SonicWALL SonicOS Enhanced 2.2, Administrator'S Manual

Page 1: ...COMPREHENSIVE INTERNET SECURITY SonicWALL Internet Security Appliances SonicOS Enhanced 2 2 Administrator s Guide...

Page 2: ...L Products and Services 5 Initial Configuration Using the Wizards 7 Internet Connectivity Using the Setup Wizard 7 Configuring a Static IP Address with NAT Enabled 7 Setup Wizard 8 Step 1 Change Passw...

Page 3: ...NAT with PPTP Client 25 Step 5 LAN Settings 25 Step 6 DHCP Server 26 Step 7 SonicWALL Configuration Summary 26 Storing SonicWALL Configuration 27 Setup Wizard Complete 27 Configuring a Public Server w...

Page 4: ...are Management Table 44 Updating Firmware Manually 45 Creating a Backup Firmware Image 45 SafeMode Rebooting the SonicWALL 45 System Information 46 Firmware Management 46 FIPS PRO 3060 PRO 4060 47 Sys...

Page 5: ...ilover 62 Network Zones 63 Adding a New Zone 64 Modifying a Zone 64 Network DNS 65 Network Address Objects 65 Default Address Objects and Groups 66 SonicWALL TZ 170 66 Default Address Objects 66 Defau...

Page 6: ...83 Editing an IP Helper Policy 83 Deleting IP Helper Policies 83 Network Web Proxy 83 Configuring Automatic Proxy Forwarding Web Only 84 Bypass Proxy Servers Upon Proxy Failure 84 Firewall 85 Using B...

Page 7: ...97 VPN Global Settings 97 VPN Policies 98 Currently Active VPN Tunnels 98 Configuring Group VPN on the SonicWALL 98 Configuring GroupVPN with IKE using Preshared Secret 98 General 99 Proposals 99 Adv...

Page 8: ...igital Certificates 123 Overview of X 509 v3 Certificates 123 SonicWALL Third Party Digital Certificate Support 124 VPN Local Certificates 124 Importing Certificate with Private Key 124 Certificate De...

Page 9: ...Forcing Transitions 141 Configuration Notes 141 Monitoring Links 142 Security Services 143 Security Services Summary 144 Security Services Summary 144 Manage Services Online 144 If Your SonicWALL is...

Page 10: ...pection Architecture Works 155 SonicWALL IPS Terminology 156 SonicWALL IPS Activation 157 mySonicWALL com 157 Activating SonicWALL IPS 157 Activating the SonicWALL IPS FREE TRIAL 158 Log 159 Log View...

Page 11: ...e 167 Internet Security Expertise 167 SonicWALL Support Programs 167 Warranty Support North America and International 167 Appendix B Configuring the Management Station TCP IP Settings 168 Windows 98 1...

Page 12: ...Limited Warranty SonicWALL Inc warrants that commencing from the delivery date to Customer but in any case commencing not more than ninety 90 days after the original shipment by SonicWALL and continu...

Page 13: ...ove fails of its essential purpose DISCLAIMER OF LIABILITY SONICWALL S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY IN NO EVENT SHALL SONICWALL OR...

Page 14: ...g policy based BNAT object based management a multi level administrator GUI and enhanced VPN functionality SonicOS Enhanced is standard on the SonicWALL PRO 4060 and available as an upgrade on the Son...

Page 15: ...ment Interface when you click OK the settings are automatically applied to the SonicWALL Getting Help Each SonicWALL includes Web based online help available from the Management Interface Clicking the...

Page 16: ...to create a VPN tunnel between two SonicWALLs and creating a VPN tunnel from the VPN client to the SonicWALL Chapter 7 Users describes the configuration of user level authentication as well as the set...

Page 17: ...resolution of technical support questions visit SonicWALL on the Internet at http www sonicwall com services support html Web based resources are available to help you resolve most technical issues o...

Page 18: ...html for the latest technical support telephone numbers More Information on SonicWALL Products and Services Contact SonicWALL Inc for information about SonicWALL products and services at Web http www...

Page 19: ...Page 6 SonicWALL SonicOS Standard Administrator s Guide...

Page 20: ...Interface Configuring a Static IP Address with NAT Enabled Using NAT to set up your SonicWALL eliminates the need for public IP addresses for all computers on your LAN It is a way to conserve IP addre...

Page 21: ...ell as Netscape Navigator 4 0 and above meet these criteria 1 Click the Setup Wizard button on the Network Settings page Read the instructions on the Welcome window and click Next to continue Step 1 C...

