SonicWALL Network Router Internet Security Appliances User Manual

COMPREHENSIVE INTERNET SECURITY  
SonicWALL Internet Security Appliances  
ADMINISTRATOR’S GUIDE  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
Copyright Notice ..................................................................................................11  
About this Guide ..................................................................................................12  
SonicWALL Technical Support ...........................................................................13  
Firmware Version ................................................................................................13  
1 Introduction ...................................................................................... 14  
SonicWALL Internet Security Appliance Features .............................................15  
2 Configuring the Network Mode on the SonicWALL ........................... 18  
Configuring the SonicWALL in Standard Mode .................................................19  
Configuring the SonicWALL in NAT Enabled Mode ...........................................20  
Configuring NAT with PPPoE Client ....................................................................26  
Configuring NAT with DHCP Client .....................................................................32  
Configuring NAT with L2TP Client .......................................................................37  
Configuring NAT with PPTP Client ......................................................................38  
Logging into the SonicWALL Management Interface .......................................44  
3 Registering at mySonicWALL.com .................................................... 46  
Creating a New User Account .............................................................................46  
Problems Creating a mySonicWALL.com User Account? ..................................51  
User Name and Password Functions .................................................................51  
Registering Your SonicWALL Internet Security Appliance ................................51  
Click Here Registration .......................................................................................51  
Quick Registration ...............................................................................................52  
Status and Options .............................................................................................53  
Managing Your SonicWALL .................................................................................54  
Renaming Your SonicWALL ................................................................................54  
Transferring a SonicWALL Product ....................................................................55  
Delete Product ....................................................................................................56  
Managing Services for SonicWALL Internet Security Appliances ....................57  
Activating Services Using mySonicWALL.com ...................................................58  
4 Configuring the TELE3 SP Modem Connection .................................. 60  
Configuring the TELE3 SP WAN Failover Feature .............................................60  
Configuring Modem Profiles ...............................................................................61  
Dial-Up Configuration ..........................................................................................61  
ISP Settings .........................................................................................................62  
Location Settings ................................................................................................62  
TELE3 SP Modem Configuration ........................................................................64  
Modem Settings ..................................................................................................64  
Contents Page 1  
Primary Interface .................................................................................................65  
Failover Settings .................................................................................................65  
Configuring a Modem Profile for Manual Dial-Up .............................................66  
Status ...................................................................................................................69  
Modem Status .....................................................................................................69  
Chat Scripts .........................................................................................................70  
Custom Chat Scripts ...........................................................................................71  
5 Managing Your SonicWALL Internet Security Appliance .................. 72  
Status ...................................................................................................................73  
CLI Support and Remote Management .............................................................75  
6 General and Network Settings .......................................................... 76  
Network Settings .................................................................................................76  
Network Addressing Mode .................................................................................76  
LAN Settings ........................................................................................................77  
Multiple LAN Subnet Mask Support ..................................................................77  
WAN Settings .......................................................................................................78  
DNS Settings .......................................................................................................78  
Standard Configuration ......................................................................................79  
NAT Enabled Configuration ................................................................................79  
NAT with DHCP Client Configuration ..................................................................81  
NAT with PPPoE Configuration ...........................................................................82  
Restarting the SonicWALL ..................................................................................83  
NAT with L2TP Client Configuration ...................................................................84  
Restarting the SonicWALL ..................................................................................85  
NAT with PPTP Client Configuration ...................................................................86  
Restarting the SonicWALL ..................................................................................87  
Setting the Time and Date .................................................................................88  
NTP Settings ........................................................................................................88  
Configuring the Administrator Settings .............................................................89  
Administrator Name ............................................................................................89  
Change the Administrator Password .................................................................89  
Setting the Administrator Inactivity Timeout .....................................................90  
Login Failure Handling ........................................................................................90  
7 Logging and Alerts ............................................................................ 91  
View Log ...............................................................................................................91  
SonicWALL Log Messages ..................................................................................92  
Log Settings .........................................................................................................93  
Configure the following settings: ........................................................................93  
Log Categories .....................................................................................................95  
Alerts/SNMP Traps .............................................................................................96  
Reports ................................................................................................................96  
Web Site Hits .......................................................................................................97  
Bandwidth Usage by IP Address ........................................................................97  
Bandwidth Usage by Service ..............................................................................97  
SonicWALL ViewPoint .........................................................................................98  
8 Content Filtering and Blocking ......................................................... 99  
Configuring SonicWALL Content Filtering ........................................................100  
Restrict Web Features ......................................................................................100  
URL List ..............................................................................................................101  
Customizing the Content Filtering List .............................................................103  
Consent ..............................................................................................................105  
Mandatory Filtered IP Addresses .....................................................................106  
Configuring N2H2 Internet Filtering .................................................................107  
Restrict Web Features ......................................................................................107  
Configuring the Websense Enterprise Content Filter .....................................110  
Restrict Web Features ......................................................................................110  
Configuring the Websense Content Filter List .................................................112  
Websense Server Status ..................................................................................112  
Settings ..............................................................................................................112  
URL Cache .........................................................................................................113  
9 Web Management Tools ................................................................. 114  
Restarting the SonicWALL ................................................................................114  
Preferences .......................................................................................................115  
Exporting the Settings File ................................................................................115  
Importing the Settings File ...............................................................................116  
Restoring Factory Default Settings ..................................................................116  
Updating Firmware ............................................................................................117  
Updating Firmware Manually ...........................................................................118  
Upgrade Features .............................................................................................119  
Diagnostic Tools ................................................................................................120  
DNS Name Lookup ...........................................................................................120  
Ping ....................................................................................................................122  
Packet Trace ......................................................................................................123  
Trace Route .......................................................................................................126  
10 Network Access Rules ................................................................... 127  
Viewing Network Access Rules ........................................................................127  
Services .............................................................................................................128  
LAN Out ..............................................................................................................128  
DMZ In (Optional) ..............................................................................................128  
LAN In .................................................................................................................128  
Public LAN Server ..............................................................................................129  
Windows Networking (NetBIOS) Broadcast Pass Through .............................129  
Windows Messenger Support ..........................................................................129  
Detection Prevention ........................................................................................129  
Network Connection Inactivity Timeout ...........................................................129  
Add Service ........................................................................................................130  
Add a Known Service ........................................................................................130  
Add a Custom Service .......................................................................................130  
Enable Logging ..................................................................................................131  
Delete a Service ................................................................................................131  
Rules ..................................................................................................................131  
Maximum Number of Rules by Product ...........................................................132  
Network Access Rule Logic List .......................................................................133  
Bandwidth Management ..................................................................................133  
Add A New Rule .................................................................................................134  
Add New Rule Examples ...................................................................................136  
Current Network Access Rules Table ...............................................................137  
Users ..................................................................................................................139  
Global User Settings .........................................................................................139  
User Login ..........................................................................................................142  
RADIUS ...............................................................................................................143  
Management ....................................................................................................145  
SonicWALL SNMP Support ...............................................................................145  
SonicWALL Management Protocol ...................................................................146  
Additional Management ...................................................................................146  
11 Advanced Features ....................................................................... 148  
Proxy Relay ........................................................................................................148  
Web Proxy Forwarding ......................................................................................148  
Configuring Web Proxy Relay ............................................................................149  
Bypass Proxy Servers Upon Proxy Failure .......................................................149  
Intranet ..............................................................................................................150  
Installation .........................................................................................................150  
Intranet Configuration .......................................................................................151  
Intranet Settings ...............................................................................................151  
VPN Single-Armed Mode (stand-alone VPN gateway) .....................................152  
Configuring a SonicWALL for VPN Single Armed Mode ..................................153  
Routes ................................................................................................................154  
LAN Route Advertisement ................................................................................155  
RIPv2 Authentication ........................................................................................156  
DMZ Route Advertisement ...............................................................................156  
DMZ Addresses .................................................................................................156  
DMZ in Standard Mode ....................................................................................157  
DMZ in NAT Mode .............................................................................................157  
Delete a DMZ Address Range ..........................................................................158  
HomePort Configuration ...................................................................................158  
HomePort in Standard Mode ...........................................................................158  
HomePort in NAT Mode ....................................................................................159  
Delete a HomePort Address Range .................................................................159  
One-to-One NAT .................................................................................................160  
One-to-One NAT Configuration Example ..........................................................161  
Ethernet .............................................................................................................162  
WAN Link Settings .............................................................................................162  
Enable Bandwidth Management .....................................................................162  
DMZ/WorkPort Link Settings ...........................................................................163  
LAN/HomePort Link Settings ...........................................................................163  
Proxy Management Workstation Ethernet Address on WAN ..........................163  
MTU Settings .....................................................................................................163  
SonicWALL Bandwidth Management ..............................................................164  
12 DHCP Server .................................................................................. 166  
Setup ..................................................................................................................166  
Allow DHCP Pass Through in Standard Mode .................................................166  
Configuring the SonicWALL DHCP Server ........................................................167  
Deleting Dynamic Ranges and Static Entries .................................................168  
DHCP over VPN .................................................................................................168  
DHCP Relay Mode .............................................................................................168  
Configuring the Central Gateway for VPN over DHCP .....................................169  
Configuring the Remote Gateway for VPN over DHCP ....................................169  
DHCP Status ......................................................................................................172  
DHCP Server on the SonicWALL TELE3 TZ and TZX .......................................173  
Setup ..................................................................................................................173  
Allow DHCP Pass Through in Standard Mode .................................................173  
Configuring the SonicWALL DHCP Server ........................................................174  
Deleting Dynamic Ranges and Static Entries .................................................175  
DHCP Status ......................................................................................................176  
13 SonicWALL VPN ............................................................................ 177  
VPN Management Interface .............................................................................178  
Summary Tab ....................................................................................................178  
Global VPN Settings ..........................................................................................178  
VPN Bandwidth Management ..........................................................................179  
VPN Policies .......................................................................................................179  
Currently Active VPN Tunnels ...........................................................................179  
SonicWALL NAT Traversal Support ..................................................................180  
AES (Advanced Encryption Standard) Support ...............................................180  
Configure Tab ....................................................................................................181  
Add/Modify IPSec Security Associations .........................................................181  
Security Policy Settings .....................................................................................182  
Destination Networks .......................................................................................186  
Advanced Settings ............................................................................................187  
Enable Keep Alive .............................................................................................187  
Try to bring up all possible SAs ........................................................................187  
Require authentication of local users .............................................................188  
Require authentication of remote users .........................................................188  
Enable Windows Networking (NetBIOS) broadcast ........................................188  
Apply NAT and firewall rules .............................................................................188  
Forward Packets to Remote VPNs ...................................................................188  
Route all internet traffic through this SA .........................................................189  
Enable Perfect Forward Secrecy ......................................................................189  
Phase 2 DH Group ............................................................................................189  
Default LAN Gateway ........................................................................................189  
VPN Terminated at the LAN, DMZ, or LAN/DMZ .............................................190  
Advanced Settings for VPN Configurations .....................................................191  
Configuring SonicWALL VPN .............................................................................192  
Group VPN Configuration for the SonicWALL and VPN Client ........................193  
Configuring Group VPN on the SonicWALL ......................................................193  
Group VPN Client Setup ....................................................................................195  
Manual Key Configuration for the SonicWALL and VPN Client ......................199  
Configuring the SonicWALL ..............................................................................199  
Configuring the VPN Client ...............................................................................200  
IKE and Manual Key Configuration for Two SonicWALLs ...............................206  
Manual Key for Two SonicWALLs .....................................................................206  
Configuring the Second SonicWALL Appliance ...............................................208  
Example of Manual Key Configuration for Two SonicWALLs .........................208  
IKE Configuration for Two SonicWALLs ...........................................................211  
Example of IKE Configuration for Two SonicWALLs ........................................213  
SonicWALL Third Party Digital Certificate Support ..........................................216  
Overview of Third Party Digital Certificate Support .........................................217  
Creating a Certificate Signing Request ............................................................219  
SonicWALL Enhanced VPN Logging .................................................................220  
Testing a VPN Tunnel Connection Using PING ................................................221  
Configuring Windows Networking ....................................................................222  
14 High Availability ............................................................................ 225  
Before Configuring High Availability .................................................................225  
Network Configuration for High Availability Pair .............................................225  
Configuring High Availability on the Primary SonicWALL ................................226  
Configuration Changes .....................................................................................228  
Synchronizing Changes between the Primary and Backup SonicWALLs ......229  
High Availability Status .....................................................................................229  
High Availability Status Window .......................................................................230  
E-mail Alerts Indicating Status Change ...........................................................231  
View Log .............................................................................................................232  
Forcing Transitions ............................................................................................232  
Configuration Notes ..........................................................................................233  
15 SonicWALL Options and Upgrades ................................................ 234  
SonicWALL VPN Client ......................................................................................234  
SonicWALL Network Anti-Virus .........................................................................234  
Content Filter List Subscription ........................................................................235  
Vulnerability Scanning Service .........................................................................235  
SonicWALL Authentication Service ..................................................................235  
SonicWALL ViewPoint Reporting ......................................................................236  
SonicWALL Global Management System ........................................................236  
Contact Your Reseller or SonicWALL ...............................................................236  
16 Hardware Descriptions ................................................................. 237  
SonicWALL PRO 230 and PRO 330 .................................................................237  
SonicWALL PRO 200 and PRO 300..................................................................239  
SonicWALL PRO 100..........................................................................................241  
SonicWALL TELE3 SP ........................................................................................243  
SonicWALL TELE3 TZ .........................................................................................245  
SonicWALL TELE3 TZX .......................................................................................247  
SonicWALL SOHO3 and TELE3..........................................................................249  
SonicWALL GX 250 and GX 650.......................................................................251  
17 Troubleshooting Guide .................................................................. 254  
The Link LED is off ............................................................................................254  
A computer on the LAN cannot access the Internet .......................................254  
The SonicWALL does not establish authenticated sessions ..........................254  
The SonicWALL does not save changes that you have made ........................255  
Duplicate IP address errors ..............................................................................255  
Machines on the WAN are not reachable ........................................................255  
VPN tunnel problems ........................................................................................255  
18 Appendices .................................................................................... 256  
Appendix A - Technical Specifications .............................................................256  
Appendix B - SonicWALL Support Solutions ....................................................257  
Appendix C - Introduction to Networking .........................................................263  
Appendix D - IP Port Numbers ..........................................................................268  
Appendix E - Configuring TCP/IP Settings .......................................................269  
Appendix F - Basic VPN Terms and Concepts .................................................274  
Appendix G - Erasing the Firmware ..................................................................278  
Appendix H - Mounting the SonicWALL PRO 200 and PRO 300 ....................279  
Appendix I - Configuring RADIUS and ACE Servers .........................................280  
Copyright Notice  
© 2002 SonicWALL, Inc. All rights reserved.  
Under the copyright laws, this manual or the software described within, can not be copied, in whole  
or part, without the written consent of the manufacturer, except in the normal use of the software  
to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted  
copies as were affixed to the original. This exception does not allow copies to be made for others,  
whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or  
loaned to another person. Under the law, copying includes translating into another language or  
format.  
SonicWALL is a registered trademark of SonicWALL, Inc.  
Other product and company names mentioned herein can be trademarks and/or registered  
trademarks of their respective companies.  
Specifications and descriptions subject to change without notice.  
LIMITED WARRANTY  
SonicWALL, Inc. warrants the SonicWALL Internet Security Appliance (the Product) for one (1) year  
from the date of purchase against defects in materials and workmanship. If there is a defect in the  
hardware, SonicWALL will replace the product at no charge, provided that it is returned to  
SonicWALL with transportation charges prepaid. A Return Materials Authorization (RMA) number  
must be displayed on the outside of the package for the product being returned for replacement or  
the product will be refused. The RMA number can be obtained by calling SonicWALL Customer  
Service between the hours of 8:30 AM and 5:30 PM Pacific Standard Time, Monday through Friday.  
Phone: (408) 752-7819  
Fax: (408) 745-9300  
Web: <http://www.sonicwall.com/support>  
This warranty does not apply if the Product has been damaged by accident, abuse, misuse, or  
misapplication or has been modified without the written permission of SonicWALL.  
In no event shall SonicWALL, Inc. or its suppliers be liable for any damages whatsoever (including,  
without limitation, damages for loss of profits, business interruption, loss of information, or other  
pecuniary loss) arising out of the use of or inability to use the Product.  
Some states do not allow the exclusion or limitation of implied warranties or liability for incidental  
or consequential damages, so the above limitation or exclusion can not apply to you. Where liability  
can not be limited under applicable law, the SonicWALL liability shall be limited to the amount you  
paid for the Product. This warranty gives you specific legal rights, and you can have other rights  
which vary from state to state.  
By using this Product, you agree to these limitations of liability.  
THIS WARRANTY AND THE REMEDIES SET FORTH ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL  
OTHER WARRANTIES, ORAL OR WRITTEN, EXPRESS OR IMPLIED.  
No dealer, agent, or employee of SonicWALL is authorized to make any extension or addition to this  
warranty.  
About this Guide  
Thank you for purchasing the SonicWALL Internet Security appliance. The SonicWALL protects your  
PC from attacks and intrusions, filters objectionable Web sites, provides private VPN connections to  
business partners and remote offices, and offers a centrally-managed defense against software  
viruses.  
This manual covers the installation, configuration, and features of the SonicWALL Internet Security  
appliance.  
Organization of this Guide  
Chapter 1, Introduction - describes the features and applications of the SonicWALL.  
Chapter 2, Configuring the Network Mode on the SonicWALL - describes the installation of the  
SonicWALL and configuring network settings for the SonicWALL.  
Chapter 3, Registering at mySonicWALL.com - provides details on registering your SonicWALL  
appliance in the product registration database.  
Chapter 4, Configuring the TELE3 SP Modem - contains detailed instructions on modem  
configuration for the TELE3 SP.  
Chapter 5, Managing Your SonicWALL Internet Security Appliance - provides a brief overview of the  
SonicWALL Web Management Interface.  
Chapter 6, General and Network Settings - describes the configuration of the SonicWALL IP settings,  
time, and password.  
Chapter 7, Logging and Alerts - illustrates the SonicWALL logging, alerting, and reporting features.  
Chapter 8, Content Filtering and Blocking - describes SonicWALL Web content filtering, including  
subscription updates and customized Web blocking.  
Chapter 9, Web Management Tools - provides directions to restart the SonicWALL, import and export  
settings, upload new firmware, and perform diagnostic tests.  
Chapter 10, Network Access Rules - explains how to permit and block traffic through the SonicWALL,  
set up servers, and enable remote management.  
Chapter 11, Advanced Features - describes advanced SonicWALL settings, such as One-to-One NAT  
and Automatic Web Proxying.  
Chapter 12, DHCP Server - describes the configuration and setup of the SonicWALL DHCP server.  
Chapter 13, SonicWALL VPN - explains how to create a VPN tunnel between two SonicWALLs and how  
to create a VPN tunnel from the VPN client to the SonicWALL.  
Chapter 14, High Availability - describes the configuration of two SonicWALLs (one primary and one  
backup) as a High Availability pair.  
Chapter 15, SonicWALL Options and Upgrades - presents a brief summary of the SonicWALL's  
subscription services, firmware upgrades and other options.  
Chapter 16, Hardware Descriptions - provides a description of the front and back of SonicWALL  
Internet security appliances, including LED lights and ports.  
Chapter 17, Troubleshooting Guide - shows solutions to commonly encountered problems.  
Appendix A, Technical Specifications - lists the SonicWALL specifications.  
Appendix B, SonicWALL Support Solutions - describes available support packages from SonicWALL.  
Appendix C, Introduction to Networking - provides an overview of the Internet, TCP/IP settings, IP  
security, and other general networking topics.  
Appendix D, IP Port Numbers - offers information about IP port numbering.  
Appendix E, Configuring TCP/IP Settings - provides instructions for configuring your Management  
Station's IP address.  
Appendix F, Basic VPN Terms and Concepts - covers VPN terminology and configuration concepts.  
Appendix G, Erasing the Firmware - describes the firmware erase procedure.  
Appendix H, Mounting the SonicWALL PRO 200 and PRO 300 - describes how to rack mount the  
SonicWALL appliance.  
Appendix I, Configuring RADIUS and ACE Servers - provides vendor-specific configuration  
instructions for RADIUS and ACE servers. The appendix also includes a RADIUS Attributes Dictionary.  
SonicWALL Technical Support  
For fast resolution of technical questions, please visit the SonicWALL Tech Support Web site at  
<http://www.sonicwall.com/support>. There, you will find resources to resolve most technical  
issues and a Web request form to contact one of the SonicWALL Technical Support engineers.  
Firmware Version  
This manual is updated and released with firmware version 6.4.0.0. Always check  
<http://www.sonicwall.com/products/documentation.html> for the latest version of this manual and  
other upgrade manuals as well.  
Icons Used in this Manual  
Alert - Important information about features that can affect firewall performance, security  
features, or cause potential problems with your SonicWALL.  
TIP - Useful information about security features and configurations on your SonicWALL.  
1 Introduction  
Your SonicWALL Internet Security Appliance  
The SonicWALL Internet Security Appliance provides a complete security solution that protects your  
network from attacks, intrusions, and malicious tampering. In addition, the SonicWALL filters  
objectionable Web content and logs security threats. SonicWALL VPN provides secure, encrypted  
communications to business partners and branch offices.  
The SonicWALL Internet Security Appliance uses stateful packet inspection to ensure secure firewall  
filtering. Stateful packet inspection is widely considered to be the most effective method of filtering  
IP traffic. MD5 authentication protects the login between your Management Station and the  
SonicWALL Web Management Interface: the SonicWALL password is never sent over your network in  
the clear, so unauthorized users cannot capture and steal it.  
SonicWALL Internet Security Appliance Functional Diagram  
The following figure illustrates the SonicWALL Internet security appliance functions.  
By default, the SonicWALL Internet security appliance allows outbound access from the LAN to the  
Internet and blocks inbound access from the Internet to the LAN. Users on the Internet are restricted  
from accessing resources on the LAN unless they are authorized remote users or Network Access  
Rules were created to allow inbound access. If the SonicWALL includes a DMZ port, users on the  
LAN and the Internet have access to the devices on the DMZ.  
SonicWALL Internet Security Appliance Features  
Internet Security  
ICSA-Certified Firewall  
After undergoing a rigorous suite of tests to expose security vulnerabilities, SonicWALL Internet  
security appliances have received Firewall Certification from ICSA, the internationally-accepted  
authority on network security. The SonicWALL uses stateful packet inspection, the most  
effective method of packet filtering, to protect your LAN from hackers and vandals on the  
Internet.  
Hacker Attack Prevention  
The SonicWALL automatically detects and thwarts Denial of Service (DoS) attacks such as Ping  
of Death, SYN Flood, LAND Attack, and IP Spoofing.  
Network Address Translation (NAT)  
Network Address Translation (NAT) translates the IP addresses used on your private LAN to a  
single, public IP address that is used on the Internet. NAT allows multiple computers to access  
the Internet, even if only one IP address has been provided by your ISP.  
Network Access Rules  
The default Network Access Rules allow traffic from the LAN to the Internet and block traffic  
from the Internet to the LAN. You can create additional Network Access Rules that allow  
inbound traffic to network servers, such as Web and e-mail servers, or that restrict outbound  
traffic to certain destinations on the Internet.  
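The default policy described above (LAN to Internet allowed, Internet to LAN blocked, with explicit rules to publish servers) combined with stateful packet inspection (replies to an admitted session are passed without a rule) can be illustrated with a small simulator. This is an added example, not SonicWALL code: the zone names, the `Rule`/`Packet` layout, the first-match semantics and the sample addresses are all assumptions of the example, not a description of the appliance's internals.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added illustration, not SonicWALL code: a minimal stateful packet filter
# that applies the default policy described in the manual (LAN -> Internet
# allowed, Internet -> LAN blocked, LAN and Internet may reach the DMZ).
# Zone names, rule layout and the sample addresses below are constructed.

LAN, WAN, DMZ = "LAN", "WAN", "DMZ"


@dataclass(frozen=True)
class Packet:
    src_zone: str      # zone of the interface the packet arrived on (assumed known)
    dst_zone: str      # zone the destination address belongs to
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"


# First match wins, so order is significant; anything unmatched is denied.
DEFAULT_RULES: List[Rule] = [
    Rule(LAN, WAN, None, "allow"),
    Rule(LAN, DMZ, None, "allow"),
    Rule(WAN, DMZ, None, "allow"),
    Rule(WAN, LAN, None, "deny"),
]

FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.sessions: Set[FlowKey] = set()

    def _policy(self, pkt: Packet) -> str:
        for rule in self.rules:
            if (rule.src_zone == pkt.src_zone and rule.dst_zone == pkt.dst_zone
                    and (rule.dst_port is None or rule.dst_port == pkt.dst_port)):
                return rule.action
        return "deny"   # implicit default deny

    def process(self, pkt: Packet) -> str:
        """Return "allow", "allow-established" or "deny" for one packet."""
        fwd: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev: FlowKey = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Stateful part: replies to a session the policy already admitted are
        # passed without consulting the rules again.
        if fwd in self.sessions or rev in self.sessions:
            return "allow-established"
        action = self._policy(pkt)
        if action == "allow":
            self.sessions.add(fwd)
        return action


def run_scenario() -> List[str]:
    """Constructed traffic that exercises the default policy and one custom rule."""
    fw = StatefulFirewall(DEFAULT_RULES)
    web_out = Packet(LAN, WAN, "tcp", "192.168.168.10", 40000, "198.51.100.80", 80)
    web_reply = Packet(WAN, LAN, "tcp", "198.51.100.80", 80, "192.168.168.10", 40000)
    unsolicited = Packet(WAN, LAN, "tcp", "203.0.113.7", 1234, "192.168.168.10", 445)
    dmz_web = Packet(WAN, DMZ, "tcp", "203.0.113.7", 1235, "10.20.30.40", 80)
    results = [fw.process(p) for p in (web_out, web_reply, unsolicited, dmz_web)]

    # Publishing a LAN mail server: an explicit allow placed before the WAN->LAN deny.
    fw.rules.insert(0, Rule(WAN, LAN, 25, "allow"))
    smtp_in = Packet(WAN, LAN, "tcp", "203.0.113.7", 1236, "192.168.168.25", 25)
    results.append(fw.process(smtp_in))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point of the scenario is the order of the two WAN-to-LAN outcomes: the reply to an outbound Web request is passed because a session exists, while an unsolicited connection to the same host is denied by the default rule, and only an explicit rule placed ahead of the deny opens a single port to a single server.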
Autoupdate  
The SonicWALL maintains the highest level of security by automatically notifying you when new  
firmware is released. When new firmware is available, the SonicWALL Web Management  
Interface displays a link to download and install the latest firmware.  
DMZ Port  
The SonicWALL PRO 100, PRO 200, PRO 300, PRO 230, and the SonicWALL PRO 330 include  
a DMZ port allowing users to access public servers, such as Web and FTP servers. While Internet  
users have unlimited access to the DMZ, the servers on the DMZ are still protected against DoS  
attacks.  
HomePort  
The TELE3 TZ and TELE3 TZX include a HomePort that allows you to separate company  
computers from home computers on your home network yet share the same Internet  
connection.  
WorkPort  
The TELE3 TZ and TELE3 TZX include a WorkPort that allows you to isolate your IPSec VPN and  
secure your corporate connections with a stateful packet inspection firewall.  
SNMP (Simple Network Management Protocol) Support  
SNMP is a network protocol used over User Datagram Protocol (UDP) that allows network  
administrators to monitor the status of the SonicWALL Internet Security Appliances and receive  
notification of any critical events as they occur on the network.  
Content Filtering  
SonicWALL Content Filtering  
You can use the SonicWALL Web content filtering to enforce your company's Internet access  
policies. The SonicWALL blocks specified categories, such as violence or nudity, using an  
optional Content Filter List. Users on your network can bypass the Content Filter List by  
authenticating with a unique user name and password.  
Content Filter List Updates (optional)  
Since content on the Internet is constantly changing, the SonicWALL automatically updates the  
optional Content Filter List every week to ensure that access restrictions to new and relocated  
Websites and newsgroups are properly enforced.  
Log and Block or Log Only  
You can configure the SonicWALL to log and block access to objectionable Web sites, or to log  
inappropriate usage without blocking Web access.  
Filter Protocols  
In addition to filtering access to Web sites, the SonicWALL can also block Newsgroups, ActiveX,  
Java, Cookies, and Web Proxies.  
Logging and Reporting  
Log Categories  
You can select the information you wish to display in the SonicWALL event log. You can view the  
event log from the SonicWALL Web Management Interface or receive the log as an e-mail file.  
Syslog Server Support  
In addition to the standard screen log, the SonicWALL can write detailed event log information  
to an external Syslog server. Syslog is the industry-standard method to capture information  
about network activity.  
ViewPoint Reporting (optional)  
Monitoring critical network events and activity, such as security threats, inappropriate Web use,  
and bandwidth levels, is an essential component of network security. SonicWALL ViewPoint  
complements the SonicWALL security features by providing detailed and comprehensive  
reports of network activity.  
SonicWALL ViewPoint is a software application that creates dynamic, Web-based network  
reports. ViewPoint reporting generates both real-time and historical reports to offer a complete  
view of all activity through your SonicWALL Internet Security Appliance.  
E-mail Alerts  
The SonicWALL can be configured to send alerts of high-priority events, such as attacks, system  
errors, and blocked Web sites. When these events occur, alerts can be immediately sent to an  
e-mail address or e-mail pager.  
Dynamic Host Configuration Protocol (DHCP)  
DHCP Server  
The DHCP Server offers centralized management of TCP/IP client configurations, including IP  
addresses, gateway addresses, and DNS addresses. Upon startup, each network client receives  
its TCP/IP settings automatically from the SonicWALL DHCP Server.  
DHCP Client  
The DHCP Client allows the SonicWALL to acquire TCP/IP settings (such as IP address, gateway  
address, DNS address) from your ISP. This is necessary if your ISP assigns you a dynamic IP  
address.  
DHCP over VPN  
DHCP over VPN allows a host (DHCP Client) behind a SonicWALL to obtain an IP address lease  
from a DHCP server at the far end of a VPN tunnel. In some network deployments, it is desirable to  
have all VPN networks residing in one IP subnet address space. This simplifies address  
administration for the networks using VPN tunnels.  
Easy Installation and Configuration  
Installation Wizard  
The SonicWALL Installation Wizard helps you quickly install and configure the SonicWALL.  
Online help  
SonicWALL help documentation is built into the SonicWALL Web Management Interface for easy  
access during installation and management.  
IPSec VPN  
SonicWALL VPN  
SonicWALL VPN provides a simple, secure tool that enables corporate offices and business  
partners to connect securely over the Internet. By encrypting data, SonicWALL VPN provides  
private communications between two or more sites without the expense of leased site-to-site  
lines.  
VPN Client Software for Windows  
Mobile users with dial-up Internet accounts can securely access remote network resources with  
the SonicWALL VPN Client. The SonicWALL VPN Client establishes a private, encrypted VPN  
tunnel to the SonicWALL, allowing users to transparently access network servers from any  
location.  
Contact SonicWALL, Inc. for information about the Content Filter List, Network  
Anti-Virus subscriptions, and other upgrades.  
Web: http://www.sonicwall.com  
E-mail: sales@sonicwall.com  
Phone: (408) 745-9600  
Fax: (408) 745-9300  
2 Configuring the Network Mode on the SonicWALL  
The SonicWALL Internet security appliance supports the following common network configurations,  
each of which is covered in this chapter: Standard, NAT Enabled, NAT with PPPoE Client, NAT with  
DHCP Client, NAT with L2TP Client, and NAT with PPTP Client.  
Standard Mode  
Configuring the SonicWALL in Standard mode requires a static IP address from your ISP. In this  
mode, you must have separate static IP addresses for all computers on your network.  
Instructions for configuring a SonicWALL in Standard mode begin on page 19.  
Network Address Translation (NAT) Enabled  
Using NAT to set up your SonicWALL eliminates the need for separate IP addresses for all computers  
on your LAN. It is a way to conserve IP addresses available from the pool of IPv4 addresses for the  
Internet. If you do not have enough individual IP addresses for all computers on your network, you  
can use NAT for your network configuration.  
Instructions for configuring NAT Enabled mode begin on page 20.  
NAT with PPPoE Client  
NAT with PPPoE Client is a networking mode that uses Point to Point Protocol over Ethernet (PPPoE)  
to connect to a remote site using various Remote Access Service products. This protocol is  
typically found when using a DSL modem with an ISP that requires a user name and password to log  
into the remote server. The ISP may then allow you to obtain an IP address automatically or give  
you a specific IP address.  
Instructions for configuring NAT with PPPoE Client mode begin on page 26.  
NAT with DHCP Client  
NAT with DHCP Client is a networking mode that allows you to obtain an IP address for a specific  
length of time from a DHCP server. The length of time is called a lease, which is renewed by the  
DHCP server typically after a few days. When the lease is ready to expire, the client contacts the  
server to renew the lease. This is a common network configuration for customers with cable or DSL  
modems. You are not assigned a specific IP address by your ISP.  
Instructions for configuring NAT with DHCP Client mode begin on page 32.  
NAT with L2TP Client  
NAT with L2TP Client is a networking mode that allows you to connect to a remote L2TP server to  
obtain IP address settings. L2TP (Layer 2 Tunneling Protocol) is a network protocol using IPSec to  
encrypt transmitted data, and is only supported by Windows 2000. If you are running other versions  
of Windows, you must use PPTP as your tunneling protocol.  
Instructions for configuring NAT with L2TP Client mode begin on page 37.  
NAT with PPTP Client  
NAT with PPTP Client is a networking mode supporting PPTP (Point to Point Tunneling Protocol) to  
connect to a remote server. It uses Microsoft Point to Point Encryption (MPPE) to provide encryption  
of transmitted data. PPTP typically supports older Microsoft clients that require tunneling  
connectivity or situations in which a tunnel passes through a firewall performing NAT.  
Instructions for configuring NAT with PPTP Client begin on page 38.  
Configuring the SonicWALL in Standard Mode  
This section describes configuring the SonicWALL in Standard mode. You must have a single, static  
IP address to begin configuration. Follow the instructions below.  
TIP Be sure to have your network information including your WAN IP address, subnet mask, and DNS  
settings ready. This information is obtained from your ISP.  
1. Open a Web browser and enter the default SonicWALL IP address, 192.168.168.168, in the  
Location or Address field.  
2. The Login window appears. Enter admin in the User Name field, and password in the Password  
field.  
3. Click Cancel on the initial Installation Wizard page to cancel the wizard.  
4. Click Network in the General section.  
5. Select Standard from the Network Addressing Mode menu.  
6. Enter 192.168.168.1 in the SonicWALL LAN IP Address field.  
7. Enter 255.255.255.0 in the LAN Subnet Mask field.  
8. Enter your WAN router or default gateway IP address in the WAN Gateway (Router) Address field.  
If you have DSL or cable, your WAN router is typically located at your ISP.  
9. Enter your DNS IP address(es) in the DNS Server fields.  
10. Click Update. Once the SonicWALL is updated, you must restart the SonicWALL for the changes  
to take effect.  
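The values entered in steps 6 through 9 must be consistent with each other before the restart in step 10 is worth doing: the WAN gateway has to lie inside the WAN subnet, the LAN and WAN subnets must not overlap, and an interface address must be a usable host address rather than the subnet's network or broadcast address. The following is an added check, written for this guide and not part of the SonicWALL product; the function name and the sample addresses (documentation ranges) are the example's own.

```python
import ipaddress
from typing import List

# Added example, not SonicWALL code: a consistency check for the values
# entered in the Standard mode steps (WAN IP/mask, WAN gateway, LAN IP/mask,
# DNS servers).  Sample addresses in the usage at the bottom are constructed;
# the function name is this example's own.


def validate_standard_mode(wan_ip: str, wan_mask: str, wan_gateway: str,
                           lan_ip: str, lan_mask: str,
                           dns_servers: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []
    try:
        wan_if = ipaddress.IPv4Interface(f"{wan_ip}/{wan_mask}")
        lan_if = ipaddress.IPv4Interface(f"{lan_ip}/{lan_mask}")
        gateway = ipaddress.IPv4Address(wan_gateway)
    except ValueError as exc:
        return [f"unparseable address or mask: {exc}"]

    # An interface address must be a usable host address, not the network
    # or broadcast address of its subnet.
    for name, iface in (("WAN", wan_if), ("LAN", lan_if)):
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} IP {iface.ip} is the network or broadcast address of {net}")

    # The default gateway must be a different host on the WAN subnet, otherwise
    # the appliance cannot reach it over its directly connected route.
    if gateway not in wan_if.network:
        problems.append(f"WAN gateway {gateway} is not inside WAN subnet {wan_if.network}")
    elif gateway == wan_if.ip:
        problems.append("WAN gateway must not be the SonicWALL's own WAN IP address")

    # Overlapping LAN and WAN subnets make routing between the two ambiguous.
    if wan_if.network.overlaps(lan_if.network):
        problems.append(f"LAN subnet {lan_if.network} overlaps WAN subnet {wan_if.network}")

    if not dns_servers:
        problems.append("at least one DNS server address is required")
    for server in dns_servers:
        try:
            addr = ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not a valid IPv4 address")
            continue
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
            problems.append(f"DNS server {addr} is not a reachable unicast address")
    return problems


if __name__ == "__main__":
    # Constructed sample settings using documentation address ranges.
    print(validate_standard_mode("203.0.113.10", "255.255.255.0", "203.0.113.1",
                                 "192.168.168.1", "255.255.255.0", ["203.0.113.53"]))
    print(validate_standard_mode("203.0.113.10", "255.255.255.0", "198.51.100.1",
                                 "203.0.113.50", "255.255.255.0", ["127.0.0.1"]))
```

Run it against the numbers your ISP supplied before clicking Update; each string in the returned list names one field to correct, and an empty list means the combination is routable.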
Configuring the SonicWALL in NAT Enabled Mode  
This section describes configuring the SonicWALL appliance in NAT mode. Essentially, NAT  
translates the IP addresses in one network into those for a different network. As a form of packet  
filtering for firewalls, it protects a network from outside intrusion by hackers by replacing the  
internal (LAN) IP address on packets passing through a SonicWALL with a "fake" one from a fixed  
pool of addresses. The actual IP addresses of computers on the LAN are hidden from outside view.  
If you are assigned a single IP address by your ISP, follow the instructions below.  
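The address-hiding effect described here, and in the NAT feature summary in the Introduction, comes from a translation table: each outbound LAN flow is rewritten to the public address with its own source port, and only packets that match an entry in that table are translated back. The following is an added illustration, not SonicWALL code; it simplifies the "pool of addresses" to the single-public-IP case that the Introduction describes, and the class name, method names and sample addresses are the example's own.

```python
from typing import Dict, Optional, Tuple

# Added illustration, not SonicWALL code: many-to-one NAT on a single public
# address, where each LAN flow is rewritten to the public IP with its own
# source port.  The manual's "pool of addresses" is simplified here to one
# address plus a port pool; class and method names are this example's own.

FlowKey = Tuple[str, str, int, str, int]     # proto, lan_ip, lan_port, dst_ip, dst_port
ReturnKey = Tuple[str, int, str, int]        # proto, public_port, remote_ip, remote_port


class ManyToOneNAT:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_map: Dict[FlowKey, int] = {}
        self.inbound_map: Dict[ReturnKey, Tuple[str, int]] = {}

    def outbound(self, proto: str, lan_ip: str, lan_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int, str, int]:
        """Rewrite a LAN->Internet header; returns (src_ip, src_port, dst_ip, dst_port)."""
        key: FlowKey = (proto, lan_ip, lan_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            if self.next_port > self.last_port:
                raise RuntimeError("translation port pool exhausted")
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(proto, public_port, dst_ip, dst_port)] = (lan_ip, lan_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, proto: str, remote_ip: str, remote_port: int,
                public_port: int) -> Optional[Tuple[str, int, str, int]]:
        """Translate a packet addressed to the public IP back to the LAN host.

        Returns None when no LAN flow created the mapping.  That is what hides the
        LAN from outside view: an unsolicited packet has no entry and is dropped.
        """
        target = self.inbound_map.get((proto, public_port, remote_ip, remote_port))
        if target is None:
            return None
        lan_ip, lan_port = target
        return (remote_ip, remote_port, lan_ip, lan_port)


def run_scenario():
    """Constructed flows: two LAN hosts behind one public address, one stray packet."""
    nat = ManyToOneNAT("203.0.113.10")
    first = nat.outbound("tcp", "192.168.168.10", 50000, "198.51.100.80", 80)
    second = nat.outbound("tcp", "192.168.168.11", 50000, "198.51.100.80", 80)
    repeat = nat.outbound("tcp", "192.168.168.10", 50000, "198.51.100.80", 80)
    reply = nat.inbound("tcp", "198.51.100.80", 80, first[1])
    stray = nat.inbound("tcp", "203.0.113.7", 4444, 2000)
    return first, second, repeat, reply, stray


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

Two LAN hosts using the same local source port are kept apart only by the public port the translator assigns, which is why the remote server sees one address and two ports, and why a packet that arrives at the public address without a matching entry cannot be delivered anywhere on the LAN.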
Tip Be sure to have your network information including your WAN IP address, subnet mask, and DNS  
settings ready. This information is obtained from your ISP.  
The SonicWALL Installation Wizard simplifies the initial installation and configuration of the  
SonicWALL. The Wizard provides a series of menu-driven instructions for setting the administrator  
password and configuring the settings necessary to access the Internet.  
Accessing the Wizard  
Alert Your Web browser must be Java-enabled and support HTTP uploads in order to fully manage  
SonicWALL. Internet Explorer 5.0 and above as well as Netscape Navigator 4.0 and above are  
recommended.  
1. Open a Web Browser. Then enter the default SonicWALL IP address, "192.168.168.168", into  
the Location or Address field in the Web browser.  
The first time you access the SonicWALL Management interface, the SonicWALL Installation Wizard  
automatically launches and begins the installation process. Click Next to continue.  
Tip To bypass the Wizard, click Cancel. Then log into the SonicWALL Management Interface by  
entering the User Name "admin" and the Password "password".  
Setting the Password  
2. To set the password, enter a new password in the New Password and Confirm New Password  
fields.  
Alert It is very important to choose a password which cannot be easily guessed by others.  
This page also displays the Use SonicWALL Global Management System check box. SonicWALL  
Global Management System (SonicWALL GMS) is a Web browser-based security management  
system. SonicWALL GMS allows enterprises and service providers to monitor and manage hundreds  
of remote SonicWALLs from a central location. For more information about SonicWALL GMS, contact  
SonicWALL Sales at (408) 745-9600.  
3. Do not select the Use Global Management System check box unless your SonicWALL is remotely  
managed by SonicWALL GMS. Click Next to continue.  
Setting the Time and Date  
4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is  
set automatically by a Network Time Server on the Internet. Click Next to continue.  
Connecting to the Internet  
The Connecting to the Internet screen lists the information required to complete the installation. You  
need either the instructions for obtaining an IP address automatically or the IP addresses assigned  
by your ISP.  
5. Confirm that you have the proper network information necessary to configure the SonicWALL to  
access the Internet. Click the hyperlinks for definitions of the networking terms. Click Next to  
proceed to the next step.  
Selecting Your Internet Connection  
6. Select Assigned you a single static IP address, if your ISP has provided you with a single, valid  
IP address. You can configure the SonicWALL to use NAT with a single, static IP address. The  
advantages of Network Address Translation (NAT) are IP address conservation, and hiding your  
IP address from a public WAN such as the Internet.  
Confirming Network Address Translation (NAT) Mode  
If you select Assigned you a single static IP address in the Connecting to the Internet page, the Use  
Network Address Translation (NAT) page is displayed.  
The Use Network Address Translation (NAT) page verifies that the SonicWALL has a registered IP  
address.  
Selecting NAT Enabled Mode  
If you selected Assigned you two or more static IP Addresses, the Optional-Network Address  
Translation page is displayed.  
7. The Optional-Network Address Translation (NAT) page offers the ability to enable NAT. Select  
Don’t Use NAT, if there are enough static IP addresses for your SonicWALL, all PCs, and all  
network devices on your LAN. Selecting Don’t Use NAT enables the Standard mode. Select Use  
NAT, if valid IP addresses are in short supply or to hide all devices on your LAN behind the  
SonicWALL valid IP address. Click Next to continue.  
Configuring WAN Network Settings  
If you selected either NAT or Standard mode, the Getting to the Internet page is displayed.  
8. Enter the IP address provided by your ISP in the SonicWALL WAN IP Address, WAN/DMZ Subnet  
Mask, WAN Gateway (Router) Address, and DNS Server Addresses. Click Next to continue.  
Configuring LAN Network Settings  
9. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP  
Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address  
assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP  
addresses on the LAN. The default values provided by the SonicWALL work for most networks.  
If you do not use the default settings, enter the SonicWALL LAN settings and click Next to  
continue.  
Configuration Summary  
10. The Configuration Summary page displays the configuration defined using the Installation  
Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet page.  
If the configuration is correct, click Next to proceed to the Congratulations page.  
Congratulations  
Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations page, is  
used to log in and manage the SonicWALL.  
11. Click Restart to restart the SonicWALL.  
Restarting  
Alert The final page provides important information to help configure the computers on the LAN.  
Click Print this Page to print the window information.  
12. The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click  
Close to exit the SonicWALL Wizard.  
Configuring NAT with PPPoE Client  
The SonicWALL Installation Wizard simplifies the initial installation and configuration of the  
SonicWALL. The Wizard provides a series of menu-driven instructions for setting the administrator  
password and configuring the settings necessary to access the Internet.  
Alert Be sure to have your network information including your user name and password ready. This  
information is obtained from your ISP.  
To configure your SonicWALL appliance, read the instructions on the Wizard Welcome page and click  
Next to continue.  
Setting the Password  
Alert It is very important to choose a password which cannot be easily guessed by others.  
1. To set the password, enter a new password in the New Password and Confirm New Password  
fields.  
This window also displays the Use SonicWALL Global Management System check box.  
2. Do not select the Use Global Management System check box unless your SonicWALL is remotely  
managed by SonicWALL GMS. Click Next to continue.  
Setting the Time and Date  
3. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is  
set automatically by a Network Time Server on the Internet. Click Next to continue.  
Connecting to the Internet  
The Connecting to the Internet page lists the information required to complete the installation.  
Tip Confirm that you have the necessary network information from your ISP before proceeding with  
the Connecting to the Internet pages.  
4. Click the hyperlinks for definitions of the networking terms. Click Next to continue.  
Selecting Your Internet Connection  
5. Select Provided you with desktop software, a user name and password (PPPoE), if your ISP has  
provided you with desktop software, a user name, and a password.  
Setting the User Name and Password for PPPoE  
6. If you selected Provided you with desktop software, a user name and password (PPPoE), the  
SonicWALL ISP Settings (PPPoE) page is displayed.  
7. Enter the User Name and Password provided by your ISP into the User Name and Password  
fields.  
Configuring LAN Network Settings  
8. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP  
Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address  
assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP  
addresses on the LAN. The default values provided by the SonicWALL work for most networks.  
If you do not use the default settings, enter the SonicWALL LAN settings and click Next to  
continue.  
Configuring the SonicWALL DHCP Server  
9. The Optional-SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled,  
the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the  
DHCP server, select the Enable DHCP Server check box, and specify the range of IP addresses  
that are assigned to computers on the LAN.  
If the Enable DHCP Server check box is not selected, the DHCP Server is disabled. Click Next to  
continue.  
Configuration Summary  
10. The Configuration Summary page displays the configuration defined using the Installation  
Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet  
window. If the configuration is correct, click Next to proceed to the Congratulations page.  
Congratulations  
Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations page, is  
used to log in and manage the SonicWALL.  
11. Click Restart to restart the SonicWALL.  
Restarting  
Alert The final window provides important information to help configure the computers on the LAN.  
12. Click Print this Page to print the window information.  
The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close  
to exit the SonicWALL Wizard.  
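The LAN IP Address and LAN Subnet Mask entered in step 8 and the DHCP address range entered in step 9 (the same two steps recur in the DHCP Client and PPTP Client variants of the Wizard below) have to agree with each other: the range must lie inside the LAN subnet and must never contain the appliance's own LAN address, or a LAN host can be leased the gateway's address. The following is an added example, not part of this guide and not SonicWALL software. It uses Python's standard ipaddress module with the guide's own LAN defaults (192.168.168.1, 255.255.255.0) and constructed DHCP ranges; the checks it performs are ones I assume the Wizard does not make for you.

```python
"""Consistency checks for the LAN address plan entered in the Installation
Wizard. Added example, not SonicWALL code; all sample values are constructed."""
import ipaddress

# Problem descriptions returned by validate_lan_plan()
LAN_IP_NOT_PRIVATE = "LAN IP is not an RFC 1918 private address"
LAN_IP_IS_NET_OR_BCAST = "LAN IP is the network or broadcast address of its subnet"
RANGE_REVERSED = "DHCP range start is after its end"
RANGE_OUTSIDE_LAN = "DHCP range lies (partly) outside the LAN subnet"
RANGE_HAS_LAN_IP = "DHCP range includes the SonicWALL LAN IP"
RANGE_HAS_NET_OR_BCAST = "DHCP range includes the network or broadcast address"


def lan_network(lan_ip, lan_mask):
    """The LAN subnet implied by the wizard's LAN IP Address and LAN Subnet Mask."""
    return ipaddress.IPv4Network(f"{lan_ip}/{lan_mask}", strict=False)


def validate_lan_plan(lan_ip, lan_mask, dhcp_start, dhcp_end):
    """Return the list of problems with a LAN IP / mask / DHCP range combination.

    An empty list means the settings are mutually consistent: the range sits
    inside the LAN subnet and can never hand out the appliance's own address."""
    problems = []
    ip = ipaddress.IPv4Address(lan_ip)
    net = lan_network(lan_ip, lan_mask)
    start = ipaddress.IPv4Address(dhcp_start)
    end = ipaddress.IPv4Address(dhcp_end)

    if not ip.is_private:
        problems.append(LAN_IP_NOT_PRIVATE)
    if ip in (net.network_address, net.broadcast_address):
        problems.append(LAN_IP_IS_NET_OR_BCAST)
    if start > end:
        problems.append(RANGE_REVERSED)
        return problems  # the remaining checks assume start <= end
    if start not in net or end not in net:
        problems.append(RANGE_OUTSIDE_LAN)
    if start <= ip <= end:
        problems.append(RANGE_HAS_LAN_IP)
    if start <= net.network_address <= end or start <= net.broadcast_address <= end:
        problems.append(RANGE_HAS_NET_OR_BCAST)
    return problems


def suggest_dhcp_range(lan_ip, lan_mask, leases):
    """Pick a run of `leases` usable addresses inside the LAN subnet that avoids
    the SonicWALL LAN IP, preferring the run above it. Returns (start, end)."""
    ip = ipaddress.IPv4Address(lan_ip)
    net = lan_network(lan_ip, lan_mask)
    first, last = net.network_address + 1, net.broadcast_address - 1
    # Two candidate runs of host addresses: above and below the LAN IP.
    for lo, hi in ((ip + 1, last), (first, ip - 1)):
        if lo <= hi and int(hi) - int(lo) + 1 >= leases:
            return str(lo), str(lo + leases - 1)
    raise ValueError("subnet cannot hold that many leases without the LAN IP")


if __name__ == "__main__":
    # Guide defaults with a constructed range that collides with the LAN IP.
    print(validate_lan_plan("192.168.168.1", "255.255.255.0",
                            "192.168.168.1", "192.168.168.50"))
    start, end = suggest_dhcp_range("192.168.168.1", "255.255.255.0", 100)
    print(start, end, validate_lan_plan("192.168.168.1", "255.255.255.0", start, end))
```

Run the checks against the values you intend to type into the Wizard before clicking Next; if validate_lan_plan returns anything, fix the plan rather than the check.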
Configuring NAT with DHCP Client  
Accessing the Installation Wizard  
The SonicWALL Installation Wizard simplifies the initial installation and configuration of the  
SonicWALL. The Wizard provides a series of menu-driven instructions for setting the administrator  
password and configuring the settings necessary to access the Internet.  
Tip To bypass the Wizard, click Cancel. Then log into the SonicWALL Management Interface by  
entering the User Name "admin" and the Password "password". These are the factory defaults; if you  
skip the Wizard, change the administrator password in the Management Interface before connecting  
the WAN port to the Internet.  
The first time you access the SonicWALL Management interface, the SonicWALL Installation Wizard  
automatically launches and begins the installation process.  
1. To configure your SonicWALL appliance, read the instructions on the Wizard Welcome page and  
click Next to continue.  
Setting the Password  
Alert It is very important to choose a password which cannot be easily guessed by others.  
2. To set the password, enter a new password in the New Password and Confirm New Password  
fields.  
This page also displays the Use SonicWALL Global Management System check box.  
3. Do not select the Use Global Management System check box unless your SonicWALL is remotely  
managed by SonicWALL GMS. Click Next to continue.  
Setting the Time and Date  
4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is  
set automatically by a Network Time Server on the Internet. Click Next to continue.  
Connecting to the Internet  
The Connecting to the Internet page lists the information required to complete the installation.  
Tip Confirm that you have the necessary network information from your ISP before proceeding with  
the Connecting to the Internet pages.  
5. Confirm that you have the proper network information necessary to configure the SonicWALL to  
access the Internet. Click the hyperlinks for definitions of the networking terms. Click Next to  
proceed to the next step.  
Selecting Your Internet Connection  
6. Select the option, Automatically assigns you a dynamic IP address (DHCP).  
7. The Obtain an IP address automatically page is displayed.  
The Obtain an IP address automatically page states that the ISP dynamically assigns an IP address  
to the SonicWALL. To confirm this, click Next.  
Configuring LAN Network Settings  
8. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP  
Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address  
assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP  
addresses on the LAN. The default values provided by the SonicWALL work for most networks.  
If you do not use the default settings, enter the SonicWALL LAN settings and click Next to  
continue.  
Configuring the SonicWALL DHCP Server  
9. The Optional-SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled,  
the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the  
DHCP server, select the Enable DHCP Server check box, and specify the range of IP addresses  
that are assigned to computers on the LAN.  
If the Enable DHCP Server check box is not selected, the DHCP Server is disabled. Click Next to  
continue.  
Configuration Summary  
10. The Configuration Summary page displays the configuration defined using the Installation  
Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet  
window. If the configuration is correct, click Next to proceed to the Congratulations page.  
Congratulations  
Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations window,  
is used to log in and manage the SonicWALL.  
11. Click Restart to restart the SonicWALL.  
Restarting  
Tip The final window provides important information to help configure the computers on the LAN.  
Click Print this Page to print this information.  
The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close  
to exit the SonicWALL Wizard.  
Configuring NAT with L2TP Client  
This section describes configuring the SonicWALL in NAT with L2TP Client mode. Depending on your  
ISP, the SonicWALL either obtains its WAN IP address from the L2TP server or uses a single, static IP  
address that you enter. Follow the instructions below.  
Tip Be sure to have your network information including your WAN IP address, subnet mask, and DNS  
settings ready. This information is obtained from your ISP.  
1. Open a Web browser and enter the default SonicWALL IP address, 192.168.168.168, in the  
Location or Address fields.  
2. The Login window appears. Enter admin in the User Name field, and password in the Password  
field.  
3. Click Cancel on the initial Installation Wizard page to cancel the wizard. Because this bypasses the  
Wizard's Setting the Password step, the administrator password remains the factory default; change  
it before connecting the WAN port to the Internet.  
4. Click Network in the General section.  
5. Select NAT with L2TP Client from the Network Addressing Mode menu.  
6. Enter 192.168.168.1 in the SonicWALL LAN IP Address field.  
7. Enter 255.255.255.0 in the LAN Subnet Mask field.  
8. If you obtain an IP address dynamically from the L2TP server, select Obtain an IP address using  
DHCP. The other fields in the WAN Settings are greyed out and are filled in when a connection  
is made to the L2TP server.  
9. If you have WAN IP address information, select Use the specified IP address.  
10. Enter the WAN IP address for the gateway in the WAN Gateway (Router) Address field.  
11. Enter the WAN IP address for the SonicWALL in the SonicWALL WAN IP (NAT Public) Address  
field.  
12. Enter your DNS IP address in the DNS Server field.  
13. Enter the host name in the L2TP Host Name field.  
14. Enter the server IP address in the L2TP Server IP Address field.  
15. Enter your user name and password in the User Name and User Password fields.  
16. Select Disconnect after ___ minutes of inactivity if you want to end an inactive connection. Enter  
the number of minutes of inactivity before the connection is dropped. The default value is 10  
minutes.  
17. The remaining L2TP settings are filled in once a connection is made to the L2TP server.  
18. Click Update. Once the SonicWALL is updated, you must restart the SonicWALL for the changes  
to take effect.  
Configuring NAT with PPTP Client  
The SonicWALL Installation Wizard simplifies the initial installation and configuration of the  
SonicWALL. The Wizard provides a series of menu-driven instructions for setting the administrator  
password and configuring the settings necessary to access the Internet.  
Tip Be sure to have your network information including your PPTP Server IP address, user name,  
and password ready. This information is obtained from your ISP.  
The first time you access the SonicWALL Management interface, the SonicWALL Installation Wizard  
automatically launches and begins the installation process.  
1. To configure your SonicWALL appliance, read the instructions on the Wizard Welcome page and  
click Next to continue.  
Setting the Password  
Alert It is very important to choose a password which cannot be easily guessed by others.  
2. To set the password, enter a new password in the New Password and Confirm New Password  
fields.  
3. Do not select the Use Global Management System check box unless your SonicWALL is remotely  
managed by SonicWALL GMS. Click Next to continue.  
Setting the Time and Date  
4. Select the appropriate Time Zone from the Time Zone menu. The SonicWALL internal clock is  
set automatically by a Network Time Server on the Internet. Click Next to continue.  
Connecting to the Internet  
The Connecting to the Internet page lists the information required to complete the installation.  
Tip Confirm that you have the necessary network information from your ISP before proceeding with  
the Connecting to the Internet pages.  
5. Confirm that you have the proper network information necessary to configure the SonicWALL to  
access the Internet. Click the hyperlinks for definitions of the networking terms. Click Next to  
proceed to the next step.  
Selecting Your Internet Connection  
6. Select Provided you with server IP address, a user name and password (PPTP), if your ISP has  
provided you with a server IP address, a user name, and a password.  
Setting the User Name and Password for PPTP  
7. The SonicWALL ISP Settings (PPTP) page is displayed. Enter the server IP address in the Server  
IP field, and your user name and password in the User Name and Password fields.  
Configuring LAN Network Settings  
8. The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP  
Address and the LAN Subnet Mask. The SonicWALL LAN IP Address is the private IP address  
assigned to the LAN port of the SonicWALL. The LAN Subnet Mask defines the range of IP  
addresses on the LAN. The default values provided by the SonicWALL work for most networks.  
If you do not use the default settings, enter the SonicWALL LAN settings and click Next to  
continue.  
Configuring the SonicWALL DHCP Server  
9. The Optional-SonicWALL DHCP Server page configures the SonicWALL DHCP Server. If enabled,  
the SonicWALL automatically configures the IP settings of computers on the LAN. To enable the  
DHCP server, select the Enable DHCP Server check box, and specify the range of IP addresses  
that are assigned to computers on the LAN.  
If the Enable DHCP Server check box is not selected, the DHCP Server is disabled. Click Next to  
continue.  
Configuration Summary  
10. The Configuration Summary page displays the configuration defined using the Installation  
Wizard. To modify any of the settings, click Back to return to the Connecting to the Internet page.  
If the configuration is correct, click Next to proceed to the Congratulations page.  
Congratulations  
Alert The new SonicWALL LAN IP address, displayed in the URL field of the Congratulations page, is  
used to log in and manage the SonicWALL.  
11. Click Restart to restart the SonicWALL.  
Restarting  
Tip The final window provides important information to help configure the computers on the LAN.  
Click Print this Page to print this information.  
The SonicWALL takes 90 seconds to restart. During this time, the yellow Test LED is lit. Click Close  
to exit the SonicWALL Wizard.  
Logging into the SonicWALL Management Interface  
Once the SonicWALL restarts, connect to the SonicWALL Management interface at the new SonicWALL  
LAN IP address. Enter the User Name "admin" and the new administrator password to log into  
the SonicWALL. The Status page is displayed.  
The Status tab displays the following information:  
SonicWALL Serial Number - the serial number of the SonicWALL unit.  
Number of LAN IP addresses allowed with this license - number of IP addresses managed by  
the SonicWALL  
Registration code - the registration code generated when the SonicWALL is registered at  
<http://www.mysonicwall.com>.  
SonicWALL Active time - the length of time in days, hours and minutes that the SonicWALL is  
active.  
Firmware version - shows the current version number of the firmware installed on the  
SonicWALL.  
ROM version - the version number of the ROM.  
CPU - the type and speed of the SonicWALL processor.  
VPN Hardware Accelerator Detected - indicates the presence of a VPN Hardware Accelerator in  
the firewall. This allows better throughput for VPN connections.  
RAM - the amount of Random Access Memory on the board.  
Flash - the size of the flash memory on the board.  
Ethernet Speeds - the link speeds of the network interfaces.  
Current Connections - the number of computers currently connected through the SonicWALL.  
Other SonicWALL general status information is displayed in this section relating to other features in  
the SonicWALL such as the type of network settings in use, log settings, content filter use, and if  
Stealth Mode is enabled on the SonicWALL.  
3 Registering at mySonicWALL.com  
After you complete the initial installation and configuration of your SonicWALL, you should register  
your SonicWALL Internet Security Appliance at <http://www.mysonicwall.com>. MySonicWALL.com  
delivers a convenient, centralized way to register all your SonicWALL Internet Security appliances  
and Security Services. It eliminates the need to individually register SonicWALL appliances and  
upgrades to streamline the management of all your SonicWALL security services.  
You can do the following with MySonicWALL.com:  
Centrally register all your SonicWALL appliances and services.  
Access firmware and security service updates.  
Get SonicWALL alerts on services, firmware, and products.  
Check status of your SonicWALL services and upgrades linked to each registered SonicWALL  
Internet security appliance.  
Manage (activate, change, or delete) your SonicWALL security services online.  
Alert You must register your SonicWALL on mySonicWALL.com to access technical support. By  
registering your SonicWALL, you provide the initial information necessary for technical support if  
any problems arise during installation.  
Creating a New User Account  
If you currently have a MySonicWALL.com user account, you can skip this section and proceed to  
Adding New Appliances or Services.  
1. Enter <http://www.mysonicwall.com> into your Web browser.  
2. As a new user, locate the statement, “If you are not a registered user, click here.” Click the link,  
and an information form appears.  
Account Information  
3. All fields marked with an * are required. Be sure to fill out the form completely before  
submitting it to the user database. Create a User Name and password for your mySonicWALL  
account. Confirm the password by typing it in the Confirm Password field. For your convenience,  
you can record the information below.  
User Name:______________________ Password:__________________  
Alert You must remember your user name and password until you have activated your account. If  
you forget your password before your user account is active, you have to create a new user account.  
Tip If your security policy doesn’t allow you to write down passwords, write down a hint or a prompt  
for your password.  
4. Create a Secret Question and Answer to prompt you for your password if you forget it.  
Personal Information  
5. Complete the Personal Information section of the Registration form.  
Be sure to enter the correct e-mail address as the subscription code for your SonicWALL user  
account is e-mailed to you. The subscription code is necessary to activate your account.  
6. Select your time zone from the Time Zone menu, and then select any or all of the following  
options:  
Yes, I would like to be a Beta Tester.  
No, I do not want to be contacted by SonicWALL via e-mail.  
I would like to receive security alerts from SonicWALL.  
I would like to receive product information from SonicWALL.  
7. Click Submit.  
8. Review your information carefully to ensure that it is accurate. Click Back on your Web browser  
navigation bar to go back to the form and re-enter any information.  
9. If all the information is correct, click OK. A confirmation message appears notifying you that your  
account must be activated within 72 hours of creating it. You also receive an e-mail with your  
subscription code in it. Write your subscription code below:  
Subscription code:_______________________________  
Note: For security reasons, the subscriber name and part of the subscription code are masked.  
10. Return to the mySonicWALL.com login screen, or alternatively, click on the link in the e-mail  
message to provide your subscription code to activate your account.  
11. Enter the subscription code you received via e-mail into the Subscription Code field, and click  
Submit.  
12. Your Account Management interface appears and you can now register SonicWALL Internet  
Security Appliances or Services. You can also delete or transfer appliances from your user  
account.  
Problems Creating a MysonicWALL.com User Account?  
If you’re having trouble creating a user account on the mySonicWALL.com Web site, be sure to check  
the following items in your browser:  
• Accept Cookies  
• Internet Explorer 5.0 or higher  
• Netscape 4.5 or higher  
• Allow JavaScript  
• Correct Password for MysonicWALL.com  
User Name and Password Functions  
If you forget your user name, you must send an e-mail message to Tech Support requesting your  
user name. Be sure to include the e-mail address used to create the MysonicWALL.com account.  
If you forget your password, use the Forget Password? Click here link to recover it by answering your  
Secret Question. If you did not set up a Secret Question and Answer for your password, a link  
appears allowing you to reset your password. Be sure to use the same user name and e-mail address  
as your MysonicWALL.com user account.  
Registering Your SonicWALL Internet Security Appliance  
To register your SonicWALL Internet Security Appliance, click the hyperlink, Click Here, in the  
Registered SonicWALL Products section. Or to quickly register your appliance, enter the Activation  
Key of a service, or a SonicWALL Internet Security Appliance serial number into the field in the Quick  
Register section.  
Click Here Registration  
If you use the hyperlink, Click Here, a My Products page appears, and you can register your  
appliance by entering the Serial Number in the Add New Product field. You can also create a Friendly  
Name, such as San Francisco Office, to identify the SonicWALL. Using Friendly Names can assist you  
with managing multiple SonicWALLs.  
Quick Registration  
To quickly register a SonicWALL Internet Security Appliance, enter the serial number in the field  
under the Quick Register section, and click Go. The serial number automatically appears in the  
Serial Number field. You can then create a Friendly Name for the appliance. If you enter the incorrect  
serial number into the Serial Number field, a message stating that the appliance is previously  
registered may be returned. Write your SonicWALL serial number below.  
SonicWALL Serial Number:____________________  
After you register the SonicWALL, the Friendly Name appears as a hyperlink under Registered  
SonicWALL Products. Click on the Friendly Name to view the services activated on the appliance.  
Note: Services may vary from model to model and may not have the same activated fields as the  
above appliance. Also, the serial number, registration code, and activation keys are masked for  
security reasons.  
Status and Options  
Click Status and Options underneath the login information to search for the status and options  
relating to a particular SonicWALL appliance. Enter the SonicWALL serial number to search for the  
related information.  
Information displayed includes  
Serial Number  
Product  
Registration Code  
Node Support Upgrade Key  
There is also a list of applicable services with their activation keys as well as expiration dates for  
subscriptions.  
Managing Your SonicWALL  
You can rename your SonicWALL, transfer your SonicWALL, or delete your SonicWALL in this section  
of Services Management.  
Renaming Your SonicWALL  
You can rename your SonicWALL at any time in order to manage your SonicWALLs. To rename your  
SonicWALL, click Rename in the Manage Products section. Enter the new name in the Friendly  
Name field, and click Submit.  
After clicking Submit, a new page appears with the message that you have successfully renamed  
your SonicWALL.  
Transferring a SonicWALL Product  
You can transfer a SonicWALL to another mySonicWALL.com user at any time. Transferring a  
SonicWALL is necessary if you sell the appliance to another user, or if you want to transfer it to  
another person in your company. For example, the sales manager for the East Coast has left, and  
you were managing the services for his SonicWALL. However, another manager may have an  
immediate need for the SonicWALL, and requests that you transfer the appliance to him. To transfer  
a SonicWALL to another user, click Transfer in the Manage Product section.  
Enter the User Name of the new owner, and the e-mail address ID in the appropriate fields. Click  
Submit. A page is returned with the message that you’ve successfully transferred the SonicWALL to  
the new user.  
Also, an e-mail message is sent to both the old and new user as a notification that the appliance  
was transferred.  
Tip You can only transfer a SonicWALL to another registered user of mySonicWALL.com.  
Delete Product  
You can also delete a SonicWALL from your mySonicWALL.com user account. Click on the Friendly  
Name for the appliance, and then click Delete. A confirmation message appears in the next window,  
and you have successfully deleted a SonicWALL from your user account. You can add the SonicWALL  
back to your account at any time.  
Managing Services for SonicWALL Internet Security Appliances  
In the Applicable Services section of mySonicWALL.com, a list of installed and inactivated services  
for your SonicWALL is displayed.  
Activated services are indicated by the Installed icon with a green check mark.  
Inactive services are indicated by the Activate icon with a red arrow.  
Activated service names are also hyperlinked to an information page with Activation Status and the  
Expiration Date of the service. Services can also be renewed by clicking on the name, and entering  
the activation key into the Activation Key field.  
Activating Services Using mySonicWALL.com  
To activate a service such as Content Filter, use the following steps:  
1. Log into mySonicWALL.com using your username and password. Select the appliance to be  
upgraded with the Content Filter List subscription, and click the name.  
2. Click Activate next to Content Filter. The following screen appears with an Activation Key field,  
and a Terms and Conditions message.  
3. Enter the Activation Key into the Activation Key field, and select I have read and agreed to all of  
the above terms and conditions. Click Submit.  
4. The Content Filter List subscription is now active, and you can download the Content Filter List  
through your SonicWALL appliance.  
4 Configuring the TELE3 SP Modem Connection  
To improve the operational availability of networks and ensure fast recovery from network failures,  
the SonicWALL has the capability of using a modem to dial a secondary network connection for the  
WAN. In the event that the WAN Ethernet connection is lost or failing, the modem dials an ISP using  
a preconfigured profile preventing a lengthy interruption in active network connectivity.  
Alert Using the WAN failover feature may cause disruption of some features such as One-to-One  
NAT. See the SonicWALL TELE3 SP Administrator’s Manual for affected features.  
After configuring your computer on the LAN, you can configure the TELE3 SP modem connection for  
ISP failover or as a primary dial-up access port.  
Alert You cannot use the WAN failover feature if you have configured the TELE3 SP to use Standard  
mode in the Network section of the Management interface.  
Configuring the TELE3 SP WAN Failover Feature  
The TELE3 SP modem can be used as a failover option when your “always on” DSL or cable  
connection fails. The SonicWALL automatically detects the failure of the WAN connection and uses  
the parameters configured for the modem to establish another active connection.  
Alert The TELE3 SP modem can only dial out. Dialing into the internal modem is not supported.  
However, an external modem can be connected to the CLI port for remotely accessing the  
SonicWALL for out-of-band support.  
To access the modem configuration section of your SonicWALL, log onto the Management interface,  
and click Modem. There are two tabs used for modem configuration: Profiles and Configure.  
Configuring Modem Profiles  
You can configure modem profiles on the SonicWALL using your dial-up ISP information for the  
connection. Multiple modem profiles can be used when you have a different profile for individual  
ISPs. Click Profiles, and follow the instructions below to configure your Dial-up Configuration.  
Tip The SonicWALL supports a maximum of ten (10) configuration profiles.  
Dial-Up Configuration  
The current profile is displayed in the Current Profile field. You can select a profile from the menu to  
edit the configuration or create a new profile. To create a new profile, select Add New Profile from  
the menu, and enter a name for the profile in the Name field. You can use names such as Home,  
Office, or Traveling to distinguish different profiles from each other. After you have created a name  
for your dial-up configuration, you must configure the ISP settings in the dial-up ISP Settings section  
and the Location Settings section.  
ISP Settings  
To configure your ISP settings, you must obtain your Internet information from your dial-up Internet  
Service Provider. Use the information to configure the following dial-up ISP Settings:  
1. Enter the primary number used to dial your ISP in the Primary Phone Number field.  
Tip If a specific prefix is used to access an outside line, such as 9, &, or , , enter the number as part  
of the primary phone number.  
2. Enter the secondary number used to dial your ISP in the Secondary Phone Number field  
(optional).  
3. Enter your dial-up ISP user name in the User field.  
4. Enter the password provided by your dial-up ISP in the Password field.  
5. Confirm your dial-up ISP password in the Confirm field.  
6. In the IP address section, select Obtain Automatically if you do not have a permanent dial-up IP  
address from your ISP. If you have a permanent dial-up IP address from your ISP, select Specify  
and enter the IP address in the IP Address field.  
Alert Do not enter your broadband/high speed ISP information here. Enter only your dial-up Internet  
access information.  
7. If you obtain an IP address automatically for your DNS server(s), select Obtain Automatically. If  
your ISP has a specific IP address for the DNS server(s), select Specify and enter the IP address  
in the field. Alternatively, you can use your internal DNS server IP address or a specific DNS  
server IP address on the Internet.  
8. If your ISP has given you a script that runs when you access your ISP connection, cut and paste  
the script text in the Chat Script field. See the Information on Chat Scripts section at the end of  
this chapter for more information on using chat scripts.  
Location Settings  
Use this section to configure modem behavior on the TELE3 SP for WAN failover. The TELE3 SP has  
an autodetect feature that detects when the WAN Ethernet cable is physically disconnected from  
the TELE3 SP and automatically dials the ISP whether or not Enable WAN Failover is selected. You  
can override this feature by selecting Manual Dial for the modem behavior. There are three types of  
dial-up behavior:  
Persistent Connection - By selecting Persistent Connection, the modem dials automatically  
when a WAN connection fails. If the Primary Profile cannot connect, the modem uses the  
Secondary Profile to dial an ISP.  
Dial on Data - Using Dial on Data requires that outbound data is detected before the modem  
dials the ISP. Outbound data does not need to originate from computers on the LAN, but can  
also be packets generated by the SonicWALL TELE3 SP internal applications such as  
AutoUpdate and Anti-Virus. Also, if Enable WAN Failover is selected, the pings generated by the  
Probe can trigger the modem to dial when no WAN Ethernet connection is detected. If the  
Primary Profile cannot connect, the modem uses the Secondary Profile to dial an ISP.  
Page 62 SonicWALL Internet Security Appliance Administrator’s Guide  
Manual Dial - Selecting Manual Dial for a Primary Profile means that WAN Failover does not  
automatically occur. Manual Dial requires you to log into the SonicWALL, click Modem, then  
Configure. Click Connect and the modem uses the Primary Profile information to dial an ISP.  
Alert If you are configuring two dial-up profiles for WAN failover, the modem behavior should be the  
same for each profile. For example, if your Primary Profile uses Persistent Connection, your  
Secondary Profile should also use Persistent Connection.  
1. Select Persistent Connection if you want the modem connection to stay active until the WAN  
Ethernet connection is reactivated. If you want the modem to dial the ISP only when there is  
data to transmit, select Dial on Data. Select Manual Dial if the connection should be dialed only  
when you explicitly request it, for example when traveling with the SP.  
Alert If you enable Persistent Connection for the modem, the modem connection remains active  
until the WAN Ethernet connection is reactivated or you force disconnection by clicking Disconnect  
on the Configure page.  
2. Enter the number of minutes a dial-up connection is allowed to be inactive in the Inactivity  
Timeout (minutes) field. The default value is five (5) minutes.  
3. Select the connection speed from the Max Connection Speed (bps) menu.  
Auto is the default setting as the TELE3 SP automatically detects the connection speed when it  
connects to the ISP.  
4. Select Maximum Connection Time (minutes) if you want the connection terminated after a fixed  
time, and enter the number of minutes the connection is allowed to stay active. The value can  
range from 0 to 1440 minutes. This setting does not conflict with Inactivity Timeout: if both are  
configured, the connection is terminated by whichever timer expires first.  
5. If you select Maximum Connection Time (minutes), enter the number of minutes to wait before  
redialing the ISP in the Delay Before Reconnect field. The value can range from 0 to 1440; the  
default of 0 means the SonicWALL redials the ISP with no delay.  
6. Select Disable VPN when Dialed if you want the VPN Security Associations (SAs) disabled while  
the modem is connected to the ISP. Terminating the dial-up connection re-enables the VPN SAs.  
This is intended for sites that run their own point-to-point RAS network and want packets sent  
in the clear to their intranets. Leave it cleared otherwise: with the SAs disabled, traffic that the  
VPN would normally protect crosses the dial-up link unencrypted.  
7. If you have call waiting on your telephone line, you should disable it, or another call can interrupt  
your connection to your ISP. Select Disable Call Waiting and then select the command from the list.  
If you do not see your command listed, select Other, and enter the command in the field.  
8. If the phone number for your ISP is busy, you can configure the number of times that the  
SonicWALL modem attempts to connect in the Dial Retries per Phone Number field. The default  
value is zero (0).  
9. Enter the number of seconds between attempts to redial in the Delay Between Retries  
(seconds) field. The default value is five (5) seconds.  
10. Click Update to add the dial-up profile to the SonicWALL.  
TELE3 SP Modem Configuration  
The Configure tab allows you to enable the modem to provide secondary dial-up ISP connection  
support and configure the modem settings. There are two sections available: Modem Settings and  
Failover Settings.  
Modem Settings  
The Modem Settings section lets you select from a list of modem profiles, select the volume of the  
modem, and also configure AT commands for modem initialization. To configure the SonicWALL  
modem settings, follow these steps:  
1. Select the Primary Profile from the list of profiles that the SonicWALL uses to access the modem  
and dial the secondary connection. If you have enabled Manual Dial for the Primary Profile, the  
Secondary Profile is not used.  
2. Select the Secondary Profile from the list of profiles. If the Primary Profile cannot establish a  
connection, the SonicWALL uses the Secondary Profile to access the modem and establish a  
connection.  
3. Select the volume of the modem from the Speaker Volume menu. The default value is Medium.  
4. Select Initialize Modem For Use In and select the country from the drop down menu. United  
States is selected by default.  
5. If the modem uses AT commands to initialize, select Initialize Modem Using AT Commands.  
Enter any AT commands used for the modem in the AT Commands (for modem initialization)  
field. AT commands are instructions used to control a modem such as ATS7=30 (allow up to 30  
seconds to wait for dialtone), ATS8=2 (set the amount of time the modem pauses when it  
encounters a “,” in the string).  
Tip The default settings for the modem are generally sufficient for normal operation. The AT  
Commands (for modem initialization) box is provided for nonstandard situations.  
Primary Interface  
The SonicWALL TELE3 SP automatically detects if a WAN Ethernet connection exists when the  
SonicWALL is powered on. Because it can automatically detect the Ethernet connection, the Primary  
Interface is Ethernet.  
Failover Settings  
You can enable WAN failover for the SonicWALL by configuring settings in this section. Select Enable  
WAN Failover to use this feature on the SonicWALL. The Secondary Interface Setting defaults to  
Modem.  
Preempt Mode  
Select Preempt Mode if you want the TELE3 SP to re-establish the connection to the WAN Ethernet  
interface after a connection failure on the WAN Ethernet port.  
Probing on the TELE3 SP  
Probing for WAN connectivity occurs over the Ethernet connection, the dial-up connection, or both.  
When probing is disabled on the Ethernet link, the SP only performs link detection: if the Ethernet  
link is lost for 5-9 seconds, the SP considers the Ethernet connection unavailable, while a loss of  
0-4 seconds is ignored, so swapping cables quickly does not trigger an unnecessary WAN failover.  
If probing is enabled and the cable is unplugged, the 5-9 second link detection does not apply;  
instead, the probing rules apply to the connection using the parameters configured for Probe  
Interval and Failover Trigger Level (missed probes). If probing is enabled on Dial-up, the dial-up  
connection is terminated and re-established when probing fails over the modem.  
Use the following instructions to configure the Failover Settings:  
1. Select Enable WAN Failover.  
2. Select Enable Probing.  
3. Select an option from the Probe Through menu. Select Ethernet Only to probe the Ethernet WAN  
connection and failover to the modem when the connection is lost. Select Modem Only to probe  
a dial-up connection and have the modem redial when the dial-up connection is lost. Select  
Modem and Ethernet to enable both types of probing on the SP.  
4. Enter the IP address for the probe target in the Probe Target (IP Address) field. The Probe IP  
address is a static IP address on the WAN. If this field is left blank, or 0.0.0.0 is entered as the  
address, the Probe Target is the WAN Gateway IP address.  
Tip The probe is a ping sent to the IP address and is used, along with the response, as a method of  
determining Internet connectivity.  
5. In the Probe Interval (seconds) field, enter the amount of time between probes to the Probe  
Target. Five (5) seconds is the default value. To deactivate the Probe Detection feature, enter  
zero (0) as the value. In this case, the WAN Failover only occurs when loss of the physical WAN  
Ethernet connection occurs on the TELE3 SP.  
6. Enter a value for the number of successful probes required to reactivate the primary connection  
in the Successful Probes to Reactivate Primary field. The default value is five (5). By requiring a  
number of successful probes before the SonicWALL returns to its primary connection, you can  
prevent the SonicWALL from returning to the primary connection before the primary connection  
becomes stable.  
7. Enter the number of missed probes required for the WAN failover to occur in the Failover Trigger  
Level (missed probes) field.  
8. Enable Preempt Mode if you want the primary WAN Ethernet interface to take over from the  
secondary modem WAN interface when it becomes active after a failure. If you do not enable  
Preempt Mode, the secondary WAN modem interface remains active as the WAN interface until  
you click Disconnect.  
9. Click Update for the settings to take effect on the SonicWALL.  
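The failover decision the steps above describe, as an added example that is not SonicWALL's code: a small Python simulation of the probe counters, Preempt Mode and the link-detection threshold, driven by a constructed sequence of probe replies. It assumes that the Failover Trigger Level counts consecutive missed probes, that probes continue over the Ethernet path while the modem carries traffic, and a trigger level of 3 (the guide states no default for it); the probe interval and reactivation count are the guide's defaults.

```python
# Added example, not SonicWALL code: the WAN failover decision logic described in
# Failover Settings, driven by a constructed sequence of probe outcomes.
# Assumptions (not stated by the guide): the trigger counts consecutive missed
# probes, probes keep testing the Ethernet path while the modem is active, and
# the trigger level default of 3 is the editor's choice.
from dataclasses import dataclass, field


@dataclass
class FailoverConfig:
    probe_interval_s: int = 5   # Probe Interval (seconds); 0 turns probing off
    trigger_missed: int = 3     # Failover Trigger Level (missed probes), assumed
    reactivate_ok: int = 5      # Successful Probes to Reactivate Primary (default 5)
    preempt: bool = True        # Preempt Mode


@dataclass
class FailoverState:
    active: str = "ethernet"    # "ethernet" (primary) or "modem" (secondary)
    missed: int = 0             # consecutive missed probes while on Ethernet
    ok_streak: int = 0          # consecutive answered probes while on modem
    events: list = field(default_factory=list)


def link_loss_fails_over(seconds_down):
    """Link-detection rule used when probing is off: a link lost for 0-4 s is
    ignored (cable swap), 5 s or more makes the Ethernet connection unavailable."""
    return seconds_down >= 5


def apply_probe(cfg, st, t, reply_received):
    """Fold one probe result taken at time t (seconds) into the state."""
    if st.active == "ethernet":
        st.missed = 0 if reply_received else st.missed + 1
        if st.missed >= cfg.trigger_missed:
            st.active, st.missed, st.ok_streak = "modem", 0, 0
            st.events.append((t, "failover: Ethernet -> modem"))
    else:
        st.ok_streak = st.ok_streak + 1 if reply_received else 0
        if cfg.preempt and st.ok_streak >= cfg.reactivate_ok:
            st.active, st.ok_streak = "ethernet", 0
            st.events.append((t, "preempt: modem -> Ethernet"))
    return st


def disconnect(st, t):
    """Operator clicks Disconnect on the Configure page (the only way back when
    Preempt Mode is off): the modem is released and Ethernet carries the WAN again."""
    if st.active == "modem":
        st.active, st.ok_streak = "ethernet", 0
        st.events.append((t, "manual disconnect: modem -> Ethernet"))
    return st


def simulate(cfg, probe_results):
    """Run a list of probe outcomes (True = reply received) and return the state."""
    if cfg.probe_interval_s == 0:
        raise ValueError("probing is off; apply link_loss_fails_over() instead")
    st = FailoverState()
    for i, ok in enumerate(probe_results):
        apply_probe(cfg, st, i * cfg.probe_interval_s, ok)
    return st


if __name__ == "__main__":
    # Constructed outage: 3 answered probes, 4 missed, then a stable link again.
    outage = [True] * 3 + [False] * 4 + [True] * 6
    for t, what in simulate(FailoverConfig(), outage).events:
        print("t=%3ds  %s" % (t, what))      # failover at 25 s, preempt at 55 s
    sticky = simulate(FailoverConfig(preempt=False), outage)
    print("without Preempt Mode the WAN stays on", sticky.active, "until Disconnect")
```

With the defaults, failover happens 15 seconds after the first missed probe (three probes at 5-second intervals) and the primary is not trusted again until 25 seconds of uninterrupted replies; a link that flaps every couple of probes never reaches the trigger. Lowering the trigger level makes failover faster but also makes a single lost ping swing the WAN to the modem.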
Configuring a Modem Profile for Manual Dial-Up  
You can also use the modem to dial your ISP for Internet access without a broadband connection.  
If you’re traveling with your TELE3 SP, you can create profiles for each ISP configuration necessary  
for dial-up Internet access. To configure your modem for manual dial-up access, follow these steps:  
1. Log onto your Management station, and click Modem, then Profiles.  
2. Create a name for your profile and enter it in the Name field.  
ISP Settings  
1. Enter the primary number used to dial up the ISP in the Primary Phone Number field.  
Tip If a specific prefix is used to access an outside line, such as 9, enter the number as part of the  
phone number.  
2. Enter the secondary number used to dial your ISP in the Secondary Phone Number field  
(optional).  
3. Enter your ISP user name in the User field.  
4. Enter your ISP password in the Password field.  
5. Confirm your ISP password in the Confirm field.  
6. Select Obtain Automatically if you do not have a permanent IP address from your ISP. If you have  
a permanent IP address from your ISP, select Specify and enter the IP address in the IP Address  
field.  
7. If you obtain an IP address automatically for your DNS Server(s), select Obtain Automatically. If  
your dial-up ISP has a specific IP address for the DNS Server(s), select Specify and enter the IP  
address in the field.  
8. If your dial-up ISP has given you a script that runs when you access your dial-up ISP connection,  
cut and paste the script text in the Chat Script field. See the Information on Chat Scripts section  
at the end of this chapter for more information on using chat scripts.  
Location Settings  
1. Select Manual Dial to have the modem dial only when you click Connect on the Configure page.  
2. Enter the number of minutes the connection is allowed to be inactive in the Inactivity Timeout  
(minutes) field. The default value is five (5) minutes.  
3. Select the connection speed from the Max Connection Speed (bps) menu. Auto is the default  
setting.  
4. If you have call waiting on your telephone line, you should disable it or another call can interrupt  
your connection to your ISP. Select Disable Call Waiting and then select the command from the  
list. If you do not see your command listed, select Other, and enter the command in the field.  
5. Configure the number of times that the SonicWALL modem attempts to connect if the dial-up  
connection is busy in the Dial Retries per Phone Number field. The default value is zero (0).  
6. Enter the number of seconds between attempts to redial in the Delay Between Retries  
(seconds) field. The default value is five (5) seconds.  
7. Click Update to add the dial-up profile to the SonicWALL.  
Configure Modem Settings  
8. Select your manual dial-up profile as the Primary Profile.  
9. Select None as the Secondary Profile.  
10. Select the modem speaker volume from the Speaker Volume menu.  
11. Click Connect to dial your ISP. When the modem has connected to the ISP, the button text  
changes to Disconnect. To end the connection, click Disconnect. To dial-up manually, log onto  
the Management station, and click Modem. Click Configure, and then click Connect.  
If you attempt to dial your ISP while the WAN Ethernet connection is active, a warning message is  
displayed. Click OK to begin dialing the ISP, or Cancel to return to the current status.  
Configuring Your TELE3 SP in Modem Only Mode  
Configuring the Network Settings  
Follow these steps to configure your TELE3 SP to use only the modem for Internet access:  
1. When the Installation Wizard launches, follow the steps in your Quick Start Guide until the Set  
Your Password page appears. Enter and confirm your new password.  
Tip If you do not set a new password, the Installation Wizard relaunches when the SonicWALL is  
rebooted.  
2. Continue with the Installation Wizard. A warning message appears alerting you that no WAN  
connection was detected.  
3. Select Assigned you a single static IP address and click Next.  
4. The Use Network Address Translation window is displayed. Click Next.  
5. Leave the default values of 0.0.0.0 in the SonicWALL WAN IP Address field and the WAN  
Gateway (Router) Address field. Leave the default setting of 255.255.255.0 in the Subnet Mask  
field. If your dial-up ISP has given you DNS Server IP address(es), enter the address(es) in the  
DNS Server Address fields. If not, then leave the DNS Server Address fields blank.  
6. Leave the default values in the SonicWALL LAN IP address field and Subnet Mask field.  
7. If your TELE3 SP acts as the DHCP server on your network, select Enable DHCP Server and click  
Next. If not, click Next.  
8. Click Print this Page to print out the network settings of the TELE3 SP. Click Next.  
9. Click Restart to enable the network settings on the TELE3 SP.  
Configuring the Modem Settings  
After your TELE3 SP has restarted, log into it using the SonicWALL LAN IP address. Click Modem, and  
configure the dial-up connection settings by creating a Modem Profile on the TELE3 SP. Refer to the  
Modem configuration steps in the section “Configuring Modem Profiles” on page 61.  
Tested Internet Service Providers  
The following Internet Service Providers (ISPs) have been tested successfully with the TELE3 SP:  
ISP            Additional Chat Script Required?  
AT&T           No  
MSN            No  
Earthlink      No  
High Stream    No  
UUnet          No  
Status  
The Status tab displays dial-up connection information when the modem is active.  
Modem Status  
In the Modem Status section, the current active network information from your ISP is displayed  
when the modem is active:  
WAN Gateway (Router) Address  
WAN IP (NAT Public) Address  
WAN Subnet Mask  
DNS Server 1  
DNS Server 2  
DNS Server 3  
Current Active Dial-Up Profile (id)  
Current Connection Speed  
If the modem is inactive, the Status page displays a list of possible reasons that your modem is  
inactive. When the modem is active, the network settings from the ISP are used for WAN access. If  
you click General, then Network, a message is displayed reminding you that the modem is active  
and the current network settings are displayed on the Modem Status page.  
Chat Scripts  
Some legacy servers can require company-specific chat scripts for logging onto the dial-up servers.  
A chat script, like other types of scripts, automates the act of typing commands using a keyboard. It  
consists of commands and responses, made up of groups of expect-response pairs as well as  
additional control commands, used by the chat script interpreter on the TELE3 SP. The TELE3 SP  
uses a default chat script that works with most ISPs, but your ISP may require a chat script with  
specific commands to “chat” with their server. If an ISP requires a specific chat script, it is typically  
provided to you with your dial-up access information. The default chat script for the TELE3 SP has  
the following commands:  
ABORT 'NO DIALTONE'  
ABORT 'BUSY'  
ABORT 'NO CARRIER'  
"" ATQ0  
"" ATE0  
"" ATM1  
"" ATL0  
"" ATV1  
OK ATDT\T  
CONNECT \D \C  
The first three commands direct the chat script interpreter to abort if any of the strings “NO  
DIALTONE”, “BUSY”, or “NO CARRIER” is received from the modem.  
The next five lines pair an empty expect string ("" defines an empty string, so the interpreter waits  
for nothing) with an AT command sent to the modem: ATQ0 (return result codes), ATE0 (do not  
echo characters), ATM1 and ATL0 (speaker on until carrier is detected, at low volume), and ATV1  
(return verbose result codes).  
The next line has OK as the expected string: the interpreter waits for OK to be returned in  
response to the previous command, ATV1, before continuing the script. If OK is not returned within  
the default time period of 50 seconds, the chat interpreter aborts the script and the connection fails.  
If OK is received, the prefix and phone number of the selected dial-up account are dialed; the chat  
script interpreter replaces \T with the prefix and phone number of the dial-up account.  
In the last line of the script, CONNECT is the expected response from the remote modem. If the  
modems successfully connect, the TELE3 SP modem returns CONNECT. The \D adds a pause of  
one second to allow the server to start PPP authentication, and the \C ends the chat script without  
sending a carriage return to the modem. The TELE3 SP then attempts to establish a PPP  
(Point-to-Point Protocol) connection over the serial link. The PPP connection usually includes  
authentication of the user by PAP (Password Authentication Protocol) or CHAP (Challenge  
Handshake Authentication Protocol) from the PPP suite. Once a PPP connection is established, it  
looks like any other network interface.  
Custom Chat Scripts  
Custom chat scripts can be used when the ISP dial-up server does not use PAP or CHAP as an  
authentication protocol to control access. Instead, the ISP requires a user to log onto the dial-up  
server by prompting for a user name and password before establishing the PPP connection. For the  
most part, this type of server is part of the legacy systems rooted in the dumb terminal login  
architecture. Because these types of servers can prompt for a user name and password in a variety  
of ways or require subsequent commands to initiate the PPP connection, a Chat Script field is  
provided for you to enter a custom script.  
If a custom chat script is required by an ISP for establishing a connection, it is commonly found on  
their web site or provided with their dial-up access information. Sometimes the scripts can be found  
by using a search engine on the Internet and using the keywords, “chat script ppp Linux <ISP  
name>”.  
A custom chat script can look like the following script:  
ABORT 'NO CARRIER'  
ABORT 'NO DIALTONE'  
ABORT 'BUSY'  
"" ATQ0  
"" ATE0  
"" ATM1  
"" ATW2  
"" ATV1  
OK ATDT\T  
CONNECT ""  
sername: \L  
assword: \P  
Tip The first character of the Username: and Password: prompts is deliberately left out of the expect  
strings so that the match succeeds whether or not the server capitalizes them.  
The script looks a lot like the previous script with the exception of the commands at the end. The  
empty string ("") after CONNECT sends a carriage return to the server to prompt it for a login. The  
chat interpreter then waits for the substring sername:. When it is received, the current PPP account  
user name is sent in place of the \L control string. The interpreter then waits for the substring  
assword: and sends the PPP account password in place of \P. If either the sername: or assword:  
substring is not received within the timeout period, the chat interpreter aborts the dial-up process,  
resulting in a dial-up failure.  
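The default and custom scripts above, as an added example that is not SonicWALL's code: a minimal chat-script interpreter in Python, run against a simulated modem and a simulated legacy terminal-login server so that the expect/send pairs, ABORT strings, \T \L \P substitutions and the \D and \C controls can be traced. The simulated link, the dial-up account values and the "~PPP~" banner the server prints are constructed for this illustration; the TELE3 SP's real interpreter is not public, and this code follows only the behaviour the guide describes.

```python
# Added example, not SonicWALL code: a minimal chat-script interpreter run
# against a simulated modem and legacy login server, showing how expect/send
# pairs, ABORT strings and the \T \L \P \D \C controls behave. The link,
# account values and the "~PPP~" banner are constructed for this illustration.

class ChatAbort(Exception):
    """Raised when an ABORT string arrives or an expected string never does."""

# \T dial string, \L user name, \P password (as the guide describes them)
SUBST = {"T": "dial", "L": "user", "P": "password"}


def parse_chat_script(text):
    """One expect/send pair per line; "" or '' is the empty string."""
    aborts, pairs = [], []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("ABORT"):
            aborts.append(line[5:].strip().strip("'\""))
        else:
            expect, _, send = line.partition(" ")
            pairs.append((expect.strip("'\""), send.strip().strip("'\"")))
    return aborts, pairs


def expand_send(send, account):
    """Resolve controls: returns (text, \\D pause count, send carriage return?)."""
    out, pauses, want_cr, i = [], 0, True, 0
    while i < len(send):
        if send[i] == "\\" and i + 1 < len(send):
            ctl = send[i + 1].upper()
            if ctl == "D":
                pauses += 1                      # one-second pause before PPP
            elif ctl == "C":
                want_cr = False                  # end without a carriage return
            else:                                # \T \L \P, or an unknown control
                out.append(account[SUBST[ctl]] if ctl in SUBST else send[i:i + 2])
            i += 2
        else:
            out.append(send[i])
            i += 1
    return "".join(out).strip(), pauses, want_cr  # strip() leaves "\D \C" empty


class SimulatedLink:
    """Modem plus terminal-login server; line_state is the modem's reply to ATDT."""
    def __init__(self, line_state="CONNECT 33600", login_prompts=True):
        self.line_state, self.login_prompts = line_state, login_prompts
        self.sent, self.pending, self.stage, self.connected = [], "", 0, False
        self.user = self.password = None

    def write(self, data):
        self.sent.append(data)
        cmd = data.rstrip("\r")
        if not self.connected:
            if cmd.startswith("ATDT"):
                self.pending += self.line_state + "\r\n"
                self.connected = self.line_state.startswith("CONNECT")
            elif cmd.startswith("AT"):
                self.pending += "OK\r\n"
        elif self.login_prompts:
            if self.stage == 0 and cmd == "":    # a bare CR wakes the login server
                self.pending, self.stage = "Username: ", 1
            elif self.stage == 1:
                self.user, self.pending, self.stage = cmd, "Password: ", 2
            elif self.stage == 2:
                self.password, self.pending, self.stage = cmd, "~PPP~\r\n", 3

    def read(self):
        data, self.pending = self.pending, ""
        return data                              # "" means nothing more will arrive


def run_chat(script, account, link):
    """Drive link with script; returns total \\D pause seconds on success."""
    aborts, pairs = parse_chat_script(script)
    buf, pause_seconds = "", 0
    for expect, send in pairs:
        while expect not in buf:
            chunk = link.read()
            if not chunk:                        # stands in for the expect timeout
                raise ChatAbort("timed out waiting for %r" % expect)
            buf += chunk
            for word in aborts:
                if word in buf:
                    raise ChatAbort("modem reported %r" % word)
        buf = buf[buf.index(expect) + len(expect):]   # consume through the match
        text, pauses, want_cr = expand_send(send, account)
        pause_seconds += pauses
        if text or want_cr:
            link.write(text + ("\r" if want_cr else ""))
    return pause_seconds


DEFAULT_SCRIPT = "\n".join([
    "ABORT 'NO DIALTONE'", "ABORT 'BUSY'", "ABORT 'NO CARRIER'",
    '"" ATQ0', '"" ATE0', '"" ATM1', '"" ATL0', '"" ATV1',
    "OK ATDT\\T", "CONNECT \\D \\C"])
LEGACY_LOGIN_SCRIPT = DEFAULT_SCRIPT.replace(
    "CONNECT \\D \\C", 'CONNECT ""\nsername: \\L\nassword: \\P')
# constructed account: outside-line prefix 9 plus the ISP number
ACCOUNT = {"dial": "9" + "5551212", "user": "jdoe", "password": "s3cret"}
```

Running `run_chat(DEFAULT_SCRIPT, ACCOUNT, SimulatedLink())` sends the five AT commands, dials ATDT95551212 after the OK, and stops silently after CONNECT so PPP can take over; with `SimulatedLink(line_state="BUSY")` the same script raises ChatAbort as soon as BUSY is read. The legacy script adds the carriage return and the two prompt exchanges, and against a server that never prompts (`login_prompts=False`) it fails with the timeout the guide warns about.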
5 Managing Your SonicWALL Internet Security Appliance  
This chapter contains a brief overview of SonicWALL management commands and functions. The  
commands and functions are accessed through the SonicWALL Web Management Interface.  
You can manage the SonicWALL from any computer connected to the LAN port of the SonicWALL  
using a Web browser. The computer used for management is referred to as the “Management  
Station".  
1. Log into the SonicWALL using a Web browser.  
Alert To manage the SonicWALL, your Web browser must have Java and Java applets enabled and  
support HTTP uploads.  
2. Open a Web browser and type the SonicWALL IP address, initially "192.168.168.168", into the  
Location or Address field at the top of the browser. An Authentication window with a Password  
dialog box is displayed.  
3. Type “admin” in the User Name field and the password previously defined in the Installation  
Wizard in the Password field. Passwords are case-sensitive. Enter the password exactly as  
defined and click Login.  
Tip All SonicWALLs ship with the default User Name “admin” and the default Password  
“password”. Set a new password in the Installation Wizard before connecting the unit to a  
network; a unit still using the default password can be reconfigured by anyone who can reach its  
management address.  
If you cannot log into the SonicWALL, your browser may be displaying a cached copy of the page  
instead of the current one. Click Reload or Refresh on the Web browser and try again. Also, be sure  
to wait until the Java applet has finished loading before attempting to log in.  
Once the password is entered, an authenticated management session is established. This session  
times out after 5 minutes of inactivity. The default time-out can be increased on the Password  
window in the General section.  
HTTPS Management  
The SonicWALL family of Internet Security Appliances supports HTTPS Management using Secure  
Socket Layer (SSL). HTTPS Management allows secure access to the SonicWALL without a VPN  
client. It is a simple and secure way to manage your SonicWALL from both the LAN and the WAN.  
You log into the SonicWALL Management interface using https://IP Address where the IP address  
is the SonicWALL LAN IP address. For example, if the LAN IP address of your SonicWALL appliance  
is 192.168.168.1, you can log into it by typing https://192.168.168.1. Access is encrypted using  
SSL technology for a secure connection.  
The first time you access the SonicWALL Management interface using HTTPS, your browser may  
display a security information message about the connection. Click Yes to continue the login  
process. SSL is supported by Netscape 4.7 and higher, as well as Internet Explorer 5.5 and higher.  
HTTPS management supports the following protocol versions: SSLv2, SSLv3, and TLSv1. The  
following cipher suites are supported: RC4-MD5, EXP-RC4-MD5, DES-CBC3-SHA, DES-CBC-SHA,  
RC4-SHA, EXP-RC2-CBC-MD5, NULL-SHA, and NULL-MD5. The RSA key used is 1024-bit. Note  
that the NULL-SHA and NULL-MD5 suites authenticate the session but do not encrypt it, the EXP-  
suites are limited to 40-bit export keys, and DES-CBC-SHA uses a 56-bit key; configure the  
management station's browser to refuse these suites, and SSLv2, so that a management session  
is never negotiated at that strength.  
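As an added check that is not part of the guide: the suite names above follow the OpenSSL naming convention, and the following Python classifies each of them by bulk cipher and effective key length so that a practitioner can derive the subset a management browser or scanner should accept. The key strengths, the verdicts and the ADVERTISED list's ordering are the editor's, not SonicWALL's.

```python
# Added example, not SonicWALL code: classify the cipher suites the appliance
# advertises, using the OpenSSL suite-naming convention (EXP- prefix = export
# grade, NULL = no bulk cipher), so a management browser can be restricted to
# the suites that actually encrypt. Key strengths and verdicts are the editor's.
import re

ADVERTISED = ["RC4-MD5", "EXP-RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA",
              "RC4-SHA", "EXP-RC2-CBC-MD5", "NULL-SHA", "NULL-MD5"]

# Effective key bits of the bulk cipher named in a non-export suite.
CIPHER_BITS = {"NULL": 0, "DES-CBC": 56, "DES-CBC3": 112, "RC4": 128, "RC2-CBC": 128}
NAME = re.compile(r"(EXP-)?(NULL|DES-CBC3|DES-CBC|RC4|RC2-CBC)-(MD5|SHA)$")


def classify(suite):
    """Return (cipher, key_bits, mac, reasons_to_reject) for an OpenSSL-style name."""
    m = NAME.match(suite)
    if not m:
        raise ValueError("unrecognised suite name: %s" % suite)
    export, cipher, mac = m.groups()
    bits = 40 if export else CIPHER_BITS[cipher]     # export suites use 40-bit keys
    reasons = []
    if bits == 0:
        reasons.append("no encryption, integrity only (%s)" % mac)
    elif bits < 112:
        reasons.append("%d-bit key is within brute-force reach" % bits)
    if cipher == "RC4":
        reasons.append("RC4 keystream biases; prohibited for TLS by RFC 7465")
    if mac == "MD5":
        reasons.append("MD5-based MAC is deprecated")
    return cipher, bits, mac, reasons


def acceptable(suites, min_bits=112, allow_rc4=False):
    """Suites that encrypt at or above min_bits, strongest first, SHA MAC preferred."""
    keep = []
    for suite in suites:
        cipher, bits, mac, _ = classify(suite)
        if bits >= min_bits and (allow_rc4 or cipher != "RC4"):
            keep.append((bits, mac == "SHA", suite))
    return [suite for _, _, suite in sorted(keep, reverse=True)]


def openssl_cipher_string(suites):
    """Cipher list in preference order with the weak classes excluded explicitly,
    for any OpenSSL-based client or scanner that accepts a cipher string."""
    return ":".join(list(suites) + ["!NULL", "!EXPORT", "!DES", "!RC4", "!MD5"])


if __name__ == "__main__":
    for suite in ADVERTISED:
        cipher, bits, mac, reasons = classify(suite)
        print("%-16s %3d-bit %s" % (suite, bits, "; ".join(reasons) or "ok"))
    print("accept only:", openssl_cipher_string(acceptable(ADVERTISED)))
```

Of the eight suites the appliance offers, only DES-CBC3-SHA survives a 112-bit floor without RC4; passing `allow_rc4=True` reflects the 2002-era view in which RC4-SHA was the preferred choice, which is why the function takes it as an explicit decision rather than a default.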
Status  
The Status window, displays the status of your SonicWALL. It contains an overview of the SonicWALL  
configuration, as well as any important messages. Check the Status window after making changes  
to ensure that the SonicWALL is configured properly.  
To view the Status tab, log into your SonicWALL using your Web browser. Click General and then click  
the Status tab to display the Status window.  
Note: The Status window displays the unique characteristics of the SonicWALL Internet Security  
Appliance, such as the presence of VPN acceleration hardware or the amount of memory installed, so  
your Status window will differ from the one shown in this guide depending on your model and settings.  
The Status tab displays the following information:  
SonicWALL Serial Number - the serial number of the SonicWALL unit.  
Number of LAN IP addresses allowed with this license - number of IP addresses that can be  
managed by the SonicWALL  
Registration code - the registration code generated when the SonicWALL is registered at  
http://www.mysonicwall.com.  
SonicWALL Active time - the length of time in days, hours and minutes that the SonicWALL is  
active.  
Firmware version - shows the current version number of the firmware installed on the SonicWALL.  
ROM version - indicates the version number of the ROM.  
CPU - displays the type and speed of the SonicWALL processor.  
VPN Hardware Accelerator Detected - indicates the presence of a VPN Hardware  
Accelerator in the firewall. This allows better throughput for VPN connections.  
RAM - shows the amount of Random Access Memory on the board.  
Flash - indicates the size of the flash on the board.  
Ethernet Speeds - displays network speeds of the network card.  
Current Connections - number of computers connected to the SonicWALL.  
Other SonicWALL general status information is displayed in this section relating to other features in  
the SonicWALL such as the type of network settings in use, log settings, content filter use, and if  
Stealth Mode is enabled on the SonicWALL.  
The General, Log, Filter, Tools, Access, Advanced, DHCP, VPN, Anti-Virus, and High Availability  
buttons appear on the left side of the window. When one of the buttons is clicked, related  
management functions are selected by clicking the tabs at the top of the window.  
A Logout button at the bottom of the screen terminates the management session and redisplays the  
Authentication window. After you click Logout, you must log in again to manage the SonicWALL.  
Online help is also available: click Help at the top of any browser window to view the help files  
stored on the SonicWALL.  
CLI Support and Remote Management  
Out-of-band management is available on SonicWALL Internet Security Appliances using the CLI  
(Command Line Interface) feature. SonicWALL Internet Security Appliances can be managed from a  
console using typed commands and a modem or null-modem cable that is connected to the serial  
port located on the back of the SonicWALL appliance. The only modem currently supported is the US  
Robotics v.90/v.92 modem. CLI communication requires the following modem settings:  
9600 bps  
8 bits  
no parity  
no hand-shaking  
After the modem is accessed, a terminal emulator such as HyperTerminal is used to manage the  
SonicWALL Internet Security Appliance. Once the SonicWALL is accessed, type the User Name and  
password: admin for the User Name, and then the password used for the management interface.  
The following CLI commands are available for the SonicWALL:  
? or Help - displays a listing of the top level commands available.  
Export - exports preferences from the SonicWALL using the Z-modem file transfer protocol.  
Import - imports preferences to the SonicWALL using the Z-modem file transfer protocol.  
Logout - logout of the SonicWALL appliance.  
Ping - pings either an IP address or domain name for a specified host.  
Restart - restart the SonicWALL  
Restore - restores the factory default settings for all saved parameters with the exception of the  
password, the LAN IP address, and the subnet mask.  
Status - displays the information typically seen on the Web management interface tab labeled  
General.  
TSR - retrieves a copy of the tech support report using Z-modem file transfer protocol.  
6 General and Network Settings  
This chapter describes the tabs in the General section and the configuration of the SonicWALL  
Internet Security Appliance Network Settings. The Network Settings include the SonicWALL IP  
settings, the administrator password, and the time and date. There are three tabs other than  
Status in the General section:  
Network  
Time  
Administrator  
Network Settings  
To configure the SonicWALL Network Settings, click General, and then click the Network tab.  
Network Addressing Mode  
The Network Addressing Mode menu determines the network address scheme of your SonicWALL.  
It includes six options: Standard, NAT Enabled, NAT with DHCP Client, NAT with PPPoE, NAT with  
L2TP Client, and NAT with PPTP Client.  
Standard mode requires valid IP addresses for all computers on your network, but allows remote  
access to authenticated users.  
NAT Enabled mode translates the private IP addresses on the network to the single, valid IP  
address of the SonicWALL. Select NAT Enabled if your ISP assigned you only one or two valid IP  
addresses.  
NAT with DHCP Client mode configures the SonicWALL to request IP settings from a DHCP server  
on the Internet. NAT with DHCP Client is a typical network addressing mode for cable and DSL  
customers.  
NAT with PPPoE mode uses PPPoE to connect to the Internet. If desktop software and a user  
name and password is required by your ISP, select NAT with PPPoE.  
NAT with L2TP Client mode uses IPSec to connect to an L2TP server and encrypts all data  
transmitted from the client to that server. It does not encrypt network traffic to other  
destinations.  
NAT with PPTP Client mode uses the Point to Point Tunneling Protocol (PPTP) to connect to a  
remote server. It supports older Microsoft implementations that require tunneling connectivity.  
LAN Settings  
SonicWALL LAN IP Address  
The SonicWALL LAN IP Address is the IP address assigned to the SonicWALL LAN port. It is used  
for managing the SonicWALL. This IP address should be a unique address from the LAN address  
range.  
LAN Subnet Mask  
The LAN Subnet Mask defines which IP addresses are on the LAN. The default Class C subnet  
mask of "255.255.255.0" supports up to 254 IP addresses on the LAN. If the Class C subnet  
mask is used, all local area network addresses should contain the same first three numbers as  
the SonicWALL LAN IP Address--for example, "192.168.168."  
Multiple LAN Subnet Mask Support  
Alert This feature does not replace or substitute configuring routes with the Routes tab in the  
Advanced section of the SonicWALL. If you have to define a subnet on the other side of a router, you  
must define a static route using the Routes tab in the Advanced section.  
Multiple LAN Subnet Mask Support facilitates the support of legacy networks incorporating the  
SonicWALL, and makes it easier to add additional nodes if the original subnet is full. Before you can  
configure multiple local LAN subnets in the SonicWALL, you must have the following information:  
Network Gateway Address - This is an IP address assigned to the SonicWALL in addition to the  
existing LAN IP address. If you have configured your SonicWALL in Standard mode, the IP  
address should be the Default Gateway IP address assigned to your Internet router on the same  
subnet. All users on the subnet you are configuring must use this IP address as their default  
router/gateway address.  
Subnet Mask - This value defines the size, and based upon the Network Gateway entry, the  
scope of the subnet. If you are configuring a subnet mask that currently exists on the LAN, enter  
the existing subnet mask address into the Subnet Mask field. If you are configuring a new subnet  
mask, use a subnet mask that does not overlap any previously defined subnet masks.  
Alert The SonicWALL cannot be managed from any of the additional Network Gateway addresses.  
You must use the IP address set as the LAN IP address of the SonicWALL. Also, you cannot mix  
Standard and NAT subnets behind the SonicWALL.  
WAN Settings  
WAN Gateway (Router) Address  
The WAN Gateway (Router) Address is the IP address of the WAN router or default gateway that  
connects your network to the Internet. If you use Cable or DSL, your WAN router is typically  
located at your ISP. If you use a router located at your site, use the IP address assigned to it.  
If you select NAT with DHCP Client or NAT with PPPoE mode, the WAN Gateway (Router) Address  
is assigned automatically.  
SonicWALL WAN IP Address  
The SonicWALL WAN IP Address is a valid IP address assigned to the WAN port of the  
SonicWALL. This address should be assigned by your ISP.  
If you select NAT Enabled mode, this is the only address seen by users on the Internet and all  
activity appears to originate from this address.  
If you select NAT with DHCP Client, NAT with PPPoE, NAT with L2TP Client, or NAT with PPTP  
Client mode, the SonicWALL WAN IP address is assigned automatically.  
If you select Standard mode, the SonicWALL WAN IP Address is the same as the SonicWALL LAN  
IP Address.  
WAN/LAN Subnet Mask  
The WAN/LAN Subnet Mask determines which IP addresses are located on the WAN. This  
subnet mask should be assigned by your ISP.  
If you select NAT with DHCP Client, NAT with PPPoE, NAT with L2TP Client, or NAT with PPTP  
Client mode, the WAN/LAN Subnet Mask is assigned automatically.  
If you select Standard mode, the WAN/LAN Subnet Mask is the same as the LAN Subnet Mask.  
DNS Settings  
DNS Servers  
DNS Servers, or Domain Name System Servers, are used by the SonicWALL for diagnostic tests  
with the DNS Lookup Tool, and for upgrade and registration functionality. DNS Server addresses  
should be assigned by your ISP.  
If you select NAT with DHCP Client, NAT with PPPoE, NAT with L2TP Client, or NAT with PPTP  
Client mode, the DNS Server addresses are assigned automatically.  
Alert Enable and configure the SonicWALL DHCP server or manually configure client DNS settings  
to obtain DNS name resolution.  
Standard Configuration  
If your ISP provided you with enough IP addresses for all the computers and network devices on your  
LAN, enable Standard mode.  
To configure Standard addressing mode, complete the following instructions:  
1. Select Standard from the Network Addressing Mode menu. Because NAT is disabled, you must  
assign valid IP addresses to all computers and network devices on your LAN.  
2. Enter a unique, valid IP address from your LAN address range in the SonicWALL LAN IP Address  
field. The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used  
for management of the SonicWALL.  
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your  
SonicWALL which IP addresses are on your LAN. The default value, "255.255.255.0", supports  
up to 254 IP addresses.  
4. Enter your WAN router or default gateway address in the WAN Gateway (Router) Address field.  
Your router is the device that connects your network to the Internet. If you use Cable or DSL,  
your WAN router is typically located at your ISP. If you use a router located at your site, use the  
IP address assigned to it.  
5. Enter your DNS server IP address(es) in the DNS Servers field. The SonicWALL uses the DNS  
servers for diagnostic tests and for upgrade and registration functionality.  
6. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window. Restart the SonicWALL for these changes to  
take effect.  
NAT Enabled Configuration  
Network Address Translation (NAT) connects your entire network to the Internet using a single IP  
address. Network Address Translation offers the following:  
Internet access to additional computers on the LAN. Multiple computers can access the Internet  
even if your ISP only assigned one or two valid IP addresses to your network.  
Additional security and anonymity because your LAN IP addresses are invisible to the outside  
world.  
If your ISP hasn't provided enough IP addresses for all machines on your LAN, enable NAT and assign  
your network a private IP address range. You should use addresses from one of the following  
address ranges on your private network:  
10.0.0.0 - 10.255.255.255  
172.16.0.0 - 172.31.255.255  
192.168.0.0 - 192.168.255.255  
Tip If your network address range uses valid TCP/IP addresses, Internet sites within that range are  
not accessible from the LAN. For example, if you assign the address range 199.2.23.1 -  
199.2.23.255 to your LAN, a Web server on the Internet with the address of 199.2.23.20 is not  
accessible.  
When NAT is enabled, users on the Internet cannot access machines on the LAN unless they have  
been designated as Public LAN Servers.  
To enable Network Address Translation (NAT), complete the following instructions.  
1. Select NAT Enabled from the Network Addressing Mode menu in the Network window.  
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field.  
The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for  
management of the SonicWALL.  
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells the  
SonicWALL which IP addresses are on your LAN. Use the default value, "255.255.255.0", if  
there are fewer than 254 computers on your LAN.  
4. Enter your WAN router or default gateway address in the WAN Gateway (Router) Address field.  
This is the device that connects your network to the Internet. If you use Cable or DSL, your WAN  
router is probably located at your ISP. If you use a router located at your site, use the IP address  
assigned to it.  
5. Enter a valid IP address assigned by your ISP in the SonicWALL WAN IP (NAT Public) Address  
field. Because NAT is enabled, all network activity appears to originate from this address.  
6. Enter your WAN subnet mask in the WAN/LAN Subnet Mask field. This subnet mask should be  
assigned by your ISP.  
7. Enter your DNS server IP address(es) in the DNS Servers field. The SonicWALL uses these DNS  
servers for diagnostic tests and for upgrade and registration functionality.  
8. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window. Restart the SonicWALL for these changes to  
take effect.  
If you enable Network Address Translation, designate the SonicWALL LAN IP Address as the gateway  
address for computers on your LAN. Consider the following example:  
The SonicWALL WAN Gateway (Router) Address is "10.1.1.1".  
The SonicWALL WAN IP (NAT Public) Address is "10.1.1.25".  
The private SonicWALL LAN IP Address is "192.168.168.1".  
Computers on the LAN have private IP addresses ranging from "192.168.168.2" to  
"192.168.168.255".  
In this example, "192.168.168.1", the SonicWALL LAN IP Address, is used as the gateway or router  
address for all computers on the LAN.  
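The following is an added example written for this page, not SonicWALL code. It turns two of the hand-checked rules from this chapter into Python checks using only the standard `ipaddress` module: the Multiple LAN Subnet Mask Support requirement that each additional Network Gateway be a usable host in its subnet and that subnets not overlap, and the NAT Enabled tip that a LAN using public addresses makes Internet hosts in that range unreachable (the 199.2.23.x case). The addresses used are the guide's own or constructed for the demonstration.

```python
"""Address-plan checks for the LAN rules in this chapter (illustration only)."""
import ipaddress
from typing import List, Tuple

# The three private ranges the guide lists for NAT-enabled LANs, in CIDR form.
PRIVATE_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def lan_subnet(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build the subnet from an address and a dotted-decimal subnet mask."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def check_additional_subnets(lan_ip: str, lan_mask: str,
                             additional: List[Tuple[str, str]]) -> List[str]:
    """Validate (Network Gateway, Subnet Mask) pairs for Multiple LAN Subnet Mask Support.

    Returns a list of problem descriptions; an empty list means every gateway is a
    usable host address in its own subnet and no subnet overlaps the primary LAN
    subnet or another additional subnet, as the guide requires.
    """
    problems: List[str] = []
    primary = lan_subnet(lan_ip, lan_mask)
    known = [("primary LAN subnet", primary)]
    for gateway, mask in additional:
        net = lan_subnet(gateway, mask)
        gw = ipaddress.ip_address(gateway)
        # Users point their default route at this address, so it must be a host address.
        if gw in (net.network_address, net.broadcast_address):
            problems.append(f"gateway {gateway} is the network or broadcast address of {net}")
        for label, other in known:
            if net.overlaps(other):
                problems.append(f"subnet {net} overlaps the {label} {other}")
        known.append((f"additional subnet for gateway {gateway}", net))
    return problems


def is_private_lan(lan_ip: str, lan_mask: str) -> bool:
    """True if the whole LAN subnet lies inside one of the guide's private ranges."""
    net = lan_subnet(lan_ip, lan_mask)
    return any(net.subnet_of(private) for private in PRIVATE_RANGES)


def shadowed_by_lan(lan_ip: str, lan_mask: str, internet_host: str) -> bool:
    """True if internet_host falls inside the LAN range and so cannot be reached from the LAN."""
    return ipaddress.ip_address(internet_host) in lan_subnet(lan_ip, lan_mask)


if __name__ == "__main__":
    # The guide's NAT example: private LAN 192.168.168.1 / 255.255.255.0.
    print(is_private_lan("192.168.168.1", "255.255.255.0"))                # True
    # The guide's Tip: a public LAN range hides the Web server at 199.2.23.20.
    print(shadowed_by_lan("199.2.23.1", "255.255.255.0", "199.2.23.20"))   # True
    # Constructed plan: the second additional subnet sits inside the first.
    print(check_additional_subnets("192.168.168.1", "255.255.255.0",
                                   [("192.168.170.1", "255.255.255.0"),
                                    ("192.168.170.129", "255.255.255.128")]))
```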
NAT with DHCP Client Configuration  
The SonicWALL can receive an IP address from a DHCP server on the Internet. If your ISP did not  
provide you with a valid IP address, and instructed you to set your network settings to obtain an IP  
address automatically, enable NAT with DHCP Client. This mode is typically used with Cable and DSL  
connections.  
To obtain IP settings dynamically, complete the following instructions.  
1. Select NAT with DHCP Client from the Network Addressing Mode menu.  
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field.  
The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for  
management of the SonicWALL.  
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your  
SonicWALL which IP addresses are on your LAN. The default value, "255.255.255.0", supports  
up to 254 IP addresses.  
4. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window. Restart the SonicWALL for these changes to  
take effect.  
Alert! When NAT is enabled, designate the SonicWALL LAN IP Address as the gateway address for  
computers on the LAN.  
When your SonicWALL has successfully received a DHCP lease, the Network window displays the  
SonicWALL WAN IP settings.  
The Lease Expires value shows when your DHCP lease expires.  
The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT Public) Address, WAN/LAN  
Subnet Mask, and DNS Servers are obtained from a DHCP server on the Internet.  
Alert Enable and configure the SonicWALL DHCP server or manually configure client DNS settings  
to obtain DNS name resolution.  
In the WAN/LAN Settings section of Network, you can Renew and Release the SonicWALL WAN IP  
(NAT Public) Address lease. When you click on Renew, the SonicWALL renews the IP address used  
for the WAN IP address. Click Release, and the lease is released with the DHCP server.  
NAT with PPPoE Configuration  
The SonicWALL can use Point-to-Point Protocol over Ethernet (PPPoE) to connect to the Internet. If  
your ISP requires the installation of desktop software and user name and password authentication  
to access the Internet, enable NAT with PPPoE.  
To configure NAT with PPPoE, complete the following instructions.  
1. Select NAT with PPPoE from the Network Addressing Mode menu.  
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field.  
The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used  
for management of the SonicWALL.  
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your  
SonicWALL which IP addresses are on your LAN. Use the default value, "255.255.255.0", if  
there are fewer than 254 computers on your LAN.  
4. Enter the user name provided by your ISP in the User Name field. The user name identifies the  
PPPoE client.  
5. Enter the password provided by your ISP in the Password field. The password authenticates the  
PPPoE session. This field is case sensitive.  
6. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect the  
PPPoE connection after a specified period of inactivity. Define a maximum number of minutes  
of inactivity in the Minutes field. This value can range from 1 to 99 minutes.  
7. In the WAN/LAN section, select Obtain an IP Address Automatically if your ISP does not provide  
a static IP address. Select Use the following IP Address if your ISP assigns a specific IP address  
to you.  
8. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window. Restart the SonicWALL for these changes to  
take effect.  
Alert When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for  
computers on the LAN.  
When your SonicWALL has successfully established a PPPoE connection, the Network page displays  
the SonicWALL WAN IP settings. The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT  
Public) Address, WAN/LAN Subnet Mask, and DNS Servers are displayed.  
Alert Enable and configure the SonicWALL DHCP server or manually configure client DNS settings  
to obtain DNS name resolution.  
Restarting the SonicWALL  
Once the network settings have been updated, the Status bar at the bottom of the browser window  
displays "Restart SonicWALL for changes to take effect." Restart the SonicWALL by clicking Restart.  
Then click Yes to confirm the restart and send the restart command to the SonicWALL. The restart  
can take up to 90 seconds, during which time the SonicWALL is inaccessible and all network traffic  
through the SonicWALL is halted.  
Alert If you change the SonicWALL LAN IP Address, you must change the Management Station IP  
address to be in the same subnet as the new LAN IP address.  
NAT with L2TP Client Configuration  
The SonicWALL can use L2TP over Ethernet to connect to an L2TP server.  
To configure NAT with L2TP Client, complete the following instructions.  
1. Select NAT with L2TP Client from the Network Addressing Mode menu.  
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field.  
The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used  
for management of the SonicWALL.  
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your  
SonicWALL which IP addresses are on your LAN. Use the default value, "255.255.255.0", if  
there are fewer than 254 computers on your LAN.  
4. If you obtain a WAN IP address from the L2TP server, select Obtain an IP address using DHCP.  
If you have WAN IP address information, select Use the specified IP address, and enter your  
WAN information in the WAN Gateway(Router) Address, SonicWALL WAN IP (NAT Public)  
Address, and WAN Subnet Mask fields.  
5. Enter the DNS server IP address in the DNS Server 1 field.  
6. Enter the L2TP server host name in the L2TP Host Name field.  
7. Enter the IP address of the L2TP server in the L2TP Server IP Address field.  
8. Enter your user name and password in the User Name and User Password fields.  
9. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect the  
L2TP connection after a specified period of inactivity. Define a maximum number of minutes of  
inactivity in the Minutes field. This value can range from 1 to 99 minutes.  
10. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window. Restart the SonicWALL for these changes to  
take effect.  
Alert When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for  
computers on the LAN.  
When your SonicWALL has successfully established an L2TP connection, the Network page displays  
the SonicWALL WAN IP settings. The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT  
Public) Address, WAN/LAN Subnet Mask, and DNS Servers are displayed.  
Alert Enable and configure the SonicWALL DHCP server or manually configure client DNS settings  
to obtain DNS name resolution.  
Restarting the SonicWALL  
Once the network settings have been updated, the Status bar at the bottom of the browser window  
displays "Restart SonicWALL for changes to take effect." Restart the SonicWALL by clicking Restart.  
Then click Yes to confirm the restart and send the restart command to the SonicWALL. The restart  
can take up to 90 seconds, during which time the SonicWALL is inaccessible and all network traffic  
through the SonicWALL is halted.  
Alert! If you change the SonicWALL LAN IP Address, you must change the Management Station  
IP address to be in the same subnet as the new LAN IP address.  
NAT with PPTP Client Configuration  
The SonicWALL can use Point-to-Point Tunneling Protocol over Ethernet to connect to a PPTP server.  
This option supports older network implementations requiring tunneling support.  
To configure NAT with PPTP Client, complete the following instructions.  
1. Select NAT with PPTP Client from the Network Addressing Mode menu.  
2. Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field.  
The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN port and is used  
for management of the SonicWALL.  
3. Enter your network subnet mask in the LAN Subnet Mask field. The LAN Subnet Mask tells your  
SonicWALL which IP addresses are on your LAN. Use the default value, "255.255.255.0", if  
there are fewer than 254 computers on your LAN.  
4. If you obtain a WAN IP address from the PPTP server, select Obtain an IP address using DHCP.  
If you have WAN IP address information, select Use the specified IP address, and enter your  
WAN information in the WAN Gateway(Router) Address, SonicWALL WAN IP (NAT Public)  
Address, and WAN Subnet Mask fields.  
5. Enter the DNS server IP address in the DNS Server 1 field.  
6. Enter the PPTP server host name in the PPTP Host Name field.  
7. Enter the IP address of the PPTP server in the PPTP Server IP Address field.  
8. Enter your user name and password in the User Name and User Password fields.  
9. Select the Disconnect after __ Minutes of Inactivity check box to automatically disconnect the  
PPTP connection after a specified period of inactivity. Define a maximum number of minutes of  
inactivity in the Minutes field. This value can range from 1 to 99 minutes.  
10. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window. Restart the SonicWALL for these changes to  
take effect.  
Alert When NAT is enabled, the SonicWALL LAN IP Address is used as the gateway address for  
computers on the LAN.  
When your SonicWALL has successfully established a PPTP connection, the Network page displays  
the SonicWALL WAN IP settings. The WAN Gateway (Router) Address, SonicWALL WAN IP (NAT  
Public) Address, WAN/LAN Subnet Mask, and DNS Servers are displayed.  
Alert Enable and configure the SonicWALL DHCP server or manually configure client DNS settings  
to obtain DNS name resolution.  
Restarting the SonicWALL  
Once the network settings have been updated, the Status bar at the bottom of the browser window  
displays "Restart SonicWALL for changes to take effect." Restart the SonicWALL by clicking Restart.  
Then click Yes to confirm the restart and send the restart command to the SonicWALL. The restart  
can take up to 90 seconds, during which time the SonicWALL is inaccessible and all network traffic  
through the SonicWALL is halted.  
Alert If you change the SonicWALL LAN IP Address, you must change the Management Station IP  
address to be in the same subnet as the new LAN IP address.  
Setting the Time and Date  
The SonicWALL uses the time and date settings to time stamp log events, to automatically update  
the Content Filter List, and for other internal purposes.  
1. Click the Time tab.  
2. Select your time zone from the Time Zone menu.  
3. Click Update to add the information to the SonicWALL.  
You can also enable automatic adjustments for daylight savings time, use universal time (UTC)  
rather than local time, and display the date in International format, with the day preceding the  
month.  
To set the time and date manually, clear the check boxes and enter the time (in 24-hour format) and  
the date.  
NTP Settings  
Network Time Protocol (NTP) is a protocol used to synchronize computer clock times in a network of  
computers. NTP uses Coordinated Universal Time (UTC) to synchronize computer clock times to a  
millisecond, and sometimes to a fraction of a millisecond. Select Use NTP to set time automatically  
if you want to use your local server to set the SonicWALL clock. You can also set the Update Interval  
for the NTP server to synchronize the time in the SonicWALL. The default value is 60 minutes. You  
can add NTP servers to the SonicWALL for time synchronization by entering in the IP address of an  
NTP server in the Add NTP Server field. If there are no NTP Servers in the list, the internal NTP list is  
used by default. To remove an NTP server, highlight the IP address and click Delete NTP Server.  
When you have configured the Time window, click Update. Once the SonicWALL has been updated,  
a message confirming the update is displayed at the bottom of the browser window.  
Configuring the Administrator Settings  
The Password tab is now the Administrator tab. In this section, you can configure a new  
administrator name, an administrator password, inactivity timeout, and login failure handling.  
Administrator Name  
The Administrator Name can be changed from the default setting of admin to any word using  
alphanumeric characters up to 30 characters in length. To create a new administrator name, enter  
the new name in the Administrator Name field. Click Update for the changes to take effect on the  
SonicWALL.  
Change the Administrator Password  
To set the password, enter the old password in the Old Password field, and the new password in the  
New Password field. Enter the new password again in the Confirm New Password field and click  
Update. Once the SonicWALL has been updated, a message confirming the update is displayed at  
the bottom of the browser window.  
Tip When setting the password for the first time, remember that the SonicWALL default password  
is “password”.  
If the password is not entered exactly the same in both New Password fields, the password is not  
changed. If you mistype the password, you are not locked out of the SonicWALL.  
Alert The password cannot be recovered if it is lost or forgotten. If the password is lost, you must  
reset the SonicWALL to its factory default state.  
Setting the Administrator Inactivity Timeout  
The Administrator Inactivity Timeout setting allows you to configure the length of inactivity that can  
elapse before you are automatically logged out of the Web Management Interface. The SonicWALL  
is preconfigured to log out the administrator after 5 minutes of inactivity.  
Tip If the Administrator Inactivity Timeout is extended beyond 5 minutes, you should end every  
management session by clicking Logout to prevent unauthorized access to the SonicWALL Web  
Management Interface.  
Enter the desired number of minutes in the Administrator Inactivity Timeout section. The Inactivity  
Timeout can range from 1 to 99 minutes. Click Update, and a message confirming the update is  
displayed at the bottom of the browser window.  
Login Failure Handling  
You can configure the SonicWALL to lock out an administrator or a user if the login credentials are  
incorrect. Select Enable User Lockout on login failure to prevent users from attempting to log into  
the SonicWALL without proper authentication credentials. Enter the number of failed attempts  
before the user is locked out in the Lock out user after __ failed login attempts in a 1 minute period  
field. Enter the length of time that must elapse before the user can attempt to log into the SonicWALL  
again in the Lockout Period (minutes) field.  
Alert If the administrator and a user are logging into the SonicWALL using the same source IP  
address, the administrator is also locked out of the SonicWALL. The lockout is based on the source  
IP address of the user or administrator.  
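The following is an added example written for this page, not SonicWALL code. It models the Login Failure Handling rule as described: failed logins are counted per source IP address inside a one-minute window, the address is locked for the Lockout Period once the threshold is reached, and, as the alert warns, an administrator logging in from the same source IP as a locked-out user is refused even with correct credentials. The threshold, lockout period and IP addresses in the scenario are constructed; that a successful login resets the failure count is an assumption.

```python
"""Source-IP login lockout, as described under Login Failure Handling (illustration only)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List

WINDOW_SECONDS = 60  # the guide counts failures "in a 1 minute period"


class SourceIpLockout:
    def __init__(self, max_failures: int, lockout_minutes: int) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_minutes * 60
        # Timestamps of recent failures, per source IP.
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        # Source IP -> time at which its lockout ends.
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]  # the Lockout Period has elapsed
            return False
        return True

    def attempt(self, ip: str, credentials_ok: bool, now: float) -> str:
        """Record one login attempt from `ip` and return its outcome.

        'locked'     - the address is inside its lockout period; credentials are not checked
        'ok'         - successful login
        'failed'     - wrong credentials, still below the threshold
        'locked_out' - wrong credentials, and this attempt triggered the lockout
        """
        if self.is_locked(ip, now):
            return "locked"
        recent = self._failures[ip]
        if credentials_ok:
            recent.clear()  # assumption: a successful login resets the failure count
            return "ok"
        recent.append(now)
        # Keep only failures that fall inside the one-minute window.
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds
            recent.clear()
            return "locked_out"
        return "failed"


def shared_ip_scenario() -> List[str]:
    """Replay the alert's scenario: 3 failures in a minute lock the source IP for 5 minutes."""
    guard = SourceIpLockout(max_failures=3, lockout_minutes=5)
    user_ip = "192.168.168.50"   # constructed: a user's workstation
    admin_ip = "192.168.168.60"  # constructed: a separate management station
    return [
        guard.attempt(user_ip, False, 0),    # failed
        guard.attempt(user_ip, False, 10),   # failed
        guard.attempt(user_ip, False, 20),   # locked_out
        guard.attempt(user_ip, True, 30),    # locked: administrator on the same IP, correct password
        guard.attempt(admin_ip, True, 30),   # ok: administrator on a different IP
        guard.attempt(user_ip, True, 320),   # ok: the 300-second Lockout Period has elapsed
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(shared_ip_scenario(), 1):
        print(step, outcome)
```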
7 Logging and Alerts  
This chapter describes the SonicWALL Internet security appliance logging, alerting, and reporting  
features, which can be viewed in the Log section of the SonicWALL Web Management  
Interface. There are four tabs in the Log section:  
View Log  
Log Settings  
Reports  
ViewPoint (requires a purchased upgrade)  
View Log  
The SonicWALL maintains an Event log which displays potential security threats. This log can be  
viewed with a browser using the SonicWALL Web Management Interface, or it can be automatically  
sent to an e-mail address for convenience and archiving. The log is displayed in a table and is  
sortable by column.  
The SonicWALL can alert you of important events, such as an attack on the SonicWALL. Alerts are  
immediately e-mailed, either to an e-mail address or to an e-mail pager. Each log entry contains the  
date and time of the event and a brief message describing the event.  
Click Log on the left side of the browser window, and then click View Log.  
SonicWALL Log Messages  
Each log entry contains the date and time of the event and a brief message describing the event. It  
is also possible to copy the log entries from the management interface and paste into a report.  
TCP, UDP, or ICMP packets dropped  
When IP packets are blocked by the SonicWALL, dropped TCP, UDP and ICMP messages are  
displayed. The messages include the source and destination IP addresses of the packet. The  
TCP or UDP port number or the ICMP code follows the IP address. Log messages usually include  
the name of the service in quotation marks.  
Web, FTP, Gopher, or Newsgroup blocked  
When a computer attempts to connect to a blocked site or newsgroup, a log event is  
displayed. The computer’s IP address, Ethernet address, the name of the blocked Web site, and  
the Content Filter List Code are displayed. Code definitions for the 12 Content Filter List  
categories are shown below.  
a=Violence/Profanity  
b=Partial Nudity  
c=Full Nudity  
d=Sexual Acts  
e=Gross Depictions  
f=Intolerance  
g=Satanic/Cult  
h=Drug Culture  
i=Militant/Extremist  
j=Sex Education  
k=Gambling/Illegal  
l=Alcohol/Tobacco  
Descriptions of the categories are available at <http://www.sonicwall.com/Content-Filter/categories.html>.  
ActiveX, Java, Cookie or Code Archive blocked  
When ActiveX, Java or Web cookies are blocked, messages with the source and destination IP  
addresses of the connection attempt are displayed.  
Ping of Death, IP Spoof, and SYN Flood Attacks  
The IP address of the machine under attack and the source of the attack are displayed. In most  
attacks, the source address shown is fake and does not reflect the real source of the attack.  
TIP! Some network conditions can produce network traffic that appears to be an attack, even when  
no one is deliberately attacking the LAN. To follow up on a possible attack, contact your ISP to  
determine the source of the attack. Regardless of the nature of the attack, your LAN is protected  
and no further steps are needed.  
Log Settings  
Click Log on the left side of the browser window, and then click the Log Settings tab.  
Configure the following settings:  
1. Mail Server - To e-mail log or alert messages, enter the name or IP address of your mail server  
in the Mail Server field. If this field is left blank, log and alert messages are not e-mailed.  
2. Send Log To - Enter your full e-mail address (username@mydomain.com) in the Send log to field  
to receive the event log via e-mail. Once sent, the log is cleared from the SonicWALL memory. If  
this field is left blank, the log is not e-mailed.  
3. Send Alerts To - Enter your full e-mail address (username@mydomain.com) in the Send alerts  
to field to be immediately e-mailed when attacks or system errors occur. Enter a standard e-mail  
address or an e-mail paging service. If this field is left blank, e-mail alert messages are not sent.  
4. Firewall Name - The Firewall Name appears in the subject of e-mails sent by the SonicWALL. The  
Firewall Name is helpful if you are managing multiple SonicWALLs because it specifies the  
individual SonicWALL sending a log or an alert e-mail. By default, the Firewall Name is set to the  
SonicWALL serial number.  
5. Syslog Server - In addition to the standard event log, the SonicWALL can send a detailed log to  
an external Syslog server. The SonicWALL Syslog captures all log activity and includes every  
connection source and destination IP address, IP service, and number of bytes transferred. The  
SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port  
514.  
Syslog Analyzers such as WebTrends Firewall Suite can be used to sort, analyze, and graph the  
Syslog data.  
Enter the Syslog server name or IP address in the Add Syslog Server field. Messages from the  
SonicWALL are then sent to the servers. Up to three Syslog Server IP addresses can be added.  
If the SonicWALL is managed by SGMS, however, the Syslog Server fields cannot be configured  
by the administrator of the SonicWALL.  
6. E-mail Log Now - Clicking E-mail Log Now immediately sends the log to the address in the Send  
Log To field and then clears the log.  
7. Clear Log Now - Clicking Clear Log Now deletes the contents of the log.  
8. Send Log / Every / At - The Send Log menu determines the frequency of log e-mail messages:  
Daily, Weekly, or When Full. If the Weekly option is selected, then enter the day of the week the  
e-mail is sent in the Every menu. If the Weekly or the Daily option is selected, enter the time of  
day when the e-mail is sent in the At field. If the When Full option is selected and the log fills up,  
it is e-mailed automatically.  
9. When log overflows - The log buffer fills up if the SonicWALL cannot e-mail the log file. The  
default behavior is to overwrite the log and discard its contents. However, you can configure the  
SonicWALL to shut down and prevent traffic from traveling through the SonicWALL if the log is  
full.  
10. Syslog Individual Event Rate (seconds/event) - The Syslog Individual Event Rate setting  
prevents repetitive messages from being written to Syslog. If duplicate events occur during the  
period specified in the Syslog Individual Event Rate field, they are not written to Syslog as  
unique events. Instead, the additional events are counted, and then at the end of the period, a  
message is written to the Syslog that includes the number of times the event occurred.  
The Syslog Individual Event Rate default value is 60 seconds and the maximum value is 86,400  
seconds (24 hours). Setting this value to 0 seconds sends all Syslog messages without filtering.  
11. Syslog Format - You can choose the format of the Syslog to be Default or WebTrends. If you  
select WebTrends, however, you must have WebTrends software installed on your system.  
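As an added illustration (not part of the guide, and not SonicWALL code), the following Python simulation shows how the Syslog Individual Event Rate described in item 10 collapses duplicate events over a period. The sample events are constructed; the assumptions that the first occurrence is written immediately and that a summary is written only when further copies were suppressed are mine, since the guide does not state them.

```python
# Constructed sample events (seconds since start, message text); not real appliance output.
SAMPLE_EVENTS = [
    (0,   "SYN Flood from 203.0.113.5"),
    (5,   "SYN Flood from 203.0.113.5"),
    (20,  "SYN Flood from 203.0.113.5"),
    (30,  "Administrator login succeeded"),
    (70,  "SYN Flood from 203.0.113.5"),
    (130, "SYN Flood from 203.0.113.5"),
]


def suppress_duplicates(events, rate_seconds=60):
    """Return the (timestamp, text) lines that would reach Syslog.

    events must be in time order. rate_seconds is the Syslog Individual Event
    Rate; 0 means every event is forwarded unfiltered, as the guide states.
    Assumptions: the first occurrence of a message starts a period and is
    written immediately; a summary line is written at the end of the period
    only when further copies were suppressed within it.
    """
    if rate_seconds == 0:
        return list(events)
    written = []
    periods = {}   # message -> [period_start, suppressed_count]

    def close_period(message):
        start, suppressed = periods.pop(message)
        if suppressed:
            written.append((start + rate_seconds,
                            f"{message} (event occurred {suppressed + 1} times "
                            f"in the last {rate_seconds} seconds)"))

    for ts, message in events:
        # Close every period that expired before this event arrived.
        expired = [m for m, (start, _) in periods.items() if ts >= start + rate_seconds]
        for m in expired:
            close_period(m)
        if message in periods:
            periods[message][1] += 1        # duplicate: count it, do not write it
        else:
            periods[message] = [ts, 0]      # first occurrence: write it and open a period
            written.append((ts, message))

    for message in list(periods):           # flush periods still open at end of input
        close_period(message)
    written.sort(key=lambda line: line[0])
    return written


if __name__ == "__main__":
    for ts, text in suppress_duplicates(SAMPLE_EVENTS):
        print(f"t={ts:>4}s  {text}")
```

With the 60-second default the six sample events become five Syslog lines, one of them the end-of-period summary; with the rate set to 0 all six are forwarded.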
Log Categories  
You can define which log messages appear in the SonicWALL Event Log. All Log Categories are  
enabled by default except Network Debug.  
System Maintenance  
Logs general system activity, such as administrator logins, automatic downloads of the Content  
Filter Lists, and system activations.  
System Errors  
Logs problems with DNS, e-mail, and automatic downloads of the Content Filter List.  
Blocked Web Sites  
Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering.  
Blocked Java, etc.  
Logs Java, ActiveX, and Cookies blocked by the SonicWALL.  
User Activity  
Logs successful and unsuccessful login attempts.  
VPN TCP Stats  
Logs TCP connections over VPN tunnels.  
Attacks  
Logs messages showing Denial of Service attacks, such as SYN Flood, Ping of Death, and IP  
spoofing.  
Dropped TCP  
Logs blocked incoming TCP connections.  
Dropped UDP  
Logs blocked incoming UDP packets.  
Dropped ICMP  
Logs blocked incoming ICMP packets.  
Network Debug  
Logs NetBIOS broadcasts, ARP resolution problems, and NAT resolution problems. Also,  
detailed messages for VPN connections are displayed to assist the network administrator with  
troubleshooting problems with active VPN tunnels. Network Debug information is intended for  
experienced network administrators.  
Alerts/SNMP Traps  
Alerts are events, such as attacks, which warrant immediate attention. When events generate  
alerts, messages are immediately sent to the e-mail address defined in the Send alerts to field.  
Attacks and System Errors are enabled by default; Blocked Web Sites is disabled.  
Attacks  
Log entries categorized as Attacks generate alert messages.  
System Errors  
Log entries categorized as System Errors generate alert messages.  
Blocked Web Sites  
Log entries categorized as Blocked Web Sites generate alert messages.  
VPN Tunnel Status  
Log entries categorized as VPN Tunnel Status generate alert messages.  
Once you have configured the Log Settings window, click Update. Once the SonicWALL is updated,  
a message confirming the update is displayed at the bottom of the browser window.  
Reports  
The SonicWALL can perform a rolling analysis of the event log to show the top 25 most frequently  
accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services  
consuming the most bandwidth. Click Log on the left side of the browser window, and then click the  
Reports tab.  
The Reports window includes the following functions and commands:  
Start Data Collection  
Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label  
changes to Stop Data Collection.  
Reset Data  
Click Reset to clear the report statistics and begin a new sample period. The sample period is  
also reset when data collection is stopped or started, and when the SonicWALL is restarted.  
View Data  
Select the desired report from the Report to view menu. The options are Web Site Hits,  
Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained  
below. Click Refresh Data to update the report. The length of time analyzed by the report is  
displayed in the Current Sample Period.  
Web Site Hits  
Selecting Web Site Hits from the Display Report menu displays a table showing the URLs for the 25  
most frequently accessed Web sites and the number of hits to a site during the current sample  
period.  
The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites. If  
leisure, sports, or other inappropriate sites appear in the Web Site Hits Report, you can choose to  
block the sites.  
Bandwidth Usage by IP Address  
Selecting Bandwidth Usage by IP Address from the Display Report menu displays a table showing  
the IP Address of the 25 top users of Internet bandwidth and the number of megabytes transmitted  
during the current sample period.  
Bandwidth Usage by Service  
Selecting Bandwidth Usage by Service from the Display Report menu displays a table showing the  
name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of  
megabytes received from the service during the current sample period.  
The Bandwidth Usage by Service report shows whether the services being used are appropriate for  
your organization. If services such as video or push broadcasts are consuming a large portion of the  
available bandwidth, you can choose to block these services.  
SonicWALL ViewPoint  
SonicWALL ViewPoint is a software solution that creates dynamic, Web-based reports of network  
activity. ViewPoint generates both real-time and historical reports to provide a complete view of all  
activity through your SonicWALL Internet Security Appliance. With SonicWALL ViewPoint, you are  
able to monitor network access, enhance network security and anticipate future bandwidth needs.  
SonicWALL ViewPoint  
Displays bandwidth use by IP address and service.  
Identifies inappropriate Web use.  
Presents detailed reports of attacks.  
Collects and aggregates system and network errors.  
8 Content Filtering and Blocking  
Internet content filtering allows you to create and enforce Internet access policies tailored to the  
needs of your organization. You can block harmful Web applications from entering your network, and  
select Web content categories to block or monitor, such as pornography or racial intolerance, from  
a pre-defined Content Filter List.  
There are three Content Filter Lists available for use with your SonicWALL:  
SonicWALL - Selecting SonicWALL for the Content Filter List Type allows you to use the SonicWALL  
Content Filter List (optional upgrade) and completely customize your Content Filter features,  
including allowed and forbidden domains as well as content filtering using keywords.  
Tip When you register your SonicWALL at <http://www.mysonicwall.com>, you can download a one  
month subscription to the SonicWALL Content Filter List updates.  
N2H2 - N2H2 is a third party content filter software package supported by SonicWALL. You can  
obtain more information on N2H2 at [http://www.n2h2.com]. If you select N2H2 from the list,  
an N2H2 tab is available to configure the location of the N2H2 server and other  
settings.  
Websense Enterprise - Websense Enterprise is also a third party content filter list package  
supported by SonicWALL. You can obtain more information on Websense Enterprise at  
[http://www.Websense.com]. If you select Websense Enterprise from the list, a Websense tab  
is available to configure the location of the Websense server and other settings.  
There are four tabs in the Filter section if the SonicWALL Content Filter is selected:  
Configure  
URL List  
Customize  
Consent  
Configuring SonicWALL Content Filtering  
The Configure tab is common between the three types of Content Filtering. Click Filter on the left  
side of the browser window, and then click on the Configure tab.  
Select the type of Content Filter from the Content Filter Type menu. To enforce Content Filtering on  
the LAN, select Apply Content Filter.  
Content filtering can also be enforced on the LAN, DMZ, or both. Select LAN, DMZ, or both. Both LAN  
and DMZ are selected by default.  
Restrict Web Features  
Restrict Web Features enhances your network security by blocking potentially harmful Web  
applications from entering your network. Select any of the following applications to block:  
Block:  
ActiveX  
ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers  
can use ActiveX to delete files or compromise security. Select the ActiveX check box to block  
ActiveX controls.  
Java  
Java is used to download and run small programs, called applets, on Web sites. It is safer than  
ActiveX since it has built-in security mechanisms. Select the Java check box to block Java  
applets from the network.  
Cookies  
Cookies are used by Web servers to track Web usage and remember user identity. Cookies can  
also compromise users' privacy by tracking Web activities. Select the Cookies check box to  
disable Cookies.  
Known Fraudulent Certificates  
Digital certificates help verify that Web content and files originated from an authorized party.  
Enabling this feature protects users on the LAN from downloading malicious programs  
warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the  
SonicWALL blocks the Web content and the files that use these fraudulent certificates.  
Known fraudulent certificates blocked by SonicWALL include two certificates issued on January  
29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.  
Access to HTTP Proxy Servers  
When a proxy server is located on the WAN, LAN users can circumvent content filtering by  
pointing their computer to the proxy server. Check this box to prevent LAN users from accessing  
proxy servers on the WAN.  
Don’t Block Java/ActiveX/Cookies to Trusted Domains  
Select this option if you have trusted domains using Java, ActiveX, and Cookies. To add a trusted  
domain, enter the domain name into the Add Trusted Domain field. Click Update to add the  
domain to the list of trusted domains. To delete a domain, select it from the list, and then click  
Delete.  
Trusted Domains  
Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust  
content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains  
and then add the Trusted Domains to the SonicWALL using the Add Trusted Domain field. Java  
scripts, ActiveX, and cookies are not blocked from Trusted Domains if the checkbox is selected.  
Message to display when a site is blocked  
Enter your customized text to display to the user when access to a blocked site is attempted. The  
default message is Web Site blocked by SonicWALL Filter. Any message, including embedded HTML,  
up to 255 characters long, can be entered in this field.  
URL List  
The URL List page allows you to see the status of the Content Filter List as well as configure  
a specific time to download the list. You can also determine how the SonicWALL responds  
when a Content Filter List is unavailable. Selecting categories to block is also configured  
on this page.  
List Status  
This section of the URL List tab indicates the status of the URL list. If the Content Filter List is loaded,  
a status message is displayed in this section.  
List Updates  
It is important to note that Host names, and not TCP/IP addresses, are used for all filtering. Many  
blocked sites operate server pools, where many computers service a single host name, making it  
impractical and difficult to add and maintain the numerical addresses of every server in the pool.  
Many sites included in the Content Filter List regularly change the IP address of the server to try to  
bypass Content Filter Lists. For this reason, maintaining a current list subscription is critical for  
effective content filtering.  
Download Automatically every  
Selecting Download Automatically every allows you to configure a specific time to download your  
Content Filter List. Select a day of the week and a time (24-hour format), for example, Sun. at 22:00  
hours. Or, you can click Download Now to immediately download your Content Filter List.  
Tip It is recommended to download the URL List at a time when access to the Internet is at a  
minimum as downloading the URL List disrupts connectivity to the Internet.  
Settings  
If you have enabled blocking by Filter Categories and the URL List becomes unavailable, there are  
two options available:  
Block traffic to all Web sites except for Allowed Domains  
Selecting this option blocks traffic to all Web sites except Allowed Domains until the URL List is  
available.  
Allow traffic to all Web sites  
Selecting this option allows traffic to all Web sites without the URL List. However, Forbidden  
Domains and Keywords, if enabled, are still blocked.  
Tip If you enable Block traffic to all Web sites except for Allowed Domains, and you have a 30-day  
subscription to the Content Filter List, you may not be able to access the Internet when the  
subscription expires.  
Select Categories to Block  
Block all categories  
The SonicWALL uses a Content Filter List generated by CyberPatrol to block access to objectionable  
Web sites. CyberPatrol classifies objectionable Web sites based upon input from a wide range of social,  
political, and civic organizations. Select the Block all categories check box to block all of these  
categories. Alternatively, you can select categories individually by selecting the appropriate check  
box.  
Tip When you register your SonicWALL at <http://www.mysonicwall.com>, you can download a one  
month subscription to Content Filter List updates.  
The following is a list of the Content Filter List categories:  
Violence/Profanity  
Partial Nudity  
Full Nudity  
Satanic/Cult  
Drugs/Drug Culture  
Militant/Extremist  
Sex Education  
Sexual Acts  
Gross Depictions  
Intolerance  
Questionable/Illegal Gambling  
Alcohol & Tobacco  
Visit <http://www.sonicwall.com/Content-Filter/categories.html> for a detailed description of the  
criteria used to define Content Filter List categories.  
Customizing the Content Filtering List  
The Customize tab allows you to customize your URL List by manually entering domain names or  
keywords to be blocked or allowed.  
Custom Filter  
You can customize your URL list to include Allowed Domains, Forbidden Domains, and Keywords. By  
customizing your URL list, you can include specific domains to be allowed (accessed), forbidden  
(blocked), and include specific keywords to be used to block sites. Select the checkbox Enable  
Allowed/Forbidden Domains to activate this feature.  
To allow access to a Web site that is blocked by the Content Filter List, enter the host name, such  
as “www.ok-site.com”, into the Allowed Domains field. 256 entries can be added to the Allowed  
Domains list.  
To block a Web site that is not blocked by the Content Filter List, enter the host name, such as  
“www.bad-site.com” into the Forbidden Domains field. 256 entries can be added to the Forbidden  
Domains list.  
Alert Do not include the prefix “http://” in either the Allowed Domains or Forbidden Domains  
fields. All subdomains are affected. For example, entering “yahoo.com” applies to “mail.yahoo.com”  
and “my.yahoo.com”.  
To remove a trusted or forbidden domain, select it from the appropriate list, and click Delete  
Domain. Once the domain has been deleted, a message is displayed at the bottom of the Web  
browser window.  
To enable blocking using Keywords, select the Enable Keyword Blocking check box.  
Enter the keyword to block in the Add Keyword field, and click Update. Once the keyword has been  
added, a message confirming the update is displayed at the bottom of the browser window.  
To remove a keyword, select it from the list and click Delete Keyword. Once the keyword has been  
removed, a message confirming the update is displayed at the bottom of the browser window.  
Tip Customized domains do not have to be re-entered when the Content Filter List is updated each  
week and do not require a URL list subscription.  
Enable Allowed/Forbidden Domains  
To deactivate Custom Filter customization, clear the Enable Allowed/Forbidden Domains check box,  
and click Update. This option allows you to enable and disable customization without removing and  
re-entering custom domains.  
Enable Keyword Blocking  
Select the Enable Keyword Blocking check box if you want to block Web traffic based on your list  
of customized keywords.  
Disable all Web traffic except for Allowed Domains  
When the Disable all Web traffic except for Allowed Domains check box is selected, the SonicWALL  
only allows Web access to sites on the Allowed Domains list. With careful screening, this can be  
nearly 100% effective at blocking pornography and other objectionable material.  
Time of Day  
The Time of Day feature allows you to define specific times when Content Filtering is enforced. For  
example, you could configure the SonicWALL to filter employee Internet access during normal  
business hours, but allow unrestricted access at night and on weekends.  
Tip Time of Day restrictions only apply to the Content Filter List, Customized blocking and Keyword  
blocking. Consent and Restrict Web Features are not affected.  
Always Block  
When selected, Content Filtering is enforced at all times.  
Block Between  
When selected, Content Filtering is enforced during the time and days specified. Enter the time  
period, in 24-hour format, and select the starting and ending day of the week that Content  
Filtering is enforced.  
Filter Block Action  
Log Only  
If this check box is selected, the SonicWALL logs and then allows access to all sites on the  
Content Filter, custom, and keyword lists. The Log Only check box allows you to monitor  
inappropriate usage without restricting access.  
Log and Block Access  
Select the check box and the SonicWALL blocks access to sites on the Content Filter, custom,  
and keyword lists. The SonicWALL also logs attempts to access these sites.  
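The following Python model, added here as an illustration and not taken from the guide or from SonicWALL firmware, ties together the Custom Filter rules (Allowed Domains, Forbidden Domains, Keywords, and the subdomain behaviour from the Alert above), the two URL List unavailable settings, Disable all Web traffic except for Allowed Domains, and the Log Only versus Log and Block action. The precedence between the rules, the stand-in URL list, and the sample configuration are assumptions; the guide only states that Allowed Domains override the Content Filter List and that Forbidden Domains and Keywords still apply when the list is unavailable.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class FilterConfig:
    """Subset of the Customize / URL List settings described above."""
    allowed_domains: set = field(default_factory=set)
    forbidden_domains: set = field(default_factory=set)
    keywords: set = field(default_factory=set)
    custom_domains_enabled: bool = True       # Enable Allowed/Forbidden Domains
    keyword_blocking: bool = True             # Enable Keyword Blocking
    only_allowed_domains: bool = False        # Disable all Web traffic except for Allowed Domains
    list_available: bool = True               # is the Content Filter List loaded?
    block_when_list_unavailable: bool = True  # Block traffic to all Web sites except for Allowed Domains
    log_only: bool = False                    # Filter Block Action: Log Only


# Constructed stand-in for the CyberPatrol URL list (domain -> category); not real list data.
URL_LIST = {
    "gambling.example": "Questionable/Illegal Gambling",
    "ok-site.com": "Violence/Profanity",
}


def normalize_domain_entry(entry):
    """Clean an admin-typed entry: drop any 'http://' prefix and path, as the Alert requires."""
    entry = entry.strip().lower()
    for prefix in ("http://", "https://"):
        if entry.startswith(prefix):
            entry = entry[len(prefix):]
    return entry.split("/", 1)[0].rstrip(".")


def domain_matches(host, domain):
    """True when host equals domain or is a subdomain of it, respecting label boundaries:
    'yahoo.com' covers 'mail.yahoo.com' but must not cover 'notyahoo.com'."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def in_domain_list(host, domains):
    return any(domain_matches(host, d) for d in domains)


def list_category(host):
    """Category from the stand-in URL list, or None when the host is not listed."""
    for domain, category in URL_LIST.items():
        if domain_matches(host, domain):
            return category
    return None


def decide(url, cfg):
    """Return (action, reason) for one request. Precedence is an assumption: Allowed Domains
    win, then Forbidden Domains, Keywords, the only-allowed rule, the list-unavailable rule,
    and finally the category list. Log Only turns any block into a logged allow."""
    host = urlsplit(url).hostname or ""
    if cfg.custom_domains_enabled and in_domain_list(host, cfg.allowed_domains):
        return "allow", "allowed domain"
    if cfg.custom_domains_enabled and in_domain_list(host, cfg.forbidden_domains):
        verdict = "block", "forbidden domain"
    elif cfg.keyword_blocking and any(k.lower() in url.lower() for k in cfg.keywords):
        verdict = "block", "keyword"
    elif cfg.only_allowed_domains:
        verdict = "block", "not an allowed domain"
    elif not cfg.list_available:
        verdict = ("block" if cfg.block_when_list_unavailable else "allow"), "url list unavailable"
    else:
        category = list_category(host)
        verdict = ("block", f"category {category}") if category else ("allow", "not listed")
    if cfg.log_only and verdict[0] == "block":
        return "allow", verdict[1] + " (logged only)"
    return verdict


# Constructed configuration for a demonstration run; the entry with "http://" is cleaned up.
DEMO = FilterConfig(
    allowed_domains={normalize_domain_entry("http://www.ok-site.com/")},
    forbidden_domains={normalize_domain_entry("bad-site.com")},
    keywords={"casino"},
)

if __name__ == "__main__":
    for u in ("http://www.ok-site.com/news", "http://mail.bad-site.com/",
              "http://notbad-site.com/", "http://www.example.net/casino",
              "http://gambling.example/"):
        print(u, "->", decide(u, DEMO))
```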
Consent  
The Consent tab allows you to enforce content filtering on designated computers and provide  
optional filtering on other computers. Consent can be configured to require the user to agree to the  
terms outlined in an Acceptable Use Policy window before Web browsing is allowed.  
Click Filter on the left side of the browser window, and then click the Consent tab.  
Maximum Web usage  
In an environment where there are more users than computers, such as a classroom or library,  
time limits are often imposed. The SonicWALL can be used to remind users when their time has  
expired by displaying the page defined in the Consent page URL field. Enter the time limit, in  
minutes, in the Maximum Web usage field. When the default value of zero (0) is entered, this  
feature is disabled.  
User Idle Timeout is 5 minutes (configure here)  
After a period of Web browser inactivity, the SonicWALL requires the user to agree to the terms  
outlined in the Consent page before accessing the Internet again. To configure the value, follow  
the link to the Users window and enter the desired value in the User Idle Timeout section.  
Consent page URL (Optional Filtering)  
When a user opens a Web browser on a computer requiring consent, they are shown a consent  
page and given the option to access the Internet with or without content filtering. You must  
create this Web (HTML) page. It can contain the text from, or links to an Acceptable Use Policy  
(AUP).  
This page must contain links to two pages contained in the SonicWALL, which, when selected,  
tell the SonicWALL if the user wishes to have filtered or unfiltered access. The link for unfiltered  
access must be <192.168.168.168/iAccept.html> and the link for filtered access must be  
<192.168.168.168/iAcceptFilter.html>, where the SonicWALL LAN IP Address is used instead  
of "192.168.168.168".  
“Consent Accepted” URL (Filtering Off)  
When a user accepts the terms outlined in the Consent page and chooses to access the Internet  
without the protection of Content Filtering, they are shown a Web page confirming their  
selection. Enter the URL of this page in the “Consent Accepted” (Filtering Off) field. This page  
must reside on a Web server and be accessible as a URL by users on the LAN.  
“Consent Accepted” URL (Filtering On)  
When a user accepts the terms outlined in the Consent page and chooses to access the Internet  
with the protection of Content Filtering, they are shown a Web page confirming their selection.  
Enter the URL of this page in the “Consent Accepted” (Filtering On) field. This page must reside  
on a Web server and be accessible as a URL by users on the LAN.  
Mandatory Filtered IP Addresses  
Consent page URL (Mandatory Filtering)  
When a user opens a Web browser on a computer using mandatory content filtering, a consent  
page is displayed. You must create the Web page that appears when the Web browser is  
opened. It can contain text from an Acceptable Use Policy, and notification that violations are  
logged or blocked.  
This Web page must reside on a Web server and be accessible as a URL by users on the LAN.  
This page must also contain a link to a page contained in the SonicWALL that tells the  
SonicWALL that the user agrees to have filtering enabled. The link must be  
<192.168.168.168/iAcceptFilter.html>, where the SonicWALL LAN IP Address is used instead  
of "192.168.168.168".  
Enter the URL of this page in the Consent page URL (Mandatory Filtering) field and click Update.  
Once the SonicWALL has been updated, a message confirming the update is displayed at the  
bottom of the Web browser window.  
Add New Address  
The SonicWALL can be configured to enforce content filtering for certain computers on the LAN.  
Enter the IP addresses of these computers in the Add New Address field and click the Submit  
button. Up to 128 IP addresses can be entered.  
To remove a computer from the list of computers to be filtered, highlight the IP address in the  
Mandatory Filtered IP Addresses list and click Delete Address.  
Configuring N2H2 Internet Filtering  
N2H2 is a third party Internet filtering package that allows you to use Internet content filtering  
through the SonicWALL. When you select N2H2 as your Content Filter List, the N2H2 tab is available.  
Restrict Web Features  
Select any of the following applications to block:  
Block:  
ActiveX  
ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers  
can use ActiveX to delete files or compromise security. Select the ActiveX check box to block  
ActiveX controls.  
Java  
Java is used to download and run small programs, called applets, on Web sites. It is safer than  
ActiveX since it has built-in security mechanisms. Select the Java check box to block Java  
applets from the network.  
Cookies  
Cookies are used by Web servers to track Web usage and remember user identity. Cookies can  
also compromise users' privacy by tracking Web activities. Select the Cookies check box to  
disable Cookies.  
Known Fraudulent Certificates  
Digital certificates help verify that Web content and files originated from an authorized party.  
Enabling this feature protects users on the LAN from downloading malicious programs  
warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the  
SonicWALL blocks the Web content and the files that use these fraudulent certificates.  
Known fraudulent certificates blocked by SonicWALL include two certificates issued on January  
29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.  
Access to HTTP Proxy Servers  
When a proxy server is located on the WAN, LAN users can circumvent content filtering by  
pointing their computer to the proxy server. Check this box to prevent LAN users from accessing  
proxy servers on the WAN.  
Don’t Block Java/ActiveX/Cookies to Trusted Domains  
Select this option if you have trusted domains using Java, ActiveX, and Cookies. To add a trusted  
domain, enter the domain name into the Add Trusted Domain field. Click Update to add the  
domain to the list of trusted domains. To delete a domain, select it from the list, and then click  
Delete.  
Trusted Domains  
Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust  
content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains  
and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX, and cookies are not  
blocked from Trusted Domains if the checkbox is selected.  
Message to display when a site is blocked  
Enter your customized text to display to the user when access to a blocked site is attempted. The  
default message is Web Site blocked by SonicWALL Filter. Any message, including embedded HTML,  
up to 255 characters long, can be entered in this field.  
Customization of Content Filtering is not available if you select N2H2 as your source for your Content  
Filter List. Refer to your N2H2 documentation for details on configuring N2H2 Internet Filtering for  
your network.  
N2H2 Server Status  
This section displays the status of the N2H2 Internet Filtering Protocol (IFP) server you are using for  
Internet filtering.  
Settings  
Server Host Name or IP Address  
Enter the Server Host Name or the IP address of the N2H2 Internet Filtering Protocol (IFP) server  
used to receive IFP requests.  
Listen Port  
Enter the UDP port number for the N2H2 Internet Filtering Protocol (IFP) server to “listen” for the  
N2H2 traffic. The default port is 4005.  
Reply Port  
Enter the UDP port number for the N2H2 server to send packets from the N2H2 client to the  
SonicWALL. The default port is 4005.  
User Name  
The User Name refers to a configuration of users, a group of users, or a network defined within the  
N2H2 software.  
If Server is unavailable for 5 secs:  
The default value for timeout of the server is 5 seconds, but you can enter a value between 1 and  
10 seconds.  
If the N2H2 server becomes unavailable, select from the following two options:  
Block traffic to all Web sites  
Allow traffic to all Web sites  
URL Cache  
Configure the size of the URL Cache in KB.  
Model                                               Cache Size (KB)  
XPRS, PRO, SOHO2, TELE2, SOHO3, TELE3, and PRO-VX   128  
PRO 100, PRO 200, PRO 300, PRO2, PRO-VX2            256  
GX250, GX 2500, GX650, GX 6500                      1024  
Tip A larger URL Cache size can result in noticeable improvements in Internet browsing response  
times.  
Configuring the Websense Enterprise Content Filter  
Websense is a third party software package that allows you to use Internet content filtering through  
the SonicWALL. Select Websense Enterprise from the Content Filter Type menu.  
Customization of the Content Filter List is not available if you select Websense as your source for  
content filtering.  
Restrict Web Features  
Select any of the following applications to block:  
Block:  
ActiveX  
ActiveX is a programming language that embeds scripts in Web pages. Malicious programmers  
can use ActiveX to delete files or compromise security. Select the ActiveX check box to block  
ActiveX controls.  
Java  
Java is used to download and run small programs, called applets, on Web sites. It is safer than  
ActiveX since it has built-in security mechanisms. Select the Java check box to block Java  
applets from the network.  
Cookies  
Cookies are used by Web servers to track Web usage and remember user identity. Cookies can  
also compromise users' privacy by tracking Web activities. Select the Cookies check box to  
disable Cookies.  
Known Fraudulent Certificates  
Digital certificates help verify that Web content and files originated from an authorized party.  
Enabling this feature protects users on the LAN from downloading malicious programs  
warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the  
SonicWALL blocks the Web content and the files that use these fraudulent certificates.  
Known fraudulent certificates blocked by SonicWALL include two certificates issued on January  
29 and 30, 2001 by VeriSign to an impostor masquerading as a Microsoft employee.  
Access to HTTP Proxy Servers  
When a proxy server is located on the WAN, LAN users can circumvent content filtering by  
pointing their computer to the proxy server. Check this box to prevent LAN users from accessing  
proxy servers on the WAN.  
Don’t Block Java/ActiveX/Cookies to Trusted Domains  
Select this option if you have trusted domains using Java, ActiveX, and Cookies. To add a trusted  
domain, enter the domain name into the Add Trusted Domain field. Click Update to add the  
domain to the list of trusted domains. To delete a domain, select it from the list, and then click  
Delete.  
Trusted Domains  
Trusted Domains can be added in the Restrict Web Features section of the Configure tab. If you trust  
content on specific domains, you can select Don’t block Java/ActiveX/Cookies to Trusted Domains  
and then add the Trusted Domains to the SonicWALL. Java scripts, ActiveX, and cookies are not  
blocked from Trusted Domains if the checkbox is selected.  
Message to display when a site is blocked  
When a user attempts to access a site blocked by the Websense Enterprise Content Filter List, only  
Websense Enterprise messages are displayed in the browser. If the Websense Enterprise Content  
Filter List server is unavailable, the default SonicWALL message is displayed.  
Configuring the Websense Content Filter List  
Configure the Websense Enterprise settings on this page.  
Websense Server Status  
This section displays the status of the Websense Enterprise server used for content filtering.  
Settings  
Server Host Name or IP Address  
Enter the Server Host Name or the IP address of the Websense Enterprise server used for the  
Content Filter List.  
Server Port  
Enter the UDP port number for the SonicWALL to “listen” for the Websense Enterprise traffic. The  
default port number is 15686.  
User Name  
To enable reporting of users and groups defined on the Websense Enterprise server, leave this field  
blank. To enable reporting by a specific user or group behind the SonicWALL, enter the User Name  
configured on the Websense Enterprise Server for the user or group. If using NT-based directories  
on the Websense Enterprise Server, the User Name is in this format, for example:  
NTLM:\\domainname\username. If using LDAP-based directories on the Websense Enterprise  
server, the User Name is in this format, for example: LDAP://o-domain/ou=sales/username.  
If you are not sure about entering a user name in this section, leave the field blank and consult  
your Websense documentation for more information.  
If Server is unavailable for 5 secs:  
If the Websense Enterprise server becomes unavailable, select from the following two options:  
Block traffic to all Web sites  
Allow traffic to all Web sites  
URL Cache  
Configure the size of the URL Cache in KB.  
Model                                                 Cache Size (KB)  
XPRS, PRO, SOHO2, TELE2, SOHO3, TELE3, and PRO-Vx     128  
PRO 100, PRO 200, PRO 300, PRO2, PRO-VX2              256  
GX250, GX 2500, GX650, GX 6500                        1024  
Tip A larger URL Cache size can result in noticeable improvements in Internet browsing response  
times.  
9 Web Management Tools  
This chapter describes the SonicWALL Management Tools, available in the Tools section of the  
SonicWALL Web Management Interface. The Web Management Tools section allows you to restart  
the SonicWALL, import and export configuration settings, update the SonicWALL firmware, and  
perform several diagnostic tests.  
There are four tabs in the Tools section:  
Restart  
Preferences  
Firmware  
Diagnostic  
Restarting the SonicWALL  
Click Tools on the left side of the browser window, and then click the Restart tab.  
The SonicWALL can be restarted from the Web Management Interface. Click Restart SonicWALL,  
and then click Yes to confirm the restart.  
The SonicWALL takes up to 90 seconds to restart, and the yellow Test LED is lit. During the restart  
time, Internet access for all users on the LAN is momentarily interrupted.  
Preferences  
Click Tools on the left side of the browser window, and then click the Preferences tab.  
You can save the SonicWALL settings, and then retrieve them later for backup purposes. SonicWALL  
recommends saving the SonicWALL settings when upgrading the firmware.  
The Preferences window also provides options to restore the SonicWALL factory default settings and  
launch the SonicWALL Installation Wizard. These functions are described in detail in the following  
pages.  
Exporting the Settings File  
It is possible to save the SonicWALL configuration information as a file on your computer, and  
retrieve it for later use. Click Export in the Preferences tab.  
1. Click Export again to download the settings file. Then choose the location to save the settings  
file. The file is named “sonicwall.exp” by default, but it can be renamed.  
2. Click Save to save the file. This process can take up to a minute.  
Importing the Settings File  
After exporting a settings file, you can import it back to the SonicWALL.  
1. Click Import in the Preferences tab.  
2. Click Browse to locate a settings file which was saved using Export.  
3. Select the file, and click Import.  
4. Restart the SonicWALL for the settings to take effect.  
Alert The Web browser used to Import Settings must support HTTP uploads. Microsoft Internet  
Explorer 5.0 and higher, as well as Netscape Navigator 4.0 and higher, are recommended.  
Restoring Factory Default Settings  
You can erase the SonicWALL configuration settings and restore the SonicWALL to its factory default  
state.  
1. Click Restore on the Preferences tab to restore factory default settings.  
2. Click Yes, and then restart the SonicWALL for the change to take effect.  
Alert The SonicWALL LAN IP Address, LAN Subnet Mask, and the Administrator Password are not  
reset.  
Updating Firmware  
The SonicWALL has flash memory and can be easily upgraded with new firmware. Current firmware  
can be downloaded from SonicWALL, Inc. Web site directly into the SonicWALL.  
Alert Firmware updates are only available to registered users. You can register your SonicWALL  
online at <http://www.mysonicwall.com>.  
Click Tools on the left side of the browser window, and then click the Firmware tab.  
To be automatically notified when new firmware is available, select the Notify me when new  
firmware is available check box. Then click Update. If you enable firmware notification, your  
SonicWALL sends a status message to SonicWALL, Inc. Firmware Server on a daily basis. The status  
message includes the following information:  
SonicWALL Serial Number  
Unit Type  
Current Firmware Version  
Language  
Current Available memory  
ROM version  
Options and Upgrades (SonicWALL VPN, Network Anti-Virus)  
Tip! The SonicWALL Privacy Policy is available at <http://www.sonicwall.com/corporate_info/privacy.html>  
for additional information about privacy.  
When new firmware is available, a message is e-mailed to the address specified in the Log Settings  
window. In addition, the Status window includes notification of new firmware availability. This  
notification provides links to firmware release notes and to a Firmware Update Wizard. The  
Firmware Update Wizard simplifies and automates the upgrade process. Follow the instructions in  
the Firmware Update Wizard to update the firmware.  
Updating Firmware Manually  
You can also upload firmware from the local hard drive. Click Upload Firmware.  
Alert The Web browser used to import settings must support HTTP uploads. Microsoft Internet  
Explorer 5.0 and higher as well as Netscape Navigator 4.0 and higher are recommended.  
When firmware is uploaded, the SonicWALL settings can be erased. Before uploading new firmware,  
export and save the SonicWALL settings so that they can be restored later. Once the settings have  
been saved, click Yes.  
Click Browse and select the firmware file from your local hard drive or from the SonicWALL  
Companion CD. Click Upload, and then restart the SonicWALL.  
Alert When uploading firmware to the SonicWALL, you must not interrupt the Web browser by  
closing the window, clicking a link, or loading a new page. If the browser is interrupted, it can corrupt  
the SonicWALL firmware.  
Upgrade Features  
SonicWALL Internet Security Appliances can be upgraded to support new or optional features.  
Chapter 15, SonicWALL Options and Upgrades, provides a summary of the SonicWALL firmware  
upgrades, subscription services, and support offerings. You can contact SonicWALL or your local  
reseller for more information about SonicWALL options and upgrades. You can also purchase  
upgrades by registering your SonicWALL at <http://www.mysonicwall.com>, and using the Buy Now  
option.  
Web: http://www.sonicwall.com  
E-mail: sales@sonicwall.com  
Phone: (408) 745-9600  
Fax: (408) 745-9300  
When an upgrade is purchased, an Activation Key and instructions for registering the upgrade are  
included. Once you have registered the upgrade, an Upgrade Key is issued. Enter this key in the  
Enter upgrade key field and click Update. Follow the instructions included with the upgrade for  
configuration.  
Diagnostic Tools  
The SonicWALL has several built-in tools which help troubleshoot network problems. Click Tools on  
the left side of the browser window and then click the Diagnostic tab.  
DNS Name Lookup  
The SonicWALL has a DNS lookup tool that returns the numerical IP address of a domain name or  
if you enter an IP address, it returns the domain name.  
1. Select DNS Name Lookup from the Choose a diagnostic tool menu.  
2. Enter the host name to look up in the Look up the name field and click Go. Do not add the prefix  
"http://". The SonicWALL then queries the DNS server and displays the result at the bottom of  
the screen.  
Tip You must define a DNS server IP address in the Network tab of the General section to perform  
DNS Name Lookup.  
Find Network Path  
The Find Network Path tool shows whether an IP host is located on the LAN or the WAN. This is  
helpful in determining if the SonicWALL is properly configured. For example, if the SonicWALL  
“thinks” that a computer on the Internet is located on the LAN, then the SonicWALL Network or  
Intranet settings can be misconfigured. Find Network Path shows if the target device is behind a  
router, and the Ethernet address of the target device. Find Network Path also shows the gateway  
the device is using and helps isolate configuration problems.  
1. Select Find Network Path from the Choose a diagnostic tool menu.  
2. Enter the IP address of the device and click Go. The test takes a few seconds to complete. Once  
completed, a message showing the results is displayed in the browser window.  
If the network path is incorrect, check the SonicWALL Intranet and Static Routes settings.  
Tip Find Network Path requires an IP address. The SonicWALL DNS Name Lookup tool can be used  
to find the IP address of a host.  
Ping  
The Ping test bounces a packet off a machine on the Internet and returns it to the sender. This test  
shows if the SonicWALL is able to contact the remote host. If users on the LAN are having problems  
accessing services on the Internet, try pinging the DNS server, or another machine at the ISP  
location. If this test is successful, try pinging devices outside the ISP. This shows if the problem lies  
with the ISP connection.  
1. Select Ping from the Choose a diagnostic tool menu.  
2. Enter the IP address of the target device to ping and click Go. The test takes a few seconds to  
complete. Once completed, a message showing the results is displayed in the browser window.  
Tip Ping requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find the IP  
address of a host.  
Packet Trace  
The Packet Trace tool tracks the status of a communications stream as it moves from source to  
destination. This is a useful tool to determine if a communications stream is being stopped at the  
SonicWALL, or is lost on the Internet.  
To interpret this tool, it is necessary to understand the three-way handshake that occurs for every  
TCP connection. The following displays a typical three-way handshake initiated by a host on the  
SonicWALL LAN to a remote host on the WAN.  
1. TCP received on LAN [SYN]  
From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)  
To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)  
The SonicWALL receives SYN from LAN client.  
2. TCP sent on WAN [SYN]  
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e)  
To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)  
The SonicWALL forwards SYN from LAN client to remote host.  
3. TCP received on WAN [SYN,ACK]  
From 204.71.200.74 / 80 (02:00:cf:58:d3:6a)  
To 207.88.211.116 / 1937 (00:40:10:0c:01:4e)  
The SonicWALL receives SYN,ACK from remote host.  
4. TCP sent on LAN [SYN,ACK]  
From 204.71.200.74 / 80 (02:00:cf:58:d3:6a)  
To 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)  
The SonicWALL forwards SYN,ACK to LAN client.  
5. TCP received on LAN [ACK]  
From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)  
To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)  
Client sends a final ACK, and waits for start of data transfer.  
6. TCP sent on WAN [ACK]  
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e)  
To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)  
The SonicWALL forwards the client ACK to the remote host and waits for the data transfer to begin.  
When using packet traces to isolate network connectivity problems, look for the location where the  
three-way handshake is breaking down. This helps to determine if the problem resides with the  
SonicWALL configuration, or if there is a problem on the Internet.  
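The following Python is an added example, not SonicWALL code: it parses trace text in the layout shown above, counts how many of the six handshake events appear in order, and reports where to look when the handshake stops. The sample traces are constructed from the addresses in the listing, and the "where to look" readings are this example's interpretation of the advice above.

```python
import re

# Constructed sample traces in the layout the Packet Trace tool prints
# (addresses copied from the manual's handshake listing). FULL_TRACE is a
# complete LAN-to-WAN handshake; BROKEN_TRACE stops after the SYN leaves the WAN.
FULL_TRACE = """\
1. TCP received on LAN [SYN]
From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)
To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
2. TCP sent on WAN [SYN]
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e)
To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
3. TCP received on WAN [SYN,ACK]
From 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
To 207.88.211.116 / 1937 (00:40:10:0c:01:4e)
4. TCP sent on LAN [SYN,ACK]
From 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
To 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)
5. TCP received on LAN [ACK]
From 192.168.168.158 / 1282 (00:a0:4b:05:96:4a)
To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
6. TCP sent on WAN [ACK]
From 207.88.211.116 / 1937 (00:40:10:0c:01:4e)
To 204.71.200.74 / 80 (02:00:cf:58:d3:6a)
"""

BROKEN_TRACE = "\n".join(FULL_TRACE.splitlines()[:6]) + "\n"

HEADER_RE = re.compile(r"^\d+\.\s+TCP (received|sent) on (LAN|WAN) \[([A-Z,]+)\]$")
ENDPOINT_RE = re.compile(r"^(From|To) (\d{1,3}(?:\.\d{1,3}){3}) / (\d+) \(([0-9a-f:]{17})\)$")

# The six events of a complete handshake for a LAN-initiated connection,
# in the order the manual lists them.
EXPECTED = [
    ("received", "LAN", "SYN"),
    ("sent", "WAN", "SYN"),
    ("received", "WAN", "SYN,ACK"),
    ("sent", "LAN", "SYN,ACK"),
    ("received", "LAN", "ACK"),
    ("sent", "WAN", "ACK"),
]

# Where to look when the trace stops after stage N. These readings are this
# example's interpretation of the manual's advice, not SonicWALL text.
WHERE_TO_LOOK = {
    0: "no SYN from the LAN client reached the SonicWALL: check the client and LAN",
    1: "SYN received on LAN but never sent on WAN: check SonicWALL rules, NAT and routing",
    2: "SYN sent on WAN but no SYN,ACK returned: remote host or Internet path",
    3: "SYN,ACK received on WAN but not forwarded to LAN: check the SonicWALL",
    4: "client did not send the final ACK: check the LAN client",
    5: "final ACK not forwarded to WAN: check the SonicWALL",
    6: "handshake completed; the problem lies after connection setup",
}


def parse_trace(text):
    """Turn the tool's text into a list of event dicts with From/To endpoints."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"dir": m.group(1), "iface": m.group(2), "flags": m.group(3)}
            events.append(current)
            continue
        m = ENDPOINT_RE.match(line)
        if m and current is not None:
            # (ip, port, mac) for the From or To side of the packet
            current[m.group(1).lower()] = (m.group(2), int(m.group(3)), m.group(4))
    return events


def handshake_stage(events):
    """Count how many of the six expected events appear, in order."""
    stage = 0
    for ev in events:
        if stage < len(EXPECTED) and (ev["dir"], ev["iface"], ev["flags"]) == EXPECTED[stage]:
            stage += 1
    return stage


def diagnose(text):
    """Return (stages completed, where to look) for a pasted trace."""
    stage = handshake_stage(parse_trace(text))
    return stage, WHERE_TO_LOOK[stage]


if __name__ == "__main__":
    for name, trace in (("full", FULL_TRACE), ("broken", BROKEN_TRACE)):
        print(name, diagnose(trace))
```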
1. Select Packet Trace from the Choose a diagnostic tool menu.  
Tip Packet Trace requires an IP address. The SonicWALL DNS Name Lookup tool can be used to find  
the IP address of a host.  
2. Enter the IP address of the remote host in the Trace on IP address field, and click Start. You  
must enter an IP address in the Trace on IP address field; do not enter a host name, such as  
“www.yahoo.com”.  
3. Contact the remote host using an IP application such as Web, FTP, or Telnet.  
4. Click Refresh and the packet trace information is displayed.  
5. Click Stop to terminate the packet trace, and Reset to clear the results.  
Tech Support Report  
The Tech Support Report generates a detailed report of the SonicWALL configuration and status,  
and saves it to the local hard disk. This file can then be e-mailed to SonicWALL Technical Support  
to help assist with a problem.  
Alert You must register your SonicWALL on mySonicWALL.com to receive technical support.  
Before e-mailing the Tech Support Report to the SonicWALL Technical Support team, complete a  
Tech Support Request Form at <http://techsupport.sonicwall.com/swtech.html>. After the form is  
submitted, a unique case number is returned. Include this case number in all correspondence, as it  
allows SonicWALL Technical Support to provide you with better service.  
In the Tools section, click the Diagnostic tab, and then select Tech Support Report from the Choose  
a diagnostic tool menu. Four Report Options are available in the Tech Support Report section:  
VPN Keys - saves shared secrets, encryption, and authentication keys to the report.  
ARP Cache - saves a table relating IP addresses to the corresponding MAC or physical  
addresses.  
DHCP Bindings - saves entries from the SonicWALL DHCP server.  
IKE Info - saves current information about active IKE configurations.  
Generating a Tech Support Report  
1. Select Tech Support Report from the Choose a diagnostic tool menu.  
2. Select the Report Options to be included with your e-mail.  
3. Click Save Report to save the file to your system. When you click Save Report, a warning  
message is displayed.  
4. Click OK to save the file. Attach the report to your Tech Support Request e-mail.  
Trace Route  
Trace Route is a diagnostic utility to assist in diagnosing and troubleshooting router connections on  
the Internet. By using Internet Control Message Protocol (ICMP) echo packets similar to Ping  
packets, Trace Route can test interconnectivity with routers and other hosts that are farther and  
farther along the network path until the connection fails or until the remote host responds.  
Enter the IP address or domain name of the destination host. For example, enter yahoo.com and  
click Go.  
A second window is displayed with each hop to the destination host.  
By following the route, you can diagnose where the connection fails between the SonicWALL and the  
destination.  
10 Network Access Rules  
Network Access Rules are management tools that allow you to define inbound and outbound access  
policy, configure user authentication, and enable remote management of the SonicWALL.  
By default, the SonicWALL’s stateful packet inspection allows all communication from the LAN to  
the Internet, and blocks all traffic to the LAN from the Internet. The following behaviors are defined  
by the “Default” stateful inspection packet rule enabled in the SonicWALL:  
Allow all sessions originating from the LAN to the WAN and DMZ.  
Allow all sessions originating from the DMZ to the WAN.  
Allow all sessions originating from the WAN to the DMZ.  
Deny all sessions originating from the WAN and DMZ to the LAN.  
Additional Network Access Rules can be defined to extend or override the default rules. For example,  
rules can be created that block certain types of traffic such as IRC from the LAN to the WAN, or allow  
certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the  
Internet to specific hosts on the LAN, or restrict use of certain protocols such as Telnet to authorized  
users on the LAN.  
The custom rules evaluate network traffic source IP address, destination IP address, IP protocol  
type, and compare the information to rules created on the SonicWALL. Network Access Rules take  
precedence, and can override the SonicWALL’s stateful packet inspection. For example, a rule that  
blocks IRC traffic takes precedence over the SonicWALL default setting of allowing this type of  
traffic.  
Alert The ability to define Network Access Rules is a very powerful tool. Using custom rules can  
disable firewall protection or block all access to the Internet. Use caution when creating or deleting  
Network Access Rules.  
Viewing Network Access Rules  
The Services window displays a table of defined Network Access Rules. Rules are sorted from the  
most specific at the top, to less specific at the bottom of the table. At the bottom of the table is the  
Default rule. The Default rule is all IP services except those listed in the Services window. Rules can  
be created to override the behavior of the Default rule; for example, the Default rule allows users on  
the LAN to access all Internet services, including NNTP News. However, LAN access to NNTP can be  
blocked by deselecting LAN Out corresponding to the NNTP News service.  
Services  
Click Access on the left side of the browser window, and then click the Services tab.  
Note: The LAN In column is not displayed if NAT is enabled.  
The Services window allows you to customize Network Access Rules by service. Services displayed  
in the Services window relate to the rules in the Rules window, so any changes on the Services  
window appear in the Rules window. The Default rule, at the bottom of the table, encompasses all  
Services.  
LAN Out  
If the LAN Out check box is selected, users on your LAN can access that service on the Internet.  
Otherwise, they are blocked from accessing that service. By default, the LAN Out check boxes are  
selected.  
DMZ In (Optional)  
If DMZ In is selected, users on the Internet can access the service on the DMZ. Otherwise, they  
are blocked from accessing the service on the DMZ. By default, DMZ In is selected. The DMZ In  
column does not appear in the Web Management Interface for the SonicWALL SOHO3 and TELE3,  
which do not have a separate DMZ port.  
LAN In  
If a LAN In checkbox is enabled, users on the Internet can access all computers on your network for  
that service. By default, LAN In checkboxes are not enabled. Use caution when enabling a LAN In  
service.  
Alert If an Alert Icon appears next to a LAN Out, LAN In, or DMZ In check box, a rule in the Rules  
window modifies that service.  
Public LAN Server  
A Public LAN Server is a LAN server designated to receive inbound traffic for a specific service, such  
as Web or e-mail. You can define a Public LAN Server by entering the server's IP address in the Public  
LAN Server field for the appropriate service. If you do not have a Public LAN Server for a service,  
enter "0.0.0.0" in the field.  
Windows Networking (NetBIOS) Broadcast Pass Through  
Computers running Microsoft Windows communicate with one another through NetBIOS broadcast  
packets. By default, the SonicWALL blocks these broadcasts. If you select From LAN to WAN, your  
SonicWALL allows NetBIOS broadcasts from LAN to DMZ or from LAN to WAN. Then, LAN users are  
able to view machines on the DMZ and the WAN in their Windows Network Neighborhood.  
Windows Messenger Support  
Select Enable Support if you are having problems using Windows Messenger through the  
SonicWALL. If Enable Support is selected, it may affect the performance of the SonicWALL.  
Detection Prevention  
Enable Stealth Mode  
By default, the SonicWALL responds to incoming connection requests as either "blocked" or "open".  
If you enable Stealth Mode, your SonicWALL does not respond to blocked inbound connection  
requests. Stealth Mode makes your SonicWALL essentially invisible to hackers.  
Randomize IP ID  
A Randomize IP ID check box is available to prevent hackers using various detection tools from  
detecting the presence of a SonicWALL appliance. IP packets are given random IP IDs which makes  
it more difficult for hackers to “fingerprint” the SonicWALL appliance. Use this check box for  
additional security from hackers.  
Network Connection Inactivity Timeout  
If a connection to a remote server remains idle for more than five minutes, the SonicWALL closes  
the connection. Without this timeout, Internet connections could stay open indefinitely, creating  
potential security holes. You can increase the Inactivity Timeout if applications, such as Telnet and  
FTP, are frequently disconnected.  
Add Service  
To add a service not listed in the Services window, click Access on the left side of the browser  
window, and then click the Add Service tab.  
The list on the right side of the window displays the services that are currently defined. These  
services also appear in the Services window.  
Two numbers appear in brackets next to each service. The first number indicates the service's IP  
port number. The second number indicates the IP protocol type (6 for TCP, 17 for UDP, or 1 for  
ICMP).  
Tip There can be multiple entries with the same name. For example, the default configuration has  
two entries labeled “Name Service (DNS)” for UDP port 53 and TCP port 53. Multiple entries with  
the same name are grouped together, and are treated as a single service. Up to 128 entries are  
supported.  
Add a Known Service  
1. Select the name of the service you want to add from the Add a known service list.  
2. Click Add. The new service appears in the list box on the right side of the browser window. Note  
that some services add more than one entry to the list.  
Add a Custom Service  
1. Select [Custom Service] from the Add a known service list.  
2. Type a unique name, such as “CC:mail” or “Quake” in the Name field.  
3. Enter the beginning number of the IP port range and ending number of the IP port range in the  
Port Range fields. If the service only requires one IP port, enter the single port number in both  
Port Range fields.  
Tip Visit <http://www.ietf.org/rfc/rfc1700.txt> for a list of IP port numbers.  
4. Select the IP protocol type, TCP, UDP or ICMP, from the Protocol list.  
5. Click Add. The new service appears in the list on the right side of the browser window.  
Tip If multiple entries with the same name are created, they are grouped together as a single service  
and cannot function as expected.  
Enable Logging  
You can enable and disable logging of events in the SonicWALL Event Log. For example, if Linux  
authentication messages are filling up your log, you can disable logging of Linux authentication.  
1. Highlight the name of the desired service in the list.  
2. Clear the Enable Logging check box.  
3. Click Modify.  
Delete a Service  
To delete a service, highlight the name in the list, and click Delete Service. If multiple entries with  
the same name exist, delete all entries to remove the service.  
Rules  
The SonicWALL evaluates the source IP address, the destination IP address, and the service type  
when determining whether to allow or deny traffic. Custom rules take precedence and override the  
SonicWALL default rules.  
By default, the SonicWALL blocks all traffic from the Internet to the LAN and allows all traffic from  
the LAN to the Internet. Custom rules can be created to modify the default rules. For example, rules  
can be created for the following purposes:  
Allow traffic from the Internet to a mail server on the LAN.  
Restrict users on the LAN from using a specified service, such as QuickTime.  
Allow specified IP addresses on the Internet to access a sensitive server on the LAN.  
Configure bandwidth management for individual services.  
Maximum Number of Rules by Product  
Product    Maximum Rules    Rules Available for Bandwidth Management  
GX Series  
300  
200  
100  
100  
100  
50  
PRO 300, PRO 330  
PRO 100, PRO 200,  
PRO 230  
TELE3, SOHO3  
100  
100  
50  
20  
TELE2, SOHO2, XPRS2,  
XPRS, PRO, PRO-Vx  
To create custom Network Access Rules, click Access on the left side of the browser window, and  
then click the Rules tab.  
Alert Use extreme caution when creating or deleting Network Access Rules, as you can accidentally  
disable firewall protection or block access to the Internet.  
Network Access Rule Logic List  
It is important to fully consider the logic behind the new rule before it is added to the list. Use the  
following guidelines to help you evaluate the impact of a rule before adding it to the list:  
1. State the intent of the rule. For example, “This rule restricts all IRC access from the LAN to the  
Internet.”  
2. Is the intent of the rule to allow or deny traffic?  
3. What is the direction of the traffic? From the LAN to the WAN, or from the WAN to the LAN?  
4. List IP services affected by the rules.  
5. List the computers on the LAN affected by the rule.  
6. List the computers on the WAN affected by the rule. If allowing traffic from the WAN to the LAN,  
it is better to allow WAN traffic only to certain computers on the LAN.  
7. Does the rule prevent users from accessing critical resources on the Internet?  
8. Does the rule create any security vulnerabilities?  
9. Does the rule conflict with any existing rules?  
Bandwidth Management  
The SonicWALL can be configured to manage the bandwidth of outbound (WAN) network traffic,  
which allows network administrators to prioritize traffic. Each Service added via a Rule has a check  
box to enable bandwidth management for the Service.  
Select Enable Bandwidth Management in the Add Rule window then enter the Guaranteed  
Bandwidth in Kbps for the Service, and enter the Maximum Bandwidth in number of Kbps for the  
Service. Before you can enable and configure bandwidth management for Rules, you must enable  
it on the Ethernet page in the Advanced section.  
Alert Bandwidth management is very complex and requires extensive knowledge of networks and  
networking protocols. Incorrect bandwidth management may cause network problems or  
degradation of network performance. See Bandwidth Management in Chapter 10, Advanced for  
more information.  
Add A New Rule  
1. Click Add New Rule... in the Rules window to open the Add Rule window.  
2. Select Allow or Deny in the Action list depending upon whether the rule is intended to permit or  
block IP traffic.  
3. Select the name of the service affected by the Rule from the Service list. If the service is not  
listed, you must define the service in the Add Service window. The Default service encompasses  
all IP services.  
4. Select the source of the traffic affected by the rule, either LAN, WAN, or * (both), from the Source  
Ethernet menu.  
If you want to define the source IP addresses that are affected by the rule, such as restricting  
certain users from accessing the Internet, enter the starting IP addresses of the address range  
in the Addr Range Begin field and the ending IP address in the Addr Range End field. To include  
all IP addresses, enter * in the Addr Range Begin field.  
5. Select the destination of the traffic affected by the rule, either LAN or WAN or *, from the  
Destination Ethernet menu.  
If you want to define the destination IP addresses that are affected by the rule, for example, to  
allow inbound Web access to several Web servers on your LAN, enter the starting IP addresses  
of the address range in the Addr Range Begin field and the ending IP address in the Addr Range  
End field. To include all IP addresses, enter * in the Addr Range Begin field.  
6. Select always from the Apply this rule menu if the rule is always in effect.  
7. Select from the Apply this rule menu to define the specific time and day of week to enforce the rule.  
Enter the time of day (in 24-hour format) to begin and end enforcement. Then select the day of  
the week to begin and end enforcement.  
Tip If you want to enable the rule at different times depending on the day of the week, make  
additional rules for each time period.  
8. If you want the rule to time out after a period of inactivity, set the amount of time, in  
minutes, in the Inactivity Timeout in Minutes field. The default value is 5 minutes.  
9. Do not select the Allow Fragmented Packets check box. Large IP packets are often divided into  
fragments before they are routed over the Internet and then reassembled at a destination host.  
Because hackers exploit IP fragmentation in Denial of Service attacks, the SonicWALL blocks  
fragmented packets by default. You can override the default configuration to allow fragmented  
packets over PPTP or IPSec.  
10. Enable Bandwidth Management, and enter the Guaranteed Bandwidth in Kbps.  
11. Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum  
Bandwidth field. Assign a priority from 0 (highest) to 7 (lowest).  
12. Click Update. Once the SonicWALL has been updated, the new rule appears in the list of Current  
Network Access Rules.  
Tip Although custom rules can be created that allow inbound IP traffic, the SonicWALL does not  
disable protection from Denial of Service attacks, such as the SYN Flood and Ping of Death attacks.  
For example, to configure the SonicWALL to allow Internet traffic to your Web server with an IP  
address of 208.5.5.5 (Standard mode), create the following rule:  
1. Verify that HTTP has been added as a Service as outlined previously.  
2. Click the Rules tab, and click Add New Rule....  
3. Select Allow, then Web (HTTP) from the Service menu.  
4. Select WAN from the Ethernet Source menu, and leave the Addr Range Begin and Addr Range  
End as they appear.  
5. Select LAN from the Ethernet Destination menu, and enter in the IP address of the Web server,  
208.5.5.5 in the Addr Range Begin field. No IP address is added in the Addr Range End since  
the destination is not a range of IP addresses.  
6. Select always from the Apply this rule menu.  
7. Enter a value (in minutes) in the Inactivity Timeout in Minutes field.  
8. Do not select the Allow Fragmented Packets check box.  
9. If you want the Rule to have guaranteed bandwidth, select Enable Outbound Bandwidth  
Management, and enter values for Guaranteed Bandwidth, Maximum Bandwidth, and  
Bandwidth Priority.  
10. Click Update to add the rule to the SonicWALL.  
Tip The source part (WAN or LAN) can be limited to certain parts of the Internet using a range of IP  
addresses on the WAN or LAN. For example, the following rule can be used to make the same  
Web server visible only from a single class C subnet on the Internet: Allow HTTP, Source WAN  
216.77.88.1 - 216.77.88.254, Destination LAN 208.5.5.5.  
Add New Rule Examples  
The following examples illustrate methods for creating Network Access Rules.  
Blocking LAN Access for Specific Services  
This example shows how to block LAN access to NNTP servers on the Internet during business  
hours.  
1. Click Add New Rule in the Rules window to launch the Add Network Access Rule Web browser  
window.  
2. Select Deny from the Action menu.  
3. Select NNTP from the Service menu. If the service is not listed, you must add it in the Add  
Service window.  
4. Select LAN from the Source Ethernet menu.  
5. Since all computers on the LAN are to be affected, enter * in the Source Addr Range Begin field.  
6. Select WAN from the Destination Ethernet menu.  
7. Enter * in the Destination Addr Range Begin field to block access to all NNTP servers.  
8. Select Apply this rule "from" to configure the time of enforcement.  
9. Enter "8:30" and "17:30" in the hour fields.  
10. Select Mon to Fri from the menu.  
11. Click Update to add your new Rule.  
Enabling Ping  
By default, your SonicWALL does not respond to ping requests from the Internet. This Rule allows  
ping requests from your ISP servers to your SonicWALL.  
1. Click Add New Rule in the Rules window to launch the "Add Network Access Rule" window.  
2. Select Allow from the Action menu.  
3. Select Ping from the Service menu.  
4. Select WAN from the Source Ethernet menu.  
5. Enter the starting IP address of the ISP network in the Source Addr Range Begin field and the  
ending IP address of the ISP network in the Source Addr Range End field.  
6. Select LAN from the Destination Ethernet menu.  
7. Since the intent is to allow a ping only to the SonicWALL, enter the SonicWALL LAN IP Address  
in the Destination Addr Range Begin field.  
8. Select Always from the Apply this rule menu to ensure continuous enforcement.  
9. Click Update to add your new Rule.  
Current Network Access Rules Table  
All Network Access Rules are listed in the Current Network Access Rules table in the Rules window.  
The rules are listed from most to least specific. The rules at the top of Current Network Access Rules  
list take precedence over rules at the bottom of the list.  
Edit a Rule  
To edit a rule, click the Note Pad icon to the right of the rule in the Rules window. A new Web browser  
window appears, displaying the current configuration of the rule. Make the desired changes and  
click Update to update the rule. The modified rule is displayed in the list of Current Network Access  
Rules.  
Delete a Rule  
To delete a rule, click the Trash Can icon to the right of the rule in the Rules window. A dialog box  
appears with the message “Do you want to remove this rule?”. Click OK. Once the SonicWALL has  
been updated, a message confirming the update is displayed at the bottom of the browser window.  
Enable/Disable a Rule  
To disable a rule without permanently removing it, clear the Enable check box to the right of the rule  
in the Rules window. To enable a disabled rule, select the Enable check box. The configuration is  
updated automatically, and a message confirming the update is displayed at the bottom of the  
browser window.  
Restore the Default Network Access Rules  
If the SonicWALL Network Access Rules have been modified or deleted, you can restore the Default  
Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic and  
allow all outbound IP traffic. Click Restore Rules to Defaults in the Rules window to reset the  
Network Access Rules. Once the SonicWALL has been updated, a message confirming the update  
is displayed at the bottom of the browser window.  
Understanding the Access Rule Hierarchy  
The rule hierarchy has two basic concepts:  
1. Specific rules override general rules:  
An individual service is more specific than the Default service.  
A single Ethernet link, such as LAN or WAN, is more specific than * (all).  
A single IP address is more specific than an IP address range.  
2. Equally specific Deny rules override Allow rules.  
Rules are displayed in the Current Network Access Rules list from the most specific to the least  
specific, and rules at the top override rules listed below. For example, consider the section of the  
Rules window shown below.  
The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN to the WAN.  
However, Rule #1 blocks IRC (Chat) traffic from a computer on the LAN to a server on the WAN.  
The Default Deny Rule (#6) blocks all traffic from the WAN to the LAN, however, Rule #2 overrides  
this rule by allowing Web traffic from the WAN to the LAN.  
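The ordering rules above, together with the scheduled rule from "Blocking LAN Access for Specific Services", are small enough to model in code. The following is an added example written for this guide, not SonicWALL's own implementation: it ranks rules exactly as the two hierarchy concepts describe (more specific first, Deny ahead of Allow at equal specificity) and honours an "Apply this rule from/to" window. The Web server 208.5.5.5 and the 8:30 to 17:30 Monday to Friday window come from the guide's examples; the LAN host 192.168.168.20, the WAN host 203.0.113.5 and the "Deny when nothing matches" fallback are assumptions made for the example.

```python
# Added example (not SonicWALL code): a model of the Network Access Rule
# hierarchy described in the guide plus the "Apply this rule from/to" schedule.
# 192.168.168.20 and 203.0.113.5 are constructed sample hosts; 208.5.5.5 and
# the 8:30-17:30 Mon-Fri window are the guide's own example values.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")        # the "*" entry in Addr Range Begin
WEEKDAYS = (0, 1, 2, 3, 4)            # Mon..Fri as datetime.weekday() numbers


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


@dataclass(frozen=True)
class Schedule:
    """Enforcement window: 24-hour start/end and the days of the week."""
    start: str
    end: str
    days: Tuple[int, ...]

    def active(self, when: datetime) -> bool:
        now = when.hour * 60 + when.minute
        return when.weekday() in self.days and _minutes(self.start) <= now < _minutes(self.end)


@dataclass(frozen=True)
class Rule:
    action: str                  # "Allow" or "Deny"
    service: str                 # e.g. "HTTP"; "Default" means every service
    src_link: str                # "LAN", "WAN" or "*"
    src: IPv4Network
    dst_link: str
    dst: IPv4Network
    schedule: Optional[Schedule] = None   # None means "always"

    def specificity(self) -> int:
        """Higher is more specific: a named service beats Default, one link
        beats *, and one address beats a range, which beats *."""
        def addr_score(net: IPv4Network) -> int:
            if net == ANY:
                return 0
            return 2 if net.num_addresses == 1 else 1
        return ((self.service != "Default") + (self.src_link != "*")
                + (self.dst_link != "*") + addr_score(self.src) + addr_score(self.dst))

    def matches(self, service, src_link, src_ip, dst_link, dst_ip, when) -> bool:
        return (self.service in ("Default", service)
                and self.src_link in ("*", src_link)
                and self.dst_link in ("*", dst_link)
                and src_ip in self.src and dst_ip in self.dst
                and (self.schedule is None or self.schedule.active(when)))


def rank(rules):
    """Order as the Current Network Access Rules table does: most specific
    first, and Deny ahead of Allow when specificity ties."""
    return sorted(rules, key=lambda r: (-r.specificity(), r.action != "Deny"))


def decide(rules, service, src_link, src_ip, dst_link, dst_ip, when_iso) -> str:
    """Action of the first (highest-ranked) matching rule. Treating traffic that
    matches no rule at all as blocked is an assumption of this model."""
    when = datetime.fromisoformat(when_iso)
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for rule in rank(rules):
        if rule.matches(service, src_link, src, dst_link, dst, when):
            return rule.action
    return "Deny"


RULES = [
    # Rule #1 in the text: block IRC from one LAN computer to one WAN server
    Rule("Deny", "IRC", "LAN", IPv4Network("192.168.168.20/32"), "WAN", IPv4Network("203.0.113.5/32")),
    # Rule #2: allow Web traffic from anywhere on the WAN to the Web server 208.5.5.5
    Rule("Allow", "HTTP", "WAN", ANY, "LAN", IPv4Network("208.5.5.5/32")),
    # "Blocking LAN Access for Specific Services": no NNTP during business hours
    Rule("Deny", "NNTP", "LAN", ANY, "WAN", ANY, Schedule("8:30", "17:30", WEEKDAYS)),
    # Default rules #6 (WAN to LAN denied) and #7 (LAN to WAN allowed)
    Rule("Deny", "Default", "WAN", ANY, "LAN", ANY),
    Rule("Allow", "Default", "LAN", ANY, "WAN", ANY),
]

if __name__ == "__main__":
    for r in rank(RULES):
        print(r.specificity(), r.action, r.service, r.src_link, "->", r.dst_link)
```

Ranking the list shows why Rule #2 wins over Default Deny #6 (a named service plus a single destination address outscores Default with ranges) and why the NNTP rule, which matches nothing on a Saturday, lets the Default Allow #7 apply outside business hours. When reviewing a live rule set, the same question applies to each custom Allow rule: which more general Deny does it override, and from which sources.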
Users  
Extensive features are available on the Users tab in the Access section of the Management  
interface. User level access can be configured for authentication and access to the network.  
Authentication can be performed using a local user database, RADIUS, or a combination of the two  
applications.  
For instructions on configuring individual users on RADIUS servers, see Appendix I.  
Currently, when a VPN tunnel is established between two SonicWALL appliances, any user on the  
local LAN of either SonicWALL can send data across the VPN. In some cases such unrestricted  
access is a security risk, and only authenticated users should be permitted to access the VPN  
tunnel and send data across the network.  
Global User Settings  
Time users out after 5 minutes of inactivity - Enter the number of minutes of inactivity allowed  
before a user is automatically logged out of the network via the SonicWALL.  
Limit login session time to - Limit the length of time, in minutes, that a user is allowed to be  
logged into the network via the SonicWALL. When a user logs into the SonicWALL using a  
username and password, the user can also set the maximum login session time, but it cannot  
be longer than the time configured by the administrator. If Limit login session time to is not  
selected, the user has unlimited login session time on the SonicWALL.  
Allow DNS access for unauthenticated VPN users - Enabling this check box allows  
unauthenticated DNS traffic to access the DNS server over a VPN tunnel with authentication  
enforcement. Use this checkbox if you allow unauthenticated users to access the DNS server  
on your LAN.  
Use RADIUS - Select Use RADIUS if you have configured RADIUS to authenticate users accessing  
the network through the SonicWALL. If you have more than 100 users requiring authentication,  
you must use a RADIUS server. If you select Use RADIUS, users must log into the SonicWALL  
using HTTPS so that the password sent to the SonicWALL is encrypted. If a user attempts to log  
into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS.  
Allow only users listed below - Enable this setting if you have a subset of RADIUS users  
accessing the SonicWALL. The user names must be added to the internal SonicWALL user  
database before they can be authenticated using RADIUS.  
Authenticate users listed below - Selecting this option allows you to configure users in the local  
database. To add new users, fill out the User Name, Password, and Confirm Password fields,  
then select from the list of privileges allowed for the user:  
- Remote Access - Enable this check box if the user accesses LAN resources through the firewall  
from a remote location on the Internet.  
Alert By enabling Remote Access, you allow unencrypted traffic over the Internet.  
- Bypass Filters - Enable Bypass Filters if the user has unlimited access to the Internet from the  
LAN, bypassing Web, News, Java, and ActiveX blocking.  
- Access to VPNs - Enable the check box if the user can send information over the VPN Security  
Associations with authentication enforcement.  
- Access from the VPN Client with XAUTH - Enable the check box if the user requires XAUTH for  
authentication and accesses the firewall via a VPN client.  
- Limited Management Capabilities - By enabling this check box, the user has limited local  
management access to the SonicWALL Management interface. The access is limited to the  
following pages:  
General - Status, Network, Time  
Log - View Log, Log Settings, Log Reports  
Tools - Restart, Diagnostics minus Tech Support Report  
Tip The SonicWALL supports up to 100 users requiring RADIUS authentication in the local database.  
Adding and Removing a User  
Alert You must add a user to the Local Database to enforce access privileges.  
To add a new user, complete the following steps.  
1. Log into the Management interface, click Access, then Users.  
2. Highlight -Add New User- in the Current User list box.  
3. Enter the name of a user into the User Name field.  
4. Enter the user password in the Password and Confirm Password field. The password is  
case-sensitive.  
5. Choose the privileges to be enabled for the user by selecting the appropriate check boxes.  
6. Click Update to add the user to the SonicWALL database.  
7. To remove a user, highlight the User Name, and click Remove User.  
Current Users  
A list of all current users is displayed in a table at the bottom of the page. The Current Users table  
lists the User Name, the IP Address of the user, the Session Time, Time Remaining of the session,  
and the Inactivity Remaining time.  
Users Currently Locked Out After Login Failures  
A list of current users locked after failing to log into the SonicWALL correctly is displayed in this  
section. The table lists the User Name Tried, the IP Address, Lockout Time Remaining, and an Unlock  
icon. The Unlock icon is used by the Administrator to allow the user access to the SonicWALL. Click  
the icon to enable access for the user.  
User Login  
When a user other than the administrator logs into the SonicWALL Management interface, a page  
is displayed with the user’s privileges listed. The user can set the maximum time for a login session,  
but it cannot be longer than the session time set by the administrator. The connection closes when  
the user exceeds the inactivity time-out period or the maximum session time is exceeded. If the  
connection is closed, the user must re-authenticate to regain their access through the SonicWALL.  
Logging into the SonicWALL as the administrator automatically gives the user access to all VPN  
tunnels requiring authentication.  
Tip Authentication sessions create a log entry in the SonicWALL, but user activity is not logged.  
RADIUS  
RADIUS can provide control over user access and VPN access. RADIUS configuration is located in  
the Access window.  
To configure RADIUS settings, complete the following instructions.  
Click the RADIUS tab.  
1. Define the number of times the SonicWALL attempts to contact the RADIUS server in the  
RADIUS Server Retries field. If the RADIUS server does not respond within the specified number  
of retries, the connection is dropped. This field can range between 1 and 10, however 3 RADIUS  
server retries is recommended.  
2. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds with a  
default value of 5.  
RADIUS Servers  
3. Specify the settings of the primary RADIUS server in the RADIUS servers section. An optional  
secondary RADIUS server can be defined if a backup RADIUS server exists on the network.  
4. Enter the IP address of the RADIUS server in the IP Address field.  
5. Enter the Port Number for the RADIUS server.  
6. If there is a secondary RADIUS server, enter the appropriate information in the Secondary  
Server section.  
7. Enter the RADIUS server administrative password or "shared secret" in the Shared Secret field.  
The alphanumeric Shared Secret can range from 1 to 31 characters in length and is case  
sensitive.  
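What the Shared Secret, Retries and Timeout settings above actually govern is easiest to see on the wire. The following is an added example, written for this guide rather than taken from SonicWALL: it builds a RADIUS Access-Request the way an appliance acting as RADIUS client does, hiding the User-Password attribute with the RFC 2865 method (MD5 over the shared secret and the 16-byte Request Authenticator, XORed into the password block by block), shows the server-side reversal, and wraps the send in the retry/timeout loop the two fields describe. The secret, user name, password and the stand-in transport are constructed for the example; nothing here contacts a real server.

```python
# Added example (not SonicWALL code): RFC 2865 User-Password hiding with the
# shared secret, plus a retry/timeout loop modelled on the RADIUS Server Retries
# and RADIUS Server Timeout settings. All names, secrets and the transport below
# are constructed; no network I/O takes place.
import hashlib
import os
import struct
from typing import Callable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 ^ MD5(S+RA), c2 = p2 ^ MD5(S+c1), ... per 16-byte block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse performed by the server; the NUL padding is stripped again."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    # Attribute = Type (1 byte), Length including header (1 byte), Value
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    if not 1 <= len(secret) <= 31:   # the guide's Shared Secret length limits
        raise ValueError("shared secret must be 1-31 characters")
    authenticator = authenticator or os.urandom(16)   # fresh per request
    attrs = _attr(USER_NAME, username) + _attr(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes):
    """Server-side view: (identifier, username, password). A wrong secret does
    not fail loudly; it simply yields garbage for the password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos = packet[4:20], 20
    username = password = b""
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if kind == USER_NAME:
            username = value
        elif kind == USER_PASSWORD:
            password = unhide_password(value, secret, authenticator)
        pos += alen
    return identifier, username, password


def send_with_retries(transport: Callable[[bytes, float], bytes], packet: bytes,
                      retries: int = 3, timeout: float = 5.0) -> Optional[bytes]:
    """Mirror RADIUS Server Retries / Timeout: try `retries` times, each bounded
    by `timeout` seconds; None means the server never answered."""
    for _ in range(retries):
        try:
            return transport(packet, timeout)
        except TimeoutError:
            continue
    return None


def make_flaky_transport(failures: int):
    """Constructed stand-in for UDP: time out `failures` times, then accept."""
    calls = {"n": 0}

    def transport(packet: bytes, timeout: float) -> bytes:
        calls["n"] += 1
        if calls["n"] <= failures:
            raise TimeoutError("no reply within %.0fs" % timeout)
        return struct.pack("!BBH", ACCESS_ACCEPT, packet[1], 20) + bytes(16)
    return transport
```

Two practical points follow from the code. The hiding is only as strong as the secret and the freshness of the Request Authenticator, so the full 31 characters the field accepts are worth using, and the secret must match exactly (including case) on both ends, or the server silently sees a wrong password rather than an error. And because the appliance has to hold the cleartext password to produce the hidden attribute, the guide's requirement that users log in over HTTPS is what keeps that password from crossing the LAN in the clear first.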
RADIUS Users  
You can select the default privileges for all RADIUS users in this section.  
Remote Access - Enable this check box if the user accesses the SonicWALL from a remote  
computer. This option is only available in Standard mode.  
Bypass Filters - Enable Bypass Filters if the user can bypass Content Filter settings.  
Access to VPNs - Enable the check box if the user can send information over VPN Security  
Associations.  
Access from the VPN Client with XAUTH - Enable the check box if a VPN client is using XAUTH for  
authentication.  
Limited Management Capabilities - By enabling this check box, the user has limited local  
management access to the SonicWALL Management interface. The access is limited to the  
following pages:  
- General - Status, Network, Time  
- Log - View Log, Log Settings, Log Reports  
- Tools - Restart, Diagnostics minus Tech Support Report  
RADIUS Client Test  
You can test your RADIUS Client user name and password by typing in a valid User name in the User  
field, and the Password in the Password field. If the validation is successful, the Status messages  
changes to Success. If the validation fails, the Status message changes to Failure. Once the  
SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication  
prompts incoming VPN clients to enter a User Name and Password into a dialogue box.  
Management  
SonicWALL SNMP Support  
SNMP (Simple Network Management Protocol) is a network protocol used over User Datagram  
Protocol (UDP) that allows network administrators to monitor the status of the SonicWALL Internet  
security appliances and receive notification of any critical events as they occur on the network.  
SonicWALL Internet security appliances support SNMP v1/v2c and all relevant Management  
Information Base II (MIBII) groups except egp and at. The SonicWALL replies to SNMP Get  
commands for MIBII via any interface and supports a custom SonicWALL MIB for generating trap  
messages. The custom SonicWALL MIB is available for download from the SonicWALL Website and  
can be loaded into third-party SNMP management software such as HP Openview, Tivoli, or SNMPC.  
To configure SNMP in the SonicWALL Internet Security appliance, log into the SonicWALL  
management interface. Click Access, then Management.  
The SonicWALL SNMP agent generates two kinds of traps: Cold Start Traps and Alert Traps. A Cold  
Start Trap indicates that the SonicWALL appliance is re-initializing itself, so that the agent's  
configuration or the appliance itself may be altered. Alert Traps are based on the existing SonicWALL  
alert messages, which allows the trap messages to share a common message string with the alerts.  
Accordingly, no trap message can exist without a corresponding alert message.  
To configure SNMP, enter the necessary information in the following fields:  
1. To enable the SNMP agent, select Enable SNMP.  
2. Enter the System Name. This is the hostname of the SonicWALL appliance.  
3. In the System Contact field, type in the name of the network administrator for the SonicWALL  
appliance.  
4. Enter an e-mail address, telephone number, or pager number in the System Location field.  
5. Create a name for a group or community of administrators who can view SNMP data, and enter  
it in the Get Community Name field.  
6. Create a name for a group or community of administrators who can view SNMP traps, and enter  
it in the Trap Community Name field.  
7. Enter the IP address or hostname of the SNMP management system receiving the SNMP traps  
in the Host 1 through 4 fields. Up to 4 addresses or hostnames can be specified.  
Configuration of the Log/Log Settings for SNMP  
Trap messages are generated only for the categories for which alert messages are normally sent,  
i.e. attacks, system errors, and blocked Web sites. If none of these categories is selected on the  
Log Settings page, no trap messages are sent.  
Configuration of the Service and Rules Pages  
By default, the SonicWALL appliance responds only to SNMP Get messages received on its LAN  
interface. Appropriate rules must be set up in the SonicWALL to allow SNMP traffic to and from the  
WAN. SNMP trap messages can be sent via the LAN or WAN interface.  
If your SNMP management system supports discovery, the SNMP agent should automatically  
discover the SonicWALL appliance on the network. Otherwise, you must add the SonicWALL  
appliance to the list of SNMP manageable devices on the SNMP management system.  
SonicWALL Management Protocol  
The SonicWALL can be managed using HTTP or HTTPS and a Web browser. Both HTTP and HTTPS  
are enabled by default. The default port for HTTP is port 80, but you can configure access through  
another port. Enter the number of the desired port in the Port field, and click Update. However, if  
you configure another port for HTTP management, you must include the port number when you use  
the IP address to log into the SonicWALL. For example, if you configure the port to be 76, then you  
must enter <LAN IP Address>:76 into the Web browser.  
The default port for HTTPS management is 443, the standard port. You can add another layer of  
security for logging into the SonicWALL by changing the default port. To configure another port for  
HTTPS management, enter the preferred port number into the Port field, and click Update. For  
example, if you configure the HTTPS Management Port to be 700, then you must log into the  
SonicWALL using the port number as well as the IP address, for example,  
<https://192.168.168.1:700> to access the SonicWALL.  
The HTTPS Management Certificate Common Name field defaults to the SonicWALL LAN Address.  
This allows you to continue using a certificate without downloading a new one each time you log into  
the SonicWALL.  
Additional Management  
All SonicWALLs include a Management Security Association (SA) for secure remote management.  
The Management SA does not permit access to remote network resources.  
Tip If you have enabled VPN on your SonicWALL, the SonicWALL can be managed remotely using a  
Management SA or with a VPN SA.  
To enable secure remote management, click Access on the left side of the browser window, and  
click the Management tab. Then select Enable Management Using VPN Client to enable secure  
remote management using Manual Key.  
When remote management is enabled, a Management SA is automatically generated. The  
Management SA uses Manual Keying to set up a VPN tunnel between the SonicWALL and the VPN  
client. The Management SA also defines Inbound and Outbound Security Parameter Indices (SPIs)  
which match the last eight digits of the SonicWALL serial number. The preset SPIs are displayed in  
the Security Association Information section. It is not necessary to configure a VPN connection for  
Remote Management as the Management SA is automatically configured in this section.  
1. Enter a 16-character hexadecimal encryption key in the Encryption Key field. Valid hexadecimal  
characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F. An example of a valid encryption  
key is 1234567890ABCDEF. Or you can use the randomly generated key that appears in the  
Encryption Key field.  
2. Enter a 32-character hexadecimal authentication key in the Authentication Key field. An  
example of a valid authentication key is 1234567890ABCDEF1234567890ABCDEF. Or you  
can use the randomly generated key that appears in the Authentication Key field.  
3. Click Update. Restart the SonicWALL for the change to take effect.  
Tip When a Management SA is created, the remote SonicWALL is managed at the SonicWALL WAN  
IP Address.  
4. Click Help in the upper right corner of the SonicWALL Management Interface to access detailed  
instructions for configuring the VPN client. Additional instructions are available at <http://  
www.sonicwall.com/products/documentation/VPN_documentation.html>.  
Tip The Management Method list also includes the option for management by SonicWALL Global  
Management System (SonicWALL GMS). Select this option if the SonicWALL is managed remotely  
by SonicWALL GMS.  
11 Advanced Features  
This chapter describes the SonicWALL Advanced Features, such as Web Proxy Forwarding, DMZ  
Address settings, and One-to-One NAT. The Advanced Features can be accessed in the Advanced  
section of the SonicWALL Web Management Interface. There are six tabs in the Advanced section:  
Proxy Relay  
Intranet  
Routes  
DMZ Addresses  
One-to-One NAT  
Ethernet  
Proxy Relay  
Web Proxy Forwarding  
A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested  
Web pages. If it does not, the proxy completes the request to the server on the Internet, returning  
the requested information to the user and also saving it locally for future requests.  
Setting up a Web proxy server on a network can be cumbersome, because each computer on the  
network must be configured to direct Web requests to the server.  
If you have a proxy server on your network, instead of configuring each computer to point to the proxy  
server, you can move the server to the WAN and enable Web Proxy Forwarding. The SonicWALL  
automatically forwards all Web proxy requests to the proxy server without requiring all the  
computers on the network to be configured.  
Configuring Web Proxy Relay  
1. Connect your Web proxy server to a hub, and connect the hub to the SonicWALL WAN port.  
Alert The proxy server must be located on the WAN or the DMZ; it can not be located on the LAN.  
2. Log into the SonicWALL Web Management Interface. Click Advanced at the left side of the  
browser window, and then click the Proxy Relay tab at the top of the window.  
3. Enter the name or IP address of the proxy server in the Proxy Web Server field, and the proxy IP  
port in the Proxy Web Server Port field. Click Update.  
4. If the Web proxy server is located on the WAN between the SonicWALL and the Internet router,  
add the Web proxy server address in the SonicWALL Intranet tab. Click the Intranet tab at the  
top of the window.  
5. To bypass the Proxy Servers if a failure occurs, select the Bypass Proxy Servers Upon Proxy  
Server Failure check box.  
6. In the Intranet tab, enter the proxy server's IP address in the Add Range field.  
7. Select Specified address ranges are attached to the WAN link and click Update. Once the  
SonicWALL has been updated, a message confirming the update is displayed at the bottom of  
the browser window.  
Bypass Proxy Servers Upon Proxy Failure  
If a Web proxy server is specified in the Proxy Relay tab of the Advanced section, selecting the  
Bypass Proxy Servers Upon Proxy Server Failure check box allows clients behind the SonicWALL to  
bypass the Web proxy server in the event it becomes unavailable. Instead, the client’s browser  
accesses the Internet directly as if a Web proxy server is not specified.  
Intranet  
The SonicWALL can be configured as an Intranet firewall to prevent network users from accessing  
sensitive servers. By default, users on your LAN can access the Internet router, but not devices  
connected to the WAN port of the SonicWALL. To enable access to the area between the SonicWALL  
WAN port and the Internet, you must configure the Intranet settings on the SonicWALL.  
Creating an Intranet firewall is achieved by connecting the SonicWALL between an unprotected and  
a protected segment.  
Installation  
1. Connect the LAN Ethernet port on the back of the SonicWALL to the network segment to be  
protected against unauthorized access.  
Alert Devices connected to the WAN port do not have firewall protection. It is recommended that you  
use another SonicWALL Internet security appliance to protect computers on the WAN.  
2. Connect the SonicWALL to a power outlet. For SonicWALL PRO 200, PRO 300, PRO 230, and  
PRO 330, press the Power Switch to the ON position.  
Intranet Configuration  
Click Advanced on the left side of the browser window, and then click the Intranet tab.  
To enable an Intranet firewall, you must specify which machines are located on the LAN, or you must  
specify which machines are located on the WAN.  
It is best to select the network area with the least number of machines. For example, if only one or  
two machines are connected to the WAN, select Specified address ranges are attached to the WAN  
link. That way, you only have to enter one or two IP addresses in the Add Range section. Specify the  
IP addresses individually or as a range.  
Intranet Settings  
Select one of the following four options:  
SonicWALL WAN link is connected directly to the Internet router - Select this option if the  
SonicWALL is protecting your entire network. This is the default setting.  
Specified address ranges are attached to the LAN link - Select this option if it is easier to specify  
the devices on your LAN. Then enter your LAN IP address range(s). If you do not include all  
computers on your LAN, the computers not included will be unable to send or receive data through  
the SonicWALL.  
Specified address ranges are attached to the WAN link - Select this option if it is easier to specify  
the devices on your WAN. Then enter your WAN IP address range(s). Computers connected to  
the WAN port that are not included are inaccessible to users on your LAN.  
Add Range - To add a range of addresses, such as "199.2.23.50" to "199.2.23.54", enter the  
starting address in the From Address field and the ending address in the To Address field. An  
individual IP address should be entered in the From Address field only.  
Tip Up to 64 address ranges can be entered.  
Click Update. Once the SonicWALL has been updated, a message confirming the update is displayed  
at the bottom of the browser window.  
VPN Single-Armed Mode (stand-alone VPN gateway)  
Note: This feature is available only on the PRO 100, 200, 300, 230, 330, and GX series.  
VPN Single-Armed Mode allows you to deploy a SonicWALL with single port (WAN) utilized as a VPN  
tunnel termination point. Clear text traffic is routed to the single interface and the data is  
encapsulated to the appropriate IPSec gateway.  
An example of a deployment is to place the SonicWALL between the existing firewall and the router  
connected to the Internet. Traffic is sent in clear text to the SonicWALL, then encrypted and sent to  
the appropriate VPN Gateway.  
Alert VPN Single Armed Mode can only be enabled if the SonicWALL is in Standard mode on the  
Network tab. If you are not using Standard for your Network mode, a warning message is displayed.  
If VPN Single-Armed Mode (stand-alone VPN gateway) is enabled, a warning message appears as  
follows:  
Click OK to enable the SonicWALL in VPN Single Armed Mode.  
Configuring a SonicWALL for VPN Single Armed Mode  
You can use the following example information to configure the IP addresses on a SonicWALL for  
VPN Single Armed Mode:  
Remote SonicWALL  
  WAN IP Address: 66.120.118.11  
  Subnet Mask: 255.255.255.0  
  LAN IP Address: 192.168.1.1  
  Subnet Mask: 255.255.255.0  
Corporate SonicWALL  
  WAN IP Address: 66.120.118.25  
  Subnet Mask: 255.255.255.0  
  LAN IP Address: 192.168.3.1  
  Subnet Mask: 255.255.255.0  
VPN Single Armed Mode SonicWALL  
  WAN IP Address: 66.120.118.13  
  Subnet Mask: 255.255.255.0  
  LAN IP Address: 192.168.2.1  
  Subnet Mask: 255.255.255.0  
To configure a SonicWALL in VPN Single Armed Mode in front of an existing SonicWALL, follow these  
steps.  
1. Configure the Remote and Corporate SonicWALLs in your preferred networking mode.  
2. Configure a VPN SA using IKE and Pre-shared Secret on the Remote SonicWALL using the VPN  
SonicWALL WAN IP address, 66.120.118.13, as the IPSec Gateway, and the Corporate  
SonicWALL WAN IP address, 66.120.118.25, as the Destination Network.  
3. Configure a Static Route on the Local SonicWALL to send network traffic destined for the  
Remote SonicWALL to the VPN SonicWALL.  
4. Configure the VPN SonicWALL in Standard networking mode.  
5. Click Advanced, then Intranet. Select the VPN Single Armed Mode (stand alone VPN gateway)  
checkbox, and click Update. A rule is automatically added to the VPN SonicWALL for HTTPS  
management from the WAN. The LAN port is disabled when you configure a SonicWALL for VPN  
Single Armed mode.  
6. Configure a VPN SA using IKE and Pre-shared Secret on the VPN SonicWALL to securely connect  
to the Remote SonicWALL. Enter the Remote SonicWALL WAN IP address as the IPSec Gateway  
and the Remote SonicWALL LAN IP Address range as the Destination Network, if configuring  
“Many to One NAT”.  
7. Click Advanced, and then Routes. Enter the Corporate SonicWALL WAN IP address in the Dest.  
Network field. Enter the subnet mask in the Subnet Mask field. Enter the Local SonicWALL WAN  
IP address as the Gateway, and select WAN from the Link menu. Click Update.  
Now that all SonicWALLs are configured, network traffic on the corporate SonicWALL destined for  
the remote office is routed to the VPN SonicWALL, encrypted, and sent to the remote SonicWALL.  
Routes  
If you have routers on your Local Area Network (LAN), Demilitarized Zone (DMZ), or Wide Area  
Network (WAN), you can configure Static Routes on the SonicWALL.  
Tip On the TELE3 TZ and TELE3 TZX, the LAN is labeled WorkPort and the DMZ is labeled HomePort.  
Click Advanced on the left side of the browser window, and then click the Routes tab.  
Static routes must be defined if the LAN, DMZ, or WAN are segmented into subnets, either for size  
or practical considerations. For example, a subnet can be created to isolate a section of a company,  
such as finance, from traffic on the rest of the LAN, DMZ, or WAN.  
The SonicWALL LAN IP Address, LAN Subnet Mask, WAN IP Address, and WAN/DMZ Subnet Mask are
displayed in the Current Network Settings section. Refer to these settings when configuring your
Static Routes.
To add Static Route entries, complete the following instructions:  
1. Enter the destination network of the static route in the Dest. Network field. The destination  
network is the IP address subnet of the remote network segment.  
Tip If the destination network uses IP addresses ranging from "192.168.1.1" to "192.168.1.255",  
enter "192.168.1.0" in the Dest. Network field.  
2. Enter the subnet mask of the remote network segment in the Subnet mask field.  
3. Enter the IP address of your router in the Gateway field. This IP address should be in the same  
subnet as the SonicWALL. If your router is located on the SonicWALL LAN, the Gateway address  
should be in the same subnet as the SonicWALL LAN IP Address.  
4. Select the port on the SonicWALL that the router is connected to (the LAN, the WAN, or the
DMZ) from the Link list.
5. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the Web browser window. Restart the SonicWALL for the change to  
take effect.  
Tip The SonicWALL can support up to 128 static route entries.  
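The following Python is an added example, not part of the guide: it applies the Routes tab rules above by deriving the Dest. Network value from a host range as the Tip describes, and by rejecting a gateway that is not in the subnet of the selected link. The interface addresses and the 128-entry limit check are assumptions modelled on the text.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the "Current Network Settings" shown on the Routes
# tab (addresses are assumptions for this example, not a real deployment).
INTERFACES = {
    "LAN": ipaddress.ip_interface("192.168.0.1/255.255.255.0"),
    "WAN": ipaddress.ip_interface("66.120.118.25/255.255.255.0"),
    "DMZ": ipaddress.ip_interface("66.120.118.13/255.255.255.0"),
}
MAX_STATIC_ROUTES = 128  # limit stated in the guide's Tip


@dataclass(frozen=True)
class StaticRoute:
    dest_network: ipaddress.IPv4Network   # Dest. Network + Subnet Mask fields
    gateway: ipaddress.IPv4Address        # Gateway field (the router's address)
    link: str                             # Link list: LAN, WAN or DMZ


def dest_network_from_range(first: str, last: str) -> ipaddress.IPv4Network:
    """Turn a host range such as 192.168.1.1 - 192.168.1.255 into the value to
    type in the Dest. Network and Subnet Mask fields (192.168.1.0/24)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    # Walk from the longest prefix down; the first one that still contains the
    # end of the range is the smallest single network covering both ends.
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise AssertionError("a /0 contains every address; unreachable")


def validate_static_route(dest: str, mask: str, gateway: str, link: str,
                          existing: list) -> StaticRoute:
    """Apply the guide's rules for one Static Route entry and return it."""
    if len(existing) >= MAX_STATIC_ROUTES:
        raise ValueError(f"static route table is full ({MAX_STATIC_ROUTES} entries)")
    if link not in INTERFACES:
        raise ValueError(f"Link must be one of {sorted(INTERFACES)}")
    # strict=True rejects a destination with host bits set under the mask,
    # i.e. it enforces the Tip: enter 192.168.1.0, not 192.168.1.1, for a /24.
    network = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    gw = ipaddress.ip_address(gateway)
    iface = INTERFACES[link]
    # "This IP address should be in the same subnet as the SonicWALL" port the
    # router hangs off; a gateway elsewhere is unreachable and the route is dead.
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not in the {link} subnet {iface.network}")
    if gw == iface.ip:
        raise ValueError("Gateway must be the router's address, not the SonicWALL's")
    for r in existing:
        if r.dest_network == network:
            raise ValueError(f"a route for {network} already exists via {r.gateway}")
    return StaticRoute(network, gw, link)


def check_static_route(dest: str, mask: str, gateway: str, link: str,
                       existing=()) -> str:
    """Convenience wrapper: 'ok' or the error message the UI should show."""
    try:
        validate_static_route(dest, mask, gateway, link, list(existing))
        return "ok"
    except ValueError as exc:
        return str(exc)
```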
LAN Route Advertisement  
Note: This feature is only available on the PRO 100, PRO 200, PRO 230, PRO 300, and PRO 330.  
The SonicWALL uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on  
the network. Changes in the status of VPN tunnels between the SonicWALL and remote VPN  
gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 or RIPv2 based on  
your router’s capabilities or configuration. RIPv1 is an earlier version of the protocol that has fewer  
features, and it also sends packets via broadcast instead of multicast. RIPv2 packets are  
backwards-compatible and can be accepted by some RIPv1 implementations that provide an option  
of listening for multicast packets. The RIPv2 Enabled (broadcast) selection, which broadcasts
packets instead of multicasting them, is for heterogeneous networks with a mixture of RIPv1 and
RIPv2 routers.
Tip There is no route advertisement on the WAN.  
To enable Route Advertisement on the LAN, select one of the following types of RIP Advertisements:  
RIPv1 Enabled - RIPv1 is the first version of Routing Information Protocol.  
RIPv2 Enabled (multicast) - to send route advertisements using multicasting (a single data
packet to specific nodes on the network).
RIPv2 Enabled (broadcast) - to send route advertisements using broadcasting (a single data  
packet to all nodes on the network).  
Multicast destination IP address - sends the packet to a specific group of nodes on the network  
listening for the RIPv2 multicast address of 224.0.0.9.  
Broadcast destination IP address - sends packets to all nodes on the network.  
Advertise Static Routes - If you have static routes configured on the SonicWALL, enable this
feature to exclude them from Route Advertisement.
Route Change Damp Time (seconds) - is the delay between the time a VPN tunnel changes state
(up or down) and the time the change is advertised with RIP. The delay, in seconds, prevents
ambiguous route advertisements sent as a result of a temporary change in a VPN tunnel status.
Enter the value in seconds in the Route Change Damp Time (seconds) field. The default value is
30 seconds. A lower value corresponds with a higher volume of broadcast traffic over the network.
Deleted Route Advertisements - enter the number of advertisements that a deleted route  
broadcasts until it stops in the Deleted Route Advertisements field. The default value is 5.  
Route Metric (1-15) - Enter a value from 1 to 15 in the Route Metric field. This is the number of
routers a packet passes through on its way from the source IP address to the destination IP address.
RIPv2 Route Tag (4 Hex Digits) - If RIPv2 is selected from the Route Advertisements menu, you  
can enter a value for the Route Tag. This value is implementation-dependent and provides a  
mechanism for routers to classify the originators of RIPv2 advertisements. This field is optional.  
RIPv2 Authentication  
You can enable RIPv2 Authentication by selecting the type of authentication from the menu:  
User defined - Enter 4 hex digits in the Authentication Type (4 hex digits) field. Enter 32 hex  
digits in the Authentication Data (32 Hex Digits) field.  
Cleartext Password - Enter a password in the Authentication Password (Max 16 Chars) field. A  
maximum of 16 characters can be used to define a password.  
MD5 Digest - Enter a numerical value from 0-255 in the Authentication Key-Id (0-255) field.
Enter a 32 hex digit value for the Authentication Key (32 hex digits) field, or use the generated key.
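Why the MD5 Digest choice matters, shown as an added example that is not part of the guide: every host on the LAN segment receives the RIP multicasts, and without authentication any of them can send its own, so the digest is what lets a router discard advertisements from a sender that does not hold the key. The code builds and verifies a RIPv2 Response carrying the keyed-MD5 trailer of RFC 2082 using the Key-Id (0-255) and 32-hex-digit key from the fields above; the key, route and sequence number are constructed values, and byte-for-byte agreement with the appliance's own implementation is an assumption.

```python
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_VERSION = 2, 2
AUTH_AFI = 0xFFFF           # address family that marks an authentication entry
AUTH_TYPE_MD5 = 0x0003      # RFC 2082 keyed MD5 ("MD5 Digest" in the menu)
AUTH_TYPE_TRAILER = 0x0001  # marks the 16-byte digest trailer
KEY_LEN = 16                # "Authentication Key (32 hex digits)" = 16 bytes
HEADER_LEN, ENTRY_LEN = 4, 20


def route_entry(prefix: str, mask: str, next_hop: str, metric: int,
                tag: int = 0) -> bytes:
    """One 20-byte RIPv2 RTE: AFI=2 (IP), route tag, prefix, mask, next hop,
    metric (the Route Metric field; 16 means unreachable)."""
    if not 1 <= metric <= 16:
        raise ValueError("RIP metric must be 1..16")
    packed = [ipaddress.IPv4Address(a).packed for a in (prefix, mask, next_hop)]
    return struct.pack("!HH4s4s4sI", 2, tag, *packed, metric)


def build_md5_response(routes: bytes, key_id: int, key_hex: str, seq: int) -> bytes:
    """Sender side: a RIPv2 Response whose routes are bound to the shared key."""
    key = bytes.fromhex(key_hex)
    if len(key) != KEY_LEN or not 0 <= key_id <= 255:
        raise ValueError("need a 32-hex-digit key and a Key-Id in 0..255")
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    # The length field covers header + auth entry + RTEs; the trailer is excluded.
    pkt_len = HEADER_LEN + ENTRY_LEN + len(routes)
    auth_entry = struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_TYPE_MD5, pkt_len,
                             key_id, KEY_LEN, seq)
    trailer_hdr = struct.pack("!HH", AUTH_AFI, AUTH_TYPE_TRAILER)
    body = header + auth_entry + routes + trailer_hdr
    # RFC 2082: digest = MD5(packet through the trailer header || 16-byte key)
    digest = hashlib.md5(body + key).digest()
    return body + digest


def verify_md5_response(packet: bytes, keys: dict, last_seq: int = 0) -> bool:
    """Receiver side: True only if the digest matches the key for the carried
    Key-Id and the sequence number has not gone backwards (replayed update)."""
    if len(packet) < HEADER_LEN + ENTRY_LEN + 4 + KEY_LEN:
        return False
    afi, atype, pkt_len, key_id, data_len, seq = struct.unpack_from(
        "!HHHBBI", packet, HEADER_LEN)
    if (afi, atype, data_len) != (AUTH_AFI, AUTH_TYPE_MD5, KEY_LEN):
        return False
    if pkt_len + 4 + KEY_LEN != len(packet):
        return False
    if packet[pkt_len:pkt_len + 4] != struct.pack("!HH", AUTH_AFI, AUTH_TYPE_TRAILER):
        return False
    if seq < last_seq:
        return False
    key_hex = keys.get(key_id)
    if key_hex is None:
        return False               # unknown Key-Id: drop, never fall back
    expected = hashlib.md5(packet[:pkt_len + 4] + bytes.fromhex(key_hex)).digest()
    return hmac.compare_digest(expected, packet[pkt_len + 4:])


# Constructed demonstration values (not real keys or routes).
DEMO_KEY_ID = 7
DEMO_KEY = "00112233445566778899aabbccddeeff"
DEMO_ROUTES = route_entry("192.168.2.0", "255.255.255.0", "0.0.0.0", 2)


def demo_packet(seq: int = 1) -> bytes:
    return build_md5_response(DEMO_ROUTES, DEMO_KEY_ID, DEMO_KEY, seq)


def demo_tampered(seq: int = 1) -> bytes:
    """Same packet with the advertised metric altered by someone without the key."""
    pkt = bytearray(demo_packet(seq))
    pkt[HEADER_LEN + ENTRY_LEN + 19] ^= 0x01   # last byte of the RTE metric
    return bytes(pkt)
```

A receiver keeps the last accepted sequence number per neighbour; the Cleartext Password choice gives none of this, since the password itself travels in every packet.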
DMZ Route Advertisement  
All of the information and configuration instructions for LAN Route Advertisement apply to DMZ  
Route Advertisement configuration.  
DMZ Addresses  
Note: For the SonicWALL PRO 100, PRO 200, PRO 300, PRO 230, PRO 330, and GX series only  
The SonicWALL provides security by preventing Internet users from accessing machines on the LAN.  
This security, however, also prevents users from reaching public servers, such as Web or e-mail  
servers.  
The SonicWALL offers a special DMZ ("Demilitarized Zone") port that provides Internet access to  
network servers. The DMZ sits between the local network and the Internet. Servers on the DMZ are  
publicly accessible, but they are protected from attacks such as SYN Flood and Ping of Death. Use  
of the DMZ port is optional.  
Tip If you are configuring the SonicWALL SOHO3 or the SonicWALL TELE3, please go to Chapter 8,  
Network Access Rules, for information about setting up publicly accessible servers.  
Using the DMZ is a strongly recommended alternative to placing servers on the WAN port, where they
are not protected, or to setting up Public LAN servers.
Click Advanced on the left side of the browser window, and then click DMZ Addresses.  
Servers on the DMZ must have unique, valid IP addresses in the same subnet as the SonicWALL  
WAN IP Address. Your ISP should be able to provide these IP addresses, as well as information on  
setting up public servers.  
DMZ in Standard Mode  
To configure DMZ Addresses, complete the following instructions.  
1. Enter the starting IP address of your valid IP address range in the From Address field.  
2. Enter the ending IP address of your valid IP address range in the To Address field.  
Alert You can enter an individual IP address in the From Address field only.  
3. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window.  
If you receive an error when you click Update, confirm that the DMZ Address Range does not include  
the SonicWALL WAN IP Address, the WAN Gateway (Router) Address, or any IP addresses assigned  
on the One-to-One NAT or Intranet windows.  
Tip The SonicWALL supports up to 64 DMZ address ranges.  
DMZ in NAT Mode  
The SonicWALL DMZ now has the ability to use private internal IP addresses rather than public IP  
addresses on the network. Since NAT hides the true IP addresses in use on the network, NAT on the  
DMZ is an additional security feature for the SonicWALL. The outside world only sees the outside  
public IP address of the DMZ and not the internal private addresses.  
To configure the DMZ in NAT Mode, use the following instructions:  
1. In the DMZ Private Address field, enter the private internal IP address assigned to the DMZ  
interface.  
2. Assign a subnet mask in the DMZ Subnet Mask field. The LAN and DMZ can have the same  
subnet mask, but the subnets must be different. For instance, the LAN subnet can be  
192.168.0.1 with a subnet mask of 255.255.255.0, and the DMZ subnet can be 172.16.18.1  
with a subnet mask of 255.255.255.0.  
3. If you choose to use DMZ NAT Many to One Public Address (Optional), enter the DMZ public IP  
address which is on the same subnet as the WAN for access to devices on the DMZ interface.  
DMZ NAT Many to One Public Address is only available if your SonicWALL is configured in NAT  
Enabled networking mode.  
Delete a DMZ Address Range  
To delete an address or range, select it in the Address Range list and click Delete. Once the  
SonicWALL has been updated, a message confirming the update is displayed at the bottom of the  
browser window.  
HomePort Configuration  
Note: For SonicWALL TELE3 TZ and TELE3 TZX Only  
Computers connected to your HomePort must be configured to access the Internet through the  
HomePort IP address. The SonicWALL provides security by preventing home users from accessing  
computers on the WorkPort. This security, however, also prevents home users from reaching the  
Internet unless the computers connected to the HomePort are configured to be in the same network  
as the HomePort. First, you must configure the HomePort to use NAT or Standard mode as the  
networking configuration.  
Click Advanced on the left side of the browser window, and then click HomePort.
Computers on the HomePort must have unique, valid IP addresses in the same subnet as the  
SonicWALL WAN IP Address if you select HomePort in Standard mode. Your ISP should be able to  
provide these IP addresses, as well as information on setting up public servers.  
HomePort in Standard Mode  
To configure the HomePort Addresses, complete the following instructions.  
1. Enter the starting IP address of your valid IP address range in the From Address field.  
2. Enter the ending IP address of your valid IP address range in the To Address field.  
Alert You can enter an individual IP address in the From Address field only.  
3. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window.  
If you receive an error when you click Update, confirm that the HomePort Address Range does not  
include the SonicWALL WAN IP Address, the WAN Gateway (Router) Address, or any IP addresses  
assigned on the One-to-One NAT or Intranet windows.  
Tip The SonicWALL supports up to 64 HomePort address ranges.  
Configure the computers on the HomePort with the IP addresses provided by your ISP. Remember
to enter the HomePort IP address as the default gateway IP address.
HomePort in NAT Mode  
The SonicWALL HomePort now has the ability to use private internal IP addresses rather than public  
IP addresses on the network. Since NAT hides the true IP addresses in use on the network, NAT on  
the HomePort is an additional security feature for the SonicWALL. The outside world only sees the  
outside public IP address of the DMZ and not the internal private addresses.  
To configure the HomePort in NAT Mode, use the following instructions:  
1. In the HomePort Private Address field, enter the private internal IP address assigned to the DMZ  
interface. The default address of 172.0.16.1 is appropriate for most networks.  
2. Assign a subnet mask in the HomePort Subnet Mask field. The WorkPort and the HomePort can  
have the same subnet mask, but the subnets (private IP addresses) must be different. For  
instance, the WorkPort subnet can be 192.168.0.1 with a subnet mask of 255.255.255.0, and  
the HomePort subnet can be 172.16.18.1 with a subnet mask of 255.255.255.0.  
3. If you choose to use HomePort NAT Many to One Public Address (Optional), enter the HomePort  
public IP address which is on the same subnet as the WAN for access to devices on the  
HomePort interface. HomePort NAT Many to One Public Address is only available if your  
SonicWALL is configured in NAT Enabled networking mode on the WorkPort.  
Configure your computers connected to the HomePort to reside on the same subnet, i.e. have an IP  
address from the HomePort IP address range, and enter the HomePort IP address as the default  
gateway IP address.  
Delete a HomePort Address Range  
To delete an address or range, select it in the Address Range list and click Delete. Once the  
SonicWALL has been updated, a message confirming the update is displayed at the bottom of the  
browser window.  
One-to-One NAT  
One-to-One NAT maps valid, external addresses to private addresses hidden by NAT. Computers on  
your private LAN are accessed on the Internet at the corresponding public IP addresses.  
You can create a relationship between internal and external addresses by defining internal and  
external address ranges. Once the relationship is defined, the computer with the first IP address of  
the private address range is accessible at the first IP address of the external address range, the  
second computer at the second external IP address, etc.  
To configure One-to-One NAT, complete the following instructions.  
1. Select the Enable One-to-One NAT check box.  
2. Enter the beginning IP address of the private address range being mapped in the Private Range  
Begin field. This is the IP address of the first machine that is accessible from the Internet.  
3. Enter the beginning IP address of the valid address range being mapped in the Public Range  
Begin field. This address should be assigned by your ISP.  
Alert Do not include the SonicWALL WAN IP (NAT Public) Address or the WAN Gateway (Router)  
Address in this range.  
4. Enter the number of public IP addresses that should be mapped to private addresses in the
Range Length field. The range length cannot exceed the number of valid IP addresses. Up to
64 ranges can be added. To map a single address, enter a Range Length of 1.
5. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window. Restart the SonicWALL for changes to take  
effect.  
Alert The One-to-One NAT window maps valid, public IP addresses to private LAN IP addresses. It  
does not allow traffic from the Internet to the private LAN.  
Tip A rule must be created in the Rules section to allow access to LAN servers. After One-to-One NAT  
is configured, create an Allow rule to permit traffic from the Internet to the private IP address(es) on  
the LAN.  
One-to-One NAT Configuration Example  
This example assumes that you have a SonicWALL running in the NAT-enabled mode, with IP  
addresses on the LAN in the range 192.168.1.1 - 192.168.1.254, and a WAN IP address of  
208.1.2.2. Also, you own the IP addresses in the range 208.1.2.1 - 208.1.2.6.  
Alert If you have only one IP address from your ISP, you cannot use One-to-One NAT.  
You have three web servers on the LAN with the IP addresses of 192.168.1.10, 192.168.1.11, and  
192.168.1.12. Each of the servers must have a default gateway pointing to 192.168.1.1, the  
SonicWALL LAN IP address.  
You also have three additional IP addresses from your ISP, 208.1.2.4, 208.1.2.5, and 208.1.2.6,  
that you want to use for three additional web servers. Use the following steps to configure One-to-  
One NAT:  
1. Log into the Management Interface, and click Advanced. Then click the One-to-One NAT tab.  
2. Select Enable One-to-One NAT and click Update.  
3. Type in the IP address, 192.168.1.10, in the Private Range Begin field.  
4. Type in the IP address, 208.1.2.4, in the Public Range Begin field.  
5. Type in 3 in the Range length field.  
Tip You can configure the IP addresses individually, but it is easier to configure them in a range.  
However, the IP addresses on both the private and public sides must be consecutive to configure a  
range of addresses.  
6. Click Update.  
7. Click Access, then the Rules tab.  
8. Click Add New Rule and configure the following settings:  
Allow  
Service - HTTP  
Source - WAN  
Destination - LAN 192.168.1.10 - 192.168.1.12  
Apply this rule - always  
9. Click Update and restart the SonicWALL.  
The server configurations take effect after the SonicWALL restarts and the configuration is updated.  
Requests for http://208.1.2.4 are answered by the server at 192.168.1.10. Requests for  
http://208.1.2.5 are answered by the server at 192.168.1.11, and requests for http://208.1.2.6  
are answered by the server at 192.168.1.12. From the LAN, the servers can only be accessed using
the private IP addresses (192.168.1.x), not the public IP addresses or domain names. For example,
from the LAN, you must use URLs like http://192.168.1.10 to reach the web servers. A LAN IP address,
such as 192.168.1.10, cannot be used both in a Public LAN Server configuration and in a One-to-One
NAT configuration.
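The example above carried through in added Python that is not from the guide: the entry checks (no WAN IP or WAN Gateway address in the public range, Range Length within the ISP-assigned addresses, at most 64 ranges), which are the same checks the DMZ Addresses section asks you to confirm on an Update error, the resulting public-to-private table, and the Alert that the mapping by itself admits nothing until an Allow rule matches. The WAN Gateway address 208.1.2.1 and the simplified rule model are assumptions.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
MAX_RANGES = 64  # limit stated in the guide

# Addresses from the guide's example; the WAN Gateway (.1) is an assumption.
WAN_IP = IPv4("208.1.2.2")
WAN_GATEWAY = IPv4("208.1.2.1")
ISP_FIRST, ISP_LAST = IPv4("208.1.2.1"), IPv4("208.1.2.6")


@dataclass(frozen=True)
class OneToOneRange:
    private_begin: IPv4   # Private Range Begin
    public_begin: IPv4    # Public Range Begin
    length: int           # Range Length

    @property
    def public_last(self) -> IPv4:
        return self.public_begin + (self.length - 1)

    @property
    def private_last(self) -> IPv4:
        return self.private_begin + (self.length - 1)


def _overlaps(a_first, a_last, b_first, b_last) -> bool:
    return a_first <= b_last and b_first <= a_last


def add_range(ranges: list, private_begin: str, public_begin: str,
              length: int) -> list:
    """Validate one One-to-One NAT entry as the Update button would and return
    the new table. Raises ValueError with the reason on a bad entry."""
    if len(ranges) >= MAX_RANGES:
        raise ValueError(f"no more than {MAX_RANGES} ranges can be added")
    if length < 1:
        raise ValueError("Range Length must be at least 1")
    new = OneToOneRange(IPv4(private_begin), IPv4(public_begin), length)
    # The public side must stay inside what the ISP assigned you.
    if not (ISP_FIRST <= new.public_begin and new.public_last <= ISP_LAST):
        raise ValueError("Range Length exceeds the valid IP addresses from your ISP")
    # Alert: never map the WAN IP (NAT Public) Address or the WAN Gateway address.
    for reserved in (WAN_IP, WAN_GATEWAY):
        if new.public_begin <= reserved <= new.public_last:
            raise ValueError(f"{reserved} is the WAN IP or WAN Gateway address")
    for r in ranges:
        if _overlaps(r.public_begin, r.public_last, new.public_begin, new.public_last):
            raise ValueError(f"public range overlaps existing entry {r}")
        if _overlaps(r.private_begin, r.private_last, new.private_begin, new.private_last):
            raise ValueError(f"private range overlaps existing entry {r}")
    return ranges + [new]


def range_error(ranges, private_begin, public_begin, length) -> str:
    """'ok' or the message the Update button should show."""
    try:
        add_range(ranges, private_begin, public_begin, length)
        return "ok"
    except ValueError as exc:
        return str(exc)


def mapping(ranges: list) -> dict:
    """Public -> private table: first public maps to first private, and so on."""
    return {str(r.public_begin + i): str(r.private_begin + i)
            for r in ranges for i in range(r.length)}


@dataclass(frozen=True)
class Rule:
    action: str        # "Allow" or "Deny"
    service_port: int  # 80 for the HTTP service in the example
    dest_first: IPv4   # Destination range on the LAN (private addresses)
    dest_last: IPv4


def inbound_decision(ranges, rules, public_dst: str, port: int) -> str:
    """What happens to a WAN packet: One-to-One NAT rewrites the destination,
    then the Rules decide. With no matching rule the Alert applies: denied."""
    private = mapping(ranges).get(public_dst)
    if private is None:
        return "no mapping"
    dst = IPv4(private)
    for rule in rules:
        if rule.service_port == port and rule.dest_first <= dst <= rule.dest_last:
            return f"{rule.action} -> {private}"
    return "Deny (no rule)"
```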
Ethernet  
The Ethernet tab allows the management of Ethernet settings using the SonicWALL Management  
interface. The tab has the following settings:  
WAN Link Settings  
Enable Bandwidth Management  
DMZ/WorkPort Link Settings  
LAN/HomePort Link Settings  
Proxy Management workstation Ethernet Address on WAN  
MTU Settings  
The default selection for all of the link settings is Auto Negotiate because the Ethernet links  
automatically negotiate the speed and duplex mode of the Ethernet connection. The other choice,  
Force, with lists for speed and duplex, should be used only if your Ethernet card also forces these  
settings. You must force from both sides of your connection to enable this setting.  
WAN Link Settings  
Specifies the speed and duplex mode of the Ethernet connection to the WAN link. The default  
selection is Auto Negotiate because the Ethernet links automatically negotiate the speed and  
duplex mode of the Ethernet connection. The other choice, Force, with lists for speed and duplex,  
should be used only if your Ethernet card also forces these settings. You must force from both sides  
of your connection to enable this setting.  
Enable Bandwidth Management  
To enable Bandwidth Management on the SonicWALL, you must know the current bandwidth of your
connection. Once you have this figure, you can select Enable Bandwidth Management on the
Advanced/Ethernet page, and then enter the amount of available WAN bandwidth in Kbps. Click
Update to apply the changes to the SonicWALL. Now that you have enabled Bandwidth
Management, you can begin configuring Rules to use bandwidth management.
See Bandwidth Management at the end of this section for more information on SonicWALL's
Bandwidth Management features.
TIP! Traffic inbound from the WAN to the LAN/DMZ based on a Rule using bandwidth management  
is allowed as if there is no bandwidth management in place. However, outbound traffic (reply  
packets) for traffic associated with an inbound Rule is managed based on the configuration for that  
Rule.  
DMZ/WorkPort Link Settings  
Specifies the speed and duplex mode of the Ethernet connection to the DMZ/WorkPort link. The  
default selection is Auto Negotiate because the Ethernet links automatically negotiate the speed  
and duplex mode of the Ethernet connection. The other choice, Force, with lists for speed and  
duplex, should be used only if your Ethernet card also forces these settings. You must force from  
both sides of your connection to enable this setting.  
LAN/HomePort Link Settings  
Specifies the speed and duplex mode of the Ethernet connection to the LAN or HomePort link. The  
default selection is Auto Negotiate because the Ethernet links automatically negotiate the speed  
and duplex mode of the Ethernet connection. The other choice, Force, with lists for speed and  
duplex, should be used only if your Ethernet card also forces these settings. You must force from  
both sides of your connection to enable this setting.  
Proxy Management workstation Ethernet address on WAN
If you are managing the Ethernet connection from the LAN side of your network, this check box can
be selected. The SonicWALL appliance takes the Ethernet address of the computer managing the
SonicWALL appliance and proxies that address onto the WAN port of the SonicWALL. If you are not
managing the SonicWALL appliance from the LAN side, the firmware looks for a random computer
on the LAN, which creates a lengthy search process.
MTU Settings  
A network administrator may set the MTU (Maximum Transmission Unit) allowed over a packet- or
frame-based network such as TCP/IP. If the MTU size is too large, more transmissions may be
needed when the packet encounters a router unable to handle a larger packet. If the packet size is
too small, the result can be more packet header overhead and more acknowledgements that have
to be sent and processed.
The default value is 1500 octets, based on the Ethernet standard MTU. The minimum value that can
be set is 68. Decreasing the packet size may improve the performance of the network.
SonicWALL Bandwidth Management  
Bandwidth management is a means of allocating bandwidth resources to critical applications on a  
network. By controlling the amount of bandwidth to an application or user, the network  
administrator can reduce network traffic congestion, prevent a small number of users from  
consuming all available bandwidth, or allow priority applications to run smoothly.  
Bandwidth management works by allocating traffic to a class based upon application type, source  
or destination addresses, or a combination of both. Traffic is then scheduled according to minimum  
and maximum bandwidth configured for each traffic type.  
Bandwidth Management is controlled by the SonicWALL Internet Security Appliance on outbound  
traffic only. It is activated in the Ethernet tab. Configuring Bandwidth Management is handled in the  
Rules tab of the Access section, which allows you to manage outgoing traffic according to TCP/IP or  
UDP ports, services (FTP, HTTP, E-mail, SIP, etc.) and source and destination IP addresses. VPN  
traffic can also be managed by enabling bandwidth management on the VPN Configure tab, and
then specifying the Guaranteed bandwidth, Maximum bandwidth, and priority of all VPN traffic
through the SonicWALL.
Alert Bandwidth management cannot be configured for individual VPN Security Associations. It can  
only be configured for all VPN traffic.  
How SonicWALL Bandwidth Management Works  
SonicWALL Bandwidth Management can assign a portion of the available bandwidth and a priority  
to each class of network traffic. Priorities rank from 0 (zero), highest, to 7, lowest. Defining a class  
of traffic that has 0 bandwidth allocated to it effectively blocks the traffic unless there is no other  
traffic with higher priority on the network.  
The packet classifier analyzes a packet when it arrives for its packet protocol, source information,  
and destination information. It then allocates the packet to a class queue where it waits to be  
processed. If the queue is full, the packet is dropped. Normal retransmission of data ensures that  
the packet is sent again.  
Class queues are processed based on the amount of bandwidth allocated (guaranteed and  
maximum), and the priority assigned to the class queue. Within the class queue, packets are  
processed on a first-in, first-out basis. When network traffic reaches the maximum allocated to the  
class, packets from the next class in priority order are processed.  
Typically, each class is allocated a portion of the available bandwidth, and when that limit is  
reached, no more traffic for that particular class is forwarded. But if there is available bandwidth on  
the network that is not in use by a particular class, a class can temporarily borrow bandwidth and  
send traffic until the maximum bandwidth allocated to the class is reached.  
Spare bandwidth is allocated among the highest priority classes until no more bandwidth is
available or until all of those classes have reached their maximum bandwidth. If this happens, the
remainder of the bandwidth is divided among the next priority classes. This process is repeated until
all of the available bandwidth is consumed.
[Figure: Bandwidth Management Schema]
Examples of Bandwidth Management Rules
Rule    Service   Priority   Guaranteed   Maximum
Allow   SMTP      0          300 Kbps     1000 Kbps
Allow   FTP       1          100 Kbps     200 Kbps
Allow   HTTP      2          100 Kbps     200 Kbps
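To make the scheduling description concrete, here is an added Python model (not SonicWALL code) of the allocation rule: each class first receives up to its Guaranteed figure, then spare link capacity is lent out strictly in priority order and never past a class's Maximum, which is also how a class with Guaranteed 0 ends up blocked whenever higher-priority traffic is present. It uses the three Rules in the table; the WAN bandwidth figure and the offered loads are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficClass:
    name: str         # Service the Rule matches
    priority: int     # 0 = highest ... 7 = lowest
    guaranteed: int   # Kbps always reserved for the class
    maximum: int      # Kbps the class may reach by borrowing spare bandwidth


# The three Rules from the table above.
TABLE_RULES = [
    TrafficClass("SMTP", 0, 300, 1000),
    TrafficClass("FTP", 1, 100, 200),
    TrafficClass("HTTP", 2, 100, 200),
]


def allocate(classes: list, demand: dict, link_kbps: int) -> dict:
    """Kbps each class actually gets for one scheduling interval.

    demand: offered (queued) load per class in Kbps; link_kbps: the WAN
    bandwidth figure entered when enabling Bandwidth Management."""
    if any(c.guaranteed > c.maximum or c.priority not in range(8) for c in classes):
        raise ValueError("Guaranteed must not exceed Maximum; priority is 0-7")
    if sum(c.guaranteed for c in classes) > link_kbps:
        raise ValueError("guaranteed bandwidth exceeds the available WAN bandwidth")
    # Step 1: the guaranteed share, but never more than the class has to send.
    alloc = {c.name: min(demand.get(c.name, 0), c.guaranteed) for c in classes}
    spare = link_kbps - sum(alloc.values())
    # Step 2: lend the spare to the highest-priority classes first; classes of
    # equal priority share it evenly; move down a level only when that level
    # is satisfied or every class in it has reached its Maximum.
    for prio in sorted({c.priority for c in classes}):
        level = [c for c in classes if c.priority == prio]
        while spare > 0:
            room = {c.name: min(demand.get(c.name, 0), c.maximum) - alloc[c.name]
                    for c in level}
            eligible = [n for n, r in room.items() if r > 0]
            if not eligible:
                break
            share = max(spare // len(eligible), 1)   # integer Kbps, always >= 1
            for name in eligible:
                take = min(share, room[name], spare)
                alloc[name] += take
                spare -= take
        if spare <= 0:
            break
    return alloc


def blocked(classes, demand, link_kbps) -> list:
    """Classes that offered traffic and received nothing: with Guaranteed 0 this
    is the 'effectively blocks the traffic' case described in the text."""
    got = allocate(classes, demand, link_kbps)
    return [n for n, d in demand.items() if d > 0 and got.get(n, 0) == 0]
```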
12 DHCP Server  
This chapter describes the configuration of the SonicWALL DHCP Server.  
DHCP, Dynamic Host Configuration Protocol, is a method to distribute TCP/IP settings from a  
centralized server to computers on a network.  
The SonicWALL DHCP Server distributes IP addresses, gateway addresses and DNS server  
addresses to the computers on your LAN. To access the SonicWALL DHCP Setup window, click DHCP  
on the left side of the browser window. There are three tabs in the DHCP section:  
Setup  
DHCP over VPN  
Status  
Setup  
Disable DHCP Server is the default setting in the SonicWALL.  
Allow DHCP Pass Through in Standard Mode  
Network administrators can have a DHCP server located outside the SonicWALL Internet Security  
appliance. To enable this feature in the SonicWALL appliance, follow these steps:  
1. Click DHCP on the management interface. On the Setup tab, select Disable DHCP Server.  
2. Select the Allow DHCP Pass Through check box.  
Configuring the SonicWALL DHCP Server  
To configure the SonicWALL DHCP server for the LAN, complete the following instructions.  
1. Select Enable DHCP Server.
Alert Make sure there are no other DHCP servers on the LAN before you enable the DHCP server.  
2. Enter the maximum length of the DHCP lease in the Lease Time field. The Lease Time  
determines how often the DHCP Server renews IP leases. The default Lease Time is 60 minutes.  
The length of time can range from 1 to 9999 minutes.  
3. If configuring the DHCP server for the LAN, enter the gateway address used by LAN computers to
access the Internet in the LAN Default Gateway field. Enter the SonicWALL LAN IP Address if NAT
is enabled.
4. Enter the domain name registered for your network in the Domain Name field. An example of a  
domain name is "your-domain.com". If you do not have a domain name, leave this field blank.  
5. Select Set DNS Servers using the SonicWALL Network settings to use the DNS servers that you  
specified in the SonicWALL Network section.  
If you want to use different DNS servers than the ones specified in the SonicWALL Network section,  
then select Specify Manually. Enter your DNS Server addresses in the DNS Server 1, DNS Server 2,  
and DNS Server 3 fields. The DNS servers are used by computers on your LAN to resolve domain  
names to IP addresses. You can enter only one DNS Server address, but multiple DNS entries  
improve performance and reliability.  
6. Enter your WINS Server address(es) in the WINS Server 1 and WINS Server 2 fields. WINS  
Servers resolve Windows-based computer names to IP addresses. If you do not have a WINS  
server, leave these fields blank.  
7. Dynamic Ranges are the ranges of IP addresses dynamically assigned by the DHCP server. The  
Dynamic Ranges should be in the same subnet as the SonicWALL LAN IP Address.  
8. Enter the beginning IP address of your LAN IP address range in the Range Start field. Enter the  
ending IP address in the Range End field. Select the Allow BootP clients to use range check box  
if you want BootP clients to receive IP leases. Then click Update. When the SonicWALL has been  
updated, a message confirming the update is displayed at the bottom of the browser window.  
Continue this process until you have added all the desired dynamic ranges.  
Alert The DHCP Server does not assign an IP address from the dynamic range if the address is  
already being used by a computer on your LAN.  
9. The DHCP Server can also assign Static Entries, or static IP addresses, to computers on the LAN.  
Static IP addresses should be assigned to servers that require permanent IP settings. Enter the  
IP address assigned to your computer or server in the Static IP Address field.  
10. Enter the Ethernet (MAC) address of your computer or server in the Ethernet Address field. Then  
click Update. When the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of your Web browser window. Continue this process until you have  
added all the desired static entries.  
Tip The SonicWALL DHCP server can assign a total of 254 dynamic and static IP addresses.  
Deleting Dynamic Ranges and Static Entries  
To remove a range of addresses from the dynamic pool, select it from the list of dynamic ranges,  
and click Delete Range. When the range has been deleted, a message confirming the update is  
displayed at the bottom of the browser window.  
To remove a static address, select it from the list of static entries and click Delete Static. When  
the static entry has been deleted, a message confirming the update is displayed at the bottom  
of the browser window.  
DHCP over VPN  
DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL to obtain an IP address lease from a
DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have  
all VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing  
in one IP subnet address space. This facilitates IP address administration for the networks using  
VPN tunnels.  
DHCP Relay Mode  
The SonicWALL appliances at the remote and central sites are configured with VPN tunnels for initial  
DHCP traffic as well as subsequent IP traffic between the sites. The SonicWALL at the remote site  
(Remote Gateway) passes DHCP broadcast packets through its VPN tunnel. The SonicWALL at the  
central site (Central Gateway) relays DHCP packets from the client on the remote network to the  
DHCP server on the central site.  
Configuring the Central Gateway for VPN over DHCP  
To configure DHCP over VPN for the Central Gateway, use the following steps:  
1. Log into the Management interface, click DHCP, and then DHCP over VPN.  
2. Select Central Gateway from the DHCP Relay Mode menu.  
3. If you want to send DHCP requests to specific servers, enable the Send DHCP requests to the  
server addresses listed below check box. Enter the IP addresses of DHCP servers in the Add  
DHCP Server field, and click Update. The SonicWALL now directs DHCP requests to the specified  
servers.  
4. To delete DHCP servers, click on the IP address of the DHCP server, and click Delete DHCP  
Server. The server is removed from the list of DHCP servers.  
5. To complete the configuration, go to VPN and click Configure.  
6. Select Destination network obtains IP addresses using DHCP through this SA in the Destination  
Networks section. Click Update.  
Configuring the Remote Gateway for VPN over DHCP  
To configure the SonicWALL as a Remote Gateway, use the following steps:  
1. Log into the Management interface, click DHCP, and then DHCP over VPN.  
2. Select Remote Gateway from the DHCP Relay Mode menu.  
LAN IP Addresses  
3. Select the VPN Security Association to be used for the VPN tunnel from the Obtain using DHCP  
through this SA menu.  
Alert Only VPN Security Associations using IKE can be used as VPN tunnels for DHCP.  
4. The Relay IP address is a static IP address from the pool of specific IP addresses on the Central  
Gateway. It should not be available in the scope of DHCP addresses. The SonicWALL can also  
be managed through the Relay IP address.  
5. If you enable Block traffic through tunnel when IP spoof detected, the SonicWALL blocks any  
traffic across the VPN tunnel that is spoofing an authenticated user’s IP address. If you have  
any static devices, however, you must ensure that the correct Ethernet address is entered for  
the device. The Ethernet address is used as part of the identification process, and an incorrect  
Ethernet address can cause the SonicWALL to respond to IP spoofs.  
6. If the VPN tunnel is disrupted, temporary DHCP leases can be obtained from the local DHCP  
server. Once the tunnel is again active, the local DHCP server stops issuing leases. Enable the  
Obtain temporary lease from local DHCP server if tunnel is down check box. By enabling this  
check box, you have a failover option in case the tunnel ceases to function. If you want to allow  
temporary leases for a certain time period, enter the number of minutes for the temporary lease  
in the Temporary Lease Time box. The default value is two (2) minutes.  
LAN Device Configuration  
7. To configure Static Devices on the LAN, enter the IP address of the device in the IP Address field  
and then enter the Ethernet Address of the device in the Ethernet Address field. An example of  
a static device is a printer as it cannot obtain an IP lease dynamically. If you do not have Block  
traffic through tunnel when IP spoof detected enabled, it is not necessary to enter the Ethernet  
address of a device.  
8. You must exclude the Static IP addresses from the pool of available IP addresses on the DHCP  
server so that the DHCP server does not assign these addresses to DHCP clients. You should  
also exclude the IP address used as the Relay IP Address. It is recommended to reserve a block  
of IP addresses to use as Relay IP addresses.  
9. Select LAN Devices not allowed to obtain IP through SA if there are devices on the LAN that you  
do not want to obtain IP addresses through the VPN tunnel, such as children’s computers. You  
must know the Ethernet address of the device to configure this setting. The Ethernet address  
of a device can be determined by typing ipconfig /all into a Command Prompt window.  
Alert You must configure the local DHCP server on the remote SonicWALL to assign IP leases to  
these computers.  
Alert If a remote site has trouble connecting to a central gateway and obtaining a lease, verify that  
Deterministic Network Enhancer (DNE) is not enabled on the remote computer.  
Tip If a static LAN IP address is outside of the DHCP scope, routing is possible to this IP, i.e. two  
LANs.  
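A consistency check for the rules in the steps above (static entries and the Relay IP excluded from the dynamic pool, ranges inside the LAN subnet, a valid Ethernet address for every static device, and the 254-address limit), written as an added example in Python. It is not SonicWALL code; the DhcpConfig structure, the addresses and the Ethernet addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_LEASES = 254  # the guide's stated ceiling for dynamic plus static addresses
# Ethernet address as 12 hex digits, optionally separated by ':' or '-'
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}$")


@dataclass
class DhcpConfig:  # constructed representation of the DHCP pages, not a SonicWALL format
    lan_ip: str                                  # appliance LAN address with prefix, e.g. "192.168.168.168/24"
    dynamic_ranges: List[Tuple[str, str]]        # (Range Start, Range End) pairs
    static_entries: Dict[str, str] = field(default_factory=dict)  # Static IP -> Ethernet address
    relay_ip: Optional[str] = None               # Relay IP used by a DHCP over VPN remote gateway


def check_dhcp_config(cfg: DhcpConfig) -> List[str]:
    """Return the rule violations found; an empty list means the configuration is consistent."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(cfg.lan_ip)
    subnet = iface.network
    pool: Dict[ipaddress.IPv4Address, str] = {}  # every dynamically assignable address -> its range label

    for start, end in cfg.dynamic_ranges:
        label = f"{start}-{end}"
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s > e:
            problems.append(f"dynamic range {label}: start is after end")
            continue
        if s not in subnet or e not in subnet:  # ranges must be in the same subnet as the LAN IP
            problems.append(f"dynamic range {label}: not inside LAN subnet {subnet}")
            continue
        for n in range(int(s), int(e) + 1):
            addr = ipaddress.ip_address(n)
            if addr in pool:  # two ranges handing out the same address
                problems.append(f"dynamic range {label}: overlaps {pool[addr]} at {addr}")
                break
            pool[addr] = label

    if iface.ip in pool:
        problems.append(f"LAN IP {iface.ip} lies inside dynamic range {pool[iface.ip]}")

    for ip, mac in cfg.static_entries.items():
        addr = ipaddress.ip_address(ip)
        if addr in pool:  # step 8: static addresses must be excluded from the dynamic pool
            problems.append(f"static entry {ip}: must be excluded from dynamic range {pool[addr]}")
        if not MAC_RE.match(mac):  # the Ethernet address is part of the spoof-detection identity
            problems.append(f"static entry {ip}: Ethernet address {mac!r} is not a valid MAC")

    if cfg.relay_ip:
        relay = ipaddress.ip_address(cfg.relay_ip)
        if relay in pool:  # step 4 and step 8: the Relay IP must not be in the DHCP scope
            problems.append(f"Relay IP {relay}: must be excluded from dynamic range {pool[relay]}")

    total = len(pool) + len(cfg.static_entries)
    if total > MAX_LEASES:
        problems.append(f"{total} addresses configured, but the server supports at most {MAX_LEASES}")
    return problems


if __name__ == "__main__":
    # constructed example: static entry and Relay IP both sit inside the dynamic range
    cfg = DhcpConfig("192.168.168.168/24", [("192.168.168.10", "192.168.168.200")],
                     {"192.168.168.50": "00:40:10:AA:BB:CC"}, relay_ip="192.168.168.100")
    for problem in check_dhcp_config(cfg):
        print(problem)
```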
DHCP Status  
A Status page is now available to review DHCP Server Status and DHCP over VPN Status. The DHCP  
Server Status section reports the number of Current, Available Dynamic, Available Static leases as  
well as the Total leases. The DHCP over VPN Status section reports the number of Current Dynamic,  
Current Static, and the Total leases. Click the Status tab.  
The scrolling window shows the details on the current bindings: IP and MAC address of the bindings,  
along with the type of binding (Dynamic, Dynamic BootP, or Static BootP).  
To delete a binding, which frees the IP address in the DHCP server, select the binding from the list,  
and then click Delete Binding. The operation takes a few seconds to complete. Once completed, a  
message confirming the update is displayed at the bottom of the Web browser window.  
Click Refresh to reload the list of bindings. This can be necessary because Web pages are not  
automatically refreshed, and new bindings can have been issued since the page was first loaded.  
DHCP Server on the SonicWALL TELE3 TZ and TZX  
This section explains the configuration of the SonicWALL DHCP Server on the SonicWALL TELE3 TZ  
and TZX. DHCP, Dynamic Host Configuration Protocol, is a method to distribute TCP/IP settings from  
a centralized server to computers on a network.  
The SonicWALL DHCP Server distributes IP addresses, gateway addresses and DNS server  
addresses to the computers on your WorkPort or your HomePort. To access the SonicWALL DHCP  
Setup window, click DHCP on the left side of the browser window. There are three tabs in the DHCP  
section:  
Setup  
DHCP over VPN  
Status  
Setup  
Disable DHCP Server is the default setting in the SonicWALL.  
Allow DHCP Pass Through in Standard Mode  
Network administrators can have a DHCP server located outside the SonicWALL Internet Security  
appliance. To enable this feature in the SonicWALL appliance, follow these steps:  
1. Click DHCP on the management interface. On the Setup tab, select Disable DHCP Server.  
2. Select the Allow DHCP Pass Through check box.  
Configuring the SonicWALL DHCP Server  
To configure the SonicWALL DHCP server for the WorkPort, the HomePort, or both, complete the  
following instructions.  
1. Select Enable DHCP Server.  
Alert Make sure there are no other DHCP servers on the WorkPort or HomePort before you enable  
the DHCP server.  
2. Enter the maximum length of the DHCP lease in the Lease Time field. The Lease Time  
determines how often the DHCP Server renews IP leases. The default Lease Time is 60 minutes.  
The length of time can range from 1 to 9999 minutes.  
3. If configuring DHCP server for the WorkPort, enter the gateway address used by WorkPort  
computers to access the Internet in the WorkPort Default Gateway field. Enter the SonicWALL  
WorkPort IP Address if NAT is enabled.  
4. If configuring DHCP server for the HomePort, enter the gateway address used by HomePort  
computers to access the Internet in the HomePort Default Gateway field. Enter the SonicWALL  
HomePort IP Address if NAT is enabled.  
5. Enter the domain name registered for your network in the Domain Name field. An example of a  
domain name is "your-domain.com". If you do not have a domain name, leave this field blank.  
6. Select Set DNS Servers using the SonicWALL Network settings to use the DNS servers that you  
specified in the SonicWALL Network section.  
If you want to use different DNS servers than the ones specified in the SonicWALL Network section,  
then select Specify Manually. Enter your DNS Server addresses in the DNS Server 1, DNS Server 2,  
and DNS Server 3 fields. The DNS servers are used by computers on your WorkPort to resolve  
domain names to IP addresses. You need to enter only one DNS Server address, but multiple DNS  
entries improve performance and reliability.  
7. Enter your WINS Server address(es) in the WINS Server 1 and WINS Server 2 fields. WINS  
Servers resolve Windows-based computer names to IP addresses. If you do not have a WINS  
server, leave these fields blank.  
8. Dynamic Ranges are the ranges of IP addresses dynamically assigned by the DHCP server. The  
Dynamic Ranges should be in the same subnet as the SonicWALL WorkPort IP Address.  
9. Enter the beginning IP address of your WorkPort IP address range in the Range Start field. Enter  
the ending IP address in the Range End field. Select the Allow BootP clients to use range check  
box if you want BootP clients to receive IP leases. Then click Update. When the SonicWALL has  
been updated, a message confirming the update is displayed at the bottom of the browser  
window. Continue this process until you have added all the desired dynamic ranges.  
10. Enter the beginning IP address of your HomePort IP address range in the Range Start field. Enter  
the ending IP address in the Range End field. Select the Allow BootP clients to use range check  
box if you want BootP clients to receive IP leases. Then click Update. When the SonicWALL has  
been updated, a message confirming the update is displayed at the bottom of the browser  
window. Continue this process until you have added all the desired dynamic ranges.  
Tip The DHCP Server does not assign an IP address from the dynamic range if the address is already  
being used by a computer on your WorkPort.  
11. The DHCP Server can also assign Static Entries, or static IP addresses, to computers on the LAN.  
Static IP addresses should be assigned to servers that require permanent IP settings. Enter the  
IP address assigned to your computer or server in the Static IP Address field.  
12. Enter the Ethernet (MAC) address of your computer or server in the Ethernet Address field. Then  
click Update. When the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of your Web browser window. Continue this process until you have  
added all the desired static entries.  
Tip The SonicWALL DHCP server can assign a total of 254 dynamic and static IP addresses.  
Deleting Dynamic Ranges and Static Entries  
To remove a range of addresses from the dynamic pool, select it from the list of dynamic ranges,  
and click Delete Range. When the range has been deleted, a message confirming the update is  
displayed at the bottom of the browser window.  
To remove a static address, select it from the list of static entries and click Delete Static. When  
the static entry has been deleted, a message confirming the update is displayed at the bottom  
of the browser window.  
DHCP Status  
A Status page is available to review DHCP Server Status and DHCP over VPN Status. The DHCP  
Server Status section reports the number of Current, Available Dynamic, Available Static leases as  
well as the Total leases. The DHCP over VPN Status section reports the number of Current Dynamic,  
Current Static, and the Total leases.  
Click the Status tab.  
The scrolling window shows the details on the current bindings: IP and MAC address of the bindings,  
along with the type of binding (Dynamic, Dynamic BootP, or Static BootP).  
To delete a binding, which frees the IP address in the DHCP server, select the binding from the list,  
and then click Delete Binding. The operation takes a few seconds to complete. Once completed, a  
message confirming the update is displayed at the bottom of the Web browser window.  
Click Refresh to reload the list of bindings. This can be necessary because Web pages are not  
automatically refreshed, and new bindings can have been issued since the page was first loaded.  
13 SonicWALL VPN  
SonicWALL VPN provides secure, encrypted communication to business partners and remote  
offices at a fraction of the cost of dedicated leased lines. Using the SonicWALL intuitive Web  
Management Interface, you can quickly create a VPN Security Association to a remote site.  
Whenever data is intended for the remote site, the SonicWALL automatically encrypts the data and  
sends it over the Internet to the remote site, where it is decrypted and forwarded to the intended  
destination.  
SonicWALL VPN is based on the industry-standard IPSec VPN implementation, so it is interoperable  
with other VPN products, such as Check Point FireWall-1 and Axent Raptor.  
This chapter is organized into the following sections:  
SonicWALL VPN Management Interface - Describes the available settings for configuring and  
managing VPN on SonicWALL Internet Security Appliances.  
Group VPN Configuration for the SonicWALL and VPN Client - Demonstrates the configuration  
of SonicWALL Group VPN settings on the SonicWALL Internet Security Appliance and VPN Client  
using the Group VPN Security Association.  
Manual Key Configuration for the SonicWALL and VPN Client - Explains the configuration of a  
SonicWALL appliance and a VPN client using the Manual Key Security Association.  
IKE and Manual Key Configuration for Two SonicWALLs - Describes VPN configuration between  
two SonicWALL VPN gateways in Manual Key and IKE modes.  
SonicWALL Third Party Digital Certificate Support - Explains setting up SonicWALLs for  
digital certificates from VeriSign and Entrust.  
SonicWALL Enhanced VPN Logging - Describes logging settings for both the SonicWALL appliance  
and the VPN client for troubleshooting VPN problems.  
Testing a VPN Tunnel Connection - Provides directions for testing a VPN tunnel configuration by  
using "ping" to send data packets to a remote computer.  
Configuring Windows Networking - Explains how to configure computers for Windows Networking  
to enable VPN users to browse the remote network using Network Neighborhood.  
VPN Management Interface  
Summary Tab  
The Summary tab has four sections: Global VPN Settings, VPN Bandwidth Management, VPN  
Policies, and Currently Active VPN tunnels.  
Global VPN Settings  
The Global VPN Settings section displays the following information:  
Unique Firewall Identifier - the default value is the serial number of the SonicWALL appliance.  
You can change the Identifier, and use it for configuring VPN tunnels.  
Enable VPN - must be selected to allow VPN security associations.  
Disable all VPN Windows Networking (NetBIOS) broadcast - also selected. This check box disables  
NetBIOS broadcasts for every Security Association configuration.  
Enable Fragmented Packet Handling - if the VPN log report shows the log message "Fragmented  
IPSec packet dropped", select this feature. Do not select it until the VPN tunnel is established  
and in operation.  
Enable NAT Traversal - select if a NAT device is located between your VPN endpoints.  
See page 177 for more information on SonicWALL NAT Traversal Support.  
Keep Alive Interval (seconds) - the default value is 240 seconds (4 minutes). If Enable Keep  
Alive is selected on the Advanced Settings window, this is the interval of time between  
“heartbeats.”  
Enable IKE Dead peer detection - select if you want inactive VPN tunnels to be dropped by the  
SonicWALL. Enter the number of seconds between “heartbeats” in the Dead peer detection  
Interval (seconds) field. The default value is 60 seconds. Enter the number of missed heartbeats  
in the Failure Trigger Level (missed heartbeats) field. The default value is 3. If the trigger level  
is reached, the VPN connection is dropped by the SonicWALL. The SonicWALL uses a UDP  
packet protected by Phase 1 Encryption as the heartbeat.  
VPN Bandwidth Management  
You can allocate bandwidth to all outbound VPN traffic. To enable VPN Bandwidth Management,  
select Enable VPN Bandwidth Management, and enter the amount of bandwidth in Kbps for VPN  
guaranteed bandwidth and VPN maximum bandwidth. Select VPN bandwidth priority from the VPN  
bandwidth priority menu, 0 (highest) to 7 (lowest).  
Tip Bandwidth management is available only on outbound VPN traffic. You cannot configure  
individual Security Associations to use bandwidth management.  
VPN Policies  
This section displays all of the VPN configurations in the SonicWALL appliance. If you click the name  
of the security association, the security association settings are displayed. The Security Association,  
Group VPN, is a default setting.  
Currently Active VPN Tunnels  
A list of currently active VPN tunnels is displayed in this section. The table lists the name of the SA,  
the local LAN IP addresses, and the remote destination network IP addresses as well as the Peer  
Gateway IP address.  
SonicWALL NAT Traversal Support  
VPN NAT Traversal is an Internet Draft proposed to IETF (Internet Engineering Task Force) to  
overcome problems faced when IPSec traffic is intended to pass through a NAT device. NAT  
Traversal addresses the issue of UDP (User Datagram Protocol) encapsulation by wrapping an IPSec  
packet inside a UDP packet when a NAT or NAPT (Network Address Port Translator) device is  
detected between peers.  
Encapsulation of the IPSec packet requires decapsulation of the IPSec packet. Since ESP-protected  
packets are exchanged between IKE peers using one of three methods, gateway to gateway, client  
to gateway, and client to client, the IKE peers must support the same method of UDP encapsulation.  
IKE peers exchange a known value to determine if they both support NAT Traversal. If the IKE peers  
agree, IKE probes or discovery payloads are used to determine if a NAT or NAPT device is present.  
UDP encapsulation is used for IPSec packets only if a NAT or NAPT device is detected.  
NAT/NAPT devices use dynamic mappings where a private IP address and source port  
(192.168.168.168:X) are temporarily bound to a shared public IP address and an unused port  
(207.126.101.100:Y). This binding is dissolved after a period of inactivity (minutes or seconds),  
enabling pool reuse.  
IPSec VPNs protect traffic exchanged between authenticated endpoints, but authenticated  
endpoints cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to  
preserve a dynamic NAT binding for the life of an IPSec session, a 1-byte UDP packet is designated  
as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by the VPN device behind the NAT or  
NAPT device. The “keepalive” is silently discarded by the IPSec peer.  
Selecting Enable NAT Traversal in the Global VPN Settings section of the Summary tab allows VPN  
tunnels to support this protocol, and log messages are generated by the SonicWALL when an IPSec  
Security Gateway is detected behind a NAT/NAPT device. The following log messages are found on  
the View Log tab:  
Peer IPSec Gateway behind a NAT/NAPT device  
Local IPSec Security Gateway behind a NAT/NAPT device  
No NAT/NAPT device detected between IPSec Security  
Peer IPSec Security Gateway doesn’t support VPN NAT Traversal  
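An added example, not SonicWALL code, that classifies datagrams captured on UDP port 4500 and reports, per source address, which side is sending the one-byte keepalive described above, i.e. which peer sits behind the NAT/NAPT device, plus any ESP sequence number that failed to increase. The framing constants (a single 0xFF octet for the keepalive, a four-zero-byte non-ESP marker in front of IKE) come from RFC 3948 and RFC 3947 rather than from the guide, and the addresses and packets are constructed.

```python
import struct
from typing import Dict, List, Tuple

# Framing on UDP/4500 per RFC 3948 (UDP-encapsulated ESP) and RFC 3947 (IKE NAT-T);
# these constants are not stated in the guide.
NAT_KEEPALIVE = b"\xff"                    # the guide's "1-byte UDP" heartbeat
NON_ESP_MARKER = b"\x00\x00\x00\x00"       # prefix that distinguishes IKE from ESP on port 4500
IKE_HDR = struct.Struct("!8s8sBBBBII")     # cookies, next payload, version, exchange type, flags, msg id, length
IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}


def classify_udp4500(payload: bytes) -> Dict[str, object]:
    """Classify one UDP/4500 payload as keepalive, IKE, UDP-encapsulated ESP, or unknown."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER) and len(payload) >= 4 + IKE_HDR.size:
        _i, _r, _np, version, xtype, _flags, msg_id, length = IKE_HDR.unpack_from(payload, 4)
        return {"kind": "ike", "version": (version >> 4, version & 0x0F),
                "exchange": IKEV1_EXCHANGES.get(xtype, f"type {xtype}"),
                "msg_id": msg_id, "length": length}
    if len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload, 0)
        if spi != 0:  # an ESP header starts with a non-zero SPI followed by the sequence number
            return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown", "length": len(payload)}


def summarize_peers(datagrams: List[Tuple[str, str, bytes]]) -> Dict[str, dict]:
    """Per source address: what it sent, whether it is the side behind NAT (it is the one
    sending keepalives, per the guide), and how many ESP sequence numbers failed to increase."""
    peers: Dict[str, dict] = {}
    for src, _dst, payload in datagrams:
        p = peers.setdefault(src, {"keepalives": 0, "ike_exchanges": [], "esp_spis": set(),
                                   "last_seq": {}, "replay_suspect": 0, "unknown": 0})
        info = classify_udp4500(payload)
        if info["kind"] == "keepalive":
            p["keepalives"] += 1
        elif info["kind"] == "ike":
            p["ike_exchanges"].append(info["exchange"])
        elif info["kind"] == "esp":
            spi, seq = info["spi"], info["seq"]
            p["esp_spis"].add(spi)
            if seq <= p["last_seq"].get(spi, 0):  # ESP sequence numbers must strictly increase per SPI
                p["replay_suspect"] += 1
            p["last_seq"][spi] = max(seq, p["last_seq"].get(spi, 0))
        else:
            p["unknown"] += 1
    for p in peers.values():
        p["behind_nat"] = p["keepalives"] > 0
    return peers


# Constructed sample traffic as seen at the central gateway; addresses are from documentation ranges.
def _ike(exchange_type: int) -> bytes:
    # IKEv1 header behind the non-ESP marker; cookies are dummy values
    return NON_ESP_MARKER + IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, 1, 0x10, exchange_type, 0, 0, IKE_HDR.size)


def _esp(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq) + b"\x00" * 16  # placeholder for the encrypted body


SAMPLE = [
    ("198.51.100.7", "203.0.113.10", _ike(4)),             # remote gateway opens Aggressive Mode
    ("203.0.113.10", "198.51.100.7", _ike(4)),
    ("198.51.100.7", "203.0.113.10", _esp(0x0000ABCD, 1)),
    ("203.0.113.10", "198.51.100.7", _esp(0x0000DCBA, 1)),
    ("198.51.100.7", "203.0.113.10", NAT_KEEPALIVE),       # only the side behind NAT sends heartbeats
    ("198.51.100.7", "203.0.113.10", _esp(0x0000ABCD, 2)),
]

if __name__ == "__main__":
    for src, p in summarize_peers(SAMPLE).items():
        print(src, "behind NAT" if p["behind_nat"] else "not behind NAT",
              p["ike_exchanges"], [hex(s) for s in sorted(p["esp_spis"])])
```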
AES (Advanced Encryption Standard) Support  
AES is an encryption algorithm for securing sensitive but unclassified material by U.S. Government  
agencies. It may become the official encryption standard for commercial transactions in the private  
sector. As a symmetric algorithm (same key for encryption and decryption), it uses block encryption  
with a block size of 128 bits, supporting key sizes of 128, 192, and 256 bits.  
AES support is only available on the PRO 230, PRO 330, and GX series. Support is limited to 128  
and 256 bit keys for IKE Phase One tunnels, and 128 bit keys for Phase Two tunnels for both IKE  
and Manual key.  
Configure Tab  
Add/Modify IPSec Security Associations  
The Configure tab settings change depending on the Security Association (SA) and IPSec Keying  
options you choose in the Add/Modify IPSec Security Associations. You can choose either Group  
VPN (default) or Add New SA from the Security Association list. If you select Add New SA, a Name  
field is displayed that allows you to create a name for the SA, such as Boston Office, Corporate Site,  
etc. Select the type of security policy for the SA from the IPSec Keying Mode menu. You can select  
IKE using Preshared Secret, Manual Key, or IKE using Certificates.  
The IPSec Gateway Address field is used to configure the gateway for the security association.  
Disabling Security Associations  
You can choose to disable certain security associations and still allow access by remote VPN clients.  
The feature is useful if it is suspected that a remote VPN user connection has become unstable or  
insecure. It can also temporarily block access to the SonicWALL appliance if necessary. Disable the  
Security Association by checking the Disable this SA check box. Click Update to enable the change  
to take place.  
Security Policy Settings  
The following sections describe the Security Policy settings for Group VPN, IKE using Pre-shared  
Secret, and Manual Key.  
Security Policy Settings for Group VPN  
Phase 1 DH Group - Diffie-Hellman (DH) key exchange (a key agreement protocol) is used during  
phase 1 of the authentication process to establish pre-shared keys. Groups 1, 2, 5 use Modular  
Exponential with different prime lengths as listed below. If network speed is preferred, select  
Group 1. If network security is preferred, select Group 5. To compromise between network  
speed and network security, select Group 2.  
Group Descriptor    Prime Size (bits)  
Group 1             768  
Group 2             1024  
Group 5             1536  
SA Life time (secs) - allows you to configure the length of time a VPN tunnel is active. The default  
value is 28800 seconds (eight hours). You can configure up to 2,500,000 seconds (28.9 days).  
Phase 1 Encryption/Authentication - select an encryption method from the Encryption/Authentication  
menu for the VPN tunnel. If you select IKE using Pre-Shared Secret for your SA, you can select  
from one of eight encryption methods:  
AES-128 & MD5*  
DES & MD5  
AES-128 & SHA1*  
DES & SHA1  
AES-256 & MD5*  
3DES & MD5  
AES-256 & SHA1*  
3DES & SHA1  
* AES support is available only on the PRO 230, PRO 330 and GX series.  
These are listed in order from least secure to most secure. If network speed is preferred, then  
select DES & MD5. If network security is preferred, select 3DES & SHA1. To compromise  
between network speed and network security, select DES & SHA1. AES (Advanced Encryption  
Standard) is an encryption method for securing sensitive but unclassified material by U.S.  
Government agencies.  
Phase 2 Encryption/Authentication - Phase 2 Encryption/Authentication is different for the  
Group VPN SA. The VPN Client does not support ARCFour encryption methods, and you cannot  
disable authentication in the VPN client. The following encryption methods are available for  
Group VPN and are listed in order from most secure to least secure:  
- Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) - uses 168-bit 3DES encryption and  
HMAC SHA1 authentication. 3DES is an extremely secure encryption method, and HMAC SHA1  
is used to verify integrity. This method significantly impacts the data throughput of the  
SonicWALL.  
- Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) - uses 168-bit 3DES encryption and  
HMAC MD5 authentication. 3DES is an extremely secure encryption method, and HMAC MD5 is  
used to verify integrity. This method significantly impacts the data throughput of the SonicWALL.  
- Strong Encrypt and Authenticate (ESP DES HMAC SHA1) - uses 56-bit DES encryption and  
HMAC SHA1 authentication.  
- Strong Encrypt and Authenticate (ESP DES HMAC MD5) - uses 56-bit DES encryption and  
HMAC MD5 authentication. This method impacts the data throughput of VPN communications.  
SonicWALL VPN client supports this method.  
- Strong Encrypt and Authenticate (ESP AES-128 HMAC MD5) - uses 128-bit AES encryption and  
HMAC MD5 authentication.  
- Strong Encrypt and Authenticate (ESP AES-128 HMAC SHA1) - uses 128-bit AES encryption and  
HMAC SHA1 authentication.  
Shared Secret - an alphanumeric key is automatically generated as the Shared Secret. The  
Shared Secret is not exported with the VPN Client Configuration File. The Shared Secret must  
be distributed by the SonicWALL administrator.  
Security Policy Settings for IKE using Pre-shared Secret  
Exchange - select Main Mode or Aggressive Mode. Main Mode requires six one-way messages  
between the peers and Aggressive Mode requires only three one-way messages, making  
Aggressive Mode a little faster when establishing the connection. Selecting Aggressive Mode  
forces the SonicWALL appliance to use Aggressive Mode to establish the VPN tunnel even if the  
SonicWALL has a static IP address. Aggressive Mode is useful when the SonicWALL is located  
behind another NAT device.  
Phase 1 DH Group - Diffie-Hellman (DH) key exchange (a key agreement protocol) is used during  
phase 1 of the authentication process to establish pre-shared keys. Groups 1, 2, 5 use Modular  
Exponential with different prime lengths as listed below:  
Group Descriptor    Prime Size (bits)  
Group 1             768  
Group 2             1024  
Group 5             1536  
If network speed is preferred, select Group 1. If network security is preferred, select Group 5.  
To compromise between network speed and network security, select Group 2.  
SA Life time (secs) - allows you to configure the length of time a VPN tunnel is active. The default  
value is 28800 seconds (eight hours). You can configure up to 2,500,000 seconds (28.9 days).  
Phase 1 Encryption/Authentication - select an encryption method from the Encryption/Authentication  
menu for the VPN tunnel. If you select IKE using Pre-Shared Secret for your SA, you can select  
from one of eight encryption methods:  
AES-128 & MD5*  
DES & MD5  
AES-128 & SHA1*  
DES & SHA1  
AES-256 & MD5*  
3DES & MD5  
AES-256 & SHA1*  
3DES & SHA1  
* AES support is available only on the PRO 230 and PRO 330.  
The encryption methods are listed in order from least secure to most secure. If network speed  
is preferred, then select DES & MD5. If network security is preferred, select 3DES & SHA1. To  
compromise between network speed and network security, select DES & SHA1. AES (Advanced  
Encryption Standard) is an encryption method for securing sensitive but unclassified material  
by U.S. Government agencies.  
Phase 2 Encryption/Authentication - The following encryption methods are available for IKE using  
Preshared Secret:  
- Tunnel Only (ESP Null) - does not provide encryption or authentication. This option offers  
access to computers at private addresses behind NAT and allows unsupported services through  
the SonicWALL.  
- Encrypt (ESP DES) - uses 56-bit DES to encrypt data. DES is an extremely secure encryption  
method supporting over 72 quadrillion possible encryption keys to encrypt data.  
- Fast Encrypt (ESP ARCFour) - uses 56-bit ARCFour to encrypt data. ARCFour is a secure  
encryption method and has little impact on the throughput of the SonicWALL.  
- Strong Encrypt (ESP 3DES) - uses 168-bit 3DES (Triple DES) to encrypt data. 3DES is  
considered to be an almost “unbreakable” encryption method, applying three DES keys in  
succession, but it significantly impacts the data throughput of the SonicWALL.  
- Strong Encrypt and Authenticate (ESP 3DES HMAC MD5) - uses 168-bit 3DES encryption and  
HMAC MD5 authentication. 3DES is an extremely secure encryption method, and HMAC MD5 is  
used to verify integrity. This method significantly impacts the data throughput of the SonicWALL.  
- Strong Encrypt for Checkpoint (ESP 3DES) - interoperable with CheckPoint Firewall-1. In  
manual key mode, Encrypt for CheckPoint uses 168-bit DES to encrypt data.  
- Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) - uses 168-bit 3DES encryption and  
HMAC SHA1 authentication. 3DES is an extremely secure encryption method, and HMAC SHA1  
is used to verify integrity. This method significantly impacts the data throughput of the  
SonicWALL.  
- Encrypt for Checkpoint (ESP DES HMAC MD5) - uses 56-bit DES encryption and HMAC MD5  
authentication. This method is compatible with CheckPoint Firewall-1.  
- Encrypt and Authenticate (ESP DES HMAC MD5) - uses 56-bit DES encryption and HMAC MD5  
authentication. This method impacts the data throughput of VPN communications. SonicWALL  
VPN client supports this method.  
- Authenticate (AH MD5) - uses AH to authenticate and MD5 to generate a 128-bit message  
digest.  
- Authenticate (AH SHA1) - uses AH to authenticate and SHA1 to generate a 160-bit message  
digest.  
- Authenticate (ESP MD5) - authenticates using ESP as the security protocol and MD5 to  
generate a 128-bit message digest.  
- Authenticate (ESP SHA1) - authenticates using ESP as the security protocol and SHA1 to  
generate a 160-bit message digest.  
- Encrypt and Authenticate (ESP DES HMAC SHA1) - uses 56-bit DES encryption and HMAC SHA1  
authentication.  
- Strong Encrypt (ESP AES-128) - uses ESP to authenticate and 128-bit AES to encrypt.  
- Strong Encrypt and Authenticate (ESP AES-128 HMAC MD5) - uses 128-bit AES encryption and  
HMAC MD5 authentication.  
- Strong Encrypt and Authenticate (ESP AES-128 HMAC SHA1) - uses 128-bit AES encryption and  
HMAC SHA1 authentication.  
* AES support is available only on the PRO 230 and PRO 330.  
If IKE using Pre-shared Secret is selected for the IPSec Keying Mode, the Shared Secret field is  
displayed and you can enter your shared secret.  
Security Policy Settings using Manual Key  
Manual Key is configured differently than IKE using Pre-shared Secret or Group VPN. It requires an  
Incoming and Outgoing Security Parameter Index (SPI) as well as an Encryption Key and  
Authentication Key.  
Incoming SPI - Enter the Security Parameter Index (SPI) that the remote location transmits to  
identify the Security Association used for the VPN Tunnel. The SPI may be up to eight characters  
long and is comprised of hexadecimal characters. Valid hexadecimal characters are "0" to "9",  
and "a" to "f" inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f).  
Outgoing SPI - Enter the Security Parameter Index (SPI) that the local SonicWALL transmits to  
identify the Security Association used for the VPN Tunnel. The SPI may be up to eight characters  
long and is comprised of hexadecimal characters.  
Tip A Security Association's SPI must be unique when compared to SPIs used in other Security  
Associations. However, a Security Association's Incoming SPI may be the same as the Outgoing SPI.  
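A checker for the Manual Key field rules in this section, added here as an illustrative example and not code from the guide or the appliance: SPIs are 3 to 8 lowercase hexadecimal characters (the 3-character minimum is stated in the Manual Key procedures later in this chapter), no SPI may be shared between Security Associations, and an SA's Incoming SPI may equal its Outgoing SPI. The key lengths (16 hex characters for DES or ARCFour, 48 for Triple DES, 32 for the Authentication Key) are taken from the Manual Key procedures later in this chapter; the names ManualKeySA, validate_sa and validate_sa_set and the sample SAs are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The guide lists "0" to "9" and "a" to "f" as the valid characters, so the
# check accepts lowercase hexadecimal only.
HEX_RE = re.compile(r"^[0-9a-f]+$")

SPI_MIN_CHARS, SPI_MAX_CHARS = 3, 8
AUTHENTICATION_KEY_CHARS = 32


@dataclass
class ManualKeySA:
    """Manual Key fields of one Security Association (hypothetical model)."""
    name: str
    incoming_spi: str
    outgoing_spi: str
    encryption_method: str   # menu entry, e.g. "Strong Encrypt (ESP 3DES)"
    encryption_key: str
    authentication_key: str


def is_hex(value: str, min_len: int, max_len: int) -> bool:
    return min_len <= len(value) <= max_len and HEX_RE.match(value) is not None


def required_encryption_key_chars(method: str) -> Optional[int]:
    """Hex characters the Encryption Key must have for a method, or None when the
    field is ignored (Tunnel Only (ESP NULL) and the authenticate-only methods)."""
    if "3DES" in method:
        return 48
    if "DES" in method or "ARCFour" in method:
        return 16
    return None


def uses_authentication(method: str) -> bool:
    """True for methods that carry an HMAC or are authentication-only."""
    return "HMAC" in method or method.startswith("Authenticate")


def validate_sa(sa: ManualKeySA) -> List[str]:
    """Field-level problems for a single SA (empty list when it is acceptable)."""
    problems = []
    for label, spi in (("Incoming SPI", sa.incoming_spi), ("Outgoing SPI", sa.outgoing_spi)):
        if not is_hex(spi, SPI_MIN_CHARS, SPI_MAX_CHARS):
            problems.append(f"{sa.name}: {label} {spi!r} must be {SPI_MIN_CHARS} to "
                            f"{SPI_MAX_CHARS} hexadecimal characters")
    need = required_encryption_key_chars(sa.encryption_method)
    if need is not None and not is_hex(sa.encryption_key, need, need):
        problems.append(f"{sa.name}: Encryption Key must be {need} hexadecimal characters "
                        f"for {sa.encryption_method}")
    if uses_authentication(sa.encryption_method) and not is_hex(
            sa.authentication_key, AUTHENTICATION_KEY_CHARS, AUTHENTICATION_KEY_CHARS):
        problems.append(f"{sa.name}: Authentication Key must be "
                        f"{AUTHENTICATION_KEY_CHARS} hexadecimal characters")
    return problems


def validate_sa_set(sas: List[ManualKeySA]) -> List[str]:
    """Problems across all SAs: per-field checks plus the SPI uniqueness rule.
    An SA may reuse its own Incoming SPI as its Outgoing SPI, but no SPI may
    appear in two different SAs."""
    problems = []
    owner_of_spi = {}
    for sa in sas:
        problems.extend(validate_sa(sa))
        for spi in sorted({sa.incoming_spi, sa.outgoing_spi}):
            owner = owner_of_spi.setdefault(spi, sa.name)
            if owner != sa.name:
                problems.append(f"{sa.name}: SPI {spi!r} is already used by SA {owner!r}")
    return problems


# Constructed sample SAs (the keys are illustrative values, not real material).
SAMPLE_SAS = [
    ManualKeySA("Chicago Office", "abc123", "abc123",
                "Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)",
                "1234567890abcdef" * 3, "0123456789abcdef0123456789abcdef"),
    ManualKeySA("Remote Management", "beef01", "beef02",
                "Encrypt and Authenticate (ESP DES HMAC SHA1)",
                "1234567890abcdef", "fedcba9876543210fedcba9876543210"),
]

if __name__ == "__main__":
    for problem in validate_sa_set(SAMPLE_SAS) or ["all SAs acceptable"]:
        print(problem)
```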
Destination Networks  
In this section, enter the network settings for the remote VPN site (the “Destination Network”).  
Include the subnet mask which determines broadcast addresses for NetBIOS support.  
Use this SA as the default route for all Internet traffic (Security Associations using IKE with Pre-shared  
Secret and Manual Key) - Enable this check box if all remote VPN connections access  
the Internet through this SA. You can only configure one SA to use this setting.  
Destination network obtains IP addresses using DHCP through this SA (Security Associations  
using IKE and Pre-shared Secret but not Group VPN or Manual Key) - Enable this check box if  
you are managing your IP address allocation from a central location.  
Specify destination networks below - Configure the destination networks for your VPN Security  
Association. Click Destination Networks to enter the IP address and subnet mask.  
Adding Destination Networks  
To add a second destination network, click Add New Network... and define the Network and Subnet  
Mask fields of the second network segment. To modify a destination network, click the Notepad icon  
to the right of the appropriate destination network entry. Then modify the appropriate fields and  
click Update to update the configuration. To delete a destination network, click the Trash Can icon  
to the far right of the appropriate destination network entry and then click OK to confirm the  
removal.  
Modifying and Deleting Existing Security Associations  
The Security Association menu also allows you to modify and delete existing Security Associations.  
To delete an SA, select it from the list and click the Delete This SA button. To modify an SA, select it  
from the list, make the desired changes, and click Update. Once the SonicWALL has been updated,  
a message confirming the update is displayed at the bottom of the Web browser window. Click  
Update to enable the changes.  
Accessing Remote Resources across a Virtual Private Network  
SonicWALL VPN Clients, which cannot transmit NetBIOS broadcasts, can access resources across a  
VPN by locating a remote computer by IP address. For example, if a remote office has a Microsoft®  
SQL server, users at the local office can access the SQL server by using the server private IP  
address.  
There are several ways to facilitate connecting to a computer across a SonicWALL VPN:  
Use the Find Computer tool  
Create a LMHOSTS file in a local computer registry  
Configure a WINS Server to resolve a name to a remote IP address.  
For more information on accessing remote resources over a VPN, see  
<http://www.sonicwall.com/products/documentation/vpnremotehostswp.html>.  
Advanced Settings  
All of the Advanced Settings for VPN connections are accessed by clicking the Advanced Settings  
button located on the Configure tab. The following settings are available in the Edit Advanced  
Settings window:  
Enable Keep Alive  
- Try to bring up all possible SAs  
Require authentication of local users  
Require authentication of remote users  
- Remote users behind VPN gateway  
- Remote VPN clients with XAUTH  
Enable Windows Networking (NetBIOS) broadcast  
Apply NAT and firewall rules  
Forward packets to remote VPNs  
Enable Perfect Forward Secrecy  
Phase 2 DH Group  
Default LAN Gateway  
VPN Terminated at LAN, DMZ, or LAN/DMZ  
Enable Keep Alive  
Selecting the Enable Keep Alive check box allows the VPN tunnel to remain active or maintain its  
current connection by listening for traffic on the network segment between the two connections.  
Interruption of the signal forces the tunnel to renegotiate the connection.  
Try to bring up all possible SAs  
If multiple SAs are configured on the SonicWALL, select this feature to have the SonicWALL  
renegotiate the tunnels if they lose communication with the SonicWALL.  
Require authentication of local users  
Selecting this check box requires that all outbound VPN traffic on this SA is from an authenticated  
user. Unauthenticated traffic is not allowed on the VPN tunnel.  
Require authentication of remote users  
Enabling this feature requires that all inbound traffic on this SA is from an authenticated user.  
Unauthenticated traffic is not allowed on the VPN tunnel. Select Remote users behind VPN gateway  
if remote users have a VPN tunnel terminating on the VPN gateway. Select Remote VPN clients  
with XAUTH if remote users require authentication using XAUTH and are accessing the  
SonicWALL via a VPN client.  
Enable Windows Networking (NetBIOS) broadcast  
Computers running Microsoft Windows® communicate with one another through NetBIOS broadcast  
packets. Select the Enable Windows Networking (NetBIOS) broadcast check box to access remote  
network resources by browsing the Windows® Network Neighborhood.  
Apply NAT and firewall rules  
This feature allows a remote site’s LAN subnet to be hidden from the corporate site, and is most  
useful when a remote office’s network traffic is initiated to the corporate office. The IPSec tunnel is  
located between the SonicWALL WAN interface and the LAN segment of the corporation. To protect  
the traffic, NAT (Network Address Translation) is performed on the outbound packet before it is sent  
through the tunnel, and in turn, NAT is performed on inbound packets when they are received. By  
using NAT for a VPN connection, computers on the remote LAN are viewed as one address (the  
SonicWALL public address) from the corporate LAN.  
If the SonicWALL uses the Standard network configuration, using this check box applies the firewall  
access rules and checks for attacks, but not NAT.  
Alert You cannot use this feature if you have Route all internet traffic through this SA enabled.  
Alert Offices can have overlapping LAN IP ranges if the Apply NAT and firewall rules option is  
selected.  
Forward Packets to Remote VPNs  
Selecting the Forward Packets to Remote VPNs check box for a Security Association allows the  
remote VPN tunnel to participate in the SonicWALL routing table. Inbound traffic is decrypted and  
can now be forwarded to a remote site via another VPN tunnel. Normally, inbound traffic is  
decrypted and only forwarded to the SonicWALL LAN or a specific route on the LAN specified on the  
Routes tab located under the Advanced section.  
Enabling this feature allows a network administrator to create a “hub and spoke” network  
configuration by forwarding inbound traffic to a remote site via a VPN security association. To create  
a “hub and spoke” network, enable the Forward Packets to Remote VPNs check box for each  
Security Association in your SonicWALL. Traffic can travel from a branch office to a branch office via  
the corporate office.  
Route all internet traffic through this SA  
Selecting this box allows a network administrator to force all WAN-destined traffic to go through a  
VPN tunnel to a central site. Outgoing packets are checked against the remote network definitions  
for all Security Associations (SA). If a match is detected, the packet is then routed to the appropriate  
destination. If no match is detected, the SonicWALL checks for the presence of a SA using this  
configuration. If an SA is detected, the packet is sent using that SA. If there is no SA with this option  
enabled, and if the destination does not match any other SA, the packet goes unencrypted to the  
WAN.  
Enable Perfect Forward Secrecy  
The Enable Perfect Forward Secrecy check box increases the renegotiation time of the VPN tunnel.  
With Perfect Forward Secrecy enabled, an attacker who recovers one set of encryption keys by brute  
force cannot derive other or future IPSec keys from it. During the phase 2 renegotiation between two  
SonicWALL appliances or a Group VPN SA, an additional Diffie-Hellman key exchange is performed.  
Enable Perfect Forward Secrecy adds incremental security between gateways.  
Phase 2 DH Group  
If Enable Perfect Forward Secrecy is enabled, select the type of Diffie-Hellman (DH) Key Exchange (a  
key agreement protocol) to be used during phase 2 of the authentication process to establish  
pre-shared keys. Groups 1, 2, and 5 use Modular-Exponentiation with different prime lengths as listed  
below:  
Group Descriptor    Prime Size (bits)  
1                   768  
2                   1024  
5                   1536  
If network connection speed is an issue, select Group 1. If network security is an issue, select Group  
5. To compromise between speed and security, select Group 2.  
Default LAN Gateway  
A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all  
internet traffic through this SA check box. The Default LAN Gateway field allows the network  
administrator to specify the IP address of the default LAN route for incoming IPSec packets for this  
SA.  
Incoming packets are decoded by the SonicWALL and compared to static routes configured in the  
SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough  
static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up  
a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a  
Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet  
is dropped.  
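The outbound decision described under Route all internet traffic through this SA and the inbound decision described under Default LAN Gateway, modeled together as an added example that is not code from the guide or the appliance; the class and function names (SecurityAssociation, select_outbound_sa, route_inbound_ipsec) are assumptions, and the networks and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SecurityAssociation:
    """One SA as configured on the Configure tab (hypothetical model)."""
    name: str
    # Entries made under "Specify destination networks below", as CIDR strings.
    destination_networks: List[str] = field(default_factory=list)
    # "Use this SA as the default route for all Internet traffic" check box.
    default_route: bool = False


def select_outbound_sa(dst_ip: str, sas: List[SecurityAssociation]) -> Optional[str]:
    """Return the name of the SA an outgoing packet is sent through, or None
    when it leaves the WAN unencrypted (the three-step decision described under
    "Route all internet traffic through this SA")."""
    default_sas = [sa for sa in sas if sa.default_route]
    if len(default_sas) > 1:
        # The guide allows only one SA to use the default-route setting.
        raise ValueError("only one SA may be the default route for Internet traffic")
    dst = ipaddress.ip_address(dst_ip)
    # Step 1: compare the packet with the remote network definitions of every SA.
    for sa in sas:
        for net in sa.destination_networks:
            if dst in ipaddress.ip_network(net):
                return sa.name
    # Step 2: no match, so use the SA flagged as the default route if one exists.
    if default_sas:
        return default_sas[0].name
    # Step 3: no default-route SA either; the packet goes unencrypted to the WAN.
    return None


def route_inbound_ipsec(dst_ip: str,
                        static_routes: List[Tuple[str, str]],
                        default_lan_gateway: Optional[str]) -> Optional[str]:
    """Return the LAN gateway a decrypted packet is routed through, or None when
    the SonicWALL drops it (the decision described under "Default LAN Gateway")."""
    dst = ipaddress.ip_address(dst_ip)
    # First look for a static route (Routes tab) covering the destination.
    for net, gateway in static_routes:
        if dst in ipaddress.ip_network(net):
            return gateway
    # No static route: fall back to the Default LAN Gateway, if one is configured.
    if default_lan_gateway:
        return default_lan_gateway
    # Neither: the packet is dropped.
    return None


# Constructed sample configuration for a branch office (not from the guide).
BRANCH_SAS = [
    SecurityAssociation("Chicago Office", ["10.10.0.0/16"]),
    SecurityAssociation("Corporate HQ", ["192.168.100.0/24"], default_route=True),
]
# Constructed static routes at the central site: (network, LAN gateway).
HQ_STATIC_ROUTES = [("172.16.5.0/24", "192.168.100.5")]
HQ_DEFAULT_LAN_GATEWAY = "192.168.100.1"


if __name__ == "__main__":
    for ip in ("10.10.5.9", "192.168.100.20", "198.51.100.7"):
        print(ip, "->", select_outbound_sa(ip, BRANCH_SAS))
    for ip in ("172.16.5.20", "172.16.9.1"):
        print(ip, "->", route_inbound_ipsec(ip, HQ_STATIC_ROUTES, HQ_DEFAULT_LAN_GATEWAY))
```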
VPN Terminated at the LAN, DMZ, or LAN/DMZ  
Selecting this option allows you to terminate a VPN tunnel on a specific destination instead of  
allowing the VPN tunnel to terminate on the SonicWALL network. By terminating the VPN tunnel to  
a specific destination, the VPN tunnel has access to a specific portion of the destination LAN or DMZ  
network.  
Advanced Settings for VPN Configurations  
The following table lists the available settings for each VPN configuration. The boxes checked are  
applicable to the given configuration mode.  
Configuration modes (table columns): Group VPN using IKE/Pre-shared Secret; Group VPN using  
IKE/Certificates; IKE using Certificates (1); IKE using Pre-shared Secret; Manual Key (*).  
Settings (table rows): Enable Keep Alive; Try to bring up all possible SAs; Require authentication of  
VPN clients using XAUTH; Require authentication of local users; Require authentication of remote  
users; Enable Windows Networking (NetBIOS) broadcast; Apply NAT and Firewall Settings; Forward  
Packets to Remote VPNs; Enable Perfect Forward Secrecy; Phase 2 DH Group; Default LAN Gateway;  
Terminate VPN on the LAN, DMZ or LAN/DMZ.  
[Check-mark matrix not recoverable from this copy.]  
* Default LAN Gateway and Forward Packets to Remote VPN are not configured for VPN Client to SonicWALL appliance connections using  
Manual Key Exchange.  
(1) These parameters apply to both SonicWALL Certificates and Third Party Certificates.  
Configuring SonicWALL VPN  
This section covers the configuration of SonicWALL VPN for the SonicWALL Internet Security  
Appliance as well as the installation and configuration of the SonicWALL VPN client software. Group  
Configuration, Manual Key Configuration, and IKE Configuration (SonicWALL to SonicWALL) are  
described in this chapter.  
You can create a VPN client Security Association by using Manual Key Configuration, Group  
Configuration or Advanced Configuration. Before choosing your SonicWALL VPN client configuration,  
evaluate the differences between the three methods.  
Group Configuration uses IKE (Internet Key Exchange) and requires fewer settings on the VPN  
client, enabling a quicker setup. Simple configuration allows multiple clients to connect to a  
single Security Association (SA), creating a group VPN tunnel. The SonicWALL only supports one  
Group Configuration SA. You can use the Group VPN SA for your single VPN client.  
Manual Key Configuration requires matching encryption and authentication keys. Because  
Manual Key Configuration supports multiple SAs, it enables individual control over remote  
users.  
Advanced Configuration requires a complex setup and is therefore not recommended for most  
SonicWALL administrators. Advanced Configuration instructions are available on the Web at the  
following address:  
<http://www.sonicwall.com/products/documentation/VPN_documentation.html>.  
Group VPN Configuration for the SonicWALL and VPN Client  
Configuring Group VPN on the SonicWALL  
Click VPN on the left side of the SonicWALL browser window, and then click Configure.  
The SonicWALL VPN tab defaults to a Group VPN setting. This feature facilitates the setup and  
deployment of multiple VPN clients by the administrator of the SonicWALL appliance. Security  
settings can now be exported to the remote client and imported into the remote VPN client settings.  
Group VPN allows for easy deployment of multiple VPN clients, making it unnecessary to individually  
configure remote VPN clients. Group VPN is only available for VPN clients, and it is recommended to  
use Authentication Service or XAUTH/RADIUS in conjunction with the Group VPN for added security.  
To enable Group VPN, follow the instructions below:  
1. Click VPN on the left side of the Management Station interface.  
2. Click on Group VPN. The Security Association default setting is Group VPN.  
3. Configure the Group VPN to use either IKE using Pre-shared Secrets or IKE using Certificates.  
To use certificates, an Authentication Service upgrade must be purchased.  
4. Select Group 2 from the Phase 1 DH Group menu.  
5. Enter the SA Life Time value in minutes. A value of 28800 seconds (8 hours) is recommended.  
6. Select 3DES & SHA1 from the Phase 1 Encryption/Authentication menu.  
7. Select Encrypt and Authenticate (ESP 3DES HMAC MD5) from the Phase 2 Encryption/  
Authentication menu.  
8. Create and enter a Shared Secret in the Shared Secret field or use the Shared Secret  
automatically generated by the SonicWALL. The Shared Secret should consist of a combination  
of letters and numbers rather than the name of a family member, pet, etc. It is also  
case-sensitive.  
9. Click Advanced Settings to open the window. Select any of the following boxes that apply to your  
SA:  
Require authentication of VPN clients via XAUTH - requires VPN client authentication via a  
RADIUS server.  
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in  
Standard mode.  
Forward packets to remote VPNs - if creating a “hub and spoke” network.  
Enable Perfect Forward Secrecy - if adding an additional layer of security using a second  
Diffie-Hellman key exchange.  
Phase 2 DH Group - selects the DH group for that additional key exchange.  
Default LAN Gateway - The Default LAN Gateway field allows the network administrator to  
specify the IP address of the default LAN route for incoming IPSec packets for this SA.  
Tip It is not necessary to configure the Advanced Settings to get the VPN connection working  
between the SonicWALL and the VPN client. You can configure the Advanced Settings later, and  
then re-import the SA into the VPN Client.  
10. Click Update to enable the changes.  
To export the Group VPN settings to remote VPN clients, click on Export next to VPN Client  
Configuration File. The security file can be saved to a floppy disk or e-mailed to a remote VPN client.  
The Shared Secret, however, is not exported, and must be entered manually by the remote VPN  
client. Also, the SA must be enabled to export the configuration file.  
Alert You must use the Group VPN Security Association even if you have only one VPN client to  
deploy, and you want to use IKE using Pre-shared Secret for your SA. The Group VPN Security  
Association defaults to the Simple Configuration previously available in firmware version 5.1.1.  
Group VPN Client Setup  
Installing the VPN Client Software  
1. When you register your SonicWALL or SonicWALL VPN Upgrade, a unique VPN client serial  
number and link to download the SonicWALL VPN Client zip file is displayed.  
2. Unzip the SonicWALL VPN Client zip file.  
3. Double-click setup.exe and follow the VPN client setup program step-by-step instructions. Enter  
the VPN client serial number when prompted.  
4. Restart your computer after you have installed the VPN client software.  
For detailed instructions on installing the client software, download the Client Installation Guide  
available at <http://www.sonicwall.com/documentation.html>.  
Group VPN Client Configuration  
To import the Group VPN security policy into the VPN Client, use the following steps:  
1. Open the VPN Client. Click File, and then Import Security Policy.  
2. A file location box appears which allows you to search for the location of the saved security file.  
Select the file, and click Open.  
3. A dialogue box confirming the request to import the security file appears.  
Click Yes, and another box appears confirming that the file is successfully imported into the  
client. The client application now has an imported Group VPN policy.  
4. Click the + sign next to Group VPN to reveal two sections: My Identity and Security Policy. Select  
My Identity to view the settings.  
5. Click Pre-Shared Key to enter the Pre-Shared Secret created in the Group VPN settings in the  
SonicWALL appliance. Click Enter Key and enter the pre-shared secret. Then click OK.  
6. Click File, then Save Changes to save the settings to the security policy.  
Group VPN can also be configured using digital certificates in the Security Association settings. For  
more information on Group VPN configuration using digital certificates, refer to the Authentication  
Service User's Guide on the SonicWALL Website:  
<http://www.sonicwall.com/vpn-center/vpn-setup.html>.  
Verifying the VPN Tunnel as Active  
After the Group VPN Policy is active on the VPN Client, you can verify that a secure tunnel is active  
and sending data securely across the connection. You can verify the connection by verifying the type  
of icon displayed in the system tray near the system clock. The SonicWALL VPN Client icon is  
displayed in the System Tray if you are running a Windows operating system. The icon changes to  
reflect the current status of your communication over the VPN tunnel.  
Manual Key Configuration for the SonicWALL and VPN Client  
Configuring the SonicWALL  
To configure the SonicWALL appliance, click VPN on the left side of the browser window, and select  
Enable VPN to allow the VPN connection.  
1. Select Disable VPN Windows Networking (NetBIOS) broadcast. Leave the Enable Fragmented  
Packet Handling unselected until the SonicWALL logs show many fragmented packets  
transmitted.  
2. Click the Configure tab and select Add New SA from the Security Association menu. Then select  
Manual Key from the IPSec Keying Mode menu.  
3. Enter a descriptive name that identifies the VPN client in the Name field, such as the client’s  
location or name.  
4. Enter "0.0.0.0" in the IPSec Gateway Address field.  
5. Define an Incoming SPI and an Outgoing SPI. The SPIs are hexadecimal (0123456789abcdef)  
and can range from 3 to 8 characters in length.  
Alert Each Security Association must have unique SPIs; no two Security Associations can share the  
same SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI.  
6. Select Encrypt and Authenticate (ESP 3DES HMAC MD5) from the Encryption Method menu.  
Alert It is important to remember the Encryption Method selected as you need to select the same  
parameters in the VPN Client configuration.  
7. Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default  
value. This encryption key is used to configure the remote SonicWALL client's encryption key,  
therefore, write it down to use when configuring the client.  
8. Enter a 32 character hexadecimal authentication key in the Authentication Key field or use the  
default value. Write down the key to use while configuring the client settings.  
Tip Valid hexadecimal characters include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, and f.  
1234567890abcdef is an example of a valid DES or ARCFour encryption key. If you enter an  
incorrect encryption key, an error message is displayed at the bottom of the browser window.  
9. Click Add New Network... to enter the destination network addresses. Clicking Add New  
Network... automatically updates the VPN configuration and opens the VPN Destination  
Network window.  
10. Enter "0.0.0.0" in the Range Start, Range End, and Destination Subnet Mask for NetBIOS  
broadcast fields.  
11. Click Update to add the remote network and close the VPN Destination Network window. Once  
the SonicWALL has been updated, a message confirming the update is displayed at the bottom  
of the browser window.  
Configuring the VPN Client  
Installing the VPN Client Software  
1. When you register your SonicWALL VPN Upgrade at <http://www.mysonicwall.com>, a unique  
VPN client serial number and link to download the SonicWALL VPN Client zip file is displayed.  
Alert SonicWALL PRO 300 lists an additional 50 serial numbers on the back of the SonicWALL VPN  
Client certificate.  
2. Unzip the SonicWALL VPN Client zip file.  
3. Double-click setup.exe and follow the VPN client setup program step-by-step instructions. Enter  
the VPN client serial number when prompted.  
4. Restart your computer after installing the VPN client software.  
Launching the SonicWALL VPN Client  
To launch the VPN client, select SonicWALL VPN Client Security Policy Editor from the Windows Start  
menu, or double-click the icon in the Windows Task Bar.  
Click My Connections, and right click to select Add > Connection at the top of the Security Policy  
Editor window.  
Tip The security policy is renamed to match the SA name created in the SonicWALL. You can rename the  
security policy by highlighting New Connection in the Network Security Policy box and entering the security  
policy name.  
Configuring VPN Security and Remote Identity  
1. Select Secure in the Network Security Policy box on the right side of the Security Policy Editor  
window.  
2. Select IP Subnet in the ID Type menu.  
3. Enter the SonicWALL LAN IP Address in the Subnet field.  
4. Enter the LAN Subnet Mask in the Mask field.  
5. Select All in the Protocol menu to permit all IP traffic through the VPN tunnel.  
6. Select the Connect using Secure Gateway Tunnel check box.  
7. Select IP Address in the ID Type menu at the bottom of the Security Policy Editor window.  
8. Enter the SonicWALL WAN IP Address in the field below the ID Type menu. Enter the NAT Public  
Address if NAT is enabled.  
Configuring VPN Client Identity  
To configure the VPN Client Identity, click My Identity in the Network Security Policy window.  
1. Select None from the Select Certificate menu.  
2. Select the method used to access the Internet from the Internet Interface menu. Select PPP  
Adapter from the Name menu if you have a dial-up Internet connection. Select the Ethernet  
adapter if you have a dedicated cable, ISDN, or DSL line.  
Configuring VPN Client Security Policy  
3. Select Security Policy in the Network Security Policy window.  
4. Select Use Manual Keys in the Select Phase 1 Negotiation Mode menu.  
5. Click the + next to Security Policy, and select Key Exchange (Phase 2). Click the + next to Key  
Exchange (Phase 2), and select Proposal 1.  
Configuring VPN Client Key Exchange Proposal  
1. Select Key Exchange (Phase 2) in the Network Security Policy box. Then select Proposal 1 below  
Key Exchange (Phase 2).  
2. Select Unspecified in the SA Life menu.  
3. Select None from the Compression menu.  
4. Select the Encapsulation Protocol (ESP) check box.  
5. Select DES from the Encryption Alg menu.  
6. Select MD5 from the Hash Alg menu.  
7. Select Tunnel from the Encapsulation menu.  
8. Leave the Authentication Protocol (AH) check box unselected.  
Configuring Inbound VPN Client Keys  
1. Click Inbound Keys. The Inbound Keying Material box appears.  
2. Click Enter Key to define the encryption and authentication keys.  
3. Enter the SonicWALL Outgoing SPI in the Security Parameter Index field.  
4. Select Binary in the Choose key format options.  
5. Enter the SonicWALL 16-character Encryption Key in the ESP Encryption Key field.  
6. Enter the SonicWALL 32-character Authentication Key in the ESP Authentication Key field, then  
click OK.  
Configuring Outbound VPN Client Keys  
1. Click Outbound Keys. An Outbound Keying Material box is displayed.  
2. Click Enter Key to define the encryption and authentication keys.  
3. Enter the SonicWALL Incoming SPI in the Security Parameter Index field.  
4. Select Binary in the Choose key format menu.  
5. Enter the SonicWALL appliance 16-character Encryption Key in the ESP Encryption Key field.  
6. Enter the SonicWALL appliance 32-character Authentication Key in the ESP Authentication Key  
field and then click OK.  
Saving SonicWALL VPN Client Settings  
Select Save Changes in the File menu in the top left corner of the Security Policy Editor window.  
Verifying the VPN Tunnel as Active  
After configuring the VPN Client, you can verify that a secure tunnel is active and sending data  
securely across the connection. You can verify the connection by verifying the type of icon displayed  
in the system tray near the system clock.  
Open a command prompt window and ping an address on the remote network. The icon should turn  
green indicating an active connection.  
Verifying the VPN Client Icon in the System Tray  
The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows  
operating system. The icon changes to reflect the current status of your communication over the  
VPN tunnel.  
IKE and Manual Key Configuration for Two SonicWALLs  
VPN between two SonicWALLs allows users to securely access files and applications at remote  
locations. The first step to set up a VPN between two SonicWALLs is creating corresponding Security  
Associations (SAs). The instructions below describe how to create an SA using Manual Keying and  
Internet Key Exchange (IKE). These instructions are followed by an example illustrating a VPN tunnel  
between two SonicWALLs. Either Manual Key or IKE using Preshared Secret can be used to  
configure a VPN tunnel between two SonicWALLs.  
Manual Key for Two SonicWALLs  
Click VPN on the left side of the SonicWALL browser window, and then click the Configure tab.  
1. Select Manual Key from the IPSec Keying Mode menu.  
2. Select -Add New SA- from the Security Association menu.  
3. Enter a descriptive name for the Security Association, such as "Chicago Office" or "Remote  
Management", in the Name field.  
4. Enter the IP address of the remote VPN gateway in the IPSec Gateway Address field. This must  
be a valid IP address and is the remote VPN gateway NAT Public Address if NAT is enabled. Enter  
"0.0.0.0" if the remote VPN gateway has a dynamic IP address.  
5. Define an SPI (Security Parameter Index) that the remote SonicWALL uses to identify the  
Security Association in the Incoming SPI field.  
6. Define an SPI that the local SonicWALL uses to identify the Security Association in the Outgoing  
SPI field. SPIs should range from 3 to 8 characters in length and include only hexadecimal  
characters.  
Alert Each Security Association must have unique SPIs; no two Security Associations can share the  
same SPIs. However, each Security Association Incoming SPI can be the same as the Outgoing SPI.  
7. Select an encryption algorithm from the Encryption Method menu. Enter a 16-character  
hexadecimal key in the Encryption Key field if you are using DES or ARCFour encryption. Enter  
a 48-character hexadecimal key if you are using Triple DES encryption. This encryption key must  
match the remote SonicWALL's encryption key.  
When a new SA is created, a 48-character key is automatically generated in the Encryption Key  
field. This can be used as a valid key for Triple DES. If this key is used, it must also be entered  
in the Encryption Key field in the remote SonicWALL. If Tunnel Only (ESP NULL) or Authenticate  
(AH MD5) is used, the Encryption Key field is ignored.  
8. Enter a 32-character, hexadecimal key in the Authentication Key field.  
When a new SA is created, a 32-character key is automatically generated in the Authentication  
Key field. This key can be used as a valid key. If this key is used, it must also be entered in the  
Authentication Key field in the remote SonicWALL. If authentication is not used, this field is  
ignored.  
9. Click Add New Network... to enter the destination network addresses. Clicking Add New  
Network... automatically updates the VPN configuration and opens the VPN Destination  
Network window.  
10. Enter the beginning IP address of the remote network address range in the Range Start field. If  
NAT is enabled on the remote SonicWALL, enter a private LAN IP address. Enter "0.0.0.0" to  
accept all remote SonicWALLs with matching encryption and authentication keys.  
11. Enter the ending IP address of the remote network's address range in the Range End field. If  
NAT is enabled on the remote SonicWALL, enter a private LAN IP address. Enter "0.0.0.0" to  
accept all remote SonicWALLs with matching encryption and authentication keys.  
12. Enter the remote network subnet mask in the Destination Subnet Mask for NetBIOS broadcast  
field if Enable Windows Networking (NetBIOS) Broadcast is selected. Otherwise, enter "0.0.0.0"  
in the field.  
13. Click Update to add the remote network and close the VPN Destination Network window. Once  
the SonicWALL has been updated, a message confirming the update is displayed at the bottom  
of the browser window.  
14. Click Advanced Settings and check the boxes that apply to your SA:  
Enable Windows Networking (NetBIOS) broadcast - if the remote clients use Windows Network  
Neighborhood to browse remote networks.  
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in  
Standard mode.  
Route all internet traffic through this SA - if forcing internet traffic from the WAN to use this SA  
to access a remote site.  
Default LAN Gateway - if specifying the IP address of the default LAN route for incoming IPSec  
packets for this SA. This is used in conjunction with the Route all internet traffic through this SA  
check box.  
VPN Terminated at LAN, DMZ, or LAN/DMZ - select one of the three terminating points for the  
VPN tunnel.  
15. Click OK to close the Advanced Settings window. Then click Update to update the SonicWALL.  
Configuring the Second SonicWALL Appliance  
To configure the second SonicWALL appliance, follow the same configuration steps as the first  
SonicWALL. You must enter the same SPIs and Encryption keys as the first SonicWALL appliance  
into the settings of the second SonicWALL appliance.  
Example of Manual Key Configuration for Two SonicWALLs  
Widgit, Inc. wants to connect their main office with a branch office on the East Coast. Using a  
SonicWALL PRO 300 and a TELE3, they can configure a secure VPN tunnel between the two sites.  
The main office has the following network settings:  
SonicWALL LAN IP address - 192.168.11.1  
LAN subnet mask - 255.255.255.0  
WAN router address - 209.33.22.1  
SonicWALL WAN IP address - 209.33.22.2  
WAN subnet mask - 255.255.255.224  
The remote office has the following network settings:  
SonicWALL LAN IP address - 192.168.22.222  
LAN subnet mask - 255.255.255.0  
WAN router address - 207.66.55.129  
SonicWALL WAN IP address - 207.66.55.130  
WAN subnet mask - 255.255.255.248  
To configure the main office PRO 300, use the following steps:  
1. Configure the network settings for the firewall using the Network tab located in the General  
section.  
2. Click Update and restart the SonicWALL if necessary.  
3. Click VPN, then the Configure tab.  
4. Create a name for the main office SA, for example, Main Office.  
5. Enter the remote office WAN IP address for the IPSec Gateway Address.  
6. Create an Incoming SPI of 3 to 8 hexadecimal characters.  
7. Create an Outgoing SPI of 3 to 8 hexadecimal characters.  
8. Select Strong Encrypt (ESP 3DES) as the Encryption Method.  
9. Write the Encryption Key down or use cut and paste to copy it to a Notepad window.  
10. Click Add New Network. Enter the IP address, “192.168.22.1” in the Range Start field. Enter  
the IP address, “192.168.22.254” in the Range End field. This Range End value is appropriate  
even if NetBIOS broadcast support is enabled. Leave the subnet mask field blank. Click Update.  
11. Click Advanced Settings and select the features that apply to the SA.  
Enable Windows Networking (NetBIOS) broadcast - if the remote clients use Windows Network  
Neighborhood to browse remote networks.  
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in  
Standard mode.  
Route all internet traffic through this SA - if forcing Internet traffic from the WAN to use this SA  
to access a remote site.  
Default LAN Gateway - if specifying the IP address of the default LAN route for incoming IPSec  
packets for this SA. This is used in conjunction with the Route all internet traffic through this SA  
check box.  
VPN Terminated at LAN, DMZ, or LAN/DMZ - select one of the three terminating points for the  
VPN tunnel.  
12. Click OK, and then click Update.  
Configuring the Remote SonicWALL  
To configure the remote SonicWALL, use the following steps:  
1. Configure the network settings for the firewall using the Network tab located in the General  
section.  
2. Click Update and restart the SonicWALL if necessary.  
3. Click VPN, then the Configure tab.  
4. Create a name for the remote office SA, for example, Remote Office.  
5. Enter the main office WAN IP address for the IPSec Gateway Address.  
6. Enter the Outgoing SPI of the main office in the Incoming SPI field.  
7. Enter the Incoming SPI of the main office in the Outgoing SPI field.  
8. Select Strong Encrypt (ESP 3DES) as the Encryption Method.  
9. Enter the Encryption Key from the Main Office configuration.  
10. Click Add New Network. Enter the IP address, “192.168.11.1” in the Range Start field. Enter  
the IP address, “192.168.11.254” in the Range End field. This Range End value is appropriate  
even if NetBIOS broadcast support is enabled. Leave the subnet mask field blank. Click Update.  
11. Click Advanced Settings and select the features that apply to the SA.  
Enable Windows Networking (NetBIOS) broadcast - if the remote clients use Windows Network  
Neighborhood to browse remote networks.  
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in  
Standard mode.  
Forward packets to remote VPNs - if creating a “hub and spoke” network configuration.  
Route all internet traffic through this SA - if forcing internet traffic from the WAN to use this SA  
to access a remote site.  
Default LAN Gateway - if specifying the IP address of the default LAN route for incoming IPSec  
packets for this SA. This is used in conjunction with the Route all internet traffic through this SA  
check box.  
VPN Terminated at LAN, DMZ, or LAN/DMZ - select one of the three terminating points for the  
VPN tunnel.  
12. Click OK, and then click Update.  
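The Manual Key procedure and the Widgit, Inc. example above leave it to the operator to keep SPIs, keys and addresses mirrored by hand, and a mismatch is the usual reason such a tunnel never passes traffic. The following Python checker is an added example, not SonicWALL code: it encodes the field rules from the procedure (SPI format, key length per Encryption Method, unique SPIs per appliance, mirrored SPIs and keys, gateway and destination addresses) and runs them against the example's addresses. The method labels, SPIs and keys in it are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

HEX = re.compile(r"^[0-9a-fA-F]+$")
AUTH_KEY_HEX_LEN = 32

# Encryption Method -> (required Encryption Key hex length, or None if the field
# is ignored; whether the Authentication Key is used). The left-hand labels are
# this script's shorthand for the menu entries, not the exact menu text.
METHODS = {
    "ESP NULL": (None, False),   # Tunnel Only
    "AH MD5": (None, True),      # Authenticate only
    "DES": (16, False),
    "ARCFour": (16, False),
    "3DES": (48, False),         # Strong Encrypt (ESP 3DES)
}

@dataclass
class ManualKeySA:
    name: str
    local_wan: str          # this appliance's WAN IP ("0.0.0.0" if dynamic)
    local_lan: str          # this appliance's LAN, e.g. "192.168.11.0/24"
    gateway: str            # IPSec Gateway Address (the peer's WAN IP)
    incoming_spi: str
    outgoing_spi: str
    encryption: str         # a key of METHODS
    encryption_key: str
    authentication_key: str
    range_start: str        # VPN Destination Network Range Start
    range_end: str          # VPN Destination Network Range End

def _is_hex(value, length):
    return len(value) == length and HEX.match(value) is not None

def check_fields(sa):
    """Per-field rules from steps 5 to 11 of the Manual Key procedure."""
    problems = []
    for label, spi in (("Incoming", sa.incoming_spi), ("Outgoing", sa.outgoing_spi)):
        if not (3 <= len(spi) <= 8 and HEX.match(spi)):
            problems.append(f"{sa.name}: {label} SPI must be 3-8 hexadecimal characters")
    if sa.encryption not in METHODS:
        return problems + [f"{sa.name}: unknown Encryption Method {sa.encryption!r}"]
    enc_len, uses_auth = METHODS[sa.encryption]
    if enc_len is not None and not _is_hex(sa.encryption_key, enc_len):
        problems.append(f"{sa.name}: {sa.encryption} needs a {enc_len}-character hex Encryption Key")
    if uses_auth and not _is_hex(sa.authentication_key, AUTH_KEY_HEX_LEN):
        problems.append(f"{sa.name}: Authentication Key must be 32 hexadecimal characters")
    # The destination range is the remote LAN; it must not fall inside the local LAN.
    if sa.range_start != "0.0.0.0":
        lan = ipaddress.ip_network(sa.local_lan)
        for ip in (sa.range_start, sa.range_end):
            if ipaddress.ip_address(ip) in lan:
                problems.append(f"{sa.name}: destination {ip} lies inside the local LAN {lan}")
    return problems

def check_spi_uniqueness(sas):
    """Alert under step 6: no two SAs on one appliance may share an SPI."""
    problems, owner = [], {}
    for sa in sas:
        for spi in {sa.incoming_spi, sa.outgoing_spi}:   # in == out within one SA is allowed
            if owner.setdefault(spi, sa.name) != sa.name:
                problems.append(f"SPI {spi} is used by both {owner[spi]} and {sa.name}")
    return problems

def check_pair(a, b):
    """Checks that the SAs on the two appliances mirror each other."""
    problems = check_fields(a) + check_fields(b)
    if a.incoming_spi != b.outgoing_spi or a.outgoing_spi != b.incoming_spi:
        problems.append("SPIs are not mirrored: each Incoming SPI must equal the peer's Outgoing SPI")
    for field in ("encryption", "encryption_key", "authentication_key"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} differs between {a.name} and {b.name}")
    if a.gateway == "0.0.0.0" and b.gateway == "0.0.0.0":
        problems.append("only one of the two gateways may have a dynamic IP address")
    for local, peer in ((a, b), (b, a)):
        if local.gateway not in ("0.0.0.0", peer.local_wan):
            problems.append(f"{local.name}: IPSec Gateway Address {local.gateway} is not "
                            f"{peer.name}'s WAN address {peer.local_wan}")
        if local.range_start != "0.0.0.0":
            peer_lan = ipaddress.ip_network(peer.local_lan)
            if not all(ipaddress.ip_address(ip) in peer_lan
                       for ip in (local.range_start, local.range_end)):
                problems.append(f"{local.name}: destination range is not inside {peer.name}'s LAN {peer_lan}")
    return problems

# Constructed sample using the Widgit, Inc. addresses above; SPIs and keys are
# placeholders made up for this script, not values to deploy.
ENC_KEY = "0123456789abcdef" * 3    # 48 hex characters, as Triple DES requires
AUTH_KEY = "fedcba9876543210" * 2   # 32 hex characters
MAIN = ManualKeySA("Main Office", "209.33.22.2", "192.168.11.0/24", "207.66.55.130",
                   "1a2b3c", "4d5e6f", "3DES", ENC_KEY, AUTH_KEY,
                   "192.168.22.1", "192.168.22.254")
REMOTE = ManualKeySA("Remote Office", "207.66.55.130", "192.168.22.0/24", "209.33.22.2",
                     "4d5e6f", "1a2b3c", "3DES", ENC_KEY, AUTH_KEY,
                     "192.168.11.1", "192.168.11.254")
```

`check_pair(MAIN, REMOTE)` returns an empty list for the consistent pair; swapping one side's SPIs or changing its Encryption Method produces a finding naming the offending field.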
IKE Configuration for Two SonicWALLs  
An alternative to Manual Key configuration is Internet Key Exchange (IKE). IKE transparently  
negotiates encryption and authentication keys. The two SonicWALL appliances authenticate the IKE  
VPN session by matching preshared keys and IP addresses or Unique Firewall Identifiers.  
To create an IKE Security Association, click VPN on the left side of the browser window, and then  
click the Configure tab.  
1. Select IKE using pre-shared secret from the IPSec Keying Mode menu.  
2. Select -Add New SA- from the Security Association menu.  
3. Enter a descriptive name for the Security Association, such as "Palo Alto Office" or "NY  
Headquarters", in the Name field.  
4. Enter the IP address of the remote SonicWALL in the IPSec Gateway Address field. This address  
must be valid, and should be the NAT Public IP Address if the remote SonicWALL uses Network  
Address Translation (NAT).  
Alert If the remote SonicWALL has a dynamic IP address, enter "0.0.0.0" in the IPSec Gateway  
Address field. The remote SonicWALL initiates IKE negotiation in Aggressive Mode because it has a  
dynamic IP address, and authenticates using the SA Names and Unique Firewall Identifiers rather  
than the IP addresses. Therefore, the SA Name for the SonicWALL must match the opposite  
SonicWALL Unique Firewall Identifier.  
5. Select Main Mode from the Exchange menu.  
6. Select Group 1 from the Phase 1 DH Group menu.  
7. Define the length of time before an IKE Security Association automatically renegotiates in the  
SA Life Time (secs) field. The SA Life Time can range from 120 to 2,500,000 seconds.  
Tip A short SA Life Time increases security by forcing the two VPN gateways to update the encryption  
and authentication keys. However, every time the VPN tunnel renegotiates, users accessing remote  
resources are disconnected. Therefore, the default SA Life Time of 28,800 seconds (8 hours) is  
recommended.  
8. Select 3DES & SHA1 from the Phase 1 Encryption/Authentication menu.  
9. Select Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) from the Phase 2 Encryption/  
Authentication menu. Enter an alphanumeric “secret” in the Shared Secret field. The Shared  
Secret must match the corresponding field in the remote SonicWALL. This field can range from  
4 to 128 characters in length and is case sensitive.  
10. Click Add New Network... to define the destination network addresses. Clicking Add New  
Network... updates the VPN configuration and opens the VPN Destination Network window.  
11. Enter the IP address of the remote network in the Network field. This address is a private  
address if the remote LAN has enabled NAT.  
12. Enter the subnet mask of the remote network in the Subnet mask field.  
13. Click Update to add the remote network and close the VPN Destination Network window. Once  
the SonicWALL has been updated, a message confirming the update is displayed at the bottom  
of the browser window.  
14. Click Advanced Settings and select the boxes that apply to your SA:  
Enable Keep Alive - if you want to maintain the current connection by listening for traffic on the  
network segment between the two connections.  
Enable Windows Networking (NetBIOS) broadcast - if remote clients use Windows Network  
Neighborhood to browse remote networks.  
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in  
Standard mode.  
Forward packets to remote VPNs - if creating a “hub and spoke” network configuration.  
Enable Perfect Forward Secrecy - if you want to add another layer of security by adding an  
additional Diffie-Hellman key exchange.  
Phase 2 DH Group - select the level of Phase 2 DH key exchange if Perfect Forward Secrecy is  
enabled.  
Default LAN Gateway - if specifying the IP address of the default LAN route for incoming IPSec  
packets for this SA. This is used in conjunction with the Route all internet traffic through this SA  
check box.  
VPN Terminated at LAN, DMZ, or LAN/DMZ - select one of the three terminating points for the  
VPN tunnel.  
15. Click OK to close the Advanced Settings window. Click Update to apply the changes to the  
SonicWALL.  
Example of IKE Configuration for Two SonicWALLs  
The following example illustrates the steps necessary to create an IKE VPN tunnel between a  
SonicWALL PRO 200 and a SonicWALL TELE3.  
A company wants to use VPN to link two offices together, one in Chicago and the other in San  
Francisco. To do this, the SonicWALL PRO 200 in Chicago and the SonicWALL TELE3 in San  
Francisco must have corresponding Security Associations.  
Configuring a SonicWALL PRO 200 in Chicago  
1. Enter the SonicWALL PRO 200 Unique Firewall Identifier in the VPN Summary window. In this  
example, it is "Chicago Office”.  
2. Create a new Security Association by selecting -Add New SA- from the Security Association  
menu in the VPN Configure window.  
3. Select IKE using pre-shared secret from the IPSec Keying Mode menu.  
4. Because the SonicWALL TELE3 does not have a permanent WAN IP address, the SonicWALL  
PRO 200 must authenticate the VPN session by matching the Name of the SA with the TELE3  
Unique Firewall Identifier. Enter the TELE3 Unique Firewall Identifier in the Name field, in this  
example, "San Francisco Office."  
5. Enter the WAN IP address of the remote SonicWALL in the IPSec Gateway Address field. In this  
example, the San Francisco SonicWALL TELE3 has a dynamic IP address; therefore, enter  
"0.0.0.0" in the IPSec Gateway Address field.  
Alert Only one of the two IPSec gateways can have a dynamic IP address when using SonicWALL  
VPN.  
6. Select Main Mode from the Exchange menu.  
7. Select Group 1 from the Phase 1 DH Group menu.  
8. Enter "28800" in the SA Life time (secs) field to renegotiate IKE encryption and authentication  
keys every 8 hours.  
9. Select 3DES & SHA1 from the Phase 1 Encryption/Authentication menu.  
10. Select a VPN encryption method from the Phase 2 Encryption/Authentication menu. Since data  
throughput and security are the primary concern, select Encrypt and Authenticate (ESP 3DES  
HMAC SHA1).  
11. Define a Shared Secret. Write down this key as it is required when configuring the San Francisco  
Office SonicWALL TELE3.  
12. Click Add New Network... to open the VPN Destination Network window and enter the  
destination network addresses.  
13. Enter the IP address and subnet mask of the destination network, the San Francisco office, in  
the Network and Subnet Mask fields. Since NAT is enabled at the San Francisco office, enter a  
private LAN IP address. In this example, enter "192.168.1.1" and subnet mask  
"255.255.255.0." Click OK to add the destination network address.  
Alert The Destination Network Address must NOT be in the local network address range. Therefore,  
the San Francisco and Chicago offices must have different LAN IP address ranges.  
14. Click Advanced Settings. Select the following boxes that apply to your SA:  
Enable Keep Alive - if you want to maintain the current connection by listening for traffic on the  
network segment between the two connections.  
Enable Windows Networking (NetBIOS) broadcast - if remote clients use Windows Network  
Neighborhood to browse remote networks.  
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in  
Standard mode.  
Forward packets to remote VPNs - if creating a “hub and spoke” network configuration.  
Enable Perfect Forward Secrecy - if you want to add another layer of security by adding an  
additional Diffie-Hellman key exchange.  
Phase 2 DH Group - select the type of DH key exchange in Phase 2 for Perfect Forward Secrecy.  
Default LAN Gateway - if specifying the IP address of the default LAN route for incoming IPSec  
packets for this SA. This is used in conjunction with the Route all internet traffic through this SA  
check box.  
VPN Terminated at LAN, DMZ, or LAN/DMZ - select one of the three terminating points for the  
VPN tunnel.  
15. Click Update to add the Security Association. Once the SonicWALL PRO 200 is updated, a  
message confirming the update is displayed at the bottom of the browser window.  
Configuring a SonicWALL TELE3 in San Francisco  
1. Enter the SonicWALL TELE3 Unique Firewall Identifier in the VPN Summary window, in this  
example, "San Francisco Office." Click Update.  
2. Click Configure and select -Add New SA- from the Security Association menu.  
3. Select IKE using pre-shared secret from the IPSec Keying Mode menu.  
4. Enter the SonicWALL PRO 200 Unique Firewall Identifier in the SonicWALL TELE3 Name field,  
in this example, "Chicago Office."  
5. Enter the SonicWALL PRO 200 WAN IP Address in the IPSec Gateway Address field. This address  
must be valid, and is the SonicWALL PRO 200 NAT Public Address, or "216.0.0.20."  
6. Select Group 2 from the Phase 1 DH Group menu.  
7. Enter 28800 in the SA Life time (secs) field to renegotiate keys every 8 hours.  
8. Select 3DES & SHA1 from the Phase 1 Encryption/Authentication menu.  
9. Select the encryption algorithm from the Phase 2 Encryption/Authentication menu. The San  
Francisco office Phase 2 Encryption/Authentication must match Chicago, so Encrypt and  
Authenticate (ESP 3DES HMAC SHA1) must be selected.  
10. Enter the same Shared Secret used in the Chicago Office SonicWALL PRO 200 into the  
SonicWALL TELE3 Shared Secret field.  
11. Click Add New Network... to open the VPN Destination Network window and define the  
destination network addresses.  
12. Enter the IP address and subnet mask of the destination network, the Chicago office, in the  
Network and Subnet Mask fields. Since NAT is enabled at the Chicago office, enter a private LAN  
IP address. In this example, enter "192.168.2.1" and subnet mask "255.255.255.0."  
13. Click Advanced Settings. Select the following boxes that apply to your SA:  
Enable Keep Alive - if you want to maintain the current connection by listening for traffic on the  
network segment between the two connections.  
Enable Windows Networking (NetBIOS) broadcast - if remote clients use Windows Network  
Neighborhood to browse remote networks.  
Apply NAT and firewall rules - to apply NAT and firewall rules to the SA or just firewall rules if in  
Standard mode.  
Forward packets to remote VPNs - if creating a “hub and spoke” network configuration.  
Enable Perfect Forward Secrecy - if you want to add another layer of security by adding an  
additional Diffie-Hellman key exchange.  
Phase 2 DH Group - select the type of DH key exchange in Phase 2 for Perfect Forward Secrecy.  
Default LAN Gateway - if specifying the IP address of the default LAN route for incoming IPSec  
packets for this SA. This is used in conjunction with the Route all internet traffic through this SA  
check box.  
VPN Terminated at LAN, DMZ, or LAN/DMZ - select one of the three terminating points for the  
VPN tunnel.  
14. Click Update to add the remote network and close the VPN Destination Network window. Once  
the SonicWALL TELE3 has been updated, a message confirming the update is displayed at the  
bottom of the browser window.  
Tip Since Windows Networking (NetBIOS) has been enabled, users can view remote computers in  
their Windows Network Neighborhood. Users can also access resources on the remote LAN by  
entering the remote IP addresses of servers or workstations.  
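The IKE procedure and the Chicago / San Francisco example above impose several cross-appliance rules that the management interface cannot verify for you: matching Phase 1 and Phase 2 selections and Shared Secret, at most one dynamic gateway, SA Names that equal the opposite Unique Firewall Identifier when a peer is dynamic, and destination networks outside the local range. The following Python checker is an added example, not SonicWALL code; it models the two SAs of the example (with the same Phase 1 DH Group on both sides, since the two appliances must agree on it) and the shared secret in it is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

LIFETIME_RANGE = (120, 2_500_000)   # SA Life Time (secs) limits, step 7
SECRET_LENGTH = (4, 128)            # Shared Secret length limits, step 9

@dataclass
class IkeSA:
    name: str            # SA Name
    firewall_id: str     # this appliance's Unique Firewall Identifier
    local_wan: str       # this appliance's WAN IP ("0.0.0.0" if dynamic)
    local_lan: str       # this appliance's LAN, e.g. "192.168.2.0/24"
    gateway: str         # IPSec Gateway Address ("0.0.0.0" if the peer is dynamic)
    phase1_dh_group: int
    lifetime: int        # SA Life Time (secs)
    phase1: str          # Phase 1 Encryption/Authentication
    phase2: str          # Phase 2 Encryption/Authentication
    shared_secret: str
    dest_network: str    # VPN Destination Network address field
    dest_mask: str       # VPN Destination Network subnet mask field

def destination(sa):
    # The UI takes a host address plus mask, e.g. "192.168.1.1" / "255.255.255.0";
    # strict=False normalises that to the network 192.168.1.0/24.
    return ipaddress.ip_network(f"{sa.dest_network}/{sa.dest_mask}", strict=False)

def check_fields(sa):
    """Per-field rules from the IKE procedure above, applied to one SA."""
    problems = []
    lo, hi = LIFETIME_RANGE
    if not lo <= sa.lifetime <= hi:
        problems.append(f"{sa.name}: SA Life Time {sa.lifetime} is outside {lo}-{hi} seconds")
    lo, hi = SECRET_LENGTH
    if not lo <= len(sa.shared_secret) <= hi:
        problems.append(f"{sa.name}: Shared Secret must be {lo}-{hi} characters")
    lan, dest = ipaddress.ip_network(sa.local_lan), destination(sa)
    if lan.overlaps(dest):   # Alert after step 13: destination must not be in the local range
        problems.append(f"{sa.name}: destination network {dest} overlaps the local LAN {lan}")
    return problems

def check_pair(a, b):
    """Checks that the SAs on the two appliances can negotiate with each other."""
    problems = check_fields(a) + check_fields(b)
    for field in ("phase1_dh_group", "phase1", "phase2"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} differs: {getattr(a, field)!r} vs {getattr(b, field)!r}")
    if a.shared_secret != b.shared_secret:   # case sensitive, as the appliance compares it
        problems.append("Shared Secret differs between the two appliances")
    if a.gateway == "0.0.0.0" and b.gateway == "0.0.0.0":
        problems.append("only one of the two IPSec gateways may have a dynamic IP address")
    uses_dynamic_peer = "0.0.0.0" in (a.gateway, b.gateway)
    for local, peer in ((a, b), (b, a)):
        if local.gateway == "0.0.0.0" and peer.local_wan != "0.0.0.0":
            problems.append(f"{local.name}: gateway is 0.0.0.0 but the peer has static address {peer.local_wan}")
        if local.gateway not in ("0.0.0.0", peer.local_wan):
            problems.append(f"{local.name}: IPSec Gateway Address {local.gateway} is not the peer WAN address {peer.local_wan}")
        # With a dynamic peer the session authenticates by name (Aggressive Mode), so the
        # SA Name must equal the opposite appliance's Unique Firewall Identifier.
        if uses_dynamic_peer and local.name != peer.firewall_id:
            problems.append(f"SA Name {local.name!r} must match the peer's Unique Firewall Identifier {peer.firewall_id!r}")
        if destination(local) != ipaddress.ip_network(peer.local_lan):
            problems.append(f"{local.name}: destination {destination(local)} is not the peer's LAN {peer.local_lan}")
    return problems

# Constructed sample following the Chicago / San Francisco example above; the
# shared secret is a placeholder made up for this script.
SECRET = "example-preshared-secret"
CHICAGO = IkeSA(name="San Francisco Office", firewall_id="Chicago Office",
                local_wan="216.0.0.20", local_lan="192.168.2.0/24", gateway="0.0.0.0",
                phase1_dh_group=1, lifetime=28800, phase1="3DES & SHA1",
                phase2="ESP 3DES HMAC SHA1", shared_secret=SECRET,
                dest_network="192.168.1.1", dest_mask="255.255.255.0")
SAN_FRANCISCO = IkeSA(name="Chicago Office", firewall_id="San Francisco Office",
                      local_wan="0.0.0.0", local_lan="192.168.1.0/24", gateway="216.0.0.20",
                      phase1_dh_group=1, lifetime=28800, phase1="3DES & SHA1",
                      phase2="ESP 3DES HMAC SHA1", shared_secret=SECRET,
                      dest_network="192.168.2.1", dest_mask="255.255.255.0")
```

`check_pair(CHICAGO, SAN_FRANCISCO)` returns an empty list; changing one side's DH group, renaming an SA, or pointing a destination at the local LAN each produces a finding that names the rule broken.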
SonicWALL Third Party Digital Certificate Support  
Tip This section assumes that you are familiar with Public Key Infrastructure (PKI) and the  
implementation of digital certificates with VPN.  
A digital certificate is an electronic means to verify identity by a trusted third party known as a  
Certificate Authority (CA). SonicWALL now supports third party certificates in addition to the existing  
Authentication Service. The difference between third party certificates and the SonicWALL  
Authentication Service is the ability to select the source for your CA certificate. Using Certificate  
Authority Certificates and Local Certificates is a more manual process than using the SonicWALL  
Authentication Service; therefore, experience with implementing Public Key Infrastructure (PKI) is  
necessary to understand the key components of digital certificates.  
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital  
signatures to authenticate peer devices before setting up security associations. Without digital  
signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric keys.  
Devices using digital signatures do not require configuration changes every time a new device is  
added to the network.  
SonicWALL has implemented X.509v3 as its certificate form and CRLv2 for its certificate revocation  
list.  
SonicWALL supports the following two vendors of Certificate Authority Certificates:  
VeriSign  
Entrust  
Overview of Third Party Digital Certificate Support  
X.509 Version 3 Certificate Standard  
X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows  
you to define extensions which you can include with your certificate. SonicWALL has implemented  
this standard in its third party certificate support. You can use a certificate signed and verified by a  
third party CA to use with a VPN SA.  
A typical certificate consists of two sections: a data section and a signature section. The data section  
typically contains information such as the version of X.509 supported by the certificate, a certificate  
serial number, information about the user’s public key, the Distinguished Name (DN), the validity  
period of the certificate, and optional information such as the target use of the certificate.  
The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital  
signature.  
To implement the use of certificates for VPN SAs, you must locate a source for a valid CA certificate  
from a third party CA service. Once you have a valid CA certificate, you can import it into the  
SonicWALL to validate your Local Certificates.  
Importing CA Certificates into the SonicWALL  
After your CA service has validated your CA Certificate, you can import it into the SonicWALL and use  
it to validate Local Certificates for VPN Security Associations. To import your CA Certificate into the  
SonicWALL, use the following steps:  
1. Click VPN, then CA Certificates.  
2. Click Browse, and locate the PKCS#7 or DER encoded file sent by the CA service.  
3. Click Open to set the directory path to the certificate, and then click Import to import the  
certificate into the SonicWALL. Once it is imported, you can view the Certificate Details.  
Certificate Details  
The Certificate Details section lists the following information:  
Certificate Authority  
Subject Distinguished Name  
Certificate Issuer  
Certificate Serial Number  
Expiration Date  
No CRL loaded/CRL Expires on  
The Certificate Issuer, Certificate Serial Number, and the Expiration Date are generated by the CA  
service. The information is used when a Generate Certificate Signing Request is created and sent  
to your CA service for validation.  
To delete the certificate, click Delete This Certificate. You can delete a certificate if it has expired or  
if you decide not to use Third Party Certificates for VPN authentication. Click Export This CA  
Certificate to export the file to your hard drive or a floppy disk.  
Importing Certificate with private key  
After a certificate is signed by the CA and returned to you, you can import the certificate into the  
SonicWALL to be used as a Local Certificate for a VPN Security Association. Use the following steps  
to import the certificate into the SonicWALL:  
1. In the Import Certificate with private key section of Local Certificates, enter the Certificate  
Name.  
2. Enter the Certificate Management Password. This password was created when you exported  
your signed certificate.  
3. Use Browse to locate the certificate file.  
4. Click Import, and the certificate appears in the list of Current Certificates.  
5. To view details about the certificate, select it from the list of Current Certificates.  
Certificate Details  
Both Certificate Requests and validated Certificates appear in the list of Current Certificates. The  
Certificate Details section lists the same information as the CA Certificate Details section, but a  
Status entry now appears in the details. If a certificate is valid and ready to be used with a VPN  
Security Association, the Status is Verified. If the certificate is not signed by the CA, the Status is  
Request Generated. You can also import the corresponding Signed Certificate in this section.  
Additionally, Certificate Signing Requests can be exported and deleted in the Certificate Details  
section of a Request Generated certificate.  
Certificate Revocation List (CRL)  
A Certificate Revocation List (CRL) is a way to check the validity of an existing certificate. A certificate  
may be invalid for several reasons:  
It is no longer needed.  
A certificate was stolen or compromised.  
A new certificate was issued that takes precedence over the old certificate.  
If a certificate is invalid, the CA may publish the certificate on a Certificate Revocation List at a given  
interval, or on an online server in an X.509 v3 database using Online Certificate Status Protocol  
(OCSP). Consult your CA provider for specific details on locating a CRL file or URL.  
Tip The SonicWALL supports obtaining the CRL via HTTP or manually downloading the list.  
You can import the CRL by locating the URL and then importing it into the SonicWALL. Certificates  
are checked against the CRL by the SonicWALL for validity when they are used.  
You can also enter a URL location of the CRL by entering the address in the Enter CRL’s location for  
this CA (URL) field. The CRL is downloaded automatically at intervals determined by the CA service.  
Creating a Certificate Signing Request  
To create a certificate for use with a VPN SA, follow these steps:  
Tip You should create a Certificate Policy to be used in conjunction with local certificates. A Certificate  
Policy determines the authentication requirements and the authority limits required for the  
validation of a certificate.  
1. Click VPN, then Local Certificates.  
2. In the Generate Certificate Signing Request section, enter a name for the certificate in the  
Certificate Name field. Using the drop down menus, enter information for the certificate  
request. As you enter information in the Request fields, the Distinguished Name (DN) is created.  
You may also attach an optional Subject Alternative Name to the certificate such as the Domain  
Name or E-mail Address.  
3. The Subject Key type is preset as an RSA algorithm. RSA is a public key cryptographic algorithm  
used for encrypting data.  
4. Select a Subject Key size from the Subject Key Size menu.  
5. Not all key sizes are supported by every Certificate Authority, so check with your  
Certificate Authority for supported key sizes.  
6. Click Generate to create a certificate file.  
7. Once the Certificate Signing Request is generated, a message describing the result is displayed.  
8. Click Export to download the file to your computer, and then click Save to save it to a directory  
on your computer.  
9. Now that you have generated the Certificate Request, you can send it to your CA service for  
validation.  
Importing a Signed Local Certificate  
When the CA service returns the signed certificate request generated locally, import it into the  
SonicWALL using the following steps:  
1. In the Current Certificates section of Local Certificates, select the corresponding request from  
the Certificates menu.  
2. Click Browse, and select the *.der file from the Choose File dialog box.  
3. Click Import Certificate.  
4. The certificate is now updated to Verified, and you can now use it for a VPN SA using a third party  
certificate.  
Configuring a VPN Security Association using IKE and a Third Party Certificate  
To create a VPN SA using IKE and third party certificates, follow these steps:  
1. Click VPN, then Configure. In the Add/Modify IPSec Associations section, Select IKE using 3rd  
Party Certificates from the IPSec Keying Mode menu.  
2. Enter a Name for the Security Association in the Name field.  
3. Select a certificate from the Select Certificate list.  
4. Enter the Gateway address in the IPSec Gateway Address field.  
5. In the Security Policy section, select the type of DH group from the Phase 1 DH Group menu.  
6. The SA Lifetime (secs) automatically defaults to 28800 seconds (8 hours).  
7. Select the type of Phase 1 Encryption/Authentication from the menu.  
8. Select the type of Phase 2 Encryption/Authentication from the menu.  
9. In the Peer Certificate’s ID section, you must select the ID Type from the ID Type menu. You can  
select Distinguished Name, E-mail ID, or Domain Name from the menu. Then cut and paste the  
information from the Local Certificate into the text field.  
10. In the Destination Networks section, select the type of destination for the VPN tunnel:  
- Use this SA as default route for all Internet traffic can be used for only one SA, and routes all  
VPN traffic destined for the WAN through the SA.  
- Destination network obtains IP addresses using DHCP through this SA to allow computers at  
the VPN destination to obtain IP addresses using DHCP over VPN.  
- Specify destination network below if the VPN destination is a specific IP address.  
11. Click Add New Network... Enter the network IP address and subnet mask in the fields, and click  
OK.  
SonicWALL Enhanced VPN Logging  
If Network Debug is selected in the Log Settings tab panel, detailed logs are kept of the VPN  
negotiations with the SonicWALL appliance. Enhanced VPN Logging is useful for troubleshooting VPN  
connections when problems occur with them.  
To use the enhanced VPN Logging feature, perform the following steps:  
1. Click Log on the left side of the management interface.  
2. Click on the Logging Settings tab, and locate the Network Debug check box.  
3. Select the Network Debug check box, and then click Update to enable the Network Debug  
setting.  
Testing a VPN Tunnel Connection Using PING
To verify that your VPN tunnel is working properly, ping the IP address of a computer on the
remote network. Ping sends ICMP echo request packets to the remote host, and the host replies to
each packet it receives. Your administrator supplies the remote IP address to use for testing.
Note that a reply requires the remote host and the firewall rules on both ends to permit ICMP
echo requests and replies; if ping is blocked by policy, a timeout does not by itself mean the
tunnel is down. The following steps explain how to ping a remote IP address.
1. Click the Windows Start button in the lower left corner of the desktop, click Run, and type
command in the Open box. A DOS window opens to the C:\> prompt.
2. Type ping followed by the IP address of the remote host, and press Enter.
3. A successful ping displays a reply line for each packet, including the round-trip time. An
unsuccessful ping returns the message Request timed out.
If you are unable to ping the remote network, wait a few minutes for the VPN tunnel to become  
established, and try pinging the network again. If you are still unable to ping the remote network,  
contact your network administrator.  
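The reachability check above, scripted so it can be repeated, is shown here as an added example; it is not part of the SonicWALL guide or the appliance's own tooling. It wraps the operating system's ping command, classifies the output the way the guide describes (a reply line per packet versus Request timed out), and retries for a while because the tunnel may take a few minutes to come up. The remote address 10.10.20.5 and the sample ping outputs are constructed placeholders.

```python
"""Verify a VPN tunnel passes traffic by pinging a host on the remote network.

Added example, not SonicWALL code. Wraps the operating system's ping command,
classifies its output (a reply per packet versus Request timed out), and retries
because the tunnel may take a few minutes to come up after the first packets.
"""
import platform
import re
import subprocess
import sys
import time

# One reply line per answered packet: Windows "Reply from X: bytes=32 ..." or
# POSIX "64 bytes from X: ...". Windows also prints "Reply from X: Destination
# host unreachable", which the first pattern deliberately does not match.
_REPLY = re.compile(r"(reply from \S+: bytes=|\d+ bytes from)", re.IGNORECASE)
_FAILURE = re.compile(r"(request timed out|destination (?:host|net) unreachable)",
                      re.IGNORECASE)


def classify_ping_output(output: str) -> str:
    """Return 'reachable', 'unreachable' or 'unknown' for one ping run's text."""
    replies = len(_REPLY.findall(output))
    failures = len(_FAILURE.findall(output))
    if replies:
        return "reachable"      # at least one packet crossed the tunnel and came back
    if failures:
        return "unreachable"    # every packet timed out or was rejected
    return "unknown"            # no ping output worth interpreting


def ping_once(host: str, count: int = 4, timeout_s: int = 20) -> str:
    """Run the platform's ping once and classify what it printed."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        done = subprocess.run(["ping", count_flag, str(count), host],
                              capture_output=True, text=True, timeout=timeout_s)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return classify_ping_output(done.stdout + done.stderr)


def wait_for_tunnel(host: str, attempts: int = 6, delay_s: int = 30, ping=ping_once) -> bool:
    """Ping until the remote host answers or the attempts run out.

    The guide says to wait a few minutes and retry if the first ping fails;
    6 attempts 30 s apart cover that. `ping` is injectable for testing.
    """
    for attempt in range(1, attempts + 1):
        status = ping(host)
        print(f"attempt {attempt}/{attempts}: {host} is {status}")
        if status == "reachable":
            return True
        if attempt < attempts:
            time.sleep(delay_s)
    return False


# Constructed sample outputs (not captured from a real tunnel) for the demo.
SAMPLE_WINDOWS_OK = ("Pinging 10.10.20.5 with 32 bytes of data:\n"
                     "Reply from 10.10.20.5: bytes=32 time=41ms TTL=126\n"
                     "Reply from 10.10.20.5: bytes=32 time=39ms TTL=126\n")
SAMPLE_WINDOWS_TIMEOUT = ("Pinging 10.10.20.5 with 32 bytes of data:\n"
                          "Request timed out.\nRequest timed out.\n")
SAMPLE_POSIX_OK = "64 bytes from 10.10.20.5: icmp_seq=1 ttl=63 time=40.1 ms\n"

if __name__ == "__main__":
    for name, text in (("windows ok", SAMPLE_WINDOWS_OK),
                       ("windows timeout", SAMPLE_WINDOWS_TIMEOUT),
                       ("posix ok", SAMPLE_POSIX_OK)):
        print(f"{name}: {classify_ping_output(text)}")
    if len(sys.argv) > 1:        # python vpn_ping.py 10.10.20.5  (remote host from your admin)
        sys.exit(0 if wait_for_tunnel(sys.argv[1]) else 1)
```

Run it with the remote address your administrator gave you as the only argument; exit status 0 means a reply arrived within the retry window. A result of "unknown" means ping itself could not be run or printed nothing recognizable, which is a problem on the local machine rather than with the tunnel.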
Configuring Windows Networking  
After you have successfully pinged the remote host and confirmed that your VPN tunnel is working,  
your administrator can ask you to configure your computer for Windows Networking. By configuring  
your computer for Windows® Networking, you are able to browse the remote network using Network  
Neighborhood. Before logging into the remote network, you must get the following information from  
your administrator:  
Server Account information including your username and password  
Domain Name  
WINS Server IP Address  
Internal DNS (optional)  
Use the following steps to configure Windows Networking on your computer (Windows 98):
1. Click Start, then Control Panel. Locate the Network icon and double-click it.  
2. Select Client for Microsoft Networks from the list, and then click Properties.  
3. Select the Logon to Windows NT Domain check box, and enter the domain name provided by  
your administrator into the Windows NT domain text box. Select Quick Logon under Network  
logon options section.  
4. Click on the Identification tab, and enter the domain name provided by your administrator in the  
Workgroup text box.  
5. Click on TCP/IP or Dial-Up Adapter, and then Properties. Click the WINS Configuration tab, and  
select Enable WINS Resolution. Enter the WINS server IP address given to you by the  
administrator, and click Add. The WINS server address now appears in the text box below the  
address entry box.  
6. If your administrator has given you an internal DNS address, click the DNS Configuration tab  
and enter the DNS IP address.  
7. Windows 98® users must restart their computer for the settings to take effect, and then log into  
the remote domain.  
Windows 2000® users should consult their network administrators for instructions to set up the  
remote domain access.  
If your remote network does not have a network domain server, you cannot set up a WINS server  
and browse the network using Network Neighborhood.  
To access shared resources on remote computers, you must know the private IP address of the  
remote computer, and use the Find tool in the Start menu. Type in the IP address into the Computer  
Named text box, and click Find Now. To access the computer remotely, double-click on the computer  
icon in the box.  
14 High Availability  
Given the critical nature of Internet connections, SonicWALL High Availability is standard on the  
SonicWALL product line. SonicWALL High Availability eliminates network downtime by allowing the  
configuration of two SonicWALLs (one primary and one backup) as a High Availability pair. In this  
configuration, the backup SonicWALL monitors the primary SonicWALL and takes over operation in  
the event of a failure. This ensures a secure and reliable connection between the protected network  
and the Internet.  
Before Configuring High Availability  
Before attempting to configure two SonicWALLs as a High Availability pair, check the following  
requirements:  
You have two (2) SonicWALL Internet Security Appliances. The High Availability pair must consist  
of two identical SonicWALL models.  
You have at least one (1) valid, static IP address available from your Internet Service Provider
(ISP). Two (2) valid, static IP addresses are required to remotely manage both the primary
SonicWALL and the backup SonicWALL.
Alert SonicWALL High Availability does not support dynamic IP address assignment from your ISP.  
Each SonicWALL in the High Availability pair must have the same firmware version installed.  
Each SonicWALL in the High Availability pair must have the same upgrades and subscriptions  
enabled. If the backup unit does not have the same upgrades and subscriptions enabled, these  
functions are not supported in the event of a failure of the primary SonicWALL.  
Network Configuration for High Availability Pair  
The following diagram illustrates the network configuration for a High Availability pair:  
All SonicWALL ports being used must be connected together with a hub or switch. Each SonicWALL  
must have a unique LAN IP Address on the same LAN subnet. If each SonicWALL has a unique WAN  
IP Address for remote management, the WAN IP Addresses must be in the same subnet.  
Alert The two SonicWALLs in the High Availability pair send "heartbeats" over the LAN network
segment. The High Availability feature does not function if the LAN ports are not connected.
Configuring High Availability on the Primary SonicWALL  
Click High Availability on the left side of the SonicWALL browser window, and then click Configure at  
the top of the window.  
The top half of the window displays the primary SonicWALL serial number and network settings. The  
bottom half of the window displays the backup SonicWALL information boxes. To configure High  
Availability, follow the steps below:  
1. Connect the primary SonicWALL and the backup SonicWALL to the network, but leave the power  
turned off on both units.  
2. Turn on the primary SonicWALL unit and wait for the diagnostics cycle to complete. Configure  
all of the settings in the primary SonicWALL before configuring High Availability.  
3. Click High Availability on the left and begin configuring the following settings for the primary  
SonicWALL:  
LAN IP Address - This is a unique IP address for accessing the primary SonicWALL from the  
LAN whether it is Active or Idle.  
Alert This IP address is different from the IP address used to contact the SonicWALL in the General  
Network settings.  
WAN IP Address (Optional) - This is a unique WAN IP address used to remotely manage the  
primary SonicWALL whether it is Active or Idle.  
Tip The Synchronize Now button is used for diagnostics and troubleshooting purposes and is not  
required for initial configuration.  
4. In the Web Management interface for the primary SonicWALL, configure the backup SonicWALL  
settings as follows:  
Serial Number - Enter the serial number of the backup SonicWALL.  
LAN IP Address - The unique LAN IP address used to access and manage the backup
SonicWALL whether it is Active or Idle.
Alert This IP address is different from the IP address used to contact the SonicWALL in the General
Network settings.
WAN IP Address (Optional) - This is a unique WAN IP address used to remotely manage the
backup SonicWALL whether it is Active or Idle.
5. Check the Preempt mode checkbox if you want the primary SonicWALL to take over from the
backup SonicWALL whenever the primary becomes available again (for example, after recovering
from a failure and restarting). If this option is not selected, the backup SonicWALL remains the
active SonicWALL until its own heartbeat is interrupted.
Tip The primary and backup SonicWALLs use a “heartbeat” signal to communicate with one  
another. This heartbeat is sent between the SonicWALLs over the network segment connected to  
the LAN ports of the two SonicWALLs. The interruption of this heartbeat signal triggers the backup  
SonicWALL to take over operation from the active unit of the High Availability pair. The time required  
for the backup SonicWALL to take over from the active unit depends on the Heartbeat Interval and  
the Failover Trigger Level.  
6. Enter the Heartbeat Interval time in seconds. Use a value between 3 seconds and 255 seconds.  
This interval is the amount of time in seconds that elapses between heartbeats passed between  
the two SonicWALLs in the High Availability pair.  
7. Enter the Failover Trigger Level in terms of the number of missed heartbeats. Use a value  
between 2 and 99 missed heartbeats. When the backup unit detects this number of  
consecutive missed heartbeats, the backup SonicWALL takes over operation from the active  
unit.  
Example: Assume that the Heartbeat Interval and the Failover Trigger Level are 5 seconds and 2  
missed heartbeats respectively. Based on these values, the backup SonicWALL takes over from the  
active unit after 10 seconds in the event of a failure in the active unit.  
8. Enter the Active SonicWALL Detection Time in seconds, using a value between 0 and 300. When
either SonicWALL (primary or backup) boots, it looks for an already active SonicWALL configured
for High Availability on the network; if it finds one, the booting SonicWALL transitions to Idle
mode. Network delays or problems with hubs or switches can slow this detection, so this setting
allows the booting unit extra time (in seconds) to look for the other SonicWALL. The default
value of 0 seconds is sufficient in most cases.
9. Click Update. Once the SonicWALL has been updated, a message confirming the update is  
displayed at the bottom of the browser window.  
Alert It is important during initial configuration that the backup SonicWALL has not been previously
configured for use. If the backup SonicWALL has previous network settings, reset it to the factory
default settings using Restore Factory Default Settings in the Tools section, and change its password
back to the default password of "password" using the Password tab in the General section. Because
"password" is a published default, do not leave the backup reachable with it any longer than the
synchronization in step 10 requires.
10. Power on the backup SonicWALL used for High Availability. After completing the diagnostic  
cycle, the primary SonicWALL auto-detects the presence of the backup SonicWALL and  
synchronizes the settings.  
11. To confirm that the synchronization is successful, check the primary SonicWALL log for a High  
Availability confirmation message. Alternatively, you can log into the backup SonicWALL using  
its unique LAN IP address and confirm that it is the backup SonicWALL.  
If the primary SonicWALL fails to synchronize with the backup, an error message is displayed at the  
bottom of the screen. An error message also appears on the Status tab. To view the error message  
on the Status tab, click General on the left side of the browser and then Status at the top of the  
window.  
To check the backup SonicWALL firmware version or serial number, log into the backup SonicWALL,  
click General on the left side of the browser window and then click Status at the top of the window.  
Both the firmware version and the SonicWALL serial number are displayed at the top of the window.  
If the backup SonicWALL serial number was incorrectly specified in the primary SonicWALL Web  
Management Interface, log into the primary SonicWALL and correct the backup SonicWALL Serial  
Number field.  
At this point, you have successfully configured your two SonicWALLs as a High Availability pair. In the  
event of a failure in the primary unit, the backup unit takes over operation and maintains the  
connection between the protected network and the Internet.  
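A pre-flight check for the pair, as an added example that is not SonicWALL code: it encodes the requirements listed under Before Configuring High Availability and Network Configuration for High Availability Pair (identical models, same firmware and subscriptions, three distinct LAN addresses on one subnet, WAN management addresses on one subnet) together with the timer ranges from steps 6 to 8, and computes the worst-case failover delay as Heartbeat Interval multiplied by Failover Trigger Level. The field names, serial numbers, firmware strings, subscription names and addresses are constructed assumptions, not values from the guide.

```python
"""Pre-flight check for a SonicWALL High Availability pair (added example, not
SonicWALL code). Field names, serial numbers, firmware strings and addresses
are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Unit:
    serial: str
    model: str
    firmware: str
    subscriptions: FrozenSet[str]
    ha_lan_ip: str                # unique HA LAN IP, distinct from the General/Network LAN IP
    wan_ip: Optional[str] = None  # optional unique WAN IP (with prefix) for remote management


@dataclass(frozen=True)
class HaSettings:
    heartbeat_interval_s: int          # 3..255 seconds
    failover_trigger_level: int        # 2..99 consecutive missed heartbeats
    active_detection_time_s: int = 0   # 0..300 seconds, 0 is the default
    preempt: bool = False


def failover_delay_s(settings: HaSettings) -> int:
    """Seconds the backup waits before taking over: interval x missed heartbeats."""
    return settings.heartbeat_interval_s * settings.failover_trigger_level


def validate_pair(shared_lan_if: str, primary: Unit, backup: Unit,
                  settings: HaSettings) -> List[str]:
    """Return the requirement violations; an empty list means the pair is ready."""
    problems: List[str] = []

    # Same hardware, firmware and licensed features on both units.
    if primary.serial == backup.serial:
        problems.append("primary and backup serial numbers must differ")
    if primary.model != backup.model:
        problems.append(f"models differ: {primary.model} vs {backup.model}")
    if primary.firmware != backup.firmware:
        problems.append(f"firmware differs: {primary.firmware} vs {backup.firmware}")
    missing = primary.subscriptions - backup.subscriptions
    if missing:
        problems.append("backup lacks subscriptions: " + ", ".join(sorted(missing)))

    # Three distinct LAN addresses, all on the LAN subnet the pair serves.
    shared = ipaddress.ip_interface(shared_lan_if)
    lan_ips = {"primary": ipaddress.ip_address(primary.ha_lan_ip),
               "backup": ipaddress.ip_address(backup.ha_lan_ip)}
    if len({shared.ip, *lan_ips.values()}) != 3:
        problems.append("shared LAN IP and the two HA LAN IPs must all be different")
    for name, ip in lan_ips.items():
        if ip not in shared.network:
            problems.append(f"{name} HA LAN IP {ip} is outside LAN subnet {shared.network}")

    # Optional WAN management addresses must be distinct and share a subnet.
    if primary.wan_ip and backup.wan_ip:
        p_wan = ipaddress.ip_interface(primary.wan_ip)
        b_wan = ipaddress.ip_interface(backup.wan_ip)
        if p_wan.ip == b_wan.ip:
            problems.append("WAN management IPs must differ")
        if p_wan.network != b_wan.network:
            problems.append("WAN management IPs must be in the same subnet")

    # Timer ranges from configuration steps 6 to 8.
    if not 3 <= settings.heartbeat_interval_s <= 255:
        problems.append("Heartbeat Interval must be 3..255 seconds")
    if not 2 <= settings.failover_trigger_level <= 99:
        problems.append("Failover Trigger Level must be 2..99 missed heartbeats")
    if not 0 <= settings.active_detection_time_s <= 300:
        problems.append("Active SonicWALL Detection Time must be 0..300 seconds")
    return problems


if __name__ == "__main__":
    # Constructed pair: the backup is on older firmware, lacks a subscription
    # and sits on the wrong subnet, so three problems are reported.
    prim = Unit("SERIAL-A", "PRO 330", "6.3.1", frozenset({"content-filter", "anti-virus"}),
                "192.168.168.2", "203.0.113.10/29")
    back = Unit("SERIAL-B", "PRO 330", "6.2.0", frozenset({"content-filter"}),
                "192.168.169.3", "203.0.113.11/29")
    timers = HaSettings(heartbeat_interval_s=5, failover_trigger_level=2)
    print("worst-case failover delay:", failover_delay_s(timers), "s")
    for issue in validate_pair("192.168.168.1/24", prim, back, timers):
        print("problem:", issue)
```

Run the check before powering on the backup in step 10; an empty list is the go signal. The failover delay it prints is the longest outage you accept before the backup assumes the primary's addresses, so tune Heartbeat Interval and Failover Trigger Level against that number rather than against the defaults.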
Configuration Changes  
Configuration changes for the High Availability pair can be made on the primary or the backup  
SonicWALL. The primary and backup SonicWALL appliances are accessible from their unique IP  
addresses. A label indicates which SonicWALL appliance is accessed.  
Alert If you change the IP address of either SonicWALL, synchronization cannot occur between the  
two SonicWALLs without updating the changes manually in the High Availability configuration.  
Synchronizing Changes between the Primary and Backup SonicWALLs
Changes made to the Primary or Backup firewall are synchronized automatically between the two
firewalls. If you click Synchronize Now, the Backup SonicWALL restarts and is temporarily
unavailable for use as a backup firewall.
High Availability Status  
If failure of the primary SonicWALL occurs, the backup SonicWALL assumes the primary SonicWALL  
LAN and WAN IP Addresses. There are three primary methods to check the status of the High  
Availability pair: the High Availability Status window, E-mail Alerts and View Log. These methods are  
described in the following sections.  
High Availability Status Window
One method to determine which SonicWALL is active is to check the High Availability Status window
for the pair. To view it, log into either the primary or the backup SonicWALL LAN IP Address, click
High Availability on the left side of the browser window, and then click Configure at the top of the
window. If the primary SonicWALL is active, the first line in the status window indicates that the
primary SonicWALL is currently Active. If the backup SonicWALL has taken over, the first line changes
to indicate that the backup SonicWALL is currently Active.
You can also check the status of the backup SonicWALL by logging into its own LAN IP Address. If the
primary SonicWALL is operating normally, the status window indicates that the backup SonicWALL is
currently Idle. If the backup has taken over for the primary, this window indicates that the backup
is currently Active.
Tip In the event of a failure in the primary SonicWALL, you can access the Web Management
Interface of the backup SonicWALL at the primary SonicWALL LAN IP Address or at the backup
SonicWALL LAN IP Address. When the primary SonicWALL restarts after a failure, it is accessible
at the unique LAN IP Address assigned to it in the High Availability configuration. If preempt mode
is enabled, the primary SonicWALL becomes the active firewall and the backup firewall returns to
Idle status.
E-mail Alerts Indicating Status Change  
If you have configured the primary SonicWALL to send E-mail alerts, you receive alert E-mails when  
there is a change in the status of the High Availability pair. For example, when the backup  
SonicWALL takes over for the primary after a failure, an E-mail alert is sent indicating that the  
backup has transitioned from Idle to Active. If the primary SonicWALL subsequently resumes  
operation after that failure, and Preempt Mode has been enabled, the primary SonicWALL takes  
over and another E-mail alert is sent to the administrator indicating that the primary has pre-empted  
the backup.  
View Log  
The SonicWALL also maintains an event log that displays these High Availability events in addition  
to other status messages and possible security threats. This log may be viewed with a browser using  
the SonicWALL Web Management Interface or it may be automatically sent to the administrator’s E-  
mail address.  
To view the SonicWALL log, click Log on the left side of the browser window and then click on View  
Log at the top of the window.  
Forcing Transitions  
In some cases, it may be necessary to force a transition from one active SonicWALL to another – for  
example, to force the primary SonicWALL to become active again after a failure when Preempt Mode  
has not been enabled, or to force the backup SonicWALL to become active in order to do preventive  
maintenance on the primary SonicWALL.  
To force such a transition, it is necessary to interrupt the heartbeat from the currently active  
SonicWALL. This may be accomplished by disconnecting the active SonicWALL’s LAN port, by  
shutting off power on the currently active unit, or by restarting it from the Web Management  
Interface. In all of these cases, heartbeats from the active SonicWALL are interrupted, which forces  
the currently Idle unit to become Active.  
To restart the active SonicWALL, log into the primary SonicWALL LAN IP Address and click Tools on  
the left side of the browser window and then click Restart at the top of the window.  
Click Restart SonicWALL, then Yes to confirm the restart. Once the active SonicWALL restarts, the  
other SonicWALL in the High Availability pair takes over operation.  
Alert If the Preempt Mode checkbox has been checked for the primary SonicWALL, the primary unit  
takes over operation from the backup unit after the restart is complete.  
Configuration Notes  
Changing Password - Do not change the password on the Backup firewall when it is in Idle
condition. Changing the password prevents communication between the firewalls.
If you are configuring the SonicWALL in Standard mode on the network, an additional IP address  
is necessary for the High Availability configuration.  
Auto Update - If Auto Update is enabled for firmware upgrades, upgrade the Primary SonicWALL
first, and disconnect the backup SonicWALL from the LAN or turn it off for the duration of the
upgrade. When the firmware upgrade is performed on the backup SonicWALL, disconnect the Primary
SonicWALL from the network or turn it off. The pair must not resume heartbeats until both units
run the same firmware version.
Changes made to the backup SonicWALL do not get updated on the Primary SonicWALL until  
synchronization takes place between the two units.  
15 SonicWALL Options and Upgrades  
SonicWALL, Inc. offers a variety of options and upgrades to enhance the functionality of your  
SonicWALL Internet security appliance. SonicWALL options and upgrades include the following:  
SonicWALL VPN Client  
SonicWALL Network Anti-Virus Subscription  
Content Filter List Subscription  
Vulnerability Scanning Service  
Authentication Service  
ViewPoint Reporting  
SonicWALL Global Management  
SonicWALL VPN Client  
The SonicWALL VPN Client allows remote users to securely access resources on your private LAN  
from a broadband or dial-up Internet connection. It establishes a private, encrypted VPN tunnel to  
the SonicWALL, allowing users to contact your network servers from any location. The SonicWALL  
VPN Client is perfect for business travelers and remote users who require access to private  
resources on your network.  
For more information on the SonicWALL VPN Client, visit  
http://www.sonicwall.com/vpn/index.html  
SonicWALL Network Anti-Virus
SonicWALL Network Anti-Virus offers a new approach to virus protection by delivering managed anti-
virus protection over the Internet. By combining anti-virus technology from McAfee.com with
SonicWALL Internet Security Appliances, SonicWALL Network Anti-Virus ensures that all the
computers on your network have a defense against viruses.
SonicWALL Network Anti-Virus provides constant, uninterrupted protection by monitoring computers  
for outdated virus software and automatically triggering the installation of new virus software. In  
addition, the SonicWALL restricts access to the Internet if virus software is not detected on the  
client, enforcing virus protection. This strategy ensures that current virus software is installed and  
active on every computer on the network, preventing a rogue user from disabling virus protection  
and exposing the entire organization to an outbreak.  
SonicWALL Network Anti-Virus provides centrally managed and enforced virus installation,  
transparent software updates, and comprehensive Web-based reports. SonicWALL Network Anti-  
Virus is a subscription-based solution that can be purchased in 5-, 10-, 50-, and 100-license annual  
subscriptions.  
For more information on the SonicWALL Network Anti-Virus, visit  
http://www.sonicwall.com/anti-virus/index.html  
Content Filter List Subscription  
Inappropriate online content can create an uncomfortable work environment, lead to harassment  
lawsuits, or expose children to pornography or racially intolerant sites. The SonicWALL Content Filter  
List subscription allows your organization to create and enforce Internet access policies tailored to  
the requirements of the organization.  
An annual subscription to the Content Filter List (provided by CyberPatrol) allows you to block or  
monitor access to undesirable Internet sites, such as pornography or violence. Automatic weekly  
updates of the customizable Content Filter List ensure proper enforcement of access restrictions to  
new and relocated sites.  
For more information on the SonicWALL Content Filtering, visit  
http://www.sonicwall.com/content-filter/index.html  
Vulnerability Scanning Service  
SonicWALL Vulnerability Scanning Service is an automated, subscription-based service that gives
network administrators a "hacker's eye view" of a company's network perimeter, including public
servers, routers and gateways, and integrates with SonicWALL Internet security appliances.
SonicWALL Vulnerability Scanning Service examines a network perimeter for security weaknesses
on an ongoing basis. It reports all vulnerabilities detected and provides administrators with
guidance to close the security holes it finds. Vulnerability assessment scans can be scheduled on a
regular basis or run on demand when policies change or new equipment is deployed.
For more information on the SonicWALL Vulnerability Scanning Service, visit  
http://www.sonicwall.com/products/vss/  
SonicWALL Authentication Service
SonicWALL Authentication Service delivers strong authentication of VPN users across the Internet
to protect your organization's valuable and confidential resources. Implemented in collaboration
with VeriSign, SonicWALL Authentication Service is an affordable, easy to administer, end-to-end
digital certificate solution for your organization. When combined with SonicWALL VPN, the SonicWALL
Authentication Service ensures that VPN users are identified by certificate rather than by a shared
secret alone.
With SonicWALL Authentication Service, organizations can take advantage of the power of public  
key infrastructure (PKI) and digital certificates without incurring the high cost and complexity of  
creating the infrastructure themselves. Network administrators manage the SonicWALL  
Authentication Service directly from the SonicWALL Internet security appliance and VPN user  
certificates are conveniently distributed on a secure, Web-based server.  
For more information on the SonicWALL Authentication Service, visit  
http://www.sonicwall.com/authentication-service/index.html  
SonicWALL ViewPoint Reporting
SonicWALL ViewPoint, a Web-based graphical reporting tool, enables administrators to understand
and manage their network. ViewPoint complements and extends SonicWALL's security platform by
delivering comprehensive, high-level historical reports and real-time monitoring.
SonicWALL ViewPoint includes everything you need to get up and running in one easy-to-install  
product, including a Web server, syslog server, database and reporting software. ViewPoint uses a  
Web-based interface and easily installs on any Windows NT or Windows 2000 computer on the  
network.  
For more information on the SonicWALL ViewPoint, visit  
http://www.sonicwall.com/products/viewpoint/  
SonicWALL Global Management System  
SonicWALL Global Management System (GMS) is a scalable, cost-effective solution that extends the  
SonicWALL's ease of administration, giving you the tools to manage the security policies of remote,  
distributed networks.  
SonicWALL GMS lets you administer SonicWALLs at your corporate headquarters, branch offices  
and telecommuters from a central location. SonicWALL GMS reduces staffing requirements, speeds  
up deployment, and lowers delivery costs by centralizing the management and monitoring of  
security policies. SonicWALL GMS uses a hierarchical structure to simplify the management of  
SonicWALLs with similar security profiles. This gives you the flexibility to manage the security  
policies of remote SonicWALLs on an individual, group or global level.  
For more information on the SonicWALL Global Management System, visit  
http://www.sonicwall.com/products/sgms/index.html  
Contact Your Reseller or SonicWALL  
Contact your local reseller to purchase SonicWALL upgrades. A SonicWALL sales representative can  
help locate a SonicWALL-authorized reseller near you.  
Web:http://www.sonicwall.com E-mail:sales@sonicwall.com  
Phone:(888) 557-6642 or (408) 745-9600 Fax: (408) 745-9300  
16 Hardware Descriptions  
This chapter provides detailed illustrations and descriptions of the SonicWALL Internet Security  
Appliances front and back panels by model. Refer to this chapter to learn about the location of LEDs,  
switches, and connectors.  
More information is provided in Appendix A, Technical Specifications.  
SonicWALL PRO 230 and PRO 330 Front Panel  
Front panel illustration (not reproduced): Power, Test and Alarm LEDs; LAN, DMZ and WAN port LEDs
(Link, Activity); Serial Port.
SonicWALL PRO 230 and PRO 330 Front Panel Description  
Power  
Lights up when power is applied to SonicWALL PRO 230 or SonicWALL PRO 330.  
Test  
Lights up when the SonicWALL is powered up and performing diagnostic tests to check for proper  
operation. These tests take about 90 seconds. If the Test LED remains lit after this time, the software is  
corrupt and must be reinstalled.  
Alarm
Lights up and flashes for 10 seconds when an event generates an alert. Alert events are defined in
the Log Settings section in Chapter 5.
There are three Ethernet ports; one for each of the LAN, DMZ, and WAN ports:  
Link  
Lights up when a Twisted Pair connection is made to another Ethernet device (usually a hub) on the port.  
Note that the device connected to the SonicWALL must support the standard Link Integrity test.  
Activity  
Lights up when the SonicWALL transmits or receives a packet through the Twisted Pair port onto the  
network.  
(3) Twisted Pair (10Base-T, 100Base-T) Ethernet Ports  
(3) Auto switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and Fast  
Ethernet networks. The Ethernet ports connect the SonicWALL to the LAN, DMZ, and WAN using Twisted  
Pair cable with RJ45 connectors.  
Serial Port  
DB-9 RS-232 Serial port for Command Line Interface support.  
Reset Switch
Resets the SonicWALL PRO 230 or the SonicWALL PRO 330 to its factory clean state. This can be required
if you forget the administrator password, or the SonicWALL firmware has become corrupt. Because the
switch clears the administrator password, anyone with physical access to the appliance can take it
over; keep the unit in a locked rack or room.
SonicWALL PRO 230 and PRO 330 Rear Panel Description  
Rear panel illustration (not reproduced): Power Input(s) and Power Switch(es) (dual on the PRO 330
only); Cooling Vents.
Power Switch(es)  
Powers the SonicWALL on and off.  
Power Input(s)  
Connects the SonicWALL to power input. The use of an Uninterruptible Power Supply (UPS) is  
strongly recommended to protect the SonicWALL against damage, or loss of data due to  
electrical storms, power failures, or power surges. (The PRO 330 has dual supply inputs.)  
Cooling Vents  
The SonicWALL is convection cooled; an internal fan is not necessary. Do not block the cooling vents  
on the SonicWALL side panels.  
SonicWALL PRO 200 and PRO 300 Front Panel  
The SonicWALL PRO 200 front panel is shown below, followed by a description of each item. The  
SonicWALL PRO 300 is identical to the SonicWALL PRO 200 except for the PRO 300 label on the  
front panel and the inclusion of VPN accelerator hardware and an additional 8MB of RAM.  
Front panel illustration (not reproduced): Power, Test and Alarm LEDs; LAN, WAN and DMZ port LEDs
(Link, Activity).
SonicWALL PRO 200 and PRO 300 Front Panel Description  
Power
Lights up when power is applied to the SonicWALL PRO 200 or SonicWALL PRO 300.
Test  
Lights up when the SonicWALL is powered up and performing diagnostic tests to check for  
proper operation. These tests take about 90 seconds. If the Test LED remains lit after this time,  
the software is corrupt and must be reinstalled.  
Alarm
Lights up and flashes for 10 seconds when an event generates an alert. Alert events are defined in
the Log Settings section in Chapter 5.
There are three Ethernet ports; one for each of the LAN, DMZ, and WAN ports:  
Link  
Lights up when a Twisted Pair connection is made to another Ethernet device (usually a hub) on  
the port. Note that the device connected to the SonicWALL must support the standard Link  
Integrity test.  
Activity  
Lights up when the SonicWALL transmits or receives a packet through the Twisted Pair port onto  
the network.  
SonicWALL PRO 200 and PRO 300 Back Panel  
The SonicWALL PRO 200 back panel is shown below, followed by a description of each item. The  
SonicWALL PRO 300 back panel is identical to the SonicWALL PRO 200.  
Back panel illustration (not reproduced): RS-232 Serial Port; Reset Switch; Cooling Vents;
10Mbps/100Mbps LAN, WAN and DMZ Ethernet Ports; 5VDC, 2A Power Input.
SonicWALL PRO 200 and PRO 300 Back Panel Description  
(3) Twisted Pair (10Base-T, 100Base-T) Ethernet Ports  
(3) Auto switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and  
Fast Ethernet networks. The Ethernet ports connect the SonicWALL to the LAN, DMZ, and WAN  
using Twisted Pair cable with RJ45 connectors.  
Serial Port  
DB-9 RS-232 Serial port for Command Line Interface support.  
Reset Switch  
Resets the SonicWALL PRO 200 or the SonicWALL PRO 300 to its factory clean state. This can  
be required if you forget the administrator password, or the SonicWALL firmware has become  
corrupt.  
Power Input  
Connects the SonicWALL to power input. The use of an Uninterruptible Power Supply (UPS) is  
strongly recommended to protect the SonicWALL against damage, or loss of data due to  
electrical storms, power failures, or power surges.  
Power Switch  
Powers the SonicWALL on and off.  
Cooling Vents  
The SonicWALL is convection cooled; an internal fan is not necessary. Do not block the cooling  
vents on the SonicWALL side panels.  
SonicWALL PRO 100 Front Panel  
The SonicWALL PRO 100 front panel is shown below, followed by a description of each item.  
[Figure: SonicWALL PRO 100 front panel. Callouts: Power LED; Test LED; LAN Port LEDs (Link, 100, Activity); DMZ Port LEDs (Link, 100, Activity); WAN Port LEDs (Link, 100, Activity)]  
SonicWALL PRO 100 Front Panel Description  
Power  
Lights up when power is applied to the SonicWALL PRO 100.  
Test  
Lights up when the SonicWALL PRO 100 is first powered up and performing diagnostic tests to  
check for proper operation. These tests take about 90 seconds. If the Test LED remains lit after  
this time, the software is corrupt and must be reinstalled.  
There are three Ethernet ports; one for each of the LAN, DMZ, and WAN ports:  
Link  
Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch, or  
directly connected to a computer. Note that the connected Ethernet device must support the  
standard Link Integrity test.  
100  
Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch or directly  
connected to a computer with a 100Mbps network interface.  
Activity  
Flashes when the SonicWALL PRO 100 transmits or receives a packet through the Twisted Pair  
port.  
SonicWALL PRO 100 Back Panel  
The SonicWALL PRO 100 back panel is shown below, followed by a description of each item.  
[Figure: SonicWALL PRO 100 back panel. Callouts: Cooling Vents; Reset Switch; Serial Port; 5VDC, 2A Power Input; 10Mbps/100Mbps LAN Ethernet Port; 10Mbps/100Mbps DMZ Ethernet Port; 10Mbps/100Mbps WAN Ethernet Port]  
SonicWALL PRO 100 Back Panel Description  
Reset Switch  
Erases the firmware and resets SonicWALL PRO 100 to its factory clean state. This can be  
necessary if the administrator password is forgotten, or the firmware has become corrupt.  
Serial Port  
DB-9 RS-232 Serial port for Command Line Interface support.  
(3) Twisted Pair (10Base-T, 100Base-T) Ethernet Ports  
(3) Auto switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and  
Fast Ethernet networks. The Ethernet ports connect the SonicWALL PRO 100 to the LAN, DMZ,  
and WAN using Twisted Pair cable with RJ45 connectors.  
Power Input  
Connects to the external power supply that is provided with the SonicWALL PRO 100. The use  
of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL PRO 100  
against damage or loss of data due to electrical storms, power failures, or power surges.  
Cooling Vents  
The SonicWALL PRO 100 is convection cooled; an internal fan is not necessary. Do not block  
the cooling vents.  
SonicWALL TELE3 SP Front Panel  
The SonicWALL TELE3 SP front panel is shown below, followed by a description of each item.  
[Figure: SonicWALL TELE3 SP front panel. Callouts: Power LED; Test LED; Modem LED; LAN Port LEDs (Link, 100, Activity); WAN Port LEDs (Link, 100, Activity)]  
SonicWALL TELE3 SP Front Panel Description  
Power  
Lights up when power is applied to the SonicWALL TELE3 SP.  
Modem  
Lights up when the modem has established a dial-up connection.  
There are two Ethernet ports, one each for the LAN and WAN connections:  
Link  
Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch, or  
directly connected to a computer. Note that the connected Ethernet device must support the  
standard Link Integrity test.  
100  
Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch or directly  
connected to a computer with a 100Mbps network interface.  
Activity  
Flashes when the SonicWALL TELE3 SP transmits or receives a packet through the Twisted Pair  
port.  
Test  
Lights up when the SonicWALL TELE3 SP is first powered up and performing diagnostic tests to  
check for proper operation. These tests take about 90 seconds. If the Test LED remains lit after  
this time, the software is corrupt and must be reinstalled.  
SonicWALL TELE3 SP Back Panel  
The SonicWALL TELE3 SP back panel is shown below, followed by a description of each item.  
[Figure: SonicWALL TELE3 SP back panel. Callouts: Cooling Vents; 5VDC, 2A Power Input; Reset Switch; CLI Port; WAN Modem Port; 10Mbps/100Mbps LAN Ethernet Port; 10Mbps/100Mbps WAN Ethernet Port]  
The SonicWALL TELE3 SP Back Panel Description  
Power Input  
Connects to the external power supply that is provided with the SonicWALL TELE3 SP. The use  
of an Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL TELE3 SP  
against damage or loss of data due to electrical storms, power failures, or power surges.  
Reset Switch  
Erases the firmware and resets SonicWALL TELE3 SP to its factory clean state.  
CLI (Command Line Interface) Port  
DB-9 RS-232 Serial port allows out of band management of the SonicWALL TELE3 SP using a  
v.90/v.92 US Robotics external modem or a null-modem cable.  
(2) Twisted Pair (10Base-T, 100Base-T) Ethernet Ports  
(2) Auto switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and  
Fast Ethernet networks. The Ethernet ports connect the SonicWALL TELE3 SP to the LAN and  
WAN using Twisted Pair cable with RJ45 connectors.  
TELE3 SP Modem Port  
A V.90 internal modem provides dial-up access to establish connectivity to the Internet. It uses  
a standard RJ-11 telephone cord.  
Cooling Vents  
The SonicWALL TELE3 SP is convection cooled; an internal fan is not necessary. Do not block  
the cooling vents.  
Test  
Lights up when the SonicWALL is powered up and performing diagnostic tests for proper  
operation. These tests take up to 5 minutes.  
SonicWALL TELE3 TZ Front Panel  
The SonicWALL TELE3 TZ front panel is shown below, followed by a description of each item.  
[Figure: SonicWALL TELE3 TZ front panel. Callouts: Power LED; Test LED; WorkPort LEDs (Link, 100, Activity); HomePort Port LEDs (Link, 100, Activity); WAN Port LEDs (Link, 100, Activity)]  
SonicWALL TELE3 TZ Front Panel Description  
Power  
Lights up when power is applied to the SonicWALL TZ.  
Test  
Lights up when the SonicWALL TZ is first powered up and performing diagnostic tests to check  
for proper operation. These tests take about 90 seconds. If the Test LED remains lit after this  
time, the software is corrupt and must be reinstalled.  
There are three Ethernet ports; one for each of the WorkPort, HomePort, and WAN ports:  
Link  
Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch, or  
directly connected to a computer. Note that the connected Ethernet device must support the  
standard Link Integrity test.  
100  
Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch or directly  
connected to a computer with a 100Mbps network interface.  
Activity  
Flashes when the SonicWALL TZ transmits or receives a packet through the Twisted Pair port.  
SonicWALL TELE3 TZ Back Panel  
[Figure: SonicWALL TELE3 TZ back panel. Callouts: Cooling Vents; 5VDC, 2A Power Input; Reset Switch; 10Mbps/100Mbps WorkPort Ethernet Port; 10Mbps/100Mbps HomePort Ethernet Port; 10Mbps/100Mbps WAN Ethernet Port]  
SonicWALL TELE3 TZ Back Panel Description  
Reset Switch  
Erases the firmware and resets SonicWALL TZ to its factory clean state. This can be necessary  
if the administrator password is forgotten, or the firmware has become corrupt.  
Serial Port  
DB-9 RS-232 Serial port for Command Line Interface support.  
(3) Twisted Pair (10Base-T, 100Base-T) Ethernet Ports  
(3) Auto switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and  
Fast Ethernet networks. The Ethernet ports connect the SonicWALL TZ to the LAN, DMZ, and  
WAN using Twisted Pair cable with RJ45 connectors.  
Power Input  
Connects to the external power supply that is provided with the SonicWALL TZ. The use of an  
Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL TZ against  
damage or loss of data due to electrical storms, power failures, or power surges.  
Cooling Vents  
The SonicWALL TZ is convection cooled; an internal fan is not necessary. Do not block the cooling  
vents.  
SonicWALL TELE3 TZX Front Panel  
The SonicWALL TELE3 TZX front panel is shown below, followed by a description of each item.  
[Figure: SonicWALL TELE3 TZX front panel. Callouts: Power LED; Test LED; HomePort LEDs (Link); WorkPort LEDs (Link, 100, Activity); WAN Port LEDs (Link, 100, Activity)]  
SonicWALL TELE3 TZX Front Panel Description  
Power  
Lights up when power is applied to the SonicWALL TZX.  
Test  
Lights up when the SonicWALL TZX is first powered up and performing diagnostic tests to check  
for proper operation. These tests take about 90 seconds. If the Test LED remains lit after this  
time, the software is corrupt and must be reinstalled.  
There are three Ethernet ports; one for each of the LAN, DMZ, and WAN ports:  
Link  
Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch, or  
directly connected to a computer. Note that the connected Ethernet device must support the  
standard Link Integrity test.  
100  
Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch or directly  
connected to a computer with a 100Mbps network interface.  
Activity  
Flashes when the SonicWALL TZX transmits or receives a packet through the Twisted Pair  
port.  
SonicWALL TELE3 TZX Back Panel  
[Figure: SonicWALL TELE3 TZX back panel. Callouts: 5VDC, 2A Power Input; Reset Switch; Serial Port; 10Mbps/100Mbps WorkPort Ethernet Port; 10Mbps/100Mbps HomePort Ethernet Port; 10Mbps/100Mbps WAN Ethernet Port]  
SonicWALL TELE3 TZX Back Panel Description  
Reset Switch  
Erases the firmware and resets SonicWALL TZX to its factory clean state. This can be necessary  
if the administrator password is forgotten, or the firmware has become corrupt.  
Serial Port  
DB-9 RS-232 Serial port for Command Line Interface support.  
(6) Twisted Pair (10Base-T, 100Base-T) Ethernet Ports  
(6) Auto switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and  
Fast Ethernet networks. The Ethernet ports connect the SonicWALL TZX to the WorkPort,  
HomePort, and WAN using Twisted Pair cable with RJ45 connectors.  
Power Input  
Connects to the external power supply that is provided with the SonicWALL TZX. The use of an  
Uninterruptible Power Supply (UPS) is recommended to protect the SonicWALL TZX against  
damage or loss of data due to electrical storms, power failures, or power surges.  
SonicWALL SOHO3 and TELE3 Front Panel  
The SonicWALL SOHO3 front panel is shown below, followed by a description of each item. The  
SonicWALL TELE3 is identical to the SonicWALL SOHO3 except for the TELE3 label on the front panel  
and the inclusion of SonicWALL VPN.  
[Figure: SonicWALL SOHO3 front panel. Callouts: Power LED; Test LED; LAN Port LEDs (Link, 100, Activity); WAN Port LEDs (Link, 100, Activity)]  
SonicWALL SOHO3 and TELE3 Front Panel Description  
Power  
Lights up when power is applied to the SonicWALL SOHO3 or SonicWALL TELE3.  
Test  
Lights up when the SonicWALL is first powered up and performing diagnostic tests to check for  
proper operation. These tests take about 90 seconds. If the Test LED remains lit after this time,  
the software is corrupt and must be reinstalled.  
There are two Ethernet ports, one each for the LAN and WAN; each port has the following LEDs:  
Link  
Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch or  
directly connected to a computer. Note that the connected Ethernet device must support the  
standard Link Integrity test.  
100  
Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch or directly  
connected to a computer with a 100Mbps network interface.  
Activity  
Flashes when the SonicWALL transmits or receives a packet through the Twisted Pair port.  
SonicWALL SOHO3 and TELE3 Back Panel  
The SonicWALL SOHO3 back panel is shown below, followed by a description of each item. The  
SonicWALL TELE3 back panel is identical to the SonicWALL SOHO3.  
[Figure: SonicWALL SOHO3 back panel. Callouts: Cooling Vents; Reset Switch; 5VDC, 2A Power Input; Serial Port; 10Mbps/100Mbps LAN Ethernet Port; 10Mbps/100Mbps WAN Ethernet Port]  
SonicWALL SOHO3 and TELE3 Back Panel Description  
Reset Switch  
Erases the firmware and resets the SonicWALL to its factory clean state. This can be necessary  
if you forget the administrator password or the firmware has become corrupt.  
Serial Port  
DB-9 RS-232 Serial port for Command Line Interface support.  
(2) Twisted Pair (10Base-T, 100Base-T) Ethernet Ports  
(2) Auto switching 10Mbps/100Mbps Ethernet ports provide connectivity for both Ethernet and  
Fast Ethernet networks. The Ethernet ports connect the SonicWALL to the LAN and WAN using  
Twisted Pair cable with RJ45 connectors.  
Power Input  
Connects to the external power supply which is provided with the SonicWALL SOHO3 and the  
SonicWALL TELE3. The use of an Uninterruptible Power Supply (UPS) is recommended to  
protect against damage or loss of data due to electrical storms, power failures, or power surges.  
Cooling Vents  
The SonicWALL is convection cooled; an internal fan is not necessary. Do not block the cooling  
vents on the SonicWALL SOHO3 or the TELE3 side panels.  
SonicWALL GX 250 and GX 650 Front Panel  
The SonicWALL GX 250 front panel is shown below, followed by a description of each item. The  
SonicWALL GX 650 is identical to the SonicWALL GX250 except for the GX 650 label on the front  
panel and the types of network interfaces installed.  
[Figure: SonicWALL GX 250 front panel. Callouts: Power; Test; Serial Port; WAN; LAN; DMZ]  
SonicWALL GX250 and GX 650 Front Panel Description  
Power  
Lights up green if both power supplies are functioning on the SonicWALL GX250 or SonicWALL  
GX 650. If it is red, one of the power supplies has failed, and an audible alarm also sounds.  
Test  
Lights up when the SonicWALL is powered up and performing diagnostic tests for proper  
operation. These tests take up to 5 minutes. If the Test LED remains lit after this time, the  
firmware is corrupt and must be reinstalled.  
Serial Port  
DB-9 RS-232 Serial port for a modem or null-modem cable to support Command Line Interface  
Management.  
There are three network interfaces on the GX 250 and GX 650, from left to right: WAN, LAN, DMZ.  
The GX250 includes three Fast Ethernet network interfaces. The GX 650 includes either 1000Base-SX  
over Fiber or Gigabit Ethernet over Copper network interfaces.  
Three types of network cards are available in the GX series:  
Fast Ethernet (10/100Base-T)  
Gigabit over Fiber (1000Base-SX)  
Gigabit over Copper (1000Base-T)  
SonicWALL GX250 Front Panel  
Three Fast Ethernet interfaces provide connectivity for both Ethernet and Fast Ethernet networks.  
The Ethernet ports connect the SonicWALL to the LAN, DMZ, and WAN using category 5 twisted pair  
cable with RJ-45 connectors. The standard NIC has two LEDs:  
Link/Activity  
The Link light is green when a twisted pair connection is made to another Ethernet device  
(usually a switch or a hub) on the port. Note that the device connected to the SonicWALL must  
support the standard link integrity test. The Link LED blinks, indicating Activity, when the  
SonicWALL transmits or receives a packet through the Twisted Pair port onto the network.  
Network Speed  
The Network Speed LED is not lit if the network speed is 10 Mbps, and the LED is green if the  
network speed is 100 Mbps.  
SonicWALL GX 650 Front Panel  
Three Gigabit over Fiber or Copper ports provide connectivity for Gigabit networks. Before inserting  
the cables into the network ports on the fiber optics card, remove the plug from the ports. The  
1000Base-SX interface has the following LED lights:  
Transmit (TX)  
The TX light is lit when the interface is transmitting data over the network connection.  
Receive (RX)  
The RX light is lit when data is received over the network connection.  
Link  
The Link LED indicates that the interface is connected to a valid link partner and is receiving  
link pulses.  
The 1000Base-T network interface has the following LEDs:  
Link  
The Link light is green when a network connection is made to another Ethernet device (usually  
a hub) on the port.  
Activity  
The Activity LED blinks when the SonicWALL transmits or receives a frame.  
Network Speed  
The Network Speed light remains off if there is no connection or if a 10Mbps connection is  
made. If a 100 Mbps connection is made, the LED is green. If a 1000 Mbps connection is  
obtained, the LED is yellow.  
Reset Switch  
Resets the SonicWALL GX250 or the SonicWALL GX 650 to its factory clean state. This may be  
required if you forget the administrator password, or the SonicWALL firmware has become  
corrupt.  
SonicWALL GX 250 and GX 650 Back Panel Description  
[Figure: SonicWALL GX 250 and GX 650 back panel. Callouts: Power Inputs; Power Switches; Alarm Reset; Cooling Vents]  
Power Inputs  
There are two power input receptacles to connect the SonicWALL to the AC power input. The unit  
comes standard with redundant hot swappable power supplies with active power factor  
correction (100-240 VAC 50/60 Hz).  
Power Switches  
One power switch for each hot swappable power supply module. The audible alarm sounds if  
only one power supply is functioning.  
Alarm Reset Button  
The Alarm Reset button resets the audible alarm.  
Cooling Vents  
The SonicWALL is convection cooled and has an internal fan that is not crucial to the function  
of the GX, but provides additional cooling to the unit. Do not block the cooling vents on the  
SonicWALL front and back panels.  
17 Troubleshooting Guide  
This chapter provides solutions for problems that you might encounter when using the SonicWALL.  
If you are unable to solve your problem, please visit the SonicWALL Tech Support Web site at  
<http://www.sonicwall.com/support>. There, you will find resources to help you resolve most  
technical issues, as well as a means to contact one of the SonicWALL Technical Support  
engineers.  
The Link LED is off  
Make sure the SonicWALL is powered on.  
Make sure the cable connections are secure. Gently moving the cable back and forth should not  
make the Link LED turn on and off.  
Try replacing the cable with a known good cable.  
Is it the correct cable? Try using a standard Ethernet or crossover cable instead.  
A computer on the LAN cannot access the Internet  
If NAT is enabled, make sure the default router address of the LAN computer is set to the  
SonicWALL LAN IP Address.  
All computers on the LAN should be able to log into the SonicWALL Management Interface by  
typing the SonicWALL LAN IP Address into the Location or Go to field from a Web browser. If the  
SonicWALL authentication screen does not appear, check for Ethernet connectivity problems.  
Confirm that the computer without Internet access is assigned an IP address in the correct  
subnet.  
Make sure that the SonicWALL is powered on and responsive.  
If a computer can access the SonicWALL Management Interface but cannot view Web sites,  
check the DNS configuration of the computer.  
Try restarting your Internet router and the computer.  
The Internet connection may be down. Disconnect the SonicWALL and try to access the  
Internet.  
If there are any host devices other than the Internet router connected to the WAN port, they are  
inaccessible to users on the LAN unless you have configured the SonicWALL Intranet settings.  
The SonicWALL does not establish authenticated sessions  
During initial configuration make sure to change the Management Station's IP address to one  
in the same subnet as the SonicWALL's, such as "192.168.168.200".  
Check to make sure the Web browser has Java, JavaScript, or ActiveX enabled.  
Make sure the users are attempting to log into the correct IP address. The correct address is  
the SonicWALL LAN IP Address, and not the NAT Public Address if NAT is enabled.  
Make sure that users are attempting to log in with a valid user name and password.  
Remember that passwords are case-sensitive; make sure the "Caps Lock" key is off.  
If you are using an Internet Explorer browser, you may need to click the Refresh button several  
times to fully load the Java and JavaScript programs. Also, wait until the Java applet has completely  
loaded before attempting to log in.  
The SonicWALL does not save changes that you have made  
When configuring the SonicWALL, be sure to click Update before moving to another window or  
tab, or all changes will be lost.  
Click Refresh or Reload in the Web browser. The changes may have been applied, but the Web  
browser may be caching the old configuration.  
Duplicate IP address errors  
Duplicate IP address errors occur when the SonicWALL is installed  
Try restarting the router, or restarting LAN computers.  
Make sure the LAN is not connected to the WAN port of the SonicWALL.  
Machines on the WAN are not reachable  
Make sure the Intranet settings in the Advanced section are correct.  
If these suggestions don’t help, please take a look at the current FAQ (Frequently Asked Questions)  
and Troubleshooting Guide on the SonicWALL Web site:  
<http://www.sonicwall.com/support>.  
VPN tunnel problems  
Document your VPN layout. Did you draw out the design before setting it up?  
VPNs are a routed network. Trace a packet’s path through the devices on your network and see  
if there is any reason for it to be blocked.  
Re-check your entries for typographical errors.  
Check the basic network configuration on the LAN PCs. Make sure the correct default router  
information is entered.  
Enable Network Debug and VPN Tunnel Status on the Log Settings page.  
Ping the other protected network using Ping on the Tools page. If ping works, then the problem  
is on the LAN.  
Reset the VPN to basic configuration using Manual key and DES HMAC MD5. If that works, then  
upgrade to IKE and pre-shared secret.  
18 Appendices  
Appendix A - Technical Specifications  
SonicWALL Hardware and Performance  
TELE3  
Processor: 133 MHz Toshiba TX3927 with security ASIC  
RAM: 16 MB  
Flash Memory: 4 MB  
Concurrent Connections: 6,000  
Firewall Users: 5  
Firewall Performance: 75 Mbps  
3DES (168-bit): 20 Mbps  
VPN Tunnels: 5  
Dimensions: 8.25” x 6.5” x 2”  
Weight: 1.1 lbs (0.48 kg)  
Power: 100V to 240V AC  

SOHO3  
Processor: 133 MHz Toshiba TX3927 with security ASIC  
RAM: 16 MB  
Flash Memory: 4 MB  
Concurrent Connections: 6,000  
Firewall Users: 10/25/50  
Firewall Performance: 75 Mbps  
3DES (168-bit): 20 Mbps  
VPN Tunnels: 10  
Dimensions: 8.25” x 6.5” x 2”  
Weight: 1.1 lbs (0.48 kg)  
Power: 100V to 240V AC  

PRO 100  
Processor: 133 MHz Toshiba TX3927 with security ASIC  
RAM: 16 MB  
Flash Memory: 4 MB  
Concurrent Connections: 6,000  
Firewall Users: Unlimited  
Firewall Performance: 75 Mbps  
3DES (168-bit): 20 Mbps  
VPN Tunnels: 50  
Dimensions: 8.25” x 6.5” x 2”  
Weight: 1.1 lbs (0.48 kg)  
Power: 100V to 240V AC  

PRO 200  
Processor: 233 MHz Toshiba StrongARM RISC with security ASIC  
RAM: 16 MB  
Flash Memory: 4 MB  
Concurrent Connections: 30,000  
Firewall Users: Unlimited  
Firewall Performance: 190 Mbps  
3DES (168-bit): 25 Mbps  
VPN Tunnels: 500  
Dimensions: 19” x 8.875” x 1.75”  
Weight: 6.0 lbs (2.7 kg)  
Power: 100V to 240V AC  

PRO 230  
Processor: 233 MHz Toshiba StrongARM RISC with security ASIC  
RAM: 64 MB  
Flash Memory: 4 MB  
Concurrent Connections: 30,000  
Firewall Users: Unlimited  
Firewall Performance: 190 Mbps  
3DES (168-bit): 25 Mbps  
VPN Tunnels: 500  
Dimensions: 17” x 10.36” x 1.75”  
Weight: 7.3 lbs (3.32 kg)  
Power: 100V to 240V AC  

PRO 300  
Processor: 233 MHz Toshiba StrongARM RISC with security ASIC  
RAM: 64 MB  
Flash Memory: 4 MB  
Concurrent Connections: 128,000  
Firewall Users: Unlimited  
Firewall Performance: 190 Mbps  
3DES (168-bit): 45 Mbps  
VPN Tunnels: 1,000  
Dimensions: 19” x 8.875” x 1.75”  
Weight: 6.0 lbs (2.7 kg)  
Power: 100V to 240V AC  

PRO 330  
Processor: 233 MHz Toshiba StrongARM RISC with security ASIC  
RAM: 64 MB  
Flash Memory: 4 MB  
Concurrent Connections: 128,000  
Firewall Users: Unlimited  
Firewall Performance: 190 Mbps  
3DES (168-bit): 45 Mbps  
VPN Tunnels: 1,000  
Dimensions: 17” x 10.36” x 1.75”  
Weight: 7.8 lbs (3.54 kg)  
Power: 100V to 240V AC  

TELE3 SP  
Processor: 133 MHz Toshiba TX3927 with security ASIC  
RAM: 16 MB  
Flash Memory: 4 MB  
Concurrent Connections: 6,000  
Firewall Users: 10  
Firewall Performance: 75 Mbps  
3DES (168-bit): 20 Mbps  
VPN Tunnels: 10  
Dimensions: 6.50” x 4.66” x 1.33”  
Weight: 8 oz (0.23 kg)  
Power: 100V to 240V AC  

TELE3 TZ  
Processor: 133 MHz Toshiba TX3927 with security ASIC  
RAM: 16 MB  
Flash Memory: 4 MB  
Concurrent Connections: 6,000  
Firewall Users: 5  
Firewall Performance: 75 Mbps  
3DES (168-bit): 20 Mbps  
VPN Tunnels: 5  
Dimensions: 8.25” x 6.5” x 2”  
Weight: 1.1 lbs (0.48 kg)  
Power: 100V to 240V AC  

TELE3 TZX  
Processor: 133 MHz Toshiba TX3927 with security ASIC  
RAM: 16 MB  
Flash Memory: 4 MB  
Concurrent Connections: 6,000  
Firewall Users: 5  
Firewall Performance: 75 Mbps  
3DES (168-bit): 20 Mbps  
VPN Tunnels: 5  
Dimensions: 9.07” x 6.62” x 1.63”  
Weight: 1.1 lbs (0.48 kg)  
Power: 100V to 240V AC  

GX250  
Processor: 866 MHz Intel Pentium with CS-1 Security ASIC  
RAM: 128 MB  
Flash Memory: 16 MB  
Concurrent Connections: 250,000  
Firewall Users: Unlimited  
Firewall Performance: 200 Mbps  
3DES (168-bit): 192 Mbps  
VPN Tunnels: 5,000  
Dimensions: 19” x 19” x 5.25”  
Weight: 30 lbs (13.5 kg)  
Power: 100V to 240V  

GX650  
Processor: 866 MHz Intel Pentium with CS-1 Security ASIC  
RAM: 256 MB  
Flash Memory: 16 MB  
Concurrent Connections: 500,000  
Firewall Users: Unlimited  
Firewall Performance: 1.6 Gbps  
3DES (168-bit): 285 Gbps  
VPN Tunnels: 20,000  
Dimensions: 19” x 19” x 5.25”  
Weight: 30 lbs (13.5 kg)  
Power: 100V to 240V  

Note: Specifications for the SonicWALL Internet security appliances are subject to change. Please  
verify the above specifications with product datasheets.  
Standards: TCP/IP, UDP, ICMP, HTTP, IPSec, IKE, SNMP, FTP, DHCP, PPPoE  
Certifications: FCC, UL, BSMI, VCCI, CSA, ICSA Firewall, ICSA IPSec VPN  
Environment: Temperature 40 - 105 °F (5 - 40 °C); Humidity 5-90% non-condensing  
Appendix B - SonicWALL Support Solutions  
SonicWALL’s powerful security solutions give unprecedented protection from the risks of Internet  
attacks. SonicWALL’s comprehensive support services protect your network security investment  
and offer the support you need - when you need it.  
Knowledge Base  
All SonicWALL customers have immediate, 24X7 access to our state-of-the-art electronic support  
tools. Power searching technologies on our Web site allow customers to locate information quickly  
and easily from our robust collection of technical information - including manuals, product  
specifications, operating instructions, FAQs, Web pages, and known solutions to common customer  
questions and challenges.  
Internet Security Expertise  
Technical Support is only as good as the people providing it to you. SonicWALL support professionals  
are Certified Internet Security Administrators with years of experience in networking and Internet  
security. They are also supported by the best in class tools and processes that ensure a quick and  
accurate solution to your problem.  
SonicWALL Support Offers  
Warranty Support - North America and International  
SonicWALL products are recognized as extremely reliable as well as easy to configure, install, and  
manage. SonicWALL Warranty Support enhances these features with  
1 year, factory replacement for defective hardware  
90 days of advisory support for installation and configuration assistance during local  
business hours  
90 days of software and firmware updates  
Access to SonicWALL’s electronic support and Knowledge Base system.  
SonicWALL Support 8X5  
Designed for customers who need advanced technical support and the additional benefits of  
ongoing software and firmware updates, SonicWALL Support 8X5 is an annual service that includes  
Factory replacement for defective hardware  
Telephone or electronic technical support during local business hours  
Access to SonicWALL’s electronic support and Knowledge Base systems  
All software and firmware updates and upgrades  
SonicWALL Support 24X7  
For customers with mission-critical network requirements who cannot afford downtime, SonicWALL  
Support 24X7 is an annual subscription service that offers  
Advanced-exchange replacement of defective hardware  
Telephone or electronic support, 24 hours, seven days a week  
Enhanced escalation for high priority problems  
Access to SonicWALL’s electronic support and Knowledge Base systems  
All SonicWALL Support Services offer a variety of support options to meet your unique needs,  
including fast, responsive service, instant access to electronic support tools, and high quality  
technical support.  
SonicWALL Support Services Features and Benefits  
Telephone or Web-based Technical Support. SonicWALL’s technical support experts help solve your  
problems or answer your questions quickly, reducing your risk of Internet attack.  
Knowledge Base. Instant access to solutions and documentation provides answers to questions  
and solves problems electronically.  
Firmware/Software Upgrades. Automatic firmware and software upgrades give instant access to  
new features and capabilities, allowing you to extend your Internet security investment.  
Annual Support Agreement. Low, fixed prices for support services allow you to budget accurately and  
protect you from unexpected technical support expenses.  
Telephone/Web-based technical support  
SonicWALL Warranty: 90 days, 8:00 a.m. - 5:00 p.m. local time, Monday - Friday  
SonicWALL Support 8X5: 1 year, 8:00 a.m. - 5:00 p.m. local time, Monday - Friday  
Super SonicWALL Support: 1 year, 24 hours by 7 days a week  
Hardware Replacement  
SonicWALL Warranty: 1 year, return to factory  
SonicWALL Support 8X5: 1 year, return to factory  
Super SonicWALL Support: 1 year, advanced exchange  
Software/Firmware Updates  
SonicWALL Warranty: 90 days  
SonicWALL Support 8X5: 1 year  
Super SonicWALL Support: 1 year  
Enhanced Escalation  
Super SonicWALL Support: Yes  
Warranty Support - North America  
Included with all SonicWALL products, SonicWALL warranty support includes return-to-factory  
hardware replacement for one year. Warranty Support also includes technical support and  
software/firmware updates for 90 days. Coverage is provided during normal business hours.  
Coverage Hours  
Support is provided during standard business hours, 24 hours per day local time, seven days per  
week, including locally-recognized SonicWALL holidays.  
Telephone and Web-based Support  
SonicWALL provides technical assistance during standard coverage hours by telephone or through  
Web-based support tools for 90 days after the date of purchase. A SonicWALL technical specialist  
works with you to remotely diagnose and identify firmware and hardware not performing to  
documented specifications. Web-based support includes interactive communication with a  
SonicWALL technical specialist. SonicWALL also provides general assistance regarding usage and  
documentation on a limited basis.  
Hardware Service  
Warranty Support includes the repair or replacement of failing hardware returned to the SonicWALL
factory for a period of one year following the date of purchase.
Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and  
provides instructions for returning the hardware to SonicWALL. SonicWALL ships a replacement  
appliance to you based upon the RMA information. Upon receipt of the failed appliance, SonicWALL  
ships a fully functional replacement appliance to you. The replacement appliance is equivalent to a  
new appliance.  
SonicWALL does not accept failed appliances without a valid RMA number.  
Software/Firmware Support  
SonicWALL logs, tracks, prioritizes, and resolves software, firmware and/or documentation bug  
reports and enhancement requests for software support for a period of 90 days after the date of  
purchase.  
Software/Firmware Updates  
All software and firmware maintenance releases and updates are included for 90 days after the  
date of purchase. SonicWALL notifies administrators via electronic mail of new updates. The  
updates are delivered exclusively via the Web.  
Support Tools  
Warranty Support provides access to SonicWALL’s Web-based support tools, including FAQs,  
documentation, and Knowledge Base systems.  
Availability  
This warranty is available only in the United States and Canada.  
Warranty Support - International  
Included with all SonicWALL products, SonicWALL warranty support includes return-to-factory  
hardware replacement for one year. Warranty Support also includes technical support and  
software/firmware updates for 90 days. Coverage is provided during normal business hours.  
Coverage Hours  
Support is provided during standard business hours, 24 hours per day local time, seven days per  
week, including locally-recognized SonicWALL holidays.  
Hardware Service  
Warranty Support includes the repair or replacement of failing hardware returned to the SonicWALL
factory for a period of one year following the date of purchase.
Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and  
provides instructions for returning the hardware to SonicWALL. Upon receipt of the failed appliance,  
SonicWALL ships a fully functional appliance. The replacement appliance is equivalent to a new  
appliance.  
SonicWALL does not accept failed appliances without a valid RMA number.  
Software/Firmware Updates  
All software and firmware maintenance releases and updates are included for 90 days after the  
date of purchase. SonicWALL notifies administrators via electronic mail of new updates. The  
updates are delivered exclusively via the Web.  
Support Tools  
Warranty Support provides access to SonicWALL’s Web-based support tools, including FAQs,  
documentation, and Knowledge Base systems.  
Availability  
This warranty applies to products sold in Europe, the Middle East, Africa, Asia, Central and South
America.
SonicWALL Support 24X7  
Available for all SonicWALL products, SonicWALL Support 24X7 includes software/firmware  
technical support, and factory replacement of defective hardware. Coverage is provided 24 hours a  
day, seven days a week.  
Coverage Hours  
Support is provided during standard business hours, 24 hours per day local time, seven days per  
week, including locally-recognized SonicWALL holidays.  
Telephone and Web-based Support  
SonicWALL provides technical assistance during standard coverage hours by telephone or through  
Web-based support tools. A SonicWALL technical specialist works with you to remotely diagnose and  
identify firmware and hardware not performing to documented specifications. Web-based support  
includes interactive communication with a SonicWALL technical specialist. SonicWALL also provides  
general assistance regarding usage and documentation on a limited basis.  
Hardware Service  
SonicWALL Support 24X7 includes the repair or replacement of failing hardware returned to the  
SonicWALL factory.  
Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and  
provides instructions for returning the hardware to SonicWALL. SonicWALL ships a replacement  
appliance to you based upon the RMA information. You are responsible for returning the failed
appliance to SonicWALL within 30 days or be charged the full replacement cost.
SonicWALL does not accept failed appliances without a valid RMA number.  
Software/Firmware Support  
SonicWALL logs, tracks, prioritizes, and resolves software, firmware and/or documentation bug  
reports and enhancement requests for software support under this agreement.  
SonicWALL Support 24X7 includes priority escalation based on problem severity.  
Support for software, firmware, and documentation is limited to the most current version and the  
immediate prior revision.  
Software/Firmware Updates  
All software and firmware maintenance releases and updates are included with this agreement.  
SonicWALL notifies administrators via electronic mail of new updates. The updates are delivered  
exclusively via the Web.  
Support Tools  
SonicWALL Support 24X7 provides access to SonicWALL’s Web-based support tools, including  
FAQs, documentation, and Knowledge Base systems.  
Availability  
SonicWALL Support 24X7 is an annual service available for sale at the time of product purchase or  
anytime before warranty expiration.  
SonicWALL Support 8X5  
Available for all products, SonicWALL Support 8X5 includes software/firmware technical support  
and factory hardware replacement. Coverage is provided during standard business hours.  
Coverage Hours  
Support is provided during standard business hours, 8:00 a.m. - 5:00 p.m. local time, Monday  
through Friday, excluding locally-recognized SonicWALL holidays.  
Telephone and Web-based Support  
SonicWALL provides technical assistance during standard coverage hours by telephone or through  
Web-based support tools. A SonicWALL technical specialist works with you to remotely diagnose and  
identify firmware and hardware not performing to documented specifications. Web-based support  
includes interactive communication with a SonicWALL technical specialist. SonicWALL also provides  
general assistance regarding usage and documentation on a limited basis.  
Hardware Service  
SonicWALL Support 8X5 includes the repair or replacement of failing hardware returned to the  
SonicWALL factory.  
Upon diagnosis of a hardware failure, a SonicWALL technical specialist issues an RMA number and  
provides instructions for returning the hardware to SonicWALL. Upon receipt of the failed appliance,  
SonicWALL ships a fully functional replacement appliance to you. The replacement appliance is  
equivalent to a new appliance.  
SonicWALL does not accept failed appliances without a valid RMA number.  
Software/Firmware Support  
SonicWALL logs, tracks, prioritizes, and resolves software, firmware and/or documentation bug  
reports and enhancement requests for software support under this agreement.  
SonicWALL Support 8X5 includes priority escalation based on problem severity.  
Support for software, firmware, and documentation is limited to the most current version and the  
immediate prior revision.  
Software/Firmware Updates  
All software and firmware maintenance releases and updates are included with this agreement.  
SonicWALL notifies administrators via electronic mail of new updates. The updates are delivered  
exclusively via the Web.  
Support Tools  
SonicWALL Support 8X5 provides access to SonicWALL’s Web-based support tools, including FAQs,  
documentation, and Knowledge Base systems.  
Availability  
SonicWALL Support 8X5 is an annual service available for sale at the time of product purchase or  
anytime before warranty expiration.  
Appendix C - Introduction to Networking  
This appendix provides a non-technical overview of the network protocols supported by the  
SonicWALL and includes a discussion of Internet Protocol (IP) addressing.  
It can be helpful to review a book on TCP/IP for an overview of protocols such as TCP (Transmission  
Control Protocol), UDP (User Datagram Protocol), and ICMP (Internet Control Message Protocol). The  
following book is recommended for beginner and intermediate network administrators:  
Teach Yourself TCP/IP in 14 Days Second Edition  
Timothy Parker, Ph.D  
SAMS Publishing  
ISBN # 0-672-30885-1  
Network Hardware Components  
Computers - IBM-compatible, MAC, notebooks, and PDAs
Resources - printers, fax machines, tape backup units, and file storage devices  
Cables - crossover, ethernet  
Connectors - bridges, routers  
Network Interface Card (NIC) - a card installed inside a computer that physically connects a  
computer to a network and controls the flow of data from the network to the computer. The NIC  
has a port where the network cable is connected.  
Network Types  
LAN stands for Local Area Network. Local area refers to a network in one location: Local Area
Networks connect computers and devices close to each other, such as on one floor of a building,
one building, or a campus. LANs can connect as few as two computers or as many as 100
computers.
WAN (Wide Area Network) connects LANs together. The networks that make up a WAN can be  
located throughout a country or even around the world. If a single company owns a WAN, it is  
often referred to as an enterprise network. The Internet is currently the largest WAN.  
Firewalls  
A firewall is a software or hardware system that prevents unauthorized outside access, theft,  
deletion, or modification of information stored on a local network. Typically, unauthorized access  
would be via an organization’s Internet connection.  
Gateways  
A gateway can be a computer that acts as a connector between a private internal network and  
another network such as the Internet. A gateway used as a firewall can transmit information from  
an internal network to the Internet. Also, gateways can examine incoming information and  
determine if the information is allowed access to the network.  
Network Protocols  
A network protocol is the method used to regulate a workstation’s access to a computer network and
to prevent data collisions. The SonicWALL uses the TCP/IP protocol.
TCP/IP - Internet Protocol, or "IP", provides connectionless data transfer over a TCP/IP network.  
Since IP alone does not provide end-to-end data reliability as well as some other services, other  
protocols such as TCP (Transmission Control Protocol) can be added to provide these services.  
In TCP/IP, TCP works with IP to ensure the integrity of the data traveling over the network. TCP/IP
is the protocol of the Internet.
FTP - File Transfer Protocol (FTP) is used to transfer documents between different types of
computers on a TCP/IP network.
HTTP - HyperText Transfer Protocol (HTTP) is a widely used protocol to transfer information over  
the Internet. Typically, it is used to transfer information from Web servers to Web browsers.  
UDP - User Datagram Protocol (UDP) transfers information using virtual ports between two
applications on a TCP/IP network. Slightly faster than TCP, it is not as reliable.
DNS - Domain Name System (DNS) is a protocol that matches Internet computer names to their  
corresponding IP addresses. By using DNS, a user can type in a computer name, such as  
www.sonicwall.com, instead of an IP address, such as 192.168.168.168, to access a  
computer.  
DHCP - Dynamic Host Configuration Protocol (DHCP) allows communication between network
devices and a server that administers IP numbers. A DHCP server leases IP addresses and other
TCP/IP information to DHCP clients that request them. Typically, a DHCP client leases an IP
address for a period of time from a DHCP server, which allows a larger number of clients to use
a set pool of IP addresses.
WINS - Windows Internet Naming System (WINS), used on Microsoft® TCP/IP Networks, matches
Microsoft® network computer names to IP addresses. Using this protocol allows computers on
the Microsoft® network to communicate with other networks and computers that use the TCP/IP
suite.
HTTPS - Secure HyperText Transfer Protocol (HTTPS) is a protocol to transfer information  
securely over the Internet. HTTPS encrypts and decrypts information exchanged between a Web  
server and a Web browser using Secure Socket Layer (SSL).  
SMTP - Simple Mail Transfer Protocol (SMTP) is used to send and receive e-mail messages.
Typically, SMTP is used only to send e-mail while another protocol, POP3, is used to receive
e-mail messages.
POP3 - Post Office Protocol 3 (POP3) is used to receive e-mail messages and to store messages
on a server, referred to as a POP server.
ICMP - Internet Control Message Protocol (ICMP) reports errors and control messages on a
TCP/IP network. PING uses the ICMP protocol to test if a network device is available.
IP Addressing  
To become part of an IP network, a network device must have an IP address. An IP address is a  
unique number that differentiates one device from another on the network to avoid confusion during  
communication. To help illustrate IP addresses, the following sections compare an IP address to the  
telephone numbering system, a system that is used every day.  
Like a phone number with its long distance “1” and area code, an IP address contains a set of four  
numbers. While we separate phone number components with dashes, for example 1-408-555-  
1212, IP address number components are separated by decimal points or dots (called dotted  
decimal notation), for example 123.45.67.89. Because computers use a binary number system,  
each number in the set must be less than 255.  
There are three components of IP addressing:  
IP address  
Subnet mask  
Default gateway  
IP Address  
Just as each household or business requires a unique phone number, a networked device (such as  
a computer, printer, file server, or router) must have a unique IP address. Unlike phone numbers,  
an IP address requires the entire number when communicating with other devices.  
There are three classes of IP addresses: A, B, and C. Like a main business phone number that one  
can call, and then be transferred through interchange numbers to an individual’s extension number,  
the different classes of IP addresses provide for varying levels of “interchanges” or subnetworks,  
and “extensions” or device numbers. The classes are based on estimated network size:  
Class A — used for very large networks with hundreds of subnetworks and thousands of devices.  
Class A networks use IP addresses between 0.0.0.0 and 127.0.0.0.  
Class B — used for medium to large networks with 10–100 subnetworks and hundreds of
devices. Class B networks use IP addresses between 128.0.0.0 and 191.0.0.0.
Class C — used for small to medium networks, usually with only a few subnetworks and less than  
250 devices. Class C networks use IP addresses between 192.0.0.0 and 223.0.0.0.  
Just as one would go to the phone company for a phone number, there are controlling bodies for IP  
addresses. The overall controlling body for IP addresses worldwide is InterNIC. Businesses or  
individuals can request one or many IP addresses from InterNIC. It’s a good idea to estimate the  
network’s future growth when requesting the class and number of IP addresses requested.  
Subnet Mask  
The IP addressing system allows subnetworks or “interchanges” to be created and device numbers  
or “extensions” to be established within these subnetworks. These numbers are created using a  
mathematical device called a subnet mask. A subnet mask, like the IP address, is a set of four  
numbers in dotted decimal notation. Subnet masks typically take three forms:  
255.0.0.0  
255.255.0.0  
255.255.255.0  
The number 255 “masks” out the corresponding number of the IP address, resulting in IP address
numbers that are valid for the network. For example, an IP address of 123.45.67.89 and a subnet
mask of 255.255.255.0 results in a subnetwork number of 123.45.67.0 and a device number of
89. The IP address numbers that are actually valid to use are those assigned by InterNIC. Otherwise,
anyone could set up IP addresses that are duplicates of those at another company.
The subnet mask used for the network typically corresponds to the class of IP address assigned. If  
the IP address is Class A, it uses a subnet mask of 255.0.0.0. Class B addresses use a subnet mask  
of 255.255.0.0, and Class C IP addresses use a subnet mask of 255.255.255.0.  
Default Gateway  
A default gateway is like a long distance operator. Users can dial the operator to get assistance  
connecting to the end party. In complex networks with many subnetworks, gateways keep traffic  
from traveling between different subnetworks unless addressed to travel there. While this helps to  
keep overall network traffic more manageable, it also introduces another level of complexity.  
To communicate with a device on another network, one must go through a gateway that connects  
the two networks. Therefore, users must know the default gateway IP address. If there is no gateway  
in the network, use an IP address of 0.0.0.0 in fields that apply to a default gateway.  
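As an added worked example (not from the SonicWALL guide), the masking arithmetic from the Subnet Mask section and the same-subnet test that decides whether the Default Gateway is needed, applied to the guide's own figures; the function names are my own.

```python
"""Subnet-mask arithmetic as the appendix describes it (added example; not
SonicWALL code).  A mask octet of 255 keeps the matching IP octet as part of
the subnetwork number; a mask octet of 0 leaves it as the device number."""

from typing import List, Tuple

# Default masks the guide lists for each address class.
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def parse_dotted(addr: str) -> List[int]:
    """Split dotted-decimal notation into four octets, rejecting bad input."""
    parts = addr.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{addr!r}: expected four dotted-decimal numbers")
    octets = []
    for p in parts:
        if not p.isdigit():
            raise ValueError(f"{addr!r}: {p!r} is not a number")
        n = int(p)
        if n > 255:  # each field is one byte, so it must fit in 0..255
            raise ValueError(f"{addr!r}: {n} does not fit in one byte")
        octets.append(n)
    return octets


def is_valid_address(addr: str) -> bool:
    try:
        parse_dotted(addr)
        return True
    except ValueError:
        return False


def to_dotted(octets: List[int]) -> str:
    return ".".join(str(o) for o in octets)


def is_valid_mask(mask: str) -> bool:
    """A mask must be a run of 1 bits followed only by 0 bits."""
    bits = "".join(f"{o:08b}" for o in parse_dotted(mask))
    return "01" not in bits  # once a 0 appears, no 1 may follow it


def split_address(ip: str, mask: str) -> Tuple[str, str]:
    """Return (subnetwork number, device number) as dotted strings."""
    if not is_valid_mask(mask):
        raise ValueError(f"{mask!r} is not a contiguous subnet mask")
    ip_o, mask_o = parse_dotted(ip), parse_dotted(mask)
    network = [i & m for i, m in zip(ip_o, mask_o)]          # masked-in part
    device = [i & (~m & 0xFF) for i, m in zip(ip_o, mask_o)]  # masked-out part
    return to_dotted(network), to_dotted(device)


def device_number(ip: str, mask: str) -> int:
    """The device number as one integer (the guide's '89')."""
    n = 0
    for o in parse_dotted(split_address(ip, mask)[1]):
        n = (n << 8) | o
    return n


def address_class(ip: str) -> str:
    """Class A, B or C by first octet, using the ranges the appendix lists."""
    first = parse_dotted(ip)[0]
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    return "other"  # the guide describes only classes A, B and C


def default_mask(ip: str) -> str:
    cls = address_class(ip)
    if cls not in DEFAULT_MASK:
        raise ValueError(f"{ip!r} is outside classes A-C")
    return DEFAULT_MASK[cls]


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when two hosts can talk directly, without the default gateway."""
    return split_address(a, mask)[0] == split_address(b, mask)[0]


if __name__ == "__main__":
    ip, mask = "123.45.67.89", "255.255.255.0"
    net, dev = split_address(ip, mask)
    print(f"{ip} / {mask}: subnetwork {net}, device {dev} ({device_number(ip, mask)})")
    # The management station from Appendix E must share the SonicWALL's subnet.
    print("192.168.168.200 and 192.168.168.168 on one subnet:",
          same_subnet("192.168.168.200", "192.168.168.168", "255.255.255.0"))
```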
Network Address Translation (NAT)  
NAT hides internal IP addresses by converting all internal host IP addresses to the IP address of the  
firewall as packets are routed through the firewall. The firewall then retransmits the data payload of  
the internal host from its own address using a translation table to keep track of which sockets on  
the exterior interface equate to which sockets on the interior interface. To the Internet, all of the  
traffic on the network appears to come from the same computer.  
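An added illustration, not SonicWALL code, of the translation table just described: a toy NAT that rewrites outbound packets to the firewall's exterior address and maps replies back by socket, dropping inbound packets that no internal host asked for. The addresses are constructed, and the exterior port pool is assumed to be the Dynamic/Private range 49152-65535.

```python
"""Minimal NAT translation table (added example; not SonicWALL code).
Each (interior socket, remote socket) pair gets one exterior port; the
reverse table lets a reply from that remote socket be forwarded to the
interior host.  All addresses below are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Socket
    dst: Socket
    payload: bytes


class NatTable:
    def __init__(self, exterior_ip: str, first_port: int = 49152, last_port: int = 65535):
        self.exterior_ip = exterior_ip
        self._next_port = first_port  # assumed pool: the Dynamic/Private range
        self._last_port = last_port
        # (interior socket, remote socket) -> exterior port
        self.out_map: Dict[Tuple[Socket, Socket], int] = {}
        # (exterior port, remote socket) -> interior socket
        self.in_map: Dict[Tuple[int, Socket], Socket] = {}

    def _allocate_port(self) -> int:
        if self._next_port > self._last_port:
            raise RuntimeError("translation table full: no free exterior ports")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so it appears to come from the firewall."""
        key = (pkt.src, pkt.dst)
        port = self.out_map.get(key)
        if port is None:  # first packet of this conversation: add a table entry
            port = self._allocate_port()
            self.out_map[key] = port
            self.in_map[(port, pkt.dst)] = pkt.src
        return Packet(src=(self.exterior_ip, port), dst=pkt.dst, payload=pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the interior socket; drop anything unsolicited."""
        if pkt.dst[0] != self.exterior_ip:
            return None
        interior = self.in_map.get((pkt.dst[1], pkt.src))
        if interior is None:
            return None  # no internal host opened this socket: discard
        return Packet(src=pkt.src, dst=interior, payload=pkt.payload)


if __name__ == "__main__":
    nat = NatTable("198.51.100.1")            # constructed exterior address
    web = ("203.0.113.5", 80)                 # constructed remote Web server
    a = nat.outbound(Packet(("192.168.168.10", 1025), web, b"GET /"))
    b = nat.outbound(Packet(("192.168.168.11", 1025), web, b"GET /"))
    print("host .10 leaves as", a.src, "; host .11 leaves as", b.src)
    reply = nat.inbound(Packet(web, a.src, b"200 OK"))
    print("reply for", a.src, "forwarded to", reply.dst if reply else "(dropped)")
    probe = nat.inbound(Packet(("203.0.113.9", 4444), a.src, b"?"))
    print("unsolicited packet:", "forwarded" if probe else "dropped")
```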
Nodes  
A node is a device, such as a PC or a printer, on a network with an IP address. The feature chart  
shows how many node licenses for PCs or printers are included with a SonicWALL Internet Security  
appliance. The TELE3 has a non-upgradeable 5-node license, but the SOHO3 is upgradeable up to  
have 10, 50, or an unlimited number of node licenses. The PRO 100, PRO 200, and PRO 300 have  
an unlimited number of node licenses.  
The TELE3, SOHO3-10, and SOHO3-50 allow a maximum of 5, 10, or 50 LAN IP addresses,  
respectively, to exist on the LAN (Local Area Network). The licenses for the nodes are counted  
cumulatively, not simultaneously. When the SonicWALL is turned on and configured, the SonicWALL  
begins to count IP addresses against the license, and continues to count new LAN IP addresses  
accessing the Internet until the appliance is rebooted.  
When a computer or other device connects to the LAN port of the SonicWALL, it is detected via
broadcast and the SonicWALL stores the device’s IP address in memory. Once 5, 10, or 50 IP
addresses have been stored in the SonicWALL, the SonicWALL does not permit any additional
machines to access the Internet. Therefore, the SonicWALL restricts the number of IP addresses on
the LAN, not the number of simultaneous connections to the Internet.
If you have fewer than the maximum number of computers or other devices on your LAN, but it  
appears that the IP license limit is exceeded, download a Tech Support Report and review the  
devices with IP addresses. Rogue devices such as printers are filling up the SonicWALL IP address  
limit. Tech Support Reports are explained in the Tools chapter of this manual.  
Additionally, computers with two (2) Network Interface Cards (NICs) can take up two IP addresses.
You must reconfigure your network to avoid these problems by turning off IP forwarding on
Windows® NT or Windows® 2000 servers using two NICs.
If devices on the LAN receive IP addresses from a DHCP server, see the DHCP chapter of this  
manual.  
Appendix D - IP Port Numbers  
The port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic  
and/or Private Ports.  
Well Known Ports range from 0 through 1023.  
Registered Ports range from 1024 through 49151.  
Dynamic and/or Private Ports range from 49152 through 65535.  
Well Known Port Numbers  
Well Known Ports are controlled and assigned by the Internet Assigned Numbers Authority (IANA)  
<http://www.iana.org> and on most systems can only be used by system processes, or by programs  
executed by privileged users. Many popular services, such as Web, FTP, SMTP/POP3 e-mail, DNS,  
etc. operate in this port range.  
The assigned ports use a small portion of the possible port numbers. For many years the assigned  
ports were in the range 0-255. Recently, the range for assigned ports managed by the IANA has  
been expanded to the range 0-1023.  
Registered Port Numbers  
Registered Ports are not controlled by the IANA and on most systems can be used by ordinary user  
processes or programs executed by ordinary users.  
While the IANA cannot control uses of these ports, it does list uses of these ports as a convenience.
The Registered Ports are in the range 1024-65535.  
Visit <http://www.ietf.org/rfc/rfc1700.txt> for a list of IP port numbers.  
Appendix E - Configuring TCP/IP Settings  
The following steps describe how to configure the Management Station TCP/IP settings in order to  
initially contact the SonicWALL. It is assumed that the Management Station can access the Internet  
through an existing connection.  
The SonicWALL is pre-configured with the IP address "192.168.168.168". During the initial
configuration, it is necessary to temporarily change the IP address of the Management Station to  
one in the same subnet as the SonicWALL. For initial configuration, set the IP address of the  
Management Station to "192.168.168.200".  
Make a note of the Management Station's current TCP/IP settings. If the Management Station  
accesses the Internet through an existing broadband connection, then the TCP/IP settings can be  
helpful when configuring the IP settings of the SonicWALL.  
Windows 98  
1. From the Start list, highlight Settings and then select Control Panel.
2. Double-click the Network icon in the Control Panel window.
3. Double-click TCP/IP in the TCP/IP Properties window.
4. Select the Specify an IP Address radio button.
5. Enter "192.168.168.200" in the IP Address field.
6. Enter "255.255.255.0" in the Subnet Mask field.
7. Click DNS Configuration.
8. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one address,
enter the second one in the Alternate DNS server field.
9. Click OK, and then click OK again.
10. Restart the computer for changes to take effect.
Windows NT  
1. From the Start list, highlight Settings and then select Control Panel.
2. Double-click the Network icon in the Control Panel window.
3. Double-click TCP/IP in the TCP/IP Properties window.
4. Select the Specify an IP Address radio button.
5. Enter "192.168.168.200" in the IP Address field.
6. Enter "255.255.255.0" in the Subnet Mask field.
7. Click DNS at the top of the window.
8. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one address,
enter the second one in the Alternate DNS server field.
9. Click OK, and then click OK again.
Windows 2000  
1. In Windows 2000, click Start, then Settings.
2. Click Network and Dial-up Connections. Double-click the network connection name to open the
Status window.
3. Click Status to open the Properties window.
4. Double-click Internet Protocol (TCP/IP) to open the TCP/IP properties window.
5. Select Use the following IP address and enter 192.168.168.200 in the IP address field.
6. Enter 255.255.255.0 in the Subnet mask field.
7. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one address,
enter the second one in the Alternate DNS server field.
8. Click OK, then OK again.
9. Click Close to finish the network configuration.
Windows XP  
1. Open the Local Area Connection Properties window.
2. Double-click Internet Protocol (TCP/IP) to open the Internet Protocol (TCP/IP) Properties window.
3. Select Use the following IP address and enter 192.168.168.200 in the IP address field.
4. Enter 255.255.255.0 in the Subnet Mask field.
5. Enter the DNS IP address in the Preferred DNS Server field. If you have more than one address,
enter the second one in the Alternate DNS server field.
Macintosh OS 10  
From a Macintosh computer, do the following:  
1. From the Apple list, choose Control Panel, and then choose TCP/IP to open the TCP/IP Control  
Panel.  
2. From the Configure list, choose Manually.  
3. Enter "192.168.168.200" in the IP address field.  
4. Enter the Subnet Mask address in the Subnet Mask field.  
5. Click OK.  
Follow the SonicWALL Installation Wizard instructions to perform the initial setup of the SonicWALL.  
Appendix F - Basic VPN Terms and Concepts  
VPN Tunnel  
A VPN Tunnel is a term that describes a connection between two or more private nodes or LANs  
over a public network, typically the Internet. Encryption is often used to maintain the  
confidentiality of private data when traveling over the Internet.  
Encryption  
Encryption is a mathematical operation that transforms data from "clear text" (something that  
a human or a program can interpret) to "cipher text" (something that cannot be interpreted).  
Usually the mathematical operation requires that an alphanumeric "key" be supplied along with  
the clear text. The key and clear text are processed by the encryption operation, which leads to  
data scrambling that makes encryption secure. Decryption is the opposite of encryption: it is a  
mathematical operation that transforms cipher text to clear text.  
Key  
A key is an alphanumeric string used by the encryption operation to transform clear text into  
cipher text. A key is comprised of hexadecimal characters (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d,  
e, f). A valid key would be 1234567890abcdef. Keys used in VPN communications can range  
in length, but typically consist of 16 or 32 characters. The longer the key, the more difficult it is  
to break the encryption.  
Asymmetric vs. Symmetric Cryptography  
Asymmetric and symmetric cryptography refer to the keys used to authenticate, or encrypt and  
decrypt the data.  
Asymmetric cryptography, or public key cryptography, uses two keys for verification.  
Organizations, such as RSA Data Security and Verisign, support asymmetric cryptography.  
With symmetric cryptography, the same key is used to authenticate on both ends of the VPN.  
Symmetric cryptography, or secret key cryptography, is usually faster than asymmetric  
cryptography. Therefore symmetric algorithms are often used when large quantities of data  
have to be exchanged. SonicWALL VPN uses Symmetric Cryptography. As a result, the key on  
both ends of the VPN tunnel must match exactly.  
Security Association (SA)  
A Security Association (SA) is a group of security settings related to a specific VPN tunnel. A  
Security Association groups together all of the settings necessary to create a VPN tunnel.  
Different SAs can be created to connect branch offices, allow secure remote management, and  
pass unsupported traffic. All Security Associations require a specified Encryption Method, IPSec  
Gateway Address and Destination Network Address. IKE includes a Shared Secret. Manual  
Keying includes two SPIs and an Encryption and Authentication Key.  
Internet Key Exchange (IKE)  
IKE is a negotiation and key exchange protocol specified by the Internet Engineering Task Force  
(IETF). An IKE SA automatically negotiates Phase 1 Encryption/Authentication Keys. With IKE,
an initial exchange authenticates the VPN session and automatically negotiates the keys that are
used to pass IP traffic. The initial exchange occurs on UDP port 500, so when an IKE SA is
created, the SonicWALL automatically opens port 500 to allow the IKE key exchange.
Manual Key  
The Manual Key SA allows you to specify the Encryption and Authentication keys as well as  
Incoming and Outgoing Security Parameter Indices (SPI). SonicWALL VPN supports Manual Key  
VPN Security Associations.  
Shared Secret  
A Shared Secret is a predefined field that the two endpoints of a VPN tunnel use to set up an  
IKE SA. This field can be any combination of alphanumeric characters with a minimum length  
of 4 characters and a maximum of 128 characters. Precautions should be taken when  
delivering/exchanging this shared secret to assure that a third party cannot compromise the  
security of a VPN tunnel.  
Advanced Encryption Standard (AES)  
AES is an encryption algorithm for securing sensitive but unclassified materials by U.S.  
Government agencies. It may eventually become the standard encryption method for  
commercial transactions in the private sector.  
As a potential replacement for DES and possibly 3DES, AES is a symmetric algorithm, which
means it uses the same key for encryption and decryption, and it encrypts data in 128-bit blocks.
The algorithm supports key sizes of 128, 192, and 256 bits.
Encapsulating Security Payload (ESP)  
ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it  
into IP packets. Encryption can be in the form of ARCFour (similar to the popular RC4 encryption  
method), DES, etc.  
The use of ESP increases the processing requirements in SonicWALL VPN and also increases  
the communications latency. The increased latency is due to the encryption and decryption  
required for each IP packet containing an Encapsulating Security Payload.  
ESP typically involves encryption of the packet payload using standard encryption mechanisms,  
such as RC4, ARCFour, DES, or 3DES. The SonicWALL supports 56-bit ARCFour and 56-bit DES  
and 168-bit 3DES.  
Authentication Header (AH)  
The Authentication Header provides strong integrity and authentication by adding  
authentication information to IP packets. This authentication information is calculated using  
header and payload data in the IP packet which provides an additional level of security.  
Appendices Page 275  
Using AH increases the processing requirements of VPN and also increases the  
communications latency. The increased latency is primarily due to the calculation of the  
authentication data by the sender, and the calculation and comparison of the authentication  
data by the receiver for each IP packet containing an Authentication Header.  
Data Encryption Standard (DES)  
When DES is used for data communications, both sender and receiver must know the same  
secret key, which can be used to encrypt and decrypt the message, or to generate and verify a  
message authentication code. The SonicWALL DES encryption algorithm uses a 56-bit key.  
The SonicWALL VPN DES Key must be exactly 16 characters long and consists of  
hexadecimal characters. Valid hexadecimal characters are "0" to "9", and "a" to "f" inclusive (0,  
1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.  
ARCFour  
ARCFour is used for communications with secure Web sites using the SSL protocol. Many banks  
use a 40-bit ARCFour key for online banking, while others use a 128-bit key. SonicWALL VPN  
uses a 56-bit key for ARCFour.  
ARCFour is faster than DES for several reasons. First, it is a newer encryption mechanism than  
DES. As a result, it benefits from advances in encryption technology. Second, unlike DES, it is  
designed to encrypt data streams, rather than static storage.  
The SonicWALL VPN ARCFour key must be exactly 16 characters long and consists of  
hexadecimal characters. Valid hexadecimal characters are "0" to "9", and "a" to "f" inclusive (0,  
1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.  
Strong Encryption (Triple DES)  
Strong Encryption, or Triple DES (3DES), is a variation on DES that uses a 168-bit key. As a  
result, 3DES is dramatically more secure than DES, and is considered to be virtually  
unbreakable by security experts. It also requires a great deal more processing power, resulting  
in increased latency and decreased throughput.  
The SonicWALL 3DES Key must be exactly 24 characters long and consists of hexadecimal  
characters. Valid hexadecimal characters are "0" to "9", and "a" to "f" inclusive (0, 1, 2, 3, 4, 5,  
6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef12345678.  
Security Parameter Index (SPI)  
The SPI is used to establish a VPN tunnel. The SPI is transmitted from the remote VPN gateway  
to the local VPN gateway. The local VPN gateway then uses the network, encryption and keys  
associated with the SPI to establish the tunnel.  
The SPI must be unique, is one to eight characters long, and consists of hexadecimal  
characters. Valid hexadecimal characters are "0" to "9", and "a" to "f" inclusive (0, 1, 2, 3, 4, 5,  
6, 7, 8, 9, a, b, c, d, e, f). For example, valid SPIs would be 999 or 1234abcd.  
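The field formats stated in the Manual Key entries above (DES and ARCFour keys of exactly 16 hexadecimal characters, 3DES keys of exactly 24, SPIs of one to eight, shared secrets of 4 to 128 alphanumeric characters) can be checked before a Security Association is entered. The following Python is an added example and not SonicWALL code: the field names, the case-insensitive hexadecimal check, and the rule that the incoming and outgoing SPIs of one SA must differ are assumptions of the example. It also generates fresh random keys of the required length with the `secrets` module, since the sequential keys in the text illustrate the format only.

```python
"""Added example (not SonicWALL's own code): validate the Manual Key SA fields
whose formats the glossary states, and generate random values of the right shape."""
import re
import secrets

# (minimum, maximum) length in hexadecimal characters, taken from the glossary
HEX_FIELD_LENGTHS = {
    "des_key": (16, 16),      # 56-bit DES key: exactly 16 hex characters
    "arcfour_key": (16, 16),  # 56-bit ARCFour key: exactly 16 hex characters
    "3des_key": (24, 24),     # 168-bit 3DES key: exactly 24 hex characters
    "spi": (1, 8),            # Security Parameter Index: 1 to 8 hex characters
}
SHARED_SECRET_LENGTHS = (4, 128)  # alphanumeric, 4 to 128 characters
HEX_RE = re.compile(r"^[0-9a-f]+$")
ALNUM_RE = re.compile(r"^[0-9A-Za-z]+$")


def validate_hex_field(field, value):
    """Return (ok, reason). Assumption: upper-case hex digits are accepted as
    equivalent to the lower-case "a" to "f" the manual lists."""
    if field not in HEX_FIELD_LENGTHS:
        return False, "unknown field %s" % field
    lo, hi = HEX_FIELD_LENGTHS[field]
    v = value.strip().lower()
    if not lo <= len(v) <= hi:
        expected = "exactly %d" % lo if lo == hi else "%d to %d" % (lo, hi)
        return False, "%s must be %s hex characters (got %d)" % (field, expected, len(v))
    if not HEX_RE.match(v):
        return False, "%s contains non-hexadecimal characters" % field
    return True, "ok"


def validate_shared_secret(secret):
    """Shared Secret for IKE: alphanumeric, 4 to 128 characters."""
    lo, hi = SHARED_SECRET_LENGTHS
    if not lo <= len(secret) <= hi:
        return False, "shared secret must be %d to %d characters" % (lo, hi)
    if not ALNUM_RE.match(secret):
        return False, "shared secret must contain only letters and digits"
    return True, "ok"


def generate_hex_field(field):
    """Random lower-case hex value of the field's maximum length (even for all fields)."""
    _, hi = HEX_FIELD_LENGTHS[field]
    return secrets.token_hex(hi // 2)


def check_manual_sa(cipher_field, key, incoming_spi, outgoing_spi):
    """Validate one Manual Key SA: key format plus two well-formed, distinct SPIs.
    Returns a list of problems; an empty list means the SA is acceptable."""
    problems = []
    ok, why = validate_hex_field(cipher_field, key)
    if not ok:
        problems.append(why)
    for label, spi in (("incoming SPI", incoming_spi), ("outgoing SPI", outgoing_spi)):
        ok, why = validate_hex_field("spi", spi)
        if not ok:
            problems.append("%s: %s" % (label, why))
    # Assumption of the example: the two SPIs of one SA must not be the same value.
    if incoming_spi.strip().lower() == outgoing_spi.strip().lower():
        problems.append("incoming and outgoing SPIs must differ")
    return problems


if __name__ == "__main__":
    key = generate_hex_field("3des_key")
    print(key, check_manual_sa("3des_key", key, generate_hex_field("spi"), generate_hex_field("spi")))
```

`check_manual_sa` collects every problem rather than stopping at the first, so an administrator sees all format errors in one pass before the SA is saved.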
Appendix G- Erasing the Firmware  
There can be instances when it is necessary to reset the SonicWALL to its factory clean state if the  
following events happen to the appliance:  
Administrator password is forgotten  
The firmware has become corrupt, and you cannot contact the Management Interface  
The test light comes on and stays on for more than a few minutes.  
During the troubleshooting process, you must start from a “known” state.  
Once the firmware is erased, new firmware must be loaded, and the SonicWALL must be  
reconfigured.  
The following procedure erases all settings and reverts the unit to the factory default state. It is  
necessary to follow the initial configuration procedures detailed in this manual's QuickStart section  
to reconfigure the SonicWALL. If you need the firmware, download it from  
<http://firmware.sonicwall.com> or load it from the CD included with the appliance. You can also  
download firmware by logging into <http://www.mysonicwall.com> as a registered user.  
Locating the Reset button on your SonicWALL  
SonicWALL SOHO3, PRO 100, TELE3, SOHO 10, SOHO 50, XPRS, SOHO Telecommuter, PRO 200,  
PRO 300, and newer SonicWALL DMZ models use the small recessed button on the back of the unit  
for this procedure. If your SonicWALL DMZ unit has a square reset button that is not recessed on  
the back of the unit, follow the procedure below to locate the blue reset button.  
If your SonicWALL DMZ unit has a circular reset button that is recessed in the back of the unit, then  
it’s an older DMZ model and you should follow the procedure for locating the reset button inside the  
unit.  
Erasing the Firmware for all Models  
1. Turn off the SonicWALL and disconnect all cables to the network.  
2. Locate the recessed Reset Switch on the back panel of the SonicWALL.  
3. Press and hold the Reset Switch and then apply power to the SonicWALL. Once the Test LED  
starts to flash, let go of the Reset Switch.  
The Test LED flashes for approximately 90 seconds while the firmware is erased. After completing  
the diagnostic sequence, the Test LED stays lit, indicating that the firmware has been erased. It is  
normal for the Test LED to stay lit after erasing the firmware. It does not go off until the firmware is  
installed and loaded into memory by the automatic restart.  
4. Log back into the SonicWALL at the default IP address, "http://192.168.168.168". Make sure  
that the Management Station's IP address is in the same subnet as the SonicWALL--for  
example, "192.168.168.200".  
5. The SonicWALL Management Interface displays a message stating that the firmware has been  
erased. Click the Browse button to locate the SonicWALL firmware file on the Management  
Station hard drive. Or upload the firmware file that is located on the SonicWALL Companion CD.  
6. Reconfigure the SonicWALL as described in Chapter 2.  
Appendix H- Mounting the SonicWALL PRO 200 and PRO 300  
The SonicWALL PRO 200 and SonicWALL PRO 300 are designed to be mounted in a standard 19-  
inch rack mount cabinet. The following conditions are required for proper installation:  
Use the mounting hardware recommended by the rack manufacturer and ensure that the rack  
is adequate for the application.  
Four mounting screws, compatible with the rack design, must be used and hand tightened to  
ensure secure installation. Choose a mounting location where all four mounting holes line up  
with those of the mounting bars of the 19-inch rack mount cabinet.  
Mount in a location away from direct sunlight and sources of heat. A maximum ambient  
temperature of 104° F (40° C) is recommended.  
Route cables away from power lines, fluorescent lighting fixtures, and sources of noise such as  
radios, transmitters, and broadband amplifiers.  
Ensure that no water or excessive moisture can enter the unit.  
Allow unrestricted airflow around the unit and through the vents on the side of the unit. A  
minimum of 1 inch (25.44mm) clearance is recommended.  
Appendix I - Configuring RADIUS and ACE Servers  
Individual users must have their privileges defined on the RADIUS server used for authenticating the  
users. Global user privileges can be configured on the RADIUS tab of the SonicWALL management  
interface, but SonicWALL-specific privileges must be configured on the RADIUS server.  
Different vendors also have different methods of configuring the privileges on their servers. In some  
cases, it can be complex, but most allow for the configuration of group profiles or policies which  
means you can configure the attributes once per group.  
This Appendix describes the configuration of user privileges on various vendors of RADIUS servers,  
and also notes the particular RADIUS servers which support CHAP (Challenge Handshake  
Authentication Protocol) mode. CHAP support is required if HTTPS is not available for logging into  
the SonicWALL.  
Steel Belted RADIUS (Funk Software)  
Steel Belted RADIUS server version 3.0 from Funk Software supports pre-configuration of vendor-  
specific attributes in a vendor-specific dictionary file. SonicWALL.dct is the new dictionary file for the  
SonicWALL.  
To configure the Steel Belted RADIUS server to include the SonicWALL.dct file, use the following  
instructions:  
1. Locate the directory in which Steel Belted RADIUS is installed, C:\RADIUS by default, and copy  
the SonicWALL.dct file into the C:\RADIUS\Service folder.  
2. Edit the vendor.ini file located in the Service folder using Notepad. Add the following lines so  
that they are in alphabetical order with the other vendor products in the file:  
Table 1:  
vendor-product     = SonicWALL Firewall  
dictionary         = SonicWALL  
ignore-ports       = no  
port-number-usage  = per-port-type  
help-id            = 2000  
3. Edit the dictiona.dcm file using Notepad, and add the entry @sonicwall.dct to it, keeping the  
entry in alphabetical order with the existing entries.  
4. Restart the Windows service called Steel Belted RADIUS Service.  
5. Run the Steel Belted RADIUS Administrator.  
6. Click RAS Clients, and select SonicWALL Firewall from the Make/Model list. Click Save.  
If there is no entry for SonicWALL Firewall, be sure that steps 2 and 3 were performed correctly.  
Configuring User Privileges  
To configure user privileges, follow these steps:  
1. With Steel Belted RADIUS Administrator open, click Users and select the User to configure. Or  
select a profile to be configured from the Profile Name menu.  
2. Click Ins and select SonicWALL-User-Privilege from the Available Attributes list.  
3. Select the privilege to be set, and click Add. Repeat until all of the privileges are added for the  
user.  
Steel Belted RADIUS does support CHAP, so authentication takes place even if HTTPS is not  
available when logging into the SonicWALL management interface. Select Allow PAP or CHAP when  
setting user passwords.  
ACE Server (RSA)  
The ACE Server, version 4.1, from RSA, configures RADIUS attributes in its profiles. It does not  
support pre-configuration of vendor-specific attributes on the server. It also allows only one vendor-  
specific attribute to be set per profile, and only supports vendor-specific attributes containing ASCII  
text. User privileges are added manually using the following instructions:  
1. Open the ACE Server Database Administrator program.  
2. Select Edit Profiles from the menu, and select the profile to be configured with user privileges.  
Click OK.  
3. From the Available Attributes menu, select Vendor-Specific, and then click Add Attribute... .  
4. Set the value to 8741 2 “privileges-list” where privileges list is a comma-separated list of 2-  
letter privileges, as follows:  
RA - Remote Access  
BF - Bypass Filters  
VC - Access from VPN Client  
VA - Access to VPNs  
LM - Limited Management  
For example, to configure a profile with Access to VPNs privileges and allow Access from VPN Client,  
the value is set as follows:  
8741 2 “VA, VC”  
The ACE Server from RSA does not support CHAP with RADIUS, therefore it is necessary to configure  
the SonicWALL to use HTTPS when logging into the SonicWALL management interface.  
ACS Server (Cisco)  
The ACS server, version 2.6, from Cisco does not support the configuration of vendor-specific  
privileges. Therefore, if an ACS server is deployed, user privileges cannot be configured on the server.  
The ACS server can still be used for authentication if the RADIUS users are configured globally on  
the SonicWALL to have the same privileges. Also, the ACS server supports CHAP, so it can be used  
if HTTPS is not available when logging into the SonicWALL management interface.  
Internet Authentication Service (Windows NT/2000 Server)  
The RADIUS server used on Microsoft Windows NT and Windows 2000 servers is known as the  
Internet Authentication Service (IAS). Its RADIUS attributes are configured using policies, and IAS does  
not support pre-configuration of vendor-specific attributes. The RADIUS attributes are entered  
manually into the service by using the following instructions:  
1. Open IAS, and select Remote Access Policies.  
2. Select the policy to be configured for user privileges, and right click. Select Properties from the  
list.  
3. Click Edit Profile, and then click Advanced. Click Add.  
4. Select Vendor-Specific from the list, and click Add. The Multivalued Attribute Information box  
appears.  
5. Click Add. The Vendor-Specific Attribute Information box appears.  
6. Click Enter Vendor Code, and enter 8741 as the vendor code.  
7. Click Yes, It conforms, and then click Configure Attribute. The Configure VSA (RFC compliant)  
window appears.  
8. Enter 1 as the Vendor-assigned attribute number.  
9. Select Decimal as the Attribute format.  
10. Enter one of the following values as the Attribute value. Each value defines a privilege for users  
within the policy.  
1 - Remote Access  
2 - Bypass Filters  
3 - Access from VPN Client  
4 - Access to VPNs  
11. Click OK, and then OK again to return to the Multivalued Attribute Information window.  
Repeat Steps 5 through 11 for each privilege configured for a policy.  
For further information, refer to “To configure vendor-specific attributes for a remote access policy”  
in the IAS help file.  
With IAS, the user database is located on the domain controller. Therefore, IAS only supports CHAP  
with RADIUS if the domain controller is configured to store passwords using reversible encryption  
for all users. If the domain controller is not configured in this manner, it is necessary to use HTTPS  
to log into the SonicWALL management interface.  
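The ACE Server and IAS sections above describe the same privilege in two wire encodings of a RADIUS Vendor-Specific Attribute (attribute type 26, RFC 2865) for vendor code 8741: vendor attribute 1 carrying a decimal privilege id (IAS) and vendor attribute 2 carrying an ASCII list of two-letter codes (ACE Server). The following Python is an added example, not SonicWALL or RADIUS-server code, showing how those attributes are built, parsed and mapped back to privilege names; the assumption that the IAS "Decimal" value is sent as a 4-byte RADIUS integer, and the function names, are the example's own.

```python
"""Added example (not SonicWALL's own code): encode and decode the RADIUS
Vendor-Specific Attribute (RFC 2865 type 26) that carries SonicWALL user
privileges for vendor id 8741, in both forms this appendix describes."""
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type for VSAs (RFC 2865)
SONICWALL_VENDOR_ID = 8741  # vendor code stated in the appendix

# Vendor attribute 1, decimal values, as entered in IAS.
DECIMAL_PRIVILEGES = {
    1: "Remote Access",
    2: "Bypass Filters",
    3: "Access from VPN Client",
    4: "Access to VPNs",
}
# Vendor attribute 2, two-letter codes, as entered on the RSA ACE Server.
CODE_PRIVILEGES = {
    "RA": "Remote Access",
    "BF": "Bypass Filters",
    "VC": "Access from VPN Client",
    "VA": "Access to VPNs",
    "LM": "Limited Management",
}


def build_vsa(vendor_type, value, vendor_id=SONICWALL_VENDOR_ID):
    """Wire format: type(26) | length | vendor-id(4) | vendor-type | vendor-length | value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA too long for a single attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_decimal_privilege(privilege_id):
    """IAS form: vendor attribute 1 with a 4-byte big-endian integer
    (assumption: the IAS 'Decimal' format is sent as a RADIUS integer)."""
    if privilege_id not in DECIMAL_PRIVILEGES:
        raise ValueError("unknown privilege id %d" % privilege_id)
    return build_vsa(1, struct.pack("!I", privilege_id))


def build_code_list_privilege(codes):
    """ACE Server form: a single vendor attribute 2 carrying e.g. 'VA, VC' as ASCII."""
    for code in codes:
        if code not in CODE_PRIVILEGES:
            raise ValueError("unknown privilege code %s" % code)
    return build_vsa(2, ", ".join(codes).encode("ascii"))


def parse_vsa(attr):
    """Return (vendor_id, [(vendor_type, value_bytes), ...]); raise on malformed input."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < len(attr):
        if len(attr) - pos < 2:
            raise ValueError("truncated vendor data")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("bad vendor sub-attribute length")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def privileges_from_attributes(attrs):
    """Map the VSAs of an Access-Accept to the set of privilege names granted.
    Other vendors' VSAs and unknown values are ignored, never granted."""
    granted = set()
    for attr in attrs:
        vendor_id, subs = parse_vsa(attr)
        if vendor_id != SONICWALL_VENDOR_ID:
            continue
        for vtype, value in subs:
            if vtype == 1 and len(value) == 4:
                name = DECIMAL_PRIVILEGES.get(struct.unpack("!I", value)[0])
                if name:
                    granted.add(name)
            elif vtype == 2:
                for code in value.decode("ascii", errors="replace").split(","):
                    name = CODE_PRIVILEGES.get(code.strip().upper())
                    if name:
                        granted.add(name)
    return granted


if __name__ == "__main__":
    accept = [build_decimal_privilege(4), build_code_list_privilege(["VA", "VC"])]
    print(sorted(privileges_from_attributes(accept)))
```

Because the ACE Server allows only one vendor-specific attribute per profile, all of a profile's privileges must travel in the single comma-separated attribute 2 value, whereas IAS sends one attribute 1 per privilege; `privileges_from_attributes` accepts either shape, and anything it cannot match is dropped rather than granted.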
RADIUS Attributes Dictionary  
The following is the RADIUS dictionary in the format used with Funk Software’s Steel Belted RADIUS  
server.  
Index  
A  
Activation Key 119  
ActiveX 100, 107, 110  
Add New Network... 200  
Add Service 130  
Add/Modify IPSec Security Associations 182  
Alert Categories 96  
Alert Traps 145  
Allow BootP clients to use range 167, 174  
Allow DNS access 139  
Allow Fragmented Packets 135  
Allowed Domains 103  
Anti-Virus 234  
Apply NAT and firewall rules 188  
ARCFour 277  
Asymmetric vs. Symmetric Cryptography 274  
Attacks 95, 96  
Authentication 72  
Authentication Key 200  
Auto Update 15  
B  
Bandwidth Management 133  
Block all categories 102  
C  
Certificate Authority Certificates 216  
Certificate Revocation List 218  
Choose a diagnostic tool 120  
Clear Log Now 94  
Client Default Gateway 174  
Cold Start Trap 145  
Configuration 151  
Configuration Changes 228  
Configuring High Availability 226  
Configuring N2H2 Internet Filtering 107  
Configuring Websense Enterprise Content Filter  
Connect using Secure Gateway Tunnel 201  
D  
Data Encryption Standard (DES) 277  
Default Allow Rule 138  
Default Deny Rule 138  
Default Rules 137  
Delete a Rule 137  
Delete Binding 172, 176  
Delete Keyword 103  
Denial of Service 15  
Destination Ethernet 136  
DHCP Client 17  
DHCP over VPN 166, 168  
DHCP over VPN Status 172  
DHCP Relay Mode 168  
DHCP Server 17, 166, 173  
DHCP Server Status 172  
DHCP Setup 166  
DHCP Status 172, 176  
Diagnostic Tools 120  
Diagram of SonicWALL PRO's functions 14  
Display Report 97  
DMZ Address Range 157  
DMZ Addresses 156  
DNS Name Lookup 120  
DNS Server 167, 174  
DNS Server Addresses 24  
Domain Name 167, 174  
Dropped ICMP 95  
Dropped TCP 95  
Dropped UDP 95  
E  
Edit a Rule 137  
E-mail Alerts 16, 231  
E-mail Log Now 94  
Enable Allowed/Forbidden Domains 103  
Enable Bandwidth Management 133  
Enable DHCP Server 30, 35, 42, 167, 174  
Enable Fragmented Packet Handling 178  
Enable Keep Alive 187  
Enable VPN 178  
Enable/Disable a Rule 137  
Enabling Ping 136  
Encapsulating Security Payload (ESP) 275  
Encapsulation 203  
Encapsulation Protocol (ESP) 203  
Encryption 274  
Encryption Alg 203  
Encryption Key 200  
Encryption Method 193  
Event 91  
F  
Factory Default 116  
Failover Trigger 227  
Failover Trigger Level 227  
Filter 100  
Filter Block Action 104  
Filter Protocols 16  
Find Network Path 121  
Firewall Name 93  
Forbidden Domains 103  
Forcing Transitions 232  
Front Panel 243  
Functional Diagram 14  
G  
General 76  
Global IPSec Settings 178  
Global Management System 236  
Global User Settings 139  
H  
Hash Alg 203  
heartbeat 227  
Heartbeat Interval 227  
heartbeats 225  
High Availability 225  
High Availability Status 229  
I  
IKE Configuration between Two SonicWALLs 211  
IKE using Certificates 193  
IKE using pre-shared secret 211  
IKE using Preshared Secrets 193  
Import Security Policy 195  
Importing the Settings File 116  
Incoming SPI 185, 199  
Installation and Configuration 17  
Installation Wizard 17  
Internet Key Exchange (IKE) 211, 275  
Intranet 150  
IPSec Keying Mode 199  
IPSec VPN 17  
J  
Java 100, 107, 110  
K  
Key Exchange 203  
Keywords 103  
L  
LAN IP address 167, 174  
LAN Out 128  
LAN Settings 77  
LAN Subnet Mask 24, 29, 35, 41  
Lease Time 167, 174  
Link 243  
Local Certificates 216  
Log 91  
Log and Block Access 104  
Log Categories 16  
Log Only 104  
Log Settings 93  
Logout 74  
M  
Management SA 146  
Management Tools 114  
Mandatory Filtering 106  
Manual Key 177  
Manual Keying 275  
Mask 201  
MD5 203  
Modem Port 244  
My Identity 196  
N  
N2H2 99  
NAT Enabled 76  
NAT Enabled Configuration 79  
NAT Traversal Support 178  
NAT with DHCP 76  
NAT with DHCP Client 81  
NAT with PPPoE 76, 82, 84, 86  
Network 225  
Network Access Rules 15  
Network Address Translation (NAT) 15  
Network Anti-Virus 234  
Network Debug 95, 220  
Network Security Policy 203  
Network Settings 76  
O  
Online help 17  
Outbound Keys 204  
Outgoing SPI 185, 199, 204  
P  
Packet Trace 123  
Phase 1 DH Group 182, 183  
Ping 122  
Ping of Death 15  
Preempt mode 227  
Preferences 115  
R  
RADIUS Client Test 144  
RADIUS Servers 143  
RADIUS Users 144  
Randomize IP ID 129  
S  
SA Life Time 193  
Security Association 193  
Security Association (SA) 274  
Security Parameter Index 204  
Security Parameter Index (SPI) 277  
Security Policy 196  
Security Policy Editor 201  
Send Alerts To 93  
Send Log / Every / At 94  
Send Log To 93  
Shared Secret 275  
SNMP 145  
SonicWALL GMS 147  
Standard Configuration 79  
Start Data Collection 97  
Static Devices on the LAN 171  
Static Entries 167, 175  
Static Routes 154  
Status 73  
Stealth Mode 129  
Strong Encryption (TripleDES) 277  
Subnet 201  
Syslog Server 94  
Syslog Server 1 94  
Syslog Server Support 16  
System Errors 95, 96  
System Maintenance 95  
T  
Tech Support Report 124  
Tech Support Request Form 124  
Temporary Lease Time 170  
Third Party Digital Certificate 216  
Time 88  
Time of Day 104  
Time users out 139  
Trace Route 126  
Tunnel 203  
Twisted Pair 243  
U  
Unique Firewall Identifier 178  
Updating Firmware 117  
Upgrade Key 119  
URL List 101  
Use Aggressive Mode 187  
User Activity 95  
Users 139  
V  
View Data 97  
View Log 91, 232  
ViewPoint 236  
VPN Client 17, 234  
VPN Tunnel 177, 274  
W  
WAN Gateway (Router) Address 24  
WAN IP Address 24  
WAN Settings 78  
WAN/DMZ Subnet Mask 24  
Web Proxy Relay 149  
Web Site Hits 97  
Websense Enterprise 99  
Websense Server Status 112  
Windows Networking 129, 222  
WINS Server 167, 174  
WorkPort Default Gateway 167, 174  
X  
X.509 217  
SonicWALL, Inc.  
1143 Borregas Avenue  
Sunnyvale, CA 94089-1306  
T: 408.745.9600  
F: 408.745.9300  
www.sonicwall.com  
© 2002 SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be  
trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.  
P/N 232-000291-01  
Rev A 11/02  