IP address. To confirm this, click Next and go to Step 10. Selecting Standard or NAT Enabled Mode If you selected the Assigned you a single static IP Address option in Step 6, the Optional-Network Address Translation window is displayed.
  • Page 28 Configuring WAN Network Settings If you selected either NAT or Standard mode, the Getting to the Internet window is displayed. 11. Enter the valid IP address provided by your ISP in the Getting to the Internet window. Enter the SonicWALL WAN IP Address, WAN/DMZ Subnet Mask, WAN Gateway (Router) Address, and DNS Server Addresses.
  • Page 29 Confirming DHCP Client Mode If you select NAT with DHCP Client in Step 6, the Obtain an IP address automatically window is displayed. 13. The Obtain an IP address automatically window states that the ISP dynami- cally assigns an IP address to the SonicWALL. To confirm this, click Next and go to Step 15.
  • Page 30 Configuring the SonicWALL DHCP Server 15. The Optional-SonicWALL’s DHCP Server window configures the SonicWALL DHCP Server. If enabled, the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the DHCP server, check the Enable DHCP Server checkbox, and specify the range of IP addresses that are assigned to com- puters on the LAN.
  • Page 31 Congratulations Note:The new SonicWALL LAN IP address, displayed in the Congratulations window, is used to login and manage the SonicWALL 17. Click Restart to restart the SonicWALL. Restarting Note:The final window provides important information to help configure the computers on the LAN. Click Print this Page to print the window information.
  • Page 32 19. Log into the SonicWALL Management Interface. Once the SonicWALL restarts, con- tact the SonicWALL Web Management Interface at the new SonicWALL LAN IP address. Type the User Name “admin” and enter the new administrator pass- word to log into the SonicWALL. 20.
  • Page 33: Managing Your Sonicwall

    MANAGING YOUR SONICWALL This chapter contains a brief overview of SonicWALL management commands and functions. The commands and functions are accessed through the SonicWALL Web Management Interface. The configuration is the same for all SonicWALL Internet security appliances; any exceptions are noted. Log into the SonicWALL From a Web Browser You may manage the SonicWALL from any computer connected to the LAN port of the SonicWALL using a Web browser.
  • Page 34 3. Passwords are case-sensitive. Enter the password exactly as defined and click Login. Note: The SonicWALL Status window is displayed above. Each SonicWALL Internet security appliance displays unique characteristics, such as the presence of VPN acceleration hardware or a different amount of memory. The General, Log, Filter, Tools, Access, Advanced, DHCP, VPN, Anti-Virus, and High Availability buttons appear on the left side of the window.
  • Page 35: Cli Support And Remote Management

    CLI Support and Remote Management Out of band-width management is now available on SonicWALL appliances using the CLI (Command Line Interface) feature. SonicWALL Internet security appliances can now be managed from a console using typed commands and a modem or null-modem cable that is connected to the serial port located on the back of the SonicWALL appliance.The only modem currently supported is the Frost v.90 modem.
  • Page 36 The SonicWALL general management and configuration instructions are divided into the following 8 chapters: • Network Settings • Logging and Alerting • Content Filtering and Blocking • Web Management Tools • Network Access Rules • Advanced Features • DHCP Server •...
  • Page 37: Network Settings

    NETWORK SETTINGS This chapter describes the configuration of the SonicWALL Network Settings. The Network Settings include the SonicWALL IP settings, the administrator password, and the time and date. To configure the SonicWALL Network Settings, click General on the left side of the browser window, and then click the Network tab at the top of the window.
  • Page 38 • NAT with PPPoE mode uses PPPoE to connect to the Internet. If desktop soft- ware and a user name and password is required by your ISP, select NAT with PP- PoE. LAN Settings • SonicWALL LAN IP Address The SonicWALL LAN IP Address is the IP address assigned to the SonicWALL LAN port.
  • Page 39: Standard Configuration

    DNS Settings • DNS Servers DNS Servers, or Domain Name Servers, are used by the SonicWALL for diagnostic tests with the DNS Lookup Tool, and for upgrade and registration functionality. DNS Server addresses should be assigned by your ISP. If you select NAT with DHCP Client or NAT with PPPoE mode, the DNS Server addresses is assigned automatically.
  • Page 40: Nat Enabled Configuration

    NAT Enabled Configuration Network Address Translation (NAT) connects your entire network to the Internet using a single IP address. Network Address Translation offers the following: • Internet access to additional computers on the LAN. Multiple computers may ac- cess the Internet even if your ISP only assigned one or two valid IP addresses to your network.
  • Page 41 1. Select NAT Enabled from the Network Addressing Mode menu in the Network window. 2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL's LAN port and is used for management of the SonicWALL.
  • Page 42: Multiple Lan Subnet Mask Support

    8. Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window. Restart the SonicWALL for these changes to take effect. If you enable Network Address Translation, designate the SonicWALL LAN IP Address as the gateway address for computers on your LAN.
  • Page 43: Nat With Dhcp Client Configuration

    NAT with DHCP Client Configuration The SonicWALL may receive an IP address from a DHCP server on the Internet. If your ISP did not provide you with a valid IP address, but instructed you to obtain an IP address automatically, enable NAT with DHCP Client. NAT with DHCP Client mode is typically used with Cable and DSL connections.
  • Page 44: Nat With Pppoe Configuration

    When your SonicWALL has successfully received a DHCP lease, the Network window displays the SonicWALL WAN IP settings. • The Lease Expires value shows when your DHCP lease expires. • The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, WAN/DMZ Subnet Mask, and DNS Servers is obtained from a DHCP server on the Internet.
  • Page 45 6. Enter your network's subnet mask in the LAN Subnet Mask field. The LAN Sub- net Mask tells your SonicWALL which IP addresses are on your LAN. Use the de- fault value, "255.255.255.0", if there are less than 254 computers on your LAN. If you have multiple subnets on your network, add the addresses using the Add LAN Subnet field.
  • Page 46: Setting The Time And Date

    Setting the Time and Date 1. Click the Time tab at the top of the browser window. The SonicWALL uses the time and date settings to time stamp log events, to automatically update the Content Filter List, and for other internal purposes. 2.
  • Page 47 available on the Internet. To remove an NTP server, highlight the IP address and click Delete NTP Server. When you have configured the Time window, click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the browser window.
  • Page 48: Setting The Administrator Password

    Setting the Administrator Password 1. Click the Password tab at the top of the window. The security of your SonicWALL is determined by your Administrator Password. To set the password, enter the old password in the Old Password field, and the new password in the New Password field.
  • Page 49 Note: If the Administrator Inactivity Timeout is extended beyond 5 minutes, you should end every management session by clicking Logout to prevent unauthorized access to the SonicWALL Web Management Interface. Set the inactivity timeout by entering the desired number of minutes in the Administrator Inactivity Timeout section and then click Update.
  • Page 50: Logging And Alerting

