SonicWALL Internet Security Appliances, Administrator'S Manual

Page 1: ...COMPREHENSIVE INTERNET SECURITY SonicWALL Internet Security Appliances ADMINISTRATOR S GUIDE ...

Page 2: ...istering at mySonicWALL com 46 Creating a New User Account 46 Problems Creating a MysonicWALL com User Account 51 User Name and Password Functions 51 Registering Your SonicWALL Internet Security Appliance 51 Click Here Registration 51 Quick Registration 52 Status and Options 53 Managing Your SonicWALL 54 Renaming Your SonicWALL 54 Transferring a SonicWALL Product 55 Delete Product 56 Managing Serv...

Page 3: ...ng Mode 76 LAN Settings 77 Multiple LAN Subnet Mask Support 77 WAN Settings 78 DNS Settings 78 Standard Configuration 79 NAT Enabled Configuration 79 NAT with DHCP Client Configuration 81 NAT with PPPoE Configuration 82 Restarting the SonicWALL 83 NAT with L2TP Client Configuration 84 Restarting the SonicWALL 85 NAT with PPTP Client Configuration 86 Restarting the SonicWALL 87 Setting the Time and...

Page 4: ...he Content Filtering List 103 Consent 105 Mandatory Filtered IP Addresses 106 Configuring N2H2 Internet Filtering 107 Restrict Web Features 107 Configuring the Websense Enterprise Content Filter 110 Restrict Web Features 110 Configuring the Websense Content Filter List 112 Websense Server Status 112 Settings 112 URL Cache 113 9 Web Management Tools 114 Restarting the SonicWALL 114 Preferences 115 ...

Page 5: ...29 Detection Prevention 129 Network Connection Inactivity Timeout 129 Add Service 130 Add a Known Service 130 Add a Custom Service 130 Enable Logging 131 Delete a Service 131 Rules 131 Maximum Number of Rules by Product 132 Network Access Rule Logic List 133 Bandwidth Management 133 Add A New Rule 134 Add New Rule Examples 136 Current Network Access Rules Table 137 Users 139 Global User Settings 1...

Page 6: ...ement 155 RIPv2 Authentication 156 DMZ Route Advertisement 156 DMZ Addresses 156 DMZ in Standard Mode 157 DMZ in NAT Mode 157 Delete a DMZ Address Range 158 HomePort Configuration 158 HomePort in Standard Mode 158 HomePort in NAT Mode 159 Delete a HomePort Address Range 159 One to One NAT 160 One to One NAT Configuration Example 161 Ethernet 162 WAN Link Settings 162 Enable Bandwidth Management 16...

Page 7: ... Dynamic Ranges and Static Entries 175 DHCP Status 176 13 SonicWALL VPN 177 VPN Management Interface 178 Summary Tab 178 Global VPN Settings 178 VPN Bandwidth Management 179 VPN Policies 179 Currently Active VPN Tunnels 179 SonicWALL NAT Traversal Support 180 AES Advanced Encryption Standard Support 180 Configure Tab 181 Add Modify IPSec Security Associations 181 Security Policy Settings 182 Desti...

Page 8: ...guration for Two SonicWALLs 208 IKE Configuration for Two SonicWALLs 211 Example of IKE Configuration for Two SonicWALLs 213 SonicWALL Third Party Digital Certificate Support 216 Overview of Third Party Digital Certificate Support 217 Creating a Certificate Signing Request 219 SonicWALL Enhanced VPN Logging 220 Testing a VPN Tunnel Connection Using PING 221 Configuring Windows Networking 222 14 Hi...

Page 9: ...LL SOHO3 and TELE3 249 SonicWALL GX 250 and GX 650 251 17 Troubleshooting Guide 254 The Link LED is off 254 A computer on the LAN cannot access the Internet 254 The SonicWALL does not establish authenticated sessions 254 The SonicWALL does not save changes that you have made 255 Duplicate IP address errors 255 Machines on the WAN are not reachable 255 VPN tunnel problems 255 18 Appendices 256 Appe...

Page 10: ... on the outside of the package for the product being returned for replacement or the product will be refused The RMA number can be obtained by calling SonicWALL Customer Service between the hours of 8 30 AM and 5 30 PM Pacific Standard Time Monday through Friday Phone 408 752 7819 Fax 408 745 9300 Web http www sonicwall com support This warranty does not apply if the Product has been damaged by ac...

Page 11: ... Management Interface Chapter 6 General and Network Settings describes the configuration of the SonicWALL IP settings time and password Chapter 7 Logging and Alerts illustrates the SonicWALL logging alerting and reporting features Chapter 8 Content Filtering and Blocking describes SonicWALL Web content filtering including subscription updates and customized Web blocking Chapter 9 Web Management To...

Page 12: ...se procedure Appendix H Mounting the SonicWALL PRO 200 and PRO 300 describes how to rack mount the SonicWALL appliance Appendix I Configuring RADIUS and ACE Servers provides vendor specific configuration instructions for RADIUS and ACE servers The appendix also includes a RADIUS Attributes Dictionary SonicWALL Technical Support For fast resolution of technical questions please visit the SonicWALL ...

Page 13: ...tering IP traffic MD5 authentication is used to encrypt communications between your Management Station and the SonicWALL Web Management Interface MD5 Authentication prevents unauthorized users from detecting and stealing the SonicWALL password as it is sent over your network SonicWALL Internet Security Appliance Functional Diagram The following figure illustrates the SonicWALL Internet security ap...

Page 14: ...low inbound traffic to network servers such as Web and e mail servers or that restrict outbound traffic to certain destinations on the Internet Autoupdate The SonicWALL maintains the highest level of security by automatically notifying you when new firmware is released When new firmware is available the SonicWALL Web Management Interface displays a link to download and install the latest firmware ...

Page 15: ...g Categories You can select the information you wish to display in the SonicWALL event log You can view the event log from the SonicWALL Web Management Interface or receive the log as an e mail file Syslog Server Support In addition to the standard screen log the SonicWALL can write detailed event log information to an external Syslog server Syslog is the industry standard method to capture inform...

Page 16: ...uration Installation Wizard The SonicWALL Installation Wizard helps you quickly install and configure the SonicWALL Online help SonicWALL help documentation is built into the SonicWALL Web Management Interface for easy access during installation and management IPSec VPN SonicWALL VPN SonicWALL VPN provides a simple secure tool that enables corporate offices and business partners to connect securel...

Page 17: ...r SonicWALL eliminates the need for separate IP addresses for all computers on your LAN It is a way to conserve IP addresses available from the pool of IPv4 addresses for the Internet If you do not have enough individual IP addresses for all computers on your network you can use NAT for your network configuration Instructions for configuring NAT Enabled mode begin on page 20 NAT with PPPoE Client ...

Page 18: ...e encryption of transmitted data PPTP typically supports older Microsoft clients that require tunneling connectivity or situations in which a tunnel passes through a firewall performing NAT Instructions for configuring NAT with PPTP Client begin on page 38 Configuring the SonicWALL in Standard Mode This section describes configuring the SonicWALL in Standard mode You must have a single static IP a...

Page 19: ...y This information is obtained from your ISP The SonicWALL Installation Wizard simplifies the initial installation and configuration of the SonicWALL The Wizard provides a series of menu driven instructions for setting the administrator password and configuring the settings necessary to access the Internet Accessing the Wizard Alert Your Web browser must be Java enabled and support HTTP uploads in...

Page 20: ...l Management System check box SonicWALL Global Management System SonicWALL GMS is a Web browser based security management system SonicWALL GMS allows enterprises and service providers to monitor and manage hundreds of remote SonicWALLs from a central location For more information about SonicWALL GMS contact SonicWALL Sales at 408 745 9600 3 Do not select the Use Global Management System check box ...

Page 21: ...tomatically or IP addresses from your ISP 5 Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet Click the hyperlinks for definitions of the networking terms Click Next to proceed to the next step Selecting Your Internet Connection 6 Select Assigned you a single static IP address if your ISP has provided you with a single valid IP address...

Page 22: ...electing NAT Enabled Mode If you selected Assigned you two or more static IP Addresses the Optional Network Address Translation page is displayed 7 The Optional Network Address Translation NAT page offers the ability to enable NAT Select Don t Use NAT if there are enough static IP addresses for your SonicWALL all PCs and all network devices on your LAN Selecting Don t Use NAT enables the Standard ...

Page 23: ...rver Addresses Click Next to continue Configuring LAN Network Settings 9 The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL The LAN Subnet Mask defines the range of IP addresses on the LAN The default values provided by the Sonic...

Page 24: ...zard To modify any of the settings click Back to return to the Connecting to the Internet page If the configuration is correct click Next to proceed to the Congratulations page Congratulations Alert The new SonicWALL LAN IP address displayed in the URL field of the Congratulations page is used to log in and manage the SonicWALL 11 Click Restart to restart the SonicWALL ...

Page 25: ... Wizard Configuring NAT with PPPoE Client The SonicWALL Installation Wizard simplifies the initial installation and configuration of the SonicWALL The Wizard provides a series of menu driven instructions for setting the administrator password and configuring the settings necessary to access the Internet Alert Be sure to have your network information including your user name and password ready This...

Page 26: ... New Password fields This window also displays the Use SonicWALL Global Management System check box 2 Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS Click Next to continue Setting the Time and Date 3 Select the appropriate Time Zone from the Time Zone menu The SonicWALL internal clock is set automatically by a Network Time Server...

Page 27: ...that you have the necessary network information from your ISP before proceeding with the Connecting to the Internet pages 4 Click the hyperlinks for definitions of the networking terms Click Next to continue Selecting Your Internet Connection 5 Select Provided you with desktop software a user name and password PPPoE if your ISP has provided you with desktop software a user name and password inform...

Page 28: ... and Password fields Configuring LAN Network Settings 8 The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL The LAN Subnet Mask defines the range of IP addresses on the LAN The default values provided by the SonicWALL work for mos...

Page 29: ...the Enable DHCP Server check box and specify the range of IP addresses that are assigned to computers on the LAN If the Enable DHCP Server check box is not selected the DHCP Server is disabled Click Next to continue Configuration Summary 10 The Configuration Summary page displays the configuration defined using the Installation Wizard To modify any of the settings click Back to return to the Conne...

Page 30: ...ed to log in and manage the SonicWALL 11 Click Restart to restart the SonicWALL Restarting Alert The final window provides important information to help configure the computers on the LAN 12 Click Print this Page to print the window information The SonicWALL takes 90 seconds to restart During this time the yellow Test LED is lit Click Close to exit the SonicWALL Wizard ...

Page 31: ...and the Password password The first time you access the SonicWALL Management interface the SonicWALL Installation Wizard automatically launches and begins the installation process 1 To configure your SonicWALL appliance read the instructions on the Wizard Welcome page and click Next to continue Setting the Password Alert It is very important to choose a password which cannot be easily guessed by o...

Page 32: ...ng to the Internet The Connecting to the Internet page lists the information required to complete the installation Tip Confirm that you have the necessary network information from your ISP before proceeding with the Connecting to the Internet pages 5 Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet Click the hyperlinks for definitions...

Page 33: ...rnet Connection 6 Select the option Automatically assigns you a dynamic IP address DHCP 7 The Obtain an IP address automatically page is displayed The Obtain an IP address automatically page states that the ISP dynamically assigns an IP address to the SonicWALL To confirm this click Next ...

Page 34: ...vided by the SonicWALL work for most networks If you do not use the default settings enter the SonicWALL LAN settings and click Next to continue Configuring the SonicWALL DHCP Server 9 The Optional SonicWALL DHCP Server page configures the SonicWALL DHCP Server If enabled the SonicWALL automatically configures the IP settings of computers on the LAN To enable the DHCP server select the Enable DHCP...

Page 35: ...on Wizard To modify any of the settings click Back to return to the Connecting to the Internet window If the configuration is correct click Next to proceed to the Congratulations page Congratulations Alert The new SonicWALL LAN IP address displayed in the URL field of the Congratulations window is used to log in and manage the SonicWALL 11 Click Restart to restart the SonicWALL ...

Page 36: ...168 168 168 in the Location or Address fields 2 The Login window appears Enter admin in the User Name field and password in the Password field 3 Click Cancel on the initial Installation Wizard page to cancel the wizard 4 Click Network in the General section 5 Select NAT with L2TP Client from the Network Addressing Mode menu 6 Enter 192 168 168 1 in the SonicWALL LAN IP Address field 7 Enter 255 25...