Page 22: ...network information necessary to configure the SonicWALL to access the Internet Click the hyperlinks for definitions of the networking terms You can choose Static IP if your ISP assigns you a specific...

Page 23: ...es Click Next Step 5 LAN Settings 7 The LAN page allows the configuration of the SonicWALL LAN IP Addresses and the LAN Subnet Mask The SonicWALL LAN IP Addresses are the private IP address assigned t...

Page 24: ...rver and specify the range of IP addresses that are assigned to computers on the LAN If Disable DHCP Server is selected you must configure each computer on your network with a static IP address on you...

Page 25: ...de Storing SonicWALL Configuration Setup Wizard Complete 10 The SonicWALL stores the network settings 11 Click Restart to restart the SonicWALL The SonicWALL takes approximately 90 seconds or longer t...

Page 26: ...ew days When the lease is ready to expire the client contacts the server to renew the lease This is a common network configuration for customers with cable or DSL modems You are not assigned a specifi...

Page 27: ...ime Zone 4 Select the appropriate Time Zone from the Time Zone menu The SonicWALL internal clock is set automatically by a Network Time Server on the Internet Click Next Step 3 WAN Network Mode 5 Sele...

Page 28: ...k Mode NAT with DHCP Client 6 The Obtain an IP address automatically window states that the ISP dynamically assigns an IP address to the SonicWALL To confirm this click Next DHCP based configurations...

Page 29: ...ings 8 The Optional SonicWALL DHCP Server window configures the SonicWALL DHCP Server If enabled the SonicWALL automatically assigns IP settings to computers on the LAN To enable the DHCP server selec...

Page 30: ...up Wizard Complete 10 Click Restart to restart the SonicWALL The SonicWALL takes 90 seconds to restart During this time the yellow Test LED is lit Tip The new SonicWALL LAN IP address displayed in the...

Page 31: ...ypically found when using a DSL modem with an ISP requiring a user name and password to log into the remote server The ISP may then allow you to obtain an IP address automatically or give you a specif...

Page 32: ...Zone menu The SonicWALL internal clock is set automatically by a Network Time Server on the Internet Click Next Step 3 WAN Network Mode 5 The SonicWALL automatically detects the presence of a PPPoE se...

Page 33: ...k Next Step 5 LAN Settings 7 The LAN Settings page allows the configuration of SonicWALL LAN IP Addresses and LAN Subnet Mask The SonicWALL LAN IP Address is the private IP address assigned to the LAN...

Page 34: ...range of IP addresses that are assigned to computers on the LAN If Disable DHCP Server is selected you must configure each computer on your network with a static IP address on your LAN Click Next Ste...

Page 35: ...manage the SonicWALL Setup Wizard Complete 10 Click Restart to restart the SonicWALL 11 The SonicWALL takes approximately 90 seconds or longer to restart During this time the yellow Test LED is lit Co...

Page 36: ...the Setup Wizard button on the Network Settings page 2 Read the instructions on the Welcome window and click Next to continue Step 1 Change Password 3 To set the password enter a new password in the...

Page 37: ...one 4 Select the appropriate Time Zone from the Time Zone menu The SonicWALL internal clock is set automatically by a Network Time Server on the Internet Click Next Step 3 WAN Network Mode 5 Select PP...

Page 38: ...AN Settings page allows the configuration of SonicWALL LAN IP Addresses and LAN Subnet Mask The SonicWALL LAN IP Address is the private IP address assigned to the LAN port of the SonicWALL The LAN Sub...

Page 39: ...addresses that are assigned to computers on the LAN If Enable DHCP Server is not selected you must configure each computer on your network with a static IP address on your LAN Click Next Step 7 Sonic...

Page 40: ...w Test LED is lit Configuring a Public Server with the Wizard The Public Server Wizard steps you through adding a public server to your network and automates the following configuration steps Server A...

Page 41: ...Access Rules The wizard creates an access policy allowing traffic from the WAN zone to the zone where the new server resides Create the Server with the Public Server Wizard 1 Start wizard In the navig...

Page 42: ...rivate IP address of the server Specify an IP address in the range of addresses assigned to zone where you want to put this server The Public Server Wizard will automatically assign the server to the...

Page 43: ...erver in the example used the default WAN IP address for the Server Public IP Address the wizard states that it will use the existing WAN address object when constructing poli cies between the new ser...

