Sonicpoint Enforcement; Enabling Traffic From Non-Sonicpoint Devices - SonicWALL SonicPoint Administrator's Manual

:
• WiFiSec Enforcement: The ability to require that all traffic that enters into a Wireless Zone
interface be either IPSec traffic, WPA traffic, or both.
• Guest Services: Guest Services will only be available on interfaces belonging to a Wireless Zone.
Recent Guest Services enhancements include Profiles for automated account generation,
customizable post-authentication landing page, SMTP Redirection, and the integration of Guest
Services accounts and local user accounts and groups.
• SonicPoint Profiles: The ability to define profiles containing the complete set of SonicPoint
parameters that can be assigned to a Wireless Zone, and inherited by any connected SonicPoint.
• Automatic SonicPoint Provisioning: Utilizing the newly developed SonicWALL Discovery
Protocol (SDP) and SonicWALL Simple Provisioning Protocol (SSPP) SonicPoints will be
automatically updated with the latest firmware and configurations by their managing SonicWALL
appliance.
• NAT Policy Enforcement: A Wireless zone can only be configured with NAT enabled. When you
create a Wireless zone, or assign an interface to the WLAN zone, SonicOS automatically creates a
NAT policy for it.

SonicPoint Enforcement

SonicPoint Enforcement is automatically enabled on all Wireless Zones, but can be overridden by
deselecting the enforcement option in the wireless portion of the configuration environment for the
WLAN zone in SonicOS 3.0 and greater. The enforcement feature requires that any traffic that enters
into a Wireless Zone be delivered using a SonicPoint. When not overridden, traffic cannot pass from
an industry-standard Access Point, or even from a wired host through a Wireless Zone. Therefore,
only SonicPoints should be connected to Wireless Zone interfaces, either directly or through a switch
or hub. Layer 2 connectivity between SonicPoints and the managing SonicWALL appliance is
required.
Wireless Zone interfaces will automatically recognize when a SonicPoint has been connected using
the SonicWALL Discovery Protocol (SDP). SDP will then conjoin the SonicPoint to the SonicOS
Enhanced enabled SonicWALL PRO Series security appliance or SonicWALL TZ Series security
appliance that first discovered it, making it its peer (to protect against the event of a SonicPoint being
on an L2 segment with more than one PRO). Once peered, SDP will negotiate encryption parameters
and will determine the configuration state of the SonicPoint. If the configuration state is validated by
the PRO, the SonicPoint will immediately enter into an operational state.
Whenever the operating system on the SonicPoint is out of sync with the OS on the PRO-series
device, the SonicWALL PRO Series security appliance uses the SonicWALL Simple Provisioning
Protocol (SSPP) and reconfigures the SonicPoint as needed. For example, if you upgrade the
firmware in the PRO-series device to a newer version. The SonicWALL PRO Series security
appliance automatically detects that the SonicPoint is out of sync and provisions the SonicPoint with
updated firmware.

Enabling Traffic from Non-SonicPoint Devices

In prior versions of SonicOS Enhanced, when an interface was assigned to a Wireless Zone, that
interface would only accept traffic that arrived through a SonicPoint. This provided the benefit of
ensuring that all wireless communications were secure. To accommodate the need to integrate
SonicPoints into existing networks where SonicPoint devices would be installed on the same physical
segment as existing wireless notes, administrator control has been provided over the application of
SonicPoint Enforcement. SonicOS Enhanced 3.1 for SonicPoint now provides an option that provides
two options for the device:
• it allows traffic only generated by a SonicPoint device.
• it allows traffic generated by a non-SonicWALL access point device.
12
S WALL S P
ONIC ONIC OINT
A ' G
DMINISTRATOR S UIDE