Page 37: ... must restart the SonicWALL for the changes to take effect Configuring NAT with PPTP Client The SonicWALL Installation Wizard simplifies the initial installation and configuration of the SonicWALL The Wizard provides a series of menu driven instructions for setting the administrator password and configuring the settings necessary to access the Internet Tip Be sure to have your network information ...

Page 38: ... the New Password and Confirm New Password fields 2 Do not select the Use Global Management System check box unless your SonicWALL is remotely managed by SonicWALL GMS Click Next to continue Setting the Time and Date 3 Select the appropriate Time Zone from the Time Zone menu The SonicWALL internal clock is set automatically by a Network Time Server on the Internet Click Next to continue ...

Page 39: ...e proceeding with the Connecting to the Internet pages 4 Confirm that you have the proper network information necessary to configure the SonicWALL to access the Internet Click the hyperlinks for definitions of the networking terms Click Next to proceed to the next step Selecting Your Internet Connection 5 Select Provided you with server IP address a user name and password PPTP if your ISP has prov...

Page 40: ...ing LAN Network Settings 7 The Fill in information about your LAN page allows the configuration of the SonicWALL LAN IP Address and the LAN Subnet Mask The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL The LAN Subnet Mask defines the range of IP addresses on the LAN The default values provided by the SonicWALL work for most networks If you do not use ...

Page 41: ... the Enable DHCP Server check box and specify the range of IP addresses that are assigned to computers on the LAN If the Enable DHCP Server check box is not selected the DHCP Server is disabled Click Next to continue Configuration Summary 9 The Configuration Summary page displays the configuration defined using the Installation Wizard To modify any of the settings click Back to return to the Conne...

Page 42: ...is used to log in and manage the SonicWALL 10 Click Restart to restart the SonicWALL Restarting Tip The final window provides important information to help configure the computers on the LAN Click Print this Page to print this information The SonicWALL takes 90 seconds to restart During this time the yellow Test LED is lit Click Close to exit the SonicWALL Wizard ...

Page 43: ...LL Registration code the registration code generated when the SonicWALL is registered at http www mysonicwall com SonicWALL Active time the length of time in days hours and minutes that the SonicWALL is active Firmware version shows the current version number of the firmware installed on the SonicWALL ROM version the version number of the ROM CPU the type and speed of the SonicWALL processor VPN H...

Page 44: ...Page 45 Other SonicWALL general status information is displayed in this section relating to other features in the SonicWALL such as the type of network settings in use log settings content filter use and if Stealth Mode is enabled on the SonicWALL ...

Page 45: ...rvices Access firmware and security service updates Get SonicWALL alerts on services firmware and products Check status of your SonicWALL services and upgrades linked to each registered SonicWALL Internet security appliance Manage activate change or delete your SonicWALL security services online Alert You must register your SonicWALL on mySonicWALL com to access technical support By registering yo...

Page 46: ...or your convenience you can record the information below User Name ______________________ Password __________________ Alert You must remember your user name and password until you have activated your account If you forget your password before your user account is active you have to create a new user account Tip If your security policy doesn t allow you to write down passwords write down a hint or ...

Page 47: ...y to activate your account 6 Select your time zone from the Time Zone menu and then select any or all of the following options Yes I would like to be a Beta Tester No I do not want to be contacted by SonicWALL via e mail I would like to receive security alerts from SonicWALL I would like to receive product information from SonicWALL 7 Click Submit 8 Review your information carefully to ensure that...

Page 48: ...You also receive an e mail with your subscription code in it Write your subscription code below Subscription code _______________________________ Note For security reasons the subscriber name and part of the subscription code are masked 10 Return to the mySonicWALL com login screen or alternatively click on the link in the e mail message to provide your subscription code to activate your account ...

Page 49: ...he subscription code you received via e mail into the Subscription Code field and click Submit 12 Your Account Management interface appears and you can now register SonicWALL Internet Security Appliances or Services You can also delete or transfer appliances from your user account ...

Page 50: ...id not set up a Secret Question and Answer for your password a link appears allowing you to reset your password Be sure to use the same user name and e mail address as your MysonicWALL com user account Registering Your SonicWALL Internet Security Appliance To register your SonicWALL Internet Security Appliance click the hyperlink Click Here in the Registered SonicWALL Products section Or to quickl...

Page 51: ...number into the Serial Number field a message stating that the appliance is previously registered may be returned Write your SonicWALL serial number below SonicWALL Serial Number ____________________ After you register the SonicWALL the Friendly Name appears as a hyperlink under Registered SonicWALL Products Click on the Friendly Name to view the services activated on the appliance Note Services m...

Page 52: ... and options relating to a particular SonicWALL appliance Enter the SonicWALL serial number to search for the related information Information displayed includes Serial Number Product Registration Code Node Support Upgrade Key There is also a list of applicable services with their activation keys as well as expiration dates for subscriptions ...

Page 53: ...this section of Services Management Renaming Your SonicWALL You can rename your SonicWALL at any time in order to manage your SonicWALLs To rename your SonicWALL click Rename in the Manage Products section Enter the new name in the Friendly Name field and click Submit After clicking Submit a new page appears with the message that you have successfully renamed your SonicWALL ...

Page 54: ... sales manager for the East Coast has left and you were managing the services for his SonicWALL However another manager may have an immediate need for the SonicWALL and requests that you transfer the appliance to him To transfer a SonicWALL to another user click Transfer in the Manage Product section Enter the User Name of the new owner and the e mail address ID in the appropriate fields Click Sub...

Page 55: ... transfer a SonicWALL to another registered user of mySonicWALL com Delete Product You can also delete a SonicWALL from your mySonicWALL com user account Click on the Friendly Name for the appliance and then click Delete A confirmation message appears in the next window and you have successfully deleted a SonicWALL from your user account You can add the SonicWALL back to your account at any time ...

Page 56: ...icWALL is displayed Activated services are indicated by the Installed icon with a green check mark Inactive services are indicated by the Activate icon with a red arrow Activated service names are also hyperlinked to an information page with Activation Status and the Expiration Date of the service Services can also be renewed by clicking on the name and entering the activation key into the Activat...

Page 57: ...ded with the Content Filter List subscription and click the name 2 Click Activate next to Content Filter The following screen appears with an Activation Key field and a Terms and Conditions message 3 Enter the Activation Key into the Activation Key field and select I have read and agreed to all of the above terms and conditions Click Submit 4 The Content Filter List subscription is now active and ...

Page 58: ...Registering at mySonicWALL com Page 59 ...

Page 59: ...TELE3 SP modem connection for ISP failover or as a primary dial up access port Alert You cannot use the WAN failover feature if you have configured the TELE3 SP to use Standard mode in the Network section of the Management interface Configuring the TELE3 SP WAN Failover Feature The TELE3 SP modem can be used as a failover option when your always on DSL or cable connection fails The SonicWALL autom...

Page 60: ...aximum of ten 10 configuration profiles Dial Up Configuration The current profile is displayed in the Current Profile field You can select a profile from the menu to edit the configuration or create a new profile To create a new profile select Add New Profile from the menu and enter a name for the profile in the Name field You can use names such as Home Office or Traveling to distinguish different...

Page 61: ...ld Alternatively you can use your internal DNS server IP address or a specific DNS server IP address on the Internet 8 If your ISP has given you a script that runs when you access your ISP connection cut and paste the script text in the Chat Script field See the Information on Chat Scripts section at the end of this chapter for more information on using chat scripts Location Settings Use this sect...

Page 62: ...d when it connects to the ISP 4 Select Maximum Connection Time minutes if the connection is terminated after the specified time Enter the number of minutes for the connection to be active The value can range from 0 to 1440 minutes This feature does not conflict with Inactivity Timeout If both features are configured the connection is terminated based on the shortest configured time 5 If you select...

Page 63: ...used 2 Select the Secondary Profile from the list of profiles If the Primary Profile cannot establish a connection the SonicWALL uses the Secondary Profile to access the modem and establish a connection 3 Select the volume of the modem from the Speaker Volume menu The default value is Medium 4 Select Initialize Modem For Use In and select the country from the drop down menu United States is select...

Page 64: ...link detection does not occur Instead the probing rules apply to the connection using the parameters configured for Probe Interval Time and number of Missed Probes If probing is enabled on Dial up the dial up connection is terminated and re established when probing fails over the modem Use the following instructions to configure the Failover Settings 1 Select Enable WAN Failover 2 Select Enable Pr...

Page 65: ...ion necessary for dial up Internet access To configure your modem for manual dial up access follow these steps 1 Log onto your Management station and click Modem then Profiles 2 Create a name for your profile and enter it in the Name field ISP Settings 1 Enter the primary number used to dial up the ISP in the Primary Phone Number field Tip If a specific prefix is used to access an outside line suc...

Page 66: ...attempts to connect if the dial up connection is busy in the Dial Retries per Phone Number field The default value is zero 0 6 Enter the number of seconds between attempts to redial in the Delay Between Retries seconds field The default value is five 5 seconds 7 Click Update to add the dial up profile to the SonicWALL Configure Modem Settings 8 Select your manual dial up profile as the Primary Pro...

Page 67: ... setting of 255 255 255 0 in the Subnet Mask field If your dial up ISP has given you DNS Server IP address es enter the address es in the DNS Server Address fields If not then leave the DNS Server Address fields blank 6 Leave the default values in the SonicWALL LAN IP address field and Subnet Mask field 7 If your TELE3 SP acts as the DHCP server on your network select Enable DHCP Server and click ...

Page 68: ... WAN IP NAT Public Address WAN Subnet Mask DNS Server 1 DNS Server 2 DNS Server 3 Current Active Dial Up Profile id Current Connection Speed If the modem is inactive the Status page displays a list of possible reasons that your modem is inactive When the modem is active the network settings from the ISP are used for WAN access If you click General then Network a message is displayed reminding you ...

Page 69: ...onfigure the following on the modem return command responses don t echo characters report the connecting baud rate when connected and return verbose responses The next line has OK as the expected string and the interpreters waits for OK to be returned in response to the previous command ATV1 before continuing the script If OK is not returned within the default time period of 50 seconds the chat in...

Page 70: ...information Sometimes the scripts can be found by using a search engine on the Internet and using the keywords chat script ppp Linux ISP name A custom chat script can look like the following script ABORT NO CARRIER ABORT NO DIALTONE ABORT BUSY ATQ0 ATE0 ATM1 ATW2 ATV1 OK ATDT T CONNECT sername L assword P Tip The first character of username and password are ignored during PPP authentication The sc...

Page 71: ...actly as defined and click Login Tip All SonicWALLs are configured with the default User Name admin and the default Password password If you cannot log into the SonicWALL a cached copy of the page is displayed instead of the correct page Click Reload or Refresh on the Web browser and try again Also be sure to wait until the Java applet has finished loading before attempting to log in Once the pass...

Page 72: ...3 and TLSv1 Also the following encryption ciphers are supported RC4 MD5 EXP RC4 MD5 DES CBC3 SHA DES CBC SHA RC4 SHA EXP RC2 CBC MD5 NULL SHA and NULL MD5 The RSA key used is 1024 bit Status The Status window displays the status of your SonicWALL It contains an overview of the SonicWALL configuration as well as any important messages Check the Status window after making changes to ensure that the ...

Page 73: ...ardware Accelerator Detected indicates the presence of a VPN Hardware Accelerator in the firewall This allows better throughput for VPN connections RAM shows the amount of Random Access Memory on the board Flash indicates the size of the flash on the board Ethernet Speeds displays network speeds of the network card Current Connections number of computers connected to the SonicWALL Other SonicWALL ...

Page 74: ...t Security Appliance Once the SonicWALL is accessed type in the User Name and password admin for User Name and then the password used for the management interface The following CLI commands are available for the SonicWALL or Help displays a listing of the top level commands available Export exports preferences from the SonicWALL using Z modem file transfer protocol Import imports preferences from ...

Page 75: ...address scheme of your SonicWALL It includes six options Standard NAT Enabled NAT with DHCP Client NAT with PPPoE NAT with L2TP Client and NAT with PPTP Client Standard mode requires valid IP addresses for all computers on your network but allows re mote access to authenticated users NAT Enabled mode translates the private IP addresses on the network to the single valid IP address of the SonicWALL...