Page 44: ...side your network addressed to the WAN IP address back to the address of the mail server Server Access Rules The wizard creates an access policy allowing all mail traffic service traffic from the WAN...

Page 45: ...Page 32 SonicWALL SonicOS Standard Administrator s Guide...

Page 46: ...ing information is displayed in this section Model type of SonicWALL product Serial Number also the MAC address of the SonicWALL Authentication Code the alphanumeric code used to authenticate the Soni...

Page 47: ...can create a mySonicWALL com account directly from the SonicWALL Management Interface You can manually register your SonicWALL at the mySonicWALL com site using the Serial Number and Authentication C...

Page 48: ...ment interface for increased ease of use and simplified services activation Tip For more information on mySonicWALL com access the online help available at https www mysonicwall com Note mySonicWALL c...

Page 49: ...ot Licensed or no longer active Expired The number of nodes users allowed for the license is displayed in the Count column The information listed in the Security Services Summary table is updated from...

Page 50: ...vices Online page is displayed with licensing information from your mySonicWALL com account Manual Upgrade Manual Upgrade allows you to activate your services by typing the service activation key supp...

Page 51: ...an new administrator name type the new name in the Administrator Name field Click Apply for the changes to take effect on the SonicWALL Changing the Administrator Password To set the password Type th...

Page 52: ...include the port number when you use the IP address to log into the SonicWALL For example if you configure the port to be 76 then you must type LAN IP Address 76 into the Web browser i e http 192 168...

Page 53: ...least one IP address or host name but up to four addresses or host names can be used 7 Click OK Configuring Log Log Settings for SNMP Trap messages are generated only for the alert message categories...

Page 54: ...NAT Device IP Address field The default VPN policy settings are displayed at the bottom of the Configure GMS Settings window Existing Tunnel If this option is selected the GMS server and the SonicWALL...

Page 55: ...e and automatically update the time choose the time zone from the Time Zone menu The Use NTP to set time automatically is activated by default to use the NTP Network Time Protocol to set time automati...

Page 56: ...the SonicWALL configuration click Add The Add NTP Server window is displayed Type the IP address of an NTP server in the NTP Server field Click Ok Then click Apply on the System Time page to update t...

Page 57: ...e To receive automatic notification of new firmware select the Notify me when new firmware is available check box If you enable this feature the SonicWALL sends a status message to the SonicWALL firmw...

Page 58: ...me corrupted Updating Firmware Manually Click Upload New Firmware to upload new firmware to the SonicWALL The Upload Firmware window is displayed Browse to the firmware file located on your local driv...

Page 59: ...firmware images are listed Current Firmware firmware currently loaded on the SonicWALL Current Firmware with Factory Default Settings rebooting using this firmware image resets the SonicWALL to its de...

Page 60: ...PS When you check this setting a dialog box is displayed with the following message Warning Modifying the FIPS mode will disconnect all users and restart the device Click OK to proceed Click Clicking...

Page 61: ...configuration problems Ping The Ping test bounces a packet off a machine on the Internet and returns it to the sender This test shows if the SonicWALL is able to contact the remote host If users on t...

Page 62: ...SonicWALL configuration or if there is a problem on the Internet Select Packet Trace from the Diagnostic tool menu Tip Packet Trace requires an IP address The SonicWALL DNS Name Lookup tool can be us...

Page 63: ...s to the corresponding MAC or physical addresses DHCP Bindings saves entries from the SonicWALL DHCP server IKE Info saves current information about active IKE configurations Generating a Tech Support...

Page 64: ...e restarted from the Web Management interface Click Restart SonicWALL and then click Yes to confirm the restart The SonicWALL takes approximately one minute to restart and the yellow Test light is lit...

Page 65: ...Page 52 SonicWALL SonicOS Standard Administrator s Guide...

Page 66: ...configure static and dynamic routing by interface NAT Policies create NAT policies including One to One NAT Many to One NAT Many to Many NAT or One to Many NAT ARP view the ARP settings and clear the...

Page 67: ...are configured the names are listed in this column IP Address IP address assigned to the interface Subnet Mask the network mask assigned to the subnet IP Assignment you can select from DHCP or Static...

Page 68: ...tions enabled by default Click OK 3 Enter the IP address and subnet mask of the Zone in the IP Address and Subnet Mask fields 4 Enter any optional comment text in the Comment field This text is displa...

Page 69: ...n you choose from the IP Assignment menu complete the corresponding fields that are displayed after selecting the option Static configures the SonicWALL for a network that uses static IP addresses DHC...