    LOGGING AND ALERTING This chapter describes the SonicWALL's logging, alerting and reporting features, which may be viewed in the Log section of the SonicWALL Web Management Interface. View Log The SonicWALL maintains an Event log which displays potential security threats. This log may be viewed with a browser using the SonicWALL Web Management Interface, or it may be automatically sent to an E-mail address for convenience and archiving.
  • Page 51: Sonicwall Log Messages

    SonicWALL Log Messages • TCP, UDP, or ICMP packets dropped When IP packets are blocked by the SonicWALL, dropped TCP, UDP and ICMP messages is displayed. The messages include the source and destination IP addresses of the packet. The TCP or UDP port number or the ICMP code follows the IP address.
  • Page 52: Log Settings

    Log Settings Click Log on the left side of the browser window, and then click the Log Settings tab at the top of the window. Configure the following settings: 1. Mail Server - To E-mail log or alert messages, enter the name or IP ad- dress of your mail server in the Mail Server field.
  • Page 53 5. Syslog Server - In addition to the standard event log, the SonicWALL can send a detailed log to an external Syslog server. Syslog is an industry-standard protocol used to capture information about network activity. The SonicWALL Syslog cap- tures all log activity and includes every connection’s source and destination IP ad- dress, IP service, and number of bytes transferred.
  • Page 54: Log Categories

    Log Categories You may define which log messages appear in the SonicWALL Event Log. All Log Categories are enabled by default except Network Debug. • System Maintenance When enabled, log messages showing general system activity, such as administrator logins, automatic downloads of the Content Filter Lists, and system activations, is displayed.
  • Page 55: Alert/Snmp Traps

    When checked, any denied TCP or UDP packets from the LAN network are logged. Alert/SNMP Traps Alerts are events, such as attacks, which warrant immediate attention. When events generate alerts, messages are immediately sent to the E-mail address defined in the Send alerts to field.
  • Page 56: Log Reports

    Log Reports The SonicWALL is able to perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. Click Log on the left side of the browser window, and then click the Reports tab at the top of the window.
  • Page 57: Web Site Hits

    Web Site Hits Selecting Web Site Hits from the Display Report menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to that site during the current sample period. The Web Site Hits report can help ensure that the majority of Web access is to appropriate Web sites.
  • Page 58: Content Filtering And Blocking

    CONTENT FILTERING AND BLOCKING This chapter describes the SonicWALL content filtering features which are configured in the Filter section of the SonicWALL Web Management Interface. Content Filtering and Blocking records Web site blocking by Filter List category, domain name, and keyword, and provides instructions to update the SonicWALL Content Filter List.
  • Page 59 Configure the following settings in the Categories window: Restrict Web Features • ActiveX ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers can use ActiveX to delete files or compromise security. Select the ActiveX checkbox to block ActiveX controls. •...
  • Page 60: Time Of Day

    Block all categories checkbox to block all of these categories. Alternatively, you can select categories individually by selecting the appropriate checkbox. When you register your SonicWALL at <http://www.mysonicwall.com>, you may download a one month subscription to Content Filter List updates. The following is a list of the Content Filter List categories: Violence/Profanity Satanic/Cult...
  • Page 61 Click Filter on the left side of the browser window, and then click the List Update tab at the top of the window. Configure the following settings in the List Update window. • Download Now Click Download Now to immediately download and install a new Content Filter List.
  • Page 62: Customizing The Filter List

    In the If Filter List Not Loaded section, select either Block traffic to all web sites except for Trusted Domains or Allow traffic to all web sites. If Allow traffic to all web sites is selected, Forbidden Domains and Keywords are still blocked. Note: The SonicWALL does not ship with the Content Filter List installed.
  • Page 63 To block a Web site that is not blocked by the Content Filter List, enter the host name, such as “www.bad-site.com” into the Forbidden Domains field. 256 entries may be added to the Forbidden Domains list. Note: Do not include the prefix “http://” in either the Trusted Domains or Forbidden Domains the fields.
  • Page 64: Blocking By Keyword

    Blocking by Keyword Click Filter on the left side of the browser window, and then click the Keywords tab at the top of the window. The SonicWALL allows you to block Web URLs containing keywords. For example, if you add the keyword "XXX", the Web site <http://www.new-site.com/xxx.html> is blocked, even if it is not included in the Content Filter List.
  • Page 65 Click Filter on the left side of the browser window, and then click the Consent tab at the top of the window. • Require Consent Select the Require Consent checkbox to enable the Consent features. • Maximum Web usage In an environment where there are more users than computers, such as a classroom or library, time limits are often imposed.
  • Page 66 • Consent page URL (Optional Filtering) When a user opens a Web browser on a computer requiring consent, they are shown a consent page and given the option to access the Internet with or without content filtering. An example of this page is shown below: You must create this Web (HTML) page.
  • Page 67 • Consent page URL (Mandatory Filtering) When a user opens a Web browser on a computer with mandatory content filtering they are shown a consent page. You need to create this Web page. It may contain the text from an Acceptable Use Policy, and notification that violations are logged or blocked.
  • Page 68: Web Management Tools

    WEB MANAGEMENT TOOLS This chapter describes the SonicWALL Management Tools, which may be accessed in the Tools section of the SonicWALL Web Management Interface. The Web Management Tools section allows you to restart the SonicWALL, import and export configuration settings, update the SonicWALL firmware, and perform several diagnostic tests.
  • Page 69: Preferences

    Preferences Click Tools on the left side of the browser window, and then click the Preferences tab at the top of the window. You can save the SonicWALL settings, and then retrieve them later for backup purposes. It is recommended to save the SonicWALL settings when upgrading the firmware.
  • Page 70: Exporting The Settings File

    Exporting the Settings File It is possible to save the SonicWALL configuration information to a “preferences file” to your computer, and then to load it back into the SonicWALL later. 1. Click Export in the Preferences tab. 2. Click Export again to download the settings file. Then choose the location to save the settings file.
  • Page 71: Restoring Factory Default Settings

    2. Click Browse to locate a settings file which was saved using Export. 3. Once the file is selected, click Import. 4. Restart the SonicWALL for the settings to take effect. Note: The Web browser used to Import Settings must support HTTP uploads. Netscape Navigator 3.0 and above is recommended.
  • Page 72 1. Click Tools on the left side of the browser window, and then click the Firmware tab at the top of the window. To be automatically notified when new firmware is available, check the Notify me when new firmware is available checkbox. Then click Update. If you enable firmware notification, your SonicWALL sends a status message to SonicWALL, Inc.
  • Page 73 Updating Firmware Manually You may also upload firmware from the local hard drive. Click Upload Firmware. Note: The Web browser used to upload new firmware into the SonicWALL must support HTTP uploads. Netscape Navigator 3.0 and above is recommended. When firmware is uploaded, the SonicWALL settings may be erased. It is recommended to save the SonicWALL's preferences so that they can be restored later.
  • Page 74: Upgrade Features