Page 76: ... on the other side of a router you must define a static route using the Routes tab in the Advanced section Multiple LAN Subnet Mask Support facilitates the support of legacy networks incorporating the SonicWALL and makes it easier to add additional nodes if the original subnet is full Before you can configure multiple local LAN subnets in the SonicWALL you must have the following information Netwo...

Page 77: ... NAT with PPTP Client mode the SonicWALL WAN IP address is assigned automatically If you select Standard mode the SonicWALL WAN IP Address is the same as the SonicWALL LAN IP Address WAN LAN Subnet Mask The WAN LAN Subnet Mask determines which IP addresses are located on the WAN This subnet mask should be assigned by your ISP If you select NAT with DHCP Client NAT with PPPoE NAT with L2TP Client o...

Page 78: ...ver IP address es in the DNS Servers field The SonicWALL uses the DNS servers for diagnostic tests and for upgrade and registration functionality 6 Click Update Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window Restart the SonicWALL for these changes to take effect NAT Enabled Configuration Network Address Translation NAT connects ...

Page 79: ...ss field This is the device that connects your network to the Internet If you use Cable or DSL your WAN router is probably located at your ISP If you use a router located at your site use the IP address assigned to it 5 Enter a valid IP address assigned by your ISP in the SonicWALL WAN IP NAT Public Address field Because NAT is enabled all network activity appears to originate from this address 6 ...

Page 80: ...h Cable and DSL connections To obtain IP settings dynamically complete the following instructions 1 Select NAT with DHCP Client from the Network Addressing Mode menu 2 Enter a unique IP address from your LAN address range in the SonicWALL LAN IP Address field The SonicWALL LAN IP Address is the address assigned to the SonicWALL LAN and is used for management of the SonicWALL 3 Enter your network s...

Page 81: ...icWALL WAN IP NAT Public Address lease When you click on Renew the SonicWALL renews the IP address used for the WAN IP address Click Release and the lease is released with the DHCP server NAT with PPPoE Configuration The SonicWALL can use Point to Point Protocol over Ethernet PPPoE to connect to the Internet If your ISP requires the installation of desktop software and user name and password authe...

Page 82: ... updated a message confirming the update is displayed at the bottom of the browser window Restart the SonicWALL for these changes to take effect Alert When NAT is enabled the SonicWALL LAN IP Address is used as the gateway address for computers on the LAN When your SonicWALL has successfully established a PPPoE connection the Network page displays the SonicWALL WAN IP settings The WAN Gateway Rout...

Page 83: ...n the LAN Subnet Mask field The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN Use the default value 255 255 255 0 if there are less than 254 computers on your LAN 4 If you obtain a WAN IP address from the L2TP server select Obtain an IP address using DHCP If you have WAN IP address information select Use the specified IP address and enter your WAN information in the WAN G...

Page 84: ...page displays the SonicWALL WAN IP settings The WAN Gateway Router Address SonicWALL WAN IP NAT Public Address WAN LAN Subnet Mask and DNS Servers are displayed Alert Enable and configure the SonicWALL DHCP server or manually configure client DNS settings to obtain DNS name resolution Restarting the SonicWALL Once the network settings have been updated the Status bar at the bottom of the browser w...

Page 85: ...ess is the address assigned to the SonicWALL LAN port and is used for management of the SonicWALL 3 Enter your network subnet mask in the LAN Subnet Mask field The LAN Subnet Mask tells your SonicWALL which IP addresses are on your LAN Use the default value 255 255 255 0 if there are less than 254 computers on your LAN 4 If you obtain a WAN IP address from the PPTP server select Obtain an IP addre...

Page 86: ...hen your SonicWALL has successfully established a PPTP connection the Network page displays the SonicWALL WAN IP settings The WAN Gateway Router Address SonicWALL WAN IP NAT Public Address WAN LAN Subnet Mask and DNS Servers are displayed Alert Enable and configure the SonicWALL DHCP server or manually configure client DNS settings to obtain DNS name resolution Restarting the SonicWALL Once the ne...

Page 87: ...otocol used to synchronize computer clock times in a network of computers NTP uses Coordinated Universal Time UTC to synchronize computer clock times to a millisecond and sometimes to a fraction of a millisecond Select Use NTP to set time automatically if you want to use your local server to set the SonicWALL clock You can also set the Update Interval for the NTP server to synchronize the time in ...

Page 88: ...e the Administrator Password To set the password enter the old password in the Old Password field and the new password in the New Password field Enter the new password again in the Confirm New Password field and click Update Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window Tip When setting the password for the first time remember ...

Page 89: ...can range from 1 to 99 minutes Click Update and a message confirming the update is displayed at the bottom of the browser window Login Failure Handling You can configure the SonicWALL to lockout an administrator or a user if the login credentials are incorrect Select Enable User Lockout on login failure to prevent users from attempting to log into the SonicWALL without proper authentication creden...

Page 90: ... displays potential security threats This log can be viewed with a browser using the SonicWALL Web Management Interface or it can be automatically sent to an e mail address for convenience and archiving The log is displayed in a table and is sortable by column The SonicWALL can alert you of important events such as an attack to the SonicWALL Alerts are immediately e mailed either to an e mail addr...

Page 91: ... for the 12 Content Filter List categories are shown below Descriptions of the categories are available at http www sonicwall com Content Filter categories html ActiveX Java Cookie or Code Archive blocked When ActiveX Java or Web cookies are blocked messages with the source and destination IP addresses of the connection attempt is displayed Ping of Death IP Spoof and SYN Flood Attacks The IP addre...

Page 92: ...the log is cleared from the SonicWALL memory If this field is left blank the log is not e mailed 3 Send Alerts To Enter your full e mail address username mydomain com in the Send alerts to field to be immediately e mailed when attacks or system errors occur Enter a standard e mail address or an e mail paging service If this field is left blank e mail alert messages are not sent 4 Firewall Name The...

Page 93: ...y option is selected then enter the day of the week the e mail is sent in the Every menu If the Weekly or the Daily option is selected enter the time of day when the e mail is sent in the At field If the When Full option is selected and the log fills up it is e mailed automatically 9 When log overflows The log buffer fills up if the SonicWALL cannot e mail the log file The default behavior is to o...

Page 94: ...va etc Logs Java ActiveX and Cookies blocked by the SonicWALL User Activity Logs successful and unsuccessful log in attempts VPN TCP Stats Logs TCP connections over VPN tunnels Attacks Logs messages showing Denial of Service attacks such as SYN Flood Ping of Death and IP spoofing Dropped TCP Logs blocked incoming TCP connections Dropped UDP Logs blocked incoming UDP packets Dropped ICMP Logs block...

Page 95: ... generate alert messages Blocked Web Sites Log entries categorized as Blocked Web Sites generate alert messages VPN Tunnel Status Log entries categorized as VPN Tunnel Status generate alert messages Once you have configured the Log Settings window click Update Once the SonicWALL is updated a message confirming the update is displayed at the bottom of the browser window Reports The SonicWALL can pe...

Page 96: ... accessed Web sites and the number of hits to a site during the current sample period The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites If leisure sports or other inappropriate sites appear in the Web Site Hits Report you can choose to block the sites Bandwidth Usage by IP Address Selecting Bandwidth Usage by IP Address from the Display Report menu displa...

Page 97: ... historical reports to provide a complete view of all activity through your SonicWALL Internet Security Appliance With SonicWALL ViewPoint you are able to monitor network access enhance network security and anticipate future bandwidth needs SonicWALL ViewPoint Displays bandwidth use by IP address and service Identifies inappropriate Web use Presents detailed reports of attacks Collects and aggrega...

Page 98: ...s content filtering using keywords Tip When you register your SonicWALL at http www mysonicwall com you can download a one month subscription to the SonicWALL Content Filter List updates N2H2 N2H2 is a third party content filter software package supported by SonicWALL You can obtain more information on N2H2 at http www n2h2 com If you select N2H2 from the list an N2H2 tab is available to configure...

Page 99: ... network Cookies Cookies are used by Web servers to track Web usage and remember user identity Cookies can also compromise users privacy by tracking Web activities Select the Cookies check box to disable Cookies Known Fraudulent Certificates Digital certificates help verify that Web content and files originated from an authorized party Enabling this feature protects users on the LAN from downloadi...

Page 100: ...ou to see the status of the Content Filter List as well as configure a specific time to download the list You can also determine how the SonicWALL responds when a Content Filter List is unavailable Selecting categories to block is also configured on this page List Status This section of the URL List tab indicates the status of the URL list If the Content Filter List is loaded a status message is d...

Page 101: ...cked Tip If you enable Block traffic to all Web sites except for Allowed Domains and you have a 30 day subscription to the Content Filter List you may not be able to access the Internet when the subscription expires Select Categories to Block Block all categories The SonicWALL uses a Content Filter List generated by CyberPatrol to block access to objectional Web sites CyberPatrol classifies object...

Page 102: ...e Content Filter List enter the host name such as www bad site com into the Forbidden Domains field 256 entries can be added to the Forbidden Domains list Alert Do not include the prefix http in either the Allowed Domains or Forbidden Domains the fields All subdomains are affected For example entering yahoo com applies to mail yahoo com and my yahoo com To remove a trusted or forbidden domain sele...

Page 103: ...y feature allows you to define specific times when Content Filtering is enforced For example you could configure the SonicWALL to filter employee Internet access during normal business hours but allow unrestricted access at night and on weekends Tip Time of Day restrictions only apply to the Content Filter List Customized blocking and Keyword blocking Consent and Restrict Web Features are not affe...

Page 104: ...Idle Timeout is 5 minutes configure here After a period of Web browser inactivity the SonicWALL requires the user to agree to the terms outlined in the Consent page before accessing the Internet again To configure the value follow the link to the Users window and enter the desired value in the User Idle Timeout section Consent page URL Optional Filtering When a user opens a Web browser on a comput...

Page 105: ...g a consent page is displayed You must create the Web page that appears when the Web browser is opened It can contain text from an Acceptable Use Policy and notification that violations are logged or blocked This Web page must reside on a Web server and be accessible as a URL by users on the LAN This page must also contain a link to a page contained in the SonicWALL that tells the SonicWALL that t...

Page 106: ...se security Select the ActiveX check box to block ActiveX controls Java Java is used to download and run small programs called applets on Web sites It is safer than ActiveX since it has built in security mechanisms Select the Java check box to block Java applets from the network Cookies Cookies are used by Web servers to track Web usage and remember user identity Cookies can also compromise users ...

Page 107: ...main name into the Add Trusted Domain field Click Update to add the domain to the list of trusted domains To delete a domain select it from the list and then click Delete Trusted Domains Trusted Domains can be added in the Restrict Web Features section of the Configure tab If you trust content on specific domains you can select Don t block Java ActiveX Cookies to Trusted Domains and then add the T...

Page 108: ...ts from the N2H2 client to the SonicWALL The default port is 4005 User Name The User Name refers to a configuration of users a group of users or network defined within the N2H2 software If Server is unavailable for 5 secs The default value for timeout of the server is 5 seconds but you can enter a value between 1 and 10 seconds If the N2H2 server becomes unavailable select from the following two o...

Page 109: ...llowing applications to block Block ActiveX ActiveX is a programming language that embeds scripts in Web pages Malicious programmers can use ActiveX to delete files or compromise security Select the ActiveX check box to block ActiveX controls Java Java is used to download and run small programs called applets on Web sites It is safer than ActiveX since it has built in security mechanisms Select th...

Page 110: ... servers on the WAN Don t Block Java ActiveX Cookies to Trusted Domains Select this option if you have trusted domains using Java ActiveX and Cookies To add a trusted domain enter the domain name into the Add Trusted Domain field Click Update to add the domain to the list of trusted domains To delete a domain select it from the list and then click Delete Trusted Domains Trusted Domains can be adde...

Page 111: ...raffic The default port number is 15686 User Name To enable reporting of users and groups defined on the Websense Enterprise server leave this field blank To enable reporting by a specific user or group behind the SonicWALL enter the User Name configured on the Websense Enterprise Server for the user or group If using NT based directories on the Websense Enterprise Server the User Name is in this ...