Page 70: ...r Login Inactivity Disconnect minutes Obtain IP Address Automatically Specify IP Address Obtain DNS Server Address Automatically Specify DNS Server PPTP User Name User Password PPTP Server IP Address...

Page 71: ...the Advanced tab The Ethernet Settings section allows you to manage the Ethernet settings of links connected to the SonicWALL Auto Negotiate is selected by default as the Link Speed because the Ethern...

Page 72: ...available bandwidth for this interface in Kbps NAT Policy Settings Selecting Create default NAT Policy automatically translates the Source Address of packets from the Default LAN to your new WAN Inte...

Page 73: ...rface after _ missed intervals enter a number between 1 and 10 The default value is 3 If the default value is used then the interface is considered inactive after 3 successive attempts at 5 seconds ea...

Page 74: ...et is unable to contact the target device the interface is deactivated and traffic is no longer sent to the primary WAN WAN Load Balancing Statistics The WAN Load Balancing Statistics table displays t...

Page 75: ...es Selecting Percentage based as the Outbound Load Balancing Method allows you to specify the percentages of network traffic sent through the primary and secondary WAN interfaces This method allows yo...

Page 76: ...i e the WAN is restricted to two Zone instances The Encrypted Zone type is a special system Zone comprising all VPN traffic and doesn t have any associated interfaces Trusted and Public Zone types of...

Page 77: ...t Filtering Service to enforce Internet content filtering on the Zone Note Custom Content Filtering Service policies are specified in the Users Local Groups page 4 Select Enforce AV Service to enforce...

Page 78: ...into the DNS Server fields To use the DNS Settings configured for the WAN Zone select Inherit DNS Settings Dynamically from the WAN Zone Network Address Objects An Address Object consists of a host a...

Page 79: ...s Objects view displays the default Address Objects and Address Groups for your SonicWALL The Default Address Objects entries cannot be modified or deleted Therefore the Notepad Edit and Trashcan dele...

Page 80: ...WAN Management IP SonicWALL PRO 3060 4060 Default Address Objects LAN Primary IP LAN Primary Subnet WAN Primary IP WAN Primary Subnet X2 IP X2 Subnet X3 IP X3 Subnet X4 IP X4 Subnet X5 IP X5 Subnet De...

Page 81: ...you selected Network enter the network IP address and netmask in the Network and Netmask fields 6 Select the zone to assign to the Address Object from the Zone Assignment menu You can choose LAN WAN D...

Page 82: ...finance from network traffic on the rest of the LAN DMZ or WAN Static Routes Static Routes are configured when network traffic is directed to subnets located behind routers on your network Static Rou...

Page 83: ...ss that is the SonicWALL LAN IP address Route Advertisement The SonicWALL uses RIPv1 or RIPv2 to advertise its static and dynamic routes to other routers on the network Changes in the status of VPN tu...

Page 84: ...as a result of temporary change in the VPN tunnel status 7 Enter the number of advertisements that a deleted route broadcasts until it stops in the Deleted Route Advertisements 0 99 field The default...

Page 85: ...5 5 required for the web server s responses to get back to the computer with the web browser This default NAT policy for outbound traffic is explained in detail later You can create customized NAT po...

Page 86: ...mary IP in either Custom Policies or All Policies It translates any source to the WAN Primary IP as the traffic goes out to the Internet The Destination and Service are not translated The default poli...

Page 87: ...osen make the interfaces accessible by ping SNMP HTTP and or HTTPS or if they have enabled GroupVPN or other VPN configurations which use IKE Key Exchange The figure below shows how your System Polici...

Page 88: ...re used server_IP_private and server_IP_Public Creating an Outbound Traffic Policy To configure a One to One NAT Policy follow these steps 1 Click the Add button under the NAT Policies table to displa...

Page 89: ...ARP is a broadcast protocol that can create excessive amounts of network traffic on your network To minimize the broadcast traffic an ARP cache is maintained to store and reuse previously learned ARP...

Page 90: ...and DNS server addresses to the computers on your network Enabling DHCP Server To enable the DHCP Server feature on the SonicWALL select Enable DHCP Server and click Configure The DHCP Server Configur...

Page 91: ...default IP address is appropriate for most networks 5 Type the last IP address in the Range End field If there are more than 25 computers on your network type the appropriate ending IP address in the...

Page 92: ...d type the IP address of your DNS Server in the DNS Server 1 field You can specify two additional DNS servers 14 If you have WINS running on your network type the WINS server IP address es in the WINS...