    Click Browse and select the firmware file from your local hard drive or from the SonicWALL Companion CD. Click Upload, and then restart the SonicWALL. Note: When uploading firmware to the SonicWALL, it is important not to interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it may corrupt the SonicWALL's firmware.
  • Page 75 1. Select DNS Name Lookup from the Choose a diagnostic tool menu. 2. Enter the host name to lookup in the Look up the name field and click Go. Do not add the prefix "http://". The SonicWALL then query the DNS server and display the result at the bottom of the screen.
  • Page 76: Ping

    1. Select Find Network Path from the Choose a diagnostic tool menu. 2. Enter the IP address of the device and click Go. The test takes a few seconds to complete. Once completed, a message showing the results is displayed in the browser window.
  • Page 77 1. Select Ping from the Choose a diagnostic tool menu. 2. Enter the IP address of the target device to ping and click Go. The test takes a few seconds to complete. Once completed, a message showing the results is displayed in the browser window.
  • Page 78 The SonicWALL forwards SYN from LAN client to remote host. 3. TCP received on WAN [SYN,ACK] From 204.71.200.74 / 80 (02:00:cf:58:d3:6a) To 207.88.211.116 / 1937 (00:40:10:0c:01:4e) The SonicWALL receives SYN,ACK from remote host. 4. TCP sent on LAN [SYN,ACK] From 204.71.200.74 / 80 (02:00:cf:58:d3:6a) To 192.168.168.158 / 1282 (00:a0:4b:05:96:4a) The SonicWALL forwards SYN,ACK to LAN client.
  • Page 79: Tech Support Report

    1. Select Packet Trace from the Choose a diagnostic tool menu. Note: Packet Trace requires an IP address. The SonicWALL DNS Name Lookup tool may be used to find the IP address of a host. 2. Enter the IP address of the remote host in the Trace on IP address field, and click Start.
  • Page 80 In the Tools section, click the Diagnostic tab, and then select Tech Support Report from the Choose a diagnostic tool menu. In the Tech Support Report section, there are three Report Options that can be selected to E-mail with your Tech Support Report: •...
  • Page 81: Network Access Rules

    NETWORK ACCESS RULES This chapter describes the SonicWALL Network Access Rules, which determine inbound and outbound access policy, user authentication and remote management. Network Access Rules are configured in the Access section of the SonicWALL Web Management Interface Services Click Access on the left side of the browser window, and then click the Services tab at the top of the window.
  • Page 82: Detection Prevention

    LAN In If a LAN In checkbox is checked, users on the Internet may access all computers on your LAN for that service. By default, LAN In checkboxes are not checked; use caution when enabling. The LAN In column is not displayed if NAT is enabled. DMZ In (Optional) If a DMZ In checkbox is checked, users on the Internet may access that service on the DMZ.
  • Page 83: Creating A Public Lan Server

    stay open indefinitely, creating potential security holes. You may increase the Inactivity Timeout if applications, such as Telnet and FTP, are frequently disconnected. Creating a Public LAN Server A Public LAN Server is a server on your LAN that is accessible to users on the Internet. Creating a Public LAN Server in the Services window is the easiest way to set up a mail server, Web server or other public server, on your LAN.
  • Page 84: Add Service

    Add Service To add a service that is not listed in the Services window, click Access on the left side of the browser window, and then click the Add Service tab at the top of the window. The list on the right side of the window displays the services that are currently defined. These services also appear in the Services window.
  • Page 85: Rules

    Add a Known Service 1. Select the name of the service you want to add from the Add a known service menu. 2. Click Add. The new service appears in the listbox on the right side of the browser window. Note that some services add more than one entry to the listbox. Add a Custom Service 1.
  • Page 86 • Allow traffic from the Internet to a mail server on the LAN. • Restrict users on the LAN from using a specified service, such as QuickTime. • Allow specified IP addresses on the Internet to access a sensitive server on the LAN.
  • Page 87 Add A New Rule 1. Click Add New Rule... to open the Add Rule window. 2. Select Allow or Deny in the Action menu depending upon whether the rule is intended to permit or block IP traffic. 3. Select the name of the service affected by the Rule from the Service menu. If the service is not listed, you need to define the service in the Add Service window.
  • Page 88 Note: If you want to enable the rule at different times depending on the day of the week, you will need to make additional rules for each time period. Note: Although custom rules may be created that allow inbound IP traffic, the SonicWALL does not disable protection from Denial of Service attacks, such as the SYN Flood and Ping of Death attacks.
  • Page 89: Understanding The Access Rule Hierarchy

    been updated, a message confirming the update is displayed at the bottom of the browser window. Understanding the Access Rule Hierarchy The rule hierarchy has two basic concepts: 1. Specific rules override general rules. • An individual service is more specific than the Default service. •...
  • Page 90 2. Select Deny from the Action menu. 3. Select NNTP from the Service menu. If the service is not listed in the menu, you need to add it in the Add Service window. 4. Select LAN from the Source Ethernet menu. 5.
  • Page 91: User Authentication

    User Authentication The SonicWALL provides an authentication method that gives authorized users on the Internet access to LAN resources and that allows users on the LAN to bypass Web content filtering. User Settings Click Access on the left side of the browser window, and then click on the Users tab at the top of the window.
  • Page 92 using names of friends, family, pets, etc. The password should consist of random characters, such as “a*$#7fe2j%42”. The password is case sensitive. 4. Choose the privileges to be enabled for the user by selecting one or both check- boxes. Two options are available: A.
  • Page 93: Remote Management

    Remote Management SonicWALL SNMP Support SNMP (Simple Network Management Protocol) is a network protocol over User Datagram Protocol (UDP) that provides network administrators with the ability to monitor the status of the SonicWALL appliances and receive notification of any critical events as they occur on the network.
  • Page 94: Remote Management

    To configure SNMP, type in the necessary information in the following fields: • Enable SNMP - To enable the SNMP agent, select Enabled SNMP. • System Name - This is the hostname of the SonicWALL appliance. • System Contact - Type in the name of the network administrator for the SonicWALL appliance.
  • Page 95 Managed: "from the LAN interface and remotely from the WAN interface" to enable secure remote management. When remote management is enabled, a Management SA is automatically generated. The Management SA uses Manual Keying to set up a VPN tunnel between the SonicWALL and the VPN client.
  • Page 96 Note: When a Management SA is created, the remote SonicWALL is managed at the SonicWALL WAN IP Address. In contrast, when connecting to a VPN SA, the remote SonicWALL is managed at the SonicWALL LAN IP Address. 4. Click Help in the upper right corner of the SonicWALL Management Interface to access detailed instructions for configuring the VPN client.
  • Page 97: Advanced Features