Page 112: ...options Block traffic to all Web sites Allow traffic to all Web sites URL Cache Configure the size of the URL Cache in KB Tip A larger URL Cache size can result in noticeable improvements in Internet browsing response times Model Cache Size XPRS PRO SOHO2 TELE2 SOHO3 TELE3 and PRO Vx 128 PRO 100 PRO 200 PRO 300 PRO2 PRO VX2 256 GX250 GX 2500 GX650 GX 6500 1024 ...

Page 113: ...nicWALL firmware and perform several diagnostic tests There are four tabs in the Tools section Restart Preferences Firmware Diagnostic Restarting the SonicWALL Click Tools on the left side of the browser window and then click the Restart tab The SonicWALL can be restarted from the Web Management Interface Click Restart SonicWALL and then click Yes to confirm the restart The SonicWALL takes up to 9...

Page 114: ...icWALL factory default settings and launch the SonicWALL Installation Wizard These functions are described in detail in the following pages Exporting the Settings File It is possible to save the SonicWALL configuration information as a file on your computer and retrieve it for later use Click Export in the Preferences tab 1 Click Export again to download the settings file Then choose the location ...

Page 115: ...estart the SonicWALL for the settings to take effect Alert The Web browser used to Import Settings must support HTTP uploads Microsoft Internet Explorer 5 0 and higher as well as Netscape Navigator 4 0 and higher are recommended Restoring Factory Default Settings You can erase the SonicWALL configuration settings and restore the SonicWALL to its factory default state 1 Click Restore on the Prefere...

Page 116: ...ew firmware is available check box Then click Update If you enable firmware notification your SonicWALL sends a status message to SonicWALL Inc Firmware Server on a daily basis The status message includes the following information SonicWALL Serial Number Unit Type Current Firmware Version Language Current Available memory ROM version Options and Upgrades SonicWALL VPN Network Anti Virus Tip The So...

Page 117: ... as well as Netscape Navigator 4 0 and higher are recommended When firmware is uploaded the SonicWALL settings can be erased Before uploading new firmware export and save the SonicWALL settings so that they can be restored later Once the settings have been saved click Yes Click Browse and select the firmware file from your local hard drive or from the SonicWALL Companion CD Click Upload and then r...

Page 118: ...ion about SonicWALL options and upgrades You can also purchase upgrades by registering your SonicWALL at http www mysonicwall com and using the Buy Now option Web http www sonicwall com E mail sales sonicwall com Phone 408 745 9600 Fax 408 745 9300 When an upgrade is purchased an Activation Key and instructions for registering the upgrade are included Once you have registered the upgrade an Upgrad...

Page 119: ...ookup tool that returns the numerical IP address of a domain name or if you enter an IP address it returns the domain name 1 Select DNS Name Lookup from the Choose a diagnostic tool menu 2 Enter the host name to lookup in the Look up the name field and click Go Do not add the prefix http The SonicWALL then queries the DNS server and displays the result at the bottom of the screen Tip You must defi...

Page 120: ...ehind a router and the Ethernet address of the target device Find Network Path also shows the gateway the device is using and helps isolate configuration problems 1 Select Find Network Path from the Choose a diagnostic tool menu 2 Enter the IP address of the device and click Go The test takes a few seconds to complete Once completed a message showing the results is displayed in the browser window ...

Page 121: ...he DNS server or another machine at the ISP location If this test is successful try pinging devices outside the ISP This shows if the problem lies with the ISP connection 1 Select Ping from the Choose a diagnostic tool menu 2 Enter the IP address of the target device to ping and click Go The test takes a few seconds to complete Once completed a message showing the results is displayed in the brows...

Page 122: ...rwards SYN from LAN client to remote host 3 TCP received on WAN SYN ACK From 204 71 200 74 80 02 00 cf 58 d3 6a To 207 88 211 116 1937 00 40 10 0c 01 4e The SonicWALL receives SYN ACK from remote host 4 TCP sent on LAN SYN ACK From 204 71 200 74 80 02 00 cf 58 d3 6a To 192 168 168 158 1282 00 a0 4b 05 96 4a The SonicWALL forwards SYN ACK to LAN client 5 TCP received on LAN ACK From 192 168 168 158...

Page 123: ...This file can then be e mailed to SonicWALL Technical Support to help assist with a problem Alert You must register your SonicWALL on mySonicWALL com to receive technical support Before e mailing the Tech Support Report to the SonicWALL Technical Support team complete a Tech Support Request Form at http techsupport sonicwall com swtech html After the form is submitted a unique case number is retur...

Page 124: ...t from the Choose a diagnostic tool menu 2 Select the Report Options to be included with your e mail 3 Click Save Report to save the file to your system When you click Save Report a warning message is displayed 4 Click OK to save the file Attach the report to your Tech Support Request e mail ...

Page 125: ...Ping packets Trace Route can test interconnectivity with routers and other hosts that are farther and farther along the network path until the connection fails or until the remote host responds Enter the IP address or domain name of the destination host For example enter yahoo com and click Go A second window is displayed with each hop to the destination host By following the route you can diagnos...

Page 126: ...trict use of certain protocols such as Telnet to authorized users on the LAN The custom rules evaluate network traffic source IP address destination IP address IP protocol type and compare the information to rules created on the SonicWALL Network Access Rules take precedence and can override the SonicWALL s stateful packet inspection For example a rule that blocks IRC traffic takes precedence over...

Page 127: ... your LAN on the Internet Otherwise you are blocked from accessing that service By default the LAN Out check boxes are selected DMZ In Optional If the DMZ In is selected users on the Internet can access the service on the DMZ Otherwise they are blocked from accessing the service on the DMZ By default DMZ In is selected The DMZ In column does not appear in the Web Management Interface for the Sonic...

Page 128: ...rough the SonicWALL If Enable Support is selected it may affect the performance of the SonicWALL Detection Prevention Enable Stealth Mode By default the SonicWALL responds to incoming connection requests as either blocked or open If you enable Stealth Mode your SonicWALL does not respond to blocked inbound connection requests Stealth Mode makes your SonicWALL essentially invisible to hackers Rando...

Page 129: ...beled Name Service DNS for UDP port 53 and TCP port 53 Multiple entries with the same name are grouped together and are treated as a single service Up to 128 entries are supported Add a Known Service 1 Select the name of the service you want to add from the Add a known service list 2 Click Add The new service appears in the list box on the right side of the browser window Note that some services a...

Page 130: ...hlight the name in the list and click Delete Service If multiple entries with the same name exist delete all entries to remove the service Rules The SonicWALL evaluates the source IP address the destination IP address and the service type when determining whether to allow or deny traffic Custom rules take precedence and override the SonicWALL default rules By default the SonicWALL blocks all traff...

Page 131: ... window and then click the Rules tab Alert Use extreme caution when creating or deleting Network Access Rules as you an accidentally disable firewall protection or block access to the Internet Product Maximum Rules Rules Available for Bandwidth Management GX Series 300 100 PRO 300 PRO 330 200 100 PRO 100 PRO 200 PRO 230 100 50 TELE3 SOHO3 100 50 TELE2 SOHO2 XPRS2 XPRS PRO PRO Vx 100 20 ...

Page 132: ...g critical resources on the Internet 8 Does the rule create any security vulnerabilities 9 Does the rule conflict with any existing rules Bandwidth Management The SonicWALL can be configured for bandwidth management of outbound WAN network traffic via bandwidth management It allows network administrators to prioritize traffic Each Service added via a Rule has a checkbox to enable bandwidth managem...

Page 133: ...Range Begin field 5 Select the destination of the traffic affected by the rule either LAN or WAN or from the Destination Ethernet menu If you want to define the destination IP addresses that are affected by the rule for example to allow inbound Web access to several Web servers on your LAN enter the starting IP addresses of the address range in the Addr Range Begin field and the ending IP address ...

Page 134: ...s can be created that allow inbound IP traffic the SonicWALL does not disable protection from Denial of Service attacks such as the SYN Flood and Ping of Death attacks For example to configure the SonicWALL to allow Internet traffic to your Web server with an IP address of 208 5 5 5 Standard mode create the following rule 1 Verify that HTTP has been added as a Service as outlined previously 2 Clic...

Page 135: ...t Deny from the Action menu 3 Select NNTP from the Service menu If the service is not listed in the list you must to add it in the Add Service window 4 Select LAN from the Source Ethernet menu 5 Since all computers on the LAN are to be affected enter in the Source Addr Range Begin field 6 Select WAN from the Destination Ethernet menu 7 Enter in the Destination Addr Range Begin field to block acces...

Page 136: ...Delete a Rule To delete a rule click the Trash Can icon to the right of the rule in the Rules window A dialog box appears with the message Do you want to remove this rule Click OK Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window Enable Disable a Rule To disable a rule without permanently removing it clear the Enable check box to t...

Page 137: ...y specific Deny rules override Allow rules Rules are displayed in the Current Network Access Rules list from the most specific to the least specific and rules at the top override rules listed below For example consider the section of the Rules window shown below The Default Allow Rule 7 at the bottom of the page allows all traffic from the LAN to the WAN However Rule 1 blocks IRC Chat traffic from...

Page 138: ...twork Global User Settings Time users out after 5 minutes of inactivity Enter the number of allowable inactivity minutes before a user is automatically logged out of the network via the SonicWALL Limit login session time to Limit the length of time in minutes that a user is allowed to be logged into the network via the SonicWALL When a user logs into the SonicWALL using a username and password the...

Page 139: ...ilters if the user has unlimited access to the Internet from the LAN bypassing Web News Java and ActiveX blocking Access to VPNs Enable the check box if the user can send information over the VPN Security Associations with authentication enforcement Access from the VPN Client with XAUTH Enable the check box if the user requires XAUTH for authentication and accesses the firewall via a VPN client Li...

Page 140: ... the session and the Inactivity Remaining time Users Currently Locked Out After Login Failures A list of current users locked after failing to log into the SonicWALL correctly is displayed in this section The table lists the User Name Tried the IP Address Lockout Time Remaining and an Unlock icon The Unlock icon is used by the Administrator to allow the user access to the SonicWALL Click the icon ...

Page 141: ...onger than the session time set by the administrator The connection closes when the user exceeds the inactivity time out period or the maximum session time is exceeded If the connection is closed the user must re authenticate to regain their access through the SonicWALL Logging into the SonicWALL as the administrator automatically gives the user access to all VPN tunnels requiring authentication T...

Page 142: ... recommended 2 Define the RADIUS Server Timeout in Seconds The allowable range is 1 60 seconds with a default value of 5 RADIUS Servers 3 Specify the settings of the primary RADIUS server in the RADIUS servers section An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network 4 Enter the IP address of the RADIUS server in the IP Address field 5 Enter the Por...

Page 143: ...cation Limited Management Capabilities By enabling this check box the user has limited local man agement access to the SonicWALL Management interface The access is limited to the following pages General Status Network Time Log View Log Log Settings Log Reports Tools Restart Diagnostics minus Tech Support Report RADIUS Client Test You can test your RADIUS Client user name and password by typing in ...

Page 144: ...w Tivoli or SNMPC To configure SNMP in the SonicWALL Internet Security appliance log into the SonicWALL management interface Click Access then Management The SonicWALL SNMP agent generates two traps Cold Start Trap and Alert Traps Cold Start Traps indicates the SonicWALL appliance is re initializing itself so that the agent configuration or the appliance can be altered Alert Traps are based on the...

Page 145: ...cWALL Management Protocol The SonicWALL can be managed using HTTP or HTTPS and a Web browser Both HTTP and HTTPS are enabled by default The default port for HTTP is port 80 but you can configure access through another port Enter the number of the desired port in the Port field and click Update However if you configure another port for HTTP management you must include the port number when you use t...

Page 146: ... hexadecimal characters include 0 1 2 3 4 5 6 7 8 9 A B C D E and F An example of a valid encryption key is 1234567890A BCDEF Or you can use the randomly generated key that appears in the Encryption Key field 2 Enter a 32 character hexadecimal authentication key in the Authentication Key field An example of a valid authentication key is 1234567 890ABCDEF1234567890ABCDEF Or you can use the randomly...

Page 147: ...etermines if it has stored copies of the requested Web pages If it does not the proxy completes the request to the server on the Internet returning the requested information to the user and also saving it locally for future requests Setting up a Web proxy server on a network can be cumbersome because each computer on the network must be configured to direct Web requests to the server If you have a...