Page 93: ...is displayed General 2 In the General page make sure the Enable this DHCP Range is checked if you want to enable this range 3 Select the interface from the Interface menu The IP addresses are in the...

Page 94: ...ailable 12 If you do not want to use the SonicWALL network settings select Specify Manually and type the IP address of your DNS Server in the DNS Server 1 field You can specify two additional DNS serv...

Page 95: ...available for each interface or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself The IP Helper also allows NetBIOS broadcasts to be forwarded with DHCP client requ...

Page 96: ...dow Deleting IP Helper Policies Click the Trashcan icon to delete the individual IP Helper policy entry Click the Delete button to delete all the selected IP Helper policies in the IP Helper Policies...

Page 97: ...he Proxy Servers if a failure occurs select the Bypass Proxy Servers Upon Proxy Server Failure check box 5 Select Forward DMZ Client Requests to Proxy Server if you have clients configured on the DMZ...

Page 98: ...le a rule that blocks IRC traffic takes precedence over the SonicWALL default setting of allowing this type of traffic Alert The ability to define Network Access Rules is a very powerful tool Using cu...

Page 99: ...nd LAN WAN VPN or other interface in the To column Select the Notepad icon in the table cell to view the rules Drop down Boxes displays two pull down menus From Zone and To Zone Select an interface fr...

Page 100: ...to less specific at the bottom of the table At the bottom of the table is the Any rule The Default rule is all IP services except those listed in the Access Rules page Rules can be created to override...

Page 101: ...ys the Add Service window or Add Service Group window 4 Select the source of the traffic affected by the rule from the Source list Selecting Create New Network displays the Add Address Object window 5...

Page 102: ...14 Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field Tip Rules using Bandwidth Management take priority over rules without bandwidth management 15...

Page 103: ...Select Always from the Schedule menu to ensure continuous enforcement 9 Click OK Editing a Rule Click the Notepad icon to display the Edit Rule window which includes the same settings as the Add Rule...

Page 104: ...ws Messenger on the Windows XP Enable SIP Transformations Select this option to transform SIP messaging from LAN trusted to WAN untrusted You need to check this setting when you want the SonicWALL to...

Page 105: ...o support on demand delivery of real time data such as audio and video RTSP Real Time Streaming Protocol is an application level protocol for control over delivery of data with real time properties So...

Page 106: ...d Weekend Hours You can modify these schedule by clicking on the Notepad icon in the Configure column Adding a Schedule To create schedules click Add The Add Schedule window is displayed 1 Enter a nam...

Page 107: ...er asking the server for the correct time NTP and the server returns a response Other types of services provide access to different types of data Web servers HTTP respond to requests from clients brow...

Page 108: ...es by creating a Custom Services Group for easy policy enforcement Adding Custom Services If a protocol is not listed in the Default Services table you can add it to the Custom Services table by click...

Page 109: ...ing the Ctrl key on your keyboard and clicking on the services 5 Click to remove the services 6 When you are finished click OK to add the group to Custom Services Groups Clicking on the left of a Cust...

Page 110: ...hat enable network to network VPN connections Using the SonicWALL intuitive Management Interface you can quickly create a VPN Security Association SA to a remote site Whenever data is intended for the...

Page 111: ...te destination network IP addresses as well as the Peer Gateway IP address Configuring Group VPN on the SonicWALL SonicWALL VPN defaults to a Group VPN setting This feature facilitates the set up and...

Page 112: ...ocess In the IKE Phase 1 Proposal section select the following settings Group 2 from the DH Group menu 3DES from the Encryption menu SHA1 from the Authentication menu Leave the default setting 28800 i...

Page 113: ...LL Since packets can have any IP address des tination it is impossible to configure enough static routes to handle the traffic For packets received via an IPSec tunnel the SonicWALL looks up a route f...

Page 114: ...SonicWALL Distributed Security Client which provides policy enforced firewall protection before allowing a Global VPN Client connection Note For more information on the SonicWALL Global Security Clien...

Page 115: ...and select any of the following optional settings that you want to apply to your GroupVPN Policy Enable Windows Networking NetBIOS broadcast allows access to remote network resources by browsing the...

Page 116: ...r this Connection only allows a VPN connection from a remote computer running the SonicWALL Distributed Security Client which provides policy enforced firewall protection before allowing a Global VPN...