    ADVANCED FEATURES This chapter describes the SonicWALL Advanced Features, such as Web Proxy Forwarding, DMZ Address settings, One-to-One NAT, and Ethernet. The Advanced Features may be accessed in the Advanced section of the SonicWALL Web Management Interface. Web Proxy Forwarding A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages.
  • Page 98 2. Log into the SonicWALL Web Management Interface. Click Advanced at the left side of the browser window, and then click the Proxy Relay tab at the top of the window. 3. Enter the name or IP address of the proxy server in the Proxy Web Server field, and the proxy’s IP port in the Proxy Web Server Port field.
  • Page 99: Intranet

    SonicWALL Internet security appliance to protect computers on the WAN 3. Connect the SonicWALL to a power outlet. For SonicWALL GX250 and SonicWALL GX650, press the Power Switch to the ON position. SonicWALL Internet Security Appliance Guide Page 99...
  • Page 100 Configuration Click Advanced on the left side of the browser window, and then click the Intranet tab at the top of the window. To enable Intranet firewalling, you must specify which machines are located on the LAN, or you must specify which machines are located on the WAN. It is best to select the network area with the least number of machines.
  • Page 101 Select this option if it is easier to specify the devices on your WAN. Then enter your WAN IP address range(s). Computers connected to the WAN port that are not included will be inaccessible to users on your LAN. • Add Range To add a range of addresses, such as "199.2.23.50"...
  • Page 102: Routes

    Routes If you have routers on your Local Area Network, you have to configure the Static Routes section of the SonicWALL. Click Advanced on the left side of the browser window, and then click the Routes tab at the top of the window. The SonicWALL LAN IP Address, LAN Subnet Mask, WAN IP Address and WAN/DMZ Subnet Mask are displayed in the Current Network Settings section.
  • Page 103: Dmz Addresses

    Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed at the bottom of the Web browser window. Restart the SonicWALL for the change to take effect. Note: The SonicWALL can support up to 64 static route entries. DMZ Addresses The SonicWALL provides security by preventing Internet users from accessing machines on the LAN.
  • Page 104 To configure DMZ Addresses, complete the following instructions. 1. Enter the starting IP address of your valid IP address range in the From Address field. 2. Enter the ending IP address of your valid IP address range in the To Address field. Note: You may enter an individual IP address in the From Address field only.
  • Page 105 computers with private IP addresses of 192.168.168.2 to 192.168.168.16 may be accessed at the corresponding external IP address, as shown in the diagram below. SonicWALL Internet Security Appliance Guide Page 105...
  • Page 106 To configure One-to-One NAT, complete the following instructions. 1. Check the Enable One-to-One NAT checkbox. 2. Enter the beginning IP address of the private address range being mapped in the Private Range Begin field. This is the IP address of the first machine that is ac- cessible from the Internet.
  • Page 107: The Ethernet Tab

    The Ethernet Tab In the Advanced section of the SonicWALL management interface, a new tab labeled Ethernet has been added. The Ethernet tab allows you to manage your Ethernet settings and is divided into two sections: • Ethernet Speed/Duplex Settings •...
  • Page 108: Mtu Settings

    Proxy Management workstation Ethernet address on WAN This checkbox may be checked if you are managing the Ethernet from the LAN side of your network. The SonicWALL appliance takes the Ethernet address of the computer that is managing the SonicWALL appliance and proxies that address on the WAN port of the SonicWALL.
  • Page 109: Dhcp Server

    DHCP SERVER This chapter describes the configuration of the SonicWALL DHCP Server. The SonicWALL DHCP Server distributes IP addresses, gateway addresses and DNS server addresses to the computers on your LAN. To access the SonicWALL DHCP Setup window, click DHCP on the left side of the browser window. To configure the SonicWALL DHCP server, complete the following instructions.
  • Page 110 4. Enter the domain name registered for your network in the Domain Name field. An example of a domain name is "your-domain.com". If you do not have a domain name, leave this field blank. 5. Select Set DNS Servers using the SonicWALL Network settings to use the DNS servers that you specified in the SonicWALL Network section.
  • Page 111: Dhcp Status

    Deleting Dynamic Ranges and Static Entries 1. To remove a range of addresses from the dynamic pool, select it from the list of dynamic ranges, and click Delete Range. When the range has been deleted, a message confirming the update is displayed at the bot- tom of the browser window.
  • Page 112: Sonicwall Vpn

    VPN products, such as Check Point FireWall-1 and Axent Raptor. Visit SonicWALL's Web site at <http://www.sonicwall.com/products/ documentation/WhitePapers.html> for information about VPN interoperability. SonicWALL VPN is included with the SonicWALL GX250 and the SonicWALL GX650. This chapter is organized into the following sections: • The VPN Summary Tab This section describes the Summary tab and settings.
  • Page 113: Vpn Applications

    • XAUTH/RADIUS Server Configuration This section describes using a RADIUS server for authentication of VPN Clients. • Deleting and Disabling Security Associations This section describes deleting and disabling Security Associations for VPN access. • Basic VPN Terms and Concepts This section provides a glossary defining applicable VPN terms such as encryption methods, authentication methods, and IPSec keying modes.
  • Page 114: The Vpn Interface

    specified in the VPN Feature Chart may connect at the same time without affecting the performance of the SonicWALL. The VPN Interface Click VPN on the left-side of the SonicWALL management station interface. There are four tabs in the VPN interface: •...
  • Page 115: Sonicwall Vpn Client For Remote Access And Management

    SonicWALL VPN Client for Remote Access and Management When you register the SonicWALL GX250 or the SonicWALL GX650 at <http:// www.mysonicwall.com>, you receive a single VPN Client for Windows and a VPN Client serial number. Using the VPN client software, you may establish a secure VPN tunnel to remotely manage the SonicWALL.
  • Page 116 Manual Key Configuration requires matching encryption and authentication keys. Each Manual Key SA allows 64 VPN clients sharing the same configuration. The number of VPN Clients that may be configured using Manual Key is 64 times the total number of Security Associations. For example, 5000 SAs or a total of 320,000 VPN clients may be configured to connect to the SonicWALL GX.
  • Page 117: Vpn Advanced Settings