Page 148: ...ess in the SonicWALL Intranet tab Click the Intranet tab at the top of the window 5 To bypass the Proxy Servers if a failure occurs select the Bypass Proxy Servers Upon Proxy Server Failure check box 6 In the Intranet tab enter the proxy server s IP address in the Add Range field 7 Select Specified address ranges are attached to the WAN link and click Update Once the SonicWALL has been updated a m...

Page 149: ...he Intranet settings on the SonicWALL Creating an Intranet firewall is achieved by connecting the SonicWALL between an unprotected and a protected segment Installation 1 Connect the LAN Ethernet port on the back of the SonicWALL to the network segment to be protected against unauthorized access Alert Devices connected to the WAN port do not have firewall protection It is recommended that you use a...

Page 150: ...This is the default setting Specified address ranges are attached to the LAN link Select this option if it is easier to specify the devices on your LAN Then enter your LAN IP address range s If you do not include all com puters on your LAN the computers not included will be unable to send or receive data through the SonicWALL Specified address ranges are attached to the WAN link Select this option...

Page 151: ...o the appropriate IPSec gateway An example of a deployment is to place the SonicWALL between the existing firewall and the router connected to the Internet Traffic is sent in clear text to the SonicWALL then encrypted and sent to the appropriate VPN Gateway Alert VPN Single Armed Mode can only be enabled if the SonicWALL is in Standard mode on the Network tab If you are not using Standard for your...

Page 152: ... The LAN port is disabled when you configure a SonicWALL for VPN Single Armed mode 6 Configure a VPN SA using IKE and Pre shared Secret on the VPN SonicWALL to securely connect to the Remote SonicWALL Enter the Remote SonicWALL WAN IP address as the IPSec Gateway and the Remote SonicWALL LAN IP Address range as the Destination Network if configuring Many to One NAT 7 Click Advanced and then Routes...

Page 153: ... Subnet Mask are displayed in the Current Network Settings section To add Static Route entries complete the following instructions 1 Enter the destination network of the static route in the Dest Network field The destination network is the IP address subnet of the remote network segment Tip If the destination network uses IP addresses ranging from 192 168 1 1 to 192 168 1 255 enter 192 168 1 0 in ...

Page 154: ...AN To enable Route Advertisement on the LAN select one of the following types of RIP Advertisements RIPv1 Enabled RIPv1 is the first version of Routing Information Protocol RIPv2 Enabled multicast to send route advertisements using multicasting a single data packet to specific notes on the network RIPv2 Enabled broadcast to send route advertisements using broadcasting a single data packet to all n...

Page 155: ...tion Password Max 16 Chars field A maximum of 16 characters can be used to define a password MD5 Digest Enter a numerical value from 0 255 in the Authentication Key Id 0 255 field En ter a 32 hex digit value for the Authentication Key 32 hex digits field or use the generated key DMZ Route Advertisement All of the information and configuration instructions for LAN Route Advertisement apply to DMZ R...

Page 156: ...e DMZ Address Range does not include the SonicWALL WAN IP Address the WAN Gateway Router Address or any IP addresses assigned on the One to One NAT or Intranet windows Tip The SonicWALL supports up to 64 DMZ address ranges DMZ in NAT Mode The SonicWALL DMZ now has the ability to use private internal IP addresses rather than public IP addresses on the network Since NAT hides the true IP addresses i...

Page 157: ...ting home users from accessing computers on the WorkPort This security however also prevents home users from reaching the Internet unless the computers connected to the HomePort are configured to be in the same network as the HomePort First you must configure the HomePort to use NAT or Standard mode as the networking configuration Click Advanced on the left side of the browser window and then clic...

Page 158: ...HomePort Private Address field enter the private internal IP address assigned to the DMZ interface The default address of 172 0 16 1 is appropriate for most networks 2 Assign a subnet mask in the HomePort Subnet Mask field The WorkPort and the HomePort can have the same subnet mask but the subnets private IP addresses must be different For instance the WorkPort subnet can be 192 168 0 1 with a sub...

Page 159: ...essible from the Internet 3 Enter the beginning IP address of the valid address range being mapped in the Public Range Begin field This address should be assigned by your ISP Alert Do not include the SonicWALL WAN IP NAT Public Address or the WAN Gateway Router Address in this range 4 Enter the number of public IP addresses that should be mapped to private addresses in the Range Length field The r...

Page 160: ...8 1 2 4 in the Public Range Begin field 5 Type in 3 in the Range length field Tip You can configure the IP addresses individually but it is easier to configure them in a range However the IP addresses on both the private and public sides must be consecutive to configure a range of addresses 6 Click Update 7 Click Access then the Rules tab 8 Click Add New Rule and configure the following settings A...

Page 161: ...net card also forces these settings You must force from both sides of your connection to enable this setting WAN Link Settings Specifies the speed and duplex mode of the Ethernet connection to the WAN link The default selection is Auto Negotiate because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection The other choice Force with lists for speed and du...

Page 162: ...s Auto Negotiate because the Ethernet links automatically negotiate the speed and duplex mode of the Ethernet connection The other choice Force with lists for speed and duplex should be used only if your Ethernet card also forces these settings You must force from both sides of your connection to enable this setting Proxy Management workstation ethernet address on WAN If you are managing the Ether...

Page 163: ...nt can assign a portion of the available bandwidth and a priority to each class of network traffic Priorities rank from 0 zero highest to 7 lowest Defining a class of traffic that has 0 bandwidth allocated to it effectively blocks the traffic unless there is no other traffic with higher priority on the network The packet classifier analyzes a packet when it arrives for its packet protocol source i...

Page 164: ...ures Page 165 Examples of Bandwidth Management Rules Bandwidth Management Schema Rule Service Priority Guaranteed Maximum Allow SMTP 0 300 Kbps 1000 Kbps Allow FTP 1 100 Kbps 200 Kbps Allow HTTP 2 100 Kbps 200 Kbps ...

Page 165: ...omputers on your LAN To access the SonicWALL DHCP Setup window click DHCP on the left side of the browser window There are three tabs in the DHCP section Setup DHCP over VPN Status Setup Disable DHCP Server is the default setting in the SonicWALL Allow DHCP Pass Through in Standard Mode Network administrators can have a DHCP server located outside the SonicWALL Internet Security appliance To enabl...

Page 166: ... 6 Enter your WINS Server address es in the WINS Server 1 and WINS Server 2 fields WINS Servers resolve Windows based computer names to IP addresses If you do not have a WINS server leave these fields blank 7 Dynamic Ranges are the ranges of IP addresses dynamically assigned by the DHCP server The Dynamic Ranges should be in the same subnet as the SonicWALL LAN IP Address 8 Enter the beginning IP ...

Page 167: ...st DHCP Client behind a SonicWALL obtain an IP address lease from a DHCP server at the other end of a VPN tunnel In some network deployments it is desirable to have all VPN networks on one logical IP subnet and create the appearance of all VPN networks residing in one IP subnet address space This facilitates IP address administration for the networks using VPN tunnels DHCP Relay Mode The SonicWALL...

Page 168: ...ers in the Add DHCP Server field and click Update The SonicWALL now directs DHCP requests to the specified servers 4 To delete DHCP servers click on the IP address of the DHCP server and click Delete DHCP Server The server is removed from the list of DHCP servers 5 To complete the configuration go to VPN and click Configure 6 Select Destination network obtains IP addresses using DHCP through this ...

Page 169: ...across the VPN tunnel that is spoofing an authenticated user s IP address If you have any static devices however you must ensure that the correct Ethernet address is entered for the device The Ethernet address is used as part of the identification process and an incorrect Ethernet address can cause the SonicWALL to respond to IP spoofs 6 If the VPN tunnel is disrupted temporary DHCP leases can be ...

Page 170: ...ress used as the Relay IP Address It is recommended to reserve a block of IP address to use as Relay IP addresses 9 Select LAN Devices not allowed to obtain IP through SA if there are devices on the LAN that you do not want to obtain IP addresses through the VPN tunnel such as children s computers You must know the Ethernet address of the device to configure this setting The Ethernet address of a ...

Page 171: ...he scrolling window shows the details on the current bindings IP and MAC address of the bindings along with the type of binding Dynamic Dynamic BootP or Static BootP To delete a binding which frees the IP address in the DHCP server select the binding from the list and then click Delete Binding The operation takes a few seconds to complete Once completed a message confirming the update is displayed...

Page 172: ...uters on your WorkPort or your HomePort To access the SonicWALL DHCP Setup window click DHCP on the left side of the browser window There are three tabs in the DHCP section Setup DHCP over VPN Status Setup Disable DHCP Server is the default setting in the SonicWALL Allow DHCP Pass Through in Standard Mode Network administrators can have a DHCP server located outside the SonicWALL Internet Security...

Page 173: ...cWALL Network section then select Specify Manually Enter your DNS Server addresses in the DNS Server 1 DNS Server 2 and DNS Server 3 fields The DNS servers are used by computers on your WorkPort to resolve domain names to IP addresses You only enter one DNS Server address but multiple DNS entries improve performance and reliability 7 Enter your WINS Server address es in the WINS Server 1 and WINS ...

Page 174: ...WALL has been updated a message confirming the update is displayed at the bottom of your Web browser window Continue this process until you have added all the desired static entries Tip The SonicWALL DHCP server can assign a total of 254 dynamic and static IP addresses Deleting Dynamic Ranges and Static Entries To remove a range of addresses from the dynamic pool select it from the list of dynamic...

Page 175: ... scrolling window shows the details on the current bindings IP and MAC address of the bindings along with the type of binding Dynamic Dynamic BootP or Static BootP To delete a binding which frees the IP address in the DHCP server select the binding from the list and then click Delete Binding The operation takes a few seconds to complete Once completed a message confirming the update is displayed a...

Page 176: ...on for the SonicWALL and VPN Client Demonstrates the configuration of SonicWALL Group VPN settings on the SonicWALL Internet Security Appliance and VPN Client using the Group VPN Security Association Manual Key Configuration for the SonicWALL and VPN Client Explains the configuration of a SonicWALL appliance and a VPN client using the Manual Key Security Association IKE and Manual Key Configuratio...

Page 177: ...ts for every Security Association configuration Enable Fragmented Packet Handling if the VPN log report shows the log message Fragmented IPSec packet dropped select this feature Do not select it until the VPN tunnel is established and in operation Enable NAT Traversal select if a NAT device is located between your VPN endpoints See page 177 for more information on SonicWALL NAT Traversal Support K...

Page 178: ...PN bandwidth priority from the VPN bandwidth priority menu 0 highest to 7 lowest Tip Bandwidth management is available only on outbound VPN traffic You cannot configure individual Security Associations to use bandwidth management VPN Policies This section displays all of the VPN configurations in the SonicWALL appliance If you click the name of the security association the security association set...

Page 179: ...se IPSec VPNs protect traffic exchanged between authenticated endpoints but authenticated endpoints cannot be dynamically re mapped mid session for NAT traversal to work Therefore to preserve a dynamic NAT binding for the life of an IPSec session a 1 byte UDP is designated as a NAT Traversal keepalive and acts as a heartbeat sent by the VPN device behind the NAT or NAPT device The keepalive is sil...

Page 180: ... of security policy for the SA from the IPSec Keying Mode menu You can select IKE using Preshared Secret Manual Key or IKE using Certificates The IPSec Gateway Address field is used to configure the gateway for the security association Disabling Security Associations You can choose to disable certain security associations and still allow access by remote VPN clients The feature is useful if it is ...

Page 181: ... you can select from one of eight encryption methods AES support is available only on the PRO 230 PRO 330 and GX series These are listed in order from least secure to most secure If network speed is preferred then select DES MD5 If network security is preferred select 3DES SHA1 To compromise between network speed and network security select DES SHA1 AES Advanced Encryption Standard is an encryptio...

Page 182: ...ated as the Shared Secret The Shared Secret is not exported with the VPN Client Configuration File The Shared Secret must be distributed by the SonicWALL administrator Security Policy Settings for IKE using Pre shared Secret Exchange select Main Mode or Aggressive Mode Main Mode requires six one way messages between the peers and Aggressive Mode requires only three one way messages making Aggressi...