Page 117: ...mic and static IP addresses the VPN gateway with the dynamic address must initiate the VPN connection Site to Site VPN configurations can include the following options Branch Office Gateway to Gateway...

Page 118: ...ask ___ ___ ___ ___ DNS Server 1 ___ ___ ___ ___ DNS Server 2 ___ ___ ___ ___ Additional Information SA Name ____________________ Manual Key SPI In_____ SPI Out_____ Enc Key ____________________ Auth...

Page 119: ...the VPN Planning Sheet for Site to Site VPN Policies to record your settings These settings are necessary to configure the remote SonicWALL and create a successful VPN connection Configuring a VPN Pol...

Page 120: ...nnel If hosts on this side of the VPN connection will be obtaining their addressing from a DHCP server on the remote side of the tunnel select Local network obtains IP addresses using DHCP through thi...

Page 121: ...osite side of the tunnel are configured to match 13 Under IPSec Phase 2 Proposal the default values for Protocol Encryption Authentication Enable Perfect Forward Secrecy DH Group and Lifetime are acce...

Page 122: ...through the VPN tunnel select HTTP HTTPS or both from Management via this SA Select HTTP HTTPS or both in the User login via this SA to allow users to login using the SA 20 If you wish to use a router...

Page 123: ...Incoming SPI and an Outgoing SPI The SPIs are hexadecimal 0123456789abcedf and can range from 3 to 8 characters in length Alert Each Security Association must have unique SPIs no two Security Associa...

Page 124: ...e Local Remote or both networks communicating via this VPN tunnel To perform Network Address Translation on the Local Network select or create an Address Object in the Translated Local Network drop do...

Page 125: ...way Name or Address field 5 Click the Network tab 6 Select a local network from Choose local network from list if a specific local network can access the VPN tunnel If traffic can originate from any l...

Page 126: ...must match the values on the remote SonicWALL 10 Enter a 16 character hexadecimal encryption key in the Encryption Key field or use the default value This encryption key is used to configure the remot...

Page 127: ...mote should be translated but not both Apply NAT Policies is particularly useful in cases where both sides of a tunnel use either the same or overlapping subnets Alert You cannot use this feature if y...

Page 128: ...ic can originate from any local network select Any Address 10 Under Destination Networks select Use this VPN Tunnel as default route for all Internet traffic if all remote VPN connections access the I...

Page 129: ...rk menu To translate the Remote Network select or create an Address Object in the Translated Remote Network menu Generally if NAT is required on a tunnel either Local or Remote should be translated bu...

Page 130: ...ed heartbeats Enter the number of missed heartbeats in the Failure Trigger Level missed heartbeats field The default value is 3 If the trigger level is reached the VPN connection is dropped by the Son...

Page 131: ...with old IP addresses and reconnects to the peer gateway VPN DHCP over VPN DHCP over VPN allows a Host DHCP Client behind a SonicWALL obtain an IP address lease from a DHCP server at the other end of...

Page 132: ...Use Internal DHCP Server to enable the Global VPN Client or a remote firewall or both to use an internal DHCP server to obtain IP addressing information 5 If you want to send DHCP requests to specifi...

Page 133: ...traffic across the VPN tunnel that is spoofing an authenticated user s IP address If you have any static devices however you must ensure that the correct Ethernet address is typed for the device The...

Page 134: ...ay and obtaining a lease verify that Deterministic Network Enhancer DNE is not enabled on the remote computer Tip If a static LAN IP address is outside of the DHCP scope routing is possible to this IP...

Page 135: ...m L2TP supports several of the authentication options supported by PPP including Password Authentication Protocol PAP Challenge Handshake Authentication Protocol CHAP and Microsoft Challenge Handshake...

Page 136: ...se PPP IP the source IP address of the connection Interface the type of interface used to access the L2TP Server whether it s a VPN client or another SonicWALL appliance Authentication type of authent...

Page 137: ...nto the SonicWALL using the VPN CA Certificates page Once you import the valid CA certificate you can use it to validate your local certificates you add in the VPN Local Certificates page VPN Local Ce...

Page 138: ...t Add New Local Certificate from the Certificates menu 2 In the Generate Certificate Signing Request section enter a name for the certificate in the Certificate Name field 3 Enter information for the...

Page 139: ...ificate 4 Click Import to import the certificate into the SonicWALL Once it is imported you can view the Certificate Details Certificate Details The Certificate Details section lists the following inf...

Page 140: ...wnloading the list You can import the CRL by manually downloading the CRL and then importing it into the SonicWALL You can also enter the URL location of the CRL by entering the address in the Enter C...