    VPN Advanced Settings All of the Advanced Settings for VPN connections are now located by clicking Advanced Settings located in the middle of the Configure tab. The following settings are available in the Edit Advanced Settings window: • Enable Keep Alive •...
  • Page 118 Enable Perfect Forward Secrecy A new checkbox is available for the Security Association "IKE using Pre-shared Secret" between two SonicWALL appliances. The Enable Perfect Forward Secrecy checkbox increases the renegotiation time of the VPN tunnel. By enabling Perfect Forward Secrecy, a hacker using brute force to break encryption keys is not able to obtain other or future ipsec keys.
  • Page 119 both the central office SA and the remote site SA. Traffic is now able to go from branch office to branch office via the corporate office. Route all internet traffic through this SA Checking this box allows a network administrator to force all network traffic to the WAN to go through a VPN tunnel to a central site.
  • Page 120: Enabling Group Vpn On The Sonicwall

    Enabling Group VPN on the SonicWALL Click VPN on the left side of the SonicWALL browser window, and then click the Configure tab at the top of the window. The SonicWALL VPN tab defaults to a Group VPN setting. This feature facilitates the set up and deployment of multiple VPN clients by the administrator of the SonicWALL appliance.
  • Page 121 5. Select Encrypt and Authenticate (ESP DES HMAC MD5) from the Encryp- tion Method menu. 6. Type the Shared Secret in the Shared Secret text box. The Shared Secret should consist of a combination of letters and numbers rather than the name of a family member, pet, etc.
  • Page 122: Group Vpn Client Configuration

    Group VPN Client Configuration To import the Group VPN security policy into the Client, use the following steps: 1. Open the VPN Client. Click File, and then Import Security Policy. 2. A file location box appears which allows searching for the location of the saved se- curity file.
  • Page 123 4. Click the + sign next to Group VPN to reveal two sections: My Identity and Se- curity Policy. Select My Identity to view the settings. 5. Click Pre-Shared Key to enter the Pre-Shared Secret created in the Group VPN settings in the SonicWALL appliance. Click OK. 6.
  • Page 124 7. In the Internet Interface box, select the adapter used to access the Internet. Select PPP Adapter in the Name menu if you have a dial-up Internet account. Select your Ethernet adapter if you have a dedicated Cable, ISDN, or DSL line. 8.
  • Page 125: Manual Key Configuration For The Vpn Client

    Manual Key Configuration for the VPN Client To configure the SonicWALL appliance, click VPN on the left side of the browser window, and check the Enable VPN checkbox to allow the VPN connection. 1. Check the Disable VPN Windows Networking (NetBIOS) broadcast check- box.
  • Page 126 Note: Each Security Association must have unique SPIs; no two Security Associations can share the same SPIs. However, each Security Association’s Incoming SPI may be the same as the Outgoing SPI 7. Select Encrypt and Authenticate (ESP DES HMAC MD5) from the Encryp- tion Method menu.
  • Page 127 Installing the VPN Client Software 1. When you register your SonicWALL or SonicWALL VPN Upgrade at <http:// www.mysonicwall.com>, a unique VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed. 2. Unzip the SonicWALL VPN Client zip file. 3.
  • Page 128 6. Check the Connect using Secure Gateway Tunnel checkbox. 7. Select IP Address in the ID Type menu at the bottom of the Security Policy Editor window. 8. Enter the SonicWALL WAN IP Address in the field below the ID Type menu. Enter the NAT Public Address if NAT is enabled.
  • Page 129 Configuring VPN Client Identity 1. Click My Identity in the Network Security Policy box on the left side of the Security Policy Editor window. 2. Choose None in the Select Certificate menu on the right side of the Security Policy Editor window. 3.
  • Page 130 Configuring VPN Client Key Exchange Proposal 1. Double click Key Exchange in the Network Security Policy box. Then select Proposal 1 below Key Exchange. 2. Select Unspecified in the SA Life menu. 3. Select None in the Compressed menu. 4. Check the Encapsulation Protocol (ESP) checkbox. 5.
  • Page 131 Configuring Inbound VPN Client Keys 1. Click Inbound Keys . The Inbound Keying Material box appears. 2. Click Enter Key to define the encryption and authentication keys. 3. Type the SonicWALL Outgoing SPI in the Security Parameter Index field. 4. Select Binary in the Choose key format options. 5.
  • Page 132: Vpn Between Two Sonicwalls

    Saving SonicWALL VPN Client Settings 1. Select Save Changes in the File menu in the top left corner of the Security Pol- icy Editor window. Instructions for testing the VPN tunnel and configuring WINS for browsing a remote network are found in the section Testing the VPN Tunnel. VPN between Two SonicWALLs VPN between two SonicWALLs allows users to securely access files and applications at remote locations.
  • Page 133 3. Enter a descriptive name for the Security Association, such as "Chicago Office" or "Remote Management", in the Name field. 4. Enter the IP address of the remote VPN gateway, such as another SonicWALL VPN gateway, in the IPSec Gateway Address field. This must be a valid IP address and is the remote VPN gateway NAT Public Address if NAT is enabled.
  • Page 134 • Strong Encrypt and Authenticate (ESP 3DES HMAC SHA-1) is similar to Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) but uses HMAC SHA-1 instead of HMAC-MD5. • Encrypt for Check Point (ESP DES rfc1829) is interoperable with Check Point Firewall-1.
  • Page 135 it must also be entered in the Authentication Key field in the remote SonicWALL. If authentication is not used, this field is ignored. 10. Click Add New Network... to enter the destination network addresses. Clicking Add New Network... automatically updates the VPN configuration and opens the VPN Destination Network window.
  • Page 136: Ike Configuration Between Two Sonicwalls

    IKE Configuration between Two SonicWALLs An alternative to Manual Key configuration is Internet Key Exchange (IKE). IKE transparently negotiates encryption and authentication keys. The two SonicWALL appliances authenticate the IKE VPN session by matching preshared keys and IP addresses or Unique Firewall Identifiers. To create an IKE Security Association, click VPN on the left side of the browser window, and then click the Configure tab at the top of the window.
  • Page 137 5. Define the length of time before an IKE Security Association automatically renego- tiates in the SA Life Time (secs) field. The SA Life Time may range from 120 to 2,500,000 seconds. Note: A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 138 • Authenticate (AH SHA-1) uses SHA-1 instead of MD5. • Authenticate (ESP MD5) does not provide data confidentiality (no data encryp- tion), but it uses MD5 for authentication. • Authenticate (ESP SHA-1) similar to MD5 but uses SHA-1 for authentication. 7.
  • Page 139: Example: Linking Two Sonicwalls

    A company wants to use VPN to link two offices together, one in Chicago and the other in San Francisco. To do this, the SonicWALL GX250 in Chicago and the SonicWALL TELE2 in San Francisco must have corresponding Security Associations.
  • Page 140 19. Click OK to close the Advanced Settings window. 20. Click Update to add the remote network and close the VPN Destination Net- work window. Once the SonicWALL GX250 is updated, a message confirming the update is displayed at the bottom of the browser window.
  • Page 141 5. Enter the SonicWALL GX250 WAN IP Address in the IPSec Gateway Address field. This address must be valid, and is the SonicWALL GX250 NAT Public Address, or "216.0.0.20." 6. Enter "86,400" in the SA Life time (secs) field to renegotiate keys daily.
  • Page 142: Testing A Vpn Tunnel Connection Using Ping