Page 183: ...n possible encryption keys to encrypt data Fast Encrypt ESP ARCFour uses 56 bit ARCFour to encrypt data ARCFour is a secure encryption method and has little impact on the throughput of the SonicWALL Strong Encrypt ESP 3DES uses 168 bit 3DES Triple DES to encrypt data 3DES is considered to be an almost unbreakable encryption method applying three DES keys in succession but it significantly impacts ...

Page 184: ...C SHA1 authentication AES support is available only on the PRO 230 and PRO 330 If IKE using Pre shared Secret is selected for the IPSec Keying Mode the Shared Secret field is displayed and you can enter your shared secret Security Policy Settings using Manual Key Manual Key is configured differently than IKE using Pre shared Secret or Group VPN It requires an Incoming and Outgoing Security Paramet...

Page 185: ...ntry Then modify the appropriate fields and click Update to update the configuration To delete a destination network click the Trash Can icon to the far right of the appropriate destination network entry and then click OK to confirm the removal Modifying and Deleting Existing Security Associations The Security Association menu also allows you to modify and delete existing Security Associations To ...

Page 186: ...g NetBIOS broadcast Apply NAT and firewall rules Forward packets to remote VPNs Enable Perfect Forward Secrecy Phase 2 DH Group Default LAN Gateway VPN Terminated at LAN DMZ or LAN DMZ Enable Keep Alive Selecting the Enable Keep Alive check box allows the VPN tunnel to remain active or maintain its current connection by listening for traffic on the network segment between the two connections Inter...

Page 187: ...interface and the LAN segment of the corporation To protect the traffic NAT Network Address Translation is performed on the outbound packet before it is sent through the tunnel and in turn NAT is performed on inbound packets when they are received By using NAT for a VPN connection computers on the remote LAN are viewed as one address the SonicWALL public address from the corporate LAN If the Sonic...

Page 188: ...icWALL appliances or a Group VPN SA an additional Diffie Hellman key exchange is performed Enable Perfect Forward Secrecy adds incremental security between gateways Phase 2 DH Group If Enable Perfect Forward Secrecy is enabled select the type of Diffie Hellman DH Key Exchange a key agreement protocol to be used during phase 2 of the authentication process to establish pre shared keys Groups 1 2 an...

Page 189: ...t is routed through the gateway Otherwise the packet is dropped VPN Terminated at the LAN DMZ or LAN DMZ Selecting this option allows you to terminate a VPN tunnel on a specific destination instead of allowing the VPN tunnel to terminate on the SonicWALL network By terminating the VPN tunnel to a specific destination the VPN tunnel has access to a specific portion of the destination LAN or DMZ net...

Page 190: ...Certificates Group VPN using IKE Pre shared Secret Group VPN using IKE Certificates Manual Key IKE using Pre shared Secret IKE using Certificates1 Enable Keep Alive 3 Try to bring up all possible SAs 3 3 Require authentication of VPN clients using XAUTH 3 3 Require authentication of local users 3 3 3 Require authentication of remote users 3 3 3 Enable Windows Networking NetBIOS broadcast 3 3 3 3 3...

Page 191: ...e three methods Group Configuration uses IKE Internet Key Exchange and requires fewer settings on the VPN client enabling a quicker setup Simple configuration allows multiple clients to connect to a sin gle Security Association SA creating a group VPN tunnel The SonicWALL only supports one Group Configuration SA You can use the Group VPN SA for your single VPN client Manual Key Configuration requi...

Page 192: ...p VPN is only available for VPN clients and it is recommended to use Authentication Service or XAUTH RADIUS in conjunction with the Group VPN for added security To enable Group VPN follow the instructions below 1 Click VPN on the left side of the Management Station interface 2 Click on Group VPN The Security Association default setting is Group VPN 3 Configure the Group VPN to use either IKE using...

Page 193: ...nal key exchange Default LAN Gateway The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA Tip It is not necessary to configure the Advanced Settings to get the VPN connection working between the SonicWALL and the VPN client You can configure the Advanced Settings later and then re import the SA into...

Page 194: ... the VPN client serial number when prompted 4 Restart your computer after you have installed the VPN client software For detailed instructions on installing the client software download the Client Installation Guide available at http www sonicwall com documentation html Group VPN Client Configuration To import the Group VPN security policy into the VPN Client use the following steps 1 Open the VPN...

Page 195: ...s successfully imported into the client The client application now has an imported Group VPN policy 4 Click the sign next to Group VPN to reveal two sections My Identity and Security Policy Select My Identity to view the settings 5 Click Pre Shared Key to enter the Pre Shared Secret created in the Group VPN settings in the SonicWALL appliance Click Enter Key and enter the pre shared secret Then cl...

Page 196: ...cy Group VPN can also be configured using digital certificates in the Security Association settings For more information on Group VPN configuration using digital certificates refer to the Authentication Service User s Guide on the SonicWALL Website http www sonicwall com vpn center vpn setup html ...

Page 197: ...a secure tunnel is active and sending data securely across the connection You can verify the connection by verifying the type of icon displayed in the system tray near the system clock The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system The icon changes to reflect the current status of your communication over the VPN tunnel ...

Page 198: ...e IPSec Keying Mode menu 3 Enter a descriptive name that identifies the VPN client in the Name field such as the client s location or name 4 Enter 0 0 0 0 in the IPSec Gateway Address field 5 Define an Incoming SPI and an Outgoing SPI The SPIs are hexadecimal 0123456789abcedf and can range from 3 to 8 characters in length Alert Each Security Association must have unique SPIs no two Security Associ...

Page 199: ...icking Add New Network automatically updates the VPN configuration and opens the VPN Destination Network window 10 Enter 0 0 0 0 in the Range Start Range End and Destination Subnet Mask for NetBIOS broadcast fields 11 Click Update to add the remote network and close the VPN Destination Network window Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of ...

Page 200: ...Policy box and entering the security policy name Configuring VPN Security and Remote Identity 1 Select Secure in the Network Security Policy box on the right side of the Security Policy Editor window 2 Select IP Subnet in the ID Type menu 3 Enter the SonicWALL LAN IP Address in the Subnet field 4 Enter the LAN Subnet Mask in the Mask field 5 Select All in the Protocol menu to permit all IP traffic...

Page 201: ...t from the Internet Interface menu Select PPP Adapter from the Name menu if you have a dial up Internet connection Select the Ethernet adapter if you have a dedicated cable ISDN or DSL line Configuring VPN Client Security Policy 3 Select Security Policy in the Network Security Policy window 4 Select Use Manual Keys in the Select Phase 1 Negotiation Mode menu 5 Click the next to Security Policy and...

Page 202: ...oposal 1 below Key Exchange Phase 2 2 Select Unspecified in the SA Life menu 3 Select None from the Compression menu 4 Select the Encapsulation Protocol ESP check box 5 Select DES from the Encryption Alg menu 6 Select MD5 from the Hash Alg menu 7 Select Tunnel from the Encapsulation menu 8 Leave the Authentication Protocol AH check box unselected ...

Page 203: ... Key in the ESP Authentication Key field then click OK Configuring Outbound VPN Client Keys 1 Click Outbound Keys An Outbound Keying Material box is displayed 2 Click Enter Key to define the encryption and authentication keys 3 Enter the SonicWALL Incoming SPI in the Security Parameter Index field 4 Select Binary in the Choose key format menu 5 Enter the SonicWALL appliance 16 character Encryption...

Page 204: ...e of icon displayed in the system tray near the system clock Open a command prompt window and ping an address on the remote network The icon should turn green indicating an active connection Verifying the VPN Client Icon in the System Tray The SonicWALL VPN Client icon is displayed in the System Tray if you are running a Windows operating system The icon changes to reflect the current status of yo...

Page 205: ...used to configure a VPN tunnel between two SonicWALLs Manual Key for Two SonicWALLs Click VPN on the left side of the SonicWALL browser window and then click the Configure tab 1 Select Manual Key from the IPSec Keying Mode menu 2 Select Add New SA from the Security Association menu 3 Enter a descriptive name for the Security Association such as Chicago Office or Remote Management in the Name field...

Page 206: ...thentication is not used this field is ignored 9 Click Add New Network to enter the destination network addresses Clicking Add New Network automatically updates the VPN configuration and opens the VPN Destination Network window 10 Enter the beginning IP address of the remote network address range in the Range Start field If NAT is enabled on the remote SonicWALL enter a private LAN IP address Ente...

Page 207: ...nfigure a secure VPN tunnel between the two sites The main office has the following network settings SonicWALL LAN IP address 192 168 11 1 LAN subnet mask 255 255 255 0 WAN router address 209 33 22 1 SonicWALL WAN IP address 209 33 22 2 WAN subnet mask 255 255 255 224 The remote office has the following network settings SonicWALL LAN IP address 192 168 22 222 LAN subnet mask 255 255 255 0 WAN rout...

Page 208: ...nfigure the remote SonicWALL use the following steps 1 Configure the network settings for the firewall using the Network tab located in the General section 2 Click Update and restart the SonicWALL if necessary 3 Click VPN then the Configure tab 4 Create a name for the remote office SA for example Remote Office 5 Enter the main office WAN IP address for the IPSec Gateway Address 6 Enter the Outgoin...

Page 209: ...s SA to access a remote site Default LAN Gateway if specifying the IP address of the default LAN route for incoming IPSec packets for this SA This is used in conjunction with the Route all internet traffic through this SA check box VPN Terminated at LAN DMZ or LAN DMZ select one of the three terminating points for the VPN tunnel 12 Click OK and then click Update ...

Page 210: ...name for the Security Association such as Palo Alto Office or NY Headquarters in the Name field 4 Enter the IP address of the remote SonicWALL in the IPSec Gateway Address field This address must be valid and should be the NAT Public IP Address if the remote SonicWALL uses Network Address Translation NAT Alert If the remote SonicWALL has a dynamic IP address enter 0 0 0 0 in the IPSec Gateway Addr...

Page 211: ...T 12 Enter the subnet mask of the remote network in the Subnet mask field 13 Click Update to add the remote network and close the VPN Destination Network window Once the SonicWALL has been updated a message confirming the update is displayed at the bottom of the browser window 14 Click Advanced Settings and select the boxes that apply to your SA Enable Keep Alive if you want to maintain the curren...

Page 212: ...ct IKE using pre shared secret from the IPSec Keying Mode menu 4 Because the SonicWALL TELE3 does not have a permanent WAN IP address the SonicWALL PRO 200 must authenticate the VPN session by matching the Name of the SA with the TELE3 Unique Firewall Identifier Enter the TELE3 Unique Firewall Identifier in the Name field in this example San Francisco Office 5 Enter the WAN IP address of the remot...

Page 213: ...e remote networks Apply NAT and firewall rules to apply NAT and firewall rules to the SA or just firewall rules if in Standard mode Forward packets to remote VPNs if creating a hub and spoke network configuration Enable Perfect Forward Secrecy if you want to add another layer of security by adding an ad ditional Diffie Hellman key exchange Phase 2 DH Group select the type of DH key exchange in Pha...

Page 214: ...work segment between the two connections Enable Windows Networking NetBIOS broadcast if remote clients use Windows Network Neighborhood to browse remote networks Apply NAT and firewall rules to apply NAT and firewall rules to the SA or just firewall rules if in Standard mode Forward packets to remote VPNs if creating a hub and spoke network configuration Enable Perfect Forward Secrecy if you want ...

Page 215: ...ty Certificates and Local Certificates is a more manual process than using the SonicWALL Authentication Service therefore experience with implementing Public Key Infrastructure PKI is necessary to understand the key components of digital certificates Internet Key Exchange IKE is an important part of IPSec VPN solutions and it can use digital signatures to authenticate peer devices before setting u...

Page 216: ...nto the SonicWALL to validate your Local Certificates Importing CA Certificates into the SonicWALL After your CA service has validated your CA Certificate you can import it into the SonicWALL and use it to validate Local Certificates for VPN Security Associations To import your CA Certificate into the SonicWALL use the following steps 1 Click VPN then CA Certificates 2 Click Browse and locate the ...

Page 217: ...f the certificate is not signed by the CA the Status is Request Generated You can also import the corresponding Signed Certificate in this section Additionally Certificate Signing Requests can be exported and deleted in the Certificate Details section of a Request Generated certificate Certificate Revocation List CRL A Certificate Revocation List CRL is a way to check the validity of an existing c...