Page 141: ...Page 128 SonicWALL SonicOS Standard Administrator s Guide...

Page 142: ...connection User level authentication can performed using a local user database RADIUS or a combination of the two applications The local database on the SonicWALL can support up to 1000 users If you...

Page 143: ...entication users must log into the SonicWALL using HTTPS in order to encrypt the pass word sent to the SonicWALL If a user attempts to log into the SonicWALL using HTTP the browser is automatically re...

Page 144: ...of the primary RADIUS server in the RADIUS servers section An optional secondary RADIUS server can be defined if a backup RADIUS server exists on the network 5 Type the IP address of the RADIUS server...

Page 145: ...hanism used for setting user group memberships for RADIUS users from the following list Use SonicWALL vendor specific attribute on RADIUS server select to apply specific attributes from the RADIUS ser...

Page 146: ...in this field Enable login session limit you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time in minutes in the Login session limit minu...

Page 147: ...ser and type it in the Password field Passwords are case sensitive and should consist of a combination of letters and numbers rather than names of family friends or pets 3 Confirm the password by rety...

Page 148: ...groups To remove a group select the group from the Member of column and click VPN Access To allow users to access networks using a VPN tunnel select the network from the Networks list and click to mov...

Page 149: ...ctiveX blocking Limited Management Capabilities By enabling this check box the user has limited local manage ment access to the SonicWALL Management interface The access is limited to the following pa...

Page 150: ...by allowing the configuration of two SonicWALL appliances one primary and one backup as a Hardware Failover pair In this configuration the backup SonicWALL monitors the primary SonicWALL and takes ov...

Page 151: ...e for example after recovering from a failure and restarting If this option is not used the backup SonicWALL remains the active SonicWALL Alert The primary and backup SonicWALL appliances use a heartb...

Page 152: ...tem Administration X0 LAN IP Address This is a unique IP address for accessing the primary SonicWALL from the LAN whether it is Active or Idle Alert This IP address is different from the IP address us...

Page 153: ...N LAN IP address Synchronizing Changes between the Primary and Backup SonicWALLs Changes made to the Primary or Backup firewall are synchronized automatically between the two firewalls If you click Sy...

Page 154: ...om the currently active SonicWALL This may be accomplished by disconnecting the active SonicWALL s LAN port by shutting off power on the currently active unit or by restarting it from the Web Manageme...

Page 155: ...ing Links The Hardware Failover Monitoring page allows you to enter the IP address of the router for Interfaces X0 to X4 to monitor the link Enter the IP address for the router connected to the respec...

Page 156: ...http www sonicwall com This chapter provides an overview of the SonicWALL Security Services listed under Security Services in the SonicWALL Management Interface which includes SonicWALL Content Filter...

Page 157: ...service expiration date is displayed in the Expiration column Manage Services Online Clicking the To Activate Upgrade or Renew services click here link displays the mySonicWALL com Login page Enter yo...

Page 158: ...n icWALL SonicWALL Content Filtering Service SonicWALL Content Filtering Service CFS enforces protection and productivity policies for businesses schools and libraries to reduce legal and privacy risk...

Page 159: ...or higher as well as SonicOS Enhanced 2 0 or higher Security Services Content Filter The Security Services Content Filter page allows you to configure the SonicWALL Restrict Web Features and Trusted...

Page 160: ...try a FREE TRIAL of SonicWALL CFS by following these steps 1 Click the FREE TRIAL link The mySonicWALL com Login page is displayed 2 Enter your mySonicWALL com account username and password in the Us...

Page 161: ...proxy servers on the WAN Known Fraudulent Certificates Digital certificates help verify that Web content and files originated from an authorized party Enabling this feature protects users on the LAN...

Page 162: ...u can customize SonicWALL filter features included with SonicOS from the SonicWALL Filter Properties window To display the SonicWALL Filter Properties window select SonicWALL CFS from the Content Filt...

Page 163: ...he Add Keyword field and click OK To remove a keyword select it from the list and click Delete Once the keyword has been removed the Status bar displays Ready Disable all Web traffic except for Allowe...

Page 164: ...sers window and enter the desired value in the User Idle Time out section Consent Page URL optional filtering When a user opens a Web browser on a computer requiring consent they are shown a consent p...

Page 165: ...ltered highlight the IP address in the Mandatory Filtered IP Addresses list and click Delete SonicWALL Network Anti Virus By their nature anti virus products typically require regular active maintenan...

