GMS/UMA 7.0 Administrators Guide

SonicWALL GMS 7.0 Administrators Guide
PROTECTION AT THE
SPEED OF BUSINESS

SonicWALL GMS / UMA Administrators Guide


Version 7.0
SonicWALL, Inc.
2001 Logic Drive
San Jose, CA 95124-3452
Phone: +1.408.745.9600
Fax: +1.408.745.9300
E-mail: info@sonicwall.com

Copyright Notice
© 2012 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within, can not be copied, in
whole or part, without the written consent of the manufacturer, except in the normal use of the
software to make a backup copy. The same proprietary and copyright notices must be affixed
to any permitted copies as were affixed to the original. This exception does not allow copies to
be made for others, whether or not sold, but all of the material purchased (with all backup
copies) can be sold, given, or loaned to another person. Under the law, copying includes
translating into another language or format.
Specifications and descriptions subject to change without notice.

Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.

Windows XP, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2003,
Internet Explorer, and Active Directory are trademarks or registered trademarks of
Microsoft Corporation.

Firefox is a trademark of the Mozilla Foundation.


Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe
Systems Incorporated in the U.S. and/or other countries.
Other product and company names mentioned herein may be trademarks and/or registered
trademarks of their respective companies and are the sole property of their respective
manufacturers.


Table of Contents
Chapter 1: Introduction to SonicWALL GMS . . . . . . . . . . . . . . . . . . . . . . .1
Overview of SonicWALL GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
What Is SonicWALL GMS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
SonicWALL GMS 7.0 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Scaling SonicWALL GMS Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Deployment Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Operating System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Database Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
MySQL Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Java Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Browser Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
SonicWALL Appliance and Firmware Support . . . . . . . . . . . . . . . . . . . . . . . . . .10
SonicWALL GMS Gateway Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Network Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
SonicWALL GMS Internet Access through a Proxy Server . . . . . . . . . . . . . . . .12
Login to SonicWALL GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Navigating the SonicWALL GMS User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Dashboard Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Appliance Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Monitor Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Console Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Understanding SonicWALL GMS Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Using the SonicWALL GMS TreeControl Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Configuring SonicWALL GMS View Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Group Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Unit Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Creating SonicWALL GMS Fields and Dynamic Views . . . . . . . . . . . . . . . . . . .23
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Tips and Tutorials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Chapter 2: Adding SonicWALL Appliances and Performing Basic Management Tasks 31
Adding SonicWALL Appliances to SonicWALL GMS . . . . . . . . . . . . . . . . . . . . . . .31
Adding SonicWALL Appliances Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Importing SonicWALL Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Registering SonicWALL Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Modifying Management Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Modifying SonicWALL Appliance Management Options . . . . . . . . . . . . . . . . . .37
Changing Agents or Management Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Moving SonicWALL Appliances Between Groups . . . . . . . . . . . . . . . . . . . . . . .39
Deleting SonicWALL Appliances from GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Performing Basic Appliance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Chapter 3: Using the Dashboard Panel . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Using the Dashboard Control Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Using the Universal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Using the Geographic Map View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Filtering with the Search Using Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Determining the Universal Dashboard Geographical Map Location . . . . . . . . .52
Geographic Map User Interface and Location Unknown . . . . . . . . . . . . . . . .52
Managing Page and Widgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Adding Widgets on the Universal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Adding a New Dashboard Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Using the Universal Scheduled Reports Application . . . . . . . . . . . . . . . . . . . . . . . . .58
Using the Manage Templates Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Adding a Scheduled Report Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Managing the Scheduled Reports Component . . . . . . . . . . . . . . . . . . . . . . . . . . .76
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Chapter 4: Overview of Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
SonicWALL GMS Reporting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Viewing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Navigating SonicWALL GMS Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Global and Group Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Unit View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Layout of Reports Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
The Date Selector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Export Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
The Filter Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Adding Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Scheduling Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Report Data Container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Layout of the Data Container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Viewing Syslog Data of Generated Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Drilling Down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Managing SonicWALL GMS Reports on the Console Panel . . . . . . . . . . . . . . . . . .108
Chapter 5: Viewing Firewall Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Firewall Reporting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Benefits of Firewall Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Firewall Reports Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Viewing Available Firewall Report Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Understanding the Data Container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
How to View Firewall Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Viewing Global Summary Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Viewing Unit Level Status Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Using the Log Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Viewing Status Uptime/DownTime Summary Reports . . . . . . . . . . . . . . . . . . .129
Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Setting Up Currency Cost for Summarizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Adding Syslog Exclusion Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Chapter 6: Viewing SRA Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
SRA Reporting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
SRA Reports Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
What is SRA Reporting? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Benefits of SRA Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
How Does SRA Reporting Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Using and Configuring SRA Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Viewing Available SRA Report Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Configuring SRA Scheduled Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Navigating Through Detailed SRA Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Viewing SRA Summary Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Viewing SRA Unit-Level Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Viewing Unit-Level Data Usage Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Viewing SRA Top Users Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Viewing Access Method Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Viewing SRA Authentication User Login Report . . . . . . . . . . . . . . . . . . . . . . . .147
Viewing SRA Authentication Failed Login Report . . . . . . . . . . . . . . . . . . . . . .148
Viewing Web Application Firewall (WAF) Reports . . . . . . . . . . . . . . . . . . . . . .148
Viewing Connection Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Viewing Uptime/Downtime Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Viewing SRA Analyzer Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Syslog Exclusion Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Chapter 7: Viewing CDP Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
CDP Reporting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
CDP Reports Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
What is CDP Reporting? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
How to View CDP Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Viewing the Capacity Summary Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Viewing Unit Backup Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Viewing Uptime/Downtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Chapter 8: Introduction to Policy Management . . . . . . . . . . . . . . . . . . .171
SonicWALL GMS Policy Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . .171
Introduction to Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Introduction to SRA Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Introduction to CDP Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Introduction to Email Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Chapter 9: Configuring Firewall System Settings . . . . . . . . . . . . . . . . .185
Viewing System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Configuring Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Viewing Licensed Node Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Configuring Administrator Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Using Configuration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Restarting SonicWALL Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Requesting Diagnostics for SonicWALL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Inheriting Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Clearing the ARP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Synchronizing Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Synchronizing with mySonicWALL.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Manually Uploading Signature Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Generating Tech Support Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Configuring Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Configuring System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Configuring Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Editing Management Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Navigating the System > Certificates Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
About Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Configuring CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Importing New Local and CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Generating a Certificate Signing Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Configuring SCEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Chapter 10: Configuring Firewall Network Settings . . . . . . . . . . . . . . .207
Overview of Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Virtual Interfaces (VLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Configuring Network Settings in SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . . . .209
Configuring Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
WAN Failover and Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Configuring the WLAN Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Configuring Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Configuring NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Configuring Web Proxy Forwarding Settings . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Configuring Routing in SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Configuring RIP in SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
Configuring Advanced Routing for Tunnel Interfaces . . . . . . . . . . . . . . . . . . . .244
Configuring IP Helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Configuring ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Configuring SwitchPorts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Configuring PortShield Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Configuring MAC-IP Anti-Spoof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Configuring Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Configuring Network Settings in SonicOS Standard . . . . . . . . . . . . . . . . . . . . . . . .258
Configuring Basic Network Settings in SonicOS Standard . . . . . . . . . . . . . . . .258
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Configuring Web Proxy Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Configuring Intranet Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Configuring Routing in SonicOS Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Configuring RIP in SonicOS Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Configuring OPT Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Configuring One-to-One NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Configuring Ethernet Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Configuring ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Chapter 11: Configuring Firewall Appliance Settings . . . . . . . . . . . . . .273
Understanding the Network Access Rules Hierarchy . . . . . . . . . . . . . . . . . . . . . . . .273
Configuring Firewall Settings in SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . . . .275
Configuring Firewall Rules in SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . . . .275
Configuring Advanced Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Configuring Bandwidth Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Configuring Multicast Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Configuring Voice over IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Configuring TCP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Configuring Quality of Service Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Configuring SSL Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Configuring Firewall Settings in SonicOS Standard . . . . . . . . . . . . . . . . . . . . . . . . .300
Configuring Rules in SonicOS Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Configuring Advanced Firewall Settings in SonicOS Standard . . . . . . . . . . . . .303
Configuring Voice over IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Chapter 12: Configuring Firewall Log Settings . . . . . . . . . . . . . . . . . . .305
Configuring Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Configuring Enhanced Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Heartbeat Settings on the Enhanced Log Settings Page . . . . . . . . . . . . . . . . . .310
Configuring Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Chapter 13: Viewing Firewall Diagnostic Information . . . . . . . . . . . . . .313
Viewing Network Diagnostic Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Viewing Connections Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Viewing CPU Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Viewing Process Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
Chapter 14: Configuring Firewall Website Blocking . . . . . . . . . . . . . . .319
Configuring General Website Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Selecting the Content to Block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Content Filter List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
CFS Filter List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
Configuring the CFS Exclusion List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Configuring CFS Custom Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Customizing Access by Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Enabling Website Blocking Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Adding Individual Forbidden/Allowed Domains . . . . . . . . . . . . . . . . . . . . . . .333
Adding Multiple Domains From a List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Timing Options in SonicOS Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Deleting Domains from the Domain Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Blocking Access to Domains by Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Blocking Web Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Configuring Access Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
N2H2 and Websense Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
N2H2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Websense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Chapter 15: Configuring Firewall Dynamic Host Configuration Protocol 341
DHCP Server Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Configuring DHCP Over VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Configuring Dynamic DHCP IP Address Ranges . . . . . . . . . . . . . . . . . . . . . . . . . .343
Configuring Static IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346
Configuring DHCP Option Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
Configuring DHCP Option Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Configuring General DHCP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Configuring Trusted DHCP Relay Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Chapter 16: Configuring Firewall User Settings . . . . . . . . . . . . . . . . . . .353
Configuring Users in SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Configuring User Login Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Configuring LDAP and Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
Global User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Configuring an Acceptable Use Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Configuring Local Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Configuring Local Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
Configuring ULA Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Configuring HTTP URL-Based ULA Settings . . . . . . . . . . . . . . . . . . . . . . . . . .370
Configuring RADIUS for SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . . . . . . .370
Configuring Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Configuring Guest Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Configuring Guest Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Configuring Users in SonicOS Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Configuring User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Global User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Configuring an Acceptable Use Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Configuring ULA Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Configuring HTTP URL-Based ULA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383
Configuring RADIUS for SonicOS Standard . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Chapter 17: Configuring App Control . . . . . . . . . . . . . . . . . . . . . . . . . . .387
App Control Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .387
Configuring App Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Configuring App Rules Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Searching App Rules Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Filtering the Policies View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Sorting App Rules Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Viewing Tooltips for App Rules Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393
Adding or Editing App Rules Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Enabling or Disabling App Rules Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Deleting App Rules Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Policy Type Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Configuring Advanced Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Viewing App Control Advanced Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Enabling App Control on Network Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Configuring App Control Advanced Global Settings . . . . . . . . . . . . . . . . . . . . .405
Configuring Policies on App Control > Advanced . . . . . . . . . . . . . . . . . . . . . .408
Sorting App Control Advanced Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Configuring Match Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Searching Match Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Adding or Editing Match Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Adding Application List Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Sorting Match Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Deleting Match Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Match Object Type Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424
Configuring Action Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Searching Action Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Adding or Editing Action Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .430
Configuring Application Layer Bandwidth Management . . . . . . . . . . . . . . . . .431
Sorting Action Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
Deleting Action Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Action Type Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Configuring Email Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .441
Searching Email Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .442
Adding or Editing Email Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . .443
Sorting Email Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Deleting Email Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Controlling Email Attachments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Controlling Risky Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451
Chapter 18: Configuring Firewall Anti-Spam Settings . . . . . . . . . . . . . .459
Activating Anti-Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Configuring Anti-Spam Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Configuring the Email Threat Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461
Configuring Email Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Configuring User Defined Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Configuring Advanced Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Configuring Anti-Spam Real-Time Black List Filtering . . . . . . . . . . . . . . . . . . . . . .464
Adding RBL Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
User-Defined SMTP Server Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .465
Chapter 19: Configuring Firewall Virtual Private Networking . . . . . . . .467
VPN SA Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
Deployment Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Viewing the VPN Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469
Configuring VPN Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470
Configuring ULA Settings for VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Configuring VPNs in SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Configuring VPNs in Interconnected Mode . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Configuring VPNs in Non-Interconnected Mode . . . . . . . . . . . . . . . . . . . . . . .474
Generic VPN Configuration in SonicOS Enhanced . . . . . . . . . . . . . . . . . . . . .475
Configuring VPNs in SonicOS Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
IKE Using SonicWALL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
IKE Using Third-Party Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .484
IKE Using Pre-Shared Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .490
Manual Keying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
Setting up the L2TP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
Monitoring VPN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
Management of VPN Client Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
Enabling the VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502
Downloading VPN Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
VPN Terms and Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Using OCSP with SonicWALL Security Appliances . . . . . . . . . . . . . . . . . . . . . . . .505
OpenCA OCSP Responder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Using OCSP with VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .506
Chapter 20: Configuring Firewall SSL VPN Settings . . . . . . . . . . . . . . .507
SSL VPN NetExtender Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
What is SSL VPN NetExtender? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .508
NetExtender Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .508
SSL VPN > Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .510
SSL VPN > Portal Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .511
SSL VPN > Client Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Configuring Zones for SSL VPN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Configuring the SSL VPN Client Address Range . . . . . . . . . . . . . . . . . . . . . . . .513
Configuring NetExtender Client Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .514
SSL VPN > Client Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .514
Configuring Tunnel All Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .515
Adding Client Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .515
Chapter 21: Configuring Firewall DPI-SSL Settings . . . . . . . . . . . . . . .517
DPI-SSL Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .517
Configuring Client SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518
Configuring General Client DPI-SSL Settings . . . . . . . . . . . . . . . . . . . . . . . . . .518
Selecting the Re-Signing Certificate Authority . . . . . . . . . . . . . . . . . . . . . . . . . .519
Configuring the Inclusion/Exclusion List . . . . . . . . . . . . . . . . . . . . . . . . . . . . .520
Client DPI-SSL Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .521
Configuring Server SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .522
Configuring General Server DPI-SSL Settings . . . . . . . . . . . . . . . . . . . . . . . . . .523
Configuring the Exclusion List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .524
Configuring Server-to-Certificate Pairings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .524
SSL Offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .525
Chapter 22: Configuring Firewall Security Services . . . . . . . . . . . . . . .527
Configuring Security Services Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .527
Configuring SonicWALL Network Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528
Configuring Anti-Virus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528
SonicWALL Network Anti-Virus Email Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Email Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Configuring the SonicWALL Content Filter Service . . . . . . . . . . . . . . . . . . . . . . . .532
Configuring the SonicWALL Intrusion Prevention Service . . . . . . . . . . . . . . . . . . .532
Overview of IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .533
SonicWALL Deep Packet Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .533
Enabling Intrusion Prevention Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Configuring IPS Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
Manual Upload of Keyset and Signature Files . . . . . . . . . . . . . . . . . . . . . . . . . .537
Configuring the SonicWALL RBL Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
Configuring the SonicWALL Gateway Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . . . .540
Configuring GAV Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .541
Configuring GAV Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .542
Viewing SonicWALL GAV Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .542
Configuring the SonicWALL Anti-Spyware Service . . . . . . . . . . . . . . . . . . . . . . . . .543
Enabling SonicWALL Anti-Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .545
Specifying Spyware Danger Level Protection . . . . . . . . . . . . . . . . . . . . . . . . . . .545
Applying SonicWALL Anti-Spyware Protection to Zones (Enhanced) . . . . . .546
Chapter 23: Configuring Firewall High Availability . . . . . . . . . . . . . . . .549
Configuring High Availability Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .549
Configuring Advanced High Availability Settings . . . . . . . . . . . . . . . . . . . . . . . . . . .550
Monitoring High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .552
Verifying High Availability Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .553
Chapter 24: Configuring Firewall SonicPoints . . . . . . . . . . . . . . . . . . . .555
Managing SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Before Managing SonicPoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
SonicPoint Provisioning Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
Updating SonicPoint Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
SonicPoint WLAN Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
Updating SonicPoint Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .566
Automatic Provisioning (SDP & SSPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .566
Viewing Station Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
Event and Statistics Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
Using and Configuring SonicPoint IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Detecting SonicPoint Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Wireless Intrusion Detection Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .568
Using and Configuring Virtual Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .570
Configuring Virtual Access Point Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . .571
Configuring Virtual Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .572
Configuring Virtual Access Point Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573
Configuring FairNet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573
SonicPoint FairNet Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573
Configuring SonicPoint FairNet Bandwidth Limit Policies . . . . . . . . . . . . . . . .574
Chapter 25: Configuring Firewall Wireless Options . . . . . . . . . . . . . . .577
Configuring General Wireless Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .577
Configuring Access Point Radio Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .579
Configuring Wireless Client Bridge Radio Mode . . . . . . . . . . . . . . . . . . . . . . . .580
Wireless Radio Operating Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .580
Configuring Wireless Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .581
WEP Encryption Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .581
WEP Encryption Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .582
WPA and WPA2 Encryption Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .582
WPA and WPA2 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
Preshared Key Settings (PSK) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Extensible Authentication Protocol (EAP) Settings . . . . . . . . . . . . . . . . . . . . . .584
Configuring Advanced Wireless Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585
Configuring MAC Filter List Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .588
Configuring Intrusion Detection Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .589
Viewing the Wireless > IDS page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .589
Configuring Wireless Intrusion Detection System Settings . . . . . . . . . . . . . . . .590
Authorized Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .592
Discovering Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .593
Scheduling Rogue Access Points Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
Configuring Wireless Virtual Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
Searching for Virtual Access Point Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
Configuring Virtual Access Point Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . .600
Configuring Virtual Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .600
Chapter 26: Configuring Firewall Wireless Guest Services . . . . . . . . .605
Configuring Wireless Guest Services Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .605
Adding a Guest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .607
Configuring the URL Allow List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .608
Denying Access to Networks with the IP Deny List . . . . . . . . . . . . . . . . . . . . . . . .608
Configuring the Custom Login Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .609
Configuring External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .610
Configuring General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .611
Configuring Settings for Auth Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .611
Configuring Web Content Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .612
Configuring Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .613
Configuring WGS Account Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .614
Chapter 27: Configuring Firewall Modem Options . . . . . . . . . . . . . . . . .615
Configuring the Modem Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .615
Configuring Modem Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
Configuring Advanced Modem Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .620
Chapter 28: Configuring Firewall Wireless WAN Options . . . . . . . . . . .621
About Wireless WAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
Configuring the Connection Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .622
Configuring WWAN Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625
Configuring Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .626
Chapter 29: Configuring Firewall Web Filters with CSM . . . . . . . . . . . .629
Configuring Web Filter Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .629
Configuring Web Filter Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .631
Modifying the *Default Policy Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .632
Adding Category Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .633
Restoring Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .634
Configuring Custom Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .634
Configuring Miscellaneous Web Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .635
Configuring the Custom Block Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .637
Chapter 30: Configuring Firewall Application Filters . . . . . . . . . . . . . .639
Configuring Application Filter Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .639
Chapter 31: Registering and Upgrading SonicWALL Firewall Appliances 643
Registering SonicWALL Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643
Upgrading Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .644
Upgrading Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .645
Searching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .645
Creating License Sharing Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .647
Viewing Used Activation Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .650
Chapter 32: Configuring Firewall Events . . . . . . . . . . . . . . . . . . . . . . . .651
Adding Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
Add Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
Alert Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .652
Destination / Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .654
Enabling/Disabling Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Enabling an Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Disabling an Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Deleting Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Editing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656
Current Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656
Chapter 33: Adding SRA Appliances to SonicWALL GMS . . . . . . . . . .657
Preparing SRA Appliances for SonicWALL GMS Management . . . . . . . . . . . . . . .657
Preparing SonicWALL SRA Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657
Preparing SonicWALL Aventail EX-Series SRA Appliances . . . . . . . . . . . . . .658
Adding SRA Appliances in SonicWALL GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . .659
Managing SRA Appliance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .660
Chapter 34: Using General SRA Status and Tools . . . . . . . . . . . . . . . . .661
SRA Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662
SRA Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .664
SRA Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .666
Updating SRA Appliance Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .666
Registering SonicWALL SRA Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .667
Upgrading SonicWALL SRA Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .667
Logging in to SRA using SonicWALL GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .668
Configuring Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .668
Adding Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .669
Enabling/Disabling Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .671
Deleting Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .672
Editing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .672
Current Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .673
Chapter 35: CDP Appliance Management . . . . . . . . . . . . . . . . . . . . . . . .675
Adding a CDP Appliance to GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .675
Preparing the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .675
Adding the CDP Appliance to GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .676
Managing CDP General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .677
Viewing and Managing CDP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .677
CDP Appliance Tools for Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . .679
Editing CDP Appliance Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . .681
Registering CDP Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .681
Registration Tasks on GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .681
Registration Tasks on the CDP Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . .682
Configuring Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .682
Adding Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Enabling/Disabling Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Deleting Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Editing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Current Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
Template Management Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
Recording . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Accessing the CDP Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
Using Multi-Solution Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
Logging into the CDP Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Configuring Multi-Solution Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Chapter 36: Email Security Appliance Management . . . . . . . . . . . . . . 695
Configuring Heartbeat using Email Security CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Adding an ES Appliance to GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Managing ES General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Viewing and Managing ES Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
ES Appliance Tools for Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Editing ES Appliance Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Registering ES Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Registration Tasks on GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Registration Tasks on the ES Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
Configuring Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
Adding Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
Enabling/Disabling Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Deleting Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Editing Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Current Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Template Management Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Recording . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Accessing the ES Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Using Multi-Solution Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Logging into the ES Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Configuring Multi-Solution Management (MSM) . . . . . . . . . . . . . . . . . . . . . . . 712
Chapter 37: Using Navigation and Monitoring Tools . . . . . . . . . . . . . . 715
Net Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Configuring the Net Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .716
Managing Categories and Devices on the Net Monitor . . . . . . . . . . . . . . . . . . .720
Managing Realtime Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .732
Managing Severity and Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .739
Adding Custom Icons to the Net Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . .744
Real-Time Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .745
Real-time Syslog Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .746
GMS Reports and Corresponding Syslog Categories . . . . . . . . . . . . . . . . . . . . . . . .747
Forwarding Syslog Data to Another Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . .748
Live Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .749
Chapter 38: Managing Inheritance in SonicWALL GMS . . . . . . . . . . . .759
Configuring Inheritance Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .759
Applying Inheritance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .761
Chapter 39: Configuring User Settings . . . . . . . . . . . . . . . . . . . . . . . . . .765
Chapter 40: Configuring Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . .767
Configuring Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .767
Configuring Log View Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .768
Chapter 41: Managing Scheduled Tasks . . . . . . . . . . . . . . . . . . . . . . . .771
Scheduled Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .771
Chapter 42: Configuring Console Management Settings . . . . . . . . . . .775
Configuring Management Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .775
Configuring Email Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776
Configuring Prefs File Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .776
Enabling Reporting and Synchronization with Managed Units . . . . . . . . . . . . .777
Command Line Interface (CLI) Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
Enhanced Security Access Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .777
Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .778
About Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .779
Creating a New Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .779
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .784
Creating User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .785
Adding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .786
Moving a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .787
Configuring Screen Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .788
Configuring Appliance Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .790
Configuring Unit, View, and Other Permissions . . . . . . . . . . . . . . . . . . . . . . . .791


Custom Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792


Creating Custom Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Configuring Prefs File Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Enabling Reporting and Synchronization with Managed Units . . . . . . . . . . . . 794
Enhanced Security Access Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Configuring Management Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
Managing Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
Managing Agent Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
SNMP Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Configuring SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Inheritance Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Message of the Day . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Chapter 43: Managing Reports in the Console Panel . . . . . . . . . . . . . 801
Summarizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
About Summary Data in Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
Summarizer Settings and Summarization Interval for CDP . . . . . . . . . . . . . . . 802
Configuring the Data Deletion Schedule Settings . . . . . . . . . . . . . . . . . . . . . . . 805
Syslog Exclusion Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
Email/Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Configuring Email/Archive Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Managing Legacy Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
Chapter 44: Using Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
Debug Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
Configuring Debug Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
Request Snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Performing a System Snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
Performing the Snapshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Snapshot Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 815
Viewing the Snapshot or Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 815
Summarizer Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Chapter 45: Granular Event Management . . . . . . . . . . . . . . . . . . . . . . . 821
Granular Event Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821
What is Granular Event Management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823
Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823


How Does Granular Event Management Work? . . . . . . . . . . . . . . . . . . . . . . . .824


Using Granular Event Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .824
About Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .825
Configuring Granular Event Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .826
Configuring Events on the Console Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . .827
Sample Event Alert Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .841
Chapter 46: Managing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .845
GMS License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .845
Upgrading a Demo License to a Retail License . . . . . . . . . . . . . . . . . . . . . . . . .846
Product Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .846
SonicWALL Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .849
Upgrading the Node License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .849
Purchasing Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .849
Activating the Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .850
Chapter 47: Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .851
URI Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .851
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .852
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .852
Distributed Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .853
The Distributed Instances Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .853
Configuring Distributed Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .854
Adding a Distributed Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .854
Chapter 48: Using GMS Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .857
About GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .857
Tips and Tutorials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .857
Chapter 49: UMH/UMA System Settings . . . . . . . . . . . . . . . . . . . . . . . . .859
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .859
Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .861
Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .862
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .863
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .864
Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .865
Technical Support Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .866
Logs and Syslogs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .867
File Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .867
Working with Multiple Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .868


Backup/Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
Data Export Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870
RAID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
Chapter 50: UMA Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
Chapter 51: UMH/UMA Deployment Settings . . . . . . . . . . . . . . . . . . . . 879
Deployment Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
Configuring the All In One Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Configuring the Database Only Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
Configuring the Console Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
Configuring the Agent Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
Configuring the Reports Summarizer Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
Configuring the Monitor Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Configuring the Event Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Configuring the Syslog Collector Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Configuring Database Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 887
Deployment Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Configuring Web Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Configuring SMTP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Configuring SSL Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Deployment Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 891


CHAPTER 1
Introduction to SonicWALL GMS
This chapter introduces the SonicWALL Global Management System (GMS) User Interface (UI)
navigation and management views. SonicWALL GMS can be used in a variety of roles in a wide
range of networks. Network administrators can use SonicWALL GMS as a Management
Console role in an Enterprise network containing a single SonicWALL E-Class NSA or
SuperMassive appliance and also as a Remote Management System role for managing
multiple unit deployments for Enterprise and Service Provider networks consisting of hundreds
and thousands of firewalls, Email Security appliances, CDP appliances and Secure Remote
Access appliances.
This section includes the following subsections:

Overview of SonicWALL GMS section on page 1

Deployment Requirements section on page 7

Login to SonicWALL GMS section on page 14

Navigating the SonicWALL GMS User Interface section on page 14

Understanding SonicWALL GMS Icons section on page 18

Using the SonicWALL GMS TreeControl Menu section on page 19

Configuring SonicWALL GMS View Options section on page 20

Getting Help section on page 28

Overview of SonicWALL GMS


This section contains the following subsections:

What Is SonicWALL GMS? section on page 2

SonicWALL GMS 7.0 New Features section on page 3

Scaling SonicWALL GMS Deployments section on page 6


What Is SonicWALL GMS?


The SonicWALL Global Management System (SonicWALL GMS) is a Web-based application that can
configure and manage thousands of SonicWALL firewall appliances and NetMonitor non-SonicWALL
appliances from a central location.
SonicWALL GMS can be used as a Management Console in an Enterprise network containing
a single SonicWALL E-Class NSA or SuperMassive. SonicWALL GMS can also be used as a
Remote Management System for managing multiple unit deployments for Enterprise and
Service Provider networks consisting of hundreds and thousands of firewalls, Email Security
appliances, CDP appliances and Secure Remote Access appliances. This dramatically lowers
the cost of managing a secure distributed network. SonicWALL GMS does this by enabling
administrators to monitor the status of and apply configurations to all managed SonicWALL
appliances, groups of SonicWALL appliances, or individual SonicWALL appliances.
SonicWALL GMS also provides centralized management for scheduling and pushing firmware
updates to multiple appliances and for applying configuration backups of appliances at regular
intervals.
SonicWALL GMS provides monitoring features that enable you to view the current status of
SonicWALL appliances and non-SonicWALL appliances, pending tasks, and log messages. It
also provides graphical reporting of Firewall, SRA, and CDP appliance and network activities
for the SonicWALL appliances. A wide range of informative real-time and historical reports can
be generated to provide insight into usage trends and security events.

Note

SonicWALL Email Security reporting is not supported in SonicWALL GMS 7.0.


Network administrators can also configure multiple site VPNs for SonicWALL appliances. From
the SonicWALL GMS user interface (UI), you can add VPN licenses to SonicWALL appliances,
configure VPN settings, and enable or disable remote-client access for each network.


SonicWALL GMS 7.0 New Features


This section provides a list of new features in SonicWALL GMS 7.0:

Scalability and Data Accessibility Enhancements: The following enhancements are included in
this release:

Drill down capabilities via direct access to the raw syslog data

Less disk space required due to higher compression rates

Near real-time reporting, as syslogs are added to the database as they come in

Visualization, Usability and Workflow Enhancements: Application Visualization and
Intelligence: Application visualization and intelligence reporting allows administrators to
see historic and real-time reports of which applications are being used by which users.
Reports are completely customizable using intuitive filtering and drill-down capabilities.
Compared to the SonicOS 5.8 Visualization and Application Control features, SonicWALL
GMS provides the following additional reporting features:

More historic data than on firewall: Reporting on the firewall is done in-memory since most
firewalls do not have a hard drive. SonicWALL GMS can store months of data versus minutes or
hours of data on the firewall.

Aggregation of data across multiple devices: SonicWALL GMS allows administrators to view
application usage across multiple SonicWALL firewalls, not just one firewall.

Easy access to different devices: SonicWALL GMS allows administrators to switch a report from
one device to another with the click of a mouse.

Universal Dashboard: The Universal Dashboard serves as the first place an administrator visits
in SonicWALL GMS to find the information they need. The Universal Dashboard uses several
subordinate tabs. SonicWALL GMS 7.0 provides several pre-configured standard tabs, but the
administrator also has the ability to create their own subordinate tabs (subtabs). The primary
subtab is one that includes a geographic map that auto-sizes to the region in which all
SonicWALL devices are deployed. The status of each device, such as whether the device is up or
down, is shown by using different icons on the map. The remainder of the page includes widgets
pulling data from across the SonicWALL GMS application, including logging and monitoring data.
The data shown in each widget depends on the selection made in the geographic map. Using a
search bar, administrators can make complex appliance selections. All widgets are animated,
interactive, and intuitive.
SonicWALL GMS 6.0 SP2 includes several navigation tools to visually show what roles have been
assigned to what agents (SonicWALL GMS servers), and VPN monitoring tools to show what devices
are connected via VPN connections and which VPN tunnels are active. In SonicWALL GMS 7.0 these
navigation tools and VPN monitoring tools are removed and replaced with similar tools available
on the Universal Dashboard.

Universal Scheduled Reports: In SonicWALL GMS 6.0 SP2, reports can be scheduled to be created
and mailed to an email address, but there is not one place to do this centrally. SonicWALL GMS
7.0 has one place to schedule reports to be created and mailed out across multiple appliances
of various types. This approach takes much less time and is much more intuitive.
Scheduled reports can be saved as templates for future use. Several standard universal
scheduled report templates are included with SonicWALL GMS. Bundled universal scheduled report
templates include one to help with a compliance initiative for the Payment Card Industry Data
Security Standard (PCI DSS) and one to quickly visualize and report on application usage on
the network for a new firewall deployment.


NetMonitor Templates: NetMonitor is a key component of SonicWALL GMS 6.0 SP2. NetMonitor is a
very powerful feature to monitor SNMP-enabled devices. However, network administrators have to
fully understand the SNMP protocol to configure SonicWALL GMS to monitor a device. SonicWALL
GMS 7.0 adds pre-configured canned templates for SonicWALL devices to more quickly set up
devices for SNMP monitoring.

Next Generation Syslog Based Reporting: SonicWALL GMS next generation reporting provides the
following new enhancements:

Flexible and Granular Reporting: More optimized access to the underlying data also facilitates
quick drill down capabilities and near real-time monitoring of data as it comes in.

State of the Art User Interface: SonicWALL GMS 7.0 has a Flex-based Graphical User Interface
(GUI). A novel and intuitive interface layout with multiple filtering options forms the
front-end of a rich and interactive web-based application for data analysis.

Reports Consolidation: Simplicity is the ultimate sophistication. The inclusion of a smart set
of filters opens the door to a superior user experience. Administrators actually need a smaller
set of reports to start from than before. Starting with one of the base reports, any custom
report can be quickly generated by making the appropriate selections and saving the new custom
report as a template for future use.

User Centric Reporting: SonicWALL GMS now reports on all activity of a user. SonicWALL GMS 7.0
reports on user activity as logged by a single SonicWALL device. Upcoming release versions may
include user centric reporting across multiple devices of different types.

Per User Bandwidth Reporting: In SonicWALL GMS 6.0 SP2 bandwidth reporting was only given for
an appliance. SonicWALL GMS 7.0 introduces more granular bandwidth reporting down to the user
and application level.

More Granular Services Reporting: In SonicWALL GMS 6.0 SP2 the current services report only
lists well known services such as HTTP and FTP. In SonicWALL GMS 7.0 this list of services is
greatly expanded to not so well known services and custom services.

Client VPN Activity Reporting: A report detailing IPSec and SRA remote user sessions by user.

Narrative Descriptions of Reports: Detailed descriptions for each available report.

Bandwidth and Services Report per Interface: Detailed reports filtered by interfaces.

More Detailed Summary of Services over VPN Report: Detailed report of services over VPN
connections.


Rogue Wireless Access Point Reporting: SonicWALL GMS 7.0 includes a new rogue wireless access
point report. This is especially important to customers subject to the Payment Card Industry
(PCI) Data Security Standard (DSS) programs operated by the major payment brands.
As part of a PCI compliance initiative, a customer using wireless must be able to meet the
following requirement. PCI Requirement 11.1: Test for the presence of wireless access points
by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify
all wireless devices in use. The test procedure to satisfy this requirement is as follows:

Verify that a wireless analyzer is used at least quarterly, or that a wireless IDS/IPS is
implemented and configured to identify all wireless devices.

If a wireless IDS/IPS is implemented, verify the configuration to generate alerts to
personnel.

Verify the organization's Incident Response Plan (Requirement 12.9) includes a response in
the event unauthorized wireless devices are detected.

Using SonicWALL GMS 6.0 SP2, a customer can schedule a scan on an individual firewall.
However, it is not possible to set a scheduled task for a group of firewalls. SonicWALL GMS
7.0 adds the following functionality:

Schedule and perform a wireless IDS (WIDS) scan from SonicWALL GMS at the unit/group levels.

Ability to identify rogue behavior from ad-hoc or peer-to-peer networking between hosts (such
as turning a laptop into a wireless access point) and accidental associations for users
connecting to neighboring rogue networks. This has been provided using a combination of
user-driven on-demand reports and the new scheduled reports for rogue wireless access points
in SonicWALL GMS 7.0.

Schedule summarized reports from SonicWALL GMS at the unit/group level to be emailed out on a
periodic (daily/weekly/monthly) basis.

Reports are available in XML and PDF formats.

On-screen and scheduled reports include the following data: MAC address (BSSID), SSID,
channel (such as 1-11 for NA), manufacturer, and signal strength (helpful in locating the
rogue AP). The time and date of the scan is also given, which gives an indication of the
duration of the access points since discovery.
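As an added, constructed example (not SonicWALL GMS code, and not the report's actual XML schema), the following Python triages scan rows carrying the fields listed above against an inventory of sanctioned BSSIDs, flags an unknown AP that impersonates a sanctioned SSID as higher severity, derives the "duration since discovery" from the scan timestamps, and checks which managed units have no scan inside the quarterly window that Requirement 11.1 asks for. All record layouts, unit names, MAC addresses and timestamps are assumptions made up for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

QUARTER = timedelta(days=90)  # PCI DSS 11.1: scan at least quarterly (assumed as 90 days)


@dataclass(frozen=True)
class ScanRecord:
    """One row of a WIDS scan result; layout is an assumption, not the GMS schema."""
    unit: str             # managed firewall that ran the WIDS scan
    bssid: str            # MAC address (BSSID) of the detected access point
    ssid: str
    channel: int          # e.g. 1-11 in North America
    manufacturer: str
    signal_dbm: int       # signal strength, useful for physically locating the AP
    scanned_at: datetime  # time and date of the scan


# Constructed inventory of sanctioned access points, keyed by normalized BSSID.
AUTHORIZED = {
    "00:17:c5:aa:bb:01": "HQ-Corp",
    "00:17:c5:aa:bb:02": "HQ-Guest",
}


def norm_mac(mac: str) -> str:
    """Normalize a MAC so '00-17-C5-...' and '00:17:c5:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def find_rogues(records, authorized=AUTHORIZED):
    """Collapse scan rows into one finding per unauthorized BSSID.

    Tracks first/last sighting (duration since discovery), the best signal
    (for locating the AP), which units saw it, and raises severity when the
    AP broadcasts a sanctioned SSID, the evil-twin case users may join by accident.
    """
    sanctioned_ssids = set(authorized.values())
    findings = {}
    for r in records:
        mac = norm_mac(r.bssid)
        if mac in authorized:
            continue
        f = findings.setdefault(mac, {
            "ssid": r.ssid,
            "first_seen": r.scanned_at,
            "last_seen": r.scanned_at,
            "best_signal_dbm": r.signal_dbm,
            "seen_by": set(),
            "severity": "high" if r.ssid in sanctioned_ssids else "medium",
        })
        f["first_seen"] = min(f["first_seen"], r.scanned_at)
        f["last_seen"] = max(f["last_seen"], r.scanned_at)
        f["best_signal_dbm"] = max(f["best_signal_dbm"], r.signal_dbm)
        f["seen_by"].add(r.unit)
    return findings


def days_since_discovery(finding, now):
    """Whole days between the first sighting of a rogue AP and 'now'."""
    return (now - finding["first_seen"]).days


def stale_units(records, units, now, window=QUARTER):
    """Units whose most recent scan is older than the window (or that never scanned)."""
    last = {}
    for r in records:
        last[r.unit] = max(last.get(r.unit, r.scanned_at), r.scanned_at)
    return sorted(u for u in units if u not in last or now - last[u] > window)


# Constructed scan results, as a group-level scheduled scan might collect them.
NOW = datetime(2012, 6, 1, 9, 0)
SAMPLE = [
    ScanRecord("fw-hq-1", "00:17:C5:AA:BB:01", "HQ-Corp", 6, "SonicWALL", -40, NOW - timedelta(days=2)),
    ScanRecord("fw-hq-1", "a4:2b:8c:11:22:33", "HQ-Corp", 6, "Unknown", -55, NOW - timedelta(days=30)),
    ScanRecord("fw-hq-2", "A4-2B-8C-11-22-33", "HQ-Corp", 6, "Unknown", -48, NOW - timedelta(days=2)),
    ScanRecord("fw-hq-2", "f0:9f:c2:44:55:66", "linksys", 11, "Cisco-Linksys", -70, NOW - timedelta(days=2)),
    ScanRecord("fw-branch-3", "00:17:C5:AA:BB:02", "HQ-Guest", 1, "SonicWALL", -42, NOW - timedelta(days=120)),
]
UNITS = ["fw-hq-1", "fw-hq-2", "fw-branch-3"]


def triage(records=SAMPLE, units=UNITS, now=NOW):
    """Return (rogue findings keyed by BSSID, units overdue for a quarterly scan)."""
    return find_rogues(records), stale_units(records, units, now)


if __name__ == "__main__":
    rogues, overdue = triage()
    for mac, f in sorted(rogues.items()):
        print(f"{f['severity']:6} {mac} ssid={f['ssid']!r} best={f['best_signal_dbm']} dBm "
              f"seen_by={sorted(f['seen_by'])} discovered {days_since_discovery(f, NOW)} days ago")
    print("units overdue for quarterly scan:", overdue)
```

The "high" finding is the response-plan trigger Requirement 12.9 expects: an unknown radio advertising the corporate SSID, seen by two units, with the stronger signal pointing at where to look.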

Localization: All end-user facing reporting screens and some of the administrator management
screens of SonicWALL GMS 7.0 are localized in Japanese, simplified Chinese and traditional
Chinese. More specifically, the following screens are localized:
Reports tab screens
Universal Dashboard
Universal Scheduled Reports (including PDF reports)
NetMonitor
Console Panel
Windows Installer

Note

The Firewall/SRA/CDP/ES policy panels in SonicWALL GMS 7.0 are not localized.


SonicOS Support: SonicWALL GMS 7.0 includes SonicOS support up to version 5.8.0, including
IPS/Gateway Anti-Virus signature inheritance.

SRA SMB Support: SonicWALL GMS 7.0 expands support for SonicWALL SRA SMB devices with the
following functionality:
Backup of preference files
Web Application Firewall (WAF) reporting

Scaling SonicWALL GMS Deployments


SonicWALL GMS is designed to be highly scalable to support service providers and enterprise
customers with large numbers of SonicWALL appliances.
SonicWALL GMS offers a distributed management architecture, consisting of multiple servers,
multiple consoles and several agents. Each agent server can manage a number of SonicWALL
appliances. Additional capacity can be added to the management system by adding new agent
servers. This distributed architecture also provides redundancy and load balancing, assuring
reliable connections to the SonicWALL appliances under management.
In the distributed architecture, the console server provides the user a single interface to the
management system. Each agent server can manage a number of SonicWALL appliances,
depending on the SonicWALL GMS gateway that resides between the agent server and the
SonicWALL appliances and the amount of syslog traffic from the remotely managed appliances.

The SonicWALL GMS gateway that resides between a SonicWALL GMS agent server and
the SonicWALL appliances provides secure communications.

Each SonicWALL appliance can have a primary agent server and a standby server. Each
agent server can be a primary server for certain SonicWALL appliances and a standby
server for other SonicWALL appliances.

Configuration of and changes to the SonicWALL GMS and the SonicWALL appliances are
written to the database.

The users at the Admin Workstations can access the SonicWALL GMS console through a
Web browser (HTTP) from any location. The SonicWALL GMS console can also be
securely accessed using HTTPS.

The SonicWALL GMS console server can also be an agent server.


Deployment Requirements
Before installing SonicWALL GMS, review the following deployment requirements. SonicWALL
GMS can be hosted in three deployment scenarios as follows:

Microsoft Windows software

SonicWALL UMA appliance

VMware ESX/ESXi virtual appliance

This section includes the following subsections:

Operating System Requirements section on page 7

Database Requirements section on page 9

Java Requirements section on page 9

Browser Requirements section on page 9

SonicWALL Appliance and Firmware Support section on page 10

SonicWALL GMS Gateway Requirements section on page 11

Network Requirements section on page 12

SonicWALL GMS Internet Access through a Proxy Server section on page 12

Operating System Requirements


Microsoft Windows

SonicWALL GMS supports the following Microsoft Windows operating systems:

Windows Server 2003 32-bit and 64-bit (SP2)

Windows Server 2008 SBS R2 64-bit

Windows Server 2008 R2 Standard 32 bit and 64 bit

Note

In all instances, SonicWALL GMS runs as a 32-bit application. Bundled databases run in
64-bit mode on 64-bit Windows operating systems. All listed operating systems are supported
in both virtualized (VMware ESXi 4.1) and non-virtualized environments.
Hardware for Windows Server

x86 Environment: Minimum 3 GHz processor dual-core CPU Intel processor

4GB RAM

300 GB disk space

SonicWALL GMS Virtual Appliance

The elements of basic VMware structure must be implemented prior to deploying the
SonicWALL GMS Virtual Appliance. SonicWALL GMS Virtual Appliance runs on the following
VMware platforms:

ESXi 5.0

ESXi 4.0 Update 1 (Build 208167 and newer)

ESX 4.0 Update 1 (Build 208167 and newer)


Use the following client applications to import the image and configure the virtual settings:

VMware vSphere: Provides infrastructure and application services in a graphical user
interface for ESX/ESXi, included with ESX/ESXi. Allows you to specify Thin or Thick (Flat)
provisioning when deploying SonicWALL GMS Virtual Appliance.

VMware vCenter Server: Centrally manages multiple VMware ESX/ESXi environments. Provides
Thick provisioning when deploying SonicWALL GMS Virtual Appliance.

The following hardware resources are required for the SonicWALL GMS Virtual Appliance:

RAM: 3168 MB
This is the maximum amount of RAM supported by the SonicWALL GMS Virtual Appliance
operating system, SonicLinux (VM), which is a 32-bit OS. Additional RAM provided to the
SonicWALL GMS Virtual Appliance in the virtual environment will not be utilized. A smaller
amount of RAM can be configured, but is not recommended.

CPU: 2
This is the default number of CPUs provisioned in the SonicWALL GMS Virtual Appliance.
The minimum required number of CPUs is 1, and the maximum that the SonicWALL GMS
Virtual Appliance can use is 4.

Hard disk space:
For the 40 GB image: up to 40 GB on any datastore
For the 250 GB image: up to 250 GB on any datastore
For the 950 GB image: up to 950 GB on a datastore with either a 4 MB or 8 MB block size

When using Thick, or Flat, provisioning as the storage type option, the entire amount of disk
space is allocated when you import and deploy the SonicWALL GMS Virtual Appliance file.
When using Thin provisioning, the initial size is very small and will grow dynamically as more
disk space is needed by the SonicWALL GMS application, until the maximum size is reached.
Once allocated, the size will not shrink if the application space requirements are subsequently
reduced.
Additional disk space provided to SonicWALL GMS Virtual Appliance in the virtual environment,
beyond the respective limits of 250 GB or 950 GB, will not be utilized.
ESX/ESXi can be configured with datastores of varying block sizes. The 4 or 8 MB requirement
for the 950 GB deployment is because the block size determines the largest virtual disk that
can be deployed, as shown in the table:

Table 1  Block Size Effect on Virtual Disk Size

Block Size of Datastore    Largest Virtual Disk
1 MB                       256 GB
2 MB                       512 GB
4 MB                       1 TB
8 MB                       2 TB

Note

SonicWALL GMS management is not supported on Apple MacOS.


Database Requirements
The SonicWALL GMS release supports the following databases:

- Microsoft SQL Server 2000 (SP4)
- Microsoft SQL Server 2005 (SP1)
- Microsoft SQL Server 2008

Regarding MS SQL Server 2005, SonicWALL GMS supports:

- SQL Server 2005 Workgroup
- SQL Server 2005 Standard
- SQL Server 2005 Enterprise

SonicWALL GMS does not support MS SQL Server 2005 Express.

MySQL Requirements
SonicWALL GMS automatically installs MySQL as part of the base installation package.
Separately installed instances of MySQL are not supported with SonicWALL GMS 7.0; they
are supported with SonicWALL GMS 6.0 only.

Java Requirements
SonicWALL GMS services use Java SE 6 Update 23. SonicWALL GMS automatically
downloads the Java Plug-in 6.0 when accessing SonicWALL GMS. SonicWALL GMS uses
Tomcat 6.0.32.

Browser Requirements

- Microsoft Internet Explorer 8.0 or higher
- Mozilla Firefox 7.0 or higher
- Google Chrome 14.0 or higher


SonicWALL Appliance and Firmware Support


Table 2  Platforms and Firmware Versions

SonicWALL Platforms                SonicWALL Firmware Version

Firewall / Network Security
  SuperMassive series              SonicOS 6.0 or newer
                                   Note: Only partial policy management and reporting
                                   support is currently available. The following
                                   SuperMassive-specific features are not supported for
                                   centralized policy management in GMS 7.0:
                                     - Multi-blade CASS
                                     - High Availability/Clustering
                                     - Support for Management Interface
                                     - Flow Reporting Configurations
                                     - Multi-blade VPN
                                     - Advanced Switching
                                     - Restart: SonicOS versus Chassis
                                   Contact your SonicWALL Sales representative for
                                   more information.
  NSA series                       SonicOS 5.0 or newer
  TZ series                        SonicOS Enhanced 3.2 or newer
                                   SonicOS Standard 3.1 or newer
  PRO series                       SonicOS Enhanced 3.2 or newer
  CSM series                       SonicOS CF 2.0 or newer

Secure Remote Access
  SonicWALL SMB SRA series         SonicOS SSL-VPN 2.0 or newer (management)
                                   SonicOS SSL-VPN 2.1 or newer (reporting)
  SonicWALL Aventail EX-series     SonicWALL Aventail 9.0 or newer

Backup and Recovery
  SonicWALL CDP series             SonicWALL CDP 2.3 or newer (management)
                                   SonicWALL CDP 5.1 or newer (reporting)

Email Security / Anti-Spam
  SonicWALL Email Security series  SonicWALL Email Security 7.2 or newer
                                   (management only)

Note: Legacy SonicWALL XPRS/XPRS2, SonicWALL SOHO2, SonicWALL Tele2, and SonicWALL
Pro/Pro-VX models are not supported for SonicWALL GMS management. Appliances running
SonicWALL legacy firmware, including SonicOS Standard 1.x and SonicWALL legacy firmware
6.x.x.x, are not supported for SonicWALL GMS management.


Non-SonicWALL Appliance Support


SonicWALL GMS provides monitoring support for non-SonicWALL TCP/IP and SNMP-enabled
devices and applications.

SonicWALL GMS Gateway Requirements


A SonicWALL GMS gateway is a SonicWALL firewall appliance that allows for secure
communication between the SonicWALL GMS server and the managed appliance(s) using VPN
tunnels.
The SonicWALL GMS gateway must meet one of the following requirements:

- SonicWALL NSA Series network security appliance with minimum firmware version
  SonicOS 5.0
- SonicWALL PRO Series network security appliance with minimum firmware version
  SonicOS Enhanced 3.2
- SonicWALL VPN-based network security appliance

Note: The SonicWALL GMS gateway should be at minimum a SonicWALL NSA 2400 with
minimum firmware SonicOS 5.0, or a SonicWALL PRO 2040 with minimum firmware
SonicOS Enhanced 3.2.
There are three SonicWALL GMS management methods with different SonicWALL GMS
gateway requirements. When using HTTPS as the management method, it is optional to have
a SonicWALL GMS gateway between each SonicWALL GMS agent server and the managed
SonicWALL appliance(s). If you select Existing VPN tunnel, a gateway is optional. If you select
Management VPN tunnel, you must have a SonicWALL GMS gateway between the SonicWALL
GMS agent server and the managed SonicWALL appliance(s) to allow each SonicWALL GMS
agent server to securely communicate with its managed appliance(s). The following list
provides more detail on SonicWALL GMS management methods and gateway requirements:

- Management VPN tunnel: A SonicWALL GMS gateway is required. Each SonicWALL
  GMS agent server must have a dedicated gateway. The security association (SA) for this
  type of VPN tunnel must be configured in the managed SonicWALL appliance(s).
  SonicWALL GMS automatically creates the SA in the SonicWALL GMS gateway. For this
  configuration, the SonicWALL GMS gateway must be a SonicWALL VPN-based appliance.
  The SonicWALL GMS gateway can be configured in NAT-Enabled or transparent mode.
  The dedicated gateway is needed because of how the Scheduler works. When a unit is
  added to SonicWALL GMS with Management VPN as the method, the scheduler service
  logs into the gateway and creates the management tunnel. The scheduler service also
  periodically logs into its gateway and checks for management SAs; any SAs for units that
  the agent does not manage are deleted. If two agents shared a gateway, each would
  constantly delete the other agent's SAs.

- Existing VPN tunnel: A SonicWALL GMS gateway is optional. SonicWALL GMS can use
  VPN tunnels that already exist in the network to communicate with the managed
  appliance(s). For this configuration, the SonicWALL GMS gateway can be a SonicWALL
  VPN-based appliance or another VPN device that is interoperable with SonicWALL VPN.


- HTTPS: A SonicWALL GMS gateway is optional. SonicWALL GMS can use HTTPS
  management instead of a VPN tunnel to communicate with the managed appliance(s).
  However, the SonicWALL Aventail EX-Series SRA appliance allows HTTPS access only to
  its LAN port(s), and not to its WAN port(s). This means that when SonicWALL GMS is
  deployed outside of the Aventail LAN subnet(s), management traffic must be routed from
  SonicWALL GMS to a gateway that allows access into the LAN network, and from there be
  routed to the Aventail LAN port.

Network Requirements
To complete the SonicWALL GMS deployment process, the following network requirements
must be met:

- The SonicWALL GMS server must have access to the Internet
- The SonicWALL GMS server must have a static IP address
- The SonicWALL GMS server's network connection must be able to accommodate 1 KB/s
  for each device under management. For example, if SonicWALL GMS is monitoring 100
  SonicWALL appliances, the connection must support at least 100 KB/s.

Note: Depending on the configuration of SonicWALL log settings and the amount of traffic
handled by each device, the network traffic can vary dramatically. The 1 KB/s for each device
is a general recommendation. Your installation requirements may be different.

SonicWALL GMS Internet Access through a Proxy Server


If the SonicWALL GMS server cannot access the Internet directly and needs to go through a
proxy server, the following proxy entries are required in the sgmsConfig.xml file of the
SonicWALL GMS server:

<Parameter name="proxySet" value="1"/>
<Parameter name="proxyHost" value="10.0.30.62"/>
<Parameter name="proxyPort" value="3128"/>
<Parameter name="proxyUser" value="0A57CF01AB39ACF8863C8089321B9287"/>
<Parameter name="proxyPassword" value="EE80851182B4B962FC3E0EDF1F00275A"/>

The proxyUser and proxyPassword parameters are required only if the proxy server requires
authentication, in which case these values are TEAV encrypted. This configuration supports
both HTTP and HTTPS proxies, as long as the settings are identical for both.
To exempt certain hosts from the proxy configuration and allow them to be connected to
directly, add the following tag to sgmsConfig.xml:

<Parameter name="nonProxyHosts" value="*something.com|www.foo*|192.168.0.*"/>

The exact values of all of these parameters should be changed to the appropriate values for
your deployment. The asterisk symbol (*) is a wildcard that means any string. The pipe symbol
(|) is a delimiter for the hosts in the list.
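Before relying on a proxy configuration, a practitioner will want to check two things: that the five parameters are consistent (a proxyUser without a proxyPassword, or proxySet=1 without a usable port, is a misconfiguration), and exactly which hosts the nonProxyHosts wildcards exempt. The following Python script is an added example written for this edit, not SonicWALL code. It parses a constructed sgmsConfig.xml fragment (the <Configuration> root element is an assumption; only the Parameter entries come from the guide), validates the proxy entries, and reports whether a given host would be reached directly or through the proxy using the "*" wildcard and "|" delimiter semantics described above. It does not implement TEAV; the credential values are treated as opaque strings.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sgmsConfig.xml fragment. Assumption: the root element name; the
# <Parameter name=... value=.../> entries are the ones the guide shows.
SAMPLE_CONFIG = """<Configuration>
  <Parameter name="proxySet" value="1"/>
  <Parameter name="proxyHost" value="10.0.30.62"/>
  <Parameter name="proxyPort" value="3128"/>
  <Parameter name="proxyUser" value="0A57CF01AB39ACF8863C8089321B9287"/>
  <Parameter name="proxyPassword" value="EE80851182B4B962FC3E0EDF1F00275A"/>
  <Parameter name="nonProxyHosts" value="*something.com|www.foo*|192.168.0.*"/>
</Configuration>
"""


def load_parameters(xml_text):
    """Collect every <Parameter name=... value=.../> into a dict, wherever it sits in the tree."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value") for p in root.iter("Parameter")}


def proxy_settings(params):
    """Check the proxy entries for consistency.

    Returns None when proxySet is not "1" (direct Internet access); otherwise a dict with
    the proxy host/port, whether credentials are configured, and the bypass pattern list.
    Raises ValueError for an incomplete configuration.
    """
    if params.get("proxySet") != "1":
        return None
    host, port = params.get("proxyHost"), params.get("proxyPort")
    if not host or not port or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("proxySet=1 requires proxyHost and a numeric proxyPort in 1..65535")
    has_user, has_pw = "proxyUser" in params, "proxyPassword" in params
    if has_user != has_pw:
        raise ValueError("proxyUser and proxyPassword must be configured together")
    bypass = [p for p in params.get("nonProxyHosts", "").split("|") if p]
    return {"host": host, "port": int(port), "auth": has_user, "bypass": bypass}


def _wildcard_to_regex(pattern):
    """Translate one nonProxyHosts entry: '*' matches any string, everything else is literal."""
    parts = (re.escape(piece) for piece in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def bypasses_proxy(host, bypass_patterns):
    """True if the host matches any '|'-delimited nonProxyHosts entry."""
    return any(_wildcard_to_regex(p).match(host) for p in bypass_patterns)


def route_for(host, params):
    """Describe how GMS would reach 'host' under this configuration: 'direct' or 'proxy host:port'."""
    settings = proxy_settings(params)
    if settings is None or bypasses_proxy(host, settings["bypass"]):
        return "direct"
    return "proxy {}:{}".format(settings["host"], settings["port"])


if __name__ == "__main__":
    params = load_parameters(SAMPLE_CONFIG)
    for h in ("www.mysonicwall.com", "api.something.com", "192.168.0.7", "192.168.1.7"):
        print(h, "->", route_for(h, params))
```

Note that a pattern such as `*something.com` also matches `something.com` itself (the wildcard may match the empty string) but not `something.com.example.net`, because the pattern is anchored at both ends; run the script against your own nonProxyHosts value to confirm that internal addresses and the proxy itself are exempted as intended.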
To TEAV encrypt the string test, open a command prompt in the <gms-install>\bin directory
and type the following command:

..\jre\bin\java -cp . TEAV test

The following output displays:

input = [test]
Encrypted: 5F397A4552CC08F2A409A9297588F134
Decrypted: [test]

Because the same utility prints the decrypted value, TEAV encryption is reversible by anyone
who can run it on the GMS server: it protects the proxy credentials from casual viewing, not
from someone with access to the installation. Restrict filesystem access to sgmsConfig.xml
accordingly.

To edit the sgmsConfig.xml entries, perform the following steps:

Step 1  Login to the UMH system management interface:
        http://<sgms_ipaddress>:<portnumber>/appliance
Step 2  Navigate to the following URL:
        http://<sgms_ipaddress>:<portnumber>/appliance/techSupport.html
Step 3  Edit the sgmsConfig.xml file using the Configuration File editor.

Login to SonicWALL GMS


After registering your SonicWALL GMS product, to log in to the SonicWALL GMS
management interface, either double-click the SonicWALL GMS icon on your desktop or,
from a remote system, access the following URL from a web browser:
http://<sgms_ipaddress>:<portnumber>
The SonicWALL GMS login page appears by default in English. To change the language
setting, click your language of choice at the bottom of the login page. The available language
choices for SonicWALL GMS 7.0 include English, Japanese, Simplified Chinese, and Traditional
Chinese.

1. Enter the SonicWALL user ID (default: admin) and password (default: password). Select
   Local Domain as the domain (default).
2. Click Submit. The SonicWALL GMS management interface displays.

Change the default admin password as soon as you have logged in for the first time; the
default credentials are published in this guide.

Note: For more information on installation, login procedures, and registration of your
SonicWALL GMS installation, please refer to the appropriate Getting Started Guide, available
at: <http://www.sonicwall.com/us/support.html>

Navigating the SonicWALL GMS User Interface

The following sections describe the four major panels of the SonicWALL GMS UI:

- Dashboard Panel section on page 15
- Appliance Panels section on page 15
- Monitor Panel section on page 17
- Console Panel section on page 17

Dashboard Panel
The Dashboard is a tab intended to work as a customizable dashboard where you are able to
monitor the latest happenings with your SonicWALL GMS 7.0 deployment, your network, the IT
and Security World, as well as the rest of the world.
Upon initial login, you see a default Dashboard tab. You are able to further customize this page
by configuring and adding preferred components.

Appliance Panels
The appliance panels enable administrators to add, delete, configure and view various
SonicWALL appliance types managed by SonicWALL GMS. These panels include:

- Firewall Panel: Provides centralized management and reporting on compatible firewall
  appliances.
- SRA Panel: Provides centralized management and reporting on SonicWALL SRA and
  Aventail appliances.
- CDP Panel: Provides centralized management and reporting on SonicWALL Continuous
  Data Protection appliances.
- ES Panel: Provides centralized management of SonicWALL Email Security appliances.

Within the Firewall, SRA, and CDP panels are two sub-panels:

- Policies Panel section on page 16
- Reports Panel section on page 16

Policies Panel
The Policies Panel is used to configure SonicWALL appliances. From these pages, you can
apply settings to all SonicWALL appliances being managed by SonicWALL GMS, all
SonicWALL appliances within a group, or individual SonicWALL appliances.
To open the Policies Panel, click the Firewall, SRA, or CDP tab at the top of the SonicWALL
GMS UI and then click the Policies tab. The Policies Panel for that appliance type appears.

Reports Panel
The Reports Panel is an essential component of network security that is used to view and
schedule reports about critical network events and activity, such as security threats,
inappropriate Web use, and bandwidth levels.
To open the Reports Panel, click the Firewall, SRA, or CDP tab at the top of the SonicWALL
GMS UI and then click the Reports tab.

In the Reports Panel, you can simultaneously expand multiple screen groups, allowing you to
compare them. Use Control-click (Windows) to toggle the screen group to the expanded group,
without collapsing previously-opened screen groups.


Monitor Panel
The Monitor Panel is the administrators central tool for monitoring the status of any managed
TCP/IP and SNMP capable devices and applications. The SonicWALL GMS Monitor panel
provides power and flexibility to help you manage availability of network devices, creating
custom threshold-based realtime monitor alerts and emailing or archiving network status
reports based on your specifications.
To access the Monitoring features, click the Monitor tab at the top of the SonicWALL GMS UI.

Console Panel
The Console Panel is used to configure SonicWALL GMS settings, view pending tasks,
manage licenses, and configure system wide granular event management settings.
To open the Console Panel, click the Console tab at the top of the SonicWALL GMS UI.

Understanding SonicWALL GMS Icons


This section describes the meaning of icons that appear next to managed appliances listed in
the left pane of the SonicWALL GMS management interface.

Status icon: Description

- One blue box: The appliance is operating normally. The appliance is accessible from
  SonicWALL GMS, and no tasks are pending or scheduled.
- Two blue boxes: Appliances in a group are operating normally. All appliances in the
  group are accessible from SonicWALL GMS and no tasks are pending or scheduled.
- Three blue boxes: All appliances in the global group of this type (Firewall/SRA/CDP)
  are operating normally. All appliances of this type are accessible from SonicWALL GMS
  and no tasks are pending or scheduled.
- One blue box with a lightning flash: One or more tasks are pending or running on the
  appliance.
- Two blue boxes with a lightning flash: Tasks are currently pending or running on one or
  more appliances within the group.
- Two blue boxes with a clock: Tasks are currently scheduled to execute at a future time
  on one or more appliances within the group.
- One blue box with a clock: One or more tasks are scheduled on the appliance.
- One yellow box: The appliance has been added to SonicWALL GMS management
  (provisioned), but not yet acquired.
- Two yellow boxes: One or more appliances in the group have been added to
  SonicWALL GMS management, but not acquired.
- Three yellow boxes: One or more of the global group of appliances of this type
  (Firewall/SRA/CDP) have been added to SonicWALL GMS management, but not acquired.
- One yellow box with a lightning flash: One or more tasks are pending on the
  provisioned appliance.
- Two yellow boxes with a lightning flash: Tasks are pending on one or more provisioned
  appliances within the group.
- One red box: The appliance is no longer sending heartbeats to SonicWALL GMS.
- Two red boxes: One or more appliances in the group are no longer sending heartbeats to
  SonicWALL GMS.
- Three red boxes: One or more of the global group of appliances of this type
  (Firewall/SRA/CDP) are no longer sending heartbeats to SonicWALL GMS.
- Two red boxes with a lightning flash: One or more appliances in the group are no longer
  sending heartbeats to SonicWALL GMS and have one or more tasks pending.
- One red box with a lightning flash: The appliance is no longer sending heartbeats to
  SonicWALL GMS and has one or more tasks pending.

Using the SonicWALL GMS TreeControl Menu


This section describes the content of the TreeControl menu within the SonicWALL GMS
management interface. The TreeControl menu view and update permissions can be configured
for multiple SonicWALL GMS user types. SonicWALL GMS provides granular screen
permissions to enable or disable all TreeControl menu screens for the Policies, Reports,
Monitor, and Console panels. For more information on configuring SonicWALL GMS user
screen, unit, or action permissions, refer to the Configuring Unit, View, and Other Permissions
section on page 791.
You can control the display of the TreeControl pane by selecting one of the appliance tabs at
the top. For example, when you click the Firewall tab, the TreeControl pane displays all the
managed firewall units. You can display any of the following appliance types when SonicWALL
GMS is managing all of these device types:

Firewall

SRA

CDP

ES

You can hide the entire TreeControl pane by clicking the sideways arrow icon, and re-display
the pane by clicking it again. This is helpful when viewing some reports or other extra-wide
screens, especially on the Monitor or Console panel.

To open a TreeControl menu, right-click the View All icon, a Group icon, or a Unit icon.

The following options are available in the right-click menu:

- Find: Opens a Find dialog box that allows you to search for groups or units.
- Refresh: Refreshes the SonicWALL GMS UI display.
- Rename Unit (unit node only): Renames the selected SonicWALL appliance.
- Add Unit: Adds a new unit to the SonicWALL GMS management view. Requires unit IP and
  login information.
- Modify Unit (unit node only): Changes basic settings for the selected unit, including unit
  name, IP and login information, serial number, management port and
  encryption/authentication keys.
- Delete: Deletes the selected unit, with the option to delete interconnected SAs or to delete
  from NetMonitor.
- Add to NetMonitor: Adds an existing unit to NetMonitor.
- Import XML: Imports an edited XML file to replace the current TreeControl navigation view.
- Login to Unit (unit node only): Logs in to the selected unit using HTTP or HTTPS.
- Modify Properties: Displays the properties for the selected SonicWALL appliance.
- Manage Views: Opens a dialog box where you can create, delete, or modify a view.
- Change View: Selects pre-set or user-created views. Views are created in the Manage
  Views window (see above).
- Reassign Agents: Opens a dialog box where you can change the IP address of the
  primary and standby schedulers and the type of VPN tunnel (management versus
  site-to-site) used between SonicWALL GMS and the managed SonicWALL appliances.

Configuring SonicWALL GMS View Options

The SonicWALL GMS UI is a robust and powerful tool you can use to apply settings to all
SonicWALL appliances being managed by SonicWALL GMS, all appliances or devices within a
group, or individual appliances or devices simply by selecting the Global, Group, or Unit node
within the SonicWALL GMS UI. The SonicWALL GMS UI supports up to seven levels of
hierarchical depth per view.

Note: Views are only available in the Policies and Reports Panels. Changing views does not
affect the Console or Monitor Panels.

This section describes each view and what to consider when making changes:

- Group Node section on page 21
- Unit Node section on page 22
- Creating SonicWALL GMS Fields and Dynamic Views section on page 23

Group Node
From the Group node of the Policies panel, changes you make are applied to all SonicWALL
appliances within the group. The Global node is the top view that contains all appliances.
To open the Group node, click a group icon in the left pane of the SonicWALL GMS UI. The
Group Status page appears. The Group Node Status page contains a list of statistics for all
SonicWALL appliances within the group.

As you move through the SonicWALL GMS UI with the Group node selected and make
changes, those changes are broken down into configuration tasks and applied to each
subgroup and each SonicWALL appliance within the group.
As SonicWALL GMS processes the tasks, some SonicWALL appliances may be down or
offline. When this occurs, SonicWALL GMS spools the task and reattempts the update later.
Depending on the page that you are configuring, the SonicWALL appliance(s) may
automatically restart. We recommend scheduling the tasks to run when network activity is low.
To determine if a change requires restarting, refer to the configuration instructions for that task.
Making group changes through the SonicWALL GMS UI enables you to save time by instituting
changes that affect all SonicWALL appliances within the group through a single operation.
Although this is very convenient, some changes can have unintended consequences. Be
careful when making changes on a group or global level.


Unit Node
From the Unit node of the Policies panel, changes you make are only applied to the selected
SonicWALL appliance. To open the Unit node, click a SonicWALL appliance in the left pane of
the SonicWALL GMS UI. The Status page for the SonicWALL appliance appears.

From the Unit node on the Reports Panel, you can generate real-time and historical reports for
the selected SonicWALL appliance.
As you navigate the SonicWALL GMS UI, you can generate graphical reports and view detailed
log data for the selected SonicWALL appliance. For more information, refer to the Reports
Panel section on page 16.
As you navigate the SonicWALL GMS UI with a single SonicWALL appliance selected and
make changes, those changes are broken down into configuration tasks and sent to the
selected SonicWALL appliance.
As SonicWALL GMS processes the tasks, the SonicWALL appliance may be down or offline.
When this occurs, SonicWALL GMS spools the task and reattempts the update later.

Note: Depending on the page that you are configuring, the SonicWALL appliance may
automatically restart. We recommend scheduling the tasks to run when network activity is
low. To determine if a change requires restarting, refer to the configuration instructions for
that task.

Unit Node Status Page


The Unit Node Status page contains a list of statistics for the selected SonicWALL appliance:

- SonicWALL Model: specifies the model of the SonicWALL appliance. If the unit is not
  registered, Not Registered appears instead of a model number.
- Serial Number: specifies the serial number of the SonicWALL appliance.
- Number of LAN IPs allowed: specifies the number of IP addresses that are allowed on
  the LAN.
- DMZ Port: specifies whether the SonicWALL appliance has a DMZ port.
- CPU: specifies the CPU used in the SonicWALL appliance.
- VPN Upgrade: specifies whether the SonicWALL is licensed for a VPN upgrade.
- VPN Clients: specifies whether the SonicWALL is licensed for VPN Clients.
- Firmware Version: specifies the version of the firmware installed on the SonicWALL
  appliance.
- Content Filter Subscription List/Service: specifies whether the SonicWALL appliance is
  licensed for a Content Filter List subscription.
- Anti-Virus Subscription: specifies whether the SonicWALL appliance has an anti-virus
  subscription.
- Extended Warranty: specifies whether the SonicWALL appliance has an extended
  warranty.
- SonicWALL Status: specifies the operational status of the SonicWALL appliance.
- Tasks Pending: specifies whether the SonicWALL appliance has any pending tasks.
- Agent Assigned: specifies the IP address of the SonicWALL GMS agent server that is the
  primary agent managing the SonicWALL appliance.
- Standby Agent: specifies the IP address of the peer SonicWALL GMS server that acts as
  the backup agent for this SonicWALL appliance. If the primary agent fails, this
  SonicWALL GMS server begins managing the appliance.
- Managed using Management Tunnel: specifies if the SonicWALL appliance is being
  managed by SonicWALL GMS using the management VPN tunnel.
- Fetch Uptime: the Uptime parameter indicates how long the SonicWALL has been
  running since the last time it was powered up or restarted. To display the current uptime
  setting at the unit level for the selected SonicWALL, click Fetch Uptime.

Creating SonicWALL GMS Fields and Dynamic Views


The SonicWALL GMS uses an innovative method for organizing SonicWALL appliances.
SonicWALL appliances are not forced into specific, limited, rigid hierarchies. You can simply
create a set of fields that define criteria (such as, country, city, state) which separate
SonicWALL appliances. Then, create and use dynamic views to display and sort appliances on
the fly. For information about organizing SonicWALL appliances, see the following sections:

About Default SonicWALL Fields section on page 24

Creating Custom Fields section on page 25

Understanding Dynamic Views section on page 26

Configuring Dynamic Views section on page 27

Changing Views section on page 28


About Default SonicWALL Fields


SonicWALL GMS includes standard fields that can be used to sort SonicWALL appliances
based on their model, their firmware version, and other criteria. Default SonicWALL GMS fields
include the following:

- AV Enforcement: places the SonicWALL appliances into two groups: appliances that
  have anti-virus (AV) subscriptions and appliances that do not.
- AV Status: places the SonicWALL appliances into different groups based on their status.
- CFS Status: places the SonicWALL appliances into two groups: appliances that have
  content filtering service (CFS) subscriptions and appliances that do not.
- Dialup Mode: performs grouping based on whether an appliance has switched to dialup
  mode for Internet access.
- Firmware: creates a group for each firmware version and places each SonicWALL
  appliance into its corresponding group.
- Management: performs grouping based on whether appliances are managed by HTTPS
  Management mode, SonicWALL GMS Management Tunnel mode, or Existing/LAN mode.
- Model: creates a group for each SonicWALL model and places each SonicWALL
  appliance into its corresponding group.
- Network Type: creates a group for each network type and places each SonicWALL
  appliance into its corresponding group. These include:
    Standard
    NAT with DHCP Client
    NAT with PPPoE Client
    NAT with L2TP Client
    NAT with PPTP Client
    NAT Enabled
    Unknown
- Nodes: creates a group for each node range and places each SonicWALL appliance into
  its corresponding group.
- Registered: places the SonicWALL appliances into two groups: appliances that are
  registered and appliances that are not.
- Scheduler: creates a group for each scheduler agent and places each SonicWALL
  appliance into its corresponding group.
- UnitStatus: performs grouping based on the Up/Down/Provisioned status of appliances.
- VPN Present: places the SonicWALL appliances into two groups: appliances that have
  VPN and appliances that do not.
- Warranty Status: places the SonicWALL appliances into two groups: appliances that have
  current warranties and appliances that do not.


Creating Custom Fields


When first configuring SonicWALL GMS, you can create custom fields that you can use to
organize managed appliances. SonicWALL GMS supports up to ten custom fields.

Note: Although SonicWALL GMS supports up to ten custom fields, only seven fields can be
used to sort SonicWALL appliances in any view.

The following are examples of custom fields that you can use:

- Geographic: useful for organizing SonicWALL appliances by location. Especially useful
  when used in combination with other grouping methods. Geographic fields may include:
    Country
    Time Zone
    Region
    City
- Customer-based: useful for organizations that are providing managed security services
  for multiple customers. Customer-based fields may include:
    Company
    Division
    Department
- Configuration-based: useful when SonicWALL appliances have very different
  configurations (such as Filtering, No Filtering, Pornography Filtering, Violence Filtering, or
  VPN).
- User-type: different service offerings can be made available to different user types. For
  example, engineering, sales, and customer service users can have very different
  configuration requirements. Or, if offered as a service to end users, you can allow or
  disallow network address translation (NAT) depending on the number of IP addresses that
  you want to make available.

SonicWALL GMS is pre-configured with four custom fields: Country, Company, Department,
and State. These fields can be modified or deleted. To add fields, follow these steps:

1. Click the Console tab, expand the Management tree and click Custom Groups.
2. Right-click Custom Groupings in the right pane.
3. Select Add Category from the pop-up menu.
4. Enter the name of the group in the Category Name field.

   Note: Category names can only contain alphanumeric characters. Special characters
   and/or spaces are not accepted.

5. Enter the default value for the group in the Default Value field.
6. Click Ok. You can create up to ten fields.

Note: Although the fields appear to be in a hierarchical form, this has no effect on how the
fields appear within a view.

To modify or delete fields, right-click any of the existing fields and select Properties or Delete
Category, respectively, from the pop-up menu.

Understanding Dynamic Views


After creating custom fields and reviewing the SonicWALL GMS fields, SonicWALL GMS
administrators can set up views to dynamically filter the SonicWALL security appliances that
are displayed in the SonicWALL GMS user interface based on fields.

Note: Each view can filter for a maximum of seven fields.


Some views can include the following:

Standard Geographic Views


When the number of SonicWALL appliances managed by SonicWALL GMS becomes large,
you can divide the appliances geographically among SonicWALL administrators.
For example, if one administrator is responsible for each time zone in the United States,
you can choose the following grouping methods:
Administrator 1: Country: USA, Time Zone: Pacific, State, City.
Administrator 2: Country: USA, Time Zone: Mountain, State, City.
Administrator 3: Country: USA, Time Zone: Central, State, City.
Administrator 4: Country: USA, Time Zone: Eastern, State, City.

Firmware Views
To ensure that all SonicWALL appliances are using the current firmware, you can create a
view to check and update firmware versions and batch process firmware upgrades when
network activity is low.
For example, if you want to update all SonicWALL appliances to the latest firmware at 2:00
A.M., you can use the following grouping method:
Firmware Version, Time Zone

If you want to update SonicWALL appliances only for companies that have agreed to the
upgrade and you want the upgrades to take place at 2:00 A.M., you can use the following
grouping method:
Company, Firmware Version, Time Zone


Registration Views
To ensure that all SonicWALL appliances are registered, you can create a registration view
and check it periodically. To create a registration view, you can use the following grouping
method:
Registration Status, any other grouping fields

Upgrade Views
You can create views that contain information on which upgrades customers do not have
and forward this information to the Sales Department.
For example, you can choose the following grouping methods:
Content Filter List, Company, Division, Department
Anti-Virus, Company, Division, Department
Warranty Status, Company, Division, Department

Configuring Dynamic Views

To create a view, follow these steps:

1. Right-click anywhere in the left pane of the SonicWALL GMS window and select Manage
   Views from the pop-up menu. The Edit View page appears.
2. Type a descriptive name for the new view in the View Name field.
3. To make this view available to non-administrators, select Visible to Non-Administrators.
4. To add a view category, click Add Level. View categories are used to filter SonicWALL
   appliances in your view. The Group Categories column contains categories that are a
   combination of custom fields and SonicWALL GMS fields.
5. To change the Group Category field, select the desired field from the pull-down list. For a
   list of SonicWALL GMS fields and their meanings, refer to the About Default SonicWALL
   Fields section on page 24.
6. Choose an Operator to apply to the value for this view:
   - equals (default value)
   - starts with
   - ends with
   - contains
   - does not equal
   - does not contain
7. Type a value for the category in the Value column.
8. You can add up to seven categories or levels.
9. To delete a view category, select the level and click Delete Level.
10. When you are finished configuring this view, click Modify View.
11. When you are finished, click Done.
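As an added illustration of how the levels, operators, and grouping methods described above combine, the following Python script (written for this guide, not SonicWALL code) filters a constructed inventory with a view's levels and then arranges the matching units into the tree the left pane would display. The unit records, the unit names and field values, and the case-insensitive comparison are assumptions; the six operators and the seven-level limit are the ones the Edit View page offers.

```python
"""Dynamic-view filtering and grouping, as an added illustration (not GMS code).
The six operators and the seven-level limit come from the guide; the sample
inventory and the case-insensitive comparison are assumptions."""
from typing import Callable, Dict, List, Tuple

Unit = Dict[str, str]
Level = Tuple[str, str, str]          # (group category, operator, value)

# The six operators offered on the Edit View page. Comparing case-insensitively
# is an assumption made here for readability; the guide does not specify.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals":           lambda actual, wanted: actual == wanted,
    "starts with":      lambda actual, wanted: actual.startswith(wanted),
    "ends with":        lambda actual, wanted: actual.endswith(wanted),
    "contains":         lambda actual, wanted: wanted in actual,
    "does not equal":   lambda actual, wanted: actual != wanted,
    "does not contain": lambda actual, wanted: wanted not in actual,
}
MAX_LEVELS = 7   # a view may have at most seven categories (levels)


def validate_levels(levels: List[Level]) -> None:
    """Reject views the Edit View page would not accept."""
    if not 1 <= len(levels) <= MAX_LEVELS:
        raise ValueError(f"a view needs 1..{MAX_LEVELS} levels, got {len(levels)}")
    for category, operator, _ in levels:
        if operator not in OPERATORS:
            raise ValueError(f"unknown operator {operator!r} on level {category!r}")


def view_is_valid(levels: List[Level]) -> bool:
    try:
        validate_levels(levels)
        return True
    except ValueError:
        return False


def unit_matches(unit: Unit, levels: List[Level]) -> bool:
    """A unit is shown only if every level's filter holds (levels are ANDed)."""
    for category, operator, wanted in levels:
        actual = unit.get(category, "")          # a missing field behaves as empty
        if not OPERATORS[operator](actual.lower(), wanted.lower()):
            return False
    return True


def apply_view(units: List[Unit], levels: List[Level]) -> List[Unit]:
    validate_levels(levels)
    return [u for u in units if unit_matches(u, levels)]


def group_by_levels(units: List[Unit], levels: List[Level]) -> Dict[Tuple[str, ...], List[str]]:
    """Arrange the filtered units into the tree the left pane would show: the key
    is the unit's value for each level's category, in level order."""
    tree: Dict[Tuple[str, ...], List[str]] = {}
    for unit in apply_view(units, levels):
        key = tuple(unit.get(category, "Unknown") for category, _, _ in levels)
        tree.setdefault(key, []).append(unit["Unit Name"])
    return tree


# Constructed sample inventory; names, companies and versions are made up.
UNITS: List[Unit] = [
    {"Unit Name": "sf-fw-1", "Country": "USA", "Time Zone": "Pacific",
     "Firmware Version": "5.8.1", "Registration Status": "Registered", "Company": "Acme"},
    {"Unit Name": "den-fw-1", "Country": "USA", "Time Zone": "Mountain",
     "Firmware Version": "5.9.0", "Registration Status": "Registered", "Company": "Acme"},
    {"Unit Name": "chi-fw-1", "Country": "USA", "Time Zone": "Central",
     "Firmware Version": "5.8.1", "Registration Status": "Not Registered", "Company": "Globex"},
    {"Unit Name": "lon-fw-1", "Country": "UK", "Time Zone": "GMT",
     "Firmware Version": "5.8.1", "Registration Status": "Registered", "Company": "Globex"},
]

# The "Firmware Views" grouping (Firmware Version, Time Zone): every unit not yet on
# 5.9.0, grouped by time zone so each zone's batch can run at 2:00 A.M. local time.
# An empty "contains" value matches everything, so the level only groups.
FIRMWARE_VIEW: List[Level] = [
    ("Firmware Version", "does not equal", "5.9.0"),
    ("Time Zone", "contains", ""),
]

# The "Registration Views" grouping: unregistered units, then by country.
REGISTRATION_VIEW: List[Level] = [
    ("Registration Status", "starts with", "Not"),
    ("Country", "contains", ""),
]

if __name__ == "__main__":
    for name, view in (("firmware", FIRMWARE_VIEW), ("registration", REGISTRATION_VIEW)):
        print(name)
        for key, names in sorted(group_by_levels(UNITS, view).items()):
            print("  " + " / ".join(key) + ": " + ", ".join(names))
```

Running the script prints, for each view, one tree branch per distinct combination of level values with the unit names under it; a level whose value is left empty with the contains operator keeps that category in the tree without excluding any unit.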

Changing Views

To change views from within the SonicWALL GMS UI, follow these steps:

1. Right-click anywhere in the left pane of the SonicWALL GMS window and select Change
   View from the pop-up menu. The Change View dialog box appears.
2. Select a view and click OK. The SonicWALL GMS UI displays only the SonicWALL
   appliances that meet the requirements of the filters defined in the view.

Getting Help

In addition to this manual, SonicWALL GMS provides on-line help resources. To get help, follow
these steps:

1. Navigate to the page where you need help.
2. Click the Question Mark (?) in the upper right-hand corner of the window. Help for the
   selected page appears.

Tips and Tutorials

Tips and tutorials are also available in some sections of the user interface, and are denoted by
a Lightbulb icon.

To access tips and tutorials:

1. Navigate to the page where you need help.
2. If available, click the Lightbulb icon in the upper right-hand corner of the window. Tips,
   tutorials, and online help are displayed for this topic.


CHAPTER 2
Adding SonicWALL Appliances and
Performing Basic Management Tasks
This chapter describes how to add SonicWALL appliances to SonicWALL GMS, register
appliances, and modify management properties. It also provides an introduction to basic
appliance management tasks that can be performed through SonicWALL GMS. This chapter
contains the following sections:

- Adding SonicWALL Appliances to SonicWALL GMS section on page 31
- Registering SonicWALL Appliances section on page 36
- Modifying Management Properties section on page 37
- Deleting SonicWALL Appliances from GMS section on page 39
- Performing Basic Appliance Management section on page 40

Adding SonicWALL Appliances to SonicWALL GMS

SonicWALL GMS can communicate with SonicWALL appliances through management VPN
tunnels, HTTPS, or directly over VPN tunnels that already exist between the SonicWALL
appliances and the GMS gateway. When using HTTPS to access a SonicWALL Aventail SRA
appliance, GMS must connect to the LAN port of the Aventail appliance. When SonicWALL GMS
is deployed outside of the Aventail LAN subnet, management traffic must be routed from GMS
to a gateway that allows access into the LAN network, and from there be routed to the Aventail
LAN port.
The following sections describe two methods for adding SonicWALL appliances to GMS:

- Adding SonicWALL Appliances Manually section on page 32
- Importing SonicWALL Appliances section on page 35

Adding SonicWALL Appliances Manually

To manually add a SonicWALL appliance using the SonicWALL GMS management interface,
follow these steps:

1. Click the appliance tab that corresponds to the type of appliance that you want to add:
   Firewall, SRA, CDP, or Email Security.
2. Expand the SonicWALL GMS tree and select the group to which you will add the
   SonicWALL appliance. Then, right-click the group and select Add Unit from the pop-up
   menu. To not specify a group, right-click an open area in the left pane (TreeControl pane)
   of the SonicWALL GMS management interface and select Add Unit. The Add Unit dialog
   box appears.
3. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.
   Do not enter the single quote character (') in the Unit Name field.
4. If applicable, choose a Domain to add this appliance to from the Domain pull-down list.

   Note: Domain selection is only available to the admin of the LocalDomain. Individual domain
   admins are only able to add an appliance to their respective domains.

5. Enter the serial number of the SonicWALL appliance in the Serial Number field. On
   SonicWALL Aventail appliances, the serial number is found on a sticker on the back of the
   appliance. Enter it without hyphens into the field.
6. For the Managed Address, choose whether to Determine automatically or Specify
   manually. Most deployments will be able to determine the address automatically.
7. Enter the administrator login name for the SonicWALL appliance in the Login Name field.
   For SonicWALL Aventail SRA appliances, the login name is pre-configured as GMS and
   cannot be changed.
8. Enter the password used to access the SonicWALL appliance in the Password field.
9. For Management Mode, select from the following:
   - If the SonicWALL appliance will be managed through an existing VPN tunnel or over a
     private network, select Using Existing Tunnel or LAN.
   - If the SonicWALL appliance will be managed through a dedicated management VPN
     tunnel, select Using Management VPN Tunnel (default).
   - If the SonicWALL appliance will be managed over HTTPS, select Using HTTPS.
10. Enter the IP address of the managed appliance in the IP Address field.
11. Enter the port used to administer the SonicWALL appliance in the HTTP(S) Port field
    (default ports are HTTP: 80; HTTPS: 443).
    For SonicWALL Aventail appliance management, use HTTPS port 8443.
12. For VPN tunnel management, enter a 16-character encryption key in the SA Encryption
    Key field. The key must be exactly 16 characters long and composed of hexadecimal
    characters. Valid hexadecimal characters are 0 to 9 and a to f (i.e., 0, 1, 2, 3, 4, 5,
    6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.

    Note: This key must match the encryption key of the SonicWALL appliance. You can set the key
    on the appliance by logging directly into it.

13. For VPN tunnel management, enter a 32-character authentication key in the SA
    Authentication Key field. The key must be exactly 32 characters long and composed of
    hexadecimal characters. For example, a valid key would be
    1234567890abcdef1234567890abcdef.

    Note: This key must match the authentication key of the SonicWALL appliance.

14. If the SonicWALL appliance uses the Anti-Virus feature, enter the Anti-Virus password.
    Otherwise, leave the field blank.
15. Select the IP address of the SonicWALL GMS agent server that will manage the
    SonicWALL appliance from the Agent IP Address list box:
    - If SonicWALL GMS is configured in a multi-tier distributed environment, you must select
      the SonicWALL GMS Agent whose IP address matches the IP address that you
      specified when configuring the SonicWALL appliance for SonicWALL GMS
      management.
    - If SonicWALL GMS is in a single-server environment, the IP address of the
      SonicWALL GMS agent server already appears in the field.
16. If SonicWALL GMS is configured in a multi-tier distributed environment, enter the IP
    address of the backup SonicWALL GMS server in the Standby Agent IP field. The backup
    server will automatically manage the SonicWALL appliance in the event of a primary server
    failure. Any Agent can be configured as the backup.

    Note: If SonicWALL GMS is deployed in a single server environment, leave this field blank.

17. To add the appliance to Net Monitor, select the Add this unit to Net Monitor checkbox.
18. Click Properties. The Unit Properties dialog box appears.
19. This dialog box displays the category fields to which the SonicWALL appliance belongs. To
    change any of the values, select a new value from the pull-down list. When you are finished,
    click OK. You are returned to the Add Unit dialog box.
20. Click OK. The User Privileges dialog box displays.
21. Select the user group or individual users to which read-write privileges should be assigned.
    Keep in mind that admins always maintain read-write privileges, regardless of your
    selection here.
22. Click OK. The new SonicWALL appliance appears in the SonicWALL GMS management
    interface. It will have a yellow icon that indicates it has not yet been successfully acquired.
    SonicWALL GMS will then attempt to establish a management VPN tunnel, set up an
    HTTPS connection, or use the existing site-to-site VPN tunnel to access the appliance.
    GMS then reads the appliance configuration and acquires the SonicWALL appliance for
    management. This will take a few minutes.

    Note: After the SonicWALL appliance is successfully acquired, its icon turns blue, its configuration
    settings are displayed at the unit level, and its settings are saved to the database. A text
    version of this configuration file is also saved in the file <gms_directory>/etc/Prefs. In
    a multi-tier distributed environment, both the primary and secondary SonicWALL GMS
    Agents must be configured to use the same management method.
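As an added example for steps 12 and 13 above (not SonicWALL code), the following Python checks an SA key against the length and hexadecimal-character rules the guide states and draws fresh keys from the operating system's CSPRNG, so that the values entered in GMS and configured on the appliance are not hand-typed or copied from the sample keys printed above. The function names and the placeholder check are this example's own.

```python
"""Added example for steps 12 and 13: check and generate SA keys.
Not SonicWALL code. The length and character rules come from the guide;
the function names and the placeholder check are this example's own."""
import re
import secrets
from typing import Optional

ENCRYPTION_KEY_LEN = 16      # SA Encryption Key: exactly 16 hexadecimal characters
AUTHENTICATION_KEY_LEN = 32  # SA Authentication Key: exactly 32 hexadecimal characters
HEX_CHARS = re.compile(r"^[0-9a-f]+$")   # the guide lists 0-9 and a-f as valid

# Sample values printed in the guide; they illustrate the format and are not keys to deploy.
DOC_SAMPLE_KEYS = {"1234567890abcdef", "1234567890abcdef1234567890abcdef"}


def key_problem(key: str, expected_len: int) -> Optional[str]:
    """Return None if the key passes the guide's rules, else a reason it does not."""
    if len(key) != expected_len:
        return f"key must be exactly {expected_len} characters long, got {len(key)}"
    if not HEX_CHARS.match(key):
        return "key may contain only the hexadecimal characters 0-9 and a-f"
    return None


def is_valid_encryption_key(key: str) -> bool:
    return key_problem(key, ENCRYPTION_KEY_LEN) is None


def is_valid_authentication_key(key: str) -> bool:
    return key_problem(key, AUTHENTICATION_KEY_LEN) is None


def looks_like_placeholder(key: str) -> bool:
    """Flag keys copied from the guide or made of one repeated character:
    both pass the format rules but carry no secrecy."""
    return key in DOC_SAMPLE_KEYS or len(set(key)) == 1


def generate_key(hex_chars: int) -> str:
    """Each hexadecimal character encodes 4 bits, so token_hex(n) yields 2n
    characters: 16 characters is a 64-bit key, 32 characters a 128-bit key."""
    return secrets.token_hex(hex_chars // 2)


def generate_sa_keys() -> dict:
    """Produce a matching pair to enter in GMS and to configure on the appliance."""
    return {
        "SA Encryption Key": generate_key(ENCRYPTION_KEY_LEN),
        "SA Authentication Key": generate_key(AUTHENTICATION_KEY_LEN),
    }


if __name__ == "__main__":
    keys = generate_sa_keys()
    for field, value in keys.items():
        assert key_problem(value, len(value)) is None and not looks_like_placeholder(value)
        print(f"{field}: {value}")
```

The check is deliberately strict about lowercase a to f because that is the character set the guide lists; enter the generated values exactly as printed in both the GMS Add Unit dialog and the appliance, since the two sides must match.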

Importing SonicWALL Appliances

To reduce the amount of information that you have to manually enter when adding SonicWALL
appliances, GMS enables you to import the saved prefs file of a SonicWALL appliance. To add
a SonicWALL appliance to the SonicWALL GMS UI using the import option, follow these steps:

1. Right-click in the left pane of the SonicWALL GMS UI and select Add Unit from the pop-up
   menu. The Add Unit dialog box appears.
2. Enter a descriptive name for the SonicWALL appliance in the Unit Name field. Do not enter
   the single quote character (') in the Unit Name field.
3. Enter the password to access the SonicWALL appliance in the Password field.
4. Click Import. The Import dialog box appears.
5. Find and select the saved prefs file of the SonicWALL appliance. Click Import. You are
   returned to the Add Unit dialog box.
6. Click Properties. The Unit Properties dialog box appears.
7. This dialog box displays the fields to which the SonicWALL appliance belongs. To change any
   of the values, enter a new value. When you are finished, click OK.
8. After you are returned to the Add Unit dialog box, click OK again.
9. Select the user group or individual users to which read-write privileges should be assigned.
   Keep in mind that admins always maintain read-write privileges, regardless of your
   selection here.
10. The new SonicWALL appliance appears in the SonicWALL GMS UI. It will have a yellow
    icon that indicates it has not yet been successfully acquired.

    SonicWALL GMS will then attempt to establish a management VPN tunnel to the
    appliance, read its configuration, and acquire it for management. This will take a few
    minutes.
    After the SonicWALL appliance is successfully acquired, its icon will turn blue, its
    configuration settings will be displayed at the unit level, and its settings will be saved to the
    database. A text version of this configuration file is also saved in:
    <gms_directory>/etc/Prefs.


Registering SonicWALL Appliances

After successfully adding one or more SonicWALL appliances to the SonicWALL GMS UI, the
next step is to register them. Registration is required for firmware upgrades, technical support,
and more.

Note: Registering SonicWALL Aventail SRA appliances from GMS is not supported.

To register one or more SonicWALL appliances, follow these steps:

1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Register/Upgrades tree and click Register SonicWALLs. The Register
   SonicWALLs page appears.
3. Click Register. The Modify Task Description and Schedule page displays.
   SonicWALL GMS creates a task for each SonicWALL appliance registration. The Modify
   Task Description and Schedule page allows you to customize the task description and set
   the task execution time. During the task execution, SonicWALL GMS registers each
   selected SonicWALL appliance using the information that you used to register with the
   SonicWALL registration site. After registration is complete, the task will be removed from
   the Scheduled Tasks page and the status of the task execution will be logged. To view these
   logs, click the Console tab. Then, expand the Log tree and click View Log. For more
   information on Scheduled Tasks, refer to the
4. If the appliance is already registered, the Register SonicWALLs page will state This
   appliance is registered.

Modifying Management Properties

The following sections describe how to modify management properties:

- Modifying SonicWALL Appliance Management Options section on page 37
- Changing Agents or Management Methods section on page 37
- Moving SonicWALL Appliances Between Groups section on page 39

Modifying SonicWALL Appliance Management Options

If you make a mistake or need to change the settings of an added SonicWALL appliance, you
can manually modify its settings or how it is managed.

Note: If a unit has not been acquired (yellow icon), you can change its management mode using
this procedure. After it has been acquired (red or blue icon), you cannot change its
management mode using this procedure and must reassign it. For more information, refer
to the Changing Agents or Management Methods section on page 37.

To modify a SonicWALL appliance, perform the following steps:

1. Right-click in the left pane of the SonicWALL GMS UI and select Modify Unit from the
   pop-up menu. The Modify Unit dialog box appears.
2. The Modify Unit dialog box contains the same options as the Add Unit dialog box. For
   descriptions of the fields, refer to the Adding SonicWALL Appliances to SonicWALL GMS
   section on page 31.
3. When you have finished modifying options, click OK. The SonicWALL appliance settings
   are modified.

Changing Agents or Management Methods

To provide increased flexibility when managing SonicWALL appliances, SonicWALL GMS
enables you to change the Agents that manage SonicWALL appliances, as well as their
management methods.
To change how a SonicWALL appliance is managed, follow these steps:

1. Right-click on the group or appliance that you want to re-assign and select Re-assign
   Agents from the pop-up menu.
2. If the appliances to be re-assigned are managed using existing tunnels or the LAN, a
   warning message is displayed. Click OK.

   Caution: Make sure that the appliances will be able to successfully connect to the re-assigned
   GMS to avoid losing connection to the appliances.

3. The Re-assign Agents dialog box appears.
4. Select the IP address of the SonicWALL GMS agent server that will manage the
   SonicWALL appliance from the Scheduler IP Address list box.
5. If SonicWALL GMS is configured in a multi-tier distributed environment, enter the IP
   address of the backup SonicWALL GMS server in the Standby Scheduler IP field. The
   backup server will automatically manage the SonicWALL appliance in the event of a
   primary failure. Any Agent can be configured as the backup.

   Note: If SonicWALL GMS is in a single server environment, leave this field blank.

6. Select from the following management modes:
   - If the SonicWALL appliance will be managed through an existing VPN tunnel or over a
     private network, select Using Existing Tunnel or LAN.
   - If the SonicWALL appliance will be managed through a dedicated management VPN
     tunnel, select Using Management VPN Tunnel (default).
   - If the SonicWALL appliance will be managed over HTTPS, select Using HTTPS.

   Note: HTTPS management requires additional configuration on the appliance itself.

7. Enter the port used to administer the SonicWALL appliance in the SonicWALL HTTP Port
   field (standard: 80; HTTPS: 443).
   For SonicWALL Aventail appliance management, use HTTPS port 8443.
8. When you are finished, click OK. A task is created for each selected SonicWALL appliance.

Moving SonicWALL Appliances Between Groups

To move SonicWALL appliances between groups, simply change the properties of their custom
fields. To change these properties, follow these steps:

1. Right-click on a SonicWALL appliance or group in the left pane of the SonicWALL GMS UI
   and select Modify Properties from the pop-up menu. The Properties dialog box appears.
2. Make any changes to the categories to which the SonicWALL appliance or group of
   appliances belongs. For information on creating categories, refer to the Creating
   SonicWALL GMS Fields and Dynamic Views section on page 23.

   Note: If you are performing this procedure at the group or global level, all parameters will be
   changed for all selected SonicWALL appliances. For example, if you were attempting to only
   change the Country attribute, all other parameters would be changed as well.

3. Click OK. The SonicWALL appliance(s) are moved to the new group.

Deleting SonicWALL Appliances from GMS

To delete a SonicWALL appliance or a group of appliances from SonicWALL GMS, perform the
following steps:

1. Right-click on a SonicWALL appliance or group in the left pane and select Delete from the
   pop-up menu.
2. In the warning message that displays, click Yes. The SonicWALL appliance or group is
   deleted from SonicWALL GMS.

Note: After deleting the SonicWALL appliance from SonicWALL GMS, unprovision the unit as a
best practice. To unprovision the unit, log in to the SonicWALL appliance and disable
SonicWALL GMS management to avoid sending unnecessary syslogs to the SonicWALL GMS
host.

Performing Basic Appliance Management

This section provides links to locations in this guide that describe the most common appliance
management tasks.

Table 3  Appliance Management

Management Task                    Location
Inheriting Group Settings          Managing Inheritance in SonicWALL GMS section on page 759
Upgrading Firmware                 Upgrading Firmware section on page 644
Managing Subscription Services     Configuring Security Services Settings section on page 527
Manually Uploading Signatures      Manually Uploading Signature Updates section on page 195
Managing Certificates              Configuring Certificates section on page 202
                                   Generating a Certificate Signing Request section on page 205
Backing up the Prefs File          Configuring System Settings section on page 197
Understanding Heartbeat Messages   Configuring System Settings section on page 197
                                   Configuring Log Settings section on page 305

CHAPTER 3
Using the Dashboard Panel
The Dashboard tab is a customizable executive summary of your SonicWALL GMS
deployment. The Dashboard tab provides powerful network visualization reporting, monitoring,
and search filtering tools consolidated into one area of the management user interface. The
Dashboard tab consists of the following components:

- Using the Dashboard Control Bar section on page 42
- Using the Universal Dashboard section on page 43
- Managing Page and Widgets section on page 55
- Using the Universal Scheduled Reports Application section on page 58

The Dashboard tab provides administrators with an executive summary through a Universal
Dashboard geographic map. As depicted in the screenshot below, the Geographic View
provides a scalable map that displays your SonicWALL GMS-managed units and SonicWALL
GMS servers using graphical icons; these icons provide system state information on mouse
over. The Geographic View also provides global to regional map displays of VPN Monitor
Views. The administrator can also use the search option to quickly find keywords within their
SonicWALL GMS deployment. And each SonicWALL GMS administrator can create
multiple customized views of the Universal Dashboard unique to their administrator login.
The Dashboard tab also provides administrators with a centralized location to create Universal
Scheduled Reports for Firewall, SRA, CDP, and Email Security reporting solutions.
Upon initial login, you see a default Dashboard tab. You can further customize this page
by configuring and adding preferred components.

Using the Dashboard Control Bar

The Dashboard control bar provides top-of-the-page menu items for customizing the settings of
this page. When the Dashboard loads after SonicWALL GMS login, the control bar is displayed
and then becomes hidden until you place your mouse cursor at the top of the page as shown
below. You can lock the control bar by clicking the Pin Control Bar icon.

The Dashboard control bar provides the following components:

- Universal Dashboard: Includes Geographic View and associated widgets.
- Universal Scheduled Reports: Includes the Universal Scheduled Reports Wizard to create
  report templates.
- My Default Page: Includes a default settings widgets page.
- Manage Page and Widget Settings: The cog wheel icon launches the Manage Page and
  Widget Settings configuration tool. This tool allows you to edit, delete, or add new widgets
  for your Universal Dashboard page, My Default Page, or a new user page. You can also
  create widgets for a specific set of SonicWALL devices.
- Save Layout: The floppy disk icon allows you to Save Layout. This allows you to save
  the Geographic View and the order of your list of widgets.
- Search using Keywords: The Search bar allows you to filter the information displayed on
  the geographical map. The abc icon displays the Keyword help, which includes a list of
  available keywords, usage description, and filter example.
- Switch to Full Screen: The four-arrows-in-four-corners icon puts the page into
  full-screen mode.
- Pin Control Bar: The pin icon allows you to keep the Dashboard control bar always on.

Using the Universal Dashboard

The Dashboard tab default view displays the Universal Dashboard. The Universal Dashboard
provides the administrator, upon initial login with factory defaults, a geographical map
displaying SonicWALL GMS deployment information.

The Geographical View displays the following SonicWALL GMS elements graphically:

- SonicWALL GMS-managed units, such as Firewall, CDP, SRA, and Email Security
  appliances
- SonicWALL GMS host servers, such as UMH hosts in server, console agent, or
  database role configurations
- Auto-discovered units behind the SonicWALL GMS remotely-managed units, such
  as configured network address objects like public servers

Depending on the administrative access privileges that a logged-in user has, the appropriate
subset of the objects above will be displayed on the geographical map. For example, the
SonicWALL GMS Servers will be available for display in the map only for the Administrators
group users of LocalDomain.
This section contains the following subsections:

- Using the Geographic Map View section on page 44
- Filtering with the Search Using Keywords section on page 51
- Determining the Universal Dashboard Geographical Map Location section on page 52
- Geographic Map User Interface and Location Unknown section on page 52

Using the Geographic Map View

The Dashboard geographic map provides easy-to-use viewing controls. These controls allow
the administrator to use their mouse to hover over elements, configure elements using the
mouse right-click menus, and scale the map to a predefined size called fit to scale. The
following table describes these viewing controls:

Table 4  Geographic Map Viewing Controls

Zoom
  Location: Click the plus symbol (+) and minus symbol (-) on the focus bar to expand and
  contract the viewing area.
  Description: Using menus and mouse gestures, zoom in and zoom out of regional areas of
  the Geographic map.

Fit to Scale
  Location: Fit-to-Scale button; a mouse-over message displays "Show all the objects on the
  Map".
  Description: The Fit to Scale button provides an instant-zoom panning view where the
  entire SonicWALL GMS deployment and managed devices are displayed all at once on the
  Map.

Clear Selection
  Location: An X button clears your selection on the Map. This button is below the
  Fit-to-Scale button.
  Description: The clear selection button refreshes the Map and removes a previously
  selected item or set.

Pin Icon
  Location: Hover over with the mouse pointer, or right-click and select Details.
  Description: Displays system information depending on the SonicWALL appliance selected.
  For a SonicWALL firewall, the following is shown:
  - Name: Displays SonicWALL appliance friendly name.
  - Serial: Displays SonicWALL appliance serial number.
  - Domain: Displays SonicWALL GMS domain group.
  - Firmware: Displays firmware version.
  - Type: Displays appliance type from Firewall, SRA, CDP, ES, to network object.
  - Management Mode: Displays HTTPS management enabled or disabled.
  - Management IP: Displays management IP address.
  - LAN IP: Displays LAN IP address.
  - Status: Displays node status from up, down, provisioned, or unknown.

Blob or Group of Pin Icons
  Location: Hover over with the mouse pointer.
  Description: Displays the number of units and appliance friendly name for a specific group
  type.

Unknown
  Location: Click the slider to open a small window on the right side of the map.
  Description: Displays units and instances that cannot be placed on the Map because their
  Geo Locations are not known. You can drag and drop units from this list to the Map.

This section contains the following subsections:

- Using the Geographic View Zoom Bar section on page 45
- Displaying All Objects on the Geographic Map section on page 46
- Using the Deployment View section on page 47
- Using the VPN Monitor View section on page 48
- Dashboard Geographical Map Icons section on page 49
- Using the Context-Sensitive Universal Dashboard Widgets section on page 50

Using the Geographic View Zoom Bar


The zoom bar for the Geographic Map allows the network administrator to scale the view to a
larger holistic view of the entire world or zoom down to a smaller local region. The zoom bar is
easy to use, and the page refreshes quickly. Click on the zoom bar minus (-) button to zoom
out to view a full map of the world.

Alternatively, click on the zoom bar plus (+) button to zoom in to view a specific area or region
of the Map. Another way to zoom into a target area of the map is to double-click a spot on the
Map. Each double-click zooms into the map one increment closer. You can also use the
scroll-button on a mouse to zoom.

Displaying All Objects on the Geographic Map


Since many SonicWALL GMS deployments contain dispersed devices in many different cities
and countries around the world, you can view all the objects at once by clicking on the Show
all the objects on the Map button. This button is located below the minus (-) button on the zoom
bar.

In this example, the entire SonicWALL GMS deployment of SonicWALL GMS hosts and
managed devices is located in the continental United States. Therefore, clicking the
Show all the objects on the Map button displays all the nodes for this deployment on the
continental United States map. To save this Geographic View, click on the floppy disk icon on
the Dashboard control bar.

Using the Deployment View

To change the Dashboard Geographic View default view to the Deployment View, point your
mouse cursor on the Map. Right-click the Map, and select Deployment View. The Deployment
View provides the location of your SonicWALL GMS hosts with graphical color lines to each
SonicWALL GMS-managed device as shown below.
The Dashboard Geographic View provides the ability to display your SonicWALL GMS
deployment for an all-in-one role configuration or a distributed deployment of multiple
SonicWALL GMS hosts in server, console or database role configurations. SonicWALL GMS
currently provides support for only a single management host location. This single management
host location allows you to view all your SonicWALL GMS-managed devices that contain a
defined geographic location. SonicWALL GMS-managed devices that do not have a defined
geographic location are listed on the right margin of the Map in a slider window: location
not known.

The Deployment View connecting lines from the SonicWALL GMS host to the SonicWALL
GMS-managed device are graphical color lines representing the status of the management
tunnel as follows:

- HTTPS management up line: a blue solid line
- HTTPS management down line: a red solid line
- Management tunnel up line: a blue dashdot line
- Management tunnel down line: a red dashdot line
- Management tunnel provisioned line: a yellow dashdot line

Using the VPN Monitor View

To change the Dashboard Geographic View default view to the VPN Monitor View, point your
mouse cursor on the Map. Right-click the Map, and select VPN Monitor View.
The Dashboard Geographic View provides the ability to display the status of VPN service
security associations (SAs) for your SonicWALL GMS-managed firewalls that contain a defined
geographic location. The VPN Monitor View provides a graphical line segment between the
SonicWALL GMS-managed firewall and the VPN tunnel endpoint. The VPN tunnel endpoint can
be a remote site or an IPsec client computer. The VPN Monitor View displays connected and
non-connected SAs.
The VPN Monitor View provides the location of your SonicWALL firewall with graphical color
lines to each VPN tunnel endpoint as shown below. Navigate your mouse to the top-right corner
of the VPN Monitor View to filter the VPN Tunnel view from the following:

- VPN Tunnel Up: Displays only up VPN SAs.
- VPN Tunnel Down: Displays only down VPN SAs.
- VPN Tunnel Disabled: Displays only disabled VPN SAs.
- VPN Tunnel Unknown: Displays only VPN SAs whose location is unknown.
- VPN Tunnel All: Displays all VPN SAs.

The VPN Monitor View connecting lines from the SonicWALL GMS-managed firewall to the
VPN Tunnel endpoint are graphical color lines representing the status of the VPN tunnel as
follows:

- VPN tunnel up line: a blue solid line
- VPN tunnel down line: a red dash line
- VPN tunnel disabled line: a gray dot line
- VPN tunnel unknown line: a yellow dashdot line

For more information on configuring your SonicWALL GMS-managed firewall VPN settings,
refer to the Firewall > Policies > VPN > Settings page.

Dashboard Geographical Map Icons

This section provides a description of each icon displayed on the Map. The following table
provides a description reference for each unique graphical icon. Note that when an icon pin is
selected on the Map, the icon changes from dark gray to a lighter light blue highlight, indicating
that the node is selected.

Table 5  Dashboard Geographic Map Icons (the icon images themselves are not reproduced
here; each entry describes one icon)

Geographic View icons:
- A dark gray encapsulated pin icon displays an unselected SonicWALL GMS-managed unit or
  group, while a light blue encapsulated pin icon displays a selected SonicWALL GMS-managed
  unit or group.
- Displays the up/down status of a SonicWALL GMS host deployed in the all-in-one role
  configuration.
- Displays the up/down status of a SonicWALL GMS host deployed in the server role
  configuration.
- Displays the up/down status of a SonicWALL GMS host deployed in the console agent role
  configuration.
- Displays the up/down status of a SonicWALL GMS host deployed in the database role
  configuration.
- Displays an up status for a single unit or a group of SonicWALL GMS-managed devices.
- Displays a down status for a single unit or a group of SonicWALL GMS-managed devices.
- Displays a provisioned status for a single unit or a group of SonicWALL GMS-managed
  devices.
- Displays an unknown status for a single unit or a group of SonicWALL GMS-managed
  devices.

VPN Monitor View icons:
- Displays an up status for a single or group of VPN tunnel endpoints.
- Displays a down status for a single or group of VPN tunnel endpoints.
- Displays a disabled status for a single or group of VPN tunnel endpoints.
- Displays an unknown status for a single or group of VPN tunnel endpoints.

SonicWALL GMS 7.0 Administrators Guide

49

Using the Universal Dashboard

Using the Context-Sensitive Universal Dashboard Widgets


The Geographic View provides context-sensitive widgets. Widgets are display windows beneath the default Geographic Map. By default, widgets display group-level data and statistics for your entire SonicWALL GMS deployment, so when you view widgets on the Universal Dashboard without a selection, the data and statistics represent group-level data and statistics.
For context-sensitive widget data and statistics, you must select a node or group of nodes on the Geographical Map. When a node on the Geographical Map is selected, the graphical Pin Node icon changes color from black (unselected) to light blue (selected), and the widget data and statistics then become context-sensitive to the selected node or group of nodes. To select a group of nodes on the Geographic Map, hold the Ctrl key while clicking the nodes one at a time. Alternatively, hold the Shift key and drag your mouse cursor around the map region, as illustrated below.

The following widgets are displayed for the Universal Dashboard:

• Logs: Displays the log event message, the friendly name of the SonicWALL device, and the date timestamp.
• Sites: Displays site IP, browse time, hits, and the amount of data transferred.
• Alerts: Displays the alert message and the last reported time.
• Applications: Displays application category, events, and the amount of data transferred.
• Scheduled Tasks: Displays the description of each scheduled task, the friendly name of the SonicWALL device, and the local time of the schedule.
• Threat Category: Displays Top Intrusion/Anti-Spyware/GAV Categories and Top Attacks, including the respective action and event messages.
• Data Usage: Displays a Timeline graph and a list of Top Protocols, including protocol service name, number of connections, and the amount of data transferred.

Note: Select a node or group of nodes for context-sensitive widget data and statistics. The widgets then display context-sensitive data specific to the network traffic on the selected node. For more information, refer to the Adding Widgets on the Universal Dashboard section on page 55.

50

SonicWALL GMS 7.0 Administrators Guide

Using the Universal Dashboard

Filtering with the Search Using Keywords


The Search bar at the top of the Dashboard tab enables the administrator to filter the information displayed on the geographical map. Depending on the search criteria, a blob can become an icon, or an icon can become a blob. The administrator can use the Search bar to fine-tune the geographic map display by the following SonicWALL GMS deployment information:

• SonicWALL firmware version
• Network object name
• User name
• Object type, including managed Firewall, SRA, CDP, or Email Security device, NetMonitored device, or SonicWALL GMS servers

The Search bar uses both text and expression matching, allowing the administrator to create filter criteria from combined strings. For text criteria, the following search operators are supported:

• equals
• contains
• starts with
• ends with

For expression-type criteria, the following search operators are supported:

• <
• >
• !=

The ABC icon next to the Search bar allows you to filter by selecting from a list in the Keyword Help, as shown below. The Keyword Help dialog provides a Description and a Usage example for each keyword. Verify the purpose and usage of a keyword before using it in a filter.

Select a keyword to use for search or filter. The keywords listed on the left-hand side provide filter options for your Geographic View. You can select only one keyword at a time. After selecting a keyword, click the Use button to add this search criterion.

Note: Not all keywords apply to all Widgets. For some keywords there are Widgets where the keyword applies and Widgets where the keyword is not interpreted, depending on context.
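To make the text and expression operators listed above concrete, the following is an added Python example and not code from GMS or this guide: a small evaluator that applies criteria written as field, operator, value (for example, firmware > 5.8) to a constructed inventory of records. The record fields, the criterion syntax, the numeric comparison of firmware versions and the AND combination of several criteria are assumptions for illustration; the page does not state the Search bar's actual grammar or how it combines criteria.

```python
"""Keyword filter illustrating the text and expression search operators.

Added example; the record shape, the 'field operator value' syntax and the
AND-combination of criteria are assumptions, not the GMS Search bar's grammar.
"""
import re

# Text operators: case-insensitive string comparison on the field's value.
TEXT_OPS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "starts with": lambda actual, wanted: actual.startswith(wanted),
    "ends with": lambda actual, wanted: actual.endswith(wanted),
}

# Expression operators: applied to version tuples for firmware, text otherwise.
EXPR_OPS = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "!=": lambda a, b: a != b,
}

# Multi-word operators come first so "starts with" is not split at "starts".
_CRITERION = re.compile(
    r"^\s*(\w+)\s+(equals|contains|starts with|ends with|<|>|!=)\s+(.+?)\s*$",
    re.IGNORECASE,
)


def version_key(version):
    """Turn '5.8.1' into (5, 8, 1) so that 5.10 sorts after 5.8, unlike text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_criterion(text):
    """Split one criterion into (field, operator, value); raise on bad syntax."""
    match = _CRITERION.match(text)
    if not match:
        raise ValueError(f"unrecognised filter: {text!r}")
    field, op, value = match.groups()
    return field.lower(), op.lower(), value.strip('"')


def matches(record, criterion):
    """True if the record satisfies one criterion; missing fields never match."""
    field, op, value = parse_criterion(criterion)
    if field not in record:
        return False
    actual = str(record[field])
    if op in TEXT_OPS:
        return TEXT_OPS[op](actual.lower(), value.lower())
    if field == "firmware":  # compare versions numerically, not lexically
        return EXPR_OPS[op](version_key(actual), version_key(value))
    return EXPR_OPS[op](actual.lower(), value.lower())


def filter_objects(records, criteria):
    """Return the records that satisfy every criterion (criteria are ANDed)."""
    return [r for r in records if all(matches(r, c) for c in criteria)]


# Constructed sample inventory for the demonstration; not real devices.
SAMPLE = [
    {"name": "branch-nyc-fw", "type": "Firewall", "firmware": "5.8.1", "user": "admin"},
    {"name": "branch-sfo-fw", "type": "Firewall", "firmware": "5.6.0", "user": "netops"},
    {"name": "hq-sra", "type": "SRA", "firmware": "6.0.0", "user": "admin"},
    {"name": "gms-console", "type": "GMS server", "firmware": "7.0", "user": "admin"},
]

if __name__ == "__main__":
    for criteria in (["type equals Firewall"],
                     ["firmware > 5.8"],
                     ["name starts with branch", "type != SRA"]):
        names = [r["name"] for r in filter_objects(SAMPLE, criteria)]
        print(criteria, "->", names)
```

The firmware comparison is the detail worth noting: a plain string compare would rank "5.10" below "5.8", so any filter on versions should split the version into numeric components first, as version_key does here.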

Determining the Universal Dashboard Geographical Map Location


An administrator has multiple ways to determine the location of an object in the geographic map. The following list is in order of location-configuration precedence:

1. The public WAN IP of the network address object is used to determine the location of the object in the geographic map. This excludes all objects with private addresses, for example, the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 networks. A mapping service is used to map the WAN IP to longitude and latitude, which is then translated into a location in the Geographic View.

2. When a unit is added into SonicWALL GMS, the administrator can specify the location of the unit, either explicitly in a standard address format, or interactively through a map to determine the longitude and latitude of the unit's position. Information provided using this approach overrides the information retrieved using the WAN IP as described in step 1.

3. In the Geographic View, the administrator can drag a unit and position it anywhere in the map. This updates the location information (longitude and latitude) of the network address object and overrides the information from step 1 and step 2.

4. Network address objects whose location is unknown (because the IP is not known, the IP is in the private IP space, or the administrator has not provided longitude and latitude information) are displayed in a special Unknown area of the geographic map, from where they can be dragged and placed anywhere in the map.

5. The public WAN IPs of the SonicWALL GMS servers are determined by SonicWALL GMS using Web services, and these IPs are used for the initial positioning of the SonicWALL GMS servers.

Geographic Map User Interface and Location Unknown


To determine which section of the world map to display, the Geographic Map shows the smallest geographic denomination that holds all network objects, in the following order:

• World map: When network objects belong to different continents, the world map is displayed.
• Continent map: When network objects belong to different countries within a continent, the continent map is displayed.
• Country map: When network objects are contained in a single country, the country map is displayed.
• State map: When network objects are contained in North American states within Canada and the United States, the state map is displayed.
• City map: When network objects are contained within a single city's area limits, the city map is displayed.
• Local region/county map: When network objects are zoomed in to the smallest geographic map area, the local region or county map is displayed.


The network objects displayed in the Geographic Map are either an individual network object or a blob that represents a collection of network objects.

The Unknown section of the map is a placeholder for all the network address objects whose location is unspecified. Select a node in the Geographic Location Unknown list and drag the node to a location on the map; the following message displays: Are you sure you want to move the node?

Click the Yes button to accept this geographic location. The geographic location for the selected node is updated with the new longitude and latitude coordinates. To view or update the location, right-click the selected node, as shown.
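The location precedence (WAN IP lookup, overridden by an admin-entered geocode, overridden by a dragged position, with private addresses going to the Unknown area) and the smallest-map selection rule above are both mechanical enough to be shown as code. The following is an added Python example, not code from GMS or this guide; the record fields, the WAN-IP-to-coordinates stub (using documentation IP ranges), the continent/country/state/city tuples and the treatment of the local region/county level as a further zoom beyond the city map are assumptions for illustration.

```python
"""Location precedence and map-level selection for a geographic map.

Added example following the ordering described in this section. The record
fields, the mapping-service stub and the place tuples are constructed for
illustration; they are not GMS's data model or its mapping service.
"""
import ipaddress

# The private ranges the text excludes from WAN-IP geolocation (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the WAN-IP mapping service (documentation IPs only).
GEOIP_STUB = {
    "203.0.113.10": (40.71, -74.01),
    "198.51.100.7": (37.77, -122.42),
}


def is_private(ip):
    """True for RFC 1918 addresses. Unparseable input is also treated as
    private so that junk is never sent to the external mapping service."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in PRIVATE_NETS)


def resolve_location(obj, geoip=GEOIP_STUB):
    """Return (lat, lon, source) using the precedence order of the text:
    a dragged map position beats an admin-entered geocode, which beats the
    WAN-IP lookup. None means the object belongs in the Unknown area."""
    if obj.get("dragged"):
        lat, lon = obj["dragged"]
        return (lat, lon, "dragged")
    if obj.get("geocode"):
        lat, lon = obj["geocode"]
        return (lat, lon, "admin")
    ip = obj.get("wan_ip")
    if ip and not is_private(ip) and ip in geoip:
        lat, lon = geoip[ip]
        return (lat, lon, "wan_ip")
    return None


def drag_to(obj, lat, lon):
    """Model the confirmed drag: the stored coordinates are updated and from
    then on take precedence over every other source."""
    obj["dragged"] = (lat, lon)
    return resolve_location(obj)


def map_level(places):
    """places: (continent, country, state, city) tuples for objects with a
    known location (None entries are skipped). Returns the smallest map that
    still holds all of them, in the world > continent > country > state >
    city order of the text; state maps apply only to US and Canadian objects."""
    known = [p for p in places if p is not None]
    if not known:
        return "unknown"

    def all_same(index):
        return len({p[index] for p in known}) == 1

    if not all_same(0):
        return "world"
    if not all_same(1):
        return "continent"
    country = known[0][1]
    if country in ("US", "CA"):
        if not all_same(2):
            return "country"
        if not all_same(3):
            return "state"
        return "city"
    return "country" if not all_same(3) else "city"


# Constructed sample objects; the first two differ only in which source wins.
SAMPLE = [
    {"name": "nyc-fw", "wan_ip": "203.0.113.10"},
    {"name": "sfo-fw", "wan_ip": "198.51.100.7", "geocode": (37.33, -121.89)},
    {"name": "lab-fw", "wan_ip": "10.1.2.3"},     # private address: Unknown area
    {"name": "dc-fw", "wan_ip": "192.0.2.5"},     # public, but the stub has no entry
]

if __name__ == "__main__":
    for obj in SAMPLE:
        print(obj["name"], "->", resolve_location(obj))
    print(map_level([("North America", "US", "NY", "New York"),
                     ("North America", "US", "CA", "San Francisco")]))
```

Two behaviours are worth checking against the text: a private or unparseable address never reaches the mapping service and lands in the Unknown area, and a dragged position, once confirmed, overrides both the admin-entered geocode and the WAN-IP result.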


Updating the Location Address and Geocode


The Geographic View allows you to update the location information for a single node or a group of nodes. In many SonicWALL GMS deployments, a network administrator sets up and configures multiple SonicWALL devices in one location and then deploys these devices in dispersed areas around the world. SonicWALL GMS administrators can handle this by right-clicking the group node icon on the Geographic Map and then entering the new location information. The following page displays when you right-click a node on the Geographic Map.

The location information requires the geographical map address, if available, which includes the following information:

• Street
• City
• State
• Zip code
• Country

Alternatively, the location information can be given as a geo location, which includes the following information:

• Latitude
• Longitude

Enter either the location address or the geo location to save the location setting. You can use the Locate buttons to locate based on an Address or on Geocodes, and then complete the other field based on the location search results. For the best results with SonicWALL appliances residing in North America or Europe, enter the location address and click the Locate Geocode button to identify the latitude and longitude coordinates. For the best results with SonicWALL appliances residing outside North America or Europe, enter the Geo Location for these devices. The Locate Address button does not give the best results for devices residing outside North America and Europe, because the locate-address Web service does not provide detailed coverage for all areas.
You can also enter the location information for each SonicWALL device on its System > Info page. When the location information is updated on these pages, the Geographic Map is updated immediately.

Managing Page and Widgets


SonicWALL GMS provides administrators the ability to fully customize their Universal Dashboard and My Default Page by adding Widgets. To edit or add Widgets, click the cog wheel icon; the Manage Page and Widgets configuration page displays, as shown below.

This section contains the following subsections:

• Adding Widgets on the Universal Dashboard section on page 55
• Adding a New Dashboard Page section on page 56

Adding Widgets on the Universal Dashboard


This section provides information on how to use the Manage Page and Widgets configuration page for the Universal Dashboard. To add a new Widget, select one of the following choices from the pull-down menu:

• Sites Widget
• Data Usage Widget
• Applications Widget
• Scheduled Tasks
• Logs
• Alerts Widget

Note: A Widget containing the same content cannot be added more than once to the Universal Dashboard or My Default Page. Up to a maximum of 25 Widgets can be added to the Universal Dashboard or the My Default Page.

Adding a New Dashboard Page


The Universal Dashboard page provides context-sensitive Widgets based on your node selection in the Geographic Map. The My Default Page provides customizable Widgets that are not context-sensitive to the Geographic Map, because the Geographic Map Widget is not available on the My Default Page or on a New Dashboard Page. New Dashboard pages are a convenient way for network administrators to create customized Dashboard Widgets for SonicWALL GMS users belonging to a particular SonicWALL GMS domain group. This allows different Dashboard pages for each user.
To add a new Dashboard page, launch the Manage Page and Widgets configuration page and click the plus (+) icon in the top-right corner. The following window displays.

Enter a name for your new Dashboard page. Most commonly, network administrators create new Dashboard pages for managed-security providers servicing customers around the world. You can also create Dashboard pages for your company's different departments, such as Engineering and IT Operations, for customized Dashboard views.

Managing Your Widgets


Each Widget contains control options in its top panel, which include the following:

• Widget Settings: Click the cog wheel icon to edit, delete, or copy the widget to another page.
• Refresh Widget: Click the yin-yang icon to refresh the data and statistics for the widget. Widgets automatically refresh every 60 seconds.
• Minimize: Click the minimize window icon to hide your Widget in the bottom-right corner.
• Restore/Maximize: Click the four-arrows icon to display the widget in a maximized window. Click the icon again to restore the Widget to its original window size.

Widgets can be resized by dragging the bottom corners to the desired window size.

Widgets can also be re-ordered by drag and drop. Selecting a Widget and dragging it over another Widget changes the top panel to a darker color; this represents a Widget that is overlapping another Widget, and the following message displays.

The drop position of the Widget allows you to place your widget before the selected widget. In this example, the Scheduled Tasks Widget is placed in the drop position before the Applications Widget. The Dashboard page refreshes and the widgets are now ordered as follows:

1. Sites Widget
2. Scheduled Tasks Widget
3. Applications Widget
4. Logs Widget

You can also re-order the position of Widgets using the Manage Page and Widgets configuration page. In the Manage Page and Widgets configuration page, drag the Widget you want to re-order to your preferred drop location. The two Widgets swap locations.

Using the Universal Scheduled Reports Application


Scheduled Reporting has been an essential reporting component since the initial release of the SonicWALL GMS product. It provides management interfaces that let the user set up schedules and configure reports to be exported periodically in various report formats. A typical scheduled report configuration is broken down by functionality (Firewall, SRA, CDP, ES, and Monitor) and by node (Group and Unit), so users need to navigate to separate tabs to configure scheduled reports for different nodes. The Universal Scheduled Reporting application streamlines the configuration process, unifying and extending the existing functionality to system-wide usage patterns. This allows the user to collect report data from multiple appliances and create a single global report.

Using the Manage Templates Component


The Manage Templates component is used to create a template that defines the list of reports at group level or unit level. The list of available reports for each product type (Firewall, SRA, CDP, and ES) is abstract, so all the reports available in the system are presented here. The report list includes the appliance firmware and shows all the reports available in SonicWALL GMS for the appliance. The decision on which report is applicable to a particular firmware version (for example, Application Intelligence is for SonicOS 5.8 and above) is made at run time when the scheduled report engine is ready to create the report. Scheduled report creation and template usage are detailed in this section.


Adding a Template
Perform the following steps to add a template using the Template Manager:

Step 1 Navigate to the Universal Scheduled Report > Manage Templates page.

Step 2 Choose the tab for the appliance you wish to add a template to.

Step 3 Select the option for either a unit or group template.

Step 4 Click the Add Template button.

The Edit Template window displays. Note: the Visible to Non-Administrators checkbox is available for SonicWALL GMS only.

Step 5 Enter a name for your template.

Step 6 The Visible To Non-Administrators checkbox is disabled by default; select the checkbox to enable this option. This allows end users to view the list of all the report templates at a read-only level.

Step 7 Select the checkbox next to the Reports you wish to use for this template.

Step 8 Select the checkbox next to the Policies you wish to use for this template.

Step 9 Click the Add button.

The configured template is now populated in the Template Manager list.

Editing an Existing Template


This section details the configuration procedures for editing an existing template. The Universal Scheduled Report > Template Manager allows you to filter the template list by Name, Level, Owner, and Last Update. Follow the steps below to use the search option to find and edit an existing template.

Searching for an Existing Template

Step 1 Navigate to the Universal Scheduled Reports > Manage Template page.

Step 2 Click the search text field, then enter your search criteria.

A pull-down appears under the search text field.

Step 3 Select a filter for your search criteria by clicking Name, Level, Owner, or Last Update in the search pull-down list. In this example, we are entering unit as the search criteria and filtering the search results by level.

The Template Manager window displays the latest search results. Notice that the template list now shows only report templates for level: units.

Note: To clear your search results and return the report template list to the default, click the Clear button.
Editing an Existing Template

Now that you have found an existing template using the search filter, it is time to use the edit option.

Warning: Editing an existing template also changes the associated scheduled reports (if applicable).

Step 1 Click the icon for the report you wish to edit.

The Edit Template window displays. Note: the Visible to Non-Administrators checkbox is available for SonicWALL GMS only.

Step 2 Edit the name for your template.

Step 3 The Visible To Non-Administrators checkbox is disabled by default; select the checkbox to enable this option. This allows end users to view the list of all the report templates at a read-only level.

Step 4 Select the checkbox next to the Reports you wish to use for this template.

Step 5 Select the checkbox next to the Policies you wish to use for this template.

Step 6 Click the Update button.

The configured template is now populated in the Template Manager list.

Deleting a Template
The Template Manager offers three different ways to delete a template: deleting a single template, deleting multiple templates, or deleting all templates. Use the Searching for an Existing Template section to search for templates to delete. Perform the following steps to delete one or more Universal Scheduled Report templates:

Warning: Deleting a template creates a cascading task to remove it from the Scheduled Reports that are using this template.

Deleting a Single Template

Step 1 Navigate to the Universal Scheduled Reports > Manage Template page.

Step 2 Click the icon for the template you wish to delete from the Template Manager list.

Deleting Multiple Templates

Step 1 Navigate to the Universal Scheduled Reports > Manage Template page.

Step 2 Click the checkboxes for the templates you wish to delete.

Step 3 Click the Delete Selected button. This button is grayed out by default until a checkbox is selected.

Deleting all Templates

Step 1 Navigate to the Universal Scheduled Reports > Manage Template page.

Step 2 Select the Name checkbox; this selects all templates in the list.

Step 3 Click the Delete Selected button. This button is grayed out by default until a checkbox is selected.

Adding a Scheduled Report Component


Using Universal Scheduled Reports gives you the ability to schedule reporting for multiple appliances at once, combined into a single report. Scheduled Reporting is a wizard-based tool that guides you through the steps for creating a scheduled report: manually selecting reports from the report listing or picking a template created in the Using the Manage Templates Component section, selecting a theme (cover logos, font colors, title, subtitle), setting reporting properties (output format, language), choosing a schedule type (weekly, monthly), and choosing a destination (up to 5 email addresses can be added for a single report). This section contains the following subsections:

• Searching for a Group or Device section on page 65
• Creating a Universal Scheduled Report section on page 67

Searching for a Group or Device


The Search option allows you to filter the Group/Device list by manually entering a device in
the search text field and selecting it from the search pull-down list. You can further filter the
Group/Device list by clicking the View pull-down and selecting a view type. The following
example guides you through the Device List search process, detailing the versatility of the
Universal Scheduled Reports > Configuration Manager search options.

Example

In this example we are using the Configuration Manager search options to find a SonicWALL TZ 210 wireless-N device in the Device List.

Step 1 Navigate to Universal Scheduled Reports > Add A Scheduled Report.

Note: The Monitor tab is only available for SonicWALL GMS.

Step 2 Select the Firewall tab, located at the top of the Configuration Manager window.

Step 3 Click the View pull-down, then select a view type from the list. In this example we are selecting Model View (Global View is selected by default), since we are searching for an exact appliance model. You can also filter the Device List by Firmware View, Global View, Instance View, Status View, or Gateway.

The Device List now displays all the appliance models.

Step 4 Select the Model: TZ 210 wireless-N.

A list of devices for that appliance model displays.

Note: The search history bar populates each time you filter the list. You can use it to navigate back to previous search results.

You can also click the Search text box (if you know the exact name of the device), then manually enter the device name or select the device from the pull-down list.

Step 5 Click the icon to schedule a report for that appliance. Refer to the Creating a Universal Scheduled Report section for configuration procedures.

Creating a Universal Scheduled Report


The Universal Scheduled Reports > Configuration Manager allows you to create a single report for multiple appliance models/devices at group and unit level. The following example guides you through the report configuration process (Selecting Reports, General Information, and Theme Information), showing the versatility of Universal Scheduled Reporting.

In this example we are using the Configuration Manager to schedule a single report for a Firewall appliance model (group level) and SRA devices (unit level).
Selecting Reports

Step 1 Navigate to Universal Scheduled Reports > Add a Scheduled Report.

Note: The Monitor tab is only available for SonicWALL GMS.

Step 2 Select the Firewall tab, located at the top of the Configuration Manager window.

Step 3 Search for the TZ 210 wireless-N model group. Refer to steps 1-3 in the Searching for a Group or Device section.

Step 4 Click the icon for the Model: TZ 210 wireless-N.

The Reports tab displays in the Reports List.

Step 5 Click the Reports tab, then select the checkboxes for the reports you wish to include, or click the Use Templates link to choose a template you created.

Note: When you select reports in the Reports and Policies tabs, they populate the list of Selected Reports located on the right side of the Configuration Manager page. The Selected Reports panel allows you to organize the list by dragging and dropping reports/devices, collapse the report lists for each device (by clicking the arrow next to the device name), and add a note to a report/device.

Step 6 Click the Policies tab, then select the checkboxes for the policies you wish to include, or click the Use Templates link to choose a template you created.

The reports for the Firewall model group are now selected; next is choosing reports for the SRA device.

Step 7 Select the SRA tab.

The SRA models display in the Device List.

Step 8 Click the Model: SRA 2000.

The Device List displays all the SRA 2000 devices.

Step 9 Click the icon for the SRA 2000 5408.

The Reports window displays in the Reports List.

Step 10 Select the checkboxes for the reports you wish to include, or click the Use Templates link to choose a created template.

Note: The SRA only offers a Reports tab (no Policies tab).

Step 11 Click the Next button.


General Information

The General Information page displays.

Note: The settings entered in the Task Info, Format/Settings, and Email/Archive Info sections populate the Configurations panel located on the right side of the General Information page.

Step 1 Enter the following in the Task Info panel:

• Task Name: Example Report 1
• Task Description: This is an example for configuring a Universal Scheduled Report

Step 2 Select the following in the Format/Settings panel:

• Report Type: Daily, Weekly, or Monthly
• Report Format: PDF or XML (if XML is selected, the ZIP Password Protection option is grayed out)
• Report Language: English, Japanese, Chinese (Simplified), Chinese (Traditional)
• Report Rows Display: 20, 50, 100
• Disable the Report: Yes or No
• Zip the Report: Yes or No
• PDF Password Protect: Yes or No (if Yes is selected, a pop-up window appears and prompts you to enter the Password)

Step 3 Click the archive checkbox to save a PDF report to a new folder.

Step 4 Perform the following in the Email / Archive Info panel:

• Click the E-mail checkbox to send a PDF report to an email account or alias. The Email configuration options display.
• Click the E-Mail Destination pull-down, then select an Administrator, Appliance User, or Enter multiple Adhoc Users.
• Click the Add button after each selected destination. The E-Mail Destination populates in the list.

Note: Multiple destinations can be sent in a single E-mail.

• Enter the E-mail Subject: Weekly Firewall and SRA Report
• Enter the E-Mail Body: This Universal Scheduled Report contains the SonicWALL TZ 210 wireless-N group and SRA 2000 unit
• Click the Archive checkbox to save a PDF report to a new folder. Archive Folder: Test Archive Folder 1

Step 5 Click the Next button.


Theme Information

The Theme Information page displays. If XML was selected on the General Information page, the Theme Information page is not displayed.

Note: The settings entered in the Cover Page and Report Page panels automatically update the image located on the right side of the Theme Information page. To preview the cover / report pages, select the Cover Page or Report Page tab.

Step 6 Select / enter the following in the Cover Page panel:

• Cover Logo: Select a logo (click the pull-down and select a cover logo image) or upload a logo (click the Browse and Preview button to upload a logo)
• Cover Title: Enter a name (Weekly Data Usage Report) for your Universal Scheduled Report, then select or enter the foreground and background colors
• Cover Subtitle: Enter a subtitle (U.S. Engineering Department) for your Universal Scheduled Report, then select or enter the foreground and background colors

Step 7 Select or enter the following in the Report Page panel:

• Report Title: Foreground and Background colors
• Report Description: Foreground and Background colors

Step 8 Click the Cover Page and Report Page tabs to preview your Universal Scheduled Report.

Step 9 Click the Finish button.

Note: When the Universal Scheduled Report PDF is exported, a table of contents is created. This allows you to quickly browse through your scheduled reports.

The report is now scheduled and can be found on the Universal Scheduled Report > Manage Scheduled Reports page.


Managing the Scheduled Reports Component


Managing Scheduled Reports is used to manage the scheduled report task inventory by resending, emailing / archiving now, editing, and deleting scheduled reports.

Resending a Scheduled Report


Perform the following steps to resend a scheduled report.

Step 1 Navigate to the Universal Scheduled Reports > Manage Scheduled Reports page.

Step 2 Use the filter options to search for a report in the Scheduled Report Management list, then select the checkbox of the report you wish to resend.

Step 3 Click the Resend for Data Range button.

The Select Data Range pop-up window displays.

Step 4 Enter the Start / End dates by clicking the icon and selecting the dates.

Step 5 Click the Re-send button.

The Info pop-up window displays, confirming that the schedule resend is complete.

Step 6 Click the OK button.

Emailing / Archiving Now


Preform the following steps to Email / Archive a Universal Scheduled Report before its
scheduled sending date.
Step 1

Navigate to the Universal Scheduled Reports > Manage Scheduled Reports page.

Step 2

Use the filter options to search for a report to Email /Archive in the Scheduled Report
Management list.

Step 3

Select the checkbox next to the report name.

Step 4

Click the Email/Archive Now button.


The Info pop-up window displays, confirming the immediate processing of Email / Archive.

Step 5

Click the OK button.


Your Scheduled report is now Emailed and Archived.


Editing a Scheduled Report


Perform the following steps to edit an existing scheduled report.

Step 1

Navigate to the Universal Scheduled Reports > Manage Scheduled Reports page.

Step 2

Use the filter options to search for a report in the Scheduled Report Management list, then click
the icon for that report.

Step 3

To edit the Scheduled Report, use the same configuration procedure shown in the Creating a
Universal Scheduled Report section.


Disabling a Scheduled Report


Perform the following steps to disable a scheduled report.
Step 1

Navigate to the Universal Scheduled Report > Manage Scheduled Reports page.

Step 2

Click on the icon for the report you wish to disable.

The Universal Scheduled Reports - Configuration Manager window displays.

Step 3

Click the Next button.


The General Information Page displays.

Step 4

In the Format / Settings panel, navigate to the Disable the Report option and click the Yes
checkbox.

Note

To enable the scheduled report, repeat steps 1-3, then click the No checkbox.


Deleting a Scheduled Report


Perform the following steps to delete an existing Universal Scheduled Report.
Step 1

Navigate to the Universal Scheduled Report > Manage Scheduled Reports page.

Step 2

Use the filter options to search for a report in the Scheduled Report Management list, then select
the checkboxes for the reports you want to delete.

Step 3

Click the Delete Selected button.


The selected reports are now deleted.

Note

You can also use the icon to delete a specific Scheduled Report.

CHAPTER 4
Overview of Reporting
This chapter describes how to use SonicWALL GMS reporting, including the type of information
that can appear in reports. A description of the available features in the user interface is
provided.
This chapter includes the following sections:

SonicWALL GMS Reporting Overview, page 81

Navigating SonicWALL GMS Reporting, page 85

Report Data Container, page 99

Custom Reports, page 107

Troubleshooting Reports, page 107

Managing SonicWALL GMS Reports on the Console Panel, page 108

SonicWALL GMS Reporting Overview


An essential component of network security is monitoring critical network events and activity,
such as security threats, inappropriate Web use, and bandwidth levels. SonicWALL GMS
Reporting complements SonicWALL's Internet security offerings by providing detailed and
comprehensive reports of network activity.
The SonicWALL GMS Reporting Module creates dynamic, Web-based network reports from the
reporting database.
The GMS software application generates both real-time and historical reports to offer a
complete view of all activity through SonicWALL Internet security appliances. With SonicWALL
GMS Reporting, you can monitor network access, enhance security, and anticipate future
bandwidth needs.
You can create Custom reports by using the report filter bar, available in most report screens
in the SonicWALL GMS UI. The report Filter Bar provides filters to allow customized reporting,
including pre-populated quick settings for some filter fields. A Date Selector allows paging
forward and backward in time, or selecting a particular time period for viewing, via a pull-down


calendar. The search operator field offers a comprehensive list of search operators that varies
depending on the search field, which can be either text-based or numeric. Refer to Layout of
Reports Display on page 90 to see these items in the context of the Report page.
You can search all columns of report data except columns that contain computed values, such
as %, Cost, or Browse Time. SonicWALL GMS waits until you click the Go button before it
begins building the new report.
The SonicWALL GMS Reporting Module provides an interactive interface that:

Displays bandwidth use by IP address and service

Identifies inappropriate Web use

Provides detailed reports of attacks

Collects and aggregates system and network errors

Shows VPN events and problems

Tracks Web usage by users and by Web sites visited

Provides detailed daily firewall logs to analyze specific events.

Viewing Reports
The GMS Reports view under the Firewall, SRA and CDP tabs is divided into three panes, as
shown below: the TreeControl Pane, the middle pane with the Policies and Reports tabs, and
the Reports pane.


TreeControl Pane: A list of views and individual units referred to as the TreeControl. In
the left pane, you can select a top level view, a group view, or a unit to display reports that
apply to the selected view or unit. GlobalView is the default top level selection.

List of Reports: The middle pane provides two tabs: Policies and Reports. The Reports
tab contains a list of available reports that changes according to your selection in the
TreeControl pane: GlobalView provides a general summary of various functions, and unit
view provides specific details. The reports are divided into categories. You can click on the
top level report in a category to expand it to view the list of reports in that category, then
click on an individual report name to view that report. To keep a category in expanded view,
click on the category while pressing the Ctrl key. Otherwise, the expanded entry will
collapse when the next entry is expanded.


The Reports Pane: The right pane displays the report that you selected in the middle pane
for the view or unit that you selected in the TreeControl. For most reports, a search bar is
provided at the top of the pane. Above the search bar, a time bar is provided. You can view the
report for a particular time by clicking right and left arrows, or clicking on the center field to
get a pull-down menu with more options. Click on icons in the upper left corner to send the
report to a PDF or UDP file. These files can then be printed for reference. A quick link to
the Universal Scheduled Reports menu is also provided, allowing you to set up scheduling
and other functions.

The SonicWALL GMS reporting module provides the following configurable reports under the
Firewall and SRA tabs:
Table 6 Firewall Reports

Report                        Description
Data Usage*                   Provides an overall data usage report.
User Activity Reports         Produces a Detail report of user activity.
Applications*                 Provides information on application access and firewall reports.
Web Activity*                 Provides Web usage reports, including initiators and sites.
Web Filter*                   Provides web filter event reports, including initiators and sites.
VPN Usage*                    Provides VPN usage reports on policies, services, and initiators.
Threats (Summary Only)        Access attempts by appliance.
Intrusions                    Provides event reports about intrusion prevention, targets, initiators, as well as detailed timelines.
GAV                           Provides reporting on virus attacks blocked.
Anti-Spyware                  Provides reporting on attempts to install spyware.
Attacks                       Provides event reports about attacks, targets, and initiators.
Authentication                Provides login reports.
Analyzers                     Provides a detailed analysis of logs or activities.
Up-Down                       Provides a timeline of Up-time vs. Downtime, either as a summary or on a per unit basis.
Configuration                 Configures settings for Summarizer and Log Analyzers.
Events                        Creates, configures, and displays alerts.
Custom Report                 Provides Internet Activity and Website Filtering reports with details from raw data. Custom Reports are only available at the unit level.

* Multi-Unit Report Available: provides a high-level activity summary for multiple units.

Table 7 SRA Reports

Report                        Description
Data Usage*                   Provides an overall data usage report.
User Activity Reports         Produces a Detail report of user activity.
Access Method                 Provides information on application access and firewall reports.
Authentication                Provides login reports.
WAF*                          Provides Web Application Usage (WAF) usage reports.
Connections*                  Provides web filter event reports.
Up-Down                       Provides a timeline of Up-time vs. Downtime, either as a summary or on a per unit basis.
Analyzers                     Provides a detailed analysis of logs or activities.
Events                        Used to configure and view Alerts.
Custom Report                 Provides Internet Activity and Website Filtering reports with details from raw data. Custom Reports are only available at the unit level.

* Multi-Unit Report Available: provides a high-level activity summary for multiple units.

Table 8 CDP Reports

Report                        Description
Multi-unit Summary Reports    Provide a high-level summary of disk capacity.
Capacity                      Provides a report on disk capacity for an individual appliance.
Backup Activity               Provides a report on backup activity, including top agents and top file extensions backed up.
Up/Down                       Provides a timeline of Up-time vs. Downtime, on a per unit basis.

Navigating SonicWALL GMSReporting


SonicWALL GMS Reporting is a robust and powerful tool you can use to view detailed reports
for individual SonicWALL appliances or groups of appliances.
This section describes each view and what to consider when making changes. It also describes
the Search Bar and display options for interactive reports, as well as other enhancements
provided in SonicWALL GMS. See the following sections:

Global and Group Views section on page 85

Unit View section on page 86

Layout of Reports Display section on page 90

Setting a Date or Date Range section on page 92

Adding Filters section on page 96

Report Data Container section on page 99

Drilling Down section on page 101

Scheduling Reports section on page 99

Global and Group Views


From the Global and Group views of the Reports Panel, Summary reports are available for all
SonicWALL appliances within a group or all SonicWALL appliances being managed by
SonicWALL GMS. The Summary provides a high level report for all appliances. More detail is
available from the Unit view.
To open the Global or Group view, click the GlobalView icon in the upper-left hand corner of
the left pane or select a Group Icon. The global view Data Usage Summary page displays.

Summary pages are available for the major functions on the middle pane. By default, they
display both the Chart View and Grid View. You can use the toggle buttons to the right to display
either view, or both.

Note

The selected Chart or Grid view remains in effect only for the specified screen. Changing
screens will default back to the Chart and Grid View.


Unit View
The Unit view provides a detailed report for the selected SonicWALL appliance.
SonicWALL GMS provides interactive reports that create a clear and visually pleasing display
of information. You can control the way the information is displayed by adjusting the settings
through toggles that allow you to display a graphical chart, a grid view containing the
information in tabular format, or both (default). Reports are scheduled and configured in the
Universal Scheduled Reports settings. For more information, refer to the Using the Universal
Scheduled Reports Application section on page 58.
The Reports tab provides a list of available Reports. Click on the type of report to expand the
list items and view the available reports in that screen group.


Tip

At times, you may wish to see multiple screen groups at the same time. Ctrl-click to keep a
previously-expanded topic from collapsing when you select a new report category. For
example, you may want to view Data Usage, Applications, and Intrusions simultaneously, to
see what detail sections are available. Control-click on these entries to see all the screen
groups under these entries simultaneously.


The reports available are usually the reports that appear as sections in the Details view. The
Details entry is a shortcut to a view of all the available reports.


To access the Reports, use the following steps:


Step 1

Click on the desired tab at the top of the SonicWALL GMS interface.

Step 2

To open the Unit view, click on a device in the TreeControl pane.

Step 3

Then click the Report tab on the middle pane.

Step 4

Click on the desired report in the list of reports on the Reports tab.


The default view of a root-level report always shows the chart and grid view of the report. The
Sections displayed in the Grid View depend on the Report item selected and the filters applied
to it. Additional information can be displayed by mousing over certain elements of the Report.

Note

As you navigate the Reports panel with a single SonicWALL appliance selected and apply
filter settings, your filter settings will remain in effect throughout the session. To remove filter
settings, click on the search bar Remove Filters button. (Refer to the graphic in Layout of
Reports Display, below.)

Layout of Reports Display


The Report Display is comprised of the following areas:


The Filter Bar area, which includes the Time Bar, Export buttons and Custom Reports
buttons, and data filter functions

Report Data Container, containing the Chart and/or Grid Views


The figure below shows the layout of the Report.

The Report contains the following areas:

The Date Selector Bar

The Filter Bar

Export Options, including:

Schedule Report Button: brings up the Universal Scheduled Reports menus
Export to CSV
Export to PDF
Save button
Load Custom Report button

Report Data Container. The Report Data Container consists of the Chart View and the
Grid View, the Show Chart, Show Grid, and Show Chart and Grid toggle buttons, and the
Reload Data button.

The Chart view is clickable. You can drill down to Detail sections simply by clicking on areas
of interest in the bar-chart or pie-chart.

The Date Selector


The Date Selector allows you to generate a report for only a specific date and time range. Use
the right and left quick-link arrows to move backward and forward in time, a day at a time.
Clicking the time field on the Date Selector brings up a pull-down menu that allows you to
customize your time and date ranges.

Setting a Date or Date Range


By default, summary reports display only information for a single date. However, by using the
Time Selector pull-down menu, you can fine-tune the time, date, or range of times and dates
you want to see. Over-time reports display information over a date range.

Selecting a Date and Time


The Time Selector allows you to specify any time or date interval desired, whether by day, or
in hour/minute intervals. To select a single date for a report, either use the Date Selector bar
and the left and right arrows to page through reports by date, or click on the displayed date field
in the Time Selector to display the pull-down schedule menu.


You can select from:

Last 1 hour

Last 6 hours

Last 12 hours

Today - 00:00 to 23:59

Yesterday - 00:00 to 23:59

Last Week - the previous 7 days, from 00:00 to 23:59

Custom - a custom time and date range

In the pull-down schedule menu, you can specify a recent time snapshot, or click on Custom
to select the starting and ending dates and times. The Custom option allows you to select a
specific time and date or range from the Interval menu.
Step 1

To set up a custom time range, click in the Time Selector Bar. The Interval pull-down menu
appears.
In the Interval menu, you can either set the date manually or by using the pull-down calendar.
In the calendar, you can set the month by clicking the desired dates. If no data is available for
a specific date, that date will not be available (grayed out).

Step 2

Set a specific start and ending time by specifying hours and minutes you want to monitor. The
default for a date is an interval starting at hour 0 minute 0 (midnight) and ending at 23:59 (11:59
PM).

Step 3

The Interval menu also lets you set how many lines of information appear in the graph view.
Click the date, and when the Interval pull-down appears, specify the number of rows. Select 5,
10, 20, 50, or 100 from the Rows pull-down list to limit the display to the specified number of
lines, for easier viewing.

Step 4

Click OK to generate the report.


Report data is sorted and ranked according to how many rows are displayed. By specifying a
limited number of rows to be displayed in the graph section of the Report, rankings will apply
only to the data in those rows. If you reverse the sort order by clicking on the column bar, only
the displayed items will be re-sorted.
To re-sort according to all collected data in the database, click on the Enable Server Side Sort
checkbox on the pull-down menu. The ranking of the grid items will then reflect all data from
the total entries.
By default, Client-side Sort is used, which sorts only the currently viewable data, that is, the
rows retrieved from the database when the report was first displayed.
For example, the snapshot below shows data displayed only as it pertains to ten rows.

If you re-rank the column to see the lowest number of hits, it will rank only the items displayed
in the ten rows you selected.


Use Enable Server Side Sort to sort data based on all underlying data records, not the
client-side sort. Server side Sort retrieves current data from the back end database. Client-side
sort merely rearranges the data already retrieved. You can still constrain your display to 10
rows, but the display will re-sort based on the total data collected in the back-end database,
and not just the data previously displayed.

Export Results
The Export Results icons allow you to save a report in either PDF or Excel format.

To the left of the Export Results icons is the Schedule Report icon. This button brings up the
Universal Scheduled Report Configuration Manager, allowing you to create a schedule for
generating the specified report, which will then be emailed to you. For more information, refer
to the Using the Universal Scheduled Reports Application section on page 58.

These buttons provide the following export options:

Export to PDF: This button will allow you to save the displayed report data to a PDF file.
The PDF can export a maximum of 2500 rows.

Export to CSV: This button allows you to send the report to a file in Microsoft Excel Comma
Separated Value (CSV) format. Excel can export a maximum of 10,000 rows.

Tip

To print a report, export it to PDF, using the Export to PDF button, then print out the PDF file.


If a very large Report file, such as a system log, is being exported, the number of lines that can
be saved is limited. When you click the icon, you will see a message like the following:

Select whether to print only the currently-displayed screen, or the maximum number of rows.

The Filter Bar


The Filter Bar provides filtering functions to narrow search results, to view subsets of report
data.

The Filter Bar is at the top of the Report. It contains the Add Filter (+) button for adding filters
and Go button to apply filters, as well as the Clear Filter button to clear all filters.
Using the Filter Bar allows you to view subsets of the report data, based on a set of pre-defined
filters.

Adding Filters
Filters can be added in two ways, either explicitly through the Filter Bar, or implicitly by clicking
on the hyperlinks in the grid sections of a displayed report. As hyperlinks are clicked, those link
criteria are added to the Filter bar as if it was added explicitly. Refer to Adding Filters Implicitly
section on page 98 for more information.
Use the Filter Bar to add pre-defined filters from a pull-down menu and to specify parameters
for those filters. Filter values will be matched in the database during report generation.
Click the Add Filter button (+) on the left to display a pull-down menu, which can then be used
to fine-tune the report data by selecting categories.

Filters can also be added by right-clicking on a column entry and selecting the Filter option from
the pull-down menu.


Filter criteria are context-dependent, meaning that SonicWALL GMS finds the specific filter
operators applicable to the entry. Many filter operators are used in connection with a text string
or numeric filter input value that determines what data to include in the report. This control uses
auto-complete to suggest a set of candidate values, or you can manually enter a different value.
Manually-entered values should be checked for blanks, illegal characters etc.
Operators are specified by clicking on the default operator to bring up the pull-down menu of
available operators.

Depending on the selected field type, text string or numeric, several filter operators are
available. The filter operators are used with a filter input value to restrict the information
displayed in the Detail report.
The operators are defined as shown in Table 9.
Table 9 Filter Operators

Operator     Definition
Equals       Only data that exactly matches the filter input text will be included in the report
Start with   Data that begins with the input text will be included in the report
End with     Data that ends with the input text will be included in the report
Contains     Data that contains the input text will be included in the report
=            Only data that exactly matches the filter input numerical value will be included in the report
>            Data values that are greater than the input numerical value will be included in the report
>=           Data values that are greater than or equal to the input numerical value will be included in the report
<=           Data values that are less than or equal to the input numerical value will be included in the report
<            Data values that are less than the input numerical value will be included in the report
!=           Data values that are not equal to the input numerical value will be included in the report

You can also use wild-cards (*) in filters to match anything. For instance, you might want to
match a User name. You would select LIKE as the operator, and use * in connection with a
string. For example, joh* would match all users starting with joh, such as John, Johnny,
Johan, etc.
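As an added illustration (not code from the GMS guide or the product), the following Python models how the Table 9 filter operators and the LIKE wild-card narrow a report, and how the Rows limit interacts with Client-side Sort versus Enable Server Side Sort described earlier; the row layout, field names and values are constructed assumptions.

```python
"""Added example, not part of the SonicWALL GMS guide or product: a model of the
Table 9 filter operators, the LIKE wild-card, and the row-limit / sort behaviour
described for the Interval menu. Rows, field names and values are constructed."""
import re

# Constructed sample rows (not real appliance data). "hits" is the ranking column.
SAMPLE_ROWS = [
    {"initiator": "10.1.1.5", "user": "John",   "service": "tcp/https", "hits": 940},
    {"initiator": "10.1.1.7", "user": "Johnny", "service": "tcp/http",  "hits": 610},
    {"initiator": "10.1.2.9", "user": "Alice",  "service": "udp/dns",   "hits": 420},
    {"initiator": "10.1.2.3", "user": "Johan",  "service": "tcp/https", "hits": 300},
    {"initiator": "10.1.3.1", "user": "Bob",    "service": "tcp/smtp",  "hits": 120},
    {"initiator": "10.1.3.2", "user": "Carol",  "service": "tcp/https", "hits": 75},
    {"initiator": "10.1.3.8", "user": "Dave",   "service": "udp/ntp",   "hits": 12},
]


def like_match(value, pattern):
    """LIKE: '*' is a wild-card matching anything, so 'joh*' matches John, Johnny, Johan.
    Case-insensitive, as the guide's example implies; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


# Text-field operators from Table 9 (exact, case-sensitive matching) plus LIKE.
TEXT_OPERATORS = {
    "Equals": lambda v, x: v == x,
    "Start with": lambda v, x: v.startswith(x),
    "End with": lambda v, x: v.endswith(x),
    "Contains": lambda v, x: x in v,
    "LIKE": like_match,
}
# Numeric-field operators from Table 9.
NUMERIC_OPERATORS = {
    "=": lambda v, x: v == x,
    ">": lambda v, x: v > x,
    ">=": lambda v, x: v >= x,
    "<=": lambda v, x: v <= x,
    "<": lambda v, x: v < x,
    "!=": lambda v, x: v != x,
}


def validate_value(field_type, raw):
    """The checks the guide asks for on manually-entered values: no blanks,
    no illegal (control) characters, and a real number for numeric fields."""
    if raw is None or raw.strip() == "":
        raise ValueError("filter value must not be blank")
    if re.search(r"[\x00-\x1f\x7f]", raw):
        raise ValueError("filter value contains illegal control characters")
    if field_type == "numeric":
        try:
            return float(raw)
        except ValueError:
            raise ValueError(f"numeric filter needs a number, got {raw!r}") from None
    return raw


def apply_filters(rows, filters):
    """filters: list of (field, operator, raw_value). Each filter narrows the
    result further, as each Go click in the Filter Bar does (filters are ANDed)."""
    result = list(rows)
    for field, op, raw in filters:
        if op in NUMERIC_OPERATORS:
            value, test = validate_value("numeric", raw), NUMERIC_OPERATORS[op]
        elif op in TEXT_OPERATORS:
            value, test = validate_value("text", raw), TEXT_OPERATORS[op]
        else:
            raise ValueError(f"unknown filter operator {op!r}")
        result = [r for r in result if test(r[field], value)]
    return result


def client_side_sort(rows, rows_limit, descending=True):
    """Default Client-side Sort: the first retrieval ranks by hits and fetches only
    rows_limit rows; clicking the column header afterwards re-sorts just those rows."""
    retrieved = sorted(rows, key=lambda r: r["hits"], reverse=True)[:rows_limit]
    return sorted(retrieved, key=lambda r: r["hits"], reverse=descending)


def server_side_sort(rows, rows_limit, descending=True):
    """Enable Server Side Sort: rank every record in the back-end database in the
    requested order first, then display rows_limit of them."""
    return sorted(rows, key=lambda r: r["hits"], reverse=descending)[:rows_limit]


def hits_of(rows):
    """Convenience: the hit counts of a row list, in display order."""
    return [r["hits"] for r in rows]


if __name__ == "__main__":
    print("LIKE joh*:", [r["user"] for r in apply_filters(SAMPLE_ROWS, [("user", "LIKE", "joh*")])])
    https_busy = apply_filters(SAMPLE_ROWS, [("service", "Equals", "tcp/https"), ("hits", ">=", "300")])
    print("tcp/https with >= 300 hits:", [r["initiator"] for r in https_busy])
    # With Rows = 3, re-sorting to see the lowest hits gives different answers in the two modes.
    print("client-side ascending:", hits_of(client_side_sort(SAMPLE_ROWS, 3, descending=False)))
    print("server-side ascending:", hits_of(server_side_sort(SAMPLE_ROWS, 3, descending=False)))
```

The last two lines of output show the point made above: with the display limited to three rows, a client-side re-sort only reverses the three rows already fetched, while the server-side sort returns the three lowest values from the whole data set.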


Using the Filter Bar


Use the Filter Bar to manually (explicitly) add filters.
Step 1

To add a filter, click on the Add Filter (+) menu and select a filter from the pull-down menu.
Available Filter categories may differ, depending on the report, and may require parameters.
Some filter fields use operators with text or numeric values. Others might have pre-filled values.
For example, the Initiator Country filter displays a pull-down list, allowing you to display results
based on a selected country.

Step 2

Click the Go button (right-hand arrow) to add a filter. Each filter must be applied by clicking on
Go before you can select and apply the next filter. The filter bar will show all filters added,
whether added from the menu bar or pull-down menu.
As filters are added, items that have been filtered out disappear from the listings, reappearing
only when the associated filter, or all filters, are removed.

Step 3

To remove a filter, click the + next to the filter in the menu bar and click the Go (right arrow)
button. To clear all filters, click the Clear Filter (x) next to the filter fields.

Adding Filters Implicitly


SonicWALL GMS also allows adding filters directly to a drillable (hypertext-linked) column to
create a criteria control, where you can set a value for the filter. Adding a filter to a column
allows you to restrict the display to view only the data related to the entry of interest.
In second-level reports with multiple subsections, filters can be added simply by clicking on the
hyperlinked data in the report section.
Step 1

To add a filter to a drillable column containing hypertext links, right-click on a hypertext column
cell and select Add Filter from the resulting pull-down context menu.
Because the filter is context-sensitive, it may suggest a set of candidate values, or you can manually
enter a different value. A new filter will be automatically added to the filter bar, and the report will
be updated accordingly.
Once added, the filter is added to the filter area of the Search Bar and no longer appears in the
pull-down list. The report will display only results restricted by that filter.

Step 2

To remove the filter, click the x next to that filter, or clear all filters by clicking the red X button
to the right of the field.

Saving/Viewing a Filtered Report


The Save Report pop-up menu allows you to save the currently-displayed report with a
specified name of no more than 20 characters. You can also overwrite an already-saved report
with the current report or overwrite the report to show a new date range.
Saved reports, even if created for a specific unit, are available for all units of that appliance
type. For example, if a report for the X1 interface was created for a specific unit, this report is
available from any unit: there is no need to create a X1 report for different units.


Note

Custom Reports created by a specific user are viewable by that user, and no one else.
Domain Administrators can view all available reports.

Step 1

To save a report, along with its filter criteria, click the Save Report icon.

Step 2

Assign it a file name for later reference.

Step 3

To view a saved Custom Report, click the Custom Reports button to bring up a menu that
contains a list of all saved Custom reports available for viewing. Selecting a Custom Report from
this pull-down loads data for the selected report into the Report Data Container.

Step 4

You can also load a saved report from the Report tab on the middle bar menu. Click Custom
Reports on the Reports tab and select the desired report to load it into the Data Container.

Step 5

Click on the appropriate Export Results icon to save a report to a PDF file or Excel spreadsheet.
To print a copy of the report, click on the PDF icon and save it to a file, then print the PDF file.

Tip

Saved Reports can be modified or deleted by clicking on Custom > Manage Reports.

Scheduling Reports
You can schedule a report to be created and sent to you in email, using the Universal
Scheduled Reports function.
The Schedule Reports icon is located to the right side of the toolbar above the Load Custom
Reports button.
Click this icon to bring up the Universal Scheduled Report Configuration Manager.

When the Configuration Manager menu comes up, it will be pre-filled with the information about
the current Reports page. Using this report, you can set up specific tasks, choose the format for
the report, and other options. For more information on using Universal Scheduled Reports, refer
to the section: Universal Scheduled Reports.

Report Data Container


The Report Data Container is the screen space where the report data is displayed.
SonicWALL GMS provides interactive reporting to create a clear and visually pleasing display
of information in the Report Data Container. The Root-level baseline report shows the Chart
View, usually containing a timeline or a pie chart and a Graph View.
You can control the way the information is displayed by adjusting the settings through toggles
or by configuring reports in the dashboard interface.
Reports have a Date Selector and Filter Bar at the top, with the Report Data Container below it.
Detail-level reports are available either by drilling down on hyperlinks in the Root-level view,
or, for some types of Reports, as a shortcut on the Report tab.


Note

Cell data in the report container can be copied by right-clicking the cell and selecting Copy
Cell Data from the pull-down menu.

Layout of the Data Container


The Report Data Container is comprised of a number of Sections. Sections are usually arranged
vertically stacked on top of each other. Each section has a Title Bar which contains the Section
title on the left and a group of buttons on the right. The Report itself may contain one or more
Sections of data, which are different facets of the report data.

Note

Root level reports available in the Reports panel usually contain only one section.
The Report Data Container sections either appear as a chart view, a grid view, or both.
The default display mode is Show Chart and Grid. In this mode, the data is available for
viewing as both a Chart and a Grid. This layout can be controlled by switching between 3
display mode options, any of which can be turned on/off at any time, using the utility toggle
button group on the Section Title Bar.
The display modes available on this layout are:


Show Chart: In this mode only the chart is visible and takes up all the available space
inside the section container. Charts show a timeline or pie chart.

Show Grid: In this mode only the Grid is visible. The Grid Display may contain more than
one Section.

Show Chart and Grid: In this mode both the chart and the grid are visible and are vertically
stacked.


Switching between these modes is handled through the utility toggle buttons.

Only one mode can be active at a time.


A Reload Data button is present on the title bar in all the layouts described above.
Clicking this button will instruct the application to refresh the section data.
You can determine if you have reached the final section in a multi-section Grid View by checking
if there is a message about the relevant time-zone at the bottom left of the report. If this
message is present, there are no more Grid sections available.

Viewing Syslog Data of Generated Reports


Different types of section data are available under the root-level report. The section level
reports are available through the Details entry on the middle pane Reports tab, for some
Reports. You can also drill down from the root level report to the second level Detail views,
containing multiple subsections, by right-clicking a hyperlink and selecting Drilldown from the
pull-down menu. The syslog fields corresponding to the applied filter will come up.

Drilling Down
Sections in the Grid display may contain drillable columns, containing hypertext links to bring
up a Detail Report. A drillable column appears as a column in the data grid, where the child values
appear underlined and in blue, and act as a hyperlink to additional information. Click on any of these
values to drill down to another report, using the value on which drill-down has been executed as a
filter. When you click on a drillable link, this filter will be added to the Filter Bar.
Drilling down navigates to a new Detail report, filtered by the data on which the drill-down was
executed. Drillable reports can display multiple grid sections in the sub-reports, or bring up a
System Analyzer view, depending on the item selected.

The following example illustrates how you can drill down through the Data Usage Report by
clicking on a drillable entry to gain more information and filter the results.
Step 1: Click on an appliance, then click Data Usage on the Reports tab. You will see a timeline
showing connections.

Step 2: Click on a hyperlinked Time to go to the Detail view of the Report. The Detail view contains
multiple sections, including Initiators, Responders, Service types, Initiator Countries, and
Responder Countries. Depending on the number of entries, you may need to scroll down to see
all the sections.

Note: You can also apply a filter through the Filter Bar or by right-clicking the entry. Select the filter
and click Go. The Report will show the detail view applicable to that filter.

Step 3: To further filter the output, to view only tcp/https usage, click on the tcp/https entry under
Services. A Detail report, filtered to show only usage of tcp/https, comes up. Notice that a
Service entry has been added to the Filter Bar.

Notice that the Report now focuses on the filter constraint from the drilled-down column.
Since this report also contains drill-down areas, you can drill down even further to add
additional constraints to the results.

Note: Many report categories contain a Details item in the list of reports. This link provides a
shortcut directly to the Detail view of all sub-sections of the report. You can apply filters
directly to the Detail view to further constrain the displayed information.

The Log Analyzer provides the most detailed Report information.

Step 4: To view the Log Analyzer, go to the Reports tab once you have drilled down to the desired level
of detail and click on Analyzers > Log Analyzer.

Note: Because Log Analyzer Reports can contain a very large amount of data, you may wish to
limit the amount of data displayed on the page. The amount of data in the report can also
affect the loading speed.


The Log Analyzer contains information about each connection, including port and interface
information, number of Bytes sent, etc.

You can drill down through the Log Analyzer Report as well. Clicking on a column item adds an
additional filter and narrows down your results, allowing you to zoom in on specific instances.
Some Log Analyzer reports can be reached as the final step of a drilldown process.
The bottom bar of the Log Analyzer contains a page bar, which allows you to navigate through
the report by paging forward and backward, or going to the specific page of interest.


Custom Reports
Specific customized reports can be generated and saved by means of the Save icon. Click the
Save icon to bring up a drop-down menu allowing you to save a custom report.

This menu will be pre-filled with a name reflecting the report it was based on. If an earlier report
with this name was generated, you can choose to overwrite it or save a new copy, or assign it
a different name.
The new Custom report will be added to the pull-down menu accessed when you click Load
Custom Report. It will also be added to the Reports Tab list under Custom. When a specific
Custom report is selected on the Load Custom Report pull-down menu, the button will reflect
the name of that report.
Custom Reports can also be accessed or deleted by going to Reports > Custom > Manage
Reports.

Troubleshooting Reports

One of the most common reasons a report does not display is that no data is available for the
selected appliance. There are several reasons why you might see this error. GMS displays the
most likely reason(s) and gives you instructions for ways to resolve the problem.
The most common examples are shown below.

Appliance is in a Provisioned State:
GMS is waiting for a handshake response signal from the appliance. Generally, the TreeControl
menu will also flag the appliance with a lightning bolt on a yellow background.

Appliance is Down

Report Could Not Be Generated:
There might be no data available for a variety of reasons. The most common causes are listed
in this message, along with actions to take.

Managing SonicWALL GMS Reports on the Console Panel

There are management settings for the GMS Reporting Module on the GMS Console panel. A
Reports selection is available on the left menu bar, which allows you to set up certain tasks in
the right-hand Management pane. This pane contains limited configuration screens, used for
managing scheduled email report configuration, system debug-level logging, and showing
legacy reports.
In this pane, you can set CDP Summarizer parameters and schedule emailing or archiving of
reports.
Data deletion or storage specified in these menus will take place after completion of the current
reports run.

- For information about GMS management settings, see the Configuring Management
Settings section on page 775 in the Configuring Console Management Settings chapter.
- For information about user screen permissions, see the Moving a User section on
page 787 in the Configuring Console Management Settings chapter.
- Reports generated by pre-7.0 releases of SonicWALL GMS can still be viewed, but require
specific configuration. See the Managing Legacy Reports section on page 808.

CHAPTER 5
Viewing Firewall Reports
This chapter describes how to generate reports using the SonicWALL GMS Reporting Module.
The following sections describe how to configure the settings for viewing reports:

- Firewall Reporting Overview section on page 109
- How to View Firewall Reports section on page 113
- Using the Log Analyzer section on page 124

Firewall Reporting Overview

The Reports available under the Firewall tab provide specific information on data gathered by
the SonicWALL GMS interface.
The Firewall reports display either summary or unit views of connections, bandwidth, uptime,
intrusions and attacks, and SRA usage, displayed in a Data Container. Information can be
viewed in either chart (timeline or pie chart) form, or tabular (grid) format. The list of available
reports allows you to navigate to a high-level or specific view.
All of the reports in SonicWALL GMS report on data gathered on a specific date or range of
dates. Data can be filtered by time constraints and data filters.

Benefits of Firewall Reporting

Firewall Reports allow you to access both real-time and historical reports and view all activity
on SonicWALL Internet security appliances. By monitoring network access, logins, and sites
accessed, you can enhance system security, monitor internet usage, and anticipate future
bandwidth needs.
You can gain more information from the display, simply by hovering the mouse pointer over
certain sections. Additionally, by clicking on selected sections of a pie chart or bar-graph
timeline view, you can view more information or view different aspects of the information
presented.


Firewall Reports Tab

The Firewall tab gives you access to the Firewalls reports section of the SonicWALL GMS
management interface. Reporting supports both graph and non-graph reports, and allows you
to filter data according to what you wish to view. It supports multiple product-licensing models.
Firewall Reports provide the following features:

- Clickable reports with drill-down support on data rows
- Report data filtering through the Search Bar
- Log Analyzer

You can view Reports either as Summary reports for all or selected units on the
SonicWALL GMS network, or view detailed reports for individual units.

Viewing Available Firewall Report Types

To view the available types of reports for the Firewall appliances, perform the following steps:

Step 1: Log into your GMS management console.

Step 2: Click the Firewall tab.

Step 3: Select an appliance, global view, or group of appliances from the TreeControl.

Step 4: Click the Reports tab on the top of the screen.

Step 5: Expand the desired selection on the Reports list and click on it.

Note: All Reports show a one-day period unless another interval is specified in the Time Bar.

The following types of reports are available:

Global or Group Level Reports:

- Data Usage
  - Summary: connections, listed by appliance, for one day (default)
- Applications
  - Summary: connections, listed by application, for one day (default)
- Web Activity
  - Summary: hits, listed by appliance, for one day (default)
- Web Filter
  - Summary: access attempts, listed by appliance, for one day (default)
- VPN Usage
  - Summary: VPN connections, listed by appliance, for one day (default)
- Threats
  - Summary: connection attempts, listed by appliance, for one day (default)

Note: Summary Reports are not drillable and no Detail view is available.


Unit Level Reports

Detail views are available for all Report items unless otherwise noted.

- Data Usage
  - Timeline: connections for one day (default)
  - Initiators: Top Initiators, listed by IP address, Initiator Host, User, and Responder,
    displayed as a pie chart
  - Responders: Top Responders, listed by IP address, Responder Host, and Initiator,
    displayed as a pie chart
  - Services: connections, listed by service protocol, displayed as a pie chart
  - Details: provides a shortcut to the Detail view normally reached by drilling down.
    Detail sections include: Initiators, Services, Responders, Initiator Countries, and
    Responder Countries. Additional filtering/drilldown takes you to the Log Analyzer
- Applications
  - Data Usage: connections, listed by application and threat level
  - Detected: events, listed by application and threat level
  - Blocked: blocked events, listed by application and threat level
  - Categories: types of applications attempting access
  - Initiators: events displayed by Initiator IP and Initiator host
  - Timeline: events over one day
- User Activity
  - Details: a detailed report of activity for the specified user
- Web Activity
  - Category: hits and browse time listed by information category
  - Sites: sites visited by IP, name, and category, with hits and browse time
  - Initiators: Initiator host and IP with category and user
  - Timeline: site hits with time of access and browse time
  - Details: provides a shortcut to an access timeline and Detail view normally reached
    by drilling down. Detail sections include: Categories, Sites, and Initiators.
- Web Filter
  - Category: hits and browse time listed by information category
  - Sites: sites visited by IP, name, and category, with hits and browse time
  - Initiators: Initiator host and IP with category and user
  - Timeline: site hits with time of access and browse time
  - Details: provides a shortcut to an access timeline and Detail view normally reached
    by drilling down. Detail sections include: Categories, Sites, and Initiators.
- VPN Usage
  - Policies: lists connections by VPN Policy
  - Initiators: Initiator host and IP with category and user
  - Services: Top VPN Services by Service Protocol
  - Timeline: VPN connections over a 1 day period
- Intrusions
  - Detected: number of intrusion events by category
  - Targets: number of intrusion events by target host and IP
  - Timeline: intrusions listed by time of day
- Gateway Viruses
  - Blocked: blocked virus attacks and number of attempts at access
  - Targets: targeted hosts and IP addresses
  - Initiators: initiating users, hosts, and IP addresses of the virus attack
  - Timeline: times when the virus attempted to gain access, displayed over time
- Spyware
  - Detected: spyware detected by the firewall
  - Blocked: spyware blocked by the firewall
  - Targets: targeted hosts and IP addresses
  - Initiators: initiating users, hosts, and IP addresses of spyware download
  - Timeline: times when the spyware accessed the system, displayed over time
- Attacks
  - Attempts: type of attack and times access was attempted
  - Targets: host and IP address, and number of times access was attempted
  - Initiators: top attack initiators by IP and host
  - Timeline: time and number of attempts at access, displayed over time
- Authentication: authenticated users, their IP addresses, and type of login/logout
  - User Login
  - Admin Login
  - Failed Login
- Analyzers
  - Log Analyzer: provides a detailed event-by-event listing of all activity. The Log
    Analyzer is drillable, but no Detail sections are available.
- Up/Down
  - Timeline: provides a timeline of unit availability. No Detail sections are available.
- Custom Reports: allows access to saved custom reports

Understanding the Data Container

The Report contains a filter bar at the top, plus the actual Data Container. The default Data
Container contains an interactive chart view or a grid view, which contains a text version of
the information. One or more sections may be present in the grid view. Toggle buttons allow you
to display the Chart view, Grid view, or Chart and Grid view.
Grid sections are arranged in columns. Columns may be sorted to view them from the top down
or bottom up, by clicking the up and down arrows in the column headings. You can narrow
results by applying a filter to a column: right-click on a column heading and click Add Filter.

Hypertext-linked columns are drillable, meaning you can click on the hypertext entry to bring up
a Detail view with more information on the desired entry. Detail views might have multiple
sections.
The Detail views are usually reflected in the sub-headings under the Reports list, which provide
a shortcut directly to the Detail Report. To go to the full Detail view, click the Details entry in the
Reports list. From the Detail view, you can access the system logs, for event-by-event
information, or further filter the results. For more information on using the Log Analyzer to view
and filter syslog reports, see the Using the Log Analyzer section on page 124.
Detail views can contain multiple sections. To determine if you have reached the end of the
list of sections, check for the time zone message, which indicates the end of the Detail View.
Reports with hyperlinked columns can be filtered on the column or by drilling down on the
hyperlinked entry.
You can also get to a filtered Detail view by clicking the section representing the desired
information in the pie chart.
To save a filtered view for later viewing, click on the Save icon on the Filter Bar. The saved view
will now appear under Custom Reports.
To learn more about Custom reports, see the Custom Reports section on page 135.

How to View Firewall Reports

The Firewall Summary reports display an overview of bandwidth, uptime, intrusions and
attacks, and SRA usage for managed SonicWALL Firewall appliances. The security summary
report provides data about worldwide security threats that can affect your network. The
summaries also display data about threats blocked by the SonicWALL security appliance.
You can view Firewall Reports either as global or group summary reports, or by individual
unit:

- Viewing Global Summary Reports section on page 113
- Viewing Status Uptime/DownTime Summary Reports section on page 129
- Custom Reports section on page 135

Viewing Global Summary Reports

Summary reports for data usage, applications, web usage and filtering, VPN usage, and threats
for managed SonicWALL appliances are available at the global level, through the TreeControl
menu. Summary reports are available for:

- Data Usage
- App Control
- Web Usage
- Web Filtering
- VPN Usage
- Threats

Group-level Summary reports provide an overview of information for all Firewalls under the
group node for the specified period. The report covers the connections and transfers by
appliance for Data Usage, App Control, and VPN Usage. For Web Usage and Web Filters, hits
are also included. Web filters and Threats list attempts at connection. Unless specified
differently in the Date Selector, the Summary report covers a single day. Global Summary
reports are not drillable.
To view the Summary report, perform the following steps:

Step 1: Click the Reports tab.

Step 2: Select the global icon or a group of appliances.

Step 3: Click Data Usage > Summary.

The timelines at the top of the page display the totals, and the grid section sorts the information
by appliance or applications.

Similar summary reports are available for all the Global or Group reports specified above.

Viewing Unit Level Status Reports

Unit level reports display status for an individual SonicWALL appliance. From this information,
you can locate trouble spots within your network, such as a SonicWALL appliance that is having
network connectivity issues caused by the ISP. You can also monitor web usage, including
attempts to reach filtered sites, as well as incoming attacks on your network.

Note: Global reports are displayed in the GMS's time zone. Reports for individual SonicWALL
security appliances are displayed in the individual appliance's time zone.

Viewing Data Usage Reports

The default Data Usage report displays a timeline for hours that the selected SonicWALL
appliance was online and functional during the time period, with connections, transferred
connections, and cost displayed.

Step 1: Click the Reports tab.

Step 2: Select the global icon, a group, or a SonicWALL appliance.

Step 3: Click Data Usage > Timeline. (This is the default view when the Firewall Report interface
comes up.)

This report is drillable. Click on an Initiator IP entry to break the Timeline report down into its
Detail View report groups for the selected IP address. These groups also contain drillable
hyperlinks that will take you to more specific Detail View information. The columns can also be
filtered on. For more information on drilling down in a report, refer to Drilling Down on
page 101.
The following Section entries are available:

- Initiators: Initiators are grouped by IP, Host, User Name, Connections, and Transferred
Connections
- Responders: Responders are grouped by IP, Host, User Name, Connections, and
Transferred Connections
- Services: connections from the various services
- Details: Provides a shortcut to the Details View

Viewing User Activity Logs

Web User Activity logs allow you to filter results to view only the activity of a specific user.
The User Activity Analyzer provides a detailed report listing activity filtered by user. If a user
report has been saved previously, bringing up the User Activity Analyzer will display a list of
saved reports under the Filter Bar.
If you wish to create a new report, use the Filter Bar to create a new report.

Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance.

Step 3: Click on User Activity > Details to bring up the User Activity Analyzer. The User Activity
Analyzer generates a Detail report based on the user name.
If no user activity reports were saved, only the Filter Bar will display, with the User filter
pre-selected. You can enter a specific user name, or use the LIKE operator wildcards (*) to
match multiple names.

Step 4: Enter the name of the user into the field and click the Go (arrow) button to generate the
report.
The customized User Activity Details report will display a timeline of events, Initiators,
Responders, Services, Applications, Sites visited, Blocked site access attempted, VPN access
policy in use, user authentication, Intrusions, Initiator Countries, and Responder Countries
associated with that particular user.
Data for a particular user may not be available for all of these categories.

Viewing Applications Reports

Application Reports provide details on the applications detected and blocked by the firewall,
and their associated threat levels.

Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance.

Step 3: Click Application > Data Usage.

The Applications Report displays a pie chart with the application and threat level it poses.

You can drill down for additional Details views on connections over time (Timeline view), Data
Usage, Detected applications, Blocked applications, Categories of applications, and Top
Initiators.

Viewing Web Activity Reports

Web Activity Reports provide detailed reports on browsing history.

Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance.

Step 3: Click Web Activity > Categories.

The Web Activity Report displays a pie chart with the Top Categories of type of access, total
browse time, and hits.
You can drill down for additional Details views on connections over time (Timeline view), Sites
visited, Categories of sites, and Top Initiators. A Details entry links directly to the details view
of all entries.

Viewing Web Filter Reports

Web Filter Reports provide detailed reports on attempts to access blocked sites and content.

Step 1: Click the Reports tab.

Step 2: Select the global icon, a group, or a SonicWALL appliance.

Step 3: Click Web Filter > Categories.

The Web Filter Report displays a pie chart with the Top Categories of blocked access and total
attempts to access.

You can drill down for additional Details views on connections over time (Timeline view), Sites
visited, Categories of sites, and Top initiators. A Details entry links directly to the details view
of all entries.

Viewing VPN Usage Reports

VPN usage reports provide details on the services and policies used by users of virtual private
networks.

Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance.

Step 3: Click VPN Usage > Policies.

The VPN Usage Report displays total connections for each VPN Policy item as a pie chart and
tabular grid view.

You can drill down for additional Details views on Service protocols and Top initiators.

Viewing Intrusions Reports

Intrusion Reports provide details on types of intrusions and blocked access attempts.

Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance.

Step 3: Click Intrusions > Detected.

The Attacks report provides a pie chart and a list of the initiating IP addresses, hosts, and users,
with number of attempts for each.

Drill down for additional Detail views of Intrusion Categories, Targets, Initiators, Ports affected,
Target Countries, and Initiator Countries.

Viewing Gateway Viruses Reports

The Gateway Viruses reports provide details on the Top Viruses that were blocked when
attempting to access the firewall.

Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance.

Step 3: Click Gateway Viruses > Blocked.

The Top Viruses report appears.

The report provides details on the viruses blocked, the targets, initiators, and a timeline of when
they attempted access.

Drilling down provides a list of virus identity, Targets, Initiators, Target Countries, and Initiator
Countries.

Viewing Spyware Reports

The Spyware report gives details of the spyware that was detected and/or blocked, the targets,
initiators, and a timeline of when they attempted access.

Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance.

Step 3: Click Spyware > Detected.

The report provides details on the types of spyware detected and blocked, and the targets.
Drilling down provides a list of virus identity, Targets, Initiators, Target Countries, and Initiator
Countries, that is, the countries of origin and the target countries.

Viewing Attacks Report

The Attacks report lists attempts to gain access, target systems, initiators, and a timeline of
when the attack occurred.

Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance.

Step 3: Click Attacks > Attempts.

The Attacks report provides a pie chart and a list of the initiating IP addresses and hosts.

Drill down for additional Detail views of Intrusion Categories, Targets, Initiators, Ports affected,
Target Countries, and Initiator Countries.

Viewing Authentication Reports

Authentication reports provide information on users attempting to access the Firewall.

Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance.

Step 3: Click Authentication > User Login.

The Authentication report displays a list of authenticated users, their IP addresses, service,
time they were logged in, and type of login/logout. Additional Reports are available for
Administrator logins and failed login attempts.

Clicking on hyperlinks provides additional filtering for the reports.

You can filter on the Service to view SRA and other appliances by drilling down to the syslog.

Step 1: Go to the filter bar and click on the + and select Service from the pull-down menu. Click on the
= operator, and click on the field next to it to bring up the pull-down menu. Select SSLVPN from
the pull-down list.

Step 2: Click Go to view a report for that Service.

Note: For the Duration and Service categories to be present, the Firewall appliance firmware must
be at least version 5.6.0.

Using the Log Analyzer

The Log Analyzer allows advanced users to examine raw data for status and troubleshooting.
The Analyzer logs contain detailed information from the system logs on each transaction that
occurred on the specified SonicWALL appliance. These logs can be filtered or drilled down to
further narrow the focus of the information, allowing analysis of data about alerts, interfaces,
bandwidth consumption, etc. The Log Analyzer is only available at the individual unit level.
Because of space constraints, some column items, particularly the log event messages, may
not be fully visible in the Reports pane. To view the full report, export the report to an Excel
spreadsheet to view, sort, or organize messages.
Log information can be saved for later analysis and reloaded from Custom Reports.
To load a report for viewing, either:

- Click Load Custom Report and select from the pull-down list of saved Custom Reports.
- Click on Analyzers > Log Analyzer to view the current log.

Note: The Log Analyzer entries display raw log information for every connection. Depending on
the amount of traffic, this can quickly consume a large amount of space in the database. It
is highly recommended that you choose the number of days of information to be stored
with care.


The log displays information specific to either a particular report or overall system information,
depending on the path used to reach the log, either from the individual report level or from the
Log Analyzer entry on the Reports tab. Entries in the Analyzer log will vary, according to the
relevant report type.
The log event messages are color-keyed according to priority. Red is the highest priority,
followed by yellow for Alerts. Messages without color keys are informational only. The color
categories are:

- Alert: Yellow
- Critical: Red
- Debug: White
- Emergency: Red
- Error: White
- Info: White
- Notice: White
- Warning: White

Color keys allow you to immediately focus on the priority level of the message, and filter data
accordingly.

Filtering the Analyzer Log

The Log Analyzer allows you to add filters to view user- or incident-specific data. The Log
Analyzer can be reached either by drilling down in individual reports, or from the Analyzers item
under the Reports tab.

To view the Analyzer Log, perform the following steps:


Step 1: Click the Reports tab.

Step 2: Select a SonicWALL appliance from the TreeControl pane.

Step 3: Click to expand the Analyzer tree and click on Log Analyzer. The saved Log Analyzer report
page displays.

Note: Because system logs have a large number of entries, it is advisable to constrain the number
of entries displayed on the page.
Saved system logs are limited in the number of rows that will be saved. If saving to PDF, a
maximum of 2500 rows will be saved. If saving to Excel, a maximum of 10,000 rows will be
saved.

Step 4: To add a filter, click on the + in the Filter Bar and specify the desired filter item and parameters.
Available filters include filters for Application, Category, DST Interface, DST Port, Duration,
Initiator Country, Host, or IP address, Interface, Message, Priority, Responder country, IP, or
Name, Service, Session, Src Interface, Src Port, URL, User, or VPN Policy. This full list is
available from the Log Analyzer Entry.
If you are viewing the log in the Log Analyzer view for a specific application entry, only those
filters specific to that entry will be available.
Log views are drillable, and will add filters as column entries are drilled. Click on an entry of
interest to add a filter and further constrain the information displayed.


Log Analyzer Use Case

In the following use case, we will sort and filter the captured event information to evaluate
threats targeted toward the X0 default interface.
On the Reports tab, click on Analyzers > Log Analyzer.

In the Log Analyzer, click on the + to add a filter, and select the Interface filter. Type in X0 to
specify the default interface. Click on the Go button.

The Log Analyzer will be filtered on the X0 port interface.

Notice that some entries are flagged in yellow, indicating that these are Alerts. The Priority filter
can sort the entries according to the level of priority: Alert, Critical, Debug, Emergency, Error,
Info, Notice, or Warning.
To view only the Alerts, click on the + button and select Priority. Choose Alert from the
pull-down list.

Click the Go button to filter the log on the additional criteria. It will now display only those
instances on the X0 interface having an Alert status.

This will allow you to begin debugging, or further investigate use of the database.
More information can also be found by using Universal Scheduled Reports.
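The same two-step narrowing, as an added example that is not part of the guide or of GMS itself: a small Python filter that parses constructed SonicWALL-style syslog records, keeps only those touching interface X0 with Alert priority, and tags each record with the colour key listed above. The key=value line format, the ip:port:interface layout of the src and dst fields, and the sample records are assumptions.

```python
"""Added example, not part of the SonicWALL guide: filter SonicWALL-style
syslog records the way the Log Analyzer use case does (Interface = X0, then
Priority = Alert) and tag each record with the guide's colour key."""
import re

# Numeric syslog severities; the names match the Log Analyzer priority categories.
PRIORITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Info", 7: "Debug"}

# Colour keys listed in the guide; every other priority is shown in White.
PRIORITY_COLORS = {"Emergency": "Red", "Critical": "Red", "Alert": "Yellow"}

# Assumed line format: space-separated key=value pairs, values with spaces quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_syslog(line):
    """Turn one key=value syslog line into a dict; surrounding quotes are stripped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def interfaces(fields):
    """Interfaces a record touches, read from src/dst (assumed ip:port:interface)."""
    found = set()
    for key in ("src", "dst"):
        parts = fields.get(key, "").split(":")
        if len(parts) >= 3:
            found.add(parts[2])
    return found


def priority_name(fields):
    """Map the numeric pri field to its category; missing or bad values count as Info."""
    try:
        return PRIORITY_NAMES.get(int(fields.get("pri", "")), "Info")
    except ValueError:
        return "Info"


def color_key(fields):
    """Colour the Log Analyzer would use for this record."""
    return PRIORITY_COLORS.get(priority_name(fields), "White")


def filter_log(lines, interface=None, priority=None):
    """Keep records that satisfy every filter given, like stacking Filter Bar entries."""
    kept = []
    for line in lines:
        fields = parse_syslog(line)
        if not fields:
            continue  # blank or unparseable line
        if interface is not None and interface not in interfaces(fields):
            continue
        if priority is not None and priority_name(fields) != priority:
            continue
        kept.append(fields)
    return kept


# Constructed sample records; serial number, addresses and messages are placeholders.
SAMPLE_LOG = [
    'id=firewall sn=SERIAL-PLACEHOLDER time="2012-05-01 10:00:01" pri=1 '
    'msg="IPS Detection Alert: sample signature" src=198.51.100.7:4431:X1 '
    'dst=192.0.2.20:80:X0 proto=tcp/http',
    'id=firewall sn=SERIAL-PLACEHOLDER time="2012-05-01 10:00:02" pri=6 '
    'msg="Connection Closed" src=192.0.2.20:51000:X0 dst=198.51.100.9:443:X1 '
    'proto=tcp/https',
    'id=firewall sn=SERIAL-PLACEHOLDER time="2012-05-01 10:00:03" pri=1 '
    'msg="IPS Detection Alert: sample signature" src=198.51.100.7:4432:X1 '
    'dst=192.0.2.30:22:X2 proto=tcp/ssh',
    'id=firewall sn=SERIAL-PLACEHOLDER time="2012-05-01 10:00:04" pri=5 '
    'msg="Connection Opened" src=192.0.2.21:52000:X0 dst=198.51.100.9:80:X1 '
    'proto=tcp/http',
    'id=firewall sn=SERIAL-PLACEHOLDER time="2012-05-01 10:00:05" pri=2 '
    'msg="Probable port scan detected" src=198.51.100.8:0:X1 dst=192.0.2.20:0:X0 '
    'proto=tcp',
]

if __name__ == "__main__":
    # Same two-step narrowing as the use case: interface X0, then priority Alert.
    for rec in filter_log(SAMPLE_LOG, interface="X0", priority="Alert"):
        print(rec["time"], priority_name(rec), color_key(rec), rec["msg"])
```

Of the five sample records, four touch X0 and two are Alerts, but only the first satisfies both filters, which is the one row the use case ends on.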

Viewing Status Uptime/DownTime Summary Reports


The Status Up-Time Summary report contains information on the status of a SonicWALL
appliance or group of appliances during each hour of the specified day.
To view the Status Up-Time Summary report, perform the following steps:
Step 1

Click the Reports tab.

Step 2

Select the global icon, a group, or a SonicWALL appliance.

Step 3

Expand the Status tree and click Up-Time Summary. The Up-Time Summary page displays.
The bar graph displays the amount of time the SonicWALL appliance(s) were online and
functional during each hour of the day.
The Report contains the following information:

Hour - when the sample was taken.

Up Time - number of minutes during the hour that the SonicWALL appliance was Up.

Down Time - number of minutes during the hour that the SonicWALL appliance was
Down.

Up Time % - percentage of time the SonicWALL appliance was Up over the hour.

Step 4

By default, the GMS Reporting Module shows yesterday's report. To change the date of the
report and other settings, click the date field to access the pull-down calendar, or click the
backward arrow to page further back in time, on a day-by-day basis.

Configuration Settings
Configuration settings allow you to set up certain parameters for how data is displayed in
Reports. You can set up currency cost per Megabyte for the Summarizer, or add filters for the
Log Analyzer reports.

Setting Up Currency Cost for Summarizer


The Data Usage page contains a Cost per connection entry. You can set the currency and the
cost per Megabyte.
Step 1

Click Configuration > Settings on the Reports tab.

Step 2

Select the currency of the desired country and the cost per MB.

Step 3

Click Update. The cost will be immediately reflected on the Data Usage page.

Adding Syslog Exclusion Filters


Exclusion Filters restrict what information is used to generate Reports. This is achieved by
filtering out syslogs (based on the criteria specified in the Syslog Filter screen) from being
uploaded to the Reports database. These filtered syslogs are, however, stored in the file system
and archived, thus ensuring that all syslogs are available for audit trailing purposes. Excluding
data from being uploaded to the Reporting database in this way can be useful in maintaining
confidentiality regarding use history, or eliminating data corresponding to certain users who are
not of interest. For instance, you might use an Exclusion Filter to eliminate data from the
company CEO. This screen is used to specify syslog filters for the unit selected in the
TreeControl. A similar screen exists for system wide syslog filtering, in the Console Panel's
Reports > Syslog Filter screen.
Step 1

To add an Exclusion filter, click on Configuration > Filters.

The Syslog Exclusion Filter page comes up. This page allows you to view what filters are
currently applied, add filters, or remove filters.
Step 2

To configure and add an Exclusion Filter, click Add Filter. The Add Filter menu comes up.

Step 3

Specify the field you want to modify, and select an operator and value. Click Update.
The Reports will now be filtered according to the selected criteria. Exclusion Filter settings are
picked up by the Summarizer at specified regular intervals.
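
The filter stacking from the Log Analyzer use case above and the Syslog Exclusion Filters just described, modelled in a small added Python example (not SonicWALL code): it parses constructed key=value syslog lines, keeps excluded lines in the archive while dropping them from the set uploaded to the Reports database, and then stacks Interface and Priority filters on what was uploaded. The line layout, the field names (iface, pri, usr), the LIKE wildcard semantics and every sample value are assumptions made for this example.

```python
"""Added example (not SonicWALL code): a small model of the two kinds of filter this
chapter describes, run over constructed syslog lines.

  * Log Analyzer filters stack: each filter added (Interface = X0, then Priority = Alert)
    further constrains the rows shown, as in the use case above.
  * Syslog Exclusion Filters decide what is uploaded to the Reports database; excluded
    lines are still written to the archive, so the audit trail stays complete.

The key=value line layout, the field names (iface, pri, usr, ...), the LIKE wildcard
operator and every sample value are assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample syslog lines (syslog-style priority numbers in the pri field).
SAMPLE_SYSLOG = """\
time="2012-03-01 09:00:01" pri=6 msg="Connection Opened" src=10.1.1.5 dst=93.184.216.34 iface=X0 usr=alice
time="2012-03-01 09:00:02" pri=1 msg="Possible port scan detected" src=203.0.113.9 dst=10.1.1.5 iface=X0 usr=
time="2012-03-01 09:00:05" pri=1 msg="IPS Detection Alert" src=203.0.113.9 dst=10.1.1.7 iface=X1 usr=
time="2012-03-01 09:00:07" pri=4 msg="Web site access denied" src=10.1.1.20 dst=198.51.100.4 iface=X0 usr=ceo
time="2012-03-01 09:00:09" pri=1 msg="IPS Detection Alert" src=198.51.100.77 dst=10.1.1.20 iface=X0 usr=ceo
"""

# Priority numbers mapped to the names offered by the Log Analyzer's Priority filter.
PRIORITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Info", 7: "Debug"}

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

Record = Dict[str, str]
Filter = Tuple[str, str, str]   # (field, operator, value), e.g. ("iface", "=", "X0")


def parse_line(line: str) -> Record:
    """Parse one syslog line into a field dict and derive the Priority name."""
    rec: Record = {}
    for key, quoted, bare in _KV.findall(line):
        rec[key] = quoted if quoted else bare
    if "pri" in rec:
        rec["Priority"] = PRIORITY_NAMES.get(int(rec["pri"]), "Unknown")
    return rec


def matches(rec: Record, flt: Filter) -> bool:
    """Evaluate one filter against one record.

    "=" is an exact match; "LIKE" treats "*" as a wildcard (the guide mentions LIKE
    wildcards for the User filter; the exact semantics are assumed here)."""
    field_name, op, value = flt
    actual = rec.get(field_name, "")
    if op == "=":
        return actual == value
    if op == "LIKE":
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return re.fullmatch(pattern, actual) is not None
    raise ValueError(f"unsupported operator {op!r}")


def analyzer_view(records: List[Record], filters: List[Filter]) -> List[Record]:
    """Stacked Log Analyzer filters: a row is shown only if it passes every filter."""
    return [r for r in records if all(matches(r, f) for f in filters)]


def split_for_upload(records: List[Record],
                     exclusion_filters: List[Filter]) -> Tuple[List[Record], List[Record]]:
    """Apply Syslog Exclusion Filters as the text describes: every line is archived,
    but a line matching any exclusion filter is kept out of the Reports database."""
    uploaded = [r for r in records if not any(matches(r, f) for f in exclusion_filters)]
    archived = list(records)
    return uploaded, archived


def load_sample() -> List[Record]:
    return [parse_line(l) for l in SAMPLE_SYSLOG.splitlines() if l.strip()]


def run_use_case() -> Dict[str, int]:
    """Exclude the CEO's traffic from reporting, then drill into X0 alerts."""
    records = load_sample()
    uploaded, archived = split_for_upload(records, [("usr", "=", "ceo")])
    on_x0 = analyzer_view(uploaded, [("iface", "=", "X0")])
    x0_alerts = analyzer_view(uploaded, [("iface", "=", "X0"), ("Priority", "=", "Alert")])
    return {"archived": len(archived), "uploaded": len(uploaded),
            "x0": len(on_x0), "x0_alerts": len(x0_alerts)}


if __name__ == "__main__":
    for name, count in run_use_case().items():
        print(f"{name:10s} {count}")
    # A LIKE filter over the full archive, the way a drill-down on Message would work.
    for rec in analyzer_view(load_sample(), [("msg", "LIKE", "IPS*")]):
        print(rec["time"], rec["Priority"], rec["iface"], rec["src"], rec["msg"])
```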

Alerts
The Events entry on the Reports tab allows you to configure and view alerts specific to
Reporting for the unit selected, through the Alert Settings and Current Alerts items.
You can follow specific alerts. For more information, refer to the Using Granular Event
Management section on page 824.
Step 1

Click on Events > Alert Settings.


The Alerts menu comes up. You can use this menu to search for Alerts by name or type, either
by exact match or matching strings. Click Search to find an Alert of interest.

Step 2

You can also add an alert. Click Add Alert on the Alerts menu. The resulting pop-up menu
allows you to specify the type of data you want to track, how often to poll for data, and whether
it is visible to only administrators or to non-administrators as well.

Alert Types are pre-defined, static parameters and are not customizable. Available categories
are:

Alert Type                        Description

Bandwidth usage (Billing Cycle)   Tracks the bandwidth total in bytes per billing cycle. The
                                  value that the threshold will use is Numeric.

Bandwidth Usage (Daily)           Tracks the daily bandwidth total in bytes. The value that the
                                  threshold will use is Numeric.

Events/Hits (Daily)               Tracks the daily events/hits total. The value that the
                                  threshold will use is Numeric.

Number of Threats (Daily)         Tracks the daily attacks count. The value that the threshold
                                  will use is Numeric.

Step 3

Select the Alert Type and click on Edit Content to edit threshold values. A popup menu will
come up. You can choose from the preset Threshold values or create a new threshold value by
clicking the icon to the right of the Threshold banner. Only one new threshold can be created
at a time. For more information on thresholds, see the Configuring Event Thresholds section
on page 829.

Note

Threshold values may not be available for all Alert types. If this is the case, the Edit Content
field will not be present.

Step 4

Alerts can be emailed to you or a specified destination on a regular schedule. You can specify
up to 5 destinations. Click Add Destination to enable and select from the pull-downs of
destination and schedule entries.

Step 5

Click Add Destination again to add up to 5 destinations and associated schedules.

For more information on configuring Destinations, refer to the Destination / Schedule section
on page 838.
Step 6

Click Update when you have finished configuring the Alert. It will be added to the list of Alerts
on the menu.

You can view any currently-configured alerts by clicking Alerts > Current Alerts. A display of the
current Alerts will come up.

The listing will show the severity level of the Alert, the unit it applies to, and a description.
Additional details can be obtained by hovering over the balloon on the right side of the column.

Custom Reports
You can configure a report with customized filters, then save it for later viewing and analysis.
Saving a Report allows you to view it later, by loading it through the Custom Reports interface.
Custom Reports can either be saved directly, or configured through Universal Scheduled
Reports. You can either load the report through the Custom Report pull-down on the Search
Bar, or click Reports > Custom and choose from the list of saved Custom reports.
Regularly scheduled Custom Reports can be configured through the Universal Scheduled
Reports interface, accessible through the Custom Reports icon in the upper right corner. These
reports can be set up to be emailed to you on a regular schedule.
Custom Reports are available at the unit level for all appliances visible on the Firewall tab. The
Log Analyzer must be enabled for the appliance.
The Manage Reports screen (Custom Reports > Manage Reports) allows you to view what
Custom Reports are available and delete reports from the system.
For more information on configuring and scheduling custom Reports refer to the Universal
Scheduled Reports section.

CHAPTER 6
Viewing SRA Reports
This chapter describes how to view SonicWALL Global Management System (GMS) Secure
Remote Access Reports. SRA reporting includes reports for the Web Application Firewall (WAF)
and summarization for SRA appliances using Secure Remote Access (SRA).
This chapter contains the following sections:

SRA Reporting Overview section on page 137

Using and Configuring SRA Reporting section on page 139

Viewing SRA Unit-Level Reports section on page 142

Viewing SRA Analyzer Logs section on page 158

SRA Reporting Overview


This section provides an introduction to the Secure Remote Access reporting feature.
SonicWALL SRA appliances are protected by the user portal on the Web Application Firewall
(WAF). This section contains the following subsections:

SRA Reports Tab section on page 137

What is SRA Reporting? section on page 138

Benefits of SRA Reporting section on page 138

How Does SRA Reporting Work? section on page 138

After reading the GMS SRA Reporting Overview section, you will understand the main steps to
be taken in order to create and customize reports successfully.

SRA Reports Tab


The SRA tab gives you access to the Secure Remote Access (SRA) Reports section of the
GMS management interface. Reporting supports both graph and non-graph reports, and allows
you to filter data according to what you wish to view.

What is SRA Reporting?


Secure Remote Access (SRA) reporting allows you to configure and design the way you view
your reports and the manner in which you receive them. This feature offers various types of
static and dynamic reporting in which you can customize the way information is reported.
SonicWALL GMS SRA reporting provides a visual presentation of User connectivity activity,
Up/Down status, and other reports related to remote access. With SRA reporting, you are able
to view your reports in enhanced graphs, create granular, custom reports, create scheduled
reports, and search for reports using the search bar tool.
Custom reports are also available in SRA reporting. SonicWALL appliances managed with SRA
provide Resource Activity reports for tracking the source, destination, and other information
about resource activity passing through a SonicWALL SRA device that can then be saved as a
Custom report, for later viewing.
Custom Reports can be created through an intuitive, responsive interface for customizing the
report layout and configuring content filtering prior to generating the report. Two types of reports
are available: Detailed Reports and Summary Reports. Both provide detailed information, but
are formatted to meet different needs. A Detailed Report displays the data in sortable, resizable
columns, while a Summary Report provides top level information in graphs that you can click
to drill down for detailed information. By customizing the report, you can then save it for later
viewing and analysis.
Once you set up a Custom Report that meets your needs, you can save the report for later
viewing, then manage it through the Custom Reports Manage Reports entry, or export the
report as a PDF or CSV (Excel) file.

Benefits of SRA Reporting


SRA reports provide visibility into the resource use by logged in users, leading to policies that
enhance the user experience and the productivity of employees. The following capabilities
contribute to the benefits of the SRA reporting feature:

SRA Detail Level Reports can track events to the minute or second of the day for forensics
and troubleshooting

Interactive charts allow drill-down into specific details

Table structure with ability to adjust column width of data grid

Improved report navigation

Report search

Scheduled reports

How Does SRA Reporting Work?


Syslog information for SonicWALL remote appliances is sent to the GMS syslog collector and
uploaded to the Reports Database by the summarizer. The frequency of upload is nearly
real-time: data is uploaded to the Reports database as soon as the Syslog Collector closes the
file. The file is closed and ready for upload as soon as it reaches 10,000 MB per file or if the file
has been open for 3 minutes, whichever comes first.
This database is saved using a date/time suffix, and contains tables full of data for each
appliance. All the syslog data received by SonicWALL GMS is available in the database.

SRA Reporting supports scheduled reports to be sent on a daily, weekly, or monthly basis to
any specified email address.

Using and Configuring SRA Reporting


This section describes how to use and configure SRA reporting. See the following subsections:

Viewing Available SRA Report Types section on page 139

Configuring SRA Scheduled Reports section on page 140

Viewing Available SRA Report Types


To view the available types of reports for SRA Web Application Firewalls (WAF), perform the
following steps:
1. Log into your GMS management console.

2. Click the SRA tab.

3. Click the Reports tab on the top of the screen.


The following types of reports are available:
Group Level Reports:
Data Usage

Summary: connections per SRA appliance

WAF

Summary: connections listed by appliance for one day (default)

Connections

Summary: offloaded connections listed by appliance for one day (default)

Unit Level Reports


Clicking on hyperlinks in the Unit Level Reports takes you to the Analyzer Log, where you
can view more information.
Data Usage

Timeline: total connections listed by hour

Users: connections listed by user

User Activity

Details: a detailed report of activity for the specified user

Access Method

Summary: connections per connection protocol (HTTPS, NetExtender, etc)

Users: top users by protocol

Authentication

User login: authenticated user logins by time and IP protocol. User Login reports
combine admin users with all other users in the same report.

Failed login: Failed login attempts with initiator IP address.

WAF

Timeline: total threats detected per appliance

Threats Detected: top threats detected per day

Threats Prevented: top threats prevented per day

Apps Detected: top applications detected per day

Apps Prevented: top applications blocked per day

Users Detected: number of concurrent users per day

Users Prevented: number of blocked users prevented per day

Connections

Timeline: a summary of offloaded connections under the group node per SRA
appliance, listed for one day.

Applications: offloaded connections by application

Users: offloaded connections by user

Up/Down

Timeline: uptime and downtime by hour for one day

Analyzers

Log Analyzer: logs of all activity

Configuration: menus allow setting Report display options

Log Analyzer Filter: applies filters to the system logs uploaded to the reporting
database

Events: these menus allow setting options

Alert Settings: provides search functions, adding or removing Alerts

Current Alerts: displays current applicable Alerts.

Custom

Note

You can use the Date Selector to select reports covering other intervals than those listed
here.

Configuring SRA Scheduled Reports


SRA reports are scheduled through the Universal Scheduled Reports interface. Additionally,
you can configure alerts and filter the syslog.
To configure SRA scheduled reports and summarization, click on the Schedule Report icon.
The Universal Schedule Report menu comes up. For more information on scheduling and
configuring reports, refer to the section on Universal Scheduled Reports.

Navigating Through Detailed SRA Reports


SRA reports display either summary or unit views, displayed in a Data Container. Information
can be viewed in either chart (timeline or pie chart) form, or tabular (grid) format. The list of
available reports allows you to navigate to a high-level or specific view. Data can be filtered by
time constraints or data filters.

Drillable reports give access to additional information by clicking on hyperlinks to go to the
Detail view. For some reports, you can go directly to the detail views by clicking Details in the
Policies/Reports pane.
Data filtering can be applied either by using the Filter Bar, drilling down through hyperlinked
data, or applying a filter to a drillable data column.

Viewing SRA Summary Reports


The SRA group level Summary report displays all SRA interfaces under that group level node,
along with the total number of threats detected on the specified day.
The SRA Summary report is available for Data Usage, Web Application Firewall (WAF), and
Connections. It shows the number of connections handled by the SRA appliances on the
specified day or interval. The grid-level report lists each appliance by name, along with the
number of connections. To view the Data Usage Summary report, perform the following steps:
Step 1

Click the Reports tab.

Step 2

Select the global icon or a group in the TreeControl menu.

Step 3

Expand the Data Usage, WAF, or Connections tree and click Summary. The Summary page
displays.

For more information, click on an individual appliance in the TreeControl menu. More settings,
as well as more detailed information, are available at the Unit View level.

Viewing SRA Unit-Level Reports


Unit View reports provide detail about Data Usage, Access Method, Authentication, WAF
Access, Connections, and Uptime and Downtime. You can also view the results from the
Analyzers or saved Custom Reports.

Viewing Unit-Level Data Usage Reports


Step 1

Click the Reports tab.

Step 2

Select the desired Unit in the TreeControl menu.

Step 3

Expand the Data Usage entry and click Timeline to display the Report.

Step 4

The graph displays the number of connections to the selected SRA appliance during the
desired interval. The current 24 hours is displayed by default.

The timeline contains the following information:

Hour - when the sample was taken.

Connections - number of connections to the SRA appliance

Step 5

To change the interval of the report, use the left arrow to click back a day at a time, or click on
the Time Bar to access the Interval menu pull-down calendar.

Step 6

After selecting a date, click Search. The GMS Reporting Module displays the report for the
selected day.

Note

The date setting will stay in effect for all similar reports during your active login
session.

Viewing SRA Top Users Reports


The Top Users report displays the users who used the most connections on the specified date.
To view the Top Users report, perform the following steps:
Step 1

Click the Reports tab.

Step 2

Select the SRA appliance.

Step 3

Expand the Data Usage tree and click Users. The Top Users page displays.

Step 4

The pie chart displays the percentage of connections used by each user.
The table contains the following information for all users:

Users - the user name

Connections - number of connection events or hits

By default, the GMS Reporting Module shows yesterday's report, a pie chart for the top six
users, and a table for all users. To change the date of the report, click the Start field to access
the pull-down calendar.
Step 5

To display a limited number of users, use the Search Bar fields.

Note

This report allows you to drill down by user. Clicking on a user in either the chart or
grid view will take you to the Log Analyzer.

Viewing User Activity Logs


Web User Activity logs allow you to filter results to view only the activity of a specific user.
The User Activity Analyzer provides a detailed report listing activity filtered by user. If a user
report has been saved previously, bringing up the User Activity Analyzer will display a list of
saved reports under the Filter Bar.
If you wish to create a new report, use the Filter Bar to create a new report.
Step 1

Click the Reports tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on User Activity > Details to bring up the User Activity Analyzer. The User Activity
Analyzer generates a Detail report based on the user name.

If no user activity reports were saved, only the Filter Bar will display, with the User filter
pre-selected. You can enter a specific user name, or use the LIKE operator wildcards (*) to
match multiple names.
Step 4

Enter the name of the user into the field and click the Go (arrow) button to generate the report.
The customized User Activity Details report will display a timeline of events, Initiators,
Responders, Services, Applications, Sites visited, Blocked site access attempted, VPN access
policy in use, user authentication, Intrusions, Initiator Countries, and Responder Countries
associated with that particular user.
Data for a particular user may not be available for all of these categories.

Viewing Access Method Reports


Access Methods provide an overview of the protocols used to access the net. They are
available as a summary pie chart or in a Top User report, both of which provide additional
information on the access protocol of the specified user through the Log Analyzer.

Viewing the Access Summary Report


The Access Summary report provides an overview of the types of access protocols used.
Clicking on a hyperlinked protocol entry will take you to the Log Analyzer view for more details.
To view the Summary Report:
Step 1

Click the Reports tab.

Step 2

Select a SRA appliance.

Step 3

Expand the Access Method tree and click Summary. The Access Method Summary page
appears.

Step 4

Click on a section of the pie chart to obtain more details, or hover the mouse over an item on
the Protocol column and right click Add Filter to narrow the results to a particular access
protocol. The results will display in the Log Analyzer report.

Viewing the Top Users Access Report


Step 1

Click the Reports tab.

Step 2

Select a SRA appliance.

Step 3

Expand the Access Method tree and click Users. The Top Users report appears.

In the chart view, you can click on either the pie chart or user list to obtain more information
from the Log Analyzer. Results will be filtered by user, and the setting added to the filter bar.
Alternatively, you can hover your mouse over a user in the User column of the grid view, then
right click to filter results. For full details on that user, drill down by clicking on the user name
in the column.

Viewing SRA Authentication User Login Report


The Authentication Summary report shows an overview of user logins and login attempts and
disconnections by time, user, IP address, type of connection/disconnection, and amount of time
the connection was established. Authentication reports are only available at the unit level.
Step 1

Click the Reports tab.

Step 2

Select a SRA appliance.

Step 3

Expand the Authentication tree and click User Login. The Authenticated User Login report
appears.

Note

All reports appear in the appliance's time zone.


The user login report shows the login for users that logged on to the SRA appliance during the
specified day.
The Report contains the following information:

Time - the time that the user logged in

User - the user name

Initiator IP - the IP address of the user's computer

Message - the type of connection/disconnect

Duration - the duration of the user login session

Viewing SRA Authentication Failed Login Report


The Authentication Failed Login report shows an overview of user logins and login attempts and
disconnections by time, user, IP address, type of connection/disconnection, and amount of time
the connection was established. Authentication reports are only available at the unit level.
Step 1

Click the Reports tab.

Step 2

Select a SRA appliance.

Step 3

Expand the Authentication tree and click Failed Login. The Authentication Failed Login report
appears.

Note

All reports appear in the appliance's time zone.


The failed login report shows the login attempts for users that attempted to log on to the SRA
appliance during the specified day.
The Report contains the following information:

Time - the time of the login attempt

User - the user name

Initiator IP - the IP address of the user's computer

Message - information about the type of failed attempt

Viewing Web Application Firewall (WAF) Reports


The Web Application Firewall (WAF) Summary report contains information on the number of
connections incurring Application Firewall activity logged by a SonicWALL appliance during
each hour of the specified day, or at the global or group level, by each group of SonicWALL
appliances for the day.

The Web Application Firewall provides the following Reports:

Timeline

Threats Detected

Threats Prevented

Apps Detected

Apps Prevented

Users Detected

Users Prevented

Clicking on hyperlinks in these reports takes you to the Log Analyzer view, for more details.
To view reports:
Step 1

Click on the SRA tab and either GlobalView for the group or by individual appliance in the
TreeControl view on the left tab of the interface.

Step 2

Click Reports on the middle tab.

Step 3

Select the WAF entry to expand it and click on the Report you want to view.

Viewing Connections Timeline


The WAF Connections timeline displays connections to the web firewall over time.
To view the Web Application Firewall Summary report, perform the following steps:
Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click Connections > Timeline.

The Timeline displays the unit level summary report containing Offloaded Connections
information for an individual SRA system.

Click on the hyperlinks available in this report to go to the Log Analyzer.

Viewing WAF Top Threats Detected


The Threats Detected report displays the threats detected, according to signature,
classification, and severity. To view the Web Application Firewall Top Threats Detected report,
perform the following steps:

Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on the Reports tab.

Step 4

Click WAF > Threats Detected.

The Top Threats Detected screen shows the top threats detected by the firewall, and gives
details on the Threat Signature, Threat Classification, Threat Severity, in addition to total
threats detected.

Click on the hyperlinks available in this report to go to the Log Analyzer.

Viewing WAF Top Threats Prevented


To view the Web Application Firewall Top Threats Prevented report, perform the following steps:
Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on the Reports tab.

Step 4

Click WAF > Threats Prevented.


The Top Threats Prevented view shows Top Threats detected and prevented by the web
firewall, with details on the Threat Signature, Threat Classification, Threat Severity, in addition
to total threats detected.

Viewing WAF Top Applications Detected


To view the Web Application Firewall Top Applications Detected report, perform the following
steps:
Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on the Reports tab.

Step 4

Click WAF > Applications Detected.


The Top Applications Detected report lists the applications with the highest number of threats
detected by the WAF process. It displays the Application IP, URI, and Detections, in order of the
number of detections.

Click on the hyperlinks available in this report to go to the Log Analyzer.

Viewing WAF Top Applications Prevented


To view the Web Application Firewall Top Applications Prevented report, perform the following
steps:

Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on the Reports tab.

Step 4

Click WAF > Applications Prevented.

The Top Applications Prevented report lists the applications with the highest number of threats
prevented by the Web Application Firewall. It displays the Application IP, URI, and Preventions,
in order of the number of threats prevented by the firewall.

Click on the hyperlinks available in this report to go to the Log Analyzer.

Viewing WAF Top Users Detected


The Top Users Detected report will list the top authenticated users from whom threats have been
detected by the Web firewall. It will display the User Name, User Agent and the Detections in order
of the number of detections.
The Top Users report displays the users who made the most VPN connections on the specified
date.
To view the Top Users report, perform the following steps:
Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on the Reports tab.

Step 4

Click WAF > Users Detected. The Top Users page displays.

Step 5

The pie chart displays the VPN connections for the top VPN users.

Step 6

The table contains the following information by default:


Users - the user's login. You can drill down to learn the IP address of the user.

Agent - the User agent and version being used.

Detections - the number of VPN connections, in order of number of detections.

MBytes - the number of megabytes transferred.


Step 7

By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top
users. To change the date of the report, use the Search Bar and click the Start or End field to
access the pull-down calendar, or click More Options for report display settings.

Viewing WAF Top Users Prevented


To view the Web Application Firewall Top Users Prevented report, perform the following steps:
Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on the Reports tab.

Step 4

Click WAF > Users Prevented.


The Top Users Prevented report lists the top authenticated users from whom threats have been
prevented by the SonicWALL web firewall. It displays their user name, user agent, and
preventions, in order of the number of preventions.

Click on the hyperlinks available in this report to go to the Log Analyzer.

Viewing Connection Reports


Connection reports show the number of connections, as well as throughput data, application
and user data.

Viewing the Offloaded Connection Timeline


The Offloaded Connection Summary report lists the total connections made for all offloaded
applications for one day, displayed per hour per day. The grid section displays peak
connections per second, peak throughput, average connections per second, and average
throughput per hour.
To view the Offloaded Connections Timeline report, perform the following steps:
Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on the Reports tab.

Step 4

Click Connections > Timeline.


The Offloaded Connections Summary report displays.

Viewing the Offloaded Connections Top Applications Report


The Top Applications report lists those applications having the most offloaded connections, as
well as information about the application and throughput.
To view the report:
Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on the Reports tab.

Step 4

Click Connections > Applications.

The report displays the IP address of the application, the URI, and how many connections were
established. The report is drillable on the application IP address to obtain the Log Analyzer
report.

Viewing the Offloaded Connections Top Users Report


The Top Users report lists the users who have the most offloaded connections. It displays the
User Name, User agent, and connections, in order of number of offloaded connections.
To view the report:
Step 1

Click the SRA tab.

Step 2

Select a SonicWALL appliance.

Step 3

Click on the Reports tab.

Step 4

Click Connections > Users.

The Top Users report displays. The report drills down to the Top Applications report, filtered
by User Name.


Viewing Uptime/Downtime Reports


The Uptime/Downtime status timeline displays a timeline of up units in green and down units in
red, for a 24-hour period.

Viewing SRA Analyzer Logs


The Log Analyzer allows advanced users to examine raw data for status and troubleshooting
information. The Analyzer logs contain detailed information from the system logs on each
transaction that occurred on the specified SRA appliance. These logs can be filtered or
drilled down to further narrow the focus of the information, allowing analysis of data about
alerts, traffic, bandwidth consumption, and so on. The Log Analyzer is only available at the
individual unit level.
The SRA Log Analyzer contains information about Initiator and Responder IP addresses,
Status Messages, User and Services used, as well as the time and duration of the session.
You can filter the log on IP address, Message, User, or Service.
Clicking hyperlinks on SRA Reports takes you to the Analyzer Log view of the information. Log
information can be saved by using the Save icon on the Filter Bar for a specific report. This
report will then appear in the list of Custom Reports.
For more information on the Log Analyzer, refer to the Using the Log Analyzer section on
page 124.


Saving System Log Reports


To load the report for later viewing, either:

Click Load Custom Report and select from the pull-down list of saved Custom reports.

Click on Analyzers > Log Analyzer.

Note  The Log Analyzer entries display raw log information for every connection. Depending on
the amount of traffic, this can quickly consume a large amount of space in the database. Choose
the number of days of information that will be stored with care. For more information, see
Configuring SRA Scheduled Reports on page 140 and Universal Scheduled Reports.

You can also click on the print icon to save a log to PDF or Excel format.

Note  Saved system logs are limited in the number of rows that will be saved. If saving to PDF, a
maximum of 2500 rows will be saved. If saving to Excel, a maximum of 10,000 rows will be
saved.

Viewing the Analyzer Log for a SRA Appliance


To view the Log, perform the following steps:
Step 1  Click the Reports tab.
Step 2  Select an SRA appliance.
Step 3  Expand the Analyzer tree and click on Log Analyzer. The saved Log report page displays.

Syslog Exclusion Filter


Filters allow you to fine-tune what information is displayed in Reports. Filters allow you to
narrow search results and view subsets of report data.
Use this screen to manage the volume of syslog uploaded to the reporting database. The factory
default filters are configured to upload only the syslog needed to generate the reports. This can
be fine-tuned further, but it requires advanced knowledge of the syslog and consequently should
be performed by experts only. Adding a wrong filter could lead to receiving a Report Could Not
Be Generated message.
Step 1  To add a filter, click on Configuration > Filters.


The Syslog Exclusion Filter page comes up. This page allows you to view filters currently
applied, add filters, or remove filters.
Step 2  To configure and add a filter, click Add Filter. The Add Filter menu comes up.
Step 3  Specify the field you want to modify, and select an operator and value. Click Update.

Alerts
The Events entry on the Reports tab allows you to configure and view alerts specific to
Reporting for the unit selected, through the Alert Settings and Current Alerts items.
You can follow specific alerts. For more information, refer to CHAPTER 45, Granular Event
Management.
Step 1  Click on Events > Alert Settings.


The Alerts menu comes up. You can use this menu to search for Alerts by name or type, either
by exact match or matching strings. Click Search to find an Alert of interest.

Step 2  You can also add an alert. Click Add Alert on the Alerts menu. The resulting pop-up menu
allows you to specify the type of data you want to track, how often to poll for data, and whether
it is visible to only administrators or to non-administrators as well.


Alert Types are pre-defined, static parameters and are not customizable. Available Alert types
for SRA are:

Alert Type                       Description
Bandwidth Usage (Billing Cycle)  Tracks the bandwidth total in bytes per billing cycle. The
                                 value that the threshold will use is Numeric.
Bandwidth Usage (Daily)          Tracks the daily bandwidth total in bytes. The value that the
                                 threshold will use is Numeric.
Events/Hits (Total)              Tracks the daily events/hits total. The value that the
                                 threshold will use is Numeric.

Step 3  Select the Alert Type and click on Edit Content to edit threshold values. A popup menu
will come up. You can choose from the preset Threshold values or create a new threshold value by
clicking the icon to the right of the Threshold banner. Only one new threshold can be created
at a time. For more information on thresholds, see the Configuring Event Thresholds section
on page 829.

Note  Threshold values may not be available for all Alert types. If this is the case, the Edit
Content field will not be present.

Step 4  Alerts can be emailed to you or a specified destination on a regular schedule. You can
specify up to 5 destinations. Click Add Destination to enable and select from the pull-downs of
destination and schedule entries.
Step 5  Click Update when you have finished configuring the Alert. It will be added to the list
of Alerts on the menu.

Custom Reports
You can configure a report with customized filters, then save it for later viewing and analysis.
Saving a Report allows you to view it later, by loading it through the Custom Reports interface.
Custom Reports can either be saved directly, or configured through the Universal Scheduled
Reports. You can either load the report through the Custom Report pull-down on the Search
Bar, or click Reports > Custom and choose from the list of saved Custom reports.
Custom Reports are available at the unit level for all appliances visible on the SRA tab. The Log
Analyzer must be enabled for the appliance.
The Manage Reports screen (Custom Reports > Manage Reports) allows you to view what
Custom Reports are available and delete reports from the system.

For more information on Custom Reports, refer to the Custom Reports section on page 135.


CHAPTER 7
Viewing CDP Reports
This chapter describes how to generate and view Continuous Data Protection (CDP) Reports
on the SonicWALL Global Management System (GMS). CDP is a secure backup solution that
runs continuously, backing up data from assigned agents, such as servers, laptops, and PCs.
This chapter contains the following sections:

CDP Reporting Overview section on page 163

How to View CDP Reports section on page 164

CDP Reporting Overview


This section provides an introduction to the CDP reporting feature. This section contains the
following subsections:

CDP Reports Tab section on page 163

What is CDP Reporting? section on page 163

After reading the SonicWALL GMS CDP Reporting Overview section, you will understand the
main steps to be taken in order to create and customize reports successfully.

CDP Reports Tab


The CDP tab gives you access to the Continuous Data Protection (CDP) Reports section of the
SonicWALL GMS management interface. Reporting supports both graph and non-graph
reports, and allows you to filter data according to what you wish to view. It supports multiple
product-licensing models.

What is CDP Reporting?


Reports on SonicWALL Continuous Data Protection (CDP) appliances allow administrators to
monitor online status and disk space usage, either globally within a network, or by appliance.
CDP reporting also provides detailed backup reports for individual appliances.


The Filter Bar provides an intuitive, responsive interface for customizing the CDP report layout
and configuring content filtering to focus on specific times and/or details. Hyperlinks allow
access to additional reports data, by clicking on column entries to drill down to the desired detail
view. By using these functions, you can:

Track events to the minute or second of the day for forensics and troubleshooting

Drill down to find specific details

Track appliance activity

How to View CDP Reports


To view the available types of reports for CDP, perform the following steps:
1. Log into your SonicWALL GMS management console.
2. Click the CDP tab.
3. Click the Reports tab on the top of the screen.

The following types of reports are available:
Group Level Reports:
  Capacity
    Summary: disk capacity listed by appliance for one day (default)
Unit Level Reports:
  Backup Activity
    Top Agents: total connections listed by hour
    Top File Extensions: connections listed by user
    Backup Details
    User Backup Activity
  Up/Down
    Timeline: Up and down time for one day, listed by hour (default)

Drilling down through the Group Level Capacity Summary report by appliance takes you to the
Unit Level Summary Report. By drilling down through hypertext links in the Summary, you
access the Detail-level reports.
Click Backup Activity > Backup Details to go directly to the Detail report.
For more information on how to navigate through the Reports, refer to Navigating
SonicWALL GMS Reporting on page 85.

Viewing the Capacity Summary Report


The Capacity report provides an overview of disk usage, either for multiple devices via the
Global View, or by individual unit, broken down by appliance or agent. Clicking on an appliance
link in the global summary will take you to a Summary report for the agents of that appliance.
To view the Capacity report:
Step 1  Click the CDP tab.
Step 2  Click the Reports tab on the top of the screen. By default, the global capacity report
comes up.


The report includes the used and free quotas of the capacity for each appliance, as well as what
percentage of that capacity is free.

Step 3  To view the Capacity Summary for an individual unit, click on the unit in the TreeControl
panel. A detailed view of the agents and quotas for the unit comes up.

Click the agent name to add a filter and obtain a Detail view of backup information.

Viewing Unit Backup Activity


You can view backups for Top Agents and Top File Extensions for a system. These reports are
drillable. You can also click Backup Details to go directly to a Detail report.


Viewing the Top Agents Report


The Top Agents report lists the name of the agent, backup size, size of the compressed disk
file in KB, and policy. The agents are displayed on a pie chart.
To view the Top Agents report, perform the following steps:
Step 1  Click the CDP tab.
Step 2  Click the Reports tab on the top of the screen.
Step 3  Click on the entry for the desired SonicWALL appliance.
Step 4  Click on Backup Activity > Top Agents.

Drilling down takes you to the Detail level report, listing the backed up appliance and listing its
backed up files and folders. The Detail report also provides status on whether the backup
operation was successful. You can shortcut to an unfiltered version of the Detail report by
clicking Backup Details.


Top File Extensions


The Top File Extensions report lists the extension, backup size, size of the compressed disk file
in KB, and number of backed up files.
Step 1  Click the CDP tab.
Step 2  Click the Reports tab on the top of the screen.
Step 3  Click on the entry for the desired SonicWALL appliance.
Step 4  Click on Top File Extensions on the Reports tab.

Drilling down takes you to the Detail level report, listing the backed up appliance and its files
and folders.

Viewing the Detail View Report


SonicWALL GMS provides a shortcut to the Detail view of CDP reports. The Detail view
includes: what appliances were backed up and when, whether the operation was successful,
the agent for the appliance, and the file and folder names backed up, with respective sizes of
both original files and folders and backed up files and folders.
To see the Detail view:
Step 1  Click the CDP tab.
Step 2  Click the Reports tab on the top of the screen.
Step 3  Click on the entry for the desired SonicWALL appliance.
Step 4  Click on Backup Details on the Reports tab.

A detail view, similar to what you might see in the Log Analyzer, comes up. The CDP detail view
is not organized into graph and grid view sections like the Firewall and SRA views. However,
by clicking on links, you can filter results.


If desired, the Detail view of backup activity can be saved. It will then appear under Custom
Reports, and in the Manage Reports list.
For more information on Custom reports, refer to Custom Reports section on page 107.

Viewing the User Backup Report


Viewing User Backup Reports takes you to the Detail view of the Backup report. The Detail view
includes: what appliances were backed up and when, whether the operation was successful,
the agent for the appliance, and the file and folder names backed up, with respective sizes of
both original files and folders and backed up files and folders.
To see the Detail view:
Step 1  Click the CDP tab.
Step 2  Click the Reports tab on the top of the screen.
Step 3  Click on the entry for the desired SonicWALL appliance.
Step 4  Click on Backup > User Backups on the Reports tab.


You can save the User Backup Report as a Custom report, for later viewing. For more information on Custom
reports, refer to the Custom Reports section on page 107.

Viewing Uptime/Downtime

Timelines provide an overview of whether a device or group of devices is online. This can be
useful in determining if a backup operation failed or did not take place due to device
unavailability. You can view the total uptime and downtime for a specific appliance, allowing you
to determine when an appliance was online and the percentage of time it was in service.
Step 1  Click the CDP tab.
Step 2  Click the Reports tab on the top of the screen.
Step 3  Click on the entry for the desired SonicWALL appliance.
Step 4  Click Up/Down > Timeline to view a summary timeline of uptime/downtime for a specific
device.


CHAPTER 8
Introduction to Policy Management
This chapter describes how to use SonicWALL GMS to configure policies on the full range of
SonicWALL platforms.
This chapter includes the following sections:

SonicWALL GMS Policy Configuration Overview, page 171

Introduction to Firewall Policies, page 172

Introduction to SRA Policies, page 180

Introduction to CDP Policies, page 181

Introduction to Email Security Policies, page 182

SonicWALL GMS Policy Configuration Overview


The appliance panels enable administrators to add, delete, configure and view various
SonicWALL appliance types managed by SonicWALL GMS.
The policy panels include:

Firewall Panel: For management and reporting on compatible firewall appliances.

SRA Panel: For management and reporting on SonicWALL SRA and Aventail appliances.

CDP Panel: For management of SonicWALL Continuous Data Protection appliances.

ES Panel: For management of SonicWALL Email Security appliances.

The policy panels are used to configure SonicWALL appliances. From these pages, you can
apply settings to all SonicWALL appliances being managed by SonicWALL GMS, all
SonicWALL appliances within a group, or individual SonicWALL appliances.


Introduction to Firewall Policies


To open the Policies Panel, click the Firewall tab at the top of the SonicWALL GMS UI and then
click the Policies subtab. The Policies Panel for the appropriate SonicWALL appliance appears:

System

This chapter covers a variety of SonicWALL firewall appliance controls for managing system
status information, registering the SonicWALL firewall appliance, activating and managing
SonicWALL Security Services licenses, configuring SonicWALL firewall appliance local and
remote management options, managing firmware versions and preferences, and using included
diagnostics tools for troubleshooting.
This chapter describes how to use SonicWALL GMS to configure general System Policy
settings on managed SonicWALL appliances. The following sections describe how to configure
the system settings:


Status: Provides a comprehensive collection of information to help you manage your
SonicWALL security appliances and SonicWALL Security Services licenses. It includes
GMS status information on Firewall, Management, Subscription, and Firewall Models.
Refer to the Viewing System Status section on page 185.

Time: Describes how to change the time and time options for one or more SonicWALL
appliances. Refer to the Configuring Time Settings section on page 187.


Licensed Nodes (Unit-level view only): Provides a Node License Status table listing the
number of nodes your SonicWALL security appliance is licensed to have connected at any
one time, how many nodes are currently connected, and how many nodes you have in your
Node License Exclusion List. Refer to the Viewing Licensed Node Status section on
page 188.

Administrator: Describes how to change the administrator and password options for one
or more SonicWALL appliances. Refer to the Configuring Administrator Settings section
on page 189.

Tools: Provides a set of common system configuration tasks for restarting an appliance,
requesting diagnostic information, inheriting settings, system synchronization, and
synchronizing the appliance to mysonicwall.com. Also includes options to generate a Tech
Support Report (TSR) and the ability to email the TSR. Refer to the Using Configuration
Tools section on page 190.

Info: Describes how to change contact information for one or more SonicWALL
appliances. Refer to the Configuring Contact Information section on page 196.

Settings: Describes how to back up and save SonicWALL appliance settings as well as
restore them from preferences files. Refer to the Configuring System Settings section on
page 197.

Schedules: Describes how to create and configure schedule groups, which are used to
apply firewall rules for specific days and hours of the week. Refer to the Configuring
Schedules section on page 198.

Management: Describes how to edit the remote management settings on SonicWALL
security appliances for management by GMS or VPN client. Refer to the Editing
Management Settings section on page 200.

SNMP: Describes how to configure Simple Network Management Protocol. Refer to the
Configuring SNMP section on page 201.

Certificates (Unit-level view only): Describes how to configure both third-party
Certificate Authority (CA) certificates and local certificates. Refer to the Navigating the
System > Certificates Page section on page 202.

Network

This chapter covers configuring the SonicWALL firewall appliance for your network
environment. This chapter describes how to configure network settings for SonicWALL
appliances. It is divided into sections for SonicWALL security appliances running SonicOS
Enhanced and SonicOS Standard.

Overview of Interfaces section on page 207

Configuring Network Settings in SonicOS Enhanced section on page 209

Configuring Network Settings in SonicOS Standard section on page 258

Firewall

This chapter describes access rules, which are a set of application-specific policies that give
you granular control over network traffic on the level of users, email users, schedules, and
IP subnets. The primary functionality of this application-layer access control feature is to
regulate Web browsing, file transfer, email, and email attachments. The Firewall settings in
SonicWALL GMS are different for SonicWALL security appliances running SonicOS Enhanced
and Standard. The following sections describe how to configure Firewall settings for each of the
operating systems:

Understanding the Network Access Rules Hierarchy section on page 273

Configuring Firewall Settings in SonicOS Enhanced section on page 275

Configuring Firewall Settings in SonicOS Standard section on page 300

Log

This chapter covers managing the SonicWALL firewall appliance's enhanced logging, alerting,
and reporting features. The SonicWALL firewall appliance's logging features provide a
comprehensive set of log categories for monitoring security and network activities. This chapter
describes how to use SonicWALL GMS to configure where the SonicWALL appliance(s) send
their logs, how often the logs are sent, and what information is included.
This chapter includes the following sections:

Configuring Log Settings section on page 305

Configuring Enhanced Log Settings section on page 307

Configuring Name Resolution section on page 310

Diagnostics

SonicWALL appliances store information about all devices with which they have
communicated. When you generate diagnostic information, only one report can be generated
at a time and the information is only maintained during the current session. For example, if you
run a firewall log report and then log off or generate another report, the firewall log report data
will be lost until you run the report again.
This chapter includes the following sections:

Viewing Network Diagnostic Settings section on page 313

Viewing Connections Monitor section on page 315

Viewing CPU Monitor section on page 316

Viewing Process Monitor section on page 317

Website Blocking

This chapter describes how to use SonicWALL GMS to configure website blocking options for
one or more SonicWALL appliances. This functionality can be used to deny access to material
supplied by the active content filtering subscription, specific domains, domains by keyword, and
Web features such as ActiveX, Java, and cookies.
This chapter includes the following sections:


Configuring General Website Blocking section on page 319

Configuring the CFS Exclusion List section on page 329

Blocking Web Features section on page 336

Configuring Access Consent section on page 337

N2H2 and Websense Content Filtering section on page 338


DHCP

This chapter describes how to use SonicWALL GMS to configure SonicWALL appliances as
DHCP servers. Dynamic Host Configuration Protocol (DHCP) enables network administrators
to automate the assignment of IP addresses from a centralized DHCP server. This conserves
IP addresses and makes it easy for mobile users to move among different segments of the
network without having to manually enter new IP addresses.
This chapter includes the following sections:

DHCP Server Options Overview section on page 341

Configuring DHCP Over VPN section on page 342

Configuring Dynamic DHCP IP Address Ranges section on page 343

Configuring Static IP Addresses section on page 346

Configuring DHCP Option Objects section on page 349

Configuring DHCP Option Groups section on page 350

Configuring General DHCP Settings section on page 350

Configuring Trusted DHCP Relay Agents section on page 351

Users

This chapter covers how to configure the SonicWALL firewall appliances for user level
authentication as well as manage guest services. This chapter describes how to use the
SonicWALL GMS to configure user and user access settings. Included in this chapter are the
following sections:

Configuring Users in SonicOS Enhanced section on page 353

Configuring Users in SonicOS Standard section on page 380

App Control

This chapter describes how to configure App Control policies for SonicWALL firewall appliances
from SonicWALL GMS. This chapter includes the following sections:

App Control Overview section on page 387

Configuring App Rules section on page 389

Configuring Advanced Policies section on page 401

Configuring Match Objects section on page 415

Configuring Action Objects section on page 428

Configuring Email Address Objects section on page 441

Use Cases section on page 445

Anti-Spam

This chapter provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and
anti-virus capabilities to your SonicWALL firewall appliance. There are two primary ways
inbound messages are analyzed by the Anti-Spam feature: Advanced IP Reputation
Management and Cloud-based Advanced Content Management. IP Address Reputation uses
the GRID Network to identify the IP addresses of known spammers, and rejects any mail from
those senders without even allowing a connection. GRID Network Sender IP Reputation
Management checks the IP address of incoming connection requests against a series of lists
and statistics to ensure that the connection has a probability of delivering valuable email. The
lists are compiled using the collaborative intelligence of the SonicWALL GRID Network. Known
spammers are prevented from connecting to the SonicWALL firewall appliance, and their junk
email payloads never consume system resources on the targeted systems.

This chapter includes the following subsections:

Activating Anti-Spam section on page 459

Configuring Anti-Spam Settings section on page 460

Configuring Anti-Spam Real-Time Black List Filtering section on page 464

VPN

This chapter covers how to create VPN policies on the SonicWALL firewall appliance to support
SonicWALL Global VPN Clients as well as creating site-to-site VPN policies for connecting
remote offices running SonicWALL firewall appliances. A VPN is a private data network that
uses encryption technologies to operate over public networks. This chapter contains the
following sections:

VPN SA Management Overview section on page 467

Viewing the VPN Summary section on page 469

Configuring VPN Settings section on page 470

Configuring ULA Settings for VPNs section on page 472

Configuring VPNs in SonicOS Enhanced section on page 472

Configuring VPNs in SonicOS Standard section on page 478

Setting up the L2TP Server section on page 500

Monitoring VPN Connections section on page 501

Management of VPN Client Users section on page 501

VPN Terms and Concepts section on page 503

Using OCSP with SonicWALL Security Appliances section on page 505

SSL VPN

This chapter provides information on how to configure the SRA features on the SonicWALL
SRA appliances. SonicWALL's SRA features provide secure, seamless, remote access to
resources on your local network using the NetExtender client.
This chapter contains the following sections:

SSL VPN NetExtender Overview section on page 507

SSL VPN > Server Settings section on page 510

SSL VPN > Portal Settings section on page 511

SSL VPN > Client Settings section on page 512

SSL VPN > Client Routes section on page 514

DPI-SSL

This chapter describes the Deep Packet Inspection Secure Socket Layer (DPI-SSL) feature, which
allows for the inspection of encrypted HTTPS traffic and other SSL-based traffic. Client DPI-SSL
is used to inspect HTTPS traffic when clients on the SonicWALL firewall appliance's LAN access
content located on the WAN. Server DPI-SSL is used to inspect HTTPS traffic when remote
clients connect over the WAN to access content located on the SonicWALL firewall appliance's
LAN.
This chapter contains the following subsections:


DPI-SSL Overview section on page 517

Configuring Client SSL section on page 518

Configuring Server SSL section on page 522


Security Services

This chapter includes an overview of available SonicWALL Security Services as well as
instructions for activating the services, including FREE trials. These subscription-based services
include SonicWALL Gateway Anti-Virus, SonicWALL Intrusion Prevention Service, SonicWALL
Content Filtering Service, SonicWALL Client Anti-Virus, as well as other services.
SonicWALL firewall appliances offer several services for protecting networks against viruses
and attacks. This chapter provides concept overviews and configuration tasks for deploying
these services.
This chapter contains the following sections:

Configuring Security Services Settings section on page 527

Configuring SonicWALL Network Anti-Virus section on page 528

SonicWALL Network Anti-Virus Email Filter section on page 530

Configuring the SonicWALL Content Filter Service section on page 532

Configuring the SonicWALL Intrusion Prevention Service section on page 532

Configuring the SonicWALL RBL Filter section on page 539

Configuring the SonicWALL Gateway Anti-Virus section on page 540

Configuring the SonicWALL Anti-Spyware Service section on page 543

High Availability

This chapter describes how to use SonicWALL GMS to configure High Availability, which allows
the administrator to specify a primary and secondary SonicWALL appliance. In the case that
the connection to the primary device fails, connectivity will transfer to the backup device.
In addition, SonicWALL GMS can utilize the same device pairing technology to implement
different forms of load balancing. Load balancing helps regulate the flow of network traffic by
splitting that traffic between primary and secondary SonicWALL devices. This chapter includes
the following sections:

Configuring High Availability Settings section on page 549

Configuring Advanced High Availability Settings section on page 550

Monitoring High Availability section on page 552

Verifying High Availability Status section on page 553

SonicPoints

This chapter describes how to configure SonicPoint managed secure wireless access points.
This chapter includes the following sections:

Managing SonicPoints section on page 555

Viewing Station Status section on page 567

Using and Configuring SonicPoint IDS section on page 568

Using and Configuring Virtual Access Points section on page 570

Configuring FairNet section on page 573

Wireless

This chapter describes how to configure wireless connectivity options for wireless SonicWALL
appliances. Included in this chapter are the following sections:

Configuring General Wireless Settings section on page 577

Configuring Wireless Security Settings section on page 581


Configuring Advanced Wireless Settings section on page 585

Configuring MAC Filter List Settings section on page 588

Configuring Intrusion Detection Settings section on page 589

Configuring Wireless Virtual Access Points section on page 599

WGS

This chapter describes how to configure Wireless Guest Services (WGS) enabled appliances
running SonicOS Standard. For appliances running SonicOS Standard, these configuration
options are available at the unit level. Wireless Guest Services allows the administrator to
configure wireless access points for guest access. Wireless Guest Services is configured with
optional custom login pages, user accounts and is compatible with several different
authentication methods including those which require external authentication. Included in this
chapter are the following sections:

Configuring Wireless Guest Services Settings section on page 605

Configuring the URL Allow List section on page 608

Denying Access to Networks with the IP Deny List section on page 608

Configuring the Custom Login Screen section on page 609

Configuring External Authentication section on page 610

Configuring WGS Account Profiles section on page 614

Modem

This chapter describes how to configure the dialup settings for SonicWALL SmartPath (SP) and
SmartPath ISDN (SPi) appliances. SonicWALL SP appliances have a WAN Failover feature
that enables automatic use of a built-in modem to establish Internet connectivity when the
primary broadband connection becomes unavailable. This is ideal when the SonicWALL
appliance must remain connected to the Internet, regardless of network speed.
This chapter contains the following subsections:

Configuring the Modem Profile section on page 615

Configuring Modem Settings section on page 618

Configuring Advanced Modem Settings section on page 620

WWAN

This chapter describes how to configure the Wireless Wide Area Network (WWAN) settings for
SonicWALL security appliances that use 3G and other Wireless WAN functionality to utilize
data connections over cellular networks.
This chapter contains the following subsections:

About Wireless WAN section on page 621

Configuring the Connection Profile section on page 622

Configuring WWAN Settings section on page 625

Configuring Advanced Settings section on page 626

Web Filters

SonicWALL Content Security Manager (CSM) CF provides appliance-based Internet filtering
that enhances security and employee productivity, optimizes network utilization, and mitigates
legal liabilities by managing access to objectionable and unproductive Web content. This
chapter provides configuration tasks for deploying these services.


This chapter contains the following sections:

Configuring Web Filter Settings section on page 629

Configuring Web Filter Policies section on page 631

Configuring Custom Categories section on page 634

Configuring Miscellaneous Web Filters section on page 635

Configuring the Custom Block Page section on page 637

Application Filters

This chapter provides configuration tasks for deploying SonicWALL CSM application filtering
services. SonicWALL Content Security Manager (CSM) provides appliance-based application
filtering that enhances security and employee productivity and optimizes network utilization.
This chapter contains the Configuring Application Filter Settings section on page 639.

Register/Upgrades

This chapter describes how to register and upgrade your SonicWALL firewall appliances. This
chapter contains the following subsections:

Registering SonicWALL Appliances section on page 643

Upgrading Firmware section on page 644

Upgrading Licenses section on page 645

Searching section on page 645

Creating License Sharing Groups section on page 647

Viewing Used Activation Codes section on page 650

Events

This section provides an introduction to the SonicOS Event Alerts feature. This chapter
contains the Adding Alerts section on page 651.


Introduction to SRA Policies


This chapter provides instructions for modifying the general status and tools for SonicWALL
SRA platforms. To modify the general status and tools of a SRA appliance using SonicWALL
GMS, click the SRA tab at the top of the screen, then select the Policies subtab. In the center
pane, select General. You will see the options Status, Tools and Info.

General

The General > Status section provides the current status of the SRA appliance and allows
for an instant update of appliance information using the Fetch Information button.

The General > Tools section provides the following options: Restart Appliance,
Synchronize Now, Synchronize the Appliance with mysonicwall.com.

Note

The Restart Appliance option is not available for SonicWALL Aventail SRA
appliances.

The General > Info section provides the ability to update the contact information for the
SRA appliance.

Register/Upgrades

The Register/Upgrades > Register screen provides the ability to register CDP appliances
with your mysonicwall.com account.

Note

Registering SonicWALL Aventail SRA appliances from GMS is not supported.

Events

The Events > Alerts screen allows you to add, edit, or delete a Unit Status alert for
managed CDP appliances.

The Events > Current Alerts screen displays all active alerts for this appliance.

This chapter contains the following subsections:

Preparing SRA Appliances for SonicWALL GMS Management section on page 657

Adding SRA Appliances in SonicWALL GMS section on page 659

Managing SRA Appliance Settings section on page 660

SRA Status section on page 662

SRA Tools section on page 664

SRA Info section on page 666

Registering SonicWALL SRA Appliances section on page 667

Upgrading SonicWALL SRA Firmware section on page 667

Logging in to SRA using SonicWALL GMS section on page 668

Configuring Alerts section on page 668

Introduction to CDP Policies


After a SonicWALL CDP appliance has been added to GMS, the unit can be managed through
the CDP Policies panel.

General

The General > Status status window displays information about all CDP devices in the
current GMS deployment when in the global view.

When an individual appliance is selected, the status window displays information about the
currently selected CDP appliance.

The General > Info screen allows you to edit CDP appliance information on a global or unit
level.

The General > Tools section provides options to synchronize both the static and dynamic
information.

Register/Upgrades

The Register/Upgrades > Register screen provides the ability to register CDP appliances
with your mysonicwall.com account.

Events

The Events > Alerts screen allows you to add, edit, or delete a Unit Status alert for
managed CDP appliances.

The Events > Current Alerts screen displays all active alerts for this appliance.

This chapter contains the following subsections:

Adding a CDP Appliance to GMS section on page 675

Managing CDP General Settings section on page 677

Registering CDP Appliances section on page 681

Configuring Alerts section on page 682

Introduction to Email Security Policies


After a SonicWALL Email Security appliance has been added to SonicWALL GMS, the unit can
be managed through the ES Policies panel.

General

The General > Status window displays both general deployment status, as well as individual
appliance status for Email Security appliances.


The General > Tools section provides options to force your SonicWALL ES appliance to
synchronize its license and subscription information with mySonicWALL.com immediately.

The General > Info screen allows you to edit Email Security appliance information on a global
or unit level.

Register/Upgrades

The Register/Upgrades > Register ESA screen provides the ability to register CDP
appliances with your mysonicwall.com account.

Events

The Events > Alerts screen allows you to add, edit, or delete a Unit Status alert for
managed ES appliances.

The Events > Current Alerts screen displays all active alerts for this appliance.

This chapter contains the following subsections:

Configuring Heartbeat using Email Security CLI section on page 695

Adding an ES Appliance to GMS section on page 696

Managing ES General Settings section on page 697

Registering ES Appliances section on page 701

Configuring Alerts section on page 702


CHAPTER 9
Configuring Firewall System Settings
Viewing System Status
The System Status page provides a comprehensive collection of information to help you
manage your SonicWALL security appliances and SonicWALL Security Services licenses. In
the global view mode, it provides a summary of all of the devices that are managed by the
SonicWALL GMS, including the number of appliances, whether the appliances are up or down,
and the number of security services subscriptions.
To view a summary of all devices managed by the GMS, click the Change View icon at the
top left and select GlobalView. Expand the System tree in the middle panel, and click on
Status. The Status page displays.


At the individual appliance level, the Status page provides more details such as the serial
number, firmware version, and information on management, reporting, and security service
subscriptions.
To view a summary of the status of an individual appliance, select the appliance in the left pane,
and then click System > Status in the navigation pane. The Status page displays.

If tasks are pending for the selected unit, GMS provides a hyperlink that takes the user to the
Tasks Screen for that unit. Also in System > Status, GMS displays the Last Log Entry for the
unit with a hyperlink that takes the user to the unit Logs screen. The links are only provided if
the user actually has permissions to access those screens on the Console panel.
In the Subscription section header, GMS provides a click here link that displays your current
subscription details on the Register/Upgrades > Search screen. The search parameters are
pre-populated for retrieving the subscription services that are currently active on the
appliance(s) and the search is executed and the results are sorted by Expiry Date for your
convenience.
This page provides a PDF icon that you can click to get a PDF file containing the same content
as the Web page.
At the bottom of the status screen, GMS provides a way to retrieve dynamic information about
the selected appliance, and also provides a link to the GMS Getting Started Guide.
You can click the Fetch Information link to view the following dynamic information:

Firewall UpTime since Last Reboot

Last Modified Time and the user who last modified the appliance

Modem speed and active profile used (only for dial-up appliances)

You can retrieve this information by clicking the Fetch Information button at the global, group,
or unit level. The actual results, however, are displayed only at the unit level.
To view the SonicWALL GMS Getting Started Guide, click the Open Getting Started
Instructions In New Window button.


Configuring Time Settings


The SonicWALL GMS user interface (UI) is similar to the standard SonicWALL appliance UI.
However, SonicWALL GMS offers the ability to push configuration settings to a single
SonicWALL appliance, a group of SonicWALL appliances, or all SonicWALL appliances being
managed by the SonicWALL GMS. To change time settings on one or more SonicWALL
appliances, perform the following steps:
1. Expand the System tree and click Time. The Time page displays.

2. Select the Time Zone of the appliance(s) from the Time Zone field.

3. To configure the SonicWALL(s) to automatically adjust their clocks for Daylight Savings
Time, select the Automatically Adjust Clock for Daylight Savings Changes check box.

4. To configure the SonicWALL(s) to use Universal Time Coordinated (UTC) or Greenwich
Mean Time (GMT) instead of local time, select the Display UTC in Logs Instead of Local
Time check box.

5. To configure the SonicWALL(s) to display the time in the international time format, select
the Display Time in International Format check box.

6. Select from the following:

To manually configure the time and date, make sure the Use NTP to set time
automatically check box is deselected. The SonicWALL appliance(s) will automatically
use the time settings of the SonicWALL GMS agent.

To configure the SonicWALL(s) to automatically set the local time using Network Time
Protocol (NTP), select the Use NTP to set time automatically check box.

7. When you are finished, click Update. A task gets scheduled to apply the new settings for
each selected appliance.

8. If you don't want to use the SonicWALL appliance's internal NTP list, you can add your own
NTP list. To add an NTP server, enter the IP address of an NTP server in the Add NTP
Server field. A task gets scheduled to add the NTP server to each selected SonicWALL
appliance.

9. To add additional NTP servers, click Add and enter another NTP server.

10. To clear all screen settings and start over, click Reset.


Note

If you are not using NTP for the appliance, then GMS configures the time of the appliance
to be identical to the time of the GMS Agent pushing the configuration to the appliance (after
adjusting for any time zone differences).

Viewing Licensed Node Status


A node is a computer or other device connected to your LAN with an IP address. If your
SonicWALL security appliance is licensed for unlimited nodes, the Licensed Nodes section
displays the message: The SonicWALL is licensed for unlimited Nodes/Users. No other
settings are displayed.
If your SonicWALL security appliance is not licensed for unlimited nodes, the Node License
Status table lists how many nodes your security appliance is licensed to have connected at any
one time, how many nodes are currently connected, and how many nodes you have in your
Node License Exclusion List. To view licensed node information, perform the following steps:
1. Expand the System tree and click on Licensed Nodes. The Licensed Nodes page
displays.

2. To update the licensed node information, click on Request Licensed Node Information
from the appliance. The Currently Licensed Nodes table lists details on each node
connected to your security appliance. Above the table, GMS displays how many nodes the
appliance is licensed for.

When you exclude a node, you block it from connecting to your network through the security
appliance. Excluding a node creates an address object for that IP address and assigns it to the
Node License Exclusion List address group. To exclude a node that is currently licensed,
perform the following steps:

1. Click the configure icon in the Exclude column of the Currently Licensed Nodes table.
Then click Ok on the warning message that displays.

2. To exclude a node that is not currently licensed, click on Add New Node For Exclusion.
The Add License Exclusion Node window displays.

3. Enter the IP address of the node in the Node IP Address field.

4. Optionally, you can enter a comment about the node in the Comment field.

5. Click Update.


In SonicOS Enhanced, you can manage the License Exclusion List group and address
objects in the Network > Address Objects page of the management interface. On the
Address Objects page, scroll down to the Node License Exclusion List row and click the
configure icon. Refer to the Configuring Address Objects section on page 232 for instructions
on managing address objects.

Configuring Administrator Settings


The Administrator page configures administrator settings for the SonicWALL appliance. These
settings affect both SonicWALL GMS and other administrators. To change administrator
settings on one or more SonicWALL appliances, perform the following steps:
1. Expand the System tree and click Administrator. The Administrator page displays.

2. Enter the login name for the administrator in the Administrator Login Name field.

3. Specify the maximum number of days after which a password expires and must be updated
in the Password must be changed every (days) field.

4. Specify the number of previous passwords that are remembered and that a new password
cannot match in the Bar repeated passwords for this many changes field.

5. Specify the minimum password length in the Enforce a minimum password length of
field.

6. Select the level of password complexity from the Enforce Password Complexity
pull-down list. You can select one of the following:

None

Require both alphanumeric and numeric characters

Require alphabetic, numeric and symbolic characters

7. Select the Administrators checkbox to apply these password constraints only to full and
read-only administrators.

8. Select the Other full administrators checkbox to apply these password constraints to all
administrators with local passwords.

9. Select the Limited administrators checkbox to apply these password constraints to all
local users with limited administrator privileges.

10. Select the Other local users checkbox to apply these password constraints only to
non-administrator users.

11. Specify how long the SonicWALL appliance(s) wait (in minutes) before logging out inactive
administrators in the Log out the Administrator after inactivity of field.

12. To lock out the SonicWALL appliance after user login failure, select the Enable user
lockout on login failure check box. Then, specify the number of login failure attempts that
must occur before the user is locked out in the Failed login attempts per minute before
lockout field and how long the user will be locked out in the Lockout Period field.

13. For On preemption by another administrator:, select one of the following actions to take
when an administrator is preempted by another:

Drop to non-config mode - move the preempted administrator to non-configuration
mode

Log out - log out the preempted administrator.

14. Select from the following options to change the SonicWALL appliance password(s):

If you are configuring a SonicWALL appliance at the unit level, enter and reenter the
new SonicWALL password. Then, enter the SonicWALL GMS password and click
Change Password. The password is changed.

If you are configuring a SonicWALL appliance at the group or global level, enter the
SonicWALL GMS password and click Change Password. Each SonicWALL appliance
will receive a unique randomly generated password. This unique password is encrypted
and recorded in the SonicWALL GMS database.

At the non-unit level, passwords can be configured in two ways:

GMS can assign random passwords to the appliances (recommended for security
purposes).

The user can specify a specific password which will be assigned to all the
appliances in the node (not recommended).

To have GMS assign random passwords, leave the New SonicWALL Password and
Confirm New SonicWALL Passwords fields empty.

Note

The unique encrypted password is also written into a file in <gms_directory>/etc/.
The filename format is Prefs<serialnumber>.pwd; each file contains the old and the
new password for the SonicWALL appliance. The file gets overwritten every time the
password for the SonicWALL appliance is changed. The encryption is base64.

15. When you are finished, click Update. A task gets spooled and once it is executed
successfully, the settings are updated for the selected SonicWALL appliances.

16. To clear all screen settings and start over, click Reset.
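
The password and lockout rules in steps 3 to 6 and 12 above can be expressed as a small check
that runs before a password change or a login attempt is accepted. The following is an added
example written for this guide, not code from SonicWALL GMS or SonicOS; the class names, the
identifiers used for the three complexity levels, the default values and the rule messages are
assumptions, and the check uses simple Python character classes where the appliance's own
definition of symbolic characters may differ.

```python
"""Added example, not SonicWALL GMS code: a model of the administrator
password constraints (steps 3 to 6) and of the login-lockout counter
(step 12). The class names, defaults and rule messages are assumptions."""
from collections import deque

# Assumed identifiers for the three entries of the Enforce Password
# Complexity pull-down list described above.
COMPLEXITY_NONE = "none"
COMPLEXITY_ALNUM = "alpha_numeric"                # letters and digits required
COMPLEXITY_ALNUM_SYMBOL = "alpha_numeric_symbol"  # letters, digits and a symbol


class PasswordPolicy:
    """Password must be changed every (days), Bar repeated passwords for this
    many changes, Enforce a minimum password length of, Enforce Password
    Complexity."""

    def __init__(self, min_length=8, history_size=4, max_age_days=90,
                 complexity=COMPLEXITY_ALNUM_SYMBOL):
        self.min_length = min_length
        self.history_size = history_size
        self.max_age_days = max_age_days
        self.complexity = complexity

    def violations(self, candidate, history):
        """Return the rules the candidate breaks; an empty list means accepted.
        history holds the user's previous passwords, oldest first."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("too short")
        has_alpha = any(c.isalpha() for c in candidate)
        has_digit = any(c.isdigit() for c in candidate)
        has_symbol = any(not c.isalnum() for c in candidate)
        if self.complexity in (COMPLEXITY_ALNUM, COMPLEXITY_ALNUM_SYMBOL):
            if not (has_alpha and has_digit):
                problems.append("needs letters and digits")
        if self.complexity == COMPLEXITY_ALNUM_SYMBOL and not has_symbol:
            problems.append("needs a symbol")
        # Only the most recent history_size passwords are barred; a size of 0
        # disables the check (note that list[-0:] would be the whole list).
        recent = list(history)[-self.history_size:] if self.history_size > 0 else []
        if candidate in recent:
            problems.append("reused recent password")
        return problems

    def is_expired(self, set_at, now):
        """True once max_age_days have elapsed (timestamps in seconds)."""
        return (now - set_at) / 86400 >= self.max_age_days


class LoginLockout:
    """Enable user lockout on login failure: Failed login attempts per
    minute before lockout, and Lockout Period (minutes)."""

    def __init__(self, attempts_per_minute=5, lockout_minutes=5):
        self.attempts_per_minute = attempts_per_minute
        self.lockout_minutes = lockout_minutes
        self._failures = {}      # user -> deque of failure timestamps (seconds)
        self._locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Record one failed login; return True if it triggers a lockout."""
        window = self._failures.setdefault(user, deque())
        window.append(now)
        # Drop failures older than the one-minute window.
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= self.attempts_per_minute:
            self._locked_until[user] = now + self.lockout_minutes * 60
            window.clear()
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure window."""
        self._failures.pop(user, None)
```

The `history_size == 0` branch matters: a naive `history[-0:]` slice returns the whole list and
would bar every old password. The failure window is kept per user and cleared on success,
which matches the per-minute wording of the lockout field.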

Using Configuration Tools


This chapter describes how to use SonicWALL tools to restart SonicWALL appliances, request
diagnostics, inherit settings from the group, and more. The following sections describe the
options available in the GMS tools menu:

Restarting SonicWALL Appliances section on page 191

Requesting Diagnostics for SonicWALL section on page 191

Inheriting Settings section on page 192

Clearing the ARP Cache section on page 194

Synchronizing Appliances section on page 194

Synchronizing with mySonicWALL.com section on page 195

Manually Uploading Signature Updates section on page 195

Generating Tech Support Reports section on page 196

Restarting SonicWALL Appliances


Some SonicWALL GMS changes require the SonicWALL appliance(s) to automatically be
restarted after changes are applied. However, there may be instances when you want to restart
the SonicWALL appliance(s) manually. To restart one or more SonicWALL appliances, perform
the following steps:

1. Expand the System tree and click Tools. The Tools page displays.

2. To restart the selected SonicWALL appliance(s), click Restart SonicWALL.

Note

We recommend restarting the SonicWALL appliance(s) when network activity is low.

Requesting Diagnostics for SonicWALL


To request diagnostics for SonicWALL appliances, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.

2. To request diagnostics for the selected SonicWALL appliance(s), click Request
Diagnostics. SonicWALL GMS schedules a task to request diagnostics for the selected
SonicWALL appliances.

3. To view the diagnostics, navigate to Diagnostics > Snapshot Status on the Console panel.

4. In the Diagnostics Requested pull-down list, select the diagnostics that you want to review.

5. Click View SnapShot Data.


Inheriting Settings

On the Policies panel, in the System > Tools screen, you can apply inheritance filters at a global,
group, or appliance level. You can select an existing inheritance filter and customize which of its
rules are actually inherited. You can do this on the fly, without the need to create an entirely separate
filter.
For more information on inheritance, refer to the Configuring Inheritance Filters section on
page 759.
To apply the inheritance filters, perform the following steps:

1. Expand the System tree and click Tools. The Tools page displays.

2. Select the appropriate radio button for either forward or reverse inheritance. Use the Filter
drop down menu to select the desired filter to apply. Click the Preview button to proceed
to the Preview of Inheritance Settings window.

Note

When configuring forward inheritance at the group level, all selected settings are pushed to
all units in the group.

3. Review the settings to be inherited. Users may continue with all of the default screens
selected for inheritance or select only specific screens for inheritance by checking boxes
next to the desired settings.

Note

The Preview panel footer states, All referring objects should also be selected as part of the
settings picked, to avoid any dependency errors while inheriting. If the user deselects
dependent screen data, the settings will not inherit properly.

4. If the user is attempting forward inheritance, they may click Update to proceed. If the user
is attempting to reverse inherit settings, an additional selection must be made at the bottom
of the Preview panel. The user must select either to update the chosen settings to only the
target parent node, or to update the target parent node along with all unit nodes under it.
Once the user makes this selection, they may click Update to proceed, or Reset to edit
previous selections.

5. If the user selects to update the target parent node and all unit nodes, a Modify Task
Description and Schedule panel opens in place of the Preview panel. (This panel will not
appear if the user selects Update only target parent node). If the Modify Task
Description and Schedule panel opens, the user can edit the task description in the
Description field. They may also adjust the schedule for inheritance, or continue with the
default scheduling. If the user chooses to edit the timing by clicking on the arrow next to
Schedule, a calendar expands allowing the user to click on a radio button for Immediate
execution, or to select an alternate day and time for inheritance to occur.

6. Once the user has completed any edits, they select either Accept or Cancel to execute
or cancel the scheduled inheritance, respectively.

Once the inheritance operation begins, a progress bar appears, along with text stating the
operation may take a few minutes, depending on the volume of data to be inherited.
Once the inheritance operation is complete, the desired settings from the unit or group node
should now be updated and reflected in the parent node's settings, as well as in the settings of
all other units, if selected.

Note

For the Access/Services and Access/Rules pages, by default, inheriting group settings
overwrites the values at the unit level with the group values. If you wish for SonicWALL GMS
to append the group settings to the values at the unit level, you need to enable the Append
Group Settings option on the General/GMS Settings page on the Console Panel.
For more information on inheritance, refer to the Managing Inheritance in SonicWALL GMS
section on page 759.
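
The dependency rule quoted from the Preview panel footer (referring objects must be selected
together with the settings that use them) and the overwrite-versus-append behaviour in the note
above can both be checked before a task is scheduled. The following added example is not
SonicWALL GMS code; the screen names, the dependency map (which screens refer to Address
Objects, Service Objects and Schedules) and the dictionary shape used to hold settings are
assumptions made for the illustration.

```python
"""Added example, not SonicWALL GMS code: the dependency rule behind the
Preview panel footer and the overwrite-versus-append behaviour described in
the note. The screen names and the dependency map are assumptions."""

# Assumed map: screen -> screens whose objects it refers to.
SCREEN_DEPENDENCIES = {
    "Access/Rules": {"Address Objects", "Service Objects", "Schedules"},
    "Access/Services": {"Service Objects"},
    "NAT Policies": {"Address Objects", "Service Objects"},
    "VPN Policies": {"Address Objects"},
    "Address Objects": set(),
    "Service Objects": set(),
    "Schedules": set(),
}

# Pages for which the Append Group Settings option applies (from the note).
APPENDABLE_SCREENS = {"Access/Services", "Access/Rules"}


def missing_dependencies(selected, deps=SCREEN_DEPENDENCIES):
    """Return screens referred to (directly or transitively) by the
    selection but not included in it."""
    selected = set(selected)
    missing, seen, stack = set(), set(), list(selected)
    while stack:
        screen = stack.pop()
        if screen in seen:
            continue
        seen.add(screen)
        for ref in deps.get(screen, set()):
            if ref not in selected:
                missing.add(ref)
            stack.append(ref)
    return missing


def complete_selection(selected, deps=SCREEN_DEPENDENCIES):
    """The selection extended with every screen it depends on."""
    return set(selected) | missing_dependencies(selected, deps)


def inherit(parent, unit, selected, append_group_settings=False):
    """Apply the selected screens of a parent (group) onto a unit.

    parent and unit map screen name -> list of entries. Raises ValueError
    when the selection would produce the dependency error the footer warns
    about. By default the group values overwrite the unit values; with
    append_group_settings the group entries are appended on the appendable
    screens instead. The unit dictionary itself is left unchanged."""
    missing = missing_dependencies(selected)
    if missing:
        raise ValueError("select referring objects too: " + ", ".join(sorted(missing)))
    result = {screen: list(entries) for screen, entries in unit.items()}
    for screen in selected:
        group_values = list(parent.get(screen, []))
        current = result.get(screen, [])
        if append_group_settings and screen in APPENDABLE_SCREENS:
            result[screen] = current + [v for v in group_values if v not in current]
        else:
            result[screen] = group_values
    return result
```

`complete_selection` is what a preview screen would use to pre-tick the referring objects, while
`missing_dependencies` is the check that refuses an incomplete selection rather than letting the
task fail later.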

Clearing the ARP Cache


SonicWALL appliances store information about all devices with which they have
communicated.
To clear the ARP Cache for one or more SonicWALL appliances, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.

2. Click Clear ARP Cache.

Synchronizing Appliances

If a change is made to the SonicWALL appliance through any means other than through GMS,
SonicWALL GMS will be notified of the change through the syslog data stream. You can
configure an alert through the Granular Event Management framework to send email notification
when a local administrator makes changes to a SonicWALL appliance through the local user
interface rather than through GMS. After the syslog notification is received, SonicWALL GMS will
schedule a task to synchronize its database with the local change. After the task successfully
executes, the current configuration (prefs) file is read from the SonicWALL appliance and
loaded into the database.


Auto-synchronization automatically occurs whenever SonicWALL GMS receives a local change
notification status syslog message from a SonicWALL appliance.
You can also force an auto-synchronization at any time for a SonicWALL appliance or a group
of SonicWALL appliances. To do this, perform the following steps:

1. Expand the System tree and click Tools. The Tools page displays.

2. To synchronize the selected SonicWALL appliance(s), click Synchronize Now.
SonicWALL GMS schedules a task to synchronize the selected SonicWALL appliances.

Note

The auto-synchronization feature can be disabled on the Console/Management Settings
screen by unchecking the Enable Auto Synchronization checkbox.
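
The flow described above (a local-change syslog message arrives, GMS schedules a
synchronization task, and an alert can be raised for the change) is shown below as an added
example, not SonicWALL GMS code. The syslog lines and their key=value fields are constructed
for the example, the message text that is matched is an assumption, and real SonicOS message
ids are not reproduced.

```python
"""Added example, not SonicWALL GMS code: a small syslog consumer that turns
a 'local change' notification from an appliance into one synchronization
task for that unit and one alert. The syslog line format, the field names
and the message text matched are constructed for this example."""
import re

# Constructed sample feed (not captured from a real appliance).
SAMPLE_SYSLOG = """\
<134>Jan 10 12:00:01 fw-branch-01 sn=SN-PLACEHOLDER-01 msg="Web management login" usr=gms src=198.51.100.5
<134>Jan 10 12:04:37 fw-branch-01 sn=SN-PLACEHOLDER-01 msg="Configuration changed by local administrator" usr=admin src=192.0.2.10
<134>Jan 10 12:05:02 fw-branch-02 sn=SN-PLACEHOLDER-02 msg="Interface link up" if=X1
<134>Jan 10 12:09:15 fw-branch-01 sn=SN-PLACEHOLDER-01 msg="Configuration changed by local administrator" usr=admin src=192.0.2.10
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOCAL_CHANGE_MSG = "configuration changed by local administrator"


def parse_syslog_line(line):
    """Split '<pri>Mon DD hh:mm:ss host k=v k="v v" ...' into a dict."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        return {}
    event = {"host": parts[3]}
    for key, value in KV_RE.findall(parts[4]):
        event[key] = value.strip('"')
    return event


class SyncScheduler:
    """Turns local-change events into sync tasks and alerts."""

    def __init__(self):
        self.tasks = []        # queued synchronization tasks
        self.alerts = []       # text of alerts to send (e.g. by e-mail)
        self._pending = set()  # serials with a sync task already queued

    def handle(self, event):
        """Return True if the event was a local-change notification."""
        if event.get("msg", "").lower() != LOCAL_CHANGE_MSG:
            return False
        sn = event.get("sn", "unknown")
        self.alerts.append(
            f"{event.get('host', '?')} ({sn}): configuration changed locally by "
            f"{event.get('usr', '?')} from {event.get('src', '?')}")
        # One sync task per appliance until it has run; repeated notices
        # before the task executes do not queue duplicates.
        if sn not in self._pending:
            self._pending.add(sn)
            self.tasks.append({"sn": sn, "action": "sync_prefs"})
        return True

    def run_tasks(self, fetch_prefs):
        """Execute queued tasks; fetch_prefs(serial) stands in for reading
        the prefs file from the appliance into the database."""
        results = {}
        for task in self.tasks:
            results[task["sn"]] = fetch_prefs(task["sn"])
            self._pending.discard(task["sn"])
        self.tasks = []
        return results

    def pending_count(self):
        return len(self._pending)


def process_feed(text, scheduler=None):
    """Feed every non-empty line of a syslog capture to the scheduler."""
    scheduler = scheduler or SyncScheduler()
    for line in text.splitlines():
        if line.strip():
            scheduler.handle(parse_syslog_line(line))
    return scheduler
```

Coalescing matters in practice: an administrator saving several screens in a row produces
several notifications, and one synchronization after the last of them is enough, while every
notification still deserves its own alert entry.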

Synchronizing with mySonicWALL.com


SonicWALL appliances check their licenses/subscriptions with mysonicwall.com once every 24
hours. Using the Synchronize with mysonicwall.com Now button, a user can have an
appliance synchronize this information with mysonicwall.com without waiting for the 24-hour
schedule. To force the SonicWALL to synchronize with mysonicwall.com now, perform the
following steps:

1. Expand the System tree and click Tools. The Tools page displays.

2. To synchronize the selected SonicWALL appliance(s), click Synchronize with
mysonicwall.com Now. SonicWALL GMS schedules a task to synchronize the selected
SonicWALL appliances' license information into GMS.

Manually Uploading Signature Updates


For SonicWALL appliances that do not have direct access to the Internet (for example,
appliances in high-security environments) you can manually upload updates to security service
signatures. To instruct GMS to download updates to security service signatures, perform the
following steps:

1. Click on the Console tab, expand the Management tree, and click on GMS Settings.

2. Select the check boxes for the Firewalls managed by this GMS do not have Internet
Access and Upload latest signatures on subscription status change settings. Refer to
the Configuring Management Settings section on page 775 for more information.

3. Click on the Policies tab, expand the System tree, and click Tools.

4. When there are updated signatures to upload, the Upload Signatures Now button is
displayed. Click this button to manually upload the signatures.

Note

The Upload Signatures Now button is displayed only when the GMS has downloaded
updated signature files that are ready to be uploaded.


Generating Tech Support Reports


To generate a Tech Support Report that is emailed to the administrator email address, perform
the following steps:

1. Expand the System tree and click Tools. The Tools page displays.

2. Select any of the following four report options:

VPN Keys - Saves shared secrets, encryption, and authentication keys to the report.

ARP Cache - Saves a table relating IP addresses to the corresponding MAC or
physical addresses.

DHCP Bindings - Saves entries from the SonicWALL security appliance DHCP server.

IKE Info - Saves current information about active IKE configurations.

3. Click Email TechSupport Report. The requested reports are emailed to the administrator
email address.

Configuring Contact Information


The System > Info page contains contact information for the SonicWALL appliance. These
settings are for informational purposes only and do not affect the operation of SonicWALL
appliances. To change informational settings on one or more SonicWALL appliances, perform
the following steps:

1. Expand the System tree and click Info. The Info page displays.

2. Enter appliance contact information for the SonicWALL appliance(s).

3. After entering the street address, city, state, zip code, and country appliance contact
information, click the Locate Geocode button. This will populate the GeoLocation field with
the SonicWALL appliance latitude and longitude coordinates. Similarly, you can enter the
latitude or longitude coordinates, and click the Locate Address button to populate the
address information fields. The location information enables your SonicWALL appliance to
display on the Dashboard Geographic Map. For more information on using the Dashboard
Geographic Map to drag and drop the location of your unit, refer to the Using the Universal
Dashboard section on page 43.

4. When you are finished, click Update. A task gets spooled and once it is executed
successfully, the information is updated for the selected SonicWALL appliances.

5. To reset all screen settings and start over, click Reset.

Configuring System Settings


SonicWALL GMS enables you to save SonicWALL appliance settings to the SonicWALL GMS
database, which can be used for restoration purposes. GMS can automatically take backups of
the appliance configuration files on a regular schedule and store them in the database. The
schedule is configured in the Console > Management > GMS Settings screen under
Automatically save... Here you can specify that a backup should never be taken, or that
backups should be taken on a daily or weekly schedule. If the schedule is set to daily or weekly,
then the backups are performed for all appliances for which the Enable Prefs File Backup
checkbox is selected in this screen.
To purge older backups, you can specify how many of the latest prefs files should be stored in
the database. The listbox here displays all the Prefs files backed up, along with the firmware
version. In addition to automatic backups, you can manually force a Prefs backup by selecting
the Store settings... buttons.
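
The retention rule for stored prefs files and the firmware-version concern behind the restore
option in this section can be modelled as follows. This is an added example, not SonicWALL GMS
code; the record fields, the placeholder serial numbers, the firmware labels and the rule that a
stored file may only be restored to the appliance it was taken from are assumptions.

```python
"""Added example, not SonicWALL GMS code: the retention rule for stored
prefs files (Number of newest Prefs Files to be preserved, where 0 means
never purge) and a firmware-version guard for restoring a stored file to a
unit. Record fields, sample records and firmware labels are assumptions."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class PrefsBackup:
    serial: str         # appliance serial number
    name: str           # name given on the Settings page
    firmware: str       # firmware version recorded with the backup
    taken_at: datetime  # when the backup was stored


def make_backup(serial, name, firmware, year, month, day):
    return PrefsBackup(serial, name, firmware, datetime(year, month, day))


# Constructed sample inventory (placeholder serials and firmware labels).
SAMPLE_BACKUPS = [
    make_backup("SN-PLACEHOLDER-01", "auto-week-1", "fw-old", 2012, 1, 1),
    make_backup("SN-PLACEHOLDER-01", "auto-week-2", "fw-old", 2012, 1, 8),
    make_backup("SN-PLACEHOLDER-01", "post-upgrade", "fw-new", 2012, 1, 15),
    make_backup("SN-PLACEHOLDER-02", "auto-week-2", "fw-old", 2012, 1, 8),
]


def select_for_purge(backups, keep_newest):
    """Backups to delete so that only the keep_newest most recent remain
    for each appliance. keep_newest == 0 disables purging entirely."""
    if keep_newest < 0:
        raise ValueError("keep_newest must be 0 or more")
    if keep_newest == 0:
        return []
    by_serial = {}
    for backup in backups:
        by_serial.setdefault(backup.serial, []).append(backup)
    purge = []
    for items in by_serial.values():
        items.sort(key=lambda b: b.taken_at, reverse=True)  # newest first
        purge.extend(items[keep_newest:])
    return purge


def restore_allowed(backup, unit_serial, unit_firmware):
    """Guard for restoring a stored prefs file to a unit: the file must come
    from that appliance (assumed rule) and from the firmware version it
    currently runs, which is the mismatch the section's note warns about."""
    if backup.serial != unit_serial:
        return False, "backup belongs to a different appliance"
    if backup.firmware != unit_firmware:
        return False, f"backup taken on {backup.firmware}, unit runs {unit_firmware}"
    return True, "ok"
```

Retention is applied per appliance rather than across the whole table, so a unit that is backed
up more often cannot push another unit's only copy out of the database.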
To save or apply SonicWALL appliance settings, perform the following steps:
1. Expand the System tree and click Settings. The Settings page displays.

2. To save the settings of a SonicWALL appliance to the SonicWALL GMS database, enter a
name for the settings in the Name field and click Store settings read from unit. Then, if
you want to save these settings to a local file, click Save the settings to a local file. You
can save multiple versions of settings for each SonicWALL appliance to the
SonicWALL GMS database and to different local files.


3. To apply settings to the SonicWALL appliance directly from the SonicWALL GMS database,
select the saved settings and click Restore the settings to the unit.

Note: The Restore the settings to the unit option is available only at the unit level, and not at
the group and global levels. This option was previously available at the group and global
levels. GMS no longer displays the option at the group and global levels, to minimize the risk
of writing an incompatible prefs file to an incorrect firmware version running on a
SonicWALL appliance.

4. To store an external prefs file in the database, enter the path to the file and click Store
settings from local file. The Store settings from local file button stores a prefs file from the
local hard disk in the GMS database so that it displays in the list box of the Settings page.
Once it is stored in the database (and displayed in the list box), you can click the Restore the
settings to the unit button to apply it.

5. To automatically back up the preferences for the selected SonicWALL appliance, select the
Enable Prefs File Backup check box and click Update.

The backed-up prefs file contains the configuration settings and the firmware version of the
security appliance you are backing up.

6. Go to the Console > Management > GMS Settings page and update the values in the
Automatically save prefs file section. This enables you to specify when and how frequently
GMS backs up the prefs files.

7. If you want to automatically purge older backups, enter the number of newest backup files
you want to keep in the Number of newest Prefs Files to be preserved field. Enter 0 to
prevent purging of older backups.

8. Set the value in the Missed Reports Threshold field to the number of heartbeat messages
GMS can miss before considering the unit to be down.
GMS relies on special syslog messages called heartbeat messages to determine whether an
appliance is up and running. By default, if GMS does not receive three successive heartbeat
messages, it marks the appliance as down. You can customize this threshold to any number.
If you set the value to 0, GMS will never mark this node as down.

9. To delete settings from the SonicWALL GMS database, select the saved settings and click
Delete the settings.

Configuring Schedules
You can configure schedule groups on the Policies panel, in System > Schedules. Schedule
Groups are groups of schedules to which you can apply firewall rules. For example, you might
want to block access to auction sites during business hours, but allow employees to access the
sites after hours.
You can apply rules to specific schedule times or all schedules within a Schedule Group. For
example, you might create an Engineering Work Hours group that runs from 11:00 AM to 9:00
PM, Monday through Friday and 12:00 PM to 5:00 PM, Saturday and Sunday. Once configured,
you can apply specific firewall rules to the entire Engineering Work Hours Schedule Group or
only to the weekday schedule.


To create a Schedule Group, perform the following steps:

1. Expand the System tree and click Schedules. The Schedules page displays.

2. To add a Schedule Group, click Add Schedule Group.

3. Enter the name of the Schedule Group in the Name field.

4. In the Schedule Type section, select whether the schedule will occur Once, Recurring, or
Mixed.

Note: The one-time and mixed schedule types are only available for systems running SonicOS
Enhanced 5.5 and above.

5. For a schedule that occurs only once, select the year, month, date, hour, and minutes for
the Start and End fields.

6. For recurring schedules, select the check boxes for each day the schedule will apply.

7. Enter the start time for the recurring schedule in the Start Time field. Make sure to use the
24-hour format.

8. Enter the end time for the recurring schedule in the Stop Time field. Make sure to use the
24-hour format.

9. Click Add.

10. Repeat Step 4 through Step 9 for each schedule to add.

11. To delete a schedule, select the schedule and click Delete.

12. Click OK. The Schedule Group is added and configured.

13. To edit a Schedule Group, click its Edit icon. The Edit Schedule Group dialog box
displays. Edit the Schedule Group details and click OK.
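The Schedule Group semantics described above (a rule bound to the whole group versus to one member schedule, recurring weekday schedules with 24-hour Start and Stop times, and one-time and mixed types), as an added evaluator in Python. This is an added example, not GMS or SonicOS code; the Engineering Work Hours group from the text is built using the default-schedule naming used later in this chapter, and the half-open interval convention (active from Start up to but not including Stop/End) is an assumption.

```python
"""Evaluate SonicWALL-style Schedule Groups (Once, Recurring, Mixed) at a point in time.

Added example, not GMS or SonicOS code. It models the semantics described above:
a group is active when any member schedule is active, a one-time schedule covers
its Start up to (not including) its End, and a recurring schedule covers the
selected weekdays between a 24-hour Start Time and Stop Time (24:00 = end of day).
The half-open interval convention is an assumption, not something the page states.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Day tokens as used by the default schedule names (M-T-W-TH-F, SA-SU); index == weekday()
DAY_TOKENS = ("M", "T", "W", "TH", "F", "SA", "SU")
_TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$|^24:00$")


def at(text):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (helper for the examples and tests)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def to_minutes(hhmm):
    """Convert a 24-hour HH:MM string to minutes since midnight; 24:00 is allowed."""
    if not _TIME_RE.match(hhmm):
        raise ValueError("time must use the 24-hour HH:MM format: %r" % hhmm)
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


@dataclass(frozen=True)
class OnceSchedule:
    start: datetime
    end: datetime

    def __post_init__(self):
        if self.end <= self.start:
            raise ValueError("End must be later than Start")

    def is_active(self, when):
        return self.start <= when < self.end


@dataclass(frozen=True)
class RecurringSchedule:
    days: frozenset      # weekday() indexes, Monday == 0
    start: str           # Start Time, 24-hour HH:MM
    stop: str            # Stop Time, 24-hour HH:MM ("24:00" allowed)

    def __post_init__(self):
        if to_minutes(self.start) >= to_minutes(self.stop):
            raise ValueError("Stop Time must be later than Start Time")

    def is_active(self, when):
        if when.weekday() not in self.days:
            return False
        minute_of_day = when.hour * 60 + when.minute
        return to_minutes(self.start) <= minute_of_day < to_minutes(self.stop)


def parse_recurring(text):
    """Build a RecurringSchedule from a default-style name such as 'M-T-W-TH-F 08:00-17:00'."""
    days_part, times_part = text.split()
    days = frozenset(DAY_TOKENS.index(token) for token in days_part.split("-"))
    start, stop = times_part.split("-")
    return RecurringSchedule(days, start, stop)


@dataclass(frozen=True)
class ScheduleGroup:
    name: str
    schedules: tuple     # OnceSchedule and/or RecurringSchedule members (a mix is "Mixed")

    def is_active(self, when):
        """A rule applied to the whole group is in effect when any member schedule is."""
        return any(schedule.is_active(when) for schedule in self.schedules)


# The Engineering Work Hours group from the text: weekdays 11:00-21:00, weekends 12:00-17:00.
ENGINEERING_WORK_HOURS = ScheduleGroup(
    "Engineering Work Hours",
    (parse_recurring("M-T-W-TH-F 11:00-21:00"), parse_recurring("SA-SU 12:00-17:00")),
)

if __name__ == "__main__":
    for stamp in ("2012-03-07 12:00", "2012-03-07 22:00", "2012-03-10 13:00"):
        print(stamp, ENGINEERING_WORK_HOURS.is_active(at(stamp)))
```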


Editing Management Settings


To edit the remote management settings for a SonicWALL security appliance, perform the
following steps:

1. Expand the System tree and click Management. The Management page displays.

Caution: Changing the management parameters can cause units to be disconnected from GMS.

2. Enter the port number for HTTP connections in the HTTP Port field.

3. To enable HTTPS access to the appliance, select the Enable HTTPS Access to the unit
checkbox and enter the port number in the HTTPS Port field. For the SonicWALL Aventail
appliance, use port 8443 for HTTPS access.

4. The Certificate Common Name field defaults to the SonicWALL LAN Address. This allows
you to continue using a certificate without downloading a new one each time you log into
the appliance.

Note: To change the HTTP or HTTPS ports for SonicOS Enhanced units, go to the Firewalls >
Service Objects screen and edit the corresponding service object.

5. Specify whether the appliance is to be managed by GMS or a VPN client in the Enable
Management Using pull-down menu.

6. Enter the IP address or host name of the GMS server in the GMS HostName or IPAddress
field.

7. Enter the syslog server port (default: 514) in the GMS Syslog Server Port field.

8. If GMS is behind a device performing Network Address Translation (NAT), select the
GMS behind NAT Device checkbox and enter the IP address in the NAT Device IP
Address field.

9. If the appliance will be managed over an existing VPN tunnel, select the GMS on VPN (No
SA Required) checkbox.


10. To minimize the amount of syslog traffic between GMS and the SonicWALL security
appliance, select the Send Heartbeat Status Messages Only checkbox. Use this option if you
do not need the data to generate reports in GMS. When you check this setting, the unit sends
only heartbeat (m=96) messages, which tell GMS that the unit is alive. Click the Change
button.

11. To allow users on the LAN interface to ping the appliance to verify that it is online, select
the Enable Ping from LAN/WorkPort to management interface checkbox. Click the
Change button.

12. To allow GMS administrators to preempt users who are logged in directly to the SonicWALL
security appliance, select the Allow GMS to preempt a logged in administrator checkbox.

13. If you have configured security associations on the appliance, the Security Association
Information section displays at the bottom of the Management page. Enter the SA keys in
the Encryption Key and Authentication Key fields and click Change Only SA Keys.

14. When you have finished configuring remote management settings, click Update.
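The heartbeat liveness rule from the Missed Reports Threshold setting (Configuring System Settings) and the m=96 heartbeat messages described in step 10, as an added example in Python; it is not GMS code. The syslog lines are constructed, the serial numbers and addresses are placeholders, and the one-minute heartbeat interval used to count missed heartbeats is an assumption the page does not state.

```python
"""Heartbeat liveness check modelled on the GMS Missed Reports Threshold (added example).

Assumptions not stated on the page: heartbeats are expected once per HEARTBEAT_INTERVAL,
and a "missed" heartbeat is each whole interval elapsed since the last one received.
"""
import re
from datetime import datetime, timedelta

HEARTBEAT_MSG_ID = "96"                       # m=96 is the heartbeat message id on the page
DEFAULT_THRESHOLD = 3                         # GMS default: three misses mark a unit down
HEARTBEAT_INTERVAL = timedelta(seconds=60)    # assumed heartbeat period

# Constructed sample lines in SonicWALL key=value syslog style. Serial numbers and
# addresses are placeholders, not real devices.
SAMPLE_SYSLOG = """\
id=firewall sn=SERIAL-A time="2012-03-01 10:00:00" fw=198.51.100.10 pri=6 c=1 m=96 msg="Heartbeat"
id=firewall sn=SERIAL-B time="2012-03-01 10:00:30" fw=198.51.100.20 pri=6 c=1 m=96 msg="Heartbeat"
id=firewall sn=SERIAL-A time="2012-03-01 10:01:00" fw=198.51.100.10 pri=6 c=1 m=96 msg="Heartbeat"
id=firewall sn=SERIAL-A time="2012-03-01 10:02:00" fw=198.51.100.10 pri=6 c=1 m=96 msg="Heartbeat"
id=firewall sn=SERIAL-A time="2012-03-01 10:03:00" fw=198.51.100.10 pri=6 c=16 m=97 msg="Web site access"
this line is not a syslog record and must be ignored
"""

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_ts(text):
    """Parse the quoted time field format used in the sample lines."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_syslog_line(line):
    """Return the key=value pairs of one line as a dict (quotes stripped), or None."""
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    if not all(key in fields for key in ("sn", "m", "time")):
        return None
    return fields


def latest_heartbeats(log_text):
    """Map each serial number to the time of its most recent m=96 message."""
    latest = {}
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None or rec["m"] != HEARTBEAT_MSG_ID:
            continue                      # other syslog traffic never refreshes liveness
        seen = parse_ts(rec["time"])
        if rec["sn"] not in latest or seen > latest[rec["sn"]]:
            latest[rec["sn"]] = seen
    return latest


def missed_heartbeats(last_seen, now, interval=HEARTBEAT_INTERVAL):
    """Whole heartbeat intervals elapsed since last_seen (never negative)."""
    if now <= last_seen:
        return 0
    return int((now - last_seen) / interval)


def unit_status(last_seen, now, threshold=DEFAULT_THRESHOLD, interval=HEARTBEAT_INTERVAL):
    """'up' or 'down' under the threshold rule; a threshold of 0 never marks a unit down."""
    if last_seen is None:
        return "unknown"                  # no heartbeat has ever been received
    if threshold == 0:
        return "up"
    return "down" if missed_heartbeats(last_seen, now, interval) >= threshold else "up"


def evaluate_units(log_text, now, thresholds=None):
    """Status of every unit in the log, honouring per-unit Missed Reports Threshold values."""
    thresholds = thresholds or {}
    return {sn: unit_status(seen, now, thresholds.get(sn, DEFAULT_THRESHOLD))
            for sn, seen in latest_heartbeats(log_text).items()}


if __name__ == "__main__":
    now = parse_ts("2012-03-01 10:05:00")
    for sn, status in sorted(evaluate_units(SAMPLE_SYSLOG, now, {"SERIAL-B": 0}).items()):
        print(sn, status)
```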

Configuring SNMP
This section describes how to configure Simple Network Management Protocol (SNMP)
settings for one or more SonicWALL appliances.
To configure SNMP, perform the following steps:

1. Expand the System tree and click SNMP. The SNMP page displays.

2. Select the Enable SNMP check box.

3. Enter a name in the System Name field.

4. Enter the name of the administrator responsible for the SNMP server in the System
Contact field.

5. Enter the location of the SNMP server in the System Location field.

6. Enter the community name to which the SNMP server will respond for Get requests in the
Get Community Name field.

7. Enter the name of the administrator group that can view SNMP traps in the Trap Community
Name field.

8. Enter the SNMP server IP addresses or hostnames in the Hosts 1-4 fields.

9. When you are finished, click Update. A task is spooled and, once it executes successfully,
the information is updated for each selected SonicWALL appliance.


Configuring Certificates
The Certificates dialog box displays details for Certificate Authority (CA) Certificates and local
certificates that you have imported or configured on your SonicWALL appliance.

This section contains the following sub-sections:

Navigating the System > Certificates Page, page 202

About Certificates, page 203

Configuring CA Certificates, page 204

Importing New Local and CA Certificates, page 204

Generating a Certificate Signing Request, page 205

Configuring SCEP, page 206

Navigating the System > Certificates Page


The Certificate and Certificate Requests section provides all the settings for managing CA
and Local Certificates.

View Style
The View Style menu allows you to choose which certificates are displayed.

Options include:

All Certificates - displays all certificates and certificate requests.

Imported certificates and requests - displays all imported certificates and generated
certificate requests.

Built-in certificates - displays all certificates included with the SonicWALL security
appliance.

Include expired and built-in certificates - displays all expired and built-in certificates.


Certificates and Certificate Requests


The Certificates and Certificate Requests table displays information about your certificates.

Information and options include:

Certificate - the name of the certificate.

Type - the type of certificate, which can include CA or Local.

Validated - the validation information.

Expires - the date and time the certificate expires.

Details - the details of the certificate. Moving the pointer over the MAGNIFYING GLASS
icon displays the details of the certificate.

Configure - Allows configuration with the following options:

Edit icon to make changes to the certificate
Delete icon to remove a certificate
Import icon to import either certificate revocation lists (for CA certificates) or signed
certificates (for Pending requests)

New Signing Request - Create a new signing request directly from the GMS user interface

SCEP - Manage certificates using the Simple Certificate Enrollment Protocol (SCEP)
standard

About Certificates
A digital certificate is an electronic means to verify identity by using a trusted third party known
as a Certificate Authority (CA). SonicWALL now supports third party certificates in addition to
the existing Authentication Service.
SonicWALL security appliances interoperate with any X.509v3-compliant provider of Certificates. However,
SonicWALL security appliances have been tested with the following vendors of Certificate Authority
Certificates:

Entrust

Microsoft

OpenCA

OpenSSL

VeriSign


Configuring CA Certificates
To configure CA Certificates in this dialog box, perform the following steps:

1. From the Name list box, click on a certificate.

2. Note the details, including the certificate name and subject, in the Details region.

3. Click the Email Certificate button if you want to send the certificate to a location by
email.

4. Click the Delete Certificate button if you want to remove the certificate.

5. Specify the URL of the location of the Certificate Revocation List (CRL) in the CRL URL
field. Then click the CRL URL button to launch the CRL.

6. To import a CRL, click the Browse button for the Import CRL field and navigate to the CRL.
Then click the Import CRL button to import the CRL.

7. Select the Invalidate Certificates and Security Association if CRL import or processing
fails checkbox to ensure safe cleanup of half-imported certificates if the process is
interrupted while importing a CRL.

Importing New Local and CA Certificates

This option allows you to import pre-existing certificates stored locally.

To import a certificate:

1. Click the Import Certificate link.

2. Choose between a local end-user certificate or a CA certificate.

3. (local only) Enter a name in the Certificate Name field.

4. (local only) Enter the password used to encrypt the certificate in the Certificate
Management Password field.

5. Browse to the certificate location and Open the file.

6. Click the Import button to complete the process.


Generating a Certificate Signing Request

Note: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the
implementation of digital certificates with VPN.

To obtain a certificate, perform the following steps:

1. On the System > Certificates page, click the New Signing Request link.

2. Complete the information in the Generate Certificate Request section and click Generate
Request. The request displays in the Current Certificate Requests section.

3. Click Export. You are prompted to save the file. It is saved in PKCS #10 format.

4. Obtain a certificate from one of the approved certificate authorities using the PKCS #10 file.

5. After you receive the certificate file, locate and import the file by clicking Browse in the
Import Certificate With Private Key section. Then click Import. The certificate appears
in the Current Local Certificates section.


Configuring SCEP

Note: SCEP configuration is supported at the appliance level.

The Simple Certificate Enrollment Protocol (SCEP) simplifies the process of issuing large
numbers of certificates using an automatic enrollment technique. SCEP is supported for
appliances running SonicOS Enhanced 5.5 or higher. To configure SCEP, perform the following
steps:

1. On the System > Certificates page, click the SCEP link. The SCEP Configuration window
displays.

2. Configure the following options for the SCEP configuration:

CSR list - Select a certificate signing request (CSR) list if one has been uploaded.

Challenge Password - (optional) Enter the password that is used to authenticate the
enrollment request.

CA URL - Enter the URL of the certificate authority.

Request Count - The default is 256.

Polling Interval(S) - The default is 30.

Max Polling Time(S) - The default is 28800.

3. Click the SCEP button to apply the SCEP configuration.


CHAPTER 10
Configuring Firewall Network Settings
This chapter describes how to configure network settings for SonicWALL appliances. It is
divided into sections for SonicWALL security appliances running SonicOS Enhanced and
SonicOS Standard.

Overview of Interfaces section on page 207

Configuring Network Settings in SonicOS Enhanced section on page 209

Configuring Network Settings in SonicOS Standard section on page 258

Overview of Interfaces
You can configure the LAN interface in three different modes:

Static IP - Uses a static IP address and acts as a gateway for devices on the LAN.

Transparent Mode - Allows you to assign a single IP address to two physical interfaces,
where each interface accesses an exclusive range of IP addresses in the shared subnet.
Behaves as a proxy at Layer 3, intercepting ARPs and changing source MAC addresses of
packets traversing the interface pair.

Layer 2 Bridged Mode - Similar to Transparent Mode, but dynamically learns IP addresses
on both interfaces so that you do not need to subdivide the subnet that is being bridged.
Provides deep-packet inspection and application of policies before forwarding packets. Places
the bridged interfaces into promiscuous mode and passes traffic between them with source and
destination MAC addresses intact.

Figure 10:1 shows the basic interfaces for a SonicWALL appliance. The WAN interface can use
a static or dynamic IP address and can connect to the Internet via Transmission Control
Protocol (TCP), Point-to-Point Protocol over Ethernet (PPPoE), Level 2 Tunneling Protocol
(L2TP), or Point-to-Point Tunneling Protocol (PPTP).
A SonicWALL appliance might have one, many, or no optional interfaces. Optional interfaces
can be configured for LAN, WAN, DMZ, WLAN, or Multicast connections, or they can be
disabled.


Figure 10:1 Interfaces (diagram of a Network Security Appliance E7500: LAN interface - Static
IP, Transparent Mode, or Layer 2 Bridge Mode; OPT interface (LAN/WAN/DMZ/Multicast) - Static
IP or Dynamic IP; WAN interface - Static IP, Dynamic IP, TCP, PPPoE, L2TP, or PPTP, connected
to the Internet; LAN, DMZ, and WAN segments shown)

Virtual Interfaces (VLAN)

On the SonicWALL NSA Series and SonicWALL PRO 2040/3060/4060/4100/5060 security
appliances, virtual interfaces are sub-interfaces assigned to a physical interface. Virtual
interfaces allow you to have more than one interface on one physical connection. Virtual
interfaces provide many of the same features as physical interfaces, including Zone
assignment, DHCP Server, and NAT and Access Rule controls. Layer 2 Bridged Mode cannot
be selected for a VLAN interface.
VLAN support on SonicOS Enhanced is achieved by means of sub-interfaces, which are logical
interfaces nested beneath a physical interface. Every unique VLAN ID requires its own
sub-interface. For reasons of security and control, SonicOS does not participate in any VLAN
trunking protocols, but instead requires that each VLAN to be supported be explicitly configured
and assigned appropriate security characteristics.


Figure 10:2 VLAN Interfaces (diagram of a Network Security Appliance E7500: interface X0
carries VLAN 10 with hosts 10.10.10.2, 10.10.10.4, 10.10.10.5, 10.10.10.7, and 10.10.10.9;
interface X3 carries VLAN 20 with hosts 10.20.20.3, 10.20.20.5, and 10.20.20.7; the LAN / WLAN
sub-interface addresses are 10.10.10.1/24 / 10.20.20.1/24)

SonicOS Enhanced 4.0 and higher can apply bandwidth management to both egress
(outbound) and ingress (inbound) traffic on the WAN interface. Outbound bandwidth
management is done using Class Based Queuing. Inbound bandwidth management is done by
implementing an ACK delay algorithm that uses TCP's intrinsic behavior to control the traffic.
Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service
(QoS) for the SonicWALL security appliance. Every packet destined for the WAN interface is
queued in the corresponding priority queue. The scheduler then dequeues the packets and
transmits them on the link depending on the guaranteed bandwidth for the flow and the
available link bandwidth.

Configuring Network Settings in SonicOS Enhanced


The following sections describe how to configure network settings in SonicOS Enhanced:

Configuring Interface Settings section on page 210

WAN Failover and Load Balancing section on page 220

Configuring Zones section on page 223

Configuring the WLAN Zone section on page 226

Configuring DNS section on page 229

Configuring Dynamic DNS section on page 230

Configuring Address Objects section on page 232

Configuring NAT Policies section on page 234

Configuring Web Proxy Forwarding Settings section on page 239

Configuring RIP in SonicOS Enhanced section on page 242

Configuring IP Helper section on page 245

Configuring ARP section on page 247

Configuring SwitchPorts section on page 250

Configuring PortShield Groups section on page 251


Configuring MAC-IP Anti-Spoof section on page 252

Configuring Network Monitor section on page 256

Configuring Interface Settings


Interface settings define the networks associated with the LAN, WAN, optional (OPT), and
WWAN interfaces. This includes protocols, gateways, DNS servers, Virtual LANs, and
management settings. To configure the network interfaces for one or more SonicWALL
appliances, perform the following steps:

1. Select a single SonicWALL appliance, or a group of SonicWALL appliances running
SonicOS Enhanced.

Note: Group level interface edits are only available for SonicWALL firewall appliances.

2. Expand the Network tree and click Interfaces. The Interfaces page displays.

3. Click the Edit icon of the LAN, WAN, OPT, or WWAN interface. The Edit Interface
window is displayed.
For a WWAN interface, GMS navigates directly to the Network > WWAN > Settings
screen. For configuration information, refer to the Configuring WWAN Settings section on
page 625.

Editing Interface Settings


You can edit interface settings in the Network > Interfaces screen by clicking the edit icon in
the row for the interface that you want to edit. The Edit Interface dialog box displays.


Transparent Mode

The following options are available when configuring an interface in Transparent Mode:

For LAN, DMZ, or Multicast interfaces, configure the following settings:

For IP Assignment, select Static, Transparent Mode, or Layer 2 Bridged Mode. The display
changes according to your selection. Configure the resulting field as follows:

Static - For static IP addresses, enter the IP Address for the interface and Subnet
Mask for the network.

Transparent Mode - For transparent mode, select an address object that contains the
range of IP addresses you want to have access through this interface in the
Transparent Range menu.

PortShield Switch Mode - For SonicWALL TZ 210, TZ 210W and NSA 240
appliances, you can configure interfaces for PortShield switch mode, which manually
groups ports together to share a common network subnet as well as common zone
settings. For more information, refer to the Configuring PortShield Groups section on
page 251.

Layer 2 Bridge Mode

Note: When configuring a zone for Layer 2 Bridge Mode, the only access rule automatically
added is an allow rule between the bridge pair. Other necessary access rules must be added
manually.


The following options are available when configuring an interface in Layer 2 Bridge Mode:

Layer 2 Bridged Mode - On appliances running SonicOS Enhanced 3.5 and 4.0 or
higher, you can select Layer 2 Bridged Mode for physical interfaces in either the LAN or the
DMZ zone. On appliances running SonicOS Enhanced 5.5 or higher, you can select Layer
2 Bridge Mode for the WLAN zone.

In the Bridged-to field, select a WAN, LAN, or DMZ interface with a static IP
address.

Select the Block all non-IPv4 traffic checkbox to allow only IPv4 traffic on this
bridge-pair.

Select the Never route traffic on this bridge-pair checkbox to prevent traffic from
being routed to another interface.

Select the Only sniff traffic on this bridge-pair checkbox to allow the bridged
interface to be connected to a mirrored port on a switch in a one-arm mode to
perform intrusion detection by examining traffic going through the switch.

Select the Disable stateful-inspection on this bridge-pair checkbox to enable asymmetric
routing on this interface.

Layer 2 Bridge Bypass Relay Control

The Engage physical bypass on malfunction option enables Layer 2 Bridge Bypass
Relay Control, also known as Fail to Wire. The bypass relay option provides the user
the choice of avoiding disruption of network traffic by bypassing the firewall in the event
of a malfunction. The bypass relay will be closed for any unexpected anomaly (power
failure, watchdog exception, fallback to safe-mode).

Note: The Engage physical bypass on malfunction option is available only for SonicWALL
E7500 appliances running SonicOS Enhanced version 5.5 or higher and only when the X0
interface is bridged to the X1 interface.

Selecting the Engage physical bypass on malfunction option automatically
configures the other Layer 2 Bridge mode options as follows:

Block all non-IPv4 traffic - Disabled

Never route traffic - Enabled


Only sniff traffic - Disabled

Disable stateful-inspection - Not modified

Comment - Enter any comments regarding the interface.

Management - Select one or more of the following management options:

HTTP - Allows HTTP management over the interface.
HTTPS - Allows HTTPS management over the interface.
Ping - The interface will respond to ping requests.
SNMP - The interface will support Simple Network Management Protocol (SNMP).
SSH - The interface will support Secure Shell (SSH) for CLI-based administration.

User Login - Select from the following user login options:

HTTP - When selected, users will be able to log in using HTTP.
HTTPS - When selected, users will be able to log in using HTTPS.
Add rule to enable redirect from HTTP to HTTPS - Redirects users to HTTPS when
they attempt to access the device using HTTP. This option is only applicable when
HTTPS access is enabled and HTTP access is not.

WAN Settings
Perform the following steps to configure the WAN settings for the SonicWALL appliance.

1. Select how the WAN connects to the Internet from the IP Assignment list box:

Static - Configure the following settings for static IP address interfaces:
IP Address - Enter the IP address of the interface.
Subnet Mask - Enter the subnet mask for the network.
Default Gateway - IP address of the WAN gateway.
DNS Server 1-3 - IP addresses of the DNS Servers.
Comment - Enter any comments regarding the interface.

DHCP - Configure the following settings if the WAN IP address will use DHCP:
Host Name - Specifies the host name of the SonicWALL device on the WAN interface.
Comment - Enter any comments regarding the interface.
IP Address, Subnet Mask, Gateway (Router) Address, and DNS Server 1-3 - These
settings are automatically filled in by DHCP.


PPPoE - Configure the following settings if the WAN IP address will use PPPoE:

Schedule - Select the schedule for when the interface is enabled. The default value is
Always on. The available options can be customized in the System > Schedules page.
The default choices are:

Always on

Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same
schedules)

M-T-W-TH-F 00:00-08:00

After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same
schedules)

Weekend Hours or SA-SU 00:00-24:00 (these two options are the same
schedules)

User Name - Enter the username provided by the ISP.

Password - Enter the password used to authenticate the username with the ISP. This
field is case-sensitive.

Comment - Enter any comments regarding the interface.

Service Name - Enter the name of a service that must be supported by PPPoE servers
that respond to a client connection request. The service name can be up to 50
characters. Many installations use the system name as a service name, for example
sonicwall-server or redback-server. If the service name is left blank, the client will
connect to any service.

Select from the following:

To configure the SonicWALL appliance(s) to dynamically obtain an IP address,
select Obtain an IP Address automatically.

To configure the SonicWALL appliance(s) to use a fixed IP address, select Use the
following IP Address and enter the IP address.

Select from the following:

To configure the SonicWALL appliance(s) to obtain the DNS server information
automatically, select Obtain DNS Server Address Automatically.

To specify DNS servers, select Specify DNS Servers and enter the DNS Server IP
addresses.


Note: For PPPoE interfaces, a Protocol tab appears that displays the acquired IP address,
subnet mask, gateway address, and DNS server addresses. Click the Protocol tab to view the
settings for the acquired IP address, subnet mask, gateway address, and DNS server
addresses.

Inactivity Disconnect - Specify how long (in minutes) the SonicWALL appliance waits
before disconnecting from the Internet, and select the checkbox.

Strictly use LCP echo packets for server keep-alive - This checkbox is enabled
when the client recognizes that the server relies on Link Control Protocol (LCP) echo
requests for keeping the PPPoE connection alive.

Disconnect the PPPoE client if the server does not send traffic for __ minutes - Select
this checkbox and enter the number of minutes to wait without traffic before the connection
is ended. When enabled, the PPPoE client monitors traffic from the server on the tunnel and
disconnects when no traffic is seen for the specified time period.

PPTP - Configure the following settings if the WAN IP address will use PPTP:

Schedule - Select the schedule for when the interface is enabled. The default value is
Always on. The available options can be customized in the System > Schedules page.
The default choices are:

Always on

Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same
schedules)

M-T-W-TH-F 00:00-08:00

After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same
schedules)

Weekend Hours or SA-SU 00:00-24:00 (these two options are the same
schedules)

User Name - Enter the username provided by the ISP.

User Password - Enter the password used to authenticate the username with the ISP.
This field is case-sensitive.

PPTP Server IP Address - This information is provided by your ISP.

PPTP (Client) Host Name - This information is provided by your ISP.

Comment - Enter any comments regarding the interface.

Inactivity Disconnect - Specify how long (in minutes) the SonicWALL appliance waits
before disconnecting from the Internet.

Select from the following in the PPTP IP Assignment list box:

To configure the SonicWALL appliance(s) to dynamically obtain an IP address, select
DHCP.

To configure the SonicWALL appliance(s) to use a fixed IP address, select Static and
enter the IP address, subnet mask, and gateway IP address.

Note: For PPTP interfaces, a Protocol tab appears that displays the acquired IP address,
subnet mask, gateway address, and DNS server addresses.


L2TP - Configure the following settings if the WAN IP address will use L2TP:

Schedule - Select the schedule for when the interface is enabled. The default value is
Always on. The available options can be customized in the System > Schedules page.
The default choices are:

Always on

Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same
schedules)

M-T-W-TH-F 00:00-08:00

After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same
schedules)

Weekend Hours or SA-SU 00:00-24:00 (these two options are the same
schedules)

User Name - Enter the username provided by the ISP.

User Password - Enter the password used to authenticate the username with the ISP.
This field is case-sensitive.

L2TP Server IP Address - This information is provided by your ISP.

L2TP (Client) Host Name - This information is provided by your ISP.

Comment - Enter any comments regarding the interface.

Inactivity Disconnect - Specify how long (in minutes) the SonicWALL appliance waits
before disconnecting from the Internet.

Select from the following in the L2TP IP Assignment list box:

To configure the SonicWALL appliance(s) to dynamically obtain an IP address,
select DHCP.

To configure the SonicWALL appliance(s) to use a fixed IP address, select Static
and enter the IP address, subnet mask, and gateway IP address.

Note: For L2TP interfaces, a Protocol tab appears that displays the acquired IP address,
subnet mask, gateway address, and DNS server addresses.

2. Select one or more of the following management options:

HTTP - When selected, allows HTTP management from the interface.
HTTPS - When selected, allows HTTPS management from the interface.
Ping - When selected, the interface will respond to ping requests.
SNMP - When selected, the interface will support Simple Network Management
Protocol (SNMP).

3. User Login - Select from the following user login options:

HTTP - When selected, users will be able to log in using HTTP.
HTTPS - When selected, users will be able to log in using HTTPS.
Add rule to enable redirect from HTTP to HTTPS - Redirects users to HTTPS when
they attempt to access the device using HTTP. This option is only applicable when
HTTPS access is enabled and HTTP access is not.

4. Click Update. The settings are saved. To clear any changes and start over, click Reset.

SonicWALL GMS 7.0 Administrators Guide

Configuring Network Settings in SonicOS Enhanced

Advanced Settings
5. Click the Advanced tab and configure the following Ethernet settings:

• Link Speed - To configure the interface to automatically negotiate Ethernet settings,
select Auto Negotiate. If you want to specify the forced Ethernet speed and duplex,
select the appropriate setting.

• Override Default MAC Address - Select to manually enter the MAC address.
Otherwise, the default MAC address is used.

• Enable Multicast Support - Select to enable multicast on the interface.

• Interface MTU - Specify the size of the Maximum Transmission Unit (MTU) in
octets (default: 1500).

• To fragment packets that are larger than this MTU, select the Fragment non-VPN
outbound packets larger than this Interface's MTU checkbox.

• To stop the appliance from sending ICMP Fragmentation Needed messages for outbound
packets that exceed the interface MTU, select the Do not send ICMP Fragmentation
Needed for outbound packets over the Interface MTU checkbox.

Note

If the maximum transmission unit (MTU) size is too large for a remote router, it may require
more transmissions. If the packet size is too small, this could result in more packet header
overhead and more acknowledgements that have to be processed.

• To ignore Don't Fragment (DF) bits from routers connected to the SonicWALL
appliance, select the Ignore Don't Fragment (DF) Bit check box.
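The three MTU checkboxes above interact: whether an oversized outbound packet is fragmented, dropped with an ICMP Fragmentation Needed reply, or dropped silently depends on the packet's DF bit, whether it is VPN traffic, and which options are set. The following Python is an added example, not SonicWALL code: it models that decision as described above (the setting names, the VPN case and the option-off case are my assumptions) and shows how a non-VPN packet is split into RFC 791 fragments.

```python
from dataclasses import dataclass


@dataclass
class MtuSettings:
    """Interface MTU options, named after the checkboxes above (field names are mine)."""
    mtu: int = 1500                          # Interface MTU in octets
    fragment_non_vpn: bool = True            # "Fragment non-VPN outbound packets larger than this Interface's MTU"
    suppress_icmp_frag_needed: bool = False  # "Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU"
    ignore_df_bit: bool = False              # "Ignore Don't Fragment (DF) Bit"


IP_HEADER_LEN = 20  # IPv4 header without options


def outbound_action(pkt_len: int, df_set: bool, is_vpn: bool, cfg: MtuSettings) -> str:
    """Decide what happens to one outbound packet (constructed model, not SonicOS code).

    Returns one of "forward", "fragment", "drop_icmp_frag_needed", "drop_silent".
    """
    if pkt_len <= cfg.mtu:
        return "forward"
    if is_vpn:
        # The fragment option covers non-VPN traffic only; VPN-bound packets are
        # assumed here to be handed to the tunnel untouched.
        return "forward"
    # Case 1: the sender set DF and we honour it, so the packet cannot be fragmented.
    if df_set and not cfg.ignore_df_bit:
        # Path MTU discovery (RFC 1191) depends on the ICMP type 3 code 4 reply;
        # suppressing it turns an oversized DF packet into a silent black hole.
        return "drop_silent" if cfg.suppress_icmp_frag_needed else "drop_icmp_frag_needed"
    # Case 2: DF is clear (or ignored): fragment if the option allows it, otherwise
    # the packet is assumed to be dropped like a DF packet.
    if cfg.fragment_non_vpn:
        return "fragment"
    return "drop_silent" if cfg.suppress_icmp_frag_needed else "drop_icmp_frag_needed"


def fragment(pkt_len: int, mtu: int):
    """Split a pkt_len-byte IPv4 packet into fragments that fit mtu (RFC 791).

    Returns a list of (fragment offset in 8-byte units, payload bytes, more-fragments flag).
    Every fragment except the last carries a multiple of 8 payload bytes.
    """
    payload = pkt_len - IP_HEADER_LEN
    max_chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    offset = 0
    while offset < payload:
        n = min(max_chunk, payload - offset)
        frags.append((offset // 8, n, offset + n < payload))
        offset += n
    return frags


if __name__ == "__main__":
    cfg = MtuSettings()
    for length, df in ((1400, False), (1600, False), (1600, True)):
        print(length, "DF" if df else "  ", outbound_action(length, df, False, cfg))
    print(fragment(3000, 1500))
```

Note the black-hole case: honouring DF while suppressing ICMP Fragmentation Needed leaves the sender with no signal that the path MTU is smaller.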

Expert Mode

6. Under the Expert Mode Settings heading, select the Use Routed Mode - Add NAT Policy
to prevent outbound\inbound translation checkbox to enable Routed Mode for the
interface. Routed Mode provides an alternative to NAT for routing traffic between separate
public IP address ranges. NAT translations are automatically disabled for the interface,
and all inbound and outbound traffic is routed to the WAN interface.

• In the Set NAT Policy's outbound\inbound interface to pull-down menu, select the
WAN interface that is to be used to route traffic for the interface.

7. Click OK.

8. The firewall then creates no-NAT policies for both the configured interface and the
selected WAN interface. These policies override any more general M21 NAT policies that
may be configured for the interfaces.

The availability of Expert Mode depends on the zone and IP address assignment configuration
of the interface, as follows:

• LAN & DMZ - Expert Mode is available for interfaces that are assigned a static IP address.

• WAN - Expert Mode is not available.

• WLAN - Expert Mode is available for all WLAN interfaces, regardless of IP assignment.

Bandwidth Management
SonicOS Enhanced can apply bandwidth management to both egress (outbound) and ingress
(inbound) traffic on the interfaces in the WAN zone. Outbound bandwidth management is done
using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK
delay algorithm that uses TCP's intrinsic behavior to control the traffic.

Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service
(QoS) for the SonicWALL security appliance. Every packet destined to the WAN interface is
queued in the corresponding priority queue. The scheduler then dequeues the packets and
transmits them on the link depending on the guaranteed bandwidth for the flow and the available
link bandwidth.

Use the Bandwidth Management section of the Edit Interface screen to enable or disable
ingress and egress bandwidth management. The Egress and Ingress available link bandwidth
fields are used to configure the upstream and downstream connection speeds in kilobits per
second.

Note

The Bandwidth Management settings are applied to all interfaces in the WAN zone, not just
to the interface being configured.

9. The Bandwidth Management section contains the following settings:

• Enable Egress Bandwidth Management - Enables outbound bandwidth management.

• Available Interface Egress Bandwidth (Kbps) - Specifies the available bandwidth for
WAN interfaces in Kbps.

• Enable Ingress Bandwidth Management - Enables inbound bandwidth management.

• Available Interface Ingress Bandwidth (Kbps) - Specifies the available bandwidth for
WAN interfaces in Kbps.

10. Configure the following Bandwidth Management settings:

• To enable egress bandwidth management on this interface, select the check box and
enter the bandwidth of the connection in the Available Interface Bandwidth field in
kilobits per second (Kbps).

• To enable ingress bandwidth management on this interface, select the check box and
enter the bandwidth of the connection in the Available Interface Bandwidth field in
kilobits per second (Kbps).

11. Click Update. The settings are saved. To clear any changes and start over, click Reset.

Configuring VLAN Sub-Interfaces


When you add a VLAN sub-interface, you need to assign it to a Zone, assign it a VLAN Tag,
and assign it to a physical interface. Based on your zone assignment, you configure the VLAN
sub-interface the same way you configure a physical interface for the same zone.

1. At the bottom of the Network > Interfaces page, click Add VLAN Interface. The Add
Interface window displays.

2. Select a Zone to assign to the interface. You can select LAN, DMZ, WLAN, or unassigned.
The zone assignment does not have to be the same as the parent (physical) interface.

3. Enter a Portshield Interface Name for the sub-interface.

4. Declare the parent (physical) interface to which this sub-interface will belong. There is no
per-interface limit to the number of sub-interfaces you can assign; you may assign
sub-interfaces up to the system limit (in the hundreds).

5. For LAN and DMZ, select Static or Transparent for the IP Assignment. WLAN interfaces
use static IP addresses:

• For static IP addresses, enter the IP Address for the interface and the Subnet Mask for
the network.

• For transparent mode, select an address object that contains the range of IP addresses
you want to have access through this interface in the Transparent Range menu.

6. Management - Select from the following management options:

• HTTP - When selected, allows HTTP management from the interface.
• HTTPS - When selected, allows HTTPS management from the interface.
• Ping - When selected, the interface will respond to ping requests.
• SNMP - When selected, the interface will support Simple Network Management
Protocol (SNMP).

7. User Login - Select from the following user login options:

• HTTP - When selected, users will be able to log in using HTTP.
• HTTPS - When selected, users will be able to log in using HTTPS.
• Add rule to enable redirect from HTTP to HTTPS - Redirects users to HTTPS when
they attempt to access the device using HTTP. This option is only applicable when
HTTPS access is enabled and HTTP access is not.

8. Check Create Default DHCP Lease Scope to indicate that the amount of time allowed for
an IP address issued by DHCP will be the default.

9. Click OK.

The virtual interface displays in the VLAN Interfaces table below the Interfaces table.

WAN Connection Model


To configure the WAN connection model for a SonicWALL appliance with WWAN capability
running SonicOS Enhanced 3.6 or higher, navigate to the Network > Interfaces page and
select one of the following options in the WAN Connection Model pull-down menu:

• WWAN only - The WAN interface is disabled and the WWAN interface is used exclusively.

• Ethernet only - The WWAN interface is disabled and the WAN interface is used
exclusively.

• Ethernet with WWAN Failover - The WAN interface is used as the primary interface and
the WWAN interface is disabled. If the WAN connection fails, the WWAN interface is
enabled and a WWAN connection is automatically initiated.

Note

The WAN Connection Model option does not apply to TZ200 through NSA240 units running
SonicOS Enhanced 5.6 and above. For these devices, any WWAN interfaces are treated as
regular WAN interfaces and failover to the WWAN is configured as a secondary WAN
interface. See the Configuring Multiple WAN Interfaces section on page 222 for more
information.

Managing WWAN Connections


To initiate a WWAN connection, perform the following steps:

1. In the Interface Settings table, in the WWAN row, click Connect. The SonicWALL
appliance attempts to connect to the WWAN service provider.

2. To disconnect a WWAN connection, click Disconnect.

WAN Failover and Load Balancing


WAN Failover enables you to configure one of the user-defined interfaces as a secondary WAN
port. The secondary WAN port can be used in a simple active/passive setup in which traffic is
routed through the secondary WAN port only if the Primary WAN port is unavailable. This
allows the SonicWALL to maintain a persistent connection for WAN port traffic by failing over
to the secondary WAN port.

For a SonicWALL appliance with a WWAN interface, such as a TZ 190, you can configure
failover using the WWAN interface. Failover between the Ethernet WAN (the WAN port, OPT
port, or both) and the WWAN is supported through the WAN Connection Model setting.

This feature also allows you to perform simple load balancing for the WAN traffic on the
SonicWALL. You can select a method of dividing the outbound WAN traffic between the two
WAN ports and balance network traffic. Load balancing is currently supported only on Ethernet
WAN interfaces, not on WWAN interfaces.

The SonicWALL can monitor WAN traffic using Physical Monitoring, which detects whether the
link is unplugged or disconnected, or Physical and Logical Monitoring, which monitors traffic at
a higher level, such as upstream connectivity interruptions.

Note

Before you begin, be sure you have configured a user-defined interface to mirror the WAN
port settings.

To configure the WAN Failover for a SonicWALL appliance, perform the following steps:

1. Expand the Network tree and click WAN Failover & LB. The WAN Failover & LB page
displays.

2. Select the Enable Load Balancing check box.

3. Select the secondary interface(s) from the Secondary WAN Interface pull-down menu.
If this is not configured, you will need to configure a WAN interface from the Network >
Interfaces page.

Appliances running SonicOS Enhanced 5.5 can support up to three alternate WAN
interfaces. For these appliances, the Secondary WAN Interface pull-down menu is
replaced with up to three Alternate WAN pull-down menus. The pull-down menus
contain all interfaces configured as WAN interfaces.

4. Specify how often the SonicWALL appliance will check the interface (5-300 seconds) in the
Check interface every field (default: 5 seconds).

5. Specify the number of times the SonicWALL appliance tests the interface as inactive before
failing over in the Deactive interface after field (default: 3). For example, if the SonicWALL
appliance tests the interface every 5 seconds and finds the interface inactive after 3
successive attempts, it will fail over to the secondary interface after 15 seconds.

6. Specify the number of times the SonicWALL appliance tests the interface as active before
failing back to the primary interface in the Deactive interface after field (default: 3). For
example, if the SonicWALL appliance tests the interface every 5 seconds and finds the
interface active after 3 successive attempts, it will fail back to the primary interface after 15
seconds.

7. To configure outbound load balancing, select from the following:

• Select Basic Active/Passive Failover to enable a basic failover setup. When the
primary device fails to provide a connection, it will enter standby and allow the
secondary device to take over network traffic. Check the Preempt and failback to
Primary WAN when possible checkbox to enable immediate failback to the primary
device when available.

• Select Per Connection Round-Robin to enable a Round-Robin form of load
balancing. In the 17th or 18th century, when peasants in France wanted to complain to
the king using a petition, the usual reaction from the monarch was to seize the two or
three people on top of that petition list and execute them. In order to stop this form of
arbitrary vengeance, the names were signed in a circle at the bottom of the petition so
that no one would be on top of the list. This became known as a Round-Robin. Thus,
in load balancing, Round-Robin is where network requests are applied to a circular list.
When the network load becomes too much, GMS acts as a monarch and picks several
of the network clients from the list to execute. This process allows GMS to quickly and
easily free up network resources.

• Select Spillover-based and enter a value (in Kb/sec) to enable the secondary device
to serve as a load balancer. With this option selected, traffic will be re-routed to the
secondary device should the primary WAN device exceed the specified bandwidth.

• Select Percentage-Based to split network traffic between the primary and secondary
or alternate WAN interfaces based on your specified percentages.

  • Enter a Primary WAN Percentage and Secondary WAN Percentage that add up
  to 100 to divide traffic between the two WAN interfaces.

  • Appliances running SonicOS Enhanced 5.5 or above can divide traffic between up
  to four WAN interfaces. Enter a Primary WAN Percentage, and up to three
  Alternate WAN Percentage settings that add up to 100.

  • When using Percentage-Based load balancing, you may select the Use Source and
  Destination IP Addresses Binding checkbox to keep related traffic together across
  an interface.

Timesaver

When using Percentage-Based load balancing, fill in the Primary WAN Percentage field
only. The Secondary WAN Percentage field will be calculated for you.

8. The SonicWALL appliance can monitor the WAN by detecting whether the link is unplugged
or disconnected, or by sending probes to a target IP address of an always available target
upstream device on the WAN network, such as an ISP side router. To enable probe
monitoring, select the Enable Probe Monitoring check box and configure the following
settings:

• Primary WAN Probe Settings - Select the protocol used for monitoring and enter the
IP address and port (TCP only) of the probe target. If there will be an optional probe
target, specify these settings also and select whether the SonicWALL appliance must
test both targets or either target.

• Secondary WAN Probe Settings - Select the protocol used for monitoring and enter
the IP address and port (TCP only) of the secondary probe target. If there will be an
optional secondary probe target, specify these settings also and select whether the
SonicWALL appliance must test both targets or either target.

• WWAN WAN Probe Settings - Select the protocol used for monitoring and enter the
IP address and port (TCP only) of the WWAN probe target. If there will be an optional
WWAN probe target, specify these settings also and select whether the SonicWALL
appliance must test both targets or either target.

Note

TCP probing is useful if you do not have ping (ICMP) response enabled on your network
devices. In this case, TCP can be used to probe the device on a user-specified port.

9. Select the Respond to Probes checkbox to enable GMS managed devices to respond to
probe requests. With this option selected, you can also check the Any TCP-SYN to Port
checkbox and enter a specific port to probe.

10. Click the Update button at the bottom of the page to save these settings.
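The failover timing of steps 4 through 7 and the main/optional probe-target logic of step 8 can be checked against a small model. The following Python is an added example, not GMS or SonicOS code; the setting names are mine and the probe results are constructed, but the arithmetic reproduces the 15-second failover the steps describe and shows how "both targets" versus "either target" changes the outcome.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FailoverSettings:
    """Mirrors the fields in steps 4 through 8 (names are mine, not the GMS API)."""
    check_every: int = 5               # Check interface every (5-300 seconds)
    deactivate_after: int = 3          # successive failed checks before failover
    reactivate_after: int = 3          # successive good checks before failback
    require_both_targets: bool = True  # probe main AND optional target; False = either
    preempt: bool = True               # "Preempt and failback to Primary WAN when possible"


def probe_ok(main: bool, optional: Optional[bool], require_both: bool) -> bool:
    """Combine the main and optional probe results (None = no optional target)."""
    if optional is None:
        return main
    return (main and optional) if require_both else (main or optional)


class WanFailover:
    """Active/passive state machine driven by one probe result per check interval."""

    def __init__(self, settings: FailoverSettings):
        self.s = settings
        self.active = "primary"
        self.fail_streak = 0
        self.ok_streak = 0
        self.elapsed = 0                      # seconds since monitoring started
        self.events: List[Tuple[int, str]] = []

    def check(self, main: bool, optional: Optional[bool] = None) -> str:
        self.elapsed += self.s.check_every
        if probe_ok(main, optional, self.s.require_both_targets):
            self.ok_streak += 1
            self.fail_streak = 0
        else:
            self.fail_streak += 1
            self.ok_streak = 0
        if self.active == "primary" and self.fail_streak >= self.s.deactivate_after:
            self.active = "secondary"
            self.fail_streak = 0
            self.events.append((self.elapsed, "failover"))
        elif (self.active == "secondary" and self.s.preempt
              and self.ok_streak >= self.s.reactivate_after):
            self.active = "primary"
            self.ok_streak = 0
            self.events.append((self.elapsed, "failback"))
        return self.active


def simulate(settings: FailoverSettings, probe_results) -> List[Tuple[int, str]]:
    """Feed a series of (main, optional) probe results and return the (time, event) log."""
    fo = WanFailover(settings)
    for main, optional in probe_results:
        fo.check(main, optional)
    return fo.events


# Constructed probe log, one entry per check: (main target reachable, optional reachable).
# The ISP-side router goes dark for three checks while the optional target is briefly fine.
OUTAGE_THEN_RECOVERY = [
    (True, True), (True, True),
    (False, True), (False, False), (False, False),
    (True, True), (True, True), (True, True),
]

if __name__ == "__main__":
    print("both targets:", simulate(FailoverSettings(), OUTAGE_THEN_RECOVERY))
    print("either target:", simulate(FailoverSettings(require_both_targets=False),
                                     OUTAGE_THEN_RECOVERY))
```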

Configuring Multiple WAN Interfaces


The Multiple WAN (MWAN) feature allows the administrator to configure all but one of the
appliance's interfaces for WAN network routing (one interface must remain configured for the
LAN zone for local administration). All of the WAN interfaces can be probed using the SNWL
Global Responder host. Multiple WAN is configured across the following sections of the UI.

Configuring Network Interfaces for Multiple WAN

The Network > Interfaces page allows more than two WAN interfaces to be configured for
routing. It is possible to configure WAN interfaces in the Network > Interfaces page but not
include them in the Failover & LB group. Only the Primary WAN Ethernet Interface is required
to be part of the LB group whenever LB has been enabled. Any WAN interface that does not
belong to the LB group is not included in the LB function, but performs normal WAN routing
functions.

Note

A virtual WAN interface may belong to the LB group. However, prior to using it within the LB
group, ensure that the virtual WAN network is fully routable like that of a physical WAN.

Routing the Default & Secondary Default Gateways for Multiple WAN
Because the gateway address objects previously associated with the Primary WAN and
Secondary WAN are now deprecated, user-configured Static Routes need to be re-created in
order to use the correct gateway address objects associated with the WAN interfaces. This
must be configured manually as part of the firmware upgrade procedure on the Network >
Routing (ENH) page.
The old address object, Default Gateway, corresponds to the default gateway associated with
the Primary WAN in the LB group. The Secondary Default Gateway address object
corresponds to the default gateway associated with Alternate WAN #1.

Note

After re-adding the routes, delete the old ones referring to the Default and Secondary
Default Gateways.

Configuring DNS for Multiple WAN


If DNS name resolution issues are encountered with multiple WAN interfaces, you may need to
select the Specify DNS Servers Manually option on the Network > DNS page and set the
servers to Public DNS Servers (ICANN or non-ICANN).
Depending on your location, some DNS Servers may respond faster than others. Verify that
these servers work correctly from your installation prior to using your SonicWALL appliance.

Configuring Zones
A Zone is a logical grouping of one or more interfaces designed to make management, such as
the definition and application of Access Rules, a simpler and more intuitive process than
following a strict physical interface scheme. There are four fixed Zone types: Trusted,
Untrusted, Public, and Encrypted. Trusted is associated with LAN Zones. These fixed Zone
types cannot be modified or deleted. A Zone instance is created from a Zone type and named
accordingly, e.g., Sales, Finance, etc.

Only the number of interfaces limits the number of Zone instances for Trusted and Untrusted
Zone types. The Untrusted Zone type (i.e., the WAN) is restricted to two Zone instances. The
Encrypted Zone type is a special system Zone comprising all VPN traffic and doesn't have any
associated interfaces.

Trusted and Public Zone types offer an option, Interface Trust, to automate the creation of
Access Rules to allow traffic to flow between the Interfaces of a Zone instance. For example, if
the LAN Zone has interfaces X0, X3, and X5 assigned to it, checking Allow Interface Trust on
the LAN Zone creates the necessary Access Rules to allow hosts on these Interfaces to
communicate with each other.

To add or edit a Zone, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

2. Expand the Network tree and click Zones. The Zones page displays.

3. Click the Edit icon for a Zone or click Add New Zone. The Edit Zone or Add Zone
dialog box displays.

4. If this is a new Zone, enter a name for the Zone.

5. Select the Security Type.

6. To configure the SonicWALL appliance to automatically create the rules that allow data to
freely flow between interfaces in the same Zone, select the Allow Interface Trust check
box.

7. To enforce content filtering on multiple interfaces in the same Trusted or Public Zones,
select the Enforce Content Filtering Service check box.

8. For appliances running SonicOS Enhanced 4.0 or above, if the selected node is a group or
global node, or if the selected appliance is licensed for SonicWALL CFS Premium, select a
predefined CFS policy or the default policy from the CFS Policy pull-down list. The
pull-down list is only populated if the Enforce Content Filtering Service checkbox is
enabled. It is not available for the WAN zone.

9. To enforce network anti-virus protection on multiple interfaces in the same Trusted or Public
Zones, select the Enforce Network Anti-Virus Service check box.

10. To enforce gateway anti-virus protection on multiple interfaces in the same Trusted or
Public Zones, select the Enable Gateway Anti-Virus Service check box.

11. To enforce Intrusion Prevention Services (IPS) on multiple interfaces in the same Trusted
or Public Zones, select the Enable IPS check box.

12. To enable Anti-Spyware on the zone, select Enable Anti-Spyware Service.

13. To enforce security policies for Global Security Clients on multiple interfaces in the same
Trusted or Public Zones, select Enforce Global Security Clients.

14. To automatically create a GroupVPN policy for this zone, select Create Group VPN.

15. For appliances running SonicOS Enhanced 4.0 or above, select the Enable SSL Control
check box to allow SSL Control in this zone. This check box is not active for the VPN or
Multicast zones.

16. For WLAN zones, see Configuring the WLAN Zone, page 226, for information about
configuring settings on the other tabs. For all other zones, click Update when you are
finished. The Zone is modified or added for the selected SonicWALL appliance. To clear all
settings and start over, click Reset.

Configuring Guest Services on Non-Wireless Zones


Trusted and Public Zone types offer the ability to configure guest services. To configure Guest
Services on a non-wireless zone, perform the following steps:

1. When the Security Type for a zone is selected as either Trusted or Public, the Guest
Services tab displays.

2. Select the Enable Guest Services checkbox.

3. Configure any of the following options:

• Enforce Guest Login over HTTPS - Requires guests to use HTTPS instead of HTTP
to access the guest services.
• Enable inter-guest communication - Allows guests connecting to SonicPoints in
this Zone to communicate directly and wirelessly with each other.
• Bypass AV Check for Guests - Allows guest traffic to bypass Anti-Virus protection.
• Enable External Guest Authentication - Requires guests connecting from the
device or network you select to authenticate before gaining access. This feature, based
on Lightweight Hotspot Messaging (LHM), is used for authenticating Hotspot users and
providing them parametrically bound network access.

Note

Refer to the SonicWALL Lightweight Hotspot Messaging technote available at
the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html
for complete configuration of the Enable External Guest Authentication feature.

• Custom Authentication Page - Redirects users to a custom authentication page
when they first connect to the zone. Click Configure to set up the custom authentication
page. Enter either a URL to an authentication page or a custom challenge statement in
the text field, and click OK.
• Post Authentication Page - Directs users to the page you specify immediately after
successful authentication. Enter a URL for the post-authentication page in the field.
• Bypass Guest Authentication - Allows the appliance to integrate into environments
already using some form of user-level authentication. This feature automates the Guest
Services authentication process, allowing users to reach Guest Services resources
without requiring authentication. This feature should only be used when unrestricted
Guest Services access is desired, or when another device upstream of the appliance is
enforcing authentication.
• Redirect SMTP traffic to - Redirects SMTP traffic incoming on this zone to an SMTP
server you specify. Select the address object to redirect traffic to.
• Deny Networks - Blocks traffic from the networks you name. Select the subnet,
address group, or IP address to block traffic from.
• Pass Networks - Automatically allows traffic through the zone from the networks you
select.
• Max Guests - Specifies the maximum number of guest users allowed to connect to
the zone. The default is 10.

4. Click OK to apply these settings to the zone.

Configuring the WLAN Zone


The Add Zone or Edit Zone screens for WLAN zones contain two tabs that are not available for
other zones. This section describes the settings on the Wireless and Guest Services tabs of the
Add or Edit Zone screens. For instructions about WLAN configuration settings on the General
tab, see Configuring Zones, page 223.
To configure specific wireless-zone settings:

Tip

226

1.

Select the global icon, a group, or a SonicWALL appliance.

2.

In the Network > Zones pages, click the Add New Zone or the Edit icon for the WLAN zone.

3.

Configure the settings on the General tab as described for other zones. To expose the
wireless-only tabs when adding a new zone, select Wireless for the Security Type.

4.

Click the Wireless tab.

5.

On the Wireless tab, select Only allow traffic generated by a SonicPoint to allow only
traffic from SonicWALL SonicPoints to enter the WLAN Zone interface. This allows
maximum security of your WLAN. Uncheck this opt
ion if you want to allow any traffic on your
WLAN Zone regardless of whether or not it is from a wireless connection.

Uncheck Only allow traffic generated by a SonicPoint and use the zone on a wired
interface to allow guest services on that interface.

SonicWALL GMS 7.0 Administrators Guide

Configuring Network Settings in SonicOS Enhanced

6.

Select SRA Enforcement to require that all traffic that enters into the WLAN Zone be
authenticated through a SonicWALL SRA appliance. If you select both SRA Enforcement,
and WiFiSec Enforcement, the Wireless zone will allow traffic authenticated by either a
SRA or an IPsec VPN.

7.

In the SRA Server list, select an address object to direct traffic to the SonicWALL SRA
appliance.

8.

In the SRA Service list, select the service or group of services you want to allow for clients
authenticated through the SRA.

9.

Select WiFiSec Enforcement to require that all traffic that enters into the WLAN Zone
interface be either IPsec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled,
all non-guest wireless clients connected to SonicPoints attached to an interface belonging
to a Zone on which WiFiSec is enforced are required to use the strong security of IPsec.
The VPN connection inherent in WiFiSec terminates at the WLAN GroupVPN, which you
can configure independently of WAN GroupVPN or other Zone GroupVPN instances. If
you select both WiFiSec Enforcement, and SRA Enforcement, the Wireless zone will allow
traffic authenticated by either a SRA or an IPsec VPN.

10. If you have enabled WiFiSec Enforcement, you can specify services that are allowed to

bypass the WiFiSec enforcement by checking WiFiSec Exception Service and then
selecting the service you want to exempt from WiFiSec enforcement.

11. If you have enabled WiFiSec Enforcement, you can select Require WiFiSec for

Site-to-Site VPN Tunnel Traversal to require WiFiSec security for all wireless connections
through the WLAN zone that are part of a site-to-site VPN.

12. Select Trust WPA traffic as WiFiSec to accept WPA as an allowable alternative to IPsec.

Both WPA-PSK (Pre-shared key) and WPA-EAP (Extensible Authentication Protocol using
an external 802.1x/EAP capable RADIUS server) will be supported on SonicPoints.

13. Under the SonicPoint Settings heading, select the SonicPoint Provisioning Profile you

want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects
to this zone, it will automatically be provisioned by the settings in the SonicPoint
Provisioning Profile, unless you have individually configured it with different settings.

14. Click the Guest Services tab. You can choose from the following configuration options for

Wireless Guest Services:

Enable Wireless Guest ServicesEnables guest services on the WLAN zone.


Enforce Guest Login over HTTPSRequires guests to use HTTPS instead of HTTP
to access the guest services.

SonicWALL GMS 7.0 Administrators Guide

227

Configuring Network Settings in SonicOS Enhanced

Enable inter-guest communicationAllows guests connecting to SonicPoints in


this WLAN Zone to communicate directly and wirelessly with each other.
Bypass AV Check for GuestsAllows guest traffic to bypass Anti-Virus protection.
Enable External Guest AuthenticationRequires guests connecting from the
device or network you selectto authenticate before gaining access. This feature, based
on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and
providing them parametrically bound network access.

Note

Refer to the SonicWALL Lightweight Hotspot Messaging technote available at


the SonicWALL documentation Web site
http://www.sonicwall.com/us/Support.html for complete configuration of the
Enable External Guest Authentication feature.

Custom Authentication Page - Redirects users to a custom authentication page when they first connect to a SonicPoint in the WLAN zone. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.

Post Authentication Page - Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.

Bypass Guest Authentication - Allows a SonicPoint running WGS to integrate into environments already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication. Use it only when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication; with neither condition met, it leaves the guest network without any access control.

Redirect SMTP traffic to - Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.

Deny Networks - Blocks traffic from the networks you name. Select the subnet, address group, or IP address to block traffic from.

Pass Networks - Automatically allows traffic through the WLAN zone from the networks you select.

Max Guests - Specifies the maximum number of guest users allowed to connect to the WLAN zone. The default is 10.

Enable Dynamic Address Translation (DAT) - Wireless Guest Services (WGS) provides spur-of-the-moment hotspot access to wireless-capable guests and visitors. For easy connectivity, WGS allows wireless users to associate, obtain IP settings from the SonicWALL appliance's Wireless DHCP services, and authenticate using any Web browser. Without DAT, if a WGS user is not a DHCP client but instead has static IP settings incompatible with the Wireless WLAN network settings, network connectivity is prevented until the user's settings change to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that allows the SonicWALL Wireless to support any IP addressing scheme for WGS users. For example, if the SonicWALL Wireless WLAN interface is configured with an address of 172.16.31.1, one WGS client has a static IP address of 192.168.0.10 and a default gateway of 192.168.0.1, and another has a static IP address of 10.1.1.10 and a gateway of 10.1.1.1, DAT enables network communication for both of these clients.
15. Click OK to apply these settings to the WLAN zone.


SonicWALL GMS 7.0 Administrators Guide

Configuring Network Settings in SonicOS Enhanced

Configuring DNS

Domain Name System (DNS) is the Internet standard for locating domain names and translating them into IP addresses. By default, the SonicWALL appliance inherits its DNS settings from the WAN Zone. To configure DNS, perform the following steps:

Note: Network > DNS is only available on appliances running SonicOS Enhanced.

1. Expand the Network tree and click DNS. The DNS page displays.

2. Select from the following:

To specify DNS server IP addresses manually, select Specify DNS Servers Manually and enter the IP addresses of the servers.

To inherit the DNS settings from the WAN Zone configuration, select Inherit DNS Settings Dynamically from WAN Zone.

3. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

DNS Rebinding Attack Prevention

DNS rebinding is a DNS-based attack on code embedded in web pages. Normally, requests from code embedded in a web page (JavaScript, Java and Flash) are bound by the browser's same-origin policy to the web site they originate from. A DNS rebinding attacker registers a domain that is delegated to a DNS server under the attacker's control and serves the name with a very short TTL: the first lookup returns the attacker's public server, and the next lookup rebinds the same name to an address on the victim's internal network. Because the host name has not changed, the browser treats the internal host as the same origin, and the attacker's script can scan the attacked network and perform other malicious activities through the victim's browser. The firewall counters this by logging, refusing or dropping DNS replies that resolve an outside name to a locally connected or routed subnet.
To configure DNS rebinding attack prevention, perform the following steps:

1. Select the Enable DNS Rebinding Attack Prevention checkbox.

2. From the Action pull-down menu, select an action to perform when a DNS rebinding attack is detected:

Log Attack

Log Attack & Return a Query Refused Reply

Log Attack & Drop DNS Reply

3. (Optional) From the Allowed Domains pull-down menu, select an FQDN Address Object/Group containing allowed domain names (for example, *.sonicwall.com) for which locally connected/routed subnets should be considered legal responses. Keep this list as small as possible: every name on it is exempt from the check, so a wildcard that is broader than necessary reopens the hole for any host the wildcard matches.
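The check this feature performs can be modelled in a few lines. The following Python is an added example written for this guide, not SonicOS code: the local subnets, the Allowed Domains patterns and the sample replies are constructed for the example, and the three action strings are the menu choices listed above. It classifies each A/AAAA answer, applies the selected action, and shows why a wildcard in Allowed Domains only matches names that end in the given suffix.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

# Constructed for this example: the subnets the firewall treats as locally
# connected or routed. A reply that resolves an outside name to one of these
# is the signature of a rebinding attempt.
LOCAL_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("fd00::/8"),
]

# Constructed stand-in for the "Allowed Domains" FQDN Address Object/Group.
# Patterns use the same wildcard form as the page's "*.sonicwall.com".
ALLOWED_DOMAINS = ["*.sonicwall.com", "sonicwall.com", "*.corp.example"]

# The three actions offered on the Action pull-down menu.
ACTION_LOG = "Log Attack"
ACTION_REFUSE = "Log Attack & Return a Query Refused Reply"
ACTION_DROP = "Log Attack & Drop DNS Reply"


@dataclass(frozen=True)
class DnsAnswer:
    """One A/AAAA record from a DNS reply passing through the firewall."""
    qname: str
    rdata: str
    ttl: int


def resolves_locally(rdata):
    """True when the answer address falls inside a locally connected/routed subnet."""
    ip = ipaddress.ip_address(rdata)
    return any(ip in net for net in LOCAL_SUBNETS)


def is_allowed(qname):
    """True when the name is covered by an Allowed Domains pattern (whole-name match,
    so '*.sonicwall.com' does not cover 'x.sonicwall.com.attacker.test')."""
    name = qname.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in ALLOWED_DOMAINS)


def classify(answer):
    """Return 'pass', 'pass-allowed' or 'rebinding' for a single answer record."""
    if not resolves_locally(answer.rdata):
        return "pass"                 # public address: nothing to protect
    if is_allowed(answer.qname):
        return "pass-allowed"         # split-horizon name the administrator allowed
    return "rebinding"                # outside name pointing at an inside address


def enforce(answer, action):
    """Apply the configured action. Returns a dict describing what the firewall does."""
    verdict = classify(answer)
    if verdict != "rebinding":
        return {"verdict": verdict, "forward": True, "rcode": "NOERROR", "log": None}
    log = f"DNS rebinding attempt: {answer.qname} -> {answer.rdata} (ttl={answer.ttl}s)"
    if action == ACTION_LOG:
        return {"verdict": verdict, "forward": True, "rcode": "NOERROR", "log": log}
    if action == ACTION_REFUSE:
        return {"verdict": verdict, "forward": False, "rcode": "REFUSED", "log": log}
    if action == ACTION_DROP:
        return {"verdict": verdict, "forward": False, "rcode": None, "log": log}
    raise ValueError(f"unknown action: {action!r}")


# Constructed sample replies: a benign public answer, a legitimate split-horizon
# answer for an allowed name, and two attacker rebinds whose 1-second TTL is
# what lets the name flip between the first and second lookup.
SAMPLE_REPLIES = [
    DnsAnswer("www.example.net", "93.184.216.34", 3600),
    DnsAnswer("intranet.sonicwall.com", "10.20.30.40", 300),
    DnsAnswer("cdn.attacker.test", "192.168.1.20", 1),
    DnsAnswer("ipv6.attacker.test", "fd12:3456::10", 1),
]


def audit(replies, action):
    """Run every reply through the policy and collect the log lines it produces."""
    return [r["log"] for r in (enforce(a, action) for a in replies) if r["log"]]


if __name__ == "__main__":
    for line in audit(SAMPLE_REPLIES, ACTION_REFUSE):
        print(line)
```

With Log Attack the rebinding reply is still forwarded to the client, so that action only gives you visibility; the Refused and Drop actions are the ones that actually stop the browser from reaching the inside host.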


Configuring Dynamic DNS

Dynamic DNS (DDNS) is a service, provided by various companies and organizations, that automatically updates a DNS record whenever the IP address behind it changes, without manual intervention. This allows network access using domain names rather than IP addresses, even when the target's IP address changes.
To configure Dynamic DNS on the SonicWALL security appliance, perform these steps:

1. Expand the Network tree and click Dynamic DNS. The Dynamic DNS page displays.

2. Click Add Dynamic DNS Profile. The Add Dynamic DNS Profile window is displayed.

3. Select the Provider from the pull-down list at the top of the page. This example uses DynDNS.org. DynDNS.org requires the selection of a service. This example assumes you have created a dynamic service record with DynDNS.org.

4. Enter a name to assign to the DDNS entry in the Profile Name field. This can be any value used to identify the entry in the Dynamic DNS Settings table.

5. If Enable this profile is checked, the profile is administratively enabled, and the SonicWALL security appliance takes the actions defined in the Online Settings section on the Advanced tab.

6. If Use Online Settings is checked, the profile is administratively online.

7. Enter your DynDNS.org username and password in the User Name and Password fields. These credentials are stored on the appliance and sent to the provider with every update, so where the provider offers them, prefer credentials limited to updating this host over the account that administers the whole domain.

8. Enter the fully qualified domain name (FQDN) of the hostname you registered with DynDNS.org in the Domain Name field. Make sure you provide the same hostname and domain as you configured.

9. Optionally, select a WAN interface in the Bound to pull-down menu to assign this DDNS profile to that specific WAN interface. This allows administrators who are configuring multiple-WAN load balancing to advertise a predictable IP address to the DDNS service. By default, this is set to ANY, which means the profile is free to use any of the WAN interfaces on the appliance. (The Bound to option is supported for appliances running SonicOS 5.6 and higher.)
10. When using DynDNS.org, select the Service Type from the pull-down list that corresponds to your type of service through DynDNS.org. The options are:

Dynamic - A free Dynamic DNS service.

Custom - A managed primary DNS solution that provides a unified primary/secondary DNS service and a web-based interface. Supports both dynamic and static IP addresses.

Static - A free DNS service for static IP addresses.

11. When using DynDNS.org, you may optionally select Enable Wildcard and/or configure an MX entry in the Mail Exchanger field. Check Backup MX if your DDNS provider allows for the specification of an alternative IP address for the MX record.

12. Click the Advanced tab. You can typically leave the default settings on this page.

13. The On-line Settings section provides control over what address is registered with the dynamic DNS provider. The options are:

Let the server detect IP Address - The dynamic DNS provider determines the IP address based upon the source address of the connection. This is the most common setting.

Automatically set IP Address to the Primary WAN Interface IP Address - This causes the SonicWALL device to assert its WAN IP address as the registered IP address, overriding auto-detection by the dynamic DNS server. Useful if detection is not working correctly.

Specify IP Address manually - Allows the IP address to be registered to be manually specified and asserted.

14. The Off-line Settings section controls what IP address is registered with the dynamic DNS service provider if the dynamic DNS entry is taken off-line locally (disabled) on the SonicWALL. The options are:

Do nothing - The default setting. This allows the previously registered address to remain current with the dynamic DNS provider.

Use the Off-Line IP Address previously configured at Provider's site - If your provider supports manual configuration of Off-Line Settings, you can select this option to use those settings when this profile is taken administratively offline.

Make Host Unknown - Unregisters the entry.

Specify IP Address manually - Manually specify the IP address.


15. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Address Objects

Note: Address objects are only supported in SonicOS Enhanced.

SonicOS Enhanced supports Address Objects, which can be a host, network, MAC address, or IP address range. An Address Object Group is a group of Address Objects or other Address Object Groups. Once defined, you can quickly establish NAT Policies, VPN Security Associations (SAs), firewall rules, and DHCP settings between Address Objects and Address Object Groups without individual configuration.
All SonicWALL appliances come with a group of pre-defined default network objects. These include subnets for each interface, interface IP addresses for each interface, management IP addresses, and more.
For appliances running SonicOS Enhanced, GMS supports paginated navigation and sorting by column header on the Address Objects screen. In either of the tables, you can click a column header to use for sorting. An arrow is displayed to the right of the selected column header. You can click the arrow to reverse the sorting order of the entries in the table.
You can perform the following tasks from the Address Objects page:

Creating an Address Object Group section on page 232

Creating an Address Object section on page 233

Deleting a Network Address Group or Object section on page 234

Creating an Address Object Group

To create an Address Object Group, perform the following steps:

1. Expand the Network tree and click Address Objects. The Address Objects page displays.

2. Scroll down and click Add New Group.

3. Enter a name for the Address Object Group in the Name field.

4. Select an object or group that will be a part of the Address Object Group and click the right arrow. Repeat for each object or group to add.

5. When you are finished, click OK.

Creating an Address Object

The Network > Address Objects page allows you to create address objects. You can create various kinds of address objects, including Host, Range, and Network. For a SonicWALL appliance running SonicOS Enhanced 3.5 or 4.0 (or higher), you can also create Fully Qualified Domain Name (FQDN) or MAC dynamic address objects. The FQDN and MAC address objects are available in the Address Objects pull-down lists in a number of other configuration screens, including Zones, SonicPoints, and Access Rules. These dynamic address objects are resolved to an IP address when used, either through the ARP cache (MAC objects) or through the DNS server of the SonicWALL (FQDN objects). A rule built on an FQDN object is only as trustworthy as the DNS answers the appliance receives, so point the appliance at DNS servers you control when you use FQDN objects in access rules.
To create an address object, perform the following steps:

1. Scroll to the bottom of the Address Objects page and click Add New Address Object.

2. Enter a name for the Address Object in the Name field.

3. Select the zone to which this Address Object will be assigned from the Zone Assignment list box.

4. Select from the following:

To specify an individual IP address, select Host from the Type pull-down menu and enter the IP address.

To specify an IP address range, select Range from the Type pull-down menu and enter the starting and ending IP addresses.

To specify a network, select Network from the Type pull-down menu and enter the IP address and subnet mask.

To specify a MAC address, select MAC from the Type pull-down menu and enter the MAC address.

To specify an FQDN, select FQDN from the Type pull-down menu and enter the host name.

5. When you are finished, click OK.

6. Repeat this procedure for each Address Object to add.

Modifying a Network Address Group or Object

To modify a network address group or object, perform the following steps:

1. Go to the Network > Address Objects page.

2. Click the Edit icon next to the selected address group or object.

3. Modify the settings and click OK.

Deleting a Network Address Group or Object

GMS enables you to delete a single address group or object, or to select several objects at a time and delete them together. To delete network address groups or objects, perform the following steps:

1. Go to the Network > Address Objects page.

2. Click the Trash can icon of the selected address group or object.

Configuring NAT Policies

Note: The NAT Policies page is only supported in SonicOS Enhanced.

SonicWALL appliances support Network Address Translation (NAT). NAT is the automated translation of IP addresses between different networks. For example, a company might use private IP addresses on a LAN that are represented by a single IP address on the WAN side of the SonicWALL appliance.
SonicWALL appliances support two types of NAT:

Address-to-Address Translation - Local addresses are matched to public IP addresses. For example, the private IP address 10.50.42.112 might be mapped to the public IP address 132.22.3.2.

Port Translation or Network Address Port Translation (NAPT) - Local addresses are dynamically matched to public IP address/port combinations (standard TCP ports). For example, the private IP address 192.168.102.12 might be mapped to the public IP address 48.12.11.1 using port 2302.

Note: IP address/port combinations are dynamic and not preserved for new connections. For example, the first connection for an IP address might use port 2302, but the second connection might use 2832.

Common Types of Mapping

SonicWALL supports several types of address mapping. These include:

One-to-One Mapping - One local IP address is mapped to one public IP address using Address-to-Address translation.

Many-to-One Mapping - Many local IP addresses are mapped to a single public IP address using NAPT.

Many-to-Many Mapping - Many local IP addresses are mapped to many public IP addresses. If the number of public IP addresses is greater than or equal to the number of local IP addresses, the SonicWALL appliance uses Address-to-Address translation. If the number of public IP addresses is less than the number of local IP addresses, the SonicWALL appliance uses NAPT. For example, if there are 10 private IP addresses and 5 public IP addresses, two private IP addresses will be assigned to each public IP address using NAPT.

SonicWALL NAT Policy Fields

When configuring a NAT Policy, you configure a group of settings that specify how the IP address originates and how it will be translated. Additionally, you can apply a group of filters that allow you to apply different policies to specific services and interfaces.

Original Source - Used to remap IP addresses based on the source address, this field specifies an Address Object that can consist of an IP address or IP address range. This field can also be used as a filter.

Translated Source - Specifies the IP address or IP address range to which the original source will be mapped.

Original Destination - Used to remap IP addresses based on the destination address, this field specifies an Address Object that can consist of an IP address or IP address range. This field can also be used as a filter.

Translated Destination - Specifies the IP address or IP address range to which the original destination will be mapped.

Original Service - Used to filter traffic by service, this field specifies a Service Object that can be a single service or group of services.

Translated Service - Specifies the service or port to which the original service will be remapped.

Source Interface - Filters source addresses by interface.

Destination Interface - Filters destination addresses by interface.

Match a policy as narrowly as the traffic requires: a policy whose Original Source, Original Destination and Original Service are all Any translates every flow that crosses the selected interfaces, including flows you did not intend to expose.

Common NAT Configuration Types

The following sections describe common NAT configuration types:

One-to-One Mapping section on page 236

Many-to-One Mapping section on page 236

Many-to-Many Mapping section on page 236


One-to-One Mapping
To configure one-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP address in the Original Source field and the public IP address that it will use to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

Note: If you map more than one private IP address to the same public IP address, the private IP addresses will automatically be configured for port mapping or NAPT.

To configure one-to-one mapping from the public network to the private network, select the Address Object that corresponds to the public network IP address in the Original Destination field and the private IP address of the server in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface. For an inbound policy, restrict the Original Service to the ports the server actually publishes; a policy that translates every service exposes the whole host rather than the intended application.

Note: If you map one public IP address to more than one private IP address, the public IP address will be mapped to the first private IP address. Load balancing is not supported. Additionally, you must set the Original Source to Any.

Many-to-One Mapping
To configure many-to-one mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP address that they will use to reach the Internet in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

Note: You can also specify Any in the Original Source field and the Address Object of the WAN interface IP in the Translated Source field.

Many-to-Many Mapping
To configure many-to-many mapping from the private network to the public network, select the Address Object that corresponds to the private network IP addresses in the Original Source field and the public IP addresses to which they will be mapped in the Translated Source field. Leave the other fields alone, unless you want to filter by service or interface.

Note: If the IP address range specified in the Original Source is larger than the Translated Source, the SonicWALL appliance will use port mapping or NAPT. If the Translated Source is equal to or larger than the Original Source, addresses will be individually mapped.

To configure many-to-many mapping from the public network to the private network, select the Address Object that corresponds to the public network IP addresses in the Original Destination field and the IP addresses on the private network in the Translated Destination field. Leave the other fields alone, unless you want to filter by service or interface.

Note: If the IP address range specified in the Original Destination is smaller than the Translated Destination, the original addresses are individually mapped to the first IP addresses in the translated range, and the remaining translated addresses are not used. If the Translated Destination is equal to or smaller than the Original Destination, addresses will be individually mapped.
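The following Python is an added example, not SonicOS code, that makes the rules in the notes above concrete. It expands the Original and Translated address objects, decides between address-to-address translation and NAPT by comparing their sizes (the 10-private-to-5-public case from Common Types of Mapping), maps an inbound public address to the first private address only, and shows why NAPT port assignments are not preserved from one connection to the next. The address-object syntax it accepts ('a-b' for a range, 'a/len' for a network) and the NaptTable class are this example's own conventions.

```python
import ipaddress
import random
from itertools import cycle


def expand(address_object):
    """Expand an Address Object written as a host ('10.0.0.5'), a range
    ('10.0.0.5-10.0.0.9') or a network ('10.0.0.0/29') into IPv4 addresses."""
    if "-" in address_object:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in address_object.split("-"))
        return [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]
    if "/" in address_object:
        return list(ipaddress.ip_network(address_object, strict=False).hosts())
    return [ipaddress.ip_address(address_object)]


def plan_source_nat(original_source, translated_source):
    """Decide how an outbound policy maps Original Source onto Translated Source.
    Returns (mode, mapping): 'address-to-address' when there are at least as
    many public as private addresses, otherwise 'napt'."""
    private = expand(original_source)
    public = expand(translated_source)
    if len(public) >= len(private):
        return "address-to-address", dict(zip(private, public))
    # Fewer public than private addresses: spread the private hosts over the
    # public pool (10 private over 5 public gives two private per public).
    return "napt", dict(zip(private, cycle(public)))


def plan_destination_nat(original_destination, translated_destination):
    """Inbound policy: one public address maps to the first private address only
    (no load balancing); a range maps one-to-one as far as it reaches."""
    public = expand(original_destination)
    private = expand(translated_destination)
    return dict(zip(public, private))


class NaptTable:
    """Per-connection port allocation for NAPT. Public ports are chosen
    dynamically, so two connections from one host get unrelated ports."""

    def __init__(self, rng=None, low=1024, high=65535):
        self.rng = rng or random.Random()
        self.low, self.high = low, high
        self.forward = {}   # (priv_ip, priv_port, dst) -> (pub_ip, pub_port)
        self.reverse = {}   # (pub_ip, pub_port, dst) -> (priv_ip, priv_port)

    def translate(self, priv_ip, priv_port, dst, pub_ip):
        """Return the public (ip, port) used for this flow, allocating one if new."""
        key = (priv_ip, priv_port, dst)
        if key in self.forward:
            return self.forward[key]      # an existing flow keeps its port
        for _ in range(64):
            pub_port = self.rng.randint(self.low, self.high)
            if (pub_ip, pub_port, dst) not in self.reverse:
                break
        else:
            raise RuntimeError("no free port on " + str(pub_ip))
        self.forward[key] = (pub_ip, pub_port)
        self.reverse[(pub_ip, pub_port, dst)] = (priv_ip, priv_port)
        return pub_ip, pub_port

    def untranslate(self, pub_ip, pub_port, dst):
        """Map a returning packet back to its private endpoint, or None if no flow exists."""
        return self.reverse.get((pub_ip, pub_port, dst))


if __name__ == "__main__":
    mode, mapping = plan_source_nat("192.168.102.0/24", "48.12.11.1-48.12.11.5")
    print(mode, len(mapping), "private hosts on", len(set(mapping.values())), "public addresses")
```

The untranslate lookup is also why unsolicited inbound packets to a NAPT address go nowhere: without a matching flow in the table there is no private endpoint to deliver them to.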


NAT Load Balancing and Probing

NAT load balancing provides the ability to balance incoming traffic across multiple, similar network resources. Load balancing distributes traffic among similar network resources so that no single server becomes overwhelmed, allowing for reliability and redundancy. If one server becomes unavailable, traffic is routed to available resources, providing maximum uptime.
With probing enabled, the SonicWALL uses one of two methods to probe the addresses in the load-balancing group: either a simple ICMP ping query or a TCP socket open query, to determine whether the resource is alive. Per the configurable intervals, the SonicWALL can direct traffic away from a non-responding resource, and return traffic to the resource once it has begun to respond again. A TCP probe against the service port is the better check for a server, since a host can still answer ping while the service itself is down.

NAT Load Balancing Methods

NAT load balancing is configured on the Advanced tab of a NAT policy.
SonicOS offers the following NAT methods:

Sticky IP - The source IP always connects to the same destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism, and is recommended for most deployments.

Round Robin - The source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.

Block Remap/Symmetrical Remap - These two methods are useful when you know the source IP addresses/networks (for example, when you want to precisely control how traffic from one subnet is translated to another).

Random Distribution - The source IP connects to a destination IP at random. This method is useful when you wish to randomly spread traffic across internal resources.

For more information about NAT Load Balancing, see the SonicOS Enhanced 4.0 Administrators Guide.


Configuring NAT Policies

To configure NAT Policies on a unit running SonicOS Enhanced, perform the following steps:

1. Expand the Network tree and click NAT Policies. The NAT Policies page displays.

2. To edit an existing policy, click its Edit icon. To add a new policy, click Add NAT Policy.

3. Configure the following:

Original Source - Used to remap IP addresses based on the source address, this field specifies an Address Object that can consist of an IP address or IP address range.

Translated Source - Specifies the IP address or IP address range to which the original source will be mapped.

Original Destination - Used to remap IP addresses based on the destination address, this field specifies an Address Object that can consist of an IP address or IP address range.

Translated Destination - Specifies the IP address or IP address range to which the original destination will be mapped.

Original Service - Used to filter traffic by service, this field specifies a Service Object that can be a single service or group of services.

Translated Service - Specifies the service or port to which the original service will be remapped.

Source Interface - Filters source addresses by interface.

Destination Interface - Filters destination addresses by interface.

4. To enable the NAT policy, select the Enable check box.

5. Add any comments to the Comments field.

6. If you selected an Address Group Object for any of the pull-down lists on the General tab, you can make changes on the Advanced tab. Click the Advanced tab.

7. Select the NAT method from the NAT Method pull-down list. For information on the available methods, see NAT Load Balancing Methods on page 237.

8. Optionally select the Enable Probing checkbox and make desired changes to the following fields:

Probe host every ... seconds - Indicates how often to probe the addresses in the load-balancing group.

Probe Type - Specifies whether to use Ping (ICMP) or TCP (checks that a socket can be opened) for probing.

Port - Specifies the port that the probe will use, such as TCP port 80 for a Web server.

Reply time out - Specifies the number of seconds to wait for a reply to the probe.

Deactivate host after ... missed intervals - Specifies the number of reply time outs before deciding that the host is unreachable.

Reactivate host after ... successful intervals - Specifies the number of replies received before deciding that the host is available for load balancing again.

9. When you are finished, click Update. The policy is added and you are returned to the NAT Policies screen.
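An added Python example, not SonicOS code, covering both the NAT Load Balancing Methods section above and the probing fields in step 8: a ProbeTracker applies the "deactivate after N missed intervals" and "reactivate after M successful intervals" thresholds, and a NatLoadBalancer picks a backend with the Sticky IP, Round Robin or Random Distribution method from the hosts currently alive. The backend addresses and the probe schedule are constructed for the example; Block Remap and Symmetrical Remap are not modelled.

```python
import random
import socket
import zlib
from itertools import count


class ProbeTracker:
    """Applies the Advanced-tab thresholds: a host is deactivated after
    `deactivate_after` consecutive missed intervals and reactivated after
    `reactivate_after` consecutive successful ones."""

    def __init__(self, hosts, deactivate_after=3, reactivate_after=3):
        self.hosts = list(hosts)
        self.deactivate_after = deactivate_after
        self.reactivate_after = reactivate_after
        self.alive = {h: True for h in self.hosts}
        self.streak = {h: 0 for h in self.hosts}  # consecutive misses (alive) or successes (down)

    def record(self, host, responded):
        """Feed one interval's probe result for `host`; returns the host's new alive state."""
        if self.alive[host]:
            self.streak[host] = 0 if responded else self.streak[host] + 1
            if self.streak[host] >= self.deactivate_after:
                self.alive[host], self.streak[host] = False, 0
        else:
            self.streak[host] = self.streak[host] + 1 if responded else 0
            if self.streak[host] >= self.reactivate_after:
                self.alive[host], self.streak[host] = True, 0
        return self.alive[host]

    def live_hosts(self):
        return [h for h in self.hosts if self.alive[h]]


def tcp_probe(host, port, timeout=2.0):
    """The TCP probe type: succeeds only if a socket to the service port opens.
    Not exercised by the sample run below, which replays recorded results."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class NatLoadBalancer:
    """Picks a backend the way Sticky IP, Round Robin and Random Distribution do."""

    def __init__(self, tracker, method="sticky", rng=None):
        self.tracker = tracker
        self.method = method
        self.rng = rng or random.Random()
        self.sticky = {}          # source IP -> backend chosen for it
        self.counter = count()

    def pick(self, src_ip):
        live = self.tracker.live_hosts()
        if not live:
            return None           # every backend failed probing
        if self.method == "sticky":
            host = self.sticky.get(src_ip)
            if host is None or host not in live:   # first flow, or its backend died
                host = live[zlib.crc32(src_ip.encode()) % len(live)]
                self.sticky[src_ip] = host
            return host
        if self.method == "round-robin":
            return live[next(self.counter) % len(live)]
        if self.method == "random":
            return self.rng.choice(live)
        raise ValueError(f"unknown method: {self.method!r}")


# Constructed sample: three web servers behind one public address, probed on
# TCP/80 every interval; the second server stops answering for three intervals.
BACKENDS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
PROBE_RESULTS = {   # interval -> {host: responded}
    1: {"10.0.0.11": True, "10.0.0.12": True, "10.0.0.13": True},
    2: {"10.0.0.11": True, "10.0.0.12": False, "10.0.0.13": True},
    3: {"10.0.0.11": True, "10.0.0.12": False, "10.0.0.13": True},
    4: {"10.0.0.11": True, "10.0.0.12": False, "10.0.0.13": True},  # .12 deactivated here
    5: {"10.0.0.11": True, "10.0.0.12": True, "10.0.0.13": True},
    6: {"10.0.0.11": True, "10.0.0.12": True, "10.0.0.13": True},
    7: {"10.0.0.11": True, "10.0.0.12": True, "10.0.0.13": True},   # .12 reactivated here
}


def simulate(method="sticky", client="198.51.100.7"):
    """Replay the probe schedule; returns {interval: (backend chosen, live hosts)}."""
    tracker = ProbeTracker(BACKENDS, deactivate_after=3, reactivate_after=3)
    balancer = NatLoadBalancer(tracker, method, rng=random.Random(1))
    picks = {}
    for interval in sorted(PROBE_RESULTS):
        for host, responded in PROBE_RESULTS[interval].items():
            tracker.record(host, responded)
        picks[interval] = (balancer.pick(client), tracker.live_hosts())
    return picks


if __name__ == "__main__":
    for interval, (backend, live) in simulate("sticky").items():
        print(interval, backend, live)
```

Note the asymmetry the thresholds create: a backend keeps receiving new connections through the intervals it has already missed until the deactivate count is reached, so the probe interval multiplied by that count is the longest a failed server stays in rotation.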

Configuring Web Proxy Forwarding Settings

A Web proxy server intercepts HTTP requests and determines if it has stored copies of the requested Web pages. If it does not, the proxy completes the request to the server on the Internet, returning the requested information to the user and also saving it locally for future requests.
Setting up a Web proxy server on a network can be cumbersome, because each computer on the network must be configured to direct Web requests to the server.
If there is a proxy server on the SonicWALL appliance's network, you can move the SonicWALL appliance between the network and the proxy server, and enable Web Proxy Forwarding. This forwards all WAN requests to the proxy server without requiring the computers to be individually configured.
To configure Web Proxy Forwarding settings, perform the following steps:

1. Expand the Network tree and click Web Proxy. The Web Proxy page displays.

2. Enter the name or IP address of the proxy server in the Proxy Web Server field.

3. Enter the proxy IP port in the Proxy Web Server Port field.

4. To bypass the proxy server if a failure occurs, select the Bypass Proxy Servers Upon Proxy Server Failure check box. When this option is selected and the proxy fails, clients reach the Internet directly, so any filtering or logging the proxy performs is lost until it recovers.

5. If you have clients configured on the DMZ, select the Forward DMZ Client Requests to Proxy Server check box.

6. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Routing in SonicOS Enhanced

If you have routers on your interfaces, you can configure the SonicWALL appliance to route network traffic to specific predefined destinations. Static routes must be defined if the network connected to an interface is segmented into subnets, either for size or practical considerations. For example, a subnet can be created to isolate a section of a company, such as finance, from network traffic on the rest of the LAN, DMZ, or WAN.
To add static routes, perform the following steps:

1. Expand the Network tree and click Routing. The Routing page displays.

2. Click Add Route Policy.

3. Select the source address object from the Source list box.

4. Select the destination address object from the Destination list box.

5. Specify the type of service that will be routed from the Service list box.

6. Select the address object that will act as a gateway for packets matching these settings.

7. Select the interface through which these packets will be routed from the Interface list box.

8. Specify the RIP metric in the Metric field.

9. Type a descriptive comment into the Comment field.

10. For appliances running SonicOS Enhanced 4.0 and above, optionally select the Disable route when the interface is disconnected checkbox.

11. For appliances running SonicOS Enhanced 4.0 and above, select the Allow VPN path to take precedence checkbox to allow a matching VPN network to take precedence over the static route when the VPN tunnel is up.

12. When you are finished, click Update. The route settings are configured for the selected SonicWALL appliance(s). To clear all screen settings and start over, click Reset.

Probe-Enabled Policy Based Routing Configuration

For appliances running SonicOS Enhanced 5.5 and above, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.

1. In the Probe pull-down menu, select the appropriate Network Monitor object or select Create New Network Monitor object... to dynamically create a new object. For more information, see Configuring Network Monitor on page 256.

2. Typical configurations do not check the Disable route when probe succeeds checkbox, because administrators usually want to disable a route when a probe to the route's destination fails. This option is provided to give administrators added flexibility for defining routes and probes.

3. Select Probe default state is UP to have the route consider the probe to be successful (that is, in the UP state) when the attached Network Monitor policy is in the UNKNOWN state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from IDLE to ACTIVE, because this transition sets all Network Monitor policy states to UNKNOWN. Without this option, every probe-controlled route on the newly active unit stays disabled until its first probe completes.

4. Click Update to apply the configuration.

Configuring RIP in SonicOS Enhanced

Routing Information Protocol (RIP) is a distance-vector routing protocol that is commonly used in small homogeneous networks. Using RIP, a router periodically sends its entire routing table to its closest neighbor, which passes the information to its next neighbor, and so on. Eventually, all routers within the network have the information about the routing paths. When attempting to route packets, a router checks the routing table and selects the path that requires the fewest hops.
SonicWALL appliances support RIPv1 or RIPv2 to advertise their static and dynamic routes to other routers on the network. Changes in the status of VPN tunnels between the SonicWALL and remote VPN gateways are also reflected in the RIPv2 advertisements. Choose between RIPv1 and RIPv2 based on your routers' capabilities or configuration. RIPv1 is an earlier version of the protocol that has fewer features, and it also sends packets via broadcast instead of multicast. RIPv2 packets are backwards-compatible and can be accepted by some RIPv1 implementations that provide an option of listening for multicast packets. The RIPv2 Enabled (broadcast) selection broadcasts packets instead of multicasting them, and is for heterogeneous networks with a mixture of RIPv1 and RIPv2 routers. Only RIPv2 supports authentication of advertisements, so prefer it wherever the neighbors can speak it: an unauthenticated RIP listener accepts routes from any host on the segment.
To configure RIP, perform the following steps:

1. Expand the Network tree and click RIP (ENH). The RIP (ENH) page displays.

2. Click the Edit icon for an interface. The Edit Route Advertising Settings dialog box displays.

3. Select the RIP version from the RIP Advertisements list box:

RIPv1 Enabled - The first version of RIP.

RIPv2 Enabled (multicast) - Sends route advertisements using multicasting (a single data packet to specific nodes on the network).

RIPv2 Enabled (broadcast) - Sends route advertisements using broadcasting (a single data packet to all nodes on the network).

4. In the Advertise Default Route menu, select Never, When WAN is up, or Always.

5. To advertise static routes that you specified on the Routes page, select the Advertise Static Routes check box.

6. To advertise remote VPN networks that you specified on the Routes page, select the Advertise Remote VPN Networks check box.

7. To set the amount of time between a VPN tunnel state change and the time the change is advertised, enter a value in the Route Change Damp Time field (default: 30 seconds).

8. To specify the number of advertisements that are sent after a route is deleted, enter a value in the Deleted Route Advertisements field (default: 5 advertisements).

9. By default, the connection between this router and its neighbor counts as one hop. However, there are cases where you want to discourage or reduce the use of this route by adding additional hops. To change the hop count of this route, enter the number of hops in the Route Metric field.

10. Optional. If RIPv2 is selected from the RIP Advertisements list box, you can enter a value for the Route Tag. This value is implementation-dependent and provides a mechanism for routers to classify the originators of RIPv2 advertisements.

11. Optional. Select from the following RIPv2 Authentication options:

User Defined - Enter 4 hex digits in the Authentication Type field and 32 hex digits in the Authentication Data field.

Cleartext Password - Enter a password (16 characters or less) in the Authentication Password field. The password travels in every advertisement in the clear, so this option only guards against accidental misconfiguration; anyone who can capture traffic on the segment can read it and inject routes.

MD5 Digest - Enter a numerical value from 0-255 in the Authentication Key-Id field. Enter a 32 hex digit value for the Authentication Key field, or use the generated key. This is the option to use when the neighbors support it: the key never appears on the wire, and each advertisement carries a keyed digest and a sequence number that the receiver checks.
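An added Python example, not SonicOS code, that shows what the Cleartext Password and MD5 Digest options put on the wire. It builds a RIPv2 response carrying two constructed routes, once with the RFC 2453 cleartext authentication entry and once with the RFC 2082 keyed-MD5 entry and trailer, then verifies the MD5 form the way a receiver does, including the Key-Id lookup, the digest comparison and the sequence-number replay check. The route list and the secrets are constructed for the example; the User Defined option is not modelled.

```python
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_VERSION_2 = 2, 2
AFI_AUTH = 0xFFFF          # address family that marks an authentication entry
AUTH_CLEARTEXT, AUTH_MD5 = 2, 3

# Constructed sample advertisement: two routes as the RIP (ENH) page would emit
# them, with Route Metric and Route Tag values from steps 9 and 10.
ROUTES = [  # (prefix, mask, next hop, metric, route tag)
    ("10.20.0.0", "255.255.0.0", "0.0.0.0", 1, 0),
    ("10.30.0.0", "255.255.0.0", "0.0.0.0", 2, 0),
]


def _ip(text):
    return bytes(int(o) for o in text.split("."))


def _entries():
    # RFC 2453 route entry: AFI=2 (IP), tag, prefix, mask, next hop, metric
    return b"".join(struct.pack("!HH4s4s4sI", 2, tag, _ip(p), _ip(m), _ip(nh), met)
                    for p, m, nh, met, tag in ROUTES)


def _header():
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION_2, 0)


def _key16(secret):
    return secret.encode()[:16].ljust(16, b"\0")   # both schemes carry at most 16 bytes


def build_cleartext(password):
    """Response with the 'Cleartext Password' option: the password is the first entry, unencrypted."""
    return _header() + struct.pack("!HH16s", AFI_AUTH, AUTH_CLEARTEXT, _key16(password)) + _entries()


def password_from_wire(packet):
    """What a sniffer on the segment recovers from a cleartext-authenticated packet."""
    afi, atype, pw = struct.unpack("!HH16s", packet[4:24])
    return pw.rstrip(b"\0").decode() if (afi, atype) == (AFI_AUTH, AUTH_CLEARTEXT) else None


def build_md5(secret, key_id, seq):
    """Response with the 'MD5 Digest' option as RFC 2082 lays it out: a leading
    auth entry (key id, digest length, sequence number) and a trailer carrying
    MD5 over the packet with the 16-byte key appended in place of the digest."""
    body = _entries()
    pkt_len = 4 + 20 + len(body)                 # offset of the trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq)
    packet = _header() + auth + body + struct.pack("!HH", AFI_AUTH, 1)
    return packet + hashlib.md5(packet + _key16(secret)).digest()


def verify_md5(packet, keys, last_seq=None):
    """Receiver check for an MD5-authenticated packet. `keys` maps Key-Id -> secret.
    Returns (accepted, sequence number)."""
    if len(packet) < 4 + 20 + 4 + 16:
        return False, None
    afi, atype, pkt_len, key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if (afi, atype, dlen) != (AFI_AUTH, AUTH_MD5, 16) or pkt_len + 20 != len(packet):
        return False, None
    if struct.unpack("!HH", packet[pkt_len:pkt_len + 4]) != (AFI_AUTH, 1):
        return False, None
    secret = keys.get(key_id)
    if secret is None:
        return False, None                      # unknown Key-Id: cannot authenticate
    expected = hashlib.md5(packet[:pkt_len + 4] + _key16(secret)).digest()
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
        return False, None                      # tampered, or wrong key
    if last_seq is not None and seq < last_seq:
        return False, seq                       # replayed advertisement
    return True, seq


def tamper(packet, offset, value):
    """Overwrite one byte, as an on-path attacker editing a metric or prefix would."""
    return packet[:offset] + bytes([value]) + packet[offset + 1:]
```

Both forms keep the same 16-byte limit on the secret, which is why the Authentication Key field takes 32 hex digits; the difference is that with MD5 an attacker who captures the packet learns the digest and the sequence number but not the key, and cannot forge a later advertisement without it.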

12. When you are finished, click Update. The settings are changed for the SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Advanced Routing for Tunnel Interfaces


For appliances running SonicOS versions 5.6 and higher, VPN Tunnel Interfaces can be
configured for advanced routing. To do so, you must enable advanced routing for the tunnel
interface on the Advanced tab of its configuration. See the Generic VPN Configuration in
SonicOS Enhanced section on page 475 for more information.
After you have enabled advanced routing for a Tunnel Interface, it is displayed in the list with
the other interfaces in the Advanced Routing table on the Network > RIP (ENH) page.
The RIP configurations for Tunnel Interfaces are very similar to the configurations for traditional
interfaces with the addition of two new options that are listed at the bottom of the RIP
configuration window under a new Global Unnumbered Configuration heading.

Global Unnumbered Configuration


Because Tunnel Interfaces are not physical interfaces and have no inherent IP address, they
must borrow the IP address of another interface. Therefore, the advanced routing
configuration for a Tunnel Interface includes the following options for specifying the source and
destination IP addresses for the tunnel:

Note: The borrowed IP address must be a static IP address.

IP Address Borrowed From - The interface whose IP address is used as the source IP address for the Tunnel Interface.

Remote IP Address - The IP address of the remote peer to which the Tunnel Interface is connected. In the case of a SonicWALL-to-SonicWALL configuration with another Tunnel Interface, this should be the IP address of the borrowed interface of the Tunnel Interface on the remote peer.

The IP Address Borrowed From and Remote IP Address values apply to RIP for the Tunnel Interface.

Guidelines for Configuring Tunnel Interfaces for Advanced Routing


The following guidelines will ensure success when configuring Tunnel Interfaces for advanced
routing:

The borrowed interface must have a static IP address assignment.

The borrowed interface cannot have RIP enabled on its configuration.

SonicWALL recommends creating a VLAN interface that is dedicated solely for use as the borrowed interface. This avoids conflicts when using wired connected interfaces.

The IP address of the borrowed interface should be from a private address space, and should have a unique IP address in respect to any remote Tunnel Interface endpoints.

The Remote IP Address of the endpoint of the Tunnel Interface should be in the same network subnet as the borrowed interface.

The same borrowed interface may be used for multiple Tunnel Interfaces, provided that the Tunnel Interfaces are all connected to different remote devices.

When more than one Tunnel Interface on an appliance is connected to the same remote device, each Tunnel Interface must use a unique borrowed interface.

Depending on the specific circumstances of your network configuration, these guidelines may not be essential to ensure that the Tunnel Interface functions properly. But these guidelines are SonicWALL best practices that will avoid potential network connectivity issues.

Configuring IP Helper
The IP Helper allows the SonicWALL to forward DHCP requests originating from the interfaces on a SonicWALL to a centralized DHCP server on behalf of the requesting client. IP Helper is used extensively in routed VLAN environments where a DHCP server is not available for each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP server itself. The IP Helper also allows NetBIOS broadcasts to be forwarded with DHCP client requests.

Note: IP Helper is only supported in SonicOS Enhanced.

To enable IP Helper and add an IP Helper policy, perform the following steps:

1. Expand the Network tree and click IP Helper. The IP Helper page displays.

2. Select the Enable IP Helper check box.

For appliances running SonicOS Enhanced versions lower than 5.5, you can also configure DHCP and NetBIOS support:

3. To enable DHCP support, select Enable DHCP Support.

4. To enable NetBIOS support, select Enable NetBIOS Support.


Configuring Relay Protocols


Appliances running SonicOS Enhanced versions 5.5 and higher support Enhanced IP Helper, which offers configurable Relay Protocols. The following built-in applications are included:

DHCP - UDP port number 67/68

Net-Bios NS - UDP port number 137

Net-Bios Datagram - UDP port number 138

DNS - UDP port number 53

Time Service - UDP port number 37

Wake on LAN (WOL)

mDNS - UDP port number 5353; multicast address 224.0.0.251

To enable any of these protocols, select the Enable checkbox and click Update.
To configure additional protocols, perform the following steps:

1. Click Add Relay Protocol. The Add IP Helper Application window displays.

2. Configure the following options:

Name - The name of the protocol. Note that names are case sensitive and must be unique.

Port 1/2 - The unique UDP port number.

Translate IP - Translation of the source IP while forwarding a packet.

Timeout - IP Helper cache timeout in seconds, in increments of 10.

Raw Mode - Unidirectional forwarding that does not create an IP Helper cache. This is suitable for most of the user-defined protocols that are used for discovery, for example WOL/mDNS.

3. Click Update.


Configuring IP Helper Policies


1. To add an IP Helper Policy, click Add IP Helper Policy. The Add IP Helper dialog box displays.

2. The policy is enabled by default. To configure the policy without enabling it, clear the Enabled check box.

3. Select DHCP or NetBIOS from the Protocol menu.

4. Select a source Interface or Zone from the From menu.

5. Select a destination IP address or subnet from the To menu.

6. Enter an optional comment in the Comment field.

7. Click OK to add the policy to the IP Helper Policies table.

8. Repeat this procedure for each policy to add. To delete a policy, click the trash can icon next to the policy.

9. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring ARP
ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC
addresses) to enable communications between hosts residing on the same subnet. ARP is a
broadcast protocol that can create excessive amounts of network traffic on your network. To
minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously
learned ARP information.


To configure ARP, perform the following steps:

1. Expand the Network tree and click ARP. The ARP page displays.

Static ARP Entries


The Static ARP feature allows static mappings to be created between layer 2 MAC addresses and layer 3 IP addresses, and also provides the following capabilities:

Publish Entry - Enabling the Publish Entry option in the Add Static ARP window causes the SonicWALL device to respond to ARP queries for the specified IP address with the specified MAC address. This can be used, for example, to have the SonicWALL device reply for a secondary IP address on a particular interface by adding the MAC address of the SonicWALL. See the Secondary Subnet section that follows.

Bind MAC Address - Enabling the Bind MAC Address option in the Add Static ARP window binds the MAC address specified to the designated IP address and interface. This can be used to ensure that a particular workstation (as recognized by the network card's unique MAC address) can only be used on a specified interface on the SonicWALL. Once the MAC address is bound to an interface, the SonicWALL will not respond to that MAC address on any other interface. It will also remove any dynamically cached references to that MAC address that might have been present, and it will prohibit additional (non-unique) static mappings of that MAC address.


Update IP Address Dynamically - The Update IP Address Dynamically setting in the Add Static ARP window is a sub-feature of the Bind MAC Address option. This allows a MAC address to be bound to an interface when DHCP is being used to dynamically allocate IP addressing. Enabling this option grays out the IP Address field, and populates the ARP Cache with the IP address allocated by the SonicWALL's internal DHCP server, or by the external DHCP server if IP Helper is in use.
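The Publish Entry and Bind MAC Address behaviours described above, modelled as a small ARP table. This is an added illustration, not SonicWALL code; the interface names (X0, X1, X2) and all addresses are constructed sample values.

```python
"""Model of the Static ARP "Publish Entry" and "Bind MAC Address" semantics.

Added illustration, not SonicOS code. Shows what binding a MAC to an interface
does to existing dynamic entries, to later ARP learning on other interfaces,
and to further static mappings of the same MAC. Sample data is constructed.
"""
from dataclasses import dataclass


@dataclass
class ArpEntry:
    ip: str
    mac: str
    iface: str
    static: bool = False      # user-created static mapping
    published: bool = False   # appliance answers ARP queries for this IP
    bound: bool = False       # MAC may only be used on this interface


class ArpTable:
    def __init__(self):
        self.entries = []

    def _bound_iface(self, mac):
        """Interface a MAC is bound to, or None if it is not bound."""
        for e in self.entries:
            if e.bound and e.mac.lower() == mac.lower():
                return e.iface
        return None

    def learn(self, ip, mac, iface):
        """Dynamic learning from an ARP request/response seen on iface.
        A MAC bound to a different interface is not accepted there."""
        bound = self._bound_iface(mac)
        if bound is not None and bound != iface:
            return False
        # a fresh dynamic entry replaces any older dynamic entry for the IP
        self.entries = [e for e in self.entries
                        if not (e.ip == ip and not e.static)]
        self.entries.append(ArpEntry(ip, mac, iface))
        return True

    def add_static(self, ip, mac, iface, publish=False, bind=False):
        """Add Static ARP entry. Binding drops dynamically cached references
        to the MAC; a second static mapping of a bound MAC is refused."""
        if self._bound_iface(mac) is not None:
            raise ValueError(f"{mac} is already bound; non-unique mapping")
        if bind:
            self.entries = [e for e in self.entries
                            if not (e.mac.lower() == mac.lower()
                                    and not e.static)]
        self.entries.append(ArpEntry(ip, mac.lower(), iface, static=True,
                                     published=publish, bound=bind))

    def answer_query(self, ip, iface):
        """MAC the appliance would put in an ARP reply for ip on iface
        (published entries only), or None."""
        for e in self.entries:
            if e.published and e.ip == ip and e.iface == iface:
                return e.mac
        return None

    def responds_to(self, mac, iface):
        """Whether the appliance will talk to this MAC on iface at all."""
        bound = self._bound_iface(mac)
        return bound is None or bound == iface


def demo():
    """Constructed scenario: a stale dynamic entry on X2, then a bound static
    entry on X0 and a published gateway for a secondary subnet."""
    t = ArpTable()
    t.learn("10.1.1.50", "00:11:22:33:44:55", "X2")
    t.add_static("10.1.1.50", "00:11:22:33:44:55", "X0", bind=True)
    t.add_static("192.168.77.1", "aa:bb:cc:dd:ee:01", "X0", publish=True)
    return t
```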

Secondary Subnets with Static ARP


The Static ARP feature allows for secondary subnets to be added on other interfaces, and
without the addition of automatic NAT rules.

Adding a Secondary Subnet using the Static ARP Method


1. Add a 'published' static ARP entry for the gateway address that will be used for the secondary subnet, assigning it the MAC address of the SonicWALL interface to which it will be connected.

2. Add a static route for that subnet, so that the SonicWALL regards it as valid traffic, and knows to which interface to route that subnet's traffic.

3. Add Access Rules to allow traffic destined for that subnet to traverse the correct network interface.

4. Optional: Add a static route on upstream device(s) so that they know which gateway IP to use to reach the secondary subnet.

Flushing the ARP Cache


It is sometimes necessary to flush the ARP cache if the IP address has changed for a device on the network. Since the IP address is linked to a physical address, the IP address can change but still be associated with the physical address in the ARP Cache. Flushing the ARP Cache allows new information to be gathered and stored in the ARP Cache. Click Flush ARP Cache to clear the information.
To configure a specific length of time for the entry to time out, enter a value in minutes in the ARP Cache entry time out (minutes) field.

Navigating and Sorting the ARP Cache Table Entries


To view ARP cache information, click Request ARP Cache display from unit(s).
The ARP Cache table provides easy pagination for viewing a large number of ARP entries. You can navigate a large number of ARP entries listed in the ARP Cache table by using the navigation control bar located at the top right of the ARP Cache table. The navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons move to the previous or next page, respectively.
You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific ARP entry. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page.
You can sort the entries in the table by clicking on the column header. The entries are sorted in ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates descending order.


Configuring SwitchPorts
The SwitchPorts page allows you to manage the assignments of ports to PortShield interfaces.
A PortShield interface is a virtual interface with a set of ports assigned to it. To configure a
SwitchPort, perform the following steps:
1. Expand the Network tree and click SwitchPorts. The SwitchPorts page displays.

2. Click the Edit icon for the SwitchPort you want to configure. The SwitchPort Configuration window displays. The name of the PortShield interface group is assigned by default.

3. Click on the Port Enable list box and click on either the Enable or Disable option to either activate or deactivate the interfaces in the PortShield interface group.

4. Click on the PortShield interface list box and click on the PortShield interface you created in the previous procedure.

5. Click on the Link Speed list box and click on the throughput speed you want to assign the interface. The choices are:
Auto negotiate
100 Mbps Full Duplex
100 Mbps Half Duplex
10 Mbps Full Duplex
10 Mbps Half Duplex


Note: Do not change this setting from the default of Auto negotiate unless your system requires you to do so. Also, note that for any setting involving the Full Duplex feature to work properly, be sure to configure Full Duplex on both ends of the link. If Full Duplex is not configured on both ends, a duplex mismatch occurs, causing throughput loss.

6. Click on the Rate Limit option and select a value. The rate limit value enables you to throttle traffic coming into the switch. Remember, these values apply to inbound traffic only.

7. Click OK. Wait for a few seconds. The system then incorporates the changes you made to the PortShield interface group and adds it back to the switch ports list.

Configuring PortShield Groups


On the Network > PortShield Groups page, you can manually group ports together, which
allows them to share a common network subnet as well as common zone settings.

Note: The PortShield Groups page is supported on appliances running SonicOS Enhanced versions 5.5 or higher.

To assign an interface to a PortShield group, perform the following steps:

Note: Interfaces must be configured before being grouped with PortShield.

1. Navigate to the Network > PortShield Groups page.

2. Click on the Configure icon for the interface you want to assign to a PortShield group. The Edit Switch Port window displays.

3. In the Port Enabled pull-down menu, select whether you want to enable or disable the interface.

4. In the PortShield Interface pull-down menu, select which interface you want to assign as the master interface for the PortShield interface.


5. In the Link Speed pull-down menu, select the link speed for the interfaces.

6. Click OK.

Configuring MAC-IP Anti-Spoof


MAC and IP address-based attacks are increasingly common in today's network security environment. These types of attacks often target a Local Area Network (LAN) and can originate from either outside or inside a network. In fact, anywhere internal LANs are somewhat exposed, such as in office conference rooms, schools, or libraries, could provide an opening to these types of attacks. These attacks also go by various names: man-in-the-middle attacks, ARP poisoning, SPITS. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing administrators with different ways to control access to a network, and by eliminating spoofing attacks at OSI Layer 2/3.
The effectiveness of the MAC-IP Anti-Spoof feature focuses on two areas. The first is admission control, which allows administrators to select which devices gain access to the network. The second area is the elimination of spoofing attacks, such as denial-of-service attacks, at Layer 2. To achieve these goals, two caches of information must be built: the MAC-IP Anti-Spoof Cache, and the ARP Cache.
The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to be allowed inside the network. An incoming packet's source MAC and IP addresses are looked up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:

DHCP Server-based leases (SonicWALL's DHCP Server)

DHCP relay-based leases (SonicWALL's IP Helper)

Static ARP entries

User created static entries

The ARP Cache is built through the following subsystems:

ARP packets; both ARP requests and responses

Static ARP entries from user-created entries

MAC-IP Anti-Spoof Cache

The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so egress packets (packets exiting the network) are not spoofed by a bad device or by unwanted ARP packets. This prevents a firewall from routing a packet to the unintended device, based on mapping. This also prevents man-in-the-middle attacks by refreshing a client's own MAC address inside its ARP cache.
The following sections describe how to configure MAC-IP Anti-Spoof:
Interface Settings on page 252

Anti-Spoof Cache on page 254

Spoof Detect List on page 255

Interface Settings
To edit MAC-IP Anti-Spoof settings within the Network Security Appliance management interface, go to the Network > MAC-IP Anti-spoof page.

To configure settings for a particular interface, click the pencil icon in the Configure column for the
desired interface. The Settings window is displayed for the selected interface.

In this window, the following settings can be enabled or disabled by clicking on the corresponding
checkbox. Once your setting selections for this interface are complete, click OK. The following
options are available:
Enable: To enable the MAC-IP Anti-Spoof subsystem on traffic through this interface

Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries

DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the
SonicWALL DHCP server

DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases, from the
DHCP relay, based on IP Helper.


ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This
applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and
adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP
poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.

ARP Watch: Enables generation of unsolicited unicast ARP responses towards the client's machine for every MAC-IP cache entry on the interface. This process helps prevent man-in-the-middle attacks.

Enforce: Enables ingress control on the interface, blocking traffic from devices not listed in the MAC-IP Anti-Spoof cache.

Spoof Detection: Logs all devices that fail to pass the Anti-Spoof cache check and lists them in the Spoof Detected List.

Allow Management: Allows through all packets destined for the appliance's IP address, even if coming from devices currently not listed in the Anti-Spoof cache.

Once the settings have been adjusted, the interface's listing will be updated on the MAC-IP Anti-Spoof panel. The green circle with white check mark icons denote which settings have been enabled.

Note: The following interfaces are excluded from the MAC-IP Anti-Spoof list: non-Ethernet interfaces, PortShield member interfaces, Layer 2 bridge pair interfaces, high availability interfaces, and high availability data interfaces.

Anti-Spoof Cache
The MAC-IP Anti-Spoof Cache lists all the devices presently listed as authorized to access
the network, and all devices marked as blacklisted (denied access) from the network. To add
a device to the list, perform the following tasks:
1. Click the Add Anti-Spoof Cache button.

2. Enter the IP address for the device.

3. Enter the MAC address for the device in the provided fields.

4. Check the "a router" setting to allow traffic coming from behind this device.

5. Check the "a blacklisted device" setting to block packets from this device, irrespective of its IP address.

6. Click OK.

If you need to edit a static Anti-Spoof cache entry, click the pencil icon, under the Configure
column, on the same line.
Single, or multiple, static anti-spoof cache entries can be deleted. To do this, select the delete
checkbox next to each entry, then click the Delete Anti-Spoof Cache(s) button.


To clear cache statistics, select the desired devices, then click Clear Stats.
Some packet types are bypassed even though the MAC-IP Anti-Spoof feature is enabled: 1)
Non-IP packets, 2) DHCP packets with source IP as 0, 3) Packets from a VPN tunnel, 4)
Packets with invalid unicast IPs as their source IPs, and 5) Packets from interfaces where the
Management status is not enabled under anti-spoof settings.
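The ingress decision described in this section and in the Interface Settings above (cache built from static ARP entries and DHCP leases, the "a router" and "a blacklisted device" flags, Enforce, Spoof Detection, Allow Management, and the bypassed packet types) modelled in Python. This is an added illustration, not SonicOS code; the packet dictionaries, MAC and IP addresses are constructed sample values, and bypass case 5 (which interfaces participate) is outside this per-interface model.

```python
"""Per-interface MAC-IP Anti-Spoof ingress check (added model, not SonicOS)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CacheEntry:
    mac: str
    ip: str
    router: bool = False       # "a router": allow traffic from behind it
    blacklisted: bool = False  # block this MAC irrespective of its IP


@dataclass
class IfaceSettings:
    enable: bool = True
    enforce: bool = False           # drop devices not in the cache
    spoof_detection: bool = False   # log failures to the Spoof Detected List
    allow_management: bool = False  # always pass traffic to the appliance
    appliance_ip: str = "10.0.0.1"  # this interface's own address (constructed)


@dataclass
class AntiSpoof:
    settings: IfaceSettings
    cache: dict = field(default_factory=dict)         # mac -> CacheEntry
    spoof_detected: list = field(default_factory=list)  # (mac, ip) pairs

    def build_cache(self, static_arp, dhcp_leases):
        """Static ARP entries and active DHCP leases both feed the cache."""
        for mac, ip in list(static_arp) + list(dhcp_leases):
            self.cache[mac.lower()] = CacheEntry(mac.lower(), ip)

    def add_static(self, mac, ip, router=False, blacklisted=False):
        """User-created static entry (Add Anti-Spoof Cache)."""
        self.cache[mac.lower()] = CacheEntry(mac.lower(), ip, router, blacklisted)

    def bypassed(self, pkt):
        """Packet types the feature does not examine (cases 1-4 above)."""
        if not pkt.get("is_ip", True):
            return True                        # 1) non-IP packets
        if pkt.get("dhcp") and pkt["src_ip"] == "0.0.0.0":
            return True                        # 2) DHCP with source IP 0
        if pkt.get("from_vpn"):
            return True                        # 3) packets from a VPN tunnel
        try:
            src = ipaddress.ip_address(pkt["src_ip"])
        except ValueError:
            return True
        if src.is_multicast or src.is_unspecified or src.is_reserved:
            return True                        # 4) invalid unicast source IP
        return False

    def ingress(self, pkt):
        """Return 'allow' or 'drop' for a packet arriving on this interface."""
        s = self.settings
        if not s.enable or self.bypassed(pkt):
            return "allow"
        mac = pkt["src_mac"].lower()
        entry = self.cache.get(mac)
        if entry and entry.blacklisted:
            return "drop"
        if entry and (entry.ip == pkt["src_ip"] or entry.router):
            return "allow"
        # Not a valid MAC-IP pair: management traffic may still be allowed
        if s.allow_management and pkt["dst_ip"] == s.appliance_ip:
            return "allow"
        if s.spoof_detection and (mac, pkt["src_ip"]) not in self.spoof_detected:
            self.spoof_detected.append((mac, pkt["src_ip"]))
        # Spoof Detection only logs; Enforce is what actually blocks
        return "drop" if s.enforce else "allow"
```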
The Anti-Spoof Cache Search section provides the ability to search the entries in the cache.
To search the MAC-IP Anti-Spoof Cache, perform the following steps:

1. In the search pull-down menu, select whether you want to search by IP address or Interface.

2. Select what type of search: Equals, Starts with, Ends with, or Contains.

3. Enter a search string in the text box.

4. Click Search. Matching entries in the MAC-IP Anti-Spoof cache will be displayed.

Spoof Detect List


Note: Spoof Detected List display is available only at the Unit level.


The Spoof Detect List displays devices that failed to pass the ingress anti-spoof cache check.
Entries on this list can be added as a static anti-spoof entry. To view the Spoof Detect List, click
the Request Spoof Detected List from Firewall link.

To add an entry to the static anti-spoof list, click on the pencil icon under the Add column for
the desired device. An alert message window will open, asking if you wish to add this static
entry. Click OK to proceed.
Entries can be flushed from the list by clicking the Flush button. The name of each device can
also be resolved using NetBios, by clicking the Resolve button.


Configuring Network Monitor


This section describes how to configure the Network Monitor feature, which provides a flexible
mechanism for monitoring network path viability. The results and status of this monitoring are
displayed on the Network Monitor page, and are also provided to affected client components
and logged in the system log.
Each custom NM policy defines a destination Address Object to be probed. This Address
Object may be a Host, Group, Range, or FQDN. When the destination Address Object is a
Group, Range or FQDN with multiple resolved addresses, Network Monitor probes each probe
target and derives the NM Policy state based on the results.

To add a network monitor policy on the SonicWALL security appliance, perform these steps:

1. From the Network > Network Monitor page, click the Add button. The Add Network Monitor Policy window is displayed.

2. Enter the following information to define the network monitor policy:

Name - Enter a description of the Network Monitor policy.

Probe Target - Select the Address Object or Address Group to be the target of the policy. Address Objects may be Host, Group, Range, or FQDN objects. Objects within a Group object may be Host, Range, or FQDN Address Objects. You can dynamically create a new address object by selecting Create New Address Object.

Probe Type - Select the appropriate type of probe for the network monitor policy:

Ping (ICMP) - This probe uses the route table to find the egress interface and next-hop for the defined probe targets. A Ping echo-request is sent out the egress interface with the source IP address of the egress interface. An echo response must return on the same interface within the specified Response Timeout time limit for the ping to be counted as successful.

TCP - This probe uses the route table to find the egress interface and next-hop for the defined probe targets. A TCP SYN packet is sent to the probe target with the source IP address of the egress interface. A successful response will be counted independently for each probe target when the target responds with either a SYN/ACK or RST via the same interface within the Response Timeout time window. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned.

Ping (ICMP) - Explicit Route - This probe bypasses the route table and uses the source IP address of the interface specified in the Outbound Interface pull-down menu to send a Ping to the targets. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network.

TCP - Explicit Route - This probe bypasses the route table and uses the source IP address of the interface specified in the Outbound Interface pull-down menu to send a TCP SYN packet to the targets. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned.

Next Hop Gateway - Manually specifies the next hop that is used from the outbound interface to reach the probe target. This option must be configured for Explicit Route policies. For non-Explicit Route policies, the probe uses the appliance's route table to determine the egress interface to reach the probe target. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network.

Outbound Interface - Manually specifies which interface is used to send the probe. This option must be configured for Explicit Route policies. For non-Explicit Route policies, the probe uses the appliance's route table to determine the egress interface to reach the probe target.

Port - Specifies the destination port of target hosts for TCP probes. A port is not specified for Ping probes.

3. Optionally, you can adjust the following thresholds for the probes:

Probe hosts every - The number of seconds between each probe. This number cannot be less than the Reply time out field.

Reply time out - The number of seconds the Network Monitor waits for a response for each individual probe before a missed probe is counted for the specific probe target. The Reply time out cannot exceed the Probe hosts every field.

Probe state is set to DOWN after - The number of consecutive missed probes that triggers a host state transition to DOWN.

Probe state is set to UP after - The number of consecutive successful probes that triggers a host state transition to UP.

All Hosts Must Respond - Selecting this checkbox specifies that all of the probe target Host States must be UP before the Policy State can transition to UP. If not checked, the Policy State is set to UP when any of the Host States are UP.

4. Optionally, you can enter a descriptive comment about the policy in the Comment field.

5. Click Update to submit the Network Monitor policy. Then click Update on the Network > Network Monitor page.

When configuring a static route, you can optionally configure a Network Monitor policy for the
route. When a Network Monitor policy is used, the static route is dynamically disabled or
enabled, based on the state of the probe for the policy. For more information, see
Probe-Enabled Policy Based Routing Configuration on page 241.
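The threshold behaviour from step 3 above (Reply time out versus Probe hosts every, DOWN after N consecutive misses, UP after N consecutive successes, and the All Hosts Must Respond policy rule) worked through as a state machine. This is an added illustration, not SonicOS code; probe targets and round-trip times are constructed sample values.

```python
"""Network Monitor host and policy state evaluation (added model, not SonicOS).

A probe result is a round-trip time in seconds, or None when no reply came
back. A reply slower than Reply time out counts as a missed probe.
"""
from dataclasses import dataclass, field


@dataclass
class Thresholds:
    probe_every: int = 3       # "Probe hosts every" (seconds)
    reply_timeout: int = 1     # "Reply time out" (seconds), <= probe_every
    down_after: int = 3        # "Probe state is set to DOWN after" misses
    up_after: int = 3          # "Probe state is set to UP after" successes
    all_hosts_must_respond: bool = False

    def __post_init__(self):
        # The page's constraint: the timeout cannot exceed the probe interval
        if self.reply_timeout > self.probe_every:
            raise ValueError("Reply time out cannot exceed Probe hosts every")


@dataclass
class HostState:
    state: str = "UNKNOWN"     # UNKNOWN until a threshold is first reached
    consecutive_ok: int = 0
    consecutive_missed: int = 0


@dataclass
class NetworkMonitorPolicy:
    name: str
    targets: list              # resolved addresses of the Probe Target
    thr: Thresholds
    hosts: dict = field(default_factory=dict)

    def __post_init__(self):
        self.hosts = {t: HostState() for t in self.targets}

    def record(self, target, rtt):
        """Feed one probe result for a target; returns the new host state."""
        h = self.hosts[target]
        success = rtt is not None and rtt <= self.thr.reply_timeout
        if success:
            h.consecutive_ok += 1
            h.consecutive_missed = 0
            if h.consecutive_ok >= self.thr.up_after:
                h.state = "UP"
        else:
            h.consecutive_missed += 1
            h.consecutive_ok = 0
            if h.consecutive_missed >= self.thr.down_after:
                h.state = "DOWN"
        return h.state

    def policy_state(self):
        """Policy State derived from the Host States."""
        states = [h.state for h in self.hosts.values()]
        if self.thr.all_hosts_must_respond:
            return "UP" if all(s == "UP" for s in states) else "DOWN"
        return "UP" if any(s == "UP" for s in states) else "DOWN"


def run_round(policy, results):
    """Apply one probe round; results maps target -> rtt seconds or None."""
    for target, rtt in results.items():
        policy.record(target, rtt)
    return policy.policy_state()
```

A static route tied to such a policy would be enabled while `policy_state()` is UP and disabled while it is DOWN.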

Configuring Network Settings in SonicOS Standard


The following sections describe how to configure network settings in SonicOS Standard:

Configuring Basic Network Settings in SonicOS Standard section on page 258

Configuring Web Proxy Forwarding section on page 265

Configuring Intranet Settings section on page 265

Configuring Routing in SonicOS Standard section on page 267

Configuring RIP in SonicOS Standard section on page 267

Configuring One-to-One NAT section on page 270

Configuring Ethernet Settings section on page 271

Configuring ARP section on page 272

Configuring Basic Network Settings in SonicOS Standard


The Network settings page is used to configure the network addressing mode, LAN settings,
WAN settings, DMZ settings, and the DNS server address(es). SonicOS Standard supports six
network addressing modes. For all of these modes, first configure the universal settings:

LAN Settings for all Network Addressing Modes section on page 258

Then configure the settings for the appropriate network addressing mode:

Standard Mode section on page 259

NAT-Enabled Mode section on page 259

NAT with DHCP Client Mode section on page 261

NAT With PPPoE Client section on page 261

NAT With L2TP Client section on page 262

NAT With PPTP Client section on page 264

Note: Making changes to this page causes the SonicWALL appliance to restart automatically. We recommend scheduling the tasks to run when network activity is low.

LAN Settings for all Network Addressing Modes


For all six of the network addressing modes supported in SonicOS Standard, complete the
following basic network settings:
1. Enter the IP address assigned to the LAN interface in the SonicWALL LAN IP Address field and the subnet the IP address belongs to in the LAN Subnet Mask field.

2. To add an additional subnet, enter the IP address and subnet in the Network Gateway and Subnet Mask fields and click Add Subnet.

3. Enter the IP address of the router that provides Internet access to the SonicWALL appliance in the WAN Gateway (Router) Address field.
The SonicWALL WAN IP Address and WAN Subnet Mask are automatically set to the SonicWALL LAN IP Address and LAN Subnet Mask, respectively.


Standard Mode
When you select Standard Mode (also known as Transparent Mode), Network Address
Translation (NAT) is disabled. All nodes on the LAN or WorkPort that will access or be accessed
from the Internet must use valid, Internet-accessible IP addresses.
To configure a SonicWALL appliance for standard network addressing, perform the following steps:

1. On the Network > Settings page, select Standard from the Network Addressing Mode area.

2. Configure the LAN Settings as described in the LAN Settings for all Network Addressing Modes section on page 258.

3. Enter the IP addresses of the DNS servers in the DNS Server 1-3 fields.

Note: SonicWALL appliances require the IP address of at least one DNS server to function properly.

4. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

NAT-Enabled Mode
NAT provides anonymity to machines on the LAN or WorkPort by connecting the entire network
to the Internet using a single IP address. This provides security to the internal machines by
hiding them from the outside world and conserves IP addresses.
When using NAT, we recommend using internal network IP addresses from a special range.
The following IP address ranges are reserved for private IP networks and are not routed on the
Internet:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255


If your network uses IP addresses that are not registered to your organization and are not within the private IP address ranges, the servers on the Internet to which those IP addresses belong will not be accessible from your network. For example, if an IP address on your network is 185.5.20.105 and it is not registered to your organization, the server that uses that IP address on the Internet will not be accessible from your network.

Note: If you choose to use NAT, but need to make some machines available to the outside world, use One-to-One NAT. One-to-One NAT maps external IP addresses to private IP addresses. For more information, refer to the Configuring One-to-One NAT section on page 270.

To configure a SonicWALL appliance for NAT, perform the following steps:

1. On the Network > Settings page, select NAT Enabled from the Network Addressing Mode area.

2. Configure the LAN Settings as described in the LAN Settings for all Network Addressing Modes section on page 258.

3. Configure the following WAN Settings:

SonicWALL WAN IP (NAT Public) Address - Public IP address used to access the Internet. All activity on the Internet will appear to originate from this address. This IP address must be valid and is generally supplied by your Internet Service Provider (ISP).

WAN Gateway (Router) Address - Address of the router that attaches the LAN to the Internet.

WAN Subnet Mask - Determines the subnet to which the public IP address belongs. This is generally supplied by your ISP.

4. Enter the IP addresses of the DNS servers in the DNS Server 1-3 fields.

Note: SonicWALL appliances require the IP address of at least one DNS server to function properly.

5. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

NAT with DHCP Client Mode


When you select the NAT with DHCP Client mode, the SonicWALL appliance uses DHCP to
obtain a dynamic WAN IP address from the ISP and uses NAT for the LAN. For more information
on NAT, refer to the NAT-Enabled Mode section on page 259.
To configure a SonicWALL appliance for NAT with a DHCP client, perform the following steps:
1. On the Network > Settings page, select NAT with DHCP Client from the Network
   Addressing Mode area.
2. Configure the LAN Settings as described in the LAN Settings for all Network Addressing
   Modes section on page 258.
3. The WAN settings and the DNS server IP addresses are automatically provided by the
   DHCP server of the service provider. You do not need to configure any parameters in the
   WAN Settings area.
4. In the Other Settings area, enter the name of the DHCP server in the Host Name field.
5. When you are finished, click Update. The settings are changed for each selected
   SonicWALL appliance. To clear all screen settings and start over, click Reset.

NAT With PPPoE Client


When you select the NAT with PPPoE Client mode, the SonicWALL appliance uses PPP over
Ethernet (PPPoE) to connect to the Internet. PPPoE is required by some ISPs to authenticate
users over broadband Internet access devices (e.g., DSL, cable modems, wireless). Note that
when using NAT for the PPPoE client, the password appears in clear text.

Note: When this mode is selected, the SonicWALL LAN IP Address is used as the gateway
address for computers on the LAN or WorkPort.

To configure a SonicWALL appliance for NAT with PPPoE, perform the following steps:
1. On the Network > Settings page, select NAT with PPPoE Client from the Network
   Addressing Mode area.
2. Configure the LAN Settings as described in the LAN Settings for all Network Addressing
   Modes section on page 258.
3. Configure the following ISP Settings:
   - User Name: username provided by the ISP.
   - Password: password used to authenticate the username with the ISP. This field is
     case-sensitive.
4. To specify how long the SonicWALL appliance waits before disconnecting from the Internet,
   select the Disconnect after minutes of inactivity checkbox and enter the amount of time
   in the inactivity field.
5. Select from the following:
   - To configure the SonicWALL appliance(s) to dynamically obtain an IP address, select
     Obtain an IP Address automatically.
   - To configure the SonicWALL appliance(s) to use a fixed IP address, select Use the
     following IP Address and enter the IP address.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL
   appliance. To clear all screen settings and start over, click Reset.

NAT With L2TP Client


When you select the NAT with L2TP Client mode, the SonicWALL appliance uses Layer Two
Tunneling Protocol (L2TP) to connect to the Internet.

Note: When this mode is selected, the SonicWALL LAN (WorkPort) IP Address is used as the
gateway address for computers on the LAN or WorkPort.
To configure a SonicWALL appliance for NAT with L2TP, perform the following steps:
1. On the Network > Settings page, select NAT with L2TP Client from the Network
   Addressing Mode area.
2. Configure the LAN Settings as described in the LAN Settings for all Network Addressing
   Modes section on page 258.
3. Select from the following WAN settings:
   - To configure the SonicWALL appliance to dynamically obtain an IP address, select
     Obtain an IP address using DHCP.
     To renew the IP address, click Renew Lease.
     To release the IP address, click Release.
   - To configure the SonicWALL appliance to use fixed settings, select Use the specified
     IP address and enter the following:
     - SonicWALL WAN IP (NAT Public) Address: Public IP address used to access
       the Internet. All activity on the Internet will appear to originate from this address.
       This IP address must be valid and is generally supplied by your Internet Service
       Provider (ISP).
     - WAN Gateway (Router) Address: Address of the router that attaches the LAN to
       the Internet.
     - WAN Subnet Mask: Determines the subnet to which the public IP address
       belongs. This is generally supplied by your ISP.
4. Enter the IP address of the DNS server in the DNS Server 1 field.
5. Configure the following ISP L2TP Settings:
   - L2TP Host Name: this information is provided by your ISP.
   - L2TP Server IP Address: this information is provided by your ISP.
   - User Name: username provided by the ISP.
   - Password: password used to authenticate the username with the ISP. This field is
     case-sensitive.
6. To specify how long the SonicWALL appliance waits before disconnecting from the Internet,
   select the Disconnect after minutes of inactivity checkbox and enter the amount of time
   in the inactivity field.
7. When you are finished, click Update. The settings are changed for the selected SonicWALL
   appliance. To clear all screen settings and start over, click Reset.

NAT With PPTP Client


When you select the NAT with PPTP Client mode, the SonicWALL appliance uses
Point-to-Point Tunneling Protocol (PPTP) to connect to the Internet.
When this mode is selected, the SonicWALL LAN (WorkPort) IP Address is used as the
gateway address for computers on the LAN or WorkPort.
To configure a SonicWALL appliance for NAT with PPTP, perform the following steps:
1. On the Network > Settings page, select NAT with PPTP Client from the Network
   Addressing Mode area.
2. Configure the LAN Settings as described in the LAN Settings for all Network Addressing
   Modes section on page 258.
3. Select from the following WAN settings:
   - To configure the SonicWALL appliance to dynamically obtain an IP address, select
     Obtain an IP address using DHCP.
     To renew the IP address, click Renew Lease.
     To release the IP address, click Release.
   - To configure the SonicWALL appliance to use fixed settings, select Use the specified
     IP address and enter the following:
     - SonicWALL WAN IP (NAT Public) Address: Public IP address used to access
       the Internet. All activity on the Internet will appear to originate from this address.
       This IP address must be valid and is generally supplied by your Internet Service
       Provider (ISP).
     - WAN Gateway (Router) Address: Address of the router that attaches the LAN to
       the Internet.
     - WAN Subnet Mask: Determines the subnet to which the public IP address
       belongs. This is generally supplied by your ISP.
4. Enter the IP address of the DNS server in the DNS Server 1 field.
5. Configure the following ISP PPTP Settings:
   - PPTP Host Name: this information is provided by your ISP.
   - PPTP Server IP Address: this information is provided by your ISP.
   - User Name: username provided by the ISP.
   - User Password: password used to authenticate the username with the ISP. This field
     is case-sensitive.
6. To specify how long the SonicWALL appliance waits before disconnecting from the Internet,
   select the Disconnect after minutes of inactivity checkbox and enter the amount of time
   in the inactivity field.
7. When you are finished, click Update. The settings are changed for the selected SonicWALL
   appliance. To clear all screen settings and start over, click Reset.

Configuring Dynamic DNS


Note: Dynamic DNS forwarding settings are identical in SonicOS Standard and Enhanced. For
configuration information, refer to the Configuring Dynamic DNS section on page 230 in
the SonicOS Enhanced section of this chapter.

Configuring Web Proxy Forwarding


Note: Web proxy forwarding settings are identical in SonicOS Standard and Enhanced. For
configuration information, refer to the Configuring Web Proxy Forwarding Settings section
on page 239 in the SonicOS Enhanced section of this chapter.

Configuring Intranet Settings


SonicWALLs can be installed between LAN segments of intranets to prevent unauthorized
access to certain resources. For example, if the administrative offices of a school are on the
same network as the student computer lab, they can be separated by a SonicWALL.
Figure 10:3 shows how a SonicWALL appliance can be installed between two network
segments on an Intranet.
Figure 10:3 SonicWALL Intranet Configuration

Note: Devices connected to the WAN port do not have firewall or content filter protection. To
protect these units, install another SonicWALL appliance between the Internet and devices
connected to the WAN port of the other SonicWALL appliance.
Although the systems on the WAN and LAN links are separated, they are still on the same
subnet. Consequently, you must make the systems on the larger network aware of the
systems on the smaller network. To do this, perform the following steps:
1. Expand the Network tree and click Intranet. The Intranet page displays.
2. Select from the following:
   - If the SonicWALL is not used to separate LAN segments on the intranet, select
     SonicWALL's WAN link is connected to the Internet Router.
   - If the smaller network is connected to the LAN, select Specified addresses are
     attached to the LAN link.
   - If the smaller network is connected to the WAN, select Specified addresses are
     attached to the WAN link.
3. Enter the IP address or IP address range of a system or group of systems on the smaller
   network:
   - To enter a single IP address, enter the IP address in the Addr Range Begin field.
   - To enter a range of IP addresses, enter the starting IP address in the Addr Range
     Begin field and the ending IP address in the Addr Range End field.
   Click Add Range.
4. Repeat Step 3. for each IP address or IP address range on the smaller network.
5. When you are finished, click Update. The settings are changed for each selected
   SonicWALL appliance. To clear all screen settings and start over, click Reset.
6. To define which services can be accessed from outside the restricted network segment,
   refer to the Configuring Firewall Settings in SonicOS Standard section on page 300.

Configuring Routing in SonicOS Standard


If the LAN(s) have internal routers, their addresses and network information must be entered
into the SonicWALL(s). To add an internal router, perform the following steps:
1. Expand the Network tree and click Routing. The Routing page displays.
2. Select whether the router is connected to the LAN (WorkPort), WAN, or OPT interface from
   the Link list box.
3. Enter the destination network IP addresses in the Destination Network and Subnet Mask
   fields.
4. Enter the IP address of the router in the Gateway field.
5. Click Add Route. Repeat Step 2. through Step 4. for each route that you want to add.
6. When you are finished, click Update. The settings are changed for each selected
   SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring RIP in SonicOS Standard


RIP is a distance-vector routing protocol that is commonly used in small homogeneous
networks. Using RIP, a router will periodically send its entire routing table to its closest neighbor,
which passes the information to its next neighbor, and so on. Eventually, all routers within the
network will have the information about the routing paths. When attempting to route packets, a
router will check the routing table and select the path that requires the fewest hops.
RIP is not supported by all SonicWALL appliances.
To configure RIP, perform the following steps:
1. Expand the Network tree and click RIP. The RIP page displays.
2. Select the RIP version from the RIP Advertisements list box:
   - RIPv1 Enabled: first version of RIP.
   - RIPv2 Enabled (multicast): sends route advertisements using multicasting (a single
     data packet to specific nodes on the network).
   - RIPv2 Enabled (broadcast): sends route advertisements using broadcasting (a
     single data packet to all nodes on the network).
3. To advertise static routes that you specified on the Routing page, select the Advertise
   Static Routes check box.
4. To set the amount of time between a VPN tunnel state change and the time the change is
   advertised, enter a value in the Route Change Damp Time field (default: 30 seconds).
5. To specify the number of advertisements that are sent after a route is deleted, enter a value
   in the Deleted Route Advertisements field (default: 5 advertisements).
6. By default, the connection between this router and its neighbor counts as one hop.
   However, there are cases where you want to discourage or reduce the use of this route by
   adding additional hops. To change the hop count of this route, enter the number of hops in
   the Route Metric field.
7. Optional. If RIPv2 is selected from the Route Advertisements list box, you can enter a value
   in the RIPv2 Route Tag field. This value is implementation-dependent and provides a
   mechanism for routers to classify the originators of RIPv2 advertisements.
8. Optional. Select from the following RIPv2 Authentication options:
   - User Defined: Enter 4 hex digits in the Authentication Type field and 32 hex digits in
     the Authentication Data field.
   - Cleartext Password: Enter a password (16 characters or less) in the Authentication
     Password field.
   - MD5 Digest: Enter a numerical value from 0-255 in the Authentication Key-Id field.
     Enter a 32 hex digit value for the Authentication Key field, or use the generated key.
9. When you are finished, click Update. The settings are changed for each selected
   SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring OPT Addresses


SonicWALL appliances protect users by preventing Internet users from accessing systems
within the LAN (WorkPort). However, this security also prevents users from reaching servers
intended for public access, such as Web and mail servers.
To allow these services, many SonicWALL models have a special Demilitarized Zone (DMZ)
port (also known as the HomePort) which is used for public servers. The DMZ sits between the
LAN (WorkPort) and the Internet. Servers on the DMZ are publicly accessible, but are protected
from denial of service attacks such as SYN Flood and Ping of Death.
Although the DMZ port is optional, it is strongly recommended for public servers or when
connecting the servers directly to the Internet where they are not protected.

Note: Some newer SonicWALL appliances have one or more OPT ports that can be configured as
a DMZ port. For more information, refer to the Overview of Interfaces section on page 207.
Each server on the DMZ port or HomePort requires a unique, publishable Internet IP address.
The ISP that provides your Internet connection should be able to provide these addresses.


To add OPT IP addresses, perform the following steps:
1. Expand the Network tree and click DMZ Addresses or HomePort Addresses.
2. The DMZ/HomePort Addresses page displays.
3. Select from the following:
   - If the devices on the DMZ will use fixed IP addresses, select OPT in Standard Mode.
     Then, enter the starting IP address in the Addr Range Begin field, the ending IP
     address in the Addr Range End field, and click Add Range. Repeat this step for each
     range of IP addresses. To enter a single IP address, enter the IP address in the Addr
     Range Begin field.
   - If the devices on the DMZ or HomePort will use NAT, select OPT in NAT Mode and do
     the following:
     - Enter the private internal IP address assigned to the DMZ or HomePort interface in
       the OPT Private Address field.
     - Assign a subnet mask in the DMZ or HomePort Subnet Mask field. The LAN
       (WorkPort) and OPT can have the same subnet mask, but the subnets must be
       different. For instance, the LAN subnet can be 192.168.0.1 with a subnet mask of
       255.255.255.0, and the DMZ subnet can be 172.16.18.1 with a subnet mask of
       255.255.255.0.
     - To define a DMZ or HomePort public IP address that will be used to access devices
       on the DMZ interface, enter an IP address in the OPT NAT Many to One Public
       Address field (Optional).
4. Select from the following:
   - Enter a single IP address in the Addr Range Begin field.
   - Enter a range of IP addresses in the Addr Range Begin field and the ending IP address
     in the Addr Range End field.
5. Click Add Range.
6. To enter additional IP addresses and IP address ranges, repeat Steps 3. and 4.
7. When you are finished, click Update. The settings are changed for each selected
   SonicWALL appliance. To clear all screen settings and start over, click Reset.


Configuring One-to-One NAT


One-to-One NAT maps valid external IP addresses to internal addresses hidden by NAT. This
enables you to hide most of your network behind internal IP addresses while still allowing direct
access to the few machines that must be reachable from outside.
To do this, assign a range of internal IP addresses to a range of external IP addresses of equal
size. The first internal IP address will correspond to the first external IP address, the second
internal IP address to the second external IP address, and so on.
For example, if an ISP has assigned IP addresses 209.19.28.16 through 209.19.28.31 with
209.19.28.16 as the NAT public address and the address range 192.168.168.1 through
192.168.168.255 is used on the LAN (WorkPort), the following table shows how the IP
addresses will be assigned.
Table 10    One-to-One NAT Example

LAN Address       WAN Address                    Accessed Via
192.168.168.1     209.19.28.16                   Inaccessible, NAT public IP address
192.168.168.2     209.19.28.17                   209.19.28.17
192.168.168.3     209.19.28.18                   209.19.28.18
[...]             [...]                          [...]
192.168.168.16    209.19.28.31                   209.19.28.31
192.168.168.16    No corresponding IP address    No corresponding IP address
[...]             [...]                          [...]
192.168.168.16    No corresponding IP address    No corresponding IP address

To configure One-to-One NAT, perform the following steps:
1. Expand the Network tree and click One-to-One NAT. The One-to-One NAT page displays.
   Figure 10:4 One-to-One NAT Page
2. Select the Enable One-to-One NAT check box.
3. Enter the first IP address of the internal IP address range in the Private Range Begin field.
4. Enter the first corresponding external IP address in the Public Range Begin field.
5. Enter the number of IP addresses in the range in the Range Length field.
6. Click Add Range.
   Note: Do not include the NAT Public IP Address in a range.
7. To add additional IP address ranges, repeat Step 3. through 6. for each range. When you
   are finished, click Update. The settings are changed for each selected SonicWALL
   appliance. To clear all screen settings and start over, click Reset.
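The mapping that the Private Range Begin, Public Range Begin and Range Length fields produce, together with the private-address ranges listed under NAT-Enabled Mode, as an added worked example in Python. This is not GMS or SonicOS code; the address values are the guide's own example, and the validation reproduces the note about the NAT Public IP Address.

```python
import ipaddress
from typing import Dict, List

# The reserved private ranges listed in the guide (not routed on the Internet).
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]


def is_private(address: str) -> bool:
    """True if the address falls inside one of the reserved private ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_NETWORKS)


def one_to_one_nat_table(private_range_begin: str, public_range_begin: str,
                         range_length: int, nat_public_address: str) -> List[Dict[str, str]]:
    """Compute the LAN -> WAN mapping that one One-to-One NAT range produces.

    The first internal address corresponds to the first external address, the
    second to the second, and so on. The checks reproduce the mistakes the
    guide warns about: the internal side must be a private address, the public
    side must not be, and the public range must not include the appliance's NAT
    Public IP Address (the "Inaccessible" row of the table).
    """
    if range_length < 1:
        raise ValueError("Range Length must be at least 1")
    private_begin = ipaddress.ip_address(private_range_begin)
    public_begin = ipaddress.ip_address(public_range_begin)
    nat_public = ipaddress.ip_address(nat_public_address)
    if not is_private(private_range_begin):
        raise ValueError(f"{private_range_begin} is not in a private IP range")
    if is_private(public_range_begin):
        raise ValueError(f"{public_range_begin} is a private address, not a public one")

    rows = []
    for offset in range(range_length):
        lan = private_begin + offset
        wan = public_begin + offset
        if wan == nat_public:
            raise ValueError(f"public range includes the NAT Public IP Address {nat_public}")
        rows.append({"lan": str(lan), "wan": str(wan), "accessed_via": str(wan)})
    return rows


def public_address_for(rows: List[Dict[str, str]], lan_address: str) -> str:
    """Return the public address a LAN host is reached through, or the table's
    'No corresponding IP address' when it lies outside every configured range."""
    for row in rows:
        if row["lan"] == lan_address:
            return row["wan"]
    return "No corresponding IP address"


if __name__ == "__main__":
    # Constructed from the guide's example: the ISP block 209.19.28.16 - .31 with
    # .16 as the NAT public address, so the mapped range starts at .17.
    table = one_to_one_nat_table("192.168.168.2", "209.19.28.17", 15, "209.19.28.16")
    for row in table:
        print(f'{row["lan"]:16} {row["wan"]:16} {row["accessed_via"]}')
    print(public_address_for(table, "192.168.168.200"))
```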

Configuring Ethernet Settings


This section describes how to configure Ethernet settings on each port of the SonicWALL
appliance(s).
The Ethernet Settings screen is only available on SonicWALL 6.x.x.x firmware versions and
SonicOS Standard firmware versions.
To configure Ethernet settings, perform the following steps:
1. Expand the Network tree and click Ethernet. The Ethernet page displays.
2. Select from the following WAN Link Settings:
   - To configure the WAN link to automatically negotiate Ethernet settings, select Auto
     Negotiate.
   - To specify WAN link settings, select Force and select the speed and duplex settings.
3. Select from the following OPT Link Settings:
   - To configure the OPT link to automatically negotiate Ethernet settings, select Auto
     Negotiate.
   - To specify OPT link settings, select Force and select the speed and duplex settings.
4. Select from the following LAN Link Settings:
   - To configure the LAN link to automatically negotiate Ethernet settings, select Auto
     Negotiate.
   - To specify LAN link settings, select Force and select the speed and duplex settings.
5. If you are managing the Ethernet connection from the LAN (WorkPort) side of your network,
   select the Proxy Management Workstation Ethernet Address on WAN check box. The
   SonicWALL appliance will take the Ethernet address of the computer that is managing the
   SonicWALL appliance and will proxy the address on the WAN port of the SonicWALL. If you
   are not managing the SonicWALL appliance from the LAN side of your network, the
   firmware looks for a random computer on the LAN, which can be a lengthy search process.
6. To limit the size of packets sent over the Ethernet WAN interface, select the Fragment
   Outbound Packets Larger than the WAN MTU check box and enter the maximum size in
   the WAN MTU field.
   If the maximum transmission unit (MTU) size is too large for a remote router, it may require
   more transmissions. If the packet size is too small, this could result in more packet header
   overhead and more acknowledgements that have to be processed. The default MTU size is
   1,500 bytes.
7. To enable bandwidth management, select the Enable check box and enter the bandwidth
   of the connection in the Available Bandwidth field.
8. When you are finished, click Update. The settings are changed for each selected
   SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring ARP

Note: ARP settings are identical in SonicOS Standard and Enhanced. For configuration
information, refer to the Configuring ARP section on page 247 in the SonicOS Enhanced
section of this chapter.


CHAPTER 11
Configuring Firewall Appliance Settings
The Firewall settings in SonicWALL GMS are different for SonicWALL security appliances
running SonicOS Enhanced and Standard. The following sections describe how to configure
Firewall settings for each of the operating systems:

Understanding the Network Access Rules Hierarchy section on page 273

Configuring Firewall Settings in SonicOS Enhanced section on page 275

Configuring Firewall Settings in SonicOS Standard section on page 300

Understanding the Network Access Rules Hierarchy


To determine whether packets are allowed through the SonicWALL firewall appliance, each
SonicWALL checks the destination IP address, source IP address, and port against the firewall
rules.

Note: Firewall rules take precedence over the default Firewall functions. Because it is possible to
disable all protection or block all access to the Internet, use caution when creating or
deleting network access rules.
Network access rules do not disable protection from Denial of Service attacks such as SYN
Flood, Ping of Death, LAND, and so on. However, it is possible to create vulnerabilities to
attacks that exploit application weaknesses.
It is important to consider the purpose and ramifications of a rule before adding it to the firewall
rule list. Use the following guidelines to determine the rule logic:

What is the purpose of the rule? For example, This rule will restrict all Internet Relay Chat
(IRC) access from the LAN (WorkPort) to the Internet. Or, This rule will allow a remote
Lotus Notes server to synchronize with our internal Notes server via the Internet.

Will the rule allow or deny traffic?

What is the flow of the traffic: LAN (WorkPort) to Internet or Internet to LAN (WorkPort)?

Which IP services will be affected?

Which computers on the LAN (WorkPort) will be affected?

Which computers on the Internet will be affected? Be as specific as possible. For example,
if traffic is being allowed from the Internet to the LAN (WorkPort), it is better to only allow
specific computers to access the LAN or WorkPort.

After determining the logic of the rule, consider the ramifications:

Will this rule stop LAN (WorkPort) users from accessing important resources on the
Internet? For example, if IRC is blocked, are there users who require this service?

Can the rule be modified to be more specific? For example, if IRC is blocked for all users,
will a rule that only blocks certain users be more effective?

Will this rule allow Internet users to access LAN or WorkPort resources in a way that makes
the LAN vulnerable? For example, if NetBIOS ports (UDP 137,138, 139) are allowed from
the Internet to the LAN, Internet users may be able to connect to PCs that have file sharing
enabled.

Does this rule conflict with other rules?

The rule hierarchy uses two basic concepts:

Specific rules override general rules.

Equally specific Deny rules override Allow rules.

For example: a rule defining a specific service is more specific than the Default rule; a defined
Ethernet link, such as LAN (WorkPort), or WAN, is more specific than * (all); and a single IP
address is more specific than an IP address range.
Rules are listed in the LAN (WorkPort) Interface window from most specific to the least specific,
and rules at the top override rules listed below.
To illustrate this, consider the rules shown below:
Table 11    Sample Rules

#   Action   Service        Source                             Destination
1   Deny     Chat (IRC)     206.18.25.4 (LAN)                  148.178.90.55 (WAN)
2   Allow    Ping           199.2.23.0 - 199.2.23.255 (WAN)    206.18.25.4 (LAN)
3   Deny     Web (HTTP)                                        216.37.125.0 - 216.37.125.255 (WAN)
4   Allow    Lotus Notes    WAN                                LAN (WorkPort)
5   Deny     News (NNTP)    LAN (WorkPort)
6   Deny     Default                                           LAN (WorkPort)
7   Allow    Default        LAN (WorkPort)

The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN (WorkPort)
out to the WAN. However, Rule #5 blocks all NNTP traffic from the LAN (WorkPort).
The Default Deny Rule (#6) blocks traffic from the WAN to the LAN (WorkPort). However, Rule
#4 overrides part of this rule by allowing Lotus Notes into the LAN (WorkPort) from the WAN.
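The two ordering principles just described (specific rules override general ones; equally specific Deny rules override Allow rules), as an added worked example in Python that ranks the sample rules and evaluates traffic against them. This is not GMS or SonicOS code: the cells that are blank in this copy of Table 11 are assumed to be * (all), the traffic addresses are constructed, and an implicit deny when no rule matches is an assumption of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"   # the guide's "* (all)" wildcard


@dataclass(frozen=True)
class Endpoint:
    """A source or destination as written in a rule: a single IP address, an
    IP address range ("a - b"), an interface name only, or * (all)."""
    address: str = ANY      # "206.18.25.4", "199.2.23.0 - 199.2.23.255" or *
    interface: str = ANY    # "LAN", "WAN" or *

    def specificity(self) -> int:
        # Ordering from the guide: single IP > IP range > named link > * (all).
        if self.address != ANY:
            return 2 if "-" in self.address else 3
        return 1 if self.interface != ANY else 0

    def matches(self, ip: str, interface: str) -> bool:
        if self.interface != ANY and self.interface != interface:
            return False
        if self.address == ANY:
            return True
        addr = ipaddress.ip_address(ip)
        if "-" in self.address:
            low, high = (ipaddress.ip_address(p.strip()) for p in self.address.split("-"))
            return low <= addr <= high
        return addr == ipaddress.ip_address(self.address)


@dataclass(frozen=True)
class Rule:
    action: str          # "Allow" or "Deny"
    service: str         # a named service, or "Default" for any service
    source: Endpoint
    destination: Endpoint

    def specificity(self) -> int:
        # A named service is more specific than the Default (any service) rule.
        service_weight = 0 if self.service == "Default" else 1
        return service_weight + self.source.specificity() + self.destination.specificity()

    def matches(self, service: str, src_ip: str, src_if: str, dst_ip: str, dst_if: str) -> bool:
        if self.service != "Default" and self.service != service:
            return False
        return self.source.matches(src_ip, src_if) and self.destination.matches(dst_ip, dst_if)


def order_rules(rules: List[Rule]) -> List[Rule]:
    """Most specific first; among equally specific rules, Deny precedes Allow."""
    return sorted(rules, key=lambda r: (-r.specificity(), r.action != "Deny"))


def decide(rules: List[Rule], service: str, src_ip: str, src_if: str,
           dst_ip: str, dst_if: str) -> Tuple[str, Optional[Rule]]:
    """Walk the ordered list and return the first matching rule's action.
    With no match at all the packet is denied (an assumption of this example)."""
    for rule in order_rules(rules):
        if rule.matches(service, src_ip, src_if, dst_ip, dst_if):
            return rule.action, rule
    return "Deny", None


# The guide's sample rules in the order Table 11 lists them. Cells that are
# blank in this copy of the table are assumed to be * (all).
SAMPLE_RULES = [
    Rule("Deny", "Chat (IRC)", Endpoint("206.18.25.4", "LAN"), Endpoint("148.178.90.55", "WAN")),
    Rule("Allow", "Ping", Endpoint("199.2.23.0 - 199.2.23.255", "WAN"), Endpoint("206.18.25.4", "LAN")),
    Rule("Deny", "Web (HTTP)", Endpoint(), Endpoint("216.37.125.0 - 216.37.125.255", "WAN")),
    Rule("Allow", "Lotus Notes", Endpoint(ANY, "WAN"), Endpoint(ANY, "LAN")),
    Rule("Deny", "News (NNTP)", Endpoint(ANY, "LAN"), Endpoint()),
    Rule("Deny", "Default", Endpoint(), Endpoint(ANY, "LAN")),
    Rule("Allow", "Default", Endpoint(ANY, "LAN"), Endpoint()),
]


if __name__ == "__main__":
    # Constructed traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    for packet in [("News (NNTP)", "192.168.168.10", "LAN", "203.0.113.5", "WAN"),
                   ("Lotus Notes", "203.0.113.5", "WAN", "192.168.168.10", "LAN"),
                   ("Web (HTTP)", "192.168.168.10", "LAN", "198.51.100.7", "WAN")]:
        action, rule = decide(SAMPLE_RULES, *packet)
        print(packet, "->", action, "by", rule.service if rule else "implicit deny")
```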

Configuring Firewall Settings in SonicOS Enhanced


The following sections describe how to configure Firewall settings in SonicOS Enhanced:

Configuring Firewall Rules in SonicOS Enhanced section on page 275

Configuring Advanced Firewall Settings section on page 281

Configuring Bandwidth Management section on page 283

Configuring Multicast Settings section on page 286

Configuring Voice over IP Settings section on page 287

Configuring TCP Settings section on page 289

Configuring Quality of Service Mapping section on page 291

Configuring SSL Control section on page 298

Configuring Firewall Rules in SonicOS Enhanced


To configure rules for SonicOS Enhanced, the service or service group that the rule will apply
to must first be defined. If it is not, you can define the service or service group and then create
one or more rules for it.
To create one or more rules for the service, refer to the Configuring Access Rules section on
page 275.
To configure a service or service group, refer to the Configuring Service Objects section on
page 278 and the Adding a Service Group section on page 280.

Configuring Access Rules


The following procedure describes how to add, modify, reset to defaults, or delete firewall rules
for SonicWALL firewall appliances running SonicOS Enhanced. For appliances running
SonicOS Enhanced, GMS supports paginated navigation and sorting by column header on the
Access Rules screen. In the Access Rules table, you can click the column header to use for
sorting. An arrow is displayed to the right of the selected column header. You can click the arrow
to reverse the sorting order of the entries in the table.
By hovering your mouse over entries on the Access Rules screen, you can display information
about an object, such as an Address Object or Service.
To configure an access rule, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Firewall tree and click Access Rules. The Access Rules page displays. The
   Firewall > Access Rules page enables you to select multiple views of Access Rules,
   including pull-down boxes, Matrix, and All Rules. The default view is the Matrix View which
   provides a matrix of source and destination nodes between LAN, WAN, VPN, Multicast, and
   WLAN.
3. From the Matrix View, click the Edit icon for the source and destination interfaces for
   which you will configure a rule. The Access Rules table for that interface pair displays.
4. Below the Access Rules table, click Add Rule. The Add Rule dialog box displays.
5. Select whether access to this service will be allowed or denied.
   Note: If a policy has a No-Edit policy action, the Action radio buttons will not be editable.
6. Select a service from the Service Name list box. If the service does not exist, refer
   to the Configuring Service Objects section on page 278.
7. Select the source Address Object from the Source list box.
8. Select the destination Address Object from the Destination list box.
9. Specify if this rule applies to all users or to an individual user or group in the Users Allowed
   list box.
10. Specify when the rule will be applied by selecting a schedule or Schedule Group from the
    Schedule list box. If the rule will always be applied, select Always on. If the schedule does
    not exist, refer to the Configuring Schedules section on page 198.
11. To enable logging for this rule, select the Logging check box.

276

SonicWALL GMS 7.0 Administrators Guide

Configuring Firewall Settings in SonicOS Enhanced

12. Check the Allow Fragmented Packets checkbox to allow fragmented packets.
    Caution: Fragmented packets are used in certain types of Denial of Service attacks and, by
    default, are blocked. You should only enable the Allow Fragmented Packets check box if
    users are experiencing problems accessing certain applications and the SonicWALL logs
    show many dropped fragmented packets.
13. Add any comments to the Comment field.
14. Click the Advanced tab.
15. Specify how long (in minutes) TCP connections may remain idle before the connection is
    terminated in the TCP Connectivity Inactivity Timeout field.
16. Specify how long (in seconds) UDP connections may remain idle before the connection is
    terminated in the UDP Connectivity Inactivity Timeout field.
17. Specify the percentage of the maximum connections this rule is to allow in the Number of
    connections allowed (% of maximum connections) field.
18. Set a limit for the maximum number of connections allowed per source IP Address by
    selecting Enable connection limit for each Source IP Address and entering the value in
    the Threshold field (only available for Allow rules).
19. Set a limit for the maximum number of connections allowed per destination IP Address by
    selecting Enable connection limit for each Destination IP Address and entering the
    value in the Threshold field (only available for Allow rules).
20. Click the QoS tab. For information on configuring the QoS tab, refer to the Configuring
    Quality of Service Mapping section on page 291.
21. Click the Bandwidth tab. The Bandwidth page displays.
22. SonicWALL appliances can manage inbound and outbound traffic on the primary WAN
    interface using bandwidth management.


23. To enable outbound bandwidth management for this service, select the Enable Outbound

Bandwidth Management check box.

Enter the amount of bandwidth that will always be available to this service in the
Guaranteed Bandwidth field, and select either % or Kbps in the pull-down list. Keep in
mind that this bandwidth will be permanently assigned to this service and not available to
other services, regardless of the amount of bandwidth this service does or does not use.
Enter the maximum amount of bandwidth that will be available to this service in the
Maximum Bandwidth field.
Select the priority of this service from the Bandwidth Priority list box. Select a priority from
0 (highest) to 7 (lowest).
24. To enable inbound bandwidth management for this service, select the Enable Inbound

Bandwidth Management check box.

Enter the amount of bandwidth that will always be available to this service in the
Guaranteed Bandwidth field, and select either % or Kbps in the pull-down list. Keep in
mind that this bandwidth will be permanently assigned to this service and not available to
other services, regardless of the amount of bandwidth this service does or does not use.
Enter the maximum amount of bandwidth that will be available to this service in the
Maximum Bandwidth field.
Select the priority of this service from the Bandwidth Priority list box. Select a priority from
0 (highest) to 7 (lowest).

Note

In order to configure bandwidth management for this service, bandwidth management must be enabled on the SonicWALL appliance. For information on configuring bandwidth management in SonicOS Standard, refer to the Configuring Ethernet Settings section on page 271. For SonicOS Enhanced, refer to the Overview of Interfaces section on page 207.

25. To track bandwidth usage for this service, select the Enable Tracking Bandwidth Usage check box.

26. To add this rule to the rule list, click OK. You are returned to the Access Rules page.

27. If the network access rules have been modified or deleted, you can restore the Default Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP traffic and allow all outbound IP traffic. To restore the network access rules to their default settings, click Restore Rules to Defaults and then click Update. A task is scheduled to update the rules page for each selected SonicWALL appliance.

28. To modify a rule, click its Edit icon. The Add/Modify Rule dialog box displays. When you are finished making changes, click OK. SonicWALL GMS creates a task that modifies the rule for each selected SonicWALL appliance.

29. To enable logging for a rule, select its Logging check box.

30. To disable a rule without deleting it, deselect its Enable check box.

31. To delete a rule, click its trash can icon. SonicWALL GMS creates a task that deletes the rule for each selected SonicWALL appliance.

Configuring Service Objects


A Service Object is a protocol/port range combination that defines a service. A Service Group
is a group of services that, once defined, enable you to quickly establish firewall rules without
manually configuring each service.


By default, a large number of services are pre-defined. GMS supports paginated navigation and
sorting by column header in the Service Objects screen. In any of the tables, you can click the
column header to use for sorting. An arrow is displayed to the right of the selected column header.
You can click the arrow to reverse the sorting order of the entries in the table.
To add a service, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced.

2. Expand the Firewall tree and click Service Objects.

3. To add a service in the Custom Services section, click Add Service.

4. Enter the name of the service in the Name field.

5. Select the type of protocol from the Protocol pull-down list.

6. Enter the starting and ending port for the service in the Port Range fields. For a service that uses a single port, type the port number into the first field.

7. Click OK. The service is added and appears in the Custom Services section.

Although most default services can not be edited or deleted, you can edit or delete custom services by clicking the Edit or Delete buttons that correspond to the desired custom service.

Editing Custom Services


Click the Edit icon under Configure to edit the service in the Edit Service window, which includes the same configuration settings as the Add Service window.

Deleting Custom Services

Click the Trashcan icon to delete an individual custom service. You can delete all custom services by selecting the checkboxes on the left-hand side of the rows under Custom Services, and then clicking UPDATE.

Adding a Service Group


A Service Group is a group of services that can be used to quickly apply rules to large numbers of services without individually configuring each service. By default, many Service Groups are pre-defined. To add a new Service Group, perform the following steps:

1. To add a service group, click the Add Group button on the Service Objects page. The Add Service Group dialog box displays.

2. Enter a name for the service group in the Name field.

3. To add a service, select it and click the right arrow button.

4. To remove a service, select it and click the left arrow button.

5. Click OK. The service group is added.

Service Groups can be edited or deleted by clicking the Edit or Trashcan icons that correspond to the desired Service Group.

Editing Custom Services Groups

Click the Edit icon under Configure to edit the custom service group in the Edit Service Group window, which includes the same configuration settings as the Add Service Group window.

Deleting Custom Services Groups

Click the Trashcan icon to delete the individual custom service group entry. You can delete all custom service groups by selecting the checkboxes on the left-hand side of the rows under Custom Service Groups, and then clicking UPDATE.

Configuring Advanced Firewall Settings


To configure advanced access settings, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced.

2. Expand the Firewall tree and click Advanced. The Advanced page displays.

3. To enable stealth mode, select the Enable Stealth Mode check box. During normal operation, SonicWALL appliances respond to incoming connection requests as either blocked or open. During stealth operation, SonicWALL appliances do not respond to inbound requests, making the appliances invisible to potential hackers.

4. To configure the SonicWALL appliance(s) to generate random IP IDs, select the Randomize IP ID check box. This prevents hackers from using various detection tools to fingerprint IP IDs and detect the presence of a SonicWALL appliance.

5. Select Decrement IP TTL for forwarded traffic to decrease the Time-to-live (TTL) value for packets that have been forwarded and therefore have already been in the network for some time. TTL is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded.

6. Select Never generate ICMP Time-Exceeded packets if you do not want the SonicWALL appliance to generate these reporting packets. The SonicWALL appliance generates Time-Exceeded packets to report when it has dropped a packet because its TTL value has decreased to zero.

7. Select the dynamic ports that will be supported from the Dynamic Ports area:
   • Enable support for Oracle (SQLNet) - Select if you have Oracle applications on your network.
   • Enable support for Windows Messenger - Select this option to support special SIP messaging used in Windows Messenger on Windows XP.
   • Enable RTSP Transformations - Select this option to support on-demand delivery of real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an application-level protocol for control over delivery of data with real-time properties.

8. The Drop Source Routed Packets check box is selected by default. Clear the check box if you are testing traffic between two specific hosts and you are using source routing.

Connections Settings

9. The Connections section provides the ability to fine-tune the performance of the appliance to prioritize either optimal performance or support for an increased number of simultaneous connections that are inspected by Firewall services. For appliances running SonicOS 5.6.0 and above, select one of the following options:
   • Disable Anti-Spyware, Gateway AV and IPS Engine (increases maximum SPI connections) - This option ensures that the appliance performance will not be degraded under high-traffic conditions. Firewall connections may be dropped to preserve performance.
   • Recommended for normal deployments with Firewall services enabled - This is the default setting that provides a balanced deployment.
   • Optimized for deployments requiring more Firewall connections but less performance critical - This option prioritizes support for the maximum number of simultaneous Firewall connections. Performance may be slowed under high-traffic conditions.
   For appliances running SonicOS Enhanced releases lower than 5.6.0, the single Disable Anti-Spyware, Gateway AV and IPS Engine (increases maximum SPI connections) option is available as a checkbox.

10. To specify how long the SonicWALL appliance(s) wait before closing inactive TCP connections outside the LAN, enter the amount of time in the Default Connection Timeout field (default: 25 minutes). The Connection Inactivity Timeout option disables connections outside the LAN if they are idle for a specified period of time. Without this timeout, connections can stay open indefinitely and create potential security holes.


11. Select the Force inbound and outbound FTP data connections to use default port 20 check box to specify that any FTP data connection through the SonicWALL must come from port 20 or the connection will be dropped and logged. By default, FTP connections from port 20 are allowed, but remapped to outbound traffic ports such as 1024.

12. Under IP, UDP Checksum Enforcement, select one or both checkboxes to force the SonicWALL to perform checksums on IP packet headers and on UDP packets. Packets with invalid checksums will be dropped. This helps to prevent attacks that involve falsification of header fields that define important characteristics of the packet.

13. To specify how long the SonicWALL appliance(s) wait before closing inactive UDP connections outside the LAN, enter the amount of time in the Default UDP Connection Timeout field.

14. Set a limit for the maximum number of connections allowed per source IP Address by selecting Enable connection limit for each Source IP Address and entering the value in the Threshold field. (Only available for Allow rules.)

15. Set a limit for the maximum number of connections allowed per destination IP Address by selecting Enable connection limit for each Destination IP Address and entering the value in the Threshold field. (Only available for Allow rules.)

16. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Bandwidth Management


The following sections describe SonicWALL's implementation of Bandwidth Management (BWM):

Understanding Bandwidth Management on page 283

Configuring Bandwidth Management on page 285

Tip

For more information on SonicWALL Bandwidth Management, including configuration examples, see the SonicOS Enhanced 5.8.1 Administrators Guide.

Understanding Bandwidth Management


BWM is controlled by the SonicWALL security appliance on ingress and egress traffic. It allows network administrators to guarantee minimum bandwidth and prioritize traffic based on access rules created in the Firewall > Access Rules page on the SonicWALL management interface. By controlling the amount of bandwidth to an application or user, the network administrator can prevent a small number of applications or users from consuming all available bandwidth. Balancing the bandwidth allocated to different network traffic and then assigning priorities to traffic can improve network performance. Anti-Spam provides eight priority queues (0 to 7, or Realtime to Lowest).


Three types of bandwidth management are available:

BWM Type   Description

WAN        Only WAN zones can have assigned guaranteed and maximum bandwidth to
           services and have prioritized traffic.
           Default WAN BWM queues:
             0 Realtime
             5 Medium
             7 Low

Global     (Default) All zones can have assigned guaranteed and maximum bandwidth
           to services and have prioritized traffic. When global BWM is enabled
           on an interface, all of the traffic to and from that interface is
           bandwidth managed.
           Default Global BWM queues:
             2 High
             4 Medium: Default priority for all traffic that is not managed by a
               BWM enabled Firewall Access rule or Application Control Policy.
             6 Low

None       Disables BWM.

When global BWM is enabled on an interface, all of the traffic to and from that interface is bandwidth managed.

For example, with bandwidth management type None, if there are three traffic types (1, 2, and 3) that are using an interface with the link capability of 100 Mbps, the cumulative capacity for all three types is 100 Mbps.

Then, when bandwidth management type Global is enabled on that interface and the available ingress and egress traffic are configured to 10 Mbps, the following occurs: by default, the traffic types are sent to the Medium (4) Priority queue. This queue has, by default, a Guaranteed percentage of 50 and a Maximum percentage of 100. These values mean that the cumulative link capability is 10 Mbps with no global BWM enabled policies configured.

Packet Queuing
BWM rules each consume memory for packet queuing, so the number of allowed queued
packets and rules on SonicOS Enhanced is limited by platform (values are subject to change):

Platform        Max Queued Packets   Max Total BWM Rules
TZ 170 Family   220                  40
PRO 1260        220                  40
PRO 2040        520                  50
PRO 3060        2080                 200
PRO 4060        2080                 200
PRO 5060        6240                 200
NSA 3500        2080                 100
NSA 4500        2080                 100
NSA 5000        2080                 100
NSA E5500       6420                 100
NSA E6500       6420                 100
NSA E7500       6420                 100

Configuring Bandwidth Management


Configuring BWM is a three step process:

1. Enable bandwidth management on the Firewall > BWM page.

2. Enable BWM on an interface/firewall/app rule.

3. Allocate the available bandwidth for that interface on the ingress and egress traffic. It then assigns individual limits for each class of network traffic.

By assigning priorities to network traffic, applications requiring a quick response time, such as Telnet, can take precedence over traffic requiring less response time, such as FTP.

To configure bandwidth management, navigate to the Firewall > BWM page.

Note

The defaults are set by SonicWALL to provide BWM ease-of-use. It is recommended that you review the specific bandwidth needs and enter the values on this page accordingly.

This page consists of the following entities:

• Bandwidth Management Type Option:
     • WAN - Only WAN zones can have assigned guaranteed and maximum bandwidth to services and have prioritized traffic.
     • Global - All zones can have assigned guaranteed and maximum bandwidth to services and have prioritized traffic.
     • None (Default) - Disables BWM.


Note

When you change the Bandwidth Management Type from Global to WAN, the default BWM
actions that are in use in any App Rules policies will be automatically converted to WAN
BWM Medium, no matter what level they were set to before the change.
When you change the Type from WAN to Global, the default BWM actions are converted to
BWM Global-Medium. The firewall does not store your previous action priority levels when
you switch the Type back and forth. You can view the conversions on the Firewall > App
Rules page.

• Priority Column - Displays the priority number and name.

• Enable Checkbox - When checked, the priority queue is enabled.

• Guaranteed and Maximum\Burst Text Field - Enables the guaranteed and maximum/burst rates. The corresponding Enable checkbox must be checked in order for the rate to take effect. These rates are identified as a percentage. The configured bandwidth on an interface is used in calculating the absolute value. The sum of all guaranteed bandwidth must not exceed 100%, and the guaranteed bandwidth must not be greater than the maximum bandwidth per queue.

The default settings for this page consist of three priorities with preconfigured guaranteed and maximum bandwidth. The medium priority has the highest guaranteed value since this priority queue is used by default for all traffic not governed by a BWM enabled policy.
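As an added example (not SonicWALL or GMS code), the following Python checker applies the queue constraints just described and the per-rule Guaranteed Bandwidth semantics from the Access Rules Bandwidth tab, and checks a rule count against the Packet Queuing platform table. The class and function names, and the High and Low queue percentages, are this example's own assumptions; only the Medium queue's 50/100 defaults and the platform limits come from the guide.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Max Total BWM Rules per platform, copied from the guide's Packet Queuing table.
MAX_BWM_RULES = {
    "TZ 170 Family": 40, "PRO 1260": 40, "PRO 2040": 50,
    "PRO 3060": 200, "PRO 4060": 200, "PRO 5060": 200,
    "NSA 3500": 100, "NSA 4500": 100, "NSA 5000": 100,
    "NSA E5500": 100, "NSA E6500": 100, "NSA E7500": 100,
}


@dataclass
class BwmQueue:
    """One row of the Firewall > BWM page (names are this example's, not GMS's)."""
    priority: int          # 0 = Realtime (highest) ... 7 = lowest
    name: str
    enabled: bool
    guaranteed_pct: float  # percentage of the interface's configured bandwidth
    maximum_pct: float     # Maximum/Burst percentage


# Default Global BWM queues 2 (High), 4 (Medium) and 6 (Low). Only Medium's
# 50 / 100 values come from the guide; the High and Low percentages are
# constructed sample values.
SAMPLE_GLOBAL_QUEUES = [
    BwmQueue(2, "High", True, 30, 100),
    BwmQueue(4, "Medium", True, 50, 100),
    BwmQueue(6, "Low", True, 10, 100),
]


def validate_queues(queues: List[BwmQueue]) -> List[str]:
    """Apply the page's constraints; an empty list means the configuration is valid."""
    problems: List[str] = []
    seen = set()
    for q in queues:
        if not 0 <= q.priority <= 7:
            problems.append(f"{q.name}: priority {q.priority} is outside 0-7")
        if q.priority in seen:
            problems.append(f"{q.name}: priority {q.priority} used twice")
        seen.add(q.priority)
        # guaranteed must not exceed maximum, and both are percentages of the link
        if not 0 <= q.guaranteed_pct <= q.maximum_pct <= 100:
            problems.append(
                f"{q.name}: guaranteed {q.guaranteed_pct}% must not exceed "
                f"maximum {q.maximum_pct}% (both within 0-100)")
    total = sum(q.guaranteed_pct for q in queues if q.enabled)
    if total > 100:
        problems.append(f"sum of guaranteed bandwidth is {total}%, which exceeds 100%")
    return problems


def absolute_rates(queues: List[BwmQueue], link_kbps: float) -> Dict[int, Tuple[float, float]]:
    """Map each enabled queue's priority to (guaranteed kbps, maximum kbps).

    The guide's example: a 10 Mbps interface with the default Medium queue
    (50% / 100%) yields 5000 kbps guaranteed and 10000 kbps maximum."""
    return {
        q.priority: (link_kbps * q.guaranteed_pct / 100, link_kbps * q.maximum_pct / 100)
        for q in queues if q.enabled
    }


def rule_guarantee_kbps(link_kbps: float, amount: float, unit: str) -> float:
    """Convert an access rule's Guaranteed Bandwidth (entered as % or Kbps) to kbps."""
    if unit == "%":
        return link_kbps * amount / 100
    if unit == "Kbps":
        return float(amount)
    raise ValueError(f"unknown bandwidth unit {unit!r}")


def unreserved_kbps(link_kbps: float, rule_guarantees: List[Tuple[float, str]]) -> float:
    """Bandwidth left after each rule's guarantee is permanently assigned to it.

    The guide says a rule's guaranteed bandwidth is never available to other
    services; treating the sum of guarantees as a reservation against the link
    is this example's interpretation."""
    reserved = sum(rule_guarantee_kbps(link_kbps, a, u) for a, u in rule_guarantees)
    return link_kbps - reserved


def check_rule_limit(platform: str, rule_count: int) -> bool:
    """True when rule_count fits the platform's Max Total BWM Rules."""
    return rule_count <= MAX_BWM_RULES[platform]


if __name__ == "__main__":
    print(validate_queues(SAMPLE_GLOBAL_QUEUES))                  # []
    print(absolute_rates(SAMPLE_GLOBAL_QUEUES, 10_000)[4])        # (5000.0, 10000.0)
    print(unreserved_kbps(10_000, [(25, "%"), (1500, "Kbps")]))  # 6000.0
```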

Configuring Multicast Settings


To configure multicast settings, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

Note

At unit level, the Multicast screen is available only for SonicWALL firewall appliances with SonicOS Enhanced firmware version 2.5 and higher.

2. Expand the Firewall tree and click Multicast. The Multicast page displays.

3. To enable multicast, select the Enable Multicast check box.

4. Configure the following options:
   • Require IGMP Membership reports for multicast data forwarding - This checkbox is enabled by default. Select this checkbox to improve performance by regulating multicast data to be forwarded to only interfaces belonging to an enabled multicast group address.

   • Multicast state table entry timeout (minutes) - This field has a default of 5. The value range for this field is 5 to 60 (minutes). Increase the value if you have a client that is not sending reports periodically.

5. Select from the following:
   • To receive all (class D) multicast addresses, select Enable reception of all multicast addresses. Receiving all multicast addresses may cause your network to experience performance degradation.
   • (Default) To enable reception for the following multicast addresses, select Enable reception for the following multicast addresses and select Create a new multicast object or Create new multicast group from the list box.

6. To view the IGMP State Information, click Request IGMP State Information. The following information displays:
   • Multicast Group Address - Provides the multicast group address the interface is joined to.
   • Interface / VPN Tunnel - Provides the interface (such as X0) or the VPN policy.
   • IGMP Version - Provides the IGMP version (such as V2 or V3).
   • Time Remaining - Provides the remaining time left for the multicast session. This is calculated by subtracting the elapsed time since the multicast address was added from the Multicast state table entry timeout (minutes) value, which has the default value of 5 minutes.

7. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Voice over IP Settings


To configure Voice over IP (VoIP) settings, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

2. Expand the Firewall tree and click VoIP. The VoIP page displays.

3. To enable secure NAT, select the Use secure NAT check box.

4. Select Enable SIP Transformations to support translation of Session Initiation Protocol (SIP) messages.


Tip

By default, NAT translates Layer 3 addresses, but does not translate Layer 5 SIP/SDP addresses. Unless there is another NAT traversal solution that requires this feature to be turned off, it is highly recommended to enable SIP transformations.

   After enabling SIP transformations, configure the following options:
   • Select Permit non-SIP packets on signaling port to enable applications such as Apple iChat and MSN Messenger, which use the SIP signaling port for additional proprietary messages. Enabling this checkbox may open your network to malicious attacks caused by malformed or invalid SIP traffic. This checkbox is disabled by default.
   • (SonicOS Enhanced only) Select the Enable SIP Back-to-Back User Agent (B2BUA) support setting when the SonicWALL security appliance can see both legs of a voice call (for example, when a phone on the LAN calls another phone on the LAN). This setting should only be enabled when the SIP Proxy Server is being used as a B2BUA.

Tip

If there is not the possibility of the SonicWALL security appliance seeing both legs of voice calls (for example, when calls will only be made to and received from phones on the WAN), the Enable SIP Back-to-Back User Agent (B2BUA) support setting should be disabled to avoid unnecessary CPU usage.

   • SIP Signaling inactivity time out (seconds) - Specifies the period of time that must elapse before timing out an inactive SIP session if no SIP signaling occurs (default: 1800 seconds or 30 minutes).
   • SIP Media inactivity time out (seconds) - Specifies the period of time that must elapse before timing out an inactive SIP session if no media transfer activity occurs (default: 120 seconds or 2 minutes).
   • The Additional SIP signaling port (UDP) for transformations setting allows you to specify a nonstandard UDP port used to carry SIP signaling traffic. Normally, SIP signaling traffic is carried on UDP port 5060. However, a number of commercial VoIP services use different ports, such as 1560. Using this setting, the security appliance performs SIP transformation on these non-standard ports.

Tip

Vonage's VoIP service uses UDP port 5061.


5. Select Enable H.323 Transformations to allow stateful H.323 protocol-aware packet content inspection and modification by the SonicWALL. The SonicWALL performs any dynamic IP address and transport port mapping within the H.323 packets, which is necessary for communication between H.323 parties in trusted and untrusted networks/zones. Clear this check box to bypass the H.323 specific processing performed by the SonicWALL.

   After enabling H.323 transformations, configure the following options:
   • Only accept incoming calls from Gatekeeper - When selected, only incoming calls from the specified Gatekeeper IP address will be accepted.
   • Enable LDAP ILS Support - When selected, the SonicWALL appliance will support Lightweight Directory Access Protocol (LDAP) and Microsoft NetMeeting's Internet Locator Service (ILS).
   • H.323 Signaling/Media inactivity time out (seconds) - Specifies how long the SonicWALL appliance waits before closing a connection when no activity is occurring.
   • Default WAN/DMZ Gatekeeper IP Address - Specifies the IP address of the H.323 Gatekeeper that acts as a proxy server between clients on the private network and the Internet.

6. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring TCP Settings


To configure TCP settings, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

Note

At unit level, the TCP Settings screen is available only for SonicWALL firewall appliances with SonicOS Enhanced firmware version 3.0 and higher.

2. Expand the Firewall tree and click TCP Settings. The TCP Settings page displays.

3. Select Enforce strict TCP compliance with RFC 793 and RFC 1122 to force VoIP traffic to comply with RFC 793 (TCP) and RFC 1122 (Internet Hosts, including Link and IP layers) standards.

4. Select Enable TCP Checksum Validation to drop any packets with invalid TCP checksums.

5. Enter a value for the Default TCP Connection Timeout. This is the default time assigned to Access Rules for TCP traffic. If a TCP session is active for a period in excess of this setting, the TCP connection will be cleared by the SonicWALL. Setting excessively long connection time-outs will slow the reclamation of stale resources, and in extreme cases could lead to exhaustion of the connection cache.

6. Specify the Maximum Segment Lifetime to set the number of seconds that any TCP packet is valid before it expires. This setting is also used to determine the amount of time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK exchange has occurred to cleanly close the TCP connection.

7. Configure the Layer 3 SYN Flood Protection options. Select the desired level of protection against half-opened TCP sessions and high-frequency SYN packet transmissions:

   • Watch and Report Possible SYN Floods - This option enables the device to monitor SYN traffic on all interfaces on the device and to log suspected SYN flood activity that exceeds a packet count threshold. The feature does not turn on the SYN Proxy on the device so the device forwards the TCP three-way handshake without modification. This is the least invasive level of SYN Flood protection. Select this option if your network is not in a high risk environment.
   • Proxy WAN Client Connections When Attack is Suspected - This option enables the device to enable the SYN Proxy feature on WAN interfaces when the number of incomplete connection attempts per second surpasses a specified threshold. This method ensures the device continues to process valid traffic during the attack and that performance does not degrade. Proxy mode remains enabled until all WAN SYN flood attacks stop occurring or until the device blacklists all of them using the SYN Blacklisting feature. This is the intermediate level of SYN Flood protection. Select this option if your network experiences SYN Flood attacks from internal or external sources.
   • Always Proxy WAN Client Connections - This option sets the device to always use SYN Proxy. This method blocks all spoofed SYN packets from passing through the device. Note that this is an extreme security measure and directs the device to respond to port scans on all TCP ports because the SYN Proxy feature forces the device to respond to all TCP SYN connection attempts. This can degrade performance and can generate a false positive. Select this option only if your network is in a high risk environment.

8. Configure the SYN Attack Threshold. The appliance gathers statistics on WAN TCP connections, keeping track of the maximum and average maximum and incomplete WAN connections per second. Out of these statistics, the device suggests a value for the SYN flood threshold in the Suggested value calculated from gathered statistics field. Enter the desired threshold for the number of incomplete connection attempts per second before the device drops packets in the Attack Threshold field.

9. Configure the SYN-Proxy Options:
   • All LAN/DMZ servers support the TCP SACK option - This checkbox enables Selective ACK where a packet can be dropped and the receiving device indicates which packets it received. Enable this checkbox only when you know that all servers covered by the SonicWALL firewall appliance accessed from the WAN support the SACK option.
   • Limit MSS sent to WAN clients (when connections are proxied) - Enables you to enter the maximum Minimum Segment Size value. If you specify an override value for the default of 1460, this indicates that a segment of that size or smaller will be sent to the client in the SYN/ACK cookie. Setting this value too low can decrease performance when the SYN Proxy is always enabled. Setting this value too high can break connections if the server responds with a smaller MSS value.
   • Maximum TCP MSS sent to WAN clients - The value of the MSS. The default is 1460.
   • Always log SYN packets received - Logs all SYN packets received.

Note

When using Proxy WAN client connections, remember to set these options conservatively since they only affect connections when a SYN Flood takes place. This ensures that legitimate connections can proceed during an attack.


10. Configure the Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting options to configure how the appliance deals with devices that exceeded the SYN, RST, and FIN Blacklist attack threshold:
   • Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) - The maximum number of SYN, RST, and FIN packets allowed per second. The default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
   • Enable SYN/RST/FIN flood blacklisting on all interfaces - This checkbox enables the blacklisting feature on all interfaces on the SonicWALL firewall appliance.
   • Never blacklist WAN machines - This checkbox ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended as leaving it unchecked may interrupt traffic to and from the SonicWALL firewall appliance's WAN ports.
   • Always allow SonicWall management traffic - This checkbox causes IP traffic from a blacklisted device targeting the SonicWALL firewall appliance's WAN IP addresses to not be filtered. This allows management traffic, and routing protocols to maintain connectivity through a blacklisted device.
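As an added example, not part of this guide or of SonicOS, the following Python model replays the three Layer 3 SYN Flood Protection levels and the Layer 2 MAC blacklisting options described above over constructed per-second counters, and checks the guide's advice that the blacklist threshold exceed the SYN Proxy attack threshold. The class and function names, the 500/sec attack threshold and the MAC addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Layer 3 SYN Flood Protection levels named in the guide.
WATCH_AND_REPORT = "watch_and_report"
PROXY_WHEN_SUSPECTED = "proxy_when_suspected"
ALWAYS_PROXY = "always_proxy"


@dataclass
class SynFloodSettings:
    """Assumed container for the TCP Settings options named in the guide."""
    mode: str
    attack_threshold: int            # incomplete WAN connection attempts per second
    blacklist_threshold: int = 1000  # SYN/RST/FIN packets per second (guide default 1,000)
    blacklisting_enabled: bool = True
    never_blacklist_wan: bool = True
    always_allow_management: bool = True


@dataclass
class Second:
    """Constructed one-second sample: half-open WAN attempts plus SYN/RST/FIN
    packet counts per source MAC."""
    incomplete_wan_attempts: int
    packets_per_mac: Dict[str, int]


# Constructed sample: a quiet second, a burst crossing a 500/sec attack
# threshold, a heavier burst from the same host, then recovery.
SAMPLE_SECONDS = [
    Second(120, {"00:11:22:33:44:01": 120, "00:11:22:33:44:02": 30}),
    Second(900, {"00:11:22:33:44:01": 900, "00:11:22:33:44:02": 25}),
    Second(3500, {"00:11:22:33:44:01": 3500, "00:11:22:33:44:02": 40}),
    Second(80, {"00:11:22:33:44:01": 50, "00:11:22:33:44:02": 30}),
]
SAMPLE_SETTINGS = SynFloodSettings(PROXY_WHEN_SUSPECTED, attack_threshold=500)


def check_settings(s: SynFloodSettings) -> List[str]:
    """Configuration sanity checks taken from the guide's own advice."""
    warnings = []
    if s.blacklist_threshold <= s.attack_threshold:
        warnings.append("blacklist threshold should be larger than the SYN Proxy attack threshold")
    if s.mode == ALWAYS_PROXY:
        warnings.append("Always Proxy answers every TCP SYN: expect performance cost and false positives")
    if s.blacklisting_enabled and not s.never_blacklist_wan:
        warnings.append("blacklisting WAN machines may interrupt traffic on the WAN ports")
    return warnings


def layer3_timeline(s: SynFloodSettings, seconds: List[Second]) -> List[str]:
    """Per-second handling of the three-way handshake: 'forward', 'log' or 'proxy'."""
    states = []
    for sec in seconds:
        over = sec.incomplete_wan_attempts > s.attack_threshold
        if s.mode == ALWAYS_PROXY:
            states.append("proxy")                           # every WAN SYN is proxied
        elif s.mode == PROXY_WHEN_SUSPECTED:
            states.append("proxy" if over else "forward")    # proxy only while the flood lasts
        else:
            states.append("log" if over else "forward")      # watch and report: log, never proxy
    return states


def layer2_blacklist(s: SynFloodSettings, seconds: List[Second], wan_macs: Set[str]) -> Set[str]:
    """MACs whose SYN/RST/FIN rate exceeded the blacklist threshold in any second,
    honouring Never blacklist WAN machines."""
    blacklisted: Set[str] = set()
    if not s.blacklisting_enabled:
        return blacklisted
    for sec in seconds:
        for mac, count in sec.packets_per_mac.items():
            if count > s.blacklist_threshold and not (s.never_blacklist_wan and mac in wan_macs):
                blacklisted.add(mac)
    return blacklisted


def is_dropped(s: SynFloodSettings, src_mac: str, blacklisted: Set[str],
               to_appliance_wan_ip: bool) -> bool:
    """Whether IP traffic from src_mac is filtered; traffic to the appliance's own
    WAN IP is exempt when Always allow management traffic is set."""
    if src_mac not in blacklisted:
        return False
    return not (s.always_allow_management and to_appliance_wan_ip)


if __name__ == "__main__":
    print(check_settings(SAMPLE_SETTINGS))                        # []
    print(layer3_timeline(SAMPLE_SETTINGS, SAMPLE_SECONDS))       # ['forward', 'proxy', 'proxy', 'forward']
    print(layer2_blacklist(SAMPLE_SETTINGS, SAMPLE_SECONDS, set()))  # {'00:11:22:33:44:01'}
```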

Configuring Quality of Service Mapping


Quality of Service (QoS) adds the ability to recognize, map, modify, and generate the
industry-standard 802.1p and Differentiated Services Code Points (DSCP) Class of Service
(CoS) designators. When used in combination with a QoS capable network infrastructure,
SonicOS QoS features provide predictability that is vital for certain types of applications, such
as Voice over IP (VoIP), multimedia content, or business-critical applications such as credit
card processing. To centrally manage the 802.1p-DSCP Mappings Table, GMS now provides a
new configuration found under the path Policies > Firewalls > QoS Mapping.
Even the highest amounts of bandwidth ultimately are used to capacity at some point by users
on the network. Being able to manage bandwidth to obtain the most efficient use from it is
essential. Only QoS, when configured and implemented correctly, properly manages traffic and
guarantees the desired levels of network service. Three concepts are central to the traffic
management provided by QoS:
Classification
Marking
Conditioning

The following sections describe how to understand and configure QoS:

Working with Classification section on page 292

Working with Conditioning section on page 293

Working with 802.1p and DSCP QoS section on page 293

Working with DSCP Marking section on page 294

Configuring QoS section on page 296

Enabling 802.1p Tagging section on page 296

Creating a QoS Rule section on page 297

Configuring QoS Settings section on page 297


Working with Classification


Classification is necessary as a first step to identify traffic that needs to be prioritized for optimal use. GMS uses access rules as the interface to classification of traffic. This provides fine control using a combination of Address Object, Service Object, and Schedule Object elements, allowing for classification criteria as general as all HTTP traffic and as specific as SSH traffic from HostA to ServerB on Wednesdays at 2:12am.

GMS provides the ability to recognize, map, modify, and generate the industry-standard external CoS designators, DSCP and 802.1p protocols.

Once traffic is identified, or classified, it can be managed. Management can be performed internally by SonicWALL BWM, which is effective as long as the network is a fully contained autonomous system: when the endpoints of the network and all entities in between are within your management, BWM works exactly as configured. Once external or intermediate elements are introduced (for example, foreign network infrastructures with unknown configurations, or other hosts contending for bandwidth), the precision and efficacy of BWM configurations can begin to degrade.

Once GMS classifies the traffic, it then tags it to communicate this classification to certain external systems that are capable of abiding by CoS tags. The external systems then can participate in providing QoS to traffic passing through them.

Note

Many service providers do not support CoS tags such as 802.1p or DSCP. Also, most
network equipment with standard configurations will not be able to recognize 802.1p tags,
and could drop tagged traffic.

Note

If you wish to use 802.1p or DSCP marking on your network or your service provider's
network, you must first establish that these methods are supported. Verify that your internal
network equipment can support CoS priority marking, and that it is correctly configured to
do so. Check with your service provider: some offer fee-based support for QoS using these
CoS methods.

Working with Marking


Once the traffic has been classified, if it is to be handled by QoS capable external systems, it
must be tagged to enable external systems to make use of the classification, and provide
correct handling and Per Hop Behaviors (PHB). An example of a QoS capable external system
is a CoS-aware switch or router that might be available on a premium service provider's
infrastructure, or on a private WAN.
Originally, this was attempted at the IP layer (layer 3) with RFC 791's three precedence bits and
RFC 1394 ToS (type of service) field, but this was not widely used. Its successor, RFC 2474,
introduced the more widely used DSCP (Differentiated Services Code Point) which offers up to
64 classifications, in addition to user-definable classes. DSCP was further enhanced by RFC
2598 (Expedited Forwarding, intended to provide leased-line behaviors) and RFC 2697
(Assured Forwarding levels within classes, also known as Gold, Silver, and Bronze levels).
DSCP is a safe marking method for traffic that traverses public networks because there is no
risk of incompatibility. At the very worst, a hop along the path might disregard or strip the DSCP
tag, but it will rarely mistreat or discard the packet.
The other prevalent method of CoS marking is IEEE 802.1p which occurs at the MAC layer
(layer 2) and is closely related to IEEE 802.1Q VLAN marking, sharing the same 16-bit field,
although it is actually defined in the IEEE 802.1D standard. Unlike DSCP, 802.1p will only work
with 802.1p capable equipment, and is not universally interoperable. Additionally, 802.1p,
because of its different packet structure, can rarely traverse wide area networks, even private
WANs. Nonetheless, 802.1p is gaining wide support among Voice and Video over IP vendors,
so a solution for supporting 802.1p across network boundaries (i.e., WAN links) was introduced
in the form of 802.1p to DSCP mapping.
802.1p to DSCP mapping allows 802.1p tags from one LAN to be mapped to DSCP values by
GMS, allowing the packets to safely traverse WAN links. When the packets arrive on the other
side of the WAN or VPN, the receiving GMS appliance can then map the DSCP tags back to
802.1p tags for use on that LAN.

Working with Conditioning


Finally, the traffic can be conditioned or managed using any of the many policing, queueing,
and shaping methods available. GMS provides internal conditioning capabilities with its Egress
and Ingress Bandwidth Management (BWM). SonicWALL BWM is a perfectly effective solution
for fully autonomous private networks with sufficient bandwidth, but can become somewhat less
effective as more unknown external network elements and bandwidth contention are
introduced.
To provide end-to-end QoS, business-class service providers are increasingly offering traffic
conditioning services on their IP networks. These services typically depend on the customer
premise equipment to classify and tag the traffic, generally using a standard marking method
such as DSCP. GMS has the ability to DSCP mark traffic after classification, as well as the
ability to map 802.1p tags to DSCP tags for external network traversal and CoS preservation.
For VPN traffic, GMS can DSCP mark not only the internal (payload) packets, but the external
(encapsulating) packets as well so that QoS capable service providers can offer QoS even on
encrypted VPN traffic.
The actual conditioning method employed by service providers varies from one to the next, but
it generally involves a class-based queueing method such as Weighted Fair Queuing for
prioritizing traffic, in addition to a congestion avoidance method, such as tail-drop or Random
Early Detection.

Working with 802.1p and DSCP QoS


The following sections detail the 802.1p standards and DSCP QoS.
GMS supports layer 2 and layer 3 CoS methods for broad interoperability with external systems
participating in QoS enabled environments. The layer 2 method is the IEEE 802.1p standard,
wherein 3 bits of an additional 16 bits inserted into the header of the Ethernet frame can be
used to designate the priority of the frame, as illustrated in the following figure.

TPID: Tag Protocol Identifier begins at byte 12 (after the 6-byte destination and source
fields), is 2 bytes long, and has an Ethertype of 0x8100 for tagged traffic.

802.1p: The first three bits of the TCI (Tag Control Information, beginning at byte 14 and
spanning 2 bytes) define user priority, giving eight (2^3) priority levels. IEEE 802.1p defines
the operation for these 3 user priority bits.

CFI: Canonical Format Indicator is a single-bit flag, always set to zero for Ethernet
switches. CFI is used for compatibility reasons between Ethernet networks and Token Ring
networks. If a frame received at an Ethernet port has a CFI set to 1, then that frame should
not be forwarded as it is to an untagged port.

VLAN ID: VLAN ID (starts at bit 5 of byte 14) is the identification of the VLAN. It has 12 bits
and allows for the identification of 4,096 (2^12) unique VLAN IDs. Of the 4,096 possible IDs,
an ID of 0 is used to identify priority frames, and an ID of 4,095 (FFF) is reserved, so the
maximum possible VLAN configurations are 4,094.

802.1p support begins by enabling 802.1p marking on the interfaces which you wish to have
process 802.1p tags. 802.1p can be enabled on any Ethernet interface on any SonicWALL
appliance that supports VLANs, including the SonicWALL NSA Series and PRO 2040, PRO
3060, PRO 4060, PRO 4100, and PRO 5060.

Note

802.1p tagging is not currently supported on the SonicWALL TZ Series or PRO 1260.
Although Enable 802.1p tagging does not appear as an option on VLAN sub-interfaces, it is
related to the 802.1q tags of VLAN subinterfaces. The behavior of the 802.1p field within these
tags can be controlled by firewall access rules. The default 802.1p capable network Access
Rule action of None resets existing 802.1p tags to 0, unless otherwise configured.
Enabling 802.1p marking allows the target interface to recognize incoming 802.1p tags
generated by 802.1p capable network devices, and will also allow the target interface to
generate 802.1p tags, as controlled by Access Rules. Frames that have 802.1p tags inserted
by GMS will bear VLAN ID 0.
802.1p tags will only be inserted according to access rules, so enabling 802.1p marking on an
interface will not, at its default setting, disrupt communications with 802.1p-incapable devices.
802.1p requires specific support by the networking devices with which you wish to use this
method of prioritization. Many voice and video over IP devices provide support for 802.1p, but
the feature must be enabled. Check your equipment's documentation for information on 802.1p
support if you are unsure. Similarly, many server and host network cards (NICs) have the ability
to support 802.1p, but the feature is usually disabled by default.
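The tag layout described above (TPID 0x8100 at byte 12, then the 16-bit TCI carrying the 3-bit 802.1p priority, the CFI bit and the 12-bit VLAN ID), worked through in code. This is an added Python example, not code from GMS or SonicOS; the sample frame is constructed here, and the VLAN ID 0 placed on an inserted priority-only tag follows the statement above that GMS-inserted tags bear VLAN ID 0.

```python
import struct

TPID_8021Q = 0x8100        # Ethertype that marks a tagged frame (bytes 12-13)
ETHERTYPE_IPV4 = 0x0800
VID_RESERVED = 0x0FFF      # 4,095 is reserved, so usable VIDs are 0..4094

# Constructed sample: an untagged Ethernet II frame (broadcast destination,
# locally administered source MAC) carrying 46 zero bytes of payload.
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff")       # destination MAC
                   + bytes.fromhex("020000000001")     # source MAC
                   + struct.pack("!H", ETHERTYPE_IPV4)
                   + bytes(46))


def parse_tag(frame: bytes) -> dict:
    """Decode the 802.1Q/802.1p header of an Ethernet frame.

    Returns tagged=False (plus the Ethertype) for an untagged frame, otherwise
    the priority (PCP), CFI bit and VLAN ID taken from the TCI at bytes 14-15.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return {"tagged": False, "ethertype": tpid}
    if len(frame) < 18:
        raise ValueError("tagged frame truncated before the TCI")
    tci, inner_ethertype = struct.unpack("!HH", frame[14:18])
    return {
        "tagged": True,
        "pcp": tci >> 13,             # 802.1p user priority, TCI bits 15..13
        "cfi": (tci >> 12) & 0x1,     # Canonical Format Indicator, bit 12
        "vid": tci & VID_RESERVED,    # VLAN ID, bits 11..0
        "ethertype": inner_ethertype,
    }


def insert_priority_tag(frame: bytes, pcp: int, vid: int = 0) -> bytes:
    """Insert an 802.1Q tag into an untagged frame. The default VID 0 makes it
    a priority-only tag, which is what the text says GMS-inserted tags carry."""
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must be 0..7")
    if not 0 <= vid < VID_RESERVED:
        raise ValueError("VLAN ID must be 0..4094")
    if parse_tag(frame)["tagged"]:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | vid          # CFI stays 0 for Ethernet
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag so the frame can reach an 802.1p-incapable device."""
    if not parse_tag(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


def forwardable_to_untagged_port(frame: bytes) -> bool:
    """Apply the CFI rule above: a tagged frame with CFI=1 must not be passed
    unchanged to an untagged port; any other frame may be."""
    info = parse_tag(frame)
    return not (info["tagged"] and info["cfi"] == 1)


if __name__ == "__main__":
    tagged = insert_priority_tag(SAMPLE_UNTAGGED, pcp=5)
    print(parse_tag(tagged))   # {'tagged': True, 'pcp': 5, 'cfi': 0, 'vid': 0, 'ethertype': 2048}
```

Feeding a captured frame to parse_tag is a quick way to confirm that a switch or NIC really is emitting the 802.1p priority you configured, which is the verification the note above asks for before relying on 802.1p across your equipment.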

Working with DSCP Marking


DSCP (Differentiated Services Code Point) marking uses six bits of the eight-bit ToS field in the
IP header to provide up to 64 classes (or code points) for traffic. Since DSCP is a layer 3
marking method, there is no concern about compatibility as there is with 802.1p marking.
Devices that do not support DSCP will simply ignore the tags, or at worst, they reset the tag
value to 0.
The above diagram depicts an IP packet, with a close-up on the ToS portion of the header. The
ToS bits were originally used for Precedence and ToS (delay, throughput, reliability, and cost)
settings, but were later reused by RFC 2474 for the more versatile DSCP settings. The
following table shows the commonly used code points as well as their mapping to the legacy
Precedence and ToS settings.
Table 12   Code Points

DSCP  DSCP Description           Legacy IP Precedence        Legacy IP ToS (D, T, R)
0     Best Effort                0 (Routine - 000)           -
8     Class 1                    1 (Priority - 001)          -
10    Class 1, Gold AF11         1 (Priority - 001)          T
12    Class 1, Silver AF12       1 (Priority - 001)          D
14    Class 1, Bronze AF13       1 (Priority - 001)          D, T
16    Class 2                    2 (Immediate - 010)         -
18    Class 2, Gold AF21         2 (Immediate - 010)         T
20    Class 2, Silver AF22       2 (Immediate - 010)         D
22    Class 2, Bronze AF23       2 (Immediate - 010)         D, T
24    Class 3                    3 (Flash - 011)             -
26    Class 3, Gold AF31         3 (Flash - 011)             T
28    Class 3, Silver AF32       3 (Flash - 011)             D
30    Class 3, Bronze AF33       3 (Flash - 011)             D, T
32    Class 4                    4 (Flash Override - 100)    -
34    Class 4, Gold AF41         4 (Flash Override - 100)    T
36    Class 4, Silver AF42       4 (Flash Override - 100)    D
38    Class 4, Bronze AF43       4 (Flash Override - 100)    D, T
40    Express Forwarding         5 (CRITIC/ECP - 101)        -
46    Expedited Forwarding (EF)  5 (CRITIC/ECP - 101)        D, T
48    Control                    6 (Internet Control - 110)  -
56    Control                    7 (Internet Control - 111)  -

DSCP marking can be performed on traffic to and from any interface and to and from any zone
type, without exception. DSCP marking is controlled by Access Rules, from the QoS tab, and
can be used in conjunction with 802.1p marking, as well as with SonicOS internal bandwidth
management.
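The table above follows directly from the bit layout of the ToS byte: the top three DSCP bits are the legacy Precedence, the next three are the legacy D, T and R flags, and the Assured Forwarding names AFxy encode class x and drop precedence y. This added Python example (not GMS or SonicOS code) derives every row of the table from those bits, which is a handy check when an unfamiliar code point shows up in a capture. The precedence names are taken as the table gives them.

```python
# Layout of the IPv4 ToS byte, as the table above describes it:
#   bits 7..5  legacy IP Precedence     (= DSCP bits 5..3)
#   bits 4..2  legacy ToS flags D, T, R (= DSCP bits 2..0)
#   bits 1..0  not part of DSCP (carry ECN today)
PRECEDENCE_NAMES = {
    0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
    4: "Flash Override", 5: "CRITIC/ECP", 6: "Internet Control",
    7: "Internet Control",   # the table above uses this name for 7 as well
}
AF_DROP_NAMES = {1: "Gold", 2: "Silver", 3: "Bronze"}
# The code points listed in the table, in order; used by build_table().
TABLE_CODE_POINTS = [0, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32,
                     34, 36, 38, 40, 46, 48, 56]


def dscp_from_tos(tos: int) -> int:
    """Upper six bits of the ToS byte."""
    return (tos >> 2) & 0x3F


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Rebuild the ToS byte from a DSCP value (and an optional 2-bit ECN)."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def af_code_point(class_no: int, drop_precedence: int) -> int:
    """AFxy: class x in the precedence bits, drop precedence y in bits 2..1."""
    if not (1 <= class_no <= 4 and 1 <= drop_precedence <= 3):
        raise ValueError("Assured Forwarding code points are AF11..AF43")
    return (class_no << 3) | (drop_precedence << 1)


def describe_dscp(dscp: int) -> dict:
    """Name a code point and derive its legacy Precedence and D/T/R view."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    precedence = dscp >> 3
    low3 = dscp & 0b111
    flags = [name for name, bit in (("D", 0b100), ("T", 0b010), ("R", 0b001))
             if low3 & bit]
    if dscp == 0:
        name = "Best Effort"
    elif dscp == 46:
        name = "Expedited Forwarding (EF)"
    elif dscp == 40:
        name = "Express Forwarding"
    elif precedence >= 6 and low3 == 0:
        name = "Control"
    elif 1 <= precedence <= 4 and low3 in (2, 4, 6):
        drop = (dscp >> 1) & 0b11          # 1 = Gold, 2 = Silver, 3 = Bronze
        name = f"Class {precedence}, {AF_DROP_NAMES[drop]} AF{precedence}{drop}"
    elif low3 == 0:
        name = f"Class {precedence}"       # class selector with no drop precedence
    else:
        name = "user-defined"              # none of the standard code points
    return {
        "dscp": dscp,
        "description": name,
        "precedence": precedence,
        "precedence_label": f"{precedence} ({PRECEDENCE_NAMES[precedence]} - {precedence:03b})",
        "legacy_tos": ", ".join(flags) if flags else "-",
    }


def build_table() -> list:
    """Regenerate the rows of the code-point table from the bit layout."""
    return [describe_dscp(cp) for cp in TABLE_CODE_POINTS]


if __name__ == "__main__":
    for row in build_table():
        print(f'{row["dscp"]:<5} {row["description"]:<27} '
              f'{row["precedence_label"]:<27} {row["legacy_tos"]}')
```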


DSCP Marking and Mixed VPN Traffic


Among the security measures and characteristics pertaining to them, IPSec VPNs employ
anti-replay mechanisms based upon monotonically incrementing sequence numbers added to
the ESP header. Packets with duplicate sequence numbers are dropped, as are packets that
do not adhere to sequence criteria. One criterion governs the handling of out-of-order packets.
GMS provides a replay window of 64 packets, i.e., if an ESP packet for a Security Association
(SA) is delayed by more than 64 packets, the packet will be dropped.
This should be considered when using DSCP marking to provide layer 3 QoS to traffic
traversing a VPN. If you have a VPN tunnel transporting a variety of traffic, some that is being
DSCP tagged high priority (for example, VoIP), and some that is DSCP tagged low-priority or
untagged/best-effort, a QoS capable network along the path can forward the high-priority ESP
packets ahead of the best-effort ESP packets. Under certain traffic conditions, this can result
in the best-effort packets being delayed for more than 64 packets, causing them to be dropped
by the receiving SonicWALL's anti-replay defenses.
If symptoms of such a scenario emerge (for example, excessive retransmissions of low-priority
traffic), it is recommended that you create a separate VPN policy for the high-priority and
low-priority classes of traffic. This is most easily accomplished by placing the high-priority hosts
(for example, the VoIP network) on their own subnet.
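The interaction just described, an anti-replay window and a QoS-aware path that reorders ESP packets of one SA, is easy to reproduce with a small model. This is an added Python example, not SonicOS's implementation: the sliding window below is the textbook bitmap scheme with the 64-packet size the text quotes (a packet that arrives 64 or more sequence numbers behind the newest one is dropped), and the traffic scenario is constructed.

```python
class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers.

    A packet is accepted when its sequence number is new and fewer than
    `size` numbers behind the highest one already accepted; older or
    duplicate numbers are dropped. Model code, not SonicOS's implementation.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit k set <=> sequence (highest - k) was seen

    def receive(self, seq: int) -> bool:
        if seq <= 0:
            return False        # ESP sequence numbers start at 1
        if seq > self.highest:  # advances the right edge of the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False        # delayed past the window: dropped
        if (self.bitmap >> offset) & 1:
            return False        # duplicate sequence number: replay, dropped
        self.bitmap |= 1 << offset
        return True


def simulate_mixed_tunnel(high_priority_burst: int, window_size: int = 64) -> dict:
    """One best-effort ESP packet (seq 1) is sent first, but a QoS-aware path
    delivers `high_priority_burst` later, higher-priority ESP packets of the
    same SA ahead of it. Returns the sequence numbers the receiver dropped.
    Constructed scenario following the text above."""
    arrival_order = list(range(2, high_priority_burst + 2)) + [1]
    win = ReplayWindow(window_size)
    dropped = [seq for seq in arrival_order if not win.receive(seq)]
    return {"arrivals": len(arrival_order), "dropped": dropped}


if __name__ == "__main__":
    print(simulate_mixed_tunnel(60))   # inside the window: nothing dropped
    print(simulate_mixed_tunnel(70))   # best-effort packet 1 is dropped
```

The second run is the symptom the text warns about: nothing is wrong with the packet, it is simply too far behind the voice traffic that overtook it, so splitting the classes into separate VPN policies (separate SAs, hence separate windows) is the fix rather than a larger window.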

Configuring QoS
To configure QoS, perform the following tasks:

Enabling 802.1p Tagging section on page 296

Creating a QoS Rule section on page 297

Configuring QoS Settings section on page 297

Adding a Service section on page 301

Creating Rules section on page 302

Enabling 802.1p Tagging


Before you begin to perform any QoS configuration tasks, you first need to enable your device
to accept QoS values. To do that you have to enable the IEEE 802.1p tagging protocol. You
enable protocols at the WAN interface level. To enable 802.1p tagging, perform the following
steps:

1. Click on the Interfaces option in the Network menu. GMS displays the Interfaces list.

2. Click on the Configuration icon for the WAN interface. GMS displays the Edit Interface
dialog box.

3. Click on the Advanced Tab. GMS displays the Advanced Tab.

4. Click on the Enable 802.1p tagging checkbox to place a check mark in the checkbox.

5. Click Update.

Creating a QoS Rule


Next, you need to create a QoS rule for the WAN interface in the Access Rules dialog box. To
configure a QoS rule, perform the following steps:

1. From the Firewall menu, click on the Access Rules option. GMS displays the Access
Rules dialog box that contains various interfaces for which you can create an access rule.

2. Select the LAN > WAN rule and click Add Rule. GMS displays the Add Rule dialog box.

3. Click the QoS tab. The QoS page displays.

4. Under DSCP Marking Settings select the DSCP Marking Action. You can select None,
Preserve, Explicit, or Map. Preserve is the default.
None: DSCP values in packets are reset to 0.
Preserve: DSCP values in packets will remain unaltered.
Explicit: Set the DSCP value to the value you select in the Explicit DSCP Value field.
This is a numeric value between 0 and 63.

5. Under 802.1p Marking Settings select the 802.1p Marking Action. You can select None,
Preserve, Explicit, or Map. None is the default.

6. Click Ok. GMS configures your WAN interface to accept traffic shaping values.

Configuring QoS Settings


Now that you have enabled the 802.1p protocol and created a specific QoS rule, you can create
your QoS settings. To create QoS settings, perform the following steps:

1. Click on the QoS Settings option in the Firewall menu. GMS displays the QoS Mapping
dialog box.

2. Click on the Configuration icon for any of the 802.1p Class of Service objects. GMS displays
the class of service Edit QoS Mapping dialog box.

3. Configure the following 802.1p to DSCP conversion settings:
To DSCP: The DSCP marking value that indicates the priority of the traffic.
From DSCP Begin: The lower limit of the range of DSCP marking values that indicates the
priority assigned to a packet traveling across the network.
From DSCP End: The upper limit of the range of DSCP marking values that indicates the
priority assigned to a packet traveling across the network.
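The marking actions from the QoS rule (None, Preserve, Explicit, Map) and the rows of the 802.1p-DSCP Mappings Table (To DSCP, From DSCP Begin, From DSCP End) modeled in code, so that the effect of a rule on a packet's DSCP and 802.1p values can be worked out before it is pushed to an appliance. This is an added Python example, not GMS or SonicOS code. The mapping rows are constructed (GMS ships its own defaults, which are not reproduced here), and two behaviors are assumptions: a Map action on a frame that carries no 802.1p tag leaves the DSCP unchanged, and a DSCP that falls in no row maps to 802.1p class 0.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class QosMapping:
    """One row of the 802.1p-DSCP Mappings Table, fields named as in the
    Edit QoS Mapping dialog."""
    cos: int               # 802.1p Class of Service object, 0..7
    to_dscp: int           # To DSCP: value written when mapping 802.1p -> DSCP
    from_dscp_begin: int   # From DSCP Begin
    from_dscp_end: int     # From DSCP End: inclusive range mapped back to cos


# Constructed example table (assumption; not the GMS default mapping).
EXAMPLE_TABLE = [
    QosMapping(0, 0, 0, 7),
    QosMapping(1, 8, 8, 15),
    QosMapping(2, 16, 16, 23),
    QosMapping(3, 24, 24, 31),
    QosMapping(4, 32, 32, 39),
    QosMapping(5, 46, 40, 47),   # voice class maps to EF
    QosMapping(6, 48, 48, 55),
    QosMapping(7, 56, 56, 63),
]


def validate_table(table: List[QosMapping]) -> None:
    """Reject rows outside the 3-bit/6-bit ranges or with overlapping DSCP ranges."""
    seen = [False] * 64
    for row in table:
        if not 0 <= row.cos <= 7:
            raise ValueError(f"802.1p class {row.cos} out of range")
        for v in (row.to_dscp, row.from_dscp_begin, row.from_dscp_end):
            if not 0 <= v <= 63:
                raise ValueError(f"DSCP {v} out of range")
        if row.from_dscp_begin > row.from_dscp_end:
            raise ValueError("From DSCP Begin exceeds From DSCP End")
        for d in range(row.from_dscp_begin, row.from_dscp_end + 1):
            if seen[d]:
                raise ValueError(f"DSCP {d} appears in more than one row")
            seen[d] = True


def cos_to_dscp(table: List[QosMapping], cos: int) -> int:
    for row in table:
        if row.cos == cos:
            return row.to_dscp
    raise KeyError(f"no mapping row for 802.1p class {cos}")


def dscp_to_cos(table: List[QosMapping], dscp: int) -> int:
    for row in table:
        if row.from_dscp_begin <= dscp <= row.from_dscp_end:
            return row.cos
    return 0   # assumption: DSCP values in no row become class 0


def apply_dscp_action(action: str, current_dscp: int, explicit: Optional[int] = None,
                      cos: Optional[int] = None, table=EXAMPLE_TABLE) -> int:
    """DSCP Marking Action from the rule's QoS tab."""
    if action == "None":
        return 0                      # reset to 0
    if action == "Preserve":
        return current_dscp           # leave unaltered
    if action == "Explicit":
        if explicit is None or not 0 <= explicit <= 63:
            raise ValueError("Explicit DSCP Value must be 0..63")
        return explicit
    if action == "Map":
        # assumption: with no 802.1p tag on the frame there is nothing to map
        return current_dscp if cos is None else cos_to_dscp(table, cos)
    raise ValueError(f"unknown DSCP action {action!r}")


def apply_cos_action(action: str, current_cos: Optional[int], explicit: Optional[int] = None,
                     dscp: Optional[int] = None, table=EXAMPLE_TABLE) -> int:
    """802.1p Marking Action; None is the default and resets the tag to 0."""
    if action == "None":
        return 0
    if action == "Preserve":
        return 0 if current_cos is None else current_cos
    if action == "Explicit":
        if explicit is None or not 0 <= explicit <= 7:
            raise ValueError("Explicit 802.1p value must be 0..7")
        return explicit
    if action == "Map":
        return dscp_to_cos(table, 0 if dscp is None else dscp)
    raise ValueError(f"unknown 802.1p action {action!r}")


def mark_packet(dscp_action: str, cos_action: str, dscp: int, cos: Optional[int] = None,
                explicit_dscp: Optional[int] = None, explicit_cos: Optional[int] = None,
                table=EXAMPLE_TABLE) -> dict:
    """Apply both actions as one rule would; each Map reads the packet's
    original marking of the other kind."""
    validate_table(table)
    return {"dscp": apply_dscp_action(dscp_action, dscp, explicit_dscp, cos, table),
            "cos": apply_cos_action(cos_action, cos, explicit_cos, dscp, table)}
```

Keeping validate_table in the path matters: overlapping From DSCP ranges make the reverse mapping depend on row order, which is exactly the kind of silent misconfiguration that shows up later as voice traffic landing in the wrong queue.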

Configuring SSL Control


SonicWALL appliances running SonicOS Enhanced 4.0 and higher allow SSL Control, a system
for providing visibility into the handshake of SSL sessions, and a method for constructing
policies to control the establishment of SSL connections. SSL (Secure Sockets Layer) is the
dominant standard for the encryption of TCP based network communications, with its most
common and well-known application being HTTPS (HTTP over SSL). SSL provides digital
certificate-based endpoint identification, and cryptographic and digest-based confidentiality to
network communications.

An effect of the security provided by SSL is the obscuration of all payload, including the URL
(Uniform Resource Locator, for example, https://www.mysonicwall.com) being requested by a
client when establishing an HTTPS session. This is due to the fact that HTTP is transported
within the encrypted SSL tunnel when using HTTPS. It is not until the SSL session is
established (step 14) that the actual target resource (www.mysonicwall.com) is requested by
the client, but since the SSL session is already established, no inspection of the session data
by the SonicWALL firewall appliance or any other intermediate device is possible. As a result,
URL based content filtering systems cannot consider the request to determine permissibility in
any way other than by IP address.


While IP address based filtering does not work well for unencrypted HTTP because of the
efficiency and popularity of Host-header based virtual hosting (defined in Key Concepts below),
IP filtering can work effectively for HTTPS due to the rarity of Host-header based HTTPS sites.
But this trust relies on the integrity of the HTTPS server operator, and assumes that SSL is not
being used for deceptive purposes.
For the most part, SSL is employed legitimately, being used to secure sensitive
communications, such as online shopping or banking, or any session where there is an
exchange of personal or valuable information. The ever decreasing cost and complexity of SSL,
however, has also spurred the growth of more dubious applications of SSL, designed primarily
for the purposes of obfuscation or concealment rather than security.
An increasingly common camouflage is the use of SSL encrypted Web-based proxy servers for
the purpose of hiding browsing details, and bypassing content filters. While it is simple to block
well known HTTPS proxy services of this sort by their IP address, it is virtually impossible to
block the thousands of privately-hosted proxy servers that are readily available through a
simple Web-search. The challenge is not the ever-increasing number of such services, but
rather their unpredictable nature. Since these services are often hosted on home networks
using dynamically addressed DSL and cable modem connections, the targets are constantly
moving. Trying to block an unknown SSL target would require blocking all SSL traffic, which is
practically infeasible.
SSL Control provides a number of methods to address this challenge by arming the security
administrator with the ability to dissect and apply policy based controls to SSL session
establishment. While the current implementation does not decode the SSL application data, it
does allow for gateway-based identification and disallowance of suspicious SSL traffic.
For more information about SSL Control, see the SonicOS Enhanced 4.0 Administrator's
Guide.
To configure SSL Control, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced 4.0
or higher.

2. Expand the Firewall tree and click SSL Control. The SSL Control page displays.

3. Under General Settings, select the Enable SSL Control checkbox to enable SSL Control
for the selected group or appliance.

4. Under Action, select one of the following:
Log the event: If an SSL policy violation, as defined within the Configuration section
below, is detected, the event will be logged, but the SSL connection will be allowed to
continue.
Block the connection and log the event: In the event of a policy violation, the
connection will be blocked and the event will be logged.

5. Under Configuration, select one or more of the following:
Enable Blacklist: Controls detection of the entries in the blacklist, as configured in the
Custom Lists section below.
Enable Whitelist: Controls detection of the entries in the whitelist, as configured in the
Custom Lists section below. Whitelisted entries take precedence over all other SSL
control settings.
Detect Expired Certificates: Controls detection of certificates whose start date is
after the current system time, or whose end date is before the current system time.
Date validation depends on the SonicWALL's System Time. Make sure your System
Time is set correctly, preferably synchronized with NTP, on the System > Time page.
Detect SSLv2: Controls detection of SSLv2 exchanges. SSLv2 is known to be
susceptible to cipher downgrade attacks because it does not perform integrity checking
on the handshake. Best practices recommend using SSLv3 or TLS instead of SSLv2.
Detect Self-Signed Certificates: Controls the detection of certificates where both the
issuer and the subject have the same common name.
Detect Certificate signed by an Untrusted CA: Controls the detection of certificates
where the issuer's certificate is not in the SonicWALL's System > Certificates trusted
store.
Detect Weak Ciphers (< 64 bits): Controls the detection of SSL sessions negotiated
with symmetric ciphers less than 64 bits, commonly indicating export cipher usage.

6. Under Custom Lists, configure the Blacklist and Whitelist by defining strings for matching
common names in SSL certificates. Entries are case-sensitive and are used with
pattern-matching. For example, sonicwall.com will match https://www.sonicwall.com
and https://mysonicwall.com, but not https://www.sonicwall.de.
To add an entry to the Blacklist, type it into the Black List field and then click Add.
To add an entry to the Whitelist, type it into the White List field and then click Add.

7. When finished, click Update. To return to default values and start over, click Reset.
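The checks above all operate on what is visible in the handshake before any application data is encrypted: protocol version, the server certificate's subject and issuer names and validity dates, and the negotiated cipher's key length. The following added Python example (not GMS or SonicOS code) models the SSL Control page as a policy object and evaluates a session against it, including the whitelist-takes-precedence rule, the Log versus Block action and the case-sensitive substring matching of the Custom Lists. The session records, the trusted CA name and the timestamp are constructed; the trusted-CA set stands in for the System > Certificates store.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Set


@dataclass
class SslSession:
    """What SSL Control can see without decrypting: the handshake's protocol
    version, the server certificate's subject and issuer common names, its
    validity window and the negotiated cipher's symmetric key length.
    Constructed model, not a SonicOS data structure."""
    version: str          # "SSLv2", "SSLv3", "TLSv1", ...
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    cipher_bits: int


@dataclass
class SslControlPolicy:
    """The checkboxes and lists from the SSL Control page."""
    enabled: bool = True
    action: str = "log"            # "log" or "block" (block also logs)
    enable_blacklist: bool = True
    enable_whitelist: bool = True
    detect_expired: bool = True
    detect_sslv2: bool = True
    detect_self_signed: bool = True
    detect_untrusted_ca: bool = True
    detect_weak_ciphers: bool = True
    blacklist: List[str] = field(default_factory=list)
    whitelist: List[str] = field(default_factory=list)
    trusted_ca_cns: Set[str] = field(default_factory=set)   # stands in for System > Certificates


def list_matches(entries: List[str], common_name: str) -> bool:
    """Custom List matching as the text describes it: case-sensitive substring,
    so "sonicwall.com" matches www.sonicwall.com but not www.sonicwall.de."""
    return any(entry in common_name for entry in entries)


def evaluate(policy: SslControlPolicy, session: SslSession, now: datetime) -> dict:
    """Return the violations found and the resulting decision."""
    if not policy.enabled:
        return {"violations": [], "decision": "allow", "logged": False}
    # Whitelisted entries take precedence over all other SSL Control settings.
    if policy.enable_whitelist and list_matches(policy.whitelist, session.subject_cn):
        return {"violations": [], "decision": "allow", "logged": False}

    violations = []
    if policy.enable_blacklist and list_matches(policy.blacklist, session.subject_cn):
        violations.append("blacklisted common name")
    if policy.detect_expired and not (session.not_before <= now <= session.not_after):
        violations.append("certificate outside its validity period")
    if policy.detect_sslv2 and session.version == "SSLv2":
        violations.append("SSLv2 handshake")
    if policy.detect_self_signed and session.subject_cn == session.issuer_cn:
        violations.append("self-signed certificate")
    if policy.detect_untrusted_ca and session.issuer_cn not in policy.trusted_ca_cns:
        violations.append("issuer not in trusted store")
    if policy.detect_weak_ciphers and session.cipher_bits < 64:
        violations.append("weak cipher (< 64 bits)")

    if not violations:
        return {"violations": [], "decision": "allow", "logged": False}
    decision = "block" if policy.action == "block" else "allow"
    return {"violations": violations, "decision": decision, "logged": True}


# Constructed sample data.
NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)
POLICY = SslControlPolicy(
    action="block",
    blacklist=["proxy.example"],
    whitelist=["sonicwall.com"],
    trusted_ca_cns={"Example Root CA"},
)
GOOD = SslSession("TLSv1", "shop.example.net", "Example Root CA",
                  datetime(2012, 1, 1, tzinfo=timezone.utc),
                  datetime(2013, 1, 1, tzinfo=timezone.utc), 128)
SUSPECT = SslSession("SSLv2", "ssl.proxy.example", "ssl.proxy.example",
                     datetime(2010, 1, 1, tzinfo=timezone.utc),
                     datetime(2011, 1, 1, tzinfo=timezone.utc), 40)


if __name__ == "__main__":
    print(evaluate(POLICY, GOOD, NOW))
    print(evaluate(POLICY, SUSPECT, NOW))
```

Note how the expiry check is only as good as the clock it is given, which is why the page insists on an NTP-synchronized System Time: with a badly skewed clock every certificate, good or bad, falls outside its validity window.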

Configuring Firewall Settings in SonicOS Standard


The following sections describe how to configure firewall settings in SonicOS Standard:

Configuring Rules in SonicOS Standard section on page 300

Configuring Advanced Firewall Settings in SonicOS Standard section on page 303

Configuring Voice over IP Settings section on page 304

Configuring Rules in SonicOS Standard


To configure rules for SonicOS Standard, perform the following steps:

1. Determine whether the service for which you want to create a rule is defined. If not, define
the service. Refer to the Adding a Service section on page 301.

2. Create one or more rules for the service. Refer to the Creating Rules section on page 302.

3. Repeat this procedure for each service for which you would like to define rules.


Adding a Service
By default, a large number of services are pre-defined. This section describes how to add a new
or custom service. To add a service, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

2. Expand the Firewall tree and click Services. The Services page displays.

3. To add a known service (e.g., HTTP, FTP, News), select the service from the Service Name
list box and click Add Known Service. Repeat this step for each service that you would
like to add. A task is scheduled for each service for each selected SonicWALL appliance.

Note

Features and services vary widely depending on the managed appliance's firmware type
and version. Some options, including Add Known Service, are only available when
managing a Non-SonicOS device (such as a SonicWALL TELE3 TZX).

4. To add a custom service, enter its name in the Service Name field, enter the port range it
uses in the Port Begin and Port End fields, select the appropriate protocol check boxes,
and click Add Custom Service. Repeat this step for each service that you would like to
add. A task gets scheduled for each service for each selected SonicWALL appliance.

5. To remove a service from the list, select its trash can check box and click Update. A task
gets scheduled to update the services page for each selected SonicWALL appliance.

6. To clear all screen settings and start over, click Reset.


Creating Rules
This section describes how to define rules for defined services in SonicOS Standard. To create
a rule, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

2. Expand the Firewall tree and click Rules. The Rules page displays.

3. Click Add Rule. The Add Rule dialog box displays.

4. Select a service from the Service Name list box. If the service does not exist, refer
to the Adding a Service section on page 301.

5. Select whether access to this service will be allowed or denied.

6. Select the SonicWALL interface to which this rule applies from the Source list box.

7. To apply the rule to a range of IP addresses, enter the first and last IP addresses of the
range in the Addr. Begin and Addr. End fields, respectively. The rule will apply to
requests originating from IP addresses within this range. For all IP addresses, enter an
asterisk (*).

8. Specify when the rule will be applied. By default, it is Always. To specify a time, enter the
time of day (in 24-hour format) to begin and end enforcement. Then, enter the days of the
week to begin and end rule enforcement.

9. Specify how long (in minutes) the connection may remain idle before the connection is
terminated in the Inactivity Timeout field.

Caution

Fragmented packets are used in certain types of Denial of Service attacks and, by default,
are blocked. You should only enable the Allow Fragmented Packets check box if users are
experiencing problems accessing certain applications and the SonicWALL logs show many
dropped fragmented packets.

10. SonicWALL appliances can manage outbound traffic using bandwidth management. To
enable bandwidth management for this service, select the Enable Outbound Bandwidth
Management check box.
Enter the amount of bandwidth that will always be available to this service in the
Guaranteed Bandwidth field. Keep in mind that this bandwidth will be permanently
assigned to this service and not available to other services, regardless of the amount of
bandwidth this service does or does not use.
Enter the maximum amount of bandwidth that will be available to this service in the
Maximum Bandwidth field.
Select the priority of this service from the Bandwidth Priority list box. Select a priority from
0 (highest) to 7 (lowest).


Note

In order to configure bandwidth management for this service, bandwidth management must be
enabled on the SonicWALL appliance. To configure bandwidth management in SonicOS
Standard, refer to the Configuring Ethernet Settings section on page 271. For SonicOS
Enhanced, refer to the Overview of Interfaces section on page 207.

11. To add this rule to the rule list, click Update. Repeat Step 3 through Step 11 for each rule
that you want to add.

12. If the network access rules have been modified or deleted, you can restore the Default
Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP
traffic and allow all outbound IP traffic. To restore the network access rules to their default
settings, click Restore Rules to Defaults and click Update. A task is scheduled to update
the rules page for each selected SonicWALL appliance.

13. If the network access rules for a SonicWALL appliance need to be uniform with access rules
for other SonicWALL appliances in the same group, you can restore the group rules.
To do this, click Restore Rules to Group Settings and click Update. A task is scheduled
to overwrite the rules page for each selected SonicWALL appliance.
If you want to append the group rules to the current rules, make sure the Append Services
and Rules inherited from group check box is selected on the GMS Settings page of the
Console Panel.

Note

This option is not available at the group or global level.

14. To modify a rule, select its notepad icon. The Add/Modify Rule dialog box displays. When
you are finished making changes, click Update. SonicWALL GMS creates a task that
modifies the rule for each selected SonicWALL appliance.

15. To disable a rule without deleting it, deselect its Enable Rule check box.

16. To delete a rule, select its trash can icon and click Update. SonicWALL GMS creates a task
that deletes the rule for each selected SonicWALL appliance.
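The fields the procedure above fills in (a service with its port range and protocols, allow or deny, the source interface, Addr. Begin/End or * for all addresses, a schedule in 24-hour time over a span of weekdays, and Enable Rule) modeled as a small evaluator, with the Default Rules behavior from step 12 (block inbound, allow outbound) as the fallback when nothing matches. This is an added Python example, not GMS or SonicOS code. Assumptions: the first matching enabled rule wins, the schedule's time window is half-open and its day span inclusive, the interface names LAN and WAN identify outbound and inbound traffic, and the sample rules are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


@dataclass(frozen=True)
class Service:
    name: str
    port_begin: int
    port_end: int
    protocols: FrozenSet[str]          # the protocol check boxes, e.g. {"TCP"}


@dataclass(frozen=True)
class Schedule:
    """Always, or a daily time window repeated over a span of weekdays."""
    time_begin: Optional[time] = None  # None means Always
    time_end: Optional[time] = None
    day_begin: int = MON
    day_end: int = SUN

    def active(self, when: datetime) -> bool:
        if self.time_begin is None:
            return True
        if not self.day_begin <= when.weekday() <= self.day_end:   # inclusive span (assumption)
            return False
        return self.time_begin <= when.time() < self.time_end      # half-open window (assumption)


@dataclass(frozen=True)
class Rule:
    service: Service
    allow: bool
    source_interface: str
    addr_begin: Optional[IPv4Address] = None   # None stands for "*" (all addresses)
    addr_end: Optional[IPv4Address] = None
    schedule: Schedule = field(default_factory=Schedule)
    enabled: bool = True                        # the Enable Rule check box

    def matches(self, iface: str, src: IPv4Address, proto: str, port: int,
                when: datetime) -> bool:
        if not self.enabled or iface != self.source_interface:
            return False
        if proto not in self.service.protocols:
            return False
        if not self.service.port_begin <= port <= self.service.port_end:
            return False
        if self.addr_begin is not None and not self.addr_begin <= src <= self.addr_end:
            return False
        return self.schedule.active(when)


def decide(rules: List[Rule], iface: str, src: str, proto: str, port: int,
           when) -> Tuple[str, Optional[Rule]]:
    """First matching enabled rule wins (assumption). With no match, fall back
    to the Default Rules described above: allow outbound (from LAN), block
    inbound (anything else). `when` is a datetime or an ISO 8601 string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    src_addr = IPv4Address(src)
    for rule in rules:
        if rule.matches(iface, src_addr, proto, port, when):
            return ("allow" if rule.allow else "deny"), rule
    return ("allow" if iface == "LAN" else "deny"), None


# Constructed sample rule set.
HTTP = Service("HTTP", 80, 80, frozenset({"TCP"}))
ANY = Service("Any", 0, 65535, frozenset({"TCP", "UDP", "ICMP"}))
SAMPLE_RULES = [
    # Deny web browsing from one LAN address range during office hours, Mon-Fri.
    Rule(HTTP, allow=False, source_interface="LAN",
         addr_begin=IPv4Address("192.168.1.10"), addr_end=IPv4Address("192.168.1.20"),
         schedule=Schedule(time(9, 0), time(17, 0), MON, FRI)),
    # Otherwise allow everything originating on the LAN.
    Rule(ANY, allow=True, source_interface="LAN"),
]


if __name__ == "__main__":
    # 2012-06-06 is a Wednesday.
    print(decide(SAMPLE_RULES, "LAN", "192.168.1.15", "TCP", 80, "2012-06-06T10:30")[0])  # deny
    print(decide(SAMPLE_RULES, "LAN", "192.168.1.15", "TCP", 80, "2012-06-06T20:00")[0])  # allow
```

Running a candidate rule set through a few such probes before step 11's Update is a cheap way to catch the usual mistakes: a deny placed after the catch-all allow that it was meant to restrict, or a schedule whose day span excludes the day you are testing on.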

Configuring Advanced Firewall Settings in SonicOS Standard


To configure advanced access settings, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

2. Expand the Firewall tree and click Advanced. The Advanced page displays.

3. Computers running Microsoft Windows communicate with each other through NetBIOS
broadcast packets. By default, SonicWALL appliances block these broadcasts. To allow
NetBIOS packets to pass among the interfaces, select the appropriate checkbox in the
Windows Networking (NetBIOS) Broadcast Pass Through section.

4. Detection prevention helps hide SonicWALL appliances from potential hackers. Select from
the following Detection Prevention options:
To enable stealth mode, select the Enable Stealth Mode check box. During normal
operation, SonicWALL appliances respond to incoming connection requests as either
blocked or open. During stealth operation, SonicWALL appliances do not respond to
inbound requests, making the appliances invisible to potential hackers.
Hackers can use various detection tools to fingerprint IP IDs and detect the presence
of a SonicWALL appliance. To configure the SonicWALL appliance(s) to generate
random IP IDs, select the Randomize IP ID check box.

5. Select the dynamic ports that will be supported from the Dynamic Ports area:
Enable support for Oracle (SQLNet): Select if you have Oracle applications on your
network.
Enable support for Windows Messenger: Select this option to support special SIP
messaging used in Windows Messenger on Windows XP.
Enable RTSP Transformations: Select this option to support on-demand delivery of
real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an
application-level protocol for control over delivery of data with real-time properties.

6. The Drop Source Routed Packets check box is selected by default. Clear the check box
if you are testing traffic between two specific hosts and you are using source routing.

7. Select Disable Anti-Spyware, Gateway AV and IPS Engine if you want to enable more
connections at the expense of the Gateway Anti-Virus and Intrusion Prevention services.
This is generally not recommended because it opens the SonicWALL security appliance to
possible threats.

8. The Connection Inactivity Timeout option disables connections outside the LAN if they are
idle for a specified period of time. Without this timeout, connections can stay open
indefinitely and create potential security holes. To specify how long the SonicWALL
appliance(s) wait before closing inactive connections outside the LAN, enter the amount of
time in the Default Connection Timeout field (default: 25 minutes).

9. By default, FTP connections from port 20 are allowed, but remapped to outbound traffic
ports such as 1024. If you select the Force inbound and outbound FTP data
connections to use default port 20 check box, any FTP data connection through the
SonicWALL must come from port 20 or the connection will be dropped and logged.

Note

To enforce IP Header, UDP, TCP, or ICMP checksums, select the appropriate option from the
IP, UDP, TCP, ICMP Checksum Enforcement section.

10. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Voice over IP Settings

VoIP settings are identical in SonicOS Enhanced and SonicOS Standard. To configure VoIP, refer to the Configuring Voice over IP Settings section on page 287.

CHAPTER 12
Configuring Firewall Log Settings
This chapter describes how to use SonicWALL GMS to configure where the SonicWALL appliance(s) send their logs, how often the logs are sent, and what information is included.
This chapter includes the following sections:

Configuring Log Settings section on page 305

Configuring Enhanced Log Settings section on page 307

Configuring Name Resolution section on page 310

Configuring Log Settings

To configure log settings, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Select the Policies tab. In the center pane, navigate to Log > Log Settings.

3. Enter the IP address or name of the mail server in the Mail Server (name or IP Address) field.

4. Enter the name of the SonicWALL appliance in the Firewall Name field. The firewall name appears in the subject of email sent by the SonicWALL appliance. By default, the firewall name is the same as the SonicWALL appliance serial number.

Note
The name of the SonicWALL appliance cannot be configured at the group or global level.

5. To override syslog settings with ViewPoint settings, check the Override Syslog settings with ViewPoint settings box.

6. To select a syslog format, choose one of the two options from the Syslog Format pull-down menu:
   Default - The standard SonicWALL syslog format.
   WebTrends - A reporting software package that analyzes traffic activity, protocol usage, security problems, resource usage, bandwidth consumption, and more. For more information, visit http://www.webtrends.com.

7. To specify how often SonicWALL GMS logs repetitive events, enter the time period (in seconds) in the Syslog Event Redundancy Filter field (default: 60 seconds). This prevents repetitive events from being logged to the syslog. If duplicate events occur during the period, they will be logged as a single event that specifies the number of times that the event occurred. The minimum is 0 seconds and the maximum is 86,400 seconds (24 hours). If you specify 0, all events are logged.
   For GMS network deployments using Gen-2/Distributed Summarizer Mode, enter 0 in the Syslog Event Redundancy Filter field. Although a higher setting prevents a log file from being full of repetitive events, setting this field to anything other than 0 will result in inaccurate reporting. For information about the Distributed Summarizer, see the section on page 801.
   Additionally, you can select the number of days that raw syslog data is stored. The raw data is made up of information for every connection. Depending on the amount of traffic, this can quickly consume an enormous amount of space in the database. Be very careful when selecting how much raw information to store. As of SonicWALL GMS 7.0, Summarizer processing applies to CDP appliances only.

8. To enable event rate limiting, check the Enable Event Rate Limiting box and enter a maximum number of events per second in the Maximum Events Per Second field.

9. To enable data rate limiting, check the Enable Data Rate Limiting box and enter a maximum number of bytes per second in the Maximum Bytes Per Second field.

10. Specify how often the SonicWALL appliance(s) send heartbeats to SonicWALL GMS in the Heartbeat Rate field (default: 60 seconds). If SonicWALL GMS does not receive a heartbeat message within three intervals, SonicWALL GMS will consider the SonicWALL appliance offline or unavailable and its icon will turn red.

Note
It is highly recommended to leave the Heartbeat Rate at the default setting of 60 seconds. Values close to zero will generate a large number of status messages. The maximum value is 86,400 seconds (24 hours).

11. Enter the complete email address (for example, administrator@company.com) where the log will be sent in the Email Log to field. If this field is left blank, the log will not be sent.

Note
This address will also be used as the return address.

12. Some events, such as an attack, may require immediate attention. Enter the complete email address or email pager address in the Email Alerts to field. If this field is left blank, alerts will not be sent.

Note
This address will also be used as the return address.

For information about alerts in the GMS Granular Event Management framework, see the Configuring Granular Event Management section on page 826.

13. To email the log now, click Email Log Now.

14. To clear the log, click Clear Log Now. A confirmation displays. Click OK to clear the log.

15. To add a syslog server, enter the IP address and port in the Syslog Server IP Address and Port fields. Click Add.

16. For automated log delivery, specify when the log file will be sent from the Send Log pull-down menu. Select When Full, Daily, or Weekly. If the log will be sent daily, select the time that the log will be sent (24-hour format). If the log will be sent weekly, select the day of the week and the time.

17. In some cases, the log buffer may fill up. This may occur if there is a problem with the mail server and the log cannot be successfully emailed. Under When Log Overflows, select Overwrite Log (SonicWALL appliances will overwrite the log and discard its contents) or Shutdown SonicWALL (this will prevent further traffic from passing without being logged).

18. Select information to log from the Categories section. To select all categories, check the Select All box.

Note
If you are using SonicWALL GMS, make sure that it can generate all reports for each SonicWALL appliance by selecting all log category check boxes except for Network Debug.

19. When you are finished, click Update.

Configuring Enhanced Log Settings

To configure enhanced log settings, perform the following steps:

1. In the center pane, navigate to Log > Enhanced Log Settings.

2. Enter the IP address or name of the mail server in the Mail Server (name or IP Address) field.

3. Enter the email address that will appear as the sender on emails in the From E-mail Address field.

4. Select a method of authentication from the Authentication Method pull-down menu, either None or POP before SMTP.

5. If you selected POP before SMTP, enter the POP server name or IP address in the POP Server (name or IP address) field, and the POP account user name and password in the Username and Password fields.

6. Enter the name of the SonicWALL appliance in the Firewall Name field. The firewall name appears in the subject of email sent by the SonicWALL appliance. By default, the firewall name is the same as the SonicWALL appliance serial number.

Note
The name of the SonicWALL appliance cannot be configured at the group or global level.

7. In the Syslog Facility pull-down menu, select one of the syslog facility options.

8. To override syslog settings with ViewPoint settings, check the Override Syslog settings with ViewPoint settings box.

9. To select a syslog format, choose one of the two options from the Syslog Format pull-down menu:
   Default - The standard SonicWALL syslog format.
   WebTrends - A reporting software package that analyzes traffic activity, protocol usage, security problems, resource usage, bandwidth consumption, and more. For more information, visit http://www.webtrends.com.

10. To specify how often SonicWALL GMS logs repetitive events, enter the time period (in seconds) in the Syslog Event Redundancy Filter field (default: 60 seconds). This prevents repetitive events from being logged to the syslog. If duplicate events occur during the period, they will be logged as a single event that specifies the number of times that the event occurred. The minimum is 0 seconds and the maximum is 86,400 seconds (24 hours). If you specify 0, all events are logged.

11. To enable event rate limiting, check the Enable Event Rate Limiting box and enter a maximum number of events per second in the Maximum Events Per Second field.

12. To enable data rate limiting, check the Enable Data Rate Limiting box and enter a maximum number of bytes per second in the Maximum Bytes Per Second field.

13. Specify how often the SonicWALL appliance(s) send heartbeats to SonicWALL GMS in the Heartbeat Rate field (default: 60 seconds). If SonicWALL GMS does not receive a heartbeat message within three intervals, SonicWALL GMS will consider the SonicWALL appliance offline or unavailable and its icon will turn red.

Note
It is highly recommended to leave the Heartbeat Rate at the default setting of 60 seconds. Values close to zero will generate a large number of status messages. The maximum value is 86,400 seconds (24 hours).

14. Enter the complete email address (for example, administrator@company.com) where the log will be sent in the Email Log to field. If this field is left blank, the log will not be sent.

Note
This address will also be used as the return address.

15. Some events, such as an attack, may require immediate attention. Enter the complete email address or email pager address in the Email Alerts to field. If this field is left blank, alerts will not be sent.

Note
This address will also be used as the return address.

16. To email the log now, click Email Log Now. The scheduler displays.

17. Expand Schedule by clicking the plus icon.

18. Select Immediate or specify a future date and time.

19. Click Accept.

20. To clear the log, click Clear Log Now. A confirmation displays. Click OK to clear the log.

21. To add a syslog server, enter the IP address and port in the Syslog Server IP Address and Port fields. Click Add. The scheduler displays.

22. Expand Schedule by clicking the plus icon.

23. Select Immediate or specify a future date and time.

24. Click Accept.

25. For automated log delivery, specify when the log file will be sent from the Send Log pull-down menu. Select When Full, Daily, or Weekly. If the log will be sent daily, select the time that the log will be sent (24-hour format). If the log will be sent weekly, select the day of the week and the time.

26. In some cases, the log buffer may fill up. This may occur if there is a problem with the mail server and the log cannot be successfully emailed. Under When Log Overflows, select Overwrite Log (SonicWALL appliances will overwrite the log and discard its contents) or Shutdown SonicWALL (this will prevent further traffic from passing without being logged).

27. From the Logging Level pull-down menu, select one of the logging level options.

28. From the Alert Level pull-down menu, select one of the alert level options.

29. Enter a period of time, in seconds, in the Log Redundancy Filter (seconds) field.

30. Enter a period of time, in seconds, in the Alert Redundancy Filter (seconds) field.

31. For each category in the Categories table, select a combination of Log, Alerts, and Syslog.

Note
If you are using SonicWALL GMS, make sure that it can generate all reports for each SonicWALL appliance by selecting all log category check boxes.

32. When you are finished, click Update. The scheduler displays.

33. Expand Schedule by clicking the plus icon.

34. Select Immediate or specify a future date and time.
35. Click Accept.
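The Syslog Event Redundancy Filter and Event Rate Limiting settings (steps 7 and 8 of Configuring Log Settings, and steps 10 and 11 above) decide what actually reaches the syslog collector, which matters when you are tuning them for report accuracy. The following Python script is an added example and is not SonicWALL GMS or SonicOS code: it models the two controls on a handful of constructed events. The key=value line format, the field names t, m, src and dst, the sample values, and the order in which the two controls are applied are all assumptions made for the demonstration, not the real SonicWALL syslog format.

```python
"""Syslog Event Redundancy Filter and Event Rate Limiting, modelled in Python.

Added example, not SonicWALL GMS or SonicOS code. It reproduces the behaviour
the Log Settings steps describe for two settings:
  * Syslog Event Redundancy Filter: duplicate events inside the window are
    logged as one event carrying the number of occurrences; 0 logs everything;
  * Event Rate Limiting: at most Maximum Events Per Second reach the log.
The key=value line format, the field names t/m/src/dst, the sample events and
the order in which the two controls are applied are assumptions made for the
demonstration, not the real SonicWALL syslog format.
"""
import shlex
from collections import Counter

# Constructed sample: three identical drops inside one 60-second window,
# one unrelated event, then the same drop again after the window has passed.
SAMPLE_LINES = [
    't=100 m=37 src=10.1.1.5 dst=203.0.113.9 msg="Packet dropped"',
    't=101 m=37 src=10.1.1.5 dst=203.0.113.9 msg="Packet dropped"',
    't=102 m=41 src=10.1.1.7 dst=203.0.113.9 msg="Login attempt"',
    't=130 m=37 src=10.1.1.5 dst=203.0.113.9 msg="Packet dropped"',
    't=170 m=37 src=10.1.1.5 dst=203.0.113.9 msg="Packet dropped"',
]


def parse_line(line):
    """Split a key=value line into a dict; shlex keeps quoted values intact."""
    event = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        event[key] = value
    event["t"] = int(event["t"])          # timestamp in whole seconds
    return event


def dedup_key(event):
    """Events are duplicates when message id, source and destination match."""
    return (event["m"], event["src"], event["dst"])


class RedundancyFilter:
    """Collapse duplicates seen within `window` seconds into one record."""

    def __init__(self, window):
        if not 0 <= window <= 86400:        # range stated in the guide
            raise ValueError("window must be 0..86400 seconds")
        self.window = window
        self.open = {}  # dedup key -> [first event, count, window start]

    def feed(self, event):
        """Return a finished record (with 'count'), or None if absorbed."""
        if self.window == 0:                # 0: log every event unchanged
            return dict(event, count=1)
        key = dedup_key(event)
        finished = None
        slot = self.open.get(key)
        if slot is not None and event["t"] >= slot[2] + self.window:
            finished = dict(slot[0], count=slot[1])   # window has closed
            slot = None
        if slot is None:
            self.open[key] = [event, 1, event["t"]]   # open a new window
        else:
            slot[1] += 1                               # just bump the count
        return finished

    def flush(self):
        """Emit every window still open, e.g. at end of input."""
        records = [dict(ev, count=n) for ev, n, _ in self.open.values()]
        self.open.clear()
        return records


class EventRateLimiter:
    """Allow at most `limit` events in any one-second bucket; drop the rest."""

    def __init__(self, limit):
        self.limit = limit
        self.per_second = Counter()

    def allow(self, event):
        if self.per_second[event["t"]] >= self.limit:
            return False
        self.per_second[event["t"]] += 1
        return True


def process(lines, window=60, max_events_per_second=None):
    """Rate-limit first, then collapse duplicates; return the logged records."""
    limiter = EventRateLimiter(max_events_per_second) if max_events_per_second else None
    dedup = RedundancyFilter(window)
    logged = []
    for line in lines:
        event = parse_line(line)
        if limiter is not None and not limiter.allow(event):
            continue                        # over the per-second ceiling
        record = dedup.feed(event)
        if record is not None:
            logged.append(record)
    logged.extend(dedup.flush())
    return sorted(logged, key=lambda r: r["t"])
```

With the default 60-second window, the three identical drops between t=100 and t=130 are logged once with count 3, the drop at t=170 opens a new window, and the login event is logged once. With the window set to 0, as the guide requires for Distributed Summarizer deployments, all five events are emitted unchanged; that is why reporting stays accurate at the cost of log volume.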

Heartbeat Settings on the Enhanced Log Settings Page

A heartbeat is a message generated by the SonicWALL firewall appliance and sent out at intervals to a connected management server, to determine whether the management server connected to the SonicWALL firewall appliance is active. You can set a threshold value for how often a heartbeat message is generated. You can do this on the Log Settings page.
To specify the Heartbeat Rate, perform the following steps:

1. Navigate to the Policies panel.

2. Click the Log menu to display logging options.

3. Click the Log Settings option. GMS displays the Log Settings dialog box.

4. In the Heartbeat Rate field in the General region, type the number of seconds between heartbeat tests. Note that the default interval is 60 seconds.
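The rule that turns an appliance icon red (step 13 of Configuring Enhanced Log Settings and the Heartbeat Settings section above: no heartbeat within three Heartbeat Rate intervals) can be checked against a constructed timeline before you change the rate. The following Python script is an added example, not SonicWALL GMS code; the serial numbers, timestamps and class names are assumptions made for the demonstration.

```python
"""Heartbeat liveness rule used by the Log Settings Heartbeat Rate.

Added example, not SonicWALL GMS code. The guide states that an appliance is
considered offline (its icon turns red) when no heartbeat arrives within
three Heartbeat Rate intervals. This models that rule over a constructed
timeline of heartbeat arrivals and clock ticks. Serial numbers, timestamps and
the class/function names below are assumptions made for the demonstration.
"""

DEFAULT_HEARTBEAT_RATE = 60   # seconds, the guide's default
MISSED_INTERVALS = 3          # the guide's offline threshold


class HeartbeatMonitor:
    """Track the last heartbeat per appliance and flag it offline on timeout."""

    def __init__(self, heartbeat_rate=DEFAULT_HEARTBEAT_RATE):
        if not 1 <= heartbeat_rate <= 86400:   # range stated in the guide
            raise ValueError("Heartbeat Rate must be 1..86400 seconds")
        self.timeout = heartbeat_rate * MISSED_INTERVALS
        self.last_seen = {}     # serial -> time of the latest heartbeat
        self.status = {}        # serial -> "online" | "offline"
        self.transitions = []   # (time, serial, new status), in order

    def heartbeat(self, serial, now):
        """A heartbeat message arrived from `serial` at time `now`."""
        self.last_seen[serial] = now
        self._set(serial, "online", now)

    def tick(self, now):
        """Periodic check: anything silent for three intervals goes offline."""
        for serial, last in self.last_seen.items():
            if now - last >= self.timeout:
                self._set(serial, "offline", now)

    def _set(self, serial, new_status, now):
        if self.status.get(serial) != new_status:
            self.status[serial] = new_status
            self.transitions.append((now, serial, new_status))


def status_messages_per_day(heartbeat_rate):
    """Why the note warns against small values: heartbeats per appliance per day."""
    return 86400 // heartbeat_rate


def run_constructed_timeline():
    """Two appliances; SN-A goes silent after t=120 and resumes at t=330."""
    mon = HeartbeatMonitor(60)
    events = [("hb", "PLACEHOLDER-SN-A", 0), ("hb", "PLACEHOLDER-SN-B", 0)]
    for t in range(60, 361, 60):
        if t <= 120:
            events.append(("hb", "PLACEHOLDER-SN-A", t))
        events.append(("hb", "PLACEHOLDER-SN-B", t))
        events.append(("tick", None, t))        # GMS evaluates every minute
    events.append(("hb", "PLACEHOLDER-SN-A", 330))
    events.sort(key=lambda e: e[2])             # stable sort keeps hb before tick
    for kind, serial, t in events:
        if kind == "hb":
            mon.heartbeat(serial, t)
        else:
            mon.tick(t)
    return mon
```

On this timeline SN-A is flagged offline at t=300, exactly three 60-second intervals after its last heartbeat at t=120, and returns to online when its heartbeat at t=330 arrives; SN-B never transitions. The status_messages_per_day helper shows the cost the note warns about: a rate of 1 second means 86,400 messages per appliance per day against 1,440 at the default.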

Configuring Name Resolution

To configure name resolution, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Select the Policies tab.

3. In the center pane, navigate to Log > Name Resolution.

4. From the Name Resolution Method pull-down menu, select none, DNS, NetBios, or DNS then NetBios.

5. For DNS and DNS then NetBios, configure the following DNS settings:
   Specify DNS Servers Manually - Select this radio button to manually configure the DNS servers and specify the IP address(es) in the Log Resolution DNS Server 1 - 3 fields.
   Inherit DNS Settings Dynamically from WAN - Select this radio button to inherit the DNS settings from the WAN.

6. Click Update.

CHAPTER 13
Viewing Firewall Diagnostic Information
SonicWALL appliances store information about all devices with which they have communicated. When you generate diagnostic information, only one report can be generated at a time and the information is only maintained during the current session. For example, if you run a firewall log report and then log off or generate another report, the firewall log report data will be lost until you run the report again.
This chapter includes the following sections:

Viewing Network Diagnostic Settings section on page 313

Viewing Connections Monitor section on page 315

Viewing CPU Monitor section on page 316

Viewing Process Monitor section on page 317

Viewing Network Diagnostic Settings

To view network settings, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab. In the center pane, navigate to Diagnostics > Network.

3. To refresh the diagnostic data, click Refresh Diagnostic Data display.

4. To delete the diagnostic data, click Delete Diagnostic Data display.

5. To view the log file for the selected SonicWALL appliance(s), click Request Log file display from unit(s).

6. To test the RADIUS server, enter the username and password of a valid user in the User and Password fields and click Radius Client Test.

7. To perform a DNS lookup from the SonicWALL appliance(s), enter a hostname or IP address in the Host field and click DNS Lookup.

8. To find a network path from the SonicWALL appliance(s), enter an IP address in the Host field and click Find Network Path.

9. To ping a host from the SonicWALL appliance(s), enter a hostname or IP address in the Host field and click Ping.

10. To perform a traceroute from the SonicWALL appliance(s), enter a hostname or IP address in the Host field and click TraceRoute Lookup.

11. To view dynamic routing information, click Fetch Default Route Policies (SonicOS 2.5 Enhanced or later).

12. To perform a reverse name resolution, enter an IP address in the Reverse Lookup the IP Address field and click Reverse Name Resolution.

13. To perform a real-time black list lookup, enter an IP address in the IP Address field, the FQDN of the RBL in the RBL Domain field, and DNS server information in the DNS Server field. Click Real-time Black List Lookup.

14. To generate a Tech Support Report, select any of the following four report options:
   VPN Keys - Saves shared secrets, encryption, and authentication keys to the report.
   ARP Cache - Saves a table relating IP addresses to the corresponding MAC or physical addresses.
   DHCP Bindings - Saves entries from the SonicWALL security appliance DHCP server.
   IKE Info - Saves current information about active IKE configurations.

15. Click Fetch Tech Support Report.

16. To request a packet trace, enter the IP address of the remote host in the Host field, and click Start. You must enter an IP address in the Host field; do not enter a host name, such as www.yahoo.com. Click Stop to terminate the packet trace and Query to query the trace. To reset a host, enter the IP address in the Host field and click Reset.

Viewing Connections Monitor

The Connections Monitor displays real-time, configurable views of all connections to and through a SonicWALL security appliance.
To view connections monitor data, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab. In the center pane, navigate to Diagnostics > Connections Monitor.

3. Select the filter values to sort by.
   You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Source Interface, and Destination Interface. Enter your filter criteria in the Active Connections Monitor Settings table.
   The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string will look for connections matching:
   Source IP AND Destination IP
   Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filters next to Source IP and Destination IP, the search string will look for connections matching:
   (Source IP OR Destination IP) AND Protocol

4. Click Fetch Active Connections Monitor to apply the filter immediately to the Active Connections Monitor table. The scheduler displays.

5. Expand Schedule by clicking the plus icon.

6. Select Immediate or specify a future date and time.

7. Click Accept. The updated Connections Monitor page displays.
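The AND/OR combination rule in step 3 is easy to get wrong when several criteria are filled in, so it helps to see it as a predicate over connection records. The following Python script is an added example and not SonicWALL GMS code: it builds the search string and the matching predicate from the filled-in criteria and the Group Filters selection, then applies them to a constructed sample of the Active Connections Monitor table. The records, interface names and function names are assumptions made for the demonstration.

```python
"""Active Connections Monitor filter semantics (step 3 above).

Added example, not SonicWALL GMS code. Filled-in criteria are combined with a
logical AND; criteria whose Group Filters box is checked are first combined
with a logical OR, giving search strings such as
'(Source IP OR Destination IP) AND Protocol'. The connection records and the
function names are constructed for the demonstration.
"""

FILTER_FIELDS = ("Source IP", "Destination IP", "Destination Port", "Protocol",
                 "Source Interface", "Destination Interface")

# Constructed sample of the Active Connections Monitor table.
CONNECTIONS = [
    {"Source IP": "10.1.1.5", "Destination IP": "203.0.113.9", "Destination Port": 443,
     "Protocol": "TCP", "Source Interface": "X0", "Destination Interface": "X1"},
    {"Source IP": "10.1.1.7", "Destination IP": "203.0.113.9", "Destination Port": 53,
     "Protocol": "UDP", "Source Interface": "X0", "Destination Interface": "X1"},
    {"Source IP": "10.1.1.5", "Destination IP": "198.51.100.4", "Destination Port": 22,
     "Protocol": "TCP", "Source Interface": "X0", "Destination Interface": "X1"},
    {"Source IP": "10.1.1.9", "Destination IP": "198.51.100.4", "Destination Port": 443,
     "Protocol": "TCP", "Source Interface": "X2", "Destination Interface": "X1"},
]


def build_filter(criteria, grouped=()):
    """Return (predicate, search_string) for the filled-in criteria.

    criteria: {field: value} for each field the user typed into.
    grouped:  fields whose Group Filters box is checked (OR-ed together).
    """
    unknown = set(criteria) - set(FILTER_FIELDS)
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    # Keep the table's column order so the search string is stable.
    group = [f for f in FILTER_FIELDS if f in criteria and f in grouped]
    singles = [f for f in FILTER_FIELDS if f in criteria and f not in grouped]
    if len(group) < 2:
        # The guide says Group Filters needs two or more criteria; a single
        # grouped field is just another AND term.
        singles = [f for f in FILTER_FIELDS if f in criteria]
        group = []

    def predicate(conn):
        and_ok = all(conn.get(f) == criteria[f] for f in singles)
        or_ok = not group or any(conn.get(f) == criteria[f] for f in group)
        return and_ok and or_ok

    parts = (["(" + " OR ".join(group) + ")"] if group else []) + singles
    return predicate, " AND ".join(parts)


def filter_connections(connections, criteria, grouped=()):
    """Apply the filter the way Fetch Active Connections Monitor would."""
    predicate, search_string = build_filter(criteria, grouped)
    return [c for c in connections if predicate(c)], search_string
```

Filling in Source IP and Destination IP without grouping yields the search string Source IP AND Destination IP and matches only the first record; grouping those two fields and adding Protocol yields (Source IP OR Destination IP) AND Protocol, which also admits the third record (source matches, TCP) but not the second (destination matches, but UDP).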

Viewing CPU Monitor

For GMS-managed SonicWALL firewall appliances running SonicOS 3.0 and higher, the CPU Monitor displays real-time CPU utilization in second, minute, hour, and day intervals. To view CPU utilization data, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab. In the center pane, navigate to Diagnostics > CPU Monitor.

3. To refresh the CPU diagnostic display, click Refresh Diagnostic Data display.

4. To delete the CPU diagnostic display, click Delete Diagnostic Data display.

5. To modify the time period for the CPU data, select one of the following periods from the Chart for pull-down menu:
   CPU History for the last 60 seconds - Displays CPU history for the last minute.
   CPU History for the last 60 minutes - Displays CPU history for the last hour.
   CPU History for the last 24 hours - Displays CPU history for the last day.
   CPU History for the last 30 days - Displays CPU history for the last 30 days.

6. Click Fetch CPU Information to display CPU information from the SonicWALL appliance. The scheduler displays.

7. Expand Schedule by clicking the plus icon.

8. Select Immediate or specify a future date and time.

9. Click Accept.

Viewing Process Monitor

For GMS-managed SonicWALL firewall appliances running SonicOS 3.0 and higher, the Process Monitor displays individual system processes, their CPU utilization, and their system time.
To view diagnostic data, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

2. Expand the Diagnostics tree and click Process Monitor. The Process Monitor page displays.

3. To refresh the process diagnostic display, click Refresh Diagnostic Data display.

4. To delete the process diagnostic display, click Delete Diagnostic Data display.

5. Click Fetch Process Information to display Process Monitor information. The scheduler displays.

6. Expand Schedule by clicking the plus icon.

7. Select Immediate or specify a future date and time.

8. Click Accept.

CHAPTER 14
Configuring Firewall Website Blocking
This chapter describes how to use SonicWALL GMS to configure website blocking options for one or more SonicWALL appliances. This functionality can be used to deny access to material supplied by the active content filtering subscription, specific domains, domains by keyword, and Web features such as ActiveX, Java, and cookies.
This chapter includes the following sections:

Configuring General Website Blocking section on page 319

Configuring the CFS Exclusion List section on page 329

Blocking Web Features section on page 336

Configuring Access Consent section on page 337

N2H2 and Websense Content Filtering section on page 338

Note
SonicWALL appliances are entitled to a one-month content filter trial subscription.

Configuring General Website Blocking

The General page is used to configure whether access to restricted content, sites, and features is blocked or logged, if and when users can access blocked material, and the message that will be displayed when users attempt to access blocked material.
SonicWALL offers two types of content filtering and supports two third-party content filtering packages: N2H2 and Websense Enterprise. To configure filtering options for N2H2 or Websense, view the documentation that came with the software package.
To configure general blocking options, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > General. The Website Blocking General page displays.

4. Select the content filtering package that you will use:
   SonicWALL CFS - Enables the SonicWALL CFS filtering package based on the firmware version of the SonicWALL appliance. To configure SonicWALL content filtering, refer to the Selecting the Content to Block section on page 321.
   N2H2 - To use N2H2, you must have the N2H2 software package running on a server in your network. For more information, visit www.n2h2.com.
   Websense - To use Websense, you must have the Websense Enterprise software package running on a server in your network. For more information, visit www.websense.com.

Note
If you select N2H2 or Websense, make sure to configure the appropriate filtering options. For more information, refer to the N2H2 and Websense Content Filtering section on page 338.

5. A trusted domain is a domain that is allowed to use Web features such as Java, ActiveX, and cookies. To create a list of trusted domains, select the Don't block Java/ActiveX/Cookies to Trusted Domains check box.

6. Enter one or more domain names in the Trusted Domains field and click Add. The scheduler displays. Separate multiple domains with a semicolon (;).

Timesaver
Importing a .txt file with one domain name per line is the easiest way to add multiple domains to a Trusted Domains list. Click the Import... button to add multiple domains from a text file.

7. Expand Schedule by clicking the plus icon.

8. Select Immediate or specify a future date and time.

9. Click Accept.

10. Repeat steps 5 - 10 for other domains you would like to add.

Note
Enter the domain name only. For example, yahoo.com. Do not include http://. Entering yahoo.com will also allow access to www.yahoo.com, my.yahoo.com, sports.yahoo.com, and so on.

Note
This feature will only enable Web features for the selected domains. To make the domain available for unrestricted browsing, add it to the Allowed Domains list. For more information, refer to the Customizing Access by Domain section on page 331.

11. To delete a domain from the Trusted Domains list, click the checkbox in the trash can column for the domain and click Update.

12. To apply content filtering and Web feature restrictions to the LAN port (WorkPort), select LAN/WorkPort.

13. To apply content filtering and Web feature restrictions to the DMZ port (HomePort), select DMZ/HomePort/WLAN/OPT. For SonicWALL wireless appliances, the DMZ/HomePort/WLAN/OPT option also applies content filtering and Web feature restrictions to the WLAN interface.

14. Enter the message that will be displayed when users attempt to access restricted content, sites, and features. For example, This Web site is restricted. Get back to work.

15. When you are finished, click Update. The scheduler displays.

16. Expand Schedule by clicking the plus icon.

17. Select Immediate or specify a future date and time.

18. Click Accept.
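The Trusted Domains rules in steps 5 to 11 and the two notes (entries separated by semicolons or imported one per line from a .txt file, bare domain names without http://, and an entry such as yahoo.com also covering www.yahoo.com and my.yahoo.com) are the kind of thing worth validating before a list is pushed to many appliances. The following Python script is an added example and not SonicWALL GMS code: it parses a field value or an import file, rejects entries that are URLs rather than domain names, and decides whether a given host is covered by the list. Function names and sample hosts are assumptions made for the demonstration; the Trusted Domains list, as the second note says, only re-enables Web features for those domains and does not make them browsable when they are otherwise blocked.

```python
"""Trusted Domains list handling for the Website Blocking General page.

Added example, not SonicWALL GMS code. Models what steps 5-11 and the notes
describe: entries are separated by ';' or supplied one per line from a .txt
import, must be bare domain names (no http://), and an entry such as
yahoo.com also covers www.yahoo.com, my.yahoo.com and every other host under
it. Function names and sample hosts are assumptions for the demonstration.
"""
import re

# One or more labels (letters, digits, hyphens, 1-63 chars each) then an
# alphabetic top-level label; the lookahead caps the whole name at 253 chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_entry(entry):
    """Return a bare lower-case domain, or raise ValueError for a bad entry."""
    domain = entry.strip().lower().rstrip(".")
    if "://" in domain or "/" in domain:
        raise ValueError(f"enter the domain name only, not a URL: {entry!r}")
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"not a valid domain name: {entry!r}")
    return domain


def entry_error(entry):
    """The validation message for an entry, or None if it is acceptable."""
    try:
        normalize_entry(entry)
    except ValueError as exc:
        return str(exc)
    return None


def parse_trusted_domains(text):
    """Parse a ';'-separated field value or the contents of a one-per-line .txt file.

    Blank entries are skipped, duplicates are dropped, order is preserved.
    """
    parts = [p for line in text.splitlines() for p in line.split(";")]
    domains = []
    for part in parts:
        if not part.strip():
            continue
        domain = normalize_entry(part)
        if domain not in domains:
            domains.append(domain)
    return domains


def is_trusted(host, trusted_domains):
    """yahoo.com in the list trusts yahoo.com itself and every host under it."""
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)
```

The suffix check uses a leading dot, so an entry of yahoo.com does not accidentally trust notyahoo.com, and a host such as yahoo.com.example is not matched either, since only hosts that end in .yahoo.com are covered.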

Selecting the Content to Block


Depending on the version of the firmware, you will use either the CFL Filter List or the CFSFilter
List page. If a SonicWALL appliance uses CFL, it will periodically download a filter list that will
be used to block objectionable sites. If a SonicWALL appliance uses CFS, it will send a request
to the SonicWALL site each time a request for potentially objectionable material is made.

Note

You must activate a service licence to use CFL or CFS content blocking.

Content Filter List


The CFL Filter List page defines categories of website content that will be blocked and when
the SonicWALL appliance(s) will download the content filter list.

Note

This page does not affect N2H2 or Websense content filtering. For information on
configuring filtering options for these software packages, refer to their documentation.
To configure the filter list, perform the following steps:
1.

In the left pane, select the global icon, a group or a SonicWALL appliance.

2.

Click the Policies tab.

SonicWALL GMS 7.0 Administrators Guide

321

Selecting the Content to Block

3.

In the center pane, navigate to Website Blocking > CFL Filter List.

4.

Select the content to block by checking the box next to any of the following categories (to
select all categories, check the Select All box):
Violence/ProfanityIncludes pictures or text depicting extreme cruelty, or physical or

emotional acts against any animal or person that are primarily intended to hurt or inflict
pain. Obscene words, phrases, and profanity are defined as text that uses, but is not
limited to, George Carlins seven censored words, more often than once every 50
messages (Newsgroups) or once a page (Web sites).

Partial NudityPictures exposing the female breast or full exposure of either male or

female buttocks, except when exposing genitalia. Excludes all swimsuits, including
thongs.

Full NudityPictures exposing any or all portions of the human genitalia. Excludes

sites containing nudity or partial nudity of a wholesome nature. For example, Web sites
hosted by publications such as National Geographic or Smithsonian Magazine and
museums such as the Guggenheim, the Louvre, or the Museum of Modern Art are not
blocked.

Sexual Acts (graphics or text)Pictures or text exposing anyone or anything

involved in explicit sexual acts and or lewd and lascivious behavior, including
masturbation, copulation, pedophilia, and intimacy involving nude or partially nude
people in heterosexual, bisexual, lesbian or homosexual encounters. This also includes
phone sex ads, dating services, adult personals, CD-ROMs, and videos.

Gross Depictions (graphics or text)Pictures or descriptive text of anyone or

anything that are crudely vulgar or grossly deficient in civility or behavior, or that show
scatological impropriety. For example, maiming, bloody figures, or indecent depiction
of bodily functions.

Intolerance (graphics or text)Pictures or text advocating prejudice or discrimination

against any race, color, national origin, religion, disability or handicap, gender, or
sexual orientation. Includes any picture or text that elevates one group over another.
Also includes intolerant jokes or slurs.

322

SonicWALL GMS 7.0 Administrators Guide

Selecting the Content to Block

Satanic/Cult (graphics or text)Pictures or text advocating devil worship, an affinity

for evil or wickedness, or the advocacy to join a cult. A cult is defined as a closed
society headed by a single individual where loyalty is demanded and leaving is
punishable.

Drug Culture (graphics or text)Pictures or text advocating the illegal use of drugs

for entertainment. Includes substances used for other than their primary purpose to
alter the individuals state of mind, such asglue sniffing. Excludes currently illegal drugs
legally prescribed for medicinal purposes (e.g., drugs used to treat glaucoma or
cancer).

Militant/Extremist (graphics or text)Pictures or text advocating extremely

aggressive and combative behaviors, or unlawful political measures. Topics include


groups that advocate violence as a means to achieve their goals. Includes how to
information on weapons making, ammunition making, or the making or use of
pyrotechnic materials. Also includes the use of weapons for unlawful reasons.

Sex Education (graphics or text)Pictures or text advocating the proper use of

contraceptives. This topic includes condom use, the correct way to wear a condom and
how to put a condom in place. Also included are sites relating to discussion about the
use of the Pill, IUDs, and other types of contraceptives. In addition to the above, this
includes discussion sites on discussing diseases with a partner, pregnancy, and
respecting boundaries. Excluded from this category are commercial sites selling sexual
paraphernalia.

Gambling/Questionable/Illegal (graphics or text)Pictures or text advocating

materials or activities of a dubious nature which that beillegal in any or all jurisdictions,
such as illegal business schemes, chain letters, copyright infringement, computer
hacking, phreaking (using someones phone lines without permission), and software
piracy..

Alcohol/Tobacco (graphics or text)Pictures or text advocating the sale,

consumption, or production of alcoholic beverages and tobacco products.

5.

Tip

To configure the SonicWALL appliance(s) to download the content list weekly, select the
Automatically Download List Every check box and select the day of the week and time
when the download will occur.

If you select this option, configure the SonicWALL appliance(s) to download the list at a time
when network activity is low.

Note

This option requires a subscription to the Content Filter List updates.

6.

To download a new content filter list now, click the Download Filter List Now button. The
scheduler displays.

7.

Expand Schedule by clicking the plus icon.

8.

Select Immediate or specify a future date and time.

9.

Click Accept.

10. Select one of the following Logging options:

- Log and Block Access: Blocks access to restricted content, sites, and features and
logs access attempts.

- Log Only: Does not block access to restricted content, sites, and features, but logs
access. This enables organizations to monitor appropriate usage without restricting
access.

11. Select from the following filter list expiration options:

- To block access to all Web sites except trusted domains thirty days after the filter list
expires, select Block traffic to all websites except for Allowed Domains.

- To allow access to all Web sites thirty days after the filter list expires, select Allow
traffic access to all websites.

12. When you are finished, click Update. The scheduler displays.
13. Expand Schedule by clicking the plus icon.
14. Select Immediate or specify a future date and time.
15. Click Accept.

CFS Filter List


The CFS Filter List allows you to block objectionable content. You must have a license for the
CFS Filter List.
To configure the Content Filter Service, perform the following steps:

- Configuring the General CFS Filter List Settings section on page 324.

- Configuring the CFS Standard Page section on page 325.

- Configuring the CFS Premium Page section on page 327.

Configuring the General CFS Filter List Settings


The CFS Filter List page defines categories of Web site content that will be blocked in real time.
Each time a request for potentially objectionable material is made, CFS sends a request to the
SonicWALL site.

Note: This page does not affect N2H2 or Websense content filtering. For information on
configuring filtering options for these software packages, refer to their documentation.

To configure the filter list, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > CFS Filter List.

4. To enable failover to a backup CFS server, select the Enable CFS Server Failover
checkbox.

5. To filter both HTTP and HTTPS traffic, select the Enable HTTPS Content Filtering
checkbox. HTTPS content filtering is IP and hostname based. While HTTP content filtering
can perform redirects to enforce authentication or provide a block page, HTTPS filtered
pages will be silently blocked.

6. Specify how long the SonicWALL appliance will wait if the CFS server is unavailable before
blocking Web traffic in the If Server is unavailable for field.

7. Specify the action the SonicWALL appliance will take if the server is unavailable. To block
access to all Web sites, select Block traffic to all Web sites. To allow access to all Web
sites, select Allow traffic to all Web sites.

8. Specify how the SonicWALL appliance will respond to blocked URLs in the If Server marks
URL as blocked section:

- Block Access to URL: Blocks access to restricted content, sites, and features.

- Log Access to URL: Does not block access to restricted content, sites, and features,
but logs access. This enables organizations to monitor appropriate usage without
restricting access.

9. Specify the size of the URL cache in the Cache Size field. For information on valid ranges,
click the Click here for valid ranges link.

10. When you are finished, click Update. The scheduler displays.
11. Expand Schedule by clicking the plus icon.
12. Select Immediate or specify a future date and time.
13. Click Accept.

Configuring the CFS Standard Page


The CFS Standard page defines categories of Web site content that will be blocked in real time.

Note: This page does not affect N2H2 or Websense content filtering. For information on
configuring filtering options for these software packages, refer to their documentation.

To configure the filter list, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > CFS Standard.

4. Select the content to block by checking the box next to one of the following categories (to
select all categories, check the Select all box):

- Violence/Hate/Racism: Includes pictures or text exposing extreme cruelty, or
physical or emotional acts against any animal or person that are primarily intended to
hurt or inflict pain. Includes pictures or text advocating prejudice or discrimination
against any race, color, national origin, religion, disability or handicap, gender, or
sexual orientation. Includes any picture or text that elevates one group over another.
Also includes intolerant jokes or slurs.

- Cult/Occult (graphics or text): Pictures or text advocating devil worship, an affinity
for evil or wickedness, or the advocacy to join a cult. A cult is defined as a closed
society headed by a single individual where loyalty is demanded and leaving is
punishable.

- Intimate Apparel/Swimsuit Partial Nudity: Pictures exposing males or females in
lingerie, swimsuits, or other intimate apparel.

- Drugs/Illegal Drugs (graphics or text): Pictures or text advocating the illegal use of
drugs for entertainment. Includes substances used for other than their primary purpose
to alter the individual's state of mind, such as glue sniffing. Excludes currently illegal
drugs legally prescribed for medicinal purposes (e.g., drugs used to treat glaucoma or
cancer).

- Nudism (graphics or text): Pictures or text advocating nudism, providing information,
or advertising related resorts or services.

- Illegal Skills/Questionable Skills (graphics or text): Pictures or text advocating
materials or activities of a dubious nature which may be illegal in any or all jurisdictions,
such as illegal business schemes, chain letters, copyright infringement, computer
hacking, phreaking (using someone's phone lines without permission), and software
piracy.

- Pornography (graphics or text): Pictures of any or all portions of the human genitalia
and pictures or text exposing anyone or anything involved in explicit sexual acts and/or
lewd and lascivious behavior, including masturbation, copulation, pedophilia, and
intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian or
homosexual encounters. Excludes sites containing nudity or partial nudity of a
wholesome nature and all swimsuits, including thongs.

- Sex Education (graphics or text): Pictures or text advocating the proper use of
contraceptives. This topic includes condom use, the correct way to wear a condom and
how to put a condom in place. Also included are sites relating to discussion about the
use of the Pill, IUDs, and other types of contraceptives. In addition to the above, this
includes discussion sites on discussing diseases with a partner, pregnancy, and
respecting boundaries. Excluded from this category are commercial sites selling sexual
paraphernalia.

- Weapons (graphics or text): Pictures or text advocating the legal or illegal use of
weapons, providing weapons for sale, or advocating extremely aggressive and
combative behaviors, or unlawful political measures.

- Gambling (graphics or text): Pictures or text providing or advocating gambling
services relating to lotteries, casinos, betting, numbers games, on-line sports, and
financial betting, including non-monetary dares.

- Adult/Mature Content (graphics or text): Pictures or text such as phone sex ads,
dating services, adult personals, CD-ROMs, and videos. Excludes sites containing
nudity or partial nudity of a wholesome nature and all swimsuits, including thongs.

- Alcohol & Tobacco (graphics or text): Pictures or text advocating the sale,
consumption, or production of alcoholic beverages and tobacco products.

5. When you are finished, click Update. The scheduler displays.

6. Expand Schedule by clicking the plus icon.

7. Select Immediate or specify a future date and time.

8. Click Accept.

9. If you believe that a website is rated incorrectly, or to submit a new URL for blocking, click
the here link in the sentence "If you believe that a Web site is rated incorrectly or you
wish to submit a new URL, click here."

Configuring the CFS Premium Page


The CFS Premium service enables you to add advanced content filtering functionality to one or
more SonicWALL appliances by choosing specific content to filter from 64 different content
categories. This section describes how to configure the CFS Premium service.

Note: This page does not affect N2H2 or Websense content filtering. For information on
configuring filtering options for these software packages, refer to their documentation.

To configure the CFS Premium service, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > CFS Premium.

4. Click Add CFS Policy.

5. Enter a name for the policy.

6. Click the URL List tab.

7. Check the boxes of the categories to block. To select all categories, check the Select all
Categories box.

8. Click the Settings tab.

a. To disable the allowed domains list, select the Disable Allowed Domains check box.
b. To prevent access to domains specified in the Forbidden Domain list, select the Enable
Forbidden Domains check box.
c. To enable the keyword blocking feature, select the Enable Keyword Blocking check
box.

9. From the pull-down menu, select when the forbidden URLs will be blocked.

10. When you are finished, click OK. The scheduler displays.
11. Expand Schedule by clicking the plus icon.
12. Select Immediate or specify a future date and time.
13. Click Accept.
14. Repeat this procedure for each filter that you would like to add.

Configuring the CFS Exclusion List


The CFS exclusion list allows you to specify an IP address or IP address range that is excluded
from Website blocking.
To enable and configure a CFS exclusion list, perform the following tasks:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab. In the center pane, navigate to
Website Blocking > CFS Exclusion List.

3. Check the Enable CFS Exclusion List box to enable CFS block list exclusions.

4. Enter an IP address or IP address range to exclude. For a single IP address, enter the same
IP address in the IP Address From and IP Address To fields. For a range, enter the
beginning IP address in the IP Address From field and the ending IP address in the IP
Address To field.

5. Click Add IP Range Entry.

6. Repeat steps 5 and 6 to add more IP addresses or IP address ranges.

7. To delete an IP address or IP address range from the CFS exclusion list, click the checkbox
in the trashcan column for the addresses.

8. Click Update. The scheduler displays.

9. Expand Schedule by clicking the plus icon.

10. Select Immediate or specify a future date and time.

11. Click Accept.

Configuring CFS Custom Category


This section details creating a custom CFS category entry. CFS allows the administrator not
only to create custom Policies, but also allows for custom domain name entries to the existing
CFS rating categories. This allows for insertion of custom CFS-managed content into the
existing and very flexible category structure.
The CFS Custom Category page is available for appliances running SonicOS Enhanced 5.6 and
higher.

1. Navigate to the Website Blocking > CFS Custom Category page.

2. Select the Enable CFS Custom Category checkbox.

3. Click the Update button to save your changes and enable the Custom Category feature.

4. Click the Add... button to create a custom category.

5. Enter a descriptive Name for the custom entry.

6. Choose the pre-defined Category to which this entry will be added.

7. Enter a domain name into the Content field.

Note: All subdomains of the domain entered are affected. For example, entering yahoo.com
applies to mail.yahoo.com and my.yahoo.com, hence it is not necessary to enter all
FQDN entries for subdomains of a parent domain.

8. Click the Add button to add the custom entry.

9. Repeat steps 7 through 8 to add additional entries.

10. Click OK when you are finished.

The CFS Custom Category Search option provides the ability to search the configured custom
categories. To do so, perform the following steps:

1. In the Search pull-down menu, select whether to search by Name or Category.

2. When searching by name, select what type of search to perform: Equals, Starts with,
Ends with, or Contains.

3. When searching by name, enter the value to search for in the text box.

4. When searching by category, select which category to search for.

5. Click Search.

Customizing Access by Domain


The Customization page is used to block or allow access to specific domain names. This
enables an organization to block access to domains that are not in the content filter list, allow
access to domains in the content filter list, or only allow access to specific domains.
Allowed domains are domains that users can access, regardless of whether they appear in the
content filter list. Allowed domains are particularly useful for dedicated systems that are only
allowed to access specific websites. Up to 256 entries are supported in the Allowed Domains
list.

Timesaver: Importing a .txt file with one domain per line is the easiest way to add multiple domains to
a forbidden/allowed list. See the Adding Multiple Domains From a List section on page 333
for more.

Forbidden domains are domains that users will not be allowed to access. This is useful when a
website disrupts a corporate or educational environment. To find out which websites are most
frequently accessed, refer to the Top Web Site Hits section of the log report. Up to 256 entries
are supported in the Forbidden Domains list.

Note: This feature is not available if you select N2H2 or Websense content filtering. For
information on configuring filtering options for these software packages, refer to their
documentation.

Enabling Website Blocking Customization


To configure list customization options:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > Customization.

4. Enable list customization by checking the Enable Allowed/Forbidden Domains box.

5. To disable Web traffic except for allowed domains, check the Disable all Web traffic
except for Allowed Domains box. (This option is available only on appliances running
SonicOS Standard, or other non-Enhanced firmware.)

Adding Individual Forbidden/Allowed Domains


To add one or more allowed/forbidden domains:

1. To add a small number of domains, enter the domain name in the Allowed Domains field
and click Add. The scheduler displays. You can add several domains at once by separating
your entries with a semicolon (;).

Note: Enter the domain name only. For example, yahoo.com. Do not include http://. Entering
yahoo.com will also allow access to www.yahoo.com, my.yahoo.com, sports.yahoo.com,
and so on.

2. Expand Schedule by clicking the plus icon.

3. Select Immediate or specify a future date and time.

4. Click Accept.

5. Repeat this step for each domain you would like to add.

Adding Multiple Domains From a List


To add a large number of domains from a text-based list:

1. Click the Import... button. The upload file window displays.

2. Click the Browse... button to upload a text-based (.txt) file containing the URL list. The
URLs in this text file must be separated by line breaks.

3. In the Schedule window, select Immediate or specify a future date and time.

4. Click Accept.

Timing Options in SonicOS Standard


To configure timing options for SonicOS Standard appliances:

1. Select one of the following Timing options. (This option is available only on appliances
running SonicOS Standard, or other non-Enhanced firmware.)

- Always Block: Always blocks access to all restricted content, sites, and features.

- Block From: Blocks access to restricted content, sites, and features between the
selected hours. Select the from and to hours and the day range from the pull-down
menus.

2. When you are finished, click Update. The scheduler displays.

3. Expand Schedule by clicking the plus icon.

4. Select Immediate or specify a future date and time.

5. Click Accept.


Deleting Domains from the Domain Lists


To delete one or more domains from the Allowed Domain or Forbidden Domain lists, perform
the following steps:

1. Navigate to Website Blocking > Customization.

2. Check the box below the trash can icon and next to the item you want to delete. Repeat this
step for each domain that you want to remove from the domain lists.

3. When you are finished, click Update. The scheduler displays.

4. Expand Schedule by clicking the plus icon.

5. Select Immediate or specify a future date and time.

6. Click Accept.

Blocking Access to Domains by Keywords


The URL Keywords page is used to block access to domain names by keyword. This provides
a second line of defense against objectionable material. For example, if the keyword xxx was
included in the list, the site www.new-site.com/xxx.html would be blocked.

Note: Be careful when using this feature. For example, blocking the word breast can prevent
access to both pornographic or objectionable sites, but will also block sites on breast cancer.

Note: This feature is not available if you select N2H2 or Websense content filtering. For
information on configuring filtering options for these software packages, refer to their
documentation.

To configure domain blocking by keyword, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > URL Keywords.

4. Enable keyword blocking by checking the Enable Keyword Blocking box.

5. Click Update. The scheduler displays.

6. Expand Schedule by clicking the plus icon.

7. Select Immediate or specify a future date and time.

8. Click Accept.

9. To add one or more keywords, enter them in the URL Keyword field and click Add. The
scheduler displays. Multiple keywords should be separated by a semicolon (;).

Timesaver: Importing a .txt file with one keyword per line is the easiest way to add multiple keywords.
Click the Import... button to add multiple keywords from a text file.

10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept. Repeat these steps for each keyword you would like to add.
13. To remove a keyword, select its check box below the trash can icon. Repeat this step for
each keyword that you want to remove from the keyword lists.
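The Allowed/Forbidden Domains, URL Keywords and CFS Exclusion List rules described in the preceding sections can be checked offline before a change is scheduled. The following Python model is an added example, not SonicWALL code: the evaluation order it uses (exclusion list first, then allowed domains, forbidden domains, keywords) and the class and function names are assumptions made for this illustration, and the sample lists are constructed.

```python
"""Added example (not SonicWALL code): an offline model of the Website Blocking
customization rules, for checking a candidate domain/keyword list before it is
pushed to appliances. Evaluation order is an assumption of this model."""
import ipaddress
from urllib.parse import urlsplit

MAX_DOMAIN_ENTRIES = 256  # limit the guide states for each domain list


def normalize_domain(entry):
    """Domain name only, as the guide requires: strip scheme, path and case."""
    entry = entry.strip().lower()
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    return entry.split("/")[0].strip(".")


def parse_domain_list(text):
    """Entries are separated by semicolons (UI field) or line breaks (.txt import)."""
    entries = []
    for raw in text.replace(";", "\n").splitlines():
        dom = normalize_domain(raw)
        if dom and dom not in entries:
            entries.append(dom)
    if len(entries) > MAX_DOMAIN_ENTRIES:
        raise ValueError("list exceeds %d entries" % MAX_DOMAIN_ENTRIES)
    return entries


def domain_matches(host, entry):
    """yahoo.com covers yahoo.com and every subdomain (mail.yahoo.com), but a
    plain suffix test would also cover look-alikes such as notyahoo.com, so the
    match is anchored on a label boundary."""
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


class WebsiteBlockingPolicy:
    def __init__(self, allowed="", forbidden="", keywords=(), exclusions=(),
                 allowed_only=False):
        self.allowed = parse_domain_list(allowed)
        self.forbidden = parse_domain_list(forbidden)
        # URL keywords are plain substrings of the whole URL (guide: "xxx"
        # blocks www.new-site.com/xxx.html)
        self.keywords = [k.strip().lower() for k in keywords if k.strip()]
        # CFS Exclusion List entries: (IP Address From, IP Address To), inclusive
        self.exclusions = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
                           for a, b in exclusions]
        # "Disable all Web traffic except for Allowed Domains"
        self.allowed_only = allowed_only

    def client_excluded(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(lo <= ip <= hi for lo, hi in self.exclusions)

    def evaluate(self, client_ip, url):
        """Return (decision, reason) for one request from one client."""
        if self.client_excluded(client_ip):
            return ("allow", "client in CFS exclusion list")
        host = normalize_domain(url)
        for entry in self.allowed:            # allowed wins over every block rule
            if domain_matches(host, entry):
                return ("allow", "allowed domain %s" % entry)
        for entry in self.forbidden:
            if domain_matches(host, entry):
                return ("block", "forbidden domain %s" % entry)
        lowered = url.lower()
        for kw in self.keywords:
            if kw in lowered:
                return ("block", "URL keyword %r" % kw)
        if self.allowed_only:
            return ("block", "not in allowed domains")
        return ("allow", "no customization rule matched")


def keyword_collisions(keywords, legitimate_urls):
    """Pre-deployment check for the over-blocking caveat in the guide (the word
    "breast" also blocks breast cancer sites): list every legitimate URL a
    keyword would block."""
    return [(kw, url) for kw in keywords for url in legitimate_urls
            if kw.lower() in url.lower()]


# Constructed sample configuration, using the guide's own example values.
SAMPLE_POLICY = WebsiteBlockingPolicy(
    allowed="yahoo.com; http://example.org/",
    forbidden="games.example.net",
    keywords=["xxx", "breast"],
    exclusions=[("192.0.2.10", "192.0.2.20")],
)

if __name__ == "__main__":
    for ip, url in [("10.0.0.5", "http://mail.yahoo.com/inbox"),
                    ("10.0.0.5", "http://www.new-site.com/xxx.html"),
                    ("192.0.2.15", "http://www.new-site.com/xxx.html"),
                    ("10.0.0.5", "http://www.breastcancer.example/")]:
        print(ip, url, SAMPLE_POLICY.evaluate(ip, url))
    print(keyword_collisions(["breast"], ["http://www.breastcancer.example/"]))
```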

Blocking Web Features


The Web Features page is used to block ActiveX Controls, Java, cookies, Web proxy, and
known fraudulent certificates. To block these features, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > Web Features.

4. Check the boxes next to the objects to block:

- ActiveX: Blocks ActiveX controls. ActiveX is a programming language used to embed
small programs in Web pages. It is generally considered insecure because it is possible
for malicious programmers to write controls that can delete files, compromise security,
or cause other damage.

- Java: Blocks Java applets. Java applets are downloadable Web applications that are
used on many websites. Selecting this option will block all Java applets, regardless of
their function.

- Cookies: Prevents websites from placing information on user hard drives. Cookies are
used by Web servers to track Web usage and remember user identity. Cookies can
compromise users' privacy by tracking Web activities.

Note: Blocking cookies on the public Internet creates a large number of accessibility
problems. Most sites make extensive use of cookies to generate Web pages and
blocking cookies will make most e-commerce applications unusable.

- Access to HTTP Proxy Servers: Blocks users from accessing Web proxy servers on
the Internet to circumvent content filtering by pointing their computers to the proxy
servers.

- Known Fraudulent Certificates: Blocks access to Web content that originated from
a known fraudulent certificate. Digital certificates help verify that Web content
originated from an authorized party.

5. When you are finished, click Update. The scheduler displays.

6. Expand Schedule by clicking the plus icon.

7. Select Immediate or specify a future date and time.

8. Click Accept.

Configuring Access Consent


The consent feature allows organizations to specify computers that are always filtered and
computers that are filtered by user request. This feature is popular in libraries, Internet cafes,
and other public Internet systems.

Note: This feature is not available if you select N2H2 or Websense content filtering. For
information on configuring filtering options for these software packages, refer to their
documentation.

To configure the consent feature, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > Consent.

4. Check the Require Consent check box to require consent. Users can choose if they want
filtering or not.

5. Enter the maximum time (in minutes) a user can access the Internet in the Maximum Web
Usage field.

6. Specify the maximum amount of time (in minutes) a connection may remain idle before the
user is logged out and must agree to the consent agreement again in the User Idle
Timeout field.

7. Enter the URL of the Web page from which users choose to enable filtering in the Consent
Page URL (Optional Filtering) field. This page displays when users first attempt to access
the Internet and must contain a link for choosing unfiltered access and a link for choosing
filtered access. The link for unfiltered access is IPaddress/iAccept.html. The link for filtered
access is IPaddress/iAcceptFilter.html. IPaddress is the LAN (WorkPort) IP address of the
SonicWALL appliance.

8. Enter the URL of the page that displays when users choose to access the Internet without
content filtering in the Consent Accepted URL (Filtering Off) field. This page must be
accessible on the LAN (WorkPort).

9. Enter the URL of the page that displays when users access the Internet with content filtering
enabled in the Consent Accepted URL (Filtering On) field. This page must be
accessible on the LAN (WorkPort).

10. When a user opens a Web browser on a computer with mandatory content filtering, they will
be shown a consent page. Enter the URL for the consent page in the Consent Page URL
(Mandatory Filtering) field. You will need to create this Web page. It usually contains an
Acceptable Use Policy and a notification that violations will be logged or blocked.
This Web page must reside on a Web server that is accessible as a URL by LAN (WorkPort)
users. This page must also contain a link that tells the SonicWALL appliance that the user
agrees to having filtering enabled. To do this, create the following link:
IPaddress/iAcceptFilter.html
where IPaddress is the LAN (WorkPort) IP address of the SonicWALL appliance.

11. To enforce content filtering for a specific computer on the LAN, enter the IP address in the
IP Addresses field of the Mandatory Filtered IP Addresses section and click Add. Up to
128 IP addresses can be entered.

12. To remove a computer from the list of computers to be filtered, click the checkbox in the
trash can column for the IP address.

13. When you are finished, click Update. The scheduler displays.
14. Expand Schedule by clicking the plus icon.
15. Select Immediate or specify a future date and time.
16. Click Accept.

N2H2 and Websense Content Filtering


The following sections describe additional filtering configuration options for N2H2 and
Websense content filtering:

- N2H2 section on page 338

- Websense section on page 339

N2H2
To configure N2H2 content filtering options, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > N2H2.

4. Enter the N2H2 server name or IP address in the Server Host Name or IP Address field.

5. Enter the port on which the N2H2 server listens for N2H2 requests in the Listen Port field
(default: 4005).

6. Enter the port that the N2H2 server uses to send packets to the SonicWALL appliances in
the Reply Port field (default: 4005).

7. Enter the username associated with the N2H2 account in the User Name field.

8. Enter the size of the URL cache in the URL Cache Size field. A larger URL cache can
improve browser response times.

9. Select the action that the SonicWALL appliance(s) will take if the N2H2 server is
unavailable beyond a specified period of time. First, enter the time period (in seconds) in
the If user is unavailable for field. Then, select one of the options:

- To block traffic to all Web sites, select Block traffic to all Web sites.
- To allow access to all Web sites, select Allow traffic to all Web sites.

10. If a server marks a URL as blocked, select one of the following actions:

- Block Access to URL: Blocks access to restricted sites and logs access attempts.
- Log Access to URL: Does not block access to restricted sites, but logs access. This
enables organizations to monitor appropriate usage without restricting access.

11. When you are finished, click Update. The scheduler displays.
12. Expand Schedule by clicking the plus icon.
13. Select Immediate or specify a future date and time.
14. Click Accept.

Websense
To configure Websense content filtering options, perform the following steps:

1. In the left pane, select the global icon, a group, or a SonicWALL appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Website Blocking > Websense.

4. Enter the Websense server name or IP address in the Server Host Name or IP Address
field.

5. Enter the port used for Websense packets in the Server Port field (default: 15868).

6. Enter the username associated with the Websense account in the User Name field.

7. Enter the size of the URL cache in the URL Cache Size field. A larger URL cache can
improve browser response times. The default cache size is 50.

8. Enter a time period (in seconds) in the If user is unavailable for field. Then, select the
action that the SonicWALL appliance(s) will take after that period of time:

- To block traffic to all Web sites, select Block traffic to all Web sites.
- To allow access to all Web sites, select Allow traffic to all Web sites.

9. When you are finished, click Update. The scheduler displays.

10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept.

CHAPTER 15
Configuring Firewall Dynamic Host Configuration Protocol

This chapter describes how to use SonicWALL GMS to configure SonicWALL appliances as
DHCP servers. Dynamic Host Configuration Protocol (DHCP) enables network administrators
to automate the assignment of IP addresses from a centralized DHCP server. This conserves
IP addresses and makes it easy for mobile users to move among different segments of the
network without having to manually enter new IP addresses.

This chapter includes the following sections:

- DHCP Server Options Overview section on page 341

- Configuring DHCP Over VPN section on page 342

- Configuring Dynamic DHCP IP Address Ranges section on page 343

- Configuring Static IP Addresses section on page 346

- Configuring DHCP Option Objects section on page 349

- Configuring DHCP Option Groups section on page 350

- Configuring General DHCP Settings section on page 350

DHCP Server Options Overview


For SonicWALL appliances running SonicOS Enhanced 4.0 and above, the SonicWALL DHCP
server options feature provides support for DHCP options, also known as vendor extensions,
as defined primarily in RFCs 2131 and 2132. DHCP options allow you to specify additional
DHCP parameters in the form of pre-defined, vendor-specific information that is stored in the
options field of a DHCP message. When the DHCP message is sent to clients on the network,
it provides vendor-specific configuration and service information. The SonicOS Enhanced
Administrators Guide provides a list of DHCP options by RFC-assigned option number.
SonicWALL GMS provides a way to define DHCP options using a drop down list based on
RFC-defined option numbers, allowing administrators to easily create DHCP objects and object
groups, and configure DHCP generic options for dynamic and static DHCP lease scopes. Once
defined, the DHCP option is included in the options field of the DHCP message, which is then
passed to DHCP clients on the network, describing the network configuration and service(s)
available.
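To see what an option object becomes on the wire, the following Python encoder and decoder for the DHCP options field (magic cookie, code/length/value triples, END) is an added example, not SonicWALL code. The function names are this example's own, the option codes are the RFC 2132 assignments, and the sample option set is constructed.

```python
"""Added example (not SonicWALL code): encode and decode the DHCP options field
described above, per RFC 2131/2132, so the bytes produced for an option object
can be inspected before they are handed out to clients."""
import ipaddress
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2132 section 2, precedes all options
OPT_PAD, OPT_END = 0, 255                 # single-byte options with no length field
OPT_ROUTER, OPT_DNS, OPT_LEASE_TIME, OPT_MSG_TYPE = 3, 6, 51, 53  # RFC 2132 codes
DHCPOFFER = 2                             # option 53 message type value


def ip_list(addresses):
    """Value for address-list options (router, DNS): concatenated 4-byte IPv4s."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)


def lease_time(seconds):
    """Value for option 51: unsigned 32-bit big-endian seconds."""
    return struct.pack("!I", seconds)


def encode_options(options):
    """options: iterable of (code, value bytes). Returns cookie + TLVs + END.
    Codes 0 and 255 are reserved and a value cannot exceed one length byte."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 1 <= code <= 254:
            raise ValueError("option code %d is reserved" % code)
        if len(value) > 255:
            raise ValueError("option %d value longer than 255 bytes" % code)
        out += bytes([code, len(value)]) + bytes(value)
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Walk the TLVs and return {code: value}. Repeated instances of one code are
    concatenated (RFC 3396). Truncated data or a missing END raises ValueError,
    which is the safe response: a partial option must not be acted on."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing")
    result, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return result
        if i + 1 >= len(blob):
            raise ValueError("truncated header for option %d" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for option %d" % code)
        result[code] = result.get(code, b"") + value
        i += 2 + length
    raise ValueError("END option missing")


def decode_ips(value):
    """Inverse of ip_list; rejects a value that is not a whole number of IPv4s."""
    if len(value) % 4:
        raise ValueError("address list length %d is not a multiple of 4" % len(value))
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]


def decode_lease_time(value):
    """Inverse of lease_time."""
    if len(value) != 4:
        raise ValueError("lease time must be 4 bytes")
    return struct.unpack("!I", value)[0]


# Constructed sample: the options an offer might carry for a LAN scope.
SAMPLE_OPTIONS = encode_options([
    (OPT_MSG_TYPE, bytes([DHCPOFFER])),
    (OPT_ROUTER, ip_list(["10.1.1.1"])),
    (OPT_DNS, ip_list(["10.1.1.53", "10.1.1.54"])),
    (OPT_LEASE_TIME, lease_time(86400)),
])

if __name__ == "__main__":
    print(SAMPLE_OPTIONS.hex())
    for code, value in decode_options(SAMPLE_OPTIONS).items():
        print(code, value.hex())
```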


Configuring DHCP Over VPN


Note: This screen is available at the unit/appliance level only.

DHCP over VPN enables clients of the SonicWALL appliance to obtain IP addresses from a
DHCP server at the other end of the VPN tunnel or a local DHCP server.

To configure DHCP over VPN, perform the following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

2. Expand the DHCP tree and click DHCP over VPN. The DHCP over VPN page displays.

3. Select from the following:

- To configure the SonicWALL appliance to forward DHCP requests through a VPN
tunnel, select Remote Gateway from the DHCP Relay Mode list box and do the
following:

  - Select the security association (SA) through which the DHCP server resides from
  the Obtain using DHCP through this SA list box.

  - Enter the IP address that will be inserted by the SonicWALL appliance as the IP
  address of the DHCP Relay Agent in the Relay IP Address field.

  - To manage this SonicWALL appliance remotely through the VPN tunnel from
  behind the Central Gateway, enter the management IP address in the Remote
  Management IP Address field.

  - If you enable Block traffic through tunnel when IP spoof detected, the
  SonicWALL blocks any traffic across the VPN tunnel that is spoofing an
  authenticated user's IP address. If you have any static devices, however, you must
  ensure that the correct Ethernet address is entered for the device.

  - If the VPN tunnel is disrupted, temporary DHCP leases can be obtained from the
  local SonicWALL appliance. Once the tunnel is active, it will stop issuing leases. To
  enable this option, select the Obtain temporary lease from local DHCP server if
  tunnel is down check box.
  When you enable this option, clients will be able to obtain IP addresses if the tunnel
  is unavailable. To ensure that clients use the remote DHCP server shortly after it
  becomes available, enter a short lease time in the Temporary Lease Time field.
  The default value is two minutes.
  Make sure to enable DHCP and enter an IP address range on the DHCP Setup
  page. Otherwise, the SonicWALL appliance will be unable to act as a DHCP server.

  - To specify static IP addresses on the LAN (WorkPort), enter the IP address and
  MAC address and click Add. Repeat this step for each device that uses a static IP
  address.

  - To specify a device that is not allowed to obtain an IP address through the SA, enter
  its MAC address and click Add. Repeat this step for each device that will not be
  allowed to obtain an IP address through the SA.

- To configure the SonicWALL appliance to forward DHCP requests to local servers,
select Central Gateway from the DHCP Relay Mode list box and do the following:

  - To configure the SonicWALL appliance to send DHCP requests to specific DHCP
  servers, select the Send DHCP requests to the server addresses listed below
  check box. Then, enter the IP address of a DHCP server and click Add. Repeat this
  step for each DHCP server that you want to add.

  - To configure the SonicWALL appliance to broadcast DHCP requests, deselect the
  Send DHCP requests to the server addresses listed below check box and leave
  the DHCP Servers field blank.

  - To use the DHCP server built into the SonicWALL appliance for some clients, select
  the Use Internal DHCP Server check box.
  To use the internal DHCP server for Global VPN clients, select the For Global VPN
  Client check box.
  To use the internal DHCP server for remote firewalls, select the For Remote
  Firewalls check box.

4. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Dynamic DHCP IP Address Ranges

Note

This screen is available at the unit/appliance level only.

This section describes how to configure dynamic IP address ranges.
To configure one or more dynamic IP address ranges, perform the following steps:

1. Select a SonicWALL appliance.

2. Expand the DHCP tree and click Dynamic Ranges. The Dynamic Ranges page displays.

3. Do one of the following:

   • To enable the DHCP server, select the Enable DHCP Server check box.
   • To disable the DHCP server, deselect the Enable DHCP Server check box.

4. Select Enable Conflict Detection to turn on automatic DHCP scope conflict detection on
   each zone.

5. To add or edit a dynamic range, do one of the following:

   • To add a dynamic range, click Add Dynamic Range.
   • To edit an existing dynamic range, click the icon in the Edit Dynamic Range column.

   The DHCP Setup dialog for Dynamic Ranges is displayed.

6. In the DHCP Setup dialog box, on the General tab, complete the following fields:

   • Select the Enable this DHCP Scope check box to enable the DHCP range. Deselect
     it to disable the range.
   • Enter the start of the range in the Range Start field.
   • Enter the end of the range in the Range End field.
   • In the Lease Time field, type the number of minutes that an IP address is used before
     another IP address is issued (or the same one is re-issued). 1440 minutes (24 hours)
     is the default value.
   • Specify the IP address and subnet mask of the default gateway for this IP address
     range in the Default Gateway and Subnet Mask fields. By default, these fields will use
     the settings on the Network Settings page.
   • Select the Allow BootP clients to use range check box if you have BootP clients on
     this network.
     BootP stands for bootstrap protocol, which is a TCP/IP protocol and service that allows
     diskless workstations to obtain their IP address, other TCP/IP configuration
     information, and their boot image file from a BootP server.

7. Click the DNS/WINS tab.

8. In the DHCP Setup dialog box, on the DNS/WINS tab, complete the following fields:

   • Optionally enter the domain name associated with this IP address range in the Domain
     Name field.
   • To configure one or more DNS servers for this range, do one of the following:
     - To use the DNS servers specified on the Network Settings page, select Set DNS
       Servers using SonicWALL's Network settings.
     - To specify the DNS servers manually for this IP address range, select Specify
       Manually and then type the IP address of your DNS server in the DNS Server 1
       field. You can specify two additional DNS servers.
   • If you have WINS running on your network, type the WINS server IP address in the
     WINS Server 1 field. You can add an additional WINS server.

9. For units running SonicOS Enhanced 4.0 and above, click the Advanced tab. This tab
   allows you to configure the SonicWALL DHCP server to send Cisco Call Manager
   information to VoIP clients on the network, and to configure DHCP generic options for lease
   scopes.

10. Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You
    can add two additional VoIP Call Manager addresses. For more information about
    configuring VoIP, refer to the Configuring Voice over IP Settings section on page 287.

11. To configure a DHCP lease scope, select a DHCP option or option group in the DHCP
    Generic Option Group pull-down menu.

12. To always use DHCP options for this DHCP server lease scope, select the Send Generic
    options always check box.

13. When you are finished, click OK. The settings are saved. To clear all screen settings and
    start over, click Cancel.

Configuring Static IP Addresses

Static entries are IP addresses assigned to servers requiring permanent IP settings.

Note

This screen is available at the unit/appliance level only.

To configure one or more static IP addresses, perform the following steps:

1. Select a SonicWALL appliance.

2. Expand the DHCP tree and click Static Entries. The Static Entries page displays.

3. Do one of the following:

   • To enable the DHCP server, select the Enable DHCP Server check box.
   • To disable the DHCP server, deselect the Enable DHCP Server check box.

4. Select Enable Conflict Detection to turn on automatic DHCP scope conflict detection on
   each zone.

5. To add or edit a static entry, do one of the following:

   • To add a static entry, click Add Static Entry.
   • To edit an existing static entry, click the icon in the Edit Static Entry column.

   The DHCP Setup dialog for Static Entries is displayed.

6. In the DHCP Setup dialog box, on the General tab, complete the following fields:

   • Select the Enable this DHCP Scope check box to enable this static DHCP scope.
     Deselect it to disable the scope.
   • Type a descriptive name for this static DHCP entry in the Entry Name field.
   • Type the IP address of the device in the Static IP Address field.
   • Enter the Ethernet (MAC) address of the device in the Ethernet Address field.
   • In the Lease Time field, type the number of minutes that an IP address is used before
     it is re-issued. 1440 minutes (24 hours) is the default value.
   • Specify the IP address and subnet mask of the default gateway for this IP address in
     the Default Gateway and Subnet Mask fields. By default, these fields will use the
     settings on the Network Settings page.

7. To add a static IP address, click Add Static Entry and complete the following fields:

   • Specify the IP address and subnet mask of the default gateway for this IP address in
     the Default Gateway and Subnet Mask fields. By default, these fields will use the
     settings on the Network Settings page.
   • Enter the lease time for this IP address in the Lease Time field.

8. Click the DNS/WINS tab.

9. In the DHCP Setup dialog box, on the DNS/WINS tab, complete the following fields:

   • If you have a domain name associated with this IP address, enter it in the Domain
     Name field.
   • To configure one or more DNS servers for this range, do one of the following:
     - To use the DNS servers specified on the Network Settings page, select Set DNS
       Servers using SonicWALL's Network settings.
     - To specify the DNS servers manually for this IP address, select Specify Manually
       and then type the IP address of your DNS server in the DNS Server 1 field. You
       can specify two additional DNS servers.
   • If you have WINS running on your network, type the WINS server IP address in the
     WINS Server 1 field. You can add an additional WINS server.

10. For units running SonicOS Enhanced 4.0 and above, click the Advanced tab. This tab
    allows you to configure the SonicWALL DHCP server to send Cisco Call Manager
    information to VoIP clients on the network, and to configure DHCP generic options for lease
    scopes.

11. Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You
    can add two additional VoIP Call Manager addresses. For more information about
    configuring VoIP, refer to the Configuring Voice over IP Settings section on page 287.

12. To configure a DHCP lease scope, select a DHCP option or option group in the DHCP
    Generic Option Group pull-down menu.

13. To always use DHCP options for this DHCP server lease scope, select the Send Generic
    options always check box.

14. When you are finished, click OK. The settings are saved. To clear all screen settings and
    start over, click Cancel.

Configuring DHCP Option Objects

Note

This screen is available at the unit/appliance level only for units running SonicOS Enhanced
4.0 and above.

This section describes how to configure DHCP Option Objects. DHCP Option Objects can be
used when setting DHCP Generic Options for DHCP Dynamic Ranges or Static Entries. For
more information about DHCP Options, refer to the DHCP Server Options Overview section
on page 341.

To configure DHCP Option Objects:

Step 1   Expand the DHCP tree and click Option Objects.

Step 2   Click Add New Object or the Configure icon for an existing object. The Add/Edit DHCP Option
         Objects page displays.

Step 3   Type a name for the option in the Option Name field.

Step 4   From the Option Number pull-down list, select the option number that corresponds to your
         DHCP option.

Step 5   Optionally check the Option Array check box to allow entry of multiple option values in the
         Option Value field.

Step 6   The option type displays in the Option Type pull-down menu. The pull-down menu will be
         functional only if multiple option numbers are available.

Step 7   Type the option value, for example, an IP address, in the Option Value field. If Option Array is
         checked, multiple values may be entered, separated by a semi-colon (;).

Step 8   Click the OK button. The object will display in the DHCP Option Object Settings list.
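How an Option Object's number, type and semi-colon separated values end up on the wire, as an added example that is not SonicWALL code: it encodes an object as an RFC 2132 option (one-byte code, one-byte length, data) and walks an options area back into (code, data) pairs. The option numbers 6 (DNS servers), 15 (domain name) and 51 (lease time) are standard; the addresses, domain and lease value are constructed, and the type labels 'ip', 'string' and 'uint32' are this example's own, not the entries of the appliance's Option Type menu.

```python
"""Added example (not SonicWALL code): encode a DHCP Option Object as the
RFC 2132 TLV that a DHCP server places in the options area of its replies,
and decode an options area back into (code, data) pairs.
Addresses, domain and lease values below are constructed samples."""

import ipaddress
import struct


def parse_option_value(value: str, option_array: bool) -> list:
    """Split the Option Value field. With Option Array checked, values are
    separated by a semi-colon (;); blank entries are ignored."""
    if not option_array:
        return [value.strip()]
    return [v.strip() for v in value.split(";") if v.strip()]


def encode_dhcp_option(number: int, option_type: str, value: str,
                       option_array: bool = False) -> bytes:
    """Return code || length || data for one option.

    option_type is this example's own label: 'ip' (IPv4 address list),
    'string' (ASCII text) or 'uint32' (32-bit big-endian integer list)."""
    if not 1 <= number <= 254:          # 0 is PAD and 255 is END, never real options
        raise ValueError("option number must be between 1 and 254")
    items = parse_option_value(value, option_array)
    if option_type == "ip":
        # With Option Array unchecked, '10.0.0.53;10.0.0.54' is one (invalid)
        # address and fails here rather than silently producing a bad option.
        data = b"".join(ipaddress.IPv4Address(v).packed for v in items)
    elif option_type == "uint32":
        data = b"".join(struct.pack("!I", int(v)) for v in items)
    elif option_type == "string":
        if len(items) != 1:
            raise ValueError("string options take a single value")
        data = items[0].encode("ascii")
    else:
        raise ValueError(f"unsupported option type {option_type!r}")
    if len(data) > 255:
        # The one-byte length field caps each option at 255 bytes of data.
        raise ValueError("option data longer than 255 bytes")
    return bytes([number, len(data)]) + data


def decode_dhcp_options(blob: bytes) -> list:
    """Walk an options area and return [(code, data), ...].
    PAD (0) is skipped, END (255) stops the walk, and a length that runs past
    the end of the buffer is rejected instead of being read as garbage."""
    out = []
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        out.append((code, data))
        i += 2 + length
    return out


def build_sample_options() -> bytes:
    """Constructed sample: DNS servers (6), domain name (15), lease time (51)."""
    return (
        encode_dhcp_option(6, "ip", "10.0.0.53;10.0.0.54", option_array=True)
        + encode_dhcp_option(15, "string", "example.com")
        + encode_dhcp_option(51, "uint32", "86400")
        + b"\xff"                       # END marker
    )


if __name__ == "__main__":
    for code, data in decode_dhcp_options(build_sample_options()):
        print(code, data.hex())
```

The decoder's bounds checks are the part worth keeping in mind when a relay or server parses options from untrusted clients: an option whose declared length exceeds the remaining buffer must be rejected, not read past the end.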

Configuring DHCP Option Groups

Note

This screen is available at the unit/appliance level only for units running SonicOS Enhanced
4.0 and above.

This section describes how to configure DHCP Option Groups. For more information about
DHCP Options, refer to the DHCP Server Options Overview section on page 341.
To configure DHCP Option Groups:

Step 1   Expand the DHCP tree and click Option Groups.

Step 2   Click Add New Group or the Configure icon for an existing group. The Add/Edit DHCP Option
         Group page displays.

Step 3   Type a name for the group in the Name field.

Step 4   To add DHCP Option Objects to the group, select one or more objects on the left side and click
         the arrow to move them to the right.

Step 5   To remove DHCP Option Objects from the group, select one or more objects on the right side
         and click the arrow to move them to the left. Or, click Remove All to remove all objects from the
         group.

Step 6   When finished, click OK.

Configuring General DHCP Settings

Note

This screen is available at the Group level only.

This section describes how to configure general DHCP settings for a group of appliances. The
settings in the Policies > DHCP > Setup page apply to all appliances in the selected group,
depending on their inheritance settings.
To configure general DHCP settings, perform the following steps:

1. Select the global icon or a group name.

2. Expand the DHCP tree and click Setup. The Static Entries page displays.

3. Select from the following:

   • To enable the DHCP server, select the Enable DHCP Server check box.
   • To disable the DHCP server, deselect the Enable DHCP Server check box.
   • To disable the DHCP server and configure computers on the LAN (WorkPort) to use a
     DHCP server outside the firewall, deselect the Enable DHCP Server check box and
     select the Allow DHCP Pass Through check box.
   • Enter the lease time for this IP address in the Lease Time field.
   • Optional. Enter the domain name associated with this IP address in the Domain Name
     field.
   • To use the DNS and WINS servers specified on the Network Settings page, select Set
     DNS Servers using SonicWALL's Network settings.
   • To specify the DNS servers manually for this IP address, select Specify Manually and
     enter the IP addresses of the DNS and WINS servers.

4. When you are finished, click Update. The settings are saved. To clear all screen settings
   and start over, click Reset.

Configuring Trusted DHCP Relay Agents

This section describes how to configure trusted DHCP relay agents. The settings for this feature
are configured in the Policies > DHCP > Trusted Agents page.
To configure a trusted DHCP relay agent, perform the following steps:

1. Navigate to the Policies > DHCP > Trusted Agents screen in the SonicWALL GMS user
   interface.

2. Click the Enable Trusted DHCP Relay Agent List check box to enable this feature.

3. Choose a Trusted Relay Agent List from the pull-down menu.

   The default selection for the trusted agent list is the Default Trusted Relay Agent List
   address group. The entries for this address group are defined in the Network > Address
   Objects page.

4. Click the Update button to confirm your changes.

CHAPTER 16
Configuring Firewall User Settings

This chapter describes how to use the SonicWALL GMS to configure user and user access
settings. Included in this chapter are the following sections:

• Configuring Users in SonicOS Enhanced section on page 353
• Configuring Users in SonicOS Standard section on page 380

Configuring Users in SonicOS Enhanced

The following sections describe how to configure user settings in SonicOS Enhanced:

• Configuring User Login Settings section on page 354
• Configuring LDAP and Active Directory section on page 355
• Global User Settings section on page 365
• Configuring an Acceptable Use Policy section on page 366
• Configuring Local Users section on page 366
• Configuring Local Groups section on page 368
• Configuring ULA Settings section on page 370
• Configuring HTTP URL-Based ULA Settings section on page 370
• Configuring RADIUS for SonicOS Enhanced section on page 370
• Configuring Single Sign-On section on page 372
• Configuring Guest Services section on page 377
• Configuring Guest Accounts section on page 379

Configuring User Login Settings

In addition to the authentication methods available in SonicOS Standard, SonicOS Enhanced
allows you to use Lightweight Directory Access Protocol (LDAP) to authenticate users. LDAP
is compatible with Microsoft's Active Directory.
For SonicWALL appliances running SonicOS Enhanced 4.0 and higher, you can select the
SonicWALL Single Sign-On Agent to provide Single Sign-On functionality. Single Sign-On
(SSO) is a transparent user authentication mechanism that provides privileged access to
multiple network resources with a single workstation login. SonicWALL PRO and TZ series
security appliances running SonicOS Enhanced 4.0 provide SSO functionality using the
SonicWALL Single Sign-On Agent (SSO Agent) to identify user activity based on workstation
IP address when Active Directory is being used for authentication. The SonicWALL SSO Agent
must be installed on a computer in the same domain as Active Directory.
The Policies > Users > Settings page for SonicOS Enhanced is shown below.

To configure User Login Settings:

Step 1   Select one of the following authentication methods from the Authentication method for login
         pull-down list:

         • Local Users: To configure users in the local database using the Users > Local Users
           and Users > Local Groups pages. For information on configuring local users and
           groups, refer to the Configuring Local Users section on page 366 and the Configuring
           Local Groups section on page 368.
         • RADIUS: If you have more than 1,000 users or want to add an extra layer of security
           for authenticating the user to the SonicWALL. If you select Use RADIUS for user
           authentication, users must log into the SonicWALL using HTTPS in order to encrypt the
           password sent to the SonicWALL. If a user attempts to log into the SonicWALL using
           HTTP, the browser is automatically redirected to HTTPS. For information on configuring
           RADIUS, refer to the Configuring RADIUS for SonicOS Enhanced section on
           page 370.
         • RADIUS + Local Users: If you want to use both RADIUS and the SonicWALL local
           user database for authentication. For information on configuring RADIUS, refer to the
           Configuring RADIUS for SonicOS Enhanced section on page 370.
         • LDAP: If you use a Lightweight Directory Access Protocol (LDAP) server or Microsoft
           Active Directory (AD) server to maintain all your user account data. For information
           about configuring LDAP, refer to the Configuring LDAP and Active Directory section
           on page 355.
         • LDAP + Local Users: If you want to use both LDAP and the SonicWALL local user
           database for authentication. For information about configuring LDAP, refer to the
           Configuring LDAP and Active Directory section on page 355.

Step 2   In the Single-sign-on method pull-down list, select SonicWALL SSO Agent if you are using
         Active Directory for authentication and the SonicWALL SSO Agent is installed on a computer
         in the same domain. Otherwise, select None. For information on configuring SSO, refer to the
         Configuring Single Sign-On section on page 372.

Step 3   To require that user names are treated as case-sensitive, select the Case-sensitive user
         names check box.

Step 4   To prevent a user from logging in from more than one location at a time, select the Enforce
         login uniqueness check box.

Step 5   Enter the number of minutes that the login authentication page is displayed in the Show
         authentication page for field.

Step 6   Select Redirect users from HTTPS to HTTP on completion of login if the session does not
         need to be encrypted.

Configuring LDAP and Active Directory

In addition to RADIUS and the local user database, SonicOS Enhanced can support LDAP and
Microsoft Active Directory (AD) directory services for user authentication. The following
sections describe how to configure LDAP and Active Directory:

• LDAP Terms section on page 355
• Prerequisites for LDAP Configuration section on page 356
• Configuring LDAP section on page 358
• Further Information on LDAP Schemas section on page 364

Active Directory support on SonicOS Enhanced is not a single sign-on mechanism by itself, but
rather the ability for SonicOS Enhanced to act as an LDAP client against an Active Directory's
LDAP interface using Microsoft's implementation of an LDAP schema. SonicOS Enhanced
provides extremely flexible schema interoperability, with support for the Microsoft AD schema,
the LDAP core schema, the RFC2798 inetOrgPerson schema, and even user-defined
schemas. Connectivity to LDAP servers is also flexible, with support for the following protocols:

• LDAPv2 (RFC3494)
• LDAPv3 (RFC2251-2256, RFC3377)
• LDAPv3 over TLS (RFC2830)
• LDAPv3 with STARTTLS (RFC2830)
• LDAP Referrals (RFC2251)

LDAP Terms

The following terms are useful when working with LDAP and its variants:

• Attribute: A data item stored in an object in an LDAP directory. Objects can have required
  attributes or allowed attributes. For example, the dc attribute is a required attribute of the
  dcObject (domain component) object.
• cn: The common name attribute is a required component of many object classes
  throughout LDAP.
• dc: The domain component attribute is commonly found at the root of a distinguished
  name, and is commonly a required attribute.
• dn: A distinguished name, which is a globally unique name for a user or other object. It
  is made up of a number of components, usually starting with a common name (cn)
  component and ending with a domain specified as two or more domain components (dc).
  For example, cn=john,cn=users,dc=domain,dc=com
• Entry: The data that is stored in the LDAP directory. Entries are stored in attribute/value
  (or name/value) pairs, where the attributes are defined by object classes. A sample entry
  would be cn=john where cn (common name) is the attribute, and john is the value.
• Object: In LDAP terminology, the entries in a directory are referred to as objects. For the
  purposes of the SonicOS implementation of the LDAP client, the critical objects are User
  and Group objects. Different implementations of LDAP can refer to these object classes in
  different fashions; for example, Active Directory refers to the user object as user and the
  group object as group, while RFC2798 refers to the user object as inetOrgPerson and the
  group object as groupOfNames.
• Object class: Object classes define the type of entries that an LDAP directory may
  contain. A sample object class, as used by AD, would be user or group.
• ou: The organizational unit attribute is a required component of most LDAP schema
  implementations.
• Schema: The schema is the set of rules or the structure that defines the types of data that
  can be stored in a directory, and how that data can be stored. Data is stored in the form of
  entries.
• TLS: Transport Layer Security is the IETF standardized version of SSL (Secure Sockets
  Layer). TLS 1.0 is the successor to SSL 3.0.

Microsoft Active Directory's classes can be browsed at
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/classes_all.asp>

LDAP / AD configuration is performed from the User > Settings page.
Selecting either LDAP or LDAP+Local Users and clicking Apply at the top of the page will
enable LDAP support, the former using an LDAP directory server exclusively, and the latter
using a combination of the LDAP server and the local user database. Upon applying these
settings, an informational alert will be presented. Because the SonicWALL will be receiving
sensitive username and password information from authenticating clients, HTTPS logins will
automatically be enabled to secure the credential exchanges.

Prerequisites for LDAP Configuration

Before beginning your LDAP configuration, you should prepare your LDAP server and your
SonicWALL for LDAP over TLS support. This involves installing a server certificate on your
LDAP server, and a CA (Certificate Authority) certificate for the issuing CA on your SonicWALL.
Assuming this has not already been done, the steps for performing these tasks in an Active
Directory environment follow:

Configuring the CA on the Active Directory server:

Note

Skip steps 3 through 7 if Certificate Services are already installed.

1. Navigate to Start > Settings > Control Panel > Add/Remove Programs.

2. Select Add/Remove Windows Components.

3. Select Certificate Services.

4. Select Enterprise Root CA when prompted.

5. Enter the requested information. For detailed information on CA setup, see
   http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp

6. Launch the Domain Security Policy application:

7. Start > Run > dompol.msc.

8. Open Security Settings > Public Key Policies.

9. Right click on Automatic Certificate Request Settings.

10. Select New > Automatic Certificate Request.

11. Step through the wizard, and select Domain Controller from the list.

Exporting the CA certificate from the AD server:

1. Launch the Certification Authority application: Start > Run > certsrv.msc.

2. Right click on the CA you created and select Properties.

3. On the General tab, click the View Certificate button.

4. From the Details tab, select Copy to File.

5. Step through the wizard and select the Base-64 Encoded X.509 (.cer) format.

6. Specify a path and filename to which to save the certificate.

Importing the CA certificate onto the SonicWALL:

1. Browse to System > CA Certificates.

2. Select Add new CA certificate. Browse to and select the certificate file you just exported.

3. Click the Import certificate button.

Note

Should installation of Certificate Services on the Active Directory server be
undesirable for some reason, secure operation can be achieved without TLS by
using LDAP with RADIUS; see the RADIUS with LDAP for user groups section later.

Configuring LDAP

Perform the following steps to configure LDAP authentication.

1. Browse to the User > Settings page and select either LDAP or LDAP + Local Users.

2. Click the Configure LDAP button to launch the LDAP configuration window.

3. Configure the following options in the LDAP settings window:

   • Name or IP Address: Enter the FQDN or the IP address of the LDAP server against
     which you wish to authenticate. If using a name, be certain it can be resolved by your
     DNS server. Also, if using TLS with the Require valid certificate from server option, the
     name provided here must match the name to which the server certificate was issued
     (i.e. the CN) or the TLS exchange will fail.
   • Port Number: The default LDAP over TLS port number is TCP 636. The default LDAP
     (unencrypted) port number is TCP 389. If you are using a custom listening port on your
     LDAP server, specify it here.
   • Server timeout: The amount of time, in seconds, that the SonicWALL will wait for a
     response from the LDAP server before timing out. Allowable ranges are 1 to 99999 (in
     case you're running your LDAP server on a VIC-20 located on the moon), with a default
     of 10 seconds.
   • Anonymous Login: Some LDAP servers allow the tree to be accessed
     anonymously. If your server supports this (MS AD generally does not), then you may
     select this option.
   • Login name: Specify a user name which has rights to log in to the LDAP directory. The
     login name will automatically be presented to the LDAP server in full DN notation. This
     can be any account with LDAP read privileges (essentially any user account);
     administrative privileges are not required. Note that this is the user's name, not their
     login ID (e.g. John Smith rather than jsmith).
   • Login password: The password for the user account specified above.
   • Protocol version: Select either LDAPv3 or LDAPv2. Most modern implementations of
     LDAP, including AD, employ LDAPv3.
   • Use TLS: Use Transport Layer Security (SSL) to log in to the LDAP server. It is
     strongly recommended that TLS be used to protect the username and password
     information that will be sent across the network. Most modern LDAP server
     implementations, including AD, support TLS. Deselecting this default setting will provide
     an alert which must be accepted to proceed.
   • Send LDAP Start TLS Request: Some LDAP server implementations support the
     Start TLS directive rather than using native LDAP over TLS. This allows the LDAP
     server to listen on one port (normally 389) for LDAP connections, and to switch to TLS
     as directed by the client. AD does not use this option, and it should only be selected if
     required by your LDAP server.
   • Require valid certificate from server: Validates the certificate presented by the
     server during the TLS exchange, matching the name specified above to the name on
     the certificate. Deselecting this default option will present an alert, but exchanges
     between the SonicWALL and the LDAP server will still use TLS, only without issuance
     validation.
   • Local certificate for TLS: Optional, to be used only if the LDAP server requires a
     client certificate for connections. Useful for LDAP server implementations that return
     passwords to ensure the identity of the LDAP client (AD does not return passwords).
     This setting is not required for AD.

   If your network uses multiple LDAP/AD servers with referrals, then select one as the
   primary server (probably the one that holds the bulk of the users) and use the above
   settings for that server. It will then refer the SonicWALL on to the other servers for users
   in domains other than its own. For the SonicWALL to be able to log in to those other
   servers, each server must have a user configured with the same credentials (user
   name, password and location in the directory) as per the login to the primary server. This
   may entail creating a special user in the directory for the SonicWALL login. Note that
   only read access to the directory is required.

4. Select the Schema tab:

   • LDAP Schema: Select Microsoft Active Directory, RFC2798 inetOrgPerson,
     RFC2307 Network Information Service, Samba SMB, Novell eDirectory, or
     user-defined. Selecting any of the predefined schemas will automatically populate the
     fields used by that schema with their correct values. Selecting user-defined will allow
     you to specify your own values; use this only if you have a specific or proprietary LDAP
     schema configuration.
   • Object class: This defines which attribute represents the individual user account to
     which the next two fields apply.
   • Login name attribute: This defines which attribute is used for login authentication:
     - sAMAccountName for Microsoft Active Directory
     - inetOrgPerson for RFC2798 inetOrgPerson
     - posixAccount for RFC2307 Network Information Service
     - sambaSAMAccount for Samba SMB
     - inetOrgPerson for Novell eDirectory
   • Qualified login name attribute: If not empty, this specifies an attribute of a user
     object that sets an alternative login name for the user in name@domain format. This
     may be needed with multiple domains in particular, where the simple login name may
     not be unique across domains. This is set to mail for Microsoft Active Directory and
     RFC2798 inetOrgPerson.
   • User group membership attribute: This attribute in the user object contains the
     information about which groups the user belongs to. This is memberOf in Microsoft
     Active Directory. The other pre-defined schemas store group membership information
     in the group object rather than the user object, and therefore do not use this field.
   • Framed IP address attribute: This attribute can be used to retrieve a static IP address
     that is assigned to a user in the directory. Currently it is only used for a user connecting
     via L2TP with the SonicWALL's L2TP server. In future this may also be supported for
     Global VPN Client. In Active Directory the static IP address is configured on the Dial-in
     tab of a user's properties.

5.

Select the Directory tab.

Primary Domain specify the user domain used by your LDAP implementation. For

AD, this will be the Active Directory domain name, e.g. yourADdomain.com. Changes
to this field will, optionally, automatically update the tree information in the rest of the
page. This is set to mydomain.com by default for all schemas except Novell
eDirectory, for which it is set to o=mydomain.

User tree for login to server The tree in which the userspecified in the Settings tab

resides. For example, in AD the administrator accounts default tree is the sameas the
user tree.

Configuring Users in SonicOS Enhanced

Trees containing users: the trees where users commonly reside in the LDAP directory. One default value is provided, which can be edited, and up to a total of 64 DN values may be provided; the SonicWALL searches the directory using them all, in order, until a match is found or the list is exhausted. If you have created other user containers within your LDAP or AD directory, specify them here.

Trees containing user groups: same as above, but for user group containers; a maximum of 32 DN values may be provided. These are only applicable when there is no user group membership attribute in the schema's user object, and so are not used with AD.

All the above trees are normally given in URL format but can alternatively be specified as distinguished names (for example myDom.com/Sales/Users could alternatively be given as the DN ou=Users,ou=Sales,dc=myDom,dc=com). The DN form is necessary if the DN does not conform to the normal formatting rules shown in that example. In Active Directory the URL corresponding to the distinguished name of a tree is displayed on the Object tab in the properties of the container at the top of the tree.

Note: AD has some built-in containers that do not conform (e.g. the DN for the top-level Users container begins cn=Users,dc= using cn rather than ou), but the SonicWALL knows about and deals with these, so they can be entered in the simpler URL format.

Ordering is not critical, but since the trees are searched in the given order it is most efficient to place the most commonly used trees first in each list. If referrals between multiple LDAP servers are to be used, then the trees are best ordered with those on the primary server first, and the rest in the same order in which they will be referred.

Note: When working with AD, to find the location of a user in the directory for the User tree for login to server field, the directory can be searched manually from the Active Directory Users and Computers console on the server, or a directory search utility such as queryad.vbs in the Windows NT/2000/XP Resource Kit can be run from any PC in the domain.
Auto-configure: causes the SonicWALL to fill in the Trees containing users and Trees containing user groups fields by scanning the directory (or directories) for all trees that contain user objects. The User tree for login to server must be set first; clicking the Auto-configure button then brings up the following dialog:

6. Select whether to append newly located trees to the current configuration or to start from scratch, removing all currently configured trees first, and then click OK. The scan will quite likely locate trees that are not needed for user login, so some tidying up afterwards, manually removing such entries, is worthwhile.

If using multiple LDAP/AD servers with referrals, this process can be repeated for each server, replacing the Domain to search accordingly and selecting Append to existing trees on each subsequent run.

7. Select the LDAP Users tab.

Allow only users listed locally: requires that LDAP users also be present in the SonicWALL local user database for logins to be allowed.

User group membership can be set locally by duplicating LDAP user names: allows group membership (and privileges) to be determined by the intersection of the local user and LDAP user configurations.

Default LDAP User Group: a default group on the SonicWALL to which LDAP users will belong in addition to the group memberships configured on the LDAP server.

Group memberships (and privileges) can also be assigned purely through LDAP. By creating user groups on the LDAP/AD server with the same names as SonicWALL built-in groups (such as Guest Services, Content Filtering Bypass and Limited Administrators) and assigning users to them in the directory, or by creating user groups on the SonicWALL with the same names as existing LDAP/AD user groups, the matching SonicWALL group memberships are granted upon successful LDAP authentication. With Active Directory the SonicWALL appliance can retrieve group memberships more efficiently, because AD returns a memberOf attribute for the user rather than requiring a search of the group objects.


8. Select the LDAP Relay tab.

The RADIUS to LDAP Relay feature is designed for a topology with a central site that has an LDAP/AD server and a central SonicWALL, and remote satellite sites connected to it via low-end SonicWALL security appliances that may not support LDAP. In that case the central SonicWALL can operate as a RADIUS server for the remote SonicWALLs, acting as a gateway between RADIUS and LDAP and relaying their authentication requests to the LDAP server.

Additionally, for remote SonicWALLs running non-enhanced firmware, the central SonicWALL can return legacy user privilege information to them based on user group memberships learned via LDAP. This avoids what can be a very complex configuration of an external RADIUS server such as IAS for those SonicWALLs.
9. Configure the following LDAP Relay options:

Enable RADIUS to LDAP Relay: enables this feature.

Allow RADIUS clients to connect via: check the relevant checkboxes and policy rules will be added to allow incoming RADIUS requests accordingly.

RADIUS shared secret: a shared secret common to all remote SonicWALLs. Because every remote appliance shares it, choose it with the same care as any other RADIUS secret and change it if any remote appliance is compromised.

User groups for legacy users: these define the user groups that correspond to the legacy Access to VPNs, Access from VPN client with XAUTH, Access from L2TP VPN client and Allow Internet access (when access is restricted) privileges respectively. When a user in one of the given user groups is authenticated, the remote SonicWALL is informed that the user is to be given the relevant privilege.

Note: The Bypass filters and Limited management capabilities privileges are returned based on membership of the user groups named Content Filtering Bypass and Limited Administrators; these are not configurable.


10. Select the Test tab.

The Test page allows for the configured LDAP settings to be tested by attempting
authentication with specified user and password credentials. Any user group memberships
and/or framed IP address configured on the LDAP/AD server for the user will be displayed.

Further Information on LDAP Schemas


Microsoft Active Directory: Schema information is available at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp> and <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_reference.asp>

RFC2798 InetOrgPerson: Schema definition and development information is available at <http://rfc.net/rfc2798.html>

RFC2307 Network Information Service: Schema definition and development information is available at <http://rfc.net/rfc2307.html>

Samba SMB: Development information is available at <http://us5.samba.org/samba/>

Novell eDirectory: LDAP integration information is available at <http://www.novell.com/documentation/edir873/index.html?page=/documentation/edir873/edir873/data/h0000007.html>

User-defined schemas: See the documentation for your LDAP installation. You can also see general information on LDAP at <http://rfc.net/rfc1777.html>


Global User Settings


The settings listed below apply to all users when authenticated through the SonicWALL. To
configure global user settings, expand the Users tab and click on the Settings tab.

The following options are configured in the User Session Settings section:

Inactivity timeout (minutes): users can be logged out of the SonicWALL after a
preconfigured inactivity time. Enter the number of minutes in this field. The default value is
5 minutes.

Enable login session limit: you can limit the time a user is logged into the SonicWALL by
selecting the check box and typing the amount of time, in minutes, in the Login session
limit (minutes) field. The default value is 30 minutes.

Login page timeout (minutes): defines how much time a user has to log in before the login
page times out. If it times out, a message displays saying they must click before attempting
to log in again.

Show user login status window with logout button: causes a status window to display
with a Log Out button during the users session. The user can click the Log Out button to
log out of their session.

User's login status window refreshes every (minutes): determines how often the users
status display is updated.

User's login status window sends status heartbeat every (seconds): determines how often a heartbeat is sent back to the SonicWALL. This heartbeat notifies the SonicWALL of a user's connection status and continues to be sent as long as the status window is open.

Enable disconnected user detection: causes the SonicWALL to detect when a users
connection is no longer valid and end the session.

Timeout on heartbeat from user's login status window (minutes): sets the time needed
without a reply from the heartbeat before ending the user session.

LDAP read from server options: available when the LDAP option is active. The options are Automatically update the schema configuration and Export details of the schema.


Configuring an Acceptable Use Policy


An acceptable use policy (AUP) is a policy users must agree to follow in order to access a
network or the Internet. It is common practice for many businesses and educational facilities to
require that employees or students agree to an acceptable use policy before accessing the
network or Internet through the SonicWALL.
The Acceptable Use Policy section allows you to create the AUP message window for users.
You can use HTML formatting in the body of your message. Clicking the Example Template
button creates a preformatted HTML template for your AUP window.
Perform the following steps to configure an AUP:

1. Expand the Users tree and click on the Settings tab.

2. Select which users will see the AUP page using the Display on login from checkboxes. For SonicOS Enhanced, select the zones that will display the AUP page. For SonicOS Standard, select the network interfaces.

3. Configure the dimensions of the AUP window in pixels in the Window size (pixels) fields.

4. Check Enable scroll bars on the window to allow users to scroll through the AUP window contents.

5. Enter the text for the AUP in the Acceptable use policy page content field. The content can include HTML formatting. The page displayed to the user includes an I Accept button and a Cancel button for user confirmation.

6. Optionally, click the Example Template button to create a preformatted HTML template for your AUP window.

Caution: Clicking the Example Template button will overwrite the existing content in the AUP window.

7. Click the Preview button to display your AUP message as it will appear to the user.

8. Click Update.

Configuring Local Users


SonicOS Enhanced uses a Group/User hierarchy for organizing users. This section describes
how to configure new users and groups. To add or edit a user, perform the following steps:
1. Expand the Users tree and click Local Users. The Local Users page displays.


2. To add a local user, click Add New Local User. To edit the settings of an existing user, click its Configure icon.

3. Configure the following options:

Name: the name of the user.

Password: the password of the user.

Bypass Filters: select this if the user will have unlimited access to the Internet from the LAN, bypassing Web, News, Java, and ActiveX blocking.

Limited Management Capabilities: select this option to give the user limited local management access to the SonicWALL Management interface. The access is limited to the following pages:

General: Status, Network, Time

Log: View Log, Log Settings, Log Reports

Tools: Restart, Diagnostics minus Tech Support Report

4. Click the Groups tab.

5. Select a user group of which this user will be a member and click the right arrow button (->). Repeat this step for each group to add.

6. Click the VPN Access tab.


7. Select a network that this user will be able to access through the VPN client software and click the right arrow button (->). Repeat this step for each network to add.

8. When you are finished, click OK. The settings are saved. Repeat this procedure for each user to add or modify.

Configuring Local Groups


By default, SonicOS Enhanced has five groups. These include:

Everyone

Guest Services

Trusted Users

Content Filtering Bypass

Limited Administrators

The permissions of these groups are automatically applied to their members unless you manually modify a user's settings.
To add or edit a group, perform the following steps:
1. Expand the Users tree and click Local Groups. The Local Groups page displays.

2. To add a local group, click Add New Local Group. To edit the settings of an existing group, click its Configure icon.

3. Configure the following options:

Bypass Filters: select this if the users within the group will have unlimited access to the Internet from the LAN, bypassing Web, News, Java, and ActiveX blocking.

Limited Management Capabilities: select this option to give users within the group limited local management access to the SonicWALL Management interface. The access is limited to the following pages:


General: Status, Network, Time

Log: View Log, Log Settings, Log Reports

Tools: Restart, Diagnostics minus Tech Support Report

4. Click the Members tab.

5. Select the users or groups that will belong to this group and click the right arrow button (->).

6. Click the VPN Access tab.

7. Select the networks that users within this group will be able to access through their VPN client software and click the right arrow button (->).

8. Click the CFS Policy tab.

9. Select a CFS policy to apply to the group from the Policy pull-down menu.

10. When you are finished, click OK. The settings are saved.


Configuring ULA Settings


ULA Settings are only available in SonicOS Standard. Refer to the Configuring ULA Settings
section on page 383.

Configuring HTTP URL-Based ULA Settings


This section describes how to configure HTTP URL-Based ULA settings. This feature enables
users to access specific URLs without requiring authentication. To configure HTTP URL ULA
settings, perform the following steps:
1. Expand the Users tree and click HTTP URL ULA. The HTTP URL ULA page displays.

2. Enter the fully qualified URL of the site that users will be allowed to access without being authenticated in the ULA HTTP URLs field.

3. Click Add.

4. Click Update.

Configuring RADIUS for SonicOS Enhanced


If you selected Use RADIUS for user authentication or Use RADIUS but also allow locally
configured users, you must now configure RADIUS information. To configure RADIUS,
perform the following steps.
1. Expand the Users tree and click on RADIUS.


2. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 0 and 10; 3 retries is recommended.

3. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds, with a default value of 5.

RADIUS Servers

1. Specify the following settings for the primary RADIUS server in the Primary Server section:

Type the IP address of the RADIUS server in the IP Address field.

Type the Port Number for the RADIUS server.

Type the shared secret configured for this client on the RADIUS server in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length and is case sensitive. The secret is what authenticates the exchange between the SonicWALL and the server, so use a long one and do not reuse it across unrelated clients.

2. If there is a secondary RADIUS server, type the appropriate information in the Secondary Server section.

RADIUS Users

1. To only allow users that are configured locally, but still use RADIUS to authenticate them, select the Allow only users listed locally check box.

2. Select the mechanism used for setting user group memberships for RADIUS users from the following list:

Use SonicWALL vendor-specific attribute on RADIUS server: select this to have the RADIUS server send SonicWALL vendor-specific attributes back to the appliance.

Use RADIUS Filter-ID attribute on RADIUS server: select this to have the RADIUS server send Filter-ID attributes back to the appliance. The Filter-ID attributes carry the names of the user groups that a user belongs to.

Enter duplicate RADIUS user names locally on the SonicWALL: select this when the RADIUS server contains user names and passwords but has no user group information. The SonicWALL appliance holds the user group configuration for each user, while RADIUS simply authenticates the password.

3. For a shortcut for managing RADIUS user groups, check Memberships can be set locally by duplicating RADIUS user names. When you create users with the same names locally on the security appliance and manage their group memberships, a RADIUS user is given the memberships of the local user of the same name; the SonicWALL does not write anything to the RADIUS server's own user database.

4. If you have previously configured User Groups on the SonicWALL, select the group from the Default user group to which all RADIUS users belong menu.

5. You can create a new group by choosing Create a new user group... from the list. The Add Group window displays.

RADIUS Client Test


To test your RADIUS client user name and password, perform the following steps:

1. Navigate to the Diagnostics > Network page.

2. Enter a valid user name in the User field, and the password in the Password field.


3. Click the RADIUS Client Test button.

If the validation is successful, the Status message changes to Success. If the validation fails, the Status message changes to Failure. Once the SonicWALL has been configured, a VPN Security Association requiring RADIUS authentication prompts incoming VPN clients to type a user name and password into a dialog box.
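The settings above (shared secret, retries, timeout, Filter-ID group names) all map onto a single RFC 2865 Access-Request/Access-Accept exchange, and the LDAP Relay tab earlier describes a central SonicWALL answering such requests on behalf of an LDAP server. The following is an added example, not code from the GMS guide or from SonicWALL: it builds the Access-Request a RADIUS client would send (with the User-Password hidden under the shared secret), answers it with a constructed stand-in server that returns the user's groups as Filter-ID attributes, and verifies the Response Authenticator before trusting the reply. The user table, secret, NAS address and the 16-byte authenticator used for the tests are constructed; there is no network I/O.

```python
"""Added example (not from the GMS guide): a minimal RFC 2865 RADIUS exchange
showing what the shared secret protects. The client side builds the
Access-Request the appliance would send; serve() is a constructed stand-in
for the RADIUS server (or a central SonicWALL acting as RADIUS-to-LDAP relay)
that answers with the user's groups in Filter-ID attributes. No network I/O."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def encode_attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes):
    """Walk the TLV list; a bad length is a malformed packet, not a crash."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(user: str, password: str, secret: bytes, ident: int,
                   nas_ip=(192, 0, 2, 1), authenticator: bytes = None):
    """Client side. The Request Authenticator must be unpredictable: it keys
    the password hiding and binds the reply to this request."""
    ra = authenticator or os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, pap_hide(password.encode(), secret, ra)),
             (NAS_IP_ADDRESS, bytes(nas_ip))]
    return packet(ACCESS_REQUEST, ident, ra, attrs), ra


def response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def serve(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed server: checks the PAP password against a user table and
    returns the user's group names as one Filter-ID attribute each."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    ra = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = pap_unhide(attrs.get(USER_PASSWORD, b""), secret, ra)
    account = users.get(name)
    if code != ACCESS_REQUEST or account is None or not hmac.compare_digest(account["password"], pw):
        return response(ACCESS_REJECT, ident, ra, secret, [])
    return response(ACCESS_ACCEPT, ident, ra, secret,
                    [(FILTER_ID, g.encode()) for g in account["groups"]])


def groups_from_response(resp: bytes, request_auth: bytes, secret: bytes):
    """Client side: refuse a reply whose Response Authenticator does not verify
    (wrong secret, or tampered in transit), then collect the Filter-ID group
    names. Returns None for an Access-Reject."""
    header, resp_auth, body = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch")
    if resp[0] != ACCESS_ACCEPT:
        return None
    return [v.decode() for t, v in parse_attrs(body) if t == FILTER_ID]
```

Two things the code makes visible that the settings page does not: everything the appliance can trust about an Access-Accept rests on the MD5 of the shared secret, so a short or reused secret lets anyone on the path forge group memberships; and the User-Password is only XOR-hidden, so RADIUS traffic between the appliance and the server belongs on a trusted segment or inside a VPN.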

Configuring Single Sign-On


SonicWALL SSO Agent identifies users by IP address using a SonicWALL ADConnector
compatible protocol and automatically determines when a user has logged out to prevent
unauthorized access. Based on data from SonicWALL SSO Agent, the SonicWALL security
appliance queries LDAP or the local database to determine group membership. Memberships
are matched against policy, and based on user privileges, access is granted or denied. The
configured inactivity and session limit timers apply with SSO, though users who are logged out
are automatically and transparently logged back in when they send further traffic.
To configure SSO settings:

Step 1 On the User > Settings page, if you are using Active Directory for authentication, select SonicWALL SSO Agent from the Single sign-on method pull-down list, and then click the Configure button.

Step 2 In the Transparent Authentication Configuration screen, in the Name or IP Address field, enter the host name or IP address of the workstation on which SonicWALL SSO Agent is installed.

Step 3 In Port Number, enter the port number on which SonicWALL SSO Agent listens on that workstation. The default port is 2258.

Step 4 In the Shared Key field, enter the shared key that you created or generated in the SonicWALL SSO Agent. The shared key must match exactly. Re-enter the shared key in the Confirm Shared Key field.

Step 5 In the Timeout (seconds) field, enter the number of seconds before an authentication attempt times out.

Step 6 In the Retries field, enter the number of authentication attempts.

Step 7 Click on the Advanced tab inside the Settings tab. The Maximum requests to send at a time setting is available here. It controls the maximum number of requests that can be sent from the appliance to the agent at the same time. The agent processes multiple requests concurrently, spawning a separate thread on the PC to handle each one, so sending too many requests at a time can overload the PC on which the agent is running. If the number of requests to send exceeds the maximum, the excess are placed on an internal ring buffer queue; requests that wait on the ring buffer for too long lead to slow response times in SSO authentication.

Step 8 Set Maximum requests to send at a time. This setting works in conjunction with the automatically calculated number of user requests per message to the agent when polling to check the status of logged-in users. The number of user requests per message is calculated from recent polling response times. SonicOS adjusts this number as high as possible to minimize the number of messages that need to be sent, which reduces the load on the agent and the network traffic between the appliance and the agent, but keeps it low enough that the agent can process all of the user requests in a message within the poll period. This avoids problems such as timeouts and failures to detect logged-out users quickly.
Users Tab

Step 9 Click the Users tab. The User Settings page displays.

Step 10 Check the box next to Allow only users listed locally to allow only users listed locally to be authenticated.

Step 11 Check the box next to Simple user names in local database to use simple user names. This setting ignores the domain component of a user name. If this box is not checked, user names in the local database must exactly match the full names returned by the agent, including the domain component.

Step 12 Check the box next to Allow limited access for non-domain users to allow limited access to users who are logged in to a computer but not into a domain. These users will not be given access to the Trusted Users user group. They are identified in logs as computer-name/user-name. When performing local authentication with the Simple user names in local database option disabled, such user names must be configured in the local database using the full computer-name/user-name identification.
Step 13 (Available for SonicOS 5.6 and higher.) Select the Probe users for checkbox and select either NetAPI or WMI (depending on which the SSO Agent is configured to use). This causes the SonicWALL firewall appliance to probe for a response on the NetAPI/WMI port before requesting that the SSO Agent identify a user. Devices that do not respond fail SSO immediately. For a Windows PC the probe will generally succeed (unless blocked by a personal firewall) and the SonicWALL SSO Agent is used. For a Linux/Mac PC (assuming it is not running a Samba server) the probe fails, the SSO Agent is bypassed and NTLM authentication is used when HTTP traffic is sent.

NTLM cannot identify the user until they browse with HTTP, so any traffic sent before that is treated as unidentified: the default CFS policy is applied, and any rule requiring authenticated users will not let the traffic pass.

If NTLM is configured to be used before the SonicWALL SSO Agent, then if HTTP traffic is received first the user is authenticated with NTLM, and if non-HTTP traffic is received first the SonicWALL SSO Agent is used for authentication.
Step 14 To use LDAP to retrieve user information, select the Use LDAP to retrieve user group information radio button.

Step 15 To use local configuration, select the Local configuration radio button.

Step 16 In the Polling rate (minutes) field, enter the interval, in minutes, at which the security appliance polls the workstation running SSO Agent to verify that users are still logged on.

Step 17 In the Hold time after failure (minutes) field, enter the time, in minutes, that the security appliance waits before trying again to identify traffic after an initial failure to do so. This rate-limits requests to the agent.

Step 18 (Available for SonicOS 5.6 and higher.) To populate the User names used by Windows services list, type the service login name in the field (the simple name only, without the domain or PC name) and click Add. Repeat as necessary for additional user names, and then click Update.


Enforcement Tab

Note: On appliances running SonicOS versions 5.5 and lower, the Enforcement tab is called the Content Filter tab. The configuration is identical, regardless of the name of the tab.

Step 19 Click on the Enforcement tab if you want to bypass SSO for traffic from non-user devices such as internal proxy web servers or IP phones.

Step 20 (Available in SonicOS releases 5.6 and higher.) To bypass SSO for traffic from certain devices or locations and apply the default content filtering policy to that traffic, select the appropriate address object or address group from the first pull-down menu under SSO Bypass. To bypass SSO for certain services or types of traffic, select the service from the second pull-down menu.

The first setting is used where traffic that would be subject to security services screening can come from a device other than a user's workstation (such as an internal proxy Web server or IP phone). It prevents the SonicWALL from attempting to identify such a device as a network user in order to select the content filtering policy to apply. The default content filtering policy is used for all traffic from the selected IP addresses.

The second setting is appropriate for user traffic that does not need to be authenticated, where triggering SSO might cause an unacceptable delay for the service.

SSO bypass settings do not apply when SSO is triggered by firewall access rules requiring user authentication. To bypass SSO for such traffic, add access rules that do not require user authentication for the affected traffic.
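The Users-tab and Enforcement-tab settings interact in ways that are easy to get wrong: bypass lists are ignored when an access rule demands authentication, a host that fails the NetAPI/WMI probe can only be identified once it sends HTTP, a service account reported by the agent counts as nobody logged in, and a failed lookup suppresses further agent requests for the hold time. The following is an added example, not code from the GMS guide or from SonicWALL, that models that decision order for one flow at a time; the agent lookup table, the flow attributes, the group rule for domain users and the timing values are constructed assumptions, not the appliance's implementation.

```python
"""Added example (not from the GMS guide): a model of how the SSO settings on
the Users and Enforcement tabs decide how a flow is identified. The agent
lookup, the hold-time bookkeeping and the flow attributes are constructed
stand-ins for the appliance's real behaviour; the decision order follows
the steps described in the guide."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SSOSettings:
    bypass_addresses: Set[str] = field(default_factory=set)  # Enforcement: SSO Bypass address object/group
    bypass_services: Set[int] = field(default_factory=set)   # Enforcement: SSO Bypass service (dst ports)
    probe_users: bool = True                                 # Users tab: Probe users for NetAPI/WMI
    hold_time_s: int = 60                                    # Users tab: Hold time after failure
    service_accounts: Set[str] = field(default_factory=set)  # Users tab: names used by Windows services


@dataclass
class Decision:
    method: str                   # "bypass", "agent", "ntlm" or "unidentified"
    user: Optional[str] = None    # identified user, if any
    domain_user: bool = False     # False for computer-name/user-name (non-domain) logins


class SSOIdentifier:
    def __init__(self, settings: SSOSettings, agent: Dict[str, str]):
        self.s = settings
        self.agent = agent                      # constructed agent: source IP -> logged-on user
        self.hold_until: Dict[str, float] = {}  # per-IP hold time after a failed identification

    def identify(self, src_ip: str, dst_port: int, is_http: bool,
                 probe_answered: bool, rule_requires_auth: bool, now: float) -> Decision:
        # Enforcement-tab bypasses apply only when SSO was not triggered by an
        # access rule that requires authentication.
        if not rule_requires_auth and (src_ip in self.s.bypass_addresses
                                       or dst_port in self.s.bypass_services):
            return Decision("bypass")
        # Hold time: a recent failure for this IP suppresses further agent requests.
        if now < self.hold_until.get(src_ip, 0.0):
            return Decision("unidentified")
        # Probe: a host that does not answer on the NetAPI/WMI port skips the agent
        # and is challenged with NTLM, which can only happen once it sends HTTP.
        if self.s.probe_users and not probe_answered:
            return Decision("ntlm") if is_http else Decision("unidentified")
        user = self.agent.get(src_ip)
        simple = user.split("/")[-1].split("\\")[-1].lower() if user else None
        if user is None or simple in self.s.service_accounts:
            # Nobody logged on, or only a service account: start the hold time.
            self.hold_until[src_ip] = now + self.s.hold_time_s
            return Decision("unidentified")
        return Decision("agent", user, domain_user="/" not in user)


def group_memberships(decision: Decision, directory_groups: List[str]) -> List[str]:
    """Assumed for this example: domain users get their directory groups plus
    Trusted Users; non-domain users (Allow limited access for non-domain users)
    never get Trusted Users, whatever the directory says."""
    if decision.user is None:
        return []
    if not decision.domain_user:
        return [g for g in directory_groups if g != "Trusted Users"]
    return sorted(set(directory_groups) | {"Trusted Users"})


def passes_rule(decision: Decision, rule_requires_auth: bool) -> bool:
    """An access rule that requires authentication drops traffic that is still
    unidentified, including a pending NTLM challenge and non-HTTP traffic from
    a Mac that has not yet browsed."""
    return not rule_requires_auth or decision.user is not None
```

The hold-time bookkeeping is the part to watch in production: while an IP is held, nothing from it can be identified, so a service account logging on to a shared workstation silently turns every user of that machine into an unidentified one for the hold period.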


Terminal Services Tab

Step 21 (Available in SonicOS releases 5.6 and higher.) Click on the Terminal Services tab.

Step 22 Click the Add button. The page is updated to display a new row in the table at the top, and new input fields in the lower half of the page.

Step 23 In the Host Name or IP Address(es) field, enter the name or IP address of the terminal server on which SonicWALL TSA is installed. If the terminal server is multi-homed (has multiple IP addresses) and you are identifying the host by IP address rather than DNS name, enter all the IP addresses as a comma-separated list. As you type in values for the fields, the row at the top is updated in red to highlight the new information.

Step 24 In the Port field, enter the port number on which SonicWALL TSA listens on the terminal server. The default port is 2259. Note that agents at different IP addresses can have the same port number.

Note: In global view, a maximum of 256 TSA agents can be configured. On the unit level, the maximum depends on the type of SonicWALL appliance.

Step 25 In the Shared Key field, enter the shared key that you created or generated in the SonicWALL TSA. The shared key must match exactly. Re-enter the shared key in the Confirm Shared Key field.

Step 26 Repeat Steps 22 through 25 to add additional TSA agents.

Step 27 Click the General Settings tab inside the Terminal Services tab.

Step 28 The Allow traffic from services on the terminal server to bypass user authentication in access rules checkbox is selected by default. This allows traffic such as Windows updates or anti-virus updates, which is not associated with any user login session, to pass without authentication. If you clear this checkbox, traffic from services can be blocked if firewall access rules require user authentication. In this case, you can add rules to allow access for All to the services' traffic destinations, or configure the destinations as HTTP URLs that can bypass user authentication in access rules.
Content Filter Tab

Step 29 Click on the Content Filter tab if you are using the SonicWALL Content Filtering Service (CFS) and there is a proxy server in your network.

Note: The Content Filter tab is only displayed for SonicOS releases 5.5 and lower, and only if Premium CFS is enabled on the SonicWALL security appliance. For SonicOS releases 5.6 and higher, the Content Filter tab is combined with the Enforcement tab. See Enforcement Tab on page 375 for more information.

Step 30 To bypass SSO for content filtering traffic and apply the default content filtering policy to the traffic, select the appropriate address object or address group from the pull-down list. This setting should be used where traffic that would be subject to content filtering can come from a device other than a user's workstation (such as an internal proxy web server). It prevents the SonicWALL from attempting to identify such a device as a network user in order to select the content filtering policy to apply. The default content filtering policy is used for all traffic from the selected IP addresses.

Test Tab

Step 31 You can test the Transparent Authentication Configuration settings on the Policies > Diagnostics > Network page. For more information, click the Test tab.

Step 32 When finished, click OK.

Configuring Guest Services


Guest Services determine the limits and configuration of the guest accounts. Guest accounts
are temporary accounts set up for users to log into your network.
You can create guest accounts manually as needed or generate them in batches. Guest
accounts are typically limited to a pre-determined life-span. After their life span, by default, the
accounts are removed.


To configure Guest Services, perform the following steps:

1. Expand the Users tree and click on Guest Services.

2. Check Show guest login status window with logout button to display a login status window on the user's workstation whenever the user is logged in. Users must keep this window open during their login session. The window displays the time remaining in their current session. Users can log out by clicking the Logout button in the login status window.

3. To create a guest profile, click Add below the Guest Profile list. The Add Guest Profile page displays.

4. In the Add Guest Profile window, configure the following options:

Profile Name: enter the name of the profile.

User Name Prefix: enter the first part of every user account name generated from this profile.

Auto-generate user name: check this to give guest accounts generated from this profile an automatically generated user name. The user name is usually the prefix plus a two- or three-digit number.

Auto-generate password: check this to give guest accounts generated from this profile an automatically generated password. The generated password is an eight-character unique alphabetic string.

Enable Account: check this for all guest accounts generated from this profile to be enabled upon creation.

Auto-Prune Account: check this to have the account removed from the database after its lifetime expires.


Enforce login uniqueness: Check this to allow only a single instance of an account to
be used at any one time. By default, this feature is enabled when creating a new guest
account. If you want to allow multiple users to login with a single account, disable this
enforcement by clearing the Enforce login uniqueness checkbox.

Account Lifetime: This setting defines how long an account remains on the security
appliance before the account expires. If Auto-Prune is enabled, the account is deleted
when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list
of guest accounts with an Expired status, allowing easy reactivation.

Session Lifetime: Defines how long a guest login session remains active after it has
been activated. By default, activation occurs the first time a guest user logs into an
account. Alternatively, activation can occur at the time the account is created by
clearing the Activate account upon first login checkbox. The Session Lifetime
cannot exceed the value set in the Account Lifetime.

Idle Timeout: Defines the maximum period of time when no traffic is passed on an
activated guest services session. Exceeding the period defined by this setting expires
the session, but the account itself remains active as long as the Account Lifetime
hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.

Comment: Any text can be entered as a comment in the Comment field.

5. Click OK to add the profile.

Configuring Guest Accounts


To view statistics on a guest account, move your mouse over the Statistics icon in the line of
the guest account. The statistics window will display the cumulative total bytes and packets sent
and received for all completed sessions. Currently active sessions will not be added to the
statistics until the guest user logs out.

To create a guest account, perform the following steps:

1. Expand the Users tree and click on Guest Accounts.

2. Under the list of accounts, click Add Guest.


3. Configure the following parameters for the guest account:

Profile: Select the Guest Profile to generate this account from.

Name: Enter a name for the account or click Generate. The generated name is the
prefix in the profile and a random two- or three-digit number.

Comment: Enter a descriptive comment.

Password: Enter the user account password or click Generate. The generated
password is a random string of eight alphabetic characters.

Confirm Password: If you did not generate the password, re-enter it.

Enable Guest Services Privilege: Check this for the account to be enabled upon
creation.

Enforce login uniqueness: Check this to allow only one instance of this account to log
into the security appliance at one time. Leave it unchecked to allow multiple users to
use this account at once.

Automatically prune account upon account expiration: Check this to have the
account removed from the database after its lifetime expires.

Account Lifetime: This setting defines how long an account remains on the security
appliance before the account expires. If Auto-Prune is enabled, the account is deleted
when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list
of guest accounts with an Expired status, allowing easy reactivation. This setting
overrides the account lifetime setting in the profile.

Session Lifetime: Defines how long a guest login session remains active after it has
been activated. By default, activation occurs the first time a guest user logs into an
account. Alternatively, activation can occur at the time the account is created by
clearing the Activate account upon first login checkbox. The Session Lifetime
cannot exceed the value set in the Account Lifetime. This setting overrides the
session lifetime setting in the profile.

Idle Timeout: Defines the maximum period of time when no traffic is passed on an
activated guest services session. Exceeding the period defined by this setting expires
the session, but the account itself remains active as long as the Account Lifetime
hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
This setting overrides the idle timeout setting in the profile.

4. Click Update.
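The lifetime rules from the guest profile and guest account settings above (Account Lifetime, Session Lifetime, Idle Timeout, activation on first login or at creation, auto-prune and login uniqueness) modelled as a small state machine, added here as an example and not SonicWALL code. The class and function names, the minute-based clock and the rule that a user may log in again after an idle timeout but not once the Session Lifetime is used up are my assumptions.

```python
"""Guest-account lifetime model following the guest profile settings above.

Added example, not SonicWALL code. Timestamps are whole minutes on a constructed
clock. Assumption: a user may log in again after an idle timeout, but not once the
Session Lifetime (counted from activation) has run out.
"""
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GuestProfile:
    name: str
    user_name_prefix: str
    account_lifetime_min: int   # Account Lifetime
    session_lifetime_min: int   # Session Lifetime
    idle_timeout_min: int       # Idle Timeout
    auto_prune: bool = True
    enforce_login_uniqueness: bool = True
    activate_on_first_login: bool = True


def check_profile(p: GuestProfile) -> List[str]:
    """Return the ordering rules stated in the guide that this profile violates."""
    problems = []
    if p.session_lifetime_min > p.account_lifetime_min:
        problems.append("Session Lifetime cannot exceed Account Lifetime")
    if p.idle_timeout_min > p.session_lifetime_min:
        problems.append("Idle Timeout cannot exceed Session Lifetime")
    return problems


def generate_user_name(p: GuestProfile) -> str:
    """User Name Prefix followed by a random two- or three-digit number."""
    digits = secrets.choice((2, 3))
    return f"{p.user_name_prefix}{secrets.randbelow(10 ** digits):0{digits}d}"


def generate_password() -> str:
    """Eight random alphabetic characters, drawn from a CSPRNG."""
    return "".join(secrets.choice(string.ascii_letters) for _ in range(8))


@dataclass
class GuestAccount:
    profile: GuestProfile
    user_name: str
    created_at: int
    activated_at: Optional[int] = None
    last_traffic_at: Optional[int] = None
    open_sessions: int = 0

    def __post_init__(self):
        if not self.profile.activate_on_first_login:
            self.activated_at = self.created_at      # activation at creation time

    def account_expired(self, now: int) -> bool:
        return now >= self.created_at + self.profile.account_lifetime_min

    def session_exhausted(self, now: int) -> bool:
        """True once the Session Lifetime has run out after activation."""
        return (self.activated_at is not None
                and now >= self.activated_at + self.profile.session_lifetime_min)

    def idle_expired(self, now: int) -> bool:
        return (self.last_traffic_at is not None
                and now - self.last_traffic_at >= self.profile.idle_timeout_min)

    def session_active(self, now: int) -> bool:
        return (self.open_sessions > 0 and not self.account_expired(now)
                and not self.session_exhausted(now) and not self.idle_expired(now))

    def status(self, now: int) -> str:
        """'Active', or after Account Lifetime 'Pruned' (auto-prune) / 'Expired'."""
        if not self.account_expired(now):
            return "Active"
        return "Pruned" if self.profile.auto_prune else "Expired"

    def login(self, now: int) -> bool:
        if self.account_expired(now) or self.session_exhausted(now):
            return False
        if self.profile.enforce_login_uniqueness and self.session_active(now):
            return False                              # second concurrent login refused
        if not self.session_active(now):
            self.open_sessions = 0                    # idle-expired sessions are gone
        if self.activated_at is None:
            self.activated_at = now                   # first login activates the account
        self.open_sessions += 1
        self.last_traffic_at = now
        return True

    def traffic(self, now: int) -> bool:
        """Record traffic on an active session; False if the session has expired."""
        if not self.session_active(now):
            return False
        self.last_traffic_at = now
        return True

    def logout(self) -> None:
        self.open_sessions = max(0, self.open_sessions - 1)
```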

Configuring Users in SonicOS Standard


The following sections describe how to configure users in SonicOS Standard:

Configuring User Settings section on page 381

Global User Settings section on page 382

Configuring an Acceptable Use Policy section on page 383

Configuring ULA Settings section on page 383

Configuring HTTP URL-Based ULA section on page 383

Configuring RADIUS for SonicOS Standard section on page 384


Configuring User Settings


SonicWALL appliances can be configured to authenticate users through a Remote
Authentication Dial-In User Service (RADIUS) server, a local user list, or a combination of both.
If users are authenticated locally, or through a combination of local and RADIUS authentication,
SonicWALL appliances can also control user access privileges.

Note: In order for changes on this page to take effect, the SonicWALL(s) will automatically be
restarted. We recommend configuring these options when network activity is low.

To add a user, perform the following steps:

1. Expand the Users tree and click Settings. The User Settings page displays.

2. Select the authentication method in the User Login Settings section:

To use RADIUS for all user authentication, select RADIUS from the Authentication
method for login pull-down menu.

To only allow users that are configured locally, but still use RADIUS to
authenticate them, select the Allow only users listed below check box.

To grant users the privileges that are configured locally, but still use RADIUS for
authentication, select the Include privileges from users listed locally checkbox.

To bypass RADIUS and authenticate only against the local user database, select Local
Users from the Authentication method for login pull-down menu.

3. To add a user, do the following:

Enter the user name in the User Name field.

Select from the following user privileges:

Remote Access: enables the user to access LAN resources from the Internet.
This option is only available in Standard mode.

Bypass Filters: allows the user to bypass Content Filtering settings.


Access to VPNs: enables the user to send information over the VPN Security
Associations.

Access from VPN Client with XAUTH: use if a VPN client is using XAUTH for
authentication.

Internet Access: enables the user to access the Internet.

L2TP Client: enables the user to connect using an L2TP client.

Wireless Guest Service: enables Wireless Guest Services for this user.

Easy WGS MAC Filtering: enables (and enforces) MAC address filtering for
wireless guest service-enabled connections.

Limited Management: allows authorized users limited local management access
to the SonicWALL interface. Access is limited to the General page (Status, Network,
Time), the Log page (View Log, Log Settings, Log Reports), and the Tools page
(Restart, Diagnostics minus Tech Support).

Enter the password in the New Password field and reenter it in the Confirm
Password field.

Note: Passwords are case-sensitive.

When you are finished, click Add. SonicWALL GMS creates a task that adds these
users for each selected SonicWALL appliance. Repeat this step for each user that you
want to add (up to 100 users).

Global User Settings


The settings listed below apply to all users when authenticated through the SonicWALL. To
configure global user settings, expand the Users tab and click on the Settings tab. The
following options are configured in the User Session Settings section:

Inactivity timeout (minutes): users can be logged out of the SonicWALL after a
preconfigured inactivity time. Enter the number of minutes in this field. The default value is
5 minutes.

Enable login session limit: you can limit the time a user is logged into the SonicWALL by
selecting the check box and typing the amount of time, in minutes, in the Login session
limit (minutes) field. The default value is 30 minutes.

Login session timeout: defines how much time a user has to log in before the login page
times out. If it times out, a message displays saying they must click before attempting to
log in again.

Show user login status window with logout button: causes a status window to display
with a Log Out button during the user's session. The user can click the Log Out button to
log out of their session.

User's login status window refreshes every: determines how often the user's status
display is updated.

Enable disconnected user detection: causes the SonicWALL to detect when a user's
connection is no longer valid and end the session.

User's login status window sends heartbeat every (seconds): sets the frequency of the
heartbeat signal used to detect whether the user still has a valid connection.

Allow unauthenticated VPN users to access DNS: allows unauthenticated users access
to DNS servers across a VPN tunnel with authentication enforcement.


Configuring an Acceptable Use Policy


The Acceptable Use Policy (AUP) configuration is identical for SonicOS Standard and SonicOS
Enhanced. For information on configuring an AUP, refer to the Configuring an Acceptable Use
Policy section on page 366.

Configuring ULA Settings


This section describes how to configure User Level Authentication (ULA) settings. ULA settings
are not available on Enhanced firmware. To configure ULA settings, perform the following
steps:

1. Expand the Users tree and click User ULA Settings. The User ULA Settings page
displays.

2. To only allow authenticated users to access the Internet, select the Allow only
authenticated users to access the Internet check box.

3. To allow unauthenticated users to access a service, select the service in the Always allow
these services area and click Add. Repeat this step for each service to add.

4. To specify a range of IP addresses that will always be allowed to access the Internet, enter
the IP address in the Begin field and the size of the range in the Length field. Repeat this
step for each range to add.

5. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring HTTP URL-Based ULA


The HTTP URL-based ULA configuration is identical for SonicOS Standard and SonicOS
Enhanced. For information on configuring HTTP URL-based ULA, refer to the Configuring
HTTP URL-Based ULA Settings section on page 370.


Configuring RADIUS for SonicOS Standard


If you selected Use RADIUS for user authentication, you must now configure RADIUS
information. To configure RADIUS, perform the following steps.

1. Expand the Users tab and click on RADIUS.

2. Define the number of times the SonicWALL attempts to contact the RADIUS server in the
RADIUS Server Retries field. If the RADIUS server does not respond within the specified
number of retries, the connection is dropped. This field can range between 0 and 10;
3 RADIUS server retries are recommended.

3. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds
with a default value of 5.

RADIUS Servers

1. Specify the following settings for the primary RADIUS server in the Primary Server section:

Type the IP address of the RADIUS server in the IP Address field.

Type the Port Number for the RADIUS server.

Type the RADIUS server administrative password or shared secret in the Shared
Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in
length. The shared secret is case sensitive.

2. If there is a secondary RADIUS server, type the appropriate information in the Secondary
Server section.

RADIUS Users

1. Configure the following privileges for all RADIUS users:

Allow Internet Access (when access is restricted): enables the users to access the
Internet when Internet access is restricted to authorized users only.

Bypass Filters: allows the user to bypass Content Filtering settings.

Access to VPNs: enables the users to send information over the VPN Security
Associations.

Access from VPN Client with XAUTH: use if a VPN client is using XAUTH for
authentication.

Access L2TP Client from VPN Client: enables the user to connect using an L2TP
client through a secure VPN tunnel.


Wireless Guest Service: allows access (after RADIUS authentication) for Wireless
Guest Services users.

Easy WGS MAC Filtering: enables (and enforces) MAC address filtering for wireless
guest service-enabled connections.

Limited Management: allows authorized users limited local management access to
the SonicWALL interface. Access is limited to the General page (Status, Network,
Time), the Log page (View Log, Log Settings, Log Reports), and the Tools page
(Restart, Diagnostics minus Tech Support).

Allow Only Users Listed Locally: disallows access to RADIUS users, except for
those with duplicate local credentials.

RADIUS Client Test

To test your RADIUS Client user name and password, perform the following steps:

1. Navigate to the Diagnostics > Network page.

2. Enter a valid user name in the User field, and the password in the Password field.

3. Click the RADIUS Client Test button.

If the validation is successful, the Status message changes to Success. If the validation fails,
the Status message changes to Failure. Once the SonicWALL has been configured, a VPN
Security Association requiring RADIUS authentication prompts incoming VPN clients to type a
User Name and Password into a dialogue box.
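What the RADIUS Client Test exercises on the wire, as an added example in Python that is not SonicWALL code: an RFC 2865 Access-Request with User-Password hiding under the shared secret, the Response Authenticator check on the server's reply, and a send loop driven by the RADIUS Server Retries and Timeout settings from this section. The setting ranges come from the section above; the "1 + retries" attempt count, the function names and the NAS-Identifier value are assumptions.

```python
"""RFC 2865 Access-Request client behind a RADIUS Client Test.

Added example, not SonicWALL code. The Shared Secret, retries and timeout
ranges are the ones the guide gives; treating "retries" as attempts after the
first send is my assumption, as is the NAS-Identifier "gms-test".
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def check_settings(secret: str, retries: int, timeout: int) -> None:
    """Enforce the ranges the guide gives for the Standard RADIUS page."""
    if not 1 <= len(secret) <= 31:
        raise ValueError("Shared Secret must be 1 to 31 characters")
    if not 0 <= retries <= 10:
        raise ValueError("RADIUS Server Retries must be 0 to 10")
    if not 1 <= timeout <= 60:
        raise ValueError("RADIUS Server Timeout must be 1 to 60 seconds")


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with an MD5(secret+prev) chain."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does it (used here to self-check)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")          # strip the padding added by hide_password


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, user: str, password: str,
                         nas_id: bytes = b"gms-test") -> tuple:
    """Return (packet, request_authenticator) for one Access-Request."""
    req_auth = os.urandom(16)            # fresh Request Authenticator per request
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(password.encode(), secret, req_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server-side reply builder, included to exercise the check offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + auth + attrs


def radius_client_test(server: str, port: int, secret: str, user: str,
                       password: str, retries: int = 3, timeout: int = 5) -> str:
    """Send the request, retrying on silence; return 'Success' or 'Failure'."""
    check_settings(secret, retries, timeout)
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, secret.encode(), user, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(1 + retries):      # initial send plus the configured retries
            sock.sendto(packet, (server, port))
            try:
                resp, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if (resp[1] == ident
                    and response_is_authentic(resp, req_auth, secret.encode())):
                return "Success" if resp[0] == ACCESS_ACCEPT else "Failure"
    return "Failure"                       # no authentic reply: connection dropped
```

A reply whose Response Authenticator does not verify under the shared secret is ignored rather than treated as a rejection, so a forged Access-Reject or Access-Accept from a third party cannot change the test result.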


CHAPTER 17
Configuring App Control
This chapter describes how to configure App Control policies for SonicWALL firewalls from
SonicWALL GMS. This chapter includes the following sections:

App Control Overview section on page 387

Configuring App Rules section on page 389

Configuring Advanced Policies section on page 401

Configuring Match Objects section on page 415

Configuring Action Objects section on page 428

Configuring Email Address Objects section on page 441

Use Cases section on page 445

App Control Overview


App Control utilizes SonicOS Deep Packet Inspection to scan application layer network traffic
as it passes through the gateway and locate content that matches configured applications.
When a match is found, App Control performs the configured action.
App Control allows you to set policy rules for application signatures. As a set of
application-specific policies, App Control gives you granular control over network traffic on the
level of users, email users, schedules, and IP-subnets. The primary functionality of this
application-layer access control feature is to block, log, or manage bandwidth consumption of
Web based applications, Web browsing, file transfer, email, and email attachments.
There are two ways to create App Control policies using SonicWALL GMS. You can configure
App Control policies on the App Control > App Rules page or on App Control > Advanced.

App Control > App Rules: The App Rules page provides a way to create a targeted App
Control policy using match objects, action objects, or email address objects. These objects
allow you to be very specific about what to look for in the traffic and provide a number of
ways to control it, including bandwidth management and custom actions. App Rules
policies can define the type of applications to scan, the traffic direction, the content or
keywords to match, the user or domain to match, and the action to perform. For ease of
use, you can create App Rules policies for any of the categories, applications, or signatures
that are also available on the App Control > Advanced page.


App Control > Advanced: The Advanced page provides a simple and direct way of
configuring global App Control policies. An App Control > Advanced policy defines whether
to block or log an application, which users, groups, or IP address ranges to include or
exclude, and a schedule for enforcement. You can quickly enable blocking or logging for a
whole category of applications, or can just as easily locate and do the same for an individual
application or individual signature. Once enabled, the category, application, or signature is
blocked or logged globally without the need to create a policy on the App Rules page.

App Control is licensed together in a bundle with other security services, including SonicWALL
Gateway Anti-Virus (GAV), Anti-Spyware, and Intrusion Prevention Service (IPS).
You must enable App Control before you can use it. App Control > App Rules and App Control
> Advanced are both enabled with global settings, and App Control must also be enabled on
each network zone that you want to control.
SonicWALL GMS supports App Control on SonicWALL firewall appliances that are running
SonicOS 5.8.1.4 firmware or higher. The units must be licensed for Gateway Anti-Virus.
App Control is supported for Firewalls at the group level and unit level in SonicWALL GMS.
When a unit is selected that is running a version of SonicOS lower than 5.8.1.4, the App Control
menu group is not visible in the middle panel. However, when the group level is selected, the
App Control menu group is available and you can configure objects and policies, even if the
group does not yet contain a unit running 5.8.1.4 or higher. This allows you to prepare the policy
configuration prior to bringing a unit with 5.8.1.4 under GMS management.
Inheritance is supported for App Control policies and configurations. Inheritance in SonicWALL
GMS allows a node's settings to be inherited to and from unit, group and parent nodes. For
more information about inheritance, see Chapter 38, Managing Inheritance in SonicWALL
GMS.
On SonicWALL TZ 100 and 200 series appliances, the Security Services > Application Control
screen in the SonicOS interface corresponds to the App Control > Advanced screen in
SonicWALL GMS. TZ 100 and 200 boxes do not support App Rules policies. This means that
the App Rules, Match Objects, Action Objects, and Email Address Objects screens do not
appear for these models.
For related information and use case configurations, see the Use Cases section on page 445
as well as the SonicOS 5.8.1 Application Control Feature Module, available on
www.sonicwall.com at:
http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=455


Configuring App Rules


The App Control > App Rules page provides global settings, search functions, a policies view
filter, and the list of App Rules policies. From here, you can add a new policy or delete a policy.

Note: Changing the Bandwidth Management Type on the Firewall > BWM page from Global to
WAN, or from WAN to Global, automatically sets the Medium priority action object for any
policies using predefined Global or WAN BWM action objects. If Bandwidth Management
Type is set to None on the Firewall > BWM page, you will have to change the action object
of the policy manually to replace the predefined Global or WAN BWM action objects.
See Configuring Application Layer Bandwidth Management on page 431 for more
information.
See the following sections for configuration information about the settings on this page:

Configuring App Rules Global Settings on page 390

Searching App Rules Policies on page 390

Filtering the Policies View on page 391

Sorting App Rules Policies on page 392

Viewing Tooltips for App Rules Policies on page 393

Adding or Editing App Rules Policies on page 394

Enabling or Disabling App Rules Policies on page 397

Deleting App Rules Policies on page 398

Policy Type Reference on page 398


Configuring App Rules Global Settings


The App Rules page provides global settings to enable use of App Rules policies and to control
logging behavior.

To configure App Rules global settings:

Step 1 In the TreeControl, select the unit or group to configure.

Step 2 On the Policies tab, on the App Control > App Rules page, select the Enable App Rules
checkbox to enable App Control on this unit or group.

Step 3 Enter the minimum number of seconds between log entries for multiple matches of the same
policy in the Global Log Redundancy Filter field. If set to zero, a log entry is created for each
policy match.
This global setting applies to all App Rules policies. You can also set custom log redundancy
for an individual policy in the Add/Edit Policy screen. Per-policy settings override the global
setting.

Step 4 Click Update to apply changes in the global settings. Click Reset to clear all changes on the
page and return fields to their default values.

Searching App Rules Policies


You can search the list of App Rules policies using several different filters, each combined with
one of several operators and a target value that you provide.

To perform a filtered search of App Rules policies:

Step 1 In the TreeControl, select the unit or group on which to search.

Step 2 On the Policies tab, on the App Control > App Rules page, select one of the following search
objects from the first Search pull-down list:

Name: the full or partial name of the policy

Object: the full or partial name of the match object in the policy

Action: the full or partial name of the action object used in the policy

Step 3 Select one of the following operators from the next pull-down list:

Equals: search for any policy in which the search object exactly matches the target value

Starts with: search for any policy in which the search object begins with the target value

Ends with: search for any policy in which the search object ends with the target value

Contains: search for any policy in which the search object contains the target value


Step 4 In the text box, type in the target value that you are searching for in the Name, Object, or Action
search object.

Step 5 Click Search to search your policies for one or more matches. Click Clear to set the search
fields back to defaults.
The App Rules Policies list changes to display only the policies found by your search.

Filtering the Policies View


The App Rules Policies View Style area provides two ways to filter the policies that are
displayed on the App Control > App Rules page. You can choose to display policies by the
type of policy or by the type of action used in the policy. These filters can be combined, allowing
you to display only policies of a specific type that use a particular type of action. Policies that
do not match the selected filter settings are removed from the display.
To filter the display by a specific type of policy, select the desired type from the Policy Type
pull-down list. The available selections include the same policy types that are available when
creating a policy.

For example, after selecting App Control Content as the Policy Type, the display changes to
show only policies of the App Control Content type.


To filter the display by a specific type of action used in the policy, select the desired type from
the Action Type pull-down list.

For example, after selecting App Control Content as the Policy Type, you could select
Reset/Drop as the Action Type. The display changes to show only App Control Content type
policies that use a Reset/Drop action type.

To change the display back to the default showing all policies, either select All for both Policy
Type and Action Type, or simply navigate away from the page and then back to it.

Sorting App Rules Policies


You can sort the list of App Rules policies by clicking on any of the underlined column headings,
including Name, Object, Action, and Enable. The first time you click one of these headings,
the policy list is sorted in descending alphabetical order from top to bottom, according to the
first letter or symbol of the items in that column.


For example, clicking the Name heading sorts the policies alphabetically by the first letter of the
policy name, from A at the top to Z at the bottom. A small upward-pointing arrow is displayed
next to the Name heading, indicating that, if the heading is clicked, it will cause the list to be
sorted in ascending order by name (Z to A).

To re-sort the list in ascending order, click the heading a second time.
Names beginning with a symbol or number come before names beginning with any alphabetical
character. When sorting by Object name, automatically created objects beginning with tilde (~)
come before objects beginning with any alphabetical character. The same holds true if you use
a symbol or number as the first letter when naming an object, action, or policy.
When sorting by the Enable heading, the first click places all enabled policies at the top of the
list. Clicking again puts disabled policies at the top.

Viewing Tooltips for App Rules Policies


The App Rules main page provides mouse-over tooltips for the policy values. These tooltips
display a number of details about the values.
To display the tooltips, move your mouse pointer slowly over the elements within each policy.
The tooltip will automatically pop up with the available information.
Table 13 lists some of the information that can be displayed for the elements under each
heading. The type of information will vary depending on the object type.

Table 13 Tooltip Displays

Heading | Potential Settings Information in Tooltip
Name | Status: Enabled or Disabled
Policy Type | N/A
Object | Object Properties: Type, Match Type, Input Type, Negative Matching, Content
Action | Action Properties: Type, Content, BWM Inbound/Outbound Parameters
Direction | N/A
Comments | Comments: Source/Destination Address, To/From Service, Log, Log Redundancy Filter, Included/Excluded Users, Email Users, Schedule
Enable | N/A

The actual information displayed depends on the settings configured for the policy or object.


Adding or Editing App Rules Policies


When you have created a match object, and optionally, an action or an email address object,
you are ready to create a policy that uses them. Only a limited number of App Rules policies
are allowed, depending on the SonicOS appliance model.
You can use App Control to create custom App Rules policies to control specific aspects of
traffic on your network. A policy is a set of match objects, properties, and specific prevention
actions.
To create a policy, perform the following tasks:

Create a match object

Select and optionally customize an action object

Reference the match object and action when you create the policy

When you create a policy, you select a policy type. Each policy type specifies the values or
value types that are valid for the source, destination, match object type, and action fields in the
policy.
You can further define the policy to include or exclude specific users or groups, select a
schedule, turn on logging, and specify the connection side as well as basic or advanced
direction types. A basic direction type simply indicates inbound or outbound. An advanced
direction type allows zone to zone direction configuration, such as from the LAN to the WAN.


To configure an App Rules policy, perform the following steps:

Step 1 In the TreeControl, select the unit or group to configure.

Step 2 Navigate to the App Control > App Rules page on the Policies tab.

Step 3 To edit an existing policy, click the pencil icon under Configure for it. To add a new policy,
click Add New Policy. The App Control Policy Settings window displays.

Step 4 In the App Control Policy Settings window, type a descriptive name into the Policy Name
field.

Step 5 Select a Policy Type from the pull-down list. Your selection here will affect available options in
the window. For information about available policy types, see Policy Type Reference on
page 398.

Step 6 Select a source and destination Address Group or Address Object from the Address pull-down
lists. Only a single Address field is available for IPS Content, App Control Content, or CFS
policy types.

Step 7 Select the source or destination service from the Service pull-down lists. Some policy types do
not provide a choice of service.

Step 8 For Exclusion Address, optionally select an Address Group or Address Object from the
pull-down list. This address will not be affected by the policy.

Step 9 For Match Object, select a match object from the pull-down list. The list contains the defined
match objects that are applicable to the policy type.


Step 10 For Action, select an action from the pull-down list. The list contains actions that are applicable
to the policy type and the match object, and can include the predefined actions, plus any
customized actions. For a log-only policy, select No Action.

Step 11 For Users/Groups, select from the pull-down lists for both Included and Excluded. The
selected users or group under Excluded will not be affected by the policy.

Step 12 If the policy type is SMTP Client, select from the pull-down lists for MAIL FROM and RCPT TO,
for both Included and Excluded. The selected users or group under Excluded will not be
affected by the policy.

Step 13 For Schedule, select from the pull-down list. The list provides a variety of schedules for the
policy to be in effect.

Step 14 Select the Enable Flow Reporting checkbox to enable internal and external flow reporting
based on data flows, connection related flows, non-connection related flows regarding
applications, viruses, spyware, intrusions, and other information.

Step 15 If you want the policy to create a log entry when a match is found, select the Enable Logging
checkbox.

Step 16 To record more details in the log, select the Log individual object content checkbox.

Step 17 If the policy type is IPS Content, select the Log using IPS message format checkbox to
display the category in the log entry as Intrusion Prevention rather than Application Control,
and to use a prefix such as IPS Detection Alert in the log message rather than Application
Control Alert. This is useful if you want to use log filters to search for IPS alerts.

Step 18 If the policy type is App Control Content, select the Log using App Control message format
checkbox to display the category in the log entry as Application Control, and to use a prefix
such as Application Control Detection Alert in the log message. This is useful if you want to
use log filters to search for Application Control alerts.

Step 19 If the policy type is CFS, select the Log using CFS message format checkbox to display the
category in the log entry as Network Access, and to use a log message such as Web site
access denied in the log message rather than no prefix. This is useful if you want to use log
filters to search for content filtering alerts.

Step 20 For Log Redundancy Filter, you can either select Global Settings to use the global value set
on the App Control > App Rules page, or you can enter a number of seconds to delay between
each log entry for this policy. The local setting overrides the global setting only for this policy;
other policies are not affected.

Step 21 For Connection Side, select from the pull-down list. The available choices depend on the
policy type and can include Client Side, Server Side, or Both, referring to the side where the
traffic originates. IPS Content, App Control Content, or CFS policy types do not provide this
configuration option.

Step 22 For Direction, click either Basic or Advanced and select a direction from the pull-down list.
Basic allows you to select Incoming, Outgoing, or Both. Advanced allows you to select
between zones, such as LAN to WAN. IPS Content, App Control Content, or CFS policy types
do not provide this configuration option.

Step 23 If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone
pull-down list. The policy will be applied to this zone.

Step 24 If the policy type is CFS, select an entry from the CFS Allow List pull-down list. The list
contains any defined CFS Allow/Forbidden List type of match objects, and also provides
None as a selection. The domains in the selected entry will not be affected by the policy.

Step 25 If the policy type is CFS, select an entry from the CFS Forbidden List pull-down list. The list
contains any defined CFS Allow/Forbidden List type of match objects, and also provides
None as a selection. The domains in the selected entry will be denied access to matching
content, instead of having the defined action applied.


Step 26 If the policy type is CFS, select the Enable Safe Search Enforcement checkbox to prevent safe search enforcement from being disabled on search engines such as Google, Yahoo, Bing, and others.

Step 27 Click OK. The Modify Task Description and Schedule window displays.

Step 28 A description is automatically added in the Description field. Optionally change the description.

Step 29 For Schedule, select one of the following radio buttons and set any associated fields:
  - Default: Use the default schedule configured for the Agent that manages this unit
  - Immediate: Activate this policy immediately
  - At: Select the exact time to activate this policy using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.

Step 30 Click Accept to save the policy with this schedule. Click Cancel to exit without saving the policy.

At the unit level, you may need to refresh the App Control > App Rules page to see your new
policy in the list.
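The following Python model, added here as an illustration and not part of SonicWALL's product or documentation, walks a constructed stream of policy matches through the logging decisions described in Steps 11, 15, 17 through 19 and 20: users or groups under Excluded are never affected, the Log Redundancy Filter suppresses repeated entries for the same policy inside its delay window, and the per-type message-format checkbox sets the log category and prefix. The field names, the global redundancy value and the events are assumptions made for this example.

```python
"""How one App Rules policy decides whether and how to log a match.

Added example, not SonicWALL code. It models the Users/Groups Included and
Excluded selections (Step 11), Enable Logging (Step 15), the message-format
checkboxes (Steps 17-19) and the Log Redundancy Filter (Step 20) for a
constructed stream of matches. Field names, the global redundancy value and
the events are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Stands in for the global value set on the App Control > App Rules page
# (constructed value, not the product default).
GLOBAL_LOG_REDUNDANCY_SECONDS = 60


@dataclass
class AppRulesPolicy:
    name: str
    policy_type: str                      # "IPS Content", "App Control Content", "CFS", ...
    included: Set[str] = field(default_factory=lambda: {"All"})
    excluded: Set[str] = field(default_factory=set)
    enable_logging: bool = True
    type_message_format: bool = False     # the Step 17/18/19 checkbox for this type
    log_redundancy_seconds: Optional[int] = None  # None means "Global Settings"


def policy_applies(policy: AppRulesPolicy, user: str, groups: Set[str]) -> bool:
    """Excluded users or groups are never affected, even if also Included."""
    principals = {user} | groups
    if principals & policy.excluded:
        return False
    return "All" in policy.included or bool(principals & policy.included)


def log_entry_format(policy: AppRulesPolicy) -> Tuple[str, str]:
    """Return (log category, message prefix) per the message-format checkbox."""
    if policy.type_message_format:
        if policy.policy_type == "IPS Content":
            return "Intrusion Prevention", "IPS Detection Alert"
        if policy.policy_type == "App Control Content":
            return "Application Control", "Application Control Detection Alert"
        if policy.policy_type == "CFS":
            return "Network Access", "Web site access denied"
    return "Application Control", "Application Control Alert"


class RedundancyFilter:
    """Drop repeated entries for the same policy inside its delay window."""

    def __init__(self) -> None:
        self._last_logged: Dict[str, int] = {}

    def allow(self, policy: AppRulesPolicy, now: int) -> bool:
        delay = policy.log_redundancy_seconds
        if delay is None:
            delay = GLOBAL_LOG_REDUNDANCY_SECONDS
        last = self._last_logged.get(policy.name)
        if last is not None and now - last < delay:
            return False
        self._last_logged[policy.name] = now
        return True


def process_events(policy: AppRulesPolicy, events) -> List[str]:
    """Run (timestamp, user, groups) matches through one policy; return log lines."""
    redundancy = RedundancyFilter()
    lines = []
    for ts, user, groups in events:
        if not policy_applies(policy, user, groups):
            continue
        if not policy.enable_logging or not redundancy.allow(policy, ts):
            continue
        category, prefix = log_entry_format(policy)
        lines.append(f"t={ts}s [{category}] {prefix}: policy={policy.name} user={user}")
    return lines


# Constructed policy and match events (seconds since start, user, groups).
POLICY = AppRulesPolicy(name="ips-p2p", policy_type="IPS Content",
                        included={"Everyone"}, excluded={"IT Admins"},
                        type_message_format=True, log_redundancy_seconds=30)
EVENTS = [
    (0, "alice", {"Everyone"}),
    (10, "alice", {"Everyone"}),                 # inside the 30 s window: suppressed
    (20, "bob", {"Everyone", "IT Admins"}),      # Excluded group: policy does not apply
    (35, "alice", {"Everyone"}),                 # window elapsed: logged again
]


def demo() -> List[str]:
    """Return the log lines the constructed policy would emit for EVENTS."""
    return process_events(POLICY, EVENTS)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Note that the redundancy window is per policy, not per user, so a second user's match inside the window is also suppressed; keep that in mind when tuning the delay for detection use.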

Enabling or Disabling App Rules Policies


You can enable or disable existing App Rules policies directly on the App Control > App Rules
page.
To enable or disable a policy, perform the following steps:
Step 1 In the TreeControl, select the unit or group to configure.

Step 2 Navigate to the App Control > App Rules page on the Policies tab.

Step 3 To enable a policy, select the checkbox in the Enable column for that policy. To disable the policy, clear the checkbox.

Step 4 Click the Update button. The Modify Task Description and Schedule window displays.

Step 5 Select the Schedule settings, then click Accept to save the policy with this schedule. Click Cancel to exit without saving the policy.


Deleting App Rules Policies


To delete one or more App Rules policies, perform the following steps:

Step 1 In the TreeControl, select the unit or group to configure.

Step 2 Navigate to the App Control > App Rules page on the Policies tab.

Step 3 To delete a single policy, click the trash can icon under Configure for it, and then click OK in the confirmation dialog.

Step 4 To delete one or more policies, select the checkboxes for the ones to delete and click Delete Policy(s), and then click OK in the confirmation dialog.

Policy Type Reference


Table 14 describes the characteristics of the available App Rules policy types. For each policy type it lists the Description, the Valid Source Service / Default, the Valid Destination Service / Default, the Valid Match Object Type, the Valid Action Type, and the Connection Side.

Table 14 Policy Types

App Control Content
  Description: Policy using dynamic Application Control related objects for any application layer protocol
  Valid Source Service / Default: N/A
  Valid Destination Service / Default: N/A
  Valid Match Object Type: Application Category List, Application List, Application Signature List
  Valid Action Type: Reset/Drop, No Action, Bypass DPI, Packet Monitor, BWM Global-*, WAN BWM *
  Connection Side: N/A

CFS
  Description: Policy for content filtering
  Valid Source Service / Default: N/A
  Valid Destination Service / Default: N/A
  Valid Match Object Type: CFS Category List, CFS Allow / Forbidden List
  Valid Action Type: CFS Block Page, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: N/A

Custom Policy
  Description: Policy using custom objects for any application layer protocol; can be used to create IPS-style custom signatures
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: Any / Any
  Valid Match Object Type: Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: Client Side, Server Side, Both

FTP Client
  Description: Any FTP command transferred over the FTP control channel
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: FTP Control / FTP Control
  Valid Match Object Type: FTP Command, FTP Command + Value, Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action
  Connection Side: Client Side

FTP Client File Upload
  Description: An attempt to upload a file over FTP (STOR command)
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: FTP Control / FTP Control
  Valid Match Object Type: Filename, file extension
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: Client Side

FTP Client File Download
  Description: An attempt to download a file over FTP (RETR command)
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: FTP Control / FTP Control
  Valid Match Object Type: Filename, file extension
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: Client Side

FTP Data Transfer
  Description: Data transferred over the FTP Data channel
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: Any / Any
  Valid Match Object Type: File Content Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action
  Connection Side: Both

HTTP Client
  Description: Policy which is applicable to Web browser traffic or any HTTP request that originates on the client
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: Any / HTTP (configurable)
  Valid Match Object Type: HTTP Host, HTTP Cookie, HTTP Referrer, HTTP Request Custom Header, HTTP URI Content, HTTP User Agent, Web Browser, File Name, File Extension, Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor (1), No Action, BWM Global-*, WAN BWM *
  Connection Side: Client Side

HTTP Server
  Description: Response originated by an HTTP Server
  Valid Source Service / Default: Any / HTTP (configurable)
  Valid Destination Service / Default: Any / Any
  Valid Match Object Type: ActiveX Class ID, HTTP Set Cookie, HTTP Response Custom Header, File Content Object, Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: Server Side

IPS Content
  Description: Policy using dynamic Intrusion Prevention related objects for any application layer protocol
  Valid Source Service / Default: N/A
  Valid Destination Service / Default: N/A
  Valid Match Object Type: IPS Signature Category List, IPS Signature List
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
  Connection Side: N/A

POP3 Client
  Description: Policy to inspect traffic generated by a POP3 client; typically useful for a POP3 server admin
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: POP3 (Retrieve Email) / POP3 (Retrieve Email)
  Valid Match Object Type: Custom Object
  Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action
  Connection Side: Client Side

POP3 Server
  Description: Policy to inspect email downloaded from a POP3 server to a POP3 client; used for email filtering
  Valid Source Service / Default: POP3 (Retrieve Email) / POP3 (Retrieve Email)
  Valid Destination Service / Default: Any / Any
  Valid Match Object Type: Email Body, Email CC, Email From, Email To, Email Subject, File Name, File Extension, MIME Custom Header
  Valid Action Type: Reset/Drop, Disable attachment, Bypass DPI, No action
  Connection Side: Server Side

SMTP Client
  Description: Policy applies to SMTP traffic that originates on the client
  Valid Source Service / Default: Any / Any
  Valid Destination Service / Default: SMTP (Send Email) / SMTP (Send Email)
  Valid Match Object Type: Email Body, Email CC, Email From, Email To, Email Size, Email Subject, Custom Object, File Content, File Name, File Extension, MIME Custom Header
  Valid Action Type: Reset/Drop, Block SMTP E-Mail Without Reply, Bypass DPI, Packet Monitor, No Action
  Connection Side: Client Side

(1) Packet Monitor action not supported for File Name or File Extension Custom Object

Configuring Advanced Policies


The App Control > Advanced page provides an alternate method of adding App Control
policies. The configuration method on the App Control > Advanced page allows granular control
of specific categories, applications, or signatures. This includes granular logging control,
granular inclusion and exclusion of users, groups, or IP address ranges, and schedule
configuration. The settings here are global policies and independent from any custom App
Rules policy, and do not need to be added to an App Rules policy to take effect.
You can configure the following settings on this page:

Select a category, an application, or a signature.

Select blocking, logging, or both as the action.

Specify users, groups, or IP address ranges to include in or exclude from the action.

Set a schedule for enforcing the controls.

The App Control > Advanced screen provides application signatures management for all
supported firewalls running SonicOS 5.8.1.4 or higher.


Only 50 rows can be displayed on this page at a time. To view additional rows, use the pagination controls to the right of the Items field.

The App Control > Advanced page provides an App Control View Style section. When you
select Application or Signature in the Viewed By field in this section, the listed items are
displayed as links in the App Control Advanced section. You can click these links for more
details about the application or signature. A summary is provided, as well as information from
Wikipedia, if available.

Note

When All is selected in the Category pull-down list while Viewed By is set to Category, and
then one of the category links is clicked, the View Style settings are changed to select that
category in the Category pull-down list and set Viewed By to Application, displaying all
the applications in that category.
See the following sections:

Viewing App Control Advanced Status on page 403

Enabling App Control on Network Zones on page 403

Configuring App Control Advanced Global Settings on page 405

Configuring Policies on App Control > Advanced on page 408

Sorting App Control Advanced Items on page 414


Viewing App Control Advanced Status


The App Control Status section at the top of the page displays the date of the most recent
signature database available in MySonicWALL. This database contains thousands of
signatures for application viruses and other malware being tracked by SonicWALL. SonicWALL
appliances periodically synchronize with MySonicWALL to download updates to the database.

The Status section also displays the expiration date of the App Control Service license. If the
service expires, no new signatures are downloaded to the appliance from MySonicWALL.
A link to the Network > Zones page is provided next, for convenient navigation. You must
enable App Control on each zone where you want it to inspect network traffic. If App Control is
not enabled on any zones, a warning is displayed here. See Enabling App Control on Network
Zones on page 403 for a description of enabling App Control on a network zone.

Enabling App Control on Network Zones


You must enable App Control on each zone where you want to use App Control Advanced
policies to inspect network traffic. A link to the Network > Zones page is provided on the App
Control > Advanced page for convenient navigation.

Note

App Control policies are applied to traffic within a network zone only if you enable the App
Control Service for that zone. App Rules policies are independent, and not affected by the
App Control setting for network zones.


To enable App Control on a network zone:


Step 1 In the TreeControl, select the unit or group to configure.

Step 2 On the Policies tab, on the App Control > Advanced page, click Network > Zones in the App Control Status section at the top of the page.

Step 3 On the Network > Zones page, click the Edit icon for the desired zone. The Edit Network Zone screen displays.

Step 4 Select the Enable App Control Service checkbox.

Step 5 Click OK. The Modify Task Description and Schedule window displays.

Step 6 A description is automatically added in the Description field. Optionally change the description.

Step 7 For Schedule, select one of the following radio buttons and set any associated fields:
  - Default: Use the default schedule configured for the Agent that manages this unit
  - Immediate: Enable the configuration immediately
  - At: Select the exact time to enable the configuration by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.

Step 8 Click Accept to enable the configuration on this schedule. Click Cancel to exit without saving the configuration.


Configuring App Control Advanced Global Settings


App Control is a licensed service, and you must also enable it to activate the functionality. The
App Control > Advanced page provides the following global settings:

  - Enable App Control: Globally enable App Control
  - Configure App Control Settings: Configure a global exclusion list for App Control
  - Update App Control Signature Database: Synchronize signatures with MySonicWALL
  - Reset App Control Settings & Policies: Delete all App Control configuration and policies for the selected unit or for all units in the selected group

See the following sections:

Enabling App Control Globally on page 405

Configuring an App Control Advanced Exclusion List on page 406

Synchronizing the Signature Database on page 407

Resetting App Control to Factory Defaults on page 407

Enabling App Control Globally


To globally enable App Control Advanced policies:
Step 1 In the TreeControl, select the unit or group to configure.

Step 2 On the Policies tab, navigate to the App Control > Advanced page.

Step 3 In the App Control Global Settings area, select the Enable App Control checkbox to globally enable App Control.
App Control policies are applied to traffic within a network zone only if you enable the App Control Service for that zone. See Enabling App Control on Network Zones on page 403 for a description of enabling App Control on a network zone.

Step 4 Click the Update button. The Modify Task Description and Schedule window displays.

Step 5 A description is automatically added in the Description field. Optionally change the description.

Step 6 For Schedule, select one of the following radio buttons and set any associated fields:
  - Default: Use the default schedule configured for the Agent that manages this unit
  - Immediate: Enable App Control Advanced policies immediately
  - At: Select the exact time to enable App Control Advanced policies by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.

Step 7 Click Accept to enable App Control Advanced policies on this schedule. Click Cancel to exit without saving the configuration.


Configuring an App Control Advanced Exclusion List


To configure an exclusion list for App Control Advanced policies:

Step 1 In the TreeControl, select the unit or group to configure.

Step 2 On the Policies tab, navigate to the App Control > Advanced page.

Step 3 In the App Control Global Settings area, click Configure App Control Settings to bring up the App Control Exclusion List window.

Step 4 Select the Enable Application Control Exclusion List checkbox to activate the exclusion options in the window.

Step 5 To use the IPS exclusion list, which can be configured from the Security Services > Intrusion Prevention page, select the Use IPS Exclusion List radio button.

Step 6 To use an address object for the exclusion list, select the Use Application Control Exclusion Address Object radio button, and then select an address object from the pull-down list.

Step 7 Click OK. The Modify Task Description and Schedule window displays.

Step 8 A description is automatically added in the Description field. Optionally change the description.

Step 9 For Schedule, select one of the following radio buttons and set any associated fields:
  - Default: Use the default schedule configured for the Agent that manages this unit
  - Immediate: Enable the exclusion list immediately
  - At: Select the exact time to enable the exclusion list by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.

Step 10 Click Accept to enable the exclusion list on this schedule. Click Cancel to exit without saving the configuration.

Synchronizing the Signature Database


To synchronize the signature database with MySonicWALL:
Step 1 In the TreeControl, select the unit or group to configure.

Step 2 On the Policies tab, navigate to the App Control > Advanced page.

Step 3 In the App Control Global Settings area, click Update App Control Signature Database. The Modify Task Description and Schedule window displays.

Step 4 A description is automatically added in the Description field. Optionally change the description.

Step 5 For Schedule, select one of the following radio buttons and set any associated fields:
  - Default: Use the default schedule configured for the Agent that manages this unit
  - Immediate: Synchronize the database immediately
  - At: Select the exact time to synchronize the database using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.

Step 6 Click Accept to synchronize the database on this schedule. Click Cancel to exit without saving the configuration.

Resetting App Control to Factory Defaults


To reset App Control settings and policy configuration to the factory default values for the
selected unit or for all units in the selected group:
Step 1 In the TreeControl, select the unit or group to configure.

Step 2 On the Policies tab, navigate to the App Control > Advanced page.

Step 3 In the App Control Global Settings area, click the Reset App Control Settings & Policies button.

Step 4 Click OK in the confirmation dialog box. The Modify Task Description and Schedule window displays.

Step 5 A description is automatically added in the Description field. Optionally change the description.

Step 6 For Schedule, select one of the following radio buttons and set any associated fields:
  - Default: Use the default schedule configured for the Agent that manages this unit
  - Immediate: Perform the reset immediately
  - At: Select the exact time to perform the reset using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.

Step 7 Click Accept to perform the reset on this schedule. Click Cancel to exit without saving the configuration.

Configuring Policies on App Control > Advanced


The App Control > Advanced page provides a way to configure global App Control policies to
block or log categories, applications, and signatures. Policies configured on this page are
independent from policies created on App Control > App Rules, and do not need to be added
to an App Rules policy to take effect.
You can configure the following settings on this page:

Select a category, an application, or a signature.

Select blocking, logging, or both as the action.

Specify users, groups, or IP address ranges to include in or exclude from the action.

Set a schedule for enforcing the controls.

While these application control settings are independent from App Rules policies, you can also
create application match objects for any of the categories, applications, or signatures available
here, and use those match objects in an App Rules policy.
See the following sections:

Configuring App Control by Category on page 408

Configuring App Control by Application on page 410

Configuring App Control by Signature on page 412

Configuring App Control by Category


Category based configuration is the most broadly based method of policy configuration on the
App Control > Advanced page. The list of categories is available in the Category pull-down list
in the App Control View Style section.


To configure an App Control policy for an application category:


Step 1 In the TreeControl, select the unit or group on which to search.

Step 2 On the Policies tab, on the App Control > Advanced page in the App Control View Style section, select Category from the Viewed By pull-down list. The list of available categories is displayed in the App Control Advanced section. Each category has a Configure button in its row.

Step 3 Click the Configure button in the row for the category you want to work with. The App Control Category Settings window opens.

Step 4 Alternatively, select an application category from the Category pull-down list in the View Style area. A Configure button appears to the right of the field as soon as a category is selected. Click the Configure button to open the App Control Category Settings window for the selected category.

Step 5 To block applications in this category, select Enable in the Block pull-down list.

Step 6 To create a log entry when applications in this category are detected, select Enable in the Log pull-down list.

Step 7 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups pull-down list. Select All to apply the policy to all users.

Step 8 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups pull-down list. Select None to apply the policy to all users.

Step 9 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range pull-down list. Select All to apply the policy to all IP addresses.

Step 10 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range pull-down list. Select None to apply the policy to all IP addresses.

Step 11 To enable this policy during specific days of the week and hours of the day, select one of the schedules from the Schedule pull-down list.

Step 12 To specify a delay between log entries for repetitive events, type the number of seconds for the delay into the Log Redundancy Filter field.


Step 13 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.

Step 14 A description is automatically added in the Description field. Optionally change the description.

Step 15 For Schedule, select one of the following radio buttons and set any associated fields:
  - Default: Use the default schedule configured for the Agent that manages this unit
  - Immediate: Enable the policy immediately
  - At: Select the exact time to enable the policy by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.

Step 16 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.

Configuring App Control by Application


Application based configuration is the middle level of policy configuration on the App Control >
Advanced page, between the category based and signature based levels.
The list of applications is available in the Application pull-down list in the App Control View
Style section. With a category selected, the list contains applications within that category. If the
category is set to All, applications for all categories are listed.

This configuration method allows you to create policy rules specific to a single application if you
want to enforce the policy settings only on the signatures of this application without affecting
other applications in the same category.
To configure an App Control policy for a specific application:

Step 1 In the TreeControl, select the unit or group on which to search.

Step 2 On the Policies tab, on the App Control > Advanced page in the App Control View Style area, first select a category from the Category pull-down list.

Step 3 Next, select Application in the Viewed By pull-down list. The list of available applications in the selected category is displayed in the App Control Advanced section. Each application has a Configure button in its row.

Step 4 Click the Configure button in the row for the application you want to work with. The App Control App Settings window opens.


Step 5 Alternatively, select an application in this category from the Application pull-down list. A Configure button appears to the right of the field as soon as an application is selected. Click the Configure button to open the App Control App Settings window for the selected application.

Step 6 The fields at the top of the window display the values for the App Category Name and App Name, and are not editable. In the other fields, the application configuration parameters default to the current settings of the category to which the application belongs. To retain this connection to the category settings for one or more fields, leave the selection in place for those fields.

Step 7 To block this application, select Enable in the Block pull-down list.

Step 8 To create a log entry when this application is detected, select Enable in the Log pull-down list.

Step 9 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups pull-down list. Select All to apply the policy to all users.

Step 10 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups pull-down list. Select None to apply the policy to all users.

Step 11 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range pull-down list. Select All to apply the policy to all IP addresses.

Step 12 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range pull-down list. Select None to apply the policy to all IP addresses.

Step 13 To enable this policy during specific days of the week and hours of the day, select one of the schedules from the Schedule pull-down list.

Step 14 To use the same Log Redundancy Filter settings that are set for the entire category, leave the Use Category Settings checkbox selected. To specify a different delay between log entries for repetitive events, clear the Use Category Settings checkbox and type the number of seconds for the delay into the Log Redundancy Filter field.


Step 15 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.

Step 16 A description is automatically added in the Description field. Optionally change the description.

Step 17 For Schedule, select one of the following radio buttons and set any associated fields:
  - Default: Use the default schedule configured for the Agent that manages this unit
  - Immediate: Enable the policy immediately
  - At: Select the exact time to enable the policy by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.

Step 18 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.
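As an added illustration that is not SonicWALL code, the following Python resolves the effective App Control Advanced settings from the three levels this section describes (category, application, signature): a field left in place inherits from the level above, which is also how the Use Category Settings and Use App Settings checkboxes carry the Log Redundancy Filter down, and the Excluded Users/Groups and Excluded IP Address Range selections always win over the Included ones. The level contents, user and group names, and addresses are constructed for this example.

```python
"""Effective App Control Advanced settings: category -> application -> signature.

Added example, not SonicWALL code. A field left at INHERIT takes its value
from the level above, the way an application's fields default to its
category's settings (and "Use Category Settings" keeps the category's Log
Redundancy Filter); a signature inherits from its application the same way.
Excluded Users/Groups and Excluded IP Address Range always override the
Included selections. All names and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INHERIT = None  # a selection "left in place" inherits from the parent level


@dataclass
class Level:
    """Policy settings at one level (category, application or signature)."""
    block: Optional[bool] = INHERIT
    log: Optional[bool] = INHERIT
    included_users: Optional[Set[str]] = INHERIT   # {"All"} or user/group names
    excluded_users: Optional[Set[str]] = INHERIT   # empty set means "None"
    included_ips: Optional[List[str]] = INHERIT    # ["All"] or CIDR strings
    excluded_ips: Optional[List[str]] = INHERIT    # empty list means "None"
    log_redundancy_seconds: Optional[int] = INHERIT  # INHERIT = Use Category/App Settings


def resolve(category: Level, application: Level = None, signature: Level = None) -> dict:
    """Merge the levels; the most specific explicitly set value wins."""
    effective = {}
    for level in (category, application, signature):
        if level is None:
            continue
        for name, value in vars(level).items():
            if value is not INHERIT:
                effective[name] = value
    missing = [n for n in vars(category) if n not in effective]
    if missing:  # the category is the root, so every field must be set there
        raise ValueError(f"unresolved settings: {missing}")
    return effective


def _user_selected(selector: Set[str], user: str, groups: Set[str]) -> bool:
    return "All" in selector or bool(selector & ({user} | groups))


def _ip_selected(selector: List[str], ip: str) -> bool:
    if "All" in selector:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in selector)


def action_for(effective: dict, user: str, groups: Set[str], ip: str) -> Optional[Tuple[bool, bool]]:
    """Return (block, log) for this principal, or None if the policy does not apply."""
    if _user_selected(effective["excluded_users"], user, groups):
        return None
    if _ip_selected(effective["excluded_ips"], ip):
        return None
    if not _user_selected(effective["included_users"], user, groups):
        return None
    if not _ip_selected(effective["included_ips"], ip):
        return None
    return effective["block"], effective["log"]


# Constructed configuration: the category logs for everyone, the application
# additionally blocks but exempts the IT Admins group, and one signature
# tightens the Log Redundancy Filter and exempts a lab subnet.
CATEGORY = Level(block=False, log=True, included_users={"All"}, excluded_users=set(),
                 included_ips=["All"], excluded_ips=[], log_redundancy_seconds=60)
APPLICATION = Level(block=True, excluded_users={"IT Admins"})
SIGNATURE = Level(log_redundancy_seconds=5, excluded_ips=["10.0.5.0/24"])


def demo() -> dict:
    """Resolve the signature-level policy and evaluate a few principals."""
    eff = resolve(CATEGORY, APPLICATION, SIGNATURE)
    return {
        "effective": eff,
        "staff_user": action_for(eff, "alice", {"Staff"}, "10.0.1.7"),
        "it_admin": action_for(eff, "bob", {"Staff", "IT Admins"}, "10.0.1.7"),
        "lab_host": action_for(eff, "alice", {"Staff"}, "10.0.5.9"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```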

Configuring App Control by Signature


Signature based configuration is the lowest, most specific, level of policy configuration on the
App Control > Advanced page.
Setting a policy based on a specific signature allows you to configure policy settings for the
individual signature without influence on other signatures of the same application.
To configure an App Control policy for a specific signature:
Step 1 In the TreeControl, select the unit or group on which to search.

Step 2 On the Policies tab, on the App Control > Advanced page, first select a category from the Category pull-down list.

Step 3 Next, select an application in this category from the Application pull-down list.

Step 4 To display the specific signatures for this application, select Signature in the Viewed by pull-down list. The Farmville gaming application, for example, has three signatures.

Step 5 Click the Configure button in the row for the signature you want to work with. The App Control Signature Settings window opens.

Step 6 Alternatively, enter the Signature ID, shown in the ID column, into the Lookup Signature ID field and click the Configure button next to the field to open the App Control Signature Settings window.

Step 7 In the App Control Signature Settings window, several fields at the top of the window are not editable. These fields display the values for the Signature Category, Signature Name, Signature ID, Application ID, Priority, and Direction of the traffic in which this signature can be detected.


In the other fields, the default policy settings for the signature are set to the current settings for
the application to which the signature belongs. To retain this connection to the application
settings for one or more fields, leave the selection in place for those fields.

Step 8 To block this signature, select Enable in the Block pull-down list.

Step 9 To create a log entry when this signature is detected, select Enable in the Log pull-down list.

Step 10 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups pull-down list. Select All to apply the policy to all users.

Step 11 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups pull-down list. Select None to apply the policy to all users.

Step 12 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range pull-down list. Select All to apply the policy to all IP addresses.

Step 13 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range pull-down list. Select None to apply the policy to all IP addresses.

Step 14 To enable this policy during specific days of the week and hours of the day, select one of the schedules from the Schedule pull-down list.

Step 15 To use the same Log Redundancy Filter settings that are set for all signatures in the application, leave the Use App Settings checkbox selected. To specify a different delay between log entries for repetitive events, clear the Use App Settings checkbox and type the number of seconds for the delay into the Log Redundancy Filter field.


Step 16 To view more details about the signature, click the Note: Click here for comprehensive
information regarding this signature link. The SonicWALL Security Center page for the signature
is displayed.

Step 17 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.

Step 18 A description is automatically added in the Description field. Optionally change the
description.

Step 19 For Schedule, select one of the following radio buttons and set any associated fields:

Default: Use the default schedule configured for the Agent that manages this unit

Immediate: Enable the policy immediately

At: Select the exact time to enable the policy by using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.

Step 20 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.

If you have configured any settings for Users/Groups, IP Address Range, or Schedule fields,
icons are displayed in the Comments column for the entry on the App Control > Advanced
page. You can hover your mouse pointer over the icons to display a tooltip with the configured
settings.

Sorting App Control Advanced Items


You can sort the list of App Control Advanced items by clicking on several of the headings,
including Category, Application, Name, and ID. The first time you click one of these headings
the list is sorted in descending alphabetical order from top to bottom, according to the first letter
or symbol of the items in that column.


For example, clicking the Application heading sorts all rows alphabetically by the first letter of
the application name, from numbers at the top to Z at the bottom. Names beginning with a
symbol or number come before names beginning with any alphabetical character.

To resort the list in ascending order, click the heading a second time.

Configuring Match Objects


This section describes match objects and includes procedures for searching match objects and
for adding, editing, or deleting a match object on the App Control > Match Objects page. A
limited number of match objects are allowed, depending on the appliance model.

See the following sections for configuration steps and information:

Searching Match Objects on page 416

Adding or Editing Match Objects on page 417

Adding Application List Objects on page 419

Sorting Match Objects on page 423

Deleting Match Objects on page 423

Match Object Type Reference on page 424


Match objects represent the set of conditions which must be matched in order for actions to take
place. This includes the object type, the match type (exact, partial, prefix, or suffix), the input
representation (text or hexadecimal), and the actual content to match.
Hexadecimal input representation is used to match binary content such as executable files,
while text input representation is used to match things like file or email content. You can also
use hexadecimal input representation for binary content found in a graphic image. Text input
representation could be used to match the same graphic if it contains a certain string in one of
its properties fields.
The maximum size for a match object is 8192 (8K) bytes. Match objects do not provide
matching for regular expressions on appliances running SonicOS 5.8.1.x. You can use a proxy
server for this functionality.
The File Content match object type provides a way to match a pattern or keyword within a
compressed (zip/gzip) file. This type of match object can only be used with FTP Data Transfer,
HTTP Server, or SMTP Client policies.

Note: The App Control > Match Objects page might not contain values in all columns for some
types of match objects, when those fields are not applicable to those particular match object
types.

Searching Match Objects


You can search the list of match objects using several different filters, each combined with an
operator and a target value.

To perform a filtered search of match objects:


Step 1 In the TreeControl, select the unit or group on which to search.

Step 2 On the Policies tab, on the App Control > Match Objects page, select one of the following
search objects from the first Search pull-down list:

Name: the full or partial name of the match object

Object Type: the object type of the match object; see Table 15 on page 424 for the list of
match object types

Match Type: the match type, one of Exact, Partial, Prefix, Suffix, used in the match object

Step 3 Select one of the following operators from the next pull-down list:

Equals: search for any match object in which the name exactly matches the target value

Starts with: search for any match object in which the name begins with the target value

Ends with: search for any match object in which the name ends with the target value

Contains: search for any match object in which the name contains the target value

= (Equals sign): search for any match object in which the object type or match type exactly
matches the selected target value


Step 4 When searching for a Name, a text box is displayed to the right of the operator. In the text box,
type the target value that you are searching for in the match object name.

Step 5 When searching for an Object Type or Match Type, select the target value from the pull-down
list to the right of the operator.

Step 6 Click Search to search your objects for one or more matches. Click Clear to set the search
fields back to defaults.
The Match Objects list changes to display only the match objects found by your search.

Adding or Editing Match Objects


To configure a match object, perform the following steps:
Step 1 In the TreeControl, select the unit or group to configure.

Step 2 Navigate to the App Control > Match Objects page on the Policies tab.

Step 3 To edit an existing match object, click the pencil icon under Configure for it. To add a new
match object, click Add New Match Object. The Match Object Settings window displays.

Step 4 In the Match Object Settings window, in the Object Name text box, type a descriptive name
for the object.

Step 5 Select a Match Object Type from the pull-down list. Your selection here will affect available
options in this screen. See Table 15 on page 424 for a description of Match Object Types.

Step 6 Select a Match Type from the pull-down list. The available selections depend on the Match
Object Type.

Step 7 See the Extra Properties column in Table 15 on page 424 for a description of the additional
fields and options that may appear on the page for different Match Object Types. Select the
desired values for any additional fields or options.

Step 8 For the Input Representation, click Alphanumeric to match a text pattern, or click
Hexadecimal if you want to match binary content.


You can use a hex editor or a network protocol analyzer like Wireshark to obtain hex format for
binary files.
Step 9 The Enable Negative Matching checkbox may be available, depending on the Match Type.
Select the checkbox to match anything except the pattern in the Content text box. See
Negative Matching on page 419 for more information about using this option.

Step 10 In the Content text box, type the pattern to match, and then click Add. The content appears in
the List text box. Repeat to add another element to match.
You can add multiple entries to create a list of content elements to match. All content that you
provide in a match object is case-insensitive for matching purposes. List entries are matched
using the logical OR, so if any item in the list is matched, the action for the policy is executed.

Step 11 Alternatively, you can click Load From File to import a list of elements from a text file. Each
element in the file must be on a line by itself. The maximum file size is limited to 8192 bytes.

Step 12 To remove an element from the list, select the element in the List box and then click Remove.
To remove all elements, click Remove All.

Step 13 Click OK. The Modify Task Description and Schedule window displays.

Step 14 A description is automatically added in the Description field. Optionally change the
description.

Step 15 For Schedule, select one of the following radio buttons and set any associated fields:

Default: Use the default schedule configured for the Agent that manages this unit

Immediate: Create the object immediately

At: Select the exact time to activate this object using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.

Step 16 Click Accept to save the match object with this schedule. Click Cancel to exit without saving
the match object.

At the unit level, you may need to refresh the App Control > Match Objects page to see your
new match object in the list.


Negative Matching
Negative matching provides an alternate way to specify which content to block. You can enable
negative matching in a match object when you want to block everything except a particular type
of content. When you use the object in a policy, the policy will execute actions based on the
absence of the content specified in the match object. Multiple list entries in a negative matching
object are matched using the logical AND, meaning that the policy action is executed only when
all specified negative matching entries are matched.
Although all App Rules policies are DENY policies, you can simulate an ALLOW policy by using
negative matching. For instance, you can allow email .txt attachments and block attachments
of all other file types. Or you can allow a few types, and block all others.
Not all match object types can utilize negative matching. For those that can, you will see the
Enable Negative Matching checkbox on the Match Object Settings screen.

Adding Application List Objects


The App Control > Match Objects page also contains the Add Application List Object button,
which opens the Add Application List Object screen. This screen provides another interface
for creating an application list object and an application category list object, both of which are
specific types of match objects.
Two tabs are available:

Application: You can create an application list object on this tab. This screen allows
selection of the application category, threat level, and type of technology. After selections
are made, the list of applications matching those criteria is displayed, and you can select
one or more for the object.

Category: You can create a category list object on this tab. A list of application categories
and their descriptions are provided.


Application Tab
The Application tab provides a list of applications for selection. Each application includes one
or more signatures. You can control which applications are displayed by selecting one or more
application categories, threat levels, and technologies. To select all application categories,
threat levels, and technologies, click the green check mark below the Search button near the
top right of the display.
To search for a keyword in all application names and signatures, type it into the Search field
and click the Search button. For example, type bittorrent into the Search field and click the
Search button to find multiple applications with bittorrent (not case-sensitive) in the
application name or in the name of a signature under the application. To display the signatures
included by an application, click the arrow next to the application name to expand the details
for it.
When the application list is reduced to a list that is focused on your preferences, you can
select the individual applications for your filter by clicking the Plus icon next to them, and then
save your selections as an application filter object with a custom name or an automatically
generated name.


To configure an application list object:


Step 1 On the App Control > Match Objects page, click the Add Application List Object button. The
Add Application List Object screen displays.

Step 2 On the Application tab, to name this object, clear the Auto-generate match object name
checkbox and then type a name for the object in the Match Object Name field. To use
automatic naming, leave the field blank and leave the Auto-generate match object name
checkbox selected.

Step 3 Clear specific category checkboxes or clear the Category checkbox to clear all category
checkboxes, then select the checkboxes for the desired categories. Use the scrollbar in this
section to view the entire category list. The list of applications in the lower panel changes as
you clear and select categories.

Step 4 Clear specific threat level checkboxes or clear the Threat Level checkbox to clear all threat
level checkboxes, then select the checkboxes for the desired threat levels. The list of
applications in the lower panel changes as you clear and select threat levels.

Step 5 Clear specific technology checkboxes or clear the Technology checkbox to clear all technology
checkboxes, then select the checkboxes for the desired technologies. The list of applications
in the lower panel changes as you clear and select technologies.

Step 6 In the application list, click the Plus to select the desired applications for your object. The Plus
changes to a green check mark, and the application is added to the Application Group field
on the right.
You can edit the list in this field by deleting individual items or by clicking the X at the top to
delete all items.

Step 7 Click the OK button. The Modify Task Description and Schedule window displays.

Step 8 A description is automatically added in the Description field. Optionally change the
description.

Step 9 For Schedule, select one of the following radio buttons and set any associated fields:

Default: Use the default schedule configured for the Agent that manages this unit

Immediate: Create the object immediately

At: Select the exact time to activate this object using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.

Step 10 Click Accept to save the match object with this schedule. Click Cancel to exit without saving
the match object.

You will see the object name listed on the App Control > Match Objects page with an object type
of Application List. This object can then be selected when creating an App Rules policy.
Match Objects created using the Auto-generate match object name option display a tilde (~)
as the first character of the object name.

Category Tab
The Category tab provides a list of application categories for selection. You can select any
combination of categories and then save your selections as an application category list object
with a custom or automatic name.


By hovering your mouse pointer over a category in the list, you can see a description of it.

To configure an application category list object:

Step 1 On the App Control > Match Objects page, click the Add Application List Object button. The
Add Application List Object screen displays.

Step 2 Click the Category tab.

Step 3 To name this object, clear the Auto-generate match object name checkbox and then type a
name for the object in the Match Object Name field. To use automatic naming, leave the field
blank and leave the Auto-generate match object name checkbox selected.

Step 4 Clear specific category checkboxes or clear the Category checkbox to clear all category
checkboxes, then select the checkboxes for the desired categories. Use the scrollbar in this
section to view the entire category list.

Step 5 Click the OK button. The Modify Task Description and Schedule window displays.

Step 6 A description is automatically added in the Description field. Optionally change the
description.

Step 7 For Schedule, select one of the following radio buttons and set any associated fields:

Default: Use the default schedule configured for the Agent that manages this unit

Immediate: Create the object immediately

At: Select the exact time to activate this object using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.

Step 8 Click Accept to save the match object with this schedule. Click Cancel to exit without saving
the match object.
You will see the object name listed on the App Control > Match Objects page with an object type
of Application Category List. This object can then be selected when creating an App Rules
policy.
Match Objects created using the Auto-generate match object name option display a tilde (~)
as the first character of the object name.

Sorting Match Objects


You can sort the list of match objects by clicking on the Name column heading. The first time
you click the heading, the match objects list is sorted in descending alphabetical order from top
to bottom, according to the first letter or symbol of the items in that column.
A small upward-pointing arrow is displayed next to the Name heading, indicating that, if the
heading is clicked again, it will cause the list to be sorted in ascending order by name (Z to A).
Names beginning with a symbol or number come before names beginning with any alphabetical
character. In descending order, automatically created objects beginning with a tilde (~) are
displayed before objects beginning with any alphabetical character. The same holds true if you
use a symbol or number as the first character when naming an object.

Deleting Match Objects


Match objects can be deleted unless they are in use by an App Rules policy.
To delete one or more match objects, perform the following steps:
Step 1 In the TreeControl, select the unit or group to configure.

Step 2 Navigate to the App Control > Match Objects page on the Policies tab.

Step 3 Do one of the following:

To delete one or more match objects, select the checkboxes for the ones to delete and click
Delete Match Object(s).

To delete a single match object, click the trash can icon under Configure for it, and then
click OK in the confirmation dialog.

If any of the selected objects is currently in use by an App Rules policy, a popup message
notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were
selected for deletion and one of them is in use by a policy, none are deleted when Delete Match
Object(s) is clicked.

Step 4 In the confirmation dialog box, click OK.

Step 5 In the Modify Task Description and Schedule window, select the Schedule settings for this
task and then click Accept.


Match Object Type Reference


Table 15 describes the supported match object types.
Table 15 Match Object Types

Each entry lists the Object Type, followed by its Description, the supported Match Types,
whether Negative Matching is available, and any Extra Properties.

ActiveX ClassID
  Description: Class ID of an Active-X component. For example, the ClassID of the Gator
  Active-X component is c1fb8842-5281-45ce-a271-8fd5f117ba5f
  Match Types: Exact
  Negative Matching: No
  Extra Properties: None

Application Category List
  Description: Allows specification of application categories, such as Multimedia, P2P, or
  Social Networking
  Match Types: N/A
  Negative Matching: No
  Extra Properties: Application Categories: select the category from a pull-down list of
  application categories

Application List
  Description: Allows specification of individual applications within the application category
  that you select
  Match Types: N/A
  Negative Matching: No
  Extra Properties: Application Categories: see above; Application: select the specific
  application from the pull-down list

Application Signature List
  Description: Allows specification of individual signatures for the application and category
  that you select
  Match Types: N/A
  Negative Matching: No
  Extra Properties: Application Categories: see above; Application: see above; Application
  Signature: select the specific signature from the pull-down list

CFS Allow/Forbidden List
  Description: Allows specification of allowed and forbidden domains for Content Filtering
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: No
  Extra Properties: None

CFS Category List
  Description: Allows selection of one or more Content Filtering categories
  Match Types: N/A
  Negative Matching: No
  Extra Properties: A list of 64 categories is provided to choose from

Custom Object
  Description: Allows specification of an IPS-style custom set of conditions.
  Match Types: Exact
  Negative Matching: No
  Extra Properties: There are 4 additional, optional parameters that can be set: Offset
  (describes from what byte in the packet payload we should start matching the pattern;
  starts with 1; helps minimize false positives in matching), Depth (describes at what byte in
  the packet payload we should stop matching the pattern; starts with 1), and Payload Size
  Minimum and Maximum (minimum and maximum size of data in a packet).

Email Body
  Description: Any content in the body of an email.
  Match Types: Partial
  Negative Matching: No
  Extra Properties: None

Email CC (MIME Header)
  Description: Any content in the CC MIME Header.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

Email From (MIME Header)
  Description: Any content in the From MIME Header.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

Email Size
  Description: Allows specification of the maximum email size that can be sent.
  Match Types: N/A
  Negative Matching: No
  Extra Properties: Email Size: the number of bytes in the email

Email Subject (MIME Header)
  Description: Any content in the Subject MIME Header.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

Email To (MIME Header)
  Description: Any content in the To MIME Header.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

MIME Custom Header
  Description: Allows for creation of MIME custom headers.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: A Custom header name needs to be specified.

File Content
  Description: Allows specification of a pattern to match in the content of a file. The pattern
  will be matched even if the file is compressed.
  Match Types: Partial
  Negative Matching: No
  Extra Properties: The Disable attachment action should never be applied to this object.

Filename
  Description: In cases of email, this is an attachment name. In cases of HTTP, this is a
  filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a
  filename of an uploaded or downloaded file.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

Filename Extension
  Description: In cases of email, this is an attachment filename extension. In cases of HTTP,
  this is a filename extension of an uploaded attachment to the Web mail account. In cases of
  FTP, this is a filename extension of an uploaded or downloaded file.
  Match Types: Exact
  Negative Matching: Yes
  Extra Properties: None

FTP Command
  Description: Allows selection of specific FTP commands.
  Match Types: N/A
  Negative Matching: No
  Extra Properties: Command: the FTP command, such as ABORT, DELETE, GET, PASSWORD,
  RESTART, QUIT, SIZE. Type HELP for the complete list of commands.

FTP Command + Value
  Description: Allows selection of specific FTP commands and specification of their values.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: Command (see above); Argument: a value you type in, such as the filename
  to GET/PUT or the directory name used with MKDIR

HTTP Cookie Header
  Description: Allows specification of a Cookie sent by a browser.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

HTTP Host Header
  Description: Content found inside of the HTTP Host header. Represents the hostname of the
  destination server in the HTTP request, such as www.google.com.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

HTTP Referrer Header
  Description: Allows specification of the content of a Referrer header sent by a browser; this
  can be useful to control or keep stats of which Web sites redirected a user to the customer's
  Web site.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

HTTP Request Custom Header
  Description: Allows handling of custom HTTP Request headers.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: Custom Header Name: Specify a custom header name.

HTTP Response Custom Header
  Description: Allows handling of custom HTTP Response headers.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: Custom Header Name: Specify a custom header name.

HTTP Set Cookie
  Description: Set-Cookie headers. Provides a way to disallow certain cookies to be set in a
  browser.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

HTTP URI Content
  Description: Any content found inside of the URI in the HTTP request.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: No
  Extra Properties: None

HTTP User-Agent
  Description: Any content inside of a User-Agent header. For example: User-Agent: Skype.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: None

MIME Custom Header
  Description: Any content inside of a MIME header.
  Match Types: Exact, Partial, Prefix, Suffix
  Negative Matching: Yes
  Extra Properties: Custom Header Name: Specify the MIME header name to match.

Web Browser
  Description: Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari,
  Chrome).
  Match Types: N/A
  Negative Matching: Yes
  Extra Properties: Browser: Specify the browser type; choose from MSIE, Netscape, Firefox,
  Safari, Chrome

IPS Signature Category List
  Description: Allows selection of one or more IPS signature groups. Each group contains
  multiple pre-defined IPS signatures.
  Match Types: N/A
  Negative Matching: No
  Extra Properties: IDP Categories: choose from a pull-down list of IPS attack categories,
  including ACTIVEX, EXPLOIT, JAVA, LDAP, MEDIA-PLAYERS, SQL-INJECTION, WEB-ATTACKS,
  and others

IPS Signature List
  Description: Allows selection of one or more specific IPS signatures for enhanced
  granularity.
  Match Types: N/A
  Negative Matching: No
  Extra Properties: IDP Category (see above); IDP Signature: choose signatures from any
  IDP Category
Configuring Action Objects


Action Objects define how the App Rules policy reacts to matching events. You can choose a
customizable action or select one of the predefined actions.
The predefined actions have no configurable settings and are displayed in the App Control >
Action Objects page.
A number of BWM (bandwidth management) action options are available in the predefined
action list. The BWM action options change depending on the Bandwidth Management Type
setting on the Firewall > BWM page. If the Bandwidth Management Type is set to Global, all
eight levels of BWM are available. If the Bandwidth Management Type is set to WAN, the
predefined actions list includes three levels of WAN BWM. If the Bandwidth Management
Type is set to None, the predefined actions list does not include any BWM actions.
You can view the settings by mousing over the Content column of a BWM action on the App
Control > Action Objects page. For more information about BWM actions, see Configuring
Application Layer Bandwidth Management on page 431.


Table 16 lists the predefined actions available on the App Control > Action Objects page. If
BWM Type = None, no additional predefined BWM actions are available.
Table 16 Predefined Actions

Always Available:
  Block SMTP E-Mail Without Reply
  Bypass DPI
  CFS Block Page
  No Action
  Packet Monitor
  Reset/Drop

If BWM Type = Global:
  BWM Global-High
  BWM Global-Highest
  BWM Global-Low
  BWM Global-Lowest
  BWM Global-Medium
  BWM Global-Medium High
  BWM Global-Medium Low
  BWM Global-Realtime

If BWM Type = WAN:
  WAN BWM High
  WAN BWM Medium
  WAN BWM Low

See the following sections:

Searching Action Objects on page 429

Adding or Editing Action Objects on page 430

Configuring Application Layer Bandwidth Management on page 431

Deleting Action Objects on page 438

Action Type Reference on page 438

Searching Action Objects


You can search the list of action objects using different filters, each combined with an operator
and a target value.

To perform a filtered search of action objects:


Step 1 In the TreeControl, select the unit or group on which to search.

Step 2 On the Policies tab, on the App Control > Action Objects page, select one of the following
search objects from the first Search pull-down list:

Name: the full or partial name of the action object

Action Type: the action type of the action object; see Table 18 on page 438 for the list of
action types

Step 3 Select one of the following operators from the next pull-down list:

Equals: search for any action object in which the name exactly matches the target value

Starts with: search for any action object in which the name begins with the target value

Ends with: search for any action object in which the name ends with the target value

Contains: search for any action object in which the name contains the target value

= (Equals sign): search for any action object in which the action type exactly matches the
selected target value

Step 4 When searching for a Name, a text box is displayed to the right of the operator. In the text box,
type the target value that you are searching for in the action object name.

Step 5 When searching for an Action Type, select the target value from the pull-down list to the right
of the operator.

Step 6 Click Search to search your policies for one or more matches. Click Clear to set the search
fields back to defaults.
The Action Objects list changes to display only the action objects found by your search.

Adding or Editing Action Objects


If you do not want one of the predefined actions, you can add an action object that uses one of
the configurable actions. The Actions Objects Settings window provides a way to customize
a configurable action with text or a URL, or custom bandwidth management settings if BWM
Type is set to WAN on the Firewall > BWM page. The predefined actions plus any configurable
actions that you have created are available for selection when you create an App Rules policy.
A limited number of action objects are allowed, depending on the appliance model.
To configure an action object, perform the following steps:

Step 1 In the TreeControl, select the unit or group to configure.

Step 2 Navigate to the App Control > Action Objects page on the Policies tab.

Step 3 To edit an existing action object, click the pencil icon under Configure for it. To add a new
action object, click Add New Action Object. The Action Object Settings window displays.

Step 4 In the Action Name field, type a descriptive name for the action.

Step 5 In the Action pull-down list, select the action that you want.

Step 6 In the Content text box, type the text or URL to be used in the action.

Step 7 If HTTP Block Page is selected as the action, a Color pull-down list is displayed. Choose a
background color for the block page from the Color pull-down list. Color choices are white,
yellow, red, or blue.

Step 8 If Bandwidth Management is selected as the action, additional fields are displayed. Bandwidth
management has some prerequisites; see the Configuring Application Layer Bandwidth
Management section on page 431 for configuration information.

Step 9: Click OK. The Modify Task Description and Schedule window displays.

Step 10: A description is automatically added in the Description field. Optionally change the
description.

Step 11: For Schedule, select one of the following radio buttons and set any associated fields:

- Default: Use the default schedule configured for the Agent that manages this unit
- Immediate: Create the object immediately
- At: Select the exact time to activate this object using the pull-down lists for the hour,
  minute, time zone, month, and year. If your GMS deployment includes Agents in different
  time zones, you can select among them in the time zone pull-down list. Select the date from
  the calendar.

Step 12: Click Accept to save the action object with this schedule. Click Cancel to exit without
saving the action object.

At the unit level, you may need to refresh the App Control > Action Objects page to see your
new action object in the list.

Configuring Application Layer Bandwidth Management


Application layer bandwidth management (BWM) allows you to create policies that regulate
bandwidth consumption by specific file types within a protocol, while allowing other file types to
use unlimited bandwidth. This enables you to distinguish between desirable and undesirable
traffic within the same protocol. Application layer bandwidth management is supported for all
Application matches, as well as custom App Rules policies using HTTP client, HTTP Server,
Custom, and FTP file transfer types. For details about policy types, see Table 14 on page 398.
If the Bandwidth Management Type on the Firewall > BWM page is set to Global, application
layer bandwidth management functionality is supported with eight predefined, default BWM
priority levels, available for selection on the App Control > Action Objects page. There is also
a customizable Bandwidth Management type action, available when adding a new action
object.

Note

The maximum action objects allowed is the total of 17 default action objects plus the allowed
number of custom action objects. Of the default action objects, 14 are Global type default
actions and 3 are WAN type default actions.


All application bandwidth management is tied in with global bandwidth management, which is
configured on the Firewall > BWM page. Two types of bandwidth management are available:
WAN and Global. The None option allows you to specify no bandwidth management. When the
type is set to WAN, bandwidth management is allowed only on interfaces in the WAN zone. With
a type of Global, interfaces in all zones can be configured with bandwidth management. All App
Control screens that offer an option for bandwidth management provide a link to the Firewall
> BWM page so that you can easily configure global bandwidth management settings for the
type and configure the guaranteed and maximum percentages allowed for each priority level.
The Firewall > BWM page is shown below.

It is a best practice to configure global bandwidth management settings before configuring App
Control policies that use BWM.
Changing the Bandwidth Management Type on the Firewall > BWM page between WAN and
Global causes BWM to be disabled in all Firewall Access Rules, while default BWM action
objects in App Rules policies will convert accordingly to correspond to the new bandwidth
management type.
When you change the Bandwidth Management Type from Global to WAN, the default BWM
actions that are in use in any App Rules policies will be automatically converted to WAN BWM
Medium, no matter what level they were set to before the change.
When you change the Type from WAN to Global, the default BWM actions are converted to
BWM Global-Medium. The firewall does not store your previous action priority levels when you
switch the Type back and forth. You can view the conversions on the App Control > App Rules
page.
Custom bandwidth management actions behave differently than the default BWM actions.
Custom BWM actions are configured by adding a new action object from the App Control >
Action Objects page and selecting the Bandwidth Management action type. Custom
bandwidth management actions and policies using them retain their priority level setting when
the Bandwidth Management Type is changed from Global to WAN, and from WAN to Global.
When the Bandwidth Management Type is set to Global, the Add/Edit Action Object screen
provides the Bandwidth Priority option, but uses the values that are specified in the Priority
table on the Firewall > BWM page for Guaranteed Bandwidth and Maximum Bandwidth. The
Per Action or Per Policy Bandwidth Aggregation Method options are not available for Action
Objects when Bandwidth Management Type is set to Global.


Note

All priorities are displayed (Realtime through Lowest), regardless of whether all of them have
been configured. Refer to the Firewall > BWM page to determine which priorities are enabled.
If the Bandwidth Management Type is set to Global and you select a Bandwidth Priority that is
not enabled, the traffic is automatically mapped to the level 4 priority (Medium). For a BWM
Type of WAN, the default priority is level 7 (Low).
When the Bandwidth Management Type is set to WAN, the Add/Edit Action Object screen
provides Per Action or Per Policy Bandwidth Aggregation Method options and you can specify
values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority.
When configuring a Bandwidth Management action, you can select either Per Action or Per
Policy. Per Policy means that when you create a limit of 10 Mbps in an Action Object, and three
different policies use the Action Object, then each policy can consume up to 10 Mbps of
bandwidth. Per Action means that the three policies combined can only use 10 Mbps.
When using Per Action, multiple policies are subject to a single aggregate bandwidth
management setting when they share the same action. For example, consider the following two
App Rules policies:

- One manages the bandwidth for downloading executable files
- Another manages the bandwidth for P2P applications traffic

If these two policies share the same bandwidth management Action (500 Kbit/sec max
bandwidth):

- Using the Per Action aggregation method, the downloads of executable files and traffic
  from P2P applications combined cannot exceed 500 Kbit/sec.
- Using the Per Policy bandwidth aggregation method, a bandwidth of 500 Kbit/sec is
  allowed for executable file downloads while concurrent P2P traffic is also allowed a
  bandwidth of 500 Kbit/sec.

The predefined BWM High, BWM Medium, and BWM Low actions are all Per Action.
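The three behaviours described above (what happens to default versus custom BWM actions when the Bandwidth Management Type is switched, the fallback for a Global priority that is not enabled, and Per Action versus Per Policy aggregation for policies that share one action) are modelled in the following Python example. It is an added example, not SonicWALL code and not part of this guide; the class and function names are invented for illustration, the level assigned to WAN BWM Medium is an assumption because the guide lists no numeric levels for the WAN defaults, and the proportional split of an oversubscribed Per Action cap is an assumption, since the guide does not say how the firewall divides the aggregate between policies.

```python
"""Model of App Control BWM action-object semantics (added example, not SonicWALL code).

Covers three behaviours described in the text:
  1. switch_bwm_type: default and custom BWM actions after the Bandwidth
     Management Type on Firewall > BWM changes between Global and WAN;
  2. effective_priority: the fallback when a selected Global priority is not enabled;
  3. allocate: Per Action versus Per Policy aggregation for policies sharing one action.
Class and function names are invented for this example. The proportional split of
the aggregate cap under Per Action is an assumption; the guide does not say how the
firewall divides the aggregate between policies.
"""
from dataclasses import dataclass

GLOBAL_PRIORITY_NAMES = {0: "Realtime", 1: "Highest", 2: "High", 3: "Medium High",
                         4: "Medium", 5: "Medium Low", 6: "Low", 7: "Lowest"}
GLOBAL_FALLBACK = 4   # an unconfigured Global priority maps to level 4 (Medium)
WAN_FALLBACK = 7      # with BWM Type WAN the default priority is level 7 (Low)


@dataclass
class BwmAction:
    name: str
    priority: int                     # 0 is highest, 7 is lowest
    default: bool                     # True for a predefined (default) BWM action
    bwm_type: str                     # "Global" or "WAN"
    max_kbps: int = 0                 # Maximum Bandwidth of a custom action, kbit/s
    aggregation: str = "Per Action"   # or "Per Policy"


def switch_bwm_type(actions, new_type):
    """Return the actions as they look after the Firewall > BWM type is changed.

    Default actions in use are converted to the Medium action of the new type
    (BWM Global-Medium or WAN BWM Medium); the firewall does not remember the
    previous level. Custom actions keep their priority and bandwidth settings.
    Level 4 for WAN BWM Medium is an assumption; the guide lists no WAN levels.
    """
    converted = []
    for a in actions:
        if a.default:
            label = "BWM Global-Medium" if new_type == "Global" else "WAN BWM Medium"
            converted.append(BwmAction(label, 4, True, new_type))
        else:
            converted.append(BwmAction(a.name, a.priority, False, new_type,
                                       a.max_kbps, a.aggregation))
    return converted


def effective_priority(requested, enabled_global_levels, bwm_type):
    """Priority level the traffic actually gets for a requested level."""
    if bwm_type == "Global":
        return requested if requested in enabled_global_levels else GLOBAL_FALLBACK
    return requested if 0 <= requested <= 7 else WAN_FALLBACK


def allocate(action, offered_kbps):
    """Allowed throughput in kbit/s for each policy that shares `action`.

    offered_kbps maps a policy name to the load that policy is trying to push.
    Per Policy: every policy may use up to the action's maximum on its own.
    Per Action: all policies together are capped at the maximum; an oversubscribed
    cap is split in proportion to offered load (assumption, see module docstring).
    """
    cap = action.max_kbps
    if action.aggregation == "Per Policy":
        return {name: min(load, cap) for name, load in offered_kbps.items()}
    total = sum(offered_kbps.values())
    if total <= cap:
        return dict(offered_kbps)
    return {name: load * cap / total for name, load in offered_kbps.items()}


if __name__ == "__main__":
    shared = BwmAction("exe-and-p2p-limit", 4, False, "WAN", max_kbps=500)
    demand = {"executable downloads": 400, "P2P": 400}   # constructed sample load
    print("Per Action:", allocate(shared, demand))
    shared.aggregation = "Per Policy"
    print("Per Policy:", allocate(shared, demand))
```

Run as a script it prints the two allocations for the 500 Kbit/sec example in the text: 250 and 250 under Per Action, 400 and 400 under Per Policy. The same functions can be used to check, before switching the type on Firewall > BWM, which App Rules policies will silently land on the Medium level.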
Application layer bandwidth management configuration is handled in the same way as the
Ethernet bandwidth management configuration associated with Firewall > Access Rules. Both
are tied in with the global bandwidth management settings. However, with App Control you can
specify all content type, which you cannot do with access rules.
When the Bandwidth Management Type on the Firewall > BWM page is set to WAN,
bandwidth management policies defined with Firewall > Access Rules always have priority
over application layer bandwidth management policies. Thus, if an access rule bandwidth
management policy is applied to a certain connection, then an application layer bandwidth
management policy will never be applied to that connection.
When the Bandwidth Management Type is set to Global, the reverse is true, giving App
Control bandwidth management policies priority over Firewall Access Rule bandwidth
management policies.

Configuring Bandwidth Management Actions


To use application layer bandwidth management, you must first enable bandwidth management
on the interface that will handle the traffic. Once enabled, you can select Bandwidth
Management in the Action pull-down list when creating an action object.


If the global bandwidth management settings have the Bandwidth Management Type set to
WAN on the Firewall > BWM page, then only interfaces in WAN zones can have assigned
guaranteed and maximum bandwidth settings and have prioritized traffic. If the Bandwidth
Management Type is set to Global, then all zones can have assigned guaranteed and
maximum bandwidth settings and have prioritized traffic.
See the following sections for configuration details:

- Configuring Bandwidth Management on an Interface on page 434
- Configuring a Bandwidth Management Action on page 435

Configuring Bandwidth Management on an Interface


To enable bandwidth management on an interface, perform the following steps:


Step 1: In the TreeControl, select the unit or group to configure.

Step 2: Navigate to the Network > Interfaces page on the Policies tab.

Step 3: In the Interface Settings table, click the icon under Edit for the desired interface.

Step 4: In the Edit Interface window, click the Advanced tab.

Step 5: Do one or both of the following:

- Under Bandwidth Management, to manage outbound bandwidth, select the Enable Egress
  Bandwidth Management checkbox, and optionally set the Available Interface Egress
  Bandwidth (Kbps) field to the maximum for the interface. See Table 17.
- Under Bandwidth Management, to manage inbound bandwidth, select the Enable Ingress
  Bandwidth Management checkbox and optionally set the Available Interface Ingress
  Bandwidth (Kbps) field to the maximum for the interface. See Table 17.

Table 17: Maximum Interface Bandwidth Settings

    Interface Rating           Max Bandwidth in Kilobits/second
    100 Megabits per second    100,000
    1 Gigabit per second       1,000,000

Step 6: Click OK.

Configuring a Bandwidth Management Action


After bandwidth management is enabled on the interface, you can configure Bandwidth
Management for an action object in App Control.
To configure Bandwidth Management in an action object:
Step 1: In the TreeControl, select the unit or group to configure.

Step 2: Navigate to the App Control > Action Objects page on the Policies tab.

Step 3: To edit an existing action object, click the pencil icon under Configure for it. To add a
new action object, click Add New Action Object. The Action Object Settings window displays.

Step 4: In the Action Name field, type a descriptive name for the action. In the Action pull-down
list, select Bandwidth Management.

If the Bandwidth Management Type is set to WAN on the Firewall > BWM page, the screen
displays the following options, which are not displayed if Bandwidth Management Type is set
to Global:

- Bandwidth Aggregation Method
- Guaranteed Bandwidth
- Maximum Bandwidth
- Bandwidth Priority
- Enable Tracking Bandwidth Usage

When the BWM type is Global, the global values for these options are used for the action. In
case of a BWM type of WAN, the configuration of these options is included in the following
steps.

Step 5: In the Bandwidth Aggregation Method pull-down list, select one of the following:

- Per Policy: When multiple policies are using the same Bandwidth Management action,
  each policy can consume up to the configured bandwidth even when the policies are active
  at the same time.
- Per Action: When multiple policies are using the same Bandwidth Management action,
  the total bandwidth is limited as configured for all policies combined if they are active at the
  same time.

Step 6: To manage outbound bandwidth, select the Enable Outbound Bandwidth Management
checkbox.


Step 7: To specify the Guaranteed Bandwidth, optionally enter a value either as a percentage or
as kilobits per second. In the pull-down list, select either % or Kbps. If you plan to use this
custom action for rate limiting rather than guaranteeing bandwidth, you do not need to change
the Guaranteed Bandwidth field.

Step 8: To specify the Maximum Bandwidth, optionally enter a value either as a percentage or as
kilobits per second. In the pull-down list, select either % or Kbps. If you plan to use this custom
action for guaranteeing bandwidth rather than rate limiting, you do not need to change the
Maximum Bandwidth field.

Step 9: For Bandwidth Priority, select a priority level from the pull-down list, where 0 is the
highest and 7 is the lowest.

Step 10: Optionally select Enable Tracking Bandwidth Usage to track the usage. When bandwidth
usage tracking is enabled, you can view the usage in the Action Properties tooltip by mousing
over the Action of a policy on the App Control > App Rules page.

Step 11: Click OK. The Modify Task Description and Schedule window displays.

Step 12: A description is automatically added in the Description field. Optionally change the
description.

Step 13: For Schedule, select one of the following radio buttons and set any associated fields:

- Default: Use the default schedule configured for the Agent that manages this unit
- Immediate: Activate the configuration immediately
- At: Select the exact time to activate this configuration using the pull-down lists for the
  hour, minute, time zone, month, and year. If your GMS deployment includes Agents in
  different time zones, you can select among them in the time zone pull-down list. Select the
  date from the calendar.

Step 14: Click Accept to configure bandwidth settings with this schedule. Click Cancel to exit
without saving the action object.

You can see the resulting action in the Action Objects screen.

Sorting Action Objects


You can sort the list of action objects by clicking on the Name column heading. The first time
you click the heading, the action objects list is sorted in descending alphabetical order (A to Z)
from top to bottom, according to the first letter or symbol of the items in that column.
The list of predefined action objects is sorted separately from the list of custom, configurable
action objects. The sorted list of predefined action objects always appears on the first page,
followed by the sorted list of configurable action objects.
A small upward-pointing arrow is displayed next to the Name heading, indicating that clicking
the heading again sorts both the predefined and the configurable action object lists in
ascending order by name (Z to A).
In descending order, names beginning with a symbol or number come before names beginning
with any alphabetical character.


Deleting Action Objects


Action objects created from one of the configurable actions can be deleted, unless they are in
use by an App Rules policy. The predefined action objects cannot be deleted or edited.
To delete one or more action objects, perform the following steps:

Step 1: In the TreeControl, select the unit or group to configure.

Step 2: Navigate to the App Control > Action Objects page on the Policies tab.

Step 3: Do one of the following:

- To delete one or more action objects, select the checkboxes for the ones to delete and click
  Delete Action Object(s). The checkboxes cannot be selected for predefined action objects.
- To delete a single action object, click the trash can icon under Configure for it, and then
  click OK in the confirmation dialog. The trash can icon is not enabled for predefined action
  objects.

If any of the selected objects is currently in use by an App Rules policy, a popup message
notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were
selected for deletion and one of them is in use by a policy, none are deleted when Delete Action
Object(s) is clicked.

Step 4: In the confirmation dialog box, click OK.

Step 5: In the Modify Task Description and Schedule window, select the Schedule settings for
this task and then click Accept.

Action Type Reference


Table 18 describes the available action types. You can view the settings by mousing over the
Content column of a BWM action on the App Control > Action Objects page.

Table 18: Action Types (each entry gives the action type, whether it is Predefined or Custom,
and a description)

BWM Global-Realtime (Predefined): Manages inbound and outbound bandwidth, can be
configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage
up to 100% of total available bandwidth, sets a priority of zero.

BWM Global-Highest (Predefined): Manages inbound and outbound bandwidth, can be
configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage
up to 100% of total available bandwidth, sets a priority of one.

BWM Global-High (Predefined): Manages inbound and outbound bandwidth, can be configured
for guaranteed bandwidth in varying amounts (default is 30%) and maximum/burst bandwidth
usage up to 100% of total available bandwidth, sets a priority of two.

BWM Global-Medium High (Predefined): Manages inbound and outbound bandwidth, can be
configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage
up to 100% of total available bandwidth, sets a priority of three.

BWM Global-Medium (Predefined): Manages inbound and outbound bandwidth, can be
configured for guaranteed bandwidth in varying amounts (default is 50%) and maximum/burst
bandwidth usage up to 100% of total available bandwidth, sets a priority of four.

BWM Global-Medium Low (Predefined): Manages inbound and outbound bandwidth, can be
configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage
up to 100% of total available bandwidth, sets a priority of five.

BWM Global-Low (Predefined): Manages inbound and outbound bandwidth, can be configured
for guaranteed bandwidth in varying amounts (default is 20%) and maximum/burst bandwidth
usage up to 100% of total available bandwidth, sets a priority of six.

BWM Global-Lowest (Predefined): Manages inbound and outbound bandwidth, can be
configured for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage
up to 100% of total available bandwidth, sets a priority of seven.

Block SMTP E-Mail Without Reply (Predefined): Blocks SMTP email and does not notify the
sender.

Bypass DPI (Predefined): Bypasses the Deep Packet Inspection components IPS, GAV,
Anti-Spyware and Application Control. This action persists for the duration of the entire
connection as soon as it is triggered. Special handling is applied to FTP control channels, which
are never bypassed for Application Control inspection. This action supports proper handling of
the FTP data channel. Note that Bypass DPI does not stop filters that are enabled on the
Firewall > SSL Control page.

WAN BWM High (Predefined): Manages inbound and outbound bandwidth, can be configured for
guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of
total available bandwidth.

WAN BWM Medium (Predefined): Manages inbound and outbound bandwidth, can be configured
for guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100%
of total available bandwidth.

WAN BWM Low (Predefined): Manages inbound and outbound bandwidth, can be configured for
guaranteed bandwidth in varying amounts and maximum/burst bandwidth usage up to 100% of
total available bandwidth.

Block SMTP Email - Send Error Reply (Custom): Blocks SMTP email and notifies the sender with
a customized error message.

Disable Email Attachment - Add Text (Custom): Disables the attachment inside an email and
adds customized text.

Email - Add Text (Custom): Appends custom text at the end of the email.

FTP Notification Reply (Custom): Sends text back to the client over the FTP control channel
without terminating the connection.

HTTP Block Page (Custom): Allows a custom HTTP block page configuration with a choice of
colors.

HTTP Redirect (Custom): Provides HTTP Redirect functionality. For example, to redirect users
to the Google Web site, the customizable part would be: http://www.google.com. If an HTTP
Redirect is sent from Application Control to a browser that has a form open, the information in
the form will be lost.

Bandwidth Management (Custom): Allows definition of bandwidth management constraints
with the same semantics as Access Rule BWM policy definition.

Configuring Email Address Objects


App Control allows the creation of custom email address lists as email address objects. These
email address objects can be used in an SMTP client policy configuration. Email address
objects can represent either individual users or the entire domain. You can also create an email
address object that represents a group by adding a list of individual addresses to the object.
This provides a way to easily include or exclude a group of users when creating an App Rules
policy of type SMTP Client.
A limited number of email address objects are allowed, depending on the appliance model.

See the following sections:

- Searching Email Address Objects on page 442
- Adding or Editing Email Address Objects on page 443
- Sorting Email Address Objects on page 444
- Deleting Email Address Objects on page 445

Searching Email Address Objects


You can search the list of email address objects using several different filters, each combined
with an operator and a target value.

To perform a filtered search of email address objects:

Step 1: In the TreeControl, select the unit or group on which to search.

Step 2: On the Policies tab, on the App Control > Email Address Objects page, select one of the
following search objects from the first Search pull-down list:

- Name: the full or partial name of the email address object
- Match Type: the match type of the email address object, which can be either Exact Match
  or Partial Match

Step 3: Select one of the following operators from the next pull-down list:

- Equals: search for any email address object in which the name exactly matches the target
  value
- Starts with: search for any email address object in which the name begins with the target
  value
- Ends with: search for any email address object in which the name ends with the target
  value
- Contains: search for any email address object in which the name contains the target value
- = (Equals sign): search for any email address object in which the match type exactly
  matches the selected target value, which can be either Exact Match or Partial Match

Step 4: When searching for a Name, a text box is displayed to the right of the operator. In the
text box, type the target value that you are searching for in the email address object name.

Step 5: When searching for a Match Type, select the target value from the pull-down list to the
right of the operator.

Step 6: Click Search to search your policies for one or more matches. Click Clear to set the
search fields back to defaults.

The Email Address Objects list changes to display only the email address objects found by
your search.


Adding or Editing Email Address Objects


You can create email address objects for use with SMTP Client policies. An email address
object can be a list of user email addresses or an entire domain.

To configure email address object settings, perform the following steps:

Step 1: In the TreeControl, select the unit or group to configure.

Step 2: Navigate to the App Control > Email Address Objects page on the Policies tab.

Step 3: To edit an existing email address object, click the pencil icon under Configure for it. To
add a new email address object, click Add New Email Address Object. The Email Address
Object Settings window displays.

Step 4: In the Email Address Object Name field, type a descriptive name for the email address
object.

Step 5: Select one of the following from the Match Type pull-down list:

- Exact Match: To match the email address exactly
- Partial Match: To match any part of the email address

Step 6: In the Content text box, type the content to match and then click Add. Repeat this step
until you have added as many elements as you want.
For example, to match on a domain, select Partial Match in the previous step and then type @
followed by the domain name in the Content field, for example, type: @sonicwall.com. To
match on an individual user, select Exact Match in the previous step and then type the full
email address in the Content field, for example: alan@sonicwall.com.
Alternatively, you can click Load From File to import a list of elements from a text file. Each
element in the file must be on a line by itself. The maximum file size is 2048 bytes.
Although existing user groups cannot be specified during configuration, by defining an email
address object with a list of users, you can use App Control to simulate groups.

Step 7: Click OK. The Modify Task Description and Schedule window displays.

Step 8: A description is automatically added in the Description field. Optionally change the
description.

Step 9: For Schedule, select one of the following radio buttons and set any associated fields:

- Default: Use the default schedule configured for the Agent that manages this unit
- Immediate: Create the object immediately
- At: Select the exact time to activate this object using the pull-down lists for the hour,
  minute, time zone, month, and year. If your GMS deployment includes Agents in different
  time zones, you can select among them in the time zone pull-down list. Select the date from
  the calendar.

Step 10: Click Accept to save the email address object with the selected schedule. Click Cancel
to exit without saving the email address object.

At the unit level, you may need to refresh the App Control > Email Address Objects page to
see your new email address object in the list.

Sorting Email Address Objects


You can sort the list of email address objects by clicking on the Name or Match Type column
heading. The first time you click the Name heading, the email address objects list is sorted in
descending alphabetical order (A to Z) from top to bottom, according to the first letter or symbol
of the items in that column. Names beginning with a symbol or number come before names
beginning with any alphabetical character.
The first time you click the Match Type heading, the email address objects list is sorted to
display objects using Exact Match at the top of the list, followed by those using Partial Match.
This is descending order.
A small upward-pointing arrow is displayed next to the heading, indicating that clicking the
heading again sorts the list in ascending order.


Deleting Email Address Objects


Email address objects can be deleted unless they are in use by an App Rules policy.
To delete one or more email address objects, perform the following steps:

Step 1: In the TreeControl, select the unit or group to configure.

Step 2: Navigate to the App Control > Email Address Objects page on the Policies tab.

Step 3: Do one of the following:

- To delete one or more email address objects, select the checkboxes for the ones to delete
  and click Delete Email Address Object(s).
- To delete a single email address object, click the trash can icon under Configure for it, and
  then click OK in the confirmation dialog.

If any of the selected objects is currently in use by an App Rules policy, a popup message
notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were
selected for deletion and one of them is in use by a policy, none are deleted when Delete Email
Address Object(s) is clicked.

Step 4: In the confirmation dialog box, click OK.

Step 5: In the Modify Task Description and Schedule window, select the Schedule settings for
this task and then click Accept.

Use Cases
The following use cases are presented in this section:

- Controlling Email Attachments on page 445
- Controlling Risky Applications on page 451

Controlling Email Attachments


App Control can be very effective for certain types of email control, especially when a blanket
policy is desired. For example, you can prevent sending attachments of a given type, such as
.exe, on a per-user basis, or for an entire domain. However, because the file name extension
is being matched in this case, changing the extension before sending the attachment will
bypass filtering. Note that you can also prevent attachments in this way on your email server if
you have one. If not, then App Control provides the functionality.
Another way to control attachments is by creating a match object that scans for file content
matching strings such as confidential, internal use only and proprietary. A policy using
such a match object implements basic controls over the transfer of proprietary data.
You can also create a policy that prevents email to or from a specific domain or a specific user.
You can use App Control to limit email file size, but not to limit the number of attachments. App
Control can also block files based on MIME type.
App Control can scan email attachments that are text-based or are compressed to one level,
but not encrypted.


In this example, we create a policy that blocks executable attachments except when they are
sent by a member of the Support team. To do this we define an email address object containing
the email addresses of the Support team, then define a match object to match file name
extensions of executable files, then define an action object to strip the attachment and give the
user a message, and finally define an App Rules policy that uses all these objects.
See the following sections for the necessary procedures:

- Creating a Support Team Email Address Object on page 446
- Creating a Match Object for Executable File Extensions on page 447
- Creating an Action Object for Blocking the Email on page 449
- Creating an SMTP Client App Rules Policy on page 450
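To make the object semantics concrete before walking through the GMS screens, the following Python example models the pieces this use case assembles: an email address object with Exact Match or Partial Match content (including the Load From File path and its 2048-byte limit, as described under Adding or Editing Email Address Objects), a File Extension match object, and an SMTP Client policy that applies an action to messages carrying executable attachments unless the sender is in the Support team. It also shows the caveat stated above: an attachment whose extension has been renamed is not caught by an extension match. This is an added example, not SonicWALL code and not part of this guide; the class names, the example.com addresses and the sample messages are constructed, and the case-insensitive comparison is an assumption of the example.

```python
"""Model of the SMTP Client policy built in this use case (added example, not SonicWALL code).

Implements the objects described in the text: an email address object with
Exact Match or Partial Match content (including Load From File and its
2048-byte limit), a File Extension match object, and a policy that applies an
action to messages with executable attachments unless the sender is excluded.
All class names, addresses and messages are constructed for this example.
Comparisons are case-insensitive here, which is an assumption of the example.
"""
from dataclasses import dataclass, field

MAX_LIST_FILE_BYTES = 2048   # Load From File limit stated in the guide


@dataclass
class EmailAddressObject:
    name: str
    match_type: str              # "Exact Match" or "Partial Match"
    content: list = field(default_factory=list)

    def matches(self, address):
        addr = address.strip().lower()
        for item in self.content:
            needle = item.strip().lower()
            if self.match_type == "Exact Match":
                if addr == needle:           # whole address: user part and domain
                    return True
            elif needle in addr:             # any part, e.g. "@example.com"
                return True
        return False

    @classmethod
    def from_file_text(cls, name, match_type, text):
        """Load From File: one element per line; the file may be at most 2048 bytes."""
        if len(text.encode("utf-8")) > MAX_LIST_FILE_BYTES:
            raise ValueError("list file exceeds %d bytes" % MAX_LIST_FILE_BYTES)
        elements = [line.strip() for line in text.splitlines() if line.strip()]
        return cls(name, match_type, elements)


@dataclass
class FileExtensionMatchObject:
    name: str
    extensions: list             # e.g. ["exe", "vbs"]; Match Type is always Exact Match
    negative: bool = False       # Enable Negative Matching

    def matches(self, filename):
        # Only the final extension is compared, so "setup.exe.txt" is a .txt file here.
        ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
        hit = ext in {e.lower().lstrip(".") for e in self.extensions}
        return (not hit) if self.negative else hit


@dataclass
class SmtpClientPolicy:
    match_object: FileExtensionMatchObject
    action: str                              # e.g. "Disable Email Attachment - Add Text"
    excluded_senders: EmailAddressObject = None

    def evaluate(self, sender, attachments):
        """Return the action to apply, or None when the policy does not fire."""
        if self.excluded_senders is not None and self.excluded_senders.matches(sender):
            return None                      # excluded group, here the Support team
        if any(self.match_object.matches(name) for name in attachments):
            return self.action
        return None


# Constructed objects mirroring the use case (addresses are examples, not real ones).
SUPPORT_TEAM = EmailAddressObject("Support team", "Exact Match",
                                  ["alan@example.com", "support@example.com"])
EXECUTABLES = FileExtensionMatchObject("Executable Files",
                                       ["exe", "vbs", "bat", "awk", "cgi"])
BLOCK_EXE_POLICY = SmtpClientPolicy(EXECUTABLES, "Disable Email Attachment - Add Text",
                                    SUPPORT_TEAM)


def decide(sender, attachments):
    """Action for one outbound message, given the sender and attachment file names."""
    return BLOCK_EXE_POLICY.evaluate(sender, attachments)


if __name__ == "__main__":
    print(decide("bob@example.com", ["report.pdf", "setup.exe"]))   # action fires
    print(decide("alan@example.com", ["setup.exe"]))                # Support team exempt
    print(decide("bob@example.com", ["setup.exe.txt"]))             # renamed: not caught
```

The third call in the script is the point the text makes about extension matching: renaming setup.exe to setup.exe.txt defeats the File Extension match object, so a policy of this kind is a blanket control, not a guarantee, and a MIME-type or content match object is the stronger complement.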

Creating a Support Team Email Address Object


First, create an email address object for the Support team:

Step 1: On the App Control > Email Address Objects page, click Add New Email Address Object.

Step 2: In the Email Address Object page, type a descriptive name for the object into the Email
Address Object Name field, such as Support team.

Step 3: Select Exact Match from the Match Type pull-down list. For an exact match, you must
provide both the username and the domain parts of the email addresses to include in the object.

Step 4: In the Content field, type in the first email address or alias used by the Support team,
then click Add. The address is copied into the List box.

Step 5: If more than one email address is used by the Support team, repeat Step 4 until all
desired email addresses are included in the List box.

Step 6: Click OK. The Modify Task Description and Schedule window displays.

Step 7: To view all the options for Schedule, click the arrow to its right.

Step 8: For this example, select Immediate to create the object immediately.

Step 9: Click Accept to save the email address object with the selected schedule.
The new object is listed on the App Control > Email Address Objects page.

Creating a Match Object for Executable File Extensions


Next, create a match object that matches file names with extensions such as .exe, indicating
that they are executable:
Step 1

On the App Control > Match Objects page, click Add New Match Object.

Step 2

In the Match Object Settings window, in the Object Name text box, type a descriptive name
for the object, such as Executable Files.

Step 3

Using the Match Object Type pull-down list, select File Extension.

Step 4

The Match Type field is set to Exact Match; there are no other choices in this case.

Step 5

For the Input Representation, click Alphanumeric.

Step 6

Leave the Enable Negative Matching checkbox cleared.

Step 7

In the Content text box, type the executable file name extensions to match, and then click Add
after each one. For this case, we add exe, vbs, bat, awk, and cgi. The extensions appear in the
List text box.

Step 8

Click OK. The Modify Task Description and Schedule window displays.

Step 9

For the Schedule, select Immediate to create the object immediately.

Step 10 Click Accept to save the match object with the selected schedule.

The new object is listed on the App Control > Match Objects page.


Creating an Action Object for Blocking the Email


Now we need to create an action object that will block the email when executable attachments
are found. We could use the predefined Block SMTP E-Mail Without Reply action, but we will
create a custom action object that will provide an explanation of why the attachment was
blocked. However, it would be more secure to use the predefined action in most situations.
To create the action object:
Step 1

On the App Control > Action Objects page, click Add New Action Object.

Step 2

In the Action Object Settings window, in the Action Name text box, type a descriptive name
for the object, such as Block email with executable.

Step 3

In the Action pull-down list, select Disable E-Mail Attachment - Add Text.

Step 4

In the Content text box, type the explanation that you want users to see, such as Executable
attachments are not allowed.

Step 5

Click OK. The Modify Task Description and Schedule window displays.

Step 6

For the Schedule, select Immediate to create the object immediately.

Step 7

Click Accept to save the action object with the selected schedule.
The new object is listed on the App Control > Action Objects page.


Creating an SMTP Client App Rules Policy


The next step is to create an App Rules policy that uses our email address object and match
object, and combines them with an action object to block executable attachments except in
email from members of the Support team.
To create the App Rules policy:
Step 1

On the App Control > App Rules page, click Add New Policy.

Step 2

In the App Control Policies Settings window, type a descriptive name such as Block
Executable Attachments into the Policy Name field.

Step 3

Select SMTP Client from the Policy Type pull-down list.

Step 4

Leave Any as the source and destination in the Address pull-down lists.

Step 5

The Service pull-down lists do not provide a choice of service. The Source is Any, and the
Destination is SMTP (send E-Mail).

Step 6

For Exclusion Address, select None from the pull-down list.

Step 7

In the Match Object pull-down list, select the Executable Files match object that was just
created.

Step 8

In the Action pull-down list, select the Block email with executable action that was just
created.

Step 9

For Users/Groups, select All from the pull-down list under Included and select None in the
Excluded pull-down list.


Step 10 For MAIL FROM, select Any from the pull-down list under Included and select the Support
team email address object in the Excluded pull-down list. The Support team email addresses
will not be affected by the policy.

Step 11 For RCPT TO, select Any from the pull-down list under Included and select None in the
Excluded pull-down list.

Step 12 For Schedule, select Always on from the pull-down list.

Step 13 Leave the Enable Flow Reporting checkbox cleared.

Step 14 If you want the policy to create a log entry when a match is found, select the Enable Logging
checkbox.

Step 15 To record more details in the log, select the Log individual object content checkbox.

Step 16 For Log Redundancy Filter, select Use Global Settings to use the global value set on the
App Control > App Rules page.

Step 17 For Connection Side, only Client Side is available in the pull-down list.

Step 18 For Direction, select the Basic radio button and select Both in the pull-down list.

Step 19 Click OK. The Modify Task Description and Schedule window displays.

Step 20 For the Schedule, select Immediate to create the policy immediately.

Step 21 Click Accept to save the policy with the selected schedule.

The new policy is listed on the App Control > App Rules page.
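As an added example that is not part of this guide and not SonicWALL code, the following Python models what the policy built above does to a single SMTP message: the email address object, the file extension match object and the action text are constructed in code, the MAIL FROM exclusion is an exact address match, and matching attachments are replaced by the action text. The addresses and the sample message are constructed for the example.

```python
import email
from email import policy

# The three objects from the use case, constructed here to mirror the GUI objects.
SUPPORT_TEAM = {"support@example.com", "helpdesk@example.com"}  # Email Address Object, Exact Match (constructed)
EXECUTABLE_EXTENSIONS = {"exe", "vbs", "bat", "awk", "cgi"}      # Match Object: File Extension, Exact Match
BLOCK_TEXT = "Executable attachments are not allowed."           # Action Object: Disable E-Mail Attachment - Add Text


def file_extension(filename):
    """Exact match is on the extension alone, compared case-insensitively."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def sender_excluded(mail_from):
    """MAIL FROM: Included = Any, Excluded = the Support team object (exact match)."""
    return mail_from.strip().lower() in {a.lower() for a in SUPPORT_TEAM}


def attachment_names(msg):
    """Filenames of the attachments still present in a parsed message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def apply_block_executable_policy(mail_from, raw_message):
    """Apply the 'Block Executable Attachments' SMTP Client policy to one message.

    Returns (message, stripped): the parsed (possibly modified) message and the
    list of attachment filenames that were replaced by BLOCK_TEXT.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    stripped = []
    if sender_excluded(mail_from):
        return msg, stripped  # Support team mail is not affected by the policy
    for part in msg.walk():
        name = part.get_filename()
        if name and file_extension(name) in EXECUTABLE_EXTENSIONS:
            # Disable E-Mail Attachment - Add Text: the attachment body is
            # discarded and the part becomes a text part carrying the explanation.
            part.set_content(BLOCK_TEXT)
            stripped.append(name)
    return msg, stripped


# Constructed sample message with one executable and one harmless attachment.
SAMPLE_MESSAGE = """\
From: someone@example.org
To: user@example.com
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please run the attached tool.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Tool.EXE"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

just some notes
--b1--
"""


if __name__ == "__main__":
    result, stripped = apply_block_executable_policy("someone@example.org", SAMPLE_MESSAGE)
    print("stripped:", stripped)                    # ['Tool.EXE']
    print("remaining:", attachment_names(result))   # ['notes.txt']
```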

Controlling Risky Applications


The SonicWALL application signature databases are part of the App Control feature, allowing
very granular control over policy configuration and actions relating to them. These signature
databases are used to protect users from application vulnerabilities as well as worms, Trojans,
peer-to-peer transfers, spyware, and backdoor exploits. The extensible signature language
used in the SonicWALL Reassembly Free Deep Packet Inspection engine also provides
proactive defense against newly discovered application and protocol vulnerabilities.
App Control provides two ways to create policies for controlling applications. On the App
Control > Advanced page, you can quickly create a policy for a specific category, application,
or signature. You can select blocking, logging, or both to control the traffic. While a category
includes many applications, this method does not allow you to control applications belonging to
more than one category with a single policy. Similarly, while an application can include multiple
signatures, you cannot include signatures from different applications in a policy, unless you
create a policy for the whole category.


By using the Add Application List Object feature on the App Control > Match Objects page,
you can achieve more granularity and select specific applications from different categories.
Then, this object can be used in an App Rules policy.
To include signatures from different applications in a single policy, you need to use the Add
New Match Object feature with a Match Object Type of Application Signature List. This
allows you to select any signature from the same database that is used for App Control >
Advanced, no matter what category or application the signature belongs to, and add them into
a single match object. You can then create an App Rules policy using this match object to
control those specific signatures.
Our example in this use case uses the Add Application List Object feature to create an object
containing the riskiest applications in the database. We then create an App Rules policy using
this object, and block the application traffic using the predefined Reset/Drop action.
See the following sections:

Creating the Application List Object on page 452

Creating an App Control Content App Rules Policy on page 456

Creating the Application List Object


This procedure shows how to select the riskiest applications in the database, and create a
single object containing them.
To create the application list object:
Step 1

In the TreeControl, select the unit or group to configure.

Step 2

Navigate to the App Control > Match Objects page on the Policies tab.


Step 3

Click the Add Application List Object button. The Add Application List Object screen
displays.

Step 4

On the Application tab, to name this object, clear the Auto-generate match object name
checkbox and then type a name such as Riskiest apps for the object in the Match Object
Name field.

Step 5

Leave all category checkboxes selected under Category at the top left.

Step 6

Under Threat Level, clear all threat level checkboxes except for the one next to SEVERE. The
list of applications in the lower panel changes as you clear the threat level checkboxes.

Step 7

Leave all technology checkboxes selected under Technology.


The screen now shows all applications that have a threat level of SEVERE.

If you want to see the signatures included by any of the applications, click the arrow next to the
application name to expand the details for it.


Step 8

In the application list where you see the names of all the SEVERE rated applications, click the
Plus sign next to Name to select all of the listed applications for your object. A dialog box pops
up to warn you that selecting the entire list may take a while. In our case, it will not take too long
since there are only a dozen or so applications in the list.

Step 9

Click OK in the warning dialog box. All of the Plus signs change to green check marks, and the
applications are added to the Application Group field on the right.

Step 10 Click the OK button. The Modify Task Description and Schedule window displays.
Step 11 For the Schedule, select Immediate to create the object immediately.


Step 12 Click Accept to save the object with the selected schedule.

The new object is listed on the App Control > Match Objects page.

Creating an App Control Content App Rules Policy


The next step is to create an App Rules policy that uses our application list object and combines
it with an action object to block these risky applications.
To create the App Rules policy:
Step 1

On the App Control > App Rules page, click Add New Policy.

Step 2

In the App Control Policies Settings window, type a descriptive name such as Block Risky
Apps into the Policy Name field.


Step 3

Select App Control Content from the Policy Type pull-down list.

Step 4

Leave Any in the Address pull-down list.

Step 5

Leave None in the Exclusion Address pull-down list.

Step 6

In the Match Object pull-down list, select the Riskiest apps match object that was just created.

Step 7

In the Action pull-down list, select the Reset/Drop predefined action.

Step 8

For Users/Groups, select All from the pull-down list under Included and select None in the
Excluded pull-down list.

Step 9

For Schedule, select Always on from the pull-down list.

Step 10 Optionally select the Enable Flow Reporting checkbox to enable internal and external flow
reporting based on data flows, connection related flows, non-connection related flows
regarding applications, viruses, spyware, intrusions, and other information.

Step 11 Select the Enable Logging checkbox. This causes the policy to create a log entry when a
match is found.

Step 12 Optionally, to record more details in the log, select the Log individual object content
checkbox.

Step 13 Select the Log using App Control message format checkbox. This changes logging to
display the category in the log entry as Application Control, and to use a prefix such as
Application Control Detection Alert in the log message. This is useful if you want to use log
filters to search for Application Control alerts.

Step 14 For Log Redundancy Filter, select Global Settings. This uses the global value set on the App
Control > App Rules page. Alternatively, you can enter a number of seconds to delay between
each log entry for this policy. The local setting overrides the global setting only for this policy;
other policies are not affected.


Step 15 Select Any from the Zone pull-down list to apply this policy to all zones.
Step 16 Click OK. The Modify Task Description and Schedule window displays.
Step 17 For the Schedule, select Immediate to create the policy immediately.
Step 18 Click Accept to save the policy with the selected schedule.

The new policy is listed on the App Control > App Rules page.


CHAPTER 18
Configuring Firewall Anti-Spam Settings
This chapter describes the Anti-Spam feature, a quick, efficient, and effective way to add
anti-spam, anti-phishing, and anti-virus capabilities to your SonicWALL firewall appliance.
There are two primary ways inbound messages are analyzed by the Anti-Spam feature:
Advanced IP Reputation Management and Cloud-based Advanced Content Management.
IP Address Reputation uses
the GRID Network to identify the IP addresses of known spammers, and reject any mail from
those senders without even allowing a connection. GRID Network Sender IP Reputation
Management checks the IP address of incoming connecting requests against a series of lists
and statistics to ensure that the connection has a probability of delivering valuable email. The
lists are compiled using the collaborative intelligence of the SonicWALL GRID Network. Known
spammers are prevented from connecting to the SonicWALL firewall appliance, and their junk
email payloads never consume system resources on the targeted systems.
This chapter includes the following subsections:

Activating Anti-Spam section on page 459

Configuring Anti-Spam Settings section on page 460

Configuring Anti-Spam Real-Time Black List Filtering section on page 464

Activating Anti-Spam
To activate the Comprehensive Anti-Spam Service, perform the following steps:
Step 1

Navigate to the Policies > Anti-Spam > Settings page.


Step 2

Select the Enable Anti-Spam Service checkbox to activate the Anti-Spam service.
The Comprehensive Anti-Spam Service is now activated.

Configuring Anti-Spam Settings


You can configure the Comprehensive Anti-Spam Service on the Anti-Spam > Settings page,
including installing the Junk Store and configuring email threat categories. See the following
sections:

Configuring the Email Threat Categories on page 461

Configuring Email Domains on page 462

Configuring User Defined Access Lists on page 462

Configuring Advanced Options on page 462

Configuring Anti-Spam Real-Time Black List Filtering on page 464


Configuring the Email Threat Categories


The Email Threat Categories section enables the administrator to configure the settings for
users' messages. Choose settings for messages that contain spam, phishing, and virus issues.
The default settings are:

Likely Spam: Store in Junk Box

Definite Spam: Permanently Delete

Likely Phishing: Tag with [LIKELY PHISHING]

Definite Phishing: Store in Junk Box

Likely Virus: Store in Junk Box

Definite Virus: Permanently Delete

Use the pull-down options to choose how to handle messages in each threat category. Your
options are:

Response: Effect

Filtering off: SonicWALL Anti-Spam service will not scan and filter any email, so all email
messages in this category are delivered to the recipients without modification.

Tag With: The email is tagged with a term in the subject line, for example, [JUNK] or
[Possible Junk?]. Selecting this option allows the user to have control of the email and junk it
if it is unwanted.

Store in Junk Box: The email message is stored in the Junk Box. It can be unjunked by users
and administrators with appropriate permissions.

Reject Mail: The email message is returned to sender with a message indicating that it was
not deliverable.

Permanently Delete: The email message is permanently deleted.
CAUTION: If you select this option, your organization risks losing wanted email.


Configuring Email Domains


The Comprehensive Anti-Spam Service supports up to 5 domains. If you are using more than
one domain, choose the Multiple Domains option and contact SonicWALL or your SonicWALL
reseller for more information.

Configuring User Defined Access Lists


User-defined Access Lists designate which clients are allowed to connect to deliver email.
You can also set clients to be automatically rejected.

Configuring Advanced Options


Click the down-arrow next to Advanced Options to expand this section.


Advanced options allow you to set the following:

Setting: Description

Allow / Reject delivery of unprocessed mails when Comprehensive Anti-Spam Service is
unavailable: If the Anti-Spam service is not enabled or unavailable for some other reason, you
can choose Allow to let all unprocessed emails go through. Spam messages will be delivered
to users, as well as good email. If the setting is Reject, no email will be delivered until the
Anti-Spam service is re-enabled.

Tag and Deliver / Reject / Delete emails when SonicWALL Junk Store is unavailable: If the
SonicWALL Junk Store cannot accept spam messages, you can choose to delete them, reject
them, or deliver them with cautionary subject lines such as [Phishing] Please renew your
account.

Probe Interval: Set the number of minutes between messages to the monitoring service.

Success Count Threshold: Set the number of successes required to report a success to the
monitoring service.

Failure Count Threshold: Set the number of failures required to report a failure to the
monitoring service.

Server Public IP Address: The IP address of the server that is available for external
connections.

Server Private IP Address: The IP address of the server for internal traffic.

Inbound Email Port: The port your SonicWALL firewall appliance has open to receive email
from outside sources.

Enable Email System Detection: Enables the detection of other anti-spam solutions in the
network perimeter.


Configuring Anti-Spam Real-Time Black List Filtering


The Policies > Anti-Spam > RBL Filter page only allows configuration of Real-Time Black List
filtering if the Anti-Spam Service is not enabled.

SMTP Real-Time Black List (RBL) is a mechanism for publishing the IP addresses that SMTP
spammers use. A number of organizations compile this information, both for free
(http://www.spamhaus.org) and for profit (http://www.mail-abuse.com). A well-maintained list of
RBL services and their efficacy can be found at:
http://www.sdsc.edu/~jeff/spam/cbc.html

Note

SMTP RBL is an aggressive spam filtering technique that can be prone to false-positives
because it is based on lists compiled from reported spam activity. The SonicOS
implementation of SMTP RBL filtering provides a number of fine-tuning mechanisms to help
ensure filtering accuracy.
RBL list providers publish their lists using DNS. Blacklisted IP addresses appear in the
database of the list provider's DNS domain using inverted IP notation of the SMTP server in
question as a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates
some type of undesirability:

127.0.0.2 - Open Relay

127.0.0.3 - Dialup Spam Source

127.0.0.4 - Spam Source

127.0.0.5 - Smart Host

127.0.0.6 - Spamware Site

127.0.0.7 - Bad List Server

127.0.0.8 - Insecure Script

127.0.0.9 - Open Proxy Server

For example, if an SMTP server with IP address 1.2.3.4 has been blacklisted by RBL list
provider sbl-xbl.spamhaus.org, then a DNS query to 4.3.2.1.sbl-xbl.spamhaus.org will provide
a 127.0.0.4 response, indicating that the server is a known source of spam, and the connection
will be dropped.


Note

Most spam today is known to be sent from hijacked or zombie machines running a thin
SMTP server implementation. Unlike legitimate SMTP servers, these zombie machines
rarely attempt to retry failed delivery attempts. Once the delivery attempt is blocked by the
SonicWALL RBL filter, no subsequent delivery attempts for that same piece of spam will be
made.
When Enable Real-time Black List Blocking is enabled on the Anti-Spam > RBL Filter page,
inbound connections from hosts on the WAN, or outbound connections to hosts on the WAN
are checked against each enabled RBL service with a DNS request to the DNS servers
configured under RBL DNS Servers.
The RBL DNS Servers menu allows you to specify the DNS servers. You can choose Inherit
Settings from WAN Zone or Specify DNS Servers Manually. If you select Specify DNS
Servers Manually, enter the DNS server addresses in the DNS Server fields.
The DNS responses are collected and cached. If any of the queries result in a blacklisted
response, the server will be filtered. Responses are cached using TTL values, and
non-blacklisted responses are assigned a cache TTL of 2 hours. If the cache fills up, then cache
entries are discarded in a FIFO (first-in-first-out) fashion.
The IP address check uses the cache to determine if a connection should be dropped. Initially,
IP addresses are not in the cache and a DNS request must be made. In this case the IP address
is assumed innocent until proven guilty, and the check results in the allowing of the connection.
A DNS request is made and results are cached in a separate task. When subsequent packets
from this IP address are checked, if the IP address is blacklisted, the connection will be
dropped.
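As an added example that is not part of this guide and not the SonicOS implementation, the following Python builds the inverted-IP query name from the 1.2.3.4 example above, maps the 127.0.0.x response codes, and emulates the cache behaviour just described: TTL expiry, the 2-hour TTL for non-blacklisted answers, FIFO eviction when the cache is full, and allowing a connection whose lookup is still pending. The per-service expected response codes (or Block All Responses) follow the Add RBL Domain options; DNS answers come from a constructed table rather than live queries.

```python
import time
from collections import OrderedDict

# Response codes and their meanings, as listed in the guide.
RBL_RESPONSE_CODES = {
    "127.0.0.2": "Open Relay",
    "127.0.0.3": "Dialup Spam Source",
    "127.0.0.4": "Spam Source",
    "127.0.0.5": "Smart Host",
    "127.0.0.6": "Spamware Site",
    "127.0.0.7": "Bad List Server",
    "127.0.0.8": "Insecure Script",
    "127.0.0.9": "Open Proxy Server",
}

NOT_LISTED_TTL = 2 * 60 * 60  # non-blacklisted answers are cached for 2 hours


def rbl_query_name(ip, rbl_domain):
    """Inverted IP notation as a prefix to the RBL domain:
    rbl_query_name("1.2.3.4", "sbl-xbl.spamhaus.org") -> "4.3.2.1.sbl-xbl.spamhaus.org"
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + rbl_domain


class RblFilter:
    """Emulation of the RBL check described in the guide: verdicts cached with a
    TTL, FIFO eviction when the cache is full, and a connection allowed while
    its DNS lookup is still pending (innocent until proven guilty)."""

    def __init__(self, resolver, rbl_services, max_entries=1000, clock=time.time):
        # resolver(name) -> (response_code, ttl_seconds), or None when not listed.
        # rbl_services: {domain: set of expected response codes, or None for
        # "Block All Responses"}.
        self.resolver = resolver
        self.rbl_services = dict(rbl_services)
        self.max_entries = max_entries
        self.clock = clock
        self.cache = OrderedDict()  # ip -> (response_code or None, expires_at)
        self.pending = []           # IPs queued for the lookup task

    def check(self, ip):
        """Return True if the SMTP connection involving ip should be allowed."""
        entry = self.cache.get(ip)
        if entry is not None and entry[1] > self.clock():
            return entry[0] is None  # cached verdict: drop only if blacklisted
        # Not cached, or the cached entry expired: allow and queue a lookup.
        if ip not in self.pending:
            self.pending.append(ip)
        return True

    def run_lookup_task(self):
        """The separate task: resolve queued IPs and cache the answers."""
        while self.pending:
            ip = self.pending.pop(0)
            code, ttl = self._lookup(ip)
            self.cache.pop(ip, None)
            while len(self.cache) >= self.max_entries:
                self.cache.popitem(last=False)  # FIFO: discard the oldest entry
            self.cache[ip] = (code, self.clock() + ttl)

    def _lookup(self, ip):
        """Query each enabled RBL service; the first matching answer blacklists."""
        for domain, expected in self.rbl_services.items():
            answer = self.resolver(rbl_query_name(ip, domain))
            if answer is None:
                continue
            code, ttl = answer
            if expected is None or code in expected:
                return code, ttl  # cached for the TTL carried by the DNS record
        return None, NOT_LISTED_TTL

    def reason(self, ip):
        """Meaning of a cached blacklist verdict for ip, or None if not listed."""
        entry = self.cache.get(ip)
        if entry is None or entry[0] is None:
            return None
        return RBL_RESPONSE_CODES.get(entry[0], "listed with code " + entry[0])


# Constructed stand-in for DNS: the guide's example of 1.2.3.4 listed as a Spam Source.
FAKE_DNS = {"4.3.2.1.sbl-xbl.spamhaus.org": ("127.0.0.4", 300)}


def fake_resolver(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    rbl = RblFilter(fake_resolver, {"sbl-xbl.spamhaus.org": None})
    print("first packet from 1.2.3.4 allowed:", rbl.check("1.2.3.4"))  # True
    rbl.run_lookup_task()
    print("next packet from 1.2.3.4 allowed:", rbl.check("1.2.3.4"))   # False
    print("reason:", rbl.reason("1.2.3.4"))                             # Spam Source
```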

Adding RBL Services


You can add additional RBL services in the Real-time Black List Services section.
To add an RBL service, click the Add button. In the Add RBL Domain window, you specify the
RBL domain to be queried, enable it for use, and specify its expected response codes. Most
RBL services list the responses they provide on their Web site, although selecting Block All
Responses is generally acceptable.
Statistics are maintained for each RBL Service in the RBL Service table, and can be viewed
with a mouseover of the (statistics) icon to the right on the service entry.

User-Defined SMTP Server Lists


The User Defined SMTP Server Lists section allows for Address Objects to be used to
construct a white-list (explicit allow) or black-list (explicit deny) of SMTP servers. Entries in this
list will bypass the RBL querying procedure. For example, to ensure that you always receive
SMTP connections from a partner site's SMTP server, create an Address Object for the server
using the Add button, click the edit icon in the Configure column of the RBL User White List
row, and add the Address Object. The table will be updated, and that server will always be
allowed to make SMTP exchanges.
The System > Diagnostics page also provides a Real-time Black List Lookup feature that
allows for SMTP IP addresses (or RBL services, or DNS servers) to be specifically tested.


CHAPTER 19
Configuring Firewall Virtual Private
Networking
A Virtual Private Network (VPN) is a private data network that uses encryption technologies to
operate over public networks. This chapter contains the following sections:

VPN SA Management Overview section on page 467

Viewing the VPN Summary section on page 469

Configuring VPN Settings section on page 470

Configuring ULA Settings for VPNs section on page 472

Configuring VPNs in SonicOS Enhanced section on page 472

Configuring VPNs in SonicOS Standard section on page 478

Setting up the L2TP Server section on page 500

Monitoring VPN Connections section on page 501

Management of VPN Client Users section on page 501

VPN Terms and Concepts section on page 503

Using OCSP with SonicWALL Security Appliances section on page 505

VPN SA Management Overview


Each node in a network can exchange data by establishing a VPN tunnel or a Security
Association (SA) with one or more other nodes. Once a tunnel is established, the SA uses
encryption and authentication keys to ensure data security and integrity.
A security key string is an encryption key that is used to encrypt and decrypt secure data. Both
nodes must have the key to exchange data. For example, the announcer of the Little Orphan
Show used the same key to encode the secret messages that the kids used to decode the
messages.
Although an encrypted message cannot be read, it can be tampered with externally. Using an
authentication key prevents external tampering. An authentication key is a hash function that is
applied to the message content and is checked by the message recipient to verify the message
was not modified in transit.


In order to ensure message security, it is very important that the security and authentication
keys are not discovered by outside parties. Otherwise, the messages could be read in transit.

Deployment Caveats
When managing one or more VPNs through GMS, be aware of the following caveats:

Because of the individual nature of deployment, VPN SA configurations are not inheritable.

If updates are completed at the group node, separate tasks must be created for each
individual unit within that node.

Authentication Methods
SonicWALL appliances can use the following methods to exchange security and authentication
keys:

SonicWALL certificates: each SonicWALL appliance obtains a certificate from the
SonicWALL Certificate Authority (CA). Security and authentication keys are exchanged
using public-key cryptography and authenticity of each node is verified by the SonicWALL
CA.
After the SA expires, the SonicWALL appliances will reestablish an SA using the same
public keys, but the security and authentication keys will be different. If one set of security
and authentication keys is compromised by an outside party, that party will be unable to
compromise the next set of keys.

Third-party certificates: the SonicWALL appliance and peer device obtain certificates
from the third-party certificate authorities. Security and authentication keys are exchanged
using public-key cryptography and authenticity of each node is verified by the third-party
CA.
After the SA expires, the peers will reestablish an SA using the same public keys, but will
not use the same security and authentication keys.

Pre-shared secret: each SonicWALL appliance has a shared secret that is used to
establish an SA.
After the SA expires, the SonicWALL appliances will reestablish an SA using the same
public keys, but will not use the same security and authentication keys.

Pre-exchanged security and authentication keys: keys are exchanged in advance.
The SA will always use the same encryption and authentication keys. If the keys are
compromised by an outside party, they will remain compromised until the keys are changed.

Note

For an explanation of VPN terms, refer to the VPN Terms and Concepts section on
page 503.

Viewing the VPN Summary


To view the VPN summary, perform the following steps:
1.

Expand the VPN tree and click Summary. The VPN Summary page displays.

Note

If VPN is already configured for the SonicWALL appliance, a list of current SAs
displays. The unique firewall identifier also displays.

2.

Note the improved navigation for managing VPNs through use of page navigation arrows
within the Current IPSec Security Associations. To navigate through the pages, click on the
navigation arrow buttons in the upper right corner of the VPN Summary Page as shown in
the figure here.

When managing VPNs, the VPN Summary Window sometimes can have too many VPNs listed
for you to easily find the VPN entry you want to view. To make VPN searching and viewing
easier, GMS now provides a pagination feature in the VPN Summary screen which breaks the
list of VPNs into multiple pages. Each page can display up to 50 VPNs. To display the next page
of VPNs, simply click the Next button. GMS displays the succeeding page of the VPN Summary
Window.


Configuring VPN Settings


To configure VPN settings, perform the following steps:
1.

Expand the VPN tree and click Settings. The VPN Settings page displays.

2.

Under Global IPSec Settings, select the Enable VPN check box.

3.

To disable all NetBIOS broadcasts, select the Disable all VPN Windows Networking
(NetBIOS) broadcast check box.

4.

To improve interoperability with other VPN gateways and applications that use a large data
packet size, select the Enable Fragmented Packet Handling check box. Packet
fragmentation overburdens a network router by resending data packets and causes
network traffic to slow down between networks.
The Enable Fragmented Packet Handling option configures the SonicWALL appliance to
listen to the intermediate router and, if necessary, send Internet Control Message Protocol
(ICMP) messages to the router to decrease the size of the data packets. Enabling this
option is recommended if the VPN tunnel logs contain many Fragmented IPSec packets
dropped messages.

5.

To ignore Don't Fragment (DF) bits from routers connected to the SonicWALL appliance,
select the Ignore DF Bit check box.

6.

NAT Traversal is an Internet Engineering Task Force (IETF) draft standard that wraps an
IPsec packet into a UDP/IP header, allowing NAT devices to change IP addresses without
affecting the integrity of the IPsec packet. To enable NAT traversal, select the Enable NAT
Traversal check box.

7.

Specify how often the SonicWALL appliance issues a Keepalive in the Keep alive time
field.

8.

To enable detection of a dead peer, select the Enable IKE Dead peer detection check box.
Then, specify how often the SonicWALL appliance attempts to detect a peer in the Dead peer
detection Interval field and specify the number of failed attempts that must occur before
closing the VPN tunnel in the Failure Trigger Level field.

9.

Select Enable Dead Peer Detection for Idle vpn sessions if you want idle VPN
connections to be dropped by the SonicWALL security appliance after the time value
defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field.

10. Select VPN Single Armed mode to use single armed mode, allowing the appliance to act
as a stand-alone VPN gateway, using the WAN port as the VPN tunnel termination point.

11. Select Clean up Active Tunnels when Peer Gateway DNS names resolves to a
different IP address to break down SAs associated with old IP addresses and reconnect
to the peer gateway.

12. Select Preserve IKE Port for Pass-Through Connections to preserve UDP 500/4500
source port and IP address information for pass-through VPN connections.

13. Select Enable OCSP Checking and enter the OCSP Responder URL to enable use of
Online Certificate Status Protocol (OCSP) to check VPN certificate status and to specify the
URL where to check certificate status.

14. Select Send vpn tunnel traps only when tunnel status changes to send tunnel traps
only when the tunnel status changes. By default, the firewall sends traps for VPN up/down
status. To minimize email alerts based on VPN traps, check this box.

15. Select Use RADIUS in and then select either MSCHAP or MSCHAPv2 mode for XAUTH
to allow VPN client users to change expired passwords at login time.

16. Under IKEv2 Settings, select Send IKEv2 Cookie Notify to send cookies to IKEv2 peers
as an authentication tool.

17. Use the IKEv2 Dynamic Client Proposal settings to configure the Internet Key Exchange
(IKE) attributes rather than using the default settings. Previously, only the default settings
were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the
SHA1 authentication method. Appliances running SonicOS Enhanced 4.0 and higher can
be configured with the following IKE Proposal settings, which apply to the global IPsec
policy for a zero (0.0.0.0) gateway IKEv2 tunnel, that is, a tunnel whose dynamic peer
gateways do not have static IP addresses:

DH Group - Select Group 1, Group 2, or Group 5 from the pull-down list.

Encryption - Select DES, 3DES, AES-128, AES-192, or AES-256 from the pull-down list.

Authentication - Select MD5 or SHA1 from the pull-down list.

DES, MD5, and DH Group 1 (768-bit) are offered for backward compatibility only; where the
peers support it, choose AES, SHA1, and the largest DH group available.

If a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, you
cannot configure these IKE Proposal settings on an individual policy basis.

Note: The VPN policy on the remote gateway must also be configured with the same
settings.

18. When you are finished, click Update. To clear all screen settings and start over, click Reset.
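The dead-peer-detection settings in steps 8 and 9 interact: the probe interval and the failure
trigger level decide how long a dead peer goes unnoticed (roughly interval multiplied by trigger
level), while the idle-session option tears down tunnels that carried no data at all. The
simulator below is an added example, not SonicWALL code. It models those three settings on a
one-second timeline under a simplified reading of RFC 3706 (a probe is sent only after the
interval passes with nothing heard from the peer, and data from the peer counts as proof of
life), using constructed scenarios in place of real tunnels.

```python
"""Dead Peer Detection timeline simulator (added example, not SonicWALL code)."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class DpdSettings:
    interval: int                 # "Dead peer detection Interval" (seconds)
    failure_trigger_level: int    # unanswered probes in a row before teardown
    idle_dpd: bool = False        # "Enable Dead Peer Detection for Idle vpn sessions"
    idle_interval: int = 0        # "DPD Interval for Idle VPN Sessions (seconds)"


@dataclass
class Outcome:
    down_at: Optional[int]        # second at which the tunnel was torn down, or None
    reason: Optional[str]         # "dead-peer", "idle" or None
    probes_sent: int


def simulate_dpd(settings: DpdSettings, peer_responds_until: int,
                 peer_data_times: Sequence[int], duration: int) -> Outcome:
    """Run a tunnel for `duration` seconds and report when it goes down.

    peer_responds_until: last second at which the peer still answers R-U-THERE;
                         after that it is silently dead (crashed, or lost behind NAT).
    peer_data_times:     seconds at which the peer sends ordinary ESP traffic
                         (constructed input); data counts as proof of liveness.
    Assumption: a probe is only sent once `interval` seconds have passed with
    nothing received from the peer, as in RFC 3706, and an ACK arrives in the
    same one-second tick as its probe.
    """
    data = set(peer_data_times)
    last_rx = 0        # last second anything (data or ACK) arrived from the peer
    last_data = 0      # last second ordinary data arrived from the peer
    last_probe = 0
    misses = 0
    probes = 0
    for now in range(duration + 1):
        if now in data:
            last_rx = last_data = now
            misses = 0                         # liveness proven, counter resets
        # Idle-session DPD: drop a tunnel with no data for idle_interval seconds.
        if settings.idle_dpd and now - last_data >= settings.idle_interval:
            return Outcome(now, "idle", probes)
        # Regular DPD: probe only when the peer has been silent for `interval`.
        if now - max(last_rx, last_probe) >= settings.interval:
            probes += 1
            last_probe = now
            if now <= peer_responds_until:
                last_rx = now                  # R-U-THERE-ACK received
                misses = 0
            else:
                misses += 1
                if misses >= settings.failure_trigger_level:
                    return Outcome(now, "dead-peer", probes)
    return Outcome(None, None, probes)


if __name__ == "__main__":
    # Peer dies after second 25; 10 s interval, trigger level 3.
    print(simulate_dpd(DpdSettings(10, 3), 25, [5], 120))
    # Healthy peer, but idle-session DPD with a 30 s idle interval.
    print(simulate_dpd(DpdSettings(10, 3, idle_dpd=True, idle_interval=30),
                       10 ** 6, [5, 12], 120))
```

In the first scenario the peer stops answering after second 25, and with a 10-second interval
and a trigger level of 3 the tunnel is declared dead at second 55, so anything relying on that
tunnel (or on failover away from it) waits out that window. A lower trigger level shortens the
window at the cost of false teardowns on a lossy link.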


Configuring ULA Settings for VPNs


Note: ULA settings are only available in SonicOS Standard.

To configure User Level Authentication (ULA) settings for VPNs, perform the following steps:


1. Expand the VPN tree and click ULA Settings.

2. To allow unauthenticated users to access a service, select the service in the Allow these
services to bypass user authentication on VPN SAs area and click Add. Repeat this
step for each service to add. Each bypass entry removes the user-authentication requirement
for that service on every VPN SA, so keep the list to what is strictly needed.

3. To specify a range of IP addresses that will always be allowed to access the Internet, enter
the first IP address in the Begin field and the size of the range in the Length field.

4. Click Add. The scheduler displays.

5. Expand Schedule by clicking the plus button.

6. Select Immediate or specify a future date and time.

7. Click Accept.

8. When you are finished, click Update.

9. Repeat steps 3 through 8 to add more ranges.

10. To delete an entry, select the check box to the left of the service or IP address range and
click Update.

Configuring VPNs in SonicOS Enhanced


SonicOS uses Address Objects and Address Object Groups to simplify network configuration
and interconnection. Address objects are network addresses or hosts. Address object groups
are groups of address objects and/or address object groups.
When you configure VPN between Address Object Groups on two SonicWALL appliances,
SonicWALL GMS will automatically establish VPN connections between every network within
those groups. This saves a lot of configuration time and dramatically simplifies VPN
configuration.
Select from the following:


Configuring VPNs in Interconnected Mode section on page 473 - for VPNs between two
SonicWALL appliances.

Configuring VPNs in Non-Interconnected Mode section on page 474 - for a VPN between
a SonicWALL appliance and another device.


When you have completed the interconnected or non-interconnected configuration procedure,
continue on to the following section:

Generic VPN Configuration in SonicOS Enhanced section on page 475

Configuring VPNs in Interconnected Mode


Establishing a VPN between two SonicWALL appliances that are being managed by
SonicWALL GMS is easy. Because SonicWALL GMS is aware of the configuration settings, it
will automatically configure most of the VPN settings without any user intervention. To establish
VPNs between two SonicWALL appliances that are being managed by SonicWALL GMS,
perform the following steps:


1. Expand the VPN tree and click Configure 2.0. The VPN Configure page displays with the
General tab selected.

2. To establish a new SA, select Add New SA from the Security Association list box.

3. Select the Interconnected check box.

4. To configure SonicWALL GMS to convert the SAs to non-interconnected mode VPN
tunnels, select the Make SAs viewable in Non-Interconnected Mode check box.

Note: Making an SA viewable in Non-Interconnected mode is not reversible.

5. Select the destination SonicWALL appliance by clicking Select Destination Node and
selecting the node from the dialog box that displays.

6. To initially disable the SA upon creation, select the Disable SA check box. This option can
always be unchecked at a later time.

7. Select one of the following keying modes from the IPSec Keying Mode list box.
SonicWALL GMS automatically creates the pre-shared key, SPI, encryption key,
authentication key, or certificate information, as applicable, for each mode described below.

Manual Key - Keys are exchanged in advance. The SA will always use the same
encryption and authentication keys. If the keys are compromised by an outside party,
they remain compromised until the keys are changed.

IKE Using Pre-Shared Secret - Each SonicWALL appliance has a shared secret that
is used to establish an SA.


After the SA expires, the SonicWALL appliances reestablish an SA using the same
pre-shared secret, but with fresh encryption and authentication keys. Configure the
following:

Local IKE ID - Specifies whether the IP address or SonicWALL Identifier will be
used as the IKE ID for the local SonicWALL appliance.

Peer IKE ID - Specifies whether the IP address or SonicWALL Identifier will be used
as the IKE ID for the peer SonicWALL appliance.

IKE Using 3rd Party Certificates - The SonicWALL appliance and peer device obtain
certificates from third-party certificate authorities. Security and authentication keys
are exchanged using public-key cryptography, and the authenticity of each node is verified
through the third-party CA.
After the SA expires, the peers reestablish an SA using the same certificates and
public keys, but with fresh encryption and authentication keys.

8. Continue to Generic VPN Configuration in SonicOS Enhanced section on page 475.

Configuring VPNs in Non-Interconnected Mode


To establish a VPN between a SonicWALL appliance that is managed by SonicWALL GMS and
a device that is not (a third-party IPsec gateway, or a SonicWALL appliance outside
GMS management), perform the following steps:
1. Expand the VPN tree and click Configure 2.0. The VPN Configure page displays with the
General tab selected.

2. To establish a new SA, select Add New SA from the Security Association list box.

3. Deselect the Interconnected check box.

4. Select the Disable SA check box to initially disable the SA upon creation. This option can
be unchecked at a later time.

5. Select one of the following keying modes from the IPSec Keying Mode list box:

Manual Key - Keys are exchanged in advance. The SA will always use the same
encryption and authentication keys. If the keys are compromised by an outside party, they
remain compromised until the keys are changed. If you select this option, configure the
following:


Name - Specifies the name of the SA.

IPSec Gateway Name or Address - Specifies the name or IP address of the gateway.


IKE Using Pre-Shared Secret - Each SonicWALL appliance has a shared secret that
is used to establish an SA. After the SA expires, the SonicWALL appliances reestablish
an SA using the same pre-shared secret, but with fresh encryption and authentication
keys. Configure the following:

Name - Specifies the name of the SA.

IPSec Primary Gateway Name or Address - Specifies the name or IP address of
the primary gateway.

IPSec Secondary Gateway Name or Address - Specifies the name or IP address
of the secondary gateway.

Shared Secret - Specifies the shared secret used to negotiate the VPN tunnel. Use a
long, randomly generated value rather than a word or phrase.

Local IKE ID - Specifies whether the IP address or SonicWALL Identifier will be
used as the IKE ID for the local SonicWALL appliance.

Peer IKE ID - Specifies whether the IP address or SonicWALL Identifier will be
used as the IKE ID for the peer SonicWALL appliance.

IKE Using 3rd Party Certificates - The SonicWALL appliance and peer device obtain
certificates from third-party certificate authorities. Security and authentication keys
are exchanged using public-key cryptography, and the authenticity of each node is verified
through the third-party CA. After the SA expires, the peers reestablish an SA using the
same certificates and public keys, but with fresh encryption and authentication keys.
If you select this option, configure the following:

Name - Specifies the name of the SA.

IPSec Primary Gateway Name or Address - Specifies the name or IP address of
the primary gateway.

IPSec Secondary Gateway Name or Address - Specifies the name or IP address
of the secondary gateway.

Third Party Certificate - Specifies the local certificate used to establish the SAs.

Peer Certificate's ID Type - Specifies the ID type of the peer certificate.

ID string to match - Specifies the string that the peer certificate's ID must match for
the SA to be established.

Generic VPN Configuration in SonicOS Enhanced


To configure the additional options for VPNs in SonicOS Enhanced, perform the following steps:

1. Click the Network tab. Select which local networks will establish VPN connections
with the destination networks:

Choose local network from list - Specifies an Address Object that contains one or
more networks. For information on creating address objects, refer to the documentation
that accompanied the SonicWALL appliance.

Local network obtains IP addresses using DHCP through this VPN Tunnel - Indicates
that the computers on the local network will obtain their IP addresses from the
destination network.

Any address - Configures all networks to establish VPN connections with the specified
destination networks.

2. Select the destination networks with which the local networks will connect:

Use this VPN Tunnel as default route for all Internet traffic - Sends all
Internet-bound traffic from the local networks through this tunnel.


Destination network obtains IP addresses using DHCP through this VPN Tunnel -
Indicates that the computers on the destination network will obtain their IP
addresses from the local network.

Choose destination network from list - Specifies an Address Object that contains
one or more networks. For information on creating address objects, refer to the
documentation that accompanied the SonicWALL appliance.

3. (Optional) Click the Proposals tab.

4. Select the IKE Phase 1 Proposal options (Certificates and Pre-Shared Secret only):

Exchange - Select the exchange mode from the Exchange list box. Aggressive mode
improves the performance of IKE SA negotiation by requiring only three packet
exchanges. However, it provides no identity protection: the peer identities are sent in the
clear. Otherwise, select Main Mode.

DH Group - Specifies the Diffie-Hellman group to use when the VPN devices are
negotiating encryption and authentication keys.

Note: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a 1024-bit
Diffie-Hellman value, and Group 5 specifies a 1536-bit Diffie-Hellman value, the strongest
of the three. A 768-bit group is no longer considered secure and a 1024-bit group is
marginal; use the largest group both peers support.

Encryption - Specifies the encryption algorithm used to protect the Phase 1 (IKE)
exchange.

Authentication - Specifies the hash algorithm used to authenticate the Phase 1 (IKE)
exchange.

Life Time (seconds) - Specifies how long the Phase 1 SA remains valid before being
renegotiated. We recommend a value of 28,800 seconds (8 hours).

5. Select the IKE Phase 2 Proposal options:

Protocol - Specifies the IPsec protocol used for VPN traffic (AH or ESP). AH provides
integrity and authentication only; ESP also encrypts the traffic.

Encryption - Specifies the encryption algorithm used to protect traffic on the Phase 2
(IPsec) SA.

Authentication - Specifies the integrity algorithm used to authenticate traffic on the
Phase 2 (IPsec) SA.

Enable Perfect Forward Secrecy - When selected, each Phase 2 rekey performs a fresh
Diffie-Hellman exchange, so a compromise of the Phase 1 key material does not expose
the keys of past or future Phase 2 SAs.

DH Group - Specifies the Diffie-Hellman group used for that Perfect Forward Secrecy
exchange.

Life Time (seconds) - Specifies how long the Phase 2 SA remains active before being
renegotiated. We recommend a value of 28,800 seconds (8 hours).

6. (Optional) Click the Advanced tab.

7. Configure the following Advanced settings:

Enable Keep Alive - Sends keepalive messages between the peers so that the tunnel is
kept up and renegotiated automatically if it drops, rather than waiting for traffic or
for the lifetime to expire.

Note: The Allow Advanced Routing, Enable Transport Mode, and Enable Multicast
options are available only for VPN policies that are configured as follows:
Policy Type: Tunnel Interface
IPSec Keying Mode: IKE using Preshared Secret or IKE using third party certs


Allow Advanced Routing - Adds this Tunnel Interface to the list of interfaces in the
Advanced Routing table on the Network > Routing page. Making this optional avoids adding
all Tunnel Interfaces to the Advanced Routing table, which helps streamline the routing
configuration. (Supported on SonicOS versions 5.6 and higher.)

Enable Transport Mode - Forces the IPsec negotiation to use Transport mode instead
of Tunnel Mode. This was introduced for compatibility with Nortel. When this option is
enabled on the local firewall, it MUST be enabled on the remote firewall as well for the
negotiation to succeed. (Supported on SonicOS versions 5.6 and higher.)

Enable Multicast - Allows multicast traffic through the VPN tunnel.

Enable Windows Networking Broadcast - Enables NetBIOS broadcasts across the SA.

Apply NAT Policies - Enables NAT for the selected networks.

Management via this SA - Specifies which protocols can be used to manage the
SonicWALL appliance through this SA. In addition to HTTP and HTTPS, you can enable
SSH management of the device through the IPsec tunnel. When the SSH check box
is selected in an IPsec Policy, an SSH session can be initiated to the device using the
IPsec tunnel for the policy. Enable only the protocols you actually use; each one is a
management path reachable from the remote network.

User login via this SA - Specifies the protocols that users can use to log in to the
SonicWALL appliance through this SA.

Default LAN Gateway - Specifies the default gateway used when routing all traffic through
this tunnel (required for Enhanced-to-Standard configurations, optional for
Enhanced-to-Enhanced).

VPN Policy bound to - Specifies the zone or interface on which the VPN tunnel
terminates.

Preempt Secondary Gateway - Enables preemption of a secondary gateway by the
primary gateway in the IPsec policy. If a secondary gateway is configured in the IPsec
Policy, an IPsec tunnel is established with the secondary gateway when the primary
gateway is unreachable. If this option is enabled in the policy, a periodic discovery is
attempted for the primary gateway and, if it is discovered successfully, tunnels are switched
back to the primary gateway from the secondary gateway.

Primary Gateway Detection Interval - Specifies the time interval in seconds for the
discovery of the primary IPsec gateway while it is unreachable. The minimum value is 120
and the maximum value is 28800.

8. When you are finished, click OK. SonicWALL GMS begins establishing VPN tunnels
between all specified networks.
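The Enable Perfect Forward Secrecy option on the Proposals tab (step 5 above; the same check
box appears in the SonicOS Standard procedures later in this chapter) is easiest to understand
from the key derivation itself. The code below is an added example, not SonicWALL code. It
follows the IKEv1 Quick Mode formulas of RFC 2409 section 5.5 with HMAC-SHA1 as the PRF:
SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) in Phase 1; then without PFS
KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), and with PFS
KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b). Everything in the no-PFS
formula except SKEYID_d travels in the clear, so an attacker who later obtains that Phase 1
secret recovers every Phase 2 key in a capture; with PFS each rekey needs a fresh DH secret the
capture does not contain. Assumptions: a single PRF output stands in for the full KEYMAT
expansion, the group prime is transcribed from RFC 2409 (and checked for primality at run
time), and the pre-shared secret, nonces and SPIs are constructed.

```python
"""PFS vs. no-PFS Quick Mode keys (added example, not SonicWALL code)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Oakley Group 2: the 1024-bit MODP prime of RFC 2409 section 6.2, i.e. "Group 2"
# in the DH Group list. Transcribed here; is_probable_prime() sanity-checks it.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin, used only to check the transcribed group prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()     # SHA1 as the IKE PRF


def dh_keypair() -> Tuple[int, int]:
    x = 2 + secrets.randbelow(P_GROUP2 - 3)               # private exponent, never sent
    return x, pow(G, x, P_GROUP2)


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                      g_qm_xy: Optional[int] = None, protocol: int = 3) -> bytes:
    """KEYMAT for one direction of an ESP SA (protocol 3); one PRF block only."""
    prefix = b"" if g_qm_xy is None else i2b(g_qm_xy)
    return prf(skeyid_d, prefix + bytes([protocol]) + spi + ni + nr)


def run(pfs: bool, rekeys: int = 2) -> dict:
    """One Phase 1, `rekeys` Quick Mode negotiations, then the attacker's attempt."""
    psk = b"example-shared-secret"                        # constructed
    xi, gxi = dh_keypair()                                # Phase 1 DH, initiator
    xr, gxr = dh_keypair()                                # Phase 1 DH, responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    gxy = pow(gxr, xi, P_GROUP2)
    assert gxy == pow(gxi, xr, P_GROUP2)                  # both peers agree
    skeyid = prf(psk, ni + nr)                            # pre-shared-secret authentication
    skeyid_d = prf(skeyid, i2b(gxy) + cky_i + cky_r + b"\x00")

    capture, real_keys = [], []                           # wire view vs. the peers' keys
    for _ in range(rekeys):                               # one per SA lifetime expiry
        spi = secrets.token_bytes(4)
        qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
        g_qm = None
        if pfs:                                           # fresh DH inside Quick Mode
            qxi, _qgxi = dh_keypair()
            _qxr, qgxr = dh_keypair()
            g_qm = pow(qgxr, qxi, P_GROUP2)               # needs an exponent; not on the wire
        capture.append((spi, qni, qnr))                   # SPIs and nonces are plaintext
        real_keys.append(quick_mode_keymat(skeyid_d, spi, qni, qnr, g_qm))

    # Attacker: later steals SKEYID_d and replays the derivation over the capture.
    guessed = [quick_mode_keymat(skeyid_d, spi, qni, qnr) for spi, qni, qnr in capture]
    compromised = sum(1 for k in guessed if k in real_keys)
    return {"pfs": pfs, "sessions": rekeys, "compromised": compromised}


if __name__ == "__main__":
    print(run(pfs=False))   # every Phase 2 key recovered
    print(run(pfs=True))    # none recovered
```

Without PFS both rekeyed sessions are recovered from the capture; with PFS none are, because
the public DH values the attacker did see are useless without one of the fresh exponents. The
Phase 2 DH Group selected next to the PFS check box sets the size of that fresh exchange.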


Configuring VPNs in SonicOS Standard


This section describes how to configure VPN version 1.0 for SonicOS Standard. To configure
VPN for SonicOS Enhanced, refer to the Configuring VPNs in SonicOS Enhanced section on
page 472.
SonicWALL GMS supports several methods for establishing and maintaining security
associations (SAs). These include:

IKE Using SonicWALL Certificates section on page 478

IKE Using Third-Party Certificates section on page 484

IKE Using Pre-Shared Secret section on page 490

Manual Keying section on page 495

IKE Using SonicWALL Certificates


The following sections describe how to configure SAs for Internet Key Exchange (IKE) using
SonicWALL certificates:

When All Appliances are Managed by SonicWALL GMS section on page 479

When One Appliance Is Not Managed by SonicWALL GMS section on page 481

Note: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the
implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known
as a Certificate Authority (CA). SonicWALL certificates are the easiest certificate solution for
establishing the identity of peer VPN devices and users.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital
signatures to authenticate peer devices before setting up security associations. Without digital
signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric
keys. Devices using digital signatures do not require configuration changes every time a new
device is added to the network.

Note: Although SAs can be established with most IPSec-compliant devices, SonicWALL
Certificates can only be used between SonicWALL appliances.
This section describes how to establish SAs between SonicWALL appliances that are managed
by SonicWALL GMS and SonicWALL appliances that are not managed by SonicWALL GMS.

Note

478

Before establishing SAs using SonicWALL certificates, you must obtain a Public Key
Infrastructure (PKI) administrator certificate and apply it to each SonicWALL appliance. For
more information, refer to the Registering and Upgrading SonicWALL Firewall Appliances
section on page 643.


When All Appliances are Managed by SonicWALL GMS


To enable VPN using certificates, perform the following steps:

1. Expand the VPN tree and click Configure. The VPN Configure page displays.

2. Select the Use Interconnected Mode check box.

3. For the IPSec Keying Mode, select IKE using SonicWALL Certificates.

4. Select from the following:

To add a new SA, select Add a new Security Association.
To delete an existing SA, select Delete an existing Security Association.
To edit an existing SA, select Modify an existing Security Association.

5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed
by this SonicWALL GMS displays.

6. Select the SonicWALL appliance or group to which you will establish SAs and click the
Select button. The name of the target displays in the Target SonicWALL Group/Node
field.

7. Aggressive mode improves the performance of IKE SA negotiation by requiring only three
packet exchanges. However, it provides no identity protection. To enable aggressive mode,
select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.

8. Select the Diffie-Hellman (DH) group that will be used when the VPN devices are
negotiating encryption and authentication keys from the Phase 1 DH Group list box.

Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a 1024-bit Diffie-Hellman
value, and Group 5 specifies a 1536-bit Diffie-Hellman value, the strongest of the three; a
768-bit group is no longer considered secure.


9. Select the Diffie-Hellman group that will be used when the VPN devices have established
an SA from the Phase 2 DH Group list box.

10. Select the encryption and authentication algorithms used while the VPN devices are
negotiating keys from the Phase 1 Encryption/Authentication list box.

11. Select the encryption and authentication algorithms used for the SAs from the Phase 2
Encryption/Authentication list box.

12. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.

A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all Internet traffic through this destination unit check box. The Default LAN
Gateway field allows the network administrator to specify the IP address of the default LAN
route for incoming Internet Protocol Security (IPSec) packets for this SA.
Incoming packets are decrypted by the SonicWALL and compared to the static routes configured
on the SonicWALL. Since packets can have any destination IP address, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is
routed through that gateway. Otherwise, the packet is dropped.

13. To specify how long the tunnel is active before being renegotiated, enter a value in the SA
Lifetime field. We recommend a value of 28,800 seconds (8 hours).

14. To prevent a compromise of the Phase 1 key material from exposing the keys of past or
future tunnels, select the Enable Perfect Forward Secrecy check box.

15. To keep the tunnel up with keepalive messages and renegotiate it automatically if it drops,
select the Enable Keep Alive check box.

16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate
any VPN traffic, select the Try to bring up all possible SAs check box.

17. To disable this SA, select Disable This SA.

18. Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode,
a feature that allows two or more physically separated networks to be joined using a secure
wireless connection.

19. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking
Broadcast check box.

20. To allow the remote VPN tunnel to be included in the routing table, select the Forward
Packets to Remote VPNs check box.

Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually
specified route (refer to the Configuring Routing in SonicOS Enhanced section on
page 240). This option enables you to create a hub-and-spoke network configuration
where all traffic is routed among branch offices via the corporate office.

Note: To create a hub-and-spoke network, make sure to select the Forward Packets to Remote
VPNs check box for each SA.

21. To force all network traffic to the WAN through a VPN to a central site, select the Route all
Internet traffic through destination unit check box.

When this option is selected, all traffic that is not destined for another SA is forwarded
through this VPN tunnel. If this option is not selected and the destination does not match
any SA, the packet is forwarded unencrypted to the WAN.


Note: Only one SA can have this option enabled.


22. Select one of the following VPN termination options:

To configure the VPN tunnel to terminate at the LAN or WorkPort, select LAN. Users
on the other side of the SA will be able to access the LAN, but not the OPT.

To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the
other side of the SA will be able to access the OPT, but not the LAN.

To allow users on the other side of the SA to access both the LAN and DMZ, select
LAN/OPT.

23. Select from the following NAT and Firewall Rules:

To disable NAT and not apply firewall rules to traffic coming through this SA, select
Disabled. The remote network then has unfiltered access to the selected termination zone.

To enable NAT and firewall rules for the selected SonicWALL appliance, select Source.
If NAT is enabled, all traffic originating from this appliance will appear to originate from
a single IP address, and network firewall rules will be applied to all traffic on this SA.

To enable NAT and firewall rules for the selected SonicWALL appliance and its peer,
select Source and Destination. If NAT is enabled, all traffic originating from this
appliance will appear to originate from a single IP address and all traffic originating from
its peer will appear to originate from a single IP address. Network firewall rules will be
applied to all traffic on this SA.

Note: Applying firewall rules can dramatically affect services that run between the networks.
For more information, refer to the Configuring Firewall Appliance Settings section on
page 273.

24. Select how local users are authenticated:

To disable authentication for local users, select Disabled.

To configure local users to be authenticated locally, either through the SonicWALL
device or the RADIUS server, select Source.

To configure local users to be authenticated on the destination network, either through
the SonicWALL device or the RADIUS server, select Destination.

To authenticate local users both locally and on the destination network, select Source
and Destination.

25. Similarly, select how remote users are authenticated.

26. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
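Steps 12, 20 and 21, together with the note that only one SA can be the Internet default route,
define a forwarding order that is easier to see executed than read. The code below is an added
example, not SonicWALL code. It implements that order for outbound (LAN-originated) and
inbound (just-decrypted) packets on constructed branch and hub appliances, and makes the
failure mode in step 21 explicit: with no default-route SA, non-matching traffic leaves the WAN
in cleartext. Assumptions: re-encryption into another SA requires Forward Packets to Remote
VPNs on both the arriving and the outgoing SA, and static routes are represented simply as
routed LAN-side prefixes. The same three options reappear in the procedure that follows.

```python
"""Forwarding order for the Standard VPN routing options (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class SA:
    name: str
    destination_networks: List[IPv4Network]
    route_all_internet: bool = False      # "Route all Internet traffic through destination unit"
    forward_to_remote_vpns: bool = False  # "Forward Packets to Remote VPNs"

    def covers(self, dst: IPv4Address) -> bool:
        return any(dst in net for net in self.destination_networks)


@dataclass
class Appliance:
    lan: IPv4Network
    sas: List[SA]
    static_routes: List[IPv4Network] = field(default_factory=list)  # simplified static routes
    default_lan_gateway: Optional[IPv4Address] = None               # "Default LAN Gateway"

    def validate(self) -> List[str]:
        """Return configuration problems; enforces 'Only one SA can have this option enabled'."""
        defaults = [sa.name for sa in self.sas if sa.route_all_internet]
        return ["more than one default-route SA: %s" % defaults] if len(defaults) > 1 else []

    def sa_for(self, dst: IPv4Address) -> Optional[SA]:
        return next((sa for sa in self.sas if sa.covers(dst)), None)

    def outbound(self, dst: str) -> str:
        """Where a packet originating on the local LAN goes."""
        d = ip_address(dst)
        if d in self.lan:
            return "deliver-lan"
        sa = self.sa_for(d)                                   # an SA lists the destination
        if sa is None:                                        # else the default-route SA, if any
            sa = next((s for s in self.sas if s.route_all_internet), None)
        if sa is not None:
            return "encrypt:" + sa.name
        return "cleartext-wan"      # no SA matched: leaves the WAN unencrypted (step 21)

    def inbound(self, via: str, dst: str) -> str:
        """Where a packet that was just decrypted from SA `via` goes."""
        d = ip_address(dst)
        arriving = next(sa for sa in self.sas if sa.name == via)
        if d in self.lan:
            return "deliver-lan"
        if any(d in net for net in self.static_routes):
            return "route-static"
        other = self.sa_for(d)                                # hub-and-spoke (step 20)
        if (other is not None and other is not arriving
                and arriving.forward_to_remote_vpns and other.forward_to_remote_vpns):
            return "re-encrypt:" + other.name
        if self.default_lan_gateway is not None:              # step 12
            return "forward:" + str(self.default_lan_gateway)
        return "drop"


def build_branch(route_all: bool) -> Appliance:
    """Constructed branch office with a single SA to headquarters."""
    return Appliance(lan=ip_network("10.1.0.0/24"),
                     sas=[SA("hq", [ip_network("10.0.0.0/24")], route_all_internet=route_all)])


def build_hub() -> Appliance:
    """Constructed headquarters hub: two spokes, a routed subnet and a LAN-side router."""
    return Appliance(lan=ip_network("10.0.0.0/24"),
                     sas=[SA("branch-a", [ip_network("10.1.0.0/24")], forward_to_remote_vpns=True),
                          SA("branch-b", [ip_network("10.2.0.0/24")], forward_to_remote_vpns=True)],
                     static_routes=[ip_network("10.0.5.0/24")],
                     default_lan_gateway=ip_address("10.0.0.1"))


def build_misconfigured() -> Appliance:
    """Two SAs both marked as the Internet default route, which the note forbids."""
    return Appliance(lan=ip_network("10.3.0.0/24"),
                     sas=[SA("hq", [ip_network("10.0.0.0/24")], route_all_internet=True),
                          SA("dr-site", [ip_network("10.9.0.0/24")], route_all_internet=True)])


if __name__ == "__main__":
    for flag in (True, False):
        print("route-all=%s, 93.184.216.34 ->" % flag, build_branch(flag).outbound("93.184.216.34"))
    hub = build_hub()
    for dst in ("10.0.0.9", "10.0.5.3", "10.2.0.7", "172.16.0.1"):
        print("hub, from branch-a to %s ->" % dst, hub.inbound("branch-a", dst))
    print(build_misconfigured().validate())
```

Running it shows the branch sending Internet traffic through the hq tunnel only while the
default-route option is set, and the hub delivering to its LAN, to a static route, re-encrypting
spoke-to-spoke traffic, and falling back to the Default LAN Gateway (or dropping) in that order.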

When One Appliance Is Not Managed by SonicWALL GMS


Although SAs can be established with most IPSec-compliant devices, Certificates can only be
used between SonicWALL appliances.
This section describes how to establish SonicWALL certificate-based SAs between SonicWALL
appliances that are managed by SonicWALL GMS and SonicWALL appliances that are not
managed by SonicWALL GMS.


To create SAs using certificates, perform the following steps:

1. Expand the VPN tree and click Configure. The VPN Configure page displays.

2. Deselect the Use Interconnected Mode check box.

3. Select IKE using SonicWALL Certificates.

4. Select the appropriate option to add, delete, or modify a Security Association.

5. Enter the name of the remote firewall/VPN gateway in the Security Association Name
field. This name must match exactly if the device has a dynamic IP address.

6. Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address
field. This address must be valid and will be the public IP address if the remote LAN has
NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left
blank if the name matches.

7. To specify how long the tunnel is active before being renegotiated, enter a value in the SA
Lifetime field. We recommend a value of 28,800 seconds (8 hours).

8. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.

A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all internet traffic through destination unit check box. The Default LAN Gateway
field allows the network administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decrypted by the SonicWALL and compared to the static routes configured
on the SonicWALL. Since packets can have any destination IP address, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is
routed through that gateway. Otherwise, the packet is dropped.

9. To disable this SA, select Disable This SA.

10. To prevent a compromise of the Phase 1 key material from exposing the keys of past or
future tunnels, select the Enable Perfect Forward Secrecy check box.


11. Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode,
a feature that allows two or more physically separated networks to be joined using a secure
wireless connection.

12. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking
Broadcast check box.

13. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT
and firewall rules check box.

This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear
to originate from a single IP address.

14. To allow the remote VPN tunnel to be included in the routing table, select the Forward
Packets to Remote VPNs check box.

This enables the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it
into another VPN tunnel. This feature can be used to create a hub-and-spoke network
configuration by routing traffic among SAs. To do this, make sure to enable this option for
all SAs.

15. To keep the tunnel up with keepalive messages and renegotiate it automatically if it drops,
select the Enable Keep Alive check box.

16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate
any VPN traffic, select the Try to bring up all possible SAs check box.

17. To require local users to authenticate locally before accessing the SA, select the Require
authentication of local users check box.

18. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS
server before accessing resources, select the Require authentication of remote users
check box.

19. Enter the serial number of the target SonicWALL appliance in the Peer SonicWALL Serial
# field.

20. Aggressive mode improves the performance of IKE SA negotiation by requiring only three
packet exchanges. However, it provides no identity protection. To enable aggressive mode,
select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.

21. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating
encryption and authentication keys from the Phase 1 DH Group list box.

Note: Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a 1024-bit
Diffie-Hellman value, and Group 5 specifies a 1536-bit Diffie-Hellman value, the strongest
of the three; a 768-bit group is no longer considered secure.

22. Select the Diffie-Hellman group that will be used when the VPN devices have established
an SA from the Phase 2 DH Group list box.

23. Select the encryption and authentication algorithms used while the VPN devices are
negotiating keys from the Phase 1 Encryption/Authentication list box.

24. Select the encryption and authentication algorithms used for the SAs from the Phase 2
Encryption/Authentication list box.

25. Specify the destination networks by selecting from the following:

To allow this SA to be used as the default route for all Internet traffic, select Use this
SA as default route for all Internet traffic.


If the destination network will receive its IP addresses from this network using DHCP,
select Destination network obtains IP addresses using DHCP.

To specify destination networks, select Specify destination networks below. Then
click Add Networks and enter the destination network IP addresses and subnet masks.

26. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
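The Exchange option in the procedures above (Aggressive Mode versus Main Mode) is
described as providing no identity protection. The code below is an added example, not
SonicWALL code, and it goes one step beyond that statement: in IKEv1 aggressive mode the
responder's identity and its authentication hash are sent unencrypted in message 2, and with
pre-shared-secret keying every input to that hash except the secret itself is on the wire
(RFC 2409 section 5.4): SKEYID = prf(pre-shared-key, Ni_b | Nr_b) and
HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b). A passive observer can
therefore test guesses for the secret offline. In main mode the same hash travels only inside
the encrypted messages 5 and 6. Assumptions: the Diffie-Hellman public values are stand-in
random bytes (the attack uses only their wire bytes, never a DH secret), the SA payload, the
identities and the word list are constructed, and the PRF is HMAC-SHA1.

```python
"""Aggressive mode with a pre-shared secret vs. main mode (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKE PRF, HMAC-SHA1 here (the SHA1 authentication option)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass
class Capture:
    """What a sniffer on the WAN can read from one Phase 1 exchange."""
    mode: str
    ni: bytes
    nr: bytes
    g_xi: bytes
    g_xr: bytes
    cky_i: bytes
    cky_r: bytes
    sa_i: bytes
    id_r: Optional[bytes]      # responder identity; None when it was sent encrypted
    hash_r: Optional[bytes]    # responder auth hash; None when it was sent encrypted


def responder_hash(psk: bytes, ni: bytes, nr: bytes, g_xr: bytes, g_xi: bytes,
                   cky_r: bytes, cky_i: bytes, sa_i: bytes, id_r: bytes) -> bytes:
    """HASH_R for pre-shared-key authentication, RFC 2409 section 5.4."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sa_i + id_r)


def phase1(mode: str, psk: bytes, id_r: bytes) -> Capture:
    """Simulate one Phase 1 negotiation and return the observer's view of it."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    g_xi, g_xr = secrets.token_bytes(128), secrets.token_bytes(128)   # stand-ins for DH publics
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sa_i = b"\x01\x00\x00\x00AES-256/SHA1/Group 2"   # constructed stand-in for SAi_b
    h = responder_hash(psk, ni, nr, g_xr, g_xi, cky_r, cky_i, sa_i, id_r)
    if mode == "aggressive":
        # Message 2 carries IDir and HASH_R in the clear: no identity protection.
        return Capture(mode, ni, nr, g_xi, g_xr, cky_i, cky_r, sa_i, id_r, h)
    if mode == "main":
        # IDir and HASH_R are in message 6, encrypted under the Phase 1 DH-derived key.
        return Capture(mode, ni, nr, g_xi, g_xr, cky_i, cky_r, sa_i, None, None)
    raise ValueError("unknown exchange mode: %r" % mode)


def offline_psk_attack(cap: Capture, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Return the pre-shared secret if a word-list entry reproduces HASH_R."""
    if cap.hash_r is None or cap.id_r is None:
        return None                     # main mode: nothing visible to test against
    for guess in wordlist:
        h = responder_hash(guess, cap.ni, cap.nr, cap.g_xr, cap.g_xi,
                           cap.cky_r, cap.cky_i, cap.sa_i, cap.id_r)
        if hmac.compare_digest(h, cap.hash_r):
            return guess
    return None


if __name__ == "__main__":
    words = [b"password", b"Summer2012!", b"sonicwall"]           # constructed word list
    for mode in ("aggressive", "main"):
        cap = phase1(mode, b"Summer2012!", b"vpn.example.net")
        print(mode, "-> identity visible:", cap.id_r is not None,
              "| secret recovered:", offline_psk_attack(cap, words))
```

The weak secret is recovered from the aggressive-mode capture and not from the main-mode one;
a long random secret survives even aggressive mode, which is why the Shared Secret field
should never hold a word or phrase when aggressive mode is in use.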

IKE Using Third-Party Certificates


Note: This section assumes that you are familiar with Public Key Infrastructure (PKI) and the
implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known
as a Certificate Authority (CA). SonicWALL now supports third party certificates in addition to
the existing Authentication Service. The difference between third party certificates and the
SonicWALL Authentication Service is the ability to select the source for your CA certificate.
Using Certificate Authority Certificates and Local Certificates is a more manual process than
using the SonicWALL Authentication Service; therefore, experience with implementing Public
Key Infrastructure (PKI) is necessary to understand the key components of digital certificates.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital
signatures to authenticate peer devices before setting up security associations. Without digital
signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric
keys. Devices using digital signatures do not require configuration changes every time a new
device is added to the network.
SonicWALL has implemented X.509v3 as its certificate form and CRLv2 for its certificate
revocation list. SonicWALL supports the following two vendors of Certificate Authority
Certificates:
VeriSign
Entrust

Obtaining a Certificate

To obtain a certificate, refer to the Generating a Certificate Signing Request section on page 205. After you have obtained certificates for both devices, continue to configure the VPN.

• When All Appliances are Managed by SonicWALL GMS section on page 484
• When One Appliance Is Not Managed by SonicWALL GMS section on page 488

When All Appliances are Managed by SonicWALL GMS

Setting up a VPN tunnel between appliances requires you to configure several parameters on both appliances. When setting up VPN tunnels between SonicWALL appliances managed by SonicWALL GMS, all selected appliances are automatically configured based on the settings that you entered.

To enable VPN using third-party certificates when both devices are managed by SonicWALL GMS, perform the following steps:

1. Expand the VPN tree and click Configure. The VPN Configure page displays.

2. Select the Use Interconnected Mode check box.

3. Select IKE using 3rd Party Certificates.

Note
SonicWALL GMS automatically creates a pre-shared key, SPI, encryption key, authentication key, or certificate information as applicable.

4. Select the appropriate option to add, delete, or modify a security association.

5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.

6. Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.

7. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.

8. Select the Diffie-Hellman (DH) group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.

Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.

9. Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.

10. Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.

11. Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.

12. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.

A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through this destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming Internet Protocol Security (IPSec) packets for this SA.

Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

13. To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).

14. To prevent repeated compromises of the same security key when reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.

15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.

16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.

17. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.

18. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.

19. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.

Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to the Configuring Routing in SonicOS Enhanced section on page 240). This option enables you to create a hub and spoke network configuration where all traffic is routed among branch offices via the corporate office.

Note
To create a hub and spoke network, make sure to select the Forward Packets to Remote VPNs check box for each SA.

20. To force all network traffic to the WAN through a VPN to a central site, select the Route all Internet traffic through destination unit check box.

When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.

Note
Only one SA can have this option enabled.

21. If the remote side of this VPN connection is to obtain its addressing from a DHCP server on this side of the tunnel, select Enable "Destination network obtains IP addresses using DHCP through this SA" on Target.

22. Select one of the following VPN termination options:

• To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of the SA will be able to access the LAN, but not the DMZ.

• To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.

• To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.

23. Select from the following NAT and Firewall Rules:

• To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.

• To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and network firewall rules will be applied to all traffic on this SA.

• To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.

Note
Applying firewall rules can dramatically affect services that run between the networks. For more information, refer to the Configuring Firewall Appliance Settings section on page 273.

24. Select how local users are authenticated:

• To disable authentication for local users, select Disabled.

• To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.

• To configure local users to be authenticated on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.

• To authenticate local users both locally and on the destination network, select Source and Destination.

25. Similarly, select how remote users are authenticated.

26. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

When One Appliance Is Not Managed by SonicWALL GMS

This section describes how to configure VPN when the target appliance is not managed by SonicWALL GMS. To create SAs using third-party certificates, perform the following steps:

1. Expand the VPN tree and click Configure. The VPN Configure page displays.

2. Deselect the Use Interconnected Mode check box.

3. Select IKE using 3rd Party Certificates.

4. Select the appropriate option to add, delete, or modify a security association.

5. Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.

6. Select the certificate to use from the Select Certificate list box.

7. Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches. Optionally, you can specify an IPSec Secondary Gateway Name or Address.

8. To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).

9. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.

A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.

Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

10. To prevent repeated compromises of the same security key when reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.

11. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.

12. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.

13. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box. This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.

14. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box. This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a hub and spoke network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.

15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.

16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.

17. To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.

18. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.

19. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.

20. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.

Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.

21. Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.

22. Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.

23. Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.

24. Select whether the peer device uses a distinguished name, email ID, or domain name as its certificate ID from the Peer Certificates ID list box.

25. Enter the peer device's certificate ID in the Peer Certificates ID field.

26. Select from the following:

• To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.

• If the destination network will receive its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.

• To specify destination networks, select Specify destination networks below. Then, click Add Networks and enter the destination network IP addresses and subnet masks.

27. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Note
To disable this SA without deleting it, select the Disable this SA check box and click Update.

IKE Using Pre-Shared Secret

When using IKE with a pre-shared secret, two VPN devices establish encryption and authentication keys using a shared secret. After the SA expires, the SonicWALL appliances will reestablish an SA using the same shared secret, but will not use the same security and authentication keys.

• When All Appliances are Managed by SonicWALL GMS section on page 490
• When One Appliance Is Not Managed by SonicWALL GMS section on page 493

When All Appliances are Managed by SonicWALL GMS

Setting up a VPN tunnel between appliances requires you to configure several parameters on both appliances. When setting up VPN tunnels between SonicWALL appliances managed by SonicWALL GMS, all selected appliances are automatically configured based on the settings that you entered.

To configure an SA using IKE with pre-shared secrets, perform the following steps:

1. Expand the VPN tree and click Configure. The VPN Configure page displays.

2. Select the Use Interconnected Mode check box.

3. Select IKE using Pre-shared Secret.

4. Select the appropriate option to add, delete, or modify a security association.

5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.

6. Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.

7. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.

8. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.

Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.

9. Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.

10. Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.

11. Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.

12. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.

A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.

Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

13. To specify how long the tunnel is active before being renegotiated, enter a value in the SA Lifetime field. We recommend a value of 28,800 seconds (8 hours).

14. To prevent repeated compromises of the same security key when reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.

15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.

16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.

17. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.

18. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking Broadcast check box.

19. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box.

Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually specified route (refer to the Configuring Routing in SonicOS Enhanced section on page 240). This option enables you to create a hub and spoke network configuration where all traffic is routed among branch offices via the corporate office.

Note
To create a hub and spoke network, make sure to select the Forward Packets to Remote VPNs check box for each SA.

20. To force all network traffic to the WAN through a VPN to a central site, select the Route all Internet traffic through destination unit check box.

When this option is selected, all traffic that is not destined for another SA is forwarded through this VPN tunnel. If this option is not specified and the destination does not match any SA, the packet is forwarded unencrypted to the WAN.

Note
Only one SA can have this option enabled.

21. If the remote side of this VPN connection is to obtain its addressing from a DHCP server on this side of the tunnel, select Enable "Destination network obtains IP addresses using DHCP through this SA" on Target.

22. Select one of the following VPN termination options:

• To configure the VPN tunnel to terminate at the LAN or WorkPort, select LAN. Users on the other side of the SA will be able to access the LAN, but not the OPT.

• To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other side of the SA will be able to access the OPT, but not the LAN.

• To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.

23. Select from the following NAT and Firewall Rules:

• To disable NAT and not apply firewall rules to traffic coming through this SA, select Disabled.

• To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and network firewall rules will be applied to all traffic on this SA.

• To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select Source and Destination. If NAT is enabled, all traffic originating from this appliance will appear to originate from a single IP address and all traffic originating from its peer will appear to originate from a single IP address. Network firewall rules will be applied to all traffic on this SA.

Note
Applying firewall rules can dramatically affect services that run between the networks. For more information, refer to the Configuring Firewall Appliance Settings section on page 273.

24. Select how local users are authenticated:

• To disable authentication for local users, select Disabled.

• To configure local users to be authenticated locally, either through the SonicWALL device or the RADIUS server, select Source.

• To configure local users to be authenticated on the destination network, either through the SonicWALL device or the RADIUS server, select Destination.

• To authenticate local users both locally and on the destination network, select Source and Destination.

25. Similarly, select how remote users are authenticated.

26. Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.

27. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Note
To disable this SA, select the Disable this SA check box and click Update.

When One Appliance Is Not Managed by SonicWALL GMS

This section describes how to configure VPN when the target appliance is not managed by SonicWALL GMS.

To enable VPN using IKE with a pre-shared secret, perform the following steps:

1. Expand the VPN tree and click Configure. The VPN Configure page displays.

2. Deselect the Use Interconnected Mode check box.

3. Select IKE using Pre-Shared Secret in the IPSec Keying mode section.

4. Select the appropriate option to add, delete, or modify a security association.

5. Enter the name of the remote firewall/VPN gateway in the Security Association Name field. This name must match exactly if the device has a dynamic IP address.

6. Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address field. This address must be valid and will be the public IP address if the remote LAN has NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left blank if the name matches.

7. Enter the amount of time before an IKE SA will automatically negotiate (120 to 2,499,999 seconds) in SA Lifetime.

8. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.

A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.

Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.

9. To prevent repeated compromises of the same security key when reestablishing a tunnel, select the Enable Perfect Forward Secrecy check box.

10. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.

11. To access remote resources within the Windows Network Neighborhood, select the Enable Windows Networking (NetBIOS) Broadcast check box.

12. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT and firewall rules check box. This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear to originate from a single IP address.

13. To allow the remote VPN tunnel to be included in the routing table, select the Forward Packets to Remote VPNs check box. This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to create a hub and spoke network configuration by routing traffic among SAs. To do this, make sure to enable this option for all SAs.

14. To configure the VPN tunnel to remain open as long as there is network traffic on the SA, select the Enable Keep Alive check box.

15. To configure the SonicWALL appliance to establish the VPN tunnel before users generate any VPN traffic, select the Try to bring up all possible SAs check box.

16. To require local users to authenticate locally before accessing the SA, select the Require authentication of local users check box.

17. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS server before accessing resources, select the Require authentication of remote users check box.

18. Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.

Note
Only SonicWALL VPN clients can authenticate to a RADIUS server. Users tunneling from another VPN gateway will not be able to complete the VPN tunnel if this check box is selected.

19. Enter the shared secret in the Shared Secret field.

20. Aggressive mode improves the performance of IKE SA negotiation by only requiring three packet exchanges. However, it provides no identity protection. To enable aggressive mode, select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.

21. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 DH Group list box.

Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit Diffie-Hellman value.

22. Select the Diffie-Hellman group that will be used when the VPN devices have established an SA from the Phase 2 DH Group list box.

23. Select the type of encryption and authentication keys used when the VPN devices are negotiating encryption and authentication keys from the Phase 1 Encryption/Authentication list box.

24. Select the type of encryption and authentication keys used for the SAs from the Phase 2 Encryption/Authentication list box.

25. Select from the following:

• To allow this SA to be used as the default route for all Internet traffic, select Use this SA as default route for all Internet traffic.

• If the destination network will receive its IP addresses on this network using DHCP, select Destination network obtains IP addresses using DHCP.

• To specify destination networks, select Specify destination networks below. Then, click Add Network and enter the destination network IP addresses and subnet masks.

26. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

27. Create an SA in the remote VPN device for each SonicWALL appliance that you have configured.

Note
To disable this SA without deleting it, select the Disable this SA check box and click Update.
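The forwarding decisions that the procedures above describe in prose (the default-route SA that takes all traffic not destined for another SA, the unencrypted WAN fallback when no such SA exists, the note that only one SA may hold that option, and the Default LAN Gateway lookup for packets arriving through an IPSec tunnel) are modelled below as an added Python example. It is not SonicWALL or GMS code: the SA field names, the sample networks, SA names and gateway addresses are all constructed for the illustration, and only the behaviour the guide states is encoded.

```python
"""Model of the per-SA forwarding decisions described in the guide (added example,
not SonicWALL/GMS code): outbound SA selection with a single default-route SA and
the Default LAN Gateway fallback for packets arriving through an IPSec tunnel.
All networks, SA names and gateway addresses are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurityAssociation:
    """Subset of the SA settings on the VPN Configure page (field names assumed)."""
    name: str
    destination_networks: List[IPv4Network] = field(default_factory=list)
    # "Use this SA as default route for all Internet traffic" /
    # "Route all Internet traffic through destination unit"
    default_route: bool = False
    enabled: bool = True  # cleared by the "Disable this SA" check box


def validate_default_route(sas: List[SecurityAssociation]) -> Optional[str]:
    """Enforce the note 'Only one SA can have this option enabled'.
    Returns None when the configuration is valid, otherwise an error message."""
    holders = [sa.name for sa in sas if sa.enabled and sa.default_route]
    if len(holders) > 1:
        return "only one SA may route all Internet traffic; found: " + ", ".join(holders)
    return None


def select_outbound_sa(dst: str, sas: List[SecurityAssociation]) -> Optional[str]:
    """Name of the SA an outbound packet is encrypted into.

    A configured destination network wins (longest prefix). If nothing matches,
    the default-route SA takes the packet. With no default-route SA the packet is
    forwarded unencrypted to the WAN, reported here as None."""
    addr = ip_address(dst)
    best_len, best_name = -1, None
    for sa in sas:
        if not sa.enabled:
            continue
        for net in sa.destination_networks:
            if addr in net and net.prefixlen > best_len:
                best_len, best_name = net.prefixlen, sa.name
    if best_name is not None:
        return best_name
    for sa in sas:
        if sa.enabled and sa.default_route:
            return sa.name
    return None


def route_inbound(dst: str,
                  lan_routes: List[Tuple[IPv4Network, IPv4Address]],
                  default_lan_gateway: Optional[IPv4Address]) -> Optional[IPv4Address]:
    """Next hop for a decrypted packet that arrived through an IPSec tunnel.

    A matching static LAN route wins (longest prefix); otherwise the Default LAN
    Gateway is used; with neither configured the packet is dropped (None)."""
    addr = ip_address(dst)
    matches = [(net.prefixlen, gw) for net, gw in lan_routes if addr in net]
    if matches:
        return max(matches)[1]
    return default_lan_gateway


# Constructed sample configuration for a branch appliance with three SAs.
SAMPLE_SAS = [
    SecurityAssociation("branch-b", [ip_network("10.20.0.0/16")]),
    SecurityAssociation("headquarters", [ip_network("10.0.0.0/8")], default_route=True),
    SecurityAssociation("old-site", [ip_network("10.30.0.0/16")], enabled=False),
]
SAMPLE_LAN_ROUTES = [(ip_network("192.168.10.0/24"), ip_address("192.168.1.254"))]
SAMPLE_DEFAULT_LAN_GATEWAY = ip_address("192.168.1.1")


def demo() -> Dict[str, Optional[str]]:
    """Decisions for a few constructed packets; values are SA names or next hops."""
    out: Dict[str, Optional[str]] = {
        "config_error": validate_default_route(SAMPLE_SAS),
        "to 10.20.4.4": select_outbound_sa("10.20.4.4", SAMPLE_SAS),      # branch-b (/16 beats /8)
        "to 10.7.0.1": select_outbound_sa("10.7.0.1", SAMPLE_SAS),        # headquarters (10/8)
        "to 10.30.1.1": select_outbound_sa("10.30.1.1", SAMPLE_SAS),      # disabled SA skipped -> headquarters
        "to 203.0.113.5": select_outbound_sa("203.0.113.5", SAMPLE_SAS),  # no match -> default-route SA
    }
    hop = route_inbound("192.168.10.7", SAMPLE_LAN_ROUTES, SAMPLE_DEFAULT_LAN_GATEWAY)
    out["in 192.168.10.7"] = str(hop)                      # static LAN route
    hop = route_inbound("172.16.0.9", SAMPLE_LAN_ROUTES, SAMPLE_DEFAULT_LAN_GATEWAY)
    out["in 172.16.0.9"] = str(hop)                        # Default LAN Gateway
    hop = route_inbound("172.16.0.9", SAMPLE_LAN_ROUTES, None)
    out["in 172.16.0.9 (no default gateway)"] = "drop" if hop is None else str(hop)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the guide's two warnings concrete: a destination that matches no SA and has no default-route SA leaves the WAN in the clear, so `select_outbound_sa` returning None is the condition to watch for when auditing an SA set, and `validate_default_route` is the check to run before pushing a configuration in which more than one SA claims the default route.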

Manual Keying

Manual keying involves exchanging encryption and authentication keys in advance. Although this is the simplest method of establishing an SA between two VPN devices, the SA will always use the same encryption and authentication keys. If the keys are compromised by an outside party, they will remain compromised until the keys are changed.

• When All Appliances are Managed by SonicWALL GMS section on page 496
• When One Appliance Is Not Managed by SonicWALL GMS section on page 498
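The Enable Perfect Forward Secrecy step in each procedure above, the DH Group notes, and the contrast with manual keying just stated can be seen in working code. The following added Python example (not SonicWALL or GMS code) models the IKEv1 Quick Mode key derivation of RFC 2409 section 5.5: Phase 2 key material is derived from the Phase 1 secret SKEYID_d plus values sent in the clear, and only with PFS does a fresh Diffie-Hellman secret enter the derivation. The example assumes HMAC-SHA256 as the negotiated prf, uses constructed SPI and nonce values, and uses the 1024-bit MODP prime of RFC 2409 Group 2 (the guide's DH Group 2); a Miller-Rabin check is included only to confirm that the prime was transcribed correctly.

```python
"""Added example (not SonicWALL/GMS code): why Enable Perfect Forward Secrecy matters.

Models the IKEv1 Quick Mode derivation of RFC 2409 section 5.5, where the Phase 2
key material KEYMAT is derived from the Phase 1 secret SKEYID_d plus values sent in
the clear (protocol, SPI, nonces) and, only with PFS, a fresh Diffie-Hellman secret
g(qm)^xy. HMAC-SHA256 stands in for the negotiated prf; SPI and nonces are
constructed; Group 2 is the 1024-bit MODP group of RFC 2409."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# RFC 2409 Group 2 prime (1024-bit MODP), generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used here only to sanity-check the transcribed group prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p: int = GROUP2_P, g: int = GROUP2_G) -> Tuple[int, int]:
    """Ephemeral private exponent and public value (256-bit exponent is ample here)."""
    x = secrets.randbits(256) | 1
    return x, pow(g, x, p)


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                      pfs_secret: Optional[int]) -> bytes:
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    protocol = b"\x03"  # PROTO_IPSEC_ESP
    prefix = to_bytes(pfs_secret) if pfs_secret is not None else b""
    return prf(skeyid_d, prefix + protocol + spi + ni + nr)


def rekey_recoverable_from_phase1_secret(pfs: bool) -> bool:
    """Can someone who later obtains SKEYID_d and recorded the rekey exchange
    reproduce the new Phase 2 keys? True means the rekeyed traffic is exposed."""
    # Phase 1: the peers derive SKEYID_d from their Phase 1 DH exchange.
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    skeyid_d = prf(b"constructed-phase1-binding", to_bytes(pow(yb, xa, GROUP2_P)))

    # Phase 2 rekey: SPI and nonces travel in the clear (constructed values).
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        # Fresh Quick Mode exchange: only the public values g^x and g^y are on the wire.
        qx, qgx = dh_keypair()
        qy, qgy = dh_keypair()
        shared = pow(qgy, qx, GROUP2_P)
        assert shared == pow(qgx, qy, GROUP2_P)
    else:
        shared = None
    real_keymat = quick_mode_keymat(skeyid_d, spi, ni, nr, shared)

    # The observer holds SKEYID_d plus everything that crossed the wire but no
    # private exponent, so the best it can compute is the PFS-less derivation.
    reconstructed = quick_mode_keymat(skeyid_d, spi, ni, nr, None)
    return hmac.compare_digest(reconstructed, real_keymat)


if __name__ == "__main__":
    print("Group 2 prime passes Miller-Rabin:", is_probable_prime(GROUP2_P))
    print("Phase 2 keys exposed without PFS:", rekey_recoverable_from_phase1_secret(False))
    print("Phase 2 keys exposed with PFS:   ", rekey_recoverable_from_phase1_secret(True))
```

Without PFS every rekey is a deterministic function of SKEYID_d and public values, so one Phase 1 compromise covers every Phase 2 SA derived from it; with PFS each rekey needs a private exponent that never leaves the peer. Manual keying sits at the far end of the same scale: there is no rekey at all, which is why the paragraph above says compromised keys stay compromised until they are replaced. Group size is a separate question from PFS: the "currently" in the DH Group note dates from this 2012 guide, and 1024-bit MODP groups are no longer considered adequate, but the mechanism shown is the same for any group.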


When All Appliances are Managed by SonicWALL GMS

Setting up a VPN tunnel between appliances requires you to configure several parameters on both appliances. When setting up VPN tunnels between SonicWALL appliances managed by SonicWALL GMS, all selected appliances are automatically configured based on the settings that you entered.

To enable VPN using manual keying, perform the following steps:

1. Expand the VPN tree and click Configure. The VPN Configure page displays.

2. Select the Use Interconnected Mode check box.

3. Select Manual Key.

4. Select the appropriate option to add, delete, or modify a security association.

5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed by this SonicWALL GMS displays.

6. Select the SonicWALL appliance or group to which you will establish SAs and click the Select button. The name of the target displays in the Target SonicWALL Group/Node field.

7. Select one of the encryption methods from the Encryption Method list box.

8. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN Gateway field.

A Default LAN Gateway is used at a central site in conjunction with a remote site using the Route all Internet traffic through destination unit check box. The Default LAN Gateway field allows the network administrator to specify the IP address of the default LAN route for incoming IPSec packets for this SA.

Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
9. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
10. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking (NetBIOS)
    Broadcast check box.
11. To allow the remote VPN tunnel to be included in the routing table, select the Forward
    Packets to Remote VPNs check box.
    Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually
    specified route (refer to the Configuring Routing in SonicOS Enhanced section on page 240).
    This option enables you to create a hub and spoke network configuration where all traffic is
    routed among branch offices via the corporate office.

    Note
    To create a hub and spoke network, make sure to select the Forward Packets to Remote VPNs
    check box for each SA.

12. To force all network traffic to the WAN through a VPN to a central site, select the Route all
    Internet traffic through destination unit check box.
    When this option is selected, all traffic that is not destined for another SA is forwarded
    through this VPN tunnel. If this option is not selected and the destination does not match
    any SA, the packet is forwarded unencrypted to the WAN.
13. Select one of the following VPN termination options:
    - To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other side of
      the SA will be able to access the LAN, but not the DMZ.
    - To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the other
      side of the SA will be able to access the OPT, but not the LAN.
    - To allow users on the other side of the SA to access both the LAN and OPT, select LAN/OPT.
14. Select from the following NAT and Firewall Rules:
    - To disable NAT and not apply firewall rules to traffic coming through this SA, select
      Disabled.
    - To enable NAT and firewall rules for the selected SonicWALL appliance, select Source. If
      NAT is enabled, all traffic originating from this appliance will appear to originate from a
      single IP address, and network firewall rules will be applied to all traffic on this SA.
    - To enable NAT and firewall rules for the selected SonicWALL appliance and its peer, select
      Source and Destination. If NAT is enabled, all traffic originating from this appliance will
      appear to originate from a single IP address, and all traffic originating from its peer
      will appear to originate from a single IP address. Network firewall rules will be applied
      to all traffic on this SA.

    Note
    Applying firewall rules can dramatically affect services that run between the networks. For
    more information, refer to the Configuring Firewall Appliance Settings section on page 273.

15. Select how local users are authenticated:
    - To disable authentication for local users, select Disabled.
    - To configure local users to be authenticated locally, either through the SonicWALL device
      or the RADIUS server, select Source.
    - To configure local users to be authenticated on the destination network, either through
      the SonicWALL device or the RADIUS server, select Destination.
    - To authenticate local users both locally and on the destination network, select Source and
      Destination.
16. Similarly, select how remote users are authenticated.
17. When you are finished, click Update. The settings are changed for each selected SonicWALL
    appliance. To clear all screen settings and start over, click Reset.
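The forwarding options in steps 8, 11 and 12 above (Default LAN Gateway, Forward Packets to
Remote VPNs, Route all Internet traffic through destination unit) interact, and the same options
reappear in the procedure for an unmanaged peer that follows. The Python below is an added
illustration of that interaction, not SonicWALL code or a description of SonicOS internals: the
topology, SA names and addresses are constructed, and two details are this example's own
assumptions drawn from the Note above, namely that the hub-and-spoke check runs before the
Default LAN Gateway check and that both the arriving and the outgoing SA must carry the Forward
Packets to Remote VPNs flag.

```python
"""Decision model for the SonicOS Standard manual-key SA forwarding options (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class SA:
    name: str
    destination_networks: List[IPv4Network]   # networks reached through this tunnel
    route_all_internet: bool = False          # "Route all Internet traffic through destination unit"
    forward_to_remote_vpns: bool = False      # "Forward Packets to Remote VPNs"


@dataclass
class Appliance:
    lan: IPv4Network
    static_routes: List[IPv4Network] = field(default_factory=list)  # LAN-side static routes
    default_lan_gateway: Optional[str] = None                        # "Default LAN Gateway" field
    sas: List[SA] = field(default_factory=list)


def _reaches(sa: SA, dst: IPv4Address) -> bool:
    return any(dst in net for net in sa.destination_networks)


def outbound_decision(appliance: Appliance, dst: str) -> str:
    """Where a LAN host's packet goes: local delivery, a matching SA, the route-all SA, or
    (the failure mode the guide warns about) unencrypted to the WAN."""
    d = ip_address(dst)
    if d in appliance.lan:
        return "local LAN"
    for sa in appliance.sas:
        if _reaches(sa, d):
            return f"encrypted via SA {sa.name}"
    for sa in appliance.sas:
        if sa.route_all_internet:
            return f"encrypted via SA {sa.name} (route-all)"
    return "cleartext to WAN"


def inbound_decision(appliance: Appliance, arriving_sa: SA, dst: str) -> str:
    """Fate of a packet just decrypted from arriving_sa: a LAN route wins; with Forward Packets
    to Remote VPNs on both SAs it may be re-encrypted toward another spoke (assumed ordering);
    otherwise the Default LAN Gateway is used if configured, else the packet is dropped."""
    d = ip_address(dst)
    if d in appliance.lan or any(d in r for r in appliance.static_routes):
        return "deliver to LAN"
    if arriving_sa.forward_to_remote_vpns:
        for sa in appliance.sas:
            if sa is not arriving_sa and sa.forward_to_remote_vpns and _reaches(sa, d):
                return f"re-encrypted via SA {sa.name} (hub and spoke)"
    if appliance.default_lan_gateway:
        return f"routed to Default LAN Gateway {appliance.default_lan_gateway}"
    return "dropped"


# Constructed topology: a hub with two spokes; spoke A sends all Internet traffic via the hub.
BRANCH_A = SA("branch_a", [ip_network("10.1.0.0/16")], forward_to_remote_vpns=True)
BRANCH_B = SA("branch_b", [ip_network("10.2.0.0/16")], forward_to_remote_vpns=True)
HUB = Appliance(ip_network("192.168.1.0/24"), [ip_network("192.168.2.0/24")],
                default_lan_gateway="192.168.1.254", sas=[BRANCH_A, BRANCH_B])
HUB_NO_GATEWAY = Appliance(ip_network("192.168.1.0/24"), sas=[BRANCH_A, BRANCH_B])
TO_HUB = SA("hq", [ip_network("192.168.1.0/24")], route_all_internet=True,
            forward_to_remote_vpns=True)
SPOKE_A = Appliance(ip_network("10.1.0.0/16"), sas=[TO_HUB])
SPOKE_A_NO_ROUTE_ALL = Appliance(ip_network("10.1.0.0/16"),
                                 sas=[SA("hq", [ip_network("192.168.1.0/24")])])

if __name__ == "__main__":
    print(outbound_decision(SPOKE_A, "203.0.113.9"))                  # encrypted via SA hq (route-all)
    print(outbound_decision(SPOKE_A_NO_ROUTE_ALL, "203.0.113.9"))     # cleartext to WAN
    print(inbound_decision(HUB, BRANCH_A, "10.2.3.4"))                # re-encrypted via SA branch_b (hub and spoke)
    print(inbound_decision(HUB, BRANCH_A, "203.0.113.9"))             # routed to Default LAN Gateway 192.168.1.254
    print(inbound_decision(HUB_NO_GATEWAY, BRANCH_A, "203.0.113.9"))  # dropped
```

The two cases worth checking in a real deployment are the spoke without the route-all option,
whose Internet-bound traffic leaves in cleartext, and the hub without a Default LAN Gateway,
which silently drops the spokes' Internet-bound traffic after decrypting it.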

When One Appliance Is Not Managed by SonicWALL GMS


This section describes how to configure VPN when the target appliance is not managed by
SonicWALL GMS.
To enable VPN using manual keying, perform the following steps:

1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2. Deselect the Use Interconnected Mode check box.
3. Select Manual Key in the IPSec Keying mode section.
4. Select the appropriate option to add, delete, or modify a security association.
5. Enter a descriptive name for the SA in the Security Association Name field.
6. Enter the IP address of the remote firewall in the IPSec Gateway Address field. This address
   must be valid, and it will be the public IP address if the remote LAN has NAT enabled.
7. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
   Gateway field.
   A Default LAN Gateway is used at a central site in conjunction with a remote site using the
   Route all Internet traffic through destination unit check box. The Default LAN Gateway field
   allows the network administrator to specify the IP address of the default LAN route for
   incoming IPSec packets for this SA.
   Incoming packets are decrypted by the SonicWALL and compared to the static routes configured
   on the SonicWALL. Because packets can carry any destination IP address, it is impossible to
   configure enough static routes to handle the traffic. For packets received through an IPSec
   tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
   checks for a Default LAN Gateway. If a Default LAN Gateway is configured, the packet is routed
   through that gateway. Otherwise, the packet is dropped.
8. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
9. To access remote resources within the Windows Network Neighborhood, select the Enable
   Windows Networking (NetBIOS) Broadcast check box.
10. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT
    and firewall rules check box.
    This feature is useful for hiding the LAN subnet from the corporate site. All traffic will
    appear to originate from a single IP address.
11. To allow the remote VPN tunnel to be included in the routing table, select the Forward
    Packets to Remote VPNs check box.
    This enables the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it to
    another VPN tunnel. This feature can be used to create a hub and spoke network configuration
    by routing traffic among SAs. To do this, make sure to enable this option for all SAs.
12. To require local users to authenticate locally before accessing the SA, select the Require
    authentication of local users check box.
13. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS
    server before accessing resources, select the Require authentication of remote users check
    box.
14. Select one of the encryption methods from the Encryption Method list box.
15. Enter the key used for encryption in the Encryption Key field. The DES and ARCFour keys must
    be exactly 16 characters long and be composed of hexadecimal characters. Encryption keys
    shorter than 16 characters will not be accepted; keys longer than 16 characters will be
    truncated rather than rejected, so check the length of any pasted key.

    Note
    Valid hexadecimal characters are 0 to 9 and a to f (that is, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
    a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.

    This key must match the encryption key of the remote VPN gateway or client. If encryption is
    not used, this field is ignored.
16. Enter the key used for authentication in the Authentication Key field. The authentication
    key must be exactly 32 characters long and be composed of hexadecimal characters.
    Authentication keys shorter than 32 characters will not be accepted; keys longer than 32
    characters will be truncated.

    Note
    Valid hexadecimal characters are 0 to 9 and a to f (that is, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
    a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef1234567890abcdef.

    This key must match the authentication key of the remote VPN gateway or client. If
    authentication is not used, this field is ignored.
17. Enter the Security Parameter Index (SPI) that the remote location will send to identify the
    Security Association used for the VPN tunnel in the Incoming SPI field.

    Note
    The SPI may be up to eight characters long and must be composed of hexadecimal characters.
    Valid hexadecimal characters are 0 to 9 and a to f (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c,
    d, e, f). The hexadecimal values 0 to ff inclusive are reserved by the Internet Engineering
    Task Force (IETF) and are not allowed for use as an SPI. For example, a valid SPI would be
    1234abcd.

    Note
    The SPI for an SA must be unique when compared to the SPIs of other SAs. However, the
    Incoming SPI can be the same as the Outgoing SPI on the same SA.

18. Enter the Security Parameter Index (SPI) that the local SonicWALL VPN will transmit to
    identify the Security Association used for the VPN tunnel in the Outgoing SPI field.
19. Select from the following:
    - To allow this SA to be used as the default route for all Internet traffic, select Use this
      SA as default route for all Internet traffic.
    - To specify destination networks, select Specify destination networks below. Then, click
      Modify and enter the destination network IP addresses and subnet masks.
20. When you are finished, click Update. The settings are changed for each selected SonicWALL
    appliance. To clear all screen settings and start over, click Reset.
21. Create a matching SA on the remote VPN device for each SonicWALL appliance that you have
    configured.
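Because manual keying gives no negotiation feedback, a tunnel with a truncated key or a reused
SPI simply fails to pass traffic. The following Python pre-flight check is an added example, not
SonicWALL code: it applies the field rules stated in steps 15 to 18 (16 and 32 hexadecimal
characters, an SPI of one to eight hexadecimal characters above ff, SPI uniqueness across SAs
with the incoming/outgoing exception) and the mirror relationship step 21 requires of the peer.
The SA names, gateway addresses and the assumption that the peer's Incoming SPI must equal the
local Outgoing SPI (and vice versa) are this example's own; the key values are the guide's
placeholders, not real keys.

```python
"""Pre-flight validation of SonicOS Standard manual-key SA fields (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
ENC_KEY_HEX_LEN = 16      # Encryption Key: exactly 16 hexadecimal characters (64 bits)
AUTH_KEY_HEX_LEN = 32     # Authentication Key: exactly 32 hexadecimal characters (128 bits)
SPI_MAX_HEX_LEN = 8
SPI_RESERVED_MAX = 0xFF   # 0x00-0xff are reserved by the IETF and rejected


@dataclass
class ManualKeySA:
    name: str
    gateway: str              # IPSec Gateway Address of the peer
    encryption_key: str
    authentication_key: str
    incoming_spi: str
    outgoing_spi: str


def check_hex_key(value: str, expected_len: int, label: str) -> List[str]:
    """Exactly expected_len hex characters. Over-length keys are reported, not truncated:
    silent truncation is how a mis-pasted key 'works' on one side and fails on the other."""
    if not HEX_RE.match(value):
        return [f"{label}: only hexadecimal characters 0-9 and a-f are valid"]
    if len(value) < expected_len:
        return [f"{label}: {len(value)} characters, appliance requires exactly {expected_len}"]
    if len(value) > expected_len:
        return [f"{label}: {len(value)} characters, appliance would truncate to {expected_len}"]
    return []


def check_spi(value: str, label: str) -> List[str]:
    if not HEX_RE.match(value):
        return [f"{label}: only hexadecimal characters 0-9 and a-f are valid"]
    if len(value) > SPI_MAX_HEX_LEN:
        return [f"{label}: longer than {SPI_MAX_HEX_LEN} characters"]
    if int(value, 16) <= SPI_RESERVED_MAX:
        return [f"{label}: values 0 to ff are reserved by the IETF"]
    return []


def validate_sa(sa: ManualKeySA) -> List[str]:
    return (check_hex_key(sa.encryption_key, ENC_KEY_HEX_LEN, "Encryption Key")
            + check_hex_key(sa.authentication_key, AUTH_KEY_HEX_LEN, "Authentication Key")
            + check_spi(sa.incoming_spi, "Incoming SPI")
            + check_spi(sa.outgoing_spi, "Outgoing SPI"))


def validate_sa_set(sas: List[ManualKeySA]) -> Dict[str, List[str]]:
    """Per-SA checks plus the cross-SA rule: an SPI value belongs to one SA only (its own
    Incoming and Outgoing SPI may match each other, but not another SA's)."""
    report = {sa.name: validate_sa(sa) for sa in sas}
    owners: Dict[int, str] = {}
    for sa in sas:
        valid = {s for s in (sa.incoming_spi, sa.outgoing_spi) if HEX_RE.match(s)}
        for spi in {int(s, 16) for s in valid}:
            if spi in owners and owners[spi] != sa.name:
                report[sa.name].append(f"SPI {spi:x} already used by SA {owners[spi]}")
            owners.setdefault(spi, sa.name)
    return report


def peer_mismatches(local: ManualKeySA, remote: ManualKeySA) -> List[str]:
    """What the remote device's SA must mirror (step 21): identical keys, SPIs crossed."""
    problems = []
    if local.encryption_key.lower() != remote.encryption_key.lower():
        problems.append("encryption keys differ")
    if local.authentication_key.lower() != remote.authentication_key.lower():
        problems.append("authentication keys differ")
    if local.outgoing_spi.lower() != remote.incoming_spi.lower():
        problems.append("local Outgoing SPI is not the peer's Incoming SPI")
    if local.incoming_spi.lower() != remote.outgoing_spi.lower():
        problems.append("local Incoming SPI is not the peer's Outgoing SPI")
    return problems


# Constructed sample SAs; the keys are the guide's placeholder values, not real keys.
GOOD = ManualKeySA("branch1", "198.51.100.10", "1234567890abcdef",
                   "1234567890abcdef1234567890abcdef", "1234abcd", "1234abcd")
BAD_KEYS = ManualKeySA("branch2", "198.51.100.11", "1234567890abcdef0",   # 17 chars: truncated
                       "1234567890abcdef1234567890abcdef", "ff", "abcd0001")  # ff: reserved
DUPLICATE_SPI = ManualKeySA("branch3", "198.51.100.12", "fedcba0987654321",
                            "fedcba0987654321fedcba0987654321", "1234abcd", "2222beef")
PEER_WRONG_SPI = ManualKeySA("hq_side", "203.0.113.5", "1234567890abcdef",
                             "1234567890abcdef1234567890abcdef", "1234abcd", "deadbeef")
```

Run `validate_sa_set([...])` over the whole SA list before pushing the configuration, and
`peer_mismatches` against the SA you intend to create on the remote device in step 21.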

Setting up the L2TP Server

To support secure L2TP connections from remote clients, perform the following steps:

1. Expand the VPN tree and click L2TP. The L2TP page displays.
2. Select the Enable L2TP Server check box.
3. Specify how often the SonicWALL appliance issues a keepalive in the Keep alive time field.
4. Enter the IP addresses of the DNS servers in the DNS Server fields.
5. Enter the IP addresses of the WINS servers in the WINS Server fields.
6. Select from the following:
   - To assign L2TP clients IP addresses that are provided by the RADIUS server, select IP
     address provided by RADIUS Server.
   - To use IP addresses from a local L2TP IP address pool, select Use the Local L2TP IP pool
     and enter the starting and ending IP addresses in the Start IP and End IP fields.
7. When you are finished, click Update. To clear all screen settings and start over, click Reset.

Monitoring VPN Connections

To monitor VPN connections, perform the following steps:

1. Expand the VPN tree and click Monitor. The Monitor page displays.
2. In the Display Options section, select the category of tunnels to display and click Refresh.
   You can select Show Up Tunnels, Show Down Tunnels, or Show All Tunnels.
3. To synchronize the tunnel status information, click Synchronize Tunnel Status Information.
4. To refresh the statistics, click Refresh Selected Tunnel Statistics.
5. To view the tunnel statistics, select one or more tunnels and click View Selected Tunnel
   Statistics.
6. To renegotiate selected tunnels, select one or more tunnels and click Renegotiate Selected
   Tunnels.

Management of VPN Client Users

To configure VPN Clients on SonicWALL appliances, perform the following procedures:
- Registering and Upgrading SonicWALL Firewall Appliances section on page 643
- Enabling the VPN Client section on page 502

Enabling the VPN Client

After applying a VPN Client license to one or more SonicWALL appliances, perform the following
steps:

1. Navigate to Policies > VPN > Summary.
2. Click the Export button next to the SA.
3. To email the SPD file to the SonicWALL GMS administrator or the VPN Client user, click Email
   SPD file. The file is attached to the email. A task is scheduled for each email.

   Note
   A copy of the SPD file is also stored in the SonicWALL Agent's <gms_directory>\etc directory.

4. Once the SPD file is received, it can be loaded by the VPN Client software on the VPN Client
   user's computer.
5. If the user does not have the VPN Client software, you can email both the SPD file and the
   client software by clicking Email SPD File and VPN Client.
6. In SonicOS Standard only, VPN clients use RCF files to import the data used to communicate
   with SonicWALL appliances. To send an RCF file to an email address, enter the following
   information:
   - Enter the email address in the Email Address field.
   - Enter and re-enter the RCF file password in the RCF File Export Password and Confirm
     Password fields.
   - Select whether the file will be used for WAN or wireless connections.
   - Select from the following:
     - To email the file, click Email RCF File.
     - To email the file with the Global VPN Client software, click Email RCF File and Global
       VPN Client.

   Note
   Before the VPN client can be emailed to users, it must be downloaded to the
   <gms_directory>\etc directory from mysonicwall.com.

Downloading VPN Client Software

To download the VPN Client software from mysonicwall.com, perform the following steps:

1. Click the Console Panel tab at the top of the SonicWALL GMS UI.
2. Expand the Licenses tree and click GMS License.
3. Click Login in a new window. This opens a new browser window into the GMS account on
   mysonicwall.com.
4. Download the VPN Client software from mysonicwall.com to a local directory.
5. Copy the VPN Client software to the SonicWALL Agent's <gms_directory>\etc directory.
6. Rename the file to SWVpnClient.zip.

VPN Terms and Concepts

Before installing a SonicWALL VPN, it is important to understand the following basic terms and
concepts.

Asymmetric vs. Symmetric Cryptography: Asymmetric and symmetric cryptography refer to the keys
used to authenticate, or to encrypt and decrypt, the data.
Asymmetric cryptography, or public key cryptography, uses a pair of keys (a public key and a
private key) for verification. Organizations such as RSA Data Security and VeriSign support
asymmetric cryptography.
With symmetric cryptography, the same key is used to authenticate on both ends of the VPN.
Symmetric cryptography, or secret key cryptography, is usually faster than asymmetric
cryptography. Therefore symmetric algorithms are often used when large quantities of data need
to be exchanged.
SonicWALL VPN uses symmetric cryptography. As a result, the key on both ends of the VPN tunnel
must match exactly.

ARCFour: ARCFour is used for communications with secure Web sites using the SSL protocol. Many
banks use 40-bit key ARCFour for online banking, while others use a 128-bit key. SonicWALL VPN
uses a 56-bit key for ARCFour.
The ARCFour key must be exactly 16 characters long and is composed of hexadecimal characters.
Valid hexadecimal characters are 0 to 9 and a to f (that is, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b,
c, d, e, f). For example, a valid key would be 1234567890abcdef.

Authentication Header (AH): The authentication header is a mechanism for providing strong
integrity and authentication for IP packets. The Authentication Header does not offer
confidentiality or protection from traffic analysis.
The IP authentication header provides security by adding authentication information to an IP
packet. This authentication information is calculated over the header and payload data in the
IP packet (excluding the header fields that legitimately change in transit). This provides
significantly more security than is otherwise present in IP.
Use of an AH will increase the processing requirements of SonicWALL VPN and will also increase
the communications latency. The increased latency is primarily due to the calculation of the
authentication data by the sender and the calculation and comparison of the authentication data
by the receiver for each IP packet.

Data Encryption Standard (DES): When DES is used for data communications, both sender and
receiver must know the same secret key, which can be used to encrypt and decrypt the message,
or to generate and verify a message authentication code. The SonicWALL DES encryption algorithm
uses a 56-bit key.
The DES key must be exactly 16 characters long and is composed of hexadecimal characters (64
bits, of which 56 are key bits and 8 are parity bits). Valid hexadecimal characters are 0 to 9
and a to f inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key
would be 1234567890abcdef.

Encapsulating Security Payload (ESP): ESP provides confidentiality and integrity of data by
encrypting the data and encapsulating it into IP packets. Encryption may be in the form of
ARCFour (similar to the popular RC4 encryption method), DES, etc.
The use of ESP typically increases the processing requirements and communications latency. The
increased latency is primarily due to the encryption and decryption required for each IP packet
containing an ESP.
ESP typically involves encryption of the packet payload using standard encryption mechanisms,
such as RC4, ARCFour, DES, or 3DES.
Encryption on its own does not authenticate the data: ESP's integrity and data-origin
authentication come from the separate authentication key configured for the SA (or from AH),
not from the encryption itself.

Encryption: Encryption is a mathematical operation that transforms data from clear text
(something that a human or a program can interpret) to cipher text (something that cannot be
interpreted). Usually the mathematical operation requires that an alphanumeric key be supplied
along with the clear text. The key and clear text are processed by the encryption operation,
which leads to the data scrambling that makes encryption secure. Decryption is the opposite of
encryption: it is a mathematical operation that transforms cipher text to clear text. Decryption
also requires a key.

Shared Secret: A shared secret is a predefined field that the two endpoints of a VPN tunnel use
to set up an IKE SA. This field can be any combination of alphanumeric characters with a minimum
length of 4 characters and a maximum of 128 characters. Precautions should be taken when
delivering or exchanging this shared secret to ensure that a third party cannot compromise the
security of the VPN tunnel.

Internet Key Exchange (IKE): IKE is a negotiation and key exchange protocol specified by the
Internet Engineering Task Force (IETF). An IKE SA automatically negotiates encryption and
authentication keys. With IKE, an initial exchange authenticates the VPN session and
automatically negotiates the keys that will be used to pass IP traffic.

Key: A key is an alphanumeric string that is used by the encryption operation to transform clear
text into cipher text. A key is composed of hexadecimal characters (0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
a, b, c, d, e, f). A valid key would be 1234567890abcdef. Keys used in VPN communications can
vary in length, but are typically 16 or 32 characters. The longer the key, the more difficult it
is to break the encryption. The reason for this is that most methods used to break encryption
involve trying every possible combination of characters, similar to trying to find someone's
telephone number by dialing every possible combination of phone numbers.

Manual Key: Manual keying allows the SonicWALL administrator to specify the encryption and
authentication keys. SonicWALL VPN supports the ability to manually set up a security
association as well as the ability to automatically negotiate an SA using IKE.

Security Association (SA): An SA is the group of security settings needed to create a VPN
tunnel. All SAs require an encryption method, an IPSec gateway address, and a destination
network address. An IKE SA includes a shared secret; a manually keyed SA includes two SPIs, an
encryption key, and an authentication key.
SonicWALL PRO appliances support up to 100 SAs. SonicWALL SOHO2 and SonicWALL XPRS2 appliances
support 10 and 25 SAs, respectively. Different SAs may be created to connect branch offices,
allow secure remote management, and pass unsupported traffic.

Security Parameter Index (SPI): The SPI is used to establish a VPN tunnel. The SPI is
transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then
uses the network, encryption, and key values that the administrator associated with the SPI to
establish the tunnel.
The SPI must be unique, is from one to eight characters long, and is composed of hexadecimal
characters. Valid hexadecimal characters are 0 to 9 and a to f (that is, 0, 1, 2, 3, 4, 5, 6, 7,
8, 9, a, b, c, d, e, f). For example, valid SPIs would be 999 or 1234abcd.

Triple Data Encryption Standard (3DES): 3DES is the same as DES, except that it applies three
DES keys in succession and is significantly more secure. However, 3DES has significantly more
processing requirements than DES.
The 3DES key must be exactly 16 characters long and is composed of hexadecimal characters. Valid
hexadecimal characters are 0 to 9 and a to f inclusive (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c,
d, e, f). For example, a valid key would be 1234567890abcdef.

VPN Tunnel: Tunneling is the encapsulation of point-to-point transmissions inside IP packets. A
VPN tunnel is a term that is used to describe a connection between two or more private nodes or
LANs over a public network, typically the Internet. Encryption is often used to maintain the
confidentiality of private data when traveling over the Internet.
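The Authentication Header and symmetric-key entries above describe the same mechanism from two
sides: the sender computes a keyed integrity check over the packet, and the receiver recomputes
it with a key that must match exactly. The Python below is an added, simplified illustration,
not SonicWALL code: it builds a constructed IPv4 header, zeroes the mutable fields that RFC 4302
excludes from the AH computation (TOS, flags and fragment offset, TTL, header checksum), and
uses HMAC-SHA1-96 as in RFC 2404. A real AH ICV also covers the AH header itself; that part is
omitted here. The addresses and payload are constructed and the 32-character key is the guide's
placeholder, not a real key.

```python
"""AH-style integrity check over an IPv4 packet (added example, simplified)."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, ID, flags+frag, TTL, proto, csum, src, dst
ICV_LEN = 12                 # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, proto: int = 51) -> bytes:
    """Constructed header; the checksum is left zero (it is a mutable field in any case)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def zero_mutable_fields(header: bytes) -> bytes:
    """Fields routers may change in transit are zeroed before authentication (RFC 4302)."""
    ver_ihl, _tos, total_len, ident, _flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, header[:20])
    return struct.pack(IPV4_FMT, ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)


def decrement_ttl(header: bytes) -> bytes:
    """What every router on the path does; it must not invalidate the ICV."""
    fields = list(struct.unpack(IPV4_FMT, header[:20]))
    fields[5] -= 1
    return struct.pack(IPV4_FMT, *fields)


def compute_icv(auth_key_hex: str, header: bytes, payload: bytes) -> bytes:
    key = bytes.fromhex(auth_key_hex)   # the 32-hex-character Authentication Key is 16 key bytes
    return hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha1).digest()[:ICV_LEN]


def verify_icv(auth_key_hex: str, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(compute_icv(auth_key_hex, header, payload), icv)


SENDER_KEY = "1234567890abcdef1234567890abcdef"   # the guide's placeholder value, not a real key
WRONG_KEY = "1234567890abcdef1234567890abcdee"    # differs from SENDER_KEY in the last digit only
PAYLOAD = b"constructed payload for the demo"
HEADER = build_ipv4_header("198.51.100.10", "203.0.113.5", len(PAYLOAD))
ICV = compute_icv(SENDER_KEY, HEADER, PAYLOAD)


def demo() -> dict:
    """Receiver outcomes: unchanged packet, TTL decremented in transit, tampered payload,
    and a key that does not match exactly."""
    return {
        "unchanged": verify_icv(SENDER_KEY, HEADER, PAYLOAD, ICV),
        "ttl_decremented": verify_icv(SENDER_KEY, decrement_ttl(HEADER), PAYLOAD, ICV),
        "payload_tampered": verify_icv(SENDER_KEY, HEADER, PAYLOAD[:-1] + b"!", ICV),
        "key_mismatch": verify_icv(WRONG_KEY, HEADER, PAYLOAD, ICV),
    }
```

The last two results are the point of the glossary entries: a single changed payload byte or a
single wrong hexadecimal digit in the key makes every packet fail verification, which is why
the authentication key on both ends must match exactly.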

Using OCSP with SonicWALL Security Appliances

Online Certificate Status Protocol (OCSP) allows you to check VPN certificate status without
CRLs. This allows timely updates regarding the status of the certificates used on your
SonicWALL.
OCSP is designed to augment or replace Certificate Revocation Lists (CRL) in your Public Key
Infrastructure (PKI) or digital certificate system. The CRL is used to validate the digital
certificates that make up the PKI. This allows the Certificate Authority (CA) to revoke
certificates before their scheduled expiration date and is useful in protecting the PKI system
against stolen or invalid certificates.
The main disadvantage of Certificate Revocation Lists is the need for frequent updates to keep
the CRL of every client current. These frequent updates greatly increase network traffic when
the complete CRL is downloaded by every client. Depending on the frequency of the CRL updates,
a period of time can exist when a certificate has been revoked in the CRL but the client has not
yet received the CRL update and still permits the certificate to be used.
Online Certificate Status Protocol determines the current status of a digital certificate
without using a CRL. OCSP enables the client or application to directly determine the status of
an identified digital certificate. This provides more timely information about the certificate
than is possible with CRLs. In addition, each client typically only checks a few certificates
and does not incur the overhead of downloading an entire CRL for only a few entries. This
greatly reduces the network traffic associated with certificate validation.
OCSP transports messages over HTTP for maximum compatibility with existing networks. This
requires careful configuration of any caching servers in the network to avoid receiving a cached
copy of an OCSP response that might be out of date.
The OCSP client communicates with an OCSP responder. The OCSP responder can be a CA server or
another server that communicates with the CA server to determine the certificate status. The
OCSP client issues a status request to an OCSP responder and suspends acceptance of the
certificate until the responder provides a response. The client request includes data such as
the protocol version, the service request, the target certificate identification, and optional
extensions. These optional extensions may or may not be acknowledged by the OCSP responder.
The OCSP responder receives the request from the client and checks that the message is properly
formed and that the responder is able to respond to the service request. Then it checks whether
the request contains the correct information needed for the service desired. If all conditions
are satisfied, the responder returns a definitive response to the OCSP client. The OCSP
responder is required to provide a basic response of GOOD, REVOKED, or UNKNOWN. If both the
OCSP client and responder support the optional extensions, other responses are possible.
The GOOD state is the desired response, as it indicates the certificate has not been revoked.
The REVOKED state indicates that the certificate has been revoked. The UNKNOWN state indicates
that the responder does not have information about the certificate in question.
OCSP servers typically work with a CA server in a push or pull setup. The CA server can be
configured to push a CRL (revocation list) to the OCSP server. Alternatively, the OCSP server
can be configured to periodically download (pull) the CRL from the CA server. The OCSP server
must also be configured with an OCSP response signing certificate issued by the CA server. The
signing certificate must be properly formatted or the OCSP client will not accept the response
from the OCSP server.
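The passage above leaves two decisions to the client: what to do with each of the three basic
statuses, and how to recognise the stale cached response it warns about. The Python below is an
added example of that client-side acceptance logic, not SonicWALL or OpenCA code and not a
protocol implementation (the DER encoding, signature verification and HTTP transport are left
out). The field names follow RFC 2560 (thisUpdate, nextUpdate, the optional nonce extension);
the fail-closed treatment of UNKNOWN, the five-minute clock-skew allowance and the 24-hour
maximum age for responses without nextUpdate are this example's own policy choices, and the
timeline is constructed.

```python
"""Client-side acceptance of an OCSP response: status handling and freshness (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SKEW = timedelta(minutes=5)   # tolerated clock difference between client and responder (assumed)


@dataclass
class OcspResponse:
    cert_status: str                  # "GOOD", "REVOKED" or "UNKNOWN" (the basic responses)
    this_update: datetime             # time the status was known correct
    next_update: Optional[datetime]   # when newer status will be available; may be absent
    nonce: Optional[bytes] = None     # echoed request nonce, if the responder supports it


def evaluate(resp: OcspResponse, request_nonce: Optional[bytes], now: datetime,
             max_age_without_next_update: timedelta = timedelta(hours=24)) -> Tuple[bool, str]:
    """Return (accept_certificate, reason). Anything other than a fresh, nonce-matching GOOD
    answer leaves the certificate unaccepted, mirroring the 'suspend acceptance' behaviour."""
    if request_nonce is not None and resp.nonce != request_nonce:
        return False, "nonce mismatch: response is replayed or served from a cache"
    if resp.this_update > now + SKEW:
        return False, "thisUpdate is in the future: responder or client clock is wrong"
    if resp.next_update is not None:
        if now > resp.next_update + SKEW:
            return False, "response expired (past nextUpdate): stale, possibly from an HTTP cache"
    elif now - resp.this_update > max_age_without_next_update:
        return False, "response too old and carries no nextUpdate"
    if resp.cert_status == "GOOD":
        return True, "certificate not revoked"
    if resp.cert_status == "REVOKED":
        return False, "certificate revoked by the CA"
    if resp.cert_status == "UNKNOWN":
        return False, "responder has no record of this certificate (fail closed)"
    return False, f"unexpected status {resp.cert_status!r}"


# Constructed timeline for the demo.
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
NONCE = b"\x01\x02\x03\x04"
FRESH_GOOD = OcspResponse("GOOD", NOW - timedelta(hours=1), NOW + timedelta(hours=23), NONCE)
CACHED_GOOD = OcspResponse("GOOD", NOW - timedelta(days=3), NOW - timedelta(days=2), NONCE)
REPLAYED_GOOD = OcspResponse("GOOD", NOW - timedelta(hours=1), NOW + timedelta(hours=23), b"\xff")
REVOKED = OcspResponse("REVOKED", NOW - timedelta(hours=1), NOW + timedelta(hours=23), NONCE)
UNKNOWN = OcspResponse("UNKNOWN", NOW - timedelta(hours=1), None, NONCE)
```

The CACHED_GOOD case is the one the HTTP caching caveat is about: the status was GOOD when the
responder signed it, but the response is past its nextUpdate and must not be trusted.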

OpenCA OCSP Responder

Using OCSP requires the OpenCA (OpenSource Certificate Authority) OCSP Responder, as it is the
only supported OCSP responder. OpenCA OCSP Responder is available at
<http://www.openca.org/ocspd/>. The OpenCA OCSP Responder is an RFC 2560 compliant OCSP
responder that runs on a default port of 2560, in homage to being based on RFC 2560.

Note
For SonicOS to act as an OCSP client to a responder, the CA certificate must be loaded onto the
SonicWALL system.

Using OCSP with VPN Policies

The SonicWALL OCSP settings can be configured on a policy level or globally. To configure OCSP
checking for individual VPN policies, click the VPNs page and then perform the following steps:

1. Select the radio button next to Enable OCSP Check.
2. Specify the OCSP Responder URL of the OCSP server, for example
   <http://192.168.168.220:2560>, where 192.168.168.220 is the IP address of your OCSP server
   and 2560 is the default port of operation for the OpenCA OCSP responder service.

CHAPTER 20
Configuring Firewall SSL VPN Settings
This chapter provides information on how to configure the SSL VPN features on the SonicWALL
SRA appliances. SonicWALL's SSL VPN features provide secure, seamless, remote access to
resources on your local network using the NetExtender client.
This chapter contains the following sections:
- SSL VPN NetExtender Overview section on page 507
- SSL VPN > Server Settings section on page 510
- SSL VPN > Portal Settings section on page 511
- SSL VPN > Client Settings section on page 512
- SSL VPN > Client Routes section on page 514

SSL VPN NetExtender Overview

This section provides an introduction to the SonicOS SSL VPN NetExtender feature as managed
within SonicWALL GMS. This section contains the following subsections:
- What is SSL VPN NetExtender? section on page 507
- Benefits section on page 508
- NetExtender Concepts section on page 508

What is SSL VPN NetExtender?

SonicWALL's SSL VPN NetExtender feature is a transparent software application for Windows, Mac,
and Linux users that enables remote users to securely connect to the remote network. With
NetExtender, remote users can securely run any application on the remote network. Users can
upload and download files, mount network drives, and access resources as if they were on the
local network. The NetExtender connection uses a Point-to-Point Protocol (PPP) connection.

Benefits
NetExtender provides remote users with full access to your protected internal network. The
experience is virtually identical to that of using a traditional IPSec VPN client, but
NetExtender does not require any manual client installation. Instead, the NetExtender Windows
client is automatically installed on a remote user's PC by an ActiveX control when using the
Internet Explorer browser, or with the XPCOM plugin when using Firefox. On MacOS systems,
supported browsers use Java controls to automatically install NetExtender from the Virtual
Office portal. Linux systems can also install and use the NetExtender client.
After installation, NetExtender automatically launches and connects a virtual adapter for secure
SSL VPN point-to-point access to permitted hosts and subnets on the internal network.

NetExtender Concepts
The following sections describe advanced NetExtender concepts:
- Stand-Alone Client section on page 508
- Client Routes section on page 508
- Tunnel All Mode section on page 509
- Connection Scripts section on page 509
- Proxy Configuration section on page 509

Stand-Alone Client
NetExtender is a browser-installed lightweight application that provides comprehensive remote
access without requiring users to manually download and install the application. The first time
a user launches NetExtender, the NetExtender stand-alone client is automatically installed on
the user's PC or Mac. The installer creates a profile based on the user's login information. The
installer window then closes and automatically launches NetExtender. If the user has a legacy
version of NetExtender installed, the installer will first uninstall the old NetExtender and
install the new version.
Once the NetExtender stand-alone client has been installed, Windows users can launch NetExtender
from their PC's Start > Programs menu and configure NetExtender to launch when Windows boots.
Mac users can launch NetExtender from their system Applications folder, or drag the icon to the
dock for quick access. On Linux systems, the installer creates a desktop shortcut in
/usr/share/NetExtender. This can be dragged to the shortcut bar in environments like Gnome and
KDE.

Client Routes
NetExtender client routes are used to allow and deny access for SSL VPN users to various network
resources. Address objects are used to easily and dynamically configure access to network
resources.

Tunnel All Mode

Tunnel All mode routes all traffic to and from the remote user over the SSL VPN NetExtender
tunnel, including traffic destined for the remote user's local network. This is accomplished by
adding the following routes to the remote client's route table:

    IP Address     Subnet mask
    0.0.0.0        0.0.0.0
    0.0.0.0        128.0.0.0
    128.0.0.0      128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections. These
routes are given a metric that makes them preferred over the existing routes for those
networks, which forces traffic destined for the local network over the SSL VPN tunnel instead.
For example, if a remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route
10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
Tunnel All mode is configured on the SSL VPN > Client Routes page.
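The route table above works through ordinary longest-prefix matching: the two /1 routes
(0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) together cover the whole address space and are more
specific than the host's existing default route, so they win regardless of metric, while the
added copy of the user's own local network has the same prefix length as the connected route
and wins only through its metric. The Python below is an added illustration of that lookup
logic, not NetExtender code: the interface names, metrics and probe addresses are constructed,
and the metric of 1 for the tunnel routes is an assumption.

```python
"""Longest-prefix-match model of the Tunnel All route table (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    interface: str
    metric: int   # lower is preferred, as in Windows and Linux routing tables


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific prefix wins; among equal prefixes the lowest metric wins."""
    d = ip_address(dst)
    candidates = [r for r in table if d in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def egress(table: List[Route], dst: str) -> str:
    r = lookup(table, dst)
    return r.interface if r else "unreachable"


def coverage(table: List[Route], probes: List[str]) -> Dict[str, str]:
    return {p: egress(table, p) for p in probes}


# Host state before connecting: a physical NIC on 10.0.0.0/16 with a default gateway (constructed).
BEFORE = [
    Route(ip_network("0.0.0.0/0"), "eth0", 25),
    Route(ip_network("10.0.0.0/16"), "eth0", 25),
]

# Routes NetExtender adds in Tunnel All mode: the guide's three entries plus the user's local
# network; the metric of 1 is assumed and is what lets the tunnel copy of 10.0.0.0/16 win.
TUNNEL_ALL = [
    Route(ip_network("0.0.0.0/0"), "netextender", 1),      # 0.0.0.0   / 0.0.0.0
    Route(ip_network("0.0.0.0/1"), "netextender", 1),      # 0.0.0.0   / 128.0.0.0
    Route(ip_network("128.0.0.0/1"), "netextender", 1),    # 128.0.0.0 / 128.0.0.0
    Route(ip_network("10.0.0.0/16"), "netextender", 1),    # the user's own LAN
]

# The two /1 routes alone, deliberately given a worse metric than the physical default route.
WORSE_METRIC_HALVES = [
    Route(ip_network("0.0.0.0/1"), "netextender", 99),
    Route(ip_network("128.0.0.0/1"), "netextender", 99),
]

PROBES = ["10.0.67.1", "192.0.2.10", "203.0.113.5", "8.8.8.8"]

if __name__ == "__main__":
    print(coverage(BEFORE, PROBES))               # everything via eth0
    print(coverage(BEFORE + TUNNEL_ALL, PROBES))  # everything via netextender
```

Dropping the 10.0.0.0/16 tunnel route from TUNNEL_ALL hands the local network back to eth0,
which is the leak Tunnel All mode exists to prevent; the /1 rout​es, by contrast, keep winning
even with a worse metric because they are more specific than the default route.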

Connection Scripts
SonicWALL SSL VPN provides users with the ability to run batch file scripts when NetExtender
connects and disconnects. The scripts can be used to map or disconnect network drives and
printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can
support any valid batch file commands.

Proxy Configuration
SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently, only
HTTPS proxy is supported. When launching NetExtender from the Web portal, if your browser is
already configured for proxy access, NetExtender automatically inherits the proxy settings. The
proxy settings can also be manually configured in the NetExtender client preferences.
NetExtender can automatically detect proxy settings for proxy servers that support the Web Proxy
Auto Discovery (WPAD) Protocol.
NetExtender provides three options for configuring proxy settings:
- Automatically detect settings - To use this setting, the proxy server must support the Web
  Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client
  automatically.
- Use automatic configuration script - If you know the location of the proxy settings script,
  you can select this option and provide the URL of the script.
- Use proxy server - You can use this option to specify the IP address and port of the proxy
  server. Optionally, you can enter an IP address or domain in the Bypass Proxy field to allow
  direct connections to those addresses and bypass the proxy server. If required, you can enter
  a user name and password for the proxy server. If the proxy server requires a username and
  password, but you do not specify them, a NetExtender pop-up window will prompt you to enter
  them when you first connect.

When NetExtender connects using proxy settings, it establishes an HTTPS connection to the
proxy server instead of connecting to the SonicWALL security appliance directly. The
proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the
certificate negotiated by NetExtender, of which the proxy server has no knowledge. The
connection process is identical for proxy and non-proxy users.

SSL VPN > Server Settings


The SSL VPN > Server Settings page is used to configure details of the SonicWALL security
appliance's behavior as an SSL VPN server.

The following options can be configured on the SSL VPN > Server Settings page.

SSL VPN Status on Zones: This displays the SSL VPN Access status on each Zone.
Green indicates active SSL VPN status, while red indicates inactive SSL VPN status. To
enable or disable SSL VPN access on a zone, click on the Network > Zones link to jump to
the Edit Zone window.

SSL VPN Port: Set the SSL VPN port for the appliance. The default is 4433.

Certificate Selection: Select the certificate that will be used to authenticate SSL VPN
users. All imported local certificates are available to be selected in the pull-down menu. To
manage certificates, go to the System > Certificates page.

Note

The Certificate Selection option is only available at the unit level, not at the group
level.

Enable Server Cipher Preference: Select this checkbox to configure a preferred cipher
method. The available ciphers are RC4_MD5, 3DES_SHA1, and AES256_SHA1.

RADIUS User Settings: This option is only available when either RADIUS or LDAP is
configured to authenticate SSL VPN users. Select the Use RADIUS in checkbox to have
RADIUS use MSCHAP (or MSCHAPv2) mode. Enabling MSCHAP-mode RADIUS will allow
users to change expired passwords at login time.

In LDAP, password updates can only be done when using either Novell eDirectory or Active
Directory with TLS and binding to it using an administrative account. If LDAP is not configured
as such, password updates for SSL VPN users will be performed using MSCHAP-mode
RADIUS, after using LDAP to authenticate the user.

Note

RADIUS must be enabled on the Users > RADIUS page. Click the link at the bottom
of the SSL VPN > Server Settings page to go to Users > RADIUS to modify the
configuration.

SSL VPN > Portal Settings


The Policies > SSL VPN > Portal Settings page is used to configure the appearance and
functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website
that users log in to in order to launch NetExtender. It can be customized to match any existing
company website or design style.

The following settings configure the appearance of the Virtual Office portal:

Portal Site Title - The text displayed in the top title of the web browser.

Portal Banner Title - The text displayed next to the logo at the top of the page.

Home Page Message - The HTML code that is displayed above the NetExtender icon.

Login Message - The HTML code that is displayed when users are prompted to log in to
the Virtual Office.

Example Template - Resets the Home Page Message and Login Message fields to the
default example template.

Preview - Launch a pop-up window that displays the HTML code.

The following options customize the functionality of the Virtual Office portal:

Launch NetExtender after login - Automatically launches NetExtender after a user logs in.

Display Import Certificate Button - Displays an Import Certificate button on the Virtual
Office page. This initiates the process of importing the SonicWALL security appliance's
self-signed certificate onto the web browser. This option only applies to the Internet
Explorer browser on PCs running Windows 2000 or Windows XP.

Enable HTTP meta tags for cache control - Inserts HTTP tags into the browser that
instruct the web browser not to cache the Virtual Office page. SonicWALL recommends
enabling this option.

The Customized Logo field is used to display a logo other than the SonicWALL logo at the top
of the Virtual Office portal. Enter the URL of the logo in the Customized Logo field. The logo
must be in GIF format of size 155 x 36, and a transparent or light background is recommended.

SSL VPN > Client Settings


The Policies > SSL VPN > Client Settings page allows the administrator to enable SSL VPN
access on zones and configure the client address range information and NetExtender client
settings. It also displays which zones have SSL VPN access enabled.

The following tasks are configured on the SSL VPN > Client Settings page:

Configuring Zones for SSL VPN Access section on page 512

Configuring the SSL VPN Client Address Range section on page 513

Configuring NetExtender Client Settings section on page 514

Configuring Zones for SSL VPN Access


All of the zones on the SonicWALL security appliance are displayed in the SSL VPN Status on
Zones section of the SSL VPN > Client Settings page. SSL VPN access must be enabled on
a zone before users can access the Virtual Office web portal. A green button to the left of the
name of the zone indicates that SSL VPN access is enabled. A red button indicates that SSL
VPN access is disabled. To change the SSL VPN access for a zone, simply click the name of
the zone on the SSL VPN > Client Settings page.

SSL VPN Access can also be configured on the Network > Zones page by clicking the
configure icon for the zone.

Note

WAN management must be enabled on the zone to terminate SSL VPN sessions. Even
though the zone has SSL VPN enabled, if the management interface is disabled, SSL VPN
will not work correctly.

Configuring the SSL VPN Client Address Range


The SSL VPN Client Address Range defines the IP address pool from which addresses will be
assigned to remote users during NetExtender sessions. The range needs to be large enough
to accommodate the maximum number of concurrent NetExtender users you wish to support
plus one (for example, the range for 15 users requires 16 addresses, such as 192.168.200.100
to 192.168.200.115).

Note

The range must fall within the same subnet as the interface to which the SRA appliance is
connected, and in cases where there are other hosts on the same segment as the SRA
appliance, it must not overlap or collide with any assigned addresses.
To configure the SSL VPN Client Address Range, perform the following steps:

Step 1  Navigate to the SSL VPN > Client Settings page.

Step 2  In the NetExtender Start IP field, enter the first IP address in the client address range.

Step 3  In the NetExtender End IP field, enter the last IP address in the client address range.

Step 4  In the DNS Server 1 field, enter the IP address of the primary DNS server, or click Default
DNS Settings to use the default settings.

Step 5  (Optional) In the DNS Server 2 field, enter the IP address of the backup DNS server.

Step 6  (Optional) In the DNS Domain field, enter the domain name for the DNS servers.

Step 7  In the User Domain field, enter the domain name for the users. The value of this field must
match the domain field in the NetExtender client.

Step 8  (Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.

Step 9  (Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.

Step 10 In the Interface pull-down menu, select the interface to be used for SSL VPN services.

Note

The IP address range must be on the same subnet as the interface used for SSL VPN
services.

Step 11 Click the Zone name at the top of the page to enable SSL VPN access on it with these settings.
The indicator should be green for the Zone you want to enable.

Step 12 Click Accept.

Configuring NetExtender Client Settings


NetExtender client settings are configured on the bottom of the SSL VPN > Client Settings
page. The following settings customize the behavior of NetExtender when users connect and
disconnect.

Default Session Timeout (minutes) - The default timeout value for client inactivity, after
which the client's session is terminated.

Enable NetBIOS Over SSLVPN - Allows NetExtender clients to broadcast NetBIOS to the
SSL VPN subnet.

Enable Client Autoupdate - The NetExtender client checks for updates every time it is
launched.

Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected
from the SSL VPN server. To reconnect, users will have to either return to the SSL VPN
portal or launch NetExtender from their Programs menu.

Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when
it becomes disconnected from the SSL VPN server. To reconnect, users will have to return
to the SSL VPN portal.

Create Client Connection Profile - The NetExtender client will create a connection profile
recording the SSL VPN Server name, the Domain name and optionally the username and
password.

Communication Between Clients - Enables NetExtender clients that are connected to the
same server to communicate.

User Name & Password Caching - Provide flexibility in allowing users to cache their
usernames and passwords in the NetExtender client. The three options are Allow saving
of user name only, Allow saving of user name & password, and Prohibit saving of
user name & password. These options enable administrators to balance security needs
against ease of use for users.

SSL VPN > Client Routes


The Policies > SSL VPN > Client Routes page allows the administrator to control the network
access allowed for SSL VPN users. The NetExtender client routes are passed to all
NetExtender clients and are used to govern which private networks and resources remote users
can access via the SSL VPN connection.

The following tasks are configured on the SSL VPN > Client Routes page:

Configuring Tunnel All Mode section on page 515

Adding Client Routes section on page 515

Configuring Tunnel All Mode


Select Enabled from the Tunnel All Mode pull-down list to force all traffic for NetExtender
users over the SSL VPN NetExtender tunnel, including traffic destined for the remote user's
local network. This is accomplished by adding the following routes to the remote client's route
table:

IP Address     Subnet mask

0.0.0.0        0.0.0.0

0.0.0.0        128.0.0.0

128.0.0.0      128.0.0.0

NetExtender also adds routes for the local networks of all connected Network Connections.
These routes are configured with higher metrics than any existing routes to force traffic
destined for the local network over the SSL VPN tunnel instead. For example, if a remote user
has the IP address 10.0.67.64 on the 10.0.*.* network, the route 10.0.0.0/255.255.0.0 is
added to route traffic through the SSL VPN tunnel.
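As an added illustration (not part of the guide), the following Python script models what the Tunnel All routes in the table above do to a remote client's route selection, using the guide's own example client (10.0.67.64 on the 10.0.*.* network). It serves both this description of Tunnel All mode and the identical one earlier in the SSL VPN chapter. The pre-existing route table, the next-hop names local-gateway, local-lan and sslvpn-tunnel, and the preference values are constructed for the example; the guide says the tunnel routes carry a "higher metric" so that they win, and the model treats metric as a preference score where higher wins.

```python
import ipaddress

# Constructed sample data (not from the guide's appliance): a remote client's
# route table before NetExtender connects. Each entry is
# (destination network, next hop, preference). The client in the guide's own
# example has address 10.0.67.64 on the 10.0.*.* network.
CLIENT_IP = "10.0.67.64"
LOCAL_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "local-gateway", 10),   # default route
    (ipaddress.ip_network("10.0.0.0/16"), "local-lan", 10),     # on-link LAN
]


def tunnel_all_routes(local_networks, preference=20):
    """Routes NetExtender installs in Tunnel All mode, per the guide's table:
    two /1 routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) that together
    cover every IPv4 address, plus a copy of each local network route that
    points at the tunnel. `preference` is an assumed value: the guide says the
    tunnel routes get a higher metric than existing routes so that they win,
    and this model treats metric as a preference score where higher wins.
    (Windows and Linux prefer the numerically lower metric, so read the
    client's own route table with that in mind.)"""
    routes = [
        (ipaddress.ip_network("0.0.0.0/1"), "sslvpn-tunnel", preference),
        (ipaddress.ip_network("128.0.0.0/1"), "sslvpn-tunnel", preference),
    ]
    for net in local_networks:
        routes.append((ipaddress.ip_network(net), "sslvpn-tunnel", preference))
    return routes


def lookup(routes, destination):
    """Route selection as the client's IP stack does it: the longest matching
    prefix wins; equal prefix lengths are broken by preference (higher wins)."""
    addr = ipaddress.ip_address(destination)
    best_key, best_hop = None, None
    for net, hop, pref in routes:
        if addr in net:
            key = (net.prefixlen, pref)
            if best_key is None or key > best_key:
                best_key, best_hop = key, hop
    return best_hop


def tunnel_covers_all_ipv4():
    """The two /1 routes collapse to 0.0.0.0/0: no destination escapes the
    tunnel, yet the client's original default route is left untouched."""
    halves = [net for net, _, _ in tunnel_all_routes([])]
    return list(ipaddress.collapse_addresses(halves)) == [ipaddress.ip_network("0.0.0.0/0")]


def hops_after_tunnel_all(destinations, local_networks=()):
    """Next hop for each destination once the Tunnel All routes are added.
    Pass the client's local networks to get the local-network copies too."""
    table = LOCAL_ROUTES + tunnel_all_routes(local_networks)
    return {dst: lookup(table, dst) for dst in destinations}


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "10.0.5.5"):
        print(dst, "before:", lookup(LOCAL_ROUTES, dst),
              " tunnel-all:", hops_after_tunnel_all([dst], ["10.0.0.0/16"])[dst])
```

The /1 routes beat the existing /0 default route on prefix length alone, which is why nothing has to be removed from the client's table. The on-link 10.0.0.0/16 route is more specific than either /1, so without the extra local-network copy that the guide describes, LAN traffic would still bypass the tunnel; hops_after_tunnel_all with and without the local network shows the difference.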

Adding Client Routes


The Add Client Routes pull-down menu is used to configure access to network resources for
SSL VPN users. Select the address object to which you want to allow SSL VPN access. Select
Create new address object to create a new address object. Creating client routes causes
access rules to automatically be created to allow this access. Alternatively, you can manually
configure access rules for the SSL VPN zone on the Firewall > Access Rules page. For more
information, see Configuring Access Rules on page 275.

CHAPTER 21
Configuring Firewall DPI-SSL Settings
This chapter describes the Deep Packet Inspection Secure Socket Layer (DPI-SSL) feature to
allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. Client DPI-SSL is
used to inspect HTTPS traffic when clients on the SonicWALL firewall appliance's LAN access
content located on the WAN. Server DPI-SSL is used to inspect HTTPS traffic when remote clients
connect over the WAN to access content located on the SonicWALL firewall appliance's LAN.
This chapter contains the following subsections:

DPI-SSL Overview section on page 517

Configuring Client SSL section on page 518

Configuring Server SSL section on page 522

DPI-SSL Overview
This section provides an introduction to the SonicOS Enhanced DPI-SSL feature as managed
within GMS. Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALLs
Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and
other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and
then re-encrypted and sent along to its destination if no threats or vulnerabilities are found.
DPI-SSL provides additional security, application control, and data leakage prevention for
analyzing encrypted HTTPS and other SSL-based traffic.
The following security services and features are capable of utilizing DPI-SSL:

Gateway Anti-Virus

Gateway Anti-Spyware

Intrusion Prevention

Content Filtering

Application Firewall

Packet Capture

Packet Mirror

DPI-SSL has two main deployment scenarios:

Client DPI-SSL: Used to inspect HTTPS traffic when clients on the SonicWALL security
appliance's LAN access content located on the WAN.

Server DPI-SSL: Used to inspect HTTPS traffic when remote clients connect over the WAN
to access content located on the SonicWALL security appliance's LAN.

The DPI-SSL feature is available in SonicOS Enhanced 5.6 and higher.

Configuring Client SSL


The Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients
on the LAN browse content located on the WAN. In the Client DPI-SSL scenario, the
SonicWALL firewall appliance typically does not own the certificates and private keys for the
content it is inspecting. After the appliance performs DPI-SSL inspection, it re-writes the
certificate sent by the remote server and signs this newly generated certificate with the
certificate specified in the Client DPI-SSL configuration. By default, this is the SonicWALL
certificate authority (CA) certificate, or a different certificate can be specified. Users should be
instructed to add the certificate to their browsers' trusted list to avoid certificate trust errors.
The following sections describe how to configure Client DPI-SSL:

Configuring General Client DPI-SSL Settings on page 518

Configuring the Inclusion/Exclusion List on page 520

Adding Trust to the Browser on page 521

Content Filtering on page 521

Configuring General Client DPI-SSL Settings


To enable Client DPI-SSL inspection, perform the following steps:

1. Navigate to the DPI-SSL > Client SSL page.

2. The DPI-SSL Status section displays the status of the DPI-SSL license for the appliance.

3. Select the Enable SSL Client Inspection checkbox.

4. Select which of the following services to perform inspection with: Intrusion Prevention,
Gateway Anti-Virus, Gateway Anti-Spyware, Application Firewall, and Content Filter.

5. Click Update.

Selecting the Re-Signing Certificate Authority


By default, DPI-SSL uses the Default SonicWALL DPI-SSL CA Certificate to re-sign traffic
that has been inspected. Optionally, another certificate can be specified. To
use a custom certificate, you must first import the certificate to the SonicWALL firewall
appliance:

1. Navigate to the System > Certificates page.

2. Click Import Certificate.

3. Select the Import a local end-user certificate with private key from a PKCS#12 (.p12
or .pfx) encoded file option.

4. Enter the password and click Import.

After the certificate has been imported, you must configure it on the Client DPI-SSL page:

1. Navigate to the DPI-SSL > Client SSL page.

2. Scroll down to the Certificate Re-Signing Authority section and select the certificate from
the pull-down menu.

3. Click Update.

For help with creating PKCS-12 formatted files, see Creating PKCS-12 Formatted Certificate
File on page 521.

Configuring the Inclusion/Exclusion List


By default, the DPI-SSL applies to all traffic on the appliance when it is enabled. You can
configure an Inclusion/Exclusion list to customize which traffic DPI-SSL inspection will apply to.
The Inclusion/Exclusion list provides the ability to specify certain objects, groups, or
hostnames. In deployments that are processing a large amount of traffic, it can be useful to
exclude trusted sources in order to reduce the CPU impact of DPI-SSL and to prevent the
appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

The Inclusion/Exclusion section of the Client SSL page contains three options for specifying
the inclusion list:

On the Address Object/Group line, select an address object or group from the Exclude
pull-down menu to exempt it from DPI-SSL inspection.

On the Service Object/Group line, select a service object or group from the Exclude
pull-down menu to exempt it from DPI-SSL inspection.

On the User Object/Group line, select a user object or group from the Exclude pull-down
menu to exempt it from DPI-SSL inspection.

Tip

The Include pull-down menu can be used to fine tune the specified exclusion list. For
example, you can select the Remote-office-California address object in the Exclude
pull-down and the Remote-office-Oakland address object in the Include pull-down.

The Common Name Exclusions section is used to add domain names to the exclusion
list. To add a domain name, type it in the text box and click Add.

Click Update to confirm the configuration.

Adding Trust to the Browser


The previous section described how to configure a re-signing certificate authority. For the
re-signing certificate authority to successfully re-sign certificates, browsers must trust it.
Such trust is established by importing the re-signing certificate into the browser's trusted
CA list.

Internet Explorer: Go to Tools > Internet Options, click the Content tab and click
Certificates. Click the Trusted Root Certification Authorities tab and click Import. The
Certificate Import Wizard will guide you through importing the certificate.

Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click
View Certificates, select the Authorities tab, and click Import. Select the certificate file,
make sure the Trust this CA to identify websites check box is selected, and click OK.

Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then
click OK. Enter the system username and password and click OK.

Creating PKCS-12 Formatted Certificate File


A PKCS-12 formatted certificate file can be created on a Linux system with OpenSSL. To
create a PKCS-12 formatted certificate file, you need the two main components of the
certificate:

Private key (typically a file with a .key extension or the word key in the filename)

Certificate with a public key (typically a file with a .crt extension or the word cert as part of
the filename).

For example, the Apache HTTP server on Linux has its private key and certificate in the following
locations:

/etc/httpd/conf/ssl.key/server.key

/etc/httpd/conf/ssl.crt/server.crt

With these two files available, run the following command:

    openssl pkcs12 -export -out out.p12 -inkey server.key -in server.crt

In this example out.p12 becomes the PKCS-12 formatted certificate file, and server.key and
server.crt are the PEM formatted private key and certificate file respectively.
After running the command, you are prompted for the password used to protect (encrypt) the
file. After the password is chosen, the creation of the PKCS-12 formatted certificate file is complete
and it can be imported into the SonicWALL firewall appliance.
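As an added, self-contained example (not from the guide or from SonicWALL), the following Python script wraps the openssl command above, generates a throwaway key pair and self-signed certificate to stand in for server.key and server.crt, and checks the resulting bundle before it would be imported as described under Selecting the Re-Signing Certificate Authority. The passphrase, file names and common name are constructed for the example, and the script assumes the openssl binary is on the PATH.

```python
import os
import subprocess
import tempfile
from pathlib import Path


def run_openssl(args, password=None, stdin=None):
    """Run one openssl subcommand and return its stdout. The passphrase, when
    one is needed, is handed over through an environment variable using
    openssl's env: syntax, so it does not show up in `ps` output the way a
    pass:... argument on the command line would."""
    env = dict(os.environ)
    if password is not None:
        env["P12_PASS"] = password
    return subprocess.run(["openssl", *args], input=stdin, env=env,
                          check=True, capture_output=True).stdout


def create_pkcs12(key_path, cert_path, out_path, password):
    """Equivalent of the guide's
    `openssl pkcs12 -export -out out.p12 -inkey server.key -in server.crt`,
    with the protecting password supplied non-interactively."""
    run_openssl(["pkcs12", "-export", "-out", str(out_path),
                 "-inkey", str(key_path), "-in", str(cert_path),
                 "-passout", "env:P12_PASS"], password=password)
    return Path(out_path)


def inspect_pkcs12(p12_path, password):
    """Check, before importing on the appliance, that the bundle really holds
    both components the guide lists: the certificate and its private key."""
    cert_pem = run_openssl(["pkcs12", "-in", str(p12_path), "-passin", "env:P12_PASS",
                            "-nokeys", "-clcerts"], password=password)
    subject = run_openssl(["x509", "-noout", "-subject"], stdin=cert_pem).decode().strip()
    key_pem = run_openssl(["pkcs12", "-in", str(p12_path), "-passin", "env:P12_PASS",
                           "-nocerts", "-nodes"], password=password)
    return {"subject": subject, "has_private_key": b"PRIVATE KEY" in key_pem}


def demo(common_name="example-dpi-ssl-ca"):
    """Self-contained walk-through: generate a throwaway RSA key and a
    self-signed certificate (standing in for server.key and server.crt),
    bundle them into PKCS#12, then verify the bundle. The common name and
    passphrase are constructed values; everything lives in a temp dir."""
    passphrase = "constructed-demo-passphrase"
    with tempfile.TemporaryDirectory() as d:
        key, crt, p12 = Path(d, "server.key"), Path(d, "server.crt"), Path(d, "out.p12")
        run_openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes",
                     "-keyout", str(key), "-out", str(crt),
                     "-days", "365", "-subj", f"/CN={common_name}"])
        create_pkcs12(key, crt, p12, password=passphrase)
        return inspect_pkcs12(p12, password=passphrase)


if __name__ == "__main__":
    print(demo())
```

The verification step matters because the appliance's import option expects a certificate with its private key; a .p12 exported from a certificate-only file imports nowhere useful. OpenSSL 3.x writes PKCS#12 with AES-256-CBC and PBKDF2 by default; if an older importer rejects the file, the 3.x `openssl pkcs12 -export -legacy` option produces the older encoding.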

Client DPI-SSL Examples


The following sections provide configuration examples:

Content Filtering on page 521

Application Firewall on page 522

Content Filtering
To perform SonicWALL Content Filtering on HTTPS and SSL-based traffic using DPI-SSL,
perform the following steps:
1. Navigate to the DPI-SSL > Client SSL page.

2. Select the Enable SSL Inspection checkbox and the Content Filter checkbox.

3. Click Update.

4. Navigate to the Website Blocking > CFS Filter List page and click the Configure button.

5. Uncheck the Enable IP based HTTPS Content Filtering checkbox.

6. Select the appropriate categories to be blocked.

7. Click Update.

8. Navigate to a blocked site using the HTTPS protocol to verify that it is properly blocked.

Note

For content filtering over DPI-SSL, the first time HTTPS access is blocked, a blank
page is displayed. If the page is refreshed, the user will see the SonicWALL block page.

Application Firewall

Note

Application Firewall is supported for appliances running SonicOS 5.8 and higher.

To apply Application Firewall policies to HTTPS traffic, select the Enable Application Firewall
checkbox on the Client DPI-SSL screen and enable Application Firewall on the Application
Firewall > Policies screen:

1. Navigate to the DPI-SSL > Client SSL page.

2. Select the Enable SSL Inspection checkbox and the Application Firewall checkbox.

3. Click Update.

4. Navigate to the App Control > App Rules page.

5. Enable App Rules.

6. Configure an HTTP Client policy to block the Microsoft Internet Explorer browser.

7. Select block page as the action for the policy. Click Apply.

8. Access any website using the HTTPS protocol with Internet Explorer and verify that it is
blocked.

DPI-SSL also supports Application Level Bandwidth Management over SSL tunnels.
Application Firewall HTTP bandwidth management policies also apply to content that is
accessed over HTTPS when DPI-SSL is enabled for Application Firewall.

Configuring Server SSL


The Server DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when
remote clients connect over the WAN to access content located on the SonicWALL security
appliance's LAN. Server DPI-SSL allows the user to configure pairings of an address object and
certificate. When the appliance detects SSL connections to the address object, it presents the
paired certificate and negotiates SSL with the connecting client.
Afterward, if the pairing defines the server to be 'cleartext', then a standard TCP connection is
made to the server on the original (post NAT remapping) port. If the pairing is not defined to be
cleartext, then an SSL connection to the server is negotiated. This allows for end-to-end
encryption of the connection.

In this deployment scenario the owner of the SonicWALL firewall appliance owns the
certificates and private keys of the origin content servers. The administrator must import the
server's original certificate onto the SonicWALL firewall appliance and create the appropriate
server IP address to server certificate mappings in the Server DPI-SSL UI.
The following sections describe how to configure Server DPI-SSL:

Configuring General Server DPI-SSL Settings on page 523

Configuring the Exclusion List on page 524

Configuring Server-to-Certificate Pairings on page 524

SSL Offloading on page 525

Configuring General Server DPI-SSL Settings


To enable Server DPI-SSL inspection, perform the following steps:

1. Navigate to the DPI-SSL > Server SSL page.

2. The DPI-SSL Status section displays the status of the DPI-SSL license for the appliance.

3. Select the Enable SSL Server Inspection checkbox.

4. Select which of the following services to perform inspection with: Intrusion Prevention,
Gateway Anti-Virus, Gateway Anti-Spyware, and Application Firewall.

5. Click Update.

6. Scroll down to the SSL Servers section to configure the server or servers to which DPI-SSL
inspection will be applied. See Configuring Server-to-Certificate Pairings on page 524.

Note

The SSL Servers section is available only at the unit level.

Configuring the Exclusion List


By default, the DPI-SSL applies to all traffic on the appliance when it is enabled. You can
configure an Inclusion/Exclusion list to customize which traffic DPI-SSL inspection will apply to.
The Inclusion/Exclusion list provides the ability to specify certain objects, groups, or
hostnames. In deployments that are processing a large amount of traffic, it can be useful to
exclude trusted sources in order to reduce the CPU impact of DPI-SSL and to prevent the
appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

The Inclusion/Exclusion section of the Server SSL page contains two options for specifying
the inclusion list:

On the Address Object/Group line, select an address object or group from the Exclude
pull-down menu to exempt it from DPI-SSL inspection.

On the User Object/Group line, select a user object or group from the Exclude pull-down
menu to exempt it from DPI-SSL inspection.

Note

The Include pull-down menu can be used to fine tune the specified exclusion list.
For example, by selecting the Remote-office-California address object in the
Exclude pull-down and the Remote-office-Oakland address object in the Include
pull-down.

Configuring Server-to-Certificate Pairings


Server DPI-SSL inspection requires that you specify which certificate will be used to sign traffic
for each server that will have DPI-SSL inspection performed on its traffic. To configure a
server-to-certificate pairing, perform the following steps:

1. Navigate to the DPI-SSL > Server SSL page and scroll down to the SSL Servers section.

Note

The SSL Servers section is available only at the unit level, not at the group level.

2. Click the Add button.

3. In the Address Object/Group pull-down menu, select the address object or group for the
server or servers that you want to apply DPI-SSL inspection to.

4. In the SSL Certificate pull-down menu, select the certificate that will be used to sign the
traffic for the server. For more information on importing a new certificate to the appliance,
see Selecting the Re-Signing Certificate Authority on page 519. For information on
creating a certificate, see Creating PKCS-12 Formatted Certificate File on page 521.

5. Select the Cleartext checkbox to enable SSL offloading. See SSL Offloading on page 525
for more information.

6. Click Add.
SSL Offloading
When adding server-to-certificate pairs, a cleartext option is available. This option indicates
that the portion of the TCP connection between the SonicWALL firewall appliance and the local
server will be in the clear, without an SSL layer, thus allowing SSL processing to be offloaded from
the server to the appliance.
Note that for such a configuration to work properly, a NAT policy needs to be
created on the Network > NAT Policies page to map traffic destined for the offload server from
an SSL port to a non-SSL port. For example, when HTTPS traffic is used with SSL
offloading, an inbound NAT policy remapping traffic from port 443 to port 80 needs to be created
for the configuration to work properly.


CHAPTER 22
Configuring Firewall Security Services
SonicWALL security appliances offer several services for protecting networks against viruses
and attacks. This chapter provides concept overviews and configuration tasks for deploying
these services.
This chapter contains the following sections:

Configuring SonicWALL Network Anti-Virus section on page 528

SonicWALL Network Anti-Virus Email Filter section on page 530

Configuring the SonicWALL Content Filter Service section on page 532

Configuring the SonicWALL Intrusion Prevention Service section on page 532

Configuring the SonicWALL RBL Filter section on page 539

Configuring the SonicWALL Gateway Anti-Virus section on page 540

Configuring the SonicWALL Anti-Spyware Service section on page 543

Configuring Security Services Settings


This page allows SonicWALL firewall appliances that must access the Internet through a proxy
server to download signatures through that proxy. This feature also allows for registration of
SonicWALL firewall appliances through a proxy server without compromising privacy.
The Security Services > Settings page is available for appliances running SonicOS Enhanced 5.6
and higher.
To enable signature download or appliance registration through a proxy server, perform the
following steps:

1. Select the global icon, a group, or a SonicWALL appliance.

2. Expand the Security Services tree and click Settings.

3. Select the Download Signatures through a Proxy Server checkbox.

4. In the Proxy Server Name or IP Address field, enter the hostname or IP address of the
proxy server.

5. In the Proxy Server Port field, enter the port number used to connect to the proxy server.

6. Select the This Proxy Server requires Authentication checkbox if the proxy server
requires a username and password.

Configuring SonicWALL Network Anti-Virus


SonicWALL Network Anti-Virus is a distributed, gateway-enforced solution that ensures
always-on, always-updated anti-virus software for every client on your network. The
SonicWALL constantly monitors the version of the virus definition file and automatically triggers
download and installation of new virus definition files to each user's computer. In addition, the
SonicWALL restricts each user's access to the Internet until they are protected, therefore acting
as an automatic enforcer of the company's virus protection policy.
This new approach ensures the most current version of the virus definition file is installed and
active on each PC on the network, preventing a rogue user from disabling the virus protection
and potentially exposing the entire organization to an outbreak. And most importantly,
SonicWALL Network Anti-Virus offloads the costly and time-consuming burden of maintaining
and updating anti-virus software across the entire network.
SonicWALL Network Anti-Virus also includes Network Anti-Virus Email Filter to selectively
manage inbound Email attachments as they pass through the SonicWALL to control the flow of
executable files, scripts, and applications into your network.

Configuring Anti-Virus Settings


SonicWALL GMS offers anti-virus protection on a subscription basis through a partnership
with McAfee. This section describes how to configure Anti-Virus settings for SonicWALL
appliances.

Note

SonicWALL appliances are entitled to a one-month anti-virus trial subscription. To
enable the trial subscription, refer to the Registering and Upgrading SonicWALL
Firewall Appliances section on page 643.

Anti-Virus Settings
To configure Anti-Virus settings for one or more SonicWALL appliances, follow these steps:

1. Select the global icon, a group, or a SonicWALL appliance.

2. Expand the Security Services tree and click AV Configure. The AV Configure page
appears.

3. Select the Enable Anti-Virus Client Automated Installation, Updates and Enforcement
check box.

4. To enforce Anti-Virus protection on the DMZ port or HomePort (if available), select the
Enable DMZ/HomePort/WLAN/OPT Policing check box.

5. To disable policing from the LAN to the DMZ, select the Disable policing from
LAN/WorkPort to DMZ/HomePort/WLAN/OPT check box.

6. To configure the SonicWALL appliance(s) to only check for updates once a day, select the
Reduce AV Traffic for ISDN connections check box. This is useful for low bandwidth
connections or connections that are not always on.

7. SonicWALL GMS automatically downloads the latest virus definition files. To configure the
maximum number of days that can pass before SonicWALL GMS downloads the latest files,
select the number of days from the Maximum Days Allowed Before Forcing Update list
box.

8. Significant virus events can occur without warning (e.g., Melissa, ILOVEYOU, and others).
When these occur, SonicWALL GMS can be configured to block network traffic until the
latest virus definition files are downloaded. To configure this feature, determine which types
of events will require updating. Then, select the Low Risk, Medium Risk, or High Risk
check boxes.

Exempt Computers
The Exempt Computers section allows the GMS administrator to specify address ranges which
should be explicitly included or excluded in Anti-Virus enforcement.
1. Select the Enforce Anti-Virus policies for all computers radio button to enforce
   Anti-Virus policies across your entire network. Selecting this option forces computers to
   install VirusScan ASaP in order to access the Internet or the DMZ. This is the default
   configuration.
2. Select the Include specific address ranges in the Anti-Virus enforcement radio button
   to force a specified range of addresses to adhere to Anti-Virus enforcement. Choosing this
   option allows the administrator to define ranges of IP addresses to receive Anti-Virus
   enforcement. If you select this option, specify a range of IP addresses to be enforced. Any
   computer requiring enforcement needs a static IP address within the specified range of IP
   addresses. Up to 64 IP address ranges can be entered for enforcement.
3. Select the Exclude specific address ranges in the Anti-Virus enforcement radio button
   to exempt a specified range of addresses from Anti-Virus enforcement. Selecting this
   option allows the administrator to define ranges of IP addresses that are exempt from
   Anti-Virus enforcement. If you select this option, specify the range of IP addresses that are
   exempt. Any computer requiring unrestricted Internet access needs a static IP address
   within the specified range of IP addresses. Up to 64 IP address ranges can be entered.
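The three enforcement modes and the 64-range limit above, as an added Python example that is not SonicWALL code: the AvEnforcementPolicy class, its method names and the sample addresses are assumptions made here to show how the include/exclude decision is evaluated for a client address.

```python
"""Added example: a model of the Exempt Computers enforcement modes described above.
Not SonicWALL code; the class name, method names and sample addresses are assumptions."""
from ipaddress import IPv4Address

MAX_RANGES = 64  # the page's limit on address ranges per policy


class AvEnforcementPolicy:
    """Decides whether a client must have the anti-virus client installed before it is
    allowed through to the Internet or the DMZ."""

    MODES = ("all", "include", "exclude")

    def __init__(self, mode: str = "all"):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}; expected one of {self.MODES}")
        self.mode = mode
        self.ranges = []  # list of (first, last) IPv4Address pairs, inclusive

    def add_range(self, first: str, last: str) -> None:
        """Register an inclusive IPv4 range; the page allows up to 64 of them."""
        if len(self.ranges) >= MAX_RANGES:
            raise ValueError(f"at most {MAX_RANGES} address ranges can be entered")
        lo, hi = IPv4Address(first), IPv4Address(last)
        if lo > hi:
            raise ValueError("range start must not be above range end")
        self.ranges.append((lo, hi))

    def remaining_slots(self) -> int:
        return MAX_RANGES - len(self.ranges)

    def in_ranges(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        return any(lo <= addr <= hi for lo, hi in self.ranges)

    def enforced(self, ip: str) -> bool:
        """True when the client at `ip` must run the AV client to get Internet/DMZ access.
        Clients are assumed to have static addresses, as the page requires."""
        if self.mode == "all":          # default: every computer is enforced
            return True
        if self.mode == "include":      # only the listed ranges are enforced
            return self.in_ranges(ip)
        return not self.in_ranges(ip)   # "exclude": the listed ranges are exempt
```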

SonicWALL Network Anti-Virus Email Filter


The Network Anti-Virus Email Filter allows the administrator to selectively delete or disable
inbound Email attachments as they pass through the SonicWALL. This feature provides control
over executable files and scripts, and applications sent as Email attachments.
This feature is available only with the purchase of an Email Filter subscription.

Email Filtering
During an outbreak, Email filtering allows for preemptive blocking of known filenames and
newly discovered viruses before the Anti-Virus signature (DAT) files are actually available.
This feature also provides full filename blocking of virus files, allowing SonicWALL to block only
malicious attachments, while enabling all other attachments through. For example, during a
virus outbreak, only the virus file is blocked while other productive files (such as Word
documents and Excel spreadsheets) are allowed through.
To configure email filter settings for one or more SonicWALL appliances, follow these steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click EMail Filter. The EMail Filter screen displays.

Email Attachment Filtering
This section allows the administrator to specify file extensions to filter. By default, the
common executable file extensions .vbs and .exe are blocked.
• To enable infected email attachment blocking on inbound SMTP and POP3 Email protocols,
  select the Enable Email Attachment Filtering Alert Service check box. Only files that
  were discovered to be infected will be blocked. If a message contains uninfected
  attachments, those will be forwarded to the recipient.
• To specify file extensions to filter, select the Enable Email Attachment Filtering of
  Forbidden File Extensions checkbox.
• If choosing to specify forbidden file extensions, enter the file extensions (one at a time) in
  the Forbidden File Extensions box and click the Add button. Remove extensions from the
  list by selecting the checkbox to the left of the file extension and clicking the Update button
  at the bottom of the page.
• Click the Update button to save your changes.

Email Attachment Filtering Options
This section allows the administrator to handle forbidden file extensions in the following two
ways:
• Select the Disable the forbidden file by altering the file extension and attach warning
  text radio button to alter the file extension by replacing the third character of file extensions
  with _. If the email attachment is a valid file, the message recipient may return the
  attachment to its original file extension without damaging the file.
• Select Delete forbidden file and attach warning text to remove the forbidden file from the
  Email message entirely and attach warning text to the message.
• In the Warning Message Text field (maximum 256 characters), enter the text you wish to
  attach to messages containing forbidden files.
• Click the Update button to save your changes.

Note
Only infected files will be blocked. If a message contains uninfected attachments, those will
be forwarded to the recipient.

Email Blocking
This option allows the administrator to block fragments of Email messages.
• Check the Block Email fragments (Content-Type message/partial) checkbox to block
  fragmented messages from being delivered.
• Click the Update button to save your changes.

When you are finished, click Update. The settings are changed for each selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
The SonicWALL appliance will block viruses that are discovered by the virus signature files and
filenames that are known to be infected during an outbreak.

Configuring the SonicWALL Content Filter Service


The default SonicWALL Content Filtering Service (CFS) policy is available with or without a
CFS subscription. With a valid CFS subscription, you can create custom CFS policies and apply
them to network zones or to groups of users. For example, a school could create one policy for
teachers and another for students.
The settings for SonicWALL CFS are configured on the Policies > Website Blocking page in
SonicWALL GMS. Refer to the Configuring General Website Blocking section on page 319.

Configuring the SonicWALL Intrusion Prevention Service
The Intrusion Prevention Service (IPS) is a subscription-based service that is frequently
updated to protect your networks from new attacks and undesired uses that expose your
network to potential risks such as Instant Messaging (IM) or Peer-to-Peer (P2P) applications.
For information on adding the IPS to SonicWALL appliances, refer to the Registering and
Upgrading SonicWALL Firewall Appliances section on page 643.
This section contains the following subsections:
• Overview of IPS section on page 533
• SonicWALL Deep Packet Inspection section on page 533
• Enabling Intrusion Prevention Services section on page 534
• Configuring IPS Policies section on page 536
• Manual Upload of Keyset and Signature Files section on page 537

Overview of IPS
SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high
performance Deep Packet Inspection engine for extended protection of key network services
such as Web, Email, file transfer, Windows services and DNS. SonicWALL IPS is designed to
protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware
and backdoor exploits. The extensible signature language used in SonicWALL's Deep Packet
Inspection engine also provides proactive defense against newly discovered application and
protocol vulnerabilities. SonicWALL IPS offloads the costly and time-consuming burden of
maintaining and updating signatures for new hacker attacks through SonicWALL's
industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows
SonicWALL IPS to detect and prevent attacks based on a global, attack group, or per-signature
basis to provide maximum flexibility and control false positives.

SonicWALL Deep Packet Inspection


Deep Packet Inspection looks at the data portion of the packet. The Deep Packet Inspection
technology includes intrusion detection and intrusion prevention. Intrusion detection finds
anomalies in the traffic and alerts the administrator. Intrusion prevention finds the anomalies in
the traffic and reacts to them, preventing the traffic from passing through.
Deep Packet Inspection is a technology that allows a SonicWALL Security Appliance to classify
passing traffic based on rules. These rules include information about layer 3 and layer 4 content
of the packet as well as the information that describes the contents of the packet's payload,
including the application data (for example, an FTP session, an HTTP Web browser session,
or even a middleware database connection). This technology allows the administrator to detect
and log intrusions that pass through the SonicWALL Security Appliance, as well as prevent
them (i.e. dropping the packet or resetting the TCP connection). SonicWALL's Deep Packet
Inspection technology also correctly handles TCP fragmented byte stream inspection as if no
TCP fragmentation has occurred.

How SonicWALL's Deep Packet Inspection Architecture Works
Deep Packet Inspection technology enables the SonicWALL firewall appliance to investigate
farther into the protocol to examine information at the application layer and defend against
attacks targeting application vulnerabilities. This is the technology behind SonicWALL Intrusion
Prevention Service. SonicWALL's Deep Packet Inspection technology enables dynamic
signature updates pushed from the SonicWALL Distributed Enforcement Architecture.
The following steps describe how the SonicWALL Deep Packet Inspection Architecture works:
1. Pattern Definition Language Interpreter uses signatures that can be written to detect and
   prevent against known and unknown protocols, applications and exploits.
2. TCP packets arriving out-of-order are reassembled by the Deep Packet Inspection
   framework.
3. Deep Packet Inspection engine preprocessing involves normalization of the packet's
   payload. For example, an HTTP request may be URL encoded and thus the request is URL
   decoded in order to perform correct pattern matching on the payload.
4. Deep Packet Inspection engine postprocessors perform actions which may either simply
   pass the packet without modification, or could drop a packet or could even reset a TCP
   connection.
5. SonicWALL's Deep Packet Inspection framework supports complete signature matching
   across the TCP fragments without performing any reassembly (unless the packets are out
   of order). This results in more efficient use of processor and memory for greater
   performance.

If TCP packets arrive out of order, the SonicWALL IPS engine reassembles them before
inspection. However, SonicWALL's IPS framework supports complete signature matching
across the TCP fragments without having to perform complete reassembly. SonicWALL's
unique reassembly-free matching solution dramatically reduces CPU and memory resource
requirements.
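The reassembly, normalization, matching and postprocessing steps above, as an added Python toy pipeline. It is not SonicWALL's engine or signature language; the two constructed signatures, the sample request and the function names are assumptions. The sample splits a URL-encoded directory-traversal string across out-of-order segments so that the raw request line does not match, and only the reassembled and URL-decoded request line does, which is the point of the normalization step.

```python
"""Added example: a toy of the DPI pipeline described above (reassemble, normalize, match,
postprocess). Not SonicWALL's engine; signatures, sample traffic and names are constructed."""
from urllib.parse import unquote

# Constructed signatures: substrings that must appear in the *normalized* request line.
SIGNATURES = {
    "directory-traversal": "../",
    "script-tag-in-url": "<script",
}


def reassemble(segments):
    """Put TCP segments given as (sequence_number, payload) back into stream order.
    A gap raises ValueError, since a pattern could hide across the missing bytes."""
    ordered = sorted(segments, key=lambda s: s[0])
    expected = ordered[0][0]
    stream = b""
    for seq, data in ordered:
        if seq != expected:
            raise ValueError(f"missing data before sequence {seq}")
        stream += data
        expected += len(data)
    return stream


def normalize(request_line: str) -> str:
    """Preprocessing: URL-decode once so '..%2F' and '../' hit the same pattern."""
    return unquote(request_line)


def match(text: str, signatures=SIGNATURES):
    return [name for name, pattern in signatures.items() if pattern in text]


def inspect(segments, signatures=SIGNATURES):
    """Run the pipeline on one HTTP request spread over several segments and return the
    raw matches, the matches after normalization, and the postprocessor verdict."""
    stream = reassemble(segments).decode("latin-1")
    request_line = stream.split("\r\n", 1)[0]
    raw_hits = match(request_line, signatures)
    norm_hits = match(normalize(request_line), signatures)
    return {
        "request_line": request_line,
        "raw_hits": raw_hits,
        "normalized_hits": norm_hits,
        "verdict": "drop" if norm_hits else "pass",   # postprocessor action
    }


def sample_segments():
    """Constructed request delivered out of order. The '..%2F' sequence is cut so that no
    single segment decodes to '../'; only the reassembled stream does."""
    request = (b"GET /cgi-bin/view?file=..%2Fconfig HTTP/1.1\r\n"
               b"Host: www.example.test\r\n\r\n")
    a, b, c = request[:20], request[20:24], request[24:]
    base = 1000
    return [(base + 24, c), (base, a), (base + 20, b)]
```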

Enabling Intrusion Prevention Services


To configure IPS settings for one or more SonicWALL appliances, perform the following steps:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click Intrusion Prevention. The Intrusion
   Prevention page appears.
3. Check the Enable IPS checkbox to enable the service.
4. Select the check boxes of the interface ports to monitor.
5. Configure the following settings for High Priority Attacks in the IPS Settings area:
   • To detect, log, and prevent all high priority attacks, select the Prevent All check box.
   • To detect and log all high priority attacks, select the Detect All check box.
   • To prevent the log from becoming overloaded with entries for the same attack, enter a
     value in the Log Redundancy Filter field. For example, if you entered a value of 30
     seconds and there were 100 SubSeven attacks during that period of time, only one
     attack would be logged during that 30 second period.
6. Repeat Step 3 for the remaining categories as applicable, including Medium Priority
   Attacks, Low Priority Attacks, IM (Instant Messaging) Applications, and P2P
   (Peer-to-Peer) Applications.
7. Click Configuring IPS Settings to choose one of the following options:
   • If Enable IP Reassembly is enabled, the SonicWALL security appliance reassembles
     fragmented packets for full application layer inspection.
   • If Prevent Invalid Checksum is enabled, the SonicWALL security appliance
     automatically drops and resets the connection, to prevent the traffic from reaching its
     destination.
   • If Detect Invalid Checksum is enabled, the SonicWALL security appliance logs and
     alerts any traffic, but does not take any action against the traffic. The connection
     proceeds to its intended destination.
   • If Enable IPS Exclusion List is enabled, this SonicWALL security appliance bypasses
     IPS enforcement for a specified IP range. This requires the addition of an IPS Range
     (below).
8. To force the firmware to download all signatures, click Update IPS Signature Database.
9. To reset your IPS settings to the defaults, click Reset IPS Settings & Policies.
10. When you are finished, click Update. The settings are changed for each selected
    SonicWALL appliance. To clear all screen settings and start over, click Reset.
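The Log Redundancy Filter semantics from step 5 (30 seconds, 100 SubSeven detections, one log entry) as an added Python example that is not SonicWALL code; the class, the run() helper and the event timestamps are constructed here to show which detections would reach the log and how many are suppressed.

```python
"""Added example: a log redundancy filter with the semantics of step 5 above (one log entry
per signature per window). Not SonicWALL code; the class and sample events are constructed."""
from collections import defaultdict


class LogRedundancyFilter:
    """Suppress repeated log entries for the same attack signature inside a window.
    The first event of a signature is logged and opens the window; later events for that
    signature inside the window are counted but not logged. A window of 0 logs everything."""

    def __init__(self, window_seconds: float):
        if window_seconds < 0:
            raise ValueError("window must be non-negative")
        self.window = window_seconds
        self._window_start = {}             # signature -> time of the last logged event
        self.suppressed = defaultdict(int)  # signature -> events dropped so far

    def should_log(self, signature: str, now: float) -> bool:
        start = self._window_start.get(signature)
        if start is not None and now - start < self.window:
            self.suppressed[signature] += 1
            return False
        self._window_start[signature] = now
        return True


def run(events, window_seconds: float):
    """events: iterable of (timestamp, signature), in time order.
    Returns the (timestamp, signature) pairs that would reach the log."""
    f = LogRedundancyFilter(window_seconds)
    return [(t, s) for t, s in events if f.should_log(s, t)]


def sample_events():
    """Constructed burst: 100 SubSeven detections in 30 seconds, one unrelated signature in
    the middle, then another SubSeven detection just after the window closes."""
    burst = [(i * 0.3, "SubSeven") for i in range(100)]   # 0.0 s .. 29.7 s
    return sorted(burst + [(15.0, "Other-Probe"), (31.0, "SubSeven")])
```

With a 30-second window only three entries survive: the first SubSeven detection, the unrelated probe (its own signature, its own window) and the SubSeven detection at 31 seconds; the other 99 SubSeven events are counted in the filter's suppressed map, which is what an operator would want in an alert summary.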

Configuring IPS Policies


This section allows the administrator to configure settings for individual attacks.
1. Locate the type of attack that you would like to view. To sort by category, select a category
   from the Categories list box. To sort by priority, select a priority level from the Priority list
   box.
2. After locating a type of attack to configure, click its Configure icon. The Configure IPS
   dialog box appears.
3. Select whether attack detection for this type of attack is enabled, disabled, or uses the
   default global settings for the attack category from the Prevention list box.
4. Select whether attack prevention for this type of attack is enabled, disabled, or uses the
   default global settings for the attack category from the Detection list box.
5. Select which users or groups to include for this attack type in the Included Users/Groups
   list box.
6. Select which users or groups to exclude for this attack type in the Excluded Users/Groups
   list box.
7. Select an IP address range to include for this attack type in the Included IP Address
   Range list box.
8. Select an IP address range to exclude for this attack type in the Excluded IP Address
   Range list box.
9. Select a time range to enforce attack protection on this attack type from the Schedule list
   box.
10. Enter a timespan (in seconds) in the Log Redundancy Filter (seconds) field, or select
    the checkbox to Use Category Settings.
11. When you are finished, click Update. You are returned to the Intrusion Prevention page.
12. Repeat Steps 2 through 16 for each attack to edit.
13. To reset all attacks to their default settings, click Reset ALL IPS Settings and Policies.

Manual Upload of Keyset and Signature Files


GMS now enables you to manually upload signature files in instances when the Internet is not
active on your system. This is useful for SonicWALL security appliances that do not have direct
Internet connectivity such as those deployed in high-security environments. In these situations,
GMS retrieves the new signatures and then uploads them to the SonicWALL security appliance.
To enable manual upload of signature files, perform the following steps:
1. Navigate to the Console Panel.
2. Click on the Management menu.
3. Click on the GMS Settings option. The GMS Settings dialog box displays.
4. Check the following checkbox:
   • Firewalls managed by this GMS do not have Internet Access - This indicates that the
     SonicWALL appliances managed by GMS cannot directly reach the Internet.

   Note
   Note that keyset files will be uploaded at the time of registering a unit or when there
   is a change in the user license.

5. In the Policies tab, navigate to the System > Tools page to upload keyset and signature
   files.
6. Click the Upload Signatures Now button.

Configuring the SonicWALL RBL Filter


The Real-time Black List (RBL) section allows the administrator to block sources of spam,
malware and other unscrupulous infestations by way of black-listing. In addition, SMTP servers
may also be specified as allowed by way of white-listing.
RBL list providers publish their lists via DNS. Blacklisted IP addresses appear in the database
of the list provider's DNS domain using inverted IP notation of the SMTP server in question as
a prefix to the domain name. A response code from 127.0.0.2 to 127.0.0.9 indicates some type
of undesirability. To configure Real-time Black Listing:
1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click RBL Filter. The Global Security Client screen
   displays.
3. Check the Enable Real-time Black List Blocking checkbox to enable the service.
4. In the RBL DNS Servers pull-down list, choose to Inherit Settings from WAN Zone or
   Specify DNS Servers Manually.
5. If choosing to specify your DNS servers manually, enter the server names in the DNS
   Server (1, 2, 3) fields below.
6. Click the Add RBL Service link to add a new RBL domain.
7. Enter the RBL Domain you wish to block and check the appropriate responses in the RBL
   Blocked Responses section below. You also have the option to Block All Responses.
8. Click the OK button to save this new RBL Service.
9. Click the Update button to update these settings.
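How the RBL lookup described above is formed and interpreted, as an added Python example that is not SonicWALL code. The rbl.example.test zone, the dictionary standing in for DNS and its records are constructed; a real filter would send A-record queries to the RBL DNS servers chosen in steps 4 and 5 instead. It shows the inverted-IP query name, the 127.0.0.2 to 127.0.0.9 response range, the per-service blocked responses and Block All Responses option from step 7, and the SMTP whitelist mentioned in the introduction.

```python
"""Added example: forming and interpreting an RBL (DNS blacklist) lookup as described above.
Not SonicWALL code; the zone name, the stub resolver and its records are constructed."""
from ipaddress import IPv4Address

# The page's range of meaningful answers: 127.0.0.2 .. 127.0.0.9
RBL_CODE_LOW, RBL_CODE_HIGH = IPv4Address("127.0.0.2"), IPv4Address("127.0.0.9")


def rbl_query_name(smtp_ip: str, rbl_domain: str) -> str:
    """Inverted-IP notation: 203.0.113.7 checked against rbl.example.test becomes
    7.113.0.203.rbl.example.test."""
    octets = str(IPv4Address(smtp_ip)).split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain.strip(".")


class RblService:
    """One configured RBL domain plus the responses the administrator chose to block."""

    def __init__(self, domain: str, blocked_responses=(), block_all: bool = False):
        self.domain = domain
        self.block_all = block_all            # the page's "Block All Responses" option
        self.blocked = {IPv4Address(r) for r in blocked_responses}

    def is_listed(self, answers) -> bool:
        """Answers outside 127.0.0.2-127.0.0.9 carry no meaning and are ignored."""
        codes = {IPv4Address(a) for a in answers
                 if RBL_CODE_LOW <= IPv4Address(a) <= RBL_CODE_HIGH}
        if not codes:
            return False
        return self.block_all or bool(codes & self.blocked)


class RblFilter:
    """Whitelist first, then each RBL service in order; resolver maps a name to A records."""

    def __init__(self, services, whitelist=(), resolver=None):
        self.services = list(services)
        self.whitelist = {IPv4Address(w) for w in whitelist}
        self.resolver = resolver

    def check(self, smtp_ip: str) -> str:
        """Returns 'allow' or 'block:<domain>' for the connecting SMTP server."""
        if IPv4Address(smtp_ip) in self.whitelist:
            return "allow"
        for svc in self.services:
            answers = self.resolver(rbl_query_name(smtp_ip, svc.domain))
            if svc.is_listed(answers):
                return f"block:{svc.domain}"
        return "allow"


# Constructed stand-in for DNS: query name -> list of A records (empty list = NXDOMAIN).
FAKE_DNS = {
    "7.113.0.203.rbl.example.test": ["127.0.0.2"],    # listed with code 2
    "8.113.0.203.rbl.example.test": ["127.0.0.11"],   # answer outside the meaningful range
    "9.113.0.203.rbl.example.test": ["127.0.0.4"],    # listed with code 4
    "50.113.0.203.rbl.example.test": ["127.0.0.2"],   # listed, but whitelisted below
}


def fake_resolver(name: str):
    return FAKE_DNS.get(name, [])


def demo_filter() -> RblFilter:
    """Service blocking only codes 2 and 3, plus one whitelisted SMTP server."""
    svc = RblService("rbl.example.test", blocked_responses=["127.0.0.2", "127.0.0.3"])
    return RblFilter([svc], whitelist=["203.0.113.50"], resolver=fake_resolver)
```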

Configuring the SonicWALL Gateway Anti-Virus


To configure SonicWALL Gateway Anti-Virus to begin protecting your network, you need to
perform the following steps:

Note
If your SonicWALL firewall appliance is running SonicOS Enhanced, you must enable
Gateway Anti-Virus on the appropriate zone in the Network > Zones page before
continuing.

1. Select the global icon, a group, or a SonicWALL appliance.
2. Expand the Security Services tree and click Gateway AntiVirus. The Gateway AntiVirus
   screen displays.
3. You can manually update your SonicWALL GAV database at any time by clicking the
   Update button. However, by default, the SonicWALL security appliance running
   SonicWALL GAV automatically checks for new signatures once an hour.
4. Check the Enable Gateway Anti-Virus checkbox.
5. If you have SonicWALL GMS-managed SonicWALL firewall appliances running SonicOS
   Standard, select the interface you want to enable Gateway Anti-Virus on. You can select
   from WAN, LAN/WorkPort, DMZ/HomePort/WLAN/OPT.
6. Check the boxes corresponding to the Protocols you wish to enforce Inbound and
   Outbound inspection on.

Configuring GAV Settings


Perform the following steps to configure SonicWALL Gateway Anti-Virus settings and
notification preferences:
1. Select Enable Client Notification Alerts to send relevant blocked file notifications to users
   of the SonicWALL Desktop Anti-Virus client.
2. Select Disable SMTP Responses to suppress the sending of email notifications when
   viruses are blocked at the gateway.
3. Select Disable detection of EICAR test virus to ignore this test file. The EICAR file is a
   small file (but not actually a real virus) often used to test how virus protection mechanisms
   respond to a threat.
4. It is not recommended to check the options for Enable HTTP Byte-Range requests with
   Gateway AV or Enable FTP REST requests with Gateway AV unless directed to do so
   by a SonicWALL representative.
5. Select Enable HTTP Clientless Notification Alerts to enable alerts about blocked content
   for clients who do not have SonicWALL Client Anti-Virus installed. These alerts are
   delivered by way of a standard HTML browser window. You may also enter a message
   below if using this notification type.
6. If Enable Gateway AV Exclusion List is enabled, the SonicWALL security appliance
   bypasses AV enforcement for a specified IP range. This requires the addition of an IPS
   Range.

Configuring GAV Protocols


Application-level awareness of the type of protocol that is transporting the violation allows
SonicWALL GAV to perform specific actions within the context of the application to gracefully
handle the rejection of the payload.
1. Select which types of traffic to Enable Inbound Inspection for.
2. To scan outgoing SMTP mail, select to Enable Outbound Inspection on SMTP.
3. For more granular control over protocol traffic inspection, click the settings icon for each
   of the protocols you choose. The settings window displays and allows you to restrict
   transfer of the following possibly dangerous file types:

   Table 19   Gateway AV File Restrictions

   File Type                      Security Issues
   Password protected ZIP files   This option only functions on protocols (e.g. HTTP,
                                  FTP, SMTP) that are enabled for inspection.
   MS-Office type files           Transfers of any MS Office 97 and above files that
   containing macros              contain VBA macros.
   Packed executable files        Disables the transfer of packed executable files.
   (UPX, FSG, etc.)               Packers are utilities which compress and sometimes
                                  encrypt executables. Although there are legitimate
                                  applications for these, they are also sometimes used
                                  with the intent of obfuscation, so as to make the
                                  executables less detectable by anti-virus
                                  applications. The packer adds a header that expands
                                  the file in memory, and then executes that file.

4. Click the Configure Gateway AV Settings link. The Gateway AV settings window displays.
   This window allows you to configure client notification alerts and create a SonicWALL GAV
   exclusion list.
5. To download the latest signature database from mysonicwall.com, click the Update
   Gateway AV Signature Database link.
6. Click the Update button when you are ready to save your changes.
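Two of the Table 19 restrictions, password-protected ZIP files and Office files carrying VBA macros, as an added Python example that is not SonicWALL code; the ZIP samples are built in memory and labelled constructed, and the packed-executable row is not covered. The encryption flag lives in the ZIP headers, so an inspection point can recognise a password-protected archive without being able to open it; macro-enabled Office 2007+ files are ZIP containers whose VBA project is stored as vbaProject.bin.

```python
"""Added example: the password-protected ZIP and Office-macro checks from Table 19,
applied to attachment bytes. Not SonicWALL code; samples are constructed in memory."""
import io
import struct
import zipfile

ZIP_ENCRYPTED = 0x0001          # general purpose bit 0 of the ZIP headers


def _members(data: bytes):
    """ZipInfo list for a ZIP container, or None when the bytes are not a ZIP at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def is_password_protected_zip(data: bytes) -> bool:
    """The encryption flag is in the headers, so this needs no password."""
    members = _members(data)
    return bool(members) and any(m.flag_bits & ZIP_ENCRYPTED for m in members)


def has_office_macros(data: bytes) -> bool:
    """Office 2007+ (OOXML) files are ZIPs; VBA macros are stored as vbaProject.bin."""
    members = _members(data)
    return bool(members) and any(m.filename.lower().endswith("vbaproject.bin")
                                 for m in members)


def restrictions_hit(data: bytes):
    """Names of the Table 19 restrictions that apply to this attachment."""
    hits = []
    if is_password_protected_zip(data):
        hits.append("password-protected-zip")
    if has_office_macros(data):
        hits.append("office-macros")
    return hits


def make_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def sample_encrypted_zip() -> bytes:
    """Constructed: a one-entry ZIP with bit 0 set in the local header (flags at offset 6)
    and in the central directory entry (flags at +8 from its PK\\x01\\x02 signature). The
    content is not really encrypted; only the flag the check reads is set."""
    data = bytearray(make_zip([("secret.txt", b"hello")]))
    flags = struct.unpack_from("<H", data, 6)[0]
    struct.pack_into("<H", data, 6, flags | ZIP_ENCRYPTED)
    cd = data.find(b"PK\x01\x02")
    flags = struct.unpack_from("<H", data, cd + 8)[0]
    struct.pack_into("<H", data, cd + 8, flags | ZIP_ENCRYPTED)
    return bytes(data)


def sample_docm() -> bytes:
    """Constructed skeleton of a macro-enabled Word document (not a valid document)."""
    return make_zip([("[Content_Types].xml", b"<Types/>"),
                     ("word/document.xml", b"<w:document/>"),
                     ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")])


def sample_docx() -> bytes:
    """Constructed skeleton of a macro-free Word document."""
    return make_zip([("[Content_Types].xml", b"<Types/>"),
                     ("word/document.xml", b"<w:document/>")])
```

Both checks read only container metadata, which is why the page can apply them on any protocol enabled for inspection: the gateway never needs the archive password or a full Office parser to decide that the transfer is restricted.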

Viewing SonicWALL GAV Signatures


The Gateway Anti-Virus Signatures section allows you to view the contents of the SonicWALL
GAV signature database. All the entries displayed in the Gateway Anti-Virus Signatures table
are from the SonicWALL GAV signature database downloaded to your SonicWALL security
appliance.

Note
Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
• Use Search String - Allows you to display signatures containing a specified string entered in
  the Lookup Signatures Containing String field.
• All Signatures - Displays all the signatures in the table, 50 to a page.
• 0 - 9 - Displays signature names beginning with the number you select from the menu.
• A-Z - Displays signature names beginning with the letter you select from the menu.

Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus
Signatures table. The Items field displays the table number of the first signature. If you're
displaying the first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the
navigation buttons to navigate the table.

Searching the Gateway Anti-Virus Signature Database


You can search the signature database by entering a search string in the Lookup Signatures
Containing String field, then clicking the edit (Notepad) icon. The signatures that match the
specified string are displayed in the Gateway Anti-Virus Signatures table.

Configuring the SonicWALL Anti-Spyware Service


SonicWALL Anti-Spyware is included within the SonicWALL Gateway Anti-Virus (GAV),
Anti-Spyware and Intrusion Prevention Service (IPS) unified threat management solution.
SonicWALL GAV, Anti-Spyware and IPS delivers a comprehensive, real-time gateway security
solution for your entire network.
Activating the SonicWALL Anti-Spyware license on your SonicWALL security appliance does
not automatically enable the protection. To configure SonicWALL Anti-Spyware to begin
protecting your network, you need to perform the following steps:
1. Enable SonicWALL Anti-Spyware
2. Specify Spyware Danger Level Protection
3. Apply SonicWALL Anti-Spyware Protection to Zones

Note
For complete instructions on setting up SonicWALL Anti-Spyware Service, refer to the
SonicWALL Anti-Spyware Service Administrators Guide available on the SonicWALL Web
site http://www.sonicwall.com/us/Support.html

Once you have configured these basic anti-spyware protection settings, you can perform
additional configuration options to tailor SonicWALL Spyware protection for your network
environment.

Selecting Security Services > Anti-Spyware displays the configuration settings for
SonicWALL Anti-Spyware on your SonicWALL security appliance.

The Anti-Spyware page for SonicOS Enhanced is divided into three sections:
• Anti-Spyware Status - displays status information on the state of the signature database,
  your SonicWALL Anti-Spyware license, and other information.
• Anti-Spyware Global Settings - provides the key settings for enabling SonicWALL
  Anti-Spyware on your SonicWALL security appliance, specifying global SonicWALL
  Anti-Spyware protection based on three classes of spyware, and other configuration
  options.
• Anti-Spyware Signatures - shows the status and contents of your signature database.

Warning
After activating your SonicWALL Anti-Spyware license, you must enable and
configure SonicWALL Anti-Spyware on the SonicWALL management interface
before anti-spyware policies are applied to your network traffic.

Enabling SonicWALL Anti-Spyware


SonicWALL Anti-Spyware must be globally enabled on your SonicWALL security appliance.
Select the Enable Anti-Spyware check box (a checkmark is displayed), and then click
Configure Anti-Spyware Settings to apply the settings.

Checking the Enable Anti-Spyware check box does not automatically start SonicWALL
Anti-Spyware protection. You must also specify a Prevent All action in the Signature Groups
table to activate anti-spyware on the SonicWALL security appliance, and then specify the zones
you want to protect on the Network > Zones page. You can also select Detect All for spyware
event logging and alerting.

Specifying Spyware Danger Level Protection


SonicWALL Anti-Spyware allows you to globally manage your network protection against
attacks by simply selecting the class of attacks: High Danger Level Spyware, Medium Danger
Level Spyware and Low Danger Level Spyware.
Selecting the Prevent All and Detect All check boxes for High Danger Level Spyware and
Medium Danger Level Spyware in the Signature Groups table, and then clicking Apply
protects your network against the most dangerous spyware.

Caution
SonicWALL recommends enabling Prevent All for High Danger Level Spyware and Medium
Danger Level Spyware signature groups to provide anti-spyware protection against the most
damaging and disruptive spyware applications. You can also enable Detect All for spyware
logging and alerting.

SonicWALL Anti-Spyware also allows you to configure anti-spyware policies at the category
and signature level to provide flexible granularity for tailoring SonicWALL Anti-Spyware
protection based on your network environment requirements. If you are running SonicOS
Enhanced, you can apply these custom SonicWALL Anti-Spyware policies to Address Objects,
Address Groups, and User Groups, as well as create enforcement schedules. For more
information, refer to the SonicWALL Anti-Spyware Administrators Guide available on the
SonicWALL Web site http://www.sonicwall.com/us/Support.html

Applying SonicWALL Anti-Spyware Protection to Zones (Enhanced)
For SonicWALL security appliances running SonicOS Enhanced 3.0, you apply SonicWALL
Anti-Spyware to Zones on the Network > Zones page to enforce SonicWALL Anti-Spyware not
only between each network zone and the WAN, but also between internal zones. For example,
enabling SonicWALL Anti-Spyware on the LAN zone enforces SonicWALL Anti-Spyware on all
incoming and outgoing LAN traffic.
In the Anti-Spyware Status section of the Security Services > Anti-Spyware page, click the
Network > Zones link to access the Network > Zones page or select the Network > Zones
page. You apply SonicWALL Anti-Spyware policies to a zone listed on the Network > Zones
page.
To enable SonicWALL Anti-Spyware on a zone, perform these steps:
1. In the SonicWALL security appliance management interface, select Network > Zones or,
   from the Anti-Spyware Status section on the Security Services > Anti-Spyware page,
   click the Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the Edit icon for the zone to which
   you want to apply SonicWALL IPS. The Edit Zone window is displayed.
3. Click the Enable Anti-Spyware Service checkbox. A checkmark appears. To disable
   SonicWALL Anti-Spyware Service, uncheck the box.
4. Click OK.

You can also enable SonicWALL IPS protection for new zones you create on the Network >
Zones page. Clicking the Add button displays the Add Zone window, which includes the same
settings as the Edit Zone window.

Configuring the Anti-Spyware Category


SonicWALL Anti-Spyware also allows you to configure anti-spyware policies at the category
and signature level to provide flexible granularity for tailoring SonicWALL Anti-Spyware
protection based on your network environment requirements. If you are using GMS to configure
a device that runs SonicOS Enhanced, you can apply these custom SonicWALL Anti-Spyware
policies to Address Objects, Address Groups, and User Groups, as well as create enforcement
schedules. For more information, refer to the SonicWALL Anti-Spyware Administrators Guide
available on the SonicWALL Web site http://www.sonicwall.com/us/Support.html.

Configure the fields in the Anti-Spyware Product Settings dialog box as described in the
following table.


Table 20  Anti-Spyware Product Settings

Field                       Description
Prevention                  Allows you to enable and disable intrusion prevention for the
                            device.
Detection                   Allows you to enable and disable intrusion detection for the
                            device.
Included Users/Groups       Applies the anti-spyware settings to members of the following
                            group types: All, Administrators, Everyone, Guest Services,
                            Trusted Users, Content Filtering Bypass, and Limited
                            Administrators.
Excluded Users/Groups       Does not apply the anti-spyware settings to members of the
                            following group types: All, Administrators, Everyone, Guest
                            Services, Trusted Users, Content Filtering Bypass, and Limited
                            Administrators.
Included IP Address Range   Allows you to apply the anti-spyware settings to all users that
                            fall within a specified IP address range of a specified
                            category. For more details on the categories, see the table
                            below.

For a bird's-eye view of the categories, refer to the following figure:


CHAPTER 23
Configuring Firewall High Availability
This chapter describes how to use SonicWALL GMS to configure High Availability, which allows
the administrator to specify a primary and secondary SonicWALL appliance. If the connection
to the primary device fails, connectivity transfers to the backup device.
In addition, SonicWALL GMS can use the same device pairing technology to implement
different forms of load balancing. Load balancing helps regulate the flow of network traffic by
splitting that traffic between primary and secondary SonicWALL devices. This chapter includes
the following sections:

  Configuring High Availability Settings section on page 549
  Configuring Advanced High Availability Settings section on page 550
  Monitoring High Availability section on page 552
  Verifying High Availability Status section on page 553

Note: High Availability is available at the appliance level; it cannot be configured at the
group level.

Configuring High Availability Settings

The High Availability feature configures a pair of SonicWALL appliances as a primary and
backup. The backup monitors the primary through a series of heartbeats. If the backup detects
that the primary is unavailable or has failed, it will replace the primary.
The High Availability feature is available on the following SonicWALL appliances:

  SonicWALL NSA Series
  SonicWALL NSA E-Class Series
  SonicWALL PRO 2040/3060/4060/4100/5060

To configure High Availability settings:

1. Select a SonicWALL appliance and click the Policies tab.

2. Expand the High Availability tree and click Settings. The High Availability page displays.

3. Select the Enable High Availability check box.
   When a SonicWALL appliance becomes active after startup, it looks for an active
   SonicWALL appliance that is configured for High Availability. If the other appliance is active,
   it transitions to Idle mode. Sometimes, due to network latency and other issues, it may take
   a while to find the other SonicWALL appliance.

4. Enter the Serial Number of the Backup SonicWALL security appliance to be used in the
   High Availability pair.

5. When you are finished, click Update. The settings are changed for each selected
   SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring Advanced High Availability Settings

The High Availability > Advanced page is used to configure the stateful synchronization and
Active/Active UTM features. The Advanced page also provides the ability to fine tune a number
of High Availability options that manage the settings that trigger the High Availability pair to fail
over from the primary to the backup appliance.
To configure advanced High Availability settings, perform the following steps:

1. Select a SonicWALL appliance and click the Policies tab. Expand the High Availability
   tree and click Advanced.

2. Select the Enable Stateful Synchronization checkbox to configure stateful High
   Availability. With Stateful High Availability, the primary unit actively communicates with the
   backup on a per connection and VPN level. As the primary creates and updates connection
   cache entries or VPN tunnels, the backup unit is informed of such changes. The backup
   unit remains in a continuously synchronized state so that it can seamlessly assume the
   network responsibilities upon failure of the primary unit with no interruption to existing
   network connections.

   Note: Stateful High Availability requires an additional license for the primary SonicWALL
   appliance. The license is shared between the primary and backup appliances.

3. To configure Active/Active UTM, select the Enable Active/Active UTM checkbox.
   In an active/active model, both SonicWALL firewall appliances share the processing of
   Deep Packet Inspection (DPI) UTM services. When Active/Active UTM is enabled on a
   Stateful HA pair, these DPI UTM services can be processed concurrently with firewall, NAT,
   and other modules on both the active and idle SonicWALL firewall appliances. Processing
   of all modules other than DPI UTM services is restricted to the active unit.

4. If enabling Active/Active UTM, select an interface in the HA Data Interface pull-down list.
   This interface will be used for transferring data between the two units during Active/Active
   UTM processing. Only unassigned, available interfaces appear in the pull-down list.

5. Select the Enable Preempt Mode check box to configure the primary SonicWALL
   appliance to take over from the backup SonicWALL appliance when it becomes available.
   Otherwise, the backup SonicWALL appliance will remain active.

6. Select the Generate/Overwrite Backup Firmware and Settings When Upgrading
   Firmware check box to overwrite the current firmware backup settings when upgrading.
   With this option, the current settings at the time of upgrade will be saved as backup
   settings.

7. Select the Enable Virtual MAC check box. When the Stateful High Availability Upgrade is
   licensed, Virtual MAC capability is also licensed. Virtual MAC allows the backup unit in an
   HA pair to use the MAC address of the primary unit when a failover occurs. Alternatively,
   you can manually set a virtual MAC address for both units to use. Virtual MAC addressing
   contributes to network continuity and efficiency during a failover in the same way as the use
   of virtual IP addresses. During a failover, the backup unit uses the same virtual IP address
   that was used by the primary unit. The Virtual MAC feature avoids the need to update the
   whole network to associate the virtual IP address with the actual physical MAC address of
   the backup unit.

8. Optionally, you can fine tune the following options:

   Enter the heartbeat interval (in seconds) in the Heartbeat Interval field.

   Specify how long the backup waits before replacing the primary (in seconds) in the
   Failover Trigger Level field.

   To specify how long the SonicWALL appliance looks for the other appliance in the pair,
   enter the number of seconds in the Election Delay Time field. You can enter a value
   between 0 and 300 seconds, but the default value of 0 seconds is sufficient in most cases.

   Optionally, change the value in the Dynamic Route Hold-Down Time field. This setting
   is used when a failover occurs on a High Availability pair that is using either RIP or
   OSPF dynamic routing. When a failover occurs, Dynamic Route Hold-Down Time is the
   number of seconds the newly-active appliance keeps the dynamic routes it had
   previously learned in its route table. During this time, the newly-active appliance
   relearns the dynamic routes in the network. When the Dynamic Route Hold-Down Time
   duration expires, it deletes the old routes and implements the new routes it has learned
   from RIP or OSPF. The default value is 45 seconds. In large or complex networks, a
   larger value may improve network stability during a failover.

9. When changes are made to the Primary or Secondary SonicWALL firewall appliance, the
   changes are automatically synchronized between the two SonicWALL firewall appliances.
   To cause the synchronization to occur now, click Synchronize Settings. Additionally,
   selecting Include Certificates/Keys will synchronize certificates and keys between
   devices.

10. To force the backup device to load and reboot to current firmware from the primary device,
    click the Synchronize Firmware link.

11. When you are finished, click Update. The settings are changed for each selected
    SonicWALL appliance. To clear all screen settings and start over, click Reset.

Monitoring High Availability

On the High Availability > Monitoring page, you can specify IP addresses that the SonicWALL
security appliance performs an ICMP ping on to determine link viability. When using logical
monitors, the SonicWALL will ping the defined Probe IP Address target from the Primary as well
as the Backup SonicWALL. If both can successfully ping the target, no failover occurs. If both
cannot successfully ping the target, no failover occurs, as the SonicWALLs will assume that the
problem is with the target, and not the SonicWALLs. But, if one SonicWALL can ping the target
but the other SonicWALL cannot, it will fail over to the SonicWALL that can ping the target.
To configure interface monitoring between the primary and backup appliances, perform the
following steps:

1. Expand the High Availability tree and click Monitoring. The Monitoring Settings page
   displays.

2. Click on the configure icon for the X0 interface. The Interface X0 Monitoring Settings
   window displays.

3. Enter the LAN management IP address for the primary appliance in the Primary IP
   Address field.

4. Enter the LAN management IP address for the backup appliance in the Backup IP
   Address field.

5. (Optional) Check the Enable Interface Monitoring checkbox and enter the IP address of
   a reliable device on the LAN network in the Probe IP Address field. This should be a
   downstream router or server. The primary and backup appliances will regularly ping this
   probe IP address. If both can successfully ping the target, no failover occurs. If neither can
   successfully ping the target, no failover occurs, because it is assumed that the problem is
   with the target, and not the SonicWALL appliances. But, if one appliance can ping the target
   but the other appliance cannot, failover will occur to the appliance that can ping the target.

6. (Optional) To manually specify the virtual MAC address, check the Manual Virtual MAC
   checkbox and enter a MAC address. SonicWALL recommends that you manually configure
   the virtual MAC address only if the appliances do not have Internet access (for example, in
   secure network environments). Allowing the appliances to retrieve the virtual MAC address
   from the SonicWALL backend eliminates the possibility of configuration errors and ensures
   the uniqueness of the virtual MAC address, which prevents possible conflicts.

7. Click OK.

8. Click on the configure icon for the X1 interface and repeat steps 3 through 7 for the WAN
   IP addresses on the primary and backup appliances.
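The failover rules described in step 8 of the Advanced settings (Heartbeat Interval, Failover Trigger Level, Preempt Mode) together with the Probe IP Address logic above, as an added simulation that is not SonicWALL code; the one-second step model, the timing values, and the treatment of a probe result reported by a unit that has stopped heartbeating are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class HAConfig:
    """The subset of High Availability settings this simulation models (values constructed)."""
    heartbeat_interval: int = 5        # Heartbeat Interval, seconds between heartbeats
    failover_trigger_level: int = 15   # Failover Trigger Level, seconds the backup waits
    preempt_mode: bool = False         # Enable Preempt Mode


# (second, unit that became active, reason)
Event = Tuple[int, str, str]


def simulate(cfg: HAConfig, duration: int,
             heartbeat_seen: Callable[[int], bool],
             probe: Callable[[int], Optional[Tuple[bool, bool]]]) -> List[Event]:
    """Step the pair one second at a time and record every change of the active unit.

    heartbeat_seen(t): True if the backup receives the heartbeat the primary sends at
                       second t (consulted only on heartbeat ticks).
    probe(t): (primary_reached_probe_ip, backup_reached_probe_ip) for a logical-monitor
              check at second t, or None when no check is due. A unit that is down is
              expected to report False (assumption).
    """
    active = "primary"
    last_heartbeat = 0
    primary_was_alive = True
    events: List[Event] = []
    for t in range(1, duration + 1):
        if t % cfg.heartbeat_interval == 0 and heartbeat_seen(t):
            last_heartbeat = t
        primary_alive = (t - last_heartbeat) <= cfg.failover_trigger_level

        # Heartbeat loss: the backup replaces the primary once it has waited longer than
        # the Failover Trigger Level without hearing from it.
        if active == "primary" and not primary_alive:
            active = "backup"
            events.append((t, active, "heartbeat timeout"))
        # Preempt Mode: the primary takes over again as soon as it becomes available;
        # without it the backup remains active.
        elif (active == "backup" and cfg.preempt_mode
              and primary_alive and not primary_was_alive):
            active = "primary"
            events.append((t, active, "preempt"))
        primary_was_alive = primary_alive

        # Logical monitoring of the Probe IP Address: both reach it or neither does,
        # no failover (a double failure is blamed on the target); exactly one does, the
        # unit that can reach it becomes active.
        result = probe(t)
        if result is not None:
            primary_ok, backup_ok = result
            if primary_ok != backup_ok:
                wanted = "primary" if primary_ok else "backup"
                if wanted != active and (wanted == "backup" or primary_alive):
                    active = wanted
                    events.append((t, active, "probe"))
    return events


def scenario_primary_outage(preempt: bool) -> List[Event]:
    """Constructed scenario: the primary's heartbeats are lost during seconds 31-60."""
    cfg = HAConfig(heartbeat_interval=5, failover_trigger_level=15, preempt_mode=preempt)
    return simulate(cfg, 90, lambda t: not 31 <= t <= 60, lambda t: None)


def scenario_probe_failure() -> List[Event]:
    """Constructed scenario: heartbeats stay healthy while the probe target is unreachable
    from the primary only (t=20), from both (t=30), from the backup only (t=40), then
    from neither (t=50)."""
    checks = {20: (False, True), 30: (False, False), 40: (True, False), 50: (True, True)}
    return simulate(HAConfig(), 60, lambda t: True, checks.get)


if __name__ == "__main__":
    print("outage, no preempt:", scenario_primary_outage(False))
    print("outage, preempt:   ", scenario_primary_outage(True))
    print("probe monitoring:  ", scenario_probe_failure())
```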

Verifying High Availability Status


Under the unit view, GMS displays whether an appliance is the primary or secondary unit on
the System > Status page under the Management heading. For more information, refer to the
Viewing System Status section on page 185.
Another method to determine which SonicWALL is active is to check the High Availability
Settings Status indicator on the High Availability > Settings page. If the primary SonicWALL
is active, the first line in the page indicates that the primary SonicWALL is currently Active. It is
also possible to check the status of the backup SonicWALL by logging into the LAN IP Address
of the backup SonicWALL. If the primary SonicWALL is operating normally, the status indicates
that the backup SonicWALL is currently Idle. If the backup has taken over for the primary, the
status indicates that the backup is currently Active.
Using the GEM framework, you can also configure GMS to send email alerts when there is a
change in the status of the High Availability pair. You can configure an alert using the Unit HF
Status alert type. For information on how to configure alerts, see the Granular Event
Management chapter.
You can also view details on High Availability events in the GMS log, which is available on the
Console tab under the Log tree. Refer to the Configuring Firewall Log Settings section on
page 305 for more information.


CHAPTER 24
Configuring Firewall SonicPoints
This chapter describes how to configure SonicPoint managed secure wireless access points.
This chapter includes the following sections:

  Managing SonicPoints section on page 555
  Viewing Station Status section on page 567
  Using and Configuring SonicPoint IDS section on page 568
  Using and Configuring Virtual Access Points section on page 570
  Configuring FairNet section on page 573

Managing SonicPoints
The SonicPoint section of GMS lets you manage the SonicPoints connected to your system.


Before Managing SonicPoints

Before you can manage SonicPoints in GMS, you must first:

  Configure your SonicPoint Provisioning Profiles
  Configure a Wireless zone
  Assign profiles to wireless zones
    This step is optional. If you do not assign a default profile for a zone, SonicPoints in that
    zone will use the first profile in the list.
  Assign an interface to the Wireless zone
  Attach the SonicPoints to the interfaces in the Wireless zone
  Test SonicPoints

SonicPoint Provisioning Profiles

SonicPoint Provisioning Profiles provide a scalable and highly automated method of
configuring and provisioning multiple SonicPoints across a Distributed Wireless Architecture.
SonicPoint Profile definitions include all of the settings that can be configured on a SonicPoint,
such as radio settings for the 2.4GHz and 5GHz radios, SSIDs, and channels of operation.
Once you have defined a SonicPoint profile, you can apply it to a Wireless zone. Each Wireless
zone can be configured with one SonicPoint profile. Any profile can apply to any number of
zones.
Table 21  Default SonicPoint Profile

Setting              802.11a Radio            802.11g Radio               802.11n Radio
Enable Radio         Yes - Always on          Yes - Always on             Yes - Always on
SSID                 sonicwall                sonicwall                   sonicwall-D790 (where D790
                                                                          is an example; this is
                                                                          determined by the hardware
                                                                          address)
Radio Mode           54Mbps 802.11a           2.4 GHz 54Mbps 802.11g      2.4 GHz 802.11n/g/b Mixed
Channel              AutoChannel              AutoChannel                 AutoChannel
ACL Enforcement      Disabled                 Disabled                    Disabled
Authentication Type  WEP - Both Open          WEP - Both Open             WEP - Both Open
                     System & Shared Key      System & Shared Key         System & Shared Key
Schedule IDS Scan    Disabled                 Disabled                    Disabled
Data Rate            Best                     Best                        Best
Antenna Diversity    Best                     Best                        Best

Configuring a SonicPoint Profile

The SonicPoint profile configuration process for 802.11n is slightly different than for 802.11a or
802.11g. The following sections describe how to configure SonicPoint profiles:

  Configuring a SonicPointN Profile for 802.11n on page 557
  Configuring a SonicPoint Profile for 802.11a or 802.11g on page 562

Configuring a SonicPointN Profile for 802.11n

You can add any number of SonicPoint profiles. To configure a SonicPoint provisioning profile:

Step 1  To add a new profile, click Add SonicPointN below the list of SonicPoint 802.11n
        provisioning profiles. To edit an existing profile, select the profile and click the Configure
        icon in the same line as the profile you are editing.

Step 2  In the General tab of the Add Profile window, specify:

    Enable SonicPoint: Check this to automatically enable each SonicPoint when it is
    provisioned with this profile.

    Retain Settings: Check this to have the SonicPointNs provisioned by this profile retain
    these settings until the appliance is rebooted.

    Name Prefix: Enter a prefix for the names of all SonicPointNs connected to this zone.
    When each SonicPointN is provisioned it is given a name that consists of the name
    prefix and a unique number, for example: SonicPoint 126008.

    Country Code: Select the country where you are operating the SonicPointNs. The
    country code determines which regulatory domain the radio operation falls under.

    802.11n Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access
    Point (VAP) group to assign these SonicPointNs to a VAP. This pull-down menu allows
    you to create a new VAP group. For more information on VAPs, refer to the Using and
    Configuring Virtual Access Points section on page 570.

Step 3  In the 802.11n tab, configure the radio settings for the 802.11n radio:

    Enable Radio: Check this to automatically enable the 802.11n radio bands on all
    SonicPoints provisioned with this profile.

    Radio Mode: Select your preferred radio mode from the Radio Mode menu. The
    wireless security appliance supports the following modes:

        2.4GHz 802.11n Only - Allows only 802.11n clients access to your wireless
        network. 802.11a/b/g clients are unable to connect under this restricted radio mode.

        2.4GHz 802.11n/g/b Mixed - Supports 802.11b, 802.11g, and 802.11n clients
        simultaneously. If your wireless network comprises multiple types of clients, select
        this mode.

        Tip: For optimal throughput speed solely for 802.11n clients, SonicWALL recommends
        the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple
        wireless client authentication compatibility.

        2.4GHz 802.11g Only - If your wireless network consists only of 802.11g clients,
        you may select this mode for increased 802.11g performance. You may also select
        this mode if you wish to prevent 802.11b clients from associating.

        5 GHz 802.11n Only - Allows only 802.11n clients access to your wireless network.
        802.11a/b/g clients are unable to connect under this restricted radio mode.

        5 GHz 802.11n/a Mixed - Supports 802.11n and 802.11a clients simultaneously. If
        your wireless network comprises both types of clients, select this mode.

        5 GHz 802.11a Only - Select this mode if only 802.11a clients access your wireless
        network.

    SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile.
    This is the name that will appear in clients' lists of available wireless connections.

    Note: If all SonicPoints in your organization share the same SSID, it is easier for users to
    maintain their wireless connection when roaming from one SonicPoint to another.

    When the wireless radio is configured for a mode that supports 802.11n, the following
    options are displayed:

    Radio Band (802.11n only): Sets the band for the 802.11n radio:

        Auto - Allows the appliance to automatically detect and set the optimal channel for
        wireless operation based on signal strength and integrity. This is the default setting.

        Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the
        standard 20 MHz channel. When this option is selected, the Standard Channel
        pull-down menu is displayed.

            Standard Channel - This pull-down menu only displays when the 20 MHz channel
            is selected. By default, this is set to Auto, which allows the appliance to set the
            optimal channel based on signal strength and integrity. Optionally, you can select a
            single channel within the range of your regulatory domain. Selecting a specific
            channel can also help with avoiding interference with other wireless networks in
            the area.

        Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide
        40 MHz channel. When this option is selected, the Primary Channel and Secondary
        Channel pull-down menus are displayed:

            Primary Channel - By default this is set to Auto. Optionally, you can specify a
            specific primary channel.

            Secondary Channel - The configuration of this pull-down menu is controlled by
            your selection for the primary channel:
            If the primary channel is set to Auto, the secondary channel is also set to Auto.
            If the primary channel is set to a specific channel, the secondary channel is set to
            the optimum channel to avoid interference with the primary channel.

    Enable Short Guard Interval: Specifies the short guard interval of 400ns (as opposed to
    the standard guard interval of 800ns). The guard interval is a pause in transmission
    intended to avoid data loss from interference or multipath delays.

    Enable Aggregation: Enables 802.11n frame aggregation, which combines multiple
    frames to reduce overhead and increase throughput.

    Tip: The Enable Short Guard Interval and Enable Aggregation options can slightly improve
    throughput. They both function best in optimum network conditions where users have
    strong signals with little interference. In networks that experience less than optimum
    conditions (interference, weak signals, etc.), these options may introduce transmission
    errors that eliminate any efficiency gains in throughput.

    ACL Enforcement: Select this to enforce Access Control by allowing or denying traffic
    from specific devices. Select a MAC address group from the Allow List to automatically
    allow traffic from all devices with MAC addresses in the group. Select a MAC address
    group from the Deny List to automatically deny traffic from all devices with MAC
    addresses in the group. The deny list is enforced before the Allow list.
Step 4  In the Wireless Security section of the 802.11n Radio tab, configure the following
        settings:

    Authentication Type: Select the method of authentication for your wireless network.
    You can select WEP - Both (Open System & Shared Key), WEP - Open System,
    WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP,
    WPA2-AUTO-PSK, and WPA2-AUTO-EAP.

    WEP Configuration:

        WEP Key Mode: Select the size of the encryption key.

        Default Key: Select which key in the list below is the default key, which will be tried
        first when trying to authenticate a user.

        Key Entry: Select whether the key is alphanumeric or hexadecimal.

        Key 1 - Key 4: Enter the encryption keys for WEP encryption. Enter the key most
        likely to be used in the field you selected as the default key.

    WPA or WPA2 Configuration:

        Cipher Type: The cipher that encrypts your wireless data. Choose either TKIP (older,
        more compatible), AES (newer, more secure), or Both (backward compatible).

        Group Key Interval: The time period for which a Group Key is valid. The default value
        is 86400 seconds. Setting too low a value can cause connection issues.

        Passphrase (PSK only): This is the passphrase your network users must enter to gain
        network access.

        RADIUS Server Settings (EAP Only): Configure settings for your RADIUS
        authentication server.

Step 5  In the Advanced tab, configure the performance settings for the 802.11n radio. For most
        802.11n advanced options, the default settings give optimum performance.

    Hide SSID in Beacon: Check this option to have the SSID broadcast as part of the
    wireless beacon, rather than as a separate broadcast.

    Schedule IDS Scan: Select a time when there are fewer demands on the wireless
    network to schedule an Intrusion Detection Service (IDS) scan to minimize the
    inconvenience of dropped wireless connections.

    Data Rate: Select the speed at which the data is transmitted and received. Best
    automatically selects the best rate available in your area given interference and other
    factors. Or you can manually select a data rate.

    Transmit Power: Select the transmission power. Transmission power affects the range
    of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth
    (-9 dB), or Minimum.

    Antenna Diversity: The Antenna Diversity setting determines which antenna the
    SonicPoint uses to send and receive data. When Best is selected, the SonicPoint
    automatically selects the antenna with the strongest, clearest signal.

    Beacon Interval (milliseconds): Enter the number of milliseconds between sending
    out a wireless beacon.

    DTIM Interval: Enter the interval in milliseconds.

    Fragmentation Threshold (bytes): Enter the number of bytes of fragmented data you
    want the network to allow.

    RTS Threshold (bytes): Enter the number of bytes.

    Maximum Client Associations: Enter the maximum number of clients you want the
    SonicPoint to support on this radio at one time.

    Preamble Length: Select the length of the preamble, the initial wireless
    communication sent when associating with a wireless host. You can select Long or
    Short.

    Protection Mode: Select the CTS or RTS protection. Select None, Always, or Auto.
    None is the default.

    Protection Rate: Select the speed for the CTS or RTS protection: 1 Mbps, 2 Mbps,
    5 Mbps, or 11 Mbps.

    Protection Type: Select the type of protection, CTS-only or RTS-CTS.

    Enable Short Slot Time: Allow clients to disassociate and reassociate more quickly.

    Allow Only 802.11g Clients to Connect: Use this if you are using Turbo G mode and
    therefore are not allowing 802.11b clients to connect.

When a SonicPoint unit is first connected and powered up, it will have a factory default
configuration (IP address 192.168.1.20, username: admin, password: password). Upon
initializing, it will attempt to find a SonicOS device with which to peer. If it is unable to find a
peer SonicOS device, it will enter into a stand-alone mode of operation with a separate
stand-alone configuration allowing it to operate as a standard Access Point.
If the SonicPoint does locate, or is located by a peer SonicOS device, via the SonicWALL
Discovery Protocol, an encrypted exchange between the two units will ensue wherein the
profile assigned to the relevant Wireless zone will be used to automatically configure
(provision) the newly added SonicPoint unit.
As part of the provisioning process, SonicOS will assign the discovered SonicPoint device a
unique name, and it will record its MAC address and the interface and zone on which it was
discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so
that the SonicPoint can communicate with an authentication server for WPA-EAP support.
SonicOS will then use the profile associated with the relevant zone to configure the 2.4GHz and
5GHz radio settings.


Modifications to profiles will not affect units that have already been provisioned and are in an
operational state. Configuration changes to operational SonicPoint devices can occur in two
ways:

  Via manual configuration changes: Appropriate when a single change, or a small set of
  changes, is to be made, particularly when that individual SonicPoint requires settings that
  are different from the profile assigned to its zone.

  Via un-provisioning: Deleting a SonicPoint unit effectively un-provisions the unit, or clears
  its configuration and places it into a state where it will automatically engage the
  provisioning process anew with its peer SonicOS device. This technique is useful when the
  profile for a zone is updated or changed, and the change is set for propagation. It can be
  used to update firmware on SonicPoints, or to simply and automatically update multiple
  SonicPoint units in a controlled fashion, rather than changing all peered SonicPoints at
  once, which can cause service disruptions.

Configuring a SonicPoint Profile for 802.11a or 802.11g

You can add any number of SonicPoint profiles. To configure a SonicPoint provisioning profile:

Step 1  To add a new profile, click Add below the list of SonicPoint provisioning profiles. To edit
        an existing profile, select the profile and click the edit icon in the same line as the profile
        you are editing.

Step 2  In the General tab of the Add Profile window, specify:

    Enable SonicPoint: Check this to automatically enable each SonicPoint when it is
    provisioned with this profile.

    Retain Settings: Check this to have the SonicPoints provisioned by this profile retain
    these settings until the appliance is rebooted.

    Enable RF Monitoring: Check this to enable RF monitoring on the SonicPoints.

    Name Prefix: Enter a prefix for the names of all SonicPoints connected to this zone.
    When each SonicPoint is provisioned it is given a name that consists of the name prefix
    and a unique number, for example: SonicPoint 126008.

    Country Code: Select the country where you are operating the SonicPoints. The
    country code determines which regulatory domain the radio operation falls under.

    802.11g Virtual AP Group and 802.11a Virtual AP Group: (optional; on SonicWALL
    NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPoints to a
    VAP. This pull-down menu allows you to create a new VAP group. For more information
    on VAPs, see Using and Configuring Virtual Access Points on page 570.

Step 3  In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio:

    Enable 802.11g Radio: Check this to automatically enable the 802.11g radio bands on
    all SonicPoints provisioned with this profile.

    SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile.
    This is the name that will appear in clients' lists of available wireless connections.

    Note: If all SonicPoints in your organization share the same SSID, it is easier for users to
    maintain their wireless connection when roaming from one SonicPoint to another.

    Radio Mode: Select the speed of the wireless connection. You can choose 11Mbps -
    802.11b, 54 Mbps - 802.11g, or 108 Mbps - Turbo G mode. If you choose Turbo mode,
    all users in your company must use wireless access cards that support turbo mode.

    Channel: Select the channel the radio will operate on. The default is AutoChannel,
    which automatically selects the channel with the least interference. Use AutoChannel
    unless you have a specific reason to use or avoid specific channels.

    ACL Enforcement: Select this to enforce Access Control by allowing or denying traffic
    from specific devices. Select a MAC address group from the Allow List to automatically
    allow traffic from all devices with MAC addresses in the group. Select a MAC address
    group from the Deny List to automatically deny traffic from all devices with MAC
    addresses in the group. The deny list is enforced before the Allow list.

    Authentication Type: Select the method of authentication for your wireless network.
    You can select WEP - Both (Open System & Shared Key), WEP - Open System,
    WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP,
    WPA2-AUTO-PSK, and WPA2-AUTO-EAP.

    WEP Key Mode: Select the size of the encryption key.

    Default Key: Select which key in the list below is the default key, which will be tried first
    when trying to authenticate a user.

    Key Entry: Select whether the key is alphanumeric or hexadecimal.

    Key 1 - Key 4: Enter the encryption keys for WEP encryption. Enter the key most likely
    to be used in the field you selected as the default key.

Step 4
In the 802.11g Advanced tab, configure the performance settings for the 802.11g radio. For
most 802.11g advanced options, the default settings give optimum performance.

Hide SSID in Beacon: Check this option to omit the SSID from the wireless beacon, so the
network name is not advertised and clients must be configured with it. Hiding the SSID is
not a security control: the SSID is still sent in the clear in the probe and association frames
of every connecting client and is trivially recovered by a passive sniffer.

Schedule IDS Scan: Select a time when there are fewer demands on the wireless
network to schedule an Intrusion Detection Service (IDS) scan, to minimize the
inconvenience of dropped wireless connections.

Data Rate: Select the speed at which the data is transmitted and received. Best
automatically selects the best rate available in your area given interference and other
factors. Or you can manually select a data rate.

Transmit Power: Select the transmission power. Transmission power affects the range
of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth
(-9 dB), or Minimum.

Antenna Diversity: The Antenna Diversity setting determines which antenna the
SonicPoint uses to send and receive data. You can select:

Best: This is the default setting. When Best is selected, the SonicPoint
automatically selects the antenna with the strongest, clearest signal. In most cases,
Best is the optimal setting.

1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the
SonicPoint, antenna 1 is on the left, closest to the power supply.

2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing the rear of the
SonicPoint, antenna 2 is on the right, closest to the console port.

Beacon Interval (milliseconds): Enter the number of milliseconds between sending
out a wireless beacon.

DTIM Interval: Enter the number of beacon intervals between Delivery Traffic Indication
Messages (a DTIM is carried in every Nth beacon; 1 means every beacon).

Fragmentation Threshold (bytes): Enter the frame size, in bytes, above which the radio
fragments a frame before transmitting it.

RTS Threshold (bytes): Enter the frame size, in bytes, above which the radio performs the
RTS/CTS handshake before transmitting.


Maximum Client Associations: Enter the maximum number of clients you want the
SonicPoint to support on this radio at one time.

Preamble Length: Select the length of the preamble, the initial wireless
communication sent when associating with a wireless host. You can select Long or
Short.

Protection Mode: Select the CTS or RTS protection. Select None, Always, or Auto.
None is the default.

Protection Rate: Select the speed for the CTS or RTS protection: 1 Mbps, 2 Mbps, 5
Mbps, or 11 Mbps.

Protection Type: Select the type of protection, CTS-only or RTS-CTS.

CCK OFDM Power Delta: Select the difference in radio transmit power you will allow
between the 802.11b and 802.11g modes: 0 dBm, 1 dBm, or 2 dBm.

Enable Short Slot Time: Use the shorter 802.11g slot time (9 µs instead of the 20 µs
802.11b slot), which raises throughput when no 802.11b clients are associated. Leave it
disabled on a radio that must also serve 802.11b clients.

Allow Only 802.11g Clients to Connect: Use this if you are using Turbo G mode and
therefore are not allowing 802.11b clients to connect.

Step 5

Configure the settings in the 802.11a Radio and 802.11a Advanced tabs. These settings affect
the operation of the 802.11a radio bands. The SonicPoint has two separate radios built in.
Therefore, it can send and receive on both the 802.11a and 802.11g bands at the same time.
The settings in the 802.11a Radio and 802.11a Advanced tabs are similar to the settings in the
802.11g Radio and 802.11g Advanced tabs. Follow the instructions in step 3 and step 4 in this
procedure to configure the 802.11a radio.
When a SonicPoint unit is first connected and powered up, it will have a factory default
configuration (IP address 192.168.1.20, username: admin, password: password). Upon
initializing, it will attempt to find a SonicOS device with which to peer. If it is unable to find a
peer SonicOS device, it will enter into a stand-alone mode of operation with a separate
stand-alone configuration allowing it to operate as a standard Access Point. A unit left in
stand-alone mode is reachable with those well-known default credentials, so do not leave one
on a production network unless it has peered with a SonicOS device or its password has been
changed.
If the SonicPoint does locate, or is located by a peer SonicOS device, via the SonicWALL
Discovery Protocol, an encrypted exchange between the two units will ensue wherein the
profile assigned to the relevant Wireless zone will be used to automatically configure
(provision) the newly added SonicPoint unit.
As part of the provisioning process, SonicOS will assign the discovered SonicPoint device a
unique name, and it will record its MAC address and the interface and zone on which it was
discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so
that the SonicPoint can communicate with an authentication server for WPA-EAP support.
SonicOS will then use the profile associated with the relevant zone to configure the 2.4GHz and
5GHz radio settings.
Modifications to profiles will not affect units that have already been provisioned and are in an
operational state. Configuration changes to operational SonicPoint devices can occur in two
ways:


Via manual configuration changes: Appropriate when a single change, or a small set of
changes, is to be made, particularly when that individual SonicPoint requires settings that are
different from the profile assigned to its zone.

Via un-provisioning: Deleting a SonicPoint unit effectively un-provisions the unit, or clears
its configuration and places it into a state where it will automatically engage the provisioning
process anew with its peer SonicOS device. This technique is useful when the profile for a
zone is updated or changed, and the change is set for propagation. It can be used to update
firmware on SonicPoints, or to simply and automatically update multiple SonicPoint units in
a controlled fashion, rather than changing all peered SonicPoints at once, which can cause
service disruptions.


Updating SonicPoint Settings


You can change the settings of any individual SonicPoint listed on the SonicPoint > SonicPoints
page.

Edit SonicPoint settings


To edit the settings of an individual SonicPoint:
1. Under SonicPoint Settings, click the Edit icon in the same line as the SonicPoint you
want to edit.

2. In the Edit SonicPoint screen, make the changes you want. The Edit SonicPoint screen has
the following tabs:
General
802.11a Radio
802.11a Advanced
802.11g Radio
802.11g Advanced

The options on these tabs are the same as the Add SonicPoint Profile screen. Refer to the
SonicPoint Provisioning Profiles section on page 556 for instructions on configuring these
settings.

3. Click OK to apply these settings.

Synchronize SonicPoints
Click Synchronize SonicPoints at the top of the SonicPoint > SonicPoints page to update
the settings for each SonicPoint reported on the page. When you click Synchronize
SonicPoints, SonicOS polls all connected SonicPoints and displays updated settings on the
page.

Enable and Disable Individual SonicPoints


You can enable or disable individual SonicPoints on the SonicPoint > SonicPoints page:
1. Check the box under Enable to enable the SonicPoint, or uncheck the box to disable it.

2. Click Apply at the top of the SonicPoint > SonicPoints page to apply this setting to the
SonicPoint.


SonicPoint WLAN Scheduling


GMS now supports scheduling activation of both the 802.11a Radio and the 802.11g Radio. To
schedule these radios, perform the following steps:
1. Navigate to the Policies Panel.

2. Select either a SonicPoint G or SonicPoint A device in the unit list.



3. In the Navigation Bar, click the SonicPoint menu to display SonicPoint options.

4. Click the SonicPoints option. GMS displays the SonicPoints dialog box.

5. Click on an existing SonicPoint device in the device list or click Add. GMS displays the
SonicPoint Profile dialog box containing a series of tabs.

6. Click either the 802.11g Radio or 802.11a Radio tab, depending on which radio you want
to schedule.

7. Click on the Schedule list box at the top of the screen to the right of the Enable checkbox,
and select the schedule during which the radio should be active.
The following figure is an example of a scheduling list box (for 802.11g).

Updating SonicPoint Firmware


SonicOS Enhanced 2.5 (or greater) contains an image of the SonicPoint firmware. When you
connect a SonicPoint to a security appliance running SonicOS Enhanced 2.5 (or greater), the
appliance checks the version of the SonicPoints firmware, and automatically updates it, if
necessary.

Automatic Provisioning (SDP & SSPP)


The SonicWALL Discovery Protocol (SDP) is a layer 2 protocol employed by SonicPoints and
devices running SonicOS Enhanced 2.5 and higher. SDP is the foundation for the automatic
provisioning of SonicPoint units via the following messages:

Advertisement: SonicPoint devices without a peer will periodically, and on startup,
announce or advertise themselves via a broadcast. The advertisement will include
information that will be used by the receiving SonicOS device to ascertain the state of the
SonicPoint. The SonicOS device will then report the state of all peered SonicPoints, and
will take configuration actions as needed.

Discovery: SonicOS devices will periodically send discovery request broadcasts to elicit
responses from L2 connected SonicPoint units.

Configure Directive: A unicast message from a SonicOS device to a specific SonicPoint
unit to establish encryption keys for provisioning, and to set the parameters for and to
engage configuration mode.

Configure Acknowledgement: A unicast message from a SonicPoint to its peered
SonicOS device acknowledging a Configure Directive.

Keepalive: A unicast message from a SonicPoint to its peered SonicOS device used to
validate the state of the SonicPoint.

If via the SDP exchange the SonicOS device ascertains that the SonicPoint requires
provisioning or a configuration update (e.g. on calculating a checksum mismatch, or when a
firmware update is available), the Configure Directive will engage a 3DES encrypted, reliable


TCP based SonicWALL Simple Provisioning Protocol (SSPP) channel. The SonicOS device will
then send the update to the SonicPoint via this channel, and the SonicPoint will restart with the
updated configuration. State information will be provided by the SonicPoint, and will be
viewable on the SonicOS device throughout the entire discovery and provisioning process.
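The following is an added example, not SonicWALL code, that models the controller-side decision and the message flow described above. A SonicPoint advertises itself, the SonicOS peer compares what it reports against the zone profile and the bundled firmware, and either leaves the unit alone, pushes configuration, or pushes firmware over the SSPP channel. The advertisement fields, the checksum scheme (SHA-256 over canonical JSON) and the firmware comparison are assumptions made for illustration; the real wire format is not documented on this page.

```python
"""Simplified model of the SDP/SSPP provisioning decision (illustrative, not SonicWALL code)."""

import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    """What a peerless SonicPoint is assumed to broadcast (assumed field names)."""
    mac: str
    zone: str               # zone of the interface the broadcast arrived on
    firmware: tuple         # e.g. (2, 5, 0)
    config_checksum: str    # checksum of the configuration the unit is running


def profile_checksum(profile: dict) -> str:
    """Deterministic checksum over a zone profile. Assumed scheme: SHA-256 of
    canonical JSON; the controller's real checksum is not documented here."""
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


# Constructed controller state: one profile per wireless zone, plus the
# SonicPoint firmware image bundled with SonicOS.
ZONE_PROFILES = {
    "WLAN": {"ssid": "corp-wifi", "auth": "WPA2-EAP", "radio_mode": "54 Mbps - 802.11g"},
}
BUNDLED_FIRMWARE = (2, 5, 2)


def decide(adv: Advertisement, profiles=ZONE_PROFILES, bundled=BUNDLED_FIRMWARE) -> str:
    """Controller-side decision after receiving an Advertisement."""
    profile = profiles.get(adv.zone)
    if profile is None:
        # Assumption: no profile for that zone, so the unit is not peered and
        # stays in stand-alone mode as the text describes.
        return "no-peer"
    if adv.firmware < bundled:
        return "update-firmware"
    if adv.config_checksum != profile_checksum(profile):
        return "provision"
    return "in-sync"


def exchange(adv: Advertisement) -> list:
    """Messages that follow the decision, as (sender->receiver, message) pairs."""
    msgs = [("SP->OS", "Advertisement")]
    action = decide(adv)
    if action == "no-peer":
        return msgs
    if action == "in-sync":
        return msgs + [("SP->OS", "Keepalive")]
    # Provisioning or firmware update: the Configure Directive sets up keys,
    # then the payload travels over the 3DES-encrypted TCP SSPP channel and
    # the SonicPoint restarts with the new configuration.
    return msgs + [
        ("OS->SP", "Configure Directive"),
        ("SP->OS", "Configure Acknowledgement"),
        ("OS->SP", f"SSPP push: {action}"),
        ("SP->OS", "restart, then Keepalive"),
    ]


if __name__ == "__main__":
    adv = Advertisement("00:06:b1:00:00:01", "WLAN", (2, 5, 0), "deadbeefdeadbeef")
    for sender, msg in exchange(adv):
        print(f"{sender}: {msg}")
```

The checksum comparison is what makes profile edits harmless to already provisioned units: an operational SonicPoint keeps reporting the checksum of the configuration it runs, and only a deleted (un-provisioned) unit advertises again and is re-evaluated against the current profile.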

Viewing Station Status


Station Status allows the administrator to view status and individual statistics for all SonicPoint
devices connected to the currently selected SonicWALL firewall appliance.

Event and Statistics Reporting


The SonicPoint > Station Status page reports on the statistics of each SonicPoint.
The table lists entries for each wireless client connected to each SonicPoint. The sections of
the table are divided by SonicPoint. Under each SonicPoint, is the list of all clients currently
connected to it.
Click the Refresh button in the top right corner to refresh the list.
By default, the page displays the first 50 entries found. Click the First Page, Previous Page,
Next Page, and Last Page icons to navigate if you need to view more than 50 entries.
Each SonicPoint device reports for both radios, and for each station, the following information
to its SonicOS peer:

MAC Address: The client's (station's) hardware address.

Station State: The state of the station. States can include:

None: No state information yet exists for the station.
Authenticated: The station has successfully authenticated.
Associated: The station is associated.
Joined: The station has joined the ESSID.
Connected: The station is connected (joined, authenticated or associated).
Up: An Access Point state, indicating that the Access Point is up and running.
Down: An Access Point state, indicating that the Access Point is not running.

Associations: Total number of associations since power up.

Dis-Associations: Total number of dis-associations.

Re-Associations: Total number of re-associations.

Authentications: Number of authentications.

De-Authentications: Number of de-authentications. Because de-authentication and
disassociation frames are not authenticated on networks without 802.11w, a steadily rising
count for a station that keeps re-associating can indicate spoofed de-authentication frames
from an attacker rather than a client problem.

Good Frames Received: Total number of good frames received.

Good Frames Transmitted: Total number of good frames transmitted.

Error in Receive Frames: Total number of error frames received.

Error in Transmit Frames: Total number of error frames transmitted.

Discarded Frames: Total number of frames discarded. Discarded frames are generally a
sign of network congestion.

Total Bytes Received: Total number of bytes received.


Total Bytes Transmitted: Total number of bytes transmitted.

Management Frames Received: Total number of management frames received.
Management frames include:
Association request
Association response
Re-association request
Re-association response
Probe request
Probe response
Beacon frame
ATIM message
Disassociation
Authentication
De-authentication

Management Frames Transmitted: Total number of management frames transmitted.

Control Frames Received: Total number of control frames received. Control frames
include:
RTS (Request to Send)
CTS (Clear to Send)
ACK (Positive Acknowledgement)

Control Frames Transmitted: Total number of control frames transmitted.

Data Frames Received: Total number of data frames received.

Data Frames Transmitted: Total number of data frames transmitted.
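The counters above are more useful when read as ratios than as raw totals. The following is an added example, not GMS code, that triages a Station Status table for two patterns a practitioner looks for: a client whose sessions are almost all ended by de-authentication while it keeps re-associating (the footprint of a de-authentication flood), and a client with an unusually high receive error rate (RF trouble or jamming). The rows are constructed to mirror the columns listed above, and the thresholds are assumptions to be tuned per site.

```python
"""Triage SonicPoint Station Status counters (illustrative, not GMS code)."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class StationStats:
    sonicpoint: str
    mac: str
    state: str
    associations: int
    disassociations: int
    reassociations: int
    authentications: int
    deauthentications: int
    good_rx: int
    good_tx: int
    err_rx: int
    err_tx: int
    discarded: int


# Constructed sample (not real data). The last row looks like a client that is
# being de-authenticated over and over and keeps re-associating.
SAMPLE = [
    StationStats("SonicPoint-A", "00:11:22:33:44:01", "Connected", 3, 2, 0, 3, 0, 120000, 95000, 40, 12, 5),
    StationStats("SonicPoint-A", "00:11:22:33:44:02", "Connected", 1, 0, 0, 1, 0, 8000, 6000, 2, 0, 0),
    StationStats("SonicPoint-B", "00:11:22:33:44:03", "Associated", 5, 4, 1, 5, 2, 500, 300, 300, 20, 150),
    StationStats("SonicPoint-B", "00:11:22:33:44:04", "Connected", 40, 38, 37, 41, 39, 20000, 15000, 60, 10, 8),
]

# Assumed thresholds; tune them against a baseline from your own network.
DEAUTH_PER_ASSOC = 0.5   # more than half of all associations ended by a de-authentication
MIN_EVENTS = 20          # ignore ratios computed from a handful of events
RX_ERROR_RATE = 0.25     # more than a quarter of received frames in error
MIN_FRAMES = 100         # ignore error rates computed from very few frames


def churn_ratio(s: StationStats) -> float:
    """De-authentications per association; near 1.0 means nearly every session is torn down."""
    return s.deauthentications / s.associations if s.associations else 0.0


def rx_error_rate(s: StationStats) -> float:
    """Share of received frames that arrived in error."""
    total = s.good_rx + s.err_rx
    return s.err_rx / total if total else 0.0


def find_anomalies(rows) -> list:
    """Return (MAC, finding) pairs for stations worth a second look."""
    findings = []
    for s in rows:
        if s.associations + s.deauthentications >= MIN_EVENTS and churn_ratio(s) > DEAUTH_PER_ASSOC:
            findings.append((s.mac, "deauth-churn"))
        if s.good_rx + s.err_rx >= MIN_FRAMES and rx_error_rate(s) > RX_ERROR_RATE:
            findings.append((s.mac, "rx-errors"))
    return findings


def deauths_by_sonicpoint(rows) -> dict:
    """Total de-authentications per SonicPoint; a spike on one radio points at
    something local to that cell (an attacker in range, or a faulty AP)."""
    totals = defaultdict(int)
    for s in rows:
        totals[s.sonicpoint] += s.deauthentications
    return dict(totals)


if __name__ == "__main__":
    for mac, why in find_anomalies(SAMPLE):
        print(f"{mac}: {why}")
    print(deauths_by_sonicpoint(SAMPLE))
```

Run it against a table exported from the Station Status page (after converting the rows to StationStats) and compare the per-SonicPoint totals with the WLAN IDS log category, which is where the appliance's own Association Flood Detection events appear.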

Using and Configuring SonicPoint IDS


Intrusion Detection Services should be configured before using wireless access points.

Detecting SonicPoint Access Points


You can have many wireless access points within reach of the signal of the SonicPoints on your
network. The SonicPoint > IDS page reports on all access points the SonicWALL security
appliance can find by scanning the 802.11a and 802.11g radio bands.

Wireless Intrusion Detection Services


Intrusion Detection Services (IDS) greatly increase the security capabilities of the SonicWALL
security appliance with SonicOS Enhanced by enabling it to recognize and even take
countermeasures against the most common types of illicit wireless activity. IDS consists of
three types of services, namely, Sequence Number Analysis, Association Flood Detection, and
Rogue Access Point Detection. IDS logging and notification can be enabled under Log >
Enhanced Log Settings by selecting the WLAN IDS checkbox under Log Categories and
Alerts.


Intrusion Detection Settings


Rogue Access Points have emerged as one of the most serious and insidious threats to
wireless security. In general terms, an access point is considered rogue when it has not been
authorized for use on a network. The convenience, affordability and availability of non-secure
access points, and the ease with which they can be added to a network, create an easy
environment for introducing rogue access points. Specifically, the real threat emerges in a
number of different ways, including unintentional and unwitting connections to the rogue
device, transmission of sensitive data over non-secure channels, and unwanted access to LAN
resources. So while this doesn't represent a deficiency in the security of a specific wireless
device, it is a weakness in the overall security of wireless networks.
The security appliance can alleviate this weakness by recognizing rogue access points
potentially attempting to gain access to your network. It accomplishes this in two ways: active
scanning for access points on all 802.11a and 802.11g channels, and passive scanning (while
in Access Point mode) for beaconing access points on a single channel of operation.

Scanning for Access Points


Active scanning occurs when the security appliance starts up, and at any time Scan Now is
clicked on the SonicPoint > IDS page. When the security appliance performs a scan, a
temporary interruption of wireless clients occurs for no more than a few seconds. This
interruption manifests itself as follows:

Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.

Persistent connections (protocols such as FTP) are impaired or severed.

WiFiSec connections should automatically re-establish and resume with no noticeable
interruption to the client.

Warning
If service disruption is a concern, it is recommended that the Scan Now feature not
be used while the SonicWALL security appliance is in Access Point mode until such
a time that no clients are active, or the potential for disruption becomes acceptable.

Discovered Access Points


The Discovered Access Points table displays information on every access point that can be
detected by the SonicPoint radio:

Note
This feature is only supported on SonicOS 5.8 or higher.

SonicPoint: The SonicPoint that detected the access point.

MAC Address (BSSID): The MAC address of the radio interface of the detected access
point.

SSID: The radio SSID of the access point.

Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz.

Channel: The radio channel used by the access point.

Manufacturer: The manufacturer of the access point. SonicPoints will show a
manufacturer of either SonicWALL or Senao.

Signal Strength: The strength of the detected radio signal.


Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.

Authorize: Click the Authorize icon to add the access point to the address object group of
authorized access points.

If you have more than one SonicPoint, you can select an individual device from the SonicPoint
list to limit the Discovered Access Points table to display only scan results from that
SonicPoint. Select All SonicPoints to display scan results from all SonicPoints.

Authorizing Access Points on Your Network


Access Points detected by the security appliance are regarded as rogues until they are
identified to the security appliance as authorized for operation. To authorize an access point, it
can be manually added to the Discovered Access Points list by clicking the Edit icon in the
Authorize column and specifying its MAC address (BSSID) along with an optional comment.
Alternatively, if an access point is discovered by the security appliance scanning feature, it can
be added to the list by clicking the Authorize icon. Before authorizing a discovered entry,
confirm its BSSID against the access point's own configuration rather than trusting the SSID
or Manufacturer column, since both are chosen by whoever operates the radio and are easy to
imitate.
When a SonicPoint detects a non-SonicPoint access point, a table with the following
information displays:

Table 22   Discovered Access Points

Column               Description
SonicPoint           The SonicPoint that detected the access point.
MAC Address (BSSID)  The MAC address of the radio interface of the detected access point.
SSID                 The radio SSID of the access point.
Type                 The range of radio bands used by the access point, 2.4 GHz or 5 GHz.
Channel              The radio channel used by the access point.
Manufacturer         The manufacturer of the access point. SonicPoints will show a
                     manufacturer of either SonicWALL or Senao.
Signal Strength      The strength of the detected radio signal.
Max Rate             The fastest allowable data rate for the access point radio, typically 54 Mbps.
Authorize            Adds the access point to the address object group of authorized access points.
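The following is an added example, not GMS code, that works the scan results into a triage list. It distinguishes an ordinary rogue (an unauthorized access point in range) from an evil twin (an unauthorized BSSID advertising one of your own SSIDs, which your clients may join) and orders the unauthorized entries by urgency and signal strength. The scan rows are constructed to mirror the Discovered Access Points columns; the authorized BSSID set stands in for the address object group of authorized access points, and the corporate SSID set is an assumption.

```python
"""Triage SonicPoint IDS scan results (illustrative, not GMS code)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredAP:
    sonicpoint: str
    bssid: str
    ssid: str
    band: str          # "2.4 GHz" or "5 GHz" (the Type column)
    channel: int
    manufacturer: str
    signal: int        # signal strength, percent
    max_rate: int      # Mbps


# Constructed scan table (not real data).
SCAN = [
    DiscoveredAP("SonicPoint-A", "00:06:B1:10:20:30", "corp-wifi", "2.4 GHz", 6, "SonicWALL", 80, 54),
    DiscoveredAP("SonicPoint-A", "00:06:B1:10:20:31", "corp-wifi", "5 GHz", 36, "SonicWALL", 75, 54),
    DiscoveredAP("SonicPoint-A", "02:1A:2B:3C:4D:5E", "corp-wifi", "2.4 GHz", 6, "Unknown", 65, 54),
    DiscoveredAP("SonicPoint-B", "A4:B1:C2:D3:E4:F5", "NETGEAR-guest", "2.4 GHz", 11, "Netgear", 30, 54),
    DiscoveredAP("SonicPoint-B", "00:06:B1:10:20:40", "corp-wifi", "2.4 GHz", 1, "SonicWALL", 70, 54),
]

# Assumed: the authorized group and the SSIDs your own SonicPoints advertise.
AUTHORIZED_BSSIDS = {"00:06:b1:10:20:30", "00:06:b1:10:20:31", "00:06:b1:10:20:40"}
CORPORATE_SSIDS = {"corp-wifi"}


def norm(mac: str) -> str:
    """Normalise a MAC so that case or separator differences cannot defeat the lookup."""
    return mac.strip().lower().replace("-", ":")


def classify(ap: DiscoveredAP, authorized, corporate_ssids) -> str:
    """authorized: BSSID is in the authorized group.
    evil-twin: unauthorized BSSID advertising one of our SSIDs (clients may be lured onto it).
    rogue: any other unauthorized access point in range."""
    if norm(ap.bssid) in authorized:
        return "authorized"
    if ap.ssid in corporate_ssids:
        return "evil-twin"
    return "rogue"


def triage(scan, authorized=AUTHORIZED_BSSIDS, corporate_ssids=CORPORATE_SSIDS) -> dict:
    """Verdict per BSSID for a whole scan table."""
    auth = {norm(m) for m in authorized}
    return {ap.bssid: classify(ap, auth, corporate_ssids) for ap in scan}


SEVERITY = {"evil-twin": 0, "rogue": 1, "authorized": 2}


def worklist(scan, authorized=AUTHORIZED_BSSIDS, corporate_ssids=CORPORATE_SSIDS) -> list:
    """Unauthorized APs, most urgent first: evil twins before other rogues,
    then stronger signal first (closest to the SonicPoint that saw it)."""
    verdicts = triage(scan, authorized, corporate_ssids)
    todo = [ap for ap in scan if verdicts[ap.bssid] != "authorized"]
    todo.sort(key=lambda ap: (SEVERITY[verdicts[ap.bssid]], -ap.signal))
    return [(ap.sonicpoint, ap.bssid, ap.ssid, ap.channel, verdicts[ap.bssid]) for ap in todo]


if __name__ == "__main__":
    for row in worklist(SCAN):
        print(row)
```

Note that the Manufacturer column is deliberately not used as an authorization signal: it is derived from the address prefix, which the operator of a rogue radio can set to whatever they like.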

Using and Configuring Virtual Access Points


A Virtual Access Point (VAP) is a multiplexed instantiation of a single physical Access Point
(AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each
Virtual AP appears to be an independent physical AP, when there is actually only a single
physical AP. Before Virtual AP feature support, wireless networks were relegated to a
one-to-one relationship between physical Access Points and wireless network security
characteristics, such as authentication and encryption.
For example, an Access Point providing WPA-PSK security could not simultaneously offer
Open or WPA-EAP connectivity to clients. If Open or WPA-EAP were required, they would need
to have been provided by a separate, distinctly configured AP. This forced WLAN network
administrators to find a solution to scale their existing wireless LAN infrastructure to provide
differentiated levels of service. With the Virtual APs (VAP) feature, multiple VAPs can exist


within a single physical AP in compliance with the IEEE 802.11 standard for the media access
control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and
Service Set Identifier (SSID). This allows segmenting wireless network services within a single
radio frequency footprint of a single physical access point device.
In SonicOS Enhanced 3.5, VAPs allow the network administrator to control wireless user
access and security settings by setting up multiple custom configurations on a single physical
interface.
Each of these custom configurations acts as a separate (virtual) access point, and can be
grouped and enforced on single or multiple physical SonicPoint access points simultaneously.
In GMS, you can configure VAPs on the Policies panel, SonicPoint > Virtual Access Point
screen.

Configuring Virtual Access Point Groups


To add or configure VAP Groups:
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.

2. Click Add Group. The Add Virtual Access Point Group dialog box displays.

3. Enter the VAP group name in the Virtual AP Group Name field.

4. In Available Virtual AP Objects, select the objects that should be in the VAP group, and
then click the arrow button to move them to Member of Virtual AP Group.


5. To remove objects from the group, select them in the Member of Virtual AP Group field
and then click the left arrow button to move them back to the Available list.

6. Click OK.

7. In the SonicPoint > Virtual Access Point screen, click Update.

Configuring Virtual Access Points


To add or configure Virtual Access Points:
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.

2. Click Add Virtual Access Point. The Add Virtual Access Point dialog box displays.

3. On the General tab, enter the SSID associated with the VAP. You can create a service set
identifier (SSID) when creating a SonicPoint profile. Refer to the SonicPoint Provisioning
Profiles section on page 556.

4. Select Enable Virtual Access Point. You can also deselect this checkbox to disable the
VAP without deleting it completely.

5. To suppress the SSID, select Enable SSID Suppress.

6. Click the Advanced tab.

7. On the Advanced tab, configure the following:

Profile Name: Select the VAP profile from the pull-down list.
Radio Type: Select the radio type from the pull-down list.
Authentication Type: Select the authentication type from the pull-down list.
Unicast Cipher: Select the unicast cipher from the pull-down list.
Multicast Cipher: Select the multicast cipher from the pull-down list. Every client on the VAP
must be able to decrypt group traffic, so the multicast cipher can be no stronger than the
weakest cipher you permit for unicast; allowing TKIP for unicast weakens multicast as well.
Maximum Clients: Enter the maximum number of clients.


8. Click OK.

9. In the SonicPoint > Virtual Access Point screen, click Update.


Configuring Virtual Access Point Profiles


To add or configure VAP profiles:
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.

2. Click Add Virtual Access Point Profile. The Add Virtual Access Point Profile dialog box
displays.

3. Configure the following:

Radio Type: Select the radio type from the pull-down list.
Profile Name: Select the VAP profile from the pull-down list.
Authentication Type: Select the authentication type from the pull-down list.
Unicast Cipher: Select the unicast cipher from the pull-down list.
Multicast Cipher: Select the multicast cipher from the pull-down list.
Maximum Clients: Enter the maximum number of clients.

4. Click OK.

5. In the SonicPoint > Virtual Access Point screen, click Update.

Configuring FairNet
The following sections describe SonicPoint FairNet policies in SonicWALL SonicOS Enhanced
to configure bandwidth limits for WLAN clients:

SonicPoint FairNet Overview section on page 573

Configuring SonicPoint FairNet Bandwidth Limit Policies section on page 574

SonicPoint FairNet Overview


IEEE 802.11 wireless LAN is a half-duplex broadcast system, in which all wireless clients
compete for the shared bandwidth. Ideally, wireless networks should provide fairness in
bandwidth distribution to create a better user experience and maintain productivity and
flexibility for all wireless traffic.
With 802.11n technology, wireless LAN throughput can reach up to 300 Mbps to meet the high
demand for performance and diversified timing-sensitive services. However, in 802.11n wireless
LAN networks wireless users still confront bandwidth issues when multiple users are


coexisting. For example, since all bandwidth is shared by all associated wireless clients, a
bandwidth hog (such as a VoIP or P2P user) may use most of the bandwidth and cause delays
or network interruptions for low-bandwidth HTTP users.
Given this, the SonicPoint FairNet feature is designed to provide an easy-to-use method for
network administrators to control the bandwidth of associated wireless clients and ensure
fairness among all of them.
Administrators can configure SonicPoint FairNet bandwidth limits for all wireless users, for
specific IP address ranges, or for individual clients to provide fairness as well as network
efficiency.
SonicPoint FairNet is available for appliances running SonicOS 5.6 and higher.

Configuring SonicPoint FairNet Bandwidth Limit Policies


To configure SonicPoint FairNet, perform the following tasks:


1. Navigate to the SonicPoint > FairNet page.

2. Select the Enable FairNet checkbox.

3. Click Update at the left of the page.

4. Click the Add New FairNet Policy button to add a SonicPoint FairNet policy for an IP
address or range of addresses. The Add FairNet Policy window displays.

5. By default the Enable Policy option is checked. Clear this checkbox to disable the
FairNet policy.


6. In the Direction pull-down menu, select whether the bandwidth limits for the policy will
apply to clients uploading content, downloading content, or both directions:
Both Directions
Downlink (AP to Client)
Uplink (Client to AP)

7. In the Start IP and End IP fields, specify the IP address range that the policy will apply to.

Tip
The IP address range must be on a subnet that is configured for a WLAN interface.

8. In the Min Rate (kbps) field, enter the minimum bandwidth that clients will be guaranteed.

9. In the Max Rate (kbps) field, enter the maximum bandwidth that clients will be allowed.

10. In the Interface pull-down menu, select the WLAN interface that corresponds to the IP
address range you configured. The menu lists all interfaces configured for the WLAN zone,
except for W0.

11. Click OK.
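The procedure above states several constraints that the dialog does not check for you across policies. The following is an added example, not GMS code, that validates a set of FairNet policies before they are applied: the address range must lie within the subnet of a WLAN-zone interface other than W0, Start IP must not be after End IP, Min Rate must not exceed Max Rate, and no two enabled policies on the same interface should be able to match the same client in the same direction. The WLAN interface table and the policies are constructed, and the overlap rule is an assumption about what makes a policy set unambiguous.

```python
"""Sanity-check SonicPoint FairNet policies (illustrative, not GMS code)."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FairNetPolicy:
    enabled: bool
    direction: str      # "both", "downlink" (AP to client) or "uplink" (client to AP)
    start_ip: str
    end_ip: str
    min_kbps: int
    max_kbps: int
    interface: str


DIRECTIONS = {"both", "downlink", "uplink"}

# Constructed: interfaces in the WLAN zone and their subnets. W0 is listed
# because it exists, but the Interface menu does not offer it.
WLAN_INTERFACES = {"W0": "172.16.31.0/24", "X4": "10.20.0.0/24", "X5": "10.30.0.0/24"}


def validate(policy: FairNetPolicy, interfaces=WLAN_INTERFACES) -> list:
    """Return a list of problems; an empty list means the policy is consistent."""
    errors = []
    if policy.direction not in DIRECTIONS:
        errors.append(f"unknown direction {policy.direction!r}")
    try:
        start = ipaddress.ip_address(policy.start_ip)
        end = ipaddress.ip_address(policy.end_ip)
    except ValueError as exc:
        return errors + [f"bad address: {exc}"]
    if start > end:
        errors.append("Start IP is after End IP")
    subnet = interfaces.get(policy.interface)
    if subnet is None:
        errors.append(f"interface {policy.interface} is not in the WLAN zone")
    elif policy.interface == "W0":
        errors.append("W0 cannot be selected for a FairNet policy")
    else:
        net = ipaddress.ip_network(subnet)
        if start not in net or end not in net:
            errors.append(f"range is outside the {policy.interface} subnet {subnet}")
    if policy.min_kbps < 0 or policy.max_kbps <= 0:
        errors.append("rates must be positive")
    if policy.min_kbps > policy.max_kbps:
        errors.append("Min Rate exceeds Max Rate")
    return errors


def _ranges_intersect(p: FairNetPolicy, q: FairNetPolicy) -> bool:
    return (ipaddress.ip_address(p.start_ip) <= ipaddress.ip_address(q.end_ip)
            and ipaddress.ip_address(q.start_ip) <= ipaddress.ip_address(p.end_ip))


def overlapping(policies) -> list:
    """Pairs of enabled policies on the same interface that could both match one
    client in the same direction, so it is unclear which limit applies."""
    pairs = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if not (p.enabled and q.enabled) or p.interface != q.interface:
                continue
            same_dir = p.direction == q.direction or "both" in (p.direction, q.direction)
            if same_dir and _ranges_intersect(p, q):
                pairs.append((p, q))
    return pairs


# Constructed policies: one valid, one with several mistakes, one that overlaps the first.
GOOD = FairNetPolicy(True, "both", "10.20.0.100", "10.20.0.199", 512, 4096, "X4")
BAD = FairNetPolicy(True, "downlink", "10.20.0.250", "10.20.0.10", 8000, 2000, "W0")
OVERLAP = FairNetPolicy(True, "uplink", "10.20.0.150", "10.20.0.160", 256, 1024, "X4")

if __name__ == "__main__":
    for pol in (GOOD, BAD, OVERLAP):
        print(pol.start_ip, "-", pol.end_ip, validate(pol) or "ok")
    for p, q in overlapping([GOOD, BAD, OVERLAP]):
        print("overlap:", p.start_ip, "-", p.end_ip, "and", q.start_ip, "-", q.end_ip)
```

Running validate on each policy and overlapping on the whole set before clicking OK catches the errors that otherwise only show up as a policy that silently never matches or as two clients in the same range getting different limits.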

Searching FairNet Policies


To search the configured FairNet policies, perform the following tasks:
1. On the SonicPoint > FairNet page, go to the FairNet Policy Search section.

2. Select whether to search for the Start IP in the policy (the first IP address in the IP address
range) or the End IP.

3. Select the type of search to perform: Equals, Starts with, Ends with, or Contains.

4. Enter an IP address or portion of an IP address to search for.

5. Click Search. FairNet policies that match the search are displayed.


CHAPTER 25
Configuring Firewall Wireless Options
This chapter describes how to configure wireless connectivity options for wireless SonicWALL
appliances. Included in this chapter are the following sections:

Configuring General Wireless Settings section on page 577

Configuring Wireless Security Settings section on page 581

Configuring Advanced Wireless Settings section on page 585

Configuring MAC Filter List Settings section on page 588

Configuring Intrusion Detection Settings section on page 589

Configuring Wireless Virtual Access Points section on page 599

Configuring General Wireless Settings


Note

The Wireless > Settings page provides different options for SonicOS Enhanced and
SonicOS Standard.


The page for SonicOS Standard is shown below:

The page for SonicOS Enhanced is shown below:

The following sections describe how to configure general wireless settings:


Configuring Access Point Radio Mode on page 579

Configuring Wireless Client Bridge Radio Mode on page 580

Wireless Radio Operating Schedule on page 580


Configuring Access Point Radio Mode


Caution
Changing the radio role from Access Point mode to Wireless Client Bridge mode
disconnects any existing wireless clients.
To configure wireless settings for Access Point mode, perform the following steps:
1. Select a wireless SonicWALL appliance.

2. Expand the Wireless tree and click Settings. The Settings page displays.

3. Select whether the SonicWALL appliance will act as an Access Point or a Wireless Client
Bridge from the Radio Role list box.

4. To enable wireless networking on this device, select the Enable WLAN Radio check box.

5. For SonicOS Standard, configure Use Time Constraints to set hours of operation for this
wireless device. For SonicOS Enhanced, select the schedule from the Schedule list box.

6. For SonicOS Standard only, optionally select SRA Enforcement and configure the Server
Address and Server Port fields to add SRA enforcement to this wireless device.

7. For SonicOS Standard only, select WiFiSec Enforcement to enable WiFiSec security over
this wireless device.

8. For SonicOS Standard only, if using WiFiSec Enforcement, you can choose to Require
WiFiSec for Site-to-Site VPN Tunnel Traversal. This option is selected by default when
enabling both SRA and WiFiSec simultaneously.

9. For SonicOS Standard only, if using WPA encryption, you can choose to Trust WPA traffic
as WiFiSec.

10. For SonicOS Standard only, if using WiFiSec enforcement, you can choose Enable
WiFiSec Service Exception List. With this checkbox selected, select a service from the
list and click the Add button. Every service added here bypasses WiFiSec enforcement for
wireless clients, so keep the list as short as possible.

11. Enter the IP address and subnet mask of the Wireless LAN port in the WLAN IP Address
and WLAN Subnet Mask fields.

12. Enter the Service Set Identifier (SSID) or wireless network name in the SSID field
(maximum: 32 characters).

13. Select an applicable wireless Radio Mode from the list box.

14. Select an applicable Country Code from the list box.

15. Select a wireless channel to use from the Channel list box.

16. When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.


Configuring Wireless Client Bridge Radio Mode


Caution
Changing the radio role from Access Point mode to Wireless Client Bridge mode
disconnects any existing wireless clients.
To configure wireless settings for Wireless Client Bridge mode, perform the following steps:
1. To enable wireless networking on this device, select the Enable WLAN Radio check box.

2. For SonicOS Standard, configure Use Time Constraints to set hours of operation for this
wireless device. For SonicOS Enhanced, select the schedule from the Schedule list box.

3. For SonicOS Standard only, select WiFiSec Enforcement to enable WiFiSec security over
this wireless device.

4. Enter the Service Set Identifier (SSID) or wireless network name in the SSID field
(maximum: 32 characters).

5. Select a mode from the 802.11d Compliance menu. 802.11d compliance is a regulatory
domain update wherein physical and MAC layer signaling automatically behaves in accordance
with geographic requirements for such settings as channels of operation and power. Access
Points and wireless clients implement 802.11d differently. The Access Point can be thought of
as the 802.11d provider: it either provides the 802.11d capability or not, and remains agnostic
to the 802.11d capabilities of associated clients. The wireless client is in turn the 802.11d
consumer: if the client is not 802.11d capable, it can associate with an Access Point
regardless of the Access Point's 802.11d capabilities. If the client is 802.11d capable, it can
generally operate in one of three 802.11d modes, which you can select from the 802.11d
Compliance menu.

6. When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.

Wireless Radio Operating Schedule


Wireless Schedule allows you to specify time periods of operation for the WLAN. This feature is available on the Wireless > Settings screen. In SonicOS Standard it appears under the Use Time Constraints section, and in SonicOS Enhanced it appears as the Schedule pull-down list. At unit level, only the section that applies to the selected appliance's firmware (SonicOS Standard or SonicOS Enhanced) is displayed. At group level, both options are shown, with text in italics indicating which section applies to SonicOS Standard and which to SonicOS Enhanced.

Configuring Wireless Security Settings

This section describes how to configure wireless security settings. To configure the security settings, perform the following steps:

1. Select a wireless SonicWALL appliance.

2. Expand the Wireless tree and click Security. The fields on this screen change depending on the Authentication Type that you select.

WEP Encryption Settings

Open-system authentication is the only method required by 802.11b. In open-system authentication, the SonicWALL allows the wireless client access without verifying its identity. Shared-key authentication uses Wired Equivalent Privacy (WEP) and requires a shared key to be distributed to wireless clients before authentication is allowed. The SonicWALL wireless security appliances provide the option of using Open System, Shared Key, or both when WEP is used to encrypt data. If Both (Open System & Shared Key) is selected, the Default Key assignments are not important as long as identical keys are used in each field. If Shared Key is selected, then the key assignment is important.

WEP is cryptographically broken regardless of key length or authentication type, and Shared Key authentication additionally hands an eavesdropper a plaintext challenge together with its WEP-encrypted response. Use WEP only for legacy clients that cannot do WPA2, and prefer the WPA2 settings described later in this section.

To configure WEP on the SonicWALL, perform the following tasks:

1. On the Policies panel, click Wireless, then Security.

2. Select a WEP authentication type from the Authentication Type list. Shared Key is selected by default.

WEP Encryption Keys

If you selected Both (Open System & Shared Key) or Shared Key above, you must configure one or more keys and select the default. SonicOS supports the 802.11a and 802.11g standards and offers 64-bit, 128-bit, and 152-bit WEP keys. In each case 24 bits of the stated size are the per-frame initialization vector, so the secret portion you enter is 40, 104, or 128 bits respectively.

1. Select the default key to use, 1, 2, 3, or 4, from the Default Key pull-down list.

2. Select the key type to be either Alphanumeric or Hexadecimal. The number of characters you enter is different for each because an alphanumeric (or ASCII) character contains 8 bits, and a hexadecimal character contains only 4 bits.

Table 23  WEP Encryption Key Types

Key type                  WEP - 64-bit     WEP - 128-bit    WEP - 152-bit
Alphanumeric (0-9, A-Z)   5 characters     13 characters    16 characters
Hexadecimal (0-9, A-F)    10 characters    26 characters    32 characters

3. Type your keys into each field.

4. For each key, select 64-bit, 128-bit, or 152-bit from the pull-down list next to the Key field. 152-bit is the longest, but no WEP key length resists the known attacks on WEP.

5. Click Update.

WPA and WPA2 Encryption Settings

You can configure Wi-Fi Protected Access as WPA or WPA2 in GMS. Either of these provides better security than WEP. WPA and WPA2 support two methods of establishing the master key:

- Extensible Authentication Protocol (EAP): EAP allows WPA/WPA2 to obtain per-session keys through authentication against an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework.

- Pre-Shared Key (PSK): PSK allows WPA/WPA2 to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server.

WPA EAP and WPA2 EAP support is only available in Access Point Mode. Bridge Mode supports WPA PSK and WPA2 PSK.

To configure WPA or WPA2 security on the SonicWALL, perform the following tasks:

1. On the Policies panel, click Wireless, then Security.

2. Under Encryption Mode, select a WPA or WPA2 authentication type from the Authentication Type list. You can choose from the following authentication types:
   - WPA-PSK
   - WPA-EAP
   - WPA2-PSK
   - WPA2-EAP
   - WPA2-AUTO-PSK
   - WPA2-AUTO-EAP

   The screen changes to display the configurable fields. The same configuration fields are displayed for all authentication types that employ PSK, and the same configuration fields are displayed for all authentication types that employ EAP.

WPA and WPA2 Settings

For both PSK and EAP authentication types, the fields under WPA Settings are the same. To configure the WPA Settings fields:

1. Select which EAPOL Version to support. EAPOL is Extensible Authentication Protocol over LAN, the IEEE 802.1X framing used to carry EAP between the client and the access point. EAPOL version 2 provides better security, but may not be supported by some wireless clients.

2. Select one of the following in the Cipher Type pull-down list:
   - TKIP: Temporal Key Integrity Protocol (TKIP) is the WPA cipher suite. It wraps RC4 with per-packet key mixing and a message integrity check; it is retained for compatibility with older clients and is weaker than AES.
   - AES: Advanced Encryption Standard (AES) is a block cipher standardized by NIST as FIPS 197 in 2001 and widely used in symmetric key cryptography. WPA2 uses it in CCMP mode. Prefer AES wherever all clients support it.
   - Auto: Allows the SonicWALL to automatically select either TKIP or AES, so a single TKIP-only client can hold the network at the weaker cipher.

3. Select one of the following to determine when to update the key in the Group Key Update pull-down list:
   - By Timeout: Generates a new group key after an interval specified in seconds.
   - Disabled: Uses a static key that is never regenerated.

4. If you selected By Timeout, enter the number of seconds before WPA or WPA2 automatically generates a new group key into the Interval field.

Preshared Key Settings (PSK)

For all authentication types involving PSK, do the following:

1. Type the passphrase from which the key is generated into the Passphrase field. The passphrase must be 8 to 63 printable ASCII characters. Choose a long, random one: anyone who captures a client's WPA handshake can test passphrase guesses offline, so the passphrase's strength is the only thing protecting a PSK network.

2. Do one of the following:
   - To apply the settings, click Update.
   - To clear all screen settings and start over, click Reset.
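The passphrase-to-key mapping behind the PSK modes, as an added example that is not part of the GMS guide or SonicWALL's code. IEEE 802.11i defines the WPA/WPA2 Pairwise Master Key as PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, with 4096 iterations and a 256-bit output. The code below implements that mapping, enforces the passphrase constraints, and shows the audit an eavesdropper can run offline against a captured handshake, which is why passphrase length matters. The function names and the small wordlist are this example's own assumptions.

```python
import hashlib
from typing import Iterable, Optional

# IEEE 802.11i Annex H passphrase-to-PSK mapping parameters.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256-bit Pairwise Master Key


def validate_passphrase(passphrase: str) -> None:
    """Reject passphrases outside the range the 802.11i mapping defines."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Map (passphrase, SSID) to the PMK exactly as a WPA/WPA2 station does.

    The SSID is the PBKDF2 salt, so the same passphrase yields a different
    PMK on every network name; precomputed tables only work per SSID.
    """
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 octets")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PMK_LEN
    )


def audit_pmk_against_wordlist(pmk: bytes, ssid: str,
                               wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate passphrase that reproduces pmk, else None.

    A captured WPA/WPA2-PSK 4-way handshake lets an eavesdropper check
    guesses offline with exactly this loop (a PTK derived from a guessed PMK
    either verifies the captured MIC or it does not), so this is the audit
    to run against your own passphrase before deploying it.
    """
    for candidate in wordlist:
        try:
            if derive_pmk(candidate, ssid) == pmk:
                return candidate
        except ValueError:
            continue  # not a legal passphrase, so it cannot be the right one
    return None


# Constructed sample wordlist for the demonstration below (hypothetical).
SAMPLE_WORDLIST = ["letmein1", "password", "Tr0ub4dor&3"]

if __name__ == "__main__":
    # "password" / "IEEE" is test vector 1 from IEEE 802.11i Annex H.
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    print("guessed passphrase:", audit_pmk_against_wordlist(pmk, "IEEE", SAMPLE_WORDLIST))
```

The 4096 PBKDF2 iterations make each guess cost roughly 8192 HMAC-SHA1 operations, which slows a dictionary attack but does not stop one against a short or common passphrase; a random passphrase near the 63-character limit, or the EAP modes below, is the real fix.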

Extensible Authentication Protocol (EAP) Settings

For all authentication types involving EAP, the lower part of the screen displays fields for RADIUS configuration. Do the following:

1. Type the IP address of the primary RADIUS server into the Radius Server 1 IP field.

2. Type the port number used to communicate with the primary RADIUS server into the Port field.

3. Type the shared secret configured for this appliance on the primary RADIUS server into the Radius Server 1 Secret field. The shared secret authenticates the RADIUS exchange itself, so use a long random value unique to this appliance.

4. Type the IP address of the secondary RADIUS server into the Radius Server 2 IP field.

5. Type the port number used to communicate with the secondary RADIUS server into the Port field.

6. Type the shared secret for the secondary RADIUS server into the Radius Server 2 Secret field.

7. Do one of the following:
   - To apply the settings, click Update.
   - To clear all screen settings and start over, click Reset.

Configuring Advanced Wireless Settings

Note: When the appliance is configured for Wireless Client Bridge mode, only a subset of the options on the Wireless > Advanced page are applicable. The other settings are inherited from the access point to which you are bridging.

This section describes how to configure advanced wireless settings for both SonicOS Standard and SonicOS Enhanced. To do this, perform the following steps:

1. Select a wireless SonicWALL appliance.

2. Expand the Wireless tree and click Advanced. The Advanced screen displays.

   Note: The Wireless > Advanced page provides different options for SonicOS Standard and SonicOS Enhanced, and the SonicOS Enhanced page has different fields than those in SonicOS Standard. Also, SonicOS Standard 3.8 displays six more fields than earlier versions of SonicOS Standard.

3. Select Hide SSID in Beacon to omit the SSID from beacon frames. Clients that do not already know the SSID will not list the network when they scan, which deters casual discovery.

   Note: This provides only marginal security, because Probe Responses and other 802.11 frames still contain the SSID, and a passive sniffer learns it as soon as a legitimate client associates. Do not rely on it in place of WPA2.

4. Enter how often (in milliseconds) a beacon will be sent in the Beacon Interval field. Decreasing the interval makes passive scanning more reliable and faster because Beacon frames announce the network to wireless clients more frequently.

5. To specify the maximum number of wireless clients, enter the limit in the Maximum Client Associations field. Wireless clients are devices that attempt to access the wireless SonicWALL appliance.

6. Select the following Advanced Radio Settings:

   - The Antenna Diversity setting determines which antenna the SonicWALL Wireless uses to send and receive data. You can select:
     - Best: This is the default setting. When Best is selected, the SonicWALL Wireless automatically selects the antenna with the strongest, clearest signal. In most cases, Best is the optimal setting.
     - 1: Select 1 to restrict the SonicWALL Wireless to use antenna 1 only. Facing the rear of the SonicWALL, antenna 1 is on the left, closest to the console port. You can disconnect antenna 2 when using only antenna 1.
     - 2: Select 2 to restrict the SonicWALL Wireless to use antenna 2 only. Facing the rear of the SonicWALL, antenna 2 is on the right, closest to the power supply. You can disconnect antenna 1 when using only antenna 2.

   - Select High from the Transmit Power menu to send the strongest signal on the WLAN. For example, select High if the signal is going from building to building. Medium is recommended for office to office within a building, and Low or Lowest is recommended for shorter distance communications. Lower power also reduces how far beyond your premises the network can be received.

   - Select Short or Long from the Preamble Length menu. Short is recommended for efficiency and improved throughput on the wireless network.

   - The Fragmentation Threshold (bytes) is 2346 by default. Increasing the value means that frames are delivered with less overhead, but a lost or damaged frame must be discarded and retransmitted in its entirety.

   - The RTS Threshold (bytes) is 2432 by default. If network throughput is slow or a large number of frame retransmissions is occurring, decrease the RTS threshold so that the RTS/CTS handshake is used for smaller frames.

   - The default value for the DTIM Interval is 3. Increasing the DTIM Interval lets power-saving clients sleep through more beacons between buffered multicast deliveries, conserving client power at the cost of multicast latency.

   - The Station Timeout (seconds) is 300 seconds by default. If your network is very busy, you can increase the timeout by increasing the number of seconds in this field.

   - For SonicOS Standard 3.8 and above, select the wireless transmission rate from the Data Rate pull-down list. You can select Best or a value between 1 and 54 megabits per second (Mbps). The default is 48 Mbps.

   - For SonicOS Standard 3.8 and above, in the Protection Mode pull-down list, select None, Always or Auto. Use Always or Auto to prevent transmission frame collisions when you have multiple wireless nodes.

   - For SonicOS Standard 3.8 and above, in the Protection Rate pull-down list, select 1 Mbps, 2 Mbps, 5 Mbps or 11 Mbps. The Protection Rate specifies the transmission rate for the Request-To-Send (RTS) and Clear-To-Send (CTS) frames. The default is 5 Mbps.

   - For SonicOS Standard 3.8 and above, in the Protection Type pull-down list, select RTS-CTS or CTS-only. RTS-CTS is the mechanism used by the 802.11 wireless networking protocol to reduce frame collisions. The node wishing to transmit data sends an RTS frame. The destination node replies with a CTS frame. Other wireless nodes within range refrain from sending data for a specified time to avoid collisions. The default is RTS-CTS.

   - For SonicOS Standard 3.8 and above, in the CCK OFDM Power Delta pull-down list, select 0 dBm, 1 dBm or 2 dBm. Complementary Code Keying (CCK) and Orthogonal Frequency Division Multiplexing (OFDM) are the digital modulation techniques used by 802.11b and 802.11a/g respectively. This field specifies the difference in transmit power between CCK and OFDM transmissions, expressed in dBm (decibels relative to one milliwatt): 0 dBm equals one milliwatt, and 2 dBm is about 1.6 milliwatts.

   - For SonicOS Standard 3.8 and above, select the Enable Short Slot Time check box to minimize the time to wait before transmitting. Slot time is the basic timing unit the 802.11 MAC uses for backoff between transmissions; the short slot time improves throughput when all associated clients support it. The default is to enable a short slot time.

7. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Configuring MAC Filter List Settings

Wireless SonicWALL appliances can allow or block wireless devices based on their MAC addresses. Because a station's MAC address is sent in the clear in every frame and is trivially changed by the station, the MAC filter list is an administrative convenience rather than an authentication control; it does not substitute for WPA2. To configure the MAC filter list, perform the following steps:

1. Select a wireless SonicWALL appliance, a group, or the global icon.

2. Expand the Wireless tree and click MAC Filter List. The MAC Filter List screen displays.

   Note: The MAC Filter List provides different options in SonicOS Standard and SonicOS Enhanced. SonicOS Enhanced provides pull-down lists for the Allow and Deny lists.

3. To enable the MAC filter list for the selected device(s), select the Enable MAC Filter List check box.

4. For SonicOS Standard, to add a MAC address to the filter list, enter the address in the MAC Address List field, check either Allow or Block, and add any comments to the Comment field.

5. Click Add MAC Address. The scheduler displays.

6. Expand Schedule by clicking the plus icon.

7. Select Immediate or specify a future date and time.

8. Click Accept.

9. Repeat these steps for each MAC address that you want to add in SonicOS Standard.

10. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance(s). To clear all screen settings and start over, click Reset.

11. For SonicOS Enhanced only, select one of the options from the Allow List and Deny List list boxes.

12. Click Update. The scheduler displays.

13. Expand Schedule by clicking the plus icon.

14. Select Immediate or specify a future date and time.

15. Click Accept.

Configuring Intrusion Detection Settings

The Intrusion Detection System (IDS) greatly increases the security capabilities of the SonicWALL security appliance by enabling it to recognize and even take countermeasures against the most common types of illicit wireless activity. IDS consists of three types of services, namely Sequence Number Analysis, Association Flood Detection, and Rogue Access Point Detection.

This section describes how to configure group level and unit level intrusion detection settings (IDS) for wireless SonicWALL appliances.

Viewing the Wireless > IDS page

The Wireless > IDS page can be viewed at a group or unit level, depending on the model or appliance selected in the left navigation pane of the management interface.

Group Level View

This view does not display the detected wireless access points, but offers a link to schedule a Rogue Access Point report. To access the group level view, select a group of appliances from the list.
Unit Level View

This view displays all the wireless access points detected by the SonicWALL security appliance and information about each discovered access point. To access the unit level view, select an appliance from the Model View list.

Configuring Wireless Intrusion Detection System Settings

To configure the Wireless > IDS settings, perform the following steps:

At Group level

Step 1  Navigate to the Wireless > IDS page.

Step 2  Select an appliance Group from the Model View list.

Step 3  Select Enable Client Null Probing Detection to enable client null probe detection. A null probe is a probe request with an empty (wildcard) SSID, which asks every access point in range to respond; it is the signature of active scanning tools.

Step 4  Select the Enable Association Flood Detection check box. Attackers can cause a Denial-of-Service (DoS) attack by flooding a wireless network with association requests. The Enable Association Flood Detection option combats this.

   a. The default association flood threshold is 10 association attempts within 5 seconds. To change this setting, enter new flood threshold values.

   b. To block the MAC address of a computer or device attempting this attack, select Block station's MAC address in response to an association flood. Because station MAC addresses are not authenticated, an attacker can spoof a legitimate client's address to get that client blocked; check the blocked stations if clients report being unable to associate.
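The threshold in step 4a as a sliding-window detector, added here as an example and not GMS's own implementation. It replays a constructed stream of association requests (timestamp in seconds, station MAC) and raises one alert per station that exceeds the configured count within the window, optionally adding the station to a block list as the Block station's MAC address option does. The event format, class and function names are this example's assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

# GMS defaults from step 4a: 10 association attempts within 5 seconds.
DEFAULT_COUNT = 10
DEFAULT_WINDOW_SECONDS = 5.0


class AssociationFloodDetector:
    """Per-station sliding window over association-request timestamps."""

    def __init__(self, count: int = DEFAULT_COUNT,
                 window: float = DEFAULT_WINDOW_SECONDS, block: bool = True) -> None:
        self.count = count
        self.window = window
        self.block = block
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Set[str] = set()
        # (station MAC, window start, window end, attempts in window)
        self.alerts: List[Tuple[str, float, float, int]] = []

    def observe(self, ts: float, mac: str) -> bool:
        """Record one association request; return True if it should be dropped."""
        mac = mac.lower()
        if mac in self.blocked:
            return True  # already blocked: drop without re-alerting
        recent = self._recent[mac]
        recent.append(ts)
        # Expire attempts older than the window, measured from this request.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.count:
            self.alerts.append((mac, recent[0], ts, len(recent)))
            if self.block:
                self.blocked.add(mac)
            recent.clear()  # fresh window, so one flood yields one alert
            return True
        return False


def replay(events: List[Tuple[float, str]],
           detector: Optional[AssociationFloodDetector] = None) -> AssociationFloodDetector:
    """Feed (timestamp, MAC) events in time order and return the detector state."""
    detector = detector or AssociationFloodDetector()
    for ts, mac in sorted(events):
        detector.observe(ts, mac)
    return detector


# Constructed sample: a normal client, a slow retrier that never fills the
# window, and a flooding station (upper-case MAC to exercise normalisation).
SAMPLE_EVENTS: List[Tuple[float, str]] = (
    [(0.0, "aa:bb:cc:00:00:01"), (12.0, "aa:bb:cc:00:00:01"), (25.0, "aa:bb:cc:00:00:01")]
    + [(6.0 * i, "aa:bb:cc:00:00:02") for i in range(10)]
    + [(30.0 + 0.15 * i, "DE:AD:BE:EF:00:01") for i in range(12)]
)

if __name__ == "__main__":
    state = replay(SAMPLE_EVENTS)
    for mac, start, end, n in state.alerts:
        print(f"association flood: {mac} sent {n} requests in {end - start:.2f}s")
    print("blocked:", sorted(state.blocked))
```

The slow retrier sends ten requests in total but never ten within five seconds, so it is never flagged; the window is anchored on the newest request, which is what keeps a long-lived but well-behaved client from accumulating into a false positive.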

At Unit level

Step 1  Navigate to the Wireless > IDS page.

Step 2  Select a Unit from the Model View list.

Step 3  To enable detection of Rogue Access Points, select the check box for Enable Rogue Access Point Detection. To gain access to a network, attackers can set up a rogue access point that intercepts the communications of legitimate users attempting to reach a legitimate access point. This man-in-the-middle attack can expose passwords and other network resources.

Step 4  Click the Authorized Access Points pull-down and select an access point from the list.

Step 5  Click the Update button. To put the IDS settings back to default, click the Reset button.

Note: IDS logging and notification can be enabled under Log > Enhanced Log Settings by selecting the WLAN IDS check boxes under the Categories section.

Authorized Access Points

In the Group level view, you can specify authorized access points for SonicOS Standard and Enhanced. Perform the following steps to enter authorized access points:

SonicOS Standard

In SonicOS Standard only, to prevent rogue access points, you must specify each authorized access point within the network.

Step 1  Enter the MAC address of an access point in the MAC Address (BSSID) field.

Step 2  Enter a comment about the access point.

Step 3  Click the Add button. The Modify Task Description and Schedule pop-up window displays.

Step 4  Enter a Description.

Step 5  Select a Schedule:
   - Default
   - Immediate
   - At: (select a custom date and time)

Step 6  Click the Update button. To clear all screen settings and start over, click Reset.

SonicOS Enhanced

For SonicOS Enhanced only, to authorize access points:

Step 1  Select one of the options from the Authorized Access Points pull-down list.

Step 2  Click the Update button. To clear all screen settings and start over, click Reset.

Discovering Access Points

You can have many wireless access points within reach of the signal of the wireless appliance on your network. The Wireless > IDS page reports on all access points the SonicWALL security appliance can find by scanning the 802.11a, 802.11g, and 802.11n radio bands. This section details the steps to configure your Discovered Access Point settings.

Note: Wireless Discovered Access Points is supported on SonicOS Enhanced 5.6 or higher firmware.

Requesting Discovered Access Points

You can use a wireless appliance to discover information about access points.

Step 1  Navigate to the Wireless > IDS page.

Step 2  Click the link for Request Discovered Access Points Information from Firewall.

The Modify Task Description and Schedule pop-up window displays.

Step 3  Enter a Description.

Step 4  Select a Schedule:
   - Default
   - Immediate
   - At: (select a custom date and time)

Step 5  Click the Accept button. The discovered access points populate the Discovered Access Points list.

Searching for Discovered Access Points

The Wireless > IDS page offers a search feature to filter the list of discovered access points. Perform the following steps to search for a discovered access point.

Note: The search feature is only available at unit level.

Step 1  Navigate to the Wireless > IDS page.

Step 2  In the Discovered Access Points Search panel, do the following:
   a. Click the Search pull-down lists.
   b. Select MAC Address (BSSID), SSID, or Manufacturer.
   c. Select Equals, Starts With, Ends With, or Contains.
   d. Enter a value in the text box.
   e. Click the Search button.

Scanning Access Points

Active scanning occurs when the security appliance starts up, and at any time Scan Now is clicked on the Wireless > IDS page. When the security appliance performs a scan, a temporary interruption of wireless clients occurs for no more than a few seconds. This interruption manifests itself as follows:
   - Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill effects.
   - Persistent connections (protocols such as FTP) are impaired or severed.
   - WiFiSec connections should automatically re-establish and resume with no noticeable interruption to the client.

Warning: If service disruption is a concern, it is recommended that the Scan Now feature not be used while the SonicWALL security appliance is in Access Point mode until such a time that no clients are active, or the potential for disruption becomes acceptable.

Scanning for Access Points

Step 1  Navigate to the Wireless > IDS page.

Step 2  Click the Scan Now... button. A warning message displays.

Step 3  Click the OK button.

The Modify Task Description and Schedule pop-up window displays.

Step 4  Enter a Description.

Step 5  Select a Schedule:
   - Default
   - Immediate
   - At: (select a custom date and time)

Step 6  Click the Accept button.

Viewing the Discovered Access Points List

The Discovered Access Points list displays information on every access point that is detected by the wireless radio:

Table 24  Discovered Access Points

Column                Description
MAC Address (BSSID)   The MAC address of the radio interface of the detected access point.
SSID                  The radio SSID of the access point.
Channel               The radio channel used by the access point.
Manufacturer          The manufacturer of the access point, looked up from the BSSID's OUI. SonicPoints will show a manufacturer of either SonicWALL or Senao.
Signal Strength       The strength of the detected radio signal.
Secure                This lock icon shows whether the connection from the access point is secured. If the lock icon is present, the access point has a secured connection.
Max Rate              The maximum data rate advertised by the access point.
Authorize             Adds the access point to the address object group of authorized access points.

Authorizing Access Points on Your Network

Access Points detected by the security appliance are regarded as rogues until they are identified to the security appliance as authorized for operation. Authorization is keyed on the BSSID, which an attacker can clone, so treat the authorized list as a baseline and investigate an authorized BSSID that turns up on an unexpected channel or with a changed Secure status. Perform the following steps to authorize an access point:

Step 1  In the Discovered Access Points list, locate the desired Rogue Access Point and click the Edit icon in the Authorize column. The Edit pop-up window displays.

Step 2  Click OK.

Note: To unauthorize an access point, remove it from the Address Object Group of Authorized Access Points.
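A triage pass over a discovered-access-point list, added here as an example rather than GMS's own rogue classification. It normalizes BSSIDs before comparing them with the authorized set (the address object group behind Table 24's Authorize column), and ranks unauthorized APs that advertise one of your own SSIDs (evil twins) above other rogues, with open networks ranked above encrypted ones. The record fields mirror Table 24's columns; the sample records, authorized list and SSID names are constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Set

# Severity order for the report: lower number sorts first.
SEVERITY = {"evil_twin": 0, "rogue_open": 1, "rogue": 2, "authorized": 3}


def normalize_bssid(bssid: str) -> str:
    """Canonical lower-case colon form so 00-17-C5-11-22-33 == 00:17:c5:11:22:33."""
    digits = re.sub(r"[^0-9a-fA-F]", "", bssid)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {bssid!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(ap: Dict, authorized: Set[str], own_ssids: Set[str]) -> str:
    """Label one discovered AP.

    Authorization is keyed purely on the (normalized) BSSID, as the
    appliance's authorized list is, so a cloned BSSID passes; the SSID check
    catches the more common case of an unauthorized radio impersonating
    your network name.
    """
    if normalize_bssid(ap["bssid"]) in authorized:
        return "authorized"
    if ap["ssid"] in own_ssids:
        return "evil_twin"
    if not ap.get("secure", False):
        return "rogue_open"
    return "rogue"


def triage(discovered: Iterable[Dict], authorized: Iterable[str],
           own_ssids: Iterable[str]) -> List[Dict]:
    """Return discovered APs with a 'category' field, most urgent first."""
    auth = {normalize_bssid(b) for b in authorized}
    own = set(own_ssids)
    report = []
    for ap in discovered:
        entry = dict(ap)
        entry["bssid"] = normalize_bssid(ap["bssid"])
        entry["category"] = classify(ap, auth, own)
        report.append(entry)
    # Strongest signal first within a category: the nearest rogue is the one to find.
    report.sort(key=lambda e: (SEVERITY[e["category"]], -e.get("signal", 0)))
    return report


# Constructed sample in the shape of Table 24 (signal in arbitrary units).
AUTHORIZED_BSSIDS = ["00-17-C5-11-22-33"]
OWN_SSIDS = {"CorpWiFi"}
DISCOVERED = [
    {"bssid": "00:17:c5:11:22:33", "ssid": "CorpWiFi", "channel": 6, "secure": True, "signal": 70},
    {"bssid": "02:11:22:33:44:55", "ssid": "CorpWiFi", "channel": 6, "secure": False, "signal": 55},
    {"bssid": "66:77:88:99:aa:bb", "ssid": "FreeWifi", "channel": 11, "secure": False, "signal": 40},
    {"bssid": "cc:dd:ee:ff:00:11", "ssid": "Neighbor", "channel": 1, "secure": True, "signal": 20},
]

if __name__ == "__main__":
    for entry in triage(DISCOVERED, AUTHORIZED_BSSIDS, OWN_SSIDS):
        print(f'{entry["category"]:<11} {entry["bssid"]}  ch {entry["channel"]:<2}  {entry["ssid"]}')
```

The normalization step matters more than it looks: the MAC Address (BSSID) field accepts whatever separator the operator types, and a dash-separated entry that never matches the colon-separated discovered value would silently leave a legitimate AP flagged as rogue.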

Scheduling Rogue Access Points Reporting

Rogue Access Points have emerged as one of the most serious and insidious threats to wireless security. In general terms, an access point is considered rogue when it has not been authorized for use on a network. The convenience, affordability and availability of non-secure access points, and the ease with which they can be added to a network, create an easy environment for introducing rogue access points. Specifically, the real threat emerges in a number of different ways, including unintentional and unwitting connections to the rogue device, transmission of sensitive data over non-secure channels, and unwanted access to LAN resources. So while this does not represent a deficiency in the security of a specific wireless device, it is a weakness in the overall security of wireless networks.

The security appliance can alleviate this weakness by recognizing rogue access points potentially attempting to gain access to your network. It accomplishes this in two ways: active scanning for access points on all 802.11a, 802.11g, and 802.11n channels, and passive scanning (while in Access Point mode) for beaconing access points on a single channel of operation.

To schedule a Rogue Access Point report, click the Schedule Rogue Access Point Report link located at the bottom of the Wireless > IDS page. This redirects you to the Universal Scheduled Reports > Configuration Manager page, where you can schedule the Rogue Access Point report in the Policies tab. Rogue Access Point reporting is not supported at Global level, only at Group and Unit levels. Refer to the Using the Universal Scheduled Reports Application section for details on configuring Universal Scheduled Reports.

Note: Wireless Rogue Access Point Reporting is supported on SonicOS Enhanced 5.6 or higher firmware.

Configuring Wireless Virtual Access Points


A Virtual Access Point is a multiplexed instantiation of a single physical Access Point (AP) so
that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual
AP appears to be an independent physical AP, when in actuality there is only a single physical
AP.
The following are required areas of configuration for VAP deployment:

1. Zone - The zone is the backbone of your VAP configuration. Each zone you create has its own security and access control settings, and you can create and apply multiple zones to a single physical interface by way of Wireless Subnets.

2. Wireless Interface - The W0 interface (and its WLAN subnets) represents the physical connection between the SonicWALL firewall appliance and the internal wireless radio. Individual zone settings are applied to these interfaces and forwarded to the wireless radio.

3. DHCP Server - The DHCP server assigns leased IP addresses to users within specified ranges, known as Scopes. The default ranges for DHCP scopes are often excessive for the needs of most wireless deployments, for instance, a scope of 200 addresses for an interface that will only use 30. Because of this, DHCP ranges must be set carefully in order to ensure the available lease scope is not exhausted.

4. Virtual Access Point Profile - The VAP Profile feature allows for creation of wireless configuration profiles which can be easily applied to new wireless Virtual Access Points as needed.

5. Virtual Access Point - The VAP Objects feature allows for setup of general VAP settings. SSID and wireless subnet name are configured through VAP Settings.

6. Virtual Access Point Group - The VAP Group feature allows for grouping of multiple VAP objects to be simultaneously applied to a single internal wireless radio.

7. Assign VAP Group to Internal Wireless Radio - The VAP Group is applied to the internal wireless radio and made available to users through multiple SSIDs.

Searching for Virtual Access Point Objects

You can search the configured Virtual Access Point Objects in GMS using several attributes of the VAP configuration. To do so, perform the following tasks:

1. Navigate to the Wireless > Virtual Access Points page.

2. In the Virtual Access Point Objects Search section, select the attribute you want to search for:

   Attribute        Search types
   Name/SSID        Equals, Starts with, Ends with, Contains
   Authentication   Equals
   Cipher           Equals
   Max Clients      =, >, >=, <, <=, !=
   SSID Suppress?   = yes, = no
   Enabled?         = yes, = no

3. Click Search. Any matching VAPs on the appliance are displayed.

Configuring Virtual Access Point Groups

The Virtual Access Point Groups feature is available on SonicWALL NSA appliances. It allows for grouping of multiple VAP objects to be simultaneously applied to your internal wireless radio. Virtual Access Point Groups are configured from the Wireless > Virtual Access Point page. After your VAPs are configured and added to a VAP group, that group must be specified in the Wireless > Settings page in order for the VAPs to be available through your internal wireless radio. The default group is called Internal AP Group.

Configuring Virtual Access Points

To configure a Virtual Access Point, perform the following tasks:

1. Navigate to the Wireless > Virtual Access Points page.

2. Click Add Virtual Access Point.

3. For the SSID, enter a friendly name for your VAP.

4. Select a Subnet Name to associate this VAP with. Settings for this VAP will be inherited from the subnet you select from this list.

5. Select the Enable Virtual Access Point check box to enable the VAP.

6. Select the Enable SSID Suppress check box to suppress broadcasting of the SSID name and disable responses to probe requests. Check this option if you do not wish for your SSID to be seen by unauthorized wireless clients. Clients will have to know the SSID name ahead of time and manually enter it to connect to the VAP. As with Hide SSID in Beacon, this is not a security control: the SSID still appears in association frames and is easily recovered by a passive sniffer.

7. Click on the Advanced tab to configure additional options.

8. Select the VAP Schedule Name to configure when the VAP will be enabled.

9. The Radio Type is set to Wireless-Internal-Radio by default. Retain this default setting if using the internal radio for VAP access (currently the only supported radio type).

10. Enter a Profile Name to set a friendly name for this VAP Profile. Choose something descriptive and easy to remember, as you will later apply this profile to new VAPs.

11. Select an Authentication Type. Below is a list of the available authentication types with descriptive features and uses for each:
   - Open: In open-system authentication, the SonicWALL allows the wireless client access without verifying its identity.
   - Shared: Uses WEP and requires a shared key to be distributed to wireless clients before authentication is allowed.
   - Both (Open System & Shared Key): The Default Key assignments are not important as long as identical keys are used in each field. If Shared Key is selected, then the key assignment is important.
   - WPA-PSK: WPA is more secure than an open network, but not as secure as WPA2. PSK allows WPA to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server.
   - WPA-EAP: EAP allows WPA to obtain keys through authentication against an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework.
   - WPA2-PSK: WPA2 with a pre-shared key. WPA2 is the strongest security offered here.
   - WPA2-EAP: WPA2 with EAP.
   - WPA2-Auto-PSK: First attempts to connect using WPA2-PSK security, but falls back to WPA-PSK if the client is not WPA2 capable.
   - WPA2-Auto-EAP: First attempts to connect using WPA2-EAP security, but falls back to WPA-EAP if the client is not WPA2 capable.

12. The Unicast Cipher will be automatically chosen based on the authentication type.
SonicWALL GMS 7.0 Administrators Guide

601

Configuring Wireless Virtual Access Points

13. The Multicast Cipher will be automatically chosen based on the authentication type.
14. Enter a value for Maximum Clients to set the maximum number of concurrent client

connections permissible for this virtual access point.

15. Select whether to Allow 802.11b Clients to connect.


16. Select Enable MAC Filter List to filter which MAC addresses are or are not allowed to

connect to the VAP. You have two options for configuring the MAC filter list:
Select Use Global ACL Settings, or

Select an Address Object Group for the Allow List and/or the Deny List.
17. Click OK.

Virtual Access Point Profiles

A Virtual Access Point Profile allows the administrator to pre-configure and save access point settings in a profile. VAP Profiles allow settings to be easily applied to new Virtual Access Points. This feature is especially useful for quick setup in situations where multiple virtual access points will share the same authentication methods.
To configure a Virtual Access Point Profile, perform the following steps:

1. Navigate to the Wireless > Virtual Access Points page.

2. Click the Add Virtual Access Point Profile button.

3. Select the VAP Schedule Name to configure when the VAP will be enabled.

4. The Radio Type is set to Wireless-Internal-Radio by default. Retain this default setting if using the internal radio for VAP access (currently the only supported radio type).

5. Enter a Profile Name to set a friendly name for this VAP Profile. Choose something descriptive and easy to remember, as you will later apply this profile to new VAPs.

6. Select an Authentication Type. The available authentication types, with the features and uses of each, are:
- Open: In open-system authentication, the SonicWALL allows the wireless client access without verifying its identity.
- Shared: Uses WEP and requires a shared key to be distributed to wireless clients before authentication is allowed.
- Both (Open System & Shared Key): The Default Key assignments are not important as long as identical keys are used in each field. If Shared Key is selected, then the key assignment is important.
- WPA-PSK: WPA is more secure than an open network, but not as secure as WPA2. PSK allows WPA to generate keys from a pre-shared passphrase that you configure. The keys are updated periodically based on time or number of packets. Use PSK in smaller deployments where you do not have a RADIUS server.
- WPA-EAP: EAP allows WPA to synchronize keys with an external RADIUS server. The keys are updated periodically based on time or number of packets. Use EAP in larger, enterprise-like deployments where you have an existing RADIUS framework.
- WPA2-PSK: WPA2 is the strongest security.
- WPA2-EAP: WPA2 with EAP.
- WPA2-Auto-PSK: First attempts to connect using WPA2-PSK security, but falls back to WPA-PSK if the client is not WPA2 capable.
- WPA2-AUTO-EAP: First attempts to connect using WPA2-EAP security, but falls back to WPA-PSK if the client is not WPA2 capable.

7. The Unicast Cipher is chosen automatically based on the authentication type.

8. The Multicast Cipher is chosen automatically based on the authentication type.

9. Enter a value for Maximum Clients to set the maximum number of concurrent client connections permissible for this virtual access point.

10. Select whether to Allow 802.11b Clients to connect.

11. Select Enable MAC Filter List to filter which MAC addresses are or are not allowed to connect to the VAP. You have two options for configuring the MAC filter list:
- Select Use Global ACL Settings, or
- Select an Address Object Group for the Allow List and/or the Deny List.

12. Click OK.

CHAPTER 26
Configuring Firewall Wireless Guest Services
This chapter describes how to configure Wireless Guest Services (WGS) on WGS-enabled appliances running SonicOS Standard. For appliances running SonicOS Standard, these configuration options are available at the unit level. Wireless Guest Services allows the administrator to configure wireless access points for guest access. Wireless Guest Services is configured with optional custom login pages and user accounts, and is compatible with several different authentication methods, including those which require external authentication. This chapter includes the following sections:

- "Configuring Wireless Guest Services Settings" section on page 605
- "Configuring the URL Allow List" section on page 608
- "Denying Access to Networks with the IP Deny List" section on page 608
- "Configuring the Custom Login Screen" section on page 609
- "Configuring External Authentication" section on page 610

Configuring Wireless Guest Services Settings

This section describes how to configure wireless settings for Wireless Guest Services. To do this, perform the following steps:

1. In the TreeControl pane, select a wireless SonicWALL appliance.

2. In the center pane, navigate to WGS > Settings. The Settings page displays.

3. To enable Wireless Guest Services on this device, select the Enable Wireless Guest Services check box.

4. Check the Bypass Guest Authentication checkbox to allow a SonicPoint running WGS to integrate into environments which are already using some form of user-level authentication. This feature automates the WGS authentication process, allowing wireless users to reach WGS resources without requiring authentication.

Note
The Bypass Guest Authentication feature should only be used when unrestricted WGS access is desired, or when another device upstream of the SonicPoint is enforcing authentication.

5. Check the Bypass Filters for Guest Accounts check box to disable filtering for guest accounts.

6. Check the Dynamic Address Translation (DAT) checkbox to enable DAT. This option saves wireless clients the hassle of reconfiguring their IP address and network settings. If this option is disabled (unchecked), wireless guest users must either have DHCP enabled or use an IP addressing scheme compatible with the SonicPoint's network settings.

7. Check the Enable SMTP Redirect checkbox and enter the following information:
- Server IP: enter the SMTP server IP address to which to redirect SMTP traffic incoming on this zone.
- Server Port: enter the port number for SMTP traffic on the server. This is available at the group and global level, and for units running SonicOS Standard 3.8 and above. The default port is 25.

8. Check the Custom Post Authentication Redirect page checkbox and enter a URL to redirect wireless guests to a custom page after successful login.

9. To limit the number of concurrent guests, enter the maximum number in the Maximum Concurrent Guests field.

10. To add a new guest, click Add New Wireless Guest. Refer to the "Adding a Guest" section on page 607.

11. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.

Adding a Guest
You can add a new guest to Wireless Guest Services from the WGS > Settings page.
To add a guest:

1. Select a wireless SonicWALL appliance and navigate to WGS > Settings.

2. Click Add New Wireless Guest. The Add New Wireless Guest dialog box displays.

3. In the Account Profile pull-down list, select the WGS account profile to use for this account. This field is only visible when one or more WGS profiles have been created in the current view. Views that provide the WGS Profiles screen include the global and group levels, and the unit level for appliances running SonicOS Standard 3.8 and above.

4. Select the Enable Account checkbox to enable the guest account.

5. Select the Auto-Prune Account checkbox to automatically remove the account when its lifetime expires.

6. Select the Enforce login uniqueness checkbox to prevent more than one guest from logging in with the account at the same time.

7. In the Account Name field, enter the username for the guest account.

8. In the Account Password field, enter the password for the guest account.

9. In the Confirm Password field, re-enter the password for the guest account.

10. In the Account Lifetime field, select the maximum lifetime of the guest account.

11. In the Session Timeout field, set the time limit for a guest login session.

12. In the Idle Timeout field, enter a number and select a time period that the guest can be idle at the computer before the session times out.

13. In the Comment field, add any comments.

14. Click Update.

Configuring the URL Allow List

The URL allow list specifies URLs that can be accessed by unauthenticated users. To configure this list, perform the following steps:

Note
The URL Allow list is not supported in SonicOS Enhanced.

1. Select a wireless SonicWALL appliance.

2. Expand the WGS tree and click URL Allow List. The URL Allow List page displays.

3. To enable the URL Allow List, select the Enable URL Allow List for Unauthenticated Users check box.

4. To add a URL to the URL Allow List, enter a URL in the Allowed URLs text field and click Add. Repeat this step for each URL that you would like to add. To delete a URL from the URL Allow List, check the box next to the URL to delete and click the trash can icon.

5. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Denying Access to Networks with the IP Deny List

To specify networks that authenticated users will not be allowed to access, perform the following steps:

Note
The IP Deny List is not supported in SonicOS Enhanced.

1. Select a wireless SonicWALL appliance.

2. Expand the WGS tree and click IP Deny List. The IP Deny List page displays.

3. To enable the IP Deny List, select the Enable IP Address Deny List for Authenticated Users check box.

4. To add an entry to the IP Deny List, enter an IP address and subnet mask and click Add IP Deny Entry. Repeat this step for each network that you would like to add. To delete an entry from the IP Deny List, check the box next to the entry to delete and click the trash can icon.

5. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring the Custom Login Screen

The Custom Login page is used to configure the login page that will be accessed by guest users attempting to connect to the wireless SonicWALL appliance.
To configure the Custom Login page, perform the following steps:

Note
The Custom Login screen is not supported in SonicOS Enhanced.

1. Select a wireless SonicWALL appliance running SonicOS Standard.

2. Expand the WGS tree and click Custom Login. The Custom Login page displays.

3. To customize the login page, select the Customize Login Page check box.

4. To display the custom login page only when the connection is made through the Wireless LAN, select the Display Custom Login Page on WLAN Only check box.

5. The body of the login page will contain the username and password fields that the user must use to authenticate with the SonicWALL appliance. To configure the header and footer text, select from the following:
- To display custom header and footer URLs, enter the URLs in the Custom Header URL and Custom Footer URL fields.
- To enter custom text for the header and footer, enter the text in the Custom Header Text and Custom Footer Text fields.

6. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring External Authentication

External Guest Authentication allows the administrator to specify an external database for wireless guest authentication. This authentication requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM), is used for authenticating hotspot users and providing them parametrically bound network access.
To configure external authentication, perform the following steps:

Note
External Authentication is not supported in SonicOS Enhanced.

1. Select a wireless SonicWALL appliance running SonicOS Standard.

2. Expand the WGS tree and click External Authentication. The External Authentication page displays.

3. Check the Enable External Guest Authentication checkbox to enable the external authentication feature and configure the tabs as follows:

Configuring General Settings

1. Enter a Secure Communications Port and select a Client Redirect Protocol for client redirect. This port and protocol (HTTP or HTTPS) are used by the SonicWALL security appliance when performing the initial internal client redirect via the "Please wait while you are being redirected" page, prior to redirection to the LHM server.

2. Select the Web Server Protocol (HTTP or HTTPS) running on your LHM server from the pull-down list.

3. Enter the IP or resolvable FQDN of the LHM server in the Host field.

4. Enter the TCP port of operations for the selected protocol on the LHM server in the Port field.

5. Enter the duration of time, in seconds, before the LHM server is considered unavailable in the Connection Timeout field. On timeout the client will be presented with the Server Down message configured on the Web Content tab.

6. Select the Enable Message Authentication checkbox to use an HMAC digest embedded in the query string in communication with the LHM server. This option is useful if you are concerned about message tampering when HTTP is used to communicate with the LHM server.

7. When using Message Authentication, select the Authentication Method from the pull-down menu. You can select MD5 or SHA1.

8. When using Message Authentication, enter a Shared Secret. The shared secret for the hashed MAC, if used, also needs to be configured in the LHM server scripts.
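The following is an added example, not part of the guide or of SonicWALL's LHM scripts, showing how an LHM server script can check the HMAC digest described in steps 6 to 8 before trusting the redirected parameters. It assumes (hypothetically) that the appliance appends the digest as a final query parameter named hmac computed over the preceding parameters; the parameter names and the shared secret below are constructed, and the real LHM parameter layout must be taken from the LHM server scripts in use.

```python
"""Verify an HMAC-authenticated redirect query string on the LHM server side.

Assumed (hypothetical) message layout, not taken from the guide:
  <param1>=<v1>&<param2>=<v2>&...&hmac=<hexdigest>
where the digest is HMAC-MD5 or HMAC-SHA1 (the two methods offered in the
Authentication Method pull-down) keyed with the configured Shared Secret
and computed over everything before "&hmac=".
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# The two Authentication Method choices the General Settings tab offers.
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}

# Constructed sample values; the parameter names are illustrative only.
SAMPLE_PARAMS = [
    ("sessionId", "a1b2c3d4"),
    ("ip", "192.168.10.23"),
    ("mac", "00:11:22:33:44:55"),
    ("req", "http://example.com/"),
]
SHARED_SECRET = "constructed-shared-secret"  # must match the appliance setting


def sign_query(params, shared_secret, method="SHA1"):
    """Build the query string the appliance is assumed to send: the
    ordered parameters followed by an hmac parameter over them."""
    body = urlencode(params)
    digest = hmac.new(shared_secret.encode(), body.encode(),
                      DIGESTS[method]).hexdigest()
    return body + "&hmac=" + digest


def verify_query(query, shared_secret, method="SHA1"):
    """Return the redirect parameters as a dict if the trailing hmac
    parameter matches, otherwise None. Any change to a parameter value,
    a wrong shared secret, or a digest method mismatch fails the check."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if not pairs or pairs[-1][0] != "hmac":
        return None  # no digest present: treat as unauthenticated
    body = urlencode(pairs[:-1])  # re-encode exactly what was signed
    expected = hmac.new(shared_secret.encode(), body.encode(),
                        DIGESTS[method]).hexdigest()
    # Constant-time comparison so the check does not leak digest bytes.
    if not hmac.compare_digest(expected, pairs[-1][1]):
        return None
    return dict(pairs[:-1])


if __name__ == "__main__":
    signed = sign_query(SAMPLE_PARAMS, SHARED_SECRET, "SHA1")
    print("valid   :", verify_query(signed, SHARED_SECRET, "SHA1") is not None)
    tampered = signed.replace("192.168.10.23", "192.168.10.99")
    print("tampered:", verify_query(tampered, SHARED_SECRET, "SHA1"))
```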

Configuring Settings for Auth Pages

To configure the session and idle timeout settings, perform the following steps:

Note
These pages may each be a unique page on the LHM server, or they may all be the same page with a separate event handler for each status message.

1. Click the Auth Pages tab.

2. Enter a Login Page. This is the first page to which the client is redirected (e.g. lhm/accept/default.aspx).

3. Enter a Session Expiration Page. This is the page to which the client is redirected when the session expires (e.g. lhm/accept/default.aspx?cc=2). After a session expires, the user must create a new LHM session.

4. Enter an Idle Timeout Page. This is the page to which the client is redirected when the idle timer is exceeded (e.g. lhm/accept/default.aspx?cc=3). After the idle timer is exceeded, the user can log in again with the same credentials as long as there is time left in the session.

5. Enter a Max Session Page. This is the page to which the client is redirected when the maximum number of sessions has been reached (e.g. lhm/accept/default.aspx?cc=4).
Configuring Web Content Settings

To configure the Web content for external authentication:

1. Click the Web Content tab.

2. Select Use Default, or select Customize and enter a Redirect Message in the text box. This is the message that will be presented to the client (usually for no more than one second) explaining that the session is being redirected to the LHM server. This interstitial page is used (rather than going directly to the LHM server) so that the SonicWALL security appliance can verify the availability of the LHM server.

3. Select Use Default, or select Customize and enter a Server Down Message in the text box. This is the message that will be presented to the client if the Redirector determines that the LHM server is unavailable.

Configuring Advanced Settings

To configure the advanced settings for external authentication:

1. Click the Advanced tab.

2. Check the Enable Auto-Session Logout checkbox and configure the two corresponding fields to set the time increment and the page to which the SonicWALL security appliance will POST when a session is logged out (either automatically or manually).

3. Check the Enable Server Status Check checkbox and configure the two corresponding fields to set the time increment and the page to which the SonicWALL will POST to determine the availability of components on or behind (e.g. a back-end database) the LHM server.

4. Check the Session Synchronization checkbox and configure the two corresponding fields to set the time increment and the page to which the SonicWALL will POST the entire Guest Services session table. This allows the LHM server to synchronize the state of Guest Users for the purposes of accounting, billing, or mere curiosity.

5. When you are finished configuring External Authentication, click the Update button to apply your changes.

Configuring WGS Account Profiles

At the global or group level, and for SonicWALL appliances running SonicOS Standard 3.8 and above, GMS supports the configuration of WGS account profiles. You can set up different profiles that accommodate the need for guest accounts with specific account lifetimes, session time limits, idle timeouts and so forth. This screen also provides an Enable/Disable setting so that you can disable a profile without deleting it and losing the configuration.

To add or edit a WGS Account Profile:

1. Select a wireless SonicWALL appliance running SonicOS Standard.

2. Expand the WGS tree and click Profiles.

3. On the WGS Account Profiles page, click Add New WGS Profile. The Add Profile page displays.

4. In the WGS Account Profile Settings dialog box, type a descriptive name into the Profile Name field.

5. In the User Name Prefix field, type the user name that the guest will log in with. Do not include the domain.

6. Select Enable Account to activate the account for immediate use.

7. Select Auto-Prune Account if you want the account to be removed after its lifetime expires.

8. Select Enforce Login Uniqueness to prevent multiple logins at the same time for this account.

9. For Account Lifetime, enter a number in the first field and then select Days, Hours, or Minutes from the pull-down list. The account will expire after this time period.

10. For Session Lifetime, enter a number in the first field and then select Days, Hours, or Minutes from the pull-down list. The guest's login session will expire after this time period.

11. For Idle Timeout, enter a number in the first field and then select Days, Hours, or Minutes from the pull-down list. The guest will be logged out after being idle for this amount of time.

12. Optionally, type a descriptive comment into the Comment field.

13. Click Update. Clicking Reset repopulates all fields with the default values and allows you to start over.

CHAPTER 27
Configuring Firewall Modem Options

Note
For information on configuring wireless WAN (WWAN) settings, see "Configuring Firewall Wireless WAN Options," page 621.

This chapter describes how to configure the dialup settings for SonicWALL SmartPath (SP) and SmartPath ISDN (SPi) appliances.
SonicWALL SP appliances have a WAN Failover feature that enables automatic use of a built-in modem to establish Internet connectivity when the primary broadband connection becomes unavailable. This is ideal when the SonicWALL appliance must remain connected to the Internet, regardless of network speed.
This chapter contains the following subsections:

- "Configuring the Modem Profile" section on page 615
- "Configuring Modem Settings" section on page 618
- "Configuring Advanced Modem Settings" section on page 620

Configuring the Modem Profile

Note
For information on configuring WWAN connection profiles, see "Configuring the Connection Profile," page 622 in the Configuring Firewall Wireless WAN Options chapter.

A profile is a list of dialup connection settings that can be used by a SonicWALL SP or SonicWALL SPi appliance.
To configure a profile, perform the following steps:

1. In the left pane, select the SonicWALL appliance to manage.

2. Click the Policies tab.

3. In the center pane, navigate to Modem > Connection Profiles. The profile configuration page displays.

4. To create a new profile, enter the name of the profile in the Profile Name field under ISP User Settings. To edit an existing profile or use an existing profile as a template, select a profile from the Current Profile pull-down menu.

Note
If you are editing an existing profile, the name in the Current Profile field must match the existing profile name. If there are no existing profiles, the Current Profile will display the static message No profiles available.

5. Enter the primary ISP phone number in the Primary Phone number field.

6. Enter the backup ISP phone number in the Secondary Phone number field.

7. Enter the user name associated with the account in the User Name field.

8. Enter the password associated with the account in the User Password and Confirm User Password fields.

9. Enter a chat script (optional).

10. Select one of the following IP address options:
- If the account obtains an IP address dynamically, select Obtain an IP Address Automatically.
- If the account uses a fixed IP address, select Use the following IP Address and type the IP address in the field.

11. Select from the following DNS server options:
- If the account obtains DNS server information from the ISP, select Obtain an IP Address Automatically.
- If the account uses specific DNS servers, select Use the following IP Address and type the IP address in the field.

12. For SPi appliances, you can configure MSN/EAZ and bandwidth on demand. To configure MSN/EAZ, enter a phone number in the MSN/EAZ field. To enable bandwidth on demand, check the Bandwidth on Demand box.

13. Select from the following connection options:
- If the SonicWALL appliance(s) will remain connected to the Internet until the broadband connection is restored, select Persistent Connection.
- If the SonicWALL appliance(s) will only connect to the Internet when data is being sent, select Dial On Data.
- If the SonicWALL appliance(s) will connect to the Internet manually, select Manual Dial.

14. To enable the modem to disconnect after a period of inactivity, check the Inactivity Disconnect box and specify how long (in minutes) the modem waits before disconnecting from the Internet in the Inactivity Timeout field.

15. For SP appliances, specify a maximum connection speed by selecting the speed from the Max connection speed pull-down menu. The default is Auto.

16. To specify the maximum connection time, check the Max Connection Time box and enter the maximum connection time (in minutes) in the Max Connection Time field. To configure the SonicWALL device to allow indefinite connections, enter 0.

17. To specify a time (in minutes) before the connection reconnects, enter the number of minutes in the Delay Before Reconnect field.

18. For SP appliances, disable call waiting by checking the Disable Call Waiting box and selecting the radio button next to the touch tone disabling code. To enter a custom touch tone disabling code, select the radio button next to Other and specify the code.

19. To allow the modem to attempt a connection multiple times, check the Dial Retries per Phone Number box and specify the number of retries.

20. To specify how long the modem waits between retries, check the Delay Between Retries box and specify the delay (in seconds).

21. To disable VPN when dialed, check the Disable VPN when dialed box.

22. For SP appliances, enable the network modem by checking the Enable Network Modem box.

23. To specify the time periods when the modem can connect, check the Limit Times for Dialup Profile box and click Configure. The Edit Schedule String pop-up displays.

24. In the Edit Schedule String pop-up, check the box next to the day(s) on which you want to allow dial-up connections. Next to the day(s) you select, enter the start and end times between which dial-up connections will be allowed. Enter the hour and minute in 24-hour format.

25. Click Apply.

26. When you are finished, click Add Profile. The profile is added. To clear all screen settings and start over, click Reset.

Configuring Modem Settings

Select SonicWALL appliances are equipped to use analog modem and/or wireless WAN (WWAN) devices for alternative or primary Internet connectivity.

Note
For information on configuring WWAN settings, see "Configuring Advanced Settings," page 626 in the Configuring Firewall Wireless WAN Options chapter.

To configure the modem settings for one or more SonicWALL SP or SonicWALL SPi appliances, perform the following steps:

1. In the left pane, select the SonicWALL appliance to manage.

2. Click the Policies tab.

3. In the center pane, navigate to Modem > Settings.

4. For SP appliances, use the Speaker volume pull-down box to set the speaker volume On or Off.

5. For SP appliances, modem initialization has two options:
- To initialize the modem for use in a specific country, select the radio button next to Initialize Modem for use in and select the country in the pull-down menu.
- To initialize the modem using AT commands, select the radio button next to Initialize Modem using AT Command and enter the AT command(s) the modem needs to establish a connection in the text box.

6. For SPi appliances, you can specify the ISDN protocol by selecting the protocol from the ISDN Protocol pull-down menu. To connect immediately, click the Connect/Disconnect button and schedule the connection.

7. For appliances running SonicOS Enhanced, select the check boxes for any combination of the following dial on data categories:
- NTP packets
- GMS Heartbeats
- System log emails
- AV Profile Updates
- SNMP Traps
- Licensed Updates
- Firmware Update requests
- Syslog traffic

8. For appliances running SonicOS Enhanced, select the check boxes for any combination of the following Management methods:
- HTTP
- HTTPS
- Ping
- SNMP
- SSH

9. For appliances running SonicOS Enhanced, select the check boxes for any combination of the following User Login methods:
- HTTP
- HTTPS
For HTTPS, check the box next to Add rule to enable redirect from HTTP to HTTPs to redirect an HTTP address to HTTPS.

10. Select a primary profile from the Primary Profile pull-down menu. Optionally, select alternate profiles from Alternate Profile 1 and, for SP appliances, Alternate Profile 2.

Note
To configure modem profiles, navigate to Modem > Dialup Profiles.

11. For non-SonicOS Enhanced appliances, you can configure the following modem failover settings:
- To enable dialup WAN failover, check the Enable Dialup WAN Failover box.
- To enable preempt mode, check the Enable Preempt Mode box.
- To enable probing, check the Enable Probing box.
- Select a method for probing using the Probe through pull-down menu.
- Enter the IP address that the SonicWALL appliance will use to test Internet connectivity in the Probe Target (IP Address) field. We recommend using the IP address of the WAN Gateway.
- Select the Probe Type, either ICMP Probing or TCP Probing.
- Enter the TCP port for probing in the TCP Port for Probing field.
- Specify how often the IP address will be tested (in seconds) in the Probe Interval field.
- Specify how many times the probe target must be unavailable before the SonicWALL appliance fails over to the modem in the Failover Trigger Level field.
- Specify how many times the SonicWALL appliance must successfully reach the probe target to reactivate the broadband connection in the Successful probes to reactivate Primary field.

12. When you are finished, click Update.

Configuring Advanced Modem Settings

To configure advanced modem settings, perform the following steps:

1. In the left pane, select the SonicWALL appliance to manage.

2. Click the Policies tab.

3. In the center pane, navigate to Modem > Advanced.

4. To enable remotely triggered dial-out, check the Enable Remotely Triggered Dial-out box.

5. If your remotely triggered dial-out requires authentication, check the Requires Authentication box and enter your password in the Password and Confirm Password fields.

6. To enable RIP advertisements through the modem, check the Enable LAN to WAN RIP during dialup box.

7. When you are finished, click Update.

Note
For information on configuring WWAN settings, see "Configuring Advanced Settings," page 626 in the Configuring Firewall Wireless WAN Options chapter.

CHAPTER 28
Configuring Firewall Wireless WAN Options
This chapter describes how to configure the Wireless Wide Area Network (WWAN) settings for SonicWALL security appliances that use 3G and other Wireless WAN functionality to utilize data connections over cellular networks.
This chapter contains the following subsections:

- "About Wireless WAN" section on page 621
- "Configuring the Connection Profile" section on page 622
- "Configuring WWAN Settings" section on page 625
- "Configuring Advanced Settings" section on page 626

About Wireless WAN

SonicWALL appliances such as the TZ 190, TZ 200, and TZ 210 have a WWAN capability that can be used for the following:
- WAN Failover to a connection that is not dependent on wire or cable.
- Temporary networks where a pre-configured connection may not be available, such as trade shows and kiosks.
- Mobile networks, where the SonicWALL appliance is based in a vehicle.
- Primary WAN connection where wire-based connections are not available and cellular is.

Wireless WAN support requires a wireless card and a contract with a wireless network provider. See the SonicWALL documentation that comes with the security appliance for more information.
GMS provides for complete management of SonicWALL security appliances that are WWAN/3G-capable and running SonicOS Enhanced 3.6 and above.
Configuring the Connection Profile

Configuring the Connection Profile


A profile is a list of connection settings that can be used by a SonicWALL appliance.
To configure a connection profile, perform the following steps:
1.

In the TreeControl pane, select a group view or a SonicWALL appliance to manage. The
appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN
functionality.

2.

Click the Policies tab.

3.

In the center pane, navigate to the 3G/Modem > Connection Profiles. The profile
configuration page displays. For a group view, the page is slightly different to accommodate
both Modem and WWAN settings.

4.

Perform the following procedures to configure the Connection Configuration, General


Settings, IP Address Settings, Parameters, and Data Usage Limiting sections in the
3G/Modem > Connection Profiles screen. See the following procedures:
To Configure the Connection Configuration and General settings: section on

page 623.

To Configure the IP Address Settings: section on page 623


To Configure Parameters: section on page 624
To Configure Data Usage Limiting: section on page 624

622

5.

Click Delete Profile to delete the profile specified in the Profile Name field.

6.

Click RESET to clear all fields and start over.

7.

Click UPDATE to save the settings to the specified connection profile.

To Configure the Connection Configuration and General settings:

1. To edit an existing profile or use an existing profile as a template, select a profile from the Current Profile pull-down menu.
Note: If you are editing an existing profile, the name in the Current Profile field must match the existing profile name. If there are no existing profiles, Current Profile displays the static message No profiles available.
2. To create a new profile, enter the name of the profile in the Profile Name field.
3. In the Country pull-down list, select the country where the SonicWALL appliance is deployed.
4. In the Service Provider pull-down list, select the service provider that you have a cellular account with. Only service providers supported in the selected country are displayed in the pull-down list.
5. In the Plan Type pull-down list, select the WWAN plan you have subscribed to with the service provider, or select Other. If your plan type is listed, the rest of the fields in the General section are provisioned automatically. Verify that these fields are correct and continue in the Parameters section.
6. Verify that the appropriate Connection Type is selected. This field is provisioned automatically for most service providers.
7. Verify that the Dialed Number is correct. The dialed number is *99# for most service providers.
8. Enter your username and password in the User Name, User Password, and Confirm User Password fields.
9. Enter the Access Point Name in the APN field. An APN is required only by GPRS devices and is provided by the service provider.

To Configure the IP Address Settings:

1. Under IP Address Settings, select one of the following IP Address options:
   - If the account obtains an IP address dynamically, select Obtain an IP Address Automatically. By default, WWAN connection profiles are configured to obtain IP addresses automatically.
   - To specify a static IP address, select Use the following IP Address and type the IP address in the field.
2. Select from the following DNS Server options:
   - If the account obtains DNS server information from the ISP, select Obtain an IP Address Automatically. By default, WWAN connection profiles are configured to obtain DNS server addresses automatically.
   - If the account uses specific DNS servers, select Use the following IP Address and type the IP addresses of the primary and secondary DNS servers in the fields.

To Configure Parameters:
1. Select from the following Dial Type options:
   - If the SonicWALL appliance(s) will continuously use the WWAN to stay connected to the Internet, select Persistent Connection.
   - If the SonicWALL appliance(s) will only connect to the Internet when data is being sent, select Dial On Data. To configure the SonicWALL appliance for remotely triggered dial-out, the Dial Type must be Dial On Data. Refer to the Configuring Advanced Settings section on page 626.
   - If the SonicWALL appliance(s) will connect to the Internet manually, select Manual Dial.
2. Select the Enable Inactivity Disconnect checkbox and enter the number of minutes of inactivity after which the WWAN connection is disconnected from the Internet. This option is not available if the Dial Type is Persistent Connection.
3. Select the Enable Max Connection Time checkbox and enter the number of minutes after which the WWAN connection disconnects, regardless of whether the session is inactive or not. Enter a value in Delay Before Reconnect to have the SonicWALL appliance automatically reconnect after the specified number of minutes.
4. Select the Dial Retries per Phone Number checkbox and enter the number of times the SonicWALL appliance can attempt to reconnect.
5. Select the Delay Between Retries checkbox and enter the number of seconds between retry attempts.
6. Select the Disable VPN when Dialed checkbox to disable VPN connections over the WWAN interface.
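As an added illustration of the timers configured in steps 2 and 3 above, and of the Max Connection Time warning given later under Configuring Advanced Settings, the following Python model (example code written for this guide, not SonicWALL's implementation) runs the link minute by minute. It assumes the semantics stated in the text: Dial On Data brings the link up on traffic or on a remotely triggered request, Inactivity Disconnect drops an idle link, Max Connection Time drops the link regardless of activity, and Delay Before Reconnect re-dials automatically afterwards. The event names ("data", "remote", "manual") and the `remote_dialout_runaway` helper are the example's own.

```python
"""Minute-by-minute model of the WWAN Dial Type and timer parameters.

Added example, not part of the GMS guide or SonicWALL's code. Timer semantics
follow the guide's descriptions; event names are this example's assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PERSISTENT = "Persistent Connection"
DIAL_ON_DATA = "Dial On Data"
MANUAL = "Manual Dial"


@dataclass
class DialParams:
    dial_type: str = DIAL_ON_DATA
    inactivity_minutes: Optional[int] = None      # Enable Inactivity Disconnect (not for Persistent)
    max_connection_minutes: Optional[int] = None  # Enable Max Connection Time
    delay_before_reconnect: Optional[int] = None  # Delay Before Reconnect, in minutes


@dataclass
class LinkState:
    up: bool = False
    connected_at: Optional[int] = None
    last_data_at: Optional[int] = None
    reconnect_at: Optional[int] = None            # automatic re-dial scheduled for this minute
    connected_minutes: int = 0
    log: List[Tuple[int, str]] = field(default_factory=list)


def _drop(st: LinkState, t: int, reason: str) -> None:
    st.up = False
    st.log.append((t, f"disconnect ({reason})"))


def simulate(params: DialParams, events: Dict[int, str], minutes: int) -> LinkState:
    """Run the link for `minutes` minutes and return its final state and event log.

    `events` maps a minute to "data" (traffic matching a Connect on Data
    category), "remote" (a remotely triggered dial-out request) or "manual"
    (an administrator dialing by hand).
    """
    st = LinkState()
    for t in range(minutes):
        ev = events.get(t)
        if st.up:
            st.connected_minutes += 1
            if ev is not None:
                st.last_data_at = t
            age = t - st.connected_at
            idle = t - st.last_data_at
            if params.max_connection_minutes is not None and age >= params.max_connection_minutes:
                _drop(st, t, "max connection time")
                if params.delay_before_reconnect is not None:
                    st.reconnect_at = t + params.delay_before_reconnect
            elif (params.dial_type != PERSISTENT
                  and params.inactivity_minutes is not None
                  and idle >= params.inactivity_minutes):
                _drop(st, t, "inactivity")
            continue
        # Link is down: decide whether this minute dials.
        if st.reconnect_at is not None:
            if t < st.reconnect_at:
                continue                      # hold-off after a max-time disconnect
            want = True                       # Delay Before Reconnect: automatic re-dial
        elif params.dial_type == PERSISTENT:
            want = True
        elif params.dial_type == DIAL_ON_DATA:
            want = ev in ("data", "remote")   # a remote trigger needs Dial On Data
        else:
            want = ev == "manual"
        if want:
            st.up, st.connected_at, st.last_data_at, st.reconnect_at = True, t, t, None
            st.log.append((t, "connect"))
    return st


def remote_dialout_runaway(max_connection_minutes: Optional[int], horizon: int = 600) -> bool:
    """True if one remotely triggered dial-out at minute 5 is still up after `horizon` minutes."""
    params = DialParams(DIAL_ON_DATA, max_connection_minutes=max_connection_minutes)
    return simulate(params, {5: "remote"}, horizon).up


if __name__ == "__main__":
    print("no Max Connection Time -> still up after 600 min:", remote_dialout_runaway(None))
    print("Max Connection Time 30 -> still up after 600 min:", remote_dialout_runaway(30))
```

Running it shows why a Max Connection Time is recommended for remotely triggered dial-out: with the field blank, the single remote request at minute 5 leaves the link up for the whole 600-minute horizon, whereas with a 30-minute limit the link drops at minute 35 and stays down until the next request.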

To Configure Data Usage Limiting:

1. Select the Enable Data Usage Limiting checkbox to have the WWAN interface disabled automatically when the specified data or time limit has been reached for the month.
Tip: If your WWAN account has a monthly data or time limit, it is strongly recommended that you enable Data Usage Limiting.
2. Select the day of the month on which to start tracking the monthly data or time usage in the Billing Cycle Start Date pull-down menu.
3. Enter a value in the Limit field and select the unit: GB, MB, KB, or Minutes.
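The following Python example, added here and not part of the GMS guide or SonicWALL's implementation, works through the arithmetic behind these three settings: locating the current billing cycle from the Billing Cycle Start Date (including a start day such as 31 that a short month does not have, which the example clamps to the month's last day as an assumption, since the guide does not say how the appliance handles it), interpreting the Limit in its unit (GB, MB, KB as powers of 1024, or Minutes of connection time) and deciding whether the interface should be disabled. The `SAMPLE_USAGE` records are constructed data, and accepting ISO date strings is a convenience of the example.

```python
"""Billing-cycle window and limit check for the Data Usage Limiting settings.

Added example, not the GMS guide's or SonicWALL's code. Clamping of a start
day the month lacks, the 1024-based units and the sample data are assumptions.
"""
import calendar
from datetime import date
from typing import Iterable, Tuple, Union

DateLike = Union[date, str]
UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def _as_date(d: DateLike) -> date:
    """Accept a date or an ISO YYYY-MM-DD string (a convenience assumed by this example)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def _clamped(year: int, month: int, day: int) -> date:
    """date(year, month, day), pulling day back to the month's last day if the month is shorter."""
    return date(year, month, min(day, calendar.monthrange(year, month)[1]))


def cycle_start(today: DateLike, billing_day: int) -> date:
    """Most recent cycle start on or before today for a Billing Cycle Start Date of 1..31."""
    if not 1 <= billing_day <= 31:
        raise ValueError("billing day must be 1..31")
    today = _as_date(today)
    start = _clamped(today.year, today.month, billing_day)
    if start > today:  # this month's start is still ahead, so the cycle began last month
        y, m = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        start = _clamped(y, m, billing_day)
    return start


def cycle_end(today: DateLike, billing_day: int) -> date:
    """First day of the next cycle (exclusive upper bound)."""
    s = cycle_start(today, billing_day)
    y, m = (s.year + 1, 1) if s.month == 12 else (s.year, s.month + 1)
    return _clamped(y, m, billing_day)


def usage_in_cycle(records: Iterable[Tuple[DateLike, int, int]],
                   today: DateLike, billing_day: int) -> Tuple[int, int]:
    """Sum the (day, bytes, minutes) records that fall inside the current billing cycle."""
    start, end = cycle_start(today, billing_day), cycle_end(today, billing_day)
    in_cycle = [r for r in records if start <= _as_date(r[0]) < end]
    return sum(r[1] for r in in_cycle), sum(r[2] for r in in_cycle)


def limit_reached(limit: float, unit: str, used_bytes: int, used_minutes: int) -> bool:
    """Compare usage with the Limit field in the selected unit (GB, MB, KB or Minutes)."""
    u = unit.strip().upper()
    if u == "MINUTES":
        return used_minutes >= limit
    if u in UNIT_BYTES:
        return used_bytes >= limit * UNIT_BYTES[u]
    raise ValueError(f"unknown unit {unit!r}")


def wwan_should_disable(enabled: bool, limit: float, unit: str,
                        records: Iterable[Tuple[DateLike, int, int]],
                        today: DateLike, billing_day: int) -> bool:
    """True when Enable Data Usage Limiting is on and this cycle's usage has hit the limit."""
    if not enabled:
        return False
    used_bytes, used_minutes = usage_in_cycle(records, today, billing_day)
    return limit_reached(limit, unit, used_bytes, used_minutes)


# Constructed sample usage log: (day, bytes transferred, minutes connected).
SAMPLE_USAGE = [
    (date(2012, 1, 30), 3 * 1024 ** 3, 600),     # before a Jan 31 cycle start, not counted
    (date(2012, 1, 31), 1 * 1024 ** 3, 120),
    (date(2012, 2, 10), 2 * 1024 ** 3, 300),
    (date(2012, 2, 25), 1536 * 1024 ** 2, 200),  # 1.5 GB
]

if __name__ == "__main__":
    today = "2012-02-28"
    print("cycle:", cycle_start(today, 31), "to", cycle_end(today, 31))
    print("disable at 5 GB:", wwan_should_disable(True, 5, "GB", SAMPLE_USAGE, today, 31))
    print("disable at 600 Minutes:", wwan_should_disable(True, 600, "Minutes", SAMPLE_USAGE, today, 31))
```

With a start day of 31, the cycle that contains 28 February 2012 runs from 31 January to 29 February (2012 is a leap year), so the 30 January record is excluded; the sample data then reaches the 600-minute limit before it reaches a 5 GB one.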

Configuring WWAN Settings

To configure the WWAN settings for one or more SonicWALL appliances, perform the following steps:
1. In the left pane, select the SonicWALL appliance to manage. The appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2. Click the Policies tab.
3. In the center pane, navigate to 3G/Modem > Settings.
4. In the Connect On Data Categories section, select the check boxes for any combination of the following dial-on-data categories:
   - NTP packets
   - GMS Heartbeats
   - System log emails
   - AV Profile Updates
   - SNMP Traps
   - Licensed Updates
   - Firmware Update requests
   - Syslog traffic
   The Connect on Data Categories settings configure the WWAN interface to connect automatically to the WWAN service provider when the SonicWALL appliance detects these types of traffic. To configure the SonicWALL appliance for Connect on Data operation, you must select Dial On Data as the Dial Type for the Connection Profile. Refer to the To Configure Parameters: section on page 624.
5. In the Management/User Login section, select the check boxes for any combination of the following Management methods:
   - HTTP
   - HTTPS
   - Ping
   - SNMP
   - SSH
   These settings control which management methods are accepted on the WWAN interface. Enable only the methods you need, and prefer HTTPS and SSH over HTTP.
6. Select the check boxes for any combination of the following User Login methods:
   - HTTP
   - HTTPS
   Select Add rule to enable redirect from HTTP to HTTPS to have the SonicWALL automatically convert HTTP requests to HTTPS requests for added security.
7. Under Profile Settings, select a primary profile from the Primary Profile pull-down menu. Optionally, select alternate profiles from Alternate Profile 1 and Alternate Profile 2.
Note: To set up WWAN Interface Monitoring for this unit, go to the Network > WAN Failover & LB screen.
8. To return all fields to their default settings and start over, click RESET.
9. To save settings, click UPDATE.

Configuring Advanced Settings

The 3G/Modem > Advanced page is used to configure the Remotely Triggered Dial-Out feature on the SonicWALL appliance. The Remotely Triggered Dial-Out feature enables network administrators to remotely initiate a WWAN connection to a SonicWALL appliance.

Before configuring the Remotely Triggered Dial-Out feature, ensure that your configuration meets the following prerequisites:
- The WWAN profile is configured for dial-on-data.
- The SonicWALL security appliance is configured to be managed using HTTPS, so that the device can be accessed remotely.
- It is recommended that you enter a value in the Enable Max Connection Time field. This field is located in the 3G/Modem > Connection Profiles screen in the Parameters section. Refer to the To Configure Parameters: section on page 624 for more information. If you do not enter a value in this field, dial-out calls remain connected indefinitely and you will have to terminate sessions manually by clicking the Disconnect button; on a metered plan such a session also consumes data until Data Usage Limiting (if enabled) disables the interface.

To configure advanced WWAN settings, perform the following steps:
1. In the left pane, select the SonicWALL appliance to manage. The appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2. Click the Policies tab.
3. In the center pane, navigate to 3G/Modem > Advanced.
4. To enable remotely triggered dial-out, check the Enable Remotely Triggered Dial-out box.
5. To require a password before a remote dial-out request is accepted (recommended, because the feature is reachable over the remotely accessible management interface), check the Requires Authentication box and enter the password in the Password and Confirm Password fields.
6. Under WWAN Connection Limit, type the number of simultaneous connections that are allowed in the Max Hosts field, or enter zero for no limit.
7. To return all fields to their default settings and start over, click RESET.
8. When you are finished, click UPDATE.

CHAPTER 29
Configuring Firewall Web Filters with CSM

SonicWALL Content Security Manager (CSM) CF provides appliance-based Internet filtering that enhances security and employee productivity, optimizes network utilization, and mitigates legal liabilities by managing access to objectionable and unproductive Web content. This chapter provides configuration tasks for deploying these services.

This chapter contains the following sections:
- Configuring Web Filter Settings section on page 629
- Configuring Web Filter Policies section on page 631
- Configuring Custom Categories section on page 634
- Configuring Miscellaneous Web Filters section on page 635
- Configuring the Custom Block Page section on page 637

Configuring Web Filter Settings

Web Filters includes settings for configuring Internet filtering on the SonicWALL CSM CF. Web Filters settings provide information on the status of filtering subscription service updates, settings for enabling filtering, managing the behavior of the Dynamic Rating engine, adding IP addresses to exclude from filtering, and access to URL ratings in the SonicWALL Content Filtering Service database.
To configure Web Filters, perform the following steps:
1. In the left pane, select a SonicWALL CSM appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Web Filters > Settings.
4. To enable web filtering using SonicWALL CSM, check the Enable Web Filtering box.
5. Enter a URL cache size in the URL Cache Size (KBs) field. This specifies the URL cache size on the SonicWALL CSM. The default value is 5120 KBs.
Note: A larger URL cache size can provide noticeable improvements in Internet browsing response times.
   - Check the Use Dynamic Rating box to enable the CSM integrated dynamic rating engine, which rates an unrated URL dynamically in real time. Select either Optimize for speed, which instructs the dynamic rating engine to process less information for faster ratings and lower accuracy, or Optimize for accuracy, which instructs the dynamic rating engine to process more information, resulting in slower ratings and higher accuracy.
   - Check the Server Responses box to block URLs from Web sites that have compressed content.
6. Enter the session limit in minutes in the Session Limit (Minutes) for Continue option field.
7. To specify an IP address or IP address range on your network to be excluded from any SonicWALL CSM filtering, enter a single IP address in both the IP Address Begin and IP Address End fields (for a single IP address), or enter the starting IP address in the IP Address Begin field and the ending IP address in the IP Address End field (for an IP address range). Excluded addresses bypass filtering entirely, so keep this list short and review it periodically.
8. Click Add. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
12. When you are finished, click Update. The scheduler displays.
13. Expand Schedule by clicking the plus icon.
14. Select Immediate or specify a future date and time.
15. Click Accept.
16. If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click the here link in the sentence If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here. The CFS URL Rating Review Request page displays.

Configuring Web Filter Policies

The Policies page is where you define policy groups by assembling default content filter and custom categories into unique policies that are applied to users and groups. The Policies page allows you to create and edit policies that are used to create policy groups, which in turn are applied to user groups.

The Web Filters > Policies page displays a category sets table. The Policies table initially lists the 12 predefined policy groups. Clicking the plus button expands the list to display every policy under the policy group. Policies with an asterisk are part of the *Default policy group. The Policies table lists the following information about *Default and custom policy groups:
- Name - The name of the policy group. Clicking the plus button expands the policy group and displays the policies included in the group.
- Type - Displays the type of policy, for example: Policy, Default Category, Forbidden Keywords, Forbidden URLs or Trusted URLs.
- Action - Displays the action to be performed when a URL or keyword is accessed that fits the category, for example, Block, Log, or Allow.
- Comment - Displays a caption icon with comments about the policy. When you move the pointer over the icon, the comment text is displayed. The comment text is entered in the Add Category Set window.
- Configure - Includes the Configure icon, which displays the Edit Web Filter Category Set window, and the Delete icon for removing the policy group. The Delete icon is greyed out for the *Default policy.

Clicking the Restore Defaults button removes all custom policies and any policies you added to the *Default policy group.
Clicking Add Policy Group displays the Add Web Filter Policy Group window for adding new policies.

This section contains the following subsections:
- Modifying the *Default Policy Group section on page 632
- Adding Category Sets section on page 633
- Restoring Defaults section on page 634

Modifying the *Default Policy Group

To modify the *Default policy group category:
1. Click the Configure icon in the Configure column of the Policies table next to the category you want to configure. The Edit Web Filter Category Set window is displayed.
2. The Name field displays the *Default entry, which can be renamed. You must add descriptive text up to 63 characters in length in the Comment field.
3. Click the Predefined tab.
4. Select the policy categories you want to add to the *Default policy group by checking the box next to each category. To remove a policy, uncheck the box next to it.
5. Click OK. The scheduler displays.
6. Expand Schedule by clicking the plus icon.
7. Select Immediate or specify a date and time in the future.
8. Click Accept.

Adding Category Sets

To add category sets, perform the following steps:
1. Click Add Category Set. The Add Web Filter Category Set window displays.
2. Enter a name in the Name field and a comment in the Comment field.
3. Click the Predefined tab and check the predefined categories you want to add to your category set. For each category, select the action to be performed: Block, Log, or Allow.
4. Click the Custom tab and check the custom categories you want to add to your category set. For each category, select the action to be performed: Block, Log, or Allow.
Note: To learn how to add custom categories, refer to the Configuring Custom Categories section on page 634.
5. Click the Miscellaneous tab and select the miscellaneous actions to add to the category set. For each action, select the action to be performed: Block, Log, or Allow.
6. When you are finished, click OK. The scheduler displays.
7. Expand Schedule by clicking the plus icon.
8. Select Immediate or specify a future date and time.
9. Click Accept.

Restoring Defaults

The Restore Defaults button removes all custom policies and any policies you added to the *Default policy. To restore defaults, perform the following tasks:
1. Click the Restore Defaults button at the bottom of the screen. A confirmation message displays.
2. Click OK.

Configuring Custom Categories

The Custom Categories page allows you to create custom policies that can incorporate untrusted URLs and domains, untrusted keywords, and trusted URLs and domains.
To configure custom categories, perform the following steps:
1. In the left pane, select the appliance to manage.
2. Click the Policies tab.
3. Navigate to Web Filters > Custom Categories.
4. To configure Forbidden URLs, which the CSM can selectively block or allow while logging the action, click Add Forbidden URLs. The Add Forbidden URLs page displays.
5. Enter a name in the Name field.
6. Enter a comment in the Comment field.
7. Enter the URL in the Entry field and click Add. Your entry appears in the List. To delete an entry, click Delete.
8. Click Update. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.
12. To edit Forbidden URLs, click the Configure icon next to the forbidden URL you want to configure.
13. To delete Forbidden URLs, click the Delete icon next to the forbidden URL you want to delete.
14. To configure Forbidden Keywords, which are substrings matched against URLs (for stricter filtering), click Add Forbidden Keywords. Because a keyword matches anywhere in the URL, a short keyword also matches unrelated sites whose names happen to contain it; prefer longer, more specific keywords.
15. Enter a name in the Name field.
16. Enter a comment in the Comment field.
17. Enter the keyword in the Entry field and click Add. Your entry appears in the List. To delete an entry, click Delete.
18. Click Update. The scheduler displays.
19. Expand Schedule by clicking the plus icon.
20. Select Immediate or specify a future date and time.
21. Click Accept.
22. To edit Forbidden Keywords, click the Configure icon next to the forbidden keyword you want to configure.
23. To delete Forbidden Keywords, click the Delete icon next to the forbidden keyword you want to delete.
24. To configure Allowed URLs, which specify URLs that are always allowed, click Add Allowed URLs. Entries here bypass the forbidden lists, so add only sites you trust.
25. Enter a name in the Name field.
26. Enter a comment in the Comment field.
27. Enter the URL in the Entry field and click Add. Your entry appears in the List. To delete an entry, click Delete.
28. Click Update. The scheduler displays.
29. Expand Schedule by clicking the plus icon.
30. Select Immediate or specify a future date and time.
31. Click Accept.
32. To edit Allowed URLs, click the Configure icon next to the allowed URL you want to configure.
33. To delete Allowed URLs, click the Delete icon next to the allowed URL you want to delete.

Configuring Miscellaneous Web Filters

The Miscellaneous page provides configuration for Web risks, forbidden file types and trusted sites. To configure miscellaneous web filters, perform the following steps:
1. In the left pane, select a SonicWALL CSM appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Web Filters > Miscellaneous.
4. Web risks, including Block Cookies, Block ActiveX, Block HTTP Proxy Server, and Block Fraudulent Certificates, are always set to Block and cannot be deleted or modified.
   - Block Cookies - Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities.
   - Block ActiveX - ActiveX is a Microsoft component technology that lets Web pages embed executable controls. Malicious ActiveX controls can delete files or otherwise compromise security.
   - Block HTTP Proxy Servers - When a proxy server is located on the external interface, users can circumvent content filtering by pointing their computer to the proxy server.
   - Block Fraudulent Certificates - Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs vouched for by fraudulent certificates. If a digital certificate is found to be fraudulent, the SonicWALL CSM blocks the Web content and the files that use it.
5. To add forbidden file types, click Add Forbidden File Types. Forbidden File Types are groupings of file extensions used for similar purposes, including Java Applets, Executable Files, Video Files, Audio Files, and user-specified file types by extension. SonicWALL CSM allows you to filter Internet content based on file extension. Filtering by extension matches the name in the URL, so it does not catch a download served under a different extension or with no extension at all.
6. Enter a name in the Name field.
7. Enter a comment in the Comment field.
8. Enter the file type in the Entry field and click Add. Your entry appears in the List. To delete an entry, click Delete.
9. Click Update. The scheduler displays.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept.
13. To edit Forbidden File Types, click the Configure icon next to the forbidden file type you want to configure.
14. To delete Forbidden File Types, click the Delete icon next to the forbidden file type you want to delete.
15. To add trusted sites, click the Configure button next to Trusted Sites List.
16. Enter a name in the Name field.
17. Enter a comment in the Comment field.
18. Enter a URL in the Entry field and click Add. Your entry appears in the List. To delete an entry, click Delete.
19. Click Update. The scheduler displays.
20. Expand Schedule by clicking the plus icon.
21. Select Immediate or specify a future date and time.
22. Click Accept.
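To make the interplay between these lists concrete (the Forbidden URL, Forbidden Keyword and Allowed URL lists from Configuring Custom Categories, and the Forbidden File Types list from this section), the Python below is an added example and not the CSM's own filtering code. The matching rules it uses (domain match for URL entries, case-insensitive substring match for keywords, last path extension for file types) and the order of evaluation (an Allowed URL wins, then forbidden URLs, keywords and file types) are the example's assumptions; `SAMPLE_POLICY` is constructed and its domains are placeholders.

```python
"""Evaluation of CSM-style custom category lists against a URL.

Added example, not the CSM's filtering code. List kinds and the Block/Log/Allow
actions come from the guide; matching rules, precedence and the sample policy
are this example's assumptions.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urlsplit


@dataclass
class CustomList:
    name: str
    entries: List[str]
    action: str = "Block"          # the action chosen when the list is added to a category set


@dataclass
class CustomPolicy:
    allowed_urls: List[CustomList] = field(default_factory=list)
    forbidden_urls: List[CustomList] = field(default_factory=list)
    forbidden_keywords: List[CustomList] = field(default_factory=list)
    forbidden_file_types: List[CustomList] = field(default_factory=list)


@dataclass
class Verdict:
    action: str                    # "Allow", "Log" or "Block"
    reason: str


def _split(url: str):
    """Split a URL, defaulting to http:// so a bare host name parses as a host, not a path."""
    return urlsplit(url if "://" in url else "http://" + url)


def _host_matches(host: str, entry: str) -> bool:
    """A domain entry matches itself and any subdomain; scheme and path in the entry are ignored."""
    entry_host = (_split(entry).hostname or "").lower().lstrip(".")
    return bool(entry_host) and (host == entry_host or host.endswith("." + entry_host))


def _first_match(lists: List[CustomList], pred: Callable[[str], bool]) -> Optional[CustomList]:
    for lst in lists:
        if any(pred(e) for e in lst.entries):
            return lst
    return None


def evaluate(url: str, policy: CustomPolicy) -> Verdict:
    """Return the action for `url`: allowed list first, then the forbidden lists in order."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    haystack = host + path + ("?" + parts.query.lower() if parts.query else "")
    ext = posixpath.splitext(path)[1]   # ".exe" from "/tools/setup.exe"; the query is not considered

    lst = _first_match(policy.allowed_urls, lambda e: _host_matches(host, e))
    if lst:
        return Verdict("Allow", f"Allowed URLs: {lst.name}")
    lst = _first_match(policy.forbidden_urls, lambda e: _host_matches(host, e))
    if lst:
        return Verdict(lst.action, f"Forbidden URLs: {lst.name}")
    lst = _first_match(policy.forbidden_keywords, lambda e: e.lower() in haystack)
    if lst:
        return Verdict(lst.action, f"Forbidden Keywords: {lst.name}")
    lst = _first_match(policy.forbidden_file_types, lambda e: ext == "." + e.lower().lstrip("."))
    if lst:
        return Verdict(lst.action, f"Forbidden File Types: {lst.name}")
    return Verdict("Allow", "no custom category matched")


# Constructed sample policy; the domains are placeholders, not real sites.
SAMPLE_POLICY = CustomPolicy(
    allowed_urls=[CustomList("Corporate", ["intranet.example.com", "downloads.example.com"], "Allow")],
    forbidden_urls=[CustomList("Gambling", ["casino.example", "http://bet.example.net/"], "Block")],
    forbidden_keywords=[CustomList("Adult", ["sex", "xxx"], "Block")],
    forbidden_file_types=[CustomList("Executables", ["exe", ".msi"], "Log")],
)

if __name__ == "__main__":
    for u in ["http://www.casino.example/lobby",
              "https://downloads.example.com/tools/setup.exe",
              "http://cdn.example.org/setup.exe?id=1",
              "http://www.essex-council.example/",          # keyword false positive
              "http://www.example.org/news"]:
        v = evaluate(u, SAMPLE_POLICY)
        print(f"{v.action:5} {u}  ({v.reason})")
```

The `essex-council` case shows the cost of short keywords: `sex` matches anywhere in the URL, so an unrelated site is blocked. The `setup.exe?id=1` case shows that the extension is taken from the path only, and a `setup.exe.html` URL passes because only the final extension counts, which is why extension lists are a weak control on their own.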

Configuring the Custom Block Page

The Custom Block Page allows you to enter customized text to display to the user when access to a blocked site is attempted. Any message, including embedded HTML, can be entered in this field. Because the message is rendered as HTML in the user's browser, keep it to static, administrator-authored markup and do not paste content from untrusted sources.
1. In the left pane, select a SonicWALL CSM appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Web Filters > Custom Block Page.
4. Under Message to Display when Blocking Website, type the custom text to be displayed when a blocked site is accessed.
5. Select the background color from the Background Color pull-down menu.
6. Click Preview to see a preview of the custom block page.
7. When you are finished, click Update. The scheduler displays.
8. Expand Schedule by clicking the plus icon.
9. Select Immediate or specify a future date and time.
10. Click Accept.

CHAPTER 30
Configuring Firewall Application Filters

This chapter provides configuration tasks for deploying firewall application filtering services. Firewall application filtering enhances security and employee productivity and optimizes network utilization.

Configuring Application Filter Settings

To configure application filters, perform the following steps:
1. In the left pane, select the firewall appliance to manage.
2. Click the Policies tab.
3. In the center pane, navigate to Application Filters > Settings.
4. To update the filter database, click Update Filter Database. The scheduler displays.
5. Expand Schedule by clicking the plus icon.
6. Select Immediate or specify a future date and time.
7. Click Accept.
8. To enable application filtering, check the Enable Application Filtering box.
9. Click Update. The scheduler displays.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept.
13. To enable the application filters exclusion list, which excludes an IP address or IP address range from application filtering, check Enable Application Filters Exclusion List. Excluded addresses are not inspected by application filtering at all, so limit the list to hosts that genuinely need it.
14. Click Update. The scheduler displays.
15. Expand Schedule by clicking the plus icon.
16. Select Immediate or specify a future date and time.
17. Click Accept.
18. Enter the address range for the application filters exclusion list by entering a beginning IP address in the Address Range Begin field and an ending IP address in the Address Range End field.
19. Click Add. The scheduler displays.
20. Expand Schedule by clicking the plus icon.
21. Select Immediate or specify a future date and time.
22. Click Accept.

CHAPTER 31
Registering and Upgrading SonicWALL Firewall Appliances

This chapter describes how to register and upgrade your SonicWALL firewall appliances. This chapter contains the following subsections:
- Registering SonicWALL Appliances section on page 643
- Upgrading Firmware section on page 644
- Upgrading Licenses section on page 645
- Searching section on page 645
- Creating License Sharing Groups section on page 647
- Viewing Used Activation Codes section on page 650

Registering SonicWALL Appliances

Registering a SonicWALL appliance using GMS registers the appliance with the same registration information supplied for GMS. To register a SonicWALL appliance using GMS, perform the following steps:
1. In the left pane, select the SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Register SonicWALLs.
4. Click Register. The scheduler displays.
5. Expand Schedule by clicking the plus icon.
6. Select Immediate or specify a future date and time.
7. Click Accept.
Note: When a unit is added to GMS and acquired successfully, GMS registers it automatically.

Upgrading Firmware

SonicWALL firmware is updated periodically to offer new functionality and address known issues. After a SonicWALL appliance is added to SonicWALL GMS management, its auto-update feature is disabled.
SonicWALL GMS periodically polls the mysonicwall.com site for new firmware versions. Once a new version of firmware is detected and available, SonicWALL GMS sends an email notification to the SonicWALL GMS administrator.
You need to go to your mysonicwall.com account at <https://www.mysonicwall.com> and download the firmware, save the firmware file to the GMS server, and then access the SonicWALL security appliance from GMS. Obtain the image only from mysonicwall.com over HTTPS and restrict write access to the folder on the GMS server where it is staged, since the file staged there is what the Upgrade Firmware using files on the GMS Server option pushes to the selected appliances.
Note: In order for changes on this page to take effect, the SonicWALL appliance(s) will be restarted automatically. We recommend scheduling the firmware update to run when network activity is low.
To upgrade to the latest firmware, perform the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Firmware Upgrade.
4. Select one of the following three methods for upgrading firmware:
   - To upgrade the firmware of all selected SonicWALL appliances using the firmware file that is stored in the local GMS server folder, click Upgrade Firmware using files on the GMS Server.
   - To upgrade from a firmware file on the local drive of your desktop system, enter the path to the file or click Browse to locate a file. Then, click Upgrade firmware from local file.
   - (Group view only) To upgrade firmware using the latest version available on mysonicwall.com, click Upgrade to latest firmware available at mysonicwall.com.
Caution: Upgrading firmware requires that the appliance be restarted. Selecting any of the three firmware upgrade methods displays a warning message that states This will involve restarting the Appliance(s).

Upgrading Licenses
For information on upgrading SonicWALL GMS subscription services (warranty support,
anti-virus, content filtering, etc.) refer to the SonicWALL Upgrades section on page 849.

Searching
The search feature allows you to search for appliances based on registration, subscription and
upgrade status. You can print the search results or save them to a PDF file with a single click of the
printer icon or PDF icon on the Search Results banner.
The search parameters are pre-populated for retrieving the subscription services that are
currently active on the appliance(s). The search is executed and the results are sorted by Expiry
Date. To search for appliances, perform the following tasks:
1. In the left pane, select a node or appliance to search.
2. Select the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Search.

To search based on Registration Criteria, perform the following steps:
4. From the first pull-down menu, select Registration Status.
5. From the second pull-down menu, select Registered or Not Registered.
6. Click Search. A table of search results displays.
7. Click a header in the table to sort by that variable. For example, to sort by appliance name,
click the Appliance Name header.

To search based on Subscription Status Criteria, perform the following steps:
1. From the first pull-down menu, select a subscription service.
2. From the second pull-down menu, select a subscription service status.
3. Optionally enter a date (mm/dd/yyyy) in the expiring on or before field. Only appliances
whose selected subscription expires on or before that date are returned.
4. Click Search. A table of search results displays.
5. Click a header in the table to sort by that variable. For example, to sort by appliance name,
click the Appliance Name header.

To search based on Upgrade Status Criteria, perform the following steps:
1. From the first pull-down menu, select an upgrade.
2. From the second pull-down menu, select an upgrade status.
3. Click Search. A table of search results displays.
4. Click a header in the table to sort by that variable. For example, to sort by appliance name,
click the Appliance Name header.

Tip: You can print the search results by clicking the printer icon in the Search Results banner.
You can also save the search results to a PDF file by clicking the PDF icon in the banner.
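The subscription search above is a filter over the appliance table: a service, a status, and an optional "expiring on or before" date, with the results ordered by Expiry Date. The following Python is an added example, not code from SonicWALL GMS or from this guide, that reproduces that filter over a constructed set of rows so its semantics can be checked offline, and extends it to a fleet-wide expiry audit. The appliance names, serial numbers, service names and dates are invented sample data.

```python
"""Added example (not SonicWALL GMS code): the Subscription Status search as a
filter over a constructed appliance table, plus a fleet-wide expiry audit."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class SubscriptionRow:
    """One row of the Search Results table (all values are constructed)."""
    appliance_name: str
    serial: str
    service: str
    status: str             # "Licensed", "Expired" or "Not Licensed"
    expiry: Optional[date]  # None when the service was never licensed


def parse_mmddyyyy(text: str) -> date:
    """Parse the mm/dd/yyyy form used by the 'expiring on or before' field."""
    return datetime.strptime(text, "%m/%d/%Y").date()


# Constructed sample rows standing in for a GMS search result set.
SAMPLE_ROWS: List[SubscriptionRow] = [
    SubscriptionRow("Branch-01", "0000000000000001", "Gateway Anti-Virus", "Licensed", date(2013, 3, 1)),
    SubscriptionRow("Branch-02", "0000000000000002", "Gateway Anti-Virus", "Licensed", date(2012, 11, 15)),
    SubscriptionRow("HQ-Edge", "0000000000000003", "Gateway Anti-Virus", "Expired", date(2012, 6, 30)),
    SubscriptionRow("Lab-FW", "0000000000000004", "Gateway Anti-Virus", "Not Licensed", None),
    SubscriptionRow("Branch-01", "0000000000000001", "Intrusion Prevention", "Licensed", date(2012, 12, 31)),
]


def search_subscriptions(rows, service, status, expiring_on_or_before=None):
    """Apply the Subscription Status Criteria and return rows sorted by Expiry Date.

    A row whose service has no expiry date never matches a date filter, which
    keeps never-licensed services out of an "expiring soon" result set.
    """
    cutoff = parse_mmddyyyy(expiring_on_or_before) if expiring_on_or_before else None
    hits = [r for r in rows if r.service == service and r.status == status]
    if cutoff is not None:
        hits = [r for r in hits if r.expiry is not None and r.expiry <= cutoff]
    return sorted(hits, key=lambda r: (r.expiry is None, r.expiry, r.appliance_name))


def sort_by_header(rows, header: str):
    """Re-order a result set by one column, like clicking that header in GMS."""
    if header not in SubscriptionRow.__dataclass_fields__:
        raise KeyError(f"no such column: {header}")
    return sorted(rows, key=lambda r: (getattr(r, header) is None, getattr(r, header)))


def expiring_within(rows, today: date, days: int):
    """Fleet audit: every service whose licence lapses within `days` of `today`."""
    horizon = today + timedelta(days=days)
    soon = [r for r in rows if r.expiry is not None and today <= r.expiry <= horizon]
    return sorted(soon, key=lambda r: (r.expiry, r.appliance_name))
```

The audit function is the one worth scheduling: run it against an exported result set with a 30- or 60-day window and you get the renewals to chase before Gateway Anti-Virus or IPS silently stops updating on a branch firewall.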

Creating License Sharing Groups

License Sharing allows you to share VPN Client Enterprise or Anti-Virus Client licenses among
multiple SonicWALL appliances. As a result, you can save money by purchasing licenses in
quantity and not wasting licenses on SonicWALL appliances that do not use them all.
License sharing assigns a License Sharing Group (LSG) to a SonicWALL appliance and
activates this feature. You can then add other SonicWALL appliances to the LSG and assign
them licenses from the pool of remaining available licenses.
This section contains the following subsections:
Creating a License Sharing Group section on page 647.
Adding a SonicWALL Appliance to an Existing Group section on page 648.

Creating a License Sharing Group

To create a VPN Client Enterprise or Anti-Virus LSG, perform the following steps:
1. In the left pane, select a SonicWALL appliance that has no GVC licenses.
2. Select the Policies tab.
3. In the center pane, navigate to Register/Upgrades > License Sharing. The License
Sharing page displays.
4. Select VPN Client Enterprise or Anti-Virus from the List of Services list box.
5. Click Join a License Sharing Group. The Join a License Sharing Group dialog box
displays.
6. Select Create a new License Sharing Group With and, from the pull-down menu, select
the appliance that has the Enterprise GVC license.
7. Enter a name for the group in the And Name it field.
8. A pop-up with the member license count displays. Click OK. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.

Adding a SonicWALL Appliance to an Existing Group

To add a SonicWALL appliance to an existing VPN Client Enterprise or Anti-Virus LSG, perform
the following steps:
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > License Sharing. The License
Sharing page displays.
4. Select VPN Client Enterprise or Anti-Virus from the List of Services pull-down menu.
5. Click Join a License Sharing Group. The Join a License Sharing Group dialog box
displays.
6. Select Join Existing License Sharing Group and select an LSG from the list box.
7. Click Accept.
8. A pop-up with the member license count displays. Click OK. The scheduler displays.
9. Expand Schedule by clicking the plus icon.
10. Select Immediate or specify a future date and time.
11. Click Accept.

Changing the License Count

To change the number of licenses that a SonicWALL appliance uses, perform the following
steps:
1. In the center pane, navigate to Register/Upgrades > License Sharing. The License
Sharing page displays.
2. Select VPN Client Enterprise or Anti-Virus from the List of Services pull-down menu.
3. Enter a new license value and click Change License Count to.
4. To remove this SonicWALL appliance from the LSG, select Remove from License Sharing
Group.

Viewing the Properties of a License Sharing Group

To view the properties of an LSG, perform the following steps:
1. In the center pane, navigate to Register/Upgrades > License Sharing. The License
Sharing page displays.
2. Select VPN Client Enterprise or Anti-Virus from the List of Services pull-down menu.
3. Click the name of the LSG to view. The License Sharing Group Properties dialog box
displays. This dialog box contains detailed information about the total number of licenses,
the expiration date of the license, the number of licenses used by each member of the
group, and other information.
4. To change the name of the LSG, enter a new name and click Accept.
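The License Sharing Group procedures above all act on one pool: the licenses contributed by the appliance that holds them, the members that draw from that pool, and the count each member uses, which is what the Properties dialog reports. The following Python is an added example, not SonicWALL GMS code, that models that bookkeeping so the check a practitioner relies on, that a join or a count change can never hand out more licenses than the pool holds, is explicit and testable. The service names are the two the guide lists; the serial numbers and counts are constructed.

```python
"""Added example (not SonicWALL GMS code): pool accounting for a License
Sharing Group, with the over-allocation check enforced."""
from dataclasses import dataclass, field
from typing import Dict


class LicenseSharingError(ValueError):
    """Raised when a request would hand out more licenses than the group holds."""


@dataclass
class LicenseSharingGroup:
    """An LSG: one service, a fixed pool, and the licenses each member draws."""
    name: str
    service: str                       # "VPN Client Enterprise" or "Anti-Virus"
    total: int                         # licenses held by the contributing appliance
    members: Dict[str, int] = field(default_factory=dict)  # serial -> licenses used

    def __post_init__(self):
        if self.total < 0:
            raise ValueError("license total cannot be negative")
        if self.service not in ("VPN Client Enterprise", "Anti-Virus"):
            raise ValueError(f"unsupported service: {self.service}")

    @property
    def used(self) -> int:
        return sum(self.members.values())

    @property
    def available(self) -> int:
        return self.total - self.used

    def join(self, serial: str, count: int) -> int:
        """Add an appliance drawing `count` licenses; returns what remains in the pool."""
        if serial in self.members:
            raise LicenseSharingError(f"{serial} is already a member of {self.name}")
        if count < 0:
            raise ValueError("license count cannot be negative")
        self._check_delta(count)
        self.members[serial] = count
        return self.available

    def change_count(self, serial: str, count: int) -> int:
        """The 'Change License Count to' action for an existing member."""
        if serial not in self.members:
            raise LicenseSharingError(f"{serial} is not a member of {self.name}")
        if count < 0:
            raise ValueError("license count cannot be negative")
        self._check_delta(count - self.members[serial])
        self.members[serial] = count
        return self.available

    def remove(self, serial: str) -> int:
        """The 'Remove from License Sharing Group' action; returns licenses released."""
        if serial not in self.members:
            raise LicenseSharingError(f"{serial} is not a member of {self.name}")
        return self.members.pop(serial)

    def properties(self) -> dict:
        """What the License Sharing Group Properties dialog would report."""
        return {"name": self.name, "service": self.service, "total": self.total,
                "used": self.used, "available": self.available,
                "members": dict(self.members)}

    def _check_delta(self, delta: int) -> None:
        # A reduction (negative delta) always fits; growth must fit the remaining pool.
        if delta > self.available:
            raise LicenseSharingError(
                f"{self.name}: requested {delta} more licenses but only {self.available} remain")
```

Removing a member returns its licenses to the pool, so the order of operations matters when you are re-balancing a full group: shrink or remove first, then grow the member that needs more.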

Viewing Used Activation Codes

To view used activation codes, perform the following steps:
1. In the left pane, select a node, group or appliance.
2. Select the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Used Activation Codes. The Used
Activation Codes page displays a list of used activation codes.
4. From the Select sort order pull-down menu, select Activation Code to sort by activation
code or Service Name, Activation Code to sort first by service name, then by activation
code.

CHAPTER 32
Configuring Firewall Events
This chapter provides configuration procedures for adding, enabling / disabling, deleting, and
editing alerts on the Firewall > Events > Alerts page, at a unit or group level. Before you
configure an Event Alert, refer to Chapter 45, Granular Event Management for a detailed
overview of the Granular Event Management feature.
Perform the following steps in the sections listed below:
Adding Alerts section on page 651
Enabling/Disabling Alerts section on page 655
Deleting Alerts section on page 655
Editing Alerts section on page 656
Current Alerts section on page 656

Adding Alerts
This section details the configuration procedures for adding an alert, selecting an alert type, and
configuring a destination / schedule.

Add Alert
In the Add Alert panel you can enter an alert name and description, select the options for visible
to non-administrators and disable, and enter the polling interval. Perform the following steps to
add an alert:
1. Select a SonicWALL firewall appliance or group in the left pane. Under the Policies tab,
click on Events > Alert Settings.
2. Click the Add Alert link. The Add Alert screen displays.
3. Enter a name and description for your alert.
4. Enable the Visible to Non-Administrators checkbox if you want your Alert to be visible to
non-administrators.
5. Enable the Disable checkbox to disable this Alert.
6. Enter a Polling Interval value (in seconds: 60-86400).

Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the
definitions of each alert type. Perform the following steps to configure an Alert Type:
1. Click the Alert Type pull-down list and select an alert type.
The table below lists all the Firewall Alert Types and the definition of each alert.

Unit HF Status: Tracks if a unit has failed over in an HF pair (primary or secondary). The
value that the threshold will use is String. This value is either p (for primary), b (for
secondary) or otherwise.

Unit Locally Changed: Tracks if changes have been made to a unit locally. The value that
the threshold will use is Boolean. This value is either True (1) or False (0).

Unit Status: Tracks a unit's Up/Down status. The value that the threshold will use is
Numeric. This value is the number of missed heartbeats that should be counted to mark a
unit as down. Edit Content option available.

Unit WAN Status: Tracks if a unit has failed over on the WAN. The value that the threshold
will use is String. This value is either m (for modem), w (for wireless), e (for ethernet) or
otherwise.

VPN Tunnel Status: Tracks an SA's tunnel status. The value that the threshold will use is
Boolean. This value is either Active/Alive/Up (1) or otherwise (0). Edit Content option
available.

Note: When an alert type is selected, a description for that alert is also displayed in the Alert
Type panel.
Note: If the Alert Type requires you to Edit Content, a link displays in the Alert Type panel.
Editing Contents allows the user to pick additional info, in a granular fashion, on which the
alerting has to be performed.
2. Click the Edit Content link. The Edit Contents for Alert Type Unit Status pop-up window
displays.
3. Click the Threshold pull-down list and select a threshold. You can create a new threshold
on-the-fly by clicking the icon next to the Threshold list. Refer to Configuring Event
Thresholds, page 829 for details on how to configure event thresholds. Only one new
threshold can be created in this feature.
4. Click the Update button. To reset the settings, click the Reset button.

Destination / Schedule
In the Destination / Schedule panel you can add up to 5 destinations and set a schedule for
each. Perform the following steps to add a destination and set a schedule:
Note: Every selected destination is required to have a schedule set.
1. Click the Add Destination link under the Destination/Schedule section.
2. Click the Destination pull-down list, then select an alert destination. The Destination field
designates where you want alerts to be sent. You have a maximum number of five
destinations.
3. Click the Schedule pull-down list, then select a schedule type. The Schedule field
designates the frequency of when you want alerts to be sent to the destination(s).
4. Click Update to finish adding an alert.

Enabling/Disabling Alerts
Perform the following steps to enable or disable an alert:

Enabling an Alert
1. Select the Enabled checkbox of the alert(s) you wish to enable.
2. Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
enable.

Disabling an Alert
1. Deselect the Enabled checkbox of the alert(s) you wish to disable.
2. Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
disable.

Deleting Alerts
Perform the following steps to delete an alert:
1. Select the checkbox(es) of the Alert(s) you wish to delete.
2. Click the Delete Alert link. A confirmation window will display.
3. Click OK to delete.
Note: You can also delete an alert by clicking the Delete icon under the Configure section of
the alert you wish to delete.

Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps
to edit an alert:
1. Click the Configure icon of the alert you wish to edit. The Edit Alert page will display.
2. Refer to the Adding Alerts section and follow the configuration procedures to edit your
existing Alert.

Current Alerts
To check the status of current alerts for your SonicWALL firewall appliance or group of
appliances:
1. Navigate to the Firewall tab.
2. Click on the appliance or group you wish to check the alerts for.
3. Navigate to the Events > Current Alerts page. All active alerts for this appliance will be
listed under Alert Listing.

CHAPTER 33
Adding SRA Appliances to SonicWALL GMS
This chapter provides instructions on configuring SonicWALL SRAs for management using
SonicWALL GMS.
To configure a SonicWALL SRA for SonicWALL GMS management, perform the following tasks:
Preparing SRA Appliances for SonicWALL GMS Management section on page 657
Adding SRA Appliances in SonicWALL GMS section on page 659
Managing SRA Appliance Settings section on page 660

Preparing SRA Appliances for SonicWALL GMS Management
This section describes the local configuration steps required on the individual appliance before
adding it to SonicWALL GMS management. See the following subsections:
Preparing SonicWALL SRA Appliances, page 657
Preparing SonicWALL Aventail EX-Series SRA Appliances, page 658

Preparing SonicWALL SRA Appliances

To prepare a SonicWALL SRA appliance (non-Aventail) for GMS management:
1. Log in to your SonicWALL SRA. Navigate to System > Administration.
2. In GMS settings, select the Enable GMS Management check box.
3. Type the GMS host name or IP address of the GMS server in the GMS Host Name or IP
Address field.
4. Type the GMS syslog server port in the Syslog Server Port field. The default port is 514.
5. Enter the heartbeat interval, in seconds, in the Heartbeat Interval (seconds) field. The
maximum heartbeat interval is 86400 (24 hours). The interval bounds how quickly GMS can
notice that the appliance has stopped reporting: a Unit Status alert that marks the unit down
after N missed heartbeats cannot fire until roughly N times this interval has elapsed.
6. Click Apply.

Preparing SonicWALL Aventail EX-Series SRA Appliances

There are specific requirements for preparing the SonicWALL Aventail EX-Series SRA
appliance for GMS management:
SonicWALL Aventail EX-Series SRA appliances must be licensed before you can enable
GMS management in the Aventail Management Console.
When enabling GMS on a SonicWALL Aventail appliance, select Enable single sign-on
for AMC configuration if you want direct access to the Aventail Management Console from
the SonicWALL GMS right-click menu. If this check box is cleared, you can still open the
AMC from the right-click menu, but you must enter your appliance login credentials.
The SonicWALL Aventail EX-Series SRA appliance allows HTTPS access only to its LAN
port(s), and not to its WAN port(s). This means that when SonicWALL GMS is deployed
outside of the Aventail LAN subnet(s), management traffic must be routed from GMS to a
gateway that allows access into the LAN network, and from there be routed to the Aventail
LAN port.

To prepare a SonicWALL Aventail EX-Series SRA appliance for GMS management:
1. Log in to your SonicWALL Aventail EX-Series SRA.
2. Click General Settings in the main Aventail Management Console (AMC) navigation menu.
3. Click Edit in the Centralized management area.
4. Select the Enable GMS management check box, and then enter the host name or IP
address of the GMS console, and its port number.
5. In the Heartbeat interval text box, set the interval (in seconds) at which the appliance
indicates its readiness to send a report on authentication-related events, in addition to
status information. An interval of 60 seconds is typical.
6. Select Enable single sign-on for AMC configuration if you want to be able to open the
Aventail Management Console and make changes to its configuration from within GMS. If
this setting is cleared, you can still open AMC, but you must first enter your AMC login
credentials; this is less convenient, but more secure.
7. Select Send only heartbeat status messages if you want to only manage the appliance
and not create reports for the appliance.
For more information about preparing SonicWALL Aventail appliances for SonicWALL GMS
management, see the SonicWALL GMS Aventail EX-Series Appliance Management feature
module and the SonicWALL / Aventail EX-Series Installation and Administration Guide on the
SonicWALL Support Web site:
http://www.sonicwall.com/us/Support.html

Adding SRA Appliances in SonicWALL GMS

To add your appliance to GMS, perform the following tasks:
1. Log in to GMS.
2. Click the SRA tab.
3. In the left-most pane, right-click and select Add Unit. The Add Unit popup displays.
4. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.
5. Enter the serial number of the SonicWALL appliance in the Serial Number field. On
SonicWALL Aventail appliances, the serial number is found on a sticker on the back of the
appliance. Enter it without hyphens into the field.
6. For the Managed Address, choose whether to Determine automatically, or Specify
manually. Most SMB SRA deployments will be able to determine the address automatically.
7. For Aventail deployments, choose to Specify manually and check the Aventail SRA
appliance option.
8. Enter the administrator login name for the SonicWALL appliance in the Login Name field.
For SonicWALL Aventail SRA appliances, the login name is pre-configured as GMS and
cannot be changed.
9. Enter the password used to access the SonicWALL appliance in the Password field.
10. The radio button next to Using HTTPS is automatically selected for SRA deployments.
11. For SonicWALL Aventail SRA appliances, enter 8443 in the HTTPS Port field. Other
SonicWALL SRA appliances use port 443.
12. Click OK. It may take up to a minute for the data to load; a Please Wait pop-up displays.
The SonicWALL SRA displays in the left pane of the SonicWALL GMS interface as a yellow
icon, which means the unit has not been acquired by SonicWALL GMS. After the appliance has
been acquired, the icon will either turn red, indicating that the appliance status is down, or blue,
indicating that the appliance status is up. For detailed appliance icon descriptions, refer to the
Understanding SonicWALL GMS Icons section on page 18.
It may take up to five minutes for the SonicWALL GMS to establish an HTTPS connection and
acquire the SonicWALL appliance for management.

Managing SRA Appliance Settings

After a SonicWALL SRA appliance has been added to SonicWALL GMS, it can be modified or
deleted. This section contains the following subsections:
Modifying an SRA Appliance section on page 660
Deleting an SRA Appliance section on page 660

Modifying an SRA Appliance

1. Click the SRA tab.
2. In the left pane, right-click the SRA appliance you want to modify and select one of the
following options:
Rename Unit: Allows you to rename the unit.
Modify Unit: Allows you to change the appliance settings, including the unit display name,
and appliance login name and password.
Add to Net Monitor: Allows you to add the appliance to Net Monitor for real-time monitoring.
Import XML: Allows you to import XML settings.
Login to Unit: Allows you to select HTTP or HTTPS management to directly access the
appliance. Single sign-on must be enabled for a SonicWALL Aventail appliance to allow
direct access to the Aventail Management Console from the SonicWALL GMS right-click
menu. Otherwise you will be prompted to enter your Aventail appliance login credentials.
Modify Properties: Allows you to modify the properties of the appliance, including company,
country and department names.

Deleting an SRA Appliance

1. Click the SRAs tab.
2. In the left pane, right-click the SRA appliance you want to delete and select Delete.
3. An alert will appear to verify the appliance deletion. Click Yes.
Note: It may take several seconds for the appliance to be deleted.

CHAPTER 34
Using General SRA Status and Tools
This chapter provides instructions for modifying the general status and tools for SonicWALL
SRAs. To modify the general status and tools of an SRA appliance using GMS, click the SRAs
tab at the top of the screen, then select the Policies tab. In the center pane, select General.
You will see the options Status, Tools and Info. This chapter also describes how to register
SonicWALL SRA appliances using GMS: Register SRAs is an option in the Policies tab that
registers your SRAs using the account information you provided when you registered your GMS.
This chapter contains the following sections:
SRA Status section on page 662
SRA Tools section on page 664
SRA Info section on page 666
Registering SonicWALL SRA Appliances section on page 667
Upgrading SonicWALL SRA Firmware section on page 667
Logging in to SRA using SonicWALL GMS section on page 668
Configuring Alerts section on page 668

SRA Status
The General > Status section provides the current status of the SRA appliance and allows for
an instant update of appliance information using the Fetch Information button.
The General > Status section provides the following appliance information:
Table 25 General > Status Information
SRA Model: The SRA model number.
Serial Number: The SRA serial number.
Registration Code: The mysonicwall.com registration code number.
Firmware Version: The SRA firmware version information.
CPU: The SRA CPU information.
Number of LAN IPs allowed: The number of LAN IPs allowed by the SRA.
SRA Status: The current status of the SRA appliance, either Up, Down or Unacquired.
Unit added to SonicWALL GMS on: The date and time the SRA appliance was added to GMS.
Management Mode: The management mode used to access the SRA, either HTTP or HTTPS.
Includes the IP address and port of the SRA.
Primary Agent: The IP address of the primary agent.
Secondary Agent: The IP address of the secondary agent.
Tasks Pending: The number of tasks pending for the SRA.
Last Log Entry: The last SonicWALL GMS system log event message for this device.
SRA Information: The up time since last reboot in days, hours, minutes, seconds.

Using Fetch Information

To update the General > Status section using the Fetch Information button, perform the
following tasks:
1. Click Fetch Information. The update scheduler displays.
2. Select the Immediate radio button. Alternatively, you can select the At button and specify
a date and time for SonicWALL GMS to perform the update.
3. Click Accept. It may take several seconds for GMS to fetch the appliance information. The
latest status will be displayed under General > Status.

SRA Tools
The General > Tools section provides the following options: Restart Appliance, Synchronize
Now, Synchronize the Appliance with mysonicwall.com.
Note: The Restart Appliance option is not available for SonicWALL Aventail SRA appliances.

Restarting SRA
To restart the SRA appliance, perform the following tasks:
1. Click the Restart Appliance button. A confirmation pop-up displays.
2. Use the Scheduler to specify a date and time for SonicWALL GMS to perform the restart.
It may take several minutes for the SRA to restart.

Synchronize Now
If a change is made to a SonicWALL appliance through any means other than through
SonicWALL GMS, GMS is notified of the change through the syslog data stream. After the
syslog notification is received, SonicWALL GMS schedules a task to synchronize its database
with the local change. Auto-synchronization automatically occurs whenever SonicWALL GMS
receives a local change notification status syslog message from a SonicWALL appliance.
You can also force synchronization at any time for a SonicWALL appliance or a group of
SonicWALL appliances.
To synchronize the SRA appliance, perform the following tasks:
1. Click the Synchronize Now button. A confirmation pop-up displays.
2. Click OK.
3. Use the Scheduler to specify a date and time for SonicWALL GMS to perform the
synchronization.
It may take several seconds for the SRA to synchronize.

Synchronizing with mysonicwall.com

SonicWALL appliances check their licenses and subscriptions with mysonicwall.com once
every 24 hours. Using the Synchronize the Appliance with mySonicWALL.com button, you
can force the SonicWALL SRA appliance to synchronize this information with mysonicwall.com
immediately.
To synchronize the SRA appliance with mysonicwall.com, perform the following tasks:
1. Click the Synchronize the Appliance with mysonicwall.com button. A confirmation
pop-up displays.
2. Click OK. The update scheduler displays.
3. Use the Scheduler to specify a date and time for SonicWALL GMS to perform the
synchronization.
It may take several seconds for the SRA to synchronize with mysonicwall.com.

SRA Info
The General > Info section provides the ability to update the contact information for the SRA
appliance.

Updating SRA Appliance Information

To update the SRA appliance information, perform the following steps:
1. Navigate to General > Info.
2. Enter the appropriate information for each field.
3. Click Update to update the information, or Reset to clear the form and start over.

Registering SonicWALL SRA Appliances

Note: Registering SonicWALL Aventail SRA appliances from GMS is not supported.
To register a SonicWALL SRA using GMS, perform the following tasks:
1. In the left pane, right-click the SRA you want to register and then select Login to Unit to
open its management interface.
2. In the SRA management interface, the System > Status page will be displayed. Record
your Serial Number and Authentication Code from the Licenses and Registration box.
3. In the GMS management interface, navigate to the Policies panel. In the center pane,
select Register/Upgrades > Register SSL-VPNs.
4. In the right pane, click the Register button. The update scheduler displays.
5. Select the Immediate radio button. Alternatively, you can select the At button and specify
a date and time for SonicWALL GMS to perform the update.
6. Click Accept.
You will receive a confirmation in the right pane when the registration has succeeded.
Note: If you receive an error message, navigate to the Console tab, then to Log > View Log. A
detailed error message will be displayed.

Upgrading SonicWALL SRA Firmware

The SonicWALL SRA appliance must be registered before the firmware can be upgraded. For
information about registering your SRA appliance, refer to Registering SonicWALL SRA
Appliances section on page 667.
Note: Upgrading SonicWALL Aventail SRA appliances from GMS is not supported.
To upgrade the firmware of a SonicWALL SRA appliance using GMS, perform the following
tasks:
1. In the left pane, select the SRA you want to upgrade.
2. In the center pane, navigate to Register/Upgrades > Firmware Upgrade. The current SRA
appliance firmware is displayed under Current Status.
3. To upgrade the SRA appliance firmware using a file on the GMS server, click Upgrade
firmware using files on the GMS Server.
4. To upgrade the SRA appliance firmware using a local file, enter the path and file name of
the firmware file in the field next to Upgrade firmware from local file, or click Browse to
locate the firmware file. Click Upgrade firmware from local file.
5. A message displays indicating that an appliance restart is necessary to complete the
firmware upgrade. Click OK to continue.
6. The license agreement message displays. Read the message and click OK to agree and
download the firmware, or click Cancel to disagree and cancel the firmware upgrade.

Logging in to SRA using SonicWALL GMS

To log in to the SonicWALL SRA using SonicWALL GMS, make sure that pop-ups are enabled
on your Web browser and use the procedure in this section.
SonicWALL Aventail SRA appliances allow direct GMS login when Enable single sign-on for
AMC configuration is selected when enabling GMS management. If SSO is not enabled, you
can still open the Aventail Management Console from the right-click GMS menu, but you must
then enter your appliance login credentials.
1. Log in to SonicWALL GMS.
2. Click the SRA tab.
3. In the left pane, click the SRA that you want to manage.
4. If you see a security certificate warning, click Yes to continue. Accept the warning only if
the certificate is the one you expect for that appliance (for example, its self-signed
management certificate); an unexpected certificate can mean the management session is
being intercepted.
5. The SRA management interface opens in a new browser window. This may take several
seconds.
You can now manage the SonicWALL SRA directly from the management interface.
For detailed instructions about configuration tasks using the SonicWALL SRA management
interface, refer to the SonicWALL SRA Administrators Guide, available at
http://www.sonicwall.com/us/Support.html.

Configuring Alerts
This section provides configuration procedures for adding, enabling / disabling, deleting, and
editing alerts on the SRA > Events > Alerts page, at a unit or group level. Before you configure
an Event Alert, refer to Chapter 45, Granular Event Management for a detailed overview of the
Granular Event Management feature.
Perform the following steps in the sections listed below:
Adding Alerts section on page 669
Enabling/Disabling Alerts section on page 671
Deleting Alerts section on page 672
Editing Alerts section on page 672
Current Alerts section on page 673

Adding Alerts
This section details the configuration procedures for adding an alert, selecting an alert type, and
configuring a destination / schedule.

Add Alert
In the Add Alert panel you can enter an alert name and description, select the options for visible
to non-administrators and disable, and enter the polling interval. Perform the following steps to
add an alert:
1. Select a SonicWALL SRA appliance or group in the left pane. Under the Policies tab, click
on Events > Alert Settings.
2. Click the Add Alert link. The Add Alert screen displays.
3. Enter a name and description for your alert.
4. Enable the Visible to Non-Administrators checkbox if you want your Alert to be visible to
non-administrators.
5. Enable the Disable checkbox to disable this Alert.
6. Enter a Polling Interval value (in seconds: 60-86400).

Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the
definitions of each alert type. Perform the following steps to configure an Alert Type:
1. Click the Alert Type pull-down list and select an alert type.
The table below lists all the SRA Alert Types and the definition of each alert.

Unit Status: Tracks a unit's Up/Down status. The value that the threshold will use is
Numeric. This value is the number of missed heartbeats that should be counted to mark a
unit as down. Edit Content option available.
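The alert tables in the Firewall Events chapter (Chapter 32) and in this SRA chapter describe each alert type by the kind of value its threshold compares: a string (HF or WAN state), a boolean (locally changed, VPN tunnel up) or a number of missed heartbeats (Unit Status). The following Python is an added example, not code from SonicWALL GMS or from this guide, that models those five alert types and evaluates a constructed status sample against a constructed alert set; it also shows how the appliance heartbeat interval and the missed-heartbeat threshold together bound how long a dead unit can go unnoticed. How GMS itself compares a threshold with an observed value is my reading of the tables, and is flagged as an assumption in the code.

```python
"""Added example (not SonicWALL GMS code): evaluating Firewall and SRA event
alerts against a constructed unit status sample."""
from dataclasses import dataclass
from typing import Any, Dict, List

# Alert type -> threshold value kind, taken from the alert tables in the
# Firewall Events and SRA Configuring Alerts sections of the guide.
ALERT_TYPES: Dict[str, str] = {
    "Unit HF Status": "string",         # "p" primary, "b" secondary, or otherwise
    "Unit Locally Changed": "boolean",  # True (1) or False (0)
    "Unit Status": "numeric",           # missed heartbeats before the unit is Down
    "Unit WAN Status": "string",        # "m" modem, "w" wireless, "e" ethernet
    "VPN Tunnel Status": "boolean",     # Active/Alive/Up (1) or otherwise (0)
}


@dataclass(frozen=True)
class Threshold:
    alert_type: str
    value: Any  # string to match, boolean state, or missed-heartbeat count


@dataclass(frozen=True)
class Alert:
    name: str
    threshold: Threshold
    enabled: bool = True
    polling_interval: int = 300  # seconds; GMS accepts 60-86400

    def __post_init__(self):
        if self.threshold.alert_type not in ALERT_TYPES:
            raise ValueError(f"unknown alert type: {self.threshold.alert_type}")
        if not 60 <= self.polling_interval <= 86400:
            raise ValueError("polling interval must be 60-86400 seconds")


def fires(threshold: Threshold, sample: Any) -> bool:
    """Compare one observed value with a threshold using the type's value kind.

    Assumption (mine, not stated in the guide): string and boolean thresholds
    match on equality, and a numeric Unit Status threshold is met once the
    observed missed-heartbeat count reaches the configured number.
    """
    kind = ALERT_TYPES[threshold.alert_type]
    if kind == "string":
        return str(sample) == str(threshold.value)
    if kind == "boolean":
        return bool(int(sample)) == bool(threshold.value)
    return int(sample) >= int(threshold.value)


def missed_heartbeats(last_seen: int, now: int, interval: int) -> int:
    """Whole heartbeat intervals elapsed since the unit last reported (epoch seconds)."""
    if interval <= 0:
        raise ValueError("heartbeat interval must be positive")
    return max(0, (now - last_seen) // interval)


def seconds_to_down(heartbeat_interval: int, missed_threshold: int) -> int:
    """Minimum time before a Unit Status alert can mark the unit Down."""
    return heartbeat_interval * missed_threshold


def evaluate(alerts: List[Alert], sample: Dict[str, Any]) -> List[str]:
    """Names of the enabled alerts whose thresholds the sample satisfies."""
    hits = []
    for alert in alerts:
        if not alert.enabled:
            continue
        value = sample.get(alert.threshold.alert_type)
        if value is not None and fires(alert.threshold, value):
            hits.append(alert.name)
    return hits


# Constructed status sample for one unit, keyed by alert type.
SAMPLE_STATUS: Dict[str, Any] = {
    "Unit HF Status": "b",                                                 # on the secondary
    "Unit Locally Changed": 1,                                             # edited on the box
    "Unit Status": missed_heartbeats(last_seen=1000, now=1700, interval=60),  # 11 missed
    "Unit WAN Status": "e",                                                # still on ethernet
    "VPN Tunnel Status": 0,                                                # tunnel not up
}

# Constructed alert set; the alert names are invented.
ALERTS: List[Alert] = [
    Alert("HF failover to secondary", Threshold("Unit HF Status", "b")),
    Alert("Changed outside GMS", Threshold("Unit Locally Changed", True)),
    Alert("Unit down (3 missed heartbeats)", Threshold("Unit Status", 3)),
    Alert("WAN failed over to modem", Threshold("Unit WAN Status", "m")),
    Alert("VPN tunnel down", Threshold("VPN Tunnel Status", False)),
    Alert("Ethernet WAN (disabled)", Threshold("Unit WAN Status", "e"), enabled=False),
]
```

The numbers in `seconds_to_down` are the ones to reason about when you pick a heartbeat interval on the appliance and a missed-heartbeat threshold in GMS: three missed heartbeats at a 60-second interval is three minutes, while the same threshold at the 86400-second maximum interval is three days, and the alert's own polling interval adds to that before a destination is notified.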

Note

When an alert type is selected, a description for that alert is also displayed in the Alert Type
panel.
If the Alert Type requires you to Edit Content, a link displays in the Alert Type panel. Editing
Contents allows the user to pick additional info, in a granular fashion, on which the alerting has to
be performed.

Note

2.

Click the Edit Content link. The Edit Contents for Alert Type Unit Status pop-up window
displays.

3.

Click the Threshold pull-down list and select a threshold.

You can create a new threshold on-the-fly by clicking the


icon. Refer to Configuring
Event Thresholds, page 829 for details on how to configure event thresholds. Only one new
threshold can be created in this feature.
4.

Click the Update button. To reset the settings, click the Reset button.

Destination / Schedule
In the Destination / Schedule panel you can add up to 5 destinations and set a schedule for
each. Perform the following steps to add a destination and set a schedule:

Note

670

Every selected destination is required to have a schedule set.


1.

Click the Add Destination link under the Destination/Schedule section.

2.

Click the Destination pull-down list, then select a alert destination.The Destination field
designates where you want alerts to be sent. You have a maximum number of five
destinations.

SonicWALL GMS 7.0 Administrators Guide

Configuring Alerts

3.

Click the Schedule pull-down list, then select a schedule type. The Schedule field
designates the frequency of when you want alerts to be sent to the destination(s).

4.

Click Update to finish adding an alert.

Enabling/Disabling Alerts
Perform the following steps to enable or disable an alert:

Enabling a Alert
1.

Select the Enabled checkbox of the alert(s) you wish to enable.

2.

Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
enable/disable.

Disabling an Alert
1.

Deselect the Enabled checkbox of the alert(s) you wish to disable.

2.

Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
enable/disable.

SonicWALL GMS 7.0 Administrators Guide

671

Configuring Alerts

Deleting Alerts
Perform the following steps to delete an alert:

1. Select the checkbox(es) of the alert(s) you wish to delete.

2. Click the Delete Alert link. A confirmation window displays.

3. Click OK to delete.

Note
You can also delete an alert by clicking the Delete icon under the Configure section of the alert you wish to delete.

Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps
to edit an alert:
1. Click the Configure icon of the alert you wish to edit. The Edit Alert page displays.

2. Refer to the Adding Alerts section and follow the configuration procedures to edit your existing alert.


Current Alerts
To check the status of current alerts for your SonicWALL SRA appliance or group of appliances:

1. Navigate to the SRA tab.

2. Click the appliance or group whose alerts you wish to check.

3. Navigate to the Events > Current Alerts page. All active alerts for this appliance are listed under Alert Listing.


CHAPTER 35
CDP Appliance Management
This chapter describes how to implement and manage single or multiple deployments of SonicWALL CDP appliances through GMS. It includes an introduction to the Multi-Solution Management feature and instructions for using the appliance configuration tools in SonicWALL GMS.
This chapter contains the following sections:

Adding a CDP Appliance to GMS section on page 675

Managing CDP General Settings section on page 677

Registering CDP Appliances section on page 681

Configuring Alerts section on page 682

Templates section on page 688

Accessing the CDP Management Interface section on page 692

Using Multi-Solution Management section on page 692

Adding a CDP Appliance to GMS


SonicWALL CDP appliances must be running firmware version 2.3 or later to be managed using
SonicWALL GMS. To configure a SonicWALL CDP for SonicWALL GMS management, perform
the following tasks:

Preparing the Appliance section on page 675

Adding the CDP Appliance to GMS section on page 676

Managing CDP General Settings section on page 677

Registering CDP Appliances section on page 681

Preparing the Appliance

1. Log in to your SonicWALL CDP appliance.

2. Navigate to System > Administration.

3. In GMS settings, select the Enable GMS Management check box.

4. Type the host name or IP address of the GMS server in the GMS Host Name or IP Address field.

5. Type the GMS syslog server port in the Syslog Server Port field. The default port is 514. Heartbeats and change notifications from the appliance reach GMS over this syslog channel, so the network path from the appliance to the GMS server must allow it; if it is blocked, GMS cannot track the unit's status or notice configuration changes made locally.

6. Enter the heartbeat interval, in seconds, in the Heartbeat Interval (seconds) field. The maximum heartbeat interval is 86400 (24 hours). The Unit Status alert works by counting missed heartbeats, so a long interval delays detection of a unit that has gone down.

7. Click Submit.

Adding the CDP Appliance to GMS


To add your appliance to GMS, perform the following tasks:

1. Log in to GMS.

2. Click the CDP appliance tab to add a CDP appliance to GMS.

3. In the left-most pane, right-click and select Add Unit. The Add Unit popup displays.

4. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.

5. Enter the appliance administrator login name in the Login Name field.

6. Enter the appliance administrator password in the Password field.

7. Enter the appliance serial number in the Serial Number field. The serial number can be found in the appliance management interface under General > Status.

8. The management mode defaults to Using HTTPS. Select the agent that will manage the CDP appliance from the Agent IP Address field.

9. Click OK. It may take up to a minute for the data to load.

The SonicWALL appliance is displayed in the left pane of the SonicWALL GMS interface as a
yellow icon, which means the unit has not been acquired by SonicWALL GMS. After the
appliance has been acquired, the icon will either turn red, indicating that the appliance status
is down, or blue, indicating that the appliance status is up. For detailed appliance icon
descriptions, refer to the Understanding SonicWALL GMS Icons section on page 18.


It may take up to five minutes for the SonicWALL GMS to establish an HTTPS connection and
acquire the SonicWALL appliance for management.
Your CDP is now ready for management using SonicWALL GMS.

Managing CDP General Settings


After a SonicWALL CDP appliance has been added to GMS, it can be managed through the
CDP Policies panel.

This section contains the following subsections:

Viewing and Managing CDP Status section on page 677

CDP Appliance Tools for Synchronization section on page 679

Editing CDP Appliance Contact Information section on page 681

Viewing and Managing CDP Status


The General > Status window displays both general deployment status and individual appliance status for CDP appliances. Views available in the Status screen are:

Global CDP Status section on page 678

Individual CDP Appliance Status section on page 678

General Appliance Status Information section on page 678


Global CDP Status


The Global status window displays information about all CDP devices in the current GMS
deployment.

For CDP appliances, there is an option to Fetch Information at both global and appliance
levels. When in global view, this feature acquires information for all available CDP appliances,
however, the results are only displayed when an individual appliance is selected.

Individual CDP Appliance Status


The individual appliance status window displays information about the currently selected CDP
appliance.

Note

For CDP appliances, click the Fetch Information button for an updated view. This feature
is also available on a global level.

General Appliance Status Information


The General > Status screen provides the following appliance information:

Model: The CDP model number.
Serial Number: The CDP serial number.
Firmware Version: The CDP firmware version number.
CPU: The CDP CPU information.
Number of LAN IPs allowed: The number of LAN IPs allowed by the CDP.
Status: The current status of the CDP appliance, either Up, Down or Unacquired.
Unit added to GMS: The date and time the CDP appliance was added to SonicWALL GMS.
Management Mode: The management mode used to access the CDP, either HTTP or HTTPS; includes the IP address and port of the CDP.
Primary Agent: The IP address of the SonicWALL GMS agent server that manages this CDP appliance (the agent chosen in the Agent IP Address field when the unit was added). This is the GMS agent, not a CDP backup agent.
Standby Agent: The IP address of the secondary GMS agent used in case of failure.
Tasks Pending: The number of tasks pending for the CDP.
Last Log Entry: The scheduled task to be executed.
CDP Information: The up time since the last reboot, in days, hours, minutes and seconds.

CDP Appliance Tools for Synchronization


The General > Tools section provides the following options to synchronize both the static and
dynamic information:

Synchronize Now section on page 679

Synchronizing with mySonicWALL.com section on page 680

Synchronize Now
If a change is made to a SonicWALL appliance through any means other than SonicWALL GMS, GMS is notified of the change through the syslog data stream. After the syslog notification is received, SonicWALL GMS schedules a task to synchronize its database with the local change. This auto-synchronization occurs whenever SonicWALL GMS receives a local change notification status syslog message from a SonicWALL appliance. Because the syslog message is the trigger, an out-of-band change is not picked up if the appliance's syslog stream is not reaching GMS, and the GMS database then silently drifts from the appliance's actual configuration.
You can also force synchronization at any time for a SonicWALL appliance or a group of SonicWALL appliances; doing so after any change made directly on an appliance is the safe course.
To synchronize the appliance, perform the following tasks:
1. Select the appliance(s) you wish to synchronize.

2. In the General > Tools screen, click Synchronize Now.

3. A confirmation pop-up displays. Click OK.

4. Use the scheduler to update immediately, or select a date in the future. Click Accept when you are finished.

It may take several seconds for SonicWALL GMS to synchronize with the SonicWALL appliance.

Synchronizing with mySonicWALL.com


SonicWALL appliances check their licenses and subscriptions with mysonicwall.com once
every 24 hours. Using the Synchronize the Appliance with mySonicWALL.com button, you
can force the SonicWALL CDP appliance to synchronize this information with mysonicwall.com
immediately.
To synchronize the appliance with mySonicWALL.com, perform the following tasks:

1. On the General > Tools page, click the Synchronize the Appliance with mySonicWALL.com button.

2. A confirmation pop-up displays. Click OK.

3. Use the scheduler to update immediately, or select a date in the future. Click Accept when you are finished.

It may take several seconds for the SonicWALL appliance to synchronize with mySonicWALL.com.

Editing CDP Appliance Contact Information


The General > Info screen allows you to edit CDP appliance information on a global or unit
level.

Registering CDP Appliances


To register a CDP appliance, you must perform tasks on GMS and on the CDP appliance
through its local user interface. See the following sections:

Registration Tasks on GMS section on page 681

Registration Tasks on the CDP Appliance section on page 682

Adding Alerts section on page 682

Registration Tasks on GMS


When you add an appliance, GMS creates a task to register it. You can see the scheduled
Appliance Registration task in the Console > Tasks > Scheduled Task screen. Note that when
a unit is added to GMS, it is automatically registered by GMS when successfully acquired.
However, CDP appliances cannot be used until you complete the registration tasks on the local
CDP appliance.
You can also register appliances manually in GMS. To register a CDP appliance:

1. In the left pane of the CDP panel, select the appliance.

2. Click the Policies tab.

3. In the center pane, navigate to Register/Upgrades > Register CDPs.

4. Click Register. The scheduler displays. Use the scheduler to update immediately, or select a date in the future.

Note
When registering a CDP appliance, you need to specify the offsite backup location, either Europe or North America.

5. Click Accept. It may take several seconds for GMS to contact SonicWALL to register the CDP appliance.

Registration Tasks on the CDP Appliance


After the GMS task has been executed, it disappears from the table of scheduled tasks in the
Console > Tasks > Scheduled Tasks screen. You can now perform the local registration tasks
on the CDP appliance. For more information on CDP registration, see the SonicWALL CDP
Getting Started Guide for your CDP appliance.

Configuring Alerts
This section provides procedures for adding, enabling/disabling, deleting, and editing alerts on the CDP > Events > Alerts page, at a unit or group level. Before you configure an Event Alert, refer to Chapter 45, Granular Event Management for a detailed overview of the Granular Event Management feature.
Perform the following steps in the sections listed below:

Adding Alerts section on page 682

Enabling/Disabling Alerts section on page 686

Deleting Alerts section on page 686

Editing Alerts section on page 687

Current Alerts section on page 687

Adding Alerts
This section details the configuration procedures for adding an alert, selecting an alert type, and configuring a destination / schedule.

Add Alert
In the Add Alert panel you can enter an alert name and description, select the options for visible
to non-administrators and disable, and enter the polling interval. Perform the following steps to
add an alert:

1. Select a SonicWALL CDP appliance or group in the left pane. Under the Policies tab, click Events > Alert Settings.

2. Click the Add Alert link. The Add Alert screen displays.

3. Enter a name and description for your alert.

4. Select the Visible to Non-Administrators checkbox if you want the alert to be visible to non-administrators.

5. Select the Disable checkbox to disable this alert.

6. Enter a Polling Interval value (in seconds: 60-86400). The polling interval determines how often the alert condition is evaluated.

Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the
definitions of each alert type. Perform the following steps to configure an Alert Type:
1. Click the Alert Type pull-down list and select an alert type.

The list below gives all the CDP alert types and the definition of each.

Agent Quota Reached: Tracks whether the quota for an agent assigned to the appliance has reached its limit. The threshold value is Boolean, either True (1) or False (0). Edit Content option available.
Agent Unsuccessful Backups: Tracks whether a data backup for an agent assigned to the appliance has failed. The threshold value is Boolean, either True (1) or False (0). Edit Content option available.
Appliance Capacity Status: Tracks whether the storage on the appliance has reached its capacity. The threshold value is numeric: the utilization in %. Edit Content option available.
CDP Status: Tracks the CPU load of the appliance. The threshold value is numeric: the CPU utilization in % at which the appliance is marked as nearing capacity. Edit Content option available.
Offsite Capacity Status: Tracks whether the offsite storage for the appliance has reached its capacity. The threshold value is numeric: the utilization in %. Edit Content option available.
Unit Status: Tracks a unit's Up/Down status. The threshold value is numeric: the number of missed heartbeats that must be counted before a unit is marked as down. Edit Content option available.

Note
When an alert type is selected, a description for that alert is also displayed in the Alert Type panel.

If the alert type requires you to edit its content, an Edit Content link displays in the Alert Type panel. Editing the content lets you choose, at a granular level, the additional information (such as the threshold) on which the alert is evaluated.

2. Click the Edit Content link. The Edit Contents for Alert Type pop-up window (for example, Edit Contents for Alert Type Unit Status) displays.

3. Click the Threshold pull-down list and select a threshold.

Note
You can create a new threshold on-the-fly by clicking the new-threshold icon beside the list. Refer to Configuring Event Thresholds, page 829 for details on how to configure event thresholds. Only one new threshold can be created in this way.

4. Click the Update button. To reset the settings, click the Reset button.
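The threshold semantics described above, worked through as an added example. This is illustration code written for this guide, not SonicWALL's; the UnitStatus record layout, the field names and the three sample appliance snapshots are assumptions. Boolean thresholds fire when the observed flag equals the threshold value, percentage thresholds fire when utilization reaches the value, and the Unit Status threshold fires once the number of whole heartbeat intervals elapsed since the last heartbeat reaches the configured count.

```python
"""Added example: evaluating GMS-style alert types against appliance status.

Illustration code, not SonicWALL's. The record layout, field names and
sample snapshots are assumed. It models the three threshold kinds in the
alert-type list: Boolean (quota reached, backup failed), numeric
utilization in percent (capacity, offsite capacity, CPU) and a count of
missed heartbeats (Unit Status).
"""
from dataclasses import dataclass
from typing import Dict, List

MAX_HEARTBEAT_INTERVAL = 86400        # seconds: the appliance's documented maximum
POLLING_INTERVAL_RANGE = (60, 86400)  # seconds: the alert's documented range


@dataclass
class UnitStatus:
    """Constructed snapshot of one appliance as GMS might hold it (assumed layout)."""
    serial: str
    heartbeat_interval: int   # seconds, as configured on the appliance
    last_heartbeat: float     # epoch seconds of the last heartbeat syslog received
    capacity_pct: float       # local storage utilization in %
    offsite_pct: float        # offsite storage utilization in %
    cpu_pct: float            # CPU utilization in %
    agent_quota_reached: bool
    agent_backup_failed: bool


def validate_polling_interval(seconds: int) -> int:
    """Reject polling intervals outside the 60-86400 second range the UI accepts."""
    lo, hi = POLLING_INTERVAL_RANGE
    if not lo <= seconds <= hi:
        raise ValueError(f"polling interval must be {lo}-{hi} seconds, got {seconds}")
    return seconds


def missed_heartbeats(unit: UnitStatus, now: float) -> int:
    """Whole heartbeat periods elapsed since the last heartbeat (0 if on time)."""
    if not 1 <= unit.heartbeat_interval <= MAX_HEARTBEAT_INTERVAL:
        raise ValueError("heartbeat interval out of range")
    elapsed = now - unit.last_heartbeat
    return 0 if elapsed < 0 else int(elapsed // unit.heartbeat_interval)


def unit_state(unit: UnitStatus, now: float, max_missed: int) -> str:
    """Unit Status semantics: 'Down' once the missed-heartbeat count reaches the threshold."""
    return "Down" if missed_heartbeats(unit, now) >= max_missed else "Up"


def evaluate_alerts(unit: UnitStatus, now: float, thresholds: Dict[str, float]) -> List[str]:
    """Names of the alert types whose threshold is met for this unit, in list order."""
    # Boolean thresholds fire when the observed flag equals the threshold (1 = True, 0 = False).
    # Numeric thresholds fire when the observed value reaches the threshold.
    checks = {
        "Agent Quota Reached": unit.agent_quota_reached == bool(thresholds["Agent Quota Reached"]),
        "Agent Unsuccessful Backups": unit.agent_backup_failed == bool(thresholds["Agent Unsuccessful Backups"]),
        "Appliance Capacity Status": unit.capacity_pct >= thresholds["Appliance Capacity Status"],
        "CDP Status": unit.cpu_pct >= thresholds["CDP Status"],
        "Offsite Capacity Status": unit.offsite_pct >= thresholds["Offsite Capacity Status"],
        "Unit Status": unit_state(unit, now, int(thresholds["Unit Status"])) == "Down",
    }
    return [name for name, fired in checks.items() if fired]


def run_poll(units: List[UnitStatus], now: float, thresholds: Dict[str, float]) -> Dict[str, List[str]]:
    """One polling pass: map each serial to the alerts that fired for it."""
    return {u.serial: evaluate_alerts(u, now, thresholds) for u in units}


# Constructed sample data (not captured from a real deployment).
SAMPLE_NOW = 1_700_000_000.0
SAMPLE_UNITS = [
    UnitStatus("CDP-A", 60, SAMPLE_NOW - 30, 55.0, 40.0, 20.0, False, False),    # healthy
    UnitStatus("CDP-B", 60, SAMPLE_NOW - 200, 92.5, 70.0, 50.0, True, False),    # 3 missed, nearly full
    UnitStatus("CDP-C", 300, SAMPLE_NOW - 5000, 10.0, 95.0, 97.0, False, True),  # 16 missed, backup failed
]
SAMPLE_THRESHOLDS = {
    "Agent Quota Reached": 1,            # Boolean: alert when True
    "Agent Unsuccessful Backups": 1,     # Boolean: alert when True
    "Appliance Capacity Status": 90.0,   # percent
    "CDP Status": 95.0,                  # percent CPU
    "Offsite Capacity Status": 90.0,     # percent
    "Unit Status": 3,                    # missed heartbeats
}

if __name__ == "__main__":
    validate_polling_interval(300)
    for serial, fired in run_poll(SAMPLE_UNITS, SAMPLE_NOW, SAMPLE_THRESHOLDS).items():
        print(f"{serial}: {fired or 'no alerts'}")
```

The Unit Status check makes the trade-off from the heartbeat settings concrete: with a 300-second heartbeat interval and a threshold of 3 missed heartbeats, a dead appliance is not reported down for at least 15 minutes, and the polling interval adds up to one more period on top of that.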


Destination / Schedule
In the Destination / Schedule panel you can add up to five destinations and set a schedule for each. Perform the following steps to add a destination and set a schedule:

Note
Every selected destination is required to have a schedule set.

1. Click the Add Destination link under the Destination/Schedule section.

2. Click the Destination pull-down list, then select an alert destination. The Destination field designates where you want alerts to be sent. You can have at most five destinations.

3. Click the Schedule pull-down list, then select a schedule type. The Schedule field designates how often alerts are sent to the destination(s).

4. Click Update to finish adding the alert.


Enabling/Disabling Alerts
Perform the following steps to enable or disable an alert:

Enabling an Alert
1. Select the Enabled checkbox of the alert(s) you wish to enable.

2. Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable.

Disabling an Alert
1. Deselect the Enabled checkbox of the alert(s) you wish to disable.

2. Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to disable.

Deleting Alerts
Perform the following steps to delete an alert:

1. Select the checkbox(es) of the alert(s) you wish to delete.

2. Click the Delete Alert link. A confirmation window displays.

3. Click OK to delete.

Note
You can also delete an alert by clicking the Delete icon under the Configure section of the alert you wish to delete.


Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps to edit an alert:

1. Click the Configure icon of the alert you wish to edit. The Edit Alert page displays.

2. Refer to the Adding Alerts section and follow the configuration procedures to edit your existing alert.

Current Alerts
To check the status of current alerts for your SonicWALL CDP appliance or group of appliances:

1. Navigate to the CDP tab.

2. Click the appliance or group whose alerts you wish to check.

3. Navigate to the Events > Current Alerts page. All active alerts for this appliance are listed under Alert Listing.


Templates
A Template is simply a collection of Recordings from one or more appliances of the same type. A Template belongs to a user of a particular domain and remains visible only in that domain; Templates from one domain are not visible in another. A user has access only to his or her own Templates (for editing, deleting, or moving them).
The Recordings in a Template should not contain conflicting data: Recordings are applied in order, so a later Recording overwrites a setting applied by an earlier one. For example, a Template should not contain a Recording that sets the time zone to IST followed by a Recording that sets it to PST, unless that is what the user intends.
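The conflict caveat above, turned into a pre-apply check as an added example. This is illustration code written for this guide, not SonicWALL's; the Recording and Template layout, the setting paths and the sample data are assumptions. It reports every setting that a later Recording in the same Template overwrites with a different value, shows the net effect of applying the Recordings in order, and refuses a Template whose appliance type does not match the target node.

```python
"""Added example: checking a GMS Template before it is applied.

Illustration code, not SonicWALL's. The Recording/Template layout and the
sample data are assumed. It reports settings that a later Recording in the
same Template overwrites with a different value (the IST-then-PST timezone
case), shows the net effect of applying the Recordings in order, and
refuses a Template whose appliance type does not match the target node.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Recording:
    """Changes captured between Start Recording and Stop Recording (assumed layout)."""
    name: str
    changes: List[Tuple[str, str]]   # (setting path, value) in the order they were made


@dataclass
class Template:
    name: str
    appliance_type: str              # Recordings only apply to the same appliance type
    recordings: List[Recording] = field(default_factory=list)


# setting, earlier recording, earlier value, later recording, later value
Conflict = Tuple[str, str, str, str, str]


def find_conflicts(template: Template) -> List[Conflict]:
    """Every setting that a later Recording sets to a value different from an earlier one."""
    last_seen: Dict[str, Tuple[str, str]] = {}
    conflicts: List[Conflict] = []
    for rec in template.recordings:
        for setting, value in rec.changes:
            if setting in last_seen and last_seen[setting][1] != value:
                prev_rec, prev_value = last_seen[setting]
                conflicts.append((setting, prev_rec, prev_value, rec.name, value))
            last_seen[setting] = (rec.name, value)
    return conflicts


def effective_settings(template: Template) -> Dict[str, str]:
    """Net result of applying the Recordings in order: the last value wins."""
    result: Dict[str, str] = {}
    for rec in template.recordings:
        for setting, value in rec.changes:
            result[setting] = value
    return result


def can_apply(template: Template, node_type: str) -> bool:
    """A Recording for one appliance type cannot be applied to another type."""
    return template.appliance_type == node_type


def check_before_apply(template: Template, node_type: str) -> List[str]:
    """Human-readable warnings; an empty list means the Template is safe to apply."""
    warnings: List[str] = []
    if not can_apply(template, node_type):
        warnings.append(f"template is for {template.appliance_type}, target node is {node_type}")
    for setting, r1, v1, r2, v2 in find_conflicts(template):
        warnings.append(f"{setting}: '{r1}' sets {v1}, later '{r2}' overwrites it with {v2}")
    return warnings


# Constructed sample (not from a real deployment): the timezone case from the text.
SAMPLE_TEMPLATE = Template("Branch baseline", "CDP", [
    Recording("Set timezone IST", [("System/Time/Timezone", "IST")]),
    Recording("Point syslog at GMS", [("System/Administration/SyslogPort", "514")]),
    Recording("Set timezone PST", [("System/Time/Timezone", "PST")]),
])

if __name__ == "__main__":
    for line in check_before_apply(SAMPLE_TEMPLATE, "CDP") or ["no warnings"]:
        print(line)
```

Because there is no preview for a Recording, a check of this kind is the only way to see what a Template will actually do before it is scheduled against a group of appliances.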

Template Management Screen


The Template Management Screen includes the following sections:

Add/Edit Recording on page 688

Add/Edit Template on page 689

Move Recording on page 689

Delete Template(s)/Recording(s) on page 690

Applying a Template or a Recording on page 692

Add/Edit Recording
This is used to save a freshly created recording. This screen appears when the Recording is
stopped. This new recording can be directly added to one of the existing Templates or to the
default Template. The same screen displays when editing an existing recording. Provide a
detailed Name and Description in the appropriate fields, then click Update to save the
information.

Note
There is no preview for a Recording, so it is important to enter a detailed Description to help you differentiate between Recordings/Templates.


Add/Edit Template
This is used to create a new Template or to edit an existing Template. Provide a detailed Name
and Description in the appropriate fields, then click Update to save the information.

Note
There is no preview for a Recording, so it is important to enter a detailed Description to help you differentiate between Recordings/Templates.

Move Recording
This dialog screen is used to move one or more recordings from one Template to another. To
move a recording, select the recording you wish to move from the Policies > Management >
Templates screen. Then, select which template to move it to. Click OK to save the changes.


Delete Template(s)/Recording(s)
This is used to confirm the deletion of Template(s) and Recording(s). To delete, first select the
template or recording from the Policies > Management > Templates screen. Then, click the
Delete Template(s)/Recording(s) link. Click OK to save the changes.

Recording
The Recording option provides an easier way to apply configurations for one appliance to
another similar appliance. You have the option of saving the Recording into the Default
Template or into a new Template. The data recorded between one Start Recording and Stop
Recording action is called a Recording.

Note
A Recording can only be applied to a compatible appliance. For example, a Recording for a SonicWALL CDP appliance can only be applied to another SonicWALL CDP appliance.


To create and save a Recording, follow the procedure below:

Step 1: Select the appliance you want to modify, and navigate to the Management > User Interface screen.

Step 2: Navigate to the screen you want to change. Click the Start Recording button on the Recording Controls panel. Once you see the Recording in progress notification on the panel, you can begin modifying the settings.

Step 3: Further changes can be recorded in the same way. Once you have finished making the necessary changes, stop the Recording by clicking the Stop Recording button on the Recording Controls panel. A dialog box asks whether you wish to save the Recording. Click OK.

Step 4: The Add Recording dialog box displays. Type in the Name and a detailed Description of the Recording. Indicate whether this Recording should be saved into your Default Template or into a new Template. Click Update when you are finished.

Step 5: The Templates screen displays, notifying you that the Recording was saved successfully.


Applying a Template or a Recording


Follow the procedure below to apply a Template or a Recording to an appliance or a group of appliances:

1. In the Tree Control, click the Unit or Group node to which you wish to apply a Template or Recording. Based on the node selected, the Templates screen lists only those Templates/Recordings that can be applied to the currently selected node.

2. Select the checkbox next to the Template you wish to apply. Specify a Schedule for the Template/Recording to be applied. Once applied, a task is created. To view the newly created task, click the Console tab and navigate to Tasks > Scheduled Tasks.

3. To verify that the task executed successfully, navigate to Log > View Log. You can also return to the User Interface screen of the appliance you applied the Template to and confirm that the changes took effect.

Accessing the CDP Management Interface


You can access the CDP management interface from SonicWALL GMS. This section provides a brief introduction to the CDP management interface. For the detailed configuration tasks available in the CDP management interface, refer to the SonicWALL CDP Administrators Guide for your appliance.

Using Multi-Solution Management


SonicWALL GMS was primarily designed to manage SonicWALL firewall appliances, and most of the web user interface of those appliances is duplicated and implemented in GMS so that the user has a common experience whether working in GMS or in the appliance interface. Whenever screens or functions are added, modified, or removed in the appliance user interface, the same changes have to be implemented in the GMS interface. Over time, SonicWALL has extended GMS management to other SonicWALL appliances, such as CDP and Email Security.
This expansion led to a generic solution in which GMS can manage all of these appliances, and any new appliance type in the future, without re-implementing each screen. The Multi-Solution Management feature manages these appliance types through their own web user interface over HTTP or HTTPS. GMS core management functions, such as creating tasks to post policies and scheduling tasks at the Unit Node and Group Node levels, remain available through the feature. Multi-Solution Management is the next-generation management capability in GMS.
The Multi-Solution Management includes the following sections:

Logging into the CDP Management Interface section on page 693

Configuring Multi-Solution Management section on page 693

Management Processes Unchanged section on page 694


Logging into the CDP Management Interface


To log in to a SonicWALL CDP appliance using SonicWALL GMS, ensure that pop-ups are enabled in your Web browser, and perform the following tasks:

1. Log in to SonicWALL GMS.

2. Click the CDP panel.

3. In the left pane, click the CDP appliance that you want to manage.

Note
You may see a security certificate warning. This means the browser does not trust the certificate the appliance presents, typically because the appliance still uses a self-signed certificate. Click Yes to continue only once you have confirmed that you are reaching the intended appliance (for example, by checking its certificate fingerprint); installing a certificate issued by your own CA on the appliance removes the warning permanently.

4. To open the CDP management interface, click Management > User Interface. You are directed to the User Interface of this appliance. To return to the Policies tab, click the Status Page button.

You can now manage the SonicWALL CDP directly from the management interface. For detailed instructions about configuration tasks using the SonicWALL CDP management interface, refer to the SonicWALL CDP Administrators Guide.

Configuring Multi-Solution Management


Navigate to the Host Role Configuration page and configure the MSM Server Protocol and MSM Server Port settings. Choose HTTPS unless you have a specific reason not to: over HTTP, management traffic to the MSM server, including any credentials it carries, crosses the network in the clear.

Note
If you choose HTTPS, the server uses the same SSL keystore or certificate that is used by the Tomcat web server, so the MSM port presents whatever certificate the GMS web interface presents. If you have replaced the default GMS certificate with one issued by your own CA, MSM uses it as well.


The Management Screen Group page is one of the most recently added screens supported by this feature.

From this screen, you can navigate to the Template screen or the User Interface screen. Note
that the User Interface screen is only available at the Unit Node level.
The Templates screen displays all the applicable Templates for the selected Unit/Group Node
on the Tree Control.

Management Processes Unchanged


The following management processes are still available with Multi-Solution Management:


Adding a Unit into GMS

The Unit Acquire process

Unit Status monitoring through Heartbeat syslogs

Task creation and scheduling

Execution of Task(s) by the Scheduler service

All other core management processes


CHAPTER 36
Email Security Appliance Management
This chapter describes how to implement and manage single or multiple deployments of SonicWALL Email Security appliances through GMS. It includes an introduction to the Multi-Solution Management feature and instructions for using the appliance configuration tools in SonicWALL GMS.
This chapter contains the following sections:

Configuring Heartbeat using Email Security CLI section on page 695

Adding an ES Appliance to GMS section on page 696

Managing ES General Settings section on page 697

Registering ES Appliances section on page 701

Configuring Alerts section on page 702

Templates section on page 707

Accessing the ES Management Interface section on page 710

Using Multi-Solution Management section on page 711

Configuring Heartbeat using Email Security CLI


Configuring a heartbeat with GMS is available only in the Email Security Command Line Interface (CLI). Follow the steps below to configure a heartbeat with GMS using the Email Security CLI.

Step 1: Log in to the SNWLCLI as admin.

Step 2: Enter the command gms. The current Email Security settings for the GMS heartbeat are displayed.

Step 3: Next, set the Email Security appliance heartbeat interval. In this example, the heartbeat interval is 60 seconds.

Step 4: Enter the destination IP address of your GMS server. In this example, the destination IP address is 10.195.11.38.


Note
It is mandatory to send heartbeat messages to a GMS management server to reliably report the Unit Status (UP or DOWN) for an Email Security appliance in GMS.

Adding an ES Appliance to GMS


SonicWALL Email Security appliances must be running firmware version 7.2 or later to be managed using SonicWALL GMS. To add your appliance to GMS, perform the following tasks:

1. Log in to GMS.

2. Click the ES appliance tab to add an Email Security appliance to GMS.

3. In the left-most pane, right-click and select Add Unit. The Add Unit popup displays.

4. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.

5. Enter the appliance administrator login name in the Login Name field.

6. Enter the appliance administrator password in the Password field.

7. Enter the appliance serial number in the Serial Number field. The serial number can be found in the appliance management interface under General > Status.

8. The management mode defaults to Using HTTPS. Select the agent that will manage the ES appliance from the Agent IP Address field.

9. Click OK. It may take up to a minute for the data to load.

The SonicWALL appliance is displayed in the left pane of the SonicWALL GMS interface as a
yellow icon, which means the unit has not been acquired by SonicWALL GMS. After the
appliance has been acquired, the icon will either turn red, indicating that the appliance status
is down, or blue, indicating that the appliance status is up. For detailed appliance icon
descriptions, refer to the Understanding SonicWALL GMS Icons section on page 18.
It may take up to five minutes for the SonicWALL GMS to establish an HTTPS connection and
acquire the SonicWALL appliance for management.
Your ES is now ready for management using SonicWALL GMS.

Managing ES General Settings


After a SonicWALL ES appliance has been added to GMS, it can be managed through the ES
Policies panel.

This section contains the following subsections:

Viewing and Managing ES Status section on page 697

ES Appliance Tools for Synchronization section on page 700

Registering ES Appliances section on page 701

Viewing and Managing ES Status


The General > Status window displays both general deployment status and individual appliance status for Email Security appliances. Views available in the Status screen are:

Global ES Status section on page 698

Individual ES Appliance Status section on page 698


Global ES Status
The Global status window displays information about all Email Security devices in the current
GMS deployment.

Individual ES Appliance Status


The individual appliance status window displays information about the currently selected Email
Security appliance.


General Appliance Status Information


The General > Status screen provides the following appliance information:

Model: The ES model number.
Serial Number: The ES serial number.
Firmware Version: The ES firmware version number.
CPU: The ES CPU information.
Number of LAN IPs allowed: The number of LAN IPs allowed by the ES.
Status: The current status of the ES appliance, either Up, Down or Unacquired.
Unit added to GMS: The date and time the ES appliance was added to SonicWALL GMS.
Management Mode: The management mode used to access the ES, either HTTP or HTTPS; includes the IP address and port of the ES.
Primary Agent: The IP address of the SonicWALL GMS agent server that is the primary agent managing the SonicWALL ES appliance.
Standby Agent: The IP address of the secondary agent used in case of failure.
Tasks Pending: The number of tasks pending for the ES.
Last Log Entry: The scheduled task to be executed.
ES Information: The up time since the last reboot, in days, hours, minutes and seconds.


ES Appliance Tools for Synchronization


The General > Tools section provides the following option to force your SonicWALL ES
appliance to synchronize its license and subscription information with mySonicWALL.com
immediately.

Synchronizing with mySonicWALL.com


SonicWALL appliances check their licenses and subscriptions with mySonicWALL.com once
every 24 hours. To synchronize the appliance with mySonicWALL.com, perform the following
tasks:
1. On the General > Tools page, click the Synchronize the Appliance with mySonicWALL.com
   button.
2. A confirmation pop-up displays. Click OK.
3. Use the scheduler to update immediately, or select a date in the future. Click Accept when
   you are finished.

It may take several seconds for the SonicWALL appliance to synchronize with
mySonicWALL.com.


Editing ES Appliance Contact Information


The General > Info screen allows you to edit Email Security appliance information on a global
or unit level.

Registering ES Appliances
To register an Email Security appliance, you must perform tasks on GMS and on the ES
appliance through its local user interface. See the following sections:

Registration Tasks on GMS section on page 701

Registration Tasks on the ES Appliance section on page 702

Registration Tasks on GMS


When you add an appliance, GMS creates a task to register it. You can see the scheduled
Appliance Registration task in the Console > Tasks > Scheduled Tasks screen. Note that when
a unit is added to GMS, it is automatically registered by GMS when successfully acquired.
However, ES appliances cannot be used until you complete the registration tasks on the local
ES appliance.
You can also register appliances manually in GMS. To register an ES appliance:
1. In the left pane of the ES appliance tab, select the appliance.
2. Click the Policies tab.
3. In the center pane, navigate to Register/Upgrades > Register ESAs.
4. Click Register. The scheduler displays.
5. Use the scheduler to update immediately, or select a date in the future.
6. Click Accept. It may take several seconds for GMS to contact SonicWALL to register the
   ES appliance.


Registration Tasks on the ES Appliance


After the GMS task has been executed, it disappears from the table of scheduled tasks in the
Console > Tasks > Scheduled Tasks screen. You can now perform the local registration tasks
on the ES appliance. Refer to the SonicWALL Email Security Getting Started Guide for more
information on Email Security Appliance registration.

Configuring Alerts
This chapter provides configuration procedures for adding, enabling / disabling, deleting, and
editing the ES > Events > Alerts page, at a unit or group level. Before you configure an Event
Alert, refer to Chapter 45, Granular Event Management for a detailed overview of the
Granular Event Management feature.
Perform the following steps in the sections listed below:

Adding Alerts section on page 702

Enabling/Disabling Alerts section on page 705

Deleting Alerts section on page 705

Editing Alerts section on page 706

Current Alerts section on page 706

Adding Alerts
This section details the configuration procedures for adding an alert, selecting an alert type, and
configuring a destination / schedule.

Add Alert
In the Add Alert panel you can enter an alert name and description, select the options for visible
to non-administrators and disable, and enter the polling interval. Perform the following steps to
add an alert:
1. Select a SonicWALL ES appliance or group in the left pane. Under the Policies tab, click
   on Events > Alert Settings.
2. Click the Add Alert link. The Add Alert screen displays.
3. Enter a name and description for your alert.
4. Enable the Visible to Non-Administrators checkbox if you want your Alert to be visible to
   non-administrators.
5. Enable the Disable checkbox to disable this Alert.
6. Enter a Polling Interval value (in seconds: 60-86400).

Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the
definitions of each alert type. Perform the following steps to configure an Alert Type:
1. Click the Alert Type pull-down list and select an alert type.
   The table below displays all the ES Alert Types and definitions of each alert.

   Name          Description
   Unit Status   Tracks a Unit's Up/Down status. The value that the threshold will use is
                 Numeric. This value is the number of missed heartbeats that should be
                 counted to mark a unit as down. Edit Content option available.

   Note: When an alert type is selected, a description for that alert is also displayed in the
   Alert Type panel. If the Alert Type requires you to Edit Content, a link displays in the Alert
   Type panel. Editing Contents allows the user to pick additional info, in a granular fashion,
   on which the alerting has to be performed.

2. Click the Edit Content link. The Edit Contents for Alert Type Unit Status pop-up window
   displays.
3. Click the Threshold pull-down list and select a threshold.
   Note: You can create a new threshold on-the-fly by clicking the icon. Refer to Configuring
   Event Thresholds, page 829 for details on how to configure event thresholds. Only one new
   threshold can be created in this feature.
4. Click the Update button. To reset the settings, click the Reset button.

Destination / Schedule
In the Destination / Schedule panel you can add up to 5 destinations and set a schedule for
each. Perform the following steps to add a destination and set a schedule:

Note: Every selected destination is required to have a schedule set.

1. Click the Add Destination link under the Destination/Schedule section.
2. Click the Destination pull-down list, then select an alert destination. The Destination field
   designates where you want alerts to be sent. You have a maximum number of five
   destinations.
3. Click the Schedule pull-down list, then select a schedule type. The Schedule field
   designates the frequency of when you want alerts to be sent to the destination(s).
4. Click Update to finish adding an alert.


Enabling/Disabling Alerts
Perform the following steps to enable or disable an alert:

Enabling an Alert
1. Select the Enabled checkbox of the alert(s) you wish to enable.
2. Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
   enable/disable.

Disabling an Alert
1. Deselect the Enabled checkbox of the alert(s) you wish to disable.
2. Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
   enable/disable.

Deleting Alerts
Perform the following steps to delete an alert:
1. Select the checkbox(es) of the Alert(s) you wish to delete.
2. Click the Delete Alert link. A confirmation window will display.
3. Click OK to delete.

Note: You can also delete an alert by clicking the Delete icon under the Configure section of the
alert you wish to delete.


Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps
to edit an alert:
1. Click the Configure icon of the alert you wish to edit. The Edit Alert page will display.
2. Refer to the Adding Alerts section and follow the configuration procedures to edit your
   existing Alert.

Current Alerts
To check the status of current alerts for your SonicWALL ES appliance or group of appliances:
1. Navigate to the ES tab.
2. Click on the appliance or group you wish to check the alerts for.
3. Navigate to the Events > Current Alerts page. All active alerts for this appliance will be
   listed under Alert Listing.


Templates
A Template is simply a collection of Recordings from one or more appliances of the same type.
A Template belongs to a user of a particular domain, and remains visible only in that domain.
That is, Templates from one domain are not visible in another domain. A user only has access
to his or her own Templates (editing, deleting, or moving Templates).
It is recommended that a Template contain only Recordings whose data does not conflict with the
data in another Recording, as a conflict may cause data previously applied to be deleted unless
that is intended. For example, a Template should not contain a Recording of setting a time zone to
IST, followed by a Recording of setting a time zone to PST, unless the user intends this.

Template Management Screen


The Template Management Screen includes the following sections:

Add/Edit Recording section on page 707

Add/Edit Template section on page 708

Move Recording section on page 708

Delete Template(s)/Recording(s) section on page 708

Add/Edit Recording
This is used to save a freshly created recording. This screen appears when the Recording is
stopped. This new recording can be directly added to one of the existing Templates or to the
default Template. The same screen displays when editing an existing recording. Provide a
detailed Name and Description in the appropriate fields, then click Update to save the
information.

Note: There is no preview for a Recording, thus it is important to enter a detailed Description to
help you differentiate between Recordings/Templates.


Add/Edit Template
This is used to create a new Template or to edit an existing Template. Provide a detailed Name
and Description in the appropriate fields, then click Update to save the information.

Note: There is no preview for a Recording, thus it is important to enter a detailed Description to
help you differentiate between Recordings/Templates.

Move Recording
This dialog screen is used to move one or more recordings from one Template to another. To
move a recording, select the recording you wish to move from the Policies > Management >
Templates screen. Then, select which template to move it to. Click OK to save the changes.

Delete Template(s)/Recording(s)
This is used to confirm the deletion of Template(s) and Recording(s). To delete, first select the
template or recording from the Policies > Management > Templates screen. Then, click the
Delete Template(s)/Recording(s) link. Click OK to save the changes.


Recording
The Recording option provides an easier way to apply configurations for one appliance to
another similar appliance. You have the option of saving the Recording into the Default
Template or into a new Template. The data recorded between one Start Recording and Stop
Recording action is called a Recording.

Note: Recordings can only be applied to a compatible appliance. For example, a Recording for the
SonicWALL Email Security appliance can only be applied to another SonicWALL Email
Security appliance.
To successfully create and save a Recording, follow the procedures listed below:

Step 1

Select the appliance you want to modify, and navigate to Management > User Interface
screen.

Step 2

Navigate to the screen in which you wish to make changes. In this example, we will modify
General Settings on the Default Message Management screen.

Step 3

Next, start the recording by clicking on the Start Recording button on the Recording Controls
Panel. Once you see the Recording in progress notification at the top, you can start modifying
the settings.
In this example, the Number of days to store in Junk Box before deleting changes to 60 days,
and the Number of Junk Box messages to display per page changes to 400 rows.

Step 4

When finished making changes, click the Apply Changes button. A screen will appear notifying
you that the changes were successfully applied.

Step 5

More changes can be recorded similarly. Once you have finished making the necessary
changes, stop the Recording by clicking the Stop Recording button on the Recording Controls
Panel. A dialog box will display asking if you wish to save the Recording. Click OK.

Step 6

Next, the Add Recording dialog box will display. Type in the Name and a detailed Description
of the Recording. Indicate if this Recording should be saved into the Default Template or into a
New Template. Click Update when you are finished.


Step 7

The Templates screen will display, notifying you that the changes to the Recording were
successfully saved.

Applying a Template or a Recording


Follow the procedures listed below to successfully apply a Recording or a Template to an
appliance or a group of appliances:
1. Click on the Unit/Group Node from the Tree Control that you wish to apply a Template or a
   Recording for. Based on the Node selected on the Tree Control, the Templates screen will
   list only those Templates/Recordings that can be applied to the currently selected node.
2. Select the checkbox next to the Template you wish to apply. Specify a Schedule for the
   Template/Recording to be applied. Note that once applied, a task will be created. To view
   the newly created task, click on the Console tab, and navigate to Tasks > Scheduled Tasks.
3. To verify if the task executes successfully, navigate to Log > View Log. Note that you may
   also navigate back to the User Interface screen of the appliance where you applied the
   Template to verify changes made were successful.

Note: Management and all changes made on the SonicWALL Email Security appliance cannot be
applied to another SonicWALL Email Security appliance. The only time this may be
overruled is when using the Recording functionality.

Accessing the ES Management Interface


You can access the Email Security management interface from SonicWALL GMS. This section
provides a brief introduction to the ES management interface. For detailed configuration tasks
available on the ES management interface, refer to the SonicWALL Email Security
Administrators Guide.


Using Multi-Solution Management


SonicWALL GMS is used primarily to manage SonicWALL firewall appliances, where the
majority of the web user interface of those appliances is duplicated and implemented in GMS.
This is mainly done so the user has a common experience while working on GMS or on the
appliance interface. Whenever new functionalities or screens are added, modified, or deleted
in the appliance user interface, the same functionalities need to be implemented on the GMS
interface. Over time, SonicWALL has expanded its GMS management with other SonicWALL
appliances, such as CDP and Email Security.
This expansion of GMS management to other SonicWALL appliances led to finding a
generic solution where GMS would be able to manage all these appliances, as well as have the
ability to support any new appliance types in the future. The Multi-Solution Management feature
in GMS provides the capability to support management of all these appliance types through
their web user interface over HTTP and HTTPS. Another advantage of the Multi-Solution
Management enhancement is that GMS Core Management functionalities, like creating tasks
to post policies, scheduling tasks at the Unit Node and Group Node levels, and many more, will
also be configurable through the enhancement. The Multi-Solution Management feature
provides the next generation management capability in GMS.
The Multi-Solution Management includes the following sections:

Logging into the ES Management Interface section on page 711

Configuring Multi-Solution Management (MSM) section on page 712

Management Processes Unchanged section on page 713

Logging into the ES Management Interface


To log in to a SonicWALL ES appliance using SonicWALL GMS, ensure that pop-ups are
enabled on your Web browser, and perform the following tasks:
1. Log in to SonicWALL GMS.
2. Click the ES panel.
3. In the left pane, click the ES appliance that you want to manage.
   Note: You may see a security certificate warning. Click Yes to continue.
4. To open the ES management interface, click Management > User Interface. You will be
   directed to the User Interface of this appliance. To return to the Policies tab, click the
   Status Page button.


You can now manage the SonicWALL ES directly from the management interface. For detailed
instructions about configuration tasks using the SonicWALL Email Security management
interface, refer to the SonicWALL Email Security Administrators Guide.


Configuring Multi-Solution Management (MSM)


Navigate to the Host Role Configuration page and configure the MSM Server Protocol and
MSM Server Port settings.

Note: If you choose HTTPS, the server uses the same SSL keystore or certificate that is used by
the Tomcat web server.

MSM Screens
The Management Screen Group page is one of the latest supported screens for this new
feature.

From this screen, you can navigate to the Template screen or the User Interface screen. Note
that the User Interface screen is only available at the Unit Node level.


The Templates screen displays all the applicable Templates for the selected Unit/Group Node
on the Tree Control.

Management Processes Unchanged


The following management processes are still available with Multi-Solution Management:

Adding a Unit into GMS

The Unit Acquire process

Unit Status monitoring through Heartbeat syslogs

Task creation and scheduling

Execution of Task(s) by the Scheduler service

All other core management processes


CHAPTER 37
Using Navigation and Monitoring Tools
The SonicWALL GMS Monitor Panel is used for real time monitoring of SonicWALL appliances,
VPN Tunnels, network devices, and syslog information.
This chapter describes the following:

Net Monitor section on page 715

Real-Time Syslog section on page 745

Live Monitoring section on page 749

Net Monitor
The SonicWALL GMS Net Monitor periodically tests the status of SonicWALL appliances and
other network devices. Once configured, it enables you to monitor the status of your network
and immediately respond when SonicWALL appliances and other network devices become
unavailable.
The Net Monitor enables you to categorize different groups of SonicWALL appliances or other
network devices. You can categorize them by device type, geography, or any other
organizational scheme. Additionally, you can assign devices within each category a high,
medium, or low priority.


The following graphic shows the main Net Monitor page:

When you add a new device to your monitor, you will be able to select a category, priority level,
how often the device is tested, and the type of test that is used. The Net Monitor currently
supports five types of tests: Ping, TCP Probe, HTTP, HTTPS, and SNMP.
You can toggle between the main view of the Net Monitor page and the Dashboard view by
clicking the
button. The following graphic shows the Dashboard view:

Configuring the Net Monitor


This section contains the following subsections:


Navigating the Net Monitor UI section on page 717

Finding Devices section on page 717

Viewing Device Status section on page 717

Configuring Preferences section on page 718


Navigating the Net Monitor UI


The above graphic shows the main page of the Net Monitor in which there are High, Medium
and Low priority devices. To switch between categories, click a category tab. To reconfigure the
settings for a device, right-click the device and select Properties.
The Status Display shows the status of all devices within the category. If all devices are
reachable, all three displays will be green.
To change the priority for a device, drag and drop its icon to a new Priority Category. To move
a device between categories, drag its icon to the tab of the new category and drop it in the
appropriate Priority Category.

Finding Devices
GMS NetMonitor gives you the ability to search for devices using the Find feature:
1. In the menu bar, go to Edit > Find. The Find window displays.
2. Type a search string in the Look For field.
3. You can optionally choose to Match case or to find only the Whole word in your search.
4. Click the Find button to search all views for your search term; results are displayed below.
5. Double-click on the device you wish to display and it will be found highlighted in the
   NetMonitor window.

Note: After making an initial search, you can use F3 (find next) and Shift+F3 (find previous) to
move easily between found devices without having to keep the Find window open.

Viewing Device Status


GMS NetMonitor provides the ability to view device status for all monitored devices:
1. In the NetMonitor window, select the device(s) you wish to view device status for.
2. In the menu bar, go to Tools > Status.
3. The Device Status window displays device specific attributes.

Note: Multiple Device Status windows may be opened simultaneously.

Configuring Preferences
To configure Net Monitor preferences, perform the following steps:
1. In the NetMonitor window, select Preferences from the Tools Menu.
2. To view each category on its own page, select Each from the View Type list box. To view
   all categories on one page, select All.
3. To configure the Net Monitor to automatically refresh the status of monitored devices, select
   the Enable auto refresh while loading check box and specify the refresh interval.
4. In the Monitor tab of the Preferences window, select a Minimum Severity to Show Alert
   in Dashboard from the pull-down menu.
5. Pick a domain to view by selecting from the pull-down list. Note that this field is applicable
   only to users with Super Admin access, and must be selected from this dialog box in
   order to view devices in other domains. Users without Super Admin access are only able
   to view devices in their own domain.
6. In the Filters tab, select which devices will be displayed in the Show devices by status
   area. To view all devices, select the Select All check box.
7. In the Table tab, select Default to view the default table color. To pick a custom color, select
   Custom and choose a color from the color selector.
8. Specify the Column count and Row height to display for each priority.
9. When you are finished, click Apply. To cancel and start over, click Cancel.


Managing Categories and Devices on the Net Monitor


This section contains the following subsections:

Defining Categories section on page 720

Editing Categories section on page 721

Deleting Categories section on page 721

Re-ordering Categories section on page 722

Adding SonicWALL Appliances section on page 723

Adding Other Devices section on page 727

Editing a Device section on page 731

Deleting a Device section on page 732

Assigning Permissions section on page 732

Defining Categories
To create a new category, perform the following steps:
1. From the Net Monitor main page, select Add Category from the Category Menu.
2. The Add Category screen displays. Enter the name of the new category in the Name field.
3. When you are finished, click Apply. To cancel and start over, click Cancel.
4. Repeat this procedure for each category to add. This new category will appear in the main
   toolbar of the Net Monitor page.


Editing Categories
To edit an existing category, perform the following steps:
1. From the Net Monitor main page, select Edit Category from the Category Menu.
2. Select the category name you want to change from the list.
3. Enter a new name for the selected category in the Name field.
4. When you are finished, click Apply. To cancel and start over, click Cancel.

Deleting Categories
To delete an existing category, perform the following steps:
1. From the Net Monitor main page, select Delete Category from the Categories Menu.
2. From the list provided, select the category name (shift-click for multiple category names)
   you want to delete.


3. Select the Forcibly delete all devices under category checkbox to delete all devices in
   this category.
   Note: A warning message displays when selecting the Forcibly delete all devices under
   category checkbox. Click Yes to continue and delete this category.
4. To submit the delete request, click Apply. To cancel and start over, click Cancel.

Re-ordering Categories
To change the order of an existing category, perform the following steps:
1. From the Net Monitor main page, select Order Category from the Category Menu.
2. From the list provided, select the category name you want to move.
3. Click the Move Up or Move Down buttons to change the order of this category.
4. Click Apply to finish. To cancel and start over, click Cancel.

Adding SonicWALL Appliances


To add one or more SonicWALL appliances, perform the following steps:
1. From the Net Monitor page, select Add GMS Device from the File Menu.
2. Select a device or group to monitor and click the Add button in the center of the screen.
   Repeat this step for each device or group to monitor.


3. Click Next. The second page of the Add GMS Device Wizard appears.
4. Select the category to which the SonicWALL appliance(s) will be added from the Use an
   Existing Category list box. To add the SonicWALL appliance(s) to a new category, enter
   the category name in the Add a New Category field.
5. Select the priority of the appliance(s) from the Category Priority list box.
6. Select how the SonicWALL appliance(s) will be monitored from the Monitoring Type list
   box and specify a Port if applicable.
   If choosing SNMP as the monitoring type, you must enter a Monitor Port. Configure the
   following advanced settings by clicking on the Advanced button.

   Community                 The community name (default value is public).
   Retry                     Time to retry, in seconds (default value is 0).
   Timeout                   Timeout length, in seconds (default value is 5).
   SNMP Version              Choose the version of SNMP to be used (default value is V2C).
   MIB(s)*                   Select the MIB(s) you wish to use for polling information
                             (RFC1213-MIB is the default MIB and cannot be de-selected).
   User Name                 Enter a user name (SNMP v3 only).
   Authentication Protocol   Select an authentication protocol from the list (SNMP v3 only).
   Authentication Password   Enter an authentication password (SNMP v3 only).
   Privacy Password          Enter a privacy password (SNMP v3 only).
   Context ID                Enter a context ID (SNMP v3 only).
   Context Name              Enter a context name (SNMP v3 only).

   Note: Use extra caution when specifying the Retry and Timeout values, as the SNMP follows
   the Exponential Back Off algorithm to calculate the retry and timeout values. With this
   algorithm, the specified Timeout value increases exponentially with the retry value.

7. Press the OK button to save SNMP advanced settings.
8. Specify how often the SonicWALL appliance(s) will be tested in the Polling Interval field.
9. Enter the ideal response time (IRT) in the Ideal Response Time field (default: 500
   milliseconds). SonicWALL appliances that take between 1 and 1.5 times the IRT will be
   marked as Slow. SonicWALL appliances that take between 1.5 and 2 times the IRT will be
   marked as Very Slow.
10. Select the Agent that will perform the testing from the Assign to Monitor list box.
11. Optional. To disable monitoring of the SonicWALL appliance(s), select Disable.
12. To change the icon image that will represent the device(s), click the icon image button and
    select a new image.
13. Click Next to continue.
    If you did not configure the Monitoring Type as SNMP, the Assign Privileges page will
    display. See Step 14.
    If you configured the Monitoring Type as SNMP, the SNMP Realtime Monitor Template
    Information page will display. Select the Realtime Monitor Template to apply to this device.
    Then, click Next.


    Note: Multiple templates can be selected by holding Ctrl + selecting the templates. The Filter
    search bar allows you to narrow the list of templates. Perform an exact match search by
    using double quotation marks, for example "template name", or search with no quotation
    marks to search through multiple keywords.

14. On the Assign Privileges page, select users to have read-write privileges.
    Note: Multiple users can be selected by holding Ctrl + selecting the users. Permissions can
    be assigned to both Users and Usertypes.
15. Click the Finish button to acquire the new device.
    Note: The process of acquiring a new device may take several minutes. To force acquisition
    of the device, select the device and go to SNMP > SNMP Re-acquire in the NetMonitor
    menu bar.

* Custom MIBs may be required for some devices. Custom MIBs allow polling non-SonicWALL
or non-standards-based SNMP-enabled devices and polling information specific to a certain
device based on Manufacturer ID. These MIBs have to be placed in the etc\mibs folder by the
GMS Administrator on the Web Server and Monitoring Agent machine(s) in order to use them for
probing.
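The Ideal Response Time thresholds and the Retry/Timeout caution above (the same settings appear in the Add Non-GMS Device wizard) are easier to reason about with numbers in hand. The following Python is an added example, not SonicWALL GMS code: it classifies probe round-trip times against an IRT as the steps describe, and models the worst-case probe duration under an assumed doubling back-off, since the page only says the Timeout grows exponentially with the Retry value; the "Normal" and "Unresponsive" labels at the two ends of the scale, and the treatment of Retry as an attempt count, are also assumptions.

```python
"""Added example (not SonicWALL GMS code) for two Net Monitor device settings.

Assumptions, labelled because the page does not state them:
  * Retry is treated as a count of extra attempts (the wizard lists it in seconds).
  * "Exponential Back Off" is modelled as the Timeout doubling on every retry.
  * Probe times at or below 1x IRT are "Normal"; beyond 2x IRT, "Unresponsive".
"""

IRT_DEFAULT_MS = 500      # Ideal Response Time default from the wizard
TIMEOUT_DEFAULT_S = 5     # SNMP Timeout default from the Advanced dialog
RETRY_DEFAULT = 0         # SNMP Retry default from the Advanced dialog


def classify_response(elapsed_ms, irt_ms=IRT_DEFAULT_MS):
    """Map one probe's round-trip time onto the Net Monitor states.

    1x-1.5x IRT -> "Slow" and 1.5x-2x IRT -> "Very Slow" come from the page;
    the "Normal" and "Unresponsive" labels at the two ends are assumptions.
    """
    if irt_ms <= 0:
        raise ValueError("IRT must be a positive number of milliseconds")
    ratio = elapsed_ms / irt_ms
    if ratio <= 1.0:
        return "Normal"
    if ratio <= 1.5:
        return "Slow"
    if ratio <= 2.0:
        return "Very Slow"
    return "Unresponsive"


def snmp_attempt_timeouts(timeout_s=TIMEOUT_DEFAULT_S, retries=RETRY_DEFAULT):
    """Per-attempt timeouts for one SNMP probe: the first attempt waits
    timeout_s, and each retry waits twice as long as the attempt before it
    (assumed doubling back-off). Returns a list with retries + 1 entries."""
    if timeout_s <= 0 or retries < 0:
        raise ValueError("timeout must be positive and retries non-negative")
    return [timeout_s * (2 ** attempt) for attempt in range(retries + 1)]


def snmp_worst_case_s(timeout_s=TIMEOUT_DEFAULT_S, retries=RETRY_DEFAULT):
    """Seconds an unreachable device can hold a probe before it is declared failed."""
    return sum(snmp_attempt_timeouts(timeout_s, retries))


def probe_fits_polling_interval(polling_interval_s, timeout_s, retries):
    """True when even a fully failed probe finishes before the next poll is due.

    A False result is the situation the page warns about: the agent would still
    be waiting on retries from the previous poll when the next one is scheduled.
    """
    return snmp_worst_case_s(timeout_s, retries) < polling_interval_s


def summarize_probes(samples, irt_ms=IRT_DEFAULT_MS):
    """Classify a batch of (device, elapsed_ms) samples and return {device: state}.
    A sample whose elapsed_ms is None means no reply at all."""
    states = {}
    for device, elapsed_ms in samples:
        if elapsed_ms is None:
            states[device] = "Unresponsive"
        else:
            states[device] = classify_response(elapsed_ms, irt_ms)
    return states


if __name__ == "__main__":
    # Constructed sample probe results; device names and timings are made up.
    samples = [("fw-hq", 120), ("fw-branch-1", 640), ("fw-branch-2", 910),
               ("mail-relay", 1800), ("dns-1", None)]
    for device, state in summarize_probes(samples).items():
        print(f"{device:12s} {state}")
    # Default Advanced settings: one attempt of 5 s. Raising Retry to 4 with the
    # same Timeout gives 5 + 10 + 20 + 40 + 80 = 155 s worst case under doubling.
    for retries in (0, 2, 4):
        print(f"retry={retries}: attempts={snmp_attempt_timeouts(5, retries)} "
              f"worst case={snmp_worst_case_s(5, retries)} s")
```

Compare the worst-case figure with the Polling Interval you enter in step 8: if a failed probe can outlast the interval, shorten the Timeout or lower the Retry count.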

Adding Other Devices


In addition to SonicWALL appliances, SonicWALL GMS can monitor any publicly accessible
servers or devices on the Internet. To add one or more non-SonicWALL devices, perform the
following steps:
1. From the Net Monitor screen, select Add Non-GMS Device from the File Menu.
2. Enter a name for the device in the Name field and its IP address or hostname in the Host
   field and click Add. Repeat this step for each device to monitor.


3.

Click Next. The second page of the Add Non-GMS Device Wizard displays.

4.

Select the category to which the device(s) will be added from the Use an Existing
Category list box. To add the device to a new category, enter the category name in the Add
a New Category field.

5.

Select the priority of the device(s) from the Category Priority list box.

6.

Select how the SonicWALL appliance(s) will be monitored from the Monitoring Type list
box and specify a Port if applicable.
If choosing SNMP as the monitoring type, you must enter a Monitor Port. Configure the
following advanced settings by clicking on the Advanced button.

Community
Retry
Timeout
SNMP Version
MIB(s)*

728

The community name. (default value is public)


Time to retry, in seconds (default value is 0).
Timeout length, in seconds (default value is 5).
Choose the version of SNMP to be used (default value is V2C).
Select the MIB(s) you wish to use for polling information (RFC1213-MIB is the
default MIB and cannot be de-selected).

SonicWALL GMS 7.0 Administrators Guide

Net Monitor

User Name
Authentication Protocol
Authentication Password
Privacy Password
Context ID
Context Name

Note

Enter a user name (SNMP v3 only).


Select an authentication protocol form the list (SNMP v3 only).
Enter an authentication password (SNMP v3 only).
Enter a privacy password (SNMP v3 only).
Enter a context ID (SNMP v3 only).
Enter a context name (SNMP v3 only).

Use extra caution when specifying the Retry and Timeout values, as the SNMP follows the
Exponential Back Off algorithm to calculate the retry and timeout values. With this
algorithm, the specified Timeout value increases exponentially with the retry value.
7. Press the OK button to save SNMP advanced settings.
8. Specify how often the SonicWALL appliance(s) will be tested in the Polling Interval field.
9. Enter the ideal response time (IRT) in the Ideal Response Time field (default: 500
milliseconds). SonicWALL appliances that take between 1 and 1.5 times the IRT will be
marked as Slow. SonicWALL appliances that take between 1.5 and 2 times the IRT will be
marked as Very Slow.
10. Select the Agent that will perform the testing from the Assign to Monitor list box.
11. Optional. To disable monitoring of the SonicWALL appliance(s), select Disable.
12. To change the icon image that will represent the device(s), click the icon image button and
select a new image.
13. Click Next to continue.
If you did not configure the Monitoring Type as SNMP, the Assign Privileges page will
display. See Step 14.
If you configured the Monitoring Type as SNMP, the SNMP Realtime Monitor Template
Information page will display. Select the Realtime Monitor Template to apply to this device.
Then, click Next.

Note
Multiple templates can be selected by holding Ctrl + selecting the templates. The Filter
search bar allows you to narrow the list of templates. Perform an exact match search by
using double quotation marks, for example "template name", or search with no quotation
marks to search through multiple keywords.

14. On the Assign Privileges page, select users to have read-write privileges.

Note
Multiple users can be selected by holding Ctrl + selecting the users. Permissions can be
assigned to both Users and Usertypes.

15. Click the Finish button to acquire the new device.

Note
The process of acquiring a new device may take several minutes. To force acquisition of the
device, select the device and go to SNMP > SNMP Re-acquire in the NetMonitor menu bar.

* Custom MIBs may be required for some devices. Custom MIBs allow polling of non-SonicWALL
or non-standard SNMP-enabled devices and of information specific to a certain device based on
its Manufacturer ID. These MIBs have to be placed in the etc\mibs folder by the GMS
Administrator on the Web Server and Monitoring Agent machine(s) in order to use them for
probing.
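The SNMP settings entered in steps 6 through 9 are easy to get wrong in ways that matter: a v1 or v2c community string travels in clear text, v3 without authentication and privacy passwords is little better, and an aggressive Retry/Timeout pair can, under the exponential back-off the note describes, block a single poll for longer than the polling interval. The following Python script is an added example, not GMS code, that checks a device definition for these problems before it is saved. The field names follow the wizard; the port, the unit of the polling interval and the doubling back-off formula are assumptions, and the sample devices in the usage below are constructed.

```python
"""Sanity checks for a Net Monitor SNMP device definition (added example).

Field names follow the Add Non-GMS Device wizard; the port, the unit of the
polling interval and the doubling back-off formula are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SnmpMonitor:
    name: str
    host: str
    port: int = 161                          # assumption: standard SNMP port
    version: str = "V2C"                     # wizard default
    community: str = "public"                # wizard default
    retry: int = 0                           # wizard default
    timeout: int = 5                         # wizard default, seconds
    mibs: List[str] = field(default_factory=lambda: ["RFC1213-MIB"])
    user_name: Optional[str] = None          # SNMP v3 only
    auth_protocol: Optional[str] = None      # SNMP v3 only
    auth_password: Optional[str] = None      # SNMP v3 only
    privacy_password: Optional[str] = None   # SNMP v3 only
    polling_interval: int = 60               # assumption: seconds
    ideal_response_ms: int = 500             # wizard default IRT


def worst_case_wait(timeout: int, retry: int) -> int:
    """Seconds an unanswered poll can block before it is given up.

    Assumption: exponential back-off doubles the timeout on every retry, so
    the retry + 1 attempts wait timeout, 2*timeout, 4*timeout, ... seconds.
    """
    return sum(timeout * (2 ** attempt) for attempt in range(retry + 1))


def classify_response(elapsed_ms: float, irt_ms: int) -> str:
    """Apply the guide's IRT bands: 1-1.5x IRT is Slow, 1.5-2x IRT is Very Slow."""
    ratio = elapsed_ms / irt_ms
    if ratio <= 1.0:
        return "OK"
    if ratio <= 1.5:
        return "Slow"
    if ratio <= 2.0:
        return "Very Slow"
    return "Over 2x IRT"  # the guide defines no band beyond 2x IRT


def audit(monitor: SnmpMonitor) -> List[str]:
    """Return the findings a reviewer would raise before saving the device."""
    findings = []
    if monitor.version in ("V1", "V2C"):
        findings.append("SNMP %s sends the community string in clear text; "
                        "prefer V3 with authentication and privacy" % monitor.version)
        if monitor.community == "public":
            findings.append("default community 'public' still in use")
    elif monitor.version == "V3":
        if not monitor.user_name:
            findings.append("SNMP v3 selected but no User Name configured")
        if not (monitor.auth_protocol and monitor.auth_password):
            findings.append("SNMP v3 without authentication: replies cannot be verified")
        if not monitor.privacy_password:
            findings.append("SNMP v3 without privacy password: polled data is not encrypted")
    else:
        findings.append("unknown SNMP version %r" % monitor.version)
    if "RFC1213-MIB" not in monitor.mibs:
        findings.append("RFC1213-MIB missing; the wizard always includes it")
    wait = worst_case_wait(monitor.timeout, monitor.retry)
    if wait >= monitor.polling_interval:
        findings.append("worst-case wait of %ds reaches the %ds polling interval; "
                        "lower Retry or Timeout" % (wait, monitor.polling_interval))
    return findings


if __name__ == "__main__":
    # Constructed sample: the wizard defaults applied to a hypothetical printer.
    for finding in audit(SnmpMonitor(name="lab-printer", host="192.0.2.10")):
        print("-", finding)
```

With the wizard defaults (V2C, community public, Retry 0, Timeout 5) the audit reports two findings and no timing problem; raising Retry to 4 with the default Timeout gives a worst-case wait of 155 seconds under the assumed doubling formula, well past a one-minute polling interval, which is the situation the Exponential Back Off note warns about.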

Editing a Device
You can edit some of the properties of a specific device by right-clicking the device you want to
edit, then clicking Properties. Multiple devices can be selected by holding Ctrl + selecting the
devices.

When editing a single Non-GMS managed device, the Edit Device wizard displays, where you
can edit the device Name and Host IP address in their respective fields.

Continue with the device wizard to edit Monitor Information and Realtime Monitor Template
Information. Note that these are the same settings you originally configured when adding the
device.
When editing a GMS Managed device or multiple devices, the Properties screen displays:

The Change checkbox appears next to each of the fields that have a difference in values for
that field among the devices selected. If there are no differences, the field does not appear.
Once the Change checkbox is selected, the value for the corresponding field is overwritten on
all selected devices.
Note that selecting the Disable checkbox will apply changes to all selected devices.
Click Finish to complete editing the device settings.

Note
You can only rename non-GMS devices. GMS devices cannot be renamed as the name is
synched with the assigned name from the Tree Control automatically.

Deleting a Device
To delete a device, right-click on the device you wish to delete and click Delete Device. A
warning will display, confirming the device(s) you've selected to delete. Click Yes to continue.

Note
Multiple devices can be selected by holding Ctrl + selecting the devices. Make sure to
select all devices before right-clicking to delete.

Assigning Permissions
Privileges to a device can now be assigned on a per-user or per-user-group basis. When adding
a Net Monitor device, an Assign Permission dialog box displays in the Add Device Wizard,
listing all users in the system. Upon adding the device(s), you will also be able to select the
users and user groups to grant permissions to.
To add or update permissions for an existing device, navigate to Console > Management > Edit
Users.

Managing Realtime Monitors

When a device is configured for monitoring, the data retrieved from these devices is displayed
in the form of a realtime monitor. The following lists several procedures to create and manage
realtime monitors:
• Creating a Realtime Monitor section on page 733
• Managing Templates for Realtime Monitors section on page 735

Creating a Realtime Monitor

The Manage Realtime Monitor Dialog enables you to create custom realtime monitors.
1. From the Net Monitor page, select the device(s) you wish to create a realtime monitor for.
2. In the menu bar, go to SNMP > SNMP Manage Realtime Monitors.
The SNMP Manage Realtime Monitors page displays.
3. Click the add button on the left side of the screen (under Realtime Monitors) to add a
new realtime monitor.
4. Add a friendly name for the new monitor in the Monitor Name field.
5. If you wish to save the new monitor as a template for future use, select the Save as
template checkbox. Then, add a friendly name for the template.
6. Choose your display type and chart style as follows:

Display Type   Table: Displays data in a tabular format.
               Graph: Displays data in a graphical format.
Chart Style    Used only when display type is set to graph.
               Area: Generates graph in area format.
               Bar: Generates graph in bar format.
               Line: Generates graph in line format.
               Plot: Generates graph in plot format.
               Pie: Generates graph in pie format.
               Stacked Area: Generates graph similar to area format, with multiple areas
               stacked upon each other.
               Stacked Bar: Generates graph similar to bar format, with multiple bars
               stacked upon each other.

7. Navigate to the MIB Tree list and select the OIDs you wish to add.
8. In the middle of the screen, select your preferences as follows:

Add selected OIDs*   Individually: Add OID(s) as individual elements.
                     As a group: Add multiple similar OIDs as one single element.
Add Type             Add To: Add OID(s) to an existing Element.
                     Insert At: Add OID(s) as a new element in the specified location.
                     Append: Append OID(s) to the end of the element list.

Note
It is important that the elements present in a Realtime Monitor Template contain OIDs
that are present in the devices that the template is applied to. Applying a template
which contains irrelevant OIDs can produce unexpected results.

9. Click the add button on the right side of the screen (under MIB Tree) to add the selected
MIB(s) to the Elements list.

Tip
Alternate ways of adding a MIB to the Elements list include double-clicking the MIB and
dragging and dropping the MIB from the MIB Tree into the Elements list.

10. Enter a friendly name for the element you just added by double-clicking the display name
field corresponding to the new element.
11. Specify a threshold value for the alert monitor in the Threshold field corresponding to the
new element.
12. Click the Apply button to save changes and create the realtime monitor.

Managing Templates for Realtime Monitors

A set of Realtime Monitor templates is available for every appliance type the GMS manages,
including UMA and Windows. This section allows the user to manage the two types of templates
in the system: User-defined and System-defined. User-defined templates are created from
other Realtime Monitors by selecting the Save as Template checkbox. User-defined templates
can be edited or deleted. For user friendliness, system-defined templates are created as
Factory Default templates. These templates are read-only and cannot be edited or deleted.
Users can manage factory templates by following the procedures below:
1. Navigate to the SNMP > SNMP Manage Realtime Monitor Templates screen.
2. The list of available Realtime Monitor Templates appears on the left side of the screen.
Select the template you want applied to the device.
3. Edit the existing name in the Monitor Name field.
4. Choose your display type and chart style as follows:

Display Type   Table: Displays data in a tabular format.
               Graph: Displays data in a graphical format.
Chart Style    Used only when display type is set to graph.
               Area: Generates graph in area format.
               Bar: Generates graph in bar format.
               Line: Generates graph in line format.
               Plot: Generates graph in plot format.
               Pie: Generates graph in pie format.
               Stacked Area: Generates graph similar to area format, with multiple areas
               stacked upon each other.
               Stacked Bar: Generates graph similar to bar format, with multiple bars
               stacked upon each other.

5. Navigate to the MIB Tree list and select the OIDs you wish to add.
6. In the middle of the screen, select your preferences as follows:

Add selected OIDs*   Individually: Add OID(s) as individual elements.
                     As a group: Add multiple similar OIDs as one single element.
Add Type             Add To: Add OID(s) to an existing Element.
                     Insert At: Add OID(s) as a new element in the specified location.
                     Append: Append OID(s) to the end of the element list.

Note
It is important that the elements present in a Realtime Monitor Template contain OIDs
that are present in the devices that the template is applied to. Applying a template
which contains irrelevant OIDs can produce unexpected results.

Creating a Realtime Monitor From a Template

Complete the following steps to set up a realtime monitor using one or more templates:
1. Select the device(s) you wish to create a realtime monitor for.
2. In the menu bar, go to SNMP > SNMP Apply Realtime Monitor Templates.
3. Select the templates (Ctrl-click for multiple selections) you wish to use for monitoring the
selected device(s).

Note
Multiple templates can be selected by holding Ctrl + selecting the templates. The Filter
search bar allows you to narrow the list of templates. Perform an exact match search by
using double quotation marks, for example "template name", or search with no quotation
marks to search through multiple keywords.

4. Click the Apply button to create the Realtime Monitor.

Viewing Realtime SNMP Monitoring Information

GMS NetMonitor allows you to view realtime monitoring data for one or multiple devices
simultaneously. Data represented in these charts will show the last hour of activity for the
specified node. To view the realtime monitoring information for one or more devices, follow the
procedures listed below:
1. Select the device(s) you wish to monitor from the GMS NetMonitor main status screen
(Ctrl-click for multiple devices).
2. In the menu bar, select SNMP > SNMP Realtime Monitor Status.
3. In the Realtime Monitors window, select one or more nodes to monitor. The appropriate
graphs and/or tables will be loaded into the monitoring window on the right side of the
screen.

Note
Data in the monitoring windows is refreshed automatically based on the auto-refresh interval
specified in NetMonitor Preferences. While you may do a manual refresh of the graphs and
charts, it is not necessary.

4. To display historical charts (daily, weekly, monthly) for a node, double-click on the desired
realtime graph in the monitoring window on the right side of the screen.

Note
Only one history chart window may be opened at a time. It is possible, however, to display
historical charts for multiple nodes by selecting the charts you wish to view with Ctrl-click,
and then clicking the button at the top right side of the screen.

Managing Severity and Thresholds

Configuring Severity and Thresholds allows you to be notified when the value of a monitored
OID exceeds a set level. These levels are set in the Manage Severity dialog and are then used
to define your alerts by assigning a level of severity to each threshold, set in the Manage
Threshold dialog.
The Severities and Thresholds are now linked to the Granular Events Management (GEM)
framework. This allows you to configure severities and thresholds from the Net Monitor tab, or
navigate to the Console > Events screen to configure and verify changes there.
This section contains the following subsections:
• Managing Severity section on page 740
• Managing Thresholds section on page 741
• Viewing Threshold Alerts in the Dashboard section on page 742
• Managing SNMP Scheduled Reports section on page 742
• Setting E-mail Threshold Alerts section on page 742

Managing Severity
To configure your Severity settings:
1. In the menu bar, select Tools > Manage Severity.
2. Add a new severity by clicking the add button and entering a name for the severity.
3. Move the new severity to a different priority level by having the severity selected in the list
and using the up and down buttons.
4. Change the color of the severity by having the severity selected in the list and clicking the
color button.
5. To delete a severity, have the severity selected in the list, and click the delete button.

Note
A severity cannot be deleted if it is being used by one or more threshold elements. Ensure
that no threshold elements are associated with that severity before attempting to delete it.
Severities are global settings and are available to use across the system.

Managing Thresholds
Every element in a threshold is assigned an operator, value, and severity. Thresholds are ways
of defining conditions that monitor specified object identifier (OID) values. When the defined
condition is met, the threshold is triggered, and the severity helps to identify the priority of the
triggered threshold. To configure your thresholds:
1. In the menu bar, select Tools > Manage Thresholds.
2. Click the add button under Threshold and enter a friendly name to add a new threshold.
3. Click the add button under Elements to add a new element to the threshold.
4. Configure the Operator, Value, and Severity fields in the new element as follows:

Operator   Double-click and choose an operator as a modifier for your value. For numeric
           values, operator options include ==, !=, >, >=, <, =<. For alphanumeric values,
           operator options include equals, equals ignore case, not equals, contains,
           not contains.
Value      Double-click and enter an alpha or numeric value. Numeric values are entered in
           bytes.
Severity   Double-click and choose a severity from the list to correspond with the operator
           and value.

You may also disable a specific threshold by selecting the Disabled checkbox.
The following threshold triggers a Low-level Warning at a value of less than 100000 bytes.

5. Click the Apply button to save your changes.

Note
Thresholds are global settings and are available to use across the system.
To delete a Threshold, select the threshold and click the delete button.
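As an added example, not GMS code, the following Python evaluates threshold elements against polled OID values the way the Operator/Value/Severity table describes, honours the Disabled checkbox, and enforces the Managing Severity note that a severity still referenced by a threshold element cannot be deleted. The severity names, element names, thresholds and polled values are constructed for illustration; the guide's own case, a Low-level Warning when a value drops below 100000 bytes, is the first element.

```python
"""Threshold and severity evaluation for polled OID values (added example).

Operators are the ones the Manage Thresholds dialog lists; everything else
(severity names, element names, sample values) is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Value = Union[int, float, str]


@dataclass
class Element:
    name: str        # display name or OID of the monitored element
    operator: str
    value: Value
    severity: str


@dataclass
class Threshold:
    name: str
    elements: List[Element] = field(default_factory=list)
    disabled: bool = False   # the Disabled checkbox


class SeverityRegistry:
    """Global severity list; index 0 is the highest priority level."""

    def __init__(self, names: List[str]):
        self.names = list(names)

    def priority(self, name: str) -> int:
        return self.names.index(name)

    def delete(self, name: str, thresholds: List[Threshold]) -> None:
        """Refuse to delete a severity still referenced by a threshold element."""
        users = sorted({t.name for t in thresholds for e in t.elements if e.severity == name})
        if users:
            raise ValueError("severity %r is used by threshold(s): %s" % (name, ", ".join(users)))
        self.names.remove(name)


NUMERIC_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "=<": lambda a, b: a <= b,   # spelled as in the dialog
}
STRING_OPS = {
    "equals": lambda a, b: a == b,
    "equals ignore case": lambda a, b: a.lower() == b.lower(),
    "not equals": lambda a, b: a != b,
    "contains": lambda a, b: b in a,
    "not contains": lambda a, b: b not in a,
}


def element_fires(element: Element, observed: Value) -> bool:
    """True when the observed value satisfies the element's operator and value."""
    if isinstance(observed, (int, float)) and not isinstance(observed, bool):
        op = NUMERIC_OPS.get(element.operator)
        if op is None:
            raise ValueError("operator %r is not valid for numeric values" % element.operator)
        return op(observed, float(element.value))
    op = STRING_OPS.get(element.operator)
    if op is None:
        raise ValueError("operator %r is not valid for alphanumeric values" % element.operator)
    return op(str(observed), str(element.value))


def evaluate(threshold: Threshold, polled: Dict[str, Value]) -> List[dict]:
    """Return one alert per element whose condition is met by the polled values."""
    if threshold.disabled:
        return []
    return [
        {"threshold": threshold.name, "element": e.name,
         "observed": polled[e.name], "severity": e.severity}
        for e in threshold.elements
        if e.name in polled and element_fires(e, polled[e.name])
    ]


def highest_priority(registry: SeverityRegistry, alerts: List[dict]) -> Optional[str]:
    """The most urgent severity among a set of alerts, or None."""
    if not alerts:
        return None
    return min((a["severity"] for a in alerts), key=registry.priority)


# Constructed sample: the guide's Low-level Warning plus a string element.
SAMPLE_THRESHOLD = Threshold("Inbound traffic", [
    Element("ifInOctets", "<", 100000, "Low-level Warning"),
    Element("sysName", "contains", "lab", "Warning"),
])
```

Running evaluate() on a poll of {"ifInOctets": 50000, "sysName": "lab-fw-1"} fires both elements, and highest_priority() picks Warning over Low-level Warning because it sits higher in the registry's list, which is the ordering the up and down buttons in Manage Severity control.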

Viewing Threshold Alerts in the Dashboard


The Dashboard View is a screen where alerts about an SNMP Realtime Monitor satisfying
user-defined threshold conditions are displayed. When a threshold alert is triggered,
information about the device, realtime monitor, and the element that triggered the alert is shown
on this screen.

Managing SNMP Scheduled Reports


You can schedule reports from realtime monitors to be sent by email or archived to a location
on disk. To create a scheduled report, navigate to the Dashboard > Universal Scheduled
Reports screen:

For more information regarding managing SNMP Scheduled Reports, refer to the Using the
Universal Scheduled Reports Application section on page 58.

Setting E-mail Threshold Alerts

GMS NetMonitor, now at a granular per-device level, allows users to configure multiple
destinations based on schedules. Alerts for that unit are then sent to the specified destinations
based on the specified schedules. Alert settings now support adding a maximum of five
destinations for specified devices.
To set email threshold alerts:
1. Select the device(s) you wish to configure alerts for from the GMS NetMonitor main status
screen by clicking (Ctrl-click for multiple devices).
2. In the menu bar, select Tools > Alert Settings.
3. Click the Add Destination button to add a new destination. You are able to add a maximum
of five destinations/schedules.
4. Select the Destination from the pull-down menu.
5. Next, choose the Schedule you want applied to this destination.
6. Select whether you want these settings applied to just the Selected Device or All
Accessible Devices. Note that selecting the latter option will overwrite any existing
settings for the affected devices.
7. Click Apply to complete adding alerts. A warning may display, notifying you that the Alert
Settings will reset to the newly specified settings. Click Yes to continue.

Accessing the Legend


To see all icon definitions used in the NetMonitor section, navigate to the Help > Legend
screen:

Monitoring Devices Behind a SonicWALL Appliance


To monitor devices behind a SonicWALL appliance, do one of the following:
• Create a VPN tunnel to the remote firewall that makes all LAN subnets accessible to the
Net Monitor.
• Create NAT Policies that allow specific types of traffic through.
For example, if TCP Probe is chosen as the monitor type, TCP connections must be
allowed to the specified port. If Ping is chosen as the monitor type, ICMP must be allowed.

Adding Custom Icons to the Net Monitor


The Net Monitor supports custom icons that it will display in the Net Monitor window. The icons
must be 16 x 16 pixels and created in the .GIF format. To add new icons to the Net Monitor,
copy them to the following directory:
<gms_directory>\Tomcat\webapps\sgms\images\monitor


Real-Time Syslog
The real-time syslog utility enables you to diagnose the system by viewing the syslog messages
in real time.

Note
Only use this utility when needed for diagnostic purposes.

To open the real-time syslog utility, perform the following steps:
1. Click the Monitor tab.
2. Expand the Tools tree and click Real-Time Syslog. The Real-Time Syslog page appears.
3. If the Syslog Reader is not already running, click Start Syslog Reader.
4. Click the Start button at the bottom of the screen. The Syslog Viewer begins showing the
latest syslog entries.
5. To change how many messages are displayed, select a number from the Number of
Messages list box at the bottom of the screen.
6. To change how often the Syslog Viewer is refreshed, select the time from the Refresh Time
list box at the bottom of the screen.
7. To filter the results on the fly, enter the search terms in the Filter field using regular
expressions.

Note
The Real-Time Syslog Viewer uses java.util.regex to support the search feature. For more
information on this enhanced search capability, visit
<http://java.sun.com/developer/technialArticles/releases/1.4regex/>

8. To stop the viewer, click the Stop button.

Real-time Syslog Viewer

The real-time syslog utility enables you to diagnose the system by viewing the syslog messages
in real time.

Note
Only use this utility when needed for diagnostic purposes.

To open the real-time syslog utility, follow these steps:
1. Click the Monitor tab, expand the Tools tree and click Real-Time Syslog. The Real-Time
Syslog page appears.
2. If the Syslog Reader is not already running, click Start Syslog Reader.
3. Click the Start button at the bottom of the screen. The Syslog Viewer begins showing the
latest syslog entries.

Figure 37:5 Syslog Viewer Entries

4. To change how many messages are displayed, select a number from the Number of
Messages list box at the bottom of the screen.
5. To change how often the Syslog Viewer is refreshed, select the time from the Refresh Time
list box at the bottom of the screen.
6. To stop the viewer, click the Stop button.
7. To search for text, use the browser's Find utility.

When you are finished, close the Syslog Viewer.

GMS Reports and Corresponding Syslog Categories

Table 26   GMS Reports and Syslog Categories

Report Category   Report Title                Syslog Category
Data Usage        Summary                     Network Traffic
                  Timeline                    Network Traffic
                  Top Initiators              Network Traffic
                  Top Responders              Network Traffic
                  Top Services                Network Traffic
                  Data Usage Details          Network Traffic
Applications      Summary                     Network Traffic
                  Data Usage                  Network Traffic
                  Top Applications Detected   Network Traffic
                  Top Applications Blocked    Network Traffic
                  Top Categories              Network Traffic
                  Top Initiators              Network Traffic
                  Timeline                    Network Traffic
User Activity     User Activity Details       Network Traffic
Web Activity      Summary                     Network Traffic
                  Top Categories              Network Traffic
                  Top Sites                   Network Traffic
                  Top Initiators              Network Traffic
                  Timeline                    Network Traffic
                  Web Activity Details        Network Traffic
Web Filter        Summary                     Blocked Websites
                  Top Categories              Blocked Websites
                  Top Sites                   Blocked Websites
                  Top Initiators              Blocked Websites
                  Timeline                    Blocked Websites over time
                  Web Filter Details          Blocked Websites
VPN Usage         Summary                     Network Traffic
                  Top VPN Policies            Network Traffic
                  Top VPN Initiators          Network Traffic
                  Top VPN Services            Network Traffic
                  Timeline                    Network Traffic
Intrusions        Detected                    Intrusion Prevention
                  Targets                     Intrusion Prevention
                  Timeline                    Intrusion Prevention
Gateway Viruses   Top Viruses Blocked         Attacks
                  Top Targets                 Attacks
                  Top Initiators              Attacks
                  Timeline                    Attacks
Spyware           Top Spyware Blocked         Intrusion Prevention
                  Top Targets                 Intrusion Prevention
                  Top Initiators              Intrusion Prevention
                  Timeline                    Intrusion Prevention
Threats           Summary                     Attacks, Intrusion Prevention
                  Attacks
                  Targets                     Attacks, Intrusion Prevention
                  Top Initiators              Attacks, Intrusion Prevention
                  Timeline                    Attacks, Intrusion Prevention
Authentication    User Login                  Authenticated Access
                  Admin Login                 Authenticated Access
                  Failed Login                Authenticated Access
Analyzers         Log Analyzer                Syslog
Up-Down           Timeline                    GMS

Forwarding Syslog Data to Another Syslog Server

To forward SonicWALL GMS syslog data to another syslog server, perform the following steps:
1. Log in to the appliance interface of the GMS / Analyzer software.
2. Access the techSupport.html screen by using the URL
<http://gms-ip/appliance/techSupport.html> in the browser address bar. The following
screen displays. Click the Accept button.
3. Navigate to the Configuration File Editor section, and click the Edit button.
4. Enter valid values for syslog.forwardToHost and syslog.forwardToHostPort. Then, click
the Update button.
5. Restart the server/appliance.

Live Monitoring
Live Monitoring lets users monitor a network through the correlation of syslogs received from
appliances throughout a deployment. The syslogs are received by the Event Manager Receiver
Service, which then feeds them into an Event Correlation Engine. The engine sends the
messages through user-defined rules, and if a rule condition is met, the engine forwards the
object to be turned into an alert for Live Monitoring.
These alerts are sent to email, traps, other user-defined destinations, and to the new Live
Monitoring user interface, if a user is currently monitoring. Viewing alerts in the Live Monitoring
interface provides greater flexibility to monitor a network, and to analyze traffic based on
protocols, web usage and productivity, or even to detect viruses and attacks in the network.

Live Monitoring is a powerful tool when rules are created properly, allowing the user to monitor
various amounts of information on the unit(s) efficiently. Be aware that while the alerts keep you
updated with what is being sent and received, this may bombard your inbox or trap listener with
a heavy amount of notifications. This happens only when the rule is lenient; if the rule is strict,
there will not be a large number of notifications.

Using the Rule Manager

Within GMS, go to Monitor > Tools > Live Monitor to reach the Live Monitoring user interface.

Click the Manage Rules button on the upper-right of the interface control bar. The Rule
Manager > Rule List is now displayed.

To add a new rule, click the Add New Rule icon.

Rule Settings
The Rule Manager > Rule Settings panel is now displayed. Fill in the Name field to build a
more descriptive name for this new rule. If you wish to just build a rule without immediately
enabling it, click on the Disable check box. Leaving this box blank sets the rule as enabled in
the Rule List, once it is built.

The Severity drop down menu allows you to set a different severity level tag for each syslog
that meets the conditions of this rule.

Rules must be created using available templates. Under the Group heading, you will find the
available templates.
Under the Generic rules group, a listing of rule templates displays. Clicking on one of these
types allows the full rule to display below in the Rule Editor box.
The Computational rules group provides average-based statistical alerts on syslogs received,
further broken down by number received for appliances, or the number of syslogs received
grouped by appliance.
The Attack rules group offers rules to understand the number of appliances under attack from
security threats, and for identifying specific appliances under attack.
The Advanced rules group is a flexible template that allows syslogs to be filtered based on
one or two conditions.

Using the Rule Editor

The Rule Editor allows you to define conditions for a rule, if available. Keep in mind that the
specificity with which these conditions are set controls how many alerts will be received in the
Live Monitoring user interface. To edit the rule conditions, click on the Rule Editor (pencil) icon.
A series of open fields and drop down menus are now available to be adjusted to specify the
desired conditions, including various parameters, if desired. Rule types allowing you to set one
condition let you specify the name of the syslog tag you want to see, along with the operator to
use in filtering those tags. You gain further granular control on rule types allowing filtering
based on two conditions.

Note
Multiple rules with the same Rule Type are allowed, as long as the values are different in
the rule condition(s). Creating different severity tags for the same rule type, with the same
conditions, is not possible.

Setting Alert Destination and Schedule

Once rule editing is complete, click the Next button, or you may re-click the pencil icon to lock
the rule editor, and then click Next. The Rule Manager > Destination/Schedule panel is now
displayed. To set the destination and schedule for alerts based on the rule you just created,
click Add Destination.

The Destination and Schedule drop down menus are now displayed in the panel. To open
additional destination fields, up to the maximum of five, you may click again on Add Destination.
Open the Destination drop down menu to select the desired destination, such as
Email-Admin, Email-Adhoc, Trap listener Adhoc, etc. If you have email as a destination,
and the condition defined is very lenient, your email could easily be flooded with alerts.

Note
The Live Monitoring user interface will not appear as a destination, as it is auto-determined,
based on whether the interface is currently running. This means that if at least one user is
live monitoring the interface, the engine will automatically detect this and continue
forwarding alerts. If no one is currently monitoring, no alerts will be sent to the Live Monitor
interface, but they will continue to be sent to defined destinations, such as email and traps.

Once the destination is selected, open the adjoining Schedule drop down menu to select the
frequency with which this destination will receive alerts based on this rule.

Once the destination(s) and schedule(s) are set for alerts based on this rule, click the Finish
button to complete this Rule Update. Once completed, a dialog box appears announcing that the
Rule Update action was successful. Click OK to close the dialog box and to return to the Rule
Manager > Rule List panel. The newly created rule will now be displayed in the list.

Modifying Rule Status

From this screen, you can Enable (green circle with check), Disable (red circle with X), or
Delete (blue wastebasket) selected rules. These icons are in the section header.

To change a rule's status, select it by clicking on the checkbox to the left of the rule name, then
click the desired status icon from the section header. For example, if you chose to disable a
rule, here is how it would appear with the X icon now showing the rule's current status as
disabled.

Once you have built and enabled the rules you want the event correlation engine to apply
against the syslogs, click the Close button to return to the Live Monitoring user interface.

Enabling Live Monitoring And Using The Interface

To configure the desired settings for the Live Monitoring user interface, click the Settings
button in the upper-right of the interface control bar.
The Settings Manager panel is now displayed.

Before you can receive alerts in the Live Monitoring user interface, you must check the box next
to Enable Syslogs Forwarding for Live Monitoring. Once you check the box, the message
below appears. This is a reminder to anticipate an increase in syslog traffic, since each
message will be cloned for event handling. Click OK to proceed.

The remaining fields on the Monitor tab allow you to configure various Live Monitoring
settings, such as the IP address and port (default port is 21011) that the Live Monitoring
interface is listening on.

Note
In a distributed set-up, enter an IP address that is reachable, so the event manager knows
where the Live Monitoring reader is running.

The Monitor Buffer Size field allows you to define how many alerts need to be stored in the
buffer.
The Limit on Emails field is an email throttling setting that you can adjust to limit the number
of emails sent every hour for each rule to prevent the flooding of inboxes.

Click on the User tab. This field allows you to set how often the Live Monitoring user interface
will refresh with new, incoming alerts. Once this is set, click Update to return to the Live
Monitoring user interface.

Controlling the User Interface


The control bar in the upper-left corner of the Live Monitoring interface holds the buttons to
control the flow of alerts on the screen. Click the Start button to begin Live Monitoring. It will
take 15-30 seconds for the backend to recognize that a user is Live Monitoring.

Once alerts are received, they will begin to appear in the user interface.


Note

Although Super Admins will be able to view alerts from across all domains of a network,
regular users will only see their domain-specific alerts in the Live Monitoring user interface.

Once Live Monitoring begins, the buttons will change in the upper-left of the interface control
bar. If you need to focus on one alert, while keeping the buffer from continuing to fill up with
alerts, click the Pause button.

Once alerts are paused, the control bar buttons will change again. Click Resume when you
are ready to resume Live Monitoring. If you wish to clear all alerts from the interface window,
click the Clear button.

Clicking the Stop button will terminate Live Monitoring from receiving alerts to display. Keep
in mind there is a 15-30 second lag before the event engine sees the Live Monitoring user
interface is no longer listening.

Scroll Navigation
The right side of the Live Monitoring interface contains a scroll bar. As alerts are displayed, the
most recent appear at the bottom of the buffer in auto-scroll mode. Clicking on other scroll bar
controls disables auto-scroll, giving control to the user. Re-start auto-scroll by clicking on the
auto-scroll icon at the top of the scroll bar. The scroll bar's up and down double arrow buttons
provide fast scroll movement in the display. The single arrow buttons provide standard
scrolling capability.

Alert Event Detail


Within the Live Monitoring user interface display, you can see greater detail about a particular
alert by clicking on the arrow on the left of the alert. This expands the field to show additional
information, including the RAW Packet information.

The Live Monitoring user interface can be viewed by multiple users at the same time. However,
if no users are actively monitoring, alerts will no longer be sent to the interface. Alerts will
continue to be sent to previously set destinations, such as email and traps.

Note

SonicWALL suggests referencing both the SonicWALL Knowledge Base article, Setting Up
GMS Live Monitor for Alerting, and the SonicWALL Log Event Reference Guide as
essential tools to effectively use the Live Monitoring feature. These documents are available
at www.sonicwall.com.


CHAPTER 38
Managing Inheritance in SonicWALL
GMS
Inheritance in GMS specifies the process by which a node's settings can be inherited to and from
unit, group and parent nodes. Previously, GMS users could only inherit settings down the hierarchy. This
ability can be understood as forward inheritance. Starting in GMS 6.0, users can also
reverse inherit settings back up the hierarchy, from a unit or group node to its parent node. This
chapter contains the following sections:

Configuring Inheritance Filters section on page 759

Applying Inheritance Settings section on page 761

Configuring Inheritance Filters


The Inheritance Filters screen, under Console > Management > Inheritance Filters, is used
to create inheritance filters by selecting screens available under the Inheritance Filter Detail
panel.


To create a new filter, the user enters a name for this filter in the Name field. The user then
checks boxes next to the screens, or screen groups, they wish to inherit. This screen is
enhanced to automatically select or deselect dependent data screens, based upon the related
screens chosen by the user.

The user must then select the appropriate Access for each user type: Administrators,
Operators, End Users, and Guest users. These selections are made using the corresponding
drop down menus.
Once the user has made the desired screen and access selections, they must click the Add
button to finish creating the new inheritance filter. This new filter will now be available in the
Filter drop down menu on the Firewall > System > Tools screen.


Applying Inheritance Settings


Administrators often work to define and test policies at the appliance level, and then
painstakingly attempt to replicate those policies on other appliances. Using this simple process
for inheritance, administrators can capitalize on the valuable time spent building a unit's
well-configured firewall policies, by then seamlessly replicating those policies through the
hierarchy.
Step 1

To inherit some or all of an appliances settings, go to the Firewall > System > Tools screen
within the GMS 6.0 Management Interface.

Step 2

In the left pane, the user clicks on the appliance whose settings they wish to inherit.

Step 3

Under the screen section heading, Inherit Settings at Unit, the user selects either forward or
reverse inheritance by clicking on the respective radio button.

Step 4

From the Filter drop down menu, the user selects the inheritance filter to apply. If a desired
filter is not listed and must be created, refer to the Configuring Inheritance Filters section on
page 759

Step 5

Once the desired inheritance filter is selected, the user clicks the Preview button. A Preview
panel opens to allow the user to review the settings to be inherited. Users may continue with
all of the default screens selected for inheritance or select only specific screens for inheritance
by checking boxes next to the desired settings.

Note

The Preview panel footer states, "All referring objects should also be selected as part of the
settings picked, to avoid any dependency errors while inheriting." If the user deselects
dependent screen data, the settings will not inherit properly.

Step 6

If the user is attempting forward inheritance, they may click Update to proceed. If the user is
attempting to reverse inherit settings, an additional selection must be made at the bottom of the
Preview panel. The user must select either to update the chosen settings to only the target
parent node, or to update the target parent node along with all unit nodes under it. Once the
user makes this selection, they may click Update to proceed, or Reset to edit previous
selections.

Step 7

If the user selects to update the target parent node and all unit nodes, a Modify Task
Description and Schedule panel opens in place of the Preview panel. (This panel will not
appear if the user selects Update only target parent node.) If the Modify Task Description and
Schedule panel opens, the user can edit the task description in the Description field. They
may also adjust the schedule for inheritance, or continue with the default scheduling. If the user
chooses to edit the timing by clicking on the arrow next to Schedule, a calendar expands
allowing the user to click on a radio button for Immediate execution, or to select an alternate
day and time for inheritance to occur. Once the user has completed any edits, they select either
Accept or Cancel to execute or cancel the scheduled inheritance, respectively.

Once the inheritance operation begins, a progress bar appears, along with text stating the
operation may take a few minutes, depending on the volume of data to be inherited, as shown
below:

Once the inheritance operation is complete, the desired settings from the unit or group node
should now be updated and reflected in the parent node's settings, as well as in the settings of
all other units, if selected.
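The two dependency behaviours described above (the filter screen automatically selecting dependent screens, and the Preview footer's warning about unselected referring objects) modelled in Python as an added example; this is not the guide's or the product's own code, and the screen names and the DEPENDS_ON map are constructed for illustration, not the real product dependency table.

```python
"""Dependency handling for inheritance filters (added example, not SonicWALL code).

DEPENDS_ON maps a screen to the screens whose objects it refers to. The map and the
screen names are constructed for illustration only."""
from typing import Dict, Iterable, Mapping, Set

DEPENDS_ON: Dict[str, Set[str]] = {
    "Firewall > Access Rules": {"Network > Address Objects",
                                "Network > Service Objects", "Network > Zones"},
    "Network > Address Objects": {"Network > Zones"},
    "VPN > Policies": {"Network > Address Objects", "Users > Local Users"},
    "Network > Service Objects": set(),
    "Network > Zones": set(),
    "Users > Local Users": set(),
}


def _closure(start: Iterable[str], edges: Mapping[str, Set[str]]) -> Set[str]:
    """Transitive closure over `edges`; cycle-safe, unknown screens have no edges."""
    seen: Set[str] = set()
    stack = list(start)
    while stack:
        screen = stack.pop()
        if screen in seen:
            continue
        seen.add(screen)
        stack.extend(edges.get(screen, ()))
    return seen


def _reverse(edges: Mapping[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the map: referred-to screen -> screens that refer to it."""
    rev: Dict[str, Set[str]] = {}
    for screen, deps in edges.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(screen)
    return rev


def auto_select(selected: Iterable[str],
                depends_on: Mapping[str, Set[str]] = DEPENDS_ON) -> Set[str]:
    """What the filter screen ends up with after the user checks `selected`:
    every screen the selection transitively refers to is checked as well."""
    return _closure(selected, depends_on)


def auto_deselect(selected: Iterable[str], removed: str,
                  depends_on: Mapping[str, Set[str]] = DEPENDS_ON) -> Set[str]:
    """Unchecking `removed` also unchecks everything that transitively refers to it,
    so no selected screen is left pointing at an unselected one."""
    return set(selected) - _closure({removed}, _reverse(depends_on))


def preview_check(selected: Iterable[str],
                  depends_on: Mapping[str, Set[str]] = DEPENDS_ON) -> Dict[str, Set[str]]:
    """The Preview footer's warning made concrete: for each selected screen, the
    referring-object screens that are NOT selected. An empty dict means the
    inheritance is dependency-clean."""
    chosen = set(selected)
    missing: Dict[str, Set[str]] = {}
    for screen in chosen:
        gap = depends_on.get(screen, set()) - chosen
        if gap:
            missing[screen] = gap
    return missing
```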


CHAPTER 39
Configuring User Settings
This chapter describes how to configure the user settings that are available in the Console
panel on the User Settings > General page, which provides a way to change the GMS
administrator password, the GMS inactivity Timeout, and pagination settings.

Perform the following steps to configure the user settings that are available in the Console
panel on the User Settings > General page:
Step 1

Enter the existing SonicWALL GMS password in the Current GMS Password field.

Step 2

Enter the new SonicWALL GMS password in the New GMS Password field.

Step 3

Reenter the new password in the Confirm New Password field.


Note

Password fields will be grayed out for users on a Remote Domain.

Step 4

The GMS Inactivity Timeout period specifies how long SonicWALL GMS waits before logging
out an inactive user. To prevent someone from accessing the SonicWALL GMS UI when
SonicWALL GMS users are away from their desks, enter an appropriate value in the GMS
Inactivity Timeout field. You can disable automatic logout completely by entering a -1 in this
field. The minimum is 5 minutes and the maximum is 120 minutes.

Step 5

Select a value between 10 and 100 in the Max Rows Per Screen field. This value applies only
to non-reporting related paginated screens.

Step 6

The Appliance Selection Panel options determine how devices are displayed in the far left
panel. You can display only icons (the Icons option), only the name of the appliance (Text), or
both icons and names (Icons and text), or use the default GMS display settings for this user
(Use default). The default is Icons and Text.

Step 7

To configure SonicWALL GMS to display an editable task description each time a task is
generated, select the Enable edit task description dialog when creating tasks check box.

Step 8

To have GMS play an audio alert when an appliance goes up, check the Enable Audio Alarm
when a Managed Unit goes Up check box.

Step 9

To have GMS play an audio alert when an appliance goes down, check the Enable Audio
Alarm when a Managed Unit goes Down check box.
To customize the audio alerts, place wav files in the following directory:
[SGMS2]\Tomcat\webapps\sgms\com\sonicwall\sgms\applets\common

The file names for an appliance going up and down must be up_custom.wav and
down_custom.wav respectively.
Step 10

To view the message of the day now, click View Message of the Day.

Step 11

When you are finished, click Update. The settings are changed. To clear all screen settings and
start over, click Reset.

Note

The maximum size of the SonicWALL GMS User ID is 24 alphanumeric characters. The
password is one-way hashed and any password of any length can be hashed into a fixed 32
character long internal password.

CHAPTER 40
Configuring Log Settings
This chapter describes how to configure Log Settings, including deleting log messages older
than a certain date and setting criteria for viewing logs.
This chapter includes the following sections:

Configuring Log Settings section on page 767

Configuring Log View Search Criteria section on page 768

Configuring Log Settings


The Log > Configuration screen provides a way to delete log messages older than a specific
date.
To delete GMS log messages, perform the following steps:
1. Click the Console tab, expand the Log tree, and click Configuration. The Configuration
page displays.

2. Select the month, day, and year from the drop down menu.

3. Click Delete Log Messages Older Than.


Configuring Log View Search Criteria


The SonicWALL GMS log keeps track of changes made within the SonicWALL GMS UI, logins,
failed logins, logouts, password changes, scheduled tasks, failed tasks, completed tasks, raw
syslog database size, syslog message uploads, and time spent summarizing syslog data. To
view the SonicWALL GMS log, perform the following steps:
1. Click the Console tab, expand the Log tree, and click View Log. The View Log page
displays.

2. Each log entry contains the following fields:

# - specifies the number of the log entry.
Date - specifies the date of the log entry.
Message - contains a description of the event.
Severity - displays the severity of the event (Alert, Warning, or FYI).
SonicWALL - specifies the name of the SonicWALL appliance that generated the event (if applicable).
User@IP - specifies the user name and IP address.


3. To narrow the search, configure some of the following criteria:

Tip

You can press Enter to navigate from one form element to the next in this section.

Select Time of logs - displays all log entries for a specified range of dates.


SonicWALL Node - displays all log entries associated with the specified SonicWALL
appliance.

GMS User - displays all log entries with the specified user.

Message contains - displays all log entries that contain the specified text. This input
field provides an auto-suggest functionality that uses existing log message text to
predict what you want to type. It fills in the field with the suggested text and you can
either press Tab to accept it or keep typing. Different suggestions will appear as you
continue to type if log messages match your input.

Severity - displays log entries with the matching severity level:

All (Alert, Warning, and FYI) - where FYI means For Your Information
Alert and Warning
Alert

Select the Match case checkbox to make the SonicWALL Node, GMS User, and
Message contains search fields case sensitive.

Select one of Exact Phrase, All Words, or Any Word:

Exact Phrase matches a log entry that contains exactly what you typed in the
Message contains field.

All Words matches a log entry that contains all the words you typed in the
Message contains field, but the words can be non-consecutive or in any order.

Any Word matches a log entry that contains any of the words you typed in the
Message contains field.

4. To view the results of your search criteria, click Start Search. To clear all values from the
input fields and start over, click Clear Search. To save the results as an HTML file on your
system, click Export Logs and follow the on-screen instructions.

5. To configure how many messages are shown per screen, enter a new value between 10
and 100 in the Show Messages Per Screen field (default: 10). Click Next to display the
next page, or click Previous to display the preceding page.

6. To jump to a specific message, enter the message number in the Go to Message Number
field.
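The View Log search semantics described in this procedure (date range, node, user, the three Message contains modes, the Severity filter and Match case) written out as a small Python filter and run over a constructed sample log; this is an added example, not the guide's or the product's code, and the LogEntry fields, sample entries and function names are constructed here.

```python
"""Reference implementation of the View Log search criteria (added example, not GMS
code). Entries, field names and functions are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# The three Severity choices on the search form and what each one admits.
SEVERITY_SETS = {
    "All": {"Alert", "Warning", "FYI"},
    "Alert and Warning": {"Alert", "Warning"},
    "Alert": {"Alert"},
}


@dataclass(frozen=True)
class LogEntry:
    number: int
    day: date
    message: str
    severity: str      # Alert, Warning or FYI
    sonicwall: str     # appliance name, empty if not applicable
    user_at_ip: str    # "user@ip"


def _norm(text: str, match_case: bool) -> str:
    return text if match_case else text.lower()


def _words(text: str) -> List[str]:
    return re.findall(r"\w+", text)


def message_matches(message: str, query: str, mode: str, match_case: bool) -> bool:
    """Apply one Message contains mode to a single message."""
    if not query.strip():
        return True
    msg, q = _norm(message, match_case), _norm(query, match_case)
    if mode == "Exact Phrase":
        return q.strip() in msg                      # consecutive, in order
    wanted, present = _words(q), set(_words(msg))    # any order, non-consecutive
    if mode == "All Words":
        return all(w in present for w in wanted)
    if mode == "Any Word":
        return any(w in present for w in wanted)
    raise ValueError(f"unknown match mode {mode!r}")


def search_log(entries: Iterable[LogEntry], *, start: Optional[date] = None,
               end: Optional[date] = None, node: str = "", user: str = "",
               contains: str = "", mode: str = "Exact Phrase",
               severity: str = "All", match_case: bool = False) -> List[LogEntry]:
    """Filter entries the way the View Log form does: every criterion is ANDed,
    and Match case applies to the node, user and message fields only."""
    allowed = SEVERITY_SETS[severity]
    hits: List[LogEntry] = []
    for e in entries:
        if start is not None and e.day < start:
            continue
        if end is not None and e.day > end:
            continue
        if e.severity not in allowed:
            continue
        if node and _norm(node, match_case) not in _norm(e.sonicwall, match_case):
            continue
        if user and _norm(user, match_case) not in _norm(e.user_at_ip, match_case):
            continue
        if not message_matches(e.message, contains, mode, match_case):
            continue
        hits.append(e)
    return hits


def entry_numbers(hits: Iterable[LogEntry]) -> List[int]:
    return [e.number for e in hits]


# Constructed sample log; not real GMS output.
SAMPLE_LOG = [
    LogEntry(1, date(2012, 3, 1), "Login failed for user admin", "Alert", "", "admin@10.0.0.5"),
    LogEntry(2, date(2012, 3, 2), "Login successful for user admin", "FYI", "", "admin@10.0.0.5"),
    LogEntry(3, date(2012, 3, 2), "Task completed: firmware upgrade", "FYI", "NSA-3500-HQ", "admin@10.0.0.5"),
    LogEntry(4, date(2012, 3, 3), "Password changed for user operator", "Warning", "", "operator@10.0.0.9"),
    LogEntry(5, date(2012, 3, 4), "Scheduled task failed: prefs backup", "Alert", "TZ-210-Branch", "admin@10.0.0.5"),
]
```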


CHAPTER 41
Managing Scheduled Tasks
This chapter describes how to configure scheduled tasks in the Console panel Tasks screen.
This chapter includes the Scheduled Tasks section on page 771.

Scheduled Tasks
As you perform multiple tasks through the SonicWALL GMS UI, SonicWALL GMS creates,
queues, and applies them to the SonicWALL appliances. As SonicWALL GMS processes tasks,
some SonicWALL appliances may be down or offline. When this occurs, SonicWALL GMS
requeues the tasks and reattempts the changes.


To view and manage pending tasks, perform the following steps:


1. Click the Console tab, expand the Tasks tree and click Scheduled Tasks. The Scheduled
Tasks page displays.

2. Each task entry contains the following fields:

Number (#) - specifies the number of the task entry.
SonicWALL - specifies the name of the SonicWALL appliance to which the task applies.
Description - contains a description of the task.
Creation Time - specifies the date and time the task was generated.
Scheduled Time (Local) - the time the task was scheduled, in the local time zone of the appliance.
Scheduled Time (Agent) - the time the task was scheduled, in the time zone of the agent.
No. of Attempts - specifies the number of times SonicWALL GMS has attempted to execute the task.
Last Error - if the task was not successfully executed, specifies the error.
SGMS User - specifies the user who created the task.
Agent - specifies the IP address of the agent.
3. To narrow the search, enter one or more of the following search criteria and click Start
Search:

Tip

You can press Enter to navigate from one form element to the next in this section.

Calendar - select the period of time for which SonicWALL GMS will display tasks. The
pull down menu to the right enables you to specify whether the date range applies to the
task creation time, the local scheduled time, or the agent scheduled time.


SonicWALL Node - displays all tasks associated with the specified SonicWALL
appliance.

Description contains - displays all tasks that contain the specified text.

Owner - displays all tasks with the specified owner.

Task ID - displays the task with the specified task ID.

4. To execute one or more scheduled tasks immediately, select their check boxes and click
Execute the tasks selected now. You can also select all of the tasks on the page by
checking the Select Only the 10 Tasks Displayed Above checkbox, or select all tasks by
checking the Select All Pending Tasks checkbox.

5. To reschedule one or more pending tasks for another time, select their check boxes and
click Re-schedule the tasks selected. The GMS Date Selector dialog box displays.

6. Select a new date when the task will execute and click OK. The dialog box closes and the
task will execute at the selected time.

Note

The task(s) will execute based on the time setting of the SonicWALL GMS agent server,
UTC, or local browser's time.
7. To delete one or more tasks from the list of pending tasks, select their check boxes and click
Delete the tasks selected. To delete all pending tasks, select the Select all Tasks check
box and click Delete the tasks selected.


CHAPTER 42
Configuring Console Management
Settings
This chapter describes the settings available on the Console panel in the Management section.
The following sections are found in this chapter:

Configuring Management Settings section on page 775

Domains section on page 778

Users section on page 784

Custom Groups section on page 792

Configuring Management Sessions section on page 795

Agents section on page 796

SNMP Managers section on page 798

Inheritance Filters section on page 799

Message of the Day section on page 799

Configuring Management Settings


On the Console > Management > Settings page, you can enable reporting, configure email
settings, enable automatic preferences file backup, configure GMS to synchronize with
managed units, and configure Enhanced Security Access (ESA) settings.
This section describes the following Settings topics:

Configuring Email Settings section on page 776

Configuring Prefs File Settings section on page 776

Enabling Reporting and Synchronization with Managed Units section on page 777

Enhanced Security Access Settings section on page 777


Configuring Email Settings


An SMTP server and an email address are required for sending GMS reports.
If the Mail Server settings are not configured correctly, you will not receive important email
notifications, such as:

System alerts for your SonicWALL GMS deployment performance

Availability of product updates, hot fixes, or patches

Availability of firmware upgrades for managed appliances

Alerts on your managed appliances' status

Scheduled Reports

To configure these email settings:


Step 1

Click the Console tab.

Step 2

Expand the Management tree and click Settings. The Settings page displays.

Step 3

Type the IP address of the Simple Mail Transfer Protocol (SMTP) server into the SMTP Server
field. This server can be the same one that is normally used for email in your network. Type in
the SMTP Port number to use for email service.

Step 4

Enter the email account name and domain that will appear in messages sent from the
SonicWALL GMS into the GMS Sender e-Mail Address field.

Step 5

Enter the email account name and domain that will appear in messages sent from the
SonicWALL GMS into the GMS Administrator e-Mail Address field. You can use User
Authentication for this user by checking the box.

Step 6

When finished in the Settings page, click Update. To clear the screen settings and start over,
click Reset.

Configuring Prefs File Settings


You can have the system automatically save your GMS preferences files on a regular basis.
This includes the addunit.xml file that contains information about the units under GMS
management.
To configure the prefs file settings:
Step 1

Click the Console tab.

Step 2

Expand the Management tree and click Settings. The Settings page displays.

Step 3

Select Daily or Weekly in the Automatically save prefs file & addunit.xml field, and select a
day of the week (if weekly) and a time. This determines how often SonicWALL GMS will
automatically save the preferences and addUnit.xml files.

Step 4

To automatically save the VPN Gateway Preferences files for SonicWALL appliances, select
Automatically save VPN Gateway Prefs file.

Note

The Enable Prefs Backup option must also be selected on the Policies >
General > Settings screen.

Step 5

When finished in the Settings page, click Update. To clear the screen settings and start over,
click Reset.


Enabling Reporting and Synchronization with Managed Units


By default, GMS Reporting is enabled. To enable or disable GMS Reporting, perform the
following steps:
Step 1

Click the Console tab.

Step 2

Expand the Management tree and click Settings. The Settings page displays.

Step 3

To enable GMS Reporting, select the Enable Reporting check box. To disable it, deselect the
Enable Reporting check box (default: Enabled).

Step 4

To configure SonicWALL GMS to automatically synchronize with the local changes made to the
SonicWALL appliances, select the Enable Auto Synchronization check box.

Step 5

For SonicWALL appliances that do not have direct access to the Internet, you can instruct GMS
to download updates to security service signatures. To do so, select the following two check boxes:
Firewalls managed by this GMS do not have Internet Access
Upload latest signatures on subscription status change

Note

When updated signatures have been downloaded to the GMS, you must then manually
upload them to the SonicWALL appliances. This action is performed on the
Policies > System > Tools page. When there are new signatures to be uploaded, the Upload
Signatures Now button appears on the Tools page. Click this button to manually upload the
signatures.

Step 6

To create an addUnit.xml file to track all units under management, click Create Add Unit XML
File.

Step 7

When finished in the Settings page, click Update. To clear the screen settings and start over,
click Reset.

Command Line Interface (CLI) Client


The CLI client can be downloaded to allow running scripts on a secure server.

Enhanced Security Access Settings


SonicWALL's Enhanced Security Access (ESA) feature allows for greater granular control of
user access across a GMS network, which is applicable for installations that must comply with
stringent regulatory compliance and account management controls as found in such standards
as Payment Card Industry (PCI), SOX, or HIPAA.

Note

Enhanced security settings are also available in your browser. For information, refer to the
Browser Requirements section on page 9.


GMS supports these data security standards by providing support for encryption of all
passwords and any pre-shared secrets in the database. This includes VPN Security
Association pre-shared secrets, encryption keys, authentication keys, and passwords. The
following passwords are encrypted in GMS:

GMS gateway password

SonicWALL firewall appliance passwords for managed units

Guest account password

LDAP and RADIUS passwords

Enhanced security compliance also requires a password rotation feature. GMS supports
password rotation requirements, including several changes in the management interface.
These changes occur on the Console panel, in the Management > Settings screen and in all
screens accessed from the Management > Users screen.
To turn on password security enforcement in GMS:
Step 1

In the Management > Settings screen, select the Enforce Password Security checkbox.

Step 2

In the Number of failed login attempts before user can be locked out field, enter a value.
The default is 6.

Step 3

In the User lockout minutes field, enter a value. The default is 30. This is the number of
minutes that a user will not be able to log in to GMS after failing to log in correctly for the
specified number of attempts.

Step 4

In the Number of inactive days to mark user for deletion field, enter a value. The default is
90. The user's account will be deleted if it is not used for the specified number of days.

Step 5

In the Number of days to force password change field, enter a value. The default is 90. GMS
will prompt the user to change his password after the specified number of days.

Step 6

When finished in the Settings page, click Update. To clear the screen settings and start over,
click Reset.
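The enforcement rules described in Steps 2 through 5, modelled in Python with the page's default values (6 failed attempts, 30 lockout minutes, 90 inactive days, 90 days to force a password change). This is an added example, not the guide's or the product's code: the Account model, the LoginGate class, the result strings and the demo password check are constructed for illustration.

```python
"""Model of the Enhanced Security Access lockout and rotation rules (added example,
not SonicWALL code). Account, LoginGate and demo_verify are constructed here."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class EsaPolicy:
    """Defaults are the values documented for Management > Settings."""
    max_failed_attempts: int = 6          # failed login attempts before lockout
    lockout_minutes: int = 30             # User lockout minutes
    inactive_days_for_deletion: int = 90  # inactive days to mark user for deletion
    password_max_age_days: int = 90       # days to force password change


@dataclass
class Account:
    user_id: str
    password_set_at: datetime
    last_login_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


LOCKED = "locked"
BAD_PASSWORD = "bad-password"
OK = "ok"
OK_CHANGE_PASSWORD = "ok-change-password"


class LoginGate:
    """Applies the lockout and password-rotation rules around a password check."""

    def __init__(self, policy: EsaPolicy, verify: Callable[[Account, str], bool]):
        self.policy = policy
        self.verify = verify

    def attempt(self, acct: Account, password: str, now: datetime) -> str:
        p = self.policy
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return LOCKED          # inside the lockout window: password not even checked
            acct.locked_until, acct.failed_attempts = None, 0   # window has elapsed
        if not self.verify(acct, password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= p.max_failed_attempts:
                acct.locked_until = now + timedelta(minutes=p.lockout_minutes)
                return LOCKED
            return BAD_PASSWORD
        acct.failed_attempts = 0
        acct.last_login_at = now
        if now - acct.password_set_at >= timedelta(days=p.password_max_age_days):
            return OK_CHANGE_PASSWORD  # GMS would prompt for a new password here
        return OK


def sweep_inactive(accounts: Iterable[Account], now: datetime,
                   policy: EsaPolicy = EsaPolicy()) -> List[str]:
    """IDs of accounts unused for at least inactive_days_for_deletion days.
    Modelled as a scheduled sweep rather than a login-time check."""
    limit = timedelta(days=policy.inactive_days_for_deletion)
    return [a.user_id for a in accounts if now - a.last_login_at >= limit]


# Constructed demo credential: one SHA-256 digest stands in for the product's internal
# one-way hash; a real password store would use a salted, slow KDF.
_DEMO_DIGEST = hashlib.sha256(b"correct horse").hexdigest()


def demo_verify(acct: Account, password: str) -> bool:
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, _DEMO_DIGEST)
```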

Domains
A Domain in GMS is a logically bound collection of users, authentication servers, managed
appliances, policies and reporting data, alerts and all other related data, in such a manner that the
contents of a domain are only visible within the boundaries of the domain. Data from one
domain is not visible to users in other domains. Only the SuperAdmin user can create new
domains and can view and edit information from all the domains in the system. All other admin
users of each domain have the privilege of managing their own domains in GMS.
This section describes the following GMS Settings topics:

About Domains on page 779

Creating a New Domain on page 779


About Domains
In addition to a built in LocalDomain with a LocalAuthServer for authentication of users, GMS
is able to access and authenticate against popular third party systems including Active
Directory, RADIUS and LDAP in a transparent fashion. By default, GMS maintains its own
locally stored database for authentication purposes. This is also referred to as the
LocalAuthServer. GMS also allows simultaneous third party database authentication, which
makes use of your existing (and separately maintained) database system(s).

Note

Although GMS supports the use of multiple external authentication mechanisms for a single
domain, only one instance of a local GMS authentication server (the default GMS
LocalAuthServer) can exist for each domain.

The user hierarchy of your database (either GMS or third-party) determines what a user's view
consists of, and what data they are able to access and/or modify. In the case of Active Directory
servers, GMS has the ability to limit access to only specified groups of users. If this functionality
is desired, the target groups must be specified.

Creating a New Domain


By default, a GMS domain stores user account/passwords/permissions locally inside the GMS
database. When users attempt to access resources in GMS, they are authenticated against this
local database, which determines what their view consists of and data they are able to access
and/or modify.
The following procedures will assist you in creating a new domain, including configuring that
domain to use LDAP/AD/RADIUS for authentication, if required.

Note

Every instance of GMS installs with a default domain, named LocalDomain even before a
domain is created by the administrator. Users of new admin-created domains do not have
the ability to view data in other domains.

Creating a New Domain


To create a new domain:
1. Login as the Administrator of the LocalDomain on the SonicWALL GMS Login Screen.

2. Navigate to the Console > Management > Domain page. You will see a default
LocalDomain. To create a new domain in SonicWALL GMS, click Add Domain to complete
the configuration parameters for the new remote domain.

3. Under Name, type in the desired name for the remote domain. This name will be visible on
the Domain pull-down list on the SonicWALL GMS Login screen.


4. For Default Admin User, specify a valid user account. This will be the default admin
account created for the domain. Note that this username must exist in your third party
server, and will have administrative privileges in GMS for the newly created domain.

5. The Host Name can either be specified as the IP Address of the remote server, or the
fully-qualified domain name.

Note

The authentication server's Global Catalog can be set as a Host in case of a complex
directory structure. If using the Global Catalog, SonicWALL GMS will be able to search
through the directory and through all its child nodes.

6. Enter a friendly name, or Alias, for this new Domain.

If your new domain will use only the local (GMS) database for user authentication, configuration
is complete after this step.
If you are planning to authenticate using an existing third-party database, continue to
Configuring LDAP or AD Authentication or Configuring RADIUS Authentication.

Configuring LDAP or AD Authentication


Complete the following steps if you are configuring this domain for use with external LDAP or
AD authentication:

1. Be sure to complete the basic setup procedures in the Creating a New Domain section on
page 779 before continuing.

2. Check the Add Auth Server option to enable third-party authentication for this domain.

3. In the Authentication Port field, specify the value of the port number on which the third
party server listens for authentication requests.

Note

The default Authentication Port for LDAP or AD servers is 389. To reach an AD server's
global catalog, use port 3268.


4. Select LDAP, or Active Directory from the pull-down menu under Host Type.

5. Next, select which Protocol Version the remote server is running on.

6. The Base Distinguished Name (Base DN) is used to identify the root entry in the directory
from which SonicWALL GMS will execute searches. This should be the node in the
authentication system under which all SonicWALL GMS users will be present. The value is
specified as a distinguished name (for example, dc=gmseng,dc=com).

7. Click the Use SSL checkbox to use SSL when connecting to the remote server. If you check
this checkbox, you will need to specify the SSL Port on which the remote server is listening
for bind requests. By default, this is 636. If connecting to an AD server's global catalog, use
port 3269.

Note

SonicWALL recommends using SSL with remote domains. The Certificate Authority (CA) or
Root certificate of the LDAP server will need to be imported into the GMS JRE using the keytool
command.
8. Only select Anonymous Login if the authentication system is configured to allow
anonymous binds. This option makes the Admin User ID irrelevant. This is not a
recommended setting as it reduces security.

9. The Login User Distinguished Name is used to authenticate to the third party server when
performing the initial bind. This value is specified as a distinguished name. Type in the
matching password for the Login Password field.

Note

The Login User Distinguished Name need not correspond with the Admin User ID, but
both must exist in the third party server. The Login User Distinguished Name can be found
using any LDAP Browser Tool.
10. In the Connection Timeout field, specify the connection timeout period (in milliseconds).

Once the Settings panel is completed, click theSchema panel to continue setup of the new
remote domain.

11. Under LDAP Schema, select which LDAP Server you are using from the pull-down list.

Each selection in this list will fill in the remaining fields on the Schema panel with default
values.

Note

If the server you are using is not specified in the default list, click User Defined to configure
your own values and settings.
12. Optional, for AD servers only: Select the Allow Only AD Group Members checkbox. Then

specify which groups are allowed to login to GMS from this remote domain. Multiple groups
can be specified if they are separated by a semi-colon. All users that are members of the
specified AD group must be present below the Base DN that was specified in the settings
pane.

13. Click OK.
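
As an added example (not part of this guide or of the GMS product), the following Python checks a prospective set of Settings-panel values against the rules stated in these steps: the port numbers for plain, SSL and global-catalog connections, the SSL and Anonymous Login recommendations, the semicolon-separated AD group list, and whether user DNs lie below the Base DN as step 12 requires. The RemoteDomainSettings fields, the global_catalog flag and the sample DNs are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Port numbers stated in the procedure above.
LDAP_PORT, LDAPS_PORT = 389, 636        # plain bind / SSL bind
GC_PORT, GC_SSL_PORT = 3268, 3269       # AD global catalog, plain / SSL


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDNs (lower-cased, surrounding spaces trimmed).
    A comma escaped with a backslash, common inside CN values, does not split."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip().lower())
    return [p for p in parts if p]


def is_under_base_dn(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn sits at or below base_dn (RDN-wise suffix match)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def users_outside_base_dn(user_dns: List[str], base_dn: str) -> List[str]:
    """Step 12: members of the allowed AD groups must be present below the Base DN.
    Returns the DNs that would not meet that requirement."""
    return [u for u in user_dns if not is_under_base_dn(u, base_dn)]


def expected_port(use_ssl: bool, global_catalog: bool) -> int:
    """Port the guide gives for each combination of SSL and AD global catalog."""
    if global_catalog:
        return GC_SSL_PORT if use_ssl else GC_PORT
    return LDAPS_PORT if use_ssl else LDAP_PORT


def parse_ad_groups(value: str) -> List[str]:
    """Step 12: multiple groups are separated by a semicolon."""
    return [g.strip() for g in value.split(";") if g.strip()]


@dataclass
class RemoteDomainSettings:
    host_type: str                  # "LDAP" or "Active Directory"
    base_dn: str
    auth_port: int
    use_ssl: bool = False
    ssl_port: Optional[int] = None
    global_catalog: bool = False    # assumption: operator targets the AD global catalog
    anonymous_login: bool = False
    login_user_dn: str = ""
    allowed_ad_groups: str = ""     # raw contents of the Allow Only AD Group Members field


def check_settings(s: RemoteDomainSettings) -> List[str]:
    """Findings about a prospective configuration; an empty list means nothing to flag."""
    findings = []
    if s.host_type not in ("LDAP", "Active Directory"):
        findings.append("Host Type must be LDAP or Active Directory")
    if not split_dn(s.base_dn):
        findings.append("Base DN is empty")
    want = expected_port(use_ssl=False, global_catalog=s.global_catalog)
    if s.auth_port != want:
        findings.append(f"Authentication Port {s.auth_port} differs from the usual {want}")
    if s.use_ssl:
        want_ssl = expected_port(use_ssl=True, global_catalog=s.global_catalog)
        if s.ssl_port != want_ssl:
            findings.append(f"SSL Port {s.ssl_port} differs from the usual {want_ssl}")
    else:
        findings.append("Use SSL is off; the guide recommends SSL for remote domains")
    if s.anonymous_login:
        findings.append("Anonymous Login is on; the guide does not recommend it")
    elif not split_dn(s.login_user_dn):
        findings.append("Login User Distinguished Name is required without Anonymous Login")
    if parse_ad_groups(s.allowed_ad_groups) and s.host_type != "Active Directory":
        findings.append("Allow Only AD Group Members applies to AD servers only")
    return findings


# Constructed sample settings; dc=gmseng,dc=com is the Base DN example from the guide.
GOOD = RemoteDomainSettings("Active Directory", "dc=gmseng,dc=com", 389, use_ssl=True,
                            ssl_port=636, login_user_dn="cn=gmsbind,ou=svc,dc=gmseng,dc=com",
                            allowed_ad_groups="GMS Admins; GMS Operators")
WEAK = RemoteDomainSettings("LDAP", "dc=gmseng,dc=com", 389, anonymous_login=True)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_settings(cfg) or ["no findings"])
```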

Configuring RADIUS Authentication

Configure a RADIUS server for authentication in your domain:

Note: Be sure to complete the basic setup procedures in the Creating a New Domain section on
page 779 before continuing.

Configuring the Settings Tab

1. Check the Add Auth Server option to enable authentication by a third-party server.

2. Enter the Host Name (or IP address) of the RADIUS server you wish to use for
   authentication.

3. Enter the Authentication Port on which the RADIUS server listens for requests. The
   default Authentication Port is 1812.

4. Enter the Shared Secret to be used between GMS and the RADIUS server.

5. Enter the Authentication Protocol used by your RADIUS installation.

   Note: SonicWALL GMS supports the PAP, CHAP, MSCHAP, and MSCHAPv2 protocols for RADIUS
   authentication.

6. Enter the RADIUS Timeout (Seconds). This specifies how long GMS waits before giving up or
   retrying the authentication attempt; the number of retries is specified next. The default
   value is 10 seconds.

7. Enter the Max Retries. This specifies the number of times GMS attempts to authenticate
   with the RADIUS server before aborting the attempt. The default value is 3 tries.

8. Fill in the Host Name, Authentication Port, and Shared Secret values for your backup
   RADIUS server, if available.

Configuring the User Groups Tab

9. Check the Allow Only Radius Group Members option if you plan to limit GMS access to
   members of select groups. The specific groups are specified later in this tab.

10. If configured, select the Use SonicWALL Vendor specific attribute on RADIUS Server
    option to use SonicWall-user-group and SonicWall-user-groups as RADIUS user group
    identifiers for GMS authentication.

11. If the RADIUS server is configured to return the Filter-ID attribute with each user ID, select
    the Use Filter-ID attribute on RADIUS Server option. This value will then be used
    as the RADIUS user group identifier.

12. Enter the Allowed RADIUS Group(s), separated by a semicolon (;). This field specifies the
    groups whose members are allowed to access GMS resources.
Verifying Administrator Third Party Authentication Configuration

Under the Test panel, you are able to test and verify the remote domain configurations entered
on the Settings panel. If there are any errors in your configurations, this screen will alert you
and provide information on how to correct them.
To test the third-party authentication feature, specify the credentials of any user in the domain
and click the Test button.

You will also see the new domain (local and remote) you have created under Console >
Management > Domains of SonicWALL GMS. To confirm the configurations for each domain,
click the icon to view or change these settings.

Verifying Third Party Authentication Server Configuration

If the login was successful, the user will automatically be directed to the SonicWALL GMS
Dashboard default page. At the top of the page, SonicWALL GMS will no longer display the
user's status as Guest.

Editing a Domain
Any admin-created domain can be edited after initial creation. To edit a domain:

1. Log in as the Administrator of the LocalDomain on the SonicWALL GMS Login Screen.

2. Navigate to the Console > Management > Domain page. Select the checkbox corresponding
   to the domain you wish to edit and click the Edit Domain button.

   Note: The default LocalDomain, which comes pre-installed with GMS systems, cannot be edited or
   deleted.

3. You are done. Please enjoy your edited domain.

Users
To operate in complex environments, SonicWALL GMS is designed to support multiple users,
each with his or her own set of permissions and access rights. This section contains the
following subsections:

• Creating User Groups section on page 785
• Moving a User section on page 787
• Configuring Appliance Access section on page 790

Note: If you do not want to restrict access to SonicWALL appliances or SonicWALL GMS
functions, but want to divide SonicWALL GMS responsibility among multiple users, use
views to provide specific criteria to display groups of SonicWALL appliances. Depending on
the type of task they are trying to perform, users can switch between these views as often
as necessary. For more information, refer to the Configuring Unit, View, and Other
Permissions section on page 791.

Note: All of the user configuration options are available through the command-line interface. For
more information, refer to the SonicWALL GMS Command-Line Interface Guide.

Creating User Groups

A user group (or user type) is a group of SonicWALL GMS users who perform similar tasks and
have similar permissions.
SonicWALL GMS provides four pre-configured groups:

• Administrators: Full view and update privileges.
• Operators: View privileges only.
• End Users: No privileges.
• Guest Users: No privileges.

To create a new group, perform the following steps:


1. Click the Console tab, expand the Management tree and click Users. The General Page of
   the User screen displays.

2. In the middle pane, right-click All Users and select Add User Types from the pop-up menu.
   A new user group dialog box displays.

3. In the dialog box, enter the name of the new user type and then click OK. The new user
   type is added to the list under All Users.

4. In the right pane, enter any comments regarding the new user group in the Comments field.

5. Select a default view for the new user group from the Default View pull-down menu. This
   view will be displayed for members of the user group when they first log in to
   SonicWALL GMS.

6. To force all users in the user group to change their passwords, select the Change
   Password checkbox.

7. To delete the user type when it becomes inactive, select the Delete Inactive checkbox.

8. To set a date when the user type will become inactive, click in the Active Until field and
   then select a date from the popup calendar.

9. To keep the user type active at all times without an end date, select the Always Active
   checkbox.

10. Select the schedule for when the user group is active from the pull-down list in the
    Schedule field.

11. Click Update. The new user group is added. By default, the new group has no privileges.
    To configure screen access settings, refer to the Moving a User section on page 787.


Adding Users
This section describes how to create a new user. Although the user inherits all group
settings, individual user settings override the group settings.
To add a new user, perform the following steps:

1. Click the Console tab, expand the Management tree and click Users. The General Page of
   the User configuration screen displays.

2. Right-click a user group and select Add User from the pop-up menu. The Add User window
   displays.

3. In the dialog box, enter a username and a password and click OK. In the main window, the
   new user displays beneath the group to which it is assigned.

   Note: The username and password are case-sensitive. Do not enter the single quote character (')
   in the User ID field.

4. Select the new user.

5. Enter the full name of the user in the Name field.

6. Enter contact information for the user in the Phone, Fax, Pager, and Email fields.

7. Select the default view for the user from the Default View list box.

8. Enter any comments regarding the new user in the Comments field.

9. Check the SuperAdmin checkbox to enable privileges for this user across all domains.

   Note: By default, permissions for users exist only within the domain to which they belong. By
   checking the SuperAdmin option, permissions are extended across all domains.

10. Enter the number of minutes that the user can be inactive on his computer before the
    session times out in the Inactivity Timeout field. Enter -1 to never time out.

11. To change the password for the user, type the password in the New Password field, and
    then type it again in Confirm Password.

12. To disable the user without deleting the entire entry, select the Account Disabled
    checkbox.

13. To force the user to change his password, select the Change Password checkbox.

14. To delete the user when the account becomes inactive, select the Delete Inactive
    checkbox.

15. To set a date when the user will become inactive, click in the Active Until field and select
    a date from the popup calendar.

16. To keep the user active without an end date, select the Always Active checkbox. If this is
    selected, the date in the Active Until field is ignored.

17. Select a schedule when the user is active from the pull-down list in the Schedule field.

18. Do one of the following:
    • Click Inherit Permissions from Group. The user inherits the permissions from the
      group that you right-clicked to begin this procedure.
    • Click Update. The new user is added. You will need to configure the user's permissions.
      See Moving a User, below, and Configuring Appliance Access on page 790.
    • Click Reset to change all fields in this screen to their default values and start over.

Note: To temporarily disable a user account, select the Account Disabled check box and click
Update.

Moving a User
When new users log in to SonicWALL GMS for the first time, they are considered guest users
and have only limited access. One way to configure user privileges is to move the user to
the appropriate group.
To change a SonicWALL GMS user's group:

1. Have the user log in to GMS.
   The user is logged in as a guest user with limited privileges.
   An administrator can now upgrade the account to a separate user class.

2. Log in as the remote domain's administrator.

3. Navigate to the Console tab.

4. Navigate to the Management > Users page.
   You'll see that there are currently four different categories of users: Administrators, End Users,
   Guest Users, and Operators. These categories can be further opened to list the users that
   comprise them.

5. Select the new user from the Guest Users list.

6. Right-click the new user's name in the Guest Users list and select Move User from the
   pull-down menu.

7. In the Move User dialog box, select the appropriate new level for the new user, and select
   Inherit permissions defined from the new user type permission.

8. Click OK.

Configuring Screen Access

The Screen Permissions page contains a hierarchical list of all screens that appear within
SonicWALL GMS. From this screen, you can control access to individual screens or all screens
within a section. This includes permissions for users or groups to view, or view and update,
reports.

Note: By default, a new user group has no privileges.

To configure screen access settings for a user or user group, perform the following steps:

1. Navigate to Console > Management and open the Users configuration screen.

2. Select a user or user group under All Users.

3. Click the Screen Permissions tab.

4. Under All Screens, select a panel, section, or screen. For example, for REPORTS_PANEL,
   you can select the whole panel, the unit type section such as Firewall, SRA, CDP, or Email
   Security, the group of reports for that type of unit, or the individual report or screen that you
   want to set permissions for. In this example, we chose the Firewall > Bandwidth panel.

5. On the right side of the pane, select from the following:
   • To prevent any access to the object, select None.
   • To allow view only access, select View Only.
   • To allow the user or group to make updates only for unit-level screens and not for
     group-level screens, select View & Update At Unit Level Only. This option is only
     available for objects in the Policies Panel and Reports Panel.
   • To allow unrestricted access to the object, select View and Update.

   For this example, we select the View Only option to allow our executive team to view the
   firewall bandwidth panel.

6. Click the Update button to apply the permission changes.

7. You may see a warning screen if you are applying permission changes to a group. Verify
   that you wish to apply these changes to the group and all users within that group and click
   the OK button.
   The panel object is now preceded by a

   Note: The more specific settings override the more general settings. For example, if you
   select View Only for the Status group of reports and select None for the Up-Time
   over Time report, then the selected user will only see the Up-Time Summary report
   in the Status reports and have View Only permission for that report.

8. To clear all screen settings and start over, click Reset.

9. When finished, click Update.
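
The override rule from the Note above (the most specific setting wins, and a user's own setting wins over the group's, as the Adding Users section states) as an added Python example; this is not SonicWALL code, and the screen paths, the executive group and its member are constructed for illustration.

```python
from typing import Dict, List, Tuple

# The four permission levels offered on the Screen Permissions page.
NONE = "None"
VIEW_ONLY = "View Only"
VIEW_UPDATE_UNIT = "View & Update At Unit Level Only"
VIEW_UPDATE = "View and Update"

# A setting is keyed by a hierarchical path (panel, section, report group, screen ...);
# a shorter path applies to everything beneath it.
ScreenPath = Tuple[str, ...]
Settings = Dict[ScreenPath, str]


def resolve(settings: Settings, screen: ScreenPath, default: str = NONE) -> str:
    """Effective permission for one screen: walk from the screen up to its panel and take
    the first explicit setting found, so the most specific one wins.  New groups have no
    privileges, hence the None default."""
    for depth in range(len(screen), 0, -1):
        prefix = screen[:depth]
        if prefix in settings:
            return settings[prefix]
    return default


def effective_for_user(group: Settings, user: Settings, screen: ScreenPath) -> str:
    """A user's individual settings override the group's (Adding Users section)."""
    user_level = resolve(user, screen, default="")
    return user_level or resolve(group, screen)


def visible_screens(settings: Settings, screens: List[ScreenPath]) -> List[ScreenPath]:
    """Screens that appear at all for these settings (anything other than None)."""
    return [s for s in screens if resolve(settings, s) != NONE]


# Constructed screen tree following the Note's example: the Status report group holds
# an Up-Time Summary and an Up-Time over Time report; Bandwidth is the step 4 example.
STATUS_GROUP = ("REPORTS_PANEL", "Firewall", "Status")
STATUS_SUMMARY = STATUS_GROUP + ("Up-Time Summary",)
STATUS_OVER_TIME = STATUS_GROUP + ("Up-Time over Time",)
BANDWIDTH = ("REPORTS_PANEL", "Firewall", "Bandwidth")
ALL_SCREENS = [STATUS_SUMMARY, STATUS_OVER_TIME, BANDWIDTH]

# Group settings as in the Note: View Only on the Status group, None on one report in it.
EXEC_GROUP: Settings = {STATUS_GROUP: VIEW_ONLY, STATUS_OVER_TIME: NONE, BANDWIDTH: VIEW_ONLY}
# One member additionally needs unit-level updates on Bandwidth (a Reports Panel object).
EXEC_USER: Settings = {BANDWIDTH: VIEW_UPDATE_UNIT}

if __name__ == "__main__":
    for s in ALL_SCREENS:
        print(" > ".join(s), "->", effective_for_user(EXEC_GROUP, EXEC_USER, s))
```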

Configuring Appliance Access

The Appliance Permissions page contains a hierarchical list of all SonicWALL appliances that
appear within SonicWALL GMS. From this screen, you can control access to SonicWALL
groups or individual SonicWALL appliances.
To configure appliance access settings for a user, perform the following steps:

1. Open the Users configuration screen.

2. Select a user.

3. Click the Unit Permissions tab.

4. Select a View from the Views pull-down menu.

5. To provide the user with access to a SonicWALL group or appliance, select a SonicWALL
   group or appliance in the left pane of the window and click Add. The group or appliance
   displays in the right pane.

6. Repeat Step 5 for each group or appliance to add.

7. To prevent the user from accessing a SonicWALL group or appliance, select the group or
   appliance in the right pane of the window and click Remove. The group or appliance is
   deleted from the right pane.

8. Repeat Step 7 for each group or appliance to remove.

Configuring Unit, View, and Other Permissions

The Action Permissions tab contains a list of actions and views that can be allowed for a group.
To configure actions and views for a group, perform the following steps:

1. Open the Management > Users configuration screen.

2. Select the user group.

3. Click the Action Permissions tab.

4. Select the unit actions you wish to be available for this group in the Units section.

   Checkbox                              Allows the user to...
   Add Unit, Modify Unit, Delete Unit    add, delete, or modify GMS management specifications
                                         of managed units
   Rename Unit                           rename units
   Login to Unit                         gain access to the managed unit GUI through GMS
   Modify Properties                     modify properties of managed units
   Re-assign Agents                      move units between agents

5. Select the view options you wish to be available for this group in the Views section:

   Checkbox                              Allows the user to...
   Manage View                           alter the properties of views
   Change View                           change between views

6. Select any remaining options for this group in the Others section:

   Checkbox                              Allows the user to...
   Enable CLI                            manage using the command line interface (CLI)
   Enable Dashboard                      see the Dashboard view
   Show Switch link                      easily switch between the System and Management
                                         interfaces
   Use Web Services                      configure and use the Web Services feature

7. Click Update. The settings are changed for the group.

Custom Groups
SonicWALL GMS uses an innovative method for organizing SonicWALL appliances.
SonicWALL appliances are not forced into specific, limited, rigid hierarchies. Simply create a
set of fields that define criteria (e.g., country, city, state) which separate SonicWALL appliances.
Then, create and use views to display and sort appliances on the fly.

Creating Custom Fields

When first configuring SonicWALL GMS, you will create custom fields that will be entered for
each SonicWALL appliance. SonicWALL GMS supports up to ten custom fields.

Note: Although SonicWALL GMS supports up to ten custom fields, only seven fields can be used
to sort SonicWALL appliances in any view.

The following are examples of custom fields that you can use:

• Geographic: useful for organizing SonicWALL appliances geographically, especially
  when used in combination with other grouping methods. Geographic fields may
  include:
  - Country
  - Time Zone
  - Region
  - State
  - City

• Customer-based: useful for organizations that are providing managed security services
  for multiple customers. Customer-based fields may include:
  - Company
  - Division
  - Department

• Configuration-based: useful when SonicWALL appliances will have very different
  configurations (e.g., Filtering, No Filtering, Pornography Filtering, Violence Filtering, or
  VPN).

• User-type: different service offerings can be made available to different user types. For
  example, engineering, sales, and customer service users can have very different
  configuration requirements. Or, if offered as a service to end users, you can allow or
  disallow network address translation (NAT) depending on the number of IP addresses that
  you want to make available.

SonicWALL GMS is pre-configured with four custom fields: Country, Company, Department,
and State. These fields can be modified or deleted.
To add fields, perform the following steps:

1. Click the Console tab, expand the Management tree and click Custom Groups.

2. Right-click Custom Groupings in the right pane.

3. Select Add Group from the pop-up menu.

4. Enter the name of the first field.

5. Select the newly created field and select Add Group from the pop-up menu.

6. Enter the name of the new field.

7. Repeat Steps 6 through 8 for each field that you want to create. You can create up to ten
   fields.

Note: Although the fields appear to be in a hierarchical form, this has no effect on how the fields
will appear within a view. To define views, see Configuring Unit, View, and Other
Permissions on page 791.

To modify or delete fields, right-click any of the existing fields and select Modify or Delete from
the pop-up menu.

Configuring Prefs File Settings

You can have the system automatically save your GMS preferences files on a regular basis.
This includes the addunit.xml file that contains information about the units under GMS
management.
To configure the prefs file settings:

1. Click the Console tab.

2. Expand the Management tree and click Settings. The Settings page displays.

3. Select Daily or Weekly in the Automatically save prefs file & addunit.xml field, and
   select a day of the week (if weekly) and a time. This determines how often SonicWALL GMS
   will automatically save the preferences and addUnit.xml files.

4. To automatically save the VPN Gateway Preferences files for SonicWALL appliances,
   select Automatically save VPN Gateway Prefs file.

   Note: The Enable Prefs Backup option must also be selected on the Policies >
   General > Settings screen.

5. When finished in the Settings page, click Update. To clear the screen settings and start
   over, click Reset.

Enabling Reporting and Synchronization with Managed Units

By default, GMS Reporting is enabled. To enable or disable GMS Reporting, perform the
following steps:

1. Click the Console tab.

2. Expand the Management tree and click Settings. The Settings page displays.

3. To enable GMS Reporting, select the Enable Reporting check box. To disable it, deselect
   the Enable Reporting check box (default: Enabled).

4. To configure SonicWALL GMS to automatically synchronize with the local changes made
   to the SonicWALL appliances, select the Enable Auto Synchronization check box.

5. For SonicWALL appliances that do not have direct access to the Internet, you can instruct
   GMS to download updates to security service signatures. To do so, select the following two
   check boxes:
   • Firewalls managed by this GMS do not have Internet Access
   • Upload latest signatures on subscription status change

   Note: When updated signatures have been downloaded to the GMS, you must then manually
   upload them to the SonicWALL appliances. This action is performed on the
   Policies > System > Tools page. When there are new signatures to be uploaded, the Upload
   Signatures Now button appears on the Tools page. Click this button to manually upload the
   signatures.

6. To create an addUnit.xml file to track all units under management, click Create Add Unit
   XML File.

7. When finished in the Settings page, click Update. To clear the screen settings and start
   over, click Reset.

Enhanced Security Access Settings

SonicWALL's Enhanced Security Access (ESA) feature allows for greater granular control of
user access across a GMS network, which is applicable for installations that must comply with
stringent regulatory compliance and account management controls as found in such standards
as Payment Card Industry (PCI), SOX, or HIPAA.

Note: Enhanced security settings are also available in your browser. For information, see
Browser Requirements on page 9.

GMS 4.1 supports these data security standards by providing support for encryption of all
passwords and any pre-shared secrets in the database. This includes VPN Security
Association pre-shared secrets, encryption keys, authentication keys, and passwords. The
following passwords are encrypted in GMS 4.1:

• GMS gateway password
• Firewall passwords for managed units
• Guest account password
• LDAP and RADIUS passwords

Enhanced security compliance also requires a password rotation feature. GMS 4.1 supports
password rotation requirements, including several changes in the management interface.
These changes occur on the Console panel, in the Management > Settings screen and in all
screens accessed from the Management > Users screen.
To turn on password security enforcement in GMS:

1. In the Management > Settings screen, select the Enforce Password Security checkbox.

2. In the Number of failed login attempts before user can be locked out field, enter a
   value. The default is 6.

3. In the User lockout minutes field, enter a value. The default is 30. This is the number of
   minutes that a user will not be able to log in to GMS after failing to log in correctly for the
   specified number of attempts.

4. In the Number of inactive days to mark user for deletion field, enter a value. The default
   is 90. The user's account will be deleted if it is not used for the specified number of days.

5. In the Number of days to force password change field, enter a value. The default is 90.
   GMS will prompt the user to change his password after the specified number of days.

6. When finished in the Settings page, click Update. To clear the screen settings and start
   over, click Reset.
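
The four account rules above (lockout after failed attempts, lockout duration, inactivity before deletion, forced password change) with the guide's defaults, as an added Python reference implementation; it is not SonicWALL code and does not describe how GMS stores this state. The account fields, timestamps and user names are constructed, and the lead-in to record_login_attempt lists the behaviours the guide leaves unspecified that the code assumes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Defaults given in the procedure above.
FAILED_ATTEMPTS_BEFORE_LOCKOUT = 6
USER_LOCKOUT_MINUTES = 30
INACTIVE_DAYS_TO_MARK_FOR_DELETION = 90
DAYS_TO_FORCE_PASSWORD_CHANGE = 90


@dataclass
class Account:
    name: str
    password_set: datetime          # when the current password was set
    last_login: datetime            # last successful login
    failed_attempts: int = 0        # consecutive failures since the last success
    locked_until: Optional[datetime] = None


def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def password_change_due(acct: Account, now: datetime) -> bool:
    """Number of days to force password change: the user is prompted at the next login."""
    return now - acct.password_set >= timedelta(days=DAYS_TO_FORCE_PASSWORD_CHANGE)


def marked_for_deletion(acct: Account, now: datetime) -> bool:
    """Number of inactive days to mark user for deletion: unused accounts are removed."""
    return now - acct.last_login >= timedelta(days=INACTIVE_DAYS_TO_MARK_FOR_DELETION)


def record_login_attempt(acct: Account, success: bool, now: datetime) -> str:
    """Apply one login attempt and return "ok", "failed", "locked" or "password-expired".
    Assumptions not spelled out by the guide: attempts made while locked out are refused
    without being counted, the counter restarts once the lockout window has passed, and a
    successful login resets it."""
    if is_locked(acct, now):
        return "locked"
    if acct.locked_until is not None:
        acct.locked_until = None
        acct.failed_attempts = 0
    if not success:
        acct.failed_attempts += 1
        if acct.failed_attempts >= FAILED_ATTEMPTS_BEFORE_LOCKOUT:
            acct.locked_until = now + timedelta(minutes=USER_LOCKOUT_MINUTES)
            return "locked"
        return "failed"
    acct.failed_attempts = 0
    acct.last_login = now
    return "password-expired" if password_change_due(acct, now) else "ok"


# Constructed scenarios so the behaviour can be checked without a GMS server.
T0 = datetime(2012, 6, 1, 9, 0, 0)


def lockout_scenario() -> List[str]:
    """Six wrong passwords one second apart, a correct one 10 minutes later (still locked),
    and a correct one 31 minutes later (lockout window has passed)."""
    acct = Account("alice", password_set=T0 - timedelta(days=10), last_login=T0 - timedelta(days=1))
    outcomes = [record_login_attempt(acct, False, T0 + timedelta(seconds=i)) for i in range(6)]
    outcomes.append(record_login_attempt(acct, True, T0 + timedelta(minutes=10)))
    outcomes.append(record_login_attempt(acct, True, T0 + timedelta(minutes=31)))
    return outcomes


def rotation_scenario() -> str:
    """Correct password, but the password is 91 days old."""
    acct = Account("bob", password_set=T0 - timedelta(days=91), last_login=T0 - timedelta(days=2))
    return record_login_attempt(acct, True, T0)


def stale_account_scenario() -> List[bool]:
    """Accounts last used 89 and 90 days ago, checked against the deletion threshold."""
    recent = Account("carol", password_set=T0, last_login=T0 - timedelta(days=89))
    stale = Account("dave", password_set=T0, last_login=T0 - timedelta(days=90))
    return [marked_for_deletion(recent, T0), marked_for_deletion(stale, T0)]


if __name__ == "__main__":
    print(lockout_scenario())        # five 'failed', then 'locked', 'locked', 'ok'
    print(rotation_scenario())       # password-expired
    print(stale_account_scenario())  # [False, True]
```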

Configuring Management Sessions

The Sessions page of the Management section of the GMS Console allows you to view session
statistics for currently logged in GMS users and to end selected sessions.

Managing Sessions
On occasion, it may be necessary to log off other user sessions. To do this, perform the
following steps:

1. Click the Console tab, expand the Management tree and click Sessions. The Sessions
   page displays.

2. When more than one session is active, a checkbox is displayed next to each row. Select
   the check box of each user to log off and click End selected sessions.
   The selected users are logged off.

Agents
The Agents page provides information for the SonicWALL GMS primary and backup agent
servers that are managing the SonicWALL appliances. This page lists the IP address and status
of each agent server, the IP address and password of the GMS gateway for each agent server,
and the number of firewalls under SonicWALL GMS management. You can also schedule all
the tasks for each agent server to be executed during a specified time period.

Note: You can also use this page to remove agents, but they cannot be managing any firewalls.

Managing Agent Configurations

To configure the Agents page, perform the following steps:

1. Click the Console tab, expand the Management tree and click Agents. The Agents page
   displays.

2. The summary section displays the number of installed and running agents. Select the IP
   address of the Agent you want to view from the Agent IP list box. The Agent Name field
   displays the name of the selected Agent.

   Note: The agent name can be modified by editing this field.

3. To specify when tasks can run, select the start time from the Daily At list box. The time is
   based on the SonicWALL appliance's local time.

   Note: By default, SonicWALL GMS schedules tasks for immediate execution.

4. For each agent server, the GMS Gateway IP address and password are displayed. If you
   change the GMS gateway IP address or password, you must also change the settings on
   this page.

5. To change the name of the GMS Gateway administrator for selected firmware/models, enter
   the name in the GMS Gateway Username field (default: admin).

6. To change the password used to log in as the GMS Gateway administrator, enter the
   password in the GMS Gateway Password field.

7. For each agent server, the Firewalls for Primary Management list box lists the
   SonicWALL appliances that are assigned to the agent server for primary management. The
   total number is also displayed.

8. For each agent server, the Firewalls for Standby Management list box lists the
   SonicWALL appliances that are assigned to the agent server for backup management. The
   total number is also displayed.

9. For each agent server, the Firewalls Under Active Management list box lists the
   SonicWALL appliances that are actively being managed by the agent server. The total
   number is also displayed.

10. When you are finished, click Update. The settings are changed. To clear the settings and
    start over, click Reset.

SNMP Managers
The SNMP Managers page enables you to specify SNMP Managers to which SonicWALL GMS
will send SNMP Traps.

Configuring SNMP Settings

To configure the SNMP Managers page, perform the following steps:

1. Click the Console tab, expand the Management tree and click SNMP Managers. The
   SNMP Managers page displays.

2. Select the IP address and port of the SNMP Manager from the SNMP Manager IP/Port
   fields.

3. Specify the IP addresses of SNMP Hosts to which traps will be forwarded in the SNMP Host
   to forward traps to fields.

4. To enable trap forwarding, select the Enable SNMP Trap Forwarding check box.

5. To enable trap email, select the Enable SNMP Trap Email check box.

6. When you are finished, click Update. The settings are changed. To clear the settings and
   start over, click Reset.

Inheritance Filters
The Inheritance Filters page specifies which settings are inherited from the group when adding
a new SonicWALL appliance.
To configure the Inheritance Filter page, perform the following steps:

1. Click the Console tab, expand the Management tree and click Inheritance Filters. The
   Inheritance Filter page displays.

2. To edit an existing filter, select the filter from the Select Filter list box. To specify a new
   filter, select New Filter from the Select Filter pull-down menu and type a name in the Filter
   name field.

3. Select which page settings are inherited in the Inheritance Filter Detail section.

4. Select the type of access that is available to each SonicWALL GMS user group from the
   Access for each UserType section.

5. When you are finished, click Add for a new filter or click Update for an existing filter. The
   settings are changed. To clear the settings and start over, click Reset.

Message of the Day

The Message of the Day page displays a message when SonicWALL GMS users log on to
SonicWALL GMS.
To configure the Message of the Day page, perform the following steps:

1. Click the Console tab, expand the Management tree and click Message of the Day. The
   Message of the Day page displays.

2. Select all users, a user group, or an individual user.

3. Enter message text in the Message field.

4. Select whether the message text will be displayed in plain text or HTML.

5. Select the start and end date of the message (default: current day).

6. When you are finished, click Update. The settings are changed.

7. Repeat this procedure for each group or user for which this message will be displayed.

CHAPTER 43
Managing Reports in the Console Panel
This section describes how to configure reporting settings on the Console panel. These include
how often the summary information is updated, the number of days that summary information
is stored, and the number of days that raw data is stored.
The following sections are included in this chapter:

• Summarizer section on page 801
• Syslog Exclusion Filter section on page 805
• Email/Archive section on page 807

Summarizer
This section contains the following subsections:

• About Summary Data in Reports section on page 801
• Configuring the Data Deletion Schedule Settings section on page 805

About Summary Data in Reports

These reports are constructed from the most current available summary data. In order to create
summary data, the GMS Reporting Module must parse the raw data files.
When configuring GMS Reporting using the screens on the Console panel under Reports, you
can select the amount of summary information to store. These settings affect the database size;
be sure there is adequate disk space to accommodate the settings you choose.
Additionally, you can select the number of days that raw syslog data is stored. The raw data is
made up of information for every connection. Depending on the amount of traffic, this can
quickly consume an enormous amount of space in the database. Be very careful when selecting
how much raw information to store. As of SonicWALL GMS 7.0, Summarizer processing applies
to CDP appliances only.

SonicWALL GMS 7.0 Administrators Guide

801

Summarizer

Summarizer Settings and Summarization Interval for CDP


SonicWALL CDP appliances send their syslog packets to SonicWALL GMS via UDP packets.
When summarization is enabled, the Summarizer will process those files and store the data in
the summary databases at the interval you specify.
See the following sections:

Enabling Report Summarization for CDP Appliances section on page 802

Setting the Reports Data Summarization Interval section on page 802

Using Summarize Now section on page 804

Enabling Report Summarization for CDP Appliances


To globally enable the summarization of report data, which is necessary for viewing reports,
perform the following:
1. On the Console panel, navigate to Reports > Summarizer.
2. Under Summarizer Settings, select the Enable Report Summarization checkbox.
3. Click Update.

Setting the Reports Data Summarization Interval


The Summarizer will process syslog data sent from SonicWALL CDP appliances and store the
processed data in the summary databases at the interval you specify. When a CDP appliance
is configured to communicate with GMS, you need to verify that the summarizer is scheduled
to collect and process data for this unit at an appropriate interval.


To configure the summarization interval, perform the following steps:
1. Click the Console tab, expand the Reports tree and click Summarizer. The CDP
Summarizer page displays.
2. Under Reports Data Summarization Interval, important information about the Summarizer
is displayed. Use the Summarize every pull-down lists to specify how often in hours and
minutes the GMS Reporting Module should process syslog data and update summary
information.
3. Click the Update button to the right of this field.
4. To specify the next summarization time, enter a date in the form mm/dd/yyyy in the Next
Scheduled Run Time field, and select the hour and minute values from the pull-down lists.
5. Click the Update button to the right of this field.
6. To update the summary information now, click the Summarize Now button.
SonicWALL GMS will automatically process the latest information and make it available for
immediate viewing.

Note

This will not affect the normally scheduled summarization updates on the GMS Agent.

For more information about using and verifying the Summarize Now option, see the Using
Summarize Now section on page 804.


Using Summarize Now


The Summarize Now feature allows the administrator to create instant summary reports without
affecting the regularly scheduled summary reports. You can use Summarize Now to test that
the Summarizer is gathering data for a managed unit. The SonicWALL GMS Summarize Now
feature is located in the Console tab under Reports > Summarizer. The SonicWALL GMS
Summarizer creates summary reports by default every 8 hours. Summary reports can be
configured by the administrator to occur every 15 minutes to every 24 hours.
To use the Summarize Now feature, perform the following tasks:
1. Click the Console tab, expand the Reports tree and click Summarizer. Click the
Summarize Now button to summarize data immediately.
2. You will see a pop-up window verifying that you want to summarize the data now.
Summarizing data using Summarize Now is a one-time action and will not affect the
scheduled summary. Click OK to continue.
3. To verify summarization, navigate to Log > View Log in the center pane. Search for the
message Report Data Summarized to verify that the Summarize Now action has
completed.
4. When Summarize Now has completed, click the Reports tab. In the left-most pane, click
GlobalView, then click a group or a managed appliance.

Note

You may see incomplete data if you view the Summary section of a selected report before
the Summarize Now process is complete. Wait for the Report Data Summarized message
to be displayed in Log > View Log.

5. In the center pane, click a report to expand it, then click the Summary option underneath
it. For example, click Capacity, then click Summary to review the summarized CDP
capacity usage data.
6. Navigate to the Summary section of other reports in the center pane to see other
summarized data.


Configuring the Data Deletion Schedule Settings


Syslog files sent from SonicWALL appliances are stored on the GMS Summarizer system, and
are consolidated into the syslog database. The Summarizer processes the syslog data and
stores the processed data in the summary database. After the configured period of syslog
storage, the syslog data can be periodically deleted from the system. This is necessary, as the
syslog files and database can consume a lot of space on the file system.
This section of the Summarizer page also provides a way to delete summarized data for a
certain date. For example, if summarized data is kept for a long time, such as 90 days, then you
could use this option to remove some summarized data from a particular date within the 90 day
period if the stored data was becoming too large.

Tip

Run your database maintenance jobs soon after the completion of the scheduled tasks
configured on this page for summarizing data and deleting old syslog data.
To configure the syslog and summarized data deletion settings, perform the following:
1. On the Console panel, navigate to Reports > Summarizer.
2. Under Data Deletion Schedule, select the day and time for deletion in the hour and minute
widget. Syslog data will be deleted at this time only after being stored for the number of
days configured. You specify how long to keep the data in Data Storage
Configuration. This field allows you to specify the data address of the Summarizer, how
long to keep reporting data (in months), and how long to keep the raw syslog data (in
months).
3. Click the Update button to the right of this field.

Syslog Exclusion Filter


The Syslog Exclusion Filter allows you to select what fields and operators to use for filtering
the syslog database. It is picked up by the Summarizer every 15 minutes and applied to the
global syslog settings.


The Syslog Exclusion Filters function in a manner similar to applying an exclusion filter to
a single Firewall or SRA appliance, but are applied to all GMS appliances, or all appliances
in a Firewall or SRA group.
1. To add a filter, click Reports > Syslog Filter.
2. Click Add a Filter. The Add Filter menu comes up.
3. Select the syslog field name, and an operator and value, for the field you wish to exclude.
Then select the level of Deployment: Appliance, Agent, or full Deployment.
If you select Appliance, you will be prompted for the type of appliance: Firewall, SRA, or
CDP. If you select Agent, you will be prompted to select from a list of SGMS agents.
4. Click Update.
You can also click the pencil in the Configure column to edit an existing filter setting. If
no values appear in the Configure column, the filter is a default system filter. These defaults
cannot be configured or deleted.
Syslogs are stored in the database without filtering, so the filters in the Syslog Exclusion
Filter apply only to values displayed in Reports.
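The field/operator/value filter with its Deployment, Agent or Appliance scope, and the fact that it changes only what Reports display while the stored syslogs stay complete, can be shown in a few lines of code. The following Python module is an added example, not SonicWALL GMS code: the key=value line format, the operator names, the sample syslog lines (constructed, not captured traffic) and the agent and appliance_type fields used for scoping are all assumptions made for illustration.

```python
"""Report-time syslog exclusion filtering, scoped by deployment, agent or appliance type.

Added example, not SonicWALL GMS code. The key=value line format, the operator
names and the 'agent' / 'appliance_type' fields used for scoping are assumptions.
"""
import operator
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample syslog lines (not captured data).
RAW_SYSLOGS: List[str] = [
    'id=firewall sn=FW-A pri=6 c=1024 m=98 msg="Connection Opened" src=10.0.0.5 '
    'dst=203.0.113.10 proto=udp/dns agent=agent1 appliance_type=Firewall',
    'id=firewall sn=FW-A pri=1 c=32 m=22 msg="Ping of Death" src=198.51.100.7 '
    'dst=10.0.0.1 agent=agent1 appliance_type=Firewall',
    'id=firewall sn=FW-B pri=6 c=1024 m=98 msg="Connection Opened" src=10.0.1.9 '
    'dst=10.0.0.1 proto=tcp/https agent=agent2 appliance_type=Firewall',
    'id=sra sn=SRA-1 pri=5 c=0 m=1 msg="User login" user=alice '
    'agent=agent2 appliance_type=SRA',
    'id=firewall sn=FW-B pri=7 c=0 m=0 msg="Heartbeat" agent=agent2 appliance_type=Firewall',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values lose their quotes."""
    return {key: raw.strip('"') for key, raw in _KV.findall(line)}


def load_raw() -> List[Dict[str, str]]:
    """Everything received is stored; filtering never touches this set."""
    return [parse_syslog(line) for line in RAW_SYSLOGS]


# Operators assumed for the example; the guide only says 'an operator and value'.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": operator.eq,
    "not equals": operator.ne,
    "contains": lambda have, want: want in have,
    "starts with": lambda have, want: have.startswith(want),
}


@dataclass(frozen=True)
class ExclusionFilter:
    """Exclude records whose field matches, within the chosen scope."""
    field_name: str
    op: str
    value: str
    scope: str = "Deployment"   # "Deployment", "Agent" or "Appliance"
    scope_value: str = ""       # agent name, or appliance type (Firewall/SRA/CDP)

    def __post_init__(self) -> None:
        if self.op not in OPERATORS:
            raise ValueError(f"unknown operator {self.op!r}")
        if self.scope not in ("Deployment", "Agent", "Appliance"):
            raise ValueError(f"unknown scope {self.scope!r}")

    def in_scope(self, record: Dict[str, str]) -> bool:
        if self.scope == "Agent":
            return record.get("agent") == self.scope_value
        if self.scope == "Appliance":
            return record.get("appliance_type") == self.scope_value
        return True

    def matches(self, record: Dict[str, str]) -> bool:
        if not self.in_scope(record) or self.field_name not in record:
            return False
        return OPERATORS[self.op](record[self.field_name], self.value)


def report_view(records: List[Dict[str, str]],
                filters: List[ExclusionFilter]) -> List[Dict[str, str]]:
    """The rows a report would show: raw records minus anything a filter excludes."""
    return [r for r in records if not any(f.matches(r) for f in filters)]


if __name__ == "__main__":
    raw = load_raw()
    filters = [
        ExclusionFilter("msg", "equals", "Heartbeat"),                  # whole deployment
        ExclusionFilter("m", "equals", "98", "Appliance", "Firewall"),  # firewalls only
    ]
    shown = report_view(raw, filters)
    print(f"stored: {len(raw)} records, shown in reports: {len(shown)}")
    for rec in shown:
        print(rec["sn"], rec["msg"])
```

The raw store returned by load_raw is never reduced; only the view handed to a report shrinks, which is why a filter added here cannot be used to make a stored event disappear from the database.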


Email/Archive
The Console > Reports > Email/Archive page provides global options for setting the time and
interval for emailing/archiving scheduled reports, and global settings for the Web server, logo,
and PDF sorting options.

Configuring Email/Archive Settings


To configure Email/Archive and Web server settings, perform the following steps:
1. Click the Console tab, expand the Reports tree and click Email/Archive. The
Email/Archive page displays.
2. To set the next archive time, enter the date and time in the Next Scheduled Email/Archive
Time fields and click Update.
3. To specify the day to send weekly reports, select the day from the Send Weekly Reports
Every list box and click Update.
4. To specify the date to send monthly reports, select the date from the Send Monthly
Reports Every list box and click Update.
5. If the Web server address, port, or protocol has changed since SonicWALL GMS was
installed, the new values will automatically appear in the Email/Archive Configuration
section. These settings can be modified on the System Interface, and cannot be modified
here.
6. Under Logo Settings, you can select a logo to be used on reports. By default, the
SonicWALL logo is used. To select another logo, click Browse next to the Logo File field
or type the path and filename into the field, and then click Update.
7. Under Storage Configuration, select how many days to store Universal Scheduled Reports
(USR) then click Update.

USR schedules are managed under the Dashboard Tab. For more information on USR
scheduling, refer to the Using the Universal Scheduled Reports Application section on
page 58.


Note

High-traffic systems can generate reports that consume large amounts of memory, disk
space and CPU time. Set your Number of Days to Archive and Scheduled Archive Time
accordingly.

Managing Legacy Reports


Reports generated by pre-7.0 releases of SonicWALL GMS are still available for viewing, but
require careful management. SonicWALL GMS 7.0 Reporting is not compatible with earlier
versions, but reports generated by earlier versions are still accessible under the current
reporting structure.
Because a single session can show either 7.0 or pre-7.0 reports, but not both, we advise
creating a separate login for accessing Legacy reports. By logging in with the separate
account, you can switch between the two viewing modes.


Step 1
Create a new User or Administrator login. An Administrator login (with a name like
Admin_Legacy) is recommended, as this login will have full privileges. For more information on
configuring Legacy reports for a new user, refer to the Console Management section.

Step 2
Log into the Management > Users > Action Permissions tab.

Step 3
Select the Show Legacy (pre GMS 7.0) Reports checkbox.


Note

This check box is only available if Analyzer 6.0 Reports exist in the system.

Step 4
Log out, then log back in using the new Login created in Step 1.
If Legacy Reports are no longer needed, you can delete them.

Step 1
Go to Reports > Summarizer.

Step 2
Under the Data Deletion Schedule, you will see a box for Delete 6.0 Reporting Data
Immediately. Click Delete to delete the Legacy reports.

Note

If you delete pre-7.0 reporting data, the Legacy data checkboxes under the Action
Permissions and Summarizer tabs will no longer be available going forward.


CHAPTER 44
Using Diagnostics
This chapter describes the diagnostic information that GMS/Analyzer provides, including log
settings for debugging, system snapshots for troubleshooting, and summarizer status
information.
This chapter includes the following sections:

Debug Log Settings section on page 811

Request Snapshot section on page 813

Snapshot Status section on page 815

Summarizer Status section on page 816

Debug Log Settings


Debug Log Settings are included with GMS to help you diagnose issues you may encounter
with your log data.

Warning

The Debug Log Settings are intended for use only under the direction of SonicWALL
Tech Support.


Configuring Debug Log Settings


When instructed by SonicWALL Technical Support, perform the following steps to set the debug
level:
1. Click the Console tab, expand the Diagnostics tree and click Debug Log Settings. The
Debug Log Settings page displays.
2. Select the amount of debug information that is stored from the System Debug Level field.
For no debugging, enter 0. For verbose debugging, enter 3.
3. Select a debug setting from the Custom Settings list, and check the Enable Current
Custom Setting checkbox to enable it. If there is not a custom setting that meets your
needs, select New Custom Setting.
The custom debug settings control the selections in the Custom Settings Detail and
Qualification Type sections of this page. Custom settings can be useful to repeat the same
debug runs after making changes elsewhere in the product to monitor the effect of those
changes.
4. If you selected New Custom Setting or you need to modify the current custom setting,
configure the Custom Setting Detail section:
Custom Setting Name: Enter the name for the new custom setting.
Event Class: Select whether you want to monitor DEBUG, APPLICATION, or INTERNAL
events.
Event Type: Select the specific type of event you want to monitor within the Event Class
you selected. SonicWALL Technical Support can help you understand the names of the
event types.
Destination File Name: Enter a name for the file where your debug information will be
written. The destination file will reside in: [GMS_Install_Directory]/Logs/
Sys Output: Select this to enable the debug to capture all system information as it occurs.
5. Click Select Qualification List to select a list of Java classes in the GMS code in which to
monitor debug symbols.
The Qualification List is a list of Java classes. When you select Java classes in this list,
the debug process monitors only the debug symbols in the Java classes you selected.
Leave the list blank (it will display None) to monitor debug symbols for all classes.


6. In the Qualification Names window, select the Java packages you want to debug. You can
include or exclude specific Java classes by entering their full package and class names in
the Included Class File Name and Excluded Class File Name fields.
7. Click Update to accept your selections and close the window. You can clear your selections
by clicking Reset.

Request Snapshot
In order for a technical support representative to troubleshoot a problem, you might be asked
to take a snapshot of SonicWALL GMS, or you might want to view the configuration yourself.

Performing a System Snapshot
A system snapshot provides detailed information about SonicWALL GMS, the
SonicWALL GMS database, the system environment, licensing, and firewalls. This information
includes:

Data from the sgmsConfig.xml file (Console or Agent only)
Debug state
Build number
Version
Product Code
Database type
Database driver string
Database dbuser
Database password
Database URL

Server state (Console or Agent only): whether a database connection could be established


Environment information
CLASSPATH, PATH variables
Web server listening port (Console only)
Country
Language
Operating System
IP Address
MAC Address
Machine data (memory size, etc.)

Latte/Licensing (Console or Agent only)


Connectivity to Latte backend
Latte username/password
MS license information (Console only)

Agent specific data


Managed units
Units states (active or standby)
Gateway firmware version
Gateway state
Ports (syslog, syslog parsing, etc.)

Firewall data (Gateway or Unit only)


IP address
Data from status.xml
VPNs present (Gateway only)
Latte information (if registered)

Performing the Snapshot


To take a snapshot of the system, perform the following steps:
1. Click the Console tab, expand the Diagnostics tree and click Request Snapshot. The
Request Snapshot page displays.
2. To take a snapshot of the SonicWALL GMS console, select GMS Console.
3. To take a snapshot of one or more SonicWALL GMS agents, select the Agent check
box(es).
4. To take a snapshot of the GMS Gateway, select Gateway.
5. Click Submit Snapshot Request. SonicWALL GMS takes the snapshot.
6. To view the snapshot, see Viewing the Snapshot or Diagnostics.

Snapshot Status
Viewing the Snapshot or Diagnostics
To view a snapshot or SonicWALL diagnostics, perform the following steps:
1. Click the Console tab, expand the Diagnostics tree and click Snapshot Status. The
Snapshot Status page displays.
2. Select the snapshot or diagnostics that you want to view from the Diagnostics requested
list box.
3. To view the information, click View Snapshot Data.
4. To save the information to a file that you can send to technical support, click Save
Snapshot Data. The saved file contains everything listed under Performing a System
Snapshot, including the database password and the Latte username/password, so store
and transmit it accordingly.
5. To delete the information, click Delete Snapshot Data.
6. To refresh the information, click Refresh Snapshot Data.


Summarizer Status
The Summarizer Status page displays overall summarizer utilization information for the
deployment including database and syslog file statistics, and details on the current status of
each summarizer.

The Summarizer Status screen provides performance metrics that help your network administrator
plan, design, and expand your GMS server deployment. This feature has information on the
Syslog Collector and Summarizer metrics. The Summarizer metrics are available only for GMS
deployments that have Distributed Summarizer enabled. The metrics are available for the
past 24 hours, past seven days, and past 30 days.
These metrics are reset (to zero) every 24 hours for daily metrics, every seven days for weekly
metrics, and every 30 days for monthly metrics. Weekly metrics are not shown unless the data
collection for weekly metrics started earlier than the daily metrics. Similarly, monthly metrics are
not shown unless data collection for monthly metrics started earlier than for daily and weekly
metrics. GMS will not display metrics for a component if the daily statistics collection started
more than 26 hours earlier. This generally indicates that the component is not active.
You can receive alert emails when Summarizer Status shows any abnormalities.
To reach the Summarizer Status screen, navigate to the Console panel of GMS and then to
Diagnostics > Summarizer Status.
The Summarizer Status page is divided into a section showing the overall deployment-wide
summarizer status and sections with details for each summarizer. See the following sections:


Summarizer Status Over 7 Days, page 817

Details for Summarizer at <IP Address>, page 818


Summarizer Status Over 7 Days


The Summarizer Status Over 7 Days section displays overall summarizer utilization information
for the deployment including database and syslog file statistics. Results are calculated over the
last 7 days, with historical data available over the last 30 days.

Summarizer Utilization
The top Summarizer Utilization section shows the average utilization of the summarizer over
the applicable time period. The Dial Charts show the percent of total capacity used by the
Syslog Collector or the Summarizer. The following metrics are also displayed in the
Summarizer Utilization section:
Total Run Time: Total amount of time spent generating summarization statistical data and
results over the applicable time period.
Number of Syslogs Received: Total number of syslogs received by the Summarizer over the
applicable time period.

Note

Not all syslogs are summarized; some syslogs, such as heartbeat messages, are ignored.
When Web Event Consolidation/Home Port Reporting is enabled, several syslogs may
be ignored or, alternatively, consolidated into a single syslog. If your appliance is managed
by a different Agent, the results are not summarized here.

Number of Syslogs Summarized: Total number of syslogs summarized over the applicable
time period.
Average Syslogs Summarized per Minute: Average number of syslogs summarized per
minute over the applicable time period.
Estimated Unused Capacity in Syslogs: The estimated remaining capacity of the summarizer
in terms of the number of syslogs it can summarize, based on the time taken and number of
syslogs summarized over the applicable time period. This number does not include the
discarded syslogs.

Tip

Usage Example: For this example, let's assume that the number of syslogs summarized per
minute on a system is 18,108, and the average number of syslogs received on that system is
91 per firewall, per minute. Divide the number of syslogs summarized per minute (18,108) by
the number of syslogs per appliance per minute (91). This yields an estimate of 198 security
appliances, assuming that the current appliances are a fair sample of the security appliances
on your network.
This simple calculation gives a reasonable estimate of the total number of security appliances
this system should be able to handle, assuming that the Summarizer summarizes constantly,
24 hours a day (as in the case of a dedicated Summarizer).
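The Tip's estimate, carried through in code together with the other Summarizer Utilization metrics listed above, as an added example that is not part of the guide or of GMS. The appliance estimate is the guide's own division; the utilization and unused-capacity formulas are this example's simplifying model (the summarizer is assumed to keep its observed average rate during the idle minutes of the reporting window), and the sample metric values are constructed.

```python
"""Summarizer capacity estimate from the Summarizer Status metrics.

Added example, not SonicWALL GMS code. The appliance estimate follows the
guide's Tip; the utilization and unused-capacity formulas are a simplifying
model of this example (the summarizer keeps its observed average rate during
the window's idle minutes). Sample metric values are constructed.
"""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class SummarizerMetrics:
    """Counters as shown in Summarizer Utilization for one time period."""
    window_minutes: int        # 1440 for 24 hours, 10080 for 7 days, 43200 for 30 days
    run_time_minutes: float    # Total Run Time
    syslogs_received: int      # Number of Syslogs Received
    syslogs_summarized: int    # Number of Syslogs Summarized

    def discarded(self) -> int:
        """Received but not summarized (heartbeats, consolidated events, ...)."""
        return self.syslogs_received - self.syslogs_summarized

    def avg_summarized_per_minute(self) -> float:
        """Average Syslogs Summarized per Minute; zero when nothing ran."""
        if self.run_time_minutes <= 0:
            return 0.0
        return self.syslogs_summarized / self.run_time_minutes

    def utilization_percent(self) -> float:
        """Share of the window the summarizer was busy (assumed dial-chart model)."""
        return min(100.0, 100.0 * self.run_time_minutes / self.window_minutes)

    def estimated_unused_capacity(self) -> int:
        """Syslogs the idle minutes could still absorb at the observed rate."""
        idle = max(0.0, self.window_minutes - self.run_time_minutes)
        return int(self.avg_summarized_per_minute() * idle)


def estimate_supported_appliances(summarized_per_minute: float,
                                  received_per_appliance_per_minute: float) -> int:
    """The Tip's division: whole appliances a dedicated summarizer could serve."""
    if received_per_appliance_per_minute <= 0:
        raise ValueError("per-appliance rate must be positive")
    return int(summarized_per_minute // received_per_appliance_per_minute)


if __name__ == "__main__":
    # Constructed 24-hour sample: busy for 6 hours at 18,108 syslogs per minute.
    m = SummarizerMetrics(MINUTES_PER_DAY, 360, 6_600_000, 6_518_880)
    print(f"avg/min {m.avg_summarized_per_minute():.0f}, busy {m.utilization_percent():.0f}%, "
          f"discarded {m.discarded()}, unused capacity {m.estimated_unused_capacity()}")
    print("appliances supported:",
          estimate_supported_appliances(m.avg_summarized_per_minute(), 91))
```

Feed it the 24-hour, 7-day and 30-day counters separately; the page says the three periods are reset on different cycles, so mixing a 7-day run time with a 24-hour syslog count would overstate the idle capacity.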

Data Storage Statistics


The Data Storage Statistics section shows the following directory sizes:

Data Directories Size

Archived Directories Size

Bad Directories Size


Details for Summarizer at <IP Address>


Summarizer Utilization
The Summarizer Utilization section for a specific summarizer shows the same information
described above for the entire deployment, but only shows the values for this summarizer.

Data File Information


This section displays syslog file details for the selected summarizer.

The Data File Information table is divided into three columns:

Data File Type: The type of files being reported on.


There are ten main data file types:
Processed Files
Unprocessed Files
Grouped Files
Not Mine Files
Infected Files
Archived Files
Bad Files
Upload Pending Files
Uploaded Files
Bad Upload Files

File Stats: The number of syslog files in the category and their size in megabytes.

Oldest: The date and time on the oldest file in the category.

Summarizer Process Details


The Summarizer Process Details section shows what tasks the summarizer is performing at the
moment the Console > Diagnostics > Summarizer Status page displays. Refresh your
browser display or leave the page and return to it to update the information.


If the summarizer is currently running, the page displays the thread, appliance identifier, file
being used, and state of the summarizer.

If the summarizer is currently idle, the page displays the last run time and next run time.


CHAPTER 45
Granular Event Management
This chapter describes how to configure and use the Granular Event Management (GEM)
feature in a GMS environment.
This chapter contains the following sections:

Granular Event Management Overview section on page 821

Using Granular Event Management section on page 824

Configuring Granular Event Management section on page 826

Viewing Current Alerts section on page 841

Sample Event Alert Reports section on page 841

Granular Event Management Overview


Granular Event Management (GEM) provides a customized and controlled manner in which
events are managed and alerts are created. On the Console panel, GEM allows you to
systematically configure each sub-component of your alert in order for the alert to best
accommodate your needs.
The GEM alert has multiple sub-components, some of which have further subcomponents. It is
not necessary to configure all sub-components prior to creating an alert.

Severities: Severity is used to tag an alert as Critical, Warning, Information, or a custom
severity level. You can create your own preferred severities and assign the order of
importance to them from lowest to highest. When using a custom severity, you must define
it before creating a threshold that uses it.

Thresholds: A threshold defines the condition that must be matched to trigger an event and
send an alert. Each threshold is associated with a Severity to tag the generated alert as
critical, warning, or another value. You must define a threshold prior to creating an alert
that uses it.
One or more threshold elements are defined within a threshold. Each threshold element
includes an Operator, a Value, and a Severity. When a value is received for an alert type,
the GEM framework examines threshold elements to find a match for the specified
condition. If a match is found (one or more conditions match), the threshold with the highest
severity containing a matching element is used to trigger an event.


Schedules: You can use Schedules to specify the day(s) and time (intervals) in which to
send an alert. You can also invert a schedule, which means that the schedule is the
opposite of the time specified in it. For example:
Send an alert during weekdays only, or weekends only, or only during business hours.
Do not send an alert during a time period when the unit, network, or database are down
for maintenance.

Destinations: You can use Destinations to define where the alerts are sent. The
destination(s) for an alert are specified in the Add Alert or Edit Alert screen. You can specify
up to five destinations for an alert, such as multiple email addresses. For example:
Send an alert to the Unit owner all the time.
Send an alert to a GMS user during business hours.
Send an alert to the admin also during non-business hours for immediate attention.

Alert types: Alert Types are pre-defined, static parameters and are not customizable. Alert
types are used with threshold elements that define conditions that can trigger an event.
Some example alert types are:
Unit Up-Down Alert type
VPN SA is UP-Down, Enable-Disable

You must configure three of these components in order to create alerts:

Severities - You can use the pre-defined defaults or create your own Severities.

Thresholds - You can use the pre-defined defaults or create your own thresholds.

Schedules - You can use the pre-defined defaults or create your own Schedules.

These can be configured in the Console > Events screens. After you configure these elements
in Console > Events, you can also create alerts in the Firewall, SRA, CDP, and ES Tabs.
The Super Admin (admin@LocalDomain) user is able to add a new Severity, Threshold,
Schedule, Schedule Group, or Alert into any domain. Other administrative users may only
create/edit objects within their own domain.
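The rules described above for severities, thresholds, schedules and destinations can be written down as a small model, which makes the "highest matching severity wins" and "inverted schedule" behaviour concrete. The following Python module is an added example, not GMS code: severities are ranked by their position in a list (custom ones included), a threshold holds elements of operator, value and severity and refuses a severity that has not been defined, the matching element with the highest severity decides the event, a schedule is a set of weekdays and an hour range that can be inverted, and an alert accepts at most five destinations. The operator symbols, the weekday/hour schedule representation, and the threshold and alert names used in the demo are assumptions.

```python
"""GEM-style event evaluation: severities, thresholds, schedules, alerts.

Added example, not SonicWALL GMS code. Operator symbols, the schedule
representation (weekday 0=Monday..6=Sunday plus an hour range) and the demo
values are assumptions made for illustration.
"""
import operator
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence

# Severities ordered from lowest to highest importance; custom names may be
# inserted anywhere in the order (the guide's defaults are these three).
DEFAULT_SEVERITIES: List[str] = ["Information", "Warning", "Critical"]

# Comparison operators assumed for threshold elements.
OPERATORS = {
    ">": operator.gt, ">=": operator.ge,
    "<": operator.lt, "<=": operator.le,
    "==": operator.eq, "!=": operator.ne,
}


@dataclass(frozen=True)
class ThresholdElement:
    """One condition inside a threshold: operator, value, severity."""
    op: str
    value: float
    severity: str


class Threshold:
    """A named set of elements. Every severity must already be defined,
    mirroring the rule that a custom severity is created before use."""

    def __init__(self, name: str, elements: Sequence[ThresholdElement],
                 severities: Sequence[str]) -> None:
        for element in elements:
            if element.severity not in severities:
                raise ValueError(f"undefined severity {element.severity!r}")
            if element.op not in OPERATORS:
                raise ValueError(f"unknown operator {element.op!r}")
        self.name = name
        self.elements = list(elements)
        self.severities = list(severities)

    def evaluate(self, observed: float) -> Optional[ThresholdElement]:
        """Return the matching element with the highest severity, or None."""
        matches = [e for e in self.elements if OPERATORS[e.op](observed, e.value)]
        if not matches:
            return None
        return max(matches, key=lambda e: self.severities.index(e.severity))


@dataclass(frozen=True)
class Schedule:
    """Days and an [start_hour, end_hour) window; inverted flips the result."""
    name: str
    days: FrozenSet[int]          # 0=Monday .. 6=Sunday
    start_hour: int
    end_hour: int
    inverted: bool = False

    def active(self, weekday: int, hour: int) -> bool:
        inside = weekday in self.days and self.start_hour <= hour < self.end_hour
        return inside != self.inverted


@dataclass
class Alert:
    """Binds an alert type to a threshold, a schedule and up to five destinations."""
    alert_type: str
    threshold: Threshold
    schedule: Schedule
    destinations: List[str]

    def __post_init__(self) -> None:
        if not 1 <= len(self.destinations) <= 5:
            raise ValueError("an alert takes between one and five destinations")

    def handle(self, observed: float, weekday: int, hour: int) -> Optional[dict]:
        """The event to send, or None when nothing matched or the schedule is inactive."""
        element = self.threshold.evaluate(observed)
        if element is None or not self.schedule.active(weekday, hour):
            return None
        return {
            "alert_type": self.alert_type,
            "threshold": self.threshold.name,
            "severity": element.severity,
            "value": observed,
            "destinations": list(self.destinations),
        }


if __name__ == "__main__":
    # Demo: CPU threshold with Warning at 70% and Critical at 90%, delivered on
    # weekdays 8-17 (like the guide's 8x5 group) and, inverted, after hours.
    cpu = Threshold("Monitor CPU", [ThresholdElement(">=", 70, "Warning"),
                                    ThresholdElement(">=", 90, "Critical")],
                    DEFAULT_SEVERITIES)
    business = Schedule("8x5", frozenset(range(5)), 8, 17)
    after_hours = Schedule("8x5 inverted", frozenset(range(5)), 8, 17, inverted=True)
    day = Alert("CPU Status", cpu, business, ["noc@example.com"])
    night = Alert("CPU Status", cpu, after_hours, ["oncall@example.com"])
    print(day.handle(95, weekday=2, hour=10))    # Critical to the NOC
    print(night.handle(95, weekday=2, hour=10))  # None: inside the inverted window
    print(night.handle(75, weekday=2, hour=20))  # Warning to on-call
```

Two alerts that share one threshold but use a schedule and its inverted twin are the model's version of the guide's example of reaching a GMS user during business hours and the admin outside them; the value 95 matches both elements, and the Critical one is chosen because it ranks higher in the severity list.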


The GEM process flow is illustrated below. As you can see, you begin by configuring Severities
and end with creating Alerts.

What is Granular Event Management?


The purpose of Granular Event Management is to provide all the event handling and alerting
functionality for GMS. The GMS management interface provides screens for centralized event
management on the Console panel, including screens for Events > Settings, Severity,
Threshold, Schedule, and Alert Settings. The Firewall, SRA, CDP, and Email Security panels
also provide an Events > Alert Settings screen where you can add, delete, enable, or configure
alerts that relate to either policies or reports.
You can create or update an alert at the global, group, or unit level in GMS. At the group or
global level, the alert is then applied to all units in the group or globally. Whenever you add a
new unit to GMS management, the alerts set at the global level are applied to the new unit.
Group level alerts are not automatically applied to the new unit, but when you update an alert
at the group level, the update applies the alert to the entire group including any new units.

Benefits
Granular Event Management offers a significant improvement in control over the way different
events are handled. You now have more flexibility when deciding where and when to send
alerts, and you can configure event thresholds, severities, schedules, and alerts from a
centralized location in the management interface rather than configuring these on a per-unit
basis.


How Does Granular Event Management Work?


The Granular Event Management framework provides customized event handling functionality
for GMS, including email alerting on the status of specific VPN tunnels, alerting based on
schedules (such as 8 am to 5 pm, or 24 hours a day), and alerting to specific email destinations
based on severity. You can also configure GEM to send an alert when changes are made
to a managed appliance by a local administrator through the appliance management interface
rather than through GMS. This is a predefined alert available on the Policies panel. For a list of
the predefined alerts, see Using Granular Event Management on page 824.

Using Granular Event Management


For convenience and usability, a number of default settings are predefined for severities,
schedules, thresholds, and alerts. You can edit the predefined values to customize these
settings, or you can create your own at the global, group, or unit level. To create your own, start
by examining the Events screens on the Console Panel and adding custom components where
needed. Then continue with the Events > Alerts Settings screens in the Firewall, SRA, CDP and
Email Security panels. The predefined defaults for the Console panel are as follows:
Table 27  GEM Predefined Default Objects

Panel     Screens                  Predefined Default Objects
Console   Events > Severities      Information
                                   Warning
                                   Critical
Console   Events > Thresholds      Unit WAN Status
                                   Unit HF Status
                                   Unit Locally Changed
                                   VPN Tunnel Status
                                   Capacity in Percentage
                                   Agent Quota Reached
                                   Monitor Bandwidth
                                   Monitor by Percentage
                                   Monitor by Percentage (Anti)
                                   Monitor CPU
Console   Events > Schedule        Schedule Groups:
                                   24x7
                                   Weekdays 24 hours
                                   8x5
                                   Weekend
                                   Schedules:
                                   Schedule: admin
                                   Database Backup
                                   Monday 24 hours
                                   Monday business hours
                                   Tuesday 24 hours
                                   Tuesday business hours
                                   Wednesday 24 hours
                                   Wednesday business hours
                                   Thursday 24 hours
                                   Thursday business hours
Console   Events > Alert Settings  Unit Status Report
                                   Database Info
                                   New Firmware Availability
                                   Database Size Status
                                   System Files Backed-Up Status
                                   Disk Space Utilization Status

About Alerts
The Events > Alert Settings screens are available in the Console, Firewall, SRA, CDP, and
ES panels. You can create and edit alerts on these screens. In the alert settings screens, you
can combine all of the previous elements (severity, threshold, and schedule) that you have
configured in the Console panel.
The GEM framework provides different alert types for the respective areas of the GMS
application:

Policies panel: Alert settings for Management

Reports panel: Alert settings for Reporting

Console panel: Alert settings for the GMS application


Table 28  GEM Alert Types

Panel location   Available Alert Types
Console          Backed up Syslog Files
                 Database Info
                 Disk Space Utilization Status
                 New Firmware Availability
                 Unit Status Report
Reports          Bandwidth Usage (Billing Cycle)
                 Bandwidth Usage (Daily)
                 Data Usage (Billing Cycle)
                 Data Usage (Daily)
                 Events/Hits Total (Daily)
                 Number of Attacks (Daily)
                 Number of Threats (Daily)
Policies         Unit HF Status
                 Unit Locally Changed
                 Unit Status
                 Unit WAN Status
                 VPN Tunnel Status
                 Agent Quota Reached
                 Agent Unsuccessful Backups
                 Appliance Capacity Status
                 CPU Status
                 Offsite Capacity Status

Duplicate Alerts
Duplicate alerts are allowed in GMS. A duplicate alert uses the same alert type that is already
used in an existing alert. You do not need to create a duplicate alert if you want to add to or
change an existing alert. Normally, you would avoid creating a duplicate alert by editing an
existing alert to add another threshold element, destination, or other component. For example,
you can have two or more threshold elements in the same alert to trigger under different
conditions.
At times there are benefits to creating a duplicate alert. As an example, only five destinations
are allowed per alert, so a duplicate alert could include additional destinations. Or, you could
create a duplicate alert that sends SNMP traps while the original alert sends email notifications.
Also, if a threshold is being shared and you do not want to modify it, you can create a separate
threshold and use it in a duplicate alert.
GMS displays a warning when you try to create a duplicate alert. The warning serves as a
reminder in case you forget that an alert already exists using the same alert type.

Note: Duplicate alerts use more resources on the alerting agent but do not have a large impact on performance. If the destinations are identical, you receive two alert emails instead of one.


Configuring Granular Event Management


To set up the GEM environment after installing GMS, start with the Events screens on the
Console panel. You should examine each Events screen and make any necessary
configuration changes. Then you can configure alerts in the Events screens on the Policies
panel and Reports panel.
See the following sections:
- Configuring Events on the Console Panel section on page 827
- Configuring Alerts on the Console Panel section on page 837

Configuring Events on the Console Panel


To experience the benefits of GEM, you must configure alerts for important events. In the
Events screens on the Console panel, you can configure the frequency of subscription
expiration and task failure notifications, as well as severities, thresholds, schedules, and alerts
for handling events.
See the following sections:
- Configuring Event Alert Settings section on page 827
- Configuring Event Severities section on page 828
- Configuring Event Thresholds section on page 829
- Configuring Event Schedules section on page 834
- Configuring Alerts on the Console Panel section on page 837

Configuring Event Alert Settings

In Events > Settings, you can specify the following:
- Email Alert Format, such as HTML (the default), text, or text for a pager
- Email Alert Frequencies and Thresholds
- Enable and Disable Alerts

To configure Event Settings, perform the following steps:
1. On the Console panel, navigate to the Events > Settings screen.
2. Under Email Alert Format Preferences, select whether the email alert will be sent as HTML, Plain Text, or Plain Text (Simple). The Simple setting sends a very short email so that the message is not truncated by the character limits of pagers and similar devices.
   Note: To help you choose a format, see Email Alert Formats section on page 842, which shows the appearance of each Email Alert Format Preference.
3. Click Update.

Configuring Event Severities


In the Events > Severity screen, you can create your own severity levels or use the predefined severity levels, delete severity levels, and define the severity priority. Users with permissions to the Severity screen can create and edit these severities.
GMS supplies the following three predefined severity levels:
- Information: the lowest severity level
- Warning: a mid-range severity level
- Critical: the highest severity level

To configure Event Severities, perform the following steps:
1. On the Console panel, navigate to the Events > Severity screen. On this screen, you can re-sequence the severities in order of importance by entering a severity sequence number in each field.
2. Do one of the following:
   - To re-order existing severities with the new sequence numbers that you entered, click Update.
   - To add a new severity level, click Add Severity.
3. In the Add Severity dialog box, type a name for the new severity level in the Name field. The Domain pull-down list is only available for a Super Admin.
4. Choose the color associated with this severity level by selecting a color from the Color Chooser dialog. A preview of the selected color appears in the Preview field.
5. Click Update.
6. In the Console > Events > Severity screen, assign the level for the new severity you created by changing the numbering in the Sequence column of the Severity table.
7. Click Update.

Perform the following steps to edit or delete a Severity:
1. To edit a Severity, click the Edit icon. The Edit Severity pop-up window displays.
2. Configure the Severity Settings, then click the Update button.
3. To delete one or more Severities, select the checkbox for each severity you wish to delete, then click the Update button. You can also click the Delete icon in the Edit column to delete a single severity.
   Note: Deleting a Severity that is in use is not permitted. A warning message displays when this action is attempted.

Configuring Event Thresholds


In the Events > Threshold screen, you can view existing event thresholds, enable or disable them, and configure their elements. A threshold defines the condition under which an event is triggered. Predefined thresholds have names similar to the predefined Alert Types. Each threshold can contain one or more threshold elements. An element consists of an Operator, a Value, and a Severity.
The following tasks are described in this section:
- Adding a Custom Threshold section on page 830
- Adding a Threshold Element section on page 831
- Editing a Custom or Existing Threshold section on page 831
- Editing a Threshold Element section on page 832
- Enabling/Disabling Thresholds and Threshold Elements section on page 833
- Deleting a Threshold and Threshold Elements section on page 833

Adding a Custom Threshold


To add a custom threshold, perform the following steps:
1. On the Console panel, navigate to Events > Threshold.
2. Click the Add Threshold button to add a new threshold.
3. In the Add Threshold dialog box, provide a name for the threshold in the Name field. The Domain pull-down list is only available for a Super Admin.
4. Select the Visible to Non-Administrators check box if you want the threshold to be visible to non-administrators. If this is selected, anyone can view the threshold elements and use the threshold in customized reports.
   Note: If Visible to Non-Administrators is unchecked, only users from the Administrator group or the threshold creator can view, use, edit, and delete the threshold. Whether or not it is selected, only users from the Administrator group and the threshold creator can edit or delete this object.
5. Click Update.

Adding a Threshold Element


Elements are the components of a threshold; you define a threshold by defining its elements.
1. To add a threshold element to the threshold, click the plus button in the Configure column of the Events > Threshold screen. The Add Threshold window displays.
2. In the Operator pull-down menu, select from the list of operators.
3. In the Value field, enter a value.
4. In the Description field, optionally enter a description to override the auto-generated description.
5. In the Severity field, select a severity.
6. The Disable check box allows you to temporarily disable the element without deleting it. Select the Disable check box if you want to disable it. For more information about the enabling and disabling feature, see Enabling/Disabling Thresholds and Threshold Elements section on page 833.
7. Click Update.

Editing a Custom or Existing Threshold


To edit a custom or existing threshold, perform the following steps:
1. On the Events > Threshold screen, click the edit button in the threshold row. The Edit Threshold window displays.
2. In this window, you can edit the name of the threshold and whether it is visible to non-administrators. For more information on the Visible to Non-Administrators feature, see Adding a Custom Threshold section on page 830.
3. Click Update.

Editing a Threshold Element


To edit an existing element of a threshold, perform the following steps:
1. On the Events > Threshold screen, click the Edit icon located in the Configure column in the element row. The Edit Threshold pop-up window displays.
   Note: Some alerts created by certain Alert Types contain predefined thresholds that cannot be edited: the Unit HF Status, Unit WAN Status, and Unit Locally Changed Alert Types, and the thresholds with the same names in the Console panel.
2. In the Operator field, select from the drop-down menu the type of operator to apply to your threshold element.
3. In the Value field, enter the value for your threshold element.
4. In the Description field, enter the description for your threshold element.
5. In the Severity field, select the severity priority from the drop-down menu. Severities are color coded for easy reference on the Events > Threshold screen.
6. To disable the threshold element, select the Disable check box. See Enabling/Disabling Thresholds and Threshold Elements section on page 833.
7. Click Update.

Enabling/Disabling Thresholds and Threshold Elements


The GEM feature provides a Disable check box that allows you to disable or enable thresholds or individual elements within a threshold. Disabling an element or threshold rather than deleting it preserves the time invested in creating it; if it is needed again, you can simply enable it.
A threshold is disabled by disabling all of its elements. You can also disable individual elements within a threshold.
To enable or disable thresholds and/or their elements, perform the following steps:
1. On the Console panel, navigate to the Events > Threshold screen. This screen lists the existing thresholds; click the expand button next to a threshold to view its elements. You have two options:
   - Enable or disable a whole threshold by enabling or disabling all of the elements within it.
   - Enable or disable individual elements within a threshold.
2. To enable or disable a threshold and/or its elements, click the edit button at the element level.
3. Select the Disable checkbox to disable the element, or de-select it to enable the element.
4. Click Update.

Deleting a Threshold and Threshold Elements


On the Events > Threshold screen, you can delete thresholds and threshold elements with the Delete Threshold(s)/Element(s) button. To view the elements within a threshold, expand the threshold. You can select which threshold, or which elements within that threshold, to delete. If you delete a threshold, the elements within it are deleted as well.
To delete thresholds and threshold elements, perform the following steps:
1. On the Events > Threshold screen, optionally expand the threshold to view its individual elements.
2. To delete a threshold, select the checkbox to the left of the threshold name. Its elements are automatically selected as well.
3. To delete an element, select only the element checkbox.
4. When you have finished with your selections, click the Delete Threshold(s)/Element(s) button.
   Note: Deleting a threshold that is in use is not permitted. A warning message displays when this action is attempted.

Configuring Event Schedules


The next component on the Console panel is Events > Schedule. In this screen, you can add, delete, or configure schedules and schedule groups.
A schedule group is one or more schedules grouped within an object. Administrators and Owners can edit these objects. Other users can view or use them only if the Visible to Non-Administrators check box is selected.
The following tasks are described in this section:
- Adding an Event Schedule section on page 834
- Editing an Event Schedule section on page 835
- Adding an Event Schedule Group section on page 835
- Deleting a Schedule or Schedule Group section on page 836

Adding an Event Schedule

In Events > Schedule you can add, delete, or configure schedules. The screen lists your schedules and schedule groups, their descriptions, and whether they are enabled. You can delete one schedule or schedule group at a time by clicking the trash icon on the right-hand side of its row. For quick reference, hover your mouse over a description to view the type of schedule and the days and times when it is active.
To add an event schedule, perform the following steps:
1. On the Events > Schedule screen, click Add Schedule.
2. In the Name field, enter a name for the schedule.
3. In the Domain field, click the pull-down list and select a name. This function is for Super Admins only.
4. In the Description field, add a description for the schedule.
5. Select the Visible to Non-Administrators check box if you want the schedule to be visible to and usable by non-administrators.
6. To temporarily disable the schedule, select the Disable checkbox.
7. Click Invert to create a schedule that is off during the dates and times that you specify.
8. In the Schedule field, you can create one or more schedules. For each schedule, configure either:
   - One Time Occurrence: fill in the Date and Time fields.
   - Recurrence: fill in the Days, Start Time, and End Time fields.
9. Click Add to add this schedule to the Schedule List text box.
10. To delete an entry from the Schedule List text box, select the entry and click Delete. Click Delete All to delete all entries.
11. Click Update when you are finished.

Editing an Event Schedule


To edit an existing schedule, click the Edit icon on the right side of the Events > Schedule screen. The screen and procedure for editing are the same as those for adding a schedule. See Adding an Event Schedule section on page 834.

Adding an Event Schedule Group


You can combine several schedules into a schedule group on the Events > Schedule screen.
To add a schedule group, perform the following steps:
1. On the Events > Schedule screen, click the Add Schedule Group button.
2. Enter the name of your schedule group in the Name field.
3. Enter a description of your schedule group in the Description field.
4. Select the Visible to Non-Administrators check box to allow this schedule group to be viewed and used by non-administrators.
5. Select the Disable check box to temporarily disable the schedule group.
6. In the Schedules field, select the schedule(s) to add to your schedule group, and then use the arrow buttons to move the selected schedules into or out of the group. To move multiple schedule groups and/or schedules at once, hold the CTRL key on your keyboard while making your selections.
7. Click Update.

Editing an Event Schedule Group

To edit an existing schedule group, click the Edit icon on the right side of the Events > Schedule screen. The screen and procedure for editing are the same as those for adding an event schedule group. See Adding an Event Schedule Group section on page 835.

Deleting a Schedule or Schedule Group


You can delete custom schedules or schedule groups, or remove schedules from schedule groups. You cannot delete predefined static schedules or schedule groups. Only Administrators and Owners can delete schedules or schedule groups.
Note: Deleting a schedule or schedule group that is in use is not permitted. A warning message displays when this action is attempted.
To delete an event schedule or schedule group, or to remove a schedule from a schedule group:
1. Navigate to the Events > Schedule screen.
2. Select the check boxes of the schedule groups or schedules that you want to delete. When you select a schedule group check box, the schedules within that schedule group are deleted as well.
3. To remove a schedule from a schedule group, click the expand button on the schedule group and select the schedules you wish to remove from that group.
4. To delete the selected schedule group(s) or remove the selected schedules from a group, click the Delete Schedule Group(s)/Remove Schedules from Group button.
5. To delete the selected schedule(s), click the Delete Schedule(s) button.

Configuring Alerts on the Console Panel


The Console > Events > Alert Settings screen provides predefined alerts that apply to GMS as a whole. These are status-type alerts and do not use thresholds. Hover your mouse over an alert to display information about it. You can configure the predefined alerts to use different destinations and schedules.

Add Alert
In the Add Alert panel you can enter an alert name and description, select the Visible to Non-Administrators and Disable options, and enter the polling interval. Perform the following steps to add an alert:
1. Navigate to the Events > Alert Settings page.
2. Click the Add Alert link. The Add Alert screen displays.
3. Enter a name and description for your alert.
4. Select the Visible to Non-Administrators checkbox if you want the alert to be visible to non-administrators.
5. Select the Disable checkbox to disable this alert.
6. Enter a Polling Interval value in seconds (60 to 86400).

Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the definition of each alert type. Perform the following steps to configure an Alert Type:
1. Click the Alert Type pull-down list and select an alert type. When an alert type is selected, a description for that alert is displayed in the Alert Type panel.
   Note: Most Alert Types require you to edit content. Editing Contents allows you to pick, in a granular fashion, the additional information on which alerting is to be performed.
2. Click the Edit Content link. The Edit Contents for Alert Type pop-up window for the selected type displays (for example, Edit Contents for Alert Type Unit Status).
3. Click the Threshold pull-down list and select a threshold.
   Note: You can create a new threshold on the fly by clicking the icon beside the list. Only one new threshold can be created in this way.
   Note: If you select another Alert Type before you click Update in the Add Alert dialog box, or if you click Reset, you lose the threshold that you created on the fly and the Edit Content status becomes Not Edited.
4. Click the Update button. To reset the settings, click the Reset button.

Destination / Schedule
In the Destination / Schedule panel you can add up to five destinations and set a schedule for each. Perform the following steps to add a destination and set a schedule:
Note: Every selected destination is required to have a schedule set.
1. Click the Add Destination link under the Destination/Schedule section. The Destination field designates where you want alerts to be sent. An alert can have a maximum of five destinations.
2. Click the Schedule pull-down list, then select a schedule. The Schedule field designates when alerts may be sent to the destination.
3. Click Update to finish adding an alert.
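The following added example (constructed for this guide, not GMS code) models how the objects configured in this chapter combine when an alert is evaluated: threshold elements (Operator, Value, Severity, Disable), severity sequence numbers, schedules with the Invert option, the five-destination limit with a required schedule per destination, and the 60 to 86400 second polling interval. The operator set, the rule that the highest-sequence severity wins when several elements match, and the treatment of a disabled schedule as never active are assumptions; GMS's internal evaluation logic is not documented on this page.

```python
"""Model of how a GEM alert is evaluated: threshold elements, severities, schedules
and destinations. Constructed illustration, not GMS code; see the lead-in for the
assumptions (operator set, Invert semantics, disabled schedules, severity tie-break)."""
import operator
from dataclasses import dataclass, field
from datetime import datetime, time

# Severity sequence numbers as set on Console > Events > Severity (higher = more important).
SEVERITY_SEQUENCE = {"Information": 1, "Warning": 2, "Critical": 3}

# Assumed operator set for threshold elements.
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "==": operator.eq, "!=": operator.ne}

MAX_DESTINATIONS = 5            # GMS allows at most five destinations per alert
POLL_MIN, POLL_MAX = 60, 86400  # polling interval range in seconds


@dataclass
class ThresholdElement:
    op: str
    value: float
    severity: str
    disabled: bool = False      # the Disable check box: kept, but ignored during evaluation

    def matches(self, observed: float) -> bool:
        return not self.disabled and OPERATORS[self.op](observed, self.value)


@dataclass
class Threshold:
    name: str
    elements: list

    def evaluate(self, observed: float):
        """Return the most important matching severity, or None if no enabled element matches.
        Assumption: when several elements match (e.g. '>= 80' and '>= 95'), the one with the
        highest severity sequence wins, so one reading yields one alert level."""
        hits = [e.severity for e in self.elements if e.matches(observed)]
        return max(hits, key=SEVERITY_SEQUENCE.__getitem__) if hits else None


@dataclass
class Schedule:
    """Recurrence schedule: active on the given weekdays between start and end inclusive."""
    days: set                   # 0 = Monday ... 6 = Sunday
    start: time
    end: time
    invert: bool = False        # Invert: the schedule is OFF during the days/times given
    disabled: bool = False      # assumption: a disabled schedule is never active

    def is_active(self, at: datetime) -> bool:
        in_window = at.weekday() in self.days and self.start <= at.time() <= self.end
        return (in_window != self.invert) and not self.disabled


@dataclass
class Alert:
    name: str
    threshold: Threshold
    polling_interval: int = 300
    destinations: list = field(default_factory=list)   # [(destination, Schedule)]

    def __post_init__(self):
        if not POLL_MIN <= self.polling_interval <= POLL_MAX:
            raise ValueError("polling interval must be %d-%d seconds" % (POLL_MIN, POLL_MAX))

    def add_destination(self, dest: str, schedule: Schedule) -> None:
        if schedule is None:
            raise ValueError("every destination must have a schedule")
        if len(self.destinations) >= MAX_DESTINATIONS:
            raise ValueError("at most five destinations per alert; use a duplicate alert for more")
        self.destinations.append((dest, schedule))

    def poll(self, observed: float, at: datetime):
        """One polling cycle: (destination, severity) pairs to notify for this reading."""
        severity = self.threshold.evaluate(observed)
        if severity is None:
            return []
        return [(d, severity) for d, s in self.destinations if s.is_active(at)]


# Constructed sample: a disk utilisation threshold with two enabled elements and one disabled.
disk = Threshold("Disk Space Utilization Status", [
    ThresholdElement(">=", 80, "Warning"),
    ThresholdElement(">=", 95, "Critical"),
    ThresholdElement(">=", 50, "Information", disabled=True),
])
WEEKDAYS = {0, 1, 2, 3, 4}
business_hours = Schedule(WEEKDAYS, time(8, 0), time(18, 0))
after_hours = Schedule(WEEKDAYS, time(8, 0), time(18, 0), invert=True)

alert = Alert("Disk space", disk, polling_interval=300)
alert.add_destination("noc@example.com", business_hours)         # constructed addresses
alert.add_destination("oncall-pager@example.com", after_hours)


def demo(hour: int = 2, minute: int = 30):
    """97% used on Tuesday 12 June 2012 at the given time: at 02:30 only the after-hours
    pager destination is notified, at 10:00 only the NOC mailbox."""
    return alert.poll(97.0, datetime(2012, 6, 12, hour, minute))
```

Running demo() for the same reading at 02:30 and at 10:00 on a weekday shows why each destination carries its own schedule: the pager destination with the inverted business-hours schedule is notified only after hours, and the NOC mailbox only during them. To notify more than five destinations, create a duplicate alert as described under Duplicate Alerts.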

Enabling/Disabling Alerts
Perform the following steps to enable or disable an alert:
Enabling an Alert
1. Select the Enabled checkbox of the alert(s) you wish to enable.
2. Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to confirm.
Disabling an Alert
1. Deselect the Enabled checkbox of the alert(s) you wish to disable.
2. Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to confirm.

Deleting Alerts
Perform the following steps to delete an alert:
1. Select the checkbox(es) of the alert(s) you wish to delete.
2. Click the Delete Alert link. A confirmation window displays.
3. Click OK to delete.
Note: You can also delete an alert by clicking the Delete icon under the Configure section of the alert you wish to delete.

Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps to edit an alert:
1. Click the Configure icon of the alert you wish to edit. The Edit Alert page displays.
2. Refer to the Add Alert section and follow the configuration procedures to edit your existing alert.

Viewing Current Alerts


You can view a list of current alerts on the Events > Current Alerts page of the Firewall, SRA, CDP, or ES panel. Select a global view, group, or unit to view current alerts for your selection.

Sample Event Alert Reports

Examples of the alert emails you will receive are shown in the following figures:
Figure 45:6 Database Healthcheck
Figure 45:7 Critical: Unit Status
Figure 45:8 Critical [Recovered]: Unit Status

Email Alert Formats

Alert emails are available in the following formats, each illustrated by a sample figure:
- HTML
- Plain Text
- Plain Text (simple)


CHAPTER 46
Managing Licenses
This chapter provides information about GMS licensing, registration, upgrading to new versions, and applying software patches.
This chapter includes the following sections:
- GMS License section on page 845
- SonicWALL Upgrades section on page 849

GMS License
The following sections describe how to manage GMS licenses:
- Upgrading a Demo License to a Retail License section on page 846
- Product Licenses section on page 846

Upgrading a Demo License to a Retail License


The following sections describe how to upgrade a SonicWALL GMS demo license to a retail license.

Upgrading within the Demo Period

To upgrade a SonicWALL GMS demo license to a retail license within the demo period, perform the following steps:
1. Click the Console Panel tab, expand the Licenses tree, and click Manage Licenses. The product License Summary page displays. If prompted to log in, enter your mysonicwall.com user name and password before continuing.
2. Enter the activation code in the Activation Code field and click Upgrade.
The License Type changes to Retail License and the Current Nodes Allowed changes from 10 to 25.

Upgrading Outside the Demo Period

To upgrade a SonicWALL GMS demo license to a retail license after the demo period expires, perform the following steps:
1. Start SonicWALL GMS. The Registration page displays.
2. Enter the demo upgrade activation code and click Update. The Login page displays and the license is upgraded.

Product Licenses
The Product Licenses page allows the user to view, upload, and manage licenses and subscriptions for this GMS installation.

License Summary
View license details on the Licenses > Product Licenses page, under the License section.
This section displays the following information about security services and support services:
- Status: whether the product is licensed or not licensed.
- Count: the remaining number of licenses for this service.
- Expiration: the expiration date of the service (if applicable).

Current Subscription Expirations

View current subscription expiration status on the Licenses > Product Licenses page, under the Current Subscription Expirations section. This section displays a summary of any subscriptions that carry an expiration date.

Managing Licenses
This feature allows licenses to be managed through your MySonicWALL.com account.
To manage licenses:
1. In the Console panel, navigate to the Licenses > Product Licenses page.
2. Click the Manage Licenses button. The MySonicWALL login page displays.
3. Log in with your MySonicWALL credentials to manage your licenses.

Refreshing Licenses
This feature allows the administrator to synchronize GMS with the MySonicWALL license server. Synchronization is useful if you have recently purchased new licenses and they do not yet appear on the summary page.
To refresh licenses:
1. In the Console panel, navigate to the Licenses > Product Licenses page.
2. Click the Refresh Licenses button. The License Summary page displays a message, and the date of last contact changes to reflect the synchronization.

Manually Uploading a License

Normally, MySonicWALL communicates with your GMS installation to synchronize licenses automatically. The manual upload feature is useful if your GMS node has no Internet connectivity.
To manually upload a license:
1. In the Console panel, navigate to the Licenses > Product Licenses page.
2. Click the Upload Licenses button. The Upload Licenses page displays.
3. Click the Browse... button to locate your locally stored license file.
   Note: License files for manual updates are available for download through your MySonicWALL account.
4. Click the Upload button to complete the license transfer.

SonicWALL Upgrades
This section describes the procedures for upgrading SonicWALL appliances. This functionality includes adding nodes, content filter subscriptions, VPN functionality, VPN clients, anti-virus licenses, and more.
When a SonicWALL GMS subscription service (for example, warranty support, anti-virus, or content filtering) is about to expire, the GMS administrator receives expiration notifications by email prior to the expiration. The email notification is sent once a day (if applicable) and lists all managed SonicWALL appliances with expiring subscription services.
To upgrade SonicWALL appliances, complete the following procedures:
1. Upgrading the Node License section on page 849
2. Purchasing Upgrades section on page 849
3. Activating the Upgrades section on page 850

Upgrading the Node License

Depending on the number of licenses you have ordered, you may need to add SonicWALL GMS licenses to configure and support additional SonicWALL appliances. This section describes how to perform a node license upgrade. To view the current node license, click the Console panel, expand the Licenses tree, and click Product License. The current license is displayed under the License Summary section.
SonicWALL offers unified support packages called Comprehensive GMS Support (CGS). CGS is an annual agreement that includes:
- Technical support for the GMS application
- Software updates and upgrades for GMS
- Technical support, advanced-exchange hardware replacement, and firmware updates for all of the units under GMS management
Comprehensive GMS Support is sold in increments of 25, 100, and 1,000 nodes and is available in both 8x5 and 24x7 versions. The nodes can be any combination of SonicWALL firewall appliances or SRA nodes. Currently CDP and SonicWALL Email Security are not included in CGS packages.

Purchasing Upgrades
To purchase upgrades, perform the following steps:
1. Contact your SonicWALL sales representative. You will receive an activation code for each upgrade that you purchase.
2. After receiving the activation codes for the SonicWALL upgrades, continue to the next section.

Activating the Upgrades


To license upgrades, perform the following steps:
1. Click the Console tab, expand the Licenses tree, and click Activation Codes. The SonicWALL Activation Codes page displays.
2. To manually add one or more activation codes, enter a list of activation codes separated by semicolons in the Activation Code (manual) field.
3. Click Add Activation Code(s). GMS validates the codes with the backend server and adds the valid ones to the GMS license pool database. The Console > Logs screen provides more information on the success or failure of individual activation codes.
4. To delete activation codes, select one or more codes under the Delete Activation Codes section and click the Delete Activation Code(s) button.
5. To add a large number of activation codes from a file, type the file name into the Activation Code (file-based) field, or click Browse to select the file. Then click Add Activation Code(s) and follow the on-screen prompts.
   The file can contain multiple activation codes, one per line. Once the operation completes, the Console > Logs screen has more detailed information on the success or failure of the individual activation codes in the file. A sample file with three activation codes (one per line) follows:
   SBRG4827
   AGTRUY56
   GFKJASLJ

CHAPTER 47
Web Services
This chapter provides information about the GMS Web Services feature. Web Services is a software system designed to support interoperability between GMS and other network appliances, servers, and devices through an application programming interface (API).
Web Services is located in the Console panel of the GMS management interface.
This chapter includes the following sections:
- URI Basics section on page 851
- Settings section on page 852
- Status section on page 852
- Distributed Instances section on page 853

URI Basics
The URI is an HTTPS string used to identify Web Services resources. Each URI is composed of static parts and dynamic parts that differ for each particular deployment.
The following is a typical, though not comprehensive, URI example:

https://10.0.14.150/ws/screenAttributes/0001B123C45D/1003

Reading from left to right, its parts are:
- https: the protocol
- 10.0.14.150: the host name or IP address of the GMS server
- ws: the Web Services application name
- screenAttributes: the Web Service name
- 0001B123C45D: the serial number of the appliance (dynamic)
- 1003: the screen ID (dynamic)

Note: For more information on configuring and using GMS Web Services in your deployment, download the GMS Web Services Technote at: <http://www.sonicwall.com/us/support.html>

Settings
The Settings screen allows configuration of a secure HTTPS Public URI for use with Web Services features. The public URI specified here is used to access Web Services and to ensure proper embedded cross-links between Web Services applications.
To configure Web Services Settings:
1. Navigate to the Web Services > Settings screen on the GMS Console panel.
2. Choose which deployment you wish to configure from the pull-down list in the GMS Deployment section.
3. Enter the public server name and port in the Public URI section. This field is typically pre-populated during the GMS install/setup process.
4. Click the Update button to save your changes.

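As an added example (not part of the guide and not GMS code), the following Python code parses and validates Web Services URIs of the shape shown under URI Basics, rebuilds them with the dynamic parts percent-encoded, and checks a Public URI of the kind entered on the Settings screen for the HTTPS requirement. The serial-number format (12 upper-case hexadecimal characters), the numeric screen ID, and the service-name pattern are assumptions taken from the single example URI on this page.

```python
"""Parse, validate and build GMS Web Services URIs of the form shown under URI Basics.
Constructed illustration, not GMS code. The serial-number, screen-ID and service-name
patterns below are assumptions drawn from the one example URI in the guide."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, quote

SERIAL_RE = re.compile(r"^[0-9A-F]{12}$")           # assumption: 12 upper-case hex characters
SCREEN_ID_RE = re.compile(r"^[0-9]+$")              # assumption: decimal screen ID
SERVICE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")  # assumption: simple identifier


@dataclass(frozen=True)
class WsUri:
    host: str        # host name or IP address, with :port when not 443
    service: str     # Web Service name, e.g. screenAttributes
    serial: str      # appliance serial number (dynamic part)
    screen_id: str   # screen ID (dynamic part)

    def build(self) -> str:
        # The dynamic parts are percent-encoded so that a crafted serial or ID cannot
        # smuggle extra path segments ("../") or a query string into the request.
        return "https://{}/ws/{}/{}/{}".format(
            self.host, quote(self.service, safe=""),
            quote(self.serial, safe=""), quote(self.screen_id, safe=""))


def parse_ws_uri(uri: str) -> WsUri:
    """Split a Web Services URI into its parts, accepting only
    https://<host>/ws/<service>/<serial>/<screenId> with well-formed dynamic parts."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("Web Services URIs must use https, got %r" % parts.scheme)
    if not parts.netloc or parts.query or parts.fragment:
        raise ValueError("missing host or unexpected query/fragment in %r" % uri)
    segments = parts.path.strip("/").split("/")
    if len(segments) != 4 or segments[0] != "ws":
        raise ValueError("expected /ws/<service>/<serial>/<screenId>, got %r" % parts.path)
    _, service, serial, screen_id = segments
    if not SERVICE_RE.match(service):
        raise ValueError("bad Web Service name %r" % service)
    if not SERIAL_RE.match(serial):
        raise ValueError("bad appliance serial number %r" % serial)
    if not SCREEN_ID_RE.match(screen_id):
        raise ValueError("bad screen ID %r" % screen_id)
    return WsUri(parts.netloc, service, serial, screen_id)


def public_uri_ok(public_uri: str) -> bool:
    """Check a Web Services > Settings Public URI: https, a host (optionally with a port),
    and no path, query or fragment, since GMS appends the /ws/... part itself."""
    p = urlsplit(public_uri)
    return (p.scheme == "https" and bool(p.hostname)
            and p.path in ("", "/") and not p.query and not p.fragment)


EXAMPLE = "https://10.0.14.150/ws/screenAttributes/0001B123C45D/1003"   # URI from the guide
```

parse_ws_uri(EXAMPLE).build() round-trips to the original string; a serial such as "../admin" passed to WsUri.build() is emitted as "..%2Fadmin" rather than as a new path segment, and plain http URIs are rejected at parse time.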
Status
The Status screen allows the administrator to view, enable, and disable individual Web Services across one or more GMS deployments.
To view and configure Web Services status:
1. Navigate to the Web Services > Status screen on the GMS Console panel.
2. Select or deselect the Enabled checkbox for the service(s) you wish to enable or disable.
3. Click the Update button to save your changes.
The Web Services table on the Web Services > Status screen gives the following information about each Web Service:

Feature       Description
Enabled       If selected, this feature is currently enabled
Service       The name of the Web Service
URI           The full URI used to access this Web Service
Description   A description of the Web Service

Distributed Instances
The distributed instances screen allows the administrator to enable and configure distributed
instances of GMS Web Services. The distributed instances feature is accessed through the
Web Services > Distributed Instances screen in the GMS Console tab.

The Distributed Instances Table

The distributed instances table is located on the Web Services > Distributed Instances screen. Current distributed instances can be viewed, edited, or deleted as follows:
Status: Green: Instance is currently online. Red: Instance is currently offline.
Serial Number: Serial number of this instance.
Name: Friendly name assigned to this instance.
Hostname: Hostname or IP address of this instance.
Port: SSL port used to communicate with this instance.
Username: Username used when accessing this instance.
Password: Password used when accessing this instance.
Edit Icon: Click to edit the properties of this instance.
Delete Icon: Click to delete this instance.

Configuring Distributed Settings

To manage distributed settings for GMS Web Services:
1. Navigate to the Web Services > Distributed Instances screen in the GMS Console tab.
2. Select the Enable distributed instances checkbox to allow this instance of GMS Web Services to interact with other instances.
3. Select the This is a central instance checkbox to designate this installation as the central management point for Web Services across a distributed environment.

Adding a Distributed Instance

To add a new distributed instance for GMS Web Services:
1. Navigate to the Web Services > Distributed Instances screen in the GMS Console tab.
2. Click the Add Distributed Instance link in the Distributed Interfaces section. The Add Remote Interface window displays.
3. Enter a friendly Name for this instance.
4. Enter the Hostname / IP Address for the system.
5. Enter the HTTPS port for the system you wish to add as an instance.
6. Enter the Username you wish to use to access this system.
7. Enter the Password for the username you specified in the previous step.
8. Select the Default Domain for this instance to operate under.
9. Select the Default Scheduler to be used for this instance.
10. Click the Update button to add this instance and wait while the new instance is authenticated and verified.

CHAPTER 48
Using GMS Help
To access the GMS online help, click the blue help button in the top-right corner of the GMS user interface.

The Analyzer online help provides context-sensitive conceptual overviews, configuration examples, and troubleshooting tips.

About GMS
The Console > Help > About page displays the version of GMS being run, who the GMS is licensed to, database information, and the serial number of the GMS.

Tips and Tutorials

Tips and tutorials are available in some pages of the user interface, and are denoted by a Lightbulb icon.

To access tips and tutorials:
1. Navigate to the page where you need help.
2. If available, click the Lightbulb icon in the upper right-hand corner of the window. Tips, tutorials, and online help are displayed for this topic.


CHAPTER 49
UMH/UMA System Settings
This chapter describes how to configure the system settings that are available on the
SonicWALL UMH/UMA system pages.

Note: The UMA appliance and the GMS application both provide a system settings interface, referred to as UMA for the appliance and UMH in GMS software deployments. In either scenario, the switch icon is used to toggle between application and system interfaces.
This chapter includes the following sections:

Status section on page 859

Licenses section on page 861

Time section on page 862

Administration section on page 863

Settings section on page 864

Diagnostics section on page 865

File Manager section on page 867

Backup/Restore section on page 869

RAID section on page 873

Shutdown section on page 873

Status
This section describes the UMH/UMA System > Status page, used to view general status of
the appliance hardware and licensed firmware.

Note: The UMA appliance and the GMS application both provide a system settings interface, referred to as UMA for the appliance and UMH in GMS software deployments. In either scenario, the switch icon is used to toggle between application and system interfaces.

The UMH System > Status page is shown below:

The UMA System > Status page is shown below:

This page identifies the following specifications:
Name: Displays the user-friendly name of the system.
Serial Number: Displays the system identification number.
Version: Displays current firmware version and date.
License: Displays the Global Management System or ViewPoint license status.
Role: Displays configuration set in the Deployment > Roles section of the user interface.
Host Name / IP: Displays the system host name (for example, an FQDN such as mysystem.myhost.com) and IP address.
Current Time: Displays the current date and time, based on your localized time zone settings.
Operating System: Displays the system's currently loaded operating system.
CPU: Displays basic specifications (speed and number of cores) for the system's processor.
RAM: Displays amount of random access memory (RAM) installed on the system.
RAID Array (UMA only): Displays type, status, and size of the currently installed RAID array.
Available Disk Space: Displays free space and total space, in gigabytes.

Licenses
This section describes the UMH/UMA System > Licenses page, used to view and manage
GMS and ViewPoint licenses.
The UMH System > Licenses page is shown below:

The UMA System > Licenses page is shown below:

This page identifies the following specifications:
Security Service: The current license type based on product registration and serial number.
Support Service: The available SonicWALL support types based on product registration and serial number. For the UMA, the Hardware Warranty is also listed here.
Status: License status. If unlicensed, you must purchase a license or register your product or appliance.
Count: Number of valid licenses.
Expiration: Expiration date of your current license.

In addition, you may also use the buttons on this screen to:
Manage Licenses through your MySonicWALL.com account
Refresh Licenses by connecting with the SonicWALL licensing server
Upload Licenses if no external network connection is available

Time
This section describes the UMA appliance System > Time page, used to view and manage the
appliance date/time settings. This page is only available on the UMA appliance.

This page allows the administrator to set the following time and date settings:
Time in Hours/Minutes/Seconds
Date in Month / Day / Year
Time Zone from standard international time zones or coordinated universal time (UTC) for deployments spanning multiple time zones.

The Set time automatically using NTP checkbox may be selected for auto-updated time using standard time servers. Selecting this option causes the system to automatically adjust for daylight saving time in time zones that recognize DST.


Administration
This section describes the UMH/UMA System > Administration page, used to manage basic
administrative settings.
The UMH System > Administration page is shown below:

The UMA System > Administration page is shown below:

This page provides the following functions:

Host Settings
Inactivity Timeout: Number of minutes before an administrator is forcefully logged out of the user interface. Entering a value of -1 allows the account to remain logged in until the appliance is power cycled. Ensure that your console is in a secure location, as this setting can expose your system to potential physical security issues. The default value is 10 minutes.

Enhanced Security Access (ESA)
Enforce Password Security: Check this box to enforce the password security settings in the following boxes.
Number of failed login attempts before user can be locked out: Number of tries a user has to enter the correct password before being locked out of the system for a specified time. Default is 6.
User lockout minutes: Time specified for locking a user out after the user has failed to correctly log in the specified number of times. Default is 30 minutes.
Number of days to force password change: Number of days before a user is forced to change his or her password. Default is 90 days.

Administrator Password
Administrator Name: Default administrator login name, admin.
Current Password: The current password for the admin account.
New Password: The new password for the admin account.
Confirm Password: The new password for the admin account.

To change the administrator password, enter the Current Password in the appropriate field, and then enter a New Password and confirm that password.
Click the Update button when you are finished making changes. Click Reset to return to default settings.

Settings
This section describes the UMH/UMA System > Settings page, used to manage manual
software or firmware upgrades and, on the appliance, re-initialization of factory default settings.
The UMH System > Settings page is shown below:

The UMA System > Settings page is shown below:

On the UMH, this page displays the current version of SonicWALL GMS running on the system, and provides a link to click for the history of upgrades on this system.

This page also allows the administrator to:
Upload a SonicWALL GMS Service Pack or Hotfix by uploading a valid software image from your local drive. After uploading the software, click Apply to reboot the system with the new version.

On the UMA, this page displays the current version of SonicWALL firmware running on the appliance, and provides a link to click for the history of upgrades on this system.

This page also allows the administrator to:
Upgrade firmware by uploading a valid firmware image from your local drive. SonicWALL approved service packs and hotfixes can also be installed through this screen. After uploading the firmware, click Apply to reboot the appliance with the new version.
Reinitialize the appliance to factory default settings by clicking the Reinitialize button. This will remove any of your current settings on the appliance and re-image the UMA with factory default settings. This option is only available for the UMA appliance.

Note: Please be patient while the process is taking place. This process can take up to 15 minutes. Do NOT manually reset or cycle power to the device during this time.

Diagnostics
This section describes the UMH/UMA System > Diagnostics page, used to set the log debug
level, test connectivity to servers, and download system and log files.
The UMH System > Diagnostics page is shown below:

The UMA System > Diagnostics page is shown below:

This page provides the following diagnostic capabilities:
Debug Log Settings: Set the System Debug Level by selecting a value from the pull-down list. Select 0 for no debug information in the logs, 1 or 2 for more debug information, and 3 for maximum debug information. Click Update to apply your changes, or click Reset to return to the default setting of 3.
Test Connectivity: Select one of the following options and then click Test to test connectivity:
  Database Connectivity: Test connectivity using the database parameters configured on the Deployment > Roles page.
  License Manager Connectivity: Test connectivity with the host name that you type into the License Manager Host field.
  SMTP Server Connectivity: Test connectivity using the SMTP server displayed here. The SMTP server is configured on the Deployment > Settings page.
Download System/Log Files: You can generate a TSR and view or search log files in this section. For information about generating a TSR, see the Technical Support Report section on page 866. For information about viewing and searching log files, see the Logs and Syslogs section on page 867.

Technical Support Report

The Tech Support Report generates a detailed report of the SonicWALL security appliance configuration and status, and saves it to the local hard disk using the Export Reports button. This file can then be e-mailed to SonicWALL Technical Support to assist with a problem.

Tip: You must register your SonicWALL security appliance on mysonicwall.com to receive technical support.

Before e-mailing the Tech Support Report to the SonicWALL Technical Support team, complete a Tech Support Request Form at https://www.mysonicwall.com. After the form is submitted, a unique case number is returned. Include this case number in all correspondence, as it allows SonicWALL Technical Support to provide you with better service.

Logs and Syslogs

Both the Logs and Syslogs checkboxes and selection screens allow for the selection of one or more application or system logs. Within the log list, you can select multiple logs using the Ctrl key and search log titles using the Search Filter field.
The Search Filter field accepts regular expressions, such as *Summarizer* for files with Summarizer in their name, or *.?r? for files with an extension that has r as the middle letter (for example, leak.wri and mysql.err). After entering a search filter value, click the right arrow next to the field to see the resulting file list.
After you have selected the appropriate log files, click the Export Logs button. Log(s) are exported to a zip file in a location which you specify.

File Manager
This section describes the UMA appliance System > File Manager page, used to view and
manage system files for a UMA appliance. This page is only available on the UMA appliance.


The File Manager feature provides a way to view the file system and export, delete, add, or
modify files without opening an SSH session to the appliance. You can select the folder to view
from the Select Folder pull-down list. To search for certain file names, enter search parameters
using regular expressions in the Search Filter field and then click the right arrow next to the
field.
This page allows the administrator to perform the following actions:
Export: Exports the currently selected file. If the file size is larger than 5MB, the file is exported as a .zip file. Files exported should be less than 200MB. Single files can be exported by clicking the Export icon to the right of the file name.
Delete: Deletes the currently selected file if correct permissions are available. Single files can be deleted by clicking the Delete icon to the right of the file name.
Add/Edit (Upload): Allows files to be added to, or overwritten in, the currently selected folder. This feature is only available for certain folders and files. Files can be uploaded by clicking the Upload icon (a plus sign) in the upper right corner of the screen.

Working with Multiple Files

Both Export and Delete actions are supported on multiple files. To perform these actions on multiple files:
1. Select checkboxes for multiple files, or click the Select All checkbox to choose all files.
2. Click the Export or Delete buttons on the bottom of the screen to perform these actions on selected files.

Note: Multiple files are exported as a .zip file. Be aware that files larger than 200MB may take a large portion of your unit's bandwidth.


Backup/Restore
This section describes the UMA appliance System > Backup/Restore page, used to create or
restore a snapshot of configurations and data on your UMA appliance. This page is only
available on the UMA appliance.

The Manage Backups section allows you to download a Java-based UI tool wizard to schedule backup snapshots to a remote location. This data export feature allows you to periodically offload backup data and archived reports from your UMA appliance to an offsite client. Web Services are used with this feature. See the Web Services chapter for more information about Web Services. See the Data Export Wizard section on page 870 for information about using the data export feature.
To create a local snapshot, select one from the Available Snapshots list and click the Download Snapshot button. To restore a backup, the snapshot is uploaded to your local storage and then used to restore data. Select one from the Available Snapshots list and click the Restore Snapshot button.
The Immediate Backup/Restore section allows you to create a new snapshot file and download it instantly. To create a new snapshot file, click the Backup Now button. To restore data, select from the Available Snapshots list and click the Restore Now button. You can also upload a snapshot file. To upload a snapshot file, click the Choose File button and navigate to the file on your folder system.
The Scheduled Backup Settings section provides information on your regularly scheduled system backups. By default, your system is on a backup schedule for once a week on Fridays at 10pm. Click Disable Scheduled Backups to stop the scheduled backup maintenance of your system. You can change the schedule interval of your backups by selecting the day of the week, time, directory location for storing your backup files, and the number of snapshots to store before an older snapshot version is deleted. By default, the two latest snapshots are stored. The maximum number of stored snapshots is 3. Click the Update Settings button to apply your changes.


Data Export Wizard


If you have a SonicWALL UMA appliance, you can download and run the Data Export Wizard.
The wizard will help you configure a Java-based client and a corresponding script that you can
use to schedule recurring, automatic backups.
To download and use the wizard:
1. Log in as admin to your UMA appliance and navigate to the System > Backup/Restore page.
2. Click the HERE link under Manage Backups and select whether to run or save the auto_export.zip file.
3. Click the Extract button, browse to the desired folder, such as C:\Program Files, and select the Use folder names option to extract the files from the zip file into a sub-folder called auto_export.
4. Open the README.txt file and read the instructions for using the wizard. On a Windows machine, double-click runWizard.bat to launch the wizard. On a Linux machine, execute runWizard.sh.

Note: In the first release of SonicWALL GMS 6.0, if the runWizard.bat file seems to exit immediately, it may be because you chose a folder with spaces in the name. Edit the runWizard.bat file in a text editor and add quotes around the command.

5. The Select a Task screen displays. Select one of the following options and then click Next:
Create a new configuration script from scratch
Edit an existing configuration script. The Select button appears. Click Select to open a dialog showing existing configuration files in the auto_export/configs directory. Click the desired file and then click Open.
6. The GMS Instance Authentication screen displays.
7. Enter the following information to allow SonicWALL GMS to communicate with Web Services on the UMA, and then click Next:
GMS Serial: The serial number of the UMA system
IP/Domain: Either the domain name or the IP address of the UMA system
HTTPS Port: GMS Web Services always uses the HTTPS protocol to provide the fundamental security mechanism. By default, the port number is 8443.
Username: The GMS administrator's username
Password: The GMS administrator's password
8. The wizard displays the available export Web services. Select the checkbox for each service that should be included in the configuration and then click Next. For example, select the System Backup export service to include it in the export script to offload system backups from a UMA system.
9. The wizard displays a configuration summary. After reviewing the summary, click Save to create the configuration file.
10. Type the file name into the Input dialog box, or accept the pre-populated name if editing an existing configuration script. Click OK. The wizard saves the file in the .../auto_export/configs directory with ".ec" as the file name extension.
11. Click Done to exit the wizard.
12. You can now set up a scheduled task (in Windows) or a cron job (in Linux) to execute runTask.bat or runTask.sh to periodically download backup data from the UMA. The downloaded backup data is stored in the /auto_export/export directory.
Windows command example:
C:\Program Files\auto_export\runTask.bat config_004010235FBE_archiv_report.ec
Linux command example:
/home/ac/auto_export/runTask.sh config_004010235FBE_archived_report.ec

Data is transferred from the UMA system to the target client that executes the export task whenever the schedule is triggered.


RAID
This section describes the UMA appliance System > RAID page, used to review RAID array
drive status. This page is only available on the UMA appliance.

This page identifies the following specifications:
RAID Settings: Displays the RAID manufacturer, model, serial number, driver, and firmware version. Do not use the serial number from this screen for MySonicWALL registration; it is not the same as your UMA appliance serial number.
Array: Displays array type, combined size (for all active drives) and status. This section also itemizes all installed drives in the array and their model, serial number, size (individual), and status.

Shutdown
This section describes the UMA appliance System > Shutdown page, used to shut down the appliance. This page is only available on the UMA appliance.

This page allows the administrator to shut down the appliance, temporarily disconnecting users and stopping any services.
If you made any changes to the settings, be sure to apply them before you shut down. The process of restarting generally takes about 3 minutes.


CHAPTER 50
UMA Network Settings
This chapter describes how to configure the network settings that are available in the
SonicWALL UMA appliance Network screens.
This chapter includes the following sections:

Settings section on page 875

Routes section on page 877

Settings
This section describes the UMA appliance Network > Settings page, used to configure basic
networking and host settings.


This page allows the administrator to configure the following settings:

Host section:
Name: A descriptive name for this appliance
Domain: In the form of sonicwall.com; this domain is not used for authentication

Networking section:
Host IP address: The static IP address for the eth0 interface of the appliance
Subnet mask: In the form of 255.255.255.0
Default gateway: The IP address of the network gateway. This is the default gateway of your perimeter firewall or networking appliance, not the GMS Gateway.
DNS server 1: The IP address of the primary DNS server
DNS server 2: (Optional) The IP address of the secondary DNS server
DNS server 3: (Optional) The IP address of the tertiary DNS server

To apply your changes to the above fields, click the Update button. To revert to default settings,
click Reset.
You can also configure suffixes and enable suffix searches on this page, to aid in host name resolution. If the UMA cannot resolve a host name to its IP address, it appends one suffix at a time to the host name, in the order the suffixes are configured, and tries to resolve the host name with that suffix.

To enable suffix searches, select the Search Suffix checkbox.

To add a suffix, click the Add button to open the Add/Edit Search Suffix dialog box. Type the desired suffix into the Search Suffix field and then click Add. You can click the Configure icon for the suffix to edit it, or click the delete icon to delete it.

Note: Adding, configuring, or deleting a suffix restarts the Web server on the UMA, and disconnects your browser login session.


Routes
This section describes the UMA appliance Network > Routes page, used to configure default
or alternate network routes.

The default route is generally populated with the Default Gateway, specified in the Network >
Settings page.


CHAPTER 51
UMH/UMA Deployment Settings
This chapter describes how to configure the settings that are available in the SonicWALL
UMH/UMA Deployment pages.

Note: The UMA appliance and the GMS application both provide a system settings interface, referred to as UMA for the appliance and UMH in GMS software deployments. In either scenario, the switch icon is used to toggle between application and system interfaces.
This chapter includes the following sections:

Deployment Roles section on page 879

Deployment Settings section on page 889

Deployment Services section on page 891

Deployment Roles
The role that you assign to your SonicWALL GMS instance defines the SonicWALL Universal
Management Suite services that it will provide. SonicWALL GMS uses these services to
perform management, monitoring, and reporting tasks.
Your SonicWALL GMS instance can be deployed in any of the following roles:

All In One

Agent

Console

Database Only

Reports Summarizer

Monitor

Event

Syslog Collector

In the UMH or UMA system management interface, clicking Details in the same row as a role
provides a list of the services that run on a system in that role, and information about using the
role.

As the number of managed appliances increases, a more distributed deployment provides better performance. To manage large numbers of SonicWALL appliances, you can use several SonicWALL GMS appliances operating in different roles in a distributed deployment. You can also use Windows Server machines running SonicWALL GMS in any of the roles.
You can include the MySQL database installation with any role. The All In One or Database
Only roles automatically include the MySQL database.
If you are configuring a role that includes a Console, such as the Console or All In One role, the
system can be configured as a redundant Console. The Include Redundancy checkbox is
used to configure the GMS deployment to have a redundant Console.
You can scale your deployment to handle more units and more reporting by adding more
systems in the Agent role. Agents provide built-in redundancy capability, meaning that if an
Agent goes down, other Agents can perform the configuration tasks and other tasks of the
Agent that went down.

Note: When configuring the role for the first appliance in a distributed deployment, you should either include the database or be prepared to provide the IP address of an existing database server.
You can meet this database objective in one of the following ways:
By selecting a role that includes the database automatically, such as All In One or Database Only
By selecting the Include Database (MYSQL) checkbox if configuring the appliance with any other role
By setting up a compatible database on another machine and providing that IP address when prompted

You can configure the role of the SonicWALL UMA EM5000 appliance without using the Role
Configuration Tool.
All role configuration is performed in the appliance management interface, available at the URL:
http://<IP address>:<port>/appliance/
Refer to the following sections for instructions on manually configuring the system role:
Configuring the All In One Role section on page 881
Configuring the Database Only Role section on page 882
Configuring the Console Role section on page 882
Configuring the Agent Role section on page 883
Configuring the Reports Summarizer Role section on page 884
Configuring the Monitor Role section on page 885
Configuring the Event Role section on page 886
Configuring the Syslog Collector Role section on page 886


Configuring the All In One Role

All In One deployments are ideal for managing a small number of SonicWALL appliances or for test environments.

However, SonicWALL recommends that you use a multi-system, distributed deployment in production environments, with the database on a dedicated server and the other services on one or more systems. When only one other system is deployed, the Console role should be assigned to it.
The All In One role provides all nine services utilized by SonicWALL GMS:

Syslog Collector

Reports Scheduler

Update Manager

Reports Summarizer

SNMP Manager

Scheduler

Monitoring Manager

Web Server

Database

To deploy your SonicWALL GMS in the All In One role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the All In One radio button.
2. If this SonicWALL GMS will connect to managed appliances through a GMS gateway, type the gateway IP address into the GMS Gateway IP field. To determine if a GMS Gateway is required, see the SonicWALL Getting Started Guide for your product.
3. If a GMS gateway will be used, type the password into both the GMS Gateway Password and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port number into the Syslog Server Port field. The default port is 514.
5. If deploying another system in the Console role, select the Include Redundancy checkbox to configure this system as a redundant Console.
6. Configure the database settings as described in the Configuring Database Settings section, on page 887.
7. Select the Include Redundancy checkbox to configure this system as a redundant Console.
8. Configure the Web port settings as described in the Configuring Web Port Settings section, on page 889.
9. To apply your changes, click Update. To change the settings on this page back to the defaults, click Reset.

Configuring the Database Only Role

The Database Only role is used in a multi-server SonicWALL GMS deployment. In this role, the server is configured to run only the database service. SonicWALL recommends that one of the servers in a multi-server GMS deployment be assigned the Database Only role.

Only the SonicWALL Universal Management Suite Database service runs on a Database Only
system.
The MySQL database engine is pre-installed along with the SonicWALL GMS installation.
SonicWALL GMS can also use a MySQL database or a Microsoft SQL Server database
installed on a server. Only the MySQL database included in the installer is supported. On the
Deployment > Role page in the SonicWALL GMS appliance management interface, you can
configure your SonicWALL GMS systems to use either a MySQL or a SQL Server database.
To deploy your SonicWALL GMS in the Database Only role, perform the steps described in the
Configuring Database Settings section, on page 887.

Configuring the Console Role


The Console role is used in a multi-server, distributed SonicWALL GMS deployment. In this
role, the SonicWALL GMS installation runs all SonicWALL Universal Management Suite
services except for the Database service. In this scenario, the Database role is assigned to a
separate appliance or server.

In the Console role, the SonicWALL GMS behaves as an Agent, and also provides the following
functions:

Provides the Web user interface for the SonicWALL GMS application

Emails Scheduled Reports

Performs Event Management tasks

Performs various periodic checks, such as checking for new appliances that can be
managed, checking for new firmware versions of managed appliances, and similar
functions

To deploy your SonicWALL GMS in the Console role, perform the following steps in the
appliance management interface:

1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Console radio button.

2. If this SonicWALL GMS will connect to managed appliances through a GMS gateway, type
the gateway IP address into the GMS Gateway IP field. To determine if a GMS Gateway is
required, see the SonicWALL Getting Started Guide for your product.

3. If a GMS gateway will be used, type the password into both the GMS Gateway Password
and Confirm GMS Gateway Password fields.

4. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port
number into the Syslog Server Port field. The default port is 514.

5. To use a MySQL or Microsoft SQL Server database on another system, leave the Include
Database (MYSQL) checkbox cleared. Including the MySQL database on a Console system is
not recommended; if you want the database on this system, select the All In One role
instead of the Console role.

6. If deploying another system in the Console or All In One role, select the Include
Redundancy checkbox to configure this system as a redundant Console.

7. Configure the database settings as described in the Configuring Database Settings
section, on page 887.

8. Configure the Web port settings as described in the Configuring Web Port Settings
section, on page 889.

9. To apply your changes, click Update. To change the settings on this page back to the
defaults, click Reset.

Configuring the Agent Role


The Agent role can be used in a distributed deployment of SonicWALL GMS. The primary
functions of this role include the following:

Manages units by acquiring them, pushing configuration tasks to the units and tracking their
up/down status

Performs monitoring based on ICMP probes, TCP probes, and SNMP OID retrievals

Collects and stores syslog messages

Performs report summarization

The following SonicWALL Universal Management Suite services run on an Agent system:

Syslog Collector

Reports Summarizer

SNMP Manager

Scheduler

Monitoring Manager

To deploy your SonicWALL GMS in the Agent role, perform the following steps in the appliance
management interface:

1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Agent radio button.

2. If this SonicWALL GMS will connect to managed appliances through a GMS gateway, type
the gateway IP address into the GMS Gateway IP field. To determine if a GMS Gateway is
required, see the SonicWALL Getting Started Guide for your product.

3. If a GMS gateway will be used, type the password into both the GMS Gateway Password
and Confirm GMS Gateway Password fields.

4. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port
number into the Syslog Server Port field. The default port is 514.

5. To include the MySQL database on this system, select the Include Database (MYSQL)
checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not
select this checkbox.

6. Configure the database settings as described in the Configuring Database Settings
section, on page 887.

7. Configure the Web port settings as described in the Configuring Web Port Settings
section, on page 889.

8. To apply your changes, click Update. To change the settings on this page back to the
defaults, click Reset.

Configuring the Reports Summarizer Role


The Reports Summarizer role is used to dedicate a server to performing only summarization
of reports in a multi-server GMS deployment. Syslogs collected by the Syslog Collector service
are consumed by the Reports Summarizer service to generate reports. In such a deployment,
it is essential that the Syslog Collectors running on the various GMS servers write syslogs to
folders that are accessible by the Reports Summarizer systems.

The following services run on a Summarizer system:

SonicWALL Universal Management Suite - Reports Summarizer

SonicWALL Universal Management Suite - Web Service Server

To deploy your SonicWALL GMS in the Reports Summarizer role, perform the following steps
in the appliance management interface:

1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Reports Summarizer radio button.

2. To include the MySQL database on this system, select the Include Database (MYSQL)
checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not
select this checkbox.

3. Configure the database settings as described in the Configuring Database Settings
section, on page 887.

4. Configure the Web port settings as described in the Configuring Web Port Settings
section, on page 889.

5. To apply your changes, click Update. To change the settings on this page back to the
defaults, click Reset.

Configuring the Monitor Role


The Monitor role is used to dedicate the SonicWALL GMS installation to monitoring appliances
and applications in a multi-server SonicWALL GMS deployment. The monitoring is based on
ICMP probes, TCP probes, and SNMP OID retrievals.
Only the SonicWALL Universal Management Suite Monitoring Manager service runs on a
Monitor system.
To deploy your SonicWALL GMS in the Monitor role, perform the following steps in the
appliance management interface:

1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Monitor radio button.

2. To include the MySQL database on this system, select the Include Database (MYSQL)
checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not
select this checkbox.

3. Configure the database settings as described in the Configuring Database Settings
section, on page 887.

4. Configure the Web port settings as described in the Configuring Web Port Settings
section, on page 889.

5. To apply your changes, click Update. To change the settings on this page back to the
defaults, click Reset.

Configuring the Event Role


The Event, or Event Management, role dedicates a GMS server to event-based alerting for
appliances and applications in a multi-server SonicWALL GMS deployment.

The following services run on an Event Management system:

SonicWALL Universal Management Suite - Event Manager

SonicWALL Universal Management Suite - Web Service Server

To deploy your SonicWALL GMS in the Event role, perform the following steps in the appliance
management interface:

1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Event radio button.

2. To include the MySQL database on this system, select the Include Database (MYSQL)
checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not
select this checkbox.

3. Configure the database settings as described in the Configuring Database Settings
section, on page 887.

4. Configure the Web port settings as described in the Configuring Web Port Settings
section, on page 889.

5. To apply your changes, click Update. To change the settings on this page back to the
defaults, click Reset.

Configuring the Syslog Collector Role


The Syslog Collector role can be assigned to a SonicWALL GMS installation in a multi-server
deployment of SonicWALL GMS. In this role, the SonicWALL GMS installation is dedicated to
collecting syslog messages on the configured port (by default, port 514). The syslog messages
are stored in the SonicWALL GMS file system.

The syslog messages are used by the Reports Summarizer service running on another
SonicWALL GMS server or appliance in the distributed deployment. The folder where the
Syslog Collector service stores the syslog messages must be accessible by the server running
the Reports Summarizer service.

Only the SonicWALL Universal Management Suite Syslog Collector service runs on a Syslog
Collector system.
To deploy your SonicWALL GMS in the Syslog Collector role, perform the following steps in the
appliance management interface:

1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Syslog Collector radio button.

2. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port
number into the Syslog Server Port field. The default port is 514.

3. To include the MySQL database on this system, select the Include Database (MYSQL)
checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not
select this checkbox.

4. Configure the database settings as described in the Configuring Database Settings
section, on page 887.

5. Configure the Web port settings as described in the Configuring Web Port Settings
section, on page 889.

6. To apply your changes, click Update. To change the settings on this page back to the
defaults, click Reset.
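The collection path this role performs, as an added example that is not SonicWALL code: a small Python stand-in for the Syslog Collector that listens on a UDP port, validates the <PRI> header and the key=value body of each message, and appends well-formed messages to a per-day file in a collector folder that the Reports Summarizer host would read. The sample message, its field names, and the file layout are constructed for the example; GMS's own on-disk format is not documented on this page.

```python
"""Stand-in for the Syslog Collector role (added example, not SonicWALL code).

Receives syslog over UDP, keeps only messages with a valid <PRI> header and a
key=value body, and appends them to a per-day file in a collector folder.
SAMPLE_MESSAGE is constructed, not a real capture.
"""
import os
import re
import socket
from datetime import datetime
from typing import Dict, List, Optional

DEFAULT_SYSLOG_PORT = 514  # Syslog Server Port default from the guide

# Constructed sample in the SonicWALL key=value style.
SAMPLE_MESSAGE = (
    '<134>id=firewall sn=0017C5000000 time="2012-02-14 10:22:31" fw=203.0.113.10 '
    'pri=6 c=1024 m=537 msg="Connection Closed" n=14821 '
    'src=10.1.1.25:49152:X0 dst=198.51.100.7:443:X1 proto=tcp/https sent=1423 rcvd=5210'
)

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key="quoted value" or key=token


def parse_syslog(line: str) -> Dict[str, object]:
    """Split one message into facility, severity and its key=value fields.

    Raises ValueError for a missing or out-of-range <PRI> header so that the
    collector can drop junk instead of storing it for the summarizer.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23 * 8 + severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    fields: Dict[str, str] = {}
    for key, raw, quoted in _KV_RE.findall(line[m.end():]):
        fields[key] = quoted if raw.startswith('"') else raw
    if not fields:
        raise ValueError("no key=value body")
    return {"facility": pri // 8, "severity": pri % 8, "fields": fields}


def is_well_formed(line: str) -> bool:
    try:
        parse_syslog(line)
        return True
    except ValueError:
        return False


def store_message(store_dir: str, sender: str, line: str,
                  when: Optional[datetime] = None) -> str:
    """Append the raw message to <store_dir>/YYYYMMDD.log and return the path.

    This folder is what must be reachable from the Reports Summarizer host.
    """
    when = when or datetime.now()
    os.makedirs(store_dir, exist_ok=True)
    path = os.path.join(store_dir, when.strftime("%Y%m%d") + ".log")
    with open(path, "a", encoding="utf-8") as f:
        f.write(f"{when.isoformat(timespec='seconds')} {sender} {line.rstrip()}\n")
    return path


def collect(port: int = DEFAULT_SYSLOG_PORT, store_dir: str = "syslog",
            bind_addr: str = "0.0.0.0", max_messages: Optional[int] = None,
            timeout: Optional[float] = None) -> List[str]:
    """Listen on UDP `port`, store well-formed messages, return the paths written.

    Binding 514 needs root on Unix; the guide's non-standard port option lets
    the collector run unprivileged.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind((bind_addr, port))
    written: List[str] = []
    try:
        while max_messages is None or len(written) < max_messages:
            try:
                data, (sender, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            line = data.decode("utf-8", errors="replace")
            if is_well_formed(line):  # drop junk rather than hand it to the summarizer
                written.append(store_message(store_dir, sender, line))
    finally:
        sock.close()
    return written


if __name__ == "__main__":
    # Loopback round trip on a non-standard port, writing under ./syslog_demo.
    import threading
    import time
    result: List[str] = []
    t = threading.Thread(target=lambda: result.extend(
        collect(5514, "syslog_demo", "127.0.0.1", max_messages=1, timeout=5)))
    t.start()
    time.sleep(0.2)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(SAMPLE_MESSAGE.encode(), ("127.0.0.1", 5514))
    client.close()
    t.join()
    print(result, parse_syslog(SAMPLE_MESSAGE)["fields"]["msg"])
```

Run it as a script to see one message travel from a loopback client into the collector folder; the `is_well_formed` gate is the point a real collector should not skip, because anything that can reach the syslog port can otherwise write arbitrary bytes into files the summarizer later parses.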

Configuring Database Settings


Database settings configuration is largely the same for any role. For roles that automatically
include the default MySQL database, such as All In One or Database Only, the Database Type,
Database Host, and Database Port fields are not editable. This is also the case for any other
role when the Include Database (MYSQL) checkbox is selected. The Administrator Credentials
fields are displayed only if the role has been defined to include the installation of the MySQL
database; they are not available when a SQL Server database is selected.

This section describes the options for configuring the database settings for either the MySQL
database or the Microsoft SQL Server database. The SonicWALL GMS can run the MySQL
database itself, or, in a multi-system deployment, use either a MySQL or a SQL Server
database running on a Windows Server machine.
To configure the database settings for any role, perform the following steps in the appliance
management interface:

1. Navigate to the Deployment > Role page and select the role for this appliance.

2. To run the MySQL database on this SonicWALL GMS, select the Include Database
(MYSQL) checkbox. To use a MySQL or Microsoft SQL Server database on another
system, do not select this checkbox.

3. Under Database Configuration, if Include Database (MYSQL) was not selected in the
previous step, select either MYSQL or SQL Server from the Database Type pull-down list.
This field is not editable if you previously selected Include Database (MYSQL) or if the
selected role is All In One or Database Only.

4. In the Database Host field, type the IP address of the database server, or accept the
default, localhost, if this SonicWALL GMS includes the database. This field is not editable
if you previously selected Include Database (MYSQL) or if the selected role is All In One
or Database Only.

Note: If your deployment requires an instance name for the SQL Server database, enter the
host name or IP address in the Database Host field followed by a backslash and the instance
name, in the form 10.20.30.40\INSTANCE.

5. To use a different port when SonicWALL GMS accesses the database, type the port into the
Database Port field. The default, 3306, is the MySQL port; for a SQL Server database,
enter the port on which the instance listens (1433 for a default instance).

6. To use a different user name when SonicWALL GMS accesses the database, type the user
name into the Database User field. The default user name is sa. On SQL Server, sa is the
built-in sysadmin login; a dedicated login with rights only to the GMS database limits what
a compromised GMS server can do to the database server.

7. Type the password that SonicWALL GMS will use to access the database into both the
Database Password and Confirm Database Password fields.

8. If your deployment uses a custom database driver, type the value into the Database Driver
field. Otherwise, accept the default, com.mysql.jdbc.Driver.

9. If your deployment uses a custom database URL, type the value into the Database URL
field. If you are using a different port, change the default port, 3306, in the URL. Otherwise,
accept the default URL, jdbc:mysql://localhost:3306.
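A plan check covering the role descriptions in this chapter and the database fields in this section, as an added example that is not SonicWALL code. The role-to-service map follows the role descriptions above; the All In One set is assumed to be the union of every service the chapter names. The SQL Server driver class, its URL syntax, the 1433 default port, and the host, role, and user names used in the checks are assumptions for the example. The `jdbc_settings` function produces the Database Driver and Database URL values, and `check_deployment` applies the rules the page states for each field and for the deployment as a whole.

```python
"""Deployment plan checker for GMS roles (added example, not SonicWALL code).

ROLE_SERVICES follows the role descriptions in this chapter. The SQL Server
driver class, URL syntax and port 1433 are assumptions; the guide gives only
the MySQL defaults (com.mysql.jdbc.Driver, jdbc:mysql://localhost:3306).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ALL_SERVICES: Set[str] = {
    "Syslog Collector", "Reports Summarizer", "SNMP Manager", "Scheduler",
    "Monitoring Manager", "Event Manager", "Web Service Server", "Web Server",
    "Database",
}
ROLE_SERVICES: Dict[str, Set[str]] = {
    "All In One": set(ALL_SERVICES),
    "Console": ALL_SERVICES - {"Database"},
    "Agent": {"Syslog Collector", "Reports Summarizer", "SNMP Manager",
              "Scheduler", "Monitoring Manager"},
    "Database Only": {"Database"},
    "Reports Summarizer": {"Reports Summarizer", "Web Service Server"},
    "Monitor": {"Monitoring Manager"},
    "Event": {"Event Manager", "Web Service Server"},
    "Syslog Collector": {"Syslog Collector"},
}
DEFAULT_PORTS = {"MYSQL": 3306, "SQL Server": 1433}  # 1433 assumed, not from the guide


@dataclass
class Host:
    name: str
    role: str
    include_database: bool = False    # Include Database (MYSQL) checkbox
    include_redundancy: bool = False  # Include Redundancy checkbox
    db_type: str = "MYSQL"            # Database Type: MYSQL or SQL Server
    db_host: str = "localhost"        # Database Host, or "10.20.30.40\\INSTANCE"
    db_port: Optional[int] = None     # Database Port (None = default)
    db_user: str = "sa"               # Database User (guide default)

    def bundled_database(self) -> bool:
        return self.role in ("All In One", "Database Only") or self.include_database

    def services(self) -> Set[str]:
        svc = set(ROLE_SERVICES[self.role])
        if self.include_database:
            svc.add("Database")
        return svc


def jdbc_settings(host: Host) -> Dict[str, str]:
    """Values for the Database Driver and Database URL fields."""
    port = host.db_port or DEFAULT_PORTS[host.db_type]
    if host.db_type == "MYSQL":
        return {"driver": "com.mysql.jdbc.Driver",
                "url": f"jdbc:mysql://{host.db_host}:{port}"}
    server, _, instance = host.db_host.partition("\\")  # host\INSTANCE form
    url = f"jdbc:sqlserver://{server}:{port}"
    if instance:
        url += f";instanceName={instance}"
    return {"driver": "com.microsoft.sqlserver.jdbc.SQLServerDriver", "url": url}


def check_host(host: Host) -> List[str]:
    """Field-level rules from the Deployment > Role page for one host."""
    if host.role not in ROLE_SERVICES:
        return [f"error: {host.name}: unknown role {host.role!r}"]
    findings: List[str] = []
    if host.bundled_database() and (host.db_type != "MYSQL" or host.db_host != "localhost"
                                    or host.db_port not in (None, 3306)):
        findings.append(f"error: {host.name}: bundled MySQL is fixed to MYSQL on localhost:3306")
    if host.role == "Console" and host.include_database:
        findings.append(f"error: {host.name}: Console with bundled database; use All In One instead")
    if host.db_type == "SQL Server" and host.db_user == "sa":
        findings.append(f"error: {host.name}: sa is the SQL Server sysadmin login; use a dedicated GMS login")
    return findings


def check_deployment(hosts: List[Host], external_database: bool = False) -> List[str]:
    """Whole-deployment rules. 'error:' items block the plan; 'note:' items are reminders."""
    findings = [f for h in hosts for f in check_host(h)]
    if any(h.role not in ROLE_SERVICES for h in hosts):
        return findings
    by_service: Dict[str, List[str]] = {}
    for h in hosts:
        for s in sorted(h.services()):
            by_service.setdefault(s, []).append(h.name)
    databases = by_service.get("Database", [])
    if external_database and databases:
        findings.append("error: an external database is configured but a host also bundles one")
    if not external_database and len(databases) != 1:
        findings.append(f"error: expected exactly one Database service, found {len(databases)}: {databases}")
    if "Web Server" not in by_service:
        findings.append("error: no Console or All In One host, so nothing serves the GMS Web UI")
    collectors = set(by_service.get("Syslog Collector", []))
    summarizers = set(by_service.get("Reports Summarizer", []))
    if collectors and not summarizers:
        findings.append("error: syslog is collected but no Reports Summarizer consumes it")
    elif collectors - summarizers:
        findings.append("note: syslog folders on " + ", ".join(sorted(collectors - summarizers))
                        + " must be readable by the Reports Summarizer host(s)")
    consoles = [h.name for h in hosts if h.role in ("Console", "All In One")]
    for h in hosts:
        if h.include_redundancy and len(consoles) < 2:
            findings.append(f"error: {h.name}: Include Redundancy needs a second Console or All In One host")
    if len(hosts) > 1 and not external_database and not any(h.role == "Database Only" for h in hosts):
        findings.append("note: SonicWALL recommends a Database Only host in a multi-server deployment")
    return findings


def errors(findings: List[str]) -> List[str]:
    return [f for f in findings if f.startswith("error:")]
```

Running `check_deployment` over the planned hosts before touching the Deployment > Role page catches the cases the page warns about one field at a time: two hosts bundling MySQL, a collector whose folder the summarizer cannot see, a redundant Console with no partner, and the sa login left in place on SQL Server.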

Deployment Settings
This section describes the UMH/UMA Deployment > Settings page, used for Web port, SMTP,
and SSL access configuration.
The Deployment > Settings page is identical in both the UMH and UMA management
interfaces, except for the left navigation pane which shows the Network menu item on the UMA.

See the following sections:

Configuring Web Port Settings section on page 889

Configuring SMTP Settings section on page 890

Configuring SSL Access section on page 890

Configuring Web Port Settings


Web port settings configuration is largely the same on any role:

1. On the Deployment > Settings page under Web Port Configuration, to use a different
port for HTTP access to the SonicWALL GMS, type the port number into the HTTP Port
field. The default port is 80.
If you enter another port in this field, the port number must be specified when accessing the
appliance management interface or SonicWALL GMS management interface. For example,
if port 8080 is entered here, the appliance management interface would be accessed with
the URL: http://<IP Address>:8080/appliance/.

2. To use a different port for HTTPS access to the SonicWALL GMS, type the port number into
the HTTPS Port field. The default port is 443.
If you enter another port in this field, the port number must be specified when accessing the
appliance management interface or SonicWALL GMS management interface. For example,
if port 4430 is entered here, the appliance management interface would be accessed with
the URL: https://<IP Address>:4430/appliance/.

Whichever ports you choose, use the HTTPS port for administrative access: over HTTP the
login credentials and session travel in clear text.


Configuring SMTP Settings


The SMTP Configuration section allows you to configure an SMTP server name or IP address,
a sender email address, and an administrator email address. You can test connectivity to the
configured server.
To configure SMTP settings:

1. Navigate to the Deployment > Settings page under the SMTP Configuration section.

2. Type the FQDN or IP address of the SMTP server into the SMTP server field.

3. Type the email address from which mail will be sent into the Sender address field.

4. Type the email address of the system administrator into the Administrator address field.

5. To test connectivity to the SMTP server, click Test Connectivity.

6. To apply your changes, click Update.

Configuring SSL Access


The SSL Access Configuration section allows you to configure and upload a custom
Keystore/Certificate file for SSL access to the GMS appliance, or select the default local
keystore.
To configure SSL access:

1. Navigate to the Deployment > Settings page under the SSL Access Configuration section.

2. Select the Default radio button to keep, or revert to, the default settings, where the
default GMS Web Server certificate with the 'gmsvpserverks' keystore is used.

3. Select the Custom radio button to upload a custom keystore certificate for GMS SSL
access.

4. In the Keystore/Certificate file field, click the Browse button to select your certificate
file.

Note: Your custom file is renamed to gmsvpservercustomks after upload.

5. Type the password for the keystore certificate into the Keystore/Certificate password
field.

6. Click the View button to display details about your keystore certificate. Confirm that the
subject name matches the host name administrators use to reach the GMS Web Server and
that the certificate has not expired; otherwise every administrator's browser will warn on
each login, and warnings that are always clicked through stop protecting anyone.

7. Click the Update button to submit your changes.

Deployment Services
This section describes the UMH/UMA Deployment > Services page, used for starting and
stopping the GMS services running on the system.
The Deployment > Services page is identical in both the UMH and UMA management
interfaces, except for the left navigation pane, which shows the Network menu item on the UMA.
The page lists the services that belong to the current role and displays the status of each
service. For the All In One role, which includes all services, every service is listed.

To start, stop, or restart one or more services:

1. Navigate to the Deployment > Services page.

2. Select the checkbox next to Service Name to select all services, or select one or more
checkboxes for individual services.

3. To disable or stop the selected services, click the Disable/Stop button.

4. To enable or start the selected services, click the Enable/Start button.

5. To restart the selected services, click the Restart button.

SonicWALL, Inc.
2001 Logic Drive
San Jose, CA 95124-3452
T +1 408.745.9600
F +1 408.745.9300
www.sonicwall.com

P/N: 232-000755-00
Rev B, 2/12
2012