Page 218: ...ncrypting data 4 Select a Subject Key size from the from the Subject Key Size menu 5 Not all key sizes are supported by a Certificate Authority therefore you should check with your Certificate Authority for supported key sizes 6 Click Generate to create a certificate file 7 Once the Certificate Signing Request is generated a message describing the result is displayed 8 Click Export to download the...

Page 219: ...ed Name E mail ID or Domain Name from the menu Then cut and paste the information from the Local Certificate into the text field 10 In the Destination Networks section select the type of destination for the VPN tunnel Use this SA as default route for all Internet traffic can be used for only one SA and routes all VPN traffic destined for the WAN through the SA Destination network obtains IP addres...

Page 220: ...t has received the data packets Your administrator supplies the remote IP address that you can use for testing The following steps explain how to ping a remote IP address 1 Locate the Windows Start button in the lower left hand corner of the desktop operating system Click Start then Run and then type Command in the Open filepath box A DOS window opens to the C prompt 2 Type ping then the IP addres...

Page 221: ...an ask you to configure your computer for Windows Networking By configuring your computer for Windows Networking you are able to browse the remote network using Network Neighborhood Before logging into the remote network you must get the following information from your administrator Server Account information including your username and password Domain Name WINS Server IP Address Internal DNS opti...

Page 222: ... box and enter the domain name provided by your administrator into the Windows NT domain text box Select Quick Logon under Network logon options section 4 Click on the Identification tab and enter the domain name provided by your administrator in the Workgroup text box ...

Page 223: ...ess 7 Windows 98 users must restart their computer for the settings to take effect and then log into the remote domain Windows 2000 users should consult their network administrators for instructions to set up the remote domain access If your remote network does not have a network domain server you cannot set up a WINS server and browse the network using Network Neighborhood To access shared resour...

Page 224: ... IP addresses are required to remotely manage both the primary Son icWALL and the backup SonicWALL Alert SonicWALL High Availability does not support dynamic IP address assignment from your ISP Each SonicWALL in the High Availability pair must have the same firmware version installed Each SonicWALL in the High Availability pair must have the same upgrades and subscriptions enabled If the backup un...

Page 225: ...its 2 Turn on the primary SonicWALL unit and wait for the diagnostics cycle to complete Configure all of the settings in the primary SonicWALL before configuring High Availability 3 Click High Availability on the left and begin configuring the following settings for the primary SonicWALL LAN IP Address This is a unique IP address for accessing the primary SonicWALL from the LAN whether it is Activ...

Page 226: ...tween 3 seconds and 255 seconds This interval is the amount of time in seconds that elapses between heartbeats passed between the two SonicWALLs in the High Availability pair 7 Enter the Failover Trigger Level in terms of the number of missed heartbeats Use a value between 2 and 99 missed heartbeats When the backup unit detects this number of consecutive missed heartbeats the backup SonicWALL take...

Page 227: ... message is displayed at the bottom of the screen An error message also appears on the Status tab To view the error message on the Status tab click General on the left side of the browser and then Status at the top of the window To check the backup SonicWALL firmware version or serial number log into the backup SonicWALL click General on the left side of the browser window and then click Status at...

Page 228: ...l are synchronized automatically between the two firewalls If you click Synchronize Now the Backup SonicWall restarts and becomes temporarily unavailable for use as a backup firewall High Availability Status If failure of the primary SonicWALL occurs the backup SonicWALL assumes the primary SonicWALL LAN and WAN IP Addresses There are three primary methods to check the status of the High Availabil...

Page 229: ...ilability Status window you can log into the primary or backup SonicWALL LAN IP Address Click High Availability on the left side of the browser window and then click Configure at the top of the window If the primary SonicWALL is active the first line in the status window above indicates that the primary SonicWALL is currently Active If the backup SonicWALL is active the first line changes to refle...

Page 230: ...s When the primary SonicWALL restarts after a failure it is accessible using the third IP address created during configuration If preempt mode is enabled the primary SonicWALL becomes the active firewall and the backup firewall returns to idle status E mail Alerts Indicating Status Change If you have configured the primary SonicWALL to send E mail alerts you receive alert E mails when there is a c...

Page 231: ...some cases it may be necessary to force a transition from one active SonicWALL to another for example to force the primary SonicWALL to become active again after a failure when Preempt Mode has not been enabled or to force the backup SonicWALL to become active in order to do preventive maintenance on the primary SonicWALL To force such a transition it is necessary to interrupt the heartbeat from t...

Page 232: ...rd Do not change the password on the Backup firewall when it is in Idle con dition Changing the password prevents communication between the firewalls If you are configuring the SonicWALL in Standard mode on the network an additional IP address is necessary for the High Availability configuration Auto Update If Auto Update is enabled for firmware upgrades the Primary SonicWALL should be upgraded fi...

Page 233: ...irus offers a new approach to virus protection by delivering managed anti virus protection over the Internet By combining leading edge anti virus technology from McAfee com with SonicWALL Internet Security Appliances Complete Anti Virus ensures that all the computers on your network have a secure defense against viruses SonicWALL Network Anti Virus provides constant uninterrupted protection by mon...

Page 234: ...d and provides administrators with in depth expert guidance to quickly close up any security holes in a network This subscription based service offers vulnerability assessment scans that can scheduled on a regular basis or run on demand when policies change or new equipment is deployed For more information on the SonicWALL Vulnerability Scanning Service visit http www sonicwall com products vss So...

Page 235: ...hat extends the SonicWALL s ease of administration giving you the tools to manage the security policies of remote distributed networks SonicWALL GMS lets you administer SonicWALLs at your corporate headquarters branch offices and telecommuters from a central location SonicWALL GMS reduces staffing requirements speeds up deployment and lowers delivery costs by centralizing the management and monito...

Page 236: ...conds when an event generates an alert Alarm LED flashes for 10 seconds Alert events are defined in the Log Settings section in Chapter 5 There are three Ethernet ports one for each of the LAN DMZ and WAN ports Link Lights up when a Twisted Pair connection is made to another Ethernet device usually a hub on the port Note that the device connected to the SonicWALL must support the standard Link Int...

Page 237: ... es Powers the SonicWALL on and off Power Input s Connects the SonicWALL to power input The use of an Uninterruptible Power Supply UPS is strongly recommended to protect the SonicWALL against damage or loss of data due to electrical storms power failures or power surges The PRO 330 has dual supply inputs Cooling Vents The SonicWALL is convection cooled an internal fan is not necessary Do not block...

Page 238: ...ests take about 90 seconds If the Test LED remains lit after this time the software is corrupt and must be reinstalled Alarm Lights up and flashes for 10 seconds when an event generates an alert Alarm LED flashes for 10 seconds Alert events are defined in the Log Settings section in Chapter 5 There are three Ethernet ports one for each of the LAN DMZ and WAN ports Link Lights up when a Twisted Pai...

Page 239: ...port for Command Line Interface support Reset Switch Resets the SonicWALL PRO 200 or the SonicWALL PRO 300 to its factory clean state This can be required if you forget the administrator password or the SonicWALL firmware has become corrupt Power Input Connects the SonicWALL to power input The use of an Uninterruptible Power Supply UPS is strongly recommended to protect the SonicWALL against damag...

Page 240: ... and must be reinstalled There are three Ethernet ports one for each of the LAN DMZ and WAN ports Link Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch or directly connected to a computer Note that the connected Ethernet device must support the standard Link Integrity test 100 Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch or dire...

Page 241: ...100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks The Ethernet ports connect the SonicWALL PRO 100 to the LAN DMZ and WAN using Twisted Pair cable with RJ45 connectors Power Input Connects to the external power supply that is provided with the SonicWALL PRO 100 The use of an Uninterruptible Power Supply UPS is recommended to protect the SonicWALL PRO 100 agai...

Page 242: ...ted to a computer Note that the connected Ethernet device must support the standard Link Integrity test 100 Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch or directly connected to a computer with a 100Mbps network interface Activity Flashes when the SonicWALLTELE3 SP transmits or receives a packet through the Twisted Pair port Test Lights up when the SonicWALL TELE3 S...

Page 243: ...cWALL TELE3 SP using a v 90 v 92 US Robotics external modem or a null modem cable 2 Twisted Pair 10Base T 100Base T Ethernet Ports 2 Auto switching 10Mbps 100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks The Ethernet ports connect the SonicWALL TELE3 SP to the LAN and WAN using Twisted Pair cable with RJ45 connectors TELE3 SP Modem Port A V 90 internal modem...

Page 244: ... be reinstalled There are three Ethernet ports one for each of the WorkPort HomePort and WAN ports Link Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch or directly connected to a computer Note that the connected Ethernet device must support the standard Link Integrity test 100 Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch or dir...

Page 245: ...nectivity for both Ethernet and Fast Ethernet networks The Ethernet ports connect the SonicWALL TZ to the LAN DMZ and WAN using Twisted Pair cable with RJ45 connectors Power Input Connects to the external power supply that is provided with the SonicWALL TZ The use of an Uninterruptible Power Supply UPS is recommended to protect the SonicWALL TZ against damage or loss of data due to electrical stor...

Page 246: ...rrupt and must be reinstalled There are three Ethernet ports one for each of the LAN DMZ and WAN ports Link Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch or directly connected to a computer Note that the connected Ethernet device must support the standard Link Integrity test 100 Lights up when the Twisted Pair port is connected to a 100Mbps hub or switch or...

Page 247: ...uto switching 10Mbps 100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks The Ethernet ports connect the SonicWALL TZX to the WorkPort HomePort and WAN using Twisted Pair cable with RJ45 connectors Power Input Connects to the external power supply that is provided with the SonicWALL TZX The use of an Uninterruptible Power Supply UPS is recommended to protect the...

Page 248: ...se tests take about 90 seconds If the Test LED remains lit after this time the software is corrupt and must be reinstalled There are two Ethernet ports one of the following for the LAN and WAN ports Link Lights up when the Twisted Pair port is connected to a 10Mbps or 100Mbps hub or switch or directly connected to a computer Note that the connected Ethernet device must support the standard Link In...

Page 249: ...Ethernet Ports 2 Auto switching 10Mbps 100Mbps Ethernet ports provide connectivity for both Ethernet and Fast Ethernet networks The Ethernet ports connect the SonicWALL to the LAN and WAN using Twisted Pair cable with RJ45 connectors Power Input Connects to the external power supply which is provided with the SonicWALL SOHO3 and the SonicWALL TELE3 The use of an Uninterruptible Power Supply UPS is...

Page 250: ...up when the SonicWALL is powered up and performing diagnostic tests for proper operation These tests take up to 5 minutes If the Test LED remains lit after this time the firmware is corrupt and must be reinstalled Serial Port DB 9 RS 232 Serial port for a modem or null modem cable to support Command Line Interface Management There are three network interfaces on the GX 250 and GX 650 from left to ...

Page 251: ...bit networks Before inserting the cables into the network ports on the fiber optics card remove the plug from the ports The 1000Base SX interface has the following LED lights Transmit TX The TX light is lit when the network is transmitting data over the network connection Receive RX The RX light is lit when data is received over the network connection Link The Link LED indicates that the interface...

Page 252: ...0 60 Hz Power Switches One power switch for each hot swappable power supply module The audible alarm sounds if only one power supply is functioning Alarm Reset Button The Alarm Reset button resets the audible alarm Cooling Vents The SonicWALL is convection cooled and has an internal fan that is not crucial to the function of the GX but provides additional cooling to the unit Do not block the cooli...

Page 253: ...e SonicWALL authentication screen does not appear check for Ethernet connectivity problems Confirm that the computer without Internet access is assigned an IP address in the correct subnet Make sure that the SonicWALL is powered on and responsive If a computer can access the SonicWALL Management Interface but cannot view Web sites then check DNS configuration of the computer Try restarting your In...

Page 254: ...achines on the WAN are not reachable Make sure the Intranet settings in the Advanced section are correct If these suggestions don t help please take a look at the current FAQ Frequently Asked Questions and Troubleshooting Guide on the SonicWALL Web site http www sonicwall com support VPN tunnel problems Document your VPN layout Did you draw out the design before setting it up VPNs are a routed net...