Page 166: ...n Key in the New License Key field and click Submit Your SonicWALL Network Anti Virus subscription is activated on your SonicWALL If you activated SonicWALL Network Anti Virus at www mySonicWALL com t...

Page 167: ...lable memory for exceptional performance on SonicWALL appliances Inter Zone Intrusion Prevention SonicWALL IPS provides an additional layer of protection against malicious threats by allowing administ...

Page 168: ...ffic and alerts the administrator Intrusion prevention finds the anomalies in the traffic and reacts to it preventing the traffic from passing through Deep Packet Inspection is a technology that allow...

Page 169: ...e farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities Intrusion Detection a process of identifying and flagging m...

Page 170: ...mySonicWALL com account is accessible from any Internet connection with a Web browser using the HTTPS Hypertext Transfer Protocol Secure protocol to protect your sensitive information You can also ac...

Page 171: ...our mySonicWALL com account username and password in the User Name and Password fields then click Submit The System Licenses page is displayed If your SonicWALL is already connected to your mySonicWAL...

Page 172: ...and a brief message describing the event It is also possible to copy the log entries from the management interface and paste into a report Dropped TCP UDP or ICMP packets When IP packets are blocked...

Page 173: ...ssage provides description of the event Source displays source network and IP address Destination displays the destination network and IP address Notes provides additional information about the event...

Page 174: ...s system activations System Errors Logs problems with DNS or e mail Blocked Web Sites Logs Web sites or newsgroups blocked by the Content Filter List or by customized filtering Blocked Java etc Logs J...

Page 175: ...es are immediately sent to the e mail address defined in the Send alerts to field Attacks System Errors and System Environment are enabled by default Blocked Web Sites and VPN Tunnel Status are disabl...

Page 176: ...Send Log Every At The Send Log menu determines the frequency of log e mail messages Dai ly Weekly or When Full If the Weekly or Daily option is selected then select the day of the week the e mail is...

Page 177: ...t If the SonicWALL is managed by SonicWALL GMS the Syslog Server fields cannot be configured by the administrator of the SonicWALL Adding a Syslog Server To add syslog servers to the SonicWALL click A...

Page 178: ...ly accessed Web sites and the number of hits to a site during the current sample period The Web Site Hits report ensures that the majority of Web access is to appropriate Web sites If leisure sports o...

Page 179: ...Security Appliance With SonicWALL ViewPoint you are able to monitor network access enhance network security and anticipate future bandwidth needs SonicWALL ViewPoint Displays bandwidth use by IP addr...

Page 180: ...y Expertise Technical Support is only as good as the people providing it to you SonicWALL support professionals are Certified Internet Security Administrators with years of experience in networking an...

Page 181: ...to 192 168 168 200 Make a note of the Management Station s current TCP IP settings If the Management Station accesses the Internet through an existing broadband connection then the TCP IP settings ca...

Page 182: ...IP in the TCP IP Properties window 4 Select Specify an IP Address 5 Type 192 168 168 200 in the IP Address field 6 Type 255 255 255 0 in the Subnet Mask field 7 Click DNS at the top of the window 8 T...

Page 183: ...operties window 4 Double click Internet Protocol TCP IP to open the TCP IP properties window 5 Select Use the following IP address and enter 192 168 168 200 in the IP address field 6 Type 255 255 255...

Page 184: ...e the DNS IP address in the Preferred DNS Server field If you have more than one address type the second one in the Alternate DNS server field 6 Click OK for the settings to take effect on the compute...

Page 185: ...Page 172 SonicWALL SonicOS Standard Administrator s Guide...

Page 186: ...alse Positives 155 FIPS 47 Firewall Name 38 Firmware Management Automatic Notification 44 Backup Firmware Image 45 Booting Firmware 45 Export Settings 44 Import Settings 43 SafeMode 45 Updating Firmwa...

Page 187: ...NAT with PPPoE 18 NAT with PPTP 22 Static IP Address with NAT Enabled 7 Signature 156 Signature Database 154 SNMP Management 39 Snort 156 SonicWALL Support Options 167 Stateful Packet Inspection 156...

Page 188: ...Page 175...

Page 189: ...Page 176 SonicWALL SonicOS Enhanced Administrator s Guide...

Page 190: ...mes mentioned herein may be trademarks and or registered trademarks of their respective companies Specifications and descriptions subject to change with out notice T 408 745 9600 F 408 745 9300 www so...