    Testing a VPN Tunnel Connection Using PING To verify that your VPN tunnel is working properly, it is useful to ping the IP address of a computer on the remote network. By pinging the remote network, you send data packets to the remote network and the remote network replies that it has received the data packets.
  • Page 143 • WINS Server IP Address • Internal DNS (optional) Use the following steps to configure Windows Networking on your computer (Windows98): 1. Click Start, then Control Panel. Locate the Network icon and double-click it. 2. Select Client for Microsoft Networks from the list, and then click Properties. 3.
  • Page 144 4. Click on the Identification tab, and enter the domain name provided by your ad- ministrator in the Workgroup text box. 5. Click on TCP/IP or Dial-Up Adapter, and then Properties. Click the WINS Configuration tab, and select Enable WINS Resolution. Enter the WINS serv- Page 144 SONICWALL VPN...
  • Page 145 er IP address given to you by the administrator, and click Add. The WINS server address now appears in the text box below the address entry box. 6. If your administrator has given you an internal DNS address, click the DNS Configuration tab and enter the DNS IP address.
  • Page 146: Adding, Modifying And Deleting Destination Networks

    Adding, Modifying and Deleting Destination Networks You may add, modify or delete destination networks. To add a second destination network, click Add New Network... and define the Network and Subnet Mask fields of the second network segment. To modify a destination network, click the Notepad icon to the right of the appropriate destination network entry.
  • Page 147 1. Click VPN on the left side of the browser window and then click the Configure tab at the top of the window. 2. Select IKE using pre-shared secret from the IPSec Keying Mode menu. 3. Check the Require XAUTH/RADIUS (only allows VPN clients) checkbox. This forces inbound VPN clients to connect to this Security Association to authenticate to a RADIUS server.
  • Page 148 Configuring the RADIUS Settings Click VPN on the left side of the browser window, and then click the RADIUS tab at the top of the window. To configure RADIUS settings, complete the following instructions. 1. Check the Enable RADIUS checkbox. 2.
  • Page 149: Sonicwall Enhanced Vpn Logging

    2. Enter the UDP port number that the RADIUS server listens on. The Steel- Belted RADIUS server is set, by default, to listen on port 1645. 3. Enter the RADIUS server's administrative password or "shared secret" in the Shared Secret field. The alphanumeric Shared Secret may range from 1 to 30 characters in length.
  • Page 150: Disabling Security Associations

    Disabling Security Associations Administrators may choose to disable certain security associations and still allow access by remote VPN clients. The feature is useful if it is suspected that a remote VPN user connection has become unstable or insecure. It can also temporarily block access to the SonicWALL appliance if necessary.
  • Page 151: Editing And Deleting Security Associations

    Editing and Deleting Security Associations In the Current IPSec Security Associations section of the VPN Summary tab, VPN Security Associations may be edited by either clicking on the hyperlinked name of the Security Associaton or by clicking the Notepad icon located after the Encryption Method.
  • Page 152: Basic Vpn Terms And Concepts

    Basic VPN Terms and Concepts • VPN Tunnel A VPN Tunnel is a term that describes a connection between two or more private nodes or LANs over a public network, typically the Internet. Encryption is often used to maintain the confidentiality of private data when traveling over the Internet.
  • Page 153 • Internet Key Exchange (IKE) IKE is a negotiation and key exchange protocol specified by the Internet Engineering Task Force (IETF). An IKE SA automatically negotiates Encryption and Authentication Keys. With IKE, an initial exchange authenticates the VPN session and automatically negotiates keys that will be used to pass IP traffic. The initial exchange occurs on UDP port 500, so when an IKE SA is created, the SonicWALL will automatically open up port 500 to allow the IKE key exchange.
  • Page 154 • Data Encryption Standard (DES) When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code. SonicWALL DES encryption algorithm uses a 56 bit key.
  • Page 155: High Availability

    HIGH AVAILABILITY A reliable Internet connection has become a mission critical requirement for today's modern business. Internet connections today are used for accessing important real- time data for decision-making, reaching E-commerce customers, connecting with business partners, and extending communications across the distributed enterprise. The loss of this mission critical connection can have serious, and sometimes disastrous, consequences on an organization.The following applications are examples of the mission critical nature of an Internet connection today:...
  • Page 156: Getting Started With High Availability

    Getting Started with High Availability Before You Start Before attempting to configure two SonicWALLs as a High Availability pair, check the following requirements: • You have two (2) SonicWALL GX 250, two (2) GX650, two (2) PRO, or two PRO-Vx Internet Security Appliances.
  • Page 157: Configuring High Availability

    Note: The two SonicWALLs in the High Availability pair sends “heartbeats” over the LAN network segment. The High Availability feature does not function if the LAN ports are not connected together. Configuring High Availability Configuring High Availability on the Primary SonicWALL Click High Availability on the left side of the SonicWALL browser window, and then click Configure at the top of the window.
  • Page 158 Note: This IP address is different from the IP address used to contact the SonicWALL in the General Network settings. • WAN IP Address (Optional) - This is a unique WAN IP address used to remotely manage the primary SonicWALL whether it is Active or Idle. Note: The Synchronize Now button is used for diagnostics and troubleshooting purposes and is not required for initial configuration.
  • Page 159 icWALL becomes active after bootup, it looks for the backup SonicWALL on the net- work. In some cases, there may be a delay in locating the backup firewall due to network delays built into some switches. Configure the primary SonicWALL to allow an increment of time (in seconds) to look for the backup SonicWALLon the net- work.
  • Page 160: High Availability Status

    Configuration Changes Configuration changes for the High Availability pair can be made on the primary or the backup SonicWALL. The primary and backup SonicWALL appliances are accessible from their unique IP addresses. A label indicates which SonicWALL appliance is accessed. Note: If you change the IP address of either SonicWALL, synchronization cannot occur between the two SonicWALLs without updating the changes manually in the High Availiability configuration.
  • Page 161 top of the window. If the primary SonicWALL is active, the first line in the status window above indicates that the primary SonicWALL is currently Active. If the backup SonicWALL is active, the first line changes to reflect the active status of the backup as shown below: The first line in the status window indicates that the backup SonicWALL is currently Active.
  • Page 162: E-Mail Alerts Indicating Status Change

    the backup has taken over for the primary, this window indicates that the backup is currently Active. Note: In the event of a failure in the primary SonicWALL, you may access the Web Management Interface of the backup SonicWALL at the primary SonicWALL LAN IP Address or at the backup SonicWALL LAN IP Address.
  • Page 163 Forcing Transitions In some cases, it may be necessary to force a transition from one active SonicWALL to another – for example, to force the primary SonicWALL to become active again after a failure when Preempt Mode has not been enabled, or to force the backup SonicWALL to become active in order to do preventative maintenance on the primary SonicWALL.
  • Page 164: Viewpoint