Page 255: ...5 x 1 75 17 x 10 36 x 1 75 19 x 8 875 x 1 75 17 x10 36 x 1 75 Weight 1 1 lbs 0 48 kg 1 1 lbs 0 48 kg 1 1 lbs 0 48 kg 6 0 lbs 2 7 kg 7 3 lbs 3 32 kg 6 0 lbs 2 7 kg 7 8 lbs 3 54 kg Power 100V to 240V AC 100V to 240V AC 100V to 240V AC 100V to 240V AC 100V to 240V AC 100V to 240V AC 100V to 240V AC TELE3 SP TELE3 TZ TELE3 TZX GX250 GX650 Processor 133 MHz Toshiba TX3927 with security ASIC 133 MHz Tos...

Page 256: ...experience in networking and Internet security They are also supported by the best in class tools and processes that ensure a quick and accurate solution to your problem SonicWALL Support Offers Warranty Support North America and International SonicWALL products are recognized as extremely reliable as well as easy to configure install and manage SonicWALL Warranty Support enhances these features w...

Page 257: ...technical support experts help solve your problems or answer your questions quickly reducing your risk of Internet attack Knowledge Base Instant access to solutions and documentation provides answers to questions and solves problems electronically Firmware Software Upgrades Automatic firmware and software upgrades give instant access to new features and capabilities allowing you to extend your Int...

Page 258: ...ent of failing hardware returned to the SonicWALL factory for a period of year following the date of purchase Upon diagnosis of a hardware failure a SonicWALL technical specialist issues an RMA number and provides instructions for returning the hardware to SonicWALL SonicWALL ships a replacement appliance to you based upon the RMA information Upon receipt of the failed appliance SonicWALL ships a ...

Page 259: ...f purchase Upon diagnosis of a hardware failure a SonicWALL technical specialist issues an RMA number and provides instructions for returning the hardware to SonicWALL Upon receipt of the failed appliance SonicWALL ships a fully functional appliance The replacement appliance is equivalent to a new appliance SonicWALL does not accept failed appliances without a valid RMA number Software Firmware Up...

Page 260: ...cialist issues an RMA number and provides instructions for returning the hardware to SonicWALL SonicWALL ships a replacement appliance to you based upon the RMA information You are responsible for returning the failed appliance to SonicWALL with 30 days or be charged for the full replacement cost SonicWALL does not accept failed appliances without a valid RMA number Software Firmware Support Sonic...

Page 261: ...e failure a SonicWALL technical specialist issues an RMA number and provides instructions for returning the hardware to SonicWALL Upon receipt of the failed appliance SonicWALL ships a fully functional replacement appliance to you The replacement appliance is equivalent to a new appliance SonicWALL does not accept failed appliances without a valid RMA number Software Firmware Support SonicWALL log...

Page 262: ...ort where the network cable is connected Network Types LAN stands for Local Area Network Local area refers to a network in one location Local Area Networks connect computers and devices close to each other such as on one floor of a building one building or a campus LANs can connect as few as two computers or as many as 100 computers WAN Wide Area Network connects LANs together The networks that ma...

Page 263: ...e such as www sonicwall com instead of an IP address such as 192 168 168 168 to access a computer DHCP Dynamic Host Configuration Protocol DHCP allows communication between network devices and a server that administers IP numbers A DHCP server leases IP addresses and other TCP IP information to DHCP client that requests them Typically a DHCP client leases an IP address for a period of time from a ...

Page 264: ...ires the entire number when communicating with other devices There are three classes of IP addresses A B and C Like a main business phone number that one can call and then be transferred through interchange numbers to an individual s extension number the different classes of IP addresses provide for varying levels of interchanges or subnetworks and extensions or device numbers The classes are base...

Page 265: ...een different subnetworks unless addressed to travel there While this helps to keep overall network traffic more manageable it also introduces another level of complexity To communicate with a device on another network one must go through a gateway that connects the two networks Therefore users must know the default gateway IP address If there is no gateway in the network use an IP address of 0 0 ...

Page 266: ...not the number of simultaneous connections to the Internet If you have fewer than the maximum number of computers or other devices on your LAN but it appears that the IP license limit is exceeded download a Tech Support Report and review the devices with IP addresses Rogue devices such as printers are filling up the SonicWALL IP address limit Tech Support Reports are explained in the Tools chapter...

Page 267: ...ses or by programs executed by privileged users Many popular services such as Web FTP SMTP POP3 e mail DNS etc operate in this port range The assigned ports use a small portion of the possible port numbers For many years the assigned ports were in the range 0 255 Recently the range for assigned ports managed by the IANA has been expanded to the range 0 1023 Registered Port Numbers Registered Ports...

Page 268: ...agement Station s current TCP IP settings If the Management Station accesses the Internet through an existing broadband connection then the TCP IP settings can be helpful when configuring the IP settings of the SonicWALL Windows 98 1 From the Start list highlight Settings and then select Control Panel 2 Double click the Network icon in the Control Panel window 3 Double click TCP IP in the TCP IP P...

Page 269: ...ouble click TCP IP in the TCP IP Properties window 4 Select the Specify an IP Address radio button 5 Enter 192 168 168 200 in the IP Address field 6 Enter 255 255 255 0 in the Subnet Mask field 7 Click DNS at the top of the window 8 Enter the DNS IP address in the Preferred DNS Server field If you have more than one address enter the second one in the Alternate DNS server field 9 Click OK and then...

Page 270: ...ouble click Internet Protocol TCP IP to open the TCP IP properties window 5 Select Use the following IP address and enter 192 168 168 200 in the IP address field 6 Enter 255 255 255 0 in the Subnet mask field 7 Enter the DNS IP address in the Preferred DNS Server field If you have more than one address enter the second one in the Alternate DNS server field 8 Click OK then OK again 9 Click Close to...

Page 271: ... Protocol TCP IP to open the Internet Protocol TCP IP Properties window 3 Select Use the following IP address and enter 192 168 168 200 in the IP address field 4 Enter 255 255 255 0 in the Subnet Mask field 5 Enter the DNS IP address in the Preferred DNS Server field If you have more than one address enter the second one in the Alternate DNS server field ...

Page 272: ...anel and then choose TCP IP to open the TCP IP Control Panel 2 From the Configure list choose Manually 3 Enter 192 168 168 200 in the IP address field 4 Enter the Subnet Mask address in the Subnet Mask field 5 Click OK Follow the SonicWALL Installation Wizard instructions to perform the initial setup of the SonicWALL ...

Page 273: ... length but typically consist of 16 or 32 characters The longer the key the more difficult it is to break the encryption Asymmetric vs Symmetric Cryptography Asymmetric and symmetric cryptography refer to the keys used to authenticate or encrypt and decrypt the data Asymmetric cryptography or public key cryptography uses two keys for verification Organizations such as RSA Data Security and Verisig...

Page 274: ...ve but unclassified materials by U S Government agencies It may eventually become the standard encryption method for commercial transactions in the private sector As a potential replacement for DES and possible 3DES AES is a symmetric algorithm which means it uses the same key for encryption and decryption and block encryption 128 bits in size The algorithm supports key sizes of 128 192 and 256 bi...

Page 275: ...ing requirements of VPN and also increases the communications latency The increased latency is primarily due to the calculation of the authentication data by the sender and the calculation and comparison of the authentication data by the receiver for each IP packet containing an Authentication Header ...

Page 276: ... and is comprised of hexadecimal characters Valid hexadecimal characters are 0 to 9 and a to f inclusive 0 1 2 3 4 5 6 7 8 9 a b c d e f For example a valid key would be 1234567890abcdef Strong Encryption Triple DES Strong Encryption or Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is dramatically more secure than DES and is considered to be virtually unbreakable b...

Page 277: ...e reset button that is not recessed on the back of the unit follow the procedure below to locate the blue reset button If your SonicWALL DMZ unit has a circular reset button that is recessed in the back of the unit then it s an older DMZ model and you should follow the procedure for locating the reset button inside the unit Erasing the Firmware for all Models 1 Turn off the SonicWALL and disconnec...

Page 278: ... tightened to ensure secure installation Choose a mounting location where all four mounting holes line up with those of the mounting bars of the 19 inch rack mount cabinet Mount in a location away from direct sunlight and sources of heat A maximum ambient temper ature of 104º F 40º C is recommended Route cables away from power lines fluorescent lighting fixtures and sources of noise such as radios...

Page 279: ...RADIUS server version 3 0 from Funk Software supports pre configuration of vendor specific attributes in a vendor specific dictionary file SonicWALL dct is the new dictionary file for the SonicWALL To configure the Steel Belted RADIUS server to include the SonicWALL dct file use the following instructions 1 Locate the directory that Steel Belted RADIUS is installed C RADIUS by default and copy the...

Page 280: ... on the server It also only allows one vendor specific attribute to be set per profile and only support vendor specific attributes containing ASCII text User privileges are added manually using the following instructions 1 Open the ACE Server Database Administrator program 2 Select Edit Profiles from the menu and select the profile to be configured with user privileges Click OK 3 From the Availabl...

Page 281: ...t 3 Click Edit Profile and then click Advanced Click Add 4 Select Vendor Specific from the list and click Add The Multivalued Attribute Information box appears 5 Click Add The Vendor Specific Attribute Information box appears 6 Click Enter Vendor Code and enter 8741 as the vendor code 7 Click Yes It conforms and then click Configure Attribute The Configure VSA RFC compliant window appears 8 Enter ...

Page 282: ...Appendices Page 283 RADIUS Attributes Dictionary The following is the RADIUS dictionary in the format used with Funk Software s Steel Belted RADIUS server ...

Page 283: ...Page 284 SonicWALL Internet Security Appliance Administrator s Guide Notes ...

Page 284: ...Appendices Page 285 Notes ...

Page 285: ...Page 286 SonicWALL Internet Security Appliance Administrator s Guide Notes ...

Page 286: ...Appendices Page 287 Notes ...

Page 287: ...Page 288 SonicWALL Internet Security Appliance Administrator s Guide Notes ...

Page 288: ...Appendices Page 289 Notes ...

Page 289: ...st 218 Choose a diagnostic tool 120 Clear Log Now 94 Client Default Gateway 174 Cold Start Trap 145 Configuration 151 Configuration Changes 228 Configuring High Availability 226 Configuring N2H2 Internet Filtering 107 Configuring Websense Enterprise Content Filter 110 Connect using Secure Gateway Tunnel 201 Consent 105 Consent page URL 105 Content Filter List 16 88 Content Filter List Subscription...

Page 290: ...en Domains 103 Forcing Transitions 232 Front Panel 243 Functional Diagram 14 G General 76 Global IPSec Settings 178 Global Management System 236 Global User Settings 139 Group VPN 177 193 Guaranteed Bandwidth 133 H Hash Alg 203 heartbeat 227 Heartbeat Interval 227 heartbeats 225 High Availability 225 High Availability Status 229 I ICSA 15 IKE Configuration between Two SonicWALLs 211 IKE using Cert...

Page 291: ...Keys 204 Outgoing SPI 185 199 204 P Packet Trace 123 Phase 1 DH Group 182 183 Ping 122 Ping of Death 15 Preempt mode 227 Preferences 115 Pre Shared Key 196 Pre Shared Secret 196 private key 218 Protocol 201 Proxy Web Server Port 149 Public LAN Server 129 R RADIUS Client Test 144 RADIUS Servers 143 RADIUS Users 144 Randomize IP ID 129 Relay IP address 170 Remote Management 145 Reports 96 Reset Data...

Page 292: ...Updating Firmware 117 Upgrade Key 119 URL List 101 Use Aggressive Mode 187 User Activity 95 Users 139 V View Data 97 View Log 91 232 ViewPoint 236 VPN 17 VPN Client 17 234 VPN Client Configuration File 194 VPN Destination Network 200 VPN Interface 178 VPN Logging 177 VPN Tunnel 177 274 Vulnerability Scanning Service 235 W WAN Gateway Router Address 24 WAN IP Address 24 WAN Settings 78 WAN DMZ Subn...

Page 293: ...ames mentioned herein may be trademarks and or registered trademarks of their respective companies Specifications and descriptions subject to change with out notice T 408 745 9600 F 408 745 9300 www sonicwall com SonicWALL Inc 1143 Borregas Avenue Sunnyvale CA 94089 1306 P N 232 000291 01 Rev A 11 02 ...