SonicWALL GMS 7.0 Administrator's Guide
Copyright Notice
2012 SonicWALL, Inc.
All rights reserved.
Under the copyright laws, this manual or the software described within cannot be copied, in
whole or part, without the written consent of the manufacturer, except in the normal use of the
software to make a backup copy. The same proprietary and copyright notices must be affixed
to any permitted copies as were affixed to the original. This exception does not allow copies to
be made for others, whether or not sold, but all of the material purchased (with all backup
copies) can be sold, given, or loaned to another person. Under the law, copying includes
translating into another language or format.
Specifications and descriptions subject to change without notice.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
Windows XP, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2003,
Internet Explorer, and Active Directory are trademarks or registered trademarks of
Microsoft Corporation.
Table of Contents
Chapter 1: Introduction to SonicWALL GMS . . . . . . . . . . . . . . . . . . . . . . .1
Overview of SonicWALL GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
What Is SonicWALL GMS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
SonicWALL GMS 7.0 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Scaling SonicWALL GMS Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Deployment Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Operating System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Database Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
MySQL Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Java Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Browser Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
SonicWALL Appliance and Firmware Support . . . . . . . . . . . . . . . . . . . . . . . . . .10
SonicWALL GMS Gateway Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Network Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
SonicWALL GMS Internet Access through a Proxy Server . . . . . . . . . . . . . . . .12
Login to SonicWALL GMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Navigating the SonicWALL GMS User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Dashboard Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Appliance Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Monitor Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Console Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Understanding SonicWALL GMS Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Using the SonicWALL GMS TreeControl Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Configuring SonicWALL GMS View Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Group Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Unit Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Creating SonicWALL GMS Fields and Dynamic Views . . . . . . . . . . . . . . . . . . .23
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Chapter 6: Viewing SRA Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
SRA Reporting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
SRA Reports Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
What is SRA Reporting? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Benefits of SRA Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
How Does SRA Reporting Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Using and Configuring SRA Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Viewing Available SRA Report Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Configuring SRA Scheduled Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Navigating Through Detailed SRA Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Viewing SRA Summary Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Viewing SRA Unit-Level Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Viewing Unit-Level Data Usage Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Viewing SRA Top Users Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Viewing Access Method Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Viewing SRA Authentication User Login Report . . . . . . . . . . . . . . . . . . . . . . . .147
Viewing SRA Authentication Failed Login Report . . . . . . . . . . . . . . . . . . . . . .148
Viewing Web Application Firewall (WAF) Reports . . . . . . . . . . . . . . . . . . . . . .148
Viewing Connection Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Viewing Uptime/Downtime Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Viewing SRA Analyzer Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Syslog Exclusion Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Chapter 7: Viewing CDP Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
CDP Reporting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
CDP Reports Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
What is CDP Reporting? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Backup/Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
Data Export Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870
RAID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
Chapter 50: UMA Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
Chapter 51: UMH/UMA Deployment Settings . . . . . . . . . . . . . . . . . . . . 879
Deployment Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
Configuring the All In One Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
Configuring the Database Only Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
Configuring the Console Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
Configuring the Agent Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
Configuring the Reports Summarizer Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
Configuring the Monitor Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Configuring the Event Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Configuring the Syslog Collector Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
Configuring Database Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 887
Deployment Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Configuring Web Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
Configuring SMTP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Configuring SSL Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Deployment Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 891
CHAPTER 1
Introduction to SonicWALL GMS
This chapter introduces the SonicWALL Global Management System (GMS) User Interface (UI)
navigation and management views. SonicWALL GMS can be used in a variety of roles in a wide
range of networks. Network administrators can use SonicWALL GMS as a Management
Console role in an Enterprise network containing a single SonicWALL E-Class NSA or
SuperMassive appliance and also as a Remote Management System role for managing
multiple unit deployments for Enterprise and Service Provider networks consisting of hundreds
and thousands of firewalls, Email Security appliances, CDP appliances and Secure Remote
Access appliances.
This section includes the following subsections:
Universal Scheduled Reports: In SonicWALL GMS 6.0 SP2, reports can be scheduled to be created
and mailed to an email address, but there is no single place to do this centrally. SonicWALL
GMS 7.0 has one place to schedule reports to be created and mailed out across multiple
appliances of various types. This approach takes much less time and is much more intuitive.
Scheduled reports can be saved as templates for future use. Several standard universal
scheduled report templates are included with SonicWALL GMS. Bundled universal scheduled
report templates include one to help with a compliance initiative for the Payment Card Industry
Data Security Standard (PCI DSS) and one to quickly visualize and report on application usage
on the network for a new firewall deployment.
Rogue Wireless Access Point Reporting: SonicWALL GMS 7.0 includes a new rogue wireless
access point report. This is especially important to customers subject to the Payment Card
Industry (PCI) Data Security Standard (DSS) programs operated by the major payment brands.
As part of a PCI compliance initiative, a customer that uses wireless must be able to meet the
following requirement. PCI Requirement 11.1: Test for the presence of wireless access points
by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all
wireless devices in use. The Test Procedure to satisfy this Requirement is as follows:
Verify that a wireless analyzer is used at least quarterly, or that a wireless IDS/IPS is
personnel. Test for the presence of wireless access points by using a wireless analyzer at
least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.
Using SonicWALL GMS 6.0 SP2, a customer can schedule a scan on an individual firewall.
However, it is not possible to set a scheduled task for a group of firewalls. SonicWALL GMS 7.0
adds the following functionality:
Schedule and perform a wireless IDS (WIDS) scan from SonicWALL GMS at the unit/group
levels. This has been provided using a combination of user-driven on-demand reports and the
new scheduled reports for rogue wireless access points in SonicWALL GMS 7.0.
Schedule summarized reports from SonicWALL GMS at the unit/group level to be
On-screen and scheduled reports include the following data: MAC Address (BSSID), SSID,
Channel (such as 1-11 for NA), Manufacturer, and Signal Strength (helpful in locating the rogue
AP). The time and date of the scan are also given, which indicates how long the access point
has been present since discovery.
Note: The Firewall/SRA/CDP/ES policy panels in SonicWALL GMS 7.0 are not localized.
SRA SMB Support: SonicWALL GMS 7.0 expands support for SonicWALL SRA SMB devices with
the following functionality:
Backup of preference files
Web Application Firewall (WAF) reporting
The SonicWALL GMS gateway that resides between a SonicWALL GMS agent server and
the SonicWALL appliances provides secure communications.
Each SonicWALL appliance can have a primary agent server and a standby server. Each
agent server can be a primary server for certain SonicWALL appliances and a standby
server for other SonicWALL appliances.
Configuration of and changes to the SonicWALL GMS and the SonicWALL appliances are
written to the database.
The users at the Admin Workstations can access the SonicWALL GMS console through a
Web browser (HTTP) from any location. The SonicWALL GMS console can also be
securely accessed using HTTPS.
Deployment Requirements
Before installing SonicWALL GMS, review the following deployment requirements. SonicWALL
GMS can be hosted in three deployment scenarios as follows:
The SonicWALL GMS supports the following Microsoft Windows operating systems:
Note: In all instances, SonicWALL GMS runs as a 32-bit application. Bundled databases run in
64-bit mode on 64-bit Windows operating systems. All listed operating systems are supported
in both virtualized (VMware ESXi 4.1) and non-virtualized environments.
Hardware for Windows Server: 4 GB RAM
The elements of basic VMware structure must be implemented prior to deploying the
SonicWALL GMS Virtual Appliance. SonicWALL GMS Virtual Appliance runs on the following
VMware platforms:
ESXi 5.0
Use the following client applications to import the image and configure the virtual settings:
VMware vSphere: Provides infrastructure and application services in a graphical user interface
for ESX/ESXi, included with ESX/ESXi. Allows you to specify Thin or Thick (Flat) provisioning
when deploying the SonicWALL GMS Virtual Appliance.
The following hardware resources are required for the SonicWALL GMS Virtual Appliance:
RAM: 3168 MB
This is the maximum amount of RAM supported by the SonicWALL GMS Virtual Appliance
operating system, SonicLinux (VM), which is a 32-bit OS. Additional RAM provided to the
SonicWALL GMS Virtual Appliance in the virtual environment will not be utilized. A smaller
amount of RAM can be configured, but is not recommended.
CPU: 2
This is the default number of CPUs provisioned in the SonicWALL GMS Virtual Appliance.
The minimum required number of CPUs is 1, and the maximum that the SonicWALL GMS
Virtual Appliance can use is 4.
Disk size
When using Thick, or Flat, provisioning as the storage type option, the entire amount of disk
space is allocated when you import and deploy the SonicWALL GMS Virtual Appliance file.
When using Thin provisioning, the initial size is very small and will grow dynamically as more
disk space is needed by the SonicWALL GMS application, until the maximum size is reached.
Once allocated, the size will not shrink if the application space requirements are subsequently
reduced.
Additional disk space provided to SonicWALL GMS Virtual Appliance in the virtual environment,
beyond the respective limits of 250 GB or 950 GB, will not be utilized.
ESX/ESXi can be configured with datastores of varying block sizes. The 4 or 8 MB requirement
for the 950 GB deployment exists because the block size determines the largest virtual disk
that can be deployed, as shown in the table:
Table 1
Block Size of Datastore    Largest Virtual Disk
1 MB                       256 GB
2 MB                       512 GB
4 MB                       1 TB
8 MB                       2 TB
Database Requirements
The SonicWALL GMS release supports the following databases:
MySQL Requirements
SonicWALL GMS automatically installs MySQL as part of the base installation package.
Separately installed instances of MySQL are not supported with SonicWALL GMS 7.0.
Separately installed instances of MySQL are supported with SonicWALL GMS 6.0 only.
Java Requirements
SonicWALL GMS services use Java SE 6 Update 23. SonicWALL GMS automatically downloads
the Java Plug-in 6.0 when accessing SonicWALL GMS. SonicWALL GMS uses Tomcat 6.0.32.
Browser Requirements
SonicWALL Platforms
Multi-blade CASS
High Availability/Clustering
Multi-blade VPN
Advanced Switching
TZ series
PRO series
CSM series
SonicWALL NSA Series network security appliance with minimum firmware version SonicOS 5.0
SonicWALL PRO Series network security appliance with minimum firmware version SonicOS Enhanced 3.2
The SonicWALL GMS gateway should be at minimum a SonicWALL NSA 2400 with
minimum firmware SonicOS 5.0, or a SonicWALL PRO 2040 with minimum firmware
SonicOS Enhanced 3.2.
There are three SonicWALL GMS management methods with different SonicWALL GMS
gateway requirements. When using HTTPS as the management method, it is optional to have
a SonicWALL GMS gateway between each SonicWALL GMS agent server and the managed
SonicWALL appliance(s). If you select Existing VPN tunnel, a gateway is optional. If you select
Management VPN tunnel, you must have a SonicWALL GMS gateway between the SonicWALL
GMS agent server and the managed SonicWALL appliance(s) to allow each SonicWALL GMS
agent server to securely communicate with its managed appliance(s). The following list
provides more detail on SonicWALL GMS management methods and gateway requirements:
Existing VPN tunnel: A SonicWALL GMS gateway is optional. SonicWALL GMS can use VPN
tunnels that already exist in the network to communicate with the managed appliance(s). For
this configuration, the SonicWALL GMS gateway can be a SonicWALL VPN-based appliance or
another VPN device that is interoperable with SonicWALL VPN.
HTTPS: A SonicWALL GMS gateway is optional. SonicWALL GMS can use HTTPS management
instead of a VPN tunnel to communicate with the managed appliance(s). However, the
SonicWALL Aventail EX-Series SRA appliance allows HTTPS access only to its LAN port(s), and
not to its WAN port(s). This means that when SonicWALL GMS is deployed outside of the
Aventail LAN subnet(s), management traffic must be routed from SonicWALL GMS to a gateway
that allows access into the LAN network, and from there be routed to the Aventail LAN port.
Network Requirements
To complete the SonicWALL GMS deployment process, the following network requirements
must be met:
Note: The SonicWALL GMS server's network connection must be able to accommodate 1 KB/s
for each device under management. For example, if SonicWALL GMS is monitoring 100
SonicWALL appliances, the connection must support at least 100 KB/s.
Depending on the configuration of SonicWALL log settings and the amount of traffic handled
by each device, the network traffic can vary dramatically. The 1 KB/s for each device is a
general recommendation. Your installation requirements may be different.
<Parameter name="proxySet" value="1"/>
<Parameter name="proxyHost" value="10.0.30.62"/>
<Parameter name="proxyPort" value="3128"/>
<Parameter name="proxyUser" value="0A57CF01AB39ACF8863C8089321B9287"/>
<Parameter name="proxyPassword" value="EE80851182B4B962FC3E0EDF1F00275A"/>
The proxyUser and proxyPassword parameters are required only if the Proxy Server requires
authentication, in which case these are TEAV encrypted. This configuration supports both
HTTP and HTTPS Proxy, as long as the settings are identical for both.
To exempt certain hosts from the proxy configuration and allow them to be connected to directly,
add the following tag to sgmsConfig.xml:
<Parameter name="nonProxyHosts" value="*something.com|www.foo*|192.168.0.*"/>
The exact values of all of these parameters should be changed to the appropriate values for
your deployment. The asterisk symbol (*) is a wildcard that matches any string. The pipe symbol
(|) is the delimiter between the hosts in the list.
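The proxy parameters and the nonProxyHosts syntax above can be checked before the file is deployed. The following Python script is an added example, not part of this guide or of SonicWALL GMS: it parses a constructed sgmsConfig.xml fragment (the <Config> root element is an assumption), implements the `*` wildcard and `|` delimiter semantics described above, and flags proxy credentials that are not in the hex form the TEAV tool prints.

```python
"""Audit the proxy settings in a GMS sgmsConfig.xml fragment.

Added example, not SonicWALL code. It assumes only the
<Parameter name="..." value="..."/> layout shown in the guide; the <Config>
root element and the sample document below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample. The two hex strings are the values printed in the guide,
# used here purely as stand-ins for TEAV-encrypted credentials.
SAMPLE_CONFIG = """<Config>
  <Parameter name="proxySet" value="1"/>
  <Parameter name="proxyHost" value="10.0.30.62"/>
  <Parameter name="proxyPort" value="3128"/>
  <Parameter name="proxyUser" value="0A57CF01AB39ACF8863C8089321B9287"/>
  <Parameter name="proxyPassword" value="EE80851182B4B962FC3E0EDF1F00275A"/>
  <Parameter name="nonProxyHosts" value="*something.com|www.foo*|192.168.0.*"/>
</Config>
"""

# Heuristic, assumed from the samples in the guide: every TEAV output shown is
# a run of upper-case hex digits in 16-digit (8-byte) blocks. Anything else is
# reported as a probable plaintext credential left in the file.
TEAV_HEX = re.compile(r"^(?:[0-9A-F]{16})+$")


def load_parameters(xml_text):
    """Return {name: value} for every <Parameter> element in the document."""
    root = ET.fromstring(xml_text)
    params = {}
    for elem in root.iter("Parameter"):
        name = elem.get("name")
        if name is not None:
            params[name] = elem.get("value", "")
    return params


def non_proxy_matcher(pattern_list):
    """Build a predicate host -> bool from a nonProxyHosts value.

    Entries are separated by '|' and '*' matches any string, as the guide
    describes. Matching is anchored, so '*something.com' does not match
    'something.com.example'. Empty entries (e.g. a trailing '|') are ignored.
    """
    regexes = []
    for pattern in pattern_list.split("|"):
        pattern = pattern.strip()
        if not pattern:
            continue
        # re.escape neutralises '.', then only the wildcard is re-enabled.
        regex = re.escape(pattern).replace(r"\*", ".*")
        regexes.append(re.compile(regex, re.IGNORECASE))

    def bypasses_proxy(host):
        return any(r.fullmatch(host) for r in regexes)

    return bypasses_proxy


def audit_proxy(params):
    """Return a list of findings; an empty list means the fragment looks sound."""
    findings = []
    if params.get("proxySet") != "1":
        findings.append("proxySet: expected value 1 when a proxy is configured")
    if not params.get("proxyHost"):
        findings.append("proxyHost: missing or empty")
    port = params.get("proxyPort", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("proxyPort: not a valid TCP port: %r" % port)
    user, password = params.get("proxyUser"), params.get("proxyPassword")
    if (user is None) != (password is None):
        findings.append("proxyUser/proxyPassword: both or neither must be set")
    for key, value in (("proxyUser", user), ("proxyPassword", password)):
        if value is not None and not TEAV_HEX.match(value):
            findings.append("%s: value is not TEAV hex (possible plaintext credential)" % key)
    hosts = params.get("nonProxyHosts")
    if hosts is not None and not any(p.strip() for p in hosts.split("|")):
        findings.append("nonProxyHosts: present but contains no host patterns")
    return findings


if __name__ == "__main__":
    params = load_parameters(SAMPLE_CONFIG)
    bypasses = non_proxy_matcher(params["nonProxyHosts"])
    for host in ("mail.something.com", "www.foobar.net", "192.168.0.77", "192.168.1.77"):
        print("%-22s %s" % (host, "direct" if bypasses(host) else "via proxy"))
    print("findings:", audit_proxy(params) or "none")
```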
To TEAV-encrypt the string test, open a DOS window, go to the directory <gms-install>\bin,
and type the following command:
..\jre\bin\java -cp . TEAV test
The output is:
Encrypted: 5F397A4552CC08F2A409A9297588F134
Decrypted: [test]
1. Enter the SonicWALL user ID (default: admin) and password (default: password). Select
Local Domain as the domain (default).
2.
For more information on installation, login procedures, and registration of your SonicWALL
GMS installation, please refer to the appropriate Getting Started Guide, available at:
<http://www.sonicwall.com/us/support.html>
Dashboard Panel
The Dashboard is a tab intended to work as a customizable dashboard where you are able to
monitor the latest happenings with your SonicWALL GMS 7.0 deployment, your network, the IT
and Security World, as well as the rest of the world.
Upon initial login, you see a default Dashboard tab. You are able to further customize this page
by configuring and adding preferred components.
Appliance Panels
The appliance panels enable administrators to add, delete, configure and view various
SonicWALL appliance types managed by SonicWALL GMS. These panels include:
Within the Firewall, SRA, and CDP panels are two sub-panels:
Policies Panel
The Policies Panel is used to configure SonicWALL appliances. From these pages, you can
apply settings to all SonicWALL appliances being managed by SonicWALL GMS, all
SonicWALL appliances within a group, or individual SonicWALL appliances.
To open the Policies Panel, click the Firewall tab at the top of the SonicWALL GMS UI and then
click the Policies tab. The Policies Panel for the appropriate SonicWALL appliance type appears:
Reports Panel
The Reports Panel is an essential component of network security that is used to view and
schedule reports about critical network events and activity, such as security threats,
inappropriate Web use, and bandwidth levels.
To open the Reports Panel, click the Firewall, SRA, or CDP tab at the top of the SonicWALL
GMS UI and then click the Reports tab.
In the Reports Panel, you can simultaneously expand multiple screen groups, allowing you to
compare them. Use Control-click (Windows) to toggle the screen group to the expanded group,
without collapsing previously-opened screen groups.
Monitor Panel
The Monitor Panel is the administrator's central tool for monitoring the status of any managed
TCP/IP- and SNMP-capable devices and applications. The SonicWALL GMS Monitor panel
provides the power and flexibility to help you manage the availability of network devices,
create custom threshold-based real-time monitor alerts, and email or archive network status
reports based on your specifications.
To access the Monitoring features, click the Monitor tab at the top of the SonicWALL GMS UI.
Console Panel
The Console Panel is used to configure SonicWALL GMS settings, view pending tasks,
manage licenses, and configure system-wide granular event management settings.
To open the Console Panel, click the Console tab at the top of the SonicWALL GMS UI.
Description
One blue box indicates that the appliance is operating normally. The appliance is accessible from
SonicWALL GMS, and no tasks are pending or scheduled.
Two blue boxes indicate that appliances in a group are operating normally. All appliances in the
group are accessible from SonicWALL GMS and no tasks are pending or scheduled.
Three blue boxes indicate that all appliances in the global group of this type (Firewall/SRA/CDP)
are operating normally. All appliances of this type are accessible from SonicWALL GMS and no
tasks are pending or scheduled.
One blue box with a lightning flash indicates that one or more tasks are pending or running on the
appliance.
Two blue boxes with a lightning flash indicate that tasks are currently pending or running on one or
more appliances within the group.
Two blue boxes with a clock indicate that tasks are currently scheduled to execute at a future time
on one or more appliances within the group.
One blue box with a clock indicates that one or more tasks are scheduled on the appliance.
One yellow box indicates that the appliance has been added to SonicWALL GMS management
(provisioned), but not yet acquired.
Two yellow boxes indicate that one or more appliances in the group have been added to
SonicWALL GMS management, but not acquired.
Three yellow boxes indicate that one or more of the global group of appliances of this type
(Firewall/SRA/CDP) have been added to SonicWALL GMS management, but not acquired.
One yellow box with a lightning flash indicates that one or more tasks are pending on the
provisioned appliance.
Two yellow boxes with a lightning flash indicate that tasks are pending on one or more provisioned
appliances within the group.
One red box indicates that the appliance is no longer sending heartbeats to SonicWALL GMS.
Two red boxes indicate that one or more appliances in the group are no longer sending heartbeats
to SonicWALL GMS.
Three red boxes indicate that one or more of the global group of appliances of this type
(Firewall/SRA/CDP) is no longer sending heartbeats to SonicWALL GMS.
Two red boxes with a lightning flash indicate that one or more appliances in the group are no
longer sending heartbeats to SonicWALL GMS and have one or more tasks pending.
One red box with a lightning flash indicates that the appliance is no longer sending heartbeats to
SonicWALL GMS and has one or more tasks pending.
Firewall
SRA
CDP
ES
You can hide the entire TreeControl pane by clicking the sideways arrow icon, and re-display
the pane by clicking it again. This is helpful when viewing some reports or other extra-wide
screens, especially on the Monitor or Console panel.
To open a TreeControl menu, right-click the View All icon, a Group icon, or a Unit icon.
Find: Opens a Find dialog box that allows you to search for groups or units.
Add Unit: Add a new unit to the SonicWALL GMS management view. Requires unit IP and
login information.
Modify Unit (unit node only): Change basic settings for the selected unit, including unit
name, IP and login information, serial number, management port and
encryption/authentication keys.
Delete: Delete the selected unit, with the option to delete interconnected SAs or to delete from
NetMonitor.
Import XML: Import an edited XML file to replace the current TreeControl navigation view.
Login to Unit (unit node only): Log in to the selected unit using HTTP or HTTPS.
Manage Views: Opens a dialog box where you can create, delete, or modify a view.
Change View: Select pre-set or user-created views. Views are created in the Manage
Views window (see above).
Reassign Agents: Opens a dialog box where you can change the IP address of the
primary and standby schedulers and the type of VPN tunnel (management versus
site-to-site) used between SonicWALL GMS and the managed SonicWALL appliances.
Note: Views are only available in the Policies and Reports Panels. Changing views does not
affect the Console or Monitor Panels.
This section describes each view and what to consider when making changes:
Group Node
From the Group node of the Policies panel, changes you make are applied to all SonicWALL
appliances within the group. The Global node is the top view that contains all appliances.
To open the Group node, click a group icon in the left pane of the SonicWALL GMS UI. The
Group Status page appears. The Group Node Status page contains a list of statistics for all
SonicWALL appliances within the group.
As you move through the SonicWALL GMS UI with the Group node selected and make
changes, those changes are broken down into configuration tasks and applied to each
subgroup and each SonicWALL appliance within the group.
As SonicWALL GMS processes the tasks, some SonicWALL appliances may be down or
offline. When this occurs, SonicWALL GMS spools the task and reattempts the update later.
Depending on the page that you are configuring, the SonicWALL appliance(s) may
automatically restart. We recommend scheduling the tasks to run when network activity is low.
To determine if a change requires restarting, refer to the configuration instructions for that task.
Making group changes through the SonicWALL GMS UI enables you to save time by instituting
changes that affect all SonicWALL appliances within the group through a single operation.
Although this is very convenient, some changes can have unintended consequences. Be
careful when making changes on a group or global level.
Unit Node
From the Unit node of the Policies panel, changes you make are only applied to the selected
SonicWALL appliance. To open the Unit node, click a SonicWALL appliance in the left pane of
the SonicWALL GMS UI. The Status page for the SonicWALL appliance appears.
From the Unit node on the Reports Panel, you can generate real-time and historical reports for
the selected SonicWALL appliance.
As you navigate the SonicWALL GMS UI, you can generate graphical reports and view detailed
log data for the selected SonicWALL appliance. For more information, refer to the Reports
Panel section on page 16.
As you navigate the SonicWALL GMS UI with a single SonicWALL appliance selected and
make changes, those changes are broken down into configuration tasks and sent to the
selected SonicWALL appliance.
As SonicWALL GMS processes the tasks, the SonicWALL appliance may be down or offline.
When this occurs, SonicWALL GMS spools the task and reattempts the update later.
Note: Depending on the page that you are configuring, the SonicWALL appliance may
automatically restart. We recommend scheduling the tasks to run when network activity is
low. To determine if a change requires restarting, refer to the configuration instructions for
that task.
SonicWALL Model: specifies the model of the SonicWALL appliance. If the unit is not
registered, Not Registered appears instead of a model number.
Number of LAN IPs allowed: specifies the number of IP addresses that are allowed on
the LAN.
Tasks Pending: specifies whether the SonicWALL appliance has any pending tasks.
Agent Assigned: specifies the IP address of the SonicWALL GMS agent server that is the
primary agent managing the SonicWALL appliance.
Standby Agent: specifies the IP address of the peer SonicWALL GMS server that acts as the
backup agent for this SonicWALL appliance. If the primary agent fails, this
SonicWALL GMS server begins managing the appliance.
Fetch Uptime: the Uptime parameter indicates how long the SonicWALL appliance has been
running since the last time it was powered up or restarted. To display the current uptime
at the unit level for the selected SonicWALL appliance, click Fetch Uptime.
AV Status: places the SonicWALL appliances into different groups based on their status.
CFS Status: places the SonicWALL appliances into two groups: appliances that have
content filtering service (CFS) subscriptions and appliances that do not.
Firmware: creates a group for each firmware version and places each SonicWALL
appliance into its corresponding group.
Model: creates a group for each SonicWALL model and places each SonicWALL
appliance into its corresponding group.
Network Type: creates a group for each network type and places each SonicWALL
appliance into its corresponding group. These include:
Standard
NAT with DHCP Client
NAT with PPPoE Client
NAT with L2TP Client
NAT with PPTP Client
NAT Enabled
Unknown
24
Nodescreates a group for each node range and places each SonicWALL appliance into
its corresponding group.
Registeredplaces the SonicWALL appliances into two groups: appliances that are
registered and appliances that are not.
Schedulercreates a group for each scheduler agent and places each SonicWALL
appliance into its corresponding group.
VPN Presentplaces the SonicWALL appliances into two groups: appliances that have
VPN and appliances that do not.
Warranty Statusplaces the SonicWALL appliances into two groups: appliances that have
current warranties and appliances that do not.
Note: Although SonicWALL GMS supports up to ten custom fields, only seven fields can be used
to sort SonicWALL appliances in any view.
The following is an example of a custom field that you can use:
User-type: different service offerings can be made available to different user types. For
example, engineering, sales, and customer service users can have very different
configuration requirements. Or, if offered as a service to end users, you can allow or
disallow network address translation (NAT) depending on the number of IP addresses that
you want to make available.
SonicWALL GMS is pre-configured with four custom fields: Country, Company, Department,
and State. These fields can be modified or deleted. To add fields, follow these steps:
1. Click the Console tab, expand the Management tree and click Custom Groups.
2.
3.
4.
Note: Category names can only contain alphanumeric characters. Special characters and
spaces are not accepted.
5. Enter the default value for the group in the Default Value field.
6.
Note: Although the fields appear to be in a hierarchical form, this has no effect on how the
fields appear within a view.
To modify or delete fields, right-click any of the existing fields and select Properties or Delete
Category, respectively, from the pop-up menu.
Firmware Views
To ensure that all SonicWALL appliances are using the current firmware, you can create a
view to check and update firmware versions and batch process firmware upgrades when
network activity is low.
For example, if you want to update all SonicWALL appliances to the latest firmware at 2:00
A.M., you can use the following grouping method:
Firmware Version, Time Zone
If you want to update SonicWALL appliances only for companies that have agreed to the
upgrade and you want the upgrades to take place at 2:00 A.M., you can use the following
grouping method:
Company, Firmware Version, Time Zone
Registration Views
To ensure that all SonicWALL appliances are registered, you can create a registration view
and check it periodically. To create a registration view, you can use the following grouping
method:
Registration Status, any other grouping fields
Upgrade Views
You can create views that contain information on which upgrades customers do not have
and forward this information to the Sales Department.
For example, you can choose the following grouping methods:
Content Filter List, Company, Division, Department
Anti-Virus, Company, Division, Department
Warranty Status, Company, Division, Department
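The grouping methods above are hierarchies of field values, evaluated level by level. The following Python script is an added example, not part of this guide or of SonicWALL GMS: it builds such a nested view over a constructed inventory (the appliance records and their field names are assumptions standing in for what GMS would list) and then uses the "Company, Firmware Version, Time Zone" view to pick the units a scheduled firmware batch would target for opted-in companies.

```python
from collections import defaultdict

# Constructed inventory standing in for the appliances GMS would list.
# Field names are the grouping categories described on this page.
APPLIANCES = [
    {"unit": "hq-fw1",  "Company": "Acme", "Firmware Version": "5.8.1", "Time Zone": "US/Pacific",    "Registered": True},
    {"unit": "hq-fw2",  "Company": "Acme", "Firmware Version": "5.9.0", "Time Zone": "US/Pacific",    "Registered": True},
    {"unit": "lon-fw1", "Company": "Acme", "Firmware Version": "5.8.1", "Time Zone": "Europe/London", "Registered": False},
    {"unit": "bx-fw1",  "Company": "Beta", "Firmware Version": "5.8.1", "Time Zone": "US/Pacific",    "Registered": True},
    {"unit": "bx-fw2",  "Company": "Beta", "Firmware Version": "5.9.0", "Time Zone": "US/Eastern",    "Registered": True},
]


def build_view(units, levels):
    """Group units by each level in order, like a GMS dynamic view.

    Returns nested dicts keyed by field value; the innermost value is the
    sorted list of unit names. A unit missing a field goes under "Unknown",
    matching the Unknown bucket GMS shows for fields it cannot classify.
    """
    if not levels:
        return sorted(u["unit"] for u in units)
    groups = defaultdict(list)
    for u in units:
        groups[str(u.get(levels[0], "Unknown"))].append(u)
    return {value: build_view(members, levels[1:])
            for value, members in sorted(groups.items())}


def leaf_paths(view, prefix=()):
    """Flatten a nested view into (path_of_field_values, unit_names) pairs."""
    if isinstance(view, list):
        return [(prefix, view)]
    out = []
    for key, sub in view.items():
        out.extend(leaf_paths(sub, prefix + (key,)))
    return out


def upgrade_batch(units, latest, time_zone, companies=None):
    """Units that still need `latest` firmware, selected by time zone.

    Mirrors the "Company, Firmware Version, Time Zone" grouping: keep only
    opted-in companies (None means all), then take the groups whose firmware
    is not `latest` and whose time zone is the one being scheduled.
    """
    levels = ["Company", "Firmware Version", "Time Zone"]
    batch = []
    for (company, firmware, tz), names in leaf_paths(build_view(units, levels)):
        if companies is not None and company not in companies:
            continue
        if firmware != latest and tz == time_zone:
            batch.extend(names)
    return sorted(batch)


if __name__ == "__main__":
    print(build_view(APPLIANCES, ["Firmware Version", "Time Zone"]))
    print(upgrade_batch(APPLIANCES, "5.9.0", "US/Pacific", companies={"Acme"}))
```

The view is built once and the batch is read off its leaves, so the same structure serves the Registration and Upgrade views described below by changing only the `levels` list.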
1. Right-click anywhere in the left pane of the SonicWALL GMS window and select Manage
Views from the pop-up menu. The Edit View page appears.
2. Type a descriptive name for the new view in the View Name field.
3.
4. To add a view category, click Add Level. View categories are used to filter SonicWALL
appliances in your view. The Group Categories column contains categories that are a
combination of custom fields and SonicWALL GMS fields.
5. To change the Group Category field, select the desired field from the pull-down list. For a
list of SonicWALL GMS fields and their meanings, refer to the About Default SonicWALL
Fields section on page 24.
6.
7.
8.
9. To delete a view category, select the level and click Delete Level.
10. When you are finished configuring this view, click Modify View.
11. When you are finished, click Done.
Changing Views
To change views from within the SonicWALL GMS UI, follow these steps:
1. Right-click anywhere in the left pane of the SonicWALL GMS window and select Change
View from the pop-up menu. The Change View dialog box appears.
2. Select a view and click OK. The SonicWALL GMS UI displays only the SonicWALL
appliances that meet the requirements of the filters defined in the view.
Getting Help
In addition to this manual, SonicWALL GMS provides on-line help resources. To get help, follow
these steps:
1. Click the Question Mark (?) in the upper right-hand corner of the window. Help for the
selected page appears.
2. If available, click the Lightbulb icon in the upper right-hand corner of the window. Tips,
tutorials, and online help are displayed for this topic.
CHAPTER 2
Adding SonicWALL Appliances and
Performing Basic Management Tasks
This chapter describes how to add SonicWALL appliances to SonicWALL GMS, register
appliances, and modify management properties. It also provides an introduction to basic
appliance management tasks that can be performed through SonicWALL GMS. This chapter
contains the following sections:
1. Click the appliance tab that corresponds to the type of appliance that you want to add:
Firewall, SRA, CDP, or Email Security.
2. Expand the SonicWALL GMS tree and select the group to which you will add the
SonicWALL appliance. Then, right-click the group and select Add Unit from the pop-up
menu. To not specify a group, right-click an open area in the left pane (TreeControl pane)
of the SonicWALL GMS management interface and select Add Unit. The Add Unit dialog
box appears.
3. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.
Do not enter the single quote character (') in the Unit Name field.
4. If applicable, choose a Domain to add this appliance to from the Domain pull-down list.
Note: Domain selection is only available to the admin of the LocalDomain. Individual domain
admins can only add an appliance to their respective domains.
5. Enter the serial number of the SonicWALL appliance in the Serial Number field. On
SonicWALL Aventail appliances, the serial number is found on a sticker on the back of the
appliance. Enter it without hyphens.
6.
7. Enter the administrator login name for the SonicWALL appliance in the Login Name field.
For SonicWALL Aventail SRA appliances, the login name is pre-configured as GMS and
cannot be changed.
8. Enter the password used to access the SonicWALL appliance in the Password field.
9. If the SonicWALL appliance will be managed over HTTPS, select Using HTTPS.
10. Enter the IP address of the managed appliance in the IP Address field.
11. Enter the port used to administer the SonicWALL appliance in the HTTP(S) Port field.
12. For VPN tunnel management, enter a 16-character encryption key in the SA Encryption
Key field. The key must be exactly 16 characters long and composed of hexadecimal
characters (0 to 9 and a to f). For example, 1234567890abcdef has the valid form.
Note: This key must match the encryption key of the SonicWALL appliance. You can set the key
on the appliance by logging directly into it.
13. For VPN tunnel management, enter a 32-character authentication key in the SA
Authentication Key field. The key must be exactly 32 characters long and composed of
hexadecimal characters. For example, 1234567890abcdef1234567890abcdef has the
valid form.
Note: This key must match the authentication key of the SonicWALL appliance. The example
values above only illustrate the format; use randomly generated keys on real appliances,
since a predictable key protects nothing.
14. If the SonicWALL appliance uses the Anti-Virus feature, enter the Anti-Virus password.
15. Select, from the list, the IP address of the SonicWALL GMS agent server that will manage
the SonicWALL appliance: the SonicWALL GMS Agent whose IP address matches the IP
address that you specified when configuring the SonicWALL appliance for SonicWALL GMS
management.
16. Enter the IP address of the backup SonicWALL GMS server in the Standby Agent IP field.
The backup server will automatically manage the SonicWALL appliance in the event of a
primary server failure. Any Agent can be configured as the backup.
Note: If SonicWALL GMS is deployed in a single server environment, leave this field blank.
17. To add the appliance to Net Monitor, select the Add this unit to Net Monitor checkbox.
18. Click Properties. The Unit Properties dialog box appears.
19. This dialog box displays the category fields to which the SonicWALL appliance belongs. To
change any of the values, select a new value from the pull-down list. When you are finished,
click OK. You are returned to the Add Unit dialog box.
21. Select the user group or individual users to which read-write privileges should be assigned.
Keep in mind that admins always maintain read-write privileges, regardless of your
selection here.
22. Click OK. The new SonicWALL appliance appears in the SonicWALL GMS management
interface. It will have a yellow icon that indicates it has not yet been successfully acquired.
SonicWALL GMS will then attempt to establish a management VPN tunnel, set up an
HTTPS connection, or use the existing site-to-site VPN tunnel to access the appliance.
GMS then reads the appliance configuration and acquires the SonicWALL appliance for
management. This will take a few minutes.
After the SonicWALL appliance is successfully acquired, its icon turns blue, its configuration
settings are displayed at the unit level, and its settings are saved to the database. A text
version of this configuration file is also saved in the file <gms_directory>/etc/Prefs.
Note: In a multi-tier distributed environment, both the primary and secondary SonicWALL GMS
Agents must be configured to use the same management method.
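When many units are added from a prepared list, the field constraints in steps 3, 5, 11, 12 and 13 above can be checked before anything is typed into the dialog. The following Python script is an added example, not part of this guide or of SonicWALL GMS; the dict field names, the constructed serial number and the sample record are assumptions. It validates an Add Unit record, generates SA keys of the required length from a cryptographic random source, and rejects the example key values quoted in steps 12 and 13, which illustrate the format and must never be deployed.

```python
import re
import secrets

# The guide specifies lowercase hexadecimal digits for both SA keys.
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Values quoted in this guide as format illustrations; never deploy them.
DOC_EXAMPLE_KEYS = {"1234567890abcdef", "1234567890abcdef1234567890abcdef"}


def generate_sa_keys():
    """Random SA keys in the form GMS expects: 16 and 32 lowercase hex characters."""
    return secrets.token_hex(8), secrets.token_hex(16)


def check_hex_key(value, length, label, errors):
    """Append a problem description to `errors` if `value` is not a valid key."""
    if value is None:
        return
    if len(value) != length or not HEX_RE.match(value):
        errors.append(f"{label}: must be exactly {length} hexadecimal characters (0-9, a-f)")
    elif value in DOC_EXAMPLE_KEYS:
        errors.append(f"{label}: documentation example value, generate a random key")


def validate_unit(unit):
    """Return a list of problems with an Add Unit record (empty list means OK).

    `unit` is a dict using assumed lowercase versions of the Add Unit field
    names: unit_name, serial_number, login_name, password, ip_address,
    use_https, port, sa_encryption_key, sa_authentication_key.
    """
    errors = []
    name = unit.get("unit_name") or ""
    if not name:
        errors.append("unit_name: required")
    elif "'" in name:
        errors.append("unit_name: the single quote character is not allowed")

    serial = unit.get("serial_number") or ""
    if not serial:
        errors.append("serial_number: required")
    elif "-" in serial or " " in serial:
        errors.append("serial_number: enter it without hyphens or spaces")

    for field in ("login_name", "password", "ip_address"):
        if not unit.get(field):
            errors.append(f"{field}: required")

    # Default to the standard port for the chosen management method.
    port = unit.get("port", 443 if unit.get("use_https") else 80)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("port: must be an integer between 1 and 65535")

    # VPN tunnel management needs both SA keys, each of its own fixed length.
    enc = unit.get("sa_encryption_key")
    auth = unit.get("sa_authentication_key")
    if (enc is None) != (auth is None):
        errors.append("sa keys: VPN tunnel management needs both the encryption and authentication key")
    check_hex_key(enc, 16, "sa_encryption_key", errors)
    check_hex_key(auth, 32, "sa_authentication_key", errors)
    return errors


if __name__ == "__main__":
    enc_key, auth_key = generate_sa_keys()
    record = {  # constructed sample record, not a real appliance
        "unit_name": "hq-fw1", "serial_number": "0017C5ABCDEF",
        "login_name": "admin", "password": "change-me", "ip_address": "203.0.113.10",
        "use_https": True, "sa_encryption_key": enc_key, "sa_authentication_key": auth_key,
    }
    print(validate_unit(record))
```

`secrets.token_hex(8)` yields 16 hex characters (64 random bits) and `token_hex(16)` yields 32, which is exactly what the two fields accept; the generated keys still have to be entered on the appliance itself, as the notes above say.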
1. Right-click in the left pane of the SonicWALL GMS UI and select Add Unit from the pop-up
menu. The Add Unit dialog box appears.
2. Enter a descriptive name for the SonicWALL appliance in the Unit Name field. Do not enter
the single quote character (') in the Unit Name field.
3. Enter the password to access the SonicWALL appliance in the Password field.
4.
5. Find and select the saved prefs file of the SonicWALL appliance. Click Import. You are
returned to the Add Unit dialog box.
6.
7. This dialog box displays the fields to which the SonicWALL appliance belongs. To change any
of the values, enter a new value. When you are finished, click OK.
8. After you are returned to the Add Unit dialog box, click OK again.
9. Select the user group or individual users to which read-write privileges should be assigned.
Keep in mind that admins always maintain read-write privileges, regardless of your
selection here.
10. The new SonicWALL appliance appears in the SonicWALL GMS UI. It will have a yellow
icon that indicates it has not yet been successfully acquired.
SonicWALL GMS will then attempt to establish a management VPN tunnel to the
appliance, read its configuration, and acquire it for management. This will take a few
minutes.
After the SonicWALL appliance is successfully acquired, its icon will turn blue, its
configuration settings will be displayed at the unit level, and its settings will be saved to the
database. A text version of this configuration file is also saved in
<gms_directory>/etc/Prefs.
1.
2. Expand the Register/Upgrades tree and click Register SonicWALLs. The Register
SonicWALLs page appears.
3. Click Register. The Modify Task Description and Schedule page displays.
SonicWALL GMS creates a task for each SonicWALL appliance registration. The Modify
Task Description and Schedule page allows you to customize the task description and set
the task execution time. During the task execution, SonicWALL GMS registers each
selected SonicWALL appliance using the information that you used to register with the
SonicWALL registration site. After registration is complete, the task is removed from
the Scheduled Tasks page and the status of the task execution is logged. To view these
logs, click the Console tab. Then, expand the Log tree and click View Log. For more
information on Scheduled Tasks, refer to the
4. If the appliance is already registered, the Register SonicWALLs page states "This
appliance is registered."
Note: If a unit has not been acquired (yellow icon), you can change its management mode using
this procedure. After it has been acquired (red or blue icon), you cannot change its
management mode using this procedure and must reassign it. For more information, refer
to the Changing Agents or Management Methods section on page 37.
To modify a SonicWALL appliance, perform the following steps:
1. Right-click in the left pane of the SonicWALL GMS UI and select Modify Unit from the
pop-up menu. The Modify Unit dialog box appears.
2. The Modify Unit dialog box contains the same options as the Add Unit dialog box. For
descriptions of the fields, refer to the Adding SonicWALL Appliances to SonicWALL GMS
section on page 31.
3. When you have finished modifying options, click OK. The SonicWALL appliance settings
are modified.
Caution: Make sure that the appliances will be able to successfully connect to the re-assigned
GMS agent, to avoid losing connection to the appliances.
1. Right-click on the group or appliance that you want to re-assign and select Re-assign
Agents from the pop-up menu.
2. If the appliances to be re-assigned are managed using existing tunnels or the LAN, a
warning message is displayed. Click OK.
3.
4. Select the IP address of the SonicWALL GMS agent server that will manage the
SonicWALL appliance from the Scheduler IP Address list box.
5. If the SonicWALL appliance will be managed over HTTPS, select Using HTTPS.
7. Enter the port used to administer the SonicWALL appliance in the SonicWALL HTTP Port
field (standard: 80; HTTPS: 443).
Note: For SonicWALL Aventail appliance management, use HTTPS port 8443.
8. When you are finished, click OK. A task is created for each selected SonicWALL appliance.
1. Right-click on a SonicWALL appliance or group in the left pane of the SonicWALL GMS UI
and select Modify Properties from the pop-up menu. The Properties dialog box appears.
2. Make any changes to the categories to which the SonicWALL appliance or group of
appliances belongs. For information on creating categories, refer to the Creating
SonicWALL GMS Fields and Dynamic Views section on page 23.
Note: If you are performing this procedure at the group or global level, all parameters are
changed for all selected SonicWALL appliances. For example, if you were attempting to only
change the Country attribute, all other parameters would be changed as well.
3. Click OK. The SonicWALL appliance(s) are moved to the new group.
1. Right-click on a SonicWALL appliance or group in the left pane and select Delete from the
pop-up menu.
2. In the warning message that displays, click Yes. The SonicWALL appliance or group is
deleted from SonicWALL GMS.
Note: After deleting the SonicWALL appliance from SonicWALL GMS, unprovision the unit as a
best practice. To unprovision the unit, log in to the SonicWALL appliance and disable
SonicWALL GMS management, so that the appliance stops sending syslog messages to a
SonicWALL GMS host that no longer manages it.
Appliance Management
Management Task / Location
Inheriting Group Settings
Upgrading Firmware
Managing Subscription Services
Manually Uploading Signatures
Managing Certificates
Understanding Heartbeat Messages
CHAPTER 3
Using the Dashboard Panel
The Dashboard tab is a customizable executive summary of your SonicWALL GMS
deployment. The Dashboard tab provides powerful network visualization reporting, monitoring,
and search filtering tools consolidated into one area of the management user interface. The
Dashboard tab consists of the following components:
The Dashboard tab provides administrators with an executive summary through a Universal
Dashboard geographic map. As depicted in the screenshot below, the Geographic View
provides a scalable map that displays your SonicWALL GMS-managed units and SonicWALL
GMS servers using graphical icons; these icons show system state information on mouse-over.
The Geographic View also provides global to regional map displays of VPN Monitor
Views. The administrator can also use the search option to quickly find keywords within their
SonicWALL GMS deployment. And each SonicWALL GMS administrator can create
multiple customized views of the Universal Dashboard unique to their administrator login.
The Dashboard tab also provides administrators with a centralized location to create Universal
Scheduled Reports for Firewall, SRA, CDP, and Email Security reporting solutions.
Upon initial login, you see a default Dashboard tab. You can further customize this page
by configuring and adding preferred components.
Manage Page and Widget Settings: The cog wheel icon launches the Manage Page and
Widget Settings configuration tool. This tool allows you to edit, delete, or add new widgets
for your Universal Dashboard page, My Default Page, or a new user page. You can also
create widgets for a specific set of SonicWALL devices.
Save Layout: The floppy disk icon allows you to Save Layout. This saves
the Geographic View and the order of your list of widgets.
Search using Keywords: The Search bar allows you to filter the information displayed on
the geographical map. The abc icon displays the Keyword help, which includes the list of
available keywords, a usage description, and a filter example.
Switch to Full Screen: The four-arrows icon switches the page into
full-screen mode.
Pin Control Bar: The pin icon keeps the Dashboard control bar always on.
The Geographical View displays the following SonicWALL GMS elements graphically:
Depending on the administrative access privileges of the logged-in user, the appropriate subset
of the objects above is displayed on the geographical map. For example, the SonicWALL
GMS Servers are displayed on the map only for users in the Administrators group
of the LocalDomain.
This section contains the following subsections:
Control / Description
Zoom
Fit to Scale: when you mouse over the Fit-to-Scale button, a mouse-over message displays
Show all the objects on the Map
Clear Selection
Pin Icon
Blob or Group of Pin Icons
Unknown
Alternatively, click the zoom bar plus (+) button to zoom in to view a specific area or region
of the Map. Another way to zoom in to a target area of the map is to double-click a
spot on the Map; each double-click zooms the map in one increment. You can also use
the mouse scroll wheel to zoom.
In this example, the entire SonicWALL GMS deployment of SonicWALL GMS hosts and
managed devices is located within the continental United States. Therefore, clicking the
Show all objects on the Map button displays all the nodes for this deployment on the
continental United States map. To save this Geographic View, click the floppy disk icon on
the Dashboard control panel.
The Deployment View connecting lines from the SonicWALL GMS host to the SonicWALL
GMS-managed device are graphical color lines representing the status of the management
tunnel as follows:
The VPN Monitor View connecting lines from the SonicWALL GMS-managed firewall to the
VPN Tunnel endpoint are graphical color lines representing the status of the VPN tunnel as
follows:
For more information on configuring your SonicWALL GMS-managed firewall VPN settings,
refer to the Firewall > Policies > VPN > Settings page.
Graphical Icon / Description
A dark gray encapsulated pin icon indicates an unselected SonicWALL GMS-managed unit or
group; a light blue encapsulated pin icon indicates a selected SonicWALL GMS-managed unit
or group.
A host icon with up/down status indicates a SonicWALL GMS host deployed in the
all-in-one role configuration.
A host icon with up/down status indicates a SonicWALL GMS host deployed in the server
role configuration.
A host icon with up/down status indicates a SonicWALL GMS host deployed in the console
agent role configuration.
Logs: Displays the log event message, the friendly name of the SonicWALL device, and
the date timestamp.
Sites: Displays site IP, browse time, hits, and the amount of data transferred.
Scheduled Tasks: Displays the description of each scheduled task, the friendly name of
the SonicWALL device, and the local time of the schedule.
Data Usage: Displays a Timeline graph and a list of Top Protocols including protocol
service name, number of connections, and the amount of data transferred.
Select a node or group of nodes for context-sensitive widget data and statistics. The widgets
display context-sensitive data specific to the network traffic on the selected node.
For more information, refer to the Adding Widgets on the Universal Dashboard section on
page 55.
User name
Object type including managed Firewall, SRA, CDP, or Email Security device, NetMonitored
device, or SonicWALL GMS servers
The Search bar uses both text and expression matching to allow the administrator to create
filter criteria with combination strings. For text criteria, the following search operators are
supported:
equals
contains
starts with
ends with
For expression type criteria, the following search operators are supported:
<
>
!=
The ABC icon next to the Search bar allows you to filter by selecting from a list in the Keyword
Help as shown below. The Keyword Help dialog provides a Description and Usage example for
each keyword. Verify the purpose and usage of the keyword before using the selected keyword
in a filter.
Select a keyword to be used for search or filter. The keywords listed on the left-hand side
provide filter options for your Geographic View. You can only select one keyword at a time. After
selecting a keyword, click on the Use button to add this search criteria.
Note: Not all keywords apply to all Widgets. For some keywords there are Widgets to which they
apply, and Widgets in which the keyword is not interpreted, depending on context.
1. The public WAN IP of the network address object is used to determine the location of the
object in the geographic map. This excludes all objects with private addresses, for example
the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 networks. A mapping service is used to
map the WAN IP to longitude and latitude, which is then translated into a location in the
Geographic View.
2. When a unit is added to SonicWALL GMS, the administrator can specify the location of
the unit, either explicitly in a standard address format, or interactively through a map to
determine the longitude and latitude of the unit's position. Information provided this way
overrides the information retrieved using the WAN IP as described in step 1.
3. In the Geographic View, the administrator can drag a unit and position it anywhere on the
map. This updates the location information (longitude and latitude) of the network address
object and overrides the information from steps 1 and 2.
4. Network address objects whose location is unknown (because the IP is not known, the IP
is in the private address space, or the administrator has not provided longitude and
latitude information) are displayed in a special Unknown area of the geographic map,
from where they can be dragged and placed anywhere on the map.
5. The SonicWALL GMS servers' public WAN IPs are determined by SonicWALL GMS using
Web services, and these IPs are used for the initial positioning of the SonicWALL GMS
servers.
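The five steps above define a precedence: a dragged pin beats an administrator-entered address or geocode, which beats the WAN IP lookup, and anything left over lands in the Unknown area. The following Python script is an added example, not part of this guide or of SonicWALL GMS, that applies that precedence to constructed unit records; the record field names and the small IP-to-coordinates table standing in for the mapping service are assumptions. It excludes the three private ranges the page names (and loopback, link-local and multicast addresses, which no mapping service can place either), so a unit whose only known address is private ends up in the Unknown list rather than being mapped to a wrong place.

```python
import ipaddress

# The private ranges named on this page; GMS will not map these.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the WAN IP to coordinates mapping service (step 1).
GEOIP_TABLE = {
    "203.0.113.10": (37.3382, -121.8863),
    "198.51.100.7": (51.5074, -0.1278),
}


def public_wan_ip(ip_text):
    """Return the address if `ip_text` is a mappable public IP, otherwise None.

    Rejects unparsable strings, the RFC 1918 ranges listed above, and
    loopback, link-local and multicast space.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if any(ip in net for net in PRIVATE_NETS):
        return None
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return None
    return ip


def resolve_location(obj, geoip=GEOIP_TABLE):
    """Apply the page's precedence: dragged pin > admin-entered geo > WAN IP lookup.

    `obj` is a dict with optional keys (assumed layout): wan_ip (step 1),
    admin_latlon (step 2) and dragged_latlon (step 3), the last two as
    (lat, lon) tuples. Returns (lat, lon, source), or (None, None, "unknown")
    for objects that belong in the Unknown area (step 4).
    """
    if obj.get("dragged_latlon"):
        return (*obj["dragged_latlon"], "dragged")
    if obj.get("admin_latlon"):
        return (*obj["admin_latlon"], "admin")
    ip = public_wan_ip(obj.get("wan_ip", ""))
    if ip is not None and str(ip) in geoip:
        return (*geoip[str(ip)], "geoip")
    return (None, None, "unknown")


def place_units(units):
    """Split units into pins on the map and the Unknown list."""
    placed, unknown = {}, []
    for u in units:
        lat, lon, source = resolve_location(u)
        if source == "unknown":
            unknown.append(u["unit"])
        else:
            placed[u["unit"]] = (lat, lon, source)
    return placed, unknown


if __name__ == "__main__":
    demo = [  # constructed records, not real appliances
        {"unit": "hq-fw1", "wan_ip": "203.0.113.10"},
        {"unit": "branch-fw1", "wan_ip": "10.0.0.5"},
        {"unit": "lon-fw1", "wan_ip": "10.0.0.6", "admin_latlon": (51.5074, -0.1278)},
    ]
    print(place_units(demo))
```

Dragging a pin in the real UI writes coordinates back to the object (step 3), which is why `dragged_latlon` is checked first: once set, neither a later address edit nor a changed WAN IP moves the unit until the drag is undone.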
World map: When network objects belong to different continents, the world map is
displayed.
Continent map: When network objects belong to different countries within a continent, the
continent map is displayed.
Country map: When network objects are contained in a single country, the country map
is displayed.
State map: When network objects are contained in North American states within Canada
and the United States, the state map is displayed.
City map: When network objects are contained within a single city's limits, the city
map is displayed.
The network objects displayed in the Geographic Map are either an individual network object
or a blob that represents a collection of network objects.
The Unknown section of the map is a placeholder for all the network address objects whose
location is unspecified. Select a node in the Geographic Location Unknown list and drag it to a
location on the map; the message "Are you sure you want to move the node?" displays.
Click the Yes button to accept this geographic location. The geographic location for the
selected node is updated with the new longitude and latitude coordinates. To view
or update the location, right-click the selected node.
The location information uses the geographical map address, if available, which includes the
following:
Street
City
State
Zip code
Country
Alternatively, the location information uses the geo location, which includes the following:
Latitude
Longitude
Enter either the location address or the geo location to save the location setting. You can use the
Locate buttons to locate based on an Address or Geocodes, and then complete the other field
based on the location search results. For the best results, enter the location address for
SonicWALL appliances residing in North America or Europe, and then click the Locate
Geocode button to identify the latitude and longitude coordinates. For SonicWALL appliances
residing outside North America or Europe, enter the Geo Location directly. The Locate Address
button does not give the best results for devices residing outside North America and Europe,
since the locate address Web service does not provide detailed coverage for all areas.
You can also enter the location information for each SonicWALL device on the respective
System > Info page. When the location information is updated on these pages, the Geographic
Map is updated immediately.
Sites Widget
Applications Widget
Scheduled Tasks
Logs
Alerts Widget
Note: No Widget containing the same content can be added more than once to the Universal
Dashboard or My Default Page.
Note: Up to a maximum of 25 Widgets can be added to the Universal Dashboard or the My
Default Page.
Enter a new name for your new Dashboard page. Most commonly, network administrators
create new Dashboard pages for managed-security providers servicing customers around the
world. You can also create Dashboard pages for your company's different departments, such as
Engineering and IT Operations, for customized Dashboard views.
Widget Settings: Click the cog wheel icon to edit, delete, or copy the widget to another
page.
Refresh Widget: Click the yin-yang icon to refresh the data and statistics for the widget.
Widgets automatically refresh every 60 seconds.
Minimize: Click the minimize window icon to hide your Widget in the bottom-right corner.
Restore/Maximize: Click the four-arrows icon to display the widget in a maximized
window. Click the icon again to restore the Widget to its original window size.
Widgets can be resized by dragging the bottom corners to the desired window size.
Widgets can also be re-ordered by drag and drop. Selecting a Widget and dragging
it over another Widget changes the top panel to a darker color; this represents a Widget
that is overlapping another Widget, and the following message displays.
The drop position of the Widget allows you to re-order the position of your widget before the
selected widget. For example, in this case the Scheduled Tasks Widget is placed in the drop
position before the Applications Widget. The Dashboard page refreshes and the widgets
are now reordered as follows:
1. Sites Widget
2. Scheduled Tasks Widget
3. Applications Widget
4. Logs Widget
You can also re-order the position of Widgets by using the Manage Page and Widgets
configuration page. In the Manage Page and Widgets configuration page, drag the Widget you
want to re-order to your preferred drop location. The two Widgets swap locations.
Adding a Template
Perform the following steps to add a template using the Template Manager:
Step 1
Step 2: Choose the tab for the appliance you wish to add a template to.
Step 3
Step 4: The Edit Template window displays. Note: the Visible to Non-Administrators checkbox is
available for SonicWALL GMS only.
Step 5
Step 6
Step 7: Select the checkbox next to the Reports you wish to use for this template.
Step 8: Select the checkbox next to the Policies you wish to use for this template.
Step 9
Step 1
Step 2: Click the search text field, then enter your search criteria.
Select a filter for your search criteria by clicking Name, Level, Owner, or Last Update from the
search pull-down list. In this example, we enter "unit" for the search criteria and filter
the search results by level.
The Template Manager window displays the latest search results. Notice the template list now
only shows report templates for level: units.
Note: To clear your search results and return the report template list to the default, click the
Clear button.
Editing an Existing Template
Now that you have found an existing template using the search filter, it is time to use the edit
option.
Warning: Editing an existing template also changes the associated scheduled reports (if
applicable).
Step 1: Click the icon for the template you wish to edit. The Edit Template window displays.
Note: the Visible to Non-Administrators checkbox is available for SonicWALL GMS only.
Step 2
Step 3
Step 4: Select the checkbox next to the Reports you wish to use for this template.
Step 5: Select the checkbox next to the Policies you wish to use for this template.
Step 6
Deleting a Template
The Template Manager offers three different ways to delete a template: deleting a single
template, deleting multiple templates, or deleting all templates. Use the Searching for an
Existing Template section to search for templates to delete. Perform the following steps to
delete Universal Scheduled Report Templates:
Warning
Step 2: Click the icon for the template you wish to delete from the Template Manager list.
Step 1
Step 2
Step 3: Click the Delete Selected button. This button is grayed out by default until a checkbox is
selected.
Step 2: Select the Name checkbox; this selects all templates in the list.
Step 3: Click the Delete Selected button. This button is grayed out by default until a checkbox is
selected.
Example
In this example, we use the Configuration Manager search options to find a SonicWALL
TZ 210 wireless-N device in the Device List.
Step 1
Step 2: Select the Firewall tab, located at the top of the Configuration Manager window.
Step 3: Click the View pull-down, then select a view type from the list. In this example we select
Model View (Global View is selected by default), since we are searching for an exact appliance
model. You can also filter the Device List by Firmware View, Global View, Instance View, Status
View, or Gateway.
The Device List now displays all the appliance models.
Step 4
Note: The search history bar populates each time you filter the list. You can use this to
navigate back to previous search results.
You can also click the Search text-box (if you know the exact name of the device), then
manually enter the device name or select the device from the pull-down list.
Step 5: Click the icon to schedule a report for that appliance. Refer to the Creating a Universal
Scheduled Report section for configuration procedures.
In this example we are using the Configuration Manager to schedule a single report for a
Firewall appliance model (group level) and SRA devices (unit level).
Selecting Reports
Step 1
Step 2
Select the Firewall tab, located at the top of the Configuration Manager window.
Step 3
Search for the TZ 210 wireless-N model group. Refer to steps 1-3 in the Searching for a Group
or Device section.
Step 4
Click the
Step 5
Click the Reports tab, then select the checkboxes for reports you wish to include or click the
Use Templates link to choose a template you created.
Note
Step 6
When you select reports in the Reports and Policies tabs, they populate in the list of
Selected Reports located on the right side of the Configuration Manager page. The Selected
Reports panel allows you to organize the list by dragging and dropping reports/devices,
collapse the reports lists for each device (clicking the arrow next to the device name), and
add a note to a report/device.
Click the Policies tab, then select the checkboxes for the policies you wish to include or click
the Use Templates link to choose a template you created.
The reports for the Firewall model group are now selected. Next, choose the reports for the SRA
device.
Step 7
Step 8
Step 9
Click the
Note
General Information
Note
Step 1
Step 2
The settings entered in the Task Info, Format/Settings, and Email/Archive Info sections
populate the Configurations panel located on the right side of the General Information
page.
Report Format: PDF or XML (If XML is selected, the ZIP Password Protection option is
grayed out)
PDF Password Protect: Yes or No (If Yes is selected, a pop-up window appears and
prompts you to enter the Password)
Step 3
Step 4
Click the E-mail checkbox to send a PDF report to an email account or alias.
The Email configuration options display.
Note
Step 5
Theme Information
The Theme Information page displays. If XML is selected from the General Information page,
the Theme Information page is not displayed.
Note
Step 6
The settings entered in the Cover Page and Report Page panels automatically update in the
image located on the right side of the Theme Information page. To preview the cover / report
pages, select the Cover Page or Report Page tab.
Cover Logo: Select a logo (click the pull-down and select a cover logo image) or Upload
a logo (click the Browse and Preview button to upload a logo)
Cover Title: Enter a name (Weekly Data Usage Report) for your Universal Scheduled
Report, then select or enter the foreground and background colors
Cover Subtitle: Enter a subtitle (U.S. Engineering Department) for your Universal
Scheduled Report, then select or enter the foreground and background colors
Step 7
Step 8
Click the Cover Page and Report Page tabs to preview your Universal Scheduled Report.
Step 9
Note
When the Universal Scheduled Report PDF is exported, a table of contents is created. This
allows you to quickly browse through your scheduled reports.
The report is now scheduled and can be found in the Universal Scheduled Report > Manage
Scheduled Reports page.
Navigate to the Universal Scheduled Reports > Manage Scheduled Reports page.
Step 2
Use the filter options to search for a report in the Scheduled Report Management list, then select
the checkbox of the report you wish to resend.
Step 3
Step 4
Step 5
The Info pop-up window displays, confirming the schedule resend is complete.
Step 6
Navigate to the Universal Scheduled Reports > Manage Scheduled Reports page.
Step 2
Use the filter options to search for a report to Email/Archive in the Scheduled Report
Management list.
Step 3
Step 4
Step 5
Step 1
Navigate to the Universal Scheduled Reports > Manage Scheduled Reports page.
Step 2
Use the filter options to search for a report in the Scheduled Report Management list, click the
icon for that Report.
Step 3
To edit the Scheduled Report, use the same configuration procedure shown in the Creating a
Universal Scheduled Report section.
Navigate to the Universal Scheduled Report > Manage Scheduled Reports page.
Step 2
Click on the
Step 3
Step 4
Note
In the Format / Settings panel, navigate to the Disable the Report option and click the Yes
checkbox.
To enable the scheduled report, repeat steps 1-3, then click the No checkbox.
Navigate to the Universal Scheduled Report > Manage Scheduled Reports page.
Step 2
Use the filter options to search for a report in the Scheduled Report Management list, then select
the checkboxes for the reports you want to delete.
Step 3
Note
CHAPTER 4
Overview of Reporting
This chapter describes how to use SonicWALL GMS reporting, including the type of information
that can appear in reports. A description of the available features in the user interface is
provided.
This chapter includes the following sections:
Troubleshooting Reports, page 107: One of the most common reasons that a report does not
display is that no data is available for the selected appliance. There are several reasons why
you might see this error. GMS displays the most likely reason(s) and gives you instructions for
ways to resolve the problem.
calendar. The search operator field offers a comprehensive list of search operators that varies
depending on the search field, which can be either text-based or numeric. Refer to Layout of
Reports Display on page 90 to see these items in the context of the Report page.
You can search all columns of report data except columns that contain computed values, such
as %, Cost, or Browse Time. SonicWALL GMS waits until you click the Go button before it
begins building the new report.
The SonicWALL GMS Reporting Module provides an interactive interface that:
Viewing Reports
The GMS Reports view under the Firewall, SRA and CDP tabs is divided into three panes, as
shown below: the TreeControl Pane, the middle pane with the Policies and Reports tabs, and
the Reports pane.
TreeControl Pane: A list of views and individual units referred to as the TreeControl. In
the left pane, you can select a top level view, a group view, or a unit to display reports that
apply to the selected view or unit. GlobalView is the default top level selection.
List of Reports: The middle pane provides two tabs: Policies and Reports. The Reports
tab contains a list of available reports that changes according to your selection in the
TreeControl pane: GlobalView provides a general summary of various functions, and unit
view provides specific details. The reports are divided into categories. You can click on the
top level report in a category to expand it to view the list of reports in that category, then
click on an individual report name to view that report. To keep a category in expanded view,
click on the category while pressing the Ctrl key. Otherwise, the expanded entry will
collapse when the next entry is expanded.
The Reports Pane: The right pane displays the report that you selected in the middle pane
for the view or unit that you selected in the TreeControl. For most reports, a search bar is
provided at the top of the pane. Above the search bar, a time bar is provided. You can view the
report for a particular time by clicking right and left arrows, or clicking on the center field to
get a pull-down menu with more options. Click on icons in the upper left corner to send the
report to a PDF or UDP file. These files can then be printed for reference. A quick link to
the Universal Scheduled Reports menu is also provided, allowing you to set up scheduling
and other functions.
The SonicWALL GMS reporting module provides the following configurable reports under the
Firewall and SRA tabs:
Table 6: Firewall Reports
Data Usage*
User Activity Reports
Applications*
Web Activity*
Web Filter*
VPN Usage*
Threats (Summary Only)
Intrusions: Provides event reports about intrusion prevention, targets, initiators, as well as detailed timelines.
GAV: Provides reporting on virus attacks blocked.
Anti-Spyware: Provides reporting on attempts to install spyware.
Attacks: Provides event reports about attacks, targets, and initiators.
Authentication: Provides login reports.
Analyzers: Provides a detailed analysis of logs or activities.
Up-Down: Provides a timeline of Up-time vs. Downtime, either as a summary or on a per unit basis.
Configuration: Configures settings for Summarizer and Log Analyzers.
Events: Creates, configures, and displays alerts.
Custom Report: Provides Internet Activity and Website Filtering reports with details from raw data. Custom Reports are only available at the unit level.
* Multi-Unit Report Available: Provides a high-level activity summary for multiple units.
Table 7: SRA Reports
Data Usage*
User Activity Reports
Access Method
Authentication
WAF*
Connections*
Up-Down
Analyzers
Events
Custom Report
* Multi-Unit Report Available
Table 8: CDP Reports
Multi-unit Summary Reports
Capacity
Backup Activity
Up/Down
Summary pages are available for the major functions on the middle pane. By default, they
display both the Chart View and Grid View. You can use the toggle buttons to the right to display
either view, or both.
Note
The selected Chart or Grid view remains in effect only for the specified screen. Changing
screens will default back to the Chart and Grid View.
Unit View
The Unit view provides a detailed report for the selected SonicWALL appliance.
SonicWALL GMS provides interactive reports that create a clear and visually pleasing display
of information. You can control the way the information is displayed by adjusting the settings
through toggles that allow you to display a graphical chart, a grid view containing the
information in tabular format, or both (default). Reports are scheduled and configured in the
Universal Scheduled Reports settings. For more information, refer to the Using the Universal
Scheduled Reports Application section on page 58.
The Reports tab provides a list of available Reports. Click on the type of report to expand the
list items and view the available reports in that screen group.
Tip
At times, you may wish to see multiple screen groups at the same time. Ctrl-click to keep a
previously-expanded topic from collapsing when you select a new report category. For
example, you may want to view Data Usage, Applications, and Intrusions simultaneously, to
see what detail sections are available. Control-click on these entries to see all the screen
groups under these entries simultaneously.
The reports available are usually the reports that appear as sections in the Details view. The
Details entry is a shortcut to a view of all the available reports.
Click on the desired tab at the top of the SonicWALL GMS interface.
Step 2
Step 3
Step 4
Click on the desired report in the list of reports on the Reports tab.
The default view of a root-level report always shows the chart and grid view of the report. The
Sections displayed in the Grid View depend on the Report item selected and the filters applied
to it. Additional information can be displayed by mousing over certain elements of the Report.
Note
As you navigate the Reports panel with a single SonicWALL appliance selected and apply
filter settings, your filter settings will remain in effect throughout the session. To remove filter
settings, click on the search bar Remove Filters button. (Refer to the graphic in Layout of
Reports Display, below.)
The Filter Bar area, which includes the Time Bar, Export buttons and Custom Reports
buttons, and data filter functions
Save button
SonicWALL GMS 7.0 Administrators Guide
Note
Report Data Container. The Report Data Container consists of the Chart View and the
Grid View, the Show Chart, Show Grid, and Show Chart and Grid toggle buttons, and the
Reload Data button.
The Chart view is clickable. You can drill down to Detail sections simply by clicking on areas
of interest in the bar-chart or pie-chart.
Last 1 hour
Last 6 hours
Last 12 hours
In the pull-down schedule menu, you can specify a recent time snapshot, or click on Custom
to select the starting and ending dates and times. The Custom option allows you to select a
specific time and date or range from the Interval menu.
Step 1
To set up a custom time range, click in the Time Selector Bar. The Interval pull-down menu
appears.
In the Interval menu, you can either set the date manually or by using the pull-down calendar.
In the calendar, you can set the month by clicking the desired dates. If no data is available for
a specific date, that date will not be available (grayed out).
Step 2
Set a specific start and ending time by specifying hours and minutes you want to monitor. The
default for a date is an interval starting at hour 0 minute 0 (midnight) and ending at 23:59 (11:59
PM).
Step 3
The Interval menu also lets you set how many lines of information appear in the graph view.
Click the date, and when the Interval pull-down appears, specify the number of rows. Select 5,
10, 20, 50, or 100 from the Rows pull-down list to limit the display to the specified number of
lines, for easier viewing.
Step 4
Report data is sorted and ranked according to how many rows are displayed. By specifying a
limited number of rows to be displayed in the graph section of the Report, rankings will apply
only to the data in those rows. If you reverse the sort order by clicking on the column bar, only
the displayed items will be re-sorted.
To re-sort according to all collected data in the database, click on the Enable Server Side Sort
checkbox on the pull-down menu. The ranking of the grid items will then reflect all data from
the total entries.
By default, Client-side Sort is used, which sorts only the currently viewable data, that is, the
rows retrieved from the database when the report was first loaded.
For example, the snapshot below shows data displayed only as it pertains to ten rows.
If you re-rank the column to see the lowest number of hits, it will rank only the items displayed
in the ten rows you selected.
Use Enable Server Side Sort to sort data based on all underlying data records, not the
client-side sort. Server side Sort retrieves current data from the back end database. Client-side
sort merely rearranges the data already retrieved. You can still constrain your display to 10
rows, but the display will re-sort based on the total data collected in the back-end database,
and not just the data previously displayed.
Export Results
The Export Results icons allow you to save a report in either PDF or Excel format.
Tip
Export to PDF: This button will allow you to save the displayed report data to a PDF file.
The PDF can export a maximum of 2500 rows.
Export to CSV: This button allows you to send the report to a file in Microsoft Excel Comma
Separated Value (CSV) format. Excel can export a maximum of 10,000 rows.
To print a report, export it to PDF, using the Export to PDF button, then print out the PDF file.
If a very large Report file, such as a system log, is being exported, the number of lines that can
be saved is limited. When you click the icon, you will see a message like the following:
Select whether to print only the currently-displayed screen, or the maximum number of rows.
The Filter Bar is at the top of the Report. It contains the Add Filter (+) button for adding filters
and Go button to apply filters, as well as the Clear Filter button to clear all filters.
Using the Filter Bar allows you to view subsets of the report data, based on a set of pre-defined
filters.
Adding Filters
Filters can be added in two ways, either explicitly through the Filter Bar, or implicitly by clicking
on the hyperlinks in the grid sections of a displayed report. As hyperlinks are clicked, those link
criteria are added to the Filter Bar as if they had been added explicitly. Refer to the Adding
Filters Implicitly section on page 98 for more information.
Use the Filter Bar to add pre-defined filters from a pull-down menu and to specify parameters
for those filters. Filter values will be matched in the database during report generation.
Click the Add Filter button (+) on the left to display a pull-down menu, which can then be used
to fine-tune the report data by selecting categories.
Filters can also be added by right-clicking on a column entry and selecting the Filter option from
the pull-down menu.
Filter criteria are context-dependent, meaning that SonicWALL GMS finds the specific filter
operators applicable to the entry. Many filter operators are used in connection with a text string
or numeric filter input value that determines what data to include in the report. This control uses
auto-complete to suggest a set of candidate values, or you can manually enter a different value.
Manually-entered values should be checked for blanks, illegal characters etc.
Operators are specified by clicking on the default operator to bring up the pull-down menu of
available operators.
Depending on the selected field type, text string or numeric, several filter operators are
available. The filter operators are used with a filter input value to restrict the information
displayed in the Detail report.
The operators are defined as shown in Table 9.
Table 9: Filter Operators
Operator: Definition
Equals: Only data that exactly matches the filter input text will be included in the report
Start with
End with
Contains
>
>=
<=
<
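The following is an added example, not code from the SonicWALL GMS guide or product: a small in-memory model of a report grid that applies the Table 9 filter operators (with the blank and illegal-value checks recommended above) and contrasts the Client-side Sort and Enable Server Side Sort behaviour described in the Sorting section. The rows, column names and hit counts are constructed for illustration.

```python
"""Added example, not code from the SonicWALL GMS guide: a small in-memory model of a
report grid. It applies the Table 9 filter operators (with the blank/illegal value check
the guide recommends) and contrasts client-side sort, which re-ranks only the displayed
rows, with server-side sort, which re-ranks all collected records. Sample rows and
column names are constructed for illustration."""
import operator
from typing import Any, Callable, Dict, List, Tuple

Row = Dict[str, Any]
Filter = Tuple[str, str, str]  # (column, operator, entered value)

# Table 9 operators. Text operators apply to string columns (Host, User, ...);
# the comparisons apply to numeric columns (Hits, Connections, ...).
TEXT_OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda cell, text: cell == text,
    "Start with": lambda cell, text: cell.startswith(text),
    "End with": lambda cell, text: cell.endswith(text),
    "Contains": lambda cell, text: text in cell,
}
NUMERIC_OPERATORS: Dict[str, Callable[[float, float], bool]] = {
    ">": operator.gt, ">=": operator.ge, "<=": operator.le, "<": operator.lt,
}

# Constructed sample of a Data Usage > Initiators grid (hypothetical hosts and hit counts).
SAMPLE_ROWS: List[Row] = [
    {"initiator_ip": f"10.0.0.{i}", "host": f"host-{i:02d}.corp.example", "hits": hits}
    for i, hits in enumerate(
        [410, 95, 880, 12, 305, 57, 740, 133, 9, 260, 620, 48, 170, 3, 505], start=1)
]


def apply_filter(rows: List[Row], column: str, op: str, value: str) -> List[Row]:
    """Return the rows that satisfy one filter bar entry.

    The entered value is rejected when blank, and a numeric operator is rejected
    unless the value parses as a number, so a typo cannot silently produce an
    empty or misleading report."""
    if not value.strip():
        raise ValueError("filter value must not be blank")
    if op in TEXT_OPERATORS:
        match = TEXT_OPERATORS[op]
        return [r for r in rows if match(str(r[column]), value)]
    if op in NUMERIC_OPERATORS:
        try:
            number = float(value)
        except ValueError:
            raise ValueError(f"operator {op!r} needs a numeric value, got {value!r}") from None
        compare = NUMERIC_OPERATORS[op]
        return [r for r in rows if compare(float(r[column]), number)]
    raise ValueError(f"unknown operator {op!r}")


def apply_filters(rows: List[Row], filters: List[Filter]) -> List[Row]:
    """Filters added one at a time (each applied with Go) combine by AND: a row
    stays in the listing only while it passes every active filter."""
    for column, op, value in filters:
        rows = apply_filter(rows, column, op, value)
    return rows


def fetch_top_rows(rows: List[Row], limit: int, rank_by: str = "hits") -> List[Row]:
    """Initial retrieval: rank by the ranked column, highest first, and return
    only the number of rows chosen in the Rows pull-down (5, 10, 20, 50 or 100)."""
    return sorted(rows, key=lambda r: r[rank_by], reverse=True)[:limit]


def client_side_sort(displayed: List[Row], column: str, ascending: bool) -> List[Row]:
    """Default mode: re-sort only the rows already retrieved. Reversing the order
    cannot surface records that fell outside the displayed rows."""
    return sorted(displayed, key=lambda r: r[column], reverse=not ascending)


def server_side_sort(all_rows: List[Row], limit: int, column: str, ascending: bool) -> List[Row]:
    """Enable Server Side Sort: rank every underlying record first, then constrain
    the display to `limit` rows, so the lowest-ranked records can appear."""
    return sorted(all_rows, key=lambda r: r[column], reverse=not ascending)[:limit]


def lowest_hits_shown(mode: str, rows: List[Row] = SAMPLE_ROWS, limit: int = 10) -> int:
    """Smallest hit count a user sees after asking for ascending order with the
    grid limited to `limit` rows, in "client" or "server" sort mode."""
    if mode == "client":
        shown = client_side_sort(fetch_top_rows(rows, limit), "hits", ascending=True)
    elif mode == "server":
        shown = server_side_sort(rows, limit, "hits", ascending=True)
    else:
        raise ValueError(f"unknown sort mode {mode!r}")
    return shown[0]["hits"]


if __name__ == "__main__":
    busy = apply_filters(SAMPLE_ROWS, [("hits", ">=", "500"), ("host", "Start with", "host-1")])
    print("hosts with >= 500 hits whose name starts with host-1:",
          [r["host"] for r in busy])
    print("lowest hits visible, client-side sort:", lowest_hits_shown("client"))  # 95
    print("lowest hits visible, server-side sort:", lowest_hits_shown("server"))  # 3
```

With 15 initiators and the grid limited to 10 rows, reversing the sort client-side still shows only the 10 highest-hit initiators (lowest visible: 95 hits), whereas server-side sort brings the five quietest initiators into view (lowest visible: 3 hits).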
To add a filter, click on the Add Filter (+) menu and select a filter from the pull-down menu.
Available Filter categories may differ, depending on the report, and may require parameters.
Some filter fields use operators with text or numeric values. Others might have pre-filled values.
For example, the Initiator Country filter displays a pull-down list, allowing you to display results
based on a selected country.
Step 2
Click the Go button (right-hand arrow) to add a filter. Each filter must be applied by clicking on
Go before you can select and apply the next filter. The filter bar will show all filters added,
whether added from the menu bar or pull-down menu.
As filters are added, items that have been filtered out disappear from the listings, reappearing
only when the associated filter, or all filters, are removed.
Step 3
To remove a filter, click the + next to the filter in the menu bar and click the Go (right arrow)
button. To clear all filters, click the Clear Filter (x) next to the filter fields.
To add a filter to a drillable column containing hypertext links, right-click on a hypertext column
cell and select Add Filter from the resulting pull-down context menu.
Because the filter is context-sensitive, it may suggest a set of candidate values, or you can manually
enter a different value. A new filter will be automatically added to the filter bar, and the report will
be updated accordingly.
Once added, the filter is added to the filter area of the Search Bar and no longer appears in the
pull-down list. The report will display only results restricted by that filter.
Step 2
To remove the filter, click the x next to that filter, or clear all filters by clicking the red X button
to the right of the field.
Note
Custom Reports created by a specific user are viewable by that user, and no one else.
Domain Administrators can view all available reports.
Step 1
To save a report, along with its filter criteria, click the Save Report icon.
Step 2
Step 3
To view a saved Custom Report, click the Custom Reports button to bring up a menu that
contains a list of all saved Custom reports available for viewing. Selecting a Custom Report from
this pull-down loads data for the selected report into the Report Data Container.
Step 4
You can also load a saved report from the Report tab on the middle bar menu. Click Custom
Reports on the Reports tab and select the desired report to load it into the Data Container.
Step 5
Click on the appropriate Export Results icon to save a report to a PDF file or Excel spreadsheet.
To print a copy of the report, click on the PDF icon and save it to a file, then print the PDF file.
Tip
Saved Reports can be modified or deleted by clicking on Custom > Manage Reports.
Scheduling Reports
You can schedule a report to be created and sent to you in email, using the Universal
Scheduled Reports function.
The Schedule Reports icon is located to the right side of the toolbar above the Load Custom
Reports button.
Click this icon to bring up the Universal Scheduled Report Configuration Manager.
When the Configuration Manager menu comes up, it will be pre-filled with the information about
the current Reports page. Using this report, you can set up specific tasks, choose the format for
the report, and other options. For more information on using Universal Scheduled Reports, refer
to the section: Universal Scheduled Reports.
Note
Cell data in the report container can be copied by right-clicking the cell and selecting Copy
Cell Data from the pull-down menu.
Note
Root level reports available in the Reports panel usually contain only one section.
The Report Data Container sections either appear as a chart view, a grid view, or both.
The default display mode is Show Chart and Grid. In this mode, the data is available for
viewing as both a Chart and a Grid. This layout can be controlled by switching between 3
display mode options, any of which can be turned on/off at any time, using the utility toggle
button group on the Section Title Bar.
The display modes available on this layout are:
Show Chart: In this mode only the chart is visible and takes up all the available space
inside the section container. Charts show a timeline or pie chart.
Show Grid: In this mode only the Grid is visible. The Grid Display may contain more than
one Section.
Show Chart and Grid: In this mode both the chart and the grid are visible and are vertically
stacked.
Switching between these modes is handled through the utility toggle buttons.
Drilling Down
Sections in the Grid display may contain drillable columns, containing hypertext links to bring
up a Detail Report. A drillable column appears as a column in the data grid, where the child values
appear underlined and in blue, and act as a hyperlink to additional information. Click on any of these
values to drill down to another report, using the value on which drill-down has been executed as a
filter. When you click on a drillable link, this filter will be added to the Filter Bar.
Drilling down navigates to a new Detail report, filtered by the data on which the drill-down was
executed. Drillable reports can display multiple grid sections in the sub-reports, or bring up a
System Analyzer view, depending on the item selected.
The following example illustrates how you can drill down through the Data Usage Report by
clicking on a drillable entry to gain more information and filter the results.
Step 1
Click on an appliance, then click Data Usage on the Reports tab. You will see a timeline
showing connections.
Step 2
Click on a hyperlinked Time to go to the Detail view of the Report. The Detail view contains
multiple sections, including Initiators, Responders, Service types, Initiator Countries, and
Responder Countries. Depending on the number of entries, you may need to scroll down to see
all the sections.
Note
You can also apply a filter through the Filter Bar or by right-clicking the entry. Select the filter
and click Go. The Report will show the detail view applicable to that filter.
Step 3
To further filter the output, to view only tcp/https usage, click on the tcp/https entry under
Services. A Detail report, filtered to show only usage of tcp/https, comes up. Notice that a
Notice that the Report now focuses on the filter constraint from the drilled-down column.
Since this report also contains drill-down areas, you can drill down even further to add
additional constraints to the results.
Note
Many report categories contain a Details item in the list of reports. This link provides a
shortcut directly to the Detail view of all sub-sections of the report. You can apply filters
directly to the Detail view to further constrain the displayed information.
The Log Analyzer provides the most detailed Report information.
Step 4
Note
To view the Log Analyzer, go to the Reports tab once you have drilled down to the desired level
of detail and click on Analyzers > Log Analyzer.
Because Log Analyzer Reports can contain a very large amount of data, you may wish to
limit the amount of data displayed on the page. The amount of data in the report can also
affect the loading speed.
The Log Analyzer contains information about each connection, including port and interface
information, number of Bytes sent, etc.
You can drill down through the Log Analyzer Report as well. Clicking on a column item adds an
additional filter and narrows down your results, allowing you to zoom in on specific instances.
Some Log Analyzer reports can be reached as the final step of a drilldown process.
The bottom bar of the Log Analyzer contains a page bar, which allows you to navigate through
the report by paging forward and backward, or going to the specific page of interest.
Custom Reports
Specific customized reports can be generated and saved by means of the Save icon. Click the
Save icon to bring up a drop down allowing you to save a custom report.
This menu will be pre-filled with a name reflecting the report it was based on. If an earlier report
with this name was generated, you can choose to overwrite it or save a new copy, or assign it
a different name.
The new Custom report will be added to the pull-down menu accessed when you click Load
Custom Report. It will also be added to the Reports Tab list under Custom. When a specific
Custom report is selected on the Load Custom Report pull-down menu, the button will reflect
the name of that report.
Custom Reports can also be accessed or deleted by going to Reports > Custom > Manage
Reports.
a report does not display is that no data is available for the selected appliance. There are
several reasons why you might see this error. GMS displays the most likely reason(s) and gives
you instructions for ways to resolve the problem.
The most common examples are shown below.
Appliance is in a Provisioned State:
GMS is waiting for a handshake response signal from the appliance. Generally, the TreeControl
menu will also flag the appliance with a lightning bolt on a yellow background.
Appliance is Down
For information about GMS management settings, see the Configuring Management
Settings section on page 775 in the Configuring Console Management Settings chapter.
For information about user screen permissions, see the Moving a User section on
page 787 in the Configuring Console Management Settings chapter.
Reports generated by pre-7.0 releases of SonicWALL GMS can still be viewed, but require
specific configuration. See the Managing Legacy Reports section on page 808.
CHAPTER 5
Viewing Firewall Reports
This chapter describes how to generate reports using the SonicWALL GMS Reporting Module.
The following section describes how to configure the settings for viewing reports:
Log Analyzer
You can view Reports either as Summary reports for all or selected units on the
SonicWALL GMS network, or view detailed reports for individual units.
Step 2
Step 3
Step 4
Step 5
Expand the desired selection on the Reports list and click on it.
Note
All Reports show a one-day period unless another interval is specified in the Time Bar.
The following types of reports are available:
Global or Group Level Reports:
Data Usage
Applications
Web Activity
Web Filter
VPN Usage
Threats
Note
Initiators: Top Initiators, listed by IP address, Initiator Host, User, and Responder,
displayed as a pie chart
Details: provides a shortcut to the Detail view normally reached by drilling down.
Detail sections include: Initiators, Services, Responders, Initiator Countries, and
Responder Countries. Additional filtering/drilldown takes you to the Log Analyzer
Applications
User Activity
Web Activity
Sites: sites visited by IP, name, and category, with hits and browse time
Details: provides a shortcut to an access timeline and Detail view normally reached
by drilling down. Detail sections include: Categories, Sites, and Initiators.
Web Filter
Sites: sites visited by IP, name, and category, with hits and browse time
Details: provides a shortcut to an access timeline and Detail view normally reached
by drilling down. Detail sections include: Categories, Sites, and Initiators.
VPN Usage
Intrusions
Gateway Viruses
Timeline: times when the virus attempted to gain access, displayed over time
Spyware
Timeline: times when the spyware accessed the system, displayed over time
Attacks
Targets: host and IP address, and number of times access was attempted
User Login
Admin Login
Failed Login
Analyzers
Log Analyzer: provides a detailed event-by-event listing of all activity. The Log
Analyzer is drillable, but no Detail sections are available.
Up/Down
Hypertext-linked columns are drillable, meaning you can click on the hypertext entry to bring up
a Detail view with more information on the desired entry. Detail views might have multiple
sections.
The Detail views are usually reflected in the sub-headings under the Reports list, which provide
a shortcut directly to the Detail Report. To go to the full Detail view, click the Details entry in the
Reports list. From the Detail view, you can access the system logs, for event-by-event
information, or further filter the results. For more information on using the Log Analyzer to view
and filter syslog reports, see the Using the Log Analyzer section on page 124.
Detail views can contain multiple sections. To determine if you have reached the end of the
list of sections, check for the time zone message, which indicates the end of the Detail View.
Reports with hyperlinked columns can be filtered on the column or by drilling down on the
hyperlinked entry.
You can also get to a filtered Detail view by clicking the section representing the desired
information in the pie chart.
To save a filtered view for later viewing, click on the Save icon on the Filter Bar. The saved view
will now appear under Custom Reports.
To learn more about Custom reports, see the Custom Reports section on page 135.
Data Usage
App Control
Web Usage
Web Filtering
VPN Usage
Threats
Group-level Summary reports provide an overview of information for all Firewalls under the
group node for the specified period. The report covers the connections and transfers by
appliance for Data Usage, App Control, and VPN Usage. For Web Usage and Web Filters, hits
are also included. Web filters and Threats list attempts at connection. Unless specified
differently in the Date Selector, the Summary report covers a single day. Global Summary
reports are not drillable.
To view the Summary report, perform the following steps:
Step 1
Step 2
Step 3
Similar summary reports are available for all the Global or Group reports specified above.
Note
Global reports are displayed in the GMS's time zone. Reports for individual SonicWALL
security appliances are displayed in the individual appliance's time zone.
Step 1
Step 2
Click Data Usage > Timeline. (This is the default view when the Firewall Report interface
comes up.)
This report is drillable. Click on an Initiator IP entry to break the Timeline report down into its
Detail View report groups for the selected IP address. These groups also contain drillable
hyperlinks that will take you to more specific Detail View information. The columns can also be
filtered on. For more information on drilling down in a report, refer to Drilling Down on
page 101.
The following Section entries are available:
Initiators: Initiators are grouped by IP, Host, User Name, Connections, and Transferred
Connections
Responders: Responders are grouped by IP, Host, User Name, Connections, and
Transferred Connections
If you wish to create a new report, use the Filter Bar to create a new report.
Step 1
Step 2
Step 3
Click on User Activity > Details to bring up the User Activity Analyzer. The User Activity
Analyzer generates a Detail report based on the user name.
If no user activity reports were saved, only the Filter Bar will display, with the User filter
pre-selected. You can enter a specific user name, or use the LIKE operator wildcards (*) to
match multiple names.
Step 4
Enter the name of the user into the field and click the Go (arrow) button to generate the report.
The customized User Activity Details report will display a timeline of events, Initiators,
Responders, Services, Applications, Sites visited, Blocked site access attempted, VPN access
policy in use, user authentication, Intrusions, Initiator Countries, and Responder Countries
associated with that particular user.
Data for a particular user may not be available for all of these categories.
Step 1
Step 2
Step 3
The Applications Report displays a pie chart with the application and threat level it poses.
You can drill down for additional Details views on connections over time (Timeline view), Data
Usage, Detected applications, Blocked applications, Categories of applications, top initiators.
Step 2
Step 3
Step 2
Step 3
The Web Filter Report displays a pie chart with the Top Categories of blocked access and total
attempts to access.
You can drill down for additional Details views on connections over time (Timeline view), Sites
visited, Categories of sites, and Top initiators. A Details entry links directly to the details view
of all entries.
Step 1
Step 2
Step 3
The VPN Usage Report displays total connections for each VPN Policy item as a pie chart and
tabular grid view.
You can drill down for additional Details views on Service protocols and Top initiators.
Step 2
Step 3
The Attacks report provides a pie chart and a list of the initiating IP addresses, hosts, and users,
with number of attempts for each.
Drill down for additional Detail views of Intrusion Categories, Targets, Initiators, Ports affected,
Target Countries, and Initiator Countries.
Step 2
Step 3
The report provides details on the viruses blocked, the targets, initiators, and a timeline of when
they attempted access.
Drilling down provides a list of virus identity, Targets, Initiators, Target Countries, and Initiator
Countries.
Step 2
Step 3
Step 2
Step 3
The Attacks report provides a pie chart and a list of the initiating IP addresses and hosts.
Drill down for additional Detail views of Intrusion Categories, Targets, Initiators, Ports affected,
Target Countries, and Initiator Countries.
Step 1
Step 2
Step 3
The Authentication report displays a list of authenticated users, their IP addresses, service,
time they were logged in, and type of login/logout. Additional Reports are available for
Administrator logins and failed login attempts.
You can filter on the Service to view SRA and other appliances by drilling down to the syslog.
Step 1
Go to the filter bar and click on the + and select Service from the pull-down menu. Click on the
= operator, and click on the field next to it to bring up the pull-down menu. Select SSLVPN from
the pull-down list.
Step 2
Note
For the Duration and Service categories to be present, the Firewall appliance firmware must
be at least version 5.6.0.
Note
Click Load Custom Report and select from the pull-down list of saved Custom Reports.
The Log Analyzer entries display raw log information for every connection. Depending on
the amount of traffic, this can quickly consume a large amount of space in the database. It
is highly recommended to be careful when choosing the number of days of information to be
stored.
The log displays information specific to either a particular report or overall system information,
depending on the path used to reach the log, either from the individual report level or from the
Log Analyzer entry on the Reports tab. Entries in the Analyzer log will vary, according to the
relevant report type.
The log event messages are color-keyed according to priority. Red is the highest priority,
followed by yellow for Alerts. Messages without color keys are informational, only. The color
categories are:
Alert: Yellow
Critical: Red
Debug: White
Emergency: Red
Error: White
Info: White
Notice: White
Warning: White
Color keys allow you to immediately focus on the priority level of the message, and filter data
accordingly.
Step 2
Step 3
Click to expand the Analyzer tree and click on Log Analyzer. The saved Log Analyzer report
page displays.
Note
Step 4
Because system logs have a large number of entries, it is advisable to constrain the number
of entries displayed on the page.
Saved system logs are limited in the number of rows that will be saved. If saving to PDF, a
maximum of 2500 rows will be saved. If saving to Excel, a maximum of 10,000 rows will be
saved.
To add a filter, click on the + in the Filter Bar and specify the desired filter item and parameters.
Available filters include filters for Application, Category, DST Interface, DST Port, Duration,
Initiator Country, Host, or IP address, Interface, Message, Priority, Responder country, IP, or
Name, Service, Session, Src Interface, Src Port, URL, User, or VPN Policy. This full list is
available from the Log Analyzer Entry.
If you are viewing the log in the Log Analyzer view for a specific application entry, only those
filters specific to that entry will be available.
Log views are drillable, and will add filters as column entries are drilled. Click on an entry of
interest to add a filter and further constrain the information displayed.
In the Log Analyzer, click on the + to add a filter, and select the Interface filter. Type in X0 to
specify the default interface as the filter value. Click on the Go button.
Notice that some entries are flagged in yellow, indicating that these are Alerts. The Priority filter
can sort the entries according to the level of priority: Alert, Critical, Debug, Emergency, Error,
Info, Notice, or Warning.
To view only the Alerts, click on the + button and select Priority. Choose Alert from the
pull-down list.
Click the Go button to filter the log on the additional criteria. It will now display only those
instances on the X0 interface having an Alert status.
This will allow you to begin debugging, or further investigate use of the database.
More information can also be found by using Universal Scheduled Reports.
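The Log Analyzer walkthrough above (Interface = X0, then Priority = Alert), as an added Python example that is not part of GMS or this guide: it parses constructed key=value syslog lines, applies a Syslog Exclusion Filter, the colour keys listed earlier in this chapter, the LIKE-style `*` user wildcard, and the PDF/Excel row caps. The field names `pri`, `usr`, `src`, `dst` and the ip:port:interface endpoint layout are assumptions modelled on syslog, not documented GMS output.

```python
"""Filter SonicWALL-style syslog records the way the GMS Log Analyzer view
does. Added example, not GMS code: the key=value layout below is a
constructed simplification (assumed field names: pri, usr, src, dst)."""
import re
from fnmatch import fnmatchcase

# Syslog severities in numeric order: pri=0 is Emergency, pri=7 is Debug.
PRIORITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Info", "Debug"]
# Colour keys as the guide lists them; every other priority is White.
PRIORITY_COLOR = {"Alert": "Yellow", "Critical": "Red", "Emergency": "Red"}
# Row caps the guide gives for saved logs.
EXPORT_ROW_LIMIT = {"PDF": 2500, "Excel": 10000}

# Constructed sample lines (placeholder serial number, RFC 5737 test addresses).
SAMPLE_LOG = """\
id=firewall sn=PLACEHOLDER pri=6 m=98 msg="Connection Opened" usr="alice" src=10.0.0.5:51514:X0 dst=198.51.100.10:443:X1
id=firewall sn=PLACEHOLDER pri=1 m=82 msg="Possible port scan detected" usr="" src=203.0.113.7:4444:X1 dst=10.0.0.5:22:X0
id=firewall sn=PLACEHOLDER pri=1 m=608 msg="IPS Detection Alert" usr="bob" src=10.0.0.9:40022:X0 dst=198.51.100.2:80:X1
id=firewall sn=PLACEHOLDER pri=2 m=1 msg="Critical error" usr="" src=10.0.0.1:0:X0 dst=0.0.0.0:0:X0
id=firewall sn=PLACEHOLDER pri=6 m=98 msg="Connection Opened" usr="alice-admin" src=10.0.0.12:5000:X2 dst=10.0.1.1:389:X0
"""

# key=value pairs; values are either double-quoted or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_endpoint(value):
    """'10.0.0.5:51514:X0' -> ('10.0.0.5', '51514', 'X0'); missing parts become ''."""
    parts = value.split(":")
    parts += [""] * (3 - len(parts))
    return tuple(parts[:3])


def parse_line(line):
    """Turn one key=value line into a dict with derived priority and interface
    fields. Returns None for lines that carry no valid pri field."""
    entry = {key: val.strip('"') for key, val in KV_RE.findall(line)}
    pri = entry.get("pri", "")
    if not pri.isdigit() or int(pri) > 7:
        return None
    entry["priority"] = PRIORITY_NAMES[int(pri)]
    entry["color"] = PRIORITY_COLOR.get(entry["priority"], "White")
    for side in ("src", "dst"):
        ip, port, iface = split_endpoint(entry.get(side, ""))
        entry[side + "_ip"] = ip
        entry[side + "_port"] = port
        entry[side + "_iface"] = iface
    return entry


def parse_log(text):
    """Parse every non-empty line, skipping lines that are not log records."""
    records = (parse_line(line) for line in text.splitlines() if line.strip())
    return [rec for rec in records if rec is not None]


def apply_exclusions(entries, exclusions):
    """Syslog Exclusion Filter: drop any record where one of the (field, value)
    pairs matches, before the record reaches the report views."""
    return [e for e in entries
            if not any(e.get(field) == value for field, value in exclusions)]


def filter_entries(entries, interface=None, priority=None, user_like=None):
    """Filter Bar semantics: Interface matches either end of the connection
    (an assumption; the guide also offers separate Src/DST Interface filters),
    Priority is an exact match, and User accepts LIKE-style '*' wildcards."""
    kept = []
    for e in entries:
        if interface and interface not in (e["src_iface"], e["dst_iface"]):
            continue
        if priority and e["priority"] != priority:
            continue
        if user_like is not None and not fnmatchcase(e.get("usr", ""), user_like):
            continue
        kept.append(e)
    return kept


def export_rows(entries, fmt):
    """Apply the saved-log row cap for the chosen format ('PDF' or 'Excel')."""
    return entries[:EXPORT_ROW_LIMIT[fmt]]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    # Same view as the walkthrough: Interface = X0, then Priority = Alert.
    for rec in filter_entries(records, interface="X0", priority="Alert"):
        print(f'[{rec["color"]:6}] {rec["priority"]:9} '
              f'{rec["src_ip"]}:{rec["src_iface"]} -> '
              f'{rec["dst_ip"]}:{rec["dst_iface"]}  {rec["msg"]}')
```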
Step 2
Step 3
Expand the Status tree and click Up-Time Summary. The Up-Time Summary page displays.
The bar graph displays the amount of time the SonicWALL appliance(s) were online and
functional during each hour of the day.
The Report contains the following information:
Up Time: number of minutes during the hour that the SonicWALL appliance was Up.
Down Time: number of minutes during the hour that the SonicWALL appliance was Down.
Step 4
Up Time %: percentage of time the SonicWALL appliance was Up over the hour.
By default, the GMS Reporting Module shows yesterday's report. To change the date of the
report and other settings, click the date field to access the pull-down calendar, or click the
backward arrow to page further back in time, on a day-by-day basis.
Configuration Settings
Configuration settings allow you to set up certain parameters for how data is displayed in
Reports. You can set up currency cost per Megabyte for the Summarizer, or add filters for the
Log Analyzer reports.
Step 2
Select the currency of the desired country and the cost per MB.
Step 3
Click Update. The cost will be immediately reflected on the Data Usage page.
The Syslog Exclusion Filter page comes up. This page allows you to view what filters are
currently applied, add filters, or remove filters.
Step 2
To configure and add an Exclusion Filter, click Add Filter. The Add Filter menu comes up.
Step 3
Specify the field you want to modify, and select an operator and value. Click Update.
The Reports will now be filtered according to the selected criteria. Exclusion Filter settings are
picked up by the Summarizer at specified regular intervals.
Alerts
The Events entry on the Reports tab allows you to configure and view alerts specific to
Reporting for the unit selected, through the Alert Settings and Current Alerts items.
You can follow specific alerts. For more information, refer to the Using Granular Event
Management section on page 824.
Step 1
Step 2
You can also add an alert. Click Add Alert on the Alerts menu. The resulting pop-up menu
allows you to specify the type of data you want to track, how often to poll for data, and whether
it is visible to only administrators or to non-administrators as well.
Alert Types are pre-defined, static parameters and are not customizable. Available categories
are:
Alert Type
Description
Step 3
Note
Events/Hits (Daily)
Select the Alert Type and click on Edit Content to edit threshold values. A popup menu will
come up. You can choose from the preset Threshold values or create a new threshold value by
clicking the icon to the right of the Threshold banner. Only one new threshold can be created
at a time. For more information on thresholds, see the Configuring Event Thresholds section
on page 829.
Threshold values may not be available for all Alert types. If this is the case, the Edit Content
field will not be present.
Step 4
Alerts can be emailed to you or a specified destination on a regular schedule. You can specify
up to 5 destinations. Click Add Destination to enable and select from the pull-downs of
destination and schedule entries.
Step 5
For more information on configuring Destinations, refer to the Destination / Schedule section
on page 838.
Step 6
Click Update when you have finished configuring the Alert. It will be added to the list of Alerts
on the menu.
You can view any currently-configured alerts by clicking Alerts > Current Alerts. A display of the
current Alerts will come up.
The listing will show the severity level of the Alert, the unit it applies to, and a description.
Additional details can be obtained by hovering over the balloon on the right side of the column.
Custom Reports
You can configure a report with customized filters, then save it for later viewing and analysis.
Saving a Report allows you to view it later, by loading it through the Custom Reports interface.
Custom Reports can either be saved directly, or configured through Universal Scheduled
Reports. You can either load the report through the Custom Report pull-down on the Search
Bar, or click Reports > Custom and choose from the list of saved Custom reports.
Regularly scheduled Custom Reports can be configured through the Universal Scheduled
Reports interface, accessible through the Custom Reports icon in the upper right corner. These
reports can be set up to be emailed to you on a regular schedule.
Custom Reports are available at the unit level for all appliances visible on the Firewall tab. The
Log Analyzer must be enabled for the appliance.
The Manage Reports screen (Custom Reports > Manage Reports) allows you to view what
Custom Reports are available and delete reports from the system.
For more information on configuring and scheduling custom Reports refer to the Universal
Scheduled Reports section.
CHAPTER 6
Viewing SRA Reports
This chapter describes how to view SonicWALL Global Management System (GMS) Secure
Remote Access Reports. SRA reporting includes reports for the Web Access Firewall (WAF)
and summarization for SRA appliances using Secure Remote Access (SRA).
This chapter contains the following sections:
After reading the GMS SRA Reporting Overview section, you will understand the main steps to
be taken in order to create and customize reports successfully.
SRA Detail Level Reports can track events to the minute or second of the day for forensics
and troubleshooting
Report search
Scheduled reports
SRA Reporting supports scheduled reports to be sent on a daily, weekly, or monthly basis to
any specified email address.
2.
3.
WAF
Connections
User Activity
Access Method
Authentication
User login: authenticated user logins by time and IP protocol. User Login reports
combine admin users with all other users in the same report.
WAF
Connections
Timeline: a summary of offloaded connections under the group node per SRA
appliance, listed for one day.
Up/Down
Analyzers
Log Analyzer Filter: applies filters to the system logs uploaded to the reporting
database
Note
You can use the Date Selector to select reports covering other intervals than those listed
here.
Step 2
Step 3
Expand the Data Usage, WAF, or Connections tree and click Summary. The Summary page
displays.
For more information, click on an individual appliance in the TreeControl menu. More settings,
as well as more detailed information, are available at the Unit View level.
Step 2
Step 3
Expand the Data Usage entry and click Timeline to display the Report.
Step 4
The graph displays the number of connections to the selected SRA appliance during the
desired interval. The current 24 hours is displayed by default.
Step 5
To change the interval of the report, use the left arrow to click back a day at a time, or click on
the Time Bar to access the Interval menu pull-down calendar.
Step 6
After selecting a date, click Search. The GMS Reporting Module displays the report for the
selected day.
Note
The date setting will stay in effect for all similar reports during your active login
session.
Step 2
Step 3
Expand the Data Usage tree and click Users. The Top Users page displays.
Step 4
The pie chart displays the percentage of connections used by each user.
The table contains the following information for all users:
By default, the GMS Reporting Module shows yesterday's report, a pie chart for the top six
users, and a table for all users. To change the date of the report, click the Start field to access
the pull-down calendar.
Step 5
Note
This report allows you to drill down by user. Clicking on a user in either the chart or
grid view will take you to the Log Analyzer.
Step 2
Step 3
Click on User Activity > Details to bring up the User Activity Analyzer. The User Activity
Analyzer generates a Detail report based on the user name.
If no user activity reports were saved, only the Filter Bar will display, with the User filter
pre-selected. You can enter a specific user name, or use the LIKE operator wildcards (*) to
match multiple names.
Step 4
Enter the name of the user into the field and click the Go (arrow) button to generate the report.
The customized User Activity Details report will display a timeline of events, Initiators,
Responders, Services, Applications, Sites visited, Blocked site access attempted, VPN access
policy in use, user authentication, Intrusions, Initiator Countries, and Responder Countries
associated with that particular user.
Data for a particular user may not be available for all of these categories.
Step 2
Step 3
Expand the Access Method tree and click Summary. The Access Method Summary page
appears.
Step 4
Click on a section of the pie chart to obtain more details, or hover the mouse over an item on
the Protocol column and right click Add Filter to narrow the results to a particular access
protocol. The results will display in the Log Analyzer report.
Step 2
Step 3
Expand the Access Method tree and click Users. The Top Users report appears.
In the chart view, you can click on either the pie chart or user list to obtain more information
from the Log Analyzer. Results will be filtered by user, and the setting added to the filter bar.
Alternatively, you can hover your mouse over a user in the User column of the grid view, then
right click to filter results. For full details on that user, drill down by clicking on the user name
in the column.
Step 2
Step 3
Expand the Authentication tree and click User Login. The Authenticated User Login report
appears.
Note
Timeline
Threats Detected
Threats Prevented
Apps Detected
Apps Prevented
Users Detected
Users Prevented
Clicking on hyperlinks in these reports takes you to the Log Analyzer view, for more details.
To view reports:
Step 1
Click on the SRA tab and either GlobalView for the group or by individual appliance in the
TreeControl view on the left tab of the interface.
Step 2
Step 3
Select the WAF entry to expand it and click on the Report you want to view.
Step 2
Step 3
The Timeline displays the unit level summary report containing Offloaded Connections
information for an individual SRA system.
Step 1
Step 2
Step 3
Step 4
The Top Threats Detected screen shows the top threats detected by the firewall, and gives
details on the Threat Signature, Threat Classification, Threat Severity, in addition to total
threats detected.
Step 2
Step 3
Step 4
Step 2
Step 3
Step 4
Step 1
Step 2
Step 3
Step 4
The Top Applications Prevented report lists the applications with the most threats prevented
by the Web Application Firewall. It displays the Application IP, the URI, and the preventions,
in order of the number of threats prevented by the firewall.
Step 2
Step 3
Step 4
Click WAF > Users Detected. The Top Users page displays.
Step 5
The pie chart displays the VPN connections for the top VPN users.
Step 6
By default, the GMS Reporting Module shows yesterday's report, a pie chart, and the ten top
users. To change the date of the report, use the Search Bar and click the Start or End field to
access the pull-down calendar, or click More Options for report display settings.
Step 2
Step 3
Step 4
Step 2
Step 3
Step 4
Step 2
Step 3
Step 4
The report displays the IP address of the application, the URI, and how many connections were
established. The report is drillable on the application IP address to obtain the Log Analyzer
report.
Step 2
Step 3
Step 4
The report will drill down to the Top Applications, filtered by User Name.
Note
Click Load Custom Report and select from the pull-down list of saved Custom reports.
The Log Analyzer entries display raw log information for every connection. Depending on
the amount of traffic, this can quickly consume a large amount of space in the database. It
is highly recommended to be careful when choosing the number of days of information that
will be stored. For more information, see Configuring SRA Scheduled Reports on
page 140 and Universal Scheduled Reports.
You can also click on the print icon to save a log to PDF or Excel format.
Note
Saved system logs are limited in the number of rows that will be saved. If saving to PDF, a
maximum of 2500 rows will be saved. If saving to Excel, a maximum of 10,000 rows will be
saved.
Step 2
Step 3
Expand the Analyzer tree and click on Log Analyzer. The saved Log report page displays.
The Syslog Exclusion Filter page comes up. This page allows you to view filters currently
applied, add filters, or remove filters.
Step 2
To configure and add a filter, click Add Filter. The Add Filter menu comes up.
Step 3
Specify the field you want to modify, and select an operator and value. Click Update.
Alerts
The Events entry on the Reports tab allows you to configure and view alerts specific to
Reporting for the unit selected, through the Alert Settings and Current Alerts items.
You can follow specific alerts. For more information, refer to CHAPTER 45, Granular Event
Management.
Step 1
The Alerts menu comes up. You can use this menu to search for Alerts by name or type, either
by exact match or matching strings. Click Search to find an Alert of interest.
Step 2
You can also add an alert. Click Add Alert on the Alerts menu. The resulting pop-up menu
allows you to specify the type of data you want to track, how often to poll for data, and whether
it is visible to only administrators or to non-administrators as well.
Alert Types are pre-defined, static parameters and are not customizable. Available Alert types
for SRA are:
Alert Type
Description
Step 3
Note
Select the Alert Type and click on Edit Content to edit threshold values. A popup menu will
come up. You can choose from the preset Threshold values or create a new threshold value by
clicking the icon to the right of the Threshold banner. Only one new threshold can be created
at a time. For more information on thresholds, see the Configuring Event Thresholds section
on page 829.
Threshold values may not be available for all Alert types. If this is the case, the Edit Content
field will not be present.
Step 4
Alerts can be emailed to you or a specified destination on a regular schedule. You can specify
up to 5 destinations. Click Add Destination to enable and select from the pull-downs of
destination and schedule entries.
Step 5
Click Update when you have finished configuring the Alert. It will be added to the list of Alerts
on the menu.
Custom Reports
You can configure a report with customized filters, then save it for later viewing and analysis.
Saving a Report allows you to view it later, by loading it through the Custom Reports interface.
Custom Reports can either be saved directly, or configured through the Universal Scheduled
Reports. You can either load the report through the Custom Report pull-down on the Search
Bar, or click Reports > Custom and choose from the list of saved Custom reports.
Custom Reports are available at the unit level for all appliances visible on the SRA tab. The Log
Analyzer must be enabled for the appliance.
The Manage Reports screen (Custom Reports > Manage Reports) allows you to view what
Custom Reports are available and delete reports from the system.
For more information on Custom Reports, refer to the Custom Reports section on page 135.
CHAPTER 7
Viewing CDP Reports
This chapter describes how to generate and view Continuous Data Protection (CDP) Reports
on the SonicWALL Global Management System (GMS). CDP is a secure backup solution that
runs continuously, backing up data from assigned agents, such as servers, laptops, and PCs.
This chapter contains the following sections:
After reading the SonicWALL GMS CDP Reporting Overview section, you will understand the
main steps to be taken in order to create and customize reports successfully.
The Filter Bar provides an intuitive, responsive interface for customizing the CDP report layout
and configuring content filtering to focus on specific times and/or details. Hyperlinks allow
access to additional reports data, by clicking on column entries to drill down to the desired detail
view. By using these functions, you can:
Track events to the minute or second of the day for forensics and troubleshooting
2.
3.
Backup Details
Up/Down
Timeline: Up and down time for one day, listed by hour (default)
Drilling down through the Group Level Capacity Summary report by appliance takes you to the
Unit Level Summary Report. By drilling down through hypertext links in the Summary, you
access the Detail-level reports.
Click Backup Activity > Backup Details to go directly to the Detail report.
For more information on how to navigate through the Reports, refer to Navigating
SonicWALL GMS Reporting on page 85.
Step 1
Step 2
Click the Reports tab on the top of the screen. By default, the global capacity report comes up.
The report includes the used and free quotas of the capacity for each appliance, as well as what
percentage of that capacity is free.
Step 3
To view the Capacity Summary for an individual unit, click on the unit in the TreeControl panel.
A detailed view of the agents and quotas for the unit comes up.
Click the agent name to add a filter and obtain a Detail view of backup information.
Step 2
Step 3
Step 4
Drilling down takes you to the Detail level report, listing the backed up appliance and listing its
backed up files and folders. The Detail report also provides status on whether the backup
operation was successful. You can shortcut to an unfiltered version of the Detail report by
clicking Backup Details.
Step 2
Step 3
Step 4
Drilling down takes you to the Detail level report, listing the backed up appliance and its files
and folders.
Step 2
Step 3
Step 4
If desired, the Detail view of backup activity can be saved. It will then appear under Custom
Reports, and in the Manage Reports list.
For more information on Custom reports, refer to Custom Reports section on page 107.
Step 1
Step 2
Step 3
Step 4
You can save the User Backup Report as a Custom report, for later viewing. For more information on Custom
reports, refer to the Custom Reports section on page 107.
Viewing Uptime/Downtime
Timelines provide an overview of whether a device or group of devices is online. This can be
useful in determining whether a backup operation failed or did not take place because the device
was unavailable. You can view the total uptime and downtime for a specific appliance, allowing you
to determine when an appliance was online and the percentage of time it was in service.
Step 1
Step 2
Step 3
CHAPTER 8
Introduction to Policy Management
This chapter describes how to use SonicWALL GMS to configure policies on the full range of
SonicWALL platforms.
This chapter includes the following sections:
SRA Panel: For management and reporting on SonicWALL SRA and Aventail appliances.
The policy panels are used to configure SonicWALL appliances. From these pages, you can
apply settings to all SonicWALL appliances being managed by SonicWALL GMS, all
SonicWALL appliances within a group, or individual SonicWALL appliances.
System
This chapter covers a variety of SonicWALL firewall appliance controls for managing system
status information, registering the SonicWALL firewall appliance, activating and managing
SonicWALL Security Services licenses, configuring SonicWALL firewall appliance local and
remote management options, managing firmware versions and preferences, and using the included
diagnostic tools for troubleshooting.
This chapter describes how to use SonicWALL GMS to configure general System Policy
settings on managed SonicWALL appliances. The following sections describe how to configure
the system settings:
Time: Describes how to change the time and time options for one or more SonicWALL
appliances. Refer to the Configuring Time Settings section on page 187.
Licensed Nodes (Unit-level view only): Provides a Node License Status table listing the
number of nodes your SonicWALL security appliance is licensed to have connected at any
one time, how many nodes are currently connected, and how many nodes you have in your
Node License Exclusion List. Refer to the Viewing Licensed Node Status section on
page 188.
Administrator: Describes how to change the administrator and password options for one
or more SonicWALL appliances. Refer to the Configuring Administrator Settings section
on page 189.
Schedules: Describes how to create and configure schedule groups, which are used to
apply firewall rules on specific days and hours of the week. Refer to the Configuring
Schedules section on page 198.
Network
This chapter covers configuring the SonicWALL firewall appliance for your network
environment. This chapter describes how to configure network settings for SonicWALL
appliances. It is divided into sections for SonicWALL security appliances running SonicOS
Enhanced and SonicOS Standard.
Firewall
This chapter describes access rules, a set of application-specific policies that give you
granular control over network traffic at the level of users, email users, schedules, and
IP subnets. The primary functionality of this application-layer access control feature is to
regulate Web browsing, file transfer, email, and email attachments. The Firewall settings in
SonicWALL GMS are different for SonicWALL security appliances running SonicOS Enhanced
and Standard. The following sections describe how to configure Firewall settings for each of the
operating systems:
Log
This chapter covers managing the SonicWALL firewall appliance's enhanced logging, alerting,
and reporting features. The SonicWALL firewall appliance's logging features provide a
comprehensive set of log categories for monitoring security and network activities. This chapter
describes how to use SonicWALL GMS to configure where the SonicWALL appliance(s) send
their logs, how often the logs are sent, and what information is included.
This chapter includes the following sections:
Diagnostics
SonicWALL appliances store information about all devices with which they have
communicated. When you generate diagnostic information, only one report can be generated
at a time and the information is only maintained during the current session. For example, if you
run a firewall log report and then log off or generate another report, the firewall log report data
will be lost until you run the report again.
This chapter includes the following sections:
Website Blocking
This chapter describes how to use SonicWALL GMS to configure website blocking options for
one or more SonicWALL appliances. This functionality can be used to deny access to material
supplied by the active content filtering subscription, specific domains, domains by keyword, and
Web features such as ActiveX, Java, and cookies.
This chapter includes the following sections:
DHCP
This chapter describes how to use SonicWALL GMS to configure SonicWALL appliances as
DHCP servers. Dynamic Host Configuration Protocol (DHCP) enables network administrators to
automate the assignment of IP addresses from a centralized DHCP server. This conserves IP
addresses and makes it easy for mobile users to move among different segments of the network
without having to manually enter new IP addresses.
This chapter includes the following sections:
Users
This chapter covers how to configure the SonicWALL firewall appliances for user level
authentication as well as manage guest services. This chapter describes how to use the
SonicWALL GMS to configure user and user access settings. Included in this chapter are the
following sections:
App Control
This chapter describes how to configure App Control policies for SonicWALL firewall appliances
from SonicWALL GMS. This chapter includes the following sections:
Anti-Spam
This chapter provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and
anti-virus capabilities to your SonicWALL firewall appliance. There are two primary ways
inbound messages are analyzed by the Anti-Spam feature - Advanced IP Reputation
Management and Cloud-based Advanced Content Management. IP Address Reputation uses
the GRID Network to identify the IP addresses of known spammers, and reject any mail from
those senders without even allowing a connection. GRID Network Sender IP Reputation
Management checks the IP address of incoming connecting requests against a series of lists
and statistics to ensure that the connection has a probability of delivering valuable email. The
lists are compiled using the collaborative intelligence of the SonicWALL GRID Network. Known
spammers are prevented from connecting to the SonicWALL firewall appliance, and their junk
email payloads never consume system resources on the targeted systems.
SonicWALL GMS 7.0 Administrators Guide
VPN
This chapter covers how to create VPN policies on the SonicWALL firewall appliance to support
SonicWALL Global VPN Clients as well as creating site-to-site VPN policies for connecting
remote offices running SonicWALL firewall appliances. A VPN is a private data network that
uses encryption technologies to operate over public networks. This chapter contains the
following sections:
SSL VPN
This chapter provides information on how to configure the SRA features on the SonicWALL
SRA appliances. SonicWALL's SRA features provide secure, seamless, remote access to
resources on your local network using the NetExtender client.
This chapter contains the following sections:
DPI-SSL
This chapter describes the Deep Packet Inspection Secure Socket Layer (DPI-SSL) feature to
allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. Client DPI-SSL is
used to inspect HTTPS traffic when clients on the SonicWALL firewall appliance's LAN access content located on the WAN. Server DPI-SSL is used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the SonicWALL firewall appliance's LAN.
This chapter contains the following subsections:
Security Services
High Availability
This chapter describes how to use SonicWALL GMS to configure High Availability, which allows
the administrator to specify a primary and secondary SonicWALL appliance. If the connection to the primary device fails, connectivity will transfer to the backup device.
In addition, SonicWALL GMS can utilize the same device pairing technology to implement
different forms of load balancing. Load balancing helps regulate the flow of network traffic by
splitting that traffic between primary and secondary SonicWALL devices. This chapter includes
the following sections:
SonicPoints
This chapter describes how to configure SonicPoint managed secure wireless access points.
This chapter includes the following sections:
Wireless
This chapter describes how to configure wireless connectivity options for wireless SonicWALL
appliances. Included in this chapter are the following sections:
WGS
This chapter describes how to configure Wireless Guest Services (WGS) enabled appliances
running SonicOS Standard. For appliances running SonicOS Standard, these configuration
options are available at the unit level. Wireless Guest Services allows the administrator to configure wireless access points for guest access. It can be configured with optional custom login pages and user accounts, and is compatible with several different authentication methods, including those that require external authentication. Included in this chapter are the following sections:
Denying Access to Networks with the IP Deny List section on page 608
Modem
This chapter describes how to configure the dialup settings for SonicWALL SmartPath (SP) and
SmartPath ISDN (SPi) appliances. SonicWALL SP appliances have a WAN Failover feature
that enables automatic use of a built-in modem to establish Internet connectivity when the
primary broadband connection becomes unavailable. This is ideal when the SonicWALL
appliance must remain connected to the Internet, regardless of network speed.
This chapter contains the following subsections:
WWAN
This chapter describes how to configure the Wireless Wide Area Network (WWAN) settings for
SonicWALL security appliances that use 3G and other Wireless WAN functionality to utilize
data connections over cellular networks.
This chapter contains the following subsections:
Web Filters
Application Filters
This chapter provides configuration tasks for deploying SonicWALL CSM application filtering
services. SonicWALL Content Security Manager (CSM) provides appliance-based application
filtering that enhances security and employee productivity and optimizes network utilization.
This chapter contains the Configuring Application Filter Settings section on page 639.
Register/Upgrades
This chapter describes how to register and upgrade your SonicWALL firewall appliances. This
chapter contains the following subsections:
Events
This section provides an introduction to the SonicOS Event Alerts feature. This chapter
contains the Adding Alerts section on page 651.
General
The General > Status section provides the current status of the SRA appliance and allows
for an instant update of appliance information using the Fetch Information button.
The General > Tools section provides the following options: Restart Appliance,
Synchronize Now, Synchronize the Appliance with mysonicwall.com.
Note
The Restart Appliance option is not available for SonicWALL Aventail SRA
appliances.
The General > Info section provides the ability to update the contact information for the
SRA appliance.
Register/Upgrades
The Register/Upgrades > Register screen provides the ability to register CDP appliances
with your mysonicwall.com account.
Note
Events
The Events > Alerts screen allows you to add, edit, or delete a Unit Status alert for
managed CDP appliances.
The Events > Current Alerts screen displays all active alerts for this appliance.
Preparing SRA Appliances for SonicWALL GMS Management section on page 657
The General > Status window displays information about all CDP devices in the current GMS deployment when in the global view.
When an individual appliance is selected, the status window displays information about
The General > Info screen allows you to edit CDP appliance information on a global or unit
level.
The General > Tools section provides options to synchronize both the static and dynamic
information.
Register/Upgrades
The Register/Upgrades > Register screen provides the ability to register CDP appliances
with your mysonicwall.com account.
Events
The Events > Alerts screen allows you to add, edit, or delete a Unit Status alert for
managed CDP appliances.
The Events > Current Alerts screen displays all active alerts for this appliance.
General
The General > Status window displays both general deployment status, as well as individual appliance status for Email Security appliances.
The General > Tools section provides options to force your SonicWALL ES appliance to
synchronize its license and subscription information with mySonicWALL.com immediately.
The General > Info screen allows you to edit Email Security appliance information on a global
or unit level.
Register/Upgrades
The Register/Upgrades > Register ESA screen provides the ability to register CDP
appliances with your mysonicwall.com account.
Events
The Events > Alerts screen allows you to add, edit, or delete a Unit Status alert for
managed ES appliances.
The Events > Current Alerts screen displays all active alerts for this appliance.
CHAPTER 9
Configuring Firewall System Settings
Viewing System Status
The System Status page provides a comprehensive collection of information to help you
manage your SonicWALL security appliances and SonicWALL Security Services licenses. In
the global view mode, it provides a summary of all of the devices that are managed by the
SonicWALL GMS, including the number of appliances, whether the appliances are up or down,
and the number of security services subscriptions.
To view a summary of all devices managed by the GMS, click the Change View icon at the top left and select GlobalView. Expand the System tree in the middle panel, and click on Status. The Status page displays.
At the individual appliance level, the Status page provides more details such as the serial
number, firmware version, and information on management, reporting, and security service
subscriptions.
To view a summary of the status of an individual appliance, select the appliance in the left pane,
and then click System > Status in the navigation pane. The Status page displays.
If tasks are pending for the selected unit, GMS provides a hyperlink that takes the user to the
Tasks Screen for that unit. Also in System > Status, GMS displays the Last Log Entry for the
unit with a hyperlink that takes the user to the unit Logs screen. The links are only provided if
the user actually has permissions to access those screens on the Console panel.
In the Subscription section header, GMS provides a click here link that displays your current
subscription details on the Register/Upgrades > Search screen. The search parameters are
pre-populated for retrieving the subscription services that are currently active on the
appliance(s) and the search is executed and the results are sorted by Expiry Date for your
convenience.
This page provides a PDF icon that you can click to get a PDF file containing the same content
as the Web page.
At the bottom of the status screen, GMS provides a way to retrieve dynamic information about
the selected appliance, and also provides a link to the GMS Getting Started Guide.
You can click the Fetch Information link to view the following dynamic information:
Last Modified Time and the user who last modified the appliance
Modem speed and active profile used (only for dial-up appliances)
You can retrieve this information by clicking the Fetch Information button at the global, group, or unit level. The actual results, however, are displayed only at the unit level.
To view the SonicWALL GMS Getting Started Guide, click the Open Getting Started
Instructions In New Window button.
1. Expand the System tree and click Time. The Time page displays.
2. Select the Time Zone of the appliance(s) from the Time Zone field.
3. To configure the SonicWALL(s) to automatically adjust their clocks for Daylight Savings Time, select the Automatically Adjust Clock for Daylight Savings Changes check box.
4.
5. To configure the SonicWALL(s) to display the time in the international time format, select the Display Time in International Format check box.
6. To configure the SonicWALL(s) to automatically set the local time using Network Time Protocol (NTP), select the Use NTP to set time automatically check box.
7. When you are finished, click Update. A task gets scheduled to apply the new settings for each selected appliance.
8. If you don't want to use the SonicWALL appliance's internal NTP list, you can add your own NTP list. To add an NTP server, enter the IP address of an NTP server in the Add NTP Server field. A task gets scheduled to add the NTP server to each selected SonicWALL appliance.
Note
9. To add additional NTP servers, click Add and enter another NTP server.
Note
If you are not using NTP for the appliance, then GMS configures the time of the appliance to be identical to the time of the GMS Agent pushing the configuration to the appliance (after adjusting for any time zone differences).
1. Expand the System tree and click on Licensed Nodes. The Licensed Nodes page displays.
2. To update the licensed node information, click on Request Licensed Node Information from the appliance. The Currently Licensed Nodes table lists details on each node connected to your security appliance. Above the table, GMS displays how many nodes the appliance is licensed for.
When you exclude a node, you block it from connecting to your network through the security appliance. Excluding a node creates an address object for that IP address and assigns it to the Node License Exclusion List address group. To exclude a node that is currently licensed, perform the following steps:
1. Click the configure icon in the Exclude column of the Currently Licensed Nodes table. Then click Ok on the warning message that displays.
2. To exclude a node that is not currently licensed, click on Add New Node For Exclusion. The Add License Exclusion Node window displays.
3.
4. Optionally, you can enter a comment about the node in the Comment field.
5. Click Update.
In SonicOS Enhanced, you can manage the License Exclusion List group and address
objects in the Network > Address Objects page of the management interface. On the
Address Objects page, scroll down to the Node License Exclusion List row and click the
configure icon. Refer to the Configuring Address Objects section on page 232 for instructions
on managing address objects.
1. Expand the System tree and click Administrator. The Administrator page displays.
2. Enter the login name for the administrator in the Administrator Login Name field.
3. Specify the maximum number of days after which a password expires and must be updated in the Password must be changed every (days) field.
4. Specify the number of previous passwords that are remembered and that a new password cannot match in the Bar repeated passwords for this many changes field.
5. Specify the minimum password length in the Enforce a minimum password length of field.
6. Select the level of password complexity from the Enforce Password Complexity pull-down list. You can select one of the following:
None
Require both alphanumeric and numeric characters
Require alphabetic, numeric and symbolic characters
7. Select the Administrators checkbox to apply these password constraints only to full and read-only administrators.
8. Select the Other full administrators checkbox to apply these password constraints to all administrators with local passwords.
9. Select the Limited administrators checkbox to apply these password constraints to all local users with limited administrator privileges.
10. Select the Other local users checkbox to apply these password constraints only to non-administrator users.
11. Specify how long the SonicWALL appliance(s) wait (in minutes) before logging out inactive
12. To lock out the SonicWALL appliance after user login failure, select the Enable user lockout on login failure check box. Then, specify the number of login failure attempts that must occur before the user is locked out in the Failed login attempts per minute before lockout field and how long the user will be locked out in the Lockout Period field.
13. For On preemption by another administrator:, select one of the following actions to take
mode
new SonicWALL password. Then, enter the SonicWALL GMS password and click Change Password. The password is changed.
If you are configuring a SonicWALL appliance at the group or global level, enter the SonicWALL GMS password and click Change Password. Each SonicWALL appliance will receive a unique randomly generated password. This unique password is encrypted and recorded in the SonicWALL GMS database.
At the non-unit level, passwords can be configured in two ways:
GMS can assign random passwords to the appliances (recommended for security purposes).
The user can specify a specific password which will be assigned to all the appliances in the node (not recommended).
To have GMS assign random passwords, leave the New SonicWALL Password and Confirm New SonicWALL Password fields empty.
Note
15. When you are finished, click Update. A task gets spooled and once it is executed successfully, the settings are updated for the selected SonicWALL appliances.
16. To clear all screen settings and start over, click Reset.
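The password constraints in steps 3 to 6 and the lockout rule in step 12 can be modelled and tested outside the appliance. The following Python is an added example, not code from this guide or from GMS; the class and method names, the rule labels, the sample passwords and the plain-text password history are assumptions made for illustration.

```python
import string
from dataclasses import dataclass, field

# Complexity levels as offered by the Enforce Password Complexity pull-down.
COMPLEXITY_NONE = "none"
COMPLEXITY_ALNUM = "alnum"            # letters and digits required
COMPLEXITY_SYMBOLS = "alnum+symbols"  # letters, digits and symbols required


@dataclass
class PasswordPolicy:
    """Mirror of the Administrator page password constraints (names assumed)."""
    min_length: int = 8         # Enforce a minimum password length of
    complexity: str = COMPLEXITY_SYMBOLS
    history_size: int = 5       # Bar repeated passwords for this many changes
    max_age_days: int = 90      # Password must be changed every (days)

    def violations(self, candidate, previous):
        """Return the rules a new password breaks (empty list = acceptable).

        previous: earlier passwords, oldest first. A real implementation
        compares salted hashes; plain strings are used here for illustration.
        """
        problems = []
        if len(candidate) < self.min_length:
            problems.append("length")
        has_alpha = any(c.isalpha() for c in candidate)
        has_digit = any(c.isdigit() for c in candidate)
        has_symbol = any(c in string.punctuation for c in candidate)
        if self.complexity in (COMPLEXITY_ALNUM, COMPLEXITY_SYMBOLS) and not (has_alpha and has_digit):
            problems.append("needs-letters-and-digits")
        if self.complexity == COMPLEXITY_SYMBOLS and not has_symbol:
            problems.append("needs-symbol")
        # history_size == 0 must not become previous[-0:], which is the whole list
        if self.history_size > 0 and candidate in previous[-self.history_size:]:
            problems.append("reused")
        return problems

    def is_expired(self, age_days):
        """True once a password has reached the configured maximum age."""
        return self.max_age_days > 0 and age_days >= self.max_age_days


@dataclass
class LoginLockout:
    """Count failed logins per user inside a one-minute window and lock the
    user out for lockout_minutes once the threshold is reached (step 12)."""
    attempts_per_minute: int = 5   # Failed login attempts per minute before lockout
    lockout_minutes: int = 5       # Lockout Period
    _failures: dict = field(default_factory=dict)      # user -> [failure times, seconds]
    _locked_until: dict = field(default_factory=dict)  # user -> unlock time, seconds

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Register a failed login at time `now` (seconds); return the lock state."""
        recent = [t for t in self._failures.get(user, []) if now - t < 60]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.attempts_per_minute:
            self._locked_until[user] = now + self.lockout_minutes * 60
            self._failures[user] = []
        return self.is_locked(user, now)

    def record_success(self, user):
        self._failures.pop(user, None)


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, history_size=3)
    print(policy.violations("Password123", []))   # ['needs-symbol']
    lockout = LoginLockout(attempts_per_minute=3, lockout_minutes=5)
    for t in (0, 10, 20):
        print("locked" if lockout.record_failure("admin", t) else "open")
```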
Note
1. Expand the System tree and click Tools. The Tools page displays.
2.
1. Expand the System tree and click Tools. The Tools page displays.
2.
3. To view the diagnostics, navigate to Diagnostics > Snapshot Status on the Console panel.
4. In the Diagnostics Requested pull-down list, select the diagnostics that you want to review.
5.
Inheriting Settings
On the Policies panel, in the System > Tools screen, you can apply inheritance filters at a global,
group, or appliance level. You can select an existing inheritance filter and customize which of its
rules are actually inherited. You can do this on the fly, without the need to create an entirely separate
filter.
For more information on inheritance, refer to the Configuring Inheritance Filters section on
page 759.
To apply the inheritance filters, perform the following steps:
1. Expand the System tree and click Tools. The Tools page displays.
2. Select the appropriate radio button for either forward or reverse inheritance. Use the Filter drop-down menu to select the desired filter to apply. Click the Preview button to proceed to the Preview of Inheritance Settings window.
Note
When configuring forward inheritance at the group level, all selected settings are pushed to all units in the group.
3. Review the settings to be inherited. Users may continue with all of the default screens selected for inheritance or select only specific screens for inheritance by checking boxes next to the desired settings.
Note
The Preview panel footer states, "All referring objects should also be selected as part of the settings picked, to avoid any dependency errors while inheriting." If the user deselects dependent screen data, the settings will not inherit properly.
4. If the user is attempting forward inheritance, they may click Update to proceed. If the user is attempting to reverse inherit settings, an additional selection must be made at the bottom of the Preview panel. The user must select either to update the chosen settings to only the target parent node, or to update the target parent node along with all unit nodes under it. Once the user makes this selection, they may click Update to proceed, or Reset to edit previous selections.
5. If the user selects to update the target parent node and all unit nodes, a Modify Task Description and Schedule panel opens in place of the Preview panel. (This panel will not appear if the user selects Update only target parent node.) If the Modify Task Description and Schedule panel opens, the user can edit the task description in the Description field. They may also adjust the schedule for inheritance, or continue with the default scheduling. If the user chooses to edit the timing by clicking on the arrow next to Schedule, a calendar expands allowing the user to click on a radio button for Immediate execution, or to select an alternate day and time for inheritance to occur.
6. Once the user has completed any edits, they select either Accept or Cancel to execute or cancel the scheduled inheritance, respectively.
Once the inheritance operation begins, a progress bar appears, along with text stating the operation may take a few minutes, depending on the volume of data to be inherited.
Once the inheritance operation is complete, the desired settings from the unit or group node should now be updated and reflected in the parent node's settings, as well as in the settings of all other units, if selected.
Note
For the Access/Services and Access/Rules pages, by default, inheriting group settings overwrites the values at the unit level with the group values. If you wish for SonicWALL GMS to append the group settings to the values at the unit level, you need to enable the Append Group Settings option on the General/GMS Settings page on the Console Panel.
For more information on inheritance, refer to the Managing Inheritance in SonicWALL GMS section on page 759.
1. Expand the System tree and click Tools. The Tools page displays.
2.
Synchronizing Appliances
If a change is made to the SonicWALL appliance through any means other than through GMS,
SonicWALL GMS will be notified of the change through the syslog data stream. You can
configure an alert through the Granular Event Management framework to send email notification
when a local administrator makes changes to a SonicWALL appliance through the local user
interface rather than through GMS. After the syslog notification is received, SonicWALL GMS will
schedule a task to synchronize its database with the local change. After the task successfully
executes, the current configuration (prefs) file is read from the SonicWALL appliance and
loaded into the database.
Note
1. Expand the System tree and click Tools. The Tools page displays.
2.
1. Expand the System tree and click Tools. The Tools page displays.
2.
Note
1. Click on the Console tab, expand the Management tree, and click on GMS Settings.
2. Select the check boxes for the Firewalls managed by this GMS do not have Internet Access and Upload latest signatures on subscription status change settings. Refer to the Configuring Management Settings section on page 775 for more information.
3. Click on the Policies tab, expand the System tree, and click Tools.
4. When there are updated signatures to upload, the Upload Signatures Now button is displayed. Click this button to manually upload the signatures.
The Upload Signatures Now button is displayed only when the GMS has downloaded updated signature files that are ready to be uploaded.
1. Expand the System tree and click Tools. The Tools page displays.
2.
physical addresses.
DHCP Bindings - Saves entries from the SonicWALL security appliance DHCP server.
IKE Info - Saves current information about active IKE configurations.
3. Click Email TechSupport Report. The requested reports are emailed to the administrator email address.
1. Expand the System tree and click Info. The Info page displays.
2.
3. After entering the street address, city, state, zip code, and country appliance contact information, click the Locate Geocode button. This will populate the GeoLocation field with the SonicWALL appliance latitude and longitude coordinates. Similarly, you can enter the latitude or longitude coordinates, and click the Locate Address button to populate the address information fields. The location information enables your SonicWALL appliance to display on the Dashboard Geographic Map. For more information on using the Dashboard Geographic Map to drag and drop the location of your unit, refer to the Using the Universal Dashboard section on page 43.
4. When you are finished, click Update. A task gets spooled and once it is executed successfully, the information is updated for the selected SonicWALL appliances.
5.
1. Expand the System tree and click Settings. The Settings page displays.
2. To save the settings of a SonicWALL appliance to the SonicWALL GMS database, enter a name for the settings in the Name field and click Store settings read from unit. Then, if you want to save these settings to a local file, click Save the settings to a local file. You can save multiple versions of settings for each SonicWALL appliance to the SonicWALL GMS database and to different local files.
3. To apply settings to the SonicWALL appliance directly from the SonicWALL GMS database, select the saved settings and click Restore the settings to the unit.
Note
The Restore the settings to the unit option is available only at the unit level, and not at the group and global levels. This option previously was available at the group and global levels. GMS now does not display the option at the group and global levels to minimize the risk of writing a non-compatible prefs file to an incorrect firmware version running on a SonicWALL appliance.
4. To store an external Prefs file into the database, enter the path to the file and click Store settings from local file. The Store settings from local file button is used to store the prefs file from the local hard disk into the GMS database so that it displays in the list box of the Settings page. Once stored in the database (when it will display in the list box), you can then click the Restore the settings to the unit button.
5. To automatically back up the preferences for the selected SonicWALL appliance, select the Enable Prefs File Backup check box and click Update.
Note
The backed up prefs file contains the configuration settings and the firmware version of the security appliance you are backing up.
6. Go to the Console > Management > GMS Settings page and update the values in the Automatically save prefs file section. This enables you to specify when and how frequently GMS backs up the prefs files.
7. If you want to automatically purge older backups, select the number of newer backup files you want to keep in the Number of newest Prefs Files to be preserved field. Enter 0 to prevent purging of older backups.
8. Set the value in the Missed Reports Threshold field to the number of heartbeat messages GMS can miss before considering the unit to be down.
GMS relies on special syslogs called heartbeat messages to determine if an appliance is up and running. By default, if GMS does not receive three successive heartbeat messages, it marks the appliance as down. You can customize this threshold to any number. If you set the value to 0, then GMS will not mark this node as down.
9. To delete settings from the SonicWALL GMS database, select the saved settings and click Delete the settings.
Configuring Schedules
You can configure schedule groups on the Policies panel, in System > Schedules. Schedule
Groups are groups of schedules to which you can apply firewall rules. For example, you might
want to block access to auction sites during business hours, but allow employees to access the
sites after hours.
You can apply rules to specific schedule times or all schedules within a Schedule Group. For
example, you might create an Engineering Work Hours group that runs from 11:00 AM to 9:00
PM, Monday through Friday and 12:00 PM to 5:00 PM, Saturday and Sunday. Once configured,
you can apply specific firewall rules to the entire Engineering Work Hours Schedule Group or
only to the weekday schedule.
Note
1. Expand the System tree and click Schedules. The Schedules page displays.
2.
3.
4. In the Schedule Type section, select if the schedule will occur Once, Recurring, or Mixed. The one-time and mixed schedule types are only available for systems running SonicOS Enhanced 5.5 and above.
5. For a schedule that occurs only once, select the year, month, date, hour, and minutes for the Start and End fields.
6. For recurring schedules, select the check boxes for each day the schedule will apply.
7. Enter the start time for the recurring schedule in the Start Time field. Make sure to use the 24-hour format.
8. Enter the end time for the recurring schedule in the Stop Time field. Make sure to use the 24-hour format.
9. Click Add.
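The Schedule Group and schedule types described in this section can be reproduced in a few lines to check when a schedule-bound rule is in effect. The following Python is an added example, not code from this guide or from GMS; it builds the Engineering Work Hours group from the text and assumes that Stop Time is exclusive, that a group is active whenever any member schedule is active, and the constructed rule list used at the end.

```python
from datetime import datetime

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")  # datetime.weekday() order


def at(text):
    """Helper for readable timestamps: 'YYYY-MM-DD HH:MM' -> datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_24h(text):
    """Parse 'HH:MM' in 24-hour format into minutes since midnight.

    Anything else (e.g. '9:00 PM' or '24:00') raises ValueError, matching the
    requirement that Start Time and Stop Time use the 24-hour format.
    """
    hh, mm = text.split(":")
    if len(hh) != 2 or len(mm) != 2 or not (hh + mm).isdigit():
        raise ValueError("expected HH:MM in 24-hour format: %r" % text)
    hours, minutes = int(hh), int(mm)
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError("time out of range: %r" % text)
    return hours * 60 + minutes


def is_valid_24h(text):
    try:
        parse_24h(text)
        return True
    except ValueError:
        return False


class RecurringSchedule:
    """Schedule Type: Recurring. Active on the selected days from Start Time
    up to (but not including) Stop Time."""

    def __init__(self, days, start, stop):
        self.days = {DAYS.index(d) for d in days}
        self.start, self.stop = parse_24h(start), parse_24h(stop)
        if self.stop <= self.start:
            raise ValueError("Stop Time must be after Start Time")

    def active(self, when):
        minute = when.hour * 60 + when.minute
        return when.weekday() in self.days and self.start <= minute < self.stop


class OnceSchedule:
    """Schedule Type: Once. A single Start/End window (SonicOS Enhanced 5.5+)."""

    def __init__(self, start, end):
        self.start, self.end = start, end

    def active(self, when):
        return self.start <= when < self.end


class ScheduleGroup:
    """A Schedule Group is active whenever any of its member schedules is active;
    mixing Once and Recurring members gives the Mixed type."""

    def __init__(self, name, schedules):
        self.name, self.schedules = name, list(schedules)

    def active(self, when):
        return any(s.active(when) for s in self.schedules)


def engineering_work_hours():
    """The group from the text: 11:00-21:00 Mon-Fri and 12:00-17:00 Sat-Sun."""
    weekdays = RecurringSchedule(("mon", "tue", "wed", "thu", "fri"), "11:00", "21:00")
    weekend = RecurringSchedule(("sat", "sun"), "12:00", "17:00")
    return ScheduleGroup("Engineering Work Hours", [weekdays, weekend])


def decide(rules, category, when, default="allow"):
    """First rule whose category matches and whose schedule is active wins.
    rules: list of (action, category, schedule); schedule None means always."""
    for action, rule_category, schedule in rules:
        if rule_category == category and (schedule is None or schedule.active(when)):
            return action
    return default


if __name__ == "__main__":
    group = engineering_work_hours()
    rules = [("deny", "auction", group)]  # block auction sites during work hours
    for stamp in ("2012-03-05 12:00", "2012-03-05 22:00", "2012-03-10 13:00"):
        print(stamp, decide(rules, "auction", at(stamp)))
```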
Caution
Changing the management parameters can cause units to be disconnected from GMS.
Note
1. Expand the System tree and click Management. The Management page displays.
2. Enter the port number for HTTP connections in the HTTP Port field.
3. To enable HTTPS access to the appliance, select the Enable HTTPS Access to the unit checkbox and enter the port number in the HTTPS Port field. For the SonicWALL Aventail appliance, use port 8443 for HTTPS access.
4. The Certificate Common Name field defaults to the SonicWALL LAN Address. This allows you to continue using a certificate without downloading a new one each time you log into the appliance.
To change the HTTP or HTTPS ports for SonicOS Enhanced units, go to the Firewalls > Service Objects screen and edit the corresponding service object.
5. Specify whether the appliance is to be managed by GMS or a VPN client in the Enable Management Using pull-down menu.
6. Enter the IP address or host name of the GMS server in the GMS HostName or IPAddress field.
7. Enter the syslog server port (default: 514) in the GMS Syslog Server Port field.
8. If the GMS is behind a device performing Network Address Translation (NAT), select the GMS behind NAT Device checkbox and enter the IP address in the NAT Device IP Address field.
9. If the appliance will be managed over an existing VPN tunnel, select the GMS on VPN (No SA Required) checkbox.
10. To minimize the amount of syslog traffic between the GMS and the SonicWALL security appliance, select the Send Heartbeat Status Messages Only checkbox. This option should be used if you do not need the data to generate reports in GMS. When you check this setting, the unit will only send heartbeat (m=96) messages that tell GMS that the unit is alive. Click the Change button.
11. To allow users on the LAN interface to ping the appliance to verify that it is online, select the Enable Ping from LAN/WorkPort to management interface checkbox. Click the Change button.
12. To allow GMS administrators to preempt users who are logged in directly to the SonicWALL
13. If you have configured security associations on the appliance, the Security Association Information section displays at the bottom of the Management page. Enter the SA keys in the Encryption Key and Authentication Key fields and click Change Only SA Keys.
14. When you have finished configuring remote management settings, click Update.
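Step 8 of the Settings procedure earlier in this chapter (the Missed Reports Threshold) and step 10 here (heartbeat m=96 messages) describe the same mechanism from two sides. The following Python is an added example, not GMS code, that applies the threshold rule to a constructed stream of key=value syslog lines; the serial numbers, addresses, the one-minute heartbeat interval and the non-heartbeat message id 1234 are assumptions.

```python
import re
from datetime import datetime, timedelta

HEARTBEAT_MSG_ID = "96"       # m=96 is the heartbeat message id named in step 10
DEFAULT_THRESHOLD = 3         # default Missed Reports Threshold
TIME_FMT = "%Y-%m-%d %H:%M:%S"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

# Constructed sample lines in SonicWALL key=value syslog style (serials and
# addresses are made up). UNIT-B stops sending heartbeats after 10:01;
# its later m=1234 line is some other message and must not count.
SAMPLE_LOG = [
    'id=firewall sn=UNIT-A time="2012-03-01 10:00:00" fw=203.0.113.10 pri=6 m=96 msg="Heartbeat"',
    'id=firewall sn=UNIT-B time="2012-03-01 10:00:00" fw=203.0.113.11 pri=6 m=96 msg="Heartbeat"',
    'id=firewall sn=UNIT-A time="2012-03-01 10:01:00" fw=203.0.113.10 pri=6 m=96 msg="Heartbeat"',
    'id=firewall sn=UNIT-B time="2012-03-01 10:01:00" fw=203.0.113.11 pri=6 m=96 msg="Heartbeat"',
    'id=firewall sn=UNIT-A time="2012-03-01 10:02:00" fw=203.0.113.10 pri=6 m=96 msg="Heartbeat"',
    'id=firewall sn=UNIT-B time="2012-03-01 10:03:30" fw=203.0.113.11 pri=6 m=1234 msg="Constructed non-heartbeat"',
    'id=firewall sn=UNIT-A time="2012-03-01 10:03:00" fw=203.0.113.10 pri=6 m=96 msg="Heartbeat"',
    'id=firewall sn=UNIT-A time="2012-03-01 10:04:00" fw=203.0.113.10 pri=6 m=96 msg="Heartbeat"',
]


def parse_syslog(line):
    """Split one key=value syslog line into a dict, dropping quotes on values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def last_heartbeats(lines):
    """Return {serial: datetime of the newest m=96 heartbeat seen}."""
    last = {}
    for line in lines:
        fields = parse_syslog(line)
        if fields.get("m") != HEARTBEAT_MSG_ID:
            continue
        seen = datetime.strptime(fields["time"], TIME_FMT)
        if fields["sn"] not in last or seen > last[fields["sn"]]:
            last[fields["sn"]] = seen
    return last


def missed_heartbeats(last_seen, now, interval):
    """Whole heartbeat intervals elapsed since the last heartbeat."""
    return max(0, int((now - last_seen) / interval))


def unit_status(last_seen, now, interval, threshold=DEFAULT_THRESHOLD):
    """Apply the Missed Reports Threshold: 0 disables the down state entirely."""
    if threshold == 0:
        return "up"
    return "down" if missed_heartbeats(last_seen, now, interval) >= threshold else "up"


def evaluate(lines, now, interval_minutes=1, threshold=DEFAULT_THRESHOLD):
    """Status of every unit seen in `lines` at time `now` ('YYYY-MM-DD HH:MM:SS')."""
    now_dt = datetime.strptime(now, TIME_FMT)
    interval = timedelta(minutes=interval_minutes)
    return {sn: unit_status(seen, now_dt, interval, threshold)
            for sn, seen in last_heartbeats(lines).items()}


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, "2012-03-01 10:04:30"))   # {'UNIT-A': 'up', 'UNIT-B': 'down'}
```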
Configuring SNMP
This section describes how to configure Simple Network Management Protocol (SNMP)
settings for one or more SonicWALL appliances.
To configure SNMP, perform the following steps:
1. Expand the System tree and click SNMP. The SNMP page displays.
2.
3.
4. Enter the name of the administrator responsible for the SNMP server in the System Contact field.
5. Enter the location of the SNMP server in the System Location field.
6. Enter the community name from which the SNMP server will respond to Get requests in the Get Community Name field.
7. Enter the name of the administrator group that can view SNMP traps in the Trap Community Name field.
8. Enter the SNMP server IP addresses or hostnames in the Hosts 1-4 fields.
9. When you are finished, click Update. A task gets spooled and once it is executed successfully, the information is updated for each selected SonicWALL appliance.
Configuring Certificates
The Certificates dialog box displays details for Certificate Authority (CA) Certificates and local
certificates that you have imported or configured on your SonicWALL appliance.
View Style
The View Style menu allows you to choose which certificates are displayed.
Options include:
Imported certificates and requests - displays all imported certificates and generated certificate requests.
Built-in certificates - displays all certificates included with the SonicWALL security appliance.
Include expired and built-in certificates - displays all expired and built-in certificates.
Details - the details of the certificate. Moving the pointer over the magnifying glass icon displays the details of the certificate.
New Signing Request - creates a new signing request directly from the GMS user interface.
SCEP - manages certificates using the Simple Certificate Enrollment Protocol (SCEP) standard.
About Certificates
A digital certificate is an electronic means to verify identity by using a trusted third party known
as a Certificate Authority (CA). SonicWALL now supports third party certificates in addition to
the existing Authentication Service.
SonicWALL security appliances interoperate with any X.509v3-compliant provider of Certificates. However,
SonicWALL security appliances have been tested with the following vendors of Certificate Authority
Certificates:
Entrust
Microsoft
OpenCA
OpenSSL
VeriSign
Configuring CA Certificates
To configure CA Certificates in this dialog box, perform the following steps.
1.
2. Note the details, including the certificate name and subject in the Details region.
3. Click on the Email Certificate button if you want to send the certificate to a location by email.
4. Click the Delete Certificate button if you want to remove the certificate.
5. Specify a URL of the location of the Certificate Revocation List (CRL) in the CRL URL field. Then click the CRL URL button to launch the CRL.
6. To import a CRL, click the Browse button for the Import CRL field and navigate to the CRL. Then click the Import CRL button to import the CRL.
7. To import a certificate:
8.
9.
This section assumes that you are familiar with Public Key Infrastructure (PKI) and the
implementation of digital certificates with VPN.
To obtain a certificate, perform the following steps:
1. On the System > Certificates page, click the New Signing Request link.
2. Complete the information in the Generate Certificate Request section and click Generate Request. The request displays in the Current Certificate Requests section.
3. Click Export. You are prompted to save the file. It will be saved in the PKCS 10 format.
4. Obtain a certificate from one of the approved certificate authorities using the PKCS 10 file.
5. After you receive the certificate file, locate and import the file by clicking Browse in the Import Certificate With Private Key section. Then click Import. The certificate will appear in the Current Local Certificates section.
Configuring SCEP
Note
1. On the System > Certificates page, click the SCEP link. The SCEP Configuration window displays.
2.
CSR list - Select a certificate signing request (CSR) list if one has been uploaded.
Challenge Password - (optional) Enter the password that is used to authenticate the enrollment request.
3.
CHAPTER 10
Configuring Firewall Network Settings
This chapter describes how to configure network settings for SonicWALL appliances. It is
divided into sections for SonicWALL security appliances running SonicOS Enhanced and
SonicOS Standard.
Overview of Interfaces
You can configure the LAN interface in three different modes:
Static IP - Uses a static IP address and acts as a gateway for devices on the LAN.
Figure 10:1 shows the basic interfaces for a SonicWALL appliance. The WAN interface can use a static or dynamic IP address and can connect to the Internet via Transmission Control Protocol (TCP), Point-to-Point Protocol over Ethernet (PPPoE), Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP).
A SonicWALL appliance might have one, many, or no optional interfaces. Optional interfaces
can be configured for LAN, WAN, DMZ, WLAN, or Multicast connections, or they can be
disabled.
[Figure 10:1: Basic interfaces of a SonicWALL E7500. LAN: Static IP, Transparent Mode, Layer 2 Bridge Mode. OPT (LAN/WAN/DMZ/Multicast): Static IP, Dynamic IP. WAN: Static IP, Dynamic IP, TCP, PPPoE, L2TP, PPTP, connecting to the Internet.]
[Figure: VLAN sub-interfaces on an E7500: VLAN 10 (10.10.10.0/24) and VLAN 20 (10.20.20.0/24) on interfaces X0 and X3; LAN / WLAN gateways 10.10.10.1/24 / 10.20.20.1/24.]
SonicOS Enhanced 4.0 and higher can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the WAN interface. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP's intrinsic behavior to control the traffic.
Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWALL security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.
Note
Group level interface edits are only available for SonicWALL firewall appliances.
2. Expand the Network tree and click Interfaces. The Interfaces page displays.
3. Click the Edit icon of the LAN, WAN, OPT, or WWAN interface. The Edit Interface window is displayed.
For a WWAN interface, GMS navigates directly to the Network > WWAN > Settings screen. For configuration information, refer to the Configuring WWAN Settings section on page 625.
Transparent Mode
The following options are available when configuring an interface in Transparent Mode:
For IP Assignment, select Static, Transparent Mode, or Layer 2 Bridged Mode. The display
changes according to your selection. Configure the resulting field as follows:
Static - For static IP addresses, enter the IP Address for the interface and Subnet
Transparent Mode - For transparent mode, select an address object that contains the range of IP addresses you want to have access through this interface in the Transparent Range menu.
appliances, you can configure interfaces for PortShield switch mode, which manually
groups ports together to share a common network subnet as well as common zone
settings. For more information, refer to the Configuring PortShield Groups section on
page 251.
Note
When configuring a zone for Layer 2 Bridge Mode, the only access rule automatically added
is an allow rule between the bridge pair. Other necessary access rules must be added
manually.
The following options are available when configuring an interface in Layer 2 Bridge Mode:
Layer 2 Bridged Mode - On appliances running SonicOS Enhanced 3.5 and 4.0 or higher, you can select Layer 2 Bridged Mode for physical interfaces in either the LAN or the DMZ zone. On appliances running SonicOS Enhanced 5.5 or higher, you can select Layer 2 Bridge Mode for the WLAN zone.
In the Bridged-to field, select a WAN, LAN, or DMZ interface with a static IP
address.
Select the Block all non-IPv4 traffic checkbox to allow only IPv4 traffic on this
bridge-pair.
Select the Never route traffic on this bridge-pair checkbox to prevent traffic from
being routed to another interface.
Select the Only sniff traffic on this bridge-pair checkbox to allow the bridged
interface to be connected to a mirrored port on a switch in a one-arm mode to
perform intrusion detection by examining traffic going through the switch.
The Engage physical bypass on malfunction option enables Layer 2 Bridge Bypass
Relay Control, also known as Fail to Wire. The bypass relay option provides the user
the choice of avoiding disruption of network traffic by bypassing the firewall in the event
of a malfunction. The bypass relay will be closed for any unexpected anomaly (power
failure, watchdog exception, fallback to safe-mode).
Note
The Engage physical bypass on malfunction option is available only for SonicWALL
E7500 appliances running SonicOS Enhanced version 5.5 or higher and only when the X0
interface is bridged to the X1 interface.
Selecting the Engage physical bypass on malfunction option automatically
configures the other Layer 2 Bridge mode options as follows:
they attempt to access the device using HTTP. This option is only applicable when
HTTPS access is enabled and HTTP access is not.
WAN Settings
Perform the following steps to configure the WAN settings for the SonicWALL appliance.
1. Select how the WAN connects to the Internet from the IP Assignment list box:
Static - Configure the following settings for static IP address interfaces:
IP Address - Enter the IP address of the interface.
Subnet Mask - Enter the subnet mask for the network.
Default Gateway - Enter the IP address of the WAN gateway.
DNS Server 1-3 - Enter the IP addresses of the DNS servers.
Comment - Enter any comments regarding the interface.
DHCP - Configure the following settings if the WAN IP address will use DHCP:
Host Name - Specifies the host name of the SonicWALL device on the WAN interface.
Comment - Enter any comments regarding the interface.
IP Address, Subnet Mask, Gateway (Router) Address, and DNS Server 1-3 - These
PPPoE - Configure the following settings if the WAN IP address will use PPPoE:
Schedule - Select the schedule for when the interface is enabled. The default value is
Always on. The available options can be customized in the System > Schedule page.
The default choices are:
Always on
Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same
schedules)
M-T-W-TH-F 00:00-08:00
After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same
schedules)
Weekend Hours or SA-SU 00:00-24:00 (these two options are the same
schedules)
field is case-sensitive.
To configure the SonicWALL appliance(s) to use a fixed IP address, select Use the
following IP Address and enter the IP address.
To specify DNS servers, select Specify DNS Servers and enter the DNS Server IP
addresses.
Note
For PPPoE interfaces, a Protocol tab appears that displays the acquired IP address, subnet
mask, gateway address, and DNS server addresses.
Click the Protocol tab.
View the settings for the acquired IP address, subnet mask, gateway address, and DNS server addresses.
Inactivity Disconnect - Specify how long (in minutes) the SonicWALL appliance waits
Strictly use LCP echo packets for server keep-alive - This checkbox is enabled when the client recognizes that the server relies on Link Control Protocol (LCP) echo requests for keeping the PPPoE connection alive.
Disconnect the PPPoE client if the server does not send traffic for __ minutes - Select this checkbox and enter the number of minutes to wait without traffic before the connection is ended. When enabled, the PPPoE client monitors traffic from the server on the tunnel and disconnects when no traffic is seen for the specified time period.
PPTP - Configure the following settings if the WAN IP address will use PPTP:
Schedule - Select the schedule for when the interface is enabled. The default value is
Always on. The available options can be customized in the System > Schedules page.
The default choices are:
Always on
Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same
schedules)
M-T-W-TH-F 00:00-08:00
After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same
schedules)
Weekend Hours or SA-SU 00:00-24:00 (these two options are the same
schedules)
Select one of the following from the PPTP IP Assignment list box:
To configure the SonicWALL appliance(s) to dynamically obtain an IP address, select
DHCP.
To configure the SonicWALL appliance(s) to use a fixed IP address, select Static and
Note
For PPTP interfaces, a Protocol tab appears that displays the acquired IP address, subnet
mask, gateway address, and DNS server addresses.
L2TP - Configure the following settings if the WAN IP address will use L2TP:
Schedule - Select the schedule for when the interface is enabled. The default value is
Always on. The available options can be customized in the System > Schedules page.
The default choices are:
Always on
Work Hours or M-T-W-TH-F 08:00-17:00 (these two options are the same
schedules)
M-T-W-TH-F 00:00-08:00
After Hours or M-T-W-TH-F 17:00-24:00 (these two options are the same
schedules)
Weekend Hours or SA-SU 00:00-24:00 (these two options are the same
schedules)
Select one of the following from the L2TP IP Assignment list box:
Note
For L2TP interfaces, a Protocol tab appears that displays the acquired IP address, subnet
mask, gateway address, and DNS server addresses.
2.
Protocol (SNMP).
3.
they attempt to access the device using HTTP. This option is only applicable when
HTTPS access is enabled and HTTP access is not.
4.
Click Update. The settings are saved. To clear any changes and start over, click Reset.
Advanced Settings
5. Click the Advanced tab and configure the following Ethernet settings:
Link Speed - To configure the interface to automatically negotiate Ethernet settings, select Auto Negotiate. If you want to specify the forced Ethernet speed and duplex, select the appropriate setting.
To fragment packets that are larger than this MTU, select the Fragment non-VPN
To block notifications that this interface can receive fragmented packets, select the Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU checkbox.
Note
If the maximum transmission unit (MTU) size is too large for a remote router, it may require more transmissions. If the packet size is too small, this could result in more packet header overhead and more acknowledgements that have to be processed.
To ignore Don't Fragment (DF) bits from routers connected to the SonicWALL appliance, select the Ignore Don't Fragment (DF) Bit check box.
Expert Mode
6. Under the Expert Mode Settings heading, select the Use Routed Mode - Add NAT Policy to prevent outbound\inbound translation checkbox to enable Routed Mode for the interface. Routed Mode provides an alternative to NAT for routing traffic between separate public IP address ranges. NAT translations will be automatically disabled for the interface, and all inbound and outbound traffic will be routed to the WAN interface.
In the Set NAT Policy's outbound\inbound interface to pull-down menu, select the WAN interface that is to be used to route traffic for the interface. The firewall then creates no-NAT policies for both the configured interface and the selected WAN interface. These policies override any more general M21 NAT policies that may be configured for the interfaces.
7. Click OK.
8.
The firewall then creates no-NAT policies for both the configured interface and the selected WAN interface. These policies override any more general M21 NAT policies that may be configured for the interfaces.
The availability of Expert Mode depends on the zone and IP address assignment configuration of the interface, as follows:
LAN & DMZ - Expert Mode is available for interfaces that are assigned a static IP address.
WLAN - Expert Mode is available for all WLAN interfaces, regardless of IP assignment.
Bandwidth Management
SonicOS Enhanced can apply bandwidth management to both egress (outbound) and ingress (inbound) traffic on the interfaces in the WAN zone. Outbound bandwidth management is done using Class Based Queuing. Inbound bandwidth management is done by implementing an ACK delay algorithm that uses TCP's intrinsic behavior to control the traffic.
Class Based Queuing (CBQ) provides guaranteed and maximum bandwidth Quality of Service (QoS) for the SonicWALL security appliance. Every packet destined to the WAN interface is queued in the corresponding priority queue. The scheduler then dequeues the packets and transmits them on the link depending on the guaranteed bandwidth for the flow and the available link bandwidth.
Use the Bandwidth Management section of the Edit Interface screen to enable or disable the
ingress and egress bandwidth management. Egress and Ingress available link bandwidth can
be used to configure the upstream and downstream connection speeds in kilobits per second.
Note
The Bandwidth Management settings are applied to all interfaces in the WAN zone, not just
to the interface being configured.
9.
Available Interface Ingress Bandwidth (Kbps) - Specifies the available bandwidth for WAN interfaces in Kbps.
To enable egress bandwidth management on this interface, select the check box and
enter the bandwidth of the connection in the Available Interface Bandwidth field in
kilobytes per second (Kbps).
To enable ingress bandwidth management on this interface, select the check box and
enter the bandwidth of the connection in the Available Interface Bandwidth field in
kilobytes per second (Kbps).
11. Click Update. The settings are saved. To clear any changes and start over, click Reset.
At the bottom of the Network > Interfaces page, click Add VLAN Interface. The Add Interface window displays.
2. Select a Zone to assign to the interface. You can select LAN, DMZ, WLAN, or unassigned. The zone assignment does not have to be the same as the parent (physical) interface.
3.
4. Declare the parent (physical) interface to which this sub-interface will belong. There is no per-interface limit to the number of sub-interfaces you can assign; you may assign sub-interfaces up to the system limit (in the hundreds).
5. For LAN and DMZ, select Static or Transparent for the IP Assignment. WLAN interfaces use static IP addresses:
For static IP addresses, enter the IP Address for the interface and Subnet Mask for the network.
For transparent mode, select an address object that contains the range of IP addresses you want to have access through this interface in the Transparent Range menu.
6.
Protocol (SNMP).
7.
they attempt to access the device using HTTP. This option is only applicable when HTTPS access is enabled and HTTP access is not.
8. Check Create Default DHCP Lease Scope to indicate that the amount of time allowed for an IP address issued by DHCP will be the default.
9. Click OK.
The Virtual interface displays in the VLAN Interfaces table below the Interfaces table.
WWAN only - The WAN interface is disabled and the WWAN interface is used exclusively.
Ethernet only - The WWAN interface is disabled and the WAN interface is used exclusively.
Ethernet with WWAN Failover - The WAN interface is used as the primary interface and the WWAN interface is disabled. If the WAN connection fails, the WWAN interface is enabled and a WWAN connection is automatically initiated.
Note
The WAN Connection Model option does not apply to TZ200 through NSA240 units running SonicOS Enhanced 5.6 and above. For these devices, any WWAN interfaces are treated as a regular WAN interface and failover to the WWAN is configured as a secondary WAN interface. See the Configuring Multiple WAN Interfaces section on page 222 for more information.
In the Interface Settings table, in the WWAN row, click Connect. The SonicWALL
appliance attempts to connect to the WWAN service provider.
2.
Note
Before you begin, be sure you have configured a user-defined interface to mirror the WAN
port settings.
To configure the WAN Failover for a SonicWALL appliance, perform the following steps:
Note
1. Expand the Network tree and click WAN Failover & LB. The WAN Failover & LB page displays.
2.
3. Select the secondary interface(s) from the Secondary WAN Interface pull-down menu. If this is not configured, you will need to configure a WAN interface from the Network > Interfaces page.
Appliances running SonicOS Enhanced 5.5 can support up to three alternate WAN interfaces. For these appliances, the Secondary WAN Interface pull-down menu is replaced with up to three Alternate WAN pull-down menus. The pull-down menu will contain all interfaces configured as WAN interfaces.
4. Specify how often the SonicWALL appliance will check the interface (5-300 seconds) in the Check interface every field (default: 5 seconds).
5. Specify the number of times the SonicWALL appliance tests the interface as inactive before failing over in the Deactive interface after field (default: 3). For example, if the SonicWALL appliance tests the interface every 5 seconds and finds the interface inactive after 3 successive attempts, it will fail over to the secondary interface after 15 seconds.
6. Specify the number of times the SonicWALL appliance tests the interface as active before failing back to the primary interface in the Deactive interface after field (default: 3). For example, if the SonicWALL appliance tests the interface every 5 seconds and finds the interface active after 3 successive attempts, it will fail back to the primary interface after 15 seconds.
7.
primary device fails to provide a connection, it will enter standby and allow the
secondary device to take over network traffic. Check the Preempt and failback to
Primary WAN when possible checkbox to enable immediate failback to the primary
device when available.
balancing. In the 17th or 18th century, when peasants in France wanted to complain to
the king using a petition, the usual reaction from the monarch was to seize the two or
three people on top of that petition list and execute them. In order to stop this form of
arbitrary vengeance, the names were signed in a circle at the bottom of the petition so
that no one would be on top of the list. This became known as a Round-Robin. Thus,
in load balancing, Round-Robin is where network requests are applied to a circular list.
When the network load becomes too much, GMS acts as a monarch and picks several
of the network clients from the list to execute. This process allows GMS to quickly and
easily free up network resources.
Select Spillover-based and enter a value (in Kb/sec) to enable the secondary device
to serve as a load balancer. With this option selected, traffic will be re-routed to the
secondary device should the primary WAN device exceed the specified bandwidth.
Select Percentage-Based to split network traffic between the primary and secondary
Enter a Primary WAN Percentage and Secondary WAN Percentage that add up
to 100 to divide traffic between the two WAN interfaces.
Appliances running SonicOS Enhanced 5.5 or above can divide traffic between up
to four WAN interfaces. Enter a Primary WAN Percentage, and up to three
Alternate WAN Percentage settings that add up to 100.
When using Percentage-Based load balancing, you may select the Use Source and
Destination IP Addresses Binding checkbox to keep related traffic together across
an interface.
Timesaver
When using Percentage-Based load balancing, fill in the Primary WAN Percentage field
only. The Secondary WAN Percentage field will be calculated for you.
8. The SonicWALL appliance can monitor the WAN by detecting whether the link is unplugged or disconnected or by sending probes to a target IP address of an always available target upstream device on the WAN network, such as an ISP side router. To enable probe monitoring, select the Enable Probe Monitoring check box and configure the following settings:
Primary WAN Probe Settings - Select the protocol used for monitoring and enter the IP address and port (TCP only) of the probe target. If there will be an optional probe target, specify these settings also and select whether the SonicWALL appliance must test both targets or either target.
Secondary WAN Probe Settings - Select the protocol used for monitoring and enter the IP address and port (TCP only) of the secondary probe target. If there will be an optional secondary probe target, specify these settings also and select whether the SonicWALL appliance must test both targets or either target.
WWAN WAN Probe Settings - Select the protocol used for monitoring and enter the IP address and port (TCP only) of the WWAN probe target. If there will be an optional WWAN probe target, specify these settings also and select whether the SonicWALL appliance must test both targets or either target.
Note
TCP probing is useful if you do not have ping (ICMP) response enabled on your network devices. In this case, TCP can be used to probe the device on a user-specified port.
9. Select the Respond to Probes checkbox to enable GMS managed devices to respond to probe requests. With this option selected, you can also check the Any TCP-SYN to Port checkbox and enter a specific port to probe.
10. Click the Update button at the bottom of the page to save these settings.
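The failover timing from the Check interface every and Deactive interface after settings, and the Percentage-Based option with Source and Destination IP Addresses Binding, worked through in code as an added example (not SonicWALL or GMS code): the monitor class, the probe sequences and the hash-bucket binding are this example's own constructions, since the appliance's internal algorithm is not documented on this page.

```python
"""WAN failover / failback timing and Percentage-Based binding, as an
added example (not SonicWALL or GMS code). The probe-count state machine
models the Check interface every / Deactive interface after settings;
the hash-bucket binding is this example's own way of keeping a
source/destination pair on one WAN interface."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class WanFailoverMonitor:
    """Counts consecutive probe results for the primary WAN and decides
    when to fail over to the secondary and when to fail back."""
    check_interval_s: int = 5    # "Check interface every" (5-300 seconds, default 5)
    deactivate_after: int = 3    # failed probes in a row before failover (default 3)
    reactivate_after: int = 3    # good probes in a row before failback (default 3)
    preempt: bool = True         # "Preempt and failback to Primary WAN when possible"
    active: str = "primary"
    elapsed_s: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)
    _failed: int = 0
    _passed: int = 0

    def __post_init__(self) -> None:
        if not 5 <= self.check_interval_s <= 300:
            raise ValueError("Check interface every must be 5-300 seconds")

    def probe(self, primary_up: bool) -> str:
        """Record one probe of the primary WAN; returns the interface now in use."""
        self.elapsed_s += self.check_interval_s
        if self.active == "primary":
            # any successful probe resets the inactive count
            self._failed = 0 if primary_up else self._failed + 1
            if self._failed >= self.deactivate_after:
                self.active, self._failed = "secondary", 0
                self.events.append((self.elapsed_s, "failover"))
        else:
            # on the secondary, count successive good probes of the primary
            self._passed = self._passed + 1 if primary_up else 0
            if self.preempt and self._passed >= self.reactivate_after:
                self.active, self._passed = "primary", 0
                self.events.append((self.elapsed_s, "failback"))
        return self.active


def run_probe_sequence(results: List[bool], **settings) -> List[Tuple[int, str]]:
    """Feed a constructed list of probe outcomes (True = primary reachable)
    and return the (elapsed seconds, event) pairs that occurred."""
    monitor = WanFailoverMonitor(**settings)
    for up in results:
        monitor.probe(up)
    return monitor.events


def choose_wan_by_percentage(src_ip: str, dst_ip: str,
                             percentages: Dict[str, int]) -> str:
    """Percentage-Based load balancing with Source and Destination IP
    Addresses Binding: the same (src, dst) pair always lands on the same
    WAN interface, and pairs spread across interfaces in the configured
    proportions. Percentages must add up to 100, as the GMS page requires."""
    if sum(percentages.values()) != 100:
        raise ValueError("WAN percentages must add up to 100")
    digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).hexdigest()
    bucket = int(digest, 16) % 100              # 0..99, stable for the pair
    cumulative = 0
    for interface, share in percentages.items():
        cumulative += share
        if bucket < cumulative:
            return interface
    raise RuntimeError("unreachable: shares cover all 100 buckets")


if __name__ == "__main__":
    # The manual's worked case: probes every 5 s, inactive 3 times in a row
    # -> failover after 15 s; then 3 good probes -> failback after 30 s.
    print(run_probe_sequence([False, False, False, True, True, True]))
    # constructed addresses: a LAN host from the VLAN figure and a public target
    print(choose_wan_by_percentage("10.10.10.5", "203.0.113.7", {"X1": 70, "X2": 30}))
```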
Note
A virtual WAN interface may belong to the LB group. However, prior to using within the LB
group, please ensure that the virtual WAN network is fully routable like that of a physical
WAN.
Routing the Default & Secondary Default Gateways for Multiple WAN
Because the gateway address objects previously associated with the Primary WAN and
Secondary WAN are now deprecated, user-configured Static Routes need to be re-created in
order to use the correct gateway address objects associated with the WAN interfaces. This
must be configured manually as part of the firmware upgrade procedure on the Network >
Routing (ENH) page.
The old address object, Default Gateway, corresponds to the default gateway associated with
the Primary WAN in the LB group. The Secondary Default Gateway address object
corresponds to the default gateway associated with Alternate WAN #1.
Note
After re-adding the routes, delete the old ones referring to the Default and Secondary
Default Gateways.
Configuring Zones
A Zone is a logical grouping of one or more interfaces designed to make management, such as
the definition and application of Access Rules, a simpler and more intuitive process than
following a strict physical interface scheme. There are four fixed Zone types: Trusted,
Untrusted, Public, and Encrypted. Trusted is associated with LAN Zones. These fixed Zone
types cannot be modified or deleted. A Zone instance is created from a Zone type and named accordingly, i.e. Sales, Finance, etc.
Only the number of interfaces limits the number of Zone instances for Trusted and Untrusted Zone types. The Untrusted Zone type (i.e. the WAN) is restricted to two Zone instances. The Encrypted Zone type is a special system Zone comprising all VPN traffic and doesn't have any associated interfaces.
Trusted and Public Zone types offer an option, Interface Trust, to automate the creation of
Access Rules to allow traffic to flow between the Interfaces of a Zone instance. For example, if
the LAN Zone has interfaces X0, X3, and X5 assigned to it, checking Allow Interface Trust on
the LAN Zone creates the necessary Access Rules to allow hosts on these Interfaces to
communicate with each other.
To add or edit a Zone, perform the following steps:
1.
2. Expand the Network tree and click Zones. The Zones page displays.
3.
4.
5.
6. To configure the SonicWALL appliance to automatically create the rules that allow data to freely flow between interfaces in the same Zone, select the Allow Interface Trust check box.
7. To enforce content filtering on multiple interfaces in the same Trusted or Public Zones, select the Enforce Content Filtering Service check box.
8. For appliances running SonicOS Enhanced 4.0 or above, if the selected node is a group or global node, or if the selected appliance is licensed for SonicWALL CFS Premium, select a predefined CFS policy or the default policy from the CFS Policy pull-down list. The pull-down list is only populated if the Enforce Content Filtering Service checkbox is enabled. It is not available for the WAN zone.
9. To enforce network anti-virus protection on multiple interfaces in the same Trusted or Public Zones, select the Enforce Network Anti-Virus Service check box.
) for a Zone or click Add New Zone. The Edit Zone or Add Zone
10. To enforce gateway anti-virus protection on multiple interfaces in the same Trusted or Public Zones, select the Enable Gateway Anti-Virus Service check box.
11. To enforce Intrusion Prevention Services (IPS) on multiple interfaces in the same Trusted
14. To automatically create a GroupVPN policy for this zone, select Create Group VPN.
15. For appliances running SonicOS Enhanced 4.0 or above, select the Enable SSL Control
check box to allow SSL Control in this zone. This check box is not active for the VPN or
Multicast zones.
16. For WLAN zones, see for information about configuring settings on the other tabs. For all other zones, click Update when you are finished. The Zone is modified or added for the selected SonicWALL appliance. To clear all settings and start over, click Reset.
When the Security Type for a zone is selected as either Trusted or Public, the Guest
Services tab displays.
2.
3.
Note
Tip
1.
2. In the Network > Zones pages, click the Add New Zone or the Edit icon for the WLAN zone.
3. Configure the settings on the General tab as described for other zones. To expose the wireless-only tabs when adding a new zone, select Wireless for the Security Type.
4.
5. On the Wireless tab, select Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN Zone interface. This allows maximum security of your WLAN. Uncheck this option if you want to allow any traffic on your WLAN Zone regardless of whether or not it is from a wireless connection.
Uncheck Only allow traffic generated by a SonicPoint and use the zone on a wired interface to allow guest services on that interface.
6. Select SRA Enforcement to require that all traffic that enters into the WLAN Zone be authenticated through a SonicWALL SRA appliance. If you select both SRA Enforcement and WiFiSec Enforcement, the Wireless zone will allow traffic authenticated by either an SRA or an IPsec VPN.
7. In the SRA Server list, select an address object to direct traffic to the SonicWALL SRA appliance.
8. In the SRA Service list, select the service or group of services you want to allow for clients authenticated through the SRA.
9. Select WiFiSec Enforcement to require that all traffic that enters into the WLAN Zone interface be either IPsec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled, all non-guest wireless clients connected to SonicPoints attached to an interface belonging to a Zone on which WiFiSec is enforced are required to use the strong security of IPsec. The VPN connection inherent in WiFiSec terminates at the WLAN GroupVPN, which you can configure independently of WAN GroupVPN or other Zone GroupVPN instances. If you select both WiFiSec Enforcement and SRA Enforcement, the Wireless zone will allow traffic authenticated by either an SRA or an IPsec VPN.
10. If you have enabled WiFiSec Enforcement, you can specify services that are allowed to
bypass the WiFiSec enforcement by checking WiFiSec Exception Service and then
selecting the service you want to exempt from WiFiSec enforcement.
11. If you have enabled WiFiSec Enforcement, you can select Require WiFiSec for
Site-to-Site VPN Tunnel Traversal to require WiFiSec security for all wireless connections
through the WLAN zone that are part of a site-to-site VPN.
12. Select Trust WPA traffic as WiFiSec to accept WPA as an allowable alternative to IPsec.
Both WPA-PSK (Pre-shared key) and WPA-EAP (Extensible Authentication Protocol using
an external 802.1x/EAP capable RADIUS server) will be supported on SonicPoints.
13. Under the SonicPoint Settings heading, select the SonicPoint Provisioning Profile you
want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects
to this zone, it will automatically be provisioned by the settings in the SonicPoint
Provisioning Profile, unless you have individually configured it with different settings.
14. Click the Guest Services tab. You can choose from the following configuration options for
Note
Configuring DNS
Domain Name System (DNS) is the Internet standard for locating domain names and
translating them into IP addresses. By default, the SonicWALL appliance will inherit its DNS
settings from the WAN Zone. To configure DNS, perform the following steps:
Note
Expand the Network tree and click DNS. The DNS page displays.
2. To inherit the DNS settings from the WAN Zone configuration, select Inherit DNS
When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
2. From the Action pull-down menu, select an action to perform when a DNS rebinding attack is detected:
Log Attack
Log Attack & Return a Query Refused Reply
Log Attack & Drop DNS Reply
3. (Optional) For the Allowed Domains pull-down menu, select an FQDN Address Object/Group containing allowed domain-names (e.g. *.sonicwall.com) for which locally connected/routed subnets should be considered legal responses.
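The rebinding check and the three actions above, as an added example (not SonicWALL or GMS code): a reply is flagged when a name outside the Allowed Domains object resolves into a locally connected or routed subnet. The function names, the sample subnets (10.10.10.0/24 and 10.20.20.0/24 from the interface figure), and the sample names and addresses are constructed for illustration.

```python
"""Detection logic for the DNS Rebinding Attack Prevention actions, as an
added example (not SonicWALL or GMS code). Sample subnets, names and
addresses are constructed."""
import ipaddress
from fnmatch import fnmatch
from typing import Iterable, List, Tuple

# Actions as offered in the Action pull-down menu
LOG_ATTACK = "Log Attack"
LOG_AND_REFUSE = "Log Attack & Return a Query Refused Reply"
LOG_AND_DROP = "Log Attack & Drop DNS Reply"


def domain_allowed(name: str, allowed_domains: Iterable[str]) -> bool:
    """True if name matches an Allowed Domains entry. Entries may use a
    leading wildcard such as *.sonicwall.com (the manual's own example);
    here the wildcard form also covers the bare apex sonicwall.com."""
    name = name.rstrip(".").lower()
    for pattern in allowed_domains:
        pattern = pattern.rstrip(".").lower()
        if fnmatch(name, pattern) or name == pattern.lstrip("*."):
            return True
    return False


def inspect_dns_reply(qname: str, answers: Iterable[str],
                      local_subnets: Iterable[str], allowed_domains: Iterable[str],
                      action: str) -> Tuple[str, List[str]]:
    """Apply the configured action to one DNS reply.
    Returns (verdict, log_lines); verdict is 'forward', 'refused' or 'drop'."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_subnets]
    offending = []
    for rdata in answers:
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # CNAME, MX and similar records carry no address
        if any(addr in net for net in nets):
            offending.append(str(addr))
    if not offending or domain_allowed(qname, allowed_domains):
        return "forward", []          # legal response, nothing to log
    log = [f"DNS rebinding attack detected: {qname} -> {a}" for a in offending]
    if action == LOG_AND_REFUSE:
        return "refused", log         # answer the client with REFUSED
    if action == LOG_AND_DROP:
        return "drop", log            # silently discard the reply
    return "forward", log             # Log Attack: record it, let it through


if __name__ == "__main__":
    subnets = ["10.10.10.0/24", "10.20.20.0/24"]   # locally connected subnets
    allowed = ["*.sonicwall.com"]                  # Allowed Domains object
    print(inspect_dns_reply("evil.example.test", ["203.0.113.7", "10.10.10.5"],
                            subnets, allowed, LOG_AND_DROP))
    print(inspect_dns_reply("portal.sonicwall.com", ["10.20.20.3"],
                            subnets, allowed, LOG_AND_DROP))
```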
1. Expand the Network tree and click Dynamic DNS. The Dynamic DNS page displays.
2. Click Add Dynamic DNS Profile. The Add Dynamic DNS Profile window is displayed.
3. Select the Provider from the pull-down list at the top of the page. This example uses DynDNS.org. Dyndns.org requires the selection of a service. This example assumes you have created a dynamic service record with dyndns.org.
4. Enter a name to assign to the DDNS entry in the Profile Name field. This can be any value used to identify the entry in the Dynamic DNS Settings table.
5. If Enable this profile is checked, the profile is administratively enabled, and the SonicWALL security appliance takes the actions defined in the Online Settings section on the Advanced tab.
6.
7. Enter your dyndns.org username and password in the User Name and Password fields.
8. Enter the fully qualified domain name (FQDN) of the hostname you registered with dyndns.org in the Domain Name field. Make sure you provide the same hostname and domain as you configured.
9. Optionally, select a WAN interface in the Bound to pull-down menu to assign this DDNS profile to that specific WAN interface. This allows administrators who are configuring multiple-WAN load balancing to advertise a predictable IP address to the DDNS service. By default, this is set to ANY, which means the profile is free to use any of the WAN interfaces on the appliance. (The Bound to option is supported for appliances running SonicOS 5.6 and higher.)
10. When using DynDNS.org, select the Service Type from the pull-down list that corresponds
DNS service and a web-based interface. Supports both dynamic and static IP addresses.
MX entry in the Mail Exchanger field. Check Backup MX if your DDNS provider allows for the specification of an alternative IP address for the MX record.
12. Click the Advanced tab. You can typically leave the default settings on this page.
13. The On-line Settings section provides control over what address is registered with the
Let the server detect IP Address - The dynamic DNS provider determines the IP address based upon the source address of the connection. This is the most common setting.
14. The Off-line Settings section controls what IP Address is registered with the dynamic DNS service provider if the dynamic DNS entry is taken off-line locally (disabled) on the SonicWALL. The options are:
15. When you are finished, click Update. The settings are changed for the selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
Expand the Network tree and click Address Objects. The Address Objects page displays.
2.
3. Enter a name for the Address Object Group in the Name field.
4. Select an object or group that will be a part of the Address Object Group and click the right arrow. Repeat for each object or group to add.
5.
Scroll to the bottom of the Address Objects page and click Add New Address Object.
2.
3. Select the zone to which this Address Object will be assigned from the Zone Assignment list box.
4.
To specify an IP address range, select Range from the Type pull-down menu and enter
To specify a network, select Network from the Type pull-down menu and enter the IP
To specify a MAC address, select MAC from the Type pull-down menu and enter the MAC address.
To specify a FQDN, select FQDN from the Type pull-down menu and enter the host
name.
5.
6.
2.
3.
2.
Click on the Trash can icon of the selected address group or object.
Note
IP address/port combinations are dynamic and not preserved for new connections.
For example, the first connection for IP address might use port 2302, but the second
connection might use 2832.
Original Source - used to remap IP addresses based on the source address, this field
specifies an Address Object that can consist of an IP address or IP address range.
Note
Translated Service - specifies the service or port to which the original service will be
remapped.
One-to-One Mapping
To configure one-to-one mapping from the private network to the public network, select the
Address Object that corresponds to the private network IP address in the Original Source field
and the public IP address that it will use to reach the Internet in the Translated Source field.
Leave the other fields alone, unless you want to filter by service or interface.
Note
If you map more than one private IP address to the same public IP address, the private IP
addresses will automatically be configured for port mapping or NAPT.
To configure one-to-one mapping from the public network to the private network, select the
Address Object that corresponds to the public network IP address in the Original Destination
field and the private IP address that it will use to reach the server in the Translated
Destination field. Leave the other fields alone, unless you want to filter by service or interface.
Note
If you map one public IP address to more than one private IP address, the public IP
addresses will be mapped to the first private IP address. Load balancing is not supported.
Additionally, you must set the Original Source to Any.
Many-to-One Mapping
To configure many-to-one mapping from the private network to the public network, select the
Address Object that corresponds to the private network IP addresses in the Original
Source field and the public IP address that it will use to reach the Internet in the Translated
Source field. Leave the other fields alone, unless you want to filter by service or interface.
Note
You can also specify Any in the Original Source field and the Address Object of the LAN
interface in the Translated Source field.
Many-to-Many Mapping
To configure many-to-many mapping from the private network to the public network, select the
Address Object that corresponds to the private network IP addresses in the Original
Source field and the public IP addresses to which they will be mapped in the Translated
Source field. Leave the other fields alone, unless you want to filter by service or interface.
Note
If the IP address range specified in the Original Source is larger than the Translated Source,
the SonicWALL appliance will use port mapping or NAPT. If the Translated Source is equal
to or larger than the Original Source, addresses will be individually mapped.
To configure many-to-many mapping from the public network to the private network, select the
Address Object that corresponds to the public network IP addresses in the Original
Destination field and the IP addresses on the private network in the Translated Destination
field. Leave the other fields alone, unless you want to filter by service or interface.
Note
If the IP address range specified in the Original Destination is smaller than the Translated
Destination, the addresses will be individually mapped to the first translated IP
addresses in the translated range. If the Translated Destination is equal to or smaller than
the Original Destination, addresses will be individually mapped.
Sticky IP - Source IP always connects to the same Destination IP (assuming it is alive). This
method is best for publicly hosted sites requiring connection persistence, such as Web
applications, Web forms, or shopping cart applications. This is the default mechanism, and
is recommended for most deployments.
Round Robin - Source IP cycles through each live load-balanced resource for each
connection. This method is best for equal load distribution when persistence is not required.
Block Remap/Symmetrical Remap - These two methods are useful when you know the
source IP addresses/networks (e.g. when you want to precisely control how traffic from one
subnet is translated to another).
For more information about NAT Load Balancing, see the SonicOS Enhanced 4.0
Administrators Guide.
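As an added illustration (not SonicOS or GMS code), the following Python models two things from this section: the Many-to-Many decision between individual mapping and NAPT based on the sizes of the Original Source and Translated Source objects, and the Sticky IP and Round Robin choice of a live server for a load-balanced inbound policy. The server addresses, client addresses and the hash used for Sticky IP are assumptions made for the example.

```python
import hashlib
import ipaddress
from typing import Dict, List, Optional


def expand(address_object: str) -> List[ipaddress.IPv4Address]:
    """Expand an Address Object given as a host, a CIDR network or an 'a - b' range."""
    if "-" in address_object:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in address_object.split("-"))
        return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    net = ipaddress.IPv4Network(address_object, strict=False)
    # On /30 and larger networks the network and broadcast addresses are not hosts
    return list(net) if net.prefixlen >= 31 else list(net.hosts())


def outbound_translation(original_source: str, translated_source: str) -> Dict[str, object]:
    """Private-to-public policy: choose between individual mapping and NAPT.

    Rule from the Many-to-Many note: an Original Source larger than the
    Translated Source means port mapping (NAPT); a Translated Source that is
    equal or larger means the addresses are mapped one to one, in order.
    """
    orig, trans = expand(original_source), expand(translated_source)
    if len(orig) > len(trans):
        return {"mode": "NAPT", "public_pool": [str(a) for a in trans]}
    return {"mode": "one-to-one",
            "map": {str(o): str(t) for o, t in zip(orig, trans)}}


class InboundLoadBalancer:
    """Server choice for a public-to-private policy whose Translated Destination
    is an Address Group (NAT load balancing). Sticky IP keeps one client on one
    live server; Round Robin cycles through the live servers per connection.
    The hash used for Sticky IP is an illustrative choice, not the appliance's."""

    def __init__(self, servers: List[str], method: str = "sticky") -> None:
        if method not in ("sticky", "round-robin"):
            raise ValueError("method must be 'sticky' or 'round-robin'")
        self.servers = [ipaddress.IPv4Address(s) for s in servers]
        self.method = method
        self.alive = {s: True for s in self.servers}   # maintained by probing
        self._next = 0

    def set_alive(self, server: str, up: bool) -> None:
        """Record a probe verdict for one server of the group."""
        self.alive[ipaddress.IPv4Address(server)] = up

    def pick(self, client_ip: str) -> Optional[str]:
        """Return the private server for this client, or None when none is live."""
        live = [s for s in self.servers if self.alive[s]]
        if not live:
            return None
        if self.method == "round-robin":
            chosen = live[self._next % len(live)]
            self._next += 1
        else:
            # Sticky IP: a deterministic function of the source picks the same
            # live server every time, as long as that server stays alive
            digest = hashlib.sha256(client_ip.encode()).digest()
            chosen = live[int.from_bytes(digest[:4], "big") % len(live)]
        return str(chosen)
```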
Expand the Network tree and click NAT Policies. The NAT Policies page displays.
2.
3.
Original Source - used to remap IP addresses based on the source address, this field
specifies an Address Object that can consist of an IP address or IP address
range.
5.
6.
If you selected an Address Group Object for any of the pull-down lists on the General tab,
you can make changes on the Advanced tab. Click the Advanced tab.
7.
Select the NAT method from the NAT Method pull-down list.
For information on the available methods, see NAT Load Balancing Methods on
page 237.
8.
Optionally select the Enable Probing checkbox and make desired changes to the following
fields:
Probe host every ... seconds - indicates how often to probe the addresses in the
load-balancing group
Probe Type - specifies to use either Ping (ICMP) or TCP (checks that a socket is
Port - specifies the port that the probe will use, such as TCP port 80 for a Web server
Reply time out - specifies the number of seconds to wait for a reply to the probe
Deactivate host after ... missed intervals - specifies the number of reply time outs
received before deciding that the host is available for load balancing again
9.
When you are finished, click Update. The policy is added and you are returned to the NAT
Policies screen.
Setting up a Web proxy server on a network can be cumbersome, because each computer on
the network must be configured to direct Web requests to the server.
If there is a proxy server on the SonicWALL appliance's network, you can move the SonicWALL
appliance between the network and the proxy server, and enable Web Proxy Forwarding. This
will forward all WAN requests to the proxy server without requiring the computers to be
individually configured.
To configure Web Proxy Forwarding settings, perform the following steps:
1.
Expand the Network tree and click Web Proxy. The Web Proxy page displays.
2.
Enter the name or IP address of the proxy server in the Proxy Web Server field.
3.
Enter the proxy IP port in the Proxy Web Server Port field.
4.
To bypass the Proxy Server if a failure occurs, select the Bypass Proxy Servers Upon
Proxy Server Failure check box.
5.
If you have clients configured on the DMZ, select the Forward DMZ Client Requests to
Proxy Server check box.
6.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Expand the Network tree and click Routing. The Routing page displays.
2.
3.
Select the source address object from the Source list box.
4.
Select the destination address object from the Destination list box.
5.
Specify the type of service that will be routed from the Service list box.
6.
Select the address object that will act as a gateway for packets matching these settings.
7.
Select the interface through which these packets will be routed from the Interface list box.
8.
9.
10. For appliances running SonicOS Enhanced 4.0 and above, optionally select the Disable
11. For appliances running SonicOS Enhanced 4.0 and above, select the Allow VPN path to
take precedence checkbox to allow a matching VPN network to take precedence over the
static route when the VPN tunnel is up.
12. When you are finished, click Update. The route settings are configured for the selected
SonicWALL appliance(s). To clear all screen settings and start over, click Reset.
In the Probe pull-down menu select the appropriate Network Monitor object or select
Create New Network Monitor object... to dynamically create a new object. For more
information, see Configuring Network Monitor on page 256.
2.
Typical configurations will not check the Disable route when probe succeeds checkbox,
because typically administrators will want to disable a route when a probe to the route's
destination fails. This option is provided to give administrators added flexibility for defining
routes and probes.
3.
Select the Probe default state is UP to have the route consider the probe to be successful
(i.e. in the UP state) when the attached Network Monitor policy is in the UNKNOWN
state. This is useful to control the probe-based behavior when a unit of a High Availability
pair transitions from IDLE to ACTIVE, because this transition sets all Network Monitor
policy states to UNKNOWN.
4.
Expand the Network tree and click RIP (ENH). The RIP (ENH) page displays.
2.
3.
Select the RIP version from the RIP Advertisements list box:
RIPv1 Enabled - first version of RIP.
RIPv2 Enabled (multicast) - sends route advertisements using multicasting (a single
4.
In the Advertise Default Route menu, select Never, or When WAN is up, or Always.
5.
To advertise static routes that you specified on the Routes page, select the Advertise
Static Routes check box.
6.
To advertise remote VPN networks that you specified on the Routes page, select the
Advertise Remote VPN Networks check box.
7.
To set the amount of time between a VPN tunnel state change and the time the change is
advertised, enter a value in the Route Change Damp Time field (default: 30 seconds).
8.
To specify the number of advertisements that are sent after a route is deleted, enter a value
in the Deleted Route Advertisements field (default: 5 advertisements).
9.
By default, the connection between this router and its neighbor counts as one hop.
However, there are cases where you want to discourage or reduce the use of this route by
adding additional hops. To change the hop count of this route, enter the number of hops in
the Route Metric field.
10. Optional. If RIPv2 is selected from the Route Advertisements list box, you can enter a
value for the Route Tag. This value is implementation-dependent and provides a
mechanism for routers to classify the originators of RIPv2 advertisements.
Password field.
MD5 Digest - Enter a numerical value from 0-255 in the Authentication Key-Id field.
Enter a 32 hex digit value for the Authentication Key field, or use the generated key.
12. When you are finished, click Update. The settings are changed for the SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Note
IP Address Borrowed From - The interface whose IP address is used as the source IP
address for the Tunnel Interface.
Remote IP Address - The IP address of the remote peer to which the Tunnel Interface is
connected. In the case of a SonicWALL-to-SonicWALL configuration with another Tunnel
Interface, this should be the IP address of the borrowed interface of the Tunnel Interface
on the remote peer.
The IP Address Borrowed From and Remote IP Address values apply to both RIP for the
Tunnel Interface.
Tip
SonicWALL recommends creating a VLAN interface that is dedicated solely for use as the
borrowed interface. This avoids conflicts when using wired connected interfaces.
The IP address of the borrowed interface should be from a private address space, and
should have a unique IP address in respect to any remote Tunnel Interface endpoints.
The Remote IP Address of the endpoint of the Tunnel Interface should be in the same
network subnet as the borrowed interface.
The same borrowed interface may be used for multiple Tunnel Interfaces, provided that the
Tunnel interfaces are all connected to different remote devices.
When more than one Tunnel Interface on an appliance is connected to the same remote
device, each Tunnel Interface must use a unique borrowed interface.
Depending on the specific circumstances of your network configuration, these guidelines may
not be essential to ensure that the Tunnel Interface functions properly. But these guidelines are
SonicWALL best practices that will avoid potential network connectivity issues.
Configuring IP Helper
The IP Helper allows the SonicWALL to forward DHCP requests originating from the interfaces
on a SonicWALL to a centralized DHCP server on the behalf of the requesting client. IP Helper
is used extensively in routed VLAN environments where a DHCP server is not available for
each interface, or where the layer 3 routing mechanism is not capable of acting as a DHCP
server itself. The IP Helper also allows NetBIOS broadcasts to be forwarded with DHCP client
requests.
Note
Expand the Network tree and click IP Helper. The IP Helper page displays.
2.
3.
4.
To enable any of these protocols, select the Enable checkbox and click Update.
To configure additional protocols, perform the following steps:
1.
Click Add Relay Protocol. The Add IP Helper Application window displays.
2.
Name - The name of the protocol. Note that these are case sensitive and must be unique.
Raw Mode - Unidirectional forwarding that does not create an IP Helper cache. This is
suitable for most of the user-defined protocols that are used for discovery, for example
WOL/mDNS.
3.
Click Update.
To add an IP Helper Policy, click Add IP Helper Policy. The Add IP Helper dialog box
displays.
2.
The policy is enabled by default. To configure the policy without enabling it, clear the
Enabled check box.
3.
4.
5.
6.
7.
8.
Repeat this procedure for each policy to add. To delete a policy, click the trash can icon
next to the policy.
9.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Configuring ARP
ARP (Address Resolution Protocol) maps layer 3 (IP addresses) to layer 2 (physical or MAC
addresses) to enable communications between hosts residing on the same subnet. ARP is a
broadcast protocol that can create excessive amounts of network traffic on your network. To
minimize the broadcast traffic, an ARP cache is maintained to store and reuse previously
learned ARP information.
Expand the Network tree and click ARP. The ARP page displays.
Publish Entry - Enabling the Publish Entry option in the Add Static ARP window causes
the SonicWALL device to respond to ARP queries for the specified IP address with the
specified MAC address. This can be used, for example, to have the SonicWALL device
reply for a secondary IP address on a particular interface by adding the MAC address of
the SonicWALL. See the Secondary Subnet section that follows.
Bind MAC Address - Enabling the Bind MAC Address option in the Add Static ARP
window binds the MAC address specified to the designated IP address and interface. This
can be used to ensure that a particular workstation (as recognized by the network card's
unique MAC address) can only be used on a specified interface on the SonicWALL. Once
the MAC address is bound to an interface, the SonicWALL will not respond to that MAC
address on any other interface. It will also remove any dynamically cached references to
that MAC address that might have been present, and it will prohibit additional (non-unique)
static mappings of that MAC address.
Add a 'published' static ARP entry for the gateway address that will be used for the
secondary subnet, assigning it the MAC address of the SonicWALL interface to which it will
be connected.
2.
Add a static route for that subnet, so that the SonicWALL regards it as valid traffic, and
knows to which interface to route that subnet's traffic.
3.
Add Access Rules to allow traffic destined for that subnet to traverse the correct network
interface.
4.
Optional: Add a static route on upstream device(s) so that they know which gateway IP to
use to reach the secondary subnet.
Configuring SwitchPorts
The SwitchPorts page allows you to manage the assignments of ports to PortShield interfaces.
A PortShield interface is a virtual interface with a set of ports assigned to it. To configure a
SwitchPort, perform the following steps:
1.
Expand the Network tree and click SwitchPorts. The SwitchPorts page displays.
2.
Click the Edit icon ( ) for the SwitchPort you want to configure. The SwitchPort
Configuration window displays.
3. Click on the Port Enable list box and click on either the Enable or Disable option to either
activate or deactivate the interfaces in the PortShield interface group.
4.
Click on the PortShield interface list box and click on the PortShield interface you created
in the previous procedure.
5.
Click on the Link Speed list box and click on a throughput speed you want to assign the
interface. The choices are:
Auto negotiate
100Mbps Full Duplex
100 Mbps Half Duplex
10 Mbps Full Duplex
10 Mbps Half Duplex
Note
Do not change this setting from the default of Auto negotiate unless your system requires
you to do so. Also, note that for any setting involving the Full Duplex feature to work properly,
be sure to configure Full Duplex on both ends of the link. By not having Full Duplex
configured on both ends, a duplex mismatch occurs, causing throughput loss.
6.
Click on the Rate Limit option and select a value. The rate limit value enables you to
throttle traffic coming into the switch. Remember, these values apply to inbound traffic only.
7.
Click Ok. Wait for a few seconds. The system then will incorporate the changes you made
to the PortShield interface Group and add it back to the switch ports list.
Note
1.
2.
Click on the Configure icon for the interface you want to assign to a PortShield group. The
Edit Switch Port window displays.
3.
In the Port Enabled pull-down menu, select whether you want to enable or disable the
interface.
4.
In the PortShield Interface pull-down menu, select which interface you want to assign as
the master interface for the PortShield interface.
5.
In the Link Speed pull-down menu, select the link speed for the interfaces.
6.
Click OK.
The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so
egress packets (packets exiting the network) are not spoofed by a bad device or by unwanted
ARP packets. This prevents a firewall from routing a packet to the unintended device, based on
mapping. This also prevents man-in-the-middle attacks by refreshing a client's own MAC
address inside its ARP cache.
The following sections describe how to configure MAC-IP Anti-Spoof:
Interface Settings on page 252
Interface Settings
To edit MAC-IP Anti-Spoof settings within the Network Security Appliance management interface,
To configure settings for a particular interface, click the pencil icon in the Configure column for the
desired interface. The Settings window is displayed for the selected interface.
In this window, the following settings can be enabled or disabled by clicking on the corresponding
checkbox. Once your setting selections for this interface are complete, click OK. The following
options are available:
Enable: To enable the MAC-IP Anti-Spoof subsystem on traffic through this interface
Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries
DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the
SonicWALL DHCP server
DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases, from the
DHCP relay, based on IP Helper.
ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This
applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and
adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP
poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.
ARP Watch: Enables generation of unsolicited unicast ARP responses towards the clients
machine for every MAC-IP cache entry on the interface. This process helps prevent
man-in-the-middle attacks.
Enforce: Enables ingress control on the interface, blocking traffic from devices not listed
in the MAC-IP Anti-Spoof cache.
Spoof Detection: Logs all devices that fail to pass Anti-spoof cache and lists them in the
Spoof Detected List.
Allow Management: Allows through all packets destined for the appliance's IP address,
even if coming from devices currently not listed in the Anti-Spoof cache.
Once the settings have been adjusted, the interface listing will be updated on the MAC-IP
Anti-Spoof panel. The green circle with white check mark icons denote which settings have been
enabled.
Note
The following interfaces are excluded from the MAC-IP Anti-Spoof list: Non-ethernet
interfaces, port-shield member interfaces, Layer 2 bridge pair interfaces, high availability
interfaces, and high availability data interfaces.
Anti-Spoof Cache
The MAC-IP Anti-Spoof Cache lists all the devices presently listed as authorized to access
the network, and all devices marked as blacklisted (denied access) from the network. To add
a device to the list, perform the following tasks:
1.
2.
3.
Enter the MAC addresses for the device. Enter the information in the provided fields.
4.
Check the a router setting to allow traffic coming from behind this device.
5.
Check the a blacklisted device setting to block packets from this device, irrespective of its
IP address.
6.
Click OK.
If you need to edit a static Anti-Spoof cache entry, click the pencil icon, under the Configure
column, on the same line.
Single, or multiple, static anti-spoof cache entries can be deleted. To do this, select the delete
checkbox next to each entry, then click the Delete Anti-Spoof Cache(s) button.
To clear cache statistics, select the desired devices, then click Clear Stats.
Some packet types are bypassed even though the MAC-IP Anti-Spoof feature is enabled:
1) Non-IP packets, 2) DHCP packets with source IP as 0, 3) Packets from a VPN tunnel,
4) Packets with invalid unicast IPs as their source IPs, and 5) Packets from interfaces where the
Management status is not enabled under anti-spoof settings.
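The following Python is an added model of the per-interface decisions described in this section (it is not SonicOS or GMS code): the cache is built from static ARP entries and DHCP leases, Enforce blocks ingress from devices not in the cache, Spoof Detection records them, Allow Management passes packets addressed to the appliance, blacklisted devices are dropped regardless of IP, and the five bypassed packet types skip the check. The interface name, MAC and IP addresses are constructed sample values, and item 5 of the bypass list is read as the interface's Enable setting being off, which is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    """One ingress frame as seen on an interface (constructed sample data)."""
    interface: str
    src_mac: str
    src_ip: Optional[str]            # None for a non-IP frame
    dst_ip: Optional[str] = None
    is_dhcp: bool = False
    from_vpn_tunnel: bool = False


@dataclass
class InterfaceSettings:
    """The per-interface checkboxes from the MAC-IP Anti-Spoof Settings window."""
    enable: bool = True
    enforce: bool = True
    spoof_detection: bool = True
    allow_management: bool = True
    appliance_ip: str = "192.168.1.1"   # constructed address of this interface


class AntiSpoofCache:
    def __init__(self) -> None:
        self._entries: Dict[str, Dict[str, str]] = {}   # interface -> {ip: mac}
        self.blacklist: Set[str] = set()                 # MACs denied on any IP
        self.spoof_detected: List[Packet] = []           # the Spoof Detected List

    def learn(self, interface: str, ip: str, mac: str, source: str) -> None:
        """Add a MAC-IP entry from a static ARP entry or an active DHCP lease."""
        if source not in ("static_arp", "dhcp_server", "dhcp_relay"):
            raise ValueError("unknown cache source")
        self._entries.setdefault(interface, {})[ip] = mac.lower()

    @staticmethod
    def _bypassed(pkt: Packet) -> bool:
        """The packet types the page lists as exempt from the anti-spoof check."""
        if pkt.src_ip is None:                          # 1) non-IP packet
            return True
        if pkt.is_dhcp and pkt.src_ip == "0.0.0.0":     # 2) DHCP with source IP 0
            return True
        if pkt.from_vpn_tunnel:                         # 3) arrived via a VPN tunnel
            return True
        try:
            src = ipaddress.IPv4Address(pkt.src_ip)
        except ValueError:
            return True                                 # 4) not a valid unicast IP
        return (src.is_multicast or src.is_unspecified
                or src == ipaddress.IPv4Address("255.255.255.255"))

    def check(self, pkt: Packet, cfg: InterfaceSettings) -> str:
        """Return 'bypass', 'allow' or 'block' for one ingress packet."""
        if not cfg.enable or self._bypassed(pkt):       # 5) feature off on interface
            return "bypass"
        mac = pkt.src_mac.lower()
        if mac in self.blacklist:                       # denied irrespective of IP
            return "block"
        if self._entries.get(pkt.interface, {}).get(pkt.src_ip) == mac:
            return "allow"                              # known MAC-IP pairing
        if cfg.spoof_detection:
            self.spoof_detected.append(pkt)             # logged for the operator
        if cfg.allow_management and pkt.dst_ip == cfg.appliance_ip:
            return "allow"                              # management traffic passes
        return "block" if cfg.enforce else "allow"      # Enforce = ingress control
```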
The Anti-Spoof Cache Search section provides the ability to search the entries in the cache.
To search the MAC-IP Anti-Spoof Cache, perform the following steps:
1.
In the search pull-down menu, select whether you want to search by IP address or
Interface.
2.
Select what type of search: Equals, Starts with, Ends with, or Contains.
3.
4.
Click Search. Matching entries in the MAC-IP Anti-Spoof cache will be displayed.
To add an entry to the static anti-spoof list, click on the pencil icon under the Add column for
the desired device. An alert message window will open, asking if you wish to add this static
entry. Click OK to proceed.
Entries can be flushed from the list by clicking the Flush button. The name of each device can
also be resolved using NetBIOS, by clicking the Resolve button.
To add a network monitor policy on the SonicWALL security appliance, perform these steps:
1.
From the Network > Network Monitor page, click the Add button. The Add Network
Monitor Policy window is displayed.
2.
Probe Target - Select the Address Object or Address Group to be the target of the policy.
Address Objects may be Host, Group, Range, or FQDN objects. Objects within a Group
object may be Host, Range, or FQDN Address Objects. You can dynamically create a new
address object by selecting Create New Address Object.
Probe Type - Select the appropriate type of probe for the network monitor policy:
Ping (ICMP) - This probe uses the route table to find the egress interface and next-hop
for the defined probe targets. A Ping echo-request is sent out the egress interface with
the source IP address of the egress interface. An echo response must return on the
same interface within the specified Response Timeout time limit for the ping to be
counted as successful.
TCP - This probe uses the route table to find the egress interface and next-hop for the
defined probe targets. A TCP SYN packet is sent to the probe target with the source IP
address of the egress interface. A successful response will be counted independently
for each probe target when the target responds with either a SYN/ACK or RST via the
same interface within the Response Timeout time window. When a SYN/ACK is
received, a RST is sent to close the connection. If a RST is received, no response is
returned.
Ping (ICMP) - Explicit Route - This probe bypasses the route table and uses the
source IP address of the interface specified in the Outbound Interface pull-down menu
to send a Ping to the targets. If a Next Hop Gateway is not specified, the probe assumes
that the targets are directly connected to the Outbound Interface's network.
TCP - Explicit Route - This probe bypasses the route table and uses the source IP
address of the interface specified in the Outbound Interface pull-down menu to send a
TCP SYN packet to the targets. If a Next Hop Gateway is not specified, the probe
assumes that the targets are directly connected to the Outbound Interface's network.
When a SYN/ACK is received, a RST is sent to close the connection. If a RST is
received, no response is returned.
Next Hop Gateway - Manually specifies the next hop that is used from the outbound
interface to reach the probe target. This option must be configured for Explicit Route
policies. For non-Explicit Route policies, the probe uses the appliance's route table to
determine the egress interface to reach the probe target. If a Next Hop Gateway is not
specified, the probe assumes that the targets are directly connected to the Outbound
Interface's network.
Outbound Interface - Manually specifies which interface is used to send the probe. This
option must be configured for Explicit Route policies. For non-Explicit Route policies, the
probe uses the appliance's route table to determine the egress interface to reach the probe
target.
Port - Specifies the destination port of target hosts for TCP probes. A port is not specified
for Ping probes.
3.
Optionally, you can adjust the following thresholds for the probes:
Probe hosts every - The number of seconds between each probe. This number cannot be
less than the Reply time out field.
Reply time out - The number of seconds the Network Monitor waits for a response for each
individual probe before a missed probe will be counted for the specific probe target. The
Reply time out cannot exceed the Probe hosts every field.
Probe state is set to DOWN after - The number of consecutive missed probes that triggers
a host state transition to DOWN.
Probe state is set to UP after - The number of consecutive successful probes that triggers
a host state transition to UP.
All Hosts Must Respond - Selecting this checkbox specifies that all of the probe target
Host States must be UP before the Policy State can transition to UP. If not checked, the
Policy State is set to UP when any of the Host States are UP.
4.
Optionally, you can enter a descriptive comment about the policy in the Comment field.
5.
Click Update to submit the Network Monitor policy. Then click Update on the Network >
Network Monitor page.
When configuring a static route, you can optionally configure a Network Monitor policy for the
route. When a Network Monitor policy is used, the static route is dynamically disabled or
enabled, based on the state of the probe for the policy. For more information, see
Probe-Enabled Policy Based Routing Configuration on page 241.
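The following Python is an added model (not SonicOS or GMS code) of the threshold logic described above and of the probe-enabled route options from the Routing page: per-target runs of missed or successful probes drive the Host States, the Host States roll up into the Policy State according to All Hosts Must Respond, and a static route is then enabled or disabled from that state, honouring Disable route when probe succeeds and Probe default state is UP. The target addresses are constructed, and the treatment of a policy whose hosts are partly UNKNOWN (UNKNOWN unless some host is DOWN) is an assumption, since the page only defines the UP transition.

```python
from typing import Dict, List

UNKNOWN, UP, DOWN = "UNKNOWN", "UP", "DOWN"


class NetworkMonitorPolicy:
    """Threshold logic of one Network Monitor policy (illustrative model)."""

    def __init__(self, targets: List[str], probe_every: int = 3, reply_timeout: int = 1,
                 down_after: int = 3, up_after: int = 3,
                 all_hosts_must_respond: bool = False) -> None:
        # Page constraint: Reply time out cannot exceed Probe hosts every.
        if reply_timeout > probe_every:
            raise ValueError("Reply time out cannot exceed Probe hosts every")
        self.probe_every, self.reply_timeout = probe_every, reply_timeout
        self.down_after, self.up_after = down_after, up_after
        self.all_hosts_must_respond = all_hosts_must_respond
        # Every Host State starts UNKNOWN, as after an HA IDLE-to-ACTIVE transition.
        self.host_state: Dict[str, str] = {t: UNKNOWN for t in targets}
        self._misses: Dict[str, int] = {t: 0 for t in targets}
        self._hits: Dict[str, int] = {t: 0 for t in targets}

    def record(self, target: str, responded: bool) -> str:
        """Feed one probe result; only consecutive misses or replies count."""
        if responded:
            self._hits[target] += 1
            self._misses[target] = 0
            if self._hits[target] >= self.up_after:
                self.host_state[target] = UP
        else:
            self._misses[target] += 1
            self._hits[target] = 0
            if self._misses[target] >= self.down_after:
                self.host_state[target] = DOWN
        return self.host_state[target]

    def policy_state(self) -> str:
        """Roll the Host States up into the Policy State."""
        states = list(self.host_state.values())
        if self.all_hosts_must_respond:
            if all(s == UP for s in states):
                return UP
            # Assumption: any DOWN host pulls the policy DOWN, otherwise UNKNOWN
            return DOWN if DOWN in states else UNKNOWN
        if UP in states:
            return UP
        return DOWN if all(s == DOWN for s in states) else UNKNOWN


def route_enabled(policy_state: str, disable_when_probe_succeeds: bool = False,
                  probe_default_state_is_up: bool = False) -> bool:
    """Apply the probe options of a static route to the policy's state.

    Normally the route is enabled while the probe is UP and disabled when it
    fails; Disable route when probe succeeds inverts that. Probe default state
    is UP treats an UNKNOWN policy (e.g. right after an HA transition) as UP.
    """
    if policy_state == UNKNOWN:
        effective = UP if probe_default_state_is_up else DOWN
    else:
        effective = policy_state
    probe_ok = effective == UP
    return (not probe_ok) if disable_when_probe_succeeds else probe_ok
```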
LAN Settings for all Network Addressing Modes section on page 258
Then configure the settings for the appropriate network addressing mode:
Note
Making changes to this page causes the SonicWALL appliance to restart automatically. We
recommend scheduling the tasks to run when network activity is low.
Enter the IP address assigned to the LAN interface in the SonicWALL LAN IP Address field
and the subnet the IP address belongs to in the LAN Subnet Mask field.
2.
To add an additional subnet, enter the IP address and subnet in the Network Gateway and
Subnet Mask fields and click Add Subnet.
3.
Enter the IP address of the router that provides Internet access to SonicWALL appliance in
the WAN Gateway (Router) Address field.
The SonicWALL WAN IP Address and WAN Subnet Mask are automatically set to the
SonicWALL LAN IP Address and LAN Subnet Mask, respectively.
Standard Mode
When you select Standard Mode (also known as Transparent Mode), Network Address
Translation (NAT) is disabled. All nodes on the LAN or WorkPort that will access or be accessed
from the Internet must use valid, Internet-accessible IP addresses.
To configure a SonicWALL appliance for standard network addressing, perform the following
steps:
Note
1.
On the Network > Settings page, select Standard from the Network Addressing Mode area.
2.
Configure the LAN Settings as described in the LAN Settings for all Network Addressing
Modes section on page 258.
3.
Enter the IP addresses of the DNS servers in the DNS Server 1-3 fields.
SonicWALL appliances require the IP address of at least one DNS server to function
properly.
4.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
NAT-Enabled Mode
NAT provides anonymity to machines on the LAN or WorkPort by connecting the entire network
to the Internet using a single IP address. This provides security to the internal machines by
hiding them from the outside world and conserves IP addresses.
When using NAT, we recommend using internal network IP addresses from a special range.
The following IP address ranges are reserved for private IP networks and are not routed on the
Internet:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
If your network uses IP addresses that are not registered to your organization and are not within
the private IP address ranges, the servers on the Internet to which those IP addresses belong
will not be accessible from your network. For example, if an IP address on your network is
185.5.20.105 and it is not registered to your organization, the server that uses that IP address
on the Internet will not be accessible from your network.
Note
If you choose to use NAT, but need to make some machines available to the outside world,
use One-to-One NAT. One-to-One NAT maps external IP addresses to private IP addresses.
For more information, refer to the Configuring One-to-One NAT section on page 270.
To configure a SonicWALL appliance for NAT, perform the following steps:
1.
On the Network > Settings page, select NAT Enabled from the Network Addressing Mode
area.
2.
Configure the LAN Settings as described in the LAN Settings for all Network Addressing
Modes section on page 258.
3.
Internet. All activity on the Internet will appear to originate from this address. This IP
address must be valid and is generally supplied by your Internet Service Provider (ISP).
WAN Gateway (Router) Address - Address of the router that attaches the LAN to the
Internet.
WAN Subnet Mask - Determines the subnet to which the public IP address belongs.
4.
Note
SonicWALL appliances require the IP address of at least one DNS server to function
properly.
5.
Enter the IP addresses of the DNS servers in the DNS Server 1-3 fields.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
On the Network > Settings page, select NAT with DHCP Client from the Network
Addressing Mode area.
2.
Configure the LAN Settings as described in the LAN Settings for all Network Addressing
Modes section on page 258.
3.
The WAN settings and the DNS server IP addresses are automatically provided by the
DHCP server of the service provider. You do not need to configure any parameters in the
WAN Settings area.
4.
In the Other Settings area, enter the name of the DHCP server in the Host Name field.
5.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note
When this mode is selected, the SonicWALL LAN IP Address is used as the gateway
address for computers on the LAN or WorkPort.
To configure a SonicWALL appliance for NAT with PPPoE, perform the following steps:
1.
On the Network > Settings page, select NAT with PPPoE Client from the Network
Addressing Mode area.
2.
Configure the LAN Settings as described in the LAN Settings for all Network Addressing
Modes section on page 258.
3.
case-sensitive.
4.
To specify how long the SonicWALL appliance waits before disconnecting from the Internet,
select the Disconnect after minutes of inactivity checkbox and enter the amount of time
in the inactivity field.
5.
6.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Note
When this mode is selected, the SonicWALL LAN (WorkPort) IP Address is used as the
gateway address for computers on the LAN or WorkPort.
To configure a SonicWALL appliance for NAT with L2TP, perform the following steps:
1.
On the Network > Settings page, select NAT with L2TP Client from the Network
Addressing Mode area.
2.
Configure the LAN Settings as described in the LAN Settings for all Network Addressing
Modes section on page 258.
3.
To configure the SonicWALL appliance to use fixed settings, select Use the specified
WAN Gateway (Router) Address: Address of the router that attaches the LAN to
the Internet.
4.
Enter the IP address of the DNS server in the DNS Server 1 field.
5.
case-sensitive.
6.
To specify how long the SonicWALL appliance waits before disconnecting from the Internet,
select the Disconnect after minutes of inactivity checkbox and enter the amount of time
in the inactivity field.
7.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
To configure a SonicWALL appliance for NAT with PPTP, perform the following steps:
1.
On the Network > Settings page, select NAT with PPTP Client from the Network
Addressing Mode area.
2.
Configure the LAN Settings as described in the LAN Settings for all Network Addressing
Modes section on page 258.
3.
To configure the SonicWALL appliance to use fixed settings, select Use the specified
WAN Gateway (Router) Address: Address of the router that attaches the LAN to
the Internet.
4.
Enter the IP address of the DNS server in the DNS Server 1 field.
5.
User Password: Password used to authenticate the username with the ISP. This field
is case-sensitive.
6.
To specify how long the SonicWALL appliance waits before disconnecting from the Internet,
select the Disconnect after minutes of inactivity checkbox and enter the amount of time
in the inactivity field.
7.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Dynamic DNS forwarding settings are identical in SonicOS Standard and Enhanced. For
configuration information, refer to the Configuring Dynamic DNS section on page 230 in
the SonicOS Enhanced section of this chapter.
Web proxy forwarding settings are identical in SonicOS Standard and Enhanced. For
configuration information, refer to the Configuring Web Proxy Forwarding Settings section
on page 239 in the SonicOS Enhanced section of this chapter.
Note
Devices connected to the WAN port do not have firewall or content filter protection. To
protect these units, install another SonicWALL appliance between the Internet and devices
connected to the WAN port of the other SonicWALL appliance.
Although the systems on the WAN and LAN links are separated, they are still on the same
subnet. Consequently, you must make the systems on the larger network aware of the
systems on the smaller network. To do this, perform the following steps:
1.
Expand the Network tree and click Intranet. The Intranet page displays.
2.
Enter the IP address or IP address range of a system or group of systems on the smaller
network:
To enter a single IP address, enter the IP address in the Addr Range Begin field.
To enter a range of IP addresses, enter the starting IP address in the Addr Range
Begin field and the ending IP address in the Addr Range End field.
4.
Repeat Step 3. for each IP address or IP address range on the smaller network.
5.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
6.
To define which services can be accessed from outside the restricted network segment,
refer to the Configuring Firewall Settings in SonicOS Standard section on page 300.
To add static routes, perform the following steps:
1.
Expand the Network tree and click Routing. The Routing page displays.
2.
Select whether the router is connected to the LAN (WorkPort), WAN, or OPT interface from
the Link list box.
3.
Enter the destination network IP addresses in the Destination Network and Subnet Mask
fields.
4.
5.
Click Add Route. Repeat Step 2. through Step 4. for each route that you want to add.
6.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
To configure RIP, perform the following steps:
1.
Expand the Network tree and click RIP. The RIP page displays.
2.
Select the RIP version from the RIP Advertisements list box:
3.
To advertise static routes that you specified on the Routing page, select the Advertise
Static Routes check box.
4.
To set the amount of time between a VPN tunnel state change and the time the change is
advertised, enter a value in the Route Change Damp Time field (default: 30 seconds).
5.
To specify the number of advertisements that are sent after a route is deleted, enter a value
in the Deleted Route Advertisements field (default: 5 advertisements).
6.
By default, the connection between this router and its neighbor counts as one hop.
However, there are cases where you want to discourage or reduce the use of this route by
adding additional hops. To change the hop count of this route, enter the number of hops in
the Route Metric field.
7.
Optional. If RIPv2 is selected from the Route Advertisements list box, you can enter a value
in the RIPv2 Route Tag field. This value is implementation-dependent and provides a
mechanism for routers to classify the originators of RIPv2 advertisements.
8.
Password field.
MD5 Digest: Enter a numerical value from 0-255 in the Authentication Key-Id field.
Enter a 32 hex digit value for the Authentication Key field, or use the generated key.
9.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note
Some newer SonicWALL appliances have one or more OPT ports that can be configured as
a DMZ port. For more information, refer to the Overview of Interfaces section on page 207.
Each server on the DMZ port or HomePort requires a unique, publishable Internet IP address.
The ISP that provides your Internet connection should be able to provide these addresses.
To configure DMZ or HomePort addresses, perform the following steps:
1.
Expand the Network tree and click DMZ Addresses or HomePort Addresses.
2.
3.
Then, enter the starting IP address in the Addr Range Begin field, the ending IP
address in the Addr Range End field, and click Add Range. Repeat this step for each
range of IP addresses.
To enter a single IP address, enter the IP address in the Addr Range Begin field.
If the devices on the DMZ or HomePort will use NAT, select OPT in NAT Mode and do
the following:
4.
Enter the private internal IP address assigned to the DMZ or HomePort interface in
the OPT Private Address field.
Assign a subnet mask in the DMZ or HomePort Subnet Mask field. The LAN
(WorkPort) and OPT can have the same subnet mask, but the subnets must be
different. For instance, the LAN subnet can be 192.168.0.1 with a subnet mask of
255.255.255.0, and the DMZ subnet can be 172.16.18.1 with a subnet mask of
255.255.255.0.
To define a DMZ or HomePort public IP address that will be used to access devices
on the DMZ interface, enter an IP address in the OPT NAT Many to One Public
Address field (Optional).
5.
6.
7.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
LAN Address       WAN Address                   Accessed Via
192.168.168.1     209.19.28.16
192.168.168.2     209.19.28.17                  209.19.28.17
192.168.168.3     209.19.28.18                  209.19.28.18
[...]             [...]                         [...]
192.168.168.16    209.19.28.31                  209.19.28.31
192.168.168.16    No corresponding IP address   No corresponding IP address
[...]             [...]                         [...]
192.168.168.16    No corresponding IP address   No corresponding IP address
To configure One-to-One NAT, perform the following steps:
1.
Expand the Network tree and click One-to-One NAT. The One-to-One NAT page displays.
2.
3.
Enter the first IP address of the internal IP address range in the Private Range Begin field.
4.
Enter the first corresponding external IP address in the Public Range Begin field.
5.
Enter the number of IP addresses in the range in the Range Length field.
6.
7.
To add additional IP address ranges, repeat Step 3. through 6. for each range. When you
are finished, click Update. The settings are changed for each selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
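The following Python example is added here for illustration; it is not part of the SonicWALL GMS guide and not code from the appliance. It expands the three One-to-One NAT fields (Private Range Begin, Public Range Begin, Range Length) into the LAN Address / WAN Address / Accessed Via mapping shown in the table above, and it checks the inside addresses against the three reserved private ranges listed at the start of this section, refusing a public range that would itself be private. The range values (15 addresses from 192.168.168.2 mapped to 209.19.28.17 onward) are read off the table; 185.5.20.105 is the unregistered address used as an example earlier. Function names are the example's own.

```python
from ipaddress import IPv4Address, IPv4Network

# The three reserved private ranges listed at the start of this section (RFC 1918).
PRIVATE_RANGES = (
    IPv4Network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    IPv4Network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    IPv4Network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
)


def is_private(addr):
    """True if addr falls inside one of the reserved private ranges."""
    a = IPv4Address(addr)
    return any(a in net for net in PRIVATE_RANGES)


def one_to_one_nat_table(private_begin, public_begin, range_length):
    """Expand Private Range Begin, Public Range Begin and Range Length into a
    LAN Address -> WAN Address mapping.

    The checks mirror the guidance above: inside addresses should come from a
    private range, and the public side must never be a private address, since
    Internet hosts holding such an address would become unreachable.
    """
    if range_length < 1:
        raise ValueError("Range Length must be at least 1")
    priv = IPv4Address(private_begin)
    pub = IPv4Address(public_begin)
    table = {}
    for i in range(range_length):
        lan, wan = priv + i, pub + i   # IPv4Address raises if the range runs off the address space
        if not is_private(lan):
            raise ValueError(f"{lan} is not in a reserved private range")
        if is_private(wan):
            raise ValueError(f"public address {wan} is a private address")
        table[str(lan)] = str(wan)
    return table


def accessed_via(table, lan_addr):
    """The 'Accessed Via' column: the public address that reaches a LAN host,
    or the note the table above uses for hosts without a mapping."""
    return table.get(str(IPv4Address(lan_addr)), "No corresponding IP address")


if __name__ == "__main__":
    # Values read off the table above (constructed input, not appliance output).
    mapping = one_to_one_nat_table("192.168.168.2", "209.19.28.17", 15)
    for lan in ("192.168.168.2", "192.168.168.16", "192.168.168.17"):
        print(f"{lan:16} accessed via {accessed_via(mapping, lan)}")
```

Running the module prints the two mapped hosts and the "No corresponding IP address" result for 192.168.168.17, the first address past the configured Range Length.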
To configure Ethernet settings, perform the following steps:
1.
Expand the Network tree and click Ethernet. The Ethernet page displays.
2.
Negotiate.
To specify WAN link settings, select Force and select the speed and duplex settings.
3.
Negotiate.
To specify OPT link settings, select Force and select the speed and duplex settings.
4.
Negotiate.
To specify LAN link settings, select Force and select the speed and duplex settings.
5.
If you are managing the Ethernet connection from the LAN (WorkPort) side of your network,
select the Proxy Management Workstation Ethernet Address on WAN check box. The
SonicWALL appliance will take the Ethernet address of the computer that is managing the
SonicWALL appliance and will proxy the address on the WAN port of the SonicWALL. If you
are not managing the SonicWALL appliance from the LAN side of your network, the
firmware looks for a random computer on the LAN which can be a lengthy search process.
6.
To limit the size of packets sent over the Ethernet WAN interface, select the Fragment
Outbound Packets Larger than the WAN MTU check box and enter the maximum size in
the WAN MTU field.
If the maximum transmission unit (MTU) size is too large for a remote router, it may require
more transmissions. If the packet size is too small, this could result in more packet header
overhead and more acknowledgements that have to be processed. The default MTU size is
1,500.
7.
To enable bandwidth management, select the Enable check box and enter the bandwidth
of the connection in the Available Bandwidth field.
8.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
Configuring ARP
Note
ARP settings are identical in SonicOS Standard and Enhanced. For configuration
information, refer to the Configuring ARP section on page 247 in the SonicOS Enhanced
section of this chapter.
CHAPTER 11
Configuring Firewall Appliance Settings
The Firewall settings in SonicWALL GMS are different for SonicWALL security appliances
running SonicOS Enhanced and Standard. The following sections describe how to configure
Firewall settings for each of the operating systems:
Note
Firewall rules take precedence over the default Firewall functions. Because it is possible to
disable all protection or block all access to the Internet, use caution when creating or
deleting network access rules.
Network access rules do not disable protection from Denial of Service attacks such as SYN
Flood, Ping of Death, LAND, and so on. However, it is possible to create vulnerabilities to
attacks that exploit application weaknesses.
It is important to consider the purpose and ramifications of a rule before adding it to the firewall
rule list. Use the following guidelines to determine the rule logic:
What is the purpose of the rule? For example, "This rule will restrict all Internet Relay Chat
(IRC) access from the LAN (WorkPort) to the Internet." Or, "This rule will allow a remote
Lotus Notes server to synchronize with our internal Notes server via the Internet."
What is the flow of the traffic: LAN (WorkPort) to Internet or Internet to LAN (WorkPort)?
Which computers on the Internet will be affected? Be as specific as possible. For example,
if traffic is being allowed from the Internet to the LAN (WorkPort), it is better to only allow
specific computers to access the LAN or WorkPort.
Will this rule stop LAN (WorkPort) users from accessing important resources on the
Internet? For example, if IRC is blocked, are there users who require this service?
Can the rule be modified to be more specific? For example, if IRC is blocked for all users,
will a rule that only blocks certain users be more effective?
Will this rule allow Internet users to access LAN or WorkPort resources in a way that makes
the LAN vulnerable? For example, if NetBIOS ports (UDP 137, 138, 139) are allowed from
the Internet to the LAN, Internet users may be able to connect to PCs that have file sharing
enabled.
For example: a rule defining a specific service is more specific than the Default rule; a defined
Ethernet link, such as LAN (WorkPort), or WAN, is more specific than * (all); and a single IP
address is more specific than an IP address range.
Rules are listed in the LAN (WorkPort) Interface window from most specific to the least specific,
and rules at the top override rules listed below.
To illustrate this, consider the rules shown below:
Table 11 Sample Rules
#   Action   Service       Source                                 Destination
1   Deny     Chat (IRC)    206.18.25.4 (LAN)                      148.178.90.55 (WAN)
2   Allow    Ping          199.2.23.0 - 199.2.23.255 (WAN)        206.18.25.4 (LAN)
3   Deny     Web (HTTP)    216.37.125.0 - 216.37.125.255 (WAN)
4   Allow    Lotus Notes   WAN                                    LAN (WorkPort)
5   Deny
6   Deny     Default                                              LAN (WorkPort)
7   Allow    Default       LAN (WorkPort)
The Default Allow Rule (#7) at the bottom of the page allows all traffic from the LAN (WorkPort)
out to the WAN. However, Rule #5 blocks all NNTP traffic from the LAN (WorkPort).
The Default Deny Rule (#6) blocks traffic from the WAN to the LAN (WorkPort). However, Rule
#4 overrides part of this rule by allowing Lotus Notes into the LAN (WorkPort) from the WAN.
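The ordering behaviour described above (most specific rule first, a service-specific rule overriding a Default rule, a single address beating a range, a range beating a named link) is shown below as an added Python example. It is not code from the SonicWALL GMS guide or from the product. The rule list is Table 11 as constructed input; where the table as printed here lacks a cell, the value is an assumption marked in the code (rule 3 taken as LAN to WAN, rule 5 as the NNTP rule the text describes, the Default rules in the directions the text states), and the test packets are constructed.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    iface: Optional[str]         # "LAN", "WAN", ... or None for * (all)
    lo: Optional[IPv4Address]    # first address, or the single host; None = whole link
    hi: Optional[IPv4Address]    # last address (equals lo for a single host)

    def specificity(self):
        # The page's ordering: single IP address > IP address range > named link > * (all)
        if self.lo is None:
            return 0 if self.iface is None else 1
        return 3 if self.lo == self.hi else 2

    def matches(self, iface, ip):
        if self.iface is not None and self.iface != iface:
            return False
        return self.lo is None or self.lo <= ip <= self.hi


def parse_endpoint(spec):
    """Parse a Source/Destination cell as written in Table 11, e.g. '206.18.25.4 (LAN)',
    '199.2.23.0 - 199.2.23.255 (WAN)', 'LAN (WorkPort)', 'WAN' or '*'."""
    spec = spec.strip()
    if spec == "*":
        return Endpoint(None, None, None)
    iface = next((n for n in ("LAN", "WAN", "OPT", "DMZ") if n in spec), None)
    addrs = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", spec)
    if not addrs:
        return Endpoint(iface, None, None)
    return Endpoint(iface, IPv4Address(addrs[0]), IPv4Address(addrs[-1]))


@dataclass
class Rule:
    number: int
    action: str     # "Allow" or "Deny"
    service: str    # service name, or "Default" for any service
    src: Endpoint
    dst: Endpoint

    def specificity(self):
        # A rule naming a service beats a Default rule; then the endpoint scores are added.
        return (0 if self.service == "Default" else 1,
                self.src.specificity() + self.dst.specificity())


def order_rules(rules):
    """Most specific first; rules of equal specificity keep their listed order."""
    return sorted(rules, key=lambda r: r.specificity(), reverse=True)


@dataclass(frozen=True)
class Packet:
    service: str
    src_iface: str
    src_ip: IPv4Address
    dst_iface: str
    dst_ip: IPv4Address


def evaluate(rules, pkt):
    """(action, rule number) of the first matching rule in specificity order;
    traffic matching nothing is denied, as the Default Deny rule intends."""
    for r in order_rules(rules):
        if (r.service in ("Default", pkt.service)
                and r.src.matches(pkt.src_iface, pkt.src_ip)
                and r.dst.matches(pkt.dst_iface, pkt.dst_ip)):
            return r.action, r.number
    return "Deny", None


# Table 11 as constructed input. Cells the printed table lacks are assumptions: rule 3 is taken
# as LAN-to-WAN, rule 5 as the NNTP rule the text describes, the Default rules as WAN-to-LAN
# (deny) and LAN-to-WAN (allow) as the text states.
SAMPLE_RULES = [
    Rule(1, "Deny",  "Chat (IRC)",  parse_endpoint("206.18.25.4 (LAN)"), parse_endpoint("148.178.90.55 (WAN)")),
    Rule(2, "Allow", "Ping",        parse_endpoint("199.2.23.0 - 199.2.23.255 (WAN)"), parse_endpoint("206.18.25.4 (LAN)")),
    Rule(3, "Deny",  "Web (HTTP)",  parse_endpoint("LAN (WorkPort)"), parse_endpoint("216.37.125.0 - 216.37.125.255 (WAN)")),
    Rule(4, "Allow", "Lotus Notes", parse_endpoint("WAN"), parse_endpoint("LAN (WorkPort)")),
    Rule(5, "Deny",  "NNTP",        parse_endpoint("LAN (WorkPort)"), parse_endpoint("WAN")),
    Rule(6, "Deny",  "Default",     parse_endpoint("WAN"), parse_endpoint("LAN (WorkPort)")),
    Rule(7, "Allow", "Default",     parse_endpoint("LAN (WorkPort)"), parse_endpoint("WAN")),
]


def demo():
    """Constructed packets: rule 4 overrides rule 6, rule 5 overrides rule 7."""
    a = IPv4Address
    return {
        "notes_in":    evaluate(SAMPLE_RULES, Packet("Lotus Notes", "WAN", a("198.51.100.7"), "LAN", a("206.18.25.10"))),
        "nntp_out":    evaluate(SAMPLE_RULES, Packet("NNTP", "LAN", a("206.18.25.9"), "WAN", a("198.51.100.20"))),
        "ping_listed": evaluate(SAMPLE_RULES, Packet("Ping", "WAN", a("199.2.23.50"), "LAN", a("206.18.25.4"))),
        "ping_other":  evaluate(SAMPLE_RULES, Packet("Ping", "WAN", a("203.0.113.9"), "LAN", a("206.18.25.4"))),
        "irc_out":     evaluate(SAMPLE_RULES, Packet("Chat (IRC)", "LAN", a("206.18.25.4"), "WAN", a("148.178.90.55"))),
    }
```

Sorting the sample list by specificity returns it in the order 1 to 7, which is the order the page lists it in; the Lotus Notes packet from the WAN is allowed by rule 4 even though rule 6 denies WAN-to-LAN traffic, and the NNTP packet from the LAN is denied by rule 5 even though rule 7 allows everything outbound.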
Note
2.
Expand the Firewall tree and click Access Rules. The Access Rules page displays. The
Firewall > Access Rules page enables you to select multiple views of Access Rules,
including pull-down boxes, Matrix, and All Rules. The default view is the Matrix View which
provides a matrix of source and destination nodes between LAN, WAN, VPN, Multicast, and
WLAN.
3.
From the Matrix View, click the Edit icon for the source and destination interfaces for
which you will configure a rule. The Access Rules table for that interface pair displays.
4.
Below the Access Rules table, click Add Rule. The Add Rule dialog box displays.
5.
If a policy has a No-Edit policy action, the Action radio buttons will not be editable.
6.
Select a service from the Service Name list box. If the service does not exist, refer
to the Configuring Service Objects section on page 278.
7.
Select the source Address Object from the Source list box.
8.
Select the destination Address Object from the Destination list box.
9.
Specify if this rule applies to all users or to an individual user or group in the Users Allowed
list box.
10. Specify when the rule will be applied by selecting a schedule or Schedule Group from the
Schedule list box. If the rule will always be applied, select Always on. If the schedule does
not exist, refer to the Configuring Schedules section on page 198.
11. To enable logging for this rule, select the Logging check box.
12. Check the Allow Fragmented Packets checkbox to allow fragmented packets.
Caution
Fragmented packets are used in certain types of Denial of Service attacks and, by default,
are blocked. You should only enable the Allow Fragmented Packets check box if users are
experiencing problems accessing certain applications and the SonicWALL logs show many
dropped fragmented packets.
13. Add any comments to the Comment field.
14. Click the Advanced tab.
15. Specify how long (in minutes) TCP connections may remain idle before the connection is
16. Specify how long (in seconds) UDP connections may remain idle before the connection is
17. Specify the percentage of the maximum connections this rule is to allow in the Number of
18. Set a limit for the maximum number of connections allowed per source IP Address by
selecting Enable connection limit for each Source IP Address and entering the value in
the Threshold field. (Only available for Allow rules.)
19. Set a limit for the maximum number of connections allowed per destination IP Address by
selecting Enable connection limit for each Destination IP Address field and entering the
value in the Threshold field. (Only available for Allow rules.)
20. Click the QoS tab. For information on configuring the QoS tab, refer to the Configuring
22. SonicWALL appliances can manage inbound and outbound traffic on the primary WAN
23. To enable outbound bandwidth management for this service, select the Enable Outbound
Enter the amount of bandwidth that will always be available to this service in the
Guaranteed Bandwidth field, and select either % or Kbps in the pull-down list. Keep in
mind that this bandwidth will be permanently assigned to this service and not available to
other services, regardless of the amount of bandwidth this service does or does not use.
Enter the maximum amount of bandwidth that will be available to this service in the
Maximum Bandwidth field.
Select the priority of this service from the Bandwidth Priority list box. Select a priority from
0 (highest) to 7 (lowest).
24. To enable inbound bandwidth management for this service, select the Enable Inbound
Enter the amount of bandwidth that will always be available to this service in the
Guaranteed Bandwidth field, and select either % or Kbps in the pull-down list. Keep in
mind that this bandwidth will be permanently assigned to this service and not available to
other services, regardless of the amount of bandwidth this service does or does not use.
Enter the maximum amount of bandwidth that will be available to this service in the
Maximum Bandwidth field.
Select the priority of this service from the Bandwidth Priority list box. Select a priority from
0 (highest) to 7 (lowest).
Note
25. To track bandwidth usage for this service, select the Enable Tracking Bandwidth Usage
check box.
26. To add this rule to the rule list, click OK. You are returned to the Access Rules page.
27. If the network access rules have been modified or deleted, you can restore the Default
Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP
traffic and allow all outbound IP traffic. To restore the network access rules to their default
settings, click Restore Rules to Defaults and then click Update. A task is scheduled to
update the rules page for each selected SonicWALL appliance.
29. To enable logging for a rule, select its Logging check box.
30. To disable a rule without deleting it, deselect its Enable check box.
31. To delete a rule, click its trash can icon. SonicWALL GMS creates a task that deletes the
By default, a large number of services are pre-defined. GMS supports paginated navigation and
sorting by column header in the Service Objects screen. In any of the tables, you can click the
column header to use for sorting. An arrow is displayed to the right of the selected column header.
You can click the arrow to reverse the sorting order of the entries in the table.
To add a service, perform the following steps:
Note
1.
Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced.
2.
3.
4.
5.
6.
Enter the starting and ending port for the service in the Port Range fields. For a service that
uses a single port, type the port number into the first field.
7.
Click OK. The service is added and appears in the Custom Services section.
Although most default services cannot be edited or deleted, you can edit or delete custom
services by clicking the edit or delete buttons that correspond to the desired custom
service.
To add a service group, click the Add Group button on the Service Objects page.
The Add Service Group dialog box displays.
Note
2.
3.
4.
5.
or Trashcan
icons that
To configure advanced firewall settings, perform the following steps:
1.
Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced.
2.
Expand the Firewall tree and click Advanced. The Advanced page displays.
3.
To enable stealth mode, select the Enable Stealth Mode check box. During normal
operation, SonicWALL appliances respond to incoming connection requests as either
blocked or open. During stealth operation, SonicWALL appliances do not respond to
inbound requests, making the appliances invisible to potential hackers.
4.
5.
Select Decrement IP TTL for forwarded traffic to decrease the Time-to-live (TTL) value
for packets that have been forwarded and therefore have already been in the network for
some time. TTL is a value in an IP packet that tells a network router whether or not the
packet has been in the network too long and should be discarded.
6.
Select Never generate ICMP Time-Exceeded packets if you do not want the SonicWALL
appliance to generate these reporting packets. The SonicWALL appliance generates
Time-Exceeded packets to report when it has dropped a packet because its TTL value has
decreased to zero.
7.
Select the dynamic ports that will be supported from the Dynamic Ports area:
Enable support for Oracle (SQLNet): Select if you have Oracle applications on your
network.
Enable support for Windows Messenger: Select this option to support special SIP
real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an
application-level protocol for control over delivery of data with real-time properties.
8.
The Drop Source Routed Packets check box is selected by default. Clear the check box
if you are testing traffic between two specific hosts and you are using source routing.
Connections Settings
9.
The Connections section provides the ability to fine-tune the performance of the appliance
to prioritize either optimal performance or support for an increased number of simultaneous
connections that are inspected by Firewall services. For appliances running SonicOS 5.6.0
and above, select one of the following options:
Disable Anti-Spyware, Gateway AV and IPS Engine (increases maximum SPI
connections): This option ensures that the appliance performance will not be
degraded under high-traffic conditions. Firewall connections may be dropped to
preserve performance.
For appliances running SonicOS Enhanced releases lower than 5.6.0, the single Disable
Anti-Spyware, Gateway AV and IPS Engine (increases maximum SPI connections)
option is available as a checkbox.
10. To specify how long the SonicWALL appliance(s) wait before closing inactive TCP
connections outside the LAN, enter the amount of time in the Default Connection Timeout
field (default: 25 minutes). The Connection Inactivity Timeout option disables connections
outside the LAN if they are idle for a specified period of time. Without this timeout,
connections can stay open indefinitely and create potential security holes.
11. Select the Force inbound and outbound FTP data connections to use default port 20
check box to specify that any FTP data connection through the SonicWALL must come from
port 20 or the connection will be dropped and logged. By default, FTP connections from port
20 are allowed, but remapped to outbound traffic ports such as 1024.
12. Under IP, UDP Checksum Enforcement, select one or both checkboxes to force the
SonicWALL to perform checksums on IP packet headers and on UDP packets. Packets with
invalid checksums will be dropped. This helps to prevent attacks that involve falsification of
header fields that define important characteristics of the packet.
13. To specify how long the SonicWALL appliance(s) wait before closing inactive UDP
connections outside the LAN, enter the amount of time in the Default UDP Connection
Timeout field.
14. Set a limit for the maximum number of connections allowed per source IP Address by
selecting Enable connection limit for each Source IP Address and entering the value in
the Threshold field. (Only available for Allow rules.)
15. Set a limit for the maximum number of connections allowed per destination IP Address by
selecting Enable connection limit for each Destination IP Address field and entering the
value in the Threshold field. (Only available for Allow rules.)
16. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
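Step 12 above enables IP header and UDP checksum enforcement so that packets whose header fields were altered after the checksum was computed are dropped. The Python example below is added here for illustration and is not code from the SonicWALL GMS guide or from SonicOS: it implements the two validations (RFC 1071 one's-complement sum over the IPv4 header, and over the UDP pseudo-header plus datagram) and shows the forward-or-drop decision for a correct packet and for three copies whose TTL, source address or payload was changed without recomputing the checksums. The packet builder, addresses, ports and payload are constructed for the example; the function names are the example's own.

```python
import struct
from ipaddress import IPv4Address


def ones_complement_sum(data):
    """Fold big-endian 16-bit words into a 16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def ipv4_header_valid(packet):
    """A header that still matches its checksum sums to 0xFFFF, checksum field included."""
    if len(packet) < 20:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return False
    return ones_complement_sum(packet[:ihl]) == 0xFFFF


def udp_checksum_valid(packet):
    """UDP check covers the pseudo-header (addresses, protocol, length) plus the datagram,
    so a rewritten source address invalidates it as well as the IP header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    if len(udp) < 8:
        return False
    udp_len = struct.unpack("!H", udp[4:6])[0]
    if udp_len < 8 or udp_len > len(udp):
        return False
    udp = udp[:udp_len]
    if udp[6:8] == b"\x00\x00":
        return True  # RFC 768: an all-zero field means the sender computed no checksum
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 17, udp_len)
    return ones_complement_sum(pseudo + udp) == 0xFFFF


def enforce(packet):
    """The decision the enforcement options make: forward, or drop with the reason to log."""
    if not ipv4_header_valid(packet):
        return "drop: invalid IP header checksum"
    if packet[9] == 17 and not udp_checksum_valid(packet):
        return "drop: invalid UDP checksum"
    return "forward"


def build_udp_packet(src_ip, dst_ip, sport, dport, payload):
    """Constructed IPv4/UDP packet with correct checksums (test input, not captured traffic)."""
    src, dst = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    udp_len = 8 + len(payload)
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp_ck = checksum(pseudo + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload) or 0xFFFF
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, udp_ck)
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
    fields = [0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0, src, dst]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + udp_hdr + payload


def demo():
    good = build_udp_packet("192.168.168.10", "209.19.28.17", 40000, 53, b"constructed payload")
    ttl_changed = good[:8] + bytes([good[8] - 1]) + good[9:]                 # TTL edited, checksum not redone
    src_rewritten = good[:12] + IPv4Address("185.5.20.105").packed + good[16:]  # source address falsified
    payload_flipped = good[:-1] + bytes([good[-1] ^ 0x01])                     # one payload bit changed
    return {name: enforce(p) for name, p in (("good", good), ("ttl_changed", ttl_changed),
                                             ("src_rewritten", src_rewritten),
                                             ("payload_flipped", payload_flipped))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

A router that decrements the TTL legitimately also recomputes the header checksum, so only the edited-without-recomputation copies fail; the zero-checksum UDP case is accepted because the protocol permits an absent checksum, which is the one class of packet this enforcement cannot vouch for.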
Tip
Type      Description
None      Disables BWM.
WAN
Global
Priority levels shown in the original table: 2 High, 5 Medium, 6 Low, 7 Low.
When global BWM is enabled on an interface, all of the traffic to and from that interface is
bandwidth managed.
For example, with bandwidth management type none, if there are three traffic types (1, 2, and
3) that are using an interface with the link capability of 100 Mbps, the cumulative capacity for
all three types is 100 Mbps.
Then when bandwidth management type Global is enabled on that interface and the available
ingress and egress traffic are configured to 10 Mbps, the following occurs:
By default, the traffic types are sent to the Medium (4) Priority queue. This queue has, by
default, a Guaranteed percentage of 50 and a Maximum percentage of 100. These values mean
that the cumulative link capability is 10 Mbps with no global BWM enabled policies configured.
Packet Queuing
BWM rules each consume memory for packet queuing, so the number of allowed queued
packets and rules on SonicOS Enhanced is limited by platform (values are subject to change):
Platform         Max Queued Packets   Max Rules
TZ 170 Family    220
PRO 1260         220
PRO 2040         520
PRO 3060         2080
PRO 4060         2080
PRO 5060         6240
NSA 3500         2080                 100
NSA 4500         2080                 100
NSA 5000         2080                 100
NSA E5500        6420                 100
NSA E6500        6420                 100
NSA E7500        6420                 100
2.
3.
Allocate the available bandwidth for that interface on the ingress and egress traffic. It then
assigns individual limits for each class of network traffic.
By assigning priorities to network traffic, applications requiring a quick response time, such as
Telnet, can take precedence over traffic requiring less response time, such as FTP.
To configure bandwidth management, navigate to the Firewall > BWM page.
Note
The defaults are set by SonicWALL to provide BWM ease-of-use. It is recommended that
you review the specific bandwidth needs and enter the values on this page accordingly.
Global All zones can have assigned guaranteed and maximum bandwidth to
Note
When you change the Bandwidth Management Type from Global to WAN, the default BWM
actions that are in use in any App Rules policies will be automatically converted to WAN
BWM Medium, no matter what level they were set to before the change.
When you change the Type from WAN to Global, the default BWM actions are converted to
BWM Global-Medium. The firewall does not store your previous action priority levels when
you switch the Type back and forth. You can view the conversions on the Firewall > App
Rules page.
The default settings for this page consist of three priorities with preconfigured guaranteed and
maximum bandwidth. The medium priority has the highest guaranteed value since this priority
queue is used by default for all traffic not governed by a BWM enabled policy.
2.
Expand the Firewall tree and click Multicast. The Multicast page displays.
3.
4.
Multicast state table entry timeout (minutes): This field has a default of 5. The value
range for this field is 5 to 60 (minutes). Increase the value if you have a client that is
not sending reports periodically.
5.
addresses. Receiving all multicast addresses may cause your network to experience
performance degradation.
Default. To enable reception for the following multicast addresses, select Enable
reception for the following multicast addresses and select Create a new multicast
object or Create new multicast group from the list box.
6.
To view the IGMP State Information, click Request IGMP State Information. The following
information displays:
Multicast Group Address: Provides the multicast group address the interface is
joined to.
Interface / VPN Tunnel: Provides the interface (such as X0) or the VPN policy.
IGMP Version: Provides the IGMP version (such as V2 or V3).
Time Remaining: Provides the remaining time left for the multicast session. This is
calculated by subtracting the Multicast state table entry timeout (minutes) value,
which has the default value of 5 minutes, and the elapsed time since the multicast
address was added.
7.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
2.
Expand the Firewall tree and click VoIP. The VoIP page displays.
3.
To enable secure NAT, select the Use secure NAT check box.
4.
Tip
By default, NAT translates Layer 3 addresses, but does not translate Layer 5 SIP/SDP
addresses. Unless there is another NAT traversal solution that requires this feature to be
turned off, it is highly recommended to enable SIP transformations.
After enabling SIP transformations, configure the following options:
Select Permit non-SIP packets on signaling port to enable applications such as
Apple iChat and MSN Messenger, which use the SIP signaling port for additional
proprietary messages. Enabling this checkbox may open your network to malicious
attacks caused by malformed or invalid SIP traffic. This checkbox is disabled by default.
(SonicOS Enhanced only) Select the Enable SIP Back-to-Back User Agent (B2BUA)
support setting when the SonicWALL security appliance can see both legs of a voice
call (for example, when a phone on the LAN calls another phone on the LAN). This
setting should only be enabled when the SIP Proxy Server is being used as a B2BUA.
Tip
If there is not the possibility of the SonicWALL security appliance seeing both legs of voice
calls (for example, when calls will only be made to and received from phones on the WAN),
the Enable SIP Back-to-Back User Agent (B2BUA) support setting should be disabled to
avoid unnecessary CPU usage.
SIP Signaling inactivity time out (seconds): Specifies the period of time that must
elapse before timing out an inactive SIP session if no SIP signaling occurs (default:
1800 seconds or 30 minutes).
SIP Media inactivity time out (seconds): Specifies the period of time that must
elapse before timing out an inactive SIP session if no media transfer activity occurs
(default: 120 seconds or 2 minutes).
The Additional SIP signaling port (UDP) for transformations setting allows you to
specify a nonstandard UDP port used to carry SIP signaling traffic. Normally, SIP
signaling traffic is carried on UDP port 5060. However, a number of commercial VoIP
services use different ports, such as 1560. Using this setting, the security appliance
performs SIP transformation on these non-standard ports.
Tip
Enable LDAP ILS Support: When selected, the SonicWALL appliance will support
Gatekeeper that acts as a proxy server between clients on the private network and the
Internet.
6.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note
2.
Expand the Firewall tree and click TCP Settings. The TCP Settings page displays.
3.
Select Enforce strict TCP compliance with RFC 793 and RFC 1122 to force VoIP traffic
to comply with RFC 793 (TCP) and RFC 1122 (Internet Hosts, including Link and IP layers)
standards.
4.
Select Enable TCP Checksum Validation to drop any packets with invalid TCP
checksums.
5.
Enter a value for the Default TCP Connection Timeout. This is the default time assigned
to Access Rules for TCP traffic. If a TCP session is active for a period in excess of this
setting, the TCP connection will be cleared by the SonicWALL.
Setting excessively long connection time-outs will slow the reclamation of stale resources,
and in extreme cases could lead to exhaustion of the connection cache.
6.
Specify the Maximum Segment Lifetime to set the number of seconds that any TCP
packet is valid before it expires. This setting is also used to determine the amount of time
(calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed TCP
connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK exchange
has occurred to cleanly close the TCP connection.
7.
Configure the Layer 3 SYN Flood Protection options. Select the desired level of protection
against half-opened TCP sessions and high-frequency SYN packet transmissions:
Watch and Report Possible SYN Floods: This option enables the device to monitor
SYN traffic on all interfaces on the device and to log suspected SYN flood activity that
exceeds a packet count threshold. The feature does not turn on the SYN Proxy on the
device, so the device forwards the TCP three-way handshake without modification. This
is the least invasive level of SYN Flood protection. Select this option if your network is
not in a high-risk environment.
the device to enable the SYN Proxy feature on WAN interfaces when the number of
incomplete connection attempts per second surpasses a specified threshold. This
method ensures the device continues to process valid traffic during the attack and that
performance does not degrade. Proxy mode remains enabled until all WAN SYN flood
attacks stop occurring or until the device blacklists all of them using the SYN
Blacklisting feature. This is the intermediate level of SYN Flood protection. Select this
option if your network experiences SYN Flood attacks from internal or external sources.
Always Proxy WAN Client Connections: This option sets the device to always use
SYN Proxy. This method blocks all spoofed SYN packets from passing through the
device. Note that this is an extreme security measure and directs the device to respond
to port scans on all TCP ports because the SYN Proxy feature forces the device to
respond to all TCP SYN connection attempts. This can degrade performance and can
generate false positives. Select this option only if your network is in a high-risk
environment.
8.
Configure the SYN Attack Threshold. The appliance gathers statistics on WAN TCP
connections, keeping track of the maximum and average number of incomplete WAN
connections per second. From these statistics, the device suggests a value for the SYN
flood threshold in the Suggested value calculated from gathered statistics field. Enter
the desired threshold for the number of incomplete connection attempts per second before
the device drops packets in the Attack Threshold field.
9.
Selective ACK where a packet can be dropped and the receiving device indicates which
packets it received. Enable this checkbox only when you know that all servers covered
by the SonicWALL firewall appliance accessed from the WAN support the SACK option.
Limit MSS sent to WAN clients (when connections are proxied): Enables you to
enter an upper bound for the TCP Maximum Segment Size (MSS) value. If you specify an
override value for the default of 1460, this indicates that a segment of that size or smaller
will be sent to the client in the SYN/ACK cookie. Setting this value too low can decrease
performance when the SYN Proxy is always enabled. Setting this value too high can break
connections if the server responds with a smaller MSS value.
Maximum TCP MSS sent to WAN clients: The value of the MSS. The default is 1460.
Note
When using Proxy WAN client connections, remember to set these options conservatively
since they only affect connections when a SYN Flood takes place. This ensures that
legitimate connections can proceed during an attack.
Always log SYN packets received: Logs all SYN packets received.
10. Configure the Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting options to
configure how the appliance deals with devices that exceed the SYN, RST, and FIN
Blacklist attack threshold:
of SYN, RST, and FIN packets allowed per second. The default is 1,000. This value
should be larger than the SYN Proxy threshold value because blacklisting attempts to
thwart more vigorous local attacks or severe attacks from a WAN network.
Never blacklist WAN machines: This checkbox ensures that systems on the WAN
are never added to the SYN Blacklist. This option is recommended, as leaving it
unchecked may interrupt traffic to and from the SonicWALL firewall appliance's WAN
ports.
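The following Python script is an added example, not SonicWALL code and not part of this guide. It simulates the behaviour steps 7 through 10 describe over constructed packet records: counting incomplete (half-open) WAN connection attempts per second as Watch and Report does, proposing an Attack Threshold from the gathered statistics, flagging the seconds that exceed the threshold, and applying the Layer 2 SYN/RST/FIN blacklist threshold per source MAC with the Never blacklist WAN machines option. The headroom factor used to derive the suggested threshold is an assumption; the appliance's own formula is not given on this page.

```python
"""Watch-and-report SYN flood monitoring and Layer 2 MAC blacklisting, simulated
in Python over constructed packet records (added example, not SonicWALL code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int        # whole-second timestamp
    iface: str     # interface the packet arrived on: "WAN" or "LAN"
    src_mac: str   # source MAC, the key used for Layer 2 blacklisting
    flags: str     # "SYN", "ACK" (final handshake ACK), "RST" or "FIN"
    conn: str      # connection identifier, so handshake completion can be tracked


def sample_packets():
    """Constructed traffic: a normal second, a WAN SYN flood, and two noisy hosts."""
    pk = []
    # second 1: five WAN SYNs, three of which complete the three-way handshake
    for i in range(5):
        pk.append(Packet(1, "WAN", "02:00:00:00:00:aa", "SYN", f"w1-{i}"))
        if i < 3:
            pk.append(Packet(1, "WAN", "02:00:00:00:00:aa", "ACK", f"w1-{i}"))
    # second 2: 50 WAN SYNs that never complete (half-open connections)
    for i in range(50):
        pk.append(Packet(2, "WAN", "02:00:00:00:00:bb", "SYN", f"w2-{i}"))
    # second 3: a LAN host sends 1200 SYNs, above the default 1,000/s L2 threshold
    for i in range(1200):
        pk.append(Packet(3, "LAN", "02:00:00:00:00:01", "SYN", f"l3-{i}"))
    # second 3: a WAN host sends 1500 RSTs; "Never blacklist WAN machines" protects it
    for i in range(1500):
        pk.append(Packet(3, "WAN", "02:00:00:00:00:02", "RST", f"r3-{i}"))
    return pk


def incomplete_per_second(packets):
    """Count WAN SYNs per second whose handshake never completed (Watch and Report)."""
    completed = {p.conn for p in packets if p.flags == "ACK"}
    counts = Counter()
    for p in packets:
        if p.iface == "WAN" and p.flags == "SYN" and p.conn not in completed:
            counts[p.ts] += 1
    return counts


def suggested_threshold(counts, headroom=1.5):
    """Propose an Attack Threshold from gathered statistics: the larger of the peak
    and the average incomplete-connection rate, plus headroom (the headroom factor
    is my assumption; the appliance's exact formula is not documented here)."""
    if not counts:
        return 0
    values = list(counts.values())
    peak, average = max(values), sum(values) / len(values)
    return int(max(peak, average) * headroom) + 1


def syn_flood_seconds(counts, attack_threshold):
    """Seconds in which incomplete attempts exceeded the threshold (what gets logged)."""
    return sorted(ts for ts, n in counts.items() if n > attack_threshold)


def mac_blacklist(packets, threshold=1000, never_blacklist_wan=True):
    """Layer 2 SYN/RST/FIN flood protection: blacklist a source MAC whose combined
    SYN+RST+FIN rate in any one second exceeds the threshold (default 1,000)."""
    per_sec = defaultdict(Counter)
    for p in packets:
        if p.flags in ("SYN", "RST", "FIN"):
            per_sec[(p.src_mac, p.iface)][p.ts] += 1
    blacklisted = set()
    for (mac, iface), c in per_sec.items():
        if never_blacklist_wan and iface == "WAN":
            continue
        if max(c.values()) > threshold:
            blacklisted.add(mac)
    return blacklisted


if __name__ == "__main__":
    pk = sample_packets()
    counts = incomplete_per_second(pk)
    print("incomplete WAN connections/s:", dict(counts))
    print("suggested threshold:", suggested_threshold(counts))
    print("flood seconds at threshold 30:", syn_flood_seconds(counts, 30))
    print("blacklisted MACs:", mac_blacklist(pk))
```

Note that the WAN host sending 1,500 RSTs is only blacklisted when Never blacklist WAN machines is cleared, which is the traffic interruption the option exists to prevent.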
Note
Many service providers do not support CoS tags such as 802.1p or DSCP. Also, most
network equipment with standard configurations will not be able to recognize 802.1p tags,
and could drop tagged traffic.
Note
If you wish to use 802.1p or DSCP marking on your network or your service provider's
network, you must first establish that these methods are supported. Verify that your internal
network equipment can support CoS priority marking, and that it is correctly configured to
do so. Check with your service provider - some offer fee-based support for QoS using these
CoS methods.
with 802.1p capable equipment, and is not universally interoperable. Additionally, 802.1p,
because of its different packet structure, can rarely traverse wide area networks, even private
WANs. Nonetheless, 802.1p is gaining wide support among Voice and Video over IP vendors,
so a solution for supporting 802.1p across network boundaries (i.e., WAN links) was introduced
in the form of 802.1p to DSCP mapping.
802.1p to DSCP mapping allows 802.1p tags from one LAN to be mapped to DSCP values by
GMS, allowing the packets to safely traverse WAN links. When the packets arrive on the other
side of the WAN or VPN, the receiving GMS appliance can then map the DSCP tags back to
802.1p tags for use on that LAN.
TPID: Tag Protocol Identifier begins at byte 12 (after the 6-byte destination and source
fields), is 2 bytes long, and has an Ethertype of 0x8100 for tagged traffic.
802.1p: The first three bits of the TCI (Tag Control Information - beginning at byte 14, and
spanning 2 bytes) define user priority, giving eight (2^3) priority levels. IEEE 802.1p defines
the operation for these 3 user priority bits.
CFI: Canonical Format Indicator is a single-bit flag, always set to zero for Ethernet
switches. CFI is used for compatibility reasons between Ethernet networks and Token Ring
networks. If a frame received at an Ethernet port has a CFI set to 1, then that frame should
not be forwarded as it is to an untagged port.
VLAN ID: VLAN ID (starts at bit 5 of byte 14) is the identification of the VLAN. It has 12 bits
and allows for the identification of 4,096 (2^12) unique VLAN IDs. Of the 4,096 possible IDs,
an ID of 0 is used to identify priority frames, and an ID of 4,095 (0xFFF) is reserved, so the
maximum possible VLAN configurations are 4,094.
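The tag layout just described (TPID at bytes 12-13, then the 16-bit TCI split into 3 bits of 802.1p priority, the CFI bit and a 12-bit VLAN ID) can be checked with a small parser. The following Python script is an added example, not SonicWALL code and not part of this guide; the MAC addresses and frames it builds are constructed test data.

```python
"""Parse and build 802.1Q tags: TPID at bytes 12-13, TCI at bytes 14-15 holding the
3-bit 802.1p priority, the CFI bit and the 12-bit VLAN ID (added example, not
SonicWALL code)."""
import struct

TPID_8021Q = 0x8100       # Ethertype marking a tagged frame
VID_PRIORITY_TAGGED = 0   # VLAN ID 0: priority-tagged frame, as inserted by GMS
VID_RESERVED = 0x0FFF     # VLAN ID 4,095 is reserved

# Constructed MAC addresses used for the sample frames below.
SAMPLE_DST = bytes.fromhex("001122334455")
SAMPLE_SRC = bytes.fromhex("66778899aabb")


def build_tagged_frame(dst, src, pcp, cfi, vid, ethertype=0x0800, payload=b""):
    """Build an 802.1Q-tagged Ethernet frame (dst/src are 6-byte MACs)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not 0 <= pcp <= 7 or cfi not in (0, 1) or not 0 <= vid <= VID_RESERVED:
        raise ValueError("pcp must be 0-7, cfi 0 or 1, vid 0-4095")
    tci = (pcp << 13) | (cfi << 12) | vid   # 3 + 1 + 12 bits, most significant first
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_vlan_tag(frame):
    """Return the tag fields of a tagged frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {
        "pcp": tci >> 13,         # bits 15-13: 802.1p user priority, 0-7
        "cfi": (tci >> 12) & 1,   # bit 12: Canonical Format Indicator
        "vid": tci & 0x0FFF,      # bits 11-0: VLAN ID
        "ethertype": ethertype,   # Ethertype of the encapsulated payload
    }


def classify_vid(vid):
    """Interpret the VLAN ID as the text describes: 0 = priority frame,
    4,095 = reserved, anything else = one of the 4,094 usable VLANs."""
    if vid == VID_PRIORITY_TAGGED:
        return "priority-tagged"
    if vid == VID_RESERVED:
        return "reserved"
    return "vlan"


def may_forward_to_untagged_port(tag):
    """A frame whose CFI is 1 must not be forwarded unchanged to an untagged port."""
    return tag is None or tag["cfi"] == 0


def strip_vlan_tag(frame):
    """Remove the 4-byte tag, producing the frame an 802.1p-incapable device expects."""
    if parse_vlan_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    frame = build_tagged_frame(SAMPLE_DST, SAMPLE_SRC, pcp=5, cfi=0, vid=0)
    tag = parse_vlan_tag(frame)
    print(tag, classify_vid(tag["vid"]), may_forward_to_untagged_port(tag))
    print(strip_vlan_tag(frame).hex())
```

A priority-only tag (VLAN ID 0), which is what GMS inserts according to the text below, parses with pcp set and vid 0; stripping the tag gives back the plain frame for devices that cannot handle 802.1p.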
802.1p support begins by enabling 802.1p marking on the interfaces that you wish to process
802.1p tags. 802.1p can be enabled on any Ethernet interface on any SonicWALL
appliance that supports VLANs, including the SonicWALL NSA Series and PRO 2040, PRO
3060, PRO 4060, PRO 4100, and PRO 5060.
Note
802.1p tagging is not currently supported on the SonicWALL TZ Series or PRO 1260.
Although Enable 802.1p tagging does not appear as an option on VLAN sub-interfaces, it is
related to the 802.1q tags of VLAN sub-interfaces. The behavior of the 802.1p field within these
tags can be controlled by firewall access rules. The default 802.1p capable network Access
Rule action of None resets existing 802.1p tags to 0, unless otherwise configured.
Enabling 802.1p marking allows the target interface to recognize incoming 802.1p tags
generated by 802.1p capable network devices, and will also allow the target interface to
generate 802.1p tags, as controlled by Access Rules. Frames that have 802.1p tags inserted
by GMS will bear VLAN ID 0.
802.1p tags will only be inserted according to access rules, so enabling 802.1p marking on an
interface will not, at its default setting, disrupt communications with 802.1p-incapable devices.
802.1p requires specific support by the networking devices with which you wish to use this
method of prioritization. Many voice and video over IP devices provide support for 802.1p, but
the feature must be enabled. Check your equipment's documentation for information on 802.1p
support if you are unsure. Similarly, many server and host network cards (NICs) have the ability
to support 802.1p, but the feature is usually disabled by default.
The above diagram depicts an IP packet, with a close-up on the ToS portion of the header. The
ToS bits were originally used for Precedence and ToS (delay, throughput, reliability, and cost)
settings, but were later reused by RFC 2474 for the more versatile DSCP settings. The
following table shows the commonly used code points as well as their mapping to the legacy
Precedence and ToS settings.
Table 12
Code Point   Service                     Legacy IP Precedence             Legacy ToS
0            Best Effort                 0 (Routine - 000)
8            Class 1                     1 (Priority - 001)
10           Class 1, Gold (AF11)        1 (Priority - 001)
12           Class 1, Silver (AF12)      1 (Priority - 001)
14           Class 1, Bronze (AF13)      1 (Priority - 001)               D, T
16           Class 2                     2 (Immediate - 010)
18           Class 2, Gold (AF21)        2 (Immediate - 010)
20           Class 2, Silver (AF22)      2 (Immediate - 010)
22           Class 2, Bronze (AF23)      2 (Immediate - 010)              D, T
24           Class 3                     3 (Flash - 011)
26           Class 3, Gold (AF31)        3 (Flash - 011)
28           Class 3, Silver (AF32)      3 (Flash - 011)
30           Class 3, Bronze (AF33)      3 (Flash - 011)                  D, T
32           Class 4                     4 (Flash Override - 100)
34           Class 4, Gold (AF41)        4 (Flash Override - 100)
36           Class 4, Silver (AF42)      4 (Flash Override - 100)
38           Class 4, Bronze (AF43)      4 (Flash Override - 100)         D, T
40           Express Forwarding          5 (CRITIC/ECP - 101)
46           Expedited Forwarding (EF)   5 (CRITIC/ECP - 101)             D, T
48           Control                     6 (Internetwork Control - 110)
56           Control                     7 (Network Control - 111)
DSCP marking can be performed on traffic to and from any interface and to and from any zone
type, without exception. DSCP marking is controlled by Access Rules, from the QoS tab, and
can be used in conjunction with 802.1p marking, as well as with SonicOS internal bandwidth
management.
Configuring QoS
To configure QoS, perform the following tasks:
1.
Click on the Interfaces option in the Network menu. GMS displays the Interfaces list.
2.
Click on the Configuration icon for the WAN interface. GMS displays the Edit Interface
dialog box.
3.
4.
Click on the Enable 802.1p tagging checkbox to place a check mark in the checkbox.
5.
Click Update.
From the Firewall menu, click on the Access Rules option. GMS displays the Access
Rules dialog box that contains various interfaces for which you can create an access rule.
2.
Select the LAN > WAN rule and click Add Rule. GMS displays the Add Rule dialog box.
3.
4.
Under DSCP Marking Settings select the DSCP Marking Action. You can select None,
Preserve, Explicit, or Map. Preserve is the default.
None: DSCP values in packets are reset to 0.
Preserve: DSCP values in packets will remain unaltered.
Explicit: Set the DSCP value to the value you select in the Explicit DSCP Value field.
5.
Under 802.1p Marking Settings select the 802.1p Marking Action. You can select None,
Preserve, Explicit, or Map. None is the default.
6.
Click Ok. GMS configures your WAN interface to accept traffic shaping values.
Click on the QoS Settings option in the Firewall menu. GMS displays the QoS Mapping
dialog box:
297
2.
Click on the Configuration icon for any of the 802.1p Class of Service objects. GMS displays
the class of service Edit QoS Mapping dialog box.
3.
the traffic.
From DSCP Begin: The lower limit of the range of values for marking that indicates the
From DSCP End: The upper limit of the range of values for marking that indicates the
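The following Python script is an added example, not SonicWALL code and not part of this guide. It ties together the ToS byte layout behind Table 12, the DSCP Marking Action choices of the Add Rule dialog (None, Preserve, Explicit, Map), and the From DSCP Begin/End ranges of the QoS Mapping dialog: it decodes a ToS byte into its DSCP and legacy Precedence/ToS parts, names code points the way the table does, and maps between 802.1p priorities and DSCP ranges. The default ranges it uses (priority p covering DSCP 8p through 8p+7) and its reading of the Map action (derive DSCP from the frame's 802.1p tag) are assumptions, not the GMS defaults; edit them to match your QoS Settings page.

```python
"""Decode the IPv4 ToS byte both ways (DSCP and legacy Precedence/ToS bits), apply
the DSCP marking actions, and map between 802.1p priority and DSCP ranges
(added example, not SonicWALL code)."""

# Legacy ToS flag bits: precedence(3) | D | T | R | C | reserved(1)
TOS_FLAGS = ((0x10, "D"), (0x08, "T"), (0x04, "R"), (0x02, "C"))
PRECEDENCE_NAMES = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
                    "CRITIC/ECP", "Internetwork Control", "Network Control"]
AF_DROP_NAMES = {1: "Gold", 2: "Silver", 3: "Bronze"}   # drop precedence names from Table 12

# 802.1p priority -> DSCP range, the shape of the QoS Mapping dialog (From DSCP Begin/End).
# These particular ranges (priority p covers DSCP 8p .. 8p+7) are my assumption,
# not the GMS defaults; edit them to match your Firewall > QoS Settings page.
DEFAULT_DSCP_RANGES = {p: (p << 3, (p << 3) + 7) for p in range(8)}


def dscp_from_tos(tos):
    return (tos >> 2) & 0x3F            # DSCP is the upper six bits


def tos_from_dscp(dscp, ecn=0):
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def legacy_precedence(tos):
    p = tos >> 5                         # upper three bits
    return f"{p} ({PRECEDENCE_NAMES[p]} - {p:03b})"


def legacy_tos_flags(tos):
    return [name for bit, name in TOS_FLAGS if tos & bit]


def describe_dscp(dscp):
    """Name a code point the way Table 12 does."""
    if dscp == 0:
        return "Best Effort"
    if dscp == 46:
        return "Expedited Forwarding (EF)"
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:                          # class selector code points
        if cls >= 6:
            return "Control"
        return "Express Forwarding" if cls == 5 else f"Class {cls}"
    drop = low >> 1                       # AF drop precedence: 1 low ... 3 high
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low & 1 == 0:
        return f"Class {cls}, {AF_DROP_NAMES[drop]} (AF{cls}{drop})"
    return f"DSCP {dscp} (unassigned)"


def map_8021p_to_dscp(pcp, ranges=DEFAULT_DSCP_RANGES):
    """Outbound across a WAN link: use the lower bound of the priority's DSCP range."""
    return ranges[pcp][0]


def map_dscp_to_8021p(dscp, ranges=DEFAULT_DSCP_RANGES):
    """Inbound from the WAN: find the 802.1p priority whose range contains the DSCP."""
    for pcp, (begin, end) in ranges.items():
        if begin <= dscp <= end:
            return pcp
    return None


def apply_dscp_action(tos, action, explicit_dscp=None, pcp=None):
    """Apply an Access Rule DSCP Marking Action to a ToS byte; ECN bits are kept.
    None resets DSCP to 0, Preserve leaves it, Explicit sets a chosen value, Map
    derives it from the frame's 802.1p tag (my reading of the Map action)."""
    ecn = tos & 0x3
    if action == "None":
        return tos_from_dscp(0, ecn)
    if action == "Preserve":
        return tos
    if action == "Explicit":
        return tos_from_dscp(explicit_dscp, ecn)
    if action == "Map":
        return tos_from_dscp(map_8021p_to_dscp(pcp), ecn)
    raise ValueError(f"unknown DSCP marking action {action!r}")


if __name__ == "__main__":
    for dscp in (0, 8, 10, 14, 28, 40, 46, 48, 56):
        tos = tos_from_dscp(dscp)
        print(dscp, describe_dscp(dscp), legacy_precedence(tos), legacy_tos_flags(tos))
```

Running the loop at the bottom reproduces the Precedence column of Table 12 directly from the bit layout (the top three DSCP bits are the legacy precedence), which is why DSCP-to-802.1p mapping by range works across a WAN link.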
An effect of the security provided by SSL is the obscuration of all payload, including the URL
(Uniform Resource Locator, for example, https://www.mysonicwall.com) being requested by a
client when establishing an HTTPS session. This is due to the fact that HTTP is transported
within the encrypted SSL tunnel when using HTTPS. It is not until the SSL session is
established (step 14) that the actual target resource (www.mysonicwall.com) is requested by
the client, but since the SSL session is already established, no inspection of the session data
by the SonicWALL firewall appliance or any other intermediate device is possible. As a result,
URL based content filtering systems cannot consider the request to determine permissibility in
any way other than by IP address.
While IP address based filtering does not work well for unencrypted HTTP because of the
efficiency and popularity of Host-header based virtual hosting (defined in Key Concepts below),
IP filtering can work effectively for HTTPS due to the rarity of Host-header based HTTPS sites.
But this trust relies on the integrity of the HTTPS server operator, and assumes that SSL is not
being used for deceptive purposes.
For the most part, SSL is employed legitimately, being used to secure sensitive
communications, such as online shopping or banking, or any session where there is an
exchange of personal or valuable information. The ever decreasing cost and complexity of SSL,
however, has also spurred the growth of more dubious applications of SSL, designed primarily
for the purposes of obfuscation or concealment rather than security.
An increasingly common camouflage is the use of SSL-encrypted Web-based proxy servers for
the purpose of hiding browsing details and bypassing content filters. While it is simple to block
well-known HTTPS proxy services of this sort by their IP address, it is virtually impossible to
block the thousands of privately hosted proxy servers that are readily available through a
simple Web search. The challenge is not the ever-increasing number of such services, but
rather their unpredictable nature. Since these services are often hosted on home networks
using dynamically addressed DSL and cable modem connections, the targets are constantly
moving. Trying to block an unknown SSL target would require blocking all SSL traffic, which is
practically infeasible.
SSL Control provides a number of methods to address this challenge by arming the security
administrator with the ability to dissect and apply policy based controls to SSL session
establishment. While the current implementation does not decode the SSL application data, it
does allow for gateway-based identification and disallowance of suspicious SSL traffic.
For more information about SSL Control, see the SonicOS Enhanced 4.0 Administrator's
Guide.
To configure SSL Control, perform the following steps:
1.
Select the global icon, a group, or a SonicWALL appliance running SonicOS Enhanced 4.0
or higher.
2.
Expand the Firewall tree and click SSL Control. The SSL Control page displays.
3.
Under General Settings, select the Enable SSL Control checkbox to enable SSL Control
for the selected group or appliance.
4.
below, is detected, the event will be logged, but the SSL connection will be allowed to
continue.
SonicWALL GMS 7.0 Administrators Guide
Block the connection and log the event: In the event of a policy violation, the
5.
Custom Lists section below. Whitelisted entries take precedence over all other SSL
control settings.
before the current system time, or whose end date is beyond the current system time.
Date validation depends on the SonicWALL's System Time. Make sure your System
Time is set correctly, preferably synchronized with NTP, on the System > Time page.
susceptible to cipher downgrade attacks because it does not perform integrity checking
on the handshake. Best practices recommend using SSLv3 or TLS instead of SSLv2.
where the issuer's certificate is not in the SonicWALL's System > Certificates trusted
store.
with symmetric ciphers less than 64 bits, commonly indicating export cipher usage.
6.
Under Custom Lists, configure the Blacklist and Whitelist by defining strings for matching
common names in SSL certificates. Entries are case-sensitive and are used with
pattern-matching. For example, sonicwall.com will match https://www.sonicwall.com
and https://mysonicwall.com, but not https://www.sonicwall.de.
To add an entry to the Blacklist, type it into the Black List field and then click Add.
To add an entry to the Whitelist, type it into the White List field and then click Add.
7.
When finished, click Update. To return to default values and start over, click Reset.
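The policy evaluation described in steps 3 through 6 works on what a gateway can see during SSL session establishment without decrypting application data: the certificate's common name, issuer and validity dates, the protocol version, and the negotiated cipher strength. The following Python script is an added example, not SonicWALL code and not part of this guide; it models those checks, the log-versus-block action, and the case-sensitive substring matching and whitelist precedence of the Custom Lists. The host names, dates and handshake values in it are constructed sample data.

```python
"""SSL Control policy evaluation over handshake metadata only (no decryption of
application data), modelled on the checks this page lists (added example, not
SonicWALL code)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class HandshakeSummary:
    """Facts a gateway can observe while the SSL session is being established."""
    common_name: str       # CN of the server certificate
    issuer_trusted: bool   # issuer present in the trusted certificate store
    not_before: datetime
    not_after: datetime
    protocol: str          # "SSLv2", "SSLv3", "TLSv1"
    cipher_bits: int       # symmetric key length of the negotiated cipher


@dataclass(frozen=True)
class SSLControlPolicy:
    enabled: bool = True
    block_on_violation: bool = False   # False: log only; True: block and log
    whitelist: tuple = ()
    blacklist: tuple = ()
    detect_expired: bool = True
    detect_sslv2: bool = True
    detect_untrusted_ca: bool = True
    detect_weak_cipher: bool = True    # symmetric ciphers below 64 bits


def cn_matches(common_name, entries):
    """Case-sensitive substring match, as described for the Custom Lists."""
    return any(entry in common_name for entry in entries)


def evaluate(hs, policy, now):
    """Return (action, violations); action is 'allow', 'log' or 'block'."""
    if not policy.enabled:
        return "allow", []
    if cn_matches(hs.common_name, policy.whitelist):   # whitelist beats every other setting
        return "allow", []
    violations = []
    if cn_matches(hs.common_name, policy.blacklist):
        violations.append("blacklisted common name")
    if policy.detect_expired and not (hs.not_before <= now <= hs.not_after):
        violations.append("certificate outside its validity period")
    if policy.detect_sslv2 and hs.protocol == "SSLv2":
        violations.append("SSLv2 handshake")
    if policy.detect_untrusted_ca and not hs.issuer_trusted:
        violations.append("issuer not in trusted store")
    if policy.detect_weak_cipher and hs.cipher_bits < 64:
        violations.append(f"weak symmetric cipher ({hs.cipher_bits} bits)")
    if not violations:
        return "allow", []
    return ("block" if policy.block_on_violation else "log"), violations


# Constructed sample data; the host names are placeholders, not real services.
SAMPLE_NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)
VALID_FROM = datetime(2012, 1, 1, tzinfo=timezone.utc)
VALID_TO = datetime(2013, 1, 1, tzinfo=timezone.utc)
BANK = HandshakeSummary("www.bank.example", True, VALID_FROM, VALID_TO, "TLSv1", 128)
PROXY = HandshakeSummary("sslproxy.example.test", False, VALID_FROM, VALID_TO, "SSLv2", 40)
STALE = HandshakeSummary("old.example", True, VALID_FROM,
                         datetime(2012, 5, 1, tzinfo=timezone.utc), "TLSv1", 128)
SAMPLE_POLICY = SSLControlPolicy(block_on_violation=True, blacklist=("example.test",))


if __name__ == "__main__":
    for hs in (BANK, PROXY, STALE):
        print(hs.common_name, evaluate(hs, SAMPLE_POLICY, SAMPLE_NOW))
```

The expiry check depends on the evaluator's clock in the same way the appliance's depends on its System Time, which is why the page recommends NTP synchronization before relying on it.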
1.
Determine whether the service for which you want to create a rule is defined. If not, define
the service. Refer to the Adding a Service section on page 301.
2.
Create one or more rules for the service. Refer to the Creating Rules section on page 302.
3.
Repeat this procedure for each service for which you would like to define rules.
Adding a Service
By default, a large number of services are pre-defined. This section describes how to add a new
or custom service. To add a service, perform the following steps:
Note
1.
2.
Expand the Firewall tree and click Services. The Services page displays.
3.
To add a known service (e.g., HTTP, FTP, News), select the service from the Service Name
list box and click Add Known Service. Repeat this step for each service that you would
like to add. A task is scheduled for each service for each selected SonicWALL appliance.
Features and services vary widely depending on the managed appliance's firmware type
and version. Some options, including Add Known Service, are only available when
managing a Non-SonicOS device (such as a SonicWALL TELE3 TZX).
4.
To add a custom service, enter its name in the Service Name field, enter the port range it
uses in the Port Begin and Port End fields, select the appropriate protocol check boxes,
and click Add Custom Service. Repeat this step for each service that you would like to
add. A task gets scheduled for each service for each selected SonicWALL appliance.
5.
To remove a service from the list, select its trash can check box and click Update. A task
gets scheduled to update the services page for each selected SonicWALL appliance.
6.
Creating Rules
This section describes how to define rules for defined services in SonicOS Standard. To create
a rule, perform the following steps:
Caution
1.
2.
Expand the Firewall tree and click Rules. The Rules page displays.
3.
4.
Select a service from the Service Name list box. If the service does not exist, refer
to the Adding a Service section on page 301.
5.
6.
Select the SonicWALL interface to which this rule applies from the Source list box.
7.
To apply the rule to a range of IP addresses, enter the first and last IP addresses of the
range in the Addr. begin field and Addr. End fields, respectively. The rule will apply to
requests originating from IP addresses within this range. For all IP addresses, enter an
asterisk (*).
8.
Specify when the rule will be applied. By default, it is Always. To specify a time, enter the
time of day (in 24-hour format) to begin and end enforcement. Then, enter the days of the
week to begin and end rule enforcement.
9.
Specify how long (in minutes) the connection may remain idle before the connection is
terminated in the Inactivity Timeout field.
Fragmented packets are used in certain types of Denial of Service attacks and, by default,
are blocked. You should only enable the Allow Fragmented Packets check box if users are
experiencing problems accessing certain applications and the SonicWALL logs show many
dropped fragmented packets.
10. SonicWALL appliances can manage outbound traffic using bandwidth management. To
enable bandwidth management for this service, select the Enable Outbound Bandwidth
Management check box.
Enter the amount of bandwidth that will always be available to this service in the
Guaranteed Bandwidth field. Keep in mind that this bandwidth will be permanently
assigned to this service and not available to other services, regardless of the amount of
bandwidth this service does or does not use.
Enter the maximum amount of bandwidth that will be available to this service in the
Maximum Bandwidth field.
Select the priority of this service from the Bandwidth Priority list box. Select a priority from
0 (highest) to 7 (lowest).
Note
11. To add this rule to the rule list, click Update. Repeat Step 3 through Step 11 for each rule
12. If the network access rules have been modified or deleted, you can restore the Default
Rules. The Default Rules prevent malicious intrusions and attacks, block all inbound IP
traffic and allow all outbound IP traffic. To restore the network access rules to their default
settings, click Restore Rules to Defaults and click Update. A task is scheduled to update
the rules page for each selected SonicWALL appliance.
13. If the network access rules for a SonicWALL appliance need to be uniform with access rules
for other SonicWALL appliances in the same group, you can restore the group rules.
To do this, click Restore Rules to Group Settings and click Update. A task is scheduled
to overwrite the rules page for each selected SonicWALL appliance.
If you want to append the group rules to the current rules, make sure the Append Services
and Rules inherited from group check box is selected on the GMS Settings page of the
Console Panel.
Note
14. To modify a rule, select its notepad icon. The Add/Modify Rule dialog box displays. When
you are finished making changes, click Update. SonicWALL GMS creates a task that
modifies the rule for each selected SonicWALL appliance.
15. To disable a rule without deleting it, deselect its Enable Rule check box.
16. To delete a rule, select its trash can icon and click Update. SonicWALL GMS creates a task
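The rule fields described in steps 4 through 9 (service with its port range and protocols, source interface, source address range with * for all addresses, and a time-of-day and day-of-week schedule) combine into a matching decision, with the Default Rules of step 12 (block all inbound, allow all outbound) applying when no rule matches. The following Python script is an added example, not SonicWALL code and not part of this guide; it evaluates a constructed rule set against sample connections. The allow/deny action on each rule and the first-match ordering are assumptions, since this page does not describe the action field or the evaluation order.

```python
"""Evaluate SonicOS Standard style access rules (service, source interface,
address range, schedule) against a connection, with the documented default of
blocking inbound and allowing outbound traffic (added example, not SonicWALL
code; the allow/deny action field and first-match order are my assumptions)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Service:
    name: str
    port_begin: int
    port_end: int
    protocols: frozenset     # e.g. frozenset({"tcp"}) or frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Rule:
    service: str
    action: str                              # "allow" or "deny"
    source: str                              # interface: "LAN", "WAN", "DMZ"
    addr_begin: str = "*"                    # "*" means all addresses
    addr_end: str = "*"
    time_begin: str = "00:00"                # 24-hour format, inclusive
    time_end: str = "23:59"
    days: frozenset = frozenset(range(7))    # 0 = Monday ... 6 = Sunday
    enabled: bool = True                     # the "Enable Rule" check box


@dataclass(frozen=True)
class Connection:
    src_iface: str
    src_ip: str
    protocol: str
    dst_port: int


def ip_in_range(ip, begin, end):
    if begin == "*" or end == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(begin) <= addr <= ipaddress.ip_address(end)


def schedule_active(rule, when):
    """Rule enforcement window: day of week plus a time-of-day range."""
    if when.weekday() not in rule.days:
        return False
    return rule.time_begin <= when.strftime("%H:%M") <= rule.time_end


def service_matches(service, conn):
    return conn.protocol in service.protocols and \
        service.port_begin <= conn.dst_port <= service.port_end


def default_action(conn):
    """Default Rules: block all inbound IP traffic, allow all outbound IP traffic."""
    return "deny" if conn.src_iface == "WAN" else "allow"


def evaluate(rules, services, conn, when):
    """First enabled rule that matches decides; otherwise the default rule applies.
    Returns (action, matching rule or None)."""
    for rule in rules:
        if not rule.enabled or rule.source != conn.src_iface:
            continue
        if not service_matches(services[rule.service], conn):
            continue
        if not ip_in_range(conn.src_ip, rule.addr_begin, rule.addr_end):
            continue
        if not schedule_active(rule, when):
            continue
        return rule.action, rule
    return default_action(conn), None


# Constructed sample configuration.
SERVICES = {
    "HTTP": Service("HTTP", 80, 80, frozenset({"tcp"})),
    "CustomApp": Service("CustomApp", 5000, 5010, frozenset({"tcp", "udp"})),
}
RULES = [
    # no web browsing from the guest address range during office hours, Mon-Fri
    Rule("HTTP", "deny", "LAN", "192.168.1.100", "192.168.1.199",
         "09:00", "17:00", frozenset(range(5))),
    # allow the custom service in from the WAN at any time
    Rule("CustomApp", "allow", "WAN"),
]
OFFICE_HOURS = datetime(2012, 6, 6, 10, 0)   # a Wednesday
WEEKEND = datetime(2012, 6, 9, 10, 0)        # a Saturday

if __name__ == "__main__":
    web = Connection("LAN", "192.168.1.150", "tcp", 80)
    print(evaluate(RULES, SERVICES, web, OFFICE_HOURS)[0],
          evaluate(RULES, SERVICES, web, WEEKEND)[0])
```

The disabled-rule case shows why step 15 exists: a rule with Enable Rule cleared is skipped, so traffic falls through to later rules or to the default, without the rule having to be deleted and recreated.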
2.
Expand the Firewall tree and click Advanced. The Advanced page displays.
3.
Computers running Microsoft Windows communicate with each other through NetBIOS
broadcast packets. By default, SonicWALL appliances block these broadcasts. To allow
NetBIOS packets to pass among the interfaces, select the appropriate checkbox in the
Windows Networking (NetBIOS) Broadcast Pass Through section.
4.
Detection prevention helps hide SonicWALL appliances from potential hackers. Select from
the following Detection Prevention options:
To enable stealth mode, select the Enable Stealth Mode check box. During normal
Hackers can use various detection tools to fingerprint IP IDs and detect the presence
5.
Select the dynamic ports that will be supported from the Dynamic Ports area:
Enable support for Oracle (SQLNet): Select if you have Oracle applications on your
network.
Enable support for Windows Messenger: Select this option to support special SIP
real-time data, such as audio and video. Real Time Streaming Protocol (RTSP) is an
application-level protocol for control over delivery of data with real-time properties.
6.
The Drop Source Routed Packets check box is selected by default. Clear the check box
if you are testing traffic between two specific hosts and you are using source routing.
7.
Select Disable Anti-Spyware, Gateway AV and IPS Engine if you want to enable more
connections at the expense of the Gateway Anti-Virus and Intrusion Prevention services.
This is generally not recommended because it opens the SonicWALL security appliance to
possible threats.
8.
The Connection Inactivity Timeout option disables connections outside the LAN if they are
idle for a specified period of time. Without this timeout, connections can stay open
indefinitely and create potential security holes. To specify how long the SonicWALL
appliance(s) wait before closing inactive connections outside the LAN, enter the amount of
time in the Default Connection Timeout field (default: 25 minutes).
9.
By default, FTP connections from port 20 are allowed, but remapped to outbound traffic
ports such as 1024. If you select the Force inbound and outbound FTP data
connections to use default port 20 check box, any FTP data connection through the
SonicWALL must come from port 20 or the connection will be dropped and logged.
Note
10. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
CHAPTER 12
Configuring Firewall Log Settings
This chapter describes how to use SonicWALL GMS to configure where the SonicWALL
appliance(s) send their logs, how often the logs are sent, and what information is included.
This chapter includes the following sections:
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
Select the Policies tab. In the center pane, navigate to Log > Log Settings.
3.
Enter the IP address or name of the mail server in the Mail Server (name or IP Address)
field.
4.
Enter the name of the SonicWALL appliance in the Firewall Name field. The firewall name
appears in the subject of email sent by the SonicWALL appliance. By default, the firewall
name is the same as the SonicWALL appliance serial number.
Note
The name of the SonicWALL appliance cannot be configured at the group or global
level.
5.
To override syslog settings with ViewPoint settings, check the Override Syslog settings
with ViewPoint settings box.
6.
To select a syslog format, choose one of the two options from the Syslog Format pull-down
menu:
Default: The standard SonicWALL syslog format.
WebTrends: A reporting software that analyzes traffic activity, protocol usage,
security problems, resource usage, bandwidth consumption, and more. For more
information, visit http://www.webtrends.com.
7.
To specify how often SonicWALL GMS logs repetitive events, enter the time period (in
seconds) in the Syslog Event Redundancy Filter field (default: 60 seconds). This
prevents repetitive events from being logged to the syslog. If duplicate events occur during
the period, they will be logged as a single event that specifies the number of times that the
event occurred. The minimum is 0 seconds and the maximum is 86,400 seconds (24 hours).
If you specify 0, all events are logged.
For GMS network deployments using Gen-2/Distributed Summarizer Mode, enter 0 in the
Syslog Event Redundancy Filter field. Although a higher setting prevents a log file from
being full of repetitive events, setting this field to anything other than 0 will result in
inaccurate reporting.
For information about the Distributed Summarizer, see the section on page 801.
Additionally, you can select the number of days that raw syslog data is stored. The raw data
is made up of information for every connection. Depending on the amount of traffic, this can
quickly consume an enormous amount of space in the database. Be very careful when
selecting how much raw information to store. As of SonicWALL GMS 7.0, Summarizer
processing applies to CDP appliances only.
8.
To enable event rate limiting, check the Enable Event Rate Limiting box and enter a
maximum number of events per second in the Maximum Events Per Second field.
9.
To enable data rate limiting, check the Enable Data Rate Limiting box and enter a
maximum bytes per second in the Maximum Bytes Per Second field.
10. Specify how often the SonicWALL appliance(s) send heartbeats to SonicWALL GMS in the
Heartbeat Rate field (default: 60 seconds). If SonicWALL GMS does not receive a
heartbeat message within three intervals, SonicWALL GMS will consider the SonicWALL
appliance offline or unavailable and its icon will turn red.
Note
11. Enter the complete email address (for example, administrator@company.com) where the
log will be sent in the Email Log to field. If this field is left blank, the log will not be sent.
Note
12. Some events, such as an attack, may require immediate attention. Enter the complete email
address or email pager address in the Email Alerts to field. If this field is left blank, alerts
will not be sent.
Note
For information about alerts in the GMS Granular Event Management framework, see
Configuring Granular Event Management section on page 826.
13. To email the log now, click Email Log Now.
14. To clear the log, click Clear Log Now. A confirmation displays. Click OK to clear the log.
15. To add a syslog server, enter the IP address and port in the Syslog Server IP Address and
16. For automated log delivery, specify when the log file will be sent from the Send Log
pull-down menu. Select When Full, Daily, or Weekly. If the log will be sent daily, select the
time that the log will be sent (24-hour format). If the log will be sent weekly, select the day
of the week and the time.
17. In some cases, the log buffer may fill up. This may occur if there is a problem with the mail
server and the log cannot be successfully emailed. Under When Log Overflows, select
Overwrite Log (SonicWALL appliances will overwrite the log and discard its contents) or
Shutdown SonicWALL (this blocks further traffic so that no traffic passes unlogged).
18. Select information to log from the Categories section. To select all categories, check the
Note
If you are using SonicWALL GMS, make sure that it can generate all reports for each
SonicWALL appliance by selecting all log category check boxes except for Network
Debug.
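The Syslog Event Redundancy Filter (step 7 above, and step 10 of the procedure that follows) and the event and data rate limits (steps 8 and 9, and 11 and 12 below) are easiest to understand by running them over a few events. The following Python script is an added example, not SonicWALL code and not part of this guide; it collapses repeats of the same event within the redundancy window into one record carrying a count, logs everything when the window is 0, and caps events and bytes per second. The events are constructed (timestamp, event id, message) tuples; the actual SonicWALL syslog line format is not modelled.

```python
"""Syslog Event Redundancy Filter and event/data rate limiting, simulated over
constructed log events (added example, not SonicWALL code).  Events are
(timestamp_seconds, event_id, message) tuples."""
from collections import defaultdict

SAMPLE_EVENTS = [   # constructed sample events
    (0, "syn-flood", "Possible SYN flood on WAN"),
    (3, "admin-login", "Administrator login"),
    (5, "syn-flood", "Possible SYN flood on WAN"),
    (10, "syn-flood", "Possible SYN flood on WAN"),
    (10, "port-scan", "Probable port scan detected"),
    (10, "port-scan", "Probable port scan detected"),
    (10, "port-scan", "Probable port scan detected"),
    (20, "syn-flood", "Possible SYN flood on WAN"),
    (30, "syn-flood", "Possible SYN flood on WAN"),
    (70, "syn-flood", "Possible SYN flood on WAN"),
]


def redundancy_filter(events, window_seconds):
    """Collapse repeats of the same event id that fall within window_seconds of the
    first occurrence into one record with a count. A window of 0 logs everything."""
    if not 0 <= window_seconds <= 86400:
        raise ValueError("window must be 0..86,400 seconds")
    records = []
    open_record = {}             # event_id -> index of the record still accumulating
    for ts, event_id, msg in sorted(events, key=lambda e: e[0]):
        idx = open_record.get(event_id)
        if window_seconds and idx is not None and ts - records[idx]["first_ts"] < window_seconds:
            records[idx]["count"] += 1
            records[idx]["last_ts"] = ts
            continue
        records.append({"first_ts": ts, "last_ts": ts, "event_id": event_id,
                        "msg": msg, "count": 1})
        open_record[event_id] = len(records) - 1
    return records


def event_rate_limit(events, max_per_second):
    """Keep at most max_per_second events in any one second. Returns (kept, dropped)."""
    seen = defaultdict(int)
    kept, dropped = [], 0
    for ev in sorted(events, key=lambda e: e[0]):
        second = int(ev[0])
        if seen[second] < max_per_second:
            seen[second] += 1
            kept.append(ev)
        else:
            dropped += 1
    return kept, dropped


def data_rate_limit(events, max_bytes_per_second):
    """Same idea by message size: stop forwarding once a second's byte budget is used."""
    used = defaultdict(int)
    kept, dropped = [], 0
    for ev in sorted(events, key=lambda e: e[0]):
        second, size = int(ev[0]), len(ev[2].encode())
        if used[second] + size <= max_bytes_per_second:
            used[second] += size
            kept.append(ev)
        else:
            dropped += 1
    return kept, dropped


if __name__ == "__main__":
    for r in redundancy_filter(SAMPLE_EVENTS, 60):
        print(r)
    print(event_rate_limit(SAMPLE_EVENTS, 2)[1], "events dropped by the 2/s limit")
```

With a 60-second window the five SYN flood events between seconds 0 and 30 become one record with a count of 5, while the repeat at second 70 starts a new record; this collapsing is also why the text tells Distributed Summarizer deployments to set the window to 0, since the reporting side needs every occurrence.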
2.
Enter the IP address or name of the mail server in the Mail Server (name or IP Address)
field.
3.
Enter the email address that will appear as the sender on emails in the From E-mail
Address field.
4.
Select a method of authentication from the Authentication Method pull-down menu, either
None or POP before SMTP.
5.
If you selected POP before SMTP, enter the POP server name or IP address in the POP
Server (name or IP address) field, and the POP account user name and password in the
Username and Password fields.
6.
Enter the name of the SonicWALL appliance in the Firewall Name field. The firewall name
appears in the subject of email sent by the SonicWALL appliance. By default, the firewall
name is the same as the SonicWALL appliance serial number.
Note
The name of the SonicWALL appliance cannot be configured at the group or global
level.
7.
In the Syslog Facility pull-down menu, select one of the syslog facility options.
8.
To override syslog settings with ViewPoint settings, check the Override Syslog settings
with ViewPoint settings box.
9.
To select a syslog format, choose one of the two options from the Syslog Format pull-down
menu:
Default: The standard SonicWALL syslog format.
WebTrends: A reporting software that analyzes traffic activity, protocol usage,
security problems, resource usage, bandwidth consumption, and more. For more
information, visit http://www.webtrends.com.
10. To specify how often SonicWALL GMS logs repetitive events, enter the time period (in
seconds) in the Syslog Event Redundancy Filter field (default: 60 seconds). This
prevents repetitive events from being logged to the syslog. If duplicate events occur during
the period, they will be logged as a single event that specifies the number of times that the
event occurred. The minimum is 0 seconds and the maximum is 86,400 seconds (24 hours).
If you specify 0, all events are logged.
11. To enable event rate limiting, check the Enable Event Rate Limiting box and enter a
maximum number of events per second in the Maximum Events Per Second field.
12. To enable data rate limiting, check the Enable Data Rate Limiting box and enter a
maximum bytes per second in the Maximum Bytes Per Second field.
13. Specify how often the SonicWALL appliance(s) send heartbeats to SonicWALL GMS in the
Heartbeat Rate field (default: 60 seconds). If SonicWALL GMS does not receive a
heartbeat message within three intervals, SonicWALL GMS will consider the SonicWALL
appliance offline or unavailable and its icon will turn red.
Note
14. Enter the complete email address (for example, administrator@company.com) where the
log will be sent in the Email Log to field. If this field is left blank, the log will not be sent.
Note
15. Some events, such as an attack, may require immediate attention. Enter the complete email
address or email pager address in the Email Alerts to field. If this field is left blank, alerts
will not be sent.
Note
16. To email the log now, click Email Log Now. The scheduler displays.
17. Expand Schedule by clicking the plus icon.
18. Select Immediate or specify a future date and time.
19. Click Accept.
20. To clear the log, click Clear Log Now. A confirmation displays. Click OK to clear the log.
21. To add a syslog server, enter its IP address and port in the Syslog Server IP Address
and port fields. To specify when the log is emailed, select When Full, Daily, or Weekly
from the pull-down menu. If the log will be sent daily, select the time that the log will be
sent (24-hour format). If the log will be sent weekly, select the day of the week and the time.
26. In some cases, the log buffer may fill up. This may occur if there is a problem with the mail
server and the log cannot be successfully emailed. Under When Log Overflows, select
Overwrite Log (the SonicWALL appliance overwrites the log and discards its contents) or
Shutdown SonicWALL (the appliance stops passing traffic rather than let traffic go unlogged).
27. From the Logging Level pull-down menu, select one of the logging level options.
28. From the Alert Level pull-down menu, select one of the alert level options.
29. Enter a period of time, in seconds, in the Log Redundancy Filter (seconds) field.
30. Enter a period of time, in seconds, in the Alert Redundancy Filter (seconds) field.
31. For each category in the Categories table, select a combination of Log, Alerts, and
Syslog.
Note
If you are using SonicWALL GMS, make sure that it can generate all reports for each
SonicWALL appliance by selecting all log category check boxes.
32. When you are finished, click Update. The scheduler displays.
33. Expand Schedule by clicking the plus icon.
34. Select Immediate or specify a future date and time.
35. Click Accept.
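The redundancy filter (step 10), event rate limiting (step 11), and the heartbeat rule (step 13) are easier to reason about when the behavior is written out. The following Python model is an added example for this guide, not SonicWALL GMS or SonicOS code; the function names, the constructed event list, and the assumptions that a duplicate is a byte-identical message and that the redundancy window starts at the first occurrence that was logged are the example's own.

```python
"""Added example (not SonicWALL GMS or SonicOS code): a model of the syslog
event redundancy filter, event rate limiting, and the heartbeat-loss rule
described in the log settings steps above."""

MAX_REDUNDANCY_WINDOW = 86_400  # seconds; the upper bound named in step 10


def validate_redundancy_window(seconds):
    """Reject values outside the 0..86,400 second range the field accepts."""
    if not 0 <= seconds <= MAX_REDUNDANCY_WINDOW:
        raise ValueError("redundancy filter must be 0..86400 seconds")
    return seconds


def redundancy_filter(events, window_seconds):
    """Collapse repeats of the same message seen within window_seconds of the
    first occurrence into one record carrying a repeat count.
    events: list of (timestamp_seconds, message) in arrival order.
    window_seconds == 0 disables the filter and logs every event.
    Assumption of this example: a duplicate is a byte-identical message and
    the window is measured from the first occurrence that was logged."""
    validate_redundancy_window(window_seconds)
    logged = []        # (first_timestamp, message, count)
    open_record = {}   # message -> index into logged
    for ts, msg in events:
        if window_seconds and msg in open_record:
            idx = open_record[msg]
            first_ts, _, count = logged[idx]
            if ts - first_ts < window_seconds:
                logged[idx] = (first_ts, msg, count + 1)
                continue
        open_record[msg] = len(logged)
        logged.append((ts, msg, 1))
    return logged


def rate_limit(events, max_events_per_second):
    """Keep at most max_events_per_second events per wall-clock second bucket
    and count the rest as dropped (step 11). Dropped events are gone, which is
    why a burst of attack events can vanish if the limit is set too low."""
    kept, dropped = [], 0
    per_second = {}
    for ts, msg in events:
        bucket = int(ts)
        if per_second.get(bucket, 0) >= max_events_per_second:
            dropped += 1
            continue
        per_second[bucket] = per_second.get(bucket, 0) + 1
        kept.append((ts, msg))
    return kept, dropped


def appliance_status(last_heartbeat_ts, now_ts, heartbeat_rate=60, missed_intervals=3):
    """'online' until no heartbeat has arrived for missed_intervals full
    heartbeat periods (180 s at the 60 s default), then 'offline' (step 13)."""
    if now_ts - last_heartbeat_ts < heartbeat_rate * missed_intervals:
        return "online"
    return "offline"


# Constructed sample: (seconds, syslog message text); not captured from a device.
SAMPLE_EVENTS = [
    (0, "Possible port scan dropped"),
    (10, "Possible port scan dropped"),
    (30, "Web site access allowed"),
    (59, "Possible port scan dropped"),
    (61, "Possible port scan dropped"),
    (200, "Web site access allowed"),
]

# Constructed burst: four identical events inside the same second.
BURST = [(5.0, "ICMP packet dropped")] * 4

if __name__ == "__main__":
    for record in redundancy_filter(SAMPLE_EVENTS, 60):
        print(record)
    print(rate_limit(BURST, 2))
    print(appliance_status(last_heartbeat_ts=0, now_ts=180))
```

Running the block shows the trade-off the settings encode: with a 60-second window the three port-scan messages at 0, 10, and 59 seconds become one record with a count of 3, while the one at 61 seconds starts a new record; the rate limiter silently discards half of the four-event burst, so a limit that is too low hides exactly the flood you would want to see.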
2.
3.
Click the Log Settings option. GMS displays the Log Settings dialog box.
4.
In the Heartbeat Rate field in the General region, type a value that represents the number
of seconds that is the interval between heartbeat tests. Note that the default interval is 60
seconds.
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
4.
From the Name Resolution Method pull-down menu, select None, DNS, NetBIOS, or DNS
then NetBIOS.
5.
For DNS and DNS then NetBios, configure the following DNS settings:
Specify DNS Servers Manually: Select this radio button to manually configure the
DNS servers and specify the IP address(es) in the Log Resolution DNS Server 1 - 3
fields.
Inherit DNS Settings Dynamically from WAN: Select this radio button to inherit the
6.
Click Update.
CHAPTER 13
Viewing Firewall Diagnostic Information
SonicWALL appliances store information about all devices with which they have
communicated. When you generate diagnostic information, only one report can be generated
at a time and the information is only maintained during the current session. For example, if you
run a firewall log report and then log off or generate another report, the firewall log report data
will be lost until you run the report again.
This chapter includes the following sections:
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
Click the Policies tab. In the center pane, navigate to Diagnostics > Network.
3.
4.
5.
To view the log file for the selected SonicWALL appliance(s), click Request Log file
display from unit(s).
6.
To test the RADIUS server, enter the username and password of a valid user in the User
and Password fields and click Radius Client Test.
7.
8.
To find a network path from the SonicWALL appliance(s), enter an IP address in the Host
field and click Find Network Path.
9.
To ping a host from the SonicWALL appliance(s), enter a hostname or IP address in the
Host field and click Ping.
10. To perform a Traceroute from the SonicWALL appliance(s), enter a hostname or IP address
11. To view dynamic routing information, click Fetch Default Route Policies (SonicOS 2.5
Enhanced or later).
12. To perform a reverse name resolution, enter an IP address in the Reverse Lookup the IP
13. To perform a real-time black list lookup, enter an IP address in the IP Address field, a
FQDN for the RBL in the RBL Domain field, and DNS server information in the DNS Server
field. Click Real-time Black List Lookup.
14. To generate a Tech Support Report, select any of the following four report options:
To start a packet trace, enter the IP address of the host to trace in the Host field and
click Start. You must enter an IP address in the Host field; do not enter a host name, such
as www.yahoo.com. Click Stop to terminate the packet trace and Query to query the
trace. To reset a host, enter the IP address in the Host field and click Reset.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
Click the Policies tab. In the center pane, navigate to Diagnostics > Connections
Monitor.
3.
You can filter the results to display only connections matching certain criteria. You can filter by
Source IP, Destination IP, Destination Port, Protocol, Source Interface, and Destination
Interface. Enter your filter criteria in the Active Connections Monitor Settings table.
The fields you enter values into are combined into a search string with a logical AND. For
example, if you enter values for Source IP and Destination IP, the search string will look for
connections matching:
Source IP AND Destination IP
Check the Group Filters box next to any two or more criteria to combine them with a logical
OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check
Group Filter next to Source IP and Destination IP, the search string will look for connections
matching:
(Source IP OR Destination IP) AND Protocol
4.
Click Fetch Active Connections Monitor to apply the filter immediately to the Active
Connections Monitor table. The scheduler displays.
5.
6.
7.
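The AND/OR combination rule for the Active Connections Monitor filter (step 3 above) is easy to get backwards when several fields are filled in. The following Python model is an added example for this guide, not SonicWALL GMS code; the record field names, the interface names X0 and X1, and the constructed connection table are assumptions of the example, and the only rule it encodes is the one the page states: grouped fields are OR'ed together and that term is AND'ed with every other field.

```python
"""Added example (not SonicWALL GMS code): how the Active Connections Monitor
filter fields combine, with and without the Group Filters box, applied to a
constructed table of connections."""

# Display names used in the search string, keyed by the field names this
# example uses for its connection records.
LABELS = {
    "src_ip": "Source IP",
    "dst_ip": "Destination IP",
    "dst_port": "Destination Port",
    "protocol": "Protocol",
    "src_if": "Source Interface",
    "dst_if": "Destination Interface",
}

# Constructed sample of active connections (interface names assumed).
CONNECTIONS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "dst_port": 443, "protocol": "TCP", "src_if": "X0", "dst_if": "X1"},
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.9", "dst_port": 80, "protocol": "TCP", "src_if": "X0", "dst_if": "X1"},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.2", "dst_port": 53, "protocol": "UDP", "src_if": "X0", "dst_if": "X1"},
    {"src_ip": "192.0.2.4", "dst_ip": "10.0.0.7", "dst_port": 22, "protocol": "TCP", "src_if": "X1", "dst_if": "X0"},
]


def split_criteria(criteria, grouped):
    """Fields with Group Filters checked are OR'ed together; every other
    field is AND'ed. The page says Group Filters applies to two or more
    criteria, so a single checked field is treated as ungrouped."""
    grouped = [f for f in criteria if f in grouped]
    if len(grouped) < 2:
        grouped = []
    ungrouped = [f for f in criteria if f not in grouped]
    return ungrouped, grouped


def search_string(criteria, grouped=()):
    """Render the logical expression the page describes, e.g.
    '(Source IP OR Destination IP) AND Protocol'."""
    ungrouped, grp = split_criteria(criteria, grouped)
    terms = []
    if grp:
        terms.append("(" + " OR ".join(LABELS[f] for f in grp) + ")")
    terms.extend(LABELS[f] for f in ungrouped)
    return " AND ".join(terms)


def filter_connections(connections, criteria, grouped=()):
    """Return the connections matching the combined filter."""
    ungrouped, grp = split_criteria(criteria, grouped)

    def matches(conn):
        if any(conn[f] != criteria[f] for f in ungrouped):
            return False
        return not grp or any(conn[f] == criteria[f] for f in grp)

    return [c for c in connections if matches(c)]


if __name__ == "__main__":
    plain = {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9"}
    print(search_string(plain), len(filter_connections(CONNECTIONS, plain)))
    with_group = {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "protocol": "TCP"}
    print(search_string(with_group, grouped=("src_ip", "dst_ip")),
          len(filter_connections(CONNECTIONS, with_group, grouped=("src_ip", "dst_ip"))))
```

With Source IP and Destination IP filled in and nothing grouped, only the one connection that matches both is returned; checking Group Filters on those two fields and adding Protocol widens the result to every TCP connection that matches either address, which is the difference between "find this one flow" and "find everything this host or that server is talking to".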
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
Click the Policies tab. In the center pane, navigate to Diagnostics > CPU Monitor.
3.
To refresh the CPU diagnostic display, click Refresh Diagnostic Data display.
4.
To delete the CPU diagnostic display, click Delete Diagnostic Data display.
5.
To modify the time period for the CPU data, select one of the following periods from the
Chart for pull-down menu:
CPU History for the last 60 seconds: Displays CPU history for the last minute.
CPU History for the last 60 minutes: Displays CPU history for the last hour.
CPU History for the last 24 hours: Displays CPU history for the last day.
CPU History for the last 30 days: Displays CPU history for the last 30 days.
6.
Click Fetch CPU Information to display CPU information from the SonicWALL appliance.
The scheduler displays.
7.
8.
9.
Click Accept.
2.
Expand the Diagnostics tree and click Process Monitor. The Process Monitor page
displays.
3.
To refresh the process diagnostic display, click Refresh Diagnostic Data display.
4.
To delete the process diagnostic display, click Delete Diagnostic Data display.
5.
Click Fetch Process Information to display Process Monitor information. The scheduler
displays.
6.
7.
8.
Click Accept.
CHAPTER 14
Configuring Firewall Website Blocking
This chapter describes how to use SonicWALL GMS to configure website blocking options for
one or more SonicWALL appliances. This functionality can be used to deny access to material
supplied by the active content filtering subscription, specific domains, domains by keyword, and
Web features such as ActiveX, Java, and cookies.
This chapter includes the following sections:
Note
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
In the center pane, navigate to Website Blocking > General. The Website Blocking
General page displays.
4.
N2H2: To use N2H2, you must have the N2H2 software package running on a server
Websense: To use Websense, you must have the Websense Enterprise software
Note
Timesaver
If you select N2H2 or Websense, make sure to configure the appropriate filtering
options. For more information, refer to the N2H2 and Websense Content Filtering
section on page 338.
5.
A trusted domain is a domain that is allowed to use Web features such as Java, ActiveX,
and cookies. To create a list of trusted domains, select the Don't block
Java/ActiveX/Cookies to Trusted Domains check box.
6.
Enter one or more domain names in the Trusted Domains field and click Add. The
scheduler displays. Separate multiple domains with a semicolon (;).
Importing a .txt file with one domain name per line is the easiest way to add multiple
domains to a Trusted Domains list. Click the Import... button to add multiple domains from
a text file.
7.
8.
9.
Click Accept.
10. Repeat steps 6 through 9 for each additional domain you want to add.
Note
Enter the domain name only. For example, yahoo.com. Do not include http://.
Entering yahoo.com will also allow access to www.yahoo.com, my.yahoo.com,
sports.yahoo.com, and so on.
Note
This feature will only enable Web features for the selected domains. To make the
domain available for unrestricted browsing, add it to the Allowed Domains list. For
more information, refer to the Customizing Access by Domain section on page 331.
11. To delete a domain from the Trusted Domain list, click the checkbox in the trash can column
12. To apply content filtering and Web feature restrictions to the LAN port (WorkPort), select
LAN/WorkPort.
13. To apply content filtering and Web feature restrictions to the DMZ port (HomePort), select
14. Enter the message that will be displayed when users attempt to access restricted content,
sites, and features. For example: This Web site is restricted. Get back to work.
15. When you are finished, click Update. The scheduler displays.
16. Expand Schedule by clicking the plus icon.
17. Select Immediate or specify a future date and time.
18. Click Accept.
Note
You must activate a service license to use CFL or CFS content blocking.
Note
This page does not affect N2H2 or Websense content filtering. For information on
configuring filtering options for these software packages, refer to their documentation.
To configure the filter list, perform the following steps:
1.
In the left pane, select the global icon, a group or a SonicWALL appliance.
2.
3.
In the center pane, navigate to Website Blocking > CFL Filter List.
4.
Select the content to block by checking the box next to any of the following categories (to
select all categories, check the Select All box):
Violence/Profanity: Includes pictures or text depicting extreme cruelty, or physical or
emotional acts against any animal or person that are primarily intended to hurt or inflict
pain. Obscene words, phrases, and profanity are defined as text that uses, but is not
limited to, George Carlin's seven censored words, more often than once every 50
messages (Newsgroups) or once a page (Web sites).
Partial Nudity: Pictures exposing the female breast or full exposure of either male or
female buttocks, except when exposing genitalia. Excludes all swimsuits, including
thongs.
Full Nudity: Pictures exposing any or all portions of the human genitalia. Excludes
sites containing nudity or partial nudity of a wholesome nature. For example, Web sites
hosted by publications such as National Geographic or Smithsonian Magazine and
museums such as the Guggenheim, the Louvre, or the Museum of Modern Art are not
blocked.
involved in explicit sexual acts and or lewd and lascivious behavior, including
masturbation, copulation, pedophilia, and intimacy involving nude or partially nude
people in heterosexual, bisexual, lesbian or homosexual encounters. This also includes
phone sex ads, dating services, adult personals, CD-ROMs, and videos.
anything that are crudely vulgar or grossly deficient in civility or behavior, or that show
scatological impropriety. For example, maiming, bloody figures, or indecent depiction
of bodily functions.
against any race, color, national origin, religion, disability or handicap, gender, or
sexual orientation. Includes any picture or text that elevates one group over another.
Also includes intolerant jokes or slurs.
for evil or wickedness, or the advocacy to join a cult. A cult is defined as a closed
society headed by a single individual where loyalty is demanded and leaving is
punishable.
Drug Culture (graphics or text): Pictures or text advocating the illegal use of drugs
for entertainment. Includes substances used for other than their primary purpose to
alter the individual's state of mind, such as glue sniffing. Excludes currently illegal drugs
legally prescribed for medicinal purposes (e.g., drugs used to treat glaucoma or
cancer).
contraceptives. This topic includes condom use, the correct way to wear a condom and
how to put a condom in place. Also included are sites relating to discussion about the
use of the Pill, IUDs, and other types of contraceptives. In addition to the above, this
includes discussion sites on discussing diseases with a partner, pregnancy, and
respecting boundaries. Excluded from this category are commercial sites selling sexual
paraphernalia.
materials or activities of a dubious nature that may be illegal in any or all jurisdictions,
such as illegal business schemes, chain letters, copyright infringement, computer
hacking, phreaking (using someone's phone lines without permission), and software
piracy.
5.
Tip
To configure the SonicWALL appliance(s) to download the content list weekly, select the
Automatically Download List Every check box and select the day of the week and time
when the download will occur.
If you select this option, configure the SonicWALL appliance(s) to download the list at a time
when network activity is low.
Note
6.
To download a new content filter list now, click the Download Filter List Now button. The
scheduler displays.
7.
8.
9.
Click Accept.
Log Only: Does not block access to restricted content, sites, and features, but logs
expires, select Block traffic to all websites except for Allowed Domains.
To allow access to all Web sites thirty days after the filter list expires, select Allow
Configuring the General CFS Filter List Settings section on page 324.
Note
This page does not affect N2H2 or Websense content filtering. For information on
configuring filtering options for these software packages, refer to their documentation.
To configure the filter list, perform the following steps:
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
In the center pane, navigate to Website Blocking > CFS Filter List.
4.
To enable failover to a backup CFS server, select the Enable CFS Server Failover
checkbox.
5.
To filter both HTTP and HTTPS traffic, select the Enable HTTPS Content Filtering
checkbox. Because the appliance cannot read the encrypted request, HTTPS content filtering
matches only on destination IP address and hostname, not on the full URL. HTTP content
filtering can redirect to enforce authentication or show a block page, but a blocked HTTPS
page is silently dropped and the user sees no block page.
6.
Specify how long the SonicWALL appliance will wait if the CFS server is unavailable before
blocking Web traffic in the If Server is unavailable for field.
7.
Specify the action the SonicWALL appliance will take if the server is unavailable. To block
access to all Web sites, select Block traffic to all Web sites. To allow access to all Web
sites, select Allow traffic to all Web sites.
8.
Specify how the SonicWALL appliance will respond to blocked URLs in the If Server marks
URL as blocked section:
Block Access to URL: Blocks access to restricted content, sites, and features.
Log Access to URL: Does not block access to restricted content, sites, and features,
but logs access. This enables organizations to monitor appropriate usage without
restricting access.
9.
Specify the size of the URL cache in the Cache Size field. For information on valid ranges,
click the Click here for valid ranges link.
10. When you are finished, click Update. The scheduler displays.
11. Expand Schedule by clicking the plus icon.
12. Select Immediate or specify a future date and time.
13. Click Accept.
Note
This page does not affect N2H2 or Websense content filtering. For information on
configuring filtering options for these software packages, refer to their documentation.
To configure the filter list, perform the following steps:
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
In the center pane, navigate to the Website Blocking > CFS Standard.
4.
Select the content to block by checking the box next to one of the following categories (to
select all categories, check the Select all box):
Violence/Hate/Racism: Includes pictures or text exposing extreme cruelty, or
physical or emotional acts against any animal or person that are primarily intended to
hurt or inflict pain. Includes pictures or text advocating prejudice or discrimination
against any race, color, national origin, religion, disability or handicap, gender, or
sexual orientation. Includes any picture or text that elevates one group over another.
Also includes intolerant jokes or slurs.
for evil or wickedness, or the advocacy to join a cult. A cult is defined as a closed
society headed by a single individual where loyalty is demanded and leaving is
punishable.
drugs for entertainment. Includes substances used for other than their primary purpose
to alter the individual's state of mind, such as glue sniffing. Excludes currently illegal
drugs legally prescribed for medicinal purposes (e.g., drugs used to treat glaucoma or
cancer).
materials or activities of a dubious nature that may be illegal in any or all jurisdictions,
such as illegal business schemes, chain letters, copyright infringement, computer
hacking, phreaking (using someone's phone lines without permission), and software
piracy.
and pictures or text exposing anyone or anything involved in explicit sexual acts and or
lewd and lascivious behavior, including masturbation, copulation, pedophilia, and
intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian or
homosexual encounters. Excludes sites containing nudity or partial nudity of a
wholesome nature and all swimsuits, including thongs.
contraceptives. This topic includes condom use, the correct way to wear a condom and
how to put a condom in place. Also included are sites relating to discussion about the
use of the Pill, IUDs, and other types of contraceptives. In addition to the above, this
services relating to lotteries, casinos, betting, numbers games, on-line sports, and
financial betting, including non-monetary dares
dating services, adult personals, CD-ROMs, and videos. Excludes sites containing
nudity or partial nudity of a wholesome nature and all swimsuits, including thongs.
5.
6.
7.
8.
Click Accept.
9.
If you believe that a website is rated incorrectly, or to submit a new URL for blocking, click
the here link in the sentence If you believe that a Web site is rated incorrectly or you
wish to submit a new URL, click here.
Note
This page does not affect N2H2 or Websense content filtering. For information on
configuring filtering options for these software packages, refer to their documentation.
To configure the CFS Premium service, perform the following steps:
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
4.
5.
6.
7.
Check the boxes of the categories to block. To select all categories, check the Select all
Categories box.
8.
c. To enable the keyword blocking feature, select the Enable Keyword Blocking check
box.
9.
From the pull-down menu, select when the forbidden URLs will be blocked.
10. When you are finished, click OK. The scheduler displays.
11. Expand Schedule by clicking the plus icon.
12. Select Immediate or specify a future date and time.
13. Click Accept.
14. Repeat this procedure for each filter that you would like to add.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
Check the Enable CFS Exclusion List box to enable CFS block list exclusions.
4.
Enter an IP address or IP address range to exclude. For a single IP address, enter the same
IP address in the IP Address From and IP Address To fields. For a range, enter the
beginning IP address in the IP Address From field and the ending IP address in the IP
Address To field.
5.
6.
7.
To delete an IP address or IP address range from the CFS exclusion list, click the checkbox
in the trashcan column for the addresses.
8.
9.
1.
2.
3.
Click the Update button to save your changes and enable the Custom Category feature.
Note
4.
5.
6.
7.
All subdomains of the domain entered are affected. For example, entering yahoo.com
applies to mail.yahoo.com and my.yahoo.com, hence it is not necessary to enter all
FQDN entries for subdomains of a parent domain.
8.
9.
The CFS Custom Category Search option provides the ability to search the configured custom
categories. To do so, perform the following steps:
1.
2.
When searching by name, select what type of search to perform: Equals, Starts with,
Ends with, or Contains.
3.
When searching by name, enter the value to search for in the text box.
4.
5.
Click Search.
Timesaver
Importing a .txt file with one domain per line is the easiest way to add multiple domains to
a forbidden/allowed list. See the Adding Multiple Domains From a List section on page 333
for more.
Forbidden domains are domains that users will not be allowed to access. This is useful when a
website disrupts a corporate or educational environment. To find out which websites are most
frequently accessed, refer to the Top Web Site Hits section of the log report. Up to 256 entries
are supported in the Forbidden Domains list.
Note
This feature is not available if you select N2H2 or Websense content filtering. For
information on configuring filtering options for these software packages, refer to their
documentation.
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
4.
5.
To disable Web traffic except for allowed domains, check the Disable all Web traffic
except for Allowed Domains box. (This option is available only on appliances running
SonicOS Standard, or other non-Enhanced firmware.)
Note
To add a small number of domains, enter the domain name in the Allowed Domains field
and click Add. The scheduler displays. You can add several domains at once by separating
your entries with a semicolon (;).
Enter the domain name only. For example, yahoo.com. Do not include http://. Entering
yahoo.com will also allow access to www.yahoo.com, my.yahoo.com, sports.yahoo.com,
and so on.
2.
3.
4.
Click Accept.
5.
Repeat this step for each domain you would like to add.
2.
Click the Browse... button to upload a text-based (.txt) file containing the URL list. The
URLs in this text file must be separated by line breaks.
3.
In the Schedule window, select Immediate or specify a future date and time.
4.
Click Accept.
Select one of the following Timing options. (This option is available only on appliances
running SonicOS Standard, or other non-Enhanced firmware.)
Always Block: Always blocks access to all restricted content, sites, and features.
Block From: Blocks access to restricted content, sites, and features between the
selected hours. Select the from and to hours and the day range from the pull-down
menus.
2.
3.
4.
5.
Click Accept.
2.
Check the box below the trash can icon and next to the item you want to delete. Repeat this
step for each domain that you want to remove from the domain lists.
3.
4.
5.
6.
Click Accept.
Note
Be careful when using this feature. For example, blocking the word breast can prevent
access to pornographic and other objectionable sites, but it also blocks sites about breast cancer.
Note
This feature is not available if you select N2H2 or Websense content filtering. For
information on configuring filtering options for these software packages, refer to their
documentation.
To configure domain blocking by keyword, perform the following steps:
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
Timesaver
3.
4.
5.
6.
7.
8.
Click Accept.
9.
To add one or more keywords, enter them in the URL Keyword field and click Add. The
scheduler displays. Separate multiple keywords with a semicolon (;).
Importing a .txt file with one keyword per line is the easiest way to add multiple keywords.
Click the Import... button to add multiple keywords from a text file.
10. Expand Schedule by clicking the plus icon.
11. Select Immediate or specify a future date and time.
12. Click Accept. Repeat these steps for each keyword you would like to add.
13. To remove a keyword, select its check box below the trash can icon. Repeat this step for
each keyword that you want to remove from the keyword lists.
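The domain lists in this chapter share one matching rule (an entry such as yahoo.com also covers www.yahoo.com and my.yahoo.com, as the Trusted Domains and Custom Category notes state), the CFS exclusion list is an inclusive IP range, and keyword blocking is a plain substring match over the URL, which is why the breast-cancer caveat above holds. The following Python model is an added example for this guide, not SonicWALL GMS or SonicOS code; the policy dictionary, the constructed entries, the function names, and in particular the order in which the rules are consulted are assumptions of the example and not a statement of SonicOS precedence.

```python
"""Added example (not SonicWALL GMS or SonicOS code): a model of how the
trusted/allowed/forbidden domain lists, the CFS exclusion list, and URL
keyword blocking from this chapter evaluate a request. The rule order is
this example's assumption, not a statement of SonicOS precedence."""
from ipaddress import ip_address
from urllib.parse import urlsplit


def domain_matches(host, domain):
    """A list entry matches the domain itself and every subdomain: yahoo.com
    covers www.yahoo.com and my.yahoo.com but not notyahoo.com."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def in_any_domain(host, domains):
    return any(domain_matches(host, d) for d in domains)


def in_exclusion_list(src_ip, ranges):
    """CFS exclusion entries are inclusive IP ranges; a single address is
    entered with the same value in both the From and To fields."""
    ip = ip_address(src_ip)
    return any(ip_address(lo) <= ip <= ip_address(hi) for lo, hi in ranges)


def keyword_hits(url, keywords):
    """Keyword blocking is a plain substring match over the URL, which is
    why a keyword like 'breast' also catches breast-cancer sites."""
    u = url.lower()
    return [k for k in keywords if k.lower() in u]


def web_features_allowed(host, trusted_domains):
    """Java/ActiveX/cookies are permitted only for trusted domains when the
    'Don't block Java/ActiveX/Cookies to Trusted Domains' option is on."""
    return in_any_domain(host, trusted_domains)


def evaluate(src_ip, url, policy):
    """Return (decision, reason) for a request. Order, assumed for this
    example: exclusion list, forbidden domains, allowed domains, keywords,
    then the 'disable all Web traffic except Allowed Domains' switch."""
    host = urlsplit(url).hostname or ""
    if in_exclusion_list(src_ip, policy["exclusions"]):
        return "allow", "source in CFS exclusion list"
    if in_any_domain(host, policy["forbidden"]):
        return "block", "forbidden domain"
    if in_any_domain(host, policy["allowed"]):
        return "allow", "allowed domain"
    hits = keyword_hits(url, policy["keywords"])
    if hits:
        return "block", "keyword " + hits[0]
    if policy["block_all_except_allowed"]:
        return "block", "only allowed domains permitted"
    return "allow", "no rule matched"


# Constructed policy; list entries are domain names only, no http:// prefix.
POLICY = {
    "exclusions": [("10.0.0.1", "10.0.0.100")],
    "forbidden": ["example.net"],
    "allowed": ["example.com"],
    "trusted": ["example.com"],
    "keywords": ["breast", "casino"],
    "block_all_except_allowed": False,
}

if __name__ == "__main__":
    for src, url in [
        ("10.0.0.200", "http://www.example.net/"),
        ("10.0.0.200", "http://www.example.com/"),
        ("10.0.0.200", "https://www.breastcancer.org/"),
        ("10.0.0.50", "https://www.breastcancer.org/"),
    ]:
        print(src, url, evaluate(src, url, POLICY))
```

Two points the output makes concrete: a subdomain of a forbidden or allowed entry inherits that entry's decision, so one list line covers a whole site, and a host inside the exclusion range bypasses every other rule, which is why exclusion ranges should be as narrow as a single address where possible.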
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
4.
Java: Blocks Java applets. Java applets are downloadable Web applications that are
used on many websites. Selecting this option will block all Java applets, regardless of
their function.
used by Web servers to track Web usage and remember user identity. Cookies can
compromise users' privacy by tracking Web activities.
Note
Access to HTTP Proxy Servers: Blocks users from reaching Web proxy servers on the
Internet, which they could otherwise point their browsers at to bypass content
filtering.
a known fraudulent certificate. Digital certificates help verify that Web content
originated from an authorized party.
5.
6.
7.
8.
Click Accept.
Note
This feature is not available if you select N2H2 or Websense content filtering. For
information on configuring filtering options for these software packages, refer to their
documentation.
To configure the consent feature, perform the following steps:
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
4.
Check the Require Consent check box to require consent. Users can choose if they want
filtering or not.
5.
Enter the maximum time (in minutes) a user can access the Internet in the Maximum Web
Usage field.
6.
Specify the maximum amount of time (in minutes) a connection may remain idle before the
user is logged out and must agree to the consent agreement again in the User Idle
Timeout field.
7.
Enter the URL of the Web page from which users choose to enable filtering in the Consent
Page URL (Optional Filtering) field. This page displays when users first attempt to access
the Internet and must contain a link for choosing unfiltered access and a link for choosing
filtered access. The link for unfiltered access is IPaddress/iAccept.html. The link for filtered
access is IPaddress/iAcceptFilter.html. IPaddress is the LAN (WorkPort) IP address of the
SonicWALL appliance.
8.
Enter the URL of the page that displays when users choose to access the Internet without
content filtering in the Consent Accepted URL (Filtering Off) field. This page must be
accessible on the LAN (WorkPort).
9.
Enter the URL of the page that displays when users access the Internet with content filtering
enabled in the Consent Accepted URL (Filtering On) field. This page must be
accessible on the LAN (WorkPort).
10. When a user opens a Web browser on a computer with mandatory content filtering they will
be shown a consent page. Enter the URL for the consent page in the Consent Page URL
(Mandatory Filtering) field. You will need to create this Web page. It usually contains an
Acceptable Use Policy and a notification that violations will be logged or blocked.
This Web page must reside on a Web server that is accessible as a URL by LAN (WorkPort)
users. This page must also contain a link that tells the SonicWALL appliance that the user
agrees to having filtering enabled. To do this, create the following link:
IPaddress/iAcceptFilter.html
where IPaddress is the LAN (WorkPort) IP address of the SonicWALL appliance.
11. To enforce content filtering for a specific computer on the LAN, enter the IP address in the
IP Addresses field of the Mandatory Filtered IP Addresses section and click Add. Up to
128 IP addresses can be entered.
12. To remove a computer from the list of computers to be filtered, click the checkbox in the
13. When you are finished, click Update. The scheduler displays.
14. Expand Schedule by clicking the plus icon.
15. Select Immediate or specify a future date and time.
16. Click Accept.
N2H2
To configure N2H2 content filtering options, perform the following steps:
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
4.
Enter the N2H2 server name or IP address in the Server Host Name or IP Address field.
5.
Enter the port that the N2H2 server listens for N2H2 requests in the Listen Port field
(default: 4005).
6.
Enter the port that the N2H2 server uses to send packets to the SonicWALL appliances in
the Reply Port field (default: 4005).
7.
Enter the username associated with the N2H2 account in the User Name field.
8.
Enter the size of the URL cache in the URL Cache Size field. A larger URL cache can
improve browser response times.
9.
Select the action that the SonicWALL appliance(s) will take if the N2H2 server is
unavailable beyond a specified period of time. First, enter the time period (in seconds) in
the If Server is unavailable for field. Then, select one of the options:
To block traffic to all Web sites, select Block traffic to all Web sites.
To allow access to all Web sites, select Allow traffic to all Web sites.
10. If a server marks a URL as blocked, select one of the following actions:
Block Access to URL: Blocks access to restricted sites and logs access attempts.
Log Access to URL: Does not block access to restricted sites, but logs access. This
11. When you are finished, click Update. The scheduler displays.
12. Expand Schedule by clicking the plus icon.
13. Select Immediate or specify a future date and time.
14. Click Accept.
Websense
To configure Websense content filtering options, perform the following steps:
1.
In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
4.
Enter the Websense server name or IP address in the Server Host Name or IP Address
field.
5.
Enter the port used for Websense packets in the Server Port field (default: 15868).
6.
Enter the username associated with the Websense account in the User Name field.
7.
Enter the size of the URL cache in the URL Cache Size field. A larger URL cache can
improve browser response times. The default cache size is 50.
8.
Enter a time period (in seconds) in the If Server is unavailable for field. Then, select the
action that the SonicWALL appliance(s) will take if the Websense server stays unavailable for that long:
To block traffic to all Web sites, select Block traffic to all Web sites.
To allow access to all Web sites, select Allow traffic to all Web sites.
9.
CHAPTER 15
Configuring Firewall Dynamic Host
Configuration Protocol
This chapter describes how to use SonicWALL Global Management System (SonicWALL GMS) to configure
SonicWALL appliances as DHCP servers. Dynamic Host Configuration Protocol (DHCP)
enables network administrators to automate the assignment of IP addresses from a centralized
DHCP server. This conserves IP addresses and makes it easy for mobile users to move among
different segments of the network without having to manually enter new IP addresses.
This chapter includes the following sections:
2.
Expand the DHCP tree and click DHCP over VPN. The DHCP over VPN page displays.
3.
tunnel, select Remote Gateway from the DHCP Relay Mode list box and do the
following:
Select the security association (SA) through which the DHCP server resides from
the Obtain using DHCP through this SA list box.
Enter the IP address that will be inserted by the SonicWALL appliance as the IP
address of the DHCP Relay Agent in the Relay IP Address field.
To manage this SonicWALL appliance remotely through the VPN tunnel from
behind the Central Gateway, enter the management IP address in the Remote
Management IP Address field.
If you enable Block traffic through tunnel when IP spoof detected, the SonicWALL blocks any traffic across the VPN tunnel that spoofs an authenticated user's IP address. If you have any static devices, however, you must ensure that the correct Ethernet address is entered for each device.
If the VPN tunnel is disrupted, temporary DHCP leases can be obtained from the
local SonicWALL appliance. Once the tunnel is active, it will stop issuing leases. To
enable this option, select the Obtain temporary lease from local DHCP server if
tunnel is down check box.
When you enable this option, clients will be able to obtain IP addresses if the tunnel
is unavailable. To ensure that clients use the remote DHCP server shortly after it
becomes available, enter a short lease time in the Temporary Lease Time field.
The default value is two minutes.
Make sure to enable DHCP and enter an IP address range on the DHCP Setup
page. Otherwise, the SonicWALL appliance will be unable to act as a DHCP server.
To specify static IP addresses on the LAN (WorkPort), enter the IP address and
MAC address and click Add. Repeat this step for each device that uses a static IP
address.
To specify a device that is not allowed to obtain an IP address through the SA, enter
its MAC address and click Add. Repeat this step for each device that will not be
allowed to obtain an IP address through the SA.
select Central Gateway from the DHCP Relay Mode list box and do the following:
4.
To use the DHCP server built into the SonicWALL appliance for some clients, select
the Use Internal DHCP Server check box.
To use the internal DHCP server for Global VPN clients, select the For Global VPN
Client check box.
To use the internal DHCP server for remote firewalls, select the For Remote
Firewalls check box.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
2. Expand the DHCP tree and click Dynamic Ranges. The Dynamic Ranges page displays.
3.
4. Select Enable Conflict Detection to turn on automatic DHCP scope conflict detection on each zone.
5.
6. In the DHCP Setup dialog box, on the General tab, complete the following fields:
Select the Enable this DHCP Scope check box to enable the DHCP range. Deselect
another IP address is issued (or the same one is re-issued). 1440 minutes (24 hours)
is the default value.
Specify the IP address and subnet mask of the default gateway for this IP address
range in the Default Gateway and Subnet Mask fields. By default, these fields will use
the settings on the Network Settings page.
Select the Allow BootP clients to use range check box if you have BootP clients on
this network.
BootP stands for bootstrap protocol, which is a TCP/IP protocol and service that allows
diskless workstations to obtain their IP address, other TCP/IP configuration
information, and their boot image file from a BootP server.
7.
8. In the DHCP Setup dialog box, on the DNS/WINS tab, complete the following fields:
Optionally enter the domain name associated with this IP address range in the Domain
Name field.
To configure one or more DNS servers for this range, do one of the following:
To use the DNS servers specified on the Network Settings page, select Set DNS Servers using SonicWALL's Network settings.
To specify the DNS servers manually for this IP address range, select Specify
Manually and then type the IP address of your DNS Server in the DNS Server 1
field. You can specify two additional DNS servers.
If you have WINS running on your network, type the WINS server IP address in the
9. For units running SonicOS Enhanced 4.0 and above, click the Advanced tab. This tab allows you to configure the SonicWALL DHCP server to send Cisco Call Manager information to VoIP clients on the network, and to configure DHCP generic options for lease scopes.
10. Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You
can add two additional VoIP Call Manager addresses. For more information about
configuring VoIP, refer to the Configuring Voice over IP Settings section on page 287.
11. To configure a DHCP lease scope, select a DHCP option or option group in the DHCP
12. To always use DHCP options for this DHCP server lease scope, select the Send Generic
13. When you are finished, click OK. The settings are saved. To clear all screen settings and
Note
2. Expand the DHCP tree and click Static Entries. The Static Entries page displays.
3.
4. Select Enable Conflict Detection to turn on automatic DHCP scope conflict detection on each zone.
5.
6. In the DHCP Setup dialog box, on the General tab, complete the following fields:
Select the Enable this DHCP Scope check box to enable this static DHCP scope.
Type a descriptive name for this static DHCP entry in the Entry Name field.
Type the IP address of the device in the Static IP Address field.
Enter the Ethernet (MAC) address of the device in the Ethernet Address field.
In the Lease Time field, type the number of minutes that an IP address is used before
Specify the IP address and subnet mask of the default gateway for this IP address in
the Default Gateway and Subnet Mask fields. By default, these fields will use the
settings on the Network Settings page.
7. To add a static IP address, click Add Static Entry and complete the following fields:
Specify the IP address and subnet mask of the default gateway for this IP address in
the Default Gateway and Subnet Mask fields. By default, these fields will use the
settings on the Network Settings page.
Enter the lease time for this IP address in the Lease Time field.
8.
9. In the DHCP Setup dialog box, on the DNS/WINS tab, complete the following fields:
If you have a domain name associated with this IP address, enter it in the Domain
Name field.
To configure one or more DNS servers for this range, do one of the following:
To use the DNS servers specified on the Network Settings page, select Set DNS Servers using SonicWALL's Network settings.
To specify the DNS servers manually for this IP address, select Specify Manually
and then type the IP address of your DNS Server in the DNS Server 1 field. You
can specify two additional DNS servers.
If you have WINS running on your network, type the WINS server IP address in the
10. For units running SonicOS Enhanced 4.0 and above, click the Advanced tab. This tab
allows you to configure the SonicWALL DHCP server to send Cisco Call Manager
information to VoIP clients on the network, and to configure DHCP generic options for lease
scopes.
11. Enter the IP address or FQDN of your VoIP Call Manager in the Call Manager 1 field. You
can add two additional VoIP Call Manager addresses. For more information about
configuring VoIP, refer to the Configuring Voice over IP Settings section on page 287.
12. To configure a DHCP lease scope, select a DHCP option or option group in the DHCP
13. To always use DHCP options for this DHCP server lease scope, select the Send Generic
14. When you are finished, click OK. The settings are saved. To clear all screen settings and
This screen is available at the unit/appliance level only for units running SonicOS Enhanced
4.0 and above.
This section describes how to configure DHCP Option Objects. DHCP Option Objects can be
used when setting DHCP Generic Options for DHCP Dynamic Ranges or Static Entries. For
more information about DHCP Options, refer to the DHCP Server Options Overview section
on page 341.
Step 2
Click Add New Object or the Configure icon for an existing object. The Add/Edit DHCP Option
Objects page displays.
Step 3
Step 4
From the Option Number pull-down list, select the option number that corresponds to your
DHCP option.
Step 5
Optionally check the Option Array checkbox to allow entry of multiple option values in the
Option Value field.
Step 6
The option type displays in the Option Type pull-down menu. The pull-down menu will be
functional only if multiple option numbers are available.
Step 7
Type the option value, for example, an IP address, in the Option Value field. If Option Array is
checked, multiple values may be entered, separated by a semi-colon (;).
Step 8
Click the OK button. The object will display in the DHCP Option Object Settings list.
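As an added example (not SonicWALL code), the following Python shows what an Option Object's Option Number, Option Type and Option Value, including a semicolon-separated Option Array, become on the wire when the DHCP server hands the option to a client. The option table is a constructed subset of standard option numbers (RFC 2132, and RFC 5859 for option 150); the function names are my own.

```python
"""Encode and decode DHCP option objects as they appear on the wire.

Added example, not SonicWALL code. Fields follow the page's DHCP Option
Object form: an Option Number, an Option Type, and an Option Value that may
hold several values separated by a semi-colon (;) when Option Array is checked.
"""
import ipaddress
import struct

# Constructed subset of standard options: number -> (name, wire type).
OPTION_TYPES = {
    6: ("Domain Name Server", "ip"),
    15: ("Domain Name", "string"),
    42: ("NTP Servers", "ip"),
    51: ("IP Address Lease Time", "uint32"),
    66: ("TFTP Server Name", "string"),
    150: ("TFTP Server Address", "ip"),   # used by Cisco IP phones / Call Manager
}


def parse_option_value(value: str, option_array: bool) -> list:
    """Split the Option Value field. With Option Array checked, entries are
    separated by ';' as the page states; otherwise the whole field is one value."""
    parts = [p.strip() for p in value.split(";")] if option_array else [value.strip()]
    parts = [p for p in parts if p]
    if not parts:
        raise ValueError("Option Value is empty")
    return parts


def encode_option(number: int, value: str, option_array: bool = False) -> bytes:
    """Return the option as a TLV: one byte code, one byte length, then data."""
    if number not in OPTION_TYPES:
        raise ValueError(f"option {number} is not in the constructed option table")
    _, otype = OPTION_TYPES[number]
    parts = parse_option_value(value, option_array)
    if otype == "ip":
        # Each address is 4 bytes; an array is simply the addresses concatenated.
        data = b"".join(ipaddress.IPv4Address(p).packed for p in parts)
    elif otype == "uint32":
        if len(parts) != 1:
            raise ValueError(f"option {number} takes a single value")
        data = struct.pack("!I", int(parts[0]))
    else:  # string
        if len(parts) != 1:
            raise ValueError(f"option {number} takes a single value")
        data = parts[0].encode("ascii")
    if len(data) > 255:
        raise ValueError("option data exceeds the 255-byte length field")
    return bytes([number, len(data)]) + data


def decode_option(blob: bytes):
    """Inverse of encode_option: return (number, list_of_values) for one TLV."""
    if len(blob) < 2 or len(blob) != 2 + blob[1]:
        raise ValueError("length byte does not match option data")
    number, data = blob[0], blob[2:]
    if number not in OPTION_TYPES:
        raise ValueError(f"option {number} is not in the constructed option table")
    _, otype = OPTION_TYPES[number]
    if otype == "ip":
        if len(data) % 4:
            raise ValueError("IP option data is not a multiple of 4 bytes")
        return number, [str(ipaddress.IPv4Address(data[i:i + 4]))
                        for i in range(0, len(data), 4)]
    if otype == "uint32":
        return number, [str(struct.unpack("!I", data)[0])]
    return number, [data.decode("ascii")]


if __name__ == "__main__":
    tlv = encode_option(150, "10.0.0.5;10.0.0.6", option_array=True)
    print(tlv.hex(), decode_option(tlv))
```

Entering two addresses without checking Option Array is rejected, because the whole field is then treated as a single (invalid) address.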
This screen is available at the unit/appliance level only for units running SonicOS Enhanced
4.0 and above.
This section describes how to configure DHCP Option Groups. For more information about
DHCP Options, refer to the DHCP Server Options Overview section on page 341.
To configure DHCP Option Groups:
Step 1
Step 2
Click Add New Group or the Configure icon for an existing group. The Add/Edit DHCP Option
Group page displays.
Step 3
Step 4
To add DHCP Option Objects to the group, select one or more objects on the left side and click
the arrow to move them to the right.
Step 5
To remove DHCP Option Objects from the group, select one or more objects on the right side
and click the arrow to move them to the left. Or, click Remove All to remove all objects from the
group.
Step 6
1.
2. Expand the DHCP tree and click Setup. The Static Entries page displays.
3.
DHCP server outside the firewall, deselect the Enable DHCP Server check box and
select the Allow DHCP Pass Through check box.
Enter the lease time for this IP address in the Lease Time field.
Optional. Enter the domain name associated with this IP address in the Domain Name
field.
To use the DNS and WINS servers specified on the Network Settings page, select Set
4. When you are finished, click Update. The settings are saved. To clear all screen settings and start over, click Reset.
Note
1. Navigate to the Policies > DHCP > Trusted Agents screen in the SonicWALL GMS user interface.
2. Click the Enable Trusted DHCP Relay Agent List checkbox to enable this feature.
3.
The default selection for the trusted agent list is the Default Trusted Relay Agent List
address group. The entries for this address group are defined in the Network > Address
Objects page.
4.
CHAPTER 16
Configuring Firewall User Settings
This chapter describes how to use the SonicWALL GMS to configure user and user access
settings. Included in this chapter are the following sections:
Select one of the following authentication methods from the Authentication method for login pull-down list:
Local Users - To configure users in the local database using the Users > Local Users and Users > Local Groups pages. For information on configuring local users and groups, refer to the Configuring Local Users section on page 366 and the Configuring Local Groups section on page 368.
RADIUS - If you have more than 1,000 users or want to add an extra layer of security for authenticating the user to the SonicWALL. If you select Use RADIUS for user authentication, users must log into the SonicWALL using HTTPS in order to encrypt the password sent to the SonicWALL. If a user attempts to log into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS. For information on configuring RADIUS, refer to the Configuring RADIUS for SonicOS Enhanced section on page 370.
RADIUS + Local Users - If you want to use both RADIUS and the SonicWALL local user database for authentication. For information on configuring RADIUS, refer to the Configuring RADIUS for SonicOS Enhanced section on page 370.
LDAP - If you use a Lightweight Directory Access Protocol (LDAP) server or Microsoft Active Directory (AD) server to maintain all your user account data. For information about configuring LDAP, refer to the Configuring LDAP and Active Directory section on page 355.
LDAP + Local Users - If you want to use both LDAP and the SonicWALL local user database for authentication. For information about configuring LDAP, refer to the Configuring LDAP and Active Directory section on page 355.
Step 2
In the Single-sign-on method pull-down list, select SonicWALL SSO Agent if you are using
Active Directory for authentication and the SonicWALL SSO Agent is installed on a computer
in the same domain. Otherwise, select None. For information on configuring SSO, refer to the
Configuring Single Sign-On section on page 372.
Step 3
To require that user names are treated as case-sensitive, select the Case-sensitive user
names checkbox.
Step 4
To prevent a user from logging in from more than one location at a time, select the Enforce
login uniqueness check box.
Step 5
Enter the number of minutes that the login authentication page is displayed in the Show
authentication page for field.
Step 6
Select Redirect users from HTTPS to HTTP on completion of login if the session does not
need to be encrypted.
Active Directory support on SonicOS Enhanced is not a single-sign-on mechanism by itself, but rather the ability for SonicOS Enhanced to act as an LDAP client against an Active Directory's LDAP interface using Microsoft's implementation of an LDAP schema. SonicOS Enhanced provides extremely flexible schema interoperability, with support for the Microsoft AD schema, the LDAP core schema, the RFC2798 inetOrgPerson schema, and even user-defined schemas. Connectivity to LDAP servers is also flexible, with support for the following protocols:
LDAPv2 (RFC3494)
LDAP Terms
The following terms are useful when working with LDAP and its variants:
Attribute - A data item stored in an object in an LDAP directory. Objects can have required attributes or allowed attributes. For example, the dc attribute is a required attribute of the dcObject (domain component) object.
dn - A distinguished name, which is a globally unique name for a user or other object. It is made up of a number of components, usually starting with a common name (cn) component and ending with a domain specified as two or more domain components (dc). For example, cn=john,cn=users,dc=domain,dc=com
Entry - The data that is stored in the LDAP directory. Entries are stored in attribute/value (or name/value) pairs, where the attributes are defined by object classes. A sample entry would be cn=john, where cn (common name) is the attribute and john is the value.
Object - In LDAP terminology, the entries in a directory are referred to as objects. For the purposes of the SonicOS implementation of the LDAP client, the critical objects are User and Group objects. Different implementations of LDAP can refer to these object classes in different fashions; for example, Active Directory refers to the user object as user and the group object as group, while RFC2798 refers to the user object as inetOrgPerson and the group object as groupOfNames.
Object class - Object classes define the type of entries that an LDAP directory may contain. A sample object class, as used by AD, would be user or group.
Schema - The schema is the set of rules or the structure that defines the types of data that can be stored in a directory, and how that data can be stored. Data is stored in the form of entries.
TLS - Transport Layer Security is the IETF standardized version of SSL (Secure Sockets Layer). TLS 1.0 is the successor to SSL 3.0.
Note
1. Navigate to Start > Settings > Control Panel > Add/Remove Programs.
2.
3.
4.
5.
6.
7.
8.
9.
Launch the Certification Authority application: Start > Run > certsrv.msc.
2.
3.
4.
5. Step through the wizard, and select the Base-64 Encoded X.509 (.cer) format.
6.
2. Select Add new CA certificate. Browse to and select the certificate file you just exported.
3.
Note
Configuring LDAP
Perform the following steps to configure LDAP authentication.
1. Browse to the User > Settings page and select either LDAP or LDAP + Local Users.
2. Click the Configure LDAP button to launch the LDAP configuration window:
3.
which you wish to authenticate. If using a name, be certain it can be resolved by your
DNS server. Also, if using TLS with the Require valid certificate from server option, the
name provided here must match the name to which the server certificate was issued
(i.e. the CN) or the TLS exchange will fail.
Port Number - The default LDAP over TLS port number is TCP 636. The default LDAP (unencrypted) port number is TCP 389. If you are using a custom listening port on your LDAP server, specify it here.
Server timeout - The amount of time, in seconds, that the SonicWALL will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999 (in case you're running your LDAP server on a VIC-20 located on the moon), with a default of 10 seconds.
anonymously. If your server supports this (MS AD generally does not), then you may select this option.
Login name - Specify a user name which has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full dn notation. This can be any account with LDAP read privileges (essentially any user account); administrative privileges are not required. Note that this is the user's name, not their login ID (e.g. John Smith rather than jsmith).
Use TLS - Use Transport Layer Security (SSL) to log in to the LDAP server. It is strongly recommended that TLS be used to protect the username and password information that will be sent across the network. Most modern implementations of LDAP server, including AD, support TLS. Deselecting this default setting will provide an alert which must be accepted to proceed.
Send LDAP Start TLS Request - Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client. AD does not use this option, and it should only be selected if required by your LDAP server.
server during the TLS exchange, matching the name specified above to the name on
the certificate. Deselecting this default option will present an alert, but exchanges
between the SonicWALL and the LDAP server will still use TLS only without issuance
validation.
Local certificate for TLS - Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (AD does not return passwords). This setting is not required for AD.
If your network uses multiple LDAP/AD servers with referrals, then select one as the primary server (probably the one that holds the bulk of the users) and use the above settings for that server. It will then refer the SonicWALL on to the other servers for users in domains other than its own. For the SonicWALL to be able to log in to those other servers, each server must have a user configured with the same credentials (user name, password and location in the directory) as per the login to the primary server. This may entail creating a special user in the directory for the SonicWALL login. Note that only read access to the directory is required.
4.
Object classThis defines which attribute represents the individual user account to
Login name attributeThis defines which attribute is used for login authentication:
Qualified login name attribute - If not empty, this specifies an attribute of a user object that sets an alternative login name for the user in name@domain format. This may be needed with multiple domains in particular, where the simple login name may not be unique across domains. This is set to mail for Microsoft Active Directory and RFC2798 inetOrgPerson.
User group membership attribute - This attribute contains the information in the user object of which groups it belongs to. This is memberOf in Microsoft Active Directory. The other pre-defined schemas store group membership information in the group object rather than the user object, and therefore do not use this field.
Framed IP address attribute - This attribute can be used to retrieve a static IP address that is assigned to a user in the directory. Currently it is only used for a user connecting via L2TP with the SonicWALL's L2TP server. In future this may also be supported for Global VPN Client. In Active Directory the static IP address is configured on the Dial-in tab of a user's properties.
5.
Primary Domain - Specify the user domain used by your LDAP implementation. For AD, this will be the Active Directory domain name, e.g. yourADdomain.com. Changes to this field will, optionally, automatically update the tree information in the rest of the page. This is set to mydomain.com by default for all schemas except Novell eDirectory, for which it is set to o=mydomain.
User tree for login to server - The tree in which the user specified in the Settings tab resides. For example, in AD the administrator account's default tree is the same as the user tree.
Trees containing users The trees where users commonly reside in the LDAP
Trees containing user groups Same as above, only with regard to user group
Note
AD has some built-in containers that do not conform (e.g. the DN for the top level
Users container is formatted as cn=Users,dc=, using cn rather than ou) but the
SonicWALL knows about and deals with these, so they can be entered in the simpler
URL format.
Ordering is not critical, but since they are searched in the given order it is most efficient to place the most commonly used trees first in each list. If referrals between multiple LDAP servers are to be used, then the trees are best ordered with those on the primary server first, and the rest in the same order that they will be referred.
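The DN components described under LDAP Terms and the cn= versus ou= distinction in the AD container note above can be worked through in code. The following Python is an added example, not SonicWALL code; the 'domain.com/Container/SubOU' tree form, the list of AD built-in containers beyond Users, and the function names are assumptions (the page does not spell out the simpler format).

```python
"""Parse distinguished names and build AD-style tree DNs.

Added example, not SonicWALL code. split_dn() breaks a DN such as the page's
cn=john,cn=users,dc=domain,dc=com into components, honouring RFC 4514
backslash escapes. tree_to_dn() turns a tree given in an assumed short
'domain.com/Container/SubOU' form into a DN, using cn= for AD built-in
containers (the page's note: cn=Users, not ou=Users) and ou= otherwise.
"""
import string

SPECIAL = set(',+"\\<>;=')

# AD built-in containers that are containers (cn=) rather than OUs (ou=).
# The page names Users; the rest of this list is an assumption from AD defaults.
AD_CN_CONTAINERS = {"users", "computers", "builtin", "foreignsecurityprincipals", "system"}


def split_dn(dn: str):
    """Return [(attribute, value), ...] for a DN, left to right.
    A comma inside a value must be escaped (\\,) or given as hex (\\2C);
    hex escapes are decoded as single bytes, which is exact for ASCII."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.lstrip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().lower(), value))
    return out


def escape_rdn_value(value: str) -> str:
    """Escape a value for use inside a DN (RFC 4514 section 2.4)."""
    out = "".join("\\" + c if c in SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def domain_of(dn: str) -> str:
    """Join the dc components into a DNS-style domain, e.g. domain.com."""
    dcs = [v for a, v in split_dn(dn) if a == "dc"]
    if not dcs:
        raise ValueError("DN has no dc components")
    return ".".join(dcs)


def tree_to_dn(tree: str, ad_style: bool = True) -> str:
    """'mydomain.com/Users' -> 'cn=Users,dc=mydomain,dc=com';
    'mydomain.com/Corp/Sales' -> 'ou=Sales,ou=Corp,dc=mydomain,dc=com'.
    Components closest to the domain come last in the DN."""
    domain, _, path = tree.strip("/").partition("/")
    if not domain:
        raise ValueError("tree must start with a domain name")
    dc_part = ",".join(f"dc={escape_rdn_value(label)}" for label in domain.split("."))
    rdns = []
    for depth, name in enumerate(p for p in path.split("/") if p):
        builtin = ad_style and depth == 0 and name.lower() in AD_CN_CONTAINERS
        rdns.append(f"{'cn' if builtin else 'ou'}={escape_rdn_value(name)}")
    return ",".join(list(reversed(rdns)) + [dc_part])


if __name__ == "__main__":
    print(split_dn("cn=john,cn=users,dc=domain,dc=com"))
    print(tree_to_dn("mydomain.com/Users"), tree_to_dn("mydomain.com/Corp/Sales"))
```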
Note
When working with AD, to locate the location of a user in the directory for the User
tree for login to server field, the directory can be searched manually from the Active
Directory Users and Settings control panel applet on the server, or a directory search
utility such as queryad.vbs in the Windows NT/2000/XP Resource Kit can be run
from any PC in the domain.
Auto-configure - This causes the SonicWALL to auto-configure the Trees containing users and Trees containing user groups fields by scanning through the directory/directories looking for all trees that contain user objects. The User tree for login to server must first be set, and clicking the Auto-configure button then brings up the following dialog:
6. Select whether to append newly located trees to the current configuration, or to start from scratch, removing all currently configured trees first, and then click OK. Note that it will quite likely locate trees that are not needed for user login, and some tidying up afterwards, manually removing such entries, is worthwhile.
If using multiple LDAP/AD servers with referrals, this process can be repeated for each,
replacing the Domain to search accordingly and selecting Append to existing trees on
each subsequent run.
7.
Allow only users listed locally Requires that LDAP users also be present in the
User group membership can be set locally by duplicating LDAP user names
Default LDAP User Group A default group on the SonicWALL to which LDAP users
Group memberships (and privileges) can also be assigned simply with LDAP. By
creating user groups on the LDAP/AD server with the same name as SonicWALL
built-in groups (such as Guest Services, Content Filtering Bypass, Limited
Administrators) and assigning users to these groups in the directory, or creating user
groups on the SonicWALL with the same name as existing LDAP/AD user groups,
SonicWALL group memberships will be granted upon successful LDAP authentication.
The SonicWALL appliance can retrieve group memberships more efficiently in the case
of Active Directory by taking advantage of its unique trait of returning a memberOf
attribute for a user.
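The two ways of learning group membership described above (memberOf on the user object in Active Directory versus member on the group object in the other schemas) and the name-based mapping to local groups can be shown with an added Python example. This is not SonicWALL code: the in-memory directory is constructed, and the case-insensitive name match and the default group parameter are assumptions.

```python
"""Resolve a user's LDAP group memberships two ways and map them to local groups.

Added example, not SonicWALL code. Active Directory returns a memberOf
attribute on the user object, so one read of the user is enough; schemas such
as RFC 2798 keep membership in the group objects (groupOfNames.member), so
every group object has to be checked. The directory below is constructed.
"""

# Constructed directory: DN -> attributes (LDAP values are multi-valued lists).
DIRECTORY = {
    # Active Directory style: membership lives on the user (memberOf).
    "cn=john,cn=Users,dc=example,dc=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["jsmith"],
        "memberOf": [
            "cn=Sales,ou=Groups,dc=example,dc=com",
            "cn=Content Filtering Bypass,ou=Groups,dc=example,dc=com",
        ],
    },
    "cn=Sales,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=john,cn=Users,dc=example,dc=com"],
    },
    "cn=Content Filtering Bypass,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=john,cn=Users,dc=example,dc=com"],
    },
    # RFC 2798 style: membership lives on the group (groupOfNames.member).
    "uid=ann,ou=People,dc=example,dc=org": {"objectClass": ["inetOrgPerson"], "uid": ["ann"]},
    "uid=bob,ou=People,dc=example,dc=org": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=Limited Administrators,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=ann,ou=People,dc=example,dc=org",
                   "uid=bob,ou=People,dc=example,dc=org"],
    },
    "cn=Engineering,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=People,dc=example,dc=org"],
    },
}

# Local groups as on the appliance: the page's built-ins plus a locally created
# "Sales" group that deliberately shares its name with the LDAP group.
LOCAL_GROUPS = {"Everyone", "Guest Services", "Trusted Users", "Limited Administrators",
                "Content Filtering Bypass", "Sales"}

GROUP_CLASSES = {"group", "groupOfNames"}


def group_name(group_dn: str) -> str:
    """Group name from the DN's first RDN. The constructed DNs contain no
    escaped commas, so a plain split is sufficient here."""
    return group_dn.split(",", 1)[0].split("=", 1)[1]


def groups_via_member_of(user_dn: str, directory: dict):
    """AD path: read the user object once and take its memberOf values.
    Returns (group names, number of directory reads)."""
    user = directory[user_dn]
    return [group_name(g) for g in user.get("memberOf", [])], 1


def groups_via_group_objects(user_dn: str, directory: dict):
    """Group-object path: read every group object and test its member list.
    Returns (group names, number of directory reads)."""
    names, reads = [], 0
    for dn, attrs in directory.items():
        if not GROUP_CLASSES & set(attrs.get("objectClass", [])):
            continue
        reads += 1
        if user_dn in attrs.get("member", []):
            names.append(group_name(dn))
    return names, reads


def local_memberships(ldap_groups, local_groups=LOCAL_GROUPS, default_group="Trusted Users"):
    """Grant every local group whose name matches an LDAP group (compared
    case-insensitively, an assumption) plus the Default LDAP User Group."""
    by_lower = {g.lower(): g for g in local_groups}
    granted = {by_lower[g.lower()] for g in ldap_groups if g.lower() in by_lower}
    if default_group:
        granted.add(default_group)
    return sorted(granted)


def resolve(user_dn: str, directory: dict, schema: str) -> dict:
    """Flow after a successful bind: schema 'ad' uses memberOf, any other
    schema scans the group objects; then map the names to local groups."""
    lookup = groups_via_member_of if schema == "ad" else groups_via_group_objects
    names, reads = lookup(user_dn, directory)
    return {"ldap_groups": sorted(names), "directory_reads": reads,
            "local_groups": local_memberships(names)}


if __name__ == "__main__":
    print(resolve("cn=john,cn=Users,dc=example,dc=com", DIRECTORY, "ad"))
    print(resolve("uid=bob,ou=People,dc=example,dc=org", DIRECTORY, "rfc2798"))
```

Bob's Engineering group has no local counterpart, so it confers nothing locally; only names that match a local group (and the default group) are granted.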
8.
The RADIUS to LDAP Relay feature is designed for use in a topology where there is a central site with an LDAP/AD server and a central SonicWALL, with remote satellite sites connected into it via low-end SonicWALL security appliances that may not support LDAP. In that case the central SonicWALL can operate as a RADIUS server for the remote SonicWALLs, acting as a gateway between RADIUS and LDAP, and relaying authentication requests from them to the LDAP server.
Additionally, for remote SonicWALLs running non-enhanced firmware, with this feature the
central SonicWALL can return legacy user privilege information to them based on user
group memberships learned via LDAP. This avoids what can be very complex configuration
of an external RADIUS server such as IAS for those SonicWALLs.
9.
RADIUS shared secret - This is a shared secret common to all remote SonicWALLs.
User groups for legacy users - These define the user groups that correspond to the legacy Access to VPNs, Access from VPN client with XAUTH, Access from L2TP VPN client and Allow Internet access (when access is restricted) privileges respectively. When a user in one of the given user groups is authenticated, the remote SonicWALL will be informed that the user is to be given the relevant privilege.
Note
The Bypass filters and Limited management capabilities privileges are returned based on membership of user groups named Content Filtering Bypass and Limited Administrators; these are not configurable.
The Test page allows for the configured LDAP settings to be tested by attempting
authentication with specified user and password credentials. Any user group memberships
and/or framed IP address configured on the LDAP/AD server for the user will be displayed.
User-defined schemas: See the documentation for your LDAP installation. You can also see
general information on LDAP at <http://rfc.net/rfc1777.html>
The following options are configured in the User Session Settings section:
Inactivity timeout (minutes): users can be logged out of the SonicWALL after a
preconfigured inactivity time. Enter the number of minutes in this field. The default value is
5 minutes.
Enable login session limit: you can limit the time a user is logged into the SonicWALL by
selecting the check box and typing the amount of time, in minutes, in the Login session
limit (minutes) field. The default value is 30 minutes.
Login page timeout (minutes): defines how much time a user has to log in before the login
page times out. If it times out, a message displays saying they must click before attempting
to log in again.
Show user login status window with logout button: causes a status window to display with a Log Out button during the user's session. The user can click the Log Out button to log out of their session.
User's login status window refreshes every (minutes): determines how often the user's status display is updated.
User's login status window sends status heartbeat every (seconds): determines how often a heartbeat is sent back to the SonicWALL. This heartbeat notifies the SonicWALL of a user's connection status and continues to be sent as long as the status window is open.
Enable disconnected user detection: causes the SonicWALL to detect when a user's connection is no longer valid and end the session.
Timeout on heartbeat from user's login status window (minutes): sets the time needed
without a reply from the heartbeat before ending the user session.
LDAP read from server options: are available when the LDAP option is active. The
options are:
Automatically update the schema configuration
Export details of the schema
Caution
1.
2. Select which users will see the AUP page by selecting the Display on login from checkboxes. For SonicOS Enhanced, select the zones that will display the AUP page. For SonicOS Standard, select the network interfaces.
3. Configure the dimensions of the AUP window in pixels in the Window size (pixels) fields.
4. Check Enable scroll bars on the window to allow users to scroll through the AUP window contents.
5. Enter the text for the AUP in the Acceptable use policy page content field. The content can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation.
6. Click the Example Template button to create a preformatted HTML template for your AUP window.
Clicking the Example Template button will overwrite the existing content in the AUP
window.
7. Click the Preview button to display your AUP message as it will appear for the user.
8. Click Update.
Expand the Users tree and click Local Users. The Local Users page displays.
2. To add a local user, click Add New Local User. To edit the settings of an existing user, click its Configure icon.
3.
Internet from the LAN, bypassing Web, News, Java, and ActiveX blocking.
Limited Management Capabilitiesselect this option to provide the user limited local
4.
5. Select a user group to which this user will be a member and click the right arrow button (->). Repeat this step for each group to add.
6.
7. Select a network that this user will be able to access through the VPN client software and click the right arrow button (->). Repeat this step for each network to add.
8. When you are finished, click OK. The settings are saved. Repeat this procedure for each user to add or modify.
Everyone
Guest Services
Trusted Users
Limited Administrators
The permissions of these groups will automatically be applied to their members unless you manually modify a user's settings.
To add or edit a group, perform the following steps:
1. Expand the Users tree and click Local Groups. The Local Groups page displays.
2. To add a local group, click Add New Local Group. To edit the settings of an existing group, click its Configure icon.
3.
access to the Internet from the LAN, bypassing Web, News, Java, and ActiveX
blocking.
group limited local management access to the SonicWALL Management interface. The
access is limited to the following pages:
4.
5. Select the members or groups that will belong to this group and click the right arrow button (->).
6.
7. Select the networks that users within this group will be able to access through their VPN client software and click the right arrow button (->).
8.
9. Select a CFS policy to apply to the group in the Policy pull-down menu.
10. When you are finished, click OK. The settings are saved.
Expand the Users tree and click HTTP URL ULA. The HTTP URL ULA page displays.
2. Enter the fully qualified URL of the site that users will be allowed to access without being authenticated in the ULA HTTP URLs field.
3. Click Add.
4. Click Update.
2. Define the number of times the SonicWALL attempts to contact the RADIUS server in the RADIUS Server Retries field. If the RADIUS server does not respond within the specified number of retries, the connection is dropped. This field can range between 0 and 10; however, 3 RADIUS server retries is recommended.
3. Define the RADIUS Server Timeout in Seconds. The allowable range is 1-60 seconds with a default value of 5.
RADIUS Servers
1. Specify the following settings for the primary RADIUS server in the Primary Server section:
Type the IP address of the RADIUS server in the IP Address field.
Type the Port Number for the RADIUS server.
Type the RADIUS server administrative password or shared secret in the Shared Secret field. The alphanumeric Shared Secret can range from 1 to 31 characters in length. The shared secret is case sensitive.
2. If there is a secondary RADIUS server, type the appropriate information in the Secondary Server section.
1. To only allow users that are configured locally, but to still use RADIUS to authenticate them, select the Allow only users listed locally check box.
2. Select the mechanism used for setting user group memberships for RADIUS users from the following list:
RADIUS Users
Use RADIUS Filter-ID attribute on RADIUS server: select to tell the RADIUS server
to send Filter-ID user attributes back to the SonicWALL appliance. Filter-ID attributes
include the names of user groups that a user belongs to.
Enter duplicate RADIUS user names locally on the SonicWALL: select when the
RADIUS server contains user names and passwords, but has no user group
information. The SonicWALL appliance contains the user group configuration for each
user, while RADIUS simply authenticates the password.
3. For a shortcut for managing RADIUS user groups, check Memberships can be set locally by duplicating RADIUS user names. When you create users with the same name locally on the security appliance and manage their group memberships, the memberships in the RADIUS database will automatically change to mirror your local changes.
4.
If you have previously configured User Groups on the SonicWALL, select the group from
the Default user group to which all RADIUS users belong menu.
5.
You can create a new group by choosing Create a new user group... from the list. The Add
Group window displays.
2.
Enter a valid user name in the User field, and the password in the Password field.
3.
If the validation is successful, the Status message changes to Success. If the validation fails,
the Status message changes to Failure. Once the SonicWALL has been configured, a VPN
Security Association requiring RADIUS authentication prompts incoming VPN clients to type a
User Name and Password into a dialog box.
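The RADIUS settings above (shared secret, retries, and Filter-ID group mapping) shown in working code. This is an added example, not SonicWALL or GMS code: it builds an RFC 2865 Access-Request with the PAP User-Password hiding keyed by the shared secret, verifies the Response Authenticator of the reply, and reads Filter-ID attributes into group names. The RADIUS server is a constructed in-memory stand-in (FakeRadiusServer) whose dropped requests simulate timeouts; the retries value is read as the total number of sends, which is an assumption, and no real network or EAP/CHAP handling is involved.

```python
# Added example: RFC 2865 Access-Request/Access-Accept handling for the settings above.
# Not SonicWALL code. Assumes PAP (User-Password) only and an in-memory stand-in server.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11  # RFC 2865 attribute types

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    block), seeded with the Request Authenticator. Obfuscation keyed by the shared secret,
    not strong encryption, so the appliance-to-server path still needs protecting."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value   # Type, Length, Value

def parse_attributes(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_request(secret: bytes, ident: int, user: str, password: str) -> bytes:
    authenticator = os.urandom(16)  # fresh Request Authenticator per request
    attrs = attribute(USER_NAME, user.encode()) + attribute(
        USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Response Authenticator check (RFC 2865 3): ties the reply to our request and secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def groups_from_filter_id(response: bytes) -> list:
    """Filter-ID values are what 'Use RADIUS Filter-ID attribute' maps to user groups."""
    return [v.decode() for t, v in parse_attributes(response[20:]) if t == FILTER_ID]

class FakeRadiusServer:
    """Constructed stand-in: users maps name -> (password, [groups]); drop_first
    simulates a server that never answers the first N requests (timeouts)."""
    def __init__(self, secret: bytes, users: dict, drop_first: int = 0):
        self.secret, self.users, self.drop_first = secret, users, drop_first

    def handle(self, request: bytes):
        if self.drop_first > 0:
            self.drop_first -= 1
            return None
        attrs = dict(parse_attributes(request[20:]))
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        password = reveal_password(self.secret, request[4:20], attrs.get(USER_PASSWORD, b""))
        known = self.users.get(user)
        if known and hmac.compare_digest(known[0].encode(), password):
            filter_ids = b"".join(attribute(FILTER_ID, g.encode()) for g in known[1])
            return build_response(self.secret, request, ACCESS_ACCEPT, filter_ids)
        return build_response(self.secret, request, ACCESS_REJECT)

def authenticate(secret: bytes, server, user: str, password: str, retries: int = 3):
    """Up to `retries` sends (the 'RADIUS Server Retries' value, read here as total attempts).
    Returns (accepted, groups), or None if the server never answered."""
    for attempt in range(retries):
        request = build_access_request(secret, attempt & 0xFF, user, password)
        response = server.handle(request)   # a real client waits 'Timeout' seconds here
        if response is None:
            continue
        if not verify_response(secret, request, response):
            raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
        return response[0] == ACCESS_ACCEPT, groups_from_filter_id(response)
    return None
```

A mistyped shared secret does not show up as a plain "bad password": the server cannot unhide the password and rejects, and the client then fails the Response Authenticator check on the reply, which is the symptom to look for when the Test tab reports Failure for a known-good account.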
Step 1
On the User > Settings page, if you are using Active Directory for authentication select
SonicWALL SSO Agent from the Single sign-on method pull-down list, and then click the
Configure button.
Step 2
In the Transparent Authentication Configuration screen, in the Name or IP Address field, enter
the host name or IP Address of the workstation on which SonicWALL SSO Agent is installed.
Step 3
In Port Number, enter the port number of the workstation on which SonicWALL SSO Agent is
installed. The default port is 2258.
Step 4
In the Shared Key field, enter the shared key that you created or generated in the SonicWALL
SSO Agent. The shared key must match exactly. Re-enter the shared key in the Confirm
Shared Key field.
Step 5
In the Timeout (seconds) field, enter a number of seconds before the authentication attempt
times out.
Step 6
Step 7
Step 8
This setting works in conjunction with the automatically calculated number of user requests per
message to the agent when polling to check the status of logged in users. The number of user
requests per message is calculated based on recent polling response times. SonicOS adjusts
this number as high as possible to minimize the number of messages that need to be sent,
which reduces the load on the agent and helps reduce network traffic between the appliance
and the agent. However, the number is kept low enough to allow the agent to process all of the
user requests in the message within the poll period. This avoids potential problems such as
timeouts and failures to quickly detect logged out users.
Users Tab
Step 9
Step 10 Check the box next to Allow only users listed locally to allow only users listed locally to be
authenticated.
Step 11 Check the box next to Simple user names in local database to use simple user names. This
setting ignores the domain component of a user name. If this box is not checked, user names
in the local database must match exactly the full names returned from the agent, including the
domain component.
Step 12 Check the box next to Allow limited access for non-domain users to allow limited access to
users who are logged in to a computer but not into a domain. These users will not be given
access to the Trusted Users user group. They are identified in logs as
computer-name/user-name. When performing local authentication and the Simple user names
in local database option is disabled, user names must be configured in the local database
using the full computer-name/user-name identification.
Step 13 (Available for SonicOS 5.6 and higher.) Select the Probe users for checkbox and select either
NetAPI or WMI (whichever is configured for the SSO Agent) to attempt browser NTLM
authentication before the SonicWALL SSO Agent attempts to acquire the user information.
This causes the SonicWALL firewall appliance to probe for a response on the NetAPI/WMI port
before requesting that the SSO Agent identify a user. If no response occurs, these devices will
fail SSO immediately. For a Windows PC the probe will generally succeed (unless blocked by a
personal firewall) and the SonicWALL SSO Agent will be used. For a Linux/Mac PC (assuming
it is not running a Samba server) the probe will fail, the SSO Agent will be bypassed and
NTLM authentication will be used when HTTP traffic is sent. A Windows PC whose personal
firewall blocks the probe is handled the same way as a non-Windows host.
NTLM cannot identify the user until they browse with HTTP, so any traffic sent before that will
be treated as unidentified: the default CFS policy will be applied, and any rule requiring
authenticated users will not let the traffic pass.
If NTLM is configured to be used before the SonicWALL SSO Agent, then if HTTP traffic is
received first the user will be authenticated with NTLM; if non-HTTP traffic is received first, the
SonicWALL SSO Agent will be used for authentication.
Step 14 To use LDAP to retrieve user information, select the Use LDAP to retrieve user group
Step 15 To use local configuration, select the Local configuration radio button.
Step 16 In the Polling rate (minutes) field, enter a polling interval, in minutes, that the security
appliance will poll the workstation running SSO Agent to verify that users are still logged on.
Step 17 In the Hold time after (minutes) field, enter a time, in minutes, that the security appliance will
wait before trying again to identify traffic after an initial failure to do so. This feature rate-limits
requests to the agent.
Step 18 (Available for SonicOS 5.6 and higher.) To populate the User names used by Windows
services list, type the service login name in the dialog box (the simple name only, without the
domain or PC name) and click Add. Repeat as necessary for additional user names, and then
click Update.
Enforcement Tab
Note
On appliances running SonicOS versions 5.5 and lower, the Enforcement tab is called the
Content Filter tab. The configuration is identical, regardless of the name of the tab.
Step 19 Click on the Enforcement tab if you want to bypass SSO for traffic from non-user devices such
Step 20 (Available in SonicOS releases 5.6 and higher.) To bypass SSO for traffic from certain devices
or locations and apply the default content filtering policy to the traffic, select the appropriate
address object or address group from the first pull-down menu under SSO Bypass. To bypass
SSO for certain services or types of traffic, select the service from the second pull-down menu.
The first setting is used where traffic that would be subject to security services screening can
emanate from a device other than a user's workstation (such as an internal proxy Web server
or IP phone). It prevents the SonicWALL from attempting to identify such a device as a network
user in order to select the content filtering policy to apply. The default content filtering policy will
be used for all traffic from the selected IP addresses.
The second setting is appropriate for user traffic that does not need to be authenticated, and
triggering SSO might cause an unacceptable delay for the service.
SSO bypass settings do not apply when SSO is triggered by firewall access rules requiring user
authentication. To configure this type of SSO bypass, add access rules that do not require user
authentication for the affected traffic.
Step 22 Click the Add button. The page is updated to display a new row in the table at the top, and new
Step 23 In the Host Name or IP Address(es) field, enter the name or IP address of the terminal server
on which SonicWALL TSA is installed. If the terminal server is multi-homed (has multiple IP
addresses) and you are identifying the host by IP address rather than DNS name, enter all the
IP addresses as a comma-separated list.
As you type in values for the fields, the row at the top is updated in red to highlight the new
information.
Step 24 In the Port field, enter the port number on which SonicWALL TSA listens on the terminal server.
The default port is 2259. Note that agents at different IP addresses can have the same port
number.
Note
In global view, a maximum of 256 TSA agents can be configured. On the unit level, the
maximum depends on the type of SonicWALL appliance.
Step 25 In the Shared Key field, enter the shared key that you created or generated in the SonicWALL
TSA. The shared key must match exactly. Re-enter the shared key in the Confirm Shared Key
field.
Step 28 The Allow traffic from services on the terminal server to bypass user authentication in
access rules checkbox is selected by default. This allows traffic such as Windows updates or
anti-virus updates, which is not associated with any user login session, to pass without
authentication. If you clear this checkbox, traffic from services can be blocked if firewall access
rules require user authentication. In this case, you can add rules to allow access for All to the
services traffic destinations, or configure the destinations as HTTP URLs that can bypass user
authentication in access rules. Traffic that bypasses authentication this way is not attributed to
any user, so keep the set of destinations it may reach as narrow as the services require.
Content Filter Tab
Step 29 Click on the Content Filter tab if you are using the SonicWALL Content Filtering Service (CFS)
Note
The Content Filter tab is only displayed for SonicOS releases 5.5 and lower, and
if Premium CFS is enabled on the SonicWALL security appliance. For SonicOS
releases 5.6 and higher, the Content Filter tab is combined with the Enforcement
tab. See Enforcement Tab on page 375 for more information.
Step 30 To bypass SSO for content filtering traffic and apply the default content filtering policy to the
traffic, select the appropriate address object or address group from the pull-down list. This
setting should be used where traffic that would be subject to content filtering can emanate from
a device other than a user's workstation (such as an internal proxy web server). It prevents the
SonicWALL from attempting to identify such a device as a network user in order to select the
content filtering policy to apply. The default content filtering policy will be used for all traffic from
the selected IP addresses.
Test Tab
Step 31 You can test the Transparent Authentication Configuration settings on the Policies >
Diagnostics > Network page. For more information, click the Test tab.
2.
Check Show guest login status window with logout button to display a user login
window on the user's workstation whenever the user is logged in. Users must keep this
window open during their login session. The window displays the time remaining in their
current session. Users can log out by clicking the Logout button in the login status window.
3.
To create a guest profile, click Add below the Guest Profile list. The Add Guest Profile page
displays.
4.
profile.
Auto-generate user name: Check this to allow guest accounts generated from this
profile to have an automatically generated user name. The user name is usually the
prefix plus a two- or three-digit number.
Auto-generate password: Check this to allow guest accounts generated from this
Enable Account: Check this for all guest accounts generated from this profile to be
Auto-Prune Account: Check this to have the account removed from the database after
Enforce login uniqueness: Check this to allow only a single instance of an account to
be used at any one time. By default, this feature is enabled when creating a new guest
account. If you want to allow multiple users to login with a single account, disable this
enforcement by clearing the Enforce login uniqueness checkbox.
Account Lifetime: This setting defines how long an account remains on the security
appliance before the account expires. If Auto-Prune is enabled, the account is deleted
when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list
of guest accounts with an Expired status, allowing easy reactivation.
Session Lifetime: Defines how long a guest login session remains active after it has
been activated. By default, activation occurs the first time a guest user logs into an
account. Alternatively, activation can occur at the time the account is created by
clearing the Activate account upon first login checkbox. The Session Lifetime
cannot exceed the value set in the Account Lifetime.
Idle Timeout: Defines the maximum period of time when no traffic is passed on an
activated guest services session. Exceeding the period defined by this setting expires
the session, but the account itself remains active as long as the Account Lifetime
hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
2.
3.
Confirm Password: If you did not generate the password, re-enter it.
Enable Guest Services Privilege: Check this for the account to be enabled upon
creation.
Enforce login uniqueness: Check this to allow only one instance of this account to log
into the security appliance at one time. Leave it unchecked to allow multiple users to
use this account at once.
Automatically prune account upon account expiration: Check this to have the
Account Lifetime: This setting defines how long an account remains on the security
appliance before the account expires. If Auto-Prune is enabled, the account is deleted
when it expires. If the Auto-Prune checkbox is cleared, the account remains in the list
of guest accounts with an Expired status, allowing easy reactivation. This setting
overrides the account lifetime setting in the profile.
Session Lifetime: Defines how long a guest login session remains active after it has
been activated. By default, activation occurs the first time a guest user logs into an
account. Alternatively, activation can occur at the time the account is created by
clearing the Activate account upon first login checkbox. The Session Lifetime
cannot exceed the value set in the Account Lifetime. This setting overrides the
session lifetime setting in the profile.
Idle Timeout: Defines the maximum period of time when no traffic is passed on an
activated guest services session. Exceeding the period defined by this setting expires
the session, but the account itself remains active as long as the Account Lifetime
hasn't expired. The Idle Timeout cannot exceed the value set in the Session Lifetime.
This setting overrides the idle timeout setting in the profile.
4.
Click Update.
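The Account Lifetime, Session Lifetime, Idle Timeout, Auto-Prune, activation and login-uniqueness rules described for guest profiles and for individual guest accounts above, as one small model. This is an added example, not SonicWALL code: it enforces the two ordering constraints the page states, activates an account at creation or at first login, ends a session on idle or lifetime expiry while keeping the account until Account Lifetime, and either prunes or lists the account as Expired. The status names and the assumption that a guest may log in again after an idle timeout (while the session window is still open) are the example's own.

```python
# Added example (not SonicWALL code): guest account and session lifetimes as a state model.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class GuestPolicy:
    account_lifetime: int          # minutes from creation until the account expires
    session_lifetime: int          # minutes a session stays usable after activation
    idle_timeout: int              # minutes without traffic before the session ends
    auto_prune: bool = True        # delete on expiry instead of listing as Expired
    activate_on_first_login: bool = True
    enforce_login_uniqueness: bool = True

    def __post_init__(self) -> None:
        # The two ordering constraints the page states.
        if self.session_lifetime > self.account_lifetime:
            raise ValueError("Session Lifetime cannot exceed Account Lifetime")
        if self.idle_timeout > self.session_lifetime:
            raise ValueError("Idle Timeout cannot exceed Session Lifetime")


class GuestAccount:
    def __init__(self, name: str, policy: GuestPolicy, created_at: int):
        self.name, self.policy, self.created_at = name, policy, created_at
        # Activation starts the Session Lifetime clock: at creation or at first login.
        self.activated_at: Optional[int] = None if policy.activate_on_first_login else created_at
        self.last_activity: Optional[int] = None
        self.logins = 0          # concurrent logins on this account
        self.pruned = False

    def _account_expired(self, now: int) -> bool:
        return now >= self.created_at + self.policy.account_lifetime

    def _session_over(self, now: int) -> bool:
        return self.activated_at is not None and now >= self.activated_at + self.policy.session_lifetime

    def _idle(self, now: int) -> bool:
        return self.logins > 0 and now - self.last_activity >= self.policy.idle_timeout

    def tick(self, now: int) -> None:
        """Housekeeping the appliance runs periodically: end sessions, prune accounts."""
        if self._account_expired(now):
            self.logins = 0
            if self.policy.auto_prune:
                self.pruned = True
        elif self._session_over(now) or self._idle(now):
            self.logins = 0   # session ends; the account stays until Account Lifetime

    def status(self, now: int) -> str:
        if self.pruned or (self._account_expired(now) and self.policy.auto_prune):
            return "pruned"
        if self._account_expired(now):
            return "expired"               # kept in the list for easy reactivation
        if self.activated_at is None:
            return "not activated"
        if self._session_over(now):
            return "session expired"
        return "logged in" if self.logins else "activated, no session"

    def login(self, now: int) -> Tuple[bool, str]:
        self.tick(now)
        if self.pruned or self._account_expired(now):
            return False, "account expired"
        if self.activated_at is None:
            self.activated_at = now        # first login activates the account
        if self._session_over(now):
            return False, "session lifetime exhausted"
        if self.policy.enforce_login_uniqueness and self.logins:
            return False, "already logged in"
        self.logins += 1
        self.last_activity = now
        return True, "ok"

    def traffic(self, now: int) -> bool:
        """Record traffic; returns False if the session had already timed out."""
        self.tick(now)
        if self.logins:
            self.last_activity = now
        return self.logins > 0
```

Note that an idle timeout ends only the session: the account's own clock keeps running from creation, so a long Account Lifetime with a short Session Lifetime limits how long a leaked guest password is usable after the guest first logs in.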
Note
In order for changes on this page to take effect, the SonicWALL(s) will automatically be
restarted. We recommend configuring these options when network activity is low.
To add a user, perform the following steps:
1.
Expand the Users tree and click Settings. The User Settings page displays.
2.
To only allow users that are configured locally, but to still use RADIUS to
authenticate them, select the Allow only users listed below check box.
To grant users the privileges that are configured locally, but to still use RADIUS for
authentication, select the Include privileges from users listed locally checkbox.
To bypass RADIUS and only authenticate using the local user database, select Local
3.
Remote Access: enables the users to access LAN resources from the Internet.
This option is only available in Standard mode.
Bypass Filters: enables Bypass Filters if the user can bypass Content Filtering
settings.
Access to VPNs: enables the users to send information over the VPN Security
Associations.
Access from VPN Client with XAUTH: use if a VPN client is using XAUTH for
authentication.
Easy WGS MAC Filtering: enables (and enforces) MAC address filtering for
wireless guest service-enabled connections.
Enter the password in the New Password field and reenter it in the Confirm
Password field.
Inactivity timeout (minutes): users can be logged out of the SonicWALL after a
preconfigured inactivity time. Enter the number of minutes in this field. The default value is
5 minutes.
Enable login session limit: you can limit the time a user is logged into the SonicWALL by
selecting the check box and typing the amount of time, in minutes, in the Login session
limit (minutes) field. The default value is 30 minutes.
Login session timeout: defines how much time a user has to log in before the login page
times out. If it times out, a message displays saying they must click before attempting to
log in again.
Show user login status window with logout button: causes a status window to display
with a Log Out button during the user's session. The user can click the Log Out button to
log out of their session.
User's login status window refreshes every: determines how often the user's status
display is updated.
Enable disconnected user detection: causes the SonicWALL to detect when a user's
connection is no longer valid and end the session.
User's login status window sends heartbeat every (seconds): sets the frequency of the
heartbeat signal used to detect whether the user still has a valid connection.
Allow unauthenticated VPN users to access DNS: allows unauthenticated users access
to DNS servers across a VPN tunnel with authentication enforcement. Enable this only if
clients must resolve names before they can log in, since it makes the DNS servers reachable
to every tunnel peer that has not yet authenticated.
Expand the Users tree and click User ULA Settings. The User ULA Settings page
displays.
2.
To only allow authenticated users to access the Internet, select the Allow only
authenticated users to access the Internet check box.
3.
To allow unauthenticated users to access a service, select the service in the Always allow
these services area and click Add. Repeat this step for each service to add.
4.
To specify a range of IP addresses that will always be allowed to access the Internet, enter
the IP address in the Begin field and the size of the range in the Length field. Repeat this
step for each range to add.
5.
When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
RADIUS Users
1.
Bypass Filters: enables Bypass Filters if the user can bypass Content Filtering
settings.
Access to VPNs: enables the users to send information over the VPN Security
Associations.
Access from VPN Client with XAUTH: use if a VPN client is using XAUTH for
authentication.
Access L2TP Client from VPN Client: enables the user to connect using an L2TP
Easy WGS MAC Filtering: enables (and enforces) MAC address filtering for wireless
the SonicWALL interface. Access is limited to the General page (Status, Network,
Time), the Log page (View Log, Log Settings, Log Reports), and the Tools page
(Restart, Diagnostics minus Tech Support).
Allow Only Users Listed Locally: Disallows access to RADIUS users, except for
To test your RADIUS Client user name and password, perform the following steps:
1.
2.
Enter a valid user name in the User field, and the password in the Password field.
3.
If the validation is successful, the Status message changes to Success. If the validation fails,
the Status message changes to Failure. Once the SonicWALL has been configured, a VPN
Security Association requiring RADIUS authentication prompts incoming VPN clients to type a
User Name and Password into a dialog box.
CHAPTER 17
Configuring App Control
This chapter describes how to configure App Control policies for SonicWALL firewalls from
SonicWALL GMS. This chapter includes the following sections:
App Control > App Rules The App Rules page provides a way to create a targeted App
Control policy using match objects, action objects, or email address objects. These objects
allow you to be very specific about what to look for in the traffic and provide a number of
ways to control it, including bandwidth management and custom actions. App Rules
policies can define the type of applications to scan, the traffic direction, the content or
keywords to match, the user or domain to match, and the action to perform. For ease of
use, you can create App Rules policies for any of the categories, applications, or signatures
that are also available on the App Control > Advanced page.
App Control > Advanced The Advanced page provides a simple and direct way of
configuring global App Control policies. An App Control > Advanced policy defines whether
to block or log an application, which users, groups, or IP address ranges to include or
exclude, and a schedule for enforcement. You can quickly enable blocking or logging for a
whole category of applications, or can just as easily locate and do the same for an individual
application or individual signature. Once enabled, the category, application, or signature is
blocked or logged globally without the need to create a policy on the App Rules page.
App Control is licensed together in a bundle with other security services, including SonicWALL
Gateway Anti-Virus (GAV), Anti-Spyware, and Intrusion Prevention Service (IPS).
You must enable App Control before you can use it. App Control > App Rules and App Control
> Advanced are both enabled with global settings, and App Control must also be enabled on
each network zone that you want to control.
SonicWALL GMS supports App Control on SonicWALL firewall appliances that are running
SonicOS 5.8.1.4 firmware or higher. The units must be licensed for Gateway Anti-Virus.
App Control is supported for Firewalls at the group level and unit level in SonicWALL GMS.
When a unit is selected that is running a version of SonicOS lower than 5.8.1.4, the App Control
menu group is not visible in the middle panel. However, when the group level is selected, the
App Control menu group is available and you can configure objects and policies, even if the
group does not yet contain a unit running 5.8.1.4 or higher. This allows you to prepare the policy
configuration prior to bringing a unit with 5.8.1.4 under GMS management.
Inheritance is supported for App Control policies and configurations. Inheritance in SonicWALL
GMS allows a node's settings to be inherited to and from unit, group and parent nodes. For
more information about inheritance, see Chapter 38, Managing Inheritance in SonicWALL
GMS.
On SonicWALL TZ 100 and 200 series appliances, the Security Services > Application Control
screen in the SonicOS interface corresponds to the App Control > Advanced screen in
SonicWALL GMS. TZ 100 and 200 boxes do not support App Rules policies. This means that
the App Rules, Match Objects, Action Objects, and Email Address Objects screens do not
appear for these models.
For related information and use case configurations, see the Use Cases section on page 445
as well as the SonicOS 5.8.1 Application Control Feature Module, available on
www.sonicwall.com at:
http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=455
Note
Changing the Bandwidth Management Type on the Firewall > BWM page from Global to
WAN, or from WAN to Global, automatically sets the Medium priority action object for any
policies using predefined Global or WAN BWM action objects. If Bandwidth Management
Type is set to None on the Firewall > BWM page, you will have to change the action object
of the policy manually to replace the predefined Global or WAN BWM action objects.
See Configuring Application Layer Bandwidth Management on page 431 for more
information.
See the following sections for configuration information about the settings on this page:
Step 2
On the Policies tab, on the App Control > App Rules page, select the Enable App Rules
checkbox to enable App Control on this unit or group.
Step 3
Enter the minimum number of seconds between log entries for multiple matches of the same
policy in the Global Log Redundancy Filter field. If set to zero, a log entry is created for each
policy match.
This global setting applies to all App Rules policies. You can also set custom log redundancy
for an individual policy in the Add/Edit Policy screen. Per-policy settings override the global
setting.
Step 4
Click Update to apply changes in the global settings. Click Reset to clear all changes on the
page and return fields to their default values.
Step 2
On the Policies tab, on the App Control > App Rules page, select one of the following search
objects from the first Search pull-down list:
Object: the full or partial name of the match object in the policy
Action: the full or partial name of the action object used in the policy
Step 3
Select one of the following operators from the next pull-down list:
Equals: search for any policy in which the search object exactly matches the target value
Starts with: search for any policy in which the search object begins with the target value
Ends with: search for any policy in which the search object ends with the target value
Contains: search for any policy in which the search object contains the target value
Step 4
In the text box, type in the target value that you are searching for in the Name, Object, or Action
search object.
Step 5
Click Search to search your policies for one or more matches. Click Clear to set the search
fields back to defaults.
The App Rules Policies list changes to display only the policies found by your search.
For example, after selecting App Control Content as the Policy Type, the display changes to
show only policies of the App Control Content type.
To filter the display by a specific type of action used in the policy, select the desired type from
the Action Type pull-down list.
For example, after selecting App Control Content as the Policy Type, you could select
Reset/Drop as the Action Type. The display changes to show only App Control Content type
policies that use a Reset/Drop action type.
To change the display back to the default showing all policies, either select All for both Policy
Type and Action Type, or simply navigate away from the page and then back to it.
For example, clicking the Name heading sorts the policies alphabetically by the first letter of the
policy name, from A at the top to Z at the bottom. A small upward-pointing arrow is displayed
next to the Name heading, indicating that, if the heading is clicked again, the list will be sorted
in descending order by name (Z to A).
Clicking the heading once more returns the list to ascending order.
Names beginning with a symbol or number come before names beginning with any alphabetical
character. When sorting by Object name, automatically created objects beginning with tilde (~)
come before objects beginning with any alphabetical character. The same holds true if you use
a symbol or number as the first character when naming an object, action, or policy.
When sorting by the Enable heading, the first click places all enabled policies at the top of the
list. Clicking again puts disabled policies at the top.
Heading        Tooltip Displays
Name           (depends on the policy settings; see note below)
Policy Type    N/A
Object         (depends on the object settings; see note below)
Action         (depends on the action settings; see note below)
Direction      N/A
Comments       (depends on the policy settings; see note below)
Enable         N/A
The actual information displayed depends on the settings configured for the policy or object.
Reference the match object and action when you create the policy
When you create a policy, you select a policy type. Each policy type specifies the values or
value types that are valid for the source, destination, match object type, and action fields in the
policy.
You can further define the policy to include or exclude specific users or groups, select a
schedule, turn on logging, and specify the connection side as well as basic or advanced
direction types. A basic direction type simply indicates inbound or outbound. An advanced
direction type allows zone to zone direction configuration, such as from the LAN to the WAN.
Step 2
Navigate to the App Control > App Rules page on the Policies tab.
Step 3
Step 4
In the App Control Policies Settings window, type a descriptive name into the Policy Name
field.
Step 5
Select a Policy Type from the pull-down list. Your selection here will affect available options in
the window. For information about available policy types, see Policy Type Reference on
page 398.
Step 6
Select a source and destination Address Group or Address Object from the Address pull-down
lists. Only a single Address field is available for IPS Content, App Control Content, or CFS
policy types.
Step 7
Select the source or destination service from the Service pull-down lists. Some policy types do
not provide a choice of service.
Step 8
For Exclusion Address, optionally select an Address Group or Address Object from the
pull-down list. This address will not be affected by the policy.
Step 9
For Match Object, select a match object from the pull-down list. The list contains the defined
match objects that are applicable to the policy type.
Step 10 For Action, select an action from the pull-down list. The list contains actions that are applicable
to the policy type and the match object, and can include the predefined actions, plus any
customized actions. For a log-only policy, select No Action.
Step 11 For Users/Groups, select from the pull-down lists for both Included and Excluded. The
selected users or group under Excluded will not be affected by the policy.
Step 12 If the policy type is SMTP Client, select from the pull-down lists for MAIL FROM and RCPT TO,
for both Included and Excluded. The selected users or group under Excluded will not be
affected by the policy.
Step 13 For Schedule, select from the pull-down list. The list provides a variety of schedules for the
policy to be in effect.
Step 14 Select the Enable Flow Reporting checkbox to enable internal and external flow reporting
based on data flows, connection related flows, non-connection related flows regarding
applications, viruses, spyware, intrusions, and other information.
Step 15 If you want the policy to create a log entry when a match is found, select the Enable Logging
checkbox.
Step 16 To record more details in the log, select the Log individual object content checkbox.
Step 17 If the policy type is IPS Content, select the Log using IPS message format checkbox to
display the category in the log entry as Intrusion Prevention rather than Application Control,
and to use a prefix such as IPS Detection Alert in the log message rather than Application
Control Alert. This is useful if you want to use log filters to search for IPS alerts.
Step 18 If the policy type is App Control Content, select the Log using App Control message format
checkbox to display the category in the log entry as Application Control, and to use a prefix
such as Application Control Detection Alert in the log message. This is useful if you want to
use log filters to search for Application Control alerts.
Step 19 If the policy type is CFS, select the Log using CFS message format checkbox to display the
category in the log entry as Network Access, and to use a log message such as Web site
access denied in the log message rather than no prefix. This is useful if you want to use log
filters to search for content filtering alerts.
Step 20 For Log Redundancy Filter, you can either select Global Settings to use the global value set
on the App Control > App Rules page, or you can enter a number of seconds to delay between
each log entry for this policy. The local setting overrides the global setting only for this policy;
other policies are not affected.
Step 21 For Connection Side, select from the pull-down list. The available choices depend on the
policy type and can include Client Side, Server Side, or Both, referring to the side where the
traffic originates. IPS Content, App Control Content, or CFS policy types do not provide this
configuration option.
Step 22 For Direction, click either Basic or Advanced and select a direction from the pull-down list.
Basic allows you to select Incoming, Outgoing, or Both. Advanced allows you to select
between zones, such as LAN to WAN. IPS Content, App Control Content, or CFS policy types
do not provide this configuration option.
Step 23 If the policy type is IPS Content, App Control Content, or CFS, select a zone from the Zone
Step 24 If the policy type is CFS, select an entry from the CFS Allow List pull-down list. The list
contains any defined CFS Allow/Forbidden List type of match objects, and also provides
None as a selection. The domains in the selected entry will not be affected by the policy.
Step 25 If the policy type is CFS, select an entry from the CFS Forbidden List pull-down list. The list
contains any defined CFS Allow/Forbidden List type of match objects, and also provides
None as a selection. The domains in the selected entry will be denied access to matching
content, instead of having the defined action applied.
Step 26 If the policy type is CFS, select the Enable Safe Search Enforcement checkbox to prevent
safe search enforcement from being disabled on search engines such as Google, Yahoo, Bing,
and others.
Step 27 Click OK. The Modify Task Description and Schedule window displays.
Step 28 A description is automatically added in the Description field. Optionally change the
description.
Step 29 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to activate this policy using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Step 30 Click Accept to save the policy with this schedule. Click Cancel to exit without saving the
policy.
At the unit level, you may need to refresh the App Control > App Rules page to see your new
policy in the list.
Step 2 Navigate to the App Control > App Rules page on the Policies tab.
Step 3 To enable a policy, select the checkbox in the Enable column for that policy. To disable the policy, clear the checkbox.
Step 4 Click the Update button. The Modify Task Description and Schedule window displays.
Step 5 Select the Schedule settings, then click Accept to save the policy with this schedule. Click Cancel to exit without saving the policy.
Step 2 Navigate to the App Control > App Rules page on the Policies tab.
Step 3
Step 4 To delete one or more policies, select the checkboxes for the ones to delete and click Delete Policy(s), and then click OK in the confirmation dialog.
Policy Types

App Control Content
Description: Policy using dynamic Application Control related objects for any application layer protocol
Valid Source Service / Default: N/A
Valid Destination Service / Default: N/A
Valid Match Object Type: Application Category List, Application List, Application Signature List
Valid Action Type: Reset/Drop, No Action, Bypass DPI, Packet Monitor, BWM Global-*, WAN BWM *
Connection Side: N/A

CFS
Description: Policy for content filtering
Valid Source Service / Default: N/A
Valid Destination Service / Default: N/A
Valid Match Object Type: CFS Category List, CFS Allow / Forbidden List
Valid Action Type: CFS Block Page, Packet Monitor, No Action, BWM Global-*, WAN BWM *
Connection Side: N/A

Custom Policy
Valid Source Service / Default: Any / Any
Valid Match Object Type: Custom Object
Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
Connection Side: Client Side, Server Side, Both

FTP Client
Description: Any FTP command transferred over the FTP control channel
Valid Source Service / Default: Any / Any
Valid Destination Service / Default: Any / Any
Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action
Connection Side: Client Side

FTP Client File Upload
Description: An attempt to upload a file over FTP (STOR command)
Valid Source Service / Default: Any / Any
Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
Connection Side: Client Side

FTP Client File Download
Description: An attempt to download a file over FTP (RETR command)
Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
Connection Side: Client Side

FTP Data Transfer
Description: Data transferred over the FTP Data channel
Valid Source Service / Default: Any / Any
Valid Match Object Type: File Content Object
Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action
Connection Side: Both

HTTP Client
Valid Source Service / Default: Any / Any
Connection Side: Client Side

HTTP Server
Description: Response originated by an HTTP Server
Valid Source Service / Default: Any / Any
Valid Destination Service / Default: Any / HTTP (configurable)
Valid Match Object Type: ActiveX Class ID, HTTP Set Cookie, HTTP Response, File Content Object, Custom Header, Custom Object
Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
Connection Side: Server Side

IPS Content
Description: Policy using dynamic Intrusion Prevention related objects for any application layer protocol
Valid Source Service / Default: N/A
Valid Destination Service / Default: N/A
Valid Match Object Type: IPS Signature Category List, IPS Signature List
Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action, BWM Global-*, WAN BWM *
Connection Side: N/A

POP3 Client
Description: Policy to inspect traffic generated by a POP3 client; typically useful for a POP3 server admin
Valid Source Service / Default: Any / Any
Valid Destination Service / Default: POP3 (Retrieve Email) / POP3 (Retrieve Email)
Valid Match Object Type: Custom Object
Valid Action Type: Reset/Drop, Bypass DPI, Packet Monitor, No Action
Connection Side: Client Side

POP3 Server
Description: Policy to inspect email downloaded from a POP3 server to a POP3 client; used for email filtering
Valid Source Service / Default: POP3 (Retrieve Email) / POP3 (Retrieve Email)
Valid Destination Service / Default: Any / Any
Valid Match Object Type: Email Body, Email CC, Email From, Email To, Email Subject, File Name, File Extension, MIME Custom Header
Valid Action Type: Reset/Drop, Disable attachment, Bypass DPI, No action
Connection Side: Server Side

SMTP Client
Description: Policy applies to SMTP traffic that originates on the client
Valid Source Service / Default: Any / Any
Valid Destination Service / Default: SMTP (Send Email) / SMTP (Send Email)
Valid Match Object Type: Email Body, Email CC, Email From, Email To, Email Size, Email Subject, Custom Object, File Content, File Name, File Extension, MIME Custom Header
Valid Action Type: Reset/Drop, Block SMTP E-Mail Without Reply, Bypass DPI, Packet Monitor (1), No Action
Connection Side: Client Side

1. Packet Monitor action not supported for File Name or File Extension Custom Object
Specify users, groups, or IP address ranges to include in or exclude from the action.
The App Control > Advanced screen provides application signatures management for all
supported firewalls running SonicOS 5.8.1.4 or higher.
Only 50 rows can be displayed in this page. To view additional rows, use the pagination controls
to the right of the Items field.
The App Control > Advanced page provides an App Control View Style section. When you
select Application or Signature in the Viewed By field in this section, the listed items are
displayed as links in the App Control Advanced section. You can click these links for more
details about the application or signature. A summary is provided, as well as information from
Wikipedia, if available.
Note
When All is selected in the Category pull-down list while Viewed By is set to Category, and
then one of the category links is clicked, the View Style settings are changed to select that
category in the Category pull-down list and set Viewed By to Application, displaying all
the applications in that category.
See the following sections:
The Status section also displays the expiration date of the App Control Service license. If the
service expires, no new signatures are downloaded to the appliance from MySonicWALL.
A link to the Network > Zones page is provided next, for convenient navigation. You must
enable App Control on each zone where you want it to inspect network traffic. If App Control is
not enabled on any zones, a warning is displayed here. See Enabling App Control on Network
Zones on page 403 for a description of enabling App Control on a network zone.
Note
App Control policies are applied to traffic within a network zone only if you enable the App
Control Service for that zone. App Rules policies are independent, and not affected by the
App Control setting for network zones.
Step 2 On the Policies tab, on the App Control > Advanced page, click Network > Zones in the App Control Status section at the top of the page.
Step 3 On the Network > Zones page, click the Edit icon for the desired zone. The Edit Network Zone screen displays.
Step 4
Step 5 Click OK. The Modify Task Description and Schedule window displays.
Step 6
Step 7 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to enable the configuration by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
Step 8 Click Accept to enable the configuration on this schedule. Click Cancel to exit without saving the configuration.
Configure App Control Settings Configure a global exclusion list for App Control
Reset App Control Settings & Policies Delete all App Control configuration and policies
for the selected unit or for all units in the selected group
Step 2 On the Policies tab, navigate to the App Control > Advanced page.
Step 3 In the App Control Global Settings area, select the Enable App Control checkbox to globally enable App Control.
App Control policies are applied to traffic within a network zone only if you enable the App Control Service for that zone. See Enabling App Control on Network Zones on page 403 for a description of enabling App Control on a network zone.
Step 4 Click the Update button. The Modify Task Description and Schedule window displays.
Step 5
Step 6 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to enable App Control Advanced policies by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
Step 7 Click Accept to enable App Control Advanced policies on this schedule. Click Cancel to exit without saving the configuration.
Step 1
Step 2 On the Policies tab, navigate to the App Control > Advanced page.
Step 3 In the App Control Global Settings area, click Configure App Control Settings to bring up the App Control Exclusion List window.
Step 4 Select the Enable Application Control Exclusion List to activate the exclusion options in the window.
Step 5 To use the IPS exclusion list, which can be configured from the Security Services > Intrusion Prevention page, select the Use IPS Exclusion List radio button.
Step 6 To use an address object for the exclusion list, select the Use Application Control Exclusion Address Object radio button, and then select an address object from the pull-down list.
Step 7 Click OK. The Modify Task Description and Schedule window displays.
Step 8
Step 9 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to enable the exclusion list by using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
Step 10 Click Accept to enable the exclusion list on this schedule. Click Cancel to exit without saving the configuration.
Step 2 On the Policies tab, navigate to the App Control > Advanced page.
Step 3 In the App Control Global Settings area, click Update App Control Signature Database. The Modify Task Description and Schedule window displays.
Step 4
Step 5 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to synchronize the database using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
Step 6 Click Accept to synchronize the database on this schedule. Click Cancel to exit without saving the configuration.
Step 2 On the Policies tab, navigate to the App Control > Advanced page.
Step 3 In the App Control Global Settings area, click the Reset App Control Settings & Policies button.
Step 4 Click OK in the confirmation dialog box. The Modify Task Description and Schedule window displays.
Step 5
Step 6 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to perform the reset using the pull-down lists for the hour, minute, time zone, month, and year. If your GMS deployment includes Agents in different time zones, you can select among them in the time zone pull-down list. Select the date from the calendar.
Step 7 Click Accept to perform the reset on this schedule. Click Cancel to exit without saving the configuration.
Specify users, groups, or IP address ranges to include in or exclude from the action.
While these application control settings are independent from App Rules policies, you can also
create application match objects for any of the categories, applications, or signatures available
here, and use those match objects in an App Rules policy.
See the following sections:
Step 2 On the Policies tab, on the App Control > Advanced page in the App Control View Style section, select Category from the Viewed By pull-down list. The list of available categories is displayed in the App Control Advanced section. Each category has a Configure button in its row.
Step 3 Click the Configure button in the row for the category you want to work with. The App Control Category Settings window opens.
Step 4 Alternatively, select an application category from the Category pull-down list in the View Style area. A Configure button appears to the right of the field as soon as a category is selected. Click the Configure button to open up the App Control Category Settings window for the selected category.
Step 5 To block applications in this category, select Enable in the Block pull-down list.
Step 6 To create a log entry when applications in this category are detected, select Enable in the Log pull-down list.
Step 7 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups pull-down list. Select All to apply the policy to all users.
Step 8 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups pull-down list. Select None to apply the policy to all users.
Step 9 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range pull-down list. Select All to apply the policy to all IP addresses.
Step 10 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range pull-down list. Select None to apply the policy to all IP addresses.
Step 11 To enable this policy during specific days of the week and hours of the day, select one of the
Step 12 To specify a delay between log entries for repetitive events, type the number of seconds for the
Step 13 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.
Step 14 A description is automatically added in the Description field. Optionally change the
description.
Step 15 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to enable the policy by using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Step 16 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.
This configuration method allows you to create policy rules specific to a single application if you
want to enforce the policy settings only on the signatures of this application without affecting
other applications in the same category.
To configure an App Control policy for a specific application:
Step 1
Step 2 On the Policies tab, on the App Control > Advanced page in the App Control View Style area, first select a category from the Category pull-down list.
Step 3 Next, select Application in the Viewed By pull-down list. The list of available applications in the selected category is displayed in the App Control Advanced section. Each application has a Configure button in its row.
Step 4 Click the Configure button in the row for the application you want to work with. The App Control App Settings window opens.
Step 5 Alternatively, select an application in this category from the Application pull-down list. A Configure button appears to the right of the field as soon as an application is selected. Click the Configure button to open up the App Control App Settings window for the selected application.
Step 6 The fields at the top of the window display the values for the App Category Name and App Name, and are not editable. In the other fields, the application configuration parameters default to the current settings of the category to which the application belongs. To retain this connection to the category settings for one or more fields, leave the selection in place for those fields.
Step 7
Step 8 To create a log entry when this application is detected, select Enable in the Log pull-down list.
Step 9 To target the selected block or log actions to a specific user or group of users, select a user group or individual user from the Included Users/Groups pull-down list. Select All to apply the policy to all users.
Step 10 To exclude a specific user or group of users from the selected block or log actions, select a user group or individual user from the Excluded Users/Groups pull-down list. Select None to apply the policy to all users.
Step 11 To target the selected block or log actions to a specific IP address or address range, select an Address Group or Address Object from the Included IP Address Range pull-down list. Select All to apply the policy to all IP addresses.
Step 12 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range pull-down list. Select None to apply the policy to all IP addresses.
Step 13 To enable this policy during specific days of the week and hours of the day, select one of the
Step 14 To use the same Log Redundancy Filter settings that are set for the entire category, leave the
Use Category Settings checkbox selected. To specify a different delay between log entries for
repetitive events, clear the Use Category Settings checkbox and type the number of seconds
for the delay into the Log Redundancy Filter field.
Step 15 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.
Step 16 A description is automatically added in the Description field. Optionally change the
description.
Step 17 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to enable the policy by using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Step 18 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.
Step 2 On the Policies tab, on the App Control > Advanced page, first select a category from the Category pull-down list.
Step 3 Next, select an application in this category from the Application pull-down list.
Step 4 To display the specific signatures for this application, select Signature in the Viewed by pull-down list.
The Farmville gaming application has three signatures.
Step 5 Click the Configure button in the row for the signature you want to work with. The App Control Signature Settings window opens.
Step 6 Alternatively, enter the Signature ID, shown in the ID column, into the Lookup Signature ID field and click the Configure button next to the field to open the App Control Signature Settings window.
Step 7 In the App Control Signature Settings window, several fields at the top of the window are not editable. These fields display the values for the Signature Category, Signature Name, Signature ID, Application ID, Priority, and Direction of the traffic in which this signature can be detected.
In the other fields, the default policy settings for the signature are set to the current settings for the application to which the signature belongs. To retain this connection to the application settings for one or more fields, leave the selection in place for those fields.
Step 8
Step 9 To create a log entry when this signature is detected, select Enable in the Log pull-down list.
Step 10 To target the selected block or log actions to a specific user or group of users, select a user
group or individual user from the Included Users/Groups pull-down list. Select All to apply the
policy to all users.
Step 11 To exclude a specific user or group of users from the selected block or log actions, select a user
group or individual user from the Excluded Users/Groups pull-down list. Select None to apply
the policy to all users.
Step 12 To target the selected block or log actions to a specific IP address or address range, select an
Address Group or Address Object from the Included IP Address Range pull-down list. Select
All to apply the policy to all IP addresses.
Step 13 To exclude a specific IP address or address range from the selected block or log actions, select an Address Group or Address Object from the Excluded IP Address Range pull-down list. Select None to apply the policy to all IP addresses.
Step 14 To enable this policy during specific days of the week and hours of the day, select one of the
Step 15 To use the same Log Redundancy Filter settings that are set for all signatures in the
application, leave the Use App Settings checkbox selected. To specify a different delay
between log entries for repetitive events, clear the Use App Settings checkbox and type the
number of seconds for the delay into the Log Redundancy Filter field.
Step 16 To view more details about the signature, click the Note: Click here for comprehensive
information regarding this signature. The SonicWALL Security Center page for the signature
is displayed.
Step 17 Click OK. The Modify Task Description and Schedule window displays, for GMS scheduling.
Step 18 A description is automatically added in the Description field. Optionally change the
description.
Step 19 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to enable the policy by using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Step 20 Click Accept to save the configuration. Click Cancel to exit without saving the configuration.
If you have configured any settings for Users/Groups, IP Address Range, or Schedule fields,
icons are displayed in the Comments column for the entry on the App Control > Advanced
page. You can hover your mouse pointer over the icons to display a tooltip with the configured
settings.
For example, clicking the Application heading sorts all rows alphabetically by the first letter of
the application name, from numbers at the top to Z at the bottom. Names beginning with a
symbol or number come before names beginning with any alphabetical character.
To resort the list in ascending order, click the heading a second time.
Match objects represent the set of conditions which must be matched in order for actions to take
place. This includes the object type, the match type (exact, partial, prefix, or suffix), the input
representation (text or hexadecimal), and the actual content to match.
Hexadecimal input representation is used to match binary content such as executable files,
while text input representation is used to match things like file or email content. You can also
use hexadecimal input representation for binary content found in a graphic image. Text input
representation could be used to match the same graphic if it contains a certain string in one of
its properties fields.
The maximum size for a match object is 8192 (8K) bytes. Match objects do not provide
matching for regular expressions on appliances running SonicOS 5.8.1.x. You can use a proxy
server for this functionality.
The File Content match object type provides a way to match a pattern or keyword within a
compressed (zip/gzip) file. This type of match object can only be used with FTP Data Transfer,
HTTP Server, or SMTP Client policies.
Note
The App Control > Match Objects page might not contain values in all columns for some
types of match objects, when those fields are not applicable to those particular match object
types.
Step 2 On the Policies tab, on the App Control > Match Objects page, select one of the following search objects from the first Search pull-down list:
Object Type the object type of the match object; see Table 15 on page 424 for the list of match object types
Match Type the match type, one of Exact, Partial, Prefix, Suffix, used in the match object
Step 3 Select one of the following operators from the next pull-down list:
Equals search for any match object in which the name exactly matches the target value
Starts with search for any match object in which the name begins with the target value
Ends with search for any match object in which the name ends with the target value
Contains search for any match object in which the name contains the target value
= (Equals sign) search for any match object in which the object type or match type exactly matches the selected target value
Step 4 When searching for a Name, a text box is displayed to the right of the operator. In the text box, type the target value that you are searching for in the match object name.
Step 5 When searching for an Object Type or Match Type, select the target value from the pull-down list to the right of the operator.
Step 6 Click Search to search your objects for one or more matches. Click Clear to set the search fields back to defaults.
The Match Objects list changes to display only the match objects found by your search.
Step 2 Navigate to the App Control > Match Objects page on the Policies tab.
Step 3
Step 4 In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object.
Step 5 Select a Match Object Type from the pull-down list. Your selection here will affect available options in this screen. See Table 15 on page 424 for a description of Match Object Types.
Step 6 Select a Match Type from the pull-down list. The available selections depend on the Match Object Type.
Step 7 See the Extra Properties column in Table 15 on page 424 for a description of the additional fields and options that may appear on the page for different Match Object Types. Select the desired values for any additional fields or options.
Step 8 For the Input Representation, click Alphanumeric to match a text pattern, or click Hexadecimal if you want to match binary content.
You can use a hex editor or a network protocol analyzer like Wireshark to obtain hex format for
binary files.
Step 9
The Enable Negative Matching checkbox may be available, depending on the Match Type.
Select the checkbox to match anything except the pattern in the Content text box. See
Negative Matching on page 419 for more information about using this option.
Step 10 In the Content text box, type the pattern to match, and then click Add. The content appears in
You can add multiple entries to create a list of content elements to match. All content that you
provide in a match object is case-insensitive for matching purposes. List entries are matched
using the logical OR, so if any item in the list is matched, the action for the policy is executed.
Step 11 Alternatively, you can click Load From File to import a list of elements from a text file. Each
element in the file must be on a line by itself. The maximum file size is limited to 8192 bytes.
Step 12 To remove an element from the list, select the element in the List box and then click Remove.
Step 13 Click OK. The Modify Task Description and Schedule window displays.
Step 14 A description is automatically added in the Description field. Optionally change the
description.
Step 15 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to activate this object using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Step 16 Click Accept to save the match object with this schedule. Click Cancel to exit without saving
At the unit level, you may need to refresh the App Control > Match Objects page to see your
new match object in the list.
Negative Matching
Negative matching provides an alternate way to specify which content to block. You can enable
negative matching in a match object when you want to block everything except a particular type
of content. When you use the object in a policy, the policy will execute actions based on
absence of the content specified in the match object. Multiple list entries in a negative matching
object are matched using the logical AND, meaning that the policy action is executed only when
all specified negative matching entries are matched.
Although all App Rules policies are DENY policies, you can simulate an ALLOW policy by using
negative matching. For instance, you can allow email .txt attachments and block attachments
of all other file types. Or you can allow a few types, and block all others.
Not all match object types can utilize negative matching. For those that can, you will see the
Enable Negative Matching checkbox on the Match Object Settings screen.
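How the match object settings described above (match type, Alphanumeric or Hexadecimal input representation, case-insensitive comparison, OR across list entries, AND across entries when Enable Negative Matching is set, and the 8192-byte limit) combine to decide whether a policy action fires, modelled in Python as an added example; this is not code from the guide or from SonicOS. The MatchObject class and the simulate_allow_list helper are hypothetical names, and applying the size limit to each content entry is an assumption.

```python
"""Model of how an App Rules match object decides whether a policy action fires.

Added example; not part of the SonicWALL GMS guide or SonicOS. It encodes the
rules the guide states: match types Exact/Partial/Prefix/Suffix, text or hex
input representation, case-insensitive text comparison, OR across list
entries, and AND across entries when Enable Negative Matching is set.
Assumption: the 8192-byte limit is applied to each content entry.
"""
from dataclasses import dataclass, field
from typing import List

MAX_CONTENT_BYTES = 8192  # stated maximum size for a match object


@dataclass
class MatchObject:
    name: str
    match_type: str                 # "exact", "partial", "prefix" or "suffix"
    hexadecimal: bool = False       # False = Alphanumeric input representation
    negative: bool = False          # Enable Negative Matching checkbox
    content: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.match_type not in ("exact", "partial", "prefix", "suffix"):
            raise ValueError(f"unknown match type: {self.match_type}")
        for entry in self.content:
            if len(self._encode(entry)) > MAX_CONTENT_BYTES:
                raise ValueError(f"{self.name}: entry exceeds {MAX_CONTENT_BYTES} bytes")

    def _encode(self, entry: str) -> bytes:
        # Hex entries describe raw bytes (e.g. "4D 5A"); text entries are
        # lower-cased so that matching is case-insensitive, as the guide states.
        if self.hexadecimal:
            return bytes.fromhex(entry.replace(" ", ""))
        return entry.lower().encode("utf-8")

    def _entry_matches(self, pattern: bytes, data: bytes) -> bool:
        if self.match_type == "exact":
            return data == pattern
        if self.match_type == "prefix":
            return data.startswith(pattern)
        if self.match_type == "suffix":
            return data.endswith(pattern)
        return pattern in data  # partial

    def triggers(self, data: bytes) -> bool:
        """Return True when a policy using this object should execute its action."""
        subject = data if self.hexadecimal else data.lower()
        hits = [self._entry_matches(self._encode(e), subject) for e in self.content]
        if self.negative:
            # Negative matching: every entry must be absent (logical AND of the
            # negated entries) before the DENY action fires.
            return all(not hit for hit in hits)
        # Normal matching: any entry present is enough (logical OR).
        return any(hits)


def simulate_allow_list(allowed_extensions: List[str], observed: List[str]) -> List[str]:
    """Simulate an ALLOW policy with a DENY rule plus negative matching on a
    File Extension object: return the observed extensions the policy blocks."""
    obj = MatchObject("allowed-ext", "exact", negative=True, content=allowed_extensions)
    return [ext for ext in observed if obj.triggers(ext.encode("utf-8"))]


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    keyword = MatchObject("keyword", "partial", content=["Confidential"])
    print(keyword.triggers(b"This file is CONFIDENTIAL"))       # True
    print(simulate_allow_list(["txt"], ["TXT", "exe", "pdf"]))  # ['exe', 'pdf']
    pe_header = MatchObject("mz-prefix", "prefix", hexadecimal=True, content=["4D 5A"])
    print(pe_header.triggers(bytes.fromhex("4d5a90000300")))    # True
```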
Application You can create an application list object on this tab. This screen allows
selection of the application category, threat level, and type of technology. After selections
are made, the list of applications matching those criteria is displayed, and you can select
one or more for the object.
Category You can create a category list object on this tab. A list of application categories
and their descriptions are provided.
Application Tab
The Application tab provides a list of applications for selection. Each application includes one
or more signatures. You can control which applications are displayed by selecting one or more
application categories, threat levels, and technologies. To select all application categories,
threat levels, and technologies, click the green check mark below the Search button near the
top right of the display.
To search for a keyword in all application names and signatures, type it into the Search field
and click the Search button. For example, type bittorrent into the Search field and click the
Search button to find multiple applications with bittorrent (not case-sensitive) in the
application name or in the name of a signature under the application. To display the signatures
included by an application, click the arrow next to the application name to expand the details
for it.
When the application list is reduced to a list that is focused on your preferences, you can
select the individual applications for your filter by clicking the Plus icon next to them, and then
save your selections as an application filter object with a custom name or an automatically
generated name.
On the App Control > Match Objects page, click the Add Application List Object button. The
Add Application List Object screen displays.
Step 2
On the Application tab, to name this object, clear the Auto-generate match object name
checkbox and then type a name for the object in the Match Object Name field. To use
automatic naming, leave the field blank and leave the Auto-generate match object name
checkbox selected.
Step 3
Clear specific category checkboxes or clear the Category checkbox to clear all category
checkboxes, then select the checkboxes for the desired categories. Use the scrollbar in this
section to view the entire category list. The list of applications in the lower panel changes as
you clear and select categories.
Step 4
Clear specific threat level checkboxes or clear the Threat Level checkbox to clear all threat
level checkboxes, then select the checkboxes for the desired threat levels. The list of
applications in the lower panel changes as you clear and select threat levels.
Step 5
Clear specific technology checkboxes or clear the Technology checkbox to clear all technology
checkboxes, then select the checkboxes for the desired technologies. The list of applications
in the lower panel changes as you clear and select technologies.
Step 6
In the application list, click the Plus to select the desired applications for your object. The Plus
changes to a green check mark, and the application is added to the Application Group field
on the right.
You can edit the list in this field by deleting individual items or by clicking the X at the top to
delete all items.
Step 7
Click the OK button. The Modify Task Description and Schedule window displays.
Step 8
Step 9
For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to activate this object using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Step 10 Click Accept to save the match object with this schedule. Click Cancel to exit without saving
You will see the object name listed on the App Control > Match Objects page with an object type
of Application List. This object can then be selected when creating an App Rules policy.
Match Objects created using the Auto-generate match object name option display a tilde (~)
as the first character of the object name.
Category Tab
The Category tab provides a list of application categories for selection. You can select any
combination of categories and then save your selections as an application category list object
with a custom or automatic name.
By hovering your mouse pointer over a category in the list, you can see a description of it.
Step 1
On the App Control > Match Objects page, click the Add Application List Object button. The
Add Application List Object screen displays.
Step 2
Step 3
To name this object, clear the Auto-generate match object name checkbox and then type a
name for the object in the Match Object Name field. To use automatic naming, leave the field
blank and leave the Auto-generate match object name checkbox selected.
Step 4
Clear specific category checkboxes or clear the Category checkbox to clear all category
checkboxes, then select the checkboxes for the desired categories. Use the scrollbar in this
section to view the entire category list.
Step 5
Click the OK button. The Modify Task Description and Schedule window displays.
Step 6
Step 7
For Schedule, select one of the following radio buttons and set any associated fields:
Step 8
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to activate this object using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Click Accept to save the match object with this schedule. Click Cancel to exit without saving
the match object.
You will see the object name listed on the App Control > Match Objects page with an object type
of Application Category List. This object can then be selected when creating an App Rules
policy.
Match Objects created using the Auto-generate match object name option display a tilde (~)
as the first character of the object name.
Step 2
Navigate to the App Control > Match Objects page on the Policies tab.
Step 3
To delete one or more match objects, select the checkboxes for the ones to delete and click
Delete Match Object(s).
If any of the selected objects is currently in use by an App Rules policy, a popup message
notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were
selected for deletion and one of them is in use by a policy, none are deleted when Delete Match
Object(s) is clicked.
Step 4
Step 5
In the Modify Task Description and Schedule window, select the Schedule settings for this
task and then click Accept.
Match object types, listed by the columns of the original table: Object Type, Description, Match Types, Negative Matching, Extra Properties. Cells that could not be recovered from the source are omitted, and rows whose object type name was lost are marked.

Object Type: ActiveX ClassID
Description: Class ID of an Active-X component. For example, the ClassID of the Gator Active-X component is c1fb8842-5281-45ce-a271-8fd5f117ba5f
Match Types: Exact
Negative Matching: No
Extra Properties: None

Object Type: Application Category List
Negative Matching: No
Extra Properties: Application Categories: select the category from a pull-down list of application categories

Object Type: Application List
Description: Allows specification of individual applications within the application category that you select
Match Types: N/A
Negative Matching: No
Extra Properties: Application Categories: see above; Application: select the specific application from the pull-down list

Object Type: Application Signature List
Description: Allows specification of individual signatures for the application and category that you select
Match Types: N/A
Negative Matching: No
Extra Properties: Application Categories: see above; Application: see above; Application Signature: select the specific signature from the pull-down list

Object Type: CFS Allow/Forbidden List
Description: Allows specification of allowed and forbidden domains for Content Filtering
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: No
Extra Properties: None

Object Type: (not legible in source)
Negative Matching: No
Extra Properties: A list of 64 categories is provided to choose from

Object Type: Custom Object
Description: Allows specification of an IPS-style custom set of conditions.
Match Types: Exact
Negative Matching: No
Extra Properties: There are 4 additional, optional parameters that can be set: Offset (describes from what byte in the packet payload we should start matching the pattern; starts with 1; helps minimize false positives in matching), Depth (describes at what byte in the packet payload we should stop matching the pattern; starts with 1), Payload Size Minimum and Payload Size Maximum (size of data in a packet).

Object Type: Email Body
Match Types: Partial
Negative Matching: No
Extra Properties: None

Object Type: Email CC (MIME Header)
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Object Type: (not legible in source)
Negative Matching: Yes
Extra Properties: None

Object Type: Email Size
Description: Allows specification of the maximum email size that can be sent.
Match Types: N/A
Negative Matching: No

Object Type: Email Subject (MIME Header)
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Object Type: Email To (MIME Header)
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Object Type: MIME Custom Header
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: A custom header name needs to be specified.

Object Type: File Content
Negative Matching: No
Extra Properties: The Disable attachment action should never be applied to this object.

Object Type: (not legible in source)
Negative Matching: Yes
Extra Properties: None

Object Type: (not legible in source)
Negative Matching: Yes
Extra Properties: None

Object Type: Filename
Description: In cases of email, this is an attachment name. In cases of HTTP, this is a filename of an uploaded attachment to the Web mail account. In cases of FTP, this is a filename of an uploaded or downloaded file.
Match Types: Exact, Partial, Prefix, Suffix

Object Type: FTP Command
Description: Allows selection of specific FTP commands.
Match Types: N/A
Negative Matching: No
Extra Properties: Command: the FTP command, such as ABORT, DELETE, GET, PASSWORD, RESTART, QUIT, SIZE. Type HELP for the complete list of commands.

Object Type: FTP Command + Value
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: Command (see above); Argument: a value you type in, such as the filename to GET/PUT or the directory name used with MKDIR

Object Type: HTTP Cookie Header
Description: Allows specification of a Cookie sent by a browser.
Negative Matching: Yes
Extra Properties: None

Object Type: (not legible in source)
Description: Content found inside of the HTTP Host header. Represents the hostname of the destination server in the HTTP request, such as www.google.com.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Object Type: HTTP Referrer Header
Negative Matching: Yes
Extra Properties: None

Object Type: HTTP Request Custom Header
Description: Allows handling of custom HTTP Request headers.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: Custom Header Name: Specify a custom header name.

Object Type: HTTP Response Custom Header
Description: Allows handling of custom HTTP Response headers.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: Custom Header Name: Specify a custom header name.

Object Type: (not legible in source)
Description: ...Set-Cookie headers. Provides a way to disallow certain cookies to be set in a browser.
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Object Type: (not legible in source)
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: No
Extra Properties: None

Object Type: HTTP User-Agent
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: None

Object Type: MIME Custom Header
Match Types: Exact, Partial, Prefix, Suffix
Negative Matching: Yes
Extra Properties: Custom Header Name: Specify the MIME header name to match.

Object Type: Web Browser
Description: Allows selection of specific Web browsers (MSIE, Netscape, Firefox, Safari, Chrome).
Match Types: N/A
Negative Matching: Yes
Extra Properties: Browser: Specify the browser type; choose from MSIE, Netscape, Firefox, Safari, Chrome

Object Type: IPS Signature Category List
Negative Matching: No
Extra Properties: IDP Categories: choose from a pull-down list of IPS attack categories, including ACTIVEX, EXPLOIT, JAVA, LDAP, MEDIA-PLAYERS, SQL-INJECTION, WEB-ATTACKS, and others

Object Type: (not legible in source)
Negative Matching: No
Extra Properties: IDP Category (see above); IDP Signature: choose signatures from any IDP Category
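The Custom Object row above lists four optional parameters (Offset, Depth, Payload Size Minimum, Payload Size Maximum). The following added example, which is not code from this guide or from SonicWALL, models how those parameters narrow where in a packet payload a pattern may match. Treating Depth as an inclusive 1-based end position and the size bounds as inclusive is an assumption, as are the function names and the sample payloads.

```python
"""Custom Object parameters: Offset, Depth, Payload Size Minimum/Maximum.

Added example; not code from the SonicWALL GMS guide or the product. It models
the optional Custom Object parameters the match object table lists: Offset
(1-based byte in the packet payload where matching starts), Depth (1-based byte
where matching stops) and the minimum/maximum payload size. Treating Depth as
an inclusive end position and the size bounds as inclusive is an assumption, as
are the function names and the sample payloads below.
"""
from typing import List, Optional


def custom_object_matches(payload: bytes, pattern: bytes, offset: int = 1,
                          depth: Optional[int] = None, min_size: int = 0,
                          max_size: Optional[int] = None) -> bool:
    """True when `pattern` occurs inside the byte window [offset, depth] of
    `payload` (1-based, inclusive) and the payload size lies within
    [min_size, max_size]. depth=None / max_size=None mean 'no limit'."""
    if offset < 1:
        raise ValueError("Offset starts with 1")
    if depth is not None and depth < offset:
        raise ValueError("Depth must not precede Offset")
    size = len(payload)
    if size < min_size or (max_size is not None and size > max_size):
        return False                      # payload size constraint not met
    end = size if depth is None else depth
    window = payload[offset - 1:end]      # only this slice is searched
    return pattern in window


def matching_payloads(payloads: List[bytes], pattern: bytes, **params) -> List[int]:
    """Apply one custom object to several captured payloads; return the
    indices of those that match."""
    return [i for i, p in enumerate(payloads)
            if custom_object_matches(p, pattern, **params)]


# Constructed sample payloads (not captured traffic)
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
    b"/index.html is mentioned later in this body, not at the request line",
]


if __name__ == "__main__":
    # Anchoring the pattern to bytes 5-15 keeps the third payload from matching,
    # which is the false-positive reduction the Offset parameter is meant to give.
    print(matching_payloads(SAMPLE_PAYLOADS, b"/index.html"))
    print(matching_payloads(SAMPLE_PAYLOADS, b"/index.html", offset=5, depth=15))
```

Searching the whole payload for `/index.html` matches the first and third sample; restricting the search to bytes 5 through 15 matches only the first, where the pattern sits in the request line. The size bounds are checked before the window is cut, so a payload outside the configured size range never matches regardless of content.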
Table 16 lists the predefined actions available on the App Control > Action Objects page. If
BWM Type = None, no additional predefined BWM actions are available.
Table 16 Predefined Actions
Always Available: Bypass DPI, No Action, Packet Monitor, Reset/Drop
Additional BWM actions: BWM Global-High, BWM Global-Highest, BWM Global-Low, BWM Global-Lowest, BWM Global-Medium, BWM Global-Realtime
Step 2
On the Policies tab, on the App Control > Action Objects page, select one of the following
search objects from the first Search pull-down list:
Step 3
Action Type the action type of the action object; see Table 18 on page 438 for the list of
action types
Select one of the following operators from the next pull-down list:
Equals search for any action object in which the name exactly matches the target value
Starts with search for any action object in which the name begins with the target value
Ends with search for any action object in which the name ends with the target value
Contains search for any action object in which the name contains the target value
= (Equals sign) search for any action object in which the action type exactly matches the
selected target value
Step 4
When searching for a Name, a text box is displayed to the right of the operator. In the text box,
type the target value that you are searching for in the action object name.
Step 5
When searching for an Action Type, select the target value from the pull-down list to the right
of the operator.
Step 6
Click Search to search your policies for one or more matches. Click Clear to set the search
fields back to defaults.
The Action Objects list changes to display only the action objects found by your search.
Step 1
Step 2
Navigate to the App Control > Action Objects page on the Policies tab.
Step 3
Step 4
In the Action Name field, type a descriptive name for the action.
Step 5
In the Action pull-down list, select the action that you want.
Step 6
In the Content text box, type the text or URL to be used in the action.
Step 7
If HTTP Block Page is selected as the action, a Color pull-down list is displayed. Choose a
background color for the block page from the Color pull-down list. Color choices are white,
yellow, red, or blue.
Step 8
Step 9
Click OK. The Modify Task Description and Schedule window displays.
Step 10 A description is automatically added in the Description field. Optionally change the
description.
Step 11 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to activate this object using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Step 12 Click Accept to save the action object with this schedule. Click Cancel to exit without saving
At the unit level, you may need to refresh the App Control > Action Objects page to see your
new action object in the list.
Note
The maximum action objects allowed is the total of 17 default action objects plus the allowed
number of custom action objects. Of the default action objects, 14 are Global type default
actions and 3 are WAN type default actions.
All application bandwidth management is tied in with global bandwidth management, which is
configured on the Firewall > BWM page. Two types of bandwidth management are available:
WAN and Global. The None option allows you to specify no bandwidth management. When the
type is set to WAN, bandwidth management is allowed only on interfaces in the WAN zone. With
a type of Global, interfaces in all zones can be configured with bandwidth management. All App
Control screens that offer an option for bandwidth management provide a link to the Firewall
> BWM page so that you can easily configure global bandwidth management settings for the
type and configure the guaranteed and maximum percentages allowed for each priority level.
The Firewall > BWM page is shown below.
It is a best practice to configure global bandwidth management settings before configuring App
Control policies that use BWM.
Changing the Bandwidth Management Type on the Firewall > BWM page between WAN and
Global causes BWM to be disabled in all Firewall Access Rules, while default BWM action
objects in App Rules policies will convert accordingly to correspond to the new bandwidth
management type.
When you change the Bandwidth Management Type from Global to WAN, the default BWM
actions that are in use in any App Rules policies will be automatically converted to WAN BWM
Medium, no matter what level they were set to before the change.
When you change the Type from WAN to Global, the default BWM actions are converted to
BWM Global-Medium. The firewall does not store your previous action priority levels when you
switch the Type back and forth. You can view the conversions on the App Control > App Rules
page.
Custom bandwidth management actions behave differently than the default BWM actions.
Custom BWM actions are configured by adding a new action object from the App Control >
Action Objects page and selecting the Bandwidth Management action type. Custom
bandwidth management actions and policies using them retain their priority level setting when
the Bandwidth Management Type is changed from Global to WAN, and from WAN to Global.
When the Bandwidth Management Type is set to Global, the Add/Edit Action Object screen
provides the Bandwidth Priority option, but uses the values that are specified in the Priority
table on the Firewall > BWM page for Guaranteed Bandwidth and Maximum Bandwidth. The
Per Action or Per Policy Bandwidth Aggregation Method options are not available for Action
Objects when Bandwidth Management Type is set to Global.
Note
All priorities will be displayed (Realtime through Lowest), regardless if all have been
configured. Refer to the Firewall > BWM page to determine which priorities are enabled. If
the Bandwidth Management Type is set to Global and you select a Bandwidth Priority
that is not enabled, the traffic is automatically mapped to the level 4 priority (Medium). For
a BWM Type of WAN, the default priority is level 7 (Low).
When the Bandwidth Management Type is set to WAN, the Add/Edit Action Object screen
provides Per Action or Per Policy Bandwidth Aggregation Method options and you can specify
values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority.
When configuring a Bandwidth Management action, you can select either Per Action or Per
Policy. Per Policy means that when you create a limit of 10 Mbps in an Action Object, and three
different policies use the Action Object, then each policy can consume up to 10 Mbps of
bandwidth. Per Action means that the three policies combined can only use 10 Mbps.
When using Per Action, multiple policies are subject to a single aggregate bandwidth
management setting when they share the same action. For example, consider the following two
App Rules policies:
If these two policies share the same bandwidth management Action (500 Kbit/sec max
bandwidth):
Using the Per Action aggregation method, the downloads of executable files and traffic
from P2P applications combined cannot exceed 500 Kbit/sec.
Using the Per Policy bandwidth aggregation method, a bandwidth of 500 Kbit/sec is
allowed for executable file downloads while concurrent P2P traffic is also allowed a
bandwidth of 500 Kbit/sec.
The predefined BWM High, BWM Medium, and BWM Low actions are all Per Action.
Application layer bandwidth management configuration is handled in the same way as the
Ethernet bandwidth management configuration associated with Firewall > Access Rules. Both
are tied in with the global bandwidth management settings. However, with App Control you can
specify all content type, which you cannot do with access rules.
When the Bandwidth Management Type on the Firewall > BWM page is set to WAN,
bandwidth management policies defined with Firewall > Access Rules always have priority
over application layer bandwidth management policies. Thus, if an access rule bandwidth
management policy is applied to a certain connection, then an application layer bandwidth
management policy will never be applied to that connection.
When the Bandwidth Management Type is set to Global, the reverse is true, giving App
Control bandwidth management policies priority over Firewall Access Rule bandwidth
management policies.
If the global bandwidth management settings have the Bandwidth Management Type set to
WAN on the Firewall > BWM page, then only interfaces in WAN zones can have assigned
guaranteed and maximum bandwidth settings and have prioritized traffic. If the Bandwidth
Management Type is set to Global, then all zones can have assigned guaranteed and
maximum bandwidth settings and have prioritized traffic.
See the following sections for configuration details:
Step 1
Step 2
Step 3
In the Interface Settings table, click the icon under Edit for the desired interface.
Step 4
Step 5
Step 6
Interface Rating table (values shown: 100,000 and 1,000,000)
Click OK.
Step 2
Navigate to the App Control > Action Objects page on the Policies tab.
Step 3
Step 4
In the Action Name field, type a descriptive name for the action.
In the Action pull-down list, select Bandwidth Management.
If the Bandwidth Management Type is set to WAN on the Firewall > BWM page, the screen
displays the following options, which are not displayed if Bandwidth Management Type is set
to Global:
Guaranteed Bandwidth
Maximum Bandwidth
Bandwidth Priority
When the BWM type is Global, the global values for these options are used for the action. In
case of a BWM type of WAN, the configuration of these options is included in the following
steps.
Step 5
Step 6
In the Bandwidth Aggregation Method pull-down list, select one of the following:
Per Policy When multiple policies are using the same Bandwidth Management action,
each policy can consume up to the configured bandwidth even when the policies are active
at the same time.
Per Action When multiple policies are using the same Bandwidth Management action,
the total bandwidth is limited as configured for all policies combined if they are active at the
same time.
Step 7
Step 8
Step 9
For Bandwidth Priority, select a priority level from the pull-down list, where 0 is the highest
and 7 is the lowest.
Step 10 Optionally select Enable Tracking Bandwidth Usage to track the usage. When bandwidth
usage tracking is enabled, you can view the usage in the Action Properties tooltip by mousing
over the Action of a policy on the App Control > App Rules page.
Step 11 Click OK. The Modify Task Description and Schedule window displays.
Step 12 A description is automatically added in the Description field. Optionally change the
description.
Step 13 For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to activate this configuration using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Step 14 Click Accept to configure bandwidth settings with this schedule. Click Cancel to exit without
You can see the resulting action in the Action Objects screen.
Step 2
Navigate to the App Control > Action Objects page on the Policies tab.
Step 3
To delete one or more action objects, select the checkboxes for the ones to delete and click
Delete Action Object(s). The checkboxes cannot be selected for predefined action
objects.
If any of the selected objects is currently in use by an App Rules policy, a popup message
notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were
selected for deletion and one of them is in use by a policy, none are deleted when Delete Action
Object(s) is clicked.
Step 4
Step 5
In the Modify Task Description and Schedule window, select the Schedule settings for this
task and then click Accept.
Action Types (Action Type: Predefined or Custom)
BWM Global-Realtime: Predefined
BWM Global-Highest: Predefined
BWM Global-High: Predefined
BWM Global-Medium High: Predefined
BWM Global-Medium: Predefined
BWM Global-Medium Low: Predefined
BWM Global-Low: Predefined
BWM Global-Lowest: Predefined
Bypass DPI: Predefined
Disable Email Attachment - Add Text: Custom
HTTP Redirect: Custom
Bandwidth Management: Custom
Four further predefined and two further custom action types appear in the table, but their names and the Description column were not legible in the source.
Step 2
On the Policies tab, on the App Control > Email Address Objects page, select one of the
following search objects from the first Search pull-down list:
Step 3
Match Type the match type of the email address object, which can be either Exact Match
or Partial Match
Select one of the following operators from the next pull-down list:
Equals search for any email address object in which the name exactly matches the target
value
Starts with search for any email address object in which the name begins with the target
value
Ends with search for any email address object in which the name ends with the target
value
Contains search for any email address object in which the name contains the target value
= (Equals sign) search for any email address object in which the match type exactly
matches the selected target value, which can be either Exact Match or Partial Match
Step 4
When searching for a Name, a text box is displayed to the right of the operator. In the text box,
type the target value that you are searching for in the match object name.
Step 5
When searching for a Match Type, select the target value from the pull-down list to the right of
the operator.
Step 6
Click Search to search your policies for one or more matches. Click Clear to set the search
fields back to defaults.
The Email Address Objects list changes to display only the email address objects found by
your search.
Step 2
Navigate to the App Control > Email Address Objects page on the Policies tab.
Step 3
Step 4
In the Email Address Object Name field, type a descriptive name for the object.
Step 5
Select one of the following from the Match Type pull-down list:
Step 6
In the Content text box, type the content to match and then click Add. Repeat this step until
you have added as many elements as you want.
For example, to match on a domain, select Partial Match in the previous step and then type @
followed by the domain name in the Content field, for example, type: @sonicwall.com. To
match on an individual user, select Exact Match in the previous step and then type the full
email address in the Content field, for example: alan@sonicwall.com.
Alternatively, you can click Load From File to import a list of elements from a text file. Each
element in the file must be on a line by itself. The maximum file size is 2048 bytes.
Although existing user groups cannot be specified during configuration, by defining an email
address object with a list of users, you can use App Control to simulate groups.
Step 7
Click OK. The Modify Task Description and Schedule window displays.
Step 8
Step 9
For Schedule, select one of the following radio buttons and set any associated fields:
Default Use the default schedule configured for the Agent that manages this unit
At Select the exact time to activate this object using the pull-down lists for the hour,
minute, time zone, month, and year. If your GMS deployment includes Agents in different
time zones, you can select among them in the time zone pull-down list. Select the date from
the calendar.
Step 10 Click Accept to save the email address object with the selected schedule. Click Cancel to exit
At the unit level, you may need to refresh the App Control > Email Address Objects page to
see your new email address object in the list.
Use Cases
Step 2
Navigate to the App Control > Email Address Objects page on the Policies tab.
Step 3
To delete one or more email address objects, select the checkboxes for the ones to delete
and click Delete Email Address Object(s).
To delete a single email address object, click the trash can icon
and then click OK in the confirmation dialog.
If any of the selected objects is currently in use by an App Rules policy, a popup message
notifies you that it cannot be deleted. Click OK in the dialog box. If multiple objects were
selected for deletion and one of them is in use by a policy, none are deleted when Delete Email
Address Object(s) is clicked.
Step 4
Step 5
In the Modify Task Description and Schedule window, select the Schedule settings for this
task and then click Accept.
Use Cases
The following use cases are presented in this section:
In this example, we create a policy that blocks executable attachments except when they are
sent by a member of the Support team. To do this we define an email address object containing
the email addresses of the Support team, then define a match object to match file name
extensions of executable files, then define an action object to strip the attachment and give the
user a message, and finally define an App Rules policy that uses all these objects.
See the following sections for the necessary procedures:
On the App Control > Email Address Objects page, click Add New Email Address Object.
Step 2
In the Email Address Object page, type a descriptive name for the object into the Email
Address Object Name field, such as Support team.
Step 3
Select Exact Match from the Match Type pull-down list. For an exact match, you must provide
both the username and the domain parts of the email addresses to include in the object.
Step 4
In the Content field, type in the first email address or alias used by the Support team, then click
Add. The address is copied into the List box.
Step 5
If more than one email address is used by the Support team, repeat Step 4 until all desired
email addresses are included in the List box.
Step 6
Click OK. The Modify Task Description and Schedule window displays.
Step 7
To view all the options for Schedule, click the arrow to its right.
Step 8
Step 9
Click Accept to save the email address object with the selected schedule.
The new object is listed on the App Control > Email Address Objects page.
On the App Control > Match Objects page, click Add New Match Object.
Step 2
In the Match Object Settings window, in the Object Name text box, type a descriptive name
for the object, such as Executable Files.
Step 3
Using the Match Object Type pull-down list, select File Extension.
Step 4
The Match Type field is set to Exact Match; there are no other choices in this case.
Step 5
Step 6
Step 7
In the Content text box, type the executable file name extensions to match, and then click Add
after each one. For this case, we add exe, vbs, bat, awk, and cgi. The extensions appear in the
List text box.
Step 8
Click OK. The Modify Task Description and Schedule window displays.
Step 9
Step 10 Click Accept to save the match object with the selected schedule.
The new object is listed on the App Control > Match Objects page.
On the App Control > Action Objects page, click Add New Action Object.
Step 2
In the Action Object Settings window, in the Action Name text box, type a descriptive name
for the object, such as Block email with executable.
Step 3
In the Action pull-down list, select Disable E-Mail Attachment - Add Text.
Step 4
In the Content text box, type the explanation that you want users to see, such as Executable
attachments are not allowed.
Step 5
Click OK. The Modify Task Description and Schedule window displays.
Step 6
Step 7
Click Accept to save the action object with the selected schedule.
The new object is listed on the App Control > Action Objects page.
On the App Control > App Rules page, click Add New Policy.
Step 2
In the App Control Policies Settings window, type a descriptive name such as Block
Executable Attachments into the Policy Name field.
Step 3
Step 4
Leave Any as the source and destination in the Address pull-down lists.
Step 5
The Service pull-down lists do not provide a choice of service. The Source is Any, and the
Destination is SMTP (send E-Mail).
Step 6
Step 7
In the Match Object pull-down list, select the Executable Files match object that was just
created.
Step 8
In the Action pull-down list, select the Block email with executable action that was just
created.
Step 9
For Users/Groups, select All from the pull-down list under Included and select None in the
Excluded pull-down list.
Step 10 For MAIL FROM, select Any from the pull-down list under Included and select the Support
team email address object in the Excluded pull-down list. The Support team email addresses
will not be affected by the policy.
Step 11 For RCPT TO, select Any from the pull-down list under Included and select None in the
Excluded pull-down list.
Step 15 To record more details in the log, select the Log individual object content checkbox.
Step 16 For Log Redundancy Filter, select Use Global Settings to use the global value set on the
Step 17 For Connection Side, only Client Side is available in the pull-down list.
Step 18 For Direction, select the Basic radio button and select Both in the pull-down list.
Step 19 Click OK. The Modify Task Description and Schedule window displays.
Step 20 For the Schedule, select Immediate to create the policy immediately.
Step 21 Click Accept to save the policy with the selected schedule.
The new policy is listed on the App Control > App Rules page.
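The following added example, which is not code from this guide or SonicWALL's own implementation, models how the objects created in this use case fit together when a message is evaluated: the Support team email address object (Exact Match), the Executable Files match object (File Extension, Exact Match), the Disable E-Mail Attachment - Add Text action, and the MAIL FROM Included/Excluded selection of the policy. The class and function names, the Support team addresses and the sample messages are constructed for this example.

```python
"""Evaluating the 'Block Executable Attachments' use-case policy.

Added example; not code from the SonicWALL GMS guide and not the firewall's
implementation. It models the objects the use case creates (Support team email
address object, Executable Files match object, Disable E-Mail Attachment - Add
Text action) and the MAIL FROM Included/Excluded evaluation of the App Rules
policy. Class and function names and the sample messages are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EmailAddressObject:
    name: str
    match_type: str                       # "Exact Match" or "Partial Match"
    content: List[str] = field(default_factory=list)

    def matches(self, address: str) -> bool:
        """Exact Match compares the full address; Partial Match looks for the
        entry anywhere in the address (so '@example.com' matches a domain)."""
        address = address.lower()
        for entry in (e.lower() for e in self.content):
            if self.match_type == "Exact Match" and address == entry:
                return True
            if self.match_type == "Partial Match" and entry in address:
                return True
        return False


@dataclass
class FileExtensionObject:
    name: str
    extensions: List[str]                 # File Extension objects are always Exact Match

    def matches(self, filename: str) -> bool:
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return ext in {e.lower() for e in self.extensions}


@dataclass
class Message:
    mail_from: str
    rcpt_to: List[str]
    attachments: List[str]


@dataclass
class AppRulesPolicy:
    name: str
    match_object: FileExtensionObject
    action_text: str                                   # text added by the action
    mail_from_included: Optional[EmailAddressObject]   # None stands for Any
    mail_from_excluded: Optional[EmailAddressObject]   # None stands for None

    def sender_in_scope(self, sender: str) -> bool:
        """MAIL FROM must be in the Included set and not in the Excluded set."""
        included = self.mail_from_included is None or self.mail_from_included.matches(sender)
        excluded = self.mail_from_excluded is not None and self.mail_from_excluded.matches(sender)
        return included and not excluded

    def apply(self, msg: Message) -> dict:
        """Return the attachments the action strips and the text it adds."""
        if not self.sender_in_scope(msg.mail_from):
            return {"stripped": [], "text": None}
        stripped = [a for a in msg.attachments if self.match_object.matches(a)]
        return {"stripped": stripped, "text": self.action_text if stripped else None}


# Objects as created in the use case; the addresses are constructed
SUPPORT_TEAM = EmailAddressObject("Support team", "Exact Match",
                                  ["support@example.com", "helpdesk@example.com"])
EXECUTABLE_FILES = FileExtensionObject("Executable Files", ["exe", "vbs", "bat", "awk", "cgi"])
BLOCK_EXECUTABLES = AppRulesPolicy("Block Executable Attachments", EXECUTABLE_FILES,
                                   "Executable attachments are not allowed.",
                                   mail_from_included=None,
                                   mail_from_excluded=SUPPORT_TEAM)


if __name__ == "__main__":
    outsider = Message("alice@example.com", ["bob@example.com"], ["report.pdf", "setup.exe"])
    support = Message("support@example.com", ["bob@example.com"], ["tool.EXE"])
    print(BLOCK_EXECUTABLES.apply(outsider))   # setup.exe is stripped
    print(BLOCK_EXECUTABLES.apply(support))    # excluded sender, nothing stripped
```

The Excluded email address object is what turns the DENY policy into an exception list: a message from a Support team address is never evaluated against the match object, while any other sender has every attachment with a listed extension stripped and the action text added. A Partial Match object with the entry `@example.com` shows the domain-level matching the guide describes for simulating groups.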
By using the Add Application List Object feature on the App Control > Match Objects page,
you can achieve more granularity and select specific applications from different categories.
This object can then be used in an App Rules policy.
To include signatures from different applications in a single policy, use the Add New Match
Object feature with a Match Object Type of Application Signature List. This allows you to
select any signature from the same database that is used for App Control > Advanced, no
matter which category or application the signature belongs to, and add them to a single match
object. You can then create an App Rules policy that uses this match object to control those
specific signatures.
The example in this use case uses the Add Application List Object feature to create an object
containing the riskiest applications in the database. We then create an App Rules policy using
this object, and block the application traffic using the predefined Reset/Drop action.
See the following sections:
Step 2
Navigate to the App Control > Match Objects page on the Policies tab.
Step 3
Click the Add Application List Object button. The Add Application List Object screen
displays.
Step 4
On the Application tab, to name this object, clear the Auto-generate match object name
checkbox and then type a name such as Riskiest apps for the object in the Match Object
Name field.
Step 5
Leave all category checkboxes selected under Category at the top left.
Step 6
Under Threat Level, clear all threat level checkboxes except for the one next to SEVERE. The
list of applications in the lower panel changes as you clear the threat level checkboxes.
Step 7
The screen now shows all applications that have a threat level of SEVERE.
If you want to see the signatures included by any of the applications, click the arrow next to the
application name to expand its details.
Step 8
In the application list where you see the names of all the SEVERE rated applications, click the
Plus sign next to Name to select all of the listed applications for your object. A dialog box pops
up to warn you that selecting the entire list may take a while. In our case, it will not take long,
since there are only a dozen or so applications in the list.
Step 9
Click OK in the warning dialog box. All of the Plus signs change to green check marks, and the
applications are added to the Application Group field on the right.
Step 10 Click the OK button. The Modify Task Description and Schedule window displays.
Step 11 For the Schedule, select Immediate to create the object immediately.
Step 12 Click Accept to save the object with the selected schedule.
The new object is listed on the App Control > Match Objects page.
On the App Control > App Rules page, click Add New Policy.
Step 2
In the App Control Policies Settings window, type a descriptive name such as Block Risky
Apps into the Policy Name field.
Step 3
Select App Control Content from the Policy Type pull-down list.
Step 4
Step 5
Step 6
In the Match Object pull-down list, select the Riskiest apps match object that was just created.
Step 7
Step 8
For Users/Groups, select All from the pull-down list under Included and select None in the
Excluded pull-down list.
Step 9
Step 10 Optionally, select the Enable Flow Reporting checkbox to enable internal and external flow
reporting. Flow reporting covers data flows, connection-related flows, and non-connection-related
flows, and carries information about applications, viruses, spyware, intrusions, and other events.
Step 11 Select the Enable Logging checkbox. This causes the policy to create a log entry when a
match is found.
Step 12 Optionally, to record more details in the log, select the Log individual object content
checkbox.
Step 13 Select the Log using App Control message format checkbox. This changes logging to
display the category in the log entry as Application Control, and to use a prefix such as
Application Control Detection Alert in the log message. This is useful if you want to use log
filters to search for Application Control alerts.
Step 14 For Log Redundancy Filter, select Global Settings. This uses the global value set on the App
Control > App Rules page. Alternatively, you can enter a number of seconds to delay between
each log entry for this policy. The local setting overrides the global setting only for this policy;
other policies are not affected.
Step 15 Select Any from the Zone pull-down list to apply this policy to all zones.
Step 16 Click OK. The Modify Task Description and Schedule window displays.
Step 17 For the Schedule, select Immediate to create the policy immediately.
Step 18 Click Accept to save the policy with the selected schedule.
The new policy is listed on the App Control > App Rules page.
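To make the Log Redundancy Filter of Step 14 concrete, the following is an added example, not SonicOS code: a filter that emits at most one log entry per policy (and per matched object, when object content is logged) within the configured interval, with the global value applying to every policy unless that policy sets its own interval. Policy names, timestamps and matched objects are constructed.

```python
"""Log Redundancy Filter: one log entry per policy and matched object per interval.

Added example, not SonicOS code. Policy names, timestamps and matched objects are
constructed; the global value and per-policy override mirror the setting described above.
"""


class LogRedundancyFilter:
    def __init__(self, global_seconds):
        self.global_seconds = global_seconds
        self.policy_seconds = {}     # per-policy override; policies not listed use the global value
        self._last_logged = {}       # (policy, matched object) -> timestamp of last emitted entry
        self._suppressed = {}        # (policy, matched object) -> matches dropped since then

    def set_policy_interval(self, policy, seconds):
        """Local setting for one policy; other policies are not affected."""
        self.policy_seconds[policy] = seconds

    def interval_for(self, policy):
        return self.policy_seconds.get(policy, self.global_seconds)

    def record(self, timestamp, policy, matched_object=None):
        """Return the log line for this match, or None if it falls inside the redundancy window."""
        key = (policy, matched_object)
        last = self._last_logged.get(key)
        if last is not None and timestamp - last < self.interval_for(policy):
            self._suppressed[key] = self._suppressed.get(key, 0) + 1
            return None
        dropped = self._suppressed.pop(key, 0)
        self._last_logged[key] = timestamp
        line = "Application Control Detection Alert: policy=%s" % policy
        if matched_object is not None:       # the 'Log individual object content' detail
            line += " object=%s" % matched_object
        if dropped:
            line += " (%d repeats suppressed)" % dropped
        return line


def apply_filter(log_filter, matches):
    """Run (timestamp, policy, matched object) tuples through the filter; keep emitted lines."""
    lines = []
    for timestamp, policy, matched_object in matches:
        line = log_filter.record(timestamp, policy, matched_object)
        if line is not None:
            lines.append(line)
    return lines


# Constructed matches, in seconds from the start of the sample.
MATCHES = [
    (0, "Block Risky Apps", "sig-A"),
    (5, "Block Risky Apps", "sig-A"),
    (20, "Block Risky Apps", "sig-A"),
    (20, "Block Risky Apps", "sig-B"),      # different object: logged separately
    (65, "Block Risky Apps", "sig-A"),
    (0, "Block Executable Attachments", "invoice.exe"),
    (5, "Block Executable Attachments", "invoice.exe"),
    (20, "Block Executable Attachments", "invoice.exe"),
]


def demo():
    f = LogRedundancyFilter(global_seconds=60)
    f.set_policy_interval("Block Executable Attachments", 10)   # local override for one policy
    return apply_filter(f, MATCHES)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Counting the suppressed repeats and reporting them on the next emitted entry keeps the volume down without losing the fact that the match kept firing, which is what an analyst correlating App Control alerts needs.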
CHAPTER 18
Configuring Firewall Anti-Spam Settings
This chapter describes a quick and effective way to add anti-spam, anti-phishing, and anti-virus
capabilities to your SonicWALL firewall appliance. The Anti-Spam feature analyzes inbound
messages in two primary ways: Advanced IP Reputation Management and cloud-based Advanced
Content Management. IP Address Reputation uses the GRID Network to identify the IP
addresses of known spammers and rejects their connections before any mail is accepted. GRID
Network Sender IP Reputation Management checks the IP address of each incoming connection
request against a series of lists and statistics to estimate the probability that the connection will
deliver legitimate email. The lists are compiled using the collaborative intelligence of the
SonicWALL GRID Network. Known spammers are prevented from connecting to the SonicWALL
firewall appliance, so their junk email payloads never consume resources on the targeted systems.
This chapter includes the following subsections:
Activating Anti-Spam
To activate the Comprehensive Anti-Spam Service, perform the following steps:
Step 1
Step 2
Select the Enable Anti-Spam Service checkbox to activate the Anti-Spam service.
The Comprehensive Anti-Spam Service is now activated.
Use the pull-down options to choose how to handle messages in each threat category. The
available responses are:
Filtering off
Tag With
Reject Mail
Permanently Delete
Description
Probe Interval
Success Count
Threshold
Server Public IP Address - The IP address of the server that is available for external
connections.
Server Private IP Address
SMTP Real-Time Black List (RBL) is a mechanism for publishing the IP addresses of SMTP servers
that spammers use. A number of organizations compile this information, both for free
(http://www.spamhaus.org) and for profit (http://www.mail-abuse.com). A well-maintained list of
RBL services and their efficacy can be found at:
http://www.sdsc.edu/~jeff/spam/cbc.html
Note
SMTP RBL is an aggressive spam filtering technique that can be prone to false positives,
because it is based on lists compiled from reported spam activity. The SonicOS
implementation of SMTP RBL filtering provides a number of fine-tuning mechanisms to help
ensure filtering accuracy.
RBL list providers publish their lists using DNS. A blacklisted IP address appears in the list
provider's DNS zone as a name formed by prefixing the SMTP server's IP address, with its octets
reversed, to the zone name. A DNS answer of 127.0.0.2 through 127.0.0.9 indicates some type of
undesirability; a name that does not resolve means the address is not listed.
For example, if an SMTP server with IP address 1.2.3.4 has been blacklisted by the RBL list
provider sbl-xbl.spamhaus.org, then a DNS query for 4.3.2.1.sbl-xbl.spamhaus.org returns a
127.0.0.4 response, indicating that the server is a known source of spam, and the connection
will be dropped.
Note
Most spam today is known to be sent from hijacked or zombie machines running a thin
SMTP server implementation. Unlike legitimate SMTP servers, these zombie machines
rarely retry failed delivery attempts. Once a delivery attempt is blocked by the
SonicWALL RBL filter, no subsequent delivery attempts for that same piece of spam will be
made.
When Enable Real-time Black List Blocking is enabled on the Anti-Spam > RBL Filter page,
inbound connections from hosts on the WAN, or outbound connections to hosts on the WAN
are checked against each enabled RBL service with a DNS request to the DNS servers
configured under RBL DNS Servers.
The RBL DNS Servers menu allows you to specify the DNS servers. You can choose Inherit
Settings from WAN Zone or Specify DNS Servers Manually. If you select Specify DNS
Servers Manually, enter the DNS server addresses in the DNS Server fields.
The DNS responses are collected and cached. If any of the queries results in a blacklisted
response, the server is filtered. Responses are cached using their TTL values, and
non-blacklisted responses are assigned a cache TTL of 2 hours. If the cache fills up, cache
entries are discarded in FIFO (first-in, first-out) order.
The IP address check uses the cache to decide whether a connection should be dropped. Initially,
an IP address is not in the cache and a DNS request must be made. In this case the IP address
is assumed innocent until proven guilty, and the check allows the connection. The DNS request
is made and the result is cached by a separate task. When subsequent packets from this IP
address are checked, if the IP address is now known to be blacklisted, the connection is
dropped.
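The lookup and caching behaviour described above, as an added example that is not SonicOS code: it builds the reversed-octet query name, interprets the 127.0.0.x answer, lets a first-seen address through while its lookup is pending, and caches verdicts with the answer's TTL (2 hours for a clean result) and FIFO eviction when the cache is full. The resolver is a constructed stub, so it runs offline; the only listed address (1.2.3.4, answered with 127.0.0.4 and a 300-second TTL in the zone named in the text) is an assumption for the example.

```python
"""RBL lookup and verdict cache, modelled on the behaviour described above.

Added example, not SonicOS code. The resolver is a constructed stub so the example runs
offline; the listed address, its answer and the TTL values are assumptions.
"""
import ipaddress
import time
from collections import OrderedDict

NOT_LISTED_TTL = 2 * 60 * 60   # non-blacklisted answers are cached for 2 hours
LISTED_LOW = ipaddress.IPv4Address("127.0.0.2")
LISTED_HIGH = ipaddress.IPv4Address("127.0.0.9")


def rbl_query_name(ip, zone):
    """DNS name for an RBL lookup: the octets of ip reversed, prefixed to the zone name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(answer):
    """An A record between 127.0.0.2 and 127.0.0.9 means the sender is blacklisted."""
    if answer is None:              # NXDOMAIN: not listed
        return False
    return LISTED_LOW <= ipaddress.IPv4Address(answer) <= LISTED_HIGH


class RblFilter:
    """Verdict cache keyed by sender IP. should_drop() never waits for DNS: an unknown address
    is allowed through and queued, and the verdict applies to the packets that follow."""

    def __init__(self, zones, resolver, max_entries=4096, clock=time.monotonic):
        self.zones = list(zones)
        self.resolver = resolver        # resolver(name) -> (answer or None, ttl_seconds)
        self.max_entries = max_entries
        self.clock = clock
        self._cache = OrderedDict()     # ip -> (listed, expires_at); insertion order gives FIFO
        self._pending = set()

    def should_drop(self, ip):
        now = self.clock()
        entry = self._cache.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0]
        if entry is not None:           # expired entry
            del self._cache[ip]
        self._pending.add(ip)           # innocent until proven guilty
        return False

    def resolve_pending(self):
        """The separate task: query every enabled zone and cache the verdict."""
        for ip in sorted(self._pending):
            listed, ttl = False, NOT_LISTED_TTL
            for zone in self.zones:
                answer, answer_ttl = self.resolver(rbl_query_name(ip, zone))
                if is_listed(answer):
                    listed, ttl = True, answer_ttl
                    break
            self._store(ip, listed, ttl)
        self._pending.clear()

    def _store(self, ip, listed, ttl):
        self._cache.pop(ip, None)
        while len(self._cache) >= self.max_entries:
            self._cache.popitem(last=False)   # cache full: discard the oldest entry (FIFO)
        self._cache[ip] = (listed, self.clock() + ttl)

    def cached(self):
        return list(self._cache)


# Constructed stub: only 1.2.3.4 is listed (assumed answer 127.0.0.4, 300 s TTL).
STUB_ZONE = "sbl-xbl.spamhaus.org"
STUB_RECORDS = {rbl_query_name("1.2.3.4", STUB_ZONE): ("127.0.0.4", 300)}


def stub_resolver(name):
    return STUB_RECORDS.get(name, (None, 0))


def demo():
    """Walk through first-packet, second-packet, eviction and expiry behaviour."""
    now = [1000.0]
    f = RblFilter([STUB_ZONE], stub_resolver, max_entries=2, clock=lambda: now[0])
    first = f.should_drop("1.2.3.4")      # not cached yet: allowed, lookup queued
    f.resolve_pending()
    second = f.should_drop("1.2.3.4")     # cached as listed: dropped
    clean = f.should_drop("5.6.7.8")      # queued, allowed
    f.resolve_pending()
    clean_again = f.should_drop("5.6.7.8")
    f.should_drop("9.9.9.9")
    f.resolve_pending()                   # third entry in a 2-entry cache: 1.2.3.4 evicted
    after_evict = f.cached()
    now[0] += NOT_LISTED_TTL + 1          # the clean entry has now expired
    expired = f.should_drop("5.6.7.8")
    return {"first": first, "second": second, "clean": clean, "clean_again": clean_again,
            "after_evict": after_evict, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The first-packet allowance is the design trade-off worth noticing: a listed sender's very first packets pass until the verdict lands in the cache, and FIFO eviction under load can push a listed address out so that it is treated as unknown again.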
CHAPTER 19
Configuring Firewall Virtual Private
Networking
A Virtual Private Network (VPN) is a private data network that uses encryption technologies to
operate over public networks. This chapter contains the following sections:
In order to ensure message security, it is very important that the security and authentication
keys are not discovered by outside parties. Otherwise, the messages could be read in transit.
Deployment Caveats
When managing one or more VPNs through GMS, be aware of the following caveats:
Because of the individual nature of deployment, VPN SA configurations are not inheritable.
If updates are completed at the group node, separate tasks must be created for each
individual unit within that node.
Authentication Methods
SonicWALL appliances can use the following methods to exchange security and authentication
keys:
Note
For an explanation of VPN terms, refer to the VPN Terms and Concepts section on
page 503.
Expand the VPN tree and click Summary. The VPN Summary page displays.
Note
2.
If VPN is already configured for the SonicWALL appliance, a list of current SAs
displays. The unique firewall identifier also displays.
Note the improved navigation for managing VPNs through use of page navigation arrows
within the Current IPSec Security Associations. To navigate through the pages, click on the
navigation arrow buttons in the upper right corner of the VPN Summary Page as shown in
the figure here.
When managing VPNs, the VPN Summary window can list too many VPNs for you to easily find
the entry you want to view. To make VPN searching and viewing easier, GMS provides a
pagination feature in the VPN Summary screen that breaks the list of VPNs into multiple pages.
Each page can display up to 50 VPNs. To display the next page of VPNs, click the Next button.
GMS displays the succeeding page of the VPN Summary window.
Expand the VPN tree and click Settings. The VPN Settings page displays.
2.
Under Global IPSec Settings, select the Enable VPN check box.
3.
To disable all NetBIOS broadcasts, select the Disable all VPN Windows Networking
(NetBIOS) broadcast check box.
4.
To improve interoperability with other VPN gateways and applications that use a large
packet size, select the Enable Fragmented Packet Handling check box. Packet
fragmentation burdens routers with reassembling and resending data packets and slows
network traffic between networks.
The Enable Fragmented Packet Handling option configures the SonicWALL appliance to
listen to the intermediate router and, if necessary, send Internet Control Message Protocol
(ICMP) messages to the router to decrease the size of the data packets. Enabling this
option is recommended if the VPN tunnel logs contain many Fragmented IPSec packets
dropped messages.
5.
To ignore Don't Fragment (DF) bits from routers connected to the SonicWALL appliance,
select the Ignore DF Bit check box.
6.
NAT Traversal (NAT-T), standardized by the IETF in RFC 3947 and RFC 3948, encapsulates each
IPsec packet in a UDP/IP header so that NAT devices can rewrite the outer addresses and ports
without invalidating the integrity check on the IPsec packet. To enable NAT traversal, select
the Enable NAT Traversal check box.
7.
Specify how often the SonicWALL appliance issues a Keepalive in the Keep alive time
field.
8.
To enable detection of a dead peer, select Enable IKE Dead peer detection. Then
specify how often the SonicWALL appliance attempts to detect the peer in the Dead peer
detection Interval field, and specify the number of failed attempts that must occur before
the VPN tunnel is closed in the Failure Trigger Level field.
9.
Select Enable Dead Peer Detection for Idle vpn sessions if you want idle VPN
connections to be dropped by the SonicWALL security appliance after the time value
defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field.
10. Select VPN Single Armed mode to use single armed mode, allowing the appliance to act
as a stand-alone VPN gateway, using the WAN port as the VPN tunnel termination point.
11. Select Clean up Active Tunnels when Peer Gateway DNS names resolves to a
different IP address to break down SAs associated with old IP addresses and reconnect
to the peer gateway.
12. Select Preserve IKE Port for Pass-Through Connections to preserve the UDP 500/4500
source ports of IKE traffic passing through the appliance.
13. Select Enable OCSP Checking and enter the OCSP Responder URL to use the Online
Certificate Status Protocol (OCSP) to check the revocation status of VPN certificates at the
specified responder.
14. Select Send vpn tunnel traps only when tunnel status changes to send tunnel traps
when the tunnel status changes. By default, the firewall sends traps for VPN up/down
status. To minimize email alerts based on VPN traps, check this box.
15. Select Use RADIUS in, then select MSCHAP or MSCHAPv2 mode, to authenticate XAUTH
users against RADIUS with that protocol.
16. Under IKEv2 Settings, select Send IKEv2 Cookie Notify to send cookies to IKEv2 peers.
The cookie is an anti-denial-of-service measure rather than an authentication step: the
responder does not commit state to an IKE_SA_INIT request until the initiator echoes the
cookie back, which shows that the initiator's source address is not spoofed.
17. Use the IKEv2 Dynamic Client Proposal settings to configure the Internet Key Exchange
(IKE) attributes rather than using the default settings. Previously, only the default settings
were supported: Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the
SHA1 authentication method. Appliances running SonicOS Enhanced 4.0 and higher can
be configured with the following IKE Proposal settings:
DH Group - Select Group 1, Group 2, or Group 5 from the pull-down list. This sets the DH
group in the global IPsec policy for a zero (0.0.0.0) gateway, IKEv2 mode tunnel with
dynamic peer gateways. Group 1 (768-bit) is no longer considered adequate; use the
largest group both peers support.
Encryption - Select the encryption algorithm from the pull-down list. This sets the
encryption algorithm in the global IPsec policy for a zero (0.0.0.0) gateway, IKEv2 mode
tunnel with dynamic peer gateways whose IP addresses are not static.
Authentication - Select MD5 or SHA1 from the pull-down list. This sets the
authentication algorithm in the global IPsec policy for a zero (0.0.0.0) gateway, IKEv2
mode tunnel with dynamic peer gateways whose IP addresses are not static. MD5 is
deprecated for this use; choose SHA1 unless a peer cannot support it.
If a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is defined, you
cannot configure these IKE Proposal settings on an individual policy basis.
Note
The VPN policy on the remote gateway must also be configured with the same
settings.
18. When you are finished, click Update. To clear all screen settings and start over, click Reset.
Note
2.
To allow unauthenticated users to access a service, select the service in the Allow these
services to bypass user authentication on VPN SAs area and click Add. Repeat this
step for each service to add.
3.
To specify a range of IP addresses that will always be allowed to access the Internet, enter
the IP address in the Begin field and the size of the range in the Length field.
4.
5.
6.
7.
Click Accept.
8.
9.
10. To delete an entry, select the checkbox to the left of the service or IP address range and
click Update.
Configuring VPNs in Interconnected Mode section on page 473 - For VPNs between two
SonicWALL appliances.
Note
Note
1.
Expand the VPN tree and click Configure 2.0. The VPN Configure page displays with the
General tab selected.
2.
To establish a new SA, select Add New SA from the Security Association list box.
3.
4.
Select the destination SonicWALL appliance by clicking Select Destination Node and
selecting the node from the dialog box that displays.
6.
To initially disable the SA upon creation, select the Disable SA check box. This option can
always be unchecked at a later time.
7.
Select from the following keying modes from the IPSec Keying Mode list box:
Manual Key - keys are exchanged in advance. The SA will always use the same
encryption and authentication keys. If the keys are compromised by an outside party,
they will remain compromised until the keys are changed.
IKE Using Pre-Shared Secret - each SonicWALL appliance has a shared secret that
is used to establish an SA. After the SA expires, the SonicWALL appliances reestablish
an SA using the same shared secret, but derive fresh encryption and authentication keys.
Configure the following:
Peer IKE ID - specifies whether the IP address or SonicWALL Identifier will be used
as the IKE ID for the peer SonicWALL appliance.
IKE Using 3rd Party Certificates - the SonicWALL appliance and peer device obtain
certificates from third-party certificate authorities. Security and authentication keys
are exchanged using public-key cryptography, and the authenticity of each node is
verified by the third-party CA.
After the SA expires, the peers reestablish an SA using the same certificates (public
keys), but derive fresh encryption and authentication keys.
8.
Expand the VPN tree and click Configure 2.0. The VPN Configure page displays with the
General tab selected.
2.
To establish a new SA, select Add New SA from the Security Association list box.
3.
4.
Select the Disable SA check box to initially disable the SA upon creation. This option can
be unchecked at a later time.
5.
Select from the following keying modes from the IPSec Keying Mode list box:
Manual Key - keys are exchanged in advance.
The SA will always use the same encryption and authentication keys. If the keys are
compromised by an outside party, they will remain compromised until the keys are
changed. If you select this option, configure the following:
IKE Using Pre-Shared Secret - each SonicWALL appliance has a shared secret that
is used to establish an SA. After the SA expires, the SonicWALL appliances
reestablish an SA using the same shared secret, but derive fresh encryption and
authentication keys. Configure the following:
Shared Secret - specifies the shared secret used to negotiate the VPN tunnel. Use a
long random value; a short or guessable secret can be attacked offline if aggressive
mode is used.
Local IKE ID - specifies whether the IP address or SonicWALL Identifier will be
used as the IKE ID for the local SonicWALL appliance.
Peer IKE ID - specifies whether the IP address or SonicWALL Identifier will be
used as the IKE ID for the peer SonicWALL appliance.
IKE Using 3rd Party Certificates - the SonicWALL appliance and peer device obtain
certificates from third-party certificate authorities. Security and authentication keys
are exchanged using public-key cryptography, and the authenticity of each node is
verified by the third-party CA.
After the SA expires, the peers reestablish an SA using the same certificates (public
keys), but derive fresh encryption and authentication keys. If you select this option,
configure the following:
Click the Network tab. Select which local networks will establish VPN connections
with the destination networks:
Choose local network from list - specifies an Address Object that contains one or
more networks. For information on creating address objects, refer to the documentation
that accompanied the SonicWALL appliance.
Tunnel - indicates that the computers on the local network will obtain their IP
addresses from the destination network.
Any address - configures all networks to establish VPN connections with the specified
destination networks.
2.
Select the destination networks with which the local networks will connect:
Use this VPN Tunnel as default route for all Internet traffic - configures all networks
on the destination network to use this VPN for all Internet traffic.
Tunnel - indicates that the computers on the destination network will obtain their IP
addresses from the local network.
Choose destination network from list - specifies an Address Object that contains
one or more networks. For information on creating address objects, refer to the
documentation that accompanied the SonicWALL appliance.
3.
4.
Select the IKE Phase 1 Proposal Options (Certificates and Pre-Shared Secret only):
Exchange - Select the exchange mode from the Exchange list box. Aggressive mode
DH Group - specifies the Diffie-Hellman group to use when the VPN devices are
negotiating encryption and authentication keys.
Note
Authentication - specifies the type of authentication key to use when the VPN devices
Life Time (seconds) - specifies how long a tunnel will remain active before being
renegotiated.
5.
Authentication - specifies the type of authentication key to use when the VPN devices
DH Group - specifies the Diffie-Hellman group to use after the VPN devices have
established an SA.
Life Time (seconds) - specifies how long a tunnel will remain active before being
renegotiated.
6.
7.
Note
The Allow Advanced Routing, Enable Transport Mode, and Enable Multicast
options are available for VPN policies that are configured as follows:
Policy Type: Tunnel Interface
IPSec Keying Mode: IKE using Preshared Secret or IKE using third party certs
Allow Advanced Routing - Adds this Tunnel Interface to the list of interfaces in the
Advanced Routing table on the Network > Routing page. Making this an optional
setting avoids adding all Tunnel Interfaces to the Advanced Routing table, which
helps streamline the routing configuration. (This option is supported for SonicOS
versions 5.6 and higher.)
Enable Transport Mode - Forces the IPsec negotiation to use Transport mode instead
of Tunnel Mode. This has been introduced for compatibility with Nortel. When this
option is enabled on the local firewall, it MUST be enabled on the remote firewall as
well for the negotiation to succeed. (This option is supported for SonicOS versions 5.6
and higher.)
Management via this SA - specifies the protocols that can be used to manage the
SonicWALL appliance through this SA. In addition to HTTP and HTTPS, you can enable
SSH management of the device through the IPsec tunnel. When the SSH check box
is selected in an IPsec Policy, an SSH session can be initiated to the device using the
IPsec tunnel for the policy.
User login via this SA - specifies the protocols that users can use to log in to the
Default LAN Gateway - specifies the default gateway when routing all traffic through
VPN Policy bound to - specifies the zone or interface to which the VPN tunnel will
terminate.
primary gateway in the IPsec policy. If a secondary gateway is configured in the IPsec
Policy, an IPsec tunnel is established with the secondary gateway when the primary
gateway is unreachable. If this option is enabled in the policy, a periodic discovery is
attempted for the primary gateway and, if it is discovered successfully, tunnels are
switched back to the primary gateway from the secondary gateway.
Primary Gateway Detection Interval - specifies the time interval in seconds for the
discovery of the primary IPsec gateway if it is unreachable. The minimum value is 120
and the maximum value is 28800.
8.
When you are finished, click OK. SonicWALL GMS begins establishing VPN tunnels
between all specified networks.
Note
When All Appliances are Managed by SonicWALL GMS section on page 479
When One Appliance Is Not Managed by SonicWALL GMS section on page 481
This section assumes that you are familiar with Public Key Infrastructure (PKI) and the
implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known
as a Certificate Authority (CA). SonicWALL certificates are the easiest certificate solution for
establishing the identity of peer VPN devices and users.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital
signatures to authenticate peer devices before setting up security associations. Without digital
signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric
keys. Devices using digital signatures do not require configuration changes every time a new
device is added to the network.
Note
Note
Before establishing SAs using SonicWALL certificates, you must obtain a Public Key
Infrastructure (PKI) administrator certificate and apply it to each SonicWALL appliance. For
more information, refer to the Registering and Upgrading SonicWALL Firewall Appliances
section on page 643.
Expand the VPN tree and click Configure. The VPN Configure page displays.
2.
3.
For the IPSec Keying Mode, Select IKE using SonicWALL Certificates.
4.
5.
Note
6.
Select the SonicWALL appliance or group to which you will establish SAs and click the
Select button. The name of the target displays in the Target SonicWALL Group/Node
field.
7.
Aggressive mode improves the performance of IKE SA negotiation by requiring only three
packet exchanges. However, it provides no identity protection: the peer identities are sent in
the clear, and with pre-shared secrets the authentication hash can be captured and attacked
offline. To enable aggressive mode, select Aggressive Mode from the Exchange list box.
Otherwise, select Main Mode.
8.
Select the Diffie-Hellman (DH) group that will be used when the VPN devices are
negotiating encryption and authentication keys from the Phase 1 DH Group list box.
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit
Diffie-Hellman value, and Group 5 specifies the most secure 1536-bit Diffie-Hellman value
offered here. Group 1 is no longer considered adequate and should be avoided whenever the
peer supports a larger group.
9.
Select the Diffie-Hellman group that will be used when the VPN devices have established
an SA from the Phase 2 DH Group list box.
10. Select the type of encryption and authentication keys used when the VPN devices are
11. Select the type of encryption and authentication keys used for the SAs from the Phase 2
12. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all Internet traffic through this destination unit check box. The Default LAN
Gateway field allows the network administrator to specify the IP address of the default LAN
route for incoming Internet Protocol Security (IPSec) packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured
in the SonicWALL. Since packets can have any IP address destination, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is
routed through the gateway. Otherwise, the packet is dropped.
13. To specify how long the tunnel is active before being renegotiated, enter a value in the SA
14. To prevent repeated compromises of the same security key when reestablishing a tunnel,
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA,
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate
any VPN traffic, select the Try to bring up all possible SAs check box.
a feature that allows two or more physically separated networks to be joined using a secure
wireless connection.
19. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking
20. To allow the remote VPN tunnel to be included in the routing table, select the Forward
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually
specified route (refer to the Configuring Routing in SonicOS Enhanced section on
page 240). This option enables you to create a hub and spoke network configuration
where all traffic is routed among branch offices via the corporate office.
Note
To create a hub and spoke network, make sure to select the Forward Packets to Remote
VPNs check box for each SA.
21. To force all network traffic to the WAN through a VPN to a central site, select the Route all
When this option is selected, all traffic that is not destined for another SA is forwarded
through this VPN tunnel. If this option is not specified and the destination does not match
any SA, the packet is forwarded unencrypted to the WAN.
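The two routing rules described in steps 12 and 21, as an added example that is not SonicOS code: at a branch (spoke) appliance, outbound traffic is matched against the SA destinations, then falls back to the tunnel marked Route all Internet traffic, and leaves unencrypted to the WAN only when neither applies; at the central (hub) appliance, a packet decrypted from a tunnel is forwarded by static LAN route, then by the Default LAN Gateway, and is otherwise dropped. The networks, SA names and gateway addresses in the demo topology are assumptions.

```python
"""Forwarding decisions for a hub-and-spoke VPN, modelling the two rules described above.

Added example, not SonicOS code. The networks, SA names and gateway addresses are
assumptions made for the demo topology.
"""
import ipaddress


def _net(text):
    return ipaddress.ip_network(text, strict=False)


class SpokeEgress:
    """Outbound path selection at a branch (spoke) appliance."""

    def __init__(self, local_networks, sas, route_all_sa=None):
        # sas: SA name -> destination networks reachable through that SA
        self.local = [_net(n) for n in local_networks]
        self.sas = {name: [_net(n) for n in nets] for name, nets in sas.items()}
        if route_all_sa is not None and route_all_sa not in self.sas:
            raise ValueError("route_all_sa must name a configured SA")
        self.route_all_sa = route_all_sa

    def decide(self, dst):
        """Return ('local', None), ('encrypt', sa_name) or ('clear', 'WAN')."""
        addr = ipaddress.ip_address(dst)
        if any(addr in n for n in self.local):
            return ("local", None)
        best = None
        for name, nets in self.sas.items():             # longest-prefix match over SA destinations
            for n in nets:
                if addr in n and (best is None or n.prefixlen > best[1].prefixlen):
                    best = (name, n)
        if best is not None:
            return ("encrypt", best[0])
        if self.route_all_sa is not None:               # 'Route all Internet traffic' is set
            return ("encrypt", self.route_all_sa)
        return ("clear", "WAN")                         # not set: the packet leaves unencrypted


class HubIngress:
    """Next-hop selection at the central appliance for a packet decrypted from a tunnel."""

    def __init__(self, lan_routes, default_lan_gateway=None):
        # lan_routes: static routes, destination network -> next hop
        self.routes = {_net(n): gw for n, gw in lan_routes.items()}
        self.default_lan_gateway = default_lan_gateway

    def decide(self, dst):
        """Return ('route', next_hop) or ('drop', None)."""
        addr = ipaddress.ip_address(dst)
        matches = [(n, gw) for n, gw in self.routes.items() if addr in n]
        if matches:                                     # a static route was found
            return ("route", max(matches, key=lambda m: m[0].prefixlen)[1])
        if self.default_lan_gateway is not None:        # fall back to the Default LAN Gateway
            return ("route", self.default_lan_gateway)
        return ("drop", None)                           # no route and no default gateway


def demo():
    """Constructed topology: branch 10.1.0.0/16, HQ 10.0.0.0/16, second branch 10.2.0.0/16."""
    sas = {"to-HQ": ["10.0.0.0/16"], "to-Branch2": ["10.2.0.0/16"]}
    with_route_all = SpokeEgress(["10.1.0.0/16"], sas, route_all_sa="to-HQ")
    without_route_all = SpokeEgress(["10.1.0.0/16"], sas)
    hub = HubIngress({"10.0.5.0/24": "10.0.0.5"}, default_lan_gateway="10.0.0.1")
    hub_no_default = HubIngress({"10.0.5.0/24": "10.0.0.5"})
    return {
        "to_branch2": with_route_all.decide("10.2.7.7"),
        "internet_via_hq": with_route_all.decide("203.0.113.10"),
        "internet_leaks": without_route_all.decide("203.0.113.10"),
        "local": with_route_all.decide("10.1.3.3"),
        "hub_static": hub.decide("10.0.5.9"),
        "hub_default": hub.decide("203.0.113.10"),
        "hub_drop": hub_no_default.decide("203.0.113.10"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "internet_leaks" case is the one to check in a deployment: with Route all Internet traffic left unset at the branch, anything that does not match an SA goes out in the clear, and with no Default LAN Gateway at the hub the same traffic is silently dropped after decryption.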
Note
on the other side of the SA will be able to access the LAN, but not the OPT.
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the
other side of the SA will be able to access the OPT, but not the LAN.
To allow users on the other side of the SA to access both the LAN and DMZ, select
LAN/OPT.
23. Select from the following NAT and Firewall Rules:
To disable NAT and not apply firewall rules to traffic coming through this SA, select
Disabled.
To enable NAT and firewall rules for the selected SonicWALL appliance, select Source.
If NAT is enabled, all traffic originating from this appliance will appear to originate from
a single IP address and network firewall rules will be applied to all traffic on this SA.
To enable NAT and firewall rules for the selected SonicWALL appliance and its peer,
select Source and Destination. If NAT is enabled, all traffic originating from this
appliance will appear to originate from a single IP address and all traffic originating from
its peer will appear to originate from a single IP address. Network firewall rules will be
applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run between the networks. For
more information, refer to the Configuring Firewall Appliance Settings section on
page 273.
24. Select how local users are authenticated:
To disable authentication for local users, select Disabled.
To configure local users to be authenticated locally, either through the SonicWALL
To authenticate local users both locally and on the destination network, select Source
and Destination.
25. Similarly, select how remote users are authenticated.
26. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
Expand the VPN tree and click Configure. The VPN Configure page displays.
2.
3.
4.
5.
Enter the name of the remote firewall/VPN gateway in the Security Association Name
field. This name must match exactly if the device has a dynamic IP address.
6.
Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address
field. This address must be valid and will be the public IP address if the remote LAN has
NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left
blank if the name matches.
7.
To specify how long the tunnel is active before being renegotiated, enter a value in the SA
Lifetime field. We recommend a value of 28,800 seconds (8 hours).
8.
To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all internet traffic through destination unit check box. The Default LAN Gateway
field allows the network administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured
in the SonicWALL. Since packets can have any IP address destination, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is
routed through the gateway. Otherwise, the packet is dropped.
9.
10. To prevent repeated compromises of the same security key when reestablishing a tunnel,
11. Select Enable Wireless Secure Bridging Mode to enable wireless secure bridging mode,
a feature that allows two or more physically separated networks to be joined using a secure
wireless connection.
12. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking
13. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT
This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear
to originate from a single IP address.
14. To allow the remote VPN tunnel to be included in the routing table, select the Forward
This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it
to another VPN tunnel. This feature can be used to create a hub and spoke network
configuration by routing traffic among SAs. To do this, make sure to enable this option for
all SAs.
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA,
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate
any VPN traffic, select the Try to bring up all possible SAs check box.
17. To require local users to authenticate locally before accessing the SA, select the Require
18. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS
server before accessing resources, select the Require authentication of remote users
check box.
19. Enter the serial number of the target SonicWALL appliance in the Peer SonicWALL Serial
# field.
20. Aggressive mode improves the performance of IKE SA negotiation by only requiring three
21. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating
encryption and authentication keys from the Phase 1 DH Group list box.
Note
22. Select the Diffie-Hellman group that will be used when the VPN devices have established
23. Select the type of encryption and authentication keys used when the VPN devices are
24. Select the type of encryption and authentication keys used for the SAs from the Phase 2
If the destination network will receive its IP addresses on this network using DHCP,
click Add Networks and enter the destination network IP addresses and subnet masks.
26. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
This section assumes that you are familiar with Public Key Infrastructure (PKI) and the
implementation of digital certificates with VPN.
A digital certificate is an electronic means to verify identity by using a trusted third party known
as a Certificate Authority (CA). SonicWALL now supports third party certificates in addition to
the existing Authentication Service. The difference between third party certificates and the
SonicWALL Authentication Service is the ability to select the source for your CA certificate.
Using Certificate Authority Certificates and Local Certificates is a more manual process than
using the SonicWALL Authentication Service; therefore, experience with implementing Public
Key Infrastructure (PKI) is necessary to understand the key components of digital certificates.
Internet Key Exchange (IKE) is an important part of IPSec VPN solutions, and it can use digital
signatures to authenticate peer devices before setting up security associations. Without digital
signatures, VPN users must authenticate by manually exchanging shared secrets or symmetric
keys. Devices using digital signatures do not require configuration changes every time a new
device is added to the network.
SonicWALL has implemented X.509v3 as its certificate form and CRLv2 for its certificate
revocation list. SonicWALL supports the following two vendors of Certificate Authority
Certificates:
VeriSign
Entrust
Obtaining a Certificate
To obtain a certificate, refer to the Generating a Certificate Signing Request section on
page 205. After you have obtained certificates for both devices, continue to configure the VPN.
When All Appliances are Managed by SonicWALL GMS section on page 484
When One Appliance Is Not Managed by SonicWALL GMS section on page 488
To enable VPN using third-party certificates when both devices are managed by
SonicWALL GMS, perform the following steps:
Note
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2.
3.
5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed
by this SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs and click the
Select button. The name of the target displays in the Target SonicWALL Group/Node
field.
7. Aggressive mode improves the performance of IKE SA negotiation by only requiring three
packet exchanges. However, it provides no identity protection. To enable aggressive mode,
select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
8. Select the Diffie-Hellman (DH) group that will be used when the VPN devices are
negotiating encryption and authentication keys from the Phase 1 DH Group list box.
Note
9. Select the Diffie-Hellman group that will be used when the VPN devices have established
an SA from the Phase 2 DH Group list box.
10. Select the type of encryption and authentication keys used when the VPN devices are
11. Select the type of encryption and authentication keys used for the SAs from the Phase 2
12. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all Internet traffic through this destination unit check box. The Default LAN
Gateway field allows the network administrator to specify the IP address of the default LAN
route for incoming Internet Protocol Security (IPSec) packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured
in the SonicWALL. Since packets can have any IP address destination, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is
routed through the gateway. Otherwise, the packet is dropped.
13. To specify how long the tunnel is active before being renegotiated, enter a value in the SA
14. To prevent repeated compromises of the same security key when reestablishing a tunnel,
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA,
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate
any VPN traffic, select the Try to bring up all possible SAs check box.
17. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
18. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking
19. To allow the remote VPN tunnel to be included in the routing table, select the Forward
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually
specified route (refer to the Configuring Routing in SonicOS Enhanced section on
page 240). This option enables you to create a hub and spoke network configuration
where all traffic is routed among branch offices via the corporate office.
Note
To create a hub and spoke network, make sure to select the Forward Packets to
Remote VPNs check box for each SA.
20. To force all network traffic to the WAN through a VPN to a central site, select the Route all
When this option is selected, all traffic that is not destined for another SA is forwarded
through this VPN tunnel. If this option is not specified and the destination does not match
any SA, the packet is forwarded unencrypted to the WAN.
Note
21. If the remote side of this VPN connection is to obtain its addressing from a DHCP server on
this side of the tunnel, select Enable "Destination network obtains IP addresses using
DHCP through this SA" on Target.
side of the SA will be able to access the LAN, but not the DMZ.
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the
other side of the SA will be able to access the OPT, but not the LAN.
To allow users on the other side of the SA to access both the LAN and OPT, select
LAN/OPT.
23. Select from the following NAT and Firewall Rules:
To disable NAT and not apply firewall rules to traffic coming through this SA, select
Disabled.
To enable NAT and firewall rules for the selected SonicWALL appliance, select Source.
If NAT is enabled, all traffic originating from this appliance will appear to originate from
a single IP address and network firewall rules will be applied to all traffic on this SA.
To enable NAT and firewall rules for the selected SonicWALL appliance and its peer,
select Source and Destination. If NAT is enabled, all traffic originating from this
appliance will appear to originate from a single IP address and all traffic originating from
its peer will appear to originate from a single IP address. Network firewall rules will be
applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run between the networks. For
more information, refer to the Configuring Firewall Appliance Settings section on
page 273.
24. Select how local users are authenticated:
To disable authentication for local users, select Disabled.
To configure local users to be authenticated locally, either through the SonicWALL
To authenticate local users both locally and on the destination network, select Source
and Destination.
25. Similarly, select how remote users are authenticated.
26. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
Expand the VPN tree and click Configure. The VPN Configure page displays.
2.
3.
4.
5. Enter the name of the remote firewall/VPN gateway in the Security Association Name
field. This name must match exactly if the device has a dynamic IP address.
6. Select the certificate to use from the Select Certificate list box.
7. Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address
field. This address must be valid and will be the public IP address if the remote LAN has
NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left
blank if the name matches. Optionally, you can specify an IPSec Secondary Gateway Name
or Address.
8. To specify how long the tunnel is active before being renegotiated, enter a value in the SA
Lifetime field. We recommend a value of 28,800 seconds (8 hours).
9. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all internet traffic through destination unit check box. The Default LAN Gateway
field allows the network administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured
in the SonicWALL. Since packets can have any IP address destination, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is
routed through the gateway. Otherwise, the packet is dropped.
10. To prevent repeated compromises of the same security key when reestablishing a tunnel,
11. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
12. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking
13. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT
and firewall rules check box. This feature is useful for hiding the LAN subnet from the
corporate site. All traffic will appear to originate from a single IP address.
14. To allow the remote VPN tunnel to be included in the routing table, select the Forward
Packets to Remote VPNs check box. This will enable the SonicWALL appliance to receive
VPN traffic, decrypt it, and forward it to another VPN tunnel. This feature can be used to
create a hub and spoke network configuration by routing traffic among SAs. To do this,
make sure to enable this option for all SAs.
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA,
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate
any VPN traffic, select the Try to bring up all possible SAs check box.
17. To require local users to authenticate locally before accessing the SA, select the Require
18. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS
server before accessing resources, select the Require authentication of remote users
check box.
19. Aggressive mode improves the performance of IKE SA negotiation by only requiring three
20. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating
encryption and authentication keys from the Phase 1 DH Group list box.
Note
21. Select the Diffie-Hellman group that will be used when the VPN devices have established
22. Select the type of encryption and authentication keys used when the VPN devices are
23. Select the type of encryption and authentication keys used for the SAs from the Phase 2
24. Select whether the peer device uses a distinguished name, email ID, or domain name as
25. Enter the peer device's certificate ID in the Peer Certificates ID field.
26. Select from the following:
To allow this SA to be used as the default route for all Internet traffic, select Use this
click Add Networks and enter the destination network IP addresses and subnet masks.
27. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note
To disable this SA without deleting it, select the Disable this SA check box and click
Update.
When All Appliances are Managed by SonicWALL GMS section on page 490
When One Appliance Is Not Managed by SonicWALL GMS section on page 493
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2.
3.
4.
5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed
by this SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs and click the
Select button. The name of the target displays in the Target SonicWALL Group/Node
field.
7. Aggressive mode improves the performance of IKE SA negotiation by only requiring three
packet exchanges. However, it provides no identity protection. To enable aggressive mode,
select Aggressive Mode from the Exchange list box. Otherwise, select Main Mode.
8. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating
encryption and authentication keys from the Phase 1 DH Group list box.
Note
9. Select the Diffie-Hellman group that will be used when the VPN devices have established
an SA from the Phase 2 DH Group list box.
10. Select the type of encryption and authentication keys used when the VPN devices are
11. Select the type of encryption and authentication keys used for the SAs from the Phase 2
12. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all internet traffic through destination unit check box. The Default LAN Gateway
field allows the network administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured
in the SonicWALL. Since packets can have any IP address destination, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is
routed through the gateway. Otherwise, the packet is dropped.
13. To specify how long the tunnel is active before being renegotiated, enter a value in the SA
14. To prevent repeated compromises of the same security key when reestablishing a tunnel,
15. To configure the VPN tunnel to remain open as long as there is network traffic on the SA,
16. To configure the SonicWALL appliance to establish the VPN tunnel before users generate
any VPN traffic, select the Try to bring up all possible SAs check box.
17. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
18. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking
19. To allow the remote VPN tunnel to be included in the routing table, select the Forward
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually
specified route (refer to the Configuring Routing in SonicOS Enhanced section on
page 240). This option enables you to create a hub and spoke network configuration
where all traffic is routed among branch offices via the corporate office.
Note
To create a hub and spoke network, make sure to select the Forward Packets to Remote
VPNs check box for each SA.
20. To force all network traffic to the WAN through a VPN to a central site, select the Route all
When this option is selected, all traffic that is not destined for another SA is forwarded
through this VPN tunnel. If this option is not specified and the destination does not match
any SA, the packet is forwarded unencrypted to the WAN.
Note
this side of the tunnel, select Enable "Destination network obtains IP addresses using
DHCP through this SA" on Target.
on the other side of the SA will be able to access the LAN, but not the OPT.
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the
other side of the SA will be able to access the OPT, but not the LAN.
To allow users on the other side of the SA to access both the LAN and OPT, select
LAN/OPT.
23. Select from the following NAT and Firewall Rules:
To disable NAT and not apply firewall rules to traffic coming through this SA, select
Disabled.
To enable NAT and firewall rules for the selected SonicWALL appliance, select Source.
If NAT is enabled, all traffic originating from this appliance will appear to originate from
a single IP address and network firewall rules will be applied to all traffic on this SA.
To enable NAT and firewall rules for the selected SonicWALL appliance and its peer,
select Source and Destination. If NAT is enabled, all traffic originating from this
appliance will appear to originate from a single IP address and all traffic originating from
its peer will appear to originate from a single IP address. Network firewall rules will be
applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run between the networks. For
more information, refer to the Configuring Firewall Appliance Settings section on
page 273.
24. Select how local users are authenticated:
To disable authentication for local users, select Disabled.
To configure local users to be authenticated locally, either through the SonicWALL
To authenticate local users both locally and on the destination network, select Source
and Destination.
25. Similarly, select how remote users are authenticated.
26. Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.
27. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
Note
To disable this SA, select the Disable this SA check box and click Update.
Expand the VPN tree and click Configure. The VPN Configure page displays.
2.
3. Select IKE using Pre-Shared Secret in the IPSec Keying mode section.
4.
5. Enter the name of the remote firewall/VPN gateway in the Security Association Name
field. This name must match exactly if the device has a dynamic IP address.
6. Enter the IP address of the remote firewall/VPN gateway in the IPSec Gateway Address
field. This address must be valid and will be the public IP address if the remote LAN has
NAT enabled. If the remote VPN gateway has a dynamic IP address, this field can be left
blank if the name matches.
7. Enter the amount of time before an IKE SA will automatically negotiate (120 to 2,499,999
seconds) in SA Lifetime.
8. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all Internet traffic through destination unit check box. The Default LAN Gateway
field allows the network administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured
in the SonicWALL. Since packets can have any IP address destination, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is
routed through the gateway. Otherwise, the packet is dropped.
9. To prevent repeated compromises of the same security key when reestablishing a tunnel,
select the Enable Perfect Forward Secrecy check box.
10. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
11. To access remote resources within the Windows Network Neighborhood, select the Enable
12. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT
This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear
to originate from a single IP address.
13. To allow the remote VPN tunnel to be included in the routing table, select the Forward
This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it
to another VPN tunnel. This feature can be used to create a hub and spoke network
configuration by routing traffic among SAs. To do this, make sure to enable this option for
all SAs.
14. To configure the VPN tunnel to remain open as long as there is network traffic on the SA,
15. To configure the SonicWALL appliance to establish the VPN tunnel before users generate
any VPN traffic, select the Try to bring up all possible SAs check box.
16. To require local users to authenticate locally before accessing the SA, select the Require
17. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS
server before accessing resources, select the Require authentication of remote users
check box.
18. Select either Remote users behind VPN gateway or Remote VPN clients with XAUTH.
Note
Only SonicWALL VPN clients can authenticate to a RADIUS server. Users tunneling from
another VPN gateway will not be able to complete the VPN tunnel if this check box is
selected.
19. Enter the shared secret in the Shared Secret field.
20. Aggressive mode improves the performance of IKE SA negotiation by only requiring three
21. Select the Diffie-Hellman group that will be used when the VPN devices are negotiating
encryption and authentication keys from the Phase 1 DH Group list box.
Note
Group 1 specifies a 768-bit Diffie-Hellman value, Group 2 specifies a more secure 1024-bit
Diffie-Hellman value, and Group 5 specifies the currently most secure 1536-bit
Diffie-Hellman value.
22. Select the Diffie-Hellman group that will be used when the VPN devices have established
23. Select the type of encryption and authentication keys used when the VPN devices are
24. Select the type of encryption and authentication keys used for the SAs from the Phase 2
click Add Network and enter the destination network IP addresses and subnet masks.
26. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
27. Create an SA in the remote VPN device for each SonicWALL appliance that you have
configured.
Note
To disable this SA without deleting it, select the Disable this SA check box and click
Update.
Manual Keying
Manual keying involves exchanging encryption and authentication keys in advance.
Although this is the simplest method of establishing an SA between two VPN devices, the SA
will always use the same encryption and authentication keys. If the keys are compromised by
an outside party, they will remain compromised until the keys are changed.
When All Appliances are Managed by SonicWALL GMS section on page 496
When One Appliance Is Not Managed by SonicWALL GMS section on page 498
Expand the VPN tree and click Configure. The VPN Configure page displays.
2.
3.
4.
5. Click Select Destination. A dialog box that contains all SonicWALL appliances managed
by this SonicWALL GMS displays.
6. Select the SonicWALL appliance or group to which you will establish SAs and click the
Select button. The name of the target displays in the Target SonicWALL Group/Node
field.
7. Select one of the encryption methods from the Encryption Method list box.
8. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all Internet traffic through destination unit check box. The Default LAN Gateway
field allows the network administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured
in the SonicWALL. Since packets can have any IP address destination, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is
routed through the gateway. Otherwise, the packet is dropped.
9. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
10. To enable NetBIOS broadcasts across the SA, select the Enable Windows Networking
11. To allow the remote VPN tunnel to be included in the routing table, select the Forward
Normally, inbound traffic is decrypted and only forwarded to the local LAN or a manually
specified route (refer to the Configuring Routing in SonicOS Enhanced section on
page 240). This option enables you to create a hub and spoke network configuration
where all traffic is routed among branch offices via the corporate office.
Note
To create a hub and spoke network, make sure to select the Forward Packets to Remote
VPNs check box for each SA.
12. To force all network traffic to the WAN through a VPN to a central site, select the Route all
When this option is selected, all traffic that is not destined for another SA is forwarded
through this VPN tunnel. If this option is not specified and the destination does not match
any SA, the packet is forwarded unencrypted to the WAN.
13. Select one of the following VPN termination options:
To configure the VPN tunnel to terminate at the LAN, select LAN. Users on the other
side of the SA will be able to access the LAN, but not the DMZ.
To configure the VPN tunnel to terminate at the OPT or DMZ, select OPT. Users on the
other side of the SA will be able to access the OPT, but not the LAN.
To allow users on the other side of the SA to access both the LAN and OPT, select
LAN/OPT.
14. Select from the following NAT and Firewall Rules:
To disable NAT and not apply firewall rules to traffic coming through this SA, select
Disabled.
To enable NAT and firewall rules for the selected SonicWALL appliance, select Source.
If NAT is enabled, all traffic originating from this appliance will appear to originate from
a single IP address and network firewall rules will be applied to all traffic on this SA.
To enable NAT and firewall rules for the selected SonicWALL appliance and its peer,
select Source and Destination. If NAT is enabled, all traffic originating from this
appliance will appear to originate from a single IP address and all traffic originating from
its peer will appear to originate from a single IP address. Network firewall rules will be
applied to all traffic on this SA.
Note
Applying firewall rules can dramatically affect services that run between the
networks. For more information, refer to the Configuring Firewall Appliance
Settings section on page 273.
To authenticate local users both locally and on the destination network, select Source
and Destination.
16. Similarly, select how remote users are authenticated.
17. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Expand the VPN tree and click Configure. The VPN Configure page displays.
2.
3.
4.
5. Enter a descriptive name for the SA in the Security Association Name field.
6. Enter the IP address of the remote firewall in the IPSec Gateway Address field. This
address must be valid and will be the public IP address if the remote LAN has NAT enabled.
7. To specify the default LAN gateway, enter the IP address of the gateway in the Default LAN
Gateway field.
A Default LAN Gateway is used at a central site in conjunction with a remote site using the
Route all Internet traffic through destination unit check box. The Default LAN Gateway
field allows the network administrator to specify the IP address of the default LAN route for
incoming IPSec packets for this SA.
Incoming packets are decoded by the SonicWALL and compared to static routes configured
in the SonicWALL. Since packets can have any IP address destination, it is impossible to
configure enough static routes to handle the traffic. For packets received via an IPSec
tunnel, the SonicWALL looks up a route for the LAN. If no route is found, the SonicWALL
checks for a Default LAN Gateway. If a Default LAN Gateway is detected, the packet is
routed through the gateway. Otherwise, the packet is dropped.
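The Default LAN Gateway lookup described above (static LAN route first, then the Default LAN Gateway, otherwise drop), as an added Python model that is not part of the manual or of SonicOS. The route networks, destination addresses and gateway address are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: static routes the appliance has for its LAN side.
# (Assumption: these networks are illustrative, not taken from the manual.)
LAN_ROUTES = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("10.10.5.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]


def route_decrypted_packet(dst: str,
                           lan_routes: List[ipaddress.IPv4Network],
                           default_lan_gateway: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Decide what happens to a packet that arrived through an IPSec tunnel.

    Mirrors the lookup order the manual describes: a matching static LAN route wins
    (longest prefix first); otherwise the Default LAN Gateway, if one is configured,
    receives the packet; otherwise the packet is dropped.
    Returns ("route", network), ("gateway", address) or ("drop", None).
    """
    dst_ip = ipaddress.ip_address(dst)
    matches = [net for net in lan_routes if dst_ip in net]
    if matches:
        # Longest-prefix match, as a routing table would do.
        best = max(matches, key=lambda net: net.prefixlen)
        return ("route", str(best))
    if default_lan_gateway:
        return ("gateway", default_lan_gateway)
    return ("drop", None)


if __name__ == "__main__":
    # A central site with a Default LAN Gateway configured versus one without.
    for dst in ("10.10.5.9", "192.168.50.20", "203.0.113.7"):
        print(dst, route_decrypted_packet(dst, LAN_ROUTES, "10.10.0.1"))
        print(dst, route_decrypted_packet(dst, LAN_ROUTES))
```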
8. To enable wireless secure bridging, select the Wireless Secure Bridging Mode check box.
9. To access remote resources within the Windows Network Neighborhood, select the Enable
Windows Networking (NetBIOS) Broadcast check box.
10. To apply NAT and firewall rules to all traffic coming through this SA, select the Apply NAT
This feature is useful for hiding the LAN subnet from the corporate site. All traffic will appear
to originate from a single IP address.
11. To allow the remote VPN tunnel to be included in the routing table, select the Forward
This will enable the SonicWALL appliance to receive VPN traffic, decrypt it, and forward it
to another VPN tunnel. This feature can be used to create a hub and spoke network
configuration by routing traffic among SAs. To do this, make sure to enable this option for
all SAs.
12. To require local users to authenticate locally before accessing the SA, select the Require
13. To require remote users to authenticate with this SonicWALL appliance or the local RADIUS
server before accessing resources, select the Require authentication of remote users
check box.
14. Select one of the encryption methods from the Encryption Method list box.
15. Enter the key used for encryption in the Encryption Key field. The DES and ARCFour Keys
This key must match the authentication key of the remote VPN gateway or client. If
authentication is not used, this field is ignored.
17. Enter the Security Parameter Index (SPI) that the remote location will send to identify the
Security Association used for the VPN Tunnel in the Incoming SPI field.
Note
The SPI may be up to eight characters long and be composed of hexadecimal characters.
Valid hexadecimal characters are 0 to 9, and a to f (e.g., 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a,
b, c, d, e, f).
The hexadecimal characters 0 to ff inclusive are reserved by the Internet Engineering
Task Force (IETF) and are not allowed for use as an SPI. For example, a valid SPI would be
1234abcd.
Note
The SPI for an SA must be unique when compared to SPIs for other SAs. However, the
Incoming SPI can be the same as the Outgoing SPI on the same SA.
18. Enter the Security Parameter Index (SPI) that the local SonicWALL VPN will transmit to
identify the Security Association used for the VPN Tunnel in the Outgoing SPI field.
click Modify and enter the destination network IP addresses and subnet masks.
20. When you are finished, click Update. The settings are changed for each selected
SonicWALL appliance. To clear all screen settings and start over, click Reset.
21. Create an SA in the remote VPN device for each SonicWALL appliance that you have
configured.
1. Expand the VPN tree and click L2TP. The L2TP page displays.
2.
3. Specify how often the SonicWALL appliance issues a Keepalive in the Keep alive time
field.
4. Enter the IP addresses of the DNS Servers in the DNS Server fields.
5. Enter the IP addresses of the WINS Servers in the WINS Server fields.
6.
pool and enter the starting and ending IP addresses in the Start IP and End IP fields.
7. When you are finished, click Update. To clear all screen settings and start over, click Reset.
Expand the VPN tree and click Monitor. The Monitor page displays.
2. Select the category of tunnels to display in the Display Options section and click Refresh.
You can select Show Up Tunnels, Show Down Tunnels, or Show All Tunnels.
3.
4.
5. To view the tunnel statistics, select one or more tunnels and click View Selected Tunnel
Statistics.
6. To renegotiate selected tunnels, select one or more tunnels and click Renegotiate
Selected Tunnels.
2.
3. To email the SPD file to the SonicWALL GMS administrator or the VPN Client user, click
Email SPD file. The file is attached to the email. A task is scheduled for each email.
Note
A copy of the SPD file is also stored in the SonicWALL Agent's <gms_directory>\etc
directory.
4. Once the SPD file is received, it can be loaded by the VPN Client software on the VPN
Client user's computer.
5. If the user does not have the VPN Client software, you can email both the SPD file and the
client software by clicking Email SPD File and VPN Client.
6. In SonicOS Standard only, VPN clients use RCF files to import data used to communicate
with SonicWALL appliances. To send an RCF File to an email address, enter the following
information:
Enter the email address in the Email Address field.
Enter and reenter the RCF File password in the RCF File Export Password and
Select whether the file will be used for WAN or wireless connections.
Select from the following:
To email the file with the Global VPN Client software, click Email RCF File and
Global VPN Client.
Note
Before the VPN client can be emailed to users, it must be downloaded to the
<gms_directory>\etc directory from mysonicwall.com.
Click the Console Panel tab at the top of the SonicWALL GMS UI.
2.
3. Click Login in a new window. This opens a new browser window into the GMS account on
mysonicwall.com.
4.
5.
6.
ARCFour: ARCFour is used for communications with secure Web sites using the SSL
protocol. Many banks use a 40-bit key ARCFour for online banking, while others use a
128-bit key. SonicWALL VPN uses a 56-bit key for ARCFour. ARCFour (RC4) is no longer
considered secure and is prohibited in TLS by RFC 7465; choose it only when the peer
supports nothing stronger.
The ARCFour key must be exactly 16 characters long and is composed of hexadecimal
characters. Valid hexadecimal characters are 0 to 9 and a to f (i.e., 0, 1, 2, 3, 4, 5,
6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.
Data Encryption Standard (DES): When DES is used for data communications, both
sender and receiver must know the same secret key, which can be used to encrypt and
decrypt the message, or to generate and verify a message authentication code. The
SonicWALL DES encryption algorithm uses a 56-bit key. A 56-bit key can be recovered
by exhaustive search with modest resources; prefer 3DES for manual-key SAs.
The DES Key must be exactly 16 characters long and is composed of hexadecimal
characters. Valid hexadecimal characters are 0 to 9, and a to f inclusive (0, 1, 2, 3,
4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.
Shared Secret: A shared secret is a predefined value that the two endpoints of a VPN
tunnel use to set up an IKE SA. This field can be any combination of alphanumeric
characters with a minimum length of 4 characters and a maximum of 128 characters. Use a
long, randomly generated secret; the 4-character minimum does not resist offline
guessing. Take precautions when delivering or exchanging the shared secret so that a
third party cannot compromise the security of the VPN tunnel.
Internet Key Exchange (IKE): IKE is a negotiation and key exchange protocol specified
by the Internet Engineering Task Force (IETF). An IKE SA automatically negotiates
encryption and authentication keys. With IKE, an initial exchange authenticates the VPN
session and automatically negotiates the keys that will be used to pass IP traffic.
Key: A key is a hexadecimal string that the encryption operation uses to transform
clear text into cipher text. Valid hexadecimal characters are 0 to 9 and a to f (0, 1, 2,
3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f); a valid key would be 1234567890abcdef. Keys used in
VPN communications vary in length but are typically 16 or 32 characters. The longer the
key, the more difficult the encryption is to break, because most attacks on a cipher come
down to trying every possible key, much like finding someone's telephone number by dialing
every possible number.
Manual Key: Manual keying allows the SonicWALL administrator to specify the encryption
and authentication keys. SonicWALL VPN supports the ability to manually set up a security
association as well as the ability to automatically negotiate an SA using IKE. Prefer IKE
where the peer supports it: manually keyed SAs never rekey, so the same key protects all
traffic for as long as the SA exists.
Security Parameter Index (SPI): The SPI is used to establish a VPN tunnel. The SPI is
transmitted from the remote VPN gateway to the local VPN gateway. The local VPN
gateway then uses the network, encryption, and key values that the administrator
associated with the SPI to establish the tunnel.
The SPI must be unique, is from one to eight characters long, and is composed of
hexadecimal characters. Valid hexadecimal characters are 0 to 9 and a to f (i.e., 0,
1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, valid SPIs would be 999 or 1234abcd.
Triple Data Encryption Standard (3DES): 3DES is the same as DES, except that it
applies three DES keys in succession and is significantly more secure. However, 3DES has
significantly higher processing requirements than DES.
The 3DES Key must be exactly 16 characters long and is composed of hexadecimal
characters. Valid hexadecimal characters are 0 to 9 and a to f inclusive (0, 1, 2, 3,
4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be 1234567890abcdef.
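The SPI and key rules stated in the Note on the Incoming SPI field and in the glossary entries above, checked in code before the values are pasted into the GMS form. This is an added example, not SonicWALL code: the SA dictionary layout and its field names are assumptions, and the key lengths are the ones the glossary states (16 hexadecimal characters for DES, ARCFour and 3DES). The sample SAs are constructed for illustration.

```python
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")

# Key lengths in hexadecimal characters, as stated in the glossary entries above.
KEY_HEX_LENGTHS = {"des": 16, "arcfour": 16, "3des": 16}

SPI_RESERVED_MAX = 0xFF      # SPI values 0 through ff are reserved by the IETF
SPI_MAX_HEX_CHARS = 8


def validate_hex_key(key, method):
    """Return the key in canonical lower-case form; raise ValueError if it is not
    exactly the number of hex characters the selected method requires."""
    want = KEY_HEX_LENGTHS[method]
    k = key.strip().lower()
    if len(k) != want or not HEX_RE.match(k):
        raise ValueError(f"{method} key must be exactly {want} hex characters (0-9, a-f)")
    return k


def validate_spi(spi):
    """Return the SPI as an integer; raise ValueError if it is not 1 to 8 hex
    characters or falls in the reserved range."""
    s = spi.strip().lower()
    if not 1 <= len(s) <= SPI_MAX_HEX_CHARS or not HEX_RE.match(s):
        raise ValueError("SPI must be 1 to 8 hex characters (0-9, a-f)")
    value = int(s, 16)
    if value <= SPI_RESERVED_MAX:
        raise ValueError("SPI values 0 through ff are reserved by the IETF")
    return value


def validate_shared_secret(secret):
    """4 to 128 alphanumeric characters, as the Shared Secret entry states."""
    if not 4 <= len(secret) <= 128 or not secret.isalnum():
        raise ValueError("shared secret must be 4 to 128 alphanumeric characters")
    return secret


def spi_is_valid(spi):
    try:
        validate_spi(spi)
        return True
    except ValueError:
        return False


def check_manual_sas(sas):
    """Check a list of manually keyed SAs (assumed dictionary layout: name, method,
    key, incoming_spi, outgoing_spi). Returns a list of problem strings. SPIs must be
    unique across SAs, but one SA's incoming and outgoing SPI may be equal."""
    problems = []
    owner_of = {}                       # SPI value -> name of the SA that uses it
    for sa in sas:
        name = sa["name"]
        try:
            validate_hex_key(sa["key"], sa["method"])
        except ValueError as err:
            problems.append(f"{name}: {err}")
        values = set()
        for field in ("incoming_spi", "outgoing_spi"):
            try:
                values.add(validate_spi(sa[field]))
            except ValueError as err:
                problems.append(f"{name}: {field}: {err}")
        for value in values:
            first = owner_of.setdefault(value, name)
            if first != name:
                problems.append(f"{name}: SPI {value:x} is already used by SA {first}")
    return problems


# Constructed SAs for illustration: branch-a is fine, branch-b reuses branch-a's SPI,
# branch-c has a short key and a reserved incoming SPI.
EXAMPLE_SAS = [
    {"name": "branch-a", "method": "3des", "key": "1234567890abcdef",
     "incoming_spi": "1234abcd", "outgoing_spi": "1234abcd"},
    {"name": "branch-b", "method": "des", "key": "fedcba0987654321",
     "incoming_spi": "999", "outgoing_spi": "1234abcd"},
    {"name": "branch-c", "method": "arcfour", "key": "abc",
     "incoming_spi": "ff", "outgoing_spi": "abcd"},
]

if __name__ == "__main__":
    for problem in check_manual_sas(EXAMPLE_SAS):
        print(problem)
```

Run it over the SA list you intend to push from GMS; an empty result means every key has the right length, no SPI is in the reserved range, and no two SAs share an SPI.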
The GOOD state is the desired response as it indicates the certificate has not been revoked.
The REVOKED state indicates that the certificate has been revoked. The UNKNOWN state
indicates the responder does not have information about the certificate in question.
OCSP servers typically work with a CA server in a push or pull arrangement. The CA server can
be configured to push a CRL (certificate revocation list) to the OCSP server, or the OCSP
server can be configured to periodically download (pull) the CRL from the CA server. The OCSP
server must also be configured with an OCSP response signing certificate issued by the CA
server. The signing certificate must be properly formatted or the OCSP client will not accept
the response from the OCSP server.
Note
For SonicOS to act as an OCSP client to a responder, the CA certificate must be loaded onto
the SonicWALL system.
1.
2. Specify the OCSP Responder URL of the OCSP server, for example
<http://192.168.168.220:2560> where 192.168.168.220 is the IP address of your OCSP
server and 2560 is the default port of operation for the OpenCA OCSP responder service.
CHAPTER 20
Configuring Firewall SSL VPN Settings
This chapter provides information on how to configure the SSL VPN features on the SonicWALL
SRA appliances. SonicWALLs SSL VPN features provide secure, seamless, remote access to
resources on your local network using the NetExtender client.
This chapter contains the following sections:
Benefits
NetExtender provides remote users with full access to your protected internal network. The
experience is virtually identical to that of using a traditional IPSec VPN client, but NetExtender
does not require any manual client installation. Instead, the NetExtender Windows client is
automatically installed on a remote user's PC by an ActiveX control when using the Internet
Explorer browser, or with the XPCOM plugin when using Firefox. On MacOS systems,
supported browsers use Java controls to automatically install NetExtender from the Virtual
Office portal. Linux systems can also install and use the NetExtender client.
After installation, NetExtender automatically launches and connects a virtual adapter for secure
SSL VPN point-to-point access to permitted hosts and subnets on the internal network.
NetExtender Concepts
The following sections describe advanced NetExtender concepts:
Stand-Alone Client
NetExtender is a browser-installed lightweight application that provides comprehensive
remote access without requiring users to manually download and install the application. The
first time a user launches NetExtender, the NetExtender stand-alone client is automatically
installed on the user's PC or Mac. The installer creates a profile based on the user's login
information. The installer window then closes and automatically launches NetExtender. If
the user has a legacy version of NetExtender installed, the installer first uninstalls the old
NetExtender and installs the new version.
Once the NetExtender stand-alone client has been installed, Windows users can launch
NetExtender from their PC's Start > Programs menu and configure NetExtender to launch
when Windows boots. Mac users can launch NetExtender from their system Applications folder,
or drag the icon to the dock for quick access. On Linux systems, the installer creates a desktop
shortcut in /usr/share/NetExtender. This can be dragged to the shortcut bar in environments
like Gnome and KDE.
Client Routes
NetExtender client routes are used to allow and deny access for SSL VPN users to various
network resources. Address objects are used to easily and dynamically configure access to
network resources.
In Tunnel All mode, NetExtender adds the following client routes. Together they cover the
entire IPv4 address space, and the two 128.0.0.0 entries are more specific than the
client's existing default route, so they take precedence over it:
Destination      Subnet mask
0.0.0.0          0.0.0.0
0.0.0.0          128.0.0.0
128.0.0.0        128.0.0.0
NetExtender also adds routes for the local networks of all connected Network Connections.
These routes are given precedence over any existing routes (a more preferred route metric) to
force traffic destined for the local network over the SSL VPN tunnel instead. For example, if a
remote user has the IP address 10.0.67.64 on the 10.0.*.* network, the route
10.0.0.0/255.255.0.0 is added to route traffic through the SSL VPN tunnel.
Tunnel All mode is configured on the SSL VPN > Client Routes page.
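Why the 128.0.0.0 routes and the local-network route force traffic into the tunnel, as an added example that is not from the SonicWALL documentation: a longest-prefix-match lookup over a constructed client routing table before and after NetExtender connects. The interface names, metrics, the gateway address and the host route that keeps the SSL VPN gateway itself reachable through the physical interface are assumptions for illustration.

```python
import ipaddress

# A route is (destination, subnet mask, outgoing interface, metric).
# Metric only decides between routes of the same prefix length.


def select_route(dst_ip, routes):
    """Longest-prefix match with metric as tie-breaker. Returns the interface name."""
    ip = ipaddress.IPv4Address(dst_ip)
    best_key, best_iface = None, None
    for dest, mask, iface, metric in routes:
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        if ip in network:
            key = (network.prefixlen, -metric)   # longer prefix first, then lower metric
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    return best_iface


def tunnel_all_routes(vpn_iface, metric=1):
    """The three routes from the table above, installed on the NetExtender adapter."""
    return [
        ("0.0.0.0", "0.0.0.0", vpn_iface, metric),
        ("0.0.0.0", "128.0.0.0", vpn_iface, metric),      # 0.0.0.0/1: lower half
        ("128.0.0.0", "128.0.0.0", vpn_iface, metric),    # 128.0.0.0/1: upper half
    ]


def routes_after_connect(before, vpn_iface, gateway_ip, local_nets, metric=1):
    """Routing table after NetExtender connects in Tunnel All mode."""
    after = list(before)
    # Assumption: the client keeps a host route to the SSL VPN gateway over the
    # physical interface so the tunnel's own packets are not routed into the tunnel.
    phys_iface = select_route(gateway_ip, before)
    after.append((gateway_ip, "255.255.255.255", phys_iface, 1))
    after += tunnel_all_routes(vpn_iface, metric)
    # Local networks of connected adapters are re-routed over the tunnel with a
    # preferred metric (the 10.0.0.0/255.255.0.0 example in the text).
    for dest, mask in local_nets:
        after.append((dest, mask, vpn_iface, metric))
    return after


# Constructed example: a laptop on 10.0.0.0/16 with a default route via its LAN adapter.
BEFORE = [
    ("0.0.0.0", "0.0.0.0", "lan", 25),
    ("10.0.0.0", "255.255.0.0", "lan", 25),
]
SSLVPN_GATEWAY = "203.0.113.5"   # assumed SRA appliance address (documentation range)
AFTER = routes_after_connect(BEFORE, "netextender", SSLVPN_GATEWAY,
                             [("10.0.0.0", "255.255.0.0")])

if __name__ == "__main__":
    for dst in ("8.8.8.8", "198.51.100.10", "10.0.5.9", SSLVPN_GATEWAY):
        print(dst, "before:", select_route(dst, BEFORE), "after:", select_route(dst, AFTER))
```

The two /1 routes win against the client's /0 default route on prefix length alone, so no metric manipulation of the existing default route is needed; the local-network route wins on metric because it has the same /16 length as the adapter's own route.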
Connection Scripts
SonicWALL SSL VPN provides users with the ability to run batch file scripts when
NetExtender connects and disconnects. The scripts can be used to map or disconnect
network drives and printers, launch applications, or open files or Web sites. NetExtender
Connection Scripts can support any valid batch file commands.
Proxy Configuration
SonicWALL SSL VPN supports NetExtender sessions using proxy configurations. Currently,
only HTTPS proxy is supported. When launching NetExtender from the Web portal, if your
browser is already configured for proxy access, NetExtender automatically inherits the proxy
settings. The proxy settings can also be manually configured in the NetExtender client
preferences. NetExtender can automatically detect proxy settings for proxy servers that support
the Web Proxy Auto Discovery (WPAD) Protocol.
NetExtender provides three options for configuring proxy settings:
Automatically detect settings - To use this setting, the proxy server must support the Web
Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the
client automatically.
Use automatic configuration script - If you know the location of the proxy settings script,
you can select this option and provide the URL of the script.
Use proxy server - You can use this option to specify the IP address and port of the proxy
server. Optionally, you can enter an IP address or domain in the Bypass Proxy field to allow
direct connections to those addresses and bypass the proxy server. If required, you can
enter a user name and password for the proxy server. If the proxy server requires a
username and password, but you do not specify them, a NetExtender pop-up window will
prompt you to enter them when you first connect.
When NetExtender connects using proxy settings, it establishes an HTTPS connection to the
proxy server instead of connecting to the SonicWALL security appliance directly. The
proxy server then forwards traffic to the SSL VPN server. All traffic is encrypted by SSL with the
certificate negotiated by NetExtender; the proxy server has no knowledge of it and sees only
the encrypted stream. The connecting process is identical for proxy and non-proxy users.
The following options can be configured on the SSL VPN > Server Settings page.
SSL VPN Status on Zones: This displays the SSL VPN Access status on each Zone.
Green indicates active SSL VPN status, while red indicates inactive SSL VPN status. To
enable or disable SSL VPN access on a zone, click on the Network > Zones link to jump to
the Edit Zone window.
SSL VPN Port: Set the SSL VPN port for the appliance. The default is 4433.
Certificate Selection: Select the certificate that will be used to authenticate SSL VPN
users. All imported local certificates are available to be selected in the pull-down menu. To
manage certificates, go to the System > Certificates page.
Note
The Certificate Selection option is only available at the unit level, not at the group
level.
Enable Server Cipher Preference: Select this checkbox to configure a preferred cipher
method. The available ciphers are RC4_MD5, 3DES_SHA1, and AES256_SHA1. Prefer
AES256_SHA1: RC4 is prohibited in TLS by RFC 7465, and 3DES offers far less security
margin than AES.
RADIUS User Settings: This option is only available when either RADIUS or LDAP is
configured to authenticate SSL VPN users. Select the Use RADIUS in checkbox to have
RADIUS use MSCHAP (or MSCHAPv2) mode. Enabling MSCHAP-mode RADIUS will allow
users to change expired passwords at login time.
In LDAP, password updates can only be done when using either Novell eDirectory or Active
Directory with TLS and binding to it using an administrative account. If LDAP is not configured
as such, password updates for SSL VPN users will be performed using MSCHAP-mode
RADIUS, after using LDAP to authenticate the user.
Note
RADIUS must be enabled on the Users > RADIUS page. Click the link at the bottom
of the SSL VPN > Server Settings page to go to Users > RADIUS to modify the
configuration.
The following settings configure the appearance of the Virtual Office portal:
Portal Site Title - The text displayed in the top title of the web browser.
Portal Banner Title - The text displayed next to the logo at the top of the page.
Home Page Message - The HTML code that is displayed above the NetExtender icon.
Login Message - The HTML code that is displayed when users are prompted to log in to
the Virtual Office.
Example Template - Resets the Home Page Message and Login Message fields to the
default example template.
The following options customize the functionality of the Virtual Office portal:
Launch NetExtender after login - Automatically launches NetExtender after a user logs in.
Display Import Certificate Button - Displays an Import Certificate button on the Virtual
Office page. This initiates the process of importing the SonicWALL security appliance's
self-signed certificate onto the web browser. This option only applies to the Internet
Explorer browser on PCs running Windows 2000 or Windows XP.
Enable HTTP meta tags for cache control - Inserts HTTP tags into the browser that
instruct the web browser not to cache the Virtual Office page. SonicWALL recommends
enabling this option.
The Customized Logo field is used to display a logo other than the SonicWALL logo at the top
of the Virtual Office portal. Enter the URL of the logo in the Customized Logo field. The logo
must be in GIF format of size 155 x 36, and a transparent or light background is recommended.
The following tasks are configured on the SSL VPN > Client Settings page:
Configuring the SSL VPN Client Address Range section on page 513
SSL VPN Access can also be configured on the Network > Zones page by clicking the
configure icon for the zone.
Note
WAN management must be enabled on the zone to terminate SSL VPN sessions. Even
though the zone has SSL VPN enabled, if the management interface is disabled, SSL VPN
will not work correctly.
Note
The range must fall within the same subnet as the interface to which the SRA appliance is
connected, and in cases where there are other hosts on the same segment as the SRA
appliance, it must not overlap or collide with any assigned addresses.
To configure the SSL VPN Client Address Range, perform the following steps:
Step 1
Step 2 In the NetExtender Start IP field, enter the first IP address in the client address range.
Step 3 In the NetExtender End IP field, enter the last IP address in the client address range.
Step 4 In the DNS Server 1 field, enter the IP address of the primary DNS server, or click Default
DNS Settings to use the default settings.
Step 5 (Optional) In the DNS Server 2 field, enter the IP address of the backup DNS server.
Step 6 (Optional) In the DNS Domain field, enter the domain name for the DNS servers.
Step 7 In the User Domain field, enter the domain name for the users. The value of this field must
match the domain field in the NetExtender client.
Step 8 (Optional) In the WINS Server 1 field, enter the IP address of the primary WINS server.
Step 9 (Optional) In the WINS Server 2 field, enter the IP address of the backup WINS server.
Step 10 In the Interface pull-down menu, select the interface to be used for SSL VPN services.
Note
The IP address range must be on the same subnet as the interface used for SSL VPN
services.
Step 11 Click the Zone name at the top of the page to enable SSL VPN access on it with these settings.
The indicator should be green for the Zone you want to enable.
Default Session Timeout (minutes) - The default timeout value for client inactivity, after
which the client's session is terminated.
Enable NetBIOS Over SSLVPN - Allows NetExtender clients to broadcast NetBIOS to the
SSL VPN subnet.
Enable Client Autoupdate - The NetExtender client checks for updates every time it is
launched.
Exit Client After Disconnect - The NetExtender client exits when it becomes disconnected
from the SSL VPN server. To reconnect, users will have to either return to the SSL VPN
portal or launch NetExtender from their Programs menu.
Uninstall Client After Disconnect - The NetExtender client automatically uninstalls when
it becomes disconnected from the SSL VPN server. To reconnect, users will have to return
to the SSL VPN portal.
Create Client Connection Profile - The NetExtender client will create a connection profile
recording the SSL VPN Server name, the Domain name and optionally the username and
password.
Communication Between Clients - Enables NetExtender clients that are connected to the
same server to communicate.
User Name & Password Caching - Provides flexibility in allowing users to cache their
usernames and passwords in the NetExtender client. The three options are Allow saving
of user name only, Allow saving of user name & password, and Prohibit saving of
user name & password. These options enable administrators to balance security needs
against ease of use for users; a cached password on a lost or shared laptop gives whoever
holds it the user's VPN access, so Prohibit saving of user name & password is the safest
choice.
The following tasks are configured on the SSL VPN > Client Routes page:
CHAPTER 21
Configuring Firewall DPI-SSL Settings
This chapter describes the Deep Packet Inspection Secure Socket Layer (DPI-SSL) feature to
allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. Client DPI-SSL is
used to inspect HTTPS traffic when clients on the SonicWALL firewall appliances LAN access
content located on the WAN. Server DPI-SSL is used to inspect HTTPS traffic when remote clients
connect over the WAN to access content located on the SonicWALL firewall appliances LAN.
This chapter contains the following subsections:
DPI-SSL Overview
This section provides an introduction to the SonicOS Enhanced DPI-SSL feature as managed
within GMS. Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALLs
Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and
other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and
then re-encrypted and sent along to its destination if no threats or vulnerabilities are found.
DPI-SSL provides additional security, application control, and data leakage prevention for
analyzing encrypted HTTPS and other SSL-based traffic.
The following security services and features are capable of utilizing DPI-SSL:
Gateway Anti-Virus
Gateway Anti-Spyware
Intrusion Prevention
Content Filtering
Application Firewall
Packet Capture
Packet Mirror
Client DPI-SSL: Used to inspect HTTPS traffic when clients on the SonicWALL security
appliances LAN access content located on the WAN.
Server DPI-SSL: Used to inspect HTTPS traffic when remote clients connect over the WAN
to access content located on the SonicWALL security appliances LAN.
1.
2. The DPI-SSL Status section displays the status of the DPI-SSL license for the appliance.
3.
4. Select which of the following services to perform inspection with: Intrusion Prevention,
Gateway Anti-Virus, Gateway Anti-Spyware, Application Firewall, and Content Filter.
5. Click Update.
2.
3. Select the Import a local end-user certificate with private key from a PKCS#12 (.p12
or .pfx) encoded file option.
4.
After the certificate has been imported, you must configure it on the Client DPI-SSL page:
1.
2. Scroll down to the Certificate Re-Signing Authority section and select the certificate from
the pull-down menu.
3. Click Update.
For help with creating PKCS-12 formatted files, see Creating PKCS-12 Formatted Certificate
File on page 521. Protect the private key of the re-signing certificate: anyone who holds it can
impersonate any HTTPS site to every client that trusts the re-signing CA.
The Inclusion/Exclusion section of the Client SSL page contains three options for specifying
the inclusion list:
On the Address Object/Group line, select an address object or group from the Exclude
pull-down menu to exempt it from DPI-SSL inspection.
On the Service Object/Group line, select a service object or group from the Exclude
pull-down menu to exempt it from DPI-SSL inspection.
On the User Object/Group line, select a user object or group from the Exclude pull-down
menu to exempt it from DPI-SSL inspection.
The Include pull-down menu can be used to fine tune the specified exclusion list. For
example, selecting the Remote-office-California address object in the Exclude
pull-down and the Remote-office-Oakland address object in the Include pull-down exempts
the California remote office from inspection except for the Oakland office, which is inspected.
The Common Name Exclusions section is used to add domain names to the exclusion
list. To add a domain name, type it in the text box and click Add.
Internet Explorer: Go to Tools > Internet Options, click the Content tab and click
Certificates. Click the Trusted Root Certification Authorities tab and click Import. The
Certificate Import Wizard will guide you through importing the certificate.
Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click
View Certificates, select the Authorities tab, and click Import. Select the certificate file,
make sure the Trust this CA to identify websites check box is selected, and click OK.
Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then
click OK. Enter the system username and password and click OK.
Private key (typically a file with .key extension or the word key in the filename)
Certificate with a public key (typically a file with .crt extension or the word cert as part of
filename).
For example, Apache HTTP server on Linux has its private key and certificate in the following
locations:
/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/server.crt
In this example out.p12 becomes the PKCS-12 formatted certificate file, and server.key and
server.crt are the PEM formatted private key and certificate file respectively.
After the command runs, you are prompted for a password to protect (encrypt) the file. After
the password is chosen, the creation of the PKCS-12 formatted certificate file is complete
and it can be imported into the SonicWALL firewall appliance.
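The openssl invocation itself is not reproduced on this page. The following added example (not SonicWALL's or OpenSSL's code) wraps it in a Python script that first checks that the two inputs really are a PEM private key and a PEM certificate, which is the usual cause of a failed export when the files are passed the wrong way round, and then builds and runs the openssl pkcs12 -export command line. The sample PEM fragments are constructed and contain no real key material; the friendly name and the optional -certfile chain argument are assumptions.

```python
import re
import shutil
import subprocess
from pathlib import Path

PEM_HEADER = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def pem_kind(pem_text):
    """Classify a PEM file by its first BEGIN header: 'key', 'cert' or 'other'."""
    m = PEM_HEADER.search(pem_text)
    if not m:
        return "other"
    label = m.group(1)
    if label.endswith("PRIVATE KEY"):   # RSA/EC PRIVATE KEY, PKCS#8 (ENCRYPTED) PRIVATE KEY
        return "key"
    if label == "CERTIFICATE":
        return "cert"
    return "other"                      # e.g. CERTIFICATE REQUEST, PUBLIC KEY


def pkcs12_export_argv(key_path, cert_path, out_path, friendly_name="dpi-ssl", chain_path=None):
    """Build the openssl command line. openssl prompts interactively for the export
    password; that password is the one entered again when the .p12 is imported."""
    argv = ["openssl", "pkcs12", "-export",
            "-inkey", str(key_path), "-in", str(cert_path),
            "-out", str(out_path), "-name", friendly_name]
    if chain_path is not None:
        argv += ["-certfile", str(chain_path)]   # intermediate CAs, if the certificate has any
    return argv


def export_pkcs12(key_path, cert_path, out_path, chain_path=None):
    """Validate the inputs, then run openssl. Returns the output path."""
    if pem_kind(Path(key_path).read_text()) != "key":
        raise ValueError(f"{key_path} does not contain a PEM private key")
    if pem_kind(Path(cert_path).read_text()) != "cert":
        raise ValueError(f"{cert_path} does not contain a PEM certificate")
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    subprocess.run(pkcs12_export_argv(key_path, cert_path, out_path, chain_path=chain_path),
                   check=True)
    return Path(out_path)


# Constructed PEM fragments (not real key material) showing what pem_kind inspects.
SAMPLE_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n"
                  "-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\nMIID...constructed...\n"
                   "-----END CERTIFICATE-----\n")
SAMPLE_CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\nMIIC...constructed...\n"
                  "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(pem_kind(SAMPLE_KEY_PEM), pem_kind(SAMPLE_CERT_PEM), pem_kind(SAMPLE_CSR_PEM))
    print(" ".join(pkcs12_export_argv("/etc/httpd/conf/ssl.key/server.key",
                                      "/etc/httpd/conf/ssl.crt/server.crt", "out.p12")))
```

For Server DPI-SSL, pass the origin server's intermediate chain as chain_path so the appliance can present a complete chain; for the Client DPI-SSL re-signing CA, the .p12 carries the CA's private key, so delete the file once it has been imported.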
Content Filtering
To perform SonicWALL Content Filtering on HTTPS and SSL-based traffic using DPI-SSL,
perform the following steps:
1.
2. Select the Enable SSL Inspection checkbox and the Content Filter checkbox.
3. Click Update.
4. Navigate to the Website Blocking > CFS Filter List page and click the Configure button.
5.
6.
7. Click Update.
8. Navigate to a blocked site using the HTTPS protocol to verify that it is properly blocked.
For content filtering over DPI-SSL, the first time HTTPS access is blocked, a blank page is
displayed. If the page is refreshed, the user sees the SonicWALL block page.
Application Firewall
Note
Application Firewall is supported for appliances running SonicOS 5.8 and higher.
Enable Application Firewall checkbox on the Client DPI-SSL screen and enable Application
Firewall on the Application Firewall > Policies screen.
1.
2. Select the Enable SSL Inspection checkbox and the Application Firewall checkbox.
3. Click Update.
4.
5.
6.
7.
8. Access any website using the HTTPS protocol with Internet Explorer and verify that it is
blocked.
DPI-SSL also supports Application Level Bandwidth Management over SSL tunnels.
Application Firewall HTTP bandwidth management policies also apply to content that is
accessed over HTTPS when DPI-SSL is enabled for Application Firewall.
In this deployment scenario the owner of the SonicWALL firewall appliance owns the
certificates and private keys of the origin content servers. The administrator must import each
server's original certificate and private key onto the SonicWALL firewall appliance and create
the appropriate server IP address to server certificate mappings in the Server DPI-SSL UI.
The following sections describe how to configure Server DPI-SSL:
1.
2. The DPI-SSL Status section displays the status of the DPI-SSL license for the appliance.
3.
4. Select which of the following services to perform inspection with: Intrusion Prevention,
Gateway Anti-Virus, Gateway Anti-Spyware, and Application Firewall.
5. Click Update.
6. Scroll down to the SSL Servers section to configure the server or servers to which DPI-SSL
inspection will be applied. See Configuring Server-to-Certificate Pairings on page 524.
The Inclusion/Exclusion section of the Server SSL page contains two options for specifying
the inclusion list:
On the Address Object/Group line, select an address object or group from the Exclude
pull-down menu to exempt it from DPI-SSL inspection.
On the User Object/Group line, select a user object or group from the Exclude pull-down
menu to exempt it from DPI-SSL inspection.
Note
The Include pull-down menu can be used to fine tune the specified exclusion list.
For example, selecting the Remote-office-California address object in the
Exclude pull-down and the Remote-office-Oakland address object in the Include
pull-down exempts the California remote office from inspection except for the Oakland
office, which is inspected.
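The Include/Exclude evaluation described for the Client SSL page (address, service and user objects plus Common Name Exclusions) and again here for the Server SSL page (address and user objects), worked through in code. This is an added example, not SonicOS logic: it assumes that an Include entry re-enables inspection for the part of an Exclude entry it matches, as the California/Oakland example reads; that common-name entries match the server certificate's CN exactly or as a parent domain; and that common-name exclusions take precedence over the object checks. The policy, address objects and flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DpiSslExclusions:
    """Exclude/Include selections from the Inclusion/Exclusion section.
    Address entries are CIDR strings, services are (protocol, port) pairs,
    users are user or group names, cn_exclusions are domain names."""
    exclude_addresses: list = field(default_factory=list)
    include_addresses: list = field(default_factory=list)
    exclude_services: set = field(default_factory=set)
    include_services: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    include_users: set = field(default_factory=set)
    cn_exclusions: list = field(default_factory=list)


def address_matches(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def user_matches(identities, names):
    # identities: the user name plus every group the user belongs to
    return bool(identities & names)


def cn_excluded(server_cn, cn_exclusions):
    """Assumption: an entry matches the certificate CN exactly or as a parent domain."""
    cn = server_cn.lower()
    if cn.startswith("*."):              # wildcard certificate
        cn = cn[2:]
    for entry in cn_exclusions:
        e = entry.lower()
        if cn == e or cn.endswith("." + e):
            return True
    return False


def should_inspect(flow, policy):
    """Return (inspect, reason) for one SSL flow. An Exclude match is cancelled by
    an Include match of the same kind (assumption drawn from the California/Oakland
    example); a common-name exclusion is final."""
    if cn_excluded(flow["server_cn"], policy.cn_exclusions):
        return False, "common-name exclusion"
    checks = [
        ("address",
         address_matches(flow["address"], policy.exclude_addresses),
         address_matches(flow["address"], policy.include_addresses)),
        ("service",
         flow["service"] in policy.exclude_services,
         flow["service"] in policy.include_services),
        ("user",
         user_matches(flow["identities"], policy.exclude_users),
         user_matches(flow["identities"], policy.include_users)),
    ]
    for kind, excluded, included in checks:
        if excluded and not included:
            return False, f"{kind} exclusion"
    return True, "inspected"


# Constructed policy and flows for illustration.
POLICY = DpiSslExclusions(
    exclude_addresses=["10.20.0.0/16"],          # Remote-office-California
    include_addresses=["10.20.5.0/24"],          # Remote-office-Oakland
    exclude_services={("tcp", 993)},             # IMAPS is left alone
    exclude_users={"Finance"},                   # group excluded ...
    include_users={"alice"},                     # ... except this member
    cn_exclusions=["bank.example"],
)
FLOWS = {
    "fresno-web":    {"address": "10.20.7.3",  "service": ("tcp", 443),
                      "identities": {"bob", "Sales"}, "server_cn": "www.example.net"},
    "oakland-web":   {"address": "10.20.5.9",  "service": ("tcp", 443),
                      "identities": {"bob", "Sales"}, "server_cn": "www.example.net"},
    "hq-bank":       {"address": "192.0.2.10", "service": ("tcp", 443),
                      "identities": {"bob", "Sales"}, "server_cn": "online.bank.example"},
    "hq-imaps":      {"address": "192.0.2.10", "service": ("tcp", 993),
                      "identities": {"bob", "Sales"}, "server_cn": "mail.example.net"},
    "finance-carol": {"address": "192.0.2.11", "service": ("tcp", 443),
                      "identities": {"carol", "Finance"}, "server_cn": "www.example.net"},
    "finance-alice": {"address": "192.0.2.12", "service": ("tcp", 443),
                      "identities": {"alice", "Finance"}, "server_cn": "www.example.net"},
}


def evaluate_all(policy=POLICY, flows=FLOWS):
    return {name: should_inspect(flow, policy) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (inspect, reason) in evaluate_all().items():
        print(f"{name:14} {'inspect' if inspect else 'bypass ':8} {reason}")
```

Before enabling DPI-SSL broadly, run your intended exclusion list against a sample of real flows this way; a common-name exclusion that is too broad (a bare TLD, for instance) silently exempts far more than intended.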
Navigate to the DPI-SSL > Server SSL page and scroll down to the SSL Servers section.
The SSL Servers section is available only at the unit level, not at the group level.
2.
3. In the Address Object/Group pull-down menu, select the address object or group for the
server or servers that you want to apply DPI-SSL inspection to.
4. In the SSL Certificate pull-down menu, select the certificate that will be used to sign the
traffic for the server. For more information on importing a new certificate to the appliance,
see Selecting the Re-Signing Certificate Authority on page 519. For information on
creating a certificate, see Creating PKCS-12 Formatted Certificate File on page 521.
5. Select the Cleartext checkbox to enable SSL offloading. See SSL Offloading on page 525
for more information.
6. Click Add.
SSL Offloading
When adding server-to-certificate pairs, a cleartext option is available. This option indicates
that the portion of the TCP connection between the SonicWALL firewall appliance and the local
server will be in the clear without SSL layer, thus allowing SSL processing to be offloaded from
the server by the appliance.
Note that for this configuration to work, a NAT policy must be created on the Network > NAT
Policies page to map traffic destined for the offload server from an SSL port to a non-SSL
port. For example, for HTTPS traffic with SSL offloading, an inbound NAT policy remapping
traffic from port 443 to port 80 must be created. Because the leg between the appliance and
the server then carries the traffic unencrypted, keep that segment on a network you trust.
CHAPTER 22
Configuring Firewall Security Services
SonicWALL security appliances offer several services for protecting networks against viruses
and attacks. This chapter provides concept overviews and configuration tasks for deploying
these services.
This chapter contains the following sections:
2.
3.
4. In the Proxy Server Name or IP Address field, enter the hostname or IP address of the
proxy server.
5. In the Proxy Server Port field, enter the port number used to connect to the proxy server.
6. Select the This Proxy Server requires Authentication checkbox if the proxy server
requires a username and password.
Anti-Virus Settings
To configure Anti-Virus settings for one or more SonicWALL appliances, follow these steps:
1.
2. Expand the Security Services tree and click AV Configure. The AV Configure page
appears.
3. Select the Enable Anti-Virus Client Automated Installation, Updates and Enforcement
check box.
4. To enforce Anti-Virus protection on the DMZ port or HomePort (if available), select the
Enable DMZ/HomePort/WLAN/OPT Policing check box.
5. To disable policing from the LAN to the DMZ, select the Disable policing from
LAN/WorkPort to DMZ/HomePort/WLAN/OPT check box.
6. To configure the SonicWALL appliance(s) to only check for updates once a day, select the
Reduce AV Traffic for ISDN connections check box. This is useful for low bandwidth
connections or connections that are not always on.
7. SonicWALL GMS automatically downloads the latest virus definition files. To configure the
maximum number of days that can pass before SonicWALL GMS downloads the latest files,
select the number of days from the Maximum Days Allowed Before Forcing Update list
box.
8. Significant virus events can occur without warning (e.g., Melissa, ILOVEYOU, and others).
When these occur, SonicWALL GMS can be configured to block network traffic until the
latest virus definition files are downloaded. To configure this feature, determine which types
of events will require updating. Then, select the Low Risk, Medium Risk, or High Risk
check boxes.
Exempt Computers
The Exempt Computers section allows the GMS administrator to specify address ranges which
should be explicitly included or excluded in Anti-Virus enforcement.
1. Select the Enforce Anti-Virus policies for all computers radio button to enforce Anti-Virus policies across your entire network. Selecting this option forces computers to install VirusScan ASaP in order to access the Internet or the DMZ. This is the default configuration.
2. Select the Include specific address ranges in the Anti-Virus enforcement radio button to force a specified range of addresses to adhere to Anti-Virus enforcement. Choosing this option allows the administrator to define ranges of IP addresses that receive Anti-Virus enforcement. If you select this option, specify a range of IP addresses to be enforced. Any computer requiring enforcement needs a static IP address within the specified range of IP addresses. Up to 64 IP address ranges can be entered for enforcement.
3. Select the Exclude specific address ranges in the Anti-Virus enforcement radio button to exempt a specified range of addresses from Anti-Virus enforcement. Selecting this option allows the administrator to define ranges of IP addresses that are exempt from Anti-Virus enforcement. If you select this option, specify the range of IP addresses that are exempt. Any computer requiring unrestricted Internet access needs a static IP address within the specified range of IP addresses. Up to 64 IP address ranges can be entered.
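The three Exempt Computers modes above decide, per host, whether the Anti-Virus client is required before Internet or DMZ access is granted. The following is an added example, not code from the guide or from SonicWALL, that models that decision so the effect of the include and exclude modes on a given address can be checked before the policy is pushed to appliances. The class name AntiVirusEnforcement, the mode strings and the sample ranges are assumptions made for the example; the 64-range limit is the one the guide states.

```python
import ipaddress

MAX_RANGES = 64  # the guide states that up to 64 IP address ranges can be entered


class AntiVirusEnforcement:
    """Hypothetical model of the Exempt Computers setting.

    mode:   "all"     - enforce on every computer (the default)
            "include" - enforce only on hosts inside the listed ranges
            "exclude" - enforce on every host except those inside the ranges
    ranges: inclusive (first, last) IPv4 address pairs, as entered in the GUI
    """

    def __init__(self, mode, ranges=()):
        if mode not in ("all", "include", "exclude"):
            raise ValueError("mode must be 'all', 'include' or 'exclude'")
        if len(ranges) > MAX_RANGES:
            raise ValueError(f"at most {MAX_RANGES} address ranges are allowed")
        self.mode = mode
        self.ranges = []
        for first, last in ranges:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            if lo > hi:
                raise ValueError(f"range start {first} is after its end {last}")
            self.ranges.append((lo, hi))

    def _in_ranges(self, ip):
        return any(lo <= ip <= hi for lo, hi in self.ranges)

    def requires_client(self, host):
        """True when the host must have the Anti-Virus client installed."""
        ip = ipaddress.IPv4Address(host)
        if self.mode == "all":
            return True
        if self.mode == "include":
            return self._in_ranges(ip)
        return not self._in_ranges(ip)  # exclude mode


if __name__ == "__main__":
    # constructed sample range: one /24 of statically addressed workstations
    policy = AntiVirusEnforcement("include", [("10.0.1.0", "10.0.1.255")])
    for host in ("10.0.1.7", "10.0.2.1"):
        print(host, "enforced" if policy.requires_client(host) else "not enforced")
```

Because enforcement is matched on source address, the guide's note that enforced or exempt computers need a static address is the important operational caveat: a host that moves to a DHCP lease outside the listed ranges silently changes category.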
Email Filtering
During an outbreak, Email filtering allows for preemptive blocking of known filenames and
newly discovered viruses before the Anti-Virus signature (DAT) files are actually available.
This feature also provides full filename blocking of virus files, allowing SonicWALL to block only
malicious attachments, while enabling all other attachments through. For example, during a
virus outbreak, only the virus file is blocked while other productive files (such as Word
documents and Excel spreadsheets) are allowed through.
To configure email filter settings for one or more SonicWALL appliances, follow these steps:
1.
2. Expand the Security Services tree and click EMail Filter. The EMail Filter screen displays.
To enable infected email attachment blocking on inbound SMTP and POP3 Email protocols, select the Enable Email Attachment Filtering Alert Service check box. Only files that were discovered to be infected will be blocked. If a message contains uninfected attachments, those will be forwarded to the recipient.
To specify file extensions to filter, select the Enable Email Attachment Filtering of Forbidden File Extensions checkbox.
If choosing to specify forbidden file extensions, enter the file extensions (one at a time) in the Forbidden File Extensions box and click the Add button. Remove extensions from the list by selecting the checkbox to the left of the file extension and clicking the Update button at the bottom of the page.
Select the Disable the forbidden file by altering the file extension and attach warning text radio button to alter the file extension by replacing the third character of the file extension with _. If the email attachment is a valid file, the message recipient may return the attachment to its original file extension without damaging the file.
Select Delete forbidden file and attach warning text to remove the forbidden file from the Email message entirely and attach warning text to the message.
In the Warning Message Text field (maximum 256 characters), enter the text you wish to attach to messages containing forbidden files.
Note: Only infected files will be blocked. If a message contains uninfected attachments, those will be forwarded to the recipient.
Email Blocking
This option allows the administrator to block fragments of Email messages.
When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
The SonicWALL appliance will block viruses that are discovered by the virus signature files and filenames that are known to be infected during an outbreak.
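The forbidden-extension filter described above has two actions: rename the attachment by replacing the third character of its extension with an underscore, or delete it, in both cases appending the warning text. As an added example (not code from the guide or from SonicWALL), the function below applies that policy to a constructed message so the two actions and the 256-character limit on the warning text can be seen on real inputs. The function names, the attachment tuple layout and the sample file names are assumptions made for the example.

```python
import os

WARNING_MAX = 256  # the Warning Message Text field accepts at most 256 characters


def disable_extension(filename):
    """Replace the third character of the extension with '_' (virus.exe -> virus.ex_).

    Extensions shorter than three characters have no third character and are
    returned unchanged.
    """
    stem, ext = os.path.splitext(filename)
    if len(ext) < 4:  # ext includes the leading dot, so ".exe" has length 4
        return filename
    return stem + ext[:3] + "_" + ext[4:]


def filter_attachments(attachments, forbidden_extensions, action, warning):
    """Apply the forbidden file extension policy to one message's attachments.

    attachments:          list of (filename, data) pairs
    forbidden_extensions: extensions entered in the Forbidden File Extensions box
    action:               "disable" (rename) or "delete" (drop the attachment)
    warning:              the Warning Message Text
    Returns (surviving attachments, warning text to attach or "" if nothing matched).
    """
    if action not in ("disable", "delete"):
        raise ValueError("action must be 'disable' or 'delete'")
    if len(warning) > WARNING_MAX:
        raise ValueError(f"warning text exceeds {WARNING_MAX} characters")
    forbidden = {e.lower().lstrip(".") for e in forbidden_extensions}
    kept, matched = [], False
    for name, data in attachments:
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        if ext in forbidden:
            matched = True
            if action == "disable":
                kept.append((disable_extension(name), data))
            # "delete": the attachment is dropped entirely
        else:
            kept.append((name, data))
    return kept, (warning if matched else "")


# constructed sample message: two ordinary documents and one forbidden executable
SAMPLE_ATTACHMENTS = [
    ("report.docx", b"<docx bytes>"),
    ("invoice.exe", b"<exe bytes>"),
    ("readme.txt", b"plain text"),
]
SAMPLE_FORBIDDEN = ["exe", ".vbs"]
SAMPLE_WARNING = "An attachment was blocked by the email filter policy."

if __name__ == "__main__":
    for action in ("disable", "delete"):
        kept, text = filter_attachments(SAMPLE_ATTACHMENTS, SAMPLE_FORBIDDEN, action, SAMPLE_WARNING)
        print(action, [name for name, _ in kept], repr(text))
```

The rename action is what lets a recipient recover a legitimate file that was caught only by its extension; the delete action is the safer choice during an outbreak, which is the scenario the section describes.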
Overview of IPS
SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, Email, file transfer, Windows services and DNS. SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans, peer-to-peer, spyware and backdoor exploits. The extensible signature language used in SonicWALL's Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. SonicWALL IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new hacker attacks through SonicWALL's industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWALL IPS to detect and prevent attacks on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.
1. The Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent against known and unknown protocols, applications and exploits.
2. TCP packets arriving out-of-order are reassembled by the Deep Packet Inspection framework.
3.
4. Deep Packet Inspection engine postprocessors perform actions which may simply pass the packet without modification, drop the packet, or even reset a TCP connection.
5. If TCP packets arrive out of order, the SonicWALL IPS engine reassembles them before inspection. However, SonicWALL's IPS framework supports complete signature matching across the TCP fragments without having to perform complete reassembly. SonicWALL's unique reassembly-free matching solution dramatically reduces CPU and memory resource requirements.
2. Expand the Security Services tree and click Intrusion Prevention. The Intrusion Prevention page appears.
3.
4.
5. Configure the following settings for High Priority Attacks in the IPS Settings area:
   To detect, log, and prevent all high priority attacks, select the Prevent All check box.
   To detect and log all high priority attacks, select the Detect All check box.
   To prevent the log from becoming overloaded with entries for the same attack, enter a value in the Log Redundancy Filter field. For example, if you entered a value of 30 seconds and there were 100 SubSeven attacks during that period of time, only one attack would be logged during that 30 second period.
6. Repeat Step 3 for the remaining categories as applicable, including Medium Priority Attacks, Low Priority Attacks, IM (Instant Messaging) Applications, and P2P (Peer-to-Peer) Applications.
7. automatically drops and resets the connection, to prevent the traffic from reaching its destination.
   If Detect Invalid Checksum is enabled, the SonicWALL security appliance logs and alerts on any such traffic, but does not take any action against it. The connection proceeds to its intended destination.
   If Enable IPS Exclusion List is enabled, this SonicWALL security appliance bypasses IPS enforcement for a specified IP range. This requires the addition of an IPS Range (below).
8. To force the firmware to download all signatures, click Update IPS Signature Database.
9. To reset your IPS settings to the defaults, click Reset IPS Settings & Policies.
10. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
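The Log Redundancy Filter in Step 5 collapses repeated hits of the same signature inside the configured window into one log entry, which is what keeps a scanning burst from flooding the log (and hiding other events). The block below is an added example, not code from the guide or from SonicWALL, that reproduces the guide's scenario of 100 SubSeven detections inside a 30 second window over a constructed event list; the function names and the second signature name Example-Sig-B are assumptions made for the example.

```python
from collections import Counter


def apply_log_redundancy_filter(events, window_seconds):
    """Suppress repeated log entries for the same signature inside a time window.

    events:         iterable of (timestamp_seconds, signature_name), sorted by time
    window_seconds: the Log Redundancy Filter value; 0 disables suppression
    Returns (logged, suppressed): the entries that would reach the log, and a
    per-signature count of the entries the filter dropped.
    """
    last_logged = {}          # signature -> timestamp of its last logged entry
    logged = []
    suppressed = Counter()
    for ts, sig in events:
        prev = last_logged.get(sig)
        if prev is None or ts - prev >= window_seconds:
            logged.append((ts, sig))
            last_logged[sig] = ts
        else:
            suppressed[sig] += 1
    return logged, suppressed


def sample_events():
    """Constructed sample: 100 SubSeven detections spread over 25 seconds (the
    guide's scenario) plus two hits of a made-up second signature 35 s apart."""
    burst = [(i * 0.25, "SubSeven") for i in range(100)]        # t = 0.00 .. 24.75
    other = [(10.0, "Example-Sig-B"), (45.0, "Example-Sig-B")]  # hypothetical name
    return sorted(burst + other)


if __name__ == "__main__":
    logged, suppressed = apply_log_redundancy_filter(sample_events(), 30)
    print(len(logged), "entries logged;", dict(suppressed), "suppressed")
```

Note what the filter does not do: it suppresses log lines only, so with Prevent All enabled every one of the 100 packets is still blocked; the single entry is the evidence that the attack ran, not a sign that 99 got through.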
1. Locate the type of attack that you would like to view. To sort by category, select a category from the Categories list box. To sort by priority, select a priority level from the Priority list box.
2.
3. Select whether attack detection for this type of attack is enabled, disabled, or uses the default global settings for the attack category from the Prevention list box.
4. Select whether attack prevention for this type of attack is enabled, disabled, or uses the default global settings for the attack category from the Detection list box.
5. Select which users or groups to include for this attack type in the Included Users/Groups list box.
6. Select which users or groups to exclude for this attack type in the Excluded Users/Groups list box.
7. Select an IP address range to include for this attack type in the Included IP Address Range list box.
8. Select an IP address range to exclude for this attack type in the Excluded IP Address Range list box.
9. Select a time range to enforce attack protection on this attack type from the Schedule list box.
10. Enter a timespan (in seconds) to run the Log Redundancy Filter (seconds) field, or select
11. When you are finished, click Update. You are returned to the Intrusion Prevention page.
12. Repeat Steps 2 through 16 for each attack to edit.
13. To reset all attacks to their default settings, click Reset ALL IPS Settings and Policies.
2.
3. Click on the GMS Settings option. The GMS Settings dialog box displays.
4.
Note: Keyset files will be uploaded at the time of registering a unit or when there is a change in the user license.
5. In the Policies tab, navigate to the System > Tools page to upload keyset and signature files.
6.
2. Expand the Security Services tree and click RBL Filter. The Global Security Client screen displays.
3. Check the Enable Real-time Black List Blocking checkbox to enable the service.
4. In the RBL DNS Servers pull-down list, choose to Inherit Settings from WAN Zone or Specify DNS Servers Manually.
5. If choosing to specify your DNS servers manually, enter the server names in the DNS Server (1, 2, 3) fields below.
6. Click the Add RBL Service link to add a new RBL domain.
7. Enter the RBL Domain you wish to block and check the appropriate responses in the RBL Blocked Responses section below. You also have the option to Block All Responses.
8.
9.
1.
2. Expand the Security Services tree and click Gateway AntiVirus. The Gateway AntiVirus screen displays.
3. You can manually update your SonicWALL GAV database at any time by clicking the Update button. However, by default, the SonicWALL security appliance running SonicWALL GAV automatically checks for new signatures once an hour.
4.
5.
6. Check the boxes corresponding to the Protocols you wish to enforce Inbound and Outbound inspection on.
If your SonicWALL firewall appliance is running SonicOS Enhanced, you must enable Gateway Anti-Virus on the appropriate zone in the Network > Zones page before continuing.
1. Select Enable Client Notification Alerts to send relevant blocked file notifications to users of the SonicWALL Desktop Anti-Virus client.
2. Select Disable SMTP Responses to suppress the sending of email notifications when viruses are blocked at the gateway.
3. Select Disable detection of EICAR test virus to ignore this test file. The EICAR file is a small file (but not actually a real virus) often used to test how virus protection mechanisms respond to a threat.
4. It is not recommended to check the options for Enable HTTP Byte-Range requests with Gateway AV or Enable FTP REST requests with Gateway AV unless directed to do so by a SonicWALL representative.
5. Select Enable HTTP Clientless Notification Alerts to enable alerts about blocked content for clients who do not have SonicWALL Client Anti-Virus installed. These alerts are delivered by way of a standard HTML browser window. You may also enter a message below if using this notification type.
6.
2.
3. For more granular control over protocol traffic inspection, click the settings icon for each of the protocols you choose. The settings window displays and allows you to restrict transfer of the following possibly dangerous file types:
Table 19
File Type                       Security Issues
Password protected ZIP files
Click the Configure Gateway AV Settings link. The Gateway AV settings window displays. This window allows you to configure client notification alerts and create a SonicWALL GAV exclusion list.
5. To download the latest signature database from mysonicwall.com, click the Update Gateway AV Signature Database link.
6. Click the Update button when you are ready to save your changes.
Note: Signature entries in the database change over time in response to new threats.
Displaying Signatures
You can display the signatures in a variety of views using the View Style menu.
Use Search String - Allows you to display signatures containing a specified string entered in
the Lookup Signatures Containing String field.
All Signatures - Displays all the signatures in the table, 50 to a page.
0 - 9 - Displays signature names beginning with the number you select from the menu.
A-Z - Displays signature names beginning with the letter you select from the menu.
1.
2.
3.
Selecting Security Services > Anti-Spyware displays the configuration settings for
SonicWALL Anti-Spyware on your SonicWALL security appliance.
The Anti-Spyware page for SonicOS Enhanced is divided into three sections:
Anti-Spyware Status - displays status information on the state of the signature database, your SonicWALL Anti-Spyware license, and other information.
Anti-Spyware Global Settings - provides the key settings for enabling SonicWALL Anti-Spyware on your SonicWALL security appliance, specifying global SonicWALL Anti-Spyware protection based on three classes of spyware, and other configuration options.
Anti-Spyware Signatures - shows the status and contents of your signature database.
Warning: After activating your SonicWALL Anti-Spyware license, you must enable and configure SonicWALL Anti-Spyware on the SonicWALL management interface before anti-spyware policies are applied to your network traffic.
Checking the Enable Anti-Spyware check box does not automatically start SonicWALL
Anti-Spyware protection. You must also specify a Prevent All action in the Signature Groups
table to activate anti-spyware on the SonicWALL security appliance, and then specify the zones
you want to protect on the Network > Zones page. You can also select Detect All for spyware
event logging and alerting.
Selecting the Prevent All and Detect All check boxes for High Danger Level Spyware and
Medium Danger Level Spyware in the Signature Groups table, and then clicking Apply
protects your network against the most dangerous spyware.
Caution: SonicWALL recommends enabling Prevent All for the High Danger Level Spyware and Medium Danger Level Spyware signature groups to provide anti-spyware protection against the most damaging and disruptive spyware applications. You can also enable Detect All for spyware logging and alerting.
SonicWALL Anti-Spyware also allows you to configure anti-spyware policies at the category
and signature level to provide flexible granularity for tailoring SonicWALL Anti-Spyware
protection based on your network environment requirements. If you are running SonicOS
Enhanced, you can apply these custom SonicWALL Anti-Spyware policies to Address Objects,
Address Groups, and User Groups, as well as create enforcement schedules. For more
1. In the SonicWALL security appliance management interface, select Network > Zones, or from the Anti-Spyware Status section on the Security Services > Anti-Spyware page, click the Network > Zones link. The Network > Zones page is displayed.
2. In the Configure column in the Zone Settings table, click the Edit icon for the zone to which you want to apply SonicWALL IPS. The Edit Zone window is displayed.
3.
4. Click OK.
You can also enable SonicWALL IPS protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.
Configure the fields in the Anti-Spyware Product Settings dialog box as described in the following table.
Table 20
Field                       Description
Prevention
Detection
Included Users/Groups
Excluded Users/Groups
Included IP Address Range
For a bird's-eye view of the categories, refer to the following figure:
CHAPTER 23
Configuring Firewall High Availability
This chapter describes how to use SonicWALL GMS to configure High Availability, which allows
the administrator to specify a primary and secondary SonicWALL appliance. In the case that
the connection to the primary device fails, connectivity will transfer to the backup device.
In addition, SonicWALL GMS can utilize the same device pairing technology to implement
different forms of load balancing. Load balancing helps regulate the flow of network traffic by
splitting that traffic between primary and secondary SonicWALL devices. This chapter includes
the following sections:
Note: High Availability is available at the appliance level; it cannot be configured at the group level.
2. Expand the High Availability tree and click Settings. The High Availability page displays.
3.
4. Enter the Serial Number of the Backup SonicWALL security appliance to be used in the High Availability pair.
5. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Select a SonicWALL appliance and click the Policies tab. Expand the High Availability tree and click Advanced.
2. unit remains in a continuously synchronized state so that it can seamlessly assume the network responsibilities upon failure of the primary unit with no interruption to existing network connections.
Note: Stateful High Availability requires an additional license for the primary SonicWALL appliance. The license is shared between the primary and backup appliances.
3.
4. If enabling Active/Active UTM, select an interface in the HA Data Interface pull-down list. This interface will be used for transferring data between the two units during Active/Active UTM processing. Only unassigned, available interfaces appear in the pull-down list.
5. Select the Enable Preempt Mode check box to configure the primary SonicWALL appliance to take over from the backup SonicWALL appliance when it becomes available. Otherwise, the backup SonicWALL appliance will remain active.
6.
7. Select the Enable Virtual MAC check box. When the Stateful High Availability Upgrade is licensed, Virtual MAC capability is also licensed. Virtual MAC allows the backup unit in an HA pair to use the MAC address of the primary unit when a failover occurs. Alternatively, you can manually set a virtual MAC address for both units to use. Virtual MAC addressing contributes to network continuity and efficiency during a failover in the same way as the use of virtual IP addresses. During a failover, the backup unit uses the same virtual IP address that was used by the primary unit. The Virtual MAC feature avoids the need to update the whole network to associate the virtual IP address with the actual physical MAC address of the backup unit.
8. To specify how long the SonicWALL appliance will look, enter the number of seconds in the Election Delay Time field. You can enter a value between 0 and 300 seconds, but the default value of 0 seconds is sufficient in most cases.
   Optionally, change the value in the Dynamic Route Hold-Down Time field. This setting is used when a failover occurs on a High Availability pair that is using either RIP or OSPF dynamic routing. When a failover occurs, Dynamic Route Hold-Down Time is the number of seconds the newly-active appliance keeps the dynamic routes it had previously learned in its route table. During this time, the newly-active appliance relearns the dynamic routes in the network. When the Dynamic Route Hold-Down Time duration expires, it deletes the old routes and implements the new routes it has learned from RIP or OSPF. The default value is 45 seconds. In large or complex networks, a larger value may improve network stability during a failover.
9. When changes are made to the Primary or Secondary SonicWALL firewall appliance, the changes are automatically synchronized between the two SonicWALL firewall appliances. To cause the synchronization to occur now, click Synchronize Settings. Additionally, selecting Include Certificates/Keys will synchronize certificates and keys between devices.
10. To force the backup device to load and reboot to current firmware from the primary device,
11. When you are finished, click Update. The settings are changed for each selected SonicWALL appliance. To clear all screen settings and start over, click Reset.
1. Expand the High Availability tree and click Monitoring. The Monitoring Settings page displays.
2. Click on the configure icon for the X0 interface. The Interface X0 Monitoring Settings window displays.
3. Enter the LAN management IP address for the primary appliance in the Primary IP Address field.
4. Enter the LAN management IP address for the backup appliance in the Backup IP Address field.
5. (Optional) Check the Enable Interface Monitoring checkbox and enter the IP address of a reliable device on the LAN network in the Probe IP Address field. This should be a downstream router or server. The primary and backup appliances will regularly ping this probe IP address. If both can successfully ping the target, no failover occurs. If neither can successfully ping the target, no failover occurs, because it is assumed that the problem is with the target, and not the SonicWALL appliances. But, if one appliance can ping the target but the other appliance cannot, failover will occur to the appliance that can ping the target.
6. (Optional) To manually specify the virtual MAC address, check the Manual Virtual MAC checkbox and enter a MAC address. SonicWALL recommends that you manually configure the virtual MAC address only if the appliances do not have Internet access (for example, in secure network environments). Allowing the appliances to retrieve the virtual MAC address from the SonicWALL backend eliminates the possibility of configuration errors and ensures the uniqueness of the virtual MAC address, which prevents possible conflicts.
7. Click OK.
8. Click on the configure icon for the X1 interface and repeat steps 3 through 7 for the WAN IP addresses on the primary and backup appliances.
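Step 5 of the interface monitoring procedure spells out a three-way rule: both units reach the probe target, no failover; neither reaches it, no failover (the target is assumed to be at fault); only one reaches it, fail over to that unit. The following is an added example, not code from the guide or from SonicWALL, that encodes that rule together with the Enable Preempt Mode behaviour from the Advanced page, and runs it over a constructed sequence of probe results so the state transitions can be checked. The function names and the probe history are assumptions made for the example, as is the reading of "when it becomes available" as "its own probe succeeds again".

```python
def decide_failover(active, primary_ok, backup_ok, preempt=False):
    """Return (new_active, reason) for one round of probe results.

    active:     "primary" or "backup", the unit currently carrying traffic
    primary_ok: True if the primary could ping the Probe IP Address
    backup_ok:  True if the backup could ping the Probe IP Address
    preempt:    models Enable Preempt Mode (assumption: a primary whose probe
                succeeds again reclaims the active role from the backup)
    """
    if active not in ("primary", "backup"):
        raise ValueError("active must be 'primary' or 'backup'")
    if primary_ok and backup_ok:
        if preempt and active == "backup":
            return "primary", "preempt: primary available again"
        return active, "no failover: both units reach the probe target"
    if not primary_ok and not backup_ok:
        # the guide's rule: a target nobody can reach is the target's problem
        return active, "no failover: neither unit reaches the target"
    healthy = "primary" if primary_ok else "backup"
    if healthy == active:
        return active, "no failover: the active unit still reaches the target"
    return healthy, f"failover to {healthy}"


def simulate(probe_history, preempt=False, start="primary"):
    """Run successive probe rounds; returns the final active unit and the transitions."""
    active = start
    transitions = []
    for primary_ok, backup_ok in probe_history:
        new_active, reason = decide_failover(active, primary_ok, backup_ok, preempt)
        if new_active != active:
            transitions.append((active, new_active, reason))
        active = new_active
    return active, transitions


# constructed probe history, one (primary_ok, backup_ok) pair per round:
# healthy -> primary loses its LAN path -> probe target itself is down -> all healthy
SAMPLE_HISTORY = [(True, True), (False, True), (False, False), (True, True)]

if __name__ == "__main__":
    for preempt in (False, True):
        final, log = simulate(SAMPLE_HISTORY, preempt=preempt)
        print(f"preempt={preempt}: final active = {final}; transitions = {log}")
```

The third round shows why the guide's "neither can ping" rule matters: an outage of the probe host must not bounce the active role back and forth, so the decision depends on the difference between the two units' results, not on any single failed probe.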
CHAPTER 24
Configuring Firewall SonicPoints
This chapter describes how to configure SonicPoint managed secure wireless access points.
This chapter includes the following sections:
Managing SonicPoints
The SonicPoint section of GMS lets you manage the SonicPoints connected to your system.
Test SonicPoints
The default provisioning profile settings for each radio are:
Setting              802.11a Radio           802.11g Radio                  802.11n Radio
Enable Radio         Yes - Always on         Yes - Always on                Yes - Always on
SSID                 sonicwall               sonicwall                      sonicwall-D790 (where D790 is an example; this is determined by the hardware address)
Radio Mode           54Mbps 802.11a          2.4 GHz 54Mbps 802.11g
Channel              AutoChannel             AutoChannel                    AutoChannel
ACL Enforcement      Disabled                Disabled                       Disabled
Schedule IDS Scan    Disabled                Disabled
Data Rate            Best                    Best                           Best
Antenna Diversity    Best                    Best                           Best
Authentication Type (default as listed in the profile table): WEP - Both (Open System & Shared Key)
To add a new profile click Add SonicPointN below the list of SonicPoint 802.11n provisioning profiles. To edit an existing profile, select the profile and click the Configure icon in the same line as the profile you are editing.
Step 2
Retain Settings: Check this to have the SonicPointNs provisioned by this profile retain
Name Prefix: Enter a prefix for the names of all SonicPointNs connected to this zone. When each SonicPointN is provisioned it is given a name that consists of the name prefix and a unique number, for example: SonicPoint 126008.
Country Code: Select the country where you are operating the SonicPointNs. The country code determines which regulatory domain the radio operation falls under.
802.11n Virtual AP Group: (optional; on SonicWALL NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPointNs to a VAP. This pull-down menu allows you to create a new VAP group. For more information on VAPs, refer to the Using and Configuring Virtual Access Points section on page 570.
Step 3
In the 802.11n tab, configure the radio settings for the 802.11n radio:
Enable Radio: Check this to automatically enable the 802.11n radio bands on all
Radio Mode: Select your preferred radio mode from the Radio Mode menu. The
2.4GHz 802.11n Only - Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
Tip: For optimal throughput speed solely for 802.11n clients, SonicWALL recommends the 802.11n Only radio mode. Use the 802.11n/b/g Mixed radio mode for multiple wireless client authentication compatibility.
2.4GHz 802.11g Only - If your wireless network consists only of 802.11g clients, you may select this mode for increased 802.11g performance. You may also select this mode if you wish to prevent 802.11b clients from associating.
5 GHz 802.11n Only - Allows only 802.11n clients access to your wireless network. 802.11a/b/g clients are unable to connect under this restricted radio mode.
5 GHz 802.11a Only - Select this mode if only 802.11a clients access your wireless network.
SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile.
This is the name that will appear in clients lists of available wireless connections.
Note: If all SonicPoints in your organization share the same SSID, it is easier for users to maintain their wireless connection when roaming from one SonicPoint to another.
When the wireless radio is configured for a mode that supports 802.11n, the following options are displayed:
Radio Band (802.11n only): Sets the band for the 802.11n radio:
Auto - Allows the appliance to automatically detect and set the optimal channel for wireless operation based on signal strength and integrity. This is the default setting.
Standard - 20 MHz Channel - Specifies that the 802.11n radio will use only the standard 20 MHz channel. When this option is selected, the Standard Channel pull-down menu is displayed.
Standard Channel - This pull-down menu only displays when the 20 MHz channel is selected. By default, this is set to Auto, which allows the appliance to set the optimal channel based on signal strength and integrity. Optionally, you can select a single channel within the range of your regulatory domain. Selecting a specific channel can also help with avoiding interference with other wireless networks in the area.
Wide - 40 MHz Channel - Specifies that the 802.11n radio will use only the wide 40 MHz channel. When this option is selected, the Primary Channel and Secondary Channel pull-down menus are displayed:
Primary Channel - By default this is set to Auto. Optionally, you can specify a specific primary channel.
If the primary channel is set to Auto, the secondary channel is also set to Auto.
If the primary channel is set to a specific channel, the secondary channel is set to the optimum channel to avoid interference with the primary channel.
Enable Short Guard Interval: Specifies the short guard interval of 400ns (as opposed to the
standard guard interval of 800ns). The guard interval is a pause in transmission intended to
avoid data loss from interference or multipath delays.
Enable Aggregation: Enables 802.11n frame aggregation, which combines multiple frames to
reduce overhead and increase throughput.
Tip: The Enable Short Guard Interval and Enable Aggregation options can slightly improve throughput. They both function best in optimum network conditions where users have strong signals with little interference. In networks that experience less than optimum conditions (interference, weak signals, etc.), these options may introduce transmission errors that eliminate any efficiency gains in throughput.
ACL Enforcement: Select this to enforce Access Control by allowing or denying traffic from specific devices. Select a MAC address group from the Allow List to automatically allow traffic from all devices with MAC addresses in the group. Select a MAC address group from the Deny List to automatically deny traffic from all devices with MAC addresses in the group. The Deny List is enforced before the Allow List.
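The ordering rule in the ACL Enforcement setting, Deny List before Allow List, decides the one case administrators tend to get wrong: a MAC address that ends up in both groups. As an added example (not code from the guide or from SonicWALL), the function below evaluates a client against constructed allow and deny groups in that order and normalizes the several MAC notations in use so that a formatting difference cannot bypass the Deny List. The function names, the sample groups and the choice of what happens to a device in neither list (a default parameter, denied here) are assumptions made for the example; the guide does not state the latter.

```python
def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so membership ignores formatting."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def acl_decision(client_mac, allow_group, deny_group, enforce=True, default="deny"):
    """Return "allow" or "deny" for a wireless client.

    Mirrors the ACL Enforcement rule: the Deny List is checked first, then the
    Allow List. 'default' (an assumption, not from the guide) covers a client in
    neither group. With enforcement disabled every client is allowed.
    """
    if default not in ("allow", "deny"):
        raise ValueError("default must be 'allow' or 'deny'")
    if not enforce:
        return "allow"
    mac = normalize_mac(client_mac)
    if mac in {normalize_mac(m) for m in deny_group}:
        return "deny"           # Deny List wins even if the MAC is also allowed
    if mac in {normalize_mac(m) for m in allow_group}:
        return "allow"
    return default


# constructed sample MAC address groups; one address appears in both on purpose
SAMPLE_ALLOW = ["00:11:22:33:44:55", "00-11-22-33-44-66"]
SAMPLE_DENY = ["0011.2233.4466"]

if __name__ == "__main__":
    for client in ("00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:ff"):
        print(client, acl_decision(client, SAMPLE_ALLOW, SAMPLE_DENY))
```

MAC-based ACLs are an inventory control rather than an authentication mechanism, since a client's MAC address is trivially visible on the air and configurable; the authentication type chosen in Step 4 below is what actually gates access.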
Step 4
In the Wireless Security section of the 802.11n Radio tab, configure the following settings:
Authentication Type: Select the method of authentication for your wireless network. You can select WEP - Both (Open System & Shared Key), WEP - Open System, WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP, WPA2-AUTO-PSK, and WPA2-AUTO-EAP.
WEP Configuration
WEP Key Mode: Select the size of the encryption key.
Default Key: Select which key in the list below is the default key, which will be tried first
Group Key Interval: The time period for which a Group Key is valid. The default value
Passphrase (PSK only): This is the passphrase your network users must enter to gain network access.
RADIUS Server Settings (EAP Only): Configure settings for your RADIUS authentication server.
Step 5
In the Advanced tab, configure the performance settings for the 802.11n radio. For most 802.11n advanced options, the default settings give optimum performance.
Hide SSID in Beacon: Check this option to have the SSID broadcast as part of the
Schedule IDS Scan: Select a time when there are fewer demands on the wireless
Data Rate: Select the speed at which the data is transmitted and received. Best automatically selects the best rate available in your area given interference and other factors. Or you can manually select a data rate.
Transmit Power: Select the transmission power. Transmission power affects the range of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth (-9 dB), or Minimum.
Antenna Diversity: The Antenna Diversity setting determines which antenna the SonicPoint uses to send and receive data. When Best is selected, the SonicPoint automatically selects the antenna with the strongest, clearest signal.
communication sent when associating with a wireless host. You can select Long or Short.
Protection Mode: Select the CTS or RTS protection. Select None, Always, or Auto.
Protection Rate: Select the speed for the CTS or RTS protection: 1 Mbps, 2 Mbps, 5 Mbps, or 11 Mbps.
When a SonicPoint unit is first connected and powered up, it will have a factory default
configuration (IP address 192.168.1.20, username: admin, password: password). Upon
initializing, it will attempt to find a SonicOS device with which to peer. If it is unable to find a
peer SonicOS device, it will enter into a stand-alone mode of operation with a separate
stand-alone configuration allowing it to operate as a standard Access Point.
If the SonicPoint does locate, or is located by a peer SonicOS device, via the SonicWALL
Discovery Protocol, an encrypted exchange between the two units will ensue wherein the
profile assigned to the relevant Wireless zone will be used to automatically configure
(provision) the newly added SonicPoint unit.
As part of the provisioning process, SonicOS will assign the discovered SonicPoint device a
unique name, and it will record its MAC address and the interface and zone on which it was
discovered. It can also automatically assign the SonicPoint an IP address, if so configured, so
that the SonicPoint can communicate with an authentication server for WPA-EAP support.
SonicOS will then use the profile associated with the relevant zone to configure the 2.4GHz and
5GHz radio settings.
Modifications to profiles will not affect units that have already been provisioned and are in an
operational state. Configuration changes to operational SonicPoint devices can occur in two
ways:
Via manual configuration changes: Appropriate when a single change, or a small set of
changes, is to be made, particularly when an individual SonicPoint requires settings that
differ from the profile assigned to its zone.
Via un-provisioning: Deleting a SonicPoint unit effectively un-provisions the unit, that is,
clears its configuration and places it in a state where it automatically engages the
provisioning process anew with its peer SonicOS device. This technique is useful when the
profile for a zone is updated or changed and the change is to be propagated. It can be used
to update firmware on SonicPoints, or simply to update multiple SonicPoint units automatically
in a controlled fashion, rather than changing all peered SonicPoints at once, which can cause
service disruptions.
To add a new profile, click Add below the list of SonicPoint provisioning profiles. To edit an
existing profile, select the profile and click the edit icon in the same line as the profile you
are editing.
Step 2
Retain Settings: Check this to have the SonicPoints provisioned by this profile retain
When each SonicPoint is provisioned it is given a name that consists of the name prefix
and a unique number, for example: SonicPoint 126008.
Country Code: Select the country where you are operating the SonicPoints. The
country code determines which regulatory domain the radio operation falls under.
NSA only) Select a Virtual Access Point (VAP) group to assign these SonicPoints to a
VAP. This pull-down menu also allows you to create a new VAP group. For more information
on VAPs, see Using and Configuring Virtual Access Points on page 570.
Step 3
In the 802.11g tab, configure the radio settings for the 802.11g (2.4GHz band) radio:
Enable 802.11g Radio: Check this to automatically enable the 802.11g radio bands on
SSID: Enter a recognizable string for the SSID of each SonicPoint using this profile.
This is the name that appears in clients' lists of available wireless connections.
Note
If all SonicPoints in your organization share the same SSID, it is easier for users to maintain
their wireless connection when roaming from one SonicPoint to another.
Radio Mode: Select the speed of the wireless connection. You can choose 11Mbps -
802.11b, 54 Mbps - 802.11g, or 108 Mbps - Turbo G mode. If you choose Turbo mode,
all users in your company must use wireless access cards that support turbo mode.
Channel: Select the channel the radio will operate on. The default is AutoChannel,
which automatically selects the channel with the least interference. Use AutoChannel
unless you have a specific reason to use or avoid specific channels.
ACL Enforcement: Select this to enforce access control by allowing or denying traffic
from specific devices. Select a MAC address group from the Allow List to automatically
allow traffic from all devices with a MAC address in the group. Select a MAC address
group from the Deny List to automatically deny traffic from all devices with a MAC
address in the group. The Deny list is enforced before the Allow list, so a device that
appears in both is denied. Note that a MAC ACL is a convenience control, not authentication:
a client's MAC address is transmitted in the clear and is trivially changed, so use ACL
enforcement only in addition to WPA2, never in place of it.
Authentication Type: Select the method of authentication for your wireless network.
You can select WEP - Both (Open System & Shared Key), WEP - Open System,
WEP - Shared Key, WPA - PSK, WPA - EAP, WPA2-PSK, WPA2-EAP,
WPA2-AUTO-PSK, and WPA2-AUTO-EAP. The WEP options exist only for legacy clients;
WEP is cryptographically broken regardless of key length, so select a WPA2 type (EAP with a
RADIUS server where possible, otherwise PSK with a long random passphrase) unless a legacy
client leaves you no choice.
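The following is an added example written for this guide, not SonicOS or GMS code. It shows how the ACL Enforcement rule above behaves once the Deny list is evaluated before the Allow list, and the same ordering applies to the Allow and Deny lists on the Wireless > MAC Filter List page. The MAC address groups are constructed sample data; an address object group is assumed to resolve to a plain set of MAC addresses, and the treatment of a station on neither list is an assumption stated in the code, since the guide does not specify it.

```python
"""Added example for this guide (not SonicOS or GMS code): how a SonicPoint
MAC ACL with a Deny list evaluated before an Allow list decides whether a
station may pass. The MAC groups below are constructed sample data; an address
object group is assumed to resolve to a plain set of MAC addresses."""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise 00:11:22:33:44:55, 00-11-22-33-44-55 and 0011.2233.4455 to
    one lower-case colon form, so list membership never depends on formatting."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAcl:
    """Deny list first, then Allow list, as the profile setting describes.

    acl_enforcement=False reproduces a profile with ACL Enforcement unchecked:
    the lists are ignored and every station is admitted. What happens to a
    station on neither list is not stated by the guide; this example assumes
    that an Allow list, once configured, is a whitelist (unlisted = deny),
    and that with only a Deny list unlisted stations are admitted."""

    def __init__(self, allow=(), deny=(), acl_enforcement=True):
        self.allow = {normalize_mac(m) for m in allow}
        self.deny = {normalize_mac(m) for m in deny}
        self.acl_enforcement = acl_enforcement

    def decide(self, station_mac: str) -> str:
        mac = normalize_mac(station_mac)
        if not self.acl_enforcement:
            return "allow"
        if mac in self.deny:       # Deny wins even when the MAC is also allowed
            return "deny"
        if mac in self.allow:
            return "allow"
        return "deny" if self.allow else "allow"

    def audit(self, stations):
        """Apply the ACL to a list of observed station MACs and report the verdict
        for each; useful for checking a new group before enforcing it."""
        return {normalize_mac(s): self.decide(s) for s in stations}


# Constructed sample groups (not real devices).
CORP_LAPTOPS = ["00:11:22:33:44:55", "aa-bb-cc-dd-ee-ff", "0011.2233.4466"]
BLOCKED = ["AABB.CCDD.EEFF"]          # also present in CORP_LAPTOPS

if __name__ == "__main__":
    acl = MacAcl(allow=CORP_LAPTOPS, deny=BLOCKED)
    for mac, verdict in acl.audit(CORP_LAPTOPS + ["de:ad:be:ef:00:01"]).items():
        print(mac, verdict)
```

Run the audit against the station list exported from the SonicPoint before turning ACL Enforcement on; any corporate device that comes back as "deny" is either missing from the Allow group or, as with the duplicated entry above, also present in the Deny group.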
Step 4
In the 802.11g Advanced tab, configure the performance settings for the 802.11g radio. For
most 802.11g advanced options, the default settings give optimum performance.
Hide SSID in Beacon: Check this option to have the SSID broadcast as part of the
Schedule IDS Scan: Select a time when there are fewer demands on the wireless
Data Rate: Select the speed at which the data is transmitted and received. Best
automatically selects the best rate available in your area given interference and other
factors. Or you can manually select a data rate.
Transmit Power: Select the transmission power. Transmission power affects the range
of the SonicPoint. You can select: Full Power, Half (-3 dB), Quarter (-6 dB), Eighth
(-9 dB), or Minimum.
Antenna Diversity: The Antenna Diversity setting determines which antenna the
SonicPoint uses to send and receive data:
Best: This is the default setting. When Best is selected, the SonicPoint
automatically selects the antenna with the strongest, clearest signal. In most cases,
Best is the optimal setting.
1: Select 1 to restrict the SonicPoint to use antenna 1 only. Facing the rear of the
SonicPoint, antenna 1 is on the left, closest to the power supply.
2: Select 2 to restrict the SonicPoint to use antenna 2 only. Facing the rear of the
SonicPoint, antenna 2 is on the right, closest to the console port.
Maximum Client Associations: Enter the maximum number of clients you want the
communication send when associating with a wireless host. You can select Long or
Short.
Protection Mode: Select the CTS or RTS protection. Select None, Always, or Auto.
Protection Rate: Select the speed for the CTS or RTS protection, 1 Mbps, 2 Mbps, 5
Mbps, or 11 Mbps.
Enable Short Slot Time: Allow clients to disassociate and reassociate more quickly.
Allow Only 802.11g Clients to Connect: Use this if you are using Turbo G mode and
Step 5
Configure the settings in the 802.11a Radio and 802.11a Advanced tabs. These settings affect
the operation of the 802.11a radio bands. The SonicPoint has two separate radios built in.
Therefore, it can send and receive on both the 802.11a and 802.11g bands at the same time.
The settings in the 802.11a Radio and 802.11a Advanced tabs are similar to the settings in the
802.11g Radio and 802.11g Advanced tabs. Follow the instructions in step 3 and step 4 in this
procedure to configure the 802.11a radio.
2. In the Edit SonicPoint screen, make the changes you want. The Edit SonicPoint screen has
the following tabs:
General
802.11a Radio
802.11a Advanced
802.11g Radio
802.11g Advanced
The options on these tabs are the same as the Add SonicPoint Profile screen. Refer to the
SonicPoint Provisioning Profiles section on page 556 for instructions on configuring these
settings.
Synchronize SonicPoints
Click Synchronize SonicPoints at the top of the SonicPoint > SonicPoints page to update
the settings for each SonicPoint reported on the page. When you click Synchronize
SonicPoints, SonicOS polls all connected SonicPoints and displays updated settings on the
page.
1. Check the box under Enable to enable the SonicPoint, or uncheck the box to disable it.
2. Click Apply at the top of the SonicPoint > SonicPoints page to apply this setting to the
SonicPoint.
4. Click Add. GMS displays the Add SonicPoint Profile dialog box containing a series of tabs.
3. In the Navigation Bar, click the SonicPoint menu to display SonicPoint options.
6. Click either the 802.11g Radio or 802.11a Radio tab, depending on which radio you want
to schedule.
7. Click the Schedule list box at the top of the screen, to the right of the Enable checkbox.
The following figure is an example of a scheduling list box (for 802.11g).
Discovery: SonicOS devices periodically send discovery request broadcasts to elicit
responses from L2-connected SonicPoint units. Because discovery is a Layer 2 broadcast, a
SonicPoint is only discovered and provisioned when it sits on the same L2 segment as the
SonicOS interface in the Wireless zone.
Keepalive: A unicast message from a SonicPoint to its peered SonicOS device, used to
validate the state of the SonicPoint.
If, via the SDP exchange, the SonicOS device ascertains that the SonicPoint requires
provisioning or a configuration update (for example, on calculating a checksum mismatch, or
when a firmware update is available), the Configure directive engages a 3DES-encrypted,
reliable, TCP-based SonicWALL Simple Provisioning Protocol (SSPP) channel. The SonicOS
device then sends the update to the SonicPoint via this channel, and the SonicPoint restarts
with the updated configuration. State information is provided by the SonicPoint and is
viewable on the SonicOS device throughout the entire discovery and provisioning process.
Discarded Frames: Total number of frames discarded. Discarded frames are generally a
sign of network congestion.
Control Frames Received: Total number of control frames received. Control frames
include:
RTS (Request to Send)
CTS (Clear to Send)
ACK (positive acknowledgement)
Warning
Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.
If service disruption is a concern, it is recommended that the Scan Now feature not
be used while the SonicWALL security appliance is in Access Point mode until such
a time that no clients are active, or the potential for disruption becomes acceptable.
MAC Address (BSSID): The MAC address of the radio interface of the detected access
point.
Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz.
Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.
Authorize: Click the Authorize icon to add the access point to the address object group of
authorized access points.
If you have more than one SonicPoint, you can select an individual device from the SonicPoint
list to limit the Discovered Access Points table to display only scan results from that
SonicPoint. Select All SonicPoints to display scan results from all SonicPoints.
Column: Description
SonicPoint: The SonicPoint that detected the access point.
MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
SSID: The radio SSID of the access point.
Type: The range of radio bands used by the access point, 2.4 GHz or 5 GHz.
Channel: The radio channel used by the access point.
Manufacturer: The manufacturer of the access point. SonicPoints show a manufacturer of
either SonicWALL or Senao.
Signal Strength: The strength of the detected radio signal.
Max Rate: The fastest allowable data rate for the access point radio, typically 54 Mbps.
Authorize: Adds the access point to the address object group of authorized access points.
within a single physical AP in compliance with the IEEE 802.11 standard for the media access
control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and
Service Set Identifier (SSID). This allows segmenting wireless network services within a single
radio frequency footprint of a single physical access point device.
In SonicOS Enhanced 3.5, VAPs allow the network administrator to control wireless user
access and security settings by setting up multiple custom configurations on a single physical
interface.
Each of these custom configurations acts as a separate (virtual) access point, and can be
grouped and enforced on single or multiple physical SonicPoint access points simultaneously.
In GMS, you can configure VAPs on the Policies panel, SonicPoint > Virtual Access Point
screen.
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2. Click Add Group. The Add Virtual Access Point Group dialog box displays.
3. Enter the VAP group name in the Virtual AP Group Name field.
4. In Available Virtual AP Objects, select the objects that should be in the VAP group, and
then click the arrow button to move them to Member of Virtual AP Group.
5. To remove objects from the group, select them in the Member of Virtual AP Group field
and then click the left arrow button to move them back to the Available list.
6. Click OK.
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2. Click Add Virtual Access Point. The Add Virtual Access Point dialog box displays.
3. On the General tab, enter the SSID associated with the VAP. You can create a service set
identifier (SSID) when creating a SonicPoint profile. Refer to the SonicPoint Provisioning
Profiles section on page 556.
4. Select Enable Virtual Access Point. You can also deselect this checkbox to disable the
VAP without deleting it completely.
8. Click OK.
1. On the Policies panel, navigate to the SonicPoint > Virtual Access Point screen.
2. Click Add Virtual Access Point Profile. The Add Virtual Access Point Profile dialog box
displays.
4. Click OK.
Configuring FairNet
The following sections describe SonicPoint FairNet policies in SonicWALL SonicOS Enhanced
to configure bandwidth limits for WLAN clients:
coexisting. For example, since all bandwidth is shared by all associated wireless clients, one
bandwidth hog (such as a VoIP or P2P user) may consume most of the bandwidth and cause
delays or network interruptions for low-bandwidth HTTP users.
Given this, the SonicPoint FairNet feature is designed to provide an easy-to-use method for
network administrators to control the bandwidth of associated wireless clients and ensure
fairness among all of them.
Administrators can configure SonicPoint FairNet bandwidth limits for all wireless users, for
specific IP address ranges, or for individual clients, to provide fairness as well as network
efficiency.
SonicPoint FairNet is available for appliances running SonicOS 5.6 and higher.
4. Click the Add New FairNet Policy button to add a SonicPoint FairNet policy for an IP
address or range of addresses. The Add FairNet Policy window displays.
5. By default the Enable Policy option is checked. Clear this checkbox to disable the
FairNet policy.
6. In the Direction pull-down menu, select whether the bandwidth limits for the policy
apply to clients uploading content, downloading content, or both directions:
Both Directions
Downlink (AP to Client)
Uplink (Client to AP)
7. In the Start IP and End IP fields, specify the IP address range that the policy applies to.
The IP address range must be on a subnet that is configured for a WLAN interface. A policy
for an individual client uses that client's address as both Start IP and End IP.
8. In the Min Rate (kbps) field, enter the minimum bandwidth that clients are guaranteed.
9. In the Max Rate (kbps) field, enter the maximum bandwidth that clients are allowed. The
minimum rate cannot usefully exceed the maximum.
10. In the Interface pull-down menu, select the WLAN interface that corresponds to the IP
address range you configured. The menu lists all interfaces configured for the WLAN zone,
except for W0.
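The following is an added example written for this guide, not SonicOS code. It checks the constraints the procedure above states for a FairNet policy (the range must sit on a WLAN-zone interface subnet, and Min Rate must not exceed Max Rate) and then resolves which limits apply to one client flow in one direction. The interface names, subnets and policies are constructed sample data, and the rule that the narrowest matching range wins when a per-client policy overlaps a range policy is an assumption made for the example.

```python
"""Added example for this guide (not SonicOS code): validating SonicPoint
FairNet-style bandwidth policies and resolving the limits for a client flow.
Interface subnets and policies are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: interfaces in the WLAN zone and their subnets (assumption).
WLAN_INTERFACES = {
    "W0:V100": ipaddress.ip_network("172.16.100.0/24"),
    "W0:V200": ipaddress.ip_network("172.16.200.0/24"),
}

DIRECTIONS = {"both", "downlink", "uplink"}


@dataclass(frozen=True)
class FairNetPolicy:
    start_ip: str
    end_ip: str
    min_kbps: int
    max_kbps: int
    direction: str          # "both", "downlink" (AP to client) or "uplink"
    interface: str
    enabled: bool = True


def validate(policy, interfaces=WLAN_INTERFACES):
    """Return a list of problems; an empty list means the policy is acceptable.
    Mirrors what the guide states: the range must lie on a subnet configured
    for a WLAN interface, and a minimum above the maximum is meaningless."""
    problems = []
    start = ipaddress.ip_address(policy.start_ip)
    end = ipaddress.ip_address(policy.end_ip)
    if start > end:
        problems.append("start IP is after end IP")
    if policy.direction not in DIRECTIONS:
        problems.append(f"unknown direction {policy.direction!r}")
    if policy.min_kbps < 0 or policy.max_kbps <= 0:
        problems.append("rates must be positive")
    if policy.min_kbps > policy.max_kbps:
        problems.append("min rate exceeds max rate")
    net = interfaces.get(policy.interface)
    if net is None:
        problems.append(f"interface {policy.interface!r} is not in the WLAN zone")
    elif start not in net or end not in net:
        problems.append(f"range is not inside {policy.interface} subnet {net}")
    return problems


def rate_limits(policies, client_ip, direction):
    """Find the (min_kbps, max_kbps) pair that applies to one client flow, or
    None when no enabled policy covers it. When several policies match, the
    narrowest address range wins (assumption: per-client overrides range)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for p in policies:
        if not p.enabled or p.direction not in ("both", direction):
            continue
        s, e = ipaddress.ip_address(p.start_ip), ipaddress.ip_address(p.end_ip)
        if not s <= ip <= e:
            continue
        width = int(e) - int(s)
        if best is None or width < best[0]:
            best = (width, p)
    return None if best is None else (best[1].min_kbps, best[1].max_kbps)


if __name__ == "__main__":
    guests = FairNetPolicy("172.16.100.10", "172.16.100.200", 256, 2048, "both", "W0:V100")
    vip = FairNetPolicy("172.16.100.50", "172.16.100.50", 1024, 8192, "downlink", "W0:V100")
    print(validate(guests), rate_limits([guests, vip], "172.16.100.50", "downlink"))
```

Running validate before saving a policy catches the two mistakes that otherwise only show up as a silently ineffective policy: a range that spills outside the selected interface's subnet, and a guaranteed minimum that is larger than the cap.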
1. On the SonicPoint > FairNet page, go to the FairNet Policy Search section.
2. Select whether to search for the Start IP in the policy (the first IP address in the IP
address range) or the End IP.
3. Select the type of search to perform: Equals, Starts with, Ends with, or Contains.
5. Click Search. FairNet policies that match the search are displayed.
CHAPTER 25
Configuring Firewall Wireless Options
This chapter describes how to configure wireless connectivity options for wireless SonicWALL
appliances. Included in this chapter are the following sections:
The Wireless > Settings page provides different options for SonicOS Enhanced and
SonicOS Standard.
Changing the radio role from Access Point mode to Wireless Client Bridge mode
disconnects any existing wireless clients.
To configure wireless settings for Access Point mode, perform the following steps:
2. Expand the Wireless tree and click Settings. The Settings page displays.
3. Select whether the SonicWALL appliance will act as an Access Point or a Wireless Client
Bridge from the Radio Role list box.
4. To enable wireless networking on this device, select the Enable WLAN Radio check box.
5. For SonicOS Standard, configure Use Time Constraints to set hours of operation for this
wireless device. For SonicOS Enhanced, select the schedule from the Schedule list box.
6. For SonicOS Standard only, optionally select SRA Enforcement and configure the Server
Address and Server Port fields to add SRA enforcement to this wireless device.
7. For SonicOS Standard only, select WiFiSec Enforcement to enable WiFiSec security over
this wireless device.
8. For SonicOS Standard only, if using WiFiSec Enforcement, you can choose to Require
WiFiSec for Site-to-Site VPN Tunnel Traversal. This option is selected by default when
enabling both SRA and WiFiSec simultaneously.
9. For SonicOS Standard only, if using WPA encryption, you can choose to Trust WPA traffic
as WiFiSec.
10. For SonicOS Standard only, if using WiFiSec enforcement, you can choose Enable
WiFiSec Service Exception List. With this checkbox selected, select a service from the
list and click the Add button.
11. Enter the IP address and subnet mask of the Wireless LAN port in the WLAN IP Address
12. Enter the Service Set Identifier (SSID) or wireless network name in the SSID field
(maximum: 32 characters).
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Changing the radio role from Access Point mode to Wireless Client Bridge mode
disconnects any existing wireless clients.
To configure wireless settings for Wireless Client Bridge mode, perform the following steps:
1. To enable wireless networking on this device, select the Enable WLAN Radio check box.
2. For SonicOS Standard, configure Use Time Constraints to set hours of operation for this
wireless device. For SonicOS Enhanced, select the schedule from the Schedule list box.
3. For SonicOS Standard only, select WiFiSec Enforcement to enable WiFiSec security over
this wireless device.
4. Enter the Service Set Identifier (SSID) or wireless network name in the SSID field
(maximum: 32 characters).
5. 802.11d compliance is a regulatory domain update wherein physical and MAC layer
signaling automatically behaves in accordance with geographic requirements for such
settings as channels of operation and power. Access Points and wireless clients implement
802.11d differently. The Access Point can be thought of as the 802.11d provider: it either
provides the 802.11d capability or not, and it remains agnostic to the 802.11d capabilities of
associated clients. The wireless client is in turn the 802.11d consumer: if the client is not
802.11d capable, it can associate with an Access Point regardless of the Access Point's
802.11d capabilities. If the client is 802.11d capable, it can generally operate in one of three
802.11d modes, which you can select from the 802.11d Compliance menu.
6. When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
1. Expand the Wireless tree and click Security. The fields on this screen change depending
on the Authentication Type that you select.
2. Select a WEP authentication type from the Authentication Type list. Shared Key is
selected by default. If WEP must be used at all, prefer Open System over Shared Key: the
Shared Key challenge/response hands an eavesdropper a keystream sample that makes forging
an authentication trivial, and it protects nothing extra, since data frames are in any case
protected only by the WEP key itself.
1. Select the default key to use, 1, 2, 3, or 4, from the Default Key pull-down list.
2. Select the key type to be either Alphanumeric or Hexadecimal. The number of characters
you enter is different for each because an alphanumeric (or ASCII) character contains 8
bits, and a hexadecimal character contains only 4 bits.
Table 23 WEP key lengths by key type
WEP - 64-bit: Alphanumeric - 5 characters (0-9, A-Z); Hexadecimal - 10 characters (0-9, A-F)
WEP - 128-bit: Alphanumeric - 13 characters (0-9, A-Z); Hexadecimal - 26 characters (0-9, A-F)
WEP - 152-bit: Alphanumeric - 16 characters (0-9, A-Z); Hexadecimal - 32 characters (0-9, A-F)
4. For each key, select 64-bit, 128-bit, or 152-bit from the pull-down list next to the Key field.
152-bit is the longest key. Note that the advertised size includes the 24-bit initialization
vector, so a 64-bit key has only 40 secret bits, and that WEP is cryptographically broken at
every key length: the RC4 keystream-reuse and weak-IV attacks recover the key from a modest
amount of captured traffic. Treat WEP as a compatibility setting for legacy clients only, and
isolate such clients from the rest of the network.
5. Click Update.
Pre-Shared Key (PSK): PSK allows WPA/WPA2 to generate keys from a pre-shared
passphrase that you configure. The keys are updated periodically based on time or number
of packets. Use PSK in smaller deployments where you do not have a RADIUS server. Because
every client shares the same passphrase, and because an attacker who captures one client's
association handshake can test passphrase guesses offline, choose a long random passphrase,
change it when a device or person that knows it leaves, and move to EAP as the deployment
grows.
WPA EAP and WPA2 EAP support is only available in Access Point Mode. Bridge Mode
supports WPA PSK and WPA2 PSK.
To configure WPA or WPA2 security on the SonicWALL, perform the following tasks:
2. Under Encryption Mode, select a WPA or WPA2 authentication type from the
Authentication Type list. You can choose from the following authentication types:
WPA-PSK
WPA-EAP
WPA2-PSK
WPA2-EAP
WPA2-AUTO-PSK
WPA2-AUTO-EAP
The screen changes to display the configurable fields. The same configuration fields are
displayed for all authentication types that employ PSK, and the same configuration fields
are displayed for all authentication types that employ EAP.
a per-packet basis.
Select one of the following to determine when to update the key in the Group Key Update
pull-down list:
If you selected By Timeout, enter the number of seconds before WPA or WPA2
automatically generates a new group key into the Interval field.
Type the passphrase from which the key is generated into the Passphrase field.
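The following is an added example written for this guide, not SonicOS code. It shows what the appliance does with the Passphrase field: IEEE 802.11i maps the passphrase and the SSID to the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 at 4096 iterations, and every WPA/WPA2-PSK implementation derives the same PMK. That is why passphrase strength matters: the second function is the offline guess loop an attacker runs after capturing one client's handshake. The word list is constructed sample data; the first test vector ("password" with SSID "IEEE") is the one published with the standard.

```python
"""Added example for this guide (not SonicOS code): deriving the WPA/WPA2
Pairwise Master Key from a passphrase, and why a weak passphrase is exposed
to offline guessing. The word list below is constructed sample data."""
import hashlib


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 32 bytes).
    A 64-character string is taken as the raw hex PMK, as 802.11 specifies;
    otherwise the passphrase must be 8 to 63 printable ASCII characters."""
    if len(passphrase) == 64:
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32)


def recover_passphrase(target_pmk: bytes, ssid: str, candidates):
    """Offline guess loop. A real attacker checks each guess against the MIC of
    a captured 4-way handshake rather than against the PMK itself, but the cost
    per guess is identical: one PBKDF2 run per candidate. Because the SSID is
    the salt, tables can be precomputed for common SSIDs, so a default or
    shared SSID makes this cheaper still. Returns the match or None."""
    for guess in candidates:
        try:
            if pmk_from_passphrase(guess, ssid) == target_pmk:
                return guess
        except ValueError:          # candidate outside the 8-63 char rule
            continue
    return None


# Constructed sample word list (not a real dictionary).
SMALL_WORDLIST = ["letmein1", "password", "sonicwall", "hunter22"]

if __name__ == "__main__":
    pmk = pmk_from_passphrase("password", "IEEE")
    print("PMK:", pmk.hex())
    print("recovered:", recover_passphrase(pmk, "IEEE", SMALL_WORDLIST))
```

The derivation is deliberately slow (4096 HMAC rounds), but that only buys a few thousand guesses per second per core against a dictionary passphrase; a random passphrase of 20 or more characters puts the search out of reach, which is the practical reason for the guidance given above under Pre-Shared Key.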
1. Type the IP address of the primary RADIUS server into the Radius Server 1 IP field.
2. Type the port number used to communicate with the primary RADIUS server into the Port
field.
3. Type the password for access to the primary RADIUS server into the Radius Server 1
Secret field.
4. Type the IP address of the secondary RADIUS server into the Radius Server 2 IP field.
5. Type the port number used to communicate with the secondary RADIUS server into the
Port field.
6. Type the password for access to the secondary RADIUS server into the Radius Server 2
Secret field.
The RADIUS shared secret is all that protects the exchange between the appliance and the
server, so use a long random secret that is unique to this appliance and keep the path
between the appliance and the RADIUS server on a trusted network.
When the appliance is configured for Wireless Client Bridge mode, only a subset of the
options on the Wireless > Advanced page are applicable. The other settings are inherited
from the access point to which you are bridging.
This section describes how to configure advanced wireless settings for both SonicOS Standard
and SonicOS Enhanced. To do this, perform the following steps:
2. Expand the Wireless tree and click Advanced. The Advanced screen displays.
Note
The Wireless > Advanced page provides different options for SonicOS Standard and
SonicOS Enhanced. Also, SonicOS Standard 3.8 displays six more fields than earlier
versions of SonicOS Standard. The SonicOS Enhanced page has different fields than those in
SonicOS Standard.
3. Select Hide SSID in Beacon if you do not want the appliance to advertise the SSID in its
beacon frames. The network then does not appear in the network lists of clients that do not
already know the SSID, which keeps it out of sight of casual drive-by scanning.
Note
This provides only marginal security, because Probe Responses and other 802.11 frames
contain the SSID: a passive listener learns the name as soon as a legitimate client associates,
and clients configured for a hidden SSID actively probe for that name wherever they go. Do not
rely on it in place of WPA2 authentication and encryption.
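The following is an added example written for this guide, not SonicOS code, that makes the note above concrete for both this option and the Hide SSID in Beacon option in the SonicPoint profile. It parses the information elements of 802.11 management frame bodies and shows that a beacon with a hidden SSID discloses nothing, while the Probe Response from the same access point and the Probe Request from a client looking for it both carry the name. The three frame bodies are constructed by hand for the example, not captured from a SonicPoint; the SSID "corp-wifi" is made up.

```python
"""Added example for this guide (not SonicOS code): why "Hide SSID in Beacon"
is only marginal. Parses the tagged information elements of 802.11 management
frame bodies. All frame bodies below are constructed sample data."""
import struct

SSID_IE = 0
SUPPORTED_RATES_IE = 1
DS_PARAM_IE = 3          # carries the channel number

# Beacon and Probe Response bodies start with 12 bytes of fixed fields
# (timestamp, beacon interval, capability); Probe Request bodies do not.
FIXED_FIELDS = {"beacon": 12, "probe_resp": 12, "probe_req": 0}


def parse_ies(body: bytes, offset: int):
    """Return a list of (element_id, payload) TLVs starting at offset, refusing
    to read past the end of the body (a length byte that overruns the frame is
    a classic parser bug, so it is checked rather than trusted)."""
    ies = []
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated element header")
        eid, length = body[offset], body[offset + 1]
        payload = body[offset + 2: offset + 2 + length]
        if len(payload) != length:
            raise ValueError("element length runs past end of frame")
        ies.append((eid, payload))
        offset += 2 + length
    return ies


def ssid_of(frame_type: str, body: bytes):
    """Return the SSID a frame discloses, or None when the element is absent
    or hidden (zero length, or all NUL bytes, the two common hiding styles)."""
    for eid, payload in parse_ies(body, FIXED_FIELDS[frame_type]):
        if eid == SSID_IE:
            if len(payload) == 0 or payload.strip(b"\x00") == b"":
                return None
            return payload.decode("utf-8", errors="replace")
    return None


def ie(eid: int, payload: bytes) -> bytes:
    return bytes([eid, len(payload)]) + payload


# Constructed sample frames. Fixed fields: timestamp, 100 TU interval, ESS+privacy bits.
_fixed = struct.pack("<QHH", 0x1234, 100, 0x0011)
_rates = ie(SUPPORTED_RATES_IE, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]))
_chan6 = ie(DS_PARAM_IE, bytes([6]))
HIDDEN_BEACON = _fixed + ie(SSID_IE, b"") + _rates + _chan6          # SSID hidden
PROBE_RESPONSE = _fixed + ie(SSID_IE, b"corp-wifi") + _rates + _chan6
CLIENT_PROBE_REQUEST = ie(SSID_IE, b"corp-wifi") + _rates            # client asks by name


def disclosed_ssids(frames):
    """Map each captured frame to the SSID it reveals. A passive listener needs
    only one of them to learn a hidden network's name."""
    return {name: ssid_of(kind, body) for name, (kind, body) in frames.items()}


if __name__ == "__main__":
    capture = {"beacon": ("beacon", HIDDEN_BEACON),
               "probe_resp": ("probe_resp", PROBE_RESPONSE),
               "probe_req": ("probe_req", CLIENT_PROBE_REQUEST)}
    print(disclosed_ssids(capture))
```

Running the sample capture through disclosed_ssids returns None for the beacon and "corp-wifi" for both probe frames, which is exactly the gap the note describes: hiding the SSID changes what the access point advertises, not what the protocol transmits.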
4. Enter how often (in milliseconds) a beacon is sent in the Beacon Interval field.
Decreasing the interval makes passive scanning more reliable and faster because
Beacon frames announce the network to wireless clients more frequently.
5. To specify the maximum number of wireless clients, enter the limit in the Maximum Client
Associations field. Wireless clients are devices that attempt to access the wireless
SonicWALL appliance.
6. Select the antenna to use from the Antenna Diversity menu:
Best: This is the default setting. When Best is selected, the SonicWALL Wireless
automatically selects the antenna with the strongest, clearest signal. In most cases,
Best is the optimal setting.
1: Select 1 to restrict the SonicWALL Wireless to use antenna 1 only. Facing the
rear of the SonicWALL, antenna 1 is on the left, closest to the console port. You can
disconnect antenna 2 when using only antenna 1.
2: Select 2 to restrict the SonicWALL Wireless to use antenna 2 only. Facing the
rear of the SonicWALL, antenna 2 is on the right, closest to the power supply. You
can disconnect antenna 1 when using only antenna 2.
Select High from the Transmit Power menu to send the strongest signal on the WLAN.
For example, select High if the signal is going from building to building. Medium is
recommended for office to office within a building, and Low or Lowest is recommended
for shorter distance communications. Use the lowest power that covers the intended area:
excess power extends the footprint of the network beyond your premises, where it can be
received and probed.
Select Short or Long from the Preamble Length menu. Short is recommended for
The Fragmentation Threshold (bytes) is 2346 by default. Increasing the value means
that frames are delivered with less overhead, but a lost or damaged frame must be
discarded and retransmitted in full.
The default value for the DTIM Interval is 3. Increasing the DTIM Interval value allows
The Station Timeout (seconds) is 300 seconds by default. If your network is very busy,
you can increase the timeout by increasing the number of seconds in this field.
For SonicOS Standard 3.8 and above, select the wireless transmission rate from the
Data Rate pull-down list. You can select Best or a value between 1 and 54 megabits
per second (Mbps). The default is 48 Mbps.
For SonicOS Standard 3.8 and above, in the Protection Mode pull-down list, select
None, Always or Auto. Use Always or Auto to prevent transmission frame collisions
when you have multiple wireless nodes.
For SonicOS Standard 3.8 and above, in the Protection Rate pull-down list, select 1
Mbps, 2 Mbps, 5 Mbps or 11 Mbps. The Protection Rate specifies the transmission
rate for the Request-To-Send (RTS) and Clear-To-Send (CTS) frames. The default is 5
Mbps.
For SonicOS Standard 3.8 and above, in the Protection Type pull-down list, select
For SonicOS Standard 3.8 and above, in the CCK OFDM Power Delta pull-down list,
select 0 dBm, 1 dBm or 2 dBm. Complementary Code Keying (CCK) and Orthogonal
Frequency Division Multiplexing (OFDM) are the modulation schemes used by 802.11b and
802.11g respectively. This field specifies the difference in transmit power between the two,
expressed in dBm (decibels relative to one milliwatt). Zero dBm equals one milliwatt, and
2 dBm is about 1.6 milliwatts, less than two milliwatts.
For SonicOS Standard 3.8 and above, select the Enable Short Slot Time checkbox to
shorten the time a station waits before transmitting. The slot time is the basic unit of the
802.11 back-off timer; a shorter slot raises throughput but requires every associated station
to support it. The default is to enable a short slot time.
7. When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
2. Expand the Wireless tree and click MAC Filter List. The MAC Filter List screen displays.
Note
The MAC Filter List provides different options in SonicOS Standard and SonicOS
Enhanced. SonicOS Enhanced provides pull-down lists for the Allow and Deny lists.
3. To enable the MAC filter list for the selected device(s), select the Enable MAC Filter List
check box.
4. For SonicOS Standard, to add a MAC address to the filter list, enter the address in the MAC
Address List field, check either Allow or Block, and add any comments to the Comment field.
8. Click Accept.
9. Repeat these steps for each MAC address that you want to add in SonicOS Standard.
10. When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance(s). To clear all screen settings and start over, click Reset.
11. For SonicOS Enhanced only, select one of the options from the Allow List and Deny List
list boxes.
This view does not display the detected wireless access points, but offers a link to schedule a
Rogue Access Point report. To access the group level view, select a group of appliances from
the list.
This view displays all the wireless access points detected by the SonicWALL security appliance
and information about each discovered access point. To access the unit level view, select an
appliance from the Model View list.
Step 3
Select Enable Client Null Probing Detection to enable client null probe detection.
Step 4
b. To block the MAC address of a computer or device attempting this attack, select the Block
station's MAC address in response to an association flood field.
At Unit level
To gain access to a network, an attacker can set up a rogue access point that intercepts
communications from legitimate users attempting to reach a legitimate access point. This
man-in-the-middle attack can expose passwords and other network resources.
Step 3
To enable detection of Rogue Access Points, select the checkbox for Enable Rogue Access
Point Detection.
Step 4
Click the Authorized Access Points pull-down and select an entry from the list.
Step 5
Click the Update button. To put the IDS settings back to default, click the Reset button.
Note
IDS logging and notification can be enabled under Log > Enhanced Log Settings by
selecting the WLAN IDS checkboxes under the Categories section.
SonicOS Standard
In SonicOS Standard only, to prevent rogue access points, you must specify each authorized
access point within the network.
Step 1
Enter the MAC address of an access point in the MAC Address (BSSID) field.
Step 4
Enter a Description.
Step 5
Select a Schedule: Default or Immediate.
Step 6
Click the Update button. To clear all screen settings and start over, click Reset.
SonicOS Enhanced
Step 1
Select one of the options from the Authorized Access Points pull-down list.
Step 2
Click the Update button. To clear all screen settings and start over, click Reset.
Step 2
Click the link for Request Discovered Access Points Information from Firewall.
Step 3
Enter a Description.
Step 4
Select a Schedule: Default or Immediate.
Warning
Non-persistent, stateless protocols (such as HTTP) should not exhibit any ill-effects.
If service disruption is a concern, it is recommended that the Scan Now feature not
be used while the SonicWALL security appliance is in Access Point mode until such
a time that no clients are active, or the potential for disruption becomes acceptable.
Scanning for Access Points
Step 4
Enter a Description.
Step 5
Select a Schedule: Default or Immediate.
The Discovered Access Points table displays information on every access point that is
detected by the wireless radio:
Table 24 Discovered Access Points columns
MAC Address (BSSID): The MAC address of the radio interface of the detected access point.
SSID: The radio SSID of the access point.
Channel: The radio channel used by the access point.
Manufacturer: The manufacturer of the access point. SonicPoints show a manufacturer of
either SonicWALL or Senao.
Signal Strength: The strength of the detected radio signal.
Secure: A lock icon shows whether the connection offered by the access point is secured. If
the lock icon is present, the access point has a secured connection.
Max Rate: The fastest allowable data rate for the access point radio.
Authorize: Adds the access point to the address object group of authorized access points.
Access Points detected by the security appliance are regarded as rogues until they are
identified to the security appliance as authorized for operation. Perform the following steps to
authorize an access point:
Step 1
In the Discovered Access Points list, locate the desired Rogue Access Point and click the Edit
icon in the Authorize column.
Step 2
Note
Click OK.
To unauthorize an access point, remove it from the Address Object Group of Authorized
Access Points.
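The rule above (a detected access point is a rogue until its BSSID is in the authorized address object group) is easy to apply in bulk when reviewing an export of the Discovered Access Points table. The following is an added example, not code from the GMS guide or from GMS itself; the table rows, BSSIDs and the "managed SSIDs" input are constructed and the ranking of rogues is this example's own addition.

```python
"""Classify the radio's discovered access points as authorized or rogue.

Added example, not code from the SonicWALL GMS guide or from GMS itself. It models the
Discovered Access Points table columns listed above and the guide's rule that a detected
access point is a rogue until its BSSID is in the Authorized Access Points address object
group. All sample rows and BSSIDs below are constructed; the "managed SSIDs" input is an
assumption used to rank rogues that advertise one of your own network names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredAP:
    bssid: str             # MAC Address (BSSID) column
    ssid: str
    channel: int
    manufacturer: str
    signal_strength: int   # percent, as the Signal Strength column shows it
    secure: bool           # the lock icon in the Secure column
    max_rate: str


def normalize_bssid(bssid):
    """Canonical lowercase colon form so 00-06-B1-.. and 00:06:b1:.. compare equal."""
    digits = bssid.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_access_points(discovered, authorized_bssids, managed_ssids=()):
    """Split discovered APs into authorized and rogue entries.

    Returns a dict with:
      authorized            - APs whose BSSID is in the authorized group
      rogue                 - every other AP as (priority, ap), most urgent first
      unsecured_authorized  - authorized APs whose Secure lock icon is absent
    Rogue priority 0 advertises one of your managed SSIDs (looks like your network
    but is not yours), 1 is any other rogue with no link security, 2 is any other rogue.
    """
    allowed = {normalize_bssid(b) for b in authorized_bssids}
    managed = {s.lower() for s in managed_ssids}
    result = {"authorized": [], "rogue": [], "unsecured_authorized": []}
    for ap in discovered:
        if normalize_bssid(ap.bssid) in allowed:
            result["authorized"].append(ap)
            if not ap.secure:
                result["unsecured_authorized"].append(ap)
            continue
        if ap.ssid.lower() in managed:
            priority = 0
        elif not ap.secure:
            priority = 1
        else:
            priority = 2
        result["rogue"].append((priority, ap))
    # Strongest signal first within a priority: the closest rogue is the easiest to locate.
    result["rogue"].sort(key=lambda pair: (pair[0], -pair[1].signal_strength))
    return result


# Constructed sample data standing in for the GMS Discovered Access Points table.
SAMPLE_DISCOVERED = [
    DiscoveredAP("00:06:B1:11:22:33", "corp-wifi", 6, "SonicWALL", 78, True, "54 Mbps"),
    DiscoveredAP("00-06-B1-44-55-66", "corp-wifi", 11, "Senao", 65, True, "54 Mbps"),
    DiscoveredAP("02:1A:2B:3C:4D:5E", "corp-wifi", 1, "Unknown", 91, False, "54 Mbps"),
    DiscoveredAP("AA:BB:CC:DD:EE:01", "Free WiFi", 6, "Unknown", 40, False, "11 Mbps"),
    DiscoveredAP("AA:BB:CC:DD:EE:02", "neighbour-net", 3, "Unknown", 22, True, "54 Mbps"),
]
# Constructed authorized address object group; differing MAC notation is tolerated.
SAMPLE_AUTHORIZED = ["00:06:b1:11:22:33", "00:06:B1:44:55:66"]


def rogue_report(result):
    """One line per rogue, most urgent first, suitable for an IDS review ticket."""
    labels = {0: "SSID-COLLISION", 1: "OPEN", 2: "ROGUE"}
    return [f"{labels[p]} {ap.bssid} ssid={ap.ssid!r} ch={ap.channel} "
            f"signal={ap.signal_strength}%" for p, ap in result["rogue"]]


if __name__ == "__main__":
    res = classify_access_points(SAMPLE_DISCOVERED, SAMPLE_AUTHORIZED, ["corp-wifi"])
    print("\n".join(rogue_report(res)))
```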
Note
Wireless Rogue Access Point Reporting is supported on SonicOS Enhanced 5.6 or higher
firmware.
1. Zone - The zone is the backbone of your VAP configuration. Each zone you create will have
its own security and access control settings, and you can create and apply multiple zones
to a single physical interface by way of Wireless Subnets.
2. Wireless Interface - The W0 interface (and its WLAN subnets) represents the physical
connections between the SonicWALL firewall appliance and the internal wireless radio.
Individual zone settings are applied to these interfaces and forwarded to the wireless radio.
3. DHCP Server - The DHCP server assigns leased IP addresses to users within specified
ranges, known as Scopes. The default ranges for DHCP scopes are often excessive for
the needs of most wireless deployments, for instance, a scope of 200 addresses for an
interface that will only use 30. Because of this, DHCP ranges must be set carefully in order
to ensure the available lease scope is not exhausted.
4. Virtual Access Point Profile - The VAP Profile feature allows for creation of wireless
configuration profiles which can be easily applied to new wireless Virtual Access Points as
needed.
5. Virtual Access Point - The VAP Objects feature allows for setup of general VAP settings.
SSID and wireless subnet name are configured through VAP Settings.
6. Virtual Access Point Group - The VAP Group feature allows for grouping of multiple VAP
objects to be simultaneously applied to a single internal wireless radio.
7. Assign VAP Group to Internal Wireless Radio - The VAP Group is applied to the internal
wireless radio and made available to users through multiple SSIDs.
2. In the Virtual Access Objects Search section, select the attribute you want to search for:
Attribute        Search types
Name/SSID
Authentication   Equals
Cipher           Equals
Max Clients      = yes, = no
1.
2.
3.
4.
Select a Subnet Name to associate this VAP with. Settings for this VAP will be inherited
from the subnet you select from this list.
5.
Select the Enable Virtual Access Point checkbox to enable the VAP.
6.
Select the Enable SSID Suppress checkbox to suppress broadcasting of the SSID name
and disable responses to probe requests. Check this option if you do not wish for your
SSID to be seen by unauthorized wireless clients. Clients will have to know the SSID name
ahead of time and manually enter it to connect to the VAP.
7.
8.
Select the VAP Schedule Name to configure when the VAP will be enabled.
9.
The Radio Type is set to Wireless-Internal-Radio by default. Retain this default setting if
using the internal radio for VAP access (currently the only supported radio type).
10. Enter a Profile Name to set a friendly name for this VAP Profile. Choose something
descriptive and easy to remember as you will later apply this profile to new VAPs.
11. Select an Authentication Type. Below is a list of available authentication types with
Open: In open-system authentication, the SonicWALL allows the wireless client access
Shared: Uses WEP and requires a shared key to be distributed to wireless clients
Both: (Open System & Shared Key.) The Default Key assignments are not important
as long as the identical keys are used in each field. If Shared Key is selected, then the
key assignment is important.
WPA-PSK: WPA is more secure than an open network, but not as secure as WPA2.
PSK allows WPA to generate keys from a pre-shared passphrase that you configure.
The keys are updated periodically based on time or number of packets. Use PSK in
smaller deployments where you do not have a RADIUS server.
WPA-EAP: EAP allows WPA to synchronize keys with an external RADIUS server. The
keys are updated periodically based on time or number of packets. Use EAP in larger,
enterprise-like deployments where you have an existing RADIUS framework.
WPA2-AUTO-EAP: First attempts to connect using WPA2-EAP security, but will default
12. The Unicast Cipher will be automatically chosen based on the authentication type.
13. The Multicast Cipher will be automatically chosen based on the authentication type.
14. Enter a value for Maximum Clients to set the maximum number of concurrent client
connections permissible for this virtual access point.
connect to the VAP. You have two options for configuring the MAC filter list:
Select Use Global ACL Settings, or
Select an Address Object Group for the Allow List and/or the Deny List.
17. Click OK.
2.
3.
Select the VAP Schedule Name to configure when the VAP will be enabled.
4.
The Radio Type is set to Wireless-Internal-Radio by default. Retain this default setting if
using the internal radio for VAP access (currently the only supported radio type).
5.
Enter a Profile Name to set a friendly name for this VAP Profile. Choose something
descriptive and easy to remember as you will later apply this profile to new VAPs.
6.
Shared: Uses WEP and requires a shared key to be distributed to wireless clients
Both: (Open System & Shared Key.) The Default Key assignments are not important
as long as the identical keys are used in each field. If Shared Key is selected, then the
key assignment is important.
WPA-PSK: WPA is more secure than an open network, but not as secure as WPA2.
PSK allows WPA to generate keys from a pre-shared passphrase that you configure.
The keys are updated periodically based on time or number of packets. Use PSK in
smaller deployments where you do not have a RADIUS server.
WPA-EAP: EAP allows WPA to synchronize keys with an external RADIUS server. The
keys are updated periodically based on time or number of packets. Use EAP in larger,
enterprise-like deployments where you have an existing RADIUS framework.
WPA2-AUTO-EAP: First attempts to connect using WPA2-EAP security, but will default
7.
The Unicast Cipher will be automatically chosen based on the authentication type.
8.
The Multicast Cipher will be automatically chosen based on the authentication type.
9.
Enter a value for Maximum Clients to set the maximum number of concurrent client
connections permissible for this virtual access point.
connect to the VAP. You have two options for configuring the MAC filter list:
Select Use Global ACL Settings, or
Select an Address Object Group for the Allow List and/or the Deny List.
12. Click OK.
CHAPTER 26
Configuring Firewall Wireless Guest Services
This chapter describes how to configure Wireless Guest Services (WGS) on WGS-enabled
appliances running SonicOS Standard. For appliances running SonicOS Standard, these
configuration options are available at the unit level. Wireless Guest Services allows the
administrator to configure wireless access points for guest access. It supports optional custom
login pages and user accounts, and is compatible with several different authentication methods,
including those which require external authentication. Included in this chapter are the following
sections:
Denying Access to Networks with the IP Deny List section on page 608
Note
2.
In the center pane, navigate to WGS > Settings. The Settings page displays.
3.
To enable Wireless Guest Services on this device, select the Enable Wireless Guest
Services check box.
4.
Check the Bypass Guest Authentication checkbox to allow a SonicPoint running WGS to
integrate into environments which are already using some form of user-level authentication.
This feature automates the WGS authentication process, allowing wireless users to reach
WGS resources without requiring authentication.
The Bypass Guest Authentication feature should only be used when unrestricted WGS
access is desired, or when another device upstream of the SonicPoint is enforcing
authentication.
5.
Check the Bypass Filters for Guest Accounts check box to disable filtering for guest
accounts.
6.
Check the Dynamic Address Translation (DAT) checkbox to enable DAT. This option
saves wireless clients the hassle of reconfiguring their IP address and network settings. If
this option is disabled (unchecked), wireless guest users must either have DHCP enabled,
or an IP addressing scheme compatible with the SonicPoint's network settings.
7.
Check the Enable SMTP Redirect checkbox and enter the following information:
Server IP: enter an SMTP Server IP address to which to redirect SMTP traffic.
Server Port: enter the port number for SMTP traffic on the Server. This is available at the
group and global level, and for units running SonicOS Standard 3.8 and above. The default
port is 25.
8.
Check the Custom Post Authentication Redirect page checkbox and enter a URL to
redirect wireless guests to a custom page after successful login.
9.
To limit the number of concurrent guests, enter the maximum number in the Maximum
Concurrent Guests field.
10. To add a new guest, click Add New Wireless Guest. Refer to the Adding a Guest section
on page 607.
11. When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Adding a Guest
You can add a new guest to Wireless Guest Services from the WGS > Settings page.
To add a guest:
1.
2.
Click Add New Wireless Guest. The Add New Wireless Guest dialog box displays.
3.
In the Account Profile pull-down list, select the WGS account profile to use for this account.
This field is only visible when one or more WGS profiles have been created in the current view.
Views that provide the WGS Profiles screen include the global and group levels, and unit level
for appliances running SonicOS Standard 3.8 and above.
4.
5.
Select the Auto-Prune Account checkbox to automatically remove the account when its
lifetime expires.
6.
Select the Enforce login uniqueness checkbox to prevent more than one guest from
logging in with the account at the same time.
7.
In the Account Name field, enter the username for the guest account.
8.
In the Account Password field, enter the password for the guest account.
9.
In the Confirm Password field, re-enter the password for the guest account.
10. In the Account Lifetime field, select the maximum lifetime of the guest account.
11. In the Session Timeout field, set the time limit for a guest login session.
12. In the Idle Timeout field, enter a number and select a time period that the guest can be idle
Note
2.
Expand the WGS tree and click URL Allow List. The URL Allow List page displays.
3.
To enable the URL Allow List, select the Enable URL Allow List for Unauthenticated
Users check box.
4.
To add a URL to the URL Allow List, enter a URL in the Allowed URLs text field and click
Add. Repeat this step for each URL that you would like to add. To delete a URL in the URL
Allow List, check the box next to the URL to delete and click the trash can icon.
5.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Note
2.
Expand the WGS tree and click IP Deny List. The IP Deny List page displays.
3.
To enable the IP Deny List, select the Enable IP Address Deny List for Authenticated
Users check box.
4.
To add an entry to the IP Deny List, enter an IP address and subnet mask and click Add IP
Deny Entry. Repeat this step for each address range that you would like to add. To delete an
entry from the IP Deny List, check the box next to the entry to delete and click the trash can icon.
5.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Note
2.
Expand the WGS tree and click Custom Login. The Custom Login page displays.
3.
To customize the login page, select the Customize Login Page check box.
4.
To display the custom login page only when the connection is made through the Wireless
LAN, select the Display Custom Login Page on WLAN Only check box.
5.
The body of the login page will contain the username and password fields that the user must
access to authenticate with the SonicWALL appliance. To configure the header and footer
text, select from the following:
To display custom header and footer URLs, enter the URLs in the Custom Header URL
To enter custom text for the header and footer, enter the text in the Custom Header
6.
When you are finished, click Update. The settings are changed for the selected SonicWALL
appliance. To clear all screen settings and start over, click Reset.
Note
2.
Expand the WGS tree and click External Authentication. The External Authentication
page displays.
3.
Check the Enable External Guest Authentication checkbox to enable the external
authentication feature and configure the tabs as follows:
Enter a Secure Communications Port and select a Client Redirect Protocol for client
redirect. This port and protocol (HTTP or HTTPS) are used by the SonicWALL security
appliance when performing the initial internal client redirect via the Please wait while you
are being redirected page, prior to redirection to the LHM server.
2.
Select the Web Server Protocol (HTTP or HTTPS) running on your LHM server from the
pull-down list.
3.
Enter the IP or resolvable FQDN of the LHM server in the Host field.
4.
Enter the TCP port of operations for the selected protocol on the LHM server in the Port
field.
5.
Enter the duration of time, in seconds, before the LHM server is considered unavailable in
the Connection Timeout field. On timeout the client will be presented with the Server
Down message configured on the Web Content tab.
6.
Select the Enable Message Authentication checkbox to use HMAC digest and embedded
querystring in communication with the LHM server. This option is useful if you are
concerned about message tampering when HTTP is used to communicate with the LHM
server.
7.
When using Message Authentication, select the Authentication Method from the
pull-down menu. You can select from MD5 or SHA1.
8.
When using Message Authentication enter a Shared Secret. The shared secret for the
hashed MAC, if used, also needs to be configured on the LHM server scripts.
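Steps 6 to 8 describe the appliance side of Message Authentication; the LHM server scripts have to do the matching verification, and that is where tampering with the redirect is actually caught. The following is an added example, not code from the GMS guide or from SonicWALL's LHM scripts: the parameter names, the "hmac" query parameter and the rule that the digest covers all other parameters in the order sent are assumptions and must be matched to the appliance's actual LHM scheme.

```python
"""Verify the HMAC digest on an LHM redirect query string (server side).

Added example, not code from the SonicWALL GMS guide or from the LHM server scripts. The
page says only that Message Authentication adds an HMAC digest (MD5 or SHA1, keyed with
the Shared Secret) to the querystring the appliance sends to the LHM server. The parameter
name "hmac", the other parameter names and the rule "the digest covers all other parameters
in the order sent" are assumptions here; match them to the real LHM scheme before use.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# The two Authentication Method choices the page lists; prefer SHA1 where both sides allow it.
DIGEST_ALGORITHMS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def sign_query(params, shared_secret, method="SHA1"):
    """Hex HMAC over the URL-encoded parameter list, as the sending side would compute it."""
    digestmod = DIGEST_ALGORITHMS[method]
    message = urlencode(params).encode("utf-8")
    return hmac.new(shared_secret.encode("utf-8"), message, digestmod).hexdigest()


def build_redirect_query(params, shared_secret, method="SHA1", sig_param="hmac"):
    """Appliance side: the query string with the digest appended as the last parameter."""
    return urlencode(params) + f"&{sig_param}=" + sign_query(params, shared_secret, method)


def verify_redirect_query(query_string, shared_secret, method="SHA1", sig_param="hmac"):
    """LHM server side. Returns (ok, params); ok is False and params is {} unless exactly
    one digest parameter is present and it matches, compared in constant time."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    received = [v for k, v in pairs if k == sig_param]
    if len(received) != 1:   # digest missing, or duplicated to confuse the parser
        return False, {}
    covered = [(k, v) for k, v in pairs if k != sig_param]
    expected = sign_query(covered, shared_secret, method)
    if not hmac.compare_digest(expected, received[0].lower()):
        return False, {}
    return True, dict(covered)


# Constructed sample: the kind of client details an appliance would hand to the LHM server.
SHARED_SECRET = "example-shared-secret-change-me"   # constructed placeholder
SAMPLE_PARAMS = [
    ("sessionId", "8f3a1c"),                         # constructed placeholder values
    ("clientIp", "192.168.1.77"),
    ("clientMac", "00:11:22:33:44:55"),
    ("redirectUrl", "https://intranet.example/welcome"),
]


def demo():
    """Returns (genuine_ok, tampered_ok, wrong_method_ok) for the constructed sample."""
    query = build_redirect_query(SAMPLE_PARAMS, SHARED_SECRET)
    genuine_ok, _ = verify_redirect_query(query, SHARED_SECRET)
    # A client rewriting its own IP inside the redirect must be rejected.
    tampered = query.replace("192.168.1.77", "192.168.1.10")
    tampered_ok, _ = verify_redirect_query(tampered, SHARED_SECRET)
    # Both sides must be configured with the same Authentication Method.
    wrong_method_ok, _ = verify_redirect_query(query, SHARED_SECRET, method="MD5")
    return genuine_ok, tampered_ok, wrong_method_ok


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False)
```

The digest only protects integrity; when the LHM server is reached over plain HTTP, the client details in the query string are still visible in transit, which is why the page recommends it chiefly as an anti-tampering measure.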
Note
These pages may each be a unique page on the LHM server, or they may all be the same
page with a separate event handler for each status message.
1.
2.
Enter a Login Page. This is the first page to which the client is redirected (e.g.
lhm/accept/default.aspx).
3.
Enter a Session Expiration Page. This is the page to which the client is redirected when
the session expires (e.g. lhm/accept/default.aspx?cc=2). After a session expires, the user
must create a new LHM session.
4.
Enter an Idle Timeout Page. This is the page to which the client is redirected when the idle
timer is exceeded (e.g. lhm/accept/default.aspx?cc=3). After the idle timer is exceeded,
the user can log in again with the same credentials as long as there is time left in the
session.
5.
Enter a Max Session Page. This is the page to which the client is redirected when the
maximum number of sessions has been reached (e.g. lhm/accept/default.aspx?cc=4).
1.
2.
Select Use Default or select Customize and enter a Redirect Message in the text box.
This is the message that will be presented to the client (usually for no more than one
second) explaining that the session is being redirected to the LHM server. This interstitial
page is used (rather than going directly to the LHM server) so that the SonicWALL security
appliance can verify the availability of the LHM server.
3.
Select Use Default or select Customize and enter a Server Down Message in the text
box. This is the message that will be presented to the client if the Redirector determines
that the LHM server is unavailable.
2.
Check the Enable Auto-Session Logout checkbox and configure the two corresponding fields
to set the time increment and the page to which the SonicWALL security appliance will
POST when a session is logged out (either automatically or manually).
3.
Check the Enable Server Status Check checkbox and configure the two corresponding
fields to set the time increment and the page to which the SonicWALL will POST to
determine the availability of components on or behind the LHM server (e.g. a back-end
database).
4.
Check the Session Synchronization checkbox and configure the two corresponding fields
to set the time increment and the page to which the SonicWALL will POST the entire Guest
Services session table. This allows the LHM server to synchronize the state of Guest Users
for the purposes of accounting, billing, or mere curiosity.
5.
When you are finished configuring External Authentication, click the Update button to apply
your changes.
2.
3.
On the WGS Account Profiles page, click Add New WGS Profile. The Add Profile page
displays.
4.
In the WGS Account Profile Settings dialog box, type a descriptive name into the Profile
Name field.
5.
In the User Name Prefix field, type the user name that the guest will log in with. Do not
include the domain.
6.
7.
Select Auto-Prune Account if you want the account to be removed after its lifetime
expires.
8.
Select Enforce Login Uniqueness to prevent multiple logins at the same time for this
account.
9.
For Account Lifetime, enter a number in the first field and then select Days, Hours, or
Minutes from the pull-down list. The account will expire after this time period.
10. For Session Lifetime, enter a number in the first field and then select Days, Hours, or
Minutes from the pull-down list. The guest's login session will expire after this time period.
11. For Idle Timeout, enter a number in the first field and then select Days, Hours, or Minutes
from the pull-down list. The guest will be logged out after being idle for this amount of time.
to start over.
CHAPTER 27
Configuring Firewall Modem Options
Note
For information on configuring wireless WAN (WWAN) settings, see Configuring Firewall
Wireless WAN Options, page 621.
This chapter describes how to configure the dialup settings for SonicWALL SmartPath (SP) and
SmartPath ISDN (SPi) appliances.
SonicWALL SP appliances have a WAN Failover feature that enables automatic use of a built-in
modem to establish Internet connectivity when the primary broadband connection becomes
unavailable. This is ideal when the SonicWALL appliance must remain connected to the
Internet, regardless of network speed.
This chapter contains the following subsections:
For information on configuring WWAN connection profiles, see Configuring the Connection
Profile, page 622 in the Configuring Firewall Wireless WAN Options chapter.
A profile is a list of dialup connection settings that can be used by a SonicWALL SP or
SonicWALL SPi appliance.
To configure a profile, perform the following steps:
1.
2.
Note
3.
In the center pane, navigate to the Modem > Connection Profiles. The profile
configuration page displays.
4.
To create a new profile, enter the name of the profile in the Profile Name field under ISP
User Settings. To edit an existing profile or use an existing profile as a template, select a
profile from the Current Profile pull-down menu.
If you are editing an existing profile, the name in the Current Profile field must match the
existing profile name. If there are no existing profiles, the Current Profile will display the
static message No profiles available.
5.
Enter the primary ISP phone number in the Primary Phone number field.
6.
Enter the backup ISP phone number in the Secondary Phone number field.
7.
Enter the user name associated with the account in the User Name field.
8.
Enter the password associated with the account in the User Password and Confirm User
Password fields.
9.
Automatically.
If the account uses a fixed IP address, select Use the following IP Address and type
Address Automatically.
If the account uses specific DNS servers, select Use the following IP Address and
12. For SPi appliances, you can configure MSN/EAZ and bandwidth on demand. To configure
MSN/EAZ, enter a phone number in the MSN/EAZ field. To enable bandwidth on demand,
click the Bandwidth on Demand box.
If the SonicWALL appliance(s) will only connect to the Internet when data is being sent,
If the SonicWALL appliance(s) will connect to the Internet manually, select Manual
Dial.
14. To enable the modem to disconnect after a period of inactivity, check the Inactivity
Disconnect box and specify how long (in minutes) the modem waits before disconnecting
from the Internet in the Inactivity Timeout field.
15. For SP appliances, specify a maximum connection speed by selecting the speed from the
16. To specify the maximum connection time, check the Max Connection Time box and enter
the maximum connection time (in minutes) in the Max Connection Time field. To configure
the SonicWALL device to allow indefinite connections, enter 0.
17. To specify a time (in minutes) before the connection reconnects, enter the number of
18. For SP appliances, disable call waiting by checking the Disable Call Waiting box and
select the radio button next to the touch tone disabling code. To enter a custom touch tone
disabling code, select the radio button next to Other and specify the code.
19. To allow the modem to attempt a connection multiple times, check the Dial Retries per
20. To specify how long the modem waits between retries, check the Delay Between Retries
21. To disable VPN when dialed, check the Disable VPN when dialed box.
22. For SP appliances, enable the network modem by checking the Enable Network Modem
box.
23. To specify the time periods when the modem can connect, check the Limit Times for
Dialup Profile box and click Configure. The Edit Schedule String pop-up displays.
24. In the Edit Schedule String pop-up, check the box next to the day(s) you want to allow
dial-up connections. Next to the day(s) you select, enter the start and end times between
which dial-up connections will be allowed. Enter the hour and minute in 24-hour format.
26. When you are finished, click Add Profile. The profile is added. To clear all screen settings
Note
2.
3.
4.
For SP appliances, select the Speaker volume pull-down box to configure the speaker
volume On or Off.
5.
Initialize Modem for use in and select the country in the pull-down menu.
To initialize the modem using AT commands, select the radio button next to Initialize
Modem using AT Command and enter the AT command(s) the modem needs to
establish a connection in the text box.
6.
For SPi appliances, you can specify the ISDN protocol by selecting the protocol from the
ISDN Protocol pull-down menu. To connect immediately, click the Connect/Disconnect
button and schedule the connection.
7.
For appliances running SonicOS Enhanced, select the check boxes for any combination of
the following dial on data categories:
NTP packets
GMS Heartbeats
System log emails
AV Profile Updates
SNMP Traps
Licensed Updates
Firmware Update requests
Syslog traffic
8.
For appliances running SonicOS Enhanced, select the check boxes for any combination of
the following Management methods:
HTTP
HTTPS
Ping
SNMP
SSH
9.
For appliances running SonicOS Enhanced, select the check boxes for any combination of
the following User Login methods:
HTTP
HTTPS
For HTTPS, check the box next to Add rule to enable redirect from HTTP to HTTPS.
10. Select a primary profile from the Primary Profile pull-down menu. Optionally, select
alternate profiles from Alternate Profile 1 and, for SP appliances, Alternate Profile 2.
Note
settings:
To enable dialup WAN failover, check the Enable Dialup WAN Failover box.
To enable preempt mode, check the Enable Preempt Mode box.
To enable probing, check the Enable Probing box.
Select a method for probing using the Probe through pull-down menu.
Enter the IP address that the SonicWALL appliance will use to test Internet connectivity
in the Probe Target (IP Address) field. We recommend using the IP address of the
WAN Gateway.
appliance fails over to the modem in the Failover Trigger Level field.
Specify how many times the SonicWALL appliance must successfully reach the probe
Note
1.
2.
3.
4.
To enable remotely triggered dial-out, check the Enable Remotely Triggered Dial-out box.
5.
6.
To enable RIP advertisements through the modem, check the Enable LAN to WAN RIP
during dialup box.
7.
CHAPTER 28
Configuring Firewall Wireless WAN Options
This chapter describes how to configure the Wireless Wide Area Network (WWAN) settings for
SonicWALL security appliances that use 3G and other Wireless WAN functionality to utilize
data connections over cellular networks.
This chapter contains the following subsections:
Primary WAN connection where wire-based connections are not available and cellular is.
Wireless WAN support requires a wireless card and a contract with a wireless network provider.
See the SonicWALL documentation that comes with the security appliance for more
information.
GMS provides for complete management of SonicWALL security appliances that are
WWAN/3G-capable, and running SonicOS Enhanced 3.6 and above.
In the TreeControl pane, select a group view or a SonicWALL appliance to manage. The
appliance must be running SonicOS Enhanced 3.6 or higher, and must support WWAN
functionality.
2.
3.
In the center pane, navigate to the 3G/Modem > Connection Profiles. The profile
configuration page displays. For a group view, the page is slightly different to accommodate
both Modem and WWAN settings.
4.
page 623.
5.
Click Delete Profile to delete the profile specified in the Profile Name field.
6.
7.
To edit an existing profile or use an existing profile as a template, select a profile from the
Current Profile pull-down menu.
Note
If you are editing an existing profile, the name in the Current Profile field must
match the existing profile name. If there are no existing profiles, the Current
Profile will display the static message No profiles available.
2.
To create a new profile, enter the name of the profile in the Profile Name field.
3.
In the Country pull-down list, select the country where the SonicWALL TZ 190 appliance
is deployed.
4.
In the Service Provider pull-down list, select the service provider that you have a cellular
account with. Note that only service providers supported in the country you selected are
displayed in the pull-down list.
5.
In the Plan Type window, select the WWAN plan you have subscribed to with the service
provider, or select Other. If your specific plan type is listed in the pull-down menu, the rest
of the fields in the General section are automatically provisioned. Verify that these fields
are correct and continue in the Parameters section.
6.
Verify that the appropriate Connection Type is selected. Note that this field is automatically
provisioned for most service providers.
7.
Verify that the Dialed Number is correct. Note that the dialed number is *99# for most
service providers.
8.
Enter your username and password in the User Name, User Password, and Confirm User
Password fields, respectively.
9.
Enter the Access Point Name in the APN field. APNs are required only by GPRS devices
and will be provided by the service provider.
To specify a static IP address, select Use the following IP Address and type the IP
2.
If the account uses specific DNS servers, select Use the following IP Address and
type the IP addresses of the primary and secondary DNS servers in the fields.
To Configure Parameters:
1.
If the SonicWALL appliance(s) will only connect to the Internet when data is being sent,
select Dial On Data. To configure the SonicWALL appliance for remotely triggered
dial-out, the Dial Type must be Dial on Data. Refer to the Configuring Advanced
Settings section on page 626
If the SonicWALL appliance(s) will connect to the Internet manually, select Manual
Dial.
2.
Select the Enable Inactivity Disconnect checkbox and enter the number of minutes of
inactivity during which the WWAN connection stays alive before disconnecting from the
Internet. Note that this option is not available if the Dial Type is Persistent Connection.
3.
Select the Enable Max Connection Time checkbox and enter the number of minutes after
which the WWAN connection disconnects, regardless of whether the session is inactive or
not. Enter a value in the Delay Before Reconnect to have the SonicWALL appliance
automatically reconnect after the specified number of minutes.
4.
Select the Dial Retries per Phone Number checkbox and enter a number in the field to
specify the number of times the SonicWALL appliance can attempt to reconnect.
5.
Select the Delay Between Retries checkbox and enter a number in the field to specify the
number of seconds between retry attempts.
6.
Select the Disable VPN when Dialed checkbox to disable VPN connections over the
WWAN interface.
Tip
Select the Enable Data Usage Limiting checkbox to have the WWAN interface become
automatically disabled when the specified data or time limit has been reached for the
month.
If your WWAN account has a monthly data or time limit, it is strongly recommended that you
enable Data Usage Limiting.
2.
Select the day of the month to start tracking the monthly data or time usage in the Billing
Cycle Start Date pull-down menu.
3.
Enter a value in the Limit field and select the appropriate limiting factor: either GB, MB,
KB, or Minutes.
In the left pane, select the SonicWALL appliance to manage. The appliance must be
running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2.
3.
4.
In the Connect On Data Categories section, select the check boxes for any combination
of the following dial on data categories:
NTP packets
GMS Heartbeats
System log emails
AV Profile Updates
SNMP Traps
Licensed Updates
Firmware Update requests
Syslog traffic
The Connect on Data Categories settings allow you to configure the WWAN interface to
automatically connect to the WWAN service provider when the SonicWALL appliance
detects specific types of traffic. To configure the SonicWALL appliance for Connect on Data
operation, you must select Dial on Data as the Dial Type for the Connection Profile.
Refer to the To Configure Parameters: section on page 624.
5.
In the Management/User Login section, select the check boxes for any combination of the
following Management methods:
HTTP
HTTPS
Ping
SNMP
SSH
6.
Select the check boxes for any combination of the following User Login methods:
HTTP
HTTPS
Select Add rule to enable redirect from HTTP to HTTPS to have the SonicWALL
7.
Note
Under Profile Settings, select a primary profile from the Primary Profile pull-down menu.
Optionally, select alternate profiles from Alternate Profile 1 and Alternate Profile 2.
To set up WWAN Interface Monitoring for this unit, go to the Network > WAN Failover & LB
screen.
8.
To return all fields to their default settings and start over, click RESET.
9.
The SonicWALL Security Appliance is configured to be managed using HTTPS, so that the
device can be accessed remotely.
It is recommended that you enter a value in the Enable Max Connection Time field.
This field is located in the 3G/Modem > Connection Profiles screen in the Parameters
section. Refer to the To Configure Parameters: section on page 624 for more information.
If you do not enter a value in this field, dial-out calls will remain connected indefinitely, and
you will have to manually terminate sessions by clicking the Disconnect button.
1.
In the left pane, select the SonicWALL appliance to manage. The appliance must be
running SonicOS Enhanced 3.6 or higher, and must support WWAN functionality.
2.
3.
4.
To enable remotely triggered dial-out, check the Enable Remotely Triggered Dial-out box.
5.
6.
Under WWAN Connection Limit, type the number of simultaneous connections that are
allowed, or enter zero for no limit in the Max Hosts field.
7.
To return all fields to their default settings and start over, click RESET.
8.
627
628
CHAPTER 29
Configuring Firewall Web Filters with
CSM
SonicWALL Content Security Manager (CSM) CF provides appliance-based Internet filtering
that enhances security and employee productivity, optimizes network utilization, and mitigates
legal liabilities by managing access to objectionable and unproductive Web content. This
chapter provides configuration tasks for deploying these services.
This chapter contains the following sections:
2.
Note
3.
4. To enable web filtering using SonicWALL CSM, check the Enable Web Filtering box.
5. Enter a URL cache size in the URL Cache Size (KBs) field. This specifies the URL cache size on the SonicWALL CSM. The default value is 5120 KBs. A larger URL cache size can provide noticeable improvements in Internet browsing response times.
Check the Use Dynamic Rating box to enable the use of the CSM integrated dynamic rating engine, which allows an unrated URL to be dynamically rated in real time. Select either Optimize for speed, which instructs the dynamic rating engine to process less information for faster ratings and lower accuracy, or Optimize for accuracy, which instructs the dynamic rating engine to process more information, resulting in slower ratings and higher accuracy.
Check the Server Responses box to block URLs from Web sites that have compressed content.
6. Enter the session limit in minutes in the Session Limit (Minutes) for Continue option field.
7.
8.
9.
16. If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click the here link in the sentence If you believe that a Web site is rated incorrectly or you wish to submit a new URL, click here. The CFS URL Rating Review Request page displays.
The Web Filters > Policies page displays a category sets table. The Policies table initially lists the default 12 predefined policy groups. Clicking the plus button expands the list to display every policy under the policy group. Policies with an asterisk are part of the *Default policy group. The Policies table lists the following information about *Default and custom policy groups:
Name - The name of the policy group. Clicking the plus button expands the policy group and displays the policies included in the group.
Type - Displays the type of policy, for example: Policy, Default Category, Forbidden Keywords, Forbidden URLs or Trusted URLs.
Action - Displays the action to be performed when a URL or keyword is accessed that fits the category, for example, Block, Log, or Allow.
Comment - Displays a caption icon with comments about the policy. When you move the pointer over the icon, the comment text is displayed. The comment text is entered in the Add Category Set window.
Configure - Includes the Configure icon, which displays the Edit Web Filter Category Set window, and the Delete icon for removing the policy group. The Delete icon is greyed out for the *Default policy.
Clicking the Restore Defaults button removes all custom policies and any policies you added to the *Default policy group.
Clicking Add Policy Group displays the Add Web Filter Policy Group window for adding new policies.
This section contains the following subsections:
1. Click the configure icon under Configure in the Policies table next to the category you want to configure. The Edit Web Filter Category Set window is displayed.
2. The Name field displays the *Default entry, which can be renamed. You must add descriptive text up to 63 characters in length in the Comment field.
3.
4. Select the policy categories you want to add to the *Default policy group. Check the box next to the category you want to add. If you want to remove a policy, uncheck the box next to the policy.
5.
6.
7.
8. Click Accept.
Note
1. Click Add Category Set. The Add Web Filter Category Set window displays.
2. Enter a name in the Name field and a comment in the Comment field.
3. Click the Predefined tab and check the predefined categories you want to add to your category set. For each category, select the action to be performed, either Block, Log, or Allow.
4. Click the Custom tab and check the custom categories you want to add to your category set. For each category, select the action to be performed, either Block, Log, or Allow. To learn how to add custom categories, refer to the Configuring Custom Categories section on page 634.
5. Click the Miscellaneous tab and select the miscellaneous actions to add to the category set. For each action, select the action to be performed, either Block, Log, or Allow.
6.
7.
8.
9. Click Accept.
Restoring Defaults
The Restore Defaults button removes all custom policies and any policies you added to the *Default policy. To restore defaults, perform the following tasks:
1. Click the Restore Defaults button at the bottom of the screen. A confirmation message displays.
2. Click OK.
1.
2.
3.
4. To configure Forbidden URLs to selectively block or allow with logging of the action by the CSM, click Add Forbidden URLs. The Add Forbidden URLs page displays.
5.
6.
7. Enter the URL in the Entry field and click Add. Your entry will appear in the List. To delete an entry, click Delete.
8.
9.
configure.
13. To delete Forbidden URLs, click the delete icon next to the forbidden URL you want to delete.
14. To configure Forbidden Keywords to specify keywords that are substrings of URLs (to allow
want to configure.
23. To delete Forbidden Keywords, click the delete icon next to the forbidden keyword you want to delete.
24. To configure Allowed URLs to specify URLs that are always allowed, click Add Allowed URLs.
25. Enter a name in the Name field.
26. Enter a comment in the Comment field.
27. Enter the URL in the Entry field and click Add. Your entry will appear in the List. To delete
configure.
33. To delete Allowed URLs, click the delete icon next to the allowed URL you want to delete.
2.
3.
4.
Web risks, including Block Cookies, Block ActiveX, Block HTTP Proxy Server, and Block Fraudulent Certificates are always activated as Block and cannot be deleted or modified.
Block Cookies - Cookies are used by Web servers to track Web usage and remember user identity. Cookies can also compromise users' privacy by tracking Web activities.
Block ActiveX - ActiveX is a programming language that embeds scripts in Web pages.
Block HTTP Proxy Servers - When a proxy server is located on the external interface, users can circumvent content filtering by pointing their computer to the proxy server.
Block Fraudulent Certificates - Digital certificates help verify that Web content and files originated from an authorized party. Enabling this feature protects users on the LAN from downloading malicious programs warranted by these fraudulent certificates. If digital certificates are proven fraudulent, then the SonicWALL CSM blocks the Web content and the files that use these fraudulent certificates.
5. To add forbidden file types, click Add Forbidden File Types. Forbidden File Types are groupings of file extensions, including Java Applets, Executable Files, Video Files, Audio Files, and user-specified file types by extension, used for similar purposes. SonicWALL CSM allows you to filter Internet content based on file extension.
6.
7.
8. Enter the file type in the Entry field and click Add. Your entry will appear in the List. To delete an entry, click Delete.
9.
want to configure.
14. To delete Forbidden File Types, click the delete icon next to the forbidden file type you want to delete.
15. To add trusted sites, click the configure button next to Trusted Sites List.
16. Enter a name in the Name field.
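The Allowed URLs, Forbidden URLs, Forbidden Keywords and Forbidden File Types lists above each carry a Block, Log or Allow action. The Python below is an added illustration, not SonicWALL CSM code, of how such lists combine when one URL is checked; the precedence order, the host-based matching and the sample extension groupings are assumptions made for this example.

```python
# Added example, not SonicWALL CSM code: how the list types described above
# combine when one URL is evaluated. The precedence (Allowed URLs first, then
# Forbidden URLs, Forbidden Keywords, Forbidden File Types, else Allow) and
# the host-based matching are assumptions made for this illustration.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Forbidden File Types are groupings of extensions; these groupings are
# constructed samples, not the appliance's built-in definitions.
FILE_TYPE_GROUPS = {
    "Java Applets": (".class", ".jar"),
    "Executable Files": (".exe", ".msi", ".scr"),
    "Video Files": (".avi", ".mp4"),
    "Audio Files": (".mp3", ".wav"),
}


@dataclass
class CsmPolicy:
    # Every forbidden entry maps to its action: Block, Log, or Allow.
    # Allowed URLs carry no action because the guide says they are always allowed.
    allowed_urls: set = field(default_factory=set)
    forbidden_urls: dict = field(default_factory=dict)        # host -> action
    forbidden_keywords: dict = field(default_factory=dict)    # substring -> action
    forbidden_file_types: dict = field(default_factory=dict)  # group name -> action
    custom_file_types: dict = field(default_factory=dict)     # ".ext" -> action


def evaluate(policy: CsmPolicy, url: str):
    """Return (action, reason) for one URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    # 1. Allowed URLs win outright (assumed precedence), matched on host name.
    if host in policy.allowed_urls:
        return "Allow", f"allowed URL {host}"
    # 2. Forbidden URLs, matched on host name.
    if host in policy.forbidden_urls:
        return policy.forbidden_urls[host], f"forbidden URL {host}"
    # 3. Forbidden Keywords are substrings of the URL, so the whole string
    #    (path and query included) is compared case-insensitively.
    lowered = url.lower()
    for keyword, action in policy.forbidden_keywords.items():
        if keyword.lower() in lowered:
            return action, f"forbidden keyword {keyword!r}"
    # 4. Forbidden File Types: predefined groups, then user-specified extensions.
    for group, action in policy.forbidden_file_types.items():
        for ext in FILE_TYPE_GROUPS.get(group, ()):
            if path.endswith(ext):
                return action, f"forbidden file type {group} ({ext})"
    for ext, action in policy.custom_file_types.items():
        if path.endswith(ext.lower()):
            return action, f"forbidden file type (custom {ext})"
    # Web risks (cookies, ActiveX, HTTP proxy servers, fraudulent certificates)
    # are always Block on the appliance and are not part of this URL check.
    return "Allow", "no matching entry"


# Constructed sample policy.
SAMPLE_POLICY = CsmPolicy(
    allowed_urls={"updates.example.com"},
    forbidden_urls={"games.example.net": "Block"},
    forbidden_keywords={"casino": "Log"},
    forbidden_file_types={"Executable Files": "Block", "Video Files": "Log"},
    custom_file_types={".torrent": "Block"},
)


def classify_all(urls, policy=SAMPLE_POLICY):
    """Evaluate a batch of URLs; returns {url: action}."""
    return {u: evaluate(policy, u)[0] for u in urls}


if __name__ == "__main__":
    for url, action in classify_all([
        "http://updates.example.com/tools/setup.exe",  # Allow: allowed host wins over .exe
        "http://games.example.net/play",               # Block: forbidden URL
        "http://news.example.org/casino-report",       # Log: keyword substring
        "http://files.example.org/tool.exe",           # Block: Executable Files group
        "http://files.example.org/show.mp4",           # Log: Video Files group
        "http://files.example.org/get.torrent",        # Block: custom extension
        "http://news.example.org/weather",             # Allow: nothing matched
    ]).items():
        print(f"{action:5} {url}")
```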
2.
3. In the center pane, navigate to Web Filters > Custom Block Page.
4. Type the custom text to be displayed when a blocked site is accessed under Message to Display when Blocking Website.
5. Select the background color from the Background Color pull-down menu.
6.
7.
8.
9.
CHAPTER 30
Configuring Firewall Application Filters
This chapter provides configuration tasks for deploying firewall application filtering services.
Firewall application filtering enhances security and employee productivity and optimizes
network utilization.
2.
3.
4. To update the filter database, click Update Filter Database. The scheduler displays.
5.
6.
7. Click Accept.
8.
9.
range from application filtering, check the Enable Application Filters Exclusion List.
address range in the Address Range Begin field and an ending IP address in the Address Range End field.
CHAPTER 31
Registering and Upgrading SonicWALL
Firewall Appliances
This chapter describes how to register and upgrade your SonicWALL firewall appliances. This
chapter contains the following subsections:
2.
Note
3.
4.
5.
6.
7. Click Accept.
Upgrading Firmware
SonicWALL firmware is updated on a periodic basis to offer new functionality and address any known issues. After a SonicWALL appliance is added to SonicWALL GMS management, its auto-update feature is disabled.
SonicWALL GMS periodically polls the mysonicwall.com site for new firmware versions. Once a new version of firmware is detected and available, SonicWALL GMS sends an email notification to the SonicWALL GMS administrator.
You need to go to your mysonicwall.com account at <https://www.mysonicwall.com> and download the firmware, save the firmware file to the GMS server, and then access the SonicWALL security appliance from GMS.
To upgrade to the latest firmware, perform the following steps:
Note
In order for changes on this page to take effect, the SonicWALL appliance(s) will automatically be restarted. We recommend scheduling the firmware update to run when network activity is low.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3.
4.
that is stored in the local GMS server folder, click Upgrade Firmware using files on the GMS Server.
To upgrade from a firmware file on the local drive of your desktop system, enter the path to the file or click Browse to locate a file. Then, click Upgrade firmware from local file.
(Group view only) To upgrade firmware using the latest version available on
Caution
Upgrading firmware requires that the appliance be restarted. Selecting any of the three firmware upgrade methods displays a warning message that states This will involve restarting the Appliance(s).
Upgrading Licenses
For information on upgrading SonicWALL GMS subscription services (warranty support,
anti-virus, content filtering, etc.) refer to the SonicWALL Upgrades section on page 849.
Searching
The search feature allows you to search for appliances based on registration, subscription and upgrade status. You can print the search results or save them to a PDF file with a single click of the printer icon or PDF icon on the Search Results banner.
The search parameters are pre-populated for retrieving the subscription services that are currently active on the appliance(s). The search is executed and the results are sorted by Expiry Date. To search for appliances, perform the following tasks:
1.
2.
3.
5.
6.
7. Click a header in the table to sort by that variable. For example, to sort by appliance name, click the Appliance Name header.
2.
3.
4.
5. Click a header in the table to sort by that variable. For example, to sort by appliance name, click the Appliance Name header.
1.
2.
3.
4.
Tip
Click a header in the table to sort by that variable. For example, to sort by appliance name, click the Appliance Name header.
You can print the search results by clicking on the printer icon in the Search Results banner. You can also save the search results to a PDF file by clicking on the PDF icon in the banner.
1. In the left pane, select a SonicWALL appliance that has no GVC licenses.
2.
3. In the center pane, navigate to Register/Upgrades > License Sharing. The License Sharing page displays.
4. Select VPN Client Enterprise or Anti-Virus from the List of Services list box.
5. Click Join a License Sharing Group. The Join a License Sharing Group dialog box displays.
6. Select Create a new License Sharing Group With and from the pull-down menu, select the appliance that has the Enterprise GVC license.
7.
8. A pop-up with the member license count displays. Click OK. The scheduler displays.
9.
1. In the left pane, select the global icon, a group, or a SonicWALL appliance.
2.
3. In the center pane, navigate to Register/Upgrades > License Sharing. The License Sharing page displays.
4. Select VPN Client Enterprise or Anti-Virus from the List of Services pull-down menu.
5. Click Join a License Sharing Group. The Join a License Sharing Group dialog box displays.
6. Select Join Existing License Sharing Group and select an LSG from the list box.
7. Click Accept.
8. A pop-up with the member license count displays. Click OK. The scheduler displays.
9.
1. In the center pane, navigate to Register/Upgrades > License Sharing. The License Sharing page displays.
2. Select VPN Client Enterprise or Anti-Virus from the List of Services pull-down menu.
3. Enter a new license value and click Change License Count to.
4. To remove this SonicWALL appliance from the LSG, select Remove from License Sharing Group.
1. In the center pane, navigate to Register/Upgrades > License Sharing. The License Sharing page displays.
2. Select VPN Client Enterprise or Anti-Virus from the List of Services pull-down menu.
3. Click the name of the LSG to view. The License Sharing Group Properties dialog box displays. This dialog box contains detailed information about the total number of licenses, the expiration date of the license, the number of licenses used by each member of the group, and other information.
4. To change the name of the LSG, enter a new name and click Accept.
1.
2.
3. In the center pane, navigate to Register/Upgrades > Used Activation Codes. The Used Activation Codes page displays a list of used activation codes.
4. From the Select sort order pull-down menu, select Activation Code to sort by activation code or Service Name, Activation Code to sort first by service name, then by activation code.
CHAPTER 32
Configuring Firewall Events
This chapter provides configuration procedures for adding, enabling / disabling, deleting, and
editing the Firewall > Events > Alerts page, at a unit or group level. Before you configure an
Event Alert, refer to Chapter 45, Granular Event Management for a detailed overview of the
Granular Event Management feature.
Perform the following steps in the sections listed below:
Adding Alerts
This section details the configuration procedures for adding an alert, selecting an alert type, and
configuring a destination / schedule.
Add Alert
In the Add Alert panel you can enter an alert name and description, select the options for visible to non-administrators and disable, and enter the polling interval. Perform the following steps to add an alert:
1. Select a SonicWALL firewall appliance or group in the left pane. Under the Policies tab, click on Events > Alert Settings.
2. Click the Add Alert link. The Add Alert screen displays.
3.
4. Enable the Visible to Non-Administrators checkbox if you want your Alert to be visible to non-administrators.
5.
6.
Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the definitions of each alert type. Perform the following steps to configure an Alert Type:
1. Click the Alert Type pull-down list and select an alert type.
The table below displays all the Firewall Alert Types and definitions of each alert.
Name - Description
Unit HF Status - Tracks if changes have been made to a unit locally. The value that the threshold will use is Boolean. This value is either True (1) or False (0).
Unit Status - Tracks a Unit's Up/Down status. The value that the threshold will use is Numeric. This value is the number of missed heartbeats that should be counted to mark a unit as down. Edit Content option available.
Tracks if a unit has failed over on the WAN. The value that the threshold will use is String. This value is either m (for modem), w (for wireless), e (for ethernet) or otherwise.
Tracks an SA's tunnel status. The value that the threshold will use is Boolean. This value is either Active/Alive/Up (1) or otherwise (0). Edit Content option available.
Note
When an alert type is selected, a description for that alert is also displayed in the Alert Type panel.
If the Alert Type requires you to Edit Content, a link displays in the Alert Type panel. Editing Contents allows the user to pick additional info, in a granular fashion, on which the alerting has to be performed.
Note
2. Click the Edit Content link. The Edit Contents for Alert Type Unit Status pop-up window displays.
3. Click the Update button. To reset the settings, click the Reset button.
Destination / Schedule
In the Destination / Schedule panel you can add up to 5 destinations and set a schedule for each. Perform the following steps to add a destination and set a schedule:
Note
2. Click the Destination pull-down list, then select an alert destination. The Destination field designates where you want alerts to be sent. You have a maximum number of five destinations.
3. Click the Schedule pull-down list, then select a schedule type. The Schedule field designates the frequency of when you want alerts to be sent to the destination(s).
4.
Enabling/Disabling Alerts
Perform the following steps to enable or disable an alert:
Enabling an Alert
1.
2. Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to enable/disable.
Disabling an Alert
1.
2. Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to enable/disable.
Deleting Alerts
Perform the following steps to delete an alert:
Note
1.
2.
3. Click OK to delete.
You can also delete an alert by clicking the Delete icon under the Configure section of the alert you wish to delete.
Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps to edit an alert:
1.
2. Refer to the Adding Alerts section and follow the configuration procedures to edit your existing Alert.
Current Alerts
To check the status of current alerts for your SonicWALL firewall appliance or group of appliances:
1.
2. Click on the appliance or group you wish to check the alerts for.
3. Navigate to the Events > Current Alerts page. All active alerts for this appliance will be listed under Alert Listing.
CHAPTER 33
Adding SRA Appliances to SonicWALL
GMS
This chapter provides instructions on configuring SonicWALL SRAs for management using
SonicWALL GMS.
To configure a SonicWALL SRA for SonicWALL GMS management, perform the following tasks:
Preparing SRA Appliances for SonicWALL GMS Management section on page 657
2.
3. Type the GMS host name or IP address of the GMS server in the GMS Host Name or IP Address field.
4. Type the GMS syslog server port in the Syslog Server Port field. The default port is 514.
5. Enter the heartbeat interval, in seconds, in the Heartbeat Interval (seconds) field. The maximum heartbeat interval is 86400 (24 hours).
6. Click Apply.
SonicWALL Aventail EX-Series SRA appliances must be licensed before you can enable GMS management in the Aventail Management Console.
When enabling GMS on a SonicWALL Aventail appliance, select Enable single sign-on for AMC configuration if you want direct access to the Aventail Management Console from the SonicWALL GMS right-click menu. If this check box is cleared, you can still open the AMC from the right-click menu, but you must enter your appliance login credentials.
The SonicWALL Aventail EX-Series SRA appliance allows HTTPS access only to its LAN port(s), and not to its WAN port(s). This means that when SonicWALL GMS is deployed outside of the Aventail LAN subnet(s), management traffic must be routed from GMS to a gateway that allows access into the LAN network, and from there be routed to the Aventail LAN port.
2. Click General Settings in the main Aventail Management Console (AMC) navigation menu.
3.
4. Select the Enable GMS management check box, and then enter the host name or IP address of the GMS console, and its port number.
5. In the Heartbeat interval text box, set the interval (in seconds) at which the appliance indicates its readiness to send a report on authentication-related events, in addition to status information. An interval of 60 seconds is typical.
6. Select Enable single sign-on for AMC configuration if you want to be able to open the Aventail Management Console and make changes to its configuration from within GMS. If this setting is cleared, you can still open AMC, but you must first enter your AMC login credentials; this is less convenient, but more secure.
7. Select Send only heartbeat status messages if you want to only manage the appliance and not create reports for the appliance.
For more information about preparing SonicWALL Aventail appliances for SonicWALL GMS management, see the SonicWALL GMS Aventail EX-Series Appliance Management feature module and the SonicWALL / Aventail EX-Series Installation and Administration Guide on the SonicWALL Support Web site: http://www.sonicwall.com/us/Support.html
1. Log in to GMS.
2.
3. In the left-most pane, right click and select Add Unit. The Add Unit popup displays.
4. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.
5. Enter the serial number of the SonicWALL appliance in the Serial Number field. On SonicWALL Aventail appliances, the serial number is found on a sticker on the back of the appliance. Enter it without hyphens into the field.
6.
7. For Aventail deployments, choose to Specify manually and check the Aventail SRA appliance option.
8. Enter the administrator login name for the SonicWALL appliance in the Login Name field. For SonicWALL Aventail SRA appliances, the login name is pre-configured as GMS and cannot be changed.
9. Enter the password used to access the SonicWALL appliance in the Password field.
10. The radio button next to Using HTTPS is automatically selected for SRA deployments.
11. For SonicWALL Aventail SRA appliances, enter 8443 in the HTTPS Port field. Other
12. Click OK. It may take up to a minute for the data to load; a Please Wait pop up displays.
The SonicWALL SRA displays in the left pane of the SonicWALL GMS interface as a yellow icon, which means the unit has not been acquired by SonicWALL GMS. After the appliance has been acquired, the icon will either turn red, indicating that the appliance status is down, or blue, indicating that the appliance status is up. For detailed appliance icon descriptions, refer to the Understanding SonicWALL GMS Icons section on page 18.
It may take up to five minutes for the SonicWALL GMS to establish an HTTPS connection and acquire the SonicWALL appliance for management.
2. In the left pane, right click the SRA appliance you want to modify and select one of the options:
Option - Description
Rename Unit
Modify Unit - Allows you to change the appliance settings, including the unit display name, and appliance login name and password.
Allows you to add the appliance to Net Monitor for real-time monitoring.
Import XML
Login to Unit
Modify Properties
Note
1.
2. In the left pane, right click the SRA appliance you want to delete and select Delete.
3.
CHAPTER 34
Using General SRA Status and Tools
This chapter provides instructions for modifying the general status and tools for SonicWALL
SRAs. To modify the general status and tools of an SRA appliance using GMS, click the SRAs
tab at the top of the screen, then select the Policies tab. In the center pane, select General.
You will see the options Status, Tools and Info. This section contains the following
subsections:
This chapter describes how to register SonicWALL SRA appliances using GMS. Register
SRAs is an option in the Policies tab that registers your SRAs using the account information
you provided when you registered your GMS. This chapter contains the following subsection:
SRA Status
The General > Status section provides the current status of the SRA appliance and allows for
an instant update of appliance information using the Fetch Information button.
The General > Status section provides the following appliance information:
Table 25
SRA Status - Description
SRA Model
Serial Number
Registration Code
Firmware Version
CPU
Management Mode
Primary Agent
Secondary Agent
Tasks Pending
SRA Information
2. Select the Immediate radio button. Alternatively, you can select the At button and specify a date and time for SonicWALL GMS to perform the update.
3. Click Accept. It may take several seconds for GMS to fetch the appliance information. The latest status will be displayed under General > Status.
SRA Tools
The General > Tools section provides the following options: Restart Appliance, Synchronize
Now, Synchronize the Appliance with mysonicwall.com.
Note
The Restart Appliance option is not available for SonicWALL Aventail SRA appliances.
Restarting SRA
To restart the SRA appliance, perform the following tasks:
1.
2. Use the Scheduler to specify a date and time for SonicWALL GMS to perform the update.
Synchronize Now
If a change is made to a SonicWALL appliance through any means other than through SonicWALL GMS, GMS is notified of the change through the syslog data stream. After the syslog notification is received, SonicWALL GMS schedules a task to synchronize its database with the local change. Auto-synchronization automatically occurs whenever SonicWALL GMS receives a local change notification status syslog message from a SonicWALL appliance.
You can also force synchronization at any time for a SonicWALL appliance or a group of SonicWALL appliances.
2. Click OK.
3. Use the Scheduler to specify a date and time for SonicWALL GMS to perform the update.
2.
3. Use the Scheduler to specify a date and time for SonicWALL GMS to perform the update.
It may take several seconds for the SRA to synchronize with mysonicwall.com.
SRA Info
The General > Info section provides the ability to update the contact information for the SRA
appliance.
1.
2.
3. Click Update to update the information, or Reset to clear the form and start over.
1. In the left pane, right-click the SRA you want to register and then select Login to Unit to open its management interface.
2. In the SRA management interface, the System > Status page will be displayed. Record your Serial Number and Authentication Code from the Licenses and Registration box.
3. In the GMS management interface, navigate to the Policies panel. In the center pane, select Register/Upgrades > Register SSL-VPNs.
4. In the right pane, click the Register button. The update scheduler displays.
5. Select the Immediate radio button. Alternatively, you can select the At button and specify a date and time for SonicWALL GMS to perform the update.
6. Click Accept.
You will receive a confirmation in the right pane when the registration has succeeded.
Note
If you receive an error message, navigate to the Console tab, then to Log > View Log. A detailed error message will be displayed.
Note
2.
3. To upgrade the SRA appliance firmware using a file on the GMS server, click Upgrade firmware using files on the GMS Server.
4. To upgrade the SRA appliance firmware using a local file, enter the path and file name of the firmware file in the field next to Upgrade firmware from local file, or click Browse to locate the firmware file. Click Upgrade firmware from local file.
5.
6. The license agreement message displays. Read the message and click OK to agree and download the firmware, or click Cancel to disagree and cancel the firmware upgrade.
2.
3. In the left pane, click the SRA that you want to manage.
4.
5. The SRA management interface opens in a new browser window. This may take several seconds.
You can now manage the SonicWALL SRA directly from the management interface.
For detailed instructions about configuration tasks using the SonicWALL SRA management interface, refer to the SonicWALL SRA Administrators Guide, available at http://www.sonicwall.com/us/Support.html.
Configuring Alerts
This chapter provides configuration procedures for adding, enabling / disabling, deleting, and
editing the SRA > Events > Alerts page, at a unit or group level. Before you configure an Event
Alert, refer to Chapter 45, Granular Event Management for a detailed overview of the
Granular Event Management feature.
Perform the following steps in the sections listed below:
Adding Alerts
This section details the configuration procedures for adding an alert, selecting an alert type, and
configuring a destination / schedule.
Add Alert
In the Add Alert panel you can enter an alert name and description, select the options for visible to non-administrators and disable, and enter the polling interval. Perform the following steps to add an alert:
1. Select a SonicWALL SRA appliance or group in the left pane. Under the Policies tab, click on Events > Alert Settings.
2.
3.
4. Enable the Visible to Non-Administrators checkbox if you want your Alert to be visible to non-administrators.
5.
6.
Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the definitions of each alert type. Perform the following steps to configure an Alert Type:
1. Click the Alert Type pull-down list and select an alert type.
The table below displays all the SRA Alert Types and definitions of each alert.
Name - Description
Unit Status - Tracks a Unit's Up/Down status. The value that the threshold will use is Numeric. This value is the number of missed heartbeats that should be counted to mark a unit as down. Edit Content option available.
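The Unit Status alert in this table, and in the firewall alert table in Chapter 32, counts missed heartbeats against a Numeric threshold using the Heartbeat Interval configured on the appliance (1 to 86400 seconds), while the other firewall alert types compare a Boolean or String value. The Python below is an added example, not GMS code; the unit records, the clock-skew handling and the helper names are constructed assumptions.

```python
# Added example, not SonicWALL GMS code: evaluates the alert-type thresholds
# described in the firewall and SRA alert tables. Unit Status counts missed
# heartbeats against a Numeric threshold; Unit HF Status and SA tunnel status
# use a Boolean threshold; WAN failover uses a String threshold. The unit
# records and timestamps below are constructed samples.
from dataclasses import dataclass

MAX_HEARTBEAT_INTERVAL = 86400  # 24 hours, the maximum the guide allows


@dataclass
class Unit:
    name: str
    heartbeat_interval: int   # seconds, as configured on the appliance
    last_heartbeat: int       # epoch seconds when GMS last received a heartbeat


def missed_heartbeats(unit: Unit, now: int) -> int:
    """Number of heartbeat intervals that have fully elapsed without a heartbeat."""
    if not 1 <= unit.heartbeat_interval <= MAX_HEARTBEAT_INTERVAL:
        raise ValueError(f"{unit.name}: interval must be 1..{MAX_HEARTBEAT_INTERVAL} s")
    elapsed = now - unit.last_heartbeat
    # A heartbeat stamped in the future (clock skew) counts as zero missed,
    # never as a negative number (assumption made for this example).
    return max(0, elapsed // unit.heartbeat_interval)


def unit_status(unit: Unit, now: int, threshold: int) -> str:
    """Unit Status alert: the unit is 'down' once the missed-heartbeat count
    reaches the Numeric threshold, otherwise 'up'."""
    return "down" if missed_heartbeats(unit, now) >= threshold else "up"


def boolean_alert(value, threshold) -> bool:
    """Unit HF Status and SA tunnel status: Boolean threshold, True (1) or False (0).
    Fires when the observed value equals the configured threshold."""
    return bool(value) == bool(threshold)


def wan_failover_alert(current_wan: str, threshold: str) -> bool:
    """WAN failover: String threshold, 'm' (modem), 'w' (wireless), 'e' (ethernet)."""
    return current_wan == threshold


def evaluate(units, now: int, threshold: int) -> dict:
    """Return {unit name: 'up' | 'down'} for every unit using one shared threshold."""
    return {u.name: unit_status(u, now, threshold) for u in units}


# Constructed sample: three units checked at the same instant.
NOW = 1_700_000_000
SAMPLE_UNITS = [
    Unit("sra-branch", 60, NOW - 45),    # under one 60 s interval: 0 missed
    Unit("fw-hq", 60, NOW - 190),        # three 60 s intervals elapsed: 3 missed
    Unit("fw-lab", 300, NOW + 30),       # future timestamp (clock skew): 0 missed
]

if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_UNITS, NOW, threshold=3).items():
        print(f"{name:12} {status}")
```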
Note
When an alert type is selected, a description for that alert is also displayed in the Alert Type
panel.
If the Alert Type requires you to Edit Content, a link displays in the Alert Type panel. Editing
Contents allows the user to pick additional info, in a granular fashion, on which the alerting has to
be performed.
Note
2.
Click the Edit Content link. The Edit Contents for Alert Type Unit Status pop-up window
displays.
3.
Click the Update button. To reset the settings, click the Reset button.
Destination / Schedule
In the Destination / Schedule panel you can add up to 5 destinations and set a schedule for
each. Perform the following steps to add a destination and set a schedule:
Note
670
2.
Click the Destination pull-down list, then select a alert destination.The Destination field
designates where you want alerts to be sent. You have a maximum number of five
destinations.
Configuring Alerts
3.
Click the Schedule pull-down list, then select a schedule type. The Schedule field
designates the frequency of when you want alerts to be sent to the destination(s).
4.
Enabling/Disabling Alerts
Perform the following steps to enable or disable an alert:
Enabling a Alert
1.
2.
Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
enable/disable.
Disabling an Alert
1.
2.
Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
enable/disable.
671
Configuring Alerts
Deleting Alerts
Perform the following steps to delete an alert:
Note
1.
2.
3.
Click OK to delete.
You can also delete an alert by clicking the Delete icon under the Configure section of the
alert you wish the delete.
Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps
to edit an alert:
1.
2. Refer to the Adding Alerts section and follow the configuration procedures to edit your existing Alert.
Current Alerts
To check the status of current alerts for your SonicWALL SRA appliance or group of appliances:
1.
2. Click the appliance or group whose alerts you want to check.
3. Navigate to the Events > Current Alerts page. All active alerts for this appliance are listed under Alert Listing.
CHAPTER 35
CDP Appliance Management
This chapter describes how to implement and manage single or multiple deployments of
SonicWALL CDP appliances through GMS. Included is an introduction to the Multi-Solutions
appliance management feature, and instructions for using the appliance configuration tools in
SonicWALL GMS.
This chapter contains the following sections:
2.
3.
4. Type the GMS host name or IP address of the GMS server in the GMS Host Name or IP Address field.
5. Type the GMS syslog server port in the Syslog Server Port field. The default port is 514.
6. Enter the heartbeat interval, in seconds, in the Heartbeat Interval (seconds) field. The maximum heartbeat interval is 86400 (24 hours).
7. Click Submit.
1. Log in to GMS.
2.
3. In the left-most pane, right-click and select Add Unit. The Add Unit popup displays.
4. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.
5. Enter the appliance administrator login name in the Login Name field.
6.
7. Enter the appliance serial number in the Serial Number field. The serial number can be found in the appliance management interface under General > Status.
8. The management mode defaults to Using HTTPS. Select the agent that will manage the CDP appliance from the Agent IP Address field.
9. Click OK. It may take up to a minute for the data to load.
The SonicWALL appliance is displayed in the left pane of the SonicWALL GMS interface as a
yellow icon, which means the unit has not been acquired by SonicWALL GMS. After the
appliance has been acquired, the icon will either turn red, indicating that the appliance status
is down, or blue, indicating that the appliance status is up. For detailed appliance icon
descriptions, refer to the Understanding SonicWALL GMS Icons section on page 18.
It may take up to five minutes for the SonicWALL GMS to establish an HTTPS connection and
acquire the SonicWALL appliance for management.
Your CDP is now ready for management using SonicWALL GMS.
For CDP appliances, there is an option to Fetch Information at both global and appliance
levels. When in global view, this feature acquires information for all available CDP appliances;
however, the results are only displayed when an individual appliance is selected.
Note
For CDP appliances, click the Fetch Information button for an updated view. This feature
is also available on a global level.
Status Item: Description
Model
Serial Number
Firmware Version
CPU
Status
Unit added to GMS: The date and time the CDP appliance was added to SonicWALL GMS
Management Mode
Primary Agent
Standby Agent
Tasks Pending
CDP Information
Synchronize Now
If a change is made to a SonicWALL appliance through any means other than SonicWALL GMS,
GMS is notified of the change through the syslog data stream. After the syslog notification is
received, SonicWALL GMS schedules a task to synchronize its database with the local change.
Auto-synchronization occurs whenever SonicWALL GMS receives a local change notification
status syslog message from a SonicWALL appliance.
You can also force synchronization at any time for a SonicWALL appliance or a group of
SonicWALL appliances.
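The following Python example is added here to illustrate the syslog-driven synchronization just described; it is not SonicWALL code and does not use any GMS interface. It parses a few constructed syslog lines (the "gms:" tag and the sn=, event= and msg= fields are assumptions made for this example, not SonicWALL's real message format), coalesces a burst of local-change notifications from the same unit into one pending synchronization task, and keeps an audit trail of every out-of-band change so that configuration drift made outside GMS stays visible to the operator.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines for this example. The "gms:" tag and the
# sn=/event=/msg= fields are assumptions, not SonicWALL's actual message format.
SAMPLE_SYSLOG = [
    '<134>Jan 12 10:00:01 cdp-01 gms: sn=CDP-UNIT-A event=local_change msg="time zone changed via local UI"',
    '<134>Jan 12 10:00:05 cdp-01 gms: sn=CDP-UNIT-A event=heartbeat',
    '<134>Jan 12 10:00:09 cdp-02 gms: sn=CDP-UNIT-B event=local_change msg="backup schedule edited"',
    '<134>Jan 12 10:00:12 cdp-01 gms: sn=CDP-UNIT-A event=local_change msg="admin password changed"',
    'not a syslog line at all',
]

LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) gms: '
    r'sn=(?P<sn>\S+) event=(?P<event>\S+)(?: msg="(?P<msg>[^"]*)")?$'
)


def parse_line(line):
    """Return the parsed fields of one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


class SyncScheduler:
    """Turns local-change notifications into synchronization tasks, one per unit.

    A burst of changes on the same unit is coalesced into a single pending task,
    while every notification is still kept in an audit trail so that out-of-band
    configuration changes remain visible to the operator.
    """

    def __init__(self):
        self.pending = OrderedDict()   # serial number -> task
        self.audit = []                # (timestamp, serial number, message)

    def handle(self, line):
        rec = parse_line(line)
        if rec is None or rec["event"] != "local_change":
            return None                # heartbeats and unparsable lines trigger nothing
        self.audit.append((rec["ts"], rec["sn"], rec["msg"]))
        task = self.pending.get(rec["sn"])
        if task is None:
            task = {"unit": rec["sn"], "action": "synchronize", "triggers": []}
            self.pending[rec["sn"]] = task
        task["triggers"].append(rec["msg"])
        return task

    def run_pending(self):
        """Hand the coalesced tasks to the task runner and clear the queue."""
        tasks = list(self.pending.values())
        self.pending.clear()
        return tasks


def schedule_from_log(lines):
    """Feed a batch of syslog lines through the scheduler; returns (tasks, audit)."""
    scheduler = SyncScheduler()
    for line in lines:
        scheduler.handle(line)
    return scheduler.run_pending(), scheduler.audit


if __name__ == "__main__":
    tasks, audit = schedule_from_log(SAMPLE_SYSLOG)
    for task in tasks:
        print(task)
    for entry in audit:
        print("out-of-band change:", entry)
```

Coalescing matters operationally: three local edits on one unit produce one database synchronization rather than three, while the audit list still records each edit separately for review.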
To synchronize the appliance, perform the following tasks:
1.
2.
3.
4. Use the scheduler to update immediately, or select a date in the future. Click Accept when you are finished.
1. On the General > Tools page, click the Synchronize the Appliance with mySonicWALL.com button.
2.
3. Use the scheduler to update immediately, or select a date in the future. Click Accept when you are finished.
It may take several seconds for the SonicWALL appliance to synchronize with
mySonicWALL.com.
2.
3.
4. Click Register. The scheduler displays. Use the scheduler to update immediately, or select a date in the future.
Note
When registering a CDP appliance, you must specify the offsite backup location: Europe or North America.
5. Click Accept. It may take several seconds for GMS to contact SonicWALL to register the CDP appliance.
Configuring Alerts
This section provides configuration procedures for adding, enabling/disabling, deleting, and
editing alerts on the CDP > Events > Alerts page, at a unit or group level. Before you configure
an Event Alert, refer to Chapter 45, Granular Event Management, for a detailed overview of the
Granular Event Management feature.
Perform the following steps in the sections listed below:
Adding Alerts
This section details the configuration procedures for adding an alert, selecting an alert type, and
configuring a destination / schedule.
Add Alert
In the Add Alert panel you can enter an alert name and description, select the options for visible
to non-administrators and disable, and enter the polling interval. Perform the following steps to
add an alert:
1. Select a SonicWALL CDP appliance or group in the left pane. Under the Policies tab, click Events > Alert Settings.
2.
3.
4. Enable the Visible to Non-Administrators checkbox if you want your Alert to be visible to non-administrators.
5.
6.
Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the
definitions of each alert type. Perform the following steps to configure an Alert Type:
1.
Click the Alert Type pull-down list and select an alert type.
The table below lists all CDP Alert Types and the definition of each alert.
Name: Description
Agent Unsuccessful Backups
Appliance Capacity Status: Tracks whether the storage for an appliance has reached its capacity. The value that the threshold will use is Numeric. This value is the utilization in %. Edit Content option available.
CDP Status: Tracks the performance of the CPU for this appliance. The value that the threshold will use is Numeric. This value is a percentage that should be counted to mark an appliance as nearing capacity. Edit Content option available.
Unit Status: Tracks a unit's Up/Down status. The value that the threshold will use is Numeric. This value is the number of missed heartbeats that should be counted to mark a unit as down. Edit Content option available.
Note
When an alert type is selected, a description for that alert is also displayed in the Alert Type
panel.
If the Alert Type requires you to Edit Content, a link displays in the Alert Type panel. Editing
Contents lets you select, in a granular fashion, the additional information on which alerting is to
be performed.
2. Click the Edit Content link. The Edit Contents for Alert Type Unit Status pop-up window displays.
3. Click the Update button. To reset the settings, click the Reset button.
Destination / Schedule
In the Destination / Schedule panel you can add up to 5 destinations and set a schedule for
each. Perform the following steps to add a destination and set a schedule:
2. Click the Destination pull-down list, then select an alert destination. The Destination field designates where you want alerts to be sent. You can have a maximum of five destinations.
3. Click the Schedule pull-down list, then select a schedule type. The Schedule field designates how often alerts are sent to the destination(s).
4.
Enabling/Disabling Alerts
Perform the following steps to enable or disable an alert:
Enabling an Alert
1.
2. Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable/disable.
Disabling an Alert
1.
2. Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable/disable.
Deleting Alerts
Perform the following steps to delete an alert:
1.
2.
3. Click OK to delete.
You can also delete an alert by clicking the Delete icon under the Configure section of the
alert you wish to delete.
Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps
to edit an alert:
1.
2. Refer to the Adding Alerts section and follow the configuration procedures to edit your existing Alert.
Current Alerts
To check the status of current alerts for your SonicWALL CDP appliance or group of appliances:
1.
2. Click the appliance or group whose alerts you want to check.
3. Navigate to the Events > Current Alerts page. All active alerts for this appliance are listed under Alert Listing.
Templates
A Template is simply a collection of Recordings from one or more appliances of the same type.
A Template belongs to a user of a particular domain, and remains visible only in that domain.
That is, Templates from one domain are not visible in another domain. A user only has access
to his or her own Templates (editing, deleting, or moving Templates).
It is recommended that a Template contain Recordings whose data does not conflict with the
data in another Recording, as a conflict may cause the deletion of data previously applied, unless
that is intended. For example, a Template should not contain a Recording that sets the time zone
to IST followed by a Recording that sets the time zone to PST, unless the user intends this.
Add/Edit Recording
This is used to save a freshly created recording. This screen appears when the Recording is
stopped. This new recording can be directly added to one of the existing Templates or to the
default Template. The same screen displays when editing an existing recording. Provide a
detailed Name and Description in the appropriate fields, then click Update to save the
information.
Add/Edit Template
This is used to create a new Template or to edit an existing Template. Provide a detailed Name
and Description in the appropriate fields, then click Update to save the information.
Move Recording
This dialog screen is used to move one or more recordings from one Template to another. To
move a recording, select the recording you wish to move from the Policies > Management >
Templates screen. Then, select which template to move it to. Click OK to save the changes.
Delete Template(s)/Recording(s)
This is used to confirm the deletion of Template(s) and Recording(s). To delete, first select the
template or recording from the Policies > Management > Templates screen. Then, click the
Delete Template(s)/Recording(s) link. Click OK to save the changes.
Recording
The Recording option provides an easier way to apply configurations for one appliance to
another similar appliance. You have the option of saving the Recording into the Default
Template or into a new Template. The data recorded between one Start Recording and Stop
Recording action is called a Recording.
Note
Recordings can only be applied to a compatible appliance. For example, a Recording for the
SonicWALL CDP appliance can only be applied to another SonicWALL CDP appliance.
To successfully create and save a Recording, follow the procedures listed below:
Step 1
Select the appliance you want to modify, and navigate to the Management > User Interface
screen.
Step 2
Navigate to the screen you want to make changes to. Click on the Start Recording button on
the Recording Controls Panel. Once you see the Recording in progress notification on the
panel, you can begin modifying the settings.
Step 3
More changes can be recorded similarly. Once you have finished making the necessary
changes, stop the Recording by clicking the Stop Recording button on the Recording Controls
Panel. A dialog box will display asking if you wish to save the Recording. Click OK.
Step 4
Next, the Add Recording dialog box will display. Type in the Name and a detailed Description
of the Recording. Indicate if this Recording should be saved into your Default Template or into
a New Template. Click Update when you are finished.
Step 5
The Templates screen will display, notifying you that the changes to the Recording were
successfully saved.
1. Click the Unit/Group Node in the Tree Control to which you wish to apply a Template or a Recording. Based on the Node selected in the Tree Control, the Templates screen lists only those Templates/Recordings that can be applied to the currently selected node.
2. Select the checkbox next to the Template you wish to apply. Specify a Schedule for the Template/Recording to be applied. Note that once applied, a task is created. To view the newly created task, click the Console tab and navigate to Tasks > Scheduled Tasks.
3. To verify that the task executed successfully, navigate to Log > View Log. You can also navigate back to the User Interface screen of the appliance to which you applied the Template to verify that the changes were successful.
1.
2.
3.
In the left pane, click the CDP appliance that you want to manage.
To open the CDP management interface, click Management > User Interface. You will be
directed to the User Interface of this appliance. To return to the Policies tab, click the
Note
If you choose HTTPS, the server uses the same SSL keystore or certificate that is used by
the Tomcat web server.
MSM Screens
The Management Screen Group page is one of the latest supported screens for this new
feature.
From this screen, you can navigate to the Template screen or the User Interface screen. Note
that the User Interface screen is only available at the Unit Node level.
The Templates screen displays all the applicable Templates for the selected Unit/Group Node
on the Tree Control.
CHAPTER 36
Email Security Appliance Management
This chapter describes how to implement and manage single or multiple deployments of
SonicWALL Email Security appliances through GMS. Included is an introduction to the
Multi-Solutions appliance management feature, and instructions for using the appliance
configuration tools in SonicWALL GMS.
This chapter contains the following sections:
Step 2
Enter the command gms. This displays the current EMS settings for the GMS heartbeat.
Step 3
Next, set the EMS appliance heartbeat. In this example, the heartbeat interval is 60 seconds.
Step 4
Enter the destination IP address of your GMS server. In this example, the destination IP
address is 10.195.11.38.
1. Log in to GMS.
2.
3. In the left-most pane, right-click and select Add Unit. The Add Unit popup displays.
4. Enter a descriptive name for the SonicWALL appliance in the Unit Name field.
5. Enter the appliance administrator login name in the Login Name field.
6.
7. Enter the appliance serial number in the Serial Number field. The serial number can be found in the appliance management interface under General > Status.
8. The management mode defaults to Using HTTPS. Select the agent that will manage the ES appliance from the Agent IP Address field.
9. Click OK. It may take up to a minute for the data to load.
The SonicWALL appliance is displayed in the left pane of the SonicWALL GMS interface as a
yellow icon, which means the unit has not been acquired by SonicWALL GMS. After the
appliance has been acquired, the icon will either turn red, indicating that the appliance status
is down, or blue, indicating that the appliance status is up. For detailed appliance icon
descriptions, refer to the Understanding SonicWALL GMS Icons section on page 18.
It may take up to five minutes for the SonicWALL GMS to establish an HTTPS connection and
acquire the SonicWALL appliance for management.
Your ES is now ready for management using SonicWALL GMS.
Global ES Status
The Global status window displays information about all Email Security devices in the current
GMS deployment.
Status Item: Description
Model
Serial Number
Firmware Version
CPU
Status
Unit added to GMS: The date and time the ES appliance was added to SonicWALL GMS
Management Mode
Primary Agent
Standby Agent
Tasks Pending
ES Information
1. On the General > Tools page, click the Synchronize the Appliance with mySonicWALL.com button.
2.
3. Use the scheduler to update immediately, or select a date in the future. Click Accept when you are finished.
It may take several seconds for the SonicWALL appliance to synchronize with
mySonicWALL.com.
Registering ES Appliances
To register an Email Security appliance, you must perform tasks on GMS and on the ES
appliance through its local user interface. See the following sections:
2.
3.
4.
5.
6. Click Accept. It may take several seconds for GMS to contact SonicWALL to register the ES appliance.
Configuring Alerts
This section provides configuration procedures for adding, enabling/disabling, deleting, and
editing alerts on the ES > Events > Alerts page, at a unit or group level. Before you configure
an Event Alert, refer to Chapter 45, Granular Event Management, for a detailed overview of the
Granular Event Management feature.
Perform the following steps in the sections listed below:
Adding Alerts
This section details the configuration procedures for adding an alert, selecting an alert type, and
configuring a destination / schedule.
Add Alert
In the Add Alert panel you can enter an alert name and description, select the options for visible
to non-administrators and disable, and enter the polling interval. Perform the following steps to
add an alert:
1. Select a SonicWALL ES appliance or group in the left pane. Under the Policies tab, click Events > Alert Settings.
2.
3.
4. Enable the Visible to Non-Administrators checkbox if you want your Alert to be visible to non-administrators.
5.
6.
Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the
definitions of each alert type. Perform the following steps to configure an Alert Type:
1.
Click the Alert Type pull-down list and select an alert type.
The table below lists all ES Alert Types and the definition of each alert.
Name: Description
Unit Status: Tracks a unit's Up/Down status. The value that the threshold will use is Numeric. This value is the number of missed heartbeats that should be counted to mark a unit as down. Edit Content option available.
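The Unit Status alert described in this table (and in the matching SRA and CDP tables earlier) marks a unit down once a configured number of heartbeats has been missed, using the Heartbeat Interval that the appliance-side setup steps configure (in seconds, at most 86400). The following Python example is added here to show that rule in working form; it is not SonicWALL code and does not model the real GMS alert engine. The unit name, timings and threshold are constructed, and the choice to count a missed heartbeat only once a whole interval has elapsed is an assumption made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_HEARTBEAT_INTERVAL_S = 86400   # 24 hours, the maximum the Heartbeat Interval field accepts


def is_valid_heartbeat_interval(seconds):
    """True for the interval range the setup procedure accepts: 1..86400 seconds."""
    return isinstance(seconds, int) and 1 <= seconds <= MAX_HEARTBEAT_INTERVAL_S


@dataclass
class UnitHeartbeatState:
    """Up/Down status of one managed unit, derived from the heartbeats it sends."""
    unit: str
    interval_s: int            # Heartbeat Interval configured on the appliance (seconds)
    missed_threshold: int      # Numeric threshold of the Unit Status alert
    last_seen: Optional[float] = None
    status: str = "unknown"    # a unit that has never sent a heartbeat is unknown, not down
    transitions: List[Tuple[float, str, str]] = field(default_factory=list)

    def heartbeat(self, now):
        """A heartbeat arrived at time `now` (seconds); the unit is up again."""
        self.last_seen = now
        self._set("up", now)
        return self.status

    def missed_heartbeats(self, now):
        """Whole heartbeat intervals elapsed since the last heartbeat (assumption: partial intervals do not count)."""
        if self.last_seen is None:
            return 0
        return int((now - self.last_seen) // self.interval_s)

    def evaluate(self, now):
        """Apply the alert rule: reaching the missed-heartbeat threshold marks the unit down."""
        if self.last_seen is not None and self.missed_heartbeats(now) >= self.missed_threshold:
            self._set("down", now)
        return self.status

    def _set(self, status, now):
        # Record every state change so an alert destination can be notified on transitions only.
        if status != self.status:
            self.transitions.append((now, self.status, status))
            self.status = status


def run_scenario():
    """Constructed timeline: 60 s heartbeat interval, alert threshold of 3 missed heartbeats."""
    interval = 60
    if not is_valid_heartbeat_interval(interval):
        raise ValueError("heartbeat interval out of range")
    unit = UnitHeartbeatState("CDP-UNIT-A", interval, missed_threshold=3)
    for t in (0, 60, 120):
        unit.heartbeat(t)
    at_240 = unit.evaluate(240)        # two intervals missed: still up
    at_300 = unit.evaluate(300)        # third missed heartbeat reaches the threshold: down
    after_recovery = unit.heartbeat(310)
    return at_240, at_300, after_recovery, unit.transitions


if __name__ == "__main__":
    print(run_scenario())
```

The transitions list is the useful output for alerting: a destination should be notified on the up-to-down and down-to-up changes, not on every poll that re-confirms the same state.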
Note
When an alert type is selected, a description for that alert is also displayed in the Alert Type
panel.
If the Alert Type requires you to Edit Content, a link displays in the Alert Type panel. Editing
Contents lets you select, in a granular fashion, the additional information on which alerting is to
be performed.
2. Click the Edit Content link. The Edit Contents for Alert Type Unit Status pop-up window displays.
3. Click the Update button. To reset the settings, click the Reset button.
Destination / Schedule
In the Destination / Schedule panel you can add up to 5 destinations and set a schedule for
each. Perform the following steps to add a destination and set a schedule:
2. Click the Destination pull-down list, then select an alert destination. The Destination field designates where you want alerts to be sent. You can have a maximum of five destinations.
3. Click the Schedule pull-down list, then select a schedule type. The Schedule field designates how often alerts are sent to the destination(s).
4.
Enabling/Disabling Alerts
Perform the following steps to enable or disable an alert:
Enabling an Alert
1.
2. Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable/disable.
Disabling an Alert
1.
2. Click the Enable/Disable Alert(s) link. A confirmation window displays. Click OK to enable/disable.
Deleting Alerts
Perform the following steps to delete an alert:
1.
2.
3. Click OK to delete.
You can also delete an alert by clicking the Delete icon under the Configure section of the
alert you wish to delete.
Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps
to edit an alert:
1.
2. Refer to the Adding Alerts section and follow the configuration procedures to edit your existing Alert.
Current Alerts
To check the status of current alerts for your SonicWALL ES appliance or group of appliances:
1.
2. Click the appliance or group whose alerts you want to check.
3. Navigate to the Events > Current Alerts page. All active alerts for this appliance are listed under Alert Listing.
Templates
A Template is simply a collection of Recordings from one or more appliances of the same type.
A Template belongs to a user of a particular domain, and remains visible only in that domain.
That is, Templates from one domain are not visible in another domain. A user only has access
to his or her own Templates (editing, deleting, or moving Templates).
It is recommended that a Template contain Recordings whose data does not conflict with the
data in another Recording, as a conflict may cause the deletion of data previously applied, unless
that is intended. For example, a Template should not contain a Recording that sets the time zone
to IST followed by a Recording that sets the time zone to PST, unless the user intends this.
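The conflict rule above (the same rule is given for CDP Templates earlier in this guide), together with the note that a Recording applies only to an appliance of the same type, can be checked before a Template is applied. The following Python example is added for that purpose; it is not SonicWALL code and does not use the GMS Template or Recording interfaces. It models a Recording as a map of setting path to value, which is a simplification made for this example, and the template, recording names and setting paths are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Recording:
    """One Start Recording .. Stop Recording capture, modelled as setting -> value (simplification)."""
    name: str
    appliance_type: str          # a Recording applies only to the appliance type it was taken from
    changes: Dict[str, str]


@dataclass
class Template:
    """A Template is a collection of Recordings, applied in order."""
    name: str
    recordings: List[Recording] = field(default_factory=list)


def find_conflicts(template):
    """List settings that two Recordings in the Template write with different values.

    Each entry is (setting, earlier recording, later recording). When the Template is
    applied, the later Recording wins and silently replaces what the earlier one set,
    which is exactly the IST-then-PST situation the guide warns about.
    """
    seen = {}        # setting -> (recording name, value)
    conflicts = []
    for rec in template.recordings:
        for setting, value in rec.changes.items():
            if setting in seen and seen[setting][1] != value:
                conflicts.append((setting, seen[setting][0], rec.name))
            seen[setting] = (rec.name, value)
    return conflicts


def is_compatible(template, appliance_type):
    """True only if every Recording was taken from the same appliance type as the target."""
    return all(rec.appliance_type == appliance_type for rec in template.recordings)


def apply_template(template, appliance_type, config):
    """Apply every Recording to a copy of `config`, refusing incompatible appliance types."""
    if not is_compatible(template, appliance_type):
        raise ValueError(f"template {template.name!r} contains recordings for another appliance type")
    result = dict(config)
    for rec in template.recordings:
        result.update(rec.changes)   # later recordings overwrite earlier ones
    return result


# Constructed example reproducing the time-zone conflict described in the text.
EXAMPLE_TEMPLATE = Template("site-baseline", [
    Recording("set-tz-ist", "ES", {"system/timezone": "IST", "system/ntp": "on"}),
    Recording("junkbox-retention", "ES", {"junkbox/retention_days": "60"}),
    Recording("set-tz-pst", "ES", {"system/timezone": "PST"}),
])


if __name__ == "__main__":
    for setting, earlier, later in find_conflicts(EXAMPLE_TEMPLATE):
        print(f"conflict on {setting}: {earlier} is overwritten by {later}")
    print(apply_template(EXAMPLE_TEMPLATE, "ES", {"system/timezone": "UTC"}))
```

Running find_conflicts before scheduling a Template task turns a silent overwrite into a reviewable warning; the compatibility check mirrors the guide's rule that a Recording from one appliance type is never applied to another.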
Add/Edit Recording
This is used to save a freshly created recording. This screen appears when the Recording is
stopped. This new recording can be directly added to one of the existing Templates or to the
default Template. The same screen displays when editing an existing recording. Provide a
detailed Name and Description in the appropriate fields, then click Update to save the
information.
Add/Edit Template
This is used to create a new Template or to edit an existing Template. Provide a detailed Name
and Description in the appropriate fields, then click Update to save the information.
Move Recording
This dialog screen is used to move one or more recordings from one Template to another. To
move a recording, select the recording you wish to move from the Policies > Management >
Templates screen. Then, select which template to move it to. Click OK to save the changes.
Delete Template(s)/Recording(s)
This is used to confirm the deletion of Template(s) and Recording(s). To delete, first select the
template or recording from the Policies > Management > Templates screen. Then, click the
Delete Template(s)/Recording(s) link. Click OK to save the changes.
Recording
The Recording option provides an easier way to apply configurations for one appliance to
another similar appliance. You have the option of saving the Recording into the Default
Template or into a new Template. The data recorded between one Start Recording and Stop
Recording action is called a Recording.
Note
Recordings can only be applied to a compatible appliance. For example, a Recording for the
SonicWALL Email Security appliance can only be applied to another SonicWALL Email
Security appliance.
To successfully create and save a Recording, follow the procedures listed below:
Step 1
Select the appliance you want to modify, and navigate to the Management > User Interface
screen.
Step 2
Navigate to the screen in which you wish to make changes. In this example, we will modify
General Settings on the Default Message Management screen.
Step 3
Next, start the recording by clicking on the Start Recording button on the Recording Controls
Panel. Once you see the Recording in progress notification at the top, you can start modifying
the settings.
In this example, the Number of days to store in Junk Box before deleting changes to 60 days,
and the Number of Junk Box messages to display per page changes to 400 rows.
Step 4
When finished making changes, click the Apply Changes button. A screen appears notifying
you that the changes were successfully applied.
Step 5
More changes can be recorded similarly. Once you have finished making the necessary
changes, stop the Recording by clicking the Stop Recording button on the Recording Controls
Panel. A dialog box will display asking if you wish to save the Recording. Click OK.
Step 6
Next, the Add Recording dialog box will display. Type in the Name and a detailed Description
of the Recording. Indicate if this Recording should be saved into the Default Template or into a
New Template. Click Update when you are finished.
Step 7
The Templates screen will display, notifying you that the changes to the Recording were
successfully saved.
1. Click the Unit/Group Node in the Tree Control to which you wish to apply a Template or a Recording. Based on the Node selected in the Tree Control, the Templates screen lists only those Templates/Recordings that can be applied to the currently selected node.
2. Select the checkbox next to the Template you wish to apply. Specify a Schedule for the Template/Recording to be applied. Note that once applied, a task is created. To view the newly created task, click the Console tab and navigate to Tasks > Scheduled Tasks.
3. To verify that the task executed successfully, navigate to Log > View Log. You may also navigate back to the User Interface screen of the appliance where you applied the Template to verify that the changes were successful.
Note
Management settings and changes made on one SonicWALL Email Security appliance cannot be
applied to another SonicWALL Email Security appliance, except by using the Recording
functionality.
1.
2.
3.
In the left pane, click the ES appliance that you want to manage.
To open the ES management interface, click Management > User Interface. You will be
directed to the User Interface of this appliance. To return to the Policies tab, click the
Note
If you choose HTTPS, the server uses the same SSL keystore or certificate that is used by
the Tomcat web server.
MSM Screens
The Management Screen Group page is one of the latest supported screens for this new
feature.
From this screen, you can navigate to the Template screen or the User Interface screen. Note
that the User Interface screen is only available at the Unit Node level.
The Templates screen displays all the applicable Templates for the selected Unit/Group Node
on the Tree Control.
CHAPTER 37
Using Navigation and Monitoring Tools
The SonicWALL GMS Monitor Panel is used for real time monitoring of SonicWALL appliances,
VPN Tunnels, network devices, and syslog information.
This chapter describes the following:
Net Monitor
The SonicWALL GMS Net Monitor periodically tests the status of SonicWALL appliances and
other network devices. Once configured, it enables you to monitor the status of your network
and immediately respond when SonicWALL appliances and other network devices become
unavailable.
The Net Monitor enables you to categorize different groups of SonicWALL appliances or other
network devices. You can categorize them by device type, geography, or any other
organizational scheme. Additionally, you can assign devices within each category a high,
medium, or low priority.
When you add a new device to your monitor, you will be able to select a category, priority level,
how often the device is tested, and the type of test that is used. The Net Monitor currently
supports five types of tests: Ping, TCP Probe, HTTP, HTTPS, and SNMP.
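To make the monitoring thresholds concrete, here is a Python example added for this page; it is not SonicWALL code and does not call any GMS or Net Monitor interface. It implements the Ideal Response Time bands that the Add GMS Device procedure later in this chapter describes (a reply between 1 and 1.5 times the IRT is Slow, between 1.5 and 2 times is Very Slow, default IRT 500 milliseconds), and a worst-case wait calculation for the SNMP Retry and Timeout values under the exponential back-off that the same procedure's note warns about. The doubling factor, the labels used for a reply slower than 2x IRT and for no reply at all, and the comparison against the Polling Interval are assumptions made for this example; the guide does not state them.

```python
# Net Monitor response classification and SNMP retry/timeout budgeting (illustrative only).

IRT_DEFAULT_MS = 500   # Ideal Response Time default from the Add GMS Device wizard


def classify_response(elapsed_ms, irt_ms=IRT_DEFAULT_MS):
    """Map a probe round-trip time onto the status bands the wizard describes.

    Below 1x IRT: OK; 1x to 1.5x: Slow; 1.5x to 2x: Very Slow. The label for
    replies slower than 2x IRT and "Down" for no reply at all are assumptions
    made for this example; the guide does not name those states.
    """
    if elapsed_ms is None:
        return "Down"
    if elapsed_ms < irt_ms:
        return "OK"
    if elapsed_ms < 1.5 * irt_ms:
        return "Slow"
    if elapsed_ms <= 2 * irt_ms:
        return "Very Slow"
    return "Beyond 2x IRT"


def snmp_attempt_timeouts(timeout_s, retries, growth=2):
    """Per-attempt timeouts under exponential back-off.

    Assumes the timeout is multiplied by `growth` on every retry; the guide says
    only that the Timeout value increases exponentially with the retry value.
    """
    if timeout_s <= 0 or retries < 0:
        raise ValueError("timeout must be positive and retries non-negative")
    return [timeout_s * growth ** i for i in range(retries + 1)]


def snmp_worst_case_wait(timeout_s, retries, growth=2):
    """Total time an unreachable device holds the probe before it is given up on."""
    return sum(snmp_attempt_timeouts(timeout_s, retries, growth))


def fits_polling_interval(timeout_s, retries, polling_interval_s, growth=2):
    """True if the worst-case SNMP wait finishes before the next scheduled poll.

    A Retry/Timeout pair that exceeds the Polling Interval means a single dead
    device can delay the whole polling cycle; this check is an assumption made
    for the example, not a rule from the guide.
    """
    return snmp_worst_case_wait(timeout_s, retries, growth) < polling_interval_s


if __name__ == "__main__":
    for rtt in (300, 500, 749, 800, 1000, 1001, None):
        print(rtt, classify_response(rtt))
    print("timeouts for Timeout=5 s, Retry=3:", snmp_attempt_timeouts(5, 3))
    print("worst case:", snmp_worst_case_wait(5, 3), "s; fits 60 s polling:",
          fits_polling_interval(5, 3, 60))
```

The worked numbers show why the guide asks for caution: a Timeout of 5 seconds with 3 retries is not a 20-second budget but 5 + 10 + 20 + 40 = 75 seconds, longer than a one-minute polling interval.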
You can toggle between the main view of the Net Monitor page and the Dashboard view by
clicking the button. The following graphic shows the Dashboard view:
Finding Devices
GMS NetMonitor gives you the ability to search for devices using the Find feature:
1. In the menu bar, go to Edit > Find. The Find window displays.
2.
3. You can optionally choose to Match case or to find only the Whole word in your search.
4. Click the Find button to search all views for your search term; the results are displayed below.
5. Double-click the device you wish to display and it will be highlighted in the NetMonitor window.
After making an initial search, you can use F3 (find next) and Shift+F3 (find previous) to
move easily between found devices without having to keep the Find window open.
1. In the NetMonitor window, select the device(s) whose status you want to view.
2.
3.
Configuring Preferences
To configure Net Monitor preferences, perform the following steps:
1.
2. To view each category on its own page, select Each from the View Type list box. To view all categories on one page, select All.
3. To configure the Net Monitor to automatically refresh the status of monitored devices, select the Enable auto refresh while loading check box and specify the refresh interval.
4. In the Monitor tab of the Preferences window, select a Minimum Severity to Show Alert in Dashboard from the pull-down menu.
5. Pick a domain to view by selecting it from the pull-down list. Note that this field applies only to users with Super Admin access, and a domain must be selected in this dialog box in order to view devices in other domains. Users without Super Admin access can only view devices in their own domain.
6. In the Filters tab, select which devices will be displayed in the Show devices by status area. To view all devices, select the Select All check box.
7. In the Table tab, select Default to view the default table color. To pick a custom color, select Custom and choose a color from the color selector.
8. Specify the Column count and Row height to display for each priority.
9. When you are finished, click Apply. To cancel and start over, click Cancel.
Defining Categories
To create a new category, perform the following steps:
1. From the Net Monitor main page, select Add Category from the Category Menu.
2. The Add Category screen displays. Enter the name of the new category in the Name field.
3. When you are finished, click Apply. To cancel and start over, click Cancel.
4. Repeat this procedure for each category to add. The new category appears in the main toolbar of the Net Monitor page.
Editing Categories
To edit an existing category, perform the following steps:
1. From the Net Monitor main page, select Edit Category from the Category Menu.
2. Select the category name you want to change from the list.
3. Enter a new name for the selected category in the Name field.
4. When you are finished, click Apply. To cancel and start over, click Cancel.
Deleting Categories
To delete an existing category, perform the following steps:
1. From the Net Monitor main page, select Delete Category from the Categories Menu.
2. From the list provided, select the category name (shift-click for multiple category names) you want to delete.
3. Select the Forcibly delete all devices under category checkbox to delete all devices in this category.
Note
A warning message displays when you select the Forcibly delete all devices under category checkbox. Click Yes to continue and delete this category.
4. To submit the delete request, click Apply. To cancel and start over, click Cancel.
Re-ordering Categories
To change the order of an existing category, perform the following steps:
1. From the Net Monitor main page, select Order Category from the Category Menu.
2. From the list provided, select the category name you want to move.
3. Click the Move Up or Move Down buttons to change the order of this category.
4.
1. From the Net Monitor page, select Add GMS Device from the File Menu.
2. Select a device or group to monitor and click the Add button in the center of the screen. Repeat this step for each device or group to monitor.
3. Click Next. The second page of the Add GMS Device Wizard appears.
4. Select the category to which the SonicWALL appliance(s) will be added from the Use an Existing Category list box. To add the SonicWALL appliance(s) to a new category, enter the category name in the Add a New Category field.
5. Select the priority of the appliance(s) from the Category Priority list box.
6. Select how the SonicWALL appliance(s) will be monitored from the Monitoring Type list box and specify a Port if applicable.
If you choose SNMP as the monitoring type, you must enter a Monitor Port. Configure the following advanced settings by clicking the Advanced button:
Community
Retry
Timeout
SNMP Version
MIB(s)*
User Name
Authentication Protocol
Authentication Password
Privacy Password
Context ID
Context Name
Note
Use extra caution when specifying the Retry and Timeout values, as the SNMP follows the Exponential Back Off algorithm to calculate the retry and timeout values. With this algorithm, the specified Timeout value increases exponentially with the retry value.
7.
8. Specify how often the SonicWALL appliance(s) will be tested in the Polling Interval field.
9. Enter the ideal response time (IRT) in the Ideal Response Time field (default: 500 milliseconds). SonicWALL appliances that take between 1 and 1.5 times the IRT will be marked as Slow. SonicWALL appliances that take between 1.5 and 2 times the IRT will be marked as Very Slow.
10. Select the Agent that will perform the testing from the Assign to Monitor list box.
11. Optional. To disable monitoring of the SonicWALL appliance(s), select Disable.
12. To change the icon image that will represent the device(s), click the icon image button and
If you did not configure the Monitoring Type as SNMP, the Assign Privileges page will
display. See Step 14.
If you configured the Monitoring Type as SNMP, the SNMP Realtime Monitor Template
Information page will display. Select the Realtime Monitor Template to apply to this device.
Then, click Next.
Note
Multiple templates can be selected by holding Ctrl + selecting the templates. The Filter search bar allows you to narrow the list of templates. Perform an exact match search by using double quotation marks, for example "template name", or search with no quotation marks to search through multiple keywords.
14. On the Assign Privileges page, select users to have read-write privileges.
Note
Multiple users can be selected by holding Ctrl + selecting the users. Permissions can be
assigned to both Users and Usertypes.
Note
The process of acquiring a new device may take several minutes. To force acquisition of the device, select the device and go to SNMP > SNMP Re-acquire in the NetMonitor menu bar.
* Custom MIBs may be required for some devices. Custom MIBs allow polling non-SonicWALL or non-standard SNMP-enabled devices and polling information specific to a certain device based on Manufacturer ID. These MIBs have to be placed in the etc\mibs folder by the GMS Administrator on the Web Server and Monitoring Agent machine(s) in order to use them for probing.
1. From the Net Monitor screen, select Add Non-GMS Device from the File Menu.
2. Enter a name for the device in the Name field and its IP address or hostname in the Host field and click Add. Repeat this step for each device to monitor.
3. Click Next. The second page of the Add Non-GMS Device Wizard displays.
4. Select the category to which the device(s) will be added from the Use an Existing Category list box. To add the device to a new category, enter the category name in the Add a New Category field.
5. Select the priority of the device(s) from the Category Priority list box.
6. Select how the SonicWALL appliance(s) will be monitored from the Monitoring Type list box and specify a Port if applicable.
If choosing SNMP as the monitoring type, you must enter a Monitor Port. Configure the following advanced settings by clicking on the Advanced button:
Community
Retry
Timeout
SNMP Version
MIB(s)*
User Name
Authentication Protocol
Authentication Password
Privacy Password
Context ID
Context Name
Note
Use extra caution when specifying the Retry and Timeout values, as the SNMP follows the Exponential Back Off algorithm to calculate the retry and timeout values. With this algorithm, the specified Timeout value increases exponentially with the retry value.
7.
8. Specify how often the SonicWALL appliance(s) will be tested in the Polling Interval field.
9. Enter the ideal response time (IRT) in the Ideal Response Time field (default: 500 milliseconds). SonicWALL appliances that take between 1 and 1.5 times the IRT will be marked as Slow. SonicWALL appliances that take between 1.5 and 2 times the IRT will be marked as Very Slow.
10. Select the Agent that will perform the testing from the Assign to Monitor list box.
11. Optional. To disable monitoring of the SonicWALL appliance(s), select Disable.
12. To change the icon image that will represent the device(s), click the icon image button and
If you did not configure the Monitoring Type as SNMP, the Assign Privileges page will
display. See Step 14.
If you configured the Monitoring Type as SNMP, the SNMP Realtime Monitor Template
Information page will display. Select the Realtime Monitor Template to apply to this device.
Then, click Next.
Note
Multiple templates can be selected by holding Ctrl + selecting the templates. The Filter search bar allows you to narrow the list of templates. Perform an exact match search by using double quotation marks, for example "template name", or search with no quotation marks to search through multiple keywords.
14. On the Assign Privileges page, select users to have read-write privileges.
Note
Multiple users can be selected by holding Ctrl + selecting the users. Permissions can be
assigned to both Users and Usertypes.
Note
The process of acquiring a new device may take several minutes. To force acquisition of the device, select the device and go to SNMP > SNMP Re-acquire in the NetMonitor menu bar.
* Custom MIBs may be required for some devices. Custom MIBs allow polling non-SonicWALL or non-standard SNMP-enabled devices and polling information specific to a certain device based on Manufacturer ID. These MIBs have to be placed in the etc\mibs folder by the GMS Administrator on the Web Server and Monitoring Agent machine(s) in order to use them for probing.
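The Retry, Timeout, Polling Interval and Ideal Response Time settings in steps 6 through 9 of both the Add GMS Device and Add Non-GMS Device procedures interact, and the following added example (not SonicWALL's code) models them so a proposed configuration can be checked before it is applied. It assumes the back-off doubles the timeout on each retry and that a reply slower than twice the IRT, or no reply at all, is reported as Down; neither detail is stated in the guide.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SnmpPollSettings:
    """The Net Monitor settings this example reasons about."""
    timeout_s: float           # Timeout (Advanced SNMP setting), seconds
    retry: int                 # Retry (Advanced SNMP setting)
    polling_interval_s: float  # Polling Interval, seconds
    irt_ms: float = 500.0      # Ideal Response Time, guide default 500 ms


def backoff_schedule(settings: SnmpPollSettings) -> List[float]:
    """Wait per attempt: the first try plus `retry` retries.
    ASSUMPTION: the timeout doubles on every retry; the guide only says
    it grows exponentially with the retry value."""
    return [settings.timeout_s * (2 ** n) for n in range(settings.retry + 1)]


def worst_case_wait_s(settings: SnmpPollSettings) -> float:
    """Longest time a single poll of an unresponsive device can block."""
    return sum(backoff_schedule(settings))


def polls_overlap(settings: SnmpPollSettings) -> bool:
    """True when a dead device can still be mid-poll when the next poll is
    due, which is the situation the guide's caution about Retry/Timeout
    warns against."""
    return worst_case_wait_s(settings) > settings.polling_interval_s


def classify_response(settings: SnmpPollSettings, response_ms: Optional[float]) -> str:
    """Map a measured response time onto the guide's bands: within the IRT
    is Up, 1 to 1.5x IRT is Slow, 1.5 to 2x IRT is Very Slow.
    ASSUMPTION: slower than 2x IRT, or no reply, is reported as Down."""
    if response_ms is None:
        return "Down"
    ratio = response_ms / settings.irt_ms
    if ratio <= 1.0:
        return "Up"
    if ratio <= 1.5:
        return "Slow"
    if ratio <= 2.0:
        return "Very Slow"
    return "Down"


if __name__ == "__main__":
    # Constructed settings: a 2 s timeout with 5 retries waits 2+4+8+16+32+64 s,
    # i.e. 126 s, on a dead device, more than twice a 60 s polling interval.
    aggressive = SnmpPollSettings(timeout_s=2.0, retry=5, polling_interval_s=60.0)
    print(backoff_schedule(aggressive), worst_case_wait_s(aggressive), polls_overlap(aggressive))
    for ms in (300, 600, 900, 1500, None):
        print(ms, classify_response(aggressive, ms))
```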
Editing a Device
You can edit some of the properties of a specific device by right-clicking the device you want to
edit, then click Properties. Multiple devices can be selected by holding Ctrl + selecting the
devices.
When editing a single Non-GMS managed device, the Edit Device wizard displays, where you
can edit the device Name and Host IP address in their respective fields.
Continue with the device wizard to edit Monitor Information and Realtime Monitor Template Information. Note these are the same settings you originally configured when adding the device.
When editing a GMS Managed device or multiple devices, the Properties screen displays:
The Change checkbox appears next to each of the fields that have a difference in values for
that field among the devices selected. If there are no differences, the field does not appear.
Once the Change checkbox is selected, the value for the corresponding field is overwritten on
all selected fields.
Note that selecting the Disable checkbox will apply changes to all selected devices.
Click Finish to complete editing the device settings.
Note
You can only rename non-GMS devices. GMS devices cannot be renamed as the name is
synched with the assigned name from the Tree Control automatically.
Deleting a Device
To delete a device, right-click on the device you wish to delete and click Delete Device. A warning will display, confirming the device(s) you've selected to delete. Click Yes to continue.
Note
Multiple devices can be selected by holding Ctrl + selecting the devices. Make sure to select all devices before right-clicking to delete.
Assigning Permissions
Privileges to a device can now be assigned on a per user or per user group basis. When adding
a Net Monitor device, an Assign Permission dialog box displays in the Add Device Wizard,
listing all users in the system. Upon adding the device(s), you will also be able to select the
users and user groups to grant permissions to.
To add or update permissions to an existing device, navigate to Console > Management > Edit Users
1. From the Net Monitor page, select the device(s) you wish to create a realtime monitor for.
2.
3. Click on the button on the left side of the screen (under Realtime Monitors) to add a new realtime monitor.
4. Add a friendly name for the new monitor in the Monitor Name field.
5. If you wish to save the new monitor as a template for future use, select the Save as template checkbox. Then, add a friendly name for the template.
6.
Display Type
Chart Style: Used only when display type is set to graph.
7. Navigate to the MIB Tree list and select the OIDs you wish to add.
8. Click the button on the right side of the screen (under MIB Tree) to add the selected MIB(s) to the Elements list.
Note
Alternate ways of adding a MIB to the Elements list include double-clicking the MIB and dragging and dropping the MIB from the MIB Tree into the Elements list.
9.
Tip
It is important that the elements present in a Realtime Monitor Template contain OIDs that are present in the devices that the template is applied to. Applying a template which contains irrelevant OIDs can produce unexpected results.
10. Enter a friendly name for the element you just added by double-clicking the display name
11. Specify a threshold value for the alert monitor in the Threshold field corresponding to the new element.
12. Click the Apply button to save changes and create the realtime monitor.
1. Navigate to the SNMP > SNMP Manage Realtime Monitor Templates screen.
2. The list of available Realtime Monitor Templates appears on the left side of the screen. Select the template you want applied to the device.
3.
4.
Display Type
Chart Style: Used only when display type is set to graph.
5. Navigate to the MIB Tree list and select the OIDs you wish to add.
6.
Note
It is important that the elements present in a Realtime Monitor Template contain OIDs that are present in the devices that the template is applied to. Applying a template which contains irrelevant OIDs can produce unexpected results.
1.
2. In the menu bar, go to SNMP > SNMP Apply Realtime Monitor Templates.
3. Select the templates (ctrl-click for multiple selections) you wish to use for monitoring the selected device(s).
Multiple templates can be selected by holding Ctrl + selecting the templates. The Filter search bar allows you to narrow the list of templates. Perform an exact match search by using double quotation marks, for example "template name", or search with no quotation marks to search through multiple keywords.
4.
1. Select the device(s) you wish to monitor from the GMS NetMonitor main status screen (Ctrl-click for multiple devices).
2. In the menu bar, select SNMP > SNMP Realtime Monitor Status.
3. In the Realtime Monitors window, select one or more nodes to monitor. The appropriate graphs and or tables will be loaded into the monitoring window on the right side of the screen.
Note
Data in the monitoring windows is refreshed automatically based on the auto-refresh interval specified in NetMonitor Preferences. While you may do a manual refresh of the graphs and charts, it is not necessary.
4. To display historical charts (daily, weekly, monthly) for a node, double-click on the desired realtime graph in the monitoring window on the right side of the screen.
Note
Only one history chart window may be opened at a time. It is possible, however, to display historical charts for multiple nodes by selecting the charts you wish to view with ctrl-click, and then clicking the button at the top right side of the screen.
Managing Severity
To configure your Severity settings:
1.
2.
3. Move the new severity to a different priority level by having the severity selected in the list and using the and buttons.
4. Change the color of the severity by having the severity selected in the list and clicking the button.
5. To delete a severity, have the severity selected in the list, and click the button.
Note
A severity can not be deleted if it is being used by one or more threshold elements. Ensure all corresponding threshold elements are not associated with that severity before attempting to delete. Severities are global settings and are available to use across the system.
Managing Thresholds
Every element in a threshold is assigned an operator, value, and severity. Thresholds are ways of defining conditions that monitor specified object identifier (OID) values. When the defined condition is met, the threshold is triggered, and severity helps to identify the priority of the triggered threshold. To configure your thresholds:
1.
2. Click the button under Threshold and enter a friendly name to add a new threshold.
3. Click the
4. Configure the Operator, Value, and Severity fields in the new element as follows:
Operator: Double-click and choose an operator as a modifier for your value. For numeric values, operator options include ==, !=, >, >=, <, =<. For alphanumeric values, operator options include equals, equals ignore case, not equals, contains, not contains.
Value: Double-click and enter an alpha or numeric value. Numeric values are entered in bytes.
Severity: Double-click and choose a severity from the list to correspond with the operator and value.
You may also disable a specific threshold by selecting the Disabled checkbox.
The following threshold triggers a Low-level Warning at a value of less than 100000 bytes.
5.
Note
Thresholds are global settings and are available to use across the system.
To delete a Threshold, select the threshold and click the button.
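To make the operator semantics above concrete, here is an added example (not SonicWALL's code) that evaluates threshold elements of the kind described, including the Low-level Warning below 100000 bytes case. The element and threshold structures, the placeholder OID and the polled values are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

Value = Union[int, float, str]

# Numeric operators exactly as the guide lists them, including "=<" for
# less-than-or-equal.
NUMERIC_OPS: Dict[str, Callable[[float, float], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "=<": lambda a, b: a <= b,
}

# Alphanumeric operators as the guide lists them; "contains" is a plain
# case-sensitive substring test (assumption).
STRING_OPS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda a, b: a == b,
    "equals ignore case": lambda a, b: a.lower() == b.lower(),
    "not equals": lambda a, b: a != b,
    "contains": lambda a, b: b in a,
    "not contains": lambda a, b: b not in a,
}


@dataclass(frozen=True)
class ThresholdElement:
    oid: str          # OID the element watches (constructed structure)
    operator: str
    value: Value      # numeric values are in bytes, per the guide
    severity: str
    disabled: bool = False


@dataclass(frozen=True)
class Threshold:
    name: str
    elements: List[ThresholdElement]


def element_fires(elem: ThresholdElement, polled: Value) -> bool:
    """True when the polled OID value satisfies the element's condition.
    Numeric operators require numeric operands and string operators work on
    text; a mismatched pairing raises rather than silently never firing."""
    if elem.disabled:
        return False
    if elem.operator in NUMERIC_OPS:
        if isinstance(polled, str) or isinstance(elem.value, str):
            raise TypeError(f"operator {elem.operator!r} needs numeric operands")
        return NUMERIC_OPS[elem.operator](float(polled), float(elem.value))
    if elem.operator in STRING_OPS:
        return STRING_OPS[elem.operator](str(polled), str(elem.value))
    raise ValueError(f"unknown operator {elem.operator!r}")


def evaluate(threshold: Threshold, polled: Dict[str, Value]) -> List[Tuple[str, str]]:
    """Return (oid, severity) for every element that triggered. OIDs absent
    from the poll result are skipped rather than treated as a trigger."""
    fired: List[Tuple[str, str]] = []
    for elem in threshold.elements:
        if elem.oid in polled and element_fires(elem, polled[elem.oid]):
            fired.append((elem.oid, elem.severity))
    return fired


# Constructed sample: the guide's worked case (Low-level Warning below
# 100000 bytes) plus a text check on the standard MIB-II sysDescr.
FREE_MEM_OID = "1.3.6.1.4.1.0.0.1"   # placeholder, not a real SonicWALL OID
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # sysDescr.0

SAMPLE_THRESHOLD = Threshold("low-memory", [
    ThresholdElement(FREE_MEM_OID, "<", 100000, "Low-level Warning"),
    ThresholdElement(SYS_DESCR_OID, "not contains", "SonicWALL", "Critical"),
])

if __name__ == "__main__":
    # Constructed poll results for the two OIDs.
    print(evaluate(SAMPLE_THRESHOLD, {FREE_MEM_OID: 99999, SYS_DESCR_OID: "SonicWALL NSA"}))
    print(evaluate(SAMPLE_THRESHOLD, {FREE_MEM_OID: 250000, SYS_DESCR_OID: "Linux router"}))
```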
For more information regarding managing SNMP Schedule Reports, refer to the Using the
Universal Scheduled Reports Application section on page 58.
1. Select the device(s) you wish to configure alerts for from the GMS NetMonitor main status screen by clicking (ctrl-click for multiple devices).
2.
3. Click the Add Destination button to add a new destination. You are able to add a maximum of five destinations/schedules.
4.
5.
6. Select whether you want these settings applied to just the Selected Device or All Accessible Devices. Note that selecting the latter option will overwrite any existing settings for the affected devices.
7. Click Apply to complete adding alerts. A warning may display, notifying you that the Alert Settings will reset to the newly specified settings. Click Yes to continue.
Create a VPN tunnel to the remote firewall that makes all LAN subnets accessible to the
Net Monitor.
Real-Time Syslog
The real-time syslog utility enables you to diagnose the system by viewing the syslog messages in real time.
1.
2. Expand the Tools tree and click Real-Time Syslog. The Real-Time Syslog page appears.
3. If the Syslog Reader is not already running, click Start Syslog Reader.
4. Click Start Button at the bottom of the screen. The Syslog Viewer begins showing the latest syslog entries.
5. To change how many messages are displayed, select a number from the Number of Messages list box at the bottom of the screen.
6. To change how often the Syslog Viewer is refreshed, select the time from the Refresh Time list box at the bottom of the screen.
7. To filter the results on the fly, enter the search terms in the Filter field using regular expressions.
The Real-Time Syslog Viewer uses java.util.regex to support the search feature. For more information on this enhanced search capability, visit <http://java.sun.com/developer/technialArticles/releases/1.4regex/>
8.
1. Click the Monitor tab, expand the Tools tree and click Real-Time Syslog. The Real-Time Syslog page appears.
2. If the Syslog Reader is not already running, click Start Syslog Reader.
3. Click Start Button at the bottom of the screen. The Syslog Viewer begins showing the latest syslog entries.
4. To change how many messages are displayed, select a number from the Number of Messages list box at the bottom of the screen.
5. To change how often the Syslog Viewer is refreshed, select the time from the Refresh Time list box at the bottom of the screen.
6.
7.
Report Category
Report Title
Syslog Category
Data Usage
Summary
Network Traffic
Timeline
Network Traffic
Top Initiators
Network Traffic
Top Responders
Network Traffic
Top Services
Network Traffic
Network Traffic
Summary
Network Traffic
Data Usage
Network Traffic
Top Applications
Detected
Network Traffic
Top Applications
Blocked
Network Traffic
Top Categories
Network Traffic
Top Initiators
Network Traffic
Timeline
Network Traffic
User Activity
Network Traffic
Web Activity
Summary
Network Traffic
Top Categories
Network Traffic
Top Sites
Network Traffic
Top Initiators
Network Traffic
Timeline
Network Traffic
Network Traffic
Summary
Blocked Websites
Top Categories
Blocked Websites
Top Sites
Blocked Websites
Top Initiators
Blocked Websites
Timeline
Blocked Websites
Summary
Network Traffic
Network Traffic
Network Traffic
Network Traffic
Timeline
Network Traffic
Detected
Intrusion Prevention
Targets
Intrusion Prevention
Applications
Web Filter
VPN Usage
Intrusions
Table 26
Report Category
Gateway Viruses
Report Title
Syslog Category
Timeline
Intrusion Prevention
Attacks
Top Initiators
Attacks
Timeline
Attacks
Top Spyware
Blocked
Intrusion Prevention
Top Targets
Intrusion Prevention
Top Initiators
Intrusion Prevention
Timeline
Intrusion Prevention
Threats
Summary
Attacks, Intrusion
Prevention
Attacks
Targets
Attacks, Intrusion
Prevention
Top Initiators
Attacks, Intrusion
Prevention
Timeline
Attacks, Intrusion
Prevention
User Login
Authenticated Access
Admin Login
Authenticated Access
Failed Login
Authenticated Access
Analyzers
Log Analyzer
Syslog
Up-Down
Timeline
GMS
Spyware
Authentication
1.
2.
3. Navigate to the Configuration File Editor section, and click the Edit button.
4.
5.
Live Monitoring
Live Monitoring lets users monitor a network through the correlation of syslogs received from
appliances throughout a deployment. The syslogs are received by the Event Manager Receiver
Service, which then feeds them into an Event Correlation Engine. The engine sends the
messages through user-defined rules, and if a rule condition is met, the engine forwards the
object to be turned into an alert for Live Monitoring.
These alerts are sent to email, traps, other user-defined destinations, and to the new Live
Monitoring user interface, if a user is currently monitoring. Viewing alerts in the Live Monitoring
interface provides greater flexibility to monitor a network, and to analyze traffic based on
protocols, web usage and productivity, or even to detect viruses and attacks in the network.
Live Monitoring is a powerful tool when rules are created properly, allowing the user to monitor
various amounts of information on the unit(s) efficiently. Be aware that while the alerts keep you
updated with what is being sent and received, this may bombard your inbox or trap listener with
a heavy amount of notifications. This happens only when the rule is lenient; if the rule is strict,
there will not be a large number of notifications.
Click the Manage Rules button on the upper-right of the interface control bar. The Rule Manager > Rule List is now displayed.
Rule Settings
The Rule Manager > Rule Settings panel is now displayed. Fill in the Name field to build a
more descriptive name for this new rule. If you wish to just build a rule without immediately
enabling it, click on the Disable check box. Leaving this box blank sets the rule as enabled in
the Rule List, once it is built.
The Severity drop down menu allows you to set a different severity level tag for each syslog
that meets the conditions of this rule.
Rules must be created using available templates. Under the Group heading, you will find the
available templates.
Under the Generic rules group, a listing of rule templates display. Clicking on one of these
types allows the full rule to display below in the Rule Editor box.
The Computational rules group provides average-based statistical alerts on syslogs received,
further broken down by number received for appliances, or the number of syslogs received
grouped by appliance.
The Attack rules group offers rules to understand the number of appliances under attack from
security threats, and for identifying specific appliances under attack.
The Advanced rules group is a flexible template that allows syslogs to be filtered based on
one or two conditions.
Note
Multiple rules with the same Rule Type are allowed, as long as the values are different in
the rule condition(s). Creating different severity tags for the same rule type, with the same
conditions, is not possible.
The Destination and Schedule drop down menus are now displayed in the panel. To open
additional destination fields, up to the maximum of five, you may click again on Add Destination.
Open the Destination drop down menu to select the desired destination, such as
Email-Admin, Email-Adhoc, Trap listener Adhoc, etc. If you have email as a destination,
and the condition defined is very lenient, your email could easily be flooded with alerts.
Note
The Live Monitoring user interface will not appear as a destination, as it is auto-determined,
based on whether the interface is currently running. This means that if at least one user is
live monitoring the interface, the engine will automatically detect this and continue
forwarding alerts. If no one is currently monitoring, no alerts will be sent to the Live Monitor
interface, but they will continue to be sent to defined destinations, such as email and traps.
Once the destination is selected, open the adjoining Schedule drop down menu to select the
frequency this destination will receive alerts based on this rule.
Once the destination(s) and schedule(s) are set for alerts based on this rule, click the Finish
button to complete this Rule Update. Once completed, a dialog box appears announcing the
Rule Update action was successful. Click OK to close the dialog box and to return to the Rule
Manager > Rule List panel. The newly created rule will now be displayed in the list.
To change a rule's status, select it by clicking on the checkbox to the left of the rule name, then click the desired status icon from the section header. For example, if you chose to disable a rule, here is how it would appear with the X icon now showing the rule's current status as disabled.
Once you have built and enabled the rules you want the event correlation engine to apply
against the syslogs, click the Close button to return to the Live Monitoring user interface.
Before you can receive alerts in the Live Monitoring user interface, you must check the box next
to Enable Syslogs Forwarding for Live Monitoring. Once you check the box, the message
below appears. This is a reminder to anticipate an increase in syslog traffic, since each
message will be cloned for event handling. Click OK to proceed.
The remaining fields on the Monitor tab allow you to configure various Live Monitoring
settings, such as the IP address and port (default port is 21011) that the Live Monitoring
interface is listening on.
Note
In a distributed set-up, enter an IP address that is reachable, so the event manager knows
where the Live Monitoring reader is running.
The Monitor Buffer Size field allows you to define how many alerts need to be stored in the
buffer.
The Limit on Emails field is an email throttling setting that you can adjust to limit the number of emails sent every hour for each rule, to prevent the flooding of inboxes.
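A small model of the behaviour this chapter describes, added here and not part of GMS: rules tag matching syslogs with a severity and fan alerts out to at most five destinations, and a per-rule hourly email cap stands in for the Limit on Emails setting, which is what keeps a lenient rule from flooding an inbox. The rule condition format, the key=value syslog lines and their ids are constructed assumptions, not the GMS rule templates or the SonicWALL syslog format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MAX_DESTINATIONS = 5  # the guide's cap on destinations/schedules per rule


@dataclass
class Rule:
    name: str
    condition: Callable[[Dict[str, str]], bool]  # constructed: predicate over parsed fields
    severity: str
    destinations: List[str]
    enabled: bool = True

    def __post_init__(self) -> None:
        if len(self.destinations) > MAX_DESTINATIONS:
            raise ValueError(f"rule {self.name!r}: more than {MAX_DESTINATIONS} destinations")


@dataclass
class Alert:
    rule: str
    severity: str
    destination: str
    message: Dict[str, str]


class CorrelationEngine:
    """Runs each parsed syslog through the enabled rules; email destinations
    are throttled per rule and per hour, trap destinations are not."""

    def __init__(self, rules: List[Rule], email_limit_per_hour: int) -> None:
        self.rules = rules
        self.email_limit = email_limit_per_hour
        self._emails_sent: Dict[Tuple[str, int], int] = defaultdict(int)
        self.suppressed = 0  # emails dropped by the hourly limit

    def handle(self, msg: Dict[str, str], hour: int) -> List[Alert]:
        alerts: List[Alert] = []
        for rule in self.rules:
            if not rule.enabled or not rule.condition(msg):
                continue
            for dest in rule.destinations:
                if dest.startswith("Email"):
                    key = (rule.name, hour)
                    if self._emails_sent[key] >= self.email_limit:
                        self.suppressed += 1
                        continue
                    self._emails_sent[key] += 1
                alerts.append(Alert(rule.name, rule.severity, dest, msg))
        return alerts


SYSLOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(line: str) -> Dict[str, str]:
    """Parse key=value syslog text (constructed format) into a field dict."""
    return {k: v.strip('"') for k, v in SYSLOG_RE.findall(line)}


# Constructed sample messages; the ids and text are made up.
SAMPLE_LINES = [
    'id=fw sn=000 m=14 msg="Web site access denied" src=10.0.0.5 dst=203.0.113.9 cat="Social Networking"',
    'id=fw sn=000 m=97 msg="Web site hit" src=10.0.0.8 dst=203.0.113.10',
    'id=fw sn=000 m=608 msg="IPS Detection Alert" src=198.51.100.7 dst=10.0.0.2 pri=1',
]

# A lenient rule that matches every syslog, and a strict one for IPS alerts only.
LENIENT = Rule("any-syslog", lambda m: True, "Info", ["Email-Admin", "Trap listener Adhoc"])
STRICT = Rule("ips-alerts", lambda m: m.get("m") == "608", "High", ["Email-Admin"])


def run_sample(email_limit_per_hour: int) -> Tuple[List[Alert], int]:
    """Feed 30 messages (the sample lines ten times) through both rules in a
    single hour bucket; returns the alerts delivered and the emails suppressed."""
    engine = CorrelationEngine([LENIENT, STRICT], email_limit_per_hour)
    delivered: List[Alert] = []
    for line in SAMPLE_LINES * 10:
        delivered.extend(engine.handle(parse_syslog(line), hour=0))
    return delivered, engine.suppressed


if __name__ == "__main__":
    alerts, dropped = run_sample(email_limit_per_hour=5)
    # Lenient rule: 5 emails + 30 traps; strict rule: 5 emails; 30 emails throttled.
    print(len(alerts), "alerts delivered,", dropped, "emails throttled")
```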
Click on the User tab. This field allows you to set how often the Live Monitoring user interface
will refresh with new, incoming alerts. Once this is set, click Update to return to the Live
Monitoring user interface.
Once alerts are received, they will begin to appear in the user interface.
Note
Although Super Admins will be able to view alerts from across all domains of a network,
regular users will only see their domain-specific alerts in the Live Monitoring user interface.
Once Live Monitoring begins, the buttons will change in the upper-left of the interface control
bar. If you need to focus on one alert, while keeping the buffer from continuing to fill up with
alerts, click the Pause button.
Once alerts are paused, the control bar buttons will change again. Click Resume when you
are ready to resume Live Monitoring. If you wish to clear all alerts from the interface window,
click the Clear button.
Clicking the Stop button will terminate Live Monitoring from receiving alerts to display. Keep
in mind there is a 15-30 second lag before the event engine sees the Live Monitoring user
interface is no longer listening.
Scroll Navigation
The right side of the Live Monitoring interface contains a scroll bar. As alerts are displayed, the
most recent appear at the bottom of the buffer in auto-scroll mode. Clicking on other scroll bar
controls disables auto-scroll, giving command to the user. Re-start auto-scroll by clicking on the
auto-scroll icon at the top of the scroll bar. The scroll bar's up and down double arrow buttons
provide fast scroll movement in the display. The single arrow buttons provide standard
scrolling capability.
The Live Monitoring user interface can be viewed by multiple users at the same time. However,
if no users are actively monitoring, alerts will no longer be sent to the interface. Alerts will
continue to be sent to previously set destinations, such as email and traps.
Note
SonicWALL suggests referencing both the SonicWALL Knowledge Base article, Setting Up
GMS Live Monitor for Alerting, and the SonicWALL Log Event Reference Guide as
essential tools to effectively use the Live Monitoring feature. These documents are available
at www.sonicwall.com.
CHAPTER 38
Managing Inheritance in SonicWALL GMS
Inheritance in GMS specifies the process by which a node's settings can be inherited to and from
unit, group and parent nodes. Previously, GMS users could inherit settings down the hierarchy. This
ability can be understood as forward inheritance. Starting in GMS 6.0, users can now also
reverse inherit settings back up the hierarchy, from a unit or group node to its parent node. This
chapter contains the following sections:
To create a new filter, the user enters a name for this filter in the Name field. The user then
checks boxes next to the screens, or screen groups, they wish to inherit. This screen is
enhanced to automatically select or deselect dependent data screens, based upon the related
screens chosen by the user.
The user must then select the appropriate Access for each user type: Administrators,
Operators, End Users, and Guest users. These selections are made using the corresponding
drop down menus.
Once the user has made the desired screen and access selections, they must click the Add
button to finish creating the new inheritance filter. This new filter will now be available in the
Filter drop down menu on the Firewall > System > Tools screen.
Step 1
To inherit some or all of an appliance's settings, go to the Firewall > System > Tools screen within the GMS 6.0 Management Interface.
Step 2
In the left pane, the user clicks on the appliance whose settings they wish to inherit.
Step 3
Under the screen section heading, Inherit Settings at Unit, the user selects either forward or
reverse inheritance by clicking on the respective radio button.
Step 4
From the Filter drop down menu, the user selects the inheritance filter to apply. If a desired
filter is not listed and must be created, refer to the Configuring Inheritance Filters section on
page 759
Step 5
Once the desired inheritance filter is selected, the user clicks the Preview button. A Preview panel opens to allow the user to review the settings to be inherited. Users may continue with all of the default screens selected for inheritance or select only specific screens for inheritance.
Note
The Preview panel footer states, "All referring objects should also be selected as part of the settings picked, to avoid any dependency errors while inheriting." If the user deselects dependent screen data, the settings will not inherit properly.
Step 6
If the user is attempting forward inheritance, they may click Update to proceed. If the user is
attempting to reverse inherit settings, an additional selection must be made at the bottom of the
Preview panel. The user must select either to update the chosen settings to only the target
parent node, or to update the target parent node along with all unit nodes under it. Once the
user makes this selection, they may click Update to proceed, or Reset to edit previous
selections.
Step 7
If the user selects to update the target parent node and all unit nodes, a Modify Task
Description and Schedule panel opens in place of the Preview panel. (This panel will not
appear if the user selects Update only target parent node). If the Modify Task Description and
Schedule panel opens, the user can edit the task description in the Description field. They
may also adjust the schedule for inheritance, or continue with the default scheduling. If the user
chooses to edit the timing by clicking on the arrow next to Schedule, a calendar expands
allowing the user to click on a radio button for Immediate execution, or to select an alternate
day and time for inheritance to occur. Once the user has completed any edits, they select either
Accept or Cancel to execute or cancel the scheduled inheritance, respectively.
Once the inheritance operation begins, a progress bar appears, along with text stating the
operation may take a few minutes, depending on the volume of data to be inherited, as shown
below:
Once the inheritance operation is complete, the desired settings from the unit or group node
should now be updated and reflected in the parent node's settings, as well as in the settings of
all other units, if selected.
CHAPTER 39
Configuring User Settings
This chapter describes how to configure the user settings that are available in the Console
panel on the User Settings > General page, which provides a way to change the GMS
administrator password, the GMS inactivity Timeout, and pagination settings.
Perform the following steps to configure the user settings that are available in the Console
panel on the User Settings > General page:
Step 1
Enter the existing SonicWALL GMS password in the Current GMS Password field.
Step 2
Enter the new SonicWALL GMS password in the New GMS Password field.
Step 3
Step 4
The GMS Inactivity Timeout period specifies how long SonicWALL GMS waits before logging
out an inactive user. To prevent someone from accessing the SonicWALL GMS UI when
SonicWALL GMS users are away from their desks, enter an appropriate value in the GMS
Inactivity Timeout field. You can disable automatic logout completely by entering a -1 in this
field. The minimum is 5 minutes and the maximum is 120 minutes.
Step 5
Select a value between 10 and 100 in the Max Rows Per Screen field. This value applies only
to non-reporting related paginated screens.
Step 6
The Appliance Selection Panel options determine how devices are displayed in the far left
panel. You can display only icons (the Icons option), only the name of the appliance (Text), or
both icons and names (Icons and text), or use the default GMS display settings for this user
(Use default). The default is Icons and Text.
Step 7
To configure SonicWALL GMS to display an editable task description each time a task is
generated, select the Enable edit task description dialog when creating tasks check box.
Step 8
To have GMS play an audio alert when an appliance goes up, check the Enable Audio Alarm
when a Managed Unit goes Up check box.
Step 9
To have GMS play an audio alert when an appliance goes down, check the Enable Audio
Alarm when a Managed Unit goes Down check box.
To customize the audio alerts, place wav files in the following directory:
[SGMS2]\Tomcat\webapps\sgms\com\sonicwall\sgms\applets\common
The file names for an appliance going up and down must be up_custom.wav and
down_custom.wav respectively.
Step 10 To view the message of the day now, click View Message of the Day.
Step 11 When you are finished, click Update. The settings are changed. To clear all screen settings and
Note
The maximum length of the SonicWALL GMS User ID is 24 alphanumeric characters. The password is one-way hashed, so a password of any length is stored as a fixed-length, 32-character internal password.
CHAPTER 40
Configuring Log Settings
This chapter describes how to configure Log Settings. This includes configuring the deletion of log messages after a certain period of time, and setting criteria for viewing logs.
This chapter includes the following sections:
1. Click the Console tab, expand the Log tree, and click Configuration. The Configuration page displays.
2. Select the month, day, and year from the drop-down menu.
3.
1. Click the Console tab, expand the Log tree, and click View Log. The View Log page displays.
2.
Tip: You can press Enter to navigate from one form element to the next in this section.
Select Time of logs: displays all log entries for a specified range of dates.
SonicWALL Node: displays all log entries associated with the specified SonicWALL appliance.
field provides an auto-suggest functionality that uses existing log message text to
predict what you want to type. It fills in the field with the suggested text and you can
either press Tab to accept it or keep typing. Different suggestions will appear as you
continue to type if log messages match your input.
All (Alert, Warning, and FYI), where FYI means For Your Information
Alert
Select the Match case checkbox to make the SonicWALL Node, GMS User, and
Exact Phrase: matches a log entry that contains exactly what you typed in the Message contains field.
All Words: matches a log entry that contains all the words you typed in the Message contains field, but the words can be non-consecutive or in any order.
Any Word: matches a log entry that contains any of the words you typed in the Message contains field.
4. To view the results of your search criteria, click Start Search. To clear all values from the input fields and start over, click Clear Search. To save the results as an HTML file on your system, click Export Logs and follow the on-screen instructions.
5. To configure how many messages are shown per screen, enter a new value between 10 and 100 in the Show Messages Per Screen field (default: 10). Click Next to display the next page, or click Previous to display the preceding page.
6. To jump to a specific message, enter the message number in the Go to Message Number field.
CHAPTER 41
Managing Scheduled Tasks
This chapter describes how to configure scheduled tasks in the Console panel Tasks screen.
This chapter includes the Scheduled Tasks section on page 771.
Scheduled Tasks
As you perform multiple tasks through the SonicWALL GMS UI, SonicWALL GMS creates,
queues, and applies them to the SonicWALL appliances. As SonicWALL GMS processes tasks,
some SonicWALL appliances may be down or offline. When this occurs, SonicWALL GMS
requeues the tasks and reattempts the changes.
1. Click the Console tab, expand the Tasks tree and click Scheduled Tasks. The Scheduled Tasks page displays.
2.
applies.
appliance.
Scheduled Time (Agent): time the task was scheduled in the time zone of the agent.
No. of Attempts: specifies the number of times SonicWALL GMS has attempted to
Last Error: if the task was not successfully executed, specifies the error.
SGMS User: specifies the user who created the task.
Agent: specifies the IP address of the agent.
3. To narrow the search, enter one or more of the following search criteria and click Start Search:
Tip: You can press Enter to navigate from one form element to the next in this section.
Calendar: select the period of time for which SonicWALL GMS will display tasks. The pull-down menu to the right enables you to specify whether the date range applies to the task creation time, the local scheduled time, or the agent scheduled time.
appliance.
Note
4. To execute one or more scheduled tasks immediately, select their check boxes and click Execute the tasks selected now. You can also select all of the tasks on the page by checking the Select Only the 10 Tasks Displayed Above checkbox, or select all tasks by checking the Select All Pending Tasks checkbox.
5. To reschedule one or more pending tasks for another time, select their check boxes and click Re-schedule the tasks selected. The GMS Date Selector dialog box displays.
6. Select a new date when the task will execute and click OK. The dialog box closes and the task will execute at the selected time.
The task(s) will execute based on the time setting of the SonicWALL GMS agent server, UTC, or the local browser's time.
7.
CHAPTER 42
Configuring Console Management Settings
This chapter describes the settings available on the Console panel in the Management section.
The following sections are found in this chapter:
Enabling Reporting and Synchronization with Managed Units section on page 777
Scheduled Reports
Step 2
Expand the Management tree and click Settings. The Settings page displays.
Step 3
Type the IP address of the Simple Mail Transfer Protocol (SMTP) server into the SMTP Server
field. This server can be the same one that is normally used for email in your network. Type in
the SMTP Port number to use for email service.
Step 4
Enter the email account name and domain that will appear in messages sent from the
SonicWALL GMS into the GMS Sender e-Mail Address field.
Step 5
Enter the email account name and domain that will appear in messages sent from the
SonicWALL GMS into the GMS Administrator e-Mail Address field. You can use User
Authentication for this user by checking the box.
Step 6
When finished in the Settings page, click Update. To clear the screen settings and start over,
click Reset.
Step 2
Expand the Management tree and click Settings. The Settings page displays.
Step 3
Select Daily or Weekly in the Automatically save prefs file & addunit.xml field, and select a
day of the week (if weekly) and a time. This determines how often SonicWALL GMS will
automatically save the preferences and addUnit.xml files.
Step 4
To automatically save the VPN Gateway Preferences files for SonicWALL appliances, select
Automatically save VPN Gateway Prefs file.
Note
The Enable Prefs Backup option must also be selected on the Policies > General > Settings screen.
Step 5
When finished in the Settings page, click Update. To clear the screen settings and start over, click Reset.
Step 2
Expand the Management tree and click Settings. The Settings page displays.
Step 3
To enable GMS Reporting, select the Enable Reporting check box. To disable it, deselect the
Enable Reporting check box (default: Enabled).
Step 4
To configure SonicWALL GMS to automatically synchronize with the local changes made to the
SonicWALL appliances, select the Enable Auto Synchronization check box.
Step 5
For SonicWALL appliances that do not have direct access to the Internet, you can instruct GMS to download updates to security service signatures. To do so, select the following two check boxes:
Firewalls managed by this GMS do not have Internet Access
Upload latest signatures on subscription status change
Note
When updated signatures have been downloaded to the GMS, you must then manually upload them to the SonicWALL appliances. This action is performed on the Policies > System > Tools page. When there are new signatures to be uploaded, the Upload Signatures Now button appears on the Tools page. Click this button to manually upload the signatures.
Step 6
To create an addUnit.xml file to track all units under management, click Create Add Unit XML
File.
Step 7
When finished in the Settings page, click Update. To clear the screen settings and start over,
click Reset.
Note
Enhanced security settings are also available in your browser. For information, refer to the
Browser Requirements section on page 9.
GMS supports these data security standards by providing support for encryption of all
passwords and any pre-shared secrets in the database. This includes VPN Security
Association pre-shared secrets, encryption keys, authentication keys, and passwords. The
following passwords are encrypted in GMS:
Enhanced security compliance also requires a password rotation feature. GMS supports
password rotation requirements, including several changes in the management interface.
These changes occur on the Console panel, in the Management > Settings screen and in all
screens accessed from the Management > Users screen.
To turn on password security enforcement in GMS:
Step 1
In the Management > Settings screen, select the Enforce Password Security checkbox.
Step 2
In the Number of failed login attempts before user can be locked out field, enter a value.
The default is 6.
Step 3
In the User lockout minutes field, enter a value. The default is 30. This is the number of
minutes that a user will not be able to log in to GMS after failing to log in correctly for the
specified number of attempts.
Step 4
In the Number of inactive days to mark user for deletion field, enter a value. The default is 90. The user's account will be deleted if it is not used for the specified number of days.
Step 5
In the Number of days to force password change field, enter a value. The default is 90. GMS
will prompt the user to change his password after the specified number of days.
Step 6
When finished in the Settings page, click Update. To clear the screen settings and start over,
click Reset.
Domains
A Domain in GMS is a logically bound collection of users, authentication servers, managed appliances, policies and reporting data, alerts, and all other related data, in such a manner that the contents of a domain are only visible within the boundaries of the domain. Data from one domain is not visible to users in other domains. Only the SuperAdmin user can create new domains and can view and edit information from all the domains in the system. All other admin users of each domain have the privilege of managing their own domains in GMS.
This section describes the following GMS Settings topics:
About Domains
In addition to a built-in LocalDomain with a LocalAuthServer for authentication of users, GMS is able to access and authenticate against popular third-party systems, including Active Directory, RADIUS and LDAP, in a transparent fashion. By default, GMS maintains its own locally stored database for authentication purposes. This is also referred to as the LocalAuthServer. GMS also allows simultaneous third-party database authentication, which makes use of your existing (and separately maintained) database system(s).
Note
Although GMS supports the use of multiple external authentication mechanisms for a single domain, only one instance of a local GMS authentication server (the default GMS LocalAuthServer) can exist for each domain.
The user hierarchy of your database (either GMS or third-party) determines what a user's view consists of, and what data they are able to access and/or modify. In the case of Active Directory servers, GMS has the ability to limit access to only specified groups of users. If this functionality is desired, the target groups must be specified.
Note
Every instance of GMS installs with a default domain, named LocalDomain, even before a domain is created by the administrator. Users of new admin-created domains do not have the ability to view data in other domains.
1. Log in as the Administrator of the LocalDomain on the SonicWALL GMS Login Screen.
2. Navigate to the Console > Management > Domain page. You will see a default LocalDomain. To create a new domain in SonicWALL GMS, click Add Domain and complete the configuration parameters for the new remote domain.
3. Under Name, type in the desired name for the remote domain. This name will be visible on the Domain pull-down list on the SonicWALL GMS Login screen.
Note
4. For Default Admin User, specify a valid user account; this will be the default admin account created for the domain. Note that this username must exist in your third-party server, and will have administrative privileges in GMS for the newly created domain.
5. The Host Name can be specified either as the IP address of the remote server or as its fully-qualified domain name.
The authentication server's Global Catalog can be set as the Host in the case of a complex directory structure. If the Global Catalog is used, SonicWALL GMS will be able to search through the directory and through all its child nodes.
6. If your new domain will use only the local (GMS) database for user authentication, configuration is complete after this step.
If you are planning to authenticate using an existing third-party database, continue to Configuring LDAP or AD Authentication or Configuring RADIUS Authentication.
Note
1. Be sure to complete the basic setup procedures in the Creating a New Domain section on page 779 before continuing.
2. Check the Add Auth Server option to enable third-party authentication for this domain.
3. In the Authentication Port field, specify the port number on which the third-party server listens for authentication requests.
The default Authentication Port for LDAP or AD servers is 389. To reach an AD server's global catalog, use port 3268.
Note
Note
4. Select LDAP or Active Directory from the pull-down menu under Host Type.
5. Next, select the Protocol Version that the remote server is running.
6. The Base Distinguished Name (Base DN) is used to identify the root entry in the directory from which SonicWALL GMS will execute searches. This should be the node in the authentication system under which all SonicWALL GMS users will be present. The value is specified as a distinguished name (for example, dc=gmseng,dc=com).
7. Click the Use SSL checkbox to use SSL when connecting to the remote server. If you check this checkbox, you will need to specify the SSL Port on which the remote server is listening for bind requests. By default, this is 636. If connecting to an AD server's global catalog, use port 3269.
SonicWALL recommends using SSL with remote domains. The Certificate Authority (CA) or root certificate of the LDAP server will need to be imported into the GMS JRE using the keytool command.
8.
9. The Login User Distinguished Name is used to authenticate to the third-party server when performing the initial bind. This value is specified as a distinguished name. Type the matching password into the Login Password field.
The Login User Distinguished Name need not correspond with the Admin User ID, but both must exist in the third-party server. The Login User Distinguished Name can be found using any LDAP browser tool.
10. In the Connection Timeout field, specify the connection timeout period (in milliseconds).
Once the Settings panel is completed, click the Schema panel to continue setup of the new remote domain.
11. Under LDAP Schema, select which LDAP Server you are using from the pull-down list.
Each selection in this list will fill in the remaining fields on the Schema panel with default
values.
Note
If the server you are using is not specified in the default list, click User Defined to configure
your own values and settings.
12. Optional, for AD servers only: Select the Allow Only AD Group Members checkbox. Then specify which groups are allowed to log in to GMS from this remote domain. Multiple groups can be specified if they are separated by a semicolon. All users that are members of the specified AD groups must be present below the Base DN that was specified in the Settings panel.
Note
1. Check the Add Auth Server option to enable authentication by a third-party server.
2. Enter the Host Name (or IP address) of the RADIUS server you wish to use for authentication.
3. Enter the Authentication Port on which the RADIUS server listens for requests. The default Authentication Port is 1812.
4. Enter the Shared Secret to be used between GMS and the RADIUS server.
5. SonicWALL GMS supports the PAP, CHAP, MSCHAP, and MSCHAPv2 protocols for RADIUS authentication.
6. Enter the RADIUS Timeout (Seconds); this specifies the amount of time GMS will wait before giving up or retrying the authentication attempt. The number of retries is specified next. The default value is 10 seconds.
7. Enter the Max Retries; this specifies the number of times GMS will attempt to authenticate with the RADIUS server before aborting the attempt. The default value is 3 tries.
8. Fill in the Host Name, Authentication Port, and Shared Secret values for your backup RADIUS server, if available.
9. Check the Allow Only Radius Group Members option if you plan to limit GMS access to members of select groups. The specific groups are specified later in this tab.
10. If configured, select the Use SonicWALL Vendor specific attribute on RADIUS Server
11. If the RADIUS server is configured to return the Filter-ID attribute with each user ID, select the Use Filter-ID attribute on RADIUS Server option. Henceforth, this value will be used as the RADIUS user group identifier.
12. Enter the Allowed RADIUS Group(s), separated by a semicolon (;). This field specifies
You will also see the new domain (local and remote) you have created under Console > Management > Domains of SonicWALL GMS. To confirm the configurations for each domain, click the icon to view or change these settings.
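As an added example, not part of the original guide or of GMS itself, the following Python models how the RADIUS Timeout, Max Retries, backup server and Filter-ID group settings from the steps above interact from the GMS client's point of view; the transport, host names, users and reply attributes are constructed for the example.

```python
"""Added example (not SonicWALL GMS code): how the RADIUS settings in the
steps above interact on the client side.

Each attempt waits RADIUS Timeout (default 10 s); after Max Retries
(default 3) unanswered attempts the client gives up on that server and moves
on to the backup. An Access-Accept is then filtered through the Filter-ID
attribute against the semicolon-separated Allowed RADIUS Group(s) list.
The transport is pluggable so this runs offline; host names, users and
replies are constructed, and PAP/CHAP packet encoding is not modelled.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class RadiusServer:
    host: str
    port: int = 1812          # default Authentication Port quoted above
    shared_secret: str = ""   # carried for completeness; packet HMACs not modelled


@dataclass
class RadiusSettings:
    servers: list                 # primary first, backup second
    timeout_seconds: int = 10     # RADIUS Timeout (Seconds) default
    max_retries: int = 3          # Max Retries default
    allow_only_group_members: bool = False
    allowed_groups: str = ""      # raw Allowed RADIUS Group(s) field


# transport(server, username, password, timeout) -> reply attributes,
# or raises TimeoutError when the server does not answer in time.
Transport = Callable[[RadiusServer, str, str, int], dict]


def parse_allowed_groups(raw: str) -> set[str]:
    """Split the semicolon-separated field, ignoring blanks and stray spaces."""
    return {g.strip() for g in raw.split(";") if g.strip()}


def authenticate(settings: RadiusSettings, username: str, password: str,
                 transport: Transport) -> tuple[bool, str]:
    """Return (accepted, reason).

    A timeout is retried on the same server up to max_retries times and then
    falls over to the next server; an explicit reject is final, since the
    backup server holds the same user database and would answer the same.
    """
    allowed = parse_allowed_groups(settings.allowed_groups)
    for server in settings.servers:
        for attempt in range(1, settings.max_retries + 1):
            try:
                reply = transport(server, username, password, settings.timeout_seconds)
            except TimeoutError:
                continue                         # same server, next attempt
            if reply.get("code") != "Access-Accept":
                return False, f"rejected by {server.host}"
            if settings.allow_only_group_members:
                group = reply.get("Filter-ID")   # a missing attribute also fails
                if group not in allowed:
                    return False, f"Filter-ID {group!r} not in allowed groups"
            return True, f"accepted by {server.host} on attempt {attempt}"
    return False, "all RADIUS servers timed out"


def make_demo_transport(down_hosts: set[str], users: dict) -> Transport:
    """Constructed stand-in for the network: hosts in down_hosts never answer,
    any other host checks users = {name: (password, filter_id)}."""
    calls: list[str] = []

    def transport(server, username, password, timeout):
        calls.append(server.host)
        if server.host in down_hosts:
            raise TimeoutError(f"{server.host}: no reply within {timeout}s")
        entry = users.get(username)
        if entry is None or entry[0] != password:
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept", "Filter-ID": entry[1]}

    transport.calls = calls   # exposed so callers can see the retry pattern
    return transport


def demo() -> tuple:
    """Primary down, backup up; alice is in an allowed group, bob is not."""
    settings = RadiusSettings(
        servers=[RadiusServer("radius-primary.example", shared_secret="s3cr3t"),
                 RadiusServer("radius-backup.example", shared_secret="s3cr3t")],
        allow_only_group_members=True,
        allowed_groups="GMS-Admins; GMS-Operators;",
    )
    transport = make_demo_transport({"radius-primary.example"},
                                    {"alice": ("pw", "GMS-Admins"),
                                     "bob": ("pw", "Helpdesk")})
    return (authenticate(settings, "alice", "pw", transport),
            authenticate(settings, "bob", "pw", transport),
            list(transport.calls))
```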
Editing a Domain
Any admin-created domain can be edited after initial creation. To edit a domain:
Note
The default LocalDomain which comes pre-installed with GMS systems cannot be edited or deleted.
1. Log in as the Administrator of the LocalDomain on the SonicWALL GMS Login Screen.
2. Navigate to the Console > Management > Domain page. To edit a domain in SonicWALL GMS, select the checkbox corresponding to the domain you wish to edit and click the Edit Domain button.
3.
Users
To operate in complex environments, SonicWALL GMS is designed to support multiple users,
each with his or her own set of permissions and access rights. This section contains the
following subsections:
Note
All of the user configuration options are available through the command-line interface. For more information, refer to the SonicWALL GMS Command-Line Interface Guide.
1. Click the Console tab, expand the Management tree and click Users. The General Page of the User screen displays.
2. In the middle pane, right-click All Users and select Add User Types from the pop-up menu. A new user group dialog box displays.
3. In the dialog box, enter the name of the new user type and then click OK. The new user type is added to the list under All Users.
4. In the right pane, enter any comments regarding the new user group in the Comments field.
5. Select a default view for the new user group from the Default View pull-down menu. This view will be displayed for members of the user group when they first log in to SonicWALL GMS.
6. To force all users in the user group to change their passwords, select the Change Password checkbox.
7. To delete the user type when it becomes inactive, select the Delete Inactive checkbox.
8. To set a date when the user type will become inactive, click in the Active Until field and then select a date from the popup calendar.
9. To keep the user type active at all times without an end date, select the Always Active checkbox.
10. Select the schedule for when the user group is active from the pull-down list in the
Schedule field.
11. Click Update. The new user group is added. By default, the new group has no privileges.
To configure screen access settings, refer to the Moving a User section on page 787.
Adding Users
This section describes how to create a new user. Although the user will inherit all group
settings, individual user settings will override the group settings.
To add a new user, perform the following steps:
Note
Note
1. Click the Console tab, expand the Management tree and click Users. The General Page of the User configuration screen displays.
2. Right-click a user group and select Add User from the pop-up menu. The Add User window displays.
3. In the dialog box, enter a username and a password and click OK. In the main window, the new user displays beneath the group to which it is assigned.
The username and password are case-sensitive. Do not enter the single quote character (') in the User ID field.
4.
5.
6.
Enter contact information for the user in the Phone, Fax, Pager, and Email fields.
7. Select the default view for the user from the Default View list box.
8. Enter any comments regarding the new user in the Comments field.
9. Check the SuperAdmin checkbox to enable privileges for this user across all domains.
By default, permissions for users exist only within the domain to which they belong. By checking the SuperAdmin option, permissions are extended across all domains.
10. Enter the number of minutes that the user can be inactive on his computer before the
session times out in the Inactivity Timeout field. Enter -1 to never time out.
11. To change the password for the user, type in the password in the New Password field, and
12. To disable the user without deleting the entire entry, select the Account Disabled
checkbox.
13. To force the user to change his password, select the Change Password checkbox.
14. To delete the user when the account becomes inactive, select the Delete Inactive
checkbox.
15. To set a date when the user will become inactive, click in the Active Until field and select
16. To keep the user active without an end date, select the Always Active checkbox. If this is
17. Select a schedule when the user is active from the pull-down list in the Schedule field.
18. Do one of the following:
Click Inherit Permissions from Group. The user will inherit the permissions from the
Click Update. The new user is added. You will need to configure the user's permissions. See Moving a User below, and Configuring Appliance Access on page 790.
Click Reset to change all fields in this screen to their default values and start over.
Note
To temporarily disable a user account, select the Account Disabled check box and click
Update.
Moving a User
When new users log in to SonicWALL GMS for the first time, they are considered guest users and have only limited access. One way to configure user privileges is to move the user to the appropriate group.
To change a SonicWALL GMS user's group:
1.
2.
3.
4.
You'll see that there are currently four different categories of users: Administrators, End Users, Guest Users, and Operators. These categories can be further opened to list the users that comprise them.
5.
6. Right-click the new user's name in the Guest Users list and select Move User from the pull-down menu.
7. In the Move User dialog box, select the appropriate new level for the new user, and select Inherit permissions defined from the new user type permission.
8. Click OK.
Note
1. Navigate to Console > Management and open the Users configuration screen.
2.
3.
4. Under All Screens, select a panel, section, or screen. For example, for REPORTS_PANEL, you can select the whole panel, the unit type section such as Firewall, SRA, CDP, or Email Security, the group of reports for that type of unit, or the individual report or screen that you want to set permissions for. In this example, we chose the Firewall > Bandwidth panel.
5.
group-level screens, select View & Update At Unit Level Only. This option is only
available for objects in the Policies Panel and Reports Panel.
For this example, we select the View Only option to allow our executive team to view the
firewall bandwidth panel.
6.
7.
If you are applying permission changes to a group, you may see a warning screen. Verify that you wish to apply these changes to the group and all users within that group, and click the OK button.
The panel object is now preceded by a
Note
The more specific settings override the more general settings. For example, if you
select View Only for the Status group of reports and select None for the Up-Time
over Time report, then the selected user will only see the Up-Time Summary report
in the Status reports and have View Only permission for that report.
8.
9.
1.
2. Select a user.
3.
4.
5. To provide the user with access to a SonicWALL group or appliance, select a SonicWALL group or appliance in the left pane of the window and click Add. The group or appliance displays in the right pane.
6.
7. To prevent the user from accessing a SonicWALL group or appliance, select the group or appliance in the right pane of the window and click Remove. The group or appliance is deleted from the right pane.
8.
2.
3.
4. Select the unit actions you wish to be available for this group in the Units section. Checkboxes: Rename Unit (rename units), Login to Unit, Modify Properties, Re-assign Agents.
5. Select the view options you wish to be available for this group in the Views section. Checkboxes: Manage View, Change View.
6. Select any remaining options for this group in the Others section. Checkboxes: Enable CLI, Enable Dashboard.
7.
Custom Groups
The SonicWALL GMS uses an innovative method for organizing SonicWALL appliances. SonicWALL appliances are not forced into specific, limited, rigid hierarchies. Simply create a set of fields that define criteria (e.g., country, city, state) which separate SonicWALL appliances. Then, create and use views to display and sort appliances on the fly.
Note
Although SonicWALL GMS supports up to ten custom fields, only seven fields can be used
to sort SonicWALL appliances in any view.
The following are examples of custom fields that you can use:
User type: Different service offerings can be made available to different user types. For example, engineering, sales, and customer service users can have very different configuration requirements. Or, if offered as a service to end users, you can allow or disallow network address translation (NAT) depending on the number of IP addresses that you want to make available.
SonicWALL GMS is pre-configured with four custom fields: Country, Company, Department,
and State. These fields can be modified or deleted.
To add fields, perform the following steps:
Note
1. Click the Console tab, expand the Management tree and click Custom Groups.
2.
3.
4.
5. Select the newly created field and select Add Group from the pop-up menu.
6.
7. Repeat Steps 6 through 8 for each field that you want to create. You can create up to ten fields.
Although the fields appear to be in a hierarchical form, this has no effect on how the fields
will appear within a view. To define views, see Configuring Unit, View, and Other
Permissions on page 791.
To modify or delete fields, right-click any of the existing fields and select Modify or Delete from
the pop-up menu.
2. Expand the Management tree and click Settings. The Settings page displays.
3. Select Daily or Weekly in the Automatically save prefs file & addunit.xml field, and select a day of the week (if weekly) and a time. This determines how often SonicWALL GMS will automatically save the preferences and addUnit.xml files.
4. To automatically save the VPN Gateway Preferences files for SonicWALL appliances, select Automatically save VPN Gateway Prefs file.
SonicWALL GMS 7.0 Administrators Guide
Note
The Enable Prefs Backup option must also be selected on the Policies > General > Settings screen.
5. When finished in the Settings page, click Update. To clear the screen settings and start over, click Reset.
2. Expand the Management tree and click Settings. The Settings page displays.
3. To enable GMS Reporting, select the Enable Reporting check box. To disable it, deselect the Enable Reporting check box (default: Enabled).
4. To configure SonicWALL GMS to automatically synchronize with the local changes made to the SonicWALL appliances, select the Enable Auto Synchronization check box.
5. For SonicWALL appliances that do not have direct access to the Internet, you can instruct GMS to download updates to security service signatures. To do so, select the following two check boxes:
Firewalls managed by this GMS do not have Internet Access
Upload latest signatures on subscription status change
Note
When updated signatures have been downloaded to the GMS, you must then manually upload them to the SonicWALL appliances. This action is performed on the Policies > System > Tools page. When there are new signatures to be uploaded, the Upload Signatures Now button appears on the Tools page. Click this button to manually upload the signatures.
6. To create an addUnit.xml file to track all units under management, click Create Add Unit XML File.
7. When finished in the Settings page, click Update. To clear the screen settings and start over, click Reset.
Note
Enhanced security settings are also available in your browser. For information, see Browser Requirements on page 9.
GMS 4.1 supports these data security standards by providing support for encryption of all
passwords and any pre-shared secrets in the database. This includes VPN Security
Association pre-shared secrets, encryption keys, authentication keys, and passwords. The
following passwords are encrypted in GMS 4.1:
Enhanced security compliance also requires a password rotation feature. GMS 4.1 supports
password rotation requirements, including several changes in the management interface.
These changes occur on the Console panel, in the Management > Settings screen and in all
screens accessed from the Management > Users screen.
To turn on password security enforcement in GMS:
1. In the Management > Settings screen, select the Enforce Password Security checkbox.
2. In the Number of failed login attempts before user can be locked out field, enter a value. The default is 6.
3. In the User lockout minutes field, enter a value. The default is 30. This is the number of minutes that a user will not be able to log in to GMS after failing to log in correctly for the specified number of attempts.
4. In the Number of inactive days to mark user for deletion field, enter a value. The default is 90. The user's account will be deleted if it is not used for the specified number of days.
5. In the Number of days to force password change field, enter a value. The default is 90. GMS will prompt the user to change his password after the specified number of days.
6. When finished in the Settings page, click Update. To clear the screen settings and start over, click Reset.
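As an added example (not SonicWALL GMS code), the following Python writes out the account rules implied by the four Enforce Password Security fields in this procedure, using the page's defaults, so that their interaction can be tested; the user record, the timestamps and the choice to treat the deadline as reached on the exact day are assumptions made for the example.

```python
"""Added example (not SonicWALL GMS code): the account-state rules behind the
Enforce Password Security fields above, written out so the interaction of
the four values can be tested.

Defaults are the page's: 6 failed attempts, 30 lockout minutes, 90 inactive
days before the account is marked for deletion, 90 days before a password
change is forced. The clock is passed in explicitly so the rules are
deterministic; the user record and timestamps below are constructed, and
counting the deadline as reached on the exact day is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PasswordPolicy:
    max_failed_attempts: int = 6             # Number of failed login attempts ...
    lockout_minutes: int = 30                # User lockout minutes
    inactive_days_before_deletion: int = 90  # Number of inactive days to mark user for deletion
    password_max_age_days: int = 90          # Number of days to force password change


@dataclass
class UserAccount:
    user_id: str
    password_changed_at: datetime
    last_login_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def is_locked_out(acct: UserAccount, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def record_login_attempt(policy: PasswordPolicy, acct: UserAccount,
                         password_ok: bool, now: datetime) -> str:
    """Apply one login attempt and return 'ok', 'failed' or 'locked'.

    The lockout check comes first: a correct password during the window is
    still refused, otherwise the lockout would not slow down guessing at all.
    """
    if is_locked_out(acct, now):
        return "locked"
    if password_ok:
        acct.failed_attempts = 0
        acct.locked_until = None
        acct.last_login_at = now
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.max_failed_attempts:
        acct.locked_until = now + timedelta(minutes=policy.lockout_minutes)
        acct.failed_attempts = 0          # fresh count once the window expires
        return "locked"
    return "failed"


def must_change_password(policy: PasswordPolicy, acct: UserAccount, now: datetime) -> bool:
    """Force a change once the password reaches the configured age."""
    return now - acct.password_changed_at >= timedelta(days=policy.password_max_age_days)


def marked_for_deletion(policy: PasswordPolicy, acct: UserAccount, now: datetime) -> bool:
    """Mark the account once it has been idle for the configured number of days."""
    return now - acct.last_login_at >= timedelta(days=policy.inactive_days_before_deletion)


def demo() -> dict:
    """Six wrong passwords, a correct one inside the lockout, then one after it."""
    policy = PasswordPolicy()
    t0 = datetime(2012, 6, 1, 9, 0)
    acct = UserAccount("gmsadmin",
                       password_changed_at=t0 - timedelta(days=100),
                       last_login_at=t0 - timedelta(days=2))
    attempts = [record_login_attempt(policy, acct, False, t0 + timedelta(seconds=i))
                for i in range(6)]
    during_lock = record_login_attempt(policy, acct, True, t0 + timedelta(minutes=10))
    t_after = t0 + timedelta(minutes=31)
    after_lock = record_login_attempt(policy, acct, True, t_after)
    idle = UserAccount("idle", password_changed_at=t0,
                       last_login_at=t0 - timedelta(days=91))
    return {"attempts": attempts, "during_lock": during_lock, "after_lock": after_lock,
            "must_change": must_change_password(policy, acct, t_after),
            "stale": marked_for_deletion(policy, acct, t_after),
            "idle_stale": marked_for_deletion(policy, idle, t0)}
```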
Managing Sessions
On occasion, it may be necessary to log off other user sessions. To do this, perform the
following steps:
1.
Click the Console tab, expand the Management tree and click Sessions. The Sessions
page displays.
2.
When more than one session is active, a checkbox is displayed next to each row. Select
the check box of each user to log off and click End selected sessions.
The selected users are logged off.
Agents
The Agents page provides information for the SonicWALL GMS primary and backup agent
servers that are managing the SonicWALL appliances. This page lists the IP address and status
of each agent server, the IP address and password of the GMS gateway for each agent server,
and the number of firewalls under SonicWALL GMS management. You can also schedule all
the tasks for each agent server to be executed during a specified time period.
Note
You can also use this page to remove agents, but an agent cannot be removed while it is managing any firewalls.
Note
1. Click the Console tab, expand the Management tree and click Agents. The Agents page displays.
2. The summary section displays the number of installed and running agents. Select the IP address of the Agent you want to view from the Agent IP list box. The Agent Name field displays the name of the selected Agent.
3. To specify when tasks can run, select the start time from the Daily At list box. The time is based on the SonicWALL appliance's local time.
4. For each agent server, the GMS Gateway IP address and password is displayed. If you change the GMS gateway IP address or password, you must also change the settings on this page.
5. To change the name of the GMS Gateway administrator for selected firmware/models, enter the name in the GMS Gateway Username field (default: admin).
6. To change the password used to log in as the GMS Gateway administrator, enter the password in the GMS Gateway Password field.
7. For each agent server, the Firewalls for Primary Management list box lists the SonicWALL appliances that are assigned to the agent server for primary management. The total number is also displayed.
8. For each agent server, the Firewalls for Standby Management list box lists the SonicWALL appliances that are assigned to the agent server for backup management. The total number is also displayed.
9. For each agent server, the Firewalls Under Active Management list box lists the SonicWALL appliances that are actively being managed by the agent server. The total number is also displayed.
10. When you are finished, click Update. The settings are changed. To clear the settings and
SNMP Managers
The SNMP Managers page enables you to specify SNMP Managers to which SonicWALL GMS
will send SNMP Traps.
1. Click the Console tab, expand the Management tree and click SNMP Managers. The SNMP Managers page displays.
2. Select the IP address and port of the SNMP Manager from the SNMP Manager IP/Port fields.
3. Specify the IP addresses of SNMP Hosts to which traps will be forwarded in the SNMP Host to forward traps to fields.
4. To enable trap forwarding, select the Enable SNMP Trap Forwarding check box.
5. To enable trap email, select the Enable SNMP Trap Email check box.
6. When you are finished, click Update. The settings are changed. To clear the settings and start over, click Reset.
Inheritance Filters
The Inheritance Filters page specifies which settings are inherited from the group when adding
a new SonicWALL appliance.
To configure the SNMP Inheritance Filter page, perform the following steps:
1. Click the Console tab, expand the Management tree and click Inheritance Filters. The Inheritance Filter page displays.
2. To edit an existing filter, select the filter from the Select Filter list box. To specify a new filter, select New Filter from the Select Filter pull-down menu and type a name in the Filter name field.
3. Select which page settings are inherited in the Inheritance Filter Detail section.
4. Select the type of access that is available to each SonicWALL GMS user group from the Access for each UserType section.
5. When you are finished, click Add for a new filter or click Update for an existing filter. The settings are changed. To clear the settings and start over, click Reset.
To configure the Message of the Day page, perform the following steps:
1. Click the Console tab, expand the Management tree and click Message of the Day. The Message of the Day page displays.
4. Select whether the message text will be displayed in plain text or HTML.
5. Select the start and end date of the message (default: current day).
6. When you are finished, click Update. The settings are changed.
7. Repeat this procedure for each group or user for which this message will be displayed.
CHAPTER 43
Managing Reports in the Console Panel
This section describes how to configure reporting settings on the Console panel. These include
how often the summary information is updated, the number of days that summary information
is stored, and the number of days that raw data is stored.
The following sections are included in this chapter:
Summarizer
This section contains the following subsections:
3. Click Update.
1. Click the Console tab, expand the Reports tree and click Summarizer. The CDP Summarizer page displays.
2. Under Reports Data Summarization Interval, important information about the Summarizer is displayed. Use the Summarize every pull-down lists to specify how often in hours and minutes the GMS Reporting Module should process syslog data and update summary information.
4. To specify the next summarization time, enter a date in the form mm/dd/yyyy in the Next Scheduled Run Time field, and select the hour and minute values from the pull-down lists.
6. To update the summary information now, click the Summarize Now button.
SonicWALL GMS will automatically process the latest information and make it available for
immediate viewing.
This will not affect the normally scheduled summarization updates on the GMS Agent.
For more information about using and verifying the Summarize Now option, see the Using
Summarize Now section on page 804.
Using Summarize Now
1. Click the Console tab, expand the Reports tree and click Summarizer. Click the Summarize Now button to summarize data immediately.
2. You will see a pop-up window verifying that you want to summarize the data now. Summarizing data using Summarize Now is a one-time action and will not affect the scheduled summary. Click OK to continue.
3. To verify summarization, navigate to Log > View Log in the center pane. Search for the message Report Data Summarized to verify that the Summarize Now action has completed.
4. When Summarize Now has completed, click the Reports tab. In the left-most pane, click GlobalView, then click a group or a managed appliance.
You may see incomplete data if you view the Summary section of a selected report before the Summarize Now process is complete. Wait for the Report Data Summarized message to be displayed in Log > View Log.
5. In the center pane, click a report to expand it, then click the Summary option underneath it. For example, click Capacity, then click Summary to review the summarized CDP capacity usage data.
6. Navigate to the Summary section of other reports in the center pane to see other summarized data.
Tip
Run your database maintenance jobs soon after the completion of the scheduled tasks
configured on this page for summarizing data and deleting old syslog data.
To configure the syslog and summarized data deletion settings, perform the following:
2. Under Data Deletion Schedule, select the day and time for deletion in the hour and minute widget. Syslog data will be deleted at this time only after being stored for the number of days configured. You specify how long to keep the data in Data Storage Configuration. This field allows you to specify the data address of the Summarizer, how long to keep reporting data (in months), and how long to keep the raw syslog data (in months).
The Syslog Exclusion Filters function in a manner similar to applying an exclusion filter to
a single Firewall or SRA appliance, but are applied to all GMS appliances, or all appliances
in a Firewall or SRA group.
3. Select the syslog field name, and an operator and value, for the field you wish to exclude. Then select the level of Deployment: Appliance, Agent, or full Deployment.
If you select Appliance, you will be prompted for the type of appliance: Firewall, SRA, or CDP. If you select Agent, you will be prompted to select from a list of SGMS agents.
4. Click Update.
You can also click on the pencil in the Configure column to edit an existing filter setting. If
no values appear in the Configure column, the filter is a default system filter. These defaults
cannot be configured or deleted.
Syslogs are stored in the database without filtering, so the filters in the Syslog Exclusion
Filter apply only to values displayed in Reports.
Email/Archive
The Console > Reports > Email/Archive page provides global options for setting the time and
interval for emailing/archiving scheduled reports, and global settings for the Web server, logo,
and PDF sorting options.
1. Click the Console tab, expand the Reports tree and click Email/Archive. The Email/Archive page displays.
2. To set the next archive time, enter the date and time in the Next Scheduled Email/Archive Time fields and click Update.
3. To specify the day to send weekly reports, select the day from the Send Weekly Reports Every list box and click Update.
4. To specify the date to send monthly reports, select the date from the Send Monthly Reports Every list box and click Update.
5. If the Web server address, port, or protocol has changed since SonicWALL GMS was installed, the new values will automatically appear in the Email/Archive Configuration section. These settings can be modified on the System Interface, and cannot be modified here.
6. Under Logo Settings, you can select a logo to be used on reports. By default, the SonicWALL logo is used. To select another logo, click Browse next to the Logo File field or type the path and filename into the field, and then click Update.
7. Under Storage Configuration, select how many days to store Universal Scheduled Reports (USR), then click Update.
USR schedules are managed under the Dashboard Tab. For more information on USR
scheduling, refer to the Using the Universal Scheduled Reports Application section on
page 58.
Note
High-traffic systems can generate reports that consume large amounts of memory, disk
space and CPU time. Set your Number of Days to Archive and Scheduled Archive Time
accordingly.
Managing Legacy Reports
Step 1
Create a new User or Administrator login. An Administrator login (with a name like Admin_Legacy) is recommended, as this login will have full privileges. For more information on configuring Legacy reports for a new user, refer to the Console Management section.
Step 2
Log into the Management > Users > Action Permissions tab.
Step 3
Select the Show Legacy (pre GMS 7.0) Reports check box.
Note
This check box is only available if Analyzer 6.0 Reports exist in the system.
Step 4
Log out, then log back in using the new login created in Step 1.
If Legacy Reports are no longer needed, you can delete them.
Step 2
Under the Data Deletion Schedule, you will see a box for Delete 6.0 Reporting Data Immediately. Click Delete to delete the Legacy reports.
Note
If you delete pre-7.0 reporting data, the Legacy data checkboxes under the Action Permissions and Summarizer tabs will no longer be available, going forward.
CHAPTER 44
Using Diagnostics
This chapter describes the diagnostic information that GMS/Analyzer provides, including log settings for debugging, system snapshots for troubleshooting, and summarizer status information.
This chapter includes the following sections:
Warning
The Debug Log Settings are intended for use only under the direction of SonicWALL
Tech Support.
1. Click the Console tab, expand the Diagnostics tree and click Debug Log Settings. The Debug Log Settings page displays.
2. Select the amount of debug information that is stored from the System Debug Level field. For no debugging, enter 0. For verbose debugging, enter 3.
3. Select a debug setting from the Custom Settings list, and check the Enable Current Custom Setting checkbox to enable it. If there is not a custom setting that meets your needs, select New Custom Setting.
The custom debug settings control the selections in the Custom Settings Detail and Qualification Type sections of this page. Custom settings can be useful to repeat the same debug runs after making changes elsewhere in the product to monitor the effect of those changes.
4. If you selected New Custom Setting or you need to modify the current custom setting, configure the Custom Setting Detail section:
Custom Setting Name: Enter the name for the new custom setting.
Event Class: Select whether you want to monitor DEBUG, APPLICATION, or INTERNAL events.
Event Type: Select the specific type of event you want to monitor within the Event Class you selected. SonicWALL Technical Support can help you understand the names of the event types.
Destination File Name: Enter a name for the file where your debug information will be written.
occurs.
5. Click Select Qualification List to select a list of Java classes in the GMS code in which to monitor debug symbols.
The Qualification List is a list of Java classes. When you select Java classes in this list, the debug process monitors only the debug symbols in the Java classes you selected. Leave the list blank (it will display None) to monitor debug symbols for all classes.
6. In the Qualification Names window, select the Java packages you want to debug. You can include or exclude specific Java classes by entering their full package and class names in the Included Class File Name and Excluded Class File Name fields.
7. Click Update to accept your selections and close the window. You can clear your selections by clicking Reset.
Request Snapshot
In order for a technical support representative to troubleshoot a problem, you might be asked to take a snapshot of
SonicWALL GMS or you might want to view the configuration yourself.
Performing a System Snapshot
A system snapshot provides detailed information about SonicWALL GMS, the SonicWALL GMS database, the system environment, licensing, and firewalls. This information includes:
Environment information
CLASSPATH, PATH variables
Web server listening port (Console only)
Country
Language
Operating System
IP Address
MAC Address
Machine data (memory size, etc.)
1. Click the Console tab, expand the Diagnostics tree and click Request Snapshot. The Request Snapshot page displays.
3. To take a snapshot of one or more SonicWALL GMS agents, select the Agent check box(es).
Snapshot Status
Viewing the Snapshot or Diagnostics
To view a snapshot or SonicWALL diagnostics, perform the following steps:
1. Click the Console tab, expand the Diagnostics tree and click Snapshot Status. The Snapshot Status page displays.
2. Select the snapshot or diagnostics that you want to view from the Diagnostics requested list box.
4. To save the information to a file that you can send to technical support, click Save Snapshot Data.
Summarizer Status
The Summarizer Status page displays overall summarizer utilization information for the
deployment including database and syslog file statistics, and details on the current status of
each summarizer.
The Summarizer Status screen provides performance metrics for your network administrator to plan, design, and expand your GMS server deployment. This feature has information on the Syslog Collector and Summarizer metrics. The Summarizer metrics are available only for GMS deployments that have Distributed Summarizer enabled. The metrics are available for the past 24 hours, past seven days, and past 30 days.
These metrics are reset (to zero), every 24 hours for daily metrics, every seven days for weekly
metrics, and every 30 days for monthly metrics. Weekly metrics are not shown unless the data
collection for weekly metrics started earlier than the daily metrics. Similarly, monthly metrics are
not shown unless data collection for monthly metrics started earlier than for daily and weekly
metrics. GMS will not display metrics for a component if the daily statistics collection started
more than 26 hours earlier. This generally indicates that the component is not active.
You can receive alert emails when Summarizer Status shows any abnormalities.
To reach the Summarizer Status screen, navigate to the Console panel of GMS and then to
Diagnostics > Summarizer Status.
The Summarizer Status page is divided into a section showing the overall deployment-wide
summarizer status and sections with details for each summarizer. See the following sections:
Summarizer Utilization
The top Summarizer Utilization section shows the average utilization of the summarizer over
the applicable time period. The Dial Charts show the percent of total capacity used by the
Syslog Collector or the Summarizer. The following metrics are also displayed in the
Summarizer Utilization section:
Total Run Time: Total amount of time spent generating summarization statistical data and
results over the applicable time period.
Number of Syslogs Received: Total number of syslogs received by the Summarizer over the
applicable time period.
Note
Not all syslogs are summarized; some syslogs, such as heartbeat messages, are ignored. When Web Event Consolidation/Home Port Reporting is enabled, several syslogs may be ignored or, alternatively, consolidated into a single syslog. If your appliance is managed by a different Agent, the results are not summarized here.
Number of Syslogs Summarized: Total number of syslogs summarized over the applicable time period.
Average Syslogs Summarized per Minute: Average number of syslogs summarized per minute over the applicable time period.
Estimated Unused Capacity in Syslogs: The estimated remaining capacity of the summarizer
in terms of the number of syslogs it can summarize, based on the time taken and number of
syslogs summarized over the applicable time period. This number does not include the
discarded syslogs.
Tip
Usage Example: For this example, let's assume that the syslogs summarized per minute on a system is 18,108, and the average number of syslogs received on that system is 91 per firewall, per minute. Divide the number of syslogs per minute (18,108) by the number of syslogs per appliance per minute (91). This yields an estimate of 198 security appliances, assuming that the current appliances are a fair sample of the security appliances on your network.
This simple math gives a reasonable estimate of the total number of security appliances this system should be able to handle, assuming that the Summarizer was to constantly summarize 24 hours (as in the case of a dedicated Summarizer).
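The Usage Example above, carried through as an added Python example (not GMS code) that also derives the other Summarizer Utilization figures and applies the display rules for daily, weekly and monthly metrics. The formulas for the rate and for the unused capacity are assumptions, since the page only states what those figures are based on.

```python
# Capacity planning from Summarizer Status metrics (added example, not GMS code).
# Assumptions, since the page only says what the figures are based on: time is in
# minutes, the rate is Number of Syslogs Summarized / Total Run Time, and unused
# capacity is that rate applied to the idle part of the period.

def summarizer_capacity(period_minutes, run_time_minutes, syslogs_summarized,
                        syslogs_per_appliance_per_minute):
    """Derive the Summarizer Utilization figures and the appliance estimate from the Tip."""
    if not 0 < run_time_minutes <= period_minutes or syslogs_per_appliance_per_minute <= 0:
        raise ValueError("run time must fit the period; per-appliance rate must be positive")
    rate = syslogs_summarized / run_time_minutes        # Average Syslogs Summarized per Minute
    idle = period_minutes - run_time_minutes            # time the Summarizer was not running
    return {
        "utilization_pct": round(100 * run_time_minutes / period_minutes, 1),  # dial chart
        "syslogs_per_minute": round(rate),
        "unused_capacity_syslogs": round(rate * idle),  # Estimated Unused Capacity in Syslogs
        # The Tip's arithmetic: 18,108 / 91 -> 198 appliances, assuming the Summarizer
        # could summarize around the clock (dedicated Summarizer) and a fair sample.
        "max_appliances_dedicated": int(rate // syslogs_per_appliance_per_minute),
    }

def visible_periods(hours_since_daily_start, hours_since_weekly_start=None,
                    hours_since_monthly_start=None):
    """Apply the display rules: a daily collection older than 26 h hides the component;
    weekly shows only if it started before daily; monthly only if before both."""
    daily = hours_since_daily_start <= 26
    weekly = (daily and hours_since_weekly_start is not None
              and hours_since_weekly_start > hours_since_daily_start)
    monthly = (daily and hours_since_monthly_start is not None
               and hours_since_monthly_start > hours_since_daily_start
               and (hours_since_weekly_start is None
                    or hours_since_monthly_start > hours_since_weekly_start))
    return {"daily": daily, "weekly": weekly, "monthly": monthly}

# Constructed sample: a 24-hour period in which the Summarizer ran for 10 hours and
# summarized 10,864,800 syslogs, with 91 syslogs per appliance per minute as in the Tip.
SAMPLE = summarizer_capacity(24 * 60, 10 * 60, 10_864_800, 91)
```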
File Stats: The number of syslog files in the category and their size in Megabytes.
Oldest: The date and time on the oldest file in the category.
If the summarizer is currently running, the page displays the thread, appliance identifier, file
being used, and state of the summarizer.
If the summarizer is currently idle, the page displays the last run time and next run time.
CHAPTER 45
Granular Event Management
This chapter describes how to configure and use the Granular Event Management (GEM)
feature in a GMS environment.
This chapter contains the following sections:
Thresholds: A threshold defines the condition that must be matched to trigger an event and send an alert. Each threshold is associated with a Severity to tag the generated alert as critical, warning, or another value. You must define a threshold prior to creating an alert that uses it.
One or more threshold elements are defined within a threshold. Each threshold element
includes an Operator, a Value, and a Severity. When a value is received for an alert type,
the GEM framework examines threshold elements to find a match for the specified
condition. If a match is found (one or more conditions match), the threshold with the highest
severity containing a matching element is used to trigger an event.
Schedules: You can use Schedules to specify the day(s) and time (intervals) in which to
send an alert. You can also invert a schedule, which means that the schedule is the
opposite of the time specified in it. For example:
Send an alert during weekdays only, or weekends only, or only during business hours.
Do not send an alert during a time period when the unit, network, or database are down
for maintenance.
Destinations: You can use Destinations to define where the alerts are sent. The
destination(s) for an alert are specified in the Add Alert or Edit Alert screen. You can specify
up to five destinations for an alert, such as multiple email addresses. For example:
Send an alert to the Unit owner all the time.
Send an alert to a GMS user during business hours.
Send an alert to the admin also during non-business hours for immediate attention.
Alert types: Alert Types are pre-defined, static parameters and are not customizable. Alert
types are used with threshold elements that define conditions that can trigger an event.
Some example alert types are:
Unit Up-Down Alert type
VPN SA is UP-Down, Enable-Disable
Severities - You can use the pre-defined defaults or create your own Severities.
Thresholds - You can use the pre-defined defaults or create your own thresholds.
Schedules - You can use the pre-defined defaults or create your own Schedules.
These can be configured in the Console > Events screens. After you configure these elements
in Console > Events, you can also create alerts in the Firewall, SRA, CDP, and ES Tabs.
The Super Admin (admin@LocalDomain) user is able to add a new Severity, Threshold,
Schedule, Schedule Group, or Alert into any domain. Other administrative users may only
create/edit objects within their own domain.
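The threshold matching, schedule inversion, disable flags and five-destination limit described above, modelled as an added Python example (not GMS code). The operator set, the ranking of severities by their Sequence number, and the weekday/hour form of a schedule are assumptions made for the model.

```python
# Model of the GEM rules described above (added example, not SonicWALL GMS code).
# Assumptions: severities rank by Sequence number (1 = most important, as on the
# Events > Severity screen); operators are a fixed set; a schedule maps weekday
# (0 = Monday) -> [(start_hour, end_hour)] and Invert flips the result.
from dataclasses import dataclass
from datetime import datetime
import operator

OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "==": operator.eq, "!=": operator.ne}
MAX_DESTINATIONS = 5  # GMS allows up to five destinations per alert

@dataclass(frozen=True)
class Severity:
    name: str
    sequence: int  # lower number = more important

@dataclass
class ThresholdElement:
    op: str
    value: float
    severity: Severity
    disabled: bool = False  # Disable check box on the element

    def matches(self, observed):
        return not self.disabled and OPERATORS[self.op](observed, self.value)

@dataclass
class Threshold:
    name: str
    elements: list
    disabled: bool = False  # disabling the threshold disables all its elements

    def best_match(self, observed):
        """Highest-severity element whose condition matches, or None."""
        if self.disabled:
            return None
        hits = [e for e in self.elements if e.matches(observed)]
        return min(hits, key=lambda e: e.severity.sequence, default=None)

@dataclass
class Schedule:
    name: str
    intervals: dict  # weekday -> list of (start, end) hours
    invert: bool = False  # "off during the dates and times that you specify"

    def active(self, when):
        inside = any(start <= when.hour < end
                     for start, end in self.intervals.get(when.weekday(), []))
        return inside != self.invert

@dataclass
class Alert:
    name: str
    alert_type: str
    threshold: Threshold
    destinations: list  # list of (destination, Schedule) pairs
    disabled: bool = False

    def __post_init__(self):
        if len(self.destinations) > MAX_DESTINATIONS:
            raise ValueError("at most five destinations per alert")

    def evaluate(self, observed, when):
        """Return (severity name, destinations to notify now) or None if no event."""
        if self.disabled:
            return None
        hit = self.threshold.best_match(observed)
        if hit is None:
            return None
        return hit.severity.name, [d for d, s in self.destinations if s.active(when)]

def build_sample():
    """Constructed sample: a CPU Status alert using the three default severities."""
    info, warn, crit = Severity("Information", 3), Severity("Warning", 2), Severity("Critical", 1)
    cpu = Threshold("CPU Busy", [
        ThresholdElement(">", 70, warn),
        ThresholdElement(">", 90, crit),
        ThresholdElement("<", 0, info, disabled=True),  # disabled: never matches
    ])
    always = Schedule("24x7", {d: [(0, 24)] for d in range(7)})
    business = Schedule("8x5", {d: [(8, 17)] for d in range(5)})
    off_hours = Schedule("8x5 inverted", business.intervals, invert=True)
    return Alert("CPU alert", "CPU Status", cpu, [
        ("owner@example.com", always),     # unit owner, all the time
        ("ops@example.com", business),     # GMS user during business hours
        ("admin@example.com", off_hours),  # admin outside business hours
    ])

def run_sample():
    """Evaluate three constructed observations (2012-01-02 is a Monday, 01-07 a Saturday)."""
    alert = build_sample()
    return {
        "critical_business_hours": alert.evaluate(95, datetime(2012, 1, 2, 10)),
        "warning_weekend_night": alert.evaluate(75, datetime(2012, 1, 7, 3)),
        "no_event": alert.evaluate(50, datetime(2012, 1, 2, 10)),
    }
```

Call run_sample() to see which severity and which destinations each observation produces.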
The GEM process flow is illustrated below. As you can see, you begin by configuring Severities
and end with creating Alerts.
Benefits
Granular Event Management offers a significant improvement in control over the way different
events are handled. You now have more flexibility when deciding where and when to send
alerts, and you can configure event thresholds, severities, schedules, and alerts from a
centralized location in the management interface rather than configuring these on a per-unit
basis.
Default GEM objects (Panel: Console)
Severities: Information, Warning, Critical
Schedule Groups: 24x7, Weekdays 24 hours, 8x5, Weekend
Schedules: Database Backup, Monday 24 hours, Tuesday 24 hours, Wednesday 24 hours, Thursday 24 hours
Schedule: admin
About Alerts
The Events > Alert Settings screens are available in the Console, Firewall, SRA, CDP, and
ES panels. You can create and edit alerts on these screens. In the alert settings screens, you
can combine all of the previous elements (severity, threshold, and schedule) that you have
configured in the Console panel.
The GEM framework provides different types of alert types for the respective areas of the GMS
application:
Panel location: Console, Reports, Policies
Alert types: Unit HF Status, Unit Locally Changed, Unit Status, Unit WAN Status, VPN Tunnel Status, Agent Quota Reached, Agent Unsuccessful Backups, Appliance Capacity Status, CPU Status, Offsite Capacity Status
Duplicate Alerts
Duplicate alerts are allowed in GMS. A duplicate alert uses the same alert type that is already
used in an existing alert. You do not need to create a duplicate alert if you want to add to or
change an existing alert. Normally, you would avoid creating a duplicate alert by editing an
existing alert to add another threshold element, destination, or other component. For example,
you can have two or more threshold elements in the same alert to trigger under different
conditions.
At times there are benefits to creating a duplicate alert. As an example, only five destinations
are allowed per alert, so a duplicate alert could include additional destinations. Or, you could
create a duplicate alert that sends SNMP traps while the original alert sends email notifications.
Also, if a threshold is being shared and you do not want to modify it, you can create a separate
threshold and use it in a duplicate alert.
GMS displays a warning when you try to create a duplicate alert. The warning serves as a
reminder in case you forget that an alert already exists using the same alert type.
Note
Duplicate alerts use more resources from the alerting agent, but do not have a large impact
on performance. You will receive two alert emails instead of one if the destinations are
identical.
Email Alert Format, such as HTML (the default), text, or text for a pager
2. Under Email Alert Format Preferences, select whether the email alert will be sent as HTML, Plain Text, or Plain Text (Simple). The Simple setting sends a very short email to ensure that the email is not cut off by character limits.
To assist in your decision for choosing a type of alert format, refer to the Email Alert Formats section on page 842 to view the appearance of the types of Email Alert Format Preferences.
3. Click Update.
1. On the Console panel, navigate to the Events > Severity screen. On this screen, you can re-sequence the severities in importance by entering a severity sequence number in each field.
2. Click Update.
To add a new severity level, click Add Severity.
3. In the Add Severity dialog box, type a name for the new severity level in the Name field. The Domain pull-down list is only available for a Super Admin.
4. Choose the color associated with this severity level by selecting a color from the Color Chooser dialog. You can see a preview of the color you selected in the Preview field.
5. Click Update.
6. In the Console > Events > Severity screen, assign the level for the new severity you created by changing the numbering in the Sequence column of the Severity table.
7. Click Update.
3. To delete severities, select the check box for each severity you wish to delete, then click the Update button. You can also click the Delete icon in the Edit column to delete a single severity.
Note
Deleting a Severity that is in use is not permitted. A warning message displays when this action is performed.
3. In the Add Threshold dialog box, provide a name for the threshold value in the Name field.
4. Select the Visible to Non-Administrators check box if you want the threshold to be visible to non-administrators. If this is selected, anyone can view the threshold elements and use the threshold in customized reports.
Note
If Visible to Non-Administrators is unchecked, only users from the Administrator group or the threshold creator will be able to view, use, edit, and delete the threshold. Whether this is selected or not, only the users from the Administrator group and the threshold creator will be able to edit or delete this object.
5. Click Update.
7. The Disable check box allows you to temporarily disable the threshold without deleting it. Select the Disable check box if you want to disable the threshold. For more information about the enabling and disabling feature, see the Enabling/Disabling Thresholds and Threshold Elements section on page 833.
8. Click Update.
2. The Edit Threshold window will display. In this window, you can edit the name of your threshold as well as allow this threshold to be visible to non-administrators. For more information on the visible to non-administrators feature, see the Adding a Custom Threshold section on page 830.
3. Click Update.
Some alerts created by certain Alert Types contain predefined Thresholds that may not be
edited. Alert Types: Unit HF Status, Unit WAN Status, Unit Locally Changed, and Thresholds
with the same name in the Console Panel.
2. In the Operator field, select from the drop-down menu the type of operator to apply to your threshold element.
3. In the Value field, enter the value for your threshold element.
4. In the Description field, enter the description for your threshold element.
5. In the Severity field, select the severity priority from the drop-down menu. These are color coded for your easy reference on the Events > Threshold screen.
6. To disable the threshold element, click the Disable check box. See the Enabling/Disabling Thresholds and Threshold Elements section on page 833.
7. Click Update.
1. On the Console panel, navigate to the Events > Threshold screen. On this screen, you are able to view existing Thresholds. You can also view existing elements within those thresholds by clicking the expand button by a threshold. You have the following two options for the enabling/disabling feature:
You can enable or disable a Threshold by disabling/enabling all the elements that exist within it.
that is on the
3. Select the Disable checkbox to disable the element or de-select the Disable checkbox to enable the element.
4. Click Update.
1. On the Events > Threshold screen, optionally expand the threshold to view the individual elements.
2. To delete a threshold, click the checkbox to the left of the threshold name. You will see that its elements are automatically selected as well.
Note
Deleting a Threshold that is in use is not permitted. A warning message displays when this action is performed.
4. When you have finished with your selections, click the Delete Threshold(s)/Element(s) button.
3. In the Domain field, click the pull-down list and select a name. This function is for Super Admins only.
5. Select the Visible to Non-Administrators check box if you want the schedule to be visible and usable by non-administrators.
7. Click Invert to create a schedule that is off during the dates and times that you specify.
8. In the Schedule field, you can create one or more schedules. For each schedule, configure either:
One Time Occurrence
Recurrence
9. Click Add to add this schedule to the Schedule List text box.
10. To delete an entry from the Schedule List text box, select the entry that you want to delete, and then click Delete. Click Delete All to delete all entries.
1. On the Events > Schedule screen, click the Add Schedule Group button.
4. Click the Visible to Non-Administrators check box to allow this schedule group to be viewed and used by non-administrators.
5. Click the Disable check box to temporarily disable the schedule group.
6. In the Schedules field, select the schedule(s) to add to your schedule group, and then use the arrow buttons to move the selected schedule into or out of the group. To move multiple schedule groups and/or schedules all at once, hold the CTRL button on your keyboard while making your selections.
7. Click Update.
Note
Deleting a Schedule or Schedule Group that is in use is not permitted. A warning message
displays when this action is performed.
To delete an event schedule, schedule group, or remove a schedule from a schedule group:
2. Click the check boxes of the schedule groups or schedules that you want deleted. When you click the schedule group check box, the schedules within that schedule group will be deleted as well.
3. To remove a schedule from a schedule group, click the expand button on the schedule group, and select the schedules you wish to remove within that group.
4. To delete the selected schedule group(s) or remove the selected schedules from a group, click the Delete Schedule Group(s)/Remove Schedules from Group button.
Add Alert
In the Add Alert panel you can enter an alert name and description, select the options for visible
to non-administrators and disable, and enter the polling interval. Perform the following steps to
add an alert:
4. Enable the Visible to Non-Administrators checkbox if you want your Alert to be visible to non-administrators.
Alert Type
In the Alert Type panel you can select an alert type from the provided list and view the
definitions of each alert type. Perform the following steps to configure an Alert Type:
1. Click the Alert Type pull-down list and select an alert type.
Note
When an alert type is selected, a description for that alert is displayed in the Alert Type panel.
Most of the Alert Types require you to edit content. Editing Contents allows the user to pick additional info, in a granular fashion, on which the alerting has to be performed.
2. Click the Edit Content link. The Edit Contents for Alert Type Unit Status pop-up window displays.
Note
If you select another Alert Type before you click Update in the Add Alert dialog box, or if you click Reset, you lose the on-the-fly Threshold that you created and the Edit Content status becomes Not Edited.
4. Click the Update button. To reset the settings, click the Reset button.
Destination / Schedule
In the Destination / Schedule panel you can add up to 5 destinations and set a schedule for
each. Perform the following steps to add a destination and set a schedule:
1. Click the Add Destination link under the Destination/Schedule section. The Destination
field designates where you want alerts to be sent. You can add a maximum of five
destinations.
2. Click the Schedule pull-down list, then select a schedule type. The Schedule field
designates how frequently alerts are sent to the destination(s).
3.
Enabling/Disabling Alerts
Perform the following steps to enable and disable an alert:
Enabling an Alert
1.
2. Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
enable/disable.
Disabling an Alert
1.
2. Click the Enable/Disable Alert(s) link. A confirmation window will display. Click OK to
enable/disable.
Deleting Alerts
Perform the following steps to delete an alert:
1.
2.
3. Click OK to delete.
You can also delete an alert by clicking the Delete icon under the Configure section of the
alert you wish to delete.
Editing Alerts
Once an alert is created, you can go back and edit it at any time. Perform the following steps
to edit an alert:
1.
2. Refer to the Add Alert section and follow the configuration procedures to edit your existing
Alert.
CHAPTER 46
Managing Licenses
This chapter provides information about GMS licensing, registration, upgrading to new
versions, and applying software patches.
This chapter includes the following sections:
GMS License
The following sections describe how to manage GMS licenses:
1. Click the Console Panel tab, expand the Licenses tree and click Manage Licenses. The
product License Summary page displays. If prompted to log in, enter your mysonicwall.com
user name and password before continuing.
2. Enter the activation code in the Activation Code field and click Upgrade.
The License Type will change to Retail License and the Current Nodes Allowed will change from
10 to 25.
2. Enter the demo upgrade activation code and click Update. The Login displays and the
license is upgraded.
Product Licenses
The Product Licenses page allows the user to view, upload, and manage licenses and
subscriptions for this GMS installation.
License Summary
View license details on the Licenses > Product Licenses page, under the License section.
This section allows you to view the following information about security services and support
services:
Status: Displays whether the product is licensed or not licensed.
Count: Displays the remaining number of licenses for this service.
Expiration: Displays the expiration date of the service (if applicable).
This section allows you to view a summary of information about any subscriptions which carry
an expiration date.
Managing Licenses
This feature allows licenses to be managed through your MySonicWALL.com account.
To manage licenses:
1. In the Console panel, navigate to the Licenses > Product Licenses page.
2. Click the Manage Licenses button. The MySonicWALL login page displays.
3.
Refreshing Licenses
This feature allows the administrator to synchronize GMS with the MySonicWALL license
server. Synchronization is useful if you have recently purchased new licenses, and these
licenses are not yet appearing in the summary page.
To refresh licenses:
1. In the Console panel, navigate to the Licenses > Product Licenses page.
2. Click the Refresh Licenses button. The License Summary page displays a message, and
the date of last contact changes to reflect this.
To upload licenses:
1. In the Console panel, navigate to the Licenses > Product Licenses page.
2. Click the Upload Licenses button. The Upload Licenses page displays.
3. Click the Browse... button to search for your locally stored license file.
License files for manual updates are available for download through your MySonicWALL
account.
4.
SonicWALL Upgrades
This section describes the procedures for upgrading SonicWALL appliances. This functionality
includes adding nodes, content filter subscriptions, VPN functionality, VPN clients, anti-virus
licenses, and more.
When a SonicWALL GMS subscription service (for example, warranty support, anti-virus, or
content filtering) is about to expire, the GMS administrator receives expiration notifications by
email prior to the expiration. The email notification is sent once a day (if applicable) and lists
all managed SonicWALL appliances with expiring subscription services.
To upgrade SonicWALL appliances, complete the following procedures:
1.
2.
3.
Technical support, advanced-exchange hardware replacement and firmware updates for all
of the units under GMS management
Comprehensive GMS Support is sold in increments of 25, 100, and 1,000 nodes and is
available in both 8X5 and 24X7 versions. The nodes can be any combination of SonicWALL
firewall appliances or SRA nodes. Currently CDP and SonicWALL Email Security are not
included in CGS packages.
Purchasing Upgrades
To purchase upgrades, perform the following steps:
1. Contact your SonicWALL sales representative. You will receive an activation code for each
upgrade that you purchase.
2. After receiving the activation codes for the SonicWALL upgrades, continue to the next
section.
1. Click the Console tab, expand the Licenses tree and click Activation Codes. The
SonicWALL Activation Codes page displays.
2. To manually add one or more activation codes, in the Activation Code (manual) field,
enter a list of activation codes separated by semicolons.
3.
4. To delete activation codes, select one or more codes under the Delete Activation Codes
section and click the Delete Activation Code(s) button.
5. To add a large number of activation codes from a file, type the file name into the Activation
Code (file-based) field, or click Browse to select the file. Then, click Add Activation Code(s)
and follow the on-screen prompts.
The file can contain multiple activation codes; each line in the file holds a single activation
code. Once the operation is completed, the Console > Logs screen has more detailed
information on the success/failure of individual activation codes that were provided in the
file. A sample file is as follows, which lists activation codes one per line:
SBRG4827
AGTRUY56
GFKJASLJ
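The two input forms above (one code per line in the file-based field, semicolons in the manual field) are easy to get subtly wrong: blank lines, stray whitespace, a code pasted twice, or a semicolon-separated list dropped into the file field. As an added example that is not from the guide or from SonicWALL, the following Python normalizes both forms and reports blanks, duplicates and malformed entries before anything is submitted, so the Console > Logs check afterwards is only for genuine activation failures. The three codes are the page's sample; the extra input lines, the sanity pattern for a code and the function name are constructed assumptions, since the real activation-code format is not documented on the page.

```python
import re

# Constructed sample inputs. The first three codes are the guide's sample file;
# the blank line, indented line, repeat and junk token are added to exercise the checks.
SAMPLE_FILE = """SBRG4827
AGTRUY56

 GFKJASLJ
AGTRUY56
bad code!
"""
SAMPLE_MANUAL = "SBRG4827; AGTRUY56;GFKJASLJ;;"

# Assumption: a code is a short run of uppercase letters and digits, as in the sample.
# The real format is not on the page, so this is a sanity filter, not validation.
CODE_RE = re.compile(r"^[A-Z0-9]{6,16}$")


def parse_activation_codes(text, source):
    """Return (codes, problems) for activation-code input.

    source="file":   one code per line (Activation Code (file-based) field).
    source="manual": codes separated by semicolons (Activation Code (manual) field).

    Blank entries are skipped silently. Duplicates are kept once and reported.
    Tokens failing the sanity pattern are reported and left out of `codes`.
    Each problem is (entry number, token, reason).
    """
    if source == "file":
        raw = text.splitlines()
    elif source == "manual":
        raw = text.split(";")
    else:
        raise ValueError("source must be 'file' or 'manual'")

    codes, seen, problems = [], set(), []
    for entry_no, token in enumerate(raw, start=1):
        code = token.strip()
        if not code:
            continue
        if not CODE_RE.match(code):
            problems.append((entry_no, code, "malformed"))
            continue
        if code in seen:
            problems.append((entry_no, code, "duplicate"))
            continue
        seen.add(code)
        codes.append(code)
    return codes, problems


if __name__ == "__main__":
    for label, text, source in (("file", SAMPLE_FILE, "file"),
                                ("manual", SAMPLE_MANUAL, "manual")):
        codes, problems = parse_activation_codes(text, source)
        print(f"{label}: {len(codes)} codes, {len(problems)} problems")
        for entry_no, token, reason in problems:
            print(f"  entry {entry_no}: {token!r} ({reason})")
```

Running the file form over the constructed sample yields the three codes and two problems (the repeated code and the junk line); the manual form yields the same three codes with no problems, because the empty entries from the trailing semicolons are skipped.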
CHAPTER 47
Web Services
This chapter provides information about the GMS Web Services feature. Web Services is a
software system designed to support interoperability between GMS and other network
appliances, servers, and devices through an application programming interface (API).
Web Services is located in the Console panel of the GMS management interface:
URI Basics
The URI is an HTTPS string which is used to identify Web Services resources. Each URI is
composed of both static and dynamic parts which differ based on each particular deployment.
The example URI below is annotated with its parts:
https://10.0.14.150/ws/screenAttributes/0001B123C45D/1003
https protocol: https://
Web Services application name: ws
Web Service name: screenAttributes
screen ID (dynamic): 1003
For more information on configuring and using GMS Web Services in your deployment,
download the GMS Web Services Technote at: <http://www.sonicwall.com/us/support.html>
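The URI anatomy above is worth checking in code when Web Services are integrated with other systems, because the static parts (HTTPS scheme, application name, service name) must be right before the dynamic parts mean anything. As an added example that is not from the guide or from SonicWALL, the following Python decomposes a Web Services URI into those parts, rejects anything that is not HTTPS (the page defines Web Services only over HTTPS), and builds a URI from a configured Public URI. It assumes that "ws" is the Web Services application name shown in the figure, that everything after the service name is dynamic, and that the 12-hex-digit segment is a unit identifier; the function names, the error class and the Public URI value are constructed.

```python
from urllib.parse import urlsplit

# The guide's example URI (the only real value in this block).
EXAMPLE_URI = "https://10.0.14.150/ws/screenAttributes/0001B123C45D/1003"


class WebServicesUriError(ValueError):
    """Raised when a URI does not have the shape of a GMS Web Services URI."""


def parse_ws_uri(uri, application="ws"):
    """Decompose a Web Services URI into its static and dynamic parts.

    Static parts (from the guide's figure): the https scheme, the Web Services
    application name (assumed to be "ws") and the Web Service name, e.g.
    screenAttributes. Everything after the service name is treated as dynamic;
    in the guide's example that is a 12-hex-digit unit identifier (assumption)
    and the screen ID. Non-HTTPS URIs are rejected rather than silently accepted.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise WebServicesUriError(f"scheme must be https, got {parts.scheme!r}")
    if not parts.hostname:
        raise WebServicesUriError("missing host")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or segments[0] != application:
        raise WebServicesUriError(f"path must start with /{application}/<service name>")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or 443,       # HTTPS default when the URI carries no port
        "application": segments[0],
        "service": segments[1],
        "dynamic": segments[2:],
    }


def build_ws_uri(public_uri, service, *dynamic, application="ws"):
    """Build a Web Services URI from the Public URI configured on the Settings
    screen plus a service name and dynamic segments, then re-parse it so a
    Public URI that is not HTTPS (or is malformed) fails here, not at call time."""
    base = public_uri.rstrip("/")
    uri = "/".join([base, application, service, *dynamic])
    parse_ws_uri(uri, application=application)
    return uri


if __name__ == "__main__":
    for key, value in parse_ws_uri(EXAMPLE_URI).items():
        print(f"{key:12} {value}")
    # Constructed Public URI; the host name is a placeholder, not a real deployment.
    print(build_ws_uri("https://gms.example.internal:8443", "screenAttributes",
                       "0001B123C45D", "1003"))
```

For the guide's example the parser reports host 10.0.14.150, port 443, application ws, service screenAttributes and the two dynamic segments; the same URI with an http scheme raises WebServicesUriError, which is the behaviour you want from any client that is handed a Public URI from configuration.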
Settings
The Settings screen allows configuration of a secure HTTPS Public URI for use with Web
Services features. The public URI specified here is used to access Web Services and to ensure
proper embedded cross-links between Web Services applications.
To configure Web Services Settings:
1. Navigate to the Web Services > Settings screen on the GMS Console panel.
2. Choose which deployment you wish to configure from the pull-down list in the GMS
Deployment section.
3. Enter the public server name and port in the Public URI section. This field is typically
pre-populated during the GMS install/setup process.
4.
Status
The status screen allows the administrator to view, enable, and disable individual Web Services
across one or more GMS deployments.
1. Navigate to the Web Services > Status screen on the GMS Console panel.
2. Select or deselect the Enabled checkbox for the service(s) you wish to enable or disable.
3.
4.
The Web Services table, in the Web Services > Status screen, gives the following
information about each Web Service: Enabled, Service, URI, and Description.
Distributed Instances
The distributed instances screen allows the administrator to enable and configure distributed
instances of GMS Web Services. The distributed instances feature is accessed through the
Web Services > Distributed Instances screen in the GMS Console tab.
The Distributed Instances table shows the following for each instance: Status, Serial Number,
Name, Hostname, Port, Username, Password, Edit Icon, Delete Icon.
1. Navigate to the Web Services > Distributed Instances screen in the GMS Console tab.
2. Select the Enable distributed instances checkbox to allow this instance of GMS Web
Services to interact with other instances.
3. Select the This is a central instance checkbox to designate this installation as the central
management point for Web Services across a distributed environment.
1. Navigate to the Web Services > Distributed Instances screen in the GMS Console tab.
2. Click the Add Distributed Instance link in the Distributed Interfaces section. The Add
Remote Interface window displays.
3.
4.
5. Enter the HTTPS port for the system you wish to add as an instance.
6.
7. Enter the Password for the username you specified in the previous step.
8.
9.
10. Click the Update button to add this instance and wait while the new instance is
CHAPTER 48
Using GMS Help
To access the GMS online help, click the blue help button in the GMS user interface.
About GMS
The Console > Help > About page displays the version of GMS being run, who the GMS is
licensed to, database information, and the serial number of the GMS.
1.
2. If available, click the Lightbulb icon in the upper right-hand corner of the window. Tips,
tutorials, and online help are displayed for this topic.
CHAPTER 49
UMH/UMA System Settings
This chapter describes how to configure the system settings that are available on the
SonicWALL UMH/UMA system pages.
Note
The UMA appliance and the GMS application both provide a system settings interface,
referred to as UMA for the appliance and UMH in GMS software deployments. In either
scenario, the switch icon is used to toggle between application and system interfaces.
This chapter includes the following sections:
Status
This section describes the UMH/UMA System > Status page, used to view general status of
the appliance hardware and licensed firmware.
Note
The UMA appliance and the GMS application both provide a system settings interface,
referred to as UMA for the appliance and UMH in GMS software deployments. In either
scenario, the switch icon is used to toggle between application and system interfaces.
The Status page displays the following items: Name, Serial Number, Version, License, Role,
Host Name / IP, Current Time, Operating System, CPU, Licenses, RAM, RAID Array (UMA only).
Licenses
This section describes the UMH/UMA System > Licenses page, used to view and manage
GMS and ViewPoint licenses.
The UMH System > Licenses page displays the following items: Security Service, Support
Service, Status, Count, Expiration.
In addition, you may also use the buttons on this screen to:
Time
This section describes the UMA appliance System > Time page, used to view and manage the
appliance date/time settings. This page is only available on the UMA appliance.
This page allows the administrator to set the following time and date settings:
Time in Hours/Minutes/Seconds
Time Zone from standard international time zones or coordinated universal time (UTC) for
deployments spanning multiple time zones.
The Set time automatically using NTP checkbox may be selected for auto-updated time
using standard time servers. Selecting this option causes the system to automatically
adjust for daylight savings time in time zones that recognize DST.
Administration
This section describes the UMH/UMA System > Administration page, used to manage basic
administrative settings.
The UMH System > Administration page contains the following settings: Host Settings,
Inactivity Timeout, and Administrator Password (Administrator Name, Current Password, New
Password, Confirm Password).
To change the administrator password, enter the Current Password in the appropriate field,
and then enter a New Password and confirm that password.
Click the Update button when you are finished making changes. Click Reset to return to default
settings.
Settings
This section describes the UMH/UMA System > Settings page, used to manage manual
software or firmware upgrades and, on the appliance, re-initialization of factory default settings.
The UMH System > Settings page is shown below:
On the UMH, this page displays the current version of SonicWALL GMS running on the system,
and provides a link to click for the history of upgrades on this system.
from your local drive. After uploading the software, click Apply to reboot the system
with the new version.
On the UMA, this page displays the current version of SonicWALL firmware running on the
appliance, and provides a link to click for the history of upgrades on this system.
This page also allows the administrator to:
Upgrade firmware by uploading a valid firmware image from your local drive.
SonicWALL approved service packs and hotfixes can also be installed through this
screen. After uploading the firmware, click Apply to reboot the appliance with the new
version.
Reinitialize the appliance to factory default settings by clicking the Reinitialize button.
This will remove any of your current settings on the appliance and re-image the UMA
with factory default settings. This option is only available for the UMA appliance.
Note
Please be patient while the process is taking place. This process can take up to 15 minutes.
Do NOT manually reset or cycle power to the device during this time.
Diagnostics
This section describes the UMH/UMA System > Diagnostics page, used to set the log debug
level, test connectivity to servers, and download system and log files.
The UMH System > Diagnostics page is shown below:
Debug Log Settings: Set the System Debug Level by selecting a value from the
pull-down list. Select 0 for no debug information in the logs, 1 or 2 for more debug
information, and 3 for maximum debug information. Click Update to apply your changes, or
click Reset to return to the default setting of 3.
Test Connectivity: Select one of the following options and then click Test to test
connectivity:
Database Connectivity: Test connectivity using the database parameters configured
License Manager Connectivity: Test connectivity with the host name that you type
SMTP Server Connectivity: Test connectivity using the SMTP server displayed here.
Download System/Log Files: You can generate a TSR and view or search log files in this
section:
For information about generating a TSR, see the Technical Support Report section on
page 866.
For information about viewing and searching log files, see the Logs and Syslogs section
on page 867.
File Manager
This section describes the UMA appliance System > File Manager page, used to view and
manage system files for an UMA appliance. This page is only available on the UMA appliance.
The File Manager feature provides a way to view the file system and export, delete, add, or
modify files without opening an SSH session to the appliance. You can select the folder to view
from the Select Folder pull-down list. To search for certain file names, enter search parameters
using regular expressions in the Search Filter field and then click the right arrow next to the
field.
This page allows the administrator to perform the following actions: Export, Delete, Add/Edit
(Upload).
1. Select checkboxes for multiple files, or click the Select All checkbox to choose all files.
2. Click the Export or Delete buttons on the bottom of the screen to perform these actions on
selected files.
Multiple files are exported as a .zip file. Be aware that files larger than 200MB may take a
large portion of your unit's bandwidth.
Backup/Restore
This section describes the UMA appliance System > Backup/Restore page, used to create or
restore a snapshot of configurations and data on your UMA appliance. This page is only
available on the UMA appliance.
The Manage Backups section allows you to download a Java-based UI tool wizard to schedule
backup snapshots to a remote location. This data export feature allows you to periodically
offload backup data and archived reports from your UMA appliance to an offsite client. Web
Services are used with this feature. See the Web Services chapter for more information about
Web Services. See the Data Export Wizard section on page 870 for information about using
the data export feature.
To create a local snapshot, select one from the Available Snapshots list and click the Download
Snapshot button. To restore a backup, the snapshot is uploaded to your local storage and then
used to restore data. Select one from the Available Snapshots list and click the Restore
Snapshot button.
The Immediate Backup/Restore section allows you to create a new snapshot file and download
it instantly. To create a new snapshot file, click the Backup Now button. To restore data, select
from the Available Snapshots list and click the Restore Now button. You can also upload a
snapshot file. To upload a snapshot file, click on the Choose File button and navigate to the
file on your folder system.
The Scheduled Backup Settings section provides information on your regularly scheduled
system backups. By default, your system is on a backup schedule for once a week on Fridays
at 10pm. Click Disable Scheduled Backups to stop the scheduled backup maintenance of
your system. You can change the schedule interval of your backups by selecting the day of the
week, time, directory location for storing your backup files, and the number of snapshots to
store before an older snapshot version is deleted. By default, the two latest snapshots are
stored. The maximum number of stored snapshots is 3. Click the Update Settings button to
apply your changes.
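The retention rule above (keep the newest snapshots, default two, never more than three, delete older ones) and the weekly Friday 10pm default are the two pieces of this schedule an operator most often has to reason about when deciding how far back a restore can reach. As an added example that is not from the guide or from SonicWALL, the following Python works through both: it plans which snapshots survive a prune for a given retention count, clamped to the page's 1..3 limit, and computes the next run of the weekly schedule. The snapshot file-name convention with an embedded timestamp, the sample names and the function names are constructed assumptions; only the retention limits and the Friday 10pm default come from the page.

```python
from datetime import datetime, timedelta
import re

MAX_STORED_SNAPSHOTS = 3      # page: "The maximum number of stored snapshots is 3"
DEFAULT_STORED_SNAPSHOTS = 2  # page: "By default, the two latest snapshots are stored"
FRIDAY = 4                    # datetime.weekday(): Monday = 0 ... Friday = 4

# Constructed snapshot names; the date_time-in-name convention is an assumption,
# not the appliance's real naming scheme. Deliberately out of order.
SAMPLE_SNAPSHOTS = [
    "snapshot_2012-03-02_2200.bak",
    "snapshot_2012-02-17_2200.bak",
    "snapshot_2012-02-24_2200.bak",
    "snapshot_2012-03-09_2200.bak",
]
STAMP_RE = re.compile(r"(\d{4}-\d{2}-\d{2})_(\d{4})")


def snapshot_time(name):
    """Extract the timestamp embedded in a snapshot name (assumed convention)."""
    m = STAMP_RE.search(name)
    if not m:
        raise ValueError(f"no timestamp in snapshot name {name!r}")
    return datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%d%H%M")


def plan_retention(names, keep=DEFAULT_STORED_SNAPSHOTS):
    """Return (kept, to_delete): the newest `keep` snapshots survive, older ones
    are pruned. `keep` is clamped to the page's range of 1..3 so a misconfigured
    value can neither wipe every snapshot nor exceed the appliance limit."""
    keep = max(1, min(MAX_STORED_SNAPSHOTS, keep))
    ordered = sorted(names, key=snapshot_time, reverse=True)
    return ordered[:keep], ordered[keep:]


def next_scheduled_backup(now, weekday=FRIDAY, hour=22, minute=0):
    """Next run of a weekly schedule; defaults are the page's Fridays at 10pm.
    If `now` falls exactly on a run time, the next run is a week later."""
    days_ahead = (weekday - now.weekday()) % 7
    candidate = (now + timedelta(days=days_ahead)).replace(
        hour=hour, minute=minute, second=0, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=7)
    return candidate


def next_backup_iso(now_iso):
    """String front-end for next_scheduled_backup, e.g. '2012-03-07 09:00'."""
    return next_scheduled_backup(datetime.fromisoformat(now_iso)).isoformat(
        sep=" ", timespec="minutes")


if __name__ == "__main__":
    kept, gone = plan_retention(SAMPLE_SNAPSHOTS)
    print("keep:  ", kept)
    print("delete:", gone)
    print("next run after 2012-03-07 09:00:", next_backup_iso("2012-03-07 09:00"))
```

With the default retention of two, only the 9 March and 2 March snapshots survive the prune; asking for five is clamped to three and the 17 February snapshot alone is deleted. The schedule helper shows the practical consequence of the defaults: with weekly runs and two retained snapshots, the oldest restorable state is at most about two weeks old.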
1. Log in as admin to your UMA appliance and navigate to the System > Backup/Restore
page.
2. Click the HERE link under Manage Backups and select whether to run or save the
auto_export.zip file.
3. Click the Extract button, browse to the desired folder, such as C:\Program Files, and select
the Use folder names option to extract the files from the zip file into a sub-folder called
auto_export.
4. Open the README.txt file and read the instructions for using the wizard. On a Windows
machine, double-click runWizard.bat to launch the wizard. On a Linux machine, execute
runWizard.sh.
Note
In the first release of SonicWALL GMS 6.0, if the runWizard.bat file seems to exit
immediately, it may be because you chose a folder with spaces in the name. Edit
the runWizard.bat file in a text editor and add quotes around the command.
5. The Select button appears. Click Select to open a dialog showing existing
configuration files in the auto_export/configs directory. Click the desired file and then
click Open.
6.
7. Enter the following information to allow SonicWALL GMS to communicate with Web
Services on the UMA, and then click Next:
GMS Serial: The serial number of the UMA system
IP/Domain: Either the domain name or the IP address of the UMA system
HTTPS Port: GMS Web Services always uses the HTTPS protocol to provide the
8. The wizard displays the available export Web services. Select the checkbox for each
service that should be included in the configuration and then click Next.
For example, select the System Backup export service to include it in the export script to
offload system backups from a UMA system.
9. The wizard displays a configuration summary. After reviewing the summary, click Save to
create the configuration file.
10. Type the file name into the Input dialog box, or accept the pre-populated name if editing an
The wizard saves the file in the .../auto_export/configs directory with ".ec" as the file name
extension.
11. Click Done to exit the wizard.
12. You can now set up a scheduled task (in Windows) or a cron job (in Linux) to execute
runTask.bat or runTask.sh to periodically download backup data from the UMA. The
downloaded backup data is stored in the /auto_export/export directory.
Windows command example:
C:\Program Files\auto_export\runTask.bat config_004010235FBE_archiv_report.ec
Linux command example:
/home/ac/auto_export/runTask.sh config_004010235FBE_archived_report.ec
Data is transferred from the UMA system to the target client that executes the export task
whenever the schedule is triggered.
RAID
This section describes the UMA appliance System > RAID page, used to review RAID array
drive status. This page is only available on the UMA appliance.
The page displays the following items: RAID Settings, Array.
Shutdown
This section describes the UMA appliance System > Shutdown page, used to shut down the
appliance. This page is only available on the UMA appliance.
This page allows the administrator to shut down the appliance, temporarily disconnecting users
and stopping any services.
If you made any changes to the settings, be sure to apply them before you shut down. The
process of restarting generally takes about 3 minutes.
CHAPTER 50
UMA Network Settings
This chapter describes how to configure the network settings that are available in the
SonicWALL UMA appliance Network screens.
This chapter includes the following sections:
Settings
This section describes the UMA appliance Network > Settings page, used to configure basic
networking and host settings.
Host section: Name, Domain
Networking section: Host IP address, Subnet mask, Default gateway, DNS server 1, DNS server 2,
DNS server 3
To apply your changes to the above fields, click the Update button. To revert to default settings,
click Reset.
You can also configure suffixes and enable suffix searches on this page, to aid in host name
resolution. If the UMA cannot resolve a host name to its IP address, it appends one suffix at a
time to the host name, in the order the suffixes are configured, and tries to resolve the host
name with that suffix.
Note
Adding, configuring, or deleting a suffix restarts the Web server on the UMA, and
disconnects your browser login session.
Routes
This section describes the UMA appliance Network > Routes page, used to configure default
or alternate network routes.
The default route is generally populated with the Default Gateway, specified in the Network >
Settings page.
CHAPTER 51
UMH/UMA Deployment Settings
This chapter describes how to configure the settings that are available in the SonicWALL
UMH/UMA Deployment pages.
Note
The UMA appliance and the GMS application both provide a system settings interface,
referred to as UMA for the appliance and UMH in GMS software deployments. In either
scenario, the switch icon is used to toggle between application and system interfaces.
This chapter includes the following sections:
Deployment Roles
The role that you assign to your SonicWALL GMS instance defines the SonicWALL Universal
Management Suite services that it will provide. SonicWALL GMS uses these services to
perform management, monitoring, and reporting tasks.
Your SonicWALL GMS instance can be deployed in any of the following roles:
All In One
Agent
Console
Database Only
Reports Summarizer
Monitor
Event
Syslog Collector
In the UMH or UMA system management interface, clicking Details in the same row as a role
provides a list of the services that run on a system in that role, and information about using the
role.
SonicWALL GMS 7.0 Administrators Guide
Note
When configuring the role for the first appliance in a distributed deployment, you should
either include the database or be prepared to provide the IP address of an existing database
server.
You can meet this database objective in one of the following ways:
By selecting a role that includes the database automatically, such as All In One or Database
Only
By selecting the Include Database (MYSQL) checkbox if configuring the appliance with
any other role
You can configure the role of the SonicWALL UMA EM5000 appliance without using the Role
Configuration Tool.
All role configuration is performed in the appliance management interface, available at the URL:
http://<IP address>:<port>/appliance/
Refer to the following sections for instructions on manually configuring the system role:
Syslog Collector
Reports Scheduler
Update Manager
Reports Summarizer
SNMP Manager
Scheduler
Monitoring Manager
Web Server
Database
To deploy your SonicWALL GMS in the All In One role, perform the following steps in the
appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the All
In One radio button.
2. If this SonicWALL GMS will connect to managed appliances through a GMS gateway, type
the gateway IP address into the GMS Gateway IP field.
To determine if a GMS Gateway is required, see the SonicWALL Getting Started Guide for
your product.
3. If a GMS gateway will be used, type the password into both the GMS Gateway Password
and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port
number into the Syslog Server Port field. The default port is 514.
5. If deploying another system in the Console role, select the Include Redundancy checkbox
to configure this system as a redundant Console.
6.
7.
8. Configure the Web port settings as described in the Configuring Web Port Settings section,
on page 889.
9. To apply your changes, click Update. To change the settings on this page back to the
defaults, click Reset.
Only the SonicWALL Universal Management Suite Database service runs on a Database Only
system.
The MySQL database engine is pre-installed along with the SonicWALL GMS installation.
SonicWALL GMS can also use a MySQL database or a Microsoft SQL Server database
installed on a server. Only the MySQL database included in the installer is supported. On the
Deployment > Role page in the SonicWALL GMS appliance management interface, you can
configure your SonicWALL GMS systems to use either a MySQL or a SQL Server database.
To deploy your SonicWALL GMS in the Database Only role, perform the steps described in the
Configuring Database Settings section, on page 887.
Performs various periodic checks, such as checking for new appliances that can be
managed, checking for new firmware versions of managed appliances, and similar
functions
To deploy your SonicWALL GMS in the Console role, perform the following steps in the
appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Console radio button.
2. If this SonicWALL GMS will connect to managed appliances through a GMS gateway, type
the gateway IP address into the GMS Gateway IP field.
To determine if a GMS Gateway is required, see the SonicWALL Getting Started Guide for
your product.
3. If a GMS gateway will be used, type the password into both the GMS Gateway Password
and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port
number into the Syslog Server Port field. The default port is 514.
5. To use a MySQL or Microsoft SQL Server database on another system, do not select the
Include Database (MYSQL) checkbox. To include the MySQL database on this system (not
recommended), select this checkbox (for this configuration, select the All In One role
instead of the Console role).
6. If deploying another system in the Console or All In One role, select the Include
Redundancy checkbox to configure this system as a redundant Console.
7.
8. Configure the Web port settings as described in the Configuring Web Port Settings section,
on page 889.
9.
Manages units by acquiring them, pushing configuration tasks to the units and tracking their
up/down status
Performs monitoring based on ICMP probes, TCP probes, and SNMP OID retrievals
The following SonicWALL Universal Management Suite services run on an Agent system:
Syslog Collector
Reports Summarizer
SNMP Manager
Scheduler
Monitoring Manager
To deploy your SonicWALL GMS in the Agent role, perform the following steps in the appliance
management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Agent radio button.
2. If this SonicWALL GMS will connect to managed appliances through a GMS gateway, type
the gateway IP address into the GMS Gateway IP field.
To determine if a GMS Gateway is required, see the SonicWALL Getting Started Guide for
your product.
3. If a GMS gateway will be used, type the password into both the GMS Gateway Password
and Confirm GMS Gateway Password fields.
4. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port
number into the Syslog Server Port field. The default port is 514.
5. To include the MySQL database on this system, select the Include Database (MYSQL)
checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not
select this checkbox.
6.
7. Configure the Web port settings as described in the Configuring Web Port Settings section,
on page 889.
8.
To deploy your SonicWALL GMS in the Reports Summarizer role, perform the following steps
in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Reports Summarizer radio button.
2. To include the MySQL database on this system, select the Include Database (MYSQL)
checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not
select this checkbox.
3.
4. Configure the Web port settings as described in the Configuring Web Port Settings section,
on page 889.
5.
To deploy your SonicWALL GMS in the Monitor role, perform the following steps in the
appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Monitor radio button.
2. To include the MySQL database on this system, select the Include Database (MYSQL)
checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not
select this checkbox.
3.
4. Configure the Web port settings as described in the Configuring Web Port Settings section,
on page 889.
5.
To deploy your SonicWALL GMS in the Event role, perform the following steps in the appliance
management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the
Event radio button.
2. To include the MySQL database on this system, select the Include Database (MYSQL)
checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not
select this checkbox.
3.
4. Configure the Web port settings as described in the Configuring Web Port Settings section,
on page 889.
5.
Only the SonicWALL Universal Management Suite Syslog Collector service runs on a Syslog Collector system.
To deploy your SonicWALL GMS in the Syslog Collector role, perform the following steps in the appliance management interface:
1. Navigate to the Deployment > Role page. Under Host Role Configuration, select the Syslog Collector radio button.
2. If this SonicWALL GMS listens for syslog messages on a non-standard port, type the port number into the Syslog Server Port field. The default port is 514.
3. To include the MySQL database on this system, select the Include Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.
4.
5. Configure the Web port settings as described in the Configuring Web Port Settings section, on page 889.
6.
1. Navigate to the Deployment > Role page and select the role for this appliance.
2. To run the MySQL database on this SonicWALL GMS, select the Include Database (MYSQL) checkbox. To use a MySQL or Microsoft SQL Server database on another system, do not select this checkbox.
3. Under Database Configuration, if Include Database (MYSQL) was not selected in the previous step, select either MYSQL or SQL Server from the Database Type pull-down list. This field is not editable if you previously selected Include Database (MYSQL) or if the selected role is All In One or Database Only.
4. In the Database Host field, type in the IP address of the database server or accept the default, localhost, if this SonicWALL GMS includes the database. This field is not editable if you previously selected Include Database (MYSQL) or if the selected role is All In One or Database Only.
If your deployment requires an instance name for the SQL Server database, when completing the Database Host field, enter the host name or IP address, followed by a backslash and the instance name. The format should look as follows: 10.20.30.40\INSTANCE.
5. To use a different port when SonicWALL GMS accesses the database, type the port into the Database Port field. The default port is 3306.
6. To use a different user name when SonicWALL GMS accesses the database, type the user name into the Database User field. The default user name is sa.
7. Type the password that SonicWALL GMS will use to access the database into both the Database Password and Confirm Database Password fields.
8. If your deployment uses a custom database driver, type the value into the Database Driver field. Otherwise, accept the default, com.mysql.jdbc.Driver.
9. If your deployment uses a custom database URL, type the value into the Database URL field. If you are using a different port, change the default port, 3306, in the URL as well. Otherwise, accept the default URL, jdbc:mysql://localhost:3306.
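The database fields above depend on one another: the port entered in step 5 must also appear in the step 9 URL, and a SQL Server instance name in step 4 has the fixed HOST\INSTANCE shape. As an added example that is not part of this guide or of the GMS product, the following Python check validates a set of field values against those rules; the field values it takes are constructed inputs, not values read from an appliance.

```python
from urllib.parse import urlsplit

# Defaults named in the guide's Database Configuration steps.
DEFAULT_DB_PORT = 3306
DEFAULT_DRIVER = "com.mysql.jdbc.Driver"
DEFAULT_URL = "jdbc:mysql://localhost:3306"


def check_database_settings(db_type, host, port, password, driver, url):
    """Return a list of problems found in the Database Configuration fields.

    db_type is the Database Type pull-down value, "MYSQL" or "SQL Server".
    An empty list means the fields are consistent with each other.
    """
    problems = []
    if not password:
        # Step 7 requires a password; an empty one would leave the database
        # reachable with the default user name alone.
        problems.append("Database Password is empty")
    if not driver or not url:
        problems.append("Database Driver and Database URL must both be set")

    if db_type == "SQL Server":
        # Step 4: an instance name is written as HOST\INSTANCE (one backslash).
        if "\\" in host:
            h, _, inst = host.partition("\\")
            if not h or not inst or "\\" in inst:
                problems.append("Database Host must be HOST\\INSTANCE")
    elif db_type == "MYSQL":
        if driver != DEFAULT_DRIVER:
            problems.append(f"Database Driver {driver!r} is not the MySQL default")
        # Step 9: a non-default Database Port must also be changed in the URL.
        parts = urlsplit(url[len("jdbc:"):] if url.startswith("jdbc:") else url)
        if parts.scheme != "mysql":
            problems.append("Database URL does not start with jdbc:mysql://")
        try:
            url_port = parts.port if parts.port is not None else DEFAULT_DB_PORT
        except ValueError:
            url_port = None
            problems.append("Database URL port is not a number")
        if url_port is not None and url_port != port:
            problems.append(
                f"Database Port {port} does not match port {url_port} in Database URL")
        if parts.hostname != host.lower():
            problems.append("Database Host does not match the host in Database URL")
    else:
        problems.append(f"unknown Database Type {db_type!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the guide's defaults, which should report no problems.
    print(check_database_settings("MYSQL", "localhost", DEFAULT_DB_PORT,
                                  "s3cret", DEFAULT_DRIVER, DEFAULT_URL))
```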
Deployment Settings
This section describes the UMH/UMA Deployment > Settings page, used for Web port, SMTP,
and SSL access configuration.
The Deployment > Settings page is identical in both the UMH and UMA management
interfaces, except for the left navigation pane which shows the Network menu item on the UMA.
1. On the Deployment > Settings page under Web Port Configuration, to use a different port for HTTP access to the SonicWALL GMS, type the port number into the HTTP Port field. The default port is 80.
If you enter another port in this field, the port number must be specified when accessing the appliance management interface or SonicWALL GMS management interface. For example, if port 8080 is entered here, the appliance management interface would be accessed with the URL: http://<IP Address>:8080/appliance/.
2. To use a different port for HTTPS access to the SonicWALL GMS, type the port number into the HTTPS Port field. The default port is 443.
If you enter another port in this field, the port number must be specified when accessing the appliance management interface or SonicWALL GMS management interface. For example, if port 4430 is entered here, the appliance management interface would be accessed with the URL: https://<IP Address>:4430/appliance/.
1. Navigate to the Deployment > Settings page under the SMTP Configuration section.
2. Type the FQDN or IP address of the SMTP server into the SMTP server field.
3. Type the email address from which mail will be sent into the Sender address field.
4. Type the email address of the system administrator into the Administrator address field.
5.
6.
1. Navigate to the Deployment > Settings page under the SSL Access Configuration section.
2. Select the Default radio button to keep, or revert to, the default settings, where the default GMS Web Server certificate with the 'gmsvpserverks' keystore is used.
3. Select the Custom radio button to upload a custom keystore certificate for GMS SSL access.
4. In the Keystore/Certificate file field, click the Browse button to select your certificate file.
5. Type the password for the keystore certificate into the Keystore/Certificate password field.
6. Click the View button to display details about your keystore certificate.
7.
Deployment Services
This section describes the UMH/UMA Deployment > Services page, used for starting and
stopping the GMS services running on the system.
The Deployment > Services page is identical in both the UMH and UMA management
interfaces, except for the left navigation pane which shows the Network menu item on the UMA.
Details are available for the current role, and the status of each service is displayed on the page. The page is shown below for the All In One role, which includes all services.
2. Select the checkbox next to Service Name to select all services, or select one or more checkboxes for individual services.
3.
4.
5.
SonicWALL, Inc.
2001 Logic Drive
T +1 408.745.9600
F +1 408.745.9300
P/N: 232-000755-00
Rev B, 2/12
2012 SonicWALL, Inc. Specifications and descriptions subject to change without notice.
www.sonicwall.com