    VIEWPOINT Monitoring critical network events and activity, such as security threats, inappropriate Web use, and bandwidth levels, is an essential component of network security. SonicWALL ViewPoint compliments SonicWALL's Internet security offerings by providing detailed and comprehensive reports of network activity. SonicWALL ViewPoint is a software application that creates dynamic, Web-based network reports.
  • Page 165: Getting Started With Viewpoint

    Getting Started with ViewPoint SonicWALL ViewPoint is a software reporting solution that may be installed on any computer on the SonicWALL's LAN. The computer used to host the reporting software is referred to as the “ViewPoint Server.” Minimum System Requirements The following is a list of the minimum requirements for the ViewPoint Server: •...
  • Page 166: Configuring The Sonicwall For Viewpoint

    Configuring the SonicWALL for ViewPoint This page describes the configuration of the SonicWALL to direct the syslog to the ViewPoint Server. 1. Click Log on the left side of the browser window, and then click the Log Settings tab. 2. Enter the IP address or domain name of the ViewPoint Server in the Syslog Serv- er field.
  • Page 167: Installing Viewpoint Software

    Installing ViewPoint Software You may download the ViewPoint software file from the SonicWALL, Inc. Web site. When ViewPoint version 1.1 is available, the ViewPoint software will be included on a CD-ROM. If your SonicWALL GX series included a ViewPoint CD, you may skip the following instructions and instead run the ViewPoint setup program from the ViewPoint Internet Download Installation To download and install the software from the Internet, save the ViewPoint executable...
  • Page 168 Once the programs are installed, you may close the ViewPoint Installation Wizard window. You need to restart your computer for the changes to take effect. Page 168 Installing ViewPoint Software...
  • Page 169: Managing Viewpoint

    Managing ViewPoint Logging into the ViewPoint Web Interface You must configure several settings in the ViewPoint Web Interface in order to view network reports. Login to the ViewPoint Web Interface. Type http://LocalHost or http://<ViewPoint Server IP Address> into the Location or Address field of your Web browser or launch ViewPoint from the SonicWALL folder in the Windows Start menu.
  • Page 170: Configuring Viewpoint Settings

    Configuring ViewPoint Settings ViewPoint requires that clients successfully authenticate to access reports. This authentication mechanism prevents unknown users from viewing sensitive network data. The ViewPoint Configuration window allows you to modify the ViewPoint user name and password. 1. From the ViewPoint Web Interface, expand the Configure option on the left side of the browser window and then click ViewPoint.
  • Page 171: Configuring Sonicwall Settings For Viewpoint

    Configuring SonicWALL Settings for Viewpoint ViewPoint transparently authenticates to your SonicWALL Internet security appliance for status and state information. ViewPoint uses the SonicWALL administrator password and IP address configured during ViewPoint installation to authenticate. If the SonicWALL IP address or password is changed, you will need to modify the ViewPoint settings to reflect these changes.
  • Page 172: Configuring Syslog Settings

    Note: If you lose or forget the password that had been defined in the SonicWALL Configuration window and ViewPoint cannot authenticate to your SonicWALL, you will need to uninstall and reinstall the ViewPoint software, and then define the correct SonicWALL administrator password. Configuring Syslog Settings The Syslog Configuration window allows you to change the UDP port number that ViewPoint syslog server listens on, to configure ViewPoint to forward syslog data to...
  • Page 173 4. Enter the port number that the syslog data uses to send data in the Port Number field. 5. You may configure the maximum size of the ViewPoint database. To limit the da- tabase by number of days, select the Maximum Number of Days in Database radio button and enter the number of days that syslog messages should be saved in the corresponding field.
  • Page 174: Setting The Viewpoint Report Date

    Setting the ViewPoint Report Date You may change the ViewPoint report date quickly and easily. 1. To change the report date, click the Date option in the top right corner of the browser window. 2. The current report date is highlighted in the ViewPoint date calendar. Select the desired month and year from the Month and Year menus.
  • Page 175: Viewpoint Web Interface

    ViewPoint Web Interface This section briefly describes the ViewPoint Web Interface and the Web-based help options. The ViewPoint Web Interface may be accessed from any computer located on the same network as the ViewPoint Server from a Web browser. Note: Please use Internet Explorer 4.0 or greater or Netscape Navigator 4.x to login and manage ViewPoint.
  • Page 176 Source The Source is the domain or host name or the IP address of the device that initiated an event. Destination The Destination is the domain or host name or the IP address that the event was directed towards. Event/Hit There are two primary methods to measure network activity through the SonicWALL, the amount of data transferred in bytes or the number of individual events.
  • Page 177: Viewpoint Report Descriptions

    ViewPoint Report Descriptions General Reports Status The General Status report displays comprehensive information about the current status of the SonicWALL. The Status report includes the SonicWALL serial number, firmware version, ROM version, enabled upgrades and subscriptions, the number of users connected to the SonicWALL, and other state information. Admin Login The Administrative Login report displays successful administrative authentications to the SonicWALL that occurred during the report period.
  • Page 178: Bandwidth Reports

    System Events The System Events report lists events and errors that occurred to the SonicWALL Internet security appliance during the report period. System events include successful downloads of the Content Filter List, SonicWALL activations, DHCP and PPPoE informational messages, and High Availability backup firewall activation. System errors listed include problems downloading the Content Filter List, difficulties obtaining a DHCP Client or PPPoE Client Lease, deactivation of the SonicWALL because the log was full, and the number of simultaneous connections exceeding the limit.
  • Page 179: Services Reports

    Services Reports Service Summary The Service Summary Report shows the amount of bandwidth used by a service. This report reveals inappropriate use of Internet bandwidth and can help determine network access policies enforced by your SonicWALL. The Service Summary Report displays a graph of FTP, HTTP, ICMP, NetBIOS, DNS, NTP, SMTP and other service traffic by the number of events or IP connections that have occurred.
  • Page 180: Web Filter Reports

    Top Users of Web The Top Users of Web report shows the most active users accessing Web sites on the Internet or on the LAN or DMZ network segments. This report displays the number of Web site hits and the amount of bandwidth transferred, identifying inappropriate or excessive Web usage.
  • Page 181: Ftp Usage Reports

    Note: The Web sites displayed in the table include links to the blocked sites, so that the ViewPoint administrator may view and evaluate blocked Web sites. The ViewPoint administrator may also be blocked from accessing these sites if he or she does not have privileges to bypass the SonicWALL's Content Filter List.
  • Page 182: Mail Usage Reports

    The Top Users of FTP report displays a pie chart of the top 10 users of FTP by the number of KBytes transferred. The report table lists the top 10 users displayed in the chart, the number of FTP events generated by the user, the number of KBytes transferred by the user, and the number of KBytes as a percentage of total KBytes of FTP during the report period.
  • Page 183 The Top Sources of Attacks report displays a pie chart of the top 10 sources by the number of attacks. The report table lists the top 10 sources displayed in the chart, the number of attacks generated by the source, and the number of attacks as a percentage of the total attacks during the report period.
  • Page 184: Accessing Viewpoint Remotely

    Accessing ViewPoint Remotely Because the ViewPoint Interface is Web browser-based, any user on the SonicWALL's LAN may login and look at ViewPoint network reports. Even users located across a VPN or accessing network resources through applications such as pcAnywhere should be able to contact the ViewPoint Web Interface.
  • Page 185: Uninstalling Viewpoint

    Uninstalling ViewPoint Uninstall the ViewPoint program and all of its components from your system by relaunching the ViewPoint setup program. 1. If you installed ViewPoint from a CD, load the CD into your server and run the ViewPoint setup program. If you downloaded the ViewPoint executable file from the SonicWALL Web site, then select and launch the ViewPoint executable file from your local disk.
  • Page 186: Active Viewpoint Services

    pages are requested. To learn more about Tomcat software or the Apache Software Foundation, visit http://www.apache.org. SonicWALL ViewPoint Software SonicWALL ViewPoint software includes proprietary HTML, Java and servlet files as well as a Syslog Daemon. The SonicWALL Syslog Daemon receives syslog messages from a SonicWALL Internet security appliance on UDP port 514 and then forwards the messages to the MySQL database.
  • Page 187: Sonicwall Options And Features

    SONICWALL OPTIONS AND FEATURES SonicWALL, Inc. offers a variety of options and upgrades to enhance the functionality of your SonicWALL Internet security appliance. SonicWALL options and upgrades include the following: • SonicWALL Network Anti-Virus Subscription • SonicWALL Content Filter List Subscription •...
  • Page 188: Sonicwall Authentication Service

    relocated sites. Users may be given a password to bypass the filter, giving them unrestricted access to the Internet. SonicWALL Authentication Service SonicWALL Authentication Service provides extra security for VPN tunnels and users. SonicWALL Vulnerability Scanning Service You can scan your network for any security vulnerabilities using the SonicWALL Vulnerability Scanning Service.
  • Page 189 to manage the security policies of remote SonicWALLs on an individual, group or global level. Please visit SonicWALL's site <http://www.sonicwall.com/products/ services.html> for more information about SonicWALL options and upgrades. Contact your local reseller to purchase SonicWALL upgrades. A SonicWALL sales representative can help locate a SonicWALL-authorized reseller near you.
  • Page 190: Appendices

    APPENDICES APPENDIX A- IP PORT NUMBERS The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The Well Known Ports range from 0 through 1023. The Registered Ports range from 1024 through 49151. The Dynamic and/or Private Ports range from 49152 through 65535.
  • Page 191: Appendix B- Configuring Tcp/Ip Settings

    APPENDIX B- CONFIGURING TCP/IP SETTINGS The following steps describe how to configure the Management Station's TCP/IP settings in order to initially contact the SonicWALL. It is assumed that the Management Station can access the Internet through an existing connection. The SonicWALL is pre-configured with the IP address “192.168.168.168". During the initial configuration, it is necessary to temporarily change the IP address of the Management Station to one in the same subnet as the SonicWALL.
  • Page 192: Appendix C- Erasing The Firmware

    APPENDIX C- ERASING THE FIRMWARE It may be necessary to reset the SonicWALL to its factory clean state if the administrator password is forgotten, or the firmware has become corrupt. Once the firmware is erased, new firmware must be loaded, and the SonicWALL must be reconfigured.
  • Page 193: Appendix D- Securing The Sonicwall

    APPENDIX D- SECURING THE SONICWALL Mounting the SonicWALL GX250 and SonicWALL GX650 The SonicWALL GX250 and SonicWALL GX650 are designed to be mounted in a standard 19-inch rack mount cabinet. The following conditions are required for proper installation: • Use the mounting hardware recommended by the rack manufacturer and ensure that the rack is adequate for the application.
  • Page 194: Appendix E- Electromagnetic Compatibility

    APPENDIX E- ELECTROMAGNETIC COMPATIBILITY SonicWALL GX250 and SonicWALL GX650 FCC Statement This device generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. This device has been tested and found to comply with the...
  • Page 195: Notes

    NOTES SonicWALL Internet Security Appliance Guide Page Page 195...
  • Page 196: Index

    INDEX Clear Log Now 53 Client Default Gateway 109 Client for Microsoft Networks 143 Configuration 100 Access 81 Configuration Changes 160 Accessing ViewPoint Remotely 184 Configure 114 Activation Key 74 Configuring High Availability 157 Active ViewPoint Services 186 Configuring SonicWALL Settings 171 ActiveX 59 Connect using Secure Gateway Tunnel 128 Add New Network 138...
  • Page 197 Edit a Rule 88 Hash Alg 130 E-mail Alerts 10 heartbeat 158 E-mail Log Now 53 Heartbeat Interval 158 Enable DHCP Server 30 heartbeats 157 Enable Fragmented Packet Handling 114 Help 175 Enable RADIUS 148 High Availability 155 Enable VPN 114 High Availability Status 160 Enable/Disable a Rule 88 http...
  • Page 198 LAN Settings 38 Outbound Keys 131 LAN Subnet Mask 22 Outgoing SPI 125 Lease Time 109 List Update 60 Location 184 Packet Trace 77 Log 50 Password 184 Log and Block Access 59 pcAnywhere 184 Log Categories 10 Per Incident Support 187 Log Only 59 Ping 76 Log Settings 52...
  • Page 199 SonicWALL INSTALLATION 20 Upgrade Key 74 SPI 154 Use Manual Keys 128 srvany.exe 186 User Activity 54 Standard 26 User Idle Timeout 91 Standard Configuration 39 User Login 177 Start Data Collection 56 User Name 184 Static Entries 110 Static Routes 102 Status 34 View Data 56 Stealth Mode 82...
  • Page 200: Warnings And Notices

    WARNINGS AND NOTICES Lithium Battery Disposal Warning The Lithium Battery used in the SonicWALL Internet Security appliance must not be replaced by the user. The SonicWALL must be returned to a SonicWALL authorized service center for replacement with the same or equivalent type recommended by the manufacturer.

This manual is also suitable for:

Sonicwall gx650